AT88SC3216CRF-MX1

Features • A Family of Devices with User Memories of 4 Kbits to 64 Kbits • Contactless 13.56 MHz RF Communications Interface ⎯ ISO/IEC 14443-2:2001 Type B Compliant ⎯ ISO/IEC 14443-3:2001 Type B Compliant Anticollision Protocol ⎯ Tolerant of Type A Signaling for Multi-Protocol Applications • Integrated 82 pF Tuning Capacitor • User EEPROM Memory Configurations: ⎯ 64 Kbits Configured as Sixteen 512 byte (4 Kbit) User Zones [AT88SC6416CRF] ⎯ 32 Kbits Configured as Sixteen 256 byte (2 Kbit) User Zones [AT88SC3216CRF] ⎯ 16 Kbits Configured as Sixteen 128 byte (1 Kbit) User Zones [AT88SC1616CRF] ⎯ 8 Kbits Configured as Eight ⎯ 4 Kbits Configured as Four ⎯ Self Timed Write Cycle 128 byte (1 Kbit) User Zones [AT88SC0808CRF] 128 byte (1 Kbit) User Zones [AT88RF04C] CryptoRF® Specification AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF ⎯ Byte, Page, and Partial Page Write Modes • 256 byte (2 Kbit) Configuration Memory ⎯ User Programmable Application Family Identifier (AFI) ⎯ User-defined Anticollision Polling Response ⎯ User-defined Keys and Passwords ⎯ Read-Only Unique Die Serial Number • High Security Features ⎯ Selectable Access Rights by Zone ⎯ 64-bit Mutual Authentication Protocol (under license of ELVA) ⎯ Encrypted Checksum ⎯ Stream Encryption using 64-bit Key ⎯ Four Key Sets for Authentication and Encryption ⎯ Four or Eight 24-bit Password Sets ⎯ Password and Authentication Attempts Counters ⎯ Anti-tearing Function ⎯ Tamper Sensors • High Reliability ⎯ Endurance : 100,000 Write Cycles ⎯ Data Retention : 10 Years 5276C–RFID–3/09 Description The CryptoRF® family integrates a 13.56 MHz RF interface with CryptoMemory® security features. This product line is ideal for RF tags and contactless smart cards that can benefit from advanced security and cryptographic features. The device is optimized as a contactless secure memory for secure data storage without the requirement of an internal microprocessor. For communications the RF interface utilizes the ISO/IEC 14443–2 and –3 Type B bit timing and signal modulation schemes, and the ISO/IEC 14443-3 Slot-MARKER Anticollision Protocol. Data is exchanged half duplex at a 106k bit per second rate, with a two byte CRC_B providing error detection capability. The RF interface powers the other circuits, no battery is required. Full compliance with the ISO/IEC 14443 –2 and –3 standards provides both a proven RF communication interface, and a robust anticollision protocol. The five products in the CryptoRF family contain 4 Kbits to 64 Kbits of User Memory plus 2 Kbits of Configuration Memory. The 2 Kbits of Configuration Memory contains read/write password sets, four crypto key sets, security access registers for each user zone, and password/key registers for each zone. The CryptoRF command set is optimized for a multi-card RF communications environment. A programmable AFI register allows this IC to be used in numerous applications in the same geographic area with seamless discrimination of cards assigned to a particular application during the anticollision process. Figure 1. Block Diagram RF Interface AC1 Command and Response EEPROM Modulator ifi er C VSS R ec t Over Voltage Clamp Data Transfer Regulator VDD Password Verification AC2 Clock Extraction Data Extraction Frame Formatting and Error Detection Interface Anticollision Authentication Encryption and Certification Unit Random Number Generator 2 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table of Contents Features Description .................................................................................................................................................. 1 .................................................................................................................................................. 2 1. Introduction.............................................................................................................................................. 5 1.1. Communications .............................................................................................................................. 5 1.2. Scope............................................................................................................................................... 5 1.3. Conventions..................................................................................................................................... 5 2. User Memory............................................................................................................................................ 7 3. Configuration Memory ............................................................................................................................ 8 4. Command Set .......................................................................................................................................... 9 5. Anticollision Command Definitions..................................................................................................... 10 5.1. REQB / WUPB Polling Commands [$05] ...................................................................................... 10 5.2. Slot MARKER Command [$s5]...................................................................................................... 13 5.3. ATTRIB Command [$1D]............................................................................................................... 15 5.4. HLTB Command [$50]................................................................................................................... 18 6. Active State Command Definitions...................................................................................................... 19 6.1. Response Format .......................................................................................................................... 19 6.2. Set User Zone Command [$c1] ..................................................................................................... 21 6.3. Read User Zone Command [$c2].................................................................................................. 23 6.4. Read User Zone (Large Memory) Command [$c2] ....................................................................... 25 6.5. Read User Zone Command with Integrated MAC [$c2] [88RF] ................................................... 27 6.6. Write User Zone Command [$c3] .................................................................................................. 