M AN665 Using KEELOQ¨ to Generate Hopping Passwords Author: Lucio Di Jasio Arizona Microchip Technology, Italy INTRODUCTION The purpose of this application note is to demonstrate how KEELOQÒ code hopping technology can be conveniently employed to implement an automatic code hopping password generator/keypad. Using a PIC12C508, the hopping code produced by an HCS300 is converted to a string of 16 hex digits. This string is then transferred to the PC via the keyboard line, thereby emulating the actual pressure of a sequence of keys on a standard PC/AT ® keyboard. Since this conversion process is transparent to any application, it appears as if the user is simply typing on a PC/AT-type keyboard. An ideal situation for implementing this application would be in creating a “super password” for general, access-control secure logins when transmitting information onto the internet (i.e., through a browser) or a Java applet. THE “HOPPING” ADVANTAGE Password-based access control systems are very popular today, but the level of security they provide are often overestimated. Being basically a unidirectional transmission, a password-based system has two very important shortcomings which can lead to unauthorized access: the code is fixed, and the number of possible combinations is relatively low. The growing speed of communication lines and the computing power of available systems increases the chance of a brute force attack or “code scanning.” The use of unsecure means of transmission, where code “grabbing” is possible (i.e., a typical modem connection over phone lines), can make the use of a fixed code highly undesirable. Note that these are the same situation that led to the introduction of the “code hopping” concept in the remote control market. The basic idea is to have the access code change each time it is used through a sequence where the new codes cannot be predicted even knowing a very large number of previously used ones. Producing such a sequence requires the use of a solid encryption engine. Microchip Technology is currently offering a broad range of encoders based on the proprietary KEELOQ code hopping technology. These encoders make producing a code hopping remote control easy, but as we will see, can also be conveniently used to add the hopping advantage to old password based access control systems in a transparent way. FIGURE 1: HCS300 AND PIC12C508 PINOUT DIAGRAMS HCS300 PIC12C508 S1 2 S2 3 S3 4 8 VDD VDD 7 LED GP5/OSC1/CLKIN 6 PWM 5 VSS GP4/OSC2 GP3/MCLR/VPP 1 2 3 4 PIC12C508 1 HCS300 S0 8 7 6 5 VSS GP0 GP1 GP2/T0CKI KEELOQ is a registered trademark of Microchip Technology, Inc. Microchip’s Secure Data Products are covered by some or all of the following patents: Code hopping encoder patents issued in Europe, U.S.A., and R.S.A. — U.S.A.: 5,517,187; Europe: 0459781; R.S.A.: ZA93/4726 Secure learning patents issued in the U.S.A. and R.S.A. — U.S.A.: 5,686,904; R.S.A.: 95/5429 IBM PC-AT, IBM and AT are registered trademarks of International Business Machines Corporation ã 1997 Microchip Technology Inc. DS00665A-page 1 AN665 INTRODUCTION TO KEELOQ ENCODERS The synchronization information is used at the decoder to determine whether a transmission is valid or is a repetition of a previous transmission. Previous codes are rejected to safeguard against code grabbers. All KEELOQ encoders use the KEELOQ code hopping technology to make each transmission by an encoder unique. The encoder transmissions have two parts. The first part changes each time the encoder is activated and is called the code hopping part and is encrypted. The second part is the unencrypted part of the transmission, principally containing the encoder serial number identifying it to a decoder. The HSC300 and HCS301 encoders transmit two overflow bits which may be used to extend the range of the synchronization counter from 65,536 to 196,608 button operations. The HCS300 and HCS301 encoders include provision for four bits of function information and two status bits in the fixed code portion of its transmission. The two status bits indicate whether a repeated transmission is being sent, and whether the battery voltage is low. The code hopping contains function information, a discrimination value, and a synchronization counter. This information is encrypted by an encryption algorithm before being transmitted. A 64-bit encryption key is used by the encryption algorithm. If one bit in the data that is encrypted changes, the result is that an average of half the bits in the output will change. As a result, the