bq26100 www.ti.com SLUS696 – JUNE 2006 SHA-1/HMAC BASED SECURITY AND AUTHENTICATION IC WITH SDQ INTERFACE FEATURES APPLICATIONS • • • • • • • • • • • • • Provides Authentication of Battery Packs Through SHA-1 Engine Based HMAC 160 Bytes OTP, 16 Bytes EEPROM Internal Time-Base Eliminates External Crystal Oscillator Low Power Operating Modes: – Active: < 50 µA – Sleep: 8 µA Typical Single-Wire SDQ Interface Powers Directly From the Communication Bus 6 Lead SON Package Cellular Phones PDA and Smart Phones MP3 Players Digital Cameras Internet Appliances Handheld Devices DESCRIPTION The bq26100 provides a method to authenticate battery packs, ensuring that only packs manufactured by authorized sub-contractors are used in the end application. The security is achieved using the SHA-1 hash function inside the widely adopted HMAC construction. A unique 128-bit key is stored in each bq26100 device, allowing the host to authenticate each pack. The bq26100 communicates to the system over a simple one-wire bi-directional serial interface. The 5-kbits/s SDQ bus interface reduces communications overhead in the external microcontroller. The bq26100 also derives power over the SDQ bus line via an external capacitor. TYPICAL APPLICATION P+ R1 4.7 kW + SDQ bq26100 C1 0.1 mF PWR SDQ NC VSS NC NC Protector BAT VSS OC DO CO P- Please be aware that an important notice concerning availability, standard warranty, and use in critical applications of Texas Instruments semiconductor products and disclaimers thereto appears at the end of this data sheet. PRODUCTION DATA information is current as of publication date. Products conform to specifications per the terms of the Texas Instruments standard warranty. Production processing does not necessarily include testing of all parameters. Copyright © 2006, Texas Instruments Incorporated bq26100 www.ti.com SLUS696 – JUNE 2006 ORDERING INFORMATION TA PACKAGE PART NUMBER –40°C to 85°C 6-lead SON bq26100DRP ABSOLUTE MAXIMUM RATINGS (1) VALUE Supply voltage (SDQ all with respect to VSS) UNIT –0.3 to 7.7 V 5 mA Output current (SDQ) TA Operating free-air temperature range –40 to 85 °C Tstg Storage temperature range –65 to 150 °C TJ Junction temperature range –40 to 90 °C 300 °C Lead temperature (Soldering, 10 sec) (1) Stresses beyond those listed under absolute maximum ratings may cause permanent damage to the device. These are stress ratings only, and functional operation of the device at these or any other conditions beyond those indicated under recommended operating conditions is not implied. Exposure to absolute-maximum-rated conditions for extended periods may affect device reliability. RECOMMENDED OPERATING CONDITIONS over operating free-air temperature range (unless otherwise noted) MIN MAX Vsdq Pull-up voltage 2.5 5.0 UNIT V TJ Operating free-air temperature range –40 85 °C ELECTRICAL CHARACTERISTICS all parameters over operating free-air temperature and supply voltage range (unless otherwise noted) (memory programming and authentication were tested with R1 = 4.7 kΩ, C1 = 0.1 µF over pull-up voltage range) PARAMETER TEST CONDITIONS Power up communication delay Isleep Sleep current Isdq(Vsdq) Vsdq Current MIN Power capacitor charge time TYP 8 Vsdq≥ Vsdq(min) OTP Memory programming voltage MAX 100 6.8 OTP Memory programming time EEPROM Programming current (peak current) EEPROM Peak current duration EEPROM Programming time 7 UNIT ms 11 µA 50 µA 7.7 V 100 µs/byte 83 µA 100 µs 50 ms SDQ VIL Input low-level voltage IOL Output low sink current 0.63 VOL = 0.4 V V 1 mA MAX UNIT STANDARD SERIAL COMMUNICATION (SDQ) TIMING over recommended operating temperature and supply voltage range (unless otherwise noted) (See Figure 1) PARAMETER 2 TEST CONDITIONS MIN TYP µs tRSTL Reset time – low 480 tRSTH Reset time – high 480 tPDL Presence detect – low 60 240 µs tPDH Presence detect – high 15 60 µs tREC Recovery time tSLOT Host bit window tLOW1 Host sends 1 µs µs 1 Submit Documentation Feedback 60 120 µs 1 13 µs bq26100 www.ti.com SLUS696 – JUNE 2006 STANDARD SERIAL COMMUNICATION (SDQ) TIMING (continued) over recommended operating temperature and supply voltage range (unless otherwise noted) (See Figure 1) PARAMETER tLOW0 Host sends 0 tLOWR Host read bit start tSLOT bq26100 bit window tSU bq26100 data setup tRDV bq26100 data valid tRELEASE bq26100 data release TEST CONDITIONS MIN TYP MAX UNIT 60 120 µs 1 13 µs 60 120 µs 1 µs µs exactly 15 0 15 45 µs tRSTL tPDL tPDH tRSTH (a) Reset and Presence Timing tLOW1 tREC tLOW0 & tSLOT tSU tREC tLOWR tRELEASE tRDV (b) Host Transmitted Bit Timing tSLOT (c) bq26100 Transmitted Bit Timing Figure 1. SDQ Timing Diagrams The SDQ protocol requires a CRC calculation as part of the communication flow. The CRC, based on a polynomial of x8+x5+x4+1, is computed to determine data integrity and its use varies in the protocol. The Memory Function flows show what data is shifted through the CRC and when the value is transmitted from the slave. Each data byte used in the CRC calculation is pushed through the CRC shift register from LSB to MSB. The byte wide CRC computation is: for (i = 0; i < 8; i++) { if (crc[0] ^ input[i]) crc = (crc >> 1) ^ 0x8C; else crc = crc >> 1; } Where did the magic number 0x8C come from? CRC polynomials are defined such that the highest order simply shows the number of bits, so x8+x5+x4+1 defines an 8-bit value with a binary value of 00110001 (bits 0, 4, and 5 are 1 and all others are 0). Since the SDQ CRC is computed by shifting in the LSB, the polynomial must be used in reverse bit order – binary 10001100 or hexadecimal 0x8C. The CRC value is reset to 0 prior to the first byte being shifted through. The CRC is also reset when the CRC is shifted out as part of the SDQ protocol. Submit Documentation Feedback 3 bq26100 www.ti.com SLUS696 – JUNE 2006 OTP PROGRAMMING SPECIFICATIONS PARAMETER TEST CONDITIONS MIN tpon Program setup time 2 trise Pulse rise time 1 tprog Pulse high time tfall Pulse fall time Single byte programming TYP Vprog Last bit before programming pulse Vpull-up GND Programming Pulse tpon Figure 2. bq26100 Communication to OTP Programming Pulse Diagram tprog tfall Figure 3. OTP Programming Pulse Detail PIN ASSIGNMENT 1 2 3 1.6 mm Exposed Thermal Pad 3 mm 2.3 mm 6 5 3 mm 4 TERMINAL FUNCTIONS TERMINAL NAME NC PWR 4 NO. I/O 2, 3, 4 1 DESCRIPTION No connect I/O Power capacitor connection Submit Documentation Feedback µs µs µs 3 1 UNIT µs 10 300 Key programming trise MAX 10 µs bq26100 www.ti.com SLUS696 – JUNE 2006 TERMINAL FUNCTIONS (continued) TERMINAL NAME NO. I/O SDQ 6 I/O VSS 5 I DESCRIPTION Single wire SDQ interface to host Ground FUNCTIONAL BLOCK DIAGRAM PWR EEPROM - Charge Pump Power Retification DTOP - SHA-1/HMAC - SDQ - Ctrl and Status Registers OTP ATOP - Oscillator - LDO - POR - OTP Power Comparator VSS SDQ FUNCTIONAL DESCRIPTION The bq26100 provides the same basic functionality as the bq2022 with added battery pack/accessory authentication functions. In addition to four 32-byte pages of general use One Time Programmable (OTP) non-volatile memory available on the bq2022, the bq26100 adds a fifth 32-byte page of OTP and a 16-byte page of EEPROM to be used at the host system designer’s discretion. An external high voltage is required for programming the OTP, but not necessary for programming the EEPROM. A modified form of the SHA-1/HMAC provides the authentication function of the bq26100. Both the host and the bq26100 share two 64-bit keys used in the authentication calculation. To authenticate a battery pack, the host writes a random 20-byte message to the bq26100 and sets the AUTH bit in the CTRL register. The bq26100 calculates the HMAC digest in less than 500 µs, replacing the random message sent by the host with the HMAC result. To complete the authentication process, the host computes the HMAC function with the same 20-byte random message originally written to the bq26100. The result is compared to the HMAC result computed by the bq26100. If the values match, the pack is authenticated. The key is separated into two 64-bit spaces, allowing multiple parties to program separate portions of the key and providing an added level of security. Programming a key utilizes the SHA-1 algorithm to provide a mix from the values used to program the device to the actual key