INTRODUCTION

Hardware implementation of a SD card prototype with an hidden memory partition

This project focuses on the realization of a SD card prototype whose main property is the fact that it has an integrated memory partition accessible by the user thanks to a unique enabling device which allows the access to that zone in an exclusive manner. This means that only the user endowed with the enabling device is able to perform reading/writing operations on that special partition. To realize a higher security level, the hidden partition is disabled by the card every time the hosting device powers itself off. Therefore, the user must extract the SD card from the hosting device and insert it into the enabling device to gain access to the hidden partition once again. Once the partition has been enabled, the card can be inserted into the hosting device. This prototype has been realized in VHDL language to implement it on a FPGA.
This website has the following structure:

  • STRUCTURE : In this section, the general project structure is presented along with the implemented hardware schemes and the finite state machines which allow the device to properly work.
  • CODE : In this section, the most important VHDL code parts are presented.
  • SIMULATION : In this section, the obtained simulation are presentend in order to verify the correct behaviour of the device.

alternative

Hidden partition visible only if enabled

The hidden memory partition is accessible only after its abilitation.

Power-off security

Everytime the card is switched off, the hidden partition is disabled. This brings the card back to its normal behaviour, where only the unrestricted zone is visible.

Protection against external users

The enabling device is unique. This allows the hidden partition to be enabled only by the users endowed with the enabling device.

STRUCTURE

Project structure analysis

This project is composed by a main entity which realizes the SD card prototype. This entity includes an interface and a memory zone.

alternative

Secure Digital (SD)

The main parts of an SD card are briefly introduced to provide a far-eye idea of the project.

alternative

Interface and memory

Explanation of the system interface to the hosting device and memory design flow.

alternative

Enabling device

Implementation of an enabling device to activate the hidden memory usage.

Secure Digital (SD)

alternative

Secure Digital (SD) is a non-volatile memory card standard introduced by SD Association (SDA), whose aim is to memorize in a digital format a big amount of information using flash memories. This standard has been introduced in August 1999 with a collaboration between Sandisk, Panasonic and Toshiba with the idea of improving the previous MultiMediaCard (MMC) memories.
In this project, the prototype consists on two main blocks:

  1. Interface: it is referred to the SD card component which rules the speech between the memory section and the hosting device of the card.
  2. Memory: it is the memory block in which read and write actions are made.

The following image represents the implemented SD Card block diagram. The structure is composed by the two highlighted main blocks.

alternative

SD cards are tipically endowed with flash memories which are non-volatile solid-state memories characterized by having a high portability and a good data storage capacity. In this prototype, a 256x32 bit RAM has been realized and the memory persistency is garanteed by backing up into text files the memory information at each writing operation. This choice has been made to simplify the project because the FPGA on board flash memory uses the SPI protocol which is tricky to realize in VHDL. Morover, every flash memory cell has an upper limit on writing operation after which the cell is not usable anymore. To avoid the fact that some code mistakes could damage those cells, a separate memory area has been created. The memory content is saved on the text files following the address order and at each card boot the file content is uploaded to the simulated RAM in order to restore the last memory state. The hidden memory region is indexed by setting not to 0 the two most significant bits of the memory address. When the hidden region is not enabled, those two bits are forced to 0 in order to avoid their indexing by the master.

Interface and memory

alternative

The interface is a component which manages the master output signals (SD card input signals) to adapt them to the memory input signals. It is composed by six signals which interface with the external world and other six signals which connect it to the memory component.

The prototype card pin layout is composed by the following listed signals. They are all of std_logic type and thus 1-bit long signals. The following list does not include the power pins, which are shown in the picture below.


  • clk_in : it represents the input clock of the card.
  • enable: if set to high, it enables the input signal elaboration.
  • cmd_in: it allows the master to send the read/write command and the hidden memory enabling command by the enabler device.
  • data: serial bus which contains the data bits which have to be saved due to a write operation or have been read from memory after a read operation. Thus it is a signal that can be used in both directions (inwise and outwise) according to the performed operation.
  • ready: if set to high, it indicates that the performed operation had reached its end.
  • reset: signal that re-boots the card.

