Atmel AT88SC102-09PT Card

AT88SC102,

Features
• 1K X 1 Serial EEPROM with Security Logic
• Two Application Zones
• Stores and Validates Security Codes
• Maximum of Eight Incorrect Security Code Attempts
• Provides Transport Code Security
• Low Voltage Operation: 2.7V to 5.5V
• Manufactured using Low Power CMOS Technology
• Supports ISO/IEC 7816-3 Synchronous Protocol
• VPP Internally Generated
• 2 μs Read Access Time; 2 ms Write Cycle Time
• Temperature Range from -40°C to 85°C
• ESD Protection 4,000V Minimum.
• High Reliability:
100,000 Program/Erase Cycles Guaranteed
Data Retention of 10 years

The AT88SC102 device is a low-cost, synchronous, secure memory integrated circuit, designed for use in prepaid and loyalty smart card applications. The AT88SC102 provides 1024 bits of serial Electrically Erasable and Programmable Read Only Memory (EEPROM) within two Application Zones, plus 64 bits in a code protected zone. Additional EEPROM memory and security logic provide security for smart card applications. Space is provided in the EEPROM memory for manufacturing records for both the smart card manufacturer and card issuer. After personalization, these records, and the state of the bit which enables the Erase Counter function, are locked and protected from modification for the lifetime of the product.

AT88SC102, 1K EEPROM Security Logic with Two Application Zones

Terminology

The following terms have specific definitions for the AT88SC102.

ERASE: A program operation which results in an EEPROM data bit being set to a logic “1” state. Outside the Application Zones, all erase operations are performed on 16-bit words. An erase operation performed on any bit within a word will execute an erase of the entire word. Inside the Application Zones, erase operations are controlled by the SV Flag, EZ passwords and the EC2EN fuse. These operations are defined in the “Device Operation” section of the data sheet.

WRITE: A program operation which results in an EEPROM bit, or word being set to a logic “0” state. An unwritten bit is defined as erased, or set to a logic “1” state. Write operations in the AT88SC102 may be performed on individual bits after security code validation. In Security Level 2, write operations also require that the P1 or P2 bit within the Application Zone is set to “1”.

Security Features

The Security Features of Atmel’s AT88SC102 include:
• Data access only after validation of the Security Code.
• Permanent invalidation of the device after eight consecutive false Security Code presentations.
• Read/Write protection of certain memory zones.

Secure transport of devices using transport code compare sequence.
• Unique customer identification number written and locked into every device for protection against
duplication or counterfeiting.

Security Levels and Memory Access

Level 1: (Security During Personalization)
Conditions:
ISSUER FUSE = “1” (not blown)
FUS PIN = “1” (required)
AT88SC102 die and modules are delivered with the Issuer Fuse intact (unblown). Issuer personalization is completed at this level. Security Code validation is required to allow access to personalize the EEPROM memory. The FUS PIN must be held at a logic “1” for Security Level 1. The function of the FUS PIN enables the card issuer to simulate Security Level 2 during application development, without permanently blowing the Issuer fuse.
See “Memory Access Rules During Personalization”.

Level 2: (Security After Personalization)
Conditions:
ISSUER FUSE = “0” (blown)
FUS PIN = “X” (don’t care)
Customer release. The EEPROM memory zone is protected by the various flags and passwords. After issuer personalization, Security Level 2 is implemented by blowing the Issuer Fuse. The device can also be placed in Security Level 2 by taking FUS pin low, independent of the state of Issuer Fuse.
See “Memory Access Rules After Personalization”.

AT88SC102, 1K EEPROM Security Logic with Two Application Zones

Memory Map

AT88SC102 Memory Diagram
Bit Address	Description	Bits	Words
0 – 15	Fabrication Zone (FZ)	16 Bits	1 Words
16 – 79	Issuer Zone (IZ)	64 Bits	4 Words
80 – 95	Security Code (SC)	16 Bits	1 Words
96 – 111	Security Code Attempts counter (SCAC)	16 Bits	1 Words
112 – 175	Code Protected Zone (CPZ)	64 Bits	4 Words
176 – 687	Application Zone 1 (AZ1)	512 Bits	32 Words
688 – 735	Application Zone 1 Erase Key (EZ1)	48 Bits	3 Words
736 – 1247	Application Zone 2 (AZ2)	512 Bits	32 Wordss
1248 – 1279	Application Zone 2 Erase Key (EZ2)	32 Bits	2 Words
1280 – 1407	Application Zone 2 Erase Counter (EC2)	128 Bits	8 Words
1408 – 1423	Memory Test Zone (MTZ)	16 Bits	1 Words
1424 – 1439	Manufacturer’s Zone (MFZ)	16 Bits	1 Words
1440 – 1455	Block Write/Erase	16 Bits	1 Words
1456 – 1471	MANUFACTURER’S FUSE	16 Bits	1 Words
1529	EC2EN FUSE (Controls use of EC2)	1 Bits
1552 – 1567	ISSUER FUSE	16 Bits	1 Words