30 6.7. Write User Zone (Large Memory) Command [$c3] ....................................................................... 33 6.8. Write User Zone Command with Integrated MAC [$c3] [88RF] ................................................... 36 6.9. Write System Zone Command [$c4].............................................................................................. 39 6.10. Write System Zone Command with Integrated MAC [$c4] [88RF]............................................... 42 6.11. Write System Zone Command, Write Fuse Byte Option [$c4] ...................................................... 45 6.12. Read System Zone Command [$c6] ............................................................................................. 48 6.13. Read System Zone Command, Read Fuse Byte Option [$c6]...................................................... 51 6.14. Read System Zone Command, Read Checksum Option [$c6]..................................................... 54 6.15. Verify Crypto Command [$c8] ....................................................................................................... 56 6.16. Send Checksum Command [$c9].................................................................................................. 59 6.17. DESELECT Command [$cA]......................................................................................................... 61 6.18. IDLE Command [$cB].................................................................................................................... 62 6.19. Check Password Command [$cC]................................................................................................. 63 7. Transaction Flow ................................................................................................................................... 66 8. Absolute Maximum Ratings*................................................................................................................ 67 9. Reliability................................................................................................................................................ 67 10. Electrical Characteristics ..................................................................................................................... 68 10.1. Tamper Detection .......................................................................................................................... 68 3 5276C–RFID–3/09 Appendix A. Terms and Abbreviations ..................................................................................................... 69 Appendix B. Standards and Reference Documents ................................................................................ 74 Appendix C. User Memory Maps ............................................................................................................... 75 Appendix D. Configuration Memory Maps ............................................................................................... 80 Appendix E. Device Personalization ......................................................................................................... 84 Appendix F. Secure Personalization [88RF] ........................................................................................... 88 Appendix G. Security Fuses....................................................................................................................... 91 Appendix H. Configuration of Password and Access Control Registers.............................................. 94 Appendix I. Using Password Security ................................................................................................... 101 Appendix J. Using Authentication Communication Security .............................................................. 106 Appendix K. Using Encryption Communication Security..................................................................... 115 Appendix L. Understanding Anti-Tearing .............................................................................................. 125 Appendix M. Personalization of the Anticollision Registers ................................................................ 129 Appendix N. Understanding Anticollision .............................................................................................. 134 Appendix O. The ISO/IEC 14443 Type B RF Signal Interface................................................................ 136 Appendix P. RF Specifications and Characteristics ............................................................................. 140 Appendix Q. Transaction Time ................................................................................................................ 144 Appendix R. 88RF PICC Backward Compatibility.................................................................................. 148 Appendix S. Ordering Information .......................................................................................................... 150 Appendix T. Errata .................................................................................................................................... 155 Appendix U. Revision History.................................................................................................................. 157 4 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 1. Introduction The CryptoRF family consists of devices in the AT88SCxxxxCRF and AT88RFxxC catalog number series. The first generation devices are assigned catalog numbers in the AT88SCxxxxCRF series. The second generation devices are assigned catalog numbers in the AT88RFxxC series. Several security options have been added to the second generation devices to enhance system security. 1.1. Communications All personalization and communication with this device is performed through the RF interface. The IC includes an integrated tuning capacitor, enabling it to operate with only the addition of a single external coil antenna. The RF communications interface is fully compliant with the electrical signaling and RF power specifications in ISO/IEC 14443-2 for Type B only. Anticollision operation and frame formatting are compliant with ISO/IEC 14443-3 for Type B only. 1.2. Scope This CryptoRF Specification document includes all specifications for the Normal, Authentication, and Encryption modes of CryptoRF operation. 