HCS300
Code Hopping Encoder*
FEATURES
Security
Programmable 28-bit serial number
Programmable 64-bit encryption key
Each transmission is unique
66-bit transmission code length
32-bit hopping code
34-bit fixed code (28-bit serial number,
4-bit button code, 2-bit status)
• Encryption keys are read protected
•
•
•
•
•
•
PACKAGE TYPES
PDIP, SOIC
S0
S1
S2
S3
1
HCS300
2
3
4
8
7
6
5
V
DD
LED
PWM
V
SS
Operating
• 2.0—6.3V operation
• Four button inputs
- No additional circuitry required
- 15 functions available
• Selectable baud rate
• Automatic code word completion
• Battery low signal transmitted to receiver
• Non-volatile synchronization data
HCS300 BLOCK DIAGRAM
Oscillator
Reset circuit
LED
LED driver
Controller
Power
latching
and
switching
EEPROM
Other
•
•
•
•
•
•
•
Easy to use programming interface
On-chip EEPROM
On-chip oscillator and timing components
Button inputs have internal pulldown resistors
Current limiting on LED output
Minimum component count
Synchronous transmission mode
PWM
32-bit shift register
Encoder
V
SS
V
DD
Button input port
Typical Applications
The HCS300 is ideal for Remote Keyless Entry (RKE)
applications. These applications include:
•
•
•
•
•
•
Automotive RKE systems
Automotive alarm systems
Automotive immobilizers
Gate and garage door openers
Identity tokens
Burglar alarm systems
S
3
S
2
S
1
S
0
The HCS300 combines a 32-bit hopping code
generated by a non-linear encryption algorithm, with a
28-bit serial number and six status bits to create a
66-bit transmission stream. The length of the
transmission eliminates the threat of code scanning
and the code hopping mechanism makes each
transmission unique, thus rendering code capture and
resend (code grabbing) schemes useless.
The encryption key, serial number, and configuration
data are stored in EEPROM which is not accessible via
any external connection. This makes the HCS300 a
very secure unit. The HCS300 provides an easy to use
serial interface for programming the necessary security
keys, system parameters, and configuration data.
The encyrption keys and code combinations are pro-
grammable but read-protected. The keys can only be
verified after an automatic erase and programming
operation. This protects against attempts to gain
access to keys and manipulate synchronization values.
DESCRIPTION
The HCS300, from Microchip Technology Inc., is a code
hopping encoder designed for secure Remote Keyless
Entry (RKE) systems. The HCS300 utilizes the K
EE
L
OQ
code hopping technology, which incorporates high secu-
rity, a small package outline and low cost, to make this
device a perfect solution for unidirectional remote key-
less entry systems and access control systems.
KeeLoq is a trademark of Microchip Technology Inc.
*Code hopping encoder patents allowed and pending.
©
1996 Microchip Technology Inc.
Preliminary
This document was created with FrameMaker 4 0 4
DS21137D-page 1
HCS300
The HCS300 operates over a wide voltage range of
2.0V to 6.3V and has four button inputs in an 8-pin
configuration. This allows the system designer the
freedom to utilize up to 15 functions. The only
components required for device operation are the but-
tons and RF circuitry, allowing a very low system cost.
such systems. The encoder portion of a keyless entry
system is meant to be held by the user and operated to
gain access to a vehicle or restricted area. The
HCS300 requires very few external components
(Figure 2-1).
Most keyless entry systems transmit the same code
from a transmitter every time a button is pushed. The
relative number of code combinations for a low end sys-
tem is also a relatively small number. These
shortcomings provide the means for a sophisticated
thief to create a device that ‘grabs’ a transmission and
re-transmits it later or a device that scans all possible
combinations until the correct one is found.
The HCS300 employs the K
EE
L
OQ
code hopping tech-
nology and an encryption algorithm to achieve a high
level of security. Code hopping is a method by which
the code transmitted from the transmitter to the receiver
is different every time a button is pushed. This method,
coupled with a transmission length of 66 bits, virtually
eliminates the use of code ‘grabbing’ or code
‘scanning’.
As indicated in the block diagram on page one, the
HCS300 has a small EEPROM array which must be
loaded with several parameters before use. The most
important of these values are:
• A 28-bit serial number which is meant to be
unique for every encoder
• An encryption key that is generated at the time of
production
• A 16-bit synchronization value
The serial number for each transmitter is programmed
by the manufacturer at the time of production. The
generation of the encryption key is done using a key
generation algorithm (Figure 1-1). Typically, inputs to
the key generation algorithm are the serial number of
the transmitter and a 64-bit manufacturer’s code. The
manufacturer’s code is chosen by the system
manufacturer and must be carefully controlled. The
manufacturer’s code is a pivotal part of the overall
system security.
