1996 Microchip Technology Inc.
Preliminary
DS21137D-page 1
FEATURES
Security
Programmable 28-bit serial number
Programmable 64-bit encryption key
Each transmission is unique
66-bit transmission code length
32-bit hopping code
34-bit fixed code (28-bit serial number,
4-bit button code, 2-bit status)
Encryption keys are read protected
Operating
2.0--6.3V operation
Four button inputs
- No additional circuitry required
- 15 functions available
Selectable baud rate
Automatic code word completion
Battery low signal transmitted to receiver
Non-volatile synchronization data
Other
Easy to use programming interface
On-chip EEPROM
On-chip oscillator and timing components
Button inputs have internal pulldown resistors
Current limiting on LED output
Minimum component count
Synchronous transmission mode
Typical Applications
The HCS300 is ideal for Remote Keyless Entry (RKE)
applications. These applications include:
Automotive RKE systems
Automotive alarm systems
Automotive immobilizers
Gate and garage door openers
Identity tokens
Burglar alarm systems
DESCRIPTION
The HCS300, from Microchip Technology Inc., is a code
hopping encoder designed for secure Remote Keyless
Entry (RKE) systems. The HCS300 utilizes the K
EE
L
OQ
code hopping technology, which incorporates high secu-
rity, a small package outline and low cost, to make this
device a perfect solution for unidirectional remote key-
less entry systems and access control systems.
PACKAGE TYPES
HCS300 BLOCK DIAGRAM
The HCS300 combines a 32-bit hopping code
generated by a non-linear encryption algorithm, with a
28-bit serial number and six status bits to create a
66-bit transmission stream. The length of the
transmission eliminates the threat of code scanning
and the code hopping mechanism makes each
transmission unique, thus rendering code capture and
resend (code grabbing) schemes useless.
The encryption key, serial number, and configuration
data are stored in EEPROM which is not accessible via
any external connection. This makes the HCS300 a
very secure unit. The HCS300 provides an easy to use
serial interface for programming the necessary security
keys, system parameters, and configuration data.
The encyrption keys and code combinations are pro-
grammable but read-protected. The keys can only be
verified after an automatic erase and programming
operation. This protects against attempts to gain
access to keys and manipulate synchronization values.
1
2
3
4
8
7
6
5
S0
S1
S2
S3
V
DD
LED
PWM
V
SS
PDIP, SOIC
HCS300
V
SS
V
DD
Oscillator
Reset circuit
LED driver
Controller
Power
latching
and
switching
Button input port
32-bit shift register
Encoder
EEPROM
PWM
LED
S
3
S
2
S
1
S
0
HCS300
Code Hopping Encoder*
KeeLoq is a trademark of Microchip Technology Inc.
*Code hopping encoder patents allowed and pending.
This document was created with FrameMaker 4 0 4
HCS300
DS21137D-page 2
Preliminary
1996 Microchip Technology Inc.
The HCS300 operates over a wide voltage range of
2.0V to 6.3V and has four button inputs in an 8-pin
configuration. This allows the system designer the
freedom to utilize up to 15 functions. The only
components required for device operation are the but-
tons and RF circuitry, allowing a very low system cost.
1.0
SYSTEM OVERVIEW
Key Terms
Manufacturer's code - a 64-bit word, unique to
each manufacturer, used to produce a unique
encryption key in each transmitter (encoder).
Encryption Key - a unique 64-bit key generated
and programmed into the encoder during the
manufacturing process. The encryption key
controls the encryption algorithm and is stored in
EEPROM on the encoder device.
1.1
Learn
The HCS product family facilitates several learn strate-
gies to be implemented on the decoder. The following
are examples of what can be done. It must be pointed
out that their exists some third-party patents on learn-
ing strategies and implementation.
1.1.1
NORMAL LEARN
The receiver uses the same information that is transmit-
ted during normal operation to derive the transmitter's
secret key, decrypt the discrimination value and the
synchronization counter.
1.1.2
SECURE LEARN*
The transmitter is activated through a special button
combination to transmit a stored 48-bit value (random
seed) that can be used for key generation or be part of
the key. Transmission of the random seed can be dis-
abled after learning is completed.
The HCS300 is a code hopping encoder device that is
designed specifically for keyless entry systems,
primarily for vehicles and home garage door openers. It
is meant to be a cost-effective, yet secure solution to
such systems. The encoder portion of a keyless entry
system is meant to be held by the user and operated to
gain access to a vehicle or restricted area. The
HCS300 requires very few external components
(Figure 2-1).
Most keyless entry systems transmit the same code
from a transmitter every time a button is pushed. The
relative number of code combinations for a low end sys-
tem is also a relatively small number. These
shortcomings provide the means for a sophisticated
thief to create a device that `grabs' a transmission and
re-transmits it later or a device that scans all possible
combinations until the correct one is found.
The HCS300 employs the K
EE
L
OQ
code hopping tech-
nology and an encryption algorithm to achieve a high
level of security. Code hopping is a method by which
the code transmitted from the transmitter to the receiver
is different every time a button is pushed. This method,
coupled with a transmission length of 66 bits, virtually
eliminates the use of code `grabbing' or code
`scanning'.
As indicated in the block diagram on page one, the
HCS300 has a small EEPROM array which must be
loaded with several parameters before use. The most
important of these values are:
A 28-bit serial number which is meant to be
unique for every encoder
An encryption key that is generated at the time of
production
A 16-bit synchronization value
The serial number for each transmitter is programmed
by the manufacturer at the time of production. The
generation of the encryption key is done using a key
generation algorithm (Figure 1-1). Typically, inputs to
the key generation algorithm are the serial number of
the transmitter and a 64-bit manufacturer's code. The
manufacturer's code is chosen by the system
manufacturer and must be carefully controlled. The
manufacturer's code is a pivotal part of the overall
system security.
FIGURE 1-1:
CREATION AND STORAGE OF ENCRYPTION KEY DURING PRODUCTION
Transmitter
Manufacturer's
Serial Number or
Code
Encryption
Key
Key
Generation
Algorithm
Serial Number
Encryption Key
Sync Counter
.
.
.
