AT88SC0404CRF

Features • A Family of Devices with User Memories of 1 Kbit to 64 Kbit • Contactless 13.56 MHz RF Communications Interface – ISO/IEC 14443-2:2001 Type B Compliant – ISO/IEC 14443-3:2001 Type B Compliant Anticollision Protocol – Tolerant of Type A Signaling for Multi-Protocol Applications Integrated 82 pF Tuning Capacitor User EEPROM Memory Configurations: – 64 Kbits Configured as Sixteen 512 byte (4 Kbit) User Zones [AT88SC6416CRF] – 32 Kbits Configured as Sixteen 256 byte (2 Kbit) User Zones [AT88SC3216CRF] – 16 Kbits Configured as Sixteen 128 byte (1 Kbit) User Zones [AT88SC1616CRF] – 8 Kbits Configured as Eight 128 byte (1 Kbit) User Zones [AT88SC0808CRF] – 4 Kbits Configured as Four 128 byte (1 Kbit) User Zones [AT88SC0404CRF] – 2 Kbits Configured as Four 64 byte (512 bit) User Zones [AT88SC0204CRF] – 1 Kbits Configured as Four 32 byte (256 bit) User Zones [AT88SC0104CRF] – Byte, Page, and Partial Page Write Modes – Self Timed Write Cycle 256 byte (2 Kbit) Configuration Memory – User Programmable Application Family Identifier (AFI) – User-defined Anticollision Polling Response – User-defined Keys and Passwords High Security Features – Selectable Access Rights by Zone – 64-bit Mutual Authentication Protocol (under license of ELVA) – Encrypted Checksum – Stream Encryption – Four Key Sets for Authentication and Encryption – Four or Eight 24-bit Password Sets – Password and Authentication Attempts Counters – Anti-tearing Function – Tamper Sensors High Reliability – Endurance : 100,000 Write Cycles – Data Retention : 10 Years • • CryptoRF Specification AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF • • • 5276A–RFID–07/08 Features ..................................................................................................... 1 1 Introduction .............................................................................................. 4 1.1 Description ...............................................................................................................4 1.2 Block Diagram ..........................................................................................................4 1.3 Communications .......................................................................................................5 1.4 Scope ......................................................................................................................5 1.5 Conventions .............................................................................................................5 2 3 4 User Memory ............................................................................................ 7 Configuration Memory ............................................................................. 7 Command Set ........................................................................................... 8 4.1 Anticollision Command Definitions ...........................................................................9 4.2 REQB / WUPB Polling Commands [$05] ................................................................9 4.3 Slot MARKER Command [$s5] .............................................................................12 4.4 ATTRIB Command [$1D] ......................................................................................14 4.5 HLTB Command [$50] ...........................................................................................16 4.6 Active State Command Definitions .........................................................................17 4.7 Set User Zone Command [$c1] .............................................................................18 4.8 Read User Zone Command [$c2] ..........................................................................21 4.9 Read User Zone (Large Memory) Command [$c2] ...............................................24 4.10 Write User Zone Command [$c3] ........................................................................27 4.11 Write User Zone (Large Memory) Command [$c3] .............................................30 4.12 Write System Zone Command [$c4] ....................................................................33 4.13 Read System Zone Command [$c6] ...................................................................37 4.14 Verify Crypto Command [$c8] .............................................................................40 4.15 Send Checksum Command [$c9] ........................................................................41 4.16 DESELECT Command [$cA] ...............................................................................42 4.17 IDLE Command [$cB] ..........................................................................................43 4.18 Check Password Command [$cC] .......................................................................44 5 6 7 8 Transaction Flow ................................................................................... 47 Absolute Maximum Ratings* ................................................................ 48 Reliability ................................................................................................ 48 Electrical Characteristics ...................................................................... 49 8.1 Tamper Detection ...................................................................................................49 2 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Annex: A Terms and Abbreviations............................................................. 50 Annex: B Standards and Reference Documents........................................ 53 Annex: C User Memory Maps....................................................................... 54 Annex: D Configuration Memory Maps ....................................................... 65 Annex: E Device Personalization................................................................. 69 Annex: F Security Fuses............................................................................... 72 Annex: G Configuration of Password and Access Control Registers .... 74 Annex: H Using Password Security............................................................. 78 Annex: I Understanding Anti-Tearing.......................................................... 83 Annex: J Personalization of the Anticollision Registers ........................... 87 Annex: K Understanding Anticollision........................................................ 92 Annex: L The ISO/IEC 14443 Type B RF Signal Interface .......................... 94 Annex: M RF Specifications and Characteristics....................................... 98 Annex: N Transaction Time ........................................................................ 102 Annex: O Ordering Information.................................................................. 104 Annex: P Errata............................................................................................ 106 Revision History.................................................................................... 107 3 5276A–RFID–07/08 1. Introduction 1.1 Description The CryptoRF® family integrates a 13.56 Mhz RF interface with CryptoMemory® security features. This product line is ideal for RF tags and contactless smart cards that can benefit from advanced security and cryptographic features. The device is optimized as a contactless secure memory for secure data storage without the requirement of an internal microprocessor. For communications the RF interface utilizes the ISO/IEC 14443–2 and –3 Type B bit timing and signal modulation schemes, and the ISO/IEC 14443-3 Slot-MARKER Anticollision Protocol. Data is exchanged half duplex at a 106k bit per second rate, with a two byte CRC_B providing error detection capability. The RF interface powers the other circuits, no battery is required. Full compliance with the ISO/IEC 14443 –2 and –3 standards results in anticollision interoperability with the AT88RF020 2 Kbit RFID EEPROM product and provides both a proven RF communication interface, and a robust anticollision protocol. The seven products in this family contain 1 Kbits to 64 Kbits of User Memory plus 2 Kbits of Configuration Memory. The 2 Kbits of Configuration Memory contains read/write password sets, four crypto key sets, security access registers for each user zone, and password/key registers for each zone. The CryptoRF command set is optimized for a multicard RF communications environment. A programmable AFI register allows this IC to be used in numerous applications in the same geographic area with seamless discrimination of cards assigned to a particular application during the anticollision process. 1.2 Block Diagram Block Diagram Figure 1-1. RF Interface Command and Response EEPROM AC1 C Over Voltage Clamp er Modulator VSS ec tif i Regulator Vdd Data Transfer R Password Verification AC2 Clock Extraction Data Extraction Frame Form atting and Error Detection Interf ace Anticollision Authentication, Encryption and Certification Unit Random Number Generator 4 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 1.3 Communications All personalization and communication with this device is performed through the RF interface. The IC includes an integrated tuning capacitor, enabling it to operate with only the addition of a single external coil antenna. The RF communications interface is fully compliant with the electrical signaling and RF power specifications in ISO/IEC 14443-2 for Type B only. Anticollision operation and frame formatting are compliant with ISO/IEC 14443-3 for Type B only. 1.4 Scope This CryptoRF Specification document includes all specifications for the normal mode of CryptoRF operation. This document may be freely distributed without any formal user agreements. The Authentication and Encryption modes of operation are not described in this document. The Authentication and Encryption modes specifications are described in the document CryptoRF Specification Addendum for Secure Applications , which is available only under NonDisclosure and Limited Licensing Agreements (NDA and LLA). Contact your regional Atmel sales office to obtain this secure document. 1.5 Conventions ISO/IEC 14443 nomenclature is used in this specification where applicable. The following abbreviations are utilized throughout this document. Additional terms are defined in Annex A. • PCD: Proximity Coupling Device – is the reader/writer and antenna. • PICC: Proximity Integrated Circuit Card – is the tag/card containing the IC and antenna. • RFU: Reserved for Future Use – is any feature, memory location, or bit that is held as reserved for future use by the ISO standards committee or by Atmel. • $xx: Hexadecimal Number – denotes a hex number “xx” (Most Significant Bit on left). • xxxxb: Binary Number – denotes a binary number “xxxx” (Most Significant Bit on left). Each command / response exchange between the PCD and PICC is formatted as shown in Figure 1-2. The bytes are shown in the order in which they are transmitted, with PCD transmissions in the left column, and PICC transmissions in the right column. Each byte contains one or more fields as indicated by lines drawn vertically within the byte. The field in the left half of the byte is the upper nibble of the byte, and the field to the right is the lower nibble of the byte. In Figure 1-2, five fields contain values ($1D, $00, $F, $51, $0), four fields contain field names (“Addr”, “XX”, “CID”, “Data”), and four fields contain error detection codes (CRC1, CRC2). 5 5276A–RFID–07/08 Figure 1-2. Example Command and Response Format Reader PICC Command First Byte > Command Second Byte > Command Third Byte > Command Fourth Byte > Command Fifth Byte > CRC First Byte > CRC Second Byte > TR2 > Response First Byte > Response Second Byte > CRC First Byte > CRC Second Byte > $F $1D $00 ADDR XX $51 CRC1 CRC2 $0 DATA CRC1 CRC2 CID The CRC error detection codes are calculated using all of the previous bytes in the command or response and are appended to each command and response to allow detection of RF communication errors. These bytes are required by ISO/IEC 14443-3:2001 and are usually calculated and verified in the reader hardware. 6 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 2. User Memory The User EEPROM Memory characteristics are summarized in Table 2-1 below. User Memory is divided into equally sized User Zones. Access to the User Zones is allowed only after security requirements have been met. These security requirements are defined by the user in the configuration memory during personalization of the device. The default configuration is open read/write access to all user memory zones. Table 2-1. CryptoRF User Memory Characteristics User Memory Size Bits 1K 2K 4K 8K 16K 32K 64K Bytes 128 256 512 1K 2K 4K 8K User Memory Organization # Zones 4 4 4 8 16 16 16 Bytes/Zone 32 64 128 128 128 256 512 Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 3. Configuration Memory The configuration memory consists of 2048 bits of EEPROM memory used for storing system data, passwords, keys, codes, and access control registers for each user zone. Access rights to the configuration memory are defined in the control logic and cannot be altered by the user. These access rights include the ability to program certain portions of the configuration memory and then lock the data written through use of the security fuses. The Read System Zone and Write System Zone commands are used to access the configuration memory. Table 3-1. Configuration Memory Characteristics Password Sets 4 Sets 4 Sets 4 Sets 8 Sets 8 Sets 8 Sets 8 Sets Key Sets 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets OTP Memory Free For Customer Use 27 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes Transport Password PW Index $07 $07 $07 $07 $07 $07 $07 Password $10 14 7C $20 C2 8B $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 7 5276A–RFID–07/08 4. Command Set The CryptoRF command set contains two types of commands: Anticollision commands, and Active State commands. Anticollision commands are explicitly defined in ISO/IEC 144433:2001. The CryptoRF Active State commands are Atmel defined commands that are compliant with the ISO/IEC 14443-3:2001 requirements. The CryptoRF Active State commands contain the CID code that is assigned to a card when it is selected during the anticollision process. See the ATTRIB command for coding of the CID bits. Table 4-1. Bit 7 0 Coding of the Command Byte for the Anticollision Command Set Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 0 1 1 1 0 Bit 2 1 1 1 0 Bit 1 0 0 0 0 Bit 0 1 1 1 0 Command Name REQB/WUPB Slot MARKER ATTRIB HLTB Hexidecimal $05 $s5 $1D $50 Slot Number 0 0 0 1 0 0 Table 4-2. Bit 7 Coding of the Command byte for the CryptoRF Active State Command Set. Bit 6 CID CID CID CID CID CID CID CID CID CID Bit 5 Bit 4 Bit 3 0 0 0 0 0 1 1 1 1 1 Bit 2 0 0 0 1 1 0 0 0 0 1 Bit 1 0 1 1 0 1 0 0 1 1 0 Bit 0 1 0 1 0 0 0 1 0 1 0 Command Name Set User Zone Read User Zone Write User Zone Write System Zone Read System Zone Verify Crypto Send Checksum DESELECT IDLE Check Password Hexidecimal $c1 $c2 $c3 $c4 $c6 $c8 $c9 $cA $cB $cC All Other Values Are Not Supported 8 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.1 Anticollision Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. 