AT88SC3216CRF-MVB1G Atmel, AT88SC3216CRF-MVB1G Datasheet

no-image

AT88SC3216CRF-MVB1G

Manufacturer Part Number
AT88SC3216CRF-MVB1G
Description
CRYPTOMEMORY 32KBIT 16ZONE MVB
Manufacturer
Atmel
Series
CryptoMemory®, CryptoRF®r

Specifications of AT88SC3216CRF-MVB1G

Rf Type
Read / Write
Frequency
13.56MHz
Features
ISO1444-2, 1444-3, 32-kbits
Package / Case
MVB Module
Lead Free Status / RoHS Status
Lead free / RoHS Compliant
Features
• A Family of Devices with User Memories of 4 Kbits to 64 Kbits
• Contactless 13.56 MHz RF Communications Interface
• Integrated 82 pF Tuning Capacitor
• User EEPROM Memory Configurations:
• 256 byte (2 Kbit) Configuration Memory
• High Security Features
• High Reliability
⎯ ISO/IEC 14443-2:2001 Type B Compliant
⎯ ISO/IEC 14443-3:2001 Type B Compliant Anticollision Protocol
⎯ Tolerant of Type A Signaling for Multi-Protocol Applications
⎯ 64 Kbits Configured as Sixteen 512 byte (4 Kbit) User Zones [AT88SC6416CRF]
⎯ 32 Kbits Configured as Sixteen 256 byte (2 Kbit) User Zones [AT88SC3216CRF]
⎯ 16 Kbits Configured as Sixteen 128 byte (1 Kbit) User Zones [AT88SC1616CRF]
⎯ 8 Kbits Configured as Eight
⎯ 4 Kbits Configured as Four
⎯ Byte, Page, and Partial Page Write Modes
⎯ Self Timed Write Cycle
⎯ User Programmable Application Family Identifier (AFI)
⎯ User-defined Anticollision Polling Response
⎯ User-defined Keys and Passwords
⎯ Read-Only Unique Die Serial Number
⎯ Selectable Access Rights by Zone
⎯ 64-bit Mutual Authentication Protocol (under license of ELVA)
⎯ Encrypted Checksum
⎯ Stream Encryption using 64-bit Key
⎯ Four Key Sets for Authentication and Encryption
⎯ Four or Eight 24-bit Password Sets
⎯ Password and Authentication Attempts Counters
⎯ Anti-tearing Function
⎯ Tamper Sensors
⎯ Endurance : 100,000 Write Cycles
⎯ Data Retention : 10 Years
128 byte (1 Kbit) User Zones [AT88SC0808CRF]
128 byte (1 Kbit) User Zones [AT88RF04C]
CryptoRF
Specification
AT88RF04C
AT88SC0808CRF
AT88SC1616CRF
AT88SC3216CRF
AT88SC6416CRF
®
5276C–RFID–3/09

Related parts for AT88SC3216CRF-MVB1G

AT88SC3216CRF-MVB1G Summary of contents

Page 1

... Integrated 82 pF Tuning Capacitor • User EEPROM Memory Configurations: ⎯ 64 Kbits Configured as Sixteen 512 byte (4 Kbit) User Zones [AT88SC6416CRF] ⎯ 32 Kbits Configured as Sixteen 256 byte (2 Kbit) User Zones [AT88SC3216CRF] ⎯ 16 Kbits Configured as Sixteen 128 byte (1 Kbit) User Zones [AT88SC1616CRF] ⎯ 8 Kbits Configured as Eight ⎯ ...

Page 2

Description ® The CryptoRF family integrates a 13.56 MHz RF interface with CryptoMemory RF tags and contactless smart cards that can benefit from advanced security and cryptographic features. The device is optimized as a contactless secure memory for secure data ...

Page 3

Table of Contents Features .................................................................................................................................................. 1 Description .................................................................................................................................................. 2 1. Introduction.............................................................................................................................................. 5 1.1. Communications .............................................................................................................................. 5 1.2. Scope............................................................................................................................................... 5 1.3. Conventions..................................................................................................................................... 5 2. User Memory............................................................................................................................................ 7 3. Configuration Memory ............................................................................................................................ 8 4. Command Set .......................................................................................................................................... 9 5. Anticollision Command Definitions..................................................................................................... ...

Page 4

Appendix A. Terms and Abbreviations ..................................................................................................... 69 Appendix B. Standards and Reference Documents ................................................................................ 74 Appendix C. User Memory Maps ............................................................................................................... 75 Appendix D. Configuration Memory Maps ............................................................................................... 80 Appendix E. Device Personalization ......................................................................................................... 84 Appendix F. Secure Personalization [88RF] ...

Page 5

... Proximity Integrated Circuit Card – is the tag/card containing the IC and antenna. • RFU: Reserved for Future Use – is any feature, memory location, or bit that is held as reserved for future use by the ISO standards committee or by Atmel. • $xx: Hexadecimal Number – denotes a hex number “xx” (Most Significant Bit on left). ...

Page 6

Each byte contains one or more fields as indicated by lines drawn vertically within the byte. The field in the left half of the byte is the upper nibble of the byte, and the field to the right is the ...

Page 7

... For User Memory Maps see Appendix C. Table 1. CryptoRF User Memory Characteristics CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C User Memory Size User Memory Organization Bits Bytes # Zones ...

