Dummy Bus Access, Dummy BUS Access Timing ±3 | Mitsubishi DS5000TK

USER'S GUIDE

Dummy Bus Access

The Secure Microcontroller makes its memory contents obscure through encryption. Additional steps are also to prevent analysis of the bus activity by 8051±familiar hackers. Both the DS5000FP and DS5002FP insert dummy memory operations when possible. In the 8051 architecture, there are typically two identical memory accesses per instruction cycle, but most operations so nothing with the second program fetch. In the Secure Microcontroller, a pseudo±random address is gener- ated for the dummy cycle and this random memory address is actually fetched, but the dummy data is dis- carded. The order of the real and dummy accesses are

switched according to a pseudo±random process. This is repeatable so that the execution always appears the same. During these pseudo±random cycles, the RAM is to all appearance read. Thus by repeatedly switching between real and dummy access, it is impossible to dis- tinguish a dummy cycle from a real one. In analyzing bus activity, a large percentage of the memory fetches will be garbage that has no meaning. The dummy accesses are always performed on a DS5002FP, but are only used on a DS5000FP when encryption is enabled. Naturally, dummy accesses are always read operations since the dummy address might contain valid data.

DUMMY BUS ACCESS TIMING Figure 9±3

NON±ENCRYPTED MEMORY ACCESS

	SINGLE CYCLE INSTRUCTION		SINGLE CYCLE INSTRUCTION
ALE
CE1
BA14±0	PC	PC	PC+1	PC+1
BD7±0	CODE IN	CODE IN	CODE IN	CODE IN

ENCRYPTED MEMORY ACCESS WITH DUMMY FETCHES

	SINGLE CYCLE INSTRUCTION		SINGLE CYCLE INSTRUCTION
ALE
CE1
BA14±0	XXXXh	YYYYh	QQQQh	RRRRh
BD7±0	BYTE1 IN	BYTE2 IN	BYTE3 IN	BYTE4 IN

Either XXXX or YYYY is real but encrpted, the other is pseudo±random.

Either QQQQ or RRRR is real but encrypted, the other is pseudo±random.

Either Byte1 or Byte2 is used, the other is a dummy fetch and is not used. Both are encrypted.

Either Byte3 or Byte4 is used, the other is a dummy fetch and is not used. Both are encrypted.

050396 76/173

77

Image 77

Mitsubishi DS5000TK, DS907x SIP manual Dummy Bus Access, Dummy BUS Access Timing ±3

