Microchip Technology Inc HCS515T-I-P, HCS515-I-SM, HCS515-I-P Datasheet
1998 Microchip Technology Inc.
Preliminary
DS40183A-page 1
M
HCS515
FEATURES
Security
• Encrypted storage of manufacturer’s code
• Encrypted storage of encoder decryption keys
• Up to seven transmitters can be learned
• K
EE
L
OQ
code hopping technology
• Normal and secure learning mechanisms
Operating
• 3.0V—5.5V operation
• Internal oscillator
• Auto bit rate detection
Other
• Stand-alone decoder
• Internal EEPROM for transmitter storage
• Synchronous serial interface
• 1 Kbit user EEPROM
• 14-pin DIP/SOIC package
Typical Applications
• Automotive remote entry systems
• Automotive alarm systems
• Automotive immobilizers
• Gate and garage openers
• Electronic door locks
• Identity tokens
• Burglar alarm systems
Compatible Encoders
• HCS200, HCS300, HCS301, HCS360, HCS361,
HCS410 (PWM Mode)
DESCRIPTION
The Microchip Technology Inc. HCS515 is a code hopping decoder designed for secure Remote Keyless
Entry (RKE) systems. The HCS515 utilizes the patented K
EE
L
OQ
code hopping system and high security
learning mechanisms to make this a canned solution
when used with the HCS encoders to implement a unidirectional remote and access control systems. The
HCS515 can be used as a stand-alone decoder or in
conjunction with a microcontroller.
PACKA GE TYPE
BLOCK DIAGRAM
The manufacturer’s code, encoder decryption keys,
and synchronization information are stored in
encrypted form in internal EEPROM. The HCS515
uses the S_DAT and S_CLK inputs to communicate
with a host controller device.
The HCS515 operates over a wide voltage range of
3.0 volts to 5.5 volts. The decoder employs automatic
bit-rate detection, which allows it to compensate for
wide variations in transmitter data rate. The decoder
contains sophisticated error checking algorithms to
ensure only valid codes are accepted.
HCS515
PDIP, SOIC
1
2
3
4
NC
NC
Vdd
S0
NC
NC
Vss
RF_IN
5
6
7
14
13
12
11
10
9
8
S1
MCLR
NC
S_CLK
S_DAT
NC
67-bit Reception Register
Internal
CONTROL
DECRYPTOR
RFIN
OSCILLATOR
S_DAT
S_CLK
MCLR
EEPROM
EE_DAT
EE_CLK
S0
S1
Code Hopping Decoder
The K
EE
L
OQ
name, K
EE
L
OQ
logo, and logotype are registered trademarks of Microchip Technology Inc. in the U.S.A. and other countries.
*Code hopping patents issued in Europe, U. S. A. and R. S.—US:5,517,187; Europe: 0459781
HCS515
DS40183A-page 2
Preliminary
1998 Microchip Technology Inc.
1.0 K
EE
L
OQ
SYSTEM OVERVIEW
1.1 Key Terms
• Manufacturer’s Code – A 64-bit word, unique to
each manufacturer, used to produce a unique
encoder decryption key in each transmitter.
• Encoder Decryption Key – A 64-bit key, unique for
each transmitter. The encoder decryption key
controls the K
EE
L
OQ
decryption algorithm and is
stored in EEPROM on the decoder device.
• Learn – The receiver uses information that is
transmitted to derive the transmitter’s encoder
decryption key, decrypt the discrimination value,
and the synchronization counter in learning mode.
The encoder decryption key is a function of the
manufacturer’ s code and the device serial number
and/or seed value.
The HCS encoders and decoders employ the K
EE
L
OQ
code hopping technology and a K
EE
L
OQ
encryption
algorithm to achieve a high level of security. Code
hopping is a method by which the code transmitted
from the transmitter to the receiver is different ever y
time a button is pushed. This method, coupled with a
transmission length of 66 bits, virtually eliminates the
use of code ‘grabbing’ or code ‘scanning’.
