STMicroelectronics ST25TV02K, ST25TV512 Datasheet
ST25TV02K ST25TV512
Datasheet
NFC Type 5 / RFID tag IC with up to 2-Kbit EEPROM, product identification and protection
Wafer
Product status link
ST25TV02K
ST25TV512
Features
Contactless interface
•Based on ISO/IEC 15693
•NFC Forum Type 5 tag certified by the NFC Forum
•Supports all ISO/IEC 15693 modulations, coding, subcarrier modes and data rates
•Custom Fast read access up to 53 Kbit/s
•Single and multiple block reads
•Single block writes
•Internal tuning capacitance: 23 pF, 99.7 pF
•Proprietary Inventory commands for speeding up the inventory process
Memory
•Up to 2 Kbits of EEPROM
•RF interface accesses blocks of four bytes
•Write time from RF: typical 5 ms for one block
•Data retention: 60 years
•Minimum endurance: 100 k write cycles
•16-bit event counter with anti-tearing
Data protection
•User memory: two or three areas, read and/or write protected by two 32-bit encrypted passwords for three areas or one 64-bit encrypted password for two areas
•System configuration: write protected by a 32-bit encrypted password
•Permanent write locks at a block level
Product identification and protection
•Kill mode and untraceable mode
•Tamper detect capability (patent pending)
•TruST25 digital signature
•EAS (electronic article surveillance) capability
Privacy protection
•Consumer privacy can be protected through the following features:
–Kill mode
–Untraceable mode
•In association with:
–Passwords with cover coding
–Data and configuration locks (permanent or temporary)
Temperature range
•From - 40 to 85 °C
DS12074 - Rev 11 - February 2021 |
www.st.com |
For further information contact your local STMicroelectronics sales office. |
|
|
|
ST25TV02K ST25TV512
Package
•Sawn and bumped wafer, ECOPACK2 (RoHS compliant)
•5-pin package, ECOPACK2 (RoHS compliant)
Compatibility ST25TV02K / LRI2K
•Full compatibility in terms of functionality and capacitances with two exceptions:
–Kill command requires option_flag to be set to 0
–Error codes and error generation can be different on a per command basis
DS12074 - Rev 11 |
page 2/90 |
|
|
ST25TV02K ST25TV512
Description
1Description
ST25TV02K and ST25TV512 are NFC/RFID tag ICs with a tamper-proof feature, and specific modes to protect tag access, such as Untraceable mode.
These devices feature a digital signature used to prove the origin of the chip in cloning detection, embed a configurable EEPROM with 60-year data retention, and can be operated from a 13.56 MHz long-range RFID reader or an NFC phone.
The contactless interface is compatible with the ISO/IEC 15693 standard and NFC Forum Type 5 tag.
1.1ST25TV02K/512 block diagram (with tamper detect)
Figure 1. ST25TV02K/512 (with tamper detect) block diagram
|
|
|
|
|
|
|
|
|
EEPROM |
|
||
|
|
|
|
|
ISO 15693 |
|
|
xxx-bit |
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
256 bits |
|
|
|
|
|
|
|
|
|
|
|
|
(EAS) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
RF Tag |
|
|
|
|
|
256 bits |
|
|
||
|
|
|
Long Range |
|
|
|
signature |
|
|
|||
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2x32-bit password |
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
TD(1) |
|
|
|
|
||
|
|
|
|
|
(tamper detect) |
|
||||||
|
|
|
|
|
|
|
|
|
|
|||
|
1. tamper detect is optional. |
|
|
|
|
|||||||
|
|
|
|
|
Table 1. Signal names |
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
||||
Signal name |
|
|
|
Function |
|
|
|
Direction |
||||
|
|
|
|
|
|
|
||||||
AC0 |
|
Antenna coil |
|
|
|
I/O |
||||||
|
|
|
|
|
|
|
||||||
AC1 |
|
Antenna coil |
|
|
|
I/O |
||||||
|
|
|
|
|
|
|
||||||
TD0 |
|
Tamper detect loop |
|
|
|
I/O |
||||||
|
|
|
|
|
|
|
||||||
TD1 |
|
Tamper detect loop |
|
|
|
I/O |
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
DS12074 - Rev 11 |
page 3/90 |
|
|
ST25TV02K ST25TV512
ST25TV02K/512 block diagram (with tamper detect)
Figure 2. DFN5 package connections diagram (with tamper detect)
TD0 |
1 |
|
ABCD |
5 TD1 |
5 |
|
|
|
|
|
|
1 |
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
||||||
NC1 |
2 |
|
2 NC1 |
2 |
|
|
|
|
|
|
2 |
|
|
XYZW |
|
|
|
|
|
|
|||||
AC0 |
3 |
|
4 AC1 |
4 |
|
|
|
|
|
|
3 |
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|||||
|
|
|
Top view |
|
Bottom view |
|
||||||
|
|
(marking side) |
|
(pads side) |
|
|||||||
1: Not Connected
Figure 3. Die connections for sawn and bumped wafer (bottom view)
AC0 |
|
TD0 |
|
AC0 |
|
NC |
|
|
|
|
|
|
|
AC1 |
|
TD1 |
|
AC1 |
|
NC |
|
|
|
|
|
|
|
With tamper detect Without tamper detect
DS12074 - Rev 11 |
page 4/90 |
|
|
ST25TV02K ST25TV512
Description of signals
2Description of signals
2.1Antenna coil (AC0, AC1)
These inputs are used exclusively to connect the ST25TV02K/512 devices to an external coil. It is advised not to connect any other DC or AC path to AC0 or AC1.
When correctly tuned, the coil is used to power and access the device using the ISO/IEC 15693 and ISO 18000-3 mode 1 protocols.
2.2Tamper detect (TD0, TD1)
These inputs are used to connect a wire loop to the ST25TV02K/512 devices to detect an open or a short between the two pins TD0, TD1.
DS12074 - Rev 11 |
page 5/90 |
|
|
ST25TV02K ST25TV512
Power management
3Power management
3.1Device set
To ensure a proper boot of the RF circuitry, the RF field must be turned ON without any modulation for a minimum period of time tboot_RF. Before this time, ST25TV02K/512 ignores all received RF commands. (See Figure 4. RF power-up sequence).
Figure 4. RF power-up sequence
|
|
|
RF interface ready |
|
||
|
RFfield |
None Access |
RF REQUEST |
|
|
|
|
|
RF ANSWER |
|
|||
|
|
|
|
|||
|
|
Allowed RF |
|
|
||
|
|
|
|
|
|
|
Power-up |
|
tboot_RF |
|
|
|
|
by RF |
|
|
|
|
|
|
Vint_supply |
|
|
|
|
|
|
3.2Device reset
To ensure a proper reset of the RF circuitry, the RF field must be turned off (100% modulation) for a minimum tRF_OFF period of time.
DS12074 - Rev 11 |
page 6/90 |
|
|
ST25TV02K ST25TV512
Memory management
4Memory management
4.1Memory organization overview
The ST25TV02K/512 memory is divided in two main memory areas:
•User memory
•System configuration area
The ST25TV02K/512 user memory can be divided into two or three user areas. Area 0 starts at address 0, it has 1 block size, it is always readable, and it can be locked.