Memory Zones

Zone	Definition
Fabrication Zone FZ (16 bits)	The 16-bit Fabrication Zone is programmed when the chip is manufactured and cannot be changed. The data held in the Fabrication Zone is specific to each Atmel customer, and cannot be modified. Application software may check this Fabrication Zone Code to assure that the device was manufactured by Atmel specifically for the intended application. Devices containing codes assigned to specific customers will not be sold to unauthorized customers. Fraudulent cards will not contain the correct code.
Issuer Zone IZ (64 bits)	The 64-bit Issuer Zone is programmed by the card issuer during the personalization phase. It will contain issuer-specific information, such as serial numbers and dates. This area becomes read-only after the ISSUER FUSE has been blown. Read access is always allowed in the Issuer Zone.
Security Code SC (16 bits)	The card Security Code is initially set by Atmel, to protect the card during transportation to the card issuer. During personalization, this code must be verified by the AT88SC102 to allow access to the EEPROM memory. After the Security Code has been verified, the code itself may be changed in either security mode. While in personalization mode (Security Level 1), the Security Code gives ERASE and WRITE access to both the Application Zones and the Code Protected Zone. In Security Level 2, the Security Code gives WRITE access to both the Application Zones and the Code Protected Zone. ERASE access requires verification of both the Security Code and the Erase Key (EZ1 or EZ2). Verification of the Security Code will set the internal flag SV to “1”. Atmel ships the device with a Security Code (transportation code) pre-programmed. This protects against the unauthorized use of an unpersonalized device, and should be written to a new value during initialization.
Security Code Attempts Counter SCAC (16 bits)	The protocol for verification of the Security Code requires that the user write one of the first eight bits of the SCAC to a logic “0”. This allows the SCAC to count the number of consecutive incorrect presentations of the Security Code. After eight consecutive incorrect Security Code presentations, the first eight bits of the SCAC will all be written to “0”, and the user is permanently blocked from access to the Application Zones, as well as other areas controlled by the Security Code. After a successful presentation of the Security Code, the entire 16-bit SCAC, including the eight active bits, should be erased. This verifies that the correct Security Code has been presented, since an erase operation in this area is not allowed without SC verification. It also clears the SCAC bits in preparation for the next use of the card. This erase operation will also clear the remaining eight bits of the 16-bit SCAC word. These eight bits may be used in an application, although the entire 16-bit word will be erased if any bit in the SCAC is erased.
Code Protected Zone CPZ (64 bits)	READ access to this area is always allowed, and does not require SC validation. The Security Code must be correctly presented to allow WRITE or ERASE access to the Code Protected Zone.
Application Zones 1 and 2 AZ1 and AZ2 (512 bits each)	The Application Zones (AZ1 and AZ2) are intended to hold user application data. P1 (address 176) controls WRITE access, and R1 (address 177) controls READ access within AZ1. P2 (address 736) controls WRITE access and R2 (address 737) controls READ access within AZ2. In Security Level 1, an entire 16-bit word will be erased if an erase is performed on any single bit within that word. In Security Level 2, erase operations are controlled by both the SV flag and the Erase Keys (EZ1 and EZ2). See the Device Operation ERASE definition for specific details. The number of erase operations performed in AZ2 may be limited by leaving the EC2EN Fuse set to “1”. The AT88SC102 allows unlimited erase operations of AZ1.
Application Zone Erase Keys EZ1 (48 bits) EZ2 (32 bits)	(Enabled in Security Level 2 only.) The Erase Keys are passwords used to control ERASE operations within the Application Zones, after the Issuer Fuse has been blown (Security Level 2). The Erase Key passwords are written by the Issuer during personalization (Security Level 1), after verification of the Security Code. EZ1 and EZ2 can not be changed after the Issuer Fuse is blown. In Security Level 2, the AT88SC102 allows only block erasure of an entire Application Zone. AZ1 can be erased only after both the Security Code and the EZ1 password have been validated. Verification of EZ1 will set the internal flag E1 to “1”. AZ2 can be erased only after both the Security Code and the EZ2 password have been validated. Verification of EZ1 will set the internal flag E1 to “1”. Verification of EZ2 will set the internal flag E2 to “1”.
Application Zone 2 Erase Counter EC2 (128 bits)	(Enabled in Security Level 2 only) The Application Zone 2 Erase Counter (EC2) is enabled only in Security Mode 2 and only when the EC2EN fuse is set to “1”. If both of these conditions are true, the user will be limited to 128 erase operations in Application Zone 2. EC2 is used to count these erase cycles. The erase protocol for the AT88SC102 Application Zone 2 requires one bit in EC2 to be written to “0”. After 128 erase operations, all 128 bits in EC2 will be “0” and the user will be blocked from erasing AZ2. The Erase Counter is only writeable and cannot be erased. When the EC2EN fuse = “0”, the EC2 operation is disabled. In that case there is no limit to the number of times AZ2 can be erased, and EC2 has no function.
Memory Test Zone MTZ (16 bits)	All operations are allowed for this zone (WRITE, ERASE, READ). The purpose of this zone is to provide an area in the product memory which is not restricted by security logic. It is used for testing purposes during the manufacturing process, and may also be used in the product application if desired, although no security protection exists for the MTZ.
Manufacturer’s Zone MFZ (16 bits)	The MFZ is intended to hold data specific to the smart card manufacturer (like assembly lot codes, dates, etc.). Read operations within this zone are always allowed. Write or Erase operations within this zone are allowed after the Security Code has been verified. After the data is entered by the Card Manufacturer, the Manufacturer’s Fuse can be blown and the data within the MFZ will become readonly. Blowing the Issuer Fuse will also lock the data in the MFZ.
EC2EN Fuse (1 bit)	This single bit EEPROM fuse selects whether the EC2 counter is used to limit the number of AZ2 erase operations in Security Mode 2. If the EC2EN Fuse is unblown (“1”), the number of erase operations allowed in AZ2 is limited to 128. If the EC2EN Fuse is blown (“0”), there is no limit to the number of erase operations in AZ2. After the Issuer Fuse is blown, the state of the EC2EN Fuse is locked and cannot be changed.
Issuer Fuse (16 bits)	This EEPROM fuse is used to change the security mode of the AT88SC102 from Security Mode 1 (“1”) to Security Mode 2 (“0”). Initialization of the AT88SC102 for use by the end customer occurs in Security Mode 1. Access conditions in Security Mode 1 are described in Table 1. Access conditions in Security Mode 2 are described in Table 2.
Manufacturer’s Fuse (1 bit)	This single bit EEPROM fuse is used to lock the data stored in the Manufacturer’s Zone after personalization has been completed.

