# **Standard Read/Write Crypto Identification IC**

## Description

The e5560 is a member of the TEMIC **ID**entification **IC** (IDIC<sup>®</sup>) family for applications where information has to be transmitted contactless. The IDIC<sup>®</sup> is connected to a tuned LC circuit for power supply and bidirectional data communication (**R**ead/**W**rite) to a base station. TEMIC offers LC circuit and chip assembled in form of a transponder or tag. These units are smal, smart and rugged data storage units.

The e5560 is a Read/Write crypto-IC for applications which demand higher security levels than standard R/W transponder ICs can offer. For that purpose, the e5560 has an encryption algorithm block which enables a base station to authenticate the transponder. The base station transmits a random number to the e5560. This challenge is encrypted by both, IC and base station. The e5560 sends back the result to the base station for comparison. As both should possess the same secret key, the results of this encryption are expected to be equal. Any attempt to fake the base station with a wrong transponder will be recognized immediately.

The on-chip 320-bit EEPROM (10 blocks of 32 bits each)

#### Features

- Low-power, low-voltage CMOS IDIC<sup>®</sup>
- Contactless power supply
- Contactless bidirectional data transmission
- Contactless programming of EEPROM
- Radio Frequency (RF): 100 kHz to 150 kHz
- Automatic adaptation of resonance frequency
- Easy synchronization with special terminators
- High-security authentication with crypto algorithm (AUT64)

can be read and written blockwise by a base station. Four blocks contain the ID code and six memory blocks are used to store the crypto key as well as the read/write options. The crypto key and the ID code can be protected individually against overwriting. Likewise, the crypto key can not be read out. To ensure that the e5560 can not be used from unauthorized users to copy and fake readonly IDIC<sup>®</sup>s, the supplier can program and lock 8 bits of the ID code with a customer-specific header.

125 kHz is the typical operational frequency of a system using the e5560. Two read data rates are programmable. Reading occurs through damping the incoming RF field with an on-chip load. This damping is detected by the field-generating base station. Data transmission starts after power-up with the transmission of the ID code and continues as long as the e5560 is powered. Writing is carried out with TEMIC writing method. To transmit data to the e5560, the base station has to interrupt the RF for a short time to create a field gap. The information is encoded in the number of clock cycles between two subsequent gaps.

- Encryption time < 35 ms
- 320-bit EEPROM memory in 10 blocks of 32 bits each
- Programmable read/write protection
- Extensive protection against contactless malprogramming of the EEPROM
- Programming time for one block of the EEPROM 16 ms typically
- Main options set by EEPROM: Bitrate [bit/s]: RF/32, RF/64 Encoding: Manchester, Biphase



Figure 1. Transponder system example using e5560

#### Table 2. Pads

| Name            | Pad Window                | Function                      |
|-----------------|---------------------------|-------------------------------|
| Coil1           | 136 x 136 μm <sup>2</sup> | 1st coil pad                  |
| Coil2           | 136 x 136 µm <sup>2</sup> | 2nd coil pad                  |
| V <sub>DD</sub> | 78 x 78 μm <sup>2</sup>   | Positive supply voltage       |
| V <sub>SS</sub> | 78 x 78 μm <sup>2</sup>   | Negative supply voltage (gnd) |
| TEST1           | 78 x 78 μm <sup>2</sup>   | Test pad                      |
| TEST2           | 78 x 78 μm <sup>2</sup>   | Test pad                      |
| TEST3           | 78 x 78 μm <sup>2</sup>   | Test pad                      |

For normal (coil-driven) operation, the e5560 needs only Coil1 and Coil2.



Figure 2. Pad positions

## **Internal Modes of the e5560**

The e5560 can be operated in several internal modes, each providing a special function. These are:

- Start-up
- ID mode
- Programming mode
- Direct-access mode
- Crypto mode
- Stop mode
- Password function

The following section gives a short functional description of each mode. A more detailed description is given in the section: "Operating the e5560".

#### Start-up

After the power-on reset (POR) has reset the entire circuit, the e5560 is configured by reading out the configuration data bits of the EEPROM. If the auto-adapt function is disabled, the start-up procedure sets the capacitance value for the adaption of the resonance frequency according to the configuration data.

#### **ID Mode**

In the ID mode the e5560 transmits an identification datastream (ID code) to the base station. As the base station reads out data coming from the transponder, this direction of data transmission will be designated as 'read'.

