Part Number Hot Search : 
2N440 FZT789A EZ140 00A54E3 IRF131 GP7NB60K DG4052A 3ADR2G
Product Description
Full Text Search
 

To Download ATA5580 Datasheet File
  If you can't view the Datasheet, Please click here to try to view without PDF Reader .  
 
 

  Datasheet File OCR Text:
  9254a?rfid?02/12 features aes crypto transponder in plastic brick package includes coil and capacitor for tuned circuit antenna radio frequency f rf = 125khz contactless power supply contactless bidirectional data communication interface high performance aes encryption hardware unit open immobilizer stack by atmel ? 2k eeprom for secret key storage, field user data, and configuration data error correction code support for nvm 32-bit unique id multiple configuration registers modulation/coding: biphase, manchester, qplm configurable baudrate ?40c to + 85c operation temperature lga like brick package atmel ATA5580 the aes 125khz transponde r with open immobilizer software stack preliminary datasheet www.datasheet.co.kr datasheet pdf - http://www..net/
2 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 1. description the atmel ? ATA5580 is a smart transponder module with an aes encr yption unit, customer eeprom, an 125khz lf front end and a lf ferrite antenna for wireless power supply and commun ication. all components are built up in a single pinless transponder package. the ic contains the highly conf igurable open immobilizer software stack by atmel. 1.1 module schematic the atmel ATA5580 transponder contains an ultra low power trans ponder ic with aes engine, an lf antenna resonant circuit, and a buffer capacitor. 1.2 functional description atmel ? ATA5580 is designed for automotive immobilization app lications in rke keys. the atmel ATA5580 micro module consists of an ultra low power ic with aes encryption engine and immobilizer frontend, an lf fe rrite antenna and capacitors for the antenna and as supply buffer. the small lga -like package of the atmel ATA5580 contains all the components required fo r the transponder application. the ic needs no battery supply as it is powered by a 125khz lf field. the communication with the chip is also done via an lf field. a base station can request data via an lf telegram and the transponder responds with data from its memory or with cipher data via a damping modulation from the lf field. the transponder function is defined by a special atmel immobilizer stack. figure 1-1. block diagram c2 lf antenna ATA5580-ic ATA5580 l1 www.datasheet.co.kr datasheet pdf - http://www..net/
3 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2. atmel open immobilize r protocol description 2.1 overview 2.1.1 protocol flexibility the atmel ? immobilizer protocol has been designed as a configurable software stack. for instance, security levels, turn-around authentication time, and authentication schemes are all configurable at runtime whil e covering a wide range of car manufacturer requirements. additionally, atmel defined three default config urations respectively targeting fast, st andard, and high security for which ana lysis of bit security strength vs. turn-around ti me was carried out. obviously, flexibility for tuning the protocol stack to meet spe cific constraints is still a feature. 2.1.2 open software stack rather than developing its own proprietary cryptographic fu nctions, atmel selected and implemented the 128 -bit aes global benchmark standard as its data encryption and decryption source. this standard is op en source and freely available to the public for use and scrutiny. because of this it continues to be favored by industry experts over private and proprietary crypto algorithms. in addition to selecting an open source and public aes crypto fu nction, the firmware includes user configurable options that enable the engineer to ?build? an authentic ation protocol that meets user requirements. the comp lete documentation of the protocol configuration options are made publ icly available. the encryption and config uration of the authenti cation protocol are open source and freely available to customers free of charge. 2.1.3 production-ready software implementation besides defining an open immobilizer protoc ol stack, atmel elected to implement it in all car access devices with an embedded lf frontend. this implementation complies with automotive grade development standards (cmmi - automotive spice) and is production-ready. 2.2 system overview as a sub-system of the general car access system, the immobilize r is not used for accessing th e car but instea d to allow the driver to start the engine. figure 2-1 visualizes system partitioning. figure 2-1. system overview keyfob containing the microcontroller based transponder 125khz downlink lin/k-line/spi/uart- based communication interface tp key car bs uplink atmel immobilizer system software base station containing the microcontroller based transceiver bcm body control module containing the main controller www.datasheet.co.kr datasheet pdf - http://www..net/
4 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.3 device support the firmware implementation developed by atmel ? uses specific hardware blocks that are found in our vehicle access product line. the transponder features are optimized to function seamlessly with the following devices: atmel ATA5580 (traesure): standalone transponder atmel ata5790 (primus): passive entr y/go microcontroller with 3d lf re ceiver and transponder interface atmel ata5794 (primeone): remote keyless entr y microcontroller with transponder interface atmel ata5795 (primatik): remote keyless entry microcontroller with transponder interface and frac-n rf transmitter. the vehicle consists of the atmel ata5272 base station device containing a matched firmwar e library for implementing the entire system. the transponder's hardware and software layers have been specif ically designed to be compatible with any fdx basestation available on the market by implementing the protocol described in this document on the host microcontroller. 2.4 firmware features the purpose of this section is to provide an overview of th e complete immobilizer features included with the atmel firmware library. it also describes the information flow between the car side base station and the key side transponder. it includes definitions and requirements in terms of ph ysical layer, protocol layer, and encryption. 2.5 memory partitioning except for the atmel ATA5580, there are two types of memory on the atmel devices ar e used by both the immobilizer and the application. these memories need to be partitioned and some gui delines established to ensure reliable operation. program code stored in flash memory is typically used as read -only memory once initia l programming has occurred. non -volatile memory that supports multiple read/write access is provided through eeprom memory structures. 2.5.1 flash memory the immobilizer firmware developed by atmel is stored in the bootloader secti on of the flash memory. this is shipped from atmel with the bootloader section protected from overwrit ing through the use of fuse settin gs. this allows the application spac e to be programmed without corrupting the immobilizer firmware. each atmel device provides differing amou nts of flash memory. the bootlo ader space is consistent across devices at 2kbytes. in the case of the atmel ATA5580 a ll of the flash memory (8k) is av ailable for the immobilizer stack. figure 2-2 on page 5 shows how the flash memory is partitioned for various memory sizes. www.datasheet.co.kr datasheet pdf - http://www..net/
5 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 figure 2-2. the flash memory partition 2.5.2 non-volatile memory non-volatile memory used for data storage is implemented in eeprom structures. this is subdivided into two pages. page one provides read and write access for storage of application and immobilize r data. this includes four special access protection (ap0 - ap3) areas. the protecti on takes the form of requiring an intentiona l setting of the second register before programming is possible. the ap0 location has been selected for exclusive use by the atmel ? immobilizer firmware. the application code should be audited to insure that this memory is not used to prevent corruption. figure 2-3 on page 6 shows the use of eeprom page 1. address 0x0000 0 0x1bfe 7166 0x1bff 7167 0x1fff 8191 0x0bfe 3070 0x0bff 3071 0x0fff 4095 015 address flash 8kbytes 0x0000 0 015 application space (7166 words) bootloader (1024 words) application space (3070 words) bootloader (1024 words) flash 16kbytes www.datasheet.co.kr datasheet pdf - http://www..net/
