ib technology Data Sheet H2PROT.PDF 9 Pages Last Revised 04/11/09 Micro RWD H2 Protocol The MicroRWD H2 version is a complete reader and tag acceptance solution for Hitag 2 RF transponders. The solution only needs a 700uH antenna coil connected and 5v DC supply to be a fully featured read/write system. The module provides internal EEPROM memory for holding lists of authorised identity codes, a manual override switch facility and has LED drives to give visual indication of acceptance. The RWD also has a TTL level RS232 interface that allows a host system to communicate with the RWD if necessary, so that system features can be customised, configurations changed and tag read/write data handled by the host system. Typical application configuration for Micro RWD module +5v SW override +5v Red LED 1k Green LED LOAD 1 24 2 23 CTS Tx TTL 3 22 Rx 4 21 5 20 25ma (sink) (O/P) drives Micro 6 RWD 19 7 HT 18 0v GND 8 17 9 16 10 15 700 uH Antenna 22R nom 11 14 12 13 Screen (if applicable) RS232 I/F +5v DC supply 25ma (sink) O/P drives 0v GND The Hitag 2 transponders provide 256 bits (32 bytes) of read/write EEPROM memory arranged as 8 partitioned 32 bit pages. An area of 128 bits (16 bytes) is open for general user data. The Hitag 2 transponders are configurable for different modes of operation and the MircoRWD H2 version supports the high security PASSWORD mode only. This feature uses two password codes stored both in the H2 transponder and the RWD that are mutually exchanged when a tag is brought into the RF field; the tag is only unlocked for read/write operations if these codes exactly agree. The use of this Mutual Authentication process, encrypted communications and a pulsed RF field ensures that the MicroRWD H2 reader system is very secure. 1 ib technology The MicroRWD is essentially a proximity system and a Read/Write range of up to 20cm can be achieved with the same level of reliable communication and EMC resilience. The unique AST (Adaptive Sampling) feature allows the RWD to continually adjust and retune the sampling to allow for inductive changes in the RF field, an essential feature for real-world reliability and robust operation. The communication protocol with the tags can achieve 4k bits/second of data transfer and the total time to read a 32-bit page takes less than 50ms. The MicroRWD can be easily integrated into almost any application; when power (5v DC) is first applied to the board the red and green LEDs flash once to indicate successful power-up. The device can also check for broken or shorted antenna and can even detect badly tuned antennas; these problems are indicated by the red LED flashing continuously until the fault has been rectified. The MicroRWD will normally have the red LED lit until a valid card or tag is brought into the RF field. If the tag is accepted as valid then the green LED is lit and the output drivers (OP0, OP1, OP2, OP3) are switched on. These outputs can be connected together to give up to 100ma of drive current for operating a relay etc. In addition, a switch input is provided for overriding the tag reading operation and switching the output drives directly. (Hitag 2 is a trademark of Philips/NXP Semiconductors NV) The Micro RWD has two basic modes of operation:- Micro RWD Chip Module Micro RWD Chip Module Antenna RS232 Serial comms Antenna Standalone mode with Internal EEPROM holding authorised tag codes for acceptance Host System Remote mode (connected to a host computer or microcontroller) and Standalone mode. 1) Remote mode involves connecting to a host serial interface. This is where the stored list of authorised identity codes can be empty, effectively authorising any HT2 transponder for subsequent read/write operations. A simple serial protocol allows a host system to communicate with the Micro RWD in order to program new authorised identity codes, change passwords and perform read/write operations to the tag itself. 