The ID code is sent in loop as long as the RF field is applied. The single parts of the datastream and the type of modulation depend on the configuration loaded during

start-up. The following options are available during ID mode:

- Two different bitrates and modulations
- Two possible lengths of ID code (64 bit or 128 bit)
- Two different terminators
- 4-bit preburst followed by terminator 1 between start-up and sending the first data bits of the ID-code

#### **Programming Mode**

The e5560 must be programmed before being used in a security system. The e5560 contains a 320-bit EEPROM which is arranged in 10 blocks of 32 bits each. Programming the e5560 is carried out blockwise, i.e., every single block has to be programmed separately. The blocks of the EEPROM are divided into 4 sections:

- Configuration
- ID code
- Crypto key
- Customer configuration

Every section consists of one or more block of the EEPROM. Programming is carried out by sending the programming data sequence to the e5560. As the base station sends data to the transponder this direction of data transmission will be designated as 'write'.

After the base station has sent the data sequence and the specified block has been programmed, the e5560 transmits the content of the programmed EEPROM block. The content is always sent in loop with terminator 1. The beginning of the datastream is indicated by a preburst.

During programming, the e5560 monitors several fault and protection mechanisms. If a fault or a protection violation is detected, the e5560 enters the ID mode.

#### **Direct-Access Mode**

If the base station transmits a special data sequence to the e5560, it will enter the direct-access mode. The base station can activate two different functions:

- Read the content of a single block of the EEPROM
- Activate special features (e.g., for test purposes)

In the first case, the e5560 transmits the block's content in loop, starting with a preburst followed by the terminator which is also used to indicate the beginning of the transmission of the specified block data.

During the direct-access mode, the e5560 monitors several fault and protection mechanisms. If a fault or a protection violation is detected, the e5560 enters the ID mode.

#### **Crypto Mode**

In crypto mode, a non-linear high-security encryption algorithm called AUT64 is used to authenticate the e5560.

After the base station has identified the e5560 (i.e., read the ID code), the base station may authenticate the transponder by transmitting it a challenge. Receiving this data sequence, the e5560 enters the crypto mode.

This initiates the following actions:

- During calculating the AUT64 result, the transponder transmits the checksum of the challenge
- The e5560 generates the response from the calculated result of the AUT64
- As soon as the calculation is finished, the e5560 interrupts the transmission of the checksum by sending a terminator
- The e5560 transmits the response in loop with a terminator back to the base station

The base station can read the response and authentify the transponder. It is possible to interrupt the calculation of the AUT64 result by sending another data sequence (e.g., if the checksum was found to be wrong).

During the crypto mode, the e5560 monitors several fault and protection mechanisms. If a fault or a protection violation is detected, the e5560 enters the ID mode.

#### **Stop Mode**

If two or more transponders are used simultaneously (e.g., in a manufacturing step), it might be useful to be able to set the transponders in a passive state. To avoid a communication conflict, the base station has to transmit a special data sequence to the active transponder(s) forcing them to enter the stop mode.

In the stop mode, the e5560 switches off the damping as long as the RF field is applied. After a power-on reset, the e5560 enters the start-up and the ID mode again.

During the data sequence of the stop mode, the e5560 monitors fault mechanisms. If a fault is detected, the e5560 enters the ID mode.

#### **Password Function**

The password function is a separate protection mechanism to avoid that a base station can read or manipulate the internal configuration and data blocks of the e5560 without knowing the password. Even a transition to the crypto-mode is disabled. If the password function is active, the base station has to reset the password bit by sending the password and reprogramming the customerconfiguration section before any other operation is possible. During the password mode, the e5560 monitors several fault and protection mechanism. If a fault or a protection violation is detected, the e5560 enters the ID mode.

#### **Mode Transitions**

If the e5560 is in ID mode and the base station transmits a write sequence by interrupting the RF field, the internal mode changes according to the received write sequence. If an error has been detected or the password function has been enabled, the e5560 remains in ID mode.

A transition to and from all other modes (except the ID mode) is possible by sending the corresponding write sequence. Once the ID mode is left, returning is only possible by sending an uncorrect data sequence to the transponder.



Figure 3. State diagram of the e5560 (overview)

Note: This picture is only an overview. In reality, more transitions are possible.

