DS2703U+
SHA-1 Battery Pack Authentication IC
GENERAL DESCRIPTION
The DS2703 provides a robust cryptographic solution to ensure the authenticity of Li-Ion battery packs for cell phone, PDA, and portable computing devices. The DS2703 employs the Secure Hash Algorithm (SHA-1) specified in the Federal Information Processing Standards publication 180-1 and 180-2, and ISO/IEC 10118-3. SHA-1 is designed for authentication, just what is required for identifying battery packs manufactured by authorized sources.
The device’s SHA-1 engine processes a host-transmitted challenge using its stored 64-bit secret key and unique 64-bit ROM ID to produce a 160-bit response word for transmission back to the host. The secret key is securely stored on-chip and never transmitted between the battery and the host. A DS2703-based system produces a high degree of authentication security between a host system and its removable battery or other peripheral devices.
The Thermistor Multiplexer feature allows a three-contact battery pack configuration to support data and thermistor functions. When activated through a 1-Wire command, the THM pin presents the thermistor impedance on the data contact and disconnects internal loading from the node.
TYPICAL OPERATING CIRCUIT
FEATURES
Secure Challenge and Response Authentication Using the SHA-1 Algorithm
Directly Powered by the Dallas 1-Wire® Interface with 16kbps Standard and 143kbps Overdrive Communication Modes
Unique 64-Bit Serial Number
Thermistor Multiplexer
Operates with VPULLUP as Low as 2.7V
µMax-8 Package (Lead-Free)
ORDERING INFORMATION
+ Denotes lead-free package.
APPLICATIONS
2.5G/3G Wireless Handsets
PDAs
Handheld or Notebook Computers and Terminals
Digital Still and Video Cameras
PIN CONFIGURATION
1-Wire is a registered trademark of Dallas Semiconductor.
ABSOLUTE MAXIMUM RATINGS
Voltage Range on DQ, THM Pins Relative to Ground: -0.3V to +18V
Voltage Range on VB Pin Relative to Ground: -0.3V to +6V
Operating Temperature Range: -40°C to +85°C
Storage Temperature Range: -55°C to +125°C
Soldering Temperature: See IPC/JEDEC J-STD-020A Specification
Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. These are stress ratings only,
and functional operation of the device at these or any other conditions beyond those indicated in the operational sections of the specifications is
not implied. Exposure to the absolute maximum rating conditions for extended periods may affect device.
RECOMMENDED DC OPERATING CONDITIONS (TA = -20°C to +70°C.)
DC ELECTRICAL CHARACTERISTICS (VPULLUP = 2.7V to 5.5V, TA = -20°C to +70°C.)
EEPROM RELIABILITY SPECIFICATION (VPULLUP = 2.7V to 5.5V, TA = -20°C to +70°C.)
AC ELECTRICAL CHARACTERISTICS (VPULLUP = 2.7V to 5.5V, TA = -20°C to +70°C.)
AC ELECTRICAL CHARACTERISTICS: 1-Wire INTERFACE (VPULLUP = 2.7V to 5.5V, TA = -20°C to +70°C.)
Note 1: VDQ – VTHM. The THM pin must not be driven to a higher voltage than the DQ pin.
Note 2: The application thermistor cannot exceed the RDQ-THM resistance range over operating temperature. If thermistor mode is not used in the application, it is recommended that a 50kΩ resistor be connected between DQ and THM pins instead.
Note 3: Maximum leakage of DQ pin while in thermistor mode.
Note 4: When performing a Lock Secret (0x6A), Set Overdrive (0x8B) or Clear Overdrive (0x8D) operation, there will be an increased operating current of IPGM-IDLE during the time period from when the command is issued until the next 1-Wire bus reset. IPGM-IDLE current will be present before and after the program pulse.
Note 5: See Figure 11 for definition of tPPR, tPPW, and tPPF.
Note 6: All voltages referenced to VSS.
Note 7: VDQ must be at least 3.0V when the 1-Wire bus is idle.
Note 8: Drive strength at time=0 after Activate Thermistor command is sent to the DS2703.
Note 9: Does not include capacitance referred from VB pin on initial power up.
Note 10: EEPROM data read retention is four years at +50°C.
Note 11: Time from msb of Activate Thermistor command until THM pin is driven low internally.
Note 12: Time from msb of Compute Next Secret or Compute MAC command.
PIN DESCRIPTION
Figure 1. Block Diagram
DETAILED DESCRIPTION
The DS2703 is comprised of a SHA-1 Authentication function and thermistor mux control that are accessed via a 1-Wire interface. The high voltage (HV) detection circuit routes the externally supplied programming voltage to the EEPROM array and enables the internal regulator to isolate portions of the chip from the programming voltage. The 1-Wire interface controls access by a host system to the 64-bit Net Address (ROM ID) and SHA-1 Authentication.
The DS2703 operates in one of four operating modes: communication, computation, programming and thermistor
access. Most operations are performed in communication mode, with the host system addressing the DS2703 using Net Address commands and then setting up an authentication exchange and retrieving the results. In
communication mode, the DQ load current averages 5µA maximum, and the DS2703 can be “parasite” powered via the DQ pin through a high impedance pullup resistor during a communication transaction. Power available while
the 1-Wire bus is at a logic high is rectified by the on chip diode and stored in an off chip capacitor connected to the VB pin. The voltage regulator operates in a low impedance drop-out mode in the communication mode.
In computation mode, when a SHA-1 verification is performed, the DQ load current increases up to 1mA, necessitating a lower impedance pullup resistor. The computation mode load current occurs after the host supplies
the required challenge data and requests the computation using the proper function commands in communication mode. In this mode, the pullup supply and low impedance pullup resistor must be capable of keeping the DQ pin
above VPULLUP-MIN. The voltage regulator operates in a low impedance drop-out mode.
The third operating mode is required when programming the non-volatile memory portions of the DS2703. The
programming mode is defined by the application of a high voltage programming pulse to the DQ pin at the appropriate point during a Compute Secret command, Load/Lock Secret or Clear/Set Overdrive Timing command.
The internal voltage regulator limits the internal voltage (VDD_INT) to isolate low voltage portions of the chip from the HV programming pulse. Typically, programming mode is used during module or pack manufacture to configure the
DS2703 and program the 64-bit secret.
Finally, thermistor mode allows the voltage on an external thermistor to be measured from the DQ line. The
command sequence causes the DS2703 to internally disconnect its DQ interface and drive the THM pin to VSS allowing the measurement to be made. The IC remains in this mode until the VB pin capacitor is drained causing
the DS2703 to power cycle back to communication mode.
AUTHENTICATION
Authentication is performed using a FIPS-180 compliant SHA-1 one way hash algorithm on a 512 bit message block. The message block consists of a 64-bit secret, a 64-bit challenge and 384 bits of constant data. Optionally,
the 64-bit net address replaces 64 of the 384 bits of constant data used in the hash operation. An authentication attempt is initiated by the host system providing a 64-bit random challenge then sending one of two compute
command sequences. The host and the DS2703 both calculate the result based on the mutually known secret. The result data, known as the Message Authentication Code (MAC) or Message Digest, is returned by the DS2703 for
comparison to the host’s result. Note that the secret is never transmitted on the bus and thus cannot be captured by observing bus traffic. SHA-1 based authentication is a cryptographically strong method in wide use for digitally
signing encrypted files and secure transactions such as electronic cash and password exchange protocols.
In the FIPS 180 compliant input block, the 512-bit message block is organized as sixteen 32-bit words, W0-W15. The message block is initialized when a command is received to compute the MAC. Upon initialization, the 64-bit secret is loaded; note that the SHA-1 algorithm has access to this data, but the serial interface does not. The challenge data is received with the command just prior to the compute MAC command. The challenge data is cleared during computation of the MAC, so the host must write new challenge data prior to issuing each Compute MAC or Compute Next Secret command. Additionally, the A, B, C, D and E variables used in the hash computation are initialized per FIPS 180 as shown in Table 1, Variable Initiation.
Table 1. Variable Initiation
The 160-bit MAC is computed per FIPS 180, including the addition of constants H0-H4. Adding H0-H4 is necessary
only to maintain compliance with FIPS 180. The computed MAC is held in the A-E register memory and then returned as a 160-bit serial stream, beginning with the least significant bit of variable A.
Table 2. Message Authentication Code (MAC) Return Format
SHA-1 HASH ALGORITHM
General Definitions:
This description of the SHA computation is adapted from the Secure Hash Standard SHA-1 document. The algorithm takes as its input data 16, 32-bit words Mt (0 ≤ t ≤ 15) as shown in the SHA-1 Input Message Format tables. The SHA computation involves six 32-bit word variables labeled A, B, C, D, E, and TMP, five 32-bit word constants labeled H0, H1, H2, H3, and H4, a sequence of eighty 32-bit words called Wt (0 ≤ t ≤ 79), a sequence of eighty 32-bit words called Kt (0 ≤ t ≤ 79), and a Boolean function ft(B,C,D) (0 ≤ t ≤ 79). The operations required for the SHA computation are arithmetic addition without carry ("+"), logical inversion or 1's complement ("\"), logical XOR ("⊕"), logical AND ("^"), logical OR ("v"), concatenation of 32-bit values (“|”), assignment (":=") and circular shifting within a 32-bit word. The expression Sn(X) represents a circular shift of X by n positions to the left, with X being a 32-bit word.
The function ft is defined as follows:
ft(B,C,D) = (B^C)v((B\)^D)       (0 ≤ t ≤ 19)
          = B ⊕ C ⊕ D            (20 ≤ t ≤ 39)
          = (B^C)v(B^D)v(C^D)    (40 ≤ t ≤ 59)
          = B ⊕ C ⊕ D            (60 ≤ t ≤ 79)
The sequence Kt (0 ≤ t ≤ 79) is defined as follows:
Kt := 5A827999h    (0 ≤ t ≤ 19)
      6ED9EBA1h    (20 ≤ t ≤ 39)
      8F1BBCDCh    (40 ≤ t ≤ 59)
      CA62C1D6h    (60 ≤ t ≤ 79)
The sequence Wt (0 ≤ t ≤ 79) is defined as follows:
Wt := Mt (see table, FIPS-180 compliant input block)    (0 ≤ t ≤ 15)
      S1(Wt-3 ⊕ Wt-8 ⊕ Wt-14 ⊕ Wt-16)                   (16 ≤ t ≤ 79)
SHA Computation
The variables A, B, C, D, E and constants H0, H1, H2, H3, and H4 are initialized as follows:
A := 67452301h    H0 := 67452301h
B := EFCDAB89h    H1 := EFCDAB89h
C := 98BADCFEh    H2 := 98BADCFEh
D := 10325476h    H3 := 10325476h
E := C3D2E1F0h    H4 := C3D2E1F0h
The final values of variables A, B, C, D, and E are generated by looping through the following set of computations for t = 0 to 79 (discarding any carry-out). Finally, the H0-H4 constants are added to the A-E variables respectively, which are then concatenated to form the 160-bit MAC, ABCDE.
for ( t = 0 to 79 ) {
    TMP := S5(A) + ft(B,C,D) + Wt + Kt + E
    E := D
    D := C
    C := S30(B)
    B := A
    A := TMP
}
160-bit MAC := (A+H0) | (B+H1) | (C+H2) | (D+H3) | (E+H4)
DS2703 AUTHENTICATION COMMANDS
WRITE CHALLENGE [0Ch]. This command writes 64 bits in the message block. The LSB of the 64-bit data can begin immediately after the MSB of the command has been completed. If more than 8 bytes are written, the final
value in the challenge register will be indeterminate. The Compute MAC and Compute Next Secret (with or without ROM ID) function commands clear the challenge value. Therefore the Write Challenge command must be issued
prior to every Compute MAC or Compute Next Secret command for reliable results.
COMPUTE MAC WITHOUT ROM ID [36h]. This command initiates a SHA-1 computation on the 512 bit block comprised of words W0 - W15. The 64-bit secret and the 64-bit challenge are loaded in the message block. The
DS2703 takes up to 100µs after receiving this command to begin computing the MAC. This gives the host ample time to connect the DQ pin to a low impedance node prior to the high current demand computation. The DQ pin
must not fall below VPULLUP_MIN during the computation period, tCOMP. The host must release the DQ pin for 1-Wire data communications (i.e. terminate the low source impedance mode). After the DQ pin has returned to normal
impedance, the host must write eight write zero time slots and then issue 160 read time slots to get the MAC. The 32-bit registers A, B, C, D, and E are used during every cycle of the hash algorithm and their final values at
calculation cycle t=79 are added to the values H0-H4 and stored in registers A-E. The new word ABCDE is now the MAC. After issuing the command and waiting a minimum of tCOMP, the host reads the 20-byte MAC. This command
allows the use of a master secret and message digest response independent of the ROM ID.
COMPUTE MAC WITH ROM ID [35h]. This command is structured the same as the Compute MAC without ROM ID, except that the ROM ID is loaded to
the message block. Including the ROM ID unique to each DS2703 in the MAC computation allows the use of a unique secret in each token and a master secret in the host device. See application note “White Paper 4”, available
at http://, for more information.
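The SHA computation and the host-side MAC comparison described above, written out in C as an added example (not code from the data sheet or from Dallas Semiconductor). The placement of the secret and challenge within M0-M15 and the constant words are assumptions, because the input block table is not reproduced on this page; `ds2703_build_block`, `ds2703_verify` and the sample values are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#define ROL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))   /* Sn(X) */

/* SHA computation over one 512-bit block M0..M15, following the data
 * sheet: Wt expansion, ft, Kt, 80 rounds, then H0-H4 added to A-E. */
void ds2703_sha(const uint32_t M[16], uint32_t mac[5])
{
    static const uint32_t H[5] = { 0x67452301u, 0xEFCDAB89u, 0x98BADCFEu,
                                   0x10325476u, 0xC3D2E1F0u };
    uint32_t W[80], A = H[0], B = H[1], C = H[2], D = H[3], E = H[4];

    for (int t = 0; t < 80; t++) {
        uint32_t f, k, tmp;
        W[t] = (t < 16) ? M[t]
                        : ROL(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16], 1);
        if (t < 20)      { f = (B & C) | (~B & D);          k = 0x5A827999u; }
        else if (t < 40) { f = B ^ C ^ D;                   k = 0x6ED9EBA1u; }
        else if (t < 60) { f = (B & C) | (B & D) | (C & D); k = 0x8F1BBCDCu; }
        else             { f = B ^ C ^ D;                   k = 0xCA62C1D6u; }
        tmp = ROL(A, 5) + f + W[t] + k + E;   /* 32-bit add, carry-out dropped */
        E = D; D = C; C = ROL(B, 30); B = A; A = tmp;
    }
    mac[0] = A + H[0]; mac[1] = B + H[1]; mac[2] = C + H[2];
    mac[3] = D + H[3]; mac[4] = E + H[4];
}

/* ASSUMED layout, not taken from the page: M0-M1 secret, M2-M3 challenge,
 * M4-M15 the 384 constant bits (caller supplies them from the data sheet's
 * input block table). */
void ds2703_build_block(const uint32_t secret[2], const uint32_t chal[2],
                        const uint32_t konst[12], uint32_t M[16])
{
    M[0] = secret[0]; M[1] = secret[1];
    M[2] = chal[0];   M[3] = chal[1];
    for (int i = 0; i < 12; i++) M[4 + i] = konst[i];
}

/* Host side: recompute the MAC for the challenge it issued and compare all
 * five words without an early exit. Returns 1 on match, 0 otherwise. */
int ds2703_verify(const uint32_t secret[2], const uint32_t chal[2],
                  const uint32_t konst[12], const uint32_t response[5])
{
    uint32_t M[16], mac[5], diff = 0;
    ds2703_build_block(secret, chal, konst, M);
    ds2703_sha(M, mac);
    for (int i = 0; i < 5; i++) diff |= mac[i] ^ response[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not real keys or data sheet constants. */
    const uint32_t secret[2] = { 0x01234567u, 0x89ABCDEFu };
    const uint32_t konst[12] = { 0 };
    const uint32_t chal1[2] = { 0xDEADBEEFu, 0x00000001u };
    const uint32_t chal2[2] = { 0xDEADBEEFu, 0x00000002u };
    uint32_t M[16], resp[5];
    ds2703_build_block(secret, chal1, konst, M);   /* what the pack computes */
    ds2703_sha(M, resp);
    printf("fresh challenge: %d\n", ds2703_verify(secret, chal1, konst, resp));
    printf("replayed MAC:    %d\n", ds2703_verify(secret, chal2, konst, resp));
    return 0;
}
```

A MAC recorded for one challenge fails against any other challenge, which is why the host must issue a new random 64-bit challenge for every authentication attempt.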
SHA-1 related commands used while authenticating a battery or peripheral device are summarized in Table for convenience. Four additional commands for clearing, computing and locking of the Secret are described in detail in
the following section.
Table 3. Authentication Function Commands
SECRET MANAGEMENT FUNCTION COMMANDS
LOAD SECRET [5Ah]. This command sets the 64-bit secret to the 64-bit value supplied as the data argument. The host must apply a programming pulse to write the secret value to EEPROM.
COMPUTE NEXT SECRET WITHOUT ROM ID [30h]. This command initiates a SHA-1 computation of the MAC and uses a portion of the resulting MAC as the next or new secret. The MAC computation is performed with the current 64-bit secret and the 64-bit challenge. Logical 1’s are loaded in place of the ROM ID since the ROM ID data is not used in this command. Two words (64 bits) of the output MAC are used as the new secret value. The host must allow tCOMP after issuing this command for the SHA calculation to complete, then apply a programming pulse to write the new secret value to EEPROM.
COMPUTE NEXT SECRET WITH ROM ID [33h]. This command initiates a SHA-1 computation of the MAC and uses a portion of the resulting MAC as the next or new secret. The MAC computation is performed with the current
64-bit secret, the 64-bit ROM ID, and the 64-bit challenge. Two words (64 bits) of the output MAC are used as the new secret value. The host must allow tCOMP after issuing this command for the SHA calculation to complete, then
apply a programming pulse to write the new secret value to EEPROM.
LOCK SECRET [6Ah]. This command write protects the 64-bit Secret to prevent accidental or malicious overwrite of the secret value. The Secret value stored in EEPROM becomes "final." The host must apply a programming
pulse to write the secret lock bit to EEPROM.
Table 4. Secret Loading Function Commands
1-Wire SPEED CONTROL FUNCTION COMMANDS
CLEAR OVERDRIVE [8Dh]. This command clears the 1-Wire Overdrive bit to select the Standard 1-Wire timings
shown in the Electrical Characteristics table. The Overdrive bit is stored in EEPROM so that the programmed
speed selection can be recalled on initial power up. The host must apply a programming pulse to complete the command.
SET OVERDRIVE [8Bh]. This command sets the 1-Wire Overdrive bit to select the Overdrive 1-Wire timings
shown in the Electrical Characteristics table. The Overdrive bit is stored in EEPROM so that the programmed speed selection can be recalled on initial power up. The host must apply a programming pulse to complete the
command.
Table 5. 1-Wire Speed Control Function Commands
THERMISTOR MEASUREMENT
The DS2703’s 1-Wire interface allows a thermistor to be multiplexed on the DQ line for thermal measurements of the cell pack without adding an additional pack connection. See the Typical Operating Circuit, Figure 5. The
thermistor is connected between the DQ and THM pins. THM is normally high impedance to prevent the thermistor from interfering with 1-Wire communication. When an Activate THM command is received, THM is internally driven
to VSS and the DQ pin becomes high impedance allowing the thermistor resistance to be measured. See the timing diagram in Figure 12.
Figure 2. Thermistor Mode Duration when CVB is .22µF
The DS2703 will remain in thermistor measurement mode until the stored charge on the VB pin capacitor is depleted causing the IC to power cycle back to standard mode of operation. While in thermistor measurement
mode, communication to the DS2703 is not possible. After measuring the thermistor, the host must wait until the VB capacitor is depleted. Figure 2 shows the typical and worst case transition times over the full operating range
when using .22µF as the VB pin capacitor. Thermistor measurements should be made within the first 100ms after issuing the command. The host system should then wait until at least 1000ms have passed before sending the next
communication sequence to the IC.
Table 6. Thermistor Function Command
1-Wire BUS SYSTEM
The 1-Wire bus is a system that has a single bus master and one or more slaves. A multidrop bus is a 1-Wire bus with multiple slaves, while a single-drop bus has only one slave device. In all instances, the DS2703 is a slave
device. The bus master is typically a microprocessor in the host system. The discussion of this bus system consists of five topics: 64-bit net address, CRC generation, hardware configuration, transaction sequence, and 1-Wire
signaling.
64-BIT NET ADDRESS (ROM ID)
Each DS2703 has a unique, factory-programmed 1-Wire Net Address that is 64 bits in length. The term Net
Address is synonymous with the ROM ID or ROM Code terms used in earlier Dallas 1-Wire product documentation. The first eight bits of the Net Address are the 1-Wire family code, (34h) for the DS2703. The next 48 bits are a
unique serial number. The last eight bits are a cyclic redundancy check (CRC) of the first 56 bits (see Figure 3). The 64-bit net address and the 1-Wire I/O circuitry built into the device enable the DS2703 to communicate through
the 1-Wire protocol detailed in this data sheet.
Figure 3. 1-Wire Net Address Format
CRC GENERATION
The DS2703 has an 8-bit CRC stored in the most significant byte of its 1-Wire net address. To ensure error-free
transmission of the address, the host system can compute a CRC value from the first 56 bits of the address and compare it to the 8-bit CRC from the DS2703.
The host system is responsible for verifying the CRC value and taking action as a result. The DS2703 does not compare CRC values and does not prevent a command sequence from proceeding as a result of a CRC mismatch. Proper use of the CRC can result in a communication channel with a very high level of integrity. The CRC can be generated by the host using a circuit consisting of a shift register and XOR gates as shown in
Figure 4, or it can be generated in software using the polynomial X^8 + X^5 + X^4 + 1. Additional information about the Dallas 1-Wire CRC is available in Application Note 27: Understanding and Using Cyclic Redundancy Checks with
Dallas Semiconductor Touch Memory Products (/appnoteindex).
In Figure 4, the Shift Register bits are initialized to 0. Then, starting with the least significant bit of the family code, one bit at a time is shifted in. After the 8th bit of the family code has been entered, then the serial number is
entered. After the 48th bit of the serial number has been entered, the shift register contains the CRC value.
Figure 4. 1-Wire CRC Generation Block Diagram
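The host-side net address check described above, as an added C example (not code from the data sheet): it computes the CRC in software with the stated polynomial, shift register initialized to 0 and bits entered least significant first, then compares it with the received CRC byte and checks the 34h family code. The function names, the status enum and the sample address in `main` are hypothetical; the byte order is the order the bytes arrive on the bus (family code first, CRC last).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DS2703_FAMILY_CODE 0x34u   /* first eight bits of the net address */

enum rom_status { ROM_OK = 0, ROM_BAD_CRC, ROM_WRONG_FAMILY };

/* Dallas 1-Wire CRC: X^8 + X^5 + X^4 + 1, register starts at 0, data is
 * shifted in LSB first. 0x8C is that polynomial in bit-reversed form. */
uint8_t ow_crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 1u) ? (uint8_t)((crc >> 1) ^ 0x8Cu)
                             : (uint8_t)(crc >> 1);
    }
    return crc;
}

/* rom[0] = family code, rom[1..6] = 48-bit serial number, rom[7] = CRC of
 * the first 56 bits. The device never rejects a command on a CRC mismatch,
 * so the host has to make this decision itself. */
enum rom_status ds2703_check_rom(const uint8_t rom[8])
{
    if (ow_crc8(rom, 7) != rom[7])
        return ROM_BAD_CRC;
    /* An all-zero read (bus held low) has a matching CRC of 0, so the
     * family code check is what rejects it. */
    if (rom[0] != DS2703_FAMILY_CODE)
        return ROM_WRONG_FAMILY;
    return ROM_OK;
}

int main(void)
{
    /* Constructed sample address: family 34h, serial 000000000001h; the CRC
     * byte is filled in here so the sample is self-consistent. */
    uint8_t rom[8] = { 0x34, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    rom[7] = ow_crc8(rom, 7);
    printf("clean read:     %d\n", ds2703_check_rom(rom));
    rom[3] ^= 0x10;                       /* single bit error on the bus */
    printf("corrupted read: %d\n", ds2703_check_rom(rom));
    return 0;
}
```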