Microchip Technology Inc HCS410T-I-ST, HCS410T-I-SN, HCS410T-I-P, HCS410-I-ST, HCS410-I-SN Datasheet



1997 Microchip Technology Inc.

Preliminary

DS40158C-page 1

M

HCS410

FEATURES

Security

• Two programmable 64-bit encoder keys

• 16/32-bit bi-directional challenge and response
using one of two keys

• 69-bit transmission length

• 32-bit unidirectional code hopping, 37-bit
nonencrypted portion

• Encoder keys are read protected

• Programmable 28/32-bit serial number

• 60/64-bit, read-protected seed for secure learning

• Three IFF encryption algorithms

• Delayed increment mechanism

• Asynchronous transponder communication

• Queuing information transmitted

Operating

• 2.0V to 6.6V operation, 13V encoder only
operation

• Three switch inputs [S2, S1, S0]—sev en functions

• Batteryless bi-directional transponder

• Selectable baud rate and code word blanking

• Automatic code word completion

• Battery low signal transmitted

• Nonvolatile synchronization

• PWM or Manchester RF encoding

• Combined transmitter, transponder operation

• Anti-collision of multiple transponders

• Passive proximity activation

• Device protected against reverse battery

• Intelligent damping for high Q LC-circuits

Other

• 37-bit nonencrypted part contains 28/32-bit serial
number, 4/0-bit function code, 1-bit battery low,
2-bit CRC, 2-bit queue

• Simple programming interface

• On-chip tunable RC oscillator ( ± 10%)

• On-chip EEPROM

• 64-bit user EEPROM in transponder mode

• Battery-low LED indication

• SQTP serialization quick-time programming

• 8-pin PDIP/SOIC/TSSOP and die

Typical Applications

• Automotive remote entry systems

• Automotive alarm systems

• Automotive immobilizers

• Gate and garage openers

• Electronic door locks (Home/Office/Hotel)

• Burglar alarm systems

• Proximity access control

PACKA GE TYPES

BLOCK DIAGRAM

HCS410

S0
S1

S2/LED

LC1

VDD
LC0

PWM

GND

18
2

3

4

7

6

5

PDIP, SOIC

HCS410

S2/LED

LC1

GND

PWM

1
2
3
4

8
7
6
5

S1
S0
V

DD

LC0

TSSOP

Oscillator

Configuration Register

Power

Control

Wakeup

Logic

Address

Decoding

EEPROM

Debounce

Control

and

Queuer

LED

Control

PWM

Driver

PPM

Detector

PWM

PPM

Manch.

Encoder

Transponder

Circuitry

Control Logic

and Counters

Encryption/Increment

Logic

Register

VDD

S0
S1

S2

LCI0
LCI1

PWM

Code Hopping Encoder and Transponder*

K

EE

L

OQ

is a registered trademark of Microchip Technology Inc.

*Code hopping encoder patents issued in Europe, U.S.A., R.S.A.—U.S.A.: 5,517,187; Europe: 0459781

HCS410

DS40158C-page 2

Preliminary



1997 Microchip Technology Inc.

Table of Contents

1.0 System Overview ....................................................................................................................................................3

1.1 Key Terms ........................................................................................................................................................3

1.2

K

EELOQ

Code Hopping Encoders .....................................................................................................................4

1.3 K

EE

L

OQ

IFF ......................................................................................................................................................5

2.0 Device Operation ....................................................................................................................................................6

2.1 Pinout Description ............................................................................................................................................7

2.2 Code Hopping Mode (CH Mode) .....................................................................................................................8

2.3 Code Hopping Mode Special Features ..........................................................................................................11

2.4 IFF Mode ........................................................................................................................................................14

2.5 IFF Opcodes ..................................................................................................................................................17

2.6 IFF Special Features ......................................................................................................................................18

2.7 LED Indicator .................................................................................................................................................18

3.0 EEPROM Organization and Configuration ............................................................................................................19

3.1 Encoder Key 1 and 2 .....................................................................................................................................19

3.2 Discrimination Value and Overflow ................................................................................................................19

3.3 16-bit Synchronization Counter ......................................................................................................................19