code hopping changes dramatically for each transmission and can not be predicted. The Microchip HCSXXX encoders all have the ability to transmit a fixed seed. The seed value is programmed into the encoder when the encoder is first initialized along with the counters, key, serial number, and other information. The seed length differs from encoder to encoder, with the HCS300 and HCS301 having a 32-bit seed. FIGURE 2: KEELOQ ENCODER CODE WORD TRANSMISSION FORMAT LOGIC ‘0’ LOGIC ‘1’ Bit Period Preamble TP Header TH Fixed Portion of Transmission TFIX Encrypted Portion of Transmission THOP Guard Time TG FIGURE 3: KEELOQ ENCODER CODE WORD ORGANIZATION Fixed Code Data VLOW and Button Repeat Status Status (4 bits) (2 bits) 28-bit Serial Number Encrypted Code Data Button Overflow Discrimination bits bits Status (10 bits) (4 bits) (2 bits) 16-bit Sync Value Encrypted using BLOCK CIPHER Algorithm 2 bits of Status + Serial Number and Button Status (32 bits) + 32 bits of Encrypted Data Transmission Direction DS00665A-page 2 ã 1997 Microchip Technology Inc. AN665 The IBM PC-AT® Keyboard Protocol FIGURE 4: HCS300 BLOCK DIAGRAM Oscillator Controller Reset circuit IBM® was the first to introduce the synchronous serial protocol most of today’s PC-ATs use to communicate with a keyboard. This now-standard, 5-pole shielding connector (Figure 5) carries the clock line, data line, ground, and +5V power supply in order to transmit data bidirectionally from the keyboard to the PC. Power latching and switching LED LED driver EEPROM Typically, data travelling from the keyboard to the PC is accomplished by either key pressure or release information. However, some configuration data (i.e., repeat, delay, and rate) can flow in the opposite direction – for example, during a system boot. The keyboard drives the clock line by using open collector drivers. To disable the keyboard, the PC can keep the clock line low. If the data line is held low by the PC while the clock line is high, the computer transmits a requests to send, and the keyboard goes into receive mode. The keyboard is only allowed to send data when both the clock line and data line are high. Encoder PWM 32-bit shift register VSS Button input port VDD S3 S2 S1 S0 FIGURE 5: STANDARD 5-POLE CONNECTOR 1 1 = Clock 2 = Data 3 = GND 4 = GND 5 = +5V 3 4 5 2 FIGURE 6: AT® KEYBOARD PROTOCOL Keyboard Clock Keyboard Data PC Data 1 2 Start Bit LSB LSB 3 4 5 6 7 8 MSB 9 10 11 MSB Parity Stop Bit Parity Stop Bit Start Bit Keyboard pulls low ã 1997 Microchip Technology Inc. DS00665A-page 3 AN665 Keyboard Transmission Key Pressure Release Encoding The keyboard pulls the data line low (start bit) and starts the clock. The eight data bits (least significant bit first) are shifted out, followed by the parity (odd), and stop bit (high). Data is valid after the falling edge of the clock and changes after the rising edge of the clock. If no data is transmitted, both the clock line and data line are high. If the computer pulls the clock line low for at least 60 ms before the tenth bit is transmitted, the keyboard stops the transmission and stores the aborted data in a buffer for retransmission at a later time. Key pressure is communicated to the PC by sending a scan code. Table 1 lists the scan codes corresponding to keys ‘0’…’F’. Release is communicated by sending the break code (0F0), followed by the previous scan code. Keyboard Receiving The computer pulls the data line low (start bit), after which the keyboard starts to shift out 11 clock pulses within 15 ms. Transmission has to be completed within 2 ms. Data from the computer changes after the falling edge of the clock line, and is valid before the rising edge of the clock. After the start bit, eight data bits (least significant bit first), followed by the parity bit (odd), and the stop bit (high) are shifted out by the computer with the clock signal provided by the keyboard. The keyboard pulls the stop bit low in order to acknowledge the receipt of the data. If a transmission error occurs (parity error or similar) the keyboard issues a “RESEND” command to the PC. DS00665A-page 4 TABLE 1: SCAN CODES Codes Key 45 ‘0’ 16 ‘1’ 1E ‘2’ 26 ‘3’ 25 ‘4’ 2E ‘5’ 36 ‘6’ 3D ‘7’ 3E ‘8’ 46 ‘9’ 1C ‘A’ 32 ‘B’ 21 ‘C’ 23 ‘D’ 24 ‘E’ 2B ‘F’ ã 1997 Microchip Technology Inc. AN665 Proposing a Demo Keypad/Dongle Implementation Power consumption has to be the lowest possible in order not to excessively load the line. Size and component count should also be kept to the possible minimum in order to allow for a very small package. Ideally, the