1.3. Conventions ISO/IEC 14443 nomenclature is used in this specification where applicable. The following abbreviations are utilized throughout this document. Additional terms are defined in Appendix A. • PCD: • PICC: • RFU: • • • • Proximity Coupling Device – is the reader/writer and antenna. Proximity Integrated Circuit Card – is the tag/card containing the IC and antenna. Reserved for Future Use – is any feature, memory location, or bit that is held as reserved for future use by the ISO standards committee or by Atmel. $xx: Hexadecimal Number – denotes a hex number “xx” (Most Significant Bit on left). xxxxb: Binary Number – denotes a binary number “xxxx” (Most Significant Bit on left). 88SC: CryptoRF devices in the AT88SCxxxxCRF catalog number series. 88RF: CryptoRF devices in the AT88RFxxC catalog number series. This document contains the specifications for AT88SCxxxxCRF and AT88RFxxC CryptoRF devices. Any specification that applies only to first generation AT88SCxxxxCRF devices references: "88SC" devices, "88SC" PICCs, or contain "[88SC]" in the section title. Any specification that applies only to second generation AT88RFxxC devices references: "88RF" devices, "88RF" PICCs, or contain "[88RF]" in the section title. Specifications that apply to all devices are referred to as CryptoRF specifications. Each command / response exchange between the PCD and PICC is formatted as shown in Figure 2. The bytes are shown in the order in which they are transmitted, with PCD transmissions in the left column, and PICC transmissions in the right column. 5 5276C–RFID–3/09 Each byte contains one or more fields as indicated by lines drawn vertically within the byte. The field in the left half of the byte is the upper nibble of the byte, and the field to the right is the lower nibble of the byte. In Figure 2, five fields contain values ($1D, $00, $F, $51, $0), four fields contain field names (“Addr”, “XX”, “CID”, “Data”), and four fields contain error detection codes (CRC1, CRC2). Figure 2. Example Command and Response Format Reader Command First Byte > Command Second Byte > Command Third Byte > Command Fourth Byte > Command Fifth Byte > CRC First Byte > CRC Second Byte > TR2 Response First Byte > Response Second Byte > CRC First Byte > CRC Second Byte > $0 DATA CRC1 CRC2 CID $F $51 CRC1 CRC2 $1D $00 ADDR XX PICC The CRC error detection codes are calculated using all of the previous bytes in the command or response and are appended to each command and response to allow detection of RF communication errors. These bytes are required by ISO/IEC 14443-3:2001 and are usually calculated and verified in the reader hardware. 6 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 2. User Memory The User EEPROM Memory characteristics are summarized in Table 1. User Memory is divided into equally sized User Zones. Access to the User Zones is allowed only after security requirements have been met. These security requirements are defined by the user in the configuration memory during personalization of the device. The default configuration is open read/write access to all user memory zones. For User Memory Maps see Appendix C. Table 1. CryptoRF User Memory Characteristics User Memory Size User Memory Organization Bits 4K 8K 16K 32K 64K Bytes 512 1K 2K 4K 8K # Zones 4 8 16 16 16 Bytes/Zones 128 128 128 256 512 Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 7 5276C–RFID–3/09 3. Configuration Memory The configuration memory consists of 2048 bits of EEPROM memory used for storing system data, passwords, keys, codes, and access control registers for each user zone. Access rights to the configuration memory are defined in the control logic and cannot be altered by the user. These access rights include the ability to program certain portions of the configuration memory and then lock the data written through use of the security fuses. The Read System Zone and Write System Zone commands are used to access the configuration memory. For Configuration Memory Maps see Appendix D. Table 2. Configuration Memory Characteristics Password Sets 4 Sets 8 Sets 8 Sets 8 Sets 8 Sets Key Sets 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets OTP Memory Free For Customer Use 25 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes Transport Password PW Index $07 $07 $07 $07 $07 Password $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 8 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 4. Command Set The CryptoRF command set contains two types of commands: Anticollision commands, and Active State commands. Anticollision commands are explicitly defined in ISO/IEC 14443-3:2001. The CryptoRF Active State commands are Atmel defined commands that are compliant with the ISO/IEC 14443-3:2001 requirements. The CryptoRF Active State commands contain the CID code that is assigned to a card when it is selected during the anticollision process. See the ATTRIB command for coding of the CID bits. Table 3. Bit 7 0 Coding of the Command Byte for the Anticollision Command Set Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 0 1 1 1 0 Bit 2 1 1 1 0 Bit 1 0 0 0 0 Bit 0 1 1 1 0 Command Name REQB/WUPB Slot MARKER ATTRIB HLTB Hexadecimal $05 $s5 $1D $50 Slot Number 0 0 0 1 0 0 Table 4. Bit 7 Coding of the Command byte for the CryptoRF Active State Command Set. Bit 6 CID CID CID CID CID CID CID CID CID CID Bit 5 Bit 4 Bit 3 0 0 0 0 0 1 1 1 1 1 Bit 2 0 0 0 1 1 0 0 0 0 1 Bit 1 0 1 1 0 1 0 0 1 1 0 Bit 0 1 0 1 0 0 0 1 0 1 0 Command Name Set User Zone Read User Zone Write User Zone Write System Zone Read System Zone Verify Crypto Send Checksum DESELECT IDLE Check Password Hexadecimal $c1 $c2 $c3 $c4 $c6 $c8 $c9 $cA $cB $cC All Other Values Are Not Supported 9 5276C–RFID–3/09 5. Anticollision Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. 5.1. REQB / WUPB Polling Commands [$05] The REQB / WUPB command is used to search for PICCs in the RF field. The command and response are ISO/IEC 14443-3:2001 compliant. Reader PICC Command > $05 AFI PARAM CRC1 CRC2 ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 5.1.1. Operation The “Request B” (REQB) and “Wake-Up B” (WUPB) commands are used to probe the RF field for Type B PICCs as the first step in the anticollision process. The response to an REQB or WUPB command is the “Answer to Request B” (ATQB). PICCs in the Active State are not permitted to answer this command. 