6 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 figure 2-3. eeprom page 1 page 2 is locked from overwriting at the end of atmel ? manufacturing. this page contains a vast set of configuration and identification features. once these have been set they are protected from any subsequent changes. 2.5.2.1 secret key storage atmel makes provisions for a total of three secret keys that ca n be used. one of these is the fixed default secret key which resides in the locked page 2 of eeprom and is intended for use dur ing a secure key transfer process to establish the other two secret keys. the other two secret keys are intended for use during normal ope ration. these are stored in th e ap0 section of eeprom when the supplied lf interface is used to pair the transponder to the vehicle. to ensure integrity, t he lf interface for transferrin g secret keys also stores each of these two secret keys with two copies. when the secr et key is accessed for the authentication process, all three copies are read out and checked against each other for er rors. any corruption of a single copy can be corrected automatically. figure 2-4 on page 7 shows the mappin g of the ap0 section loca ted in page 1 of eeprom. the size of the secret key is 16 bytes. the secret keys for immobilizer and application must be stored based on the config uration stored in page 2. both secret key 1 and secret ke y 2 must be stored with 2 copies in their respective locations. figure 2-4 on page 7 represents the allocation of secret key in the eeprom memory. address 0x0000 0 0x077f 1919 0x0780 1920 0x06ff 1791 0x0700 1792 0x067f 1663 ap3 ap2 ap1 ap0 0x0680 1664 0x05ff 1535 0x0600 1536 0x07ff 2047 07 application space (1920 bytes) key space (128 bytes) eeprom 2kbytes www.datasheet.co.kr datasheet pdf - http://www..net/
7 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 figure 2-4. the ap0 memory map the unassigned locations of ap0 are reserved for general variable storage for the immobilizer firmware. 2.5.2.2 configuration memory options the atmel ? firmware includes highly co nfigurable immobilizer fe atures allowing the system design to be optimized. all configuration options must be selected during design testin g and validation and are placed and locked in page 2 of eeprom. data check disable eeprom address 0x0815 bit 0 allows the crc data to be di sabled for both the request frame and the response frame. data check disable (dcd): 0 = crc enabled, 1 = crc disabled this configuration bit is checked when sending or receiving all commands. authentication format eeprom address 0x0815 bit 2 allo ws the type of authenticati on protocol to be selected. crypto mode (cm): 0 = unilateral, 1 = bilateral this configuration bit is checked when the start authentication and memory access commands are executed. details of this interaction are provided in the lf command set section. challenge and response length these two configuration register s deal with the number of bits transferred during authentication. the leng th of the challenge t hat the transponder expects is stored in eepr om address 0x0819. in resp onse the transponder return s an encrypted value with a length determined by the setting in address 0x081a. the star t authentication command must have knowledge of these length settings to be used in the authentication protocol. data 1 secret key 2 0780 - 078f 0790 - 079f 07a0 - 07af 07b0 - 07bf 07c0 - 07cf 07d0 - 07df 07e0 - 07ef 07f0 - 07ff 2 (copy 1) 2 (copy 2) 1 1 (copy 1) 1 (copy 2) 128 bytes of secret key memory 128 bit data 2 data 3 data 4 data 5 data 6 data 7 data 8 data 9 data 10 data 11 data 12 data 13 data 14 data 15 data 16 physical address ap0 128 bytes byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 815 tdh skt ks dlp1 dlp0 cm mod dcd configuration byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 815 tdh skt ks dlp1 dlp0 cm mod dcd configuration byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 819 ch7 ch6 ch5 ch4 ch3 ch2 ch1 ch0 challenge length 81a rs7 rs6 rs5 rs4 rs3 rs2 rs1 rs0 response length www.datasheet.co.kr datasheet pdf - http://www..net/
8 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 uplink coding and data rate eeprom address 0x0815 bit 1 allows the uplink coding type to be selected. uplink modulation (mod): 0 = manchester, 1 = biphase the baud rate setting (0x0817) sets the threshold for the manc hester/biphase encoder. this works in combination with the t2 prescaler (0x0818) to provide a very accu rate and flexible transmission of data from the transponder to the vehicle. a typical value is recommended as 0x07 and 0x00 respec tively to provide ap proximately 3.906kb/s. downlink coding and data rate eeprom address 0x0815 bits 3 and 4 allows the downlink coding type to be selected. downlink protocol (dlp1:0): 00 = bplm, 01 = qplm (one of four codings), 10 = dps plm threshold (0x0816) sets the threshold used to decode bplm data from the vehicle. the value in this register (plm0 - plm7) is used to determine if the number of field clock cycles received represents a logical zero or one. for example, a typica l bplm configuration uses 16 fiel d clocks to represent a zero and 32 field clocks to represent a one. the threshold setting can then be set to 24 to achieve accurate decoding. in qplm mode the plm threshold becomes the reference val ue that is used to determine t he four possible state values. secret key selection and transfer eeprom address 0x0815 bits 5 and 6 configure the handling of secret keys in the system. key select (ks): 0 = secret key one, 1 = secret key two secure key transfer (skt): 0 = off, 1 = on the secret key selected in th is option determines whic h key from the ap0 section of eepr om is used during the start authentication command. in additi on, the type of key transfer process used to l oad the secret keys into ap0 is specified using this configuration. byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 815 tdh skt ks dlp1 dlp0 cm mod dcd configuration 816 plm7 plm6 plm5 plm4 plm3 plm2 plm1 plm0 plm threshold 817 bd7 bd6 bd5 bd4 bd3 bd2 bd1 bd0 baud rate setting 818 t23 t22 t21 t20 t2d1 t2d0 t2 prescaler byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 815 tdh skt ks dlp1 dlp0 cm mod dcd configuration 816 plm7 plm6 plm5 plm4 plm3 plm2 plm1 plm0 plm threshold byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 815 tdh skt ks dlp1 dlp0 cm mod dcd configuration www.datasheet.co.kr datasheet pdf - http://www..net/
9 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 fob power up eeprom address 0x0815 bit 7 al lows the detection header functionalit y to be selected. detection header (tdh): 0 = off, 1 = on this configuration determines if the detection header is in cluded as part of the immobilizer initialization routine. default secret key a 128 -bit default secret key is programmed and locked into eeprom address locations 0x081b to 0x82a. this is programmed identically for all devices that are shipped to the customer and includes the customer id address (0x081b). the remaining 15 bytes of data can be specified by the customer or assigned by atmel ? . this default secret key ca nnot be read out of eeprom by lf field commands. the default secret key is used for the secure key transfer process. byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 815 tdh skt ks dlp1 dlp0 cm mod dcd configuration byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 81b cid7 cid6 cid5 cid4 cid3 cid2 cid1 cid0 customer id 81c sk119 sk118 sk117 sk116 sk115 sk114 sk113 sk112 default secret key 81d sk111 sk110 sk109 sk108 sk107 sk106 sk105 sk104 81e sk103 sk102 sk101 sk100 sk99 sk98 sk97 sk96 81f sk95 sk94 sk93 sk92 sk91 sk90 sk89 sk88 820 sk87 sk86 sk85 sk84 sk83 sk82 sk81 sk80 821 sk79 sk78 sk77 sk76 sk75 sk74 sk73 sk72 822 sk71 sk70 sk69 sk68 sk67 sk66 sk65 sk64 823 sk63 sk62 sk61 sk60 sk59 sk58 sk57 sk56 824 sk55 sk54 sk53 sk52 sk51 sk50 sk49 sk48 825 sk47 sk46 sk45 sk44 sk43 sk42 sk41 sk40 826 sk39 sk38 sk37 sk36 sk35 sk34 sk33 sk32 827 sk31 sk30 sk29 sk28 sk27 sk26 sk25 sk24 828 sk23 sk22 sk21 sk20 sk19 sk18 sk17 sk16 829 sk15 sk14 sk13 sk12 sk11 sk10 sk9 sk8 82a sk7 sk6 sk5 sk4 sk3 sk2 sk1 sk0 www.datasheet.co.kr datasheet pdf - http://www..net/
