Rev 0; 3/08 Secure Microprocessor Chip Features The DS5003 secure microprocessor incorporates sophisticated security features including an array of mechanisms that are designed to resist all levels of threat, including observation, analysis, and physical attack. As a result, a massive effort is required to obtain any information about its memory contents. Furthermore, the “soft” nature of the DS5003 allows frequent modification of the secure information, thereby minimizing the value of any secure information obtained by such a massive effort. The device is an enhanced version of the DS5002FP secure microprocessor chip with additional scratchpad RAM. ♦ 8051-Compatible Microprocessor for Secure/Sensitive Applications Access 32kB, 64kB, or 128kB of Nonvolatile SRAM for Program and/or Data Storage 128 Bytes of RAM 128 Bytes of Indirect Scratchpad RAM In-System Programming Through On-Chip Serial Port Can Modify Its Own Program or Data Memory in the End System Differences from the DS5002FP The DS5003 implements only one additional feature from the DS5002FP: it adds 128 bytes of internal scratchpad memory (for a total of 256 bytes) similar to that used in 8032/8052 architectures. This additional memory is accessible through indirect addressing 8051 instructions such as “mov a, @r1,” where r1 now can have a value between 0 and 255. It is also usable as stack space for pushes, pops, calls, and returns. Register indirect addressing is used to access the scratchpad RAM locations above 7Fh. It can also be used to reach the lower RAM (0h–7Fh) if needed. The address is supplied by the contents of the working register specified in the instruction. Thus, one instruction can be used to reach many values by altering the contents of the designated working register. Note that only R0 and R1 can be used as pointers. An example of register indirect addressing is as follows: ANL A, @R0 ;Logical AND the Accumulator with the contents of ;the register pointed to by the value stored in R0 Applications ♦ Firmware Security Features Memory Stored in Encrypted Form Encryption Using On-Chip 64-Bit Key Automatic True Random-Key Generator Self-Destruct Input (SDI) Top Coating Prevents Microprobing Protects Memory Contents from Piracy ♦ Crash-Proof Operation Maintains All Nonvolatile Resources for Over 10 Years (at Room Temperature) in the Absence of Power Power-Fail Reset Early Warning Power-Fail Interrupt Watchdog Timer Ordering Information PART TEMP RANGE INTERNAL MICRO PROBE SHIELD DS5003FPM-16+ 0°C to +70°C Yes PINPACKAGE 80 MQFP +Denotes a lead-free/RoHS-compliant package. PIN Pads Gaming Machines Pin Configuration appears at end of data sheet. Any Application Requiring Software Protection ________________________________________________________________ Maxim Integrated Products For pricing, delivery, and ordering information, please contact Maxim Direct at 1-888-629-4642, or visit Maxim’s website at www.maxim-ic.com. 1 DS5003 General Description DS5003 Secure Microprocessor Chip ABSOLUTE MAXIMUM RATINGS Voltage Range on Any Pin Relative to Ground..................................-0.3V to (VCC + 0.5V) Voltage Range on VCC Relative to Ground ..........................................................-0.3V to +6.0V Operating Temperature Range.............................40°C to +85°C Storage Temperature* .......................................-55°C to +125°C Soldering Temperature...........................Refer to the IPC/JEDEC J-STD-020 Specification. *Storage temperature is defined as the temperature of the device when VCC = 0V and VLI = 0V. In this state, the contents of SRAM are not battery backed and are undefined. Note: The DS5003 adheres to all AC and DC electrical specifications published for the DS5002FP. Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. These are stress ratings only, and functional operation of the device at these or any other conditions beyond those indicated in the operational sections of the specifications is not implied. Exposure to absolute maximum rating conditions for extended periods may affect device reliability. DC CHARACTERISTICS (VCC = 5V ±10%, TA = 0°C to +70°C.) PARAMETER Operating Voltage SYMBOL VCC CONDITIONS (Note 1) MIN TYP VCCMIN MAX UNITS 5.5 V Minimum Operating Voltage VCCMIN 0°C to +70°C (Note 1) 4.00 4.12 4.25 V Power-Fail Warning Voltage VPFW 0°C to +70°C (Note 1) 4.25 4.37 4.50 V (Note 1) 2.5 4.0 V Lithium Supply Voltage VLI Operating Current at 16MHz ICC (Note 2) 36 mA Idle-Mode Current at 12MHz I IDLE 0°C to +70°C (Note 3) 7.0 mA Stop-Mode Current I STOP (Note 4) 80 μA CIN (Note 5) 10 pF Pin Capacitance Output Supply Voltage (VCCO) VCCO1 (Notes 1, 2) VCC 0.45 V Output Supply Battery-Backed Mode (VCCO, CE1–CE4, PE1, PE2) VCCO2 0°C to +70°C (Notes 1, 6) VLI 0.65 V Output Supply Current (Note 7) ICCO1 VCCO = VCC - 0.45V Lithium-Backed Quiescent Current (Note 8) ILI Reset Trip Point in Stop Mode Input Low Voltage VIL 0°C to +70°C 5 75 mA 75 nA BAT = 3.0V (0°C to +70°C) (Note 1) 4.00 4.25 BAT = 3.3V (0°C to +70°C) (Note 1) 4.40 4.65 (Note 1) -0.3 +0.8 V V V Input High Voltage VIH1 (Note 1) 2.0 VCC + 0.3 Input High Voltage (RST, XTAL1, PROG) VIH2 (Note 1) 3.5 VCC + 0.3 V Output Low Voltage at I OL = 1.6mA (Ports 1, 2, 3, PF) VOL1 (Notes 1, 9) 0.45 V 2 0.15 _______________________________________________________________________________________ Secure Microprocessor Chip (VCC = 5V ±10%, TA = 0°C to +70°C.) PARAMETER SYMBOL CONDITIONS MIN TYP MAX UNITS 0.15 0.45 V Output Low Voltage at I OL = 3.2mA (P0.0–P0.7, ALE, BA0–BA14, BD0–BD7, R/W, CE1N, CE1–CE4, PE1–PE4, VRST) VOL2 (Note 1) Output High Voltage at I OH = -80μA (Ports 1, 2, 3) VOH1 (Note 1) 2.4 4.8 V Output High Voltage at I OH = -400μA (P0.0–P0.7, ALE, BA0–BA14, BD0–BD7, R/W, CE1N, CE1–CE4, PE1–PE4, VRST) VOH2 (Note 1) 2.4 4.8 V Input Low Current, VIN = 0.45V (Ports 1, 2, 3) I IL -50 μA Transition Current 1 to 0, VIN = 2.0V (Ports 1, 2, 3) ITL -500 μA 0.4 V SDI Input Low Voltage VILS (Note 1) SDI Input High Voltage VIHS (Notes 1, 10) SDI Pulldown Resistor RSDI Input Leakage (P0.0–P0.7, MSEL) I