Definition of AT88SC102 Internal Flags

Zone	Definition
SV	Security Validation Flag OPERATION: The SV flag is set by correctly matching the 16-bit Security Code bit-by-bit from address 80 through 95, as CLK increments the address counter. The security code matching operation must be followed immediately by a validation operation within the Security Code Attempts Counter (SCAC). This validation operation requires the user to find a bit in the first eight bits of the SCAC (addresses 96 – 103) which is a logic “1”. A WRITE operation is performed, followed by an ERASE. The AT88SC102 will validate that the comparison was correct by outputting a logic “1”, and SV will be set. After the ERASE, all 16 bits in the SCAC will also be erased. The SV flag remains set until power to the card is turned off. If the comparison was in error, or part of the validation was not performed correctly, the AT88SC102 will output a logic “0”, showing that the SV flag has not been set. After eight consecutive incorrect Security Code presentations, the card is permanently locked. FUNCTION: This flag is the master protection for the memory zones. See Tables 1 and 2.
P1	Application Zone 1 Write Flag OPERATION: If bit 176 has been programmed to a logic “1” this flag is set after bit 176 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. FUNCTION: P1 and SV must both be set in order to enable a WRITE command in the Application Zone (Security Mode 2).
R1	Application Zone 1 Read Flag OPERATION: If bit 177 has been programmed to a logic “1” this flag is set after bit 177 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. FUNCTION: R1 or SV must be set in order to enable Application Zone 1 to be read.
P2	Application Zone 2 Write Flag OPERATION: If bit 736 has been programmed to a logic “1” this flag is set after bit 736 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. FUNCTION: P2 and SV must both be set in order to enable a WRITE command in Application Zone 2 (Security Mode 2).
R2	Application Zone 2 Read Flag OPERATION: If bit 737 has been programmed to a logic “1” this flag is set after bit 737 has been addressed. The flag remains set until power to the device is turned off, even if this bit is written to “0” by a subsequent operation. FUNCTION: R2 or SV must be set in order to enable Application Zone 2 to be read.
E1	Application Zone 1 Erase Flag OPERATION: The E1 Flag is set by correctly matching the Application Zone 1 Erase Key (EZ1) bit by bit as pin CLK increments the address counter. To complete an ERASE operation of AZ1 in Security Level 2, an ERASE operation must be performed on bit 736 after E1 is set. The E1 Flag is reset when the address counter = 0. FUNCTION: Application Zone 1 (bits 176 – 687) will be erased when E1 is set and an ERASE is performed on bit 736. This operation erases all bits in Application Zone 1. There is no limit to the number of erase operations which can be performed on AZ1.
E2 EC Enabled	Application Zone 2 Erase Flag with Erase Counter operation enabled. (EC2EN FUSE = “1”) OPERATION: This flag is set by correctly matching the Application Zone 2 Erase Key (EZ2) bit by bit as pin CLK increments the address counter. Then a validation operation must be completed. This operation requires the user to find a bit in Application Zone 2 Erase Counter (EC2), addresses 1280 – 1407, which is a logic “1”. A WRITE must then be performed, followed by an ERASE. The AT88SC102 will validate that the comparison was correct and Application Zone 2 will be erased. This flag is also reset when the address counter = 0. FUNCTION: Application Zone 2 (bits 736 -1237) is erased when E2 is set and an ERASE is performed after the validation operation in EC2 described above. This operation erases all bits in Application Zone 2.
E2 EC Disabled	Application Zone 2 Erase Flag with Erase Counter operation disabled. (EC2EN FUSE = “0”) OPERATION: E2 is set when the Application Zone 2 Erase Key comparison is valid. It is reset when the address counter = 0. FUNCTION: Application Zone 2 (bits 736 -1247) is erased when E2 is set and an ERASE is performed on bit 1280. This operation erases all bits in Application Zone 2, but does not affect the word containing bit 1280.

Definition of AT88SC102 Passwords

Password	Definition
Security Code (SC) bits 80-95 (16 bits)	This password is used to set the SV (Security Validation) flag and is used in determining what operations are allowed in each zone (see Tables 1 and 2).
Application Zone 1 Erase Key (EZ1) bits 688-735 (48 bits)	This password must be programmed during issuer personalization. It is used to erase Application Zone 1 in Security Level 2. Verification of EZ1 will set the internal flag E1 to “1”.
Application Zone 2 Erase Key (EZ2) bits 1248-1279 (32 bits)	This password must be programmed during issuer personalization. It is used to erase Application Zone 2 in Security Level 2. Verification of EZ2 will set the internal flag E2 to “1”.

Definition of AT88SC102 Fuses

MANUFACTURER FUSE: This fuse is used to control writes and erases of the Manufacturer Zone (MFZ). When the security code has been validated and both the Issuer Fuse and the Manufacturer Fuse are unblown, writes and erases of the MFZ are allowed. Blowing the Issuer Fuse will also disable the Manufacturer Fuse if it has not been blown previously.
EC2EN FUSE: This fuse selects whether the EC2 counter is used to limit the number of Application Zone 2 erases allowed in security mode 2. If EC2EN FUSE is “unblown”, then the Application Zone 2 erases are limited to 128. If the EC2EN FUSE is “blown” the Application Zone erases are unlimited. After the Issuer Fuse is blown the state of the EC2EN FUSE is locked and cannot be changed.

ISSUER FUSE: This fuse is used to personalize the AT88SC102 for end use. It is an additional EEPROM bit which can be programmed to a logic “0”. This is its “blown” state. Security of the device when Issuer Fuse is a logic “1” is described in Table 1. The device is in Security Level 2 when the Issuer Fuse is blown. The device can also be placed in Security Level 2 by taking the FUS pin low independent of the state of Issuer Fuse. Memory access rules of the device in Security Level 2 are described in Table 2.

