ST STM1404 User Manual

security supervisor with battery switchover

Features

■ STM1404 supports FIPS-140 security level 4

– Four high-impedance physical tamper

inputs
– Over/under operating voltage detector
– Security alarm (SAL
– Over/under operating temperature detector
– Over/under temperature thresholds are

customer-selectable and factory-

programmed

■ Supervisory functions

– Automatic battery switchover
–RST

output (open drain)
– Manual (push-button) reset input (MR
– Power-fail comparator (PFI/PFO

■ Vccsw (V

switch output)

CC

– Low when switched to V
– High when switched to V

indicator)

■ Battery low voltage detector (power-up)

) on tamper detection

)

)

CC

(BATT ON

BAT

STM1404

3 V FIPS-140

QFN16, 3 mm x 3 mm (Q)

■ Optional V

– (Available for STM1404A only)

■ Low battery supply current (5.3 µA typ)

■ Secure low profile 16-pin, 3 x 3 mm, QFN

package

■ RoHS compliance

– Lead-free components compliant with the

RoHS directive

(1.237 V)

REF

Table 1. Device summary

Standard

Device

STM1404A ✔✔✔ ✔✔ON Normal mode

STM1404B

STM1404C ✔✔✔ ✔Note

1. Reset output, power-fail comparator, battery low detection (SAL, RST, PFO, and BLD are open drain).

2. Normal mode: low when V

3. Contact local ST sales office for availability.

4. Pin 9 is the V

August 2008 Rev 5 1/36

supervisory

functions

(3)

✔✔✔ ✔Note

pin for STM1404A. It is the V

REF

Physical

tamper

(1)

inputs

is internally switched to VCC and high when V

OUT

Over/under

voltage

alarms

pin for STM1404B/C.

TPU

Over/under

temperature

alarms

V

REF

(1.237 V)

option

(4)

(4)

is internally switched to battery.

OUT

status,

V

OUT

during alarm

High-Z High

Ground High

Vccsw status,

during alarm

(2)

www.st.com

1

Contents STM1404

Contents

1 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.1 V

pin modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

OUT

1.1.1 STM1404A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.1.2 STM1404B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.1.3 STM1404C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 Pin descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.1 SAL, security alarm output (open drain) . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.2 TP

2.3 TP

2.4 BLD, V

2.5 Active-low RST

2.6 MR

2.7 PFO

2.8 PFI, power-fail input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.9 V

2.10 V

2.11 V

2.12 V

2.13 V

2.14 V

, TP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1

, TP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2

2.3.1 Vccsw, VCC switch output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

low voltage detect output (open drain) . . . . . . . . . . . . . . . . . . 13

BAT

output (open drain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

, manual reset input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

, power-fail output (open drain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

, reference voltage output (1.237, typ) . . . . . . . . . . . . . . . . . . . . . . . 14

REF

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

OUT

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

TPU

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

CC

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

BAT

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

SS

3 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.1 Reset input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.2 Push-button reset input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.3 Backup battery switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.4 Applications information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.5 Negative-going V

transients and undershoot . . . . . . . . . . . . . . . . . . . . 17

CC

4 Tamper detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

4.1 Physical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2/36

STM1404 Contents

4.2 Supply voltage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

4.3 Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5 Typical operating characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

6 Maximum ratings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

7 DC and AC parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

8 Package mechanical data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

9 Part numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

10 Revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3/36

List of tables STM1404

List of tables

Table 1. Device summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Table 2. Signal names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Table 3. I/O status in battery backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Table 4. Absolute maximum ratings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Table 5. Operating and AC measurement conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Table 6. DC and AC characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Table 7. Physical and environmental tamper detection levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Table 8. QFN16 – 16-lead, quad, flat package, no lead, 3 x 3 mm body size mechanical data. . . . 32

Table 9. Ordering information scheme (see Figure 31 on page 34 for marking information) . . . . . . 33