whole circuit should fit into a small gap between the two connectors. The password generator fits between the keyboard and the PC. A 5-pin plug connects to the PC, supplying power to our device, and the keyboard plugs into the 5-pin socket (Figure 7). The clock and data lines are passed between the PC and keyboard, allowing normal keyboard operations. When S1 is activated, the PIC12C508 receives the new message (16 hex digits) produced by the KEELOQ HCS300 Encoder. The PIC12C508 will then emulate the keyboard, sending the appropriate sequence of key press and key release messages to the PC. To prevent the keyboard from interpreting this transmission as a ‘request to send’ from the PC, it is necessary to isolate the keyboard from the clock line and data line during the transmission. In the implementation we are proposing, an HCS300 KEELOQ code hopping encoder is used together with a PIC12C508 microcontroller.For simplicity, a standard CMOS quadruple switch (4066) is used to alternatively connect the dongle or the keyboard to the PC line. The HCS300 and the PIC12C508 (both available in 8-pin DIP or SOIC packages), draw extremely low currents as well as internally produce the clock required to operate the dongle. Beside a couple of pull-up resistors required for the clock line and data line, no other components are required to obtain a fully functional hopping password dongle (Figure 7). The KEELOQ HCS300 Encoder can be part of the dongle or can be removable, like a key, in order to allow different encoders with different encryption keys or serial numbers to be easily exchanged. FIGURE 7: KEYPAD/DONGLE SCHEMATIC To PC keyboard socket 5 1 2 5V 3 GND 5K6 5V 5K6 100 nF 1 S0 2 S1 VDD 8 LED 7 3 S2 PWM 6 4 S3 VSS 5 HCS300 1 VDD VSS 8 CLK 7 2 LED 3 HCSIN 4 NU DATA 6 SWITCH 5 PIC12C508 1K 2 4 4066 5,13 1 3 5V 5 GND 1 2 3 From keyboard ã 1997 Microchip Technology Inc. DS00665A-page 5 AN665 Software Implementation Decoding Options The software is composed of three short code segments: A code hopping password can be used to validate access to a wide variety of electronic services providing the recipient application (typically, it will be some software running on a server) is capable of following some simple decryption and verification steps. The fixed unencrypted part of the code (last 8 digits) can be used to identify the user (7 digits) and the function activated on the encoder (1 out of 15, corresponding to the last digit). • Receive routine for the KEELOQ HCS300 Encoder • Keyboard Emulation Routines • Main loop routine. Receive Routine for the HCS300 Encoder (RECEIVE) The RECEIVE routine gathers the first 64 bits transmitted by the HCS300, ignoring the last two bits (repeat and battery status) as they carry no useful information for this application, and packs them into a 8-bytes buffer (Buffer0…Buffer7). Keyboard Emulation Routines (Sendbit, SendKey) These implement the transmission of the key scan codes according to the IBM-PC/AT keyboard protocol. Main Loop While the CMOS switch connects the PC to the keyboard clock and data lines, the LED output line is continuously polled to detect the activation of the HCS300 The hopping part has to be decrypted using the appropriate 64-bit decryption key. Depending on the desired level of security, many different key generation and management techniques can be adopted. For example, the key could be deduced by the User ID and a Manufacturer’s Key, by the “seed” code of the encoder or could simply be a fixed 64-bit constant. Learning techniques can also be applied so that the application actually autonomously acquires the required keys and builds a database of users, ID codes, and decryption keys. For a further analysis, consult the following literature: AN645 Any combination of its four input lines after debouncing activates the encoder. PIC16C57 Based Code Hopping Security System (DS00645) AN662 When the LED line goes low, the CMOS switch is activated to isolate the clock and data lines from the keyboard. The RECEIVE routine is called. KEELOQ Code Hopping Decoder Using Secure Learn (DS00662) AN663 KEELOQ Simple Code Hopping Decoder (DS00663) TB001 An Introduction to KeeLoq Code Hopping (DS91000A) TB003 An Introduction to KEELOQ Code Hopping (DS91002A). Note: Upon successfully receiving a transmission, a loop is entered where 16 hex digits from the receive buffer are transmitted as a sequence of key press and key release messages, separated by appropriate delays repetitively calling the SENDKEY subroutine. . The software has been