SCM SCL3711, Reference Manual

Page 1: ...SCM Microsystems Reference Manual version 1 3 SCL3711 Multiprotocol contactless mobile reader ...

Page 2: ......

Page 3: ...Reference manual SCL3711 Multiprotocol Contactless mobile Reader SCM Microsystems Oskar Messter Strasse 13 85737 Ismaning Germany Phone 49 89 9595 5000 Fax 49 89 9595 5555 ...

Page 4: ...management 18 03 2009 1 2 Final review for release 01 04 2009 1 3 Update added examples of APDU sequences for a few commands corrected a few typos Contact information http www scmmicro com products services smart card readers terminals contactless dual interface readers html For sales information please email sales scmmicro com ...

Page 5: ...s 13 3 5 Contactless communication principles and SCL3711 usage recommendations 14 3 5 1 Power supply 14 3 5 2 Data exchange 14 3 5 3 Recommendations 15 3 6 Applications 16 3 6 1 General 16 3 6 2 Applications provided by SCM Microsystems 16 4 SCL3711 characteristics 17 4 1 SCL3711 high level architecture 17 4 1 1 Block diagram 17 4 1 2 Software architecture 17 4 2 Quick reference data 18 4 2 1 SCL...

Page 6: ...7 STORAGE_CARD_CMDS_VALUE_BLOCK 37 6 3 Set of APDU for ISO IEC 14443 4 user tokens 38 6 3 1 T CL Command 38 6 4 Set of APDU defined by SCM Microsystems 39 6 4 1 Commands for communicating with NFC Forum Tags Type 1 tags 39 6 4 2 Commands for communicating with NFC Forum Tags Type 2 45 6 4 3 Commands for communication with NFC Forum Tags Type 3 45 6 4 4 Commands for communicating with NFC Forum Tag...

Page 7: ...edback to support scmmicro com 1 2 Licenses If the document contains source code examples they are provided for illustrative purposes only and subject to the following restrictions You MAY at your own risk use or modify the source code provided in the document in applications you may develop You MAY distribute those applications ONLY in form of compiled applications You MAY NOT copy or distribute ...

Page 8: ...d supported commands available for developers using SCL3711 in their applications 2 2 Target audience This document describes the technical implementation of SCL3711 The manual targets software developers It assumes knowledge about 13 56 MHz contactless technologies like ISO IEC 14443 and commonly used engineering terms Should you have questions you may send them to support scmmicro com 2 3 Produc...

Page 9: ...e Address NDEF NFC Data Exchange Format data structure defined by the NFC Forum for NFC Forum tags NFC Near Field Communication Nibble Group of 4 bits 1 digit of the hexadecimal representation of a byte Example 0xA3 is represented in binary as 10100011 b The least significant nibble is 0x3 or 0011 b and the most significant nibble is 0xA or 1010 b P2P Peer to Peer PCD Proximity Coupling Device PC ...

Page 10: ...nge between systems Near Field Communication Interface and Protocol NFCIP 1 ISO IEC 18092 2004 E ISO IEC NFC Forum tag type 1 NFCForum TS Type 1 Tag_1 0 NFC Forum NFC Forum tag type 2 NFCForum TS Type 2 Tag_1 0 NFC Forum NFC Forum tag type 3 NFCForum TS Type 3 Tag_1 0 NFC Forum NFC Forum tag type 4 NFCForum TS Type 4 Tag_1 0 NFC Forum PC SC Interoperability Specification for ICCs and Personal Comp...

Page 11: ...igit Bytes are represented by upper case B where followed by a numbering digit Example 163 in decimal is represented in hexadecimal as 0xA3 in binary as 10100011 b The least significant nibble of 0xA3 is 0x3 in hexadecimal 0011 b in binary The most significant nibble of xA3 is 0xA in hexadecimal 1010 b in binary ...

