Today, many electronic apparatuses such as information apparatuses and household appliances use central processing units (hereinafter referred to as CPUs) as the central units of their control systems, and to control an electronic apparatus with a CPU, a program for operating the CPU is indispensable. Depending on the kind of CPU, the program can be stored inside the CPU itself, but in most cases, for reasons of development efficiency, production efficiency and maintenance of the electronic apparatus, a read only memory (hereinafter referred to as ROM) is provided externally to the CPU and the program is stored in the ROM.
Data such as cryptographic keys (including a decryption key), customer identifiers or the like may also be stored in the ROM.
The ROM is a nonvolatile storage device, and a ROM of the type that allows stored information to be altered only by electrical signals (hereinafter referred to as EEPROM; examples include a flash memory, an electrically erasable and programmable ROM, etc.) is mainly used.
The “nonvolatile storage device” refers to a device that can retain its stored contents even when power is turned off.
Storing data (including the CPU program, codes such as customer identifiers, decryption keys and the like) in the EEPROM offers the advantage of increasing production efficiency and making it possible to alter the data (including the CPU program, etc.) for the maintenance of the electronic apparatus, because the stored data can be easily altered. On the other hand, the disadvantage is that, since the specifications for the EEPROM are made public, a malicious third party could alter the program illegally, causing damage not only to the manufacturer of the electronic apparatus but also to society as a whole.
In particular, if the CPU is a device compliant with the IEEE 1149 standard, there is the possibility that an unauthorized person may connect an external apparatus to the CPU and alter the data stored in the EEPROM by directly controlling the internal logic circuit of the CPU through the external apparatus.
The IEEE 1149 standard is a standard for test circuits of semiconductor devices (including large scale integrated circuits and central processing units). A device (semiconductor device) compliant with the IEEE 1149 standard has five test input/output terminals (Test Access Port) for testing of the device itself or for testing of the circuit block containing the device (mainly to judge the presence or absence of a fault and to locate a faulty part).
To test the device, etc., an external apparatus, for example, is connected to a test input terminal of the device, and a test input signal is applied from the external apparatus to the test input terminal, causing the input signal or a signal obtained by processing the input signal to be outputted from the device's output terminal (an ordinary output terminal or a test output terminal). The presence or absence of a fault and the location of a faulty part can be detected by comparing the output signal with the expected signal.
It is also possible to connect an external apparatus to the test input/output terminals of the IEEE 1149 standard compliant CPU and to write data to the EEPROM by directly controlling the internal logic circuit of the CPU through the external apparatus.
By incorporating the step of writing data to the EEPROM by the above method into the production of an electronic apparatus, the more efficient production of the electronic apparatus can be realized, compared with the conventional method in which data is written to the EEPROM by using a commercially available PROM writer.
This, however, may give rise to illegal alteration of the data; that is, by abusing the above feature, an unauthorized person may connect an external apparatus to the input/output terminals of the IEEE 1149 compliant CPU in the field and alter the data stored in the EEPROM by directly controlling the internal logic circuit of the CPU through the external apparatus.
For example, in satellite broadcasting, etc., unique data may be assigned to each customer, in which case the receiver or like apparatus can store the assigned data in its internal EEPROM.
The unique data includes a customer identifier (including the unique identification code assigned to each customer and the unique identification code assigned to each receiver at the customer), a decryption key, and an identification number.
The CPU pays a monthly viewing fee by using the unique data (for example, the customer identifier) stored in the EEPROM. However, there is the possibility that a criminal act may be committed to evade paying viewing fees, for example, by altering the unique data stored in the EEPROM to someone else's unique data or by altering the program written in the EEPROM (for example, by writing a program therein such that a report is sent to the broadcast center that the viewing time is zero regardless of the actual viewing time).
To prevent such criminal acts, there is a need for means that prevents illegal alteration (rewriting) of the data (including the CPU program, etc.) stored in the EEPROM.
A prior art electronic apparatus equipped with means for preventing data in an EEPROM from being altered illegally will be described with reference to FIG. 6.
The use of the electronic apparatus shown in FIG. 6 is not specifically limited, but the apparatus is applied, for example, to a satellite broadcast receiver, a portable telephone, or the like. FIG. 6 shows only the block relating to writing data to or reading data from the EEPROM.
In FIG. 6, reference numeral 107 designates the CPU which controls the electronic apparatus, 8 designates the EEPROM in which data such as the CPU program, etc. are stored, 101 designates an electrical or optical connector for connecting an external apparatus (not shown) used to rewrite the program, and 102 designates an interface to which signals applied via the connector 101 are inputted. Reference numeral 105 designates a storage device (hereinafter referred to as the password ROM) which holds therein the identification number unique to the electronic apparatus, which is mounted, by solder or the like, in such a manner that it cannot be removed, and in which the stored data cannot be altered. Reference numeral 104 designates a comparing circuit which compares the identification number inputted via the connector 101 and interface 102 with the identification number stored in the password ROM, and outputs a program rewrite permit signal only when they match. Reference numeral 103 designates a gate circuit which controls the passing of the rewrite control signal and program data to the EEPROM 8.
Next, the program rewrite operation will be described. When it becomes necessary to rewrite the program stored in the EEPROM 8, a program rewriting apparatus (external apparatus) is connected to the connector 101. An identification number, a new program, and control instructions necessary for rewriting the EEPROM are stored in the program rewriting apparatus. First, a program rewrite start instruction is inputted from the program rewriting apparatus, whereupon the CPU 107, etc. stop normal operation and the data stored in the EEPROM 8 becomes ready for rewriting.
Next, the comparing circuit 104 compares the identification number inputted via the interface 102 from the program rewriting apparatus with the identification number read out of the password ROM 105. Only when the two identification numbers match perfectly does the comparing circuit 104 output the program rewrite permit signal to the gate circuit 103. In accordance with the program rewrite permit signal, the gate circuit 103 allows the rewrite control signal and program data inputted via the interface 102 to be passed to the EEPROM 8, and the program in the EEPROM 8 is rewritten. When the program rewrite operation is completed, the program rewriting apparatus sends a rewrite completion instruction to the CPU 107 via the interface 102. The CPU 107, based on the instruction, initializes the electronic apparatus, and starts the control of the electronic apparatus in accordance with the new program stored in the EEPROM 8.
In recent years, however, CPUs compliant with the IEEE std 1149.1-1990 Standard Test Access Port and Boundary-Scan Architecture (hereinafter referred to by its commonly known name “JTAG standard”) have come to be used. When the CPU is a JTAG standard compliant device, the prior art prevention system of illegal program alteration cannot provide effective prevention means because the program stored in the EEPROM 8 can be altered via the CPU by directly controlling the internal logic circuit of the CPU from the outside.
A system using a JTAG compliant device for the CPU and the configuration of the JTAG compliant device will be briefly described with reference to FIGS. 7 and 8.
FIG. 8 is a diagram showing the configuration of the JTAG standard compliant device, in which reference numeral 1 designates the JTAG standard compliant CPU (hereinafter referred to as the J-CPU, as distinguished from the conventional CPU), 2 designates an internal logic circuit responsible for the essential operations specific to the device, and 3 designates terminals for normal operation (usually connected to terminals, etc. of other devices). The terminals 7 consisting of TDI (test data input pin), TMS (test mode select pin), TCK (test clock), TDO (test data output pin) and TRST (power-on reset pin) are test terminals, collectively called the Test Access Port (hereinafter referred to as the TAP), that are provided based on the JTAG standard (TRST is optional). The TAP is an interface for connecting an external apparatus to the test circuit.
The JTAG standard compliant device contains JTAG registers 5 including a bypass register, instruction register, etc. (as options, an internal scan register and an ID CODE register may be included), a TAP controller 6 for controlling the JTAG registers 5, and cells 4 as a shift register arranged between each terminal 3 and the internal logic circuit 2.
Each cell 4 selects, as its input, either the output data of the internal logic circuit 2 (including input terminals 3 of the J-CPU 1) or the test data transferred from its adjacent cell 4. The output data of the cell 4 is transferred to the internal logic circuit 2 (including output terminals 3 of the J-CPU 1) or to its adjacent cell 4.
During normal operation (not in a test mode), the input data inputted via the input terminals 3 of the J-CPU 1 are passed through the respective cells 4 and transferred to the internal logic circuit 2 as they are, and the output data of the internal logic circuit 2 are passed through the respective cells 4 and outputted from the output terminals 3 of the J-CPU 1 as they are.
In the test mode, instead of the input data inputted via the input terminals, signals inputted via the TAP 7 can be transferred into the internal logic circuit 2 via the cells 4. Further, instead of the output data of the internal logic circuit 2, signals inputted via the TAP 7 can be outputted from the output terminals 3 via the cells 4.
The TAP controller 6 controls various operations of the entire test circuit in accordance with the input sequence inputted via the TMS pin.
The JTAG standard compliant device allows the signals passing through the respective cells 4 (the input/output signals of the respective terminals 3) to be monitored by the external apparatus connected to the TAP 7, and also allows arbitrary data to be inputted to the internal logic circuit 2.
For example, test input data transmitted from the external apparatus is applied to the TDI terminal and the serial shift register consisting of the plurality of cells 4 is driven in serial fashion (a clock signal is applied to the TCK terminal). In this way, the test input data is transferred to the respective cells 4. Next, the output data of each cell 4 is transferred to the internal logic circuit 2 (including output terminals 3 of the J-CPU 1). In this way, the test input data can be inputted directly to the internal logic circuit 2 (including the output terminals 3 of the J-CPU 1).
Likewise, the output data of the internal logic circuit 2 (including the input terminals 3 of the J-CPU 1) are latched into the respective cells 4 and the serial shift register consisting of the plurality of cells 4 is driven in serial fashion; in this way, the output data can be outputted from the TDO terminal.
That is, by connecting an external apparatus to the J-CPU 1 and controlling a maximum of five signal lines, the internal logic circuit 2 of the J-CPU 1 can be controlled directly from the external apparatus. This offers the advantage of facilitating the testing of the electronic apparatus or a device such as the J-CPU 1.
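The shift-in and shift-out behaviour described above can be followed in a small behavioural model, added here as an illustration and not taken from the patent. It goes beyond the text by spelling out the TAP controller state table defined in IEEE 1149.1, and it assumes that the boundary-scan register is the selected data register; the class name, field names and sample pin values are hypothetical.

```python
# IEEE 1149.1 TAP state table: state -> (next state if TMS=0, next if TMS=1)
TAP = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle": ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan": ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR": ("Shift-DR", "Exit1-DR"),
    "Shift-DR": ("Shift-DR", "Exit1-DR"),
    "Exit1-DR": ("Pause-DR", "Update-DR"),
    "Pause-DR": ("Pause-DR", "Exit2-DR"),
    "Exit2-DR": ("Shift-DR", "Update-DR"),
    "Update-DR": ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan": ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR": ("Shift-IR", "Exit1-IR"),
    "Shift-IR": ("Shift-IR", "Exit1-IR"),
    "Exit1-IR": ("Pause-IR", "Update-IR"),
    "Pause-IR": ("Pause-IR", "Exit2-IR"),
    "Exit2-IR": ("Shift-IR", "Update-IR"),
    "Update-IR": ("Run-Test/Idle", "Select-DR-Scan"),
}

class BoundaryScan:
    """Model of TAP controller 6 plus cells 4 (boundary register assumed selected)."""
    def __init__(self, pin_values):
        self.state = "Test-Logic-Reset"
        self.pins = list(pin_values)          # values at terminals 3 (constructed sample)
        self.cells = [0] * len(self.pins)     # cells 4: index 0 next to TDI, last next to TDO
        self.to_logic = [0] * len(self.pins)  # values driven into internal logic circuit 2

    def clock(self, tms, tdi=0):
        """One TCK cycle; returns the TDO bit while shifting, otherwise None."""
        tdo = None
        if self.state == "Capture-DR":        # latch terminal values into the cells
            self.cells = list(self.pins)
        elif self.state == "Shift-DR":        # move every bit one cell toward TDO
            tdo, self.cells = self.cells[-1], [tdi] + self.cells[:-1]
        self.state = TAP[self.state][tms]
        if self.state == "Update-DR":         # cell contents replace the normal inputs
            self.to_logic = list(self.cells)
        return tdo

    def scan(self, bits):
        """Full data-register scan starting with a reset; returns the bits seen on TDO."""
        for tms in (1, 1, 1, 1, 1, 0, 1, 0, 0):  # reset, idle, then into Shift-DR
            self.clock(tms)
        out = [self.clock(int(i == len(bits) - 1), b) for i, b in enumerate(bits)]
        self.clock(1)                         # Exit1-DR -> Update-DR
        self.clock(0)                         # back to Run-Test/Idle
        return out
```

Scanning four bits into a chain whose terminals hold `[1, 0, 1, 1]` returns the captured terminal values on TDO, last cell first, and leaves the shifted-in bits applied to the internal logic.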
FIG. 7 is a diagram showing the electronic apparatus system using the J-CPU 1; in FIG. 7, reference numeral 9 designates a JTAG connector for connecting the TAP 7 of the J-CPU 1 to an external apparatus, 108 designates a RAM (a readable/writable storage device for storing data, etc. that need to be temporarily stored to operate the electronic apparatus), and 110 designates a signal bus (hereinafter referred to as the bus) connecting the EEPROM 8, RAM 108, etc. to the J-CPU. Besides the EEPROM 8 and RAM 108, a plurality of devices designated by 109 can be connected to the bus 110. An actual circuit contains many other electronic components, but they will not be described here.
Since the internal logic circuit of the J-CPU can be directly controlled from the outside by connecting an external apparatus called a JTAG debugger to the J-CPU, thereby making it possible to access all the devices including the EEPROM where the program and other data are stored, the prior art electronic apparatus using the J-CPU has had the advantage of being able to increase development efficiency and reduce the time required for testing and program writing during the production process.
This, however, has led to the problem that, using a JTAG debugger, a third party could illegally alter the data stored in the EEPROM in the prior art electronic apparatus.
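The gap in the prior-art protection can be checked mechanically by listing every write-capable path from an external connector to the EEPROM 8 and testing whether it crosses the gate circuit 103. The following threat-model sketch is an added example, not part of the original document; merging the blocks of FIG. 6 and FIG. 7 into one graph is an assumption made for illustration, and the function names are hypothetical.

```python
# Write-capable connections between the numbered blocks of FIG. 6 and FIG. 7.
# Combining both figures in one graph is an assumption made for illustration.
WRITE_EDGES = {
    "connector 101": ["interface 102"],
    "interface 102": ["gate circuit 103"],
    "gate circuit 103": ["EEPROM 8"],
    "JTAG connector 9": ["TAP 7"],
    "TAP 7": ["internal logic circuit 2"],
    "internal logic circuit 2": ["bus 110"],
    "bus 110": ["EEPROM 8", "RAM 108"],
}
EXTERNAL_ENTRIES = ["connector 101", "JTAG connector 9"]
# The gate opens only on the permit signal from comparing circuit 104.
GUARDS = {"gate circuit 103"}


def paths_to(asset, node, trail=()):
    """Yield every simple path from `node` to `asset` along WRITE_EDGES."""
    trail = trail + (node,)
    if node == asset:
        yield trail
        return
    for nxt in WRITE_EDGES.get(node, []):
        if nxt not in trail:
            yield from paths_to(asset, nxt, trail)


def unguarded_paths(asset):
    """Paths from an external connector to `asset` that cross no guard."""
    return [p for entry in EXTERNAL_ENTRIES
            for p in paths_to(asset, entry)
            if not GUARDS.intersection(p)]


def guard_coverage(asset):
    """Map each external entry to True when all of its paths cross a guard."""
    return {e: all(GUARDS.intersection(p) for p in paths_to(asset, e))
            for e in EXTERNAL_ENTRIES}
```

For the EEPROM 8 the only unguarded path is the one entering at the JTAG connector 9, which is the path the identification-number comparison never sees.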
It is an object of the present invention to achieve a production method that can produce an electronic apparatus efficiently, while making provisions to greatly reduce the risk of the data stored in the EEPROM in the completed electronic apparatus being altered in the field.
It is also an object of the present invention to achieve an electronic apparatus that can be produced efficiently, while making provisions to greatly reduce the risk of the data stored in the EEPROM being altered in the field.