The rest of the user memory can be either configured as one single area (Area 1) and can be read - and/or - write-protected with one 64-bit password, or configured as two areas (Area 1 and Area 2), which can be
individually read - and/or - write-protected with a 32-bit password each. When Area 2 exists, Area 2 starts at the block number corresponding to half the user memory.
Furthermore, each block can be locked permanently and individually for larger flexibility in number of areas
The ST25TV02K/512 system configuration area contains registers to configure all ST25TV02K/512 features, which can be tuned by user. Its access is protected by a 32 bit configuration password.
This system configuration area also includes read only device information such as IC reference, memory size, as well as a 64-bit block that is used to store the 64-bit unique identifier (UID), the AFI (default 00h) and DSFID
(default 00h) registers, the TruST25™ digital signature. The UID is compliant with the ISO 15693 description, and its value is used during the anticollision sequence (Inventory). The UID value is written by ST on the production line. The AFI register stores the application family identifier. The DSFID register stores the data storage family identifier used in the anticollision algorithm.
The system configuration area includes blocks that store up to two RF user area access passwords and a RF configuration password.
Figure 5. Memory organization
Area 0: |
|
Area 0: |
1 block (always readable) |
1 block (always readable) |
|
|
|
|
User memory |
Area 1 |
|
||
|
|
|
|
|
(EEPROM up |
|
|
Half user |
Area 1 |
to 2-Kbits) |
|
|
||
|
|
|
||
Password |
|
|
memory |
|
|
|
|
|
|
protected |
|
|
|
|
Area 2
Note: Each block can be individually locked
DS12074 - Rev 11 |
page 7/90 |
|
|
ST25TV02K ST25TV512
User memory
4.2User memory
User memory is addressed as blocks of 4 bytes, starting at address 0. Table 2. 2Kb user memory as seen by RF shows how memory is seen from RF interface.
Table 2. 2Kb user memory as seen by RF
RF command |
|
|
User memory |
|
|
(block addressing) |
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
RF block 00h |
|
|
|
|
|
|
|
|
|
|
|
Byte |
Byte |
|
Byte |
Byte |
|
0003h |
0002h |
|
0001h |
0000h |
|
|
|
|
|
|
Read Single Block |
RF block 01h |
|
|
|
|
Read Multiple Blocks |
Byte |
Byte |
|
Byte |
Byte |
Fast Read Single Block |
0007h |
0006h |
|
0005h |
0004h |
|
|
|
|
|
|
Fast Read Multiple Blocks |
RF block 02h |
|
|
|
|
Write Single Block |
|
|
|
|
|
Byte |
Byte |
|
Byte |
Byte |
|
Inventory Read |
0011h |
0010h |
|
0009h |
0008h |
Fast Inventory Read |
|
|
|
|
|
.... |
|
|
|
|
|
|
|
|
|
|
|
|
RF block 3Fh |
|
|
|
|
|
|
|
|
|
|
|
Byte |
Byte |
|
Byte |
Byte |
|
03FFh |
03FEh |
|
03FDh |
03FCh |
|
|
|
|
|
|
4.2.1User memory areas
The user memory can be split into two or three different areas as showed in Table 3. Memory Organization
Table 3. Memory Organization
Part Number |
|
Three areas configuration |
Two areas configuration |
|||
Area 0 |
Area 1 |
Area 2 |
Area 0 |
Area 1 |
||
|
||||||
|
|
|
|
|
|
|
ST25TV512 |
Block 0 |
Block 1 to 7 |
Block 8 to 15 |
Block 0 |
Block 1 to 15 |
|
|
|
|
|
|
|
|
ST25TV02K |
Block 0 |
Block 1 to 31 |
Block 32 to 63 |
Block 0 |
Block 1 to 63 |
|
|
|
|
|
|
|
|
Each area has a distinct access privilege as explained below:
•Area 0 is always readable. It can be locked.
•Areas 1 and 2 can be protected in read and/or write access by password.
Each block of Areas 1 and 2 can be individually locked (see Section 5.2 Data protection).
4.3System configuration area
In addition to the user memory, the ST25TV02K/512 include a set of registers located in the system configuration area memory (EEPROM nonvolatile registers). These registers are set during device configuration (i.e.: area extension), or by the application (i.e.: area protection)., their content is read during the boot sequence and defines basic ST25TV02K/512 behaviour.
The registers located in the system configuration area can be accessed via dedicated Read Configuration and Write Configuration commands, with a pointer acting as the register address.
The configuration security session must first be open, by presenting a valid configuration password, to grant write access to system configuration registers.
Table 4 shows the complete map of the system configuration area.
DS12074 - Rev 11 |
page 8/90 |
|
|
ST25TV02K ST25TV512
System configuration area
Table 4. System configuration memory map accessible through write_cfg and read_cfg commands
RF access |
|
|
Static Register |
||
Address |
Type |
|
Name |
|
Function |
00h |
RW (1) |
Table 8. A1SS |
|
Area 1 access protection |
|
01h |
RW(1) |
Table 9. A2SS |
|
Area 2 access protection |
|
02h |
RW(1) |
Table 17. EAS_SEC |
|
EAS Security |
|
03h |
RW(1) |
Table 22. |
CNT_CFG |
|
Counter Configuration |
04h |
RO |
Table 23. |
CNT_VAL |
|
Counter Value |
|
|
|
|
|
|
05h |
RO |
Table 24. TAMPER_DETECT |
|
Tamper Detect |
|
|
|
|
|
|
|
06h |
RW(1) |
Table 10. |
LOCK_CFG |
|
Configuration locked |
07h |
RO |
Table 21. |
KID |
|
Key identifier |
|
|
|
|
|
|
1.Write access is granted if RF configuration security session is open and configuration is not locked (LOCK_CFG register equals to 0).
Table 5. System configuration memory map for registers accessed through dedicated commands
RF access |
|
|
Static Register |
|
Address |
Type |
|
Name |
Function |
|
|
|
|
|
N/A |
WO (1) |
Table 25. LOCK_DSFID |
DSFID lock status |
|
N/A |
WO (2) |
Table 26. LOCK_AFI |
AFI lock status |
|
N/A |
WO(1) |
Table 27. DSFID |
DSFID value |
|
N/A |
WO(2) |
Table 28. AFI |
AFI value |
|
N/A |
RO |
Table 29. IC_REF |
IC reference value |
|
|
|
|
|
|
N/A |
RO |
Table 30. |
UID |
Unique identifier, 8 bytes |
|
|
|
|
|
N/A |
WO (3) |
Table 7. PWD_KILL |
Kill or untraceable password, 4 bytes |
|
N/A |
WO (4) |
Table 12. |
PWD_A1 |
User Area 1 security session password, 4 bytes |
N/A |
WO(3) |
Table 13. |
PWD_A2 |
User Area 2 security session password, 4 bytes |
N/A |
WO(3) |
Table 11. PWD_CFG |
Configuration security session password, 4 bytes |
|
1.Write access if DSFID is not locked
2.Write access if AFI is not locked.
3.Write access only if not locked.
4.Write access only if corresponding security session is open.
