1. Features • • • • • • • • • • • 1K X 1 Serial EEPROM with Security Logic Two Application Zones Stores and Validates Security Codes Maximum of Four Incorrect Security Code Attempts Provides Transport Code Security Low Voltage Operation: 2.7V to 5.5V Manufactured using Low Power CMOS Technology VPP Internally Generated 2 µs Read Access Time; 3 ms Write Cycle Time ESD Protection 4,000V Minimum. High Reliability: – 100,000 Program/Erase Cycles Guaranteed – Data Retention of 10 years 2. Description The AT88SC102 device is a low-cost, synchronous, secure memory integrated circuit, designed for use in prepaid and loyalty smart card applications. The AT88SC102 provides 1024 bits of serial Electrically Erasable and Programmable Read Only Memory (EEPROM) within two Application Zones, plus 64 bits in a code protected zone. Additional EEPROM memory and security logic provide security for smart card applications. Space is provided in the EEPROM memory for manufacturing records for both the smart card manufacturer and card issuer. After personalization, these records, and the state of the bit which enables the Erase Counter function, are locked and protected from modification for the lifetime of the product. Table 2-1. 1K EEPROM– Security Logic with Two Application Zones AT88SC102 Pin Configuration ISO Contact Pad Name C1 VCC Operating Voltage C2 RST Address Reset C3 CLK Clock and Address Control C4 FUS Fuse C5 GND Ground C6 NC No Connect C7 I/O Bidirectional Data C8 PGM Figure 2-1. VCC = C1 RST = C2 CLK = C3 FUS = C4 Description Programming Control Card Module Contact C5 = GND C6 = NC C7 = I/O C8 = PGM 1419C-SMEM-6/08 3. Terminology The following terms have specific definitions for the AT88SC102. 3.1 Erase Erase is a program operation that results in an EEPROM data bit being set to a logic “1” state. Outside the application zones, all erase operations are performed on 16-bit words. An erase operation performed on any bit within a word will execute an erase of the entire word. Inside the application zones, erase operations are controlled by the SV flag, EZ passwords, and EC2EN fuse. These operations are defined in the “Device Operation” section of the data sheet. 3.2 Write Write is a program operation that results in an EEPROM bit or word being set to a logic “0” state. An unwritten bit is defined as erased or set to a logic “1” state. Write operations in the AT88SC102 may be performed on individual bits after security code validation. In Security Level 2, write operations also require that the P1 or P2 bit within the application zone is set to “1”. 3.3 Program Program is an EEPROM function that activates internally timed, high-voltage circuitry and results in a data bit or word being set to either a logic “0” or “1” state. 3.4 Bit A bit is a single data element set to either a logic “0” or “1” state. All bit addresses within the application zones (AZ1, AZ2) may be written individually. 3.5 Byte A byte is eight consecutive data bits. A byte boundary will begin on an address that is evenly divisible by eight. The AT88SC102 has no capability for byte write operations. 3.6 Word A word is sixteen consecutive data bits. A word boundary will begin on an address that is evenly divisible by 16. Erase operations will always operate on 16-bit words when applied to addresses outside the application zones. In Security Level 1, erase operations within the application zones also operate on 16-bit words. In Security Level 2, erase operations within the application zones operate on the entire zone. Write operations function on single bits, not words, in both security levels. 3.7 Blown In reference to an AT88SC102 internal EEPROM fuse, the blown state is a logic “0”. 3.8 Unblown In reference to an AT88SC102 internal EEPROM fuse, the unblown state is a logic “1”. 3.9 Verification AT88SC102 operations are controlled by the state of several internal flags. The flags SV, E1, and E2 are set after verification of an associated password (security code or EZ1 or EZ2 respectively). Verification is accomplished by executing an INC/CMP operation, which correctly 2 AT88SC102 1419C–SMEM–6/08 AT88SC102 matches the password bit by bit as the CLK increments the address through the password memory addresses. Figure 3-1. Block Diagram VCC GND Power On Reset RST CLK PGM Address Counter FUS E2PROM Memory Security Logic I/O The AT88SC102 is manufactured using low-power CMOS technology and features its own internal high-voltage pump for single voltage supply operation. The devices are guaranteed to 100,000 erase/write cycles and 10-year data retention. The AT88SC102 supports the ISO/IEC 7816-3 synchronous protocol. 4. Security Features The security features of Atmel’s AT88SC102 include: • Data access only after validation of the security code. • Permanent invalidation of the device after four consecutive false security code presentations. • Read/write protection of certain memory zones. • Secure transport of devices using transport code compare sequence. • Unique customer identification number written and locked into every device for protection against duplication or counterfeiting. 