HCS200
K
EE
L
OQ®
Code Hopping Encoder
FEATURES
Security
•
•
•
•
•
•
Programmable 28-bit serial number
Programmable 64-bit crypt key
Each transmission is unique
66-bit transmission code length
32-bit hopping code
28-bit serial number, 4-bit button status,
low battery indicator transmitted
• Crypt keys are read protected
DESCRIPTION
The HCS200 from Microchip Technology Inc. is a code
hopping encoder designed primarily for Remote Key-
less Entry (RKE) systems. The device utilizes the
K
EE
L
OQ®
code hopping technology, incorporating high
security, a small package outline and low cost. The
HCS200 is a perfect replacement of fixed code devices
in unidirectional remote keyless entry systems and
access control systems.
PACKAGE TYPES
PDIP, SOIC
S0
S1
S2
NC
1
HCS200
2
3
4
8
7
6
5
V
DD
NC
PWM
V
SS
Operating
•
•
•
•
•
•
3.5–13.0V operation
Three button inputs - seven functions available
Selectable baud rate
Automatic code word completion
Low battery signal transmitted to receiver
Non-volatile synchronization data
Other
•
•
•
•
•
Easy to use programming interface
On-chip EEPROM
On-chip oscillator and timing components
Button inputs have internal pull-down resistors
Low external component cost
BLOCK DIAGRAM
Oscillator
RESET circuit
Controller
Power
latching
and
switching
Typical Applications
The HCS200 is ideal for Remote Keyless Entry (RKE)
applications. These applications include:
•
•
•
•
•
•
•
Fixed code replacement
Automotive RKE systems
Automotive alarm systems
Automotive immobilizers
Gate and garage door openers
Identity tokens
Burglar alarm systems
PWM
EEPROM
Encoder
32-bit shift register
Vss
V
DD
Button input port
S2 S1 S0
The HCS200 operates over a wide voltage range of
3.5 volts to 13.0 volts and has three button inputs in an
8-pin configuration. This allows the system designer
the freedom to implement up to seven functions. The
only components required for device operation are the
buttons and RF circuitry, allowing a very low
system cost.
©
2002 Microchip Technology Inc.
DS40138C-page 1
HCS200
The HCS200 combines a 32-bit hopping code,
generated by a non-linear encryption algorithm, with a
28-bit serial number and 6 information bits to create a
66-bit code word. The code word length eliminates the
threat of code scanning and the code hopping mecha-
nism makes each transmission unique, thus rendering
code capture and resend schemes useless.
The crypt key, serial number and configuration data are
stored in an EEPROM array which is not accessible via
any external connection. The EEPROM data is pro-
grammable but read-protected. The data can be veri-
fied only after an automatic erase and programming
operation. This protects against attempts to gain
access to keys or manipulate synchronization values.
The HCS200 provides an easy to use serial interface
for programming the necessary keys, system parame-
ters and configuration data.
•
Learn
– Learning involves the receiver calculating
the transmitter’s appropriate crypt key, decrypting
the received hopping code and storing the serial
number, synchronization counter value and crypt
key in EEPROM. The K
EE
L
OQ
product family facil-
itates several learning strategies to be imple-
mented on the decoder. The following are
examples of what can be done.
-
Simple Learning
The receiver uses a fixed crypt key, common
to all components of all systems by the same
manufacturer, to decrypt the received code
word’s encrypted portion.
-
Normal Learning
The receiver uses information transmitted
during normal operation to derive the crypt
key and decrypt the received code word’s
encrypted portion.
-
Secure Learn
The transmitter is activated through a special
button combination to transmit a stored 60-bit
seed value used to generate the transmitter’s
crypt key. The receiver uses this seed value
to derive the same crypt key and decrypt the
received code word’s encrypted portion.
•
Manufacturer’s code
– A unique and secret 64-
bit number used to generate unique encoder crypt
keys. Each encoder is programmed with a crypt
key that is a function of the manufacturer’s code.
Each decoder is programmed with the manufac-
turer code itself.
The HCS200 code hopping encoder is designed specif-
ically for keyless entry systems; primarily vehicles and
home garage door openers. The encoder portion of a
keyless entry system is integrated into a transmitter,
carried by the user and operated to gain access to a
vehicle or restricted area. The HCS200 is meant to be
a cost-effective yet secure solution to such systems,
requiring very few external components (Figure 2-1).
