© 2011 Microchip Technology Inc.
DS40183E-page 1
HCS515
FEATURES
Security
• Encrypted storage of manufacturer’s code
• Encrypted storage of encoder decryption keys
• Up to seven transmitters can be learned code
hopping technology
• Normal and secure learning mechanisms
Operating
• 4.5V – 5.5V operation
• Internal oscillator
• Auto bit rate detection
Other
• Stand-alone decoder
• Internal EEPROM for transmitter storage
• Synchronous serial interface
• 1 Kbit user EEPROM
• 14-pin DIP/SOIC package
Typical Applications
• Automotive remote entry systems
• Automotive alarm systems
• Automotive immobilizers
• Gate and garage openers
• Electronic door locks
• Identity tokens
• Burglar alarm systems
Compatible Encoders
All encoders and transponders configured for the fol-
lowing setting:
• PWM modulation format (1/3-2/3)
• T
E
in the range from 100
μs to 400 μs
• 10 x T
E
Header
• 28-bit Serial Number
• 16-bit Synchronization counter
• Discrimination bits equal to Serial Number 8 LSbs
• 66- to 69-bit length code word.
DESCRIPTION
The Microchip Technology Inc. HCS515 is a code hop-
ping decoder designed for secure Remote Keyless
Entry (RKE) systems. The HCS515 utilizes the pat-
ented code hopping system and high security learning
mechanisms to make this a canned solution when used
with the HCS encoders to implement a unidirectional
remote and access control systems. The HCS515 can
be used as a stand-alone decoder or in conjunction
with a microcontroller.
PACKAGE TYPE
BLOCK DIAGRAM
The manufacturer’s code, encoder decryption keys,
and synchronization information are stored in
encrypted form in internal EEPROM. The HCS515
uses the
S_DAT
and
S_CLK
inputs to communicate
with a host controller device.
The HCS515 operates over a wide voltage range of
4.5V – 5.5V. The decoder employs automatic bit rate
detection, which allows it to compensate for wide vari-
HC
S5
15
PDIP, SOIC
1
2
3
4
NC
NC
V
DD
S1
NC
NC
Vss
RF_IN
5
6
7
14
13
12
11
10
9
8
S0
MCLR
NC
S_CLK
S_DAT
NC
Reception Register
Internal
CONTROL
DECRYPTOR
RFIN
OSCILLATOR
S_DAT
S_CLK
MCLR
EEPROM
EE_DAT
EE_CLK
S0
S1
K
EE
L
OQ
®
Code Hopping Decoder
HCS515
DS40183E-page 2
© 2011 Microchip Technology Inc.
ations in transmitter data rate. The decoder contains
sophisticated error checking algorithms to ensure only
valid codes are accepted.
1.0
SYSTEM OVERVIEW
Key Terms
The following is a list of key terms used throughout this
data sheet. For additional information on K
EE
L
OQ®
and
Code Hopping, refer to Technical Brief 3 (TB003).
• RKE - Remote Keyless Entry
• Button Status - Indicates what button input(s)
activated the transmission. Encompasses the 4
button status bits S3, S2, S1 and S0 (Figure 7-2).
• Code Hopping - A method by which a code,
viewed externally to the system, appears to
change unpredictably each time it is transmitted.
• Code word - A block of data that is repeatedly
transmitted upon button activation (Figure 7-1).
• Transmission - A data stream consisting of
repeating code words (Figure 7-1).
• Crypt key - A unique and secret 64-bit number
used to encrypt and decrypt data. In a symmetri-
cal block cipher such as the K
EE
L
OQ
algorithm,
the encryption and decryption keys are equal and
will therefore be referred to generally as the crypt
key.
• Encoder - A device that generates and encodes
data.
• Encryption Algorithm - A recipe whereby data is
scrambled using a crypt key. The data can only be
interpreted by the respective decryption algorithm
using the same crypt key.
• Decoder - A device that decodes data received
from an encoder.
• Decryption algorithm - A recipe whereby data
scrambled by an encryption algorithm can be
unscrambled using the same crypt key.
• Learn – Learning involves the receiver calculating
the transmitter’s appropriate crypt key, decrypting
the received hopping code and storing the serial
number, synchronization counter value and crypt
key in EEPROM. The K
EE
L
OQ
product family facil-
itates several learning strategies to be imple-
mented on the decoder. The following are
examples of what can be done.