4.1 Security Levels and Memory Access to AT88SC102 Access to the memory is controlled by the state of the issuer fuse and by the voltage supply applied on the FUS pad. Table 1. FUS Pad Issuer Fuse Security Level Logic “0” X 2 Logic “1” 1 1 Logic “1” 0 2 3 1419C–SMEM–6/08 4.1.1 Level 1: Security During Personalization AT88SC1003 die and modules are delivered with the issuer fuse intact. Issuer personalization is completed at this level. Security code validation is required to allow access to personalize the EEPROM memory. During personalization, the manufacturer fuse may be blown to lock the manufacturer’s zone. See “Memory Access Rules During Personalization” (Table 9-1 on page 10). Conditions: Issuer fuse = “1” (not blown) FUS pin = “1” (required) 4.1.2 Level 2: Security After Personalization EEPROM memory zones are protected by the various flags and passwords. After issuer personalization, Security Level 2 is implemented by blowing the issuer fuse. The device can also be placed in Security Level 2 by taking the FUS pin low, independent of the state of the issuer fuse. This function of the FUS pin enables the card issuer to simulate Security Level 2 during application development without permanently blowing the issuer fuse. See “Memory Access Rules After Personalization” (Table 10-1 on page 11). Conditions: Issuer fuse = “0” (blown) FUS pin = “X” or Issuer fuse = “1” (not blown) FUS pin = “0” 4 AT88SC102 1419C–SMEM–6/08 AT88SC102 5. Memory Map Table 5-1. AT88SC102 Memory Diagram Bit Address Description Bits Words 0–15 Fabrication Zone (FZ) 16 1 16–79 Issuer Zone (IZ) 64 4 80–95 Security Code (SC) 16 1 96–111 Security Code Attempts counter (SCAC) 16 1 112–175 Code Protected Zone (CPZ) 64 4 176–687 Application Zone 1 (AZ1) 512 32 688–735 Application Zone 1 Erase Key (EZ1) 48 3 736–1247 Application Zone 2 (AZ2) 512 32 1248–1279 Application Zone 2 Erase Key (EZ2) 32 2 1280–1407 Application Zone 2 Erase Counter (EC2) 128 8 1408–1423 Memory Test Zone (MTZ) 16 1 1424–1439 Manufacturer’s Zone (MFZ) 16 1 1440–1455 Block Write/Erase 16 1 1456–1471 MANUFACTURER’S FUSE 16 1 EC2EN FUSE (Controls use of EC2) 1 ISSUER FUSE 16 1529 1552 - 1567 1 6. Memory Zones Table 6-1. Memory Zones Zone Definition Fabrication Zone FZ (16 bits) The 16-bit fabrication zone is programmed when the chip is manufactured and cannot be changed. Application software may check this fabrication zone code to assure that the device was manufactured by Atmel. Issuer Zone IZ (64 bits) The 64-bit issuer zone is programmed by the card issuer during the personalization phase. It will contain issuer-specific information, such as serial numbers and dates. This area becomes read-only after the issuer fuse has been blown. Read access is always allowed in the issuer zone. Security Code SC (16 bits) The card security code is initially set by Atmel to protect the card during transportation to the card issuer. During personalization, this code must be verified by the AT88SC102 to allow access to the EEPROM memory. After the security code has been verified, the code itself may be changed in either security mode. While in personalization mode (Security Level 1), the security code gives erase and write access to both the application zones and the code protected zone. In Security Level 2, the security code gives write access to both the application zones and the code protected zone. Erase access requires verification of both the security code and the erase key (EZ1 or EZ2). Verification of the security code will set the internal flag SV to “1”. Atmel ships the device with a security code (transportation code) pre-programmed. This protects against the unauthorized use of an unpersonalized device and should be written to a new value during initialization. 5 1419C–SMEM–6/08 6. Memory Zones Table 6-1. Memory Zones Zone Definition Security Code Attempts Counter SCAC (16 bits) The protocol for verification of the security code requires that the user write one of the first four bits of the SCAC to a logic “0”. This allows the SCAC to count the number of consecutive incorrect presentations of the security code. After four consecutive incorrect security code presentations, the first four bits of the SCAC will all be written to “0”, and the user is permanently blocked from access to the application zones, as well as other areas controlled by the security code. After a successful presentation of the security code, the entire 16-bit SCAC, including the four active bits, should be erased. This verifies that the correct security code has been presented, since an erase operation in this area is not allowed without SC verification. It also clears the SCAC bits in preparation for the next use of the card. This erase operation will also clear the remaining twelve bits of the 16-bit SCAC word. These twelve bits may be used in an application, although the entire 16-bit word will be erased if any bit in the SCAC is erased. Code Protected Zone CPZ (64 bits) Read access to this area is always allowed and does not require SC validation. The security code must be correctly presented to allow write or erase access to the code protected zone. Application Zones 1 and 2 AZ1 and AZ2 (512 bits each) The application zones (AZ1 and AZ2) are intended to hold user application data. P1 (address 176) controls write access, and R1 (address 177) controls read access within AZ1. P2 (address 736) controls write access and R2 (address 737) controls read access within AZ2. In Security Level 1, an entire 16-bit word will be erased if an erase is performed on any single bit within that word. In Security Level 2, erase operations are controlled by both the SV flag and the erase keys (EZ1 and EZ2). See the Device Operation ERASE definition for specific details. The number of erase operations performed in AZ2 may be limited by leaving the EC2EN fuse set to “1”. The AT88SC102 allows unlimited erase operations of AZ1. Application Zone Erase Keys EZ1 (48 bits) EZ2 (32 bits) (Enabled in Security Level 2 only) The erase keys are passwords used to control erase operations within the application zones, after the issuer fuse has been blown (Security Level 2). The erase key passwords are written by the issuer during personalization (Security Level 1), after verification of the security code. EZ1 and EZ2 can not be changed after the issuer fuse is blown. In Security Level 2, the AT88SC102 allows only block erasure