FEATURES

- Contactless transmission of data and supply energy; no battery is needed
- Operating distance: up to 100 mm (depending on the inlay antenna and reader)
- RF interface: ISO/IEC 14443A compliant
- Operating frequency: 13.56 MHz
- Data transfer rate: 106 kbit/s
- Data integrity: 16-bit CRC, parity, bit coding, bit counting
- True anti-collision
- 1-kbyte EEPROM organized in 16 sectors with 4 blocks of 16 bytes each
- Data retention: 5 years
- Write endurance: 10 000 cycles
- User-definable access conditions for each memory block
- Mutual three-pass authentication, ISO/IEC DIS 9798-2 compliant
- Adaptable to different applications, such as public transportation, event ticketing, access control, gaming & identity
- Typical ticketing transaction: < 100 ms

DESCRIPTION

The contactless read/write transponder IC is intended for a contactless smart card according to ISO/IEC 14443 Type A. The IC adopts advanced manufacturing technology. There is a high-speed CMOS EEPROM inside the chip. The IC is used in applications such as public transport ticketing, for which major cities have adopted e-ticketing as their solution.

The anti-collision function enables operation of more than one card in the field simultaneously. The anti-collision algorithm selects each card individually and ensures correct execution of a transaction with the selected card. The anti-collision function can select one card and transact with it without being affected by the other cards in or out of the field.

The IC is designed for simple integration and user convenience and allows complete ticketing transactions to be handled in less than 100 ms, so a card user is not forced to stop at the reader, which ultimately leads to a high throughput at gates and less time for boarding buses. The card may lie in the wallet during the transaction, even with coins in it.
Several security measures, such as mutual challenge and response authentication, data ciphering and message authentication checks, ensure the protection of the system against various attack scenarios. The UID of the IC as a base of key diversification supports the security concept. The 7-byte UID is programmed during fabrication and cannot be modified later, which is actually a very effective anti-clone approach.

ABSOLUTE MAXIMUM RATINGS

Parameter              Symbol  Min  Max  Unit
Operating temperature  T_A     -25  70   °C
Storage temperature    T_STG   -55  125  °C

www.estek.com.cn
ELECTRICAL CHARACTERISTICS

Parameter                    Symbol  Min / Nom / Max     Unit
Operating carrier frequency  F_IN    13.56               MHz
Input capacitance            C_IN    13.3 / 14.7 / 16.1  pF
EEPROM write endurance*      N_WE    10000               cycles
EEPROM data retention time   T_RET   5                   years

*T_A = 25 °C, F = 13.56 MHz.

SYSTEM BLOCK-DIAGRAM

[Figure labels: Reader, Transponder, Power, Data, Coil interface, DCUs, Memory]
Fig. 1. Transponder system.

FUNCTIONAL BLOCKS AND THEIR DESCRIPTION

[Figure labels: Antenna, Digital Control Units (DCUs), Memory (EEPROM)]
Fig. 2. Functional block-diagram.

Security

1. Mutual three-pass authentication (ISO/IEC DIS 9798-2).
2. Ciphered data transfers.
3. Individual set of two keys per sector (per application) to support multiple applications with a key hierarchy.
4. Unique serial number for each device.
Data Integrity

1. 16-bit CRC per block.
2. Parity bit check for each byte.
3. Bit counting check-out.
4. Bit coding to distinguish between "1", "0" or nothing.
5. Channel monitoring (by the protocol sequence and bit rate analysis).

EEPROM

1. Total capacity 1 kbyte.
2. Organized in 16 sectors to support multiple applications.
3. 4 blocks per sector (each block consists of 16 bytes).
4. User-definable access conditions for each memory block.

Transaction sequence

[Figure: flow chart with the steps Request / Wake-up, Anticollision loop (get serial number of the card), Select, Halt, Authentication, Read block, Write block, Increment, Decrement, Restore, Transfer, Halt]
Fig. 3. Typical transaction flow.

Typical transaction times

Identification and select   3 ms + 1 ms or less per each collision
Authentication              2 ms
Read block (16 bytes)       2.0 ms
Write block                 6.0 ms
Increment/decrement         2.5 ms
Transfer                    4.5 ms
Communication signal interface

The data interchange between a proximity coupling device (PCD) and a proximity card is given in ISO 14443-2 Type A.

The communication from the proximity coupling device to the card uses 100 % amplitude shift keying of the RF operating field to create a pause. The pause length from the initial value of the magnetic field strength down to 5 % of that initial value is 2.34 µs. The communication signal interface is realized by Modified Miller Code.

Modified Miller Code bit representation and coding

Sequence X   After a time of (64/f_C) a pause shall occur
Sequence Y   For the full bit duration (128/f_C) no modulation shall occur
Sequence Z   At the beginning of the bit duration a pause shall occur

where f_C is the carrier frequency of 13.56 MHz; the bit duration is 128/f_C (9.44 µs).

The above sequences are used to code the following information:

Logic 1                  Sequence X
Logic 0                  Sequence Y, with the following two exceptions:
                         - if there are two or more contiguous 0s, sequence Z shall be used from the second 0 on;
                         - if the first bit after a start of frame is 0, sequence Z shall be used to represent this and any 0s which follow directly thereafter.
Start of communication   Sequence Z
End of communication     Logic 0 followed by sequence Y
No information           At least two sequences Y

The card communicates to the proximity coupling device via an inductive coupling area, where the carrier frequency is loaded to generate a subcarrier with the frequency f_S = f_C/16 (847 kHz). Switching a load in the card generates the subcarrier. The load modulation amplitude is at least 30/H^(1/2) mV, where H is the value of the magnetic field strength in A/m. One bit duration is equivalent to 8 periods of the subcarrier (2.34 µs). The communication signal interface is realized by Manchester Code.
Manchester Code bit representation and coding

Sequence D   The carrier shall be modulated with the subcarrier for the first half (50%) of the bit duration
Sequence E   The carrier shall be modulated with the subcarrier for the second half (50%) of the bit duration
Sequence F   The carrier is not modulated with the subcarrier for one bit duration

The above sequences are used to code the following information:

Logic 1                  Sequence D
Logic 0                  Sequence E
Start of communication   Sequence D
End of communication     Sequence F
No information           No subcarrier

Each command sent from the proximity coupling device to the card consists of a data bit sequence transmitted LSB first. Each data byte is followed by an odd parity bit. Each data message is followed by a CRC. The generator polynomial used to generate the check bits is X^16 + X^12 + X^5 + 1. The card checks the CRC and parity bits. If the checksum (CRC) or a parity bit is incorrect, the card sends an error message. The proximity coupling device checks the CRC and parity bits too.

Authentication procedure

[Figure: message exchange between PCD and CARD]
Fig. 4. Authentication block diagram.

(A) The CARD sends a random number R_B to the PCD and stores it;
(B) The PCD sends TokenAB to the CARD and stores the random numbers R_A and R_B;
(C) On receipt of the message containing TokenAB, the CARD verifies TokenAB by deciphering the enciphered part and checking the correctness of the distinguishing identifier B and that the random number R_B sent to the PCD in step (A) agrees with the random number contained in TokenAB;
(D) The CARD sends TokenBA to the PCD;
(E) On receipt of the message containing TokenBA, the PCD verifies TokenBA by deciphering the enciphered part and checking that the random number R_B received from the CARD in step (A) agrees with the random number contained in TokenBA and that the random number R_A sent to the CARD in step (B) agrees with the random number contained in TokenBA.
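Steps (A) to (E) as a runnable exchange, added here as an illustration and not taken from the datasheet. The datasheet does not name the cipher, so a 4-round Feistel network over HMAC-SHA256 stands in for it; the 8-byte random numbers, the token layouts (R_A || R_B || B and R_B || R_A), all class and function names and the sample UID are assumptions.

```python
import hashlib, hmac, os

def _f(key, i, half):
    # Round function of the stand-in cipher (an assumption, not the chip's cipher).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:len(half)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encipher(key, block):                   # 4-round Feistel network
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decipher(key, block):                   # same rounds in reverse order
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

class Card:
    def __init__(self, key, ident):
        self.key, self.ident, self.rb = key, ident.ljust(16, b"\0"), None
    def challenge(self):                    # step (A): send R_B and store it
        self.rb = os.urandom(8)
        return self.rb
    def answer(self, token_ab):             # steps (C) and (D)
        pt = decipher(self.key, token_ab)
        ra, rb, ident = pt[:8], pt[8:16], pt[16:]
        expected, self.rb = self.rb, None   # each R_B is accepted once only
        if expected is None or not hmac.compare_digest(rb, expected):
            return None                     # R_B does not match the stored one
        if not hmac.compare_digest(ident, self.ident):
            return None                     # wrong distinguishing identifier B
        return encipher(self.key, rb + ra)  # TokenBA

class Reader:
    def __init__(self, key):
        self.key = key
    def token_ab(self, rb, card_ident):     # step (B): store R_A and R_B
        self.ra, self.rb = os.urandom(8), rb
        return encipher(self.key, self.ra + rb + card_ident.ljust(16, b"\0"))
    def verify(self, token_ba):             # step (E): check R_B and R_A
        return token_ba is not None and hmac.compare_digest(
            decipher(self.key, token_ba), self.rb + self.ra)

def mutual_auth(card_key, reader_key, uid=bytes.fromhex("04112233445566")):
    # uid is a constructed sample value used as distinguishing identifier B.
    card, reader = Card(card_key, uid), Reader(reader_key)
    token_ba = card.answer(reader.token_ab(card.challenge(), uid))
    return token_ba is not None, reader.verify(token_ba)
```

`mutual_auth` returns the pair (card accepted the PCD, PCD accepted the card); both are true only when the two sides hold the same key.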
Memory organization and access conditions

The 1024x8 bit EEPROM memory is organized in 16 sectors with 4 blocks of 16 bytes each.

[Figure labels: Sector trailer]
Fig. 5. EEPROM memory organization.

Sector trailer

Byte   0 to 5   6 to 9              10 to 15
       Key A    Access conditions   Key B (optional)

Access conditions format

Byte   Bit 7    Bit 6    Bit 5    Bit 4    Bit 3    Bit 2    Bit 1    Bit 0
6      A2B3_b   A2B2_b   A2B1_b   A2B0_b   A1B3_b   A1B2_b   A1B1_b   A1B0_b
7      A1B3     A1B2     A1B1     A1B0     A3B3_b   A3B2_b   A3B1_b   A3B0_b
8      A3B3     A3B2     A3B1     A3B0     A2B3     A2B2     A2B1     A2B0
9      BX7      BX6      BX5      BX4      BX3      BX2      BX1      BX0

where _b means inversion, e.g. A1B0_b = inv(A1B0).
The access conditions for the data blocks are defined in the sector trailers. According to these conditions the data can be read, written, incremented, decremented, transferred or restored either with Key A, with Key B, or never. A1Bn to A3Bn (where n is the block number), which are stored twice for safety reasons, define the access condition independently for each of the sector's four blocks. The last byte of the access conditions (R7-R0) may be used to store some specific application data (e.g. location of the write backup block).

Access conditions for data blocks (n = 0 to 2)

A3Bn  A2Bn  A1Bn   Read   Write  Increment  Decrement, transfer, restore
0     0     0      A|B    A|B    A|B        A|B
0     0     1      A|B    B      never      never
0     1     0      A|B    never  never      never
0     1     1      A|B    B      B          A|B
1     0     0      A|B    never  never      A|B
1     0     1      B      never  never      never
1     1     0      B      B      never      never
1     1     1      never  never  never      never

A|B is the access by Key A or B, B is the access by Key B only. If Key B for the sector in consideration can be read, no further memory access is possible after Key B authentication.

Access conditions for a sector trailer (n = 3)

                     Key A          Access conditions   Key B
A3B3  A2B3  A1B3     Read   Write   Read   Write        Read   Write
0     0     0        never  A       A      never        A      A
0     0     1        never  B       A|B    never        never  B
0     1     0        never  never   A      never        A      never
0     1     1        never  never   A|B    never        never  never
1     0     0        never  A       A      A            A      A
1     0     1        never  never   A|B    B            never  never
1     1     0        never  B       A|B    B            never  B
1     1     1        never  never   A|B    never        never  never

A|B is the access by Key A or B, B is the access by Key B only. If Key B for the sector in consideration can be read, no further memory access is possible after Key B authentication.

The first memory block contains manufacturer data (serial number, etc.). It is a read-only block.

Two types of data block are used in the IC:
1) read/write blocks. They are used to read and write general 16 bytes of data;
2) value blocks. They are used for electronic purse functions (read, increment, decrement, transfer and restore). The maximum size of a value is 4 bytes. The format for negative values is standard 2's complement. To provide an error detection and correction capability, any value is stored 3 times in one value block. The remaining 4 bytes are reserved to some extent for check bits:
Value blocks format:

Byte   15     14     13     12     11 to 8   7 to 4   3 to 0
       addr   addr   addr   addr   value     value    value

Value = signed integer (negative values are stored in 2's complement format).

The value block is first produced by the Write command. After that it can be used by the Decrement/Increment/Restore commands. A calculation result is temporarily stored in a data register. It can be written back to the value block by the TRANSFER command.

Manufacturer block (Block 0)

Bytes 0 to 15, in order: Serial number, CB0, CB1, Manufacturer data

where CB0 and CB1 are check bytes for the serial number;
CB0 = 0x88 XOR byte 0 XOR byte 1 XOR byte 2;
CB1 = byte 3 XOR byte 4 XOR byte 5 XOR byte 6.

ID options

The IC provides its user with the following ID options:
1) 7-byte UID (in compliance with ISO/IEC 14443-3);
2) 7-byte UID (in compliance with ISO/IEC 14443-3) with optional transition between states;
3) Random 4-byte ID (in compliance with ISO/IEC 14443-3);
4) Non-unique 4-byte ID (in compliance with ISO/IEC 14443-3).

The user selects the ID option by sending the IC the Select ID option command. On receipt of this command the IC programs the selected option into its non-volatile memory. The ID option can only be selected once: the IC will reject further Select ID option commands once an ID option has been selected.

Memory access

Prior to any memory operation the card is selected and authenticated as described above. The possible memory operations for an addressed block depend on the key used and the access conditions stored in the associated sector trailer.
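A decoder for the access conditions format and the two access-condition tables above, added here as an illustration and not taken from the datasheet. It rejects a sector trailer whose inverted copies disagree and flags sectors where Key B is readable; the function names and the two sample trailers (dummy all-zero keys) are constructed for the example.

```python
# Rows of the data-block table, keyed by (A3Bn, A2Bn, A1Bn):
# (read, write, increment, decrement/transfer/restore)
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 0, 1): ("A|B", "B", "never", "never"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (0, 1, 1): ("A|B", "B", "B", "A|B"),
    (1, 0, 0): ("A|B", "never", "never", "A|B"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 0): ("B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Sector-trailer rows (A3B3, A2B3, A1B3) whose "Key B, Read" column is A.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (1, 0, 0)}
OPS = ("read", "write", "increment", "decrement_transfer_restore")

def decode_access(trailer):
    """Return [(A3Bn, A2Bn, A1Bn) for n = 0..3] from a 16-byte sector trailer."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is one 16-byte block")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    blocks = []
    for n in range(4):
        a1, a1_b = (b7 >> (4 + n)) & 1, (b6 >> n) & 1
        a2, a2_b = (b8 >> n) & 1, (b6 >> (4 + n)) & 1
        a3, a3_b = (b8 >> (4 + n)) & 1, (b7 >> n) & 1
        # Every bit is stored twice, once inverted; the copies must differ.
        if a1 == a1_b or a2 == a2_b or a3 == a3_b:
            raise ValueError(f"block {n}: inverted copy does not match")
        blocks.append((a3, a2, a1))
    return blocks

def audit_trailer(trailer):
    """Map blocks 0..2 to their permissions and flag a readable Key B."""
    blocks = decode_access(trailer)
    report = {n: dict(zip(OPS, DATA_ACCESS[blocks[n]])) for n in range(3)}
    # When Key B can be read it grants no memory access after authentication.
    report["key_b_readable"] = blocks[3] in KEY_B_READABLE
    return report

# Constructed samples: Key A (6 bytes) | bytes 6 to 9 | Key B (6 bytes).
SAMPLE_OPEN = bytes(6) + bytes.fromhex("ff078069") + bytes(6)
SAMPLE_LOCKED = bytes(6) + bytes.fromhex("07887f00") + bytes(6)
```

`audit_trailer(SAMPLE_OPEN)` reports every data block as fully accessible with either key and Key B as readable, while `SAMPLE_LOCKED` restricts data blocks to Key B read/write and makes both keys unreadable.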
Fig. 6. Memory access procedure
STATES

[Figure: state diagram. States: POR, IDLE, READY1, READY2, ACTIVE, AUTHENTICATED, HALT. Transition labels: Request (REQA), Wake-up (WUPA), Anticollision CL1, Select CL1 *, Select CL1 **, Anticollision CL2 **, Select CL2 **, Read 0x00 ***, Halt (HLTA), Authentication, Select ID option, Read, Write, Decrement, Increment, Restore, Transfer]

*   only if ID option Random 4-byte ID or Non-unique 4-byte ID is programmed into the IC.
**  only if ID option 7-byte ID or 7-byte ID with optional transition between states is programmed into the IC.
*** only if ID option 7-byte ID with optional transition between states is programmed into the IC.

Fig. 7. State diagram.

1. POR. In this state the IC prepares its registers for further operation in the field.
2. IDLE. The IC will enter this state and will be able to accept REQA and WUPA commands within 5 ms after being exposed to an unmodulated field (as ISO/IEC 14443-3 requires).
3. READY1. This state is entered as soon as a valid REQA (Request) or WUPA (Wake-up) command has been received and exited when the IC is selected with its ID or the first part of its UID (Cascade Level 1 as specified in ISO/IEC 14443-3). In this state the bit frame anticollision is applied.
4. READY2. This state is entered as soon as a valid Select Cascade Level 1 command has been received and exited when the IC is selected with the second part of its UID (Cascade Level 2 as specified in ISO/IEC 14443-3). In this state the bit frame anticollision is applied.
5. ACTIVE. This state is entered by selecting the IC with its complete ID or UID.
6. AUTHENTICATED. The IC will enter this state on receipt of the Authentication command. After entering this state the IC becomes capable of executing commands requiring memory access within the requested sector.
7. HALT. This state is entered by the HALT command.
COMMAND SET

The Request (REQA) command causes the PCD to look for cards within the operating field. If any cards are present, they respond with their individual tag type. If more than one card is present, the PCD returns the wired OR of all tag types. With the Request (REQA) command only cards which are not set into the HALT mode will respond to this request, or it may be expanded explicitly to all cards in the field with a Wake-up option. The first option is needed to prevent the PCD from selecting one card several times.

If there are one or more cards in the operating field, an anticollision instruction has to be used for choosing one individual card out of the set of cards. This instruction starts an anticollision loop, which at the end supplies the user with a valid 40-bit long serial number from one card in the field.

After a successful Anticollision CL1 command, or in any other case when the user knows exactly the required serial number (or the first 3 bytes of it in the case of a 7-byte UID), the Select CL1 command must be used for establishing communication with one specific card or selecting several cards with the same first 3 bytes of UID. If the 7-byte UID option was programmed into the IC, Anticollision CL2 and Select CL2 should be sent to select the card with its complete UID. The card will respond with ATS (Answer to select) and give its own card type, which is encoded in one byte.

Before access is given to the data stored in the card memory, users have to prove their permission for the requested operations by the Authentication command.

The Read command allows reading complete data blocks from the card (16 bytes). The instruction can only be carried out if a previous authentication instruction has permitted read access to the requested data sector.

The Write command enables the user to write data into the card memory (complete blocks = 16 bytes). The instruction can only be completed if a previous authentication instruction has permitted write access to the requested data sector.

The IC is able to perform the increase and decrease operations by the Increment, Decrement, Transfer and Restore commands.

The Halt command puts the card into the HALT state, i.e. the card is withdrawn from the communication process. It remains in the HALT state until it is reset (e.g. by leaving and re-entering the operating field).
No.  Command            Opcode
1    Request            0x26
2    Wake-up            0x52
3    Anticollision CL1  0x93
4    Anticollision CL2  0x95
5    Select             0x7093
6    Authentication     0x60 (0x61)
7    Read block         0x30
8    Write block        0xA0
9    Restore            0xC2
10   Increment          0xC1
11   Decrement          0xC0
12   Transfer           0xB0
13   Halt               0x50
14   Select ID option   0x40
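How a command from the table goes on the wire under the integrity rules of the communication interface section (LSB first, odd parity per byte, CRC with generator X^16 + X^12 + X^5 + 1), with the receiver-side checks; this is an added example, not code from the datasheet. The CRC preset 0x6363 comes from ISO/IEC 14443-3 Type A and the parameter byte after each opcode is an assumption, since the datasheet gives neither; all function names are made up for the example.

```python
OP_READ_BLOCK, OP_HALT = 0x30, 0x50    # opcodes from the command table

def crc_a(data):
    """CRC with generator X^16 + X^12 + X^5 + 1, bits processed LSB first."""
    crc = 0x6363                       # preset per ISO/IEC 14443-3 Type A (assumption)
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_frame(payload):
    """Bit sequence for payload + CRC: 8 data bits LSB first, then odd parity."""
    body = bytes(payload) + crc_a(payload).to_bytes(2, "little")
    bits = []
    for byte in body:
        data_bits = [(byte >> i) & 1 for i in range(8)]
        bits += data_bits + [1 - sum(data_bits) % 2]
    return bits

def check_frame(bits):
    """Receiver side: check the parity of every byte, then the CRC; return the payload."""
    if len(bits) < 27 or len(bits) % 9:
        raise ValueError("frame length is not a whole number of 9-bit units")
    body = bytearray()
    for i in range(0, len(bits), 9):
        unit = bits[i:i + 9]
        if sum(unit) % 2 != 1:
            raise ValueError(f"parity error in byte {i // 9}")
        body.append(sum(bit << k for k, bit in enumerate(unit[:8])))
    if crc_a(body) != 0:               # CRC over data + CRC leaves a zero remainder
        raise ValueError("CRC error")
    return bytes(body[:-2])

def halt_frame():
    return build_frame(bytes([OP_HALT, 0x00]))         # 0x00 parameter: assumption

def read_frame(block):
    return build_frame(bytes([OP_READ_BLOCK, block]))  # block address byte: assumption
```

A single flipped bit is caught by the parity check of its byte; a flipped data bit together with its parity bit passes parity and is caught by the CRC.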
PAD DIAGRAM

[Figure: pad layout of the die showing pads RF1, RF2, NC1 and NC2, the origin (0:0) and the notch]

Pad name  Coordinates   Size
RF1       (70:115)      90 um x 90 um
RF2       (490:568)     90 um x 90 um
NC1       (107.5:583)   60 um x 60 um
NC2       (505:130)     60 um x 60 um
MECHANICAL SPECIFICATIONS
(the wafers are thinned, scribed, diced and mounted on a frame)

Wafer              Diameter:     200 mm
                   Thickness:    150 µm ± 15 µm
Wafer backside     Material:     Si
                   Treatment:    Grinding and etching
Chip dimensions    Chip size:    0.560 x 0.633 (mm)
                   Scribe lane:  67.0 µm (X)/67.0 µm (Y)
Contact pad size   RF1, RF2:     90 x 90 (µm)
                   NC1, NC2:     60 x 60 (µm)
UV-tape            Material:     plastic (UV light degradable)
                   Thickness:    90 µm ± 10 µm
                   Color:        blue/transparent

FFC

Deviation of the location of the center of a wafer relative to the FFC center is ±5 mm at X and Y.
Angle of wafer-to-frame deviation: ±1.5°
Adhesive film covering of the frame: 5 mm.

The product should be stored in the original package at temperatures within -25 °C to +50 °C for not longer than 6 months from the date of UV exposure.
Fig. 9. FFC.