5001.TRF79xxA Operations with PicoPass 32K(S) transponders

Download Report

Transcript 5001.TRF79xxA Operations with PicoPass 32K(S) transponders 

PicoPass 32K(S)
Card Operations
with the TRF79xxA
Texas Instruments
S2 MCU NFC/RFID Apps/Systems Team
Training Module #6
09/14/2014
Agenda
• Background
• TRF79xxA Register Configurations
• Card Specific Details
– Parity Handling on Command Opcodes
– CRC16 handling
– Command opcodes implementation details inside of code project
– Next steps (to do list, as of 09/14/2014)
• MSP430G2553 LaunchPad code example using the TRF7970A BoosterPack (DLP-7970ABP)
Background
• Customer is using TRF79xxA for their reader/writer and is looking at using
the PicoPass 32K(S) based card/tag devices from Inside Secure.
• These cards are have the following characteristics:
– Carrier frequency: 13.56MHz +/- 7kHz
– Data rate :
• 26kbps (ISO15693-2)
• 106 or 424kbps (ISO14443B-2 and ISO14443B-3)
– Data coding : User can configure :
• ISO15693-2 & ISO14443B-2 compliant with protocol auto-detection
– Fast anti-collision :
• Up to 50 chips/s using protocol ISO15693-2, and >100 chips using protocol ISO14443B-2
• Several chips can operate independently in the field.
• While these cards are not fully ISO15693 or ISO14443B compliant, they do
use the same air interface, so several customers have requested TI to have
a look at seeing how they might be used with the TRF79xxA devices.
• This training and code example is a response to those requests.
TRF79xx Configuration for PicoPass
ISO15693-like operation
•
Write Control Registers to set up TRF79xx for PicoPass card for ISO15693-2 (air interface) and Inside Secure 32K(S)
commands
•
Chip Status Control Register (0x00)
• Value  0x21 or 0x20
– 0x21 = TX on, full power out, +5VDC operation (~200mW)
» Hardware = TRF79x0AEVM, TRF79x0ATB
– 0x20 = TX on, full power out, +3.3VDC operation (~80mW)
» Hardware = DLP-7970ABP (BoosterPack)
– ISO Control Register (0x01)
• Value  0x86
– No RX CRC, ISO15693 high tag bit rate, FSK, 1 of 4 data coding
– Modulator/SYS_CLK Control Register (0x09)
• Value  0xX0
– Modulation Depth = 10%, X = your desired SYS_CLK output
NOTE: TRF79x0AEVM MSP430F2370 uses SYS_CLK, whereas systems using TRF79x0ATB or DLP-7970A do not
normally use it as the DCO is utilized (i.e. MSP-EXP430F5529, MSP-EXP430F5529LP, MSP-EXP430G2 LaunchPad)
– Interrupt Mask Register (0x0D)
• Value  0x3F
– Enables no-response interrupt for when card is not present
– Interrupt Mask Register (0x14)
• Value  0x03
– Sets TRF7970A TX FIFO water level IRQ for 32 bytes
TRF7970A Register
Configuration Example (in CCS)
• In the CCS project properties, under Build,
Advanced Options, Predefined Symbols, the
Pre-Define NAME of ENABLEPICOPASS was
added.
• This technique allows us to “objectify” the
support of the protocol throughout the code
project, starting with main.c (see below)
• In this way, a user can comment in/out three
lines of code per protocol, then build their
project to support what only what is needed,
while still having multiple protocols at their
disposal in the main MSP430G2553 codebase.
5
TRF7970A Register
Configuration Example (in CCS)
• In trf7970.c file, #ifdef statement for PicoPass was inserted to accommodate configuring the
TRF7970A correctly.
• This configuration is sent to TRF7970A when PicoPass_ACS function is called from main.c and
executed in picopass.c file (first line of code), passing the 0x86 value into trf7970.c write ISO Control
function shown above.
6
CRC Details
• These cards use same CRC polynomial equation that is seen in ISO15693-3,
but use a different CRC start value than what is seen with compliant
ISO15693-3 devices.