Page 8

... Write System Zone commands are used to access the configuration memory. For Configuration Memory Maps see Appendix D. Table 2. Configuration Memory Characteristics CryptoRF Password Sets Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF AT88SC0808/1616/3216/6416CRF, AT88RF04C 8 Key Sets Free For Customer Use 4 Sets 4 Sets 8 Sets 4 Sets ...

Page 9

... Anticollision commands are explicitly defined in ISO/IEC 14443-3:2001. The CryptoRF Active State commands are Atmel defined commands that are compliant with the ISO/IEC 14443-3:2001 requirements. The CryptoRF Active State commands contain the CID code that is assigned to a card when it is selected during the anticollision process ...

Page 10

Anticollision Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. 5.1. REQB / WUPB Polling Commands [$05] The REQB / WUPB command is used to search for PICCs in the ...

Page 11

Command Field Descriptions The Application Family Identifier (AFI) is used to select the family and sub-family of cards which the PCD AFI: is targeting. Only PICCs with a matching AFI code are permitted to answer an REQB or WUPB ...

Page 12

... Table 8. Table 8. Default value of APP3 is the CryptoRF Memory Density Code Device Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF ISO/IEC 14443 communication capabilities reported to the PCD. Protocol: Communication error detection bytes. CRC: 5.1.4. Error Handling If an REQB or WUPB command containing errors is received by the PICC ignored and no response is sent. ...

Page 13

Slot MARKER Command [$s5] The Slot MARKER command can be used to separately identify multiple PICCs in the RF field. The command and response are ISO/IEC 14443-3:2001 compliant. Command > ATQB Response > 5.2.1. Operation Slot MARKER is an ...

Page 14

Table 9. Coding of the slot number within the Slot MARKER command byte. Bit 7 Bit 6 Bit ...

Page 15

ATTRIB Command [$1D] The ATTRIB command is used to select a PICC for a transaction. The command and response are ISO/IEC 14443- 3:2001 compliant. Command > PUPI of PCI > Param 1 > Param 2 > Param 3 > ...

Page 16

Command Field Descriptions PseudoUnique PICC Identifier. This is the card ID used for anticollision, stored in the System Zone. PUPI: ISO/IEC 14443 communication capabilities reported to the PICC. The contents of Param Bytes 1, 2, and Param ...

Page 17

Table 11. Coding of the Card ID in the ATTRIB command and response for 88RF PICCs. Bit 7 Bit 6 Bit ...

Page 18

HLTB Command [$50] The HLTB command places a PICC in the Halt State, where it is not allowed to answer an REQB command. The command and response are ISO/IEC 14443-3 compliant. Command > PUPI of PCI > HLTB Response ...

Page 19

Active State Command Definitions Commands in this section are arranged in order by the hexadecimal code in the command byte. Several of the Active state commands perform multiple functions; the value of the PARAM byte determines which function is ...

Page 20

Table 14. Coding of the Password Attempts Count or Authentication Attempts Count in the 88SC ACK/NACK byte. Hexadecimal Bit Table 15. ...

Page 21

Set User Zone Command [$c1] The Set User Zone command selects the user memory area to be addressed by the Read User Zone and Write User Zone commands. Command > Echo Response > 6.2.1. Operation Before reading and writing ...

Page 22

Table 18. Coding of the User Zone number within the PARAM byte Bit 3 Bit 2 Bit ...

Page 23

Read User Zone Command [$c2] The Read User Zone command reads data from the currently selected User Zone. See Read User Zone (Large Memory) command for the AT88SC6416CRF read command information. Command > PARAM = $00 > Echo Command ...

Page 24

Command Field Descriptions The Card ID assigned by the ATTRIB command. CID: The PARAM byte selects the type of read operation to be performed. PARAM = $00 selects the normal PARAM: Read User Zone command. The starting address of ...

Page 25

Read User Zone (Large Memory) Command [$c2] The Read User Zone (Large Memory) command reads data from the currently selected User Zone. This command format applies to the AT88SC6416CRF device only. Command > PARAM = ADDR H Echo Command ...

Page 26

Command Field Description The Card ID assigned by the ATTRIB command. CID: The PARAM byte is the ADDR H byte of Read User Zone (Large Memory) command. PARAM: Table 21. Definition of the PARAM (ADDR H) byte of the ...

Page 27

Read User Zone Command with Integrated MAC [$c2] [88RF] The Read User Zone command with Integrated MAC reads data from the currently selected User Zone on 88RF PICCs. This command can only be used when the Authentication or Encryption ...

Page 28

Command Field Descriptions The Card ID assigned by the ATTRIB command. CID: The PARAM byte selects the type of read operation to be performed. PARAM: Table 23. PARAM byte options for the Read User Zone command for 88RF PICCs. ...

Page 29

Error Handling If a Read User Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 24. Status Codes ...

Page 30

Write User Zone Command [$c3] The Write User Zone command writes data into the currently selected User Zone. See Write User Zone (Large Memory) command for the AT88SC6416CRF write command information. Command > PARAM =$00 > Echo Command > ...

Page 31

... Write Lock mode or Program Only mode, the maximum number of bytes that can be written is 1 byte. Table 25. Write Characteristics of CryptoRF CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF The data bytes to be written into user memory. DATA: Communication error detection bytes. CRC: 6.6.3. Response Field Description The PICC transmits its assigned card ID in the response. ...

