TI BQ26100DRPRG4

bq26100
www.ti.com
SLUS696 – JUNE 2006
SHA-1/HMAC BASED SECURITY AND AUTHENTICATION IC WITH SDQ INTERFACE
FEATURES
APPLICATIONS
•
•
•
•
•
•
•
•
•
•
•
•
•
Provides Authentication of Battery Packs
Through SHA-1 Engine Based HMAC
160 Bytes OTP, 16 Bytes EEPROM
Internal Time-Base Eliminates External
Crystal Oscillator
Low Power Operating Modes:
– Active: < 50 µA
– Sleep: 8 µA Typical
Single-Wire SDQ Interface
Powers Directly From the Communication
Bus
6 Lead SON Package
Cellular Phones
PDA and Smart Phones
MP3 Players
Digital Cameras
Internet Appliances
Handheld Devices
DESCRIPTION
The bq26100 provides a method to authenticate battery packs, ensuring that only packs manufactured by
authorized sub-contractors are used in the end application. The security is achieved using the SHA-1 hash
function inside the widely adopted HMAC construction. A unique 128-bit key is stored in each bq26100 device,
allowing the host to authenticate each pack.
The bq26100 communicates to the system over a simple one-wire bi-directional serial interface. The 5-kbits/s
SDQ bus interface reduces communications overhead in the external microcontroller. The bq26100 also derives
power over the SDQ bus line via an external capacitor.
TYPICAL APPLICATION
P+
R1
4.7 kW
+
SDQ
bq26100
C1
0.1 mF
PWR
SDQ
NC
VSS
NC
NC
Protector
BAT
VSS
OC
DO
CO
P-
Please be aware that an important notice concerning availability, standard warranty, and use in critical applications of Texas
Instruments semiconductor products and disclaimers thereto appears at the end of this data sheet.
PRODUCTION DATA information is current as of publication date.
Products conform to specifications per the terms of the Texas
Instruments standard warranty. Production processing does not
necessarily include testing of all parameters.
Copyright © 2006, Texas Instruments Incorporated
bq26100
www.ti.com
SLUS696 – JUNE 2006
ORDERING INFORMATION
TA
PACKAGE
PART NUMBER
–40°C to 85°C
6-lead SON
bq26100DRP
ABSOLUTE MAXIMUM RATINGS (1)
VALUE
Supply voltage (SDQ all with respect to VSS)
UNIT
–0.3 to 7.7
V
5
mA
Output current (SDQ)
TA
Operating free-air temperature range
–40 to 85
°C
Tstg
Storage temperature range
–65 to 150
°C
TJ
Junction temperature range
–40 to 90
°C
300
°C
Lead temperature (Soldering, 10 sec)
(1)
Stresses beyond those listed under absolute maximum ratings may cause permanent damage to the device. These are stress ratings
only, and functional operation of the device at these or any other conditions beyond those indicated under recommended operating
conditions is not implied. Exposure to absolute-maximum-rated conditions for extended periods may affect device reliability.
RECOMMENDED OPERATING CONDITIONS
over operating free-air temperature range (unless otherwise noted)
MIN
MAX
Vsdq
Pull-up voltage
2.5
5.0
UNIT
V
TJ
Operating free-air temperature range
–40
85
°C
ELECTRICAL CHARACTERISTICS
all parameters over operating free-air temperature and supply voltage range (unless otherwise noted) (memory programming
and authentication were tested with R1 = 4.7 kΩ, C1 = 0.1 µF over pull-up voltage range)
PARAMETER
TEST CONDITIONS
Power up communication delay
Isleep
Sleep current
Isdq(Vsdq)
Vsdq Current
MIN
Power capacitor charge time
TYP
8
Vsdq≥ Vsdq(min)
OTP Memory programming voltage
MAX
100
6.8
OTP Memory programming time
EEPROM Programming current (peak current)
EEPROM Peak current duration
EEPROM Programming time
7
UNIT
ms
11
µA
50
µA
7.7
V
100
µs/byte
83
µA
100
µs
50
ms
SDQ
VIL
Input low-level voltage
IOL
Output low sink current
0.63
VOL = 0.4 V
V
1
mA
MAX
UNIT
STANDARD SERIAL COMMUNICATION (SDQ) TIMING