of an entire application zone. AZ1 can be erased only after both the SC and the EZ1 password have been validated. Verification of EZ1 will set the internal flag E1 to “1”. AZ2 can be erased only after both the SC and the EZ2 password have been validated. Verification of EZ1 will set the internal flag E1 to “1”. Verification of EZ2 will set the internal flag E2 to “1”. Application Zone 2 Erase Counter EC2 (128 bits) (Enabled in Security Level 2 only) The Application Zone 2 Erase Counter (EC2) is enabled only in Security Mode 2 and only when the EC2EN fuse is set to “1”. If both of these conditions are true, the user will be limited to 128 erase operations in Application Zone 2. EC2 is used to count these erase cycles. The erase protocol for the AT88SC102 Application Zone 2 requires one bit in EC2 to be written to “0”. After 128 erase operations, all 128 bits in EC2 will be “0” and the user will be blocked from erasing AZ2. The erase counter is only writeable and cannot be erased. When the EC2EN fuse = “0”, the EC2 operation is disabled. In that case there is no limit to the number of times AZ2 can be erased, and EC2 has no function. Memory Test Zone MTZ (16 bits) All operations are allowed for this zone (write, erase, read). The purpose of this zone is to provide an area in the product memory which is not restricted by security logic. It is used for testing purposes during the manufacturing process, and may also be used in the product application if desired, although no security protection exists for the MTZ. Manufacturer’s Zone MFZ (16 bits) The MFZ is intended to hold data specific to the smart card manufacturer (like assembly lot codes, dates, etc.). Read operations within this zone are always allowed. Write or erase operations within this zone are allowed after the SC has been verified. After the data is entered by the card manufacturer, the manufacturer’s fuse can be blown and the data within the MFZ will become read-only. Blowing the issuer fuse will also lock the data in the MFZ. 6 AT88SC102 1419C–SMEM–6/08 AT88SC102 6. Memory Zones Table 6-1. Memory Zones Zone Definition EC2EN Fuse (1 bit) This single-bit EEPROM fuse selects whether the EC2 counter is used to limit the number of AZ2 erase operations in Security Mode 2. If the EC2EN fuse is unblown (“1”), the number of erase operations allowed in AZ2 is limited to 128. If the EC2EN fuse is blown (“0”), there is no limit to the number of erase operations in AZ2. After the issuer fuse is blown, the state of the EC2EN fuse is locked and cannot be changed. Issuer Fuse (16 bits) This EEPROM fuse is used to change the security mode of the AT88SC102 from Security Mode 1 (“1”) to Security Mode 2 (“0”). Initialization of the AT88SC102 for use by the end customer occurs in Security Mode 1. Access conditions in Security Mode 1 are described in Table 1. Access conditions in Security Mode 2 are described in Table 2. Manufacturer’s Fuse (1 bit) This single-bit EEPROM fuse is used to lock the data stored in the manufacturer’s zone after personalization has been completed. 7 1419C–SMEM–6/08 6.1 Internal Flags Table 6-2. Zone SV P1 R1 P2 R2 8 Definition of AT88SC102 Internal Flags Definition Operation Function Security Validation Flag The SV flag is set by correctly matching the 16-bit security code bit-by-bit from address 80 through 95 as CLK increments the address counter. The security code matching operation must be followed immediately by a validation operation within the Security Code Attempts Counter (SCAC). This validation operation requires the user to find a bit in the first eight bits of the SCAC (addresses 96–103) that is a logic “1”. A write operation is performed, followed by an erase. The AT88SC102 will validate that the comparison was correct by outputting a logic “1”, and SV will be set. After the erase, all 16 bits in the SCAC will also be erased. The SV flag remains set until power to the card is turned off. If the comparison was in error, or part of the validation was not performed correctly, the AT88SC102 will output a logic “0”, showing that the SV flag has not been set. After eight consecutive incorrect security code presentations, the card is permanently locked. This flag is the master protection for the memory zones. See Tables 1 and 2. Application Zone 1 Write Flag If Bit 176 has been programmed to a logic “1”, this flag is set after Bit 176 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. P1 and SV must both be set in order to enable a write command in the application zone (Security Mode 2). Application Zone 1 Read Flag If Bit 177 has been programmed to a logic “1”, this flag is set after Bit 177 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. R1 or SV must be set in order to enable Application Zone 1 to be read. Application Zone 2 Write Flag If Bit 736 has been programmed to a logic “1”, this flag is set after Bit 736 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. P2 and SV must both be set in order to enable a write command in Application Zone 2 (Security Mode 2). Application Zone 2 Read Flag If Bit 737 has been programmed to a logic “1”, this flag is set after Bit 737 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. R2 or SV must be set in order to enable Application Zone 2 to be read. AT88SC102 1419C–SMEM–6/08 AT88SC102 Table 6-2. Zone E1 E2 EC Enabled E2 EC Disabled Definition of AT88SC102 Internal Flags (Continued) Definition Operation Function Application Zone 1 Erase Flag The E1 flag is set by correctly matching the Application Zone 1 Erase Key (EZ1) bit by bit as pin CLK increments the address counter. To complete an erase operation of AZ1 in Security Level 2, an erase operation must be performed on Bit 736 after E1 is set. The E1 flag is reset when the address counter = 0. Application Zone 1 (Bits 176– 687) will be erased when E1 is set and an erase is performed on Bit 736. This operation erases all bits in Application Zone 1. There is no limit to the number of erase operations that can be performed on AZ1. Application Zone 2 Erase Flag with Erase Counter operation enabled. (EC2EN FUSE = “1”) This flag is set by correctly matching the Application Zone 2 Erase Key (EZ2) bit by bit as pin CLK increments the address counter. Then a validation operation must be completed. This operation requires the user to find a bit in Application Zone 2 Erase Counter (EC2), addresses 1280–1407, that is a logic “1”. A write must then be performed, followed by an erase. The AT88SC102 will validate that the comparison was correct and Application Zone 2 will be erased. This flag is also reset when the address counter = 0. Application Zone 2 (Bits 736– 1237) is erased when E2 is set and an erase is performed after the validation operation in EC2 described above. This operation erases all bits in Application Zone 2. E2 is set when the Application Zone 2 Erase Key comparison is valid. It is reset when the address counter = 0. Application Zone 2 (bits 736– 1247) is erased when E2 is set and an erase is performed on Bit 1280. This operation erases all bits in Application Zone 2 but does not affect the word containing Bit 1280. Application Zone 2 Erase Flag with Erase Counter operation disabled. (EC2EN FUSE = “0”) 7. Definition of AT88SC102 Passwords Table 7-1. Definition of Passwords Table 1. Password Definition Security Code (SC) Bits 80–95 (16 bits) This password is used to set the Security Validation (SV) flag and is used in determining what operations are allowed in each zone (see Tables 1 and 2). Application Zone 1 Erase Key (EZ1) Bits 688–735 (48 bits) This password must be programmed during issuer personalization. It is used to erase Application Zone 1 in Security Level 2. Verification of EZ1 will set the internal flag E1 to “1”. Application Zone 2 Erase Key (EZ2) Bits 1248–1279 (32 bits) This password must be programmed during issuer personalization. It is used to erase Application Zone 2 in Security Level 2. Verification of EZ2 will set the internal flag E2 to “1”. 8. Definition of AT88SC102 Fuses • Manufacturer Fuse This fuse is used to control writes and erases of the Manufacturer Zone (MFZ). When the security code has been validated and both the issuer fuse and the manufacturer fuse are unblown, writes and erases of the MFZ are allowed. Blowing the issuer fuse will also disable the manufacturer fuse if it has not been blown previously. 9 1419C–SMEM–6/08 • EC2EN Fuse This fuse selects whether the EC2 counter is used to limit the number of Application Zone 2 erases allowed in Security Mode 2. If the EC2EN fuse is “unblown”, then the Application Zone 2 erases are limited to 128. If the EC2EN fuse is “blown”, the application zone erases are unlimited. After the issuer fuse is blown, the state of the EC2EN fuse is locked and cannot be changed. • Issuer Fuse This fuse is used to personalize the AT88SC102 for end use. It is an additional EEPROM bit that can be programmed to a logic “0”. This is its “blown” state. Security of the device when the issuer fuse is a logic “1” is described in Table 1. The device is in Security Level 2 when the issuer fuse is blown. The device can also be placed in Security Level 2 by taking the FUS pin low independent of the state of issuer fuse. Memory access rules of the device in Security Level 2 are described in Table 2. 9. Memory Access Rules During Personalization – Security Mode 1(1) Table 9-1. Access Conditions During Personalization (issuer fuse not blown) Zone SV(2) R1(3) R2(4) MF(5) Read Erase Write Compare FZ x x x x yes no no no IZ 0 1 x x x x x x yes yes no yes no yes no no SC 0 1 x x x x x x no yes no yes no yes yes no SCAC 0 1 x x x x x x yes yes no yes yes yes no no CPZ 0 1 x x x x x x yes yes no yes no yes no no AZ1 0 0 1 0 1 x x x x x x x no yes yes no no yes no no yes no no no EZ1 0 1 x x x x x x no yes no yes no yes no no AZ2 0 0 1 x x x 0 1 x x x x no yes yes no no yes no no yes no no no EZ2 0 1 x x x x x x no yes no yes no yes no no EC2 0 1 x x x x x x yes yes no yes yes yes no no MTZ x x x x yes yes yes no MFZ 0 1 1 x x x x x x x 0 1 yes yes yes no no yes no no yes no no no Notes: 1. Security Mode 1 Conditions: EC2EN = “1” or “0” Issuer Fuse = “1” FUS Pin = “1” (required) 2. SV = “1” after validation of the security code 10 AT88SC102 1419C–SMEM–6/08 AT88SC102 3. R1: 2nd bit of Application Zone 1 (Bit 177) 4. R2: 2nd bit of Application Zone 2 (Bit 737) 5. MF: Manufacturers Fuse = “0” when blown 10. Memory Access Rules After Personalization – Security Mode 2(1) Table 10-1. Access Conditions After Personalization (issuer fuse blown) Zone SV(2) P1(3) R1(4) P2(5) R2(6) E1(7) E2(8) Read Erase Write Compare FZ x x x x x x x yes no no no IZ x x x x x x x yes no no no SC 0 1 x x x x x x x x x x x x no no no yes no yes yes no SCAC 0 1 x x x x x x x x x x x x yes yes no yes yes yes no no CPZ 0 1 x x x x x x x x x x x x yes yes no yes no yes no no AZ1 0 0 1 1 1 1 x x 0 0 1 1 0 1 x x x x x x x x x x x x x x x x x x 0 1 0 1 x x x x x x no yes yes yes yes yes no no no yes no yes no no no no yes yes no no no no no no EZ1 x x x x x x x no no no yes AZ2 0 0 1 1 1 1 x x x x x x x x x x x x x x 0 0 1 1 0 1 x x x x x x x x x x x x 0 1 0 1 no yes yes yes yes yes no no no yes no yes no no no no yes yes no no no no no no EZ2 x x x x x x x no no no yes EC2 x x x x x x x yes no yes no MTZ x x x x x x x yes yes yes no MFZ x x x x x x x yes no no no Notes: 1. Security Mode 2 Conditions: Manufacturer Fuse = “X” EC2EN Fuse = “1” or “0” Issuer Fuse = “0” FUS Pin = “X” 2. SV = “1” after validation of the security code 3. P1: 1st