developed in the simplest possible form and, therefore, is open to a number of optimizations. For example: • The PIC12C508 could be put to “sleep” to further reduce power consumption. • The encoder could be removable and its presence/activation should be properly detected. • For simplicity, the presented RECEIVE routine requires a 400 ms transmission speed being configured in the encoder, while a more flexible multibaud rate routine can be used as presented in various other application notes. • A second code word could be compared with the first code word received to recognize transmission errors (although highly improbable when the encoder is wired to the PIC12508), since there is no decryption, there is no other means to tell that the transmission has not been corrupted. DS00665A-page 6 ã 1997 Microchip Technology Inc. AN665 Please check the Microchip Worldwide Web at www.microchip.com for the latest version of the source code. APPENDIX A: HOPPASW.LST MPASM 01.40 Released LOC OBJECT CODE VALUE HOPPASW.ASM 2-20-1997 16:45:24 PAGE 1 LINE SOURCE TEXT 00001 00002 00003 00004 00005 00006 00007 00008 00009 00010 00011 00012 00013 00014 00015 00016 00017 00018 00019 00020 00021 00022 00023 00024 00025 00026 00027 00028 00029 00030 00031 00032 00001 00002 00103 00033 0FFF 0FEA 00034 01FF 0000 0003 0001 00035 0002 00036 00037 00038 00039 00040 00041 00042 00043 00044 00045 00046 00047 00048 ã 1997 Microchip Technology Inc. LIST PROCESSOR RADIX n=0, c=132 PIC12C508 HEX ;* filename: HOPPASW.ASM ;********************************************************************** ;* Author: Lucio Di Jasio ;* Company: Microchip Technology ;* Revision: RevA0 ;* Date: 4-sept-96 ;* Assembled using: MPASM rev. 1.40 ;********************************************************************** ;* include files: ;* p12C508.inc ;* ;********************************************************************** ;* HCS300 to keyboard interface, for hopping password generation ;* ;* / / ;* HCS300 |5V |5V ;* +-------+ | | +--------+ ;* Key1-+S1 +-+ +-+Vdd +-----GND ;* Key2-+S2 LED+---------------------+LED +-----PCCLK ;* Key3-+S3 PWM+---------------------+HCSIN +-----DATA ;* Key4-+S4 +-+ -+nc +-----SWITCH ;* +-------+ | +--------+ ;* | ;* VGnd ;* ;********************************************************************** INCLUDE Ò\pic\include\p12c508.incÓ LIST ; P12C508.INC Standard Header File, Vers 1.01 Microchip Technology. Inc. LIST __CONFIG _IntRC_OSC & _MCLRE_OFF & _CP_OFF & _WDT_OFF __IDLOCS HÕ0312Õ ;********************************************************************** ;* internal 4MHz clock ;* internal reset ;* no code protect (?) ;* no watchdog ;* ID code is Ò0312Ó ;********************************************************************** ; ; pin description ; #define LED GPIO,5 ; Led from HCS300 DS00665A-page 7 AN665 00000007 00000008 00000009 0000000A 0000000B 0000000C 0000000D 0000000E 0000000F 00000010 00000011 00000012 00000013 00000014 00000015 00000016 0000 0000 0000 0025 0001 0A7A 0002 0002 0003 0004 0005 0006 0007 0008 0009 000A 000B 000C 000D 000E 000F 0010 0011 0012 01E2 0845 0816 081E 0826 0825 082E 0836 083D 083E 0846 081C 0832 0821 0823 0824 082B DS00665A-page 8 00049 00050 00051 00052 00053 00054 00055 00056 00057 00058 00059 00060 00061 00062 00063 00064 00065 00066 00067 00068 00069 00070 00071 00072 00073 00074 00075 00076 00077 00078 00079 00080 00081 00082 00083 00084 00085 00086 00087 00088 00089 00090 00091 00092 00093 00094 00095 00096 00097 00098 00099 00100 00101 00102 00103 00104 00105 00106 00107 00108 00109 00110 00111 00112 00113 00114 #define #define #define #define HCSIN NC SWITCH DATA GPIO,4 GPIO,3 GPIO,2 GPIO,1 ; ; ; ; PWM from HCS300 not used sense clock line to/from PC data to PC #define PCCLK 0 ; clock to PC #define MASKDEF #define MASKLOW #define MASKHIGH bÕ11111011Õ ; only SWITCH pin in output bÕ11111001Õ ; prepare data low bÕ11111011Õ ; prepare data high ; ; RAM assignments ; CBLOCK 07 BUFFER0 ; receive buffer for hcs300 BUFFER1 BUFFER2 BUFFER3 BUFFER4 BUFFER5 BUFFER6 BUFFER7 BITCOUNT ; counters BYTECOUNT ; TIMEHI ; timing TIMELO ; PARITY ; transmission parity bit AUX ; g.p. KEY ; key to encode GPIOTEMP ; temp copy of tris register ENDC ;---------------------------------------------------------------------ORG 0 movwf goto OSCCAL Main Start ; calibrate ;---------------------------------------------------------------------; keyscan table ; ScanCode addwf PCL,F retlw 45 ; key Ô0Õ retlw 16 ; key Ô1Õ retlw 1E ; key Ô2Õ retlw 26 ; key Ô3Õ retlw 25 ; key Ô4Õ retlw 2E ; key Ô5Õ retlw 