10 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5.1.2. Command Field Descriptions AFI: The Application Family Identifier (AFI) is used to select the family and sub-family of cards which the PCD is targeting. Only PICCs with a matching AFI code are permitted to answer an REQB or WUPB command. Table 5 describes the AFI matching criteria. An AFI of $00 activates all Type B PICCs. AFI matching criteria for polling commands received by the PICC. AFI Low Bits $0 $0 “Y” “Y” REQB/WUPB Polling produces a PICC response from: All Families and sub-families All sub-families of Family “X” Only sub-family “Y” of Family “X” Proprietary sub-family “Y” Only Table 5. AFI High Bits $0 “X” “X” $0 “Y” = $1 to $F “X” = $1 to $F PARAM: The PARAM byte is used to send two parameters to the PICC. The parameter “N”, which assigns the number of anticollision slots, and the REQB / WUPB selection bit. Definition of the PARAM byte in the REQB/WUPB command. Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 RW Bit 2 Bit 1 N Bit 0 Figure 3. Bit 7 0 Table 6. Bit 2 0 0 0 0 1 1 1 1 Table 7. Bit 3 0 1 Coding of “N”, the number of anticollision slots, in the PARAM byte. Bit 1 0 0 1 1 0 0 1 1 Bit 0 0 1 0 1 0 1 0 1 N 1 2 4 8 16 RFU RFU RFU Coding of the REQB / WUPB selection bit in the PARAM byte. Command REQB WUPB Communication error detection bytes. CRC: 11 5276C–RFID–3/09 5.1.3. Response Field Descriptions PUPI: APP: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. Application Data. Information about the card or application, stored in the System Zone. The fourth byte of the application data field, APP3, is programmed by Atmel with a memory density code at the factory to permit easy identification of different card sizes. The memory density codes programmed by Atmel are shown in Table 8. Table 8. Default value of APP3 is the CryptoRF Memory Density Code Device Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Protocol: CRC: Density Code $22 $33 $44 $54 $64 ISO/IEC 14443 communication capabilities reported to the PCD. Communication error detection bytes. 5.1.4. Error Handling If an REQB or WUPB command containing errors is received by the PICC, it is ignored and no response is sent. 5.1.5. Notes The REQB and WUPB commands are identical for 88SC and 88RF CryptoRF PICCs. 12 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5.2. Slot MARKER Command [$s5] The Slot MARKER command can be used to separately identify multiple PICCs in the RF field. The command and response are ISO/IEC 14443-3:2001 compliant. Reader PICC Command > S CRC1 CRC2 $5 ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 5.2.1. Operation Slot MARKER is an optional command used to perform ISO/IEC 14443-3 Type B anticollision using the timeslot approach. Immediately after an REQB or WUPB command with “N” greater than 1 is issued, and the ATQB response (if any) is received, the PCD will transmit Slot MARKER commands with slot values “S” of 2 to “N” to define the start of each timeslot for anticollision. If the random number “R” selected by the PICC matches “S” then the PICC responds with ATQB. PICCs in the Active State are not permitted to answer this command. 5.2.2. Command Field Description S: CRC: The slot number “S” is encoded within the command byte as shown in Table 9. Communication error detection bytes. 13 5276C–RFID–3/09 Table 9. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 Coding of the slot number within the Slot MARKER command byte. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Slot Not Supported 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 5.2.3. Response Field Description PUPI: APP: Protocol: CRC: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. Application Data. Information about the card or application, stored in the System Zone. ISO/IEC 14443 communication capabilities reported to the PCD. Communication error detection bytes. 5.2.4. Error Handling If a Slot MARKER command containing errors is received by the PICC, it is ignored and no response is sent. 5.2.5. Notes The Slot MARKER command is identical for 88SC and 88RF CryptoRF PICCs. 14 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5.3. ATTRIB Command [$1D] The ATTRIB command is used to select a PICC for a transaction. The command and response are ISO/IEC 144433:2001 compliant. Reader PICC Command > $1D PUPI 0 PUPI of PCI > PUPI 1 PUPI 2 PUPI 3 Param 1 > Param 2 > Param 3 > Param 4 Assigns CID > $0 $0 $00 TBmax $00 CID CRC1 CRC2 ATTRIB Response > $0 CRC1 CRC2 CID SUCCESS RESPONSE 5.3.1. Operation Sending the ATTRIB command (with a matching PUPI) after an ATQB response places the PICC in the Active State and assigns the Card ID Number (CID) to the PICC. PICCs already in the Active State or Halt State are not permitted to answer this command. 15 5276C–RFID–3/09 5.3.2. Command Field Descriptions PUPI: Param: TBmax: CID: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. ISO/IEC 14443 communication capabilities reported to the PICC. The contents of Param Bytes 1, 2, and 3 do not alter the behavior of CryptoRF PICCs. A parameter sent by the PCD reporting the receive buffer size of the PCD. Default value is $0. The Card ID Number (CID) in ATTRIB Param Byte 4 and in the ATTRIB Response is encoded as shown in Table 10 and Table 11. Each PICC is assigned a unique CID when it is placed in the Active State. CryptoRF Active State commands use the assigned CID to direct the commands to the desired PICC. Coding of the Card ID in the ATTRIB command and response for 88SC PICCs. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 CID Not Supported 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Not Supported Table 10. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 16 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 11. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 CRC: Coding of the Card ID in the ATTRIB command and response for 88RF PICCs. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 1 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 CID 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Not Supported Communication error detection bytes. 5.3.3. Response Field Descriptions CID: CRC: The PICC transmits its assigned card ID in the response. Communication error detection bytes. 