4.2 REQB / WUPB Polling Commands [$05] The REQB / WUPB command is used to search for PICCs in the RF field. The command and response are ISO/IEC 14443-3:2001 compliant. Reader PICC Command > $05 AFI PARAM CRC1 CRC2 ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP 1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 4.2.1 Operation The “Request B” (REQB) and “Wake-Up B” (WUPB) commands are used to probe the RF field for Type B PICCs as the first step in the anticollision process. The response to an REQB or WUPB command is the “Answer to Request B” (ATQB). PICCs in the Active State are not permitted to answer this command. 4.2.2 Command Field Descriptions AFI: The Application Family Identifier (AFI) is used to select the family and sub-family of cards which the PCD is targeting. Only PICCs with a matching AFI code are permitted to answer an REQB or WUPB command. Table 4-3 describes the AFI matching criteria. An AFI of $00 activates all Type B PICCs. 9 5276A–RFID–07/08 Table 4-3. AFI High Bits $0 “X” “X” $0 AFI matching criteria for polling commands received by the PICC. AFI Low Bits $0 $0 “Y” “Y” REQB/WUPB Polling produces a PICC response from: All Families and sub-families All sub-families of Family “X” Only sub-family “Y” of Family “X” Proprietary sub-family “Y” Only “Y” = $1 to $F “X” = $1 to $F PARAM: The PARAM byte is used to send two parameters to the PICC. The parameter “N”, which assigns the number of anticollision slots, and the REQB / WUPB selection bit. Figure 4-1. Bit 7 0 Coding of the PARAM byte in the REQB/WUPB command. Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 RW Bit 2 Bit 1 N Bit 0 Table 4-4. Bit 2 0 0 0 0 1 1 1 Coding of “N”, the number of anticollision slots, in the PARAM byte. Bit 1 0 0 1 1 0 0 1 Bit 0 0 1 0 1 0 1 x N 1 2 4 8 16 RFU RFU Table 4-5. Bit 3 0 1 Coding of the REQB / WUPB selection bit in the PARAM byte. Command REQB WUPB CRC: Communication error detection bytes. 10 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.2.3 Response Field Descriptions PUPI: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. APP: Application Data. Information about the card or application, stored in the System Zone. The fourth byte of the application data field, APP3, is programmed by Atmel with a memory density code at the factory to permit easy identification of different card sizes. The memory density codes programmed by Atmel are shown in Table 4-6. Table 4-6. Default value of APP3 is the CryptoRF Memory Density Code Density Code $02 $12 $22 $33 $44 $54 $64 Device Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Protocol: ISO/IEC 14443 communication capabilities reported to the PCD. CRC: Communication error detection bytes. 4.2.4 Error Handling If an REQB or WUPB command containing errors is received by the PICC, it is ignored and no response is send. 11 5276A–RFID–07/08 4.3 Slot MARKER Command [$s5] The Slot MARKER command can be used to separately identify multiple PICCs in the RF field. The command and response are ISO/IEC 14443-3:2001 compliant.. Reader PICC Command > “S” CRC1 CRC2 $5 ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP 1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 4.3.1 Operation Slot MARKER is an optional command used to perform ISO/IEC 14443-3 Type B anticollision using the timeslot approach. Immediately after an REQB or WUPB command with “N” greater than 1 is issued, and the ATQB response (if any) is received, the PCD will transmit Slot MARKER commands with slot values “S” of 2 to “N” to define the start of each timeslot for anticollision. If the random number “R” selected by the PICC matches “S” then the PICC responds with ATQB. PICCs in the Active State are not permitted to answer this command. 4.3.2 Command Field Descriptions S: The slot number “S” is encoded within the command byte as shown in Table 4-7. CRC: Communication error detection bytes. 12 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.3.3 Response Field Descriptions Table 4-7. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 Coding of the slot number within the Slot MARKER command byte. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Slot Not Supported 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 PUPI: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. APP: Application Data. Information about the card or application, stored in the System Zone. Protocol: ISO/IEC 14443 communication capabilities reported to the PCD. CRC: Communication error detection bytes. 4.3.4 Error Handling If a Slot MARKER command containing errors is received by the PICC, it is ignored and no response is send. 13 5276A–RFID–07/08 4.4 ATTRIB Command [$1D] The ATTRIB command is used to select a PICC for a transaction. The command and response are ISO/IEC 14443-3:2001 compliant. Reader PICC Command > $1D PUPI 0 PUPI of PCI > PUPI 1 PUPI 2 PUPI 3 Param 1 > Param 2 > Param 3 > Param 4 Assigns CID > $0 $0 $00 TBmax $00 CID CRC1 CRC2 ATTRIB Response > $0 CRC1 CRC2 CID SUCCESS RESPONSE 4.4.1 Operation Sending the ATTRIB command (with a matching PUPI) after an ATQB response places the PICC in the Active State and assigns the Card ID Number (CID) to the PICC. PICCs already in the Active State or Halt State are not permitted to answer this command. 4.4.2 Command Field Descriptions PUPI: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. Param: ISO/IEC 14443 communication capabilities reported to the PICC. The contents of Param Bytes 1, 2, and 3 are not used by the CryptoRF family. TBmax: A parameter sent by the PCD reporting the receive buffer size of the PCD. Default value is $0. CID: The Card ID Number (CID) in ATTRIB Param Byte 4 and in the ATTRIB Response is encoded as shown in Table 4-8. Each PICC is assigned a unique CID when it is placed in the Active State. CryptoRF Active State commands use the assigned CID to direct the commands to the desired PICC. 14 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Table 4-8. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 Coding of the Card ID in the ATTRIB command and response. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 1 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 CID Not Supported 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Not Supported CRC: Communication error detection bytes. 4.4.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. CRC: Communication error detection bytes. 4.4.4 Error Handling If an ATTRIB command containing transmission errors is received by the PICC, it is ignored and no response is send. 15 5276A–RFID–07/08 4.5 HLTB Command [$50] The HLTB command places a PICC in the Halt State, where it is not allowed to answer an REQB command. The command and response are ISO/IEC 14443-3 compliant. Reader PICC Command > $50 PUPI 0 PUPI of PCI > PUPI 1 PUPI 2 PUPI 3 CRC1 CRC2 HLTB Response > $00 CRC1 CRC2 SUCCESS RESPONSE 4.5.1 Operation Sending the “Halt B” (HLTB) command (with a matching PUPI) after an ATQB response places the PICC in the Halt State. A PICC in the Halt State will only respond to a WUPB command. PICCs in the Active State or already in the Halt State are not permitted to answer this command. 4.5.2 Command Field Descriptions PUPI: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. CRC: Communication error detection bytes. 4.5.3 Response Field Descriptions CRC: Communication error detection bytes. Error Handling If a HLTB command containing errors is received by the PICC, it is ignored and no response is send. 4.5.4 16 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.6 Active State Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. Table 4-9. Bit 7 Coding of the Command byte for the CryptoRF Active State Command Set Bit 6 CID CID CID CID CID CID CID CID CID CID Bit 5 Bit 4 Bit 3 0 0 0 0 0 1 1 1 1 1 Bit 2 0 0 0 1 1 0 0 0 0 1 Bit 1 0 1 1 0 1 0 0 1 1 0 Bit 0 1 0 1 0 0 0 1 0 1 0 Command Name Set User Zone Read User Zone Write User Zone Write System Zone Read System Zone Verify Crypto Send Checksum DESELECT IDLE Check Password Hexidecimal $c1 $c2 $c3 $c4 $c6 $c8 $c9 $cA $cB $cC All Other Values are Not Supported 4.6.1 Response Format The response to each Active State command consists of five bytes or more. The first byte of the response is the command byte echoed back to the PCD. The second byte is the ACK/NACK byte which reports success or failure of the command execution. The final two bytes of the response are always the CRC bytes. The CRC bytes are preceded by a STATUS byte which reports error codes or PICC status codes. Any data bytes returned by the command are located between the ACK/NACK and STATUS bytes. Coding of the ACK/NACK byte of the PICC response Bit 5 0 0 Bit 4 0 0 Bit 3 0 0 0 0 Bit 2 0 0 0 0 Bit 1 0 0 0 0 Bit 0 0 1 1 1 ACK NACK, See STATUS byte for cause NACK, Check Password Attempt Failure NACK, Authentication or Encryption Attempt Failure Response Decode Table 4-10. Bit 7 0 0 Bit 6 0 0 Password Attempts Counter Auth. Attempts Counter The STATUS byte reports reasons for failure of an operation, and provides feedback to the host application indicating status of the PICC. The PICC ignores commands that do not have a matching CID. Invalid command codes are also ignored. 17 5276A–RFID–07/08 4.7 Set User Zone Command [$c1] The Set User Zone command selects the user memory area to be addressed by the Read User Zone and Write User Zone commands. Reader PICC Command > CID PARAM CRC1 CRC2 $1 Echo Command > CID $1 ACK/NACK STATUS CRC1 CRC2 4.7.1 Operation Before reading and writing data to the user memory, the host must select a User Zone with this command. Only one User Zone may be selected at a time. At the time the zone is selected the host also chooses whether anti-tearing should be active for this zone. If anti-tearing is activated, then all writes to the User Zone will utilize anti-tearing until a new Set User Zone command is received. Only PICCs in the Active State are permitted to answer this command. 4.7.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. PARAM: Selects the User Zone and sets anti-tearing on or off. When the anti-tearing bit (bit 7) is set to 1b then anti-tearing is enabled, when set to 0b normal writes are selected. Figure 4-2. Bit 7 AT Coding of the PARAM byte of the Set User Zone command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 Bit 2 Bit 1 Bit 0 User Zone 18 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Table 4-11. Bit 3 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 Coding of the User Zone number within the PARAM byte Bit 2 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 User Zone 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 CRC: Communication error detection bytes. 4.7.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. NACK: Not Acknowledge, the command did not execute correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 19 5276A–RFID–07/08 4.7.4 Error Handling If a Set User Zone command containing transmission errors is received by the PICC, it is ignored and no response is send. Table 4-12. Status Codes returned in the Set User Zone response Status Code $00 $A1 Type ACK NACK Error/Status Message No Errors User Zone PARAM Invalid 20 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.8 Read User Zone Command [$c2] The Read User Zone command reads data from the currently selected User Zone. See Read User Zone (Large Memory) command for the AT88SC6416CRF read command information. Reader PICC Command > CID $00 ADDR “L” CRC1 CRC2 $2 Echo Command > CID NACK STATUS CRC1 CRC2 $2 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 DATA 2 .......... DATA “L” $2 SUCCESS RESPONSE DATA “L+1” STATUS CRC1 CRC2 < Status Code 4.8.1 Operation The Read User Zone command reads data from the device's currently selected User Zone. The data byte address is internally incremented as each byte is read from memory. If the data byte address increments beyond the end of the current zone during a read, then the address will "roll over" to the first byte of the same zone. Only PICCs in the Active State are permitted to answer this command. 21 5276A–RFID–07/08 4.8.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. ADDR: The starting address of the data to read. L: The number of bytes to read minus 1. L cannot exceed the size of the user zone. Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 data bytes in a single operation. CRC: Communication error detection bytes. 