stored on the device. When put into key programming mode, the device combines the 160-bit message space with a pad as required to get the minimum 512-bit SHA-1 block, and run through the SHA-1 engine once. The 160-bit output is truncated to the lower 64 bits, scrambled internally, and then written to the appropriate non-volatile memory key space. The key can only be read and descrambled by the authentication engine, not by the communication engine, of the bq26100. Submit Documentation Feedback 5 bq26100 www.ti.com SLUS696 – JUNE 2006 Communicating with the bq26100 The bq26100 communication protocol starts when the host pulls the bus low for reset time. All devices on the bus are to respond with a presence pulse, which is active low. The host can then transmit the ROM Function command, which is used to address the devices on the bus. The ROM functions include Match ID, Skip ID, Read ID, and Search ID. 6 Match ID The host transmits the 64-bit ID of the 1-wire based device to communicate. Skip ID No ID is necessary for communication. Used only if one device is connected to the host. Read ID The 1-wire slave transmits its 64 bit address. This command is only useful if there is only one device connected to the host. Search ID Useful if there are multiple devices on the bus. This command initiates a communication with a single device, but it is more useful in allowing the host to determine the address of every device on the bus. The Match ID can then be used to communicate with a specific addressed device. Submit Documentation Feedback bq26100 www.ti.com SLUS696 – JUNE 2006 ROM Function Flow Host Transmits Reset? YES NO bq26100 Transmits Presence Host Transmits R/F NO bq26100 Transmits 1 For Each Bit Start R/F = 0x55? Match ID YES Host Transmits ID (LSB to MSB) ID Match? YES NO R/F = 0xCC? Skip ID Memory Function Flow YES NO bq26100 Transmits ID (LSB to MSB) R/F = 0x33? Read ID YES NO R/F = 0xF0? Search ID n=0 YES NO bq26100 Transmits ID Bit n n=n+1 bq26100 Transmits ID Bit n Host Transmits ID Bit n NO n = 63? Bit n Match? YES YES NO Figure 4. ROM Function Flow Chart The 64-bit device ID is made up of an 8-bit family code, 48-bit random value, and a final 8-bit CRC. ID MSB CRC (8 bits) ID LSB Random Data (48 bits) Family Code (8 bits, defaults to 0x09) Contact Texas Instruments if specific data should be programmed into the ID. Submit Documentation Feedback 7 bq26100 www.ti.com SLUS696 – JUNE 2006 After the ROM function command is issued and the bq26100 is selected, a Memory Function command can be issued. The Memory Function commands are Read Memory, Read EEPROM, Read Status, Read Page, Read Page 4, Read Digest, Read Control, Write Memory, Write Page 4, Write EEPROM, Write Status, Write Message, Write Control, and Profile. Figure 5 shows the flow for the Memory Function selection. Figure 6 through Figure 12 illustrate the flow for each memory function. Memory Function Flow NO M/F = 0xF0? YES Read Memory Flow NO M/F = 0x0F? Write Memory Flow YES NO YES Read Page Flow YES Read Digest Flow M/F = 0xC3? NO M/F = 0xDD? NO M/F = 0x22? Write Message Flow YES YES NO NO M/F = 0xFA? M/F = 0xAA? YES Read Status Flow YES Write Status Flow YES M/F = 0xAF? YES NO NO M/F = 0x88? YES ROM Function Flow Read Control Flow NO M/F = 0x77? Write Control Flow YES NO M/F = 0xE0? YES Read EEPROM Flow NO M/F = 0x0E? YES Write EEPROM Flow NO Figure 5. Memory Function Flow Chart 8 Read Page 4 Flow NO NO M/F = 0x55? Profile Flow M/F = 0x99? Submit Documentation Feedback Write Page 4 Flow bq26100 www.ti.com SLUS696 – JUNE 2006 MEMORY DESCRIPTIONS The bq26100 has a memory and command structure that is compatible with the bq2022, however additional memory and commands have been added. The bq26100 uses a combination of non-volatile One-Time-Programmable (OTP), non-volatile EEPROM, and volatile registers. The memory is split into the following sections: Non-Volatile OTP Memory The One Time Programmable (OTP) memory is intended for factory programming. Programming the OTP requires putting a 7-V pulse on the communication pin after writing the data to the intended address. General Use – Memory Function Commands 