AT88CK9000
Atmel Secure Personalization Kit for CryptoAuthentication

USER GUIDE

Atmel AT88CK9000 Secure Personalization Kit
Atmel-8821C-CryptoAuth-AT88CK9000-Secure-Personalization-Kit-UserGuide_122014

Features

- Single Push-button Triggers Parallel Programming
- Supports Programming of Up to (10) Devices at a Time for SOIC Package
- Supports Programming of Up to (5) Devices at a Time for TSSOP, UDFN, SOT23-3, or CONTACT
- Provides the Following Feedback:
  - Serial Number
  - Programming Count
  - Programming Limitation Count
  - Firmware Version
  - Device and Protocol
  - Verification Cycle
  - Status Lights For Pass/Fail per Device
  - Visual Feedback While Programming (Push Button Light is On)
- Embedded Power Controller
  - Provides Power to DUTs Only When Programming -- Load/Unload Safe
  - Detects When Devices are Positioned Backwards and Cuts Power to Protect the Board
- Standard Micro-USB Used for Power and Configuration

Contents

- Atmel AT88CK9000 Board
- Universal Power Supply Adaptor
- 0.5m USB Cable

Introduction

The AT88CK9000 secure personalization kit has been developed to securely personalize the Atmel CryptoAuthentication(TM) ATSHA204A device series. Depending on the ordering code, the kit can securely personalize 8-lead SOIC, 8-lead TSSOP, 8-pad UDFN, 3-lead SOT23, and 3-lead RBH CONTACT packages. The 8-lead SOIC kit has sockets that can accommodate two devices per socket, making it capable of personalizing up to 10 devices at a time. Safety and security have been added to ensure secure, high-reliability programming.

The AT88CK9000 kit interfaces to the Atmel Crypto Evaluation Studio (ACES) software suite to provide communication to a PC via a USB interface. This allows trusted users to program the board outside of the manufacturing environment. Once programmed, the board becomes a standalone board. As a standalone board, it requires only power, after which it allows programming of the ATSHA204A devices.
In addition, this board has an internal counter to keep track of how many devices were programmed, both in total and by session.

Table of Contents

Becoming Familiar with AT88CK9000 Board
Install Atmel Crypto Evaluation Studio (ACES)
Configuring the AT88CK9000 Board
Powering Up the AT88CK9000 Board
Putting the Board in Download Mode
Firmware Upgrade/Recovery
Maintenance of the AT88CK9000 Board
Troubleshooting the AT88CK9000 Kit
Ordering Code Information
Revision History

Becoming Familiar with AT88CK9000 Board

The AT88CK9000 has been designed to make secure personalization of the CryptoAuthentication ATSHA204A devices as easy as possible.
[Figure: AT88CK9000 board with callouts: Program Button, Display, USB Power, Pass/Fail Indicators]

[Figure: AT88CK9000 board with callouts: FW Erase Pads, Reset Button, Download Mode Button]

Install Atmel Crypto Evaluation Studio (ACES)

To download ACES, visit: http://www.atmel.com/tools/ATMELCRYPTOEVALUATIONSTUDIO_ACES_.aspx.

Note: The AT88CK9000 kit is compatible with version 4.3.2 or later.

1. Launch the installer by executing the downloaded file (e.g. ACES_Setup.exe).
2. Follow the installation instructions in the setup wizard.
3. Once installed, three ACES icons should be located on the desktop. These icons include:
4. The ACES Programmer icon will launch the ACES Programmer. See the following section, "Configuring the AT88CK9000 Board".

ACES CE recognizes the following kits (it does not recognize the AT88CK9000):

- Atmel AT88CK101 Development Kit - General Engineering, Combined Firmware
- Atmel AT88CK454BLACK Evaluation Kit - ATSHA204A Rhino Black
- Atmel AT88CK427GREEN Evaluation Kit - ATAES132 Rhino Green
- Atmel AT88CK460WHITE - ATECC108 Rhino White
- Atmel AT88CK490 Evaluation Kit - CryptoAuthentication

Configuring the AT88CK9000 Board

Once ACES has been installed, begin configuring the ATSHA204A device to work in your system. This step does not involve the AT88CK9000 board directly; it is a preparation step before you can download the device configuration to the AT88CK9000 and subsequently program multiple devices in the AT88CK9000.

The recommended method is to define and test the device configuration using the ACES Configuration Environment (CE).
In order to use ACES CE, one of the compatible kits listed above that ACES CE recognizes is required. ACES CE does not recognize the AT88CK9000 as a development kit; however, ACES CE creates a personalization file which is targeted for the AT88CK9000 kit.