over recommended operating temperature and supply voltage range (unless otherwise noted) (See Figure 1)
PARAMETER
2
TEST CONDITIONS
MIN
TYP
µs
tRSTL
Reset time – low
480
tRSTH
Reset time – high
480
tPDL
Presence detect – low
60
240
µs
tPDH
Presence detect – high
15
60
µs
tREC
Recovery time
tSLOT
Host bit window
tLOW1
Host sends 1
µs
µs
1
Submit Documentation Feedback
60
120
µs
1
13
µs
bq26100
www.ti.com
SLUS696 – JUNE 2006
STANDARD SERIAL COMMUNICATION (SDQ) TIMING (continued)
over recommended operating temperature and supply voltage range (unless otherwise noted) (See Figure 1)
PARAMETER
tLOW0
Host sends 0
tLOWR
Host read bit start
tSLOT
bq26100 bit window
tSU
bq26100 data setup
tRDV
bq26100 data valid
tRELEASE
bq26100 data release
TEST CONDITIONS
MIN
TYP
MAX
UNIT
60
120
µs
1
13
µs
60
120
µs
1
µs
µs
exactly 15
0
15
45
µs
tRSTL
tPDL
tPDH
tRSTH
(a) Reset and Presence Timing
tLOW1
tREC
tLOW0 & tSLOT
tSU
tREC
tLOWR
tRELEASE
tRDV
(b) Host Transmitted Bit Timing
tSLOT
(c) bq26100 Transmitted Bit Timing
Figure 1. SDQ Timing Diagrams
The SDQ protocol requires a CRC calculation as part of the communication flow. The CRC, based on a
polynomial of x8+x5+x4+1, is computed to determine data integrity and its use varies in the protocol. The Memory
Function flows show what data is shifted through the CRC and when the value is transmitted from the slave.
Each data byte used in the CRC calculation is pushed through the CRC shift register from LSB to MSB. The
byte wide CRC computation is:
for (i = 0; i < 8; i++)
{
if (crc[0] ^ input[i])
crc = (crc >> 1) ^ 0x8C;
else
crc = crc >> 1;
}
Where did the magic number 0x8C come from? CRC polynomials are defined such that the highest order simply
shows the number of bits, so x8+x5+x4+1 defines an 8-bit value with a binary value of 00110001 (bits 0, 4, and 5
are 1 and all others are 0). Since the SDQ CRC is computed by shifting in the LSB, the polynomial must be
used in reverse bit order – binary 10001100 or hexadecimal 0x8C.
The CRC value is reset to 0 prior to the first byte being shifted through. The CRC is also reset when the CRC is
shifted out as part of the SDQ protocol.
Submit Documentation Feedback
3
bq26100
www.ti.com
SLUS696 – JUNE 2006
OTP PROGRAMMING SPECIFICATIONS
PARAMETER
TEST CONDITIONS
MIN
tpon
Program setup time
2
trise
Pulse rise time
1
tprog
Pulse high time
tfall
Pulse fall time
Single byte programming
TYP
Vprog
Last bit before
programming pulse
Vpull-up
GND
Programming
Pulse
tpon
Figure 2. bq26100 Communication to OTP Programming Pulse Diagram
tprog
tfall
Figure 3. OTP Programming Pulse Detail
PIN ASSIGNMENT
1
2
3
1.6 mm
Exposed
Thermal Pad
3 mm
2.3 mm
6
5
3 mm
4
TERMINAL FUNCTIONS
TERMINAL
NAME
NC
PWR
4
NO.
I/O
2, 3, 4
1
DESCRIPTION
No connect
I/O
Power capacitor connection
Submit Documentation Feedback
µs
µs
µs
3
1
UNIT
µs
10
300
Key programming
trise
MAX
10
µs
bq26100
www.ti.com
SLUS696 – JUNE 2006
TERMINAL FUNCTIONS (continued)
TERMINAL
NAME
NO.
I/O
SDQ
6
I/O
VSS
5
I
DESCRIPTION
Single wire SDQ interface to host
Ground
FUNCTIONAL BLOCK DIAGRAM
PWR
EEPROM
- Charge Pump
Power
Retification
DTOP
- SHA-1/HMAC
- SDQ
- Ctrl and Status Registers
OTP
ATOP
- Oscillator
- LDO
- POR
- OTP Power Comparator
VSS
SDQ
FUNCTIONAL DESCRIPTION
The bq26100 provides the same basic functionality as the bq2022 with added battery pack/accessory
authentication functions. In addition to four 32-byte pages of general use One Time Programmable (OTP)
non-volatile memory available on the bq2022, the bq26100 adds a fifth 32-byte page of OTP and a 16-byte page
of EEPROM to be used at the host system designer’s discretion. An external high voltage is required for
programming the OTP, but not necessary for programming the EEPROM.