0xF0 (Read) and 0x0F (Write) The general use space is erased to read 0x00. Data written to the general space is ORed with data already present at the address to be written. A bit can only be flipped from 0 to 1. Table 1. General Memory Space Addressing ADDRESSES FUNCTION 0x007F – 0x0060 Page 3 – 32 bytes general use 0x005F – 0x0040 Page 2 – 32 bytes general use 0x003F – 0x0020 Page 1 – 32 bytes general use 0x001F – 0x0000 Page 0 – 32 bytes general use Read Page Flow M/F = 0xC3 Read Memory Flow M/F = 0xF0 (1) Master TX: 16-bit address, A (1) Master TX: 16-bit address, A (1) Master RX: 8-bit data @ A A=A+1 Master TX: 16-bit address, A Master TX: 8-bit data, D Master RX: CRC of M/F cmd & A Master RX: CRC of M/F cmd & A A[4:0] = Last address of page Write Memory Flow M/F = 0x0F Master RX: 8-bit data @ A A=A+1 Master RX: CRC of M/F cmd, A & D Master TX: Programming Pulse A = 0x007F? YES Master RX: CRC of all data transmitted Master RX: CRC of all data transmitted CRC = A[7:0] Master RX: D A = A +1 A < 0x007F? NO YES ROM Function Flow NO YES ROM Function Flow ROM Function Flow (1) Master TX: 8-bit data, D NO NO YES A < 0x007F? Master RX: CRC of preloaded A[7:0] & shifted D 16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first. Figure 6. General Memory OTP Write/Read Flows Submit Documentation Feedback 9 bq26100 www.ti.com SLUS696 – JUNE 2006 General Use — Memory Function Commands 0xFA (Read) and 0xAF (Write) The general use space is erased to read 0x00. Data written to the general space is ORed with data already present at the address to be written. A bit can only be flipped from 0 to 1. Table 2. General Memory Space Addressing ADDRESSES FUNCTION 0x001F – 0x0000 Page 4 – 32 bytes general use Write Page 4 M/F = 0xAF Read Page 4 M/F = 0xFA (1) (1) Master TX: 16-bit address, A Master TX: 16-bit address, A Master TX: 8-bit data, D Master RX: CRC of M/F cmd & A Master RX: 8-bit data @ A A=A+1 Master RX: CRC of M/F cmd, A & D Master RX: CRC of preloaded A[7:0] & shifted D Master TX: Programming Pulse A = 0x001F? Master TX: 8-bit data, D NO YES Master RX: CRC of all data transmitted CRC = A[7:0] Master RX: D A = A +1 A = 0x001F? ROM Function Flow NO YES ROM Function Flow (1) 16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first. Figure 7. General Memory OTP Write/Read Flows 10 Submit Documentation Feedback bq26100 www.ti.com SLUS696 – JUNE 2006 Status – Memory Function Commands 0xAA (Read) and 0x55 (Write) Unlike the general use pages, the status bytes read 0xFF when not programmed and a bit is programmed from 1 to 0. A zero represents the active state. Address 0x0007 Reserved Programmed at the factory to read 0x00 Address 0x0006 Key Index The host can determine which one of multiple keys was programmed into the bq26100 by reading the key index value. Address 0x0005 – 0x0001 Page Redirection A pointer for alternative page information, these bytes can be used if information in the original page has been invalidated. The host can read these locations and direct reads and/or writes to the page pointed to by the value in the register. For example, if the data in page 2 is corrupted by an incorrectly written data value, and the corrected data is in page 1, the value written to address 0x0003 would be 0xFE (1’s complement value of 0x01). Upon reading address 0x0003, the host would receive 0xFE and would take the 1’s complement to determine that page 1 contains redirected data. Table 3. Page Redirection ADDRESS PAGE REDIRECTED 0x0005 Page 4 0x0004 Page 3 0x0003 Page 2 0x0002 Page 1 0x0001 Page 0 There is no hardware mapping of the page redirection bytes. The host is responsible for sending the correct address for a redirected page. Address 0x0000 PAGE LOCK FUNCTION BIT 7 BIT 6 BIT 5 BIT 4 BIT 3 BIT 2 BIT 1 BIT 0 LOCKK1 LOCKK0 RSVD PAGE 4 PAGE 3 PAGE 2 PAGE 1 PAGE 0 LOCKK1 Programming this bit to 0 locks the upper 64 bits of the device key, preventing additional writes. This bit can only be written once. LOCKK0 Programming this bit to 0 locks the lower 64 bits of the device key, preventing additional writes. This bit can only be written once. PAGEx Programming this bit to 