5.3.4. Error Handling If an ATTRIB command containing transmission errors is received by the PICC, it is ignored and no response is sent. 5.3.5. Notes The ATTRIB command for 88SC PICCs is used to assign a CID in the range of 1 to 15 to the PICC; CID = 0 is not supported. The ATTRIB command for 88RF PICCs is used to assign a CID in the range of 0 to 15 to the PICC. 17 5276C–RFID–3/09 5.4. HLTB Command [$50] The HLTB command places a PICC in the Halt State, where it is not allowed to answer an REQB command. The command and response are ISO/IEC 14443-3 compliant. Reader PICC Command > $50 PUPI 0 PUPI of PCI > PUPI 1 PUPI 2 PUPI 3 CRC1 CRC2 HLTB Response > $00 CRC1 CRC2 SUCCESS RESPONSE 5.4.1. Operation Sending the “Halt B” (HLTB) command (with a matching PUPI) after an ATQB response places the PICC in the Halt State. A PICC in the Halt State will only respond to a WUPB command. PICCs in the Active State or already in the Halt State are not permitted to answer this command. 5.4.2. Command Field Descriptions PUPI: CRC: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. Communication error detection bytes. 5.4.3. Response Field Description CRC: Communication error detection bytes. 5.4.4. Error Handling If a HLTB command containing errors is received by the PICC, it is ignored and no response is sent. 5.4.5. Notes The HLTB command is identical for 88SC and 88RF CryptoRF PICCs. 18 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6. Active State Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. Several of the Active state commands perform multiple functions; the value of the PARAM byte determines which function is performed. Table 12. Bit 7 Coding of the Command byte for the CryptoRF Active State Command Set Bit 6 CID CID CID CID CID CID CID CID CID CID Bit 5 Bit 4 Bit 3 0 0 0 0 0 1 1 1 1 1 Bit 2 0 0 0 1 1 0 0 0 0 1 Bit 1 0 1 1 0 1 0 0 1 1 0 Bit 0 1 0 1 0 0 0 1 0 1 0 Command Name Set User Zone Read User Zone Write User Zone Write System Zone Read System Zone Verify Crypto Send Checksum DESELECT IDLE Check Password Hexadecimal $c1 $c2 $c3 $c4 $c6 $c8 $c9 $cA $cB $cC All Other Values Are Not Supported 6.1. Response Format The response to each Active State command consists of five bytes or more. The first byte of the response is the command byte echoed back to the PCD. The second byte is the ACK/NACK byte which reports success or failure of the command execution. The final two bytes of the response are always the CRC bytes. The CRC bytes are preceded by a STATUS byte which reports error codes or PICC status codes. Any data bytes returned by the command are located between the ACK/NACK and STATUS bytes. Table 13. Coding of the ACK/NACK byte of the PICC response Bit 5 0 0 Bit 4 0 0 Bit 3 0 0 0 0 Bit 2 0 0 0 0 Bit 1 0 0 0 0 Bit 0 0 1 1 1 ACK NACK, See STATUS byte for PICC information NACK, Check Password Attempt Failure NACK, Authentication or Encryption Attempt Failure Response Decode Bit 7 0 0 Bit 6 0 0 Password Attempts Count Auth. Attempts Count The ACK/NACK byte reports success or failure of the command execution. In the event of a Check Password command failure or Verify Crypto command failure the ACK/NACK byte contains an attempts count coded as shown in Table 14 and Table 15. The STATUS byte provides information to the host application indicating the state of the PICC or the reason for failure of a requested operation. The STATUS byte does not report the success or failure of a command. In the event of multiple errors, the STATUS byte reports the first error detected. The PICC ignores commands that do not have a matching CID. Invalid command codes are also ignored. 19 5276C–RFID–3/09 Table 14. Coding of the Password Attempts Count or Authentication Attempts Count in the 88SC ACK/NACK byte. Bit 7 0 0 0 0 0 0 0 0 1 Bit 6 0 0 0 0 1 1 1 1 0 Bit 5 0 0 1 1 0 0 1 1 0 Bit 4 0 1 0 1 0 1 0 1 0 Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts Hexadecimal $0 $1 $2 $3 $4 $5 $6 $7 $8 Table 15. Coding of the Password Attempt Count or Authentication Attempts Count in the 88RF ACK/NACK byte. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts 9 Failed Attempts 10 Failed Attempts 11 Failed Attempts 12 Failed Attempts 13 Failed Attempts 14 Failed Attempts 15 Failed Attempts (LOCK) Hexadecimal $0 $1 $2 $3 $4 $5 $6 $7 $8 $9 $A $B $C $D $E $F 20 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.2. Set User Zone Command [$c1] The Set User Zone command selects the user memory area to be addressed by the Read User Zone and Write User Zone commands. Reader PICC Command > CID PARAM CRC1 CRC2 $1 Echo Response > CID $1 ACK/NACK STATUS CRC1 CRC2 6.2.1. Operation Before reading and writing data to the user memory, the host must select a User Zone with this command. Only one User Zone may be selected at a time. At the time the zone is selected the host also chooses whether anti-tearing is active for the selected zone. If anti-tearing is activated, then all writes to the User Zone will utilize anti-tearing until a new Set User Zone command is received. Only PICCs in the Active State are permitted to answer this command. 6.2.2. Command Field Description CID: PARAM: Table 16. Bit 7 AT Table 17. Bit 7 0 1 The Card ID assigned by the ATTRIB command. Selects the User Zone and sets anti-tearing on or off. Definition of the PARAM byte of the Set User Zone command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 Bit 2 Bit 1 Bit 0 User Zone Coding of the Anti-Tearing Select bit within the PARAM byte Write User Zone Normal Write Enabled Anti-Tearing Write Enabled 21 5276C–RFID–3/09 Table 18. Bit 3 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 CRC: Coding of the User Zone number within the PARAM byte Bit 2 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 User Zone 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Communication error detection bytes. 6.2.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 6.2.4. Error Handling If a Set User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. Table 19. Status Codes returned in the Set User Zone response Error/Status Message No Errors User Zone PARAM Invalid Status Code $00 $A1 Type ACK NACK 6.2.5. Notes The Set User Zone command is identical for 88SC and 88RF CryptoRF PICCs. 