The BQ40Z50-R4, BQ40Z50-R3, and BQ40Z50-R2 have the option to choose the secure memory location for SHA-1 authentication.
To program the SHA-1 key into secure memory a specific sequence of commands is required. Once the key is programmed it cannot be erased or re-programmed after the device goes through a power reset. Search the Technical Reference Manual (TRM) for the SHA1_SECURE bit for more information.
Sequence for programming the SHA1 secure keys:
- If device is in FW mode, send cmd 0x00 with data 0x0F00 to bring the device to ROM mode
- In order for the device to enter ROM mode it must be unsealed and in full-access mode.
- Set bit 0x08 in address 0
- Set address: Send SMB write word with cmd 0x09, data = 0x00
- Peek data: Read SMB read word with cmd 0x0B, LSB is used, ignore MSB
- OR the LSB with 0x08 (i.e. 0x08 | LSB)
- Poke data: Send SMB write word with cmd 0x0A, data = 0x08 | LSB
- Poke address 2 with data 0xC7
- Set address: Send SMB write word with cmd 0x09, data = 0x02
- Poke data: Send SMB write word with cmd 0x0A, data = 0xC7
- Block write 20-byte key F to command AuthWriteKeyF()
- Block write 20-byte Key C to command AuthWriteKeyC()
- Clear bit 0x08 in address 0
- Set address: Send SMB write word with cmd 0x09, data = 0x00
- Peek data: Read SMB read word with cmd 0x0B, LSB is used, ignore MSB
- Clear bit 0x08 from LSB
- Poke data: Send SMB write word with cmd 0x0A, data = LSB after clearing bit 0x08
- Poke address 2 with data 0x00
- Set address: Send SMB write word with cmd 0x09, data = 0x02
- Poke data: Send SMB write word with cmd 0x0A, data = 0x00
If you are not sure the state at the beginning of programming the keys, these extra steps can be followed to verify:
- Challenge with all zeroes
- Read response
- If the response is a blank-key response then continue with the programming
- Blank-key response: 0x224FA0DFEEF27CD58F32805A70A3F99C0A902F99
- If the response is the intended key response then stop programming, the key is already programmed
- If response is anything else then stop programming, another key is present, the key cannot be erased or re-programmed.
To verify keys:
Calculate the SHA-1 hash of the 20-byte Key F sent to the gauge, in reverse byte order of what was sent. Key F is the last 8-bytes. Key C uses same procedure. The final key is Key C appended to Key F.
Example:
If 00112233445566778899AABBCCDDEEFFFFEEDDCC (little endian) is sent for KeyF through cmd AuthWriteKeyF()
SHA-1 hash input to find keyF: CCDDEEFFFFEEDDCCBBAA99887766554433221100 (big endian)
SHA-1 hash output: 72F4CE321EC5CCE7A753AF1FCF7AEDB86FE9B179
If BBAA998877665544332211000011223344556677 (little endian) is sent for KeyC through cmd AuthWriteKeyC()
SHA-1 hash input to find keyC: 776655443322110000112233445566778899AABB (big endian)
SHA-1 hash output: 097AB73E6D21AAD2254A9849AD2F370E3CAFA442
KeyF = CF7AEDB86FE9B179, KeyC = AD2F370E3CAFA442
SHA-1 hash input for all 0’s challenge:
KeyF + KeyC + Challenge = CF7AEDB86FE9B179AD2F370E3CAFA4420000000000000000000000000000000000000000
Response: 04FE132E7D9A45212515E8E5565B3649A47D1026
Second hash is the response of the first appended to the key:
KeyF + KeyC + Response from first hash = CF7AEDB86FE9B179AD2F370E3CAFA44204FE132E7D9A45212515E8E5565B3649A47D1026
Response: 8E885C98F2916482FCF62F2A5F4AA79FF7ABAC7E
Actual from gauge: 7EACABF79FA74A5F2A2FF6FC826491F2985C888E (endian reversed, confirmed valid authentication)
This response should correspond to the data received from the gauge after using an all 0’s challenge.
Commands:
SMBus Command |
Name |
SMBus Protocol |
Description |
0x1b |
AuthWriteKeyF |
Block Write. Block size is 20-byte |
Writes half of the SHA-1 split key (64-bit). This must be programmed first before using AuthWriteKeyC to program the other half of the split key. This location is not writable once AuthWriteKeyC is issued followed by a POR. |
0x1c |
AuthWriteKeyC |
Block Write. Block size is 20-byte |
Writes half of the SHA-1 split key (64-bit). This location is not writable after this command is used followed by a POR. |
0x1d |
AuthKeyChallenge |
Block Write. Block size is 20-byte |
Sends a 20 byte challenge code to the sha-1 authentication routine. The routine computes the 20 byte challenge response corresponding to the programmed customer authentication key. Allow 22 msecs for this command to complete before reading the Response cmd. |
0x21 |
Response |
Block read. Block size is 20-byte |
Returns the 20 byte response code for the last issued Challenge message. |