Secure Microcontroller User’s Guide Rev 1/14 Maxim Integrated cannot assume responsibility for use of any circuitry other than circuitry entirely embodied in a Maxim Integrated product. No circuit patent licenses are implied. Maxim Integrated reserves the right to change the circuitry and specifications without notice at any time. Maxim Integrated 160 Rio Robles, San Jose, CA 95134 USA 1-408-601-1000 © 2014 Maxim Integrated Products, Inc.
Secure Microcontroller User’s Guide TABLE OF CONTENTS 1. INTRODUCTION................................................................................................................. 7 1.1 1.2 1.3 1.4 2. 3. IMPORTANT NOTICE REGARDING DISCONTINUED DS2251T/DS2252T .............................................. 7 SOFTWARE SECURITY ..................................................................................................................... 7 PRODUCT DESCRIPTION ......................................
Secure Microcontroller User’s Guide 9.11 9.12 9.13 10. RESET CONDITIONS....................................................................................................... 85 10.1 10.1.1 10.1.2 10.1.3 10.1.4 10.2 10.3 10.4 10.5 11. OUTPUT FUNCTIONS ................................................................................................................ 102 INPUT FUNCTION ......................................................................................................................
Secure Microcontroller User’s Guide 16.6 16.7 16.8 16.9 16.10 16.11 16.12 16.13 16.14 16.15 16.16 17. REAL-TIME CLOCK (RTC) ............................................................................................ 155 17.1 17.2 17.3 17.4 17.5 17.6 17.7 18. DS5000T/DS2250T RTC ........................................................................................................ 155 IMPORTANT DS5000T/DS2250T APPLICATION NOTE ...............................................................
Secure Microcontroller User’s Guide LIST OF FIGURES Figure 3-1. Secure Microcontroller Architectural Block Diagram .............................................................. 15 Figure 4-1. Secure Microcontroller Memory Map ..................................................................................... 18 Figure 4-2. Scratchpad Register Map ....................................................................................................... 20 Figure 4-3. DS5000 Series Memory Map ...............
Secure Microcontroller User’s Guide Figure 14-3. Mode2 and 3 Block Diagram .............................................................................................. 124 Figure 15-1. Crystal Connection ............................................................................................................. 130 Figure 15-2. Clock Source Input ............................................................................................................. 131 Figure 15-3.
Secure Microcontroller User’s Guide 1. INTRODUCTION The secure microcontroller family is a line of 8051-compatible devices that use nonvolatile (NV) RAM rather than ROM for program storage. NV RAM allows the design of a “soft” microcontroller that provides many unique features for embedded system designers. The enhanced security features employed by the secure microcontroller family protect the user-application software against piracy and tampering.
Secure Microcontroller User’s Guide The DS5002FP secure microprocessor chip offers the highest level of security, with permanently enabled memory encryption, an 80-bit random encryption key, and a self-destruct input for tamper protection. The DS5000FP soft microprocessor chip and DS5000(T) and DS2250(T) soft microcontroller modules offer lesser, but still substantial, protection with optional data encryption and a 48-bit encryption key.
Secure Microcontroller User’s Guide 1.3 Product Description All secure microcontroller products have the following standard 8051 family features: 8051-compatible instruction set Four 8-bit pseudo-bidirectional I/O ports Two 16-bit timer/counters Five interrupts with two external Addresses 64kB program and 64kB data memory 128 bytes scratchpad RAM One UART DS5000FP Soft Microprocessor Chip The DS5000FP is the original soft microprocessor chip.
Secure Microcontroller User’s Guide The DS5001FP provides the base feature set of the DS5000FP with the following extras. Note that the DS5001FP has no memory encryption feature.
Secure Microcontroller User’s Guide • • Random number generator Firmware bootstrap loader resides in a 16kB factory-programmed ROM 8051 Compatible with Expanded Addressing • 4-clock/machine cycle architecture (25MHz/6.
Secure Microcontroller User’s Guide 2. SELECTOR GUIDE The following configurations are available. Speeds are rated maximums, but all members of the secure microcontroller family are fully static and can be run as slow as desired.
Secure Microcontroller User’s Guide 3. SECURE MICROCONTROLLER ARCHITECTURE The secure microcontroller family is based on an 8051-compatible core with a memory interface and I/O logic build around it. In general, most architecture features are identical to standard 8051s and apply to all members of the secure microcontroller family. Differences between versions are mentioned. This section briefly documents the important features. Figure 3-1 shows a block diagram of the microcontroller core.
Secure Microcontroller User’s Guide Scratchpad Registers Scratchpad registers are 128 registers where data can be stored directly. They are addressed from 00H to 7FH and can be accessed by a MOV instruction. Included in the scratchpad area are four 8-byte banks of working registers. These registers are not part of the data memory map. Serial I/O The on-chip serial I/O port is composed of a receive data buffer, a transmit data buffer, and a control register.
Secure Microcontroller User’s Guide Figure 3-1.
Secure Microcontroller User’s Guide Parallel I/O Four SFRs provide access for the four parallel I/O port latches. These I/O ports are denoted as P0, P1, P2, and P3. 32 bits of parallel I/O is available through these I/O ports. However, up to 16 bits are sacrificed when the expanded bus mode is used to interface to external memory and up to 6 bits can be sacrificed if any external interrupt inputs, timer counter inputs, or serial I/O functions are used. When using the bytewide bus, ports are not affected.
Secure Microcontroller User’s Guide Vector RAM The vector RAM is used to contain the reset and interrupt vector code when the soft microcontroller is operating in the encryption mode. This feature is included to insure the security of the application software. The operation of the vector RAM as well as the reason for its inclusion in the architecture are discussed in Software Security in Section 1.1.
Secure Microcontroller User’s Guide 4. PROGRAMMER’S GUIDE The secure microcontroller uses NV RAM technology for program and data memory. NV SRAM writeprotected memory segments are designated as program memory. The remaining RAM area is used as nonvolatile data storage. One of the advantages of breaking a common RAM into two segments is that a smaller number of memory chips is needed. For example, if a system requires 24kB of program memory and 4kB of data memory, this all fits within one 32kB x 8 SRAM.
Secure Microcontroller User’s Guide 4.1.1 Internal Registers The internal register space is divided into two parts. These are scratchpad registers and SFRs. There are 128 scratchpad registers, commonly referred to as on-chip RAM. The 128 bytes include four 8-byte banks of working registers (R0–R7). The scratchpad registers are located at register addresses 00–7Fh. This area is not located in the program or data memory area and is accessed by different instructions. The SFRs are located between 80h and FFh.
Secure Microcontroller User’s Guide Figure 4-2.
Secure Microcontroller User’s Guide The second bus is an expanded bus constituted by Ports 0 and 2. This is the standard 8051-compatible memory bus that is available as an option, but is not needed in most cases. Program memory on the expanded bus must be ROM/EPROM and data memory must be volatile SRAM. If NV RAM is needed on the expanded bus, then it must be externally backed up and write protected. The secure microcontroller makes no special provisions for NV RAM on the expanded bus.
Secure Microcontroller User’s Guide When the partition is at 3000h and the range at 32kB, program memory below 3000h is accessed on the bytewide bus. Program memory at or above 3000h is directed to the expanded bus or Ports 0 and 2. When the partition is at 5800h and the range at 32K, data memory at 0000h is accessed on Ports 0 and 2. Data memory at 6000h is located in NV RAM on the bytewide bus. When the partition is at 1000h and the range at 8kB, all memory access above 1FFFh is on the expanded bus.
Secure Microcontroller User’s Guide Figure 4-3. DS5000 Series Memory Map ECE2=0 FFFFh ECE2=1 7FFFh 64kB 32kB RANGE ADDR. 8kB 1FFFh BYTEWIDE BUS ACCESS PARTITION ADDR. BYTEWIDE BUS ACCESS BYTEWIDE BUS ACCESS 0000 PROGRAM MEMORY DATA MEMORY DEVICE #1 SELECTED WITH CE1 DATA MEMORY DEVICE #2 SELECTED WITH CE2 = NO MEMORY ACCESS = BYTEWIDE ACCESS WITH CE2 (NV RAM) = BYTEWIDE ACCESS WITH CE1 (NV RAM) = EXPANDED BUS ACCESS ON PORTS 0 AND 2 4.
Secure Microcontroller User’s Guide DS5000 SERIES MCON REGISTER MCON.7–4 Partition Address PA3–0 Use to select the starting address of data memory in embedded RAM. Program space lies below the partition address. MCON.3 Range Address RA32/8 Sets the maximum usable address on the bytewide bus. RA32/8 = 0 sets range address = 1FFFH (8kB); RA32/8 = 1 sets range address = 7FFFH (32kB) MCON.2 Enable Chip Enable 2 ECE2 Used to enable or disable the CE2 signal to additional RAM data memory space.