HCS300 EEPROM Array
Seed
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 3
HCS300
The 16-bit synchronization value is the basis for the
transmitted code changing for each transmission, and
is updated each time a button is pressed. Because of
the complexity of the code hopping encryption algo-
rithm, a change in one bit of the synchronization value
will result in a large change in the actual transmitted
code. There is a relationship (Figure 1-2) between the
key values in EEPROM and how they are used in the
encoder. Once the encoder detects that a button has
been pressed, the encoder reads the button and
updates the synchronization counter. The synchroniza-
tion value is then combined with the encryption key in
the encryption algorithm and the output is 32 bits of
encrypted information. This data will change with every
button press, hence, it is referred to as the hopping
portion of the code word. The 32-bit hopping code is
combined with the button information and the serial
number to form the code word transmitted to the
receiver. The code word format is explained in detail
in Section 4.2.
Any type of controller may be used as a receiver, but it
is typically a microcontroller with compatible firmware
that allows the receiver to operate in conjunction with a
transmitter, based on the HCS300. Section
7.0
provides more detail on integrating the HCS300 into a
total system.
Before a transmitter can be used with a particular
receiver, the transmitter must be `learned' by the
receiver. Upon learning a transmitter, information is
stored by the receiver so that it may track the
transmitter, including the serial number of the
transmitter, the current synchronization value for that
transmitter and the same encryption key that is used on
the transmitter. If a receiver receives a message of valid
format, the serial number is checked and, if it is from a
learned transmitter, the message is decrypted and the
decrypted synchronization counter is checked against
what is stored. If the synchronization value is verified,
then the button status is checked to see what operation
is needed. Figure 1-3 shows the relationship between
some of the values stored by the receiver and the val-
ues received from the transmitter.
FIGURE 1-2:
BASIC OPERATION OF TRANSMITTER (ENCODER)
FIGURE 1-3:
BASIC OPERATION OF RECEIVER (DECODER)
K
EE
L
OQ
Algorithm
Button Press
Information
Encryption
EEPROM Array
32 Bits of
Encrypted Data
Serial Number
Transmitted Information
Encryption Key
Sync Counter
Serial Number
Button Press
Information
EEPROM Array
Encryption Key
32 Bits of
Encrypted Data
Serial Number
Received Information
Decrypted
Synchronization
Counter
Check for
Match
Check for
Match
K
EE
L
OQ
Algorithm
Decryption
Sync Counter
Serial Number
Manufacturer Code
HCS300
DS21137D-page 4
Preliminary
1996 Microchip Technology Inc.
2.0
DEVICE OPERATION
As shown in the typical application circuits (Figure 2-1),
the HCS300 is a simple device to use. It requires only
the addition of buttons and RF circuitry for use as the
transmitter in your security application. A description of
each pin is described in Table 2-1.
FIGURE 2-1:
TYPICAL CIRCUITS
V
DD
B0
Tx out
S0
S1
S2
S3
LED
V
DD
PWM
V
SS
2 button remote control
B1
V
DD
Tx out
S0
S1
S2
S3
LED
V
DD
PWM
V
SS
5 button remote control (Note)
B4 B3 B2 B1 B0
Note:
Up to 15 functions can be implemented by
pressing more than one button simulta-
neously or by using a suitable diode array.
TABLE 2-1:
PIN DESCRIPTIONS
The high security level of the HCS300 is based on the
patented K
EE
L
OQ
technology. A block cipher type of
encryption algorithm based on a block length of 32 bits
and a key length of 64 bits is used. The algorithm
obscures the information in such a way that even if the
transmission information (before coding) differs by only
one bit from the information in the previous transmis-
sion, the next coded transmission will be totally differ-
ent. Statistically, if only one bit in the 32-bit string of
information changes, approximately 50 percent of the
coded transmission will change. The HCS300 will wake
up upon detecting a switch closure and then delay
approximately 10 ms for switch debounce (Figure 2-2).
The synchronized information, fixed information, and
switch information will be encrypted to form the hopping
code. The encrypted or hopping code portion of the
transmission will change every time a button is
pressed, even if the same button is pushed again.
Keeping a button pressed for a long time will result in
the same code word being transmitted until the button
is released or timeout occurs. A code that has been
transmitted will not occur again for more than 64K
transmissions. This will provide more than 18 years of
typical use before a code is repeated based on 10 oper-
ations per day. Overflow information programmed into
the encoder can be used by the decoder to extend the
number of unique transmissions to more than 192K.
If in the transmit process it is detected that a new but-
ton(s) has been pressed, a reset will immediately be
forced and the code word will not be completed. Please
note that buttons removed will not have any effect on
the code word unless no buttons remain pressed in
which case the ccurrent code word will be completed
and the power down will occur.
Name
Pin
Number
Description
S0
1
Switch input 0
S1
2
Switch input 1
S2
3
Switch input 2/Can also be clock
pin when in programming mode
S3
4
Switch input 3/Clock pin when in
programming mode
V
SS
5
Ground reference connection
PWM
6
Pulse width modulation (PWM)
output pin/Data pin for
programming mode
LED
7
Cathode connection for directly
driving LED during transmission
V
DD
8
Positive supply voltage
connection
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 5
HCS300
FIGURE 2-2:
ENCODER OPERATION
Power Up
Reset and Debounce Delay
(10 ms)
Sample Inputs
Update Sync Info
Encrypt With
Load Transmit Register
Buttons
Added
?
All
Buttons
Released
?
(A button has been pressed)
Transmit
Stop
No
Yes
No
Yes
Encryption Key
Complete Code
Word Transmission
3.0
EEPROM MEMORY
ORGANIZATION
The HCS300 contains 192 bits (12 x 16-bit words) of
EEPROM memory (Table 3-1). This EEPROM array is
used to store the encryption key information,
synchronization value, etc. Further descriptions of the
memory array is given in the following sections.
TABLE 3-1:
EEPROM MEMORY MAP
3.1
Key_0 - Key_3 (64-Bit Encryption Key)
The 64-bit encryption key is used by the transmitter to
create the encrypted message transmitted to the
receiver. This key is created and programmed at the
time of production using a key generation algorithm.
