Maxim DS2704W 1280-bit eeprom with sha-1 authentication Datasheet

DS2704
1280-Bit EEPROM with SHA-1 Authentication
www.maxim-ic.com
GENERAL DESCRIPTION
PIN CONFIGURATION
The DS2704 provides 1280 bits of EEPROM data
storage and a Secure Hash Algorithm (SHA) engine.
The Dallas 1-WireÒ interface enables serial
communication on a single battery contact and the
64-bit unique serial number allows multidrop
networking and identification of individual devices.
The 1280-bit memory is organized as 5 pages of 32
bytes each and supports storage of battery cell
characteristics, charging voltage, current, and
temperature parameters, as well as battery pack
manufacturing data. The EEPROM pages are in
circuit rewritable and can be individually locked to
write protect data.
VDD
1
6
DQ
NC
2
5
VSS
NC
3
4
NC
3mm × 3mm TDFN
(TOP VIEW¾PADS ON BOTTOM)
Top Side A1 Mark
1
The DS2704 employs the Secure Hash Algorithm
(SHA-1) specified in the Federal Information
publication 180-1 and 180-2, and ISO/IEC 10118-3.
SHA-1 provides a robust cryptographic solution to
ensure battery packs or other peripherals have been
manufactured by authorized sources. The DS2704
processes a host transmitted challenge and the 64bit secret key stored on chip to produce a 160-bit
response for transmission back to the host. The
secret key is never transmitted between the battery
and the host.
2
3
A
B
1.73
C
1.98 mm
UCSP (FUTURE AVAILABILITY)
(TOP VIEW¾BALLS ON BOTTOM)
APPLICATION EXAMPLE
PACK+
FEATURES
§
150W
DATA
§
§
V DD
DQ
DS2704
150W
THM
§
§
VSS
0.01mF
4.7V
Li+
Safety
Circuit
PACK-
§
§
Secure Challenge and Response Authentication
Using the SHA-1 Algorithm
Five Lockable 32-Byte Pages of EEPROM
Dallas 1-Wire Interface with Standard and
Overdrive Communications Speeds
Unique 64-Bit Serial Number
Compatible with DS2502 Memory Map and Read
Function Command
Operates with VDD as Low as 2.5V
Tiny Chip-Scale UCSP and 3mm x 3mm TDFN
Packaging (Pb-free)
ORDERING INFORMATION
PART
DS2704G+
DS2704G+T&R
DS2704W
TEMP RANGE
PIN-PACKAGE
-20°C to +70°C
-20°C to +70°C
6-TDFN
DS2704G+ on Tape-and-Reel
-20°C to +70°C
Bare Die
+ Denotes lead-free package.
1-Wire is a registered trademark of Dallas Semiconductor.
1 of 18
011206
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
ABSOLUTE MAXIMUM RATINGS
Voltage Range on All Pins, Relative to VSS
Operating Temperature Range
Storage Temperature Range
Soldering Temperature
-0.3V to +6V
-40°C to +85°C
-55°C to +125°C
See IPC/JEDEC J-STD-020A Specification
Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. These are stress ratings only,
and functional operation of the device at these or any other conditions beyond those indicated in the operational sections of the specifications is
not implied. Exposure to the absolute maximum rating conditions for extended periods may affect device.
RECOMMENDED DC OPERATING CONDITIONS
(2.5V £ VDD £ 5.5V, TA = -30°C to +85°C.)
PARAMETER
SYMBOL
CONDITIONS
MIN
TYP
MAX
UNITS
Supply Voltage
VDD
(Note 1)
2.5
5.5
V
Data Pin
DQ
(Note 1)
-0.3
+5.5
v
TYP
MAX
UNITS
1
2
mA
5
25
mA
25
75
mA
DC ELECTRICAL CHARACTERISTICS
(2.5V £ VDD £ 5.5V, TA = -30°C to +85°C, typical values at VDD = 3.7V and TA = 25°C.)
PARAMETER
Active Current
SYMBOL
CONDITIONS
IDD0
Standby mode (Note 4)
IDD1
Communication mode using
Standard Bus Timing (Note 5)
Communication mode using
Overdrive Bus Timing (Note 5)
MIN
IDD2
Computation mode
75
500
mA
IDDP
Programming mode
400
750
mA
Input Logic High: DQ
VIH
(Note 1)
Input Logic Low: DQ
VIL
(Note 1)
0.6
V
Output Logic Low: DQ
VOL
IOL = 4mA (Note 1)
0.4
V
Pull-down Current: DQ
IPD
1
3
mA
TYP
MAX
UNITS
1.5
V
EEPROM RELIABILITY SPECIFICATION
(2.5V £ VDD £ 5.5V, TA = -30°C to +85°C.)
PARAMETER
SYMBOL
CONDITIONS
MIN
Write Endurance:
EEPROM Data Field
NEEC1
(Note 2)
50,000
Writes
Write Endurance: Secret EEPROM
NEEC2
(Note 2)
1,000
Writes
10
Years
Storage
tEES
(Note 2, 3)
AC ELECTRICAL CHARACTERISTICS
(2.5V £ VDD £ 5.5V, TA = -30°C to +85°C)
PARAMETER
SYMBOL
Computation Time
tSHA
EEPROM Copy Time
tEEC
CONDITIONS
(Note 2)
2 of 18
MIN
TYP
MAX
UNITS
15
ms
10
ms
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
AC ELECTRICAL CHARACTERISTICS: 1-WIRE INTERFACE
(2.5V £ VDD £ 5.5V, TA = -30°C to +85°C.)
PARAMETER
SYMBOL
CONDITIONS
MIN
TYP
MAX
UNITS
120
ms
STANDARD BUS TIMING
Time Slot
tSLOT
60
Recovery Time
tREC
1
Write 0 Low Time
tLOW0
60
120
ms
Write 1 Low Time
tLOW1
1
15
ms
Read Data Valid
tRDV
15
ms
Reset Time High
tRSTH
480
Reset Time Low
tRSTL
480
960
ms
Presence Detect High
tPDH
15
60
ms
Presence Detect Low
tPDL
60
240
ms
Time Slot
tSLOT
6
16
ms
Recovery Time
tREC
1
Write 0 Low Time
tLOW0
6
16
ms
Write 1 Low Time
tLOW1
1
2
ms
Read Data Valid
tRDV
2
ms
Reset Time High
tRSTH
48
Reset Time Low
tRSTL
48
80
ms
Presence Detect High
tPDH
2
6
ms
Presence Detect Low
tPDL
8
24
ms
DQ Capacitance
CDQ
60
pF
ms
ms
OVERDRIVE BUS TIMING
Note 1:
All voltages are referenced to VSS.
Note 2:
EEPROM programming temperature range limited to 0°C to 50°C.
ms
ms
Note 3:
Device written NEEC times then stored for tEES at 50°C.
Note 4:
DQ = VDD.
Note 5:
Current measured with minimum bus timing while the master issues: 1-Wire Reset, Skip ROM, Write Challenge, Write
Repeated 0’s until end of measurement.
3 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
PIN DESCRIPTION
PIN
SYMBOL
FUNCTION
6
DQ
Serial interface data I/O pin. Bi-directional data transmit and receive at 16KBPS
or 143KBPS
5
VSS
Supply GND and reference for serial communication. Attach VSS to battery
pack negative terminal
1
VDD
Supply input. Bypass to VSS with 0.01mF typical
2, 3, 4
NC
No Connection
Figure 1. Block Diagram
DQ
VDD
Dout’
Din
1-Wire Interface
Multi-Stage
Charge Pump
Vpp
SHA-1 Algorithm,
Constants and W0W15, A-E Registers
Memory Control
CRC Generator
64 bit Secret
64 bit ROM ID
VSS
EEPROM Memory
Data Field
5 page x 32 byte
(1280 bit)
EEPROM STATUS
Data Field
DETAILED DESCRIPTION
The DS2704 is comprised of an EEPROM memory array and SHA-1 Authentication function that are accessed via
a 1-Wire interface. The 1-Wire interface controls access by a host system to the 64-bit Net Address (ROM ID),
SHA-1 Authentication, 1280-bit EEPROM memory and EEPROM Status.
The DS2704 operates in one of four modes: standby, communication, computation and programming. Standby
mode is the default mode of operation. Whenever any task has been completed, the IC will automatically return to
standby mode. Standby mode is also directly entered if DQ is low for a period of tRSTL. Once standby mode has
been entered, DQ can be returned to logic high and standby mode is retained. Most operations are performed in
communication mode, with the host system addressing the DS2704 using Net Address commands and then
retrieving EEPROM and Status data using memory function commands or setting up an authentication exchange
and retrieving the results. The supply current, IDD1, varies depending on bus activity, communication direction, and
selection of Standard or Overdrive bus timing.
In SHA-1 computation mode, the supply current increases to IDD2 for a period of tSHA. The computation mode load
current occurs after the last bit of one of the Compute MAC function commands is sent.
4 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Programming mode is entered when writing the nonvolatile memory portions of the DS2704. The supply current
increases to IDDP for tEEC when a Copy Scratchpad, Write Status, Compute Secret, Clear/Lock Secret or Clear/Set
Overdrive Timing command is executed.
Functional compatibility has been maintained between the DS2502 and DS2704 at the Net Address/ROM
Command and Function Command levels for reading the Memory and Status data fields. Since the DS2704 is
based on EEPROM technology versus the EPROM technology used for the DS2502, writing of the Memory and
Status data fields is not the same as the DS2502. The DS2704 includes an on-chip charge pump to facilitate incircuit programming. The need to apply an external high voltage programming pulse during pack manufacture is
therefore eliminated. Data can be written to a 0 or 1 value up to NEEC times in the DS2704. The ability to reprogram
the data in the EEPROM pages makes the Page Address Redirection bytes in the Status data field unnecessary.
Therefore, the DS2704 maintains them for DS2502 read compatibility but they cannot be modified from their factory
default values of FFh.
AUTHENTICATION
Authentication is performed using a FIPS-180 compliant SHA-1 one way hash algorithm on a 512-bit message
block. The message block consists of a 64-bit secret, a 64-bit challenge and 384 bits of constant data. Optionally,
the 64-bit net address replaces 64 of the 384 bits of constant data used in the hash operation. Contact
Dallas/Maxim for details of the message block organization.
The host and the DS2704 both calculate the result based on the mutually known secret. The result data, known as
the Message Authentication Code (MAC) or Message Digest, is returned by the DS2704 for comparison to the
host’s result. Note that the secret is never transmitted on the bus and thus cannot be captured by observing bus
traffic. Each authentication attempt is initiated by the host system by providing a 64-bit random challenge via the
Write Challenge command. The host then issues the Compute MAC or Compute MAC with ROM ID command. The
MAC is computed per FIPS 180, and then returned as a 160-bit serial stream, beginning with the least significant
bit.
DS2704 AUTHENTICATION COMMANDS
WRITE CHALLENGE [0Ch]. This command writes the 64-bit challenge to the DS2704. The LSB of the 64-bit data
argument can begin immediately after the MSB of the command has been completed. If more than 8 bytes are
written, the final value in the challenge register will be indeterminate. The Write Challenge command must be
issued prior to every Compute MAC or Compute Next Secret command for reliable results.
COMPUTE MAC WITHOUT ROM ID [36h]. This command initiates a SHA-1 computation based on the Challenge
value and internal Secret. Logical 1’s are loaded in place of the ROM ID. This command allows the use of a master
secret and MAC response independent of the ROM ID. The DS2704 computes the MAC in tSHA after receiving the
last bit of this command. After the MAC computation is complete, the host must write 8 write zero time slots and
then issue 160 read time slots to receive the 20-byte MAC. See Figure 7 on page 16 for command timing.
COMPUTE MAC WITH ROM ID [35h]
This command is structured the same as the Compute MAC without ROM ID, except that the ROM ID is included in
the message block. With the ROM ID unique to each DS2704 included in the MAC computation, use of a unique
secret in each token and a master secret in the host device is allowed. See application note “White Paper 4”,
available at http://www.maxim-ic.com, for more information. See Figure 7 on page 16 for command timing.
NOTE: Immediately after power-up, a dummy Compute MAC command is required to initialize the DS2704. If the
dummy command is not issued, the first authentication attempt is computed using a challenge value of 0. When
issuing the dummy Compute MAC command, the command sequence can be terminated immediately following the
th
8 bit of the Compute MAC command byte. Waiting for the SHA-1 computation and reading the results back are
not required.
SHA-1 related commands used while authenticating a battery or peripheral device are summarized in Table 1 for
convenience. Four additional commands for clearing, computing and locking of the Secret are described in detail in
the following section.
5 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Table 1. Authentication Function Commands
COMMAND
Hex
FUNCTION
Writes 64-bit challenge for SHA-1 processing. Required prior to
issuing Compute MAC and Compute Next Secret commands.
Write Challenge
0C
Compute MAC without ROM ID
and return MAC
36
Computes hash the message block with logical 1’s in place of the
ROM ID. Returns the 160-bit MAC.
Compute MAC with ROM ID and
return MAC
35
Computes hash of the message block including the ROM ID.
Returns the 160-bit MAC.
SECRET MANAGEMENT FUNCTION COMMANDS
CLEAR SECRET [5Ah]. This command sets the 64-bit secret to all 0’s (0000 0000 0000 0000h). The host must
wait tEEC for the DS2704 to write the new secret value to EEPROM. See Figure 10 on page 18 for command timing.
COMPUTE NEXT SECRET WITHOUT ROM ID [30h]. This command initiates a SHA-1 computation of the MAC
and uses a portion of the resulting MAC as the next or new secret. The MAC computation is performed with the
current 64-bit secret and the 64-bit challenge. Logical 1’s are loaded in place of the ROM ID. 64-bits of the output
MAC are used as the new secret value. The host must allow tSHA after issuing this command for the SHA
calculation to complete, then wait tEEC for the DS2704 to write the new secret value to EEPROM. See Figure 8 on
page 17 for command timing.
COMPUTE NEXT SECRET WITH ROM ID [33h]. This command initiates a SHA-1 computation of the MAC and
uses a portion of the resulting MAC as the next or new secret. The MAC computation is performed with the current
64-bit secret, the 64-bit ROM ID and the 64-bit challenge. 64-bits of the output MAC are used as the new secret
value. The host must allow tSHA after issuing this command for the SHA calculation to complete, then wait tEEC for
the DS2704 to write the new secret value to EEPROM. See Figure 8 on page 17 for command timing.
LOCK SECRET [6Ah]. This command write protects the 64-bit Secret to prevent accidental or malicious overwrite
of the secret value. The Secret value stored in EEPROM becomes "final." The host must wait tEEC for the DS2704
to write the lock secret bit to EEPROM. See Figure 10 on page 18 for command timing.
Table 2. Secret Loading Function Commands
COMMAND
Hex
Clear Secret
5A
Clears the 64-bit Secret to 0000 0000 0000 0000h
30
Generates new global secret
33
Generates new unique secret
6A
Sets lock bit to prevent changes to the Secret
Compute Next Secret without
ROM ID
Compute Next Secret with
ROM ID
Lock Secret
FUNCTION
1-WIRE SPEED CONTROL FUNCTION COMMANDS
CLEAR OVERDRIVE [8Dh]. This command selects the Standard 1-Wire timings shown in the Electrical
Characteristics table. The setting is stored in EEPROM so that the programmed speed selection can be recalled on
initial power up. The host must wait tEEC for the DS2704 to write the EEPROM. See Figure 10 for command timing.
Standard 1-Wire timing is the factory default.
SET OVERDRIVE [8Bh]. This command selects the Overdrive 1-Wire timings shown in the Electrical
Characteristics table. The setting is stored in EEPROM so that the programmed speed selection can be recalled on
initial power up. The host must wait tEEC for the DS2704 to write the EEPROM. See Figure 10 for command timing.
6 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Table 3. 1-Wire Speed Control Function Commands
COMMAND
Hex
Set Overdrive
Clear Overdrive
FUNCTION
8B
Sets 1-Wire interface timings to OVERDRIVE.
8D
Sets 1-Wire interface timings to STANDARD.
(Factory Default)
EEPROM MEMORY
The DS2704 has a linear address space for access to the EEPROM data field. The Read Memory and Read
Data/Generate CRC Memory function commands provide DS2502 legacy read access to the lower 1024 bits of the
EEPROM data field. Read access to the entire EEPROM data field is provided by the ReadAll function command.
The Write Scratchpad, Read Scratchpad and Copy Scratchpad function commands provide write access to the
EEPROM data field. The EEPROM memory is organized as 5 pages of 32 bytes each as shown in Table 4.
EEPROM Data Field. All pages are read and write (R/W) accessible. When received from the factory, the entire
1280-bit EEPROM data field appears as logical 1’s.
Table 4. EEPROM Data Field
ADDRESS (HEX)
DESCRIPTION
READ/WRITE
0000 – 001F
PAGE 0 (32 bytes)
R/W*
0020 – 003F
PAGE 1 (32 bytes)
R/W*
0040 – 005F
PAGE 2 (32 bytes)
R/W*
0060 – 007F
PAGE 3 (32 bytes)
R/W*
0080 – 009F
PAGE 4 (32 bytes)
R/W*
00A0 – FFFF
Reserved
* Writing requires programming delay of tEEC
READ MEMORY [F0h]
The Read Memory command is used to read data from the lower 1024 bits (PAGE 0 to PAGE 3) of the 1280-bit
EEPROM data field. The bus master follows the command byte with a 2-byte address (TA1=(T7:T0),
TA2=(T15:T8)) that indicates a starting byte location within the data field. An 8-bit CRC of the command byte and
address bytes is computed by the DS2704 and read back by the bus master to confirm that the correct command
word and starting address were received. If the CRC is deemed to be incorrect by the bus master, a reset pulse
should be issued and the entire sequence repeated. If the CRC is deemed to be correct by the bus master, read
time slots can be issued to receive data from the EEPROM data field starting at the initial address. The bus master
can issue a reset pulse at any point or continue to issue read time slots until the end of PAGE 3 of the data field is
reached.
If reading continues through the end of PAGE 3, the bus master can issue eight additional read time slots and the
DS2704 will respond with a 8-bit CRC of all data bytes read from the initial starting byte through the last byte of
PAGE 3. Terminating the command transaction with a reset pulse prior to reaching the end of PAGE 3 results in a
loss of availability of the 8-bit CRC.
READ DATA/GENERATE 8-BIT CRC [C3h]
The Read Data/Generate 8-bit CRC command is used to read data from the lower 1024 bits (PAGE 0 to PAGE 3)
of the 1280-bit EEPROM data field. The bus master follows the command byte with a 2-byte address
(TA1=(T7:T0), TA2=(T15:T8)) that indicates a starting byte location within the data field. An 8-bit CRC of the
command byte and address bytes is computed by the DS2704 and read back by the bus master to confirm that the
correct command word and starting address were received. If the CRC is deemed to be incorrect by the bus
master, a reset pulse should be issued and the entire sequence repeated. If the CRC is deemed to be correct by
the bus master, read time slots can be issued to receive data from the EEPROM data field starting at the initial
7 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
address. The bus master can issue a reset pulse at any point or continue to issue read time slots until the end of
the 32-byte page is reached. If reading occurs through the end of the 32-byte page, the bus master can issue eight
additional read time slots and the DS2704 will respond with a 8-bit CRC of all data bytes read from the initial
starting byte through the last byte of the current page. After the CRC is received, additional read time slots return
data starting with the first byte of the next page. This sequence will continue until the bus master reads PAGE 3
and its accompanying CRC. Thus each page of data can be considered to be 33 bytes long: the 32 bytes of userprogrammed EEPROM data and an 8-bit CRC that gets generated automatically at the end of each page. The
Read Data/Generate 8-Bit CRC command sequence can be exited at any point by issuing a reset pulse.
READ ALL [65h]
The Read All command is used to read data from all 1280 bits (PAGE 0 – PAGE 4) of the EEPROM data field. This
includes PAGE 0 – PAGE 3 which are accessible via the DS2502 Read Memory and Read Data/Gen CRC legacy
commands and PAGE 4 which is only accessible using the Read All command.
The bus master follows the command byte with a 2-byte address (TA1=(T7:T0), TA2=(T15:T8)) that indicates a
starting byte location within the data field. An 8-bit CRC of the command byte and address bytes is computed by
the DS2704. The bus master must issue 8 read time slots to receive the CRC value, and then issue additional read
time slots to receive data from the DS2704 starting at TA2:TA1.
When reading begins within the EEPROM data field (0000h – 009Fh) and continues past 009Fh, an 8 bit CRC of
all data returned is computed by the DS2704 and returned following the last byte of the data field. If reading begins
in the reserved range or time slots are issued after receiving the 8 bit CRC, the DS2704 returns logical 1’s.
WRITE SCRATCHPAD [6Ch]
The Write Scratchpad command is used to write up to 8-bytes to the scratchpad buffer which is in turn used to
program 1280-bit EEPROM data field via the Copy Scratchpad command. The bus master issues the Write
Scratchpad function command followed by a 1-byte address argument that depicts the starting byte position in the
scratchpad of the following byte stream to be written. The valid range for the address is 00h – 07h. The address is
auto-incremented after each data byte is written. When the address is greater than 07h, no further bytes will be
accepted. Incomplete bytes are not written to the scratchpad. The Write Scratchpad command fills the scratchpad
LSByte first, so when fewer than 8 bytes are written, the upper bytes of the scratchpad buffer contain data from
previous operations. Since the Copy Scratchpad command transfers the entire scratchpad to the EEPROM data
field, incomplete writing of the scratchpad should be done with caution. If the master determines the scratchpad
data is unsuitable to copy to the EEPROM, the entire write sequence (command and data) must be repeated after
issuing a reset pulse.
READ SCRATCHPAD [69h]
The Read Scratchpad command is used to return scratchpad data if verification of the scratchpad data is required
prior to programming the EEPROM data field. The bus master issues the Read Scratchpad function command
followed by a 1-byte address argument that depicts the starting byte position in the scratchpad of the first byte to be
read. The valid range for the address is 00h – 07h. The address is auto-incremented after each data byte is read.
When the address is greater than 07h, any further reads will return bit values of 1. The DS2704 returns up to 64
bits from the scratchpad beginning with the least significant bit of the least significant byte.
COPY SCRATCHPAD [48h]
The Copy Scratchpad function command is used to transfer data from the 8-byte scratchpad buffer to the EEPROM
data field memory. Transfers are aligned on 8 byte boundaries. The bus master issues the Copy Scratchpad
function command followed by the 2-byte target address (TA1=(T7:T0), TA2=(T15:T8)). The DS2704 aligns target
addresses to the least significant byte (LSByte) of each eight byte boundary by zeroing the three least significant
bits of TA1. That is, TA1[T2:T0] are set internally to 000b. As an example, issuing the Copy Scratchpad command
with TA2:TA1 = 0x0020 or TA2:TA1 = 0x0027 results in the same 8-byte block being copied to PAGE 1 beginning
at address 0x0020.
A delay of tEEC is required to program the scratchpad contents to the EEPROM array. See Figure 9 for command
timing.
8 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
EEPROM STATUS
The DS2704 has a separate 8-byte linear address space for access to the EEPROM Status data field using the
Read Status and Write Status Function Commands.
READ STATUS [AAh]
The Read Status command is used to read data from the EEPROM Status data field. The bus master follows the
command byte with a 2-byte address (TA1=(T7:T0), TA2=(T15:T8)) that indicates a starting byte location within the
data field. An 8-bit CRC of the command byte and address bytes is computed by the DS2704 and read back by the
bus master to confirm that the correct command word and starting address were received. If the CRC is deemed to
be incorrect by the bus master, a reset pulse should be issued and the entire sequence repeated. If the CRC is
deemed to be correct by the bus master, read time slots can be issued to receive data starting at the initial
address. The bus master can issue a reset pulse at any point or continue to issue read time slots until the end of
the EEPROM Status data field is reached. If reading occurs through the end of the EEPROM Status data field, the
bus master can issue eight additional read time slots and the DS2704 will respond with a 8-bit CRC of all data
bytes read from the initial starting byte through the last byte. Additional read time slots return logical 1’s. The Read
Status command sequence can be ended at any point by issuing a reset pulse.
Table 5. EEPROM Status Field
ADDRESS (HEX)
DESCRIPTION
READ/WRITE
0000
Write Protect Page bits
B0: Page 0 Write Protect
B1: Page 1 Write Protect
B2: Page 2 Write Protect
B3: Page 3 Write Protect
B4: Page 4 Write Protect
B5: Reserved for TMEX
B6: Reserved for TMEX
B7: Reserved for TMEX
0001
Factory Programmed to FFh
R
0002
Factory Programmed to FFh
R
0003
Factory Programmed to FFh
R
0004
Factory Programmed to FFh
R
Reserved
R
Factory Programmed to 00h
R
0005-0006
0007
R/W*
* One time write to “0”
WRITE STATUS [55h]
The Write Status command is used to program the EEPROM Status data field. Only the Write Protect Page bits at
address 0000h are writable. The other bytes are factory programmed to the values in Table 5. The Write Protect
Page bits are set to logical 1’s when received from the factory. EEPROM page data can be programmed multiple
times until its associated Write Protect Page bit is programmed to a logical 0. Once a Write Protect Page bit is
programmed to a logical 0, it cannot be programmed back to a logical 1. Programming a Write Protect Page bit to a
logical 0 prevents any future modification or overwriting of the data in the associated page.
To protect page data from modification, the bus master writes the Write Status function command followed by one
byte of status data containing the Write Protect Page bits (B7:B0). The status data must be written least significant
bit to most significant bit, that is B0 to B7. Once the eighth bit of the status data is completed, the write operation
cannot be undone. If the write operation is abandoned prior to completing the status data byte, the entire write
sequence must be repeated after issuing a reset pulse.
9 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
After the programming write delay (tEEC), the master can issue a Read Status function command to verify that the
appropriate Write Protect Page bits have been programmed.
Table 6. EEPROM Memory and Status Function Commands
COMMAND
HEX
FUNCTION
Read data from the lower 1024 bits of the 1280-bit EEPROM
Memory data field. Generates a CRC value if read continues to end
th
of the 4 page.
Read data from lower 4 pages of the EEPROM Memory data field.
Generates a CRC value of the data read from each page if read
continues to the end of page.
Read Memory
F0
Read Data/Generate CRC
C3
Read All
65
Read data from all 5 pages of the EEPROM Memory data field
Read Status
AA
Read data from the 8-byte EEPROM Status data field
Write Status
55
Write the Page Protection bits in the EEPROM Status data field
Write Scratchpad
6C
Write up to 8 bytes of data to the Scratchpad register
Read Scratchpad
69
Read up to 8 bytes of the Scratchpad register data
Copy Scratchpad
48
Programs the Scratchpad data to EEPROM DATA FIELD at the
target address TA2:TA1
Note: The Read Data, Read Data/Generate CRC and Read Status commands filter the target address (TA2:TA1)
value with a 007Fh AND mask that limits the addressable size of the EEPROM Data Field and EEPROM Status
Field to 1024 bits. Target address values equal to or greater than 0080h (128 decimal) return data from the lower
128 bytes of the respective data field. It is also important to note that the filter is applied prior to calculation of the
CRC, so that target address values that are multiples of 128 return the same CRC. The CRC values should be
considered correct only for TA2:TA1 = 0000h to 007Fh.
1-Wire BUS SYSTEM
The 1-Wire bus is a system that has a single bus master and one or more slaves. A multidrop bus is a 1-Wire bus
with multiple slaves, while a single-drop bus has only one slave device. In all instances, the DS2704 is a slave
device. The bus master is typically a microprocessor in the host system. The discussion of this bus system consists
of five topics: 64-bit net address, CRC generation, hardware configuration, transaction sequence, and 1-Wire
signaling.
64-BIT NET ADDRESS (ROM ID)
Each DS2704 has a unique, factory-programmed 1-Wire Net Address that is 64 bits in length. The term Net
Address is synonymous with the ROM ID or ROM Code terms used in the DS2502 and other Dallas 1-Wire
documentation. The first eight bits of the Net Address are the 1-Wire family code (09h). The next 48 bits are a
unique serial number. The last eight bits are a cyclic redundancy check (CRC) of the first 56 bits (see Figure 2).
The 64-bit net address and the 1-Wire I/O circuitry built into the device enable the DS2704 to communicate through
the 1-Wire protocol detailed in this data sheet.
Figure 2. 1-Wire Net Address Format
8-BIT CRC
48-BIT SERIAL NUMBER
MSb
10 of 18
8-BIT FAMILY
CODE (09H)
LSb
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
CRC GENERATION
The DS2704 has an 8-bit CRC stored in the most significant byte of its 1-Wire net address and generates a CRC
during some command protocols. To ensure error-free transmission of the address, the host system can compute a
CRC value from the first 56 bits of the address and compare it to the CRC from the DS2704.
The host system is responsible for verifying the CRC value and taking action as a result. The DS2704 does not
compare CRC values and does not prevent a command sequence from proceeding as a result of a CRC mismatch.
Proper use of the CRC can result in a communication channel with a very high level of integrity.
The CRC can be generated by the host using a circuit consisting of a shift register and XOR gates as shown in
8
5
4
Figure 3, or it can be generated in software using the polynomial X + X + X + 1. Additional information about the
Dallas 1-Wire CRC is available in Application Note 27: Understanding and Using Cyclic Redundancy Checks with
Dallas Semiconductor Touch Memory Products (www.maxim-ic.com/appnoteindex).
In the circuit in Figure 3, the shift register bits are initialized to 0. Then, starting with the least significant bit of the
family code, one bit at a time is shifted in. After the 8th bit of the family code has been entered, then the serial
number is entered. After the 48th bit of the serial number has been entered, the shift register contains the CRC
value.
Figure 3. 1-Wire CRC Generation Block Diagram
INPUT
MSb
XOR
XOR
LSb
XOR
During some command sequences, the DS2704 also generates an 8-bit CRC and provides this value to the bus
master to facilitate validation for the transfer of command, address, and data from the bus master to the DS2704.
The DS2704 computes an 8-bit CRC for the command and address bytes received from the bus master for the
Read Memory, Read Status and Read/Generate CRC commands to confirm that these bytes have been received
correctly. The CRC generator on the DS2704 is also used to provide verification of error-free data transfer as each
EEPROM page is sent to the master during a Read Data/Generate CRC command and for the 8 bytes of
information in the Status memory field.
In each case where a CRC is used for data transfer validation, the bus master must calculate the CRC value using
the same polynomial function and compare the calculated value to the CRC either stored in the DS2704 Net
Address or computed by the DS2704. The comparison of CRC values and decision to continue with an operation
are determined entirely by the bus master. There is no circuitry in the DS2704 that prevents the a command
sequence from proceeding if the stored or calculated CRC from the DS2704 and the calculated CRC from the host
do not match.
HARDWARE CONFIGURATION
Because the 1-Wire bus has only a single line, it is important that each device on the bus be able to drive it at the
appropriate time. To facilitate this, each device attached to the 1-Wire bus must connect to the bus with open-drain
or tri-state output drivers. The DS2704 uses an open-drain output driver as part of the bidirectional interface
circuitry shown in Figure 4. If a bidirectional pin is not available on the bus master, separate output and input pins
can be connected together.
The 1-Wire bus must have a pullup resistor at the bus-master end of the bus. A value of between 2kW and 5kW is
recommended. The idle state for the 1-Wire bus is high. If, for any reason, a bus transaction must be suspended,
the bus must be left in the idle state to properly resume the transaction later. Note that if the bus is left low for more
than tRSTL, slave devices on the bus begin to interpret the low period as a reset pulse, effectively terminating the
transaction.
11 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Figure 4. 1-Wire Bus Interface Circuitry
Vpullup
Bus Master
4.7kW
Device 1-Wire Port (DQ)
Rx
~100 Ohm
MOSFET
Rx
Tx
Rx = Receive
Tx = Transmit
~1 uA
Tx
TRANSACTION SEQUENCE
The protocol for accessing the DS2704 through the 1-Wire port is as follows:
§
§
§
§
Initialization
Net Address Command
Function Command(s)
Data Transfer (not all commands have data transfer)
All transactions of the 1-Wire bus begin with an initialization sequence consisting of a reset pulse transmitted by the
bus master, followed by a presence pulse simultaneously transmitted by the DS2704 and any other slaves on the
bus. The presence pulse tells the bus master that one or more devices are on the bus and ready to operate. For
more details, see the 1-Wire Signaling section below.
NET ADDRESS COMMANDS
Once the bus master has detected the presence of one or more slaves, it can issue one of the net address
commands described in the following paragraphs. The name of each Net Address command (ROM command) is
followed by the 8-bit opcode for that command in square brackets.
Read Net Address [33h]. This command allows the bus master to read the DS2704’s 1-Wire net address. This
command can only be used if there is a single slave on the bus. If more than one slave is present, a data collision
occurs when all slaves try to transmit at the same time (open drain produces a wired-AND result).
Match Net Address [55h]. This command allows the bus master to specifically address one DS2704 on the 1-Wire
bus. Only the addressed DS2704 responds to any subsequent function command. All other slave devices ignore
the function command and wait for a reset pulse. This command can be used with one or more slave devices on
the bus.
Skip Net Address [CCh]. This command saves time when there is only one DS2704 on the bus by allowing the
bus master to issue a function command without specifying the address of the slave. If more than one slave device
is present on the bus, a subsequent function command can cause a data collision when all slaves transmit data at
the same time.
Search Net Address [F0h]. This command allows the bus master to use a process of elimination to identify the
1-Wire net addresses of all slave devices on the bus. The search process involves the repetition of a simple threestep routine: read a bit, read the complement of the bit, then write the desired value of that bit. The bus master
performs this simple three-step routine on each bit location of the net address. After one complete pass through all
64 bits, the bus master knows the address of one device. The remaining devices can then be identified on
®
additional iterations of the process. See Chapter 5 of the Book of DS19xx iButton Standards for a comprehensive
discussion of a net address search, including an actual example (www.maxim-ic.com/iButtonBook).
iButton is a registered trademark of Dallas Semiconductor.
12 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
I/O SIGNALING
The 1-Wire bus requires strict signaling protocols to ensure data integrity. The four protocols used by the DS2704
are as follows: the initialization sequence (reset pulse followed by presence pulse), write 0, write 1, and read data.
The bus master initiates all these types of signaling except the presence pulse.
The initialization sequence required to begin any communication with the DS2704 is shown in Figure 5. A presence
pulse following a reset pulse indicates that the DS2704 is ready to accept a net address command. The bus master
transmits (Tx) a reset pulse for tRSTL. The bus master then releases the line and goes into receive mode (Rx). The
1-Wire bus line is then pulled high by the pullup resistor. After detecting the rising edge on the DQ pin, the DS2704
waits for tPDH and then transmits the presence pulse for tPDL.
Figure 5. 1-Wire Initialization Sequence
tRSTL
tRSTH
tPDH
tPDL
PACK+
DQ
PACKLINE TYPE LEGEND:
BUS MASTER ACTIVE LOW
DS2704 ACTIVE LOW
BOTH BUS MASTER AND
DS2704 ACTIVE LOW
RESISTOR PULLUP
WRITE-TIME SLOTS
A write-time slot is initiated when the bus master pulls the 1-Wire bus from a logic-high (inactive) level to a logic-low
level. There are two types of write-time slots: write 1 and write 0. All write-time slots must be tSLOT in duration with
a 1ms minimum recovery time, tREC, between cycles. The DS2704 samples the 1-Wire bus line between tLOW1_MAX
and tLOW0_MIN after the line falls. If the line is high when sampled, a write 1 occurs. If the line is low when sampled, a
write 0 occurs. The sample window is illustrated in Figure 6. 1-Wire Write and Read Time Slots. For the bus master
to generate a write 1 time slot, the bus line must be pulled low and then released, allowing the line to be pulled high
less than tRDV after the start of the write time slot. For the host to generate a write 0 time slot, the bus line must be
pulled low and held low for the duration of the write-time slot.
READ-TIME SLOTS
A read-time slot is initiated when the bus master pulls the 1-Wire bus line from a logic-high level to a logic-low level.
The bus master must keep the bus line low for at least 1ms and then release it to allow the DS2704 to present valid
data. The bus master can then sample the data tRDV from the start of the read-time slot. By the end of the readtime slot, the DS2704 releases the bus line and allows it to be pulled high by the external pullup resistor. All readtime slots must be tSLOT in duration with a 1ms minimum recovery time, tREC, between cycles. See Figure 6 and the
timing specifications in the Electrical Characteristics table for more information.
13 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Figure 6. 1-Wire Write and Read Time Slots
WRITE 0 SLOT
WRITE 1 SLOT
tSLOT
tSLOT
tLOW1
tLOW0
VPULLUP
tREC
GND
>1ms
Device Sample Window
MIN TYP
MAX
MODE
Device Sample Window
MIN TYP
MAX
Standard
15ms
15ms
30ms
15ms
15ms
30ms
Overdrive
2ms
1ms
3ms
2ms
1ms
3ms
READ DATA SLOT
Data = 0
tSLOT
VPULLUP
tRDV
Data = 1
tREC
tSLOT
tRDV
GND
Master Sample Window
MODE
>1ms
Master Sample Window
Standard
15ms
15ms
Overdrive
2ms
2ms
LINE TYPE LEGEND:
Bus Master active LOW
Device active LOW
Both Bus Master and Device
active LOW
Resistor pullup
14 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Table 7. All Function Commands
COMMAND
COMPATIBILITY
DS2502 DS2703
HEX
FUNCTION
0C
Writes 64-bit challenge for SHA-1
processing. Required prior to all Compute
MAC and Compute Next Secret commands.
CC
36
Computes hash of the message block with all
1’s in place of the ROM ID
CC
35
Computes hash of the message block using
the ROM ID
CC
5A
Clears the 64-bit Secret to 0000 0000 0000
0000h.
30
Generates new global secret.
NP
33
Generates new unique secret.
NP
Lock Secret
6A
Sets lock bit to prevent changes to the
Secret.
NP
Read Memory
F0
Read Data/Generate
CRC
C3
Read All
65
Read Status
Write Challenge
Compute MAC
without ROM ID and
return MAC
Compute MAC
with ROM ID and
return MAC
Clear Secret
Compute Next Secret
without ROM ID
Compute Next Secret
with ROM ID
Read data from 1024-bit EEPROM Memory
data field
Read data from 1024-bit EEPROM Memory
data field and generate a CRC value of the
data read during the operation
Read data from the all 5 pages of the
EEPROM Memory data field
CC
AA
Read data from the 8-byte EEPROM Status
data field
CC
Write Status
55
Write data to the EEPROM Status data field.
NP
Write Scratchpad
6C
Write data to the 8-byte Scratchpad buffer
Read Scratchpad
69
Read data from the 8-byte Scratchpad buffer
Copy Scratchpad
48
Write Scratchpad data to EEPROM data
field.
Set Overdrive
8B
Sets 1-Wire interface timings to
OVERDRIVE.
NP
Clear Overdrive
8D
Sets 1-Wire interface timings to STANDARD.
(Factory Default)
NP
Reset
BB
Resets DS2704 (Software POR)
CC
Key: CC¾complete compatibility, NP:¾no programming pulse required on DS2704.
15 of 18
CC
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Table 8. Guide to Function Command Requirements
COMMAND
ISSUE MEMORY
ADDRESS
ISSUE 00H
BEFORE
READ
Write Challenge
READ/WRITE
TIME SLOTS
READBACK CRC
Write: 64
Compute MAC
Yes
Read: up to 160
Compute Next Secret
Clear/Lock Secret,
Set/Clear Overdrive
Read:
up to 1024 (data)
up to 16 (CRC)
Read:
up to 1024 (data)
up to 40 (CRC)
After CMD + TA2:TA1,
End of Page 3
Read Memory
16 bits: TA1, TA2
Read Data/Gen CRC
16 bits: TA1, TA2
Read All
16 bits: TA1, TA2
Read:
up to 1280 (data)
After CMD + TA2:TA1,
End of Page 4
Read Status
16 bits
Read:
up to 64 (data)
up to 16 (CRC)
After CMD + TA2:TA1,
End of Status field
Write Status
After CMD + TA2:TA1,
End of each page
Write: 8
Write Scratchpad
8 bits
Write: up to 64
Read Scratchpad
8 bits
Read: up to 64
Copy Scratchpad
16 bits: TA1, TA2
Reset
Figure 7: Compute MAC Function Command
tSHA
1-Wire
Reset
SKIP ROM
Cmd
Presence
Pulse
Up to 160 Read Time Slots
(Read 20-Byte MAC)
Wait for MAC
Computation
8 Write 0
Time Slots
Compute
MAC
Cmd
16 of 18
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Figure 8: Compute Next Secret Function Command
tSHA
1-Wire
Reset
SKIP ROM
Cmd
Presence
Pulse
Compute
Next Secret
Cmd
tEEC
Wait for MAC
Computation
Wait for
EEPROM Programming
Figure 9: Copy Scratchpad Function Command
tEEC
1-Wire
Reset
SKIP ROM
Cmd
Presence
Pulse
Copy
Scratchpad
Cmd
16 Write
Time Slots
(TA1, TA2)
17 of 18
Wait for
EEPROM Programming
DS2704: 1280-Bit EEPROM with SHA-1 Authentication
Figure 10: Clear/Lock Secret, Set/Clear Overdrive Function Commands
tEEC
1-Wire
Reset
SKIP ROM
Cmd
Presence
Pulse
Clear/Lock
Secret Cmd
or
Set/Clear
Overdrive Cmd
Wait for EEPROM Copy Time
PACKAGE INFORMATION
(For the latest package outline information, go to www.maxim-ic.com/DallasPackInfo.)
18 of 18
Similar pages