3.4 60/64-bit Seed Word/Transport Code ............................................................................................................20

3.5 Encoder Serial Number ..................................................................................................................................20

3.6 User Data .......................................................................................................................................................20

3.7 Configuration Data .........................................................................................................................................21

4.0 Integrating the HCS410 into a System ..................................................................................................................23

4.1 Key Generation ..............................................................................................................................................23

4.2 Learning an HCS410 to a Receiver ...............................................................................................................24

4.3 CH Mode Decoder Operation ........................................................................................................................25

4.4 IFF Decoder Operation ..................................................................................................................................27

5.0 Electrical Characteristics .......................................................................................................................................28

HCS410 Product Identification System ........................................................................................................................35

HCS410



1997 Microchip Technology Inc.

Preliminary

DS40158C-page 3

DESCRIPTION

The HCS410 is a code hopping transponder device
designed for secure entry systems. The HCS410 uti­lizes the patented K

EELOQ

code hopping system and
bi-directional challenge-and-response for logical and
physical access control. High security learning mecha­nisms make this a turnkey solution when used with the
K

EELOQ

decoders. The encoder keys and synchroniza­tion information are stored in protected on-chip
EEPROM.

A low cost batteryless transponder can be imple­mented with the addition of an inductor and two capac­itors. A packaged module including the inductor and
capacitor will also be offered.

A single HCS410 can be used as an encoder for
Remote Keyless Entry (RKE) and a transponder for
immobilization in the same circuit and thereby dramat­ically reducing the cost of hybrid transmitter/transpon­der circuits.

1.0 SYSTEM OVERVIEW

1.1 Key Terms

• Anticollision

– Allows two transponders to be in
the files simultaneously and be verified individu­ally.

• CH Mode

– Code Hopping Mode. The HCS410
transmits a 69-bit transmission each time it is acti­vated, with at least 32-bits changing each time the
encoder is activated.

•E

ncoder Key – A unique 64-bit k ey gener ated and
programmed into the encoder during the manu­facturing process. The encoder key controls the
encryption algorithm and is stored in EEPROM on
the encoder device.

• IFF

– Identify friend or foe is a means of validating
a token. A decoder sends a random challenge to
the token and checks that the response of the
token is a valid response.

•K

EE

L

OQ

Encr

yption Algorithm – The high security
level of the HCS410 is based on the patented
K

EE

L

OQ

technology. A block cipher encryption
algorithm based on a block length of 32 bits and a
key length of 64 bits is used. The algorithm
obscures the information in such a way that even
if the unencrypted/challenge information differs by
only one bit from the information in the previous
transmission/challenge, the next coded transmis­sion/response will be totally different. Statistically,
if only one bit in the 32-bit string of information
changes, approximately 50 percent of the coded
transmission will change.

•L

earn – The HCS product family f acilitates sev eral
learning strategies to be implemented on the
decoder. The following are examples of what can
be done.

Normal Learn –The receiver uses the same infor-

mation that is transmitted during normal operation to
derive the transmitter’s encoder key, decrypt the dis­crimination value and the synchronization counter.

Secure Learn* – The transmitter is activ ated through

a special button combination to transmit a stored
60-bit value (random seed) that can be used for key
generation or be part of the key. Transmission of the
random seed can be disabled after learning is com­pleted.

•M

anufacturer’s Code – A 64-bit word, unique to
each manufacturer, used to produce a unique
encoder key in each transmitter (encoder).

•P

assive Proximity Activ ation – When the HCS410
is brought into in a magnetic field without a
command given by the base station, the HCS410
can be programmed to give an RF transmission.

•T

ransport Code – A 32-bit transport code needs
to be given before the HCS410 can be inductiv ely
programmed. This prevents accidental
programming of the HCS410.

*Secure Learn patent pending.

HCS410

DS40158C-page 4

Preliminary



1997 Microchip Technology Inc.

1.2 K

EE

L

OQ

Code Hopping Encoders

When the HCS410 is used as a code hopping encoder
device, it is ideally suited to keyless entry systems,
primarily for vehicles and home garage door openers.
It is meant to be a cost-effective, yet secure solution to
such systems. The encoder portion of a keyless entry
system is meant to be carried by the user and operated
to gain access to a vehicle or restricted area.