Page 32

Error Handling If a Write User Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 26. Status Codes ...

Page 33

Write User Zone (Large Memory) Command [$c3] The Write User Zone command writes data into the currently selected User Zone. This command format applies to the AT88SC6416CRF device only. Command > PARAM = ADDR H Echo Command > 6.7.1. ...

Page 34

Command Field Descriptions The Card ID assigned by the ATTRIB command. CID: The PARAM byte is the ADDR H byte of Write User Zone (Large Memory) command. PARAM: Table 27. Definition of the PARAM (ADDR H) byte of the ...

Page 35

Error Handling If a Write User Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 29. Status Codes ...

Page 36

Write User Zone Command with Integrated MAC [$c3] [88RF] The Write User Zone command with Integrated MAC writes data into the currently selected User Zone of 88RF PICCs. This command can only be used when the Authentication or Encryption ...

Page 37

Command Field Description The Card ID assigned by the ATTRIB command. CID: The PARAM byte selects the type of write operation to be performed. PARAM: Table 30. PARAM byte options for the Write User Zone command for 88RF PICCs. ...

Page 38

Error Handling If a Write User Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 32. Status Codes ...

Page 39

Write System Zone Command [$c4] The Write System Zone command writes data to the configuration memory. Command > PARAM = $00 > Echo Command > 6.9.1. Operation The Write System Zone command writes data into the configuration memory. As ...

Page 40

... Table 34. Write Characteristics of CryptoRF Configuration Memory CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF The data bytes to be written into configuration memory. DATA: Communication error detection bytes. CRC: 6.9.3. Response Field Descriptions The PICC transmits its assigned card ID in the response. ...

Page 41

Error Handling If a Write System Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 35. Status Codes ...

Page 42

Write System Zone Command with Integrated MAC [$c4] [88RF] The Write System Zone command with Integrated MAC writes data to the 88RF PICC configuration memory. This command can only be used when the Encryption Communication mode is active. This ...

Page 43

Command Field Description The Card ID assigned by the ATTRIB command. CID: The PARAM byte selects the type of write operation to be performed. PARAM: Table 36. PARAM byte options for the Write System Zone command for 88RF PICCs ...

Page 44

Error Handling If a Write System Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 37. Status Codes ...

Page 45

Write System Zone Command, Write Fuse Byte Option [$c4] The Write Fuse Byte Option of the Write System Zone command is used to program the security fuses. Command > PARAM = $01 > $00 > Echo Command ...

Page 46

Table 39. Coding of ADDR for 88SC PICC Fuse Programming Hex Bit 7 Bit Table 40. Coding of ADDR for 88RF PICC Fuse Programming Hex Bit 7 ...

Page 47

Error Handling If a Write System Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 41. Status Codes ...

Page 48

Read System Zone Command [$c6] The System Read command allows reading of system data from the configuration memory. Command > Echo Command > Echo Command > 6.12.1. Operation The Read System Zone command reads from the devices configuration memory. ...

Page 49

Command Field Description The Card ID assigned by the ATTRIB command. CID: The PARAM byte selects the type of read operation to be performed. PARAM: Table 42. PARAM byte options for the Read System Zone command. Command Read System ...

Page 50

Error Handling If a Read System Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 43. Status Codes ...

Page 51

Read System Zone Command, Read Fuse Byte Option [$c6] The Read Fuse Byte Option of the Read System Zone command reads the security fuse byte. Command > PARAM = $01 > ADDR = $FF > $00 > ...

Page 52

Command Field Description The Card ID assigned by the ATTRIB command. CID: The PARAM byte selects the type of read operation to be performed. PARAM must be $01 for Read Fuse PARAM: Byte. Table 44. PARAM byte options for ...

Page 53

Error Handling If a Read System Zone command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 45. Status Codes ...

Page 54

Read System Zone Command, Read Checksum Option [$c6] The Read Checksum Option of the System Read command reads the checksum from the cryptographic engine. Command > PARAM = $02 > ADDR = $FF > $01 > Echo ...

Page 55

Table 46. PARAM byte options for the Read System Zone command. Command Read System Zone Read Fuse Byte Read Checksum The address must be $FF for Read Checksum. ADDR: The number of bytes to read minus 1. L must be ...

Page 56

Verify Crypto Command [$c8] The Verify Crypto command is used to activate the Authentication Communication Security mode and the Encryption Communication Security mode. Command > Echo Command > 6.15.1. Operation The Verify Crypto command is used to perform mutual ...

Page 57

Command Field Description The Card ID assigned by the ATTRIB command. CID: Key Index: Selects the secret key to be used. Encryption Activation uses a Session Encryption Key S Table 48. Key Index coding for the Verify Crypto command ...

Page 58

Error Handling If a Verify Crypto command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 49. Status Codes returned ...

Page 59

Send Checksum Command [$c9] The Send Checksum command is used to authenticate data sent to the PICC in the Authentication Communication Security mode or the Encryption Communication Security mode. Command > Echo Command > 6.16.1. Operation When a Write ...

Page 60

Error Handling If a Send Checksum command containing transmission errors is received by the PICC ignored and no response is sent. The PICC reports errors in the status byte of the response. Table 50. Status Codes returned ...

Page 61

DESELECT Command [$cA] The DESELECT command places a PICC in the Halt State. This command is used at the end of a transaction. Command > Echo Command > 6.17.1. Operation Sending the DESELECT command (with a matching CID) to ...