DS12074 - Rev 11 |
page 9/90 |
|
|
ST25TV02K ST25TV512
ST25TV02K/512 specific features
5ST25TV02K/512 specific features
ST25TV02K/512 offer the data protection feature, both user memory and system configuration, a kill mode, and a untraceable mode.
Those features can be programmed by setting registers of the ST25TV02K/512. ST25TV02K/512 can be partially customized using configuration registers located in the EEPROM system area.
These registers are dedicated to:
•Data Memory organization and protection AiSS, LOCK_BLOCK.
•Kill mode, KILL
•The device’s structure LOCK_CFG
•Electronic Article Surveillance (EAS)
•TruST25™ digital signature
•Counter
•Tamper Detect
•Random Number generation
•Untraceable mode
A set of additional registers allows to identify and customize the product (DSFID, AFI, IC_REF, etc.).
Dedicated commands Read Configuration and Write Configuration must be used to access the configuration registers. Update is only possible when the access right has been granted by presenting the configuration password (PWD_CFG), and if the system configuration was not previously locked (LOCK_CFG=1).
After any valid write access to the configuration registers, the new configuration is immediately applied.
5.1Kill mode
5.1.1Kill registers
Table 6. KILL
RF |
Command |
Kill (cmd code A6h) UID @00h |
|
|
|
|
|
Type |
WO if PWD_KILL is correctly presented in the Kill command. |
|
|
|
|
||
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
N/A |
KILL_MUTE |
Status of the KILL feature |
Inactive |
|
|
|
|
Table 7. PWD_KILL
|
RF |
Command |
Write pswd (cmd code B1h) with pswd_id = 0h |
|
|
|
|
|
|
|
Type |
WO: only possible if PWD_KILL is not locked. |
|
|
|
|
|
||
|
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
b31-b0 |
KILL_PSWD |
Password value for kill feature or untraceable mode |
00000000h |
|
|
|
|
|
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands . |
|||
DS12074 - Rev 11 |
page 10/90 |
|
|
ST25TV02K ST25TV512
Data protection
5.1.2Kill mode description
KILL register allows the user to permanently kill the ST25TV02K/512 tag. Two working modes are offered by ST25TV02K/512:
•Kill mute mode:
–When KILL_MUTE is set with the Kill command code, the ST25TV02K/512 are killed. They can not be read or written and stays mute to any request. Kill mute mode is definitive.
•Normal mode:
–In normal usage, KILL_MUTE is set to 0, ST25TV02K/512 will process the request and respond accordingly.
The Kill Password PWD_KILL must be presented in the Kill command for setting the Kill Mute mode.
Kill Password lock
By default, the Kill password is not write protected. The kill password can be locked with Lock kill (cmd code B2h). For safe operation, it is recommended to change the default value of the Kill Password and lock it even if not used in the final product
When not used in an end application, a random value should be written into the KILL_PWD and the KILL_PWD should be locked with Lock kill.
5.2Data protection
ST25TV02K/512 provide a special data protection mechanism based on encrypted passwords that unlock security sessions.
User memory can be protected for read and/or write access and system configuration can be protected from write access. User memory can also be permanently locked. Each block can be independently locked from each other with the Lock block command (refer to Section 6.4.8 Lock block).
5.2.1Data protection registers
Table 8. A1SS
|
Command |
Read Configuration (cmd code A0h) @00h |
|
|
RF |
Write Configuration (cmd code A1h) @00h |
|
||
|
|
|||
|
|
|
|
|
|
Type |
R always, W if configuration security session is open and configuration not locked |
||
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
|
|
Area 1 access rights: |
|
|
|
|
00: Area 1 access: Read is always allowed / Write always allowed |
|
|
|
|
01: Area 1 access: Read is always allowed and if user security |
|
|
|
|
session is open (i.e. the proper area 1 password has been presented), |
|
|
b1-b0 |
RW_PROTECTION_A1 |
write is allowed. |
00b |
|
10: Area 1 access: Read and Write are allowed only if user security |
||||
|
|
|
||
|
|
session is open (the proper area 1 password has been presented). |
|
|
|
|
11: Area 1 access: Read is allowed only if user security session is |
|
|
|
|
open (the proper area 1 password has been presented). Write is |
|
|
|
|
always forbidden. |
|
|
|
|
|
|
|
b2 |
MEM_ORG |
0: memory is split in three areas (Areas 0, 1 and 2) |
1b |
|
1: memory is composed of two areas (Areas 0 and 1) |
||||
|
|
|
||
|
|
|
|
|
b7-b3 |
RFU |
- |
00000b |
|
|
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands |
|||
DS12074 - Rev 11 |
page 11/90 |
|
|
|
|
ST25TV02K ST25TV512 |
||
|
|
|
Data protection |
|
|
|
|
|
|
|
|
Table 9. A2SS |
|
|
|
|
|
|
|
|
Command |
Read Configuration (cmd code A0h) @01h |
|
|
RF |
Write Configuration (cmd code A1h) @01h |
|
||
|
|
|||
|
|
|
|
|
|
Type |
R always, W if configuration security session is open and configuration not locked |
||
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
|
|
Area 2 access rights: |
|
|
|
|
00: Area 2 access: Read and write are always allowed |
|
|
|
|
01: Area 2 access: Read is always allowed, and if the user |
|
|
|
|
security session is open (i.e. the proper Area 2 password has been |
|
|
b1-b0 |
RW_PROTECTION_A2 |
presented), then write is allowed. |
00b |
|
10: Area 2 access: Read and Write are allowed only if the user |
||||
|
|
|
||
|
|
security session is open (the proper Area 2 password has been |
|
|
|
|
presented) |
|
|
|
|
11: Area 2 access: Read is allowed only if user security session is |
|
|
|
|
open (the proper Area 2 password has been presented). Write is |
|
|
|
|
always forbidden. |
|
|
|
|
|
|
|
b7-b2 |
RFU |
- |
000000b |
|
|
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands |
|||
|
|
Table 10. LOCK_CFG |
|
|
|
|
|
|
|
|
Command |
Read Configuration (cmd code A0h) @06h |
|
|
|
Write Configuration (cmd code A1h) @06h |
|
||
|
|
|
||
RF |
|
|
|
|
|
R: always possible |
|
||
|
|
|
||
|
Type |
W: if RF configuration security session is open (configuration password has been presented |
||
|
|
before) and configuration not locked |
|
|
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
|
|
0: Configuration is unlocked (configuration registers can be written) |
|
|
b0 |
LCK_CFG |
1: Configuration is locked (configuration registers are definitively |
0b |
|
|
|
locked) |
|
|
|
|
|
|
|
b7-b1 |
RFU |
- |
0000000b |
|
|
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands |
|||
|
|
Table 11. PWD_CFG |
|
|
|
|
|
|
|
|
Command |
Write pswd (cmd code B1h) with pswd_id = 3h |
|
|
|
|
|
||
RF |
Type |
WO: if RF configuration security session is open (configuration password has been presented |
||
|
before). If the configuration is locked, and the EAS configuration is protected by password, the |
|||
|
|
new PWD_CFG value is only applicable to the EAS configuration. |
|
|
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
b31-b0 |
CFG_PSWD |
Password value for configuration area |
00000000h |
|
|
|
|
|
|
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands |
|||
DS12074 - Rev 11 |
page 12/90 |
|
|
|
|
ST25TV02K ST25TV512 |
||
|
|
|
Data protection |
|
|
|
|
|
|
|
|
Table 12. PWD_A1 |
|
|
|
|
|
|
|
RF |
Command |
Write pswd (cmd code B1h) with pswd_id = 1h |
|
|
|
|
|
||
Type |
WO: if RF area 1 security session is open (area 1 password has been presented before). |
|||
|
||||
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
|
|
When MEM_ORG=0: Password value for user area 1 |
|
|
b31-b0 |
A1_PSWD |
When MEM_ORG=1: 32 least significant bits of the 64-bit Password |
00000000h |
|
|
|
value for user area 1 |
|
|
|
|
|
|
|
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands |
|||
|
|
Table 13. PWD_A2 |
|
|
|
|
|
|
|
|
Command |
Write pswd (cmd code B1h) with pswd_id = 2h |
|
|
RF |
|
|
|
|
Type |
WO: if RF area 2 security session is open (area 2 password has been presented before). Only |
|||
|
||||
|
applicable to the case of MEMORG=0 |
|
||
|
|
|
||
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
|
|
When MEM_ORG=0: Password value for user area 2 in case of three |
|
|
|
|
area memory setup |
|
|
b31-b0 |
A2_PSWD |
When MEM_ORG=1: 32 most significant bits of area 1 password in |
00000000h |
|
|
|
case of two area memory setup |
|
|
|
|
(in this last case area 1 password is 64-bit long) |
|
|
|
|
|
|
|
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands . |
|||
5.2.2Passwords and security sessions
ST25TV02K/512 provide protection of user memory and system configuration registers. The users can access those protected data by opening security sessions with the help of passwords. Access rights are more restricted when security sessions are closed, and less restricted when security sessions are open.
