Reference Manual of ACR33U-A1 SmartDuo Smart Card Reader

Reference Manual of ACR33U-A1 SmartDuo Smart Card Reader
ACR33U-A1
SmartDuo
Smart Card Reader
Reference Manual V1.05
Subject to change without prior notice
info@acs.com.hk
www.acs.com.hk
Table of Contents
1.0.
Introduction ............................................................................................................. 4
1.1.
1.2.
Reference Documents ........................................................................................................... 4
Symbols and Abbreviations ................................................................................................... 4
2.0.
Features ................................................................................................................... 5
3.0.
Smart Card Support ................................................................................................ 6
3.1.
3.2.
MCU Cards ............................................................................................................................ 6
Memory-based Smart Cards.................................................................................................. 6
4.0.
Smart Card Interface ............................................................................................... 7
4.1.
4.2.
4.3.
4.4.
4.5.
Smart Card Power Supply VCC (C1) .................................................................................... 7
Programming Voltage VPP (C6) ............................................................................................ 7
Card Type Selection .............................................................................................................. 7
Interface for Microcontroller-based Cards ............................................................................. 7
Card Tearing Protection......................................................................................................... 7
5.0.
Power Supply........................................................................................................... 8
5.1.
Status LED ............................................................................................................................. 8
6.0.
USB Interface ........................................................................................................... 9
6.1.
6.2.
Communication Parameters .................................................................................................. 9
Endpoints ............................................................................................................................... 9
7.0.
Communication Protocol ...................................................................................... 10
8.0.
Memory Card Type Selection................................................................................ 12
9.0.
Commands ............................................................................................................. 13
9.1.
CCID Command Pipe Bulk-OUT Messages ........................................................................ 13
PC_to_RDR_IccPowerOn ........................................................................................... 13
PC_to_RDR_IccPowerOff ........................................................................................... 13
PC_to_RDR_GetSlotStatus ........................................................................................ 13
PC_to_RDR_XfrBlock ................................................................................................. 14
PC_to_RDR_GetParameters ...................................................................................... 14
PC_to_RDR_SetParameters ...................................................................................... 14
PC_to_RDR_Escape .................................................................................................. 16
CCID Bulk-IN Messages ...................................................................................................... 18
RDR_to_PC_DataBlock .............................................................................................. 18
RDR_to_PC_SlotStatus .............................................................................................. 18
RDR_to_PC_Parameters ............................................................................................ 19
RDR_to_PC_Escape .................................................................................................. 21
Memory Card Command Set ............................................................................................... 23
Memory Card – 1, 2, 4, 8, 16 kilobit I2C Card ............................................................ 23
Memory Card – 32, 64, 128, 256, 512, 1024 kilobit I2C Card ....................................27
Memory Card – ATMEL AT88SC153.......................................................................... 31
Memory Card – ATMEL AT88SC1608........................................................................ 37
Memory Card – SLE4418/SLE4428/SLE5518/SLE5528 ............................................43
Memory Card – SLE4432/SLE4442/SLE5532/SLE5542 ............................................50
Memory Card – SLE4406/SLE4436/SLE5536/SLE6636 ............................................58
Memory Card – SLE4404 ........................................................................................... 65
Memory Card – AT88SC101/AT88SC102/AT88SC1003 ...........................................71
Other Commands Access via PC_to_RDR_XfrBlock ..........................................................80
GET_READER_INFORMATION ................................................................................ 80
9.1.1.
9.1.2.
9.1.3.
9.1.4.
9.1.5.
9.1.6.
9.1.7.
9.2.
9.2.1.
9.2.2.
9.2.3.
9.2.4.
9.3.
9.3.1.
9.3.2.
9.3.3.
9.3.4.
9.3.5.
9.3.6.
9.3.7.
9.3.8.
9.3.9.
9.4.
9.4.1.
Appendix A.
Supported Card Types.............................................................................. 81
Appendix B. CCID Response Error Codes.................................................................... 82
Page 2 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Tables
Table 1 : Symbols and Abbreviations ..................................................................................................... 4
Table 2 : USB Interface Wiring ............................................................................................................... 9
Table 3 : Supported Card Types .......................................................................................................... 81
Table 4 : CCID Response Error Codes ................................................................................................ 82
Page 3 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
1.0. Introduction
The ACR33U-A1 SmartDuo PC-linked Smart Card Reader acts as an interface for the communication
between a computer and a smart card. Different types of smart cards have different commands and
different communication protocols, which, in most cases, prevent direct communication between a
smart card and a computer. The ACR33U-A1 SmartDuo Smart Card Reader establishes a uniform
interface from the computer to the smart card for a wide variety of cards. By taking care of the card’s
particulars, it releases the computer software programmer from being responsible with smart card
operations’ technical details, which in many cases, are not relevant to the implementation of a smart
card system.
1.1. Reference Documents
The following related documents are available from www.usb.org
•
Universal Serial Bus Specification 2.0 (also referred to as the USB specification), April 27,
2000
•
Universal Serial Bus Common Class Specification 1.0, December 16, 1997
•
Universal Serial Bus Device Class: Smart Card CCID Specification for Integrated Circuit(s)
Cards Interface Devices, Revision 1.1, April 22, 2005
The following related documents can be ordered through www.ansi.org
•
ISO/IEC 7816-1; Identification Cards – Integrated circuit(s) cards with contacts - Part 1:
Physical Characteristics
•
ISO/IEC 7816-2; Identification Cards – Integrated circuit(s) cards with contacts - Part 2:
Dimensions and Locations of the Contacts
•
ISO/IEC 7816-3; Identification Cards – Integrated circuit(s) cards with contacts - Part 3:
Electronic Signals and Transmission Protocols
1.2. Symbols and Abbreviations
Abbreviation
Description
ATR
Answer-to-reset
CCID
Chip/Smart Card Interface Device
ICC
Integrated Circuit Cards
IFSC
Information Field Sized for ICC for protocol T=1
IFSD
Information Field Sized for CCID for protocol T=1
NAD
Node Address
PPS
Protocol and Parameters Selection
RFU
Reserved for future use 1
TPDU
USB
Transport Protocol Data Unit
Universal Serial Bus
Table 1: Symbols and Abbreviations
.
1
Must be set to zero unless stated differently
Page 4 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
2.0. Features
•
USB Full Speed Interface
•
Plug-and-Play – CCID support brings utmost compatibility
•
Dual Slots for Full-sized Smart Cards
•
Smart Card Reader:
•
o
Supports ISO 7816 Class A (5 V) smart cards
o
Supports CAC (Common Access Card)
o
Supports microprocessor cards with T=0 and T=1 protocol
o
Supports memory cards
o
Supports PPS (Protocol and Parameters Selection)
o
Features Short Circuit Protection
SAM (Secure Access Module) Card Interface:
o
•
•
2
Three SAM card slots
User controllable peripherals:
o
Tri-color LED (Green, Red, Blue)
o
Buzzer
Application Programming Interface:
o
Supports PC/SC
o
Supports CT-API (through wrapper on top of PC/SC)
•
Supports Android™ 3.1 and above 2
•
Compliant with the following international standards:
o
FIPS 201
o
TAA
o
EN60950/IEC 60950
o
ISO 7816
o
CE
o
FCC
o
VCCI
o
PC/SC
o
CCID
o
Microsoft® WHQL
o
RoHS 2
o
REACH
PC/SC and CCID support are not applicable
Page 5 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
3.0. Smart Card Support
3.1. MCU Cards
The ACR33U-A1 is a PC/SC compliant smart card reader that supports ISO 7816 Class A (5 V) smart
card. It also works with MCU (MicroController Unit) cards following either the T=0 and T=1 protocol.
The card ATR indicates the specific operation mode (TA2 present; bit b5 of TA2 must be 0) and when
that the particular mode is not supported by the ACR33U-A1; the reader will reset the card to a
negotiable mode. If the card cannot be set to negotiable mode, the reader will then reject the card.
When the card ATR indicates the negotiable mode (TA2 not present) and communication parameters
other than the default parameters, the ACR33U-A1 will execute the PPS and try to use the
communication parameters that the card suggested in its ATR. If the card does not accept the PPS,
the reader will use the default parameters (F=372, D=1).
Note: For the meaning of the aforementioned parameters, please refer to ISO 7816-3.