The following image shows the chosen position of the different pins in relation with the physical contact structure of a SD adaptor.

alternative

Once the card is inserted into the hosting device (master), some preliminary actions are performed. After that, the card goes into a waiting state and listens for a known command:

alternative

The previous three actions are performed in a cuncurrent manner. In the first one (Flag reading to understand if the hidden area is enabled), the card understands whether its usage in the hidden area is enabled or not by reading a special memory cell in which a single bit is stored. If that bit is high, the hidden memory partition is enabled. That value is copied in a card internal flag for a future usage during a read/write operation. On the other hand, the special memory cell content is set to 0 so that, in case of the card reboot, the hidden memory partition will be disabled. To enable that section again, the user must connect the card to the enabler device and then put it back on the master device.
The second phasee (Signal recieving FSM enable) initiate to an idle state the FSM which understands the input commands given by the master device. In this state, the card waits for the enable signal going up to indicate that an action can start and a new command is given as input.
The third phase understands if the card is connected to an enabler device when it boots up. If that is correct, the enabler device is recognised and the flag representing the hidden partition enable is set to high for a future use.

Memory

The memory zone is divided into two sections: a visible one, which is usable by everyone who wants to use the SD card, and a hidden partition which is accessible only after the SD card has been enabled. The enabling operation can be done by inserting the card into the enabler device. Usually, SD cards are endowed with a non-volatile flash memory to store data. In this project, the afromentioned memory is simulated with a RAM memory composed by 256 words each of them is 32 bit long. The data persistency is realized by saving the whole memory content on a text file after every write operation. A 8-bit long address can be used to address the memory where the two most significant bits could be forced to 0 in case the SD card is not enabled to work in the hidden zone. A general memory structure scheme is provided in the following image:

alternative

Talking about VHDL sythesis, the memory block is endowed with five input signals and two output signals. The address signal is a 8-bit bus whereas data_in is a 32-bit long bus. Once the memory has performed an operation, it sets to high the ready signal in oreder to indicate the end of the operation. In case of a reading operation, the obtained data are put on the data_out signal, which is a 32-bit bus. Insidewise, to simulate data persistency, the whole memory content is stored in a text file at each end of a write operation. That file is used every time the SD is booting up to upload the last state of the memory.

Interface

As mentioned above, the working principle of the interface and thus of the whole system, is based on a finite state machine (FSM) which has to comprehend and translate every command that comes from the master device. According to the operation that the system has to perform, the input commands have to follow a communication protocol which describes how to put information on the card input signals. The chosen protocol realizes a simplified version of the SPI protocol used to interface with a flash memory found on the majority of the non-volatile memory based devices. The working priciple of our protocol needs three signals:

  • enable : it is set to logic high when a new command has to be given.
  • cmd_in: it is used to insert the instruction (read/write) and the memory address in which the operation has to be performed.
  • data: it is used to insert/retrieve data to write/read onto the memory at the specified address.

The signals behaviour in this phase is the following:

alternative

Once enable is high, on cmd_in the communication of the command to execute starts by inserting a bit which tells the system whether it's a write or read operation. After that, the memory address bits are inserted in a serial manner. In case of a write action, after the memory address has been put on the cmd_in signal, the data bits can be inserted serially on data signal.

The address and data that has to be saved on memory bits have to be put as input to the memory block, which means that the interface has to deserialize those bit using a SIPO register. The obtained parallel data stream will be inserted on the address and data_in signals.

If the hidden memory zone access flag is set to 0, the two most significant bits of the memory address in which the specified action has to be performed are set to 0 before giving that memory address as input to the memory block. In this way, the SD card must work only on the free-access zone without letting anyone access to the hidden memory addresses. The user won't notice anything strange because the specified operation will be done in a different address on the clear zone. The following image better explains this principle. In fact, the user wants to perform a write opration followed by a read operation on the same memory address which is contained in the hidden zone. Because the hidden partition has not been enabled yet, that address is changed and the operation is performed on the clear zone. From an outside point of view, the data seems to be stored in the provided address.

alternative

In case of a read action, the output data bits (a 32-bit long string found in the specified address) will be given on data_out signal. To do so, the interface has to serialize the data which comes from memory using a PISO reister and put them on the data signal. The SD card user has indeed to use the data signal both in an input and output way according to the performed action.

