 |
|
| If you can't view the Datasheet, Please click here to try to view without PDF Reader . |
|
|
|
| If you can't view the Datasheet, Please click here to try to view without PDF Reader . |
|
|
| Datasheet File OCR Text: |
| Features * A Family of Devices with User Memories of 4 Kbits to 64 Kbits * Contactless 13.56 MHz RF Communications Interface ISO/IEC 14443-2:2001 Type B Compliant ISO/IEC 14443-3:2001 Type B Compliant Anticollision Protocol Tolerant of Type A Signaling for Multi-Protocol Applications * Integrated 82 pF Tuning Capacitor * User EEPROM Memory Configurations: 64 Kbits Configured as Sixteen 512 byte (4 Kbit) User Zones [AT88SC6416CRF] 32 Kbits Configured as Sixteen 256 byte (2 Kbit) User Zones [AT88SC3216CRF] 16 Kbits Configured as Sixteen 128 byte (1 Kbit) User Zones [AT88SC1616CRF] 8 Kbits Configured as Eight 4 Kbits Configured as Four Self Timed Write Cycle 128 byte (1 Kbit) User Zones [AT88SC0808CRF] 128 byte (1 Kbit) User Zones [AT88RF04C] CryptoRF(R) Specification AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Byte, Page, and Partial Page Write Modes * 256 byte (2 Kbit) Configuration Memory User Programmable Application Family Identifier (AFI) User-defined Anticollision Polling Response User-defined Keys and Passwords Read-Only Unique Die Serial Number * High Security Features Selectable Access Rights by Zone 64-bit Mutual Authentication Protocol (under license of ELVA) Encrypted Checksum Stream Encryption using 64-bit Key Four Key Sets for Authentication and Encryption Four or Eight 24-bit Password Sets Password and Authentication Attempts Counters Anti-tearing Function Tamper Sensors * High Reliability Endurance : 100,000 Write Cycles Data Retention : 10 Years 5276C-RFID-3/09 Description The CryptoRF(R) family integrates a 13.56 MHz RF interface with CryptoMemory(R) security features. This product line is ideal for RF tags and contactless smart cards that can benefit from advanced security and cryptographic features. The device is optimized as a contactless secure memory for secure data storage without the requirement of an internal microprocessor. For communications the RF interface utilizes the ISO/IEC 14443-2 and -3 Type B bit timing and signal modulation schemes, and the ISO/IEC 14443-3 Slot-MARKER Anticollision Protocol. Data is exchanged half duplex at a 106k bit per second rate, with a two byte CRC_B providing error detection capability. The RF interface powers the other circuits, no battery is required. Full compliance with the ISO/IEC 14443 -2 and -3 standards provides both a proven RF communication interface, and a robust anticollision protocol. The five products in the CryptoRF family contain 4 Kbits to 64 Kbits of User Memory plus 2 Kbits of Configuration Memory. The 2 Kbits of Configuration Memory contains read/write password sets, four crypto key sets, security access registers for each user zone, and password/key registers for each zone. The CryptoRF command set is optimized for a multi-card RF communications environment. A programmable AFI register allows this IC to be used in numerous applications in the same geographic area with seamless discrimination of cards assigned to a particular application during the anticollision process. Figure 1. Block Diagram RF Interface AC1 Command and Response EEPROM Modulator ifi er C VSS R ec t Over Voltage Clamp Data Transfer Regulator VDD Password Verification AC2 Clock Extraction Data Extraction Frame Formatting and Error Detection Interface Anticollision Authentication Encryption and Certification Unit Random Number Generator 2 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table of Contents Features Description .................................................................................................................................................. 1 .................................................................................................................................................. 2 1. Introduction.............................................................................................................................................. 5 1.1. Communications .............................................................................................................................. 5 1.2. Scope............................................................................................................................................... 5 1.3. Conventions..................................................................................................................................... 5 2. User Memory............................................................................................................................................ 7 3. Configuration Memory ............................................................................................................................ 8 4. Command Set .......................................................................................................................................... 9 5. Anticollision Command Definitions..................................................................................................... 10 5.1. REQB / WUPB Polling Commands [$05] ...................................................................................... 10 5.2. Slot MARKER Command [$s5]...................................................................................................... 13 5.3. ATTRIB Command [$1D]............................................................................................................... 15 5.4. HLTB Command [$50]................................................................................................................... 18 6. Active State Command Definitions...................................................................................................... 19 6.1. Response Format .......................................................................................................................... 19 6.2. Set User Zone Command [$c1] ..................................................................................................... 21 6.3. Read User Zone Command [$c2].................................................................................................. 23 6.4. Read User Zone (Large Memory) Command [$c2] ....................................................................... 25 6.5. Read User Zone Command with Integrated MAC [$c2] [88RF] ................................................... 27 6.6. Write User Zone Command [$c3] .................................................................................................. 30 6.7. Write User Zone (Large Memory) Command [$c3] ....................................................................... 33 6.8. Write User Zone Command with Integrated MAC [$c3] [88RF] ................................................... 36 6.9. Write System Zone Command [$c4].............................................................................................. 39 6.10. Write System Zone Command with Integrated MAC [$c4] [88RF]............................................... 42 6.11. Write System Zone Command, Write Fuse Byte Option [$c4] ...................................................... 45 6.12. Read System Zone Command [$c6] ............................................................................................. 48 6.13. Read System Zone Command, Read Fuse Byte Option [$c6]...................................................... 51 6.14. Read System Zone Command, Read Checksum Option [$c6]..................................................... 54 6.15. Verify Crypto Command [$c8] ....................................................................................................... 56 6.16. Send Checksum Command [$c9].................................................................................................. 59 6.17. DESELECT Command [$cA]......................................................................................................... 61 6.18. IDLE Command [$cB].................................................................................................................... 62 6.19. Check Password Command [$cC]................................................................................................. 63 7. Transaction Flow ................................................................................................................................... 66 8. Absolute Maximum Ratings*................................................................................................................ 67 9. Reliability................................................................................................................................................ 67 10. Electrical Characteristics ..................................................................................................................... 68 10.1. Tamper Detection .......................................................................................................................... 68 3 5276C-RFID-3/09 Appendix A. Terms and Abbreviations ..................................................................................................... 69 Appendix B. Standards and Reference Documents ................................................................................ 74 Appendix C. User Memory Maps ............................................................................................................... 75 Appendix D. Configuration Memory Maps ............................................................................................... 80 Appendix E. Device Personalization ......................................................................................................... 84 Appendix F. Secure Personalization [88RF] ........................................................................................... 88 Appendix G. Security Fuses....................................................................................................................... 91 Appendix H. Configuration of Password and Access Control Registers.............................................. 94 Appendix I. Using Password Security ................................................................................................... 101 Appendix J. Using Authentication Communication Security .............................................................. 106 Appendix K. Using Encryption Communication Security..................................................................... 115 Appendix L. Understanding Anti-Tearing .............................................................................................. 125 Appendix M. Personalization of the Anticollision Registers ................................................................ 129 Appendix N. Understanding Anticollision .............................................................................................. 134 Appendix O. The ISO/IEC 14443 Type B RF Signal Interface................................................................ 136 Appendix P. RF Specifications and Characteristics ............................................................................. 140 Appendix Q. Transaction Time ................................................................................................................ 144 Appendix R. 88RF PICC Backward Compatibility.................................................................................. 148 Appendix S. Ordering Information .......................................................................................................... 150 Appendix T. Errata .................................................................................................................................... 155 Appendix U. Revision History.................................................................................................................. 157 4 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 1. Introduction The CryptoRF family consists of devices in the AT88SCxxxxCRF and AT88RFxxC catalog number series. The first generation devices are assigned catalog numbers in the AT88SCxxxxCRF series. The second generation devices are assigned catalog numbers in the AT88RFxxC series. Several security options have been added to the second generation devices to enhance system security. 1.1. Communications All personalization and communication with this device is performed through the RF interface. The IC includes an integrated tuning capacitor, enabling it to operate with only the addition of a single external coil antenna. The RF communications interface is fully compliant with the electrical signaling and RF power specifications in ISO/IEC 14443-2 for Type B only. Anticollision operation and frame formatting are compliant with ISO/IEC 14443-3 for Type B only. 1.2. Scope This CryptoRF Specification document includes all specifications for the Normal, Authentication, and Encryption modes of CryptoRF operation. 1.3. Conventions ISO/IEC 14443 nomenclature is used in this specification where applicable. The following abbreviations are utilized throughout this document. Additional terms are defined in Appendix A. Proximity Coupling Device - is the reader/writer and antenna. Proximity Integrated Circuit Card - is the tag/card containing the IC and antenna. Reserved for Future Use - is any feature, memory location, or bit that is held as reserved for future use by the ISO standards committee or by Atmel. * $xx: Hexadecimal Number - denotes a hex number "xx" (Most Significant Bit on left). * xxxxb: Binary Number - denotes a binary number "xxxx" (Most Significant Bit on left). * 88SC: CryptoRF devices in the AT88SCxxxxCRF catalog number series. * 88RF: CryptoRF devices in the AT88RFxxC catalog number series. This document contains the specifications for AT88SCxxxxCRF and AT88RFxxC CryptoRF devices. Any specification that applies only to first generation AT88SCxxxxCRF devices references: "88SC" devices, "88SC" PICCs, or contain "[88SC]" in the section title. Any specification that applies only to second generation AT88RFxxC devices references: "88RF" devices, "88RF" PICCs, or contain "[88RF]" in the section title. Specifications that apply to all devices are referred to as CryptoRF specifications. Each command / response exchange between the PCD and PICC is formatted as shown in Figure 2. The bytes are shown in the order in which they are transmitted, with PCD transmissions in the left column, and PICC transmissions in the right column. * PCD: * PICC: * RFU: 5 5276C-RFID-3/09 Each byte contains one or more fields as indicated by lines drawn vertically within the byte. The field in the left half of the byte is the upper nibble of the byte, and the field to the right is the lower nibble of the byte. In Figure 2, five fields contain values ($1D, $00, $F, $51, $0), four fields contain field names ("Addr", "XX", "CID", "Data"), and four fields contain error detection codes (CRC1, CRC2). Figure 2. Example Command and Response Format Reader Command First Byte > Command Second Byte > Command Third Byte > Command Fourth Byte > Command Fifth Byte > CRC First Byte > CRC Second Byte > TR2 Response First Byte > Response Second Byte > CRC First Byte > CRC Second Byte > $0 DATA CRC1 CRC2 CID $F $51 CRC1 CRC2 $1D $00 ADDR XX PICC The CRC error detection codes are calculated using all of the previous bytes in the command or response and are appended to each command and response to allow detection of RF communication errors. These bytes are required by ISO/IEC 14443-3:2001 and are usually calculated and verified in the reader hardware. 6 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 2. User Memory The User EEPROM Memory characteristics are summarized in Table 1. User Memory is divided into equally sized User Zones. Access to the User Zones is allowed only after security requirements have been met. These security requirements are defined by the user in the configuration memory during personalization of the device. The default configuration is open read/write access to all user memory zones. For User Memory Maps see Appendix C. Table 1. CryptoRF User Memory Characteristics User Memory Size User Memory Organization Bits 4K 8K 16K 32K 64K Bytes 512 1K 2K 4K 8K # Zones 4 8 16 16 16 Bytes/Zones 128 128 128 256 512 Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 7 5276C-RFID-3/09 3. Configuration Memory The configuration memory consists of 2048 bits of EEPROM memory used for storing system data, passwords, keys, codes, and access control registers for each user zone. Access rights to the configuration memory are defined in the control logic and cannot be altered by the user. These access rights include the ability to program certain portions of the configuration memory and then lock the data written through use of the security fuses. The Read System Zone and Write System Zone commands are used to access the configuration memory. For Configuration Memory Maps see Appendix D. Table 2. Configuration Memory Characteristics Password Sets 4 Sets 8 Sets 8 Sets 8 Sets 8 Sets Key Sets 4 Sets 4 Sets 4 Sets 4 Sets 4 Sets OTP Memory Free For Customer Use 25 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes Transport Password PW Index $07 $07 $07 $07 $07 Password $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 8 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 4. Command Set The CryptoRF command set contains two types of commands: Anticollision commands, and Active State commands. Anticollision commands are explicitly defined in ISO/IEC 14443-3:2001. The CryptoRF Active State commands are Atmel defined commands that are compliant with the ISO/IEC 14443-3:2001 requirements. The CryptoRF Active State commands contain the CID code that is assigned to a card when it is selected during the anticollision process. See the ATTRIB command for coding of the CID bits. Table 3. Bit 7 0 Coding of the Command Byte for the Anticollision Command Set Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 0 1 1 1 0 Bit 2 1 1 1 0 Bit 1 0 0 0 0 Bit 0 1 1 1 0 Command Name REQB/WUPB Slot MARKER ATTRIB HLTB Hexadecimal $05 $s5 $1D $50 Slot Number 0 0 0 1 0 0 Table 4. Bit 7 Coding of the Command byte for the CryptoRF Active State Command Set. Bit 6 CID CID CID CID CID CID CID CID CID CID Bit 5 Bit 4 Bit 3 0 0 0 0 0 1 1 1 1 1 Bit 2 0 0 0 1 1 0 0 0 0 1 Bit 1 0 1 1 0 1 0 0 1 1 0 Bit 0 1 0 1 0 0 0 1 0 1 0 Command Name Set User Zone Read User Zone Write User Zone Write System Zone Read System Zone Verify Crypto Send Checksum DESELECT IDLE Check Password Hexadecimal $c1 $c2 $c3 $c4 $c6 $c8 $c9 $cA $cB $cC All Other Values Are Not Supported 9 5276C-RFID-3/09 5. Anticollision Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. 5.1. REQB / WUPB Polling Commands [$05] The REQB / WUPB command is used to search for PICCs in the RF field. The command and response are ISO/IEC 14443-3:2001 compliant. Reader PICC Command > $05 AFI PARAM CRC1 CRC2 ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 5.1.1. Operation The "Request B" (REQB) and "Wake-Up B" (WUPB) commands are used to probe the RF field for Type B PICCs as the first step in the anticollision process. The response to an REQB or WUPB command is the "Answer to Request B" (ATQB). PICCs in the Active State are not permitted to answer this command. 10 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5.1.2. Command Field Descriptions AFI: The Application Family Identifier (AFI) is used to select the family and sub-family of cards which the PCD is targeting. Only PICCs with a matching AFI code are permitted to answer an REQB or WUPB command. Table 5 describes the AFI matching criteria. An AFI of $00 activates all Type B PICCs. AFI matching criteria for polling commands received by the PICC. AFI Low Bits $0 $0 "Y" "Y" REQB/WUPB Polling produces a PICC response from: All Families and sub-families All sub-families of Family "X" Only sub-family "Y" of Family "X" Proprietary sub-family "Y" Only Table 5. AFI High Bits $0 "X" "X" $0 "Y" = $1 to $F "X" = $1 to $F PARAM: The PARAM byte is used to send two parameters to the PICC. The parameter "N", which assigns the number of anticollision slots, and the REQB / WUPB selection bit. Definition of the PARAM byte in the REQB/WUPB command. Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 RW Bit 2 Bit 1 N Bit 0 Figure 3. Bit 7 0 Table 6. Bit 2 0 0 0 0 1 1 1 1 Table 7. Bit 3 0 1 Coding of "N", the number of anticollision slots, in the PARAM byte. Bit 1 0 0 1 1 0 0 1 1 Bit 0 0 1 0 1 0 1 0 1 N 1 2 4 8 16 RFU RFU RFU Coding of the REQB / WUPB selection bit in the PARAM byte. Command REQB WUPB Communication error detection bytes. CRC: 11 5276C-RFID-3/09 5.1.3. Response Field Descriptions PUPI: APP: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. Application Data. Information about the card or application, stored in the System Zone. The fourth byte of the application data field, APP3, is programmed by Atmel with a memory density code at the factory to permit easy identification of different card sizes. The memory density codes programmed by Atmel are shown in Table 8. Table 8. Default value of APP3 is the CryptoRF Memory Density Code Device Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Protocol: CRC: Density Code $22 $33 $44 $54 $64 ISO/IEC 14443 communication capabilities reported to the PCD. Communication error detection bytes. 5.1.4. Error Handling If an REQB or WUPB command containing errors is received by the PICC, it is ignored and no response is sent. 5.1.5. Notes The REQB and WUPB commands are identical for 88SC and 88RF CryptoRF PICCs. 12 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5.2. Slot MARKER Command [$s5] The Slot MARKER command can be used to separately identify multiple PICCs in the RF field. The command and response are ISO/IEC 14443-3:2001 compliant. Reader PICC Command > S CRC1 CRC2 $5 ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 5.2.1. Operation Slot MARKER is an optional command used to perform ISO/IEC 14443-3 Type B anticollision using the timeslot approach. Immediately after an REQB or WUPB command with "N" greater than 1 is issued, and the ATQB response (if any) is received, the PCD will transmit Slot MARKER commands with slot values "S" of 2 to "N" to define the start of each timeslot for anticollision. If the random number "R" selected by the PICC matches "S" then the PICC responds with ATQB. PICCs in the Active State are not permitted to answer this command. 5.2.2. Command Field Description S: CRC: The slot number "S" is encoded within the command byte as shown in Table 9. Communication error detection bytes. 13 5276C-RFID-3/09 Table 9. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 Coding of the slot number within the Slot MARKER command byte. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Slot Not Supported 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 5.2.3. Response Field Description PUPI: APP: Protocol: CRC: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. Application Data. Information about the card or application, stored in the System Zone. ISO/IEC 14443 communication capabilities reported to the PCD. Communication error detection bytes. 5.2.4. Error Handling If a Slot MARKER command containing errors is received by the PICC, it is ignored and no response is sent. 5.2.5. Notes The Slot MARKER command is identical for 88SC and 88RF CryptoRF PICCs. 14 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5.3. ATTRIB Command [$1D] The ATTRIB command is used to select a PICC for a transaction. The command and response are ISO/IEC 144433:2001 compliant. Reader PICC Command > $1D PUPI 0 PUPI of PCI > PUPI 1 PUPI 2 PUPI 3 Param 1 > Param 2 > Param 3 > Param 4 Assigns CID > $0 $0 $00 TBmax $00 CID CRC1 CRC2 ATTRIB Response > $0 CRC1 CRC2 CID SUCCESS RESPONSE 5.3.1. Operation Sending the ATTRIB command (with a matching PUPI) after an ATQB response places the PICC in the Active State and assigns the Card ID Number (CID) to the PICC. PICCs already in the Active State or Halt State are not permitted to answer this command. 15 5276C-RFID-3/09 5.3.2. Command Field Descriptions PUPI: Param: TBmax: CID: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. ISO/IEC 14443 communication capabilities reported to the PICC. The contents of Param Bytes 1, 2, and 3 do not alter the behavior of CryptoRF PICCs. A parameter sent by the PCD reporting the receive buffer size of the PCD. Default value is $0. The Card ID Number (CID) in ATTRIB Param Byte 4 and in the ATTRIB Response is encoded as shown in Table 10 and Table 11. Each PICC is assigned a unique CID when it is placed in the Active State. CryptoRF Active State commands use the assigned CID to direct the commands to the desired PICC. Coding of the Card ID in the ATTRIB command and response for 88SC PICCs. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 CID Not Supported 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Not Supported Table 10. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 16 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 11. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 CRC: Coding of the Card ID in the ATTRIB command and response for 88RF PICCs. Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 1 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 CID 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Not Supported Communication error detection bytes. 5.3.3. Response Field Descriptions CID: CRC: The PICC transmits its assigned card ID in the response. Communication error detection bytes. 5.3.4. Error Handling If an ATTRIB command containing transmission errors is received by the PICC, it is ignored and no response is sent. 5.3.5. Notes The ATTRIB command for 88SC PICCs is used to assign a CID in the range of 1 to 15 to the PICC; CID = 0 is not supported. The ATTRIB command for 88RF PICCs is used to assign a CID in the range of 0 to 15 to the PICC. 17 5276C-RFID-3/09 5.4. HLTB Command [$50] The HLTB command places a PICC in the Halt State, where it is not allowed to answer an REQB command. The command and response are ISO/IEC 14443-3 compliant. Reader PICC Command > $50 PUPI 0 PUPI of PCI > PUPI 1 PUPI 2 PUPI 3 CRC1 CRC2 HLTB Response > $00 CRC1 CRC2 SUCCESS RESPONSE 5.4.1. Operation Sending the "Halt B" (HLTB) command (with a matching PUPI) after an ATQB response places the PICC in the Halt State. A PICC in the Halt State will only respond to a WUPB command. PICCs in the Active State or already in the Halt State are not permitted to answer this command. 5.4.2. Command Field Descriptions PUPI: CRC: PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. Communication error detection bytes. 5.4.3. Response Field Description CRC: Communication error detection bytes. 5.4.4. Error Handling If a HLTB command containing errors is received by the PICC, it is ignored and no response is sent. 5.4.5. Notes The HLTB command is identical for 88SC and 88RF CryptoRF PICCs. 18 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6. Active State Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. Several of the Active state commands perform multiple functions; the value of the PARAM byte determines which function is performed. Table 12. Bit 7 Coding of the Command byte for the CryptoRF Active State Command Set Bit 6 CID CID CID CID CID CID CID CID CID CID Bit 5 Bit 4 Bit 3 0 0 0 0 0 1 1 1 1 1 Bit 2 0 0 0 1 1 0 0 0 0 1 Bit 1 0 1 1 0 1 0 0 1 1 0 Bit 0 1 0 1 0 0 0 1 0 1 0 Command Name Set User Zone Read User Zone Write User Zone Write System Zone Read System Zone Verify Crypto Send Checksum DESELECT IDLE Check Password Hexadecimal $c1 $c2 $c3 $c4 $c6 $c8 $c9 $cA $cB $cC All Other Values Are Not Supported 6.1. Response Format The response to each Active State command consists of five bytes or more. The first byte of the response is the command byte echoed back to the PCD. The second byte is the ACK/NACK byte which reports success or failure of the command execution. The final two bytes of the response are always the CRC bytes. The CRC bytes are preceded by a STATUS byte which reports error codes or PICC status codes. Any data bytes returned by the command are located between the ACK/NACK and STATUS bytes. Table 13. Coding of the ACK/NACK byte of the PICC response Bit 5 0 0 Bit 4 0 0 Bit 3 0 0 0 0 Bit 2 0 0 0 0 Bit 1 0 0 0 0 Bit 0 0 1 1 1 ACK NACK, See STATUS byte for PICC information NACK, Check Password Attempt Failure NACK, Authentication or Encryption Attempt Failure Response Decode Bit 7 0 0 Bit 6 0 0 Password Attempts Count Auth. Attempts Count The ACK/NACK byte reports success or failure of the command execution. In the event of a Check Password command failure or Verify Crypto command failure the ACK/NACK byte contains an attempts count coded as shown in Table 14 and Table 15. The STATUS byte provides information to the host application indicating the state of the PICC or the reason for failure of a requested operation. The STATUS byte does not report the success or failure of a command. In the event of multiple errors, the STATUS byte reports the first error detected. The PICC ignores commands that do not have a matching CID. Invalid command codes are also ignored. 