AN1879 APPLICATION NOTE
How To Use M41ST87 Tamper Detect and RAM Clear
INTRODUCTION
The M41ST87 is a supervisory family circuit that provides the industry with the latest in on-chip security solutions. The Tamper Detection and RAM Clear circuit can be used in any system to protect sensitive application data from tampering. This chip can be used to secure a wide range of applications, from Credit Card Machines and Point-of-Sale (POS) terminals to electric data meters. The M41ST87 can detect and timestamp any tampering with the system, and corrupt the device memory when the event occurs. This prevents the intruder from accessing data stored in memory by clearing the system's internal and/or external RAM when the tampering event occurs.

How It Works

The M41ST87 device provides two independent tamper input pins, TP1IN and TP2IN, that can be used to monitor two separate signals. Each tamper input pin can be set to indicate that a tamper event has occurred by either 1) closing a switch (normally open) to Ground or VOUT or 2) opening a switch that was previously closed (normally closed) to Ground or VOUT. The closing and opening of the switch is configurable using bits that are set in the tamper registers. The M41ST87 device includes 128 bytes of internal RAM that the user has the option of clearing by setting the TEB and CLR Bits in the tamper registers.

Clearing the External Memory with the Tamper Registers

The M41ST87 can also clear the external, battery-backed SRAM of the device when the TEB and CLREXT Bits are set in the tamper registers. To clear/corrupt the external memory, VCC of the SRAM can be taken to Ground. However, certain SRAMs require a significant amount of time for the memory to be corrupted if VCC is simply grounded. To corrupt the memory in a reasonable amount of time, one can take VCC of the SRAM to a negative voltage. Taking VCC to a negative voltage turns on the input protection diode, which goes into conduction and corrupts the memory.
Clearing the External Memory with an External Charge Pump

An external charge pump device should be used with the M41ST87 to drive VCC of the SRAM to a negative voltage during the tamper condition. Figure 1 shows how to connect this circuit. When using the M41ST87 with the charge pump device, the user must also provide two additional MOSFETs to isolate VCC of the SRAM from the output (OUT) of the charge pump during normal operation, and from VOUT of the M41ST87 device during the tamper condition.

During normal operation the TPCLR signal will be forced low, disabling the charge pump. When disabled, the output of most charge pumps will be forced to Ground. In order to allow proper operation of the SRAM, MOSFET(1) must be "off" to isolate VCC of the SRAM from the charge pump output. At the same time, P-channel MOSFET(2) will be "on" to provide the supply voltage for the SRAM.
June 2004
During a tamper condition, the TPCLR signal will be forced high, controlling the inhibit pin of the DC regulator. This will put the regulator in standby mode for tCLR and trec. The tCLR is the tamper clear timing where the regulator will be switched off for 1, 4, 8, or 16 seconds, depending on the setting of the CLRPW1 and CLRPW0 Bits in the register. The TPCLR signal also enables the charge pump. When the charge pump is enabled, OUT generates a negative voltage on the VCC pin of the SRAM (for a programmable period of time), causing data corruption.

The M41ST87 must be isolated from the VCC of the SRAM to avoid data corruption of the M41ST87 due to forward biasing of the parasitic diode of the M41ST87 VOUT output. This is accomplished by using the TPCLR signal to turn the N-channel MOSFET(1) "on," while turning the P-channel MOSFET(2) "off."

It is recommended that low ESR capacitors be used for both C1 and C2 to reduce noise and ripple. In high VIN applications, a small value for C1 delivers less charge per clock cycle to the output capacitor, resulting in lower output ripple and also reducing the maximum IOUT capability. Therefore, a ceramic capacitor is recommended for both capacitors C1 and C2 with a value in the range of 0.022 µF or less.

Figure 1. Circuit Connection
[Figure 1 diagram (AI07804): 5V regulator with Inhibit input, inverting charge pump (SHDN input, OUT = negative output, 1 x VIN), M41ST87Y/W (TPCLR, VOUT, tamper inputs TP1IN and TP2IN), MOSFETs (1) and (2), and the low-power SRAM.]
Note: 1. N-channel MOSFET 2. P-channel MOSFET
RAM CLEAR DATA
Depending on the process technology used to manufacture the external SRAM, clearing the memory may require varying durations of negative potential on the VCC pin. The M41ST87 device allows the user to program the time needed for their particular application. The Control Bits CLRPW0 and CLRPW1, located in the day register, determine the duration of the tCLR pulse width during a tamper event (see Figure 2). At STMicroelectronics, we have evaluated several different SRAMs with different densities and found that we were able to corrupt the memory with certain minimum duration (1 second) negative pulse widths (see Table 1).

Figure 2. Tamper Output Timing
[Figure 2 timing diagram (AI07083): TPCLR, RST, VOUT, IRQ/OUT and ECON waveforms following the tamper event (TB Bit set), with the intervals tCLRD, tCLR and trec marked.]
Table 1. RAM Clear Data with Different Vendors
SRAM     Density  VBAT   ---- Before Tamper ----   ----------- During Tamper(1) -----------   Status
                         VOUT   IIN   Total IBAT   ISRAM   VIN     IIN     VSRAM  Total IBAT
                  (V)    (V)    (µA)  (nA)         (µA)    (V)     (µA)    (V)    (µA)
Cypress  1 Meg    2.55   2.390  0     925.0        259.2   2.042   316.8   0.522  319.2        Corrupted
Hyundai  1 Meg    2.55   2.390  0     582.0        267.2   2.030   323.0   0.488  325.0        Corrupted
Hitachi  4 Meg    2.55   2.426  0     567.0        272.7   2.022   327.4   0.465  329.6        Corrupted
Cypress  4 Meg    2.55   2.425  0     578.0        287.7   2.000   339.5   0.397  340.8        Corrupted
Hyundai  4 Meg    2.55   2.400  0     752.0        275.9   2.018   329.8   0.449  331.6        Corrupted
Samsung  4 Meg    2.55   2.423  0     492.0        382.0   2.010   335.0   0.425  336.5        Corrupted
ST       4 Meg    2.55   2.413  0     587.0        283.2   2.010   336.0   0.421  337.4        Corrupted
Note: 1. Typically some SRAMs would take > 10 seconds when VCC is taken to VSS at 25°C to corrupt the memory.

Keys:
VBAT = Battery voltage
VOUT = Voltage output
IIN = Current into charge pump before and during tamper condition
Total IBAT = Battery back-up current of both the M41ST87 and the SRAM
ISRAM = Current sink into the external SRAM
VIN = Voltage at the charge pump input during tamper condition
VSRAM = Negative voltage produced by the charge pump at SRAM VCC during tamper condition
TAMPER TIMESTAMP
When a tamper event occurs, regardless of which tamper input triggers first, the device freezes the update of the clock registers, producing a time stamp that lets the user know when the tampering took place. The Tamper Bits (TB1 or TB2 in the flag register) will be set immediately. Therefore, when tampering occurs, the user may elect to first read the time registers to determine exactly when the tamper event occurred, then read the flag register to see which tamper condition was triggered. The clock will update to the current time after resetting the TEB Bit in the tamper registers. The appropriate TEB Bit must always be reset to '0' in order to read the current time. The tamper detect function operates in VCC as well as in battery back-up.
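The read sequence described above (time registers, then flag register, then TEB reset) is sketched below as an added example; it is not code from this application note or from STMicroelectronics. It runs against a constructed in-memory model of the described behaviour, and the struct layout and the TB1/TB2 masks are placeholders, so the real register addresses and bit positions must be taken from the M41ST87 datasheet.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed in-memory model of the behaviour described above. Field layout
 * and bit masks are placeholders, not the M41ST87 register map. */
#define TB1 0x01u /* placeholder mask: tamper 1 flag */
#define TB2 0x02u /* placeholder mask: tamper 2 flag */

typedef struct {
    uint32_t now;        /* model's running time in seconds */
    uint32_t clock_regs; /* value the host reads back from the clock */
    uint8_t flags;       /* TB1 / TB2 */
    bool teb[2];         /* TEB bit of tamper input 1 and 2 */
} rtc_model;
typedef struct { uint32_t when; uint8_t source; uint32_t resumed; } tamper_record;

/* Clock registers follow the time unless an enabled tamper has fired. */
static void rtc_sync(rtc_model *r) {
    bool frozen = ((r->flags & TB1) && r->teb[0]) || ((r->flags & TB2) && r->teb[1]);
    if (!frozen) r->clock_regs = r->now;
}
static void rtc_tick(rtc_model *r, uint32_t secs) { r->now += secs; rtc_sync(r); }
/* Tamper on input n (0 or 1): the TB bit is set immediately if enabled. */
static void rtc_tamper(rtc_model *r, int n) { if (r->teb[n]) r->flags |= n ? TB2 : TB1; }

/* Host side, in the order the note recommends. */
static tamper_record handle_tamper(rtc_model *r) {
    tamper_record rec;
    rec.when = r->clock_regs;                /* 1. frozen time = moment of tamper */
    rec.source = r->flags & (TB1 | TB2);     /* 2. which input(s) triggered */
    if (rec.source & TB1) r->teb[0] = false; /* 3. reset TEB so the clock */
    if (rec.source & TB2) r->teb[1] = false; /*    shows the current time again */
    rtc_sync(r);
    rec.resumed = r->clock_regs;
    return rec;
}

static tamper_record run_demo(void) {
    rtc_model r = { 1000, 1000, 0, { true, true } };
    rtc_tick(&r, 50);  rtc_tamper(&r, 1); /* input 2 trips at t = 1050 */
    rtc_tick(&r, 100); rtc_tamper(&r, 0); /* input 1 trips later, t = 1150 */
    rtc_tick(&r, 200);                    /* host services it at t = 1350 */
    return handle_tamper(&r);
}

int main(void) {
    tamper_record rec = run_demo();
    printf("tamper at %u, flags 0x%02x, clock now %u\n",
           (unsigned)rec.when, (unsigned)rec.source, (unsigned)rec.resumed);
    return 0;
}
```

If the host read the clock only after resetting TEB, it would get the current time (1350 in this run) and the moment of the first tamper (1050) would be lost.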
CONCLUSION
With the increasing frequency of credit card fraud and identity theft, ST is leading the way protecting this sensitive data with its new line of secure RTCs. This sensitive data is stored in internal or external memory of most devices like ATM machines or POS terminals. The M41ST87 solution can provide early detection when these devices have been tampered with and clear the RAM before the intruder can access this data.
DOCUMENT REVISION HISTORY
Table 2. Revision History
Date               Version   Revision Details
February 4, 2004   1.0       First Edition
12-Apr-04          2.0       Reformatted; update vendor SRAM information (Table 1)
03-Jun-04          3.0       Correct drawing (Figure 1)
Information furnished is believed to be accurate and reliable. However, STMicroelectronics assumes no responsibility for the consequences of use of such information nor for any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of STMicroelectronics. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. STMicroelectronics products are not authorized for use as critical components in life support devices or systems without express written approval of STMicroelectronics.

The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners.

© 2004 STMicroelectronics - All rights reserved

STMicroelectronics GROUP OF COMPANIES
Australia - Belgium - Brazil - Canada - China - Czech Republic - Finland - France - Germany - Hong Kong - India - Israel - Italy - Japan - Malaysia - Malta - Morocco - Singapore - Spain - Sweden - Switzerland - United Kingdom - United States
www.st.com