DALLAS DS5002FP

DS5002FP
Secure Microprocessor Chip
www.maxim-ic.com
FEATURES
· 8051-compatible microprocessor for secure/sensitive applications
  - Access 32, 64, or 128 kbytes of nonvolatile SRAM for program and/or data storage
  - In-system programming via on-chip serial port
  - Capable of modifying its own program or data memory in the end system
· Firmware security features
  - Memory stored in encrypted form
  - Encryption using on-chip 64-bit key
  - Automatic true random key generator
  - Self Destruct Input (SDI)
  - Optional top coating prevents microprobe (DS5002FPM)
  - Improved security over previous generations
  - Protects memory contents from piracy
· Crashproof operation
  - Maintains all nonvolatile resources for over 10 years in the absence of power
  - Power-fail reset
  - Early warning power-fail interrupt
  - Watchdog timer
PIN ASSIGNMENT
(80-pin QFP pin assignment figure; pin numbers and names are listed under PIN DESCRIPTION)
DESCRIPTION
The DS5002FP Secure Microprocessor Chip is a secure version of the DS5001FP 128k Soft
Microprocessor Chip. In addition to the memory and I/O enhancements of the DS5001FP, the Secure
Microprocessor Chip incorporates the most sophisticated security features available in any processor. The
security features of the DS5002FP include an array of mechanisms which are designed to resist all levels
of threat, including observation, analysis, and physical attack. As a result, a massive effort would be
required to obtain any information about memory contents. Furthermore, the “soft” nature of the
DS5002FP allows frequent modification of the secure information, thereby minimizing the value of any
secure information obtained by such a massive effort.
Note: Some revisions of this device may incorporate deviations from published specifications known
as errata. Multiple revisions of any device may be simultaneously available through various sales
channels. For information about device errata, click here: http://dbserv.maxim-ic.com/errata.cfm.
052599
The DS5002FP implements a security system which is an improved version of its predecessor, the
DS5000FP. Like the DS5000FP, the DS5002FP loads and executes application software in encrypted
form. Up to 128 kbytes of standard SRAM can be accessed via its byte-wide bus. This RAM is converted
by the DS5002FP into lithium-backed nonvolatile storage for program and data. Data is maintained for
over 10 years at room temperature with a very small lithium cell. As a result, the contents of the RAM
and the execution of the software appear unintelligible to the outside observer. The encryption algorithm
uses an internally stored and protected key. Any attempt to discover the key value results in its erasure,
rendering the encrypted contents of the RAM useless.
The Secure Microprocessor Chip offers a number of major enhancements to the software security
implemented in the previous generation DS5000FP. First, the DS5002FP provides a stronger software
encryption algorithm which incorporates elements of DES encryption. Second, the encryption is based on
a 64-bit key word, as compared to the DS5000FP’s 40-bit key. Third, the key can only be loaded from an
on-chip true random number generator. As a result, the true key value is never known by the user. Fourth,
a Self-Destruct Input pin (SDI) is provided to interface to external tamper detection circuitry. With or
without the presence of VCC, activation of the SDI pin has the same effect as resetting the Security Lock:
immediate erasure of the key word and the 48-byte Vector RAM area. Fifth, an optional top-coating of
the die prevents access of information using microprobing techniques. Finally, customer-specific versions
of the DS5002FP are available which incorporate a one-of-a-kind encryption algorithm.
When implemented as a part of a secure system design, a system based on the DS5002FP can typically
provide a level of security which requires more time and resources to defeat than it is worth to
unauthorized individuals who have reason to try. For a user who wants a preconstructed module using the
DS5002FP, RAM, lithium cell, and a real time clock, the DS2252T is available and described in a
separate data sheet.
ORDERING INFORMATION
The following devices are available as standard products from Dallas Semiconductor:
PART #          DESCRIPTION
DS5002FP-16     80-pin QFP, Max. clock speed 16 MHz, 0°C to 70°C operation
DS5002FPM-16    80-pin QFP, Max. clock speed 16 MHz, 0°C to 70°C operation,
                Internal microprobe shield
Operating information is contained in the User’s Guide Section of the Secure Microprocessor Data Book.
This data sheet provides ordering information, pin-out, and electrical specifications.
BLOCK DIAGRAM
Figure 1 is a block diagram illustrating the internal architecture of the DS5002FP. The DS5002FP is a
secure implementation of the DS5001FP 128k Soft Microprocessor Chip. As a result, it operates in an
identical fashion to the DS5001FP except where indicated. See the DS5001FP Data Sheet for operating
details.
DS5002FP BLOCK DIAGRAM Figure 1
PIN DESCRIPTION
PIN: DESCRIPTION
11, 9, 7, 5, 1, 79, 77, 75:
    P0.0 - P0.7. General purpose I/O Port 0. This port is open-drain and can not drive a logic 1. It
    requires external pullups. Port 0 is also the multiplexed expanded address/data bus. When used in
    this mode, it does not require pullups.
15, 17, 19, 21, 25, 27, 29, 31:
    P1.0 - P1.7. General purpose I/O Port 1.
49, 50, 51, 56, 58, 60, 64, 66:
    P2.0 - P2.7. General purpose I/O Port 2. Also serves as the MSB of the expanded address bus.
36:
    P3.0 RXD. General purpose I/O port pin 3.0. Also serves as the receive signal for the on board
    UART. This pin should NOT be connected directly to a PC COM port.
38:
    P3.1 TXD. General purpose I/O port pin 3.1. Also serves as the transmit signal for the on board
    UART. This pin should NOT be connected directly to a PC COM port.
39:
    P3.2 INT0. General purpose I/O port pin 3.2. Also serves as the active low External Interrupt 0.
40:
    P3.3 INT1. General purpose I/O port pin 3.3. Also serves as the active low External Interrupt 1.
41:
    P3.4 T0. General purpose I/O port pin 3.4. Also serves as the Timer 0 input.
44:
    P3.5 T1. General purpose I/O port pin 3.5. Also serves as the Timer 1 input.
45:
    P3.6 WR. General purpose I/O port pin. Also serves as the write strobe for Expanded bus operation.
46:
    P3.7 RD. General purpose I/O port pin. Also serves as the read strobe for Expanded bus operation.
34:
    RST - Active high reset input. A logic 1 applied to this pin will activate a reset state. This pin
    is pulled down internally so this pin can be left unconnected if not used. An RC power-on reset
    circuit is not needed and is NOT recommended.
70:
    ALE - Address Latch Enable. Used to de-multiplex the multiplexed expanded address/data bus on
    port 0. This pin is normally connected to the clock input on a ’373 type transparent latch.
47, 48:
    XTAL2, XTAL1. Used to connect an external crystal to the internal oscillator. XTAL1 is the input
    to an inverting amplifier and XTAL2 is the output.
52:
    GND - Logic ground.
13:
    VCC - +5V
12:
    VCCO - VCC Output. This is switched between VCC and VLI by internal circuits based on the level of
    VCC. When power is above the lithium input, power will be drawn from VCC. The lithium cell remains
    isolated from a load. When VCC is below VLI, the VCCO switches to the VLI source. VCCO should be
    connected to the VCC pin of an SRAM.
54:
    VLI - Lithium Voltage Input. Connect to a lithium cell greater than VLImin and no greater than
    VLImax as shown in the electrical specifications. Nominal value is +3V.
16, 8, 18, 80, 76, 4, 6, 20, 24, 26, 28, 30, 33, 35, 37:
    BA14 - 0. Byte-wide address bus bits 14-0. This bus is combined with the non-multiplexed data bus
    (BD7-0) to access NVSRAM. Decoding is performed using CE1 through CE4. Therefore, BA15 is not
    actually needed. Read/write access is controlled by R/W. BA14-0 connect directly to an 8k, 32k, or
    128k SRAM. If an 8k RAM is used, BA13 and BA14 will be unconnected. If a 128k SRAM is used, the
    micro converts CE2 and CE3 to serve as A16 and A15 respectively.
71, 69, 67, 65, 61, 59, 57, 55:
    BD7 - 0. Byte-wide Data bus bits 7-0. This 8-bit bi-directional bus is combined with the
    non-multiplexed address bus (BA14-0) to access NV SRAM. Decoding is performed on CE1 and CE2.
    Read/write access is controlled by R/W. BD7-0 connect directly to an SRAM, and optionally to a
    real-time clock or other peripheral.
10:
    R/W - Read/Write. This signal provides the write enable to the SRAMs on the byte-wide bus. It is
    controlled by the memory map and partition. The blocks selected as program (ROM) will be
    write-protected.
74:
    CE1 - Chip Enable 1. This is the primary decoded chip enable for memory access on the byte-wide
    bus. It connects to the chip enable input of one SRAM. CE1 is lithium-backed. It will remain in a
    logic high inactive state when VCC falls below VLI.
2:
    CE2 - Chip Enable 2. This chip enable is provided to access a second 32k block of memory. It
    connects to the chip enable input of one SRAM. When MSEL=0, the micro converts CE2 into A16 for a
    128k x 8 SRAM. CE2 is lithium-backed and will remain at a logic high when VCC falls below VLI.
63:
    CE3 - Chip Enable 3. This chip enable is provided to access a third 32k block of memory. It
    connects to the chip enable input of one SRAM. When MSEL=0, the micro converts CE3 into A15 for a
    128k x 8 SRAM. CE3 is lithium-backed and will remain at a logic high when VCC falls below VLI.
62:
    CE4 - Chip Enable 4. This chip enable is provided to access a fourth 32k block of memory. It
    connects to the chip enable input of one SRAM. When MSEL=0, this signal is unused. CE4 is
    lithium-backed and will remain at a logic high when VCC falls below VLI.
78:
    PE1 - Peripheral Enable 1. Accesses data memory between addresses 0000h and 3FFFh when the PES
    bit is set to a logic 1. Commonly used to chip enable a byte-wide real time clock such as the
    DS1283. PE1 is lithium-backed and will remain at a logic high when VCC falls below VLI. Connect
    PE1 to battery-backed functions only.
3:
    PE2 - Peripheral Enable 2. Accesses data memory between addresses 4000h and 7FFFh when the PES
    bit is set to a logic 1. PE2 is lithium-backed and will remain at a logic high when VCC falls
    below VLI. Connect PE2 to battery-backed functions only.
22:
    PE3 - Peripheral Enable 3. Accesses data memory between addresses 8000h and BFFFh when the PES
    bit is set to a logic 1. PE3 is not lithium-backed and can be connected to any type of peripheral
    function. If connected to a battery-backed chip, it will need additional circuitry to maintain the
    chip enable in an inactive state when VCC < VLI.
23:
    PE4 - Peripheral Enable 4. Accesses data memory between addresses C000h and FFFFh when the PES
    bit is set to a logic 1. PE4 is not lithium-backed and can be connected to any type of peripheral
    function. If connected to a battery-backed chip, it will need additional circuitry to maintain the
    chip enable in an inactive state when VCC < VLI.
32:
    PROG - Invokes the Bootstrap Loader on a falling edge. This signal should be debounced so that
    only one edge is detected. If connected to ground, the micro will enter Bootstrap loading on
    power-up. This signal is pulled up internally.
42:
    VRST - This I/O pin (open drain with internal pullup) indicates that the power supply (VCC) has
    fallen below the VCCmin level and the micro is in a reset state. When this occurs, the DS5002FP
    will drive this pin to a logic 0. Because the micro is lithium-backed, this signal is guaranteed
    even when VCC = 0V. Because it is an I/O pin, it will also force a reset if pulled low externally.
    This allows multiple parts to synchronize their power-down resets.
43:
    PF - This output goes to a logic 0 to indicate that the micro has switched to lithium backup. This
    corresponds to VCC < VLI. Because the micro is lithium-backed, this signal is guaranteed even when
    VCC = 0V. The normal application of this signal is to control lithium powered current to isolate
    battery-backed functions from non-battery-backed functions.
14:
    MSEL - Memory select. This signal controls the memory size selection. When MSEL = +5V, the
    DS5002FP expects to use 32k x 8 SRAMs. When MSEL = 0V, the DS5002FP expects to use a 128k x 8
    SRAM. MSEL must be connected regardless of partition, mode, etc.
53:
    SDI - Self-Destruct Input. An active high on this pin causes an unlock procedure. This results in
    the destruction of Vector RAM, Encryption Keys, and the loss of power from VCCO. This pin should
    be grounded if not used.
72:
    CE1N - This is a non-battery-backed version of CE1. It is not generally useful since the DS5002FP
    can not be used with EPROM due to its encryption.
73:
    NC - Do not connect.
SECURE OPERATION OVERVIEW
The DS5002FP incorporates encryption of the activity on its byte-wide address/data bus to prevent
unauthorized access to the program and data information contained in the nonvolatile RAM. Loading an
application program in this manner is performed via the Bootstrap Loader using the general sequence
described below:
1. Clear Security Lock.
2. Set memory map configuration as for DS5001FP.
3. Load application software.
4. Set Security Lock.
5. Exit Loader.
Loading of application software into the program/data RAM is performed while the DS5002FP is in its
Bootstrap Load mode. Loading is only possible when the Security Lock is clear. If the Security Lock has
previously been set, then it must be cleared by issuing the “Z” command from the Bootstrap Loader. Resetting
the Security Lock instantly clears the previous key word and the contents of the Vector RAM. In addition,
the Bootstrap ROM writes 0s into the first 32k of external RAM.
The user’s application software is loaded into external CMOS SRAM via the “L” command in
“scrambled” form through on-chip encryptor circuits. Each external RAM address is an encrypted
representation of an on-chip logical address. Thus, the sequential instructions of an ordinary program or
data table are stored non-sequentially in RAM memory. The contents of the program/data RAM are also
encrypted. Each byte in RAM is encrypted by a key- and address-dependent encryptor circuit such that
identical bytes are stored as different values in different memory locations.
The encryption of the program/data RAM is dependent on an on-chip 64-bit key word. The key is loaded
by the ROM firmware just prior to the time that the application software is loaded, and is retained as
nonvolatile information in the absence of VCC by the lithium backup circuits. After loading is complete,
the key is protected by setting the on-chip Security Lock, which is also retained as nonvolatile
information in the absence of VCC. Any attempt to tamper with the key word and thereby gain access to
the true program/data RAM contents results in the erasure of the key word as well as the RAM contents.
During execution of the application software, logical addresses on the DS5002FP that are generated from
the program counter or data pointer registers are encrypted before they are presented on the byte-wide
address bus. Opcodes and data are read back and decrypted before they are operated on by the CPU.
Similarly, data values written to the external nonvolatile RAM storage during program execution are
encrypted before they are presented on the byte-wide data bus during the write operation. This
encryption/decryption process is performed in real time such that no execution time is lost as compared to
the non-encrypted DS5001FP or 8051 running at the same clock rate. As a result, operation of the
encryptor circuitry is transparent to the application software.
Unlike the DS5000FP, the DS5002FP chip’s security feature is always enabled.
SECURITY CIRCUITRY
The on-chip functions associated with the DS5002FP’s software security feature are depicted in Figure 2.
Encryption logic consists of an address encryptor and a data encryptor. Although each encryptor uses its
own algorithm for encrypting data, both depend on the 64-bit key word which is contained in the
Encryption Key registers. Both the encryptors operate during loading of the application software and also
during its execution.
DS5002FP SECURITY CIRCUITRY Figure 2
The address encryptor translates each “logical” address, i.e., the normal sequence of addresses that are
generated in the logical flow of program execution, into an encrypted address (or “physical” address) at
which the byte is actually stored. Each time a logical address is generated, either during program loading
or during program execution, the address encryptor circuitry uses the value of the 64-bit key word and of
the address itself to form the physical address which will be presented on the address lines of the RAM.
The encryption algorithm is such that there is one and only one physical address for every possible logical
address. The address encryptor operates over the entire memory range which is configured during
Bootstrap Loading for access on the byte-wide bus.
As Bootstrap Loading of the application software is performed, the data encryptor logic transforms the
opcode, operand, or data byte at any given memory location into an encrypted representation. As each
byte is read back to the CPU during program execution, the internal data encryptor restores it to its
original value. When a byte is written to the external nonvolatile program/data RAM during program
execution, that byte is stored in encrypted form as well. The data encryption logic uses the value of the
64-bit key, the logical address to which the data is being written, and the value of the data itself to form
the encrypted data which is written to the nonvolatile program/data RAM. The encryption algorithm is
repeatable, such that for a given data value, Encryption Key value, and logical address the encrypted byte
will always be the same. However, there are many possible encrypted data values for each possible true
data value due to the algorithm’s dependency on the values of the logical address and Encryption Key.
When the application software is executed, the internal CPU of the DS5002FP operates as normal.
Logical addresses are calculated for opcode fetch cycles and also data read and write operations. The
DS5002FP has the ability to perform address encryption on logical addresses as they are generated
internally during the normal course of program execution. In a similar fashion, data is manipulated by the
CPU in its true representation. However, it is also encrypted when it is written to the external
program/data RAM, and is restored to its original value when it is read back.
When an application program is stored in the format described above, it is virtually impossible to
disassemble opcodes or to convert data back into its true representation. Address encryption has the effect
that the opcodes and data are not stored in the contiguous form in which they were assembled, but rather
in seemingly random locations in memory. This in itself makes it virtually impossible to determine the
normal flow of the program. As an added protection measure, the address encryptor also generates
“dummy” read access cycles whenever time is available during program execution.
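Added example (not from the data sheet, and not the DS5002FP's proprietary algorithm): a toy C model with the properties described above, namely a one-to-one keyed address mapping and a key- and address-dependent byte encryptor. The Feistel construction, the mix() function, the 64k address range, and the sample keys and bytes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ADDR_SPACE 65536u  /* assumption: a full 64k logical range on the byte-wide bus */

/* Toy keyed mixer (an assumption); 'round' (0..3) picks one 16-bit slice of the key. */
static uint32_t mix(uint32_t x, uint64_t key, unsigned round)
{
    x ^= (uint32_t)(key >> (16u * round)) & 0xFFFFu;
    x *= 0x9E3779B1u;
    x ^= x >> 15;
    return x;
}

/* Address encryptor: 4-round Feistel network on the two address bytes. A Feistel
   network is a permutation, so each logical address has exactly one physical address. */
uint16_t encrypt_address(uint16_t logical, uint64_t key)
{
    uint8_t l = (uint8_t)(logical >> 8), r = (uint8_t)logical;
    for (unsigned i = 0; i < 4; i++) {
        uint8_t t = (uint8_t)(l ^ (uint8_t)mix(r, key, i));
        l = r;
        r = t;
    }
    return (uint16_t)(((unsigned)l << 8) | r);
}

static uint8_t rotl8(uint8_t v, unsigned s)
{
    s &= 7u;
    return (uint8_t)((v << s) | (v >> ((8u - s) & 7u)));
}

/* Per-location parameters derived from the key and the logical address. */
static void data_params(uint16_t logical, uint64_t key, uint8_t *k1, uint8_t *k2, unsigned *s)
{
    uint32_t m = mix(mix(logical, key, 1), key, 3);
    *k1 = (uint8_t)m; *k2 = (uint8_t)(m >> 8); *s = (m >> 16) & 7u;
}

uint8_t encrypt_data(uint8_t d, uint16_t logical, uint64_t key)
{
    uint8_t k1, k2; unsigned s;
    data_params(logical, key, &k1, &k2, &s);
    return (uint8_t)(rotl8((uint8_t)(d ^ k1), s) + k2);   /* invertible byte map */
}

uint8_t decrypt_data(uint8_t c, uint16_t logical, uint64_t key)
{
    uint8_t k1, k2; unsigned s;
    data_params(logical, key, &k1, &k2, &s);
    return (uint8_t)(rotl8((uint8_t)(c - k2), 8u - s) ^ k1);
}

static uint8_t sram[ADDR_SPACE];   /* what an observer of the external RAM sees */
void bus_write(uint16_t a, uint8_t d, uint64_t key) { sram[encrypt_address(a, key)] = encrypt_data(d, a, key); }
uint8_t bus_read(uint16_t a, uint64_t key) { return decrypt_data(sram[encrypt_address(a, key)], a, key); }

/* Returns 1 when every physical address is produced exactly once. */
int address_map_is_bijective(uint64_t key)
{
    static uint8_t seen[ADDR_SPACE];
    for (uint32_t a = 0; a < ADDR_SPACE; a++) seen[a] = 0;
    for (uint32_t a = 0; a < ADDR_SPACE; a++) {
        uint16_t p = encrypt_address((uint16_t)a, key);
        if (seen[p]) return 0;
        seen[p] = 1;
    }
    return 1;
}

/* Stores the same byte at logical addresses 0..255 and counts distinct stored values. */
int distinct_stored_values(uint8_t plain, uint64_t key)
{
    int seen[256] = {0}, n = 0;
    for (uint32_t a = 0; a < 256; a++) {
        uint8_t c = encrypt_data(plain, (uint16_t)a, key);
        if (!seen[c]) { seen[c] = 1; n++; }
    }
    return n;
}

/* Loads a constructed image under load_key, reads it back under read_key. */
int bytes_recovered(uint64_t load_key, uint64_t read_key)
{
    static const uint8_t image[] = { 0x02, 0x00, 0x30, 0x75, 0x90, 0xFF, 0x80, 0xFE };
    int ok = 0;
    for (uint16_t i = 0; i < sizeof image; i++) bus_write((uint16_t)(0x0030 + i), image[i], load_key);
    for (uint16_t i = 0; i < sizeof image; i++) ok += bus_read((uint16_t)(0x0030 + i), read_key) == image[i];
    return ok;
}

int main(void)
{
    const uint64_t ka = 0x0123456789ABCDEFull, kb = 0xFEDCBA9876543210ull;  /* constructed keys */
    printf("one-to-one: %d, distinct values for 02h: %d\n", address_map_is_bijective(ka), distinct_stored_values(0x02, ka));
    printf("recovered with load key: %d, with another key: %d\n", bytes_recovered(ka, ka), bytes_recovered(ka, kb));
    return 0;
}
```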
DUMMY READ CYCLES
Like the DS5000FP, the DS5002FP generates a “dummy” read access cycle to non-sequential addresses
in external RAM memory whenever time is available during program execution. This action has the effect
of further complicating the task of determining the normal flow of program execution. During these
pseudo-random dummy cycles, the RAM is read to all appearances, but the data is not used internally.
Through the use of a repeatable exchange of dummy and true read cycles, it is impossible to distinguish a
dummy cycle from a real one.
ENCRYPTION ALGORITHM
The DS5002FP incorporates a proprietary algorithm implemented in hardware which performs the
scrambling of address and data on the byte-wide bus to the static RAM. This algorithm has been greatly
strengthened with respect to its DS5000FP predecessor. Improvements include:
1. 64-bit Encryption Key.
2. Incorporation of DES-like operations to provide a greater degree of nonlinearity.
3. Customizable encryption.
The encryption circuitry uses a 64-bit key value (compared to the DS5000FP’s 40-bit key) which is stored
on the DS5002FP die and protected by the Security Lock function described below. In addition, the
algorithm has been strengthened to incorporate certain operations used in DES encryption, so that the
encryption of both the addresses and data is highly nonlinear. Unlike the DS5000FP, the encryption
circuitry in the DS5002FP is always enabled.
Dallas Semiconductor can customize the encryption circuitry by laser programming the die to insure that
a unique encryption algorithm is delivered to the customer. In addition, the customer-specific version can
be branded as specified by the customer. Please contact Dallas Semiconductor for ordering information of
customer-specific versions.
ENCRYPTION KEY
As described above, the on-chip 64-bit Encryption Key is the basis of both the address and data encryptor
circuits. The DS5002FP provides a key management system which is greatly improved over the
DS5000FP. The DS5002FP does not give the user the ability to select a key. Instead, when the loader is
given certain commands, the key is set based on the value read from an on-chip hardware random number
generator. This action is performed just prior to actually loading the code into the external RAM. This
scheme prevents characterization of the encryption algorithm by continuously loading new, known keys.
It also frees the user from the burden of protecting the key selection process.
The random number generator circuit uses the asynchronous frequency differences of two internal ring
oscillators and the processor master clock (determined by XTAL1 and XTAL2). As a result, a true random
number is produced.
VECTOR RAM
A 48-byte Vector RAM area is incorporated on-chip, and is used to contain the reset and interrupt vector
code in the DS5002FP. It is included in the architecture to help insure the security of the application
program.
If reset and interrupt vector locations were accessed from the external nonvolatile program/data RAM
during the execution of the program, then it would be possible to determine the encrypted value of known
addresses. This could be done by forcing an interrupt or reset condition and observing the resulting
addresses on the byte-wide address/data bus. For example, it is known that when a hardware reset is
applied the logical program address is forced to location 0000H and code is executed starting from this
location. It would then be possible to determine the encrypted value (or physical address) of the logical
address value 0000H by observing the address presented to the external RAM following a hardware reset.
Interrupt vector address relationships could be determined in a similar fashion. By using the on-chip
Vector RAM to contain the interrupt and reset vectors, it is impossible to observe such relationships.
Although it is very unlikely that an application program could be deciphered by observing vector address
relationships, the Vector RAM eliminates this possibility. Note that the dummy accesses mentioned
above are conducted while fetching from Vector RAM.
The Vector RAM is automatically loaded with the user’s reset and interrupt vectors during bootstrap
loading.
SECURITY LOCK
Once the application program has been loaded into the DS5002FP’s NV RAM, the Security Lock may be
enabled by issuing the “Z” command in the Bootstrap Loader. While the Security Lock is set, no further
access to program/data information is possible via the on-chip ROM. Access is prevented by both the
Bootstrap Loader firmware and the DS5002FP encryptor circuits.
Access to the NVRAM may only be regained by clearing the Security Lock via the “U” command in the
Bootstrap Loader. This action triggers several events which defeat tampering. First, the Encryption Key is
instantaneously erased. Without the Encryption Key, the DS5002FP is no longer able to decrypt the
contents of the RAM. Therefore, the application software can no longer be correctly executed, nor can it
be read back in its true form via the Bootstrap Loader. Second, the Vector RAM area is also
instantaneously erased, so that the reset and vector information is lost. Third, the Bootstrap Loader
firmware sequentially erases the encrypted RAM area. Lastly, the loader creates and loads a new random
key.
The Security Lock bit itself is constructed using a multiple-bit latch which is interlaced for self-destruct in
the event of tampering. The lock is designed to set-up a “domino-effect” such that erasure of the bit will
result in an unstoppable sequence of events that clears critical data including Encryption Key and Vector
RAM. In addition, this bit is protected from probing by the top-coating feature mentioned below.
SELF-DESTRUCT INPUT
The Self-Destruct Input (SDI) pin is an active high input which is used to reset the Security Lock in
response to an external event. The SDI input is intended to be used with external tamper detection
circuitry. It can be activated with or without operating power applied to the VCC pin. Activation of the
SDI pin instantly resets the Security Lock and causes the same sequence of events described above for
this action. In addition, power is momentarily removed from the byte-wide bus interface including the
VCCO pin, resulting in the loss of data in external RAM.
TOP LAYER COATING
The DS5002FPM is provided with a special top-layer coating that is designed to prevent a probe attack.
This coating is implemented with second-layer metal added through special processing of the
microcontroller die. This additional layer is not a simple sheet of metal, but rather a complex layout that
is interwoven with power and ground, which are in turn connected to logic for the Encryption Key and
the Security Lock. As a result, any attempt to remove the layer or probe through it will result in the
erasure of the Security Lock and/or the loss of Encryption Key bits.
BOOTSTRAP LOADING
Initial loading of application software into the DS5002FP is performed by firmware within the on-chip
Bootstrap Loader communicating with a PC via the on-chip serial port in a manner which is almost
identical to that for the DS5001FP. The user should consult the DS5001FP data sheet as a basis of
operational characteristics of this firmware. Certain differences in loading procedure exist in order to
support the security feature. These differences are documented below. Table 1 summarizes the
commands accepted by the bootstrap loader.
When the Bootstrap Loader is invoked, portions of the 128-byte scratchpad RAM area are automatically
overwritten with zeroes, and then used for variable storage for the bootstrap firmware. Also, a set of 8
bytes are generated using the random number generator circuitry and are saved as a potential word for the
64-bit Encryption Key.
Any read or write operation to the DS5002FP’s external program/data SRAM can only take place if the
Security Lock bit is in a cleared state. Therefore, the first step which is taken in the loading of a program
should be the clearing of the Security Lock bit through the “U” command.
DS5002FP SERIAL BOOTSTRAP LOADER COMMANDS Table 1
COMMAND   FUNCTION
C         Return CRC-16 of the program/data NV RAM
D         Dump Intel Hex file
F         Fill program/data NV RAM
G         Get data from P1, P2, and P3
I         N/A on the DS5002FP
L         Load Intel Hex file
M         Toggle modem available bit
N         Set Freshness Seal - All program and data will be lost
P         Put data into P0, P1, P2, and P3
R         Read status of NVSFRs (MCON, RPCTL, MSL, CALIB)
T         Trace (echo) incoming Intel Hex code
U         Clear Security Lock
V         Verify program/data NV RAM with incoming Intel Hex data
W         Write Special Function Registers - (MCON, RPCTL, MSL, CALIB)
Z         Set Security Lock
Execution of certain Bootstrap Loader commands will result in the loading of the newly generated 64-bit
random number into the Encryption Key word. These commands are as follows:
Fill      F
Load      L
Dump      D
Verify    V
CRC       C
Execution of the Fill and Load commands will result in the data loaded into the NV RAM in an encrypted
form determined by the value of the newly-generated key word. The subsequent execution of the Dump
command within the same bootstrap session will cause the contents of the encrypted RAM to be read out
and transmitted back to the host PC in decrypted form. Similarly, execution of the Verify command
within the same bootstrap session will cause the incoming absolute hex data to be compared against the
true contents of the encrypted RAM, and the CRC command will return the CRC value calculated from
the true contents of the encrypted RAM. As long as any of the above commands are executed within the
same bootstrap session, the loaded key value will remain the same and contents of the encrypted
program/data NV RAM may be read or written normally and freely until the Security Lock bit is set.
When the Security Lock bit is set using the Z command, no further access to the true RAM contents is
possible using any bootstrap command or by any other means.
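Added example (not Dallas Semiconductor firmware): a C model of the Security Lock and key lifecycle as this data sheet describes it for the U, L, D and Z commands and the SDI pin. The function names, the xorshift stand-in for the hardware random number generator, and the sample image are assumptions; serial framing and the memory map step are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VECTOR_RAM_SIZE 48u
#define RAM_SIZE 32768u   /* the first 32k, which the text says is zeroed */
typedef enum { ST_OK = 0, ST_DENIED_LOCKED = 1 } status_t;

typedef struct {
    int      locked, key_valid, key_committed; /* lock bit, key present, key loaded this session */
    uint64_t key, candidate;
    uint64_t rng;                              /* xorshift64 state: stand-in for the hardware RNG */
    uint8_t  vector_ram[VECTOR_RAM_SIZE];
    uint8_t  ram[RAM_SIZE];                    /* true (decrypted) view of program/data RAM */
} chip_t;

static uint64_t rng_next(chip_t *c)
{
    c->rng ^= c->rng << 13; c->rng ^= c->rng >> 7; c->rng ^= c->rng << 17;
    return c->rng;
}

/* Loader entry: 8 random bytes are saved as a potential key word. */
void loader_invoke(chip_t *c) { c->candidate = rng_next(c); c->key_committed = 0; }

/* F, L, D, V and C load the candidate; it then stays fixed for the session. */
static void commit_key(chip_t *c)
{
    if (!c->key_committed) { c->key = c->candidate; c->key_valid = c->key_committed = 1; }
}

/* Common to "U" and SDI: key word and Vector RAM are erased, lock is reset. */
static void erase_secrets(chip_t *c)
{
    c->key = 0; c->key_valid = 0; c->locked = 0;
    memset(c->vector_ram, 0, sizeof c->vector_ram);
}

void cmd_clear_lock(chip_t *c)                  /* "U" */
{
    erase_secrets(c);
    memset(c->ram, 0, sizeof c->ram);           /* loader zeroes the RAM */
    c->key = c->candidate = rng_next(c);        /* then loads a new random key */
    c->key_valid = c->key_committed = 1;
}

void cmd_set_lock(chip_t *c) { c->locked = 1; } /* "Z" */

status_t cmd_load(chip_t *c, const uint8_t *img, size_t n)  /* "L" */
{
    if (c->locked) return ST_DENIED_LOCKED;
    commit_key(c);
    if (n > RAM_SIZE) n = RAM_SIZE;
    memcpy(c->ram, img, n);
    /* assumption: the image starts at 0000h, so its first bytes are the vectors */
    memcpy(c->vector_ram, img, n < VECTOR_RAM_SIZE ? n : VECTOR_RAM_SIZE);
    return ST_OK;
}

status_t cmd_dump(chip_t *c, uint8_t *out, size_t n)        /* "D" */
{
    if (c->locked) return ST_DENIED_LOCKED;
    commit_key(c);
    memcpy(out, c->ram, n > RAM_SIZE ? RAM_SIZE : n);
    return ST_OK;
}

void sdi_assert(chip_t *c)                      /* SDI driven high */
{
    erase_secrets(c);
    memset(c->ram, 0xA5, sizeof c->ram);        /* VCCO drops: contents lost (0xA5 is arbitrary) */
}

static int all_zero(const uint8_t *p, size_t n) { while (n--) if (*p++) return 0; return 1; }

/* Walks the documented sequence; each bit set means the stated property held. */
unsigned lifecycle_demo(void)
{
    static chip_t c;
    static const uint8_t image[] = { 0x02, 0x00, 0x30, 0x32 };  /* constructed bytes */
    uint8_t out[sizeof image];
    unsigned held = 0;
    c.rng = 0x5EEDC0DE1234ABCDull;              /* constructed seed */
    loader_invoke(&c);
    cmd_clear_lock(&c);                         /* step 1 */
    cmd_load(&c, image, sizeof image);          /* step 3 */
    if (cmd_dump(&c, out, sizeof out) == ST_OK && !memcmp(out, image, sizeof image)) held |= 1u;
    uint64_t old_key = c.key;
    cmd_set_lock(&c);                           /* step 4 */
    if (cmd_dump(&c, out, sizeof out) == ST_DENIED_LOCKED && cmd_load(&c, image, sizeof image) == ST_DENIED_LOCKED) held |= 2u;
    cmd_clear_lock(&c);                         /* a later "U" */
    if (c.key_valid && c.key != old_key) held |= 4u;
    if (all_zero(c.vector_ram, sizeof c.vector_ram) && all_zero(c.ram, sizeof c.ram)) held |= 8u;
    cmd_load(&c, image, sizeof image);
    cmd_set_lock(&c);
    sdi_assert(&c);
    if (!c.locked && !c.key_valid && all_zero(c.vector_ram, sizeof c.vector_ram)) held |= 16u;
    return held;
}

int main(void) { printf("properties held: 0x%02X (0x1F means all five)\n", lifecycle_demo()); return 0; }
```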
INSTRUCTION SET
The DS5002FP executes an instruction set that is object code-compatible with the industry standard 8051
microcontroller. As a result, software development packages such as assemblers and compilers that have
been written for the 8051 are compatible with the DS5002FP. A complete description of the instruction
set and operation are provided in the User’s Guide section of the Secure Microcontroller Data Book.
Also note that the DS5002FP is embodied in the DS2252T module. The DS2252T combines the
DS5002FP with between 32k and 128k of SRAM, a lithium cell, and a real time clock. This is packaged
in a 40-pin SIMM module.
MEMORY ORGANIZATION
Figure 3 illustrates the memory map accessed by the DS5002FP. The entire 64k of program and 64k of
data are potentially available to the byte-wide bus. This preserves the I/O ports for application use. The
user controls the portion of memory that is actually mapped to the byte-wide bus by selecting the program
range and data range. Any area not mapped into the NV RAM is reached via the expanded bus on ports 0
and 2. An alternate configuration allows dynamic partitioning of a 64k space as shown in Figure 4.
Selecting PES=1 provides another 64k of potential data storage or memory mapped peripheral space as
shown in Figure 5. These selections are made using Special Function Registers. The memory map and its
controls are covered in detail in the User’s Guide section of the Secure Microcontroller Data Book.
DS5002FP MEMORY MAP IN NON-PARTITIONABLE MODE (PM=1) Figure 3
DS5002FP MEMORY MAP IN PARTITIONABLE MODE (PM=0) Figure 4
DS5002FP MEMORY MAP WITH PES=1 Figure 5
Figure 6 illustrates a typical memory connection for a system using a 128-kbyte SRAM. Note that in this
configuration, both program and data are stored in a common RAM chip. Figure 7 shows a similar system
using two 32-kbyte SRAMs. The byte-wide address bus connects to the SRAM address lines. The
bi-directional byte-wide data bus connects the data I/O lines of the SRAM.
DS5002FP CONNECTION TO 128k X 8 SRAM Figure 6
DS5002FP CONNECTION TO 64K X 8 SRAM Figure 7
POWER MANAGEMENT
The DS5002FP monitors VCC to provide power-fail reset, early warning power-fail interrupt, and switch
over to lithium backup. It uses an internal band-gap reference in determining the switch points. These are
called VPFW, VCCMIN, and VLI respectively. When VCC drops below VPFW, the DS5002FP will perform an
interrupt vector to location 2Bh if the power-fail warning was enabled. Full processor operation continues
regardless. When power falls further to VCCMIN, the DS5002FP invokes a reset state. No further code
execution will be performed unless power rises back above VCCMIN. All decoded chip enables and the
R/W signal go to an inactive (logic 1) state. VCC is still the power source at this time. When VCC drops
further to below VLI, internal circuitry will switch to the lithium cell for power. The majority of internal
circuits will be disabled and the remaining nonvolatile states will be retained. Any devices connected to
VCCO will be powered by the lithium cell at this time. VCCO will be at the lithium battery voltage less a
diode drop. This drop will vary depending on the load. Low-power SRAMs should be used for this
reason. When using the DS5002FP, the user must select the appropriate battery to match the RAM data
retention current and the desired backup lifetime. Note that the lithium cell is only loaded when VCC <
VLI. The User’s Guide has more information on this topic. The trip points VCCMIN and VPFW are listed in
the electrical specifications.
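The trip-point sequence described above, as an added example that is not part of the data sheet: a C model that classifies VCC samples against the trip points and returns the lowest VCCO the external SRAM is guaranteed to see. VPFW, VCCMIN and the VCCO offsets are the 0°C to 70°C values from this data sheet's DC characteristics; the 3.0 V lithium cell, the sample trace and all function names are assumptions.

```c
#include <stdio.h>

/* Millivolt values taken from this page's DC table (0 to 70 C range). */
#define V_PFW_TYP   4370  /* power-fail warning trip point, typical */
#define V_CCMIN_TYP 4120  /* reset trip point, typical */
#define VCCO1_DROP   350  /* VCCO1 min = VCC - 0.35 V while powered from VCC */
#define VCCO2_DROP   650  /* VCCO2 min = VLI - 0.65 V battery-backed, 10 uA load */

enum pwr_state { PWR_NORMAL, PWR_WARNING, PWR_RESET, PWR_BACKUP };

/* Map one VCC sample onto the supply states described in POWER MANAGEMENT. */
enum pwr_state classify(int vcc_mv, int vli_mv)
{
    if (vcc_mv < vli_mv)      return PWR_BACKUP;   /* lithium cell feeds chip and VCCO */
    if (vcc_mv < V_CCMIN_TYP) return PWR_RESET;    /* no code runs; CEs and R/W inactive */
    if (vcc_mv < V_PFW_TYP)   return PWR_WARNING;  /* vector to 2Bh if enabled; code runs */
    return PWR_NORMAL;
}

/* Guaranteed minimum VCCO, i.e. what the external SRAM is left with. */
int vcco_min_mv(int vcc_mv, int vli_mv)
{
    if (classify(vcc_mv, vli_mv) == PWR_BACKUP) return vli_mv - VCCO2_DROP;
    return vcc_mv - VCCO1_DROP;
}

/* Walk a falling VCC trace of n >= 1 samples (recovery is not modelled). Writes one
 * letter per state entered (W, R, B) and returns the lowest guaranteed VCCO in mV. */
int walk_trace(const int *vcc_mv, int n, int vli_mv, char *events)
{
    int deepest = PWR_NORMAL, worst = vcco_min_mv(vcc_mv[0], vli_mv), k = 0;
    for (int i = 0; i < n; i++) {
        int s = classify(vcc_mv[i], vli_mv), v = vcco_min_mv(vcc_mv[i], vli_mv);
        if (v < worst) worst = v;
        while (deepest < s)               /* record every trip point crossed */
            events[k++] = "WRB"[deepest++];
    }
    events[k] = '\0';
    return worst;
}

int main(void)
{
    const int trace[] = { 5000, 4300, 4100, 3500, 2900, 0 };  /* constructed samples */
    char ev[4];
    int worst = walk_trace(trace, 6, 3000, ev);  /* assumed 3.0 V lithium cell */
    printf("events=%s worst VCCO=%d mV\n", ev, worst);
    return 0;
}
```

Compare the returned value with the data-retention voltage of the chosen SRAM; with a cell at the 2.5 V VLI minimum the guaranteed VCCO is only 1.85 V.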
ELECTRICAL SPECIFICATIONS
The DS5002FP adheres to all AC and DC electrical specifications published for the DS5001FP. The
absolute maximum ratings and unique specifications for the DS5002FP are listed below.
ABSOLUTE MAXIMUM RATINGS*
Voltage on Any Pin Relative to Ground | -0.3V to (VCC + 0.5V)
Voltage on VCC Relative to Ground | -0.3V to +6.0V
Operating Temperature | -40°C to +85°C
Storage Temperature (2) | -55°C to +125°C
Soldering Temperature | 260°C for 10 seconds
1. This is a stress rating only and functional operation of the device at these or any other conditions above
those indicated in the operation sections of this specification is not implied. Exposure to absolute
maximum rating conditions for extended periods of time may affect reliability.
2. Storage temperature is defined as the temperature of the device when VCC=0V and VLI=0V. In this state
the contents of SRAM are not battery-backed and are undefined.
DC CHARACTERISTICS (TA = 0°C to 70°C; VCC=5V ± 10%)
PARAMETER | SYMBOL | MIN | TYP | MAX | UNITS | NOTES
Input Low Voltage | VIL | -0.3 | | +0.8 | V | 1
Input High Voltage | VIH1 | 2.0 | | VCC+0.3 | V | 1
Input High Voltage (RST, XTAL1, PROG) | VIH2 | 3.5 | | VCC+0.3 | V | 1
Output Low Voltage @ IOL=1.6 mA (Ports 1, 2, 3, PF) | VOL1 | | 0.15 | 0.45 | V | 1, 13
Output Low Voltage @ IOL=3.2 mA (Ports 0, ALE, BA15-0, BD7-0, R/W, CE1N, CE1-4, PE1-4, VRST) | VOL2 | | 0.15 | 0.45 | V | 1
Output High Voltage @ IOH=-80 µA (Ports 1, 2, 3) | VOH1 | 2.4 | 4.8 | | V | 1
Output High Voltage @ IOH=-400 µA (Ports 0, ALE, BA15-0, BD7-0, R/W, CE1N, CE1-4, PE1-4, VRST) | VOH2 | 2.4 | 4.8 | | V | 1
Input Low Current VIN=0.45V (Ports 1, 2, 3) | IIL | | | -50 | µA |
Transition Current; 1 to 0 VIN=2.0V (Ports 1, 2, 3) (0°C to 70°C) | ITL | | | -500 | µA |
Transition Current; 1 to 0 VIN=2.0V (Ports 1, 2, 3) (-40°C to +85°C) | ITL | | | -600 | µA | 12
SDI Input Low Voltage | VILS | | | 0.4 | V | 1
SDI Input High Voltage | VIHS | 2.0 | | VCCO | V | 1, 11
SDI Pulldown Resistor | RSDI | 25 | | 60 | kΩ |
DC CHARACTERISTICS (cont’d) (TA = 0°C to 70°C; VCC=5V ± 10%)
PARAMETER | SYMBOL | MIN | TYP | MAX | UNITS | NOTES
Input Leakage Current 0.45 < VIN < VCC (Port 0, MSEL) | IIL | | | +10 | µA |
RST Pulldown Resistor (0°C to 70°C) | RRE | 40 | | 150 | kΩ |
RST Pulldown Resistor (-40°C to +85°C) | RRE | 30 | | 180 | kΩ | 12
VRST Pullup Resistor | RVR | | 4.7 | | kΩ |
PROG Pullup Resistor | RPR | | 40 | | kΩ |
Power-fail Warning Voltage (0°C to 70°C) | VPFW | 4.25 | 4.37 | 4.5 | V | 1
Power-fail Warning Voltage (-40°C to +85°C) | VPFW | 4.1 | 4.37 | 4.6 | V | 1, 12
Minimum Operating Voltage (0°C to 70°C) | VCCMIN | 4.00 | 4.12 | 4.25 | V | 1
Minimum Operating Voltage (-40°C to +85°C) | VCCMIN | 3.85 | 4.09 | 4.25 | V | 1, 12
Lithium Supply Voltage | VLI | 2.5 | | 4.0 | V | 1
Operating Current @ 16 MHz | ICC | | | 36 | mA | 2
Idle Mode Current @ 12 MHz (0°C to 70°C) | IIDLE | | | 7.0 | mA | 3
Idle Mode Current @ 12 MHz (-40°C to +85°C) | IIDLE | | | 8.0 | mA | 3, 12
Stop Mode Current | ISTOP | | | 80 | µA | 4
Pin Capacitance | CIN | | | 10 | pF | 5
Output Supply Voltage (VCCO) | VCCO1 | VCC-0.35 | | | V | 1, 2
Output Supply Battery-backed Mode (VCCO, CE1-4, PE1-2) (0°C to 70°C) | VCCO2 | VLI-0.65 | | | V | 1, 8
Output Supply Battery-backed Mode (VCCO, CE1-4, PE1-2) (-40°C to +85°C) | VCCO2 | VLI-0.9 | | | V | 1, 8, 12
Output Supply Current @ VCCO=VCC - 0.3V | ICCO1 | | | 75 | mA | 6
Lithium-backed Quiescent Current (0°C to 70°C) | ILI | | 5 | 75 | nA | 7
Lithium-backed Quiescent Current (-40°C to +85°C) | ILI | | 75 | 500 | nA | 7
Reset Trip Point in Stop Mode w/BAT=3.0V (0°C to 70°C) | | 4.0 | | 4.25 | | 1
Reset Trip Point in Stop Mode w/BAT=3.0V (-40°C to +85°C) | | 3.85 | | 4.25 | | 1, 12
Reset Trip Point in Stop Mode w/BAT=3.0V (0°C to 70°C) | | 4.4 | | 4.65 | | 1
AC CHARACTERISTICS (TA = 0°C to 70°C; VCC=0V to 5V)
PARAMETER | SYMBOL | MIN | TYP | MAX | UNITS | NOTES
SDI Pulse Reject (4.5V < VCC < 5.5V) | tSPR | | | 2 | µs | 10
SDI Pulse Reject (VCC=0V, VBAT=2.9V) | tSPR | | | 4 | µs | 10
SDI Pulse Accept (4.5V < VCC < 5.5V) | tSPA | 10 | | | µs | 10
SDI Pulse Accept (VCC=0V, VBAT=2.9V) | tSPA | 50 | | | µs | 10
AC CHARACTERISTICS
EXPANDED BUS MODE TIMING SPECIFICATIONS (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
1 | Oscillator Frequency | 1/tCLK | 1.0 | 16 | MHz
2 | ALE Pulse Width | tALPW | 2tCLK-40 | | ns
3 | Address Valid to ALE Low | tAVALL | tCLK-40 | | ns
4 | Address Hold After ALE Low | tAVAAV | tCLK-35 | | ns
14 | RD Pulse Width | tRDPW | 6tCLK-100 | | ns
15 | WR Pulse Width | tWRPW | 6tCLK-100 | | ns
16 | RD Low to Valid Data In @ 12 MHz | tRDLDV | | 5tCLK-165 | ns
16 | RD Low to Valid Data In @ 16 MHz | tRDLDV | | 5tCLK-105 | ns
17 | Data Hold after RD High | tRDHDV | 0 | | ns
18 | Data Float after RD High | tRDHDZ | | 2tCLK-70 | ns
19 | ALE Low to Valid Data In @ 12 MHz | tALLVD | | 8tCLK-150 | ns
19 | ALE Low to Valid Data In @ 16 MHz | tALLVD | | 8tCLK-90 | ns
20 | Valid Addr. to Valid Data In @ 12 MHz | tAVDV | | 9tCLK-165 | ns
20 | Valid Addr. to Valid Data In @ 16 MHz | tAVDV | | 9tCLK-105 | ns
21 | ALE Low to RD or WR Low | tALLRDL | 3tCLK-50 | 3tCLK+50 | ns
22 | Address Valid to RD or WR Low | tAVRDL | 4tCLK-130 | | ns
23 | Data Valid to WR Going Low | tDVWRL | tCLK-60 | | ns
24 | Data Valid to WR High @ 12 MHz | tDVWRH | 7tCLK-150 | | ns
24 | Data Valid to WR High @ 16 MHz | tDVWRH | 7tCLK-90 | | ns
25 | Data Valid after WR High | tWRHDV | tCLK-50 | | ns
26 | RD Low to Address Float | tRDLAZ | | 0 | ns
27 | RD or WR High to ALE High | tRDHALH | tCLK-40 | tCLK+50 | ns
EXPANDED DATA MEMORY READ CYCLE
EXPANDED DATA MEMORY WRITE CYCLE
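AC CHARACTERISTICS (cont’d)
EXTERNAL CLOCK DRIVE (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
28 | External Clock High Time @ 12 MHz | tCLKHPW | 20 | | ns
28 | External Clock High Time @ 16 MHz | tCLKHPW | 15 | | ns
29 | External Clock Low Time @ 12 MHz | tCLKLPW | 20 | | ns
29 | External Clock Low Time @ 16 MHz | tCLKLPW | 15 | | ns
30 | External Clock Rise Time @ 12 MHz | tCLKR | | 20 | ns
30 | External Clock Rise Time @ 16 MHz | tCLKR | | 15 | ns
31 | External Clock Fall Time @ 12 MHz | tCLKF | | 20 | ns
31 | External Clock Fall Time @ 16 MHz | tCLKF | | 15 | ns
EXTERNAL CLOCK TIMING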
AC CHARACTERISTICS (cont’d)
POWER CYCLE TIME (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
32 | Slew Rate from VCCmin to VLI | tF | 130 | | µs
33 | Crystal Start-up Time | tCSU | | (note 9) |
34 | Power-on Reset Delay | tPOR | | 21504 | tCLK
POWER CYCLE TIMING
AC CHARACTERISTICS (cont’d)
SERIAL PORT TIMING - MODE 0 (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
35 | Serial Port Clock Cycle Time | tSPCLK | 12tCLK | | µs
36 | Output Data Setup to Rising Clock Edge | tDOCH | 10tCLK-133 | | ns
37 | Output Data Hold after Rising Clock Edge | tCHDO | 2tCLK-117 | | ns
38 | Clock Rising Edge to Input Data Valid | tCHDV | | 10tCLK-133 | ns
39 | Input Data Hold after Rising Clock Edge | tCHDIV | 0 | | ns
SERIAL PORT TIMING - MODE 0
AC CHARACTERISTICS (cont’d)
BYTEWIDE ADDRESS/DATA BUS TIMING (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
40 | Delay to Byte-wide Address Valid from CE1, CE2 or CE1N Low During Opcode Fetch | tCE1LPA | | 30 | ns
41 | Pulse Width of CE1-4, PE1-4 or CE1N | tCEPW | 4tCLK-35 | | ns
42 | Byte-wide Address Hold After CE1, CE2 or CE1N High During Opcode Fetch | tCE1HPA | 2tCLK-20 | | ns
43 | Byte-wide Data Setup to CE1, CE2 or CE1N High During Opcode Fetch | tOVCE1H | 1tCLK+40 | | ns
44 | Byte-wide Data Hold After CE1, CE2 or CE1N High During Opcode Fetch | tCE1HOV | 0 | | ns
45 | Byte-wide Address Hold After CE1-4, PE1-4, or CE1N High During MOVX | tCEHDA | 4tCLK-30 | | ns
46 | Delay from Byte-wide Address Valid CE1-4, PE1-4, or CE1N Low During MOVX | tCELDA | 4tCLK-35 | | ns
47 | Byte-wide Data Setup to CE1-4, PE1-4, or CE1N High During MOVX (read) | tDACEH | 1tCLK+40 | | ns
48 | Byte-wide Data Hold After CE1-4, PE1-4, or CE1N High During MOVX (read) | tCEHDV | 0 | | ns
49 | Byte-wide Address Valid to R/W Active During MOVX (write) | tAVRWL | 3tCLK-35 | | ns
50 | Delay from R/W Low to Valid Data Out During MOVX (write) | tRWLDV | | 20 | ns
51 | Valid Data Out Hold Time from CE1-4, PE1-4, or CE1N High | tCEHDV | 1tCLK-15 | | ns
52 | Valid Data Out Hold Time from R/W High | tRWHDV | 0 | | ns
53 | Write Pulse Width (R/W Low Time) | tRWLPW | 6tCLK-20 | | ns
BYTE-WIDE BUS TIMING
RPC AC CHARACTERISTICS - DBB READ (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
54 | CS, A0 Setup to RD | tAR | 0 | | ns
55 | CS, A0 Hold After RD | tRA | 0 | | ns
56 | RD Pulse Width | tRR | 160 | | ns
57 | CS, A0 to Data Out Delay | tAD | | 130 | ns
58 | RD to Data Out Delay | tRD | 0 | 130 | ns
59 | RD to Data Float Delay | tRDZ | | 85 | ns
RPC AC CHARACTERISTICS - DBB WRITE (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
60 | CS, A0 Setup to WR | tAW | 0 | | ns
61A | CS, Hold After WR | tWA | 0 | | ns
61B | A0, Hold After WR | tWA | 20 | | ns
62 | WR Pulse Width | tWW | 160 | | ns
63 | Data Setup to WR | tDW | 130 | | ns
64 | Data Hold After WR | tWD | 20 | | ns
AC CHARACTERISTICS - DMA (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
65 | DACK to WR or RD | tACC | 0 | | ns
66 | RD or WR to DACK | tCAC | 0 | | ns
67 | DACK to Data Valid | tACD | 0 | 130 | ns
68 | RD or WR to DRQ Cleared | tCRQ | | 110 | ns
AC CHARACTERISTICS - PROG (TA = 0°C to 70°C; VCC=5V ± 10%)
# | PARAMETER | SYMBOL | MIN | MAX | UNITS
69 | PROG Low to Active | tPRA | 48 | | CLKS
70 | PROG High to Inactive | tPRI | 48 | | CLKS
RPC TIMING MODE
NOTES:
All parameters apply to both commercial and industrial temperature operation unless otherwise noted.
1. All voltages are referenced to ground.
2. Maximum operating ICC is measured with all output pins disconnected; XTAL1 driven with tCLKR,
tCLKF=10 ns, VIL = 0.5V; XTAL2 disconnected; RST = PORT0 = VCC, MSEL = VSS.
3. Idle mode IIDLE is measured with all output pins disconnected; XTAL1 driven with tCLKR, tCLKF =
10 ns, VIL = 0.5V; XTAL2 disconnected; PORT0 = VCC, RST = MSEL = VSS.
4. Stop mode ISTOP is measured with all output pins disconnected; PORT0 = VCC; XTAL2 not
connected; RST = MSEL = XTAL1 = VSS.
5. Pin capacitance is measured with a test frequency - 1 MHz, tA = 25°C.
6. ICCO1 is the maximum average operating current that can be drawn from VCCO in normal operation.
7. ILI is the current drawn from VLI input when VCC = 0V and VCCO is disconnected. Battery-backed
mode: 2.5V ≤ VBAT ≤ 4.0; VCC ≤ VBAT; VSDI should be ≤ VILS for IBAT max.
8. VCCO2 is measured with VCC < VLI, and a maximum load of 10 µA on VCCO.
9. Crystal start-up time is the time required to get the mass of the crystal into vibrational motion
from the time that power is first applied to the circuit until the first clock pulse is produced by the
on-chip oscillator. The user should check with the crystal vendor for a worst case specification on
this time.
10. SDI is deglitched to prevent accidental destruction. The pulse must be longer than tSPR to pass the
deglitcher, but SDI is not guaranteed unless it is longer than tSPA.
11. VIHS minimum is 2.0V or VCCO, whichever is lower.
12. This parameter applies to industrial temperature operation.
13. PF pin operation is specified with VBAT ≥ 3.0V.
DS5002FP CMOS MICROPROCESSOR
DIM | MILLIMETERS MIN | MILLIMETERS MAX
A | | 3.40
A1 | 0.25 |
A2 | 2.55 | 2.87
B | 0.30 | 0.50
C | 0.13 | 0.23
D | 23.70 | 24.10
D1 | 19.90 | 20.10
E | 17.70 | 18.10
E1 | 13.90 | 14.10
e | 0.80 BSC |
L | 0.65 | 0.95
56-G4005-001
DATA SHEET REVISION SUMMARY
The following represent the key differences between 11/27/95 and 07/30/96 version of the DS5002FP
data sheet. Please review this summary carefully.
1. Change VCCO2 specification from VLI-0.5 to VLI-0.65 (PCN F62501).
2. Update mechanical specifications.
The following represent the key differences between 07/30/96 and 11/19/96 version of the DS5002FP
data sheet. Please review this summary carefully.
1. Change VCCO1 from VCC-0.3 to VCC-0.35.
The following represent the key differences between 11/19/96 and 06/12/97 version of the DS5002FP
data sheet. Please review this summary carefully.
1. PF signal moved from VOL2 test specification to VOL1. PCN No. (D72502)
2. AC characteristics for battery-backed SDI pulse specification added.
The following represent the key differences between 06/12/97 and 05/14/99 version of the DS5002FP
data sheet. Please review this summary carefully.
1. Reduced absolute maximum voltage to VCC + 0.5V.
2. Added note clarifying storage temperature specification is for non-battery-backed state.
3. Deleted IBAT specification (Duplicate of ILI specification).
4. Changed RRE min (industrial temp range) from 40 kΩ to 30 kΩ.
5. Changed VPFW max (industrial temp range) from 4.5V to 4.6V.
6. Added industrial specification for ILI.
7. Reduced tCE1HOV and tCEHDV from 10 ns to 0 ns.
The following represent the key differences between 05/14/99 and 05/25/99 version of the DS5002FP
data sheet. Please review this summary carefully.
1. Minor revisions and approval.