IL 2.0 VCCO V 25 60 k +10 μA 150 k 0.45 < VIN < VCC RST Pulldown Resistor RRE 0°C to +70°C 40 VRST Pullup Resistor RVR 4.7 k PROG Pullup Resistor RPR 40 k AC CHARACTERISTICS—SDI PIN (VCC = 0V to 5V, TA = 0°C to +70°C.) PARAMETER SYMBOL SDI Pulse Reject (Note 11) t SPR SDI Pulse Accept (Note 11) t SPA CONDITIONS MIN 4.5V < VCC < 5.5V TYP MAX 1.3 VCC = 0V, VBAT = 2.9V 4.5V < VCC < 5.5V 4 10 VCC = 0V, VBAT = 2.9V 50 UNITS μs μs _______________________________________________________________________________________ 3 DS5003 DC CHARACTERISTICS (continued) DS5003 Secure Microprocessor Chip AC CHARACTERISTICS—EXPANDED BUS-MODE TIMING SPECIFICATIONS (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figures 1, 2) MIN MAX UNITS Oscillator Frequency PARAMETER SYMBOL 1/tCLK 1.0 16.0 MHz ALE Pulse Width tALPW 2tCLK - 40 ns Address Valid to ALE Low tAVALL tCLK - 40 ns Address Hold After ALE Low tAVAAV tCLK - 35 ns RD Pulse Width tRDPW 6tCLK - 100 ns WR Pulse Width tWRPW RD Low to Valid Data In tRDLDV Data Hold After RD High tRDHDV Data Float After RD High tRDHDZ ALE Low to Valid Data In tALLVD Valid Address to Valid Data In tAVDV CONDITIONS 6tCLK - 100 ns 12MHz 5tCLK - 165 16MHz 5tCLK - 105 0 ns ns 2tCLK - 70 12MHz 8tCLK - 150 16MHz 8tCLK - 90 12MHz 9tCLK - 165 16MHz 9tCLK - 105 ns ns ns ALE Low to RD or WR Low tALLRDL 3tCLK - 50 Address Valid to RD or WR Low tAVRDL 4tCLK - 130 ns Data Valid to WR Going Low tDVWRL tCLK - 60 ns Data Valid to WR High tDVWRH Data Valid After WR High tWRHDV RD Low to Address Float tRDLAZ RD or WR High to ALE High 12MHz 7tCLK - 150 16MHz 7tCLK - 90 3tCLK + 50 ns tCLK - 50 tRDHALH ns ns 0 ns tCLK - 40 tCLK + 50 ns MIN MAX UNITS AC CHARACTERISTICS—EXTERNAL CLOCK DRIVE (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figure 3) PARAMETER SYMBOL External Clock High Time tCLKHPW External Clock Low Time tCLKLPW External Clock Rise Time tCLKR External Clock Fall Time tCLKF 4 CONDITIONS 12MHz 20 16MHz 15 12MHz 20 16MHz 15 ns ns 12MHz 20 16MHz 15 12MHz 20 16MHz 15 _______________________________________________________________________________________ ns ns Secure Microprocessor Chip DS5003 AC CHARACTERISTICS—POWER-CYCLE TIME (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figure 4) PARAMETER Slew Rate from VCCMIN to VLI SYMBOL MIN tF 130 MAX UNITS μs Crystal Startup Time tCSU (Note 12) Power-On Reset Delay t POR 21,504 tCLK MAX UNITS AC CHARACTERISTICS—SERIAL PORT TIMING (MODE 0) (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figure 5) SYMBOL MIN Serial Port Clock Cycle Time PARAMETER t SPCLK 12tCLK μs Output Data Setup to Rising Clock Edge tDOCH 10tCLK - 133 ns Output Data Hold After Rising Clock Edge tCHDO 2tCLK - 117 Clock Rising Edge to Input Data Valid tCHDV Input Data Hold After Rising Clock Edge tCHDIV ns 10tCLK - 133 0 ns ns AC CHARACTERISTICS—BYTE-WIDE ADDRESS/DATA BUS TIMING (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figure 6) PARAMETER Delay to Byte-Wide Address Valid from CE1, CE2, or CE1N Low During Op Code Fetch Pulse Width of CE1–CE4, PE1–PE4, or CE1N SYMBOL MIN tCE1LPA MAX UNITS 30 ns tCEPW 4tCLK - 35 ns Byte-Wide Address Hold After CE1, CE2, or CE1N High During Op Code Fetch tCE1HPA 2tCLK - 20 ns Byte-Wide Data Setup to CE1, CE2, or CE1N High During Op Code Fetch t OVCE1H 1tCLK + 40 ns Byte-Wide Data Hold After CE1, CE2, or CE1N High During Op Code Fetch tCE1HOV 0 ns Byte-Wide Address Hold After CE1–CE4, PE1–PE4, or CE1N High During MOVX tCEHDA 4tCLK - 30 ns Delay from Byte-Wide Address Valid CE1–CE4, PE1–PE4, or CE1N Low During MOVX tCELDA 4tCLK - 35 ns Byte-Wide Data Setup to CE1–CE4, PE1–PE4, or CE1N High During MOVX (Read) tDACEH 1tCLK + 40 ns Byte-Wide Data Hold After CE1–CE4, PE1–PE4, or CE1N High During MOVX (Read) tCEHDV 0 ns Byte-Wide Address Valid to R/W Active During MOVX (Write) tAVRWL 3tCLK - 35 ns _______________________________________________________________________________________ 5 DS5003 Secure Microprocessor Chip AC CHARACTERISTICS—BYTE-WIDE ADDRESS/DATA BUS TIMING (continued) (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figure 6) PARAMETER SYMBOL MIN MAX UNITS Delay from R/W Low to Valid Data Out During MOVX (Write) tRWLDV 20 ns Valid Data Out Hold Time from CE1–CE4, PE1–PE4, or CE1N High tCEHDV 1tCLK - 15 ns Valid Data Out Hold Time from R/W High tRWHDV 0 ns Write Pulse Width (R/W Low Time) tRWLPW 6tCLK - 20 ns RPC AC CHARACTERISTICS—DBB READ (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figure 7) SYMBOL MIN CS, A0 Setup to RD PARAMETER tAR 0 ns CS, A0 Hold After RD tRA 0 ns RD Pulse Width tRR 160 CS, A0 to Data Out Delay tAD RD to Data Out Delay tRD RD to Data Float Delay tRDZ 0 MAX UNITS ns 130 ns 130 ns 85 ns MAX UNITS RPC AC CHARACTERISTICS—DBB WRITE (VCC = 5V ±10%, TA = 0°C to +70°C.) (Figure 7) SYMBOL MIN CS, A0 Setup to WR PARAMETER tAW 0 CS Hold After WR tWA 0 ns A0 Hold After WR tWA 20 ns WR Pulse Width tWW 160 ns Data Setup to WR tDW 130 ns Data Hold After WR tWD 20 ns SYMBOL MIN DACK to WR or RD tACC 0 RD or WR to DACK tCAC 0 DACK to Data Valid tACD 0 RD or WR to DRQ Cleared tCRQ ns AC CHARACTERISTICS—DMA (VCC = 5V ±10%, TA = 0°C to +70°C.) PARAMETER 6 MAX UNITS ns ns 130 ns 110 ns _______________________________________________________________________________________ Secure Microprocessor Chip DS5003 AC CHARACTERISTICS—PROG (VCC = 5V ±10%, TA = 0°C to +70°C.) PARAMETER SYMBOL MIN MAX UNITS PROG Low to Active t PRA 48 Clocks PROG High to Inactive t PRI 48 Clocks All voltages are referenced to ground. Maximum operating ICC is measured with all output pins disconnected; XTAL1 driven with tCLKR, tCLKF = 10ns, VIL = 0.5V; XTAL2 disconnected; RST = Port 0 = VCC, MSEL = VSS. Note 3: Idle mode, IIDLE, is measured with all output pins disconnected; XTAL1 driven with tCLKR, tCLKF = 10ns, VIL = 0.5V; XTAL2 disconnected; Port 0 = VCC, RST = MSEL = VSS. Note 4: Stop mode, ISTOP, is measured with all output pins disconnected; Port 0 = VCC; XTAL2 not connected; RST = MSEL = XTAL1 = VSS. Note 5: Pin capacitance is measured with a test frequency: 1MHz, TA = +25°C. This