4.8.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. NACK: Not Acknowledge, the command did not execute correctly. DATA: The data bytes read from user memory. STATUS: PICC status code. CRC: Communication error detection bytes. 22 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.8.4 Error Handling If a Read User Zone command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response. Table 4-13. Status Codes returned in the Read User Zone response Status Code $00 $99 $A2 $A3 $A9 $D9 $EE Type ACK NACK NACK NACK NACK NACK ACK/NACK Error/Status Message No errors Access Denied (User Zone Not Set) Address Invalid Length Invalid Authentication or Encryption Activation Required Password Required Memory Access Error 23 5276A–RFID–07/08 4.9 Read User Zone (Large Memory) Command [$c2] The Read User Zone (Large Memory) command reads data from the currently selected User Zone. This command format applies to the AT88SC6416CRF device only. Reader PICC Command > CID ADDR H ADDR L “L” CRC1 CRC2 $2 Echo Command > CID NACK STATUS CRC1 CRC2 $2 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 DATA 2 .......... DATA “L” $2 SUCCESS RESPONSE DATA “L+1” STATUS CRC1 CRC2 < Status Code 4.9.1 Operation The Read User Zone (Large Memory) command operates identically to the standard Read User Zone command, but utilizes a two byte address to support large memory sizes. The Read User Zone command reads data from the device's currently selected User Zone. The data byte address is internally incremented as each byte is read from memory. If the data byte address increments beyond the end of the current zone during a read, then the address will "roll over" to the first byte of the same zone. Only PICCs in the Active State are permitted to answer this command. 24 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.9.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. ADDR: The two byte starting address of the location to be written. Figure 4-3. Bit 7 0 Format of the ADDR H byte of the Write User Zone (Large Memory) command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 Bit 2 0 Bit 1 0 Bit 0 A8 L: The number of bytes to read minus 1. L cannot exceed the size of the user zone. Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 data bytes in a single operation. CRC: Communication error detection bytes. 4.9.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. NACK: Not Acknowledge, the command did not execute correctly. DATA: The data bytes read from user memory. STATUS: PICC status code. CRC: Communication error detection bytes. 25 5276A–RFID–07/08 4.9.4 Error Handling If a Read User Zone command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response. Table 4-14. Status Codes returned in the Read User Zone (Large Memory) response. Error/Status Message No Errors Access Denied (User Zone Not Set) Address Invalid Length Invalid Authentication or Encryption Activation Required Password Required Memory Access Error Status Code $00 $99 $A2 $A3 $A9 $D9 $EE Type ACK NACK NACK NACK NACK NACK ACK/NACK 26 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.10 Write User Zone Command [$c3] The Write User Zone command writes data into the currently selected User Zone. See Write User Zone (Large Memory) command for the AT88SC6416CRF write command information. Reader PICC Command > CID $00 ADDR “L” DATA 1 DATA 2 .......... DATA “L” $3 DATA “L+1” CRC1 CRC2 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 4.10.1 Operation The Write User Zone command writes data in the device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. 4.10.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. ADDR: The starting address of the location to be written. L: The number of bytes to read minus 1. “L” cannot exceed the physical page size of the memory. In anti-tearing mode the maximum number of bytes that can be written is 8 bytes. If the 27 5276A–RFID–07/08 Access Register enables Write Lock mode or Program Only mode, the maximum number of bytes that can be written is 1 byte. Table 4-15. Write Characteristics of CryptoRF Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF DATA: The data bytes to be written into user memory. CRC: Communication error detection bytes. 4.10.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. NACK: Not Acknowledge, the command did not execute correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 4.10.4 Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response. 28 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Table 4-16. Status Codes returned in the Write User Zone response Status Code $00 $0C $1B $99 $99 $A2 $A3 $A9 $B0 $B9 $D9 $E9 $EE Type ACK ACK ACK NACK NACK NACK NACK NACK ACK NACK NACK NACK ACK/NACK Error/Status Message No Errors Write Pending - Checksum Required One Byte Written (Write Lock Mode) Access Denied (User Zone Not Set) Access Denied ( Security Fuses Invalid) Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Access Denied (Write Lock Mode) Password Required Modify Forbidden Memory Access Error 29 5276A–RFID–07/08 4.11 Write User Zone (Large Memory) Command [$c3] The Write User Zone command writes data into the currently selected User Zone. This command format applies to the AT88SC6416CRF device only. Reader PICC Command > CID ADDR H ADDR L “L” DATA 1 DATA 2 .......... DATA “L” $3 DATA “L+1” CRC1 CRC2 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 4.11.1 Operation The Write User Zone (Large Memory) command operates identically to the standard Write User Zone command, but utilizes a two byte address to support large memory sizes. The Write User Zone command writes data in the device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. 4.11.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. ADDR: The two byte starting address of the location to be written. 30 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure 4-4. Bit 7 0 Format of the ADDR H byte of the Write User Zone (Large Memory) command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 Bit 2 0 Bit 1 0 Bit 0 A8 L: The number of bytes to read minus 1. “L” cannot exceed the physical page size of the memory. In anti-tearing mode the maximum number of bytes that can be written is 8 bytes. If the Access Register enables Write Lock mode or Program Only mode, the maximum number of bytes that can be written is 1 byte. Table 4-17. Write Characteristics of Large Memory CryptoRF Write Characteristics Standard Write 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes CryptoRF Part Number AT88SC6416CRF DATA: The data bytes to be written into user memory. CRC: Communication error detection bytes. 4.11.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. NACK: Not Acknowledge, the command did not execute correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 31 5276A–RFID–07/08 4.11.4 Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response. Table 4-18. Status Codes returned in the Write User Zone (Large Memory) response Status Code $00 $0C $1B $99 $99 $A2 $A3 $A9 $B0 $B9 $D9 $E9 $EE Type ACK ACK ACK NACK NACK NACK NACK NACK ACK NACK NACK NACK ACK/NACK Error/Status Message No Errors Write Pending - Checksum Required One Byte Written (Write Lock Mode) Access Denied (User Zone Not Set) Access Denied ( Security Fuses Invalid) Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Access Denied (Write Lock Mode) Password Required Modify Forbidden Memory Access Error 32 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.12 Write System Zone Command [$c4] The Write System Zone command writes data to the configuration memory. This command is also used to program the security fuses. Reader PICC Command > CID PARAM ADDR “L” DATA 1 DATA 2 .......... DATA “L” $4 DATA “L+1” CRC1 CRC2 Echo Command > CID $4 ACK/NACK STATUS CRC1 CRC2 4.12.1 Operation The Write System Zone command writes data into the configuration memory. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write System Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. A special mode of the Write System Zone programs the security fuses. Once programmed, the fuses cannot be erased. 4.12.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. PARAM: The PARAM byte selects the type of write operation to be performed. 33 5276A–RFID–07/08 Table 4-19. PARAM byte options for the Write System Zone command Command PARAM $00 $80 $01 ADDR address address fuse addr “L” # of bytes - 1 # of bytes - 1 $00 DATA “L+1” bytes “L+1 bytes” 1 bytes Write System Zone Write System Zone w/ AT Write Fuse Byte All Other Values Are Not Supported Table 4-20. Hex $07 $06 $04 $00 Coding of ADDR for Fuse Programming Only Bit 6 0 0 0 0 Bit 5 0 0 0 0 Bit 4 0 0 0 0 Bit 3 0 0 0 0 Bit 2 1 1 1 0 Bit 1 1 1 0 0 Bit 0 1 0 0 0 Fuse SEC FAB CMA PER Bit 7 0 0 0 0 ADDR: The starting address of the data to write. When performing a fuse byte write the ADDR byte contains the address of the fuse; only one fuse may be programmed per Write System Zone command. L: The number of bytes to read minus 1. L cannot exceed the physical page size of the memory. In anti-tearing mode the maximum number of bytes that can be written is 8 bytes. If the Access Register enables Write Lock Mode or Program Only Mode, the maximum number of bytes that can be written is 1 byte. Table 4-21. Write Characteristics of CryptoRF configuration memory Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 34 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF DATA: The data bytes to be written into configuration memory. One byte of data is required to be sent when writing the fuse byte, however the contents of this byte are ignored. CRC: Communication error detection bytes. 4.12.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. NACK: Not Acknowledge, the command did not execute correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 4.12.4 Error Handling If a Write System Zone command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response. . Table 4-22. Status Codes returned in the Write System Zone response Status Code $00 $A1 $A2 $A3 $BA $EE Type ACK NACK NACK NACK NACK ACK/NACK Error/Status Message No Errors PARAM Invalid Address Invalid Length Invalid Access Denied (Write Not Allowed) Memory Access Error 35 5276A–RFID–07/08 . Table 4-23. Status Codes returned in the Write System Zone response for Fuse Writes Status Code fuse byte $A2 $D9 $DF $E9 $EE Type ACK NACK NACK NACK NACK ACK/NACK Error/Status Message Fuse Byte (Successful Fuse Byte Write) Fuse Address Invalid Password Required Fuse Access Denied Access Denied (Fuse Order Incorrect) Memory Access Error 36 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.13 Read System Zone Command [$c6] The System Read command allows reading of system data from the configuration memory, from the security fuses, or from the checksum register. Reader PICC Command > CID PARAM ADDR “L” CRC1 CRC2 $6 Echo Command > CID NACK STATUS CRC1 CRC2 $6 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 DATA 2 .......... DATA “L” $6 SUCCESS RESPONSE DATA “L+1” STATUS CRC1 CRC2 < Status Code 4.13.1 Operation The Read System Zone command reads from the devices configuration memory. The data byte address is internally incremented as each byte is read from the memory. If the data byte address increments into a segment where read access is forbidden, the “fuse byte” is transmitted in place of the forbidden data. Depending on the value of the PARAM byte, the host may read the data in the configuration memory, the fuses, or a checksum. Only PICCs in the Active State are permitted to answer this command. 37 5276A–RFID–07/08 4.13.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. PARAM: The PARAM byte selects the type of read operation to be performed. Table 4-24. PARAM byte options for the Read System Zone command Command Read System Zone Read Fuse Byte Read Checksum PARAM $00 $01 $02 ADDR address $FF $FF “L” # of bytes - 1 $00 $01 All Other Values Are Not Supported ADDR: The starting address of the data to read. L: The number of bytes to read minus 1. L cannot exceed 240 bytes. Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 bytes in a single operation. CRC: Communication error detection bytes. 4.13.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. DATA: The data bytes read from the configuration memory. Since access rights vary throughout the system zone, the host may provide an authorized starting address, but a length that causes the device to reach forbidden data. In this case, the device will transmit the authorized bytes, but unauthorized bytes will be replaced by the "fuse byte". An “Access Denied" status code $BA or $BC will be returned to indicate that some of the bytes returned were replaced by the “fuse byte”. Figure 4-5. F7 RFU Coding of the data byte received when reading the fuse byte F6 RFU F5 RFU F4 RFU F3 SEC F2 PER F1 CMA F0 FAB When the Read Fuse Byte option is activated, only a single data byte is returned. When the Read Checksum option is activated, two bytes are returned. ACK: Acknowledge, the command executed correctly. 38 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF NACK: Not Acknowledge, the command did not execute correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 4.13.4 Error Handling If a Read System Zone command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response.. Table 4-25. Status Codes returned in the Read System Zone response Status Code $00 $A1 $A2 $A3 $BA $BC $EE Type ACK NACK NACK NACK ACK/NACK ACK/NACK ACK/NACK Error/Status Message No Errors PARAM Invalid Address Invalid Length Invalid Byte Access Denied (Read Not Allowed) Byte Access Denied (Password Required) Memory Access Error 39 5276A–RFID–07/08 4.14 Verify Crypto Command [$c8] The Verify Crypto command is used in the Authentication mode and the Encryption mode only. See the document CryptoRF Specification Addendum for Secure Applications for information. 