10 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.5.2.3 fixed identification fixed identification contains data that has been programmed and locked by atmel. this data is provided for use in the immobilizer application as well as part of supply chain management. unique id the id or serial number consists of 32 bits of non-sequential, unique values. each transponder is assigned this value at the en d of the manufacturing process. the val ue is stored at eeprom address locations 0x0800 to 0x0803. this value can be accessed very efficiently through the use of the read uid command. the customer id stored at address 0x0804 may optionally be added to the unique id. atmel traceability atmel traceability entails information that can be used to det ermine where and how this device has been processed. the following information completely identifies this device in the atmel process chain: address - value 0x0808 - device type 0x0809 to 0x080b - lot number 0x080c - wafer number 0x080d to 0x080e - die number software revision the software revision is contained in eeprom address 0x080f and provides information about the current version loaded into flash memory. byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 800 id31 id30 id29 id28 id27 id26 id25 id24 unique id / serial # 801 id23 id22 id21 id20 id19 id18 id17 id16 802 id15 id14 id13 id12 id11 id10 id9 id8 803 id7 id6 id5 id4 id3 id2 id1 id0 804 cid7 cid6 cid5 cid4 cid3 cid2 cid1 cid0 customer id byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 808 dev7 dev6 dev5 dev4 dev3 dev2 dev1 dev0 device type 809 lot23 lot22 lot21 lot20 lot19 lot18 lot17 lot16 lot number 80a lot15 lot14 lot13 lot12 lot11 lot10 lot9 lot8 80b lot7 lot6 lot5 lot4 lot3 lot2 lot1 lot0 80c waf7 waf6 waf5 waf4 waf3 waf2 waf1 waf0 wafer number 80d die15 die14 die13 die12 die11 die10 die9 die8 die number 80e die7 die6 die5 die4 die3 die2 die1 die0 byte address bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0 remarks 80f sw7 sw6 sw5 sw4 sw3 sw2 sw1 sw0 sw revision www.datasheet.co.kr datasheet pdf - http://www..net/
11 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.6 device initialization this section describes how the transponder device handles the initial power up sequenc e. the outcome or determination from the initialization sequence depends on various conditional paths. these are described in the foll owing sections. the system can guarantee that the immobilizer f unctionality is given the highest preference and can operate independently from the application code by means of this initialization sequence. 2.6.1 power-up scenarios power up occurs whenever there is a reset event. this can be po wer-on-reset (por), external re set, watchdog reset, brown-out reset, and transponder reset. this reset sets all registers, ports, and sram to initial conditions. the program counter is alwa ys set to the reset vector located in the bootloader section. this ensures the priority of the immobilizer over all other function s. after a fixed delay, a code is executed to check the conditions described as follows. 2.6.2 lf field detection the very first item checked after the reset delay is the determina tion of the presence of an lf fi eld. if the lf field is prese nt then the immobilizer function is used and the other conditional ch ecks can be skipped and the immobilizer function executed. if the lf field is not present, the initia lization routine will eventually exit to the application code section after the next step. transponder initialization will not occur. 2.6.3 enhanced mode detection this command does not apply to the atmel ? ATA5580 and will be ignored. 2.6.4 transponder initialization once all conditions have been met to enter transponder mode, th e following items are configured to prepare for communication: the presence of lf field has to be acknowledged in order to enable operation of the transponder system clocks are reconfigured system resources are configured for the lowest power consumption possible the interrupt vector table is mapped into bootloader space the watchdog timer is configured and activated system resources for uplink and downlink communication processing are initialized 2.6.5 reliable communication channel indication once the device has been initialized for transponder mode an indica tion of this readiness can be conveyed to the base station i f selected during device configuration. th is is achieved through the transmission of a detection header t hat ensures with high probability that the commun ication channel is open and reliable. both the uplink and downlink paths are verified by this in the following manner. for the downlink to be successful, the transponder must receive enoug h power to operate. once this condition is satisfied for a long enough time to charge a buffer capacitor, the transponder ca n survive field gaps needed to transfer data. the fact that th e initialization routine was successfully executed up to this point means this has been achieved. for the uplink to be successful, the transponder must modulate the carrier field with sufficient coupling and modulation depth that the base station can recover the data from the carrier. by sending a modulated signal as defined by the detection header, the base station can make a determination t hat the uplink path is open once this header is visible on the demodulated output. www.datasheet.co.kr datasheet pdf - http://www..net/
12 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.7 lf physical layer all communication between the base statio n and the transponder occurs using the lf field as the signal carrier. the lf communication link is established when the transponder transmits the lf channel detection header consisting of a manchester coded sequence of ?1010?? as a 125khz signal which continues until the base station interr upts the signal during a damped phase with a gap. the physical layer (uplink and downlink) is compatible with all standard fdx basestations available on the market. lf channel consists of data communicati on sessions comprised of a downlink (base station to transponder) and an uplink (transponder to base station) data transfer. figure 2-5 shows a transponder start-up sequence after whic h the lf communication channel is established. figure 2-5. lf physical layer 2.7.1 downlink a downlink channel is established when the data is being tran smitted from the base station to the transponder. the downlink communication uses amplitude modulation (am) in the form of on-off-keying (ook). data can be encoded in the following ways: binary pulse length modulation (bplm): single pulse length is decoded to a single binary logic state (1-bit value). quadpulse length modulation (qplm): also known as 1-of-4 encodi ng, in this case a single pulse length is decoded into dual binary logic state (2-bit value). damped phase synchronized modulation (dps): while the trans ponder modulates the field with a sequential pattern of manchester coded ?0,? the base station stop s or continues sending the field during th e second half of the bit (damped phase) to transmit ?1s? or ?0s?. figure 2-6. downlink t charge t syn t stup start up lf-field detection c_buffer charge transponder detection header transponder ready for communication damped mode ?0? = 16 periods of 125khz signal ?1? = 32 periods of 125khz signal gap = bit separator t syn t syn t syn www.datasheet.co.kr datasheet pdf - http://www..net/
13 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.7.2 uplink an uplink channel is established when the data is being tran smitted from the transponder to the base station. the uplink communication utilizes am by modulating th e induced voltage on the transponder coil down to 50% of its un-damped amplitude (50% modulation depth). binary data is either biphase or manchester encoded. figure 2-7. uplink 2.8 lf communication the protocol developed by atmel ? relies on two frame structures for the bi-directional communication. the downlink path from the base station to the transpond er consists of a request frame. the uplink path uses the response frame defined below. communication sessions consist of a base station request, a 2ms delay, and a transponder response. all communication follows this process and creates functionality by executing a series of communication session s. the base station request contains the means to utilize the command set provided by t he atmel firmware. all commands ha ve a defined response that is returned from the transponder. the command set indicates that this response only occurs if communication is successful. any errors that occur cause the transponder to signal the base stati on in a unique manner by sending a fixed 1khz waveform. this allows very rapid detection of a problem. the exact cause of the error is stored and can be accessed by a dedicated command. 2.8.1 request frame definition all transactions are initiated by t he base station sending the following: command field = 4-bit command + 4-bit command crc data field = variable bit length payload (optional based on command) crc field = payload crc8 (optional based on presence of payload data) lf-data bit undamped mode undamped mode manchester coded bit manchester coded bit ?0? 32 * 125khz signals manchester coded bit ?1? t bit t bit command field data field crc field 4 bits crc4 variable sw revision www.datasheet.co.kr datasheet pdf - http://www..net/
