Microchip Technology Inc HCS361T-I-SN, HCS361T-I-P, HCS361-I-P Datasheet

1996 Microchip Technology Inc.
Preliminary
DS40146C-page 1
FEATURES
Security
• Programmable 28/32-bit serial number
• Programmable 64-bit encryption key
• Each transmission is unique
• 67-bit transmission code length
• 32-bit hopping code
• 35-bit fixed code (28/32-bit serial number, 4/0-bit function code, 1-bit status, 2-bit CRC)
• Encryption keys are read protected
Operating
• 2.0-6.6V operation
• Four button inputs
- 15 functions available
• Selectable baud rate
• Automatic code word completion
• Battery low signal transmitted to receiver
• Nonvolatile synchronization data
• PWM and VPWM modulation
Other
• Easy to use programming interface
• On-chip EEPROM
• On-chip oscillator and timing components
• Button inputs have internal pulldown resistors
• Current limiting on LED output
• Minimum component count
Enhanced Features Over HCS300
• 48-bit seed vs. 32-bit seed
• 2-bit CRC for error detection
• 28/32-bit serial number select
• Two seed transmission methods
• PWM and VPWM modulation
• Wake-up signal in VPWM mode
• IR modulation mode
Typical Applications
The HCS361 is ideal for Remote Keyless Entry (RKE) applications. These applications include:
• Automotive RKE systems
• Automotive alarm systems
• Automotive immobilizers
• Gate and garage door openers
• Identity tokens
• Burglar alarm systems
PACKAGE TYPES
HCS361 BLOCK DIAGRAM
DESCRIPTION
The HCS361 is a code hopping encoder designed for secure Remote Keyless Entry (RKE) systems. The HCS361 utilizes the KEELOQ code hopping technology, which incorporates high security, a small package outline and low cost, to make this device a perfect solution for unidirectional remote keyless entry systems and access control systems.
The HCS361 combines a 32-bit hopping code generated by a nonlinear encryption algorithm, with a 28/32-bit serial number and 7/3 status bits to create a 67-bit transmission stream. The length of the transmission eliminates the threat of code scanning and the code hopping mechanism makes each transmission unique, thus rendering code capture and resend (code grabbing) schemes useless.
[Figure, PACKAGE TYPES: PDIP, SOIC. 8-pin HCS361: pin 1 S0, pin 2 S1, pin 3 S2, pin 4 S3, pin 5 VSS, pin 6 PWM, pin 7 LED, pin 8 VDD]
[Figure, HCS361 BLOCK DIAGRAM: Oscillator, Reset circuit, LED driver, Controller, Power latching and switching, Button input port, 32-bit shift register, Encoder, EEPROM; pins VSS, VDD, PWM, LED, S3, S2, S1, S0]
KEELOQ is a trademark of Microchip Technology Inc.
*Code hopping encoder patents issued in Europe, U. S. A., R. S. A. — US: 5,517,187; Europe: 0459781
HCS361
Code Hopping Encoder*
The encryption key, serial number, and configuration data are stored in EEPROM which is not accessible via any external connection. This makes the HCS361 a very secure unit. The HCS361 provides an easy to use serial interface for programming the necessary security keys, system parameters, and configuration data.
The encryption keys and code combinations are programmable but read-protected. The keys can only be verified after an automatic erase and programming operation. This protects against attempts to gain access to keys and manipulate synchronization values.
The HCS361 operates over a wide voltage range of 2.0V to 6.6V and has four button inputs in an 8-pin configuration. This allows the system designer the freedom to utilize up to 15 functions. The only components required for device operation are the buttons and RF circuitry, allowing a very low system cost.
1.0 SYSTEM OVERVIEW
1.1 Key Terms
• Manufacturer’s Code – a 64-bit word, unique to each manufacturer, used to produce a unique encryption key in each transmitter (encoder).
• Encryption Key – a unique 64-bit key generated and programmed into the encoder during the manufacturing process. The encryption key controls the encryption algorithm and is stored in EEPROM on the encoder device.
• Learn – The HCS product family facilitates several learning strategies to be implemented on the decoder. The following are examples of what can be done.
- Normal Learning: The receiver uses the same information that is transmitted during normal operation to derive the transmitter’s secret key, decrypt the discrimination value and the synchronization counter.
- Secure Learn*: The transmitter is activated through a special button combination to transmit a stored 48-bit value (random seed) that can be used for key generation or be part of the key. Transmission of the random seed can be disabled after learning is completed.
The HCS361 is a code hopping encoder device that is designed specifically for keyless entry systems, primarily for vehicles and home garage door openers. It is meant to be a cost-effective, yet secure solution to such systems. The encoder portion of a keyless entry system is meant to be held by the user and operated to gain access to a vehicle or restricted area. The HCS361 requires very few external components (Figure 2-1).
Most keyless entry systems transmit the same code from a transmitter every time a button is pushed. The relative number of code combinations for a low end system is also a relatively small number. These shortcomings provide the means for a sophisticated thief to create a device that ‘grabs’ a transmission and retransmits it later or a device that scans all possible combinations until the correct one is found.
The HCS361 employs the KEELOQ code hopping technology and an encryption algorithm to achieve a high level of security. Code hopping is a method by which the code transmitted from the transmitter to the receiver is different every time a button is pushed. This method, coupled with a transmission length of 67 bits, virtually eliminates the use of code ‘grabbing’ or code ‘scanning’.
As indicated in the block diagram on page one, the HCS361 has a small EEPROM array which must be loaded with several parameters before use. The most important of these values are:
• A 28/32-bit serial number which is meant to be unique for every encoder
• An encryption key that is generated at the time of production
• A 16-bit synchronization value
The serial number for each transmitter is programmed by the manufacturer at the time of production. The generation of the encryption key is done using a key generation algorithm (Figure 1-1). Typically, inputs to the key generation algorithm are the serial number of the transmitter or seed value, and a 64-bit manufacturer’s code. The manufacturer’s code is chosen by the system manufacturer and must be carefully controlled. The manufacturer’s code is a pivotal part of the overall system security.
The 16-bit synchronization value is the basis for the transmitted code changing for each transmission, and is updated each time a button is pressed. Because of the complexity of the code hopping encryption algorithm, a change in one bit of the synchronization value will result in a large change in the actual transmitted code.
There is a relationship (Figure 1-2) between the key values in EEPROM and how they are used in the encoder. Once the encoder detects that a button has been pressed, the encoder reads the button and updates the synchronization counter. The synchronization value is then combined with the encryption key in the encryption algorithm and the output is 32 bits of encrypted information. This data will change with every button press, hence, it is referred to as the hopping portion of the code word. The 32-bit hopping code is combined with the button information and the serial number to form the code word transmitted to the receiver. The code word format is explained in detail in Section 4.2.
Any type of controller may be used as a receiver, but it is typically a microcontroller with compatible firmware that allows the receiver to operate in conjunction with a transmitter, based on the HCS361. Section 7.0 provides more detail on integrating the HCS361 into a total system.
*Secure Learning patents pending.
Before a transmitter can be used with a particular receiver, the transmitter must be ‘learned’ by the receiver. Upon learning a transmitter, information is stored by the receiver so that it may track the transmitter, including the serial number of the transmitter, the current synchronization value for that transmitter and the same encryption key that is used on the transmitter. If a receiver receives a message of valid format, the serial number is checked and, if it is from a learned transmitter, the message is decrypted and the decrypted synchronization counter is checked against what is stored. If the synchronization value is verified, then the button status is checked to see what operation is needed. Figure 1-3 shows the relationship between some of the values stored by the receiver and the values received from the transmitter.
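The receiver-side check described above, as an added example that is not from the Microchip datasheet: it assumes the 32-bit hopping code has already been decrypted, and the acceptance window SYNC_WINDOW, the learned_tx table and the function names are hypothetical. It shows how comparing the 16-bit counter modulo 2^16 rejects a retransmitted (grabbed) code while still tolerating counter rollover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: how far ahead of the stored value a counter may be.
   The datasheet text above does not give a window size. */
#define SYNC_WINDOW 16u

typedef struct {
    uint32_t serial;  /* 28/32-bit serial number stored at learn time */
    uint16_t sync;    /* last accepted 16-bit synchronization value */
} learned_tx;

typedef enum { RX_ACCEPT, RX_UNKNOWN_SERIAL, RX_REJECT_SYNC } rx_result;

/* serial: taken from the fixed code portion of the message.
   decrypted_sync: counter recovered by decrypting the hopping code
   (the decryption itself is outside this example). */
rx_result rx_check(learned_tx *tbl, size_t n, uint32_t serial,
                   uint16_t decrypted_sync)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].serial != serial)
            continue;
        /* Distance ahead of the stored counter, modulo 2^16, so that
           0xFFFE -> 0x0003 counts as 5 steps forward. */
        uint16_t ahead = (uint16_t)(decrypted_sync - tbl[i].sync);
        if (ahead == 0 || ahead > SYNC_WINDOW)
            return RX_REJECT_SYNC;    /* replayed, stale, or too far ahead */
        tbl[i].sync = decrypted_sync; /* keep tracking the transmitter */
        return RX_ACCEPT;
    }
    return RX_UNKNOWN_SERIAL;         /* not a learned transmitter */
}

static const char *rx_name(rx_result r)
{
    switch (r) {
    case RX_ACCEPT:         return "accept";
    case RX_UNKNOWN_SERIAL: return "unknown serial";
    default:                return "reject (sync)";
    }
}

int main(void)
{
    /* Constructed sample data, not captured from a real transmitter. */
    learned_tx tbl[] = { { 0x0123456u, 100 } };

    printf("first press : %s\n", rx_name(rx_check(tbl, 1, 0x0123456u, 101)));
    printf("same code   : %s\n", rx_name(rx_check(tbl, 1, 0x0123456u, 101)));
    printf("older code  : %s\n", rx_name(rx_check(tbl, 1, 0x0123456u, 99)));
    printf("other serial: %s\n", rx_name(rx_check(tbl, 1, 0x0FFFFFFu, 102)));
    return 0;
}
```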
FIGURE 1-1: CREATION AND STORAGE OF ENCRYPTION KEY DURING PRODUCTION
[Diagram labels: Transmitter Serial Number or Seed; Manufacturer’s Code; Key Generation Algorithm; Encryption Key; HCS361 EEPROM Array; Serial Number; Encryption Key; Sync Counter]
FIGURE 1-2: BASIC OPERATION OF TRANSMITTER (ENCODER)
[Diagram labels: EEPROM Array; Button Press Information; KEELOQ Encryption Algorithm; 32 Bits of Encrypted Data; Serial Number; Transmitted Information]
FIGURE 1-3: BASIC OPERATION OF RECEIVER (DECODER)
[Diagram labels: EEPROM Array; Manufacturer Code; Serial Number; Sync Counter; Decryption Key; Received Information; Button Press Information; 32 Bits of Encrypted Data; KEELOQ Decryption Algorithm; Decrypted Synchronization Counter; Check for Match (two places)]
2.0 DEVICE OPERATION
As shown in the typical application circuits (Figure 2-1), the HCS361 is a simple device to use. It requires only the addition of buttons and RF circuitry for use as the transmitter in your security application. Each pin is described in Table 2-1.
FIGURE 2-1: TYPICAL CIRCUITS
TABLE 2-1 PIN DESCRIPTIONS
The high security level of the HCS361 is based on the patented KEELOQ technology. A block cipher type of encryption algorithm based on a block length of 32 bits and a key length of 64 bits is used. The algorithm obscures the information in such a way that even if the transmission information (before coding) differs by only one bit from the information in the previous transmission, the next coded transmission will be totally different. Statistically, if only one bit in the 32-bit string of information changes, approximately 50 percent of the coded transmission will change.
The HCS361 will wake up upon detecting a switch closure and then delay approximately 6.5 ms for switch debounce (Figure 2-2). The synchronization information, fixed information, and switch information will be encrypted to form the hopping code. The encrypted or hopping code portion of the transmission will change every time a button is pressed, even if the same button is pushed again. Keeping a button pressed for a long time will result in the same code word being transmitted until the button is released or time-out occurs. A code that has been transmitted will not occur again for more than 64K transmissions. This will provide more than 18 years of typical use before a code is repeated based on 10 operations per day. Overflow information programmed into the encoder can be used by the decoder to extend the number of unique transmissions to more than 128K.
If in the transmit process it is detected that a new button(s) has been pressed, a reset will immediately be forced and the code word will not be completed. Please note that buttons removed will not have any effect on the code word unless no buttons remain pressed in which case the current code word will be completed and the power down will occur.
[Figure 2-1 circuit drawings: "2 button remote control" (B0, B1) and "5 button remote control (Note)" (B0 to B4); labels on each: VDD, S0, S1, S2, S3, LED, PWM, VSS, Tx out]
Note: Up to 15 functions can be implemented
by pressing more than one button simul-
Table 2-1, Pin Descriptions:
Name   Pin Number   Description
S0     1            Switch input 0
S1     2            Switch input 1
S2     3            Switch input 2/Can also be clock pin when in programming mode
S3     4            Switch input 3/Clock pin when in programming mode
VSS    5            Ground reference connection
PWM    6            Pulse width modulation (PWM) output pin/Data pin for programming mode
LED    7            Cathode connection for directly driving LED during transmission
VDD    8            Positive supply voltage connection
FIGURE 2-2: ENCODER OPERATION
3.0 EEPROM MEMORY ORGANIZATION
The HCS361 contains 192 bits (12 x 16-bit words) of EEPROM memory (Table 3-1). This EEPROM array is used to store the encryption key information, synchronization value, etc. Further descriptions of the memory array are given in the following sections.
TABLE 3-1 EEPROM MEMORY MAP
3.1 Key_0 - Key_3 (64-Bit Encryption Key)
The 64-bit encryption key is used by the transmitter to create the encrypted message transmitted to the receiver. This key is created and programmed at the time of production using a key generation algorithm. Inputs to the key generation algorithm are the serial number for the particular transmitter being used and a secret manufacturer’s code. While the key generation algorithm supplied from Microchip is the typical method used, a user may elect to create their own method of key generation. This may be done providing that the decoder is programmed with the same means of creating the key for decryption purposes. If a seed is used, the seed will also form part of the input to the key generation algorithm.
[Figure 2-2 flowchart boxes, in order: Power Up (A button has been pressed); Reset and Debounce Delay (6.5 ms); Sample Inputs; Update Sync Info; Encrypt With Encryption Key; Load Transmit Register; Transmit; decision "Buttons Added?" (Yes/No); decision "All Buttons Released?" (Yes/No); Complete Code Word Transmission; Stop]
Table 3-1, EEPROM Memory Map:
WORD ADDRESS   MNEMONIC        DESCRIPTION
0              KEY_0           64-bit encryption key (word 0)
1              KEY_1           64-bit encryption key (word 1)
2              KEY_2           64-bit encryption key (word 2)
3              KEY_3           64-bit encryption key (word 3)
4              SYNC_A          16-bit synchronization value
5              SYNC_B/SEED_2   16-bit synchronization or seed value (word 2)
6              RESERVED        Set to 0000H
7              SEED_0          Seed Value (word 0)
8              SEED_1          Seed Value (word 1)
9              SER_0           Device Serial Number (word 0)
10             SER_1           Device Serial Number (word 1)
11             CONFIG          Configuration Word
3.2 SYNC_A, SYNC_B (Synchronization Counter)
This is the 16-bit synchronization value that is used to create the hopping code for transmission. This value will be changed after every transmission. A second synchronization value can be used to stay synchronized with a second receiver.
3.3 SEED_0, SEED_1, and SEED_2 (Seed Word)
This is the three word (48 bits) seed code that will be transmitted when seed transmission is selected. This allows the system designer to implement the secure learn feature or use this fixed code word as part of a different key generation/tracking process or purely as a fixed code transmission.
3.4 SER_0, SER_1 (Encoder Serial Number)
SER_0 and SER_1 are the lower and upper words of the device serial number, respectively. There are 32 bits allocated for the serial number and a selectable configuration bit determines whether 32 or 28 bits will be transmitted. The serial number is meant to be unique for every transmitter.
3.5 CONFIG (Configuration Word)
The configuration word is a 16-bit word stored in the EEPROM array that is used by the device to store information used during the encryption process, as well as the status of option configurations. Each of the bits is explained in the following sections.
TABLE 3-2 CONFIGURATION WORD
3.5.1 BACW: BLANK ALTERNATE CODE WORD
BACW = 1 selects the encoder to transmit every second code word. This can be used to reduce the average power transmitted over a 100ms window and thereby transmit a higher peak power.
3.5.2 FAST: SELECT FAST TRANSMISSION
FAST selects the baud rate. If FAST = 1, the baud rate is nominally 1667 bits per second and with FAST = 0, 833 bits per second.
3.5.3 TXWAK: BIT FORMAT SELECT OR WAKEUP
In PWM mode, this bit selects the bit format. If TXWAK = 1, the PWM pulse is 1/6;2/6 and for TXWAK = 0, 1/3;2/3 (Figure 4-1, VPWM = 0).
In VPWM mode, this bit enables the wake-up signal. With TXWAK = 1, transmission of the wake-up and dead time sequence is enabled (Figure 4-2, VPWM = 1). Wakeup is transmitted before the first code word of each transmission only. For TXWAK = 0, the transmission will skip wake-up and start transmitting the preamble portion of the code word (Figure 4-2, VPWM = 1).
3.5.4 SPM: SYNC PULSE MODULATION
Select modulation mode of Sync Pulse. If SPM = 1, the sync pulse is modulated (Figure 4-1 and Figure 4-2).
Table 3-2, Configuration Word:
Bit Number   Symbol   Bit Description
0            BACW     Blank Alternate Code Word
1            FAST     Baud Rate Selection
2            TXWAK    PWM mode: 1/6, 2/6 or 1/3, 2/3 select; VPWM mode: Wakeup enable
3            SPM      Sync Pulse Modulation
4            SEED     Seed Transmission enable
5            DELM     Delay mode enable
6            TIMO     Time out enable
7            IND      Independent mode enable
8            USRA0    User bit
9            USRA1    User bit
10           USRB0    User bit
11           USRB1    User bit
12           XSER     Extended serial number enable
13           TMPSD    Temporary seed transmission enable
14           VPWM     VPWM select
15           OVR      Overflow bit
3.5.5 SEED: ENABLE SEED TRANSMISSION
If SEED = 0, seed transmission is disabled. The independent counter mode can only be used with seed transmission disabled since SEED_2 is shared with the second synchronization counter.
With SEED = 1, seed transmission is enabled. The appropriate button code(s) must be activated to transmit the seed information. In this mode, the seed information (SEED_0, SEED_1, and SEED_2) and the upper 12- or 16-bits of the serial number (SER_1) are transmitted instead of the hop code.
Seed transmission is available for function codes (Table 3-7) S[3:0] = 1001 and S[3:0] = 0011 (delayed). This takes place regardless of the setting of the IND bit. The two seed transmissions are shown in Figure 3-1.
FIGURE 3-1: SEED TRANSMISSION
All examples shown with XSER = 1, SEED = 1
When S[3:0] = 1001, delay is not applicable:
  CRC+VLOW | SER_1 | SEED_2 | SEED_1 | SEED_0
For S[3:0] = 0x3 before delay (16-bit Data Word and 16-bit Counter pass through Encrypt to give Encrypted Data):
  CRC+VLOW | SER_1 | SER_0 | Encrypted Data
For S[3:0] = 0011 after delay (Note 1, Note 2):
  CRC+VLOW | SER_1 | SEED_2 | SEED_1 | SEED_0
[Each row is marked "Data transmission direction" in the original figure.]
Note 1: For Seed Transmission, SEED_2 is transmitted instead of SER_0.
Note 2: For Seed Transmission, the setting of DELM has no effect.
3.5.6 DELM: DELAY MODE
If DELM = 1, delay transmission is enabled. A delayed transmission is indicated by inverting the lower nibble of the discrimination value. The delay mode is primarily for compatibility with previous KEELOQ devices. If DELM = 0, delay transmission is disabled (Table 3-3).
TABLE 3-3 TYPICAL DELAY TIMES
3.5.7 TIMO: TIME-OUT
If TIMO = 1, the time-out is enabled. Time-out can be used to terminate accidental continuous transmissions. When time-out occurs, the PWM output is set low and the LED is turned off. Current consumption will be higher than in standby mode since current will flow through the activated input resistors. This state can be exited only after all inputs are taken low. TIMO = 0 will enable continuous transmission (Table 3-4).
TABLE 3-4 TYPICAL TIME-OUT TIMES
3.5.8 IND: INDEPENDENT MODE
The independent mode can be used where one encoder is used to control two receivers. Two counters (SYNC_A and SYNC_B) are used in independent mode. As indicated in Table 3-7, function codes 1 to 7 use SYNC_A and 8 to 15 SYNC_B. The independent mode also selects IR mode. In IR mode function codes 12 to 15 will use counter B. The PWM output signal is modulated with a 40 kHz carrier. Note that the 40 kHz is derived from the internal clock and will therefore vary by the same percentage as the baud rate. If IND = 0, SYNC_A is used for all function codes. If IND = 1, independent mode is enabled and counters for functions are used according to Table 3-7.
For IND = 1 and S[3:0] ≡ 0xC, 0xD, 0xE, 0xF, Basic Pulse Width modulation becomes:
TABLE 3-5 IR MODULATION
3.5.9 USRA,B: USER BITS
User bits form part of the discrimination value. The user bits together with the IND bit can be used to identify the counter that is used in independent mode.
3.5.10 XSER: EXTENDED SERIAL NUMBER
If XSER = 1, the full 32-bit serial number [SER_1, SER_0] is transmitted. If XSER = 0, the four most significant bits of the serial number are substituted by S[3:0] and the format is compatible with the HCS200/300/301.
3.5.11 TMPSD: TEMPORARY SEED TRANSMISSION
The temporary seed transmission can be used to disable learning after the transmitter has been used for a programmable number of operations. This feature can be used to implement very secure systems. After learning is disabled, the seed information cannot be accessed even if physical access to the transmitter is possible. If TMPSD = 1 the seed transmission will be disabled after a number of code hopping transmissions. The number of transmissions before seed transmission is disabled can be programmed by setting the synchronization counter (SYNC_A or SYNC_B) to a value as shown in Table 3-6.
Table 3-3, Typical Delay Times:
TXWAK   FAST   Number of Code Words before Delay Mode   Time Before Delay Mode (VPWM = 0)
0       0      28                                       2.8s
0       1      56                                       2.9s
1       0      28                                       2.6s
1       1      56                                       2.8s

Table 3-4, Typical Time-out Times:
TXWAK   FAST   Maximum Number of Code Words Transmitted   Time Before Time-out (VPWM = 0)
0       0      256                                        25.6s
0       1      512                                        27.2s
1       0      256                                        23.8s
1       1      512                                        25.4s

Table 3-5, IR Modulation:
[Columns TXWAK, FAST, Basic Pulse, with rows 0 0, 0 1, 1 0, 1 1. The basic pulse waveforms were drawings; surviving labels: (400µs) (16x), (200µs) (8x), (100µs) (8x), Period = 25µs]

TABLE 3-6 SYNCHRONOUS COUNTER INITIALIZATION VALUES
Synchronous Counter Values   Number of Transmissions
0000H                        128
0060H                        64
0050H                        32
0048H                        16
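A pre-programming check of an EEPROM image against the rules in Sections 3.5.5 and 3.5.11 and Tables 3-1, 3-2 and 3-6, as an added example that is not Microchip's code. The function names and F_* flags are hypothetical, the sample image is constructed, and using SYNC_A (not SYNC_B) for the TMPSD count is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EEPROM word addresses used here (Table 3-1) */
enum { W_SYNC_A = 4, W_RESERVED = 6, W_CONFIG = 11, EEPROM_WORDS = 12 };

/* CONFIG bits used here (Table 3-2) */
#define CFG_SEED  (1u << 4)
#define CFG_IND   (1u << 7)
#define CFG_TMPSD (1u << 13)

/* Finding flags: names are this example's own, not Microchip's */
#define F_RESERVED_NONZERO   0x01u /* word 6 is not 0000H */
#define F_SEED_WITH_IND      0x02u /* SEED_2 and SYNC_B share word 5 */
#define F_SEED_NEVER_EXPIRES 0x04u /* SEED = 1 but TMPSD = 0 */
#define F_TMPSD_BAD_SYNC     0x08u /* SYNC_A is not a Table 3-6 value */

/* Table 3-6: initial counter value -> transmissions before seed
   transmission is disabled. Returns -1 for a value the table omits. */
int tmpsd_transmissions(uint16_t sync_init)
{
    static const struct { uint16_t init; int count; } tbl[] = {
        { 0x0000, 128 }, { 0x0060, 64 }, { 0x0050, 32 }, { 0x0048, 16 },
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (tbl[i].init == sync_init)
            return tbl[i].count;
    return -1;
}

/* Returns a bitmask of F_* findings for a 12-word EEPROM image. */
unsigned lint_eeprom(const uint16_t w[EEPROM_WORDS])
{
    uint16_t cfg = w[W_CONFIG];
    unsigned f = 0;

    if (w[W_RESERVED] != 0x0000)
        f |= F_RESERVED_NONZERO;
    if (!(cfg & CFG_SEED))
        return f;                   /* remaining checks concern the seed */
    if (cfg & CFG_IND)              /* 3.5.5: IND requires SEED = 0 */
        f |= F_SEED_WITH_IND;
    if (!(cfg & CFG_TMPSD)) {       /* seed stays available after learning */
        f |= F_SEED_NEVER_EXPIRES;
    } else if (tmpsd_transmissions(w[W_SYNC_A]) < 0) {
        /* Assumption: SYNC_A sets the count, since word 5 holds
           SEED_2 when SEED = 1. */
        f |= F_TMPSD_BAD_SYNC;
    }
    return f;
}

int main(void)
{
    /* Constructed image: keys, seed and serial left at zero. */
    uint16_t img[EEPROM_WORDS] = { 0 };

    img[W_SYNC_A] = 0x0050;
    img[W_CONFIG] = (uint16_t)(CFG_SEED | CFG_TMPSD);
    printf("findings 0x%02X, seed disabled after %d transmissions\n",
           lint_eeprom(img), tmpsd_transmissions(img[W_SYNC_A]));

    img[W_CONFIG] = (uint16_t)(CFG_SEED | CFG_IND);
    printf("findings 0x%02X\n", lint_eeprom(img));
    return 0;
}
```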