PicoPass 32K(S) Card Operations with the TRF79xxA Texas Instruments S2 MCU NFC/RFID Apps/Systems Team Training Module #6 09/14/2014 Agenda • Background • TRF79xxA Register Configurations • Card Specific Details – Parity Handling on Command Opcodes – CRC16 handling – Command opcodes implementation details inside of code project – Next steps (to do list, as of 09/14/2014) • MSP430G2553 LaunchPad code example using the TRF7970A BoosterPack (DLP-7970ABP) Background • Customer is using TRF79xxA for their reader/writer and is looking at using the PicoPass 32K(S) based card/tag devices from Inside Secure. • These cards are have the following characteristics: – Carrier frequency: 13.56MHz +/- 7kHz – Data rate : • 26kbps (ISO15693-2) • 106 or 424kbps (ISO14443B-2 and ISO14443B-3) – Data coding : User can configure : • ISO15693-2 & ISO14443B-2 compliant with protocol auto-detection – Fast anti-collision : • Up to 50 chips/s using protocol ISO15693-2, and >100 chips using protocol ISO14443B-2 • Several chips can operate independently in the field. • While these cards are not fully ISO15693 or ISO14443B compliant, they do use the same air interface, so several customers have requested TI to have a look at seeing how they might be used with the TRF79xxA devices. • This training and code example is a response to those requests. TRF79xx Configuration for PicoPass ISO15693-like operation • Write Control Registers to set up TRF79xx for PicoPass card for ISO15693-2 (air interface) and Inside Secure 32K(S) commands • Chip Status Control Register (0x00) • Value 0x21 or 0x20 – 0x21 = TX on, full power out, +5VDC operation (~200mW) » Hardware = TRF79x0AEVM, TRF79x0ATB – 0x20 = TX on, full power out, +3.3VDC operation (~80mW) » Hardware = DLP-7970ABP (BoosterPack) – ISO Control Register (0x01) • Value 0x86 – No RX CRC, ISO15693 high tag bit rate, FSK, 1 of 4 data coding – Modulator/SYS_CLK Control Register (0x09) • Value 0xX0 – Modulation Depth = 10%, X = your desired SYS_CLK output NOTE: TRF79x0AEVM MSP430F2370 uses SYS_CLK, whereas systems using TRF79x0ATB or DLP-7970A do not normally use it as the DCO is utilized (i.e. MSP-EXP430F5529, MSP-EXP430F5529LP, MSP-EXP430G2 LaunchPad) – Interrupt Mask Register (0x0D) • Value 0x3F – Enables no-response interrupt for when card is not present – Interrupt Mask Register (0x14) • Value 0x03 – Sets TRF7970A TX FIFO water level IRQ for 32 bytes TRF7970A Register Configuration Example (in CCS) • In the CCS project properties, under Build, Advanced Options, Predefined Symbols, the Pre-Define NAME of ENABLEPICOPASS was added. • This technique allows us to “objectify” the support of the protocol throughout the code project, starting with main.c (see below) • In this way, a user can comment in/out three lines of code per protocol, then build their project to support what only what is needed, while still having multiple protocols at their disposal in the main MSP430G2553 codebase. 5 TRF7970A Register Configuration Example (in CCS) • In trf7970.c file, #ifdef statement for PicoPass was inserted to accommodate configuring the TRF7970A correctly. • This configuration is sent to TRF7970A when PicoPass_ACS function is called from main.c and executed in picopass.c file (first line of code), passing the 0x86 value into trf7970.c write ISO Control function shown above. 6 CRC Details • These cards use same CRC polynomial equation that is seen in ISO15693-3, but use a different CRC start value than what is seen with compliant ISO15693-3 devices. 