Inputs to the key generation algorithm are the serial
number for the particular transmitter being used and a
secret manufacturer's code. While the key generation
algorithm supplied from Microchip is the typical method
used, a user may elect to create their own method of
key generation. This may be done providing that the
decoder is programmed with the same means of creat-
ing the key for decryption purposes. If a seed is used,
the seed will also form part of the input to the key gen-
eration algorithm.
WORD
ADDRESS
MNEMONIC
DESCRIPTION
0
KEY_0
64-bit encryption key
(word 0)
1
KEY_1
64-bit encryption key
(word 1)
2
KEY_2
64-bit encryption key
(word 2)
3
KEY_3
64-bit encryption key
(word 3)
4
SYNC
16-bit synchronization
value
5
RESERVED
Set to 0000H
6
SER_0
Device Serial Number
(word 0)
7
SER_1(Note) Device Serial Number
(word 1)
8
SEED_0
Seed Value (word 0)
9
SEED_1
Seed Value (word 1)
10
EN_KEY
16-bit Envelope Key
11
CONFIG
Config Word
Note:
The MSB of the serial number contains a bit
used to select the auto shutoff timer.
HCS300
DS21137D-page 6
Preliminary
1996 Microchip Technology Inc.
3.2
SYNC (Synchronization Counter)
This is the 16-bit synchronization value that is used to
create the hopping code for transmission. This value
will be changed after every transmission.
3.3
SER_0, SER_1 (Encoder Serial
Number)
SER_0 and SER_1 are the lower and upper words of
the device serial number, respectively. Although there
are 32 bits allocated for the serial number, only the
lower order 28 bits are transmitted. The serial number
is meant to be unique for every transmitter. The most
significant bit of the serial number (Bit 31) is used to
turn the auto shutoff timer on or off.
3.3.1
AUTO SHUTOFF TIMER SELECT
The most significant bit of the serial number (Bit 31) is
used to turn the Auto shutoff timer on or off. This timer
prevents the transmitter from draining the battery
should a button get stuck in the on position for a long
period of time. The time period is approximately
25 seconds, after which the device will go to the
Time-out mode. When in the Time-out mode, the
device will stop transmitting, although since some
circuits within the device are still active, the current
draw within the Shutoff mode will be more than
Standby mode. If the most significant bit in the serial
number is a one, then the auto shutoff timer is enabled,
and a zero in the most significant bit will disable the
timer. The length of the timer is not selectable.
3.4
SEED_0, SEED_1 (Seed Word)
This is the two word (32 bits) seed code that will be
transmitted when all four buttons are pressed at the same
time. This allows the system designer to implement the
secure learn feature or use this fixed code word as part of
a different key generation/tracking process or purely as a
fixed code transmission.
3.5
EN_Key (Envelope Encryption Key)
Envelope encryption is a selectable option that
encrypts the portion of the transmission that contains
the transmitter serial number. Selecting this option is
done by setting the appropriate bit in the configuration
word (Table
3-2). Normally, the serial number is
transmitted in the clear (un-encrypted), but for an
added level of security, the system designer may elect
to implement this option. The envelope encryption key
is used to encrypt the serial number portion of the
transmission, if the envelope encryption option has
been selected. The envelope encryption algorithm is a
different algorithm than the key generation or transmit
encryption algorithm. The EN_key is typically a random
number and the same for all transmitters in a system.
3.6
Configuration Word
The configuration word is a 16-bit word stored in
EEPROM array that is used by the device to store
information used during the encryption process, as well
as the status of option configurations. Further
explanations of each of the bits are described in the
following sections.
TABLE 3-2:
CONFIGURATION WORD
3.6.1
DISCRIMINATION VALUE
(DISC0 TO DISC9)
The discrimination value can be programmed with any
value to serve as a post decryption check on the
decoder end. In a typical system, this will be
programmed with the 10 least significant bits of the
serial number, which will also be stored by the receiver
system after a transmitter has been learned. The
discrimination bits are part of the information that is to
form the encrypted portion of the transmission. After
the receiver has decrypted a transmission, the
discrimination bits can be checked against the stored
value to verify that the decryption process was valid.
3.6.2
OVERFLOW BITS (OVR0 AND OVR1)
The overflow bits are used to extend the number of pos-
sible synchronization values. The synchronization
counter is 16 bits in length, yielding 65,536 values
before the cycle repeats. Under typical use of
10 operations a day, this will provide nearly 18 years of
use before a repeated value will be used. Should the
system designer conclude that is not adequate, then
the overflow bits can be utilized to extend the number of
unique values. This can be done by programming
OVR0 and OVR1 to 1s at the time of production. The
encoder will automatically clear OVR0 the first time that
the synchronization value wraps from 0xFFFF to
0x0000 and clear OVR1 the second time the counter
wraps. Once cleared, OVR0 and OVR1 cannot be set
Bit Number
Bit Description
0
Discrimination Bit 0
1
Discrimination Bit 1
2
Discrimination Bit 2
3
Discrimination Bit 3
4
Discrimination Bit 4
5
Discrimination Bit 5
6
Discrimination Bit 6
7
Discrimination Bit 7
8
Discrimination Bit 8
9
Discrimination Bit 9
10
Overflow Bit 0 (OVR0)
11
Overflow Bit 1 (OVR1)
12
Low Voltage Trip Point Select
13
Baudrate Select Bit 0 (BSL0)
14
Baudrate Select Bit 1 (BSL1)
15
Envelope Encryption Select (EENC)
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 7
HCS300
again, thereby creating a permanent record of the
counter overflow. This prevents fast cycling of 64K
counter. If the decoder system is programmed to track
the overflow bits, then the effective number of unique
synchronization values can be extended to 196,608. If
programmed to zero, the system will be compatible with
the NTQ104/5/6 devices (i.e., no overflow with discrim-
ination bits set to zero).
3.6.3
ENVELOPE ENCRYPTION (EENC)
If the EENC bit is set to a 1, the 32-bit fixed code part
of the transmission will also be encrypted so that it will
appear to be random. The 16-bit envelope key and
envelope algorithm will be used for encryption.
3.6.4
BAUDRATE SELECT BITS (BSL0, BSL1)
BSL0 and BSL1 select the speed of transmission and
the code word blanking. Table 3-3 shows how the bits
are used to select the different baud rates and
Section 5.2 provides detailed explanation in code word
blanking.