3.2. Memory-based Smart Cards
The ACR33U-A1 works with several memory-based smart cards such as:
•
Cards following the I2C bus protocol (free memory cards) with maximum 128 bytes page with
capability, including:
o
•
Cards with secure memory IC with password and authentication, including:
o
•
Infineon®: SLE4432, SLE4442, SLE5532 and SLE5542
Cards with ‘104’ type EEPROM non-reloadable token counter cards, including:
o
•
Infineon®: SLE4418, SLE4428, SLE5518 and SLE5528
Cards with intelligent 256 bytes EEPROM with write-protect function, including:
o
•
Atmel®: AT88SC153 and AT88SC1608
Cards with intelligent 1 KB EEPROM with write-protect function, including:
o
•
Atmel®: AT24C01/02/04/08/16/32/64/128/256/512/1024
Infineon®: SLE4406, SLE4436, SLE5536 and SLE6636
Cards with Security Logic with Application Zone(s), including:
o
Atmel®: AT88SC101, AT88SC102 and AT88SC1003
Note: Memory card is supported in ICC Slot 0 only of ACR33U-A1 SmartDuo Smart Card Reader.
Page 6 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
4.0. Smart Card Interface
The interface between the ACR33U-A1 and the inserted smart card follows the specifications of ISO
7816-3 with certain restrictions or enhancements to increase the practical functionality of the
ACR33U-A1.
4.1. Smart Card Power Supply VCC (C1)
The current consumption of the inserted card must not be higher than 50 mA.
4.2. Programming Voltage VPP (C6)
According to ISO 7816-3, the smart card contact C6 (VPP) supplies the programming voltage to the
smart card. Since all common smart cards in the market are EEPROM-based and do not require the
provision of an external programming voltage, the contact C6 (VPP) has been implemented as a
normal control signal in the ACR33U-A1. The electrical specifications of this contact are identical to
those of the signal RST (at contact C2).
4.3. Card Type Selection
The controlling personal computer must always select the card type through the proper command
sent to the ACR33U-A1 prior to activating the inserted card. This includes both the memory cards and
MCU-based cards.
For MCU-based cards, the reader is allowed to select the preferred protocol, T=0 or T=1. However,
this selection is only accepted and carried out by the reader through the PPS when the card inserted
in the reader supports both protocol types. Whenever an MCU-based card supports only one protocol
type, T=0 or T=1, the reader automatically uses that protocol type, regardless of the protocol type
selected by the application.
4.4. Interface for Microcontroller-based Cards
For microcontroller-based smart cards only the contacts C1 (VCC), C2 (RST), C3 (CLK), C5 (GND)
and C7 (I/O) are used. A frequency of 4 MHz is applied to the CLK signal (C3).
4.5. Card Tearing Protection
The ACR33U-A1 provides a mechanism to protect the inserted card when it is suddenly withdrawn
while it is powered up. The power supply to the card and the signal lines between the ACR33U-A1
and the card is immediately deactivated when the card is removed. However, as a rule to avoid any
electrical damage, a card should only be removed from the reader while it is powered down.
Note: ACR33U-A1 does not switch on the power supply to the inserted card by itself. This can be
done by the controlling computer through the proper command sent to the reader.
Page 7 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
5.0. Power Supply
The ACR33U-A1 requires a voltage of 5 V DC, 100 mA, regulated, power supply. The ACR33U-A1
gets the power supply from the computer (through the cable supplied along with each type of reader).
5.1. Status LED
The LED indicates the activation status of the smart card interface:
•
Flashing slowly (turns on 200 ms every 2 seconds)
Indicates ACR33U-A1 is powered up and in the standby state. Either the smart card has not
been inserted or the smart card has not been powered up (if it is inserted).
•
Lighting up
Indicates power supply to the smart card is switched on (e.g. the smart card is activated).
•
Flashing quickly
Indicates there are communications between ACR33U-A1 and smart card.
The different LED colors indicate the different states of the ACR33U-A1, where:
•
Red LED
Power status
•
Green LED
Main card slot status (ICC Slot 0)
•
Blue LED
Slave card slot status (ICC Slot 1)
Page 8 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
6.0. USB Interface
6.1. Communication Parameters
The ACR33U-A1 is connected to a computer through USB as specified in the USB Specification 2.0.
The ACR33U-A1 is working in full speed mode (e.g. 12 Mbps).
Pin
Signal
Function
1
VBUS
2
D-
Differential signal transmits data between ACR33U-A1 and PC.
3
D+
Differential signal transmits data between ACR33U-A1 and PC.
4
GND
+5 V power supply for the reader.
Reference voltage level for power supply.
Table 2: USB Interface Wiring
Note: In order for the ACR33U-A1 to function properly through USB interface, either ACS proprietary
device driver or ACS PC/SC device driver has to be installed.
6.2. Endpoints
The ACR33U-A1 uses the following endpoints to communicate with the host computer:
Control Endpoint
For setup and control purpose
Bulk OUT
For command to be sent from host to ACR33U-A1
(data packet size is 64 bytes)
Bulk IN
For response to be sent from ACR33U-A1 to host
(data packet size is 64 bytes)
Interrupt IN
For card status message to be sent from ACR33U-A1 to
host
(data packet size is 8 bytes)
Page 9 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
7.0. Communication Protocol
ACR33U-A1 shall interface with the host through the USB connection. A specification, namely CCID,
has been released within the industry defining such a protocol for the USB chip-card interface
devices. CCID covers all the protocols required for operating smart cards.
Note: The configurations and usage of USB endpoints on ACR33U-A1 shall follow CCID Section 3.
An overview is summarized below:
1. Control Commands are sent on control pipe (default pipe). These include class-specific
requests and USB standard requests. Commands that are sent on the default pipe report
information back to the host on the default pipe.
2. CCID Events are sent on the interrupt pipe.
3. CCID Commands are sent on BULK-OUT endpoint. Each command sent to ACR33U-A1 has
an associated ending response. Some commands can also have intermediate responses.
4. CCID Responses are sent on BULK-IN endpoint. All commands sent to ACR33U-A1 have to
be sent synchronously (e.g. bMaxCCIDBusySlots is equal to 01h for ACR33U-A1).
The ACR33U-A1 supported CCID features are indicated in its Class Descriptor:
Offset
Field
Size
Value
Description
0
bLength
1
36h
Size of this descriptor, in bytes.
1
bDescriptorType
1
21h
CCID Functional Descriptor type.
2
bcdCCID
2
0100h
4
bMaxSlotIndex
1
05h
2 big slots and 3 SAM slots are
available on ACR33U-A1.
5
bVoltageSupport
1
01h
ACR33U-A1 can supply 5 V to its slot.
6
dwProtocols
4
00000003h
ACR33U-A1 supports T=0 and T=1
protocol.
10
dwDefaultClock
4
00000FA0h
Default ICC clock frequency is 4 MHz.
14
dwMaximumClock
4
00000FA0h
Maximum supported ICC clock
frequency is 4 MHz.
18
bNumClockSupported
1
00h
19
dwDataRate
4
00002A00h
Default ICC I/O data rate is 10752 bps.
23
dwMaxDataRate
4
00054024h
Maximum supported ICC I/O data rate is
344100 bps.
27
bNumDataRatesSupported
1
00h
Does not support manual setting of data
rates.
28
dwMaxIFSD
4
00000FEh
Maximum IFSD supported by ACR33UA1 for protocol T=1 is 254.
32
dwSynchProtocols
4
00000000h
ACR33U-A1 does not support
synchronous card.
36
dwMechanical
4
00000000h
ACR33U-A1 does not support special
mechanical characteristics.
CCID Specification Release Number in
Binary-Coded decimal.
Does not support manual setting of
clock frequency.
Page 10 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Offset
Field
Size
Value
Description
ACR33U-A1 supports the following
features:
40
dwFeatures
4
•
Automatic ICC clock frequency
change according to parameters
•
Automatic baud rate change
according to frequency and FI,DI
parameters
•
Automatic PPS made by the CCID
according to the active parameters
•
Automatic IFSD exchange as first
exchange (T=1 protocol in use)
•
Short APDU level exchange with
CCID
000204B0h
44
dwMaxCCIDMessageLength
4
0000010Fh
Maximum message length accepted by
ACR33U-A1 is 271 bytes.
48
bClassGetResponse
1
00h
Insignificant for TPDU level exchanges.
49
bClassEnvelope
1
00h
Insignificant for TPDU level exchanges.
50
wLCDLayout
2
0000h
52
bPINSupport
1
03h
With PIN verification and modification.
53
bMaxCCIDBusySlots
1
01h
Only 1 slot can be simultaneously busy.
No LCD.
Page 11 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
8.0. Memory Card Type Selection
The SELECT_CARD_TYPE command must be executed first before other memory card commands.
This command powers down and up the selected card inserted in the card reader and performs a card
reset. This command can only be used after the logical smart card reader communication has been
established using the SCardConnect() API.
Note: For details of ScardConnect() API, please refer to PC/SC specifications.
