Atmel AT88SA10HS [DATASHEET] 16
8595HCRYPTO9/2012
6.4 Read
Reads 4 bytes from Fuse or ROM; returns an error if an attempt is made to read any fuse or ROM location which is illegal.
Table 6-8. Input Parameters
Field   Name     Size  Notes
Opcode  Read     1     0x02
Param1  Mode     1     Fuse or ROM.
Param2  Address  2     Which 4 bytes within array. Only bits zero and one are used; all others must be zeros.
Data    Ignored  0

Table 6-9. Output Parameters
Name      Size  Notes
Contents  4     The contents of the specified memory location.

Table 6-10. Mode Encoding
Name  Value  Notes
ROM   0x00   Reads four bytes from the ROM. Bit one of the address parameter must be zero.
Fuse  0x01   Reads the value of 32 fuses. Bit one of the address parameter must be one.
6.5 GenPersonalizationKey
Loads a personalization key into internal memory and then uses that key along with an input seed to generate a decryption
digest using SHA-256. Neither the key nor the decryption digest can be read from the chip. Upon completion, an internal bit is
set indicating that a secure personalization digest has been loaded and is ready for use by the BurnSecure command. This bit
is cleared (and the digest lost) when the watchdog timer expires or the power is cycled.
This command will fail if Fuse[87] has been burned.
Table 6-11. Input Parameters
Field   Name     Size  Notes
Opcode  GenPers  1     0x20
Param1  Zero     1     Must be 0x00.
Param2  KeyID    2     Identification number of the personalization key to be loaded.
Data    Seed     16    Seed for digest generation. The least significant bit of the last byte is ignored by AT88SA10HS.

Table 6-12. Output Parameters
Name     Size  Notes
Success  1     Upon successful execution, a value of 0 will be returned by Atmel AT88SA10HS.

The SHA-256 message body used to create the resulting digest internally stored in the chip consists of the following 512 bits:
256 bits  PersonalizeKey[KeyID]
64 bits   Fixed value of all ones
127 bits  Seed from input stream
1 bit     ‘1’ pad
64 bits   Length of message in bits, fixed at 447
6.6 BurnSecure
Burns any combination of the first 88 fuse bits. Verification that the proper secret fuse bits have been burned must occur using
the MAC command; there is no way to read the values in the first 64 fuses to verify their state. The 24 status fuses can be
verified with the Read command.
The fuses to be burned are specified by the 88-bit input map parameter. If a bit in the map is set to a ‘1’, then the
corresponding fuse is burned. If a bit in the map parameter is zero, then the corresponding fuse is left in its current state. The
first bit sent to AT88SA10HS corresponds to Fuse[0] and so on up to Fuse[87].
Note: Since a ‘1’ bit in the map parameter results in a ‘0’ data value in the actual fuse array, the value in the Map
parameter should be the inverse of the desired secret or status value. See Section 1.2 for more details.
To facilitate secure personalization of the AT88SA10HS, this map may be encrypted before being sent to the chip. If this mode
is desired, then the Decrypt parameter should be set to one in the input parameter list. The decryption (transport) key is
computed by the GenPersonalizationKey command, which must have been run immediately prior to the execution of
BurnSecure. In this case, prior to burning any fuses, the input Map parameter is XOR’d with the first 88 bits of that digest from
the GenPersonalizationKey command. The GenPersonalizationKey and BurnSecure commands must be run within a single
Wake cycle prior to the expiration of the watchdog timer.
The power supply pin must meet the VBURN specification during the entire BurnSecure command in order to burn fuses reliably.
If VCC is greater than or equal to 3.7V, then the BurnTime parameter should be set to 0x00 and the internal burn time will be
250µs. If VCC is less than 3.7V but greater than VBURN then the BurnTime parameter should be set to 0xFFFF and the internal
burn time will be 262ms per fuse bit burned. The chip does not internally check the supply voltage level.
The total BurnSecure execution delay is directly proportional to the total number of fuses being burned. If VCC is less than
3.7V, then the total BurnSecure execution time may exceed the interval remaining before the expiration of the watchdog timer.
In this case, the BurnSecure command should be run repeatedly, with each repetition burning only as many fuses as there is
time available. The system software is responsible for counting the number of ‘1’ bits in the clear-text version of the map
parameter sent to the chip; no error is returned if the fuse burn count is too high. Other than Fuse[87] (see below), the fuses
may be burned in any order.
Prior to execution of BurnSecure, AT88SA10HS verifies that Fuse[87] is un-burned. If it has been burned, then the
BurnSecure command will return an error. Fuse[87] must be burned during the last repetition of BurnSecure as it cannot be
individually burned with BurnFuse.
There are a series of very small intervals during tEXEC_SECURE when the fuse element is actually being burned. During this
interval, the power supply must not be removed and the watchdog timer must not be allowed to expire, or the fuse may end up
in a state where it reads as un-burned but cannot be burned.
Table 6-13. Input Parameters
Field   Name        Size  Notes
Opcode  BURNSECURE  1     0x10
Param1  Decrypt     1     If 1, decrypt Map data before usage. If 0, the map is transmitted in plain text.
Param2  BurnTime    2     Must be 0x0000 if VCC >= 3.7 V; must be 0xFFFF otherwise.
Data    Map         11    Which fuses to burn, may be encrypted.

Table 6-14. Output Parameters
Name     Size  Notes
Success  1     Upon successful execution, a value of zero will be returned by AT88SA10HS.

This command takes a constant time to execute regardless of the number of fuses being burned.
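
The GenPersonalizationKey digest and the BurnSecure Map encryption described above, computed on the host side as an added Python example (not code from the datasheet or from Atmel). Because the 447-bit message is not a whole number of bytes, it runs one SHA-256 compression over the already padded 512-bit block instead of calling a byte-oriented hash library. Assumptions: the function names are illustrative, bits are packed most-significant-bit first as in SHA-256 (so the ignored seed bit is the slot the ‘1’ pad occupies), and the Map is handled as 11 bytes in transmit order.

```python
import math

MASK = 0xFFFFFFFF

def _icbrt(n):  # integer cube root by bisection
    lo, hi = 0, 1 << 36
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# SHA-256 constants derived as FIPS 180-4 defines them: fractional bits of the
# square roots (IV) and cube roots (K) of the first 8 and 64 primes.
_PRIMES = [n for n in range(2, 312) if all(n % d for d in range(2, n))]
IV = [math.isqrt(p << 64) & MASK for p in _PRIMES[:8]]
K = [_icbrt(p << 96) & MASK for p in _PRIMES]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256_block(block):
    """One SHA-256 compression over a single, already padded 64-byte block."""
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for i in range(16, 64):
        s0 = _rotr(w[i-15], 7) ^ _rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = _rotr(w[i-2], 17) ^ _rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & MASK)
    a, b, c, d, e, f, g, h = IV
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    out = [(x + y) & MASK for x, y in zip(IV, (a, b, c, d, e, f, g, h))]
    return b"".join(x.to_bytes(4, "big") for x in out)

def personalization_digest(key, seed):
    """Section 6.5 body: key, 64 one bits, 127 seed bits, '1' pad, length 447."""
    assert len(key) == 32 and len(seed) == 16
    # Assumption: SHA-256 bit order, so the ignored seed LSB is where the pad bit sits.
    body = key + b"\xff" * 8 + seed[:15] + bytes([seed[15] | 1])
    return sha256_block(body + (447).to_bytes(8, "big"))

def encrypt_map(desired_fuses, key, seed):
    """Return (encrypted Map, fuses burned) for 11 bytes of target fuse values."""
    assert len(desired_fuses) == 11
    clear = bytes(b ^ 0xFF for b in desired_fuses)   # a '1' in the Map burns a fuse to 0
    pad = personalization_digest(key, seed)[:11]      # first 88 bits of the digest
    burned = sum(bin(b).count("1") for b in clear)    # the chip does not check this count
    return bytes(c ^ p for c, p in zip(clear, pad)), burned
```

The returned burn count is what the host multiplies by the per-fuse burn time to decide whether the Map has to be split across several BurnSecure repetitions.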
