CoolRunner ™ -II CPLDs in

Cell Phone Security

Quick Start Training

Overview

• Application Example: Cell Phone Security• Feature Overview• Shadow RAM based CPLDs• Background Mode Programming• Demonstration

Quick Start Training

Wall Street Journal Article

Quick Start Training

Application Example: Cell Phone Security

• SIM based cell phones such as those in Europe are a high priority target for thieves

• User is identified by SIM card in phone

• Thief steals phone, removesSIM

• Sells phone

Quick Start Training

Subscriber Identity Module (SIMs)

E2PROM

RAM

CPU

ROM I/O

RST

CLK

VCC

GND

SMART CARD Technology

• Subscriber Identity Module block diagram– ISO 7816 for original– New models: UIM, R-UIM

Quick Start Training

Bullet Proof Security?

• Absolute security is just not possible– With enough time, money and resources, determined

thieves can always find a way

• However...– By increasing the difficulty/risk of the theft, it is

possible to increase the ‘cost’ of the crime such that it is not economically viable

• How can CoolRunner-II CPLDs help?

Quick Start Training

CoolRunner-II CPLD Advanced Features

• CoolRunner-II CPLDs contain “designer friendly” new features that add value to the CPLD product line– DualEdge Flip Flops– Clock Divider– Schmitt Trigger inputs– DataGATE– Four levels of security– OTF Reconfiguration

Quick Start Training

• Traditional CPLDs - bipolar sense amp product terms– Always consumes power

– Even at standby– Performance is traded for

power consumption as devices get larger

• CoolRunner-II RealDigital design uses 100% CMOS for product terms– Virtually no standby current– Combines high performance &

ultra low power– No power limits on device size

RealDigital™ Design Advantage

RealDigital : CMOS Everywhere - Zero Static Power

C

BA

D

Sense amplifier 0.25mA each - Standby Higher ICC at Fmax

A B C

Turbo vs Non TurboLarger R = slower response

& less powerVcc

Quick Start Training

RealDigital Configuration Method

• Sense amplifiers are required to read from NV memory• Once configuration data captured in SRAM cell, NV

memory is turned off

C

BA

D

Vdd

A

A

From non-volatile

Quick Start Training

Two Configuration Storage Areas

• At time of power up (or ISP forced initialization) data is transferred from NV block to SRAM block

• After initialization, NV block contents have no influence on device operation• NV Block may be modified while part is running, with no effect on operation of

PLD• Data transfer from NV to SRAM occurs in ~30 to 200 us

100101100101001110101010101011110NV SRAM

Quick Start Training

An Opportunity for Innovation

• Since the operation of the device is controlled completely by the SRAM contents, and

• Since the EE portion of the device has no bearing on the operation of the CPLD once configuration is complete, therefore:

• It is possible to reprogram the NV portion of the CPLD while the CPLD is running and fully operational!

• This background mode programming is known as On The Fly (OTF) reconfiguration

Quick Start Training

Take a Byte Out of Crime….• Insert CoolRunner-II CPLD into

mission critical aspect of phone, and interface to SIM card

E2PROM RAM

CPU ROM

I/O

RST

CLKVCC

GNDCoolRunner-II

JTAG

Microproc.JTAG

SIM

Mission CriticalFeature

Keyboard, display interface, or RF controller

Quick Start Training

Basic Handset Flow

Phone operable

SIM Match?Y

Enter User Code

Code Match?YAccept New

SIMN

N

Perform Self Erase

• User must know security code to switch out SIM cards

• Incorrect code results in disablement

Quick Start Training

Self Erase

• CoolRunner-II CPLD can operate independent of NV contents or manipulation of NV memory

• CPLD can modify its own contents as part of the normal operation

• Three I/O pins are tied to TDI, TMS, TCK• These three pins manipulate the JTAG signals to

produce a bulk erased device

Quick Start Training

Self Erase (cont.)• Simple state machine indexes through and drives

TDI,TMS, and TCK.• Some timers exist to produce required ‘burn time’

delays.• After programming EE array, device initiates an ‘Init’

command• Part erases itself using design requiring only 27mc

(75 states and a few timers)• Easily fits into smallest CoolRunner-II CPLD

Quick Start Training

Generation of OTF Files

• Obviously, self erase is a small, intensely specific application• How would other, more complicated

reconfigurations be generated?

Quick Start Training

OTF via IMPACT

• IMPACT is the ISP configuration utility provided by Xilinx

• Typical use is direct ISP operation: Erase, Program, Verify, Blank Check etc.

• Users may modify their SVF file to function as OTF by making a simple modification to the SVF file

Quick Start Training

Enabling OTF

• In normal SVF flow, select “On-The-Fly Program” to generate appropriate SVF file

Quick Start Training

Demonstration

• A small demo board has been created to illustrate this capability

• Please allow us to play a brief movie showing the operation of this board

Quick Start Training

Summary• CoolRunner-II CPLDs contain inherent features that

facilitate innovative application• Additional design measures can be used to increase

level of security• OTF also useful in other applications

– PicoBlaze– Design for Test automation– Any design where rapid reconfiguration is needed

• Questions?