A code snippet for the program flow is given below to demonstrate how to select the memory card
type:
SCARDCONTEXT hContext;
SCARDHANDLE hCard;
unsigned long dwActProtocol;
SCARD_IO_REQUEST ioRequest;
DWORD size = 64, SendLen = 6, RecvLen = 255, retCode;
byte cardType;
//Establish PC/SC Connection
retCode
=
SCardEstablishContext
(SCARD_SCOPE_USER,
NULL,
NULL,
&hContext);
//List all readers in the system
retCode = SCardListReaders (hContext, NULL, readerName, &size);
//Connect to the reader
retCode
=
SCardConnect(hContext,
readerName,
SCARD_SHARE_SHARED,
SCARD_PROTOCOL_T0, &hCard, &dwActProtocol);
//Select Card Type
unsigned char SendBuff[] = {0xFF,0xA4,0x00,0x00,0x01,cardType};
retCode = SCardTransmit( hCard, &ioRequest, SendBuff, SendLen, NULL,
RecvBuff, &RecvLen);
//Disconnect from the reader
retCode = SCardDisconnect(hCard, SCARD_UNPOWER_CARD);
//End the established context
retCode = SCardReleaseContext(hContext);
Page 12 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.0. Commands
9.1. CCID Command Pipe Bulk-OUT Messages
ACR33U-A1 shall follow the CCID Bulk-OUT Messages as specified in CCID Section 4. In addition,
this specification defines some extended commands for operating additional features.
This section lists the CCID Bulk-OUT Messages to be supported by ACR33U-A1.
9.1.1.
PC_to_RDR_IccPowerOn
This command is used to activate the card slot and return ATR from the card.
Offset
Field
Size
Value
Description
0
bMessageType
1
62h
1
dwLength
4
00000000h
2
bSlot
1
00-05h
Identifies the slot number for this command.
5
bSeq
1
00-FFh
Sequence number for command.
6
bPowerSelect
1
01h
Voltage that is applied to the ICC:
01h = 5 volts
7
abRFU
2
Size of extra bytes of this message.
Reserved for future use.
The response to this command message is the RDR_to_PC_DataBlock response message and the
data returned is the Answer-to-Reset (ATR) data.
9.1.2.
PC_to_RDR_IccPowerOff
This command is used to deactivate the card slot.
Offset
Field
Size
Value
Description
0
bMessageType
1
63h
1
dwLength
4
00000000h
5
bSlot
1
00-05h
Identifies the slot number for this command.
6
bSeq
1
00-FFh
Sequence number for command.
7
abRFU
3
Size of extra bytes of this message.
Reserved for future use.
The response to this message is the RDR_to_PC_SlotStatus message.
9.1.3.
PC_to_RDR_GetSlotStatus
This command is used to get current status of the slot.
Offset
Field
Size
Value
Description
0
bMessageType
1
65h
1
dwLength
4
00000000h
5
bSlot
1
00-05h
Identifies the slot number for this command.
6
bSeq
1
00-FFh
Sequence number for command.
7
abRFU
3
Size of extra bytes of this message.
Reserved for future use.
The response to this message is the RDR_to_PC_SlotStatus message.
Page 13 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.1.4.
PC_to_RDR_XfrBlock
This command is used to transfer data block to the ICC.
Offset
Field
Size
Value
Description
0
bMessageType
1
6Fh
1
dwLength
4
5
bSlot
1
00-05h
Identifies the slot number for this command.
6
bSeq
1
00-FFh
Sequence number for command.
Size of abData field of this message.
7
bBWI
1
00-FFh
Used to extend the CCIDs Block Waiting
Timeout for this current transfer. The CCID
will timeout the block after “this number
multiplied by the Block Waiting Time” has
expired.
8
wLevelParameter
2
0000h
RFU (TPDU exchange level).
10
abData
Byte
array
Data block sent to the CCID. Data is sent
“as is” to the ICC (TPDU exchange level).
The response to this message is the RDR_to_PC_DataBlock message.
9.1.5.
PC_to_RDR_GetParameters
This command is used to get the slot parameters.
Offset
Field
Size
Value
Description
0
bMessageType
1
6Ch
1
dwLength
4
00000000h
5
bSlot
1
00-05h
Identifies the slot number for this command.
6
bSeq
1
00-FFh
Sequence number for command.
7
abRFU
3
Size of extra bytes of this message.
Reserved for future use.
The response to this message is the RDR_to_PC_Parameters message.
9.1.6.
PC_to_RDR_SetParameters
This command is used to set the slot parameters.
Offset
Field
Size
Value
Description
0
bMessageType
1
61h
1
dwLength
4
5
bSlot
1
00-05h
Identifies the
command.
6
bSeq
1
00-FFh
Sequence number for command.
Size of extra bytes of this message.
slot
number
for
this
Page 14 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Offset
Field
Size
Value
00h,
01h
Description
Specifies what protocol data structure
follows.
00h = Structure for protocol T=0
01h = Structure for protocol T=1
The following values are reserved for
future use:
80h = Structure for 2-wire protocol
81h = Structure for 3-wire protocol
82h = Structure for I2C protocol
7
bProtocolNum
1
8
abRFU
2
Reserved for future use.
10
abProtocolDataStructure
Byte
array
Protocol Data Structure.
The response to this message is the RDR_to_PC_Parameters message.
Protocol Data Structure for Protocol T=0 (dwLength=00000005h)
Offset
10
Field
bmFindexDindex
Size
Value
Description
1
B7-4 – FI - Index into the Table 7 in ISO/IEC
7816-3:1997 selecting a clock rate conversion
factor
B3-0 – DI - Index into the Table 8 in
ISO/IEC 7816-3:1997 selecting a baud rate
conversion factor
B0 – 0b, B7-2 – 000000b
B1 – Convention used (b1=0 for direct, b1=1
for inverse)
Note: The CCID ignores this bit.
11
bmTCCKST0
1
12
bGuardTimeT0
1
00-FFh
Extra guard time between two characters. Add
0 to 254etu to the normal guard time of 12etu.
FFh is the same as 00h.
13
bWaitingIntegerT0
1
00-FFh
WI for T=0 used to define WWT
00-03h
ICC Clock Stop Support:
00h = Stopping the Clock is not allowed
01h = Stop with Clock signal Low
02h = Stop with Clock signal High
03h = Stop with Clock either High or Low
14
bClockStop
1
The response to this message is the RDR_to_PC_Parameters message.
Page 15 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Protocol Data Structure for Protocol T=1 (dwLength=00000007h)
Offset
10
Field
Size
bmFindexDindex
Value
Description
1
B7-4 – FI - Index into the Table 7 in ISO/IEC
7816-3:1997 selecting a clock rate
conversion factor
B3-0 – DI - Index into the Table 8 in
ISO/IEC 7816-3:1997 selecting a baud rate
conversion factor
B7-2 – 000100b
B0 – Checksum type (b0=0 for LRC, b0=1
for CRC
B1 – Convention used (b1=0 for direct, b1=1
for inverse)
Note: The CCID ignores this bit.
11
BmTCCKST1
1
12
BGuardTimeT1
1
00-FFh
Extra guard time (0 to 254etu between two
characters). If value is FFh, then guard time
is reduced by 1etu.
13
BwaitingIntegerT1
1
00-9Fh
B7-4 = BWI values 0-9 valid
B3-0 = CWI values 0-Fh valid
14
bClockStop
1
00-03h
ICC Clock Stop Support:
00h = Stopping the Clock is not allowed
01h = Stop with Clock signal Low
02h = Stop with Clock signal High
03h = Stop with Clock either High or Low
15
bIFSC
1
00-FFh
Size of negotiated IFSC.
16
bNadValue
1
00h
Only support NAD = 00h
The response to this message is the RDR_to_PC_Parameters message.
9.1.7.
PC_to_RDR_Escape
This command is used to define and access extended features.
Offset
Field
Size
Value
Description
0
bMessageType
1
6Bh
1
dwLength
4
5
bSlot
1
00-05h
Identifies the slot number for this command.
6
bSeq
1
00-FFh
Sequence number for command.
7
abRFU
3
10
abData
Byte
array
Size of abData field of this message.
Reserved for future use.
Data block sent to the CCID.
Page 16 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.1.7.1.
LED
Offset
Field
Size
Value
10
bcmdCode
1
01h
11
wcmdLength
2
0001h
13
abRFU
2
Reserved for future use.
1
00000xxx for 3 LED,
XYZ: 000 => 3 LEDs off
XYZ: 001 => LED1 on, green for 1 Sec
XYZ: 010 => LED2 on, red for 1 Sec
XYZ: 100 => LED3 on, blue for 1 Sec
15
abData
00000
XYZb
Description
The response to this command message is the RDR_to_PC_Escape response message.
9.1.7.2.
