• Compatible with Many Existing Memory Card Applications
• 1-Kbit EEPROM User Memory
– Two 256 x 1 Application Zones
– One 512 x 1 Application Zone
– Protected by Security Logic
– Vpp Internally Generated for Single Voltage Operation
– 2 µs Read Access Time
– 2 ms Write Cycle (Self-timed)
• Additional EEPROM Memory for Code Storage
– Three OTP Areas, 144 Bits Total
– 64-bit Code-protected Zone
• Security Features
– Stores and Validates Security Codes
– Maximum of Four Incorrect Security Code Attempts
– Provides Security Code Protection During Transportation
• High Reliability
– Endurance: 100,000 Cycles
– Data Retention: 10 Years
– ESD Protection: 4,000V Minimum
• Manufactured Using Low-power CMOS Technology
• Temperature Range from −25°C to +85°C
• ISO 7816-compliant Card Modules
Description
The AT88SC1003 is a low-cost synchronous integrated circuit, designed for use in
prepaid and loyalty smart card applications. The AT88SC1003 provides 1024 bits of
serial EEPROM (Electrically Erasable and Programmable Read Only Memory) within
three application zones, plus 64 bits in a code-protected zone. Security logic provides
access protection through use of a 16-bit security code.
Additional EEPROM memory is available to hold unalterable information about the
card history. Separate zones are available for data written by the fabrication facility,
card manufacturer and card issuer. After personalization of the memory by the issuer,
an internal fuse is blown that secures critical memory areas of the device and configures the IC for use by the end customer. The action of blowing this fuse is irreversible.
The AT88SC1003 is manufactured using low-power CMOS technology. EEPROM
programming functions are accomplished using an internally generated high-voltage
pump for single voltage supply operation. Program timing is controlled internally.
Memory endurance is guaranteed to 100,000 erase/write cycles. Ten-year data retention is guaranteed.
1K Secure EEPROM with Three Application Zones
AT88SC1003

Table 1. Pin Configuration
Pad | Description | ISO Module Contact
VCC | Supply Voltage | C1
GND | Ground | C5
CLK | Serial Clock Input | C3
I/O | Serial Data Input/Output | C7
RST | Reset Input | C2
PGM | Program Input | C8
FUS | Fuse Input | C4
Rev. 2035A–SMEM–4/02
Figure 1. Card Module Contact (contact assignment: C1 = VCC, C2 = RST, C3 = CLK, C4 = FUS, C5 = GND, C6 = NC, C7 = I/O, C8 = PGM)
Figure 2. Block Diagram (blocks: Power On Reset, Address Counter, Security Logic, E2PROM Memory; signals: VCC, GND, RST, CLK, PGM, FUS, I/O)
Pin Descriptions
Supply Voltage (VCC) – The VCC input is a 4.5V to 5.5V positive voltage.
Serial Clock (CLK) – The CLK input is used to positive edge clock data into the device and negative edge clock data out of the device. There is an internal pull-down on CLK.
Serial Data (I/O) – I/O is bidirectional for serial data transfer to and from the device.
Reset (RST) – The RST input is used to reset the address counter. There is an internal pull-up on RST.
Program (PGM) – The PGM input is used to determine the state of I/O as an input or output. There is an internal pull-down on PGM.
Fuse (FUS) – The FUS input is used during the personalization of the device. There is an internal pull-down on FUS.
Security Features
The security features of Atmel’s AT88SC1003 include:
– Data access only after validation of the security code
– Permanent invalidation of device upon four consecutive false security code presentations
– Read/write protection of certain memory zones
– Secure transport of devices using security code compare sequence.
Security Levels
Access to the memory is controlled by the state of the issuer fuse and by the voltage
supply applied on the FUS pin.
FUS Pin | Issuer Fuse | Security Level
Logic “0” | X | 2
Logic “1” | 1 | 1
Logic “1” | 0 | 2
Level 1: Security During Personalization by the Card Issuer
AT88SC1003 die and modules are delivered with the issuer fuse intact. Issuer personalization is completed at this level. Security code validation is required to allow access to
personalize the EEPROM memory. During personalization, the fab zone fuse may be
blown to lock the fabrication zone. The manufacturer fuse may be blown to lock the
manufacturer’s zone.
See “Memory Access Rules During Personalization” (Table 2 on page 12).
Conditions:
Issuer fuse = “1” (not blown)
FUS pin = “1” (required)
Level 2: Security After Personalization (Customer Release)
EEPROM memory zones are protected by the various flags and passwords. After issuer
personalization, Security Level 2 is implemented by blowing the issuer fuse. The device
can also be placed in Security Level 2 by taking the FUS pin low, independent of the
state of the issuer fuse. This function of the FUS pin enables the card issuer to simulate
Security Level 2 during application development, without permanently blowing the
issuer fuse.
See “Memory Access Rules After Personalization” (Table 3 on page 13).
The 16-bit fabrication zone is initially programmed by Atmel. Prior to blowing the fab zone fuse, the
fabrication zone may be rewritten by the card manufacturer. This area becomes read-only after the
fab zone fuse is blown. Blowing the issuer fuse will also lock the data in the FZ.
The 64-bit issuer zone is programmed by the card issuer during the personalization phase. It will
contain issuer-specific information, such as serial numbers and dates. This area becomes read-only
after the issuer fuse has been blown. Read access is always allowed in the issuer zone.
The security code is initially set by Atmel to protect the product during transportation to the card
issuer. During personalization, this code must be entered and verified by the AT88SC1003 to allow
access to the EEPROM memory. After the security code has been verified, the code itself may be
changed in either security mode. The security code gives access to Application Zones 1, 2 and 3, and
also gives access to the code-protected zone area for erase and write. Verification of the security
code will set the internal flag SV to “1”. Atmel ships the device with a security code (transportation
code) pre-programmed. This protects against the unauthorized use of an unpersonalized device, and
should be written to a new value during initialization.
The protocol for verification of the security code requires that the user write one of the first four bits of
the SCAC to a logic “0”. This allows the SCAC to count the number of consecutive incorrect
presentations of the security code. After four consecutive incorrect security code presentations, the
first four bits of the SCAC will all be written to “0”, and the user is permanently blocked from access to
the application zones, as well as to other areas controlled by the security code. After a successful
presentation of the security code, the entire 16-bit SCAC, including the four active bits, should be
erased. This verifies that the correct security code has been presented, since an erase operation in
this area is not allowed without SC verification. It also clears the SCAC bits in preparation for the next
use of the card. This erase operation will also clear the remaining 12 bits of the 16-bit SCAC word.
These 12 bits may be used in an application, although the entire 16-bit word will be erased if any bit in
the SCAC is erased.
Code Protected Zone, CPZ (64 bits)
Read access to this area is always allowed and does not require SC validation. The security code
must be correctly presented to allow write access to the code-protected zone.
Application Zone 1, AZ1 (256 bits)
AZ1 is intended to hold user application data. P1 (address 176) controls write access and R1
(address 177) controls read access within Zone 1. In Security Level 1, erasing AZ1 is accomplished
by performing an erase operation on any bit within AZ1, after verification of the security code (SV flag
= 1). This operation will erase the entire zone. In Security Level 2, erase operations are controlled by
both the SV flag and the erase key EZ1. See the erase definition in the Device Functional Operation
chart (page 16) for specific details. There is no limit to the number of erase operations performed in
AZ1. In Security Level 1, write operations in AZ1 may be performed on single bits after verification of
the security code. In Security Level 2, the P1 bit must also be set to “1” to allow single bit write
operations. Read operations in Security Levels 1 and 2 are allowed if either R1 is set to “1” or the SV
flag is set to “1” by validating the security code.
Application Zone 1 Erase Key, EZ1 (48 bits)
The erase keys are passwords used to control erase operations within the application zones, after the
issuer fuse has been blown (Security Level 2). The erase key password is written during
personalization (Security Level 1), after verification of the security code. EZ1 can not be changed
after the issuer fuse is blown. In Security Level 2, AZ1 can be erased only after both the security code
and the EZ1 password have been validated. Verification of EZ1 will set the internal flag E1 to “1”.
Memory Zone Descriptions (Continued)
Zone | Definition
Application Zone 2
AZ2 (256 bits)
AZ2 is intended to hold user application data. P2 (address 480) controls write access and R2
(address 481) controls read access within Zone 2. In Security Level 1, erasing AZ2 is accomplished
by performing an erase operation on any bit within AZ2, after verification of the security code (SV flag
= 1). This operation will erase the entire zone. In Security Level 2, erase operations are controlled by
the erase key EZ2, the erase counter EC2 and the EC2EN fuse. If the EC2EN fuse is set to “1”, then
the erase counter mode for Application Zone 2 is enabled, and the user is limited to 128 erase
operations on AZ2. If the EC2EN fuse is set to “0”, then the erase counter mode is disabled and there
is no limit to the number of erase operations on AZ2. The EC2EN fuse must be written during the
personalization phase (Security Level 1). After the issuer fuse is blown, the status of the EC2EN fuse
cannot be changed. See the erase definition in the Device Functional Operation chart (page 16) for
specific details about erase procedure. In Security Level 1, write operations in AZ2 may be performed
on single bits after verification of the secure code. In Security Level 2, the P2 bit must also be set to
“1” to allow single bit write operations. Read operations in Security Levels 1 and 2 are allowed if either
R2 is set to “1” or the SV flag is set to “1” by validating the secure code.
Application Zone 2 Erase Key, EZ2 (32 bits)
The erase keys are passwords used to control erase operations within application zones after the
issuer fuse has been blown (Security Level 2). The erase key password is written during
personalization (Security Level 1), after verification of the security code. EZ2 cannot be changed after
the issuer fuse is blown. In Security Level 2, AZ2 can be erased only after both the security code and
the EZ2 password have been validated. Verification of EZ2 will set the internal flag E2 to “1”.
Application Zone 2 Erase Counter, EC2 (128 bits)
The erase counter (EC2) is enabled only in Security Mode 2 and only when the EC2EN fuse is set to
“1”. If both of these conditions are true, the user will be limited to 128 erase operations in Application
Zone 2. EC2 is used to count these erase cycles. The erase protocol for AZ2 requires one bit in EC2
to be written to a “0”. After 128 erase operations in AZ2, all 128 bits in EC2 will be “0” and the user will
be blocked from erasing AZ2. The erase counter is only writeable and cannot be erased. When the
EC2EN fuse = “0”, the EC2 operation is disabled. In that case there is no limit to the number of times
the AZ2 can be erased, and EC2 has no function.
Memory Test Zone, MTZ (16 bits)
All operations are allowed for this zone (write, erase, read). The purpose of this zone is to provide an
area in the product memory that is not restricted by security logic. It is used for testing purposes
during the manufacturing process and may also be used in the product application if desired, although
no security protection exists for the MTZ.
Manufacturer’s Zone, MFZ (64 bits)
The MFZ is intended to hold data specific to the smart card manufacturer (like assembly lot codes,
dates, etc.). Read operations within this zone are always allowed. Write or erase operations within this
zone are allowed after the security code has been verified. After the data is entered by the card
manufacturer, the manufacturer’s fuse can be blown and the data within the MFZ will become read-only. Blowing the issuer fuse will also lock the data in the MFZ.
EC2EN Fuse (4 bits)
This single bit EEPROM fuse selects whether the EC2 counter is used to limit the number of AZ2
erases in Security Mode 2. If the EC2EN fuse is unblown (“1”), the number of erases of AZ2 is limited
to 128. If the EC2EN fuse is blown (“0”), there is no limit to the number of erase operations in AZ2.
After the issuer fuse is blown, the state of the EC2EN fuse is locked and cannot be changed.
Issuer Fuse (16 bits)
This EEPROM bit functions as a fuse that is used to change the security mode of the AT88SC1003
from Security Mode 1 (“1”), to Security Mode 2 (“0”). Initialization of the IC for use by the end
customer occurs in Security Mode 1. Access conditions in Security Mode 1 are described in Table 2
(page 12). Access conditions in Security Mode 2 are described in Table 3 (page 13).
Application Zone 3
AZ3 (512 bits)
AZ3 is intended to hold user application data. P3 (address 1024) controls write access and R3
(address 1025) controls read access within Zone 3. In Security Level 1, erasing AZ3 is accomplished
by performing an erase operation on any bit within AZ3, after verification of the security code (SV flag
= 1). This operation will erase the entire zone. In Security Level 2, erase operations are controlled by
both the SV flag and the erase key EZ3. See the device operation erase definition for specific details.
There is no limit to the number of erase operations performed in AZ3. In Security Level 1, write
operations in AZ3 may be performed on single bits after verification of the security code. In Security
Level 2, the P3 bit must also be set to “1” to allow single bit write operations. Read operations in
Security Levels 1 and 2 are allowed if either R3 is set to “1” or the SV flag is set to “1” by validating the
security code.
Application Zone 3 Erase Key, EZ3 (1 bit)
The erase keys are passwords used to control erase operations within the application zones, after the
issuer fuse has been blown (Security Level 2). The erase key password is written during
personalization (Security Level 1), after verification of the security code. EZ3 can not be changed
after the issuer fuse is blown. In Security Level 2, AZ3 can be erased only after both the security code
and the EZ3 password have been validated. Verification of EZ3 will set the internal flag E3 to “1”.
Application Zone 3 Erase Bit, EB3 (1 bit)
Address location 1584 is designated as the erase bit for Application Zone 3. The erase protocol for an
AT88SC1003 in Security Mode 2 requires that the erase key (EZ3) be verified, then an erase
operation must be executed on the next bit following the erase key. This action will result in erasing the
entire zone.
Unused (16 bits)
Address locations 1585–1599 are not functional in the AT88SC1003. If the address counter is
incremented beyond address 1599, the counter will roll over to address 0. The counter can also be
reset to “0” by executing a reset command.
Terminology
The following terms have specific definitions for the AT88SC1003.
Erase – A program operation that results in an EEPROM data bit being set to a logic “1”
state. Outside the application zones, all erase operations are performed on 16-bit
words. An erase operation performed on any bit within a word will execute an erase of
the entire word. Inside an application zone, erase operations are controlled by the SV
flag, EZ passwords and the EC2EN fuse. These operations are defined in the Device
Functional Operation section of this data sheet (page 15).
Write – A program operation that results in an EEPROM bit or word being set to a logic
“0” state. An unwritten bit is defined as erased, or set to a logic “1” state. Write operations in the AT88SC1003 may be performed on individual bits after security code
validation. In Security Level 2, write operations also require that the P1, P2 or P3 bit
within an application zone is set to “1”.
Program – An EEPROM function that activates internally timed, high-voltage circuitry
and results in a data bit or word being set to either a logic “0” or “1” state.
Bit – A single data element set to either a logic “0” or “1” state. All bit addresses within
the application zones (AZ1, AZ2, AZ3) may be written individually.
Byte – Eight consecutive data bits. A byte boundary will begin on an address that is
evenly divisible by 8. The AT88SC1003 has no capability for byte write operations.
Word – Sixteen consecutive data bits. A word boundary will begin on an address that is
evenly divisible by 16. The AT88SC1003 will allow words to be written to a “0” during
personalization (Security Level 1). Erase operations will always operate on 16-bit words
when applied to addresses outside the application zones.
Blown – In reference to AT88SC1003 internal EEPROM fuses, the blown state is a logic
“0”.
Unblown – In reference to AT88SC1003 internal EEPROM fuses, the unblown state is a
logic “1”.
Verification – AT88SC1003 operations are controlled by the state of several internal
flags. The flags SV, E1, E2 and E3 are set after verification of an associated password
(security code; EZ1, EZ2 and EZ3 respectively). Verification is accomplished by executing an INC/CMP operation, which correctly matches the password bit by bit as the CLK
increments the address through the password memory addresses.
Definition of AT88SC1003 Internal Flags
Flag | Definition
SV – Security Validation flag
OPERATION:
The SV flag is set by correctly matching the 16-bit security code bit by bit from address 80 through 95, as pin CLK
increments the address counter. The security code matching operation must be followed immediately by a validation
operation within the Security Code Attempts Counter (SCAC). This validation operation requires the user to find a bit
in the SCAC, Addresses 96–99, that is a logic “1”. A write is performed followed by an erase. The AT88SC1003 will
validate that the comparison was correct by outputting a logic “1”, and SV will be set. After the erase, all 16 bits in the
SCAC will also be erased. The flag remains set until power to the card is turned off. If the comparison was in error or
part of the validation was not performed correctly, the AT88SC1003 will output a logic “0” showing that SV has not
been set. After four consecutive incorrect security code presentations, the card is permanently locked.
FUNCTION:
This flag is the master protection for the memory zones. See Tables 1 and 2.
P1 – Application Zone 1 write flag
OPERATION:
If Bit 176 has been programmed to a logic “1”, this flag is set after Bit 176 has been addressed. The flag remains set
until power to the device is turned off, even if this bit is written to “0” by a subsequent operation.
FUNCTION:
P1 and SV must both be set in order to enable a write command in Application Zone 1 (Security Mode 2).
P2 – Application Zone 2 write flag
OPERATION:
If Bit 480 has been programmed to a logic “1”, this flag is set after Bit 480 has been addressed. The flag remains set
until power to the device is turned off, even if this bit is written to “0” by a subsequent operation.
FUNCTION:
P2 and SV must both be set in order to enable the write command in Application Zone 2 (Security Mode 2).
P3 – Application Zone 3 write flag
OPERATION:
If Bit 1024 has been programmed to a logic “1”, this flag is set after Bit 1024 has been addressed. The flag remains
set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation.
FUNCTION:
P3 and SV must both be set in order to enable a write command in Application Zone 3 (Security Mode 2).
R1 – Application Zone 1 read flag
OPERATION:
If Bit 177 has been programmed to a logic “1”, this flag is set after Bit 177 has been addressed. The flag remains set
until power to the device is turned off, even if this bit is written to “0” by a subsequent operation.
FUNCTION:
R1 or SV must be set to “1” in order to enable Application Zone 1 bits to be read.
R2 – Application Zone 2 read flag
OPERATION:
If Bit 481 has been programmed to a logic “1”, this flag is set after Bit 481 has been addressed. The flag remains set
until power to the device is turned off, even if this bit is written to “0” by a subsequent operation.
FUNCTION:
R2 or SV must be set to “1” in order to enable Application Zone 2 bits to be read.
R3 – Application Zone 3 read flag
OPERATION:
If Bit 1025 has been programmed to a logic “1”, this flag is set after Bit 1025 has been addressed. The flag remains
set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation.
FUNCTION:
R3 or SV must be set to “1” in order to enable Application Zone 3 bits to be read.
E1 – Application Zone 1 erase flag
OPERATION:
E1 is set when the Application Zone 1 erase code comparison is valid.
This flag is reset when the address counter = 0.
FUNCTION:
Application Zone 1 (Bits 176–431) is erased when E1 is set and an erase is performed on Bit 480. This operation
erases all bits in Application Zone 1 but does not affect the word containing Bit 480.
E2 – Application Zone 2 erase flag with erase counter operation enabled. (EC2EN FUSE = “1”)
OPERATION:
This flag is set by correctly matching the Application Zone 2 erase code (EZ2) bit by bit as CLK increments the
address counter. A validation operation must then be completed. This operation requires the user to find a bit in the
Application Zone 2 erase counter (EC2), Addresses 768–895, that is a logic “1”. A write must then be performed,
followed by an erase. The part will validate that the comparison was correct and Application Zone 2 will be erased. It
is reset when the address counter = 0.
FUNCTION:
Application Zone 2 (Bits 480–735) is erased when E2 is set and an erase is performed after the validation operation
in EC2 described above. This operation erases all bits in Application Zone 2.
E2 – Application Zone 2 erase flag with erase counter operation disabled. (EC2EN FUSE = “0”)
OPERATION:
E2 is set when the Application Zone 2 erase code comparison is valid.
This flag is reset when the address counter = 0.
FUNCTION:
Application Zone 2 (Bits 480–735) is erased when E2 is set and an erase is performed on Bit 768. This operation
erases all bits in Application Zone 2 but does not affect the word containing Bit 768.
E3 – Application Zone 3 erase flag
OPERATION:
E3 is set when the Application Zone 3 erase code comparison is valid.
This flag is reset when the address counter = 0.
FUNCTION:
Application Zone 3 (Bits 1024–1535) is erased when E3 is set and an erase is performed on Bit 1584. This operation
erases all bits in Application Zone 3.
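The SV validation sequence with the SCAC, the FUS pin / issuer fuse table and the AZ1 read and write rules described above, modelled in C as an added example (not part of the data sheet and not Atmel code). The names card_t, security_level, attempts_left, present_code, az1_can_read and az1_can_write are assumptions, the sample code value is constructed, and the bit-by-bit INC/CMP compare is reduced to a 16-bit comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified software model of the card-side logic (not Atmel code).
 * All type, field and function names are illustrative assumptions. */
typedef struct {
    uint16_t sc;       /* stored 16-bit security code (addresses 80-95) */
    uint16_t scac;     /* 16-bit SCAC word; bit 15 models address 96 */
    bool issuer_fuse;  /* true = "1" (unblown), false = "0" (blown) */
    bool fus_pin;      /* logic level applied to the FUS pin */
    bool sv, p1, r1;   /* internal flags, all cleared at power-on */
} card_t;

/* FUS pin / issuer fuse table: Level 1 only when both are "1". */
int security_level(const card_t *c) {
    return (c->fus_pin && c->issuer_fuse) ? 1 : 2;
}

/* Attempts left = number of "1" bits among SCAC addresses 96-99. */
int attempts_left(const card_t *c) {
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += (c->scac >> (15 - i)) & 1;
    return n;
}

/* One presentation: compare, write one active SCAC bit to "0", then try the
 * erase. The erase (and SV) only takes effect if the compare matched. */
bool present_code(card_t *c, uint16_t code) {
    for (int i = 0; i < 4; i++) {
        uint16_t bit = (uint16_t)(1u << (15 - i));
        if (!(c->scac & bit))
            continue;                    /* already written to "0" */
        c->scac &= (uint16_t)~bit;       /* write: this attempt is counted */
        if (code != c->sc)
            return false;                /* counter stays decremented */
        c->scac = 0xFFFF;                /* erase sets the whole word to "1" */
        c->sv = true;                    /* remains set until power-off */
        return true;
    }
    return false;  /* no "1" bit left: validation can never complete */
}

/* AZ1 read: allowed in both levels if R1 or SV is set. */
bool az1_can_read(const card_t *c) { return c->r1 || c->sv; }

/* AZ1 single-bit write: SV in Level 1; SV and P1 in Level 2. */
bool az1_can_write(const card_t *c) {
    return c->sv && (security_level(c) == 1 || c->p1);
}

int main(void) {
    /* Constructed sample card: the code 0x1234 is made up for the demo. */
    card_t c = { .sc = 0x1234, .scac = 0xFFFF, .issuer_fuse = false,
                 .fus_pin = true };
    for (int i = 0; i < 3; i++)
        present_code(&c, 0x0000);
    printf("level %d, attempts left after 3 failures: %d\n",
           security_level(&c), attempts_left(&c));
    bool ok = present_code(&c, 0x1234);
    printf("correct code accepted: %d, attempts left: %d\n",
           ok, attempts_left(&c));
    printf("AZ1 write allowed without P1 in Level 2: %d\n", az1_can_write(&c));
    return 0;
}
```

A host-side driver can use the same bookkeeping to refuse a presentation when only one "1" bit remains in addresses 96–99, so that a reader fault cannot permanently lock a card.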