You are on page 1of 26

Broadcom USH Diagnostics User Guide

Broadcom USH DOS Diagnostics User Guide


Version 1.8

Broadcom Corporation
3151 Zanker Road
San Jose, CA 95134

www.broadcom.com

Page 1 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

Revision History:
Revision

Date

Change Description

1.0

7/26/07

Initial release

1.1

9/12/07

Modified the command strings.


Expanded on CV commands.

1.2

10/19/07

Added use examples, updated CV test numbers

1.3

1/29/08

Updated document.

1.4

2/21/08

Added Error Codes and fingerprint test details

1.5

2/22/08

Added Appendix & adjusted heading format from x.x.x to


x.x.

1.6

4/15/08

Updated Document with new commands and error codes.

1.7

6/16/08

Added ErrorLevel return codes

1.8

6/19/08

Updated CV Commands, section 5.0

Page 2 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

INTRODUCTION

This document describes the usage of the Broadcom DOS USH Diagnostics program (USHDIAG).

The DOS USHDIAG is a single DOS based diagnostic program that provides the necessary host based diagnostics
interface to the USH firmware.

The USH (BCM5880) has two communication interfaces: TPM (via LPC) and CV (via USB). The USHDIAG program
can communicate to the USH firmware via the TPM or CV interface. The program provides a means of extracting
diagnostic information, running diagnostic tests, upgrading firmware and enabling diagnostic debug information,. The
program is command line driven with the arguments specifying the desired diagnostic functions or download operations.

The USHDIAG uses Dells BIOS USB Driver for the USH CV interface.

SYNTAX

The USHDIAG is a Host command line diagnostics program which communicates to the USH firmware. The various
options passed into the program dictates the behavior of the USHDIAG.

The USHDIAG syntax is:


ushdiag [option] [option] <CR>

Each option is preceded by a dash (-), with no space between the dash and the option.
Some options are stand alone, meaning there is no additional data. While other options have data associated
with them. If an option has data associated with it, the data is entered just after the option (e.g.: -offset 10000).
If an invalid option is entered, the help option is displayed, which lists all possible options.
Several options can be selected. The USHDIAG executes each option in a predefined order.

These options are divided into three categories (control commands, TPM commands & CV commands) and are
described below.

The USHDIAG can communicate to the USH firmware either via the TPM or CV interface. By default the USHDIAG
communicates to the USH via the TPM interface. If you wish to communicate to the USH via the CV interface you must
select the CV interface by using the CV Interface option (-u for USB interface).

Page 3 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

CONTROL COMMAND OPTIONS

The USHDIAG provides controls to enable diagnostic debugging. These controls help in the debugging of a particular
issue by providing more information to help identify a particular problem.

This is accomplished with the following commands:

3.1

Help (-h)

This command displays the available commands and their syntax.

3.2

Verbose (-v)

This command generates additional console messages.

3.3

Pause (-p)

If the DOS console messages scroll off the screen, it is not possible to retrieve them. This command pauses the console
output (and execution) when the console screen is full. The console and program remain paused until any key is
pressed on the keyboard.

3.4

Repeat (-rep <num>)

This command repeats the specified diagnostic tests <num> times. The tests are repeated <num> times unless an error
occurs or a key is pressed on the keyboard. If <num> is 0, the tests are repeated forever or until an error occurs or a key
is pressed.

3.5

Log (-l <filename>)

This command directs the console messages to the specified log file.

Page 4 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

3.6

CV Interface (-u)

By default the USHDIAG uses the TPM interface to communicate with the USH. Selecting this option forces the
USHDIAG to use the CV (or USB) interface to communicate with the USH.

Page 5 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

TPM COMMAND OPTIONS

The USHDIAG provides the following TPM functionality via the LPC port:

List TPM devices.


Display the TPM registers.
Run the TPM self-test.
Create and clear the TPM Endorsement Keys.
Transmit TPM vectors to the TPM device.
Upgrade the firmware.

Here is a list of the TPM command options.

4.1

SelfTest (default operation)

The TPM SelfTest runs by default. This option issues a TPM_ORD_SelfTestFull command to the USH firmware.
However, if an option listed below is selected to run, the SelfTest is not executed.

4.2

Memory Address (-m <hexaddr>)

This command specifies the TPM memory address in HEX. By default the address is 0x0CB0. Only use the option if
you know the base address is different and you what you are doing.

4.3

Identify (-id)

This command identifies the installed TPM devices. This command does not activate the TPM SelfTest.

4.4

Display Base ROM Major Version (-mjr)

This command displays the Base ROM-code major version number. This command does not activate the TPM SelfTest.

4.5

Display Base ROM Minor Version (-mnr)

This command displays the Base ROM-code minor version number. This command does not activate the TPM SelfTest.

Page 6 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

4.6

Registers (-reg)

This command displays the TPM device registers. This command does not activate the TPM SelfTest.

4.7

Create EK Pair (-cre)

This command creates a TPM Endorsement Key. This command does not activate the TPM SelfTest.

4.8

Clear EK (-cle)

This command clears a TPM Endorsement Key. This command does not activate the TPM SelfTest.