Buzzer
Offset
Field
Size
Value
10
bcmdCode
1
08h
11
wcmdLength
2
0001h
13
abRFU
2
15
abData
1
Description
Reserved for future use.
XXh
XX for buzzer on or off,
YZ: 5A = buzzer on for 1 Sec
YZ: A5 = buzzer off
The response to this command message is the RDR_to_PC_Escape response message.
9.1.7.3.
Get Firmware Version
Offset
Field
Size
Value
10
bcmdCode
1
04h
11
wcmdLength
2
0000h
13
abRFU
2
Description
Reserved for future use.
The response to this command message is the RDR_to_PC_Escape response message.
Page 17 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.2. CCID Bulk-IN Messages
The Bulk-IN messages are used in response to the Bulk-OUT messages. ACR33U-A1 shall follow the
CCID Bulk-IN Messages as specified in CCID Section 4.
This section lists the CCID Bulk-IN Messages to be supported by ACR33U-A1.
Note: The values of bSlot and bSeq are the same as Bulk-OUT message.
9.2.1.
RDR_to_PC_DataBlock
This message is sent by ACR33U-A1 in
PC_to_RDR_IccPowerOn and PC_to_RDR_XfrBlock.
response
to
the
command
message:
Offset
Field
Size
Value
0
bMessageType
1
80h
1
dwLength
4
-
Size of extra bytes of this message.
5
bSlot
1
-
Same value as in Bulk-OUT message.
6
bSeq
1
-
Same value as in Bulk-OUT message.
7
bStatus
1
-
Slot status register as defined in CCID Section
4.2.1.
8
bError
1
-
Slot error register as defined in CCID Section
4.2.1.
9
bChainParameter
1
00h
10
abData
Byte
array
-
9.2.2.
Description
Indicates that a data block is being sent from
the CCID.
RFU (TPDU exchange level).
This field contains the data returned
by the CCID.
RDR_to_PC_SlotStatus
This message is sent
PC_to_RDR_GetSlotStatus.
by
ACR33U-A1
in
response
to
PC_to_RDR_IccPowerOff,
Offset
Field
Size
Value
0
bMessageType
1
81
1
dwLength
4
00000000h
5
bSlot
1
Same value as in Bulk-OUT message.
6
bSeq
1
Same value as in Bulk-OUT message.
7
bStatus
1
Slot status register as defined in CCID
Section 4.2.1.
8
bError
1
Slot error register as defined in CCID Section
4.2.1.
1
Value:
00h = Clock running
01h = Clock stopped in state L
02h = Clock stopped in state H
03h = Clock stopped in an unknown state
All other values are RFU.
9
bClockStatus
Description
Size of extra bytes of this message.
Page 18 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.2.3.
RDR_to_PC_Parameters
This message is sent by ACR33U-A1 in response to PC_to_RDR_GetParameters and
PC_to_RDR_SetParameters messages.
Offset
Field
Size
Value
Description
0
bMessageType
1
82h
1
dwLength
4
Size of extra bytes of this message.
5
bSlot
1
Same value as in Bulk-OUT message.
6
bSeq
1
Same value as in Bulk-OUT message.
7
bStatus
1
Slot status register as defined in CCID
Section 4.2.1.
8
bError
1
Slot error register as defined in CCID
Section 4.2.1.
9
bProtocolNum
1
Specifies what protocol data structure
follows:
00h = Structure for protocol T=0
01h = Structure for protocol T=1
The following values are reserved for
future use.
80h = Structure for 2-wire protocol
81h = Structure for 3-wire protocol
82h = Structure for I2C protocol
10
abProtocolDataStructure
Byte
array
Protocol Data Structure as summarized in
CCID Section 10.1.6.
Protocol Data Structure for Protocol T=0 (bProtocolNum=0, dwLength=00000005h)
Offset
Field
Size
Value
Description
10
bmFindexDindex
1
-
B7-4 – FI - Index into the Table 7 in ISO/IEC
7816-3:1997 selecting a clock rate conversion
factor
B3-0 – DI - Index into the Table 8 in
ISO/IEC 7816-3:1997 selecting a baud rate
conversion factor
11
bmTCCKST0
1
00h,
02h
For T=0, B0 – 0b, B7-2 – 000000b
B1 – Convention used (b1=0 for direct, b1=1 for
inverse)
12
bGuardTimeT0
1
00-FFh
Extra guard time between two characters. Add 0
to 254etu to the normal guard time of 12etu. FFh
is the same as 00h.
13
bWaitingIntegerT0
1
00-FFh
WI for T=0 used to define WWT
00-03h
ICC Clock Stop Support:
00h = Stopping the Clock is not allowed
01h = Stop with Clock signal Low
02h = Stop with Clock signal High
03h = Stop with Clock either High or Low
14
bClockStop
1
Page 19 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Protocol Data Structure for Protocol T=1 (bProtocolNum=1, dwLength=00000007h)
Offset
10
Field
bmFindexDindex
Size
Value
Description
B7-4 – FI - Index into the Table 7 in ISO/IEC
7816-3:1997 selecting a clock rate conversion
factor
B3-0 – DI - Index into the Table 8 in
ISO/IEC 7816-3:1997 selecting a baud rate
conversion factor
1
For T-1, B7-2 – 000100b
B0 – Checksum type (b0=0 for LRC, b0=1 for
CRC
B1 – Convention used (b1=0 for direct, b1=1 for
inverse)
11
bmTCCKST1
1
10h,
11h,
12h,
13h
12
bGuardTimeT1
1
00-FFh
Extra guard time (0 to 254etu between two
characters). If value is FFh, then guard time is
reduced by 1h.
13
bwaitingIntegerT1
1
00-9Fh
B7-4 = BWI
B3-0 = CWI
14
bClockStop
1
00-03h
ICC Clock Stop Support:
00h = Stopping the Clock is not allowed
01h = Stop with Clock signal Low
02h = Stop with Clock signal High
03h = Stop with Clock either High or Low
15
bIFSC
1
00-FFh
Size of negotiated IFSC.
16
bNadValue
1
00h
Only support NAD = 00h
Page 20 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.2.4.
RDR_to_PC_Escape
This message is sent by ACR33U-A1 in response to PC_to_RDR_Escape messages.
Offset
Field
Size
Value
0
bMessageType
1
83h
1
dwLength
4
Size of abData field of this message.
5
bSlot
1
Same value as in Bulk-OUT message.
6
bSeq
1
Same value as in Bulk-OUT message.
7
bStatus
1
Slot status register as defined in CCID Section
4.2.1.
8
bError
1
Slot error register as defined in CCID Section
4.2.1.
9
bRFU
1
10
abData
Byte
array
9.2.4.1.
00h
Description
RFU (TPDU exchange level).
This field contains the data returned
by the CCID.
LED
This message is sent by ACR33U-A1 in response to PC_to_RDR_Escape LED messages.
Offset
Field
Size
Value
10
bcmdCode
1
81
11
wcmdLength
2
0000
13
9.2.4.2.
abStatus
2
00XX
Description
XXh for SW2:
00h: Success
01h: Bad parameter
Buzzer
This message is sent by ACR33U-A1 in response to PC_to_RDR_Escape buzzer messages.
Offset
Field
Size
Value
10
bcmdCode
1
88h
11
wcmdLength
2
0000h
13
abStatus
2
00XXh
Description
XXh:
00h = Success
01h = Bad parameter
Page 21 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.2.4.3.
Get Firmware Version
This message is sent by ACR33U-A1 in response to PC_to_RDR_Escape Get Firmware Version
messages.
Offset
Field
Size
Value
10
bcmdCode
1
84h
11
wcmdLength
2
0004h
13
abStatus
15
abData
2
00XXh
13
41h
43h
52h
33h
33h
2Dh
41h
31h
20h
XXh
XXh
XXh
XXh
Description
XXh:
00h = Success
01h = Bad parameter
XX XX XX XX: Firmware Version
Page 22 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3. Memory Card Command Set
Memory cards can be accessed via PC_to_RDR_XfrBlock command. All memory card functions are
mapped into pseudo-APDUs.
9.3.1.
Memory Card – 1, 2, 4, 8, 16 kilobit I2C Card
9.3.1.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to
PC/SC specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
01h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2
= 90 00h if no error.
Page 23 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.1.2.
SELECT_PAGE_SIZE
This command will choose the page size to read the smart card. The default value is 8-byte page
write. It will reset to default value whenever the card is removed or the reader is powered down.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
01h
00h
00h
01h
Page size
Where:
Page size = 03h for 8-byte page write
= 04h for 16-byte page write
= 05h for 32-byte page write
= 06h for 64-byte page write
= 07h for 128-byte page write
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 24 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.1.3.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
B0h
Byte Address
MSB
LSB
MEM_L
Where:
Byte Address
Memory address location of the memory card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2
= 90 00h if no error.