0 locks page designated by x, preventing additional writes. This bit can only be programmed once. Submit Documentation Feedback 11 bq26100 www.ti.com SLUS696 – JUNE 2006 Write Status Flow M/F = 0x55 Read Status Flow M/F = 0xAA (1) (1) Master TX: 16-bit address, A Master TX: 16-bit address, A Master TX: 8-bit data, D Master RX: CRC of M/F cmd & A Master RX: 8-bit data @ A A=A+1 Master RX: CRC of M/F cmd, A & D Master RX: CRC of preloaded A[7:0] & shifted D Master TX: 8-bit data, D Master TX: Programming Pulse A = 0x0007? NO YES Master RX: CRC of all data transmitted CRC = A[7:0] Master RX: D A = 0x0007? ROM Function Flow NO A = A +1 YES ROM Function Flow (1) 16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first. Figure 8. Status OTP Write/Read Flows 12 Submit Documentation Feedback bq26100 www.ti.com SLUS696 – JUNE 2006 Non-Volatile EEPROM Memory The EEPROM memory is intended for in-field programming. Programming the EEPROM is no different than writing to RAM or registers, but the timing between the write and read back is different. A bit can be written to 1 or cleared to 0 multiple times and the value is retained when power to the device is removed. General Use – Memory Function Commands 0xE0 (Read) and 0x0E (Write) Table 4. General Memory Space Addressing (1) ADDRESSES FUNCTION 0x000F – 0x0000 16 Bytes general use Read EEPROM Flow M/F = 0xE0 Write EEPROM Flow M/F = 0x0E Master TX: 16-bit address, A (1) Master TX: 16-bit address, A Master TX: 8-bit data, D Master RX: CRC of M/F cmd & A Master RX: 8-bit data @ A A=A+1 Master waits 100 ms Master waits 50 ms A = 0x00F? Master RX: CRC of preloaded A[7:0] & shifted D NO YES Master RX: CRC of all data transmitted CRC = A[7:0] Master RX: D A = A +1 A = 0x000F? ROM Function Flow Master TX: 8-bit data, D Master RX: CRC of M/F cmd, A & D NO YES ROM Function Flow (1) 16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first. Figure 9. EEPROM Write/Read Flows Submit Documentation Feedback 13 bq26100 www.ti.com SLUS696 – JUNE 2006 Volatile Register Memory The register memory is intended for in-field programming. Message and Digest Registers – Memory Function Command 0xDD (Read) and 0x22 (Write) The message is a 160-bit input to the HMAC calculation, and the digest is the 160-bit output of the HMAC calculation. The message and digest share the same memory space, meaning that the message cannot be read back once the digest has been computed. The MSB of the message should be written to address 0x0013, and the LSB written to address 0x0000. The digest overwrites the message in the following manner. Table 5. Message/Digest Space Addressing ADDRESS MESSAGE VALUE DIGEST VALUE 0x0013 – 0x0010 M[159:128] A[31:0] 0x000F – 0x000C M[127:96] B[31:0] 0x000B – 0x0008 M[95:64] C[31:0] 0x0007 – 0x0004 M[63:32] D[31:0] 0x0003 – 0x0000 M[31:0] E[31:0] NOTE: See the SHA-1 and HMAC descriptions for more information on the meaning of the variables in the above table. Read Digest Flow M/F = 0xDD Write Message Flow M/F = 0x22 (1) Master TX: 16-bit address, A (1) Master TX: 16-bit address, A Master RX: CRC of M/F cmd & A Master TX: 8-bit data, D Master RX: 8-bit data @ A Master RX: CRC of M/F cmd, A & D Master TX: 8-bit data, D A=A+1 Master RX: CRC of preloaded A[7:0] & shifted D CRC = A[7:0] Master RX: D A = 0x0013? NO A = A +1 YES Master RX: CRC of all data transmitted ROM Function Flow (1) A = 0x0013? NO YES ROM Function Flow 16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first. Figure 10. Message/Digest Write/Read Flows 14 Submit Documentation Feedback bq26100 www.ti.com SLUS696 – JUNE 2006 Control and Version Registers – Memory Function Command 0x88 (Read) and 0x77 (Write) The control register starts authentication, clears the message/digest values, and flags when the authentication process has completed. The version register is used to determine the silicon revision. Table 6. General Memory Space Addressing ADDRESSES FUNCTION 0x0001 Silicon Revision Number 0x0000 Control Register The bits of the Control register are as follows: NAME POR STATUS BIT 7 BIT 6 BIT 5 BIT 4 BIT 3 BIT 2 BIT 1 BIT 0 PROGK1 PROGK0 RSVD CLEAR RSVD POR DONE