4.9

Execute Vector (-x <filename>)

This command transmits the TPM commands contained in the specified <filename> Vector File to the TPM. There can
me multiple TPM commands in the Vector File. This command does not activate the TPM SelfTest.

4.10 Upgrade Firmware (-f <filename>)


The command upgrades the USH firmware via TPM. As the firmware is downloaded, it is encrypted and loaded into
SPI flash. This command does not activate the TPM SelfTest.

Page 7 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

CV COMMAND OPTIONS

By default the USHDIAG uses the TPM interface to communicate with the USH. You must use the CV Interface option
(-u) to use the CV (or USB) interface to communicate with the USH.

The USHDIAG communicates to the USH via the CV-APIs through the USB port. The DOS diagnostic program
provides the following CV functionality:

Load SBI.
Load Flash Image.
Upgrade Firmware.
PBA Update.
USH Diagnostic Tests.
Get USH Versions.
Fingerprint Test.
Fingerprint Calibrate.

Here is a list of the CV commands.

5.1

Display CV Version (-mjr or -mnr)

This command displays the CV version number and the USH firmware versions.

5.2

Load SBI (-f <filename>)

This command loads the specified SBI (Secure Boot Image) onto the USH. When the USH receives this image, it is
loaded into RAM and then executed. The SBI is an applet capable of downloading an image into SPI flash. This option
is used when the existing USH SBI is incapable of performing a download. This command uses the
CV_CMD_LOAD_SBI CV-API command to load the specified SBI file.

5.3

Flash Update (-flsh <filename>)

This command loads the specified Flash image onto the SPI flash. The beginning SPI flash offset for the flash image is
determined by the SPI Flash Offset command (-o <offset>). By default the offset is 0. This command uses the
CV_CMD_FLASH_PROGRAMMING CV-API command to load the specified flash file into the SPI flash.

When a USH firmware image is loaded into SPI flash it is not encrypted. On the next power up of the USH, the SBI will
detect the non-encrypted USH image and will then encrypt the image. This process takes approximately 30-40 seconds

Page 8 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

and must not be interrupted (loss of power) or the image will be corrupted. If the image is corrupted, the Flash image
will have to be reloaded and encrypted.

5.4

Firmware Upgrade (-fw <filename>)

This command loads the specified Firmware image onto the SPI flash. There are two different types of Firmware images
that can be loaded using this command: a combination image (combination of SBI and USH images) or just the USH
image. The USH image is encrypted as it is received and loaded into flash. Thus there is no encryption necessary or 3040 second delay on the next power cycle.

The beginning SPI flash offset for the flash image is determined by the SPI Flash Offset command (-o <offset>). When
loading a combined image, the offset must be 0. When loading a USH image, the offset must be 10000. These are the
only two acceptable values for the offset. This command uses the CV_CMD_FLASH_PROGRAMMING CV-API
command to load the SBI image. The command then uses the CV_CMD_FW_UPGRADE_START,
CV_CMD_FW_UPGRADE_UPDATE and CV_CMD_FW_UPGRADE_COMPLETE CV-API commands to load the
USH image.

5.5

SPI Flash Offset (-o <offset>)

This command specifies the SPI flash offset. This command is used in conjunction with the Flash Update (-flsh) and
Firmware Upgrade (-fw) commands to determine where the image is loaded into the SPI Flash. By default the SPI Flash
Offset is 0.

5.6

PBA Update (-pba <filename>)

This command loads the specified PBA (Pre Boot Authorization) image onto a reserved section of SPI flash. This image
is written to the USH and then read back to verify that it was written correctly. This command uses the
CV_CMD_ACCESS_PBA_CODE_FLASH CV-API command to load the PBA image into flash.

5.7

Diag Test (-dt <testmsk>)

This command initiates USH diagnostic tests to determine if the status of the specified interface. This command issues a
CV diagnostic command to the USH. The USH then performs the specified connectivity tests, and responds with an
indication of which tests passed. Below is the bitmask of the defined diagnostic tests.
<testmsk>:
Bit0:

Smart card:
This test triggers a reset followed by an ATR. If a device is detected the test passes and several generic
commands are issued to the smart card.

Bit1:

Fingerprint:

Page 9 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

This test calls the vendor supplied fingerprint test API. The return status of the API is used as the test result.
Refer to Sections 9.0 and 10.0 for more information on the Upek and AuthenTec fingerprint tests.
Bit2:

RFID:
This test calls the HID API to detect if a card is present. If a card is detected the test passes.

Bit3:

USB Host:
This test passes if any USB devices are detected on the host ports.

Bit4:

TPM:
This test reads the TPM DID_VID register. If the register can be read then the TPM is present and the test
passes.

Bit5:

CV
This test uses the CV status to determine if the test passes.

5.8

Diag Test Extensive (-dte <testnum> <rfidparam>)

This command initiates a USH extensive diagnostic test. This command issues a CV diagnostic command to the USH.
The USH then performs the specified test and respond with a detailed status result. The RFID test requires an additional
parameter which specifies the RFID card type. Below are the diagnostic test numbers.
<testnum>:
1:

Smart Card:
This test triggers a reset followed by an ATR. If a device is detected the test passes and several generic
commands are issued to the smart card.