Most low-end keyless entry transmitters are given a
fixed identification code that is transmitted every time a
button is pushed. The number of unique identification
codes in a low-end system is usually a relatively small
number. These shortcomings provide an opportunity
for a sophisticated thief to create a device that ‘grabs’
a transmission and retransmits it later, or a device that
quickly ‘scans’ all possible identification codes until the
correct one is found.
The HCS200, on the other hand, employs the K
EE
L
OQ
code hopping technology coupled with a transmission
length of 66 bits to virtually eliminate the use of code
‘grabbing’ or code ‘scanning’. The high security level of
the HCS200 is based on the patented K
EE
L
OQ
technol-
ogy. A block cipher based on a block length of 32 bits
and a key length of 64 bits is used. The algorithm
obscures the information in such a way that even if the
transmission information (before coding) differs by only
one bit from that of the previous transmission, the next
1.0
SYSTEM OVERVIEW
Key Terms
The following is a list of key terms used throughout this
data sheet. For additional information on K
EE
L
OQ
and
Code Hopping, refer to Technical Brief 3 (TB003).
•
RKE
- Remote Keyless Entry
•
Button Status
- Indicates what button input(s)
activated the transmission. Encompasses the 4
button status bits S3, S2, S1 and S0 (Figure 4-2).
•
Code Hopping
- A method by which a code,
viewed externally to the system, appears to
change unpredictably each time it is transmitted.
•
Code word
- A block of data that is repeatedly
transmitted upon button activation (Figure 4-1).
•
Transmission
- A data stream consisting of
repeating code words (Figure 8-2).
•
Crypt key
- A unique and secret 64-bit number
used to encrypt and decrypt data. In a symmetri-
cal block cipher such as the K
EE
L
OQ
algorithm,
the encryption and decryption keys are equal and
will therefore be referred to generally as the crypt
key.
•
Encoder
- A device that generates and encodes
data.
•
Encryption Algorithm
- A recipe whereby data is
scrambled using a crypt key. The data can only be
interpreted by the respective decryption algorithm
using the same crypt key.
•
Decoder
- A device that decodes data received
from an encoder.
•
Decryption algorithm
- A recipe whereby data
scrambled by an encryption algorithm can be
unscrambled using the same crypt key.
DS40138C-page 2
©
2002 Microchip Technology Inc.
HCS200
coded transmission will be completely different. Statis-
tically, if only one bit in the 32-bit string of information
changes, greater than 50 percent of the coded trans-
mission bits will change.
As indicated in the block diagram on page one, the
HCS200 has a small EEPROM array which must be
loaded with several parameters before use; most often
programmed by the manufacturer at the time of produc-
tion. The most important of these are:
• A 28-bit serial number, typically unique for every
encoder
• A crypt key
• An initial 16-bit synchronization value
• A 16-bit configuration value
The crypt key generation typically inputs the transmitter
serial number and 64-bit manufacturer’s code into the
key generation algorithm (Figure 1-1). The manufac-
turer’s code is chosen by the system manufacturer and
must be carefully controlled as it is a pivotal part of the
overall system security.
FIGURE 1-1:
Production
Programmer
CREATION AND STORAGE OF CRYPT KEY DURING PRODUCTION
HCS200
EEPROM Array
Serial Number
Crypt Key
Sync Counter
Transmitter
Serial Number
Manufacturer’s
Code
Key
Generation
Algorithm
Crypt
Key
.
.
.
The 16-bit synchronization counter is the basis behind
the transmitted code word changing for each transmis-
sion; it increments each time a button is pressed. Due
to the code hopping algorithm’s complexity, each incre-
ment of the synchronization value results in greater
than 50% of the bits changing in the transmitted code
word.
Figure 1-2 shows how the key values in EEPROM are
used in the encoder. Once the encoder detects a button
press, it reads the button inputs and updates the syn-
chronization counter. The synchronization counter and
crypt key are input to the encryption algorithm and the
output is 32 bits of encrypted information. This data will
change with every button press, its value appearing
externally to ‘randomly hop around’, hence it is referred
to as the hopping portion of the code word. The 32-bit
hopping code is combined with the button information
and serial number to form the code word transmitted to
the receiver. The code word format is explained in
greater detail in Section 4.0.
A receiver may use any type of controller as a decoder,
but it is typically a microcontroller with compatible firm-
ware that allows the decoder to operate in conjunction
with an HCS200 based transmitter. Section 7.0
provides detail on integrating the HCS200 into a sys-
tem.
