PicoPass 32K(S) Card Operations with the TRF79xxA Texas Instruments S2 MCU NFC/RFID Apps/Systems Team Training Module #6 09/14/2014
Agenda Background TRF79xxA Register Configurations Card Specific Details –Parity Handling on Command Opcodes –CRC16 handling –Command opcodes implementation details inside of code project –Next steps (to do list, as of 09/14/2014) MSP430G2553 LaunchPad code example using the TRF7970A BoosterPack (DLP-7970ABP)
Background Customer is using TRF79xxA for their reader/writer and is looking at using the PicoPass 32K(S) based card/tag devices from Inside Secure. These cards are have the following characteristics: –Carrier frequency: 13.56MHz +/- 7kHz –Data rate : 26kbps (ISO ) 106 or 424kbps (ISO14443B-2 and ISO14443B-3) –Data coding : User can configure : ISO & ISO14443B-2 compliant with protocol auto-detection –Fast anti-collision : Up to 50 chips/s using protocol ISO , and >100 chips using protocol ISO14443B-2 Several chips can operate independently in the field. While these cards are not fully ISO15693 or ISO14443B compliant, they do use the same air interface, so several customers have requested TI to have a look at seeing how they might be used with the TRF79xxA devices. This training and code example is a response to those requests SIDE NOTE: The Nexus S and Galaxy Nexus cannot detect or read the PicoPass cards at all whereas TRF79xxA can get them to respond to standard REQB command. (more details later in presentation)
TRF79xx Configuration for PicoPass ISO15693-like operation Write Control Registers to set up TRF79xx for PicoPass card for ISO (air interface) and Inside Secure 32K(S) commands Chip Status Control Register (0x00) Value 0x21 or 0x20 –0x21 = TX on, full power out, +5VDC operation (~200mW) »Hardware = TRF79x0AEVM, TRF79x0ATB –0x20 = TX on, full power out, +3.3VDC operation (~80mW) »Hardware = DLP-7970ABP (BoosterPack) –ISO Control Register (0x01) Value 0x86 –No RX CRC, ISO15693 high tag bit rate, FSK, 1 of 4 data coding –Modulator/SYS_CLK Control Register (0x09) Value 0xX0 –Modulation Depth = 10%, X = your desired SYS_CLK output NOTE: TRF79x0AEVM MSP430F2370 uses SYS_CLK, whereas systems using TRF79x0ATB or DLP-7970A do not normally use it as the DCO is utilized (i.e. MSP-EXP430F5529, MSP-EXP430F5529LP, MSP-EXP430G2 LaunchPad) –Interrupt Mask Register (0x0D) Value 0x3F –Enables no-response interrupt for when card is not present
TRF7970A Register Configuration Example (in CCS) In the CCS project properties, under Build, Advanced Options, Predefined Symbols, the Pre-Define NAME of ENABLEPICOPASS was added. This technique allows us to “objectify” the support of the protocol throughout the code project, starting with main.c (see below) In this way, a user can comment in/out three lines of code per protocol, then build their project to support what only what is needed, while still having multiple protocols at their disposal in the main MSP430G2553 codebase. 5
In trf7970.c file, #ifdef statement for PicoPass was inserted to accommodate configuring the TRF7970A correctly. This configuration is sent to TRF7970A when PicoPass_ACS function is called from main.c and executed in picopass.c file (first line of code), passing the 0x86 value into trf7970.c write ISO Control function shown above. TRF7970A Register Configuration Example (in CCS) 6
CRC Details These cards use same CRC polynomial equation that is seen in ISO , but use a different CRC start value than what is seen with compliant ISO devices. –Polynomial is 0x8408 –Start (Preset) Value is 0xE012 –Direction Backwards This means that ISO15693-like CRC engine needs to be in firmware now for these cards, but with the different preset value and it need to be sent out accordingly with some of the commands, as TRF79xx has ISO compliant CRC generator built in (and will not be needed for these cards) CRC is not calculated on the command byte, just the data being sent. –For Example Read Operation on Block 1, send CRC with the packet of 0xFA22 (example later) CRC for ISO14443B style operations follows exactly the ISO (for Type B) standard CRC.