36 ; key Ô6Õ retlw 3D ; key Ô7Õ retlw 3E ; key Ô8Õ retlw 46 ; key Ô9Õ retlw 1C ; key ÔAÕ retlw 32 ; key ÔBÕ retlw 21 ; key ÔCÕ retlw 23 ; key ÔDÕ retlw 24 ; key ÔEÕ retlw 2B ; key ÔFÕ #define BREAK 0F0 ; break scan code ;********************************************************************** ;* SubDelay ã 1997 Microchip Technology Inc. AN665 00115 00116 00117 00118 00119 00120 00121 00122 00123 00124 00125 00126 00127 00128 00129 00130 00131 00132 00133 00134 00135 00136 00137 00138 00139 00140 00141 00142 00143 00144 00145 00146 00147 00148 00149 00150 00151 00152 00153 00154 00155 00156 00157 00158 00159 00160 00161 00162 00163 00164 00165 00166 00167 00168 00169 00170 00171 00172 00173 00174 00175 00176 00177 00178 00179 00180 ;* short delay functions N us ;* ;* Input Variables: ;* none ;* Output Variables: ;* none ;********************************************************************** ; SubDelay10 nop SubDelay9 nop SubDelay8 nop SubDelay7 nop SubDelay6 nop SubDelay5 nop SubDelay4 retlw 0 ; 2 call + N nop + 2 retlw ã 1997 Microchip Technology Inc. DS00665A-page 9 0013 0014 0015 0016 0017 0018 0019 001A 001A 001B 001B 001C 001C 001D 001D 001E 001F 0020 0021 0022 0022 0023 0024 0025 0026 0027 0028 0029 002A 002A 002B 0000 0000 0000 0000 0000 0000 0800 0C0F 0031 0072 02F2 0A1D 02F1 0A1C 0800 0066 0CF9 0603 0CFB 0036 0006 0C0E 0032 02F2 0A2A 002C 0416 002D 0216 002E 0006 ;********************************************************************** ;* Wait10ms ;* waits for approx 10ms ;* ;* Input Variables: ;* none ;* Output Variables: ;* none ;********************************************************************** ; Wait10ms movlw .15 ; 15 * .7ms ~= 10ms@4MHz WaitWx750 movwf TIMEHI WaitHi clrf TIMELO ; 256 * 3us ~= 750us@4MHz WaitLo decfsz TIMELO,F goto WaitLo decfsz TIMEHI,F goto WaitHi retlw 0 ;********************************************************************** ;* SendBit ;* sends a bit in AT keyboard protocol ;* ;* Input Variables: ;* STATUS,C ;* Output Variables: ;* none ;********************************************************************** ; SendBit clrf GPIO ; disable kb and clear out buffers movlw MASKLOW ; DATA low prepare btfsc STATUS,C movlw MASKHIGH ; DATA high prepare movwf GPIOTEMP ; save value tris GPIO movlw movwf .14 TIMELO decfsz goto TIMELO,F SBitT ; 45us loop (data stable) bcf movf tris GPIOTEMP,PCCLK GPIOTEMP,W GPIO ; clk fall SBitT AN665 002F 0030 0031 0031 0032 0C0F 0032 0033 0034 0035 0036 0516 0216 0006 0800 02F2 0A31 0037 0037 0034 0038 0038 0706 0039 0A38 003A 0403 003B 0922 003C 0C08 003D 002F 003E 0073 003F 003F 0040 0041 0042 0043 0044 0334 0603 02B3 0922 02EF 0A3F 0045 02B3 0046 0333 0047 0922 0048 0503 0049 0A22 DS00665A-page 10 00181 00182 00183 00184 00185 00186 00187 00188 00189 00190 00191 00192 00193 00194 00195 00196 00197 00198 00199 00200 00201 00202 00203 00204 00205 00206 00207 00208 00209 00210 00211 00212 00213 00214 00215 00216 00217 00218 00219 00220 00221 00222 00223 00224 00225 00226 00227 00228 00229 00230 00231 00232 00233 00234 00235 00236 00237 00238 00239 00240 00241 00242 00243 00244 00245 00246 movlw movwf .15 TIMELO decfsz goto TIMELO,F SBitT2 ; 45us loop (data stable) bsf movf tris retlw GPIOTEMP,PCCLK GPIOTEMP,W GPIO 0 ; clk rise SBitT2 ;********************************************************************** ;* SendKEY ;* sends a scan code to the PC ;* ;* Input Variables: ;* W ;* Output Variables: ;* none ;********************************************************************** ; SendKEY movwf AUX ; temp storage ; wait PC ready SendW btfss goto GPIO,PCCLK SendW ; test PCCLK ; loop until HIGH ; PC request ? ; btfss ; goto DATA RecKEY ; PC pull down Data? ; go receive first ; send start bit bcf call STATUS,C SendBit ; than shift out 8 bit LSB first movlw .8 movwf BITCOUNT clrf PARITY SBitL rrf btfsc incf call decfsz goto AUX,F STATUS,C PARITY,F SendBit BITCOUNT,F SBitL ; next bit incf rrf call PARITY,F PARITY,F SendBit ; parity odd ; send parity Bit bsf goto STATUS,C SendBit ; count parity ; loop for 8 bit ; send stop bit (high = released) ;********************************************************************** ;* Receive ;* receives first 64 bit transmitted by an HCS300 encoder ;* simplified to operate with 400us PWM only ;* ;* Input Variables: ;* none ã 1997 Microchip Technology Inc. AN665 00247 00248 00249 00250 00251 00252 00253 00254 00255 00256 00257 00258 00259 00260 00261 00262 00263 00264 00265 00266 00267 00268 00269 00270 00271 00272 00273 00274 00275 00276 00277 00278 00279 00280 00281 00282 00283 00284 00285 