Page 62

IDLE Command [$cB] The IDLE command resets the PICC and places it in the Idle State. This command is used at the end of a transaction. Command > Echo Command > 6.18.1. Operation Sending the IDLE command (with a ...

Page 63

Check Password Command [$cC] The Check Password command transmits a password for validation. Command > Echo Command > 6.19.1. Operation To read or write data in User Zones that require a password for access the host must carry out ...

Page 64

Table 53. Coding of the Password Index for 4K bit CryptoRF devices Password Index $10 $11 $12 $17 $00 $01 $02 $07 All Other Values Are Not Supported Table 54. Coding of the Password Index for 8K bit and larger ...

Page 65

Response Field Descriptions The PICC transmits its assigned card ID in the response. CID: Acknowledge, the command executed correctly. ACK: Not Acknowledge, the command did not execute correctly. NACK: PICC status code. STATUS: Communication error detection bytes. CRC: 6.19.4. ...

Page 66

Transaction Flow Figure 6. Flowchart of a Typical CryptoRF Transaction Read Write Configuration Configuration Memory Memory In a typical CryptoRF transaction the host performs anticollision, selects a User Zone, and reads or writes the user memory. When a User ...

Page 67

... Data Retention (At 35°C) Read Endurance CryptoRF is fabricated with Atmel’s high reliability CMOS EEPROM manufacturing technology. The write endurance and data retention EEPROM reliability ratings apply to each byte of the user and configuration memory. The optional CryptoRF anti-tearing functions use a single anti-tearing EEPROM buffer memory. Every anti-tearing write operation utilizes the same buffer ...

Page 68

Electrical Characteristics Table 57. Electrical Characteristics Symbol (2) Integrated Tuning Capacitance C T Polling Reset Time (no anti-tearing to process) T POR Polling Reset Time (anti-tearing write to process) T POR-AT Write Cycle Time of EEPROM Memory T WR ...

Page 69

Appendix A. Terms and Abbreviations Abbreviation Definition 88RF Second generation CryptoRF devices. Catalog Number Series: AT88RFxxC 88SC First generation CryptoRF devices. Catalog Number Series: AT88SCxxxxCRF A Unmodulated PCD field amplitude. Used in modulation index calculation. AAC Authentication Attempts Counter. AAC ...

Page 70

... A family of devices with CryptoRF security features and a TWI or ISO/IEC 7816 interface. CryptoRF CryptoRF. Catalog Number Series: AT88SCxxxxCRF and AT88RFxxC. CryptoRF Reader The Atmel ISO/IEC 14443 Type B reader IC. Catalog Number: AT88RF1354 Cryptography Tuning Capacitance. The capacitance between antenna pins AC1 and AC2. C ...

Page 71

Abbreviation Definition Fuse Byte The contents returned when reading the Security Fuses. FWI Frame Waiting Time Integer. Protocol bits communicating the PICC FWT time. FWT Frame Waiting Time. Maximum time the PCD must wait for a PICC response. G Secret ...

Page 72

... RBmax Receive Buffer size code. ATQB protocol byte returned by PICC. RCS Read Checksum. A DCR mode control bit on 88RF PICCs. RF Radio Frequency. Reserved for Future Use. Any feature or bit reserved by ISO or by Atmel. RFU rms Root Mean Square. AT88SC0808/1616/3216/6416CRF, AT88RF04C 72 5276C–RFID–3/09 ...

Page 73

Abbreviation Definition ROK Read Only Key. KR Register bits. ROM Read Only Memory. RW REQB/WUPB command selection code. S Slot Number. A code sent to the PICC with Slot MARKER command Session Key calculated by CMC during Mutual ...

Page 74

... ISO/IEC 14443 and ISO/IEC 10373 standards were developed by the WG8 committee (www.wg8.de). B.2. References Atmel Application Note: Understanding the Requirements of ISO/IEC 14443 for Type B Proximity Contactless Identification Cards. Document 2056x (Available at www.atmel.com) CryptoRF Ordering Codes: CryptoRF and Secure RF Standard Product Offerings. Document 5047x (Available at www ...

Page 75

... CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Memory maps in this section are for reference and are not intended to accurately illustrate the physical page Note: length of each User Memory configuration. The physical page length is equal to the maximum number of bytes that can be written with a standard write command. The Write User Zone command will not write data across page boundaries ...

Page 76

Figure 8. AT88SC0808CRF Memory Map for 8 Kbit User Memory Zone $00 User 0 ― $78 $00 User 1 ― $78 $00 User 2 ― $78 $00 User 3 ― $78 $00 User 4 ― $78 $00 User 5 ― ...

Page 77

Figure 9. AT88SC1616CRF Memory Map for 16 Kbit User Memory Zone $00 User 0 ― $78 $00 User 1 ― $78 $00 User 2 ― $78 $00 User 3 ― $78 $00 User 4 ― $78 $00 User 5 ― ...

Page 78

... Figure 10. AT88SC3216CRF Memory Map for 32 Kbit User Memory Zone $00 User 0 ― $F8 $00 User 1 ― $F8 $00 User 2 ― $F8 $00 User 3 ― $F8 $00 User 4 ― $F8 $00 User 5 ― $F8 $00 User 6 ― $F8 $00 User 7 ― $F8 $00 User 8 ― $F8 $00 User 9 ― $F8 $00 User 10 ― ...