16 12 5 – Polynomial is 0x8408 x x x 1 – Start (Preset) Value is 0xE012 – Direction Backwards • This means that ISO15693-like CRC engine needs to be in firmware now for these cards, but with the different preset value and it need to be sent out accordingly with some of the commands, as TRF79xx has ISO15693-3 compliant CRC generator built in (and will not be needed for these cards) • CRC is not calculated on the command byte, just the data being sent. – For Example • Read Operation on Block 1, send CRC with the packet of 0xFA22 (example later) • CRC for ISO14443B style operations follows exactly the ISO14443-3 (for Type B) standard CRC. Parity Bit Handling for PicoPass Command Opcodes • For the command opcodes, the PicoPass cards use 1 byte format. • B7 is the parity bit of the byte and is calculated bitwise over B0:B6 using XOR OPCODE (1 byte) B7 B6 B5 B4 P M1 M0 K B3 B2 B1 B0 Instruction • For example: – Command is ACTALL (0xA = 10102) – K = 0 (should be 0 for all commands other than READCHECK) – M0 = 1 (ISO15693-2 FSK coding) – M1 = 0 B7 – Parity calculated by XOR’ing B0:B6 to find B7 value 1 – Resulting Byte is: 0xAA = 101010102 OPCODE (for ACTALL) B6 B5 B4 B3 B2 B1 B0 0 1 0 1 0 1 0 XOR these bits to get B7 (parity bit) Command Opcodes Used • The following PicoPass commands were used with the sample cards in ISO15693-2 mode: – ACS (three step process) • ACTALL 0xAA, response is SOF – TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAA – Expected response (if tag is present) is SOF, otherwise no response interrupt will occur IMPORTANT NOTE: The IRQ Status register (if tag is present) will send back a 0x44, meaning that RX is complete and a framing error was detected (because only an SOF is coming back from tag). The Direct Command 0x96 (Stop Decoders) has to be sent after servicing the interrupt and getting the 0x44 in order for the ISR to handle this response correctly. Another technique might be to use B0 in the Special Functions Register (0x11) to trigger the direct command being sent, but this has not been attempted at this time (09/13/2014) • IDENTIFY 0xAC, response is ASNB + CRC – TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAC – Expected response: ASNB = 0x58, 0xB7, 0x6B, 0xE0, 0x00, 0x40, 0x02, 0x1C plus CRC = 0xAC, 0x98 (for this card’s ASNB) • SELECT 0x21 + ASNB, expected response is SN + CRC – TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x90, 0x21, ASNB (for the card being used) – Expected response: SN (Contents of Block 0, Chip UID) = E0120007035DBAC0, plus CRC = 0xE01B (for this card’s SN) • ACS must be performed before other commands are sent to the PicoPass 32K(S) ACS Function • ACS function was implemented in picopass.c file with the three functions (described in the next slides) being called. 10 ACTALL Function (Step 1 of ACS process) • Declaration of the ACTALL function, located in picopass.c file • To reiterate, in the ISR, a #ifdef ENABLEPICOPASS statement was used to handle the 0x44 IRQ status which occurs because all that comes back from the tag in reply to this being sent out over the air is an ISO15693 SOF. • This #ifdef ENABLEPICOPASS statement is in trf7970.c file, ISR section, starting at line 215. 11 IDENTIFY Function (Step 2 of ACS process) • Declaration of the IDENTIFY function, located in picopass.c file • This is the second step in the ACS process and returns the Anti-Collision Serial Number (ASNB) plus CRC of the ASNB. • To the right is a snippet from the entire function, which is showing the command string the MSP430 sends to the TRF7970A. • The TRF7970A will send out the 0xAC byte over the air to the tag 12 SELECT Function (Step 3 of ACS process) • Declaration of the SELECT function, located in picopass.c file • This is the third step in the ACS process and returns the Serial Number (SN) plus CRC of the SN. • To the right is a snippet from the entire function, which is showing the command string the MSP430 sends to the TRF7970A. • The TRF7970A will send out the 0x21 + ASNB bytes over the air to the tag. • The ASNB received is put in a buffer for use by this command, so any tag presented will be selected. • Next step is to implement CRC checking. – In this case, for development purposes, an external CRC calculator tool was used to verify that CRC received was correct. 