22 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.3. Read User Zone Command [$c2] The Read User Zone command reads data from the currently selected User Zone. See Read User Zone (Large Memory) command for the AT88SC6416CRF read command information. Reader Command > PARAM = $00 > CID PARAM ADDR “L” CRC1 CRC2 Echo Command > CID NACK STATUS CRC1 CRC2 Echo Command > CID ACK DATA 1 DATA 2 ………. DATA “L” DATA “L+1” STATUS CRC1 CRC2 PARAM = $80 > CID PARAM ADDR “L” CRC1 CRC2 Echo Command > CID NACK STATUS CRC1 CRC2 Echo Command > CID ACK DATA 1 DATA 2 ………. DATA “L” DATA “L+1” MAC1 MAC2 STATUS CRC1 CRC2 < Status Code < Checksum $2 SUCCESS RESPONSE < Error Code $2 FAILURE RESPONSE $2 PICC 6.5.1. Operation The Read User Zone command with Integrated MAC reads data from the 88RF device's currently selected User Zone and also returns the cryptographic checksum. If the RCS bit of the DCR register is set to 1b, then the cryptographic engine is reset after the checksum is read. If the RCS bit of the DCR register is set to 0b, then the cryptographic engine is not reset by this command. The data byte address is internally incremented as each byte is read from memory. Reading beyond the end of the current User Zone is prohibited. Only PICCs in the Active State are permitted to answer this command. If the Authentication or Encryption Communication Security mode is not active, then a NACK response is returned. If the Encryption Communication Security mode is active, then the DATA bytes are encrypted. In Authentication Communication Security mode the DATA bytes are not encrypted. 27 5276C–RFID–3/09 6.5.2. Command Field Descriptions CID: PARAM: Table 23. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of read operation to be performed. PARAM byte options for the Read User Zone command for 88RF PICCs. Command Read User Zone (Normal / Legacy) Read User Zone with Integrated MAC All Other Values Are Not Supported ADDR: L: The starting address of the data to read. The number of bytes to read minus 1. L cannot exceed the size of the user zone. PARAM $00 $80 Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 data bytes in a single operation. CRC: Communication error detection bytes. 6.5.3. Response Field Descriptions CID: ACK: NACK: DATA: MAC: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. The data bytes read from user memory. The checksum bytes read from the cryptographic engine. PICC status code. Communication error detection bytes. 28 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.5.4. Error Handling If a Read User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 24. Status Codes returned in the Read User Zone response Error/Status Message No errors Access Denied (User Zone Not Set) PARAM Invalid Address Invalid Length Invalid Authentication or Encryption Activation Required Password Required Memory Access Error Status Code $00 $99 $A1 $A2 $A3 $A9 $D9 $EE Type ACK NACK NACK NACK NACK NACK NACK ACK/NACK 6.5.5. Notes The Read User Zone command with Integrated MAC is not supported by 88SC PICCs. 29 5276C–RFID–3/09 6.6. Write User Zone Command [$c3] The Write User Zone command writes data into the currently selected User Zone. See Write User Zone (Large Memory) command for the AT88SC6416CRF write command information. Reader PICC Command > PARAM =$00 > CID PARAM ADDR “L” DATA 1 DATA 2 ………. DATA “L” DATA “L+1” CRC1 CRC2 $3 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 6.6.1. Operation The Write User Zone command writes data in the device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If Encryption Communication Security is active the DATA bytes are encrypted; no other bytes are encrypted. In the Normal and Authentication Communication Security modes none of the bytes are encrypted. The Write User Zone command includes an automatic data verification function when used on 88RF PICCs. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write User Zone command. If the data does not match then the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. 30 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.6.2. Command Field Description CID: PARAM: ADDR: L: The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM = $00 selects the normal Write User Zone command. The starting address of the location to be written. The number of bytes to read minus 1. “L” cannot exceed the physical page size of the memory. In antitearing mode the maximum number of bytes that can be written is 8 bytes. If the Access Register enables Write Lock mode or Program Only mode, the maximum number of bytes that can be written is 1 byte. Write Characteristics of CryptoRF Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes Table 25. CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF DATA: CRC: The data bytes to be written into user memory. Communication error detection bytes. 6.6.3. Response Field Description CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 31 5276C–RFID–3/09 6.6.4. Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 26. No errors Write Pending – Checksum Required One Byte Written (Write Lock Mode) Access Denied (User Zone Not Set) Access Denied (Security Fuses Invalid) PARAM Invalid Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Access denied (Write Lock Mode) Checksum Failure Password Required Modify Forbidden Memory Write Error - Data Mismatch Memory Access Error Status Codes returned in the Write User Zone response Error/Status Message Status Code $00 $0C $1B $99 $99 $A1 $A2 $A3 $A9 $B0 $B9 $C9 $D9 $E9 $ED $EE Type ACK ACK ACK NACK NACK NACK NACK NACK NACK ACK NACK NACK NACK NACK NACK ACK/NACK 6.6.5. Notes The Write User Zone command is identical for 88SC and 88RF CryptoRF PICCs when PARAM = $00. Automatic data write verification is performed by 88RF PICCs; this function is not supported by 88SC PICCs. 32 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.7. Write User Zone (Large Memory) Command [$c3] The Write User Zone command writes data into the currently selected User Zone. This command format applies to the AT88SC6416CRF device only. Reader PICC Command > PARAM = ADDR H CID ADDR H ADDR L “L” DATA 1 DATA 2 ………. DATA “L” DATA “L+1” CRC1 CRC2 $3 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 6.7.1. Operation The Write User Zone (Large Memory) command operates identically to the normal Write User Zone command, but utilizes a two byte address to support large memory sizes. The Write User Zone command writes data in the device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If Encryption Communication Security is active the DATA bytes are encrypted; no other bytes are encrypted. In the Normal and Authentication Communication Security modes none of the bytes are encrypted. 33 5276C–RFID–3/09 6.7.2. Command Field Descriptions CID: PARAM: Table 27. Bit 7 0 ADDR: L: The Card ID assigned by the ATTRIB command. The PARAM byte is the ADDR H byte of Write User Zone (Large Memory) command. Definition of the PARAM (ADDR H) byte of the Write User Zone (Large Memory) command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 Bit 2 0 Bit 1 0 Bit 0 A8 The two byte starting address of the location to be written. The number of bytes to read minus 1. “L” cannot exceed the physical page size of the memory. In antitearing mode the maximum number of bytes that can be written is 8 bytes. If the Access Register enables Write Lock mode or Program Only mode, the maximum number of bytes that can be written is 1 byte. Write Characteristics of Large Memory CryptoRF Write Characteristics Standard Write 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes Table 28. CryptoRF Part Number AT88SC6416CRF DATA: CRC: The data bytes to be written into user memory. Communication error detection bytes. 