HCS201
K
EE
L
OQ®
Code Hopping Encoder
FEATURES
Security
•
•
•
•
•
•
Programmable 28-bit serial number
Programmable 64-bit encryption key
Each transmission is unique
66-bit transmission code length
32-bit hopping code
34-bit fixed code (28-bit serial number,
4-bit button code, 2-bit status)
• Encryption keys are read protected
DESCRIPTION
The HCS201 from Microchip Technology Inc. is a code
hopping encoder designed for secure Remote Keyless
Entry (RKE) systems. The HCS201 utilizes the K
EE
L
OQ
code hopping technology, incorporating high security, a
small package outline and low cost. The HCS201 is a
perfect solution for unidirectional remote keyless entry
systems and access control systems.
PACKAGE TYPES
PDIP, SOIC
S0
S1
S2
V
DDB
1
8
V
DD
STEP
DATA
V
SS
Operating
• 3.5V-13V operation
(2.0V min. using the Step up feature)
• Three button inputs
• 7 functions available
• Selectable baud rate
• Automatic code word completion
• Battery low signal transmitted to receiver
• Non-volatile synchronization data
HCS201
2
3
4
7
6
5
HCS201 BLOCK DIAGRAM
V
DDB
V
DD
Other
•
•
•
•
•
•
•
Simple programming interface
On-chip EEPROM
On-chip oscillator and timing components
Button inputs have internal pull-down resistors
Minimum component count
Synchronous Transmission mode
Built-in step up regulator
DATA
V
SS
V
DD
Oscillator
RESET circuit
Step Up
Controller
Power
latching
and
switching
STEP
Controller
EEPROM
Encoder
32-bit shift register
Typical Applications
• The HCS201 is ideal for Remote Keyless Entry
(RKE) applications. These applications include:
• Automotive RKE systems
• Automotive alarm systems
• Automotive immobilizers
• Gate and garage door openers
• Identity tokens
• Burglar alarm systems
Button input port
S
2
S
1
S
0
The HCS201 combines a 32-bit hopping code,
generated by a nonlinear encryption algorithm, with a
28-bit serial number and 6 information bits to create a
66-bit code word. The code word length eliminates the
threat of code scanning and the code hopping mecha-
nism makes each transmission unique, thus rendering
code capture and resend schemes useless.
©
2001 Microchip Technology Inc.
DS41098C-page 1
HCS201
The crypt key, serial number and configuration data are
stored in an EEPROM array which is not accessible via
any external connection. The EEPROM data is pro-
grammable but read-protected. The data can be veri-
fied only after an automatic erase and programming
operation. This protects against attempts to gain
access to keys or manipulate synchronization values.
The HCS201 provides an easy-to-use serial interface
for programming the necessary keys, system parame-
ters and configuration data.
•
Learn
– Learning involves the receiver calculating
the transmitter’s appropriate crypt key, decrypting
the received hopping code and storing the serial
number, synchronization counter value and crypt
key in EEPROM. The K
EE
L
OQ
product family facil-
itates several learning strategies to be imple-
mented on the decoder. The following are
examples of what can be done.
-
Simple Learning
The receiver uses a fixed crypt key, common
to all components of all systems by the same
manufacturer, to decrypt the received code
word’s encrypted portion.
-
Normal Learning
The receiver uses information transmitted
during normal operation to derive the crypt
key and decrypt the received code word’s
encrypted portion.
-
Secure Learn
The transmitter is activated through a special
button combination to transmit a stored 60-bit
seed value used to generate the transmitter’s
crypt key. The receiver uses this seed value
to derive the same crypt key and decrypt the
received code word’s encrypted portion.
•
Manufacturer’s code
– A unique and secret 64-
bit number used to generate unique encoder crypt
keys. Each encoder is programmed with a crypt
key that is a function of the manufacturer’s code.
Each decoder is programmed with the manufac-
turer code itself.
The HCS201 code hopping encoder is designed specif-
ically for keyless entry systems; primarily vehicles and
home garage door openers. The encoder portion of a
keyless entry system is integrated into a transmitter,
carried by the user and operated to gain access to a
vehicle or restricted area. The HCS201 is meant to be
a cost-effective yet secure solution to such systems,
requiring very few external components (Figure 2-1).