- Simple Learning
The receiver uses a fixed crypt key, common
to all components of all systems by the same
manufacturer, to decrypt the received code
word’s encrypted portion.
- Normal Learning
The receiver uses information transmitted
during normal operation to derive the crypt
key and decrypt the received code word’s
encrypted portion.
- Secure Learn
The transmitter is activated through a special
button combination to transmit a stored 60-bit
seed value used to generate the transmitter’s
crypt key. The receiver uses this seed value
to derive the same crypt key and decrypt the
received code word’s encrypted portion.
• Manufacturer’s code – A unique and secret 64-
bit number used to generate unique encoder crypt
keys. Each encoder is programmed with a crypt
key that is a function of the manufacturer’s code.
Each decoder is programmed with the manufac-
turer code itself.
1.1
HCS Encoder Overview
The HCS encoders have a small EEPROM array which
must be loaded with several parameters before use.
The most important of these values are:
• A crypt key that is generated at the time of pro-
duction
• A 16-bit synchronization counter value
• A 28-bit serial number which is meant to be
unique for every encoder
The manufacturer programs the serial number for each
encoder at the time of production, while the ‘Key Gen-
eration Algorithm’ generates the crypt key (Figure 1-1).
Inputs to the key generation algorithm typically consist
of the encoder’s serial number and a 64-bit manufac-
turer’s code, which the manufacturer creates.
Note:
The manufacturer code is a pivotal part of
the system’s overall security. Conse-
quently, all possible precautions must be
taken and maintained for this code.
© 2011 Microchip Technology Inc.
DS40183E-page 3
HCS515
FIGURE 1-1:
CREATION AND STORAGE OF CRYPT KEY DURING PRODUCTION
The 16-bit synchronization counter is the basis behind
the transmitted code word changing for each transmis-
sion; it increments each time a button is pressed. Due
to the code hopping algorithm’s complexity, each incre-
ment of the synchronization value results in greater
than 50% of the bits changing in the transmitted code
word.
Figure 1-2 shows how the key values in EEPROM are
used in the encoder. Once the encoder detects a button
press, it reads the button inputs and updates the syn-
chronization counter. The synchronization counter and
crypt key are input to the encryption algorithm and the
output is 32 bits of encrypted information. This data will
change with every button press, its value appearing
externally to ‘randomly hop around’, hence it is referred
to as the hopping portion of the code word. The 32-bit
hopping code is combined with the button information
and serial number to form the code word transmitted to
the receiver. The code word format is explained in
greater detail in Section 7.2.
A receiver may use any type of controller as a decoder,
but it is typically a microcontroller with compatible firm-
ware that allows the decoder to operate in conjunction
with an HCS515 based transmitter. Section 3.0
provides detail on integrating the HCS515 into a sys-
tem.
A transmitter must first be ‘learned’ by the receiver
before its use is allowed in the system. Learning
includes calculating the transmitter’s appropriate crypt
key, decrypting the received hopping code and storing
the serial number, synchronization counter value and
crypt key in EEPROM.
In normal operation, each received message of valid
format is evaluated. The serial number is used to deter-
mine if it is from a learned transmitter. If from a learned
transmitter, the message is decrypted and the synchro-
nization counter is verified. Finally, the button status is
checked to see what operation is requested. Figure 1-3
shows the relationship between some of the values
stored by the receiver and the values received from
the transmitter.
FIGURE 1-2:
BUILDING THE TRANSMITTED CODE WORD (ENCODER)
Transmitter
Manufacturer’s
Serial Number
Code
Crypt
Key
Key
Generation
Algorithm
Serial Number
Crypt Key
Sync Counter
.
.
.
HCS515
Production
Programmer
EEPROM Array
Button Press
Information
EEPROM Array
32 Bits
Encrypted Data
Serial Number
Transmitted Information
Crypt Key
Sync Counter
Serial Number
K
EE
L
OQ®
Encryption
Algorithm
HCS515
DS40183E-page 4
© 2011 Microchip Technology Inc.
FIGURE 1-3:
BASIC OPERATION OF RECEIVER (DECODER)
NOTE: Circled numbers indicate the order of execution.