14 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.8.2 response frame definition all responses the transponder makes to the base station include sending the following: header field = recognizable pattern fixed at 0xfe data field = variable bit length payload (optional based on command) crc field = payload crc8 (optional based on presence of payload data) 2.9 lf command set 2.9.1 read uid the read uid command provides a very concise method fo r accessing the 32-bit unique serial number stored in the transponder. this serial number is assigned at the atmel fabr ication plant and provides a un ique identity for use in the immobilizer system. the request from the base station is stream lined to provide a very rapid re sponse consisting of only the 4-bit command and 4-bit crc. the response contains the un ique identifier. the eeprom a ddress designated for the unique identifier location starts from 0x810 and ends with 0x80d (4 bytes). figure 2-8. the read uid sequence command field data field crc field 4 bits crc4 variable sw revision table 2-1. the read uid (request frame) field size values description command id 4 + 4 bits 0000b + 0000 crc read uid data payload n/a crc n/a table 2-2. the read uid (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 4 bytes eeprom value serial number (id0 to id31) crc 1 byte calculate 0000b (4 bits) 0xfe (1 byte) 1 byte eeprom values id0 to id31 (4 bytes) preamble header data payload crc command id from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
15 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.2 transponder error status the status byte contains both error information and command ex ecution state information. by dire ctly requesting this byte, the base station can determine the cause of an error or determine the last command execut ed. this allows a base station error to be remedied without complete loss of previously executed functions. figure 2-9. the transponder error status sequence table 2-3. the transponder error status (request frame) field size values description command id 4 + 4 bits 0010b + 0110 crc request status byte data payload n/a crc n/a table 2-4. the transponder error status (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte status status crc 1 byte calculate 0011b (4 bits) 0xfe (1 byte) status (4+4 bits) 1 byte preamble header data payload crc command id from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
16 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.3 start authentication the immobilizer authentication protocol is to be based on challenge - response topology. this can be the unilateral authentication (ua) method or bilateral authentication (ba). the start authentication command causes an authentication prot ocol to begin. the length of the request payload (challenge length) is dependent upon the setting stored in the eeprom page 2 address 0x815 and the res ponse length is dependent upon the setting stored at the eeprom page 2 address 0x816. the type of protocol t hat is used depends on the configuration stored at the eeprom page 2 regist er address 0x811. bit 2 (cm) defines the crypto model selected (0=ua or 1=ba). the aut hentication protocol can be selected based on security level and authentication time requirement. ever y protocol implementation utilizes aes-12 8 block cipher encryption and depending on security level uses different variable bit length ciphers. figure 2-10. the start authentication sequence table 2-5. start authentication (request frame) field size values description command id 4 + 4 bits 0001b + 0011 crc start authentication data payload varies (100 or 128 bits recommended) challenge bits depends on eeprom page2 setting crc 1 byte calculate table 2-6. start authentication (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload varies (56 or 80 bits recommended) response bits depends on eeprom page2 setting crc 1 byte calculate 0001b (4 bits) 0xfe (1 byte) 1 byte challenge bits (depends on setting at 0x815) response bits (depends on setting at 0x816) preamble header data payload crc command id data payload crc 1 byte from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
17 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.4 learn secret key1 this command starts the learn secret key1 process for the first secret key. this is either open transfer or secure transfer depending on the configuration setting stored in eeprom page 2 at address 0x811(bit 6) . if this bit (skt- secure key transfer bit) is 0, the transfer is open mode and if the bit is 1, the transfer is secure mo de. the request frame carries a128-bit secre t key data payload (may be encrypted during secure transfer). the 128- bit key transferred through this command is stored in ap0 key position 1 (0x7c0) along with two copies. the re sponse frame consists of a status byte at the data pay load. the status byte is stored in ram and updated with each communic ation session. the status byte consis ts of the last command received (ms 4bits) and an error flag (ls 4bits).status by te [7:4]: four msbs of the field contain an echo of the command received in the la st request frame. status byte [3:0]: four lsbs of the field contain status information in encoded form. figure 2-11. the learn secret key1 sequence table 2-7. the learn secret key1 (request frame) field size values description command id 4 + 4 bits 0111b + 1001 crc learn secret key1 data payload 128 bits aes (possibly encrypted) secret key crc 1 byte calculate table 2-8. learn secret key1 (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte status status crc 1 byte calculate 0111b (4 bits) 0xfe (1 byte) status (4+4 bits) 1 byte preamble header data payload crc command id data payload crc 1 byte from basestation request frame response frame from transponder crc (4 bits) secret key (128 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
18 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.5 learn secret key2 this command starts the secret key 2 learning process. this is either open or secure tr ansfer depending on the configuration stored in eeprom at address 0x811(bit 6). if this bit (skt- secu re key transfer bit) is 0, the transfer is open mode and if the bit is 1, the transfer is secure mode. the request frame carries 128-bit secret key data payload (may be encrypted during secure transfer). the 128-bit key transferred through this command is stored in the ap1 key position 2 (0x780) along with two copies. the response frame consists of a status byte at the data pay load. the status byte is stor ed in ram and updated with each communication session. the status byte consists of the last command received (ms 4bits) and an error flag (ls 4bits). status byte [7:4]: four msbs of the fiel d contain an echo of the command received in the last request frame. status byte [3:0]: four lsbs of the field contain st atus information in encoded form. figure 2-12. the learn secret key 2 sequence table 2-9. the learn secret key2 (request frame) field size values description command id 4 + 4 bits 1000b + 1011 crc learn secret key2 data payload 128 bits aes (possibly encrypted) secret key crc 1 byte calculate table 2-10. learn secret key2 (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte status status crc 1 byte calculate 0111b (4 bits) 0xfe (1 byte) status (4+4 bits) 1 byte preamble header data payload crc command id data payload crc 1 byte from basestation request frame response frame from transponder crc (4 bits) secret key (128 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
