Microchip Technology Inc HCS301T-I-SN, HCS301T-I-P, HCS301-I-P Datasheet
HCS301
K
EE
L
OQ
Code Hopping Encoder*
FEATURES
Security
• Programmable 28-bit serial number
• Programmable 64-bit encryption key
• Each transmission is unique
• 66-bit transmission code length
• 32-bit hopping code
• 34-bit fixed code (28-bit serial number,
4-bit button code, 2-bit status)
• Encryption keys are read protected
Operating
• 3.5V - 13.0V operation
• Four button inputs
- 15 functions available
• Selectable baud rate
• Automatic code word completion
• Battery low signal transmitted to receiver
• Battery low indication on LED
• Non-volatile synchronization data
Other
• Functionally identical to HCS300
• Easy to use programming interface
• On-chip EEPROM
• On-chip oscillator and timing components
• Button inputs have internal pulldown resistors
• Current limiting on LED
• Low external component cost
output
Typical Applications
The HCS301 is ideal for Remote Keyless Entry (RKE)
applications. These applications include:
• Automotive RKE systems
• Automotive alarm systems
• Automotive immobilizers
• Gate and garage door openers
• Identity tokens
• Burglar alarm systems
DESCRIPTION
The HCS301, from Microchip Technology Inc., is a code
hopping encoder designed for secure Remote Keyless
Entry (RKE) systems. The HCS301 utilizes the K
code hopping technology , which incorporates high security, a small package outline, and low cost, to make this
device a perfect solution for unidirectional remote keyless entry systems and access control systems.
EE
OQ
L
PACKA GE TYPES
PDIP, SOIC
8
DD
S0
S1
S2
S3
1
2
3
4
HCS301
V
LED
7
6
PWM
V
SS
5
HCS301 BLOCK DIAGRAM
Oscillator
Reset circuit
LED
PWM
The HCS301 combines a 32-bit hopping code
generated by a non-linear encryption algorithm, with a
28-bit serial number and six status bits to create a
66-bit transmission stream. The length of the
transmission eliminates the threat of code scanning
and the code hopping mechanism makes each
transmission unique, thus rendering code capture and
resend (code grabbing) schemes useless.
The encryption key, serial number, and configuration
data are stored in EEPROM which is not accessible via
any external connection. This makes the HCS301 a
very secure unit. The HCS301 provides an easy to use
serial interface for programming the necessary security
keys, system parameters, and configuration data.
The encryption keys and code combinations are programmable but read-protected. The keys can only be
verified after an automatic erase and programming
operation. This protects against attempts to gain
access to keys and manipulate synchronization values .
LED driver
EEPROM
VSS
VDD
Controller
32-bit shift register
Button input port
S
S
2
3
Encoder
S1S
0
Power
latching
and
switching
KeeLoq is a registered trademark of Microchip Technology Inc.
*Code hopping encoder patents issued for Europe, U. S. A., and R. S. A.
1996 Microchip Technology Inc.
Preliminary
DS21143A-page 1
HCS301
The HCS301 operates over a wide voltage range of
3.5 volts to 13.0 volts and has four button inputs in an
8-pin configuration. This allo ws the system designer the
freedom to utilize up to 15 functions. The only
components required for device operation are the buttons and RF circuitry, allowing a very low system cost.
1.0 SYSTEM OVERVIEW
ey Terms
K
ufacturer’s code – a 64-bit word, unique to
• Man
each manufacturer, used to produce a unique
encryption key in each transmitter (encoder).
• Encr
yption Key – a unique 64-bit key generated
and programmed into the encoder during the
manufacturing process. The encryption key
controls the encryption algorithm and is stored in
EEPROM on the encoder device.
1.1 Learn
The HCS product family facilitates several learn strategies to be implemented on the decoder. The following
are examples of what can be done. It must be pointed
out that there exists some third-party patents on learning strategies and implementation.