12718

## **Building Blocks of the e5560**



Figure 4. Block diagram

#### **Analog Front End (AFE)**

The AFE includes all circuits directly connected to the coil. It generates the IC's power supply and handles the bidirectional data communication with the base station. It consists of the following blocks:

- Rectifier to generate a DC supply voltage from the AC coil voltage
- Clock extractor
- Switchable load between Coil1/Coil2 for data transmission from the IC to the base station (read)
- Field gap detector for data transmission from the base station to the IC (write)

#### Controller

The controller has following functions:

- Initialize and refresh configuration register from EEPROM
- Control memory access (read, program)
- Handle correct write data transmission
- Error detection and error handling
- Control encryption operation
- Control adaptation of resonance frequency

## **Power-On Reset (POR)**

The power-on reset is a delay reset which is triggered when the supply voltage is applied.

#### **Configuration Register**

The configuration register stores the configuration data read out from EEPROM blocks 0 and 9. It is continuously refreshed which increases the reliability of the device (if the initially loaded configuration was wrong or modified, it will be corrected by subsequent refresh cycles).

#### Adapt

The e5560 is able to minimize the tolerance of the resonance frequency by switching on-chip capacitors in parallel to the external LC circuit. By using an external coil of approx. 4 mH and a resonance frequency of 125 kHz it is possible to tune the resonance frequency in a range of about 5%. The amount of the additional capacitance is determined by the adapt [2:0] bits in the configuration register. By using the LC circuit mentioned above, a resonance-frequency tolerance of less than 1% can be achieved.

Automatic adaptation: If the e5560 is used in a multiple base station environment, the adaptation can be carried out automatically (auto\_adapt option). In this case, the e5560 starts an auto-adaptation procedure every time it enters an RF field (i.e., a power-on reset occurs). The adapt bits of the configuration data in block 0 do not affect the capacitance's value determined by the auto-adaptation.

#### **Bitrate Generator**

The bitrate generator can deliver bitrates of RF/32 and RF/64 for data transmission from the e5560 to the base station. If the option 'block0\_free' is not set, the bitrate is determined by the length of the ID code, otherwise the bitrate can be selected independently.

#### **Bit Decoder**

The bit decoder forms the signals needed for write operation and decodes the received data bits in the write data stream.

#### **Modulator**

The modulator consists of two data encoders and the terminator generator. There are two kinds of modulation:

- Manchester mid-bit rising edge = data H; mid-bit falling edge = data L
- Biphase every bit creates a change, a data "0" creates an additional mid-bit change

By using biphase modulation, data transmission always starts damping on.

#### **HV Generator**

Voltage pump which generates ~18V for programming of the EEPROM.

#### Memory

The memory of the e5560 is a 320-bit EEPROM which is arranged in 10 blocks of 32 bits each. All 32 bits of a block

are programmed simultaneously. The programming voltage is generated on-chip.

Block 0 is reserved for basic configuration data. Blocks 1 to 9 are freely programmable except the 8-bit headers in blocks 1 and 5, if the corresponding header lockbits are set. Blocks 1 to 4 are used for the ID code, blocks 5 to 8 contain the crypto key. In password mode, bits 4 to 31 of block 9 contain the password; bits 0 to 3 of block 9 contain the customer-configuration data. If no password is required, the corresponding bits can be programmed freely.

NOTE: Data from the memory is transmitted serially, starting with the least significant bit #0.

The basic configuration data in block 0 contains the following information (see figure 9):

- Type of modulation and bitrate
- Length of ID code
- Several lockbits
- Terminator set
- Adaptation of resonance frequency

The customer-configuration data in block 9 contains (see figure 10):

- Lockbit for ID code (blocks 1 to 4)
- Lockbit for crypto key (block 5 to 8)
- Lockbit for block 9
- Password mode enable



Figure 5. Types of modulation



Figure 6. Memory map

## **Crypto Circuit**

The crypto circuit uses the certified AUT64-algorithm to encrypt the challenge which is written to the e5560. The computed result can be read by the base station. Comparing the encryption results of the base station and the e5560, a high-security authentification procedure is established. This procedure requires the crypto key of the e5560 and the base station to be equal. The crypto key is stored in the blocks 5 to 8 of the EEPROM and can be locked by the user to avoid read-out or changes.

#### **Protection Mechanisms of the e5560**

Several protection mechanisms are implemented into the e5560. The two main groups are:

- Error mechanisms to detect a fault. These mechanisms are always enabled.
- Programmable protection mechanisms. These mechanisms are optional. When used, they provide protection against attempts to break the security system. They can be enabled by the customer or by TEMIC.