AUTH 0 0 0 0 0 1 0 0 PROGK1 If LOCKK1 is 1 (see Status Register), writing this bit to 1 enables the programming of Device Key 1. Further information about the programming of the keys is found in the SHA-1 section. PROGK0 If the LOCKK0 bit is 1 (see Status Register), writing this bit to 1 enables the programming of Device Key 0. Further information about the programming of the keys is found in the SHA-1 section. RSVD These bits are reserved for future use. They should always be written to 0. CLEAR Writing this bit to 1 clears the message/digest registers. This can be done before the message is written to ensure that all data values are known or after the digest is read to clear the HMAC calculation output. The bq26100 resets the bit back to 0. POR This bit is set when the device comes out of a POR condition. The bit can be written to 0 to clear the flag. Writing the bit to 1 has no effect on device operation. DONE This bit is set when the device completes the HMAC calculation. The host should poll for this bit to determine when the digest is available for reading. This bit is automatically cleared when the AUTH bit is written to 1. This bit is also cleared at POR. AUTH This bit is set to initiate the HMAC calculation. This bit is automatically cleared when the DONE bit is written to 1. Submit Documentation Feedback 15 bq26100 www.ti.com SLUS696 – JUNE 2006 Write Control Flow M/F = 0x77 Read Control Flow M/F = 0x88 (1) (1) Master TX: 16-bit address, A Master TX: 16-bit address, A Master TX: 8-bit data, D Master RX: CRC of M/F cmd & A Master RX: 8-bit data @ A A=A+1 Master TX: 8-bit data, D Master RX: CRC of M/F cmd, A & D Master RX: CRC of preloaded A[7:0] & shifted D CRC = 0x01 Master RX: D A = 0x0001? NO A = A +1 YES Master RX: CRC of all data transmitted NO YES ROM Function Flow ROM Function Flow (1) A = 0x0001? 16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first. Figure 11. Control Register Write/Read Flows Profile Command Pack manufacturers can use the profile command to determine how the device should be programmed. Profile M/F = 0x99 Master RX: 0x55 ROM Function Flow Figure 12. Profile Command Flow SLEEP MODE DESCRIPTION The bq26100 enters sleep mode when the SDQ enters a stop state or when SDQ encounters an invalid ID. SHA-1 DESCRIPTION The SHA-1 is known as a one-way hash function, meaning there is no known mathematical method of computing the input given only the output. The specification of the SHA-1, as defined by FIPS 180-2, states that the input consists of 512 bit blocks with a total input length less than 264 bits. Inputs which do not conform to integer multiples of 512 bit blocks are padded before any block is input to the hash function. The SHA-1 algorithm outputs 160 bits, commonly referred to as the digest. The full SHA-1 specification and algorithm can be found at http://csrc.nist.gov/publications/fips under FIPS 180. (As of April 23, 2004 the latest revision is FIPS 180-2). 16 Submit Documentation Feedback bq26100 www.ti.com SLUS696 – JUNE 2006 The bq26100 generates an SHA-1 input block of 288 bits (total input = 160 bit message + 128 bit key). To complete the 512 bit block size requirement of the SHA-1, the bq26100 pads the key and message with a 1, followed by 159 0’s, followed by the 64 bit value for 288 (000…00100100000), which conforms to the pad requirements specified by FIPS 180-2: 159 bits 64 bits 1 000 . . . 000 000 . . . 0100100000 HMAC DESCRIPTION The SHA-1 engine is used to calculate a modified HMAC value. Using a public message and a secret key, the HMAC output is considered to be a secure fingerprint that authenticates the device used to generate the HMAC. To compute the HMAC let H designate the SHA-1 hash function, M designate the message transmitted to the bq26100, and KD designate the unique 128 bit device key of the bq26100. HMAC(M) is defined as: H[KD || H(KD || M)], where || symbolizes an append operation The message, M, is appended to the device key, KD, and padded to become the input to the SHA-1 hash. The output of this first calculation is then appended to the device key, KD, padded again, and cycled through the SHA-1 