Parity Bit Handling for PicoPass Command Opcodes For the command opcodes, the PicoPass cards use 1 byte format. B7 is the parity bit of the byte and is calculated bitwise over B0:B6 using XOR For example: –Command is ACTALL (0xA = ) –K = 0 (should be 0 for all commands other than READCHECK) –M0 = 1 (ISO FSK coding) –M1 = 0 –Parity calculated by XOR’ing B0:B6 to find B7 value –Resulting Byte is: 0xAA = XOR these bits to get B7 (parity bit)
Command Opcodes Used The following PicoPass commands were used with the sample cards in ISO mode: –ACS (three step process) ACTALL 0xAA, response is SOF –TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAA –Expected response (if tag is present) is SOF, otherwise no response interrupt will occur IMPORTANT NOTE: The IRQ Status register (if tag is present) will send back a 0x44, meaning that RX is complete and a framing error was detected (because only an SOF is coming back from tag). The Direct Command 0x96 (Stop Decoders) has to be sent after servicing the interrupt and getting the 0x44 in order for the ISR to handle this response correctly. Another technique might be to use B0 in the Special Functions Register (0x11) to trigger the direct command being sent, but this has not been attempted at this time (09/13/2014) IDENTIFY 0xAC, response is ASNB + CRC –TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAC –Expected response: ASNB = 0x58, 0xB7, 0x6B, 0xE0, 0x00, 0x40, 0x02, 0x1C plus CRC = 0xAC, 0x98 (for this card’s ASNB) SELECT 0x21 + ASNB, expected response is SN + CRC –TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x90, 0x21, ASNB (for the card being used) –Expected response: SN (Contents of Block 0, Chip UID) = E DBAC0, plus CRC = 0xE01B (for this card’s SN) ACS must be performed before other commands are sent to the PicoPass 32K(S)
ACS Function ACS function was implemented in picopass.c file with the three functions (described in the next slides) being called. 10
ACTALL Function (Step 1 of ACS process) Declaration of the ACTALL function, located in picopass.c file To reiterate, in the ISR, a #ifdef ENABLEPICOPASS statement was used to handle the 0x44 IRQ status which occurs because all that comes back from the tag in reply to this being sent out over the air is an ISO15693 SOF. This #ifdef ENABLEPICOPASS statement is in trf7970.c file, ISR section, starting at line
IDENTIFY Function (Step 2 of ACS process) Declaration of the IDENTIFY function, located in picopass.c file This is the second step in the ACS process and returns the Anti-Collision Serial Number (ASNB) plus CRC of the ASNB. To the right is a snippet from the entire function, which is showing the command string the MSP430 sends to the TRF7970A. The TRF7970A will send out the 0xAC byte over the air to the tag 12
SELECT Function (Step 3 of ACS process) Declaration of the SELECT function, located in picopass.c file This is the third step in the ACS process and returns the Serial Number (SN) plus CRC of the SN. To the right is a snippet from the entire function, which is showing the command string the MSP430 sends to the TRF7970A. The TRF7970A will send out the 0x21 + ASNB bytes over the air to the tag. This is showing hardcoded ASNB byte values being used. Next step is to take the ASNB received, put in buffer for use by this command, so any tag presented will be selected. CRC checking should also be implemented. –In this case, for development purposes, an external CRC calculator tool was used to verify that CRC received was correct. 13
Card Operation Codes After ACS procedure, the card is in the “selected” state and other commands are now possible to issue to the tag. For example retrieving a single block of data, reading four blocks of data at once, writing data to the tag in unsecured and secured manners, reading the tag in a secure manner and halting the tag are things now possible. These commands are defined in picopass.h for implementation as declared functions in picopass.c –NOTE: shell structures are present in picopass.c file, with the parity calculated correctly for the commands commented out below for easier implementation later. 14
Card Operation Functions Other functions implemented and described in the rest of the slides were implemented in picopass.c file, in the ACS function call, to demonstrate them working inside the loop. The ISO14443B section is turned on here on the code build, and this card also responds to REQB, so this is why you see it responding twice, once as ISO14443B and then as PicoPass in ISO mode. 15
Card Operation Codes (Implemented as of 09/14/2014) –READ (0xAC + Block Address + CRC) –For example: TRF79xx command string for reading block 1 on tag that has been through ACS command procedure. »0x8F, 0x90, 0x3D, 0x00, 0x40, 0xAC, 0x01, 0xFA, 0x22 –Response will be contents of Block 1 (8 bytes of block data) »0xC1, 0xBA, 0x5D, 0x03, 0x01, 0x00, 0x7F, 0xA0 »Needs to be rotated for display as this is LSByte first format (expected) »Results in 0xA07F DBAC1 »CRC is 0xEC46, also needs to be rotated for display to 0x46EC
Card Operation Codes (Implemented as of 09/14/2014) –READ4 (0xA6 + Starting Block Address + CRC) –For example: TRF79xx command string for reading blocks 3 through 6 on tag that has been through ACS command procedure –0x8F, 0x90, 0x3D, 0x00, 0x40, 0xA6, 0x03, 0xE8, 0x01 –Response will be contents of Blocks 3 through 6 (32 bytes of block data + a CRC)
Card Operation Codes (Implemented as of 09/14/2014) –ACT (0x2E + Starting Block Address + CRC) –For example: TRF79xx command string for reading blocks 3 through 6 on tag that has been through ACS command procedure –0x8F, 0x90, 0x3D, 0x00, 0x10, 0x2E –Response will be SOF (just like ACTALL, so decoders need to be turned off in same way) –HALT (0xA0) –For example: TRF79xx command string for reading blocks 3 through 6 on tag that has been through ACS command procedure –0x8F, 0x90, 0x3D, 0x00, 0x10, 0xA0 –Results in tag not responding anymore while in reader field, until SELECT command is issued, with that tag’s SN
Card Operation Codes (not completely implemented, as of 09/14/2014) The following commands have yet to be completely implemented, but structure is present in code project and parity bits already correctly calculated for each command. –DETECT (0xAF) –This command is for EAS mode (when card has EAS bit set to 0) –UPDATE (0xA0) –This command is for writing a single block of tag memory –PAGESEL (0x24) –This command is for changing book or page being read from –READCHECK (0x28 or 0xB8) –This command is first command in authentication procedure –CHECK (0xA5) –This command is second command in authentication procedure, results in tag authentication the reader and tag replying with 32 bit response for reader to check –UPDATE_SECURED (0x27) –This command is for writing a single block of tag memory, after mutual authentication procedure is completed and successful. Two Step Mutual Authentication Procedure
TO DO: (as of 09/14/2014) Implement CRC generator and checker for 0x8408, with start value of 0xE012 (reversed) Implement dynamic handler of tag ASNB to retrieve tag SN. –Only have 1 tag to work with at this time, and code is proven to work, so now it’s time to go back and clean up. Implement dynamic handler of tag data for READ4 command. Implement DETECT command –To see if tag has EAS bit set to 0 so it will respond Implement UPDATE command –For writing data to tag Implement READCHECK command –For starting the AUTH procedure Other commands left to do (CHECK, UPDATE_SECURED) will require working with INSIDE to make sure keys, etc. are known beforehand to be successful 20