Secure Microcontroller User’s Guide are selected during the bootstrap loading process and cannot be modified by the application software. The table below shows the range values that can be selected when PM = 0 (partitionable). RG1 RG0 1 1 0 0 1 0 1 0 RANGE (kB) 64 32 16 8 CE1 ACCESS CE2 ACCESS 0000–7FFFh 0000–7FFFh 0000–1FFFh 0000–1FFFh 8000–FFFFh NA 2000h–3FFFh NA The total RAM space is partitionable, regardless of which range is selected.
Secure Microcontroller User’s Guide Figure 4-4. Partitionable Memory Map for DS5001/DS5002 Series PES = 0 FFFFh 64kB RANGE ADDRESS BYTEWIDE BUS ACCESS PARTITION ADDRESS BYTEWIDE BUS ACCESS 0000 PROGRAM MEMORY DATA MEMORY = BYTEWIDE ACCESS (NV RAM) = EXPANDED BUS ACCESS ON PORT 0/2 The nonpartitionable mode allows the maximum amount of memory to be used on the bytewide bus.
Secure Microcontroller User’s Guide Figure 4-5. Nonpartitionable Memory Map for DS5001/DS5002 Series PES=0 FFFFh 64kB PROGRAM RANGE DATA RANGE 7FFFh 32kB BYTEWIDE BUS ACCESS BYTEWIDE BUS ACCESS PROGRAM MEMORY DATA MEMORY 0000 = BYTEWIDE ACCESS (NV RAM) 4.5 = EXPANDED BUS ACCESS ON PORTS 0 AND 2 DS5001/DS5002 Memory-Mapped Peripherals The DS5001FP and DS5002FP provide four peripheral chip enables (PE4–PE1) designed to access unencrypted peripherals on the bytewide bus.
Secure Microcontroller User’s Guide = 1, the entire 64kB data memory map is accessed in this way. Clearing EXBS causes the microcontroller to revert to its selected configuration. In most systems, the EXBS bit is not used. 4.6 DS5001/DS5002 Memory Map Control Like the DS5000, the DS5001/DS5002 uses SFRs to control the memory map. The memory control functions include the partition, range, partition mode (PM), expanded bus select (EXBS), peripheral enable select (PES) and access enable (AE).
Secure Microcontroller User’s Guide advantages of a secure microcontroller is the ability to change these settings, and even reload the entire program memory while the device is installed in system. To completely re-program and re-configure a device, the bootstrap loader must be invoked. However, the secure microcontroller is designed to allow a partial reload of memory without invoking the bootstrap loader. The major advantage of this technique is that it requires no hardware or external switches.
Secure Microcontroller User’s Guide that includes this loader routine. Once the partition is moved to this temporary location, the software loader can reprogram new code as before. When loading is complete, the partition must be either restored or set to a new value that is appropriate for the new software. If the PA3–0 bits were not modified, the PAA bit can simply be cleared. This restores the old partition.
Secure Microcontroller User’s Guide Figure 4-7.
Secure Microcontroller User’s Guide If the device is in a nonpartitionable configuration, an extra step is required. To perform a soft reload of the program in a nonpartitionable mode, the software must temporarily convert the microprocessor to a partitionable mode using the access-enable bit (RPCTL.4). Setting the AE bit to a logic 1 converts the DS5001/DS5002 into a partitionable mode for as long as it is set.
Secure Microcontroller User’s Guide Figure 4-8. Reloading a DS5001/DS5002 Series Device 7FFFh RANGE (32kB) DATA MEMORY SPACE DATA MEMORY SPACE DATA MEMORY SPACE A000h NEW PARTITION (24kB) 4000h 1000h OLD PARTITION (16kB) PROGRAM MEMORY SPACE PROGRAM MEMORY SPACE TEMP PARTITION (2kB) PROGRAM MEMORY SPACE 0kB 0000h BEFORE LOADING PA3-0 = 0100b DURING LOADING PA3-0 = 0001b = NV RAM DATA MEMORY = NO RAM PROGRAM MEMORY 4.
Secure Microcontroller User’s Guide Figure 4-9.
Secure Microcontroller User’s Guide Figure 4-10.
Secure Microcontroller User’s Guide Power Control Register PCON, 087H D7 SMOD RW-0 D6 POR RT-* D5 PFW R-* D4 WTR R-* D3 EPFW RW-0 D2 EWT RT-* D1 STOP RT-0 D0 IDL RW-0 R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description PCON.7 SMOD Double Baud Rate When set to 1, the baud rate is doubled when the serial port is being used in modes 1, 2, or 3. PCON.
Secure Microcontroller User’s Guide Timer Control Register TCON, 088H D7 TF1 RW-0 D6 TR1 RW-0 D5 TF0 RW-0 D4 TR0 RW-0 D3 IE1 RW-0 D2 IT1 RW-0 D1 IE0 RW-0 D0 IT0 RW-0 R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description TCON.7 Timer 1 Overflow Flag TF1 Status bit set to 1 when timer 1 overflows from a previous count value of all 1s. Cleared to 0 when CPU vectors to timer 1 interrupt service routine. TCON.
Secure Microcontroller User’s Guide Timer Mode Register TMOD, 089H D7 D6 D5 D4 D3 D2 D1 D0 GATE C/ T RW-0 M1 M0 GATE M1 M0 RW-0 RW-0 RW-0 C/ T RW-0 RW-0 RW-0 RW-0 R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description TMOD.7 (Timer 1); TMOD.3 (Timer 0) Gate Control TMOD.6 (Timer 1); TMOD.2 (Timer 0) Counter/Timer Select TMOD.5-4 (Timer 1); TMOD.
Secure Microcontroller User’s Guide Serial Control Register SCON, 098H D7 SM0 RW-0 D6 SM1 RW-0 D5 SM2 RW-0 D4 REN RW-0 D3 TB8 RW-0 D2 RB8 RW-0 D1 TI RW-0 D0 RI RW-0 R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description SCON.7, SCON.
Secure Microcontroller User’s Guide Interrupt Enable Register IE, 0A8H D7 EA RW-0 D6 — D5 — D4 ES RW-0 D3 ET1 RW-0 D2 EX1 RW-0 D1 ET0 RW-0 D0 EX0 RW-0 R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description IE.7 Global Interrupt Enable EA When set to 1, each interrupt except for PFW may be individually enabled or disabled by setting or clearing the associated IEx bit.
Secure Microcontroller User’s Guide Interrupt Priority Register IP, 0B8H D7 RWT RT-1 D6 1 R-1 D5 1 R-1 D4 PS RW-0 D3 PT1 RW-0 D2 PX1 RW-0 D1 PT0 RW-0 D0 PX0 RW-0 R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description IP.7 Reset Watchdog Timer RWT When a 1 is written to this bit via the timed-access procedure the watchdog timer count will be reset and counting will begin again.
Secure Microcontroller User’s Guide DS5001 CRC Register CRC, 0C1H D7 RNGE3 RB-* D6 RNGE2 RB-* D5 RNGE1 RB-* D4 RNGE0 RB-* D3 — D2 — D1 — D0 CRC RB-* R = Unrestricted Read Access, B = Modifiable only via Bootstrap Loader, n = Value after Reset, * = Special: see description CRC.7-4 RNGE3-0 Determines the range over which a power-up CRC will be performed. Addresses are specified on 4K boundaries. These bits are reset 0 on a no-VLI reset and unchanged by all other resets. CRC.
Secure Microcontroller User’s Guide *A 4kB increment (not 2kB) takes place between PA3–0 values 1110b and 1111b. MCON.3 Range Address RA32/8 Set the maximum usable address on the bytewide bus. RA32/8 = 0 sets range address = 1FFFH (8kB) RA32/8 = 1 sets range address = 7FFFH (32kB) Set to 1 during a no-VLI reset and when the security lock bit is cleared by hardware or the bootstrap loader. Remains unchanged on all other types of resets. MCON.
Secure Microcontroller User’s Guide DS5001/DS5002 MCON Register MCON, 0C6H D7 PA3 RT*-* D6 PA2 RT*-* D5 PA1 RT*-* D4 PA0 RT*-* D3 RG1 RB-* D2 PES RW-0 D1 PM R*-* D0 SL R*-* R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, B = Modifiable only via Bootstrap Loader, n = Value after Reset, * = Special: see description MCON.7-4 Partition Address Bits PA3-0 When PM = 0, this address specifies the boundary between program and data memory in a continuous space.
Secure Microcontroller User’s Guide Program Status Word Register PSW, 0D0H D7 C RW-0 D6 AC RW-0 D5 F0 RW-0 D4 RS1 RW-0 D3 RS0 RW-0 D2 OV RW-0 D1 D0 P R-0 R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description PSW.7 Carry C Set when the previous operation resulted in a carry (during addition) or a borrow (during subtraction). Otherwise cleared. PSW.
Secure Microcontroller User’s Guide DS5001/DS5002 RPC Control Register RPCTL, 0D8H D7 RNR R-0 D6 — D5 EXBS RW-0 D4 AE RT-0 D3 IBI R*W*-0 D2 DMA RW*-0 D1 RPCON RW-0 D0 RG0 RB-* R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, B = Modifiable only via Bootstrap Loader, n = Value after Reset, * = Special: see description RPCTL.
