We couldn’t help but notice that there is a lot of speculation and
discussion (and frankly, a few wild guesses) concerning the functions of
the Apple’s new lightning connectors. We don’t normally give (a total
of five blogs!) this much attention to a single electronics teardown,
but since we haven’t seen it elsewhere yet, we figured the world needed
“just one more thing” on the Apple iPhone 5. We have confirmed that the
Lightning cable does have four chips embedded in it, plus some passive
devices. Two of these chips are very simple (only a couple of
transistors), and the third is an NXP NX20P3. However, the fourth and
arguably most interesting of these is the TI chip.
The above images show the location of the TI chip on the lightning connector. Once we stripped away the cable housing (easier said than done), and took the die out of the package, we found die markings of “BQ2025”. (See our die photo below). This part number is not published by TI.
However, TI does have published datasheets on the BQ2022, BQ2023, BQ2024, and BQ2026. These four chips are cataloged on TI’s website as battery fuel gauges, but they are not identical, with three of them being serial EPROMs and one of them being a battery monitor IC.
However, all four do have some common characteristics. All use a single wire SDQ interface (TI’s proprietary serial communications protocol), and all have some basic security features such as CRC generation. So, it is certainly likely that the BQ2025 does have some security implemented on it. It would also seem likely that it includes an SDQ interface.
We continued our lab work on the BQ2025 and now have a lower metal sample to view (and purchase in the Chipworks store). On this sample, we have been able to see some further details of this chip. There is a digital logic block occupying the top left portion of the chip. This block includes about 5K gates of logic. Also on the chip is the EPROM, with likely 64 or 128 bits of storage (visual inspection only, full RE not completed). There are also some large driver transistors, quite a bit of analog circuitry, and a fair amount of capacitance. This is certainly all consistent with a serial communication chip including some simple security features.
Part of the magic going on is that the Lightning connector features fewer direct connections than the prior generation connector. This means that Apple needs to apply some intelligence to what wire is sending and receiving the signals because there are fewer connections, but just as much data. Additionally, Apple has a number of patents related to authentication and security between devices. This has useful application by allowing “handshake” access to only certain function necessary for the functioning of a peripheral (such as a speaker docking station) without allowing access to the full functionality of the phone. It has additional application in smart battery applications. Both Apple and Texas Instruments (separately) have documented this security technology in a number of related patents (applied and issued) wherein they describe the passing of information from the host through to the accessory. For those interested, here are a few patent numbers, with the last being a TI patent: 20100173973A1, US8200881, US8239605, US8086781, US8161567, US823881, US8245041.
It is actually very interesting that we may have found a chip with (likely) some modest security in this cable. In this case not only related to securing their revenue stream for cables or ensuring reliable and high quality (licensed) peripherals, but in delivering useful product features that are not necessarily in the consumers top of mind. We are planning a full systems analysis on this device to further understand what exactly is going on.
Previously, we have analyzed security devices regarding medical printer media (armbands), printer cartridges, flash drive memory, batteries, and smart cards, but this is the first secure cable we have seen. The security does not come close to the herculean approaches that are used in (for example) today’s printer cartridges, but resembles the level of effort that cartridge manufacturers used to implement in the olden days. In other words, at this time the security is “just enough.” With future generations of Apple and non-Apple products, we may begin to see even stronger security and control if the market forces merit it.
To complete the story, let’s look at the other three chips on the lightning connector board. The NXP NX20P3 includes one huge transistor occupying over 75% of the die area. It also has a fair amount of analog circuitry, as would be consistent with their line of charging devices for peripherals – from our last trip to the Applied Power Electronics Conference (APEC) we know that this is a market that NXP is very strong in. The last two dies appear to be simple power transistors.Good design wins again for TI and NXP!
Source: Chipworks
The above images show the location of the TI chip on the lightning connector. Once we stripped away the cable housing (easier said than done), and took the die out of the package, we found die markings of “BQ2025”. (See our die photo below). This part number is not published by TI.
However, TI does have published datasheets on the BQ2022, BQ2023, BQ2024, and BQ2026. These four chips are cataloged on TI’s website as battery fuel gauges, but they are not identical, with three of them being serial EPROMs and one of them being a battery monitor IC.
However, all four do have some common characteristics. All use a single wire SDQ interface (TI’s proprietary serial communications protocol), and all have some basic security features such as CRC generation. So, it is certainly likely that the BQ2025 does have some security implemented on it. It would also seem likely that it includes an SDQ interface.
We continued our lab work on the BQ2025 and now have a lower metal sample to view (and purchase in the Chipworks store). On this sample, we have been able to see some further details of this chip. There is a digital logic block occupying the top left portion of the chip. This block includes about 5K gates of logic. Also on the chip is the EPROM, with likely 64 or 128 bits of storage (visual inspection only, full RE not completed). There are also some large driver transistors, quite a bit of analog circuitry, and a fair amount of capacitance. This is certainly all consistent with a serial communication chip including some simple security features.
Part of the magic going on is that the Lightning connector features fewer direct connections than the prior generation connector. This means that Apple needs to apply some intelligence to what wire is sending and receiving the signals because there are fewer connections, but just as much data. Additionally, Apple has a number of patents related to authentication and security between devices. This has useful application by allowing “handshake” access to only certain function necessary for the functioning of a peripheral (such as a speaker docking station) without allowing access to the full functionality of the phone. It has additional application in smart battery applications. Both Apple and Texas Instruments (separately) have documented this security technology in a number of related patents (applied and issued) wherein they describe the passing of information from the host through to the accessory. For those interested, here are a few patent numbers, with the last being a TI patent: 20100173973A1, US8200881, US8239605, US8086781, US8161567, US823881, US8245041.
It is actually very interesting that we may have found a chip with (likely) some modest security in this cable. In this case not only related to securing their revenue stream for cables or ensuring reliable and high quality (licensed) peripherals, but in delivering useful product features that are not necessarily in the consumers top of mind. We are planning a full systems analysis on this device to further understand what exactly is going on.
Previously, we have analyzed security devices regarding medical printer media (armbands), printer cartridges, flash drive memory, batteries, and smart cards, but this is the first secure cable we have seen. The security does not come close to the herculean approaches that are used in (for example) today’s printer cartridges, but resembles the level of effort that cartridge manufacturers used to implement in the olden days. In other words, at this time the security is “just enough.” With future generations of Apple and non-Apple products, we may begin to see even stronger security and control if the market forces merit it.
To complete the story, let’s look at the other three chips on the lightning connector board. The NXP NX20P3 includes one huge transistor occupying over 75% of the die area. It also has a fair amount of analog circuitry, as would be consistent with their line of charging devices for peripherals – from our last trip to the Applied Power Electronics Conference (APEC) we know that this is a market that NXP is very strong in. The last two dies appear to be simple power transistors.Good design wins again for TI and NXP!
Source: Chipworks
No comments:
Post a Comment