Rainbow Electronics MAX66040 User Manual

MAX66040

ISO/IEC 14443 Type B-Compliant

Secure Memory

________________________________________________________________

Maxim Integrated Products

1

219-0012; Rev 0; 1/11

For pricing, delivery, and ordering information, please contact Maxim Direct at 1-888-629-4642,
or visit Maxim’s website at www.maxim-ic.com.

ABRIDGED DATA SHEET

General Description

The MAX66040 combines 1024 bits of user EEPROM
with secure hash algorithm (SHA-1) challenge-and­response authentication (ISO/IEC 10118-3 SHA-1), a
64-bit unique identifier (UID), one 64-bit secret, and a

13.56MHz RF interface (ISO/IEC 14443 Type B, Parts 2-

4) in a single chip. The memory is organized as 16
blocks of 8 bytes plus three more blocks, one for the
secret and two for data and control registers. Except for
the secret, each block has a user-readable write-cycle
counter. Four adjacent user EEPROM blocks form a
memory page (pages 0 to 3). The integrated SHA-1
engine provides a message authentication code (MAC)
using data from the EEPROM of the device and the 64­bit secret to guarantee secure, symmetric authentica­tion for both reading and writing to the device. Memory
protection features are write protection and EPROM
emulation, which the user can set for each individual
memory page. Page 3 can also be read-protected for
enhanced authentication strength. Memory access is
accomplished through the block transmission protocol
(ISO/IEC 14443-4), where requests and responses are
exchanged through I-blocks once a device is in the
ACTIVE state. The data rate can be as high as

847.5kbps. The reader must support a frame size of 26
bytes. The device supports an application family identi­fier (AFI) and a card identifier (CID). ISO/IEC 14443
functions not supported are chaining, frame-waiting
time extension, and power indication.

Applications

Driver Identification (Fleet Application)

Access Control

e-Cash

Asset Tracking

Features

♦ Fully Compliant ISO/IEC 14443 (Parts 2-4) Type B

Interface

♦ 13.56MHz ±7kHz Carrier Frequency

♦ 1024-Bit Secure User EEPROM with Block Lock

Feature, Write-Cycle Counter, and Optional
EPROM-Emulation Mode

♦ 64-Bit UID

♦ 512-Bit SHA-1 Engine to Compute 160-Bit MAC

and to Generate Secrets

♦ Mutual Authentication: Data Read from Device is

Verified and Authenticated by the Host with
Knowledge of the 64-Bit Secret

♦ Read and Write (64-Bit Block)

♦ Supports AFI and CID Function

♦ 10ms Maximum Programming Time

♦ Write: 10% ASK Modulation at 105.9kbps,

211.9kbps, 423.75kbps, or 847.5kbps

♦ Read: Load Modulation Using BPSK Modulated

Subcarrier at 105.9kbps, 211.9kbps, 423.75kbps,
or 847.5kbps

♦ 200,000 Write/Erase Cycles (Minimum)

♦ 40-Year Data Retention (Minimum)

Typical Operating Circuit

EVALUATION KIT

AVAILABLE

Ordering Information

+

Denotes a lead(Pb)-free/RoHS-compliant package.

PART TEMP RANGE PIN-PACKAGE

MAX66040E-000AA+ -25°C to +50°C ISO Card

MAX66040K-000AA+ -25°C to +50°C Key Fob

Mechanical Drawings appear at end of data sheet.

13.56MHz READER

TRANSMITTER

TX_OUT

RX_IN

MAGNETIC
COUPLING

MAX66040

IC LOAD

SWITCHED

ANTENNA

LOAD

MAX66040

ISO/IEC 14443 Type B-Compliant
Secure Memory

2 _______________________________________________________________________________________

ABRIDGED DATA SHEET

ABSOLUTE MAXIMUM RATINGS

ELECTRICAL CHARACTERISTICS

(TA= -25°C to +50°C.) (Note 1)

Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. These are stress ratings only, and functional
operation of the device at these or any other conditions beyond those indicated in the operational sections of the specifications is not implied. Exposure to
absolute maximum rating conditions for extended periods may affect device reliability.

Note 1: System requirement.
Note 2: Measured from the time at which the incident field is present with strength greater than or equal to H

(MIN)

to the time at
which the MAX66040’s internal power-on reset signal is deasserted and the device is ready to receive a command frame.
Not characterized or production tested; guaranteed by simulation only.