Page 25 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.1.4.
WRITE_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
D0h
Byte Address
MSB
LSB
MEM_L
Byte 1
….
....
Byte n
Where:
Byte Address
Memory address location of the memory card.
MEM_L
Length of data to be written to the memory card.
Byte x
Data to be written to the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2
= 90 00h if no error.
Page 26 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.2.
Memory Card – 32, 64, 128, 256, 512, 1024 kilobit I2C Card
9.3.2.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to
PC/SC specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
02h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 27 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.2.2.
SELECT_PAGE_SIZE
This command will choose the page size to read the smart card. The default value is 8-byte page
write. It will reset to default value whenever the card is removed or the reader is powered off.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
01h
00h
00h
01h
Page size
Where:
Data
TPDU to be sent to the card
Page size
= 03h for 8-byte page write
= 04h for 16-byte page write
= 05h for 32-byte page write
= 06h for 64-byte page write
= 07h for 128-byte page write
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2
= 90 00h if no error.
Page 28 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.2.3.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Byte Address
MSB
LSB
MEM_L
FFh
Where:
INS
= B0h for 32, 64,128, 256, 512 kilobit iic card
= 1011 000*b for 1024 kilobit iic card, where * is the MSB of the 17 bit
addressing
Byte Address
Memory address location of the memory card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2
= 90 00h if no error.
Page 29 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.2.4.
WRITE_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Byte Address
MSB
LSB
MEM_L
Byte 1
….
....
Byte n
FFh
Where:
INS
= D0h for 32, 64, 128, 256, 512 kilobit iic card
= 1101 000*b for 1024 kilobit iic card, where * is the MSB of the 17 bit
addressing.
Byte Address
Memory address location of the memory card.
MEM_L
Length of data to be written to the memory card.
Byte x
Data to be written to the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 30 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.3.
Memory Card – ATMEL AT88SC153
9.3.3.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset. It will also select the page size to be 8-byte page write.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of ScardConnect( ) API, please refer to PC/SC
specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
03h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 31 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.3.2.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
P1
Byte Address
MEM_L
00h
Where:
INS
= B0h for reading zone 00b
= B1h for reading zone 01b
= B2h for reading zone 10b
= B3h for reading zone 11b
= B4h for reading fuse
Byte Address
Memory address location of the memory card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2
= 90 00h if no error.
Page 32 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.3.3.
WRITE_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
P1
Bye Address
MEM_L
Byte 1
....
....
Byte n
00h
Where:
INS
= D0h for writing zone 00b
= D1h for writing zone 01b
= D2h for writing zone 10b
= D3h for writing zone 11b
= D4h for writing fuse
Byte Address
Memory address location of the memory card.
MEM_L
Length of data to be written to the memory card.
MEM_D
Data to be written to the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 33 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.3.4.
VERIFY_PASSWORD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
20h
00h
P2
Lc
Pw(0)
Pw(1)
Pw(2)
03h
Where:
Pw(0),Pw(1),Pw(2) Passwords to be sent to memory card.
P2 = 0000 00rpb
where the two bits “rp” indicate the password to compare
r = 0: Write password,
r = 1: Read password,
p = Password set number,
rp = 01 for the secure code
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
ErrorCnt
90h
Where:
SW1
= 90h
SW2 (ErrorCnt) = Error Counter. FFh indicates the verification is correct. 00h indicates the
password is locked (exceeded the maximum number of retries). Other
values indicate the current verification has failed.
Page 34 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.3.5.
INITIALIZE_AUTHENTICATION
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
84h
00h
00h
08h
Q(0)
Q(1)
…
Q(7)
Where:
Q(0),Q(1)…Q(7)
Host random number, 8 bytes.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 35 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.3.6.
VERIFY_AUTHENTICATION
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
82h
00h
00h
08h
Ch(0)
Ch(1)
…
Ch(7)
Where:
Ch(0),Ch(1)…Ch(7)
Host challenge, 8 bytes.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 36 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.4.
Memory Card – ATMEL AT88SC1608
9.3.4.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset. It will also select the page size to be 16-byte page write.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to
PC/SC specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
04h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 37 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.4.2.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Zone Address
Byte Address
MEM_L
FFh
Where:
INS
= B0h for reading user zone
= B1h for reading configuration zone or reading fuse
Zone Address
= 0000 0A10A9A8b, where A10 is the MSB of zone address
= don’t care for reading fuse
Byte Address
= A7A6A5A4 A3A2A1A0 b is the memory address location of the memory
card
= 1000 0000b for reading fuse
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2
= 90 00h if no error.
Page 38 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.4.3.
WRITE_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Zone Address
Byte Address
MEM_L
Byte 1
....
....
Byte n
FFh
Where:
INS
= D0h for writing user zone
= D1h for writing configuration zone or writing fuse
Zone Address = 0000 0A10A9A8b, where A10 is the MSB of zone address
= don’t care for writing fuse
Byte Address = A7A6A5A4 A3A2A1A0b is the memory address location of the memory card
= 1000 0000b for writing fuse
MEM_L
Length of data to be written to the memory card.
Byte x
Data to be written to the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 39 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.4.4.
VERIFY_PASSWORD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
20h
00h
00h
04h
Data
RP
Pw(0)
Pw(1)
Pw(2)
Where:
Pw(0),Pw(1),Pw(2): Passwords to be sent to memory card
RP
= 0000 rp2p1p0b
where the four bits “rp2p1p0” indicate the password to compare:
r = 0: Write password,
r = 1: Read password,
p2p1p0: Password set number
(rp2p1p0 = 0111 for the secure code)
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
ErrorCnt
90h
Where:
SW1
= 90h
SW2 (ErrorCnt) = Error Counter. FFh indicates the verification is correct. 00h indicates the
password is locked (exceeded the maximum number of retries). Other
values indicate the current verification has failed.
Page 40 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.4.5.
INITIALIZE_AUTHENTICATION
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
84h
00h
00h
08h
Q(0)
Q(1)
…
Q(7)
Where:
Byte Address
Memory address location of the memory card.
Q(0),Q(1)…Q(7)
Host random number, 8 bytes
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 41 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.4.6.
VERIFY_AUTHENTICATION
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
82h
00h
00h
08h
Q1(0)
Q1(1)
…
Q1(7)
Where:
Byte Address:
Memory address location of the memory card.
Q1(0),Q1(1)…Q1(7):
Host challenge, 8 bytes.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 42 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.5.
Memory Card – SLE4418/SLE4428/SLE5518/SLE5528
9.3.5.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to
PC/SC specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
05h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 43 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.5.2.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
B0h
Byte Address
MSB
LSB
MEM_L
Where:
MSB Byte Address
= 0000 00A9A8b is the memory address location of the memory card.
LSB Byte Address
= A7A6A5A4 A3A2A1A0b is the memory address location of the memory
card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2
= 90 00h if no error.
Page 44 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.5.3.
READ_PRESENTATION_ERROR_COUNTER_MEMORY_CARD
SLE4428 and SLE5528)
(only
This command is used to read the presentation error counter for the secret code.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
B1h
00h
00h
03h
Response data format (abData field in the RDR_to_PC_DataBlock)
ERRCNT
DUMMY 1
DUMMY 2
SW1
SW2
Where:
ERRCNT
The value of the presentation error counter. FFh indicates the last verification is
correct. 00h indicates the password is locked (exceeded the maximum number of
retries). Other values indicate the last verification has failed.
DUMMY
Two bytes dummy data read from the card.
SW1 SW2 = 90 00h if no error.
Page 45 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.5.4.
READ_PROTECTION_BIT
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
B2h
Byte Address
MSB
LSB
MEM_L
Where:
MSB Byte Address
= 0000 00A9A8b is the memory address location of the memory card.
LSB Byte Address
= A7A6A5A4 A3A2A1A0b is the memory address location of the memory
card.
MEM_L
Length of protection bits to be read from the card, in multiples of 8
bits. Maximum value is 32.
MEM_L = 1 + INT( (number of bits-1)/8 )
Example: To read eight protection bits starting from memory 0010h, the following pseudo-APDU
should be issued:
FF B1 00 10 01h
Response data format (abData field in the RDR_to_PC_DataBlock)
PROT 1
…
…
PROT L
SW1
SW2
Where:
PROT y
Bytes containing the protection bits.
SW1 SW2 = 90 00h if no error.
The arrangement of the protection bits in the PROT bytes is as follows:
PROT 1
P8
P7
P6
P5
P4
PROT 2
P3
P2
P1
P16
P15
P14
P13
P12
….
P11
P10
P9
..
..
..
..
..
..