A modified form of the SHA-1/HMAC provides the authentication function of the bq26100. Both the host and the
bq26100 share two 64-bit keys used in the authentication calculation. To authenticate a battery pack, the host
writes a random 20-byte message to the bq26100 and sets the AUTH bit in the CTRL register. The bq26100
calculates the HMAC digest in less than 500 µs, replacing the random message sent by the host with the HMAC
result. To complete the authentication process, the host computes the HMAC function with the same 20-byte
random message originally written to the bq26100. The result is compared to the HMAC result computed by the
bq26100. If the values match, the pack is authenticated.
The key is separated into two 64-bit spaces, allowing multiple parties to program separate portions of the key
and providing an added level of security. Programming a key utilizes the SHA-1 algorithm to provide a mix from
the values used to program the device to the actual key stored on the device. When put into key programming
mode, the device combines the 160-bit message space with a pad as required to get the minimum 512-bit
SHA-1 block, and run through the SHA-1 engine once. The 160-bit output is truncated to the lower 64 bits,
scrambled internally, and then written to the appropriate non-volatile memory key space. The key can only be
read and descrambled by the authentication engine, not by the communication engine, of the bq26100.
Submit Documentation Feedback
5
bq26100
www.ti.com
SLUS696 – JUNE 2006
Communicating with the bq26100
The bq26100 communication protocol starts when the host pulls the bus low for reset time. All devices on the
bus are to respond with a presence pulse, which is active low. The host can then transmit the ROM Function
command, which is used to address the devices on the bus. The ROM functions include Match ID, Skip ID,
Read ID, and Search ID.
6
Match ID
The host transmits the 64-bit ID of the 1-wire based device to communicate.
Skip ID
No ID is necessary for communication. Used only if one device is connected to the host.
Read ID
The 1-wire slave transmits its 64 bit address. This command is only useful if there is only one
device connected to the host.
Search ID
Useful if there are multiple devices on the bus. This command initiates a communication with a
single device, but it is more useful in allowing the host to determine the address of every device
on the bus. The Match ID can then be used to communicate with a specific addressed device.
Submit Documentation Feedback
bq26100
www.ti.com
SLUS696 – JUNE 2006
ROM
Function
Flow
Host Transmits Reset?
YES
NO
bq26100 Transmits
Presence
Host Transmits
R/F
NO
bq26100 Transmits 1 For
Each Bit Start
R/F = 0x55?
Match ID
YES
Host Transmits ID
(LSB to MSB)
ID Match?
YES
NO
R/F = 0xCC?
Skip ID
Memory
Function
Flow
YES
NO
bq26100 Transmits ID
(LSB to MSB)
R/F = 0x33?
Read ID
YES
NO
R/F = 0xF0?
Search ID
n=0
YES
NO
bq26100 Transmits ID
Bit n
n=n+1
bq26100 Transmits ID
Bit n
Host Transmits ID
Bit n
NO
n = 63?
Bit n Match?
YES
YES
NO
Figure 4. ROM Function Flow Chart
The 64-bit device ID is made up of an 8-bit family code, 48-bit random value, and a final 8-bit CRC.
ID MSB
CRC (8 bits)
ID LSB
Random Data (48 bits)
Family Code (8 bits, defaults to 0x09)
Contact Texas Instruments if specific data should be programmed into the ID.
Submit Documentation Feedback
7
bq26100
www.ti.com
SLUS696 – JUNE 2006
After the ROM function command is issued and the bq26100 is selected, a Memory Function command can be
issued. The Memory Function commands are Read Memory, Read EEPROM, Read Status, Read Page, Read
Page 4, Read Digest, Read Control, Write Memory, Write Page 4, Write EEPROM, Write Status, Write
Message, Write Control, and Profile.
Figure 5 shows the flow for the Memory Function selection. Figure 6 through Figure 12 illustrate the flow for
each memory function.
Memory
Function
Flow
NO
M/F = 0xF0?
YES
Read
Memory
Flow
NO
M/F = 0x0F?
Write
Memory
Flow
YES
NO
YES
Read
Page
Flow
YES
Read
Digest
Flow
M/F = 0xC3?
NO
M/F = 0xDD?
NO
M/F = 0x22?
Write
Message
Flow
YES
YES
NO
NO
M/F = 0xFA?
M/F = 0xAA?
YES
Read
Status
Flow
YES
Write
Status
Flow
YES
M/F = 0xAF?
YES
NO
NO
M/F = 0x88?
YES
ROM
Function
Flow
Read
Control
Flow
NO
M/F = 0x77?
Write
Control
Flow
YES
NO
M/F = 0xE0?
YES
Read
EEPROM
Flow
NO
M/F = 0x0E?