Micro Operations

The AT88SC102 circuit operation modes are selected by the input logic levels on the control pins PGM, CLK and RST and by the internal address. Timing for these operations is specified in the AC Characteristics section.
Operation	Definition
RESET	This operation will reset the internal address to 0. After the falling edge of RST, the first bit of the Fabrication Zone (Address 0) will be driven on the I/O contact. The erase flags (E1 and E2) will be reset.
INC/READ	The address is incremented on the falling edge of CLK. If READ operations are enabled, the addressed bit will be driven on the I/O pin after the falling edge of CLK. When READ operations are disabled, the I/O will be disabled and pulled to a high state by the external system pull-up resistor.
INC/CMP	The INC/CMP operation will compare the value of the data driven by the system host on the I/O pin, to the value of the bit already written into the EEPROM memory at that address location. This process is used during validation of the AT88SC102 Security Code and Erase Keys. The data must be stable on the I/O pin before the rising edge of CLK, when the data will be latched internally. Comparison occurs on the next falling edge of CLK. The internal address is also incremented on the falling edge of CLK.
ERASE/WRITE	The I/O pin must be driven to a “1” for an ERASE, and to a “0” for a WRITE operation before the rising edge of CLK (see t_DS)
STANDBY	The device is placed in standby mode when FUS pin = “0” and RST = “1”. The address will not increment when RST is high.

Notes: 1. The output is disabled (hi-state) on all addresses where the READ operation is disabled. 2. The two instructions INC/READ and INC/CMP share the same control signal states. 3. The circuit will distinguish between the INC/READ and INC/CMP instructions by testing the internal address counter. (CMP can only be done with the addresses corresponding to the Security Code or to an Erase Key). 4. The internal address counter counts up to 1567. An additional CLK pulse resets the address to 0.