19 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.6 initiate enhanced mode this command initializes the enhanced m ode command structure. this command sets the transponder into enhanced mode when it enters the vfld the next time by setting the e nhanced mode flag in eeprom. this command begins a sequence to place the transponder into the enhanced mode where the bat tery supply is used during transponder communication. an eeprom flag of value tbd is stored at address tbd. this address is checked at each por to determine if the power switch should be disabled. once the fl ag is set by this lf command, the next po wer cycle causes the fo llowing lf session to be operated using battery power. this will occur only once each time this lf command is received. the status byte consists of the last command re ceived (ms 4bits) and an error flag (ls 4bits). status byte [7:4]: four msbs of the field contain an echo of the command received in the last re quest frame. status byte [3:0]: four lsbs of the field contain status information in encoded form. figure 2-13. the initiate enhanced mode sequence table 2-11. the initiate enhanced mode (request frame) field size values description command id 4 + 4 bits 0011b + 0101 crc initiate enhanced mode data payload n/a crc n/a table 2-12. the initiate enhanced mode (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte status status crc 1 byte calculate 0011b (4 bits) 0xfe (1 byte) status (4+4 bits) 1 byte preamble header data payload crc command id from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
20 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.7 repeat last response this command requests that the last transm ission be repeated. this quickly repeats the last response used. this enables a retry strategy that increase s communication response time. the response frame matches the re sponse from the previous command. figure 2-14. the repeat last response sequence table 2-13. repeat last response (request frame) field size values description command id 4 + 4 bits 1110b + 0001 crc repeat last response data payload n/a crc n/a table 2-14. repeat last response (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload varies status crc 1 byte calculate 1110b (4 bits) 0xfe (1 byte) 1 byte varies preamble header data payload crc command id from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
21 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.8 read user memory this command prov ides memory read oper ation from the user memory (eeprom). the request fram e data block provides the beginning address of the eeprom as well as the read length (n umber of bytes that should be read). addresses in the range of (0x0780 to 0x07ff) or (0x0817 to 0x0826) should never be allowed access via the memory access commands. the transponder provides the status byte as well as requested number of eeprom data bytes in the response frame. the response length specified does not exceed 16 bytes. the status by te consists of the last command received (ms 4bits) and an error flag (ls 4bits). status byte [7:4]: four msbs of the field contain an echo of the command received in the last re quest frame. status byte [3:0]: four lsbs of the field contain status information in encoded form. figure 2-15. the read user memory sequence table 2-15. read user memory (request frame) field size values description command id 4 + 4 bits 0100b + 1100 crc read user memory data payload 2 bytes + 1 byte eeprom address + data length crc 1 byte calculate table 2-16. read user memory (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte + data status + data status + eeprom data crc 1 byte calculate 0100b (4 bits) 0xfe (1 byte) 1 byte status+data eeprom address (2 bytes) +data length (1 byte) preamble header data payload crc command id data payload crc 1 byte from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
22 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.9 write user memory this command provides write operation to the user memory (eeprom). the request frame data block prov ides the beginning address of the eeprom followed by the data to be written. th e transponder provides the status of the result in the response frame. write commands that involve tran sponder eeprom addresses with the ap1, ap2 , and ap3 sections initially check the saved lock state for this sectio n. if the section has previously been locked, th e command is aborted and the transponder sends an error response. during normal operation the number of eeprom data bytes to be written should be 4 bytes at the most. during enhanced mode the number of eeprom data bytes to be written should not exceed 128 bytes. the eeprom data is always sent as complete bytes. the status byte consists of th e last command received (ms 4bits) and an error flag (ls 4bits). status byte [7:4]: four msbs of the fiel d contain an echo of the command received in the last request frame. status byte [3:0]: four lsbs of the field contain st atus information in encoded form. figure 2-16. the write user memory sequence table 2-17. write user memory (request frame) field size values description command id 4 + 4 bits 0101b + 1111 crc read user memory data payload 16 bits + 1 to 4 bytes + 8 bits eeprom address + data lock crc 1 byte calculate table 2-18. write user memory (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte status status byte crc 1 byte calculate 0101b (4 bits) 0xfe (1 byte) status (4+4 bits) 1 byte eeprom address (16 bits) +data (8 to 32 bits) + lock (8 bits) preamble header data payload crc command id data payload crc 1 byte from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
23 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.10 write memory access protection this command protects only the ap1, ap2, ap3 sections from being overwritten through transponder memory access commands (lf field commands). once protection has been applied, it is not removed (sending 00b does not clear the locks). the request frame data block consists of binary 00+ap3+ap2+ ap1 to create one byte. to lock each section the command transmits b11 in that section and b00 if section locking is not required (ex. 00110011 locks ap3 and ap1 and leaves section ap2 unlocked). the use of two bits for each memory section pr otects against accidental locking due to one-bit corruption. the status byte consists of the last command re ceived (ms 4 bits) and an error flag (ls 4 bits). status byte [7:4]: four msbs of the field contain an echo of the command received in the last r equest frame. status byte [3:0]: four lsbs of the field contain status information in encoded form. figure 2-17. the write memory access protection sequence table 2-19. write memory access protection (request frame) field size values description command id 4 + 4 bits 0110b + 1010 crc write memory access protection data payload 1 byte protection scheme crc 1 byte calculate table 2-20. write memory access protection (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte status status byte crc 1 byte calculate 0110b (4 bits) 0xfe (1 byte) status (4+4 bits) 1 byte preamble header data payload crc command id data payload crc 1 byte 1 byte from basestation request frame response frame from transponder crc (4 bits) t rxdata_max t txdata_max www.datasheet.co.kr datasheet pdf - http://www..net/
24 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 2.9.11 leave enhanced mode this command will clear the enhanced mode flag from eeprom. if the transponder receives the command ?leave enhanced mode? , the internal power switch inside the transponder front end will be enabled. if the lf field is active the internal power management will switch automatica lly to the field supplied mode. this will then generate a power on reset and t he immobilizer firmware will be executed. 2.10 communication integrity and error mitigation the commands are protected from trans mission channel corruption by the use of a crc nibble. this prevents accidental processing of an unintended command due to bit corruption. the data can be protected through a second crc byte. this is true for communication in both the uplink and downlink direction. the use of this fast detection of bit level corruption allows a hi ghly efficient retry strategy to be implemented. when this is combined with the repeat last response command, uplink errors can be quickly and automatic ally mitigated. the following is suggested as means of progressive retries for downlink errors: error detected on downlink communication due to error signal response request status byte to determine the cause of error resend downlink request if error was due to failed downlink crc if error still persists, reset transponder comp letely via command or removing of lf field the following is suggested as a means of progressive retries for uplink errors: error detected on uplink communication via failed crc check request repeat transmission wit h repeat last response command if error still occurs, r epeat complete communication by resendi ng the desired command request frame if error still persists, reset transponder comp letely via command or removing of lf field table 2-21. leave enhanced mode (request frame) field size values description command id 4 + 4 bits 1010b + 1101b crc leave enhanced mode data payload n/a crc n/a table 2-22. leave enhanced mode (response frame) field size values description preamble header 1 byte 0xfe synchronization data payload 1 byte status [7:4] previous command [3:0] encoded error info crc 1 byte calculate www.datasheet.co.kr datasheet pdf - http://www..net/