YES
Write
EEPROM
Flow
NO
Figure 5. Memory Function Flow Chart
8
Read
Page 4
Flow
NO
NO
M/F = 0x55?
Profile
Flow
M/F = 0x99?
Submit Documentation Feedback
Write
Page 4
Flow
bq26100
www.ti.com
SLUS696 – JUNE 2006
MEMORY DESCRIPTIONS
The bq26100 has a memory and command structure that is compatible with the bq2022, however additional
memory and commands have been added. The bq26100 uses a combination of non-volatile
One-Time-Programmable (OTP), non-volatile EEPROM, and volatile registers. The memory is split into the
following sections:
Non-Volatile OTP Memory
The One Time Programmable (OTP) memory is intended for factory programming. Programming the OTP
requires putting a 7-V pulse on the communication pin after writing the data to the intended address.
General Use – Memory Function Commands 0xF0 (Read) and 0x0F (Write)
The general use space is erased to read 0x00. Data written to the general space is ORed with data already
present at the address to be written. A bit can only be flipped from 0 to 1.
Table 1. General Memory Space Addressing
ADDRESSES
FUNCTION
0x007F – 0x0060
Page 3 – 32 bytes general use
0x005F – 0x0040
Page 2 – 32 bytes general use
0x003F – 0x0020
Page 1 – 32 bytes general use
0x001F – 0x0000
Page 0 – 32 bytes general use
Read
Page
Flow
M/F = 0xC3
Read
Memory
Flow
M/F = 0xF0
(1) Master TX:
16-bit address, A
(1) Master TX:
16-bit address, A
(1)
Master RX:
8-bit data @ A
A=A+1
Master TX:
16-bit address, A
Master TX:
8-bit data, D
Master RX:
CRC of M/F cmd & A
Master RX:
CRC of M/F cmd & A
A[4:0] = Last
address of page
Write
Memory
Flow
M/F = 0x0F
Master RX:
8-bit data @ A
A=A+1
Master RX:
CRC of M/F cmd, A & D
Master TX:
Programming Pulse
A = 0x007F?
YES
Master RX:
CRC of all data transmitted
Master RX:
CRC of all data transmitted
CRC = A[7:0]
Master RX:
D
A = A +1
A < 0x007F?
NO
YES
ROM
Function
Flow
NO
YES
ROM
Function
Flow
ROM
Function
Flow
(1)
Master TX:
8-bit data, D
NO
NO
YES
A < 0x007F?
Master RX:
CRC of preloaded
A[7:0] & shifted D
16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first.
Figure 6. General Memory OTP Write/Read Flows
Submit Documentation Feedback
9
bq26100
www.ti.com
SLUS696 – JUNE 2006
General Use — Memory Function Commands 0xFA (Read) and 0xAF (Write)
The general use space is erased to read 0x00. Data written to the general space is ORed with data already
present at the address to be written. A bit can only be flipped from 0 to 1.
Table 2. General Memory Space Addressing
ADDRESSES
FUNCTION
0x001F – 0x0000
Page 4 – 32 bytes general use
Write
Page 4
M/F = 0xAF
Read
Page 4
M/F = 0xFA
(1)
(1)
Master TX:
16-bit address, A
Master TX:
16-bit address, A
Master TX:
8-bit data, D
Master RX:
CRC of M/F cmd & A
Master RX:
8-bit data @ A
A=A+1
Master RX:
CRC of M/F cmd, A & D
Master RX:
CRC of preloaded
A[7:0] & shifted D
Master TX:
Programming Pulse
A = 0x001F?
Master TX:
8-bit data, D
NO
YES
Master RX:
CRC of all data transmitted
CRC = A[7:0]
Master RX:
D
A = A +1
A = 0x001F?
ROM
Function
Flow
NO
YES
ROM
Function
Flow
(1)
16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first.
Figure 7. General Memory OTP Write/Read Flows
10
Submit Documentation Feedback
bq26100
www.ti.com
SLUS696 – JUNE 2006
Status – Memory Function Commands 0xAA (Read) and 0x55 (Write)
Unlike the general use pages, the status bytes read 0xFF when not programmed and a bit is programmed from
1 to 0. A zero represents the active state.
Address 0x0007 Reserved
Programmed at the factory to read 0x00
Address 0x0006 Key Index
The host can determine which one of multiple keys was programmed into the bq26100 by reading the
key index value.