There are two types of security sessions, as shown in Table 14:
Table 14. Security session type
Security session |
Open by presenting |
Right granted when security session is open, and until it is |
|
closed |
|||
|
|
||
|
|
|
|
user |
password Area 1, Area 2 |
user access to protect user memory as defined in AiSS registers |
|
(PWD_A1, PWD_A2) |
user write access to password A1 or A2(1) |
||
|
|||
configuration |
Configuration password |
user write access to configuration registers |
|
(PWD_CFG) |
|||
|
|
||
|
|
|
1. Write access to the password number corresponding to the password number presented.
In a three areas set up (MEM_ORG set at 0), each of the User Area 1 and 2 passwords is 32-bits long, and default factory passwords value is 00000000h.
In a two areas setup (MEM_ORG set at 1), User Area 1 password is 64-bits long, and default factory password value is 0000000000000000h.
The ST25TV02K/512 passwords management is organized around dedicated set of commands to access the dedicated registers in system configuration area.
The dedicated password commands are:
• |
Write Password command (code B1h): See Section 6.4.20 Write Password. |
• |
Present Password command (code B3h): See Section 6.4.21 Present Password |
User possible actions for security sessions are:
DS12074 - Rev 11 |
page 13/90 |
|
|
ST25TV02K ST25TV512
Data protection
•Open user security session: Present Password command, with password identifier 1 for PWD_A1 and 2 for PWD_A2 for three areas configuration or identifier 1 for PWD_A1 for two areas configuration, and the valid corresponding password
•Write password:
–When MEMORG=0:
Present Password command, with password identifier 1 for PWD_A1 and 2 for PWD_A2 and the current valid corresponding password. Then Write Password command, with same password number (1 or 2) and the new corresponding password.
–When MEMORG=1:
present PWD_A1 (64 bits), then Write Password command with PWD_A1 and then PWD_A2
•Close user security session: Present Password command, with a different password number than the one used to open session or any wrong password. Or remove tag from RF field (POR).
•Open configuration security session: Present Password command, with password number 3 and the valid password PWD_CFG.
•Close configuration security session: Present Password command, with a password number different than 3, or password number 3 and wrong password PWD_CFG. Or remove tag from field (POR).
Opening any new security session (user or configuration) automatically close the previously open one (even if it fails).
Figure 6. Security sessions management
Present any password not OK
ST25TVxxx out of RF field
Field ON |
Field OFF |
|
All security |
Any other |
sessions |
command |
closed |
Present
PWD_x OK
|
|
|
|
|
|
|
|
Security |
|||
|
|
|
|
|
|
|
|
||||
Any other |
|
|
|
|
|
|
session x |
||||
|
|
|
|
|
|
opened |
|||||
command |
|
|
|
|
|
|
(y closed) |
|
|||
|
|
|
|
|
|
|
|||||
Present |
|
|
|
Present |
|||||||
|
|
|
|||||||||
PWD_x OK |
|
|
PWD_y OK |
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Security |
|||
|
|
|
|
|
|
|
|
||||
Any other |
|
|
|
|
|
|
|
session y |
|||
|
|
|
|
|
|
|
opened |
|
|||
command |
|
|
|
|
|
|
|
(x closed) |
|||
|
|
|
|
||||||||
DS12074 - Rev 11 |
page 14/90 |
|
|
ST25TV02K ST25TV512
Data protection
5.2.3User memory protection
On factory delivery, areas are not protected.
Each area can be individually protected in read and/or write access. Area 0 is always readable.
Furthermore, Area 0 can be independently write locked.
Each memory area can also have individual Read/Write access conditions. For each area 1 and 2, an AiSS register is used to:
• Select the protection against read and write operations for this area
(See Table 8. A1SS, and Table 9. A2SS for details about available read and write protections).
When updating AiSS registers, the new protection value is effective immediately after the register write completion.
•Block 0 is an exception to this protection mechanism:
–Block 0 can be individually write locked by issuing a Lock Single Block command. Once locked, it cannot be unlock.
–User needs no password to lock block 0.
–Locking block 0 is possible even if the configuration is locked (LOCK_CFG=1).
–Unlocking Area 1 (through A1SS register) does not unlock block 0 if it has been locked though Lock Block command.
–Once locked, the user cannot unlock block 0.
•Other blocks can be individually locked.
Retrieve the security status of a user memory block or byte
User can read a block security status by issuing following commands:
•Get Multiple Blocks Security Status command
•(Fast) Read Single Block with option flag set to 1
•(Fast) Read Multiple Blocks with option flag set to 1
•(Fast) Inventory Read
ST25TV02K/512 responds with a Block security status containing a Lock_bit flag as specified in ISO 15693 standard. This lock_bit flag is set to 1 if block is locked against write.
Lock_bit flag value may vary if corresponding user security session is open or closed.
5.2.4System memory protection
By default, the system memory is write protected, except the kill password and the EAS settings.
Th system memory consists of all the registers defined in Table 4. System configuration memory map accessible through write_cfg and read_cfg commands. Some registers are read-only and can never be written.
To enable write access to system configuration registers, which have write capability, user must open the configuration security session (by presenting a valid password 3) and system configuration must not be locked (LOCK_CFG=00h).
By default, user can read all system configuration registers, except all passwords, LOCK_DSFID and LOCK_AFI. Configuration lock:
•Write access to system configuration registers can be locked by writing 01h in the LOCK_CFG register.