specification is characterized but not production tested. Note 6: VCCO2 is measured with VCC < VLI and a maximum load of 10µA on VCCO. Note 7: ICCO1 is the maximum average operating current that can be drawn from VCCO in normal operation. Note 8: ILI is the current drawn from the VLI input when VCC = 0V and VCCO is disconnected. Battery-backed mode is 2.5V ≤ VBAT ≤ 4.0; VCC ≤ VBAT; VSDI should be ≤ VILS for IBAT max. Note 9: PF pin operation is specified with VBAT ≥ 3.0V. Note 10: VIHS minimum is 2.0V or VCCO, whichever is lower. Note 11: SDI is deglitched to prevent accidental destruction. The pulse must be longer than tSPR to pass the deglitcher, but SDI is not guaranteed unless it is longer than tSPA. Note 12: Crystal startup time is the time required to get the mass of the crystal into vibrational motion from the time that power is first applied to the circuit until the first clock pulse is produced by the on-chip oscillator. The user should check with the crystal vendor for a worst-case specification on this time. Note 1: Note 2: tRDHALH tALPW ALE tALLVD tALLRDL tRDPW tRDLDV RD tRDHDZ tAVALL PORT 0 tRDLAZ tAVAAV tRDHDV A7–A0 (Rn OR DPL) DATA IN A7–A0 (PCL) INSTR IN tAVRDL tAVDV PORT 2 P2.7–P2.0 OR A15–A8 FROM DPH A15–A8 FROM PCH Figure 1. Expanded Data Memory Read Cycle _______________________________________________________________________________________ 7 DS5003 Secure Microprocessor Chip tRDHALH ALE tALLRDL tWRPW WR tDVWRL tWRHDV tAVAAV tAVALL PORT 0 tDVWRH A7–A0 (Rn OR DPL) DATA OUT A7–A0 (PCL) INSTR IN tAVRDL P2.7–P2.0 OR A15–A8 FROM PDH PORT 2 A15–A8 FROM PCH Figure 2. Expanded Data Memory Write Cycle tCLKHPW tCLKLPW tCLKF tCLKR 1/tCLK Figure 3. External Clock Timing 8 _______________________________________________________________________________________ Secure Microprocessor Chip DS5003 VCC VPFW VCCMIN VLI tF INTERRUPT SERVICE ROUTINE tCSV CLOCK OSC tPOR INTERNAL RESET LITHIUM CURRENT Figure 4. Power-Cycle Timing _______________________________________________________________________________________ 9 DS5003 Secure Microprocessor Chip 0 1 2 3 4 5 6 7 8 ALE tSPCLK CLOCK tDOCH tCHDO DATA OUT 0 1 2 3 4 5 6 SET TI 7 tCHDV WRITE TO SBUF REGISTER tCHDIV SET RI INPUT DATA VALID VALID VALID VALID VALID VALID VALID CLEAR RI Figure 5. Serial Port Timing (Mode 0) MACHINE CYCLE 1 2 3 4 MACHINE CYCLE 5 6 1 2 3 4 MACHINE CYCLE 5 6 6 1 2 3 4 5 6 XTAL2 ALE tRWLPW R/W BA0–BA14 tAVRWL PC OUT PC OUT DPL AND (DPH OR P2 SFR OUT) tCELDA tCEL1LPA PC OUT tCEHDA DPL AND (DPH OR P2 SFR OUT) tCELDA tCEL1HPA PC OUT tCEHDA CE1, CE2, OR CE1N CE1, CE2, CE3, CE4, PE1, PE2, PE3, PE4, OR CE1N tCEPW tOVCE1H tDACEH tCE1HOV BD0–BD7 DATA IN tCEPW DATA IN tCEHDV DATA IN tRWHDV tCEHDV tRWLDV DATA DATA OUT Figure 6. Byte-Wide Bus Timing 10 ______________________________________________________________________________________ Secure Microprocessor Chip DS5003 READ OPERATION CS OR A0 tAR tRA tRR RD tAD tRD tRDZ DATA DATA VALID WRITE OPERATION CS OR A0 tAW tWW tWA WR tDW DATA tWD DATA VALID DMA DACK RD tACC tCAC WR tACC DATA tCAC VALID VALID tACD DRQ tCRQ tCRQ Figure 7. RPC Timing Mode ______________________________________________________________________________________ 11 Secure Microprocessor Chip DS5003 Pin Description PIN NAME FUNCTION POWER PINS 13 VCC Power Supply, +5V VCC Output. This is switched between VCC and VLI by internal circuits based on the level of VCC. When power is above the lithium input, power is drawn from VCC. The lithium cell remains isolated from a load. When VCC is below VLI, VCCO switches to the VLI source. VCCO should be connected to the VCC pin of an SRAM. 12 VCCO 54 VLI 52 GND 11 9 7 5 1 79 77 75 15 17 19 21 25 27 29 31 49 50 51 56 58 60 64 66 P0.0/AD0 P0.1/AD1 P0.2/AD2 P0.3/AD3 P0.4/AD4 P0.5/AD5 P0.6/AD6 P0.7/AD7 P1.0 P1.1 P1.2 P1.3 P1.4 P1.5 P1.6 P1.7 P2.0/A8 P2.1/A9 P2.2/A10 P2.3/A11 P2.4/A12 P2.5/A13 P2.6/A14 P2.7/A15 36 P3.0/RXD General-Purpose I/O Port Pin 3.0. Also serves as the receive signal for the on-board UART. This pin should not be connected directly to a PC COM port. 38 P3.1/TXD General-Purpose I/O Port Pin 3.1. Also serves as the transmit signal for the on-board UART. This pin should not be connected directly to a PC COM port. 39 40 41 44 45 46 P3.2/INT0 P3.3/INT1 P3.4/T0 P3.5/T1 P3.6/WR P3.7/RD General-Purpose I/O Port General-Purpose I/O Port General-Purpose I/O Port General-Purpose I/O Port General-Purpose I/O Port General-Purpose I/O Port Lithium Voltage Input. Connect to a lithium cell greater than VLIMIN and no greater than VLIMAX as shown in the electrical specifications. Nominal value is +3V. Logic Ground GENERAL-PURPOSE I/O PINS 12 General-Purpose I/O Port 0. This port is open drain and cannot drive a logic 1. It requires external pullups. Port 0 is also the multiplexed expanded address/data bus. When used in this mode, it does not require pullups. General-Purpose I/O Port 1 General-Purpose I/O Port 2. Also serves as the MSB of the expanded address bus. Pin 3.2. Pin 3.3. Pin 3.4. Pin 3.5. Pin 3.6. Pin 3.7. Also Also Also Also Also Also serves serves serves serves serves serves as the active-low external interrupt 0. as the active-low external interrupt 1. as the timer 0 input. as the timer 1 input. as the write strobe for expanded bus operation. as the read strobe for expanded bus operation. ______________________________________________________________________________________ Secure Microprocessor Chip PIN NAME FUNCTION BYTE-WIDE BUS INTERFACE PINS 37 BA0 35 BA1 33 BA2 30 BA3 28 BA4 26 BA5 24 BA6 20 BA7 6 BA8 4 BA9 76 BA10 80 BA11 18 BA12 Byte-Wide Address Bus Bits 14–0. This bus is combined with the nonmultiplexed data bus (BD7–BD0) to access external SRAM. Decoding is performed using CE1–CE4. Therefore, BA15 is not actually needed. Read/write access is controlled by R/W. BA14–BA0 connect directly to an 8kB, 32kB, or 128kB SRAM. If an 8kB SRAM is used, BA13 and BA14 are unconnected. If a 128kB SRAM is used, the microcontroller converts CE2 and CE3 to serve as A16 and A15, respectively. 