Contents

Table of Contents Separate ADDRESS/DATA BUS IntroductionSoftware Security IN±SYSTEM Loading Large Nonvolatile MemoryHigh Reliability Operation Module Description ON±BOARD Memory Package DS5000FP Soft Microprocessor Chip Product DescriptionDS5000T Soft Microcontroller Module DS2250T Soft Microcontroller Module DS2252T Secure Microcontroller Module DS2251T 128K Soft Microcontroller ModuleDS5002FP Secure Microprocessor Chip Chip Description Maximum Speed Part Number Selection GuideModule Description Speed Clock Part Number Secure Microcontroller Architecture Secure Microcontroller Architectural Block Diagram Figure Parallel I/O Timed Access LogicProgram/Data RAM Interface High±Reliability Circuitry Resident Loader ROM Watchdog Timer Secure Microcontroller Memory Organization Programmers GuideSecure Microcontroller Memory MAP ±1 Internal Registers Scratchpad Register MAP ±2 Bank Starting Address R0 Program and Data MemoryPSW.4±3 R1±R0 Register Bank Select Important Application Note DS5000 Series Memory Organization Overrides the condition of the EA pin as well DS5000 Series Memory MAP ±3Memory map. The first is the EA pin. The second is PA3 DS5000 Memory Map ControlDS5000 Series Mcon Register ±4 Bit Description MCON.3 DS5001/DS5002 Memory OrganizationRA32/8 MCON.2 ECE2 PA3 PA2 PA1 PA0 Partition BYTE±WIDE BUS Memory MAP RG1 RG0 Range CE1 Access CE2 Access Partitionable Memory MAP for DS5001/DS5002 Series ±5 Msel RG1 RG0 Program Data Program Access Data AccessCE1 CE3 CE4 CE1 CE2 CE3 DS5001/DS5002 Memory Mapped Peripherals NON±PARTITIONABLE Memory MAP for DS5001, DS5002 Series ±6 DS5001/DS5002 Memory Map Control Peripheral Enables in the Data Memory MAP ±7 PA3 PA2 PA1 PA0 RG1 PES DS5001/DS5002 Series Mcon Register ±8MCON.3 RG1 MCON.2 PES RPCTL.5 Exbs Loading and Reloading Program MemoryRPCTL.4 RPCTL.0 RG0 050396 23/173 Reloading Portions of a DS5000 Series Device ±10 Soft Reload of a DS5001/DS5002 Reloading a DS5001/DS5002 Series Device ±11 Special Function Registers ECE2 DS5000 Series Special Function Register MAP ±12 CRC DS5001/DS5002 Series Special Function Register MAP ±13 Label Pcon Register Address 087H Power Control Register PCON.2 EWT PCON.3EPFWPCON.1 Stop PCON.0 IDL Label Tcon Register Address 088H Timer Control Register Label Tmod Register Address 089H Timer Mode RegisterTCON.0 IT0 Gate LabelSCON Register Address 098H Serial Control Register LabelIE Register Address 0A8H Interrupt Enable RegisterSCON.0 ET1 LabelIP Register Address 0B8H Interrupt Priority Register Label CRC Register Address 0C1H DS5001 CRC RegisterRNGE3±0 CRC.1 MDM LabelMCON Register Address 0C6H DS5000 Memory Control RegisterPA3 PA2 PA1 PA0 RA32/8 MCON.0 DS5001 Mcon RegisterLabel Mcon Register Address 0C6H Accessed by Movx instructions on the Byte±wide bus LabelPSW Register Address 0D0H Program Status Word Register Label Rpctl Register Address 0D8H DS5001/DS5002 RPC Control RegisterRPCTL.7 RNR RPCTL.3 IBI Label RPS Register Address 0DAH DS5001/DS5002 RPC Status RegisterRPCTL.1 Rpcon IA0 IBF RPS.1RPS.0 OBF Addressing Modes Instruction SETADD A, R4 Setb 00H Addressing ±20 Branch to the location PC+2 ±Acall 100H Call to the subroutine at Address Flags Instruction OV AC Instructions That Affect Flag SettingsProgram Status Flags Recommended SRAMs for USE with Soft Microcontrollers ±1 Memory InterconnectData Reten Part Tion Current RAM Size Vendor 25C 40C 70C Memory Interconnect of the DS5000FP ±1 DS5000 Series Module Block Diagram ±2 Memory Interconnect of the Partitionable DS5001/DS5002 ±3 Óóóóóóóóó Ó Óóóóóóóó 52 14Ó GND