Secure Microcontroller User’s Guide DS5001/DS5002 RPC Status Register RPS, 0DAH D7 ST7 * D6 ST6 * D5 ST5 * D4 ST4 * D3 IA0 * D2 F0 * D1 IBF * D0 OBF * R = Unrestricted Read Access, W = Unrestricted Write Access, T = Timed-access Write Only, n = Value after Reset, * = Special: see description RPS.7–4 General-purpose status bits that can be written by the microcontroller and can be read by the external host. These bits are cleared when RPCON = 0.
Secure Microcontroller User’s Guide 4.9 Instruction Set The secure microcontroller executes an instruction set that is object-code compatible with the industry standard 8051 microcontroller. As a result, software tools written for the 8051 are compatible with the secure microcontroller, including cross-assemblers, compilers, and debugging tools. There are 42 instruction types recognized by the secure microcontroller.
Secure Microcontroller User’s Guide In addition, this addressing is used via the stack pointer register (SP) for manipulation of the stack. The stack area is contained in the internal data register area. The PUSH and POP instructions are the only ones that use SP for this addressing mode. PUSH P0 ; Save the contents of the Port 0 SFR latch on the stack The R0, R1, and the DPTR registers are used with register-indirect addressing for accessing data memory.
Secure Microcontroller User’s Guide highest order 5 bits for the next contiguous instruction (PC + 2) and concatenating them with the lowest order 11-bit field contained in the current instruction. The 11-bit field provides an efficient instruction encoding of a destination address for these instructions. ACALL 100H ; Call to the subroutine at address ; 0100H + current page address If the instruction were located at 0830h, the destination address would be 800H + 100H or 900H.
Secure Microcontroller User’s Guide 5. MEMORY INTERCONNECT The secure microcontrollers are composed of microprocessors and modules. This section illustrates the memory interconnect for the various chips and shows block diagrams of selected modules. The soft microprocessor chips are 80-pin QFP packages that connect to a low-power CMOS SRAM. When using a chip, the user must connect the bytewide bus to the RAM as shown in this section. In module form, the bus is connected inside the package.
Secure Microcontroller User’s Guide Figure 5-2. DS5000 Series Module Block Diagram The DS5001FP/DS5002FP has several memory options. It can be connected to between one 8kB SRAM and four 32kB SRAMs. It also supports one 128kB SRAM. In most cases the DS5001FP is used for its greater memory access so it is not used with 8kB RAMs. In the partitionable mode (Section 4), the device can be connected to one or two SRAMs. Figure 5-3 illustrates the connection of two 32kB x 8 SRAMs.
Secure Microcontroller User’s Guide Figure 5-3.
Secure Microcontroller User’s Guide Figure 5-4.
Secure Microcontroller User’s Guide Figure 5-5. Memory Interconnect Using the 128kB SRAM In the 128kB x 8 configuration, the microprocessor converts the CE3 into A15 and CE2 into A16. Grounding the MSEL pin causes this configuration. The physical location of program memory is between addresses 0000h to FFFFh. Data memory is located between 10000h and 1FFFFh. These physical locations are transparent to the user. From a software perspective, both program and data are located between 0000 and FFFFh.
Secure Microcontroller User’s Guide Figure 5-6.
Secure Microcontroller User’s Guide Figure 5-7.
Secure Microcontroller User’s Guide 6. LITHIUM/BATTERY BACKUP Soft microcontroller devices are battery backed for data retention in the absence of VCC. The state of the microcontroller in the soft microcontroller is also maintained, unlike a conventional processor system using an external NV RAM. This section discusses the battery-backup feature, covering system design, battery attach procedure, I/O pin restrictions, lifetime calculations, and battery/RAM size tradeoffs.
Secure Microcontroller User’s Guide Figure 6-1. Power-Supply Slew Rate 40µs, 130µs VCC VCCMIN VLI LITHIUM CURRENT Each time VCC is restored, the battery-backed functions remain in their previous state. The exception is when the device performs a no-VLI reset. This special reset event is a one-time, user-initiated action that forces selected SFR bits to special states. The no-VLI reset is documented in Section 10, Reset Conditions.
Secure Microcontroller User’s Guide ESR rating over the intended operating temperature range to ensure against leakage that may shorten battery life. Battery Lifetime The calculations of data retention lifetime are helpful for chip or module users. They can serve as design and system reliability guidelines. All microcontroller modules are rated for better than 10 years of data retention in the absence of VCC at +25°C. Following these guidelines, similar performance can be achieved using chips.
Secure Microcontroller User’s Guide is conservative. This gives a total data retention current of 2475nA. In this system, a Rayovac BR2325 with a capacity of 180mAh is used. 180 x 10-3 (2400 + 75) x 10-9 x 24 x 365) = = 180 x 10-3 21.68 x 10-3 = 8.3 years Note that these ratings are for continuous data retention so VCC is assumed absent for the entire period. The lifetime will increase based on the ratio of time when VCC is applied vs. data retention time.
Secure Microcontroller User’s Guide 7. POWER MANAGEMENT All secure microcontrollers are implemented using CMOS circuitry for low power consumption. Two software-initiated modes are available for further power saving at times when processing is not required and VCC is at normal operating voltage. These are the idle and stop modes. The additional third mode is the data retention or zero-power state, which is made possible by the on-chip circuitry.
Secure Microcontroller User’s Guide Control/Status Bits for Power Control PCON.6 Power-On Reset Indicates that the previous reset was initiated during a power-on sequence. Initialization: Read Access: Write Access: Cleared to 0 by a power-on reset. Remains at 0 until set to a 1 by software. Can be read normally at any time. Can be written only by using the timed-access register. PCON.5 Power-Fail Warning PFW Indicates that a potential power-failure is in progress.
Secure Microcontroller User’s Guide 7.2 Stop Mode Stop mode is initiated by setting the STOP bit (PCON.1). The operation of the oscillator is halted in stop mode so that no internal clocking signals are produced for either the CPU or the I/O circuitry. An external reset via the RST pin is the only means of exiting this mode without powering down (VCC taken below VCCMIN) and then backing up to produce a power-on reset.
Secure Microcontroller User’s Guide Figure 7-1. Secure Microcontroller Power Cycling Timing 7.5 Total Power Failure If VCC voltage should fall below the VCCMIN threshold, processor operation halts. This is done by first placing the CPU in a reset condition and then stopping the internal clock oscillator circuit, as illustrated in Figure 7-1. At this time the interface to the program/data RAM is disabled by pulling the CE line high. This action guarantees an orderly shutdown for the lithium-backed RAM.
Secure Microcontroller User’s Guide clock oscillator is allowed to start up and an internal power-on reset cycle is executed. Part of the cycle involves a considerable delay that is generated to allow the clock oscillator frequency to stabilize. Activity on the RST pin is ignored until this sequence is completed. The time required for this cycle is shown as tPOR in Figure 7-1 and is specified in the AC Electrical Specifications of the data sheet.
Secure Microcontroller User’s Guide Figure 7-2.
Secure Microcontroller User’s Guide 8. SOFTWARE CONTROL Several features have been incorporated into the secure microcontroller to help ensure the orderly execution of the application software in the face of harsh electrical environments. Any microcontroller that is operating in a particularly noisy environment is susceptible to loss of software control.
Secure Microcontroller User’s Guide Figure 8-1. Timed Access WRITE AAh WRITE 55h WINDOW FOR TIMED ACCESS CLOSES 2 CYCLES 4 CYCLES This code allows the reset of the watchdog timer: MOV MOV SETB 0C7H,#0AAh 0C7H,#055h IP.7 ; 1st TA Value ; 2nd TA Value 2 Cycles ; Reset Watchdog Timer 1 Cycle The watchdog timer bit may have been set using ORL IP, #80H, which takes 2 cycles.
Secure Microcontroller User’s Guide POR informs the software of the power supply condition. Specifically, it means the power has previously dropped below the VCC MIN level and returned to normal. In many systems, this is a unique condition that requires interaction with external hardware. Protecting this bit with a timed-access procedure prevents the microcontroller from accidentally performing a power-on reset procedure. On a DS5000 series device, the PAA bit allows software to alter the partition.
Secure Microcontroller User’s Guide MOV MOV SETB 0C7H, #0AAh 0C7H, #055h IP.7 ; 1st TA Value ; 2nd TA Value ; Reset Watchdog Timer If the timeout period expires without the timer being reset by the software, the Watchdog Timer will reset the CPU, set the WTR status flag (regardless of whether the reset is enabled), and start counting again. The WTR flag allows the application software to distinguish this type of reset from other reset so that special processing can be performed to accommodate this case.
Secure Microcontroller User’s Guide This function is supported in the CRC register, accessible via the Bootstrap Loader. Setting the CRC bit (LSB) enables the power-up CRC function. The upper nibble of the CRC register (values 0h–Fh) defines the address space in 4kB blocks over which the CRC calculation is performed. For example, if the nibble is set to 0001b, the CRC range is from 0000 to 0FFFh.