Page 12: ... it to be used in a wide range of applications such as payment loyalty and ID schemes or to enable devices with NFC connectivity As a latest generation product SCL3711 can be supported by SCM s middleware that resides above the PC SC API and offers better portability of applications and abstraction of smart card related details that need to be handled by applications developed on top of the PC SC ...

Page 13: ...SCL3711 905108 Contactless SDK 905124 3 4 SCL3711 customization options Upon request SCM can customize The color of the casing The logo The product label The USB strings Terms and conditions apply please contact your local SCM representative or send an email to sales scmmicro com ...

Page 14: ...e magnetic flux going through the antenna of the user token 3 5 2 Data exchange The carrier frequency of the magnetic field is used as a fundamental clock signal for the communication between the reader and the card It is also use as a fundamental clock input for the integrated circuit microprocessor to function To send data to the user token the reader modulates the amplitude of the field There a...

Page 15: ...s reason SCM Microsystems has implemented in its driver the support for 1 slot only It is recommended to present only one user credential at a time in front of SCL3711 The communication between the reader and the user token is sensitive to the geometry of the system reader user token Parameters like the geometry and specially the relative size of the reader and user token antennas directly influen...

Page 16: ... on the host 3 6 2 Applications provided by SCM Microsystems SCM Microsystems does not provide payment or transport applications SCM Microsystems provides a few applications for development and evaluation purposes that can function with SCL3711 They are available within the software development kit There are many tools provided but the two main ones are The NFC forum tag reader writer is a standal...

Page 17: ... antenna to function properly 4 1 2 Software architecture Applications can interface with the driver directly through the PC SC interface or through the SCM proprietary interface to the NFC wrapper The NFC wrapper simplifies the usage of the different NFC Forum tags with the SCL3711 and other SCM contactless readers It provides a unique API to application developers which enables them to read and ...

Page 18: ...ndication GREEN After plug in no driver loaded OFF Driver successfully loaded ON User token arriving in the field One blink User token removed from the field ON no specific visual indication Suspend hibernate shutdown state OFF SCL3711 disabled OFF 4 2 3 Other data Parameter Value Description DC characteristics Low bus powered SCL3711 draws power from USB bus Voltage 5V Max Current 100mA Suspend c...

Page 19: ...ype 2 through PC SC defined APDUs NFC forum tag type 3 through SCM specific APDU NFC forum tag type 4 through PC SC APDUs ISO IEC 14443 4 PICC type A and type B MIFARE Non Secure FeliCa Maximum baud rate 848 Kbps Multiple PICC in field Not supported Operating temperature range TBC Operating humidity range TBC Storage condition range TBC Certifications USB CE FCC VCCI WEEE RoHS WHQL UL Radio Freque...

Page 20: ...vailable for installing the version of the driver this manual covers To manually install the driver please follow the following steps Extract the content of the ZIP file SCM Microsystems has sent you Plug in the SCL3711 Manually select the location where you extracted the driver to ...

Page 21: ...installed SCL3711 appears in Windows resource manager as SCL3711 reader NFC device SCL3711 is listed by PC SC applications as SCM Microsystems Inc SCL3711 reader NFC device N Where N 0 if only one SCL3711 is connected but is incremented in case several SCL3711 are connected to the host 5 3 2 Supported operating systems Operating systems supported by the driver Windows 2000 SP4 Windows 2003 Server ...

Page 22: ...SCL3711 in order to determine what type of technology is the user token based on The output buffer is a BYTE with the following meaning Technology Value MIFARE1K 0x01 MIFARE4K 0x02 MIFARE Ultralight 0x03 ISO14443 4A 0x04 FeliCa 0x05 Topaz 0x06 ISO14443 4B 0x07 Once a user credential is selected the driver constructs an ATR from the fixed elements that identify the token Depending on the user techn...