2.0
PIN ASSIGNMENT
Button Press
Information
EEPROM Array
Manufacturer Code
32 Bits of
Encrypted Data
Serial Number
Received Information
Decrypted
Synchronization
Counter
Check for
Match
Sync Counter
Serial Number
K
EE
L
OQ®
Decryption
Algorithm
1
3
4
Check for
Match
2
Perform Function
Indicated by
button press
5
Crypt Key
PIN
Decoder
Function
I/O
(1)
Buffer
Type
(1)
Description
1
NC
—
—
No connection
2
NC
—
—
No connection
3
V
DD
—
—
Power connection
4
S1
O
TTL
S1 function output
5
S0
O
TTL
S0 function output
6
MCLR
I
ST
Master clear input
7
NC
—
—
No connection
8
NC
—
—
No connection
9
S_DAT
I/O
TTL
Synchronous data from controller
10
S_CLK
I
TTL
Synchronous clock from controller
11
RF_IN
I
TTL
Input from RF receiver
12
GND
—
—
Ground connection
13
NC
—
—
No connection
14
NC
—
—
No connection
Note:
P = power, I = in, O = out, and ST = Schmitt Trigger input.
© 2011 Microchip Technology Inc.
DS40183E-page 5
HCS515
3.0
DECODER OPERATION
3.1
Learning a Transmitter to a
Receiver (Normal or Secure Learn)
Before the transmitter and receiver can work together,
the receiver must first ‘learn’ and store the following
information from the transmitter in EEPROM:
• A check value of the serial number
• The encoder decryption key
• The current synchronization counter value
The decoder must also store the manufacturer’s code
(Section 1.1) in protected memory. This code will
typically be the same for all of the decoders in a sys-
tem.
The HCS515 has seven memory slots, and, conse-
quently, can store up to seven transmitters. During the
learn procedure, the decoder searches for an empty
memory slot for storing the transmitter’s information.
When all of the memory slots are full, the decoder will
overwrite the last transmitter’s information. To erase all
of the memory slots at once, use the
ERASE_ALL
command (C3H).
3.1.1
LEARNING PROCEDURE
Learning is initiated by sending the
ACTIVATE_LEARN
(D2H) command to the decoder.
The decoder acknowledges reception of the command
by pulling the data line high.
For the HCS515 decoder to learn a new transmitter, the
following sequence is required:
1.
Activate the transmitter once.
2.
Activate the transmitter a second time. (In
Secure Learning mode, the seed transmission
must be transmitted during the second stage of
learn by activating the appropriate buttons on
the transmitter.)
3.
The HCS515 will transmit a learn-status string,
indicating that the learn was successful.
4.
The decoder has now learned the transmitter.
5.
Repeat steps 1-3 to learn up to seven
transmitters
Note 1: Learning will be terminated if two
nonsequential codes were received or
if two acceptable codes were not
decoded within 30 seconds.
2: If more than seven transmitters are
learned, the new transmitter will
replace the last transmitter learned. It
is, therefore, not possible to erase lost
transmitters by repeatedly learning
new transmitters. To remove lost or
stolen transmitters, ERASE_ALL
transmitters and relearn all available
transmitters.
3: Learning a transmitter with an encoder
decryption key that is identical to a
transmitter already in memory
replaces the existing transmitter. In
practice, this means that all transmit-
ters should have unique encoder
decryption keys. Learning a previously
learned transmitter does not use any
additional memory slots.
The following checks are performed by the decoder to
determine if the transmission is valid during learn:
• The first code word is checked for bit integrity.
• The second code word is checked for bit integrity.
• The encoder decryption key is generated accord-
ing to the selected algorithm.
• The hopping code is decrypted.
• The discrimination value is checked.
• If all the checks pass, the key, serial number
check value, and synchronization counter values
are stored in EEPROM memory.
Figure 3-1 shows a flow chart of the learn sequence.
FIGURE 3-1:
LEARN SEQUENCE
Enter Learn
Mode
Wait for Reception
of Second
Compare Discrimination
Value with Serial Number
Use Generated Key
to Decrypt
Equal?
Sync. Counter Value
Encoder Decryption Key
Exit
Learn Successful Store:
Learn
Unsuccessful
No
Yes
Wait for Reception
of a Valid Code
Non-Repeated
Valid Code
Generate Key
from Serial Number/
Seed Value
Serial Number Check Value
HCS515
DS40183E-page 6
© 2011 Microchip Technology Inc.
3.2
Validation of Codes
The decoder waits for a transmission and checks the
serial number to determine if it is a learned transmitter.
If it is, it takes the code hopping portion of the transmis-
sion and decrypts it, using the encoder decryption key.