Most keyless entry systems transmit the same code
from a transmitter every time a button is pushed. The
relative number of code combinations for a low end
system is also a relatively small number. These
shortcomings provide the means for a sophisticated
thief to create a device that ‘grabs’ a transmission and
retransmits it later or a device that scans all possible
combinations until the correct one is found.

The HCS410 employs the K

EE

L

OQ

code hopping tech­nology and an encryption algorithm to achieve a high
level of security. Code hopping is a method by which
the code transmitted from the transmitter to the
receiver is different every time a button is pushed. This
method, coupled with a transmission length of 69 bits,
virtually eliminates the use of code ‘grabbing’ or code
‘scanning’.

The HCS410 has a small EEPROM array which must
be loaded with several parameters before use. The
most important of these values are:

• A 28/32-bit serial number which is meant to be
unique for every encoder

• 64-bit seed value

• A 64-bit encoder key that is generated at the time
of production

• A 16-bit synchronization counter value.

• Configuration options

The 16-bit synchronization counter value is the basis
for the transmitted code changing for each transmis­sion, and is updated each time a button is pressed.
Because of the complexity of the code hopping encryp­tion algorithm, a change in one bit of the synchroniza­tion counter value will result in a large change in the
actual transmitted code.

Once the encoder detects that a button has been
pressed, the encoder reads the button and updates the
synchronization counter. The synchronization counter
value, the function bits, and the discrimination value are
then combined with the encoder key in the encryption
algorithm, and the output is 32 bits of encrypted infor­mation (Figure 1-1). The code hopping portion pro­vides up to four billion changing code combinations.
This data will change with every button press, hence, it
is referred to as the code hopping portion of the code
word.

The 32-bit code hopping portion is combined with the
button information and the serial number to form the
code word transmitted to the receiver. The code word
format is explained in detail in Section 2.2.

FIGURE 1-1: BASIC OPERATION OF A CODE HOPPING TRANSMITTER (ENCODER)

KEELOQ

Algorithm

Button Press

Information

Encryption

EEPROM Array

32 Bits of

Encrypted Data

Serial Number

Transmitted Information

Encoder Key

Sync Counter

Serial Number

HCS410



1997 Microchip Technology Inc.

Preliminary

DS40158C-page 5

1.3 K

EE

L

OQ

IFF

The HCS410 can be used as an IFF transponder for
verification of a token. In IFF mode the HCS410 is ide­ally suited for authentication of a key before disarming
a vehicle immobilizer. Once the key has been inserted
in the car’s ignition the decoder would inductively poll
the key validating it before disarming the immobilizer.

IFF validation of the token inv olves a r andom challenge
being sent by a decoder to a token. The token then gen­erates a response to the challenge and sends this
response to the decoder (Figure 1-2). The decoder cal­culates an expected response using the same chal­lenge. The expected response is compared to the
response received from the token. If the responses
match, the token is identified as a valid token and the
decoder can take appropriate action.

The HCS410 can do either 16 or 32-bit IFF. The
HCS410 has two encryption algorithms that can be
used to generate a response to a challenge. In addition
there are up to two encoder keys that can be used by
the HCS410. Typically each HCS410 will be pro­grammed with a unique encoder key(s).

In IFF mode, the HCS410 will wait for a command from
the base station and respond to the command. The
command can either request a read/write from user
EEPROM or an IFF challenge response. A given 16 or
32-bit challenge will produce a unique 16/32-bit
response, based on the IFF key and IFF algorithm
used.

FIGURE 1-2: IBASIC OPERATION OF AN IFF TOKEN

IFF Key

Serial Number

KEELOQ

IFF

Algorithm

Serial Number

EEPROM Array

Challenge Received from Decoder

Response

Read by Decoder

HCS410

DS40158C-page 6

Preliminary



1997 Microchip Technology Inc.

2.0 DEVICE OPERATION

The HCS410 can either operate as a normal code hop­ping transmitter with one or two IFF keys (Figure 2-1) or
as purely an IFF token with two IFF keys (Figure 2-2
and Figure 2-3). When used as a code hopping trans­mitter the HCS410 only needs the addition of buttons
and RF circuitry for use as a transmitter. Adding the
transponder function to the transmitter requires the
addition of an inductor and two capacitors as shown in
Figure 2-1 and Figure 2-2. A description of each pin is
given in Table 2-1. Table 2-2 shows the function codes
for using the HCS410.