Address 0x0005 – 0x0001 Page Redirection
A pointer for alternative page information, these bytes can be used if information in the original page has
been invalidated. The host can read these locations and direct reads and/or writes to the page pointed
to by the value in the register. For example, if the data in page 2 is corrupted by an incorrectly written
data value, and the corrected data is in page 1, the value written to address 0x0003 would be 0xFE (1’s
complement value of 0x01). Upon reading address 0x0003, the host would receive 0xFE and would take
the 1’s complement to determine that page 1 contains redirected data.
Table 3. Page Redirection
ADDRESS
PAGE REDIRECTED
0x0005
Page 4
0x0004
Page 3
0x0003
Page 2
0x0002
Page 1
0x0001
Page 0
There is no hardware mapping of the page redirection bytes. The host is responsible for sending the correct
address for a redirected page.
Address 0x0000 PAGE LOCK
FUNCTION
BIT 7
BIT 6
BIT 5
BIT 4
BIT 3
BIT 2
BIT 1
BIT 0
LOCKK1
LOCKK0
RSVD
PAGE 4
PAGE 3
PAGE 2
PAGE 1
PAGE 0
LOCKK1 Programming this bit to 0 locks the upper 64 bits of the device key, preventing additional writes.
This bit can only be written once.
LOCKK0 Programming this bit to 0 locks the lower 64 bits of the device key, preventing additional writes. This
bit can only be written once.
PAGEx
Programming this bit to 0 locks page designated by x, preventing additional writes. This bit can only
be programmed once.
Submit Documentation Feedback
11
bq26100
www.ti.com
SLUS696 – JUNE 2006
Write
Status
Flow
M/F = 0x55
Read
Status
Flow
M/F = 0xAA
(1)
(1)
Master TX:
16-bit address, A
Master TX:
16-bit address, A
Master TX:
8-bit data, D
Master RX:
CRC of M/F cmd & A
Master RX:
8-bit data @ A
A=A+1
Master RX:
CRC of M/F cmd, A & D
Master RX:
CRC of preloaded
A[7:0] & shifted D
Master TX:
8-bit data, D
Master TX:
Programming Pulse
A = 0x0007?
NO
YES
Master RX:
CRC of all data transmitted
CRC = A[7:0]
Master RX:
D
A = 0x0007?
ROM
Function
Flow
NO
A = A +1
YES
ROM
Function
Flow
(1)
16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first.
Figure 8. Status OTP Write/Read Flows
12
Submit Documentation Feedback
bq26100
www.ti.com
SLUS696 – JUNE 2006
Non-Volatile EEPROM Memory
The EEPROM memory is intended for in-field programming. Programming the EEPROM is no different than
writing to RAM or registers, but the timing between the write and read back is different. A bit can be written to 1
or cleared to 0 multiple times and the value is retained when power to the device is removed.
General Use – Memory Function Commands 0xE0 (Read) and 0x0E (Write)
Table 4. General Memory Space Addressing
(1)
ADDRESSES
FUNCTION
0x000F – 0x0000
16 Bytes general use
Read
EEPROM
Flow
M/F = 0xE0
Write
EEPROM
Flow
M/F = 0x0E
Master TX:
16-bit address, A
(1) Master TX:
16-bit address, A
Master TX:
8-bit data, D
Master RX:
CRC of M/F cmd & A
Master RX:
8-bit data @ A
A=A+1
Master waits 100 ms
Master waits 50 ms
A = 0x00F?
Master RX:
CRC of preloaded
A[7:0] & shifted D
NO
YES
Master RX:
CRC of all data transmitted
CRC = A[7:0]
Master RX:
D
A = A +1
A = 0x000F?
ROM
Function
Flow
Master TX:
8-bit data, D
Master RX:
CRC of M/F cmd, A & D
NO
YES
ROM
Function
Flow
(1)
16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first.
Figure 9. EEPROM Write/Read Flows
Submit Documentation Feedback
13
bq26100
www.ti.com
SLUS696 – JUNE 2006
Volatile Register Memory
The register memory is intended for in-field programming.
Message and Digest Registers – Memory Function Command 0xDD (Read) and 0x22 (Write)
The message is a 160-bit input to the HMAC calculation, and the digest is the 160-bit output of the HMAC
calculation. The message and digest share the same memory space, meaning that the message cannot be
read back once the digest has been computed. The MSB of the message should be written to address
0x0013, and the LSB written to address 0x0000. The digest overwrites the message in the following manner.
Table 5. Message/Digest Space Addressing
ADDRESS
MESSAGE VALUE
DIGEST VALUE
0x0013 – 0x0010
M[159:128]
A[31:0]
0x000F – 0x000C
M[127:96]
B[31:0]
0x000B – 0x0008
M[95:64]
C[31:0]
0x0007 – 0x0004
M[63:32]
D[31:0]
0x0003 – 0x0000
M[31:0]
E[31:0]
NOTE:
See the SHA-1 and HMAC descriptions for more information on the meaning of the
variables in the above table.