Memory Interconnect Using the 128K Sram ±5 DS2251T±128 Block Diagram ±6 Ôôôôôô DS2252T±32 Block Diagram ±7 Data Retention LITHIUM/BATTERY BackupBattery Backed Circuits Battery Attach Procedure Power Supply Slew Rate ±1Battery Lifetime Battery attached 2400 + 75 * 10±9 * 24 21.68 * 10±3 54 * 10±3180 * 10±3 Freshness Seal Lithium Battery Usage Idle Mode Power ManagementCONTROL/STATUS Bits for Power Control ±1 Bit Description ªPower On Resetº Mode Program ALE Psen Memory Stop ModePIN States in IDLE/STOP Modes ±1 PCON.3 Epfw Voltage Monitoring Circuitry Secure Microcontroller Power Cycling Timing ±2 Total Power Failure Power Fail InterruptPartial Power Failures Vpfw threshold is above the specified minimum Reset Vector Secure Microcontroller Power Management ±3 Software Control Timed AccessTimed Access ±1 BIT Name Micro Version Location Description Timed Access Protected Control Bits ±1 050396 66/173 IP.7 Watchdog Timer ±20C7H, #055H 2nd TA Value CRC Memory Verification Watchdog Timer Control Bits Range 3±0 DS5001 CRC Register Address 0C1hCRC.1 CRC.0 This routine tests the CRC±16 circuit in the DS5001FP CRC Code Example ±3 Firmware Security FeatureSecurity Overview DS5001 DS5000 DS5002 Encrypted Memory Security LockRAM Memory DS5002 Software Encryption Block Diagram ±2 DS5000 Software Encryption Block Diagram ±1 050396 74/173 Encryption Key Selection and Loading Encryption AlgorithmEncryption Key Dummy BUS Access Timing ±3 Dummy Bus Access Self±Destruct Input On±chip Vector RAMMicroprobe/Die Top Coating Random Number Generator DS5001FP / DS2251T Security Summary by PartDS5000FP / DS5000T / DS2250T Application Advanced Security Techniques Tamper Protection Change CodeExternal Circuits Reset Status Bits ±1 Reset ConditionsReset Sources Register Special Function Register Reset States ±1Reset Condition Reset Type Chanical and some time is required to get the mass Power On ResetPower on Reset Timing ±2 Watchdog Timer Reset No±VLI Power On ResetExternal Reset Memory Map Application Reset Routine ExampleMemory Interrupts TIMERS/SERIAL Protection Timed ± DS5000 only Interrupts Tively. Shown here is an example of Timer and Serial TimersMicroprocessor disables timer activity excluding Protection Interrupts Interrupt Source Enable BIT LocationInterrupt Sources Interrupt Source Vector Address Flag Flag Location Power±fail Warning Interrupt Timer InterruptsMachine cycle when the interrupts are enabled. INT0 is External Interrupts Interrupt Request Sources ±1 Simulated Interrupts EX0 Interrupt Enable Control Bits ±2 Bit DescriptionET0 Interrupt Priority Control Bits ±3 Bit Description Interrupt PrioritiesPriority Flag Interrupt Source IP.4 Flag Vector Address Interrupt Source Interrupt AcknowledgeInterrupt Acknowledge Sequence ±4 050396 94/173 Port 0 Functional Circuitry ±1 Parallel I/O OverviewPIN Name Function Port 2 Functional Circuitry Port 1 Functional Circuitry Output Functions Port 3 Functional Circuitry Input Function Parallel Port Output Buffers Ports 1, 2, and 3 ±2 Reprogrammable Peripheral Controller RPC READ±MODIFY±WRITE InstructionsMnemonic Description Port 0 D0±7 USE of the RPC Mode ±4 USE of the RPC Mode ±3Command RPC Interrupts ST7 ST6 ST5 ST4 IAO IBF OBF RPC Status Register ± Status Address 0DAH ±5 DMA Operation RPC ProtocolDbbout 103 RPC Control Register ± Rpctl Address 0D8H ±6 Port 2 becomes the control signals as shown in ±3RNR Exbs IBI DMA Rpcon RG0 Rpcon bit is set Tmod Register Control BIT Summary ±1 Bit Description Programmable Timers Functional DescriptionTMOD.6 Timer TMOD.2 Timer TMOD.1, TMOD.0 