8 BA13 16 BA14 55 BD0 57 BD1 59 BD2 61 BD3 65 BD4 67 BD5 69 BD6 71 BD7 70 ALE Address Latch Enable. Used to demultiplex the multiplexed expanded address/data bus on port 0. This pin is normally connected to the clock input on a ’373 type transparent latch. 10 R/W Read/Write (Active Low). This signal provides the write enable to the SRAMs on the byte-wide bus. It is controlled by the memory map and partition. The blocks selected as program (ROM) are write protected. 74 CE1 Active-Low Chip-Enable 1. This is the primary decoded chip enable for memory access on the byte-wide bus. It connects to the chip-enable input of one SRAM. CE1 is lithium-backed. It remains in a logic-high inactive state when VCC falls below VLI. 72 CE1N Nonbattery-Backed Version of CE1. It is not generally useful because the DS5003 cannot be used with EPROM due to its encryption. 2 63 Byte-Wide Data Bus Bits 7–0. This 8-bit bidirectional bus is combined with the nonmultiplexed address bus (BA14–BA0) to access external SRAM. Decoding is performed on CE1 and CE2. Read/write access is controlled by R/W. D7–D0 connect directly to an SRAM and optionally to a real-time clock or other peripheral. CE2 Active-Low Chip-Enable 2. This chip enable is provided to access a second 32kB block of memory. It connects to the chip-enable input of one SRAM. When MSEL = 0, the microcontroller converts CE2 into A16 for a 128kB x 8 SRAM. CE2 is lithium-backed and remains at a logic-high when VCC falls below VLI. CE3 Active-Low Chip-Enable 3. This chip enable is provided to access a third 32kB block of memory. It connects to the chip-enable input of one SRAM. When MSEL = 0, the microcontroller converts CE3 into A15 for a 128kB x 8 SRAM. CE3 is lithium backed and remains at a logic-high when VCC falls below VLI. ______________________________________________________________________________________ 13 DS5003 Pin Description (continued) Secure Microprocessor Chip DS5003 Pin Description (continued) PIN NAME FUNCTION CE4 Active-Low Chip-Enable 4. This chip enable is provided to access a fourth 32kB block of memory. It connects to the chip-enable input of one SRAM. When MSEL = 0, this signal is unused. CE4 is lithium-backed and remains at a logic-high when VCC falls below VLI. 78 PE1 Active-Low Peripheral Enable 1. Accesses data memory between addresses 0000h and 3FFFh when the PES bit is set to logic 1. Commonly used to chip enable a byte-wide real-time clock such as the DS1283. PE1 is lithium backed and remains at a logic-high when VCC falls below VLI. Connect PE1 to battery-backed circuitry only. 3 PE2 Active-Low Peripheral Enable 2. Accesses data memory between addresses 4000h and 7FFFh when the PES bit is set to logic 1. PE2 is lithium backed and remains at a logic-high when VCC falls below VLI. Connect PE2 to battery-backed circuitry only. PE3 Active-Low Peripheral Enable 3. Accesses data memory between addresses 8000h and BFFFh when the PES bit is set to a logic 1. PE3 is not lithium backed and can be connected to any type of peripheral function. If connected to a battery-backed chip, it needs additional circuitry to maintain the chip enable in an inactive state when VCC < VLI. 23 PE4 Active-Low Peripheral Enable 4. Accesses data memory between addresses C000h and FFFFh when the PES bit is set to logic 1. PE4 is not lithium backed and can be connected to any type of peripheral function. If connected to a battery-backed chip, it needs additional circuitry to maintain the chip enable in an inactive state when VCC < VLI. 14 MSEL 62 22 Memory Select. This signal controls the memory size selection. When MSEL = +5V, the DS5003 expects to use 32kB x 8 SRAMs. When MSEL = 0V, the DS5003 expects to use a 128kB x 8 SRAM. MSEL must be connected regardless of partition, mode, etc. CLOCK PINS 47, 48 XTAL2, XTAL1 Crystal Connections. Used to connect an external crystal to the internal oscillator. XTAL1 is the input to an inverting amplifier and XTAL2 is the output. RESET, STATUS, AND SELF-DESTRUCT PINS 34 RST Active-High Reset Input. A logic 1 applied to this pin activates a reset state. This pin is pulled down internally so this pin can be left unconnected if not used. An RC power-on reset circuit is not needed and is not recommended. 32 PROG Invokes the Bootstrap Loader on Falling Edge. This signal should be debounced so that only one edge is detected. If connected to ground, the microcontroller enters bootstrap loading on power-up. This signal is pulled up internally. VRST Reset State Active Due to Low VCC. This I/O pin (open drain with internal pullup) indicates that the power supply (VCC) has fallen below the VCCMIN level and the microcontroller is in a reset state. When this occurs, the DS5003 drives this pin to logic 0. Because the microcontroller is lithium backed, this signal is guaranteed even when VCC = 0V. Because it is an I/O pin, it also forces a reset if pulled low externally. This allows multiple parts to synchronize their powerdown resets. 43 PF Lithium Backup Active. This output goes to a logic 0 to indicate that the microcontroller has switched to lithium backup. This corresponds to VCC < VLI. Because the microcontroller is lithium backed, this signal is guaranteed even when VCC = 0V. The normal application of this signal is to control lithium-powered current to isolate battery-backed functions from nonbatterybacked functions. 