
Micro controller Based Password Lock

By

Password based Door locking system

This is an 8051-based security project: we can lock and unlock the door electronically. Electronic door locking systems are used in bank lockers, home lockers, main doors, prisons, etc.

Working: only when we give the correct UserID and Password can we UNLOCK and LOCK the door; otherwise we can't operate it. If we enter the correct userID and password, an "Authenticated" message is shown on the LCD screen; otherwise "Invalid UserID" or "Access Denide" is shown. Then you can select one of the options LOCK DOOR and UNLOCK DOOR.
Here is the functional flow chart 
Here we are showing how the door can be locked and unlocked mechanically and electrically, together with the mechanical body of the door.
case'1': when the door is locked    


case'2':When the door is unlocked
















NOTE: I haven't connected any motor driver here, but in practice an opto-coupler or an H-bridge motor driver can be connected in between.

Code



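// Password based Door lock
// modifying userID and Password
// NOTE(review): the header name was lost when this listing was extracted; the
// names used below (P1, P3, TMOD, TH1, TL1, TR1, TF1) are the ones Keil C51's
// reg51.h declares, so that is the header restored here.
#include <reg51.h>
sfr ROW=0x80;   // PORT-0: one row line at a time is driven low to scan the keypad
sfr COL=0xA0;   // PORT-2: low nibble is read back to find the pressed column
sfr ldata=0x90; // PORT-1: 8-bit LCD data/command bus
sbit rs=P3^0;   // LCD register select (0 = command, 1 = character data)
sbit rw=P3^1;   // LCD read/write (0 = write, 1 = read)
sbit en=P3^2;   // LCD enable strobe
sbit busy=P1^7; // LCD busy flag: bit 7 of the data bus (P1) when reading
sbit servo=P3^3; // Output to motor: pulse train produced by door_open()/door_close()
void lcdcmd(unsigned char value);
void lcddata(unsigned char value);
void lcdready(void);
void printstring(unsigned char ch[]);
void LCDclear(void);
void msdelay(unsigned int value);
int keypad(void);
void timer(unsigned int msec);
void door_open(void);

void door_close(void);
/* Credentials.  They are fixed at build time and stored in plain text in the
 * program memory, so anyone able to read the part's code memory recovers them;
 * main() accepts only an exact 4-key match against each of them. */
unsigned char userID[5]={"9876"};
unsigned char password[5]={"1234"};
unsigned char update_1[5]={"0000"}; // scratch buffer: the 4 keys most recently typed
unsigned char update_2[5]={"0000"}; // not referenced anywhere in this file
unsigned char x;                    // not referenced anywhere in this file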
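/* Number of consecutive failed logins before the prompt is held for a while. */
#define MAX_TRIES 3
/* Keys read for the user ID and for the password. */
#define CODE_LEN  4

/* Read CODE_LEN keys from the keypad into dst.
 * echo != 0: show each key on the LCD; echo == 0: show '*' instead.
 * Only CODE_LEN bytes of dst are written; no terminator is added. */
static void read_code(unsigned char dst[], unsigned char echo)
{
  unsigned char i;
  for(i=0;i<CODE_LEN;i++)
  {
    dst[i]=keypad();
    lcddata(echo ? dst[i] : '*');
  }
}

/* Return 1 when the first CODE_LEN bytes of a and b are equal, else 0. */
static unsigned char code_matches(unsigned char a[], unsigned char b[])
{
  unsigned char i;
  for(i=0;i<CODE_LEN;i++)
  {
    if(a[i]!=b[i])
      return 0;
  }
  return 1;
}

/* Lock/unlock menu shown after a successful login.
 * '1' pulses the servo open, '2' pulses it closed, 'C' returns to the login
 * prompt; any other key is ignored.  Each key is read exactly once, so a
 * 'C' can never be swallowed by an earlier read (the original code called
 * keypad() twice per loop, and re-pulsed door_open() on every pass). */
static void door_menu(void)
{
  int k;
  LCDclear();
  lcdcmd(0x80);            // line 1, column 0
  printstring("1.Unlock Door");
  lcdcmd(0xC0);            // line 2, column 0
  printstring("2.lock Door");
  for(;;)
  {
    k=keypad();
    if(k=='1')
      door_open();
    else if(k=='2')
      door_close();
    else if(k=='C')
      return;
  }
}

/* Entry point: LCD/keypad login, then the lock/unlock menu.
 *
 * Each pass of the outer loop:
 *   1. prompts "userID:" and reads CODE_LEN keys (echoed),
 *   2. prompts "password:" and reads CODE_LEN keys (masked),
 *   3. on success shows "Authenticated" and runs door_menu() until 'C'.
 * Both entries reuse update_1, so the password overwrites the user ID.
 * Failures return to the prompt by looping, not by calling main() again:
 * the original recursed into main() on every bad attempt, growing the
 * 8051's small stack by one frame each time.  After MAX_TRIES consecutive
 * failures the prompt is held for a fixed delay so the keypad cannot be
 * driven at full speed. */
void main(void)
{
  unsigned char failures=0;

  lcdcmd(0x38);  // HD44780-style function set: 8-bit bus, 2 lines
  lcdcmd(0x0F);  // display on, cursor on, blink
  lcdcmd(0x06);  // entry mode: cursor moves right
  lcdcmd(0x01);  // clear display
  while(1)
  {
    LCDclear();
    lcdcmd(0x80);  // line 1, column 0
    printstring("userID:");
    lcdcmd(0x87);  // line 1, column 7: input starts after the prompt
    read_code(update_1,1);
    if(!code_matches(update_1,userID))
    {
      LCDclear();
      printstring("Invalid UserID");
      msdelay(1000);
      failures++;
    }
    else
    {
      lcdcmd(0xC0);  // line 2, column 0
      printstring("password:");
      lcdcmd(0xC9);  // line 2, column 9
      read_code(update_1,0);
      if(code_matches(update_1,password))
      {
        LCDclear();
        printstring("Authenticated");
        msdelay(2000);
        failures=0;
        door_menu();
        continue;      // 'C' pressed: back to the login prompt
      }
      LCDclear();
      printstring("Access Denide");
      msdelay(1000);
      failures++;
    }
    if(failures>=MAX_TRIES)
    {
      LCDclear();
      printstring("Too many tries");
      msdelay(5000);   // five times the "Access Denide" pause
      failures=0;
    }
  }
}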
/* Send one command byte to the LCD (register select low). */
void lcdcmd(unsigned char value)
{
lcdready();      // short wait on the busy flag, see lcdready()
ldata=value;     // command byte onto the data bus (P1)
rs=0;            // instruction register
rw=0;            // write
en=1;            // raise enable ...
msdelay(10);     // ... hold it for 10 delay units ...
en=0;            // ... and drop it: the LCD takes the byte on this pulse
}
/* Send one character byte to the LCD (register select high); same strobe
 * sequence as lcdcmd(), only rs differs. */
void lcddata(unsigned char value)
{
lcdready();      // short wait on the busy flag, see lcdready()
ldata=value;     // character byte onto the data bus (P1)
rs=1;            // data register
rw=0;            // write
en=1;            // raise enable ...
msdelay(10);     // ... hold it for 10 delay units ...
en=0;            // ... and drop it: the LCD takes the byte on this pulse
}
/* Give the LCD a moment before the next transfer.
 * NOTE(review): the busy flag is sampled once (an `if`, not a `while`) and en
 * is pulsed a single time, so this is a fixed short wait rather than a true
 * busy poll.  It leaves rw high; lcdcmd()/lcddata() set it low again. */
void lcdready(void)
{
busy=1;   // write 1 to P1.7 so the pin can be read back as an input
rs=0;     // instruction register
rw=1;     // read mode
if(busy==1)
{
en=0;
msdelay(1);
en=1;
}
}

/* Write a NUL-terminated string to the LCD at the current cursor position,
 * one character per lcddata() call. */
void printstring(unsigned char ch[])
{
 unsigned char *p = ch;
 while(*p != '\0')
 {
  lcddata(*p);
  p++;
 }
}
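/* Busy-wait for roughly `value` delay units.
 * One unit is 100 empty iterations of the inner loop, so the real duration
 * depends on the clock and the compiler; nothing in this file calibrates it
 * to milliseconds.  (The inner loop line was garbled in the extracted
 * listing; this is its reconstruction, with the counter made volatile so an
 * optimising compiler cannot delete the empty loop.) */
void msdelay(unsigned int value)
{
 unsigned int i;
 volatile unsigned int j;
 for(i=0;i<value;i++)
  for(j=0;j<100;j++)
   ;
}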
/* Clear the display and home the cursor (command 0x01). */
void LCDclear(void)
{
 const unsigned char clear_display = 0x01;
 lcdcmd(clear_display);
}
/* Block until one key of the 4x4 matrix is pressed and return its character.
 * ROW (P0) is driven, the low nibble of COL (P2) is read.  There is no
 * timeout: the function only returns on a key press.  Each call also re-sends
 * the LCD set-up commands 0x38/0x0E/0x06 before scanning; note that 0x0E
 * differs from the 0x0F main() uses. */
int keypad()
{
unsigned char dat[4][4]={'7','8','9','%', // assigning key matrix
'4','5','6','*',
'1','2','3','-',
'C','0','=','+'};
unsigned char colloc,rowloc;
COL=0xFF; // write 1s so the column pins can be read back as inputs
ROW=0x00; // drive every row low
rs=0;
rw=0;
en=0;
busy=0;
/* setting LCD screen*/
ldata=0x00;
lcdcmd(0x38);
lcdcmd(0x0E);
lcdcmd(0x06);

while(1)
{
/* reading character from keyboard */
/* 1. wait until no key is held: all four column bits read high (0x0F) */
do
{
ROW=0x00;
colloc=COL;
colloc&=0x0F;
}while(colloc!=0x0F);
/* 2. wait for a column to go low, re-reading after 25 delay units (twice)
 *    to debounce the contact */
do
{
do
{
msdelay(25);
colloc=COL;
colloc&=0x0F;
}while(colloc==0x0F);
msdelay(25);
colloc=COL;
colloc&=0x0F;
}while(colloc==0x0F);
/* 3. find the row: pull one row low at a time and look for a low column.
 *    If the key was released in the meantime no row matches and the scan
 *    starts over from row 0. */
while(1)
{
ROW=0xFE;
colloc=COL;
colloc&=0x0F;
if(colloc!=0x0F)
{
rowloc=0;
break;
}
ROW=0xFD;
colloc=COL;
colloc&=0x0F;
if(colloc!=0x0F)
{
rowloc=1;
break;
}
ROW=0xFB;
colloc=COL;
colloc&=0x0F;
if(colloc!=0x0F)
{
rowloc=2;
break;
}
ROW=0xF7;
colloc=COL;
colloc&=0x0F;
if(colloc!=0x0F)
{
rowloc=3;
break;
}
}
/* 4. map the low column bit to the key table: 0x0E -> column 0,
 *    0x0D -> column 1, 0x0B -> column 2, anything else -> column 3 */
if(colloc==0x0E)
return(dat[rowloc][0]);
else if(colloc==0x0D)
return(dat[rowloc][1]);
else if(colloc==0x0B)
return(dat[rowloc][2]);
else
return(dat[rowloc][3]);
}
}
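/* Block for `msec` Timer 1 overflow periods.
 * Each iteration puts Timer 1 in mode 2 (TMOD=0x20, 8-bit auto-reload),
 * loads TH1/TL1, runs it until TF1 sets, then clears the flag and stops it.
 * The real period depends on the crystal, so treat the "msec" name as
 * approximate.
 * NOTE(review): TL1 starts at 0xFF, so the only overflow that is awaited
 * comes after a single count and the reload value in TH1 never affects the
 * wait; the pulse widths in door_open()/door_close() were presumably tuned
 * against this behaviour, which is why it is left unchanged here.
 * (The loop header was garbled in the extracted listing; reconstructed.) */
void timer(unsigned int msec) // Function for timer
{
 unsigned int i;
 for(i=0;i<msec;i++)
 {
  TMOD=0x20; // Mode2
  TH1=0xD1;
  TL1=0xFF;

  TR1=1;          // start Timer 1
  while(TF1==0);  // wait for overflow
  TF1=0;
  TR1=0;          // stop Timer 1
 }
}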

/* Drive the servo line towards the "open" position: one pulse of 10 timer()
 * periods high followed by 380 periods low. */
void door_open()
{
 servo=0;
 /* anticlockwise direction: a single high/low pulse */
 servo=1;
 timer(10);
 servo=0;
 timer(380);
}
/* Drive the servo line towards the "closed" position: one pulse of 60 timer()
 * periods high followed by 340 periods low. */
void door_close()
{
 servo=0;
 /* clockwise direction: a single high/low pulse */
 servo=1;
 timer(60);
 servo=0;
 timer(340);
}











Micro controller Based Password Lock

By

Password based Door locking system

This is an 8051-based security project: we can lock and unlock the door electronically. Electronic door locking systems are used in bank lockers, home lockers, main doors, prisons, etc.

Working: only when we give the correct UserID and Password can we UNLOCK and LOCK the door; otherwise we can't operate it. If we enter the correct userID and password, an "Authenticated" message is shown on the LCD screen; otherwise "Invalid UserID" or "Access Denide" is shown. Then you can select one of the options LOCK DOOR and UNLOCK DOOR.
Here is the functional flow chart 
Here we are showing how the door can be locked and unlocked mechanically and electrically, together with the mechanical body of the door.
case'1': when the door is locked    


case'2':When the door is unlocked
















NOTE: I haven't connected any motor driver here, but in practice an opto-coupler or an H-bridge motor driver can be connected in between.

Code


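// Password based Door lock
// modifying userID and Password
// NOTE(review): the header name was lost when this listing was extracted; the
// names used below (P1, P3, TMOD, TH1, TL1, TR1, TF1) are the ones Keil C51's
// reg51.h declares, so that is the header restored here.
#include <reg51.h>
sfr ROW=0x80;   // PORT-0: one row line at a time is driven low to scan the keypad
sfr COL=0xA0;   // PORT-2: low nibble is read back to find the pressed column
sfr ldata=0x90; // PORT-1: 8-bit LCD data/command bus
sbit rs=P3^0;   // LCD register select (0 = command, 1 = character data)
sbit rw=P3^1;   // LCD read/write (0 = write, 1 = read)
sbit en=P3^2;   // LCD enable strobe
sbit busy=P1^7; // LCD busy flag: bit 7 of the data bus (P1) when reading
sbit servo=P3^3; // Output to motor: pulse train produced by door_open()/door_close()
void lcdcmd(unsigned char value);
void lcddata(unsigned char value);
void lcdready(void);
void printstring(unsigned char ch[]);
void LCDclear(void);
void msdelay(unsigned int value);
int keypad(void);
void timer(unsigned int msec);
void door_open(void);

void door_close(void);
/* Credentials.  They are fixed at build time and stored in plain text in the
 * program memory, so anyone able to read the part's code memory recovers them;
 * main() accepts only an exact 4-key match against each of them. */
unsigned char userID[5]={"9876"};
unsigned char password[5]={"1234"};
unsigned char update_1[5]={"0000"}; // scratch buffer: the 4 keys most recently typed
unsigned char update_2[5]={"0000"}; // not referenced anywhere in this file
unsigned char x;                    // not referenced anywhere in this file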
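/* Number of consecutive failed logins before the prompt is held for a while. */
#define MAX_TRIES 3
/* Keys read for the user ID and for the password. */
#define CODE_LEN  4

/* Read CODE_LEN keys from the keypad into dst.
 * echo != 0: show each key on the LCD; echo == 0: show '*' instead.
 * Only CODE_LEN bytes of dst are written; no terminator is added. */
static void read_code(unsigned char dst[], unsigned char echo)
{
  unsigned char i;
  for(i=0;i<CODE_LEN;i++)
  {
    dst[i]=keypad();
    lcddata(echo ? dst[i] : '*');
  }
}

/* Return 1 when the first CODE_LEN bytes of a and b are equal, else 0. */
static unsigned char code_matches(unsigned char a[], unsigned char b[])
{
  unsigned char i;
  for(i=0;i<CODE_LEN;i++)
  {
    if(a[i]!=b[i])
      return 0;
  }
  return 1;
}

/* Lock/unlock menu shown after a successful login.
 * '1' pulses the servo open, '2' pulses it closed, 'C' returns to the login
 * prompt; any other key is ignored.  Each key is read exactly once, so a
 * 'C' can never be swallowed by an earlier read (the original code called
 * keypad() twice per loop, and re-pulsed door_open() on every pass). */
static void door_menu(void)
{
  int k;
  LCDclear();
  lcdcmd(0x80);            // line 1, column 0
  printstring("1.Unlock Door");
  lcdcmd(0xC0);            // line 2, column 0
  printstring("2.lock Door");
  for(;;)
  {
    k=keypad();
    if(k=='1')
      door_open();
    else if(k=='2')
      door_close();
    else if(k=='C')
      return;
  }
}

/* Entry point: LCD/keypad login, then the lock/unlock menu.
 *
 * Each pass of the outer loop:
 *   1. prompts "userID:" and reads CODE_LEN keys (echoed),
 *   2. prompts "password:" and reads CODE_LEN keys (masked),
 *   3. on success shows "Authenticated" and runs door_menu() until 'C'.
 * Both entries reuse update_1, so the password overwrites the user ID.
 * Failures return to the prompt by looping, not by calling main() again:
 * the original recursed into main() on every bad attempt, growing the
 * 8051's small stack by one frame each time.  After MAX_TRIES consecutive
 * failures the prompt is held for a fixed delay so the keypad cannot be
 * driven at full speed. */
void main(void)
{
  unsigned char failures=0;

  lcdcmd(0x38);  // HD44780-style function set: 8-bit bus, 2 lines
  lcdcmd(0x0F);  // display on, cursor on, blink
  lcdcmd(0x06);  // entry mode: cursor moves right
  lcdcmd(0x01);  // clear display
  while(1)
  {
    LCDclear();
    lcdcmd(0x80);  // line 1, column 0
    printstring("userID:");
    lcdcmd(0x87);  // line 1, column 7: input starts after the prompt
    read_code(update_1,1);
    if(!code_matches(update_1,userID))
    {
      LCDclear();
      printstring("Invalid UserID");
      msdelay(1000);
      failures++;
    }
    else
    {
      lcdcmd(0xC0);  // line 2, column 0
      printstring("password:");
      lcdcmd(0xC9);  // line 2, column 9
      read_code(update_1,0);
      if(code_matches(update_1,password))
      {
        LCDclear();
        printstring("Authenticated");
        msdelay(2000);
        failures=0;
        door_menu();
        continue;      // 'C' pressed: back to the login prompt
      }
      LCDclear();
      printstring("Access Denide");
      msdelay(1000);
      failures++;
    }
    if(failures>=MAX_TRIES)
    {
      LCDclear();
      printstring("Too many tries");
      msdelay(5000);   // five times the "Access Denide" pause
      failures=0;
    }
  }
}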
 /* Send one command byte to the LCD (register select low). */
void lcdcmd(unsigned char value)
{
 lcdready();      // short wait on the busy flag, see lcdready()
 ldata=value;     // command byte onto the data bus (P1)
 rs=0;            // instruction register
 rw=0;            // write
 en=1;            // raise enable ...
 msdelay(10);     // ... hold it for 10 delay units ...
 en=0;            // ... and drop it: the LCD takes the byte on this pulse
 }
 /* Send one character byte to the LCD (register select high); same strobe
  * sequence as lcdcmd(), only rs differs. */
void lcddata(unsigned char value)
{
 lcdready();      // short wait on the busy flag, see lcdready()
 ldata=value;     // character byte onto the data bus (P1)
 rs=1;            // data register
 rw=0;            // write
 en=1;            // raise enable ...
 msdelay(10);     // ... hold it for 10 delay units ...
 en=0;            // ... and drop it: the LCD takes the byte on this pulse
 }
 /* Give the LCD a moment before the next transfer.
  * NOTE(review): the busy flag is sampled once (an `if`, not a `while`) and en
  * is pulsed a single time, so this is a fixed short wait rather than a true
  * busy poll.  It leaves rw high; lcdcmd()/lcddata() set it low again. */
void lcdready(void)
{
 busy=1;   // write 1 to P1.7 so the pin can be read back as an input
 rs=0;     // instruction register
 rw=1;     // read mode
 if(busy==1)
  {
   en=0;
   msdelay(1);
   en=1;
   }
}

/* Write a NUL-terminated string to the LCD at the current cursor position,
 * one character per lcddata() call. */
void printstring(unsigned char ch[])
{
 unsigned char *p = ch;
 while(*p != '\0')
 {
  lcddata(*p);
  p++;
 }
}
/* generating delay*/
void msdelay(unsigned int value)
{
 unsigned int i,j;
 for(i=0;i




Copy Protection in Modern Microcontrollers

By

Introduction

A lot of microcontrollers are used in modern equipment and electronic devices. Some of them are used by amateurs to build small devices for fun, others are used by small companies in control, measurement or other equipment, others are used for serious applications by the military, security services, banks, medical services etc. Each microcontroller executes the algorithm or program uploaded into its memory. Usually this algorithm is written in Assembler (even if you write the program in C it will be translated into Assembler during compilation); rarely the algorithm is written in Basic or Java.
If you write a program for a microcontroller you are interested in your work being protected against unauthorized access or copying, so you want to control the distribution of your devices. For this purpose microcontroller manufacturers developed special features which, if selected, allow software authors to prevent people from downloading the program out of the microcontroller. This is the copy protection or lock feature. Each microcontroller has to be programmed before use. There are different techniques for doing this, depending on the manufacturer and the type of microcontroller. For evaluation purposes there are reprogrammable versions of microcontrollers; for production in small quantities there are one-time programmable (OTP) versions, which are cheaper than reprogrammable ones; and for large volumes there are factory-programmed versions, which are very cheap but have to be purchased in lots of at least 1000. After the program for the microcontroller is written and successfully compiled it has to be uploaded into the corresponding microcontroller integrated circuit. For this purpose you have to use a special hardware device called a programmer unit. For most microcontrollers this device can be very simple and cheap, consisting of a power supply adapter, a few transistors, several resistors and a connector to an RS232 or parallel port. For other microcontrollers you have to use special programmer units distributed only by the manufacturers, but these microcontrollers are not popular. Of course, if you want your device to work properly for years (especially with OTP versions of microcontrollers) it is better to use industrial programmer units, which are approved by most manufacturers. You can find all the necessary information about these devices on the manufacturers' web sites.

Attack Technologies

1. Introduction

An increasing number of large and important systems, from pay-TV through GSM mobile phones and prepayment gas meters to smartcard electronic wallets, rely to a greater or lesser extent on the tamper resistance properties of microcontrollers, smartcards and other special security processors.
This tamper resistance is not absolute: an opponent with access to semiconductor test equipment can retrieve key material from a chip by direct observation and manipulation of the chip's components. It is generally believed that, given sufficient investment, any chip-sized tamper resistant device can be penetrated in this way.
So the level of tamper resistance offered by any particular product can be measured by the time and cost penalty that the protective mechanisms impose on the attacker. Estimating these penalties is clearly an important problem, but it is one to which security researchers, evaluators and engineers have paid less attention than perhaps it deserves.
We can distinguish four major attack categories:
  • Microprobing techniques can be used to access the chip surface directly, so that we can observe, manipulate, and interfere with the integrated circuit
  • Software attacks use the normal communication interface of the processor and exploit security vulnerabilities found in the protocols, cryptographic algorithms, or their implementation
  • Eavesdropping techniques monitor, with high time resolution, the analog characteristics of all supply and interface connections and any other electromagnetic radiation by the processor during normal operation
  • Fault generation techniques use abnormal environmental conditions to generate malfunctions in the processor that provide additional access
All microprobing techniques are invasive attacks. They require hours or weeks in a specialized laboratory and in the process they destroy the packaging. The other three are non-invasive attacks. The attacked card is not physically harmed during these attacks, and the equipment used in the attack can usually be disguised as a normal smartcard reader.
Non-invasive attacks are particularly dangerous in some applications for two reasons. Firstly, the owner of the compromised card might not notice that the secret keys have been stolen, therefore it is unlikely that the validity of the compromised keys will be revoked before they are abused. Secondly, non-invasive attacks often scale well, as the necessary equipment can usually be reproduced and updated at low cost.
The design of most non-invasive attacks requires detailed knowledge of both the processor and the software. On the other hand, invasive microprobing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products. Attacks therefore often start with invasive reverse engineering, the results of which then help to develop cheaper and faster non-invasive attacks.

2. Non-Invasive attacks

The most widely used non-invasive attacks involve manipulating the supply voltage and the clock signal. Under-voltage and over-voltage attacks can be used to disable the protection circuit or force the processor to perform a wrong operation. For these reasons, some security processors have a voltage detection circuit, but as a rule this circuit does not react to transients. So fast signals of various kinds may reset the protection without destroying the protected information.
Power and clock transients can also be used in some processors to affect the decoding and execution of individual instructions. Every transistor and its connection paths act like an RC element with a characteristic time delay; the maximum usable clock frequency of a processor is determined by the maximum delay among its elements. Similarly, every flip-flop has a characteristic time window (of a few picoseconds) during which it samples its input voltage and changes its output accordingly. This window can be anywhere inside the specified setup cycle of the flip-flop, but is quite fixed for an individual device at a given voltage and temperature. So if we apply a clock glitch (a clock pulse much shorter than normal) or a power glitch (a rapid transient in supply voltage), this will affect only some transistors in the chip. By varying the parameters, the CPU can be made to execute a number of completely different wrong instructions, sometimes including instructions that are not even supported by the microcode. Although we do not know in advance which glitch will cause which wrong instruction in which chip, it can be fairly simple to conduct a systematic search.
Another possible way of attack is current analysis. Using a 10 - 15 ohm resistor in the power supply, we can measure with an analog/digital converter the fluctuations in the current consumed by the card. Preferably, the recording should be made with at least 12-bit resolution, and the sampling frequency should be an integer multiple of the card clock frequency.
Drivers on the address and data bus often consist of up to a dozen parallel inverters per bit, each driving a large capacitive load. They cause a significant power-supply short circuit during any transition. Changing a single bus line from 0 to 1 or vice versa can contribute in the order of 0.5 - 1 mA to the total current at the right time after the clock edge, such that a 12-bit ADC is sufficient to estimate the number of bus bits that change at a time. SRAM write operations often generate the strongest signals. By averaging the current measurements of many repeated identical transactions, we can even identify smaller signals that are not transmitted over the bus. Signals such as carry bit states are of special interest, because many cryptographic key scheduling algorithms use shift operations that single out individual key bits in the carry flag. Even if the status-bit changes cannot be measured directly, they often cause changes in the instruction sequencer or microcode execution, which then cause a clear change in the power consumption.
The various instructions cause different levels of activity in the instruction decoder and arithmetic units and can often be quite clearly distinguished, such that parts of algorithms can be reconstructed. Various units of the processor have their switching transients at different times relative to the clock edges and can be separated in high-frequency measurements.
Another possible threat to secure devices is data remanence. This is the capability of volatile memory to retain information stored in it for some period of time after power is disconnected. Static RAM that has held the same key for a long period of time could reveal it at the next power-on. Another possibility is to 'freeze' the state of the memory cells by applying low temperature to the device. In this case static RAM could retain information for several minutes at -20 °C or even hours at lower temperatures.

3. Invasive attacks

Despite the greater complexity of invasive attacks, some of them can be done without using expensive laboratory equipment. Low-budget attackers are likely to find a cheaper solution on the second-hand market for semiconductor test equipment. With patience and skill it should not be too difficult to assemble all the required tools for under ten thousand US dollars by buying a second-hand microscope and using self-designed micropositioners. The laser is not essential for first results, because vibrations in the probing needle can also be used to break holes into the passivation.
Invasive attacks start with the removal of the chip package. Plastic over the chip could be removed by knife. Epoxy resin around the chip could be removed using fuming nitric acid. Hot fuming nitric acid dissolves the package without affecting the chip. The procedure should preferably be carried out under very dry conditions, as the presence of water could corrode exposed aluminium interconnects. The chip is then washed with acetone in an ultrasonic bath, followed optionally by a short bath in deionized water and isopropanol. After that chip could be glued into a test package and bonded manually. Having enough experience it might be possible to remove epoxy without destroying bonding wires and smartcard contacts.
Once the chip is opened it is possible to perform probing or modifying attacks. The most important tool for invasive attacks is a microprobing workstation. Its major component is a special optical microscope with a working distance of at least 8 mm between the chip surface and the objective lens. On a stable platform around a socket for the test package, we install several micropositioners , which allow us to move a probe arm with submicrometer precision over a chip surface. On this arm, we install a probe needle. These elastic probe hairs allow us to establish electrical contact with on-chip bus lines without damaging them.
On the depackaged chip, the top-layer aluminium interconnect lines are still covered by a passivation layer (usually silicon oxide or nitride), which protects the chip from the environment and ion migration. On top of this, we might also find a polyimide layer that was not entirely removed by HNO3 but which can be dissolved with ethylendiamine. We have to remove the passivation layer before the probes can establish contact. The most convenient depassivation technique is the use of a laser cutter. The UV or green laser is mounted on the camera port of the microscope and fires laser pulses through the microscope onto rectangular areas of the chip with micrometer precision. Carefully dosed laser flashes remove patches of the passivation layer. The resulting hole in the passivation layer can be made so small that only a single bus line is exposed. This prevents accidental contacts with neighboring lines and the hole also stabilizes the position of the probe and makes it less sensitive to vibrations and temperature changes.
It is usually not practical to read the information stored on a security processor directly out of each single memory cell, except for ROM. The stored data has to be accessed via the memory bus where all data is available at a single location. Microprobing is used to observe the entire bus and record the values in memory as they are accessed.
It is difficult to observe all (usually over 20) data and address bus lines at the same time. Various techniques can be used to get around this problem. For instance we can repeat the same transaction many times and use only two to four probes to observe various subsets of the bus lines. As long as the processor performs the same sequence of memory accesses each time, we can combine the recorded bus subset signals into a complete bus trace. Overlapping bus lines in the various recordings help us to synchronize them before they are combined.
In order to read all memory cells without the help of the card software, we have to abuse a CPU component as an address counter to access all memory cells for us. The program counter is already incremented automatically during every instruction cycle and used to read the next address, which makes it perfectly suited to serve us as an address sequence generator. We only have to prevent the processor from executing jump, call, or return instructions, which would disturb the program counter in its normal read sequence. Tiny modifications of the instruction decoder or program counter circuit, which can easily be performed by opening the right metal interconnect with a laser, often have the desired effect.
Another approach to understand how particular microcontroller or smartcard work is to reverse engineer it. The first step is to create a map of a new processor. It could be done by using an optical microscope with a CCD camera to produce several meter large mosaics of high-resolution photographs of the chip surface. Basic architecture structures, such as data and address bus lines, can be identified quite quickly by studying connectivity patterns and by tracing metal lines that cross clearly visible module boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.). All processing modules are usually connected to the main bus via easily recognizable latches and bus drivers. The attacker obviously has to be well familiar with CMOS VLSI design techniques and microcontroller architectures, but the necessary knowledge is easily available from numerous textbooks.
Photographs of the chip surface show the top metal layer, which is not transparent and therefore obscures the view on many structures below. Unless the oxide layers have been planarized, lower layers can still be recognized through the height variations that they cause in the covering layers. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped off, which could be achieved by submerging the chip for a few seconds in hydrofluoric acid (HF) in an ultrasonic bath. HF quickly dissolves the silicon oxide around the metal tracks and detaches them from the chip surface. HF is an extremely dangerous substance and safety precautions have to be followed carefully when handling it.
Where the implementation is familiar, there are a number of ways to extract information from the chip by targeting specific gates or fuses or by overwriting specific memory locations. Even where this is not possible, memory cells can be attacked; this can also be done on a relatively modest budget.
Most currently available microcontrollers and smartcard processors have feature sizes of 0.5 - 1 µm and only two metal layers. These can be reverse-engineered and observed with the manual and optical techniques described in the previous sections. For future chip generations with more metal layers and features below the wavelength of visible light, more expensive tools additionally might have to be used.
A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun, comparable to a scanning electron microscope (SEM). Gallium ions are accelerated and focused from a liquid metal cathode with 30 kV into a beam of down to 5 - 10 nm diameter, with beam currents ranging from 1 pA to 10 nA. FIBs can image samples from secondary particles similar to a SEM with down to 5 nm resolution. By increasing the beam current, chip material can be removed with the same resolution. Better etch rates can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target. Gas molecules settle down on the chip surface and react with removed material to form a volatile compound that can be pumped away and is not redeposited. Using this gas-assisted etch technique, holes that are up to 12 times deeper than wide can be created at arbitrary angles to get access to deep metal layers without damaging nearby structures. By injecting a platinum-based organometallic gas that is broken down on the chip surface by the ion beam, platinum can be deposited to establish new contacts. With other gas chemistries, even insulators can be deposited to establish surface contacts to deep metal without contacting any covering layers.
Using laser interferometer stages, a FIB operator can navigate blindly on a chip surface with 0.15 µm precision, even if the chip has been planarized and has no recognizable surface structures. Chips can also be polished from the back side down to a thickness of just a few tens of micrometers. Using laser interferometer navigation or infrared laser imaging, it is then possible to locate individual transistors and contact them through the silicon substrate by FIB editing a suitable hole. This rear-access technique has probably not yet been used by pirates so far, but the technique is about to become much more commonly available and therefore has to be taken into account by designers of new security chips. FIBs are used by attackers today primarily to simplify manual probing of deep metal and polysilicon lines. A hole is drilled to the signal line of interest, filled with platinum to bring the signal to the surface, where a several micrometer large probing pad or cross is created to allow easy access. Modern FIB workstations (for example the FIB 200xP from FEI) cost less than half a million US$ and are available in over hundred organizations. Processing time can be rented from numerous companies all over the world for a few hundred dollars per hour.



Copy Protection in Modern Microcontrollers

By

Introduction

A lot of microcontrollers are used in modern equipment and electronic devices. Some of them are used by amateurs to build small devices for fun, others are used by small companies in control, measurement or other equipment, others are used for serious applications by the military, security services, banks, medical services etc. Each microcontroller executes the algorithm or program uploaded into its memory. Usually this algorithm is written in Assembler (even if you write the program in C it will be translated into Assembler during compilation); rarely the algorithm is written in Basic or Java.
If you write a program for a microcontroller you are interested in your work being protected against unauthorized access or copying, so you want to control the distribution of your devices. For this purpose microcontroller manufacturers developed special features which, if selected, allow software authors to prevent people from downloading the program out of the microcontroller. This is the copy protection or lock feature. Each microcontroller has to be programmed before use. There are different techniques for doing this, depending on the manufacturer and the type of microcontroller. For evaluation purposes there are reprogrammable versions of microcontrollers; for production in small quantities there are one-time programmable (OTP) versions, which are cheaper than reprogrammable ones; and for large volumes there are factory-programmed versions, which are very cheap but have to be purchased in lots of at least 1000. After the program for the microcontroller is written and successfully compiled it has to be uploaded into the corresponding microcontroller integrated circuit. For this purpose you have to use a special hardware device called a programmer unit. For most microcontrollers this device can be very simple and cheap, consisting of a power supply adapter, a few transistors, several resistors and a connector to an RS232 or parallel port. For other microcontrollers you have to use special programmer units distributed only by the manufacturers, but these microcontrollers are not popular. Of course, if you want your device to work properly for years (especially with OTP versions of microcontrollers) it is better to use industrial programmer units, which are approved by most manufacturers. You can find all the necessary information about these devices on the manufacturers' web sites.

Attack Technologies

1. Introduction

An increasing number of large and important systems, from pay-TV through GSM mobile phones and prepayment gas meters to smartcard electronic wallets, rely to a greater or lesser extent on the tamper resistance properties of microcontrollers, smartcards and other special security processors.
This tamper resistance is not absolute: an opponent with access to semiconductor test equipment can retrieve key material from a chip by direct observation and manipulation of the chip's components. It is generally believed that, given sufficient investment, any chip-sized tamper resistant device can be penetrated in this way.
So the level of tamper resistance offered by any particular product can be measured by the time and cost penalty that the protective mechanisms impose on the attacker. Estimating these penalties is clearly an important problem, but it is one to which security researchers, evaluators and engineers have paid less attention than perhaps it deserves.
We can distinguish four major attack categories:
  • Microprobing techniques can be used to access the chip surface directly, so that we can observe, manipulate, and interfere with the integrated circuit
  • Software attacks use the normal communication interface of the processor and exploit security vulnerabilities found in the protocols, cryptographic algorithms, or their implementation
  • Eavesdropping techniques monitor, with high time resolution, the analog characteristics of all supply and interface connections and any other electromagnetic radiation by the processor during normal operation
  • Fault generation techniques use abnormal environmental conditions to generate malfunctions in the processor that provide additional access
All microprobing techniques are invasive attacks. They require hours or weeks in a specialized laboratory and in the process they destroy the packaging. The other three are non-invasive attacks. The attacked card is not physically harmed during these attacks, and the equipment used in the attack can usually be disguised as a normal smartcard reader.
Non-invasive attacks are particularly dangerous in some applications for two reasons. Firstly, the owner of the compromised card might not notice that the secret keys have been stolen, therefore it is unlikely that the validity of the compromised keys will be revoked before they are abused. Secondly, non-invasive attacks often scale well, as the necessary equipment can usually be reproduced and updated at low cost.
The design of most non-invasive attacks requires detailed knowledge of both the processor and the software. On the other hand, invasive microprobing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products. Attacks therefore often start with invasive reverse engineering, the results of which then help to develop cheaper and faster non-invasive attacks.

2. Non-Invasive attacks

The most widely used non-invasive attacks involve manipulating the supply voltage and the clock signal. Under-voltage and over-voltage attacks can be used to disable the protection circuit or force the processor to perform a wrong operation. For these reasons, some security processors have a voltage detection circuit, but as a rule this circuit does not react to transients. So fast signals of various kinds may reset the protection without destroying the protected information.
Power and clock transients can also be used in some processors to affect the decoding and execution of individual instructions. Every transistor and its connection paths act like an RC element with a characteristic time delay; the maximum usable clock frequency of a processor is determined by the maximum delay among its elements. Similarly, every flip-flop has a characteristic time window (of a few picoseconds) during which it samples its input voltage and changes its output accordingly. This window can be anywhere inside the specified setup cycle of the flip-flop, but is quite fixed for an individual device at a given voltage and temperature. So if we apply a clock glitch (a clock pulse much shorter than normal) or a power glitch (a rapid transient in supply voltage), this will affect only some transistors in the chip. By varying the parameters, the CPU can be made to execute a number of completely different wrong instructions, sometimes including instructions that are not even supported by the microcode. Although we do not know in advance which glitch will cause which wrong instruction in which chip, it can be fairly simple to conduct a systematic search.
Another possible way of attack is current analysis. Using a 10 - 15 ohm resistor in the power supply, we can measure with an analog/digital converter the fluctuations in the current consumed by the card. Preferably, the recording should be made with at least 12-bit resolution, and the sampling frequency should be an integer multiple of the card clock frequency.
Drivers on the address and data bus often consist of up to a dozen parallel inverters per bit, each driving a large capacitive load. They cause a significant power-supply short circuit during any transition. Changing a single bus line from 0 to 1 or vice versa can contribute in the order of 0.5 - 1 mA to the total current at the right time after the clock edge, such that a 12-bit ADC is sufficient to estimate the number of bus bits that change at a time. SRAM write operations often generate the strongest signals. By averaging the current measurements of many repeated identical transactions, we can even identify smaller signals that are not transmitted over the bus. Signals such as carry bit states are of special interest, because many cryptographic key scheduling algorithms use shift operations that single out individual key bits in the carry flag. Even if the status-bit changes cannot be measured directly, they often cause changes in the instruction sequencer or microcode execution, which then cause a clear change in the power consumption.
The various instructions cause different levels of activity in the instruction decoder and arithmetic units and can often be quite clearly distinguished, such that parts of algorithms can be reconstructed. Various units of the processor have their switching transients at different times relative to the clock edges and can be separated in high-frequency measurements.
Another possible threat to secure devices is data remanence. This is the capability of volatile memory to retain information stored in it for some period of time after power is disconnected. Static RAM that has held the same key for a long period of time could reveal it at the next power-on. Another possibility is to 'freeze' the state of the memory cells by applying low temperature to the device. In this case static RAM could retain information for several minutes at -20 °C or even hours at lower temperatures.

3. Invasive attacks

Despite the greater complexity of invasive attacks, some of them can be done without using expensive laboratory equipment. Low-budget attackers are likely to find a cheaper solution on the second-hand market for semiconductor test equipment. With patience and skill it should not be too difficult to assemble all the required tools for under ten thousand US dollars by buying a second-hand microscope and using self-designed micropositioners. The laser is not essential for first results, because vibrations in the probing needle can also be used to break holes into the passivation.
Invasive attacks start with the removal of the chip package. Plastic over the chip could be removed by knife. Epoxy resin around the chip could be removed using fuming nitric acid. Hot fuming nitric acid dissolves the package without affecting the chip. The procedure should preferably be carried out under very dry conditions, as the presence of water could corrode exposed aluminium interconnects. The chip is then washed with acetone in an ultrasonic bath, followed optionally by a short bath in deionized water and isopropanol. After that chip could be glued into a test package and bonded manually. Having enough experience it might be possible to remove epoxy without destroying bonding wires and smartcard contacts.
Once the chip is opened it is possible to perform probing or modifying attacks. The most important tool for invasive attacks is a microprobing workstation. Its major component is a special optical microscope with a working distance of at least 8 mm between the chip surface and the objective lens. On a stable platform around a socket for the test package, we install several micropositioners , which allow us to move a probe arm with submicrometer precision over a chip surface. On this arm, we install a probe needle. These elastic probe hairs allow us to establish electrical contact with on-chip bus lines without damaging them.
On the depackaged chip, the top-layer aluminium interconnect lines are still covered by a passivation layer (usually silicon oxide or nitride), which protects the chip from the environment and ion migration. On top of this, we might also find a polyimide layer that was not entirely removed by HNO3 but which can be dissolved with ethylendiamine. We have to remove the passivation layer before the probes can establish contact. The most convenient depassivation technique is the use of a laser cutter. The UV or green laser is mounted on the camera port of the microscope and fires laser pulses through the microscope onto rectangular areas of the chip with micrometer precision. Carefully dosed laser flashes remove patches of the passivation layer. The resulting hole in the passivation layer can be made so small that only a single bus line is exposed. This prevents accidental contacts with neighboring lines and the hole also stabilizes the position of the probe and makes it less sensitive to vibrations and temperature changes.
It is usually not practical to read the information stored on a security processor directly out of each single memory cell, except for ROM. The stored data has to be accessed via the memory bus where all data is available at a single location. Microprobing is used to observe the entire bus and record the values in memory as they are accessed.
It is difficult to observe all (usually over 20) data and address bus lines at the same time. Various techniques can be used to get around this problem. For instance we can repeat the same transaction many times and use only two to four probes to observe various subsets of the bus lines. As long as the processor performs the same sequence of memory accesses each time, we can combine the recorded bus subset signals into a complete bus trace. Overlapping bus lines in the various recordings help us to synchronize them before they are combined.
In order to read all memory cells without the help of the card software, we have to abuse a CPU component as an address counter to access all memory cells for us. The program counter is already incremented automatically during every instruction cycle and used to read the next address, which makes it perfectly suited to serve us as an address sequence generator. We only have to prevent the processor from executing jump, call, or return instructions, which would disturb the program counter in its normal read sequence. Tiny modifications of the instruction decoder or program counter circuit, which can easily be performed by opening the right metal interconnect with a laser, often have the desired effect.
Another approach to understanding how a particular microcontroller or smartcard works is to reverse engineer it. The first step is to create a map of a new processor. It can be done by using an optical microscope with a CCD camera to produce mosaics, several meters across, of high-resolution photographs of the chip surface. Basic architecture structures, such as data and address bus lines, can be identified quite quickly by studying connectivity patterns and by tracing metal lines that cross clearly visible module boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.). All processing modules are usually connected to the main bus via easily recognizable latches and bus drivers. The attacker obviously has to be well familiar with CMOS VLSI design techniques and microcontroller architectures, but the necessary knowledge is easily available from numerous textbooks.
Photographs of the chip surface show the top metal layer, which is not transparent and therefore obscures the view on many structures below. Unless the oxide layers have been planarized, lower layers can still be recognized through the height variations that they cause in the covering layers. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped off, which could be achieved by submerging the chip for a few seconds in hydrofluoric acid (HF) in an ultrasonic bath. HF quickly dissolves the silicon oxide around the metal tracks and detaches them from the chip surface. HF is an extremely dangerous substance and safety precautions have to be followed carefully when handling it.
Where the implementation is familiar, there are a number of ways to extract information from the chip by targeting specific gates or fuses or by overwriting specific memory locations. Even where this is not possible, memory cells can be attacked; this can also be done on a relatively modest budget.
Most currently available microcontrollers and smartcard processors have feature sizes of 0.5 - 1 µm and only two metal layers. These can be reverse-engineered and observed with the manual and optical techniques described in the previous sections. For future chip generations with more metal layers and features below the wavelength of visible light, more expensive tools additionally might have to be used.
A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun, comparable to a scanning electron microscope (SEM). Gallium ions are accelerated and focused from a liquid metal cathode with 30 kV into a beam of down to 5 - 10 nm diameter, with beam currents ranging from 1 pA to 10 nA. FIBs can image samples from secondary particles similar to a SEM with down to 5 nm resolution. By increasing the beam current, chip material can be removed with the same resolution. Better etch rates can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target. Gas molecules settle down on the chip surface and react with removed material to form a volatile compound that can be pumped away and is not redeposited. Using this gas-assisted etch technique, holes that are up to 12 times deeper than wide can be created at arbitrary angles to get access to deep metal layers without damaging nearby structures. By injecting a platinum-based organometallic gas that is broken down on the chip surface by the ion beam, platinum can be deposited to establish new contacts. With other gas chemistries, even insulators can be deposited to establish surface contacts to deep metal without contacting any covering layers.
Using laser interferometer stages, a FIB operator can navigate blindly on a chip surface with 0.15 µm precision, even if the chip has been planarized and has no recognizable surface structures. Chips can also be polished from the back side down to a thickness of just a few tens of micrometers. Using laser interferometer navigation or infrared laser imaging, it is then possible to locate individual transistors and contact them through the silicon substrate by FIB editing a suitable hole. This rear-access technique has probably not yet been used by pirates, but it is about to become much more commonly available and therefore has to be taken into account by designers of new security chips. FIBs are used by attackers today primarily to simplify manual probing of deep metal and polysilicon lines. A hole is drilled to the signal line of interest and filled with platinum to bring the signal to the surface, where a probing pad or cross several micrometers across is created to allow easy access. Modern FIB workstations (for example the FIB 200xP from FEI) cost less than half a million US$ and are available in over a hundred organizations. Processing time can be rented from numerous companies all over the world for a few hundred dollars per hour.


For more, go here.

Making multiple input by 3 wire Interfacing .

By
Parallel to serial  Interfacing with Micro controller 

Interfacing with 74HC165 with 8051


I am trying to read multiple inputs using a minimum number of microcontroller pins, i.e. three wires.
Using three wires we can interface as many inputs as we wish.


This is a tutorial on the basics of the 74HC165, which is a parallel-to-serial shift register.


   












Only three pins of this IC are connected to the microcontroller.
1) SH/LD (PL) is used to load parallel data into the IC. A low pulse (ground) stores the parallel data present on pins A to H, and a high (5 V) stops the reading of pins A to H.
2) To read the loaded (stored) data into the microcontroller we have to give clock pulses to pin 2 of the 74HC165 (CLK). 8 pulses are applied to read the 8 bits (pins A to H).

3) QH / SO: the serial-out pin is used to get the stored parallel data out serially.

The CLK INH pin must be connected to ground to enable the clock.


To use cascaded 74HC165s to increase the number of inputs, connect the serial output pin (pin 9) of one stage to the serial input of the next stage; see the following circuit.
   




See the code below.





  
  #include  
#include
#include "lcd.h"
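sbit PL = P1^0;      // SH/LD (pin 1) of the 74HC165: low latches the parallel inputs, high lets CLK shift them out.
sbit CLK = P1^1;     // CLK (pin 2) of the 74HC165: each pulse shifts the next bit onto QH.
sbit Beep = P1^2;    // Driven high then low in display(); presumably a buzzer.
sbit data_in = P1^3; // QH / SO (pin 9) serial output of the 74HC165, sampled before each clock pulse.

void clock(void);
// Parameter type matches the definition below (unsigned int); the
// original prototype declared unsigned char, which conflicts with it.
void display(unsigned int value);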

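void main()
{
    /* 16 inputs are scanned (presumably two cascaded 74HC165s); position 1
       is the first bit present on QH right after the load pulse. */
    enum { NUM_INPUTS = 16 };
    unsigned char position;

    lcd_init();
    string(" gElectron");
    while (1)
    {
        /* A low pulse on SH/LD latches the parallel inputs; returning it
           high releases the register so CLK can shift the bits out. */
        PL = 0;
        delay(2);
        PL = 1;

        for (position = 1; position <= NUM_INPUTS; position++)
        {
            /* QH already holds the current bit: sample it first, then
               clock the next bit into place (same order as the original
               comma-expression loop increment). */
            if (data_in == 1)
                display(position);
            clock();
        }
    }
}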

void clock(void)
{
    /* One clock pulse to the 74HC165: raise CLK, hold it for one delay
       unit, then drop it again so the next call produces a fresh edge. */
    CLK = 1;
    delay(1);
    CLK = 0;
}

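void display(unsigned int value)
{
    /* Decimal text of a 16-bit unsigned value needs at most 5 digits plus
       the terminating NUL. The original wrote into `unsigned int a[1]`
       (2 bytes) through sprintf, overrunning the buffer. */
    char text[6];

    Beep = 1;                  /* beep while the LCD is updated */
    lcd_init();                /* re-initialised on every call, as before */
    lcd_cmd(0x01);             /* clear display */
    string("Pressed key ");
    lcd_cmd(0xc0);             /* cursor to the HD44780 line-2 address */
    sprintf(text, "%u", value); /* %u: the argument is unsigned */
    string(text);
    delay(1);
    Beep = 0;
}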

Download the whole file here: github.

Making multiple input by 3 wire Interfacing .

By
Parallel to serial  Interfacing with Micro controller 

Interfacing with 74HC165 with 8051


I am trying to read multiple inputs using a minimum number of microcontroller pins, i.e. three wires.
Using three wires we can interface as many inputs as we wish.


This is a tutorial on the basics of the 74HC165, which is a parallel-to-serial shift register.


   












Only three pins of this IC are connected to the microcontroller.
1) SH/LD (PL) is used to load parallel data into the IC. A low pulse (ground) stores the parallel data present on pins A to H, and a high (5 V) stops the reading of pins A to H.
2) To read the loaded (stored) data into the microcontroller we have to give clock pulses to pin 2 of the 74HC165 (CLK). 8 pulses are applied to read the 8 bits (pins A to H).

3) QH / SO: the serial-out pin is used to get the stored parallel data out serially.

The CLK INH pin must be connected to ground to enable the clock.


To use cascaded 74HC165s to increase the number of inputs, connect the serial output pin (pin 9) of one stage to the serial input of the next stage; see the following circuit.
   




See the code below.





  
  #include  
#include
#include "lcd.h"  
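sbit PL  = P1^0;   // SH/LD (pin 1) of the 74HC165: low latches the parallel inputs, high lets CLK shift them out.
sbit CLK = P1^1;   // CLK (pin 2) of the 74HC165: each pulse shifts the next bit onto QH.
sbit Beep  = P1^2;   // Driven high then low in display(); presumably a buzzer.
sbit data_in  = P1^3; // QH / SO (pin 9) serial output of the 74HC165, sampled before each clock pulse.

  void clock(void);
  // Parameter type matches the definition below (unsigned int); the
  // original prototype declared unsigned char, which conflicts with it.
  void display(unsigned int value);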
     
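void main()
{
    /* 16 inputs are scanned (presumably two cascaded 74HC165s); position 1
       is the first bit present on QH right after the load pulse. */
    enum { NUM_INPUTS = 16 };
    unsigned char position;

    lcd_init();
    string("   gElectron");
    while (1)
    {
        /* A low pulse on SH/LD latches the parallel inputs; returning it
           high releases the register so CLK can shift the bits out. */
        PL = 0;
        delay(2);
        PL = 1;

        for (position = 1; position <= NUM_INPUTS; position++)
        {
            /* QH already holds the current bit: sample it first, then
               clock the next bit into place (same order as the original
               comma-expression loop increment). */
            if (data_in == 1)
                display(position);
            clock();
        }
    }
}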

 void clock(void)
 {
     /* One clock pulse to the 74HC165: raise CLK, hold it for one delay
        unit, then drop it again so the next call produces a fresh edge. */
     CLK = 1;
     delay(1);
     CLK = 0;
 }

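void display(unsigned int value)
{
    /* Decimal text of a 16-bit unsigned value needs at most 5 digits plus
       the terminating NUL. The original wrote into `unsigned int a[1]`
       (2 bytes) through sprintf, overrunning the buffer. */
    char text[6];

    Beep = 1;                  /* beep while the LCD is updated */
    lcd_init();                /* re-initialised on every call, as before */
    lcd_cmd(0x01);             /* clear display */
    string("Pressed key ");
    lcd_cmd(0xc0);             /* cursor to the HD44780 line-2 address */
    sprintf(text, "%u", value); /* %u: the argument is unsigned */
    string(text);
    delay(1);
    Beep = 0;
}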


Download the whole file here: github.

Development of a DSP-Controlled On-Line UPS

By
    

This research has developed DSP-based digital control techniques for high-performance single-phase on-line UPS systems. A transformerless common-neutral half-bridge AC-DC-AC converter has been adopted for the main power circuit.  All the control functions for an on-line UPS, which includes power-on start-up control, input stage power factor control, battery charging and boosting control, output stage ac voltage regulation, and shut-down control, were realized by using a single-chip DSP controller, the TMS320F2407A. A multiple rate digital controller generates all the PWM control signals for the power stage by using a set of synchronously detected feedback signals. Software current control scheme with nonlinear pulsewidth compensation has been developed to eliminate the nonlinearity caused by the dead-lock protected PWM converters. A nonlinear digital control scheme with lower switching frequency has been developed for the power factor control of the ac-dc converter. Computer simulation and experimental results have been given to verify the proposed digital control scheme. The constructed DSP-controlled UPS system can achieve fast dynamic response for nonlinear loads and high power factor under various loading conditions. The developed UPS digital control techniques have been applied to a commercialized single-phase 2 kVA double conversion UPS. Excellent performance measurements have been achieved in the designed DSP-controlled UPS. 

        Implementation of a fully digital-controlled UPS provides many advantages, such as more sophisticated control functions can be employed in a UPS system, a software-controlled UPS can be more flexible, advanced robust control schemes can be implemented to accommodate stringent and versatile application requirements. Many research works have been carried out on the closed-loop regulation of PWM inverters using various feedback control schemes to achieve both good dynamic response and low harmonic distortion. Microprocessor-based deadbeat control technique has been applied to the closed-loop regulation of PWM inverters. Deadbeat control has been developed for the voltage regulation of the PWM inverter by employing a minor current loop and a major voltage loop. However, deadbeat control scheme has the disadvantages of highly sensitive to parameter and load variations and requiring large peak-to-average ratio of control signals to achieve deadbeat effect.




With the great advances in microelectronics and VLSI technology, high-performance microprocessor and digital signal processors (DSPs) can be effectively used to realize advanced control schemes [7]. Most instructions of a DSP can be accomplished within one instruction cycle and complicated control algorithms can be executed with fast speed, therefore, more control functions can be realized by using software. Attempts have been made to realize a fully DSP-controlled UPS [8]-[9]. However, only limited functions have been realized using software. In this paper, a single-chip DSP controller, the TMS320F240 from Texas Instruments, has been used to realize all the control functions required in an on-line UPS system. 
        With the availability of 16/32-bit high-performance single-chip DSP, as shown in Fig. 1.3, most of its instructions can be accomplished within one instruction cycle, complicated control algorithms can be realized efficiently. This paper describes the design and implementation of a DSP-embedded fully digital-controlled single-phase on-line uninterruptible power supply (UPS) system. All the control functions for an on-line UPS, which includes power-on start-up control, input stage power factor control, dc-link voltage regulation, battery charging and voltage boosting control, output stage ac voltage regulation, and shut-down control, were realized by using a single-chip DSP controller. 
2. Power Circuit Design
        The selection or development of a circuit topology for a single-phase double-conversion UPS plays a most important role in the design of a high-performance UPS. This is because the choice of circuit topology is strongly tied to the overall efficiency, cost, safety regulations, and possible patent conflicts.
 2.1 Half-Bridge Common-Neutral AC-DC-AC Converter
        Single-ended, half-bridge, or full-bridge PFC converters are all boost converters, from the point-of-view of control loop design they have the same dynamics. The only difference is the effective voltage applied to the inductor due to a specified PWM duty. From the point-of-view of power circuit design, these three PFC converters have the same utilization factor, which result the processing power ratings are proportional to their number of switches. The half-bridge PFC converter has advantages of common-neutral in UPS applications and a minimal number of power switches is required. However, it also has disadvantages of higher voltage stress and need fast response balance control of the totem-pole capacitor bank. Fig. 2.2 shows the detailed schematics of the power circuit of the common-neutral ac-dc-ac converter and Fig. 2.3 is an illustrated circuit topology for functional description and component rating calculations.  

Figure 2.3  Common-neutral half-bridge ac-dc-ac converter.
Figure 2.2  Schematics of the Common-neutral half-bridge ac-dc-ac converter.
 The inherent bi-directional characteristics of a common-neutral ac-dc-ac converter can be illustrated as shown in Fig. 2.4. The load connected to the UPS output may be inductive, capacitive, or even nonlinear with reactive characteristics; therefore, in order to obtain a unity-power-factor input as well as keep a good dynamic response under step load changes, the dc-link capacitor should provide sufficient energy storage to sustain a half-cycle voltage fluctuation.

 2.2 PFC Converter 
        Single-ended, half-bridge, or full-bridge PFC converters are all boost converters, from the point-of-view of control loop design they have the same dynamics. The only difference is the effective voltage applied to the inductor due to a specified PWM duty. From the point-of-view of power circuit design, these three PFC converters have the same utilization factor, which result the processing power ratings are proportional to their number of switches. The half-bridge PFC converter has advantages of common-neutral in UPS applications and a minimal number of power switches is required. However, it also has disadvantages of higher voltage stress and need fast response balance control of the totem-pole capacitor bank.   
3. Control Loop Design
        There are many control functions required in a smart UPS system, These may include system monitoring, diagnosis, protection, interface control, and real-time control. The real-time control function plays an important role for the improvement of the UPS control performance. The control functions of a UPS system can be classified four major parts according to their control purposes. These include: front-end power factor correction control, PWM inverter control for sinusoidal output voltage regulation, the dc-dc boost control for dc-link voltage regulation, and the battery charging control. These control functions are described as follows. 
3.1 Power Factor Control 
        Regulations on line current harmonics have made power factor control a basic requirement for power electronic equipment [14]. The main purpose of the PFC converter is to shape the input current to be linear proportional to its input voltage so that it behaves as a resistor. Another purpose of the PFC converter is to regulate its output dc voltage under line and load variations. 
        Conventional PFC control schemes focus on the shaping of the line current in proportional to the voltage and therefore, a current loop controller with wide bandwidth is required. However, in order to minimize the current distortion resulted from the dc-link voltage regulation, a low-pass filter is required to smooth the double line frequency ripples in the dc-link voltage. This results a slow response of the UPS front-stage power converter. The slow response of the PFC converter will result a large voltage drop under a step load change and further deteriorate the UPS output waveform. 
        In order to improve the dynamic response of the PFC boost converter, various feedback control schemes have been analyzed in [15]. Analog notch filter to eliminate measured output voltage ripples can achieve a better dynamic response compared with other approaches. Development of fast response control schemes for the PFC boost converter has become a technical pursuing goal in recent years [16]-[19]. These control techniques break the bandwidth barrier of double line frequency by using sophisticated control techniques in elimination the influences of output voltage ripples. All these control schemes are applied to the PFC boost converter and using analog controller or analog current-loop controller with microprocessor-based voltage-loop controller.
        One major design challenge in synthesizing a digital PFC controller is that we must make a compromise between the line current distortion and a fast response of the dc-link voltage regulation. Fig. 3.1 shows the control structure of a single-phase PFC converter and Fig. 3.2 is the detailed control block diagram. The PFC controller consists of three sub-controllers: an inner current loop controller, an outer voltage loop controller, and an adaptive ripple estimator.
    The inner current loop controller is required to regulate the line current with a high sampling rate, usually from 10 to 20 kHz. The outer voltage loop controller is used to regulate the dc-link voltage and at the same time to generate a current reference for the current loop. A lower sampling rate from 1 to 2 kHz is an appropriate choice for the voltage loop. The adaptive voltage ripple estimator is used to generate a compensated signal to cancel the line ripple voltage occurred in the dc-link. 
                    Figure 3.1  Control structure of a single-phase PFC converter.
Figure 3.2  Detailed control block diagram of a digital-controlled half-bridge PFC converter.
3.2 PWM Inverter Control 
        The control loop design of the PWM inverter for ac voltage regulation is the most difficult part of synthesizing the digital controller for the UPS. This is because the inverter should provide good-quality ac voltage, meaning low voltage THD, for various kinds of loads. The control architecture of the PWM inverter for ac voltage regulation is shown in Fig. 3.3. It includes four control loops.
  1. Balancing Control Loop (fs=60 Hz): This loop is used to compensate dc-offset due to nonlinear distortion such as unbalanced turn-on and turn-off time, unbalance of the upper and lower common-neutral dc-link voltages, and possible dc-offsets of the feedback sensing circuits. 
  2. RMS Control Loop (fs=60 Hz): This loop is used to compensate RMS voltage errors due to limited voltage loop bandwidth and output voltage THD distortion when connected with nonlinear loads. 
  3. Voltage Control Loop (fs=6 kHz): This loop is used to compensate the instantaneous output voltage to track a sinusoidal 60 Hz reference. The desired closed-loop bandwidth (600 Hz) should be at least ten times of the reference frequency (60 Hz). A 10 times of sampling frequency to BW ratio means the voltage loop sampling frequency should be 6 kHz. 
  4. Current Control Loop (fs=24 kHz): The current loop plays a most important role in the control of a PWM inverter for ac voltage regulation. This loop can decouple the inductor from the LC filter dynamics and eliminate nonlinear distortion due to dead-time of the PWM inverter. 
  Figure 3.3  Control architecture of the PWM inverter for ac voltage regulation.
  The current loop controller can decouple the nonlinear dynamics caused by the load. The dynamics of the UPS inverter output filter with its connected load exhibit large load variations. Fig. 3.4 shows the frequency responses of the inverter with resistive load (10% ~ 100% load). It can be observed that the frequency response exhibits highly resonant characteristics at the resonant frequency of the output filter under light load. In order to achieve good dynamic response and maintain good stability under large nonlinear load variations, an adaptive variable structure control scheme, as shown in Fig. 3.5, has been developed for the PWM inverter for robust ac voltage regulation. 

  Figure 3.5  Block diagram of the digital adaptive variable structure control scheme for AC voltage regulation.
  3.3 DC-DC Booster Control 
            The booster in a UPS system is used to convert the battery output voltage to a much higher dc-link voltage. The battery booster in the designed UPS system is a common-neutral current-fed flyback converter with a coupled transformer. The PI control scheme has been applied for the inner current loop control of the boost converter. Because the booster output is connected to the dc-link and is activated when the utility fails, its dynamic response is an important performance index. The current-fed flyback converter is current regulated by an inner-loop analog PWM controller and voltage regulated by an outer voltage loop controller using PI control with dc-link voltage feedforward compensation. 
    3.4 Battery Charger Control 
            The battery charger in the designed UPS system is symmetric common-neutral flyback converter. A proportional controller is used for the current regulation and a simple PI controller is used for the voltage regulation. Constant current with battery voltage profile control is adopted as the battery charging scheme. The charging profile is stored in the EEPROM of the UPS controller and can be reloaded when a new set of battery are installed. The software control approach provides great flexibility in implementing various intelligent battery charging and discharging control schemes. 
    3.5 Line Frequency Synchronization Control 
            For a double-conversion UPS, its output voltage must always be synchronized with the line voltage. This requirement exists because, in case of UPS failure or a manual switch to maintenance mode, the UPS output must be transferred to the line input, and synchronization ensures a smooth voltage transfer. If the line frequency is within the specified output frequency range (±3%), the output voltage should synchronize with the input voltage with zero phase error. However, if the line frequency deviation is larger than ±3% for a specified time interval (such as 10 cycles), the frequency of the UPS output voltage will converge to the standard output frequency (such as 60 Hz) with a frequency slew rate of 0.1 Hz/cycle. If the line frequency returns to the specified range, the UPS output should again synchronize with the line frequency at the same slew rate. In all cases, the input current should synchronize with the line voltage and provide proportional current control for input power factor correction.  
    4. UPS Realization 

      Realization of a practical UPS system involves a lot of sophisticated engineering works. In this research we focused on the realization issues of the digital control of the UPS system using a single-chip DSP controller - the TMS320F2407A. 
    4.1 Hardware Architecture  
      Fig. 4.1 shows the UPS hardware architecture and the control interface. The UPS consists of two major parts: the power conversion unit and the control unit. In order to unify the control interface for various power converters we have defined a power interface bus, the P-bus, as the control interface between the power converter and the DSP-based control unit. We call the DSP-based UPS controller the UPS control engine. Fig. 4.2 shows the pin definition of the UPS control engine.  
    Figure 4.1  UPS hardware architecture and control interface.
  4.2 Selection of the Control Processor
       The TMS320Lx240xA series of devices are members of the TMS320 family of digital signal processors (DSPs) designed to meet a wide range of digital motor control (DMC) and other embedded control applications. This series is based on the C2xLP 16-bit, fixed-point, low-power DSP CPU, and is complemented with a wide range of on-chip peripherals and on-chip ROM or flash program memory, plus on-chip dual-access RAM (DARAM). A single-chip DSP controller, the TMS320F2407A, as shown in Fig. 4.3, has been adopted as the control core for the UPS engine. The TMS320F2407A has 32k words on-chip flash memory for program codes. This feature allows program update and flexibility for performance enhancement. 
  Features: 
    • Sectored Flash for field re-programmability and simplified design 
    • Code compatible platform provides easy migration path 
    • CAN module enables inter-system communication 
    • Up to 16 PWM outputs allow multi-motor/axis control 
    • 6.6us to 500-ns A/D converter enhances system accuracy 
    • 33 to 50nS instruction cycle (30 or 20 MIPS) for processing complex control algorithms 
    • RAM for high-level programming language and high-order system modeling 
    • Fast Serial communication Ports 
                      Fast Interrupts Control unit

Figure 4.3  Block diagram and features of a 40 MIPS single-chip DSP controller - TMS320F2407A.
4.3 Development of the UPS Control Engine
        The TMS320F2407A running at 40 MHz with a single 3.3V supply voltage, this makes it a challenge in hardware design for electromagnetic interference reduction. Special design considerations must be carried out in the design of the PCBs for the power and control circuits for EMI control. Fig. 4.4 shows the picture of the designed DSP control card for 2U rack-mount UPS systems. This single-board DSP controller is designed to meet high-performance requirement for power electronic systems. 
Special Features: 
  • Control Processor: TMS320F2407A 40 MHz
  • External RAM: 32k Words
  • 8 channels 12-bits D/A conversion 
  • 16 channels 10-bits A/D conversion 
  • 16 channels for programmed PWM generation 
  • SPI (Serial Peripheral Interface) for multiple-DSP controller 
  • On-board RS-232 and USB interface 
  • FPGA for programmed PWM generation 
Figure 4.4  The DSP-based UPS control engine.
4.4 Development of the Power Board 
        Realization of the power board of an on-line UPS system includes a lot of accumulated experienced engineering works, such as  on the components selection, design options for application models, power circuit PCB layout for EMI reduction, and safety requirements, etc.
4.5 System Integration 
        Fig. 4.5 shows the DSP-controlled UPS under development. The developed DSP control techniques have been realized in a commercialized 2 kVA UPS to show the feasibility of employing modern digital control techniques using an advanced digital signal processor. A systematic top-down design procedure has been developed for the design of a series of high-performance, cost-effective UPS systems for rack-mount server applications.   
4.6 Real-Time Control Firmware Design  
        The control of a power processing system is essentially a real-time control problem. Many real-time control tasks can only be tested after the complete hardware has been constructed. It is time consuming for inexperienced engineers to develop the control, communication, and interface software for a commercialized UPS system. Fig. 4.7 shows the system software architecture of an on-line UPS. The control software is classified into three categories: real-time interrupt-driven control routines, periodic background sequential control routines, and aperiodic background interface control routines. Fig. 4.8 illustrates the operating mode and interrupt mechanism of the DSP-based UPS controller, and Fig. 4.9 shows the main flow chart of the system software. The interrupt-driven mechanism is activated by a real-time timer. An innovative asynchronous control scheme has been developed for the digital current loop control to achieve both good dynamic response and low electro-magnetic interference (EMI) with a low PWM switching frequency.  
6. Conclusions 
  This research has completed the design and implementation of a DSP-embedded fully digital-controlled single-phase on-line uninterruptible power supply (UPS) system. The applications of high-performance DSP in complicated power electronic systems will find great potential in synthesis of sophisticated control algorithms and PWM switching schemes. This paper has applied a single-chip DSP controller, the TMS320F2407A, in realizing all the required control functions for a single-phase on-line UPS. Experimental results show the designed 2 kVA UPS can reach very good dynamic responses both in utility interface and output voltage regulation.
    Some practical important research issues include: 
  • Detection scheme of the PWM switching current under large switching noise condition  
  • Sophisticated control functions for ac voltage regulation with low THD and low switching frequency
  • Auto-tuning of the control parameters for optimal performance 
  • Fast dynamic response of the PFC converter with good power factor 
  • Good voltage regulation with nonlinear unbalanced load 
  • Achieve AC mode efficiency beyond 92% 
  • Reduction of EMI filters by using randomized PWM techniques in PFC converter 
  • Optimization of the major power device parameters 
For more details and credits, go here.