25 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3. immobilizer functionality this section describes the steps required to implement the immobilizer system functi onality. this functionality can be achieved in the base station and vehicl e controller by using features and commands provided by atmel ? . the following sections recommend how this can be achieved. 3.1 authentication the heart of the vehicle immobilizer is the ability to identify th e user as authorized to start the vehicle. there are many dif ferent authentication schemes. each has different affects on response time and security. in order to provide the customer with a wide array of options, atmel has developed a command and feature set that provides a high level of configurable authentication options including the choice of either uni lateral or bilateral means of authentication. 3.1.1 unilateral authentication unilateral authentication is a st rategy where authentication is performed by only one entity in the syst em. the other entity si mply responds to any command that it receives. in the case of a v ehicle immobilizer system, the vehicle attempts to verify the ident ity of the key fob. the benefit of this approach is that a high level of security can be achieved without sacrificing system respon se time. unilateral authentication should be initiated by the base station and conform to the following sequence: 1. the base station sends the lf request ?read uid?. 2. the transponder responds by providing the 32-bit uid in its ?response frame?. 3. the base station then sends the ?start authentication? request which includes a random number ?challenge?. 4. the transponder returns an ?encrypted response? message to the base station. notes: 1. the ?challenge? will use bit length defin ed by configuration memory address 0x0819. 2. the secret key can be either key1 or key2 as defined by configuration memory address 0x0815 bit 5. 3. the ?response? will use bit length defined by configuration memory address 0x081a. 4. when necessary for encryption, the challenge will be exte nded by first padding the upper bit positions with the 32-bit uid, then with ?0?s as needed, and in this order, to attain 128 bits. a graphical example is shown in figure 3-1 on page 26 . www.datasheet.co.kr datasheet pdf - http://www..net/
26 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 figure 3-1. unilateral au thentication protocol 3.1.1.1 read uid the read uid command has been optimized to enhance the speed of the authentication. the reques t from the vehicle consists only of 8bits. the response contains a 32-bit unique serial nu mber that can be used for rough authentication to determine if th is key is potentially paired with the vehicle. 3.1.1.2 start authentication the encrypted authentication is initiat ed with the start auth entication request that provi des the challenge data. atmel ? recommends choosing 100 or 128 bits for the challenge length. the encrypted response should be chosen as 56 or 80 bits respectively. the reason for these choices would be to achieve a high level of security while optimizing the speed for the enti re communication. the total number of bits tr ansferred is 188 and 240 respectively. this works out to a bit security level of 50 a nd 64 bits for these two options. the attacker would need to attemp t more than one trillion trials to break the security. the 128 bi t secret key that is used can be chosen from one of two possible locations. id memory key memory key memory id id n y n y challenge response aes-128 encryption challenge response lf-field on read uid stop stop valid = car key ok? random number aes-128 encryption detection header (optional) 4-bit command + 4-bit crc 8-bit header + 32-bit id + 8-bit crc 8-bit command + n challenge bits + 8-bit crc 8-bit header + m response bits + 8-bit crc ok, it is the right key start authentication command read uid command www.datasheet.co.kr datasheet pdf - http://www..net/
27 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3.1.2 bilateral authentication bilateral authenti cation is a strategy where authentication is performed by both entities in th e system. each side attempts to ensure that they are only communicating with an approved a nd previously paired system entity. in the case of a vehicle immobilizer system, the transponder first veri fies that the vehicle is approved. once this has been established, the transponde r provides the means for the vehicle to verify that the transponder is approved. the benefi t of this approach is that a mutually secure system can be achieved within a reasonable system response time. it also provides the transponder a way to detect and defeat attacks from ?unapproved? base stations. bilateral authentication shall be initiated by the base station and conform to the following sequence: 1. the base station shall send the lf command ?read uid?. 2. the transponder shall respond by providing the 32-bit uid in its ?response frame?. 3. the base station shall send the lf command ?start auth entication? which includes a random number ?challenge? followed by an aes encrypted version of the ?c hallenge? using one of its two secret keys. 4. the transponder will check the ?encrypt ed challenge? to verify it matches the transponder's calculated value for ?encrypted challenge? (using the same secret key that created the ?encrypted challenge? in the base station). 5. the transponder will create an ?encrypted response? if the verification in step 4 was successful. it will use the full 128-bit ?encrypted challenge? not just the subset sent from the base station and the other of the two secret keys as aes block cipher inputs to form the encrypted ?response?. 6. the base station will compare transponder's ?encrypted response? with its calculated value for encrypted ?response? following the same process used in step 5. if they match, bilateral authentication was successful. notes: 1. the ?challenge? will use bit length defin ed by configuration memory address 0x0819. 2. the initial secret key can be either key1 or key2 as defined by configuration memory address 0x0815 bit 5. 3. the ?encrypted challenge? and ?encrypted response? will have bit length defined by configuration memory address 0x081a. 4. the other secret key will be used to create the ?encrypted response?. 5. when necessary, inputs for calculating the ?encrypted ch allenge? and ?encrypted response? will be extended by first padding the upper bit positions with the 32-bit uid, then with "0"'s as needed, and in this order, to attain 128bits. a visual representation is noted in figure 3-2 on page 28 . www.datasheet.co.kr datasheet pdf - http://www..net/
28 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 figure 3-2. authentication ba 3.1.3 read uid the read uid command has been optimized to enhance the speed of the authentication. the reques t from the vehicle consists only of 8bits. the response contains a 32-bit unique serial nu mber that can be used for rough authentication to determine if th is key is potentially paired with the vehicle. 3.1.4 start authentication the start authentication command begins with sending a challenge followed by the output of an encryption of this challenge with an initial secret key. this ?encrypted challenge? serves to authenticate the vehicle identit y to the transponder and prove that the vehicle is a valid partner with whom the transponder ca n communicate. the lengths of bo th of these are adjustable in the configuration options but atmel recommend s that a challenge length of 100 bits and encrypted challenge of 56 bits. if this fails, the transponder simply sends an error signal back. in the case of a successful vehicle aut hentication, the transponder would calculate the response to the vehicle using the hidden challe nge and the remaining secret key. this is the same length as the ?encrypted challenge? and we recommend this be set to 56 bits. this response can be evaluated by the vehicle to determine authent icity of the transponder. the to tal number of bits transferre d is 244 and provides a bit security level of 50. this approach also is strengthened by the use of two separate 128-bit secret ke ys. each secret key protects one directio n of authentication meaning that compro mising one secret key does not break the complete bilateral authentication protocol. aes-128 encryption aes-128 encryption key 1 memory id memory key 2 memory challenge random number id n y n y stop aes-128 encryption aes-128 encryption key 1 memory key 2 memory challenge detection header (optional) 4-bit command + 4-bit crc 8-bit header + 32-bit id + 8-bit crc 8-bit command + n bit rand n + m bit (rand n) aes + 8-bit crc 8-bit header + m bit (response) aes + 8-bit crc lf-field on id read uid stop valid = = key car read uid command hidden challenge (hch) expanded to 128 bits hidden challenge (hch) expanded to 128 bits ok, it is the right key, car and key match ok, it is the right car, continue start authentication command www.datasheet.co.kr datasheet pdf - http://www..net/