1.0
SYSTEM OVERVIEW
Key Terms
• Manufacturer’s code - a 64-bit word, unique to
each manufacturer, used to produce a unique
encryption key in each transmitter (encoder).
• Encryption Key - a unique 64-bit key generated
and programmed into the encoder during the
manufacturing process. The encryption key
controls the encryption algorithm and is stored in
EEPROM on the encoder device.
1.1
Learn
The HCS product family facilitates several learn strate-
gies to be implemented on the decoder. The following
are examples of what can be done. It must be pointed
out that their exists some third-party patents on learn-
ing strategies and implementation.
1.1.1
NORMAL LEARN
The receiver uses the same information that is transmit-
ted during normal operation to derive the transmitter’s
secret key, decrypt the discrimination value and the
synchronization counter.
1.1.2
SECURE LEARN*
The transmitter is activated through a special button
combination to transmit a stored 48-bit value (random
seed) that can be used for key generation or be part of
the key. Transmission of the random seed can be dis-
abled after learning is completed.
The HCS300 is a code hopping encoder device that is
designed specifically for keyless entry systems,
primarily for vehicles and home garage door openers. It
is meant to be a cost-effective, yet secure solution to
FIGURE 1-1:
CREATION AND STORAGE OF ENCRYPTION KEY DURING PRODUCTION
Transmitter
Serial Number or
Seed
HCS300 EEPROM Array
Serial Number
Encryption Key
Sync Counter
Manufacturer’s
Code
Key
Generation
Algorithm
Encryption
Key
.
.
.
DS21137D-page 2
Preliminary
©
1996 Microchip Technology Inc.
HCS300
The 16-bit synchronization value is the basis for the
transmitted code changing for each transmission, and
is updated each time a button is pressed. Because of
the complexity of the code hopping encryption algo-
rithm, a change in one bit of the synchronization value
will result in a large change in the actual transmitted
code. There is a relationship (Figure 1-2) between the
key values in EEPROM and how they are used in the
encoder. Once the encoder detects that a button has
been pressed, the encoder reads the button and
updates the synchronization counter. The synchroniza-
tion value is then combined with the encryption key in
the encryption algorithm and the output is 32 bits of
encrypted information. This data will change with every
button press, hence, it is referred to as the hopping
portion of the code word. The 32-bit hopping code is
combined with the button information and the serial
number to form the code word transmitted to the
receiver. The code word format is explained in detail
in Section 4.2.
Any type of controller may be used as a receiver, but it
is typically a microcontroller with compatible firmware
that allows the receiver to operate in conjunction with a
transmitter, based on the HCS300. Section 7.0
provides more detail on integrating the HCS300 into a
total system.
Before a transmitter can be used with a particular
receiver, the transmitter must be ‘learned’ by the
receiver. Upon learning a transmitter, information is
stored by the receiver so that it may track the
transmitter, including the serial number of the
transmitter, the current synchronization value for that
transmitter and the same encryption key that is used on
the transmitter. If a receiver receives a message of valid
format, the serial number is checked and, if it is from a
learned transmitter, the message is decrypted and the
decrypted synchronization counter is checked against
what is stored. If the synchronization value is verified,
then the button status is checked to see what operation
is needed. Figure 1-3 shows the relationship between
some of the values stored by the receiver and the val-
ues received from the transmitter.
FIGURE 1-2:
BASIC OPERATION OF TRANSMITTER (ENCODER)
Transmitted Information
K
EE
L
OQ
Encryption
Algorithm
32 Bits of
Encrypted Data
Button Press
Information
Serial Number
EEPROM Array
Encryption Key
Sync Counter
Serial Number
FIGURE 1-3:
BASIC OPERATION OF RECEIVER (DECODER)
Check for
Match
EEPROM Array
Encryption Key
Sync Counter
Serial Number
Manufacturer Code
Check for
Match
K
EE
L
OQ
Decryption
Algorithm
Decrypted
Synchronization
Counter
Button Press
Information
Serial Number
32 Bits of
Encrypted Data
Received Information
©
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 3
HCS300
2.0
DEVICE OPERATION
TABLE 2-1:
Name
S0
S1
S2
S3
V
SS
B0
B1
S0
S1
S2
S3
V
DD
LED
PWM
V
SS
Tx out
PIN DESCRIPTIONS
Description
Switch input 0
Switch input 1
Switch input 2/Can also be clock
pin when in programming mode
Switch input 3/Clock pin when in
programming mode
Ground reference connection
Pulse width modulation (PWM)
output pin/Data pin for
programming mode
Cathode connection for directly
driving LED during transmission
Positive supply voltage
connection
As shown in the typical application circuits (Figure 2-1),
the HCS300 is a simple device to use. It requires only
the addition of buttons and RF circuitry for use as the
transmitter in your security application. A description of
each pin is described in Table 2-1.