•User cannot unlock system configuration if LOCK_CFG=01h, even after opening configuration security session (Lock is definitive).
•When system configuration is locked (LOCK_CFG=01h), it is still possible to change passwords (0 to 3).
Device identification registers:
•AFI and DFSID registers can be independently locked by user, issuing respectively a Lock AFI and a Lock DSFID command. Lock is definitive: once locked, AFI and DSFID registers cannot be unlocked.
•Other device identification registers (MEM_SIZE, BLK_SIZE, IC_REF, UID) are read only registers.
DS12074 - Rev 11 |
page 15/90 |
|
|
ST25TV02K ST25TV512
Untraceable mode
5.3Untraceable mode
5.3.1Untraceable mode register
|
|
|
Table 15. Untraceable mode register |
|
|
|
|
|
|
|
|
|
|
Command |
|
Enable untraceable mode (cmd code BAh) with pswd_id = 0h |
|
|
RF |
|
|
|
|
|
Type |
|
WO : only possible if untraceable mode password has been written before, always |
||
|
|
|
|||
|
|
|
writable otherwise |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Bit |
Name |
|
Function |
Factory value |
|
|
|
|
|
|
|
b31-b0 |
UNTRACEABLE |
|
Password value for feature untraceable mode |
00000000h |
|
_MODE_PSWD |
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
||||
|
untraceable mode register. |
|
|
|
|
5.3.2Untraceable mode description
With the EnableUntraceableMode command, the ST25TV02K/512 do not respond to any command except Present Password and Get Random Number, guaranteeing the untraceability to customer requests.
The EnableUntraceableMode command requires the untraceable access code (fixed value) and the crypted untraceable mode password to be presented for ST25TV02K/512 to enter into this mode.
To get out of the mode, the valid crypted untraceable mode password has to be transmitted to ST25TV02K/512 with the Present password command. The crypted untraceable mode password is obtained from the random number and the untraceable mode password as explained in AN5103 "Password encryption for ST25TV512 and ST25TV02K devices", available on www.st.com. When not used in an end application, a random value must be written into the KILL_PWD password, and the KILL_PWD must be locked with Lock kill.
5.4Random number
5.4.1Random number register
Table 16. Random number register
|
RF |
Command |
Get random number (cmd code B4h) |
|
|
|
|
|
|
|
Type |
RO: is only possible with Get random number command. |
|
|
|
|
|
||
|
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
b15-b0 |
RANDOM_NUMBER |
16-bit random number generated by ST25TV02K/512 |
N/A |
|
|
|
|
|
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
|||
|
random number register. |
|
|
|
5.4.2Random number description
The GET_RANDOM_NUMBER returns a 16-bit random number.
DS12074 - Rev 11 |
page 16/90 |
|
|
ST25TV02K ST25TV512
Electronic article surveillance (EAS)
5.5Electronic article surveillance (EAS)
5.5.1EAS registers
|
|
Table 17. EAS_SEC |
|
|
|
|
|
|
Command |
Read Configuration (cmd code A0h) @02h |
|
|
Write Configuration (cmd code A1h) @02h |
|
|
|
|
|
|
|
|
|
|
|
|
R: always possible |
|
|
Type |
W: if RF configuration security session is open (the proper configuration password has been |
|
|
|
presented before) and configuration not locked |
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
EAS security write protection: |
|
|
|
0: EAS parameters are always writable |
|
b0 |
W_PROTECTION_EAS |
1: EAS parameters are write protected by configuration password. |
0b |
|
|
In case of lock_EAS command has been previously used, this bit is |
|
|
|
don’t care and EAS parameters are non-writable. |
|
|
|
|
|
b7-b1 |
RFU |
- |
0000000b |
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands for |
||
|
the AES security activation register. |
|
|
|
|
Table 18. EAS_TELEGRAM register |
|
|
|
|
|
|
|
Enable EAS (cmd code A5h) with option flag set to 0 |
|
|
Command |
Enable EAS (cmd code A5h) with option flag set to 1 and mask length ≠ 00h and EAS_ID |
|
|
Write Single (cmd code 21h) to Blocks [248 to 255] (1) |
|
|
|
|
|
|
RF |
|
Read Single blocks at @248 to 255 returns an error. |
|
|
|
|
|
|
|
R: possible with enable EAS command only if set EAS command has been presented before |
|
|
Type |
W: possible under conditions set in the EAS_SEC configuration register and EAS |
|
|
|
configuration not locked |
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
b255-b0 |
EAS_TELEGRAM |
Electronic article surveillance telegram. |
All bits = 0b |
|
|
|
|
1. Write Single Block at addresses 248 to 255 correspond to EAS blocks 1 to 8 respectively.
5.5.2EAS ID
Table 19. EAS_ID
|
Command |
Enable EAS (cmd code A5h) with option flag set to 1 and mask length set to 0h |
|
|
Write EAS ID (cmd code A7h) |
|
|
|
|
|
|
RF |
|
|
|
|
R: possible with enable EAS command only if set EAS command has been presented before |
||
|
|
||
|
Type |
W: possible under conditions set in the EAS_SEC configuration register and EAS |
|
|
|
configuration not locked |
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
b15-b0 |
EAS_ID |
Electronic article surveillance identifier value. |
0000h |
|
|
|
|
DS12074 - Rev 11 |
page 17/90 |
|
|
ST25TV02K ST25TV512
Electronic article surveillance (EAS)
5.5.3EAS configuration
|
|
Table 20. EAS_CFG |
|
|
|
|
|
|
|
Enable EAS (cmd code A5h) with option flag set to 1 and mask length ≠ 00h and EAS_ID, or |
|
|
Command |
with option flag set to 0 |
|
RF |
|
Write EAS config (cmd code A8h) |
|
|
|
|
|
|
Type |
WO: possible under conditions set in the EAS_SEC configuration register and configuration |
|
|
not locked |
|
|
|
|
|
|
|
|
|
|
Bit |
Name |
Function |
Factory value |
|
|
|
|
|
|
Electronic article surveillance identifier configuration: |
|
|
|
00: 256 bit payload (EAS block 1 to 8) |
|
b1-b0 |
EAS_CFG |
01: 128 bit payload (EAS block 1 to 4) |
00h |
|
|
10: 64 bit payload (EAS block 1 to 2) |
|
|
|
11: 32 bit payload (EAS block 1) |
|
|
|
|
|
b15-b2 |
RFU |
- |
000000b |
|
|
|
|
The EAS parameters (ID, Telegram, mode (set/reset) can be definitely locked with the Lock EAS command (refer to Section 6.4.27 Lock EAS).
5.5.4EAS description
The EAS (electronic article surveillance) feature is mainly used for library management, applications, requiring an anti-theft protection.
This is programmable and configured by custom commands and optionally protected by the configuration password (when programming EAS_SEC to 1) and can be locked.
A telegram can be stored using standard write command depending of its configured length (EAS block 1 – EAS Block 8).
The EAS feature can be activated, reset, locked using a set of custom commands (see Section 6.4.24 Set EAS, Section 6.4.25 Reset EAS, Section 6.4.26 Enable EAS, Section 6.4.27 Lock EAS, Section 6.4.28 Write EAS ID and Section 6.4.29 Write EAS CONFIG).