Page 79

Figure 11. AT88SC6416CRF Memory Map for 64 Kbit User Memory Zone $000 User 0 ― $1F8 $000 User 1 ― $1F8 $000 User 2 ― $1F8 $000 User 3 ― $1F8 $000 User 4 ― $1F8 $000 User 5 ― ...

Page 80

... Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Access rights to the Configuration Memory are fixed in logic and are controlled by the security fuses. Refer to Appendix G for access control and fuse information. The Read System Zone and Write System Zone commands are used to access the Configuration Memory. ...

Page 81

Figure 12. Configuration Memory map for AT88RF04C $00 RBmax AFI $08 $10 DCR $18 AR0 KR0 $20 $28 $30 $38 $40 $48 AAC $50 0 $58 AAC $60 1 $68 AAC $70 2 $78 AAC $80 3 $88 ...

Page 82

Figure 13. Configuration Memory map for AT88SC0808CRF $00 RBmax AFI $08 $10 DCR $18 AR0 PR0 $20 AR4 PR4 $28 $30 $38 $40 $48 AAC $50 0 $58 AAC $60 1 $68 AAC $70 2 $78 AAC $80 ...

Page 83

... Figure 14. Configuration Memory map for AT88SC1616CRF, AT88SC3216CRF, AT88SC6416CRF $00 RBmax AFI $08 $10 DCR $18 AR0 PR0 $20 AR4 PR4 $28 AR8 PR8 $30 AR12 PR12 $38 $40 $48 AAC $50 0 $58 AAC $60 1 $68 AAC $70 2 $78 AAC $80 3 $88 $90 $98 $A0 $A8 PAC $B0 PAC $B8 PAC $C0 PAC $C8 PAC $D0 PAC $D8 PAC $E0 PAC $E8 $F0 $F8 5276C–RFID–3/09 ...

Page 84

Appendix E. Device Personalization CryptoRF is delivered with the user memory filled with $FF data and with the security features disabled. Before issuing a CryptoRF PICC to the end user personalized with initial data and the security settings. ...

Page 85

E.1. User Memory Initialization The user memory is initialized by using the Set User Zone command to select a User Zone, and writing the initial data with Write User Zone commands. The data is then verified with Read User Zone ...

Page 86

... Memory. The Transport Password for each CryptoRF device is shown in Table 60. The Transport Password is the same for every device with the same base part number never changed. Table 60. CryptoRF Transport Passwords CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF AT88SC0808/1616/3216/6416CRF, AT88RF04C 86 Transport Password PW Index Password $07 $ ...

Page 87

... Three security fuses are programmed at the end of the personalization process to lock the PICC configuration. The Write Fuse Byte option of the Write System Zone command is used to program the fuses. A fourth fuse, SEC, is already programmed by Atmel before CryptoRF leaves the factory. The fuses can only be programmed in the specified order. ...

Page 88

Appendix F. Secure Personalization [88RF] This appendix describes the optional Secure Personalization mode for 88RF PICCs. This mode allows the device secrets to be written with data encryption, so that eavesdropping on the personalization process cannot compromise the device secrets. ...

Page 89

... Three security fuses are programmed during the personalization process to lock the PICC configuration. The Write Fuse Byte option of the Write System Zone command is used to program the fuses. A fourth fuse, SEC, is already programmed by Atmel before CryptoRF leaves the factory. The fuses can only be programmed in the specified order. The security fuse programming sequence is as follows: 1 ...

Page 90

Figure 19. Configuration Memory map showing Data Encryption Requirements for Fuse State ENC = 0b, SKY = 1b $00 RBmax AFI $08 $10 DCR $18 AR0 KR0 $20 $28 $30 $38 $40 $48 AAC $50 0 $58 AAC ...

Page 91

... Appendix G. Security Fuses There are four fuses which control access to the Configuration Memory. One fuse (SEC) is programmed by Atmel before CryptoRF leaves the factory; the remaining three fuses are programmed during the personalization process. Once a fuse is programmed, it can never be changed. These fuses do not control access to the user memory; user memory access rights are defined in the Access Registers ...

Page 92

The default state of the fuses when CryptoRF leaves the factory is SEC = 0b and the remaining three fuses set to 1b. The left fuse column in Table 62 and Table 63 show the access conditions for this default ...

Page 93

Table 63. Configuration Memory Access control by Security Fuse State for 88RF PICCs. Registers Anticollision (Except MTZ, HWR) Memory Test Zone (MTZ) Hardware Revision (HWR) Read Only ( ) Unique Die Serial Number Access Control (Except Nc, DCR) Nc and ...

Page 94

Appendix H. Configuration of Password and Access Control Registers There are two types of configuration registers in CryptoRF, User Zone access control registers, and Device Configuration Registers. The User Zone Access Registers (AR) set the access requirements for a single ...

Page 95

The three Communication Security Mode control bits: AM0, AM1, and ER control the communication security requirements for the User Zone as shown in Table 65. By default authentication and encryption communication security are disabled. See Appendix K for information on ...

Page 96

H.2. Access Registers (AR) [88RF] There is one Access Register for each User Zone in the user memory. The default state of this register is $FF, which disables all of the optional security features. Figure 24. Definition of the Access ...