1.2 HCS Encoder Overview
The HCS encoders have a small EEPROM arra y which
must be loaded with several parameters before use.
The most important of these values are:
• An encoder decryption key that is generated at
the time of production
• A 16-bit synchronization counter value
• A 28-bit serial number which is meant to be
unique for every encoder
The manufacturer programs the serial number f or each
encoder at the time of production, while the ‘Key Generation Algorithm’ generates the encoder decryption
key (Figure 1-1). Inputs to the k e y generation algorithm
typically consist of the encoder’s serial number and a
64-bit manufacturer’s code, which the manufacturer
creates.
The 16-bit synchronization counter is the basis for the
transmitted code changing for each transmission and is
updated each time a button is pressed. Because of the
complexity of the K
EE
L
OQ
encryption algorithm, a
change in one bit of the synchronization counter value
will result in a large change in the actual transmitted
code. There is a relationship (Figure 1-2) between the
encoder decryption key values in EEPROM and how
they are used in the encoder. Once the encoder
detects that a button has been pressed, the encoder
reads the button and updates the synchronization
counter. The synchronization value is then combined
with the encoder decryption key in the K
EE
L
OQ
encryption algorithm, and the output is 32 bits of
encrypted information. This data will change with e v ery
button press, hence, it is referred to as the code hopping portion of the code word. The 32-bit code hopping
portion is combined with the button information and the
serial number to form the code word transmitted to the
receiver.
FIGURE 1-1: CREATION AND STORAGE OF ENCRYPTION KEY DURING PRODUCTION
Note: The manufacturer code is a pivotal part of
the system’s overall security. Consequently, all possible precautions must be
taken and maintained for this code.
Transmitter
Manufacturer’s
Serial Number or
Code
Encryption
Key
Key
Generation
Algorithm
Serial Number
Encryption Key
Sync Counter
.
.
.
HCS515 EEPROM Array
Seed
HCS515
1998 Microchip Technology Inc.
Preliminary
DS40183A-page 3
1.3 HCS Decoder Overview
Before a transmitter and receiver can work together,
the receiver must first ‘learn’ and store certain information from the transmitter. This information includes a
‘check value’ of the serial number, the encoder decryption key, and current synchronization counter value.
When a valid formatted message is detected, the
receiver first compares the serial number. If the serial
number check value is from a learned transmitter, the
message is decrypted. Next, the receiver checks the
decrypted synchronization counter value against what
is stored in memory. If the synchronization counter
value is verified, then a valid transmission message is
sent. Figure 1-3 shows the relationship between some
of the values stored by the receiver and the values
received from the transmitter.
FIGURE 1-2: BASIC OPERATION OF A CODE HOPPING TRANSMITTER (ENCODER)
FIGURE 1-3: BASIC OPERATION OF A CODE HOPPING RECEIVER (DECODER)
KEELOQ
Algorithm
Button Press
Information
Encryption
EEPROM Array
32 Bits of
Encrypted Data
Serial Number
Transmitted Information
Encoder Decryption Key
Sync. Counter Value
Serial Number
Button Press
Information
EEPROM Array
Encoder Decryption Key
32 Bits of
Encrypted Data
Serial Number
Received Information
Decrypted
Synchronization
Counter
Check for
Match
Check for
Match
KEELOQ
Algorithm
Decryption
Sync. Counter Value
Serial Number
Manufacturer Code
HCS515
DS40183A-page 4
Preliminary
1998 Microchip Technology Inc.
2.0 PIN ASSIGNMENT
PIN
Decoder
Function
I/O
(1)
Buffer
Type
(1)
Description
1 NC — — No connection
2 NC — — No connection
3V
DD
— — Power connection
4 S0 O TTL S0 function output
5 S1 O TTL S1 function output
6 MCLR
I ST Master clear input
7 NC — — No connection
8 NC — — No connection
9 S_DAT I/O TTL Synchronous data from controller
10 S_CLK I TTL Synchronous clock from controller
11 RF_IN I TTL RF input from receiver
12 GND — — Ground connection
13 NC — — No connection
14 NC — — No connection
Note: P = power, I = in, O = out, and ST = Schmitt Trigger input.