It uses the discrimination value to determine if the
decryption was valid. If everything up to this point is
valid, the synchronization counter value is evaluated.
3.3
Validation Steps
Validation consists of the following steps:
1.
Search EEPROM to find the Serial Number
Check Value Match
2.
Decrypt the Hopping Code
3.
Compare the 10 bits of the discrimination value
with the lower 10 bits of serial number
4.
Check if the synchronization counter value falls
within the first synchronization window.
5.
Check if the synchronization counter value falls
within the second synchronization window.
6.
If a valid transmission is found, update the
synchronization counter, else use the next
transmitter block, and repeat the tests.
FIGURE 3-2:
DECODER OPERATION
Transmission
Received?
Does
Ser # Check Val
Match?
Decrypt Transmission
Is
decryption
valid?
Is
Counter within
16?
Is
Counter within
16K?
Update
Counter
Execute
Command
Save Counter
in Temp Location
Start
No
No
No
No
Yes
Yes
Yes
Yes
Yes
No
and
© 2011 Microchip Technology Inc.
DS40183E-page 7
HCS515
3.4
Synchronization with Decoder
(Evaluating the Counter)
The K
EE
L
OQ
technology patent scope includes a
sophisticated synchronization technique that does not
require the calculation and storage of future codes. The
technique securely blocks invalid transmissions while
providing transparent resynchronization to transmitters
inadvertently activated away from the receiver.
Figure 3-3 shows a 3-partition, rotating synchronization
window. The size of each window is optional but the
technique is fundamental. Each time a transmission is
authenticated, the intended function is executed and
the transmission's synchronization counter value is
stored in EEPROM. From the currently stored counter
value there is an initial "Single Operation" forward win-
dow of 16 codes. If the difference between a received
synchronization counter and the last stored counter is
within 16, the intended function will be executed on the
single button press and the new synchronization coun-
ter will be stored. Storing the new synchronization
counter value effectively rotates the entire synchroniza-
tion window.
A "Double Operation" (resynchronization) window fur-
ther exists from the Single Operation window up to 32K
codes forward of the currently stored counter value. It
is referred to as "Double Operation" because a trans-
mission with synchronization counter value in this win-
dow will require an additional, sequential counter
transmission prior to executing the intended function.
Upon receiving the sequential transmission the
decoder executes the intended function and stores the
synchronization counter value. This resynchronization
occurs transparently to the user as it is human nature
to press the button a second time if the first was unsuc-
cessful.
The third window is a "Blocked Window" ranging from
the double operation window to the currently stored
synchronization counter value. Any transmission with
synchronization counter value within this window will
be ignored. This window excludes previously used,
perhaps code-grabbed transmissions from accessing
the system.
FIGURE 3-3:
SYNCHRONIZATION WINDOW
Blocked
Entire Window
rotates to eliminate
use of previously
used codes
Single Operation
Window
Window
(32K Codes)
(16 Codes)
Double Operation
(resynchronization)
Window
(32K Codes)
Stored
Synchronization
Counter Value
HCS515
DS40183E-page 8
© 2011 Microchip Technology Inc.
4.0
INTERFACING TO A
MICROCONTROLLER
The HCS515 interfaces to a microcontroller via a syn-
chronous serial interface. A clock and data line are
used to communicate with the HCS515. The microcon-
troller controls the clock line. There are two groups of
data transfer messages. The first is from the decoder
whenever the decoder receives a valid transmission.
The decoder signals reception of a valid code by taking
the data line high (maximum of 500 ms) The microcon-
troller then services the request by clocking out a data
string from the decoder. The data string contains the
function code, the status bit, and block indicators. The
second is from the controlling microcontroller to the
decoder in the form of a defined command set.
Figure 4-1 shows the HCS515 decoder and the I/O
interface lines necessary to interface to a microcon-
troller.
4.1
Valid Transmission Message
The decoder informs the microcontroller of a valid
transmission by taking the data line high for up to
500 ms. The controlling microcontroller must acknowl-
edge by taking the clock line high. The decoder then
takes the data line low. The microcontroller can then
begin clocking a data stream out of the HCS515. The
data stream consists of:
• START bit ‘
0
’.
• 2 status bits [
REPEAT
,
Vlow
].
• 4-bit function code [
S3 S2 S1 S0
].
• STOP bit ‘
1
’.
• 4 bits indicating the number of transmitters
learned into the decoder [
CNT3…CNT0
].