P18
P17
Where:
Px is the protection bit of BYTE x in the response data
‘0’ byte is write protected
‘1’ byte can be written
Page 46 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.5.5.
WRITE_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
D0h
Byte Address
MSB
LSB
MEM_L
Byte 1
....
....
Byte N
Where:
MSB Byte Address = 0000 00A9A8b is the memory address location of the memory card.
LSB Byte Address = A7A6A5A4 A3A2A1A0b is the memory address location of the memory
card.
MEM_L:
Length of data to be written to the memory card.
Byte x:
Data to be written to the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 47 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.5.6.
WRITE_PROTECTION_MEMORY_CARD
Each of the bytes specified in the command is internally in the card compared with the byte stored at
the specified address and if the data is matched, the corresponding protection bit is irreversibly
programmed to ‘0’.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
FFh
D1h
Byte Address
MSB
LSB
MEM_L
Byte 1
....
....
Byte N
Where:
MSB Byte Address
= 0000 00A9A8b is the memory address location of the memory card
LSB Byte Address
= A7A6A5A4 A3A2A1A0b is the memory address location of the memory
card
MEM_L
Length of data to be written to the memory card
Byte x
Byte values to be compared with the data in the card starting at Byte
Address. BYTE 1 is compared with the data at Byte Address; BYTE
N is compared with the data at (Byte Address+N-1).
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 48 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.5.7.
PRESENT_CODE_MEMORY_CARD (only SLE 4428 and SLE5528)
This command is used to submit the secret code to the memory card to enable the write operation
with the SLE4428 and SLE5528 card, the following actions are executed:
•
Search a ‘1’ bit in the presentation error counter and write the bit to ‘0’
•
Present the specified code to the card
•
Try to erase the presentation error counter
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
20h
00h
00h
02h
CODE
Byte 1
Byte 2
Where:
CODE
Two bytes secret code (PIN).
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
ErrorCnt
90h
Where:
SW1
= 90h
SW2 (ErrorCnt)
= Error Counter. FFh indicates the verification is correct. 00h indicates
the password is locked (exceeded the maximum number of retries).
Other values indicate the current verification has failed.
Page 49 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.
Memory Card – SLE4432/SLE4442/SLE5532/SLE5542
9.3.6.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to
PC/SC specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
06h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 50 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.2.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
B0h
00h
Byte Address
MEM_L
Where:
Byte Address = A7A6A5A4 A3A2A1A0b is the memory address location of the memory card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2
= 90 00h if no error.
Page 51 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.3.
READ_PRESENTATION_ERROR_COUNTER_MEMORY_CARD
SLE4442 and SLE5542)
(only
This command is used to read the presentation error counter for the secret code.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
B1h
00h
00h
04h
Response data format (abData field in the RDR_to_PC_DataBlock)
ERRCNT
DUMMY 1
DUMMY 2
DUMMY 3
SW1
SW2
Where:
ERRCNT
The value of the presentation error counter. 07h indicates the last verification is
correct. 00h indicates the password is locked (exceeded the maximum number of
retries). Other values indicate the last verification has failed.
DUMMY
Three bytes dummy data read from the card.
SW1 SW2 = 90 00h if no error.
Page 52 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.4.
READ_PROTECTION_BITS
This command is used to read the protection bits for the first 32 bytes.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
B2h
00h
00h
04h
Response data format (abData field in the RDR_to_PC_DataBlock)
PROT 1
PROT 2
PROT3
PROT 4
SW1
SW2
Where:
PROT y
Bytes containing the protection bits from protection memory.
SW1 SW2
= 90 00h if no error.
The arrangement of the protection bits in the PROT bytes is as follows:
PROT 1
P8
P7
P6
P5
P4
PROT 2
P3
P2
P1
P16
P15
P14
P13
P12
…
P11
P10
P9
..
..
..
..
..
..
P18
P17
Where:
Px is the protection bit of BYTE x in the response data
‘0’ byte is write protected
‘1’ byte can be written
Page 53 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.5.
WRITE_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
D0h
00h
Byte Address
MEM_L
Byte 1
....
....
Byte N
Where:
Byte Address = A7A6A5A4 A3A2A1A0b is the memory address location of the memory card.
MEM_L
Length of data to be written to the memory card.
Byte x
Data to be written to the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 54 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.6.
WRITE_PROTECTION_MEMORY_CARD
Each of the bytes specified in the command is internally in the card compared with the byte stored at
the specified address and if the data is matched, the corresponding protection bit is irreversibly
programmed to ‘0’.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
D1h
00h
Byte Address
MEM_L
Byte 1
....
....
Byte N
Where:
Byte Address = 000A4 A3A2A1A0b (00h to 1Fh) is the protection memory address location of
the memory card.
MEM_L
Length of data to be written to the memory card.
Byte x
Byte values to be compared with the data in the card starting at Byte
Address. BYTE 1 is compared with the data at Byte Address; BYTE N is
compared with the data at (Byte Address+N-1).
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 55 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.7.
PRESENT_CODE_MEMORY_CARD (only SLE 4442 and SLE5542)
This command is used to submit the secret code to the memory card to enable the write operation
with the SLE4442 and SLE5542 card, the following actions are executed:
1. Search a ‘1’ bit in the presentation error counter and write the bit to ‘0’.
2. Present the specified code to the card.
3. Try to erase the presentation error counter.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
20h
00h
00h
03h
CODE
Byte 1
Byte 2
Byte 3
Where:
CODE
Three bytes secret code (PIN).
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
ErrorCnt
90h
Where:
SW1
SW2 (ErrorCnt)
= 90h.
= Error Counter. 07h indicates the verification is correct. 00h indicates the
password is locked (exceeded the maximum number of retries). Other
values indicate the current verification has failed.
Page 56 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.6.8.
CHANGE_CODE_MEMORY_CARD (only SLE 4442 and SLE5542)
This command is used to write the specified data as new secret code in the card.
The current secret code must be presented to the card with the PRESENT_CODE command prior to
the execution of this command.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
D2h
00h
01h
03h
CODE
Byte 1
Byte 2
Byte 3
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 57 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.7.
Memory Card – SLE4406/SLE4436/SLE5536/SLE6636
9.3.7.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to
PC/SC specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
07h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 58 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.7.2.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
B0h
00h
Byte Address
MEM_L
Where:
Byte Address = Memory address location of the memory card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2 = 90 00h if no error.
Page 59 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.7.3.
WRITE_ONE_BYTE_MEMORY_CARD
This command is used to write one byte to the specified address of the inserted card. The byte is
written to the card with LSB first (i.e. the bit at card address 0 is regarded as the LSB of byte 0).
Four different WRITE modes are available for this card type, which are distinguished by a flag in the
command data field:
1. Write
The byte value specified in the command is written to the specified address. This command can
be used for writing personalization data and counter values to the card.
2. Write with carry
The byte value specified in the command is written to the specified address and the command is
sent to the card to erase the next lower counter stage. This write mode can therefore only be
used for updating the counter value in the card.
3. Write with backup enabled (SLE4436, SLE5536 and SLE6636 only)
The byte value specified in the command is written to the specified address. This command can
be used for writing personalization data and counter values to the card. Backup bit is enabled to
prevent data loss when card tearing occurs.
4. Write with carry and backup enabled (SLE4436, SLE5536 and SLE6636 only)
The byte value specified in the command is written to the specified address and the command is
sent to the card to erase the next lower counter stage. This write mode can therefore only be
used for updating the counter value in the card. Backup bit is enabled to prevent data loss when
card tearing occurs.
With all write modes, the byte at the specified card address is not erased prior to the write operation
and hence, memory bits can only be programmed from '1' to '0'.
The backup mode available in the SLE4436 and SLE5536 card can be enabled or disabled in the
write operation.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
D0h
00h
Byte Address
MEM_L
MODE
BYTE
02h
Where:
Byte Address = Memory address location of the memory card.
MODE
Specifies the write mode and backup option.
00h: write
01h: write with carry
02h: write with backup enabled (SLE4436, SLE5536 and SLE6636 only)
03h: write with carry and with backup enabled (SLE4436, SLE5536 and
SLE6636 only)
BYTE
Byte value to be written to the card.
Page 60 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 61 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.7.4.
PRESENT_CODE_MEMORY_CARD
This command is used to submit the secret code to the memory card to enable the card
personalization mode, the following actions are executed:
1. Search a '1' bit in the presentation counter and write the bit to '0'.
2. Present the specified code to the card.
The ACR33U-A1 does not try to erase the presentation counter after the code submission. This must
be done by the application software through a separate 'Write with carry' command.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
20h
00h
00h
04h
CODE
ADDR
Byte 1
Byte 2
Byte 3
09h
Where:
ADDR
Byte address of the presentation counter in the card.