Device Functional Operation

Function	Functional Operation Sequence
POR	OPERATION: POR (power-on reset) is initiated as the device power supply ramps from 0V up to a valid operating voltage. FUNCTION: POR resets all flags, and the address is reset to 0.
RESET	OPERATION: With CLK low, a falling edge on the RST pin will reset the address counter to address 0. FUNCTION: The address is reset to “0”, and the first bit of the memory is driven by the AT88SC102 on I/O after a reset. Only E1 and E2 are reset when the address is reset to 0. The RESET operation has no affect on any of the other flags (SV, P1, R1, P2, R2).
ADDRESSING	OPERATION: Addressing is handled by an internal address counter. The address is incremented on the falling edge of CLK. RESET must be low while incrementing the address. A falling edge of RESET clears the counter to address 0. FUNCTION: Addressing of the AT88SC102 is sequential. Specific bit addresses may be reached by completing a RESET, then clocking the device (INC/READ) until the desired address is reached. The AT88SC102 will determine which operations are allowed at specific address locations. These operations are specified in Tables 1 and 2. EXAMPLE: To address the Issuer Zone (IZ) execute a RESET operation, then clock the device 16 times. The device now outputs the first bit of the Issuer Zone (IZ). After the address counter counts up to 1567 the next CLK pulse resets the address to 0.
READ	OPERATION: RST and PGM pins must be low. If a READ operation is allowed, the state of the memory bit which is being addressed is output on the I/O pin. The I/O buffer is an open drain and the output of a logic “0” therefore causes the device to pull the pin to ground. The output of a logic “1” causes the device to place the pin in a high impedance state. Therefore in order to sense a logic “1”, an external pullup must be placed between the I/O pin and VCC. The address counter is incremented on the falling edge of CLK. FUNCTION: NON-APPLICATION ZONES: As the address counter is incremented, the contents of the memory are read out on the I/O pin. The READ operation is inhibited for addresses where security prevents a READ operation (see Tables 1 and 2). APPLICATION ZONES: Application Zone 1 can be read when: SV = “1” or R1 = “1”. Application Zone 2 can be read when: SV = “1” or R2 = “1”.
WRITE	A WRITE operation sets the bit(s) to a logic “0” OPERATION: CLK = “0” PGM “0” → “1” (I/O switches to an input) I/O = “0” (input = “0” for WRITE operation) CLK “0”→ “1” (rising edge of CLK starts the WRITE operation) PGM “1”→ “0” I/O “0”→ “Z” (high-impedance) Wait tCHP (see “AC Electrical Characteristics”) CLK “1”→ “0” (falling edge of CLK ends the WRITE operation). Note: The falling edge of CLK which ends the WRITE operation does not increment the address counter. FUNCTION: NON-APPLICATION ZONES: The WRITE operation is inhibited for addresses where security prevents a WRITE operation (see Tables 1 and 2). APPLICATION ZONES: The Application Zones can be written when: Security Level 1: SV = “1” Security Level 2: SV = “1”and P1 = “1” for AZ1. SV = “1” and P2 = “1” for AZ2
ERASE Operation Sequence	CLK = “0” PGM “0” → “1” (I/O switches to an input) I/O = “1” (input = “1” for ERASE Operation) CLK “0” → “1”(rising edge of CLK starts the ERASE operation.) PGM “1” → “0” I/O “1” → “Z” (high-impedance) Wait tCHP (see “AC Electrical Characteristics”) CLK “1” → “0” (falling edge of CLK ends the ERASE operation.) Note: The falling edge of CLK which ends the ERASE operation does not increment the address counter.
ERASE (Non- Application Zones)	An ERASE operation sets the bits to logic “1”. The EEPROM memory is organized into 16 bit words. Although erases are performed on single bits the ERASE operation clears an entire word in the memory (except for the Application Zones in Security Level 2). Therefore, performing an ERASE on any bit in the word will clear ALL 16 bits of that word to logic “1”. OPERATION: Perform “ERASE Operation Sequence” as specified above. FUNCTION: The ERASE operation is inhibited for addresses where security prevents an ERASE operation. (See Tables 1 and 2).
ERASE (Application Zones) Security Level 1	Security level 1: (ISSUER FUSE = “1” and FUS pin = “0”) The Application Zone can only be erased when SV = 1. OPERATION: Increment address counter to any bit within AZ1 or AZ2. Perform “ERASE Operation Sequence” as specified above. FUNCTION: This operation will erase the entire 16-bit word containing the bit.