FIGURE 2-1: COMBINED TRANSMITTER/

TRANSPONDER CIRCUIT

FIGURE 2-2: TRANSPONDER CIRCUIT

FIGURE 2-3: 2-WIRE, 1 OR 2-KEY IFF

TOKEN

Figure 2-4 shows how to use the HCS410 with a 12V
battery as a code hopping transmitter. The circuit uses
the internal regulator, normally used for charging a
capacitor/battery in LC mode, to generate a 6V supply
for the HCS410.

FIGURE 2-4: HCS410 ENCODER WITH 12V

BATTERY

FIGURE 2-5: LED CONNECTION TO

S2/LED OUTPUT

FIGURE 2-6: LC PIN BLOCK DIAGRAM

18

RF

2
3

4

7
6

5

1 µF

18

2
3

4

7
6

5

1 µF

18

2
3

4

7
6

5

1 µF

Data I/O

18

RF

2
3

4

7
6

5

6.3V

12V

Pulse

VDD

S2/LED

220Ω

220Ω

60k

30Ω

VDD

6.7V

Damp

Out

MOD

Detector

Rectifier,
Damping,
Clamping

15V

15V

100Ω

100Ω

LCI1

LCI0

HCS410



1997 Microchip Technology Inc.

Preliminary

DS40158C-page 7

2.1 Pinout Description

The HCS410 has the same footprint as all of the other
devices in the K

EE

L

OQ

family, except for the two pins
that are reserved for transponder operations and the
LED that is now located at the same position as the S2
switch input.

• S[0:1] – are inputs with Schmitt Trigger detectors
and an internal 60k Ω (nominal) pull-down
resistors.

• S2/LED – uses the same input detection circuit as
S0/S1 but with an added PMOS transistor con­nected to V

DD

capable of sourcing enough current

to drive an LED.

• LC[0:1] – is the transponder interface pins to be
connected to an LC circuit for inductive communi­cation. LC0 is connected to a detector for data
input. Data output is achieved by clamping LC0
and LC1 to GND through two NMOS transistors.
These pins are also connected to a rectifier and a
regulator, providing power to the rest of the logic
and for charging an external power source (Bat­tery/Capacitor) through V

DD

.

TABLE 2-1: PINOUT DESCRIPTION

Name Pin Number Description

S0 1 Switch input 0
S1 2 Switch input 1

S2/LED 3 Switch input 2/LED output, Clock pin for programming mode

LC1 4 Transponder interface pin
V

SS

5 Ground reference connection

PWM 6 Pulse width modulation (PWM)

output pin/Data pin for

programming mode
LC0 7 Transponder interface pin.
V

DD

8 Positive supply voltage connection

TABLE 2-2: FUNCTION CODES

LC0 S2 S1 S0 Comments

10001Normal Code Hopping transmission
20010Normal Code Hopping transmission

30011

Delayed seed transmission if allowed by SEED and TMPSD/Normal

Code Hopping transmission
40100Normal Code Hopping transmission
50101Normal Code Hopping transmission
60110Normal Code Hopping transmission

70111

Immediate seed transmission if allowed by SEED and TMPSD/Normal

Code Hopping transmission
81000Transponder mode

HCS410

DS40158C-page 8

Preliminary



1997 Microchip Technology Inc.

2.2 Code Hopping Mode (CH Mode)

The HCS410 wakes up upon detecting a switch closure
and then delays approximately 30 ms for switch
debounce (Figure 2-7). The synchronization counter
value, fixed information, and switch information are
encrypted to form the code hopping portion. The
encrypted or code hopping portion of the transmission
changes every time a button is pressed, even if the
same button is pushed again. Keeping a button
pressed for a long time results in the same code word
being transmitted until the button is released or time­out occurs. A code that has been transmitted will not
occur again for more than 64K transmissions. Overflow
information programmed into the encoder can be used
by the decoder to extend the number of unique trans­missions to more than 192k.

