Copyright 1995 by Dallas Semiconductor Corporation.
All Rights Reserved. For important information regarding
patents and other intellectual property rights, please refer to
Dallas Semiconductor data books.
DS5002FP
Secure Microprocessor Chip
111996 1/28
FEATURES
8051 compatible microprocessor for secure/sensitive applications
Access 32K, 64K, or 128K bytes of nonvolatile SRAM for program and/or data storage
In–system programming via on–chip serial port
Capable of modifying its own program or data memory in the end system
Firmware Security Features:
  Memory stored in encrypted form
  Encryption using on–chip 64–bit key
  Automatic true random key generator
  SDI Self Destruct Input
  Optional top coating prevents microprobe (DS5002FPM)
  Improved security over previous generations
  Protects memory contents from piracy
Crashproof Operation
  Maintains all nonvolatile resources for over 10 years in the absence of power
  Power–fail Reset
  Early Warning Power–fail Interrupt
  Watchdog Timer
PIN ASSIGNMENT
[Figure: pin assignment diagram for the DS5002FP 80–pin QFP. Pin numbers and signal names are listed under PIN DESCRIPTION.]
DESCRIPTION
The DS5002FP Secure Microprocessor Chip is a secure version of the DS5001FP 128K Soft Microprocessor Chip. In addition to the memory and I/O enhancements of the DS5001FP, the Secure Microprocessor Chip incorporates the most sophisticated security features available in any processor. The security features of the DS5002FP include an array of mechanisms which are designed to resist all levels of threat, including observation, analysis, and physical attack. As a result, a massive effort would be required to obtain any information about memory contents. Furthermore, the “soft” nature of the DS5002FP allows frequent modification of the secure information, thereby minimizing the value of any secure information obtained by such a massive effort.
The DS5002FP implements a security system which is an improved version of its predecessor, the DS5000FP. Like the DS5000FP, the DS5002FP loads and executes application software in encrypted form. Up to 128K x 8 bytes of standard SRAM can be accessed via its Byte–wide bus. This RAM is converted by the DS5002FP into lithium–backed nonvolatile storage for program and data. Data is maintained for over 10 years at room temperature with a very small lithium cell. As a result, the contents of the RAM and the execution of the software appear unintelligible to the outside observer. The encryption algorithm uses an internally stored and protected key. Any attempt to discover the key value results in its erasure, rendering the encrypted contents of the RAM useless.
The Secure Microprocessor Chip offers a number of major enhancements to the software security implemented in the previous generation DS5000FP. First, the DS5002FP provides a stronger software encryption algorithm which incorporates elements of DES encryption. Second, the encryption is based on a 64–bit key word, as compared to the DS5000FP’s 40–bit key. Third, the key can only be loaded from an on–chip true random number generator. As a result, the true key value is never known by the user. Fourth, a Self–Destruct input pin (SDI) is provided to interface to external tamper detection circuitry. With or without the presence of VCC, activation of the SDI pin has the same effect as resetting the Security Lock: immediate erasure of the key word and the 48–byte Vector RAM area. Fifth, an optional top–coating of the die prevents access of information using microprobing techniques. Finally, customer–specific versions of the DS5002FP are available which incorporate a one–of–a–kind encryption algorithm.
When implemented as a part of a secure system design, a system based on the DS5002FP can typically provide a level of security which requires more time and resources to defeat than it is worth to unauthorized individuals who have reason to try. For a user who wants a pre–constructed module using the DS5002FP, RAM, lithium cell, and a real time clock, the DS2252T is available and described in a separate data sheet.
ORDERING INFORMATION
The following devices are available as standard products from Dallas Semiconductor:
PART #          DESCRIPTION
DS5002FP–16     80–pin QFP, Max. clock speed 16 MHz, 0°C to 70°C operation
DS5002FPM–16    80–pin QFP, Max. clock speed 16 MHz, 0°C to 70°C operation, Internal microprobe shield
Operating information is contained in the User’s Guide Section of the Secure Microprocessor Data Book. This data sheet provides ordering information, pin–out, and electrical specifications.
BLOCK DIAGRAM
Figure 1 is a block diagram illustrating the internal architecture of the DS5002FP. The DS5002FP is a secure implementation of the DS5001FP 128K Soft Microprocessor Chip. As a result, it operates in an identical fashion to the DS5001FP except where indicated. See the DS5001FP Data Sheet for operating details.
DS5002FP BLOCK DIAGRAM Figure 1
[Figure: block diagram showing the oscillator, watchdog timer, power monitor, CPU, special function registers, data registers (128 bytes), Vector RAM (48 bytes), bootstrap loader ROM, encryption keys, timers 0 and 1, ports 0 to 3, timing and bus control, address/data encryptors, and the Byte–wide bus interface (BA15–0, BD7–0, CE1–4, PE1–4, R/W).]
PIN DESCRIPTION
PIN  DESCRIPTION
11, 9, 7, 5, 1, 79, 77, 75  P0.0 – P0.7. General purpose I/O Port 0. This port is open–drain and can not drive a logic 1. It requires external pull–ups. Port 0 is also the multiplexed Expanded Address/Data bus. When used in this mode, it does not require pull–ups.
15, 17, 19, 21, 25, 27, 29, 31  P1.0 – P1.7. General purpose I/O Port 1.
49, 50, 51, 56, 58, 60, 64, 66  P2.0 – P2.7. General purpose I/O Port 2. Also serves as the MSB of the Expanded Address bus.
36  P3.0 RXD. General purpose I/O port pin 3.0. Also serves as the receive signal for the on board UART. This pin should NOT be connected directly to a PC COM port.
38  P3.1 TXD. General purpose I/O port pin 3.1. Also serves as the transmit signal for the on board UART. This pin should NOT be connected directly to a PC COM port.
39  P3.2 INT0. General purpose I/O port pin 3.2. Also serves as the active low External Interrupt 0.
40  P3.3 INT1. General purpose I/O port pin 3.3. Also serves as the active low External Interrupt 1.
41  P3.4 T0. General purpose I/O port pin 3.4. Also serves as the Timer 0 input.
44  P3.5 T1. General purpose I/O port pin 3.5. Also serves as the Timer 1 input.
45  P3.6 WR. General purpose I/O port pin. Also serves as the write strobe for Expanded bus operation.
46  P3.7 RD. General purpose I/O port pin. Also serves as the read strobe for Expanded bus operation.
34  RST – Active high reset input. A logic 1 applied to this pin will activate a reset state. This pin is pulled down internally so this pin can be left unconnected if not used. An RC power–on reset circuit is not needed and is NOT recommended.
70  ALE – Address Latch Enable. Used to de–multiplex the multiplexed Expanded Address/Data bus on Port 0. This pin is normally connected to the clock input on a ’373 type transparent latch.
47, 48  XTAL2, XTAL1. Used to connect an external crystal to the internal oscillator. XTAL1 is the input to an inverting amplifier and XTAL2 is the output.
52  GND – Logic ground.
13  VCC – +5V
12  VCCO – VCC Output. This is switched between VCC and VLI by internal circuits based on the level of VCC. When power is above the lithium input, power will be drawn from VCC. The lithium cell remains isolated from a load. When VCC is below VLI, the VCCO switches to the VLI source. VCCO should be connected to the VCC pin of an SRAM.
54  VLI – Lithium Voltage Input. Connect to a lithium cell greater than VLImin and no greater than VLImax as shown in the electrical specifications. Nominal value is +3V.
16, 8, 18, 80, 76, 4, 6, 20, 24, 26, 28, 30, 33, 35, 37  BA14 – 0. Byte–wide Address bus bits 14–0. This bus is combined with the non–multiplexed data bus (BD7–0) to access NVSRAM. Decoding is performed using CE1 through CE4. Therefore, BA15 is not actually needed. Read/write access is controlled by R/W. BA14–0 connect directly to an 8K, 32K, or 128K SRAM. If an 8K RAM is used, BA13 and BA14 will be unconnected. If a 128K SRAM is used, the micro converts CE2 and CE3 to serve as A16 and A15 respectively.
71, 69, 67, 65, 61, 59, 57, 55  BD7 – 0. Byte–wide Data bus bits 7–0. This 8–bit bi–directional bus is combined with the non–multiplexed address bus (BA14–0) to access NV SRAM. Decoding is performed on CE1 and CE2. Read/write access is controlled by R/W. BD7–0 connect directly to an SRAM, and optionally to a Real–time Clock or other peripheral.
10  R/W – Read/Write. This signal provides the write enable to the SRAMs on the Byte–wide bus. It is controlled by the memory map and Partition. The blocks selected as Program (ROM) will be write protected.
74  CE1 – Chip Enable 1. This is the primary decoded chip enable for memory access on the Byte–wide bus. It connects to the chip enable input of one SRAM. CE1 is lithium backed. It will remain in a logic high inactive state when VCC falls below VLI.
2  CE2 – Chip Enable 2. This chip enable is provided to access a second 32K block of memory. It connects to the chip enable input of one SRAM. When MSEL=0, the micro converts CE2 into A16 for a 128K x 8 SRAM. CE2 is lithium backed and will remain at a logic high when VCC falls below VLI.
63  CE3 – Chip Enable 3. This chip enable is provided to access a third 32K block of memory. It connects to the chip enable input of one SRAM. When MSEL=0, the micro converts CE3 into A15 for a 128K x 8 SRAM. CE3 is lithium backed and will remain at a logic high when VCC falls below VLI.
62  CE4 – Chip Enable 4. This chip enable is provided to access a fourth 32K block of memory. It connects to the chip enable input of one SRAM. When MSEL=0, this signal is unused. CE4 is lithium backed and will remain at a logic high when VCC falls below VLI.
78  PE1 – Peripheral Enable 1. Accesses data memory between addresses 0000h and 3FFFh when the PES bit is set to a logic 1. Commonly used to chip enable a Byte–wide Real Time Clock such as the DS1283. PE1 is lithium backed and will remain at a logic high when VCC falls below VLI. Connect PE1 to battery backed functions only.
3  PE2 – Peripheral Enable 2. Accesses data memory between addresses 4000h and 7FFFh when the PES bit is set to a logic 1. PE2 is lithium backed and will remain at a logic high when VCC falls below VLI. Connect PE2 to battery backed functions only.
22  PE3 – Peripheral Enable 3. Accesses data memory between addresses 8000h and BFFFh when the PES bit is set to a logic 1. PE3 is not lithium backed and can be connected to any type of peripheral function. If connected to a battery backed chip, it will need additional circuitry to maintain the chip enable in an inactive state when VCC < VLI.
23  PE4 – Peripheral Enable 4. Accesses data memory between addresses C000h and FFFFh when the PES bit is set to a logic 1. PE4 is not lithium backed and can be connected to any type of peripheral function. If connected to a battery backed chip, it will need additional circuitry to maintain the chip enable in an inactive state when VCC < VLI.
32  PROG – Invokes the Bootstrap Loader on a falling edge. This signal should be debounced so that only one edge is detected. If connected to ground, the micro will enter Bootstrap loading on power up. This signal is pulled up internally.
42  VRST – This I/O pin (open drain with internal pull–up) indicates that the power supply (VCC) has fallen below the VCCmin level and the micro is in a reset state. When this occurs, the DS5002FP will drive this pin to a logic 0. Because the micro is lithium backed, this signal is guaranteed even when VCC=0V. Because it is an I/O pin, it will also force a reset if pulled low externally. This allows multiple parts to synchronize their power–down resets.
43  PF – This output goes to a logic 0 to indicate that the micro has switched to lithium backup. This corresponds to VCC < VLI. Because the micro is lithium backed, this signal is guaranteed even when VCC=0V. The normal application of this signal is to control lithium powered current to isolate battery backed functions from non–battery backed functions.
14  MSEL – Memory select. This signal controls the memory size selection. When MSEL = +5V, the DS5002FP expects to use 32K x 8 SRAMs. When MSEL = 0V, the DS5002FP expects to use a 128K x 8 SRAM. MSEL must be connected regardless of Partition, Mode, etc.
53  SDI – Self–Destruct Input. An active high on this pin causes an unlock procedure. This results in the destruction of Vector RAM, Encryption Keys, and the loss of power from VCCO. This pin should be grounded if not used.
72  CE1N – This is a non–battery backed version of CE1. It is not generally useful since the DS5002FP can not be used with EPROM due to its encryption.
73  NC – Do not connect.
SECURE OPERATION OVERVIEW
The DS5002FP incorporates encryption of the activity on its Byte–wide Address/Data bus to prevent unauthorized access to the program and data information contained in the nonvolatile RAM. Loading an application program in this manner is performed via the Bootstrap Loader using the general sequence described below:
1. Clear Security Lock
2. Set memory map configuration as for DS5001FP
3. Load application software
4. Set Security Lock
5. Exit Loader
Loading of application software into the program/data RAM is performed while the DS5002FP is in its Bootstrap Load mode. Loading is only possible when the Security Lock is clear. If the Security Lock has previously been set, then it must be cleared by issuing the “Z” command from the Bootstrap Loader. Resetting the Security Lock instantly clears the previous key word and the contents of the Vector RAM. In addition, the Bootstrap ROM writes zeroes into the first 32K of external RAM.
The user’s application software is loaded into external CMOS SRAM via the “L” command in “scrambled” form through on–chip encryptor circuits. Each external RAM address is an encrypted representation of an on–chip logical address. Thus, the sequential instructions of an ordinary program or data table are stored non–sequentially in RAM memory. The contents of the program/data RAM are also encrypted. Each byte in RAM is encrypted by a key– and address–dependent encryptor circuit such that identical bytes are stored as different values in different memory locations.
The encryption of the program/data RAM is dependent on an on–chip 64–bit key word. The key is loaded by the ROM firmware just prior to the time that the application software is loaded, and is retained as nonvolatile information in the absence of VCC by the lithium backup circuits. After loading is complete, the key is protected by setting the on–chip Security Lock, which is also retained as nonvolatile information in the absence of VCC. Any attempt to tamper with the key word and thereby gain access to the true program/data RAM contents results in the erasure of the key word as well as the RAM contents.
During execution of the application software, logical addresses on the DS5002FP that are generated from the program counter or data pointer registers are encrypted before they are presented on the Byte–wide Address Bus. Opcodes and data are read back and decrypted before they are operated on by the CPU. Similarly, data values written to the external nonvolatile RAM storage during program execution are encrypted before they are presented on the Byte–wide data bus during the write operation. This encryption/decryption process is performed in real time such that no execution time is lost as compared to the non–encrypted DS5001FP or 8051 running at the same clock rate. As a result, operation of the encryptor circuitry is transparent to the application software.
Unlike the DS5000FP, the DS5002FP chip’s security
feature is always enabled.
SECURITY CIRCUITRY
The on–chip functions associated with the DS5002FP’s software security feature are depicted in Figure 2. Encryption logic consists of an address encryptor and a data encryptor. Although each encryptor uses its own algorithm for encrypting data, both depend on the 64–bit key word which is contained in the Encryption Key registers. Both the encryptors operate during loading of the application software and also during its execution.
DS5002FP SECURITY CIRCUITRY Figure 2
[Figure: block diagram showing the data pointer, program counter, bootstrap loader, address encryptor, data encryptor, 64–bit encryption key, security lock, SDI (self–destruct input), random number generator, and external Byte–wide RAM, joined by the secure internal address and data buses and the encrypted Byte–wide address and data buses.]
The address encryptor translates each “logical” address, i.e., the normal sequence of addresses that are generated in the logical flow of program execution, into an encrypted address (or “physical” address) at which the byte is actually stored. Each time a logical address is generated, either during program loading or during program execution, the address encryptor circuitry uses the value of the 64–bit key word and of the address itself to form the physical address which will be presented on the address lines of the RAM. The encryption algorithm is such that there is one and only one physical address for every possible logical address. The address encryptor operates over the entire memory range which is configured during Bootstrap Loading for access on the Byte–wide Bus.
As Bootstrap Loading of the application software is performed, the Data Encryptor logic transforms the opcode, operand, or data byte at any given memory location into an encrypted representation. As each byte is read back to the CPU during program execution, the internal Data Encryptor restores it to its original value. When a byte is written to the external nonvolatile program/data RAM during program execution, that byte is stored in encrypted form as well. The data encryption logic uses the value of the 64–bit key, the logical address to which the data is being written, and the value of the data itself to form the encrypted data which is written to the nonvolatile program/data RAM. The encryption algorithm is repeatable, such that for a given data value, Encryption Key value, and logical address the encrypted byte will always be the same. However, there are many possible encrypted data values for each possible true data value due to the algorithm’s dependency on the values of the logical address and Encryption Key.
When the application software is executed, the internal CPU of the DS5002FP operates as normal. Logical addresses are calculated for opcode fetch cycles and also data read and write operations. The DS5002FP has the ability to perform address encryption on logical addresses as they are generated internally during the normal course of program execution. In a similar fashion, data is manipulated by the CPU in its true representation. However, it is also encrypted when it is written to the external program/data RAM, and is restored to its original value when it is read back.
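The two properties stated above (one and only one physical address per logical address, and identical bytes stored as different values at different locations) can be checked in a small model. This is an added example, not Dallas Semiconductor code: the chip's algorithm is proprietary, so a SHA-256 Feistel network stands in for both encryptors, and every function and class name here is an assumption.

```python
# Toy model of the bus-encryption properties the data sheet describes.
# The real DS5002FP algorithm is proprietary and is NOT reproduced here:
# a SHA-256-based Feistel network stands in for both encryptors.
import hashlib
import secrets

ADDR_HALF_BITS = 8   # 16-bit logical address = two 8-bit Feistel halves
DATA_HALF_BITS = 4   # 8-bit data byte        = two 4-bit Feistel halves
ROUNDS = 4


def _f(key: bytes, tweak: bytes, rnd: int, half: int, bits: int) -> int:
    """Keyed round function: hash (key, tweak, round, half) down to `bits` bits."""
    digest = hashlib.sha256(key + tweak + bytes([rnd, half])).digest()
    return digest[0] & ((1 << bits) - 1)


def _feistel(key: bytes, tweak: bytes, value: int, bits: int, decrypt: bool) -> int:
    """Balanced Feistel network: a bijection on 2*bits-bit values for any key."""
    left, right = value >> bits, value & ((1 << bits) - 1)
    for rnd in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        if decrypt:
            left, right = right ^ _f(key, tweak, rnd, left, bits), left
        else:
            left, right = right, left ^ _f(key, tweak, rnd, right, bits)
    return (left << bits) | right


def encrypt_address(key: bytes, logical: int) -> int:
    """Logical address -> physical address; depends on the key and the address."""
    return _feistel(key, b"addr", logical, ADDR_HALF_BITS, False)


def decrypt_address(key: bytes, physical: int) -> int:
    return _feistel(key, b"addr", physical, ADDR_HALF_BITS, True)


def encrypt_data(key: bytes, logical: int, value: int) -> int:
    """Byte encryption that depends on the key, the logical address and the data."""
    tweak = b"data" + logical.to_bytes(2, "big")
    return _feistel(key, tweak, value, DATA_HALF_BITS, False)


def decrypt_data(key: bytes, logical: int, stored: int) -> int:
    tweak = b"data" + logical.to_bytes(2, "big")
    return _feistel(key, tweak, stored, DATA_HALF_BITS, True)


class SecureBusModel:
    """CPU side sees logical addresses and true data; the SRAM sees neither."""

    def __init__(self, key: bytes = None):
        self.key = key if key is not None else secrets.token_bytes(8)  # 64-bit key
        self.ram = {}      # external SRAM: physical address -> stored byte
        self.trace = []    # what a bus observer sees: (physical address, stored byte)

    def write(self, logical: int, value: int) -> None:
        phys = encrypt_address(self.key, logical)
        stored = encrypt_data(self.key, logical, value)
        self.ram[phys] = stored
        self.trace.append((phys, stored))

    def read(self, logical: int) -> int:
        phys = encrypt_address(self.key, logical)
        stored = self.ram.get(phys, 0)
        self.trace.append((phys, stored))
        return decrypt_data(self.key, logical, stored)

    def erase_key(self) -> None:
        """Models key erasure: the old key is gone, a fresh random one replaces it."""
        self.key = secrets.token_bytes(8)


def demo():
    bus = SecureBusModel(key=bytes(range(8)))   # constructed key, fixed for repeatability
    span = range(0x0100, 0x0200)
    for logical in span:
        bus.write(logical, 0x00)                # 256 identical bytes, sequential addresses
    physical = [p for p, _ in bus.trace]        # observed before any reads are traced
    stored = [s for _, s in bus.trace]
    readback = [bus.read(a) for a in span]      # CPU view: original values restored
    bus.erase_key()
    after_erase = [bus.read(a) for a in span]   # same SRAM, key gone
    return physical, stored, readback, after_erase


if __name__ == "__main__":
    physical, stored, readback, after_erase = demo()
    print("first physical addresses:", [hex(p) for p in physical[:6]])
    print("distinct stored values for one plaintext byte:", len(set(stored)))
    print("readback intact:", readback == [0] * 256, "| after key erase:", after_erase == readback)
```

Because both stand-in encryptors are Feistel networks, they are invertible for every key, which is what lets the model read back exactly what was written while the SRAM holds scattered, differing bytes.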
When an application program is stored in the format described above, it is virtually impossible to disassemble opcodes or to convert data back into its true representation. Address encryption has the effect that the opcodes and data are not stored in the contiguous form in which they were assembled, but rather in seemingly random locations in memory. This in itself makes it virtually impossible to determine the normal flow of the program. As an added protection measure, the Address Encryptor also generates “dummy” read access cycles whenever time is available during program execution.
DUMMY READ CYCLES
Like the DS5000FP, the DS5002FP generates a “dummy” read access cycle to non–sequential addresses in external RAM memory whenever time is available during program execution. This action has the effect of further complicating the task of determining the normal flow of program execution. During these pseudo–random dummy cycles, the RAM is read to all appearance, but the data is not used internally. Through the use of a repeatable exchange of dummy and true read cycles, it is impossible to distinguish a dummy cycle from a real one.
ENCRYPTION ALGORITHM
The DS5002FP incorporates a proprietary algorithm implemented in hardware which performs the scrambling of address and data on the Byte–wide bus to the static RAM. This algorithm has been greatly strengthened with respect to its DS5000FP predecessor. Improvements include:
1. 64–bit Encryption Key
2. Incorporation of DES–like operations to provide a greater degree of nonlinearity
3. Customizable encryption
The encryption circuitry uses a 64–bit key value (compared to the DS5000FP’s 40–bit key) which is stored on the DS5002FP die and protected by the Security Lock function described below. In addition, the algorithm has been strengthened to incorporate certain operations used in DES encryption, so that the encryption of both the addresses and data is highly nonlinear. Unlike the DS5000FP, the encryption circuitry in the DS5002FP is always enabled.
Dallas Semiconductor can customize the encryption circuitry by laser programming the die to insure that a unique encryption algorithm is delivered to the customer. In addition, the customer–specific version can be branded as specified by the customer. Please contact Dallas Semiconductor for ordering information of customer–specific versions.
ENCRYPTION KEY
As described above, the on–chip 64–bit Encryption Key is the basis of both the address and data encryptor circuits. The DS5002FP provides a key management system which is greatly improved over the DS5000FP. The DS5002FP does not give the user the ability to select a key. Instead, when the loader is given certain commands, the key is set based on the value read from an on–chip hardware random number generator. This action is performed just prior to actually loading the code into the external RAM. This scheme prevents characterization of the encryption algorithm by continuously loading new, known keys. It also frees the user from the burden of protecting the key selection process.
The random number generator circuit uses the asynchronous frequency differences of two internal ring oscillators and the processor master clock (determined by XTAL1 and XTAL2). As a result, a true random number is produced.
VECTOR RAM
A 48–byte Vector RAM area is incorporated on–chip, and is used to contain the reset and interrupt vector code in the DS5002FP. It is included in the architecture to help insure the security of the application program.
If reset and interrupt vector locations were accessed from the external nonvolatile program/data RAM during the execution of the program, then it would be possible to determine the encrypted value of known addresses. This could be done by forcing an interrupt or reset condition and observing the resulting addresses on the Byte–wide address/data bus. For example, it is known that when a hardware reset is applied the logical program address is forced to location 0000H and code is executed starting from this location. It would then be possible to determine the encrypted value (or physical address) of the logical address value 0000H by observing the address presented to the external RAM following a hardware reset. Interrupt vector address relationships could be determined in a similar fashion. By using the on–chip Vector RAM to contain the interrupt and reset vectors, it is impossible to observe such relationships. Although it is very unlikely that an application program could be deciphered by observing vector address relationships, the Vector RAM eliminates this possibility. Note that the dummy accesses mentioned above are conducted while fetching from Vector RAM.
The Vector RAM is automatically loaded with the user’s reset and interrupt vectors during bootstrap loading.
SECURITY LOCK
Once the application program has been loaded into the DS5002FP’s NV RAM, the Security Lock may be enabled by issuing the “Z” command in the Bootstrap Loader. While the Security Lock is set, no further access to program/data information is possible via the on–chip ROM. Access is prevented by both the Bootstrap Loader firmware and the DS5002FP encryptor circuits. Access to the NVRAM may only be regained by clearing the Security Lock via the “U” command in the Bootstrap Loader. This action triggers several events which defeat tampering. First, the Encryption Key is instantaneously erased. Without the Encryption Key, the DS5002FP is no longer able to decrypt the contents of the RAM. Therefore, the application software can no longer be correctly executed, nor can it be read back in its true form via the Bootstrap Loader. Second, the Vector RAM area is also instantaneously erased, so that the reset and vector information is lost. Third, the Bootstrap Loader firmware sequentially erases the encrypted RAM area. Lastly, the loader creates and loads a new random key.
The Security Lock bit itself is constructed using a multiple–bit latch which is interlaced for self–destruct in the event of tampering. The lock is designed to set–up a “domino–effect” such that erasure of the bit will result in an unstoppable sequence of events that clears critical data including Encryption Key and Vector RAM. In addition, this bit is protected from probing by the top–coating feature mentioned below.
SELF–DESTRUCT INPUT
The Self–Destruct Input (SDI) pin is an active high input which is used to reset the Security Lock in response to an external event. The SDI input is intended to be used with external tamper detection circuitry. It can be activated with or without operating power applied to the VCC pin. Activation of the SDI pin instantly resets the Security Lock and causes the same sequence of events described above for this action. In addition, power is momentarily removed from the Byte–wide bus interface including the VCCO pin, resulting in the loss of data in external RAM.
TOP LAYER COATING
The DS5002FPM is provided with a special top–layer coating that is designed to prevent a probe attack. This coating is implemented with second–layer metal added through special processing of the microcontroller die. This additional layer is not a simple sheet of metal, but rather a complex layout that is interwoven with power and ground which are in turn connected to logic for the Encryption Key and the Security Lock. As a result, any attempt to remove the layer or probe through it will result in the erasure of the Security Lock and/or the loss of Encryption Key bits.
BOOTSTRAP LOADING
Initial loading of application software into the DS5002FP is performed by firmware within the on–chip Bootstrap Loader communicating with a PC via the on–chip serial port in a manner which is almost identical to that for the DS5001FP. The user should consult the DS5001FP data sheet as a basis of operational characteristics of this firmware. Certain differences in loading procedure exist in order to support the security feature. These differences are documented below. Table 1 summarizes the commands accepted by the bootstrap loader.
When the Bootstrap Loader is invoked, portions of the 128–byte scratchpad RAM area are automatically overwritten with zeroes, and then used for variable storage for the bootstrap firmware. Also, a set of eight bytes are generated using the random number generator circuitry and are saved as a potential word for the 64–bit Encryption Key.
Any read or write operation to the DS5002FP’s external program/data SRAM can only take place if the Security Lock bit is in a cleared state. Therefore, the first step which is taken in the loading of a program should be the clearing of the Security Lock bit through the “U” command.
DS5002FP SERIAL BOOTSTRAP LOADER COMMANDS Table 1
COMMAND  FUNCTION
C        Return CRC–16 of the program/data NV RAM
D        Dump Intel Hex file
F        Fill program/data NV RAM
G        Get Data from P1, P2, and P3
I        N/A on the DS5002FP
L        Load Intel Hex file
M        Toggle modem available bit
N        Set Freshness Seal – All program and data will be lost
P        Put data into P0, P1, P2, and P3
R        Read status of NVSFRs (MCON, RPCTL, MSL, CALIB)
T        Trace (echo) incoming Intel Hex code
U        Clear Security Lock
V        Verify program/data NV RAM with incoming Intel Hex data
W        Write Special Function Registers – (MCON, RPCTL, MSL, CALIB)
Z        Set Security Lock
Execution of certain Bootstrap Loader commands will result in the loading of the newly generated 64–bit random number into the Encryption Key word. These commands are as follows:
Fill F
Load L
Dump D
Verify V
CRC C
Execution of the Fill and Load commands will result in the data loaded into the NV RAM in an encrypted form determined by the value of the newly–generated key word. The subsequent execution of the Dump command within the same bootstrap session will cause the contents of the encrypted RAM to be read out and transmitted back to the host PC in decrypted form. Similarly, execution of the Verify command within the same bootstrap session will cause the incoming absolute hex data to be compared against the true contents of the encrypted RAM, and the CRC command will return the CRC value calculated from the true contents of the encrypted RAM. As long as any of the above commands are executed within the same bootstrap session, the loaded key value will remain the same and contents of the encrypted program/data NV RAM may be read or written normally and freely until the Security Lock bit is set.
When the Security Lock bit is set using the Z command, no further access to the true RAM contents is possible using any bootstrap command or by any other means.
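The lock rules from the SECURITY LOCK, SELF–DESTRUCT INPUT and BOOTSTRAP LOADING sections, as an added behavioural model that is not Dallas Semiconductor firmware. Command letters follow Table 1; the XOR keystream standing in for the encryptors, the class and function names, and the treatment of the first 48 image bytes as the vectors are assumptions.

```python
# Behavioural sketch of the Security Lock rules stated in this data sheet.
# Not Dallas firmware: the XOR keystream is a stand-in for the proprietary
# encryptors, and treating the first 48 image bytes as the reset/interrupt
# vectors is an assumption made for the model.
import hashlib
import secrets

RAM_SIZE = 32 * 1024        # one 32K x 8 SRAM on the Byte-wide bus
VECTOR_RAM_SIZE = 48        # on-chip Vector RAM


class LockedError(Exception):
    """A loader command needed the Security Lock to be clear."""


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (its own inverse)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))


class LoaderModel:
    def __init__(self):
        self.locked = False
        self.key = secrets.token_bytes(8)        # 64-bit key, never chosen by the user
        self.vector_ram = bytes(VECTOR_RAM_SIZE)
        self.external_ram = bytes(RAM_SIZE)      # what is physically in the SRAM

    def _reset_lock(self):
        """Events listed for clearing the lock, applied in one step."""
        self.key = secrets.token_bytes(8)        # old key erased, new random key loaded
        self.vector_ram = bytes(VECTOR_RAM_SIZE) # Vector RAM erased
        self.external_ram = bytes(RAM_SIZE)      # encrypted RAM area erased
        self.locked = False

    def cmd_u(self):
        """'U': Clear Security Lock."""
        self._reset_lock()

    def sdi(self):
        """SDI pin: resets the lock; loss of VCCO power is modelled as zeroed RAM."""
        self._reset_lock()

    def cmd_z(self):
        """'Z': Set Security Lock."""
        self.locked = True

    def cmd_l(self, image: bytes):
        """'L': load an image; it is stored encrypted under the current key."""
        if self.locked:
            raise LockedError("L refused: Security Lock is set")
        padded = image[:RAM_SIZE].ljust(RAM_SIZE, b"\x00")
        self.vector_ram = padded[:VECTOR_RAM_SIZE]
        self.external_ram = xor_keystream(self.key, padded)

    def cmd_d(self) -> bytes:
        """'D': dump the true (decrypted) contents."""
        if self.locked:
            raise LockedError("D refused: Security Lock is set")
        return xor_keystream(self.key, self.external_ram)


def provision(image: bytes) -> LoaderModel:
    """General loading sequence: clear lock, load, check, set lock (memory map step omitted)."""
    chip = LoaderModel()
    chip.cmd_u()
    chip.cmd_l(image)
    if chip.cmd_d()[:len(image)] != image:       # same-session dump returns true contents
        raise RuntimeError("readback mismatch before locking")
    chip.cmd_z()
    return chip


if __name__ == "__main__":
    image = b"\x02\x00\x30" + b"constructed firmware image " * 4   # constructed sample
    chip = provision(image)
    captured = chip.external_ram                 # copy of the SRAM taken while locked
    chip.cmd_u()                                 # regain access: everything is destroyed
    print("RAM zeroed:", chip.external_ram == bytes(RAM_SIZE))
    print("captured copy decrypts under new key:",
          xor_keystream(chip.key, captured)[:len(image)] == image)
```

The practical consequence the model makes visible: once the lock is set, the only way back into the loader's read and write commands is a path that destroys the key, the vectors and the RAM image, so a field update is always a full reload.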
INSTRUCTION SET
The DS5002FP executes an instruction set that is object code compatible with the industry standard 8051 microcontroller. As a result, software development packages such as assemblers and compilers that have been written for the 8051 are compatible with the DS5002FP. A complete description of the instruction set and operation are provided in the User’s Guide section of the Secure Microcontroller Data Book.
Also note that the DS5002FP is embodied in the DS2252T module. The DS2252T combines the DS5002FP with between 32K and 128K of SRAM, a lithium cell, and a real time clock. This is packaged in a 40–pin SIMM module.
MEMORY ORGANIZATION
Figure 3 illustrates the memory map accessed by the DS5002FP. The entire 64K of program and 64K of data are potentially available to the Byte–wide bus. This preserves the I/O ports for application use. The user controls the portion of memory that is actually mapped to the Byte–wide bus by selecting the Program Range and Data Range. Any area not mapped into the NV RAM is reached via the Expanded bus on Ports 0 & 2. An alternate configuration allows dynamic Partitioning of a 64K space as shown in Figure 4. Selecting PES=1 provides another 64K of potential data storage or memory mapped peripheral space as shown in Figure 5. These selections are made using Special Function Registers. The memory map and its controls are covered in detail in the User’s Guide section of the Secure Microcontroller Data Book.
DS5002FP MEMORY MAP IN NON–PARTITIONABLE MODE (PM=1) Figure 3
[Figure not reproduced. Labels: PROGRAM MEMORY and DATA MEMORY (MOVX), 0000h to FFFFh, 64K; NV RAM PROGRAM, PROGRAM RANGE; NV RAM DATA, DATA RANGE. Legend: BYTE–WIDE BUS ACCESS (ENCRYPTED); EXPANDED BUS (PORTS 0 AND 2); NOT AVAILABLE.]
DS5002FP MEMORY MAP IN PARTITIONABLE MODE (PM=0) Figure 4
[Figure not reproduced. Labels: PROGRAM MEMORY and DATA MEMORY (MOVX), 0000h to FFFFh; NV RAM PROGRAM, PARTITION, NV RAM DATA. Legend: NVRAM MEMORY; EXPANDED BUS (PORTS 0 AND 2); NOT AVAILABLE.]
NOTE: Partitionable mode is not supported when MSEL=0 (128KB mode).
DS5002FP MEMORY MAP WITH PES=1 Figure 5
[Figure not reproduced. Labels: PROGRAM MEMORY and DATA MEMORY (MOVX), 0000h, 4000h, FFFFh; NV RAM PROGRAM, PARTITION; PE1, PE2, PE3, PE4 at 16K, 32K, 48K, 64K. Legend: BYTE–WIDE PROGRAM (ENCRYPTED); NOT ACCESSIBLE.]
Figure 6 illustrates a typical memory connection for a system using a
128K byte SRAM. Note that in this configuration, both program and data
are stored in a common RAM chip. Figure 7 shows a similar system using
two 32K byte SRAMs. The Byte–wide Address bus connects to the SRAM
address lines. The bi–directional Byte–wide data bus connects the data
I/O lines of the SRAM.
DS5002FP CONNECTION TO 128K X 8 SRAM Figure 6
[Schematic not reproduced. DS5002FP pins shown: VCC, VLI, VCCO, R/W, CE1, CE2, CE3, BA14–BA0, BD7–BD0, MSEL, GND, PORT0–PORT3. 128K x 8 SRAM pins shown: VCC, WE, CS1, CS2, OE, A16, A15, A14–A0, D7–D0, GND. Supplies shown: +5V, +3V LITHIUM.]
DS5002FP CONNECTION TO 64K X 8 SRAM Figure 7
[Schematic not reproduced. DS5002FP pins shown: VCC, VLI, VCCO, R/W, CE1, CE2, BA14–BA0, BD7–BD0, MSEL, GND, PORT0–PORT3. Each 32K x 8 SRAM: VCC, WE, CS, OE, A14–A0, D7–D0, GND. Supplies shown: +5V, +3V LITHIUM.]
POWER MANAGEMENT
The DS5002FP monitors VCC to provide Power–fail Reset, early warning
Power–fail Interrupt, and switch over to lithium backup. It uses an
internal band–gap reference in determining the switch points. These are
called VPFW, VCCMIN, and VLI respectively. When VCC drops below VPFW, the
DS5002FP will perform an interrupt vector to location 2Bh if the
power–fail warning was enabled. Full processor operation continues
regardless. When power falls further to VCCMIN, the DS5002FP invokes a
reset state. No further code execution will be performed unless power
rises back above VCCMIN. All decoded chip enables and the R/W signal go
to an inactive (logic 1) state. VCC is still the power source at this
time. When VCC drops further to below VLI, internal circuitry will switch
to the lithium cell for power. The majority of internal circuits will be
disabled and the remaining nonvolatile states will be retained. Any
devices connected to VCCO will be powered by the lithium cell at this
time. VCCO will be at the lithium battery voltage less a diode drop. This
drop will vary depending on the load. Low power SRAMs should be used for
this reason. When using the DS5002FP, the user must select the
appropriate battery to match the RAM data retention current and the
desired backup lifetime. Note that the lithium cell is only loaded when
VCC < VLI. The User’s Guide has more information on this topic. The trip
points VCCMIN and VPFW are listed in the electrical specifications.
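The three trip points described above, worked through as an added example (not code from the data sheet): it classifies the supply state for a falling VCC and estimates how many machine cycles a power–fail interrupt routine gets between the VPFW and VCCMIN crossings. The VPFW and VCCMIN numbers are the 0°C to 70°C limits from the DC characteristics table; the 3.0V lithium value, the linear 500 mV/ms decay, and the 12–clock 8051 machine cycle are assumptions.

```c
#include <stdio.h>

/* Trip points in millivolts. VPFW and VCCMIN come from the DC table
 * (0°C to 70°C); VLI is an assumed 3.0 V lithium cell. */
typedef struct { int vpfw_mv, vccmin_mv, vli_mv; } trip_points;

static const trip_points TYPICAL    = { 4370, 4120, 3000 };
/* VPFW at its minimum, VCCMIN at its maximum, limits taken independently. */
static const trip_points WORST_CASE = { 4250, 4250, 3000 };

typedef enum { RUN, WARNING, RESET_ON_VCC, LITHIUM_BACKUP } supply_state;

/* State of the part for a given VCC, per the POWER MANAGEMENT text. */
supply_state classify(int vcc_mv, const trip_points *tp)
{
    if (vcc_mv < tp->vli_mv)     return LITHIUM_BACKUP; /* cell powers VCCO */
    if (vcc_mv <= tp->vccmin_mv) return RESET_ON_VCC;   /* CEs and R/W inactive */
    if (vcc_mv < tp->vpfw_mv)    return WARNING;        /* vector to 2Bh if enabled */
    return RUN;
}

/* Machine cycles available to the power-fail ISR between the VPFW and
 * VCCMIN crossings, for a linear VCC decay (assumed model).
 * Uses the standard 8051 machine cycle of 12 oscillator periods. */
long long isr_budget_cycles(const trip_points *tp, int slew_mv_per_ms,
                            long long f_osc_hz)
{
    long long window_mv = tp->vpfw_mv - tp->vccmin_mv;
    if (window_mv <= 0 || slew_mv_per_ms <= 0) return 0;
    long long window_ns = window_mv * 1000000LL / slew_mv_per_ms;
    return window_ns * f_osc_hz / (12LL * 1000000000LL);
}

int main(void)
{
    /* Constructed scenario: VCC falling at 500 mV/ms, 16 MHz crystal. */
    printf("typical budget:    %lld cycles\n",
           isr_budget_cycles(&TYPICAL, 500, 16000000LL));
    printf("worst-case budget: %lld cycles\n",
           isr_budget_cycles(&WORST_CASE, 500, 16000000LL));
    printf("4.30 V typical -> state %d\n", classify(4300, &TYPICAL));
    printf("4.25 V worst   -> state %d\n", classify(4250, &WORST_CASE));
    return 0;
}
```

If the two table limits are taken independently, VPFW at its 4.25V minimum and VCCMIN at its 4.25V maximum leave no guaranteed window, so anything that must be saved or cleared before reset should not depend on the warning interrupt alone.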
ELECTRICAL SPECIFICATIONS
The DS5002FP adheres to all AC and DC electrical specifications published
for the DS5001FP. The absolute maximum ratings and unique specifications
for the DS5002FP are listed below.
ABSOLUTE MAXIMUM RATINGS*
Voltage on Any Pin Relative to Ground –0.3V to +7.0V
Operating Temperature 0°C to 70°C
Storage Temperature –40°C to +70°C
Soldering Temperature 260°C for 10 seconds
* This is a stress rating only and functional operation of the device at these or any other conditions above those
indicated in the operation sections of this specification is not implied. Exposure to absolute maximum rating
conditions for extended periods of time may affect reliability.
DC CHARACTERISTICS (tA = 0°C to 70°C; VCC=5V ± 10%)
PARAMETER  SYMBOL  MIN  TYP  MAX  UNITS  NOTES
Input Low Voltage  VIL  –0.3  +0.8  V  1
Input High Voltage  VIH1  2.0  VCC+0.3  V  1
Input High Voltage (RST, XTAL1, PROG)  VIH2  3.5  VCC+0.3  V  1
Output Low Voltage @ IOL=1.6 mA (Ports 1, 2, 3)  VOL1  0.15  0.45  V  1
Output Low Voltage @ IOL=3.2 mA (Port 0, ALE, PF, BA15–0, BD7–0, R/W, CE1N, CE1–4, PE1–4, VRST)  VOL2  0.15  0.45  V  1
Output High Voltage @ IOH=–80 µA (Ports 1, 2, 3)  VOH1  2.4  4.8  V  1
Output High Voltage @ IOH=–400 µA (Ports 0, ALE, PF, BA15–0, BD7–0, R/W, CE1N, CE1–4, PE1–4)  VOH2  2.4  4.8  V  1
Input Low Current VIN=0.45V (Ports 1, 2, 3)  IIL  –50  µA
Transition Current; 1 to 0 VIN=2.0V (Ports 1, 2, 3) (0°C to 70°C)  ITL  –500  µA
Transition Current; 1 to 0 VIN=2.0V (Ports 1, 2, 3) (–40°C to +85°C)  ITL  –600  µA  12
SDI Input Low Voltage  VILS  0.4  V  1
SDI Input High Voltage  VIHS  2.0  VCCO  V  1, 11
SDI Pull–Down Resistor  RSDI  25  60  kΩ
Battery–Backup Quiescent Current  IBAT  575  nA  7
DC CHARACTERISTICS (cont’d) (tA = 0°C to 70°C; VCC=5V ± 10%)
PARAMETER  SYMBOL  MIN  TYP  MAX  UNITS  NOTES
Input Leakage Current 0.45 < VIN < VCC (Port 0, MSEL)  IIL  ±10  µA
RST Pull–down Resistor (0°C to 70°C)  RRE  40  150  kΩ
RST Pull–down Resistor (–40°C to +85°C)  RRE  40  180  kΩ  12
VRST Pull–up Resistor  RVR  4.7  kΩ
PROG Pull–up Resistor  RPR  40  kΩ
Power–Fail Warning Voltage (0°C to 70°C)  VPFW  4.25  4.37  4.50  V  1
Power–Fail Warning Voltage (–40°C to +85°C)  VPFW  4.1  4.37  4.5  V  1, 12
Minimum Operating Voltage (0°C to 70°C)  VCCMIN  4.00  4.12  4.25  V  1
Minimum Operating Voltage (–40°C to +85°C)  VCCMIN  3.85  4.09  4.25  V  1, 12
Lithium Supply Voltage  VLI  2.5  4.0  V  1
Operating Current @ 16 MHz  ICC  36  mA  2
Idle Mode Current @ 12 MHz (0°C to 70°C)  IIDLE  7.0  mA  3
Idle Mode Current @ 12 MHz (–40°C to +85°C)  IIDLE  8.0  mA  3, 12
Stop Mode Current  ISTOP  80  µA  4
Pin Capacitance  CIN  10  pF  5
Output Supply Voltage (VCCO)  VCCO1  VCC–0.35  V  1, 2
Output Supply Battery–backed Mode (VCCO, CE1–4, PE1–2) (0°C to 70°C)  VCCO2  VLI–0.65  V  1, 8
Output Supply Battery–backed Mode (VCCO, CE1–4, PE1–2) (–40°C to +85°C)  VCCO2  VLI–0.9  V  1, 8, 12
Output Supply Current @ VCCO=VCC – 0.3V  ICCO1  75  mA  6
Lithium–backed Quiescent Current  ILI  575  nA  7
Reset Trip Point in Stop Mode w/BAT=3.0V (0°C to 70°C)  4.0  4.25  1
Reset Trip Point in Stop Mode w/BAT=3.0V (–40°C to +85°C)  3.85  4.25  1, 12
Reset Trip Point in Stop Mode w/BAT=3.3V (0°C to 70°C)  4.4  4.65  1
AC CHARACTERISTICS (tA = 0°C to 70°C; VCC=0V to 5V)
PARAMETER  SYMBOL  MIN  TYP  MAX  UNITS  NOTES
SDI Pulse Reject  tSPR  2  µs  10
SDI Pulse Accept  tSPA  10  µs  10
AC CHARACTERISTICS
EXPANDED BUS MODE TIMING SPECIFICATIONS (tA = 0°C to 70°C; VCC=5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
1  Oscillator Frequency  1/tCLK  1.0  16  MHz
2  ALE Pulse Width  tALPW  2tCLK–40  ns
3  Address Valid to ALE Low  tAVALL  tCLK–40  ns
4  Address Hold After ALE Low  tAVAAV  tCLK–35  ns
14  RD Pulse Width  tRDPW  6tCLK–100  ns
15  WR Pulse Width  tWRPW  6tCLK–100  ns
16  RD Low to Valid Data In @12 MHz  tRDLDV  5tCLK–165  ns
16  RD Low to Valid Data In @16 MHz  tRDLDV  5tCLK–105  ns
17  Data Hold after RD High  tRDHDV  0  ns
18  Data Float after RD High  tRDHDZ  2tCLK–70  ns
19  ALE Low to Valid Data In @12 MHz  tALLVD  8tCLK–150  ns
19  ALE Low to Valid Data In @16 MHz  tALLVD  8tCLK–90  ns
20  Valid Addr. to Valid Data In @12 MHz  tAVDV  9tCLK–165  ns
20  Valid Addr. to Valid Data In @16 MHz  tAVDV  9tCLK–105  ns
21  ALE Low to RD or WR Low  tALLRDL  3tCLK–50  3tCLK+50  ns
22  Address Valid to RD or WR Low  tAVRDL  4tCLK–130  ns
23  Data Valid to WR Going Low  tDVWRL  tCLK–60  ns
24  Data Valid to WR High @12 MHz  tDVWRH  7tCLK–150  ns
24  Data Valid to WR High @16 MHz  tDVWRH  7tCLK–90  ns
25  Data Valid after WR High  tWRHDV  tCLK–50  ns
26  RD Low to Address Float  tRDLAZ  0  ns
27  RD or WR High to ALE High  tRDHALH  tCLK–40  tCLK+50  ns
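EXPANDED DATA MEMORY READ CYCLE
[Timing diagram not reproduced. Signals: ALE; RD; PORT 0 (A7–A0 (Rn OR DPL), DATA IN, A7–A0 (PCL), INSTR IN); PORT 2 (P2.7–P2.0 OR A15–A8 FROM DPH, A15–A8 FROM PCH). Timing parameters referenced: 2, 3, 4, 14, 16, 17, 18, 19, 20, 21, 22, 26, 27.]
EXPANDED DATA MEMORY WRITE CYCLE
[Timing diagram not reproduced. Signals: ALE; WR; PORT 0 (A7–A0 (Rn OR DPL), DATA OUT, A7–A0 (PCL), INSTR IN); PORT 2 (P2.7–P2.0 OR A15–A8 FROM PDH, A15–A8 FROM PCH). Timing parameters referenced: 3, 4, 15, 21, 22, 23, 24, 25, 27.]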
AC CHARACTERISTICS (cont’d)
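EXTERNAL CLOCK DRIVE (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
28  External Clock High Time @12 MHz  tCLKHPW  20  ns
28  External Clock High Time @16 MHz  tCLKHPW  15  ns
29  External Clock Low Time @12 MHz  tCLKLPW  20  ns
29  External Clock Low Time @16 MHz  tCLKLPW  15  ns
30  External Clock Rise Time @12 MHz  tCLKR  20  ns
30  External Clock Rise Time @16 MHz  tCLKR  15  ns
31  External Clock Fall Time @12 MHz  tCLKF  20  ns
31  External Clock Fall Time @16 MHz  tCLKF  15  ns
EXTERNAL CLOCK TIMING
[Timing diagram not reproduced. Timing parameters referenced: 1, 28, 29, 30, 31.]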
AC CHARACTERISTICS (cont’d)
POWER CYCLING TIMING (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
32  Slew Rate from VCCmin to VLI  tF  130  µs
33  Crystal Start up Time  tCSU  (note 9)
34  Power On Reset Delay  tPOR  21504  tCLK
POWER CYCLE TIMING
[Timing diagram not reproduced. Traces: VCC (with VPFW, VCCMIN and VLI levels), INTERRUPT SERVICE ROUTINE, CLOCK OSC, INTERNAL RESET, LITHIUM CURRENT. Timing parameters referenced: 32, 33, 34.]
AC CHARACTERISTICS (cont’d)
SERIAL PORT TIMING – MODE 0 (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
35  Serial Port Clock Cycle Time  tSPCLK  12tCLK  µs
36  Output Data Setup to Rising Clock Edge  tDOCH  10tCLK–133  ns
37  Output Data Hold after Rising Clock Edge  tCHDO  2tCLK–117  ns
38  Clock Rising Edge to Input Data Valid  tCHDV  10tCLK–133  ns
39  Input Data Hold after Rising Clock Edge  tCHDIV  0  ns
SERIAL PORT TIMING – MODE 0
[Timing diagram not reproduced. Traces: ALE, CLOCK, DATA OUT (bits 0 to 7), INPUT DATA (VALID). Events marked: WRITE TO SBUF REGISTER, SET TI, SET RI, CLEAR RI. Timing parameters referenced: 35, 36, 37, 38, 39.]
AC CHARACTERISTICS
BYTEWIDE ADDRESS/DATA BUS TIMING (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
40  Delay to Byte–wide Address Valid from CE1, CE2 or CE1N Low During Opcode Fetch  tCE1LPA  30  ns
41  Pulse Width of CE1–4, PE1–4 or CE1N  tCEPW  4tCLK–35  ns
42  Byte–wide Address Hold After CE1, CE2 or CE1N High During Opcode Fetch  tCE1HPA  2tCLK–20  ns
43  Byte–wide Data Setup to CE1, CE2 or CE1N High During Opcode Fetch  tOVCE1H  1tCLK+40  ns
44  Byte–wide Data Hold After CE1, CE2 or CE1N High During Opcode Fetch  tCE1HOV  10  ns
45  Byte–wide Address Hold After CE1–4, PE1–4, or CE1N High During MOVX  tCEHDA  4tCLK–30  ns
46  Delay from Bytewide Address Valid CE1–4, PE1–4, or CE1N Low During MOVX  tCELDA  4tCLK–35  ns
47  Byte–wide Data Setup to CE1–4, PE1–4, or CE1N High During MOVX (read)  tDACEH  1tCLK+40  ns
48  Byte–wide Data Hold After CE1–4, PE1–4, or CE1N High During MOVX (read)  tCEHDV  10  ns
49  Byte–wide Address Valid to R/W Active During MOVX (write)  tAVRWL  3tCLK–35  ns
50  Delay from R/W Low to Valid Data Out During MOVX (write)  tRWLDV  20  ns
51  Valid Data Out Hold Time from CE1–4, PE1–4, or CE1N High  tCEHDV  1tCLK–15  ns
52  Valid Data Out Hold Time from R/W High  tRWHDV  0  ns
53  Write Pulse Width (R/W Low Time)  tRWLPW  6tCLK–20  ns
BYTEWIDE BUS TIMING
RPC AC CHARACTERISTICS – DBB READ (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
54  CS, A0 Setup to RD  tAR  0  ns
55  CS, A0 Hold After RD  tRA  0  ns
56  RD Pulse Width  tRR  160  ns
57  CS, A0 to Data Out Delay  tAD  130  ns
58  RD to Data Out Delay  tRD  0  130  ns
59  RD to Data Float Delay  tRDZ  85  ns
RPC AC CHARACTERISTICS – DBB WRITE (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
60  CS, A0 Setup to WR  tAW  0  ns
61A  CS, Hold After WR  tWA  0  ns
61B  A0, Hold After WR  tWA  20  ns
62  WR Pulse Width  tWW  160  ns
63  Data Setup to WR  tDW  130  ns
64  Data Hold After WR  tWD  20  ns
AC CHARACTERISTICS – DMA (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
65  DACK to WR or RD  tACC  0  ns
66  RD or WR to DACK  tCAC  0  ns
67  DACK to Data Valid  tACD  0  130  ns
68  RD or WR to DRQ Cleared  tCRQ  110  ns
AC CHARACTERISTICS – PROG (tA = 0°C to 70°C; VCC = 5V + 10%)
#  PARAMETER  SYMBOL  MIN  MAX  UNITS
69  PROG Low to Active  tPRA  48  CLKS
70  PROG High to Inactive  tPRI  48  CLKS
RPC TIMING MODE
[Timing diagrams not reproduced. READ OPERATION: CS OR A0, RD, DATA (DATA VALID); timing parameters 54 to 59. WRITE OPERATION: CS OR A0, WR, DATA (DATA VALID); timing parameters 60 to 64. DMA: DACK, RD, WR, DATA (VALID), DRQ; timing parameters 65 to 68.]
NOTES:
All parameters apply to both commercial and industrial temperature operation unless otherwise noted.
1. All voltages are referenced to ground.
2. Maximum operating ICC is measured with all output pins disconnected; XTAL1 driven with tCLKR,
tCLKF=10 ns, VIL = 0.5V; XTAL2 disconnected; RST = PORT0 = VCC, MSEL = VSS.
3. Idle mode IIDLE is measured with all output pins disconnected; XTAL1 driven with tCLKR, tCLKF = 10 ns,
VIL = 0.5V; XTAL2 disconnected; PORT0 = VCC, RST = MSEL = VSS.
4. Stop mode ISTOP is measured with all output pins disconnected; PORT0 = VCC; XTAL2 not connected;
RST = MSEL = XTAL1 = VSS.
5. Pin Capacitance is measured with a test frequency – 1 MHz, tA = 25°C.
6. ICCO1 is the maximum average operating current that can be drawn from VCCO in normal operation.
7. ILI is the current drawn from VLI input when VCC = 0V and VCCO is disconnected. Battery–backed mode:
2.5V < VBAT < 4.0; VCC < VBAT; VSDI should be < VILS for IBAT max.
8. VCCO2 is measured with VCC < VLI, and a maximum load of 10 µA on VCCO.
9. Crystal start–up time is the time required to get the mass of the crystal into vibrational motion from the time
that power is first applied to the circuit until the first clock pulse is produced by the on–chip oscillator. The
user should check with the crystal vendor for a worst case specification on this time.
10. SDI is deglitched to prevent accidental destruction. The pulse must be longer than tSPR to pass the
deglitcher, but SDI is not guaranteed unless it is longer than tSPA.
11. VIHS minimum is 2.0V or VCCO, whichever is lower.
12. This parameter applies to industrial temperature operation.
DS5002FP CMOS MICROPROCESSOR
[Package outline drawing not reproduced.]
MILLIMETERS
DIM  MIN  MAX
A  3.40
A1  0.25
A2  2.55  2.87
B  0.30  0.50
C  0.13  0.23
D  23.70  24.10
D1  19.90  20.10
E  17.70  18.10
E1  13.90  14.10
e  0.80 BSC
L  0.65  0.95
56–G4005–001
DATA SHEET REVISION SUMMARY
The following represent the key differences between the 11/27/95 and 07/30/96 versions of the DS5002FP data sheet.
Please review this summary carefully.
1. Change VCC02 specification from VLI –0.5 to VLI –0.65 (PCN F62501).
2. Update mechanical specifications.
The following represent the key differences between the 07/30/96 and 11/19/96 versions of the DS5002FP data sheet.
Please review this summary carefully.
1. Change VCC01 from VCC–0.3 to VCC–0.35.