TABLE 3-3:
BAUDRATE SELECT
3.6.5
LOW VOLTAGE TRIP POINT SELECT
The low voltage trip point select bit is used to tell the
HCS300 what V
DD
level is being used. This information
will be used by the device to determine when to send
the voltage low signal to the receiver. When this bit is
set to a one, the V
DD
level is assumed to be operating
from a 5 volt or 6 volt V
DD
level. If the bit is set low, then
the V
DD
level is assumed to be 3.0 volts. Refer to
Figure 3-1 for voltage trip point.Vlow is tested at 6.3V at
-25
C and +85
C and 2.0V at -25
C and +85
C
FIGURE 3-1:
TYPICAL VOLTAGE TRIP
POINTS
BSL1
BSL0
Basic Pulse
Element
Code Words
Transmitted
0
0
400
s
All
0
1
200
s
1 out of 2
1
0
100
s
1 out of 2
1
1
100
s
1 out of 4
-40
0
50
85
2.0
1.6
1.8
1.4
2.2
2.4
2.6
3.6
3.8
4.0
4.2
V
LOW
Temp (C)
Volts (V)
V
LOW
sel = 0
V
LOW
sel = 1
4.0
TRANSMITTED WORD
4.1
Transmission Format (PWM)
The HCS300 transmission is made up of several parts
(Figure
4-1). Each transmission is begun with a
preamble and a header, followed by the encrypted and
then the fixed data. The actual data is 66 bits which
consists of 32 bits of encrypted data and 34 bits of fixed
data. Each transmission is followed by a guard period
before another transmission can begin. Refer to
Table 8-4 for transmission timing requirements. The
encrypted portion provides up to four billion changing
code combinations and includes the button status bits
(based on which buttons were activated) along with the
synchronization counter value and some discrimination
bits. The fixed portion is comprised of the status bits,
the function bits and the 28-bit serial number. The fixed
and encrypted sections combined increase the number
of combinations to 7.38 x 10
19
.
4.2
Synchronous Transmission Mode
Synchronous transmission mode can be used to clock
the code word out using an external clock.
To enter synchronous transmission mode, the program-
ming mode start-up sequence must be executed as
shown in Figure 4-3. If either S1 or S0 is set on the fall-
ing edge of S2 (or S3), the device enters synchronous
transmission mode. In this mode, it functions as a nor-
mal transmitter, with the exception that the timing of the
PWM data string is controlled externally and that 16
extra bits are transmitted at the end with he code word.
The button code will be the S0, S1 value at the falling
edge S2 or S3. The timing of the PWM data string is
controlled by supplying a clock on S2 or S3 and should
not exceed 20 KHz. The code word is the same as in
PWM mode with 16 reserved bits at the end of the
word. The reserved bits can be ignored. When in syn-
chronous transmission mode S2 or S3 should not be
toggled until all internal processing has been com-
pleted as shown in Figure 4-4.
4.3
Code Word Organization
The HCS300 transmits a 66-bit code word when a but-
ton is pressed. The 66-bit word is constructed from a
Fixed Code portion and an Encrypted Code portion
(Figure 4-2).
The
Encrypted Data
is generated from four button bits,
two overflow counter bits, ten discrimination bits, and
the 16-bit synchronization value (Figure 8-4).
The
Fixed Code Data
is made up from two status bits,
four button bits, and the 28-bit serial number. The four
button bits and the 28-bit serial number may be
encrypted with the Envelope Key if the envelope
encryption is enabled by the user.
HCS300
DS21137D-page 8
Preliminary
1996 Microchip Technology Inc.
FIGURE 4-1:
CODE WORD TRANSMISSION FORMAT
FIGURE 4-2:
CODE WORD ORGANIZATION
FIGURE 4-3:
SYNCHRONOUS TRANSMISSION MODE
FIGURE 4-4:
TRANSMISSION WORD FORMAT DURING SYNCHRONOUS TRANSMISSION MODE
LOGIC `0'
LOGIC `1'
Bit
Period
Preamble
Header
Encrypted Portion
of Transmission
Fixed Portion of
Transmission
Guard
Time
T
P
T
H
T
HOP
T
FIX
T
G
16-bit
Discrimination
bits
(10 bits)
Overflow
bits
(2 bits)
Button
Status
(4 bits)
Transmission Direction
32 bits of Encrypted Data
Encrypted using
B
LOCK
C
IPHER
Algorithm
Encrypted Code Data
Sync Value
28-bit Serial Number
Button
Status
(4 bits)
+
+
VLOW and
Repeat Status
(2 bits)
Serial Number and Button
2 bits
of Status
Fixed Code Data
Status (32 bits)
t = 50 ms
"01,10,11"
PWM
S2(S3)
S[1:0]
16
2
4
28
16
16
Transmission Direction
Reserved
Padding
Button
Code
Serial Number
Data Word
Sync Counter
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 9
HCS300
5.0
SPECIAL FEATURES
5.1
Code Word Completion
Code word completion is an automatic feature that
makes sure that the entire code word is transmitted,
even if the button is released before the transmission is
complete. The HCS300 encoder powers itself up when
a button is pushed and powers itself down after the
command is finished, if the user has already released
the button. If the button is held down beyond the time
for one transmission, then multiple transmissions will
result. If another button is activated during a
transmission, the active transmission will be aborted
and the new code will be generated using the new
button information.
5.2
Blank Alternate Code Word
Federal Communications Commission (FCC) part 15
rules specify the limits on fundamental power and
harmonics that can be transmitted. Power is calculated
on the worst case average power transmitted in a
100ms window. It is therefore advantageous to
minimize the duty cycle of the transmitted word. This
can be achieved by minimizing the duty cycle of the
individual bits and by blanking out consecutive words.
Blank Alternate Code Word (BACW) is used for
reducing the average power of a transmission
(Figure
5-1). This is a selectable feature that is
determined in conjunction with the baudrate selection
bits BSL0 and BSL1. Using the BACW allows the user
to transmit a higher amplitude transmission if the
transmission length is shorter. The FCC puts
constraints on the average power that can be
transmitted by a device, and BACW effectively prevents
continuous transmission by only allowing the transmis-
sion of every second or every fourth code word. This
reduces the average power transmitted and hence,
assists in FCC approval of a transmitter device.