HCS515
1998 Microchip Technology Inc.
Preliminary
DS40183A-page 5
3.0 DECODER OPERATION
3.1 Learning a Transmitter to a Receiver
(Normal or Secure Learn)
Before the transmitter and receiver can work together,
the receiver must first ‘lear n’ and store the following
information from the transmitter in EEPROM:
• A check value of the serial number
• The encoder decryption key
• The current synchronization counter value
The decoder must also store the manufacturer’s code
(Section 1.2) in protected memory. This code will
typically be the same for all of the decoders in a system.
The HCS515 has seven memory slots, and, consequently, can store up to seven transmitters. During the
learn procedure, the decoder searches for an empty
memory slot for storing the transmitter’s information.
When all of the memory slots are full, the decoder will
overwrite the last transmitter’s information. To erase all
of the memory slots at once, use the ERASE_ALL
command (C3H).
3.1.1 LEARNING PROCEDURE
Learning is initiated by sending the ACTIV ATE_LEARN
(D2H) command to the decoder. The decoder acknowledges reception of the command by pulling the data
line high.
For the HCS515 decoder to learn a new transmitter , the
following sequence is required:
1. Activate the transmitter once.
2. Activate the transmitter a second time. (In
secure learning mode, the seed transmission
must be transmitted during the second stage of
learn by activating the appropriate buttons on
the transmitter.)
The HCS515 will transmit a learn-status string,
indicating that the learn was successful.
3. The decoder has now learned the transmitter.
4. Repeat steps 1-3 to learn up to seven
transmitters
Note 1: Learning will be terminated if two
nonsequential codes were received or if two
acceptable codes were not decoded within
30 seconds.
2:
If more than seven transmitters are learned,
the new transmitter will replace the last
transmitter learned. It is, therefore, not possible to erase lost transmitters by
repeatedly learning new transmitters. To
remove lost or stolen transmitters,
ERASE_ALL transmitters and relearn all
available transmitters.
3:
Learning a transmitter with an encoder
decryption key that is identical to a transmitter already in memory replaces the existing
transmitter. In practice, this means that all
transmitters should have unique encoder
decryption keys. Learning a previously
learned transmitter does not use any additional memory slots.
The following checks are perfor med by the decoder to
determine if the transmission is valid during learn:
• The first code word is checked for bit integrity.
• The second code word is checked for bit integrity.
• The encoder decryption key is generated according to the selected algorithm.
• The hopping code is decrypted.
• The discrimination value is checked.
• If all the checks pass, the key, serial number
check value, and synchronization counter values
are stored in EEPROM memory.
Figure 3-1 shows a flow chart of the learn sequence.
FIGURE 3-1: LEARN SEQUENCE
Enter Learn
Mode
Wait for Reception
of Second
Compare Discrimination
Value with Serial Number
Use Generated Key
to Decrypt
Equal?
Sync. counter value
Encoder decryption key
Exit
Learn successful. Store:
Learn
Unsuccessful
No
Yes
Wait for Reception
of a Valid Code
Non-Repeated
Valid Code
Generate Key
from Serial Number/
Seed Value
Serial number check value
HCS515
DS40183A-page 6
Preliminary
1998 Microchip Technology Inc.
3.2 Validation of Codes
The decoder waits for a transmission and checks the
serial number to determine if it is a learned transmitter.
If it is, it takes the code hopping portion of the transmission and decrypts it, using the encoder decryption key .
It uses the discrimination value to determine if the
decryption was valid. If everything up to this point is
valid, the synchronization counter value is evaluated.