16
12
5
– Polynomial is 0x8408  x  x  x  1
– Start (Preset) Value is  0xE012
– Direction  Backwards
• This means that ISO15693-like CRC engine needs to be in firmware now for
these cards, but with the different preset value and it need to be sent out
accordingly with some of the commands, as TRF79xx has ISO15693-3
compliant CRC generator built in (and will not be needed for these cards)
• CRC is not calculated on the command byte, just the data being sent.
– For Example 
• Read Operation on Block 1, send CRC with the packet of 0xFA22 (example later)
• CRC for ISO14443B style operations follows exactly the ISO14443-3 (for
Type B) standard CRC.
Parity Bit Handling for PicoPass Command Opcodes
• For the command opcodes, the PicoPass cards use 1 byte format.
• B7 is the parity bit of the byte and is calculated bitwise over B0:B6
using XOR
OPCODE (1 byte)
B7
B6
B5
B4
P
M1
M0
K
B3
B2
B1
B0
Instruction
• For example:
– Command is ACTALL (0xA = 10102)
– K = 0 (should be 0 for all commands other than READCHECK)
– M0 = 1 (ISO15693-2 FSK coding)
– M1 = 0
B7
– Parity calculated by XOR’ing B0:B6 to find B7 value
1
– Resulting Byte is: 0xAA = 101010102
OPCODE (for ACTALL)
B6
B5
B4
B3
B2
B1
B0
0
1
0
1
0
1
0
XOR these bits to get B7 (parity bit)
Command Opcodes Used
• The following PicoPass commands were used with the sample cards in ISO15693-2
mode:
– ACS (three step process)
• ACTALL  0xAA, response is SOF
– TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAA
– Expected response (if tag is present) is SOF, otherwise no response interrupt will occur
IMPORTANT NOTE: The IRQ Status register (if tag is present) will send back a 0x44, meaning that RX is
complete and a framing error was detected (because only an SOF is coming back from tag). The Direct
Command 0x96 (Stop Decoders) has to be sent after servicing the interrupt and getting the 0x44 in order for the
ISR to handle this response correctly. Another technique might be to use B0 in the Special Functions Register
(0x11) to trigger the direct command being sent, but this has not been attempted at this time (09/13/2014)
• IDENTIFY  0xAC, response is ASNB + CRC
– TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAC
– Expected response: ASNB = 0x58, 0xB7, 0x6B, 0xE0, 0x00, 0x40, 0x02, 0x1C plus CRC = 0xAC, 0x98
(for this card’s ASNB)
• SELECT  0x21 + ASNB, expected response is SN + CRC
– TRF Command String: 0x8F, 0x90, 0x3D, 0x00, 0x90, 0x21, ASNB (for the card being used)
– Expected response: SN (Contents of Block 0, Chip UID) = E0120007035DBAC0, plus CRC = 0xE01B
(for this card’s SN)
• ACS must be performed before other commands are sent to the PicoPass 32K(S)
ACS Function
• ACS function was implemented in picopass.c file with the three
functions (described in the next slides) being called.
10
ACTALL Function
(Step 1 of ACS process)
• Declaration of the ACTALL
function, located in picopass.c file
• To reiterate, in the ISR, a #ifdef
ENABLEPICOPASS statement
was used to handle the 0x44 IRQ
status which occurs because all
that comes back from the tag in
reply to this being sent out over
the air is an ISO15693 SOF.
• This #ifdef ENABLEPICOPASS
statement is in trf7970.c file, ISR
section, starting at line 215.
11
IDENTIFY Function
(Step 2 of ACS process)
• Declaration of the IDENTIFY
function, located in picopass.c file
• This is the second step in the
ACS process and returns the
Anti-Collision Serial Number
(ASNB) plus CRC of the ASNB.
• To the right is a snippet from the
entire function, which is showing
the command string the MSP430
sends to the TRF7970A.
• The TRF7970A will send out the
0xAC byte over the air to the tag
12
SELECT Function
(Step 3 of ACS process)
•
Declaration of the SELECT function,
located in picopass.c file
•
This is the third step in the ACS
process and returns the Serial Number
(SN) plus CRC of the SN.
•
To the right is a snippet from the entire
function, which is showing the
command string the MSP430 sends to
the TRF7970A.
•
The TRF7970A will send out the 0x21
+ ASNB bytes over the air to the tag.