29 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3.1.5 hidden challenge another aspect of this protocol is the us e of a "hidden" challenge as the input to the second encryption stage. the reason this is considered ?hidden? is that only a portion of this value is ever transmitted over the wireless interface. using the recommended values from above, we see that the input to the second encrypti on block contains the 56 bit ?encrypted challenge? that was used to determine the authenticity of the vehicle. while this value was sent over the air and could be recorded, the second encryption block requires that the complete 128-bit output of the first encryption be known precisely. since only 56 bits could be captured, this leaves 72 bits that are "h idden" from the attacker but are critical to producing the correct output. through this scheme we are able to allow a truncated initial challenge to be expanded to a full 128-bit aes operation when producing the response used to validate the transponder i dentity. this final step is w hat protects against unauthor ized vehicle starts and ou r system provides maximum protection in this area. 3.2 memory access general purpose memory is a very important part of an immo bilizer system. atmel has provid ed a large eeprom section in hardware and a very efficient means of accessing this through lf commands. the block size for access is flexible and allows the end system designer to build structures that are optimized for the dat a content. the only areas that are not accessed through the memory commands are the ap0 section used for secret ke ys and the default secret key stored in eeprom page 2. all other memories providing an interf ace for the vehicle to interact with the app lication functionality can be accessed. fo r example, the vehicle could resynchronize with the rke rolling code counter, read out user specific information, or store diagnostic trouble codes. for higher security, if the transponder is configured to us e bilateral authentication, an authentication session must be successfully accomplished before any memory access command is possible. 3.2.1 read memory to read user memory only requ ires that the starting a ddress and the number of bytes requested are provided. this allows block sizes from one to sixteen bytes to be accessed from the trans ponder non-volatile memory. the memory is accessed and the data returned starting with the first address and incrementing sequentially until all bytes are sent. the flexibility of this command means it ca n be used for many functions that would normally require a dedicated lf command. examples of this are shown in other sections of this document. figure 3-3. read memory address (16b) address (16b) length (8b) 1 eeprom 2 l length (8b) user memory byte(s) user memory byte(s) read user memory read user memory lf-field on key car detection header (optional) 8-bit command + 16-bit address + 8-bit length + 8-bit crc 8-bit header + data requested + 8-bit crc read user memory command must not be located in api or default key www.datasheet.co.kr datasheet pdf - http://www..net/
30 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3.2.2 write memory writing data into the memory requires th e starting address to be provided followed by the number of data bytes to be stored. the length of this block is limited to four bytes (128 bytes in enhanced mode) and must always be sent as full 8-bit multiples. before the memory location is wr itten, the firmware checks to see if access prot ection applies and determine if this command is allowed. only if these c hecks are successful is the data written into eeprom. figure 3-4. write memory address (16b) address (16b) 1 eeprom 2 n address protected? data 1 (8b) data 2 (8b) data n (8b) data 1 (8b) data 2 (8b) data n (8b) status response (pass/fail/locked) status response (pass/fail/locked) write user memory write user memory yes lf-field on key car detection header (optional) 8-bit command + 16-bit address + 8-bit length + data contents + 8-bit crc 8-bit header + 8-bit status + 8-bit crc write user memory command address should be less than ap0 www.datasheet.co.kr datasheet pdf - http://www..net/
31 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3.2.3 memory protection memory protection provides a means to prevent eeprom data from being modified by future lf commands. once this protection is applied, it cannot be re moved by a subsequent lf comm and. the protection applies to a complete section of eeprom. there are three such sections th at can be used. they are defined as the ap1, ap2, and ap3 portions of eeprom and contain 128 bytes in each section. one example of this mi ght be a block of manufacturing process information programmed into ap1 and locked so that this cannot be modified by lf co mmands. this allows a returned device to be traced back through the precise manufacturing chain. the locking feature is implemented in firmware and does not co ntain any hardware components. t he protection applies to the reaction to lf commands received by the immobilizer. the write memory access protection command requires only one byte with the protection to be assigned to each section. two bits are used for each memory section to a dd extra protection against false locking scena rios. both bits must be set to logical one for the protection to be invoked. all unused locations sh ould be set to logic zero which do not change the protection currently invoked. figure 3-5. write memory protection note: only when the lock bits are set ?11? will be written to eeprom. lock bits set to ?00? will not clear alread y set bits, i.e. xor with current eeprom data. 3.2.4 memory encryption encryption of the data is not provided through a special comm and or the immobilizer firmware. with the hardware encryption block, the need for this functionality can be implemented before t he data is placed in the non-volatile memory by the applicati on or before it is sent from the base statio n. memory encryption can be easily decrypted by the application before it is used. for example, a rolling code counter can be encr ypted and stored in memory. each time th is is needed, the application decrypts it, uses the counter, increments it , encrypts the new count, and t hen stores this back in memory. eeprom lock bit address lock bits status response (pass/fail) write memory protection status response (pass/fail) lf-field on key car detection header (optional) 8 bit command + 8 bit protection + 8 bit crc 8 bit header + 8 bit status + 8 bit crc 00 (2b) ap1 (2b) ap2 (2b) ap3 (2b) 00 (2b) ap1 (2b) ap2 (2b) ap3 (2b) write memory protection write memory access protection command www.datasheet.co.kr datasheet pdf - http://www..net/
32 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3.3 identification one of the primary goals of the immobilizer is to establish the verified identity of the user. the firmware provided by atmel ? offers many identification op tions that allow the system to be optimized. the fo llowing sections describe how the fixed identification aspects can be used. it is possible to achieve cu stomized identification scenarios by using the memory access commands and custom block sizes as needed. 3.3.1 serial number the serial number is a fixed value programmed and locked by atmel during manufacturing. this value is a 32-bit, non- sequential, non-repeating number and is optimized for fast initial identification. a dedicated lf command (read uid) allows thi s value to be accessed prior to authenticatio n for a very rough screening of users. 3.3.2 atmel traceability atmel provides manufacture traceability from our process flow to directly identify a given device. this information is fixed an d locked at the end of our manufacture line. it provides very us eful information about the device and also uniquely associates th is with a physical die location on a wafer. each of the following piec es of information can be accessed individually or as a unit with the read memory command. device type: this contains information that specifies which atmel device this is lot number: this specifies the atmel facility and the production lot run t hat created this device wafer number: this designates the physical wafer in this lot die number: this locates the die on the wafer software rev: this indicates the firmware release version that is currently running www.datasheet.co.kr datasheet pdf - http://www..net/
