PMA8N9P-BC
02/06/2009
Headquarters, Europa
SpringCard
13 voie la Cardon
Parc Gutenberg
91120 Palaiseau
FRANCE
Phone : +33 (0) 164 53 20 10
Fax : +33 (0) 164 53 20 18
Americas
SpringCard
964 Fifth Avenue
Suite 235
San Diego, CA 92101
USA
Phone : +1 (619) 544 1450
Fax : +1 (619) 573 6867
www.springcard.com
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
P
ROX
'N'R
OLL
RFID S
CANNER
Reference manual
PMA8N9P-BC
2 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
DOCUMENT INFORMATION
Category :
Manual
Keywords :
Group :
Prox'N'Roll RFID Scanner, Reader, Prox'N'Roll, HID, Configuration
Reference :
PMA8N9P
Version :
BC
Abstract :
Status :
Approved
pma8n9p-bc.doc
saved 02/06/09 - printed 02/06/09
REVISION HISTORY
Valid. by
Ver. Date
Author
Tech. Qual.
Approv.
by
Remarks :
BC 02/06/09 LTX LTX LTX ECL Change the default value of General Option (OPT)
BB 13/05/09 LTX LTX LTX ECL Added new keyboard layout
BA 20/02/09 LTX JDA JDA JDA SpringCard branding.
Added reference to “RFID Scanner” family. Common chapters now shared with other
products along the same family.
Added serial mode and reference to CrazyWriter / CSB6.
AA 03/12/08 LTX Initial release, Pro Active branding
PMA8N9P-BC
3 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
TABLE OF CONTENT
1.
INTRODUCTION.................................... 5
1.1. A
UDIENCE
.............................................. 5
1.2. P
RODUCT BRIEF
....................................... 5
1.3. K
EYBOARD EMULATION MODE
....................... 5
1.4. S
ERIAL PORT EMULATION MODE
..................... 6
1.5. R
ELATED DOCUMENTS
................................ 6
1.6. O
THER PRODUCTS IN THE SAME FAMILY
............ 6
2.
CONFIGURATION ATTRIBUTES ............... 7
2.1. P
RINCIPLES
............................................ 7
2.2. G
LOBAL CONFIGURATION ATTRIBUTES
............. 8
2.3. K
EYBOARD EMULATION MODE ATTRIBUTES
.......10
2.4. S
ERIAL EMULATION MODE ATTRIBUTES
............11
2.5. O
THER ATTRIBUTES
..................................12
3.
CARD ACCEPTANCE TEMPLATES ............13
3.1. B
ASIS
.................................................13
3.2. ID-
ONLY ACCEPTANCE TEMPLATES
................16
3.3. M
IFARE CLASSIC ACCEPTANCE TEMPLATE
........21
3.4. M
IFARE ULTRALIGHT ACCEPTANCE TEMPLATE
...26
3.5. D
ESFIRE ACCEPTANCE TEMPLATE
..................28
3.6. ISO 7816-4 A
CCEPTANCE TEMPLATE
............31
3.7. C
ALYPSO ACCEPTANCE TEMPLATE
.................35
4.
SERIAL PROTOCOL AND COMMAND SET .38
4.1. S
ERIAL OUTPUT FORMAT
............................38
4.2. S
ERIAL INPUT
.........................................38
5.
CONFIGURING PROX’N’ROLL RFID
SCANNER ...........................................40
5.1. C
ONNECTING PROX
’N’R
OLL TO A COMPUTER
.... 40
5.2. R
ETRIEVING PROX
’N’R
OLL
RFID S
CANNER
INFORMATION
........................................ 41
5.3. E
NABLING CONFIGURATION COMMANDS
.......... 41
5.4. A
CCESSING PROX
’N’R
OLL CONFIGURATION
..... 41
5.5. A
PPLYING NEW CONFIGURATION
.................. 42
5.6. R
EVERTING TO DEFAULT
............................ 42
6.
CREATING MASTER CARDS USING
SQ844P SOFTWARE ............................ 43
6.1. O
VERVIEW
........................................... 43
6.2. C
ONFIGURATION FILES
............................. 44
6.3. O
PERATION INSTRUCTIONS
........................ 47
6.4. C
HANGING AUTHENTICATION KEY FOR MASTER
C
ARDS
................................................ 47
6.5. R
EVERTING TO DEFAULT
............................ 49
7.
SPECIFICATION OF MASTER CARDS...... 50
7.1. B
UILDING A MASTER CARD
........................ 50
7.2. T
EMPLATE FOR MASTER CARDS
................... 50
7.3. D
ATA STRUCTURE
................................... 52
7.4. D
IGITAL SIGNATURE
................................ 53
8.
SECURITY ALGORITHMS ...................... 54
8.1. HMAC
SIGNATURE AND KEY DIVERSIFICATION
. 54
8.2. D
ESFIRE
SAM / RC171
KEY DIVERSIFICATION
56
PMA8N9P-BC
4 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
PMA8N9P-BC
5 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
1. I
NTRODUCTION
This document provides detailed technical information for use of SpringCard
Prox’N’Roll RFID Scanner.
1.1. A
UDIENCE
This reference manual assumes that the reader has expert knowledge of
computer configuration and usage. It is designed to be used by system
integrators.
1.2. P
RODUCT BRIEF
Prox’N’Roll RFID Scanner is a table-top USB proximity reader. It reads serial
number or data from any standard ISO/IEC 14443 contactless card, including
popular NXP MIFARE and DESFire families, and also ISO/IEC 15693 vicinity tags
used in RFID systems.
Prox’N’Roll RFID Scanner supports to operating modes :
Keyboard emulation mode (default configuration),
Serial port emulation mode.
1.3. K
EYBOARD EMULATION MODE
Configured for keyboard emulation1, Prox’N’Roll RFID Scanner outputs its
data as if there were typed on the computer’s keyboard, just as a bar code
scanner behaves.
This allows a drop-in replacement of legacy bar code scanners (PS/2 or USB
devices) by a state-of-the-art RFID solution.
a. Typical applications
This reader is primarily dedicated to replace a bar code scanner where RFID
labels may be used instead of barcodes : library or book stores, item
management, ….
b. Output configuration
Thanks to the software’s configuration (stored in non-volatile memory), the
same reader is highly customizable on-the-field :
Keyboard layout (QWERTY, AZERTY, QWERTZ),
Keyboard sequences (prefix and postfix) to automate the navigation between
the fields in any existing application.
1
The device complies with the USB “Human Interface Device” (HID) profile, keyboard subclass. With
most operation systems, no specific driver is needed as the device is seen as a standard computer
keyboard.
PMA8N9P-BC
6 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
1.4. S
ERIAL PORT EMULATION MODE
Configured to emulate a serial port2, Prox’N’Roll RFID Scanner outputs its
data in a standard serial communication stream.
This configuration typically allows to replace an RS-232 Magstripe reader by a
state-of-the-art RFID solution. Replacing former RS-232 bar code scanners is
possible too.
a. Typical applications
This reader is primarily dedicated to replace a card reader (Magstripe, 125kHz…)
or a bar code scanner in cashiers, top-up kiosks, vending machines…
b. Output configuration
Thanks to the software’s configuration (stored in non-volatile memory), the
same reader is highly customizable on-the-field :
Output format,
Prefix and postfix sequences.
1.5. R
ELATED DOCUMENTS
You’ll find any details regarding hardware and physical characteristics of each
reader in the corresponding datasheet.
Datasheet Covered products
PFL8P9P Prox'N'Roll RFID Scanner product information sheet
PMU84OP Prox'N'Roll RFID Scanner Quick Start guide
1.6. O
THER PRODUCTS IN THE SAME FAMILY
Prox’N’Roll RFID Scanner firmware is able to run on any other hardware in
the SpringCard CSB6 family.
For instance, the SpringCard CrazyWriter OEM contactless coupler may run
the Prox’N’Roll RFID Scanner firmware, providing same functionality as tabletop Prox’N’Roll, but in a form factor that may be more convenient for custom
integrations.
Due to the wide choice of hardware platforms and the rich portfolio of firmware
to cover virtually any requirement, not every combination can be offered as an
“out of the shelf” product. Hopefully, SpringCard has a strong experience in
offering customized yet flexible products to the integrators. Do not hesitate to
contact us in case you need such a specific offer.
2
The device complies with the USB “Communication Device Class” (CDC) profile. Drivers are
available for most operation systems to have the device activated as a serial communication port.
PMA8N9P-BC
7 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
2. C
ONFIGURATION ATTRIBUTES
There are two families of configuration attributes :
Product specific Global Configuration Attributes,
Card Acceptance Templates.
The Card Acceptance Templates are common to all products in the SpringCard
RFID Scanner family, and are exposed in detail in the next chapter.
In this chapter, we’ll introduce configuration tags and detail the Prox’N’Roll
RFID Scanner’s specific configuration attributes.
2.1. P
RINCIPLES
a. Configuration tags
Each configuration attribute is recognized by its “tag” and its length. The tag is a
one-byte value, that uniquely identifies the attribute.
The list of available tags, and their meaning, is the purpose of this chapter and
the next one.
Unless specified, each configuration attribute is exactly one byte (8 bits) long.
b. Non-volatile memory endurance
Prox’N’Roll RFID Scanner configuration attributes are stored in reader’s nonvolatile memory (flash). They can be changed up to 100 times.
Changing any configuration attribute more than 100 times may permanently
damage your Prox’N’Roll RFID Scanner reader.