6.7.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 34 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.7.4. Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 29. No errors Write Pending – Checksum Required One Byte Written (Write Lock Mode) Access Denied (User Zone Not Set) Access Denied (Security Fuses Invalid) Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Access denied (Write Lock Mode) Password Required Modify Forbidden Memory Access Error Status Codes returned in the Write User Zone (Large Memory) response Error/Status Message Status Code $00 $0C $1B $99 $99 $A2 $A3 $A9 $B0 $B9 $D9 $E9 $EE Type ACK ACK ACK NACK NACK NACK NACK NACK ACK NACK NACK NACK ACK/NACK 6.7.5. Notes The Write User Zone (Large Memory) command is not supported by 88RF PICCs. 35 5276C–RFID–3/09 6.8. Write User Zone Command with Integrated MAC [$c3] [88RF] The Write User Zone command with Integrated MAC writes data into the currently selected User Zone of 88RF PICCs. This command can only be used when the Authentication or Encryption Communication Security mode is active. Reader PICC Command > PARAM = $80 > CID PARAM ADDR “L” DATA 1 DATA 2 ………. DATA “L” DATA “L+1” $3 Checksum > MAC1 MAC2 CRC1 CRC2 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 6.8.1. Operation The Write User Zone command with Integrated MAC writes data in the 88RF device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If the Authentication or Encryption Communication Security mode is not active, then a NACK response is returned. If the checksum does not match, then a NACK response is returned, the write operation is aborted, and the cryptographic engine is reset. The Write User Zone command with Integrated MAC includes an automatic data verification function. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write User Zone command. If the data does not match the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. If the Encryption Communication Security mode is active, then the DATA bytes are encrypted. In Authentication Communication Security mode the DATA bytes are not encrypted. 36 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.8.2. Command Field Description CID: PARAM: Table 30. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM byte options for the Write User Zone command for 88RF PICCs. Command Write User Zone (Normal / Legacy) Write User Zone with Integrated MAC All Other Values Are Not Supported. ADDR: L: The starting address of the location to be written. The number of bytes to write minus 1. “L” cannot exceed the 16 byte physical page size of the memory. In anti-tearing mode the maximum number of bytes that can be written is 8 bytes. Write Characteristics of 88RF PICCs Write Characteristics Normal Write 1 to 16 Bytes Anti-Tearing Write 1 to 8 Bytes PARAM $00 $80 Table 31. CryptoRF Part Number AT88RF04C DATA: MAC: CRC: The data bytes to be written into user memory. The checksum bytes sent to the cryptographic engine. Communication error detection bytes. 6.8.3. Response Field Description CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 37 5276C–RFID–3/09 6.8.4. Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 32. No errors Write Pending – Checksum Required Access Denied (User Zone Not Set) Access Denied (Security Fuses Invalid) PARAM Invalid Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Checksum Failure Password Required Modify Forbidden Memory Write Error - Data Mismatch Memory Access Error Status Codes returned in the Write User Zone response Error/Status Message Status Code $00 $0C $99 $99 $A1 $A2 $A3 $A9 $B0 $C9 $D9 $E9 $ED $EE Type ACK ACK NACK NACK NACK NACK NACK NACK ACK NACK NACK NACK NACK ACK/NACK 6.8.5. Notes The Write User Zone command with Integrated MAC is not supported by 88SC PICCs. 38 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.9. Write System Zone Command [$c4] The Write System Zone command writes data to the configuration memory. Reader PICC Command > PARAM = $00 > CID PARAM ADDR “L” DATA 1 DATA 2 ………. DATA “L” DATA “L+1” CRC1 CRC2 $4 Echo Command > CID $4 ACK/NACK STATUS CRC1 CRC2 6.9.1. Operation The Write System Zone command writes data into the configuration memory. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write System Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If Authentication or Encryption Communication Security is active the DATA bytes written to the password (PW) registers are encrypted; no other bytes are encrypted. In the Normal Communication Security mode none of the bytes are encrypted. The Write System Zone command includes an automatic data verification function when used on 88RF PICCs. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write System Zone command. If the data does not match then the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. 39 5276C–RFID–3/09 6.9.2. Command Field Description CID: PARAM: The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. 88RF PICCs do not support antitearing writes to the configuration memory. PARAM byte options for the Write System Zone command Command Write System Zone Write System Zone w/ AT Write Fuse Byte PARAM $00 $80 $01 ADDR Address Address Fuse addr “L” # of bytes – 1 # of bytes – 1 $00 DATA “L + 1” bytes “L + 1 bytes” 1 byte Table 33. All Other Values Are Not Supported ADDR: L: The starting address of the data to write. The number of bytes to read minus 1. L cannot exceed the physical page size of the memory. In antitearing mode the maximum number of bytes that can be written is 8 bytes. Write Characteristics of CryptoRF Configuration Memory Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write Not Supported 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes Table 34. CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF DATA: CRC: The data bytes to be written into configuration memory. Communication error detection bytes. 6.9.