#### **Password Protection**

If the password protection is enabled, the e5560 remains in ID mode even if it has received a correct write sequence. The only possible operation is to modify the content of block 9 by sending the correct password bits. In all other cases, an error handling procedure is started and the e5560 enters ID mode.

#### **Lockbit Protection**

A lockbit is a physical part of the EEPROM's content and is controlled by TEMIC as well as by the customer. The lockbit protection mechanism has two different effects:

- Avoid programming (modifying data) of the EEPROM's blocks
- Avoid reading out the crypto key from the EEPROM using direct-access mode

If the base station tries to read out the crypto key and the corresponding lockbit is set, the e5560 will enter the ID mode immediately. Once the crypto key lockbit is set, the crypto key can neither be modified nor read out any more.

There are several lockbits available, each affecting a special data region of the EEPROM. The main groups of lockbits are:

- Lockbits to inhibit programming of one block of the EEPROM
- Lockbits to inhibit programming of one block of a specific address range
- Lockbits to inhibit programming of the least significant 8 bits of one specific block

In the first two cases, an attempt to modify a data region protected by a lockbit will cause an error handling procedure (i.e., the e5560 enters ID mode). In the third case programming of the block is possible but the 8 bits protected by the lockbit are not changed. No error handling procedure starts.

#### **Stop Mode**

The stop mode can also be used as a protection mechanism, e.g., during configuration at manufacturing. The base station can configure the transponders one by one by, forcing them into stop mode after programming. In this way, transponders can be programmed even if there are other transponders in the RF field at the same time.

# **Operating the e5560**

#### General

The basic functions of the e5560 are: *supply* the IC from the coil, *read* data from the EEPROM to the base station, *authenticate* the IC, *receive* commands from the base station and *program* the data sent into the EEPROM. Several *write errors* can be detected to protect the memory from being overwritten with uncorrect data. A password function is implemented ensuring that only authorized people can operate the IC.

Operating modes:

- ID mode: the e5560 sends ID code to the base station
- **Programming mode:** the e5560 programs the EEPROM with data bits received from the base station
- **Direct-access mode:** the e5560 sends the content of single block of the EEPROM to the base station
- **Crypto mode:** the e5560 computes a response according to the challenge received from the base station and sends the response to the base station
- **Stop mode:** the e5560 stops modulation

An additional password function enables the e5560 to be operated only by a person who knows the password programmed in the EEPROM memory.

#### Supply

The e5560 is supplied via a tuned LC circuit which is connected to the Coil1 and Coil2 pads. The incoming RF (actually a magnetic field) induces a current into the coil which powers the chip. The on-chip rectifier generates the DC supply voltage ( $V_{DD}$ ,  $V_{SS}$  pads). Overvoltage protection prevents the IC from damage due to high field strengths (depending on the coil, the open-circuit voltage across the LC circuit can reach more than 100 V). The first occurrence of RF triggers a power-on reset pulse, ensuring a defined start-up state.

#### Start-up

The various modes of the e5560 are activated after the first readout of the configuration. The modulation is on during power-on reset and is off while the configuration is read. After this initialization period of 256 FCs the e5560 enters the ID mode immediately if the terminator 2 is selected, otherwise a data value of Fh in the selected configuration (modulation, bitrate, bitcount) is sent followed by the eventually specified terminator 1.

If the auto-adapt option is set, the start-up sequence is different (see figure 8). After the POR, the e5560 waits for 1 ms (i.e., 128 clock cycles) before starting the automatic adaptation of the resonance frequency. The auto-adaptation time is between 1.0 ms and 4.0 ms depending on the capacitance needed to achieve resonance. After the adaption is carried out, the e5560 continues with the preburst, terminator etc.



Figure 7. Application circuit

#### Without auto-adapt



With auto-adapt option set



Figure 8. Voltage at Coil1/Coil2 after start-up (e.g., RF/32, Manchester, Terminator 1)

#### Configuration

The configuration data of the e5560 is stored in block 0 of the EEPROM which contains the following information (see figure 9):

- Type of modulation and bitrate
- Length of ID code
- Several lockbits
- Selected terminator
- Adaptation of the resonance frequency (if auto-adapt is not used)

The configuration may be changed by programming block 0. However, this is only possible if the lockbits  $L_C$  and  $L_0$  in block 0 have not been set.

