Maxim Integrated Secure Microcontroller User Manual

User’s Guide
Rev 1/14
Maxim Integrated cannot assume responsibility for use of any circuitry other than circuitry entirely embodied in a Maxim Integrated product. No circuit patent licenses are implied. Maxim Integrated reserves the right to change the circuitry and specifications without notice at any time.
Maxim Integrated 160 Rio Robles, San Jose, CA 95134 USA 1-408-601-1000
© 2014 Maxim Integrated Products, Inc. Maxim Integrated and the Maxim Integrated logo are trademarks of Maxim Integrated Products, Inc.
Secure Microcontroller User’s Guide
TABLE OF CONTENTS
1. INTRODUCTION
1.1 Important Notice Regarding Discontinued DS2251T/DS2252T
1.2 Software Security
1.3 Product Description
1.4 Introduction to the DS5250 High-Speed Secure Microcontroller
2. SELECTOR GUIDE
3. SECURE MICROCONTROLLER ARCHITECTURE
3.1 Bus Organization
3.2 CPU Registers
4. PROGRAMMER’S GUIDE
4.1 Secure Microcontroller Memory Organization
4.1.1 Internal Registers
4.1.2 Program and Data Memory
4.2 DS5000 Series Memory Organization
4.3 DS5000 Memory Map Control
4.4 DS5001/DS5002 Memory Organization
4.5 DS5001/DS5002 Memory-Mapped Peripherals
4.6 DS5001/DS5002 Memory Map Control
4.7 Loading and Reloading Program Memory
4.8 Special Function Registers
4.9 Instruction Set
4.10 Addressing Modes
4.11 Program Status Flags
5. MEMORY INTERCONNECT
6. LITHIUM/BATTERY BACKUP
6.1 Data Retention
7. POWER MANAGEMENT
7.1 Idle Mode
7.2 Stop Mode
7.3 Voltage Monitoring Circuitry
7.4 Power-Fail Interrupt
7.5 Total Power Failure
7.6 Partial Power Failures
8. SOFTWARE CONTROL
8.1 Timed Access
8.2 Watchdog Timer
8.3 CRC Memory Verification
8.3.1 Automatic CRC on Power-Up Feature
9. FIRMWARE SECURITY
9.1 Security Lock
9.2 RAM Memory
9.3 Encrypted Memory
9.4 Encryption Algorithm
9.5 Encryption Key
9.6 Encryption Key Selection and Loading
9.7 Dummy Bus Access
9.8 On-Chip Vector RAM
9.9 Self-Destruct Input
9.10 Microprobe/Die Top Coating
9.11 Random Number Generator
9.12 Security Summary by Part
9.13 Application: Advanced Security Techniques
10. RESET CONDITIONS
10.1 Reset Sources
10.1.1 Power-On Reset
10.1.2 No-VLI Power-On Reset
10.1.3 External Reset
10.1.4 Watchdog Timer Reset
10.2 Memory Map
10.3 Interrupts
10.4 Timers
10.5 Transient Voltage Protection
11. INTERRUPTS
11.1 Interrupt Sources
11.2 External Interrupts
11.3 Timer Interrupts
11.4 Serial Port Interrupts
11.5 Power-Fail Warning Interrupt
11.6 Simulated Interrupts
11.7 Interrupt Priorities
11.8 Interrupt Acknowledge
12. PARALLEL I/O
12.1 Output Functions
12.2 Input Function
12.3 Read-Modify-Write Instructions
12.4 Reprogrammable Peripheral Controller (RPC)
12.5 RPC Interrupts
12.6 RPC Protocol
12.7 DMA Operation
13. PROGRAMMABLE TIMERS
13.1 Functional Description
13.2 Mode 0
13.3 Mode 1
13.4 Mode 2
13.5 Mode 3
14. SERIAL I/O
14.1 Function Description
14.2 Baud Rate Generation
14.3 Synchronous Operation (Mode 0)
14.4 Asynchronous Operation
15. CPU TIMING
15.1 Oscillator
15.2 Instruction Timing
15.3 Expanded Program Memory Timing
15.4 Expanded Data Memory Timing
16. PROGRAM LOADING
16.1 Invoking the Bootstrap Loader
16.2 Invoking the Bootstrap Loader on DS5000 Series Devices
16.3 Invoking the Bootstrap Loader on DS5001/DS5002 Series Devices
16.4 Exiting the Loader
16.5 Serial Program Load Mode
16.6 Auto-Baud Rate Detection
16.7 Bootstrap Loader Initialization
16.8 Command Line Interface
16.9 Command Line Syntax
16.10 Command Summaries
16.11 Error Messages
16.12 Intel Hex File Format
16.13 Parallel Program Load Operation
16.14 Parallel Program Load Mode
16.15 Parallel Programming Concerns
16.16 RPC Program Mode Operation
17. REAL-TIME CLOCK (RTC)
17.1 DS5000T/DS2250T RTC
17.2 Important DS5000T/DS2250T Application Note
17.3 Registers
17.4 Special Bits
17.5 DS2251T/DS2252T RTC
17.6 Memory Map
17.7 DS2251T/DS2252T RTC Interrupts
18. TROUBLESHOOTING
18.1 Unexplained Device Resets
18.2 DS5000T/DS2250T Reports the Incorrect Time/Date
18.3 RAM Loses Data When Powered Down
18.4 Unable to Invoke Stop Mode
18.5 Serial Port Does Not Work
18.6 Program Will Not Execute
18.7 Dos and Don’ts
19. INSTRUCTION SET DETAILS
LIST OF FIGURES
Figure 3-1. Secure Microcontroller Architectural Block Diagram
Figure 4-1. Secure Microcontroller Memory Map
Figure 4-2. Scratchpad Register Map
Figure 4-3. DS5000 Series Memory Map
Figure 4-4. Partitionable Memory Map for DS5001/DS5002 Series
Figure 4-5. Nonpartitionable Memory Map for DS5001/DS5002 Series
Figure 4-6. Peripheral Enables in the Data Memory Map
Figure 4-7. Reloading Portions of a DS5000 Series Device
Figure 4-8. Reloading a DS5001/DS5002 Series Device
Figure 4-9. DS5000 SFR Map
Figure 4-10. DS5001/DS5002 SFR Map
Figure 5-1. Memory Interconnect of the DS5000FP
Figure 5-2. DS5000 Series Module Block Diagram
Figure 5-3. Memory Interconnect of the Partitionable DS5001/DS5002
Figure 5-4. Memory Interconnect of the Nonpartitionable DS5001FP, DS5002FP
Figure 5-5. Memory Interconnect Using the 128kB SRAM
Figure 5-6. DS2251T-128 Block Diagram
Figure 5-7. DS2252T-32 Block Diagram
Figure 6-1. Power-Supply Slew Rate
Figure 7-1. Secure Microcontroller Power Cycling Timing
Figure 7-2. Secure Microcontroller Power Management
Figure 8-1. Timed Access
Figure 8-2. CRC Code Example
Figure 9-1. DS5000 Software Encryption Block Diagram
Figure 9-2. DS5002 Software Encryption Block Diagram
Figure 9-3. Dummy Bus Access Timing
Figure 10-1. Power-On Reset Timing
Figure 11-1. Interrupt Request Sources
Figure 11-2. Interrupt Acknowledge Sequence
Figure 12-1. Port 0 Functional Circuitry
Figure 12-2. Port 1 Functional Circuitry
Figure 12-3. Port 2 Functional Circuitry
Figure 12-4. Port 3 Functional Circuitry
Figure 12-5. Parallel Port Output Buffers (Ports 1, 2, and 3)
Figure 12-6. Use of the RPC Mode
Figure 13-1. Timer/Counter Mode 0 and 1 Operation
Figure 13-2. Timer/Counter Mode 2 Operation
Figure 13-3. Timer 0 Mode 3 Operation
Figure 14-1. Mode 0 Block Diagram And Timing
Figure 14-2. Serial Port Mode 1 Block Diagram
Figure 14-3. Mode 2 and 3 Block Diagram
Figure 15-1. Crystal Connection
Figure 15-2. Clock Source Input
Figure 15-3. Bytewide RAM Instruction Execution Timing
Figure 15-4. Expanded Program Memory Fetch
Figure 15-5. Expanded Data Memory Read
Figure 15-6. Expanded Data Memory Write
Figure 16-1. Invoking and Exiting the Loader on the DS5001/DS5002 Series
Figure 16-2. Serial Load Configuration
Figure 16-3. Parallel Program Load Configuration
Figure 16-4. Parallel Program Load Cycles
Figure 17-1. DS5000T/DS2250T Functional Block Diagram
Figure 17-2. DS5000T/DS2250T RTC Pattern Comparison Register
Figure 17-3. DS5000T/DS2250T RTC Register Entry Flowchart
Figure 17-4. DS5000T/DS2250T RTC Registers
Figure 17-5. Time Register Examples
Figure 17-6. DS2251T/DS2252T RTC Block Diagram
Figure 17-7. DS2251T/DS2252T RTC Memory Map
LIST OF TABLES
Table 4-A. Instructions That Affect Program Status Flag
Table 7-A. Pin States in Idle/Stop Modes
Table 8-A. Timed-Access-Protected Control Bits
Table 10-A. SFR Reset States
Table 12-A. Use of the RPC Mode
Table 14-A. Serial Port Operating Modes
Table 14-B. Timer 1 Baud Rate Generation
Table 14-C. Serial I/O Operating Modes
Table 16-A. Serial Loader Baud Rates For Different Crystal Frequencies
Table 16-B. 8751-Compatible Program Load Cycles
Table 17-A. Alarm Mask Bit Operation

1. INTRODUCTION

The secure microcontroller family is a line of 8051-compatible devices that use nonvolatile (NV) RAM rather than ROM for program storage. NV RAM allows the design of a “soft” microcontroller that provides many unique features for embedded system designers. The enhanced security features employed by the secure microcontroller family protect the user-application software against piracy and tampering. These devices offer varying degrees of security, ranging from simple access prevention to a full encryption of program and data memory of the device. Attempts to gain access to protected information result in the self-destruction of all data. The secure microcontroller family is the heart of a wide range of security-critical applications such as electronic banking, commercial transactions, and pay-TV access control, or any application that requires the protection of proprietary software and algorithms.
The secure microcontroller family is divided between chips and modules. The chips are monolithic microprocessors that connect to a standard SRAM and lithium battery. The modules combine the microprocessor with the SRAM and lithium battery in a preassembled, pretested module. Depending on the specific configuration, modules are available in either 40-pin encapsulated DIP or SIMM module format.
In addition to NV RAM, Maxim microcontrollers offer a number of peripherals that simplify and reduce the cost of embedded systems. Although the specific features of each chip or module vary, all devices offer the following basic feature set:
- 100% code-compatible with 8051
- Directly addresses 64kB program/64kB data memory
- Nonvolatile memory control circuitry
- 10-year data retention in the absence of power
- In-system reprogramming via serial port
- 128 bytes fast access scratchpad RAM
- Two 16-bit general-purpose timer/counters
- One UART
- Five interrupts with two external
- Dedicated memory bus, preserving four 8-bit ports for general purpose I/O
- Power-fail reset
- Early warning power-fail interrupt
- Watchdog timer

1.1 Important Notice Regarding Discontinued DS2251T/DS2252T

The DS2251T and DS2252T have been discontinued and are no longer available. They remain in this document for historical purposes only, and any references to them should be ignored.

1.2 Software Security

One of the most important features of the secure microcontroller family is firmware/memory security. The devices were specifically designed to offer an unprecedented level of protection to the user-application software, preventing unauthorized copying of firmware and denying access to critical data values. The use of RAM rather than the traditional ROM or EPROM for program storage increases the security, since tampering with the system results in the loss of the RAM contents. Additional features such as real-time high-speed memory encryption, generation of dummy addresses on the bus, and internal storage of vector RAM increase the security of a secure microcontroller/microprocessor-based system.
The DS5002FP secure microprocessor chip offers the highest level of security, with permanently enabled memory encryption, an 80-bit random encryption key, and a self-destruct input for tamper protection. The DS5000FP soft microprocessor chip and DS5000(T) and DS2250(T) soft microcontroller modules offer lesser, but still substantial, protection with optional data encryption and a 48-bit encryption key.
Separate Address/Data Bus
Soft microprocessor chips provide a nonmultiplexed address/data bus that interfaces to memory without interfering with I/O ports. This bytewide bus connects directly to standard CMOS SRAM in 32kB x 8 or 128kB x 8 densities with no glue logic. Note that this is in addition to the standard 8051 port 0 and 2 multiplexed bus. In module form, the bytewide bus is already connected directly to on-board SRAM, so the memory access becomes transparent and the I/O ports are free for application use. The extra memory bus also allows for a time-of-day function; all soft microcontroller modules are available with built-in real-time clocks (RTCs). Battery backup and decoding are automatically handled by the microprocessor.
Large Nonvolatile Memory
Soft microprocessor chips provide nonvolatile memory control for standard CMOS SRAM. Modules combine the microprocessor chip with memory and lithium backup. This includes conditionally write-protected chip enables and a power-supply output that switches between +5V and battery backup. The chip enables are decoded automatically based on user-selectable memory sizes and partitioning. Partitioning defines the portion of memory used for program and data segments. Areas that are designated program are always write-protected and are treated as ROM. Data areas are write-protected only when power is out of tolerance. A large nonvolatile memory is useful for data logging and as flexible program storage. Memory is retained for over 10 years at room temperature in the absence of power by ultra-low-leakage lithium-backed circuits.
In-System Loading
The in-system programming capability lets the user update program code at any time. This program loading is supervised by a built-in ROM-based bootstrap loader. The ROM loader becomes transparent once program loading is complete. All devices allow program loading via the serial port. Data memory can also be retrieved using this loader function. Selected versions provide other parallel loading protocols as well. In-system loading allows a system to be configured during final system test. A user can load custom software, diagnostic routines, or calibration constants. If something changes or new features arise, the system can then be reprogrammed while in the field.
High-Reliability Operation
Secure microcontroller devices are designed for unsupervised operation in remote locations. Special features prevent a system from running out of control during transient events. These include a reset when power is out of tolerance; an early warning power-fail interrupt that allows software to save critical data; and a watchdog to reset the micro if it gets lost. Also, nonvolatile memory allows software to save the operating state so a task can be resumed when power returns to normal. The secure microcontroller family consists of three chips and their associated modules. Differences stem from I/O, memory access, and security features. The DS5000FP is used in DS2250T and DS5000(T) modules. A full selector guide with all memory and speed permutations is provided in the next section.

1.3 Product Description

All secure microcontroller products have the following standard 8051 family features:
8051-compatible instruction set
Four 8-bit pseudo-bidirectional I/O ports
Two 16-bit timer/counters
Five interrupts with two external
Addresses 64kB program and 64kB data memory
128 bytes scratchpad RAM
One UART
DS5000FP Soft Microprocessor Chip
The DS5000FP is the original soft microprocessor chip. It adds the following features to the 8051 set:
Nonmultiplexed bytewide address/data bus for memory access
Nonvolatile control for 8kB x 8 or 32kB x 8 SRAMs
Partitions one SRAM into program and data areas and write protects the program segment
Decodes memory for up to two 32kB x 8 SRAMs (#2 is data memory only)
Power-fail reset and interrupt
Precision watchdog timer
ROM-based serial bootstrap loader
Optional security features
Memory encryption in real-time
48-bit user selected encryption key
Security lock destroys memory if unlocked
Vector RAM hides 48 bytes on-chip
Dummy operations on the memory bus
DS5000(T) Soft Microcontroller Module
The DS5000 incorporates the DS5000FP chip in a 40-pin module with an 8051 footprint and pinout.
Familiar 40-pin DIP package
Built-in NV RAM of 32kB x 8
I/O ports not disturbed by on-board memory access
10-year data retention and clock operation in the absence of power
Partitions memory into program and data areas, write protects the program segment
Power-fail reset and interrupt
Precision watchdog timer
ROM-based serial bootstrap loader
Optional memory security
Optional built-in RTC (battery backed)
DS2250(T) Soft Microcontroller Module
The DS2250(T) incorporates the DS5000FP chip on a 40-pin SIMM module. It has the identical feature set as the DS5000(T), but is in a different form-factor. This package change allows up to 64kB NV RAM instead of 32kB. Note that as mentioned above, the second 32kB is restricted to data memory. Like the DS5000(T), this module guarantees better than 10-year data retention at room temperature.
DS5001FP 128kB Soft Microprocessor Chip
The DS5001FP provides the base feature set of the DS5000FP with the following extras. Note that the DS5001FP has no memory encryption feature.
Accesses up to 128kB on the bytewide bus
Decodes memory for 32kB x 8 or 128kB x 8 SRAMs
Four additional decoded peripheral-chip enables
CRC hardware for checking memory validity
Optionally emulates an 8042-style slave interface
Bandgap reference for more accurate power monitor
DS2251T 128kB Soft Microcontroller Module (Discontinued)
The DS2251T is a SIMM based on the DS5001. It provides up to 128kB of on-board NV RAM and has the bytewide bus available at the connector. This is used with the decoded peripheral enables for memory-mapped peripherals such as a UART or ADC. The parallel-access RTC has interrupt capability. Like the older versions, the DS2251T provides 10-year data retention, even in the largest memory configuration.
DS5002FP Secure Microprocessor Chip
The DS5002FP is a highly secure version of the DS5001FP. It provides the operating features of the DS5001FP, with the following enhancements to the DS5000 security features.
Security is active at all times
Improved memory encryption using an 80-bit encryption key
Automatic random generation of encryption keys
Self-destruct input for tamper protection
Optional top-coating prevents microprobe (DS5002FPM)
DS2252T Secure Microcontroller Module (Discontinued)
The DS2252T incorporates the DS5002FP on a 40-pin SIMM. This includes from 32kB to 128kB of secure memory with an RTC. The memory is highly secure from tampering and from competitors. Like other products in the family, the DS2252T has a data retention period of over 10 years at room temperature.

1.4 Introduction to the DS5250 High-Speed Secure Microcontroller

The highest performance, most secure microcontroller available is the DS5250 high-speed secure microcontroller. A member of the High-Speed Microcontroller family, the DS5250 device is a security and performance enhanced version of the DS5002FP with the following features. More information about it can be found on our website, www.maximintegrated.com/DS5250.
Security Features
Designed to meet the physical security requirements of FIPS140 and Common Criteria certifications
SRAM technology allows rapid “zeroization” of secure information as a tamper response
Microprobe shield triggers tamper response if the cryptographic boundary is penetrated
Environmental sensors detect out-of-range conditions and trigger tamper response
The equipment enclosure can be monitored by tamper response inputs for added protection
External memory bus protected by single or triple-DES encryption
Modulo Arithmetic Accelerator (MAA) for up to 4096-bit (e.g., PKI)
DES and 112-bit key triple-DES engines available for secret key cryptography
Random number generator
Firmware bootstrap loader resides in a 16kB factory-programmed ROM
8051 Compatible with Expanded Addressing
4-clock/machine cycle architecture (25MHz/6.25 MIPS)
Contiguous address space accesses up to 4MB program + 4MB data external memory
Four 8-bit ports, one 6-bit port
Advanced Features
CRC-16/32 generator
Secure bootstrap loader resides in a 16kB factory-programmed ROM
RTC with alarm interrupt and wake-up
5kB internal SRAM (1kB can be used as a stack for high-level language support)
Dual data pointers with increment/decrement
Programmable length MOVX instructions
Power-fail/power-on reset circuits
Watchdog timer

2. SELECTOR GUIDE

The following configurations are available. Speeds are rated maximums, but all members of the secure microcontroller family are fully static and can be run as slow as desired.

| CHIP | DESCRIPTION | SPEED (MHz) | PART |
| --- | --- | --- | --- |
| DS5000FP | Soft Microprocessor Chip | 16 | DS5000FP-16 |
| DS5001FP | 128kB Microprocessor Chip | 16 | DS5001FP-16 |
| DS5002FP | Secure Microprocessor Chip | 16 | DS5002FP-16 |

| MODULE | DESCRIPTION | MEMORY (kB) | MAX SPEED (MHz) | RTC | PACKAGE | PART |
| --- | --- | --- | --- | --- | --- | --- |
| DS5000 | Soft Microcontroller Module | 32 | 16 | No | 40 DIP | DS5000-32-16 |
| DS5000T | Soft Microcontroller Module | 32 | 16 | Yes | 40 DIP | DS5000T-32-16 |
| DS2250 | Soft Microcontroller Module | 32 | 16 | No | 40 SIMM | DS2250-32-16 |
| DS2250 | Soft Microcontroller Module | 64 | 16 | No | 40 SIMM | DS2250-64-16 |
| DS2250T | Soft Microcontroller Module | 64 | 16 | Yes | 40 SIMM | DS2250T-64-16 |

3. SECURE MICROCONTROLLER ARCHITECTURE

The secure microcontroller family is based on an 8051-compatible core with a memory interface and I/O logic built around it. In general, most architecture features are identical to standard 8051s and apply to all members of the secure microcontroller family. Differences between versions are mentioned. This section briefly documents the important features. Figure 3-1 shows a block diagram of the microcontroller core. Users interested in a more thorough explanation of the 8051 architecture are referred to any of the numerous texts on the subject.

3.1 Bus Organization

There are four major buses in the secure microprocessor: the internal data bus, the internal address bus, the bytewide memory bus, and the expanded bus. All addresses and data that are transferred during program execution are passed on the internal address and data buses. User program and data memory is always accessed from either the bytewide program/data RAM or from external memory located on the expanded bus. The bytewide memory bus allows access to program/data RAM in the same way as an 8051 family device would access internal ROM or EPROM memory. This bus can be used in place of the expanded bus, freeing Port 2 and Port 0 pins for general I/O use.

3.2 CPU Registers

The CPU registers are mapped as special function registers (SFRs). They are identical in number and function to those present within the 8051. These registers are described briefly:
Accumulator
The accumulator (A or ACC) is used as either a source and/or destination register in all arithmetic instructions. It may also be used in most other types of instructions.
Stack Pointer
The stack pointer (SP) is an 8-bit register that marks the location of the last byte of data stored in the stack. The stack itself can be located anywhere in the on-chip 128-byte scratchpad register area. The stack pointer pre-increments during a stack push and post-decrements during a stack pop.
B Register
The major function of the B register is as a source and destination register during multiply and divide instructions. It can also be used as a scratchpad register.
Program Status Word
The program status word (PSW) contains status flags that are set according to the results of a previously executed instruction. In addition, the PSW contains register bank select bits.
Data Pointer
The data pointer (DPTR) is used to access data memory that can be mapped into bytewide data RAM or onto external memory devices on the expanded bus. The DPTR is accessed by the user’s program as either two 8-bit SFRs or as a 16-bit register with certain instructions.
Scratchpad Registers
Scratchpad registers are 128 registers where data can be stored directly. They are addressed from 00H to 7FH and can be accessed by a MOV instruction. Included in the scratchpad area are four 8-byte banks of working registers. These registers are not part of the data memory map.
Serial I/O
The on-chip serial I/O port is composed of a receive data buffer, a transmit data buffer, and a control register. Both the receive data buffer and the transmit data buffer are accessed in a single location (SBUF) in the SFR map. The control register (SCON) is accessed in a separate location. When the serial I/O function is enabled, two external I/O pins (P3.0, P3.1) are reassigned in hardware to serve the transmit and receive data functions.
Programmable Timers
Two 16-bit programmable timers are included that can perform various timing and counting functions. Four registers (TH1, TL1, TH0, and TL0) access the upper and lower halves of each of the two timer/counters. A single control register (TCON) is used to select the various operating modes of the two timers. Two external I/O pins (P3.4, P3.5) can be programmed to serve as external counter inputs, one pin for each of the two timer/counters.
Figure 3-1. Secure Microcontroller Architectural Block Diagram
Parallel I/O
Four SFRs provide access for the four parallel I/O port latches. These I/O ports are denoted as P0, P1, P2, and P3. 32 bits of parallel I/O is available through these I/O ports. However, up to 16 bits are sacrificed when the expanded bus mode is used to interface to external memory and up to 6 bits can be sacrificed if any external interrupt inputs, timer counter inputs, or serial I/O functions are used. When using the bytewide bus, ports are not affected.
Program/Data RAM Interface
Secure microcontrollers provide a nonmultiplexed bytewide bus that connects to external SRAM. They also make this RAM nonvolatile, decode memory access for it, and write-protect portions designated as program memory. The bytewide bus consists of up to 16 address lines (depending on the version), eight data lines, read/write control, and decoded chip enables. When accessing the SRAM via its bytewide bus, there is no activity on the ports. Thus if memory access is restricted to this bus, all ports are free for use by the application. In module form, the microprocessor is already connected to SRAM via the bytewide bus making program and data memory access appear internal. Secure microprocessors can also access memory using the multiplexed expanded bus consisting of Port 0 and 2, WR (P3.6) and RD (P3.7). This is usually undesirable since it consumes port pins that can be used for other activity. If expanded bus access is desired, up to 64kB ROM and 64kB RAM can be accessed in the same manner as a traditional 8051. Each version has different provisions for using the expanded bus, depending on memory map and user’s configuration. These issues are discussed in the Programmer’s Guide in Section 4.
High-Reliability Circuitry
This feature ensures proper operation of the micro and maintains the contents of the program/data RAM in the absence of VCC using a self-contained lithium energy source. The logic provided includes the power-fail warning interrupt, automatic power-down and power-on reset. As a result, the program/data RAM can be modified whenever necessary during execution of the user’s software but remains unchanged when VCC is absent. The circuitry also maintains the internal scratchpad RAM and certain SFRs during a power-down condition.
Software Encryption Logic
DS5000 and DS5002 series parts provide software security circuits that include the address encryptor, data encryptor, and the encryption key word. When the device is operating in the encryption mode and using the program/data RAM, the address encryptor is used to transform “logical” addresses on the internal address bus into encrypted addresses that appear on the bytewide memory bus to the RAM. Similarly, the data encryptor transforms data on the internal data bus into encrypted data during write operations on the bytewide memory bus. When data is read back, the data encryptor restores it to its true value. Although each encryptor uses its own algorithm for encrypting data, both depend on the encryption key word stored on-chip.
Security Lock Logic
The security lock logic prevents a read or write to any program/data RAM location using the bootstrap loader. In addition, it inhibits the device from fetching code in the expanded bus mode. By disabling access to key internal resources, this feature precludes unauthorized disassembly of application software contained in program/data RAM. In contrast with an EPROM security bit, clearing the security lock wipes the entire RAM area.
Vector RAM
The vector RAM is used to contain the reset and interrupt vector code when the soft microcontroller is operating in the encryption mode. This feature is included to ensure the security of the application software. The operation of the vector RAM as well as the reason for its inclusion in the architecture are discussed in Software Security in Section 1.1.
Timed-Access Logic
The timed-access logic protects against inadvertent changes to configuration and to the program RAM in the event of a loss of software control. The protected configuration parameters include the partition address bits in the MCON register as well as the enable watchdog-timer bit, stop mode bit, and power-on reset bit in the PCON register.
Watchdog Timer
When the user’s software is being executed, the watchdog timer can be used to automatically restart the processor in the event that software control is lost. It is also used to generate an oscillator start-up delay to allow the clock frequency to stabilize. This occurs during reset cycles that follow a time in which the oscillator has been stopped (stop mode reset and power-on reset).
Resident Loader ROM
The resident loader ROM contains firmware that controls the initial loading of the nonvolatile program/data RAM. The firmware provides serial bootstrap load operation via the on-chip serial port. The internal ROM is not accessible by the user and performs the loading function only when the device is strapped for operation in the program mode. The ROM becomes transparent to the user once loading is complete and has no effect on the memory map.

4. PROGRAMMER’S GUIDE

The secure microcontroller uses NV RAM technology for program and data memory. NV SRAM write-protected memory segments are designated as program memory. The remaining RAM area is used as nonvolatile data storage. One of the advantages of breaking a common RAM into two segments is that a smaller number of memory chips is needed. For example, if a system requires 24kB of program memory and 4kB of data memory, this all fits within one 32kB x 8 SRAM. The secure microcontroller can subdivide this RAM into program and data segments, unconditionally write-protecting the program area. The process of dividing the common memory space into ROM and RAM is called partitioning. The original DS5000 series could partition one SRAM of up to 32kB. It could access a second RAM, but this was restricted to data memory only. The DS5001/DS5002 series can partition two 32kB SRAMs, or even one 128kB x 8 SRAM. Common elements of the programming model are detailed in the following paragraphs, with individual differences highlighted.

4.1 Secure Microcontroller Memory Organization

Secure microcontrollers follow the standard 8051 convention of three memory areas. These include internal registers, program memory, and data memory. These memory areas are not contiguous and are accessed in different ways. The secure microcontroller duplicates all standard 8051 registers and adds several new ones. They have a 64kB program and 64kB data space. However, secure microcontrollers provide several ways to access these areas, and these features are what make the family unique.
Figure 4-1 shows the memory map of secure microcontrollers in general terms. The specific details and access to the memory areas are discussed below.
Figure 4-1. Secure Microcontroller Memory Map

4.1.1 Internal Registers

The internal register space is divided into two parts. These are scratchpad registers and SFRs. There are 128 scratchpad registers, commonly referred to as on-chip RAM. The 128 bytes include four 8-byte banks of working registers (R0–R7). The scratchpad registers are located at register addresses 00–7Fh. This area is not located in the program or data memory area and is accessed by different instructions. The SFRs are located between 80h and FFh. SFRs control the on-chip peripherals and memory configurations. Direct addressing should be used to access the SFR locations. If register-indirect addressing is used, indeterminate data is returned. Scratchpad registers are discussed immediately below, with SFR descriptions following later in this section.
The scratchpad registers are general-purpose data storage RAM. They are commonly used for temporary storage of a small number of variables when high-speed access is needed. Off-chip RAM (MOVX) is used when the quantity of data is larger than 128 bytes. The scratchpad registers are lithium backed and are preserved in the absence of power.
The scratchpad area has two additional functions. First, 16 bytes of the scratchpad area are bit addressable. That is, while each byte has an address of its own, these bits also have individual bit addresses. Certain instructions operate on bits instead of bytes. Although the addresses appear the same, the microprocessor can distinguish a bit address from a byte address by the instruction used. A large number of individual software flags and conditions can be represented using 128 (16 x 8) individually addressable bits.
A second use of the scratchpad area is for the programmer’s stack. Like the 8051, the secure microcontroller uses a stack pointer (SP–81h) SFR to direct stack access into the internal registers. The SP has a default value of 07h. This means that stack storage begins at location 08h. Each PUSH or CALL instruction increments the SP. Note that while the SP is located in the SFR area, the stack itself is stored in the scratchpad area. Figure 4-2 shows the scratchpad register memory map.
Programmer’s Note: With the use of C compilers becoming more frequent, the large memory model should be examined. This compiler model places the stack in off-chip SRAM. Secure microcontroller-based systems usually have an abundance of such SRAM compared to ROM-based systems. While off-chip stack results in slower execution time, the stack size becomes virtually unlimited.
The 8051 instruction set allows efficient (single cycle) access to variables when using the working registers. These are a group of four 8-byte banks of scratchpad RAM. The active working registers are referred to as R0–R7. They reside between location 00h and 1Fh, depending on which bank is currently selected. Two bits in the SFR PSW, called R1 (PSW.4) and R0 (PSW.3), are used to determine which is the active bank. Once selected, all instructions involving R0–R7 are directed to the selected group of 8 bytes. This scheme also allows for a fast context switch by simply changing banks. The following table shows the operation of the register bank selection.
PSW.4-3; R1–R0
Register Bank Select: Used to select an 8-byte bank of registers to be assigned as R0–R7.

| R1 | R0 | BANK STARTING ADDRESS (R0) |
| --- | --- | --- |
| 0 | 0 | 00h |
| 0 | 1 | 08h |
| 1 | 0 | 10h |
| 1 | 1 | 18h |
Figure 4-2. Scratchpad Register Map

| BYTE ADDRESS | CONTENTS (bit addresses, MSB to LSB) |
| --- | --- |
| 7FH | (top of the scratchpad area) |
| 2FH | 7F 7E 7D 7C 7B 7A 79 78 |
| 2EH | 77 76 75 74 73 72 71 70 |
| 2DH | 6F 6E 6D 6C 6B 6A 69 68 |
| 2CH | 67 66 65 64 63 62 61 60 |
| 2BH | 5F 5E 5D 5C 5B 5A 59 58 |
| 2AH | 57 56 55 54 53 52 51 50 |
| 29H | 4F 4E 4D 4C 4B 4A 49 48 |
| 28H | 47 46 45 44 43 42 41 40 |
| 27H | 3F 3E 3D 3C 3B 3A 39 38 |
| 26H | 37 36 35 34 33 32 31 30 |
| 25H | 2F 2E 2D 2C 2B 2A 29 28 |
| 24H | 27 26 25 24 23 22 21 20 |
| 23H | 1F 1E 1D 1C 1B 1A 19 18 |
| 22H | 17 16 15 14 13 12 11 10 |
| 21H | 0F 0E 0D 0C 0B 0A 09 08 |
| 20H | 07 06 05 04 03 02 01 00 |
| 1FH–18H | BANK 3 |
| 17H–10H | BANK 2 |
| 0FH–08H | BANK 1 |
| 07H–00H | BANK 0 |

4.1.2 Program and Data Memory

The secure microcontroller divides its main memory between program and data segments. Each map consists of a 64kB area from 0000h–FFFFh. Program memory is inherently read-only, and data memory is read/write. The CPU automatically routes program fetches to the program area and MOVX instructions to the data memory area. All of these elements are in common with the standard 8051. Secure microcontroller differences are in the memory interface, memory map control, and flexibility of the memory resources.
Secure microcontrollers provide two separate buses for memory access. The first is a bytewide address/data bus that is new to the 8051 architecture. This bus also provides a switched supply output that makes standard SRAM into nonvolatile memory, decoded chip enables, and a R/W strobe. Furthermore, the bytewide bus allows NV RAM memory to be divided between program and data segments. When using a segment of the RAM as program memory, this area can be loaded using the bootstrap loader function described later.
The second bus is an expanded bus constituted by Ports 0 and 2. This is the standard 8051-compatible memory bus that is available as an option, but is not needed in most cases. Program memory on the expanded bus must be ROM/EPROM and data memory must be volatile SRAM. If NV RAM is needed on the expanded bus, then it must be externally backed up and write protected. The secure microcontroller makes no special provisions for NV RAM on the expanded bus. When discussing memory addressing of secure microcontrollers, there are two important terms that are used frequently–partition and range. The partition is the user-selectable address that divides the program segment from the data segment in a common RAM area on the bytewide bus. The partition is a user-adjustable boundary that can be selected during bootstrap loading or on the fly by the application software. The range is the total amount of memory connected to the bytewide bus. This is set once during initial programming.
The DS5000 series devices can access up to 8kB and 64kB of NV RAM on the bytewide bus. Up to the first 32kB are partitionable into program and data segments as described above. The DS5001/DS5002 series can access between 8kB and 128kB on its bytewide bus with better partition control. The memory map control resides in the MCON (address C6h) SFR on DS5000 devices. The DS5001 devices use the MCON (address C6h) and RPCTL (address D8h) registers. Since the memory maps and control have significant differences between these versions, they are described later in separate sections.

4.2 DS5000 Series Memory Organization

As mentioned above, the DS5000 series consists of the DS5000FP chip and the DS5000(T) and DS2250T modules. The programming model discussed in this section applies to all of these parts. The DS5000FP bytewide bus has 15 address lines, eight data lines, a R/W strobe, and two chip enables to access NV RAM. In the case of a module, these are already connected and can be thought of as internal or embedded memory. The DS5000 series can use either 8kB x 8 or 32kB x 8 SRAMs, selected using the range bit (MCON.3), which has a value of 0 when an 8kB SRAM is used and 1 when a 32kB SRAM is used. Range is selected during bootstrap loading and cannot be varied by the application software. The DS5000FP accesses memory on its bytewide bus using two chip enables. The first, CE1, is partitionable. That is, the RAM connected to CE1, whether 8kB or 32kB, can be divided between program and data segments. The partition is user-selected and can be set during bootstrap loading and by software. Partitions are available on 2kB boundaries in the DS5000, except for the last, which is 4kB. The partition is selected using the MCON SFR described below. CE2 is restricted to data memory only. The RAM on CE2 should be of the same size as CE1. Access to CE2 is controlled by ECE2 bit (MCON.2) and is described below.
Figure 4-3 illustrates the functional memory map of a DS5000 series device. The partition, range, ECE2, and the logical address combine to determine whether the DS5000 uses its bytewide bus or the expanded bus. NV RAM access occurs when the logical address lies in one of the shaded regions. These are program addresses below the partition address, data addresses above the partition and below the range address, or data addresses between 0 and the range when ECE2 is set to a logic 1. Note that when using ECE2 to force data access, the CE2 RAM is selected instead of the CE1 RAM. This means that on a DS5000 module or a DS2250 with less than 64kB RAM, no data memory exists under CE2. The ECE2 has no effect on program memory, which continues from the CE1 RAM or the expanded bus normally.
Note that the partition and range settings are not automatically linked, allowing a user to accidentally select a partition that is larger than the range. When the range is 32kB, the partition address can be as high as 32kB. When a range of 8kB is used, partition addresses below 8kB should be used. Any address that does not map onto the bytewide bus is automatically routed to the expanded bus of Ports 0 and 2. For module users, this means that any address not routed to internal memory goes to the ports.
When the partition is at 3000h and the range at 32kB, program memory below 3000h is accessed on the bytewide bus. Program memory at or above 3000h is directed to the expanded bus of Ports 0 and 2. When the partition is at 5800h and the range at 32kB, data memory at 0000h is accessed on Ports 0 and 2. Data memory at 6000h is located in NV RAM on the bytewide bus. When the partition is at 1000h and the range at 8kB, all memory access above 1FFFh is on the expanded bus. The partition rules apply when the range is below 8kB.
Important Application Note
The MCON register is an SFR unique to Maxim microcontrollers that contains nonvolatile memory configuration information. This register should be set to the desired value before loading the device via the bootstrap loader. Failure to correctly configure the MCON register can cause the device to operate incorrectly, including symptoms that appear similar to a defective device. Because this register is nonvolatile, incorrect memory settings will be preserved when power is removed. The DS5001FP, DS5002FP, DS2251T, and DS2252T store additional memory configuration information in the RPCTL register, which should also be set to the desired value before loading the user program via the bootstrap loader.
Figure 4-3 illustrates the typical operation. There are two conditions that can modify this memory map. The first is the EA pin. The second is the security lock. When the EA pin is grounded, the DS5000 forces all memory access to the expanded bus. This causes the DS5000 to behave like an 8031, regardless of the partition, range, or ECE2. The EA should be pulled to +5V for normal operation. The second modifier is the security lock. When set, the security lock prevents the bootstrap loader from reading the contents of the NV RAM. For security purposes, it also prohibits program memory access on the expanded bus. Thus, all program fetches must be restricted to the bytewide bus when locked. The security lock overrides the condition of the EA pin as well.
These memory map controls provide unprecedented flexibility to configure a system. However, it is possible to select contradictory settings. The partitioning function allows a user to select the quantity of program and data memory. It is possible to select all data and no program in NV RAM by choosing a partition of 0000h. This is a valid selection, except when the security lock is set, as it simultaneously configures and prohibits the use of program memory on the expanded bus. In this illegal event, special circuits will automatically force the partition to a location of 7FFFh. This means all 32kB memory on the bytewide bus is designated program memory. The second contradictory case is to select a range of 8kB, and to choose a partition of greater than 8kB. This results in the range as the limiting factor. Addresses above the range are automatically deflected to the expanded bus. No data memory is allocated in NV RAM for this configuration.
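The routing rules of this section (partition, range, ECE2, the EA pin, the security lock and the two contradictory settings) written out as an added C example; it is not code from the manual or from Maxim. All type and function names are hypothetical, the partition is passed as an address rather than decoded from PA3–0, and a data access above the range with ECE2 = 1 is reported as unspecified because the text here does not settle that case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the DS5000 memory map rules; names are hypothetical. */
typedef enum { ACC_PROGRAM, ACC_DATA } access_t;

typedef enum {
    BUS_BYTEWIDE_CE1,  /* NV RAM on the bytewide bus, selected with CE1 */
    BUS_BYTEWIDE_CE2,  /* NV RAM on the bytewide bus, selected with CE2 */
    BUS_EXPANDED,      /* expanded bus on Ports 0 and 2 */
    BUS_BLOCKED,       /* program fetch on the expanded bus while locked */
    BUS_UNSPECIFIED    /* case the surrounding text does not settle */
} bus_t;

typedef struct {
    uint32_t partition; /* first data address on CE1; program lies below it */
    bool range_32k;     /* MCON.3: false = 1FFFh (8kB), true = 7FFFh (32kB) */
    bool ece2;          /* MCON.2 */
    bool ea_high;       /* EA pin pulled to +5V (normal operation) */
    bool locked;        /* security lock set */
} ds5000_map_t;

static uint32_t range_top(const ds5000_map_t *m)
{
    return m->range_32k ? 0x7FFFu : 0x1FFFu;
}

/* Partition after the two contradictory-setting rules are applied. */
static uint32_t effective_partition(const ds5000_map_t *m)
{
    uint32_t part = m->partition;
    /* Locked with partition 0000h: forced so program runs through 7FFFh. */
    if (m->locked && part == 0x0000u)
        part = 0x8000u;
    /* Partition above the range: the range is the limiting factor. */
    if (part > range_top(m) + 1u)
        part = range_top(m) + 1u;
    return part;
}

bus_t ds5000_route(const ds5000_map_t *m, access_t acc, uint16_t addr)
{
    /* EA grounded forces all access to the expanded bus (8031 behaviour),
       unless the security lock is set, which overrides EA. */
    if (!m->ea_high && !m->locked)
        return BUS_EXPANDED;

    uint32_t part = effective_partition(m);
    uint32_t top = range_top(m);

    if (acc == ACC_PROGRAM) {
        if (addr < part)
            return BUS_BYTEWIDE_CE1;
        /* Locked parts may not fetch code from the expanded bus. */
        return m->locked ? BUS_BLOCKED : BUS_EXPANDED;
    }
    if (m->ece2)  /* data forced to the second RAM between 0 and the range */
        return addr <= top ? BUS_BYTEWIDE_CE2 : BUS_UNSPECIFIED;
    if (addr >= part && addr <= top)
        return BUS_BYTEWIDE_CE1;
    return BUS_EXPANDED;
}

/* Bytes of NV RAM data memory left on CE1 under the current settings. */
uint32_t ds5000_nv_data_bytes(const ds5000_map_t *m)
{
    return range_top(m) + 1u - effective_partition(m);
}

static const char *bus_name(bus_t b)
{
    static const char *const names[] = {
        "bytewide CE1", "bytewide CE2", "expanded bus", "blocked", "unspecified"
    };
    return names[b];
}

int main(void)
{
    /* Settings taken from the worked cases in the text above. */
    ds5000_map_t a = { 0x3000u, true, false, true, false };
    ds5000_map_t b = { 0x5800u, true, false, true, false };
    ds5000_map_t locked_all_data = { 0x0000u, true, false, true, true };

    printf("prog 2FFFh -> %s\n", bus_name(ds5000_route(&a, ACC_PROGRAM, 0x2FFF)));
    printf("prog 3000h -> %s\n", bus_name(ds5000_route(&a, ACC_PROGRAM, 0x3000)));
    printf("data 0000h -> %s\n", bus_name(ds5000_route(&b, ACC_DATA, 0x0000)));
    printf("data 6000h -> %s\n", bus_name(ds5000_route(&b, ACC_DATA, 0x6000)));
    printf("locked, partition 0000h: %lu data bytes in NV RAM\n",
           (unsigned long)ds5000_nv_data_bytes(&locked_all_data));
    return 0;
}
```

Running a planned MCON configuration through such a model before bootstrap loading shows whether any program fetch would leave the bytewide bus, which matters once the security lock is set.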
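Figure 4-3. DS5000 Series Memory Map
[Figure not reproduced: program memory and data memory (ECE2=0 and ECE2=1) from 0000h to FFFFh, with the partition address and the 8kB (1FFFh) and 32kB (7FFFh) range addresses marked. Device #1 is selected with CE1 and device #2 with CE2. Legend: bytewide access with CE1 (NV RAM); bytewide access with CE2 (NV RAM); expanded bus access on Ports 0 and 2; no memory access.]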

4.3 DS5000 Memory Map Control

The partition and range can be selected using the bootstrap loader discussed in a later section. In addition, the partition can be selected or modified by the application software and CE2 is normally software controlled. However, in either case, the MCON SFR is used to choose these settings. The MCON register is described fully in the SFR description section.
DS5000 SERIES MCON REGISTER
MCON.7–4  PA3–0   Partition Address. Use to select the starting address of data memory in embedded RAM. Program space lies below the partition address.
MCON.3    RA32/8  Range Address. Sets the maximum usable address on the bytewide bus. RA32/8 = 0 sets range address = 1FFFh (8kB); RA32/8 = 1 sets range address = 7FFFh (32kB).
MCON.2    ECE2    Enable Chip Enable 2. Used to enable or disable the CE2 signal to additional RAM data memory space. When ECE2 = 0, all MOVX instructions activate the CE1 signal. When ECE2 = 1, all MOVX instructions activate the CE2 signal. This bit should always be cleared to 0 in the DS5000-8, DS5000-32, DS2250-8, and DS2250-32 modules.
MCON.1    PAA     Partition Address Access. Used to protect the programming of the partition address select bits. PA3–0 cannot be written when PAA = 0. PAA can be written only via the timed-access register.

4.4 DS5001/DS5002 Memory Organization

Note that the DS5002FP is a high-security version of the DS5001FP, but has the same memory map and I/O. The programming model discussed in this section applies to all of these parts and any reference to the DS5001 applies to all of them. The DS5001 series bytewide bus has 16 address lines, eight data lines, a R/W strobe, and a total of eight chip enables to access NV RAM and peripherals. Chip enables include CE1-CE4 and PE1-PE4. The four chip enables (CE1-4) are for NV RAM access. How they are connected depends on the memory mode and the selection of SRAMs. The PE signals are generally for memory-mapped peripherals, but can be used for more RAM if desired. PE1 and PE2 are lithium-backed, PE3 and PE4 are not. In the case of a module, PE1 may be connected to a RTC. Memory map control resides in the MCON (C6h) and RPCTL (D8h) registers. The MCON register has selected differences from its DS5000 counterpart. These are documented below. The RPCTL is not present in the DS5000. Also, not all of the bits in this register pertain to memory map control. This section describes the relevant bits and the SFR section below documents the entire register.
The DS5001/DS5002 series can use multiple 8kB x 8 or 32kB x 8 SRAMs or a single 128kB x 8 SRAM. These parts can operate in either a partitionable (like DS5000) or nonpartitionable mode. The mode is selected via the PM (MCON.1) bit of the MCON register. Note that the DS5001 MCON provides different functions than the DS5000. In partitionable mode (PM = 0), the DS5001/DS5002 can use up to 64kB x 8 SRAM for program and data on its bytewide bus. It can partition this area into program and data segments on 4kB boundaries. The 64kB memory space would consist of two 32kB x 8 SRAMs. Each is accessed by a separate chip enable (CE1 and CE2), but the microcontroller automatically decodes which is needed.
While the DS5001/DS5002 can use between one 8kB x 8 SRAM and four 32kB x 8 SRAMs, it does not automatically know which configuration is used. The user must identify the total RAM size using the range bits RG1 and RG0. RG1 is located at MCON.3 and RG0 is located at RPCTL.0. These range bits are selected during the bootstrap loading process and cannot be modified by the application software. The table below shows the range values that can be selected when PM = 0 (partitionable).

RG1  RG0  RANGE (kB)  CE1 ACCESS   CE2 ACCESS
1    1    64          0000–7FFFh   8000–FFFFh
1    0    32          0000–7FFFh   NA
0    1    16          0000–1FFFh   2000h–3FFFh
0    0    8           0000–1FFFh   NA

The total RAM space is partitionable, regardless of which range is selected. This contrasts with the DS5000 that allowed partitioning of CE1 only (see the following partition table). PA3–0 are the four MSBs of the MCON register (MCON.7-4). Note that the partition values do not scale depending on range. That is, if a range of less than 64kB is selected, the partition settings above the range should not be used. The microcontroller automatically decodes which RAM to enable, and uses the partition to decide if this is program memory or data memory.

Partition Table
PA3  PA2  PA1  PA0  PARTITION  BYTEWIDE BUS MEMORY MAP
0    0    0    0    0000h      0 Program, Data = Range
0    0    0    1    1000h      4kB Program, Data = Range – 4kB
0    0    1    0    2000h      8kB Program, Data = Range – 8kB
0    0    1    1    3000h      12kB Program, Data = Range – 12kB
0    1    0    0    4000h      16kB Program, Data = Range – 16kB
0    1    0    1    5000h      20kB Program, Data = Range – 20kB
0    1    1    0    6000h      24kB Program, Data = Range – 24kB
0    1    1    1    7000h      28kB Program, Data = Range – 28kB
1    0    0    0    8000h      32kB Program, Data = Range – 32kB
1    0    0    1    9000h      36kB Program, 28kB Data
1    0    1    0    A000h      40kB Program, 24kB Data
1    0    1    1    B000h      44kB Program, 20kB Data
1    1    0    0    C000h      48kB Program, 16kB Data
1    1    0    1    D000h      52kB Program, 12kB Data
1    1    1    0    E000h      56kB Program, 8kB Data
1    1    1    1    FFFFh      64kB Program, 0kB Data

Figure 4-4 illustrates the functional memory map of a DS5001/DS5002 series device in partitionable mode. Note that any access that does not correspond to a bytewide bus location is routed to the expanded bus Ports 0 and 2.
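The range and partition tables above can be combined into a single address decode. The following C sketch is an added example, not code from the manual: it assumes partitionable mode (PM = 0) with PES = 0 and EXBS = 0, the type and function names are hypothetical, and the sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: DS5001/DS5002 partitionable-mode (PM = 0) address decode.
   Assumes PES = 0 and EXBS = 0. Type and function names are hypothetical. */
typedef enum { BUS_EXPANDED, BUS_BYTEWIDE_PROGRAM, BUS_BYTEWIDE_DATA } bus_t;
typedef struct { bus_t bus; int ce; } decode_t;  /* ce = 0: no bytewide chip enable */

/* Range in bytes from RG1 (MCON.3) and RG0 (RPCTL.0): 8, 16, 32 or 64kB. */
uint32_t ds5001_range(uint8_t mcon, uint8_t rpctl) {
    unsigned rg = (((mcon >> 3) & 1u) << 1) | (rpctl & 1u);
    return 0x2000u << rg;
}

/* Partition from PA3-0 (MCON.7-4) in 4kB steps; 1111b is treated as
   "all 64kB program", following the last row of the partition table. */
uint32_t ds5001_partition(uint8_t mcon) {
    unsigned pa = mcon >> 4;
    return pa == 0xFu ? 0x10000u : (uint32_t)pa << 12;
}

/* is_fetch = 1 for a program fetch, 0 for a MOVX data access. */
decode_t ds5001_decode(uint8_t mcon, uint8_t rpctl, uint16_t addr, int is_fetch) {
    decode_t d = { BUS_EXPANDED, 0 };
    uint32_t range = ds5001_range(mcon, rpctl);
    uint32_t part = ds5001_partition(mcon);
    if (addr >= range) return d;                          /* above the range */
    if (is_fetch ? addr >= part : addr < part) return d;  /* wrong side of partition */
    d.bus = is_fetch ? BUS_BYTEWIDE_PROGRAM : BUS_BYTEWIDE_DATA;
    /* 16kB and 64kB ranges use two RAMs, split evenly between CE1 and CE2. */
    d.ce = ((range == 0x4000u || range == 0x10000u) && addr >= range / 2) ? 2 : 1;
    return d;
}

int main(void) {
    static const char *name[] = { "expanded bus", "bytewide program", "bytewide data" };
    /* Constructed settings: PA3-0 = 1000b (8000h) with an 8kB range, i.e. a
       partition above the range, which leaves no data memory in NV RAM. */
    uint8_t mcon = 0x80, rpctl = 0x00;
    uint16_t probe[] = { 0x0000, 0x1FFF, 0x2000, 0x9000 };
    for (int i = 0; i < 4; i++) {
        decode_t f = ds5001_decode(mcon, rpctl, probe[i], 1);
        decode_t m = ds5001_decode(mcon, rpctl, probe[i], 0);
        printf("%04Xh fetch: %s (CE%d), MOVX: %s (CE%d)\n", (unsigned)probe[i],
               name[f.bus], f.ce, name[m.bus], m.ce);
    }
    return 0;
}
```

A chip-enable value of 0 in the output means the access left the bytewide bus, which is the case to watch for when code or data is expected to stay in NV RAM.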
Figure 4-4. Partitionable Memory Map for DS5001/DS5002 Series
[Figure: program and data memory versus address (0000h to FFFFh) with PES = 0, showing the partition address and the range (up to 64kB). Legend: bytewide access (NV RAM); expanded bus access on Ports 0 and 2.]

The nonpartitionable mode allows the maximum amount of memory to be used on the bytewide bus. A nonpartitionable mode would be used because the 8051 architecture is restricted to 64kB program and 64kB data (without bank switching). This means that if the maximum amount of either program or data (or both) is needed, partitioning cannot be done. The DS5001/DS5002 series accommodates these situations with four selections of nonpartitionable (PM = 1) memory control (see table below). These are selected using the range bits when PM = 1. Also note the MSEL pin on DS5001/DS5002 series devices that tells the processor whether multiple 32kB RAMs (MSEL = 1) or a 128kB RAM (MSEL = 0) is being used. The four selections are as follows. The nonpartitionable memory map is shown in Figure 4-5. Bytewide bus segments begin at 0000h.

MSEL  RG1  RG0  PROGRAM (kB)  DATA (kB)  PROGRAM ACCESS           DATA ACCESS
1     0    0    32            64         1 at 32kB, CE1           2 at 32kB, CE3 and CE4
1     0    1    64            32         2 at 32kB, CE1 and CE2   1 at 32kB, CE3
1     1    0    64            64         2 at 32kB, CE1 and CE2   2 at 32kB, CE3 and CE4
0     1    1    64            64         1 at 128kB x 8, for both program and data
Any address that does not fall into the bytewide bus area is routed to the expanded bus of Ports 0 and 2. This could only occur for the first two settings. Note that a single 128kB device is the least expensive in terms of component cost and size. In this case, all memory addressable by the DS5001 is stored in a nonvolatile 128kB x 8 SRAM. When the MSEL pin = 0, and RG0 = RG1 = PM = 1, the device automatically converts CE1 to a chip enable, CE2 to A16, CE3 to A15, and CE4 is unused. The MSL bit, accessible only via the bootstrap loader, selects whether the loader addresses the 64kB data or 64kB program segment.
Figure 4-5. Nonpartitionable Memory Map for DS5001/DS5002 Series
[Figure: program and data memory versus address (0000h, 7FFFh, FFFFh) with PES = 0, showing 32kB and 64kB program and data ranges. Legend: bytewide access (NV RAM); expanded bus access on Ports 0 and 2.]

4.5 DS5001/DS5002 Memory-Mapped Peripherals

The DS5001FP and DS5002FP provide four peripheral chip enables (PE4–PE1) designed to access unencrypted peripherals on the bytewide bus. While PES = 1, all MOVX-based instructions present unencrypted address and data on the bytewide bus. During these instructions the device asserts peripheral chip-enable signals instead of the standard chip-enable signals based on the logical address. The peripheral chip enables are decoded on 16kB boundaries, as shown in Figure 4-6. The PES bit operates the same way in both partitionable and nonpartitionable modes.
The peripheral enables interface to battery-backed and nonbattery-backed peripherals. The lowest two peripheral enables, PE1 and PE2, are battery backed by the DS5001/DS5002. This means that when VCC is removed, the device drives these chip enables to a logic high inactive state. These signals should be interfaced to SRAM and other devices that are battery backed. The upper two peripheral enables, PE3 and PE4, are not battery backed by the DS5001/DS5002. This means that when VCC is removed, the device allows these signals to float to an undefined state. These signals should be interfaced to ADCs, UARTs, and any other peripheral that is powered by VCC rather than VCCO.
A novel use of the PES signals is to double the available MOVX memory space. When set, the PES bit in essence creates an overlay of 64kB, using the same MOVX addresses. By toggling the PES bit on and off, the device can access up to 128kB of MOVX memory.
On occasion, a memory-mapped peripheral is needed that interfaces directly to an 8051 multiplexed bus. When this occurs, MOVX instructions can be forced to use the expanded bus in any mode with the EXBS bit (RPCTL.5). Setting this bit to logic 1 forces all MOVX instructions to the expanded bus. While EXBS = 1, the entire 64kB data memory map is accessed in this way. Clearing EXBS causes the microcontroller to revert to its selected configuration. In most systems, the EXBS bit is not used.

4.6 DS5001/DS5002 Memory Map Control

Like the DS5000, the DS5001/DS5002 uses SFRs to control the memory map. The memory control functions include the partition, range, partition mode (PM), expanded bus select (EXBS), peripheral enable select (PES) and access enable (AE). The partition and range can be selected using the bootstrap loader discussed in a later section. In addition, the partition can be selected or modified by the application software by writing to the MCON register. PES is normally used by software and is also controlled by the MCON register. The range is controlled by a combination of MCON and RPCTL bits. In addition, the EXBS and AE are controlled using the RPCTL register. MCON and RPCTL are fully documented in the SFR summary.
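Figure 4-6. Peripheral Enables in the Data Memory Map
[Figure: 64kB data memory with PES = 1, divided into four 16kB segments ending at 3FFFh, 7FFFh, BFFFh, and FFFFh, selected by PE1, PE2, PE3, and PE4 respectively.]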

4.7 Loading and Reloading Program Memory

Soft microcontrollers are programmed through their integral bootstrap loader feature. This loader is also used to configure the desired options for memory map control. The secure microcontroller uses its low power lithium-backed circuits to maintain critical settings in the absence of power. For this reason, it is unnecessary to set the partition, range, etc. after every power-up or reset. Once set, they will remain unless deliberately modified. Bootstrap loading is discussed in a later section. One of the major advantages of a secure microcontroller is the ability to change these settings, and even reload the entire program memory while the device is installed in system. To completely re-program and re-configure a device, the bootstrap loader must be invoked. However, the secure microcontroller is designed to allow a partial reload of memory without invoking the bootstrap loader.
The major advantage of this technique is that it requires no hardware or external switches. Most of the memory can be reprogrammed under application software control. It would commonly be used when the target system connects to a PC through a serial port as part of an application, e.g., a data logger that must dump memory periodically. While connected to the PC, it is extremely easy to reload portions of memory using the “soft reload.”
Application software always has unrestricted read/write access to the NV RAM designated as data memory. This is the memory that lies above the partition address and below the range address (the nonpartitionable configuration of the DS5001/DS5002 is addressed separately). Data memory is read or written using MOVX instructions. Only the area designated as program memory cannot be altered. The key to doing a soft reload is to temporarily change the program memory RAM into data memory. Using an SFR, the application software can authorize the secure microcontroller to temporarily redefine a portion of the program memory area as data memory. Once this is done, the new code can be received through a serial port (or other means) and written into data memory. When the process is complete and the new memory is verified as correct, software converts the RAM back into write-protected program memory for the duration. As with the memory map control, there are minor differences between the DS5000 series and DS5001/DS5002 series devices in how this is accomplished.
Soft Reload of a DS5000 Series Device
When application software decides that it should reprogram a portion of memory, the software must convert the target area into data memory. The DS5000 does this when software sets the PAA bit (MCON.1) to a logic 1. PAA is the partition access-enable bit, which is protected from accidental modification by the timed-access procedure. Timed access is discussed in a later section. When PAA = 1, the microcontroller automatically moves the partition to 0800h and allows write access to the partition control bits PA3–0 (MCON.7–4). At this time, the software can adjust the partition, but the new value is not used until after PAA is cleared. The partition remains at 0800h as long as PAA = 1, regardless of the partition control bits. This leaves a 2kB block of NV RAM (from 0000–0800h) assigned as program memory. Apart from this, no other changes take place and software continues to operate normally. Caution: Make certain that the code that controls the PAA resides in this first 2kB. When PAA = 1, all addresses on the bytewide bus greater than 0800h are viewed as data memory and cannot be executed, even if they were program memory originally. This gives the software read/write access to the remaining 6kB (range = 8kB) or 30kB (range = 32kB) of NV RAM on the bytewide bus.
At this time, software can begin reloading the target area of memory. There are two minor variations of this procedure. First, a user’s loader routine that resides below 0800h (2kB) can reprogram the remainder of memory as needed. This is done by receiving the new code through a serial port or other mechanism and writing it to the RAM at the addresses where it will be executed. Since the RAM is data memory, the write operation is done using MOVX instructions.
The second option is that the user’s code below 2kB can simply move the partition to a new value. This is done by writing a new value for PA3–0 in MCON (MCON.7–4) while PAA is still set to 1, then clearing PAA. The purpose of this would be that the loader routine mentioned in option 1 resides in memory above 2kB, but below the target memory area. To gain access, the partition must be moved to a location that includes this loader routine. Once the partition is moved to this temporary location, the software loader can reprogram new code as before.
When loading is complete, the partition must be either restored or set to a new value that is appropriate for the new software. If the PA3–0 bits were not modified, the PAA bit can simply be cleared. This restores the old partition. If the PA3–0 bits were modified during loading or software has grown significantly, a new partition is needed. The PA3–0 bits must be written while PAA is set to 1.
To summarize the soft reload, the procedure goes as follows:
1) Ensure that current program execution is in the range of 0000h to 0800h.
2) Set the PAA bit using a timed-access procedure.
3) Load new contents into program memory at addresses above 0800h using MOVX instructions.
4) Define a new partition address if necessary and write the appropriate bits into PA3–0 in the MCON SFR.
5) Restore the current partition by clearing the PAA bit with a timed-access procedure.
6) Resume operation.
The following example illustrates the soft reload procedure. The original program requires a partition of 4000h (16kB). The new program is larger, requiring a partition of 6000h (24kB). The code that performs these steps is shown below. This routine must be located below 0800h in program memory.
        MOV   TA, #0AAh          ; TIMED ACCESS
        MOV   TA, #55h           ; TIMED ACCESS 2
        MOV   MCON, #10001010b   ; SET PAA BIT
        ;
        ; USER’S CODE TO LOAD RAM USING MOVX GOES HERE
        ;
        MOV   TA, #0AAh          ; TIMED ACCESS
        MOV   TA, #55h           ; TIMED ACCESS 2
        MOV   MCON, #11001000b   ; LOAD NEW PARTITION AND CLEAR PAA BIT
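The PAA rules described in this section can be checked on a host before committing to a loader layout. The following C model is an added example, not code from the manual: it is a constructed software model, the function names are hypothetical, the timed-access sequence is reduced to a flag, and the 2kB partition step is an assumption taken from the example values above (1000b = 4000h, 1100b = 6000h).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed host-side model of the DS5000 MCON rules described above.
   Assumption: PA3-0 steps the partition in 2kB units (1000b = 4000h,
   1100b = 6000h as in the manual's example); PA3-0 = 1111b is not modelled. */
#define MCON_PAA 0x02u   /* MCON.1 */
#define MCON_RA  0x08u   /* MCON.3, RA32/8 */

typedef struct { uint8_t mcon; uint8_t pa_active; } ds5000_t;

void ds5000_init(ds5000_t *d, uint8_t mcon) {
    d->mcon = (uint8_t)(mcon & ~MCON_PAA);
    d->pa_active = mcon >> 4;
}

/* timed_access != 0 models a write made right after the AAh/55h sequence. */
void ds5000_write_mcon(ds5000_t *d, uint8_t v, int timed_access) {
    uint8_t paa_was = d->mcon & MCON_PAA;
    if (!paa_was)                 /* PA3-0 cannot be written when PAA = 0 */
        v = (uint8_t)((v & 0x0Fu) | (d->mcon & 0xF0u));
    if (!timed_access)            /* PAA changes only via timed access */
        v = (uint8_t)((v & ~MCON_PAA) | paa_was);
    d->mcon = v;
    if (!(v & MCON_PAA))          /* new partition is used once PAA = 0 */
        d->pa_active = v >> 4;
}

/* Effective partition: forced to 0800h for as long as PAA = 1. */
uint16_t ds5000_partition(const ds5000_t *d) {
    return (d->mcon & MCON_PAA) ? 0x0800u : (uint16_t)(d->pa_active * 0x0800u);
}
uint16_t ds5000_range(const ds5000_t *d) {
    return (d->mcon & MCON_RA) ? 0x7FFFu : 0x1FFFu;
}
int ds5000_can_execute(const ds5000_t *d, uint16_t addr) {
    return addr < ds5000_partition(d) && addr <= ds5000_range(d);
}
int ds5000_can_movx_write(const ds5000_t *d, uint16_t addr) {
    return addr >= ds5000_partition(d) && addr <= ds5000_range(d);
}

int main(void) {
    ds5000_t d;
    ds5000_init(&d, 0x88);             /* constructed: partition 4000h, 32kB range */
    ds5000_write_mcon(&d, 0x8A, 1);    /* set PAA */
    printf("PAA=1: partition %04Xh, code at 3000h executable: %d\n",
           (unsigned)ds5000_partition(&d), ds5000_can_execute(&d, 0x3000));
    ds5000_write_mcon(&d, 0xC8, 1);    /* load new partition, clear PAA */
    printf("PAA=0: partition %04Xh, 5000h writable: %d\n",
           (unsigned)ds5000_partition(&d), ds5000_can_movx_write(&d, 0x5000));
    return 0;
}
```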