DS5003 Datasheet, PDF (19/24 Pages) Maxim Integrated Products – Secure Microprocessor Chip
loader. This action triggers several events that defeat tampering. First, the encryption key is instantaneously erased. Without the encryption key, the DS5003 can no longer decrypt the contents of the SRAM. Therefore, the application software can no longer be correctly executed, nor can it be read back in its true form by the bootstrap loader. Second, the vector RAM area is also instantaneously erased, so that the reset and vector information is lost. Third, the bootstrap loader firmware sequentially erases the encrypted SRAM area. Lastly, the loader creates and loads a new random key.
The security lock bit is constructed using a multiple-bit latch that is interlaced for self-destruction in the event of tampering. The lock is designed to set up a “domino effect” such that erasure of the bit results in an unstoppable sequence of events that clears critical data including encryption key and vector RAM. In addition, this bit is protected from probing by the top-coating feature.
Self-Destruct Input (SDI)
The self-destruct input (SDI) pin is an active-high input that is used to reset the security lock in response to a variety of user-defined external events. The SDI input is intended to be used with external tamper-detection circuitry. It can be activated with or without operating power applied to the VCC pin. Activation of the SDI pin instantly resets the security lock and causes the same sequence of events previously described for this action. In addition, power is momentarily removed from the byte-wide bus interface including the VCC pin, resulting in the loss of data in external SRAM.
Top-Layer Coating
The DS5003M is provided with a special top-layer coating that is designed to prevent a probe attack. This coating is implemented with second-layer metal added through special processing of the microcontroller die. This additional layer is not a simple sheet of metal, but rather a complex layout that is interwoven with power and ground, which are in turn connected to logic for the encryption key and the security lock. As a result, any attempt to remove the layer or probe through it results in the erasure of the security lock and/or the loss of encryption key bits.
Bootstrap Loading
Initial loading of application software into the DS5003 is performed by firmware within the on-chip bootstrap loader communicating with a PC by the on-chip serial port. Table 1 summarizes the commands accepted by the bootstrap loader.
When the bootstrap loader is invoked, portions of the 256-byte scratchpad RAM area are automatically overwritten with zeros and then used for variable storage for the bootstrap firmware. Also, a set of 8 bytes is generated using the random-number generator circuitry and saved as a potential word for the 64-bit encryption key.
Any read or write operation to the DS5003’s external program/data SRAM can only take place if the security lock bit is in a cleared state. Therefore, the first step in loading a program should be the clearing of the security lock bit through the U command.
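
The lock behaviour described above (access refused while the lock is set, and key, vector RAM and SRAM erased when the lock is reset by the U command or SDI), as an added behavioural model in Python. It is not Maxim's code or firmware; the XOR stand-in cipher, the memory sizes, the sample bytes and all class and method names are assumptions made for the model.

```python
import os

VECTOR_SIZE, SRAM_SIZE = 48, 256   # sizes assumed for this model only

class LockedError(Exception):
    """SRAM access was attempted while the security lock is set."""

class SecureMcuModel:
    def __init__(self):
        self.key = os.urandom(8)                  # 64-bit encryption key
        self.vector_ram = bytearray(b"\x02" * VECTOR_SIZE)  # constructed content
        self.sram = bytearray(SRAM_SIZE)          # holds ciphertext only
        self.locked = False

    def _xor(self, data, addr):
        # Stand-in cipher (assumption), not the DS5003 algorithm.
        return bytes(b ^ self.key[(addr + i) % 8] for i, b in enumerate(data))

    def write(self, addr, plaintext):             # any loader write to SRAM
        if self.locked:
            raise LockedError("security lock set")
        self.sram[addr:addr + len(plaintext)] = self._xor(plaintext, addr)

    def read(self, addr, length):                 # any loader read-back
        if self.locked:
            raise LockedError("security lock set")
        return self._xor(self.sram[addr:addr + length], addr)

    def set_lock(self):                           # Z command
        self.locked = True

    def clear_lock(self):                         # U command or SDI assertion
        if self.locked:
            self.key = bytes(8)                         # 1. key erased
            self.vector_ram = bytearray(VECTOR_SIZE)    # 2. vector RAM erased
            self.sram = bytearray(SRAM_SIZE)            # 3. SRAM erased
            self.key = os.urandom(8)                    # 4. new random key
        self.locked = False

def demo():
    m, fw = SecureMcuModel(), b"\x75\x90\x55\x80\xfe"   # constructed bytes
    m.write(0, fw)
    old_key = m.key
    m.set_lock()
    try:
        m.read(0, len(fw)); refused = False
    except LockedError:
        refused = True
    m.clear_lock()
    return {"refused": refused, "rekeyed": m.key != old_key,
            "sram_zero": not any(m.sram), "vectors_zero": not any(m.vector_ram)}
```
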
Table 1. Serial Bootstrap Loader Commands
COMMAND   FUNCTION
C         Return CRC-16 of the program/data SRAM.
D         Dump RAM memory specified by MSL bit as Intel hex format.
F         Fill program/data SRAM.
G         Get data from P0, P1, P2, and P3.
L         Load Intel hex file.
N         Set freshness seal—all program and data is lost.
P         Put data into P0, P1, P2, and P3.
R         Read status of SFRs (MCON, RPCTL, MSL).
T         Trace (echo) incoming Intel hex code.
U         Clear security lock.
V         Verify program/data memory with incoming Intel hex data.
W         Write special function registers (MCON, RPCTL, MSL).
Z         Set security lock.
Execution of certain bootstrap loader commands results in the loading of the newly generated 64-bit random number into the encryption key word. These commands are as follows:
Fill      F
Load      L
Dump      D
Verify    V
CRC       C
Execution of the Fill and Load commands loads the encrypted data into SRAM using encryption keys from the newly generated key word. The subsequent execution of the Dump command within the same bootstrap session causes the contents of the encrypted SRAM to