40 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.15 Send Checksum Command [$c9] The Send Checksum command is used in the Authentication mode and the Encryption mode only. See the document C ryptoRF Specification Addendum for Secure Applications f or information. 41 5276A–RFID–07/08 4.16 DESELECT Command [$cA] The DESELECT command places a PICC in the Halt State. Reader PICC Command > CID CRC1 CRC2 $A Echo Command > CID ACK STATUS CRC1 CRC2 $A 4.16.1 Operation Sending the DESELECT command (with a matching CID) to a PICC in the Active State places the PICC in the Halt State. The User Zone, password, and authentication registers are cleared before the PICC enters the Halt State. Only PICCs in the Active State are permitted to answer this command. 4.16.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. CRC: Communication error detection bytes. 4.16.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 4.16.4 Error Handling If a DESELECT command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response. Table 4-26. Status Codes returned in the DESELECT response Error/Status Message No errors Status Code $00 Type ACK 42 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 4.17 IDLE Command [$cB] The IDLE command resets the PICC and places it in the Idle State. Reader PICC Command > CID CRC1 CRC2 $B Echo Command > CID ACK STATUS CRC1 CRC2 $B 4.17.1 Operation Sending the IDLE command (with a matching CID) to a PICC in the Active State resets the PICC and places it in the Idle State. The User Zone, password, and authentication registers are cleared before the PICC enters the Idle State. The PICC responds only to successful IDLE commands. Only PICCs in the Active State are permitted to answer this command. 4.17.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. CRC: Communication error detection bytes. 4.17.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 4.17.4 Error Handling If an IDLE command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response. Table 4-27. Status Codes returned in the IDLE response Error/Status Message No errors Status Code $00 Type ACK 43 5276A–RFID–07/08 4.18 Check Password Command [$cC] The Check Password command transmits a password for validation. Reader PICC Command > CID $C Password Index PW 1 PW 2 PW 3 CRC1 CRC2 Echo Command > CID $C ACK/NACK STATUS CRC1 CRC2 4.18.1 Operation To read or write data in User Zones that require a password for access the host must carry out a password validation operation. The host uses the Check Password command to send the password for validation against the password selected with the Password Index byte. Only PICCs in the Active State are permitted to answer this command. If the Check Password is successful, the Password Attempts Counter (PAC) is cleared and the ACK response is issued. Only one password is active at any time. If the Check Password fails, the PAC is incremented and a NACK response is issued. The Check Password success or failure is memorized and active until the PICC is powered down, removed from the Active state, or until a new Check Password is received. If the password trials limit is reached, subsequent Check Password commands will be rejected. 4.18.2 Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. Password Index: Identifies the password register that the PICC will check the transmitted password against. 44 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Table 4-28. Coding of the Password Index for 1K, 2K, and 4K bit CryptoRF devices Check Password Password Read 0 Password Read 1 Password Read 2 Password Read 7 Password Write 0 Password Write 1 Password Write 2 Password Write 7 Password Index $10 $11 $12 $17 $00 $01 $02 $07 All Other Values Are Not Supported . Table 4-29. Coding of the Password Index for 8K bit and larger CryptoRF devices Check Password Password Read 0 Password Read 1 Password Read 2 Password Read 3 Password Read 4 Password Read 5 Password Read 6 Password Read 7 Password Write 0 Password Write 1 Password Write 2 Password Write 3 Password Write 4 Password Write 5 Password Write 6 Password Write 7 Password Index $10 $11 $12 $13 $14 $15 $16 $17 $00 $01 $02 $03 $04 $05 $06 $07 All Other Values Are Not Supported 45 5276A–RFID–07/08 PW: The password bytes. CRC: Communication error detection bytes. 4.18.3 Response Field Descriptions CID: The PICC transmits it’s assigned card ID in the response. ACK: Acknowledge, the command executed correctly. NACK: Not Acknowledge, the command did not execute correctly. STATUS: PICC status code. CRC: Communication error detection bytes. 4.18.4 Error Handling If a Check Password command containing transmission errors is received by the PICC, it is ignored and no response is send. The PICC reports errors in the status byte of the response.. Table 4-30. Status Codes returned in the Check Password response Error/Status Message No errors Password Index Invalid Check Password Failure Memory Access Error (Security Operation) Memory Access Error Status Code $00 $A1 $D9 $F9 $EE Type ACK NACK NACK NACK ACK/NACK 46 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5. Transaction Flow Figure 5-1. Flowchart of a Typical CryptoRF Transaction Polling (REQB/WUPB) Select Card (ATTRIB) Halt (HLTB) Anticollision Complete Mutual Authentication (optional) Enter Authentication Mode Normal Mode Encryption Activation (optional) Enter Encryption Mode Set User Zone Read Configuration Memory Write Configuration Memory Check Password Read User Memory Read Checksum Write User Memory Send Checksum Deselect or Idle In a typical CryptoRF transaction the host performs anticollision, selects a User Zone, and reads or writes the user memory. When a User Zone requires a password, authentication, or encryption the host performs the required security operation before accessing the User Zone. Note that the Set User Zone command may be sent before or after the security operation. 47 5276A–RFID–07/08 6. Absolute Maximum Ratings* * NOTICE: Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. This is a stress rating only and functional operation of the device at these or any other conditions beyond those indicated in the operational sections of this specification is not implied. Exposure to absolute maximum rating conditions for extended periods may affect device reliability. Absolute Maximum Rating Operating Temperature (junction) Storage Temperature (ambient) HBM ESD (Antenna Pins only) -40°C to +85°C -65°C to +150°C 2000V minimum The maximum temperature ratings in this section are applicable to CryptoRF in wafer form. When assembled into a package the CryptoRF temperature ratings may be reduced to reflect the limitations of the package. However the CryptoRF absolute maximum ratings should not be exceeded for any package. 7. Reliability Parameter Write Endurance (each Byte) Anti-Tearing Write Endurance Data Retention (at 55°C) Data Retention (At 35°C) Read Endurance Min 100,000 50,000 10 30 50 Unlimited Typ Max Units Write Cycles Writes Years Years Read Cycles CryptoRF is fabricated with Atmel’s high reliability CMOS EEPROM manufacturing technology. The write endurance and data retention EEPROM reliability ratings apply to each byte of the user and configuration memory. The optional CryptoRF anti-tearing functions use a single anti-tearing EEPROM buffer memory. Every anti-tearing write operation utilizes the same buffer. The anti-tearing write endurance specification is a limitation in the total number of anti-tearing write operations that can be performed by each die. 48 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 8. Electrical Characteristics Symbol Cr TPOR TPOR-AT TWR Parameter Integrated Tuning Capacitance Polling Reset Time (no anti-tearing to process) Polling Reset Time (anti-tearing write to process) Write Cycle Time of EEPROM Memory 1.6 Min 72 Normal 82 Max 92 5 10 2.0 Units pF mS mS mS 8.1 Tamper Detection CryptoRF contains tamper detection sensors to detect operation outside of specified limits. These sensors monitor the internal supply voltage and clock frequency. An additional sensor detects high intensity light attacks. The die is disabled and will not function when tampering is detected. 49 5276A–RFID–07/08 Annex A: Terms and Abbreviations A A/m AC ACK Active state ADDR AFI APP AR ASK AT ATQB ATTRIB B Card CID CMA CRC CRC_B CRF CT DATA DCR EEPROM EGT EGTL EOF ETA ETU FAB fc Fo FO fs FWI Unmodulated PCD field amplitude. Used in modulation index calculation. Amperes per Meter. Units of magnetic field strength Alternating Current. Acknowledge response, indicates success of the requested operation. The state of a PICC that is selected and ready to receive commands. Address identifying the location to begin a read or write operation. Application Family Identifier. Used during Type B anticollision. Application bytes. Access Register. Amplitude Shift Keying modulation. PCD data transmission signaling format. Anti-tearing. Answer to Request Type B. The response to a polling command. PICC Selection Command, Type B. Modulated PCD field amplitude. Used in modulation index calculation. A PICC with loop antenna in a plastic card or other RFID form. Card ID. The 4 bit code used to identify a PICC in the Active state. The third of four security fuses. Cyclic Redundancy Check = 16 bit RF Communication Error Detection Code. Cyclic Redundancy Check, Type B. CryptoRF Tuning Capacitance. The capacitance between antenna pins AC1 and AC2. Bytes for EEPROM memory read or write. Device Configuration Register. Address $18 in the Configuration Memory. Nonvolatile memory. Extra Guard Time. Extra Guard Time Length. A DCR mode control bit. End of Frame. Extended Trials Allowed. A DCR mode control bit. Elementary Time Unit = 128 carrier cycles (9.4395 uS nominal). The second of four security fuses. Carrier Frequency = 13.56 MHz nominal. Resonant Frequency. Frame Option. Subcarrier Frequency = fc/16 = 847.5 kHz nominal. Frame Waiting Time Integer. Protocol bits communicating the PICC FWT time. 50 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF FWT Halt state HLTB Hmin Hmax Host i IC ID Idle state IEC ISO J kbps kHz L LSB MDF M.D. MHz M.I. mm mS uS MSB MTZ mV N N NACK NRZ-L nS OTP PAC PARAM PCD PER Frame Waiting Time. Maximum time the PCD must wait for a PICC response. The state of a PICC waiting for a WUPB command (ignoring all other commands). Halt command, Type B. Minimum unmodulated operating magnetic field strength. Maximum unmodulated operating magnetic field strength. The RF reader, firmware, and application software communicating with the PICC. Variable for the Index of a Password Set or Key Set. Integrated Circuit. Identification. The state of a PICC after power on reset, waiting for a REQB or WUPB command. International Electrotechnical Commission. www.iec.ch International Organization for Standardization. www.iso.org Loop Count Variable in a Flowchart. KiloBits Per Second. KiloHertz. Variable for the Length code in a CryptoRF read or write command. L = (N-1) Least Significant Bit. Modify Forbidden. Access Register mode control bit. PCD Modulation Depth. MegaHertz. PCD Modulation Index. Calculated from calibration coil voltages as (A – B)/(A + B) MilliMeter. MilliSecond. MicroSecond Most Significant Bit. Memory Test Zone. Address $0A and $0B in the Configuration Memory. MilliVolt. Variable for the Number of anticollision slots. Variable for the Number of bytes in a read or write command. N = (L+1) Not Acknowledge Response, Indicates failure of the requested operation Non-Return to Zero (L for Level) data encoding. PICC data transmission coding. NanoSecond. One Time Programmable. Memory that cannot be erased or rewritten. Password Attempts Counter. A byte containing option codes or variables. Proximity Coupling Device. The RF reader/writer and antenna. The fourth of four security fuses. 