• 4 bits indicating which block was used
[
TX3…TX0
].
• 64 bits of the received transmission with the hop-
ping code decrypted.
Note:
Data is always clocked in/out Least
Significant bit (LSb) first.
The decoder will terminate the transmission of the data
stream at any point where the clock is kept low for lon-
ger than 1 ms. Therefore, the microcontroller can only
clock out the required bits. A maximum of 80 bits can
be clocked out of the decoder.
FIGURE 4-1:
HCS515 DECODER AND I/O INTERFACE LINES
FIGURE 4-2:
DECODER VALID TRANSMISSION MESSAGE
NC
NC
V
DD
S1
RF DATA
SYNC CLOCK
SYNC DATA
S0 OUTPUT
HCS515
S0
MCLR
NC
NC
NC
V
SS
RF_IN
S_CLK
S_DAT
NC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
V
CC
X
X
X
MICRO RESET
S1 OUTPUT
X
X
X
Decoder Signal Valid
T
CLKH
T
DS
A
B
Cii
T
ACT
T
DHI
T
CLA
Received String
Ci
S_DAT
TX0
TX3
RX63
REPT V
LOW
S0
S1
S2
S3
CNT0
CNT3
0
RX0
RX1
RX62
1
S_CLK
Information
T
ACK
T
CLKH
T
CLKL
Transmission
© 2011 Microchip Technology Inc.
DS40183E-page 9
HCS515
4.2
Command Mode
4.2.1
MICROCONTROLLER COMMAND
MODE ACTIVATION
The microcontroller command consists of four parts.
The first part activates the Command mode, the sec-
ond part is the actual command, the third is the address
accessed, and the fourth part is the data. The micro-
controller starts the command by taking the clock line
high for up to 500 ms. The decoder acknowledges the
start-up sequence by taking the data line high. The
microcontroller takes the clock line low, after which the
decoder will take the data line low, tri-state the data line
and wait for the command to be clocked in. The data
must be set up on the rising edge and will be sampled
on the falling edge of the clock line.
4.2.2
COLLISION DETECTION
The HCS515 uses collision detection to prevent
clashes between the decoder and microcontroller.
Whenever the decoder receives a valid transmission
the following sequence is followed:
• The decoder first checks to see if the clock line is
high. If the clock line is high, the valid transmis-
sion notification is aborted, and the microcon-
troller Command mode request is serviced.
• The decoder takes the data line high and checks
that the clock line doesn’t go high within 50
μs. If
the clock line goes high, the valid transmission
notification is aborted and the Command mode
request is serviced.
• If the clock line goes high after 50
μs but before
500 ms, the decoder will acknowledge by taking
the data line low.
• The microcontroller can then start to clock out the
80-bit data stream of the received transmission.
FIGURE 4-3:
MICROCONTROLLER COMMAND MODE ACTIVATION
MSB
A
Command Byte
START Command
T
CLKL
T
CLKH
T
DS
B
C
LSB
T
START
T
CMD
D
T
DATA
E
Address Byte
Data Byte
T
ADDR
T
REQ
T
RESP
CLK
μC Data
MSB
LSB
MSB
LSB
T
ACK
HCS515
Data
HCS515
DS40183E-page 10
© 2011 Microchip Technology Inc.
4.2.3
COMMAND ACTIVATION TIMES
The command activation time (Table 4-1) is defined as
the maximum time the microcontroller has to wait for a
response from the decoder. The decoder will abort and
service the command request. The response time
depends on the state of the decoder when the Com-
mand mode is requested.
TABLE 4-1:
COMMAND ACTIVATION TIMES
4.2.4
DECODER COMMANDS
The command byte specifies the operation required by
the controlling microcontroller. Table 4-2 lists the com-
mands.
TABLE 4-2:
DECODER COMMANDS
Decoder State
Min
Max
While receiving transmissions
—
2.5 ms BPWMAX = 2.7 ms
During the validation of a received transmission
—
3 ms
During the update of the sync counters
—
40 ms
During learn
—
170 ms
Instruction
Command Byte
Operation
READ
F0
HEX
Read a byte from user EEPROM
WRITE
E1
HEX
Write a byte to user EEPROM
ACTIVATE_LRN
D2
HEX
Activate a learn sequence on the decoder
ERASE_ALL
C3
HEX
Activate an erase all function on the decoder
PROGRAM
B4
HEX
Program manufacturer’s code and configuration byte