PMA8N9P-BC
8 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
2.2. G
LOBAL CONFIGURATION ATTRIBUTES
2.2.1. Operating mode
Name Tag Description Size
MOD
h
C0 Operating mode. See table a below. 1
a. Operating mode bits
Bit Value
Meaning
7 – 4
RFU (set to 0000)
3 – 0
0001
0011
Operating mode :
Serial emulation mode
Keyboard emulation mode
Default value : b00000011
2.2.2. General options
Name Tag Description Size
OPT
h
60 General options. See table a below. 1
a. General options bits
Bit Value
Meaning
7
RFU (set to 0)
6
0 1 Shutdown RF field when idle
Shutdown RF field only when no card detected3
5 – 4
00
01
10
11
Anti-collision model :
Process every card one after the other
RFU
When 2 cards are in the field, process the 1st and ignore the 2nd
When 2 cards are in the field, ignore both
3 – 2
00
01
10
11
Master Card :
Master Cards are disabled4
Master Cards are enabled at power up
RFU
Master Cards are enabled all the time
1 – 0
00
01
10
11
Activate physical serial port5 :
Serial port is enabled
RFU
Serial port is disabled
RFU
Default value : b00001100
(Master Cards are enabled all the time, serial port enabled)
3
This is required if strict anti-collision (bits 5-4 = b10 or b11) is needed.
4
Configuration settings can only be altered through serial link
5
Prox’N’Roll doesn’t have a serial port. This attribute is relevant only for CrazyWriter or other
hardware platforms that feature an UART with either RS-TTL or RS-232 connection
PMA8N9P-BC
9 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
2.2.3. Delays and repeat options
Name Tag Description Min Max
ODL
h
61 Min. delay between 2 consecutive outputs (0.1s). 0 100
RDL
h
62 Min. delay between 2 consecutive identical outputs (0.1s).
A value of 255 means that the card must be removed from the
field –and re-inserted into– before being read again.
0 100
Default value : ODL = 2 (200ms) RDL = 10 (1s)
2.2.4. LED and buzzer control options
Name Tag Description Size
CLD
h
63 LEDs control. See table a below. 1
CBZ
h
64 Buzzer control. See table b below. 1
a. LEDs control bits
Bit Value
Meaning
7
0 1 Short LED sequences (3 seconds)
Long LED sequences (10 seconds)
6 – 5
00
01
10
11
When idle, blue LED blinks slowly (“heart beat” sequence)
When idle, blue LED is always on
When idle, blue LED is always off
RFU
4
0 1 Green LED stays OFF
Green LED blinks when a valid card has been processed
3
0 1 Red LED stays OFF
Red LED blinks when an unsupported card has been processed
2
0 1 Green LED stays OFF
Green LED blinks as soon as a card is seen in the field
1 – 0
11 RFU (set to 11)
Default value : b00001111
b. Buzzer control bits
Bit Value
Meaning
7
0 1 Buzzer short pulse = 0,2 sec
Buzzer short pulse = 0,5 sec
6
0 1 Buzzer long pulse = 0,7 sec
Buzzer long pulse = 1,5 sec
5
RFU
4
0 1 No action on buzzer before specified by host controller
Short pulse when a valid card has been processed
3
0 1 No action on buzzer for unsupported cards
Long pulse when an unsupported card has been processed
2
0 1 No action on buzzer before processing is achieved
Short pulse as soon as a card is seen in the field
1 – 0
RFU (set to 01)
Default value : b00010001
PMA8N9P-BC
10 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
2.3. K
EYBOARD EMULATION MODE ATTRIBUTES
The following attributes are relevant only when the devices is configured for
keyboard emulation (MOD = h03)
Name Tag Description Size
KBD.LYT
h
A0 Keyboard layout. See table a below. 1
KBD.OPT
h
A1 Keyboard options. See paragraph b below. 1
KBD.BEF
h
A2 Prefix string. See paragraph c below. Var.
KBD.AFT
h
A3 Postfix string. See paragraph c below. Var.
a. Keyboard layout
Bit Value
Meaning
7 – 0
h
00
h
01
h
02
h
03
QWERTY
AZERTY using Numeric Pad for number input
QWERTZ
AZERTY using Shift key for number input
All other values are RFU and must not be used
Default value : b00000000 (QWERTY)
b. Keyboard options
This entry is RFU and must be left empty.
c. Prefix and postfix
KBD.BEF defines the character string do be sent before the actual data.
Default value for KBD.DEF : absent (no prefix)
KBD.AFT defines the character string do be sent after the actual data.
Default value for KBD.DEF : ENTER key
If a non-null ASCII value is specified for either KBD.DEF or KBD.AFT (either a
single character or a string), it will be transmitted before of after the data
respectively.
Allowed ASCII codes are :
HEX value C char Meaning
h
09 \t TAB key
h
0A \n ENTER key
h
0D \r (discarded)
h
20 ‘ ’ Space
h
41 to h5A ‘A’ to ‘Z’
h
61 to h7A ‘a’ to ‘z’
Letters A to Z. Actual case vary with CAPS LOCK state.
h
30 to h39 ‘0’ to ‘9’ Digits 0 to 9 (as if they were entered on the numerical
keypad). NUM LOCK must be active.
h
21 to h2F
‘!’ to ‘/’
h
3A to h40
‘:’ to ‘@’
h
5B to h60
‘[ to ‘`’
h
7B to h7E
‘{’ to ‘~’
Symbols (put in order) :
!"#$%&'()*+,-./:;<=>?@ [\]^_`{|}~
h
00 \0 End of string
PMA8N9P-BC
11 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
2.4. S
ERIAL EMULATION MODE ATTRIBUTES
The following attributes are relevant only when the devices is configured for
serial emulation (MOD = h01) or when the serial output is enabled (bits 1-0 in
OPT).
2.4.1. Serial configuration
Name Tag Description Size
SER
h
67 Serial configuration bits. See table a below. 1
a. Serial configuration bits
Bit Value
Meaning
7
0 1 No STX / ETX frame markers
Use STX and ETX as frame markers
6 – 5
00
01
10
11
No BEL / TAB / CR/LF frame markers
Use CR/LF only
Use BEL and CR/LF as frame markers
Use TAB and CR/LF as frame markers
4 – 3
00
01
10
11
Serial Repeat
No repeat
Repeat 4 times with timeout of 100ms
Repeat 4 times with timeout of 250ms
Repeat 9 times with timeout of 250ms
2 – 0
RFU (set to 101)
Default value : b11000000
The baudrate is always 38400 bps.
b. Serial frame format
Serial frames are always transmitted using ASCII representation of binary
values.
For example, data ‘00 7A 12 6C 59 F4 04’ (hexadecimal notation) is transmitted
as string “007A126C59F404”.
c. Serial frame markers
Bits 7-5 drive the start of frame / end of frame markers.
See chapter 4.1 for details on using the reader in Serial mode.
PMA8N9P-BC
12 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
2.5. O
THER ATTRIBUTES
2.5.1. PIN code
Name Tag Description Size
PIN
h
6F PIN code to access reader’s console. 2
Default value : empty (no pin-code)
Use this tag to define a 4 digits PIN code to protect access to reader’s console.
The 2-byte value must store 4 valid BCD digits, or the reserved value hFFFF that
permanently disables the console feature.
PMA8N9P-BC
13 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3. C
ARD ACCEPTANCE TEMPLATES
Products in the SpringCard RFID Scanners family are able to manage different
types of cards, and different sources of data on each card.
A Card Acceptance Template defines how the reader will recognize the card to
be read, and how it would get the actual data (serial number, block reading, file
selection and reading, authentication keys to be used for Mifare or Desfire, etc).
The template also defines which formatting is to be applied to the data when
sending them to the target device (translation to ASCII or to Decimal, constant
prefix or suffic, etc).
This product is able to run up to 4 Card Acceptance Templates simultaneously.
3.1. B
ASIS
Each Card Acceptance Template is configured through a set of configuration
attributes, each attribute having its own tag.
• Template 1 uses Configuration tags
h
10 to h1F
• Template 2 uses Configuration tags
h
20 to h2F
• Template 3 uses Configuration tags
h
30 to h3F
• Template 4 uses Configuration tags
h
40 to h4F
In the following pages, we use the convention “ Template t uses Configuration
tags ht0 to htF ”. Replace t by the current template number.
PMA8N9P-BC
14 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.1.1. Card lookup list
Name Tag Description Size
LKL
h
t0 Card lookup list of the template. See table a below. 1
a. Available values for LKL
Value Card(s) accepted by the template Processing template §
h
01 ISO/IEC 14443 type A (layer 3)
h
02 ISO/IEC 14443 type B (layer 3)
h
03 ISO/IEC 14443 A&B (layer 3)
h
04 ISO/IEC 15693
h
07 ISO/IEC 14443 A&B and ISO/IEC 15693
h
08 NXP ICODE1
h
0C NXP ICODE1 and ISO/IEC 15693
h
0F All of the above
ID only 3.2
h
11 ISO/IEC 14443 type A (layer 4 / T=CL)
h
12 ISO/IEC 14443 type B (layer 4 / T=CL)
h
13 ISO/IEC 14443 A&B (layer 4 / T=CL)
7816-4 3.6
h
22 ST MicroElectronics SR family
h
23 ASK CTS256B and CTS512B
h24
Inside Contactless PicoTAG6
ID only 3.2
h
61 NXP Mifare Classic 1k & 4k Mifare Classic 3.3
h62
NXP Mifare UltraLight Mifare UltraLight 3.4
h
71 NXP Desfire 4k Desfire 3.5
h
72 Calypso (Innovatron protocol) ID only or 7816-4 3.2 or 3.7
h
FF All cards supported ID only 3.2
Other values are RFU
The LKL tag is mandatory to enable a template group. If not found, the template
group is empty.
6
Also HID iClass
PMA8N9P-BC
15 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.1.2. Summary of other tags in templates
Depending of the card lookup list (LKL tag), a specific list of tags controls the
behaviour of the Processing Template.
The table below summarize this.