51 5276A–RFID–07/08 PGO PICC PM PR Protocol PUPI PW R RBmax RF RFU rms ROM RW S SEC SME STATUS Tag TBmax TPOR TPOR-AT TR0 TR1 TR2 TWR UZ WG8 WLM WUPB z Program Only mode. Access Register mode control bit. Proximity Integrated Circuit Card. The card/tag containing the IC and antenna. Password Mode. Access Register mode control bit. Password Register. Bytes communicating ISO protocol information. Pseudo Unique PICC Identifier. ID for anticollision. Password. Random number selected by PICC during anticollision. Receive Buffer size code. ATQB protocol byte returned by PICC. Radio Frequency. Reserved for Future Use. Any feature or bit reserved by ISO or by Atmel. Root Mean Square. Read Only Memory. REQB/WUPB command selection code. Slot Number. A code sent to the PICC with Slot MARKER command. The first of four security fuses. Supervisor Mode Enable. A DCR mode control bit. A response byte containing information on the status of the PICC. A PICC with loop antenna attached in a non-plastic credit card form. An ISO/IEC 14443-3 protocol code indicating the receive buffer size of the PCD. Polling Response Time. Polling Response Time with Anti-Tearing. Guard Time per ISO/IEC 14443-2. Synchronization Time per ISO/IEC 14443-2. PICC to PCD frame delay time (per ISO/IEC 14443-3 Amendment 1). EEPROM Write Cycle Time. User Zone. ISO/IEC Working Group eight. Develops standards for contactless smartcards. Write Lock Mode. Access Register mode control bit. Wake Up command, Type B. Variable for the Index of a Password Set or Key Set. 52 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Annex B: Standards and Reference Documents B.1 International Standards CryptoRF is designed to comply with the requirements of the following ISO/IEC standards for Type B PICCs operating at the standard 106 kbps data rate. ISO/IEC 7810:1995 Identification Cards – Physical Characteristics ISO/IEC 10373-6:2001 Identification Cards – Test Methods – Part 6: Proximity Cards ISO/IEC 14443-1:2000 Identification Cards – Contactless Integrated Circuit(s) Cards – Proximity Cards – Part 1: Physical Characteristics ISO/IEC 14443-2:2001 Identification Cards – Contactless Integrated Circuit(s) Cards – Proximity Cards – Part 2: Radio Frequency Power and Signal Interface ISO/IEC 14443-3:2001 Identification Cards – Contactless Integrated Circuit(s) Cards – Proximity Cards – Part 3: Initialization and Anticollision ISO/IEC standards are available at www.ansi.org, www.iso.org, and from your national standards organization. The ISO/IEC 14443 and ISO/IEC 10373 standards were developed by the WG8 committee (www.wg8.de). B.2 References Atmel Application Note: Understanding the Requirements of ISO/IEC 14443 for Type B Proximity Contactless Identification Cards. Document 2056x (Available at www.atmel.com ) CryptoRF Ordering Codes: CryptoRF and Secure RF Standard Product Offerings. Document 5047x (Available at www.atmel .com) 53 5276A–RFID–07/08 Annex C: User Memory Maps CryptoRF User Memory is divided into equal size User Zones as summarized in Table C-1. Access requirements for each zone are independently configured by the customer using the Access Control Registers. See Annex G for more information on access control. Table C-1. CryptoRF User Memory Characteristics User Memory Size Bits 1K 2K 4K 8K 16K 32K 64K Bytes 128 256 512 1K 2K 4K 8K User Memory Organization # Zones 4 4 4 8 16 16 16 Bytes / Zone 32 64 128 128 128 256 512 Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Note that the memory maps in this section are for reference and are not intended to accurately illustrate the physical page length of each User Memory configuration. The physical page length is equal to the maximum number of bytes that can be written with a standard write command. The Write User Zone command will not write data across page boundaries; each physical page must be written with a separate command. 54 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure C-1. ZONE AT88SC0104CRF Memory Map for 1 Kbit User Memory $0 $00 32 bytes $1 $2 $3 $4 $5 $6 $7 User 0 $18 $00 User 1 $18 $00 User 2 $18 $00 User 3 $18 32 bytes 32 bytes 32 bytes 55 5276A–RFID–07/08 Figure C-2. ZONE AT88SC0204CRF Memory Map for 2 Kbit User Memory $0 $00 64 bytes $1 $2 $3 $4 $5 $6 $7 User 0 $38 $00 User 1 $38 $00 User 2 $38 $00 User 3 $38 64 bytes 64 bytes 64 bytes 56 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure C-3. ZONE AT88SC0404CRF Memory Map for 4 Kbit User Memory $0 $00 128 bytes $1 $2 $3 $4 $5 $6 $7 User 0 $78 $00 User 1 $78 $00 User 2 $78 $00 User 3 $78 128 bytes 128 bytes 128 bytes 57 5276A–RFID–07/08 Figure C-4. ZONE AT88SC0808CRF Memory Map for 8 Kbit User Memory $0 $00 128 bytes $1 $2 $3 $4 $5 $6 $7 User 0 $78 $00 User 1 $78 $00 User 2 $78 $00 User 3 $78 $00 User 4 $78 $00 User 5 $78 $00 User 6 $78 $00 User 7 $78 128 bytes 128 bytes 128 bytes 128 bytes 128 bytes 128 bytes 128 bytes 58 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure C-5. ZONE AT88SC1616CRF Memory Map for 16 Kbit User Memory $0 $00 $1 $2 $3 $4 $5 $6 $7 User 0 $78 $00 128 bytes User 1 $78 $00 128 bytes User 2 $78 $00 128 bytes User 3 $78 $00 128 bytes User 4 $78 $00 128 bytes User 5 $78 $00 128 bytes User 6 $78 $00 128 bytes User 7 $78 $00 128 bytes User 8 $78 $00 128 bytes User 9 $78 $00 128 bytes User 10 $78 128 bytes 59 5276A–RFID–07/08 Figure C-5. ZONE AT88SC1616CRF Memory Map for 16 Kbit User Memory (Continued) $0 $00 $1 $2 $3 $4 $5 $6 $7 User 11 $78 $00 128 bytes User 12 $78 $00 128 bytes User 13 $78 $00 128 bytes User 14 $78 $00 128 bytes User 15 $78 128 bytes 60 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure C-6. ZONE AT88SC3216CRF Memory Map for 32 Kbit User Memory $0 $00 $1 $2 $3 $4 $5 $6 $7 User 0 $F8 $00 256 bytes User 1 $F8 $00 256 bytes User 2 $F8 $00 256 bytes User 3 $F8 $00 256 bytes User 4 $F8 $00 256 bytes User 5 $F8 $00 256 bytes User 6 $F8 $00 256 bytes User 7 $F8 $00 256 bytes User 8 $F8 $00 256 bytes User 9 $F8 $00 256 bytes User 10 $F8 256 bytes 61 5276A–RFID–07/08 Figure C-6. ZONE AT88SC3216CRF Memory Map for 32 Kbit User Memory (Continued) $0 $00 $1 $2 $3 $4 $5 $6 $7 User 11 $F8 $00 256 bytes User 12 $F8 $00 256 bytes User 13 $F8 $00 256 bytes User 14 $F8 $00 256 bytes User 15 $F8 256 bytes 62 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure C-7. ZONE $000 User 0 $1F8 $000 User 1 $1F8 $000 User 2 $1F8 $000 User 3 $1F8 $000 User 4 $1F8 $000 User 5 $1F8 $000 User 6 $1F8 $000 User 7 $1F8 $000 User 8 $1F8 $000 User 9 $1F8 $000 User 10 $1F8 $000 User 11 $1F8 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes AT88SC6416CRF Memory Map for 64 Kbit User Memory $0 $1 $2 $3 $4 $5 $6 $7 63 5276A–RFID–07/08 Figure C-7. ZONE AT88SC6416CRF Memory Map for 64 Kbit User Memory (Continued) $0 $000 $1 $2 $3 $4 $5 $6 $7 User 12 $1F8 $000 512 bytes User 13 $1F8 $000 512 bytes User 14 $1F8 $000 512 bytes User 15 $1F8 512 bytes 64 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Annex D: Configuration Memory Maps The Configuration Memory contains all of the system information used to configure the User Zones, plus 27 bytes of OTP memory that the customer can use to store data of any kind. The data in the Configuration Memory is locked by programming fuses during the personalization process so that the PICC configuration cannot be changed by the end user. Table D-1. CryptoRF Configuration Memory Characteristics Password Sets Set Number 4 Sets 4 Sets 4 Sets 8 Sets 8 Sets 8 Sets 8 Sets 0,1,2,7 0,1,2,7 0,1,2,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets Key Sets OTP Memory Free for Customer Use 27 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes Transport Password PW Index $07 $07 $07 $07 $07 $07 $07 Password $10 14 7C $20 C2 8B $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Access rights to the Configuration Memory are fixed in logic and are controlled by the security fuses. See Annex F for access control and fuse information. The Read System Zone and Write System Zone commands are used to access the Configuration Memory. The contents of the Configuration Memory registers affect the functionality of CryptoRF and should be changed from their default configuration only after careful consideration. Incorrect or invalid settings can disable the device or prevent it from communicating with the PCD. Configuration Memory registers marked as “Reserved” or RFU must not be changed and cannot be used for customer data. Only 27 bytes of OTP memory are available for general customer use, all other registers have assigned functionality. The 27 bytes of OTP memory available for customer use are described in Annex E: on page 69. 65 5276A–RFID–07/08 Figure D-1. Configuration Memory map for AT88SC0104CRF, AT88SC0204CRF, AT88SC0404CRF. $0 $1 PUPI $2 $3 $4 $5 APP Anticollision MTZ Lot History Code DCR AR0 PR0 AR1 Identification Number Nc PR1 AR2 PR2 AR3 PR3 Card Manufacturer Code Read Only $6 $7 $00 $08 $10 $18 $20 $28 $30 $38 $40 RBmax AFI Reserved Access Control Issuer Code $48 $50 $58 $60 $68 Reserved for Authentication and Encryption $70 $78 $80 $88 $90 $98 Reserved for Authentication and Encryption $A0 $A8 $B0 $B8 $C0 $C8 Password $D0 Reserved $D8 $E0 $E8 $F0 Reserved $F8 Forbidden PAC Write 7 PAC Read 7 PAC PAC PAC Write 0 Write 1 Write 2 PAC PAC PAC Read 0 Read 1 Read 2 Secret Cryptography 66 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure D-2. Configuration Memory map for AT88SC0808CRF. $0 $1 PUPI $2 $3 $4 $5 APP Anticollision MTZ Lot History Code DCR AR0 AR4 PR0 PR4 AR1 AR5 Identification Number Nc PR1 PR5 AR2 AR6 PR2 PR6 AR3 AR7 PR3 PR7 Access Control Reserved Card Manufacturer Code Read Only $6 $7 $00 $08 $10 $18 $20 $28 $30 $38 $40 RBmax AFI Issuer Code $48 $50 $58 $60 $68 Reserved for Authentication and Encryption $70 $78 $80 $88 $90 $98 Reserved for Authentication and Encryption $A0 $A8 $B0 $B8 $C0 $C8 $D0 $D8 $E0 $E8 $F0 Reserved $F8 Forbidden PAC PAC PAC PAC PAC PAC PAC PAC Write 0 Write 1 Write 2 Write 3 Write 4 Write 5 Write 6 Write 7 PAC PAC PAC PAC PAC PAC PAC PAC Read 0 Read 1 Read 2 Read3 Password Read 4 Read 5 Read 6 Read 7 Secret Cryptography 67 5276A–RFID–07/08 Figure D-3. Configuration Memory map for AT88SC1616CRF, AT88SC3216CRF, AT88SC6416CRF. $0 $1 PUPI $2 $3 $4 $5 APP Anticollision MTZ Lot History Code DCR AR0 AR4 AR8 PR0 PR4 PR8 PR12 AR1 AR5 AR9 AR13 Identification Number Nc PR1 PR5 PR9 PR13 AR2 AR6 AR10 AR14 PR2 PR6 PR10 PR14 AR3 AR7 AR11 AR15 PR3 PR7 PR11 PR15 Access Control Card Manufacturer Code Read Only $6 $7 $00 $08 $10 $18 $20 $28 $30 $38 $40 RBmax AFI AR12 Issuer Code $48 $50 $58 $60 $68 Reserved for Authentication and Encryption $70 $78 $80 $88 $90 $98 Reserved for Authentication and Encryption $A0 $A8 $B0 $B8 $C0 $C8 $D0 $D8 $E0 $E8 $F0 Reserved $F8 Forbidden PAC PAC PAC PAC PAC PAC PAC PAC Write 0 Write 1 Write 2 Write 3 Write 4 Write 5 Write 6 Write 7 PAC PAC PAC PAC PAC PAC PAC PAC Read 0 Read 1 Read 2 Read3 Password Read 4 Read 5 Read 6 Read 7 Secret Cryptography 68 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Annex E: Device Personalization CryptoRF is delivered with the user memory filled with $FF data and with all security features disabled. Before issuing a CryptoRF PICC to the end user, it is personalized with initial data and the security settings. The last step in the personalization process is to program the security fuses. Figure E-1. Personalization Process Flowchart START Select User Zone Write / Verify User Data No Done Initializing User Memory ? Yes Check Transport Password Write / Verify Configuration Memory Program Security Fuses END 69 5276A–RFID–07/08 E.1 User Memory Initialization The user memory is initialized by using the Set User Zone command to select a User Zone, and writing the initial data with Write User Zone commands. The data is then verified with Read User Zone commands. Each User Zone is programmed in this manner. E.2 Polling Response and OTP Memory Personalization After initializing the user memory, the Configuration Memory is programmed with the polling response and OTP data. Figure E-2 shows the polling response registers in blue, OTP memory in green, and access control registers in gray. The Lot History Code register is factory programmed and cannot be changed. There are 27 bytes of OTP memory available for customer use; these registers are shown in green in Figure E-2 and are described below. See Annex J for detailed information on configuration of the polling response registers. See Annex G for detailed information on configuration of the access control registers. Figure E-2. System Zone Map showing the OTP and Polling Response Registers $0 $1 PUPI $2 $3 $4 $5 APP Anticollision MTZ Lot History Code DCR Identification Number Nc Card Manufacturer Code Read Only $6 $7 $00 $08 $10 $18 $20 $28 RBmax AFI Access Registers, Password Registers, and Reserved $30 $38 $40 Issuer Code $48 Access Control Memory Test Zone (MTZ) The MTZ is a 2 byte register with open read/write access for testing basic functionality of the PICC. Data written in the MTZ cannot be protected from being rewritten; this field should not be used for application data. Card Manufacturer Code (CMC) This 32-bit register, defined by the customer during personalization, is often used to store card manufacturer lot codes. This OTP register may contain any value; it is an information field that does not affect functionality. Lot History Code This 64-bit register is defined by Atmel. This code contains manufacturing traceability data and cannot be modified. 70 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Identification Number Nc This 56-bit register, defined by the customer during personalization, is often used to store card ID numbers. This OTP register may contain any value; it is an information field that does not affect functionality. Issuer Code The 128-bit Issuer Code register is defined by the customer during personalization. This OTP register may contain any value; it is an information field that does not affect functionality. E.3 Transport Password Check The Transport Password must be presented using the Check Password command prior to writing the Configuration Memory. The Transport Password for each CryptoRF device is shown in Table E-1. The Transport Password is the same for every device with the same base part number, it is never changed. Table E-1. CryptoRF Transport Passwords Transport Password PW Index $07 $07 $07 $07 $07 $07 $07 Password $10 14 7C $20 C2 8B $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF E.4 Security Fuse Programming Three security fuses are programmed at the end of the personalization process to lock the PICC configuration. The Write Fuse Byte option of the Write System Zone command is used to program the fuses. A fourth fuse, SEC, is already programmed by Atmel before CryptoRF leaves the factory. The fuses can only be programmed in the specified order. The security fuse programming sequence is as follows: 1. Send Write System Zone command with: PARAM = $01, ADDR = $06, L = $00, DATA = $00 to program the FAB fuse. 2. Send Write System Zone command with: PARAM = $01, ADDR = $04, L = $00, DATA = $00 to program the CMA fuse. 3. Send Write System Zone command with: PARAM = $01, ADDR = $00, L = $00, DATA = $00 to program the PER fuse. The response to each Write System Zone command should be ACK, and the fuse byte contents will be returned in the STATUS byte. After all three fuses are programmed, the device configuration is locked and personalization is complete. 