The HCS301 is a code hopping encoder device that is
designed specifically for keyless entry systems,
primarily for vehicles and home garage door openers. It
is meant to be a cost-effective, yet secure solution to
such systems. The encoder por tion of a keyless entry
system is meant to be held by the user and operated to
gain access to a vehicle or restricted area. The
HCS301 requires very few external components
(Figure 2-1).
1.1.1 NORMAL LEARN
The receiver uses the same information that is transmit-
ted during normal operation to derive the transmitter’s
secret key, decrypt the discrimination value and the
synchronization counter.
1.1.2 SECURE LEARN*
The transmitter is activated through a special button
combination to transmit a stored 48-bit value (random
seed) that can be used for key generation or be part of
the key. Transmission of the random seed can be disabled after learning is completed.
Most low-end keyless entry systems transmit the same
code from a transmitter every time a button is pushed.
The relative number of code combinations for a lo w end
system is also a relatively small number. These
shortcomings provide the means for a sophisticated
thief to create a device that ‘grabs’ a transmission and
re-transmits it later, or a device that scans all possible
combinations until the correct one is found.
The HCS301 employs the K
encryption algorithm to achieve a high level of security.
Code hopping is a method by which the code
transmitted from the transmitter to the receiver is
different every time a button is pushed. This method,
coupled with a transmission length of 66 bits, virtually
eliminates the use of code ‘grabbing’ or code
‘scanning’.
As indicated in the block diagram on page one, the
HCS301 has a small EEPROM array which must be
loaded with several parameters before use. The most
important of these values are:
• A 28-bit serial number which is meant to be
unique for every encoder
• An encryption key that is generated at the time of
production
• A 16-bit synchronization value
The serial number for each transmitter is programmed
by the manufacturer at the time of production. The
generation of the encryption key is done using a key
generation algorithm (Figure 1-1). Typically, inputs to
the key generation algorithm are the serial number of
the transmitter and a 64-bit manufacturer’s code. The
manufacturer’s code is chosen by the system
manufacturer and must be carefully controlled. The
manufacturer’s code is a pivotal part of the overall
system security.
EE
L
OQ
code hopping
FIGURE 1-1: CREATION AND STORAGE OF ENCRYPTION KEY DURING PRODUCTION
HCS301 EEPROM Array
Serial Number
Encryption Key
Sync Counter
.
.
.
1996 Microchip Technology Inc.
Manufacturer’s
EE
OQ
*K
L
learning patents pending.
DS21143A-page 2
Code
Transmitter
Serial Number
Key
Generation
Algorithm
Encryption
Key
Preliminary
HCS301
The 16-bit synchronization value is the basis for the
transmitted code changing for each transmission, and
is updated each time a button is pressed. Because of
the complexity of the code hopping algorithm, a change
in one bit of the synchronization value will result in a
large change in the actual transmitted code. There is a
relationship (Figure 1-2) between the key values in
EEPROM and how they are used in the encoder . Once
the encoder detects that a button has been pressed,
the encoder reads the button and updates the synchronization counter. The synchronization value is then
combined with the encryption key in the encryption
algorithm and the output is 32 bits of encrypted information. This data will change with every button press,
hence, it is referred to as the hopping portion of the
code word. The 32-bit hopping code is combined with
the button information and the serial number to form the
code word transmitted to the receiver. The code word
format is explained in detail in Section 4.3.
Any type of controller may be used as a receiver, but it
is typically a microcontroller with compatible firmware
that allows the receiver to operate in conjunction with a
transmitter, based on the HCS301. Section 7.0
provides more detail on integrating the HCS301 into a
total system.