53 SDI Self-Destruct Input. An active high on this pin causes an unlock procedure. This results in the destruction of vector SRAM, encryption keys, and the loss of power from VCCO. This pin should be grounded if not used. 68, 73 N.C. No Connection 42 MISCELLANEOUS PINS 14 ______________________________________________________________________________________ Secure Microprocessor Chip The DS5003 implements a security system that loads and executes application software in encrypted form. Up to 128kB of standard SRAM (64kB program + 64kB data) can be accessed by its byte-wide bus. This SRAM is converted by the DS5003 into lithium-backed nonvolatile storage for program and data. Data can be maintained for up to 10 years at room temperature with a very small lithium cell. As a result, the contents of the SRAM and the execution of the software appear unintelligible to the outside observer. The encryption algorithm uses an internally stored and protected key. Any attempt to discover the key value results in its erasure, rendering the encrypted contents of the SRAM useless. The secure microprocessor chip provides a strong software-encryption algorithm that incorporates elements of DES encryption. The encryption is based on a 64-bit key word, and the key can only be loaded from an onchip true random-number generator. As a result, the user never knows the true key value. A self-destruct input (SDI) pin is provided to interface to external tamper-detection circuitry. With or without the presence of VCC, activation of the SDI pin has the same effect as resetting the security lock: immediate erasure of the key word and the 48-byte vector SRAM area. In addition, an optional top coating of the die prevents access of information using microprobing techniques. When implemented as a part of an overall secure system design, a system based on the DS5003 can typically provide a level of security that requires more time and resources to defeat than necessary for unauthorized individuals who have reason to try. Figure 8 is a block diagram illustrating the internal architecture of the DS5003. The DS5003 operates in an identical fashion to the DS5002FP, except where noted in text. Secure Operation Overview The DS5003 incorporates encryption of the activity on its byte-wide address/data bus to prevent unauthorized access to the program and data information contained in the external SRAM. Loading an application program in this manner is performed by the bootstrap loader using the general sequence described as follows: 1) Activate bootstrap loader by asserting the PROG pin low for at least 48 clocks. 2) Clear security lock. 3) Set memory map configuration. These settings are identical to those used for DS5002FP-based designs. 4) Load application software. 5) Set security lock. 6) Exit loader by taking the PROG pin high again. Loading of application software into the program/data SRAM is performed while the DS5003 is in its bootstrap load mode. Loading is only possible when the security lock is clear. If the security lock was previously set, it must be cleared by issuing the U command from the bootstrap loader. Clearing the security lock instantly clears the previous key word and the contents of the vector SRAM. In addition, the bootstrap ROM writes zeros into the first 32kB of external SRAM. The user’s application software is loaded into user-supplied external SRAM by the L command in “scrambled” form through on-chip encryptor circuits. Each external SRAM address is an encrypted representation of an onchip logical address. Thus, the sequential instructions of an ordinary program or data table are stored nonsequentially in SRAM memory. The contents of the program/data SRAM are also encrypted. Each byte in SRAM is encrypted by a key- and address-dependent encryptor circuit such that identical bytes are stored as different values in different memory locations. The encryption of the program/data SRAM is dependent on an on-chip 64-bit key word. The key is automatically generated by the ROM firmware just prior to the time that the application software is loaded, and is retained as nonvolatile information in the absence of VCC by the lithium-backup circuits. After the application software loading is complete, the key is protected by setting the on-chip security lock, which is also retained as nonvolatile information in the absence of VCC. Any attempt to tamper with the key word and, thereby, gain access to the true program/data SRAM contents results in the erasure of the key word as well as the SRAM contents. During execution of the application software, logical addresses on the DS5003 that are generated from the program counter or data pointer registers are encrypted before they are presented on the byte-wide address bus. Op codes and data are read back and decrypted before they are operated on by the CPU. Similarly, data values written to the external NV SRAM storage during program execution are encrypted before they are presented on the byte-wide data bus during the write operation. This encryption/decryption process is performed in real time such that no execution time is lost, so the operation of the encryptor circuitry is transparent to the application software. The DS5003’s security features are always enabled. ______________________________________________________________________________________ 15 DS5003 Detailed Description DS5003 Secure Microprocessor Chip XTAL1 XTAL2 OSC WATCHDOG TIMER R/W 4 ADDRESS/ DATA ENCRYPTORS RST ALE PROG P0.7 P0.6 P0.5 P0.4 P0.3 P0.2 P0.1 P0.0 P1.7 P1.6 P1.5 P1.4 P1.3 P1.2 P1.1 P1.0 BYTEADDRESS WIDE BUS DATA INTERFACE BA0–BA14 8 BD0–BD7 4 TIMING AND BUS CONTROL SPECIAL FUNCTION REGISTERS PORT 0 CE1–CE4 16 DATA REGISTERS WITH ENHANCED INDIRECT ADDRESSING (256 BYTES) ENCRYPTION KEYS POWER MONITOR PE1–PE4 SDI VCC VCCO PF VRST VLI PORT 1 VECTOR RAM (48 BYTES) CPU P2.7 P2.6 P2.5 P2.4 P2.3 P2.2 P2.1 P2.0 P3.7 P3.6 P3.5 P3.4 P3.3 P3.2 P3.1 P3.0 PORT 2 PORT 3 BOOTSTRAP LOADER ROM DS5003 TXD RXD TIMER 0 TIMER 1 INT0 INT1 Figure 8. Block Diagram 16 ______________________________________________________________________________________ Secure Microprocessor Chip PROGRAM COUNTER entire memory range, which is configured during bootstrap loading for access on the byte-wide bus. As bootstrap loading of the application software is performed, the data encryptor logic transforms the op code, operand, or data byte at any given memory location into an encrypted representation. As each byte is read back to the CPU during program execution, the internal data encryptor restores it to its original value. When a byte is written to the external nonvolatile program/data SRAM during program execution, that byte is stored in encrypted form as well. The data encryption logic uses the value of the 64-bit key, the logical