5.3
Envelope Encryption Option
Envelope Encryption is a user selectable option which
is meant to offer a higher level of security for a code
hopping system. During a normal transmission with the
envelope encryption turned off, the 28-bit serial number
is transmitted in the clear (unencrypted). If envelope
encryption is selected, then the serial number is also
encrypted before transmission. The encryption for the
serial number is done using a different algorithm than
the transmission algorithm. The envelope encryption
scheme is not nearly as complex as the KeeLoq algo-
rithm and, hence, not as secure. When the envelope
encryption is used, the serial number must be
decrypted using the envelope key and envelope
decryption. After the serial number is obtained, the nor-
mal decryption method can be used to decrypt the hop-
ping code. All transmitters in a system must use the
same envelope key.
5.4
Secure Learn
In order to increase the level of security in a system, it is
possible for the receiver to implement what is known as
a secure learn function. This can be done by utilizing the
seed value on the HCS300 which is stored in EEPROM
and can only be transmitted when all four button inputs
are pressed at the same time (Table 5-1). Instead of the
normal key generation method being used to create the
encryption key, this seed value is used and there need
not be any mathematical relationship between serial
numbers and seeds.
TABLE 5-1:
PIN ACTIVATION TABLE
5.5
Auto-shutoff
The Auto-shutoff function automatically stops the
device from transmitting if a button inadvertently gets
pressed for a long period of time. This will prevent the
device from draining the battery if a button gets pressed
while the transmitter is in a pocket or purse. This func-
tion can be enabled or disabled and is selected by set-
ting or clearing the Auto-shutoff bit (see Section 3.3.1).
Setting this bit high will enable the function (turn
Auto-shutoff function on) and setting the bit low will dis-
able the function. Time-out period is approximately 25
seconds.
S3
S2
S1
S0
Notes
1
0
0
0
1
1
2
0
0
1
0
1
3
0
0
1
1
1
4
0
1
0
0
1
5
0
1
0
1
1
6
0
1
1
0
1
7
0
1
1
1
1
8
1
0
0
0
1
9
1
0
0
1
1
10
1
0
1
0
1
11
1
0
1
1
1
12
1
1 0
0
1
13
1
1
0
1
1
14
1
1
1
0
1
15
1
1
1
1
2
Note 1: Transmit generated 32-bit code hopping
word.
2: Transmit 32-bit seed value.
HCS300
DS21137D-page 10
Preliminary
1996 Microchip Technology Inc.
FIGURE 5-1:
BLANK ALTERNATE CODE WORD (BACW)
One Code Word
BACW Disabled
(All words transmitted)
BACW Enabled
(1 out of 2 transmitted)
BACW Enabled
(1 out of 4 transmitted)
A
2A
4A
100ms
100ms
100ms
100ms
Amplitude
Time
5.6
VLOW: Voltage LOW Indicator
The VLOW bit is transmitted with every transmission
(Figure 8-4) and will be transmitted as a one if the
operating voltage has dropped below the low voltage
trip point. The trip point is selectable between two
values, based on the battery voltage being used. See
Section 3.6.5 for a description of how the low voltage
select option is set. This VLOW signal is transmitted so
the receiver can give an audible signal to the user that
the transmitter battery is low (Section 5.8).
5.7
RPT: Repeat Indicator
This bit will be low for the first transmitted word. If a
button is held down for more than one transmitted code
word, this bit will be set to indicate a repeated code
word and remain set until the button is released
(Figure 8-4).
5.8
LED Output Operation
During normal transmission the LED output is LOW. If
the supply voltage drops below the low voltage trip
point, the LED output will be toggled at approximately
5Hz during the transmission (Section 3.6.5).
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 11
HCS300
6.0
PROGRAMMING THE HCS300
When using the HCS300 in a system, the user will have
to program some parameters into the device including
the serial number and the secret key before it can be
used. The programming cycle allows the user to input
all 192 bits in a serial data stream, which are then
stored internally in EEPROM. Programming will be
initiated by forcing the PWM line high, after the S3 line
has been held high for the appropriate length of time
line (Table 6-1 and Figure 6-1). After the program mode
is entered, a delay must be provided to the device for
the automatic bulk write cycle to complete. This will
write all locations in the EEPROM to an all zeros pat-
tern. The device can then be programmed by clocking
in 16 bits at a time, using S3 as the clock line and PWM
as the data in line. After each 16-bit word is loaded, a
programming delay is required for the internal program
cycle to complete. This delay can take up to Twc. At the
end of the programming cycle, the device can be veri-
fied (Figure 6-2) by reading back the EEPROM. Read-
ing is done by clocking the S3 line and reading the data
bits on PWM. For security reasons, it is not possible to
execute a verify function without first programming the
EEPROM. A verify operation can only be done
once, immediately following the program cycle.
Note:
To ensure that the device does not acci-
dentally enter programming mode, PWM
should never be pulled high by the circuit
connected to it. Special care should be
taken when driving PNP RF transistors.
FIGURE 6-1:
PROGRAMMING WAVEFORMS
FIGURE 6-2:
VERIFY WAVEFORMS
PWM
Enter Program
Mode
(Data)
(Clock)
Note 1: Unused button inputs to be held to ground during the entire programming sequence.
Bit 0
Bit 1
Bit 2
Bit 3
Bit 14
Bit 15
Bit 16
Bit 17
T
PH
1
T
PBW
T
PS
Repeat 12 times for each word
T
PH
2
T
CLKH
T
CLKL
T
WC
T
DS
S3
Data for Word 0 (KEY_0)
Data for Word 1
T
DH
Note 2: The V
DD
pin must be taken to ground after a program/verify cycle.
PWM
(Clock)
(Data)
Note: If a Verify operation is to be done, then it must immediately follow the Program cycle.
End of
Programming Cycle
Begin Verify Cycle Here
Bit 1 Bit 2
Bit 3
Bit 15
Bit 14
Bit 16 Bit 17
Bit190 Bit191
T
WC
Data in Word 0
T
DV
S3
Bit 0
Bit191
Bit190
HCS300
DS21137D-page 12
Preliminary
1996 Microchip Technology Inc.
TABLE 6-1:
PROGRAMMING/VERIFY TIMING REQUIREMENTS
V
DD
= 5.0V
10%
25
C
5
C
Parameter
Symbol
Min.