3.3 Validation Steps
Validation consists of the following steps:
1. Search EEPROM to find the Serial Number
Check V alue Match
2. Decrypt the Hopping Code
3. Compare the 10 bits of the discrimination value
with the lower 10 bits of serial number
4. Check if the synchronization counter value falls
within the first synchronization window.
5. Check if the synchronization counter value falls
within the second synchronization window.
6. If a valid transmission is found, update the
synchronization counter, else use the next
transmitter block, and repeat the tests.
FIGURE 3-2: DECODER OPERATION
3.4 Synchronization with Decoder
The K
EE
L
OQ
technology features a sophisticated
synchronization technique (Figure 3-3) which does not
require the calculation and storage of future codes. If
the stored synchronization counter value for that
particular transmitter and the synchronization counter
value that was just decrypted are within a formatted
window of 16, the counter is stored, and the command
is executed. If the synchronization counter value was
not within the single operation window , b ut is within the
double operation window of the 16K window, the
transmitted synchronization counter value is stored in a
temporary location, and the decoder goes back to waiting for another transmission. When the next valid
transmission is received, it will check the new
synchronization counter value with the one in temporary storage. If the two values are sequential, it is
assumed that the counter had just gotten out of the
single operation ‘windo w’, but is now bac k in synchronization, so the new synchronization counter value is
stored, and the command is executed. If a transmitter
has somehow gotten out of the double operation
window, the transmitter will not work and must be
relearned. Since the entire window rotates after each
valid transmission, codes that hav e been used become
part of the ‘blocked’ (48K) codes and are no longer
valid. This eliminates the possibility of g rabbing a pre vious code and retransmitting to gain entry.
FIGURE 3-3: SYNCHRONIZATION WINDOW
Transmission
Received?
Does
Ser # Check Val
Match?
Decrypt T ransmission
Is
decryption
valid?
Is
counter within
16?
Is
counter within
16K?
Update
Counter
Execute
Command
Save Counter
in T emp Location
Start
No
No
No
No
Yes
Yes
Yes
Yes
Yes
No
and
Blocked
Entire Window
rotates to eliminate
use of previously
used codes
Current
Position
(48K Codes)
Double
Operation
(16K Codes)
Single
Operation
Window
(16 Codes)
HCS515
1998 Microchip Technology Inc.
Preliminary
DS40183A-page 7
4.0 INTERFACING TO A
MICROCONTROLLER
The HCS515 interfaces to a microcontroller via a synchronous serial interface. A clock and data line are
used to communicate with the HCS515. The microcontroller controls the clock line. There are two groups of
data transfer messages. The first is from the decoder
whenever the decoder receives a valid transmission.
The decoder signals reception of a valid code by taking
the data line high (maximum of 500 ms) The microcontroller then services the request by clocking out a data
string from the decoder. The data string contains the
function code, the status bit, and block indicators. The
second is from the controlling microcontroller to the
decoder in the form of a defined command set.
Figure 4-1 shows the HCS515 decoder and the I/O
interface lines necessary to interface to a microcontroller.
4.1 Valid Transmission Message
The decoder informs the microcontroller of a valid
transmission by taking the data line high for up to
500 ms. The controlling microcontroller must acknowledge by taking the clock line high. The decoder then
takes the data line low. The microcontroller can then
begin clocking a data stream out of the HCS515. The
data stream consists of:
• Start bit ‘0’.
• 2 status bits [REPEAT, VLOW].
• 4-bit function code [S3 S2 S1 S0].
• Stop bit ‘1’.
• 4 bits indicating the number of transmitters
learned into the decoder [CNT3…CNT0].
• 4 bits indicating which block was used
[TX3…TX0].
• 64 bits of the received transmission with the hopping code decrypted.
The decoder will terminate the transmission of the data
stream at any point where the clock is kept low for
longer than 1 ms.Therefore, the microcontroller can
only clock out the required bits. A maximum of 80 bits
can be clocked out of the decoder.
