This thread has been locked.
If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.
The BQ40Z50-R4, BQ40Z50-R3, and BQ40Z50-R2 have the option to choose the secure memory location for SHA-1 authentication.
To program the SHA-1 key into secure memory a specific sequence of commands is required. Once the key is programmed it cannot be erased or re-programmed after the device goes through a power reset. Search the Technical Reference Manual (TRM) for the SHA1_SECURE bit for more information.
Sequence for programming the SHA1 secure keys:
If you are not sure the state at the beginning of programming the keys, these extra steps can be followed to verify:
To verify keys:
Calculate the SHA-1 hash of the 20-byte Key F sent to the gauge, in reverse byte order of what was sent. Key F is the last 8-bytes. Key C uses same procedure. The final key is Key C appended to Key F.
Example:
If 00112233445566778899AABBCCDDEEFFFFEEDDCC (little endian) is sent for KeyF through cmd AuthWriteKeyF()
SHA-1 hash input to find keyF: CCDDEEFFFFEEDDCCBBAA99887766554433221100 (big endian)
SHA-1 hash output: 72F4CE321EC5CCE7A753AF1FCF7AEDB86FE9B179
If BBAA998877665544332211000011223344556677 (little endian) is sent for KeyC through cmd AuthWriteKeyC()
SHA-1 hash input to find keyC: 776655443322110000112233445566778899AABB (big endian)
SHA-1 hash output: 097AB73E6D21AAD2254A9849AD2F370E3CAFA442
KeyF = CF7AEDB86FE9B179, KeyC = AD2F370E3CAFA442
SHA-1 hash input for all 0’s challenge:
KeyF + KeyC + Challenge = CF7AEDB86FE9B179AD2F370E3CAFA4420000000000000000000000000000000000000000
Response: 04FE132E7D9A45212515E8E5565B3649A47D1026
Second hash is the response of the first appended to the key:
KeyF + KeyC + Response from first hash = CF7AEDB86FE9B179AD2F370E3CAFA44204FE132E7D9A45212515E8E5565B3649A47D1026
Response: 8E885C98F2916482FCF62F2A5F4AA79FF7ABAC7E
Actual from gauge: 7EACABF79FA74A5F2A2FF6FC826491F2985C888E (endian reversed, confirmed valid authentication)
This response should correspond to the data received from the gauge after using an all 0’s challenge.
Commands:
SMBus Command |
Name |
SMBus Protocol |
Description |
0x1b |
AuthWriteKeyF |
Block Write. Block size is 20-byte |
Writes half of the SHA-1 split key (64-bit). This must be programmed first before using AuthWriteKeyC to program the other half of the split key. This location is not writable once AuthWriteKeyC is issued followed by a POR. |
0x1c |
AuthWriteKeyC |
Block Write. Block size is 20-byte |
Writes half of the SHA-1 split key (64-bit). This location is not writable after this command is used followed by a POR. |
0x1d |
AuthKeyChallenge |
Block Write. Block size is 20-byte |
Sends a 20 byte challenge code to the sha-1 authentication routine. The routine computes the 20 byte challenge response corresponding to the programmed customer authentication key. Allow 22 msecs for this command to complete before reading the Response cmd. |
0x21 |
Response |
Block read. Block size is 20-byte |
Returns the 20 byte response code for the last issued Challenge message. |
If you have any related questions to the above topics, please create a new post using the "+ Ask a related question" button.