Secure Microcontroller User’s Guide The CRC-16 logic is accessed via the CRCMSB and CRCLSB SFRs mentioned above. The software must sequentially write the memory values into the CRC LSB at location 0C2h. After a delay of one instruction cycle, the 16-bit result will be available at 0C3h and 0C2h. When using the CRC-16 hardware as part of an application, the CRC should first be cleared by writing the LSB back twice with a delay in between for computation. This process makes the CRC-16 result equal to 0000h.
Secure Microcontroller User’s Guide 9. FIRMWARE SECURITY One of the outstanding features of the secure microcontroller is its firmware security. The family far surpasses the standard offering of ROM-based microcontrollers in keeping system attackers or competitors from viewing the contents of memory. In a standard EPROM-based microcontroller, a knowledgeable attacker can disable the EPROM security bit and have access to the entire memory contents.
Secure Microcontroller User’s Guide single-chip microcontroller, in that it prevents a programmer from reading the memory. In addition, the security lock prevents the microcontroller from executing code on the expanded bus of Ports 0 and 2. Thus an attacker cannot add a memory and use MOVC instructions to would force the microcontroller to read out the contents of protected memory. However, the secure microcontroller security lock does provide one important difference from EPROM security bits.
Secure Microcontroller User’s Guide 9.3 Encrypted Memory The heart of secure microcontroller security is the memory encryption function. Since the NV RAM is visible, the memory contents and memory bus are encrypted. That is, in real-time, the addresses and data moving between the RAM and the microcontroller are scrambled by on-chip encryption circuits. Thus, an attacker that observes the RAM contents or memory bus sees unintelligible addresses and data.
Secure Microcontroller User’s Guide Figure 9-2. DS5002 Software Encryption Block Diagram The address encryptor translates each “logical” address, i.e., the normal sequence of addresses that are generated in the logical flow of a program, into an encrypted address (or physical address) at which the byte is actually stored in RAM.
Secure Microcontroller User’s Guide Different memory areas are encrypted in the DS5000 and DS5002. For a DS5000, all memory accessed under CE1 can be encrypted. CE2 is not encrypted. This allows access to peripherals such as a Real-time Clock to be performed using CE2. For the DS5002, encryption is performed on all bytes stored under CE1– CE4. The memory or peripherals accessed by PE1–PE4 on a DS5002 are not encrypted. 9.
Secure Microcontroller User’s Guide decrypted by the micro. Once a new Key is loaded, it will allow all commands to work properly within the same Bootstrap session since memory access is done using the correct Key. Exiting and re-entering the Bootstrap Loader, then doing a Dump will not work since this action would first result in Loading a new Encryption Key. The microcontroller would no longer be able to decrypt the RAM contents. This extra precaution is used regardless of the Security Lock.
Secure Microcontroller User’s Guide Figure 9-3. Dummy Bus Access Timing 9.9 Self-Destruct Input The self-destruct input (SDI) is an active-high input pin designed to be used with external tamperdetection circuitry. The SDI feature operates in both powered (VCC > 4.5V) and battery-backed (VCC < 4.5V) modes. To guard against accidental activation, the pin is debounced, with accept and rejection criteria as shown in the DC electrical characteristics (refer to data sheet).
Secure Microcontroller User’s Guide Once activated, the SDI event duration is determined by the state of VCC and the SDI pin. Once both VCC > 4.5V and SDI = 0 are met, SDI remains active for an additional 1792 machine cycles before exiting the SDI state. 9.10 Microprobe/Die Top Coating The DS5002FPM is provided with a special top-layer coating that is designed to prevent a microprobe attack. The coating is implemented with a second layer of metal on the microcontroller die.
Secure Microcontroller User’s Guide spend a long time breaking into the DS5000, but the user can simply change system security at any time. Thus any stolen information has a very limited lifetime. DS5001FP/DS2251T The DS5001 is a newer product than the DS5000, but has less security. It is useful in systems that need a large memory, but that provide sufficient physical security for all needs. The DS5001 incorporates a security lock. This is used to prevent the bootstrap loader from dumping memory.
Secure Microcontroller User’s Guide stores text that appears on a display in encrypted form. This gives the pirate a starting point to look for the clear text in encrypted storage and analyze the encryption algorithm. The “data answer” is already known. If clear text is required, then preferably store it in nonencrypted memory. If this is impractical, then disperse it so that it is hard to find. Avoid at all costs reading the clear text from memory then immediately displaying it.
Secure Microcontroller User’s Guide External Circuits A variety of external circuits can support secure operation. For example, the DS2401 is a unique 48-bit silicon serial number. If it is installed with the microprocessor, it can be read when the system is first powered up, then stored inside the secure microcontroller. This serializes the system. If the software ever finds a different serial number (or missing number) from the stored one, it can refuse to work.
Secure Microcontroller User’s Guide 10. RESET CONDITIONS 10.1 Reset Sources The secure microcontroller family provides proper reset operation with a minimum of external circuitry. In fact, for many applications, external reset circuitry is not required. The possible sources of reset are: a) b) c) d) Power-on (operating voltage applied to VCC) No-VLI power-on External RST pin Watchdog timeout Certain actions are taken in all cases where a reset has been issued.
Secure Microcontroller User’s Guide Table 10-A.
Secure Microcontroller User’s Guide 10.1.1 Power-On Reset The secure microcontroller family provides an internal power-on reset capability that requires no external components. When voltage is applied to the VCC pin from a power-off condition, the device automatically performs an internal reset sequence to prepare the processor for execution of the application software. The traditional capacitor reset circuit should not be used. Figure 10-1 illustrates the timing associated with the power-on reset cycle.
Secure Microcontroller User’s Guide The distinguishing action taken during a power-on reset is that the POR bit is cleared in order to indicate that a power-on reset has just occurred. All other control bits that are initialized according to the type of reset are left unchanged from their previous condition. 10.1.2 No-VLI Power-On Reset During a power-on reset cycle, at the end of the power-on reset-delay time, internal circuitry measures the voltage on the VLI pin of the microprocessor. If VLI <~0.
Secure Microcontroller User’s Guide routine. It can lie any where in the 64kB of program memory addressed by the device. A common choice is location 0030h. Thus at location 0000h, the user would use the instruction SJMP 30h. This instruction requires two bytes, so it easily fits in the available space. At the location of the reset routine, the user places instructions that initialize the microprocessor and any external hardware specific to the application.
Secure Microcontroller User’s Guide the Partition is set to 5800h, the DPTR should be set to 5800h to start. Once data has been saved in NV RAM, the DPTR should be saved in a known, nonvolatile location so that is can be restored on a reset. 10.3 Interrupts All interrupts are disabled after a reset so the user must enable individual interrupts as needed, as well as the global interrupt. Any interrupt needing a higher priority must be selected as such.
Secure Microcontroller User’s Guide 10.5 Transient Voltage Protection The microprocessor provides protection from transients through a built in power-fail/power-on reset and Watchdog Timer. Each of these functions should be initialized by the user as part of the reset routine. The following code demonstrates the set up for a user that will support the Watchdog function.
Secure Microcontroller User’s Guide 11. INTERRUPTS The secure microcontroller family follows the standard 8051 convention for interrupts (with one extra) and is fully compatible. An interrupt stops the normal flow of processing and allows software to react to an event with special processing. This event can be external, time-related, or the result of serial communication. However, the interrupt will not be performed until the completion of the current instruction. This is discussed in more detail below.
Secure Microcontroller User’s Guide 11.2 External Interrupts The two external interrupts are INT0 and INT1. They correspond to P3.2 and P3.3 respectively. These pins become interrupts when the respective interrupt is enabled. Otherwise, they are simply port pins. No other special action is required. Each pin is sampled once per machine cycle when the interrupts are enabled. Setting the EX0 bit to logic 1 enables INT0. Setting the EX1 bit to logic 1 enables INT1. These bits are located at IE.0 and IE.
Secure Microcontroller User’s Guide 11.5 Power-Fail Warning Interrupt The secure microcontroller family adds a new interrupt, the early warning power-fail interrupt (PFW), to the standard 8051 collection. During a power-down or brown out, as VCC is falling, the secure microcontroller can generate an early warning power-fail interrupt. This allows the software to save critical data prior to entering a reset condition. Since the NV RAM is not affected by a reset, this data is effectively saved.
Secure Microcontroller User’s Guide Figure 11-1.
Secure Microcontroller User’s Guide Interrupt Enable Control Bits All bits are read/write at any time and are cleared to 0 following any hardware reset. IE.7 Enable All Interrupts EA When set to 1, each interrupt except for PFW may be individually enabled or disabled by setting or clearing the associated IE.x bit. When cleared to 0, interrupts are globally disabled and no pending interrupt request will be acknowledged except for PFW. IE.
Secure Microcontroller User’s Guide Each interrupt priority is determined by an individual bit as in the following table. Setting the appropriate bit to a logic 1 will cause that interrupt to be high priority.
Secure Microcontroller User’s Guide a) The current cycle is not part of an instruction within an interrupt service routine of an interrupt of equal or higher priority. b) The current cycle is not the final machine cycle of an instruction that accesses the IP or IE registers. If the above criteria are met during IA2, then a long call will be executed during IA3 and IA4 to the vector location of the pending interrupt of highest priority and the interrupt acknowledge sequence will be complete.