Page 97

Table 67. Communication Security Mode options for 88RF PICCs Modify Forbidden mode control. ...

Page 98

Program-Only Key Set selection bits. POK: The Program-Only Key Set selection bits control the key set assigned to a User Zone for communication security. The Access Register bits determine the Communication Security mode. The POK bits are only used if ...

Page 99

Table 71. Coding of the Primary Key Set select bits for CryptoRF communication security on 88RF PICCs. PK1 PK2 Read-Only Key Set selection bits. ROK: The Read-Only Key Set selection bits control ...

Page 100

H.3. Device Configuration Options There are a few configuration options which affect the overall behavior of the CryptoRF PICC. These options are contained in the Device Configuration Register (DCR). H.3.1. Device Configuration Register (DCR) There is one Device Configuration Register ...

Page 101

... No changes to the Configuration Memory are permitted unless the Transport Password has been verified using the Check Password command. Table 75. CryptoRF Family Password Characteristics and Transport Passwords CryptoRF Part Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C User Data Clear Clear Encryption Password Sets ...

Page 102

I.3. The Password and PAC Registers Each password set, along with its associated Password Attempt Counters is stored byte segment in the Password section of the Configuration Memory. Figure 30 illustrates password set “z” in the Configuration ...

Page 103

Table 78. Password Attempt Counter Coding for 88RF PICCs. PAC Register $55 $56 $59 $5A $65 $66 $69 $6A $95 $96 $99 $9A $A5 $A6 $A9 $AA All Other Values Are Not Supported The Password Attempt Counters contain a value ...

Page 104

10b, then the Write Password is required to be verified before a Write User Zone command will be accepted. Data reads are not restricted in this configuration. If read and write password security is enabled by setting ...

Page 105

Table 80. Check Password Command ACK/NACK Coding Bit 7 Bit 6 Bit Password Attempts Count A Check Password response NACK can be coded two different ways, depending on the reason for failure. If ...

Page 106

Appendix J. Using Authentication Communication Security CryptoRF contains security options that can be enabled by the customer at personalization. By default no security is enabled, allowing CryptoRF to operate as a simple RFID EEPROM memory. Enabling Authentication Communication Security on ...

Page 107

J.2. 001b Security – Dual Access Authentication Mode When M = 001b Authentication is required for Read or Write access to the User Zone. If Authentication is performed with the key identified in the POK bits of the ...

Page 108

J.3. 101b Security - Authentication for Write When M = 101b Authentication is required for Write access to the User Zone. If Authentication is performed with the key identified in the PK bits of the Key Register, then ...

Page 109

J.5. The Key Register [88RF] The Key Registers are used to select the Key Sets for Authentication or Encryption Communication Security. Any Key Set can be used with any User Zone by programming the Key Register for the User Zone ...

Page 110

J.6. Key Sets CryptoRF has four Key Sets. Each Key Set is associated with four registers in the Configuration Memory. The Authentication Key is stored in the Secret Seed G stored in the AAC register. The Cryptogram C i response ...

Page 111

J.7. AAC Registers The Authentication Attempt Counters contain a value which indicates how many unsuccessful Authentication attempts have been made using the Key Index of the corresponding Secret Seed. Table 88, Table 89 and Table 90 shows coding of the ...

Page 112

Table 90. Authentication Attempt Counter Coding for 88RF PICCs. AAC Register $55 $56 $59 $5A $65 $66 $69 $6A $95 $96 $99 $9A $A5 $A6 $A9 $AA All Other Values Are Not Supported J.8. Authentication Activation Authentication Communication Security is ...

Page 113

Figure 35. Mutual Authentication Procedure Host System Operations i = Card Key Set Number Alternate Flow (if new "C" already stored) END (FAILURE) YES Do you want to retry ? NO Card Authentication Failed 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C START Authentication Read ...

Page 114

J.8.1. Key Index The Key Index byte of the Verify Crypto command selects the Key Set that the PICC uses to perform the Mutual Authentication procedure. Table 91. Key Index coding for the Verify Crypto command for Mutual Authentication Key ...

Page 115

Appendix K. Using Encryption Communication Security CryptoRF contains security options that can be enabled by the customer at personalization. By default no security is enabled, allowing CryptoRF to operate as a simple RFID EEPROM memory. Enabling Encryption Communication Security on ...

Page 116

K.3. Encryption Security Options [88RF] Encryption Communication Security for a User Zone is enabled by programming the Access Register (AR) and Key Register (KR) for the zone. The Communication Security Mode (M) bits of the Access Register determine the Communication ...

Page 117

K.4. The Password Register [88SC] The Password Registers are used to select the Key Sets for Authentication or Encryption Communication Security on 88SC PICCs. Any Key Set can be used with any User Zone by programming the Password Register for ...

Page 118

K.5. The Key Register [88RF] The Key Registers are used to select the Key Sets for Authentication or Encryption Communication Security on 88RF PICCs. Any Key Set can be used with any User Zone by programming the Key Register for ...

Page 119

K.6. Key Sets CryptoRF has four Key Sets. Each Key Set is associated with four registers in the Configuration Memory. The Authentication Key is stored in the Secret Seed G stored in the AAC register. The Cryptogram C i Activation ...

Page 120

K.7. AAC Registers The Authentication Attempt Counters contain a value which indicates how many unsuccessful Authentication and Encryption Activation attempts have been made using the Key Index of the corresponding Secret Seed and Session Encryption Key. Table 99, Table 100, ...