19 5276C-RFID-3/09 Table 14. Coding of the Password Attempts Count or Authentication Attempts Count in the 88SC ACK/NACK byte. Bit 7 0 0 0 0 0 0 0 0 1 Bit 6 0 0 0 0 1 1 1 1 0 Bit 5 0 0 1 1 0 0 1 1 0 Bit 4 0 1 0 1 0 1 0 1 0 Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts Hexadecimal $0 $1 $2 $3 $4 $5 $6 $7 $8 Table 15. Coding of the Password Attempt Count or Authentication Attempts Count in the 88RF ACK/NACK byte. Bit 7 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 Bit 6 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 5 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts 9 Failed Attempts 10 Failed Attempts 11 Failed Attempts 12 Failed Attempts 13 Failed Attempts 14 Failed Attempts 15 Failed Attempts (LOCK) Hexadecimal $0 $1 $2 $3 $4 $5 $6 $7 $8 $9 $A $B $C $D $E $F 20 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.2. Set User Zone Command [$c1] The Set User Zone command selects the user memory area to be addressed by the Read User Zone and Write User Zone commands. Reader PICC Command > CID PARAM CRC1 CRC2 $1 Echo Response > CID $1 ACK/NACK STATUS CRC1 CRC2 6.2.1. Operation Before reading and writing data to the user memory, the host must select a User Zone with this command. Only one User Zone may be selected at a time. At the time the zone is selected the host also chooses whether anti-tearing is active for the selected zone. If anti-tearing is activated, then all writes to the User Zone will utilize anti-tearing until a new Set User Zone command is received. Only PICCs in the Active State are permitted to answer this command. 6.2.2. Command Field Description CID: PARAM: Table 16. Bit 7 AT Table 17. Bit 7 0 1 The Card ID assigned by the ATTRIB command. Selects the User Zone and sets anti-tearing on or off. Definition of the PARAM byte of the Set User Zone command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 Bit 2 Bit 1 Bit 0 User Zone Coding of the Anti-Tearing Select bit within the PARAM byte Write User Zone Normal Write Enabled Anti-Tearing Write Enabled 21 5276C-RFID-3/09 Table 18. Bit 3 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 CRC: Coding of the User Zone number within the PARAM byte Bit 2 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 Bit 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 Bit 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 User Zone 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Communication error detection bytes. 6.2.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 6.2.4. Error Handling If a Set User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. Table 19. Status Codes returned in the Set User Zone response Error/Status Message No Errors User Zone PARAM Invalid Status Code $00 $A1 Type ACK NACK 6.2.5. Notes The Set User Zone command is identical for 88SC and 88RF CryptoRF PICCs. 22 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.3. Read User Zone Command [$c2] The Read User Zone command reads data from the currently selected User Zone. See Read User Zone (Large Memory) command for the AT88SC6416CRF read command information. Reader Command > PARAM = $00 > CID PARAM ADDR "L" CRC1 CRC2 Echo Command > CID NACK STATUS CRC1 CRC2 Echo Command > CID ACK DATA 1 DATA 2 .......... DATA "L" DATA "L+1" STATUS CRC1 CRC2 The Read User Zone command reads data from the device's currently selected User Zone. The data byte address is internally incremented as each byte is read from memory. Reading beyond the end of the current User Zone is prohibited. Only PICCs in the Active State are permitted to answer this command. If Encryption Communication Security is active the DATA bytes are encrypted; no other bytes are encrypted. In the Normal and Authentication Communication Security modes none of the bytes are encrypted. 23 5276C-RFID-3/09 6.3.2. Command Field Descriptions CID: PARAM: ADDR: L: The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of read operation to be performed. PARAM = $00 selects the normal Read User Zone command. The starting address of the data to read. The number of bytes to read minus 1. L cannot exceed the size of the user zone. Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 data bytes in a single operation. CRC: Communication error detection bytes. 6.3.3. Response Field Descriptions CID: ACK: NACK: DATA: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. The data bytes read from user memory. PICC status code. Communication error detection bytes. 6.3.4. Error Handling If a Read User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 20. Status Codes returned in the Read User Zone response Error/Status Message No errors Access Denied (User Zone Not Set) PARAM Invalid Address Invalid Length Invalid Authentication or Encryption Activation Required Password Required Memory Access Error Status Code $00 $99 $A1 $A2 $A3 $A9 $D9 $EE Type ACK NACK NACK NACK NACK NACK NACK ACK/NACK 6.3.5. Notes The Read User Zone command is identical for 88SC and 88RF CryptoRF PICCs when PARAM = $00. 24 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.4. Read User Zone (Large Memory) Command [$c2] The Read User Zone (Large Memory) command reads data from the currently selected User Zone. This command format applies to the AT88SC6416CRF device only. Reader PICC Command > PARAM = ADDR H CID ADDR H ADDR L "L" CRC1 CRC2 $2 Echo Command > CID NACK STATUS CRC1 CRC2 $2 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 DATA 2 .......... DATA "L" $2 SUCCESS RESPONSE DATA "L+1" STATUS CRC1 CRC2 The Read User Zone (Large Memory) command operates identically to the standard Read User Zone command, but utilizes a two byte address to support large memory sizes. The Read User Zone command reads data from the device's currently selected User Zone. The data byte address is internally incremented as each byte is read from memory. Reading beyond the end of the current User Zone is prohibited. Only PICCs in the Active State are permitted to answer this command. If Encryption Communication Security is active the DATA bytes are encrypted; no other bytes are encrypted. In the Normal and Authentication Communication Security modes none of the bytes are encrypted. 25 5276C-RFID-3/09 6.4.2. Command Field Description CID: PARAM: Table 21. Bit 7 0 ADDR: L: The Card ID assigned by the ATTRIB command. The PARAM byte is the ADDR H byte of Read User Zone (Large Memory) command. Definition of the PARAM (ADDR H) byte of the Read User Zone (Large Memory) command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 Bit 2 0 Bit 1 0 Bit 0 A8 The two byte starting address of the location to read. The number of bytes to read minus 1. L cannot exceed the size of the user zone. Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 data bytes in a single operation. CRC: Communication error detection bytes. 6.4.3. Response Field Descriptions CID: ACK: NACK: DATA: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. The data bytes read from user memory. PICC status code. Communication error detection bytes. 6.4.4. Error Handling If a Read User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 22. Status Codes returned in the Read User Zone (Large Memory) response. Error/Status Message No errors Access Denied (User Zone Not Set) Address Invalid Length Invalid Authentication or Encryption Activation Required Password Required Memory Access Error Status Code $00 $99 $A2 $A3 $A9 $D9 $EE Type ACK NACK NACK NACK NACK NACK ACK/NACK 6.4.5. Notes The Read User Zone (Large Memory) command is not supported by 88RF PICCs. 26 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.5. Read User Zone Command with Integrated MAC [$c2] [88RF] The Read User Zone command with Integrated MAC reads data from the currently selected User Zone on 88RF PICCs. This command can only be used when the Authentication or Encryption Communication Security mode is active. Reader Command > PARAM = $80 > CID PARAM ADDR "L" CRC1 CRC2 Echo Command > CID NACK STATUS CRC1 CRC2 Echo Command > CID ACK DATA 1 DATA 2 .......... DATA "L" DATA "L+1" MAC1 MAC2 STATUS CRC1 CRC2 < Status Code < Checksum $2 SUCCESS RESPONSE < Error Code $2 FAILURE RESPONSE $2 PICC 6.5.1. Operation The Read User Zone command with Integrated MAC reads data from the 88RF device's currently selected User Zone and also returns the cryptographic checksum. If the RCS bit of the DCR register is set to 1b, then the cryptographic engine is reset after the checksum is read. If the RCS bit of the DCR register is set to 0b, then the cryptographic engine is not reset by this command. The data byte address is internally incremented as each byte is read from memory. Reading beyond the end of the current User Zone is prohibited. Only PICCs in the Active State are permitted to answer this command. If the Authentication or Encryption Communication Security mode is not active, then a NACK response is returned. If the Encryption Communication Security mode is active, then the DATA bytes are encrypted. In Authentication Communication Security mode the DATA bytes are not encrypted. 27 5276C-RFID-3/09 6.5.2. Command Field Descriptions CID: PARAM: Table 23. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of read operation to be performed. PARAM byte options for the Read User Zone command for 88RF PICCs. Command Read User Zone (Normal / Legacy) Read User Zone with Integrated MAC All Other Values Are Not Supported The starting address of the data to read. The number of bytes to read minus 1. L cannot exceed the size of the user zone. PARAM $00 $80 ADDR: L: Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 data bytes in a single operation. CRC: Communication error detection bytes. 6.5.3. Response Field Descriptions CID: ACK: NACK: DATA: MAC: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. The data bytes read from user memory. The checksum bytes read from the cryptographic engine. PICC status code. Communication error detection bytes. 28 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.5.4. Error Handling If a Read User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 24. Status Codes returned in the Read User Zone response Error/Status Message No errors Access Denied (User Zone Not Set) PARAM Invalid Address Invalid Length Invalid Authentication or Encryption Activation Required Password Required Memory Access Error Status Code $00 $99 $A1 $A2 $A3 $A9 $D9 $EE Type ACK NACK NACK NACK NACK NACK NACK ACK/NACK 6.5.5. Notes The Read User Zone command with Integrated MAC is not supported by 88SC PICCs. 29 5276C-RFID-3/09 6.6. Write User Zone Command [$c3] The Write User Zone command writes data into the currently selected User Zone. See Write User Zone (Large Memory) command for the AT88SC6416CRF write command information. Reader PICC Command > PARAM =$00 > CID PARAM ADDR "L" DATA 1 DATA 2 .......... DATA "L" DATA "L+1" CRC1 CRC2 $3 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 6.6.1. Operation The Write User Zone command writes data in the device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If Encryption Communication Security is active the DATA bytes are encrypted; no other bytes are encrypted. In the Normal and Authentication Communication Security modes none of the bytes are encrypted. The Write User Zone command includes an automatic data verification function when used on 88RF PICCs. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write User Zone command. If the data does not match then the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. 30 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.6.2. Command Field Description CID: PARAM: ADDR: L: The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM = $00 selects the normal Write User Zone command. The starting address of the location to be written. The number of bytes to read minus 1. "L" cannot exceed the physical page size of the memory. In antitearing mode the maximum number of bytes that can be written is 8 bytes. If the Access Register enables Write Lock mode or Program Only mode, the maximum number of bytes that can be written is 1 byte. Write Characteristics of CryptoRF Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes Table 25. CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF DATA: CRC: The data bytes to be written into user memory. Communication error detection bytes. 6.6.3. Response Field Description CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 31 5276C-RFID-3/09 6.6.4. Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 26. No errors Write Pending - Checksum Required One Byte Written (Write Lock Mode) Access Denied (User Zone Not Set) Access Denied (Security Fuses Invalid) PARAM Invalid Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Access denied (Write Lock Mode) Checksum Failure Password Required Modify Forbidden Memory Write Error - Data Mismatch Memory Access Error Status Codes returned in the Write User Zone response Error/Status Message Status Code $00 $0C $1B $99 $99 $A1 $A2 $A3 $A9 $B0 $B9 $C9 $D9 $E9 $ED $EE Type ACK ACK ACK NACK NACK NACK NACK NACK NACK ACK NACK NACK NACK NACK NACK ACK/NACK 6.6.5. Notes The Write User Zone command is identical for 88SC and 88RF CryptoRF PICCs when PARAM = $00. Automatic data write verification is performed by 88RF PICCs; this function is not supported by 88SC PICCs. 32 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.7. Write User Zone (Large Memory) Command [$c3] The Write User Zone command writes data into the currently selected User Zone. This command format applies to the AT88SC6416CRF device only. Reader PICC Command > PARAM = ADDR H CID ADDR H ADDR L "L" DATA 1 DATA 2 .......... DATA "L" DATA "L+1" CRC1 CRC2 $3 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 6.7.1. Operation The Write User Zone (Large Memory) command operates identically to the normal Write User Zone command, but utilizes a two byte address to support large memory sizes. The Write User Zone command writes data in the device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If Encryption Communication Security is active the DATA bytes are encrypted; no other bytes are encrypted. In the Normal and Authentication Communication Security modes none of the bytes are encrypted. 33 5276C-RFID-3/09 6.7.2. Command Field Descriptions CID: PARAM: Table 27. Bit 7 0 ADDR: L: The Card ID assigned by the ATTRIB command. The PARAM byte is the ADDR H byte of Write User Zone (Large Memory) command. Definition of the PARAM (ADDR H) byte of the Write User Zone (Large Memory) command Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 0 Bit 2 0 Bit 1 0 Bit 0 A8 The two byte starting address of the location to be written. The number of bytes to read minus 1. "L" cannot exceed the physical page size of the memory. In antitearing mode the maximum number of bytes that can be written is 8 bytes. If the Access Register enables Write Lock mode or Program Only mode, the maximum number of bytes that can be written is 1 byte. Write Characteristics of Large Memory CryptoRF Write Characteristics Standard Write 1 to 32 Bytes Anti-Tearing Write 1 to 8 Bytes Table 28. CryptoRF Part Number AT88SC6416CRF DATA: CRC: The data bytes to be written into user memory. Communication error detection bytes. 6.7.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 34 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.7.4. Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 29. No errors Write Pending - Checksum Required One Byte Written (Write Lock Mode) Access Denied (User Zone Not Set) Access Denied (Security Fuses Invalid) Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Access denied (Write Lock Mode) Password Required Modify Forbidden Memory Access Error Status Codes returned in the Write User Zone (Large Memory) response Error/Status Message Status Code $00 $0C $1B $99 $99 $A2 $A3 $A9 $B0 $B9 $D9 $E9 $EE Type ACK ACK ACK NACK NACK NACK NACK NACK ACK NACK NACK NACK ACK/NACK 6.7.5. Notes The Write User Zone (Large Memory) command is not supported by 88RF PICCs. 35 5276C-RFID-3/09 6.8. Write User Zone Command with Integrated MAC [$c3] [88RF] The Write User Zone command with Integrated MAC writes data into the currently selected User Zone of 88RF PICCs. This command can only be used when the Authentication or Encryption Communication Security mode is active. Reader PICC Command > PARAM = $80 > CID PARAM ADDR "L" DATA 1 DATA 2 .......... DATA "L" DATA "L+1" $3 Checksum > MAC1 MAC2 CRC1 CRC2 Echo Command > CID $3 ACK/NACK STATUS CRC1 CRC2 6.8.1. Operation The Write User Zone command with Integrated MAC writes data in the 88RF device's currently selected User Zone. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write User Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If the Authentication or Encryption Communication Security mode is not active, then a NACK response is returned. If the checksum does not match, then a NACK response is returned, the write operation is aborted, and the cryptographic engine is reset. The Write User Zone command with Integrated MAC includes an automatic data verification function. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write User Zone command. If the data does not match the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. If the Encryption Communication Security mode is active, then the DATA bytes are encrypted. In Authentication Communication Security mode the DATA bytes are not encrypted. 36 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.8.2. Command Field Description CID: PARAM: Table 30. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM byte options for the Write User Zone command for 88RF PICCs. Command Write User Zone (Normal / Legacy) Write User Zone with Integrated MAC All Other Values Are Not Supported. The starting address of the location to be written. The number of bytes to write minus 1. "L" cannot exceed the 16 byte physical page size of the memory. In anti-tearing mode the maximum number of bytes that can be written is 8 bytes. Write Characteristics of 88RF PICCs Write Characteristics Normal Write 1 to 16 Bytes Anti-Tearing Write 1 to 8 Bytes PARAM $00 $80 ADDR: L: Table 31. CryptoRF Part Number AT88RF04C DATA: MAC: CRC: The data bytes to be written into user memory. The checksum bytes sent to the cryptographic engine. Communication error detection bytes. 6.8.3. Response Field Description CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 37 5276C-RFID-3/09 6.8.4. Error Handling If a Write User Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 32. No errors Write Pending - Checksum Required Access Denied (User Zone Not Set) Access Denied (Security Fuses Invalid) PARAM Invalid Address Invalid Length Invalid Authentication or Encryption Activation Required Data Written (Program Only Mode) Checksum Failure Password Required Modify Forbidden Memory Write Error - Data Mismatch Memory Access Error Status Codes returned in the Write User Zone response Error/Status Message Status Code $00 $0C $99 $99 $A1 $A2 $A3 $A9 $B0 $C9 $D9 $E9 $ED $EE Type ACK ACK NACK NACK NACK NACK NACK NACK ACK NACK NACK NACK NACK ACK/NACK 6.8.5. Notes The Write User Zone command with Integrated MAC is not supported by 88SC PICCs. 38 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.9. Write System Zone Command [$c4] The Write System Zone command writes data to the configuration memory. Reader PICC Command > PARAM = $00 > CID PARAM ADDR "L" DATA 1 DATA 2 .......... DATA "L" DATA "L+1" CRC1 CRC2 $4 Echo Command > CID $4 ACK/NACK STATUS CRC1 CRC2 6.9.1. Operation The Write System Zone command writes data into the configuration memory. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write System Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If Authentication or Encryption Communication Security is active the DATA bytes written to the password (PW) registers are encrypted; no other bytes are encrypted. In the Normal Communication Security mode none of the bytes are encrypted. The Write System Zone command includes an automatic data verification function when used on 88RF PICCs. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write System Zone command. If the data does not match then the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. 39 5276C-RFID-3/09 6.9.2. Command Field Description CID: PARAM: The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. 88RF PICCs do not support antitearing writes to the configuration memory. PARAM byte options for the Write System Zone command Command Write System Zone Write System Zone w/ AT Write Fuse Byte PARAM $00 $80 $01 ADDR Address Address Fuse addr "L" # of bytes - 1 # of bytes - 1 $00 DATA "L + 1" bytes "L + 1 bytes" 1 byte Table 33. All Other Values Are Not Supported The starting address of the data to write. The number of bytes to read minus 1. L cannot exceed the physical page size of the memory. In antitearing mode the maximum number of bytes that can be written is 8 bytes. Write Characteristics of CryptoRF Configuration Memory Write Characteristics Standard Write 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes Anti-Tearing Write Not Supported 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes ADDR: L: Table 34. CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF DATA: CRC: The data bytes to be written into configuration memory. Communication error detection bytes. 6.9.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 40 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.9.4. Error Handling If a Write System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 35. Status Codes returned in the Write System Zone response Error/Status Message No errors PARAM Invalid Address Invalid Length Invalid Integrated Checksum Mode Write Complete Access denied (Write Not Allowed) Checksum Failure Password Required Memory Write Error - Data Mismatch Memory Access Error Status Code $00 $A1 $A2 $A3 $B0 $BA $C9 $D9 $ED $EE Type ACK NACK NACK NACK ACK NACK NACK NACK NACK ACK/NACK 6.9.5. Notes The Write System Zone command is identical for 88SC and 88RF CryptoRF PICCs when PARAM = $00. 88RF PICCs do not support PARAM = $80. Automatic data write verification is performed by 88RF PICCs; this function is not supported by 88SC PICCs. 41 5276C-RFID-3/09 6.10. Write System Zone Command with Integrated MAC [$c4] [88RF] The Write System Zone command with Integrated MAC writes data to the 88RF PICC configuration memory. This command can only be used when the Encryption Communication mode is active. This command is only available when the Security fuses are: SEC = 0b, ENC = 0b, SKY = 1b, PER = 1b. Reader PICC Command > CID PARAM ADDR "L" DATA 1 DATA 2 .......... DATA "L" DATA "L+1" $4 Checksum > MAC1 MAC2 CRC1 CRC2 Echo Command > CID $4 ACK/NACK STATUS CRC1 CRC2 6.10.1. Operation The Write System Zone command with Integrated MAC writes data into the 88RF PICC configuration memory. As each byte is clocked in to the memory the lower bits of the address are internally incremented. The upper address bits are not incremented, so the page address remains constant. Write operations cannot cross page boundaries; a Write System Zone command can only write data bytes within a single physical memory page. Attempts to write beyond the end of the page boundary will wrap to the beginning of the same page. Only PICCs in the Active State are permitted to answer this command. If the Encryption Communication mode is not active, then a NACK response is returned. If the checksum does not match, then a NACK response is returned, the write operation is aborted, and the cryptographic engine is reset. The Write System Zone command with Integrated MAC includes an automatic data verification function. After the EEPROM write is complete the data verification logic reads the new EEPROM contents and compares it to the data received in the Write System Zone command. If the data does not match the PICC returns a NACK response with $ED in the status byte. If the data matches, the PICC returns an ACK response. 42 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.10.2. Command Field Description CID: PARAM: Table 36. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM byte options for the Write System Zone command for 88RF PICCs Command Write System Zone (Normal / Legacy) Write Fuse Byte Write System Zone with Integrated MAC PARAM $00 $01 $08 ADDR Address Fuse addr Address "L" # of bytes - 1 $00 # of bytes - 1 DATA "L + 1" bytes 1 byte "L + 1 bytes" All Other Values Are Not Supported ADDR: L: DATA: MAC: CRC: The starting address of the data to write. The number of bytes to write minus 1. L cannot exceed the 16 byte physical page size of the memory. The data bytes to be written into configuration memory. The checksum bytes sent to the cryptographic engine. Communication error detection bytes. 6.10.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 43 5276C-RFID-3/09 6.10.4. Error Handling If a Write System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 37. Status Codes returned in the Write System Zone with Integrated MAC response Error/Status Message No errors PARAM Invalid Address Invalid Length Invalid Integrated Checksum Mode Write Complete Access denied (Write Not Allowed) Checksum Failure Password Required Memory Write Error - Data Mismatch Memory Access Error Status Code $00 $A1 $A2 $A3 $B0 $BA $C9 $D9 $ED $EE Type ACK NACK NACK NACK ACK NACK NACK NACK NACK ACK/NACK 6.10.5. Notes The Write System Zone command with Integrated MAC is not supported by 88SC PICCs. 44 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.11. Write System Zone Command, Write Fuse Byte Option [$c4] The Write Fuse Byte Option of the Write System Zone command is used to program the security fuses. Reader PICC Command > PARAM = $01 > CID PARAM ADDR $4 L = $00 > "L" DATA 1 CRC1 CRC2 Echo Command > CID $4 ACK/NACK STATUS CRC1 CRC2 6.11.1. Operation The Write Fuse Byte Option of the Write System Zone command programs the security fuses. Once programmed, the fuses cannot be erased. This operation can be performed in the Normal, Authentication, or Encryption Communication modes. The fuse byte value is never encrypted. Only PICCs in the Active State are permitted to answer this command. 6.11.2. Command Field Description CID: PARAM: Table 38. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of write operation to be performed. PARAM byte options for the Write System Zone command Command Write System Zone Write System Zone w/ AT Write Fuse Byte PARAM $00 $80 $01 ADDR Address Address Fuse addr "L" # of bytes - 1 # of bytes - 1 $00 DATA "L + 1" bytes "L + 1 bytes" 1 byte All Other Values Are Not Supported ADDR: When performing a fuse byte write the ADDR byte contains the address of the fuse; only one fuse may be programmed per Write System Zone command. 45 5276C-RFID-3/09 Table 39. Hex $07 $06 $04 $00 Coding of ADDR for 88SC PICC Fuse Programming Bit 7 0 0 0 0 Bit 6 0 0 0 0 Bit 5 0 0 0 0 Bit 4 0 0 0 0 Bit 3 0 0 0 0 Bit 2 1 1 1 0 Bit 1 1 1 0 0 Bit 0 1 0 0 0 Fuse SEC FAB CMA PER Table 40. Hex $07 $06 $04 $00 Coding of ADDR for 88RF PICC Fuse Programming Bit 7 0 0 0 0 Bit 6 0 0 0 0 Bit 5 0 0 0 0 Bit 4 0 0 0 0 Bit 3 0 0 0 0 Bit 2 1 1 1 0 Bit 1 1 1 0 0 Bit 0 1 0 0 0 Fuse SEC ENC SKY PER L: DATA: CRC: The number of bytes to write minus 1. L must be $00 when writing the Fuse Bytes. One byte of data is required to be sent when writing the fuse byte, however the contents of this byte are ignored. Communication error detection bytes. 6.11.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge; the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 46 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.11.4. Error Handling If a Write System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 41. Status Codes returned in the Write System Zone response for Fuse Byte Writes Error/Status Message Fuse Byte (Successful Fuse Byte Write) Fuse Address Invalid Length Invalid Password Required Fuse Access Denied Access denied (Fuse Order Incorrect) Memory Access Error Status Code Fuse byte $A2 $A3 $D9 $DF $E9 $EE Type ACK NACK NACK NACK NACK NACK ACK/NACK 6.11.5. Notes The Write Fuse Byte option of the Write System Zone command is identical for 88SC and 88RF CryptoRF PICCs. 