bit of Application Zone 1 (Bit 176) 4. R1: 2nd bit of Application Zone 1 (Bit 177) 5. P2: 1st bit of the Application Zone (Bit 736) 6. R2: 2nd bit of the Application Zone 2 (Bit 737) 7. E1 = “1” after a valid presentation of the Application Zone 1 Erase Key (EZ1) 8. E2 = “1” after a valid presentation of the Application Zone 2 Erase Key (EZ2) 11 1419C–SMEM–6/08 11. Micro Operations The AT88SC102 circuit operation modes are selected by the input logic levels on the control pins PGM, CLK, and RST and by the internal address. Timing for these operations is specified in the AC Characteristics section. Table 11-1. Micro Operations Operation PGM RESET X INC/READ 0 RST 0 0 0 ERASE/WRITE 1 0 STANDBY 0 1 Definition This operation will reset the internal address to “0”. After the falling edge of RST, the first bit of the fabrication zone (Address 0) will be driven on the I/O contact. The erase flags (E1 and E2) will be reset. The address is incremented on the falling edge of CLK. If read operations are enabled, the addressed bit will be driven on the I/O pin after the falling edge of CLK. When read operations are disabled, the I/O will be disabled and pulled to a high state by the external system pull-up resistor. 0 INC/CMP Notes: CLK The INC/CMP operation will compare the value of the data driven by the system host on the I/O pin to the value of the bit already written into the EEPROM memory at that address location. This process is used during validation of the AT88SC102 security code and erase keys. The data must be stable on the I/O pin before the rising edge of CLK when the data will be latched internally. Comparison occurs on the next falling edge of CLK. The internal address is also incremented on the falling edge of CLK. The I/O pin must be driven to a “1” for an erase and to a “0” for a write operation before the rising edge of CLK (see tDS) X The device is placed in standby mode when FUS pin = “0” and RST = “1”. The address will not increment when RST is high. 1. The output is disabled (hi-state) on all addresses where the read operation is disabled. 2. The two instructions INC/READ and INC/CMP share the same control signal states. 3. The circuit will distinguish between the INC/READ and INC/CMP instructions by testing the internal address counter. (CMP can only be done with the addresses corresponding to the security code or to an erase key). 4. The internal address counter counts up to 1567. An additional CLK pulse resets the address to “0”. 12 AT88SC102 1419C–SMEM–6/08 AT88SC102 12. Device Functional Operation Table 12-1. Device Functional Operation Name Functional Operation Sequence POR OPERATION: POR (power-on reset) is initiated as the device power supply ramps from 0V up to a valid operating voltage. FUNCTION: POR resets all flags, and the address is reset to “0”. RESET OPERATION: With CLK low, a falling edge on the RST pin will reset the address counter to address “0”. FUNCTION: The address is reset to “0”, and the first bit of the memory is driven by the AT88SC102 on I/O after a reset. Only E1 and E2 are reset when the address is reset to 0. The Reset operation has no affect on any of the other flags (SV, P1, R1, P2, R2). ADDRESSING OPERATION: Addressing is handled by an internal address counter. The address is incremented on the falling edge of CLK. Reset must be low while incrementing the address. A falling edge of reset clears the counter to address “0”. FUNCTION: Addressing of the AT88SC102 is sequential. Specific bit addresses may be reached by completing a reset, then clocking the device (INC/READ) until the desired address is reached. The AT88SC102 will determine which operations are allowed at specific address locations. These operations are specified in Tables 1 and 2. For instance, to address the issuer zone (IZ), execute a reset operation, then clock the device 16 times. The device now outputs the first bit of the IZ. After the address counter counts up to 1567, the next CLK pulse resets the address to “0”. READ OPERATION: RST and PGM pins must be low. If a read operation is allowed, the state of the memory bit being addressed is output on the I/O pin. The I/O buffer is an open drain, and the output of a logic “0” therefore causes the device to pull the pin to ground. The output of a logic “1” causes the device to place the pin in a high impedance state. So to sense a logic “1”, an external pull-up must be placed between the I/O pin and VCC. The address counter is incremented on the falling edge of CLK. FUNCTION: Non-application Zones: As the address counter is incremented, the contents of the memory are read out on the I/O pin. The read operation is inhibited for addresses where security prevents a read operation (see Tables 1 and 2). Application Zones: Application Zone 1 can be read when: SV = “1” or R1 = “1”. Application Zone 2 can be read when: SV = “1” or R2 = “1”. 13 1419C–SMEM–6/08 Table 12-1. Device Functional Operation (Continued) Name Functional Operation Sequence WRITE A WRITE operation sets the bit(s) to a logic “0” OPERATION: CLK = “0” PGM “0” → “1” (I/O switches to an input) I/O = “0” (input = “0” for write operation) CLK “0”→ “1” (rising edge of CLK starts the write operation) PGM “1”→ “0” I/O “0”→ “Z” (high-impedance) Wait tCHP (see “AC Electrical Characteristics”) CLK “1”→ “0” (falling edge of CLK ends the WRITE operation) Note: The falling edge of CLK that ends the write operation does not increment the address counter. FUNCTION: Non-application Zones: The write operation is inhibited for addresses where security prevents a write operation (see Tables 1 and 2). Application Zones: The Application Zones can be written when: Security Level 1: SV = “1” Security Level 2: SV = “1”and P1 = “1” for AZ1. SV = “1” and P2 = “1” for AZ2 