•
The ASNB received is put in a buffer
for use by this command, so any tag
presented will be selected.
•
Next step is to implement CRC
checking.
–
In this case, for development purposes,
an external CRC calculator tool was
used to verify that CRC received was
correct.
13
Card Operation Codes
•
After ACS procedure, the card is in the “selected” state and other commands are now possible to issue to the tag.
•
For example, detecting a tag in EAS mode, retrieving a single block of data, reading four blocks of data at once, writing
data to the tag in unsecured and secured manners, reading the tag in a secure manner and halting the tag are things
now possible.
•
These commands are defined in picopass.h for implementation as declared functions in picopass.c
–
NOTE: shell structures are present in picopass.c file, with the parity calculated correctly for the commands commented out below for
easier implementation later.
14
Card Operation Functions
• Other functions implemented and described in the rest of the slides were implemented in picopass.c
file, in the ACS function call, to demonstrate them working inside the loop.
15
Card Operation Codes
(Implemented as of 09/14/2014)
– DETECT (0xAF)
– For example: TRF79xx command string for detecting a tag (in EAS mode)
» 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xAF
– Response will be tag Serial Number (SN) + CRC
Card Operation Codes
(Implemented as of 09/14/2014)
– READ (0xAC + Block Address + CRC)
– For example: TRF79xx command string for reading block 1 on tag that has been through
ACS command procedure.
» 0x8F, 0x90, 0x3D, 0x00, 0x40, 0xAC, 0x01, 0xFA, 0x22
– Response will be contents of Block 1 (8 bytes of block data)
» 0xC1, 0xBA, 0x5D, 0x03, 0x01, 0x00, 0x7F, 0xA0
» Needs to be rotated for display as this is LSByte first format (expected)
» Results in 0xA07F0001035DBAC1
» CRC is 0xEC46, also needs to be rotated for display to 0x46EC
Card Operation Codes
(Implemented as of 09/14/2014)
– READ4 (0xA6 + Starting Block Address + CRC)
– For example: TRF79xx command string for reading blocks 3 through 6 on tag that has
been through ACS command procedure
» 0x8F, 0x90, 0x3D, 0x00, 0x40, 0xA6, 0x03, 0xE8, 0x01
– Response will be contents of Blocks 3 through 6 (32 bytes of block data + CRC)
Card Operation Codes
(Implemented as of 09/14/2014)
– ACT (0x2E + Starting Block Address + CRC)
– For example: TRF79xx command string for reading blocks 3 through 6 on tag that has
been through ACS command procedure
– 0x8F, 0x90, 0x3D, 0x00, 0x10, 0x2E
– Response will be SOF (just like ACTALL, so decoders need to be turned off in same way)
– HALT (0xA0)
– For example: TRF79xx command string for reading blocks 3 through 6 on tag that has
been through ACS command procedure
– 0x8F, 0x90, 0x3D, 0x00, 0x10, 0xA0
– Results in tag not responding anymore while in reader field, until SELECT command is
issued, with that tag’s SN
Card Operation Codes
(not completely implemented, as of 09/14/2014)
Two Step Mutual
Authentication Procedure
• The following commands have yet to be completely implemented, but structure is present
in code project and parity bits already correctly calculated for each command.
– UPDATE (0xA0)
– This command is for writing a single block of tag memory
– PAGESEL (0x24)
– This command is for changing book or page being read from
– READCHECK (0x28 or 0xB8)
– This command is first command in authentication procedure
– CHECK (0xA5)
– This command is second command in authentication procedure, results in tag
authentication the reader and tag replying with 32 bit response for reader to check
– UPDATE_SECURED (0x27)
– This command is for writing a single block of tag memory, after mutual authentication
procedure is completed and successful.
TO DO: (as of 09/15/2014)
• Implement CRC generator and checker for 0x8408, with start value of 0xE012
(reversed)
• Implement UPDATE command
– For writing data to tag
• Implement READCHECK command
– For starting the AUTH procedure
• Other commands left to do (CHECK, UPDATE_SECURED) will require working
with INSIDE to make sure keys, etc. are known beforehand to be successful
• Investigate the ISO14443B operations of these cards.
21