Read
Digest
Flow
M/F = 0xDD
Write
Message
Flow
M/F = 0x22
(1) Master TX:
16-bit address, A
(1) Master TX:
16-bit address, A
Master RX:
CRC of M/F cmd & A
Master TX:
8-bit data, D
Master RX:
8-bit data @ A
Master RX:
CRC of M/F cmd, A & D
Master TX:
8-bit data, D
A=A+1
Master RX:
CRC of preloaded
A[7:0] & shifted D
CRC = A[7:0]
Master RX:
D
A = 0x0013?
NO
A = A +1
YES
Master RX:
CRC of all data transmitted
ROM
Function
Flow
(1)
A = 0x0013?
NO
YES
ROM
Function
Flow
16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first.
Figure 10. Message/Digest Write/Read Flows
14
Submit Documentation Feedback
bq26100
www.ti.com
SLUS696 – JUNE 2006
Control and Version Registers – Memory Function Command 0x88 (Read) and 0x77 (Write)
The control register starts authentication, clears the message/digest values, and flags when the
authentication process has completed. The version register is used to determine the silicon revision.
Table 6. General Memory Space Addressing
ADDRESSES
FUNCTION
0x0001
Silicon Revision Number
0x0000
Control Register
The bits of the Control register are as follows:
NAME
POR STATUS
BIT 7
BIT 6
BIT 5
BIT 4
BIT 3
BIT 2
BIT 1
BIT 0
PROGK1
PROGK0
RSVD
CLEAR
RSVD
POR
DONE
AUTH
0
0
0
0
0
1
0
0
PROGK1 If LOCKK1 is 1 (see Status Register), writing this bit to 1 enables the programming of Device Key 1.
Further information about the programming of the keys is found in the SHA-1 section.
PROGK0 If the LOCKK0 bit is 1 (see Status Register), writing this bit to 1 enables the programming of Device
Key 0. Further information about the programming of the keys is found in the SHA-1 section.
RSVD
These bits are reserved for future use. They should always be written to 0.
CLEAR
Writing this bit to 1 clears the message/digest registers. This can be done before the message is
written to ensure that all data values are known or after the digest is read to clear the HMAC
calculation output. The bq26100 resets the bit back to 0.
POR
This bit is set when the device comes out of a POR condition. The bit can be written to 0 to clear
the flag. Writing the bit to 1 has no effect on device operation.
DONE
This bit is set when the device completes the HMAC calculation. The host should poll for this bit to
determine when the digest is available for reading. This bit is automatically cleared when the AUTH
bit is written to 1. This bit is also cleared at POR.
AUTH
This bit is set to initiate the HMAC calculation. This bit is automatically cleared when the DONE bit
is written to 1.
Submit Documentation Feedback
15
bq26100
www.ti.com
SLUS696 – JUNE 2006
Write
Control
Flow
M/F = 0x77
Read
Control
Flow
M/F = 0x88
(1)
(1)
Master TX:
16-bit address, A
Master TX:
16-bit address, A
Master TX:
8-bit data, D
Master RX:
CRC of M/F cmd & A
Master RX:
8-bit data @ A
A=A+1
Master TX:
8-bit data, D
Master RX:
CRC of M/F cmd, A & D
Master RX:
CRC of preloaded
A[7:0] & shifted D
CRC = 0x01
Master RX:
D
A = 0x0001?
NO
A = A +1
YES
Master RX:
CRC of all data transmitted
NO
YES
ROM
Function
Flow
ROM
Function
Flow
(1)
A = 0x0001?
16-Bit address is sent with lower 8-bit address followed by higher 8-bit address with least significant bit first.
Figure 11. Control Register Write/Read Flows
Profile Command
Pack manufacturers can use the profile command to determine how the device should be programmed.
Profile
M/F = 0x99
Master RX:
0x55
ROM
Function
Flow
Figure 12. Profile Command Flow
SLEEP MODE DESCRIPTION
The bq26100 enters sleep mode when the SDQ enters a stop state or when SDQ encounters an invalid ID.
SHA-1 DESCRIPTION
The SHA-1 is known as a one-way hash function, meaning there is no known mathematical method of
computing the input given only the output. The specification of the SHA-1, as defined by FIPS 180-2, states that
the input consists of 512 bit blocks with a total input length less than 264 bits. Inputs which do not conform to
integer multiples of 512 bit blocks are padded before any block is input to the hash function. The SHA-1
algorithm outputs 160 bits, commonly referred to as the digest.