e5560

| 31 30 29                                       | 9 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0                                                                                                                                                                                                                                                                                                                  |
|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                | 20 bit Supplier Chip ID (SCID)                                                                                                                                                                                                                                                                                                                                                                  |
| MOD<br>BR<br>BC<br>T<br>L_C<br>H1<br>H5<br>L_0 | Modulation ('0' = Manchester, '1' = Biphase)adapt $L_0$ H5H1 $L_C$ TBCBRMOBitrate ('0' = RF/32, '1' = RF/64)[2][1][0][1][0]Bitcount ('0' = 128 bit, '1' = 64 bit)Not used00TerminatorTerminator 110Lockbit config. for the first 8 bits of block 0Terminator 20ID code header lockbit (first 8 bits of block 1)Not terminator1Crypto-key header lockbit (first 8 bits of block 5)No terminator1 |
| adapt                                          | 3 bits for adaptation of the resonance frequency 12723                                                                                                                                                                                                                                                                                                                                          |
|                                                | Figure 9. Configuration data in block 0                                                                                                                                                                                                                                                                                                                                                         |

Block 9 contains the customer configuration and the password (if password function is enabled). The customer-configuration data in block 9 includes (see figure 10):

- lockbit for ID code (blocks 1 to 4)
- lockbit for crypro key (block 5 to 8)
- lockbit for block 9
- password function enable

If the password function has been enabled, bits 4 to 31 represent the password of the e5560.



Figure 10. Customer configuration data in block 9

#### Data Transmission to the Base Station (Read)

Data transmission from the e5560 to the base station is carried out by switching a load between the coil pads on and off (damping). This changes the current through the IC coil which can be detected by the base station.



**Preliminary Information** 

TELEFUNKEN Semiconductors Rev. A1, 20-Dec-96



#### **ID Mode**

The ID mode is the default mode after starting-up. The ID code is read out of the EEPROM and sent to the base station.

#### **Modulation and Bitrate**

The different bitrates and modulators of the e5560 can be selected using the appropriate bit in block 0. Available bitrates are RF/32 and RF/64; the e5560 provides biphase and manchester modulation.



Figure 12. Types of modulation

#### **Data Streams**

Reading begins with block 1 (LSB first). Depending on the selected bitcount, block 1 is followed by block 2, 3 and 4 (128-bit bitcount) or just by block 4 (64-bit bitcount). The ID code is transmitted in loop or interrupted by the selected terminator, respectively. To avoid malfunction, the mode register is refreshed continuously with the content of EEPROM blocks 0 and 9 during reading of block 4. The data streams of the ID mode are shown in figure 13.



Figure 13. ID mode data streams

#### Terminators

Terminators are a special pattern to mark the beginning and end of the code. The terminators may be used to synchronize the base station. They can be detected reliably since they are a violation of the modulation scheme. After a terminator is sent, transmission of the first bit of the ID-code starts with damping on for a certain detection (if biphase modulation is used).

Note: Terminator 2 is only available in ID mode; all other modes make use of terminator 1.



Figure 14. Terminators

#### Data Transmission to the e5560 (Write)

Data transmission from the base station to the e5560 is carried out by using the TEMIC write method. It is based on interrupting the RF field with short gaps. The number of field clock cycles (FC) of two consecutive gaps encodes the (0/1) bit-information to be transmitted.

#### **Start Gap**

The first gap is the start gap which triggers writing. During writing the damping is permanently enabled which simplifies gap detection. The start gap has to be longer than the subsequent gaps in order to be reliably detected. By default, a start gap will be detected at any time after start-up intialization has been finished (field-on plus approx. 2 ms).



Figure 15. Signals to the transponder during writing

#### **Bit Decoder**

The duration of the gaps is usually 50µs - 150µs. The time between two gaps is nominally 24 field clocks for a '0' and 56 field clocks for a '1'. The bit will be interpreted as '0' if there are 16 to 32 field clocks since the last field gap; it will be interpreted as '1' if the number of field clock cycles is in a range of 48 to 64. When there is no gap for more

than 64 field clocks, writing is carried out (EOT). If there is a wrong number of field clocks between two gaps– i.e., one or more data sent were not a valid '0' or '1' – the e5560 will detect an error (see 'Error handling').



Figure 16. Bit decoding scheme (number of FCs between two consecutive gaps)

#### **OP Codes**

The OP code is defined as the first two bits of a writing sequence. It is used for changing the operational modes of the e5560. There are three valid OP codes: The programming mode and direct-access mode are entered with the '10' OP code, '01' is used to initiate the authentication of the e5560, and the OP code '00' disables modulation until a POR occurs.