Tcon Register CONTROL/STATUS Bits ±2TMOD.5, TMOD.4 Mode TIMER/COUNTER Mode 0 and 1 Operation ±3Scribed for TR0, TF0, and INT0 107 108 TIMER/COUNTER Mode 2 Operation ±4 109 Timer 0 Mode 3 Operation ±5 Serial I/O Function Description Mode SYNC/ASYNC Baud ClockSerial Port Operating Modes ±1 START/STOP Mode Sync Bits CLK Async Timer 1 Overflow Mode Function Word Length PeriodSerial Port Control Register ±1 Bit Description ªXmit Bit 8º SCON.1 SCON.2 RB8SCON.0 Baud Rate Generation Synchronous Operation Mode Timer 1 Baud Rate Generation ±2Smod Timer TH1 Baud Rate BPS 114 115 Mode 0 Block Diagram and Timing ±2 116 Asynchronous Operation 117 Mode 2Smod BRG Clock 118 Serial Port Mode 1 Block Diagram ±3 119 MODE2 and 3 Block Diagram ±4 Serial I/O Operating Modes Mode Function Word Length Baud ClockApplication Serial Port Initialization TB8 RB8 SM0 SM1 SM2 RENET1 EX1 ET0 EX0 PT1 PX1 PT0 PX0 IE1 IT1 IE0 Smod POR PFW WTR Epfw EWT Stop IDLTF1 TR1 TF0 TR0 123 Crystal Connection ±1 CPU Timing OscillatorClock Source Input ±2 XTAL1 125 Instruction Timing 126 BYTE±WIDE RAM Instruction Execution Timing ±3Expanded Program Memory Timing 127 Expanded Program Memory Fetch ±4 128 Expanded Data Memory Read ±5Expanded Data Memory Write ±6 129 Expanded Data Memory TimingComplete RD cycle, including activation of ALE and RD Program Loading Introduction Invoking the Bootstrap LoaderDS5000FP DS5001/2FP 130 DS5001/DS5002 Series DS5000 SeriesExiting the Loader 131 MODEM=1 PROG=0 132 133 Serial Program Load ModeSerial Load Configuration ±2 Baud Rate AUTO±BAUD Rate DetectionCrystal Freq MHz 300 1200 2400 57600 Command Line Interface Bootstrap Loader InitializationCommand Line Syntax Command Function Version Begin±address end±address Command Summaries→ 000AH AB → 00ABH ABC → 0ABCH Abcd → 0ABCDH Abcde → 0BCDEH Byte±1 byte±2 byte±3 byte±4 byte±5 Byte begin±address end±addressByte P0 value P1 value P2 value P3 value CRC/MCON/MSL/RPCTL byte Xon/XoffMcon MSL Eextarg Error Messages EargreqEillcmd Eillopt 140 Intel HEX File Format Parallel Program Load Operation Parallel Program Load Configuration ±3Parallel Program Load Cycles ±4 141 Mode RST Psen Prog Parallel Program Load Mode8751±COMPATIBLE Program Load Cycles ±3 P2.7 P2.6 P2.5 Parallel Programming Concerns RPC Program Mode OperationPulses specified, each with a low time of 90 to 143 REAL±TIME Clock DS5000T/DS2250T Functional Block Diagram ±1DS1215 Phantom Time Chip 144 145 146 Pattern Comparison Register Description ±2 147 DS1215 Register Entry Flowchart ±3 Registers DS1215 Time Registers Description ±4Special Bits 148 149 Time Register Examples ±5 150 DS1283 Watchdog Timekeeper Chip 151 DS2251T/DS2252T RTC Block Diagram ±6Memory MAP 152 DS1283 REAL±TIME Clock Memory MAP ±7 DS1283 REAL±TIME Clock Command Register ±8 Alarm Condition Alarm Maskbit Operation ±9DS1283 RTC Interrupts Mask 155 Application Using the DS5000T RTC DS1215 Example 156 Wbyte 157 RET 158 159 Application Using the DS2251T RTC DS1283 Example 160 161 162 163 Unexplained Device Resets TroubleshootingRAM Loses Data When Powered Down Time Microcontroller Reads the Wrong Time Program will not Execute Unable to Invoke Stop ModeSerial Port does not Work Data is Lost or Corrupted High Current Drain in Stop ModeINT0 is Stuck LOW on DS2252T DS5000TK KIT does not Respond to KIT5K Software DOS Mnemonic Instruction Code HEX Byte Cycle Explanation Instruction SET Details CLR a CPL a DA a RLC a RL aRR a RRC a Mnemonic Instruction Code HEX Byte Setb bit Bit = CLR bit Bit =CPL bit Bit = bit ANL C, bit = C and bit Dptr RETReti NOP