If, during the transmit process, it is detected that a new
button(s) has been added, a reset will immediately be
forced and the code word will not

be completed. Please
note that buttons removed will not have any effect on
the code word unless no buttons remain pressed in
which case the current code word will be completed
and the power down will occur. If, after a button combi­nation is pressed, and the same button combination is
pressed again within 2 seconds of the first press, the
current transmission will be aborted and a new trans­mission will start with the queue counter (QUE)
incremented.

FIGURE 2-7: CODE HOPPING ENCODER OPERATION

20-second

timeout

No

Transmitted

2 second

time-out

completed?

All buttons

released?

Sample Inputs

Update Sync Info

Encrypt With

T ransmit

Encoder Key

Power-up

(A button has been

pressed (Note1)

Buttons added?

Yes

Yes

Yes

No

(Note 1)

7 complete code

words?

Complete current

code word while

checking buttons

(Note 2)

Stop transmitting

DINC Set?

Power down

Buttons

pressed?

(Note 1)

Same as

previous

press?

Increment queue

counter

20 second

time-out

completed?

Buttons

pressed?

(Note 1)

Increase sync

counter

by 12

immediately

Yes

Yes

No

Yes

Yes

No

No

No

Yes

No

Yes

No

No

Note 1: 30 ms debounce on press and release of all buttons.

2: Completes a minimum of 3 code words if MTX3 is set.

No

DINC

Set?

Yes

Yes

No

HCS410



1997 Microchip Technology Inc.

Preliminary

DS40158C-page 9

2.2.1 TRANSMISSION DATA FORMAT
The HCS410 transmission (CH Mode) is made up of

several parts (Figure 2-10 and Figure 2-11). Each
transmission is begun with a preamble and a header,
followed by the encrypted and then the fixed data. The
actual data is 69 bits which consists of 32 bits of
encrypted data and 37 bits of fixed data. Each trans­mission is followed by a guard period before another
transmission can begin. Refer to Table 5-4
and Table 5-5 for transmission timing specifications.
The combined encrypted and nonencrypted sections
increase the number of combinations to 1.47 x 10

20

.

The HCS410 transmits a 69-bit code word when a but­ton is pressed. The 69-bit word is constructed from a
Fixed Code portion and Code Hopping portion
(Figure 2-8).

The Encrypted Data is generated from 4 function bits,
2 overflow bits, and 10 discrimination bits, and the 16­bit synchronization counter value (Figure 2-8).

The Nonencrypted Code Data is made up of 2 QUE
bits, 2 CRC bits, a V

LOW

bit, 4 function bits, and the
28-bit serial number. If the extended serial number
(32 bits) is selected, the 4 function code bits will not be
transmitted (Figure 2-8).

FIGURE 2-8: HOP CODE WORD ORGANIZATION (RIGHT-MOST BIT IS CLOCKED OUT FIRST)

FIGURE 2-9: SEED CODE WORD ORGANIZATION

Fixed Code Data Encrypted Code Data

69 bits
of Data
Transmitted

MSB LSB

CRC
(2 bit)

VLOW
(1 bit)

Button
Status*
(4 bits)

28-bit

Serial Number

Overflow (2 bits)

bits (10 bits)

16-bit

Synchronization

CRC
(2 bits)

VLOW
(1 bit)

+

Serial Number and

Button Status (32 bits)

+ 32 bits of Encrypted Data

QUE

QUE

(Q1, Q0

S2 S1 S0 0

Button
Status
(4 bits)

S2 S1 S0 0

(2 bits)

bit)

Counter Value

Discrimination

and

* Optional.

Fixed Code Data

69 bits
of Data
Transmitted

CRC
(2 bit)

VLOW
(1 bit)

Button*
Status
(4 bits)

CRC

(2 bits)

VLOW
(1 bit)

+

QUE

QUE0

(Q1, Q0

S2 S1 S0 0

(2 bits)

bit)

Unencrypted

Button
(4 bits)

SEED

(60 bits)

+

SEED

* Optional.