2:

Fingerprint:
This test calls the vendor supplied fingerprint test API. The return status of the API is used as the test result.
Refer to Sections 9.0 and 10.0 for more information on the Upek and AuthenTec fingerprint tests.

3:

RFID <rfidparam>
This test checks to see if it detects the specified card type (14a, 14b or 15). If the specified card is detected the
test passes.

4:

USB Host
This test passes if any USB devices are detected on the host ports. It also returns the number of devices
detected and their corresponding vendor and device IDs.

5:

TPM
This test reads the TPM DID_VID register. If the register can be read then the TPM is present and the test
passes.

6:

CV
This test uses the CV status to determine if the test passes.

7:

Smart Card (Java card):

Page 10 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

This test tests for the presence of a Java Smart Card.

<rfidparam>:
1:

Card Type 14a

2:

Card Type 14b

3:

Card Type 15

4:

Card Type iClass 14b

5:

Card Type iClass 15

6:

Card Type Felica

5.9

Fingerprint Test (-fpt)

This command issues the vendor supplied fingerprint test API. The return status of the API is used as the test result.
This command uses the CV_CMD_FINGERPRINT_TEST CV-API command to issue the test.

5.10 Fingerprint Calibrate (-fpc)


This command issues the vendor supplied fingerprint calibrate API. The return status of the API is used as the test
result. This command uses the CV_CMD_FINGERPRINT_CALIBRATE CV-API command to issue the test.

5.11 Antenna Check (-ac)


This command will determine if an RFID antenna is present.

5.12 Ignore Boot Mode (-ibm)


When the USHDIAG executes, prior to executing the specified CV commands, it checks if the USH CV firmware is
loaded. If the USH CV firmware is not loaded then the USH is executing from SBI. The USHDIAG detects if the USH
is running from the SBI and forces you to download a USH image. The USHDIAG prompts the user for a USH image
filename and a SPI flash offset. The ibm command bypasses this logic and jumps straight to the specified commands.

5.13 Short Verbose (-sv)


This command option will turn on verbose mode only during the USH discover process.

Page 11 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

5.14 Remove Flash Warnings (-rfw)


This command option will suppress the flash update warning messages.

5.15 Reset USH (-rst)


This command option will reset the USH.

5.16 Reset to SBI (-rsts)


This command option will reset the USH and force it to go into the SBI.

5.17 Display CV Status (-stat)


This command option will display selected CV status parameters. It will display the Operating Status, the Version, the
total and remaining volatile memory space, the cv_init status and the enable\disable status of each device.

5.18 Fingerprint Diagnostic Test (-fdt)


This command option will execute a diagnostic test for the Upek fingerprint sensor.

5.19 Fingerprint Manufacturing Test (-fmt)


This command option will execute a manufacturing test for the Upek fingerprint sensor.

5.20 Firmware Upgrade Delay (-dly)


When issuing a firmware upgrade (-fw <filename>) the USH must be in SBI mode. If the USH is not in SBI mode, the
USH will reset the USH to SBI mode. The USH will take approximately 5 seconds to come up into SBI. This dly
command is the time specified to wait for the USH to come back up into SBI. It is the time the ushdiag will wait before
continuing with the firmware upgrade.

5.21 Detect C0 Chip with Customer ID 1 (-c0c1)


This command will detect if the USH Chip is a C0 Chip with a Customer ID 1. If so it will exit with a return code of
USH_C0_CID1.

Page 12 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

5.22 Device Enable (-de <devMask>)


This command will enable the specified devices.
<devMask>:
0:
1:
2:
3:

Smart Card:
Fingerprint:
RFID radio
CV Only Radio

5.23 Device Disable (-dd <devMask>)


This command will disable the specified devices.
<devMask>:
0:
1:
2:
3:

Smart Card:
Fingerprint:
RFID radio
CV Only Radio

5.24 Detect Customer ID (-cid <hexId>)


This command will detect if the USH Chip has the specified Customer ID <hexId>. If so it will exit with a return code
of USH_C0_CID.

5.25 RFID Manufacturing Test (-rmt <test>)


This command will issue the specified RFID Manufacturing Test.
<test>:
0:
5 Second Test
1:
1 Minute Test
2:
3 Minute Test

5.26 Ignore SBI Customer ID Check (-iscc)


When updating the SBI (-flsh <filename> & -o 0), the ushdiag will check that the File Customer ID matches the Chip
Customer ID. If the Customer IDs do not match, the ushdiag will abort and exit with a return code of USH_FW_ERR.
The iscc command will ignore this test and continue with the SBI update.

Page 13 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

CV INTERFACE

When communicating with the USH via CV, the USHDIAG has to interface properly with the CV. This communication
detail is hidden from the user. When communicating with the CV, first a communication session must be opened via
CV_OPEN. Once a session is opened, commands can be issued to CV. When finished communicating with CV, the
session must closed via CV_CLOSE.

The USHDIAG uses the following CV-API commands. Refer to CV-API spec for more detailed information about each
command.

6.1

CV Open

This is used to open a CV session and obtain a CV Handle for subsequent commands. CV command: CV_CMD_OPEN.

6.2

CV Close

This is used to close a CV session. CV command: CV_CMD_CLOSE.