Figure 17. OP codes

#### **Programming Mode**

Programming the EEPROM of the e5560 is carried out blockwise, i.e., every single block has to be programmed separately. The programming-mode write sequence is shown in figure 18. After the OP code '10', the 32 data bits have to be sent followed by the four address bits specifying the block to be programmed (each LSB first). The sequence is completed by sending an EOT (end of transmission), i.e., more than 64 field clocks without any gap.



Figure 18. Programming mode write sequence

When the entire write sequence is written to the e5560, programming may proceed. There is a 64-clock delay between the end of writing and the start of programming. During this time, the EEPROM's programming voltage  $V_{PP}$  is measured and the lockbit for the block to be programmed is examined. Further,  $V_{PP}$  is continually monitored throughout the programming cycle. If Vpp is too low, the chip starts error handling. The programming time is 16 ms (including erase) with a field clock frequency of 125 kHz.

# e5560

Write mode

Check V<sub>PP</sub>

V<sub>PP</sub> on



| Operation | write V <sub>PP</sub> & lock ok? |                                       | erase EEPROM | program EEPROM | read  |  |
|-----------|----------------------------------|---------------------------------------|--------------|----------------|-------|--|
|           |                                  | · · · · · · · · · · · · · · · · · · · |              |                | 12733 |  |

Figure 19. Programming

After programming is carried out, the e5560 sends an Fh preburst followed by the terminator 1. After that, the just programmed data is read out of the EEPROM and sent in loop with the terminator 1. This enables the base station to detect a malprogramming by comparing the data transmitted with the data read out after programming. This mode remains until a POR occurs or another gap is detected.







Figure 21. Coil voltage in programming mode

#### **Direct-Access Mode**

The direct-access mode is typically used to read out the content of a single block of the EEPROM. The write sequence is shown in figure 22. Following the OP code '10', the address of the block to be read has to be sent (LSB first).

|  |  | 12735 | 12735 |
|--|--|-------|-------|
|--|--|-------|-------|

Figure 22. Direct-access mode write sequence

Reading the content of block 0 and the four blocks of the ID code is always possible. The blocks containing the cryptokey (blocks 5 to 8) can only be accessed when the corresponding lockbit in block 9 is not set. Therefore, there is no possibility for a non-authorized person to read out or modify the crypto key if it is locked. Figure 23 shows the direct-access-mode data stream. After the write sequence, an FFh preburst is sent followed by the terminator 1. After that, the addressed block and the terminator 1 are sent in loop.

```
Preliminary Information
```

TELEFUNKEN Semiconductors Rev. A1, 20-Dec-96



Figure 24. Coil voltage in direct-access mode

#### **Crypto Mode**

The crypto mode enables the high-security authentication of the e5560. For this purpose, a certified algorithm called AUT64 is used. The crypto-mode write sequence is shown in figure 25. After the OP code '01', the challenge is sent to the e5560 (LSB first).



Figure 25. Crypto mode write sequence

After the write sequence, the AUT64-algorithm is started. The computation of the response takes about 30 ms. During this time, a checksum - the number of the challenge bits set to '1' - can be read by the base station. Once the response has been computed, the base station can read the response in loop with the terminator 1. This remains until a POR occurs or another gap is detected. The datastream of the crypto-mode is shown in figure 26.





During the encryption calculation, the checksum is sent in loop with a special pattern (see figure 27). The bits of the checksum are sent with LSB first. If the base station detects an error by comparing the checksum, the calculation of the response can be interrupted by sending a new challenge. This will start the authentication procedure again.





# **Preliminary Information**

15 (24)



Figure 28. Coil voltage in crypto mode

#### **Stop Mode**

The stop mode disables the modulation of the e5560, i.e., switches off the e5560. This feature may be useful when several transponders enter the RF field of the base station one after the other. In this case, the transponders may be collected one by one and disabled after being read out. The stop-mode write sequence is shown in figure 29. It consists just of the OP-code '00' followed by an EOT. After entering stop mode, the modulation is turned off until a POR occurs.



12742

#### Figure 29. Stop mode data sequences

#### **Password Function**

The password function may be used to prevent unauthorized programming, reading via direct-access mode and authentification of the e5560. If the password bit in block 9 of the EEPROM is set, no other operation is possible than reading the ID code in ID mode and programming block 9 (if the password is correct).