CODE
Three bytes secret code (PIN).
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 62 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.7.5.
AUTHENTICATE_MEMORY_CARD (SLE4436, SLE5536 and SLE6636
only)
This command is used to read a card authentication certificate from a SLE5536 or SLE6636 card, the
following actions are executed by the ACR33U-A1:
1. Select Key 1 or Key 2 in the card as specified in the command.
2. Present the challenge data specified in the command to the card.
3. Generate the specified number of CLK pulses for each bit of authentication data computed by
the card.
4. Read 16 bits of authentication data from the card.
5. Reset the card to normal operation mode.
The authentication has to be performed in two steps. The first step is to send the Authentication
Certificate to the card. The second step is to get back two bytes of authentication data calculated by
the card.
Step 1: Send Authentication Certificate to the Card.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
FFh
84h
00h
00h
MEM_L
CODE
KEY
CLK_CNT
Byte1
Byte 2
……
Byte 5
Byte 6
08h
Where:
KEY:
Key to be used for the computation of the authentication certificate:
00h: key 1 with no cipher block chaining
01h: key 2 with no cipher block chaining
80h: key 1 with cipher block chaining (SLE5536 and SLE6636 only)
81h: key 2 with cipher block chaining (SLE5536 and SLE6636 only)
CLK_CNT:
Number of CLK pulses to be supplied to the card for the computation of each
bit of the authentication certificate. Typical value is 160 clocks (A0h).
BYTE 1...6:
Card challenge data.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
61h
02h
Where:
SW1 SW2 = 61 02h if no error, meaning two bytes of authentication data are ready. The
authentication data can be retrieved by “Get_Response” command.
Page 63 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Step 2: Get back the Authentication Data (Get_Response).
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
MEM_L
FFh
C0h
00h
00h
02h
Response data format (abData field in the RDR_to_PC_DataBlock)
CERT
SW1
SW2
Where:
CERT
16 bits of authentication data computed by the card. The LSB of BYTE 1 is the
first authentication bit read from the card.
SW1 SW2 = 90 00h if no error.
Page 64 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.8.
Memory Card – SLE4404
9.3.8.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of ScardConnect( ) API, please refer to PC/SC
specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card
Type
FFh
A4h
00h
00h
01h
08h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 65 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.8.2.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
B0h
00h
Byte Address
MEM_L
Where:
Byte Address = Memory address location of the memory card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2 = 90 00h if no error.
Page 66 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.8.3.
WRITE_MEMORY_CARD
This command is used to write data to the specified address of the inserted card. The byte is written
to the card with LSB first (i.e. the bit at card address 0 is regarded as the LSB of byte 0).
The byte at the specified card address is not erased prior to the write operation and, hence, memory
bits can only be programmed from '1' to '0'.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
D0h
00h
Byte
Address
MEM_
L
Byte
1
… …
Byte N
Where:
Byte Address = Memory address location of the memory card.
MEM_L
Length of data to be written to the memory card.
BYTE
Byte value to be written to the card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 67 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.8.4.
ERASE_SCRATCH_PAD_MEMORY_CARD
This command is used to erase the data of the scratch pad memory of the inserted card. All memory
bits inside the scratch pad memory will be programmed to the state of ‘1’.
To erase error counter or user area, please use the VERIFY_USER_CODE command as specified in
the Section 4.8.5.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
D2h
00h
Byte Address
MEM_L
00h
Where:
Byte Address
= Memory byte address location of the scratch pad.
Typical value is 02h.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error
Page 68 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.8.5.
VERIFY_USER_CODE
This command is used to submit User Code (2 bytes) to the inserted card. User Code is used to
enable the memory access of the card.
The following actions are executed:
1. Present the specified code to the card.
2. Search a '1' bit in the presentation error counter and write the bit to '0'.
3. Erase the presentation error counter. The User Error Counter can be erased when the
submitted code is correct.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Error
Counter
LEN
Byte
Address
MEM_L
CODE
FFh
20h
04h
08h
02h
Byte 1
Byte 2
Where:
Error Counter LEN
Length of presentation error counter in bits.
Byte Address
Byte address of the key in the card.
CODE
2 bytes User Code
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
= 63 00h if there is no more retry chance
Note: After SW1 SW2 = 9000h has been received, read back the User Error Counter to check
whether the VERIFY_USER_CODE is correct. If User Error Counter is erased and equals to FFh, the
previous verification is a success.
Page 69 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.8.6.
VERIFY_MEMORY_CODE
This command is used to submit Memory Code (4 bytes) to the inserted card. Memory Code is used
to authorize the reloading of the user memory, together with the User Code.
The following actions are executed:
1. Present the specified code to the card.
2. Search a '1' bit in the presentation error counter and write the bit to '0'.
3. Erase the presentation error counter. Please note that Memory Error Counter cannot be
erased.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Error
Counter
LEN
Byte
Address
MEM_L
CODE
FFh
20h
40h
28h
04h
Byte 1
Byte 2
Byte 3
Byte 4
Where:
Error Counter LEN
Length of presentation error counter in bits.
Byte Address
Byte address of the key in the card.
CODE
4 bytes Memory Code.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
= 63 00h if there is no more retry chance.
Note: After SW1 SW2 = 90 00h has been received, read back the Application Area to check whether
the VERIFY_MEMORY_CODE is correct. If all data in Application Area is erased and equals to FFh,
the previous verification is a success.
Page 70 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.
Memory Card – AT88SC101/AT88SC102/AT88SC1003
9.3.9.1.
SELECT_CARD_TYPE
This command powers down and up the selected card inserted in the card reader and performs a card
reset.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to
PC/SC specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
Card Type
FFh
A4h
00h
00h
01h
09h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 71 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.2.
READ_MEMORY_CARD
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
B0h
00h
Byte Address
MEM_L
Where:
Byte Address = Memory address location of the memory card.
MEM_L
Length of data to be read from the memory card.
Response data format (abData field in the RDR_to_PC_DataBlock)
BYTE 1
…
…
BYTE N
SW1
SW2
Where:
BYTE x
Data read from memory card.
SW1 SW2 = 90 00h if no error.
Page 72 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.3.
WRITE_MEMORY_CARD
This command is used to write data to the specified address of the inserted card. The byte is written
to the card with LSB first (i.e. the bit at card address 0 is regarded as the LSB of byte 0).
The byte at the specified card address is not erased prior to the write operation and hence, memory
bits can only be programmed from '1' to '0'.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
D0h
00h
Byte Address
MEM_L
Byte 1
....
....
Byte N
Where:
Byte Address = Memory address location of the memory card.
MEM_L
Length of data to be written to the memory card.
BYTE
Byte value to be written to the card.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 73 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.4.
ERASE_NON_APPLICATION_ZONE
This command is used to erase the data in Non-Application Zones. The EEPROM memory is
organized into 16 bit words. Although erases are performed on single bits the ERASE operation clears
an entire word in the memory. Therefore, performing an ERASE on any bit in the word will clear ALL
16 bits of that word to the state of ‘1’.
To erase Error Counter or the data in Application Zones, please refer to:
•
ERASE_APPLICATION_ZONE_WITH_ERASE command as specified in Section 8.3.8.5
•
ERASE_APPLICATION_ZONE_WITH_WRITE_AND_ERASE command as specified in
Section 8.3.8.6
•
VERIFY_SECURITY_CODE commands as specified in Section 8.3.8.7
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
FFh
D2h
00h
Byte Address
MEM_L
00h
Where:
Byte Address = Memory byte address location of the word to be erased.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 74 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.5.
ERASE_APPLICATION_ZONE_WITH_ERASE
This command can be used in the following cases:
•
AT88SC101: To erase the data in Application Zone with EC Function Disabled
•
AT88SC102: To erase the data in Application Zone 1
•
AT88SC102: To erase the data in Application Zone 2 with EC2 Function Disabled
•
AT88SC1003: To erase the data in Application Zone 1
•
AT88SC1003: To erase the data in Application Zone 2 with EC2 Function Disabled
•
AT88SC1003: To erase the data in Application Zone 3
The following actions are executed for this command:
1. Present the specified code to the card.
2. Erase the presentation error counter. The data in corresponding Application Zone can be
erased when the submitted code is correct.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Error Counter
LEN
FFh
20h
00h
Byte
Address
MEM_L
CODE
Byte 1
Byte 2
…….
……
Byte N
Where:
Error Counter LEN
Length of presentation error counter in bits. The value should be 00h
always.
Byte Address
Byte address of the Application Zone Key in the card. Please refer to
the table below for the correct value.