ERASE (Application Zone 2) Security Level 2 EC Mode Enabled	Security level 2: (ISSUER FUSE = “0” or FUS pin = “0”) EC Mode is Enabled. Erase Operations within AZ2 are limited to 128. Application Zone 1 can only be erased when SV = “1” and E1 = “1”. OPERATION: Set SV = “1” by validating the Security Code (see definition of SV internal flag). Increment address counter to the first bit of the Application Zone 2 Erase Key (EZ2 = bit 1248). Execute 32 INC/CMP operations, correctly verifying each bit of the 32-bit Erase Key. Increment the address counter through the Application Zone 2 Erase Counter (EC2 = bits 1280 – 1407) until a bit is found which is set to “1”. Perform a WRITE operation on this bit (this WRITE will not increment the address counter). Perform an ERASE operation on the same bit. FUNCTION: This operation will erase the entire Application Zone. One additional bit of Erase Counter 2 will now be written to “0”. The ERASE operation in EC2 will initiate the AZ2 erase, but will not affect the state of the bits within EC2.
ERASE (Application Zone 1 or 2) Security Level 2 EC Mode Disabled	Security Level 2: (ISSUER FUSE = “0” or FUS pin = “0”) EC Mode is disabled in AZ2. Unlimited Erase operations in AZ2. AZ1 always allows unlimited Erase operations. Application Zone 1 can only be erased when SV = “1” and E1 = “1”. Application Zone 2 can only be erased when SV = “1” and E2 = “1”. OPERATION: Set SV = “1” by validating the Security Code (see definition of SV internal flag). Increment address counter to the first bit of the Application Zone Erase Key (EZ1 = bit 688, EZ2 = bit 1248). Execute 32 or 48 INC/CMP operations, correctly verifying each bit of the 32 or 48 bit Erase Key. Increment the address counter to the next bit (bit 736, to erase AZ1, bit 1280 to erase AZ2). Perform an ERASE operation on this bit. FUNCTION: This operation will erase the entire Application Zone, but does not affect the word containing bit 736 or 1280.
Block Write/Erase	Enabled in Security Level 1 only. OPERATION: Set address counter between address 1440 and 1455. SV must be set. FUS pin must be high. Perform a WRITE or ERASE operation. FUNCTION: The entire memory excluding the Fabrication Zone (FZ), Memory Test Zone (MTZ) and Manufacturer’s Zone (MFZ) will be written to “0” (WRITE) or “1” (ERASE). The BLOCK WRITE/ERASE modes are used to quickly personalize the device.
Blowing Manufacturer Fuse	Valid in Security Level 1. OPERATION: Set address counter between address 1456 and 1471. SV must be set. The FUS pin can be either a “0” or a “1”. RST pin = “1” Perform a WRITE operation. FUNCTION: The MANUFACTURER FUSE will be at a logic “0” state. Note: The address will not change as long as RST is high. CLK should be low when RST is brought low. This will reset the address counter to 0.
Blowing EC2EN Fuse	Valid in Security Level 1. The EC2EN FUSE must be blown before the ISSUER FUSE is blown. OPERATION: Set the address counter to address 1529. FUS pin = “1” RST pin = “1” Perform a WRITE operation FUNCTION: EC2EN Fuse will be written to a logic “0” state. Note: The address will not change as long as RST is high. CLK should be low when RST is brought low This will reset the address counter to 0.
Blowing Issuer Fuse	OPERATION: Set address counter between address 1552 and 1567. SV must be set. The FUS pin can be either a “0” or a “1”. RST pin = “1” Perform a WRITE operation FUNCTION: ISSUER FUSE will be set to a logic “0” state. This operation will convert the AT88SC102 from Security Level 1 to Security Level 2. The action is irreversible. Note: The address will not change as long as RST is high. CLK should be low when RST is brought low. This will reset the address counter to 0.
Function of FUS and RST Pin
FUS	Used for personalizing the device. FUS must be high to be able to personalize the device when ISSUER FUSE is unblown. In Security Level 1, the FUS pin may be forced low to simulate Security Level 2. In Security Level 2, the FUS pin has no function.
RST	This pin is used to reset the address counter address to 0. It is also used in writing the Issuer Fuse and the EC2EN FUSE low. When the FUS pin is low and the RST pin is high, the part is in stand-by mode.