If someone wants to use the crypto-, programming or direct-access modes, he has to disable the password-function by resetting the password bit. This is carried out by programming block 9 with bits 4 to 31 set according to the password of the e5560. If password function is enabled and the password transmitted does not match the programmed password, block 9 is not modified.

With this function enabled, the customer configuration can only be changed by an authorized person using the correct password of the e5560.



12743

Figure 30. Write sequence to disable password function

#### **Error Handling**

Several error conditions can be detected to ensure that only valid operations have effect on the e5560.

#### **Errors During Writing Data**

There are four detectable errors possible during writing data to the e5560:

- Field gap was not detected
- Wrong number of field clocks between two gaps, e.g., 37 FCs
- The OP code is not valid ('11')
- The number of bits received is incorrect; valid bit counts are: programming mode 38 bits direct-access mode 6 bits crypto mode 66 bits

| crypto mode 001 |     |
|-----------------|-----|
| stop mode 2 bi  | its |

If any of these four conditions is detected, the e5560 stops writing and enters ID mode. This can easily be analyzed using the damping which is usually on during writing. It changes according to the selected modulation scheme in ID mode.

#### **Errors During Programming Mode**

If the writing sequence has been transmitted successfully, there are three errors that may prevent the e5560 from programming the data to the EEPROM:

• The programming voltage V<sub>PP</sub> is too low, i.e., the field strength is not high enough

- The lockbit of the adressed block is set
- The password function is enabled

In these cases, the procedure stops immediately after the error is detected and the IC reverts to ID mode.

#### **Errors During Direct-Access Mode**

In addition to the possible errors mentioned before, two errors may occur in direct-access mode:

- The lock bit of the addressed block 5 to 8 is set
- The password function is enabled

In these cases, the e5560 enters the ID mode after the end of the writing sequence.

#### **Errors During Crypto Mode**

In crypto mode there are two errors that may prevent the e5560 from sending the correct response:

- Error during the crypto writing sequence
- The password function is enabled

The e5560 will enter ID mode immediately if an error in the writing sequence is detected. If the password function is enabled the e5560 enters ID mode after having completed the writing sequence.



Figure 31. Simplified error handling of the e5560

# Authentication

Especially for applications with high-security demands such as immobilizer systems, the e5560 contains an optimized authentication procedure with the following advantages:

- Secure and fast authentication (< 100 ms)
- Application-optimized high-security algorithm
- Customer-specific generation of unique keys

Therefore, a high-security data transmission and encryption as well as a short authentication time is achieved.

For further information, some additional documentation and programms are available:

- The encryption process of the e5560
- Key generating program
- Algorithm program





Figure 32. Authentication procedure

#### Initialization

Before using the e5560 in crypto mode it has to be initialized.

First, the crypto key to be used by the crypto algorithm has to be generated by the key-generating program. This program guarantees that each crypto key is unique, no other e5560 has the same key. This key has to be stored in the memory (block 5 - block 8) of the e5560 via the programming mode. Once the crypto key is locked, it can not be overwritten or read out anymore with direct-access mode. For correct authentication it is necessary that base station and transponder both use the same key. Therefore, the base station needs to know which transponder is currently in the field. Only then the base station can select the key corresponding to this particular transponder. For this identification the e5560 sends a string of data after it is powered up. This ID code also has to be stored in the e5560.

#### Starting the Authentication

After power-up the various modes (bitrate, encoding) are read out of block 0. Then, the e5560 transmits the ID code to identify itself. Thereby, the base station can identify the transponder and knows which crypto key to use. The base station forces the e5560 in crypto mode by sending the OP code '01' followed by a 64-bit string, the challenge.

#### Challenge

The base station generates a 64-bit random number R. This number is the starting value of the actual encryption algorithm. To improve security, this random number is not sent directly to the transponder, but is encrypted by means of a part of the crypto key. The encoded result R' is then transmitted as challenge to the transponder. Once the transponder has received the encoded random number R, it recovers the random number R originally generated by the base station. Both devices, the base station as well as the transponder, then start with the encryption of this number. If the number of received bits is incorrect, the e5560 leaves the crypto mode and enters read mode immediatly, transmitting the ID code.

#### Checksum

For verification of the received challenge, the e5560 sends a checksum (representing the number of '1' of the

challenge) with a special pattern in loop until the encryption is finished (less than 35 ms).

#### Encryption

For encryption, the optimized high-security algorithm AUT64 is used. The elementary parts of this 64-bit block cipher are transposition and substitution (figure 33). For more detailed information on this algorithm additional documentation is provided. The entire algorithm AUT64 is executed 24 times. At each of these 24 times, another key is generated out of the crypto key. Therefore, the algorithm keeps changing and a high-security level is achieved. This is confirmed by statistical analysis.