6.3

CV Get Status

This is used to get specified status information. CV command: CV_CMD_GET_STATUS.

6.4

CV Get USH Versions

This is used to get the USH versions. CV command: CV_CMD_USH_VERSIONS.

6.5

CV Load SBI

This is used to load and execute an SBI. CV command: CV_CMD_LOAD_SBI.

6.6

CV Flash Update

This is used to program the flash with the specified data. CV command: CV_CMD_FLASH_PROGRAMMING.

Page 14 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

6.7

CV Firmware Upgrade

This is used to upgrade the USH firmware with the specified image. CV commands:
CV_CMD_FW_UPGRADE_START, CV_CMD_FW_UPGRADE_UPDATE and
CV_CMD_FW_UPGRADE_COMPLETE.

6.8

CV Diag Test

This command is used to test the connectivity for various interfaces. CV command: CV_CMD_DIAG_TEST; subcommand: CV_DIAG_CMD_TEST_GRP

6.9

CV Diag Extensive Test

This command is used to test the connectivity for various interfaces. CV command: CV_CMD_DIAG_TEST; subcommand: CV_DIAG_CMD_TEST_IND.

6.10 CV Fingerprint Test


This command is used to test the fingerprint sensor. CV command: CV_CMD_FINGERPRINT_TEST.

6.11 CV Fingerprint Calibrate


This command is used to calibrate the fingerprint sensor. CV command: CV_CMD_FINGERPRINT_CALIBRATE.

Page 15 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

USE EXAMPLES

Here are some use case examples.

7.1

Downloading a File into Flash via CV

The flsh <filename> command downloads the specified file into the USH SPI flash at the specified offset. The example
illustrates the mechanism for burning a file into flash. The procedure for upgrading the flash image is not covered here.
The procedure may vary depending on which version of software you are currently running. You may need to burn
different files into different locations in flash.

C:\>ushdiag u flsh sbi1018.bin o 0


DOS/4GW Protected Mode Run-time Version 1.97
Copyright Rational Systems, Inc. 1990-1994
USHDIAG v1.1 Copyright 2007 Broadcom Corporation
Log Stamp: Friday October 19, 2007 10:01:46 AM
Writing data to flash (75 packets; '.'=10 packets)
........
Firmware upgrade status: successful
NOTE: After a new USH image is loaded into flash, the next time the USH powers up it will detect a non encrypted
image. The SBI will then encrypt the image and load it back into flash. This process takes 30-40 seconds and must not
be interrupted (reset or turning off power). If the process is interrupted, the flash will be corrupted and the image must
be downloaded again.

7.2

Loading SBI into RAM via CV

The f <filename> command loads the specified file into RAM and then executes it. Once this SBI is loaded, it has the
ability to download a file into flash via the flsh command. This command is used in the case of a USH SBI not being
able to download an image.

C:\>ushdiag u f flashsbi.bin
DOS/4GW Protected Mode Run-time Version 1.97
Copyright Rational Systems, Inc. 1990-1994
USHDIAG v1.1 Copyright 2007 Broadcom Corporation
Log Stamp: Friday October 19, 2007 10:01:46 AM
cv_open() error status: 0x50
5880 in boot strap mode
CV_CMD_LOAD_SBI done, no bulkin
cvif_load_sbi() status (0x0)

Page 16 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

7.3

Running CV Diag Selftests

The dt <test mask> test issues a selftest on the specified interfaces. The command responds with a status of which tests
passed. In this example we are testing all the interfaces: Smart Card, Fingerprint, RFID, USB Host, TPM and CV.

C:\>ushdiag u dt 3f
DOS/4GW Protected Mode Run-time Version 1.97
Copyright Rational Systems, Inc. 1990-1994
USHDIAG v1.1 Copyright 2007 Broadcom Corporation
Log Stamp: Friday October 19, 2007 10:51:49 AM
Group tests initiated: 0x003f (SC, FP, RFID, USBH, TPM, CV)
Group tests that passed: 0x003b (SC, FP, USBH, TPM, CV)
ERROR: Group tests that failed: 0x0004 (RFID)

7.4

Running CV Diag Extensive Selftest

The dte <testnumber> test issues a selftest on the specified interface. The command runs a more extensive test and
responds with a status of the test result. Different tests return different parameters. For example the USB Host returns
the number of devices discovered on the USB Host ports and the corresponding vendor and device IDs.

C:\>ushdiag u dte 6
DOS/4GW Protected Mode Run-time Version 1.97
Copyright Rational Systems, Inc. 1990-1994
USHDIAG v1.1 Copyright 2007 Broadcom Corporation
Log Stamp: Friday October 19, 2007 10:54:52 AM
Individual test (CV) status: 0x20
Individual test (CV) PASSED

7.5

Updating PBA via CV

The pba <filename> command loads the specified file into the SPI flash PBA section. Once the file is written to the
flash, USHDIAG then reads back the data to verify that the flash was updated properly.