Before a transmitter can be used with a particular
receiver, the transmitter must be ‘learned’ by the
receiver. Upon learning a transmitter, information is
stored by the receiver so that it may track the
transmitter, including the serial number of the
transmitter, the current synchronization value for that
transmitter and the same encryption key that is used on
the transmitter. If a receiv er receives a message of v alid
format, the serial number is checked and, if it is from a
learned transmitter, the message is decrypted and the
decrypted synchronization counter is checked against
what is stored. If the synchronization value is verified,
then the button status is checked to see what operation
is needed. Figure 1-3 shows the relationship between
some of the values stored by the receiver and the values received from the transmitter.
FIGURE 1-2: BASIC OPERATION OF TRANSMITTER (ENCODER)
Transmitted Information
EEPROM Array
Encryption Key
Sync Counter
Serial Number
KEELOQ
Encryption
Algorithm
32 Bits of
Encrypted Data
Serial Number
FIGURE 1-3: BASIC OPERATION OF RECEIVER (DECODER)
EEPROM Array
Encryption Key
Sync Counter
Serial Number
Manufacturer Code
Button Press
Information
Check for
Match
Serial Number
KEELOQ
Encryption
Algorithm
32 Bits of
Encrypted Data
Button Press
Information
Check for
Match
Decrypted
Synchronization
Counter
1996 Microchip Technology Inc.
Received Information
Preliminary
DS21143A-page 3
HCS301
2.0 DEVICE OPERATION
As shown in the typical application circuits (Figure 2-1),
the HCS301 is a simple device to use. It requires only
the addition of buttons and RF circuitry for use as the
transmitter in your security application. A description of
each pin is described in Table 2-1.
Note: When V
loads, a resistor with a minimum value of 50 Ω
should be used in line with V
clamping of PWM at 9.0V in the event of PWM
overshoot.
FIGURE 2-1: TYPICAL CIRCUITS
(Note 2)
B0
B1
B4 B3 B2 B1 B0
DD
> 9.0V and driving low capacitive
DD
. This prevents
+12V
R
VDD
S0
VDD
S1
S2
S3
2 button remote control
LED
PWM
V
SS
(Note 2)
VDD
Tx out
+12V
R
The high security level of the HCS301 is based on the patented K
EE
L
OQ
technology . A b lock cipher based on a b lock
length of 32 bits and a key length of 64 bits is used. The
algorithm obscures the information in such a way that ev en
if the transmission information (before coding) differs by
only 1 bit from the information in the previous transmission, the next coded transmission will be totally different.
Statistically, if only 1 bit in the 32-bit string of information
changes, approximately 50 percent of the coded transmission will change. The HCS301 will wake up upon detecting
a switch closure and then delay approximately 10 ms for
switch debounce (Figure 2-2). The synchronization information, fixed information, and switch information will be
encrypted to form the hopping code. The encrypted or
hopping code portion of the transmission will change every
time, even if the same b utton is pushed again. A code that
has been transmitted will not occur again for more than
64K transmissions. This will provide more than 18 years of
typical use before a code is repeated, based on 10 operations per day. Overflow information sent from the encoder
can be used by the decoder to extend the number of
unique transmissions to more than 192K.
If, in the transmit process, it is detected that a new button(s) has been pressed, a reset will immediately be
forced and the code word will not
be completed. Please
note that buttons removed will not have any effect on the
code word unless no buttons remain pressed. In this case ,
the code word will be completed and the power down will
occur.
S0
VDD
LED
S1
PWM
S2
S3
V
SS
5 button remote control (Note1)
Note 1: Up to 15 functions can be implemented by pressing
more than one button simultaneously or by using a
suitable diode array.
Tx out
2: Resistor (R) is recommended for current limiting.
TABLE 2-1: PIN DESCRIPTIONS
Name
S0 1 Switch input 0
S1 2 Switch input 1
S2 3 Switch input 2/Can also be clock
S3 4 Switch input 3/Clock pin when in
V
SS
PWM 6 Pulse width modulation (PWM)
LED
V
DD
Pin
Number
Description
pin when in programming mode
programming mode
5 Ground reference connection
output pin/Data pin for
programming mode
7 Cathode connection for directly
driving LED
during transmission
8 Positive supply voltage
connection
FIGURE 2-2: ENCODER OPERATION
Power Up
(A button has been pressed)
Reset and Debounce Delay
Load T r ansmit Register
Yes
Word Transmission
(10 ms)
Sample Inputs
Update Sync Info
Encrypt With
Encryption Key
T r ansmit
Buttons
Added?