address to which the data is being written, and the value of the data itself to form the encrypted data, which is written to the nonvolatile program/data SRAM. The encryption algorithm is repeatable, such that for a given data value, encryption key value, and logical address the encrypted byte is always the same. However, there are many possible encrypted data values for each possible true-data value due to the algorithm’s dependency on the values of the logical address and encryption key. DATA POINTER ENCRYPTED BYTE-WIDE ADDRESS BUS SECURE INTERNAL ADDRESS BUS ADDRESS ENCRYPTOR 16 BOOTSTRAP LOADER RANDOMNUMBER GENERATOR SECURITY LOCK EXTERNAL BYTE-WIDE RAM 64-BIT ENCRYPTION KEY ENCRYPTED BYTE-WIDE DATA BUS SECURE INTERNAL DATA BUS DATA ENCRYPTOR 8 SDI (SELF-DESTRUCT INPUT) Figure 9. Security Circuitry ______________________________________________________________________________________ 17 DS5003 Security Circuitry Figure 9 shows the on-chip functions associated with the DS5003’s software security feature. Encryption logic consists of an address encryptor and a data encryptor. Although each encryptor uses its own algorithm for encrypting data, both depend on the 64-bit key word that is contained in the encryption key registers. Both the encryptors operate during loading of the application software and also during its execution. The address encryptor translates each logical address, i.e., the normal sequence of addresses that are generated in the logical flow of program execution, into an encrypted address (or physical address) at which the byte is actually stored. Each time a logical address is generated, either during program loading or during program execution, the address encryptor circuitry uses the value of the 64-bit key word and of the address itself to form the physical address, which are presented on the address lines of the SRAM. The encryption algorithm is such that there is one and only one physical address for every possible logical address. The address encryptor operates over the DS5003 Secure Microprocessor Chip When the application software is executed, the DS5003’s internal CPU operates as normal. Logical addresses are calculated for op code fetch cycles and also data read and write operations. The DS5003 can perform address encryption on logical addresses as they are generated internally during the normal course of program execution. In a similar fashion, data is manipulated by the CPU in its true representation. However, data is also encrypted when it is written to the external program/data SRAM, and is restored to its original value when it is read back. When an application program is stored in the previously described format, it is virtually impossible to disassemble op codes or to convert data back into its true representation. Address encryption has the effect that the op codes and data are not stored in the contiguous form in which they were assembled, but rather in seemingly random locations in memory. This effect makes it virtually impossible to determine the normal flow of the program. As an added protection measure, the address encryptor also generates dummy read-access cycles whenever time is available during program execution. Dummy Read Cycles Like the DS5002FP, the DS5003 generates a dummy read-access cycle to nonsequential addresses in external SRAM memory whenever time is available during program execution. This action further complicates the task of determining the normal flow of program execution. During these pseudorandom dummy cycles, the SRAM is read to all appearances, but the data is not used internally. Through the use of a repeatable exchange of dummy and true read cycles, it is impossible to distinguish a dummy cycle from a real one. Encryption Algorithm The DS5003 incorporates a proprietary hardware algorithm that performs the scrambling of address and data on the byte-wide bus to the SRAM. Improvements include the following: • 64-bit encryption key (protected by the security lock function). • Incorporation of DES-like operations to provide a greater degree of nonlinearity. • Customizable encryption. Encryption Key As previously described, the on-chip 64-bit encryption key is the basis of both the address and data encryptor circuits. When the loader is given certain commands, the key is generated from an on-chip hardware random-number generator. This action is performed just prior to actually loading the code into the external 18 SRAM. This scheme prevents characterization of the encryption algorithm by continuously loading new, known keys. It also frees the user from the burden of protecting the key selection process. The random-number generator circuit uses the asynchronous frequency differences of two internal ring oscillators and the processor master clock (determined by XTAL1 and XTAL2). As a result, a true random number is produced. Vector RAM A 48-byte vector RAM area is incorporated on-chip, and is used to contain the reset and interrupt vector code in the DS5003. It is included in the architecture to help ensure the security of the application program. If reset and interrupt vector locations were accessed from the external nonvolatile program/data RAM during the execution of the program, it would be possible to determine the encrypted value of known addresses. This could be done by forcing an interrupt or reset condition and observing the resulting addresses on the byte-wide address/data bus. For example, it is known that when a hardware reset is applied, the logical program address is forced to location 0000h and code is executed starting from this location. It would then be possible to determine the encrypted value (or physical address) of the logical address value 0000h by observing the address presented to the external SRAM following a hardware reset. Interrupt vector address relationships could be determined in a similar fashion. By using the on-chip vector RAM to contain the interrupt and reset vectors, it is impossible to observe such relationships. The vector RAM eliminates the unlikely possibility