Page 23: ...on 0 0x3B Initial header 1 0x8n T0 n indicates the number of historical bytes in following ATR 2 0x80 TD1 Nibble8 indicates no TA2 TB2 TC2 Nibble 0 means T 0 3 0x01 TD2 Nibble8 indicates no TA3 TB3 TC3 Nibble 1 means T 1 0x80 A status indicator may be present in an optional TLV data object 0x4F Tag Application identifier Lentgh 1 byte RID Registered identifier on 5 bytes 4 3 n PIX Proprietary iden...

Page 24: ...resent 2 historical bytes in following ATR 2 0x80 TD1 Nibble8 indicates no TA2 TB2 TC2 and TD2 present Nibble 0 means T 0 3 0x01 TD2 Nibble8 indicates no TA3 TB3 TC3 Nibble 1 means T 1 4 0x02 Card Mode NFC TAG operating at Passive 106 baud rate 5 0x44 Card Type Card type is Topaz 6 0xXX TCK XOR of all previous bytes Example of the ATR built for a Topaz tag ...

Page 25: ...s no TA2 TB2 TC2 and TD2 present Nibble 0 means T 0 3 0x01 TD2 Nibble8 indicates no TA3 TB3 TC3 Nibble 1 means T 1 4 0x04 Card Mode NFC TAG operating at Passive 212 baud rate 5 0x43 Card Type Card type is Felica 6 0xFD IFS Maximum frame size of felica card 7 14 ID Felica card Identifier 8 bytes 15 0xXX Timeout Write Timeout indicated by card 16 0xXX TCK XOR of all previous bytes Example of the ATR...

Page 26: ...0x80 TD1 Nibble8 indicates no TA2 TB2 TC2 Nibble 0 means T 0 3 0x01 TD2 Nibble8 indicates no TA3 TB3 TC3 Nibble 1 means T 1 4 3 n Historical bytes or application information Type A the historical bytes from the ATS up to 15 bytes Type B 8 bytes Byte 0 through 3 application data from ATQB Byte 4 through 6 protocol info byte from ATQB Byte 7 higest nibble is the MBLI maximum buffer length index from...

Page 27: ...ansport protocol which is proprietary to NXP Semiconductors 5 4 2 Automatic PPS Automatic PPS implemented is implemented SCL3711 will automatically switch the highest baud rate commonly supported by the SCL3711 and the user token The maximum speed supported by SCL3711 is 848Kbps by default ...

Page 28: ...ed to request the full UID or PUPI is sent back For ISO14443A possible lengths are 4 7 or 10 For ISO14443B possible length is 4 bytes PUPI For FeliCa or NFC Forum type 3 tags possible length is 12 bytes of NFCID For NFC Forum type 1 tags possible length is 7 bytes of UID 6 1 1 3 Response Data Out Data SW1 SW2 6 1 1 4 Status Words SW1 SW2 Description 0x90 0x00 NO ERROR 0x62 0x82 WARNING specified L...

Page 29: ...n This command can be used to retrieve the ATS of an ISO IEC14443 4A user token only 6 1 1 6 Format CLA INS P1 P2 Lc 0xFF 0xCA 0x01 0x00 0x00 6 1 1 7 Response Data Out ATS SW1 SW2 6 1 1 8 Status Words SW1 SW2 Description 0x90 0x00 NO ERROR 0x6A 0x81 Command not supported ...

Page 30: ...lue 65535 If Le 0x00 then all the bytes until the end of the file are read within the limit of 256 for a short Le field and 65536 for an extended Le field 6 2 1 3 Response Data Out Data SW1 SW2 6 2 1 4 Status Words SW1 SW2 Description 0x90 0x00 NO ERROR 0x81 WARNING part of the returned data may be corrupted 0x62 0x82 WARNING end of file reached before Le bytes where read 0x67 0x00 Length incorrec...

Page 31: ...3711 REFERENCE MANUAL 31 6 2 1 5 Example For a MIFARE Classic 1K card which has the following memory content To read the seventh block you have to issue the following command and get the following response ...