Tag
ID only
Mifare
UltraLight
Mifare
Classic
Desfire
7816-4
Calypso
h
t1 Output format
ht2
Output prefix
ht3
Offset Location of data
h
t4 Options T=CL options C. options
h
t5 Auth. method & key 1st APDU
h
t6 Sign. method & key 2nd APDU
h
t7 3rd APDU
Grey items are RFU and must be kept empty.
3.1.3. Important notice regarding template-ordering
Be careful that the 4 templates are processed one after the other. The loop is
ended after the first successful match.
If a card matches two (or more) templates, it will be handled only by the first
one.
Suppose you want to accept both a specific kind of 14443-B T=CL cards, with
advanced file reading, and another kind of wired-logic 14443-B cards, where
only the ID is significant. You must put the T=CL template before the ID
template, otherwise the T=CL part will be skipped.
PMA8N9P-BC
16 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.2. ID-
ONLY ACCEPTANCE TEMPLATES
Use an ID-only Acceptance Templates when you want to read the serial number
and/or the protocol-related constant bytes from a contactless card, or a group of
contactless cards.
Depending on the settings you define in the Lookup List attribute (tag LKL.IDO),
the reader may either
• Find any supported contactless card,
• Find only a specific family of contactless cards,
• Find ISO compliant contactless cards.
As you may have more than one ID-only Acceptance Template (up to 4 in fact),
you may easily display different types of cards with a different format.
Including card’s type in the returned ID is also an interesting option (see
3.2.6.b), as for instance there’s no rule to prevent an ISO 14443-B card to have
a different serial number than any ISO 14443-A ones.
3.2.1. Lookup list
Name Tag Description Size
LKL.IDO
h
t0 ID-only lookup list :
h
01 ≤ value ≤
h
0F for ISO-compliant cards,
h
21 ≤ value ≤
h
2F for non-ISO cards,
value = hFF all the supported cards.
See 3.1.1.a for details.
1
PMA8N9P-BC
17 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.2.2. Output format
Name Tag Description Size
TOF.IDO
h
t1 ID-only output format. See table a below. 1
a. Output format bits
Bit Value
Meaning
7 – 6
00
01
10
11
Byte swapping
Do not swap ID bytes (ID is transmitted “as is”)
RFU
Swap bytes for single-size (4 bytes) ISO 14443-A UIDs 7 only ; IDs of any other
card is transmitted “as is”
Swap ID bytes for all kind of cards
5
0
1
Padding
Left-padding with h0
Right-padding with hF
4
0
1
ISO 14443-B specific
Use ISO 14443-B PUPI (4 bytes) as ID
Use complete ISO 14443-B ATQ (11 bytes) as ID
3 – 0
0000
0001
0010
0011
0100
0101
0110
0111
1000
1001
1010
1011
1100
1101
1110
1111
Output length
Decimal, 4 bytes seen as 10 digits (i.e. 32 40 bits expansion)
Fixed length, 4 bytes 8
Fixed length, 8 bytes 9
Fixed length, 5 bytes
Fixed length, 12 bytes 10
Fixed length, 7 bytes 11
Fixed length, 11 bytes 12
RFU
Fixed length, 16 bytes
RFU
RFU
RFU
Decimal, 5 bytes seen as 12 digits (i.e. 40 56 bits expansion)
Decimal, 5 bytes seen as 13 digits (i.e. 40 64 bits expansion)
Decimal, variable length (maximum 13 digits)
Variable length (depends on actual size of ID)
Default value : b10000010
(8 bytes fixed length, left padding, swap bytes for short ISO 14443-A UIDs only)
7
This is the default format in NXP’s Mifare Classic related literature.
8
ISO 14443-A single-size UID, ISO 14443-B PUPI, serial number for ASK CTS256B and CTS512B.
9
ISO 15693 ID, serial number for NXP ICODE1, Inside Contactless PicoTag, ST MicroElectronics SR
family…
10
ISO 14443-A triple-size UID.
11
ISO 14443-A double-size UID.
12
ISO 14443-B complete ATQB.
PMA8N9P-BC
18 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.2.3. Output prefix
Name Tag Description Size
PFX.IDO
h
t2 ID-only output prefix. Var.
Default value : absent (no prefix)
If a non-null ASCII value is specified (either a single character or a string), it will
be transmitted before the data (therefore the actual length will be longer than
the specified length).
3.2.4. Offset of data
Name Tag Description Size
LOC.IDO
h
t3 Offset in the ID. 1
Default value : b00000000 (d0)
When TOF.IDO specifies a fixed length output, using LOC.IDO makes it possible
to select some bytes in the ID, and not only the first ones. This is principally
useful when working with non-ISO cards, as shown in the following paragraphs.
PMA8N9P-BC
19 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.2.5. Role of LOC.IDO with non-ISO cards
A few manufacturers still offer non standard cards, most of them based on ISO
14443-B bit-level specification, but with a proprietary frame format (protocol)
and a proprietary command set.
As those cards don’t answer to ISO 14443 standard detection commands, a
specific template must be activated to discover them.
a. ST MicroElectronics SR family
When LKL.IDO=h22, the reader performs the lookup sequence for cards in the ST
MicroElectronics SR family (SR176, SRX, SRIX).
A 8-byte serial number is returned by the card. Use TOF.IDO and LOC.IDO if you
need to truncate it.
b. ASK CTS256B and CTS512B
When LKL.IDO=h23, the reader performs the lookup sequence for cards in the
ASK CTS-B family (CTS256B, CTS512B).
A 8-byte identifier is built as follow :
Byte 0 Byte 1 Byte 2 Byte 3 Bytes 4 to 7
Manufacturing
code
Product code Embedded code Application code 4-byte serial
number
CTS256B’s product code is between h50 and h5F,
CTS512B’s product code is between h60 and h6F,
See ASK’s documentation for explanations regarding other bytes.
Define LOC.IDO=h04 (and TOF.IDO=h01) if you need only the serial number (and
don’t care for card type and other data).
c. Inside Contactless PicoTAG13
When LKL.IDO=h24, the reader performs the lookup sequence for cards in the
Inside Contactless PicoTAG family (PicoTAG 16KS).
A 8-byte serial number is returned by the card. Use TOF.IDO and LOC.IDO if you
need to truncate it.
13
Also HID iClass
PMA8N9P-BC
20 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.2.6. Miscellaneous options
Name Tag Description Size
OPT.IDO
h
t4 ID-only miscellaneous options. See table a below. 1
a. Miscellaneous option bits
Bit Value
Meaning
7 – 4
RFU
3 – 2
00
01
10
11
Position of card’s type in the output
Card type is sent before the prefix14
Card type is sent after the prefix and before the ID15
Card type is sent after the actual ID16
RFU
1 – 0
00
01
10
11
Send card’s type in the output
Do not send card’s type
Send card’s type on one byte (2 hex digits) (see table b below)
Send card’s type as a string (see table b below)
RFU
Default value : b00000000
b. Values for card’s type byte or string
When OPT.IDO is configured to send card’s type in the output, the possible
values are :
“Physical”
card’s type
One byte
value
String
value
Remark
ISO/IEC 14443 A
h
01 “ A ”
ISO/IEC 14443 B
h
02 “ B ”
Card must be compliant with Layer
3 or layer 4
ISO/IEC 15693
h
04 “ V ”
NXP ICODE1
h
08 “ I ”
Inside Contactless PicoTAG
h
10 “ i ” Also HID iClass
ST MicroElectronics SR family
h
20 “ s ”
ASK CTS256B and CTS512B
h
40 “ a ”
Calypso (Innovatron protocol)
h
80 “ C ”
14
The actual frame is <card type><PFX.IDO><card id> (PFX.IDO may be empty)
15
The actual frame is <PFX.IDO><card type><card id> (PFX.IDO may be empty)
16
The actual frame is <PFX.IDO><card id><card type> (PFX.IDO may be empty)
PMA8N9P-BC
21 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.3. M
IFARE CLASSIC ACCEPTANCE TEMPLATE
Mifare “Classic” refers to NXP Mifare 1k (MF1ICS50) and Mifare 4k (MF1ICS70)
wired-logic contactless cards.
Mifare 1k is divided into 64 16-byte blocks.
Mifare 4k is divided into 256 16-byte blocks.
Both cards have a 4-byte serial number, located at the beginning of block 0. As
those cards are ISO/IEC 14443-3 compliant, you can read the serial number
through the generic ID-Only template, instead of using this dedicated template.
3.3.1. Lookup list
Name Tag Description Size
LKL.MIF
h
t0 Mifare classic lookup list, value = h61.
See 3.1.1.a for details.
1
3.3.2. Output format
Name Tag Description Size
TOF.MIF
h
t1 Mifare output format. See table a below. 1
a. Output format bits
Bit Value
Meaning
7
0 1 Do not swap bytes
Swap bytes
6
0 1 RAW data
ASCII encoded data 17
5
0 1 Left-padding with h0 (RAW) or <SPACE> (ASCII)
Right-padding with hF (RAW) or <SPACE> (ASCII)
4
0
1
Long string reading option18
Disable long string reading option
Enable long string reading option
3 – 0
Output length
Format depends on bit 6 (RAW or ASCII).
See table b below for RAW data (bit 6 = 0)
See table c below for ASCII data (bit 6 = 1)
Default value : b00000010
17
If data read from the memory card is “31 32 33 43 34 35” (hexadecimal notation), output will be
“123C45”. Make sure that only valid digits (values from 31 to 39 and 41 to 46 or 61 to 66) are
encoded in every card, otherwise actual reader output will be undefined.
18
This option is only available on Prox’N’Roll RFID Scanner, RDR-K632 and ProxRunner. If working
with IWM-K632 or FunkyGate, please ignore this configuration tag.