For more detailed information, the description 'The Encryption Process of the e5560' can be provided.

#### Response

The 64-bit result of the algorithm is reduced to 32 bits using logical operations. This 32-bit response is sent back to the base station for comparison. If the correct keys were used, the result generated inside the base station is identical to the result sent by the e5560. The response is transmitted in loop including the terminator until the IC is powered by the RF field. This gives the base station enough time for checking the validation of the response.





Figure 33. TEMIC crypto algorithm AUT64



Figure 34. Authentication example

# **Technical Data**

#### **Absolute Maximum Ratings**

All voltage are given corresponding to VSS.

| Parameters                                   | Symbol             | Value                                                                        | Unit |
|----------------------------------------------|--------------------|------------------------------------------------------------------------------|------|
| Supply voltage                               | V <sub>DD</sub>    | -0.3 to +7.0                                                                 | V    |
| Input voltage                                | V <sub>IN</sub>    | $\begin{array}{c} V_{SS} - 0.3 \leq V_{IN} \leq \\ V_{DD} + 0.3 \end{array}$ | V    |
| Current into Coil1/Coil2                     | I <sub>C1/C2</sub> | 10                                                                           | mA   |
| Power dissipation (dice) (1)                 | P <sub>tot</sub>   | 100                                                                          | mW   |
| Operating temperature range                  | T <sub>amb</sub>   | -20 to +70                                                                   | °C   |
| Storage temperature range (2)                | T <sub>stg</sub>   | -40 to +125                                                                  | °C   |
| Assembly temperature $(t \le 5 \text{ min})$ | T <sub>ass</sub>   | 150                                                                          | °C   |

Notes:

(1) Free-air condition. Time of application: 1s

(2) Data retention reduced

Stresses above those listed under "Absolute Maximum Ratings" may cause permanent damage to the device.

## **Operating Characteristics**

 $T_{ambient} = 25^{\circ}C$ ; reference terminal is  $V_{SS}$ ; DC operating voltage  $V_{DD} - V_{SS} = 3$  V (unless otherwise noted)

| Parameter           | Test Conditions                           | Symbol                 | Min     | Тур  | Max  | Unit  |
|---------------------|-------------------------------------------|------------------------|---------|------|------|-------|
| RF frequency range  |                                           | f <sub>RF</sub>        | 100     | 125  | 150  | kHz   |
| Supply current      | $f_{RF} = 125 \text{ kHz}$ , Read & Write | I <sub>DD</sub>        |         | 5    | •    | μΑ    |
|                     | $f_{RF} = 125 \text{ kHz}$ , Programming  | I <sub>DD</sub>        |         | tbd. |      | μΑ    |
| Clamp voltage       | Current into $Coil1/2 = 5 mA$             | V <sub>cl</sub>        | 6       |      | 8    | V     |
| Programming voltage | from on-chip HV-Gen                       | V <sub>PP</sub>        | 16      | 18   | 20   | V     |
| Programming time    | $f_{RF} = 125 \text{ kHz}$                | t <sub>PP</sub>        |         | 16   |      | ms    |
| Data retention      | (1)                                       | t <sub>retention</sub> | 10      |      |      | years |
| Programming cycles  | (1)                                       | n <sub>cycle</sub>     | 100 000 |      |      | -     |
| Reset delay time    |                                           | t1                     | 0       | -    | tbd. | μs    |
| Reset recovery time |                                           | t2                     | tbd.    | tbd. | tbd. | ms    |

(1) Since the EEPROM's performance may be influenced by assembly and packaging, we can confirm the parameters for dow (=die-on-wafer) and ICs assembled in standard package.

## **Application Example**



We reserve the right to make changes to improve technical design and may do so without further notice. Parameters can vary in different applications. All operating parameters must be validated for each customer application by the customer. Should the buyer use TEMIC products for any unintended or unauthorized application, the buyer shall indemnify TEMIC against all claims, costs, damages, and expenses, arising out of, directly or indirectly, any claim of personal damage, injury or death associated with such unintended or unauthorized use.

TEMIC TELEFUNKEN microelectronic GmbH, P.O.B. 3535, D-74025 Heilbronn, Germany Telephone: 49 (0)7131 67 2831, Fax number: 49 (0)7131 67 2423