Table 10. Document revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4/36

STM1404 List of figures

List of figures

Figure 1. Logic diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Figure 2. QFN16 connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Figure 3. Block diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Figure 4. Hardware hookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Figure 5. Tamper pin (TP
Figure 6. Tamper pin (TP
Figure 7. Tamper pin (TP
Figure 8. Tamper pin (TP

Figure 9. Power-fail comparator waveform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Figure 10. Supply voltage protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Figure 11. V

BAT

-to-V

Figure 12. Supply current vs. temperature (no load) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Figure 13. V

threshold vs. temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

PFI

Figure 14. Reset comparator propagation delay vs. temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Figure 15. Power-up t

Figure 16. Normalized reset threshold vs. temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Figure 17. PFI to PFO
Figure 18. RST
Figure 19. RST

output voltage vs. supply voltage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

response time (assertion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Figure 20. Power-fail comparator response time (assertion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Figure 21. Power-fail comparator response time (de-assertion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Figure 22. V

to reset propagation delay vs. temperature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

CC

Figure 23. Maximum transient duration vs. reset threshold overdrive . . . . . . . . . . . . . . . . . . . . . . . . . 23

Figure 24. AC testing input/output waveforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 25. MR

timing waveform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 26. STM1404 switchover diagram, condition A (V
Figure 27. STM1404 switchover diagram, condition B (V

Figure 28. Temperature hysteresis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Figure 29. QFN16 – 16-lead, quad, flat package, no lead, 3 x 3 mm body size, outline . . . . . . . . . . . 31

Figure 30. QFN16 – 16-lead, quad, flat package, no lead, 3 x 3 mm, recommended footprint . . . . . . 32

Figure 31. Topside marking information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

or TP3) normally high (NH) external hookup (switch closed) . . . . . . . . . 10

1

or TP3) normally high (NH) external hookup (switch open). . . . . . . . . . . 10

1

or TP4) normally low (NL) external hookup (switch closed) . . . . . . . . . . 10

2

or TP4) normally low (NL) external hookup (switch open). . . . . . . . . . . . 11

2

on-resistance vs. temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

OUt

vs. temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

rec

propagation delay vs. temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

< VSW) . . . . . . . . . . . . . . . . . . . . . . . . . 26

BAT

> VSW) . . . . . . . . . . . . . . . . . . . . . . . . . 26

BAT

5/36

Description STM1404

1 Description

The STM1404 family of security supervisors are a low power family of intrusion (tamper)
detection chips targeted at manufacturers of POS terminals and other systems, to enable
them to meet physical and/or environmental intrusion monitoring requirements as
mandated by various standards, such as Federal Information Processing Standards (FIPS)
Pub 140 entitled “Security Requirements for Cryptographic Modules,” published by the
National Institute of Standards and Technology, U.S. Department of Commerce), EMVCo,
ISO, ZKA, and VISA PED.

STM1404 will target the highest security level 4 and include both physical and
environmental (voltage and temperature) monitoring.

The STM1404 include automatic battery switchover, RST
(push-button) reset input (MR
environmental tamper detect/security alarm, and battery low voltage detect features.

The STM1404A also offers a V
is V

1.1 V

The STM1404 is available in three versions, corresponding to three modes of the V
(supply voltage out), when the SAL
detection:

(internally switched VCC or V

TPU

pin modes

OUT

1.1.1 STM1404A

V

stays ON (at VCC or V

OUT

1.1.2 STM1404B

V

is set to High-Z when SAL is driven low (activated).

OUT

1.1.3 STM1404C

V

is driven to ground when SAL is activated (may be used when V

OUT

directly to the V

All variants (see Table 1: Device summary) are pin-compatible and available in a security-
friendly, low profile, 16-pin QFN package.

output (open drain), manual

), power-fail comparator (PFI/PFO), physical and/or

(1.237V) as an option on pin 9. On STM1404B/C this pin

REF

) when SAL is driven low (activated).

BAT

pin of the external SRAM that holds the cryptographic codes).

CC

).