Max.
Units
Program mode setup time
T
PS
3.5
4.5
ms
Hold time 1
T
PH
1
3.5
--
ms
Hold time 2
T
PH
2
50
--
s
Bulk Write time
T
PBW
--
2.2
ms
Program delay time
T
PROG
--
2.2
ms
Program cycle time
T
WC
--
36
ms
Clock low time
T
CLKL
25
--
s
Clock high time
T
CLKH
25
--
s
Data setup time
T
DS
0
--
s
Data hold time
T
DH
18
--
s
Data out valid time
T
DV
10
24
s
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 13
HCS300
7.0
INTEGRATING THE HCS300
INTO A SYSTEM
Use of the HCS300 in a system requires a compatible
decoder. This decoder is typically a microcontroller with
compatible firmware. Microchip will provide (via a
license agreement) firmware routines that accept
transmissions from the HCS300 and decrypt the
hopping code portion of the data stream. These
routines provide system designers the means to
develop their own decoding system.
7.1
Learning a Transmitter to a Receiver
In order for a transmitter to be used with a decoder, the
transmitter must first be `learned'. Several learning
strategies can be followed in the decoder implementa-
tion. When a transmitter is learned to a decoder, it is
suggested that the decoder stores the serial number
and current synchronization value in EEPROM. The
decoder must keep track of these values for every
transmitter that is learned (Figure 7-1). The maximum
number of transmitters that can be learned is only a
function of how much EEPROM memory storage is
available. The decoder must also store the manufac-
turer's code in order to learn a transmission transmitter,
although this value will not change in a typical system
so it is usually stored as part of the microcontroller
ROM code. Storing the manufacturer's code as part of
the ROM code is also better for security reasons.
It must be stated that some learning strategies have
been patented and care must be taken not to infringe.
FIGURE 7-1:
TYPICAL LEARN SEQUENCE
Enter Learn
Mode
Wait for Reception
of a Valid Code
Generate Key
from Serial Number
Use Generated Key
to Decrypt
Compare Discrimination
Value with Fixed Value
Equal
Wait for Reception
of Second Valid Code
Compare Discrimination
Value with Fixed Value
Use Generated Key
to Decrypt
Equal
Counters
Encryption key
Serial number
Synchronization counter
Sequential
?
?
?
Exit
Learn successful Store:
Learn
Unsuccessful
No
No
No
Yes
Yes
Yes
HCS300
DS21137D-page 14
Preliminary
1996 Microchip Technology Inc.
7.2
Decoder Operation
In a typical decoder operation (Figure 7-2), the key gen-
eration on the decoder side is done by taking the serial
number from a transmission and combining that with
the manufacturer's code to create the same secret key
that was used by the transmitter. Once the secret key is
obtained, the rest of the transmission can be decrypted.
The decoder waits for a transmission and immediately
can check the serial number to determine if it is a
learned transmitter. If it is, it takes the encrypted portion
of the transmission and decrypts it using the stored key
It uses the discrimination bits to determine if the
decryption was valid. If everything up to this point is
valid, the synchronization value is evaluated.
FIGURE 7-2:
TYPICAL DECODER
OPERATION
?
Transmission
Received
Does
Serial Number
Match
?
Decrypt Transmission
Is
Decryption
Valid
?
Is
Counter
Within 16
?
Is
Counter
Within 32K
?
Update
Counter
Execute
Command
Save Counter
in Temp Location
Start
No
No
No
No
Yes
Yes
Yes
Yes
Yes
No
and
No
7.3
Synchronization with Decoder
The K
EE
L
OQ
technology features a sophisticated
synchronization technique (Figure 7-3) which does not
require the calculation and storage of future codes. If
the stored counter value for that particular transmitter
and the counter value that was just decrypted are within
a formatted window of say 16, the counter is stored and
the command is executed. If the counter value was not
within the single operation window, but is within the
double operation window of say 32K window, the trans-
mitted synchronization value is stored in temporary
location and it goes back to waiting for another trans-
mission. When the next valid transmission is received,
it will check the new value with the one in temporary
storage. If the two values are sequential, it is assumed
that the counter had just gotten out of the single opera-
tion `window', but is now back in sync, so the new syn-
chronization value is stored and the command
executed. If a transmitter has somehow gotten out of
the double operation window, the transmitter will not
work and must be re-learned. Since the entire window
rotates after each valid transmission, codes that have
been used are part of the `blocked' (32K) codes and are
no longer valid. This eliminates the possibility of grab-
bing a previous code and re-transmitting to gain entry.
FIGURE 7-3:
SYNCHRONIZATION WINDOW
Note:
The synchronization method described in
this section is only a typical implementation
and because it is usually implemented in
firmware, it can be altered to fit the needs
of a particular system
Blocked
Entire Window
rotates to eliminate
use of previously
used codes
Current
Position
(32K Codes)
Double
Operation
(32K Codes)
Single Operation
Window (16 Codes)
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 15
HCS300
8.0
ELECTRICAL CHARACTERISTICS
TABLE 8-1:
ABSOLUTE MAXIMUM RATINGS
TABLE 8-2:
DC CHARACTERISTICS
Symbol
Item
Rating
Units
V
DD
Supply voltage
-0.3 to 6.6
V
V
IN
Input voltage
-0.3 to V
DD
+ 0.3
V
V
OUT
Output voltage
-0.3 to V
DD
+ 0.3
V
I
OUT
Max output current
50
mA
T
STG
Storage temperature
-55 to +125
C (Note)
T
LSOL
Lead soldering temp
300
C (Note)
V
ESD
ESD rating
4000
V
Note:
Stresses above those listed under "ABSOLUTE MAXIMUM RATINGS" may cause permanent damage to
the device.
Commercial (C):
Tamb = 0
C to +70
C
Industrial
(I):
Tamb = -40
C to +85
C
2.0V < V
DD
< 3.0
3.0 < V
DD
< 6.3
Parameter
Sym.