47 5276C-RFID-3/09 6.12. Read System Zone Command [$c6] The System Read command allows reading of system data from the configuration memory. Reader PICC Command > CID PARAM ADDR "L" CRC1 CRC2 $6 Echo Command > CID NACK STATUS CRC1 CRC2 $6 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 DATA 2 .......... DATA "L" $6 SUCCESS RESPONSE DATA "L+1" STATUS CRC1 CRC2 The Read System Zone command reads from the devices configuration memory. The data byte address is internally incremented as each byte is read from the memory. If the data byte address increments into a segment where read access is forbidden, the "fuse byte" is transmitted in place of the forbidden data. Only PICCs in the Active State are permitted to answer this command. If Authentication or Encryption Communication Security is active the DATA bytes read from the password (PW) registers are encrypted; no other bytes are encrypted. In the Normal Communication Security mode none of the bytes are encrypted. 48 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.12.2. Command Field Description CID: PARAM: Table 42. The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of read operation to be performed. PARAM byte options for the Read System Zone command. Command Read System Zone Read Fuse Byte Read Checksum PARAM $00 $01 $02 ADDR Address $FF $FF "L" # of bytes - 1 $00 $01 All Other Values Are Not Supported ADDR: L: The starting address of the data to read. The number of bytes to read minus 1. L cannot exceed 240 bytes. Reading more than 64 bytes in a single operation is not recommended. In a typical application environment, optimal transaction time is achieved by reading no more than 32 bytes in a single operation. CRC: Communication error detection bytes. 6.12.3. Response Field Descriptions CID: DATA: The PICC transmits its assigned card ID in the response. The data bytes read from the configuration memory. Since access rights vary throughout the system zone, the host may provide an authorized starting address, but a length that causes the device to reach forbidden data. In this case, the device will transmit the authorized bytes, but unauthorized bytes will be replaced by the "fuse byte". An "Access Denied" status code $BA or $BC will be returned to indicate that some of the bytes returned were replaced by the "fuse byte". ACK: NACK: STATUS: CRC: Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 49 5276C-RFID-3/09 6.12.4. Error Handling If a Read System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 43. Status Codes returned in the Read System Zone response Error/Status Message No errors PARAM Invalid Address Invalid Length Invalid Byte Access denied (Read Not Allowed) Byte Access denied (Password Required) Memory Access Error Status Code $00 $A1 $A2 $A3 $BA $BC $EE Type ACK NACK NACK NACK ACK/NACK ACK/NACK ACK/NACK 6.12.5. Notes The Read System Zone command is identical for 88SC and 88RF CryptoRF PICCs. 50 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.13. Read System Zone Command, Read Fuse Byte Option [$c6] The Read Fuse Byte Option of the Read System Zone command reads the security fuse byte. Reader PICC Command > PARAM = $01 > ADDR = $FF > L = $00 > CID PARAM ADDR "L" CRC1 CRC2 $6 Echo Command > CID NACK STATUS CRC1 CRC2 $6 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 STATUS CRC1 CRC2 $6 SUCCESS RESPONSE < Fuse Byte The Read Fuse Byte Option of the Read System Zone command reads the Security Fuse byte. This operation can be performed in the Normal, Authentication, or Encryption Communication modes. The fuse byte value is never encrypted. Only PICCs in the Active State are permitted to answer this command. 51 5276C-RFID-3/09 6.13.2. Command Field Description CID: PARAM: The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of read operation to be performed. PARAM must be $01 for Read Fuse Byte. PARAM byte options for the Read System Zone command. Command Read System Zone Read Fuse Byte Read Checksum PARAM $00 $01 $02 ADDR Address $FF $FF "L" # of bytes - 1 $00 $01 Table 44. All Other Values Are Not Supported ADDR: L: CRC: The address must be $FF for Read Fuse Byte. The number of bytes to read minus 1. L must be $00 for Read Fuse Byte. Communication error detection bytes. 6.13.3. Response Field Descriptions CID: DATA: Figure 4. F7 RFU X The PICC transmits its assigned card ID in the response. The Security Fuse Byte value. Definition of the DATA byte received when reading the Fuse Byte of 88SC PICCs F6 RFU X F5 RFU X F4 RFU X F3 SEC 0 F2 PER 1 F1 CMA 1 F0 FAB 1 Default Value . Figure 5. F7 RFU X Coding of the DATA byte received when reading the fuse byte of 88RF PICCs F6 RFU X F5 RFU X F4 RFU X F3 SEC 0 F2 ENC 1 F1 SKY 1 F0 FAB 1 Default Value ACK: NACK: STATUS: CRC: Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 52 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.13.4. Error Handling If a Read System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 45. Status Codes returned in the Read System Zone response when reading the Fuse Byte. Error/Status Message No errors PARAM Invalid Address Invalid Length Invalid Memory Access Error Status Code $00 $A1 $A2 $A3 $EE Type ACK NACK NACK NACK ACK/NACK 6.13.5. Notes The Read Fuse Byte Option of the Read System Zone command is identical for 88SC and 88RF CryptoRF PICCs. 53 5276C-RFID-3/09 6.14. Read System Zone Command, Read Checksum Option [$c6] The Read Checksum Option of the System Read command reads the checksum from the cryptographic engine. Reader PICC Command > PARAM = $02 > ADDR = $FF > L = $01 > CID PARAM ADDR "L" CRC1 CRC2 $6 Echo Command > CID NACK STATUS CRC1 CRC2 $6 FAILURE RESPONSE < Error Code Echo Command > CID ACK DATA 1 DATA 2 STATUS CRC1 CRC2 $6 SUCCESS RESPONSE < MAC1 < MAC2 The Read Checksum Option of the Read System Zone command reads the checksum from the cryptographic engine. This operation can be performed in the Normal, Authentication, or Encryption Communication modes. Only PICCs in the Active State are permitted to answer this command. 6.14.2. Command Field Description CID: PARAM: The Card ID assigned by the ATTRIB command. The PARAM byte selects the type of read operation to be performed. PARAM must be $02 for Read Checksum. 54 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 46. PARAM byte options for the Read System Zone command. Command Read System Zone Read Fuse Byte Read Checksum PARAM $00 $01 $02 ADDR Address $FF $FF "L" # of bytes - 1 $00 $01 All Other Values Are Not Supported The address must be $FF for Read Checksum. The number of bytes to read minus 1. L must be $01 for Read Checksum. Communication error detection bytes. ADDR: L: CRC: 6.14.3. Response Field Descriptions CID: DATA: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. The two checksum bytes read from the cryptographic engine. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 6.14.4. Error Handling If a Read System Zone command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 47. Status Codes returned in the Read System Zone response for Read Checksum. Error/Status Message No errors PARAM Invalid Address Invalid Length Invalid Memory Access Error Status Code $00 $A1 $A2 $A3 $EE Type ACK NACK NACK NACK ACK/NACK 6.14.5. Notes The Read Checksum Option of the Read System Zone command is identical for 88SC and 88RF CryptoRF PICCs. 55 5276C-RFID-3/09 6.15. Verify Crypto Command [$c8] The Verify Crypto command is used to activate the Authentication Communication Security mode and the Encryption Communication Security mode. Reader PICC Command > CID Key Index Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8 CH1 CH2 CH3 CH4 CH5 CH6 CH7 CH8 CRC1 CRC2 $8 Echo Command > CID $8 ACK/NACK STATUS CRC1 CRC2 6.15.1. Operation The Verify Crypto command is used to perform mutual authentication between the PICC and the Host system. The Verify Crypto command is also used to activate the Encryption Communication Security mode. Only PICCs in the Active State are permitted to answer this command. 56 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.15.2. Command Field Description CID: The Card ID assigned by the ATTRIB command. Key Index: Selects the secret key to be used. The Authentication process uses one of the Secret Seeds Gi. Encryption Activation uses a Session Encryption Key Si. Table 48. Key Index coding for the Verify Crypto command Key Index $00 $01 $02 $03 $10 $11 $12 $13 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Session Encryption Key S0 Session Encryption Key S1 Session Encryption Key S2 Session Encryption Key S3 All Other Values Are Not Supported Q: CH: CRC: The Host random number. The Host challenge. Communication error detection bytes. Key 6.15.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 57 5276C-RFID-3/09 6.15.4. Error Handling If a Verify Crypto command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 49. Status Codes returned in the Verify Crypto response Error/Status Message No errors Invalid Key Index Authentication or Encryption Activation Failure Memory Access Error (Security Operation) Memory Access Error Status Code $00 $99 $A9 $F9 $EE Type ACK NACK NACK NACK ACK/NACK 6.15.5. Notes The Verify Crypto command is identical for 88SC and 88RF CryptoRF PICCs. 58 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.16. Send Checksum Command [$c9] The Send Checksum command is used to authenticate data sent to the PICC in the Authentication Communication Security mode or the Encryption Communication Security mode. Reader PICC Command > CID MAC1 MAC2 CRC1 CRC2 $9 Echo Command > CID $9 ACK/NACK STATUS CRC1 CRC2 6.16.1. Operation When a Write User Zone command is sent in Authentication Communication mode or Encryption Communication mode the data received by the PICC is saved in a buffer until a cryptographic Checksum is received. The host uses the Send Checksum command to transmit the Checksum it has computed. If the checksum is valid the PICC writes the data; if the checksum is incorrect the data is discarded and the cryptographic engine is reset. Only PICCs in the Active State are permitted to answer this command. 6.16.2. Command Field Description CID: MAC: CRC: The Card ID assigned by the ATTRIB command. The cryptographic checksum computed by the Host. Communication error detection bytes. 6.16.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 59 5276C-RFID-3/09 6.16.4. Error Handling If a Send Checksum command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 50. Status Codes returned in the Send Checksum response Error/Status Message No errors Checksum Failure Checksum Failure Memory Write Error - Data Mismatch Memory Access Error Status Code $00 $C8 $C9 $ED $EE Type ACK NACK NACK NACK ACK/NACK 6.16.5. Notes The Send Checksum command is identical for 88SC and 88RF CryptoRF PICCs. 60 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.17. DESELECT Command [$cA] The DESELECT command places a PICC in the Halt State. This command is used at the end of a transaction. Reader PICC Command > CID CRC1 CRC2 $A Echo Command > CID ACK STATUS CRC1 CRC2 $A 6.17.1. Operation Sending the DESELECT command (with a matching CID) to a PICC in the Active State places the PICC in the Halt State. The User Zone, password, and authentication registers are cleared before the PICC enters the Halt State. Only PICCs in the Active State are permitted to answer this command. 6.17.2. Command Field Descriptions CID: CRC: The Card ID assigned by the ATTRIB command. Communication error detection bytes. 6.17.3. Response Field Descriptions CID: ACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. PICC status code. Communication error detection bytes. 6.17.4. Error Handling If a DESELECT command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 51. Status Codes returned in the DESELECT response Error/Status Message No errors Status Code $00 Type ACK 6.17.5. Notes The HLTB command is identical for 88SC and 88RF CryptoRF PICCs. 61 5276C-RFID-3/09 6.18. IDLE Command [$cB] The IDLE command resets the PICC and places it in the Idle State. This command is used at the end of a transaction. Reader PICC Command > CID CRC1 CRC2 $B Echo Command > CID ACK STATUS CRC1 CRC2 $B 6.18.1. Operation Sending the IDLE command (with a matching CID) to a PICC in the Active State resets the PICC and places it in the Idle State. The User Zone, password, and authentication registers are cleared before the PICC enters the Idle State. The PICC responds only to successful IDLE commands. Only PICCs in the Active State are permitted to answer this command. 6.18.2. Command Field Descriptions CID: CRC: The Card ID assigned by the ATTRIB command. Communication error detection bytes. 6.18.3. Response Field Descriptions CID: ACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. PICC status code. Communication error detection bytes. 6.18.4. Error Handling If an IDLE command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 52. Status Codes returned in the IDLE response Error/Status Message No errors Status Code $00 Type ACK 6.18.5. Notes The HLTB command is identical for 88SC and 88RF CryptoRF PICCs. 62 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.19. Check Password Command [$cC] The Check Password command transmits a password for validation. Reader PICC Command > CID $C Password Index PW 1 PW 2 PW 3 CRC1 CRC2 Echo Command > CID $C ACK/NACK STATUS CRC1 CRC2 6.19.1. Operation To read or write data in User Zones that require a password for access the host must carry out a password validation operation. To write data to the Configuration Memory during personalization the host must carry out a transport password validation operation. The host uses the Check Password command to send the password for validation against the password selected with the Password Index byte. Only PICCs in the Active State are permitted to answer this command. If the Check Password is successful, the Password Attempts Counter (PAC) is cleared and the ACK response is issued. Only one password is active at any time. If the Check Password fails, the PAC is incremented and a NACK response is issued. The Check Password success or failure is memorized and active until the PICC is powered down, removed from the Active state, or until a new Check Password is received. If the password trials limit is reached, subsequent Check Password commands will be rejected. If the Authentication Communication mode or the Encryption Communication mode is active, then the three PW bytes are encrypted. In Normal Communication mode the PW bytes are not encrypted. 6.19.2. Command Field Descriptions CID: The Card ID assigned by the ATTRIB command. Password Index: Identifies the password register that the PICC will check the transmitted password against. 63 5276C-RFID-3/09 Table 53. Coding of the Password Index for 4K bit CryptoRF devices Check Password Password Read 0 Password Read 1 Password Read 2 Password Read 7 Password Write 0 Password Write 1 Password Write 2 Password Write 7 Password Index $10 $11 $12 $17 $00 $01 $02 $07 All Other Values Are Not Supported Table 54. Coding of the Password Index for 8K bit and larger CryptoRF devices Check Password Password Read 0 Password Read 1 Password Read 2 Password Read 3 Password Read 4 Password Read 5 Password Read 6 Password Read 7 Password Read 0 Password Write 1 Password Write 2 Password Write 3 Password Write 4 Password Write 5 Password Write 6 Password Write 7 Password Index $10 $11 $12 $13 $14 $15 $16 $17 $00 $01 $02 $03 $04 $05 $06 $07 All Other Values Are Not Supported PW: CRC: The password bytes. Communication error detection bytes. 64 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 6.19.3. Response Field Descriptions CID: ACK: NACK: STATUS: CRC: The PICC transmits its assigned card ID in the response. Acknowledge, the command executed correctly. Not Acknowledge, the command did not execute correctly. PICC status code. Communication error detection bytes. 6.19.4. Error Handling If a Check Password command containing transmission errors is received by the PICC, it is ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 55. Status Codes returned in the Check Password response Error/Status Message No errors Password Index Invalid Check Password Failure Memory Access Error (Security Operation) Memory Access Error Status Code $00 $A1 $D9 $F9 $EE Type ACK NACK NACK NACK ACK/NACK 6.19.5. Notes The Check Password command is identical for 88SC and 88RF CryptoRF PICCs. Password indexes of $03 to $06, and $13 to $16 will be NACKed by 88RF PICCs. 65 5276C-RFID-3/09 7. Transaction Flow Figure 6. Flowchart of a Typical CryptoRF Transaction Polling (REQB/WUPB) Select Card (ATTRIB) Halt (HLTB) Anticollision Complete Mutual Authentication (optional) Enter Authentication Mode Normal Mode Encryption Activation (optional) Enter Encryption Mode Set User Zone Read Configuration Memory Write Configuration Memory Check Password Read User Memory Read Checksum Write User Memory Send Checksum Deselect or Idle In a typical CryptoRF transaction the host performs anticollision, selects a User Zone, and reads or writes the user memory. When a User Zone requires a password, authentication, or encryption the host performs the required security operation before accessing the User Zone. Note: The Set User Zone command may be sent before or after the security operation. 66 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 8. Absolute Maximum Ratings* Operating Temperature (junction) .............-40C to +85C Storage Temperature (ambient).............-65C to + 150C HBM ESD (Antenna Pins only) ................ 2000V minimum *NOTICE: Stresses beyond those listed under "Absolute Maximum Ratings" may cause permanent damage to the device. This is a stress rating only and functional operation of the device at these or any other condition beyond those indicated in the operational sections of this specification is not implied. Exposure to absolute maximum rating conditions for extended periods may affect device reliability. The maximum temperature ratings in this section are applicable to CryptoRF in wafer form. When assembled into a package the CryptoRF temperature ratings may be reduced to reflect the limitations of the package. However the CryptoRF absolute maximum ratings should not be exceeded for any package. 9. Reliability Table 56. Reliability Parameter Write Endurance (each Byte) Anti-Tearing Write Endurance Data Retention (at 55C) Data Retention (At 35C) Read Endurance Min 100,000 50,000 10 30 50 Unlimited Typical Max Units Write Cycles Writes Years Years Read Cycles CryptoRF is fabricated with Atmel's high reliability CMOS EEPROM manufacturing technology. The write endurance and data retention EEPROM reliability ratings apply to each byte of the user and configuration memory. The optional CryptoRF anti-tearing functions use a single anti-tearing EEPROM buffer memory. Every anti-tearing write operation utilizes the same buffer. The anti-tearing write endurance specification is a limitation in the total number of anti-tearing write operations that can be performed by each die. 67 5276C-RFID-3/09 10. Electrical Characteristics Table 57. Symbol (2) CT Electrical Characteristics(1) Parameter Integrated Tuning Capacitance Polling Reset Time (no anti-tearing to process) Polling Reset Time (anti-tearing write to process) Write Cycle Time of EEPROM Memory 1.6 Min 72 Nominal 82 Max 92 5 10 2.0 Units pF mS mS mS TPOR TPOR-AT TWR Note: 1. Nominal values at 25 C. Values are based on characterization and are not tested. 2. Tuning Capacitance limits are specified at 25 C. CT temperature coefficient is < 100 ppm/C. 10.1. Tamper Detection CryptoRF contains tamper detection sensors to detect operation outside of specified limits. These sensors monitor the internal supply voltage and clock frequency. An additional sensor detects high intensity light attacks. The die is disabled and will not function when tampering is detected. 68 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix A. Terms and Abbreviations Abbreviation 88RF 88SC A AAC AACi A/m AC Access Control ACK Active state ADDR AFI AK AM Anticollision APP AR ASK AT ATQB ATTRIB Auth B CA Card ChA Ch E Definition Second generation CryptoRF devices. Catalog Number Series: AT88RFxxC First generation CryptoRF devices. Catalog Number Series: AT88SCxxxxCRF Unmodulated PCD field amplitude. Used in modulation index calculation. Authentication Attempts Counter. Authentication Attempts Counter with index i. Amperes per Meter. Units of magnetic field strength. Alternating Current. Registers in the Configuration Memory that are reserved for security configuration. Acknowledge response, indicates success of the requested operation. The state of a PICC that is selected and ready to receive commands. Address identifying the location to begin a read or write operation. Application Family Identifier. Used during Type B anticollision. Authentication Key. PR Register bits. Authentication Mode. AR Register mode control bit. Registers in the Configuration Memory that are reserved for anticollision information. Application bytes. Access Register. Amplitude Shift Keying modulation. PCD data transmission signaling format. Anti-tearing. Answer to Request Type B. The response to a polling command. PICC Selection Command, Type B. Authentication. Modulated PCD field amplitude. Used in modulation index calculation. Post Authentication Cryptogram calculated by Host for comparison with Ci A PICC with loop antenna in a plastic card or other RFID form factor. Challenge from Host (for Mutual Authentication). Challenge from Host (for Encryption Activation). Challenge calculated by CryptoRF for Comparison with ChA or ChE Initial Cryptogram with Index i, stored in CryptoRF. Cryptogram with Index i after Authentication, stored in CryptoRF. Card ID. The 4 bit code used to identify a PICC in the Active state. A CH Ci CiA CID 69 5276C-RFID-3/09 Abbreviation E Ci Definition Cryptogram with Index i after Encryption Activation, stored in CryptoRF. The third of four security fuses on 88SC PICCs. Card Manufacturer Code. Register in Configuration Memory. Cyclic Redundancy Check = 16 bit RF Communication Error Detection Code. Cyclic Redundancy Check, Type B. CryptoRF A family of devices with CryptoRF security features and a TWI or ISO/IEC 7816 interface. CryptoRF. Catalog Number Series: AT88SCxxxxCRF and AT88RFxxC. The Atmel ISO/IEC 14443 Type B reader IC. Catalog Number: AT88RF1354 Registers in the Configuration Memory that are reserved for security information. Tuning Capacitance. The capacitance between antenna pins AC1 and AC2. Variable for the Data bytes in a read or write Command. Variable for the Encrypted Data Bytes in a read or write Command. Variable for a particular Data byte, byte x. Variable for a particular Encrypted Data byte, byte x. Bytes for EEPROM memory read or write. Device Configuration Register. Address $18 in the Configuration Memory. Nonvolatile memory. Extra Guard Time. Extra Guard Time Length. A DCR mode control bit. The second of four security fuses on 88RF PICCs. End of Frame. Encryption Required. AR Register mode control bit. Extended Trials Allowed. A DCR mode control bit on 88SC PICCs. Elementary Time Unit = fc / 128 = 128 carrier cycles = 9.4395 uS nominal. A Function used by the Host for Authentication Key diversification. Any Function Performed Using the CryptoRF Cryptographic Engine. The second of four security fuses on 88SC PICCs. Carrier Frequency = 13.56 MHz nominal. Resonant Frequency. Frame Option. Registers in the Configuration Memory that cannot be written or read. Subcarrier Frequency = fc/16 = 847.5 kHz nominal. CMA CMC CRC CRC_B CRF CryptoMemory CryptoRF CryptoRF Reader Cryptography CT D DE D(x) DE(x) DATA DCR EEPROM EGT EGTL ENC EOF ER ETA ETU F1 F2 FAB fc Fo FO Forbidden fs 70 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Abbreviation Fuse Byte FWI FWT Gi Halt state HLTB Hmin Hmax Host HWR i IC ID Idle state IEC ISO J K KR kbps kHz L LSB M MAC MDF M.D. MHz M.I. mm mS S MSB Definition The contents returned when reading the Security Fuses. Frame Waiting Time Integer. Protocol bits communicating the PICC FWT time. Frame Waiting Time. Maximum time the PCD must wait for a PICC response. Secret Seed with index i, stored in CryptoRF. The state of a PICC waiting for a WUPB command (ignoring all other commands). Halt command, Type B. Minimum unmodulated operating magnetic field strength. Maximum unmodulated operating magnetic field strength. The RF reader, firmware, and application software communicating with the PICC. Hardware Revision Register. [88RF PICCs] Variable for the Index of a Password Set or Key Set. Integrated Circuit. Identification. The state of a PICC after power on reset, waiting for a REQB or WUPB command. International Electrotechnical Commission. www.iec.ch International Organization for Standardization. www.iso.org Loop Count Variable in a Flowchart. Secret Host Key. Diversified Keys are based on K. Key Register. KiloBits Per Second. KiloHertz. Variable for the Length code in a CryptoRF read or write command. L = (N-1) Least Significant Bit. Communication Security Mode. AR Register mode control bits. Message Authentication Code. Checksum. Modify Forbidden. AR Register mode control bit. PCD Modulation Depth. MegaHertz. PCD Modulation Index. Calculated from calibration coil voltages as (A - B)/(A + B). MilliMeter. MilliSecond. MicroSecond Most Significant Bit. 71 5276C-RFID-3/09 Abbreviation MTZ mV N N Nc NACK NRZ-L nS OTP PAC PARAM PCD PER Pgm PGO PICC PK PM POK ppm PR Protocol PUPI PW PW Q Q R RBmax RCS RF RFU rms A E E Definition Memory Test Zone. Address $0A and $0B in the Configuration Memory. MilliVolt. Variable for the Number of anticollision slots. Variable for the Number of bytes in a read or write command. N = (L+1) A 7 byte register that can be used for key diversification. Not Acknowledge Response, Indicates failure of the requested operation. Non-Return to Zero (L for Level) data encoding. PICC data transmission coding. NanoSecond. One Time Programmable. Memory that cannot be erased or rewritten. Password Attempts Counter. A byte containing option codes or variables. Proximity Coupling Device. The RF reader/writer and antenna. The fourth of four security fuses. Program. Program Only mode. AR Register mode control bit. Proximity Integrated Circuit Card. The card/tag containing the IC and antenna. Primary Key. KR Register bits. Password Mode. AR Register mode control bit. Program Only Key. PR Register bits. Parts Per Million. Password Register. Bytes communicating ISO protocol information. Pseudo Unique PICC Identifier. ID for anticollision. Password. Encrypted Password. Host Random Number generated by Host for Mutual Authentication. Host Random Number generated by Host for Encryption Activation. Random number selected by PICC during anticollision. Receive Buffer size code. ATQB protocol byte returned by PICC. Read Checksum. A DCR mode control bit on 88RF PICCs. Radio Frequency. Reserved for Future Use. Any feature or bit reserved by ISO or by Atmel. Root Mean Square. 