BAT

(security alarm) is asserted (active-low) upon tamper

OUT

OUT

is connected

pin

6/36

STM1404 Description

Figure 1. Logic diagram

V

REF

(3)

or

V

BLD

V

TPU

(1)

BAT

V

CC

(2)

V

CCSW

MR

STM1404

PFI

TP1 (NH)

TP

TP

(NH)

TP

3

4

(NL)

1. V

2. Normal mode: low when V

3. SAL

Table 2. Signal names

only for STM1404A; V

REF

battery.

, RST, PFO, and BLD are open drain.

(1)

Vccsw

TPU

OUT

MR

2

(NL)

for STM1404B/C.

is internally switched to VCC and High when V

VCC switch output

Manual (push-button) reset input

PFI Power-fail input

- TP

TP

1

4

V

OUT

(2)

RST

(2)

PFO

(2)

SAL

(2)

BLD

(3)

V

REF

(3)

V

TPU

V

BAT

V

CC

V

SS

1. Normal mode: low when V
battery.

2. SAL, RST, PFO, and BLD are open drain.

3. V

only for STM1404A; V

REF

is internally switched to VCC and high when V

OUT

TPU

Independent physical tamper detect pins 1 through 4

Supply voltage output

Active-low reset output

Power-fail output

Security alarm output

Battery low voltage detect

1.237 V reference voltage

Tamper pull-up (VCC or V

Backup supply voltage

Supply voltage

Ground

for STM1404B/C.

Note: See Section 2: Pin descriptions on page 11 for details.

V

OUT

(3)

RST

(3)

PFO

(3)

SAL

V

SS

AI09682a

is internally switched to

OUT

)

BAT

is internally switched to

OUT

7/36

Description STM1404

Figure 2. QFN16 connections

V

CCSW

14

(1)

V

CC

13

V

12

OUT

RST

(2)

BLD

16

1

(2)

PFI

15

(2)

SS

2

3

4

5

TP

(NH)

11

10

8

76

TP

(NH)

TP

3

(NL)

TP

1

2

(NL)

MR

SAL

V

Note: See Section 2: Pin descriptions on page 11 for details.

1. Normal mode: low when V
battery.

, RST, PFO, and BLD are open drain.

2. SAL

3. V

only for STM1404A; V

REF

is internally switched to VCC and high when V

OUT

for STM1404B/C.

TPU

Figure 3. Block diagram

V

CC

(1,2)

MR

PFI

BAT54J

V

BAT

(1)

V

INT

COMPARE

V

SO

COMPARE

V

RST

COMPARE

V

PFI

V

BAT

(2)

PFO

V

REF

or

9

V

TPU

(3)

4

AI09683

is internally switched to

OUT

V

OUT

V

CCSW

t

rec

Generator

RST

PFO

(3)

(3)

V

DET

V

HV

V

TP1 (NH)

TP2 (NL)

TP3 (NH)
TP4 (NL)

LV

1. Required for battery-reverse charging protection

2. User supplied

3. Open drain

4. V

only for STM1404A; V

REF

for STM1404B/C

TPU

8/36

COMPARE @

POWER-UP

1.237V V

REF

Generator

COMPARE

COMPARE

High Temp.

Sense

TA > T

H

Low Temp.

Sense

TA < T

L

V

V

AI09684a

BLD

SAL

TPU

REF

(3)

(4)

(4)

(3)

STM1404 Description

Figure 4. Hardware hookup

(1)

Unregulated

Voltage

Regulator

V

IN

V

CC

0.1μF

V

CC

V

CCSW

STM1404

V

OUT

V

CC

V

CC

(2)

C

LPSRAM

R1

R2

(e.g., Switches, Wire Mesh)

1. Normal mode: low when V
battery.

PFI

Push-Button

BAT54J

1.0μF

From Actuator Device

is internally switched to VCC and high when V

OUT

MR

(4)

V

BAT

TP

1

TP

2

TP

3

TP

4

(3)

PFO

(3)

RST

(3)

BLD

(3)

SAL

(5)