The full SHA-1 specification and algorithm can be found at http://csrc.nist.gov/publications/fips under FIPS 180.
(As of April 23, 2004 the latest revision is FIPS 180-2).
16
Submit Documentation Feedback
bq26100
www.ti.com
SLUS696 – JUNE 2006
The bq26100 generates an SHA-1 input block of 288 bits (total input = 160 bit message + 128 bit key). To
complete the 512 bit block size requirement of the SHA-1, the bq26100 pads the key and message with a 1,
followed by 159 0’s, followed by the 64 bit value for 288 (000…00100100000), which conforms to the pad
requirements specified by FIPS 180-2:
159 bits
64 bits
1 000 . . . 000 000 . . . 0100100000
HMAC DESCRIPTION
The SHA-1 engine is used to calculate a modified HMAC value. Using a public message and a secret key, the
HMAC output is considered to be a secure fingerprint that authenticates the device used to generate the HMAC.
To compute the HMAC let H designate the SHA-1 hash function, M designate the message transmitted to the
bq26100, and KD designate the unique 128 bit device key of the bq26100. HMAC(M) is defined as:
H[KD || H(KD || M)], where || symbolizes an append operation
The message, M, is appended to the device key, KD, and padded to become the input to the SHA-1 hash. The
output of this first calculation is then appended to the device key, KD, padded again, and cycled through the
SHA-1 hash a second time. The output is the HMAC digest value.
KEY PROGRAMMING DESCRIPTION
The 128-bit key used in the HMAC calculation is built from two 64-bit key spaces on the bq26100. Each key can
be programmed independently, allowing multiple parties to program part of the full 128-bit key without the
knowledge necessary to reproduce the full 128-bit key. To further protect the 128-bit key, the value written to
each 64-bit non-volatile key space is the output of a SHA-1 calculation on a 160-bit input. Figure 13 provides a
flow for the programming of the 128-bit device key. Once KEYx has been programmed, the LOCKKx bit should
be programmed to 0 in the status register, preventing another value from overwriting that key space.
Master TX:
Reset &
Write Message Command
Master RX:
CRC of Write Control Cmd,
Address, and Data
Master writes up to
160-bit message
Master pulls SDQ line to
VPROG for 3 ms
Master TX:
Reset &
Write Control Command
Master sets
PROGK1/PROGK0
in CONTROL reg
Master TX:
Reset &
Write Status command
Master sets
LOCKK1/LOCKK0 at Status
address 0x0000
Figure 13. Key Programming Flow
This flow is run twice, for KEY0 and KEY1. An external power source is required on the PWR pin during key
programming. Figure 14 shows a typical connection for the external power source.
Since there is no key pre-appended to the message, the key message is padded with a 1, followed by 287 0’s,
followed by the 64-bit value for 160 (00..01010000):
Submit Documentation Feedback
17
bq26100
www.ti.com
SLUS696 – JUNE 2006
287 bits
64 bits
1 000 . . . 000 000 . . . 0010100000
+
3.3V Power Supply
100 W
SDQ
Communication and
Programming Pulse
Control
PWR
VSS
0.1 mF
Figure 14. External Power Source Connection
18
Submit Documentation Feedback
PACKAGE OPTION ADDENDUM
www.ti.com
10-Jul-2006
PACKAGING INFORMATION
Orderable Device
Status (1)
Package
Type
Package
Drawing
Pins Package Eco Plan (2)
Qty
BQ26100DRPR
ACTIVE
SON
DRP
6
3000 Green (RoHS &
no Sb/Br)
CU NIPDAU
Level-2-260C-1 YEAR
BQ26100DRPRG4
ACTIVE
SON
DRP
6
3000 Green (RoHS &
no Sb/Br)
CU NIPDAU
Level-2-260C-1 YEAR
Lead/Ball Finish
MSL Peak Temp (3)
(1)
The marketing status values are defined as follows:
ACTIVE: Product device recommended for new designs.
LIFEBUY: TI has announced that the device will be discontinued, and a lifetime-buy period is in effect.
NRND: Not recommended for new designs. Device is in production to support existing customers, but TI does not recommend using this part in
a new design.
PREVIEW: Device has been announced but is not in production. Samples may or may not be available.
OBSOLETE: TI has discontinued the production of the device.
(2)
Eco Plan - The planned eco-friendly classification: Pb-Free (RoHS), Pb-Free (RoHS Exempt), or Green (RoHS & no Sb/Br) - please check
http://www.ti.com/productcontent for the latest availability information and additional product content details.