72 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Abbreviation ROK ROM RW S SA SiA SEC SKY SME STATUS Tag TBmax TPOR TPOR-AT TR0 TR1 TR2 TWR UAT UCR UDSN UZ WCS WG8 WLM WUPB z Definition Read Only Key. KR Register bits. Read Only Memory. REQB/WUPB command selection code. Slot Number. A code sent to the PICC with Slot MARKER command. Session Key calculated by CMC during Mutual Authentication. Session Key calculated by CryptoRF during Mutual Authentication. The first of four security fuses. The third of four security fuses on 88RF PICCs. Supervisor Mode Enable. A DCR mode control bit. A response byte containing information on the status of the PICC. A PICC with loop antenna attached; in one of several non-credit card form factors. An ISO/IEC 14443-3 protocol code indicating the receive buffer size of the PCD. Polling Response Time. Polling Response Time with Anti-Tearing. Guard Time per ISO/IEC 14443-2. Synchronization Time per ISO/IEC 14443-2. PICC to PCD frame delay time (per ISO/IEC 14443-3 Amendment 1). EEPROM Write Cycle Time. Unlimited Authentication Trials. A DCR mode control bit. Unlimited Checksum Read. A DCR mode control bit on 88SC PICCs. Unique Die Serial Number. Read-only register in the Configuration Memory User Zone. Write Checksum Timeout. A DCR mode control bit on 88RF PICCs. ISO/IEC Working Group eight. Develops standards for contactless smartcards. Write Lock Mode. AR Register mode control bit on 88SC PICCs. Wake Up command, Type B. Variable for the Index of a Password Set or Key Set. 73 5276C-RFID-3/09 Appendix B. Standards and Reference Documents B.1. International Standards CryptoRF is designed to comply with the requirements of the following ISO/IEC standards for Type B PICCs operating at the standard 106 kbps data rate. ISO/IEC 7810:1995 ISO/IEC 10373-6:2001 ISO/IEC 14443-1:2000 ISO/IEC 14443-1:2008 ISO/IEC 14443-2:2001 ISO/IEC 14443-3:2001 Identification Cards - Physical Characteristics Identification Cards - Test Methods - Part 6: Proximity Cards Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards - Part 1: Physical Characteristics Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards - Part 1: Physical Characteristics Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards - Part 2: Radio Frequency Power and Signal Interface Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards - Part 3: Initialization and Anticollision ISO/IEC standards are available at www.ansi.org, www.iso.org, and from your national standards organization. The ISO/IEC 14443 and ISO/IEC 10373 standards were developed by the WG8 committee (www.wg8.de). B.2. References Atmel Application Note: Understanding the Requirements of ISO/IEC 14443 for Type B Proximity Contactless Identification Cards. Document 2056x (Available at www.atmel.com) CryptoRF Ordering Codes: CryptoRF and Secure RF Standard Product Offerings. Document 5047x (Available at www.atmel.com) 74 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix C. User Memory Maps CryptoRF User Memory is divided into equal size User Zones as summarized in Table 58. Access requirements for each zone are independently configured by the customer using the Access Control Registers. Refer to Appendix H for additional information on access control. Table 58. CryptoRF User Memory Characteristics User Memory Size Bits Bytes CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Note: User Memory Organization # Zones Bytes / Zone Write Characteristics Standard Write Anti-Tearing 4K 8K 16K 32K 64K 512 1K 2K 4K 8K 4 8 16 16 16 128 128 128 256 512 1 to 16 Bytes 1 to 16 Bytes 1 to 16 Bytes 1 to 32 Bytes 1 to 32 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes 1 to 8 Bytes Memory maps in this section are for reference and are not intended to accurately illustrate the physical page length of each User Memory configuration. The physical page length is equal to the maximum number of bytes that can be written with a standard write command. The Write User Zone command will not write data across page boundaries; each physical page must be written with a separate command. AT88RF04C Memory Map for 4 Kbit User Memory $0 $00 $78 $00 $78 $00 $78 $00 $78 128 Bytes 128 Bytes 128 Bytes Figure 7. Zone $1 $2 $3 $4 $5 $6 $7 User 0 128 Bytes User 1 User 2 User 3 75 5276C-RFID-3/09 Figure 8. Zone AT88SC0808CRF Memory Map for 8 Kbit User Memory $0 $00 $78 $00 $1 $2 $3 $4 $5 $6 $7 User 0 128 Bytes User 1 $78 $00 128 Bytes User 2 $78 $00 128 Bytes User 3 $78 $00 128 Bytes User 4 $78 $00 128 Bytes User 5 $78 $00 128 Bytes User 6 $78 $00 128 Bytes User 7 $78 128 Bytes 76 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Figure 9. Zone $00 AT88SC1616CRF Memory Map for 16 Kbit User Memory $0 $78 $00 $1 $2 $3 $4 $5 $6 $7 User 0 128 Bytes User 1 $78 $00 128 Bytes User 2 $78 $00 128 Bytes User 3 $78 $00 128 Bytes User 4 $78 $00 128 Bytes User 5 $78 $00 128 Bytes User 6 $78 $00 128 Bytes User 7 $78 $00 128 Bytes User 8 $78 $00 128 Bytes User 9 $78 $00 128 Bytes User 10 $78 $00 128 Bytes User 11 $78 $00 128 Bytes User 12 $78 $00 128 Bytes User 13 $78 $00 128 Bytes User 14 $78 $00 128 Bytes User 15 $78 128 Bytes 77 5276C-RFID-3/09 Figure 10. Zone AT88SC3216CRF Memory Map for 32 Kbit User Memory $0 $00 $F8 $00 $1 $2 $3 $4 $5 $6 $7 User 0 256 Bytes User 1 $F8 $00 256 Bytes User 2 $F8 $00 256 Bytes User 3 $F8 $00 256 Bytes User 4 $F8 $00 256 Bytes User 5 $F8 $00 256 Bytes User 6 $F8 $00 256 Bytes User 7 $F8 $00 256 Bytes User 8 $F8 $00 256 Bytes User 9 $F8 $00 256 Bytes User 10 $F8 $00 256 Bytes User 11 $F8 $00 256 Bytes User 12 $F8 $00 256 Bytes User 13 $F8 $00 256 Bytes User 14 $F8 $00 256 Bytes User 15 $F8 256 Bytes 78 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Figure 11. Zone $000 AT88SC6416CRF Memory Map for 64 Kbit User Memory $0 $1F8 $000 $1 $2 $3 $4 $5 $6 $7 User 0 512 Bytes User 1 $1F8 $000 512 Bytes User 2 $1F8 $000 512 Bytes User 3 $1F8 $000 512 Bytes User 4 $1F8 $000 512 Bytes User 5 $1F8 $000 512 Bytes User 6 $1F8 $000 512 Bytes User 7 $1F8 $000 512 Bytes User 8 $1F8 $000 512 Bytes User 9 $1F8 $000 512 Bytes User 10 $1F8 $000 512 Bytes User 11 $1F8 $000 512 Bytes User 12 $1F8 $000 512 Bytes User 13 $1F8 $000 512 Bytes User 14 $1F8 $000 512 Bytes User 15 $1F8 512 Bytes 79 5276C-RFID-3/09 Appendix D. Configuration Memory Maps The Configuration Memory contains all of the system information used to configure the User Zones, plus 27 bytes of OTP memory that the customer can use to store data of any kind. The data in the Configuration Memory is locked by programming fuses during the personalization process so that the PICC configuration cannot be changed by the end user. Table 59. CryptoRF Configuration Memory Characteristics Password Sets Set Number CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Key Sets OTP Memory Free for Customer Use Transport Password PW Index Password 4 sets 8 sets 8 sets 8 sets 8 sets 0,1,2,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 4 sets 4 sets 4 sets 4 sets 4 sets 25 Bytes 27 Bytes 27 Bytes 27 Bytes 27 Bytes $07 $07 $07 $07 $07 $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E Access rights to the Configuration Memory are fixed in logic and are controlled by the security fuses. Refer to Appendix G for access control and fuse information. The Read System Zone and Write System Zone commands are used to access the Configuration Memory. The contents of the Configuration Memory registers affect the functionality of CryptoRF and should be changed from their default configuration only after careful consideration. Incorrect or invalid settings can disable the device or prevent it from communicating with the PCD. Configuration Memory registers marked as "Reserved" or RFU must not be changed and cannot be used for customer data. Only 27 bytes of OTP memory are available for general customer use on 88SC PICCs and 25 bytes of OTP memory are available on 88RF PICCs, all other registers have assigned functionality. The OTP memory bytes available for customer use are described in Appendix E. 80 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Figure 12. Configuration Memory map for AT88RF04C. $0 $00 $08 $10 $18 $20 $28 $30 $38 $40 $48 $50 $58 $60 $68 $70 $78 $80 $88 $90 $98 $A0 $A8 $B0 $B8 $C0 $C8 $D0 $D8 $E0 $E8 $F0 $F8 PAC Write 7 PAC Reserved Read 7 Forbidden Reserved PAC PAC PAC Write 0 Write 1 Write 2 AAC3 AAC2 AAC1 AAC0 Cryptogram C0 Session Encryption Key S0 Cryptogram C1 Session Encryption Key S1 Cryptogram C2 Session Encryption Key S2 Cryptogram C3 Session Encryption Key S3 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 PAC PAC PAC Read 0 Read 1 Read 2 Password Secret Cryptography Issuer Code Reserved Access Control DCR AR0 KR0 AR1 RBmax AFI $1 PUPI MTZ CMC Identification Number Nc KR1 AR2 KR2 AR3 KR3 Unique Die Serial Number $2 $3 $4 $5 APP HWR $6 $7 Anticollision Read only 81 5276C-RFID-3/09 Figure 13. Configuration Memory map for AT88SC0808CRF. $0 $1 PUPI RBmax DCR AR0 AR4 PR0 PR4 AR1 AR5 AFI MTZ Unique Die Serial Number Identification Number Nc PR1 PR5 AR2 AR6 PR2 PR6 AR3 AR7 PR3 PR7 Access Control $2 $3 $4 $5 APP CMC $6 $7 Anticollision Read only $00 $08 $10 $18 $20 $28 $30 $38 $40 $48 $50 $58 $60 $68 $70 $78 $80 $88 $90 $98 $A0 $A8 $B0 $B8 $C0 $C8 $D0 $D8 $E0 $E8 $F0 $F8 PAC PAC PAC PAC PAC PAC PAC PAC AAC3 AAC2 AAC1 AAC0 Reserved Issuer Code Cryptogram C0 Session Encryption Key S0 Cryptogram C1 Session Encryption Key S1 Cryptogram C2 Session Encryption Key S2 Cryptogram C3 Session Encryption Key S3 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Write 0 Write 1 Write 2 Write 3 Write 4 Write 5 Write 6 Write 7 PAC PAC PAC PAC PAC PAC PAC PAC Reserved Read 0 Read 1 Read 2 Read 3 Read 4 Read 5 Read 6 Read 7 Cryptography Secret Password Forbidden 82 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Figure 14. Configuration Memory map for AT88SC1616CRF, AT88SC3216CRF, AT88SC6416CRF. $0 $00 $08 $10 $18 $20 $28 $30 $38 $40 $48 $50 $58 $60 $68 $70 $78 $80 $88 $90 $98 $A0 $A8 $B0 $B8 $C0 $C8 $D0 $D8 $E0 $E8 $F0 $F8 PAC PAC PAC PAC PAC PAC PAC PAC Write 0 Write 1 Write 2 Write 3 Write 4 Write 5 Write 6 Write 7 AAC3 AAC2 AAC1 AAC0 Cryptogram C0 Session Encryption Key S0 Cryptogram C1 Session Encryption Key S1 Cryptogram C2 Session Encryption Key S2 Cryptogram C3 Session Encryption Key S3 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 PAC PAC PAC PAC PAC PAC PAC PAC Reserved Read 0 Read 1 Read 2 Read 3 Read 4 Read 5 Read 6 Read 7 Forbidden Password Secret Cryptography DCR AR0 AR4 AR8 AR12 PR0 PR4 PR8 PR12 AR1 AR5 AR9 AR13 RBmax AFI $1 PUPI MTZ Unique Die Serial Number Identification Number Nc PR1 PR5 PR9 PR13 AR2 AR6 AR10 AR14 PR2 PR6 PR10 PR14 AR3 AR7 AR11 AR15 PR3 PR7 PR11 PR15 Access Control $2 $3 $4 $5 APP CMC $6 $7 Anticollision Read only Issuer Code 83 5276C-RFID-3/09 Appendix E. Device Personalization CryptoRF is delivered with the user memory filled with $FF data and with the security features disabled. Before issuing a CryptoRF PICC to the end user, it is personalized with initial data and the security settings. The last step in the personalization process is to program the security fuses. Figure 15. Personalization Process Flowchart START Select User Zone Write / Verify User Data No Done Initializing User Memory ? Yes Check Transport Password Write / Verify Configuration Memory Program Security Fuses END 84 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C E.1. User Memory Initialization The user memory is initialized by using the Set User Zone command to select a User Zone, and writing the initial data with Write User Zone commands. The data is then verified with Read User Zone commands. Each User Zone is programmed in this manner. E.2. Polling Response and OTP Memory Personalization After initializing the user memory, the Configuration Memory is programmed with the polling response and OTP data. Figure 16 shows the polling response registers in blue, OTP memory in green, and access control registers in gray. The Unique Die Serial Number register is factory programmed and cannot be changed. There are 27 bytes of OTP memory available for customer use in 88SC PICCs, and 25 bytes in 88RF PICCs; these registers are shown in green in Figure 16 and Figure 17. See Appendix M for detailed information on configuration of the polling response registers. See Appendix H for detailed information on configuration of the access control registers. Figure 16. System Zone Map for 88SC PICCs showing the OTP and Polling Response Registers $0 $00 $08 $10 $18 $20 $28 $30 $38 $40 $48 Issuer Code Access Registers, Password Registers, and Reserved Access Control DCR RBmax AFI $1 PUPI MTZ Unique Die Serial Number Identification Number Nc $2 $3 $4 $5 APP CMC Read Only $6 $7 Anticollision Figure 17. System Zone Map for 88RF PICCs showing the OTP and Polling Response Registers $0 $1 PUPI RBmax AFI MTZ CMC $2 $3 $4 $5 APP HWR Read Only $6 $7 Anticollision $00 $08 $10 $18 $20 $28 $30 $38 $40 $48 DCR Unique Die Serial Number Identification Number Nc Access Registers, Password Registers, and Reserved Access Control Issuer Code 85 5276C-RFID-3/09 Memory Test Zone (MTZ) The MTZ is a 2 byte register with open read/write access for testing basic functionality of the PICC. Data written in the MTZ cannot be protected from being rewritten; this field should not be used for application data. Card Manufacturer Code (CMC) This 16-bit or 32-bit register, defined by the customer during personalization, is often used to store card manufacturer lot codes. This OTP register may contain any value; it is an information field that does not affect functionality. Hardware Revision (HWR) [88RF] This 16-bit register is defined by Atmel. This code identifies the hardware type and design revision. This code cannot be modified. The HWR code for 88RF PICCs is $C2XX where XX is the design revision code. Unique Die Serial Number (UDSN) This 64-bit register is defined by Atmel. This code contains a unique serial number for each die and manufacturing traceability data. This code cannot be modified. [This register was previously named "Lot History Code".] Atmel reserves the right to modify the format of the contents of the UDSN register without notice. However the UDSN register value is guaranteed to be unique for each die. Identification Number Nc This 56-bit register, defined by the customer during personalization, is often used to store card ID numbers. This OTP register may contain any value; it is an information field that does not affect functionality. Issuer Code The 128-bit Issuer Code register is defined by the customer during personalization. This OTP register may contain any value; it is an information field that does not affect functionality. E.3. Transport Password Check The Transport Password must be presented using the Check Password command prior to writing the Configuration Memory. The Transport Password for each CryptoRF device is shown in Table 60. The Transport Password is the same for every device with the same base part number, it is never changed. Table 60. CryptoRF Transport Passwords Transport Password PW Index $07 $07 $07 $07 $07 Password $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 86 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C E.4. Security Fuse Programming Three security fuses are programmed at the end of the personalization process to lock the PICC configuration. The Write Fuse Byte option of the Write System Zone command is used to program the fuses. A fourth fuse, SEC, is already programmed by Atmel before CryptoRF leaves the factory. The fuses can only be programmed in the specified order. The security fuse programming sequence is as follows: 1. 2. 3. Send Write System Zone command with: PARAM = $01, ADDR = $06, L = $00, DATA = $00 to program the FAB or ENC fuse. Send Write System Zone command with: PARAM = $01, ADDR = $04, L = $00, DATA = $00 to program the CMA or SKY fuse. Send Write System Zone command with: PARAM = $01, ADDR = $00, L = $00, DATA = $00 to program the PER fuse. The response to each Write System Zone command should be ACK, and the fuse byte contents will be returned in the STATUS byte. After all three fuses are programmed, the device configuration is locked and personalization is complete. E.5. Secure Personalization The 88RF PICCs support an optional encrypted personalization mode for programming the device secrets. The Secure Personalization option is described in Appendix F. This option is not available on 88SC PICCs. 87 5276C-RFID-3/09 Appendix F. Secure Personalization [88RF] This appendix describes the optional Secure Personalization mode for 88RF PICCs. This mode allows the device secrets to be written with data encryption, so that eavesdropping on the personalization process cannot compromise the device secrets. Figure 18. Secure Personalization Process Flowchart START Personalize User Zones Check Transport Password Program ENC Security Fuse Activate Encryption Mode Write / Verify Configuration Memory Program Security Fuses END 88 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C F.1. User Memory Initialization The user memory is initialized by using the Set User Zone command to select a User Zone, and writing the initial data with Write User Zone commands. The data is automatically verified by the Automatic Data Write function as each Write User Zone command is processed. The data can also be verified with Read User Zone commands. Each User Zone is programmed in this manner. F.2. Transport Password Check The Transport Password must be presented using the Check Password command prior to writing the Configuration Memory. The Transport Password for each 88RF device is shown in Table 61. The Transport Password is the same for every device with the same base part number; it is never changed by Atmel. Table 61. 88RF PICC Transport Passwords Transport Password PW Index $07 Password $30 1D D2 CryptoRF Part Number AT88RF04C F.3. Security Fuse Programming The optional Secure Personalization mode is enabled and disabled by programming the security fuses. By default the Secure Personalization mode is disabled. Programming the ENC fuse enables Secure Personalization mode. Three security fuses are programmed during the personalization process to lock the PICC configuration. The Write Fuse Byte option of the Write System Zone command is used to program the fuses. A fourth fuse, SEC, is already programmed by Atmel before CryptoRF leaves the factory. The fuses can only be programmed in the specified order. The security fuse programming sequence is as follows: 1. 2. 3. Send Write System Zone command with: PARAM = $01, ADDR = $06, L = $00, DATA = $00 to program the ENC (Encryption) fuse. The Secure Personalization mode is enabled by programming the ENC fuse. Send Write System Zone command with: PARAM = $01, ADDR = $04, L = $00, DATA = $00 to program the SKY (Secret Key) fuse. The secrets are locked and the Secure Personalization mode is disabled by programming the SKY fuse. Send Write System Zone command with: PARAM = $01, ADDR = $00, L = $00, DATA = $00 to program the PER (Personalization) fuse. The Transport Password is disabled by programming the PER fuse. The response to each Write System Zone command should be ACK, and the fuse byte contents will be returned in the STATUS byte. After all three fuses are programmed, the device configuration is locked and personalization is complete. F.4. Secure Personalization Mode Data Encryption When the optional Secure Personalization mode is enabled by programming the ENC fuse to 0b, then certain registers in the configuration memory require communication encryption for read or write access. This is illustrated in Figure 19 below using color codes. The contents of registers with green shading are never encrypted when reading or writing, regardless of the communication security mode of the PICC. Access to registers with pink shading is forbidden; no read or write access is allowed. The registers shaded in blue contain device "secrets", they cannot be written or read unless the Encryption Communication Security mode has been activated (with any key set). The contents of these "secrets" registers is encrypted when reading or writing. Use of the Write System Zone with Integrated MAC command is mandatory when writing the "secrets" registers (see Section 6.10). 89 5276C-RFID-3/09 Figure 19. $00 $08 $10 $18 $20 $28 $30 $38 $40 $48 $50 $58 $60 $68 $70 $78 $80 $88 $90 $98 $A0 $A8 $B0 $B8 $C0 $C8 $D0 $D8 $E0 $E8 $F0 $F8 Configuration Memory map showing Data Encryption Requirements for Fuse State ENC = 0b, SKY = 1b. $0 RBmax DCR AR0 KR0 AR1 $1 PUPI AFI MTZ CMC Identification Number Nc KR1 AR2 KR2 AR3 KR3 Access Control Unique Die Serial Number $2 $3 $4 $5 APP HWR $6 $7 Anticollision Read only Reserved Issuer Code AAC0 AAC1 AAC2 AAC3 Cryptogram C0 Session Encryption Key S0 Cryptogram C1 Session Encryption Key S1 Cryptogram C2 Session Encryption Key S2 Cryptogram C3 Session Encryption Key S3 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 PAC PAC PAC Write 0 Write 1 Write 2 PAC PAC PAC Read 0 Read 1 Read 2 Password Reserved Secret Cryptography PAC Write 7 PAC Reserved Read 7 Forbidden Programming the SKY fuse locks the Secret Seeds and Session Encryption Key registers so that the contents cannot be read or changed. Once locked, these registers cannot be unlocked. The SKY fuse also disables the Secure Personalization mode and disables the Write System Zone with Integrated MAC command. The Configuration Memory Access requirements for all four of the Security Fuse states is described in Appendix G. Note that it is not necessary to initialize the Session Encryption Key registers since any data contained in these registers will be overwritten by the first Authentication Activation attempt. 90 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix G. Security Fuses There are four fuses which control access to the Configuration Memory. One fuse (SEC) is programmed by Atmel before CryptoRF leaves the factory; the remaining three fuses are programmed during the personalization process. Once a fuse is programmed, it can never be changed. These fuses do not control access to the user memory; user memory access rights are defined in the Access Registers. The security fuses are used to lock the state of the Access Registers, Passwords, Keys, and other configuration data during the personalization process so that they cannot be changed after a card is issued. G.1. Reading the Security Fuses To read the fuses send the Read System Zone command with PARAM = $01, ADDR = $FF, L = $00. The CryptoRF response will contain one data byte, the Fuse Byte. A value of 0b indicates the fuse has been programmed. Bits 4 to 7 of this byte are not used as security fuses and are reserved by Atmel. Figure 20. F7 RFU X Definition of the DATA Byte received when reading the Fuse Byte of 88SC PICCs. F6 RFU X F5 RFU X F4 RFU X F3 SEC 0 F2 PER 1 F1 CMA 1 F0 FAB 1 Default Value Figure 21. F7 RFU X Definition of the DATA Byte received when reading the Fuse Byte of 88RF PICCs. F6 RFU X F5 RFU X F4 RFU X F3 SEC 0 F2 ENC 1 F1 SKY 1 F0 PER 1 Default Value G.2. Programming the Fuse Bits Three security fuses are programmed at the end of the personalization process to lock the PICC configuration. The Write Fuse Byte option of the Write System Zone command is used to program the fuses. A fourth fuse, SEC, is already programmed by Atmel before CryptoRF leaves the factory. The fuses can only be programmed in the specified order. The security fuse programming sequence is as follows: 1. 2. 3. Send Write System Zone command with: PARAM = $01, ADDR = $06, L = $00, DATA = $00 to program the FAB or ENC fuse. Send Write System Zone command with: PARAM = $01, ADDR = $04, L = $00, DATA = $00 to program the CMA or SKY fuse. Send Write System Zone command with: PARAM = $01, ADDR = $00, L = $00, DATA = $00 to program the PER fuse. The response to each Write System Zone command should be ACK, and the fuse byte contents will be returned in the STATUS byte. After all three fuses are programmed, the device configuration is locked. G.3. Configuration Memory Access Control Table 62 shows the Configuration Memory access conditions for each of the 88SC PICC security fuse settings. Table 63 shows the Configuration Memory access conditions for each of the 88RF PICC security fuse settings. The left column contains the name of the register area in the Configuration Memory map. The next column indicates if that row applies to Read System Zone commands or Write System Zone commands. The four columns to the right show the security fuse states. 91 5276C-RFID-3/09 The default state of the fuses when CryptoRF leaves the factory is SEC = 0b and the remaining three fuses set to 1b. The left fuse column in Table 62 and Table 63 show the access conditions for this default fuse state. Table 62. Configuration Memory Access control by Security Fuse State for 88SC PICCs. Fuse State Registers Operation SEC = 0b FAB = 1b CMA = 1b PER = 1b Open Transport PW Open Open Transport PW Open Forbidden Open Transport PW Open Transport PW Transport PW SEC = 0b FAB = 0b CMA = 1b PER = 1b Open Forbidden Open Open Transport PW Open Forbidden Open Transport PW Open Transport PW Transport PW SEC = 0b FAB = 0b CMA = 0b PER = 1b Open Forbidden Open Open Forbidden Open Forbidden Open Transport PW Open Transport PW Transport PW SEC = 0b FAB = 0b CMA = 0b PER = 0b Open Forbidden Open Open Forbidden Open Forbidden Open Forbidden Open Forbidden Forbidden Anticollision (Except MT2 and CMC) Memory Test Zone (MTZ) Card Manufacturer Code (CMC) Read Only (Lot History Code) Access Control Cryptography (Except Encryption Key S) Encryption Keys (S) Secret Read Write Read Write Read Write Read Write Read Write Read Write Read Write Read Write Transport PW Transport PW Transport PW Forbidden Passwords Password Attempt Counters (PAC) Forbidden Read Write Read Write Read Write Transport PW Open Transport PW Forbidden Transport PW Open Transport PW Forbidden Transport PW Open Transport PW Forbidden Write PW Open Write PW Forbidden The register access conditions in Table 62 and Table 63 are color coded. Open access is indicated by green. No access permitted is indicated by magenta. If access is restricted, then the field is yellow. Blue fields indicate that Encryption Activation is required for access. For registers with restricted access, the requirement to gain access is indicated by the text. The text "Transport PW" indicates that if the Transport Password is validated using the Check Password command, then access is granted. The text "Write PW" indicates that if the Write Password of a password set is validated using the Check Password command, then access is granted to the PAC registers and password registers for that password set only. 92 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 63. Configuration Memory Access control by Security Fuse State for 88RF PICCs. Fuse State Registers Operation SEC = 0b ENC = 1b SKY = 1b PER = 1b Open Transport PW Open Open Forbidden Open Forbidden Open Transport PW Open Transport PW Open Transport PW Transport PW SEC = 0b ENC = 0b SKY = 1b PER = 1b Open Transport PW Open Open Forbidden Open Forbidden Open Transport PW Open Transport PW Open Transport PW Transport PW + Encryption Transport PW + Encryption Transport PW + Encryption Open Transport PW Forbidden SEC = 0b ENC = 0b SKY = 0b PER = 1b Open Transport PW Open Open Forbidden Open Forbidden Open Transport PW Open Forbidden Open Forbidden Forbidden SEC = 0b ENC = 0b SKY = 0b PER = 0b Open Forbidden Open Open Forbidden Open Forbidden Open Forbidden Open Forbidden Open Forbidden Forbidden Anticollision (Except MTZ, HWR) Memory Test Zone (MTZ) Hardware Revision (HWR) Read Only (Unique Die Serial Number) Access Control (Except Nc, DCR) Nc and DCR Cryptography (Except Encryption Keys S) Encryption Keys (S) Secret Read Write Read Write Read Write Read Write Read Write Read Write Read Write Read Write Read Write Transport PW Forbidden Forbidden Passwords Password Attempt Counters (PAC) Forbidden Read Write Read Write Read Write Transport PW Open Transport PW Forbidden Transport PW Open Transport PW Forbidden Write PW Open Write PW Forbidden 93 5276C-RFID-3/09 Appendix H. Configuration of Password and Access Control Registers There are two types of configuration registers in CryptoRF, User Zone access control registers, and Device Configuration Registers. The User Zone Access Registers (AR) set the access requirements for a single User Zone. The Device Configuration Register (DCR) selects optional behaviors for the PICC. Both types of registers are described in this appendix. H.1. User Zone Configuration Options Access to each User Zone in the CryptoRF user memory is controlled by two registers in the Configuration Memory. The Access Register controls the access conditions for the User Zone. The Password Register (PR) or Key Register (KR) controls the password set assigned to the User Zone. The default setting for these registers sets the security requirement to open access, no security features active, for all User Zones. Each set of User Zone access control registers has a name matched to the User Zone name. For example for 88SC PICCs, User Zone 1 is controlled by AR1 and PR1, User Zone 2 is controlled by AR2 and PR2. User Zone i is controlled by ARi and PRi. H.1.1. Access Registers (AR) [88SC] There is one Access Register for each User Zone in the user memory. The default state of this register is $FF, which disables all of the optional security features. Figure 22. Bit 7 PM1 1 Definition of the User Zone Access Registers for 88SC PICCs. Bit 6 PM0 1 Bit 5 AM1 1 Bit 4 AM0 1 Bit 3 ER 1 Bit 2 WLM 1 Bit 1 MDF 1 Bit 0 PGO 1 Default Value The Access Register definition for 88SC PICCs is shown in Figure 22. Changes to the AR registers are effective immediately. PM: Password Mode selection bits. The PM0 and PM1 bits control the password requirements for the User Zone as shown in Table 64. By default, no password is required for access to the User Zone. If PM = 10b, then write password verification is required for write access; read access does not require any password. If PM = 01b or 00b, then write password verification is required for read/write access and read password verification is required for read-only access. The password set assigned to the zone is specified in the Password Register. Table 64. PM1 1 1 0 0 Coding of the Password Mode bits of the Access Register. PM0 1 0 1 0 Authentication Mode selection bits. Access No Password Required Write Password Required Read and Write Passwords Required AM: The three Communication Security Mode control bits: AM0, AM1, and ER control the communication security requirements for the User Zone as shown in Table 65. By default authentication and encryption communication security are disabled. See Appendix J for information on the Authentication Communication Security modes. ER: Encryption Mode selection bit. 94 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C The three Communication Security Mode control bits: AM0, AM1, and ER control the communication security requirements for the User Zone as shown in Table 65. By default authentication and encryption communication security are disabled. See Appendix K for information on Encryption Communication Security. Table 65. AM1 0 0 0 0 1 1 1 1 Communication Security Mode options for 88SC PICCs. AM0 0 0 1 1 0 0 1 1 ER 0 1 0 1 0 1 0 1 Communication Security Mode Reserved For Future Use (Not Supported) Dual Access Authentication Mode Reserved For Future Use (Not Supported) Authentication for Read / Write Reserved For Future Use (Not Supported) Authentication for Write Encryption for Read / Write No Authentication or Encryption Required Auth. Key (AK) N/A Read / Write Access N/A Read / Write Access N/A Read / Write Access Read / Write Access N/A Pgm-Only Key (POK) N/A Read / Program Access N/A N/A N/A N/A N/A N/A WLM: Write Lock Mode control. By default the Write Lock Mode is disabled. If WLM = 0b then Write lock Mode is enabled and the User Zone is effectively divided into 8 byte pages with the first byte of each page controlling write access to all 8 bytes. Figure 23 shows an example of WLM on two contiguous 8 byte pages. Figure 23. Page $00 Example of byte level access control using the Write Lock Mode. $0 11011001 b $1 $xx Locked Page $08 $8 10101010 b Locked $9 $xx Locked $2 $xx Locked $A $xx $B $xx $C $xx Locked $3 $xx $4 $xx $5 $xx Locked $D $xx $E $xx Locked $F $xx $6 $xx $7 $xx < Address < Data < Status < Address < Data < Status The first byte of each virtual 8 byte page is called the Write Lock Byte. Each bit of the Write Lock Byte controls the locked status of one byte in the page. Write access is forbidden to a byte if its associated lock bit is set to 0b. Bit 7 controls byte 7, bit 6 controls byte 6, etc. Note: MDF: When WLM is enabled, Write User Zone commands are restricted to a length of one byte. Modify Forbidden mode control. By default the Modify Forbidden mode is disabled. If MDF = 0b then Modify Forbidden mode is enabled and no write access is allowed to the User Zone. The User Zone effectively becomes Read Only Memory (ROM). PGO: Program Only mode control. By default the Program Only mode is disabled. If PGO = 0b then data within the User Zone may be changed from 1b to 0b, but never from 0b to 1b. Note that when PGO is enabled, Write User Zone commands are restricted to a length of one byte. 95 5276C-RFID-3/09 H.2. Access Registers (AR) [88RF] There is one Access Register for each User Zone in the user memory. The default state of this register is $FF, which disables all of the optional security features. Figure 24. Bit 7 PM1 1 Definition of the Access Register for User Zone 1 of 88RF PICCs. Bit 6 PM0 1 Bit 5 M2 1 Bit 4 M1 1 Bit 3 M0 1 Bit 2 RFU 1 Bit 1 MDF 1 Bit 0 PGO 1 Default Value Figure 25. Bit 7 PM1 1 Definition of the Access Register for User Zones 0, 2, and 3 of 88RF PICCs. Bit 6 PM0 1 Bit 5 M2 1 Bit 4 M1 1 Bit 3 M0 1 Bit 2 RFU 1 Bit 1 MDF 1 Bit 0 RFU 1 Default Value The Access Register definition is shown in Figure 24 and Figure 25. Bit 2 is Reserved for Future Use. Changes to the AR registers are effective immediately. PM: Password Mode selection bits. The PM0 and PM1 bits control the password requirements for the User Zone as shown in Table 66. By default, no password is required for access to the User Zone. If PM = 10b, then write password verification is required for write access; read access does not require any password. If PM = 01b or 00b, then write password verification is required for read/write access and read password verification is required for read-only access. The password set assigned to the zone is specified in the Key Register. Table 66. PM1 1 1 0 0 M: Coding of the Password Mode bits of the Access Register. PM0 1 0 1 0 Communication Security Mode control. Access No Password Required Write Password Required Read and Write Passwords Required The Access Register M bits determine the Communication Security mode requirements for the User Zone. By default M = 111b and no Authentication or Encryption Activation is required to access the user memory. 