2) Standalone mode is where the HT2 tag identity codes (serial number) are checked against a stored list of authorised codes. If an identity code is matched, the output drives and Green LED are enabled. Effectively standalone mode occurs when there is no host system communicating with the Micro RWD. 2 ib technology Supported transponder types The Micro RWD H2 version is designed to communicate with Hitag 2 transponders configured in PASSWORD mode. Setting the HT2 transponder to any other configuration will render them inoperable with this system. The operation of the Micro RWD and Hitag 2 transponders is described in more detail at the end of this document. The identification codes described in this text are regarded as the first four bytes (serial number or page 0) of the tag memory array. Serial Interface This is a basic implementation of RS232. The Micro RWD does not support buffered interrupt driven input so it must control a BUSY (CTS) line to inhibit communications from the host when it is fully occupied with tag communication. It is assumed that the host (such as a PC) can buffer received data. Tx, Rx and RTS signals from the Micro RWD are all TTL level and can be converted to +/-10v RS232 levels using an inverting level converter device such as the MAX202 (note the inversion of the TTL levels). The serial communication system and protocol allows for a 10ms ‘window’ every Tag polling cycle indicated by the BUSY line being low. During this ‘window’ the host must assert the first start bit and start transmitting data. The BUSY goes high again 10ms after the last stop bit is received. NOTE that only one command sequence is handled at a time. Transmitted or Received data byte, 9600 baud, 8 bit, 1 stop, No parity (104uS per bit) b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 5v 1 0v idle 0 START 8 bit data TTL levels STOP idle RWD tag polling cycle and serial communication BUSY protocol Ready to Receive RWD 5v BUSY 0v RWD 5v RX 0v RWD 5v TX 0v Busy Ready to Receive RWD cannot receive CMD or DATA CMD/DATA CMD/DATA Host must Transmit CMD/DATA within 10mS of BUSY going low Polling delay (100mS to 600mS) 100mS default 3 DATA ib technology Command Protocol The following commands are supported. The corresponding acknowledge code should be read back by the host and decoded to confirm that the command was received and actioned correctly. The serial bit protocol is 9600 baud, 8 bits, 1 stop, no parity (lsb transmitted first). The status flags returned in the Acknowledge byte are as follows: b7 b6 b5 b4 b3 b2 b1 b0 1 1 1 1 1 1 1 1 | | | | | EEPROM error (Internal EEPROM write error) | | | | Tag OK (Tag identity code matched to list and Password exchange successful) | | | Rx OK (Tag communications and acknowledgement OK) | | RS232 error (Host serial communications error) | RELAY Enabled flag HTRC (or Antenna fault) error flag Note that bits 6 and 7 are fixed 1’s so that an acknowledge code of D6 (Hex) would generally indicate no errors with a matched (or authorised) HT2 Tag present. Note also that only the relevant flags are set after each command as indicated in the following specification. Write Tag Command to write 4 bytes of data to HT2 32 bit page. If the write was unsuccessful (invalid tag or out of field) then Status flags in acknowledge byte indicate error. Command: Argument1: Argument2: Argument3: Argument4: Argument5: B7 0 1 x x D D D D D D D D Acknowledge: 1 1 F F F F F X 0 x D D D D 1 x D D D D 0 x D D D D 1 N D D D D 1 N D D D D B0 1 N D D D D (ASCII “W”, 0x57) (N = HT2 page address 0-7) (D = msb data to write to HT2) (D = lsb data to write to HT2) (F = Status flags) Note that PASSWORD exchange occurs for WRITE command. If no tag present then acknowledge / status byte reply is 0xC0 If tag present but RWD PASSWORD check fails then acknowledge byte reply is 0xC0. If tag present but TAG PASSWORD check fails then acknowledge byte reply is 0xC4. If tag present and both PASSWORDS match then acknowledge reply is 0xD6. 