• State Resolved
  • Locked Locked
  • Replies 1 reply
  • Subscribers 59 subscribers
  • Views 1228 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

[FAQ] What is the procedure to program the SHA-1 secure key?

Wyatt Keller
Guru* 89920 points
Other Parts Discussed in Thread: BQ40Z50-R2

The BQ40Z50-R4, BQ40Z50-R3, and BQ40Z50-R2 have the option to choose the secure memory location for SHA-1 authentication.

To program the SHA-1 key into secure memory a specific sequence of commands is required. Once the key is programmed it cannot be erased or re-programmed after the device goes through a power reset. Search the Technical Reference Manual (TRM) for the SHA1_SECURE bit for more information.

Sequence for programming the SHA1 secure keys:

  1.   If device is in FW mode, send cmd 0x00 with data 0x0F00 to bring the device to ROM mode
    1. In order for the device to enter ROM mode it must be unsealed and in full-access mode.
  2. Set bit 0x08 in address 0
    1. Set address: Send SMB write word with cmd 0x09, data = 0x00
    2. Peek data: Read SMB read word with cmd 0x0B, LSB is used, ignore MSB
    3. OR the LSB with 0x08 (i.e. 0x08 | LSB)
    4. Poke data: Send SMB write word with cmd 0x0A, data = 0x08 | LSB
  3. Poke address 2 with data 0xC7
    1. Set address: Send SMB write word with cmd 0x09, data = 0x02
    2. Poke data: Send SMB write word with cmd 0x0A, data = 0xC7
  4. Block write 20-byte key F to command AuthWriteKeyF()
  5. Block write 20-byte Key C to command AuthWriteKeyC()
  6. Clear bit 0x08 in address 0
    1. Set address: Send SMB write word with cmd 0x09, data = 0x00
    2. Peek data: Read SMB read word with cmd 0x0B, LSB is used, ignore MSB
    3. Clear bit 0x08 from LSB
    4. Poke data: Send SMB write word with cmd 0x0A, data = LSB after clearing bit 0x08
  7. Poke address 2 with data 0x00
    1. Set address: Send SMB write word with cmd 0x09, data = 0x02
    2. Poke data: Send SMB write word with cmd 0x0A, data = 0x00

If you are not sure the state at the beginning of programming the keys, these extra steps can be followed to verify:

  1. Challenge with all zeroes
  2. Read response
  3. If the response is a blank-key response then continue with the programming
    1. Blank-key response: 0x224FA0DFEEF27CD58F32805A70A3F99C0A902F99
  4. If the response is the intended key response then stop programming, the key is already programmed
  5. If response is anything else then stop programming, another key is present, the key cannot be erased or re-programmed.

To verify keys:

Calculate the SHA-1 hash of the 20-byte Key F sent to the gauge, in reverse byte order of what was sent. Key F is the last 8-bytes. Key C uses same procedure. The final key is Key C appended to Key F.

Example:

If 2309BDC0A9F86B69111CA850B530339111000C47 (little endian) is sent for KeyF through cmd AuthWriteKeyF()

SHA-1 hash input to find keyF: 470C0011913330B550A81C11696BF8A9C0BD0923 (big endian)

SHA-1 hash output: 8877626BD64ABC4843E43F1E42C5413DB9EDBBA2

If 330C0014913530B550A81D10696BF8A9C7BD0613 (little endian) is sent for KeyC through cmd AuthWriteKeyC()

SHA-1 hash input to find keyC: 1306BDC7A9F86B69101DA850B530359114000C33 (big endian)

SHA-1 hash output: 1B8689D48F55F5B5F81D30E012DFB96B7440433C

KeyF = 42C5413DB9EDBBA2, KeyC = 12DFB96B7440433C

SHA-1 hash input for all 0’s challenge:

KeyF + KeyC + Challenge = 42C5413DB9EDBBA212DFB96B7440433C0000000000000000000000000000000000000000

Response: 1625A385F73436792FD693D727BAC6EE47291D0B

Second hash is the response of the first appended to the key:

 KeyF + KeyC + Response from first hash = 42C5413DB9EDBBA212DFB96B7440433C1625A385F73436792FD693D727BAC6EE47291D0B

Response: B0BEF440CAC492FAF09604A46C2C0996512331AF

This response should correspond to the data received from the gauge after using an all 0’s challenge.

 Commands:

SMBus Command

Name

SMBus Protocol

Description

0x1b

AuthWriteKeyF

Block Write. Block size is 20-byte

Writes half of the SHA-1 split key (64-bit). This must be programmed first before using AuthWriteKeyC to program the other half of the split key. This location is not writable once AuthWriteKeyC is issued followed by a POR.

0x1c

AuthWriteKeyC

Block Write. Block size is 20-byte

Writes half of the SHA-1 split key (64-bit). This location is not writable after this command is used followed by a POR.

0x1d

AuthKeyChallenge

Block Write. Block size is 20-byte

Sends a 20 byte challenge code to the sha-1 authentication routine. The routine computes the 20 byte challenge response corresponding to the programmed customer authentication key. Allow 22 msecs for this command to complete before reading the Response cmd.

0x21

Response

Block read. Block size is 20-byte

Returns the 20 byte response code for the last issued Challenge message.