C:\>ushdiag u pba pbaimage.bin


DOS/4GW Protected Mode Run-time Version 1.97
Copyright Rational Systems, Inc. 1990-1994
USHDIAG v1.12 Copyright 2007 Broadcom Corporation
Log Stamp: Friday October 19, 2007 10:01:46 AM
Writing pbaimage.bin to PBA
Reading from PBA to temppbafl.bin

Page 17 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

8.1

RETURN CODES

CV General Return Codes

CV_SUCCESS,
CV_SUCCESS_SUBMISSION,
CV_READ_HID_CREDENTIAL = 4,
CV_INVALID_HANDLE = 6,
CV_OBJECT_NOT_VALID,
CV_AUTH_FAIL,
CV_OBJECT_WRITE_REQUIRED,
CV_IN_LOCKOUT,
CV_INVALID_VERSION = 0xC,
CV_PARAM_BLOB_INVALID_LENGTH,
CV_PARAM_BLOB_INVALID,
CV_PARAM_BLOB_AUTH_FAIL,
CV_PARAM_BLOB_DECRYPTION_FAIL,
CV_PARAM_BLOB_ENCRYPTION_FAIL,
CV_PARAM_BLOB_RNG_FAIL,
CV_SECURE_SESSION_SUITE_B_REQUIRED,
CV_SECURE_SESSION_KEY_GENERATION_FAIL,
CV_SECURE_SESSION_KEY_HASH_FAIL,
CV_SECURE_SESSION_KEY_SIGNATURE_FAIL,
CV_VOLATILE_MEMORY_ALLOCATION_FAIL,
CV_SECURE_SESSION_BAD_PARAMETERS,
CV_SECURE_SESSION_SHARED_SECRET_FAIL,
CV_CALLBACK_TIMEOUT,
CV_INVALID_OBJECT_HANDLE,
CV_HOST_STORAGE_REQUEST_TIMEOUT,
CV_HOST_STORAGE_REQUEST_RESULT_INVALID,
CV_OBJ_AUTH_FAIL,
CV_OBJ_DECRYPTION_FAIL,
CV_OBJ_ANTIREPLAY_FAIL,
CV_OBJ_VALIDATION_FAIL,
CV_OBJECT_ATTRIBUTES_INVALID = 0x24,
CV_NO_PERSISTENT_OBJECT_ENTRY_AVAIL,
CV_OBJECT_DIRECTORY_FULL,
CV_NO_VOLATILE_OBJECT_ENTRY_AVAIL,
CV_FLASH_MEMORY_ALLOCATION_FAIL,
CV_ENUMERATION_BUFFER_FULL,
CV_ADMIN_AUTH_NOT_ALLOWED,
CV_ADMIN_AUTH_REQUIRED,
CV_CORRESPONDING_AUTH_NOT_FOUND_IN_OBJECT,
CV_INVALID_AUTH_LIST,
CV_UNSUPPORTED_CRYPT_FUNCTION,
CV_CANCELLED_BY_USER,
CV_POLICY_DISALLOWS_SESSION_AUTH,

// 0x00000000
// 0x00000001
// 0x00000004
// 0x00000006
// 0x00000007
// 0x00000008
// 0x00000009
// 0x0000000A
// 0x0000000C
// 0x0000000D
// 0x0000000E
// 0x0000000F
// 0x00000010
// 0x00000011
// 0x00000012
// 0x00000013
// 0x00000014
// 0x00000015
// 0x00000016
// 0x00000017
// 0x00000018
// 0x00000019
// 0x0000001A
// 0x0000001B
// 0x0000001C
// 0x0000001D
// 0x0000001E
// 0x0000001F
// 0x00000020
// 0x00000021
// 0x00000024
// 0x00000025
// 0x00000026
// 0x00000027
// 0x00000028
// 0x00000029
// 0x0000002A
// 0x0000002B
// 0x0000002C
// 0x0000002D
// 0x0000002E
// 0x0000002F
// 0x00000030

Page 18 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

CV_CRYPTO_FAILURE,
CV_RNG_FAILURE,
CV_INVALID_OUTPUT_PARAMETER_LENGTH = 0x34,
CV_INVALID_OBJECT_SIZE,
CV_INVALID_GCK_KEY_LENGTH = 0x37,
CV_INVALID_DA_PARAMS,
CV_CV_NOT_EMPTY,
CV_NO_GCK,
CV_RTC_FAILURE,
CV_INVALID_KDIX_KEY,
CV_INVALID_KEY_TYPE,
CV_INVALID_KEY_LENGTH,
CV_KEY_GENERATION_FAILURE,
CV_INVALID_KEY_PARAMETERS,
CV_INVALID_OBJECT_TYPE,
CV_INVALID_ENCRYPTION_PARAMETER,
CV_INVALID_HMAC_KEY,
CV_INVALID_INPUT_PARAMETER_LENGTH,
CV_INVALID_BULK_ENCRYPTION_PARAMETER,
CV_ENCRYPTION_FAILURE,
CV_INVALID_INPUT_PARAMETER,
CV_SIGNATURE_FAILURE,
CV_INVALID_OBJECT_PERSISTENCE,
CV_OBJECT_NONHASHABLE,
CV_SIGNED_TIME_REQUIRED,
CV_INVALID_SIGNATURE,
CV_INTERNAL_DEVICE_FAILURE,
CV_FLASH_ACCESS_FAILURE,
CV_RTC_NOT_AVAILABLE,
CV_USH_BOOT_FAILURE,
CV_INVALID_FINGERPRINT_TYPE,
CV_FAR_PARAMETER_DISALLOWED,
CV_FAR_VALUE_NOT_CONFIGURED,
CV_FINGERPRINT_CAPTURE_FAILED,
CV_HOST_CONTROL_REQUEST_TIMEOUT,
CV_HOST_CONTROL_REQUEST_RESULT_INVALID,
CV_INVALID_COMMAND,
CV_INVALID_COMMAND_LENGTH,
CV_FP_MATCH_GENERAL_ERROR,
CV_FP_DEVICE_GENERAL_ERROR,
CV_NO_BIOS_SHARED_SECRET,
CV_INVALID_HASH_TYPE,
CV_IDENTIFY_USER_FAILED,
CV_CONTACTLESS_FAILURE,
CV_INVALID_CONTACTLESS_CARD_TYPE,
CV_IDENTIFY_USER_TIMEOUT,
CV_INVALID_IMPORT_BLOB,
CV_CANT_REMAP_HANDLES,
CV_OBJECT_REQUIRES_PRIVACY_KEY,
CV_SMART_CARD_FAILURE,