00286 00287 00288 00289 00290 00291 00292 00293 00294 00295 00296 00297 00298 00299 00300 00301 00302 00303 00304 00305 00306 00307 00308 00309 00310 00311 00312 ;* Output Variables: ;* BUFFER0..7 ;********************************************************************** ; Receive btfsc HCSIN ; wait for a falling edge goto Receive ã 1997 Microchip Technology Inc. DS00665A-page 11 004A 004A 0686 004B 0A4A 00000038 004C 006F 004D 004D 0686 004E 0A54 004F 0913 0050 0914 0051 03EF 0052 0A4D 0053 0A4A 0054 0054 07EF 0055 0A4A 0056 0C40 0057 002F 0058 0058 0C38 0059 0031 005A 0A5D 005B 005B 0C36 005C 0031 005D 005D 005E 005F 0060 0061 02B1 0643 0A4A 0686 0A5D 0062 0C38 0063 0032 0064 0064 0065 0066 0067 0068 02B2 0643 0A4A 0786 0A64 0069 0211 006A 00B2 006B 032E ; will accept sync pulses from 3.0 to 6.1 ms. ; more than 128 cycles but less than 256 ; each cycle is 24 us @4MHz ; PREBIT EQU .56 clrf BITCOUNT ; init counter btfsc goto HCSIN Rise2 ; wait rising edge call call SubDelay10 SubDelay9 ; 24us per cycle ; incfsz goto goto BITCOUNT,F Rise Receive ; more than 6,0ms timeout ; waiting loop ; timeout restart btfss goto BITCOUNT,7 Receive ; if bit7=1 ok ; else less than Rise Rise2 3.0 ms timeout ;------------------------------------------------------------------; read folowing 8 bytes (ignore last 2 bit) ; movlw .64 ; 8 bit per byte movwf BITCOUNT ; FirstPreload movlw movwf goto PREBIT TIMEHI WHL ; first bit needs no balance movlw movwf PREBIT-2 TIMEHI ; preload counter ; balance extra rrf time incf btfsc goto btfsc goto TIMEHI,F STATUS,Z Receive HCSIN WHL ; measure high period movlw movwf PREBIT TIMELO ; preload counter incf btfsc goto btfss goto TIMELO,F STATUS,Z Receive HCSIN WLL ; measure low period RNextBit WHL ; after 1.2ms (200*6) timeout ; loop while High ; WLL ; shift in the new bit movf TIMEHI,W subwf TIMELO,F rrf BUFFER7,F ; after 1.2ms (200*6) timeout ; loop while Low ; if TIMEHI > TIMELO Carry = 0 ; insert bit in buffer AN665 006C 006D 006E 006F 0070 0071 0072 032D 032C 032B 032A 0329 0328 0327 0073 0074 0075 0076 0CE0 0152 0643 0A4A 0077 02EF 0078 0A5B 0079 0800 007A 007A 007B 007C 007D 007E 007F 0C04 0026 0CFB 0006 0C00 0002 0080 06A6 0081 0A7A 0082 0082 0066 0083 094A 0084 0085 0086 0087 0C08 0030 0C07 0024 0088 0088 0089 008A 008B 008C 008D 008E 008F 0090 0200 0E0F 0902 0035 0937 091A 0CF0 0937 0C01 DS00665A-page 12 00313 00314 00315 00316 00317 00318 00319 00320 00321 00322 00323 00324 00325 00326 00327 00328 00329 00330 00331 00332 00333 00334 00335 00336 00337 00338 00339 00340 00341 00342 00343 00344 00345 00346 00347 00348 00349 00350 00351 00352 00353 00354 00355 00356 00357 00358 00359 00360 00361 00362 00363 00364 00365 00366 00367 00368 00369 00370 00371 00372 00373 00374 00375 00376 00377 00378 rrf rrf rrf rrf rrf rrf rrf BUFFER6,F BUFFER5,F BUFFER4,F BUFFER3,F BUFFER2,F BUFFER1,F BUFFER0,F ; compare duty cycle, to skip preamble movlw 0E0 ; test duty cycle andwf TIMELO,W ; delta >200us? (32 cycles) btfsc STATUS,Z goto Receive ; no! itÕs a preamble decfsz goto retlw BITCOUNT,F RNextBit 0 ; loop to completion ;---------------------------------------------------------------------;********************************************************************** ;* Main loop ;* set TRIS and option register ;* wait for start (LED) ;* disable keyboard ;* receive new hopping code ;* send 16 hex digits ;* wait transmission end ;* loop ;********************************************************************** ; Main movlw bÕ00000100Õ ; set switch ON movwf GPIO movlw MASKDEF ; init port tris GPIO movlw 0 option btfsc goto LED Main ; wait for Led output fall clrf GPIO ; send disable kb ; SWITCH = LOW call Receive ; gets the new hopping code Disable ;---------------------------------------------------------------------; emulate a keyboard and send data as a sequence of 16 key ; pressed and released, one each hex digit ; movlw .8 ; 8 byte from the buffer movwf BYTECOUNT movlw BUFFER0 ; init pointer movwf FSR KEYL movf andlw call movwf call call movlw call movlw INDF,W 0F ScanCode KEY SendKEY Wait10ms BREAK SendKEY 1 ; low nibble ; encode hex nibble ; emulate key press ; emulate key release ã 1997 Microchip Technology Inc. AN665 0091 091B 0092 0215 0093 0937 00379 00380 00381 00382 00383 00384 00385 00386 00387 00388 00389 00390 00391 00392 00393 00394 00395 00396 00397 00398 00399 00400 00401 00402 00403 00404 00405 00406 00407 00408 00409 00410 00411 00412 0094 091A 0095 0096 0097 0098 0099 009A 009B 009C 009D 009E 009F 00A0 0380 0E0F 0902 0035 0937 091A 0CF0 0937 0C01 091B 0215 