@D77F.ADF IBM Cryptographic Adapter (thx to SuperVinx)
189-174 IBM 4754 Security Interface Unit Model 001,
IBM 4755 Cryptographic Adapter Models 001, 002, and IBM Personal Security Card
ZG92-0260 4755-003/004/005/013/014 Cryptographic Adapter
CSUTMSTR.BOO 4753 Network Security
Processor Model 14 Installation and Service Manual
The cryptographic microprocessor on the Cryptographic Adapter is an 80186
CPU with ROM, RAM, a DEA engine, and other support logic, all integrated into
a single encapsulated custom package.
This level of integration and the incorporation of intrusion-resistant
design techniques, are intended to provide protection against electromagnetic,
chemical, and physical attacks on the cryptographic keys and other sensitive
data that are stored on the custom module.
The Cryptographic Adapter also includes the RS-232 communication interface
for the Security Interface Unit, and a socket for plugging the signature
processing module. A battery backup system is used to retain cryptographic keys
in the secure memory. The memory is erased when the 4755 is removed from the
- -002 (DES) 31F1716 / 34F1684 PS/2
- -004 (DES) 31F1786 PS/2
- -014 (DES/PKA) 31F1790 PS/2
- -005 (DES) 17G7547 RS/6000
All photos and illustrations that we have seen so far resemble the outline
below (with the exception of jumper CD8). It seems possible that any differences
between versions are in the circuitry inside the "Silver Shield" (sounds like a
Super Hero). Stirring things up even more is the later addition of a ability to
use custom encryption. No idea, I suspect it is inside the Silver Shield.
EPROM? Flash? Only The Shadow knows... -LFO
The 475x Product Line
The IBM Transaction Security System (TSS, product family 475x) is an
integrated hardware and software implementation of common cryptographic
functions. Together with the software support package SECIWS, TSS is designed
to improve security at PC workstations, communication channels between
workstations and between workstations and host processors
The 4753 NSP uses the 3172 chassis, with a
1S1P 95 planar and
Type 2 (H or L) or
Type 4 "P" (P66) complex upgrade. IBM lists the
3172 (-003?) documentation.
Further, the Cryptographic Adapter is found in a number of financial
systems, the 37xx in particular. Additionally, the 4755 can enable a PS/2 to
connect securely to S/370, RS/6000, and AS/400 systems. I have seen a picture
of a 4755-014 in an AS/400 "book" as well.
The 4755 does not communicate anything over the DE9, instead it provides
"in-stride" encryption of the data to be transmitted over the Token Ring
network. So, any fantasies of doing a "direct connect" with a 4755 to 4755 is
We don't have the Workstation drivers or the 4753 Control Program.
(photos from UMMR,
"Wormetti" @ VCF and
BT1 Battery outline
CD1 DE9 male connector (RS-232 to 4754)
CD2,3 Daughterboard pin headers
CD4 3-pin Memory Retain jumper
CD5 2-pin Service jumper
CD6 3-pin Ext. battery jumper
CD7 2-pin Tamper Test jumper
ZM3 DIP-24 ROM socket
ZM5 41F9867 PAL
ZM7 Intel N82530-6 SSC
ZM17-20 32Kx8 SRAM
ZM21 Secure module (metal can)
? 6.0? MHz osc (for SSC?)
BT1 Outline and solder pads for a PCB
mounted battery (a large coin cell, reminiscent of the one on an 8573-P75 -LFO).
Replaced by a power lead with a 2-pin connector attached to a cylindrical
battery (IBM P/N 49F4906). 3 V, 1400 or 1500 mAh, CR12600SE or compatible -
identified as "Lithium", cell says MnO2-Li (Lithium Manganese oxide). Different
termination methods available:
CR12600SE is a normal battery (button positive, flat negative)
CR12600SET has tabs
CR12600SEP has pins
CD2,3 Headers for Signature Verification
module. This module REQUIRES the 4754 Security Interface Unit to be attached to
the DE9 port on the 4755. From my hurried reading of some documentation, the
"pen" (attached to 4754) looks for selected movements when someone signs with
the "pen". No digitizer pad is used. -LFO
ZM3 Cryptographic adapter ROM (P/N
11H0381 for 4753 at Control Program Version 3.00 and P/N 41H6783 for Version
SWAG: The ROM is just for setting up the card's resources on the
MCA bus. Not sure if the Control Program internals changed from ver 3.00 to
3.10, or if the 4755 hardware changed, or IBM did it "just because". -LFO
ZM10 is a TI "special sauce" chip, note
the "CF" prefix.
HM62256LFP-12T or compatible
ZM21 Metal shield seems to be held on
with tabs soldered to the PCB. The solder side has no apparent large holes for
mounting pegs or twisted tab ends.
Note: Position 1 - pin 1 and center pin; Position
2 - pin 2 and center pin.
CD4 - Battery Retain (default "1")
Lose or Retain cryptographic adapter RAM:
Position 1 - memory contents lost if cryptographic adapter is unplugged.
Position 2 - memory contents retained if cryptographic adapter unplugged.
If CD4 is not installed, memory contents are lost if you unplug the
cryptographic adapter or if you switch off the power.
Note: Install a jumper to prevent inconsistent
results from memory content loss.
CD5 - Service Switch (default "closed")
Determines if the service switch was set to ON since the service switch flag
last reset. (service switch flag reset when security officer uses operations
utility to reset switch or when a cryptographic adapter is reinitialized.)
Note: The toggle switch is mounted on an MCA slot
filler. In this illustration, Slot 6 is actually empty.
CD6 - External Battery (default "1")
Currently ignored; but a jumper MUST be installed.
CD7 - Tamper Test (default "open")
Manufacturing test point; Open for normal operations.
CD8 - FEPROM Program (default "1")
Erase or Change the code in the loadable shield:
Position 1 - erase or change code.
Position 2 - cannot erase or change code.
Note: This jumper is not present on some boards
(not even the solder pads). These (older?) adapters probably aren't capable of
erasing/modifying the EPROM contents.
AdapterId D77F IBM Cryptographic Adapter
9 highest, then in
decreasing order 3, 4, and 7. Change if it is in conflict with another
<"INT 7">, 9, 3,
it is in conflict with another assignment
Level 1 highest priority, higher levels decrease in
priority. Change if it is in conflict with another
<"Level 6">, 1, 2,
3, 5, 7
Burst Enable (Burst Mode DMA)
ON - Adapter attempts to do 8 or 16
transfers per arbitration cycle.
OFF - Single byte or word transfers occur
for each arbitration cycle.
Burst Transfer Count
Number of possible transfers before adapter releases channel when
Note: Use 16 only with PS/2's that use the default
Word Transfer Enable
Adapter operates in ON (Word) or OFF (Byte) mode.
DMA Slave Selection
IO ADDR forces I/O address of adapter to be valid during I/O
ARB LVL selection made on decode of I/O
cycle, arbitration level, and valid status.
Note: Most PS/2s support either, but some models
don't support ARB LVL. In general, use IO ADDR on PS/2s. The RISC System/6000
only supports ARB LVL.
Change if it is in conflict with another assignment
0CA000-0CBFFF, 0CC000-0CDFFF, 0CE000-0CFFFF,
0D0000-0D1FFF, 0D2000-0D3FFF, 0D4000-0D5FFF,
0D6000-0D7FFF, 0D8000-0D9FFF, 0DA000-0DBFFF,
0DC000-0DDFFF, 0DE000-0DFFFF, 0C0000-0C1FFF,
0C2000-0C3FFF, 0C4000-0C5FFF, 0C6000-0C7FFF