PMA8N9P-BC
22 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
b. Output length when bit 6 = 0
Bit Value
Meaning
3 – 0
0000
0001
0010
0011
0100
0101
0110
0111
1000
1001
1010
1011
1100
1101
1110
1111
Decimal, 4 bytes seen as 10 digits (i.e. 32 40 bits expansion)
Fixed length, 4 bytes (32 bits)
Fixed length, 8 bytes (64 bits)
Fixed length, 5 bytes (40 bits)
Fixed length, 12 bytes (96 bits)
Fixed length, 7 bytes (56 bits)
Fixed length, 11 bytes (88 bits)
RFU
Fixed length, 16 bytes (128 bits)
RFU
RFU
RFU
Decimal, 5 bytes seen as 12 digits (i.e. 40 56 bits expansion)
Decimal, 5 bytes seen as 13 digits (i.e. 40 64 bits expansion)
Decimal, variable length (maximum 13 digits)
Variable length (using h0 and hF as end of string markers)
c. Output length when bit 6 = 1
Bit Value
Meaning
3 – 0
0000
0001
to
1111
Max output length = d16
Max output length from d1 to d15
3.3.3. Output prefix
Name Tag Description Size
PFX.MIF
h
t2 Mifare output prefix. Var.
Same as ID-only output prefix (see 3.2.3).
3.3.4. Location of data
Depending on the size, the LOC.MIF tag can either be
A block number (= address of data in Mifare card) when size = 1,
An Application Identifier (AID) when size = 2.
PMA8N9P-BC
23 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
a. Fixed block number
Name Tag Description Size
LOC.MIF
h
t3 Block number to be read. 1
Default value : b00000100 (d4)
When a Mifare card is found, the reader tries to read the block specified in
LOC.MIF (16 bytes), and then truncates the data according to the length
specified in TOF.MIF.
The block number shall be
Between 0 and 63 for Mifare 1k cards,
Between 0 and 255 for Mifare 4k cards.
Note that data must start on a block boundary.
Mifare sector t
railers (security blocks) numbered 3, 7, … can be read, but their
content is masked (to protect the keys). Using such a block as access control
identifier is definitely not a good idea.
b. AID in MAD
Name Tag Description Size
LOC.MIF
h
t3 AID to be selected and read. 2
When a Mifare card is found, reader reads the MAD (blocks 1 and 2 of sector 0)19
and tries to find the specified AID. The location of the AID in the MAD is the
pointer onto the actual block to be read.
Note that data must be located at the beginning of the first block marked with
the specified AID.
Please refer to NXP application notes for detailed explanations of the MAD.
19
Sector 0 must be freely readable either with base key A (“A0 A1 A2 A3 A4 A5”), with transport key
(“FF FF FF FF FF FF”) or with the application key specified in AUT.MIF .
PMA8N9P-BC
24 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.3.5. Authentication key
Depending on the size, the AUT.MIF tag can either be
A pointer to a key located in RC’s secure EEPROM when size = 1.
The Mifare key itself, when size = 7,
A master key and its diversification options, when size = 9 or 17
When the AUT.MIF tag is absent, all EEPROM keys are tried out in sequence (this
can take a long time…).
Name Tag Description Size
AUT.MIF
h
t5 Mifare authentication key. See below
Default value : absent
a. Size = 1 : pointer to a key in RC’s secure EEPROM
Values h00 to h0F refer to type A keys d0 to d15, respectively,
Values h80 to h8F refer to type B keys d0 to d15, respectively.
b. Size = 7 : specified Mifare key
Offset Length Content
0 1 Key options. See table c below.
1 6 Mifare key value.
c. Key options bits, when size = 7
Bit Value
Meaning
7
0 1 Key is an A key
Key is a B key
6 – 0
RFU
d. Size = 17 : master key diversification using HMAC-MD5
Offset Length Content
0 1 Key options. See table e below.
1 16 Master key value.
e. Key options bits, when size = 17
Bit Value
Meaning
7
0 1 Diversified key is an A key
Diversified key is a B key
6
0 1 Diversification with card UID and address fixed to h00
Diversification with card UID and address = sector number
5 – 4
10 Diversify the key using HMAC-MD5 algorithm
3 – 0
RFU
PMA8N9P-BC
25 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
f. Size = 15 or 23 : master key diversification using RC171 algorithm
Offset Length Content
0 1 Key options. See table g below.
1 6 Mifare master key.
7 8 or 16 DES or 3-DES diversification key.
g. Key options bits, when size = 15 or 23
Bit Value
Meaning
7
0 1 Diversified key is an A key
Diversified key is a B key
6
0 1 Diversification with card UID and address fixed to h00
Diversification with card UID and address = sector number
5 – 4
01 Diversify the key using RC171 algorithm
3 – 0
RFU
3.3.6. Reading a long string from a Mifare Classic card
Note : This option is only available on Prox’N’Roll RFID Scanner, RDR-K632 and
ProxRunner.
When bits 4 and 6 in TOF.MIF are set (ASCII output, long string reading
extension enabled), the reader behaves as follow :
• The output length (bits 0 to 3 of TOF.MIF) is ignored,
• The reader reads sequentially all Mifare data blocks starting at address
specified in LOC.MIF (absolute address or pointer found in MAD), until
one of those events occurs :
o The end-of-string character (‘\0’ i.e. h00) is read,
o The end of the card is reached,
o The authentication failed (see note below),
o 4 blocks (64 bytes) have been read.
Doing so, the reader is able to fetch ASCII strings up to 64 characters.
Note : in this mode, the reading may cross a sector boundary (64 bytes is 4
blocks, where sectors below 32 are 3-block wide). In this case, the two sectors
to be read must be formatted with the same Mifare key and the same access
mode.
PMA8N9P-BC
26 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.4. M
IFARE ULTRALIGHT ACCEPTANCE TEMPLATE
NXP Mifare UltraLight is a low-cost wired-logic contactless cards. It is divided
into 16 4-byte pages. This template reads 4 pages (i.e. exactly 16 bytes) at
once.
This card has a 7-byte serial number, located on blocks 0 and 1. As the card is
ISO/IEC 14443-3 compliant, you can read the serial number through the generic
ID-Only template, instead of using this dedicated template.
3.4.1. Lookup list
Name Tag Description Size
LKL.MFU
h
t0 Mifare UltraLight lookup list, value = h62.
See 3.1.1.a for details.
1
3.4.2. Output format
Name Tag Description Size
TOF. MFU
h
t1 Mifare UltraLight output format. 1
Same as Mifare Classic output format (see 3.3.2).
3.4.3. Output prefix
Name Tag Description Size
PFX.MFU
h
t2 Mifare UltraLight output prefix. Var.
Same as ID-only output prefix (see 3.2.3).
3.4.4. Location of data
Name Tag Description Size
LOC.MFU
h
t3 Number of the first page to be read. 1
Default value : b00000000 (d0)
Remember that this template always reads 4 pages (16 bytes) starting at
LOC.MFU.
PMA8N9P-BC
27 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.4.5. Reading a long string from a Mifare UltraLight card
Note : This option is only available on Prox’N’Roll RFID Scanner, RDR-K632 and
ProxRunner.
When bits 4 and 6 in TOF.MIF are set (ASCII output, long string reading
extension enabled), the reader behaves as follow :
• The output length (bits 0 to 3 of TOF.MIF) is ignored,
• The reader reads sequentially all Mifare data blocks starting at address
specified in LOC.MIF (absolute address or pointer found in MAD), until
one of those events occurs :
o The end-of-string character (‘\0’ i.e. h00) is read,
o The end of the card is reached,
o 16 pages (64 bytes) have been read.
Doing so, the reader is able to return ASCII strings up to 64 characters20.
20
Well, not really, as Mifare UltraLight currently features only 64 bytes of data, with only 48 bytes
actually usable to store data.
PMA8N9P-BC
28 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.5. D
ESFIRE ACCEPTANCE TEMPLATE
Desfire Acceptance Template has been designed for the first version of NXP
Desfire 4k cards (MF3ICD40).
It should work with new Desfire versions (MF3ICD21, MF3ICD41 and MF3ICD81)
as long as they are configured to remain compatible with the earlier version
(DES or two-key Triple-DES authentication, same ATQ/SAK as MF3ICD40).
3.5.1. Lookup list
Name Tag Description Size
LKL.DFR
h
t0 Desfire lookup list, value = h71.
See 3.1.1.a for details.
1
3.5.2. Output format
Name Tag Description Size
TOF.DFR
h
t1 Desfire output format. 1
Same as Mifare Classic output format (see 3.3.2).
3.5.3. Output prefix
Name Tag Description Size
PFX.DFR
h
t2 Desfire output prefix. Var.
Same as ID-only output prefix (see 3.2.3).
3.5.4. Location of data
Name Tag Description Size
LOC.DFR
h
t3 Location of data in Desfire card. See table a below. 8
a. Data location bytes
Offset Length Content
0 3 Application IDentifier (AID).
3 1 File IDentifier (FID). File must be a “standard data” file.
4 3 Offset of data in file.
7 1 Length of data to be read21 (1 to 64).
Default value : unspecified.
Values are MSB first.
21
Data will be truncated to the length specified in TOF.DFR, unless the long string reading extension
is enabled.
PMA8N9P-BC
29 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.5.5. T=CL options
Name Tag Description Size
OPT.DFR
h
t4 Desfire T=CL options. 1
Same as 7816-4 T=CL options (see 3.5.5).
3.5.6. Authentication key
Name Tag Description Size
AUT.DFR
h
t5 Desfire authentication key. See table a below. 9 or 17
Default value : absent
(No authentication is performed, plain read operation is used to fetch the data)
a. Authentication key bytes
Offset Length Content
0 1 Desfire key index and options. See table b below.