Secure Microcontroller User’s Guide 12. PARALLEL I/O The secure microcontroller provides four 8-bit bidirectional ports for general-purpose I/O functions. Each port pin is bit and byte addressable using four SFRs that control the respective port latch. Each bit has an associated latch (accessed via SFR), input buffer circuit, and output driver circuit. Ports 0, 2, and 3 also have alternate functions that can be used in place of general I/O.
Secure Microcontroller User’s Guide Figure 12-1. Port 0 Functional Circuitry Figure 12-2.
Secure Microcontroller User’s Guide Figure 12-3. Port 2 Functional Circuitry Figure 12-4.
Secure Microcontroller User’s Guide 12.1 Output Functions Slightly different output buffer structures are implemented for the four parallel I/O ports. When the pins are used strictly for parallel I/O, ports 1, 2, and 3 have internal weak pullup devices. Port 0, on the other hand, has a totem-pole output structure. When used as outputs, all port pins will drive the state to which the associated SFR latch bit has been set except for Port 0 which will only drive low.
Secure Microcontroller User’s Guide Figure 12-5. Parallel Port Output Buffers (Ports 1, 2, and 3) 12.2 Input Function Any port pin can be used as a general purpose input by simply writing a logic 1 into the associated SFR latch. Ports 1, 2, and 3 have weak pullups, so they will go to a logic 1 state. However, the pullup is sufficiently weak that an external circuit can easily overdrive it with a logic 0. Thus an output of 1 and an input are the same state.
Secure Microcontroller User’s Guide 12.3 Read-Modify-Write Instructions MNEMONIC ANL ORL XRL JBC CPL INC DEC DJNZ MOV PX.n,C CLR PX.n SETB PX.n DESCRIPTION Logical AND Logical OR Logical Exclusive OR Branch if Bit Set and Clear (bit) Complement Bit Increment Decrement Decrement and Branch if not Zero Move Carry Bit to bit n of Port X Clear bit n in Port X Set bit n in Port X 12.
Secure Microcontroller User’s Guide Port 2.3 WR Input that allows the host to write data or commands to DBBIN. Port 2.4 OBF Output flag that indicates to a host that the output buffer is full and should be read. Port 2.5 IBF Output that indicates to a host that the input buffer is empty. Port 2.6 DRQ Output that indicates to a host that a DMA is required. Port 2.7 DACK Input that indicates to the DS5001 that the host has granted a DMA. Figure 12-6. Use of the RPC Mode P2.0/A0 P2.1/ CE P2.
Secure Microcontroller User’s Guide 12.5 RPC Interrupts RPC mode provides an additional interrupt to the standard secure microcontroller set. An input buffer-full interrupt (IBF) will be performed (if enabled) when data is written to the DBBIN from a host. When enabled, this interrupt replaces the Timer 1 interrupt (vector location 1BH). Regardless of whether this interrupt is enabled, future writes are locked out of the secure microprocessor until the DBBIN is ready.
Secure Microcontroller User’s Guide RPS.0: OBF Output Buffer Full Flag is set following a write of the DBBOUT by the DS5001/2, and is cleared following a read of the DBBOUT by the external host. Initialization: Cleared when RPC=0. Read Access: Can be read by the DS5001/2 and host CPU when in RPC mode. Write Access: Written automatically as part of the RPC communication. Cannot be set by the application software. 12.
Secure Microcontroller User’s Guide RPC Control Register—RPCTL (0D8H) RNR RPCTL.3: Initialization: Read Access: Write Access: RPCTL.2: Initialization: Read Access: Write Access: RPCTL.1: Initialization: Read Access: Write Access: — EXBS AE IBI DMA RPCON RG0 IBI When using the RPC mode, an interrupt may be required for the Input Buffer Flag. This interrupt is enabled by setting the input buffer interrupt (IBI) bit.
Secure Microcontroller User’s Guide 13. PROGRAMMABLE TIMERS 13.1 Functional Description The secure microcontroller incorporates two 16-bit timers called Timer 0 and Timer 1. Both can be used to generate precise time intervals, measure external pulse widths, or count externally applied pulses.
Secure Microcontroller User’s Guide TMOD Register Control Bit Summary TMOD.7 (Timer 1); TMOD.3 (Timer 0) Gate Control Initialization: TMOD.6 (Timer 1); TMOD.2 (Timer 0): Counter/Timer Select Initialization: TMOD.5, TMOD.4 Mode Select Initialization: TMOD.1, TMOD.0 Mode Select Initialization: GATE When set to 1 with TRns=1, timer/counter’s input count pulses will only be delivered while a 1 is present on the INT pin.
Secure Microcontroller User’s Guide TCON Register Control/Status Bits TCON.7 Timer 1 Overflow Flag Initialization: TCON.6 Timer 1 Run Control Initialization: TCON.5 Timer 0 Overflow Initialization: TCON.4 Timer 0 Run Control Initialization: TF1 Status bit set to 1 when Timer 1 overflows from a previous count value of all 1’s. Cleared to 0 when CPU vectors to Timer 1 Interrupt service routine. Cleared to 0 on any type of reset. TR1 When set to a 1 by software, Timer 1 operation will be enabled.
Secure Microcontroller User’s Guide Figure 13-1. Timer/Counter Mode 0 and 1 Operation 13.4 Mode 2 The selection of Mode 2 configures an 8-bit timer/counter with automatic reload of a value preset by software. Figure 13-2 illustrates a functional block diagram of this operational mode. When Timer 0 is used in Mode 2, TL0 is incremented as each count is received. When the value of 0FFH (all 1s) is reached, TF0 will be set on the next count and the reload value held in TH0 will be transferred into TL0.
Secure Microcontroller User’s Guide Figure 13-2. Timer/Counter Mode 2 Operation Figure 13-3.
Secure Microcontroller User’s Guide 13.5 Mode 3 When Timer 0 is selected for operation in Mode 3, both TH0 and TL0 are configured independently as an 8-bit timer/counter and as an 8-bit timer. Figure 13-3 illustrates the function of Timer 0 for Mode 3 operation. For Timer 0 in Mode 3, TL0 becomes an 8-bit timer/counter that is controlled by the Timer 0 control bits (TR0 and TF0) in the TMOD and TCON registers.
Secure Microcontroller User’s Guide 14. SERIAL I/O 14.1 Function Description The secure microcontroller, like the 8051, includes a powerful serial I/O (UART) port capable of both synchronous and asynchronous communication. The baud rate and time-base source is fully programmable. The serial port uses P3.0 as receive data (RXD) and P3.1 transmit data (TXD). Note that no special action other than enabling the function (i.e.
Secure Microcontroller User’s Guide Table 14-A. Serial Port Operating Modes MODE SYNC/ASYNC BAUD CLOCK DATA BITS START/STOP 9TH DATA BIT FUNCTION 0 SYNC 12 tCLK 8 None None 1 ASYNC Timer 1 Overflow 8 1 Start, 1 Stop None 2 ASYNC 32 tCLK or 64 tCLK 9 1 Start, 1 Stop 0, 1, or parity 3 ASYNC Timer 1 Overflow 9 1 Start, 1 Stop 0, 1, or parity Mode 1 is a 10-bit asynchronous mode using 8-bit words, one start bit, and one stop bit.
Secure Microcontroller User’s Guide Serial Port Control Register SM0 SM1 MODE FUNCTION WORD LENGTH 0 0 1 1 0 1 0 1 Mode 0 Mode 1 Mode 2 Mode 3 Sync Async Async Async 8 bits 10 bits 11 bits 11 bits BAUD CLOCK PERIOD 12 tCLK Timer 1 Overflow 64 tCLK or 32 tCLK Timer 1 Overflow SCON.7, SCON.6 Mode Select Initialization: SM0, SM1 Used to select the operational mode of the serial I/O port as follows: Cleared to 0 on any type of reset. SCON.
Secure Microcontroller User’s Guide 14.2 Baud Rate Generation As shown in Serial Port Control Register, the baud rate clock source for the serial I/O is determined by the selection of the operating mode. In Modes 0 and 2, the baud rate is divided down from the clock oscillator frequency by a fixed value. In Mode 0, the baud rate is 1/12 of the clock oscillator frequency, or: Mode 0 Baud Rate = 1 12tCLK In Mode 2, the baud rate is either 1/32 or 1/64 of the clock oscillator frequency.
Secure Microcontroller User’s Guide Table 14-B lists some commonly used baud rates that can be derived by using Timer 1 in the timer configuration described above with an 11.059MHz crystal as the time base. Table 14-B. Timer 1 Baud Rate Generation BAUD RATE (BPS) 1/tCLK (MHz) 19,200 9600 4800 2400 1200 300 11.059 11.059 11.059 11.059 11.059 11.059 SMOD (PCON.