ERASE Operation Sequence CLK = “0” PGM “0” → “1” (I/O switches to an input) I/O = “1” (input = “1” for erase operation) CLK “0” → “1” (rising edge of CLK starts the erase operation) PGM “1” → “0” I/O “1” → “Z” (high-impedance) Wait tCHP (see “AC Electrical Characteristics”) CLK “1” → “0” (falling edge of CLK ends the erase operation) Note: The falling edge of CLK that ends the erase operation does not increment the address counter. ERASE (NonApplication Zones) An erase operation sets the bits to logic “1”. The EEPROM memory is organized into 16 bit words. Although erases are performed on single bits, the erase operation clears an entire word in the memory (except for the application zones in Security Level 2). Therefore, performing an erase on any bit in the word will clear all 16 bits of that word to logic “1”. OPERATION: Perform “Erase Operation Sequence” as specified above. FUNCTION: The erase operation is inhibited for addresses where security prevents an erase operation (see Tables 1 and 2.) ERASE (Application Zones) Security Level 1 Security level 1: (Issuer Fuse = “1” and FUS pin = “0”) The Application Zone can only be erased when SV = “1”. OPERATION: Increment address counter to any bit within AZ1 or AZ2. Perform “Erase Operation Sequence” as specified above. FUNCTION: This operation will erase the entire 16-bit word containing the bit. 14 AT88SC102 1419C–SMEM–6/08 AT88SC102 Table 12-1. Device Functional Operation (Continued) Name Functional Operation Sequence ERASE (Application Zone 2) Security Level 2 EC Mode Enabled Security level 2: (Issuer Fuse = “0” or FUS pin = “0”) EC mode is enabled. Erase operations within AZ2 are limited to 128. Application Zone 1 can only be erased when SV = “1” and E1 = “1”. OPERATION: Set SV = “1” by validating the security code (see definition of SV internal flag). Increment address counter to the first bit of the Application Zone 2 Erase Key (EZ2 = bit 1248). Execute 32 INC/CMP operations, correctly verifying each bit of the 32-bit erase key. Increment the address counter through the Application Zone 2 Erase Counter (EC2 = bits 1280–1407) until a bit is found that is set to “1”. Perform a write operation on this bit (this write will not increment the address counter). Perform an erase operation on the same bit. FUNCTION: This operation will erase the entire Application Zone. One additional bit of Erase Counter 2 will now be written to “0”. The erase operation in EC2 will initiate the AZ2 erase, but will not affect the state of the bits within EC2. ERASE (Application Zone 1 or 2) Security Level 2 EC Mode Disabled Security Level 2: (Issuer Fuse = “0” or FUS pin = “0”) EC mode is disabled in AZ2. Unlimited erase operations in AZ2. AZ1 always allows unlimited erase operations. Application Zone 1 can only be erased when SV = “1” and E1 = “1”. Application Zone 2 can only be erased when SV = “1” and E2 = “1”. OPERATION: Set SV = “1” by validating the security code (see definition of SV internal flag). Increment address counter to the first bit of the Application Zone Erase Key (EZ1 = bit 688, EZ2 = bit 1248). Execute 32 or 48 INC/CMP operations, correctly verifying each bit of the 32- or 48-bit erase key. Increment the address counter to the next bit (bit 736, to erase AZ1, bit 1280 to erase AZ2). Perform an erase operation on this bit. FUNCTION: This operation will erase the entire Application Zone but does not affect the word containing bit 736 or 1280. Block Write/Erase Enabled in Security Level 1 only. OPERATION: Set address counter between address 1440 and 1455. SV must be set. FUS pin must be high. Perform a write or erase operation. FUNCTION: The entire memory excluding the Fabrication Zone (FZ), Memory Test Zone (MTZ) and Manufacturer’s Zone (MFZ) will be written to “0” (write) or “1” (erase). The block write/erase modes are used to quickly personalize the device. 15 1419C–SMEM–6/08 Table 12-1. Device Functional Operation (Continued) Name Functional Operation Sequence Blowing Manufacturer Fuse Valid in Security Level 1. OPERATION: Set address counter between address 1456 and 1471. SV must be set. The FUS pin can be either a “0” or a “1”. RST pin = “1” Perform a write operation. FUNCTION: The manufacturer fuse will be at a logic “0” state. Note: The address will not change as long as RST is high. CLK should be low when RST is brought low. This will reset the address counter to “0”. Blowing EC2EN Fuse Valid in Security Level 1. The EC2EN fuse must be blown before the issuer fuse is blown. OPERATION: Set the address counter to address 1529. FUS pin = “1” RST pin = “1” Perform a write operation. FUNCTION: EC2EN fuse will be written to a logic “0” state. Note: The address will not change as long as RST is high. CLK should be low when RST is brought low This will reset the address counter to “0”. Blowing Issuer Fuse OPERATION: Set address counter between address 1552 and 1567. SV must be set. The FUS pin can be either a “0” or a “1”. RST pin = “1” Perform a write operation. FUNCTION: The issuer fuse will be set to a logic “0” state. This operation will convert the AT88SC102 from Security Level 1 to Security Level 2. The action is irreversible. Note: The address will not change as long as RST is high. CLK should be low when RST is brought low. This will reset the address counter to 0. Table 12-2. 16 Function of FUS and RST Pin FUS Used for personalizing the device. FUS must be high to be able to personalize the device when the issuer fuse is unblown. In Security Level 1, the FUS pin may be forced low to simulate Security Level 2. In Security Level 2, the FUS pin has no function. RST This pin is used to reset the address counter address to 0. It is also used in writing the issuer fuse and the EC2EN FUSE low. When the FUS pin is low and the RST pin is high, the part is in stand-by mode. AT88SC102 1419C–SMEM–6/08 AT88SC102 13. Absolute Maximum Ratings Operating Temperature ............................. 