4 ib technology Read Tag Command to read 4 bytes of data from HT2 32 bit page. If the read was successful, indicated by acknowledge status flags then four bytes of tag data follow. Command: Argument1: B7 B0 0 1 0 1 0 0 1 0 x x x x x N N N (ASCII “R”, 0x52) (N = HT2 page address 0-7) Acknowledge: 1 1 F F F F F X (F = Status flags) Data only follows if read was successful Reply1: Reply2: Reply3: Reply4: D D D D D D D D D D D D D D D D D D D D D D D D D D D D D D D D (D = msb data to write to HT2) (D = lsb data to write to HT2) Note that PASSWORD exchange occurs for READ command. If no tag present then acknowledge / status byte reply is 0xC0 If tag present but RWD PASSWORD check fails then acknowledge byte reply is 0xC0. If tag present but TAG PASSWORD check fails then acknowledge byte reply is 0xC4. If tag present and both PASSWORDS match then acknowledge reply is 0xD6 followed by 4-bytes of data. Tag STATUS Command to return Tag status. The acknowledge byte flags indicate general Tag status. Command: B7 B0 0 1 0 1 0 0 1 1 (ASCII “S”, 0x53) Acknowledge: 1 1 F F F F F X (F = Status flags) Card UID Command to return card status and UID (Unique Identifier or Serial number). The acknowledge byte flags indicate general Tag status. Command: B7 B0 0 1 0 1 0 1 0 1 (ASCII “U”, 0x55) Acknowledge: 1 1 F F F F F X (F = Status flags) Data only follows if card was selected OK with no errors detected. Reply1: Reply2: Reply3: Reply4: D D D D D D D D D D D D D D D D D D D D D D D D D D D D D D D D (D =MS Byte of UID/Serial number from card) (D =LS Byte of UID/Serial number from card) Note that the CARD UID command works independently of the PASSWORD mode. The PASSWORD authentication only occurs for READ/WRITE operations. 5 ib technology Message Command to return product and firmware identifier string to host. Command: B7 B0 0 1 1 1 1 0 1 0 Reply: “a IDE RWD H2 (SECx V1.xx) DD/MM/YY” 0x00 (ASCII “z”, 0x7A) Returned string identifies author, product descriptor, project name, firmware version no. and date of last software change. Note that the string is always NULL terminated. The string begins with a unique lower case character that can be used to identify a particular version of Micro RWD. NOTE: 1) The serial communications uses hardware handshaking to inhibit the host from sending the Micro RWD commands while Tag interrogation is in progress. 2) Following the Read Tag command, if an error flag has been set in the Acknowledge code then there will be NO following data. 3) The serial communications system and protocol allows for a 10ms ‘window’ every Tag polling cycle indicated by the BUSY line being low. During this ‘window’ the host must assert the first start bit and start transmitting data. The BUSY goes high again 10ms after the last stop bit is received. 4) Only one command sequence is handled at a time. Program EEPROM The Micro RWD has some internal EEPROM for storing system parameters such as passwords and authorised identity codes. This command sequence allows individual bytes of the EEPROM to be programmed with new data. Note that due to the fundamental nature of these system parameters, incorrect data may render the system temporarily inoperable. Command: Argument1: Argument2: B7 B0 0 1 0 1 0 0 0 0 N N N N N N N N D D D D D D D D (ASCII “P”, 0x50) (N = EEPROM memory location 0- 255) (D = data to write to EEPROM) Acknowledge: 1 1 X F X X X F (F = Status flags) 6 ib technology Internal EEPROM memory map Byte 0: Tag Polling Rate (x 2.5ms) Byte 1: RF ON/OFF lock (0x55 = ON, anything else = OFF, normally set to 0x55) Byte 2: Reserved (Checksum) Byte 3: Reserved Byte 4: PASSWORD_RWD "M" (Sent to HT2) Byte 5: PASSWORD_RWD "I" Byte 6: PASSWORD_RWD "K" Byte 7: PASSWORD_RWD "R" Byte 8: Reserved Byte 9: PASSWORD_TAG 0xAA (Reply from HT2) Byte 10: PASSWORD_TAG "H" Byte 11: PASSWORD_TAG "T” Start of authorised tag codes. List is terminated with FF FF FF FF sequence. List is regarded as empty (all identity codes valid) if first code sequence in list is (FF FF FF FF). List can hold up to 60 identity codes (serial numbers). Byte 12: 0xFF Byte 13: 0xFF Byte 14: 0xFF Byte 15: 0xFF Empty list Byte 16: (MSB) Tag identity code Byte 17: Byte 18: Byte 19: (LSB) Byte 20: (MSB) Tag identity