All the afromentioned operation can be descibed with the following FSM:

alternative

This FSM is composed by 17 states where the IDLE state is its root. In that state the device is in a waiting period listening for a specified action to do. As soon as the enable signal goes high, the elaboration will start. Every state performs its own precise operations. The first part of the FSM concentrates on the undestanding of the provided command and on the reading of the hidden partition enabling falg. This is made to understand whether the hidden partition has to be visible or not. The following table shows how an operation is understood in function of the signal values:

reg_enable cmd_in (r/w) actions to perform final state
1 1 Write action with enabled hidden zone WRITE_HIDDEN
1 0 Read action with enabled hidden zone READ_HIDDEN
0 1 Write action with NOT enabled hidden zone WRITE_CLEAR
0 0 Read action with NOT enabled hidden zone READ_CLEAR

On the final states, the address in which to perform the indicated action is read. That address is then put on a 8-bit long signal which interfaces itself with the memory block. In case of a write operation the next state will be SET_DATA, in which the 32 bits of the data that has to be written are read and put on a same-lenght bus. At this point, the evolution of the FSM goes to WAIT_FOR_MEMORY_W, where the memory is enabled to perform the writing. The interface block listens on the ready signal from the memory to indicate that the action has been correctly completed. Once that signal goes high, the interface goes back to the IDLE state and waits for another command. On the other hand, in case of a read operation, from the final states, the FSM goes to WAIT_FOR_MEM_R in which it waits for an output from the memory block to be put on the output bus. At this point the execution proceeds on the PISO state. This state serializes the data obtained from memory and put bit by bit on the data pin of the card. As it happend in the write opration, the FSM then goes to the IDLE state.

Enabler device

alternative

The enabler device is important to make the hidden partition visible to the outside world. It's working principle bases on a 10-bit unique sequence which is "1011111101". Once this sequence is recognised by the connected SD card, the hidden partition flag is enabled. Particularly that flag is set to 1. At the following card boot up, the hidden memory partition will be available.

In the following image, the enable block structure is shown. That block is endowed with three outpu signals:



alternative

From the SD side, the sequence is recognised by a FSM: if the sequence is the correct one, the device will be enabled; otherwise the FSM outputs an error and the abilitation process goes wrong. The following image shows the state transactions of the previous FSM:

alternative
CODE

This section contains the VHDL source codes which implements every module of our prototype including also the test bench file for a final simulation of the whole system.

SD.vhd interface.vhd memory.vhd enabler.vhd mux.vhd SIPO.vhd D_FF.vhd signal_generator.vhd Testbench.vhd
SIMUALTION

Simulation of the VHDL prototype

The simulation aims to verify the correct behaviour of the card components and of the whole system. The test-bench architecture is composed by the SD card module which is connected to the enabler device or to a signal generator thanks to a multiplexer. The following block-diagram shows the setup:

alternative

With cmd signal it is possible to decide whether to use the signal generator or the enabler device.

Simulation analysis

The simulation process begins with the signal generator, which performs some write operations in specified addresses. Because the SD card has just been booted up, the hidden partition is not enabled yet. That means that those write operations are performed in the visible area. After those write operations, the simulation goes on with some reading operations on the same address used in the previous phase.

The second simulation phase consists on the connection fo the enabler device to the SD card via the multiplexer in order to enable the hidden partition. After the enabler device has been recognised, the SD card is disconnected from the enabler device and connected again to the signal generator. As a tial, some other reading oprations are performed in the same addresses in which the previous write operations has been done. The obtained data won't be the same as the one obtained by reading on the clear region in case the two most significat bits of the memory addres are not equal to 0.

The following table shows the saved data and associated addresses during the write operations on clear zone:

Address Data
00000000 11111111111111111111111111111111
00001111 10101010101010101010101010101010
11110000 11111111111111110000000000000000
11111111 00000000000000001111111111111111

The following viedo shows the simulation phase of the SD card in which the write/read operations on clear/hidden memory are highlighted.

One can notice that the write operation on the last two addresses gives a different output compared to what has been written during the related phase. This is due to the fact that the write operation is made in the clear memory zone whereas the last read operations are performed in the hidden memory zone. The obtained result on these last read operations will depend on the previous memory content.

Encountered difficulties and future developments

The main difficulty has been encountered during the individualization of the different blocks which compose the SD card system and the understanding of the used protocol which had to be simplyfied trying to keep it as much loyal as the physical interface of a real SD card. Then, during the VHDL coding phase some incompatibilities have been encountered between signals which have then been resolved after a very precise signal transaction analysis.
In a future development, the prototype could be uploaded to ad FPGA in order to evaluate its correct working state. In this case, the SPI protocol has to be implemented to speak with a flash memory zone because the simulated memory persistency is not fully sinthesysable.

CONTACTS

Where we are

University of Udine
Engineering and architecture department

Follow us on social