Most low-end keyless entry transmitters are given a
fixed identification code that is transmitted every time a
button is pushed. The number of unique identification
codes in a low-end system is usually a relatively small
number. These shortcomings provide an opportunity
for a sophisticated thief to create a device that ‘grabs’
a transmission and retransmits it later, or a device that
quickly ‘scans’ all possible identification codes until the
correct one is found.
The HCS201, on the other hand, employs the K
EE
L
OQ
code hopping technology coupled with a transmission
length of 66 bits to virtually eliminate the use of code
‘grabbing’ or code ‘scanning’. The high security level of
the HCS201 is based on the patented K
EE
L
OQ
technol-
ogy. A block cipher based on a block length of 32 bits
and a key length of 64 bits is used. The algorithm
obscures the information in such a way that even if the
transmission information (before coding) differs by only
one bit from that of the previous transmission, the next
1.0
SYSTEM OVERVIEW
Key Terms
The following is a list of key terms used throughout this
data sheet. For additional information on K
EE
L
OQ
and
Code Hopping, refer to Technical Brief 3 (TB003).
•
RKE
- Remote Keyless Entry
•
Button Status
- Indicates what button input(s)
activated the transmission. Encompasses the 4
button status bits S3, S2, S1 and S0 (Figure 4-2).
•
Code Hopping
- A method by which a code,
viewed externally to the system, appears to
change unpredictably each time it is transmitted.
•
Code word
- A block of data that is repeatedly
transmitted upon button activation (Figure 4-1).
•
Transmission
- A data stream consisting of
repeating code words (Figure 8-1).
•
Crypt key
- A unique and secret 64-bit number
used to encrypt and decrypt data. In a symmetri-
cal block cipher such as the K
EE
L
OQ
algorithm,
the encryption and decryption keys are equal and
will therefore be referred to generally as the crypt
key.
•
Encoder
- A device that generates and encodes
data.
•
Encryption Algorithm
- A recipe whereby data is
scrambled using a crypt key. The data can only be
interpreted by the respective decryption algorithm
using the same crypt key.
•
Decoder
- A device that decodes data received
from an encoder.
•
Decryption algorithm
- A recipe whereby data
scrambled by an encryption algorithm can be
unscrambled using the same crypt key.
DS41098C-page 2
©
2001 Microchip Technology Inc.
HCS201
coded transmission will be completely different. Statis-
tically, if only one bit in the 32-bit string of information
changes, greater than 50 percent of the coded trans-
mission bits will change.
As indicated in the block diagram on page one, the
HCS201 has a small EEPROM array which must be
loaded with several parameters before use; most often
programmed by the manufacturer at the time of produc-
tion. The most important of these are:
• A 28-bit serial number, typically unique for every
encoder
• A crypt key
• An initial 16-bit synchronization value
• A 16-bit configuration value
The crypt key generation typically inputs the transmitter
serial number and 64-bit manufacturer’s code into the
key generation algorithm (Figure 1-2). The manufac-
turer’s code is chosen by the system manufacturer and
must be carefully controlled as it is a pivotal part of the
overall system security.
FIGURE 1-1:
Production
Programmer
CREATION AND STORAGE OF CRYPT KEY DURING PRODUCTION
HCS201
EEPROM Array
Serial Number
Crypt Key
Sync Counter
Transmitter
Serial Number
Manufacturer’s
Code
Key
Generation
Algorithm
Crypt
Key
.
.
.
The 16-bit synchronization counter is the basis behind
the transmitted code word changing for each transmis-
sion; it increments each time a button is pressed. Due
to the code hopping algorithm’s complexity, each incre-
ment of the synchronization value results in greater
than 50% of the bits changing in the transmitted code
word.
Figure 1-2 shows how the key values in EEPROM are
used in the encoder. Once the encoder detects a button
press, it reads the button inputs and updates the syn-
chronization counter. The synchronization counter and
crypt key are input to the encryption algorithm and the
output is 32 bits of encrypted information. This data will
change with every button press, its value appearing
externally to ‘randomly hop around’, hence it is referred
to as the hopping portion of the code word. The 32-bit
hopping code is combined with the button information
and serial number to form the code word transmitted to
the receiver. The code word format is explained in
greater detail in Section 4.0.
A receiver may use any type of controller as a decoder,
but it is typically a microcontroller with compatible firm-
ware that allows the decoder to operate in conjunction
with an HCS201 based transmitter. Section 7.0
provides detail on integrating the HCS201 into a sys-
tem.
