Securing nonvolatile, nonresettable counters in embedded designs

by Bernhard Linke, TechOnline India - May 17, 2011

It is sometimes desirable for warranty reasons to count and record certain events such as power cycles, operating time, hard (pushbutton) resets, and timeouts – and do so securely.

The traditional electronic counters for this purpose are built from flip-flops, using a binary code such as the one shown in Figure 1 below. The maximum count is reached when all flip-flops are set, so the size of the counter is determined by the maximum number of events to be counted during the interval of interest.

Figure 1: In natural binary code, the place value doubles from one bit to the next.

Addressing the requirements

Although a counter based on flip-flops is easily built, it has major drawbacks. It rolls over to zero (resets itself) when it reaches the counting limit. Its operation is also volatile—it requires power to maintain the state of its count.

The first issue can be addressed by freezing the counter when it reaches its limit; you can resolve the second issue by attaching a battery to maintain power on the counter. But these measures may not be acceptable, because they add cost and work only for a limited time.

There is an alternative. You can back up the count value in EEPROM or some other form of nonvolatile (NV) storage. On the next power-up, the counter can be preloaded with the value stored in this NV memory.

Unless the NV memory is embedded in another chip like a microcontroller or FPGA, however, the memory contents are not secure because the memory chip can easily be removed, reprogrammed (reset), and replaced on the circuit board. This method, therefore, does not meet the requirement of being nonresettable.

A trick from the past

EPROM is another type of nonvolatile memory that requires no battery. EPROM became popular in the 1970s with the advent of the microprocessor. Fresh from the factory, all EPROM bytes read FFh.

Data is stored by programming individual bits from 1 (erased) to 0 (programmed); the programming requires pulses of 12V to 13V. Before loading new data, you must erase the entire memory by exposing the chip to high-intensity ultraviolet light through a window built into the package for that purpose.

One-time-programmable (OTP) EPROMs do not have a window and, therefore, cannot be erased. Because of these inconveniences, the popularity of EPROMs has dwindled in favor of EEPROMs and high-density flash memories, both of which can be operated and programmed at 5V or less.

Nonetheless, by combining the one-way programming (1 to 0) and lack of erasability of an OTP EPROM with modern EEPROM technology, you can attain a new feature called EPROM-emulation mode. EPROM-emulation mode is a key technique for realizing nonvolatile, nonresettable counters.

EPROM-emulation mode

A common feature of serial-interface EEPROMs is a page-write buffer, which lets you program an entire memory page in a single stroke. On receiving a write command, the system automatically loads the page-write buffer with data from the addressed memory page. For EPROM-emulation mode, the write buffer is implemented as a shift register (Figure 2 below).

The incoming new data (D-IN) feeds into an AND gate that combines it with buffer data (S-OUT) before it enters the buffer (S-IN). Thus, the AND gate ensures that a memory bit cannot be changed to 1 after it has been programmed to 0.

After a full cycle through all bits of the page, data in the buffer is again aligned with data in the memory page. Now the write cycle can be started, which copies the entire buffer back to the nonvolatile EEPROM.

Figure 2: EPROM Emulation writes the bitwise logical AND of new data and existing data back to the memory.

Counting in EPROM

Because EPROM bits can be changed only in one direction, a conventional counting code does not work. Instead, you must regard the entire memory array as a single entity of n bits. Initially, none of the n bits are programmed (all are 1).

To count an event, you must change one of the unprogrammed bits to 0. You could simply select the next bit to be programmed at random, but the scheme in Figure 3 below is easier to implement.

It starts with the least significant bit and continues in sequence until all the bits of that byte are programmed. It then programs the next byte bit by bit, and so on. In EPROM-emulation mode, a memory chip with 1024 bits is good for counting 1024 events.

Figure 3: Counting in EPROM requires a code for which every bit has the same place value.

Chips supporting EPROM-emulation mode

EPROM-emulation mode itself is easy to implement, but it is available only in specific memory devices, ranging from 1Kbit to 20Kbit in density [1]. These devices carry a unique, factory-programmed identification number; the secure members of the family additionally require the bus master to present a message-authentication code, computed from a device-specific secret, before a write is accepted.

Going with the flow (chart)

As an example, consider a DS2431 memory chip in which memory page 0 is configured to implement a 256-bit counter in EPROM-emulation mode. The 32-byte page can be updated in blocks of eight bytes each, using a 64-bit scratchpad as intermediate storage. The algorithm in Figure 4 below detects the first block with unprogrammed bits, increments the count value, and writes the block back to EEPROM.

Figure 4: This algorithm increments the counter in a 32-byte memory page.
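
The counting code of Figure 3 and the block-wise increment of Figure 4, as an added example that is not Maxim's code: the EEPROM page is simulated in RAM, its copy-scratchpad path ANDs new data with old data exactly as Figure 2 describes, and the sizes follow the DS2431 description above (32-byte page, 8-byte blocks, 64-bit scratchpad). The class and function names, and the read-back verification after each write, are assumptions of this example; the real part's bus commands are not modelled.

```python
"""Nonvolatile, nonresettable counter in an EEPROM page operated in
EPROM-emulation mode.  Added example, not Maxim's code: the page is
simulated in RAM; sizes follow the DS2431 description in the text
(32-byte page updated in 8-byte blocks through a 64-bit scratchpad).
The bus commands of the real part are not modelled."""

PAGE_BYTES = 32
BLOCK_BYTES = 8
BLOCKS = PAGE_BYTES // BLOCK_BYTES
ERASED = 0xFF


class EmulatedEpromPage:
    """One EEPROM page whose copy-scratchpad path ANDs the new data with
    the existing contents (Figure 2): a bit can go 1 -> 0 but never back."""

    def __init__(self):
        self.mem = bytearray([ERASED] * PAGE_BYTES)   # fresh part: all ones
        self.scratchpad = bytearray(BLOCK_BYTES)

    def read_block(self, block):
        start = block * BLOCK_BYTES
        return bytes(self.mem[start:start + BLOCK_BYTES])

    def write_scratchpad(self, data):
        if len(data) != BLOCK_BYTES:
            raise ValueError("scratchpad holds exactly one 8-byte block")
        self.scratchpad[:] = data

    def copy_scratchpad(self, block):
        start = block * BLOCK_BYTES
        for i in range(BLOCK_BYTES):
            # The AND gate of Figure 2: new = old AND incoming.
            self.mem[start + i] &= self.scratchpad[i]


def count_value(page):
    """Figure 3 code: every bit has the same weight, so the count is
    simply the number of programmed (0) bits in the page."""
    return sum(8 - bin(b).count("1") for b in page.mem)


def increment(page):
    """Figure 4: find the first block that still has an unprogrammed bit,
    clear the lowest such bit (LSB first, then the next byte), write the
    block back and verify. Returns the new count, or None if the page is full."""
    for block in range(BLOCKS):
        data = bytearray(page.read_block(block))
        for i, b in enumerate(data):
            if b == 0x00:
                continue                       # byte fully programmed
            lowest_set = b & -b                # isolate the lowest 1 bit
            data[i] = b & ~lowest_set & 0xFF
            page.write_scratchpad(bytes(data))
            page.copy_scratchpad(block)
            # Read-back check: the block must now hold exactly what was written.
            if page.read_block(block) != bytes(data):
                raise RuntimeError("write verify failed")
            return count_value(page)
    return None                                # all 256 bits used


def attempt_reset(page):
    """What a 'reset' through the normal write path achieves: nothing,
    because all-ones ANDed with the page leaves the page unchanged."""
    page.write_scratchpad(bytes([ERASED] * BLOCK_BYTES))
    for block in range(BLOCKS):
        page.copy_scratchpad(block)
    return count_value(page)


if __name__ == "__main__":
    page = EmulatedEpromPage()
    for _ in range(9):
        increment(page)
    print("count:", count_value(page), "page:", page.mem.hex())
    print("after reset attempt:", attempt_reset(page))
```

Two properties worth noticing when running this: a write of all ones through the emulated path is accepted by the device but changes nothing, which is the whole point of the mode; and because each increment changes exactly one bit, a power loss between loading the scratchpad and copying it leaves the count one short rather than corrupted, so the host can simply retry.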

Conclusion

EEPROMs that include EPROM-emulation mode are the product of choice for implementing nonvolatile, nonresettable counters. The serial number of the memory chip can be used to detect tampering—that is, replacing the memory chip with one that has a lower count value.

To prevent unauthorized incrementing of the counter, one should use a secure memory chip that requires a message-authentication code for write access.
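
The two protections of the conclusion, the identity check against a swapped chip and the MAC-gated write, as an added example that is not the devices' own protocol: HMAC-SHA256 over (ROM ID, block number, block data) is an assumption standing in for the part-specific MAC scheme of the data sheets [1], the class names are this example's, and the 8-byte ROM IDs and the shared secret are constructed sample values.

```python
"""Write access gated by a message-authentication code, plus an
identity check against chip swapping.  Added example, not the devices'
own protocol: HMAC-SHA256 over (ROM ID, block number, block data) is an
assumption standing in for the part-specific MAC described in the data
sheets, and the ROM IDs and secret below are constructed sample values."""

import hashlib
import hmac

BLOCK_BYTES = 8


class SecureCounterDevice:
    """Memory chip model: factory ID, device-specific secret, and a
    32-byte page written through the EPROM-emulation AND path."""

    def __init__(self, rom_id, secret):
        self.rom_id = rom_id
        self._secret = secret              # never leaves the chip
        self.page = bytearray([0xFF] * 32)

    def read_rom_id(self):
        return self.rom_id

    def read_block(self, block):
        return bytes(self.page[block * BLOCK_BYTES:(block + 1) * BLOCK_BYTES])

    def _expected_mac(self, block, data):
        return hmac.new(self._secret, self.rom_id + bytes([block]) + data,
                        hashlib.sha256).digest()

    def authenticated_write(self, block, data, mac):
        """Apply the write only if the MAC verifies; the AND keeps even an
        authenticated write from setting a programmed bit back to 1."""
        if len(data) != BLOCK_BYTES:
            return False
        if not hmac.compare_digest(mac, self._expected_mac(block, data)):
            return False
        start = block * BLOCK_BYTES
        for i in range(BLOCK_BYTES):
            self.page[start + i] &= data[i]
        return True


class HostMaster:
    """Host MCU: holds the shared secret and the ROM ID it was paired
    with at manufacture (assumed to live in the MCU's own protected
    nonvolatile storage)."""

    def __init__(self, secret, paired_rom_id):
        self._secret = secret
        self.paired_rom_id = paired_rom_id

    def device_is_genuine(self, device):
        """Tamper check from the conclusion: a swapped chip carries a
        different factory ID than the one this host was paired with."""
        return hmac.compare_digest(device.read_rom_id(), self.paired_rom_id)

    def write_block(self, device, block, data):
        if not self.device_is_genuine(device):
            return False
        mac = hmac.new(self._secret, device.read_rom_id() + bytes([block]) + data,
                       hashlib.sha256).digest()
        return device.authenticated_write(block, data, mac)


def program_bit_demo():
    """Program the LSB through the MAC-gated path, then show what an
    attacker without the secret, and a swapped chip, get."""
    secret = b"constructed-shared-secret"             # constructed sample
    rom_id = bytes.fromhex("2d0000001a2b3c4d")         # constructed sample ID
    device = SecureCounterDevice(rom_id, secret)
    host = HostMaster(secret, rom_id)

    first_block = bytes([0xFE]) + b"\xff" * 7         # program the LSB: count 1
    accepted = host.write_block(device, 0, first_block)

    # Attacker with bus access but no secret tries to program the whole
    # block (an unauthorized jump of the count) using a guessed key.
    bad_mac = hmac.new(b"guess", rom_id + b"\x00" + bytes(8), hashlib.sha256).digest()
    forged = device.authenticated_write(0, bytes(8), bad_mac)

    # Chip swapped for a fresh one: different factory ID, so the host refuses it.
    swapped = SecureCounterDevice(bytes.fromhex("2d00000099887766"), secret)
    genuine = host.device_is_genuine(swapped)

    return accepted, forged, device.read_block(0), genuine
```

Binding the ROM ID into the MAC means a MAC computed for one chip is useless on another. Note also that replaying a captured authenticated write cannot advance the count: the AND path makes every write idempotent, so a replay can never program a bit the original write did not. The remaining root of trust is the host's copy of the secret, which must sit in storage at least as well protected as the counter itself.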

References

[1] Maxim Integrated data sheets: DS2431, DS28EC20, DS28E01, and DS28CN01.

About the author:

Bernhard Linke has been a principal member of the technical staff at Maxim Integrated Products since 2001, following Maxim's acquisition of Dallas Semiconductor, which Bernhard joined in 1993. Before Dallas Semiconductor, he worked for Astek Elektronik Vertriebs GmbH, a distributor in Kaltenkirchen, Germany, and in various positions at Valvo Röhren- und Halbleiterwerke der Philips GmbH in Hamburg, Germany. In 1979 he received a Diplom-Ingenieur degree in Allgemeine Elektrotechnik from the Rheinisch-Westfälische Technische Hochschule in Aachen, Germany.