HCS410

DS40158C-page 10

Preliminary



1997 Microchip Technology Inc.

2.2.2 TRANSMISSION DATA MODULE
The Data Modulation Format is selectable between

Pulse Width Modulation (PWM) format and Manchester
encoding. Both formats are preceded by a preamble
and synchronization header, followed by the 69-bits of
data. Manchester encoding has a leading and closing
‘1’ for each code word.

The same code word is continuously sent as long as
the input pins are kept high with a guard time separat­ing the code words. All of the timing values are in mul­tiples of a Basic Timing Element (T

E), which can be

changed using the baud rate option bits.

FIGURE 2-10: TRANSMISSION FORMAT—MANCH = 0

FIGURE 2-11: TRANSMISSION FORMAT—MANCH = 1

LOGIC "1"

Code Word

Guard

Time

Preamble

Sync

Encrypted

TX Data

Fixed Code

BIT

LOGIC "0"

123579

46810

TE

CODE WORD:

TOTAL TRANSMISSION:

Preamble

Sync

Encrypt

Fixed

Guard

1 CODE WORD

12 456

Preamble Sync Encrypt

14 15 16

TE

Data

TE

Guard

Preamble Sync

Encrypted

Fixed Code

LOGIC "0"

123

4

BPW

CODE WORD:

TOTAL TRANSMISSION:

Sync Encrypt Fixed Guard

1 CODE WORD

12 456

Preamble Sync Encrypt

14 15 16

LOGIC "1"

Start bit

Stop bit

CODE WORD

Preamble

Time

Data

Data

HCS410

 1997 Microchip Technology Inc. Preliminary DS40158C-page 11

2.3 Code Hopping Mode Special Features

2.3.1 CODE WORD COMPLETION
Code word completion is an automatic feature that

ensures that the entire code word is transmitted, even
if the button is released before the transmission is com­plete. The HCS410 encoder powers itself up when a
button is pushed and powers itself down after the com­mand is finished (Figure 2-7). If MTX3 is set in the con­figuration word, a minimum of three transmissions will
be transmitted when the HCS410 is activated, even if
the buttons are released.

If less than seven words have been transmitted when
the buttons are released, the HCS410 will complete the
current word. If more than seven words have been
transmitted, and the button is released, the PWM out­put is immediately switched off.

2.3.2 CODE WORD BLANKING ENABLE
Federal Communications Commission (FCC) part 15

rules specify the limits on fundamental power and
harmonics that can be transmitted. Power is calculated
on the worst case average power transmitted in a
100ms window. It is therefore advantageous to
minimize the duty cycle of the transmitted word. This
can be achieved by minimizing the duty cycle of the
individual bits and by blanking out consecutive words.
Code Word Blanking Enable (CWBE) is used for
reducing the average power of a transmission
(Figure 2-12). Using the CWBE allows the user to
transmit a higher amplitude transmission if the
transmission length is shorter. The FCC puts

constraints on the average power that can be
transmitted by a device, and CWBE eff ectively pre vents
continuous transmission by only allowing the transmis­sion of every second or fourth word. This reduces the
average power transmitted and hence, assists in FCC
approval of a transmitter device.

The HCS410 will either transmit all code words, 1 in 2
or 1 in 4 code words, depending on the baud rate
selected and the code word blanking option. See
Section 3.7 for additional details.

2.3.3 CRC (CYCLE REDUNDANCY CHECK) BITS
The CRC bits are calculated on the 65 previously trans-

mitted bits. The CRC bits can be used by the receiver
to check the data integrity before processing starts. The
CRC can detect all single bit and 66% of double bit
errors. The CRC is computed as follows:

EQUATION 2-1: CRC CALCULATION

and

with

and Di

n

the nth transmission bit 0 ≤ n ≤ 64

FIGURE 2-12: CODE WORD BLANKING ENABLE

CRC 1[]

n 1+

CRC 0[]nDin⊕=

CRC 0[]

n 1+

CRC 0[]nDin⊕()CRC 1[]

n

⊕=

CRC 10,[]

0

0=

One Code Word

CWBE Disabled

(All words transmitted)

CWBE Enabled

(1 out of 2 transmitted)

A

2A

Amplitude

CWBE Enabled

(1 out of 4 transmitted)

4A

Time