Pin
Number
1
2
3
4
5
6
FIGURE 2-1:
V
DD
TYPICAL CIRCUITS
PWM
LED
V
DD
7
8
2 button remote control
B4 B3 B2 B1 B0
V
DD
S0
S1
S2
S3
V
DD
LED
PWM
V
SS
Tx out
5 button remote control (Note)
Note:
Up to 15 functions can be implemented by
pressing more than one button simulta-
neously or by using a suitable diode array.
The high security level of the HCS300 is based on the
patented K
EE
L
OQ
technology. A block cipher type of
encryption algorithm based on a block length of 32 bits
and a key length of 64 bits is used. The algorithm
obscures the information in such a way that even if the
transmission information (before coding) differs by only
one bit from the information in the previous transmis-
sion, the next coded transmission will be totally differ-
ent. Statistically, if only one bit in the 32-bit string of
information changes, approximately 50 percent of the
coded transmission will change. The HCS300 will wake
up upon detecting a switch closure and then delay
approximately 10 ms for switch debounce (Figure 2-2).
The synchronized information, fixed information, and
switch information will be encrypted to form the hopping
code. The encrypted or hopping code portion of the
transmission will change every time a button is
pressed, even if the same button is pushed again.
Keeping a button pressed for a long time will result in
the same code word being transmitted until the button
is released or timeout occurs. A code that has been
transmitted will not occur again for more than 64K
transmissions. This will provide more than 18 years of
typical use before a code is repeated based on 10 oper-
ations per day. Overflow information programmed into
the encoder can be used by the decoder to extend the
number of unique transmissions to more than 192K.
If in the transmit process it is detected that a new but-
ton(s) has been pressed, a reset will immediately be
forced and the code word will not be completed. Please
note that buttons removed will not have any effect on
the code word unless no buttons remain pressed in
which case the ccurrent code word will be completed
and the power down will occur.
DS21137D-page 4
Preliminary
©
1996 Microchip Technology Inc.
HCS300
FIGURE 2-2:
ENCODER OPERATION
(A button has been pressed)
3.0
Power Up
EEPROM MEMORY
ORGANIZATION
Reset and Debounce Delay
(10 ms)
Sample Inputs
Update Sync Info
Encrypt With
Encryption Key
Load Transmit Register
Transmit
The HCS300 contains 192 bits (12 x 16-bit words) of
EEPROM memory (Table 3-1). This EEPROM array is
used to store the encryption key information,
synchronization value, etc. Further descriptions of the
memory array is given in the following sections.
TABLE 3-1:
WORD
ADDRESS
0
1
2
3
4
No
5
6
7
8
9
Stop
10
11
Note:
EEPROM MEMORY MAP
MNEMONIC
KEY_0
KEY_1
KEY_2
KEY_3
SYNC
RESERVED
SER_0
DESCRIPTION
64-bit encryption key
(word 0)
64-bit encryption key
(word 1)
64-bit encryption key
(word 2)
64-bit encryption key
(word 3)
16-bit synchronization
value
Set to 0000H
Device Serial Number
(word 0)
Yes
Buttons
Added
?
No
All
Buttons
Released
?
Yes
Complete Code
Word Transmission
SER_1(Note) Device Serial Number
(word 1)
SEED_0
SEED_1
EN_KEY
CONFIG
Seed Value (word 0)
Seed Value (word 1)
16-bit Envelope Key
Config Word
The MSB of the serial number contains a bit
used to select the auto shutoff timer.
3.1
Key_0 - Key_3 (64-Bit Encryption Key)
The 64-bit encryption key is used by the transmitter to
create the encrypted message transmitted to the
receiver. This key is created and programmed at the
time of production using a key generation algorithm.
Inputs to the key generation algorithm are the serial
number for the particular transmitter being used and a
secret manufacturer’s code. While the key generation
algorithm supplied from Microchip is the typical method
used, a user may elect to create their own method of
key generation. This may be done providing that the
decoder is programmed with the same means of creat-
ing the key for decryption purposes. If a seed is used,
the seed will also form part of the input to the key gen-
eration algorithm.
©
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 5
京公网安备 11010802033920号
Copyright © 2005-2026 EEWORLD.com.cn, Inc. All rights reserved
电子工程世界
