loader. This action triggers several events that defeat tampering. First, the encryption key is instantaneously erased. Without the encryption key, the DS5003 can no longer decrypt the contents of the SRAM. Therefore, the application software can no longer be correctly executed, nor can it be read back in its true form by the bootstrap loader. Second, the vector RAM area is also instantaneously erased, so that the reset and vector information is lost. Third, the bootstrap loader firmware sequentially erases the encrypted SRAM area. Lastly, the loader creates and loads a new random key.

The security lock bit is constructed using a multiple-bit latch that is interlaced for self-destruction in the event of tampering. The lock is designed to set up a “domino effect” such that erasure of the bit results in an unstoppable sequence of events that clears critical data including encryption key and vector RAM. In addition, this bit is protected from probing by the top-coating feature.

Self-Destruct Input (SDI)

The self-destruct input (SDI) pin is an active-high input that is used to reset the security lock in response to a variety of user-defined external events. The SDI input is intended to be used with external tamper-detection circuitry. It can be activated with or without operating power applied to the VCC pin. Activation of the SDI pin instantly resets the security lock and causes the same sequence of events previously described for this action. In addition, power is momentarily removed from the byte-wide bus interface including the VCC pin, resulting in the loss of data in external SRAM.

Top-Layer Coating

The DS5003M is provided with a special top-layer coating that is designed to prevent a probe attack. This coating is implemented with second-layer metal added through special processing of the microcontroller die. This additional layer is not a simple sheet of metal, but rather a complex layout that is interwoven with power and ground, which are in turn connected to logic for the encryption key and the security lock. As a result, any attempt to remove the layer or probe through it results in the erasure of the security lock and/or the loss of encryption key bits.

Bootstrap Loading

Initial loading of application software into the DS5003 is performed by firmware within the on-chip bootstrap loader communicating with a PC by the on-chip serial port. Table 1 summarizes the commands accepted by the bootstrap loader.

When the bootstrap loader is invoked, portions of the 256-byte scratchpad RAM area are automatically overwritten with zeros and then used for variable storage for the bootstrap firmware. Also, a set of 8 bytes is generated using the random-number generator circuitry and saved as a potential word for the 64-bit encryption key.

Any read or write operation to the DS5003’s external program/data SRAM can only take place if the security lock bit is in a cleared state. Therefore, the first step in loading a program should be the clearing of the security lock bit through the U command.

Execution of certain bootstrap loader commands results in the loading of the newly generated 64-bit random number into the encryption key word. These commands are as follows:
Fill F
Load L
Dump D
Verify V
CRC C

Execution of the Fill and Load commands loads the encrypted data into SRAM using encryption keys from the newly generated key word. The subsequent execution of the Dump command within the same bootstrap session causes the contents of the encrypted SRAM to be read out and transmitted back to the host PC in decrypted form. Similarly, execution of the Verify command within the same bootstrap session causes the incoming absolute hex data to be compared against the true contents of the encrypted SRAM, and the CRC command returns the CRC value calculated from the true contents of the encrypted SRAM. As long as any of these commands are executed within the same bootstrap session, the loaded key value remains the same and the contents of the encrypted program/data SRAM can be read or written normally and freely until the security lock bit is set.

DS5003 Secure Microprocessor Chip

Table 1. Serial Bootstrap Loader Commands

COMMAND  FUNCTION
C        Return CRC-16 of the program/data SRAM.
D        Dump RAM memory specified by MSL bit as Intel hex format.
F        Fill program/data SRAM.
G        Get data from P0, P1, P2, and P3.
L        Load Intel hex file.
N        Set freshness seal—all program and data is lost.
P        Put data into P0, P1, P2, and P3.
R        Read status of SFRs (MCON, RPCTL, MSL).
T        Trace (echo) incoming Intel hex code.
U        Clear security lock.
V        Verify program/data memory with incoming Intel hex data.
W        Write special function registers (MCON, RPCTL, MSL).
Z        Set security lock.

When the security lock bit is set using the Z command, no further access to the true SRAM contents is possible using any bootstrap command or by any other means. A more extensive explanation of the serial loader operation can be found in the Secure Microcontroller User’s Guide (www.maxim-ic.com/SecureUG).

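The session-key and lock behaviour described in this section, together with the tamper response described earlier, as a small behavioural model. This is an added example, not code from the datasheet or Maxim firmware: the class and method names are hypothetical, the SHA-256 keystream is a stand-in for the chip's cipher (which this page does not describe), and every lock reset is modelled as erasing.

```python
import hashlib
import os


class DS5003Model:
    """Behavioural model only; the keystream is a stand-in, not the chip's cipher."""

    def __init__(self, size=64):
        self.sram = bytearray(size)                   # ciphertext held in external SRAM
        self.vector_ram = bytearray(b"\x02\x00\x30")  # constructed reset vector
        self.key = os.urandom(8)                      # 64-bit encryption key word
        self.pending = None                           # potential key for this session
        self.locked = False

    def _crypt(self, addr, byte):
        # Stand-in address-dependent keystream (assumption; XOR is its own inverse).
        pad = hashlib.sha256(self.key + addr.to_bytes(2, "big")).digest()[0]
        return byte ^ pad

    def enter_loader(self):
        # Invoking the loader generates 8 random bytes as a potential key.
        self.pending = os.urandom(8)

    def _sram_command(self):
        # SRAM access requires a cleared lock; F, L, D, V and C load the pending key.
        if self.locked:
            raise PermissionError("security lock set: no SRAM access")
        if self.pending is not None:
            self.key, self.pending = self.pending, None

    def load(self, image):  # L command
        self._sram_command()
        for addr, byte in enumerate(image):
            self.sram[addr] = self._crypt(addr, byte)

    def dump(self, length):  # D command
        self._sram_command()
        return bytes(self._crypt(a, self.sram[a]) for a in range(length))

    def set_lock(self):  # Z command
        self.locked = True

    def reset_lock(self):  # U command or SDI pin; modelled as unconditional
        # Key and vector RAM are erased, SRAM is erased, then a new random key is loaded.
        self.vector_ram = bytearray(len(self.vector_ram))
        self.sram = bytearray(len(self.sram))
        self.key = os.urandom(8)
        self.locked = False
```

In this model a Dump issued after a fresh `enter_loader()` loads a new key first, so it no longer returns the loaded image; this is why Load, Verify, CRC and the final Z belong in one bootstrap session.
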
Instruction Set

The DS5003 executes an instruction set that is object-code compatible with the industry-standard 8051 microcontroller. As a result, software development packages such as assemblers and compilers that have been written for the 8051 are compatible with the DS5003. A complete description of the instruction set and operation is provided in the Secure Microcontroller User’s Guide.

Memory Organization

Figure 10 illustrates the memory map accessed by the DS5003. The entire 64kB of program and 64kB of data are potentially available to the byte-wide bus. This preserves the I/O ports for application use. The user controls the portion of memory that is actually mapped to the byte-wide bus by selecting the program range and data range. Any area not mapped into the SRAM is reached by the expanded bus on ports 0 and 2. An alternate configuration allows dynamic partitioning of a 64kB space as shown in Figure 11. Selecting PES = 1 provides another 64kB of potential data storage or memory-mapped peripheral space as shown in Figure 12. These selections are made using special function registers. The memory map and its controls are covered in detail in the Secure Microcontroller User’s Guide.

Figure 10. Memory Map in Nonpartitionable Mode (PM = 1)
[Figure labels: program memory and data memory (MOVX), 0000h to FFFFh (64kB); program range, data range, NV RAM program, NV RAM data. Legend: byte-wide bus access (encrypted); expanded bus (ports 0 and 2); not available.]

Figure 13 illustrates a typical memory connection for a system using a 128kB SRAM. Note that in this configuration, both program and data are stored in a common SRAM chip. Figure 14 shows a similar system using two 32kB SRAMs. The byte-wide address bus connects to the SRAM address lines. The bidirectional byte-wide data bus connects to the data I/O lines of the SRAM.

Figure 11. Memory Map in Partitionable Mode (PM = 0)
[Figure labels: program memory and data memory (MOVX), 0000h to FFFFh; partition, NV RAM program, NV RAM data. Legend: NV RAM memory; expanded bus (ports 0 and 2); not available.]

DS5003FPM-16+
Manufacturer: Maxim Integrated
Description: Microprocessors - MPU Soft MCU Chip