Page 121

Table 101. Authentication Attempt Counter Coding for 88RF PICCs. AAC Register $55 $56 $59 $5A $65 $66 $69 $6A $95 $96 $99 $9A $A5 $A6 $A9 $AA All Other Values Are Not Supported 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Description No Failed Attempts ...

Page 122

K.8. Encryption Activation Authentication Activation must be performed prior to Encryption Activation. The Mutual Authentication is performed in steps 1 thru 7, and Encryption Activation in steps 8 thru 11 of the following procedure. 1. The Host reads the PICC ...

Page 123

Figure 39. Encryption Activation Procedure Host System Operations i = Card Key Set Number (Same i as used for Authentication) Goto START Authentication YES Do you want to retry ? NO Encryption Activation Failed 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C START Encryption Activation ...

Page 124

K.8.1. Key Index The Key Index byte of the Verify Crypto command selects the Key Set that the PICC uses to perform the Mutual Authentication and Encryption Activation procedure. Table 102. Key Index coding for the Verify Crypto command Key ...

Page 125

Appendix L. Understanding Anti-Tearing Anti-tearing is an optional feature that protects a write operation from being corrupted due to PICC power loss during the write operation. This feature can be enabled as needed by the Host during a transaction, it ...

Page 126

Figure 40. CryptoRF Anti-Tearing Write Process AT88SC0808/1616/3216/6416CRF, AT88RF04C 126 START Receive Anti-Tearing Write Command Transmit PICC NO NACK Power OK Response ? YES END Write to Anti-Tearing Buffer Write Anti-Tearing Flag Write Data to Final EEPROM Location Clear Anti-Tearing Flag ...

Page 127

... When large amounts of data are written, the increase in transaction time is significant. Writing the entire 128 byte User Zone on AT88RF04C takes 155 milliseconds with anti-tearing, but only 47 milliseconds without anti-tearing. Writing the entire 256 byte User Zone on AT88SC3216CRF takes 292 milliseconds with anti-tearing, but only 54 milliseconds without anti-tearing. ...

Page 128

L.4. Reliability Impact of Anti-Tearing Each byte of the CryptoRF EEPROM user memory and configuration memory is rated for 100k write cycles minimum. The entire memory can be written at least 100,000 times without wearing out any of the EEPROM ...

Page 129

Appendix M. Personalization of the Anticollision Registers There are several registers that define the polling response of CryptoRF, which are written during the personalization process. The ISO/IEC 14443 Part 3 requirements must be considered when programming these registers. Incorrect personalization ...

Page 130

Figure 44. CryptoRF Response to an REQB or WUPB polling command. Command > ATQB Response > The definitions of the polling configuration registers in the System Zone are listed below along with any restrictions which ISO/IEC 14443 Part 3 places ...

Page 131

... Device Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Receive Buffer Max Code (RBmax) This 8-bit register is transmitted as Protocol 2 byte of the ATQB response. This register is programmed by Atmel with the receive buffer maximum frame size code. This field can be reprogrammed by the customer during personalization if desired ...

Page 132

... Device Number AT88RF04C AT88SC0808CRF AT88SC1616CRF AT88SC3216CRF AT88SC6416CRF Application Family Identifier (AFI) This 8 bit register identifies the application family and subfamily. This field is defined by the card manufacturer and is used during the anticollision process to determine which cards will respond to an REQB or WUPB polling command. ...

Page 133

The PICC compares the AFI register with the AFI value received in the REQB or WUPB polling command using the matching criteria defined in ISO/IEC 14443 Part 3. Table 111 shows the AFI matching criteria. Table 111. AFI matching criteria ...

Page 134

... The command and response definitions are detailed in the “Anticollision Command Definitions” section 5 of this specification. For additional information on the anticollision command coding see section 7 of ISO/IEC 14443 Part 3 or Atmel Application note Understanding the Requirements of ISO/IEC 14443 for Type B Proximity Contactless Identification Cards. ...

Page 135

Figure 45. Anticollision and State Transition Flow Chart Wait for WUPB 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Power On Reset Process Anti-Tearing Registers Wait for REQB or WUPB AFI Match ? NO YES YES YES Send ATQB Response ...

Page 136

Appendix O. The ISO/IEC 14443 Type B RF Signal Interface O.1. RF Signal Interface The CryptoRF communications interface is compliant with the ISO/IEC 14443 part 2 and part 3 requirements for Type B. Type B signaling utilizes 10 % amplitude ...

Page 137

O.3. Frame Format Data transmitted by the PCD or PICC is sent as frames. The frame consists of the start of frame (SOF), several bytes of information, and the end of frame (EOF). The SOF and EOF requirements are shown ...

Page 138

O.5. Card Data Transmission The CryptoRF PICC waits silently for a command from the PCD after being activated by the RF field. After receiving a valid command from the PCD, the PICC is allowed to turn on the subcarrier only ...

Page 139

O.7. CRC Error Detection A 2 byte CRC_B is required in each frame transmitted by the PICC or PCD to permit transmission error detection. The CRC_B is calculated on all of the command and data bytes in the frame. For ...