FIGURE 4-1: HCS515 DECODER AND I/O INTERFACE LINES
FIGURE 4-2: DECODER VALID TRANSMISSION MESSAGE
Note: Data is always clocked in/out Least
Significant Bit (LSB) first.
NC
NC
VDD
S0
RF DATA
SYNC CLOCK
SYNC DATA
S1 OUTPUT
HCS515
S1
MCLR
NC
NC
NC
V
SS
RF_IN
S_CLK
S_DAT
NC
1
2
3
4
5
6
78
9
10
11
12
13
14
VCC
X
X
X
MICRO RESET
S0 OUTPUT
X
X
X
Decoder Signal Valid
TCLKH TDS
AB Cii
TACT
TDHI
TCLA
Received String
Ci
S_DAT
TX0 TX3 RX63REPT VLOW S0 S1 S2 S3 CNT0 CNT30 RX0 RX1 RX621
S_CLK
Information
TACK
TCLKH
TCLKL
Transmission
HCS515
DS40183A-page 8
Preliminary
1998 Microchip Technology Inc.
4.2 Command Mode
4.2.1 MICROCONTROLLER COMMAND MODE
ACTIVATION
The microcontroller command consists of four parts.
The first part activates the command mode, the second
part is the actual command, the third is the address
accessed, and the last part is the data. The microcontroller starts the command by taking the clock line high
for up to 500 ms. The decoder acknowledges the startup sequence by taking the data line high. The microcontroller takes the clock line low, after which the
decoder will take the data line low , tri-state the data line
and wait for the command to be clock in. The data must
be set up on the rising edge and will be sampled on the
falling edge of the clock line.
4.2.2 COLLISION DETECTION
The HCS515 uses collision detection to prevent
clashes between the decoder and microcontroller.
Whenever the decoder receives a valid transmission
the following sequence is followed:
• The decoder first checks to see if the clock line is
high. If the clock line is high, the valid transmission notification is aborted, and the microcontroller command mode request is serviced.
• The decoder takes the data line high and checks
that the clock line doesn’t go high within 50 µ s. If
the clock line goes high, the valid transmission
notification is aborted and the command mode
request is serviced.
• If the clock line goes high after 50 µ s but before
500 ms, the decoder will acknowledge by taking
the data line low.
• The microcontroller can then start to clock out the
80-bit data stream of the received transmission.
FIGURE 4-3: MICROCONTROLLER COMMAND MODE ACTIVATION
MSB
A
Command ByteStart Command
T
CLKL
TCLKH
TDS
BC
LSB
TSTART
TCMD
D
TDATA
E
Address Byte Data Byte
TADDR
TREQ
TRESP
CLK
µC Data
HCS515
Data
MSBLSB MSBLSB
TACK
HCS515
1998 Microchip Technology Inc.
Preliminary
DS40183A-page 9
4.2.3 COMMAND ACTIVATION TIMES
The command activation time (Table 4-1) is defined as
the maximum time the microcontroller has to wait for a
response from the decoder. The decoder will abort and
service the command request. The response time
depends on the state of the decoder when the command mode is requested.
4.2.4 DECODER COMMANDS
The command byte specifies the operation required by
the controlling microcontroller. Table 4-2 lists the commands.
TABLE 4-1: COMMAND ACTIVATION TIMES
Decoder State Min Max
While receiving transmissions — 2 1/2 BPW
MAX
= 2.7 ms
During the validation of a received transmission — 3 ms
During the update of the sync counters — 40 ms
During learn — 170 ms
TABLE 4-2: DECODER COMMANDS
Instruction Command Byte Operation
READ F0
16
Read a byte from user EEPROM
WRITE E1
16
Write a byte to user EEPROM
ACTIVATE_LRN D2
16
Activate a learn sequence on the decoder
ERASE_ALL C3
16
Activate an erase all function on the decoder
PROGRAM B4
16
Program manufacturer’s code and configuration byte
Loading...