Maximum Incident Magnetic Field Strength ..........141.5dBµA/m

Operating Temperature Range ...........................-25°C to +50°C

Relative Humidity ..............................................(Water Resistant)

Storage Temperature Range ...............................-25°C to +50°C

PARAMETER S YMBOL CONDITIONS MIN TYP MAX UNITS

SHA-1 ENGINE

SHA-1 Computation Time t

EEPROM

Programm ing Time t

Endurance N

Data Retention t

RF INTERFACE

Carrier Frequency f

Operating Magnetic Field Strength
(Note 1)

Power-Up Time t

CSHA

PROG

CYCLE

RET

H

POR

Refer to the full data sheet. ms

9 10 ms

At +25°C 200,000 cycles

40 years

(Note 1) 13.553 13.560 13.567 MHz

C

At +25°C, MAX66040E 110.0 137.5

At +25°C, MAX66040K 123.5 137.5

(Note 2) 1.0 ms

dBμA/m

MAX66040

Detailed Description

The MAX66040 combines 1024 bits of user EEPROM,
128 bits of user and control registers, a 64-bit UID, one
64-bit secret, a 512-bit SHA-1 engine, and a 13.56MHz
RF interface (ISO/IEC 14443 Type B, Parts 2-4) in a sin­gle chip. The memory is organized as 19 blocks of 8
bytes each. Except for the secret, each block has a
user-readable write-cycle counter. Four adjacent user
EEPROM blocks form a memory page (pages 0 to 3).
Memory protection features include write protection
and EPROM emulation, which the user can set for each
individual memory page. Page 3 can also be read pro­tected for enhanced authentication strength. The
MAX66040 is accessed through the ISO/IEC 14443-4
block transmission protocol, where requests and
responses are exchanged through I-blocks once a
device is in the ACTIVE state. The reader must support
a frame size of at least 26 bytes. The data rate can be
as high as 847.5kbps. The MAX66040 supports AFI
and CID. Functions not supported are chaining, frame­waiting time extension, and power indication.
Applications of the MAX66040 include driver identifica­tion (fleet application), access control, electronic cash
(e-cash), and asset tracking.

Overview

Figure 1 shows the relationships between the major
control and memory sections of the MAX66040. The

device has six main data components: 64-bit UID,
64-bit read/write buffer, four 256-bit pages of user
EEPROM, two 8-byte blocks of user and control regis­ters, 64-bit secret’s memory, and a 512-bit SHA-1
engine. Figure 2 shows the hierarchical structure of the
ISO/IEC 14443 Type B-compliant access protocol. The
master must first apply network function commands to
put the MAX66040 into the ACTIVE state before the
memory and control functions become accessible. The
protocol required for these network function commands
is described in the

Network Function Commands

sec­tion. Once the MAX66040 is in the ACTIVE state, the
master can issue any one of the available memory and
control function commands. Upon completion of such a
command, the MAX66040 returns to the ACTIVE state
and the master can issue another memory and control
function command or deselect the device, which
returns it to the HALT state. The protocol for these
memory and control function commands is described in
the

Memory and Control Function Commands

section.
All data is read and written least significant bit (LSb)
first, starting with the least significant byte (LSB).

Parasite Power

As a wireless device, the MAX66040 is not connected
to any power source. It gets the energy for operation
from the surrounding RF field, which needs to have a
minimum strength as specified in the

Electrical

Characteristics

table.

Figure 1. Block Diagram

ISO/IEC 14443 Type B-Compliant

Secure Memory

_______________________________________________________________________________________ 3

ABRIDGED DATA SHEET

RF

FRONT-

END

DATA

f

c

MODULATION

INTERNALSUPPLY

VOLTAGE

REGULATOR

ISO 14443

FRAME

FORMATTING

ERROR

DETECTION

AND

MEMORY AND

FUNCTION

CONTROL

READ/WRITE BUFFER

REGISTER

BLOCK

UID

SHA-1

ENGINE

SECRET

USER

EEPROM

MAX66040

Unique Identification Number (UID)

Each MAX66040 contains a factory-programmed and
locked identification number that is 64 bits long
(Figure 3). The lower 36 bits are the serial number of
the chip. The next 8 bits store the device feature code,
which is 03h. Bits 45 to 48 are 0h. The code in bit loca­tions 49 to 56 identifies the chip manufacturer, accord­ing to ISO/IEC 7816-6/AM1. This code is 2Bh for
Maxim. The code in the upper 8 bits is E0h. The UID is
read accessible through the Get UID and Get System
Information commands. The lower 32 bits of the UID are
transmitted in the PUPI field of the ATQB response to
the REQB, WUPB, or SLOT-MARKER command. By
default, the upper 32 bits of the UID are factory pro­grammed into the application data field, which is trans­mitted as part of the ATQB response. This way the
master receives the complete UID in the first response

from the slave. See the

Network Function Commands

section for details.

Detailed Memory Description

ISO/IEC 14443 Type B-Compliant
Secure Memory

4 _______________________________________________________________________________________

ABRIDGED DATA SHEET

Figure 2. Hierarchical Structure of ISO/IEC 14443 Type B Protocol

MSB LSB

64 57 56 49 48 45 44 37 36 1

E0h 2Bh 0h FEATURE CODE (03h) 36-BIT IC SERIAL NUMBER

Figure 3. 64-Bit UID

Refer to the full data sheet.