that an application program could be deciphered by observing vector address relationships. Note that the dummy accesses mentioned are conducted while fetching from vector RAM. The vector RAM is automatically loaded with the user’s reset and interrupt vectors from the Intel hex file during bootstrap loading. Security Lock Once the application program has been loaded into the DS5003’s external and vector RAM, the security lock can be enabled by issuing the Z command in the bootstrap loader. While the security lock is set, no further access to program/data information is possible by the on-chip ROM. Access is prevented by both the bootstrap loader firmware and the DS5003 encryptor circuits. Access to the SRAM can only be regained by clearing the security lock by the U command in the bootstrap ______________________________________________________________________________________ Secure Microprocessor Chip Self-Destruct Input (SDI) The self-destruct input (SDI) pin is an active-high input that is used to reset the security lock in response to a variety of user-defined external events. The SDI input is intended to be used with external tamper-detection circuitry. It can be activated with or without operating power applied to the VCC pin. Activation of the SDI pin instantly resets the security lock and causes the same sequence of events previously described for this action. In addition, power is momentarily removed from the byte-wide bus interface including the V CC pin, resulting in the loss of data in external SRAM. 256-byte scratchpad RAM area are automatically overwritten with zeros and then used for variable storage for the bootstrap firmware. Also, a set of 8 bytes is generated using the random-number generator circuitry and saved as a potential word for the 64-bit encryption key. Any read or write operation to the DS5003’s external program/data SRAM can only take place if the security lock bit is in a cleared state. Therefore, the first step in loading a program should be the clearing of the security lock bit through the U command. Table 1. Serial Bootstrap Loader Commands COMMAND C Return CRC-16 of the program/data SRAM. D Dump RAM memory specified by MSL bit as Intel hex format. F Fill program/data SRAM. G Get data from P0, P1, P2, and P3. L Load Intel hex file. N Set freshness seal—all program and data is lost. P Put data into P0, P1, P2, and P3. R Read status of SFRs (MCON, RPCTL, MSL). T Trace (echo) incoming Intel hex code. U Clear security lock. V Verify program/data memory with incoming Intel hex data. W Write special function registers (MCON, RPCTL, MSL). Z Set security lock. Top-Layer Coating The DS5003M is provided with a special top-layer coating that is designed to prevent a probe attack. This coating is implemented with second-layer metal added through special processing of the microcontroller die. This additional layer is not a simple sheet of metal, but rather a complex layout that is interwoven with power and ground, which are in turn connected to logic for the encryption key and the security lock. As a result, any attempt to remove the layer or probe through it results in the erasure of the security lock and/or the loss of encryption key bits. Bootstrap Loading Initial loading of application software into the DS5003 is performed by firmware within the on-chip bootstrap loader communicating with a PC by the on-chip serial port. Table 1 summarizes the commands accepted by the bootstrap loader. When the bootstrap loader is invoked, portions of the FUNCTION Execution of certain bootstrap loader commands result in the loading of the newly generated 64-bit random number into the encryption key word. These commands are as follows: Fill F Load L Dump D Verify V CRC C Execution of the Fill and Load commands load the encrypted data into SRAM using encryption keys from the newly generated key word. The subsequent execution of the Dump command within the same bootstrap session causes the contents of the encrypted SRAM to ______________________________________________________________________________________ 19 DS5003 loader. This action triggers several events that defeat tampering. First, the encryption key is instantaneously erased. Without the encryption key, the DS5003 can no longer decrypt the contents of the SRAM. Therefore, the application software can no longer be correctly executed, nor can it be read back in its true form by the bootstrap loader. Second, the vector RAM area is also instantaneously erased, so that the reset and vector information is lost. Third, the bootstrap loader firmware sequentially erases the encrypted SRAM area. Lastly, the loader creates and loads a new random key. The security lock bit is constructed using a multiple-bit latch that is interlaced for self-destruction in the event of tampering. The lock is designed to set up a “domino effect” such that erasure of the bit results in an unstoppable sequence of events that clears critical data including encryption key and vector RAM. In addition, this bit is protected from probing by the top-coating feature. DS5003 Secure Microprocessor Chip be read out and transmitted back to the host PC in decrypted form. Similarly, execution of the Verify command within the same bootstrap session causes the incoming absolute hex data to be compared against the true contents of the encrypted SRAM, and the CRC command returns the CRC value calculated from the true contents of the encrypted SRAM. As long as any of these commands are executed within the same bootstrap session, the loaded key value remains the same and the contents of the encrypted program/data SRAM can be read or written normally and freely until the security lock bit is set. When the security lock bit is set using the Z command, no further access to the true SRAM contents is possible using any bootstrap command or by any other means. A more extensive explanation of the serial loader operation can be found in the Secure Microcontroller User’s Guide (www.maxim-ic.com/SecureUG). PROGRAM MEMORY Instruction Set The DS5003 executes