code Byte 21: Byte 22: Byte 23: (LSB) Byte 255: Last Internal EEPROM location Method of Operation The Micro RWD reader only allows full Read/Write access to the Hitag 2 transponders if TWO levels of security have both succeeded. During the initial communication with the H2 tag the serial number (identity code) is acquired (4-bytes from H2 page 0). The Micro RWD internal EEPROM is then checked to see if this serial number is stored in the authorisation list located from byte 12 onwards. If the tag serial number is matched or the list is empty then the tag has passed the first security check (If the Micro RWD has 0xFF FF FF FF stored at EEPROM locations 12 to 15 then the list is treated as empty and all Hitag 2 tags are accepted through the first security level). The serial number can be accessed at this stage using the CARD UID command. 7 ib technology For READ and WRITE commands a second security check is automatically performed by mutually exchanging two Passwords between the RWD and the Hitag2 tag. If the PASSWORD exchange operation is successful then memory access is allowed and the READ and WRITE commands can proceed. The first password is four bytes long (32 bits) and is called the "RWD PASSWORD" which is located at page 1 in the tag memory. The second password is three bytes long (24 bits) and is called the "TAG PASSWORD". It is located at page 3 in the tag from the second to the forth byte, the first byte in page 3 is the tag configuration byte which controls the basic mode of operation. This should be left as 06 (hex) until the system is fully understood. The configuration byte bit definitions are described at the end of this document. The RWD and TAG PASSWORDS are also stored in the Micro RWD EEPROM to allow the reader to verify the tag, and the tag to mutually verify the reader. For READ and WRITE commands the Micro RWD reader sends the RWD PASSWORD to the H2 tag first, which then checks this code against it’s own RWD PASSWORD. If they agree then the H2 tag sends it’s TAG PASSWORD to the reader which then checks the code against it’s stored TAG PASSWORD. If they agree then the second security level has been passed and the READ/WRITE commands can proceed. The use of these two levels of security makes the Hitag 2 tags very suitable for secure data storage or for RF identification applications such as locks and access control. Hitag 2 Memory Map (PASSWORD mode) The memory of the Hitag 2 transponder consists of 256 bits of very low power EEPROM memory which is organised into 8 pages of 32 bits (4 bytes) each. Page No. 0 1 2 3 4 5 6 7 Content (32 bit words/ 4 bytes) Serial number Password RWD (Default = “MIKR” = 4D 49 4B 52 hex) Reserved 8 bit Configuration, 24 bit Password TAG (Default = 06 AA 48 54 hex) Read/Write page Read/Write page Read/Write page Read/Write page 8 ib technology Hitag 2 Configuration Byte The 8 bit configuration byte located at the start of page 3 defines the basic mode of the Hitag 2 transponder and whether certain parts of it’s memory are locked or open for Read/Write operations. Note that the MicroRWD H2 only supports PASSWORD mode and can communicate with Hitag 2 tags with the configuration byte = 0x06 (or 0x46 with configuration and TAG Password locked). CONFIGURATION OR PASSWORDS MUST NOT BE CHANGED UNLESS THE OPERATION OF THE HITAG 2 TRANSPONDER IS UNDERSTOOD. Configuration Byte (Page 3, byte 0) b7 b6 b5 b4 b3 b2 b1 b0 | | | | 0 1 1 0 | | | 0 = Page 6 and 7 read/write | | | 1 = Page 6 and 7 read only | | | | | 0 = Page 4 and 5 read/write | | 1 = Page 4 and 5 read only | | | 0 = Page 3 read/write | 1 = Page 3 read only, Configuration and TAG Password FIXED, THIS BIT IS OTP | 0 = Page 1 an 2 read/write 1 = Page 1 no read/no write, Page 2 (RWD Password) read only, THIS BIT IS OTP No responsibility is taken for the method of integration or final use of Micro RWD More information on the Micro RWD and other products can be found at the Internet web site: http://www.ibtechnology.co.uk Or alternatively contact IB Technology by email at: [email protected] 9