1 8 or 16 Key value (8 bytes for a DES key, 16 bytes for a 3-DES key).
b. Key index and options
Bit Value
Meaning
7 – 6
00
01
10
11
Communication mode for reading
Plain
MACed with session key
RFU
Enciphered with session key
5 – 4
00
01
10
11
Key diversification algorithm
Use the key “as is”
Diversify the key using Desfire SAM algorithm
Diversify the key using HMAC-MD5 algorithm
RFU
3 – 0
0000
to
1110
1111
Index of key in Desfire application
Index of the key to be used for authentication
RFU
PMA8N9P-BC
30 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.5.7. Reading a long string from a Desfire card
Note : This option is only available on Prox’N’Roll RFID Scanner, RDR-K632 and
ProxRunner.
When bits 4 and 6 in TOF.DFR are set (ASCII output, long string reading
extension enabled), the reader behaves as follow :
• The output length (bits 0 to 3 of TOF.DFR) is ignored,
• The reader reads the data up to the length specified in LOC.DFR (64
bytes max.),
• The reader returns those bytes as an ASCII string, truncated at the
correct length when the end-of-string character (‘\0’ i.e. h00) is reached.
Doing so, the reader is able to fetch ASCII strings up to 64 characters.
PMA8N9P-BC
31 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.6. ISO 7816-4 A
CCEPTANCE TEMPLATE
3.6.1. Lookup list
Name Tag Description Size
LKL.TCL
h
t0
7816-4 lookup list,
h
11 ≤ value ≤
h
13.
See 3.1.1.a for details.
1
3.6.2. Output format
Name Tag Description Size
TOF.TCL
h
t1 T=CL output format. 1
Same as Mifare Classic output format (see 3.3.2).
3.6.3. Output prefix
Name Tag Description Size
PFX.TCL
h
t2 T=CL output prefix. Var.
Same as ID-only output prefix (see 3.2.3).
3.6.4. Location of data
Name Tag Description Size
LOC.TCL
h
t3 Offset of data in answer to APDU 322 (0 to 127). 1
Default value : 0.
3.6.5. T=CL options
Name Tag Description Size
OPT.TCL
h
t4 T=CL (ISO/IEC 14443 layer 4) options. See table a below. 1
22
Data will be truncated according to the length specified in TOF.TCL .
PMA8N9P-BC
32 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
a. T=CL option bits
Bit Value
Meaning
7 – 6
00
01
10
11
Card to reader baudrate
No PPS, DSI = 106kbit/s
Perform PPS, DSI = 212kbit/s if card allows it
Perform PPS, DSI = 424kbit/s if card allows it
Perform PPS, DSI = 848kbit/s if card allows it
5 – 4
00
01
10
11
Reader to card baudrate
No PPS, DRI = 106kbit/s
Perform PPS, DRI = 212kbit/s if card allows it
Perform PPS, DRI = 424kbit/s if card allows it
Perform PPS, DRI = 848kbit/s if card allows it
3 – 0
0000
0001
to
1110
1111
Card identifier (CID)
Empty CID = d0
CID from d1 to d14
CID is disabled
This tag exists only if T=CL card is selected in LST.
Default value : b00001111
3.6.6. T=CL APDU 1
Typically this is a Select Application (or Select Applet) command.
May be absent if T=CL APDU 3 is sufficient to fetch the data.
Name Tag Description Size
AU1.TCL
h
t5 TCL APDU 1. Var.
Card’s Status Word is checked by the reader. A SW between h9000 and
h
9FFF is
considered valid. Any other value for SW (and in particular error values as
defined by ISO 7816-4 between h6100 and
h
6FFF) is considered as an error, and
the reader will ignore the card.
Reader’s internal buffer is limited to 128 bytes. If card’s answer is longer, the
answer will be discarded and the reader will ignore the card.
PMA8N9P-BC
33 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.6.7. T=CL APDU 2
Typically this is a Select File command.
May be absent if T=CL APDU 3 is sufficient to fetch the data.
Name Tag Description Size
AU2.TCL
h
t6 TCL APDU 2. Var.
Card’s Status Word is checked by the reader. A SW between h9000 and
h
9FFF is
considered valid. Any ot
her value for SW (and in particular error values as
defined by ISO 7816-4 between h6100 and
h
6FFF) is considered as an error, and
the reader will ignore the card.
Reader’s internal buffer is limited to 128 bytes. If card’s answer is longer, the
answer will be discarded and the reader will ignore the card.
3.6.8. T=CL APDU 3
APDU used to actually retrieve the data (typically this is a Read Binary
command). Data have to be found in answer at offset specified in LOC.TCL.
Name Tag Description Size
AU3.TCL
h
t7 TCL APDU 3. Var.
Card’s Status Word is checked by the reader. A SW between h9000 and
h
9FFF is
considered valid. Any other value for SW (and in particular error values as
defined by ISO 7816-4 between h6100 and
h
6FFF) is considered as an error, and
the reader will ignore the card.
Reader’s internal buffer is limited to 128 bytes. If card’s answer is longer, the
answer will be discarded and the reader will ignore the card.
PMA8N9P-BC
34 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.6.9. Reading a long string from a T=CL card
Note : This option is only available on Prox’N’Roll RFID Scanner, RDR-K632 and
ProxRunner.
When bits 4 and 6 in TOF.TCL are set (ASCII output, long string reading
extension enabled), the reader behaves as follow :
• The output length (bits 0 to 3 of TOF.TCL) is ignored,
• The reader fetches the data from offset LOC.TCL up to the length of the
response to APDU 3 (64 bytes max.),
• The reader returns those bytes as an ASCII string, truncated at the
correct length when the end-of-string character (‘\0’ i.e. h00) is reached.
Doing so, the reader is able to fetch ASCII strings up to 64 characters.
PMA8N9P-BC
35 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.7. C
ALYPSO ACCEPTANCE TEMPLATE
This part deals with old Calypso cards, to be accessed only through the legacy
Innovatron radio protocol.
New Calypso cards now support ISO/IEC 14443-B, and therefore can be
accessed either through ID-Only or ISO/IEC 7816-4 templates.
Working with Calypso cards is subject to a specific licence fee. This function is
therefore disabled in our readers, unless you order them with the Calypso
option.
Depending on the specified options, this Calypso card processing template can
retrieve :
A 4-byte serial number (ID-Only template)
Arbitrary data to be read in Calypso files (7816-4 template)
3.7.1. Lookup list
Name Tag Description Size
LKL.CYO
h
t0 Calypso/Innovatron lookup list, value = h72.
See 3.1.1.a for details.
1
3.7.2. Output format
Name Tag Description Size
TOF.CYO
h
t1 Calypso/Innovatron output format. 1
Same as Mifare Classic output format (see 3.3.2).
3.7.3. Output prefix
Name Tag Description Size
PFX.CYO
h
t2 Calypso/Innovatron output prefix. Var.
Same as ID-only output prefix (see 3.2.3).
PMA8N9P-BC
36 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.7.4. Location of data
Name Tag Description Size
LOC.CYO
h
t3 Offset of data in answer to APDU 323 (0 to 64). 1
Default value : 0.
3.7.5. Calypso APDU 1
Typically this is a Select Application, or Select DF command.
Name Tag Description Size
AU1.CYO
h
t5 Calypso/Innovatron APDU 1. Var.
Card’s Status Word is checked by the reader. A SW between h9000 and
h
9FFF is
considered valid. Any other v
alue for SW (and in particular error values as
defined by ISO 7816-4 between h6100 and
h
6FFF) is considered as an error, and
the reader will ignore the card.
Reader’s internal buffer is limited to 128 bytes. If card’s answer is longer, the
answer will be discarded and the reader will ignore the card.
3.7.6. Calypso APDU 2
Typically this is a Select EF command.
Name Tag Description Size
AU2.CYO
h
t6 Calypso/Innovatron APDU 2. Var.
Card’s Status Word is checked by the reader. A SW between h9000 and
h
9FFF is
con
sidered valid. Any other value for SW (and in particular error values as
defined by ISO 7816-4 between h6100 and
h
6FFF) is considered as an error, and
the reader will ignore the card.
Reader’s internal buffer is limited to 128 bytes. If card’s answer is lo
nger, the
answer will be discarded and the reader will ignore the card.
23
Data will be truncated according to the length specified in TOF.CYO .
PMA8N9P-BC
37 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
3.7.7. Calypso APDU 3
Typically this is a Read Binary command.
Name Tag Description Size
AU3.CYO
h
t7 Calypso/Innovatron APDU 3 Var.
Card’s Status Word is checked by the reader. A SW between h9000 and
h
9FFF is
considered valid. Any other value for SW (and in particular error values as
defined by ISO 7816-4 between h6100 and
h
6FFF) is considered as an error, and
the reader will ignore the card.
Reader’s internal buffer is limited to 128
bytes. If card’s answer is longer, the
answer will be discarded and the reader will ignore the card.
PMA8N9P-BC
38 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
4. S
ERIAL PROTOCOL AND COMMAND SET
4.1. S
ERIAL OUTPUT FORMAT
4.1.1. Frame markers
Serial frame markers are configured by bits 7-5 of SER .
Consider data ’01 23 45 67’ with a prefix <BEF> and postfix <AFT>,
If bits 7-5 = b000, frame is “<BEF>01234567<AFT>”.
If bits 7-5 = b001, frame is “<BEF>01234567<AFT><CR><LF>” where
<CR> the ASCII carriage return (h0D), and <LF> the ASCII line feed (h0A).
If bits 7-5 = b010, frame is “<BEL><BEF>01234567<AFT> <CR> <LF> ”
where <BEL> is the ASCII bell (or ring) character (h07), <CR> the ASCII
carriage return (h0D), and <LF> the ASCII line feed (h0A).
If bits 7-5 = b011, frame is “<TAB><BEF>01234567<AFT><CR><LF>”
where <TAB> is the ASCII horizontal tab character (h09), <CR> the ASCII
carriage return (h0D), and <LF> the ASCII line feed (h0A).
If bits 7-5 = b100, frame is “<STX><BEF>01234567<AFT><ETX>” where
<STX> is the ASCII “start of text” character (h02), and <ETX> the ASCII
“end of text” (h03).