Save the personalization file in ACES CE:

1. Launch ACES CE:
   - From your desktop, select the ACES CE icon, or
   - From the Start Menu, select Start > Atmel Crypto Solutions > ACES > ACES CE.
2. Configure the working device to the desired configuration.
3. From ACES CE menu bar, select File > Save Personalization File...
4. The File Save As dialog box will be displayed.
5. Check the checkbox for Save as 'Atmel Personalization'. If the 'Atmel Personalization' checkbox is not checked and the resulting .shax file is downloaded into the AT88CK9000, an Invalid Format error will be produced during the download process.
6. Select the 'Session Key Slot' that the AT88CK9000 will use during programming. If the 'Session Key Slot' selector is empty, then define a slot from slot 6 to slot F to be Read:Secret/Write:Never (SlotConfig = 8F8F).
7. Check the 'Save Responses File (*.shar)' checkbox if desired. The *.shar file is a responses file that can be used with ACES CE to verify that parts are programmed properly. After programming parts, launch ACES CE, select the Tools > Verify... menu, then select the *.shar file to verify.
8. Name the personalization file, and then select Save.

Powering Up the AT88CK9000 Board

The AT88CK9000 board can be powered via the multi-voltage power supply which is supplied with the kit or via a USB port on a PC.
Once powered, the green LED will illuminate next to the USB connector, and the green LEDs will illuminate below each socket.

[Figure: powered board with callouts: USB Power, Power LED is illuminated, LEDs are illuminated]

Putting the Board in Download Mode

There are two main modes the secure personalization board may be in:

1. Download Mode
2. Personalization (Programming) Mode

Download mode is used to initially load the configuration of the crypto parts; the configuration is created with ACES. It is typically done once before you start producing programmed parts with the AT88CK9000, but after you've tested the device configuration in your application. This order ensures that when you start programming devices with the AT88CK9000 in higher quantities, those parts will be programmed with the tested configuration.

Personalization (Programming) mode is the default mode when the board is first powered up. It is the mode used most often and is used to personalize the crypto parts.

This section describes how to download the configuration file created with ACES into the AT88CK9000.

1. Plug in the secure personalization board while holding the Boot Select button. Holding the Boot Select button located on the back of the board while powering the board will put the board in the Download mode. The below image shows what should be shown on the display.
2. Download the file contents to the programmer board.
   - Select the ACES Programmer desktop icon to launch the ACES Programmer.
   - The Personalize Programmer Board dialog box will then be presented.
   Notes:
   1. The board is attached.
   2. The file is not selected.
3. Select the XX button and select a personalization file.
   (Select the file that you have created using ACES CE.) To load the contents of the file in preparation to download to the programmer board, select Preview File. The Programmer User Interface should resemble the below dialog box.
4. Select Download.
   - If download is successful, the download confirmation dialog box will be displayed.
   - If download is not successful, the unsuccessful download dialog box will be displayed.
5. Once the board has been successfully loaded with the new configuration, either:
   - Unplug the USB cable from the board, or
   - Press the Reset button located on the back of the board.
   The AT88CK9000 display should show the communication panel screen as shown below, which indicates your board is ready to personalize (program) parts.
   - Device = Device Type and Protocol
   - Count-T = Lifetime Count of Programmed Devices
   - Count-S = Session Count of Programmed Devices
   - Limit = Configurable Limit Per Session
   - S/N = Unique Serial Number
   - FW = Firmware Revision
   - Status = Board Status
6. Congratulations, the AT88CK9000 board is up and running. You may now load the devices into the sockets and press the Program button when ready to program the parts. Be sure to test the first few programmed devices before mass programming additional devices.

Firmware Upgrade/Recovery

To perform a firmware recovery or upgrade, follow these steps:

1.
   Download and install Atmel SAM-BA(R) In-system Programmer from the following link:
   http://www.atmel.com/tools/ATMELSAM-BAIN-SYSTEMPROGRAMMER.aspx
   If using Windows, download and install the atm6124 CDC USB driver for Windows, located at the link above, or use the direct link below:
   http://www.atmel.com/images/atm6124_cdc_signed.zip
2. Download and unzip the AT88CK9000 SAM-BA patch from the following link:
   http://www.atmel.com/tools/AT88CK9000.aspx
3. Copy the directory located under at88ck9000-SAM-BA-v2.11-patch: tcl_lib.
4. Paste the tcl_lib directory inside the SAM-BA installation directory.
5. Plug the board into a computer USB port.
6. Using a metal object, short the Firmware-Erase pads to enable the USB Bootloader, then simultaneously reset the board using the reset switch on the bottom of the board.
   [Figure: board with callout: Firmware-Erase Pads]
   AT88CK9000 will appear as a virtual COM port: AT91 USB to Serial Converter (COMxx).
7. Open the device manager to check the COM port number.
8. Launch SAM-BA and select the board AT88CK9000-AT91SAM3U4 > then select Connect.
9. Select OK.
10. From the Scripts drop-down menu, select Enable Flash Access > select Execute.
11. From the Scripts drop-down menu, select Boot from Flash (GPNVM1) > select Execute.
12. From the Scripts drop-down menu, select Erase All Flash > select Execute.
13.
    In Download / Upload File, next to the field for Send File Name, select the browse icon to locate the binary firmware file.
14. Find the binary firmware file located in the directory at88ck9000_fw. The name of the firmware file could change based on the version.
15. Once the file has loaded, select Send File to download the new firmware.
16. Select Yes to lock the regions.
17. Verify the new firmware > select Compare sent file with memory.
18. Be sure you get a successful match, similar to the following message.
19. Reset the board to allow the new firmware to execute.
20. Congratulations. The firmware recovery or upgrade is complete.

