• State Resolved
  • Locked Locked
  • Replies 1 reply
  • Subscribers 61 subscribers
  • Views 1877 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

[FAQ] What is the procedure to program the SHA-1 secure key?

Wyatt Keller
Guru** 102415 points
Other Parts Discussed in Thread: BQ40Z50-R2

The BQ40Z50-R4, BQ40Z50-R3, and BQ40Z50-R2 have the option to choose the secure memory location for SHA-1 authentication.

To program the SHA-1 key into secure memory a specific sequence of commands is required. Once the key is programmed it cannot be erased or re-programmed after the device goes through a power reset. Search the Technical Reference Manual (TRM) for the SHA1_SECURE bit for more information.

Sequence for programming the SHA1 secure keys:

  1.   If device is in FW mode, send cmd 0x00 with data 0x0F00 to bring the device to ROM mode
    1. In order for the device to enter ROM mode it must be unsealed and in full-access mode.
  2. Set bit 0x08 in address 0
    1. Set address: Send SMB write word with cmd 0x09, data = 0x00
    2. Peek data: Read SMB read word with cmd 0x0B, LSB is used, ignore MSB
    3. OR the LSB with 0x08 (i.e. 0x08 | LSB)
    4. Poke data: Send SMB write word with cmd 0x0A, data = 0x08 | LSB
  3. Poke address 2 with data 0xC7
    1. Set address: Send SMB write word with cmd 0x09, data = 0x02
    2. Poke data: Send SMB write word with cmd 0x0A, data = 0xC7
  4. Block write 20-byte key F to command AuthWriteKeyF()
  5. Block write 20-byte Key C to command AuthWriteKeyC()
  6. Clear bit 0x08 in address 0
    1. Set address: Send SMB write word with cmd 0x09, data = 0x00
    2. Peek data: Read SMB read word with cmd 0x0B, LSB is used, ignore MSB
    3. Clear bit 0x08 from LSB
    4. Poke data: Send SMB write word with cmd 0x0A, data = LSB after clearing bit 0x08
  7. Poke address 2 with data 0x00
    1. Set address: Send SMB write word with cmd 0x09, data = 0x02
    2. Poke data: Send SMB write word with cmd 0x0A, data = 0x00

If you are not sure the state at the beginning of programming the keys, these extra steps can be followed to verify:

  1. Challenge with all zeroes
  2. Read response
  3. If the response is a blank-key response then continue with the programming
    1. Blank-key response: 0x224FA0DFEEF27CD58F32805A70A3F99C0A902F99
  4. If the response is the intended key response then stop programming, the key is already programmed
  5. If response is anything else then stop programming, another key is present, the key cannot be erased or re-programmed.

To verify keys:

Calculate the SHA-1 hash of the 20-byte Key F sent to the gauge, in reverse byte order of what was sent. Key F is the last 8-bytes. Key C uses same procedure. The final key is Key C appended to Key F.

Example:

If 00112233445566778899AABBCCDDEEFFFFEEDDCC (little endian) is sent for KeyF through cmd AuthWriteKeyF()

SHA-1 hash input to find keyF: CCDDEEFFFFEEDDCCBBAA99887766554433221100 (big endian)

SHA-1 hash output: 72F4CE321EC5CCE7A753AF1FCF7AEDB86FE9B179

If BBAA998877665544332211000011223344556677 (little endian) is sent for KeyC through cmd AuthWriteKeyC()

SHA-1 hash input to find keyC: 776655443322110000112233445566778899AABB (big endian)

SHA-1 hash output: 097AB73E6D21AAD2254A9849AD2F370E3CAFA442

KeyF = CF7AEDB86FE9B179, KeyC = AD2F370E3CAFA442

SHA-1 hash input for all 0’s challenge:

KeyF + KeyC + Challenge = CF7AEDB86FE9B179AD2F370E3CAFA4420000000000000000000000000000000000000000

Response: 04FE132E7D9A45212515E8E5565B3649A47D1026

Second hash is the response of the first appended to the key:

KeyF + KeyC + Response from first hash = CF7AEDB86FE9B179AD2F370E3CAFA44204FE132E7D9A45212515E8E5565B3649A47D1026

Response: 8E885C98F2916482FCF62F2A5F4AA79FF7ABAC7E

Actual from gauge: 7EACABF79FA74A5F2A2FF6FC826491F2985C888E (endian reversed, confirmed valid authentication)

This response should correspond to the data received from the gauge after using an all 0’s challenge.

 Commands:

SMBus Command

Name

SMBus Protocol

Description

0x1b

AuthWriteKeyF

Block Write. Block size is 20-byte

Writes half of the SHA-1 split key (64-bit). This must be programmed first before using AuthWriteKeyC to program the other half of the split key. This location is not writable once AuthWriteKeyC is issued followed by a POR.

0x1c

AuthWriteKeyC

Block Write. Block size is 20-byte

Writes half of the SHA-1 split key (64-bit). This location is not writable after this command is used followed by a POR.

0x1d

AuthKeyChallenge

Block Write. Block size is 20-byte

Sends a 20 byte challenge code to the sha-1 authentication routine. The routine computes the 20 byte challenge response corresponding to the programmed customer authentication key. Allow 22 msecs for this command to complete before reading the Response cmd.

0x21

Response

Block read. Block size is 20-byte

Returns the 20 byte response code for the last issued Challenge message.