If bits 7-5 = b101, frame is
“<STX><BEF>01234567<AFT><ETX><CR><LF>”.
If bits 7-5 = b110, frame is
“<BEL><STX><BEF>01234567<AFT><ETX><CR><LF>”.
If bits 7-5 = b111, frame is
“<TAB><STX><BEF>01234567<AFT><ETX><CR><LF>”.
4.2. S
ERIAL INPUT
Prox’N’Roll RFID Scanner in Serial mode accepts short commands from the
host, typically to drive its LEDs and buzzer.
Prox’N’Roll RFID Scanner doesn’t echo back the received data.
If the received command has been understood by Prox’N’Roll RFID Scanner,
it replies with an <ACK> byte before executing the requested action.
Otherwise, it replies with a <NACK> byte.
Command transmission format is <command> <CR> <LF>.
PMA8N9P-BC
39 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
4.2.1. List of commands
Command Action
A0
Reader goes inactive (tag polling is halted)
A1
Reader goes active
R0
Switch red LED off
R1
Switch red LED on
R2
Red LED blinks slowly
R3
Red LED blinks quickly
G0
Switch green LED off
G1
Switch green LED on
G2
Green LED blinks slowly
G3
Green LED blinks quickly
Z0
Stop buzzer
Z1
Start buzzer
Z2
Short buzzer sound
Z3
Long buzzer sound
Margz
Same as sending Aa + Rr + Gg + Zz
Mrg
Same as sending Rr + Gg
Marg
Same as sending Aa + Rr + Gg
RST
Reset the reader
VER
Retrieve reader’s version
SHO
Retrieve reader’s settings
Choose approp
riate configuration in CLD and CBZ before using the LEDs or
buzzer related commands.
PMA8N9P-BC
40 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
5. C
ONFIGURING PROX
’N’R
OLL
RFID S
CANNER
There are two ways to configure Prox’N’Roll RFID Scanner:
Using a Master Card, formatted with cfgfilecreator.exe software. See
chapters 6 and 7 for details. In Keyboard mode, when the Master Card has
been processed the reader, it sends its firmware version (in the keyboard
emulation stream), then restarts.
Manually, by entering configuration values in reader’s console (serial line
access), as shown in this chapter. Only available for Prox’N’Roll RFID
Scanner in Serial mode.
Default factory settings for Prox’N’Roll RFID Scanner firmware are :
Keyboard mode,
Reads any kind of ID, 8 byte fixed length output.
5.1. C
ONNECTING PROX
’N’R
OLL TO A COMPUTER
5.1.1. Activating serial mode
Activate the Serial mode using a Master Card configured to modify the OPT
attribute. See chapters 2.2.1 for details.
5.1.2. Connection information
Install software ref. SDD100 “USB Driver for SpringCard’s FTDI-based devices”
to see the interface as a virtual serial port (VCP).
Use HyperTerminal or any compliant terminal emulator to get connected onto
the reader through the serial port. Default communication settings are :
8 data bits, 1 stop, no parity, no flow control ;
Baudrate = 38400bps.
5.1.3. Testing connection
Power-up (or reset) the reader,
Reader sends its identification string :
SpringCard Prox’N’Roll RFID Scanner 1.28
PMA8N9P-BC
41 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
5.2. R
ETRIEVING PROX
’N’R
OLL
RFID S
CANNER INFORMATION
5.2.1. Firmware version
Enter “
ver
” to read Prox’N’Roll RFID Scanner firmware version.
5.2.2. Firmware configuration
Enter “
sho
” to read Prox’N’Roll RFID Scanner configuration.
5.3. E
NABLING CONFIGURATION COMMANDS
Prox’N’Roll RFID Scanner configuration may be protected by a pin-
code (if
PIN configuration tag is empty, no pin-code is needed.
If defined to hFFFF, configuration commands are permanently disabled).
Enter “
pinNNNN
” to allow configuration commands, where NNNN is the actual
pin-code (for instance, “
pin1234
”)24.
5.4. A
CCESSING PROX
’N’R
OLL CONFIGURATION
5.4.1. Reading configuration tags
Enter “
cfg
” to list all configuration tags.
Enter “
cfgXX
” to read value configuration tag XX (hexadecimal address).
Note that configuration tags h55, h56 and h6F (keys used by Master Cards and
pin-code) are masked when read back.
5.4.2. Writing configuration tags
Enter “
cfgXX=YYYY
” to update configuration tag XX (hexadecimal address)
with value YYYY (hexadecimal value).
Enter “
cfgXX=!!
” to delete configuration tag XX (hexadecimal address).
5.4.3. Writing keys in RC’s secure EEPROM
Enter “
keya0=XXXXXXXXXXXX
” to update key A at index 0, “
keya1=
...” to
update key A at index 1, and so on until “
keyaf=
...”.
Enter “
keyb0=XXXXXXXXXXXX
” to update key B at index 0, “
keyb1=
...” to
update key B at index 1, and so on until “
keybf=
...”.
24
For security reasons, configuration commands are enabled only for 3 minutes. After 3 minutes of
inactivity, you’ll have to enter the pin-code again.
PMA8N9P-BC
42 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
Note that keys stored in RC can’t be read back.
5.4.4. Reading RC’s 4-byte EEPROM
RC’s chipset includes a 4-byte EEPROM to store a configuration value.
Enter “
cfgRC
” to read this 4-byte value.
5.4.5. Writing RC’s 4-byte EEPROM
RC’s chipset includes a 4-byte EEPROM to store a configuration value.
Enter “
cfgRC=XXXXXXXX
” to write this 4-byte value.
Content of RC’s 4-byte EEPROM is currently not used by
Prox’N’Roll RFID
Scanner firmware.
Please keep this value to 00000000 as it may be used in future versions.
5.5. A
PPLYING NEW CONFIGURATION
New configuration is applied only after reset.
Cycle power or enter “
rst
” to reset the reader.
5.6. R
EVERTING TO DEFAULT
Sometimes it is necessary to put reader back in “out-of-factory” configuration
(for instance when reader goes from one site to another). This is done easily by
erasing all tags from reader’s memory.
Enter “
cfg!!=!!
” to delete all configuration tags.
There’s no confirmation prompt nor any kind of “are you sure ?” popup window.
Erasing everything is immediate and unrecoverable.
Erasing all the configuration tags is not really enough to put the reader(s) back
in out-of-
factory configuration, since Mifare keys stored in RC’s secure EEPROM
are not erased.
Read paragraph 3.5.3 to see how the keys may be overwritten.
PMA8N9P-BC
43 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
6. C
REATING MASTER CARDS USING
SQ844P
SOFTWARE
6.1. O
VERVIEW
Master Cards for SpringCard RFID Scanners are NXP Desfire 4k (MF3ICD40 or
MF3ICD41). You may buy them from SpringCard or any other NXP reseller.
SpringCard SQ844P is a software package featuring :
• A command line utility, that creates the Master Cards from a Master
Configuration File, and using a SpringCard contactless reader/writer25
• A wizard (HTML page) that helps authoring the Master Configuration File.
SpringCard SQ844P also includes various configuration files, that show typical
configuration for Prox’N’Roll RFID Scanner, IWM-K632, FunkyGate, RDR-K632,
ProxRunner, etc.
SpringCard SQ844P is available only for Microsoft Windows systems.
a. Downloading and installing
Go to www.springcard.com/download/sdks.html and download latest
version of package sq884p.
Double-click the downloaded file to launch the installer, and follow the wizard.
b. The cfgfilecreator.exe command line utility
cfgfilecreator.exe is a Windows command line software.
☺
Enter cfgfilecreator.exe -h
to read the complete list of command line switches
and options, and the complete list of sections and variables for configuration
files.
cfgfilecreator.exe
software comes with various sample configuration files that
show typical configurations of IWM-
K632, FunkyGate, Prox’N’Roll RFID Scanner,
etc.
25
SpringCard Prox’N’Roll PC/SC (or Legacy) typically. CSB4 or any product in the CSB6 family
may be used to create Master Cards too.
PMA8N9P-BC
44 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
c. The cfgfilecreator.exe web page
cfgfilecreator.html is a standalone web page that helps creating configuration
files for cfgfilecreator.exe .
6.2. C
ONFIGURATION FILES
cfgfilecreator.exe uses a configuration file to retrieve configuration data to be
written into the Master Card.
Configuration files are written like standard Windows “INI” files. They can be
created using Notepad or any other text editor, or using cfgfilecreator.html .
Each line of each section uses the format “name=value” where “name” is either
the name or the tag of the configuration variable (e.g. either “opt” or “60”), and
“value” its value in hexadecimal.
6.2.1. The “general” section
This section maps to tags h60 to h6F. Default content is :
[general]
opt=0C ; value for OPT
odl=02 ; value for ODL
rdl=0A ; value for RDF
cld=0F ; value for CLD
cbz=13 ; value for CBZ
wgd=0A ; value for WGD
dtc=0A ; value for DTC
PMA8N9P-BC
45 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
ser=C5 ; value for SER
shd=00 ; value for SHD
pin=0000 ; value for PIN
6.2.2. The “rckeys” section
This section holds the Mifare access keys to be written in RC’s secure EEPROM.
Type A keys are named “a0” to “a15”, and type B keys “b0” to “b15”.
Here’s an example of content :
[rckeys]
a0=A0A1A2A3A4A5 ; Mifare type A base key (for MAD)
a1=FFFFFFFFFFFF ; NXP transport key
a2=000000000000 ; other transport key
a3=CCCCCCCCCCCC ; unused
(...)
a15=CCCCCCCCCCCC ; unused
b0=B0B1B2B3B4B5 ; Mifare type B base key (for MAD)
b1=FFFFFFFFFFFF ; NXP transport key
b2=000000000000 ; other transport key
b3=CCCCCCCCCCCC ; unused
(...)
b15=CCCCCCCCCCCC ; unused
This section (and each line in it) is optional. Only keys listed in this section will
be written, other keys will be left unchanged.