96 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 67. M2 0 0 0 0 1 1 1 1 Communication Security Mode options for 88RF PICCs. M1 0 0 1 1 0 0 1 1 M0 0 1 0 1 0 1 0 1 Communication Security Mode Reserved For Future Use (Not Supported) Reserved For Future Use (Not Supported) Authentication for Read / Encryption for Write Authentication for Read / Write Encryption for Write Authentication for Write Encryption for Read / Write No Authentication or Encryption Required Primary Key (PK) N/A N/A Read / Write Access Read / Write Access Read / Write Access Read / Write Access Read / Write Access N/A Read-Only Key (ROK) N/A N/A Read Access Read Access N/A N/A Read Access N/A MDF: Modify Forbidden mode control. By default the Modify Forbidden mode is disabled. If MDF = 0b then Modify Forbidden mode is enabled and no write access is allowed to the User Zone. The User Zone effectively becomes Read Only Memory (ROM). PGO: Program Only mode control. By default the Program Only mode is disabled. If PGO = 0b then data within the User Zone may be changed from 1b to 0b, but never from 0b to 1b. Note that PGO is only available in User Zone 1. If PGO is enabled, then the Write User Zone data verification function is disabled when writing to User Zone 1 of 88RF PICCs. The PGO option is not available in User Zones 0, 2, and 3 of 88RF PICCs. H.2.1. Password Registers (PR) [88SC] There is one Password Register for each User Zone in the user memory. The default state of this register is $FF. Figure 26. Bit 7 AK1 1 Definition of the User Zone Password Registers on 88SC PICCs. Bit 6 AK0 1 Bit 5 POK1 1 Bit 4 POK0 1 Bit 3 RFU 1 Bit 2 PW2 1 Bit 1 PW1 1 Bit 0 PW0 1 Default Value The Password Register bit definitions are shown in Figure 26. Changes to the PR registers are effective immediately. AK: Authentication Key Set selection bits. The Authentication Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register bits determine the Communication Security mode. Any number of PR registers can point to the same key set, allowing multiple User Zones to use the same key set. Table 68. AK1 0 0 1 1 Coding of the Authentication Key Set select bits for CryptoRF communication security. AK0 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 97 5276C-RFID-3/09 POK: Program-Only Key Set selection bits. The Program-Only Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register bits determine the Communication Security mode. The POK bits are only used if Dual Access Authentication mode has been selected. Any number of PR registers can point to the same key set, allowing multiple User Zones to use the same key set. Table 69. POK1 0 0 1 1 Coding of the Program-Only Key Set select bits for CryptoRF communication security. POK0 0 1 0 1 Password Set selection bits. Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 PW: The Password Set selection bits control the password set assigned to a User Zone. Table 70 shows the coding of these register bits. Any number of PR registers can point to the same password set, allowing multiple User Zones to use the same password set. Table 70. PW2 0 0 0 0 1 1 1 1 Coding of the Password Set select bits for the 8K bit and larger CryptoRF devices. PW1 0 0 1 1 0 0 1 1 PW0 0 1 0 1 0 1 0 1 Password Set 0 1 2 3 4 5 6 7 H.2.2. Key Registers (KR) [88RF] There is one Key Register for each User Zone in the user memory. The default state of this register is $FF. Figure 27. Bit 7 PK1 1 Definition of the User Zone Key Registers for 88RF PICCs. Bit 6 PK2 1 Bit 5 ROK1 1 Bit 4 ROK2 1 Bit 3 RFU 1 Bit 2 PW2 1 Bit 1 PW1 1 Bit 0 PW0 1 Default Value The Key Register bit definitions are shown in Figure 27. Changes to the KR registers are effective immediately. PK: Primary Key Set selection bits. The Primary Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register M bits determine the Communication Security mode associated with the PK bits. 98 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 71. PK1 0 0 1 1 ROK: Coding of the Primary Key Set select bits for CryptoRF communication security on 88RF PICCs. PK2 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 Read-Only Key Set selection bits. The Read-Only Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register M bits determine the Communication Security mode associated with the ROK bits. Table 72. ROK1 0 0 1 1 Coding of the Read-Only Key Set select bits for CryptoRF communication security on 88RF PICCs. ROK2 0 1 0 1 Password Set selection bits. Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 PW: The Password Set selection bits control the password set assigned to a User Zone. Table 73 shows the coding of these register bits. Any number of KR registers can point to the same password set, allowing multiple User Zones to use the same password set. Table 73. PW2 0 0 0 1 Coding of the Password Set select bits on 88RF PICCs. PW1 0 0 1 1 PW0 0 1 0 1 Password Set 0 1 2 7 All Other Values Are Not Supported 99 5276C-RFID-3/09 H.3. Device Configuration Options There are a few configuration options which affect the overall behavior of the CryptoRF PICC. These options are contained in the Device Configuration Register (DCR). H.3.1. Device Configuration Register (DCR) There is one Device Configuration Register in each PICC. The default state of this register is $FF for 88SC PICCs and $7C for 88RF PICCs. Figure 28. Bit 7 SME 1 Definition of the Device Configuration Register for 88SC PICCs. Bit 6 UCR 1 Bit 5 UAT 1 Bit 4 ETA 1 Bit 3 EGTL 1 Bit 2 RFU 1 Bit 1 RFU 1 Bit 0 RFU 1 Default Value Figure 29. Bit 7 SME 0 Definition of the Device Configuration Register for 88RF PICCs. Bit 6 RFU 1 Bit 5 UAT 1 Bit 4 RFU 1 Bit 3 EGTL 1 Bit 2 RFU 1 Bit 1 WCS 0 Bit 0 RCS 0 Default Value The DCR register definition is shown in Figure 28 and Figure 29. Bits 0, 1, and 2 are reserved for future use. Changes to the DCR are effective at the next Power On or anticollision sequence. SME: Supervisor Mode Enable control. By default the Supervisor Mode is disabled on 88SC PICCs and enabled on 88RF PICCs. If SME = 0b then Supervisor Mode is enabled and Password Write 7 becomes the Supervisor Password. Successful verification of the Supervisor Password grants read and write access to all passwords and Password Attempt Counters (PACs), allowing the passwords to be changed and PACs to be reset. UCR: Unlimited Checksum Read control. [88SC] By default the UCR is disabled. If UCR = 0b then Unlimited Checksum Reads are enabled. This function is intended for development use only, since it allows systematic attacks on the security. This function does not affect the Password Attempts Counters (PACs). UAT: Unlimited Authentication Trials control. By default the UAT is disabled. If UAT = 0b then the Authentication Attempts Counters (AACs) are disabled for all key sets. This function is intended for development use only, since it allows systematic attacks on the security. This function does not affect the Password Attempts Counters (PACs). ETA: Extended Trials Allowed control. [88SC] By default the Extended Trials Allowed option is disabled. If this option is enabled by setting ETA = 0b then the maximum number of authentication and password trials is increased to permit a maximum of eight attempts before a password or key is locked. If ETA is disabled then only four attempts are permitted. EGTL: Extra Guard Time Length control. By default the Extra Guard Time Length option is disabled, which maximizes RF communication speed. This option controls the Extra Guard Time (EGT) for all data transmitted by the PICC. The default setting of EGTL = 0b selects zero ETUs of EGT. Setting EGTL = 1b selects two ETUs of EGT for all transmissions. The EGTL option does not affect EGT requirements for data transmitted by the reader. See Appendix O for information about EGT. WCS: Write Checksum Timeout control. [88RF] By default the WCS is enabled. In authentication and encryption communication security modes the correct checksum must be provided within 77 mS or the write operation is aborted. Setting WCS = 1b disables the timeout function. RCS: Read Checksum control. [88RF] By default the RCS is enabled, which allows one Read Checksum operation without resetting the cryptographic engine. 100 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix I. Using Password Security CryptoRF contains security options that can be enabled by the customer at personalization. By default no security is enabled, allowing CryptoRF to operate as a simple RFID EEPROM memory. Enabling password security on a User Zone restricts access to the data to users with knowledge of the password. I.1. Communication Security Communication between the PICC and reader operates in three security modes. The Normal mode allows communication of all types of data in the clear. Authentication mode encrypts only passwords. Encryption mode encrypts both user data and passwords. The default communication mode is Normal mode. Table 74. CryptoRF Communication Security Options. User Data Clear Clear Encryption System Data Clear Clear Clear(1) Passwords Clear Encryption Encryption Communication Mode Normal Authentication Encryption Note: 1. 88RF PICCs support an encryption option for programming secrets. See Appendix F. As shown in Table 74, passwords sent by the Host to CryptoRF in Normal Communication Security mode are communicated in the clear, without being encrypted. In the Authentication or Encryption Communication Security modes passwords are encrypted. I.2. Transport Password The Transport Password protects the Configuration Memory contents on all CryptoRF devices from accidental changes. All CryptoRF devices are shipped from Atmel with a Transport Password stored in password register Write 7. No changes to the Configuration Memory are permitted unless the Transport Password has been verified using the Check Password command. Table 75. CryptoRF Family Password Characteristics and Transport Passwords Password Sets Set Number 4 Sets 8 Sets 8 Sets 8 Sets 8 Sets 0,1,2,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 0,1,2,3,4,5,6,7 Transport Password PW Index $07 $07 $07 $07 $07 Password $30 1D D2 $40 7F AB $50 44 72 $60 78 AF $70 BA 2E CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 101 5276C-RFID-3/09 I.3. The Password and PAC Registers Each password set, along with its associated Password Attempt Counters is stored in an 8 byte segment in the Password section of the Configuration Memory. Figure 30 illustrates password set "z" in the Configuration Memory map. The Write Password and Write Password PAC are stored in the lower four bytes, while the Read Password and Read Password PAC are stored in the upper four bytes. Figure 30. Password Set Register Format $0 ADDR PAC $1 $2 PW Write z $3 $4 PAC $5 $6 PW Read z $7 PAC PW1 PW2 PW3 PAC PW1 PW2 PW3 Each password register contains the three byte password that is compared with the three byte password that is sent for verification with the Check Password command. The storage locations of the three password bytes is illustrated in the bottom half of Figure 30. Table 76. Password Attempt Counter Coding for the Default DCR Configuration of 88SC PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts (LOCK) PAC Register $FF $EE $CC $88 $00 All Other Values Are Not Supported Table 77. Password Attempt Counter Coding for the Extended Trials Allowed DCR Configuration of 88SC PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts (LOCK) PAC Register $FF $FE $FC $F8 $F0 $E0 $C0 $80 $00 All Other Values Are Not Supported 102 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 78. Password Attempt Counter Coding for 88RF PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts 9 Failed Attempts 10 Failed Attempts 11 Failed Attempts 12 Failed Attempts 13 Failed Attempts 14 Failed Attempts 15 Failed Attempts (LOCK) PAC Register $55 $56 $59 $5A $65 $66 $69 $6A $95 $96 $99 $9A $A5 $A6 $A9 $AA All Other Values Are Not Supported The Password Attempt Counters contain a value which indicates how many unsuccessful password verification attempts have been made using the Password Index of the corresponding password. Table 76, Table 77, and Table 78 show coding of the PAC register. On 88SC PICCs the DCR register bit ETA selects the number of password attempt that are permitted; the default configuration allows four attempts, ETA = 0b allows eight attempts. On 88RF PICCs the maximum number of attempts is fifteen. If the PAC reaches the maximum count, then the corresponding password is locked and all subsequent Check Password commands will fail. I.4. Password Security Options Password security for a User Zone is enabled by programming the Access Register for the zone. A Password Set is assigned to the User Zone by programming the Password Register for the zone. Configuration of the registers is described in Appendix H. Table 79. PM1 1 1 0 0 Coding of the Password Mode bits of the Access Register. PM0 1 0 1 0 Access No Password Required Write Password Required Read and Write Passwords Required Table 79 shows the available password security options. The default setting of PM=11b disables password security. The remaining two options enable password security for either writes only, or for both reads and writes. 103 5276C-RFID-3/09 If PM = 10b, then the Write Password is required to be verified before a Write User Zone command will be accepted. Data reads are not restricted in this configuration. If read and write password security is enabled by setting PM = 01b or PM = 00b, then verification of the Read Password allows access to data with the Read User Zone command; however no write access is permitted. Verification of the Write Password allows access to the data with either Read User Zone or Write User Zone commands. I.5. Password Verification A password is sent for verification using the Check Password command as shown in Figure 31. The Password Index identifies the Password Register that the password will be compared against. If the passwords match, then the PICC will latch the verification status as PASS along with the Password Index in an internal register, write the PAC to show no failed attempts, and return an ACK in the response. The internal password security status register maintains its state until the PICC is reset or some other event causes them to be changed. For example, sending another Check Password command will update these registers to reflect the success or failure of the new password verification event. Note that only one password is active at any time, and only the status of the most recent password verification event is stored in the PICC. If multiple User Zones are assigned the same Password Set, then a single Check Password command will provide access to all of these User Zones. Note that it does not matter if the Set User Zone command is sent before or after a Check Password command. The currently selected User Zone is stored in a register that is independent of the password security status register. Figure 31. Check Password Command and Response Reader PICC Command > CID $C Password Index PW 1 PW 2 PW 3 CRC1 CRC2 Echo Command > CID $C ACK/NACK STATUS CRC1 CRC2 If a Check Password command fails, then the PICC returns a NACK and a non-zero Status byte in the response. This Status byte reports the reason for failure of the operation. See the Check Password Command [$cC], Section 6.19 of this specification for a description of the Status codes. 104 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 80. Bit 7 0 0 Check Password Command ACK/NACK Coding Bit 6 0 0 Bit 5 0 0 Bit 4 0 0 Bit 3 0 0 0 Bit 2 0 0 0 Bit 1 0 0 0 Bit 0 0 1 1 ACK NACK, See STATUS byte for PICC information NACK, Check Password Attempt Failure Response Decode Password Attempts Count A Check Password response NACK can be coded two different ways, depending on the reason for failure. If failure of the Check Password command results in the Password Attempt Counter being incremented, then the NACK byte will contain an embedded code indicating the number of failed attempts. This special NACK will contain one of the following values: $11, $21, $31, $41, $51, $61, $71, $81 for 88SC PICCs. The upper nibble of the NACK byte is the number of failed attempts (1 to 8 failures), while the lower nibble is the NACK code $1. For 88RF PICCs this special NACK will contain one of the following values: $11, $21, $31, $41, $51, $61, $71, $81, $91, $A1, $B1, $C1, $D1, $E1, $F1. The upper nibble of the NACK byte is the number of failed attempts (1 to 15 failures), while the lower nibble is the NACK code $1. If failure of the Check Password command does not results in the Password Attempt Counter being incremented, then the NACK byte will contain $01. I.6. Changing Passwords To change a password after the personalization procedure is complete and the card configuration has been locked by programming the security fuses, it is necessary to successfully verify the Write Password of a password set using the Check Password command. The Read Password and Write Password registers and PACs can then be written using a Write System Zone command, and verified using the Read System Zone command. If the PAC for the Write Password has reached the attempt count limit, then the Write Password will be locked and it is not possible to change the passwords or PACs in this set. However if the optional Supervisor Mode has been enabled in the DCR, then the Supervisor Password can be used to enable write access to the passwords unless the Supervisor Password is also locked. I.7. Supervisor Password Supervisor Mode is an optional feature that can be enabled by programming SME = 0b in the DCR register. In Supervisor Mode a Supervisor Password is enabled that grants read and write access to all of the password sets and PACs. Password Write 7 is the Supervisor Password if SME = 0b. If the Supervisor Password is successfully verified, then it is possible to write any of the passwords and PACs. This allows passwords to be easily changed in the field, and for PACs to be reset to $FF (no unsuccessful attempts) by writing the registers using the Write System Zone command. When a PICC is configured with SME = 0b, it is recommended that Password Set 7 be reserved for the Supervisor Password. User Zones using password security should be configured to use other password sets. If a PICC is configured in this manner, then it is unlikely that the PAC for Password Write 7 will accidentally become locked (due to too many unsuccessful attempts). If the PAC for Password Write 7 is locked, then all subsequent attempts to verify the Supervisor Password will fail. Supervisor Mode changes the Configuration Memory access requirements for the Password section of the memory only. Enabling Supervisor Mode does not change the access requirements for any other configuration registers. 105 5276C-RFID-3/09 Appendix J. Using Authentication Communication Security CryptoRF contains security options that can be enabled by the customer at personalization. By default no security is enabled, allowing CryptoRF to operate as a simple RFID EEPROM memory. Enabling Authentication Communication Security on a User Zone restricts access to the data to users with knowledge of the Authentication key. J.1. Communication Security Communication between the PICC and reader operates in three security modes. The Normal mode allows communication of all types of data in the clear. Authentication Communication Security mode encrypts only passwords. Encryption Communication Security mode encrypts both user data and passwords. The default communication mode is Normal mode. Table 81. CryptoRF Communication Security Options. User Data Clear Clear Encryption System Data Clear Clear Clear(1) Passwords Clear Encryption Encryption Communication Mode Normal Authentication Encryption Note: 1. 88RF PICCs support an encryption option for programming secrets. See Appendix F. Authentication Communication Security is activated by performing Mutual Authentication between the Host system and the PICC using the Verify Crypto command. Once activated, the PICC will remain in Authentication mode until a security error occurs, a new Verify Crypto command is received, RF power is removed, or a DESELECT command or IDLE command is received. J.2. Authentication Security Options [88SC] Authentication Communication Security for a User Zone is enabled by programming the Access Register (AR) and Password Register (PR) for the zone. The Communication Security Mode (M) bits [AM1, AM0, ER] of the Access Register determine the Communication Security requirements for the User Zone. The Password Register determines which Key Set(s) are used to access the User Zone. Configuration of the AR and PR registers is described in Appendix H. Table 82. AM1 0 0 1 1 Selecting Authentication using the Communication Security Mode bits of the Access Register. AM0 0 1 0 1 ER 1 1 1 1 Communication Security Mode Dual Access Authentication Mode Authentication for Read / Write Authentication for Write No Authentication or Encryption Required Auth. Key (AK) Read / Write Access Read / Write Access Read / Write Access N/A Pgm-Only Key (POK) Read / Program Access N/A N/A N/A Table 82 shows the three 88SC PICC Authentication Communication Security options, plus the default setting. By default M = 111b and no Authentication or Encryption Activation is required to access the user memory. 106 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C J.2.1. M = 001b Security - Dual Access Authentication Mode When M = 001b Authentication is required for Read or Write access to the User Zone. If Authentication is performed with the key identified in the POK bits of the Password Register, then Read and Program-Only access is granted to the User Zone. In this state data may be changed from "1b" to "0b", but never from "0b" to "1b". If Authentication is performed with the key identified in the AK bits of the Password Register, then full Read/Write access is granted to the User Zone. A checksum is required for write operations. J.2.2. M = 011b Security - Authentication for Read / Write When M = 011b Authentication is required for Read or Write access to the User Zone. If Authentication is performed with the key identified in the AK bits of the Password Register, then Read/Write access is granted to the User Zone. A checksum is required for write operations. J.2.3. M = 101b Security - Authentication for Write When M = 101b Authentication is required for Write access to the User Zone. If Authentication is performed with the key identified in the AK bits of the Password Register, then Read/Write access is granted to the User Zone. Read-Only access does not require Authentication or Encryption Activation. A checksum is required for write operations. J.3. Authentication Security Options [88RF] Authentication Communication Security for a User Zone is enabled by programming the Access Register (AR) and Key Register (KR) for the zone. The Communication Security Mode (M) bits of the Access Register determine the Communication Security requirements for the User Zone. The Key Register determines which Key Set(s) are used to access the User Zone. Configuration of the AR and KR registers is described in Appendix H. Table 83. M2 0 0 1 1 Selecting Authentication using the Communication Security Mode bits of the Access Register. M1 1 1 0 1 M0 0 1 1 1 Communication Security Mode Authentication for Read / Encryption for Write Authentication for Read / Write Authentication for Write No Authentication or Encryption Required Primary Key (PK) Read / Write Access Read / Write Access Read / Write Access N/A Read-Only Key (ROK) Read Access Read Access N/A N/A Table 83 shows the three 88RF PICC Authentication Security options, plus the default setting. By default M = 111b and no Authentication or Encryption Activation is required to access the user memory. J.3.1. M = 010b Security - Authentication for Read / Encryption for Write When M = 010b Authentication is required for Read access to the User Zone. Encryption Activation is required for Write Access to the User Zone. If Authentication is performed with the key identified in the ROK bits of the Key Register, then Read-Only access is granted to the User Zone. If Encryption Activation is performed with the key identified in the PK bits of the Key Register, then Read/Write access is granted to the User Zone. A checksum is required for write operations. The M = 010b mode is a new feature in 88RF PICCs. This mode is not available in 88SC devices. J.3.2. M = 011b Security - Authentication for Read / Write When M = 011b Authentication is required for Read or Write access to the User Zone. If Authentication is performed with the key identified in the PK bits of the Key Register, then Read/Write access is granted to the User Zone. If Authentication is performed with the key identified in the ROK bits of the Key Register, then Read-Only access is granted to the User Zone. A checksum is required for write operations. If the PK and ROK bits of the Key Register select the same Key Set, then the Read-Only function is effectively disabled. Authenticating 88RF PICCs with the PK key results in behavior identical to 88SC devices. The Read-Only function is not supported by 88SC devices. 