Case
Byte Address
LEN
AT88SC101: Erase Application Zone with EC function disabled
96h
04h
AT88SC102: Erase Application Zone 1
56h
06h
AT88SC102: Erase Application Zone 2 with EC2 function disabled
9Ch
04h
AT88SC1003: Erase Application Zone 1
36h
06h
AT88SC1003: Erase Application Zone 2 with EC2 function disabled
5Ch
04h
AT88SC1003: Erase Application Zone 3
C0h
06h
Where:
MEM_L
Length of the Erase Key. Please refer to the table below for the
correct value
CODE
N bytes of Erase Key
Page 75 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Note: After SW1 SW2 = 90 00h has been received, read back the data in Application Zone to check
whether the ERASE_APPLICATION_ZONE_WITH_ERASE is correct. If all data in Application Zone
is erased and equals to FFh, the previous verification is a success.
Page 76 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.6.
ERASE_APPLICATION_ZONE_WITH_WRITE_AND_ERASE
This command can be used in the following cases:
•
AT88SC101: To erase the data in Application Zone with EC Function Enabled
•
AT88SC102: To erase the data in Application Zone 2 with EC2 Function Enabled
•
AT88SC1003: To erase the data in Application Zone 2 with EC2 Function Enabled
With EC or EC2 Function Enabled (that is, ECEN or EC2EN Fuse is undamaged and in “1” state), the
following actions are executed:
1. Present the specified code to the card.
2. Search a '1' bit in the presentation error counter and write the bit to '0'.
3. Erase the presentation error counter. The data in corresponding Application Zone can be
erased when the submitted code is correct.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Error
Counter LEN
FFh
20h
80h
CODE
Byte
Address
MEM_L
Byte 1
Byte 2
Byte 3
Byte 4
04h
Where:
Error Counter LEN
Length of presentation error counter in bits. The value should be 80h
always.
Byte Address
Byte address of the Application Zone Key in the card.
Byte Address
CODE
AT88SC101
96h
AT88SC102
9Ch
AT88SC1003
5Ch
4 bytes Erase Key.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
= 63 00h if there is no more retry chance.
Note: After SW1 SW2 = 90 00h has been received, read back the data in Application Zone to check
whether the ERASE_APPLICATION_ZONE_WITH_ERASE is correct. If all data in Application Zone
is erased and equals to FFh, the previous verification is a success.
Page 77 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.7.
VERIFY_SECURITY_CODE
This command is used to submit Security Code (2 bytes) to the inserted card. Security Code is to
enable the memory access of the card.
The following actions are executed:
1. Present the specified code to the card.
2. Search a '1' bit in the presentation error counter and write the bit to '0'.
3. Erase the presentation error counter. The Security Code Attempts Counter can be erased
when the submitted code is correct.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Error Counter LEN
Byte Address
MEM_L
FFh
20h
08h
0Ah
02h
CODE
Byte 1
Byte 2
Where:
Error Counter LEN
Length of presentation error counter in bits.
Byte Address
Byte address of the key in the card.
CODE
2 bytes Security Code.
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
= 63 00h if there is no more retry chance.
Note: After SW1 SW2 = 90 00h has been received, read back the Security Code Attempts Counter
(SCAC) to check whether the VERIFY_USER_CODE is correct. If SCAC is erased and equals to FFh,
the previous verification is a success.
Page 78 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.3.9.8.
BLOWN_FUSE
This command is used to blow the fuse of the inserted card. The fuse can be EC_EN Fuse, EC2EN
Fuse, Issuer Fuse or Manufacturer’s Fuse.
Note: Blowing of the fuse is an irreversible process.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
Error
Counter
LEN
FFh
05h
00h
CODE
Byte
Address
MEM_L
00h
04h
Fuse Bit
Addr
(High)
Fuse Bit
Addr
(Low)
State of
FUS
Pin
State of
RST Pin
01h
00h or 01h
Where:
Fuse Bit Addr (2 bytes)
Bit address of the fuse. Please refer to the table below for the
correct value.
State of FUS Pin
State of the FUS pin. Should always be 01h.
State of RST Pin
State of the RST pin. Please refer to below table for the correct
value.
AT88SC101
AT88SC102
AT88SC1003
Fuse Bit Addr
(High)
Fuse Bit Addr
(Low)
State of RST
Pin
Manufacturer
Fuse
05h
80h
01h
EC_EN Fuse
05h
C9h
01h
Issuer Fuse
05h
E0h
01h
Manufacturer
Fuse
05h
B0h
01h
EC2EN Fuse
05h
F9h
01h
Issuer Fuse
06h
10h
01h
Manufacturer
Fuse
03h
F8h
00h
EC2EN Fuse
03h
FCh
00h
Issuer Fuse
03h
E0h
00h
Response data format (abData field in the RDR_to_PC_DataBlock)
SW1
SW2
Where:
SW1 SW2 = 90 00h if no error.
Page 79 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
9.4. Other Commands Access via PC_to_RDR_XfrBlock
9.4.1.
GET_READER_INFORMATION
This command returns relevant information about the particular ACR33U-A1 SmartDuo model and the
current operating status, such as, the firmware revision number, the maximum data length of a
command and response, the supported card types, and whether a card is inserted and powered up.
Note: This command can only be used after the logical smart card reader communication has been
established using the SCardConnect( ) API. For details of ScardConnect( ) API, please refer to PC/SC
specifications.
Command format (abData field in the PC_to_RDR_XfrBlock)
Pseudo-APDU
CLA
INS
P1
P2
Lc
FFh
09h
00h
00h
10h
Response data format (abData field in the RDR_to_PC_DataBlock)
FIRMWARE
MAX_C
MAX_R
C_TYPE
C_SEL
C_STAT
Where:
FIRMWARE
10 bytes data for firmware version.
MAX_C
The maximum number of command data bytes.
MAX_R
The maximum number of data bytes that can be requested to be transmitted
in a response.
C_TYPE
The card types supported by the ACR33U-A1 SmartDuo. This data field is a
bitmap with each bit representing a particular card type. A bit set to '1' means
the corresponding card type is supported by the reader and can be selected
with the SELECT_CARD_TYPE command. The bit assignment is as follows:
Byte
card type
1
2
F E D C B A 9 8 7 6 5 4 3 2 1 0
Refer to the next section for the correspondence between these bits and the respective card
types.
C_SEL
The currently selected card type. A value of 00h means that no card type has
been selected.
C_STAT
Indicates whether a card is physically inserted in the reader and whether the
card is powered up:
00h: no card inserted
01h: card inserted, not powered up
03h: card powered up
Page 80 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Appendix A. Supported Card Types
The following table summarizes the card type returned by GET_READER_INFORMATION
correspond with the respective card type.
Byte
Card Type
00h
Auto-select T=0 or T=1 communication protocol
01h
I2C memory card (1, 2, 4, 8 and 16 kilobits)
02h
I2C memory card (32, 64, 128, 256, 512 and 1024 kilobits)
03h
Atmel AT88SC153 secure memory card
04h
Atmel AT88SC1608 secure memory card
05h
Infineon SLE 4418 and SLE 4428
06h
Infineon SLE 4432 and SLE 4442
07h
Infineon SLE 4406, SLE 4436 and SLE 5536
08h
Infineon SLE 4404
09h
Atmel AT88SC101, AT88SC102 and AT88SC1003
0Ch
MCU-based cards with T=0 communication protocol
0Dh
MCU-based cards with T=1 communication protocol
Table 3: Supported Card Types
Page 81 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Appendix B. CCID Response Error Codes
The following table summarizes the possible error code returned by the ACR33U-A1:
Error Code
Status
FFh
SLOTERROR_CMD_ABORTED
FEh
SLOTERROR_ICC_MUTE
FDh
SLOTERROR_XFR_PARITY_ERROR
FCh
SLOTERROR_XFR_OVERRUN
FBh
SLOTERROR_HW_ERROR
F8h
SLOTERROR_BAD_ATR_TS
F7h
SLOTERROR_BAD_ATR_TCK
F6h
SLOTERROR_ICC_PROTOCOL_NOT_SUPPORTED
F5h
SLOTERROR_ICC_CLASS_NOT_SUPPORTED
F4h
SLOTERROR_PROCEDURE_BYTE_CONFLICE
F3h
SLOTERROR_DEACTIVATED_PROTOCOL
F2h
SLOTERROR_BUSY_WITH_AUTO_SEQUENCE
E0h
SLOTERROR_CMD_SLOT_BUSY
Table 4: CCID Response Error Codes
Android is a trademark of Google Inc.
Atmel is registered trademark of Atmel Corporation or its subsidiaries, in the US and/or other countries.
Infineon is a registered trademark of Infineon Technologies AG.
Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries.
Page 82 of 82
ACR33U-A1 – Reference Manual
Version 1.05
info@acs.com.hk
www.acs.com.hk
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising