Si4010 Keyfob AES DEMO Si4010 K EY F O B A E S D EMO K IT W I T H EZR ADIO ® LCD B A SE B OARD U SER ’ S G U I D E 1. Purpose This user’s guide describes the use of the Demo Kit and gives the user a brief introduction to the AES encryption/decryption algorithm. The current version of the firmware does not support remote mode, so it can only be used in standalone mode without the Wireless Development Suite (WDS). 2. Kit Contents The kit contains the following items: Qty Part Number Description 1 4010-KFOB-xxx 1 MSC-LCDBB930-AES 1 4355-PRXBxxxB 1 MSC-AT50-xxx 1 MSC-PLPB_1/2/3 1 CR2032 3 AA 1.5 V AA battery 1 USB USB mini-B cable Si4010 universal key fob for 316.66/433.92/868.3/917 MHz LCD Base Board with C8051F930 MCU RF Pico Board with EZRadio chip for 316.66/433.92/868.3/917 MHz Antenna for 316.66/433.92/868.3/917 MHz Key fob plastic case CR2032 Coin Cell battery Figure 1. LCD Base Board Rev 0.2 6/12 Copyright © 2012 by Silicon Laboratories Si4010 Keyfob AES DEMO Si4010 Keyfob AES DEMO Figure 2. RF Pico Board Figure 3. Si4010 Key Fob 2 Rev 0.2 Si4010 Keyfob AES DEMO 3. Requirements The following items are required to use the demo in standalone mode: LCD Base Board Pico Board with EZRadio Next Generation chip 3xAA batteries or USB Mini-B cable Si4010 key fob on 316.66/433.9/868.30/917.00 MHz RF 4. Si4010 Key Fob Demo Description The AES demo utilizes the capabilities of the Si4010 key fob transmitter and the Si4355 EZRadio receiver in order to demonstrate a one-way secure link application. The Si4010 key fob as the transmitter sends radio packets with partially encoded content. At the receiver side an EZRadio receiver, the Si4355 chip receives the packet, then evaluates and decodes it. The receiver can handle OOK or 2FSK modulated RF packets as well as the transmitter can set up to transmit OOK or 2FSK modulated RF packets. 4.1. RF Parameters The Si4010 AES Demo transmitter and receiver uses the following RF configuration: Center frequencies: 316.66/433.92/868.3/917 MHz depending on RF Pico board and key fob OOK/2FSK modulation (selectable) 9.6 kBaud Manchester coding in OOK mode (results in 4.8 kbps data rate). 4.2. Selection of Si4010 Key Fob Modulation The Si4010 key fob can modulate RF packets in OOK/2FSK. In order to select the appropriate modulation type, follow the steps below: 1. Open the plastic case of the key fob. 2. Remove the battery and wait for 30 seconds to discharge capacitors. 3. For 2FSK modulation, place the battery back and make sure that no buttons are pressed during battery insertion. 4. For OOK modulation, press and hold the center button on the key fob during the battery insertion process. 5. Fit the plastic case of the key fob. 4.3. RF Packet Formats The packet format sent by the Si4010 is as follows: Table 1. RF Packet Format Preamble Sync Chip ID Status Counter CRC AES part CRC 13 byte 2 byte 4 byte 1 byte 2 byte 2 byte 16 byte 2 byte Rev 0.2 3 Si4010 Keyfob AES DEMO The fields other than AES part are not encoded. The AES encoded part of the RF packet contains the following encoded fields: Table 2. AES Encoded Fields Temperature 2 byte Battery Status Rolling Counter 1 byte 4 byte Button State PACap value 1 byte 2 byte Chip ID Reserved (0x00) 4 byte 2 byte Since the plain part and the AES encrypted part both contains the Chip ID, the decoding process is verified by comparing the Chip ID field between the two parts of the RF packet. If the decryption fails, a notification screen appears describing the AES decryption failure. 4.4. AES Encoding The AES encryption/decryption algorithm is a symmetric algorithm because the same key is used for encryption and decryption. The AES128 encoding/decoding process has been done using the SiLabs AES128 library. A session key for each packet is generated based on the sender Chip ID field and the constant key for the given packet type. There are two kinds of RF packets the key fob can send: an Association packet or a Message packet. There are different keys stored in the flash for each kind of packet. The receiver determines which key should be used by the Association flag in the plain Status byte. Association Key / Message Key Session Key AES Cipher Array with Chip ID AES Cipher Encrypted Data Data Array Figure 4. AES Encoding Decoding of AES encrypted data basically consists of the same steps as encoding except that the final AES cipher is replaced with inverse-ciphering. The receiver generates the same session key from the constant key and the sender Chip ID, and, since the AES is a symmetric algorithm, it can decrypt the data if the session key is valid. 4 Rev 0.2 Si4010 Keyfob AES DEMO 5. Demo Usage Connect an appropriate RF Pico board to the LCD Base Board; then, set the SW1 switch on the LCD Base Board according to the power source (battery or USB). During startup, the RF parameters are automatically detected by the demo software based on the EBID information. In this way, only the modulation type (OOK/FSK) should be selected manually. Figure 5 shows the modulation selection screen. Figure 5. Modulation Type Selection To select the modulation type on the Si4010 key fob, refer to "4.2. Selection of Si4010 Key Fob Modulation" on page 3. After the modulation has been chosen, the AES Demo main screen will display as shown in Figure 6. Figure 6. Main Screen Notification screens discussed below can pop up in the Main screen view and are caused by various events. The notification screens disappear after a time-out of several seconds; they can also be eliminated by pressing any of the push buttons. After startup, no associated clients are registered. In order to associate a client, press the push-button under the Asc menu option. During association, there is a limited amount of time available to associate a client. The remaining time is written to the screen as shown in Figure 7. Figure 7. Association Timeout The radio packets sent by the key fob are not like the association packets sent during normal use. To get an association packet out from the key fob, press Button 1 and Button 3 at the same time. This causes the key fob to generate an association plain text packet and then encrypt it with a different (association) AES key. Button 1 (right) and Button 3 (left) on the key fob are identified by arrows in Figure 8. Rev 0.2 5 Si4010 Keyfob AES DEMO Figure 8. Key Fob Association If the association timeout has not elapsed and an association request packet is received by the radio chip, the encoded part of the packet will be decrypted using an Association Session Key based on an Association Key and the sender ID. If decryption was successful, the client rolling counter is synchronized and registered to the clients list. Figure 9 shows the case when a successful association process completed. Figure 9. Association Success When at least one client is associated, the Main screen displays the space used on the list as shown in Figure 10. Figure 10. Main Screen with Associated Clients If an AES encoded radio packet is received by the RF Pico board from an associated client (other than an association request), the payload data is decrypted and displayed on the screen. The associated clients can also send unencrypted packets, which do not need to be decrypted. The notification screen will be the same in both cases, except the title, which shows if the packet was AES encrypted or is a Plain text packet. The encrypted data contains the index from the list and the ID of the sender, the button number pressed on the key fob, the rolling counter value, the key fob battery voltage, and, finally, the PACap value as shown in Figure 11. Figure 11. AES Encoded Packet Received 6 Rev 0.2 Si4010 Keyfob AES DEMO If an incoming packet rolling counter is greater than the last given rolling client counter value stored in the base Board RAM by the predefined limit, the client will be removed from the registered list, and a notification screen will be displayed as shown in Figure 12. Figure 12. Rolling Counter Out of Limit The list containing the associated clients can be erased by pressing the button under the Del menu option on the Main screen. Deleting clients also resets their rolling counters. After a client is removed from the list, its packet is neither received by the Base Board nor decrypted unless it is associated again. The Delete screen is shown in Figure 13. Figure 13. Delete Clients The associated client list can be viewed by pressing the button under the List menu option on the Main screen. The list view contains the indices and chip IDs of each associated client from the list. The list view is shown in Figure 14. Figure 14. List View of Clients Rev 0.2 7 RF_GPIO_1 RF_GPIO_0 Yellow 330R VDD Green 1k 1k R2 VDD VDD to U2 MCU RF_GPIO_2 LED3 R1 LED1 R9 PB1 Yellow R12 R3 1k 330R RF_GPIO_3 18R 1/4W R21 R4 LED4 1k 1uF C23 R13 BZ1 VOUT V0 V1 V2 V3 V4 10uF 6.3V C6 VDD 32 21 22 23 24 25 100nF C7 EADOGM132L-5 2 C1 19 C2 1 A1 20 A2 26 27 VSS CAP2N 33 VSS2 /RST 29 /CS CAP1P SCL 30 SI CAP1N AO 31 CAP3P 34 VDD2 35 VDD 28 CAP2P 39 40 37 36 38 0R 1k R6 R16 N.F. LCD_NSEL SCLK MOSI LCD_A0 100pF C8 1uF 1uF C18 6 16 15 14 13 12 11 8 7 2 U2 1uF C20 24 23 22 21 20 19 18 17 32 31 30 29 28 27 26 25 1uF C21 10 XTAL3 9 XTAL4 P1.0/AD0 P1.1/AD1 P1.2/AD2 P1.3/AD3 P1.4/AD4 P1.5/AD5 P1.6/AD6 P1.7/AD7 P0.0/VREF P0.1/AGND P0.2/XTAL1 P0.3/XTAL2 P0.4/TX P0.5/RX P0.6/CNVSTR P0.7/IREF0 1uF C19 C8051F930 RST/C2CK P2.0/A8 P2.1/A9 P2.2/A10 P2.3/A11 P2.4/ALE P2.5/RD P2.6/WR P2.7/C2D GND 4 DCEN 5 VBAT 3 VDD/DC+ 1 GND/DC- C17 1uF C15 1uF 1uF C14 C16 1uF C13 MCU Section SCLK MISO MOSI RF_NSEL RF_NIRQ RF_SDN SDA SCL RF_GPIO_0 RF_GPIO_1 RF_GPIO_2 RF_GPIO_3 MOSI SCLK SCL SDA VPP MOSI SCLK RF_NIRQ SDA RF_GPIO_0 RF_GPIO_2 VDD 1 3 5 7 9 11 13 15 17 19 1 3 5 7 9 11 13 15 17 19 R Size A3 TITLE: DATE: 2 4 6 8 10 12 14 16 18 20 2 4 6 8 10 12 14 16 18 20 2 1 MOSI SCLK LCD_NSEL LCD_A0 VDD to USB Debug Interface section MCU_C2D MCU_C2CK TS_TX TS_RX SCL SDA to LCD VPP N.F. JP3 MISO RF_NSEL RF_SDN SCL RF_GPIO_1 RF_GPIO_3 Apt/04/2012 REV: 1V2 MSC-LCDBB930 SHEET: 1 OF 2 SILICON LABORATORIES RFP2 RFP1 To RF Pico Board SILICON LABS RESET Figure 15. LCD Base Board Schematic 1 1 JP4 2 Jumper 330R Red LCD Q3 100nF 32.768kHz TZ1006A C22 1 JP5 2 Jumper LED2 R10 PB2 R5 R17 330R R11 PB3 Rev 0.2 PB4 4.7k 8 1k VDD Si4010 Keyfob AES DEMO 6. Schematics This section contains schematics of the RFPico, LCD Base Board, and Si4010 key fob boards included in the kit. High-definition schematics and a complete manufacturing pack with CAD/CAM files and BOMs can be found at www.silabs.com. C24 MCU_C2D MCU_C2CK 100nF 2 A 1 C D2 MBR0520L Z 4 2 GND SW1 2 C9 100pF 1uF 2 C5 N.F. JP2 1uF 1 VPP C4 SWITCH-SSA12G 3 1 VBUS VDD VDD 74LVC1G3157GW Z 4 3 Y0 2 GND 1 U6 VCC 5 S 6 Y1 74LVC1G3157GW 3 Y0 1 U5 VCC 5 S 6 Y1 VDD 5 C2CK/RST 6 P2.7/C2D 9 P1.5 8 P1.6/XTAL3 7 P1.7/XTAL4 C8051F981-GM P0.0/VREF P0.1/AGND P0.2/XTAL1 P0.3/XTAL2 P0.4/TX P0.5/RX P0.6 P0.7/IREF0 VDD 3 12 GND GND 2 1 20 19 18 17 16 15 VDD R20 14 P1.0/CP0+ 13 P1.1/CP011 P1.2 10 P1.3 100nF C11 1uF C10 100nF C12 VDD GPIO1_CTS GPIO0_RTS P0.0 P0.1 P0.2 P0.3 P0.4 P0.5 P0.6 P0.7 VIO VDD 20 N/C 21 N/C 1 28 27 26 25 24 23 22 5 6 GND 2 19 18 12 11 17 16 Size A3 DATE: VDD Green R 100nF C3 VDD LED5 J8 VBUS VDD R7 FUSE_PTC VDD 6 7 J7 USB_CONN_SMT_MINI 1 VBUS 2 D3 D+ 4 IO 5 GND REV: 1V2 MSC-LCDBB930 SHEET: 2 OF2 SILICON LABORATORIES 1 2 3 4 2k R8 Apt/04/2012 SILICON LABS TITLE: 7 REGIN 8 VBUS 4 D3 D+ 13 N/C 14 N/C 15 N/C 10 P3.0/C2D 9 C2CK/RST P2.0 P2.1 P2.2 P2.3 P2.4 P2.5 U3 CF326-SX0261GM Figure 16. LCD Base Board Schematic 2 MIC5353-33YMT U1 3 4 VIN VOUT 5 1 NC EN 6 2 GND BYP TS_TX to MCU section TS_RX TDI_C2CLK TCK_C2DAT TDO_C2DATPS TMS_C2CLKPS C2 100nF C1 4.7uF VDD USB Debug Interface Section R14 LED6 SDA SCL U4 LED7 4 JP1 4.7k R19 10k N.F. R18 R15 EBID D1 2k Red 2 3 4 1 Rev 0.2 BAT 1 2 + BATTERY_3XAA DIODE-SP0503BAHTG 1k Yellow VDD Si4010 Keyfob AES DEMO 9 4.3pF CA R18 RX R19 N.F. 0R 2 1 2 1 VPP PCB antenna Rev 0.2 U3 A0 VCC A1 WP A2 SCL VSS SDA 56nH LR2 VPP 8 7 6 EBID_SCL 5 EBID_SDA 100nF 24AA64T-I/MNY 1 2 3 4 C11 RF EBID 270pF CC1 2.7pF CR2 C3 100pF C2 100nF 2.2uF 4R7 R7 C1 RFVDD RF_SDN 33pF C4 1 2 3 4 5 100nF C5 GND SDN RXP RXN TX U1 SDI SDO SCLK NIRQ GPIO_1 Si4455 30MHz RF_NSEL RF_GPIO_3 RF_GPIO_2 R Size A3 TITLE: DATE: 1 3 5 7 9 11 13 15 17 19 1 3 5 7 9 11 13 15 17 19 J3 RFP2 RFP1 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 2 4 6 8 10 12 14 16 18 20 2 4 6 8 10 12 14 16 18 20 J6 2 1 J2 2 MCU_SDN MCU_GPIO_3 MCU_GPIO_2 MCU_NSEL MCU_SDI MCU_SDO MCU_SCLK MCU_NIRQ MCU_GPIO_1 MCU_GPIO_0 MCU_SDA MCU_SCL GND 1 VDD VDD To MCU Section EBID_SDA VPP RFVDD RF_GPIO_1 RF_GPIO_3 RF_MISO RF_NSEL RF_SDN Mar/13/2012 REV: 1V0 4355-LED-434 SHEET: 1 OF 2 SILICON LABORATORIES 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 RFVDD RF_SDN RF_GPIO_3 RF_GPIO_2 RF_NSEL RF_MOSI RF_MISO RF_SCLK RF_NIRQ RF_GPIO_1 RF_GPIO_0 EBID_SDA EBID_SCL VPP VPP EBID_SCL RFVDD RF_GPIO_0 RF_GPIO_2 RF_MOSI RF_SCLK RF_NIRQ SILICON LABS RF_GPIO_0 15 RF_MOSI 14 RF_MISO 13 RF_SCLK 12 RF_NIRQ 11 RF_GPIO_1 Figure 17. RFPico Board Schematic CR1 5.1pF LR1 56nH Antenna matching for 434MHz with multilayer inductors Q1 EP 20 19 18 17 16 GPIO_3 GPIO_2 XIN XOUT NSEL GND VDD VDD GND GPIO_0 6 7 8 9 10 10 EP RF Section Si4010 Keyfob AES DEMO SW3 GPIO3 SW2 SW1 GPIO2 GPIO1 SW4 GPIO4 GPIO3 GPIO2 GPIO1 GPIO0 GPIO4 VDD 1 2 Rev 0.2 Red LED GPIO0 GPIO9 GPIO2 GPIO1 GPIO8 Si4010-C2-GS TXP TXM GND GPIO3 VDD GPIO5 GPIO4 GPIO7 GPIO6 IC1 1nF C3 1 2 3 4 5 6 7 270pF C4 VDD GPIO8 & GPIO9 NC = 434MHz FW setup 14 13 12 11 10 9 8 2.2uF C2 VDD VPP VCC C2D C2CK GND R 220nH Size A4 DATE: VDD Printed Capacitor 04/27/2012 REV: V1.1 SHEET: 1 OF1 SILICON LABORATORIES 3.0pF C5 L1 4010-KFOB-434 TITLE: SILICON LABS 1 1 1 1 1 N.F. C_TX For C2 debugging cut s.c. and use 470Ohms instead! Shortcircuit Figure 18. Si4010-KFOB-434 Schematic 3 GPIO0 CR2032 SW0 BAT R1 VDD Si4010 Keyfob AES DEMO 11 Si4010 Keyfob AES DEMO DOCUMENT CHANGE LIST Revision 0.1 to Revision 0.2 Added schematic diagrams. the purpose description. Modified 12 Rev 0.2 Si4010 Keyfob AES DEMO NOTES: Rev 0.2 13 Simplicity Studio One-click access to MCU tools, documentation, software, source code libraries & more. Available for Windows, Mac and Linux! www.silabs.com/simplicity MCU Portfolio www.silabs.com/mcu SW/HW www.silabs.com/simplicity Quality www.silabs.com/quality Support and Community community.silabs.com Disclaimer Silicon Laboratories intends to provide customers with the latest, accurate, and in-depth documentation of all peripherals and modules available for system and software implementers using or intending to use the Silicon Laboratories products. Characterization data, available modules and peripherals, memory sizes and memory addresses refer to each specific device, and "Typical" parameters provided can and do vary in different applications. Application examples described herein are for illustrative purposes only. Silicon Laboratories reserves the right to make changes without further notice and limitation to product information, specifications, and descriptions herein, and does not give warranties as to the accuracy or completeness of the included information. Silicon Laboratories shall have no liability for the consequences of use of the information supplied herein. This document does not imply or express copyright licenses granted hereunder to design or fabricate any integrated circuits. The products must not be used within any Life Support System without the specific written consent of Silicon Laboratories. A "Life Support System" is any product or system intended to support or sustain life and/or health, which, if it fails, can be reasonably expected to result in significant personal injury or death. Silicon Laboratories products are generally not intended for military applications. Silicon Laboratories products shall under no circumstances be used in weapons of mass destruction including (but not limited to) nuclear, biological or chemical weapons, or missiles capable of delivering such weapons. Trademark Information Silicon Laboratories Inc., Silicon Laboratories, Silicon Labs, SiLabs and the Silicon Labs logo, CMEMS®, EFM, EFM32, EFR, Energy Micro, Energy Micro logo and combinations thereof, "the world’s most energy friendly microcontrollers", Ember®, EZLink®, EZMac®, EZRadio®, EZRadioPRO®, DSPLL®, ISOmodem ®, Precision32®, ProSLIC®, SiPHY®, USBXpress® and others are trademarks or registered trademarks of Silicon Laboratories Inc. ARM, CORTEX, Cortex-M3 and THUMB are trademarks or registered trademarks of ARM Holdings. Keil is a registered trademark of ARM Limited. All other products or brand names mentioned herein are trademarks of their respective holders. Silicon Laboratories Inc. 400 West Cesar Chavez Austin, TX 78701 USA http://www.silabs.com