0937 00A1 091A 00A2 02A4 00A3 02F0 00A4 0A88 00A5 00A5 07A6 00A6 0AA5 00A7 0A7A XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX ---------------XXX---------------------------- ; wait 750us call Wait10ms swapf andlw call movwf call call movlw call movlw call movf call INDF,W 0F ScanCode KEY SendKEY Wait10ms BREAK SendKEY 1 WaitWx750 KEY,W SendKEY call Wait10ms incf decfsz goto FSR,F BYTECOUNT,F KEYL ; high nibble ; encode hex nibble ; emulate key press ; emulate key release ; wait 750us ; next byte END HOPPASW.ASM MEMORY USAGE MAP (ÔXÕ = Used, : : : : : : WaitWx750 KEY,W SendKEY ;---------------------------------------------------------------------; now wait for the HCS to stop transmisssion (button release) ; Release btfss LED ; wait Led rise goto Release goto Main MPASM 01.40 Released 0000 0040 0080 01C0 0200 0FC0 call movf call 2-20-1997 16:45:24 PAGE 2 Ô-Õ = Unused) XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX ---------------------------------------------- XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXX----------------------------------------------------- XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX ------------------------------X ------------------------------X All other memory blocks unused. Program Memory Words Used: Program Memory Words Free: Errors : Warnings : Messages : 0 0 reported, 0 reported, ã 1997 Microchip Technology Inc. 168 343 0 suppressed 0 suppressed DS00665A-page 13 AN665 NOTES: DS00665A-page 14 ã 1997 Microchip Technology Inc. AN665 NOTES: ã 1997 Microchip Technology Inc. DS00665A-page 15 Note the following details of the code protection feature on PICmicro® MCUs. • • • • • • The PICmicro family meets the specifications contained in the Microchip Data Sheet. Microchip believes that its family of PICmicro microcontrollers is one of the most secure products of its kind on the market today, when used in the intended manner and under normal conditions. There are dishonest and possibly illegal methods used to breach the code protection feature. All of these methods, to our knowledge, require using the PICmicro microcontroller in a manner outside the operating specifications contained in the data sheet. The person doing so may be engaged in theft of intellectual property. Microchip is willing to work with the customer who is concerned about the integrity of their code. Neither Microchip nor any other semiconductor manufacturer can guarantee the security of their code. Code protection does not mean that we are guaranteeing the product as “unbreakable”. Code protection is constantly evolving. We at Microchip are committed to continuously improving the code protection features of our product. If you have any further questions about this matter, please contact the local sales office nearest to you. Information contained in this publication regarding device applications and the like is intended through suggestion only and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. No representation or warranty is given and no liability is assumed by Microchip Technology Incorporated with respect to the accuracy or use of such information, or infringement of patents or other intellectual property rights arising from such use or otherwise. Use of Microchip’s products as critical components in life support systems is not authorized except with express written approval by Microchip. No licenses are conveyed, implicitly or otherwise, under any intellectual property rights. Trademarks The Microchip name and logo, the Microchip logo, FilterLab, KEELOQ, microID, MPLAB, PIC, PICmicro, PICMASTER, PICSTART, PRO MATE, SEEVAL and The Embedded Control Solutions Company are registered trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. dsPIC, ECONOMONITOR, FanSense, FlexROM, fuzzyLAB, In-Circuit Serial Programming, ICSP, ICEPIC, microPort, Migratable Memory, MPASM, MPLIB, MPLINK, MPSIM, MXDEV, PICC, PICDEM, PICDEM.net, rfPIC, Select Mode and Total Endurance are trademarks of Microchip Technology Incorporated in the U.S.A. Serialized Quick Turn Programming (SQTP) is a service mark of Microchip Technology Incorporated in the U.S.A. All other trademarks mentioned herein are property of their respective companies. © 2002, Microchip Technology Incorporated, Printed in the U.S.A., All Rights Reserved. Printed on recycled paper. Microchip received QS-9000 quality system certification for its worldwide headquarters, design and wafer fabrication facilities in Chandler and Tempe, Arizona in July 1999. The Company’s quality system processes and procedures are QS-9000 compliant for its PICmicro® 8-bit MCUs, KEELOQ® code hopping devices, Serial EEPROMs and microperipheral products. In addition, Microchip’s quality system for the design and manufacture of development systems is ISO 9001 certified. 