hash a second time. The output is the HMAC digest value. KEY PROGRAMMING DESCRIPTION The 128-bit key used in the HMAC calculation is built from two 64-bit key spaces on the bq26100. Each key can be programmed independently, allowing multiple parties to program part of the full 128-bit key without the knowledge necessary to reproduce the full 128-bit key. To further protect the 128-bit key, the value written to each 64-bit non-volatile key space is the output of a SHA-1 calculation on a 160-bit input. Figure 13 provides a flow for the programming of the 128-bit device key. Once KEYx has been programmed, the LOCKKx bit should be programmed to 0 in the status register, preventing another value from overwriting that key space. Master TX: Reset & Write Message Command Master RX: CRC of Write Control Cmd, Address, and Data Master writes up to 160-bit message Master pulls SDQ line to VPROG for 3 ms Master TX: Reset & Write Control Command Master sets PROGK1/PROGK0 in CONTROL reg Master TX: Reset & Write Status command Master sets LOCKK1/LOCKK0 at Status address 0x0000 Figure 13. Key Programming Flow This flow is run twice, for KEY0 and KEY1. An external power source is required on the PWR pin during key programming. Figure 14 shows a typical connection for the external power source. Since there is no key pre-appended to the message, the key message is padded with a 1, followed by 287 0’s, followed by the 64-bit value for 160 (00..01010000): Submit Documentation Feedback 17 bq26100 www.ti.com SLUS696 – JUNE 2006 287 bits 64 bits 1 000 . . . 000 000 . . . 0010100000 + 3.3V Power Supply 100 W SDQ Communication and Programming Pulse Control PWR VSS 0.1 mF Figure 14. External Power Source Connection 18 Submit Documentation Feedback PACKAGE OPTION ADDENDUM www.ti.com 10-Jul-2006 PACKAGING INFORMATION Orderable Device Status (1) Package Type Package Drawing Pins Package Eco Plan (2) Qty BQ26100DRPR ACTIVE SON DRP 6 3000 Green (RoHS & no Sb/Br) CU NIPDAU Level-2-260C-1 YEAR BQ26100DRPRG4 ACTIVE SON DRP 6 3000 Green (RoHS & no Sb/Br) CU NIPDAU Level-2-260C-1 YEAR Lead/Ball Finish MSL Peak Temp (3) (1) The marketing status values are defined as follows: ACTIVE: Product device recommended for new designs. LIFEBUY: TI has announced that the device will be discontinued, and a lifetime-buy period is in effect. NRND: Not recommended for new designs. Device is in production to support existing customers, but TI does not recommend using this part in a new design. PREVIEW: Device has been announced but is not in production. Samples may or may not be available. OBSOLETE: TI has discontinued the production of the device. (2) Eco Plan - The planned eco-friendly classification: Pb-Free (RoHS), Pb-Free (RoHS Exempt), or Green (RoHS & no Sb/Br) - please check http://www.ti.com/productcontent for the latest availability information and additional product content details. TBD: The Pb-Free/Green conversion plan has not been defined. Pb-Free (RoHS): TI's terms "Lead-Free" or "Pb-Free" mean semiconductor products that are compatible with the current RoHS requirements for all 6 substances, including the requirement that lead not exceed 0.1% by weight in homogeneous materials. Where designed to be soldered at high temperatures, TI Pb-Free products are suitable for use in specified lead-free processes. Pb-Free (RoHS Exempt): This component has a RoHS exemption for either 1) lead-based flip-chip solder bumps used between the die and package, or 2) lead-based die adhesive used between the die and leadframe. The component is otherwise considered Pb-Free (RoHS compatible) as defined above. Green (RoHS & no Sb/Br): TI defines "Green" to mean Pb-Free (RoHS compatible), and free of Bromine (Br) and Antimony (Sb) based flame retardants (Br or Sb do not exceed 0.1% by weight in homogeneous material) (3) MSL, Peak Temp. -- The Moisture Sensitivity Level rating according to the JEDEC industry standard classifications, and peak solder temperature. Important Information and Disclaimer:The information provided on this page represents TI's knowledge and belief as of the date that it is provided. TI bases its knowledge