71 5276A–RFID–07/08 Annex F: Security Fuses There are four fuses which control access to the Configuration Memory. One fuse (SEC) is programmed by Atmel before CryptoRF leaves the factory; the remaining three fuses are programmed during the personalization process. Once a fuse is programmed, it can never be changed. These fuses do not control access to the user memory; user memory access rights are defined in the Access Registers. The security fuses are used to lock the state of the Access Registers, passwords, and other configuration data during the personalization process so that they cannot be changed after a card is issued. F.1 Reading the Security Fuses To read the fuses send the Read System Zone command with PARAM = $01, ADDR = $FF, L = $00. The CryptoRF response will contain one data byte, the fuse byte. A value of 0b indicates the fuse has been programmed. Bits 4 to 7 of this byte are not used as security fuses and are reserved by Atmel. Figure F-1. F7 RFU Coding of the data byte received when reading the fuse byte. F6 RFU F5 RFU F4 RFU F3 SEC F2 PER F1 CMA F0 FAB F.2 Programming the Fuse Bits Three security fuses are programmed at the end of the personalization process to lock the PICC configuration. The Write Fuse Byte option of the Write System Zone command is used to program the fuses. A fourth fuse, SEC, is already programmed by Atmel before CryptoRF leaves the factory. The fuses can only be programmed in the specified order. The security fuse programming sequence is as follows: 4. Send Write System Zone command with: PARAM = $01, ADDR = $06, L = $00, DATA = $00 to program the FAB fuse. 5. Send Write System Zone command with: PARAM = $01, ADDR = $04, L = $00, DATA = $00 to program the CMA fuse. 6. Send Write System Zone command with: PARAM = $01, ADDR = $00, L = $00, DATA = $00 to program the PER fuse. The response to each Write System Zone command should be ACK, and the fuse byte contents will be returned in the STATUS byte. After all three fuses are programmed, the device configuration is locked. F.3 Configuration Memory Access Control Table F-1 shows the Configuration Memory access conditions for each of the security fuse settings. The left column contains the name of the register area in the Configuration Memory map. The next column indicates if that row applies to Read System Zone commands or Write System Zone commands. The four columns to the right show the security fuse names. The default state of the fuses when CryptoRF leaves the factory is SEC = 0b and the remaining three fuses set to 1b. The SEC fuse column in Table F-1 shows the access conditions for this fuse state. The FAB fuse column shows the access conditions for FAB = 0b. The CMA fuse col- 72 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF umn shows the access conditions for CMA = 0b. The PER fuse column shows the access conditions for PER = 0b. Table F-1. Configuration Memory Access control by Security Fuse State. Fuse Registers Anticollision (Except MT2 and CMC) Memory Test Zone (MTZ) Card Manufacturer Code (CMC) Read Only (Lot History Code) Access Control Write Cryptography (Except Encryption Key S) Encryption Keys (S) Secret Write Read Passwords Write Password Attempts Counters (PAC) Forbidden Write Read Write Read Forbidden Forbidden Forbidden Forbidden Open Transport PW Open Transport PW Open Transport PW Open Write PW Transport PW Transport PW Transport PW Write PW Read Write Read Transport PW Write Read Transport PW Transport PW Transport PW Forbidden Transport PW Transport PW Forbidden Transport PW Open Transport PW Transport PW Open Transport PW Transport PW Open Transport PW Forbidden Open Forbidden Operation Read Write Read Open Write Read Write Read Write Read Open Transport PW Open Forbidden Open Open Transport PW Open Forbidden Open Open Forbidden Open Forbidden Open Open Forbidden Open Forbidden Open Open Open Open SEC = 0b Open Transport PW FAB = 0b Open Forbidden CMA = 0b Open Forbidden PER = 0b Open Forbidden The register access conditions in Table F-1 are color coded. Open access is indicated by green. No access permitted is indicated by magenta. If access is restricted, then the field is yellow. For registers with restricted access, the requirement to gain access is indicated by the text. The text “Transport PW” indicates that if the Transport Password is validated using the Check Password command, then access is granted. The text “Write PW” indicates that if the Write Password of a password set is validated using the Check Password command, then access is granted to the PAC registers and password registers for that password set only. 73 5276A–RFID–07/08 Annex G: Configuration of Password and Access Control Registers There are two types of configuration registers in CryptoRF, User Zone access control registers, and device configuration registers. The User Zone access control registers set the access requirements for a single User Zone. The Device Configuration Register (DCR) selects optional behaviors for the PICC. Both types of registers are described in this annex. G.1 User Zone Configuration Options Access to each User Zone in the CryptoRF user memory is controlled by two registers in the Configuration Memory. The Access Register controls the access conditions for the User Zone. The Password Register controls the password set assigned to the User Zone. The default setting for these registers sets the security requirement to open access, no security features active, for all User Zones. Each set of User Zone access control registers has a name matched to the User Zone name. For example, User Zone 1 is controlled by AR1 and PR1, User Zone 2 is controlled by AR2 and PR2. User Zone i is controlled by ARi and PRi. G.1.1 Access Registers (AR) There is one Access Register for each User Zone in the user memory. The default state of this register is $FF, which disables all of the optional security features. Figure G-1. Bit 7 PM1 Bit definitions for the User Zone Access Registers. Bit 6 PM0 Bit 5 Bit 4 Reserved Bit 3 Bit 2 WLM Bit 1 MDF Bit 0 PGO The Access Register definition is shown in Figure G-1. Bits 3, 4, and 5 are reserved for control of the authentication and encryption modes and are not described in this document. The functionality of the remaining 5 bits is described below. Changes to the AR registers are effective immediately. PM: Password Mode selection bits. The PM0 and PM1 bits control the password requirements for the User Zone as shown in Table G-1 below. By default, no password is required for access to the User Zone. If PM = 10b, then write password verification is required for write access; read access does not require any password. If PM = 01b or 00b, then write password verification is required for read/write access and read password verification is required for read-only access. The password set assigned to the zone is specified in the Password Register. Table G-1. PM1 1 1 0 0 Coding of the Password Mode bits of the Access Register. PM0 1 0 1 Read and Write Passwords Required 0 Access No Password Required Write Password Required 74 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF WLM: Write Lock Mode control. By default the Write Lock Mode is disabled. If WLM = 0b then Write lock Mode is enabled and the user zone is effectively divided into 8 byte pages with the first byte of each page controlling write access to all 8 bytes. Figure G-2 shows an example of WLM on two contiguous pages. Figure G-2. Page $00 Example of byte level access control using the Write Lock Mode. $0 11011001 b $1 $xx locked $2 $xx locked $3 $xx $4 $xx $5 $xx locked $6 $xx $7 $xx < Address < Data < Status Page $08 $8 10101010 b locked $9 $xx $A $xx locked $B $xx $C $xx locked $D $xx $E $xx locked $F $xx < Address < Data < Status The first byte of each virtual 8 byte page is called the Write Lock Byte. Each bit of the Write Lock Byte controls the locked status of one byte in the page. Write access is forbidden to a byte if its associated lock bit is set to 0b. Bit 7 controls byte 7, bit 6 controls byte 6, etc. Note that when WLM is enabled, Write User Zone commands are restricted to a length of one byte. MDF: Modify Forbidden mode control. By default the Modify Forbidden mode is disabled. If MDF = 0b then Modify Forbidden mode is enabled and no write access is allowed to the User Zone. The User Zone effectively becomes Read Only Memory (ROM). PGO: Program Only mode control. By default the Program Only mode is disabled. If PGO = 0b then data within the User Zone may be changed from 1b to 0b, but never from 0b to 1b. Note that when PGO is enabled, Write User Zone commands are restricted to a length of one byte. G.1.2 Password/Key Registers (PR) There is one Password/Key Register for each User Zone in the user memory. The default state of this register is $FF. Figure G-3. Bit 7 Bit definitions for the User Zone Password/Key Registers. Bit 6 Bit 5 Reserved Bit 4 Bit 3 Bit 2 PW2 Bit 1 PW1 Bit 0 PW0 The Password/Key Register bit definitions are shown in Figure G-3. Bits 3 thru 7 are reserved for control of the authentication and encryption modes and are not described in this document. Changes to the PR registers are effective immediately. PW: Password Set selection bits. 75 5276A–RFID–07/08 The Password Set selection bits control the password set assigned to a User Zone. Table G-2 and Table G-3 show the coding of these register bits. Any number of PR registers can point to the same password set, allowing multiple User Zones to use the same password set. Table G-2. PW2 0 0 0 1 Coding of the Password Set select bits for 1K, 2K, and 4K bit CryptoRF devices. PW1 0 0 1 1 PW0 0 1 0 1 Password Set 0 1 2 7 All Other Values Are Not Supported Table G-3. PW2 0 0 0 0 1 1 1 1 Coding of the Password Set select bits for 8K bit and larger CryptoRF devices. PW1 0 0 1 1 0 0 1 1 PW0 0 1 0 1 0 1 0 1 Password Set 0 1 2 3 4 5 6 7 G.2 Device Configuration Options There are a few configuration options which affect the overall behavior of the CryptoRF PICC. These options are contained in the Device Configuration Register (DCR). G.2.1 Device Configuration Register (DCR) There is one Device Configuration Register in each PICC. The default state of this register is $FF, which disables all of the optional features. Figure G-4. Bit 7 SME Bit definitions for the Device Configuration Register Bit 6 Bit 5 Bit 4 ETA Bit 3 EGTL Bit 2 RFU Bit 1 RFU Bit 0 RFU Reserved The DCR register definition is shown in Figure G-4. Bits 5, and 6 are reserved for control of the authentication and encryption modes and are not described in this document. Bits 0, 1, and 2 are reserved for future use. Changes to the DCR are effective at the next POR or anticollision sequence. 76 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF SME: Supervisor Mode Enable control. By default the Supervisor Mode is disabled. If SME = 0b then Supervisor Mode is enabled and Password Write 7 becomes the Supervisor Password. Successful verification of the Supervisor Password grants read and write access to all passwords and Password Attempt Counters (PACs), allowing the passwords to be changed and PACs to be reset. ETA: Extended Trials Allowed control. By default the Extended Trials Allowed option is disabled. If this option is enabled by setting ETA = 0b then the maximum number of password trials is increased to permit a maximum of eight password verification attempts before a password is locked. If ETA is disabled then only four password attempts are permitted. EGTL: Extra Guard Time Length control. By default the Extra Guard Time Length option is disabled, which maximizes RF communication speed. This option controls the Extra Guard Time (EGT) for all data transmitted by the PICC. The default setting of EGTL = 0b selects zero ETUs of EGT. Setting EGTL = 1b selects two ETUs of EGT for all transmissions. The EGTL option does not affect EGT requirements for data transmitted by the reader. See annex L for information about EGT. 77 5276A–RFID–07/08 Annex H: Using Password Security CryptoRF contains security options that can be enabled by the customer at personalization. By default no security is enabled, allowing CryptoRF to operate as a simple RFID EEPROM memory. Enabling password security on a User Zone restricts access to the data to users with knowledge of the password. H.1 Communication Security Communication between the PICC and reader operates in three security modes. The Normal mode allows communication of all types of data in the clear. Authentication mode encrypts only passwords. Encryption mode encrypts both user data and passwords. The default communication mode is Normal mode. Table H-1. CryptoRF Communication Security Options. User Data clear clear encrypted System Data clear clear clear Passwords clear encrypted encrypted Communication Mode Normal Authentication Encryption As shown in Table H-1, passwords sent by the Host to CryptoRF in Normal communication mode are communicated in the clear, without being encrypted. In the Authentication or Encryption communication modes passwords are encrypted. H.2 Transport Password The Transport Password protects the Configuration Memory contents on all CryptoRF devices from accidental changes. All CryptoRF devices are shipped from Atmel with a Transport Password stored in password register Write 7. No changes to the Configuration Memory are permitted unless the Transport Password has been verified using the Check Password command. Table H-2. CryptoRF Family Password Characteristics and Transport Passwords Password Sets Set Number 4 Sets 4 Sets 4 Sets 8 Sets 8 Sets 8 Sets 8 Sets 0,1,2,7 0,1,2,7 0,1,2,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 Transport Password PW Index $07 $07 $07 $07 $07 $07 $07 Password $10 14 7C $20 C2 8B $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 78 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF H.3 The Password and PAC Registers Each password set, along with it’s associated Password Attempt Counters is stored in an 8 byte segment in the Password section of the Configuration Memory. Figure H-1 illustrates password set “z” in the Configuration Memory map. The