Secure Microcontroller User’s Guide The SHCLK signal will be initially output low on the TXD pin starting at S3P1 of the same machine cycle in which D0 was sampled. As in the case described above for transmit, SHCLK will be low during S3, S4, and S5 and high during S6, S1, and S2 of every machine cycle. After the last data bit (D7) has been shifted in, the control logic will immediately load the Receive Data Buffer at the SBUF register address with the contents of the Receive Shift register.
Secure Microcontroller User’s Guide sample times by the bit detector, is the one shifted into the receive shift register. Just after the logic level is detected during the 10th bit time, the control logic tests to see if the following conditions are true: a) The previous state of RI was 0. b) SM2 = 0; or if SM2 = 1, then if the 10th received bit = 1.
Secure Microcontroller User’s Guide Figure 14-1.
Secure Microcontroller User’s Guide Figure 14-2.
Secure Microcontroller User’s Guide Figure 14-3.
Secure Microcontroller User’s Guide Mode 2 and 3 For Mode 1 operation, the baud rate generator clock is the Timer 1 Overflow output as described for Mode 1. Transmission and reception takes place for Modes 2 and 3 as described except as noted below. In Mode 2 and 3, the asynchronous serial data word is 11 bits long, including one start bit, eight data bits, a programmable 9th data bit, and one stop bit.
Secure Microcontroller User’s Guide Table 14-C. Serial I/O Operating Modes MODE SYNC/ASYNC BAUD CLOCK DATA BITS START/STOP MODE 0 MODE 1 SYNC ASYNC 8 8 MODE 2 ASYNC MODE 3 ASYNC 12 tCLK Timer 1 Overflow 32 tCLK or 64 tCLK Timer 1 Overflow None 1 Start 1 Stop 1 Start 1 Stop 1 Start 1 Stop 9 9 9TH DATA BIT FUNCTION None None 0, 1, or parity 0, 1, or parity The serial port is controlled by the SCON register. Serial interrupts are also used, which are controlled by IE and IP.
Secure Microcontroller User’s Guide To enable interrupts, the EA bit must be set. In addition, the setting the ES bit turns on the serial interrupt. Thus, the value 10010000b or 90h enables serial interrupts. Note that although a timer is used to generate serial baud rates, the timer interrupt is not used. As mentioned above, this example uses a high priority for the serial interrupt by setting the PS bit to a logic 1.
Secure Microcontroller User’s Guide To create 19,200 baud, the SMOD bit should be set to a logic 1 with the same value for TH1. SMOD has the doubles the baud rate for any time out value. The values for TH1 and SMOD have been determined. The only remaining task is to configure the timer 1 for 8-bit auto-reload operation. This causes the timer to start counting from the TH1 value after each timeout.
Secure Microcontroller User’s Guide ;This code example shows how to initialize the serial port and transmit / ; receive code as described above.
Secure Microcontroller User’s Guide 15. CPU TIMING 15.1 Oscillator The secure microcontroller provides an on-chip oscillator circuit that can be driven either by using an external crystal as a time base or from a TTL-compatible clock signal. The oscillator circuitry provides the internal clocking signals to the on-chip CPU and I/O circuitry. Figure 15-1 illustrates the required connections when using a crystal. Typically, the values of C1 and C2 should both be 33pF.
Secure Microcontroller User’s Guide Figure 15-2. Clock Source Input N.C. XTAL2 EXTERNAL OSCILLATOR SIGNAL XTAL1 GND 15.2 Instruction Timing The internal clocking signals are divided to produce the necessary clock phases, state times, and machine cycles that define the sequential execution of instructions. Two clock oscillator periods define one state time. The first clock-oscillator pulse period of a state time is called the Phase 1 clock. Tthe second is called the Phase 2 clock.
Secure Microcontroller User’s Guide In the 2-byte 1-cycle instruction shown in Figure 15-3(B), the op code is read during S1 while the second byte of the instruction, or the operand, is read during S4. Again, execution of the instruction is complete at the end of S6P2. A 1-byte, 2-cycle instruction is shown in Figure 15-3(C). In this case the op-code byte is read at S1 of the first machine cycle. The next op code is then read three times during the S1 and S4 of the second machine cycle.
Secure Microcontroller User’s Guide Figure 15-3.
Secure Microcontroller User’s Guide Figure 15-4. Expanded Program Memory Fetch Figure 15-5.
Secure Microcontroller User’s Guide Figure 15-6. Expanded Data Memory Write 15.4 Expanded Data Memory Timing The timing for the expanded data memory access cycle is illustrated in Figure 15-5 and Figure 15-6. Accesses to data memory on the expanded bus will occur any time that a MOVX instruction is executed that references a data memory location that is mapped outside the area that has been assigned to the expanded bus via the partition and range.
Secure Microcontroller User’s Guide When a MOVX instruction is used with an indirect register address (e.g., MOVX @R0) for the same purpose, only an 8-bit address will be generated for the current instruction. This 8-bit address will appear on Port 0, while the contents of the SFR latch for Port 2 will remain on Port 2. When data is to be read from data memory on the expanded bus, the external RD pin will be activated during the second machine cycle of the MOVX instruction.
Secure Microcontroller User’s Guide 16. PROGRAM LOADING The secure microcontroller family has the ability to perform true in-system and in-application program loading. Program loading allows the initialization of program and data NV RAM, as well as providing a means to configure the various memory modes and security features of the microcontroller. Loading is accomplished using a bootstrap ROM loader built into all members of the secure microcontroller family.
Secure Microcontroller User’s Guide The guaranteed preserved locations are areas in scratchpad RAM that will not be changed by the bootstrap loader. These locations as useful for storing data such as serial numbers, which should be retained regardless of the software. Similarly, the guaranteed destroyed locations have all been overwritten during bootstrap loader execution with indeterminate data.
Secure Microcontroller User’s Guide 16.4 Exiting the Loader In the DS5000 series, the RST pin must be driven low or allowed to float and the PSEN signal should be allowed to float. The RST pin has an internal pulldown. The PSEN is an output and drives itself. Note that both of these conditions must occur or the loader will not be exited. For the DS5001/2, there are several options. If the RST and PSEN option is used, they must be removed as described above.
Secure Microcontroller User’s Guide Figure 16-1.
Secure Microcontroller User’s Guide 16.5 Serial Program Load Mode The serial bootstrap loader is the easiest method of loading application software into the NV RAM. Communication can be performed over a standard asynchronous serial communications port using a terminal emulator program with 8-N-1 (8 data bits, no parity, 1 stop bit) protocol settings. A typical application would use a simple RS232C serial interface to program the device as part of a final production procedure.
Secure Microcontroller User’s Guide 16.6 Auto-Baud Rate Detection The serial bootstrap loader can automatically detect, within certain limits, the external baud rate and configure itself to that speed. When the serial bootstrap loader mode is first invoked, the device will watch for a character on the serial port. If received at one of the supported baud rates, then the serial program load mode will be established.
Secure Microcontroller User’s Guide 16.8 Command Line Interface The serial bootstrap loader uses an easy-to-use command line interface that responds to single character alphabetic commands that are summarized below. There are differences between versions as noted. A detailed description of each command follows.
Secure Microcontroller User’s Guide The D and F commands allow optional addresses to be entered. The syntax [Begin-Address [EndAddress]] is used to convey the following meanings: a) No arguments: Begin-Address is set to 0 and End-Address is set to the range. b) One argument: Begin-Address is set to the argument and End-Address is set to the range. c) Two arguments: Begin-Address is set to the first argument and End-Address is set to the second argument.
Secure Microcontroller User’s Guide 16.10 Command Summaries ^C Interrupt whatever is going on, clear all the buffers, put up a prompt and wait for the next command. Anything in the type-ahead buffer is removed. All output is stopped. If trace had been on before, it is cleared. If XOFF had been in effect, it is cleared. C [begin-address [end-address]] Return the CRC-16 (cyclic redundancy check) of the NV RAM. This computation is performed over the Range unless optional start and end addresses are given.
Secure Microcontroller User’s Guide N The newness command, N, places the device into freshness mode if VCC is removed following execution of the command. After typing N the device prompts CONFIRM:. At this point the host system must reply FRESH, followed by a carriage return, to complete the process. If completed successfully, the message POWER-DOWN TO MAINTAIN FRESHNESS is returned. Deviation from this sequence displays the message DID NOT CONFIRM and returns to the loader prompt.
Secure Microcontroller User’s Guide Z Set the security lock. Only the U and Z commands may be given after the security lock is set. ^C Restarts most operations. N cannot be restarted. XON/XOFF These two characters provide flow control to the serial loader. The serial loader never issues them, but responds to both. XOFF (control-S, DS3, 0x13) requests that character transmission stop. XON (controlQ, DC1, 0x11) requests the resumption of transmission.
Secure Microcontroller User’s Guide MSL This bit allows the data space in a fixed memory (nonpartitionable) system to be loaded using the loader software. MSL only uses the low order bit of value to change the MSL bit. In fixed partition and 128kB mode, if MSL equals 0, program loads/verifies goes to data space. Upon entry, MSL = 1. MSL has no affect in user mode. RPCTL RPCTL only uses the low order bit of VAL to change bit 0 of the RPCTL register.