V

REF

or

V

TPU

To Microprocessor NMI

To Microprocessor Reset

To Microprocessor

To ADC

To Physical Tamper Pins TP

is internally switched to

OUT

X

AI09690a

2. Capacitor (C) is typically ≥ 10 µF.

3. Open drain

4. Diode is required for battery reverse charge protection.

5. V

only for STM1404A; V

REF

for STM1404B/C

TPU

Figure 5. Tamper pin (TP1 or TP3) normally high (NH) external hookup (switch

closed)

V

(STM1404A)

OUT

V

Switch Normally Closed;

Tamper Detection on Open

or

(STM1404B/C)

TPU

TP1 or TP

(1)

R

AI09698a

1. R typical is 10 MΩ. Resistors must be protected against conductive materials.

9/36

3

Description STM1404

Figure 6. Tamper pin (TP1 or TP3) normally high (NH) external hookup (switch

open)

V

(STM1404A)

OUT

V

or

(STM1404B/C)

TPU

(1)

R

Tamper Detection when Closed

Switch Normally Open

TP1 or TP

3

AI10461a

1. R typical is 10 MΩ. Resistors must be protected against conductive materials.

Figure 7. Tamper pin (TP2 or TP4) normally low (NL) external hookup (switch

closed)

V

(STM1404A)

OUT

V

Switch Normally Closed;

Tamper Detection on Open

or

(STM1404B/C)

TPU

(1)

R

TP2 or TP

4

AI09699a

1. R typical is 10 MΩ. Resistors must be protected against conductive materials.

Figure 8. Tamper pin (TP2 or TP4) normally low (NL) external hookup (switch open)

Switch Normally Open;

Tamper Detection when Closed

1. R typical is 10 MΩ. Resistors must be protected against conductive materials.

10/36

V

OUT

V

(STM1404B/C)

TPU

(STM1404A)

or

(1)

R

TP2 or TP

AI10462a

4

STM1404 Pin descriptions

2 Pin descriptions

See Figure 1: Logic diagram and Table 2: Signal names for a brief overview of the signals
connected to this device.

2.1 SAL, security alarm output (open drain)

This signal can be generated when ANY of the following conditions occur:

● V

● V

● When any of the physical tamper inputs, TP

● T

● T

> VHV, where VHV = upper voltage trip limit (4.2 V typ); and where V

INT

V

;

BAT

< VLV, where VLV = lower voltage trip limit (2.0 V typ); and where V

INT

V

; or

BAT

to TP4, change from their normal states to

1

= VCC or

INT

= VCC or

INT

the opposite (i.e., intrusion of a physical enclosure).

> TH, where TH is an upper temperature trip limit specified by the customer (+80°C,

A

+85°C, and +95°C), factory-programmed (STM1404 only);

< TL, where TL is a lower temperature trip limit specified by the customer (–25°C or

A

–35°C), factory-programmed (STM1404 only);

Note: 1 The default state of the SAL

output during initial power-up is undetermined.

2 The alarm function will operate either with V

from V

2.2 TP1, TP

CC

to V

3

BAT

.

Physical tamper detect pin set normally to high (NH). They are connected externally through
a closed switch or a high-impedance resistor to V
the case of STM1404B/C. A tamper condition will be detected when the input pin is pulled
low (see Figure 5 and Figure 6 on page 10). If not used, tie the pin to V
or V

2.3 TP2, TP

(for STM1404B/C).

TPU

4

Physical tamper detect pin set normally to low (NL). They are connected externally through
a high-impedance resistor or a closed switch to V
when the input pin is pulled high (see Figure 7 and Figure 8 on page 10). If not used, tie the
pin to V

SS

.

2.3.1 Vccsw, VCC switch output

This output is low when V
V

; in this mode it may be used to turn on an external p-channel MOSFET switch which

CC

can source an external device directly from V
the STM1404).

(see Section 2.10: V

OUT

on or when the part is internally switched

CC

(in the case of STM1404A) or V

OUT

(for STM1404A)

OUT

. A tamper condition will be detected

SS

on page 13) is internally switched to

OUT

for currents greater than 80 mA (bypassing

CC

TPU

(in

This pin goes high when V
“BATTERY ON” indicator.

is internally switched to V

OUT

11/36

and may be used as a

BAT