Mitsubishi Motors DS5000TK User Manual


USER’S GUIDE

050396 77/173


On–chip Vector RAM

A 48–byte RAM area is incorporated inside the DS5000FP and DS5002FP. This area maps to the first 48 locations of program memory to store reset and interrupt vectors. Any other data stored in the first 48 locations will be contained in this Vector RAM. The principal reason for the Vector RAM is that the reset and interrupt vectors are known logical addresses in the 8051 family. Thus an attacker could force a reset or interrupt and discover the encrypted address generated by the Secure Microcontroller. By storing these Vectors in on–chip RAM, it is impossible to observe such relationships. Although it is very unlikely that an application program could be deciphered by observing the vector addresses, the Vector RAM eliminates this possibility. Note that the dummy accesses discussed above also occur while the Vector area is being accessed.

The Vector RAM is automatically loaded with the reset and interrupt vectors during Bootstrap Loading. This feature is transparent to operation and no action is required to use it. However, considering the Vector area feature can improve overall system security. As mentioned above, the Vector RAM is instantaneously destroyed in the event of an unlock (also by a self–destruct on DS5002FP). Since it is hidden and subject to destruction, the 48 bytes are the most secure memory in a system. Thus the most critical constants can also be stored there. This is an ideal location for storing DES keys for applications involving data encryption such as electronic funds transfer.

The Vector RAM is always used on a DS5002FP. The data stored between logical location 00h and 30h will be loaded into and executed from the Vector RAM. This data will not be duplicated in NV RAM accessed by the Byte–wide bus. The operation of DS5000FP Vector RAM is the same, but only when the encryption feature is enabled. When a DS5000FP has not had an Encryption Key loaded, the Vector RAM is left unused.

Self–Destruct Input

The Self–Destruct Input (SDI) is an active high input pin that is used to clear the security lock on a DS5002FP in response to an external event. The SDI is intended to be used with external tamper detection circuitry. It can be activated by an active high signal with or without operating power applied to the VCCI pin. Activation of the SDI pin instantaneously clears the Security Lock initiating the sequence of events described above. In addition, power is momentarily removed from all Byte–wide bus interface signals including the VCCO pin, resulting in loss of data by the external RAM. Address and data lines are also pulled low to remove any excess charge that could help retain data in that RAM. The SDI pin is deglitched so that a 2 µs pulse is required to activate it. However, this pin is sensitive so it should be grounded if not used. It is only available on the DS5002FP and DS2252FP products.

Microprobe/Die Top Coating

The DS5002FPM is provided with a special top–layer coating that is designed to prevent a microprobe attack. The coating is implemented with a second layer of metal on the microcontroller die. This metal will result in a short circuit of critical functions if probing is attempted. The probing action destroys the data that is secret. Also, security circuits and Vector RAM derive their power from this screen. Therefore they will be de–powered if the top coating is removed, also destroying the secret data. In this event, any critical data stored on–chip will be destroyed and off–chip data is rendered useless.

Random Number Generator

As mentioned above, the DS5002FP incorporates a hardware random number generator used by the Bootstrap Loader to generate Encryption Keys. The Random Number Generator is not a security circuit per se, but it is available to the application and can be used to improve the overall system security. Random numbers have numerous applications with respect to security. For example, to prevent an attacker from developing a histogram of code execution, the Random Number Generator could be used to decide how long to spend on particular activities. The random number is created 8 bits at a time. Each byte is obtained by the application code at SFR location 0CFh. The random number takes 160 µs to develop. Reading a byte from register 0CFh will start the generation of another random number. After the random number is read, another will be available approximately 160 µs later. The RNR bit (RPCTL.7; 0D8h) will be set to a logic 1 each time a new number is available. If the random number is read prior to RNR being set, the value will be 00.
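
The read sequence described above, as an added example that is not part of the original manual: a host-runnable C model of the two registers (RNR at RPCTL.7, random byte at 0CFh) with a fill routine that waits for RNR, next to one that skips the check. The model struct, the function names, the xorshift stand-in source and the assumption that every read restarts generation are constructed for illustration.

```c
#include <stdint.h>
#define RNR_MASK   0x80u   /* RNR = RPCTL.7 (SFR 0D8h) */
#define RNG_PERIOD 160u    /* microseconds per byte, from the text */

/* Constructed host-side model of the RNG registers, not real hardware. */
typedef struct {
    uint32_t now_us;    /* simulated clock */
    uint32_t ready_at;  /* time at which RNR becomes 1 */
    uint32_t state;     /* xorshift32 stand-in for the hardware source */
} rng_model;

void model_init(rng_model *m, uint32_t seed) {
    m->now_us = 0; m->ready_at = RNG_PERIOD; m->state = seed ? seed : 1u;
}

uint8_t read_rpctl(const rng_model *m) {          /* models SFR 0D8h */
    return (m->now_us >= m->ready_at) ? RNR_MASK : 0;
}

uint8_t read_rng(rng_model *m) {                  /* models SFR 0CFh */
    uint8_t v = 0;                                /* early read returns 00 */
    if (m->now_us >= m->ready_at) {
        m->state ^= m->state << 13; m->state ^= m->state >> 17;
        m->state ^= m->state << 5;
        v = (uint8_t)(m->state >> 8);
    }
    m->ready_at = m->now_us + RNG_PERIOD;  /* assumed: every read restarts it */
    return v;
}

/* Poll RNR before each read; the timeout keeps a stuck bit from hanging. */
int rng_fill(rng_model *m, uint8_t *out, int n, uint32_t timeout_us) {
    for (int i = 0; i < n; i++) {
        for (uint32_t waited = 0; !(read_rpctl(m) & RNR_MASK); waited++) {
            if (waited >= timeout_us) return -1;
            m->now_us++;                          /* 1 us busy-wait step */
        }
        out[i] = read_rng(m);
    }
    return 0;
}

/* Defect shown for contrast: back-to-back reads, 2 us apart, no RNR check. */
int rng_fill_unchecked(rng_model *m, uint8_t *out, int n) {
    int zeros = 0;
    for (int i = 0; i < n; i++) {
        out[i] = read_rng(m); m->now_us += 2;
        zeros += (out[i] == 0);
    }
    return zeros;                                 /* count of 00 bytes */
}
```

An 8–bit random value can itself be 00, so the byte read back cannot be used to detect an early read; only the RNR bit can.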