and belief on information provided by third parties, and makes no representation or warranty as to the accuracy of such information. Efforts are underway to better integrate information from third parties. TI has taken and continues to take reasonable steps to provide representative and accurate information but may not have conducted destructive testing or chemical analysis on incoming materials and chemicals. TI and TI suppliers consider certain information to be proprietary, and thus CAS numbers and other limited information may not be available for release. In no event shall TI's liability arising out of such information exceed the total purchase price of the TI part(s) at issue in this document sold by TI to Customer on an annual basis. Addendum-Page 1 IMPORTANT NOTICE Texas Instruments Incorporated and its subsidiaries (TI) reserve the right to make corrections, modifications, enhancements, improvements, and other changes to its products and services at any time and to discontinue any product or service without notice. Customers should obtain the latest relevant information before placing orders and should verify that such information is current and complete. All products are sold subject to TI’s terms and conditions of sale supplied at the time of order acknowledgment. TI warrants performance of its hardware products to the specifications applicable at the time of sale in accordance with TI’s standard warranty. Testing and other quality control techniques are used to the extent TI deems necessary to support this warranty. Except where mandated by government requirements, testing of all parameters of each product is not necessarily performed. TI assumes no liability for applications assistance or customer product design. Customers are responsible for their products and applications using TI components. To minimize the risks associated with customer products and applications, customers should provide adequate design and operating safeguards. TI does not warrant or represent that any license, either express or implied, is granted under any TI patent right, copyright, mask work right, or other TI intellectual property right relating to any combination, machine, or process in which TI products or services are used. Information published by TI regarding third-party products or services does not constitute a license from TI to use such products or services or a warranty or endorsement thereof. Use of such information may require a license from a third party under the patents or other intellectual property of the third party, or a license from TI under the patents or other intellectual property of TI. Reproduction of information in TI data books or data sheets is permissible only if reproduction is without alteration and is accompanied by all associated warranties, conditions, limitations, and notices. Reproduction of this information with alteration is an unfair and deceptive business practice. TI is not responsible or liable for such altered documentation. Resale of TI products or services with statements different from or beyond the parameters stated by TI for that product or service voids all express and any implied warranties for the associated TI product or service and is an unfair and deceptive business practice. TI is not responsible or liable for any such statements. Following are URLs where you can obtain information on other Texas Instruments products and application solutions: Products Applications Amplifiers amplifier.ti.com Audio www.ti.com/audio Data Converters dataconverter.ti.com Automotive www.ti.com/automotive DSP dsp.ti.com Broadband www.ti.com/broadband Interface interface.ti.com Digital Control www.ti.com/digitalcontrol Logic logic.ti.com Military www.ti.com/military Power Mgmt power.ti.com Optical Networking www.ti.com/opticalnetwork Microcontrollers microcontroller.ti.com Security www.ti.com/security Low Power Wireless www.ti.com/lpw Mailing Address: Telephony www.ti.com/telephony Video & Imaging www.ti.com/video Wireless www.ti.com/wireless Texas Instruments Post Office Box 655303 Dallas, Texas 75265 Copyright 2006, Texas Instruments Incorporated