13 Card Operation Codes • After ACS procedure, the card is in the “selected” state and other commands are now possible to issue to the tag. • For example, detecting a tag in EAS mode, retrieving a single block of data, reading four blocks of data at once, writing data to the tag in unsecured and secured manners, reading the tag in a secure manner and halting the tag are things now possible. • These commands are defined in picopass.h for implementation as declared functions in picopass.c – NOTE: shell structures are present in picopass.c file, with the parity calculated correctly for the commands commented out below for easier implementation later. 14 Card Operation Functions • Other functions implemented and described in the rest of the slides were implemented in picopass.c file, in the ACS function call, to demonstrate them working inside the loop. 15 Card Operation Codes (Implemented as of 09/14/2014) – DETECT (0xAF) – For example: TRF79xx command string for detecting a tag (in EAS mode) » 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAF – Response will be tag Serial Number (SN) + CRC Card Operation Codes (Implemented as of 09/14/2014) – READ (0xAC + Block Address + CRC) – For example: TRF79xx command string for reading block 1 on tag that has been through ACS command procedure. » 0x8F, 0x90, 0x3D, 0x00, 0x40, 0xAC, 0x01, 0xFA, 0x22 – Response will be contents of Block 1 (8 bytes of block data) » 0xC1, 0xBA, 0x5D, 0x03, 0x01, 0x00, 0x7F, 0xA0 » Needs to be rotated for display as this is LSByte first format (expected) » Results in 0xA07F0001035DBAC1 » CRC is 0xEC46, also needs to be rotated for display to 0x46EC Card Operation Codes (Implemented as of 09/14/2014) – READ4 (0xA6 + Starting Block Address + CRC) – For example: TRF79xx command string for reading blocks 3 through 6 on tag that has been through ACS command procedure » 0x8F, 0x90, 0x3D, 0x00, 0x40, 0xA6, 0x03, 0xE8, 0x01 – Response will be contents of Blocks 3 through 6 (32 bytes of block data + CRC) Card Operation Codes (Implemented as of 09/14/2014) – ACT (0x2E + Starting Block Address + CRC) – For example: TRF79xx command string for reading blocks 3 through 6 on tag that has been through ACS command procedure – 0x8F, 0x90, 0x3D, 0x00, 0x10, 0x2E – Response will be SOF (just like ACTALL, so decoders need to be turned off in same way) – HALT (0xA0) – For example: TRF79xx command string for reading blocks 3 through 6 on tag that has been through ACS command procedure – 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xA0 – Results in tag not responding anymore while in reader field, until SELECT command is issued, with that tag’s SN Card Operation Codes (not completely implemented, as of 09/14/2014) Two Step Mutual Authentication Procedure • The following commands have yet to be completely implemented, but structure is present in code project and parity bits already correctly calculated for each command. – UPDATE (0xA0) – This command is for writing a single block of tag memory – PAGESEL (0x24) – This command is for changing book or page being read from – READCHECK (0x28 or 0xB8) – This command is first command in authentication procedure – CHECK (0xA5) – This command is second command in authentication procedure, results in tag authentication the reader and tag replying with 32 bit response for reader to check – UPDATE_SECURED (0x27) – This command is for writing a single block of tag memory, after mutual authentication procedure is completed and successful. TO DO: (as of 09/15/2014) • Implement CRC generator and checker for 0x8408, with start value of 0xE012 (reversed) • Implement UPDATE command – For writing data to tag • Implement READCHECK command – For starting the AUTH procedure • Other commands left to do (CHECK, UPDATE_SECURED) will require working with INSIDE to make sure keys, etc. are known beforehand to be successful • Investigate the ISO14443B operations of these cards. 21