107 5276C-RFID-3/09 J.3.3. M = 101b Security - Authentication for Write When M = 101b Authentication is required for Write access to the User Zone. If Authentication is performed with the key identified in the PK bits of the Key Register, then Read/Write access is granted to the User Zone. Read-Only access does not require Authentication or Encryption Activation. A checksum is required for write operations. 88RF PICC behavior is identical to 88SC devices when M = 101b. J.4. The Password Register [88SC] The Password Registers are used to select the Key Sets for Authentication or Encryption Communication Security. Any Key Set can be used with any User Zone by programming the Key Register for the User Zone with the appropriate AK and POK values. One Key Set can be used with any number of User Zones. Figure 32. Bit 7 AK1 1 Definition of the User Zone Password Registers on 88SC PICCs. Bit 6 AK0 1 Bit 5 POK1 1 Bit 4 POK0 1 Bit 3 RFU 1 Bit 2 PW2 1 Bit 1 PW1 1 Bit 0 PW0 1 Default Value The Authentication Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register bits determine the Communication Security mode associated with the AK bits. Table 84. AK1 0 0 1 1 Coding of the Authentication Key Set select bits for CryptoRF communication security. AK0 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 The Program-Only Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register bits determine the Communication Security mode associated with the POK bits. The POK bits are only used in Dual Access Authentication mode. Table 85. POK1 0 0 1 1 Coding of the Program-Only Key Set select bits for CryptoRF communication security. POK0 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 108 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C J.5. The Key Register [88RF] The Key Registers are used to select the Key Sets for Authentication or Encryption Communication Security. Any Key Set can be used with any User Zone by programming the Key Register for the User Zone with the appropriate PK and ROK values. One Key Set can be used with any number of User Zones. Figure 33. Bit 7 PK1 1 Definition of the Key Registers on 88RF PICCs. Bit 6 PK2 1 Bit 5 ROK1 1 Bit 4 ROK2 1 Bit 3 RFU 1 Bit 2 PW2 1 Bit 1 PW1 1 Bit 0 PW0 1 Default Value The Primary Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register M bits determine the Communication Security mode associated with the PK bits. Table 86. PK1 0 0 1 1 Coding of the Primary Key Set select bits. PK2 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 The Read-Only Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register M bits determine the Communication Security mode associated with the ROK bits. For some Communication Security modes the ROK register bits are not used. Table 87. ROK1 0 0 1 1 Coding of the Read-Only Key Set select bits. ROK2 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 109 5276C-RFID-3/09 J.6. Key Sets CryptoRF has four Key Sets. Each Key Set is associated with four registers in the Configuration Memory. The Authentication Key is stored in the Secret Seed Gi register. The Authentication Attempt Counter for Secret Seed Gi is stored in the AACi register. The Cryptogram Ci register is used during Authentication Activation procedure to store the response to the Host challenge. The Session Key Si register is used to store the Encryption Activation key. Figure 34. Partial Configuration Memory map showing the Key Set Registers. $0 $50 $58 $60 $68 $70 $78 $80 $88 $90 $98 $A0 $A8 AAC3 AAC2 AAC1 AAC0 $1 $2 $3 $4 Cryptogram C0 Session Encryption Key S0 Cryptogram C1 Session Encryption Key S1 Cryptogram C2 Session Encryption Key S2 Cryptogram C3 Session Encryption Key S3 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Secret Cryptography $5 $6 $7 Figure 34 shows the portion of the Configuration Memory that contains the Key Set registers. The registers shaded in green can always be read, but cannot be written after personalization. The registers shaded in blue cannot be written or read after personalization. Note that all of the Security Fuses must be programmed during personalization for the device secrets to be secure. Key Set i uses registers AACi, Ci, Gi and Si. If AACi is locked, the Key Set i is permanently disabled and any User Zone requiring Key Set i for Authentication or Encryption Activation will no longer be accessible. J.6.1. Changing Keys The Secret Seeds cannot be modified after the Security Fuses are programmed during personalization. The AAC registers cannot be re-written after the Security Fuses are programmed either. This is true even if the SME option in the DCR register is enabled. 110 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C J.7. AAC Registers The Authentication Attempt Counters contain a value which indicates how many unsuccessful Authentication attempts have been made using the Key Index of the corresponding Secret Seed. Table 88, Table 89 and Table 90 shows coding of the AAC register. If the AAC reaches the maximum count of 4 or 8 on 88SC PICCs, then the corresponding key set is locked and all subsequent Authentication attempts will fail. If the AAC reaches the maximum count of 15 on 88RF PICCs, then the corresponding key set is locked and all subsequent Authentication attempts will fail. If the AAC contents are corrupted, or are programmed with an undefined value, then the corresponding key set is locked and all subsequent Authentication attempts will fail. The AAC registers can always be read using the Read System Zone command. Table 88. Authentication Attempt Counter Coding for the Default Configuration of 88SC PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts (LOCK) AAC Register $FF $EE $CC $88 $00 All Other Values Are Not Supported Table 89. Authentication Attempt Counter Coding for the Extended Trials Allowed Configuration of 88SC PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts (LOCK) AAC Register $FF $FE $FC $F8 $F0 $E0 $C0 $80 $00 All Other Values Are Not Supported 111 5276C-RFID-3/09 Table 90. Authentication Attempt Counter Coding for 88RF PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts 9 Failed Attempts 10 Failed Attempts 11 Failed Attempts 12 Failed Attempts 13 Failed Attempts 14 Failed Attempts 15 Failed Attempts (LOCK) AAC Register $55 $56 $59 $5A $65 $66 $69 $6A $95 $96 $99 $9A $A5 $A6 $A9 $AA All Other Values Are Not Supported J.8. Authentication Activation Authentication Communication Security is activated using the following Mutual Authentication procedure. 1. 2. 3. 4. 5. 6. The Host reads the PICC ID from Nc (or another equivalent memory location) and calculates the diversified key matching the PICC Secret Seed G. G = F1(K, ID, x, y, z) The Host reads AACi and Ci from card. A A The Host generates a Random Number Q and calculates challenge CH and other parameters with the cryptographic engine: [CHA, CA, SA] = F2(G, C, QA) A A The Host Sends Verify Crypto Command with Key Index $0i: Verify Crypto ($0i, Q , CH ) The PICC calculates challenge CH and other parameters using QA from the host with the cryptographic engine: A A A [CH, Ci , Si ] = F2(Gi, Ci, Q ) The PICC compares the internally calculated challenge CH to the value received from the host. If CH = CHA then A A the host is authenticated and the card writes the calculated values of Ci to the Ci register and Si to the Si register. The AACi is cleared, Authentication Communication Security mode is activated, and an ACK response is returned to the host. The Host reads the new AACi and CiA from Ci register of the PICC and compares it to the calculated CA from step A A 3. If C = Ci then the card is authenticated. The Mutual Authentication procedure is complete. 7. The Secret Seed Gi value in the PICC never changes after it is locked at personalization. The AACi, and Ci registers are written (by the PICC) each time a Verify Crypto command is received by the PICC. The Si register is written (by the PICC) each time the Mutual Authentication procedure succeeds. If the Host receives a NACK response from the PICC, then the Mutual Authentication procedure can be retried starting with step 2. Figure 35 shows the Mutual Authentication procedure as a flowchart. 112 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Figure 35. Mutual Authentication Procedure Host System Operations START Authentication CryptoRF Card Operations Read System Zone Command i = Card Key Set Number Store ID Read Card ID (Nc field or other ID) Answer with Nc (or equivalent) Note: CryptoRF Card must be in Active State before Starting Authentication Return Data Store C = AACi + Ci Read AACi and Cryptogram Ci Read System Zone Command Answer with AACi and Cryptogram Ci Return Data Alternate Flow (if new "C" already stored) END (FAILURE) Card Auth Key Set is Locked Is AACi Max ? YES NO Receive Verify Crypto Command with QA and ChA Card enters Normal Mode Secret Host Key K + x,y,z (if reqd.) Calculate Diversified Key G with K, ID, x, y, z using F1 Function Is AACi Max ? YES NO Generate Random Number QA Store CA and Session Key SA Calculate Challenge ChA, Cryptogram CA Session Key SA with G, C, QA using F2 Function Calculate Challenge CH, Cryptogram CiA, Session Key SiA with Ci, Gi, QA using F2 Function Secret Seed Gi Cryptogram Ci Does ChA match CH ? HOST is Authenticated YES NO Increment and Store AACi YES Send Verify Crypto Command with QA and ChA END (FAILURE) Receive Response Verify Crypto Command Do you want to retry ? Response NO Store CiA and Session Key SiA Card Authentication Failed YES Is Response NACK ? NO Clear AACi Store AACi + CiA Read AACi and Cryptogram CiA Send ACK Response Card enters Authentication Mode Send NACK Response Is AAC i Cleared ? Read System Zone Command YES Return Data Card is in Normal Mode NO Answer with AACi and Cryptogram CiA NO Does CiA Match CA ? YES Host enters Authentication Mode Card is Authenticated END Authentication 113 5276C-RFID-3/09 J.8.1. Key Index The Key Index byte of the Verify Crypto command selects the Key Set that the PICC uses to perform the Mutual Authentication procedure. Table 91. Key Index coding for the Verify Crypto command for Mutual Authentication Key Index $00 $01 $02 $03 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Key J.9. Set User Zone and Checksums The Mutual Authentication procedure can be performed before or after the Set User Zone command is sent. It is not necessary to repeat the Mutual Authentication procedure when changing User Zones unless the new User Zone requires a different Key Set. If Authentication Communication Security is activated and the application later selects a User Zone that does not require Authentication, the PICC will remain in Authentication Communication Security mode and all of the Authentication mode requirements will continue to apply. When Authentication Communication Security is active the Host must supply a correct cryptographic checksum when writing data to a User Zone. This is true even if the User Zone Access Register does not require Authentication for access to the zone. J.10. Passwords When Authentication Communication Security is active Passwords are encrypted during communications. The Host is required to encrypt the three password bytes when sending the Check Password command. The PICC encrypts any password bytes that are accessed with the Read System Zone command. The Host is required to encrypt any password bytes when sending the Write System Zone command. J.11. Deactivating Authentication Communication Security Once activated, the PICC will remain in Authentication Communication Security mode until a security error occurs, a new Verify Crypto command is received, RF power is removed, or a DESELECT command or IDLE command is received. In some applications it is necessary to deactivate Authentication Communication Security so that data can be written to a User Zone that has open read/write access without the necessity of computing a cryptographic checksum. While there are several possible ways to reset the cryptographic engine and exit the Authentication Communication Security mode, it is recommended that the Send Checksum command be used for this purpose. If the PICC receives a Send Checksum command containing an incorrect checksum, the PICC resets the cryptographic engine, returns to Normal Communication mode, and returns a NACK response to the host. The AACi register is not incremented by the PICC when a bad checksum is received, so there is no penalty for using Send Checksum to exit Authentication mode. 114 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix K. Using Encryption Communication Security CryptoRF contains security options that can be enabled by the customer at personalization. By default no security is enabled, allowing CryptoRF to operate as a simple RFID EEPROM memory. Enabling Encryption Communication Security on a User Zone restricts access to the data to users with knowledge of the Authentication key. K.1. Communication Security Communication between the PICC and reader operates in three security modes. The Normal mode allows communication of all types of data in the clear. Authentication Communication Security mode encrypts only passwords. Encryption Communication Security mode encrypts both user data and passwords. The default communication mode is Normal mode. Table 92. CryptoRF Communication Security Options. User Data Clear Clear Encryption System Data Clear Clear Clear (1) Communication Mode Normal Authentication Encryption Note: Passwords Clear Encryption Encryption 1. 88RF PICCs support an encryption option for programming secrets. See Appendix F. Encryption Communication Security is activated by performing Mutual Authentication between the Host system and the PICC using the Verify Crypto command, followed by the Encryption Activation procedure. Once activated, the PICC will remain in Encryption mode until a security error occurs, a new Verify Crypto command is received, RF power is removed, or a DESELECT command or IDLE command is received. K.2. Encryption Security Options [88SC] Encryption Communication Security for a User Zone is enabled by programming the Access Register (AR) and Password Register (PR) for the zone. The Communication Security Mode (M) bits [AM1, AM0, ER] of the Access Register determine the Communication Security requirements for the User Zone. The Password Register determines which Key Set is used to access the User Zone. Configuration of the AR and PR registers is described in Appendix H. Table 93. AM1 1 1 Selecting Encryption using the Communication Security Mode bits of the Access Register. AM0 1 1 ER 0 1 Communication Security Mode Encryption for Read / Write No Authentication or Encryption Required Auth. Key (AK) Read / Write Access N/A Pgm-Only Key (POK) N/A N/A Table 93 shows the one CryptoRF Encryption Communication Security option for 88SC PICCs, plus the default setting. By default M = 111b and no Authentication or Encryption Activation is required to access the user memory. K.2.1. M = 110b Security - Encryption for Read / Write When M = 110b Encryption is required for Read or Write access to the User Zone. If Encryption Activation is performed with the key identified in the AK bits of the Password Register, then Read/Write access is granted to the User Zone. A checksum is required for write operations. 115 5276C-RFID-3/09 K.3. Encryption Security Options [88RF] Encryption Communication Security for a User Zone is enabled by programming the Access Register (AR) and Key Register (KR) for the zone. The Communication Security Mode (M) bits of the Access Register determine the Communication Security requirements for the User Zone. The Key Register determines which Key Set(s) are used to access the User Zone. Configuration of the AR and KR registers is described in Appendix H. Table 94. M2 0 1 1 1 Selecting Encryption using the Communication Security Mode bits of the Access Register. M1 1 0 1 1 M0 0 0 0 1 Communication Security Mode Authentication for Read / Encryption for Write Encryption for Write Encryption for Read / Write No Authentication or Encryption Required Primary Key (PK) Read / Write Access Read / Write Access Read / Write Access N/A Read-Only Key (ROK) Read Access N/A Read Access N/A Table 94 shows the three Encryption Security options for 88RF PICCs, plus the default setting. By default M = 111b and no Authentication or Encryption Activation is required to access the user memory. K.3.1. M = 010b Security - Authentication for Read / Encryption for Write When M = 010b Authentication is required for Read access to the User Zone. Encryption Activation is required for Write Access to the User Zone. If Authentication is performed with the key identified in the ROK bits of the Key Register, then Read-Only access is granted to the User Zone. If Encryption Activation is performed with the key identified in the PK bits of the Key Register, then Read/Write access is granted to the User Zone. A checksum is required for write operations. The M = 010b mode is a new feature in 88RF PICCs. This mode is not available in 88SC devices. K.3.2. M = 100b Security - Encryption for Write When M = 100b Encryption is required for Write access to the User Zone. If Encryption Activation is performed with the key identified in the PK bits of the Key Register, then Read/Write access is granted to the User Zone. Read-Only access does not require Authentication or Encryption Activation. A checksum is required for write operations. The M = 100b mode is a new feature in 88RF PICCs. This mode is not available in 88SC devices. K.3.3. M = 110b Security - Encryption for Read / Write When M = 110b Encryption is required for Read or Write access to the User Zone. If Encryption Activation is performed with the key identified in the PK bits of the Key Register, then Read/Write access is granted to the User Zone. If Encryption Activation is performed with the key identified in the ROK bits of the Key Register, then Read-Only access is granted to the User Zone. A checksum is required for write operations. If the PK and ROK bits of the Key Register select the same Key Set, then the Read-Only function is effectively disabled. Encryption Activation of 88RF PICCs with the PK key results in behavior identical to 88SC devices. The Read-Only function is not supported by 88SC devices. 116 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C K.4. The Password Register [88SC] The Password Registers are used to select the Key Sets for Authentication or Encryption Communication Security on 88SC PICCs. Any Key Set can be used with any User Zone by programming the Password Register for the User Zone with the appropriate AK and POK values. One Key Set can be used with any number of User Zones. Figure 36. Bit 7 AK1 1 Definition of the User Zone Password Registers on 88SC PICCs. Bit 6 AK0 1 Bit 5 POK1 1 Bit 4 POK0 1 Bit 3 RFU 1 Bit 2 PW2 1 Bit 1 PW1 1 Bit 0 PW0 1 Default Value The Authentication Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register bits determine the Communication Security mode associated with the AK bits. Table 95. AK1 0 0 1 1 Coding of the Authentication Key Set select bits for CryptoRF communication security. AK0 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 The Program-Only Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register bits determine the Communication Security mode associated with the POK bits. The POK bits are only used in Dual Access Authentication mode. Table 96. POK1 0 0 1 1 Coding of the Program-Only Key Set select bits for CryptoRF communication security. POK0 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 117 5276C-RFID-3/09 K.5. The Key Register [88RF] The Key Registers are used to select the Key Sets for Authentication or Encryption Communication Security on 88RF PICCs. Any Key Set can be used with any User Zone by programming the Key Register for the User Zone with the appropriate PK and ROK values. One Key Set can be used with any number of User Zones. Figure 37. Bit 7 PK1 1 Definition of the Key Registers on 88RF PICCs. Bit 6 PK2 1 Bit 5 ROK1 1 Bit 4 ROK2 1 Bit 3 RFU 1 Bit 2 PW2 1 Bit 1 PW1 1 Bit 0 PW0 1 Default Value The Primary Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register M bits determine the Communication Security mode associated with the PK bits. Table 97. PK1 0 0 1 1 Coding of the Primary Key Set select bits for CryptoRF communication security. PK2 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 The Read-Only Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register M bits determine the Communication Security mode associated with the ROK bits. For some Communication Security modes the ROK register bits are not used. Table 98. ROK1 0 0 1 1 Coding of the Read-Only Key Set select bits for CryptoRF communication security. ROK2 0 1 0 1 Authentication Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Encryption Key Session Key S0 Session Key S1 Session Key S2 Session Key S3 118 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C K.6. Key Sets CryptoRF has four Key Sets. Each Key Set is associated with four registers in the Configuration Memory. The Authentication Key is stored in the Secret Seed Gi register. The Authentication Attempt Counter for Secret Seed Gi is stored in the AACi register. The Cryptogram Ci register is used during Authentication Activation and Encryption Activation procedures to store the response to the Host challenge. The Session Key Si register is used to store the Encryption Activation key. Figure 38. Partial Configuration Memory map showing the Key Set Registers. $0 $50 $58 $60 $68 $70 $78 $80 $88 $90 $98 $A0 $A8 AAC3 AAC2 AAC1 AAC0 $1 $2 $3 $4 Cryptogram C0 Session Encryption Key S0 Cryptogram C1 Session Encryption Key S1 Cryptogram C2 Session Encryption Key S2 Cryptogram C3 Session Encryption Key S3 Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Secret Cryptography $5 $6 $7 Figure 38 shows the portion of the Configuration Memory that contains the Key Set registers. The registers shaded in green can always be read, but cannot be written after personalization. The registers shaded in blue cannot be written or read after personalization. Note that all of the Security Fuses must be programmed during personalization for the device secrets to be secure. Key Set i uses registers AACi, Ci, Gi and Si. If AACi is locked, the Key Set i is permanently disabled and any User Zone requiring Key Set i for Authentication or Encryption Activation will no longer be accessible. K.6.1. Changing Keys The Secret Seeds cannot be modified after the Security Fuses are programmed during personalization. The AAC registers cannot be re-written after the Security Fuses are programmed either. This is true even if the SME option in the DCR register is enabled. 119 5276C-RFID-3/09 K.7. AAC Registers The Authentication Attempt Counters contain a value which indicates how many unsuccessful Authentication and Encryption Activation attempts have been made using the Key Index of the corresponding Secret Seed and Session Encryption Key. Table 99, Table 100, and Table 101 show coding of the AAC register. If the AAC reaches the maximum count of 4 or 8 on 88SC PICCs, then the corresponding key set is locked and all subsequent Authentication attempts will fail. If the AAC reaches the maximum count of 15 on 88RF PICCs, then the corresponding key set is locked and all subsequent Authentication attempts will fail. If the AAC contents are corrupted, or are programmed with an undefined value, then the corresponding key set is locked and all subsequent Authentication attempts will fail. The AAC registers can always be read using the Read System Zone command. Table 99. Authentication Attempt Counter Coding for the Default DCR Configuration on 88SC PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts (LOCK) AAC Register $FF $EE $CC $88 $00 All Other Values Are Not Supported Table 100. Authentication Attempt Counter Coding for the Extended Trials Allowed DCR Configuration on 88SC PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts (LOCK) AAC Register $FF $FE $FC $F8 $F0 $E0 $C0 $80 $00 All Other Values Are Not Supported 120 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 101. Authentication Attempt Counter Coding for 88RF PICCs. Description No Failed Attempts 1 Failed Attempt 2 Failed Attempts 3 Failed Attempts 4 Failed Attempts 5 Failed Attempts 6 Failed Attempts 7 Failed Attempts 8 Failed Attempts 9 Failed Attempts 10 Failed Attempts 11 Failed Attempts 12 Failed Attempts 13 Failed Attempts 14 Failed Attempts 15 Failed Attempts (LOCK) AAC Register $55 $56 $59 $5A $65 $66 $69 $6A $95 $96 $99 $9A $A5 $A6 $A9 $AA All Other Values Are Not Supported 121 5276C-RFID-3/09 K.8. Encryption Activation Authentication Activation must be performed prior to Encryption Activation. The Mutual Authentication is performed in steps 1 thru 7, and Encryption Activation in steps 8 thru 11 of the following procedure. The Host reads the PICC ID from Nc (or another equivalent memory location) and calculates the diversified key matching the PICC Secret Seed G. G = F1(K, ID, x, y, z) 2. The Host reads AACi and Ci from card. 3. The Host generates a Random Number QA and calculates challenge CHA and other parameters with the cryptographic engine: [CHA, CA, SA] = F2(G, C, QA) 4. The Host Sends Verify Crypto Command with Key Index $0i: Verify Crypto ($0i, QA, CHA) 5. The PICC calculates challenge CH and other parameters using QA from the host with the cryptographic engine: [CH, CiA, SiA] = F2(Gi, Ci, QA) 6. The PICC compares the internally calculated challenge CH to the value received from the host. If CH = CHA then the host is authenticated and the card writes the calculated values of CiA to the Ci register and SiA to the Si register. The AACi is cleared, Authentication Communication Security mode is activated, and an ACK response is returned to the host. 7. The Host reads the new AACi and CiA from Ci register of the PICC and compares it to the calculated CA from step 3. If CA = CiA then the card is authenticated. The Mutual Authentication procedure is complete. 8. The Host generates a Random Number QE and calculates challenge CHE and other parameters with the cryptographic engine: [CHE, CE] = F2(SiA, CiA, QE) 9. The Host Sends Verify Crypto Command with Key Index $1i: Verify Crypto ($1i, QE, CHE) 10. The PICC calculates challenge CH and other parameters using QE from the host with the cryptographic engine: [CH, CiE] = F2(SiA, CiA, QE) 11. The PICC compares the internally calculated challenge CH to the value received from the host. If CH = CHE then the host is authenticated and the card writes the calculated value of CiE to the Ci register. The AACi is cleared, Encryption Communication Security mode is activated, and an ACK response is returned to the host. The Secret Seed Gi value in the PICC never changes after it is locked at personalization. The AACi, and Ci registers are written (by the PICC) each time a Verify Crypto command is received by the PICC. The Si register is written (by the PICC) each time the Mutual Authentication procedure succeeds. If the Host receives a NACK response from the PICC, then the Mutual Authentication procedure can be retried starting with step 2. Figure 35 shows the Authentication Activation procedure as a flowchart. Figure 39 shows the Encryption Activation procedure as a flowchart. 1. 