// 0x00000031
// 0x00000032
// 0x00000034
// 0x00000035
// 0x00000037
// 0x00000038
// 0x00000039
// 0x0000003A
// 0x0000003B
// 0x0000003C
// 0x0000003D
// 0x0000003E
// 0x0000003F
// 0x00000040
// 0x00000041
// 0x00000042
// 0x00000043
// 0x00000044
// 0x00000045
// 0x00000046
// 0x00000047
// 0x00000048
// 0x00000049
// 0x0000004A
// 0x0000004B
// 0x0000004C
// 0x0000004D
// 0x0000004E
// 0x0000004F
// 0x00000050
// 0x00000051
// 0x00000052
// 0x00000053
// 0x00000054
// 0x00000055
// 0x00000056
// 0x00000057
// 0x00000058
// 0x00000059
// 0x0000005A
// 0x0000005B
// 0x0000005C
// 0x0000005D
// 0x0000005E
// 0x0000005F
// 0x00000060
// 0x00000061
// 0x00000062
// 0x00000063
// 0x00000064

Page 19 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

CV_INVALID_SMART_CARD_TYPE,
CV_SUPER_AUTH_TYPE_NOT_CONFIGURED,
CV_DIAG_FAIL,
CV_MONOTONIC_COUNTER_FAIL,
CV_FW_UPGRADE_START_FAILED,
CV_FW_UPGRADE_UPDATE_FAILED,
CV_FW_UPGRADE_COMPLETE_FAILED,
CV_FP_USER_TIMEOUT,
CV_ANTIHAMMERING_PROTECTION,
CV_UNALIGNED_ENCRYPTION_DATA,
CV_FP_BAD_SWIPE,
CV_ANTIHAMMERING_PROTECTION_DELAY_MED,
CV_ANTIHAMMERING_PROTECTION_DELAY_HIGH,
CV_RADIO_DISABLED_AND_LOCKED,
CV_FEATURE_NOT_AVAILABLE,
CV_RADIO_NOT_PRESENT,
CV_FP_NOT_PRESENT,
CV_RADIO_NOT_ENABLED,
CV_FP_RESET,
CV_SC_NOT_PRESENT,
CV_SC_NOT_ENABLED,
CV_FP_NOT_ENABLED,
CV_PHYSICAL_PRESENCE_AUTH_NOT_ALLOWED,

8.2

CV General Prompt Return Codes

CV_REMOVE_PROMPT = 0x00010000,
CV_PROMPT_SUPRESSED,

8.3

// 0x00010000
// 0x00010001

CV Smart Card & Contactless Prompt Return Codes

CV_PROMPT_FOR_SMART_CARD = 0x00020000,
CV_PROMPT_FOR_CONTACTLESS,
CV_PROMPT_PIN,
CV_PROMPT_PIN_AND_SMART_CARD,
CV_PROMPT_PIN_AND_CONTACTLESS,
CV_PROMPT_CONTACTLESS_DETECTED,

8.4

// 0x00000065
// 0x00000066
// 0x00000067
// 0x00000068
// 0x00000069
// 0x0000006A
// 0x0000006B
// 0x0000006C
// 0x0000006D
// 0x0000006E
// 0x0000006F
// 0x00000070
// 0x00000071
// 0x00000072
// 0x00000073
// 0x00000074
// 0x00000075
// 0x00000076
// 0x00000077
// 0x00000078
// 0x00000079
// 0x0000007A
// 0x0000007B

// 0x00020000
// 0x00020001
// 0x00020002
// 0x00020003
// 0x00020004
// 0x00020005

CV Fingerprint Prompt Return Codes

CV_PROMPT_FOR_FINGERPRINT_SWIPE = 0x00040000,
CV_PROMPT_FOR_FINGERPRINT_TOUCH,
CV_PROMPT_FOR_FIRST_FINGERPRINT_SWIPE,
CV_PROMPT_FOR_FIRST_FINGERPRINT_TOUCH,
CV_PROMPT_FOR_SECOND_FINGERPRINT_SWIPE,
CV_PROMPT_FOR_SECOND_FINGERPRINT_TOUCH,