The EAS feature is reset (deactivated) by default.
DS12074 - Rev 11 |
page 18/90 |
|
|
ST25TV02K ST25TV512
Electronic article surveillance (EAS)
Figure 7. Nominal EAS operation
RF Reader |
ST25TV |
EAS – Normal
operation
Write Single (EAS, EAS block x)
Write EAS config
Optional
step
Write EAS ID
Set EAS
Lock EAS
Enable EAS (selective ID or none)
If selected: EAS ID or telegram
Reset EAS (if not locked)
EAS deactivated (reset)
Repeated based on EAS telegram size
EAS ready
EAS deactivated (reset)
By default, the EAS configuration (EAS telegram, EAS ID, EAS configuration, lock EAS, EAS mode) is not write protected.
The EAS configuration can be write protected by the configuration password (PWD_CFG) by writing 1b1 into the W_PROTECTION_EAS (EAS_SEC register). If W_PROTECTION_EAS bit is set, the EAS configuration can be changed only if the configuration password has been presented just before in the same RF session.
Write access to the EAS configuration can be locked by executing the lock_EAS command. User cannot unlock system configuration if the EAS configuration has already been locked earlier with the Lock_EAS command, even after opening configuration security session (Lock is definitive).
DS12074 - Rev 11 |
page 19/90 |
|
|
ST25TV02K ST25TV512
TruST25 digital signature
5.6TruST25 digital signature
ST25TV02K/512 support TruST25 digital signature, a feature that allows to verify the authenticity of the device, based on a unique digital signature.
TruST25 solution encompasses secure industrialization processes and tools deployed by STMicroelectronics to generate, store and check the signature in the device.
Table 21. KID
|
Command |
Read Cfg (cmd code A0h) @7h |
|
|
|
|
|
|
|
Bit |
Type |
RO |
|
|
|
|
|
|
|
|
Name |
Function |
Factory value |
|
|
|
|
|
|
b7-b0 |
KID |
Contains a key identifier used for TruST25 digital signature |
ST key number |
|
identification and possible revocation. |
||||
|
|
|
||
|
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands for |
|||
|
the KID register. |
|
|
|
5.7Counter
5.7.1Counter registers
Counter configuration
Table 22. CNT_CFG
|
Command |
Read Cfg (cmd code A0h) @3h |
|
|
|
Write Cfg (cmd code A1h) @3h |
|
||
|
|
|
||
|
|
|
|
|
Bit |
|
R: always possible |
|
|
Type |
W: if RF configuration security session is open (the proper configuration password has been |
|||
|
||||
|
|
presented before) and configuration not locked. |
|
|
|
|
|
|
|
|
Name |
Function |
Factory value |
|
|
|
|
|
|
|
|
Counter enable |
|
|
b0 |
CNT_EN |
0: counter is disabled |
0b |
|
1: counter is enabled on successful write operation (one increment |
||||
|
|
|
||
|
|
per RF session) |
|
|
|
|
|
|
|
|
|
Counter clear: |
|
|
b1 |
CNT_CLR |
0: don’t care |
0b |
|
1: counter is cleared and automatically disabled (CNT_EN is put to 0) |
||||
|
|
|
||
|
|
This bit is self-cleared |
|
|
|
|
|
|
|
b7-b2 |
RFU |
- |
000000b |
|
|
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands for |
|
|
the CNT_CFG register. |
|
|
Counter value |
|
|
|
Table 23. CNT_VAL |
|
|
|
Bit |
Command |
Read Cfg (cmd code A0h) @4h |
|
|
|
DS12074 - Rev 11 |
page 20/90 |
|
|
|
|
|
ST25TV02K ST25TV512 |
|
|
|
|
|
Inventory Read |
|
|
|
|
|
|
|
|
|
|
Bit |
Type |
RO |
|
|
|
|
|
|
|
|
Name |
Function |
|
Factory value |
|
|
|
|
|
b15-b0 |
CNT_VAL |
Counter value |
|
0h |
|
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands for |
|||
|
the CNT_VAL register. |
|
|
|
5.7.2Counter description
A 16 bits counter can track the write events on the NDEF file.
It benefits from an anti-tearing mechanism that ensures the consistency of the counter, even if there is an electrical problem during its increment.
The value of the counter (CNT_VAL) can be checked by any application, by reading the Counter register.
If enabled (when CNT_EN = 1), the Write counter will be incremented on first successful Write event which is performed in the user area, inside an RF session (an RF session is entered when ST25TV02K/512 receive
enough power from the RF field). After enabling the counter, the counter will not count until the next RF field on/off cycle.
The default configuration is with a counter disabled.
The counter cannot be locked. When the counter reach its maximum (216-1) the increment mechanism is blocked. The counter is cleared and automatically disabled when CNT_CLR is set to 1.
Apart from these procedures, there is no way to act on the value of this counter.
The Read/Write counter can be configured through the Counter Configuration register. This Counter Configuration register allows to:
•Enable or disable this counter (CNT_EN)
•Clear the counter (CNT_CLR)
The Counter Configuration register is protected by the configuration password.
5.8Inventory Read
ST25TV02K/512 have the ability to perform in a single command Inventory Read (Refer to
Section 6.4.37 Inventory read), an Inventory in accordance with the regular anticollision sequence followed by a Multiple Block Read, reducing the overall communication time. ST25TV02K/512 return the requested memory content if ST25TV02K/512 match the mask specified in the command.
When using the Fast Inventory Read (refer to Section 6.4.38 Fast inventory read), the response is twice the data rate.
5.9Inventory Initiated
ST25TV02K/512 provide a special feature to improve the inventory time response of moving tags using the Initiate_flag value. This flag, controlled by the Initiate command (refer to Section 6.4.36 Initiate), allows tags to answer to Inventory Initiated commands (refer to Section 6.4.35 Inventory Initiated).
For applications where multiple tags are moving in front of a reader, it is possible to miss tags using the standard inventory command. The reason is that the inventory sequence has to be performed on a global tree search. For example, a tag with a particular UID value may have to wait the run of a long tree search before being inventoried. If the delay is too long, the tag may be out of the field before it has been detected.
Using the Initiate command, the inventory sequence is optimized. When multiple tags are moving in front of a reader, the ones which are within the reader field will be initiated by the Initiate command. In this case, a small batch of tags will answer to the Inventory Initiated command which will optimize the time necessary to identify all the tags. When finished, the reader has to issue a new Initiate command in order to initiate a new small batch of tags which are new inside the reader field.
It is also possible to reduce the inventory sequence time using the Fast Initiate (refer to Section 6.4.34 Fast Initiate), and Fast Inventory Initiated commands (refer to Section 6.4.33 Fast Inventory Initiated). These commands allow the ST25TV02K/512 to increase their response data rate by a factor of 2, up to 53 kbit/s.