122 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Figure 39. Encryption Activation Procedure Host System Operations START Encryption Activation i = Card Key Set Number (Same i as used for Authentication) CryptoRF Card Operations Receive Verify Crypto Command with QE and ChE Note: CryptoRF Card must be in Authentication Mode before Starting Encryption Activation Session Key SA Cryptogram CA Is card in Authentication Mode ? YES NO Generate Random Number QE Calculate Challenge ChE, Cryptogram CE, SE (not used) with SA, CA, QE using F2 Function Is Key Index Correct ? YES NO Store CE Is AACi Max ? Send Verify Crypto Command with QE and ChE Goto START Authentication Receive Response Verify Crypto Command NO YES Response YES Do you want to retry ? NO END (FAILURE) Calculate Challenge CH, Cryptogram CiE, SiE (not used) with SiA, CiA, QE using F2 Function Session Key SiA Cryptogram CiA Encryption Activation Failed YES Is Response NACK ? NO Does ChE match CH ? NO Response is Unknown YES NO Increment and Store AACi Response is ACK Store CiE Read AACi Clear AACi Send ACK Response NO Card enters Encryption Mode Is AACi Cleared ? YES Send NACK Response Card enters Normal Mode Read System Zone Command Answer with AACi Return Data Encryption Activation Complete Host enters Encryption Mode END Encryption Activation 123 5276C-RFID-3/09 K.8.1. Key Index The Key Index byte of the Verify Crypto command selects the Key Set that the PICC uses to perform the Mutual Authentication and Encryption Activation procedure. Table 102. Key Index coding for the Verify Crypto command Key Secret Seed G0 Secret Seed G1 Secret Seed G2 Secret Seed G3 Session Encryption Key S0 Session Encryption Key S1 Session Encryption Key S2 Session Encryption Key S3 All Other Values Are Not Supported Key Index $00 $01 $02 $03 $10 $11 $12 $13 K.9. Set User Zone and Checksums The Mutual Authentication and Encryption Activation procedures can be performed before or after the Set User Zone command is sent. It is not necessary to repeat the Mutual Authentication and Encryption Activation procedure when changing User Zones unless the new User Zone requires a different Key Set. If Encryption Communication Security is activated and the application later selects a User Zone that does not require Encryption, the PICC will remain in Encryption Communication Security mode, User Zone data will be encrypted, and all of the Encryption mode requirements will continue to apply. When Encryption Communication Security is active the Host must supply a correct cryptographic checksum when writing data to a User Zone. This is true even if the User Zone Access Register does not require Encryption for access to the zone. K.10. Passwords When Encryption Communication Security is active Passwords are encrypted during communications. The Host is required to encrypt the three password bytes when sending the Check Password command. The PICC encrypts any password bytes that are accessed with the Read System Zone command. The Host is required to encrypt any password bytes when sending the Write System Zone command. K.11. Deactivating Encryption Communication Security Once activated, the PICC will remain in Encryption Communication Security mode until a security error occurs, a new Verify Crypto command is received, RF power is removed, or a DESELECT command or IDLE command is received. In some applications it is necessary to deactivate Encryption Communication Security so that data can be written to a User Zone that has open read/write access without the necessity of computing a cryptographic checksum. While there are several possible ways to reset the cryptographic engine and exit the Encryption Communication Security mode, it is recommended that the Send Checksum command be used for this purpose. If the PICC receives a Send Checksum command containing an incorrect checksum, the PICC resets the cryptographic engine, returns to Normal Communication mode, and returns a NACK response to the host. The AACi register is not incremented by the PICC when a bad checksum is received, so there is no penalty for using Send Checksum to exit Authentication or Encryption mode. 124 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix L. Understanding Anti-Tearing Anti-tearing is an optional feature that protects a write operation from being corrupted due to PICC power loss during the write operation. This feature can be enabled as needed by the Host during a transaction, it is not controlled by any configuration register. L.1. Tearing Explained A tearing attack on a Smartcard transaction involves quickly removing a card from the reader before a transaction has been completed. The object of a tearing attack is to remove the card from the reader after the Host application has granted access to a product, but before the cost of the product has been deducted from the value stored on the card. Both contact and contactless Smartcard transactions may be attacked in this manner. A tearing attack often results in corruption of a portion of the data stored in the Smartcard. Tearing attacks can be prevented from succeeding by careful application software development; if access to a product is not granted until after a Smartcard value debit has occurred, then the attacker cannot achieve his objective. However data corruption can occur if any Smartcard transaction is interrupted due to power loss. L.2. CryptoRF Anti-Tearing CryptoRF is designed with an anti-tearing feature that prevents data corruption in the event a memory write operation is interrupted. Activating the anti-tearing feature impacts both the transaction time and the memory write endurance of the PICC, so it should be activated only for critical data write operations. Figure 40 illustrates how a CryptoRF PICC performs an anti-tearing write. A CryptoRF anti-tearing write is a four step process. The data is written to a buffer EEPROM memory before being written to the final EEPROM memory location. The EEPROM Anti-Tearing Flag indicates if an anti-tearing write is in progress, or is completed. The Anti-Tearing Flag is checked each time the PICC is powered up. If the flag indicates a write was in progress, then the anti-tearing write will be completed before the PICC is allowed to accept any commands. The memory address and data are written to a buffer EEPROM in step 1, followed by writing the Anti-Tearing Flag in Step 2. In step 3 the data in the buffer EEPROM is written to the address sent with the write command (the final EEPROM memory location). The Anti-Tearing flag is cleared in step 4, and the ACK response is returned to the PCD. If power is interrupted before step 2 is completed, then the write operation fails; the EEPROM contents are unchanged, and the Anti-Tearing Flag is not set to indicate an anti-tearing write is in progress. If power is interrupted after step 2 is complete, then the Anti-Tearing flag is set; when the PICC is next powered up, the anti-tearing write will be completed as part of the POR process. If power is interrupted during step 3 or 4, the Anti-Tearing Flag will be set and the write will be completed on the next POR. 125 5276C-RFID-3/09 Figure 40. CryptoRF Anti-Tearing Write Process START Receive Anti-Tearing Write Command Transmit NACK Response NO PICC Power OK ? YES END Write to Anti-Tearing Buffer STEP 1 Write Anti-Tearing Flag STEP 2 Write Data to Final EEPROM Location STEP 3 Clear Anti-Tearing Flag STEP 4 Transmit ACK Response END 126 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Table 103 shows the consequences of a tearing attack occurring at each step during an anti-tearing write. The EEPROM contents at the address being written will either remain unchanged, or will be written with the new data. The EEPROM is not corrupted by power interruption during an anti-tearing write operation. Table 103. Step 1 2 3 4 Consequences of a Tearing Event during an Anti-Tearing Write Description Write Buffer Memory Write Anti-Tearing Flag Write Final Memory Clear Anti-Tearing Flag Result if Power is interrupted Mid-Step Original EEPROM Contents are Unchanged Original EEPROM Contents are Unchanged Anti-Tearing Write Completes on POR Anti-Tearing Write Completes on POR L.3. Performance Impact of Anti-Tearing Anti-tearing impacts the CryptoRF write transaction time in two ways. First, the maximum length of a write command is limited to 8 bytes when anti-tearing is active. Second, the response time of a write command is increased by approximately four times due to additional EEPROM memory writes which occur when anti-tearing is active. If anti-tearing is used to write 8 bytes of data, the net result is an increase in the transaction time of only 5 milliseconds. When large amounts of data are written, the increase in transaction time is significant. Writing the entire 128 byte User Zone on AT88RF04C takes 155 milliseconds with anti-tearing, but only 47 milliseconds without anti-tearing. Writing the entire 256 byte User Zone on AT88SC3216CRF takes 292 milliseconds with anti-tearing, but only 54 milliseconds without anti-tearing. Table 104. CryptoRF Family Write Characteristics with Anti-Tearing Write Characteristics Standard Write 1 to 16 bytes 1 to 16 bytes 1 to 16 bytes 1 to 32 bytes 1 to 32 bytes Anti-Tearing Write 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes 1 to 8 bytes CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 127 5276C-RFID-3/09 L.4. Reliability Impact of Anti-Tearing Each byte of the CryptoRF EEPROM user memory and configuration memory is rated for 100k write cycles minimum. The entire memory can be written at least 100,000 times without wearing out any of the EEPROM memory bits. Table 105. CryptoRF Family Write Endurance with Anti-Tearing Parameter Write Endurance (each Byte) Anti-Tearing Write Endurance Min 100,000 50,000 Typical Max Units Write Cycles Writes All anti-tearing write commands sent to a PICC are processed in a single buffer EEPROM memory before being written to the final EEPROM memory location. As a result, the write endurance for anti-tearing writes is a per-unit specification, not a per-byte specification. A minimum of 50,000 anti-tearing write commands can be processed without wearing out any of the buffer EEPROM bits, or the EEPROM Anti-Tearing Flag bits. L.5. Activating Anti-Tearing Anti-Tearing can be used for either User Zone or Configuration Memory writes on 88SC PICCs. Anti-Tearing is available for User Zone writes only on 88RF PICCs. Activation of this optional feature is described in this section. The Set User Zone command is used to activate the anti-tearing feature when writing the user memory. To turn antitearing on, send a Set User Zone command with bit 7 in the PARAM byte set to 1b. Any Write User Zone command that is received following anti-tearing activation will automatically use the anti-tearing write process. To turn anti-tearing off, send a Set User Zone command with bit 7 in the PARAM byte set to 0b. All subsequent Write User Zone commands will automatically use the normal write process. Figure 41. Bit 7 AT Definition of the PARAM byte of the Set User Zone command. Bit 6 0 Bit 5 0 Bit 4 0 Bit 3 Bit 2 Bit 1 Bit 0 User Zone When writing the Configuration Memory on 88SC PICCs the anti-tearing function is controlled by the PARAM byte of the Write System Zone command. Table 106 shows the PARAM byte options. If the PARAM byte of the Write System Zone command is $80, then the anti-tearing write process is used. If the PARAM byte of the Write System Zone command is $00, then the normal write process is used. Table 106. PARAM byte options for the Write System Zone command for 88SC PICCs. Command Write System Zone Write System Zone w A/T Write Fuse Byte PARAM $00 $80 $01 ADDR Address Address Fuse ADDR "L" # of bytes - 1 # of bytes - 1 $00 DATA "L + 1" bytes "L + 1" bytes 1 byte All Other Values Are Not Supported 128 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix M. Personalization of the Anticollision Registers There are several registers that define the polling response of CryptoRF, which are written during the personalization process. The ISO/IEC 14443 Part 3 requirements must be considered when programming these registers. Incorrect personalization of these registers may cause readers to reject cards or to become confused and unable to complete the transaction. This appendix describes the requirements for programming the polling registers for operation with ISO/IEC 14443 compliant readers and systems. M.1. Anticollision Procedure The RF reader (PCD) searches for Type B cards by issuing REQB or WUPB polling commands. These commands contain an AFI (Application Family Identifier) code to poll for only cards with a matching AFI code. Applications supporting multiple cards may also poll using the Slot MARKER command. See Appendix N for a detailed description of the anticollision procedures. The answer to any of these polling commands is called the ATQB response. This response contains a card serial number (PUPI), which is used to identify a specific card during the anticollision process, along with three protocol bytes. The protocol bytes tell the PCD what communication capabilities and options the card supports, and are used by the reader to configure itself for optimum communications with the card. M.2. Anticollision Registers The ATQB response of CryptoRF contains several values that are located in registers in the anticollision section of the System Zone (see Figure 42 and Figure 43). The values stored in the following registers are used during anticollision: PUPI, APP, RBmax, AFI. Figure 42. Memory Map of Anticollision Registers in the System Zone of 88SC PICCs. $0 $00 $08 RBmax AFI $1 PUPI MTZ $2 $3 $4 $5 APP CMC $6 $7 Anticollision Figure 43. Memory Map of Anticollision Registers in the System Zone of 88RF PICCs. $0 $1 PUPI RBmax AFI MTZ CMC $2 $3 $4 $5 APP HWR $6 $7 Anticollision $00 $08 The REQB/WUPB polling command and response are shown in Figure 44 with color-coding which matches Figure 42 and Figure 43. Nine bytes of the ATQB response are customer programmable on CryptoRF. In addition, the AFI code used for selection of cards for a particular application during anticollision is also customer configured. 129 5276C-RFID-3/09 Figure 44. CryptoRF Response to an REQB or WUPB polling command. Reader PICC Command > $05 AFI PARAM CRC1 CRC2 ATQB Response > $50 PUPI 0 PUPI 1 PUPI 2 PUPI 3 APP 0 APP1 APP 2 APP 3 Protocol 1 Protocol 2 Protocol 3 CRC1 CRC2 SUCCESS RESPONSE System Zone Byte $00 System Zone Byte $01 System Zone Byte $02 System Zone Byte $03 System Zone Byte $04 System Zone Byte $05 System Zone Byte $06 System Zone Byte $07 $00 System Zone Byte $08 $51 The definitions of the polling configuration registers in the System Zone are listed below along with any restrictions which ISO/IEC 14443 Part 3 places on the register values. Pseudo Unique PICC Identifier (PUPI) PUPI is a 32 bit serial number defined by the customer during personalization; the PUPI is usually unique. This code is transmitted as part of the ATQB response during anticollision. PUPI may be set to any value. 130 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Application Data (APP) APP is an additional 32 bits of information transmitted as part of the ATQB response. This field is defined by the customer during personalization. The fourth byte is programmed by Atmel at the factory with a memory density code (see Table 107); this byte can be redefined by the card manufacturer if desired. APP may be set to any value. Table 107. Default Value of APP 3 Byte. This Register can be Changed. Density Code $22 $33 $44 $54 $64 Device Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Receive Buffer Max Code (RBmax) This 8-bit register is transmitted as Protocol 2 byte of the ATQB response. This register is programmed by Atmel with the receive buffer maximum frame size code. This field can be reprogrammed by the customer during personalization if desired. The value of this protocol byte is restricted by ISO/IEC 14443 Part 3 to the values $00, $10, $20, $30, $40, $50, $60, $70, or $80 only. Use of an unapproved value in this register is likely to cause PCDs to malfunction. The Protocol 2 byte of the ATQB response is defined in ISO/IEC 14443 Part 3, section 7.9 . This byte contains the Part 4 compliance code in the lower 4 bits and the code for the maximum frame size supported by the card in the upper 4 bits. CryptoRF must return a value of $0 in the Part 4 compliance bits to indicate the PICC does not support the optional ISO/IEC 14443 Part 4 Active State protocol. The coding of the card maximum frame size bits is shown in Table 108. Table 108. Bit 7 0 0 0 0 0 0 0 0 1 PICC Maximum Frame Size Codes defined in ISO/IEC 14443 Part 3. Bit 6 0 0 0 0 1 1 1 1 0 Bit 5 0 0 1 1 0 0 1 1 0 Bit 4 0 1 0 1 0 1 0 1 0 Max Frame 16 Bytes 24 Bytes 32 Bytes 40 Bytes 48 Bytes 64 Bytes 96 Bytes 128 Bytes 256 Bytes The PCD will store the lower 4 bits of ATQB protocol byte 2 in a register and echo it back to a selected PICC in the lower 4 bits of ATTRIB parameter byte 3. CryptoRF will not accept an ATTRIB command with a non-zero value in parameter byte 3. Note that intelligent PCDs will reject invalid ATQB responses and will not send invalid ATTRIB commands. 131 5276C-RFID-3/09 Table 109. Default Value of RBmax. This Register should not be Changed. RBmax Code $10 $10 $10 $30 $30 Device Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Application Family Identifier (AFI) This 8 bit register identifies the application family and subfamily. This field is defined by the card manufacturer and is used during the anticollision process to determine which cards will respond to an REQB or WUPB polling command. This value is expected to be a single fixed value for all cards used in a particular system. The upper 4 bits are the application family and the lower 4 bits are the sub-family. The ISO/IEC 14443 Part 3 Type B application family definitions are shown in Table 110. The AFI register will accept any code, however only family codes of $0 to $F and subfamily codes of $1 to $F should be used. AFI Register values of $00, $10, $20, $30, $40, $50, $60, $70, $80, $90, $A0, $B0, $C0, $D0, $E0, and $F0 are prohibited and may cause PCDs to malfunction. Values defined as RFU are reserved for future definition by ISO and may not be supported by all readers. A card using an RFU value for the AFI is not compliant with ISO/IEC 14443 Part 3. Table 110. $0 $1 $2 $3 $4 $5 $6 $7 $8 $9 - $D $E $F Note: "Y" = $1 to $5 Application Family Codes as defined in ISO/IEC 14443 Part 3. AFI Low Bits "Y" "Y" "Y" "Y" "Y" "Y" "Y" "Y" "Y" "Y" "Y" "Y" Application Family Proprietary Transport Financial Identification Telecom Medical Multimedia Gaming Data Storage RFU Travel Documents (MRTD) RFU Portable Files... not currently defined by 14443-3 Y=$1 Passport, Y=$2 Visa, Y=$3 to $F RFU not currently defined by 14443-3 Internet Services... Mass Transit, Bus, Airline... Banking, Retail, Electronic Purse... Access Control... Telephony, GSM... Examples AFI High Bits 132 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C The PICC compares the AFI register with the AFI value received in the REQB or WUPB polling command using the matching criteria defined in ISO/IEC 14443 Part 3. Table 111 shows the AFI matching criteria. Table 111. AFI matching criteria for polling commands received by the PICC. AFI Low Bits $0 $0 "Y" "Y" REQB/WUPB Polling produces a PICC response from: All Families and sub-families All sub-families of Family "X" Only sub-family "Y" of Family "X" Proprietary sub-family "Y" Only AFI High Bits $0 "X" "X" $0 "Y" = $1 to $F "X" = $1 to $F M.3. Summary The CryptoRF anticollision registers provide customers with the capability to customize the response of a CryptoRF PICC to the polling commands. This polling response is used by the PCD to perform anticollision and to determine the communication capabilities of the PICC. Intelligent RF readers will reconfigure themselves based on the contents of the protocol bytes in ATQB and may malfunction if invalid values are returned by the card. For this reason, the values of the CryptoRF anticollision registers must be carefully selected using the guidelines in this appendix. 133 5276C-RFID-3/09 Appendix N. Understanding Anticollision This section of the specification and the flow chart in Figure 45 describe the Anticollision procedure for the CryptoRF family. The command and response definitions are detailed in the "Anticollision Command Definitions" section 5 of this specification. For additional information on the anticollision command coding see section 7 of ISO/IEC 14443 Part 3 or Atmel Application note Understanding the Requirements of ISO/IEC 14443 for Type B Proximity Contactless Identification Cards. When the PICC enters the 13.56 MHz RF field of the host reader (PCD) it performs a power on reset (POR) and waits silently for a valid Type B polling command. The CryptoRF PICC processes the anti-tearing registers as part of the POR process. The PCD initiates the anticollision process by issuing an REQB or WUPB command. The WUPB command activates any card (PICC) in the field with a matching AFI code. The REQB command performs the same function, but does not affect a PICC in the Halt State. The REQB and WUPB commands contain an integer "N" indicating the number of Slots assigned to the anticollision process. If "N" = 1 then all PICCs (with a matching AFI) respond with the ATQB response. If "N" is greater than one, then the PICC selects a random number "R" in the range of 1 to "N" ; if "R" = 1 then the PICC responds with ATQB. If "R" is greater than 1, then the PICC waits for a Slot MARKER command where the slot number "S" is equal to "R", then it responds with ATQB. The PCD polls all of the slots to determine if any PICC is present in the field. The ATQB response contains a PUPI card serial number which is used to direct commands to a specific PICC during the anticollision process. When the PCD receives an ATQB response, it can respond with a matching HLTB command to Halt the PICC, or it can respond with a matching ATTRIB command to assign a Card ID Number (CID) and place the PICC in the Active State. Once placed in the Active State the PICC is ready for transactions using the CryptoRF Active State commands. A PICC in the Active State ignores all commands that do not contain a CID number which matches the CID assigned by the ATTRIB command. A PICC in the Active State ignores all REQB, WUPB, Slot MARKER, ATTRIB, and HLTB commands. When the PCD receives an ATQB response with a CRC error, then a collision is assumed to have occurred. Typically the PCD will complete transactions with any other PICCs in the field, and then place them in the Halt State using a DESELECT command. The PCD will then issue a new REQB command, causing each PICC in the field (with a matching AFI) that has not been Halted to select a new random number "R". This procedure resolves the conflict between the previously colliding PICCs, allowing the PCD to communicate with them. The anticollision process continues in this manner until all PICCs in the field have completed their transactions. Any command received by the PICC with a CRC error is ignored. Note: ISO/IEC 14443 Part 3 describes two anticollision options for Type B PICCs; the Timeslot option has been implemented in the CryptoRF family. 134 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Figure 45. Anticollision and State Transition Flow Chart Power On Reset Process Anti-Tearing Registers Wait for REQB or WUPB AFI Match ? NO YES Is N = 1? NO Select Random Number "R" in Range 1 to "N" YES Is R = 1? NO Send ATQB Response Wait for Slot Marker = "R" REQBor WUPB Matched Slot Marker Wait for ATTRIB or HLTB with PUPI match HLTB Send Answer to HLTB ATTRIB Receive CID Assignment REQBor WUPB Send Answer to ATTRIB Wait for WUPB HALT State DESELECT ACTIVE State IDLE Active Command Process Active Command Anticollision 135 YES 5276C-RFID-3/09 Appendix O. The ISO/IEC 14443 Type B RF Signal Interface O.1. RF Signal Interface The CryptoRF communications interface is compliant with the ISO/IEC 14443 part 2 and part 3 requirements for Type B. Type B signaling utilizes 10 % amplitude modulation of the RF field for communication from the reader to the card with NRZ encoded data. Communication from card to reader utilizes BPSK load modulation of an 847.5 khz subcarrier with NRZ-L encoded data. The RF field is continuously on for Type B communications. O.2. Data Format Data communication between the card and reader is performed using an LSB first data format. Each byte of data is transmitted with a 0b start bit and a 1b stop bit as shown in Figure 46. The stop bit, start bit, and each data bit are each one elementary time unit (ETU) in length (9.4395 microseconds). Each byte transmission consists of a start bit, 8 data bits (LSB first), and a stop bit. Each byte may be separated from the next byte by extra guard time (EGT). The EGT may be zero or a fraction of an ETU. EGT cannot exceed 57 microseconds for data transmitted by the PCD. EGT for data transmitted by the CryptoRF PICC is programmed to either zero or 2 ETUs using the EGTL bit of the Device Configuration Register (DCR). The position of each bit is measured relative to the falling edge of the start bit. Figure 46. Byte transmission format requirements for type B communications. One Byte Transmission is 10 ETUs long plus EGT Start LSB b0 b1 b2 b3 b4 b5 b6 MSB b7 Stop EGT <-- All bit timing is measured from the falling edge of the Start bit Bit transitions shall occur within (n - 0.125) ETU and (n + 0.125) ETU of the falling edge of start bit EGT is 0 to 57 uS for PCD transmissions Despite the fact that data transmissions occur LSB first, all of the commands, data, and CRC bytes in ISO/IEC 14443 and in this specification are listed in the conventional manner, with MSB on the left and LSB on the right. 136 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C O.3. Frame Format Data transmitted by the PCD or PICC is sent as frames. The frame consists of the start of frame (SOF), several bytes of information, and the end of frame (EOF). The SOF and EOF requirements are shown in Figure 47. Figure 47. Start of Frame (SOF) and End of Frame (EOF) format requirements. 10 to 11 ETUs of "0"s Total Start of Frame Length is 12 to 14 ETUs 2 to 3 ETUs "1"s Start b0 b1 Starte of Frame No Modulation First Byte End of Frame Last Byte 10 to 11 ETUs of "0"s Total Start of Frame Length is 10 to 11 ETUs O.4. Reader Data Transmission The unmodulated 13.56 MHz carrier signal amplitude which is transmitted when the reader is idle is defined as logical "1", while the modulated signal level is defined as logical "0". A frame transmitted by the reader consists of SOF, several bytes of data, a 2 byte CRC_B, and the EOF. Figure 48. Format of a frame transmitted by the reader to the card. Command, Data and CRC_B SOF Data Transmission EOF No Modulation ("1"s) No Modulation ("1"s) 137 5276C-RFID-3/09 O.5. Card Data Transmission The CryptoRF PICC waits silently for a command from the PCD after being activated by the RF field. After receiving a valid command from the PCD, the PICC is allowed to turn on the subcarrier only if it intends to transmit a complete response frame. The PICC response consists of TR1, SOF, several bytes of data followed by a 2 byte CRC_B, and the EOF. The subcarrier is turned off no later than 2 ETUs after the EOF. Figure 49 shows the PICC frame format. When the subcarrier is turned on it remains unmodulated for a time period known as the synchronization time (TR1). The phase of the subcarrier during TR1 defines a logical one and permits the reader demodulator to lock on to the subcarrier signal. The subcarrier remains on until after the EOF transmission is complete. The TR1 transmitted by CryptoRF is 10 to 11 ETUs in duration for all responses. Figure 49. Format of a frame transmitted by the PICC to the reader. Subcarrier On TR1 Subcarrier Off Transmit Data and CRC_B Start of Frame Data Transmission End of Frame Subcarrier Off O.6. Response Timing After the PICC receives a command from the PCD, it is not permitted to transmit a subcarrier during the guard time (TR0). The minimum guard time is 8 ETUs for all command responses. The maximum guard time is defined by the frame waiting time (FWT), except for the ATQB response (response to REQB or Slot MARKER polling commands) which has a maximum TR0 of 32 ETUs. Figure 50. ISO/IEC 14443 Response timing requirements for the card. CRC EOF Unmodulated Carrier PCD (Reader) TR0 TR1 Subcarrier ON No modulation SOF Response Data PICC (Chip) Subcarrier OFF The FWT is the maximum time that a PICC requires to begin a response. The PICC transmits a parameter in the ATQB response to the polling command that tells the reader the worst case FWT. Typical response times for the CryptoRF are listed in Appendix Q of this specification. See Appendix P for signal timing specifications. The PCD is not permitted to modulate the RF field while waiting for a PICC to respond to a command. Modulation of the RF field during a memory read or write operation may corrupt the operation or cause reset of the PICC. 138 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C O.7. CRC Error Detection A 2 byte CRC_B is required in each frame transmitted by the PICC or PCD to permit transmission error detection. The CRC_B is calculated on all of the command and data bytes in the frame. For encrypted data the encryption is performed prior to CRC_B calculation. The SOF, EOF, start bits, stop bits, and EGT are not included in the CRC_B calculation. The two byte CRC_B follows the data bytes in the frame. Figure 51. SOF Location of the two CRC_B bytes within a frame. K data bytes CRC1 CRC2 EOF The CRC_B polynomial is defined in ISO/IEC 14443 and ISO/IEC 13239 as x16 + x12 + x5 + x0. This is a hex polynomial of $1021. The initial value of the register used for the CRC_B calculation is all ones ($FFFF). When receiving information from the reader, the PICC computes the CRC on the incoming command, data, and CRC bytes. After the last bit has been processed the CRC register should contain $0000. In the example illustrated in Figure 51, the CRC_B is calculated on the "K" bytes of data and then appended to the data. CRC1 is the least significant byte and CRC2 is the most significant byte of the CRC_B. If the CRC_B was calculated as $5A6B, then CRC1 is $6B and CRC2 is $5A. O.8. Type A Tolerance The RF Interface is designed for use in multi-protocol applications. It will not latch or lock up if exposed to Type A signals and will not respond to them. The PICC may reset in the presence of Type A field modulation, but is not damaged by exposure to Type A signals. In a typical multi-protocol application the reader will poll for Type B cards and complete all transactions with any Type B cards present in the field. The reader will then poll for Type A cards and complete all transactions with them. The reader alternates between the two types of modulation and protocols. 