Refer to the full data sheet for this information.

MAX66040

COMMAND LEVEL:

NETWORK

FUNCTION COMMANDS

AVAILABLE COMMANDS: DATA FIELD AFFECTED:

REQUEST (REQB)
WAKEUP (WUPB)
SLOT-MARKER
HALT (HLTB)
SELECT (ATTRIB)
DESELECT (DESELECT)

AFI, ADMINISTRATIVE DATA
AFI, ADMINISTRATIVE DATA
(ADMINISTRATIVE DATA)
PUPI
PUPI, ADMINISTRATIVE DATA
(ADMINISTRATIVE DATA)

MEMORY AND CONTROL

FUNCTION COMMANDS

GET SYSTEM INFORMATION 64-BIT UID, AFI, CONSTANTS

GET UID 64-BIT UID

MAX66040

ISO/IEC 14443 Type B-Compliant

Secure Memory

_______________________________________________________________________________________ 7

ISO/IEC 14443 Type B

Communication Concept

The communication between the master and the
MAX66040 (slave) is based on the exchange of data
packets. The master initiates every transaction; only
one side (master or slaves) transmits information at any
time. Data packets are composed of characters, which
always begin with a START bit and typically end with

one or more STOP bits (Figure 5). The least significant
data bit is transmitted first. Data characters have 8 bits.
Each data packet begins with a start-of-frame (SOF)
character and ends with an end-of-frame (EOF) charac­ter. The EOF/SOF characters have 9 all-zero data bits
(Figure 6). The SOF has 2 STOP bits, after which data
characters are transmitted. A data packet with at least
3 bytes between SOF and EOF is called a frame
(Figure 7). The last two data characters of an

START

1
0

BIT 1

BIT 2 BIT 3 BIT 4 BIT 5 BIT 6 BIT 7 BIT 8

LSB MSB

STOP

Figure 5. ISO/IEC 14443 Data Character Format

ABRIDGED DATA SHEET

ISO/IEC 14443 Type B frame are an inverted 16-bit
CRC of the preceding data characters generated
according to the CRC-16-CCITT polynomial. This CRC
is transmitted with the LSB first. For more details on the
CRC-16-CCITT, refer to ISO/IEC 14443-3, Annex B.
With network function commands, the command code,
parameters, and response are embedded between
SOF and CRC. With memory function commands, com­mand code, and parameters are placed into the infor­mation field of I-blocks (see the

Block Types

section),

which in turn are embedded between SOF and EOF.

For transmission, the frame information is modulated on
a carrier frequency, which in the case of ISO/IEC 14443
is 13.56MHz. The subsequent paragraphs are a con­cise description of the required modulation and coding.
For full details including SOF/EOF and subcarrier on/off
timing, refer to ISO/IEC 14443-3, Sections 7.1 and 7.2.

The path from master to slave uses amplitude modula-
tion with a modulation index between 8% and 14%
(Figure 8). In this direction, a START bit and logic 0 bit
correspond to a modulated carrier; STOP bit and
logic 1 bit correspond to the unmodulated carrier. EOF
ends with an unmodulated carrier instead of STOP bits.

MAX66040

ISO/IEC 14443 Type B-Compliant
Secure Memory

8 _______________________________________________________________________________________

ABRIDGED DATA SHEET

START

1
0

BIT 1 BIT 2 BIT 3 BIT 4 BIT 5 BIT 6 BIT 7 BIT 9

STOP/IDLE

BIT 8

Figure 6. ISO/IEC 14443 SOF/EOF Character Format

SOF ONE OR MORE DATA CHARACTERS

CRC (LSB) CRC (MSB) EOF

TIME

Figure 7. ISO/IEC 14443 Frame Format

A

B

CARRIER AMPLITUDE

t

11 1100

MODULATION INDEX M = = 0.08 TO 0.14

A - B
A + B

Figure 8. Downlink: 8% to 14% Amplitude Modulation

The path from slave to master uses an 847.5kHz sub­carrier, which is modulated using binary phase-shift key
(BPSK) modulation. Depending on the data rate, the
transmission of a single bit takes 8, 4, 2 or 1 subcarrier
cycles. The slave generates the subcarrier only when
needed; i.e., starting shortly before an SOF and ending
shortly after an EOF. The standard defines the phase of
the subcarrier before the SOF as 0° reference, which

corresponds to logic 1. The phase of the subcarrier
changes by 180° whenever there is a binary transition
in the character to be transmitted (Figure 9). The first
phase transition represents a change from logic 1 to
logic 0, which coincides with the beginning of the SOF.
The BPSK modulated subcarrier is used to modulate
the load on the device’s antenna (Figure 10).