DS12074 - Rev 11 |
page 21/90 |
|
|
ST25TV02K ST25TV512
Tamper detect
5.10Tamper detect
5.10.1Tamper detect register
Tamper detection
Table 24. TAMPER_DETECT
|
Command |
Read Cfg (cmd code A0h) @5h |
|
|
|
|
|
Bit |
Type |
RO |
|
|
|
|
|
|
Name |
Function |
Factory value |
|
|
|
|
|
|
State of Tamper: |
|
b0 |
TAMPER_DETECT |
0: loop is open. Tamper is detected |
0b |
|
|
1: loop is closed. No tamper is detected |
|
|
|
|
|
b7-b1 |
RFU |
- |
000000b |
|
|
|
|
Note: |
Refer to Table 4. System configuration memory map accessible through write_cfg and read_cfg commands for |
||
|
the TAMPER_DETECT register. |
|
|
5.10.2Tamper detection description
The Tamper detection allows to check the shortage between the 2 TD0 and TD1 pins of the ST25TV02K/512.
This state TAMPER_DETECT is captured by ST25TV02K/512 each time that the ST25TV02K/512 are powered and available upon demand by the reader using the Read Cfg command with CFG_ID 5. (Tamper detection) This information will be lost during power off. (No permanent storage of the status.)
This is the customer responsibility to check the register status and behave accordingly. The short impedance should be less than 50 Ω.
The tamper detect feature is available for the ST25TV02K/512-AD devices only. On other configurations, a Read Cfg of the Tamper Detection register will return an error code.
If the two inputs pins TD0, TD1 are shorted with a wire at the time RF field is turned on, the tamper register will have a value “1”. If TD0, TD1 are not shorted at the time RF field is turned on, the tamper register will have a value “0”.
5.11Device parameter registers
Table 25. LOCK_DSFID
|
Command |
Lock DSFID (cmd code 2Ah) |
|
|
|
|
|
|
|
Bit |
Type |
WO if DSFID not locked |
|
|
|
|
|
|
|
|
Name |
Function |
Factory value |
|
|
|
|
|
|
b0 |
LOCK_DSFID |
0: DSFID is not locked |
0b |
|
1: DSFID is locked |
||||
|
|
|
||
|
|
|
|
|
b7-b1 |
RFU |
- |
0000000b |
|
|
|
|
|
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
||
|
LOCK_DSFID register. |
|
|
|
|
|
Table 26. LOCK_AFI |
|
|
|
|
|
Bit |
Command |
Lock AFI (cmd code 28h) |
|
|
|
|
DS12074 - Rev 11 |
page 22/90 |
|
|
|
|
|
|
|
ST25TV02K ST25TV512 |
|
|
|
|
|
|
Device parameter registers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Bit |
|
Type |
WO if AFI not locked |
|
|
|
|
|
|
|
|
|
|
|
|
Name |
Function |
|
Factory value |
|
|
|
|
|
|
|
|
b0 |
|
LOCK_AFI |
0: AFI is not locked |
|
0b |
|
|
1: AFI is locked |
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
b7-b1 |
|
RFU |
- |
|
0000000b |
|
|
|
|
|
||
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
|||||
|
LOCK_AFI register. |
|
|
|
|
|
|
|
|
|
Table 27. DSFID |
|
|
|
|
|
|
|
|
|
|
|
|
|
Inventory (cmd code 01h) |
|
|
|
|
|
Command |
Get System Info (cmd code 2Bh) |
|
|
|
Bit |
|
|
Write DSFID (cmd code 28h) |
|
|
|
|
|
|
|
|
|
|
|
|
Type |
R always, W if DSFID not locked |
|
|
|
|
|
|
|
|
|
|
|
|
Name |
Function |
|
Factory value |
|
|
|
|
|
|
|
|
b7-b0 |
|
DSFID |
ISO/IEC 15693 Data Storage Format Identifier |
|
00h |
Note: |
|
|
|
|
||
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
||||||
|
DSFID register. |
|
|
|
|
|
|
|
|
|
Table 28. AFI |
|
|
|
|
|
|
|
|
|
|
|
|
|
Inventory (cmd code 01h) |
|
|
|
|
|
Command |
Get System Info (cmd code 2Bh) |
|
|
|
Bit |
|
|
Write AFI (cmd code 27h) |
|
|
|
|
|
|
|
|
|
|
|
|
Type |
R always, W if AFI not locked |
|
|
|
|
|
|
|
|
|
|
|
|
Name |
Function |
|
Factory value |
|
|
|
|
|
|
|
|
b7-b0 |
|
AFI |
ISO/IEC 15693 Application Family Identifier |
|
00h |
|
|
|
|
|
||
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
|||||
|
AFI register. |
|
|
|
|
|
|
|
|
|
Table 29. IC_REF |
|
|
|
|
|
|
|
|
|
|
|
|
Command |
Get System Info (cmd code 2Bh) |
|
|
|
Bit |
|
|
|
|
|
|
|
Type |
RO |
|
|
|
|
|
|
|
|
|
|
|
|
|
Name |
Function |
|
Factory value |
|
|
|
|
|
|
|
|
b7-b0 |
|
IC_REF |
ISO/IEC 15693 IC Reference |
|
45h |
|
|
|
|
|
||
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
|||||
|
IC_REF register. |
|
|
|
|
|
|
|
|
|
Table 30. UID |
|
|
|
|
|
|
|
|
|
|
|
|
Command |
Inventory (cmd code 01h) |
|
|
|
|
|
Get System Info (cmd code 2Bh) |
|
|
|
|
Bit |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Type |
RO |
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
Name |
Function |
|
Factory value |
|
|
|
|
|
|
|
DS12074 - Rev 11 |
page 23/90 |
|
|
ST25TV02K ST25TV512
Device parameter registers
|
b7-b0 |
|
|
ISO/IEC 15693 UID byte 0 (LSB) |
|
|
|
|
|
|
|
|
|
|
b7-b0 |
|
|
ISO/IEC 15693 UID byte 1 |
|
|
|
|
|
|
|
|
IC manufacturer |
|
b7-b0 |
|
|
ISO/IEC 15693 UID byte 2 |
||
|
|
|
serial number |
|||
|
|
|
|
|
|
|
|
b7-b0 |
|
UID |
ISO/IEC 15693 UID byte 3 |
|
|
|
|
|
|
|
|
|
|
b7-b0 |
|
ISO/IEC 15693 UID byte 4 |
|
||
|
|
|
|
|||
|
|
|
|
|
|
|
|
b7-b0 |
|
|
ISO/IEC 15693 |
UID byte 5: ST Product code |
23h |
|
|
|
|
|
|
|
|
b7-b0 |
|
|
ISO/IEC 15693 |
UID byte 6: IC Mfg code |
02h |
|
|
|
|
|
|
|
|
b7-b0 |
|
|
ISO/IEC 15693 |
UID byte 7 (MSB) |
E0h |
|
|
|
|
|
||
Note: |
Refer to Table 5. System configuration memory map for registers accessed through dedicated commands for the |
|||||
|
UID register. |
|
|
|
|
|
DS12074 - Rev 11 |
page 24/90 |
|
|
ST25TV02K ST25TV512
RF operations
6RF operations
Contactless exchanges are performed as specified by ISO/IEC 15693 and NFC Forum Type 5. The ST25TV02K/512 communicate via the 13.56 MHz carrier electromagnetic wave on which incoming data are demodulated from the received signal amplitude modulation (ASK: amplitude shift keying). The received ASK wave is 10% or 100% modulated with a data rate of 1.6 Kbit/s using the 1/256 pulse coding mode or a data rate of 26 Kbit/s using the 1/4 pulse coding mode.