Page 140

Appendix P. RF Specifications and Characteristics The ISO/IEC 10373-6 Test Methods standard contains the test requirements for characterizing ISO/IEC 14443 devices. ISO/IEC 10373-6 utilizes PICCs in the ID-1 credit card size format for all tests. These test methods and the ...

Page 141

P.2. Reader Requirements Table 113. ISO/IEC 14443 Reader Requirements [Not PICC Antenna Size Dependent] Symbol fc Carrier Frequency M.I. Field Modulation Index (PCD to PICC communication) M.D. Field Modulation Depth (PCD to PICC communication) ETU Elementary Time Unit = Bit ...

Page 142

P.4. Specifications for Other Antenna Sizes The specifications in Table 114 cannot be applied directly to PICCs with larger or smaller antennas. The characteristics in Table 112 and Table 113 are applicable to a PICC with any antenna dimensions. Load ...

Page 143

P.6. What is an ID-1 PICC Antenna? ISO/IEC 7810 defines the mechanical requirements for plastic identification cards, including smartcards. The nominal ID-1 card dimensions are 85 53.98 mm, and 0.76 mm thick. There are no antenna dimension requirements ...

Page 144

Appendix Q. Transaction Time Q.1. Command Response Times [88SC] The command response time is the time between the end of the frame transmitted by the reader and beginning of the response from the PICC. It consists of the TR0 Guard ...

Page 145

Q.2. Command Response Times [88RF] The command response time is the time between the end of the frame transmitted by the reader and beginning of the response from the PICC. It consists of the TR0 Guard Time and the TR1 ...

Page 146

Q.3. Transaction Times [88SC] Typical transaction times for each individual command are listed below. This time includes the command transmission time from the reader, TR0, TR1, and response transmission time from the PICC. The typical transaction times in the table ...

Page 147

Q.4. Transaction Times [88RF] Typical transaction times for each individual command are listed below. This time includes the command transmission time from the reader, TR0, TR1, and response transmission time from the PICC. The typical transaction times in the table ...

Page 148

Appendix R. 88RF PICC Backward Compatibility 88RF PICCs can be configured to operate in the majority of applications developed for 88SC PICCs. Customers migrating from 88SC devices to 88RF devices may be required to change their application software if they ...

Page 149

R.5. Personalization The 88RF PICC fuse bit functionality has been changed to allow enhanced security during the device personalization process. See Appendix F and Appendix G for information. Customers that do not program any of the security fuses until the ...

Page 150

... AT88SC1616CRF-MR1 AT88SC1616CRF-MX1 AT88SC1616CRF-MY1 AT88SC1616CRF-WA1 CryptoRF with 32K bits of User Memory configured as 16 Zones of 256 Bytes each Ordering Code AT88SC3216CRF-MR1 AT88SC3216CRF-MX1 AT88SC3216CRF-MY1 AT88SC3216CRF-WA1 AT88SC0808/1616/3216/6416CRF, AT88RF04C 150 Package R Module MX1 RFID Tag Square MY1 RFID Tag Round 6 mil wafer, 150 mm diameter Package R Module ...

Page 151

... MY1 RFID Tag Round 6 mil wafer, 150 mm diameter 2-lead RF Smart Card Module, XOA2 style tape, Ag finish, Green Square Epoxy Glass RFID Tag tape, Au finish, Green 17 mm Round Epoxy Glass RFID Tag tape, Au finish, Green www.atmel.com Tuning Capacitor Temperature Range 82 pF Commercial (- ...

Page 152

S.2. Mechanical Mechanical Drawing of Module R Package (XOA2 Style) Ordering Code: AT88RFxxC-MR1G and AT88SCxxxxCRF-MR1 Dimension: Glob Top: Thickness: Pitch: AT88SC0808/1616/3216/6416CRF, AT88RF04C 152 5.06 x 8.00 [mm] Square – 4.8 x 5.1 [mm] 0.38 [mm] 9.5 [mm] 5276C–RFID–3/09 ...

Page 153

Mechanical Drawing of MX1 Epoxy Glass RFID Tag Ordering Code: AT88RFxxC-MX1G and AT88SCxxxxCRF-MX1 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C 153 ...

Page 154

Mechanical Drawing of MY1 Epoxy Glass RFID Tag Ordering Code: AT88RFxxC-MY1G and AT88SCxxxxCRF-MY1 AT88SC0808/1616/3216/6416CRF, AT88RF04C 154 5276C–RFID–3/09 ...

Page 155

... Lot History Code Register are not unique for each die. Atmel reserves the right to modify the format of the contents of the UDSN register without notice. However the UDSN register value is guaranteed to be unique for each die. The register name in the Configuration Memory Maps has been updated to Unique Die Serial Number in revision B of this document to reflect this change ...

Page 156

Customers are advised that past and future products may return Status Codes that are different. The ACK/NACK byte reports if a requested operation has passed or failed; the Status code contains additional information. T.5. Encryption Activation Change [88RF] One byte ...

Page 157

Appendix U. Revision History Doc. Rev. 5276A 07/2008 5276B 03/2009 5276C 03/2009 5276C–RFID–3/09 AT88SC0808/1616/3216/6416CRF, AT88RF04C Date Initial document release Add all CryptoRF Security Function Specifications. This Specification now requires an LLA license. REMOVED LLA AUGUST 2009 Delete AT88SC0104CRF, AT88SC0204CRF, AT88SC0404CRF ...

Page 158

... OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel’ ...

Related keywords