Min
Typ
1
Max
Min
Typ
1
Max
Unit
Conditions
Operating cur-
rent (avg)
2
I
CC
0.2
0.5
0.7
1.4
mA
mA
V
DD
= 3.0V
V
DD
= 6.3V
Standby current
I
CCS
0.1
1.0
0.1
1.0
A
Auto-shutoff
current
3,4
I
CCS
40
75
160
650
A
High level Input
voltage
V
IH
0.55V
DD
V
DD
+0.3 0.55V
DD
V
DD
+0.3 V
Low level input
voltage
V
IL
-0.3
0.15V
DD
-0.3
0.15V
DD
V
High level output
voltage
V
OH
0.7V
DD
0.7V
DD
V
V
I
OH
= -1.0 mA V
DD
= 2.0V
I
OH
= -2.0 mA V
DD
= 6.3V
Low level output
voltage
V
OL
0.08V
DD
0.08V
DD
V
V
I
OL
= 1.0 mA V
DD
= 2.0V
I
OL
= 2.0 mA V
DD
= 6.3V
LED sink
current
5
I
LED
1.0
1.8
2.5
2.0
2.7
3.7
mA
mA
V
LED
6
= 1.5V V
DD
= 3.0V
V
LED
6
= 1.5V V
DD
= 6.3V
Resistance;
S0-S3
R
SO
-3
40
60
80
40
60
80
k
V
DD
= 4.0V
Resistance;
PWM
R
PWM
80
120
160
80
120
160
k
V
DD
= 4.0V
Note 1: Typical values are at 25
C.
2: No load.
3: Auto-shutoff current specification does not include the current through the input pulldown resistors.
4: Auto-shutoff current is periodically sampled and not 100% tested.
5: With VLOW Sel = 0 for operation from 2.0V to 3.0V and VLOW Sel = 1 for operation from 3.0V to 6.3V.
6: V
LED
is the voltage drop across the terminals of the LED.
HCS300
DS21137D-page 16
Preliminary
1996 Microchip Technology Inc.
FIGURE 8-1:
POWER UP AND TRANSMIT TIMING
TABLE 8-3:
POWER UP AND TRANSMIT TIMING REQUIREMENTS
FIGURE 8-2:
PWM FORMAT
FIGURE 8-3:
PREAMBLE/HEADER FORMAT
V
DD
= +2.0 to 6.3V
Commercial (C):
Tamb = 0
C to +70
C
Industrial
(I):
Tamb = -40
C to +85
C
Parameter
Symbol
Min
Max
Unit
Remarks
Time to second button press
T
BP
10 + Code
Word Time
26 + Code
Word Time
ms
(Note 1)
Transmit delay from button detect
T
TD
10
26
ms
Debounce delay
T
DB
6
13
ms
Auto-shutoff time-out period
T
TO
20
35
s
(Note 2)
Note 1: T
BP
is the time in which a second button can be pressed without completion of the first code word and the
intention was to press the combination of buttons.
2: The auto shutoff timeout period is not tested.
Button Press
Sn
Detect
T
DB
PWM
T
TD
Code Word Transmission
T
TO
Code
Word
1
Code
Word
2
Code
Word
3
Code
Word
n
T
BP
LOGIC `0'
LOGIC `1'
Preamble
Header
Encrypted Portion
of Transmission
Fixed portion of
Transmission
Guard
Time
T
P
T
H
T
HOP
T
FIX
T
G
T
BP
T
E
T
E
T
E
Preamble
Header
P1
P12
23 T
E
10 T
E
Data Word
Transmission
Bit 0
Bit 1
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 17
HCS300
FIGURE 8-4:
DATA WORD FORMAT
TABLE 8-4:
CODE WORD TRANSMISSION TIMING REQUIREMENTS
FIGURE 8-5:
HCS300 TE VS. TEMP
V
DD
= +2.0 to 6.0V
Commercial (C):
Tamb = 0
C to +70
C
Industrial
(I):
Tamb = -40
C to +85
C
Code Words Transmitted
All
1 out of 2
1 out of 4
Symbol
Characteristic
Number
of T
E
Min.
Typ.
Max.
Min.
Typ.
Max.
Min.
Typ.
Max. Units
T
E
Basic pulse element
1
260
400
660
130
200
330
65
100
165
s
T
BP
PWM bit pulse width
3
780
1200
1980
390
600
990
195
300
495
s
T
P
Preamble duration
23
6.0
9.2
15.2
3.0
4.6
7.6
1.5
2.3
3.8
ms
T
H
Header duration
10
2.6
4.0
6.6
1.3
2.0
3.3
0.7
1.0
1.7
ms
T
HOP
Hopping code duration
96
25.0
38.4
63.4
12.5
19.2
31.7
6.2
9.6
15.8
ms
T
FIX
Fixed code duration
102
26.5
40.8
67.3
13.3
20.4
33.7
6.6
10.2
16.8
ms
T
G
Guard Time
39
10.1
15.6
25.7
5.1
7.8
12.9
2.5
3.9
6.4
ms
Total Transmit Time
270
70.2
108.0 178.2
35.1
54.0
89.1
17.6
27.0
44.6
ms
PWM data rate
1282
833
505
2564
1667
1010
5128
3333
2020
bps
Note:
The timing parameters are not tested but derived from the oscillator clock.
Bit 0
Bit 1
Header
Bit 30 Bit 31 Bit 32 Bit 33 Bit 58 Bit 59
Fixed Code Word
Hopping Code Word
Guard
LSB
LSB
MSB
MSB
S3
S0
S1
S2
VLOW RPT
Time
Serial Number
Button Code
Status
Bit 60 Bit 61 Bit 62 Bit 63 Bit 64 Bit 65
0.8
1.7
1.6
1.5
1.4
1.3
1.2
1.1
1.0
0.9
0.7
-50 -40 -30 -20 -10 0
10 20 30 40 50 60 70 80 90
0.6
LEGEND
= 2.0
= 3.0
= 6.0
T
E
Min.
T
E
Max.
Typical
HCS300
DS21137D-page 18
Preliminary
1996 Microchip Technology Inc.
NOTES:
HCS300
1996 Microchip Technology Inc.
Preliminary
DS21137D-page 19
HCS300 Product Identification System
To order or to obtain information (e.g., on pricing or delivery), please use the listed part numbers, and refer to the factory or the listed
sales offices.