A transmitter must first be ‘learned’ by the receiver
before its use is allowed in the system. Learning
includes calculating the transmitter’s appropriate crypt
key, decrypting the received hopping code and storing
the serial number, synchronization counter value and
crypt key in EEPROM.
In normal operation, each received message of valid
format is evaluated. The serial number is used to deter-
mine if it is from a learned transmitter. If from a learned
transmitter, the message is decrypted and the synchro-
nization counter is verified. Finally, the button status is
checked to see what operation is requested. Figure 1-3
shows the relationship between some of the values
stored by the receiver and the values received from
the transmitter.
©
2002 Microchip Technology Inc.
DS40138C-page 3
HCS200
FIGURE 1-2:
EEPROM Array
Crypt Key
Sync Counter
Serial Number
BUILDING THE TRANSMITTED CODE WORD (ENCODER)
K
EE
L
OQ
Encryption
Algorithm
Button Press
Information
Serial Number
32 Bits
Encrypted Data
Transmitted Information
FIGURE 1-3:
BASIC OPERATION OF RECEIVER (DECODER)
1 Received Information
EEPROM Array
Button Press
Information
Serial Number
32 Bits of
Encrypted Data
Manufacturer Code
2
Check for
Match
Serial Number
Sync Counter
Crypt Key
3
K
EE
L
OQ
Decryption
Algorithm
Decrypted
Synchronization
Counter
Perform Function
5 Indicated by
button press
4
Check for
Match
NOTE:
Circled numbers indicate the order of execution.
DS40138C-page 4
©
2002 Microchip Technology Inc.
HCS200
2.0
ENCODER OPERATION
As shown in Figure 2-1, the HCS200 is a simple device
to use. It requires only the addition of buttons and RF
circuitry for use as the transmitter in your security appli-
cation. A description of each pin is described in
Table 2-1.
Note:
When V
DD
> 9.0V and driving low capaci-
tive loads, a resistor with a minimum value
of 50Ω should be used in line with V
DD
.
This prevents clamping of PWM at 9.0V in
the event of PWM overshoot.
The HCS200 will wake-up upon detecting a button
press and delay approximately 10 ms for button
debounce (Figure 2-2). The synchronization counter,
discrimination value and button information will be
encrypted to form the hopping code. The hopping code
portion will change every transmission, even if the
same button is pushed again. A code word that has
been transmitted will not repeat for more than 64K
transmissions. This provides more than 18 years of use
before a code is repeated; based on 10 operations per
day. Overflow information sent from the encoder can be
used to extend the number of unique transmissions to
more than 192K.
If in the transmit process it is detected that a new but-
ton(s) has been pressed, a RESET will immediately
occur and the current code word will not be completed.
Please note that buttons removed will not have any
effect on the code word unless no buttons remain
pressed; in which case the code word will be completed
and the power-down will occur.
FIGURE 2-1:
+12V
R
(Note
2
)
TYPICAL CIRCUITS
B0
B1
S0
S1
S2
NC
V
DD
NC
PWM
Vss
Tx out
FIGURE 2-2:
ENCODER OPERATION
(A button has been pressed)
Power-Up
2 button remote control
RESET and Debounce Delay
+12V
R
(Note
2
)
B3 B2 B1 B0
(10 ms)
Sample Inputs
Update Sync Info
Tx out
S0
S1
S2
NC
V
DD
NC
PWM
Vss
Encrypt With
Crypt Key
Load Transmit Register
Transmit
Buttons
Added
?
No
All
Buttons
Released
?
Yes
Complete Code
Word Transmission
Stop
No
4 button remote control
(Note
1
)
Note
1:
Up to 7 functions can be implemented by pressing
more than one button simultaneously or by using a
suitable diode array.
2:
Resistor (R) is recommended for current limiting.
Yes
TABLE 2-1:
Pin
Name
Number
S0
S1
S2
V
SS
PWM
1
2
3
5
6
PIN DESCRIPTIONS
Description
Switch input 0
Switch input 1
Switch input 2/Clock pin when in
Programming mode
Ground reference
Pulse Width Modulation (PWM)
output pin/Data pin for Program-
ming mode
Positive supply voltage
V
DD
8
©
2002 Microchip Technology Inc.
DS40138C-page 5
FPGA/CPLD
京公网安备 11010802033920号
EEWORLD