No
All
Buttons
Released?
Yes
Complete Code
Stop
No
DS21143A-page 4
Preliminary
1996 Microchip Technology Inc.
HCS301
3.0 EEPROM MEMORY ORGANIZATION
The HCS301 contains 192 bits (12 x 16-bit words) of
EEPROM memory (Table 3-1). This EEPROM array is
used to store the encryption key information,
synchronization value, etc. Further descriptions of the
memory array is given in the following sections.
TABLE 3-1: EEPROM MEMORY MAP
WORD
ADDRESS
0 KEY_0 64-bit encryption key
1 KEY_1 64-bit encryption key
2 KEY_2 64-bit encryption key
3 KEY_3 64-bit encryption key
4 SYNC 16-bit synchronization
5 RESERVED Set to 0000H
6 SER_0 Device Serial Number
7 SER_1(Note) Device Serial Number
8 SEED_0 Seed Value (word 0)
9 SEED_1 Seed Value (word 1)
10 EN_KEY 16-bit Envelope Key
11 CONFIG Configuration Word
Note: The MSB of the serial number contains a bit
3.1 Key_0 - Key_3 (64-Bit Encryption Key)
The 64-bit encryption key is used by the transmitter to
create the encrypted message transmitted to the
receiver. This key is created and programmed at the
time of production using a key generation algorithm.
The key generation algorithm is different from the
K
encryption method. Inputs to the key generation
algorithm are the serial number for the particular
transmitter being used and the 64-bit manufacturer’s
code. While the key generation algorithm supplied from
Microchip is the typical method used, a user may elect
to create their own method of key generation. This may
be done providing that the decoder is programmed with
the same means of creating the key for
decryption purposes.
EE
L
OQ
MNEMONIC DESCRIPTION
(word 0)
(word 1)
(word 2)
(word 3)
value
(word 0)
(word 1)
used to select the auto shutoff timer.
algorithm, although it too is a proprietary
3.2 SYNC (Synchronization Counter)
This is the 16-bit synchronization value that is used to
create the hopping code for transmission. This value
will be changed after every transmission.
3.3 SER_0, SER_1 (Encoder Serial Number)
SER_0 and SER_1 are the lower and upper words of
the device serial number, respectively. Although there
are 32 bits allocated for the serial number, only the
lower order 28 bits are transmitted. The serial number
is meant to be unique for every transmitter. The most
significant bit of the serial number (Bit 31) is used to
turn the auto shutoff timer on or off.
3.3.1 AUTO-SHUTOFF TIMER SELECT
The most significant bit of the serial number (Bit 31) is
used to turn the Auto-shutoff timer on or off. This timer
prevents the transmitter from draining the battery
should a button get stuck in the on position for a long
period of time. The time period is approximately
25 seconds, after which the device will go to the
Time-out mode. When in the Time-out mode , the device
will stop transmitting, although since some circuits
within the device are still active, the current dr a w within
the Shutoff mode will be more than Standby mode. If
the most significant bit in the serial number is a one,
then the Auto-shutoff timer is enabled, and a zero in the
most significant bit will disable the timer. The length of
the timer is not selectable.
3.4 SEED_0, SEED_1 (Seed Word)
This is the two-word (32 bits) seed code that will be
transmitted when all four buttons are pressed at the same
time. This allows the system designer to implement the
secure learn feature or use this fixed code word as part of
a different key gener ation/tr ac king process .