Page 32: ...re P2 indicate the memory block number where data should be written Lc 0x10 for MIFARE Classic 1K 4K Lc 0x04 for MIFARE Ultralight 6 2 2 3 Response Data Out SW1 SW2 6 2 2 4 Status Words SW1 SW2 Description 0x90 0x00 NO ERROR 0x69 0x81 Command not supported 0x64 0x00 State of the non volatile memory unchanged 6 2 2 5 Example For a MIFARE Classic 1K card which has the following memory content Issuin...

Page 33: ...SCL3711 REFERENCE MANUAL 33 Will have the following effect on the memory content ...

Page 34: ...2 3 2 Format CLA INS P1 P2 Lc Data in 0xFF 0x82 0x00 Key Type Key Length Key value Where P2 can have the following values please refer to MIFARE documentation from NXP for further details on what is key A and Key B 0x60 to use the Key A 0x61 to use the Key B 6 2 3 3 Response Data Out SW1 SW2 6 2 3 4 Status Words SW1 SW2 Description 0x90 0x00 NO ERROR 0x83 Reader key not supported 0x85 Secured tran...

Page 35: ...xFF 0x86 0x00 0x00 0x05 Data Where the data field is structured as follow Byte Value Description B0 0x01 Version B1 Address MSB B2 Address LSB 0x60 Key A B3 0x61 Key B B4 Number of the key to be used for authentication Information about memory structure of MIFARE Classic must be requested from NXP Semiconductors 6 2 4 3 Response Data Out SW1 SW2 6 2 4 4 Status Words SW1 SW2 Description 0x90 0x00 N...

Page 36: ...ARE Classic 1K card which has the following memory mapping Authenticating with Key A against sector 0 would require sending the following sequence of APDU Authenticating with Key A against sector 1 or 2 would require sending the following sequence of APDU ...

Page 37: ...ue Where P1 P2 code the address of the block number addressed Where the data field is structured as follow Byte Value Description 0xC0 Increment B0 0xC1 Decrement B1 Block number B2 B5 Value LSB first 6 2 5 3 Response Data Out SW1 SW2 6 2 5 4 Status Words SW1 SW2 Description 0x90 0x00 NO ERROR 0x67 0x00 Length incorrect 0x68 0x00 CLA byte incorrect 0x6A 0x81 Function not supported 0x6B 0x00 Wrong ...

Page 38: ...on 6 3 1 3 Response Data Out PICC answer SW1 SW2 As defined in ISO IEC 7816 4 6 3 1 4 Status Words SW1 SW2 Description See ISO IEC 7816 4 As defined in ISO IEC 7816 4 6 3 1 5 Example The following APDU sequence reads the first 256 bytes of the data group 1 as specified in ICAO LDS logical data structure for machine readable travel documents with open access It first selects the issuer application ...

Page 39: ...ead Identification RID Read All Blocks 0 Eh RALL Read Byte READ Commands for Dynamic Memory Model Read Segment RSEG Read 8 Bytes READ8 Write No Erase 8 Bytes WRITE NE8 6 4 1 1 Read Identification RID Description This command is used to retrieve the tag s unique identifier Format CLA INS P1 P2 P3 Data 0xFF 0x50 0x00 0x00 0x00 Response Data SW1 SW2 HR0 HR1 UID0 UID1 UID2 UID3 0x90 0x00 ...

Page 40: ...e whole of the static memory blocks 0x0 0xE Format CLA INS P1 P2 P3 Data 0xFF 0x52 0x00 0x00 0x00 Response Data SW1 SW2 HR0 HR1 120 bytes Blocks 0x0 0xE 0x90 0x00 Example For a Topaz based user token that has the following memory content The following APDU sequence can be used to retrieve the identifier and read all the blocks ...