TBD: The Pb-Free/Green conversion plan has not been defined.
Pb-Free (RoHS): TI's terms "Lead-Free" or "Pb-Free" mean semiconductor products that are compatible with the current RoHS requirements
for all 6 substances, including the requirement that lead not exceed 0.1% by weight in homogeneous materials. Where designed to be soldered
at high temperatures, TI Pb-Free products are suitable for use in specified lead-free processes.
Pb-Free (RoHS Exempt): This component has a RoHS exemption for either 1) lead-based flip-chip solder bumps used between the die and
package, or 2) lead-based die adhesive used between the die and leadframe. The component is otherwise considered Pb-Free (RoHS
compatible) as defined above.
Green (RoHS & no Sb/Br): TI defines "Green" to mean Pb-Free (RoHS compatible), and free of Bromine (Br) and Antimony (Sb) based flame
retardants (Br or Sb do not exceed 0.1% by weight in homogeneous material)
(3)
MSL, Peak Temp. -- The Moisture Sensitivity Level rating according to the JEDEC industry standard classifications, and peak solder
temperature.
Important Information and Disclaimer:The information provided on this page represents TI's knowledge and belief as of the date that it is
provided. TI bases its knowledge and belief on information provided by third parties, and makes no representation or warranty as to the
accuracy of such information. Efforts are underway to better integrate information from third parties. TI has taken and continues to take
reasonable steps to provide representative and accurate information but may not have conducted destructive testing or chemical analysis on
incoming materials and chemicals. TI and TI suppliers consider certain information to be proprietary, and thus CAS numbers and other limited
information may not be available for release.
In no event shall TI's liability arising out of such information exceed the total purchase price of the TI part(s) at issue in this document sold by TI
to Customer on an annual basis.
Addendum-Page 1
IMPORTANT NOTICE
Texas Instruments Incorporated and its subsidiaries (TI) reserve the right to make corrections, modifications,
enhancements, improvements, and other changes to its products and services at any time and to discontinue
any product or service without notice. Customers should obtain the latest relevant information before placing
orders and should verify that such information is current and complete. All products are sold subject to TI’s terms
and conditions of sale supplied at the time of order acknowledgment.
TI warrants performance of its hardware products to the specifications applicable at the time of sale in
accordance with TI’s standard warranty. Testing and other quality control techniques are used to the extent TI
deems necessary to support this warranty. Except where mandated by government requirements, testing of all
parameters of each product is not necessarily performed.
TI assumes no liability for applications assistance or customer product design. Customers are responsible for
their products and applications using TI components. To minimize the risks associated with customer products
and applications, customers should provide adequate design and operating safeguards.
TI does not warrant or represent that any license, either express or implied, is granted under any TI patent right,
copyright, mask work right, or other TI intellectual property right relating to any combination, machine, or process
in which TI products or services are used. Information published by TI regarding third-party products or services
does not constitute a license from TI to use such products or services or a warranty or endorsement thereof.
Use of such information may require a license from a third party under the patents or other intellectual property
of the third party, or a license from TI under the patents or other intellectual property of TI.
Reproduction of information in TI data books or data sheets is permissible only if reproduction is without
alteration and is accompanied by all associated warranties, conditions, limitations, and notices. Reproduction
of this information with alteration is an unfair and deceptive business practice. TI is not responsible or liable for
such altered documentation.
Resale of TI products or services with statements different from or beyond the parameters stated by TI for that
product or service voids all express and any implied warranties for the associated TI product or service and
is an unfair and deceptive business practice. TI is not responsible or liable for any such statements.
Following are URLs where you can obtain information on other Texas Instruments products and application
solutions:
Products
Applications
Amplifiers
amplifier.ti.com
Audio
www.ti.com/audio
Data Converters
dataconverter.ti.com
Automotive
www.ti.com/automotive
DSP
dsp.ti.com
Broadband
www.ti.com/broadband
Interface
interface.ti.com
Digital Control
www.ti.com/digitalcontrol
Logic
logic.ti.com
Military
www.ti.com/military
Power Mgmt
power.ti.com
Optical Networking
www.ti.com/opticalnetwork
Microcontrollers
microcontroller.ti.com
Security
www.ti.com/security
Low Power Wireless www.ti.com/lpw
Mailing Address:
Telephony
www.ti.com/telephony
Video & Imaging
www.ti.com/video
Wireless
www.ti.com/wireless
Texas Instruments
Post Office Box 655303 Dallas, Texas 75265
Copyright  2006, Texas Instruments Incorporated