Ordering Information

Ordering Code	Package	Voltage Range	Temperature Range
AT88SC102 – 09AT – xx – 2.7 AT88SC102 – 09BT – xx – 2.7 AT88SC102 – 09CT – xx – 2.7 AT88SC102 – 09DT – xx – 2.7 AT88SC102 – 09ET – xx – 2.7 AT88SC102 – 09GT – xx – 2.7 AT88SC102 – 09HT – xx – 2.7	M2 – A Module M2 – B Module M4 – C Module M4 – D Module M2 – E Module M3 – G Module M3 – H Module	2.7V to 3.3V	Commercial 0°C to 70°C
AT88SC102 – 09AT – xx AT88SC102 – 09BT – xx AT88SC102 – 09CT – xx AT88SC102 – 09DT – xx AT88SC102 – 09ET – xx AT88SC102 – 09GT – xx AT88SC102 – 09HT – xx	M2 – A Module M2 – B Module M4 – C Module M4 – D Module M2 – E Module M3 – G Module M3 – H Module	4.5V to 5.5V	Commercial 0°C to 70°C
Package Type
M2 – A Module	M2 ISO 7816 Smart Card Module
M2 – B Module	M2 ISO 7816 Smart Card Module with Atmel Logo
M4 – C Module	M4 ISO 7816 Smart Card Module
M4 – D Module	M4 ISO 7816 Smart Card Module with Atmel Logo
M2 – E Module	M2 ISO 7816 Smart Card Module
M3 – G Module	M3 ISO 7816 Smart Card Module
M3 – H Module	M3 ISO 7816 Smart Card Module with Atmel Logo

Notes: 1. “xx” must be replaced by a security code. Contact an Atmel Sales Office for the security code. 2. Formal drawings may be obtained from an Atmel Sales Office.

Smart Card Modules

Security Options

Anti-tearing
In the event of a power loss during a write cycle, the integrity of the device’s stored data may be recovered. This function is optional: the host may choose to activate the anti-tearing function, depending on application requirements. When anti-tearing is active, write commands take longer to execute, since more write cycles are required to complete them, and data are limited to eight bytes.

Data are written first to a buffer zone in EEPROM instead of the intended destination address, but with the same access conditions. The data are then written in the required location. If this second write cycle is interrupted due to a power loss, the device will automatically recover the data from the system buffer zone at the next power-up.

In 2-wire mode, the host is required to perform ACK polling for up to 8 ms after write commands when anti-tearing is active. At power-up, the host is required to perform ACK polling, in some cases for up to 2 ms, in the event that the device needs to carry out the data recovery process.

Write Lock
If a user zone is configured in the write lock mode, the lowest address byte of an 8-byte page constitutes a write access byte for the bytes of that page.

Password Verification
Passwords may be used to protect read and/or write access of any user zone. When a valid password is presented, it is memorized and active until power is turned off, unless a new password is presented or RST becomes active. There are eight password sets that may be used to protect any user zone. Only one password is active at a time, but write passwords give read access also.

Authentication Protocol
The access to a user zone may be protected by an authentication protocol. Any one of four keys may be selected to use with a user zone.