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 40 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.9.4. Error Handling If a Write System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 35. Status Codes returned in the Write System Zone response Error/Status Message No errors PARAM Invalid Address Invalid Length Invalid Integrated Checksum Mode Write Complete Access denied (Write Not Allowed) Checksum Failure Password Required Memory Write Error - Data Mismatch Memory Access Error Status Code $00 $A1 $A2 $A3 $B0 $BA $C9 $D9 $ED $EE Type ACK NACK NACK NACK ACK NACK NACK NACK NACK ACK/NACK 6.9.5. Notes The Write System Zone command is identical for 88SC and 88RF CryptoRF PICCs when PARAM = $00. 88RF PICCs do not support PARAM = $80. Automatic data write verification is performed by 88RF PICCs; this function is not supported by 88SC PICCs. 41 5276C–RFID–3/09 6.10. Write System Zone Command with Integrated MAC [$c4] [88RF] The Write System Zone command with Integrated MAC writes data to the 88RF PICC configuration memory. This command can only be used when the Encryption Communication mode is active. This command is only available when the Security fuses are: SEC = 0b, ENC = 0b, SKY = 1b, PER = 1b. Reader PICC Command > CID PARAM ADDR “L” DATA 1 DATA 2 ………. DATA “L” DATA “L+1” $4 Checksum > MAC1 MAC2 CRC1 CRC2 Echo Command > CID $4 ACK/NACK STATUS CRC1 CRC2 6.10.1. Operation The Write System Zone command with Integrated MAC writes data into the 88RF PICC configuration memory. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write System Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If the Encryption Communication mode is not active, then a NACK response is returned. If the checksum does not match, then a NACK response is returned, the write operation is aborted, and the cryptographic engine is reset. The Write System Zone command with Integrated MAC includes an automatic data verification function. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write System Zone command. If the data does not match the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. 42 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.10.2. Command Field Description CID: PARAM: Table 36. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM byte options for the Write System Zone command for 88RF PICCs Command Write System Zone (Normal / Legacy) Write Fuse Byte Write System Zone with Integrated MAC PARAM $00 $01 $08 ADDR Address Fuse addr Address “L” # of bytes – 1 $00 # of bytes – 1 DATA “L + 1” bytes 1 byte “L + 1 bytes” All Other Values Are Not Supported ADDR: L: DATA: MAC: CRC: The starting address of the data to write. The number of bytes to write minus 1. L cannot exceed the 16 byte physical page size of the memory. The data bytes to be written into configuration memory. The checksum bytes sent to the cryptographic engine. Communication error detection bytes. 6.10.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 43 5276C–RFID–3/09 6.10.4. Error Handling If a Write System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 37. Status Codes returned in the Write System Zone with Integrated MAC response Error/Status Message No errors PARAM Invalid Address Invalid Length Invalid Integrated Checksum Mode Write Complete Access denied (Write Not Allowed) Checksum Failure Password Required Memory Write Error - Data Mismatch Memory Access Error Status Code $00 $A1 $A2 $A3 $B0 $BA $C9 $D9 $ED $EE Type ACK NACK NACK NACK ACK NACK NACK NACK NACK ACK/NACK 6.10.5. Notes The Write System Zone command with Integrated MAC is not supported by 88SC PICCs. 44 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.11. Write System Zone Command, Write Fuse Byte Option [$c4] The Write Fuse Byte Option of the Write System Zone command is used to program the security fuses. Reader PICC Command > PARAM = $01 > CID PARAM ADDR $4 L = $00 > “L” DATA 1 CRC1 CRC2 Echo Command > CID $4 ACK/NACK STATUS CRC1 CRC2 6.11.1. Operation The Write Fuse Byte Option of the Write System Zone command programs the security fuses. Once programmed, the fuses cannot be erased. This operation can be performed in the Normal, Authentication, or Encryption Communication modes. The fuse byte value is never encrypted. Only PICCs in the Active State are permitted to answer this command. 6.11.2. Command Field Description CID: PARAM: Table 38. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM byte options for the Write System Zone command Command Write System Zone Write System Zone w/ AT Write Fuse Byte PARAM $00 $80 $01 ADDR Address Address Fuse addr “L” # of bytes – 1 # of bytes – 1 $00 DATA “L + 1” bytes “L + 1 bytes” 1 byte All Other Values Are Not Supported ADDR: When performing a fuse byte write the ADDR byte contains the address of the fuse; only one fuse may be programmed per Write System Zone command. 45 5276C–RFID–3/09 Table 39. Hex $07 $06 $04 $00 Coding of ADDR for 88SC PICC Fuse Programming Bit 7 0 0 0 0 Bit 6 0 0 0 0 Bit 5 0 0 0 0 Bit 4 0 0 0 0 Bit 3 0 0 0 0 Bit 2 1 1 1 0 Bit 1 1 1 0 0 Bit 0 1 0 0 0 Fuse SEC FAB CMA PER Table 40. Hex $07 $06 $04 $00 Coding of ADDR for 88RF PICC Fuse Programming Bit 7 0 0 0 0 Bit 6 0 0 0 0 Bit 5 0 0 0 0 Bit 4 0 0 0 0 Bit 3 0 0 0 0 Bit 2 1 1 1 0 Bit 1 1 1 0 0 Bit 0 1 0 0 0 Fuse SEC ENC SKY PER L: DATA: CRC: The number of bytes to write minus 1. L must be $00 when writing the Fuse Bytes. One byte of data is required to be sent when writing the fuse byte, however the contents of this byte are ignored. Communication error detection bytes. 6.11.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge; the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 46 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.11.4. Error Handling If a Write System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 41. Status Codes returned in the Write System Zone response for Fuse Byte Writes Error/Status Message Fuse Byte (Successful Fuse Byte Write) Fuse Address Invalid Length Invalid Password Required Fuse Access Denied Access denied (Fuse Order Incorrect) Memory Access Error Status Code Fuse byte $A2 $A3 $D9 $DF $E9 $EE Type ACK NACK NACK NACK NACK NACK ACK/NACK 6.11.5. Notes The Write Fuse Byte option of the Write System Zone command is identical for 88SC and 88RF CryptoRF PICCs. 47 5276C–RFID–3/09 6.12. Read System Zone Command [$c6] The System Read command allows reading of system data from the configuration memory. Reader PICC Command > CID PARAM ADDR “L” CRC1 CRC2 $6 Echo Command > CID NACK STATUS CRC1 CRC2 $6 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 DATA 2 ………. DATA “L” $6 SUCCESS RESPONSE DATA “L+1” STATUS CRC1 CRC2