A transmitter must first be ‘learned’ by the receiver
before its use is allowed in the system. Learning
includes calculating the transmitter’s appropriate crypt
key, decrypting the received hopping code and storing
the serial number, synchronization counter value and
crypt key in EEPROM.
In normal operation, each received message of valid
format is evaluated. The serial number is used to deter-
mine if it is from a learned transmitter. If from a learned
transmitter, the message is decrypted and the synchro-
nization counter is verified. Finally, the button status is
checked to see what operation is requested. Figure 1-3
shows the relationship between some of the values
stored by the receiver and the values received from
the transmitter.
©
2001 Microchip Technology Inc.
DS41098C-page 3
HCS201
FIGURE 1-2:
EEPROM Array
Crypt Key
Sync Counter
Serial Number
BUILDING THE TRANSMITTED CODE WORD (ENCODER)
K
EE
L
OQ
Encryption
Algorithm
Button Press
Information
Serial Number
32 Bits
Encrypted Data
Transmitted Information
FIGURE 1-3:
BASIC OPERATION OF RECEIVER (DECODER)
1 Received Information
EEPROM Array
Button Press
Information
Serial Number
32 Bits of
Encrypted Data
Manufacturer Code
2
Check for
Match
Serial Number
Sync Counter
Crypt Key
3
K
EE
L
OQ
Decryption
Algorithm
Decrypted
Synchronization
Counter
Perform Function
5 Indicated by
button press
4
Check for
Match
NOTE:
Circled numbers indicate the order of execution.
DS41098C-page 4
©
2001 Microchip Technology Inc.
HCS201
2.0
ENCODER OPERATION
TABLE 2-1:
Pin
Pin
Name Number
S0
S1
S2
V
DDB
V
SS
B0
B1
S0
S1
S2
V
DDB
V
DD
STEP
DATA
V
SS
Tx out
PIN DESCRIPTIONS
Pin Description
Switch input 0
Switch input 1
Switch input 2 / Clock pin for
Programming mode
Battery input pin, supplies power
to the step up control circuitry
Ground reference connection
Pulse Width Modulation (PWM)
output pin / Data pin for
Programming mode
Step up regulator switch control
Positive supply voltage
As shown in the typical application circuits (Figure 2-1),
the HCS201 is a simple device to use. It requires only
the addition of buttons and RF circuitry for use as the
transmitter in your security application. A description of
each pin is given in Table 2-1.
1
2
3
4
5
6
FIGURE 2-1:
V
DD
TYPICAL CIRCUITS
DATA
STEP
V
DD
7
8
Two button remote control
V
DD
B3 B2 B1 B0
S0
S1
S2
V
DDB
V
DD
STEP
DATA
V
SS
Tx out
The HCS201 will wake-up upon detecting a button
press and delay approximately 10 ms for button
debounce (Figure 2-2). The synchronization counter,
discrimination value and button information will be
encrypted to form the hopping code. The hopping code
portion will change every transmission, even if the
same button is pushed again. A code word that has
been transmitted will not repeat for more than 64K
transmissions. This provides more than 18 years of use
before a code is repeated; based on 10 operations per
day. Overflow information sent from the encoder can be
used to extend the number of unique transmissions to
more than 192K.
If in the transmit process it is detected that a new but-
ton(s) has been pressed, a RESET will immediately
occur and the current code word will not be completed.
Please note that buttons removed will not have any
effect on the code word unless no buttons remain
pressed; in which case the code word will be completed
and the power-down will occur.
Four button remote control
V
DD
L
D
S0
S1
S2
V
DDB
2.0-6.0V
Three button remote control with Step up regulator
External components sample values:
R = 5.1 KΩ
C = 1.0 uF
L = 390 uH
Q = 2N3904
D = ZHCS400CT (40V 0.4A Zetex)
V
DD
R
STEP
DATA
V
SS
Tx out
Q
C
(see Section 5.6 for a description of the Step Up circuit)
Note:
Up to 7 functions can be implemented by pressing
more than one button simultaneously or by using a
suitable diode array.
©
2001 Microchip Technology Inc.
DS41098C-page 5
京公网安备 11010802033920号
Copyright © 2005-2026 EEWORLD.com.cn, Inc. All rights reserved
电子工程世界