MAX66040

DATA TO BE TRANSMITTED

INDICATES 180° PHASE CHANGE (POLARITY REVERSAL)

OR

110

847kHz SUBCARRIER

BPSK MODULATION

TRANSMISSION OF A SINGLE BIT

POWER-UP DEFAULT = EIGHT CYCLES OF 847kHz (9.44μs)

CAN BE REDUCED TO FOUR, TWO, OR ONE SUBCARRIER CYCLES FOR COMMUNICATION IN THE ACTIVE STATE.

Figure 9. Uplink: BPSK Modulation of the 847.5kHz Subcarrier

TRANSMISSION OF A SINGLE BIT

SHOWN AS EIGHT CYCLES OF THE 847kHz SUBCARRIER

DATA*

*DEPENDING ON THE INITIAL PHASE, THE DATA POLARITY MAY BE INVERSE.

10 1

Figure 10. Uplink: Load Modulation of the RF Field by the BPSK Modulated Subcarrier

ISO/IEC 14443 Type B-Compliant

Secure Memory

_______________________________________________________________________________________ 9

ABRIDGED DATA SHEET

MAX66040

ISO/IEC 14443 Block

Transmission Protocol

Before the master can send a data packet to access the
memory, the MAX66040 must be in the ACTIVE state.
The protocol to put the MAX66040 into the ACTIVE state
is explained in the

Network Function Commands

sec­tion. While in the ACTIVE state, the communication
between master and MAX66040 follows the block trans­mission protocol as specified in Section 7 of ISO/IEC
14443-4. Such a block (Figure 11) consists of three
parts: the prologue field, the information field, and the
epilogue field. The prologue can contain up to 3 bytes,
called the protocol control byte (PCB), card identifier
(CID), and the node address (NAD). Epilogue is another
name for the 16-bit CRC that precedes the EOF. The
information field is the general location for data.

Block Types

The standard defines three types of blocks: I-block,
R-block, and S-block. Figures 12, 13, and 14 show the
applicable PCB bit assignments.

The I-block is the main tool to access the memory and
to run the SHA-1 engine. For I-blocks, bit 2 must be 1
and bit 6, bit 7, and bit 8 must be 0. Bit 5, marked as
CH, is used to indicate chaining, a function that is not
used or supported by the MAX66040. Therefore, bit 5

must always be 0. Bit 4, marked as CID, is used by the
master to indicate whether the prologue field contains a
CID byte. The MAX66040 processes blocks with and
without CID as defined in the standard. The master
must include the CID byte if bit 4 is 1. Bit 3, marked as
NAD, is used to indicate whether the prologue field
contains an NAD byte, a feature not supported by the
MAX66040. Therefore, bit 3 must always be 0. Bit 1,
marked as #, is the block number field. The block num­ber is used to ensure that the response received relates
to the request sent. This function is important in the
error handling, which is illustrated in Annex B of
ISO/IEC 14443-4. The rules that govern the numbering
and handling of blocks are found in sections 7.5.3 and

7.5.4 of ISO/IEC 14443-4. The MAX66040 ignores
I-blocks that have bit 5 or bit 3 set to 1.

For R-blocks, the states of bit 2, bit 3, and bit 6, bit 7,
and bit 8 are fixed and must be transmitted as shown in
Figure 13. The function of bit 1 (block number) and bit 4
(CID indicator) is the same as for I-blocks. Bit 5,
marked as AN, is used to acknowledge (if transmitted
as 0) or not to acknowledge (if transmitted as 1) the
reception of the last frame for recovery from certain
error conditions. The MAX66040 fully supports the func­tion of the R-block as defined in the standard. For
details and the applicable rules, refer to Sections 7.5.3
and 7.5.4 and Annex B of ISO/IEC 14443-4.

ISO/IEC 14443 Type B-Compliant
Secure Memory

10 ______________________________________________________________________________________

ABRIDGED DATA SHEET

PROLOGUE FIELD INFORMATION FIELD EPILOGUE FIELD

PCB CID NAD (DATA)

CRC

(LSB)

CRC

(MSB)

1 BYTE 1 BYTE 1 BYTE 0 OR MORE BYTES 1 BYTE 1 BYTE

Figure 11. ISO/IEC 14443-4 Type B Block Format

BIT 8 BIT 7 BIT 6 BIT 5 BIT 4 BIT 3 BIT 2 BIT 1

MSB LSB

0 0 0 CH CID NAD 1 #

Figure 12. Bit Assignments for I-Block PCB

BIT 8 BIT 7 BIT 6 BIT 5 BIT 4 BIT 3 BIT 2 BIT 1

MSB LSB

1 0 1 AN CID 0 1 #

Figure 13. Bit Assignments for R-Block PCB