6.2.3. Sections for Card Processing Templates
SpringCard RFID Scanners run 1 to 4 card accepting templates.
Each template is configured by sections “tpl1”, “tpl2”, “tpl3” and “tpl4”
respectively.
Mandatory and optional content for each section depends on the card lookup list
(LKL field) of the section itself.
a. ID-Only example
This sample section configures template 4 to read any kind of ID. Output format
is : 8-byte fixed length, prefixed by the string “ID=” :
[tpl4]
lkl=0F ; wants any kind of ID
tof=82 ; 8-byte output, swap 14443 A short IDs
pfx=49443D ; prefix = “ID=”
b. Desfire example
This sample section configures template 1 to read 8 bytes of data from a Desfire
card. Output format is : 8-byte fixed length, no prefix :
[tpl1]
lkl=71 ; wants Desfire cards
tof=02 ; 8-byte output
pfx= ; no prefix
loc=123456 01 000100 08 ; 8 bytes of data to be read in application
; 0x123456, field 0x01, at offset 0x000100
PMA8N9P-BC
46 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
aut=00 A0A1A2A3A4A5A7 ; authentication with key 0, plain comm.
; mode, no diversification. Key is a single
; DES key (8 bytes)
6.2.4. Master Cards related sections
a. Specifying a new configuration for future Master Cards
The “tpl5” section allows to update the card processing template reserved to
Master Cards. See paragraph 6.4.1 for details.
[tpl5]
aut=E0
xx...xx
; 16-byte authentication key
This 16-byte authentication key in the “tpl5” section is
the one that will be
written in the reader(s) by the Master Card.
It is not the key that will be used to create the Master Card itself.
b. Specifying configuration to be used by current Master Card
The “master” section defines how the Master Card shall be created. See
paragraph 6.4.2 for details.
[master]
aut=E0
xx...xx
; 16-byte authentication key
This 16-
byte authentication key in the “master” section is the one that will be
used to create the Master Card.
It has no impact on the key written in the reader(s).
PMA8N9P-BC
47 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
6.3. O
PERATION INSTRUCTIONS
Open Configuration files creator (cfgfilecreator.html) (on Windows :
Start Menu All Programs SpringCard Configuration Tools),
Create your configuration file and save it in the directory where
cfgfilecreator.exe is installed, for instance with the name siteconf.ini
(on Windows : C:\Program Files\SpringCard\SQ844P),
Open Configuration tools directory (on Windows : Start Menu All
Programs SpringCard Configuration Tools),
Plug and power-on your Prox’N’Roll PC/SC (or legacy),
Put a virgin Desfire card on the Prox’N’Roll PC/SC (or legacy),
Enter cfgfilecreator.exe –c siteconf.ini,
Wait until Master Card is written.
If the Desfire card is not virgin, the software will try to format it
(i.e. erase
the whole file structure with all the data) without prior notification.
Be sure to put on the reader only a virgin card, or an old Master Card to be
overwritten.
You’ve been warned…
6.4. C
HANGING AUTHENTICATION KEY FOR MASTER CARDS
All SpringCard products ship with the same out-of-
factory authentication key.
To secure their site, customers should replace the default key by their own key
before installing the readers.
SpringCard recommends to make (and keep) at least two distinct Master Cards
for each customer or site :
1st level Master Card alters only the authentication key (replace default
key by site specific key).
o All readers bought for this site shall be configured using this 1st
level Master Card as soon as they are received.
2nd level Master Card actually configures the reader (card processing
templates, output mode and format, and so on).
o It uses the site specific key for authentication, but doesn’t update
the key that is already inside the reader.
o The 2nd level Master Card shall be used during installation and
whenever you wish to change reader configuration.
PMA8N9P-BC
48 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
Note that more than one 2nd level Master Cards can be created (one for each
kind of output settings, one for each people in charge of installation…) whereas
only one 1st level Master Card should be created and be kept in a secure place26.
Be sure to remember the new authentication key you put in a reader. If
you forget the authentication key, and forget the pin-code (or define pincode to hFFFF), it will be impossible to change
reader configuration
again !
You’ve been warned…
6.4.1. Creating a first level Master Card
Create a configuration file (say, “master.ini”) with only those 4 lines :
[master]
; Master section is empty, we use SpringCard’s default keys
[tpl5]
aut=E0
xx...xx
where xx…xx is the site specific 16-byte authentication key27,
Put a virgin card on the Prox’N’Roll, label it “1st level Master Card”,
Enter cfgfilecreator.exe –c master.ini ,
Use this Master Card to write the new authentication key in the reader(s).
6.4.2. Creating a second level Master Card
Create a complete configuration file as seen earlier .
Terminate the file with those 4 lines :
[master]
aut=E0
xx...xx
[tpl5]
; Template 5 section is empty, we keep current keys in the reader
where xx…xx is the site specific 16-byte authentication key,
Put a virgin card on the Prox’N’Roll, label it “2nd level Master Card”,
Enter cfgfilecreator.exe –c siteconf.ini ,
Use this Master Card to write complete configuration in the reader(s).
26
That’s because 1st level Master Card has got the authentication key written in it, and anybody may
retrieve it using cfgfilecreator software, as the authentication key is only used to secure 2nd level
Master Cards and is not written in them.
27
This is key 0 inside Master Card application ; the key will be diversified using HMAC-MD5
algorithm, so the “E0” header is mandatory.
PMA8N9P-BC
49 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
6.5. R
EVERTING TO DEFAULT
Sometimes it is necessary to put reader back in “out-of-factory” configuration
(for instance when reader goes from one site to another). This is done easily by
erasing all tags from reader’s memory.
Create a configuration file (say, “factory.ini”) with only those 3 lines :
[master]
aut=E0
xx...xx
clear=1
where xx…xx is the site specific 16-byte authentication key
Put a virgin card on the Prox’N’Roll, label it “Erase all Master Card”,
Enter cfgfilecreator.exe –c factory.ini
Use this Master Card to put the reader(s) back in out-of-factory
configuration.
Erasing all the configuration tags is not really sufficient to put the reader(s)
back in out-of-
factory configuration, since Mifare keys stored in RC’s secure
EEPROM are not erased.
Just add an “rckeys” section, with dummy keys, to overwrite those keys.
PMA8N9P-BC
50 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
7. S
PECIFICATION OF MASTER CARDS
☺
This chapter is provided as a mean for security experts to evaluate the Master
Card architecture of SpringCard RFID Scanners.
Customers do not need to implement this part themselves, since
cfgfilecreator.exe
software is a convenient tool to create Master Cards. See
chapter 6 for details.
7.1. B
UILDING A MASTER CARD
The Master Card must be a Desfire 4k,
The reader tries to fetch configuration data from Desfire cards according to
the Master Card template specified in next paragraph. Data are protected by
an authentication key that may be changed on a per-customer or per-site
basis (i.e. Master Cards belonging to customer X will not work on customer
Y’s readers),
Before storing new settings in its non-volatile memory, the reader checks
that data comes with a valid digital signature. The signing key can’t be
changed, and is only known by SpringCard’s software. This ensure that only
data that has been pre-validated by a genuine software can be loaded in
reader’s non-volatile memory.
7.2. T
EMPLATE FOR MASTER CARDS
7.2.1. Location of data
Name Tag Description Size
LOC.MAS
h
53 Location of data in master cards. See table a below. 5
a. Data location bytes
Offset Length
Content Specified value
0 3 Application IDentifier (AID).
h
504143
3 1 File IDentifier (FID) for configuration data.
h
01
4 1 File IDentifier (FID) for digital signature.
h
02
PMA8N9P-BC
51 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
7.2.2. Authentication key
Out-of-factory key used for authentication of Master Cards is confidential.
Only SpringCard genuine software –such as cfgfilecreator.exe–
is able to
create Master Cards with the default authentication key.
To secure their installation, customers should replace this key as soon as they
receive the readers, as explained in 6.4 .
This is the same structure as AUT.DFR .
Name Tag Description Size
AUT.MAS
h
55 Authentication key. See table a below. 17
a. Authentication key bytes
Offset Length Content
0 1 Authentication key index and options. See table b below.
1 16 Authentication key for Master Cards (this is 3-DES key).
b. Authentication key index and options
Bit Value
Meaning
7 – 6
00
01
10
11
Communication mode in read operation
Plain
MACed with session key
RFU
Enciphered with session key
5 – 4
00
01
10
11
Key diversification algorithm
Use the key “as is”
Diversify the key using Desfire SAM algorithm
Diversify the key using HMAC-MD5 algorithm
RFU
3 – 0
0000
to
1110
1111
Index of key in Desfire application
Index of the key to be used for authentication
RFU
Specified value : hE0 (key 0, HMAC-MD5 diversification, ciphered reading)
PMA8N9P-BC
52 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
7.2.3. Signing key
Name Tag Description Size
SGN.MAS
h
56 Signing key. See table a below. 17
Key used for digital signature of master cards is confidential.
Only SpringCard genuine software –such as cfgfilecreator.exe–
is able to
sign the Master Cards28.
Customers shall not try to change this parameter, unless advised to by
SpringCard.
a. Signing key bytes
Offset Length Content
0 1 Index and options. See table b below.
1 16 Key data (this is 128-bits key).
b. Signing key index and options
Bit Value
Meaning
7 – 6
00 Those bits are RFU and must be 00
5 – 4
00
01
10
11
Key diversification algorithm
Use the key “as is”
Diversify the key using Desfire SAM algorithm
Diversify the key using HMAC-MD5 algorithm
RFU
3 – 0
0000 Those bits are RFU and must be 00
Specified value : h20 (HMAC-MD5 diversification)
7.3. D
ATA STRUCTURE
7.3.1. Size of file
File holding configuration data and Mifare keys (offset 3 in LOC.MAS) must be
exactly 512-byte long. In case used size is shorter than 512 bytes, file must be
padded with h00.