The authentication success is memorized and active as long as the chip is powered, unless a new authentication is initialized or RST becomes active. If the new authentication request is not validated, the card loses its previous authentication and it should be presented again. Only the last request is memorized d.

Note: Password and authentication may be presented at any time and in any order. If the trials limit has been reached (after four consecutive incorrect attempts), the password verification or authentication process will not be taken into account.

Checksum
The AT88SC0204C implements a data validity check function in the form of a checksum, which may function in standard, authentication or encryption modes.

In the standard mode, the checksum is implemented as a Modification Detection Code (MDC), in which the host may read an MDC from the device in order to verify that the data sent was received correctly.

In the authentication and encryption modes, the checksum becomes more powerful since it provides a bidirectional data integrity check and data origin authentication capability in the form of a Message Authentication Code (MAC). Only the host/device that carried out a valid authentication is capable of computing a valid MAC. While operating in the authentication or encryption modes, the use of a MAC is required. For an ingoing command, if the device calculates a MAC different from the MAC transmitted by the host, not only is the command abandoned but the mode is also reset. A new authentication and/or encryption activation will be required to reactivate the MAC.

Encryption
The data exchanged between the device and the host during read, write and verify password commands may be encrypted to ensure data confidentiality.

The issuer may choose to require encryption for a user zone by settings made in the configuration memory. Any one of four keys may be selected for use with a user zone. In this case, activation of the encryption mode is required in order to read/write data in the zone and only encrypted data will be transmitted. Even if not required, the host may elect to activate encryption provided the proper keys are known.

Supervisor Mode
Enabling this feature allows the holder of one specific password to gain full access to all eight password sets, including the ability to change passwords.

Modify Forbidden
No write access is allowed in a user zone protected with this feature at any time. The user zone must be written during device personalization prior to blowing the security fuses.

Program Only
For a user zone protected by this feature, data within the zone may be changed from a “1” to a “0”, but never from a “0” to a “1”.

Initial Device Programming
To enable the security features of CryptoMemory, the device must first be personalized to set up several registers and load in the appropriate passwords and keys. This is accomplished through programming the configuration memory of CryptoMemory using simple write and read commands. To gain access to the configuration memory, the secure code must first be successfully presented. For the AT88SC0204C device, the secure code is $E5 47 47. After writing and verifying data in the configuration memory, the security fuses must be blown to lock this information in the device. For additional information on personalizing CryptoMemory, please see the application notes Programming CryptoMemory for Embedded Applications and Initializing CryptoMemory for Smart Card Applications.

M2 – A Module – Ordering Code: 09AT

Module Size: M2
Dimension: 12.6 x 11.4 mm
Glob Top: Black, Square: 8.6 x 8.6 mm
Thickness: 0.58 mm max.
Pitch: 14.25 mm

M2 – E Module – Ordering Code: 09ET

Module Size: M2
Dimension: 12.6 x 11.4 mm
Glob Top: Clear, Round: Ø 7.5 mm max.
Thickness: 0.58 mm max.
Pitch: 14.25 mm

M2 – B Module – Ordering Code: 09BT

Module Size: M2
Dimension: 12.6 x 11.4 mm
Glob Top: Black, Square: 8.6 x 8.6 mm
Thickness: 0.58 mm max.
Pitch: 14.25 mm

M3 – G Module – Ordering Code: 09GT

Module Size: M3
Dimension: 10.6 x 8.0 mm
Glob Top: Clear, Round: Ø 6.5 mm max.
Thickness: 0.58 mm max.
Pitch: 9.5 mm

M4 – C Module – Ordering Code: 09CT

Module Size: M4
Dimension: 12.6 x 12.6 mm
Glob Top: Black, Square: 8.6 x 8.6 mm
Thickness: 0.58 mm
Pitch: 14.25 mm

M3 – H Module – Ordering Code: 09HT

Module Size: M3
Dimension: 10.6 x 8.0 mm
Glob Top: Clear, Round: Ø 6.5 mm max.
Thickness: 0.58 mm max.
Pitch: 9.5 mm

M4 – D Module – Ordering Code: 09DT

Module Size: M4
Dimension: 12.6 x 12.6 mm
Glob Top: Black, Square: 8.6 x 8.6 mm
Thickness: 0.58 mm max.
Pitch: 14.25 mm

Note: The module dimensions listed refer to the dimensions of the exposed metal contact area. The actual dimensions of the module after excise or punching from the carrier tape are generally 0.4 mm greater in both directions (i.e. a punched M2 module will yield 13.0 x 11.8 mm).