Maintenance of the AT88CK9000 Board

The sockets used in the AT88CK9000 kit are rated for 50,000 insertions per socket. Care must be taken to not bend or deform the leads of the socket. If the sockets become damaged or worn, the following part numbers and suppliers should be used for replacement purchases. The sockets will need to be unsoldered and then resoldered onto the board.

Package Type      Part Number         Supplier
8-lead SOIC       216-7388-55-1902    Digikey 3M5078-ND
8-lead TSSOP      FP-8(24)-065-01A    Enplas
3-lead SOT23-3    499-P36-10          WellsCTI
8-pad UDFN        08QN50L43020        Plastronics
3-lead CONTACT    06QHCMY01-A         Plastronics

Troubleshooting the AT88CK9000 Kit

Issue: No Power.
Resolution: Verify the USB cable is plugged correctly into the board, and is plugged into an approved power source.

Issue: One or More Sockets (Sites) Always Fail.
Resolution: Visually inspect the socket for bent leads. If the leads are straight, clean the contacts on the socket. If the site is still failing, the socket may be worn and should be replaced.

Issue: Board Fails to be Detected by the PC for Download Mode.
Resolution: Be sure the board is in the Download mode and is not in the Programming mode. If the cable is plugged into the correct power source, try unplugging the cable, and then replug the cable into the AT88CK9000 board. Try unplugging and then replugging the USB cable into the board while pushing the Boot Select Mode button on the back of the board.

Ordering Code Information

Ordering Code     Package    Type
AT88CK9000-8SH    8S1        8-lead JEDEC SOIC
AT88CK9000-8TH    8X         8-lead TSSOP
AT88CK9000-TSU    3TS1       3-lead SOT23-3
AT88CK9000-8MA    8MA2       8-pad UDFN
AT88CK9000-RBH    3RB        3-lead CONTACT

ATMEL EVALUATION BOARD/KIT IMPORTANT NOTICE AND DISCLAIMER

This evaluation board/kit is intended for user's internal development and evaluation purposes only. It is not a finished product and may not comply with technical or legal requirements that are applicable to finished products, including, without limitation, directives or regulations relating to electromagnetic compatibility, recycling (WEE), FCC, CE or UL. Atmel is providing this evaluation board/kit "AS IS" without any warranties or indemnities. The user assumes all responsibility and liability for handling and use of the evaluation board/kit including, without limitation, the responsibility to take any and all appropriate precautions with regard to electrostatic discharge and other technical issues. User indemnifies Atmel from any claim arising from user's handling or use of this evaluation board/kit.
Except for the limited purpose of internal development and evaluation as specified above, no license, express or implied, by estoppel or otherwise, to any Atmel intellectual property right is granted hereunder. ATMEL SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RELATING TO USE OF THIS EVALUATION BOARD/KIT.

ATMEL CORPORATION
1600 Technology Drive
San Jose, CA 95110 USA

Revision History

Doc Rev.    Date       Comments
8821C       12/2014    Removed Verify step in Putting the Board in Download Mode section.
8821B       11/2014    Added Firmware Upgrade/Recovery section, terminology changes, and RBH package support notes. Updated ordering codes, template, board/kit notice, and disclaimer page.
8821A       06/2012    Initial document release.

Atmel Corporation
1600 Technology Drive, San Jose, CA 95110 USA
T: (+1)(408) 441.0311  F: (+1)(408) 436.4200
www.atmel.com

(c) 2014 Atmel Corporation. / Rev.: Atmel-8821C-CryptoAuth-AT88CK9000-Secure-Personalization-Kit-UserGuide_122014.

Atmel(R), Atmel logo and combinations thereof, Enabling Unlimited Possibilities(R), CryptoAuthentication(TM), SAM-BA(R), and others are registered trademarks or trademarks of Atmel Corporation in U.S. and other countries. Windows is a registered trademark of Microsoft Corporation in U.S. and or other countries. Other terms and product names may be trademarks of others.

DISCLAIMER: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Atmel products.
EXCEPT AS SET FORTH IN THE ATMEL TERMS AND CONDITIONS OF SALES LOCATED ON THE ATMEL WEBSITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS AND PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and products descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life.

SAFETY-CRITICAL, MILITARY, AND AUTOMOTIVE APPLICATIONS DISCLAIMER: Atmel products are not designed for and will not be used in connection with any applications where the failure of such products would reasonably be expected to result in significant personal injury or death ("Safety-Critical Applications") without an Atmel officer's specific written consent. Safety-Critical Applications include, without limitation, life support devices and systems, equipment or systems for the operation of nuclear facilities and weapons systems. Atmel products are not designed nor intended for use in military or aerospace applications or environments unless specifically designated by Atmel as military-grade.
Atmel products are not designed nor intended for use in automotive applications unless specifically designated by Atmel as automotive-grade.