Outgoing data are generated by the ST25TV02K/512 load variation using Manchester coding with one or two subcarrier frequencies at 423 kHz and 484 kHz. Data are transferred from the ST25TV02K/512 at 6.6 Kbit/s in low data rate mode and 26 Kbit/s in high data rate mode. The ST25TV02K/512 support the 53 Kbit/s data rate mode in one sub-carrier frequency at 423 kHz.
The ST25TV02K/512 follow ISO/IEC 15693 and NFC Forum Type 5 recommendation for radio-frequency power and signal interface and for anticollision and transmission protocol.
6.1RF communication
6.1.1Access to a ISO/IEC 15693 device
The dialog between the “reader” and the ST25TV02K/512 take place as follows:
These operations use the power transfer and communication signal interface described below (see Power transfer, Frequency and Operating field). This technique is called RTF (Reader talk first).
•Activation of the ST25TV02K/512 by the operating field of the reader,
•Transmission of a command by the reader (ST25TV02K/512 detect carrier amplitude modulation)
•Transmission of a response by the ST25TV02K/512 (ST25TV02K/512 modulate is load clocked at subcarrier rate)
Operating field
The ST25TV02K/512 operate continuously between the minimum and maximum values of the electromagnetic field H defined in Table 153. RF characteristics. The Reader has to generate a field within these limits.
Power transfer
Power is transferred to the ST25TV02K/512 by radio frequency at 13.56 MHz via coupling antennas in the ST25TV02K/512 and the Reader. The operating field of the reader is transformed on the ST25TV02K/512 antenna to an AC voltage which is rectified, filtered and internally regulated. During communications, the amplitude modulation (ASK) on this received signal is demodulated by the ASK demodulator.
Frequency
The ISO 15693 standard defines the carrier frequency (fC) of the operating field as
13.56 MHz ± 7 kHz.
6.2RF protocol description
6.2.1Protocol description
The transmission protocol (or simply “the protocol”) defines the mechanism used to exchange instructions and data between the VCD (Vicinity Coupling Device) and the VICC (Vicinity integrated circuit card) in both directions. It is based on the concept of “VCD talks first”. The ST25TV02K/512 act as the VICC.
This means that a ST25TV02K/512 do not start transmitting unless it has received and properly decoded an instruction sent by the VCD. The protocol is based on an exchange of:
•a request from the VCD to the ST25TV02K/512,
•a response from the ST25TV02K/512 to the VCD.
DS12074 - Rev 11 |
page 25/90 |
|
|
ST25TV02K ST25TV512
RF protocol description
Each request and each response are contained in a frame. The frames are delimited by a Start of Frame (SOF) and End of Frame (EOF).
The protocol is bit-oriented. The number of bits transmitted in a frame is a multiple of eight (8), that is an integer number of bytes.
A single-byte field is transmitted least significant bit (LSBit) first. A multiple-byte field is transmitted least significant byte (LSByte) first and each byte is transmitted least significant bit (LSBit) first.
Figure 8. ST25TV02K/512 protocol timing
VCD |
Request |
|
|
|
|
|
|
|
|
|
Request |
|
|
|
|
|
|
|
|
|
frame |
|
|
|
|
|
|
|
|
|
frame |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ST25TV02K/512 |
|
|
|
|
|
Response |
|
|
|
|
|
|
|
|
|
Response |
|
|
|
|
|
|
|
|
|
frame |
|
|
|
|
|
|
|
|
|
frame |
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
Timing |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
t1 |
|
|
|
t2 |
|
t1 |
|
|
t2 |
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
6.2.2ST25TV02K/512 states referring to protocol
The ST25TV02K/512 can be in one of four states:
•Power-off
•Ready
•Quiet
•Selected
Transitions between these states are specified in Figure 9. state transition diagram and Table 31. response depending on Request_flags.
Power-off state
The ST25TV02K/512 are in the power-off state when it does not receive enough energy from the VCD.
Ready state
The ST25TV02K/512 are in the Ready state when it receives enough energy from the VCD. When in the Ready state, the ST25TV02K/512 answer any request where the Select_flag is not set.
Quiet state
When in the Quiet state, the ST25TV02K/512 answer any request with the Address_flag set, except for Inventory requests.
Selected state
In the Selected state, the ST25TV02K/512 answer any request in all modes (see Section 6.2.3 Modes):
•Request in Select mode with the Select_flag set
•Request in Addressed mode if the UID matches
•Request in Non-Addressed mode as it is the mode for general requests
DS12074 - Rev 11 |
page 26/90 |
|
|
ST25TV02K ST25TV512
RF protocol description
Table 31. response depending on Request_flags
|
Address_flag |
Select_flag |
|||
Flags |
1 |
0 |
1 |
0 |
|
|
Addressed |
Non addressed |
Selected |
Non selected |
|
|
|
|
|
|
|
ST25TV02K/512 in Ready or Selected state (Devices in Quiet state |
- |
X |
- |
X |
|
do not answer) |
|||||
|
|
|
|
||
|
|
|
|
|
|
ST25TV02K/512 in Selected state |
- |
X |
X |
- |
|
|
|
|
|
|
|
ST25TV02K/512 in Ready, Quiet or Selected state (the device |
X |
- |
- |
X |
|
which matches the UID) |
|||||
|
|
|
|
||
|
|
|
|
|
|
Error (03h) or no response (command dependent) |
X |
- |
X |
- |
|
|
|
|
|
|
|
Figure 9. state transition diagram
Power off
Out of field |
In RF field |
after tRF_OFF |
|
Out of RF field after tRF_OFF
Inventory |
Ready |
|
Any other command |
||||||||
|
where Select_Flag |
||||||||||
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
is not set |
|
|
|
ready |
|
Reset |
|
Select |
|||||
|
|
|
|
|
|
|
|
|
|
||
|
|
|
quiet(UID) |
Select to |
|
|
|
||||
|
to |
|
|
Select |
_ |
|
|
|
|
(UID) |
|
Reset |
|
Stay |
|
|
|
Flagready |
|
||||
|
|
|
|
(# |
|
|
|
|
|||
|
|
|
|
|
with |
is |
where |
||||
|
|
|
|
|
|
|
|
|
set |
|
|
|
|
|
|
|
|
|
UID) or |
||||
Out of RF field after tRF_OFF
Select (UID)
Quiet
Stay quiet(UID)
Any other command where the
Address_Flag is set AND where the Inventory_Flag is not set
Selected
Any other command
1.The ST25TV02K/512 return to the Power Off state if the tag is out of the field for at least tRF_OFF.
The intention of the state transition method is that only one ST25TV02K/512 should be in the Selected state at a time.
When the Select_flag is set to 1, the request shall NOT contain a unique ID. When the address_flag is set to 0, the request shall NOT contain a unique ID.
6.2.3Modes
The term “mode” refers to the mechanism used in a request to specify the set of ST25TV02K/512 devices that shall execute the request.
Addressed mode
When the Address_flag is set to 1 (Addressed mode), the request contains the Unique ID (UID) of the addressed ST25TV02K/512.
DS12074 - Rev 11 |
page 27/90 |
|
|
Loading...