7.3.2. Configuration data
The configuration data block uses the T,L,V (tag, length, value) encoding
scheme.
Tag is 1 byte-wide,
Len is 1 byte-wide,
Value is 0 to 24 byte-wide.
28
This choice has been done to ensure that data inside the Master Card have been pre-validated
according to reader specifications, and have not been corrupted afterwards.
PMA8N9P-BC
53 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
Items found in T,L,V blocks will overwrite data with the same tag already present
in reader’s non-volatile memory.
Set Len = 0 to delete an existing tag from the non-volatile memory, without
replacing it.
Last T,L,V of the configuration data block must be the (valid) signature of the
whole block, according to the HMAC-MD5 digital signature algorithm specified in
next chapter.
7.3.3. Mifare keys to be loaded into RC’s secure EEPROM
Keys to be loaded into RC’s secure EEPROM use the T,L,V scheme, as follow :
Tag (1 byte) = h80 + key index (see chapter “Mifare Classic Card Acceptance
Template”),
Len (1 byte) = h06,
Value is the Mifare key (6 bytes exactly).
7.4. D
IGITAL SIGNATURE
7.4.1. Size of file
File holding the signature (offset 4 in LOC.MAS) must be exactly 16-byte long.
7.4.2. Algorithm
This is the signature algorithm when default parameters in SGN.KEY are used :
Let Content be the 512-byte configuration block as written in the card29,
Let SignKey be the 16-byte key,
Diversify SignKey from card’s UID, using HMAC-MD5 diversification
algorithm30 to get DivKey,
Compute Sign = HMAC-MD5 (Block) using DivKey 31.
The value of SignKey is confidential. Customers shall not try to change the key,
nor the signature algorithm.
29
This is the configuration data plus the Mifare keys to be loaded into RC’s secure EEPROM. Total size
is up to 512 bytes. Note that signature is computed over the whole file, including its padding,
whatever the used length is.
30
See next chapter “Security algorithms”
31
See next chapter “Security algorithms”
PMA8N9P-BC
54 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
8. S
ECURITY ALGORITHMS
8.1. HMAC
SIGNATURE AND KEY DIVERSIFICATION
8.1.1. Abstracts
A message authentication code, or MAC, is a short piece of information used to
authenticate a message. A MAC algorithm accepts as input a secret key and a
message, and outputs a MAC that protects both message’s integrity and
authenticity.
An HMAC (or keyed-hash message authentication code) is a type of MAC function
were a cryptographic hash function is used to compute the output.
a. HMAC algorithm
Where h is the hash function, K is the secret key padded with extra zeros up to
64 bytes, m is the message to be authenticated. opad is the value h5C repeated
64 times, and ipad the value h36 repeated 64 times.
b. HMAC-MD5
HMAC-MD5 is a particular HMAC function where h is the MD5 standard function,
as defined by RSA laboratories. Size of HMAC is 16 bytes exactly.
In the SpringCard RFID Scanners family, we use HMAC-MD5 for both
signature and key diversification.
8.1.2. HMAC-MD5 for digital signature
HMAC protects both message’s integrity and authenticity, so it can be considered
as a digital signature32.
IWM implementation allows only 16-byte keys. The key can be used “as is” or be
the result of a diversification from a master key.
8.1.3. HMAC-MD5 for key diversification
In this particular mode, we name K the “master key” and we compute the HMAC
over card’s identifier to establish a “diversified key” Ku.
32
Literature often reserve the name “digital signature” to public key schemes, where verifier doesn’t
need to know signer’s private key to verify the signature. HMAC is a scheme where signer and
verifier must share the same secret key.
PMA8N9P-BC
55 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
a. DES or Triple-DES key diversification
The algorithm takes as inputs :
A 16-byte master key (Km)
The card serial number (uid)33
It provides as output :
The 16-byte diversified key specific to this card (Ku).
HMAC
Km
uid
0-n
Ku
h
88
The diversified key can now be used either for Desfire authentication, or for
HMAC-MD5 signature.
b. Mifare key diversification
The algorithm takes as inputs :
A 16-byte master key (Km)
The 4-byte card serial number (uid)
The 1-byte block address (adr)
It provides as output :
The 6-byte Mifare key specific to the couple card + address (Ku).
HMAC
Km
uid
0-4h
88 adr
b
0
b
1
b
2
b
3
b
4
b
5
b
6
b
7
Ku
0
Ku
1
Ku
2
Ku
3
Ku
4
Ku
5
b
8
b
9
b
10
b
11
b
12
b
13
b
14
b
15
Note : the adr parameter is the either the sector number (not the block)
number) or fixed to h00, depending on the configuration in the Mifare Classic
Card Acceptance Template.
33
The UID is 7-byte long for a Desfire card, 4-byte long for a Mifare card. The same diversification
algorithm is usable whatever the length is.
PMA8N9P-BC
56 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
8.2. D
ESFIRE
SAM / RC171
KEY DIVERSIFICATION
8.2.1. DES or Triple DES key diversification
The key diversification algorithm described here is the one provided by Desfire
SAM. Please refer to the corresponding datasheet for details.
The algorithm takes as inputs :
A 16-byte Triple-DES master key (Km)34
The 7-byte card serial number (uid)
It provides as output :
The 16-byte diversified key specific to this card (Ku).
Here’s the flowchart :
Km
0-7
Km
8-16
TDES
or DES
uid
0
uid
1
uid
2
uid
3
uid
4
uid
5
uid
6
b
0
b
1
b
2
b
3
b
4
b
5
b
6
b
7
h
88
Km
Ku
0-7
Ku
8-16
TDES
or DES
The diversified key now be used for Desfire authentication.
8.2.2. Mifare key diversification
The Mifare diversification algorithm described here is provided both by Desfire
SAM and by NXP RC171 coprocessor. Please refer to the corresponding
datasheets for details.
a. Basis
The algorithm takes as inputs :
A 6-byte master key (Km)
A 16-byte Triple-DES diversification key (Kd)35
34
If both halves are equals, the key maps to a single DES key
35
If both halves are equals, the key maps to a single DES key
PMA8N9P-BC
57 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
The 1-byte block address (adr)
The 4-byte card serial number (uid)
It provides as output :
The 6-byte Mifare key specific to the couple card + address (Ku).
Here’s the flowchart :
uid
0
uid
1
uid
2
uid
3
Km
0
Km
1
Km
2
Km
3
Km
4
Km
5
adr
b
0
b
1
b
2
b
3
b
4
b
5
b
6
b
7
TDES
or DES
Kd
b
0
b
1
b
2
b
3
b
4
b
5
b
6
b
7
Ku
0
Ku
1
Ku
2
Ku
3
Ku
4
Ku
5
b. Diversification based on UID only
If this option is selected, the adr input parameter is fixed to h00 whatever the
block to be read is.
c. Diversification based on UID and address
If this option is selected, the adr input parameter is the Mifare sector number
(not the block).
Here’s an example with a Mifare 1k card :
Data is located on block 29,
Block 29 belongs to sector 7 (29 / 4),
The diversification algorithm will be fed with adr = 7.
Here’s an example with a Mifare 4k card :
Data is located on block 231,
Block 231 belongs to sector 38 (32 + (231-128) / 16),
The diversification algorithm will be fed with adr = 38.
PMA8N9P-BC
58 / 58
PROX'N'ROLL RFID SCANNER - Reference manual
SPRINGCARD, the SPRINGCARD logo, PRO ACTIVE and the PRO ACTIVE logo are registered trademarks of PRO ACTIVE SAS.
All other brand names, product names, or trademarks belong to their respective holders.
Information in this document is subject to change without notice. Reproduction without written permission of PRO ACTIVE is forbidden.
DISCLAIMER
This document is provided for informational purposes only and shall not be construed as a commercial offer, a
license, an advisory, fiduciary or professional relationship between PRO ACTIVE and you. No information provided
in this document shall be considered a substitute for your independent investigation.
The information provided in document may be related to products or services that are not available in your
country.
This document is provided "as is" and without warranty of any kind to the extent allowed by the applicable law.
While PRO ACTIVE will use reasonable efforts to provide reliable information, we don't warrant that this document
is free of inaccuracies, errors and/or omissions, or that its content is appropriate for your particular use or up to
date. PRO ACTIVE reserves the right to change the information at any time without notice.
PRO ACTIVE does not warrant any results derived from the use of the products described in this document. PRO
ACTIVE will not be liable for any indirect, consequential or incidental damages, including but not limited to lost
profits or revenues, business interruption, loss of data arising out of or in connection with the use, inability to use
or reliance on any product (either hardware or software) described in this document.
These products are not designed for use in life support appliances, devices, or systems where malfunction of these
product may result in personal injury. PRO ACTIVE customers using or selling these products for use in such
applications do so on their own risk and agree to fully indemnify PRO ACTIVE for any damages resulting from such
improper use or sale.
COPYRIGHT NOTICE
All information in this document is either public information or is the intellectual property of PRO ACTIVE and/or its
suppliers or partners.
You are free to view and print this document for your own use only. Those rights granted to you constitute a
license and not a transfer of title : you may not remove this copyright notice nor the proprietary notices contained
in this documents, and you are not allowed to publish or reproduce this document, either on the web or by any
mean, without written permission of PRO ACTIVE.
Copyright © PRO ACTIVE SAS 2009, all rights reserved.
EDITOR’S INFORMATION
PRO ACTIVE SAS company with a capital of 227 000 €
RCS EVRY B 429 665 482
Parc Gutenberg, 13 voie La Cardon
91120 Palaiseau – France
Loading...