0°C to +70°C Note: Storage Temperature............................-65°C to +150°C Voltage on Any Pin with Respect to Ground................... -0.3V to VCC + 0.7V Maximum Voltage ..................................................6.25V Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. This is a stress rating only; functional operation of the device at these or any other conditions beyond those indicated in the operational sections of this specification is not implied. Exposure to absolute maximum rating conditions for extended periods may affect device reliability. DC Output Current................................................5.0 mA 14. DC Characteristics Applicable over recommended operating range from: VCC = 2.7V to 5.5V and TAC = 0°C to +70°C (unless otherwise noted). Table 14-1. Symbol DC Characteristics Characteristics Min Type Max Unit ICC Supply Current on VCC during Read (TAMB = + 25°C) 2 mA ICCP Supply Current on VCC during Program (TAMB = + 25°C) 5 mA ISB Standby Current on VCC (RST @ VCC; FUS, CLK, PGM @ GND; IOL = 0 µA; FCLK = 0 kHz) 50 µA VIL Input Low Level –0.3 VCC x 0.3 V VIH Input High Level VCC x 0.7 VCC + 0.3 V VOL Output Low Level (IOL = 1mA) 0.4 V IIL Input Leakage Current 20 µA IIH I/O Leakage Current (VOH = VCC Open Drain) 20 µA 17 1419C–SMEM–6/08 15. AC Characteristics Table 15-1. AC Characteristics TAC = 0°C to +70°C, VCC = 5V ± 10%, GND = 0V (unless otherwise noted). Symbol Characteristics Min Type Max tCLK Clock Cycle Time 3.3 µs tRH RST Hold Time 0.1 µs tDVR Data Valid Reset to Address “0” tCH CLK Pulse Width (High) 0.2 µs tCL CLK Pulse Width (Low) 0.2 µs tDV Data Access tOH Data Hold 0 µs tSC Data In Setup (CMP instruction) 0 µs tHC Data In Hold (CMP instruction) 0.2 µs tCHP CLK Pulse Width (High in Programming) 3.0 ms tDS Data in Setup 0.2 µs tDH Data in Hold 0 µs tSPR PGM Setup 2.2 µs tHPR PGM Hold 0.2 µs 2.0 2.0 Unit µs µs 16. Conditions of Dynamic Tests The circuit has an output with open drain. An external resistor is necessary between VCC and I/O in order to load the output Table 16-1. Conditions of Dynamic Tests. Pulse Levels of the Input GND to VCC Reference Levels in Input VCC x 0.3 and VCC x 0.7 Reference Levels in Output 1.5V Rising and Falling Time of Signals 5 ns 18 AT88SC102 1419C–SMEM–6/08 AT88SC102 17. AC Load Circuit Figure 17-1. AC Load Circuit VCC CHIP RLOAD I/O Test Point 100 pF Test Ckt. Included 18. Timing Diagrams 18.1 Reset Figure 18-1. Reset 0 (internal address counter) Address CLK tRH RST tDVR I/O Note: Output Data Valid CLK should be low on the falling edges of RST. CLK may remain low while RST is pulsed. 19 1419C–SMEM–6/08 18.2 Read Figure 18-2. Read tCLK Address tCL tCH CLK tOH tOH I/O tDV Note: PGM and RST must both be low during a read cycle. I/O should not be driven (except by the external pullup resistor). 18.3 Erase/Write Figure 18-3. Erase/Write Read Address An-1 Erase/Write An Read An An An+1 tCHP CLK tHPR tSPR tDV PGM tDV I/O tOH Valid Output Notes: tDH tDS Drive "1" (Erase) or "0" (Write) Input Valid Output 1. During any Erase or Write operation, PGM must fall before the falling edge of CLK at the end of tCHP (recommend a minimum setup of 1 µsec). 2. After the rising edge of PGM to initiate the Erase/Write operation, delay at least tDV (2 µsec) before driving data on the I/O contact. 20 AT88SC102 1419C–SMEM–6/08 AT88SC102 18.4 Compare Figure 18-4. Compare Address An+1 An An-1 CLK tSC tHC tSC Input I/O Note: Input Data is latched on the rising edge of CLK. Comparison occurs on the next falling edge of CLK. The address counter is incremented on the falling edge of CLK. During a compare operation of the first bit following a read (i.e., the first bit of the SC or erase keys), data driven to the I/O may be delayed by tDV after the falling edge of CLK. 18.5 Security Code Validation Figure 18-5. Security Code Validation Read Reset Address Ax (A) A0 A1 A2 A79 A80 A81 A94 (B) A95 A96 A97 A98 Read Write Read SCAC Compare SC (C) (D) Erase (E) (F) Read A99 (G) A100 RST CLK I/O DX D0 Output D1 CD80 CD81 Input CD95 0 0 Output 0 1 0 Input 0 Input Output 1 D99 Input Output PGM SV flag Notes: 1. An = Address, Dn = Read data (output), CDn = Compare data (input 2. Security Level 2 (issuer fuse blown). A = Compare sequence of the security code. B = This diagram shows an example in which the first three bits of the Security Code Attempts Counter (96–98) are previously set to “0”. Bit 99 in this example is a “1”, so the write/erase sequence is begun with that bit. C = Write operation of a “0” over the existing “1”. D = The AT88SC102 will output a “0” following the write operation. If the comparison is successful, the SV flag is set on the falling edge of CLK and the SCAC zone can be erased. E = Erase operation. F = The AT88SC102 will output a “1” following the erase operation if the security code verification is successful. If invalid, the 21 1419C–SMEM–6/08 device will output a “0”. G = On the falling edge of CLK, the address is incremented and the state of the next bit is driven on the I/O pin. 18.6 Erase Operation Figure 18-6. Erase Operation Application Zone 1 (AZ1) Read Reset Erase Compare EZ1 (B) (A) Address Ax A0 A1 A2 A431 A432 A433 A478 A479 Read (C) A480 (D) A481 RST CLK I/O DX D0 Output D1 CD432 Input CD433 1 CD479 Input Output Input D480 Output PGM E1 flag Notes: 1. An = Internal Address, Dn = Read data (output), CDn = Compare data (input). 