Microchip Technology Inc HCS300-I-P, HCS300T-I-SN, HCS300T-I-P, HCS300-I-SN Datasheet

HCS300
Code Hopping Encoder*

FEATURES

Security
• Programmable 28-bit serial number
• Programmable 64-bit encryption key
• Each transmission is unique
• 66-bit transmission code length
• 32-bit hopping code
• 34-bit fixed code (28-bit serial number, 4-bit button code, 2-bit status)
• Encryption keys are read protected
Operating
• 2.0—6.3V operation
• Four button inputs
- No additional circuitry required
- 15 functions available
• Selectable baud rate
• Automatic code word completion
• Battery low signal transmitted to receiver
• Non-volatile synchronization data
Other
• Easy to use programming interface
• On-chip EEPROM
• On-chip oscillator and timing components
• Button inputs have internal pulldown resistors
• Current limiting on LED output
• Minimum component count
• Synchronous transmission mode

PACKAGE TYPES

PDIP, SOIC
[Pin diagram, 8-pin package: pin 1 S0, pin 2 S1, pin 3 S2, pin 4 S3, pin 5 VSS, pin 6 PWM, pin 7 LED, pin 8 VDD.]

HCS300 BLOCK DIAGRAM
[Block diagram. Blocks: oscillator, controller, reset circuit, power latching and switching, LED driver, EEPROM, encoder, 32-bit shift register, button input port. Pins: VDD, VSS, LED, PWM, S0 to S3.]

Typical Applications
The HCS300 is ideal for Remote Keyless Entry (RKE) applications. These applications include:
• Automotive RKE systems
• Automotive alarm systems
• Automotive immobilizers
• Gate and garage door openers
• Identity tokens
• Burglar alarm systems

DESCRIPTION

The HCS300, from Microchip Technology Inc., is a code hopping encoder designed for secure Remote Keyless Entry (RKE) systems. The HCS300 utilizes the KEELOQ code hopping technology, which incorporates high security, a small package outline and low cost, to make this device a perfect solution for unidirectional remote keyless entry systems and access control systems.
KeeLoq is a trademark of Microchip Technology Inc.
*Code hopping encoder patents allowed and pending.
1996 Microchip Technology Inc.
Preliminary
The HCS300 combines a 32-bit hopping code generated by a non-linear encryption algorithm, with a 28-bit serial number and six status bits to create a 66-bit transmission stream. The length of the transmission eliminates the threat of code scanning and the code hopping mechanism makes each transmission unique, thus rendering code capture and resend (code grabbing) schemes useless.
The encryption key, serial number, and configuration data are stored in EEPROM which is not accessible via any external connection. This makes the HCS300 a very secure unit. The HCS300 provides an easy to use serial interface for programming the necessary security keys, system parameters, and configuration data.
The encryption keys and code combinations are programmable but read-protected. The keys can only be verified after an automatic erase and programming operation. This protects against attempts to gain access to keys and manipulate synchronization values.
DS21137D-page 1
The HCS300 operates over a wide voltage range of 2.0V to 6.3V and has four button inputs in an 8-pin configuration. This allows the system designer the freedom to utilize up to 15 functions. The only components required for device operation are the buttons and RF circuitry, allowing a very low system cost.

1.0 SYSTEM OVERVIEW

Key Terms
• Manufacturer’s code - a 64-bit word, unique to each manufacturer, used to produce a unique encryption key in each transmitter (encoder).
• Encryption Key - a unique 64-bit key generated and programmed into the encoder during the manufacturing process. The encryption key controls the encryption algorithm and is stored in EEPROM on the encoder device.

1.1 Learn

The HCS product family facilitates several learn strategies to be implemented on the decoder. The following are examples of what can be done. It must be pointed out that there exist some third-party patents on learning strategies and implementation.

1.1.1 NORMAL LEARN

The receiver uses the same information that is transmitted during normal operation to derive the transmitter’s secret key, decrypt the discrimination value and the synchronization counter.

1.1.2 SECURE LEARN*

The transmitter is activated through a special button combination to transmit a stored 48-bit value (random seed) that can be used for key generation or be part of the key. Transmission of the random seed can be disabled after learning is completed.

The HCS300 is a code hopping encoder device that is designed specifically for keyless entry systems, primarily for vehicles and home garage door openers. It is meant to be a cost-effective, yet secure solution to such systems. The encoder portion of a keyless entry system is meant to be held by the user and operated to gain access to a vehicle or restricted area. The HCS300 requires very few external components (Figure 2-1).
Most keyless entry systems transmit the same code from a transmitter every time a button is pushed. The number of code combinations for a low end system is also relatively small. These shortcomings provide the means for a sophisticated thief to create a device that ‘grabs’ a transmission and re-transmits it later or a device that scans all possible combinations until the correct one is found.
The HCS300 employs the KEELOQ code hopping technology and an encryption algorithm to achieve a high level of security. Code hopping is a method by which the code transmitted from the transmitter to the receiver is different every time a button is pushed. This method, coupled with a transmission length of 66 bits, virtually eliminates the use of code ‘grabbing’ or code ‘scanning’.
As indicated in the block diagram on page one, the HCS300 has a small EEPROM array which must be loaded with several parameters before use. The most important of these values are:
• A 28-bit serial number which is meant to be unique for every encoder
• An encryption key that is generated at the time of production
• A 16-bit synchronization value
The serial number for each transmitter is programmed by the manufacturer at the time of production. The generation of the encryption key is done using a key generation algorithm (Figure 1-1). Typically, inputs to the key generation algorithm are the serial number of the transmitter and a 64-bit manufacturer’s code. The manufacturer’s code is chosen by the system manufacturer and must be carefully controlled. The manufacturer’s code is a pivotal part of the overall system security.
FIGURE 1-1: CREATION AND STORAGE OF ENCRYPTION KEY DURING PRODUCTION
[Figure: the transmitter serial number or seed and the manufacturer’s code are the inputs to the key generation algorithm, which outputs the encryption key. The HCS300 EEPROM array holds the serial number, encryption key and sync counter.]
The 16-bit synchronization value is the basis for the transmitted code changing for each transmission, and is updated each time a button is pressed. Because of the complexity of the code hopping encryption algorithm, a change in one bit of the synchronization value will result in a large change in the actual transmitted code. There is a relationship (Figure 1-2) between the key values in EEPROM and how they are used in the encoder. Once the encoder detects that a button has been pressed, the encoder reads the button and updates the synchronization counter. The synchronization value is then combined with the encryption key in the encryption algorithm and the output is 32 bits of encrypted information. This data will change with every button press, hence, it is referred to as the hopping portion of the code word. The 32-bit hopping code is combined with the button information and the serial number to form the code word transmitted to the receiver. The code word format is explained in detail in Section 4.2.
Any type of controller may be used as a receiver, but it is typically a microcontroller with compatible firmware that allows the receiver to operate in conjunction with a transmitter, based on the HCS300. Section 7.0 provides more detail on integrating the HCS300 into a total system.
Before a transmitter can be used with a particular receiver, the transmitter must be ‘learned’ by the receiver. Upon learning a transmitter, information is stored by the receiver so that it may track the transmitter, including the serial number of the transmitter, the current synchronization value for that transmitter and the same encryption key that is used on the transmitter. If a receiver receives a message of valid format, the serial number is checked and, if it is from a learned transmitter, the message is decrypted and the decrypted synchronization counter is checked against what is stored. If the synchronization value is verified, then the button status is checked to see what operation is needed. Figure 1-3 shows the relationship between some of the values stored by the receiver and the values received from the transmitter.
FIGURE 1-2: BASIC OPERATION OF TRANSMITTER (ENCODER)
[Figure: the EEPROM array holds the encryption key, sync counter and serial number. The KEELOQ encryption algorithm produces 32 bits of encrypted data. The transmitted information consists of the button press information, the serial number and the 32 bits of encrypted data.]
FIGURE 1-3: BASIC OPERATION OF RECEIVER (DECODER)
[Figure: the receiver EEPROM array holds the manufacturer code, serial number, encryption key and sync counter. The received information consists of the button press information, the serial number and 32 bits of encrypted data. The received serial number is checked for a match, the KEELOQ decryption algorithm recovers the decrypted synchronization counter, and that counter is checked for a match against the stored sync counter.]

2.0 DEVICE OPERATION

As shown in the typical application circuits (Figure 2-1), the HCS300 is a simple device to use. It requires only the addition of buttons and RF circuitry for use as the transmitter in your security application. Each pin is described in Table 2-1.
FIGURE 2-1: TYPICAL CIRCUITS
[Figure, two panels: "2 button remote control" (buttons B0, B1) and "5 button remote control (Note)" (buttons B0 to B4). Each panel shows the HCS300 with inputs S0 to S3, VDD, VSS, LED and the PWM pin driving Tx out.]
Note: Up to 15 functions can be implemented by pressing more than one button simultaneously or by using a suitable diode array.
TABLE 2-1: PIN DESCRIPTIONS

Name  Pin Number  Description
S0    1           Switch input 0
S1    2           Switch input 1
S2    3           Switch input 2/Can also be clock pin when in programming mode
S3    4           Switch input 3/Clock pin when in programming mode
VSS   5           Ground reference connection
PWM   6           Pulse width modulation (PWM) output pin/Data pin for programming mode
LED   7           Cathode connection for directly driving LED during transmission
VDD   8           Positive supply voltage connection

The high security level of the HCS300 is based on the patented KEELOQ technology. A block cipher type of encryption algorithm based on a block length of 32 bits and a key length of 64 bits is used. The algorithm obscures the information in such a way that even if the transmission information (before coding) differs by only one bit from the information in the previous transmission, the next coded transmission will be totally different. Statistically, if only one bit in the 32-bit string of information changes, approximately 50 percent of the coded transmission will change. The HCS300 will wake up upon detecting a switch closure and then delay approximately 10 ms for switch debounce (Figure 2-2). The synchronized information, fixed information, and switch information will be encrypted to form the hopping code. The encrypted or hopping code portion of the transmission will change every time a button is pressed, even if the same button is pushed again. Keeping a button pressed for a long time will result in the same code word being transmitted until the button is released or timeout occurs. A code that has been transmitted will not occur again for more than 64K transmissions. This will provide more than 18 years of typical use before a code is repeated based on 10 operations per day. Overflow information programmed into the encoder can be used by the decoder to extend the number of unique transmissions to more than 192K.
If in the transmit process it is detected that a new button(s) has been pressed, a reset will immediately be forced and the code word will not be completed. Please note that buttons removed will not have any effect on the code word unless no buttons remain pressed, in which case the current code word will be completed and the power down will occur.
FIGURE 2-2: ENCODER OPERATION
[Flowchart, in order: Power Up (a button has been pressed); Reset and Debounce Delay (10 ms); Sample Inputs; Update Sync Info; Encrypt With Encryption Key; Load Transmit Register; Transmit; decision "Buttons Added?" (Yes/No); decision "All Buttons Released?" (Yes/No); Complete Code Word Transmission; Stop.]

3.0 EEPROM MEMORY ORGANIZATION

The HCS300 contains 192 bits (12 x 16-bit words) of EEPROM memory (Table 3-1). This EEPROM array is used to store the encryption key information, synchronization value, etc. Further descriptions of the memory array are given in the following sections.
TABLE 3-1: EEPROM MEMORY MAP

WORD ADDRESS  MNEMONIC     DESCRIPTION
0             KEY_0        64-bit encryption key (word 0)
1             KEY_1        64-bit encryption key (word 1)
2             KEY_2        64-bit encryption key (word 2)
3             KEY_3        64-bit encryption key (word 3)
4             SYNC         16-bit synchronization value
5             RESERVED     Set to 0000H
6             SER_0        Device Serial Number (word 0)
7             SER_1(Note)  Device Serial Number (word 1)
8             SEED_0       Seed Value (word 0)
9             SEED_1       Seed Value (word 1)
10            EN_KEY       16-bit Envelope Key
11            CONFIG       Config Word

Note: The MSB of the serial number contains a bit used to select the auto shutoff timer.

3.1 Key_0 - Key_3 (64-Bit Encryption Key)

The 64-bit encryption key is used by the transmitter to create the encrypted message transmitted to the receiver. This key is created and programmed at the time of production using a key generation algorithm. Inputs to the key generation algorithm are the serial number for the particular transmitter being used and a secret manufacturer’s code. While the key generation algorithm supplied from Microchip is the typical method used, a user may elect to create their own method of key generation. This may be done providing that the decoder is programmed with the same means of creating the key for decryption purposes. If a seed is used, the seed will also form part of the input to the key generation algorithm.

3.2 SYNC (Synchronization Counter)

This is the 16-bit synchronization value that is used to create the hopping code for transmission. This value will be changed after every transmission.

3.3 SER_0, SER_1 (Encoder Serial Number)

SER_0 and SER_1 are the lower and upper words of the device serial number, respectively. Although there are 32 bits allocated for the serial number, only the lower order 28 bits are transmitted. The serial number is meant to be unique for every transmitter. The most significant bit of the serial number (Bit 31) is used to turn the auto shutoff timer on or off.

3.3.1 AUTO SHUTOFF TIMER SELECT

The most significant bit of the serial number (Bit 31) is used to turn the Auto shutoff timer on or off. This timer prevents the transmitter from draining the battery should a button get stuck in the on position for a long period of time. The time period is approximately 25 seconds, after which the device will go to the Time-out mode. When in the Time-out mode, the device will stop transmitting, although since some circuits within the device are still active, the current draw within the Shutoff mode will be more than Standby mode. If the most significant bit in the serial number is a one, then the auto shutoff timer is enabled, and a zero in the most significant bit will disable the timer. The length of the timer is not selectable.

3.4 SEED_0, SEED_1 (Seed Word)

This is the two word (32 bits) seed code that will be transmitted when all four buttons are pressed at the same time. This allows the system designer to implement the secure learn feature or use this fixed code word as part of a different key generation/tracking process or purely as a fixed code transmission.

3.5 EN_Key (Envelope Encryption Key)

Envelope encryption is a selectable option that encrypts the portion of the transmission that contains the transmitter serial number. Selecting this option is done by setting the appropriate bit in the configuration word (Table 3-2). Normally, the serial number is transmitted in the clear (un-encrypted), but for an added level of security, the system designer may elect to implement this option. The envelope encryption key is used to encrypt the serial number portion of the transmission, if the envelope encryption option has been selected. The envelope encryption algorithm is a different algorithm than the key generation or transmit encryption algorithm. The EN_Key is typically a random number and the same for all transmitters in a system.

3.6 Configuration Word

The configuration word is a 16-bit word stored in the EEPROM array that is used by the device to store information used during the encryption process, as well as the status of option configurations. Each of the bits is explained further in the following sections.

TABLE 3-2: CONFIGURATION WORD

Bit Number  Bit Description
0           Discrimination Bit 0
1           Discrimination Bit 1
2           Discrimination Bit 2
3           Discrimination Bit 3
4           Discrimination Bit 4
5           Discrimination Bit 5
6           Discrimination Bit 6
7           Discrimination Bit 7
8           Discrimination Bit 8
9           Discrimination Bit 9
10          Overflow Bit 0 (OVR0)
11          Overflow Bit 1 (OVR1)
12          Low Voltage Trip Point Select
13          Baudrate Select Bit 0 (BSL0)
14          Baudrate Select Bit 1 (BSL1)
15          Envelope Encryption Select (EENC)

3.6.1 DISCRIMINATION VALUE (DISC0 TO DISC9)

The discrimination value can be programmed with any value to serve as a post decryption check on the decoder end. In a typical system, this will be programmed with the 10 least significant bits of the serial number, which will also be stored by the receiver system after a transmitter has been learned. The discrimination bits are part of the information that is to form the encrypted portion of the transmission. After the receiver has decrypted a transmission, the discrimination bits can be checked against the stored value to verify that the decryption process was valid.
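
The receiver-side checks described in Section 1.0 (serial number match, decryption, synchronization check) together with the discrimination check above, as an added example that is not from the datasheet or from Microchip's firmware. The cipher follows the publicly documented KeeLoq round structure; the plaintext field layout, the `learned_tx` record, the return codes, the 16-count forward window and all sample values are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define NLF 0x3A5C742EU
#define BIT(x, n) (((x) >> (n)) & 1U)
#define G5(x, a, b, c, d, e) \
    (BIT(x, a) | (BIT(x, b) << 1) | (BIT(x, c) << 2) | (BIT(x, d) << 3) | (BIT(x, e) << 4))

/* KeeLoq block cipher: 32-bit block, 64-bit key, 528 rounds. */
uint32_t keeloq_encrypt(uint32_t x, uint64_t k) {
    for (unsigned r = 0; r < 528; r++)
        x = (x >> 1) ^ ((BIT(x, 0) ^ BIT(x, 16) ^ (uint32_t)BIT(k, r & 63) ^
                         BIT(NLF, G5(x, 1, 9, 20, 26, 31))) << 31);
    return x;
}

uint32_t keeloq_decrypt(uint32_t x, uint64_t k) {
    for (unsigned r = 0; r < 528; r++)
        x = (x << 1) ^ BIT(x, 31) ^ BIT(x, 15) ^ (uint32_t)BIT(k, (15 - r) & 63) ^
            BIT(NLF, G5(x, 0, 8, 19, 25, 30));
    return x;
}

/* Record the receiver stores when it learns a transmitter (hypothetical struct). */
typedef struct {
    uint32_t serial;      /* 28-bit serial number */
    uint64_t key;         /* same 64-bit encryption key as the encoder */
    uint16_t sync, disc;  /* last accepted counter; 10-bit discrimination value */
} learned_tx;

enum { RX_OK = 0, RX_UNKNOWN_SERIAL, RX_BAD_DISC, RX_BAD_SYNC };
#define SYNC_WINDOW 16 /* assumed forward window; not given in this excerpt */

/* Assumed plaintext layout: button[31:28] ovr[27:26] disc[25:16] sync[15:0]. */
uint32_t pack_hop(uint8_t button, uint8_t ovr, uint16_t disc, uint16_t sync) {
    return ((uint32_t)(button & 0xF) << 28) | ((uint32_t)(ovr & 3) << 26) |
           ((uint32_t)(disc & 0x3FF) << 16) | sync;
}

/* Checks in the order the text gives: serial, decrypt, discrimination, sync. */
int rx_validate(learned_tx *tx, uint32_t serial, uint32_t hop, uint8_t *button) {
    if ((serial & 0x0FFFFFFF) != tx->serial) return RX_UNKNOWN_SERIAL;
    uint32_t p = keeloq_decrypt(hop, tx->key);
    if (((p >> 16) & 0x3FF) != tx->disc) return RX_BAD_DISC;
    uint16_t ahead = (uint16_t)((uint16_t)p - tx->sync); /* modulo 2^16 */
    if (ahead == 0 || ahead > SYNC_WINDOW) return RX_BAD_SYNC;
    tx->sync = (uint16_t)p; /* a counter value is accepted only once */
    *button = (uint8_t)(p >> 28);
    return RX_OK;
}

int main(void) {
    /* Constructed sample values, not from the datasheet. */
    learned_tx tx = { 0x0123456, 0x0123456789ABCDEFULL, 100, 0x056 };
    uint8_t btn = 0;
    uint32_t hop = keeloq_encrypt(pack_hop(2, 3, 0x056, 101), tx.key);
    int first = rx_validate(&tx, tx.serial, hop, &btn);  /* fresh code word */
    int replay = rx_validate(&tx, tx.serial, hop, &btn); /* same code word again */
    printf("first=%d replay=%d button=%u\n", first, replay, btn);
    return 0;
}
```

The second call shows why a recorded code word is rejected: its counter no longer lies ahead of the stored synchronization value.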

3.6.2 OVERFLOW BITS (OVR0 AND OVR1)

The overflow bits are used to extend the number of possible synchronization values. The synchronization counter is 16 bits in length, yielding 65,536 values before the cycle repeats. Under typical use of 10 operations a day, this will provide nearly 18 years of use before a repeated value will be used. Should the system designer conclude that is not adequate, then the overflow bits can be utilized to extend the number of unique values. This can be done by programming OVR0 and OVR1 to 1s at the time of production. The encoder will automatically clear OVR0 the first time that the synchronization value wraps from 0xFFFF to 0x0000 and clear OVR1 the second time the counter wraps. Once cleared, OVR0 and OVR1 cannot be set