Package:
P = Plastic DIP (300 mil Body), 8-lead
SN = Plasitic SOIC (150 mil body), 8-lead
Temperature
Blank = 0C to +70C
Range:
I
= 40C to +85C
Device:
HCS300
Code Hopping Encoder
HCS300T
Code Hopping Encoder (Tape and Reel)
HCS300
-
/P
Sales and Support
Products supported by a preliminary Data Sheet may possibly have an errata sheet describing minor operational differences and
recommended workarounds. To determine if an errata sheet exists for a particular device, please contact one of the following:
Your local Microchip sales office (see next page)
The Microchip Corporate Literature Center U.S. FAX: (602) 786-7277
The Microchip's Bulletin Board, via your local CompuServe number (CompuServe membership NOT required).
Please specify which device, revision of silicon and Data Sheet (include Literature #) you are using.
For latest version information and upgrade kits for Microchip Development Tools, please call 1-800-755-2345 or 1-602-786-7302.
1.
2.
3.
DS21137D-page 20
Preliminary
1996 Microchip Technology Inc.
Information contained in this publication regarding device applications and the like is intended through suggestion only and may be superseded by updates. No repre-
sentation or warranty is given and no liability is assumed by Microchip Technology Incorporated with respect to the accuracy or use of such information, or infringement
of patents or other intellectual property rights arising from such use or otherwise. Use of Microchip's products as critical components in life support systems is not autho-
rized except with express written approval by Microchip. No licenses are conveyed, implicitly or otherwise, under any intellectual property rights. The Microchip logo and
name are registered trademarks of Microchip Technology Inc. All rights reserved. All other trademarks mentioned herein are the property of their respective companies.
W
ORLDWIDE
S
ALES
& S
ERVICE
ASIA/PACIFIC
Hong Kong
Microchip Technology
RM 3801B, Tower Two
Metroplaza
223 Hing Fong Road
Kwai Fong, N.T. Hong Kong
Tel: 852 2 401 1200 Fax: 852 2 401 3431
India
Microchip Technology
No. 6, Legacy, Convent Road
Bangalore 560 025 India
Tel: 91 80 526 3148 Fax: 91 80 559 9840
Korea
Microchip Technology
168-1, Youngbo Bldg. 3 Floor
Samsung-Dong, Kangnam-Ku,
Seoul, Korea
Tel: 82 2 554 7200 Fax: 82 2 558 5934
Shanghai
Microchip Technology
Unit 406 of Shanghai Golden Bridge Bldg.
2077 Yan'an Road West, Hongiao District
Shanghai, Peoples Republic of China
Tel: 86 21 6275 5700
Fax: 011 86 21 6275 5060
Singapore
Microchip Technology
200 Middle Road
#10-03 Prime Centre
Singapore 188980
Tel: 65 334 8870 Fax: 65 334 8850
Taiwan, R.O.C
Microchip Technology
10F-1C 207
Tung Hua North Road
Taipei, Taiwan, ROC
Tel: 886 2 717 7175 Fax: 886 2 545 0139
EUROPE
United Kingdom
Arizona Microchip Technology Ltd.
Unit 6, The Courtyard
Meadow Bank, Furlong Road
Bourne End, Buckinghamshire SL8 5AJ
Tel: 44 1628 850303 Fax: 44 1628 850178
France
Arizona Microchip Technology SARL
Zone Industrielle de la Bonde
2 Rue du Buisson aux Fraises
91300 Massy - France
Tel: 33 1 69 53 63 20 Fax: 33 1 69 30 90 79
Germany
Arizona Microchip Technology GmbH
Gustav-Heinemann-Ring 125
D-81739 Muenchen, Germany
Tel: 49 89 627 144 0 Fax: 49 89 627 144 44
Italy
Arizona Microchip Technology SRL
Centro Direzionale Colleone Pas Taurus 1
Viale Colleoni 1
20041 Agrate Brianza
Milan Italy
Tel: 39 39 6899939 Fax: 39 39 689 9883
JAPAN
Microchip Technology Intl. Inc.
Benex S-1 6F
3-18-20, Shin Yokohama
Kohoku-Ku, Yokohama
Kanagawa 222 Japan
Tel: 81 45 471 6166 Fax: 81 45 471 6122
11/7/96
AMERICAS
Corporate Office
Microchip Technology Inc.
2355 West Chandler Blvd.
Chandler, AZ 85224-6199
Tel: 602 786-7200 Fax: 602 786-7277
Technical Support: 602 786-7627
Web: http://www.microchip.com
Atlanta
Microchip Technology Inc.
500 Sugar Mill Road, Suite 200B
Atlanta, GA 30350
Tel: 770 640-0034 Fax: 770 640-0307
Boston
Microchip Technology Inc.
5 Mount Royal Avenue
Marlborough, MA 01752
Tel: 508 480-9990 Fax: 508 480-8575
Chicago
Microchip Technology Inc.
333 Pierce Road, Suite 180
Itasca, IL 60143
Tel: 708 285-0071 Fax: 708 285-0075
Dallas
Microchip Technology Inc.
14651 Dallas Parkway, Suite 816
Dallas, TX 75240-8809
Tel: 972 991-7177 Fax: 972 991-8588
Dayton
Microchip Technology Inc.
Suite 150
Two Prestige Place
Miamisburg, OH 45342
Tel: 513 291-1654 Fax: 513 291-9175
Los Angeles
Microchip Technology Inc.
18201 Von Karman, Suite 1090
Irvine, CA 92612
Tel: 714 263-1888 Fax: 714 263-1338
New York
Microchip Technology Inc.
150 Motor Parkway, Suite 416
Hauppauge, NY 11788
Tel: 516 273-5305 Fax: 516 273-5335
San Jose
Microchip Technology Inc.
2107 North First Street, Suite 590
San Jose, CA 95131
Tel: 408 436-7950 Fax: 408 436-7955
Toronto
Microchip Technology Inc.
5925 Airport Road, Suite 200
Mississauga, Ontario L4V 1W1, Canada
Tel: 905 405-6279
Fax: 905 405-6253
All rights reserved.
1996, Microchip Technology Incorporated, USA. 11/96
Printed on recycled paper.
PDF 
ZIP