33 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3.4 personalization personalization refers to the process of setting or resetting the initial parameters of the device. in the case of the immobili zer this involves pairing the transponder with the vehicle. the mo st common pairing scenario is the transfer of the secret key(s) from the vehicle to the transponder. other personalization pa rameters can be set through the use of the write memory command. these could be the initial roll code, application featur e configuration, vehicle vin, etc. the following section will look at the options possible for secret key transfer. 3.4.1 open key learn if the security of the key tran sfer can be ensured through physical or other se curity methods it may be desirable to send the secret key in plain text. the firmware can be configured to allow this and the following sequence would occur: the base station sends 128bits of secret key coding to be stored using the learn secret key command. the transponder stores the encoded key in the ap0 section of eeprom in key position 1 or 2. figure 3-6. open key learn 1/2 key memory key memory n y pass lf-field on stop = car key random number secret key secret key response (pass/fail) detection header (optional) 8-bit header + 8-bit status + 8-bit crc learn secret key (1 or 2) command 8-bit command + 128-bit key + 8-bit crc www.datasheet.co.kr datasheet pdf - http://www..net/
34 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 3.4.2 secure key learn because the encryption key protects the integrity of the auth entication process atmel has provided a means to transfer the secret key in an encrypted manner. this involves the use of the default secret key stored in eeprom page 2 and protects against eavesdropping by an attacker during key transfer. as a resu lt, secure implement ation of user -ini tiated personalization is possible where physical security cannot be ensured. the base station sends 128bits of data that have been encrypted using the default key stored in eeprom page 2. the transponder decodes this to produce the secret key to be stored. the transponder then stores the encoded key in t he ap0 section of eeprom in key position 1 or 2. figure 3-7. secure key learn key memory default key key memory default key n y pass aes-128 (dec.) lf-field on stop = car key random number encrypted key encrypted key secret key secret key response (pass/fail) aes-128 encryption detection header (optional) 8-bit header + 8-bit status + 8-bit crc learn secret key (1 or 2) command 8-bit command + (128-bit key) aes + 8-bit crc www.datasheet.co.kr datasheet pdf - http://www..net/
35 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 4. abbreviations fdx ? full duplex am ? amplitude modulation bcm ? body control module ecu ? electronic control unit bplm ? binary pulse length modulation qplm ? quad pulse length modulation por ? power on reset tic ? transmitter id code rke ? remote keyless entry dps ? damped phase synchronized vfld ? field voltage 5. absolute maximum ratings stress beyond those listed under ?absolute maximum ratings? may c ause permanent damage to the device. this is a stress rating o nly and functional operation of the device in these or any other co nditions beyond those indicated in the operational sections of t his specification is not intended. exposure to absolute maximum ra ting conditions for extended periods may affect device reliabilit y. parameters symbol value unit operating temperature range t amb ?40 to +85 c storage temperature range (data retention reduced) t amb ?40 to +125 c maximum assembly temperature, t < 5min t ass 170 c magnetic field strength at f = 125khz h pp 1000 a/m 6. operating characteristics t amb = +25c; f coil = 125khz; unless otherwise specified. no. parameters test conditions symbol min. typ. max. unit type* 1 inductance l tbd 2.38 tbd mh q 2.1 lc circuit h pp = 14.5a/m fr tbd 125 tbd khz t 2.2 h pp = 1.5a/m qlc tbd 20 tbd 1 t 3 max. field strength where tag does not modulate quiet mode h pp not - tbd tbd a/m q 4 min. field for modulation read mode h pp mod tbd tbd - a/m t 5 min. field for programming write mode h pp prog tbd tbd - a/m t 6 maximum field strength h pp max tbd a/m q *) type means: t: directly or indirectly tested during produ ction; q: guaranteed based on initial product qualification data www.datasheet.co.kr datasheet pdf - http://www..net/
36 atmel ATA5580 [pre liminary datasheet] 9254a?rfid?02/12 7. ordering information 8. package information table 7-1. ATA5580 ordering information ATA5580m nnn -tsmw package remarks 132 brick tag package ua, bplm, manchester, rf/32, 32b ch, 32b rs 156 brick tag package ua, bplm, manchester, rf/32, 100b ch, 56b rs 264 brick tag package ba, bplm, manchester, rf/32, 64b ch, 64b rs 256 brick tag package ba, bplm, manchester, rf/32, 100b ch, 56b rs 300 to 999 brick tag package customer defined product. must submit complete configuration memory map common dimensions (unit of measure = mm) package drawing contact: packagedrawings@atmel.com gpc symbol min nom max note 2.9 a 3 3.1 0.35 a3 0.4 0.45 11.9 d 12 12.1 5.9 e 6 6.1 drawing no. rev. title 6.549-5036.01-4 1 12/14/11 package: brick transponder , ATA5580 dimensions in mm specifications according to din technical drawings traseure ATA5580 orientation feature d e a3 a e www.datasheet.co.kr datasheet pdf - http://www..net/
atmel corporation 2325 orchard parkway san jose, ca 95131 usa tel: (+1) (408) 441-0311 fax: (+1) (408) 487-2600 www.atmel.com atmel asia limited unit 01-5 & 16, 19f bea tower, millennium city 5 418 kwun tong roa kwun tong, kowloon hong kong tel: (+852) 2245-6100 fax: (+852) 2722-1369 atmel munich gmbh business campus parkring 4 d-85748 garching b. munich germany tel: (+49) 89-31970-0 fax: (+49) 89-3194621 atmel japan g.k. 16f shin-osaki kangyo building 1-6-4 osaki shinagawa-ku, tokyo 141-0032 japan tel: (+81) (3) 6417-0300 fax: (+81) (3) 6417-0370 ? 2012 atmel corporation. all rights reserved. / rev.: 9254a?rfid?02/12 disclaimer: the information in this document is provided in connection with atmel products. no license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of atmel products. exc ept as set forth in the atmel terms and conditions of sales locat ed on the atmel website, atmel assumes no liability whatsoever and disclaims any express, implied or statutory warranty relating to its products including, but not li mited to, the implied warranty of merchantability, fitness for a particular purpose, or non-infringement. in no event shall atmel be liable for any d irect, indirect, consequential, punitive, special or incide ntal damages (including, without limitation, damages for loss and profits, business i nterruption, or loss of information) arising out of the us e or inability to use this document, even if at mel has been advised of the possibility of suc h damages. atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the ri ght to make changes to specifications and products descriptions at any time without notice. atmel does not make any commitment to update th e information contained herein. un less specifically provided oth erwise, atmel products are not suitable for, and shall not be used in, automotive applications. atmel products are not intended, authorized, or warranted for use as components in applications intend ed to support or sustain life. atmel ? , atmel logo and combinations thereof, avr ? and others are registered trademarks, enabling unlimited possibilities ? and others are trademarks of atmel corporation or its subsidiaries. other terms and product names may be trademarks of others. www.datasheet.co.kr datasheet pdf - http://www..net/


▲Up To Search▲   

 
Price & Availability of ATA5580

All Rights Reserved © IC-ON-LINE 2003 - 2022  
[Add Bookmark] [Contact Us] [Link exchange] [Privacy policy]
Mirror Sites :  [www.datasheet.hk]   [www.maxim4u.com]  [www.ic-on-line.cn] [www.ic-on-line.com] [www.ic-on-line.net] [www.alldatasheet.com.cn] [www.gdcy.com]  [www.gdcy.net]
 . . . . .
  We use cookies to deliver the best possible web experience and assist with our advertising efforts. By continuing to use this site, you consent to the use of cookies. For more information on cookies, please take a look at our Privacy Policy. X