3.5 EN_Key (Envelope Encryption Key)
Envelope encryption is a selectable option that
encrypts the portion of the transmission that contains
the transmitter serial number and function code. Selecting this option is done by setting the appropriate bit in
the configuration word (Table 3-2). Normally, the serial
number and function code are transmitted in the clear
(unencrypted), but for an added level of security, the
system designer may elect to implement this option.
The envelope encryption key is used to encrypt the
serial number and function code portion of the transmission, if the envelope encryption option has been
selected. The envelope encryption algorithm is a different algorithm than the key generation or transmit
encryption algorithm. The EN_k e y is typically a random
number and the same for all transmitters in a system.
1996 Microchip Technology Inc.
Preliminary
DS21143A-page 5
HCS301
3.6 Configuration Wor d
The configuration word is a 16-bit word stored in
EEPROM array that is used by the device to store
information used during the encryption process, as well
as the status of option configurations. Further
explanations of each of the bits are described in the
following sections.
TABLE 3-2: CONFIGURATION WORD
Bit Number Bit Description
0 Discrimination Bit 0
1 Discrimination Bit 1
2 Discrimination Bit 2
3 Discrimination Bit 3
4 Discrimination Bit 4
5 Discrimination Bit 5
6 Discrimination Bit 6
7 Discrimination Bit 7
8 Discrimination Bit 8
9 Discrimination Bit 9
10 Overflow Bit 0 (OVR0)
11 Overflow Bit 1 (OVR1)
12 Low V oltage Trip Point Select
13 Baudrate Select Bit 0 (BSL0)
14 Baudrate Select Bit 1 (BSL1)
15 Envelope Encryption Select (EENC)
0x0000 and clear OVR1 the second time the counter
wraps. Once cleared, OVR0 and OVR1 cannot be set
again, thereby creating a permanent record of the
counter overflow. This prevents fast cycling of 64K
counter. If the decoder system is programmed to track
the overflow bits, then the effective number of unique
synchronization values can be extended to 196,608.
3.6.3 ENVELOPE ENCRYPTION (EENC)
If the EENC bit is set to a 1, the serial number and func-
tion code will also be encrypted so that it will appear to
be random. The 16-bit en velope k ey and env elope algorithm will be used for encryption.
3.6.4 BAUDRATE SELECT BITS (BSL0, BSL1)
BSL0 and BSL1 select the speed of transmission and
the code word blanking. Table 3-3 shows how the bits
are used to select the different baud rates and
Section 5.2 provides detailed explanation in code word
blanking.
TABLE 3-3: BAUDRATE SELECT
BSL1 BSL0
0 0 400 µ s All
0 1 200 µ s 1 out of 2
1 0 100 µ s 1 out of 2
1 1 100 µ s 1 out of 4
Basic Pulse
Element
Code Wor ds
T ransmitted
3.6.1 DISCRIMINATION VALUE (DISC0 TO DISC9)
The discrimination value can be programmed with any
value to serve as a post decryption check on the
decoder end. In a typical system, this will be
programmed with the 10 least significant bits of the
serial number or a constant value, which will also be
stored by the receiver system after a transmitter has
been learned. The discrimination bits are part of the
information that is to form the encrypted portion of the
transmission. After the receiver has decrypted a transmission, the discrimination bits can be checked against
the stored value to verify that the decryption process
was valid.
3.6.2 OVERFLOW BITS (OVR0 AND OVR1)
The overflow bits are used to e xtend the number of possible synchronization values. The synchronization
counter is 16 bits in length, yielding 65,536 values
before the cycle repeats. Under typical use of
10 operations a day, this will provide nearly 18 years of
use before a repeated value will be used. Should the
system designer conclude that is not adequate, then
the overflow bits can be utilized to e xtend the number of
unique values. This can be done by programming
OVR0 and OVR1 to 1s at the time of production. The
encoder will automatically clear OVR0 the first time that
the synchronization value wraps from 0xFFFF to
DS21143A-page 6
Preliminary
1996 Microchip Technology Inc.
Loading...