Secure Microcontroller User’s Guide E:ILLOPT The optional parameters given were in error. If the start address is greater than the given address, either implicitly or explicitly, then an error is printed. The range bit implicitly determines the maximum range. E:LOCKED The requested operation cannot be performed because the device is locked. E:MEMVER An error was encountered while programming or verifying a byte in RAM. Reload the record or file. Repeated error messages can indicate a bad device.
Secure Microcontroller User’s Guide :200000000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20D0 :0F0020002122232425262728292A2B2C2D2E2F79 :00000001FF 16.13 Parallel Program Load Operation The DS5000 parallel program load mode is compatible with the program mode of the 87C51. The hardware configuration used for this mode of operation is shown in Figure 16-3.
Secure Microcontroller User’s Guide Figure 16-4.
Secure Microcontroller User’s Guide 16.14 Parallel Program Load Mode Table 16-B summarizes the selection of the available parallel program load cycles. Figure 16-4 illustrates the timing associated with these cycles. Table 16-B. 8751-Compatible Program Load Cycles MODE Program Security Set Verify Prog Expanded Verify Expanded Prog MCON or Key Verify MCON RST 1 1 1 1 1 1 1 PSEN PROG EA 0 0 X 0 0 0 0 0 0 0 0 1 0 1 VPP VPP 1 VPP 1 VPP 1 P2.7 1 1 0 0 0 0 0 P2.6 0 1 0 1 1 1 1 P2.
Secure Microcontroller User’s Guide 16.15 Parallel Programming Concerns Maxim highly recommends using the highly reliable and easy to use serial load mode for programming the DS5000. If parallel programming must be used, several incompatibilities have been discovered in conventional device programmers. The following is a summary of these incompatibilities: 1) The DS5000 is a fully CMOS device, and was designed to be pin-compatible with the 80C51/87C51 as opposed to the 8051/8751.
Secure Microcontroller User’s Guide is written with a 0Dh, this will cause the loader to respond with its banner and prompt using this same interface. An external microprocessor is assumed to have written and read these values. The RPC loader implements the same command interface and syntax as the Serial Loader. The only difference is the speed at which data can be written, and the lack of a baud rate consideration. As bytes are written into the buffer, they will be acted upon.
Secure Microcontroller User’s Guide 17. REAL-TIME CLOCK (RTC) Many user applications require a time-of-day clock. For this reason, all secure microcontroller modules have RTC options. These include the DS5000T DIP and the DS2250T, DS2251T, and DS2252T SIMMs. There are two types of RTCs used in Maxim modules, which are described below. 17.1 DS5000T/DS2250T RTC The RTC used on the DS5000T and DS2250T provide permanently powered time-of-day monitoring in a convenient BCD format.
Secure Microcontroller User’s Guide The timekeeper contains a shift register with 128 bit locations. The first 64 locations correspond to a pattern shown in Figure 17-2. The next 64 are time data. Before access to time data can occur, the 64-bit pattern must be written. A pattern recognition circuit checks the incoming bits. As each correct bit of the pattern is received, the pointer is advanced. Any incorrect bit will cause the pointer to stop, and it may only be reset by a read operation.
Secure Microcontroller User’s Guide Figure 17-2.
Secure Microcontroller User’s Guide Figure 17-3. DS5000T/DS2250T RTC Register Entry Flowchart Set ECE2 bit in the MCON register to a logic 1 *To guarantee that the pattern recognition circuit is reset to the first bit of the sequence it is highly recommended that 65 read operations be performed. This is in case the DS5000T has been interrupted or reset while the clock was open.
Secure Microcontroller User’s Guide Figure 17-4.
Secure Microcontroller User’s Guide 17.3 Registers The time information is contained in eight registers that are each 8 bits long. After the 64-bit recognition pattern has been received, data in these registers is accessed one bit at a time that is shown conceptually in Figure 17-4. It is recommended that data written to the RTC be handled in groups of 8 bits corresponding to the register bytes in order to prevent erroneous results.
Secure Microcontroller User’s Guide Figure 17-5.
Secure Microcontroller User’s Guide 17.5 DS2251T/DS2252T RTC The DS2251T and DS2252T RTCs provide permanently powered time-of-day monitoring. The clock runs from an internal 32kHz crystal (in the modules) and is generally independent of the microcontroller. It provides time of day information including 0.01 second, seconds, minutes, hours, day, date, month and year. The register format is shown below. The RTC keeps time to two minutes per month accuracy.
Secure Microcontroller User’s Guide Figure 17-6. DS2251T/DS2252T RTC Block Diagram 17.6 Memory Map The RTCs in the DS2251T and DS2252T are memory mapped. It is accessed using the peripheral selects. First, the PES bit at MCON.2 must be set to a logic 1. This enables the peripheral space in the MOVX area. The RTC function is mapped under PE1 . This area begins at address 0000h. The timekeeping map consists of 14 time-related registers and 50 bytes of SRAM. It is illustrated in Figure 17-7.
Secure Microcontroller User’s Guide Figure 17-7.
Secure Microcontroller User’s Guide The time, calendar, and alarm functions are controlled by these 14 registers. In particular, the command register controls most functions. There are two additional bits in register 09h that deserve mention. Bit 7 is EOSC , which enables the Timekeeping oscillator if set to a 0. Battery lifetime can be preserved by disabling the oscillator when it is not needed and power is not present.
Secure Microcontroller User’s Guide 17.7 DS2251T/DS2252T RTC Interrupts The DS2252T/DS2252T RTC provides two interrupt functions. They are time-of-day alarm and a watchdog alarm. The watchdog alarm is a user programmed periodic interval time-out. It is programmed using registers 0Ch and 0Dh. The time-of-day alarm is controlled by the registers at locations 03h, 05h, and 07h as well as the command register. The alarm registers relate to similar time registers.
Secure Microcontroller User’s Guide the DS2251T will immediately identify this condition, if present, by the INTP being continually low. Users of the DS2252T will recognize this condition by the INT0 signal (pin 12) being stuck low. This is because the RTC interrupt is internally connected to the INT0 signal via an open-drain output. Although external signals can drive this pin to a logic 1 state, attempts by the device to set P3.2 to a logic 1 will be unsuccessful.
Secure Microcontroller User’s Guide Programmer’s Note: In the Write subroutine at the end of this example program, there is one unusual statement. The action of writing a byte to the RTC is actually done using a read instruction (MOVX A, @DPTR). This is because a write instruction would write to the RAM under CE2 if one were present. Since the RTC uses A2 as a write enable and A0 as the data bit, this instruction is acceptable.
Secure Microcontroller User’s Guide lcall OPEN ;Set up to read date/time. mov B #8 ;Set up to send 8 bytes. F: lcall RBYTE ;Read a byte of date/time. G: jnb TI, G ;Wait for end of previous send. clr TI ;Clear transmitter. mov SBUF, A ;Send out the byte. djnz B, F ;Loop for 8 bytes. sjmp L ;Return to main loop. H: cjne A, #’W’, J ;Skip if not a write. lcall OPEN ;Set up to read date/time. mov B, #8 ; Set up to receive 8 bytes. I: jnb RI, I ;Wait to receive a byte. jlr RI ;Clear the receiver.
Secure Microcontroller User’s Guide ;*********************************** ; ; This subroutine performs a “context switch: to the CE2 data ; space and then reads one byte from the timekeeping device. ; Then it switches back to the CE1 data space and returns ; the byte read in the accumulator, with all other registers ; unchanged. ; RBYTE: PUSH DPL ;Save the data PUSH DPH ; pointer on stack. PUSH MCON ;Save MCON register. ORL MCON,#4 ;Switch to CE2. PUSH B ;Save the B register.
Secure Microcontroller User’s Guide Application: Using the DS2251T/DS2252T RTC The RTC of the DS2251T or DS2252T is accessed in a parallel fashion like a RAM. The user simply writes to the registers to set the time and control functions. The following program is an example of how to use this clock. It provides a serial port interface allowing an user to set and read the time of day. Note that the serial port setup expects 9600-baud communication and an 11.0592MHz crystal.