2. This diagram illustrates the protocol for setting the E1 flag in Security Level 2 (issuer fuse blown). Erase operations in Security Level 1 within Application Zone 1 do not require setting of the E1 flag. In Security Level 1, an erase operation on any bit in Application Zone 1 will erase the entire 16-bit word containing the bit. A = Compare sequence of EZ1. If the comparison is valid, the EZ1 flag is set to “1”, enabling erasure of AZ1. B = If E1 is set to “1”, an erase operation on Bit 736 will erase Bits 176–687 (AZ1) (Security Level 1). C = After the falling edge of CLK, the device will drive the I/O contact to the logic state of the existing data in Bit 736. The state of this bit is not affected by the AZ1 erase operation. D = After the falling edge of CLK, the address is incremented and the state of the next bit is driven on the I/O contact. 22 AT88SC102 1419C–SMEM–6/08 AT88SC102 Figure 18-7. Erase Operation Application Zone 2 (AZ2), EC2 Function Disabled Read Reset Address Ax Erase Compare EZ2 (A) A0 A1 A2 A735 A736 A737 (B) A766 Read (C) A768 A767 (D) A769 RST CLK I/O DX D0 Output D1 CD736 Input CD737 CD767 Input 1 Output Input D768 Output PGM E2 flag Notes: 1. An = Internal Address, Dn = Read data (output), CDn = Compare data (input). 2. This diagram illustrates the protocol for setting the E2 flag in Security Level 2 (issuer fuse blown). Erase operations in Security Level 1 within Application Zone 2 do not require setting of the E2 flag. In Security Level 1, an erase operation on any bit in Application Zone 2 will erase the entire 16-bit word containing the bit. 3. EC2EN Fuse - “0” (disabled). A = Compare sequence of EZ2. If the comparison is valid, the EZ2 flag is set to “1”, enabling erasure of AZ2. B = If E2 is set to “1”, an erase operation on Bit 1280 will erase Bits 736–1247 (AZ2) (Security Level 1). C = After the falling edge of CLK, the device will drive the I/O contact to the logic state of the existing data in Bit 1280. The state of this bit is not affected by the AZ2 erase operation. D = After the falling edge of CLK, the address is incremented and the state of the next bit is driven on the I/O contact. 23 1419C–SMEM–6/08 Figure 18-8. Erase Operation Application Zone 2 (AZ2) EC2 Function Enabled Read Reset Address Ax (A) A0 A1 A2 A735 A736 A737 A766 (B) A767 A768 A769 Read Write Read SCAC Compare EZ2 (C) (D) Erase (E) Read (F) A771 A770 (G) A772 RST CLK I/O DX D0 D1 Output CD736 CD737 Input CD767 0 0 0 Output 1 0 Input 0 Input Output 1 Input 0 D772 Output PGM E2 flag Notes: 1. An = Internal Address, Dn = Read data (output), CDn = Compare data (input). 2. EC2EN fuse = 1 (enabled) 3. Security Level 2 (issuer fuse blown) A = Compare sequence of the Application Zone 2 Erase Key (EZ2). B =This diagram shows an example in which the first three bits of the EC2 Erase Counter (bits 1280 – 1282) are previously set to “0”. The write/erase operation should be performed on the first bit in EC2 which is found to be a “1”. Bit 1283 in this example is a “1”, so the write/erase sequence is begun with that bit. C = Write operation of a “0” over the existing “1”. D = The AT88SC102 will output a “0” following the write operation. If the comparison is successful, the E2 flag is set and the AZ2 zone can be erased. E = Erase operation. F = The AT88SC102 will output a “0” following the erase operation regardless of the success of the compare operation. G = On the falling edge of CLK, the address is incremented and the state of the next bit is driven on the I/O pin. 24 AT88SC102 1419C–SMEM–6/08 AT88SC102 19. Ordering Information Ordering Code(1) Package(2) Voltage Range Temperature Range AT88SC102–09ET–xx–2.7 AT88SC102–09PT–xx–2.7 M2–E Module M2–P Module 2.7V to 3.3V Commercial (0°C to 70°C) AT88SC102–09ET–xx AT88SC102–09PT–xx M2–E Module M2–P Module 4.5V to 5.5V Commercial (0°C to 70°C) Package Type(1) Notes: Description M2–E Module M2 ISO 7816 Smart Card Module M2–P Module M4 ISO 7816 Smart Card Module with Atmel Logo 1. “xx” must be replaced by a security code. Contact an Atmel Sales Office for the security code. 2. Formal drawings may be obtained from an Atmel Sales Office. 20. Smart Card Modules M2 - E Module Ordering Code: 09ET Module Size: M2 Dimension*: 12.6 x 11.4 [mm] Glob Top: Round - ∅ 8.0 [mm] Thickness: 0.58 [mm] Pitch: 14.25 mm Note: M2 - P Module Ordering Code: 09PT - 00 Module Size: M2 Dimension*: 12.6 x 11.4 [mm] Glob Top: Square - 8.8 x 8.8 [mm] Thickness: 0.58 [mm] Pitch: 14.25 mm The module dimensions listed refer to the dimensions of the exposed metal contact area. The actual dimensions of the module after excise or punching from the carrier tape are generally 0.4 mm greater in both directions (i.e. a punched M2 module will yield 13.0 x 11.8 mm). 25 1419C–SMEM–6/08 Headquarters International Atmel Corporation 2325 Orchard Parkway San Jose, CA 95131 USA Tel: 1(408) 441-0311 Fax: 1(408) 487-2600 Atmel Asia Room 1219 Chinachem Golden Plaza 77 Mody Road Tsimshatsui East Kowloon Hong Kong Tel: (852) 2721-9778 Fax: (852) 2722-1369 Atmel Europe Le Krebs 8, Rue Jean-Pierre Timbaud BP 309 78054 Saint-Quentin-enYvelines Cedex France Tel: (33) 1-30-60-70-00 Fax: (33) 1-30-60-71-11 Atmel Japan 9F, Tonetsu Shinkawa Bldg. 1-24-8 Shinkawa Chuo-ku, Tokyo 104-0033 Japan Tel: (81) 3-3523-3551 Fax: (81) 3-3523-7581 Technical Support [email protected] Sales Contact www.atmel.com/contacts Product Contact Web Site www.atmel.com/products/securemem Literature Requests www.atmel.com/literature Disclaimer: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN ATMEL’S TERMS AND CONDITIONS OF SALE LOCATED ON ATMEL’S WEB SITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel’s products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life. © 2008 Atmel Corporation. All rights reserved. Atmel®, logo and combinations thereof, and others are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. Other terms and product names may be trademarks of others. 1419C–SMEM–6/08