// 0x00040000
// 0x00040001
// 0x00040002
// 0x00040003
// 0x00040004
// 0x00040005

Page 20 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

CV_PROMPT_FOR_THIRD_FINGERPRINT_SWIPE,
CV_PROMPT_FOR_THIRD_FINGERPRINT_TOUCH,
CV_PROMPT_FOR_FOURTH_FINGERPRINT_SWIPE,
CV_PROMPT_FOR_FOURTH_FINGERPRINT_TOUCH,
CV_PROMPT_FOR_RESAMPLE_SWIPE,
CV_PROMPT_FOR_RESAMPLE_TOUCH,
CV_PROMPT_FOR_RESAMPLE_SWIPE_TIMEOUT,
CV_PROMPT_FOR_RESAMPLE_TOUCH_TIMEOUT,

8.5

// 0x00040006
// 0x00040007
// 0x00040008
// 0x00040009
// 0x0004000A
// 0x0004000B
// 0x0004000C
// 0x0004000D

CV User Library Return Codes

CV_INVALID_OBJ_AUTH_FLAG = 0x00080000,
CV_MEMORY_ALLOCATION_FAIL,
CV_INVALID_PERSISTENT_TYPE,
CV_INVALID_LIBRARY,
CV_ERROR_LOADING_INTERFACE_LIBRARY,
CV_FAILURE,
CV_SECURE_SESSION_FAILURE,
CV_INVALID_SUITEB_FLAG,
CV_INVALID_CALLBACK_ADDRESS,
CV_GENERAL_ERROR,
CV_INVALID_BLOB_TYPE,
CV_INVALID_ENCRYPT,
CV_INVALID_DECRYPT,
CV_INVALID_HMAC_TYPE,
CV_INVALID_SIGN_TYPE,
CV_INVALID_VERIFY,
CV_INVALID_AUTH_ALG,
CV_INVALID_DEVICE,
CV_INVALID_OTP_PROV,
CV_INVALID_MAC_TYPE,
CV_INVALID_CONFIG_TYPE,
CV_INVALID_ENC_OP_TYPE,
CV_INVALID_DEC_OP_TYPE,
CV_INVALID_HASH_OP,
CV_INVALID_BULK_MODE,
CV_INVALID_OPTIONS,
CV_INVALID_APPID,
CV_INVALID_USERID,
CV_INVALID_INBOUND_PARAM_TYPE,
CV_INVALID_IPADDRESS,
CV_INVALID_AUTHORIZATION_TYPE,
CV_INVALID_STATUS_TYPE,
CV_INVALID_CONTACTLESS_TYPE,
CV_INVALID_SESSION,
CV_FAILED_OPEN_REMOTE_SESSION,
CV_FAILED_CLOSE_REMOTE_SESSION,
CV_HMAC_VERIFICATION_FAILURE,

// 0x00080000
// 0x00080001
// 0x00080002
// 0x00080003
// 0x00080004
// 0x00080005
// 0x00080006
// 0x00080007
// 0x00080008
// 0x00080009
// 0x0008000A
// 0x0008000B
// 0x0008000C
// 0x0008000D
// 0x0008000E
// 0x0008000F
// 0x00080010
// 0x00080011
// 0x00080012
// 0x00080013
// 0x00080014
// 0x00080015
// 0x00080016
// 0x00080017
// 0x00080018
// 0x00080019
// 0x0008001A
// 0x0008001B
// 0x0008001C
// 0x0008001D
// 0x0008001E
// 0x0008001F
// 0x00080020
// 0x00080021
// 0x00080022
// 0x00080023
// 0x00080024

Page 21 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

8.6

CV User Interface Return Codes

CV_UI_TRANSMIT_INVALID_INPUT = 0x00100000,
CV_UI_HSR_INVALID_INPUT,
CV_UI_FAILED_SEMAPHORE_CREATION,
CV_UI_FAILED_COMMAND_PROCESS,
CV_UI_FAILED_COMMAND_SUBMISSION,
CV_UI_FAILED_ASYNC_THREAD_CREATION,
CV_UI_FAILED_HOST_STORE_REQUEST,
CV_UI_FAILED_ABORT_COMMAND,
CV_UI_TRANSMIT_SERVER_INVALID_INPUT,
CV_FAILED_REMOTE_SERVER_FUNCTION,
CV_UI_FAILED_FP_REGISTER_EVENT_REQUEST,
CV_UI_TRANSMIT_CLIENT_INVALID_INPUT,
CV_UI_HCR_INVALID_INPUT,
CV_PROMPT_PIN_FAILURE,
CV_PROMPT_FAILURE,
CV_INVALID_HOST_STORE_REQUEST,
CV_INVALID_HOST_STORE_COMMAND_ID,
CV_HOST_STORE_REQUEST_FAILED,
CV_HOST_STORE_REQUEST_SUBMISSION_FAILED,
CV_HOST_CONTROL_REQUEST_FAILED,
CV_HOST_CONTROL_REQUEST_SUBMISSION_FAILED