Secure Microcontroller User’s Guide LCALL LCALL LCALL MOV LCALL LCALL LCALL MOV LCALL LCALL LCALL DEC MOV LCALL LCALL LCALL DEC MOV LCALL LCALL LCALL DEC MOV LCALL LCALL LCALL CLR LCALL LCALL MOV LCALL LCALL MOV MOV LCALL ; TELL_TIME: MOV LCALL CONTINUE: ; LCALL CLR MOV LCALL MOV LCALL MOV LCALL ANL LCALL MOV LCALL LCALL ANL LCALL MOV LCALL MOV LCALL LCALL TEXT_OUT HEX_IN WBYTE DPTR, TEXT_OUT HEX_IN WBYTE DPTR, TEXT_OUT HEX_IN WBYTE R0 DPTR, TEXT_OUT HEX_IN WBYTE R0 DPTR, TEXT_OUT HEX_IN WBYTE R0 DPTR, TE
Secure Microcontroller User’s Guide MOV LCALL MOV LCALL DEC LCALL MOV LCALL LCALL LCALL MOV LCALL LCALL LCALL MOV LCALL LCALL LCALL MOV LCALL MOV MOV LCALL DPTR, TEXT_OUT R0, RBYTE R0 HEX_OUT A, CHAR_OUT RBYTE HEX_OUT A, CHAR_OUT RBYTE HEX_OUT A, CHAR_OUT RBYTE HEX_OUT DPTR, TEXT_OUT A, R0, WBYTE SJMP ; ;Utilities HEX_IN: MOV HEX_LP: LCALL LCALL CJNE MOV RET NOT_CR: ADD JNC CJNE JC ADD CJNE JC CJNE JNC HEX_XX: XCH ANL SWAP ORL MOV SJMP ; HEX_OUT: MOV OUT_LP: SWAP PUSH ANL CJNE JC CONTINUE #TEXT2 #4 ; R
Secure Microcontroller User’s Guide ADD A, #7 ADD LCALL POP DJNZ RET A, CHAR_OUT ACC B, #30H HEX_OK: ; TEXT_OUT: PUSH WT1: CLR MOVC INC JZ LCALL SJMP WT2: POP RET ; CHAR_IN: JNB MOV CLR RET ; CHAR_OUT: JNB MOV CLR RET ; RBYTE: PUSH ORL MOVX DEC POP RET ; WBYTE: PUSH ORL MOVX DEC POP RET ; YEAR: DB MONTH: DB DAY: DB DAYW: DB HOUR: DB MINUTE: DB OUT_LP ACC A A, DPTR WT2 CHAR_OUT WT1 @A+DPTR ACC RI, A, RI CHAR_IN SBUF TI, SBUF, TI CHAR_OUT A MCON MCON, A, R0 MCON MCON MCON, @R0, R0 MCON #4 @
Secure Microcontroller User’s Guide TRIGGER: DB TEXT0: DB DB DB TEXT1: DB TEXT2: DB TEXT3: DB TEXT4: DB DB ; END CR,LF,’PRESS ANY KEY TO SET THIS TIME’,CR,LF,0 CR,LF,’****** DALLAS SEMICONDUCTOR *******’ CR,LF,’DS2251/2 RTC DEMONSTRATION PROGRAM’,CR,LF CR,LF,’DO YOU WANT TO SET THE TIME (Y/N) ? ’,0 CR,LF,’DATE: ’,0 CR,LF,’TIME: ’,0 CR,LF,0 CR,LF,’PRESS ANY KEY TO READ THE DATE AND TIME’ CR,LF,0 ; End of Program.
Secure Microcontroller User’s Guide 18. TROUBLESHOOTING Maxim’s secure microcontroller family has proven itself to be a reliable and easy-to-use product. As with any highly integrated device, however, questions and or problems can arise during its use and development. Many of these stem from inadvertent attempts to design with the secure microcontroller as though it were exactly an 8051. To reduce these difficulties, Maxim has gathered the common problems in this section.
Secure Microcontroller User’s Guide 2) Time is not changing. The timekeeper oscillator must be enabled if the RTC is to be used. If the oscillator is off, the time will remain as it was written. 18.3 RAM Loses Data When Powered Down The battery is drained, and no longer has sufficient capacity to create a voltage that sustains data in the absence of power. This could occur if a negative voltage (below -0.3V) has been applied to the part on any pin. Look for undershoots on power or signals.
Secure Microcontroller User’s Guide Memory map is not configured. If the developer has not selected the correct memory map via the bootstrap loader, it may not be possible to run the application software as desired. For example, a DS2251T with 64kB of memory could be configured with a 32kB range. Code above 32kB in NV RAM would not be executed. No stack. C programmers frequently use a large memory model. This places the C stack in MOVX RAM area.
Secure Microcontroller User’s Guide INT0 is stuck low on DS2252T. The DS2252T incorporates an RTC with interrupt capability. The INTP output of the RTC is connected to the INTO pin of the DS5002FP microcontroller and also the INTO pin of the SIMM. If an RTC interrupt occurs, this will pull the INTO signal low. If the system is not expecting the INTO signal to be active, this can appear as the INTO signal “stuck” low.
Secure Microcontroller User’s Guide battery-backed. PE3 and PE4 are not backed, and can be connected to normal circuits. On the DS5000FP, CE1, CE2, and BA14 are battery-backed. Negative Voltage Spikes. Do not allow negative voltage to contact the device. This includes under shoots on power or ports, static, plugging in backwards, or applying a signal without a common ground reference. Electrostatic discharge can also produce momentary negative voltages. Do’s Use Static Protection.
Secure Microcontroller User’s Guide 19.
Secure Microcontroller User’s Guide ARITHMETIC OPER.
Secure Microcontroller User’s Guide MNEMONIC RL A D7 D6 0 0 INSTRUCTION CODE D5 D4 D3 D2 D1 1 0 0 0 1 D0 HEX BYTE CYCLE 23 1 1 1 EXPLANATION A7 A6 A5 A4 A3 A2 A1 A0 The contents of the accumulator are rotated left by 1 bit. RLC A 0 0 1 1 0 0 1 1 33 1 1 LOGICAL OPERATION C RR A 0 0 0 0 0 0 1 1 03 1 1 A7 A6 A5 A4 A3 A2 A0 A1 The contents of the accumulator are rotated right by 1 bit.
Secure Microcontroller User’s Guide MNEMONIC D0 1 a0 d0 HEX BYTE CYCLE 75 Byte 2 Byte 3 3 2 (direct) = #data 1 i F6–F7 1 1 ((Ri)) = A 1 a2 1 d2 0 d2 d2 1 a1 1 d1 0 d1 d1 i a0 i d0 0 d0 d0 A6–A7 Byte 2 76–77 Byte 2 90 Byte 2 Byte 3 2 2 ((Ri)) = (direct) 2 1 ((Ri)) = #data 3 2 (DPTR) = #data15-0 (DPH) = #data15-8 (DPL) = #data7-0 0 0 1 1 93 1 2 (A)=((A) + (DPTR)) 0 0 0 1 1 83 1 2 (A) = ((A) + (PC)) 1 0 0 0 1 i E2–E3 1 2 (A) = ((Ri)) 1 1 0 0 0 0 0
Secure Microcontroller User’s Guide D7 INSTRUCTION CODE D6 D5 D4 D3 D2 D1 D0 CLR C 1 1 0 0 0 0 1 CLR bit 1 b7 1 b6 0 b5 0 b4 0 b3 0 b2 SETB C 1 1 0 1 0 SETB bit 1 b7 1 b6 0 b5 1 b4 CPL C 1 0 1 CPL bit 1 b7 0 b6 ANL C, bit 1 b7 ANL C, bit HEX BYTE CYCLE 1 C3 1 1 (C) = 0 1 b1 0 b0 C2 Byte 2 2 1 (bit) = 0 0 1 1 D3 1 1 (C) = 1 0 b3 0 b2 1 b1 0 b0 D2 Byte 2 2 1 (bit) = 1 1 0 0 1 1 B3 1 1 (C) = (C) 1 b5 1 b4 0 b3 0 b2 1 b1 0 b0 B2
Secure Microcontroller User’s Guide MNEMONIC ACALL addr 11 LCALL addr 16 RET PROGRAM BRANCHING RETI AJMP addr 11 LJMP addr 16 SJMP rel JMP @A + DPTR JZ rel JNZ rel JC rel JNC rel JB bit, rel JNB bit, rel JBC bit, direct, rel D7 a10 a7 D6 a9 a6 INSTRUCTION CODE D5 D4 D3 D2 D1 a8 1 0 0 0 a5 a8 a3 a2 a1 D0 1 a0 HEX 0 a14 a6 0 a13 a5 1 a12 a5 0 a11 a3 0 a10 a2 1 a9 a1 0 a8 a0 12 Byte 2 Byte 3 0 0 1 0 0 0 1 0 22 0 1 1 0 0 1 CYCLE Byte 1 Byte 2 0 a15 a7 0 BYTE 0 2
Secure Microcontroller User’s Guide CJNE A, direct, rel CJNE A, #data, rel CJNE Rn, #data, rel CJNE @Ri, #data, rel DJNZ Rn, rel DJNZ direct,rel NOP 0 a7 r7 1 d7 r7 1 d7 r7 1 d7 r7 0 a6 r6 0 d6 r6 0 d6 r6 0 d6 r6 0 a5 r5 1 d5 r5 1 d5 r5 1 d5 r5 1 a4 r4 1 d4 r4 1 d4 r4 1 d4 r4 0 a3 r3 0 d3 r3 1 d3 r3 0 d3 r3 0 a2 r2 1 d2 r2 n2 d2 r2 1 d2 r2 0 a1 r1 0 d1 r1 n1 d1 r1 1 d1 r1 0 a0 r0 0 d0 r0 n0 d0 r0 i d0 r0 B5 Byte 2 Byte 3 3 2 3 2 3 2 3 2 2 2 B4 Byte 2 Byte 3