Page 41: ... used for authentication Response Data SW1 SW2 1 byte of data 0x90 0x00 6 4 1 4 Write Erase Byte WRITE E Description This commands erases and then writes the value of an individual memory byte within the static memory model area of blocks 0x0 0xE Format CLA INS P1 P2 P3 Data 0xFF 0x56 0x00 Byte Address 0x01 1 byte of data to be written Where P2 is coded as follow Bit Value Description b0 b2 Byte n...

Page 42: ...NS P1 P2 P3 Data 0xFF 0x58 0x00 Byte Address 0x01 1 byte of data to be written Where P2 is coded as follow Bit Value Description b0 b2 Byte number to be addressed value between 0x0 and 0x7 b3 b6 Block number value between 0x0 and 0xE b7 0 b Number of the key to be used for authentication Response Data SW1 SW2 Value of the memory byte after execution 0x90 0x00 Example Sending the following command ...

Page 43: ...is coded as follow Bit Value Description b0 b3 0000 b RFU b4 b7 Segment address value between 0x0 and 0xF Response Data SW1 SW2 128 bytes of data 0x90 0x00 6 4 1 7 Read 8 bytes READ8 Description This command reads out a block of memory Format CLA INS P1 P2 P3 Data 0xFF 0x5C 0x00 Block Address 0x00 P2 Block Address b8 b1 General block 0x00 0xFF Response Data SW1 SW2 8 bytes of data 0x90 0x00 ...

Page 44: ...mory This command does not erase the value of the targeted block before writing the new data Using this command EEPROM bits can be set but not reset Format CLA INS P1 P2 P3 Data 0xFF 0x60 0x00 Block Address 0x08 8 bytes of data to be written Where P2 codes the block address value between 0x00 and 0xFF Response Data SW1 SW2 8 bytes of data 0x90 0x00 Example Sending the following command to an NFC F...

Page 45: ...M Microsystems defined for the following FeliCa non secure commands For further details on FeliCa the reader should contact Sony corporation Some description can also be found in the JIS X 6319 4 Japanese Industry Standard or the ISO18092 standards REQC Request Service Request Response Read Write For further details on processing NFC Forum tag type 3 please refer to NFC Forum tag type 3 specificat...

Page 46: ...ervice version or area version list 2 n 0x90 0x00 6 4 3 3 Request response Description TBC Format CLA INS P1 P2 P3 Data 0xFF 0x44 0x00 0x00 0x00 Response Data SW1 SW2 8 bytes IDm Mode 0x90 0x00 6 4 3 4 Read Description TBC Format CLA INS P1 P2 P3 Data 0xFF 0x46 Number of services Number of blocks 2 P1 P2 Service Code List Block List Response Data SW1 SW2 8 bytes IDm Status Flag 1 Status Flag 2 No ...

Page 47: ...TBC Format CLA INS P1 P2 P3 Data 0xFF 0x4A 0x00 0x00 0x00 Response Data SW1 SW2 8 bytes IDm No of System Codes n System Code List 2n 0x90 0x00 6 4 4 Commands for communicating with NFC Forum Tags Type 4 To interact with NFC Forum tag type 4 tags ISO IEC 7816 4 defined APDU are used and sent through SCL3711 using the T CL command described earlier in this manual The reader can find in NFC Forum tag...

Page 48: ...ION ERROR 0x65 0x81 STATUS_COMMAND_FAILED 0x65 0x91 STATUS_SECUIRTY_STATUS_NOT_MET 0x68 0x00 CLASS BYTE INCORRECT 0x6A 0x81 FUNCTION NOT SUPPORTED 0x6B 0x00 WRONG PARAMETER P1 P2 7 1 2 Further information about PC SC The PC SC specifications can be downloaded from the PC SC workgroup web site www pcscworkgroup com Further information on the Microsoft resource manager API can be found online on htt...

Page 49: ...SCL3711 REFERENCE MANUAL 49 7 2 Annex B Mechanical drawings ...