139 5276C-RFID-3/09 Appendix P. RF Specifications and Characteristics The ISO/IEC 10373-6 Test Methods standard contains the test requirements for characterizing ISO/IEC 14443 devices. ISO/IEC 10373-6 utilizes PICCs in the ID-1 credit card size format for all tests. These test methods and the RF signal interface requirements of ISO/IEC 14443 contain PICC and PCD performance requirements that are dependent on the physical size of the PICC antenna. The ISO/IEC 14443 set of standards do not differentiate PCD and PICC requirements that are PICC antenna size dependent from those that are not. In this Appendix all of the RF requirements are summarized, and antenna size related parameters are identified. P.1. Electrical Characteristics ISO/IEC 14443 devices, including the CryptoRF family, have their performance specified in terms of the RF interface of the PICC and/or the PCD (Reader). Both components of the RF interface must perform within the specified limits for communications to occur. An ISO/IEC 14443 PICC is not expected to operate with PCDs operating outside the specifications. P.1.1. AC Characteristics Table 112. Symbol fs CryptoRF PICC Characteristics [Not PICC Antenna Size Dependent](1) Parameter Load Modulation Subcarrier Frequency (fc / 16) BPSK Load Modulation Phase Shift Min 847.06 Nominal 847.50 180 9.4346 0 8 8 10 9.4395 9.4444 2 10 880 11 5 10 1.6 2.0 Max 847.94 Units kHz Degrees S ETU ETU ETU ETU mS mS mS ISO/IEC Spec. 14443-2 9.2.3 14443-2 9.2.5 14443-2 9.2.1 14443-3 7.1.2 14443-3 7.1.6 14443-3 7.1.6 14443-3 7.1.6 14443-3 5 ETU EGT ATQB TR0 TR0 TR1 TPOR TPOR-AT TWR Note: Elementary Time Unit = Bit Time ( fc /128) Extra Guard Time (PICC to PCD communication) Guard Time (for ATQB response only) Guard Time ( for all other command responses) Synchronization Time Polling Reset Time (no anti-tearing to process) Polling Reset Time (anti-tearing write to process) Write Cycle Time of EEPROM Memory 1. Nominal values at 25 C. Values are based on characterization and are not tested. The RF Interface characteristics of the CryptoRF family are listed in Table 112. Compliance with these specifications has been verified by characterization of PICCs with ID-1 size antennas, but these items are not antenna size dependent. The parameters in Table 112 are guaranteed by design. Appendix O contains illustrations of the RF interface timing parameters. 140 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C P.2. Reader Requirements Table 113. Symbol fc M.I. M.D. ETU EGT TR2 Note: Carrier Frequency Field Modulation Index (PCD to PICC communication) Field Modulation Depth (PCD to PICC communication) Elementary Time Unit = Bit Time ( fc /128) Extra Guard Time (PCD to PICC communication) Frame Delay Time (PICC EOF falling edge to PCD SOF falling edge) ISO/IEC 14443 Reader Requirements [Not PICC Antenna Size Dependent](1) Parameter Min 13.553 8 85.2 9.4346 0 14 Nominal 13.560 11 80.2 9.4395 Max 13.567 14 75.4 9.4444 57 Units MHz percent percent S S ETU 14443-2 9.1.1 14443-3 7.1.2 14443-3 7.1.7 ISO/IEC Spec. 14443-2 6.1 14443-2 9.1.2 1. Nominal values at 25 C. The CryptoRF family has been designed to operate with an ISO/IEC 14443 Type B compliant PCDs meeting the requirements listed in Table 113. CryptoRF has been characterized using PICCs with ID-1 size antennas and ISO/IEC 14443 Type B compliant readers with appropriately sized PCD antennas. The PCD characteristics in Table 113 are not PICC antenna size dependent. P.3. PICC Antenna Size Dependent Specifications Table 114. Symbol H Antenna Size Dependent Characteristics [ID-1 PICC Antennas Only](1) Parameter Unmodulated Operating Magnetic Field Maximum Magnetic Field Exposure (Non-Operating) Load Modulation Amplitude at Hmin (1.5 A/m rms) Load Modulation Amplitude at Hmin (7.5 A/m rms) 18.45 2.68 Min 1.5 Nominal Max 7.5 10 Units A/m rms A/m rms ISO/IEC Spec. 14443-2 6.2 14443-1 4.3.5 mV peak 14443-2 9.2.2 mV peak (test per 10373-6) Note: 1. Nominal values at 25 C. Values are based on characterization and are not tested. The specifications in Table 114 apply to ISO/IEC 14443 PICCs using an ID-1 size antenna only. CryptoRF has been characterized using ID-1 antennas and operates within these limits. The magnetic field limits of ISO/IEC 14443 are measured using a calibration coil defined in ISO/IEC 10373-6 section 2 6.1. This calibration coil integrates the field strength over the 3000 mm area of a typical ID-1 antenna. The Hmin and Hmax limits of 1.5 and 7.5 A/m rms define the expected operating volume of a PCD with an ID-1 size PICC. The PCD is not allowed to generate a magnetic field strength exceeding 7.5 A/m rms. An ID-1 PICC is required to survive continuous exposure to a 10 A/m rms magnetic field without damage; this non-operating specification guarantees a robust PICC RF interface circuit. The Load Modulation Amplitude is measured over the full operating magnetic field strength range using an apparatus defined in ISO/IEC 10373-6 section 7.1. This apparatus uses sense coils to detect the signal generated by a PICC transmitting a message to the PCD. The sense coils are optimized to detect a signal generated by an ID-1 PICC. The ISO/IEC 14443 Load Modulation Amplitude requirements apply to this test apparatus only. 141 5276C-RFID-3/09 P.4. Specifications for Other Antenna Sizes The specifications in Table 114 cannot be applied directly to PICCs with larger or smaller antennas. The characteristics in Table 112 and Table 113 are applicable to a PICC with any antenna dimensions. Load Modulation Amplitude measurements on larger or smaller PICCs would require the design and characterization of a new test apparatus. These measurement results would be dependent on the apparatus and cannot be extrapolated from the existing ISO/IEC 14443 specifications. A reasonable estimate of the Operating Magnetic Field range for a PICC can be made for any PICC antenna size as follows: Determine the area of the PICC antenna by measuring the outside dimensions of the loop antenna. The Magnetic Field strength operating range is inversely proportional to the PICC antenna area (use 3000 mm2 as the ID-1 antenna area). Note however that PCD magnetic field strength must be evaluated with a calibration coil similar in area to the PICC antenna, or the measurement result will not be accurate. Example 1 Guidelines for operation of a 6000 mm2 PICC Antenna. 3000/6000 = 0.5 The minimum Operating Magnetic Field (Hmin) is 1.5 x 0.5 = 0.75 A/m rms. The maximum Operating Magnetic Field (Hmax) is 7.5 x 0.5 = 3.75 A/m rms. This PICC can be expected to survive exposure to a Non-Operating Magnetic Field of 10 x 0.5 = 5.0 A/m rms. Example 2 Guidelines for operation of a 1000 mm2 PICC Antenna. 3000/1000 = 3.0 The minimum Operating Magnetic Field (Hmin) is 1.5 x 3.0 = 4.5 A/m rms. The maximum Operating Magnetic Field (Hmax) is 7.5 x 3.0 = 22.5 A/m rms. This PICC can be expected to survive exposure to a Non-Operating Magnetic Field of 10 x 3.0 = 30.0 A/m rms. Warning: Exposure to magnetic field strengths in excess of 30 A/m rms may be hazardous to your health. P.5. Modulation Index The Modulation Index of the PCD generated magnetic field is measured by placing a calibration coil or wire loop near the PCD antenna. Connect this loop to a high impedance oscilloscope probe and measure the amplitude modulation (ASK) waveform as shown in Figure 52. The PCD amplitude Modulation Index is defined in ISO/IEC 14443 part 2 as the M.I. = (A - B) / (A + B). For Type B operation the PCD modulation index is required to be between 8 % and 14 %. If the PCD modulation is insufficient then the PICC receiver will not successfully decode the transmissions. Excessive modulation reduces the power available to the PICC and may cause it to reset. Figure 52. Measurement of the PCD Amplitude Modulation Index B A Modulation Index = (A-B) (A+B) B A where: A = Unmodulated Signal Amplitude B = Modulated Signal Amplitude Modulation Depth = 142 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C P.6. What is an ID-1 PICC Antenna? ISO/IEC 7810 defines the mechanical requirements for plastic identification cards, including smartcards. The nominal ID-1 card dimensions are 85.6 mm by 53.98 mm, and 0.76 mm thick. There are no antenna dimension requirements in ISO/IEC 7810. Typical antenna dimensions for ID-1 PICCs are described in ISO/IEC 10373-6 section 6.3 as a "Reference PICC" antenna. The outer dimensions of this reference antenna are 72 mm x 42 mm with four concentric turns. The antenna trace width and spacing are both 0.5 mm with a tolerance of +/- 20 %. This is a test antenna; the number of turns required on a real antenna may be more or less than four turns. Additional guidance regarding ID-1 PICC antenna dimensions is provided in Amendment 4 to ISO/IEC 10373-6 in the form of a "Class 1" PICC antenna definition. A "Class 1" PICC has its antenna located entirely within a zone defined by two rectangles centered in the ID-1 dimensions. The external rectangle is 81 mm by 49 mm. The internal rectangle is 64 mm x 34 mm, with a 3 mm corner radius. All antenna turns must be located between these rectangles. Any antenna falling within the "Class 1" dimensions is considered an ID-1 antenna for the purpose of this specification. P.7. Other Characteristics Impacting Performance The ISO/IEC 14443 standards do not guarantee that any compliant PCD will operate with any compliant PICC. A reliable RFID system uses PICCs and PCDs matched to the application, with appropriately sized antennas. Discussion of the numerous factors impacting the performance of RFID systems is beyond the scope of this document. 143 5276C-RFID-3/09 Appendix Q. Transaction Time Q.1. Command Response Times [88SC] The command response time is the time between the end of the frame transmitted by the reader and beginning of the response from the PICC. It consists of the TR0 Guard Time and the TR1 Synchronization Time. Table 115. Command Response Timing for the CryptoRF Command Set for 88SC PICCs. Command REQB/WUPB Slot MARKER ATTRIB HLTB DESELECT IDLE Set User Zone Read User Zone Write User Zone Write User Zone w/ Anti-Tearing Write User Zone Authentication Mode Write User Zone Encryption Mode Write System Zone Write System Zone w/ Anti-Tearing Read System Zone Verify Crypto Send Checksum Send Checksum Authentication Mode Send Checksum Encryption Mode Get Checksum Read Fuse Byte Write Fuse Byte Check Password Note: Typical TR0 (microseconds) 83 83 83 83 83 83 230 93 1725 6690 112 112 1725 6690 93 1870 112 1725 1725 93 93 1725 1725 (1) Maximum TR0 (microseconds) 90 90 90 90 90 90 235 100 2130 8300 120 120 2130 8300 100 2275 120 2130 2130 100 100 2130 2130 Typical TR1 (microseconds) 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 1. Nominal values at 25 C. Values are based on characterization and are not tested. 144 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Q.2. Command Response Times [88RF] The command response time is the time between the end of the frame transmitted by the reader and beginning of the response from the PICC. It consists of the TR0 Guard Time and the TR1 Synchronization Time. Table 116. Command Response Timing for the CryptoRF Command Set for 88RF PICCs. Command REQB/WUPB Slot MARKER ATTRIB HLTB DESELECT IDLE Set User Zone Read User Zone Write User Zone 16 Bytes Write User Zone w/ Anti-Tearing 8 Bytes Write User Zone Authentication Mode 16 Bytes Write User Zone Encryption Mode 16 Bytes Write System Zone 16 Bytes Read System Zone Verify Crypto Send Checksum Send Checksum Authentication Mode Send Checksum Encryption Mode Get Checksum Read Fuse Byte Write Fuse Byte Check Password Note: Typical TR0 (microseconds) 83 83 83 83 83 83 230 93 2424 7087 2424 2424 2424 93 1870 112 1725 1725 93 93 1725 1725 (1) Maximum TR0 (microseconds) 90 90 90 90 90 90 235 100 2700 8000 2700 2700 2700 100 2275 120 2130 2130 100 100 2130 2130 Typical TR1 (microseconds) 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 97 1. Nominal values at 25 C. Values are based on characterization and are not tested. 145 5276C-RFID-3/09 Q.3. Transaction Times [88SC] Typical transaction times for each individual command are listed below. This time includes the command transmission time from the reader, TR0, TR1, and response transmission time from the PICC. The typical transaction times in the table are calculated with zero EGT for both the reader and PICC frames. The maximum transaction times are calculated with EGT = 2 ETUs for both the reader and PICC frames. Table 117. Transaction Time for the CryptoRF Command Set for 88SC PICCs.(1) Command REQB/WUPB Slot MARKER ATTRIB HLTB DESELECT IDLE Set User Zone Read User Zone 1 Byte Read User Zone 16 Bytes Read User Zone 32 Bytes Read User Zone 64 Bytes Write User Zone 1 Byte Write User Zone 8 Bytes Write User Zone w/ AT 8 Bytes Write User Zone 16 Bytes Write User Zone 32 Bytes Read System Zone 1 Byte Read System Zone 16 Bytes Read System Zone 32 Bytes Write System Zone 1 Byte Write System Zone 8 Bytes Write System Zone 16 Bytes Verify Crypto Send Checksum Send Checksum Authentication Mode Send Checksum Encryption Mode Get Checksum Check Password Note: 1. Typical Transaction Time (milliseconds) Maximum Transaction Time (milliseconds) 2.4 2.3 2.0 1.6 1.4 1.4 1.6 1.8 3.2 4.7 7.7 3.4 4.1 9.0 4.8 6.4 1.8 3.2 4.7 3.4 4.1 4.8 4.8 1.6 3.2 3.2 1.9 3.4 2.8 2.6 2.2 1.8 1.6 1.6 1.8 2.0 3.7 5.5 9.2 4.1 4.9 11.0 5.8 7.6 2.0 3.7 5.5 4.1 4.9 5.8 5.7 1.8 3.8 3.8 2.1 4.1 Nominal values at 25 C. Values are based on characterization and are not tested. 146 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Q.4. Transaction Times [88RF] Typical transaction times for each individual command are listed below. This time includes the command transmission time from the reader, TR0, TR1, and response transmission time from the PICC. The typical transaction times in the table are calculated with zero EGT for both the reader and PICC frames. The maximum transaction times are calculated with EGT = 2 ETUs for both the reader and PICC frames. Table 118. Transaction Time for the CryptoRF Command Set for 88RF PICCs. Command REQB/WUPB Slot MARKER ATTRIB HLTB DESELECT IDLE Set User Zone Read User Zone 1 Byte Read User Zone 16 Bytes Read User Zone 32 Bytes Read User Zone 64 Bytes Write User Zone 1 Byte Write User Zone 8 Bytes Write User Zone w/ AT 8 Bytes Write User Zone 16 Bytes Read System Zone 1 Byte Read System Zone 16 Bytes Read System Zone 32 Bytes Write System Zone 1 Byte Write System Zone 8 Bytes Write System Zone 16 Bytes Verify Crypto Send Checksum Send Checksum Authentication Mode Send Checksum Encryption Mode Get Checksum Check Password Note: 1. (1) Typical Transaction Time (milliseconds) 2.4 2.3 2.0 1.6 1.4 1.4 1.6 1.8 3.2 4.7 7.7 3.6 4.5 9.5 5.6 1.8 3.2 4.7 3.6 4.5 5.6 4.8 1.6 3.2 3.2 1.9 3.4 Maximum Transaction Time (milliseconds) 2.8 2.6 2.2 1.8 1.6 1.6 1.8 2.0 3.7 5.5 9.2 4.1 4.9 11.0 6.1 2.0 3.7 5.5 4.1 4.9 6.1 5.7 1.8 3.8 3.8 2.1 4.1 Nominal values at 25 C. Values are based on characterization and are not tested. 147 5276C-RFID-3/09 Appendix R. 88RF PICC Backward Compatibility 88RF PICCs can be configured to operate in the majority of applications developed for 88SC PICCs. Customers migrating from 88SC devices to 88RF devices may be required to change their application software if they are using functions identified in this appendix. R.1. Error Handling When a command packet containing errors is received by an 88SC or 88RF PICC, the status code returned in the NACK response is the first error detected by the logic. The status code returned by 88RF PICCs may be different from the status code returned by 88SC PICCs. R.2. Security Options The Access Register (AR) and Device Configuration Register (DCR) definitions for 88RF PICCs are not exactly the same as the 88SC PICC definitions. Some RFU bits have been assigned new functionality. The changes which impact backward compatibility are summarized here. R.2.1. Program Only Mode 88RF PICCs allows the Program Only Mode in User Zone 1 only. Program Only Mode is not allowed in User Zones 0, 2, or 3. The Access Register PGO bit is RFU for registers AR0, AR2, and AR3. R.2.2. Write Lock Mode 88RF PICCs do not support Write Lock Mode. The Access Register WLM bit is RFU. R.2.3. Unlimited Checksum Read 88RF PICCs do not support Unlimited Checksum Reads. The Device Configuration Register UCR bit is RFU. R.2.4. Extended Trials Allowed The CryptoRF Device Configuration Register ETA bit is RFU. The 88RF PICC attempts limit is always 15; it is no longer configurable. [88SC PICCs allowed 4 or 8 attempts.] R.2.5. Dual Access Mode 88RF PICCs do not support Dual Access Mode. The CryptoRF Access Register bits which selected Dual Access Mode have been assigned to another communication security mode. R.3. Attempt Counters Both the Password Attempts Counters (PACs) and Authentication Attempts Counters (AACs) have been redesigned to allow 15 failed attempts before the Password or Key is locked. The coding of the PAC and AAC registers has been changed to support the increased attempts counts. R.4. Checksums The requirement to supply a valid checksum when performing a write in Encryption Communication mode and Authentication Communication mode is strictly enforced by 88RF PICCs. [88SC PICCs require a valid checksum if the Access Register security mode bits for the current User Zone require that Encryption Communication mode or Authentication Communication mode be active to write the User Zone. If Authentication or Encryption is not required, then 88SC PICCs do not always require that a valid checksum be supplied to perform a write.] 148 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C R.5. Personalization The 88RF PICC fuse bit functionality has been changed to allow enhanced security during the device personalization process. See Appendix F and Appendix G for information. Customers that do not program any of the security fuses until the end of the personalization process will not notice a difference when personalizing 88RF PICCs. 88RF PICCs act the same as 88SC PICCs when the security fuses are in the default state. R.5.1. Write System Zone with Anti-Tearing 88RF PICCs do not support anti-tearing writes using the Write System Zone command. Attempts to activate this option will result in a NACK response. R.5.2. Reserved Memory 88RF PICCs do not allow writes to registers identified in the Configuration Memory Map as reserved. Any attempts to write these registers will be NACKed. Attempts to read the Configuration Memory using a starting address which is a reserved byte will be NACKed. R.5.3. OTP Memory 88RF PICCs have 25 bytes of OTP memory available for customer use in the Configuration Memory; 88SC PICCs have 27 bytes of OTP memory available for customer use. In 88RF PICCs bytes $0E and $0F are the read-only Hardware Revision Register (HWR); in 88SC PICCs these bytes are available for customer use. 149 5276C-RFID-3/09 Appendix S. Ordering Information CryptoRF with 4K bits of User Memory configured as 4 Zones of 128 Bytes each Ordering Code AT88RF04C-MR1G AT88RF04C-MX1G AT88RF04C-MY1G AT88RF04C-WA1 R Module MX1 RFID Tag, 13 mm Square MY1 RFID Tag, 17 mm Round 6 mil wafer, 150 mm diameter 82 pF Package Tuning Capacitor 82 pF Temperature Range Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Industrial (-40 C to 85 C) CryptoRF with 8K bits of User Memory configured as 8 Zones of 128 Bytes each Ordering Code AT88SC0808CRF-MR1 AT88SC0808CRF-MX1 AT88SC0808CRF-MY1 AT88SC0808CRF-WA1 R Module MX1 RFID Tag, 13 mm Square MY1 RFID Tag, 17 mm Round 6 mil wafer, 150 mm diameter 82 pF Package Tuning Capacitor 82 pF Temperature Range Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Industrial (-40 C to 85 C) CryptoRF with 16K bits of User Memory configured as 16 Zones of 128 Bytes each Ordering Code AT88SC1616CRF-MR1 AT88SC1616CRF-MX1 AT88SC1616CRF-MY1 AT88SC1616CRF-WA1 R Module MX1 RFID Tag, 13 mm Square MY1 RFID Tag, 17 mm Round 6 mil wafer, 150 mm diameter 82 pF Package Tuning Capacitor 82 pF Temperature Range Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Industrial (-40 C to 85 C) CryptoRF with 32K bits of User Memory configured as 16 Zones of 256 Bytes each Ordering Code AT88SC3216CRF-MR1 AT88SC3216CRF-MX1 AT88SC3216CRF-MY1 AT88SC3216CRF-WA1 R Module MX1 RFID Tag, 13 mm Square MY1 RFID Tag, 17 mm Round 6 mil wafer, 150 mm diameter 82 pF Package Tuning Capacitor 82 pF Temperature Range Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Industrial (-40 C to 85 C) 150 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C CryptoRF with 64K bits of User Memory configured as 16 Zones of 512 Bytes each Ordering Code AT88SC6416CRF-MR1 AT88SC6416CRF-MX1 AT88SC6416CRF-MY1 AT88SC6416CRF-WA1 R Module MX1 RFID Tag, 13 mm Square MY1 RFID Tag, 17 mm Round 6 mil wafer, 150 mm diameter 82 pF Package Tuning Capacitor 82 pF Temperature Range Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Commercial (-25 C to 70 C) Industrial (-40 C to 85 C) Package Type R Module MX1 RFID Tag MY1 RFID Tag Note: Description 2-lead RF Smart Card Module, XOA2 style, on 35 mm tape, Ag finish, Green(1) 13 x 13 mm Square Epoxy Glass RFID Tag on 35 mm tape, Au finish, Green(1) 17 mm Round Epoxy Glass RFID Tag on 35 mm tape, Au finish, Green(1) 1. Lead-free, halogen-free package. Exceeds RoHS requirements. The ordering codes for CryptoRF in standard packages are listed here. For additional ordering information see CryptoRF and Secure RF Standard Product Offerings at www.atmel.com 151 5276C-RFID-3/09 S.2. Mechanical Mechanical Drawing of Module R Package (XOA2 Style) Ordering Code: AT88RFxxC-MR1G and AT88SCxxxxCRF-MR1 Dimension: Glob Top: Thickness: Pitch: 5.06 x 8.00 [mm] Square - 4.8 x 5.1 [mm] 0.38 [mm] 9.5 [mm] 152 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Mechanical Drawing of MX1 Epoxy Glass RFID Tag Ordering Code: AT88RFxxC-MX1G and AT88SCxxxxCRF-MX1 153 5276C-RFID-3/09 Mechanical Drawing of MY1 Epoxy Glass RFID Tag Ordering Code: AT88RFxxC-MY1G and AT88SCxxxxCRF-MY1 154 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix T. T.1. Errata Lot History Code Register Contents The format of the Lot History Code Register at addresses $10 thru $17 of the Configuration Memory has been changed to contain a Unique Serial Number for each die. The first forty one bits of the register contain the Unique Serial Number, while the other twenty three bits contain additional lot history information. Since this is a read-only register, these bits can be used by customers to uniquely identify a particular die for anticollision, authentication key diversification, or any other purpose required by the application. Figure 53. Addr $10 Contents of UDSN (Lot History Code) Register $10 $11 $12 $13 $14 $15 $16 $17 Read Only Unique Serial Number Other Lot Information This register format change is effective on all CryptoRF products manufactured in July 2008 or later. Prior to July 2008 the contents of the Lot History Code Register are not unique for each die. Atmel reserves the right to modify the format of the contents of the UDSN register without notice. However the UDSN register value is guaranteed to be unique for each die. The register name in the Configuration Memory Maps has been updated to Unique Die Serial Number in revision B of this document to reflect this change. T.2. Read User Zone command As the Read User Zone command reads data from the device's currently selected User Zone the data byte address is internally incremented as each byte is read from memory. If the data byte address increments beyond the end of the current User Zone during a read, then the address will "roll over" to the first byte of the same User Zone. T.3. Read User Zone command PARAM Codes [88RF] The Read User Zone command accepts PARAM = $01, $02, $03 and interprets them as PARAM = $00. The Read User Zone command accepts PARAM = $81, $82, $83 and interprets them as PARAM = $80. In both cases the read operation succeeds, when it should NACKed due to an invalid PARAM. This error will be fixed in future products. Customers are advised that these PARAM values are not supported. T.4. Status Codes [88RF] In the response to each CryptoRF command the PICC returns a Status Code which indicates the state of the device or the reason for failure of a requested operation. 88RF PICCs are known to return misleading Status Codes under certain circumstances: Write User Zone command The Write User Zone command returns Status Code $A1 and NACK when L greater than $0F is sent. A Status Code $A3 is expected. The write operation fails and no data is written. Write System Zone command The Write System Zone command returns Status Code $B0 and ACK when the integrated checksum option is used in the encryption communication mode. A Status Code $00 is expected. The write operation succeeds and the data is written to the EEPROM correctly. The Write System Zone command returns Status Code $C9 and NACK when PARAM = $02 is sent. A Status Code $A1 is expected. The write operation fails and no data is written. The Write System Zone command returns Status Code $00 and NACK when PARAM = $0C and an invalid ADDR is sent. A Status Code $A2 is expected. The operation fails and no data is written. 155 5276C-RFID-3/09 Customers are advised that past and future products may return Status Codes that are different. The ACK/NACK byte reports if a requested operation has passed or failed; the Status code contains additional information. T.5. Encryption Activation Change [88RF] One byte value in the Encryption Activation procedure has been changed to allow 88RF PICCs to be used with the AT88SC018 CryptoMemory Companion chip. This change may impact customers migrating from 88SC PICCs to 88RF PICCs if the Encryption Communication Security mode is used. When the host calculates the Authentication Activation Challenge at step 8 in the procedure in section K.8, a value of $FF must be substituted in the calculation (in place of the actual 88RF PICC AAC value of $55). This change is intentional. 156 AT88SC0808/1616/3216/6416CRF, AT88RF04C 5276C-RFID-3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Appendix U. Revision History Doc. Rev. Date Comments 5276A 5276B 5276C 07/2008 03/2009 03/2009 Initial document release Add all CryptoRF Security Function Specifications. This Specification now requires an LLA license. REMOVED LLA AUGUST 2009 Delete AT88SC0104CRF, AT88SC0204CRF, AT88SC0404CRF Specifications. Add AT88RF04C Specifications. 157 5276C-RFID-3/09 Headquarters Atmel Corporation 2325 Orchard Parkway San Jose, CA 95131 USA Tel: 1(408) 441-0311 Fax: 1(408) 487-2600 International Atmel Asia Unit 1-5 & 16, 19/F BEA Tower, Millennium City 5 418 Kwun Tong Road Kwun Tong, Kowloon Hong Kong Tel: (852) 2245-6100 Fax: (852) 2722-1369 Atmel Europe Le Krebs 8, Rue Jean-Pierre Timbaud BP 309 78054 Saint-Quentin-enYvelines Cedex France Tel: (33) 1-30-60-70-00 Fax: (33) 1-30-60-71-11 Atmel Japan 9F, Tonetsu Shinkawa Bldg. 1-24-8 Shinkawa Chuo-ku, Tokyo 104-0033 Japan Tel: (81) 3-3523-3551 Fax: (81) 3-3523-7581 Product Contact Web Site www.atmel.com Technical Support security@atmel.com Sales Contact www.atmel.com/contacts Literature Requests www.atmel.com/literature I N N O VAT R O N RATP/Innovatron Technology Disclaimer: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN ATMEL'S TERMS AND CONDITIONS OF SALE LOCATED ON ATMEL'S WEB SITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDEN-TAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel's products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life. (c) 2009 Atmel Corporation. All rights reserved. Atmel(R), Atmel logo and combinations thereof, and others are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. Innovatron(R) is a registered trademark of Innovatron. Other terms and product names may be trademarks of others. 5276C-RFID-3/09 |
Price & Availability of AT88SC0808CRF-MX1
 |
|
|
|
|
All Rights Reserved © IC-ON-LINE 2003 - 2022 |
| [Add Bookmark] [Contact Us] [Link exchange] [Privacy policy] |
|
Mirror Sites : [www.datasheet.hk]
[www.maxim4u.com] [www.ic-on-line.cn]
[www.ic-on-line.com] [www.ic-on-line.net]
[www.alldatasheet.com.cn]
[www.gdcy.com]
[www.gdcy.net] |