8.7

// 0x00100000
// 0x00100001
// 0x00100002
// 0x00100003
// 0x00100004
// 0x00100005
// 0x00100006
// 0x00100007
// 0x00100008
// 0x00100009
// 0x0010000A
// 0x0010000B
// 0x0010000C
// 0x0010000D
// 0x0010000E
// 0x0010000F
// 0x00100010
// 0x00100011
// 0x00100012
// 0x00100013
// 0x00100014

USHDIAG Return Codes (ERRORLEVEL)

USH_SUCCESS,
USH_ERROR,
USH_INVALID_PARAMETER,
USH_INVALID_FILE,
USH_MISSING_PARAMETER,
USH_ERROR_USB,
USH_ERROR_CV,
USH_TEST_FAILED,
USH_NO_FIRMWARE,
USH_ERROR_TPM,
USH_AUTH_ERR,
USH_TPM_ERR,
USH_C0_CID1,
USH_C0_CID,
USH_AH_ERR
USH_FW_ERR

// 0x00
// 0x01
// 0x02
// 0x03
// 0x04
// 0x05
// 0x06
// 0x07
// 0x08
// 0x09
// 0x0a
// 0x0b
// 0x0c
// 0x0d
// 0x0e
// 0x0f

USHDIAG successfully with no errors or messages


Generic Error has occurred
Parameter is invalid
Invalid file specified
Parameter is missing
Could not initialized USB interface (could not find USH)
USH returned an error
Diagnostic test returned an error
BCM Firmware not loaded
Could not find TPM
PBA update failed authorization
Reset or Firmware update failed: TPM enabled
Found USH C0 Chip with Customer ID 1
Found USH Chip with specified Customer ID(-cid xx)
Anti-hammering protection encountered
Chip Customer ID & SBI File Customer ID mismatch

Page 22 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

UPEK FINGERPRINT TEST

Ushdiag invokes all of the Upek tests listed below. The following information is obtained from The Upek TCEFA1
Manufacturing Tests release 1.0 Application Notes.

9.1

TCS1 Sensor Test

This test verifies the connection between sensor and module. It also validates the sensor supported.
Pass/Fail Criteria: This test passes if the registers in the TCS are read correctly.

9.2

TCEFA1 Firmware Check

The test verifies the correct firmware is pre-loaded into the TCEFA1 module. It also verifies that sensor is pre-calibrated
and correct license installed.
Pass/Fail Criteria: This test passes if the TCEFA1 has correct firmware and it has been precalibrated and licensed.

9.3

TCS1 Sensor New Damage Check

The test first verify all the precalibrated data items, such as bad lines, bad pixels, gain/offset settings and gradient
compensation, exist in the flash, then it check the new damages.
Pass/Fail Criteria: This test passes if the pre-calibration succeeded and the new damages are within the limits.

9.4

TCS1 Sensor Bleeding Pixel Test

This test verifies that no bleeding pixels exist. A bad pixel bleeds into other pixels always causing its readout line to be
driven even when it is not addressed, which results in a black row in the image.
Pass/Fail Criteria: This test passes if the frame row averages for the standard calibration setting and for the max charge
setting are within the expected limits.

9.5

TCS1 Sensor Damage Level Test

This test verifies that the TCS damages detected by pre-calibration are within the limits.
Pass/Fail Criteria: This test passes if the damage is within normal limits during precalibration.

Page 23 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

9.6

System Noise Level Test

This test verifies that the system noise is within the acceptable limits and power supply is quite enough. A system with
less system noise will have better quality images from sensor.
Pass/Fail Criteria: This test passes if the system noise level is within normal limits during sensor active states.

9.7

TCS1 Sensor Image Quality Test

This test verifies that the resulting fingerprint is compliant with the TCS Image Quality Specification.
This test measures:
Image contrast
Image non-idealities such as offsets between rows
Image defectivity: bad rows and bad pixels
Pass/Fail Criteria: This test passes if all the measurements are within the expected limits.

9.8

TCEFA1 NVM/FLASH Check

This test verifies the presence and size of flash/NVM on the module.
Pass/Fail Criteria: This test passes if the correct flash is there.

Page 24 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

10 AUTHENTEC FINGERPRINT TEST


The fingerprint test function performs the following operations.

10.1 Establishes basic communications with the sensor

10.2 In the process of calibration, it validates:

The sensors registers to make sure this is a supported sensor.


It validates the sensor type, version and patch.
It validates the BIT Image.
It calibrates the sensor for operation.

10.3 Performs a pixel test to look for pixels that are stuck at either black or white
(manufacturing defect)

10.4 Performs a shorted finger ring test to make sure the finger ring was not damaged
during manufacture.
NOTE: Touching the sensor while it is performing the fingerprint test will cause the test to fail.

Page 25 of 26
Revision 1.3

Copyright 2008

Broadcom USH Diagnostics User Guide

11 APPENDIX

11.1 High Speed RFID Card


The card used for high speed RFID testing is made by ACG, the part# is MF3D40. People may refer it as MiFare
DesFire card using ISO14443A protocol at 848Kb data rate.

Page 26 of 26
Revision 1.3

Copyright 2008