2002 Microchip Technology Inc. M WORLDWIDE SALES AND SERVICE AMERICAS ASIA/PACIFIC Japan Corporate Office Australia 2355 West Chandler Blvd. Chandler, AZ 85224-6199 Tel: 480-792-7200 Fax: 480-792-7277 Technical Support: 480-792-7627 Web Address: http://www.microchip.com Microchip Technology Australia Pty Ltd Suite 22, 41 Rawson Street Epping 2121, NSW Australia Tel: 61-2-9868-6733 Fax: 61-2-9868-6755 Microchip Technology Japan K.K. Benex S-1 6F 3-18-20, Shinyokohama Kohoku-Ku, Yokohama-shi Kanagawa, 222-0033, Japan Tel: 81-45-471- 6166 Fax: 81-45-471-6122 Rocky Mountain China - Beijing 2355 West Chandler Blvd. Chandler, AZ 85224-6199 Tel: 480-792-7966 Fax: 480-792-7456 Microchip Technology Consulting (Shanghai) Co., Ltd., Beijing Liaison Office Unit 915 Bei Hai Wan Tai Bldg. No. 6 Chaoyangmen Beidajie Beijing, 100027, No. China Tel: 86-10-85282100 Fax: 86-10-85282104 Atlanta 500 Sugar Mill Road, Suite 200B Atlanta, GA 30350 Tel: 770-640-0034 Fax: 770-640-0307 Boston 2 Lan Drive, Suite 120 Westford, MA 01886 Tel: 978-692-3848 Fax: 978-692-3821 Chicago 333 Pierce Road, Suite 180 Itasca, IL 60143 Tel: 630-285-0071 Fax: 630-285-0075 Dallas 4570 Westgrove Drive, Suite 160 Addison, TX 75001 Tel: 972-818-7423 Fax: 972-818-2924 Detroit Tri-Atria Office Building 32255 Northwestern Highway, Suite 190 Farmington Hills, MI 48334 Tel: 248-538-2250 Fax: 248-538-2260 Kokomo 2767 S. Albright Road Kokomo, Indiana 46902 Tel: 765-864-8360 Fax: 765-864-8387 Los Angeles 18201 Von Karman, Suite 1090 Irvine, CA 92612 Tel: 949-263-1888 Fax: 949-263-1338 China - Chengdu Microchip Technology Consulting (Shanghai) Co., Ltd., Chengdu Liaison Office Rm. 2401, 24th Floor, Ming Xing Financial Tower No. 88 TIDU Street Chengdu 610016, China Tel: 86-28-6766200 Fax: 86-28-6766599 China - Fuzhou Microchip Technology Consulting (Shanghai) Co., Ltd., Fuzhou Liaison Office Unit 28F, World Trade Plaza No. 71 Wusi Road Fuzhou 350001, China Tel: 86-591-7503506 Fax: 86-591-7503521 China - Shanghai Microchip Technology Consulting (Shanghai) Co., Ltd. Room 701, Bldg. B Far East International Plaza No. 317 Xian Xia Road Shanghai, 200051 Tel: 86-21-6275-5700 Fax: 86-21-6275-5060 China - Shenzhen 150 Motor Parkway, Suite 202 Hauppauge, NY 11788 Tel: 631-273-5305 Fax: 631-273-5335 Microchip Technology Consulting (Shanghai) Co., Ltd., Shenzhen Liaison Office Rm. 1315, 13/F, Shenzhen Kerry Centre, Renminnan Lu Shenzhen 518001, China Tel: 86-755-2350361 Fax: 86-755-2366086 San Jose Hong Kong Microchip Technology Inc. 2107 North First Street, Suite 590 San Jose, CA 95131 Tel: 408-436-7950 Fax: 408-436-7955 Microchip Technology Hongkong Ltd. Unit 901-6, Tower 2, Metroplaza 223 Hing Fong Road Kwai Fong, N.T., Hong Kong Tel: 852-2401-1200 Fax: 852-2401-3431 New York Toronto 6285 Northam Drive, Suite 108 Mississauga, Ontario L4V 1X5, Canada Tel: 905-673-0699 Fax: 905-673-6509 India Microchip Technology Inc. India Liaison Office Divyasree Chambers 1 Floor, Wing A (A3/A4) No. 11, O’Shaugnessey Road Bangalore, 560 025, India Tel: 91-80-2290061 Fax: 91-80-2290062 Korea Microchip Technology Korea 168-1, Youngbo Bldg. 3 Floor Samsung-Dong, Kangnam-Ku Seoul, Korea 135-882 Tel: 82-2-554-7200 Fax: 82-2-558-5934 Singapore Microchip Technology Singapore Pte Ltd. 200 Middle Road #07-02 Prime Centre Singapore, 188980 Tel: 65-334-8870 Fax: 65-334-8850 Taiwan Microchip Technology Taiwan 11F-3, No. 207 Tung Hua North Road Taipei, 105, Taiwan Tel: 886-2-2717-7175 Fax: 886-2-2545-0139 EUROPE Denmark Microchip Technology Nordic ApS Regus Business Centre Lautrup hoj 1-3 Ballerup DK-2750 Denmark Tel: 45 4420 9895 Fax: 45 4420 9910 France Microchip Technology SARL Parc d’Activite du Moulin de Massy 43 Rue du Saule Trapu Batiment A - ler Etage 91300 Massy, France Tel: 33-1-69-53-63-20 Fax: 33-1-69-30-90-79 Germany Microchip Technology GmbH Gustav-Heinemann Ring 125 D-81739 Munich, Germany Tel: 49-89-627-144 0 Fax: 49-89-627-144-44 Italy Microchip Technology SRL Centro Direzionale Colleoni Palazzo Taurus 1 V. Le Colleoni 1 20041 Agrate Brianza Milan, Italy Tel: 39-039-65791-1 Fax: 39-039-6899883 United Kingdom Arizona Microchip Technology Ltd. 505 Eskdale Road Winnersh Triangle Wokingham Berkshire, England RG41 5TU Tel: 44 118 921 5869 Fax: 44-118 921-5820 01/18/02 2002 Microchip Technology Inc.