Write Password and Write Password PAC are stored in the lower four bytes, while the Read Password and Read Password PAC are stored in the upper four bytes. Figure H-1. Password Set Register Format $0 Addr PAC $1 $2 PW Write z $3 $4 PAC $5 $6 PW Read z $7 PAC PW1 PW2 PW3 PAC PW1 PW2 PWS Each password register contains the three byte password that is compared with the three byte password that is sent for verification with the Check Password command. The storage locations of the three password bytes is illustrated in the bottom half of Figure H-1. Table H-3. Password Attempt Counter Coding for the Default Configuration Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts (LOCK) PAC Register $FF $EE $CC $88 $00 All Other Values Are Not Supported Table H-4. Password Attempt Counter Coding for the Extended Trials Allowed Configuration Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts (LOCK) PAC Register $FF $FE $FC $F8 $F0 $E0 $C0 $80 $00 All Other Values Are Not Supported 79 5276A–RFID–07/08 The Password Attempt Counters contain a value which indicates how many unsuccessful password verification attempts have been made using the Password Index of the corresponding password. Table H-3 and Table H-4 show coding of the PAC register. DCR register bit ETA selects the number of password attempt that are permitted; the default configuration allows four attempts, ETA = 0b allows eight attempts. If the PAC reaches the maximum count, then the corresponding password is locked and all subsequent Check Password commands will fail. H.4 Password Security Options Password security for a User Zone is enabled by programming the Access Register for the zone. A Password Set is assigned to the User Zone by programming the Password/Key Register for the zone. Configuration of the registers is described in annex G. Table H-5. PM1 1 1 0 0 Coding of the Password Mode bits of the Access Register. PM0 1 0 1 Read and Write Passwords Required 0 Access No Password Required Write Password Required Table H-5 shows the available password security options. The default setting of PM=00b disables password security. The remaining two options enable password security for either writes only, or for both reads and writes. If PM = 10b, then the Write Password is required to be verified before a Write User Zone command will be accepted. Data reads are not restricted in this configuration. If read and write password security is enabled by setting PM = 01b or PM = 00b, then verification of the Read Password allows access to data with the Read User Zone command; however no write access is permitted. Verification of the Write Password allows access to the data with either Read User Zone or Write User Zone commands. H.5 Password Verification A password is sent for verification using the Check Password command as shown in figure H-2. The Password Index identifies the Password Register that the password will be compared against. If the passwords match, then the PICC will latch the verification status as PASS along with the Password Index in an internal register, write the PAC to $FF, and return an ACK in the response. The internal password security status register maintains it’s contents until the PICC is reset or some other event causes them to be changed. For example, sending another Check Password command will update these registers to reflect the success or failure of the new password verification event. Note that only one password is active at any time, and only the status of the most recent password verification event is stored in the PICC. If multiple User Zones are assigned the same Password Set, then a single Check Password command will provide access to all of these User Zones. Note that it does not matter if the Set User Zone command is sent before or after a Check Password command. The currently selected User Zone is stored in a register that is independent of the password security status register. 80 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure H-2. Check Password Command and Response Reader PICC Command > CID $C Password Index PW 1 PW 2 PW 3 CRC1 CRC2 Echo Command > CID $C ACK/NACK STATUS CRC1 CRC2 If a Check Password command fails, then the PICC returns a NACK and a non-zero Status byte in the response. This Status byte reports the reason for failure of the operation. See the Check Password command section of this specification for a description of the Status codes. Table H-6. Bit 7 0 0 Check Password Command ACK/NACK Coding. Bit 6 0 0 Bit 5 0 0 Bit 4 0 0 Bit 3 0 0 0 Bit 2 0 0 0 Bit 1 0 0 0 Bit 0 0 1 1 ACK NACK, See STATUS byte for cause NACK, Check Password Attempt Failure Response Decode Password Attempts Counter A Check Password response NACK can be coded two different ways, depending on the reason for failure. If failure of the Check Password command results in the Password Attempt Counter being incremented, then the NACK byte will contain an embedded code indicating the number of failed attempts. This special NACK will contain one of the following values: $11, $21, $31, $41, $51, $61, $71, $81. The upper nibble of the NACK byte is the number of failed attempts (1 to 8 failures), while the lower nibble is the NACK code $1. H.6 Changing Passwords To change a password after the personalization procedure is complete and the card configuration has been locked by programming the security fuses, it is necessary to successfully verify the Write Password of a password set using the Check Password command. The Read Password and Write Password registers and PACs can then be written using a Write System Zone command, and verified using the Read System Zone command. 81 5276A–RFID–07/08 If the PAC for the Write Password has reached the attempt count limit, then the Write Password will be locked and it is not possible to change the passwords or PACs in this set. However if the optional Supervisor Mode has been enabled, then the Supervisor Password can be used to enable write access to the passwords unless the Supervisor Password is also locked. H.7 Supervisor Password Supervisor Mode is an optional feature that can be enabled by programming SME = 0b in the DCR register. In Supervisor Mode a Supervisor Password is enabled that grants read and write access to all of the password sets and PACs. Password Write 7 is the Supervisor Password if SME = 0b. If the Supervisor Password is successfully verified, then it is possible to write any of the passwords and PACs. This allows passwords to be easily changed in the field, and for PACs to be reset to $FF (no unsuccessful attempts) by writing the registers using the Write System Zone command. When a PICC is configured with SME = 0b, it is recommended that Password Set 7 be reserved for the Supervisor Password. User Zones using password security should be configured to use other password sets. If a PICC is configured in this manner, then it is unlikely that the PAC for Password Write 7 will accidentally become locked (due to too many unsuccessful attempts). If the PAC for Password Write 7 is locked, then all subsequent attempts to verify the Supervisor Password will fail. Supervisor Mode changes the Configuration Memory access requirements for the Password section of the memory only. Enabling Supervisor Mode does not change the access requirements for any other configuration registers. 82 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Annex I: Understanding Anti-Tearing Anti-tearing is an optional feature that protects a write operation from being corrupted due to PICC power loss during the write operation. This feature can be enabled as needed by the PCD during a transaction, it is not controlled by a configuration register. I.1 Tearing Explained A tearing attack on a Smartcard transaction involves quickly removing a card from the reader before a transaction has been completed. The object of a tearing attack is to remove the card from the reader after the Host application has granted access to a product, but before the cost of the product has been deducted from the value stored on the card. Both contact and contactless Smartcard transactions may be attacked in this manner. A tearing attack often results in corruption of a portion of the data stored in the Smartcard. Tearing attacks can be prevented from succeeding by careful application software development; if access to a product is not granted until after a Smartcard value debit has occurred, then the attacker cannot achieve his objective. However data corruption can occur if any Smartcard transaction is interrupted due to power loss. I.2 CryptoRF Anti-Tearing CryptoRF is designed with an anti-tearing feature that prevents data corruption in the event a memory write operation is interrupted. Activating the anti-tearing feature impacts both the transaction time and the memory write endurance of the PICC, so if should be activated only for critical data write operations. Figure I-1 illustrates how a CryptoRF PICC performs an anti-tearing write. A CryptoRF anti-tearing write is a four step process. The data is written to a buffer EEPROM memory before being written to the final EEPROM memory location. The EEPROM Anti-Tearing Flag indicates if an anti-tearing write is in progress, or is completed. The Anti-Tearing Flag is checked each time the PICC is powered up. If the flag indicates a write was in progress, then the anti-tearing write will be completed before the PICC is allowed to accept any commands. The memory address and data are written to a buffer EEPROM in step 1, followed by writing the Anti-Tearing Flag in Step 2. In step 3 the data in the buffer EEPROM is written to the address sent with the write command (the final EEPROM memory location). The Anti-Tearing flag is cleared in step 4, and the ACK response is returned to the PCD. If power is interrupted before step 2 is completed, then the write operation fails; the EEPROM contents are unchanged, and the Anti-Tearing Flag is not set to indicate an anti-tearing write is in progress. If power is interrupted after step 2 is complete, then the Anti-Tearing flag is set; when the PICC is next powered up, the anti-tearing write will be completed as part of the POR process. If power is interrupted during step 3 or 4, the Anti-Tearing Flag will be set and the write will be completed on the next POR. 83 5276A–RFID–07/08 Figure I-1. CryptoRF Anti-Tearing Write Process START Receive Anti-Tearing Write Command Transmit NACK Response NO PICC Power OK ? YES END Write to Anti-Tearing Buffer STEP 1 Write Anti-Tearing Flag STEP 2 Write Data to Final EEPROM Location STEP 3 Clear Anti-Tearing Flag STEP 4 Transmit ACK Response END 84 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Table I-1 shows the consequences of a tearing attack occurring at each step during an anti-tearing write. The EEPROM contents at the address being written will either remain unchanged, or will be written with the new data. The EEPROM is not corrupted by power interruption during an anti-tearing write operation. Table I-1. Step 1 2 3 4 Consequences of a Tearing Event during an Anti-Tearing Write Description Write Buffer Memory Write Anti-Tearing Flag Write Final Memory Clear Anti-Tearing Flag Result if Power is Interrupted Mid-Step Original EEPROM Contents are Unchanged Original EEPROM Contents are Unchanged Anti-Tearing Write Completes on POR Anti-Tearing Write Completes on POR I.3 Performance Impact of Anti-Tearing Anti-tearing impacts the CryptoRF write transaction time in two ways. First, the maximum length of a write command is limited to 8 bytes when anti-tearing is active. Second, the response time of a write command is increased by approximately four times due to additional EEPROM memory writes which occur when anti-tearing is active. If anti-tearing is used to write 8 bytes of data, the net result is an increase in the transaction time of only 5 milliseconds. When large amounts of data are written, the increase in transaction time is significant. Writing the entire 128 byte User Zone on AT88SC0404CRF takes 147 milliseconds with anti-tearing, but only 41 milliseconds without anti-tearing. Writing the entire 256 byte User Zone on AT88SC3216CRF takes 292 milliseconds with anti-tearing, but only 54 milliseconds without anti-tearing. Table I-2. CryptoRF Family Write Characteristics with Anti-Tearing CryptoRF Part Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Write Characteristics Standard Write 1 to 16 bytes 1 to 16 bytes 1 to 16 bytes 1 to 16 bytes 1 to 16 bytes 1 to 32 bytes 1 to 32 bytes Anti-Tearing Write 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes I.4 Reliability Impact of Anti-Tearing Each byte of the CryptoRF EEPROM user memory and configuration memory is rated for 100k write cycles minimum. The entire memory can be written at least 100,000 times without wearing out any of the EEPROM memory bits. 85 5276A–RFID–07/08 Table I-3. CryptoRF Family Write Endurance with Anti-Tearing Parameter Min 100,000 50,000 Typ Max Units Write Cycles Writes Write Endurance (each Byte) Anti-Tearing Write Endurance All anti-tearing write commands sent to a PICC are processed in a single buffer EEPROM memory before being written to the final EEPROM memory location. As a result, the write endurance for anti-tearing writes is a per-unit specification, not a per-byte specification. A minimum of 50,000 anti-tearing write commands can be processed without wearing out any of the buffer EEPROM bits, or the EEPROM Anti-Tearing Flag bits. I.5 Activating Anti-Tearing Anti-Tearing can be used for either User Zone or Configuration Memory writes. Activation of this optional feature is described in this section. The Set User Zone command is used to activate the anti-tearing feature when writing the user memory. To turn anti-tearing on, send a Set User Zone command with bit 7 in the PARAM byte set to 1b. Any Write User Zone command that is received following anti-tearing activation will automatically use the anti-tearing write process. To turn anti-tearing off, send a Set User Zone command with bit 7 in the PARAM byte set to 0b. All subsequent Write User Zone commands will automatically use the normal write process. Figure I-2. Bit 7 AT Coding of the PARAM byte of the Set User Zone command. Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 Bit 2 Bit 1 Bit 0 User Zone When writing the Configuration Memory the anti-tearing function is controlled by the PARAM byte of the Write System Zone command. Table I-3 shows the PARAM byte options. If the PARAM byte of the Write System Zone command is $80, then the anti-tearing write process is used. If the PARAM byte of the Write System Zone command is $00, then the normal write process is used. Table I-4. PARAM byte options for the Write System Zone command. Command PARAM $00 $80 $01 ADDR address address fuse addr “L” # of bytes - 1 # of bytes - 1 $00 DATA “L + 1” bytes “L + 1” bytes 1 byte Write System Zone Write System Zone w A/T Write Fuse Byte All Other Values Are Not Supported 86 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Annex J: Personalization of the Anticollision Registers There are several registers that define the polling response of CryptoRF, which are written during the personalization process. The ISO/IEC 14443 Part 3 requirements must be considered when programming these registers. Incorrect personalization of these registers may cause readers to reject cards or to become confused and unable to complete the transaction. This annex describes the requirements for programming the polling registers for operation with ISO/IEC 14443 compliant readers and systems. J.1 Anticollision Procedure The RF reader (PCD) searches for Type B cards by issuing REQB or WUPB polling commands. These commands contain an AFI (Application Family Identifier) code to poll for only cards with a matching AFI code. Applications supporting multiple cards may also poll using the Slot MARKER command. See Annex K for a detailed description of the anticollision procedures. The answer to any of these polling commands is called the ATQB response. This response contains a card serial number (PUPI), which is used to select a specific card during the anticollision process, along with three protocol bytes. The protocol bytes tell the PCD what communication capabilities and options the card supports, and are used by the reader to configure itself for optimum communications with the card. J.2 Anticollision Registers The ATQB response of CryptoRF contains several values that are located in registers in the anticollision section of the System Zone (see Figure J-1). The values stored in the following registers are used during anticollision: PUPI, APP, RBmax, AFI. Figure J-1. Memory Map of Anticollision Registers in the System Zone $0 $1 PUPI $2 $3 $4 $5 APP Anticollision MTZ Card Manufacturer Code $6 $7 $00 $08 RBmax AFI The REQB/WUPB polling command and response are shown in Figure J-2 with color-coding which matches Figure J-1. Nine bytes of the ATQB response are customer programmable on CryptoRF. In addition, the AFI code used for selection of cards for a particular application during anticollision is also customer configured. 87 5276A–RFID–07/08 Figure J-2. CryptoRF Response to an REQB or WUPB polling command. Reader Command > $05 AFI PARAM CRC1 CRC2 PICC ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP 1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 The definitions of the polling configuration registers in the System Zone are listed below along with any restrictions which ISO/IEC 14443 Part 3 places on the register values. Pseudo Unique PICC Identifier (PUPI) PUPI is a 32 bit serial number defined by the customer during personalization; the PUPI is usually unique. This code is transmitted as part of the ATQB response during anticollision. PUPI may be set to any value. Application Data (APP) APP is an additional 32 bits of information transmitted as part of the ATQB response. This field is defined by the customer during personalization. The fourth byte is programmed by Atmel at the factory with a memory density code (see Figure J-1); this byte can be redefined by the card manufacturer if desired. APP may be set to any value. 88 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Table J-1. Default Value of APP 3 Byte. This Register can be Changed. Density Code $02 $12 $22 $33 $44 $54 $64 Device Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Receive Buffer Max Code (RBmax) This 8-bit register is transmitted as Protocol 2 byte of the ATQB response. This register is programmed by Atmel with the receive buffer maximum frame size code. This field can be reprogrammed by the customer during personalization if desired. The value of this protocol byte is restricted by ISO/IEC 14443 Part 3 to the values $00, $10, $20, $30, $40, $50, $60, $70, or $80 only. Use of an unapproved value in this register is likely to cause PCDs to malfunction. The Protocol 2 byte of the ATQB response is defined in ISO/IEC 14443 Part 3, section 7.9 . This byte contains the Part 4 compliance code in the lower 4 bits and the code for the maximum frame size supported by the card in the upper 4 bits. CryptoRF must return a value of $0 in the Part 4 compliance bits to indicate the PICC does not support the optional ISO/IEC 14443 Part 4 Active State protocol. The coding of the card maximum frame size bits is shown in Figure J-2. Table J-2. Bit 7 0 0 0 0 0 0 0 0 1 PICC Maximum Frame Size Codes defined in ISO/IEC 14443 Part 3. Bit 6 0 0 0 0 1 1 1 1 0 Bit 5 0 0 1 1 0 0 1 1 0 Bit 4 0 1 0 1 0 1 0 1 0 Max Frame 16 Bytes 24 Bytes 32 Bytes 40 Bytes 48 Bytes 64 Bytes 96 Bytes 128 Bytes 256 Bytes The PCD will store the lower 4 bits of ATQB protocol byte 2 in a register and echo it back to a selected PICC in the lower 4 bits of ATTRIB parameter byte 3. CryptoRF will not accept an ATTRIB command with a non-zero value in parameter byte 3. Note that intelligent PCDs will reject invalid ATQB responses and will not send invalid ATTRIB commands. 89 5276A–RFID–07/08 Table J-3. Default Value of RBmax. This Register should not be Changed. RBmax Code $10 $10 $10 $10 $10 $30 $30 Device Number AT88SC0104CRF AT88SC0204CRF AT88SC0404CRF AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Application Family Identifier (AFI) This 8 bit register identifies the application family and subfamily. This field is defined by the card manufacturer and is used during the anticollision process to determine which cards will respond to an REQB or WUPB polling command. This value is expected to be a single fixed value for all cards used in a particular system. The upper 4 bits are the application family and the lower 4 bits are the sub-family. The ISO/IEC 14443 Part 3 Type B application family definitions are shown in Figure J-6. The AFI register will accept any code, however only family codes of $0 to $F and subfamily codes of $1 to $F should be used. AFI Register values of $00, $10, $20, $30, $40, $50, $60, $70, $80, $90, $A0, $B0, $C0, $D0, $E0, and $F0 are prohibited and may cause PCDs to malfunction. Values defined as RFU are reserved for future definition by ISO and may not be supported by all readers. A card using an RFU value for the AFI is not compliant with ISO/IEC 14443 Part 3. Table J-4. AFI High Bits $0 $1 $2 $3 $4 $5 $6 $7 $8 $9 - $F Note: Application Family Codes as defined in ISO/IEC 14443 Part 3. AFI Low Bits “Y” “Y” “Y” “Y” “Y” “Y” “Y” “Y” “Y” “Y” Application Family Proprietary Transport Financial Identification Telecomm Medical Multimedia Gaming Data Storage RFU Portable Files... not currently defined by 14443-3 Internet Services... Mass Transit, Bus, Airline... Banking, Retail, Elec. Purse... Access Control... Telephony, GSM... Examples “Y” = $1 to $F 90 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF J.3 Summary The CryptoRF anticollision registers provide customers with the capability to customize the response of a CryptoRF PICC to the polling commands. This polling response is used by the PCD to perform anticollision and to determine the communication capabilities of the PICC. Intelligent RF readers will reconfigure themselves based on the contents of the protocol bytes in ATQB and may malfunction if invalid values are returned by the card. For this reason, the values of the CryptoRF anticollision registers must be carefully selected using the guidelines in this annex. 91 5276A–RFID–07/08 Annex K: Understanding Anticollision This section of the specification and the flow chart in Figure K-1 describe the Anticollision procedure for the CryptoRF family. The command and response definitions are detailed in the “Anticollision Command Definitions” section of this specification. For additional information on the anticollision command coding see section 7 of ISO/IEC 14443 Part 3 or Atmel Application note Understanding the Requirements of ISO/IEC 14443 for Type B Proximity Contactless Identification Cards. When the PICC enters the 13.56 Mhz RF field of the host reader (PCD) it performs a power on reset (POR) function and waits silently for a valid Type B polling command. The CryptoRF PICC processes the anti-tearing registers as part of the POR process. The PCD initiates the anticollision process by issuing an REQB or WUPB command. The WUPB command activates any card (PICC) in the field with a matching AFI code. The REQB command performs the same function, but does not affect a PICC in the Halt State. The REQB and WUPB commands contain an integer “N” indicating the number of Slots assigned to the anticollision process. If “N” = 1 then all PICCs (with a matching AFI) respond with the ATQB response. If “N” is greater than one, then the PICC selects a random number “R” in the range of 1 to “N” ; if “R” = 1 then the PICC responds with ATQB. If “R” is greater than 1, then the PICC waits for a Slot MARKER command where the slot number “S” is equal to “R”, then it responds with ATQB. The PCD polls all of the slots to determine if any PICC is present in the field. The ATQB response contains a PUPI card serial number which is used to direct commands to a specific PICC during the anticollision process. When the PCD receives an ATQB response, it can respond with a matching HLTB command to Halt the PICC, or it can respond with a matching ATTRIB command to assign a Card ID Number (CID) and place the PICC in the Active State. Once placed in the Active State the PICC is ready for transactions using the CryptoRF Active State commands. A PICC in the Active State ignores all commands that do not contain a CID number which matches the CID assigned by the ATTRIB command. A PICC in the Active State ignores all REQB, WUPB, Slot MARKER, ATTRIB, and HLTB commands. When the PCD receives an ATQB response with a CRC error, then a collision is assumed to have occurred. Typically the PCD will complete transactions with any other PICCs in the field, and then place them in the Halt State using a DESELECT command. The PCD will then issue a new REQB command, causing each PICC in the field (with a matching AFI) that has not been Halted to select a new random number “R”. This procedure resolves the conflict between the previously colliding PICCs, allowing the PCD to communicate with them. The anticollision process continues in this manner until all PICCs in the field have completed their transactions. Any command received by the PICC with a CRC error is ignored. Note that ISO/IEC 14443 Part 3 describes two anticollision options for Type B PICCs; the Timeslot option has been implemented in the CryptoRF family. 92 AT88SC0104/0204/0404/0808/1616/3216/6416CRF 5276A–RFID–07/08 AT88SC0104/0204/0404/0808/1616/3216/6416CRF Figure K-1. Anticollision and State Transition Flow Chart Power On Reset Process Anti-Tearing Registers W ait for REQB or WUPB AFI Match ? NO YES Is N = 1? NO Select Random Number "R" in Range 1 to "N" YES Is R = 1? NO Send ATQB Response W ait for Slot Marker = "R" Matched Slot Marker REQB or WUPB W ait for ATTRIB or HLTB with PUPI match HLTB ATTRIB REQB or WUPB Send Answer to HLTB Receive CID Assignment Send Answer to ATTRIB W ait for WUPB HALT State DESELECT ACTIVE State IDLE Active Command Process Active Command Anticollision YES 93 5276A–RFID–07/08 Annex L: The ISO/IEC 14443 Type B RF Signal Interface L.1 RF Signal Interface The CryptoRF communications interface is compliant with the ISO/IEC 14443 part 2 and part 3 requirements for Type B. Type B signaling utilizes 10 % amplitude modulation of the RF field for communication from the reader to the card with NRZ encoded data. Communication from card to reader utilizes BPSK load modulation of an 847.5 khz subcarrier with NRZ-L encoded data. The RF field is continuously on for Type B communications. L.2 Data Format Data communication between the card and reader is performed using an LSB first data format. Each byte of data is transmitted with a 0b start bit and a 1b stop bit as shown in Figure L-1. The stop bit, start bit, and each data bit are each one elementary time unit (ETU) in length (9.4395 microseconds). Each byte transmission consists of a start bit, 8 data bits (LSB first), and a stop bit. Each byte may be separated from the next byte by extra guard time (EGT). The EGT may be zero or a fraction of an ETU. EGT cannot exceed 57 microseconds for data transmitted by the PCD. EGT for data transmitted by the CryptoRF PICC is programmed to either zero or 2 ETUs using the EGTL bit of the Device Configuration Register (DCR). The position of each bit is measured relative to the falling edge of the start bit. Figure L-1. Byte transmission format requirements for type B communications. One Byte Transmission is 10 ETUs long plus EGT Start LSB b0 b1 b2 b3 b4 b5 b6 MSB b7 Stop EGT