an instruction set that is objectcode compatible with the industry-standard 8051 microcontroller. As a result, software development packages such as assemblers and compilers that have been written for the 8051 are compatible with the DS5003. A complete description of the instruction set and operation is provided in the Secure Microcontroller User’s Guide. Memory Organization Figure 10 illustrates the memory map accessed by the DS5003. The entire 64kB of program and 64kB of data are potentially available to the byte-wide bus. This preserves the I/O ports for application use. The user controls the portion of memory that is actually mapped to the byte-wide bus by selecting the program range and data range. Any area not mapped into the SRAM is DATA MEMORY (MOVX) FFFFh 64kB PROGRAM RANGE DATA RANGE NV RAM PROGRAM NV RAM DATA 0000h LEGEND: = BYTE-WIDE BUS ACCESS (ENCRYPTED) = EXPANDED BUS (PORTS 0 AND 2) = NOT AVAILABLE Figure 10. Memory Map in Nonpartitionable Mode (PM = 1) 20 ______________________________________________________________________________________ Secure Microprocessor Chip PROGRAM MEMORY Figure 13 illustrates a typical memory connection for a system using a 128kB SRAM. Note that in this configuration, both program and data are stored in a common SRAM chip. Figure 14 shows a similar system with using two 32kB SRAMs. The byte-wide address bus connects to the SRAM address lines. The bidirectional byte-wide data bus connects the data I/O lines of the SRAM. DATA MEMORY (MOVX) FFFFh NV RAM DATA PARTITION NV RAM PROGRAM 0000h LEGEND: = NV RAM MEMORY = EXPANDED BUS (PORTS 0 AND 2) = NOT AVAILABLE Figure 11. Memory Map in Partitionable Mode (PM = 0) ______________________________________________________________________________________ 21 DS5003 reached by the expanded bus on ports 0 and 2. An alternate configuration allows dynamic partitioning of a 64kB space as shown in Figure 11. Selecting PES = 1 provides another 64kB of potential data storage or memory-mapped peripheral space as shown in Figure 12. These selections are made using special function registers. The memory map and its controls are covered in detail in the Secure Microcontroller User’s Guide. DS5003 Secure Microprocessor Chip PROGRAM MEMORY DATA MEMORY (MOVX) FFFFh 64kB PE4 48kB PARTITION PE3 32kB PE2 NV RAM PROGRAM 4000h 16kB PE1 0000h LEGEND: = BYTE-WIDE PROGRAM (ENCRYPTED) = NOT ACCESSIBLE Figure 12. Memory Map with PES = 1 +5V 13 54 VCC VCCO VLI R/W +3V LITHIUM DS5003 CE1 CE2 12 32 10 29 74 22 2 2 VCC WE CS2 CS1 OE A16 PORT 0 PORT 1 14 BA14–BA0 PORT 2 CE3 PORT 3 BD7–BD0 MSEL GND 30 24 128kB x 8 SRAM A14–A0 63 31 A15 D7–D0 52 16 GND Figure 13. Connection to 128kB x 8 SRAM 22 ______________________________________________________________________________________ Secure Microprocessor Chip 13 54 VCC VCCO VLI R/W +3V LITHIUM DS5003 CE1 CE2 12 28 10 27 74 20 2 DS5003 +5V VCC WE 32kB x 8 SRAM CS OE 22 A14–A0 PORT 0 PORT 1 BA14–BA0 D7–D0 14 PORT 2 PORT 3 +5V 14 MSEL GND BD7–BD0 GND 52 28 27 20 VCC WE 32kB x 8 SRAM CS OE 22 A14–A0 D7–D0 14 GND Figure 14. Connection to 64kB x 8 SRAM Power Management The DS5003 monitors VCC to provide power-fail reset, early warning power-fail interrupt, and switchover to lithium backup. It uses an internal bandgap reference in determining the switch points. These are called VPFW, VCCMIN, and VLI, respectively. When VCC drops below V PFW, the DS5003 performs an interrupt and vectors to location 2Bh if the power-fail warning was enabled. Full processor operation continues regardless. When power falls further to VCCMIN, the DS5003 invokes a reset state. No further code execution is performed unless power rises back above V CCMIN. All decoded chip enables and the R/W signal go to an inactive (logic 1) state. VCC is still the power source at this time. When VCC drops further to below VLI, internal circuitry switches to the lithium cell for power. The majority of internal circuits are disabled and the remaining nonvolatile states are retained. Any devices con- nected to VCCO are powered by the lithium cell at this time. V CCO is at the lithium battery voltage minus approximately 0.45V (less a diode drop), depending on the load. Low-power SRAMs should be used for this reason. When using the DS5003, the user must select the appropriate battery to match the SRAM data-retention current and the desired backup lifetime. Note that the lithium cell is only loaded when VCC < VLI. The Secure Microcontroller User’s Guide has more information on this topic. The trip points VCCMIN and VPFW are listed in the electrical specifications. Package Information (For the latest package outline information, go to www.maxim-ic.com/DallasPackInfo.) PACKAGE TYPE PACKAGE CODE DOCUMENT NO. 80 MQFP — 56-G4005-001 ______________________________________________________________________________________ 23 P0.5/AD5 PE1 P0.6/AD6 BA10 P0.7/AD7 CE1 N.C. CE1N BD7 ALE BD6 N.C. BD5 P2.7/A15 BD4 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 P2.6/A14 2 63 CE3 PE2 3 62 CE4 BA9 4 61 BD3 P0.3/AD3 5 60 P2.5/A13 BA8 6 59 BD2 P0.2/AD2 7 58 P2.4/A12 BA13 8 57 BD1 P0.1/AD1 9 56 P2.3/A11 R/W 10 55 BD0 P0.0/AD0 11 54 VLI VCCO 12 53 SDI VCC 13 52 GND MSEL 14 51 P2.2/A10 P1.0 15 50 P2.1/A9 BA14 16 49 P2.0/A8 P1.1 17 48 XTAL1 BA12 18 47 XTAL2 P1.2 19 46 P3.7/RD BA7 20 45 P3.6/WR P1.3 21 44 P3.5/T1 PE3 22 43 PF PE4 23 42 VRST BA6 24 41 P3.4/T0 34 35 36 37 38 39 40 RST BA1 P3.0/RXD BA0 P3.1/TXD P3.2/INT0 P3.3/INT1 31 P1.7 33 30 BA3 BA2 29 P1.6 32 28 BA4 PROG 27 P1.5 DS5003 26 CE2 + BA5 1 25 P0.4/AD4 BA11 TOP VIEW 80 Pin Configuration P1.4 DS5003 Secure Microprocessor Chip MQFP Maxim cannot assume responsibility for use of any circuitry other than circuitry entirely embodied in a Maxim product. No circuit patent licenses are implied. Maxim reserves the right to change the circuitry and specifications without notice at any time. 24 ____________________Maxim Integrated Products, 120 San Gabriel Drive, Sunnyvale, CA 94086 408-737-7600 © 2008 Maxim Integrated Products is a registered trademark of Maxim Integrated Products, Inc.