Highly Integrated ISO14443A Reader IC, MF RC500

MIFARE Classic Security Commands
LOADKEYE2 COMMAND 0B HEX

Command: LoadKeyE2
Code (hex): 0B
Action: Reads a key from the E²PROM and puts it into the internal key buffer
Arguments and Data: Start Address LSB, Start Address MSB
Returned Data: -

The LoadKeyE2-Command interprets the first two bytes found in the FIFO buffer as the E²PROM starting byte-address. The E²PROM bytes starting from that address are interpreted as a key, which must be stored in the correct key format as described in chapter 6.4.1. Command execution starts as soon as both argument bytes are available in the FIFO buffer. The LoadKeyE2-Command can be started only by the μ-Processor. It stops automatically after having copied the key from the E²PROM into the key buffer.

Relevant Error Flags for the LoadKeyE2-Command
If the key format is not correct (see chapter 6.4.1) an undefined value is copied into the key buffer and the flag KeyError is set.

LOADKEY COMMAND 19 HEX

Command: LoadKey
Code (hex): 19
Action: Reads a key from the FIFO buffer and puts it into the key buffer
Arguments and Data: Byte0 (LSB), Byte1, …, Byte10, Byte11 (MSB)
Returned Data: -

The LoadKey-Command interprets the first twelve bytes it finds in the FIFO buffer as key, stored in the correct key format. When the twelve argument-bytes are available in the FIFO buffer they are checked and, if valid, are copied into the key buffer. The LoadKey-Command can only be started by the μ-Processor. It stops automatically after having copied the key from the FIFO buffer into the key buffer.

Relevant Error Flags for the LoadKey-Command
All bytes requested are copied from the FIFO buffer to the key buffer. If the key format is not correct, an undefined value is copied into the key buffer and the flag KeyError is set.
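The twelve-byte key format that LoadKey and LoadKeyE2 check is defined in chapter 6.4.1 of the datasheet, which is not reproduced on this page: each key nibble is stored in the low half of a byte with its bitwise inverse in the high half, high nibble first. The following is an added example, not NXP code, and the function names are hypothetical; it encodes a 6-byte key and lets the host pre-check a key image for the condition that would raise KeyError.

```c
#include <stdint.h>

/* One nibble -> one format byte: inverse in bits 7..4, nibble in bits 3..0
   (format per datasheet chapter 6.4.1, not shown on this page). */
static uint8_t pack_nibble(uint8_t n)
{
    n &= 0x0F;
    return (uint8_t)(((~n & 0x0F) << 4) | n);
}

/* Expand a 6-byte (48-bit) Crypto1 key into the 12-byte key-buffer format. */
void rc500_encode_key(const uint8_t key[6], uint8_t out[12])
{
    for (int i = 0; i < 6; i++) {
        out[2 * i]     = pack_nibble((uint8_t)(key[i] >> 4)); /* high nibble */
        out[2 * i + 1] = pack_nibble(key[i]);                 /* low nibble  */
    }
}

/* Returns 1 if every byte is nibble/inverse-nibble, 0 otherwise. Run this on
   the host before LoadKey, or over an E2PROM image before provisioning. */
int rc500_key_format_ok(const uint8_t fmt[12])
{
    for (int i = 0; i < 12; i++)
        if (((fmt[i] >> 4) ^ (fmt[i] & 0x0F)) != 0x0F)
            return 0;
    return 1;
}

/* Inverse of rc500_encode_key. Returns 0 on success, -1 on a malformed image,
   in which case key[] is left untouched. */
int rc500_decode_key(const uint8_t fmt[12], uint8_t key[6])
{
    if (!rc500_key_format_ok(fmt))
        return -1;
    for (int i = 0; i < 6; i++)
        key[i] = (uint8_t)(((fmt[2 * i] & 0x0F) << 4) | (fmt[2 * i + 1] & 0x0F));
    return 0;
}
```

A raw 6-byte key padded to twelve bytes fails rc500_key_format_ok, which is the common way to end up with KeyError set and an undefined key buffer.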

AUTHENT1 COMMAND 0C HEX

Command: Authent1
Code (hex): 0C
Action: Performs the first part of the Crypto1 (MIFARE Classic) card authentication
Arguments and Data: Card Auth-Command, Card Block Address, Card Serial Number LSB, Card Serial Number Byte1, Card Serial Number Byte2, Card Serial Number MSB
Returned Data: -

The Authent1-Command is a special Transceive-Command: it takes six argument bytes which are sent to the card. The card’s response is not forwarded to the μ-Processor, but is used to check the authenticity of the card and to prove authenticity of the MF RC500 to the card. The Authent1-Command can be triggered only by the μ-Processor. The sequence of states for this command is the same as for the Transceive-Command.

AUTHENT2 COMMAND 14 HEX

Command: Authent2
Code (hex): 14
Action: Performs the second part of the card authentication using the Crypto1 algorithm.
Arguments and Data: -
Returned Data: -

The Authent2-Command is a special Transceive-Command. It does not need any argument bytes; all data that has to be sent to the card is assembled by the MF RC500 itself. The card response is not forwarded to the μ-Processor, but is used to check the authenticity of the card and to prove authenticity of the MF RC500 to the card. The Authent2-Command can only be started by the μ-Processor. The logical sequence for this command is the same as for the Transceive-Command.

Effect of the Authent2-Command
If the Authent2-Command was successful, authenticity of card and MF RC500 is proved. In this case, the control bit Crypto1On is set automatically. When bit Crypto1On is set, all further card communication is done encrypted, using the Crypto1 security algorithm. If the Authent2-Command fails, bit Crypto1On is cleared.
Note: The flag Crypto1On cannot be set by the μ-Processor but only through a successfully performed Authent2-Command. The μ-Processor may clear the bit Crypto1On to continue with plain card communication.
Note: The Authent2-Command has to be executed immediately after a successful Authent1-Command. Furthermore, the keys stored in the key buffer and those on the card have to match.

MIFARE CLASSIC AUTHENTICATION AND CRYPTO1
The security algorithm implemented in MIFARE Classic products is called Crypto1. It is based on a proprietary stream cipher with a key length of 48 bits. To access data of a MIFARE Classic card, knowledge of the corresponding key is necessary. For successful card authentication and subsequent access to the card’s data stored in the EEPROM, the correct key has to be available in the MF RC500. After a card is selected as defined in ISO14443A the user may continue with the MIFARE Classic protocol. In this case it is mandatory to perform a card authentication. The Crypto1 authentication is a 3-pass authentication. This procedure is done automatically with the execution of the Authent1- (see 16.8.3) and the Authent2-Commands (see 16.8.4). During the card authentication procedure, the security algorithm is initialised. The communication with a MIFARE Classic card following a successful authentication is encrypted.

Crypto1 Key Handling
During the authentication command the MF RC500 reads the key from the internal key buffer. The key is always taken from the key buffer. Therefore, the commands for Crypto1 authentication do not require addressing of a key. The user has to ensure that the correct key is prepared in the key buffer before the card authentication is triggered.
The key buffer can be loaded
–from the E²PROM with the LoadKeyE2-Command.
–directly from the μ-Processor via the FIFO-Buffer with the LoadKey-Command.
This is shown in the following figure:

Performing MIFARE Classic Authentication
To enable authentication of MIFARE Classic cards the Crypto1 security algorithm is implemented. To obtain valid authentication, the correct key has to be available in the key buffer of the MF RC500.
–Step 1: Load the internal key buffer by means of the LoadKeyE2- (see 16.8.1) or the LoadKey-Command.
–Step 2: Start the Authent1-Command (see 16.8.3). When finished, check the error flags to obtain the status of the command execution.
–Step 3: Start the Authent2-Command (see 16.8.4). When finished, check the error flags and bit Crypto1On to obtain the status of the command execution.
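Steps 1 to 3 as host-side control flow, in an added example that is not NXP code. The sim_reader type is a constructed stand-in for the chip (not its register map) that models only the rules stated above, plus the nibble/inverse key format of chapter 6.4.1; all function names are hypothetical. The host stops at the first error and clears Crypto1On on any failure.

```c
#include <stdint.h>
#include <string.h>
enum { CMD_LOADKEY = 0x19, CMD_AUTHENT1 = 0x0C, CMD_AUTHENT2 = 0x14 }; /* codes from this page */

/* Constructed chip model: FIFO, key buffer, one summary error flag, Crypto1On. */
typedef struct {
    uint8_t fifo[16], key_buf[12], card_key[12];
    size_t fifo_len;
    int error, crypto1_on, auth1_ok;
} sim_reader;

static void sim_fifo_write(sim_reader *r, const uint8_t *d, size_t n)
{ memcpy(r->fifo, d, n); r->fifo_len = n; }   /* caller keeps n <= 16 */

/* Keys must match; Authent2 is valid only directly after a successful
   Authent1; Crypto1On is set only by a successful Authent2. */
static void sim_start(sim_reader *r, uint8_t cmd)
{
    int prev_auth1 = r->auth1_ok;
    r->error = 0; r->auth1_ok = 0;
    if (cmd == CMD_LOADKEY) {
        r->error = (r->fifo_len != 12);
        for (size_t i = 0; i < r->fifo_len && i < 12; i++)   /* KeyError model */
            if (((r->fifo[i] >> 4) ^ (r->fifo[i] & 0x0F)) != 0x0F) r->error = 1;
        memcpy(r->key_buf, r->fifo, 12);
    } else if (cmd == CMD_AUTHENT1) {
        r->auth1_ok = r->fifo_len == 6 && memcmp(r->key_buf, r->card_key, 12) == 0;
        r->error = !r->auth1_ok;
    } else if (cmd == CMD_AUTHENT2) {
        r->crypto1_on = prev_auth1;
        r->error = !prev_auth1;
    }
    r->fifo_len = 0;
}

typedef enum { AUTH_OK, AUTH_KEY_ERROR, AUTH_STEP1_FAILED, AUTH_STEP2_FAILED } auth_result;

/* Host clears Crypto1On so a stale session bit never outlives a failed attempt. */
static auth_result fail(sim_reader *r, auth_result why) { r->crypto1_on = 0; return why; }

auth_result authenticate(sim_reader *r, const uint8_t key12[12], uint8_t auth_cmd,
                         uint8_t block, const uint8_t uid_lsb_first[4])
{
    uint8_t args[6] = { auth_cmd, block, uid_lsb_first[0], uid_lsb_first[1],
                        uid_lsb_first[2], uid_lsb_first[3] };
    sim_fifo_write(r, key12, 12); sim_start(r, CMD_LOADKEY);      /* Step 1 */
    if (r->error) return fail(r, AUTH_KEY_ERROR);
    sim_fifo_write(r, args, 6);   sim_start(r, CMD_AUTHENT1);     /* Step 2 */
    if (r->error) return fail(r, AUTH_STEP1_FAILED);
    sim_start(r, CMD_AUTHENT2);                                   /* Step 3 */
    if (r->error || !r->crypto1_on) return fail(r, AUTH_STEP2_FAILED);
    return AUTH_OK;
}
```

Against real hardware the two sim_ functions would be replaced by FIFO writes and command starts over the μ-Processor interface, with the error check reading the chip's error flags.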

TYPICAL APPLICATION
Circuit Diagram

The figure below shows a typical application, where the antenna is directly connected to the MF RC500:

Circuit Description
The matching circuit consists of an EMC low pass filter (L0 and C0), a matching circuitry (C1 and C2), and a receiving circuit (R1, R2, C3 and C4), and the antenna itself. For more detailed information about designing and tuning an antenna please refer to the Application Notes ‘MIFARE and I CODE MICORE reader IC family; Directly Matched Antenna Design’ and ‘MIFARE (14443A) 13,56 MHz RFID Proximity Antennas’.

EMC LOW PASS FILTER
The MIFARE system operates at a frequency of 13.56 MHz. This frequency is generated by a quartz oscillator to clock the MF RC500 and is also the basis for driving the antenna with the 13.56 MHz energy carrier. This will not only cause emitted power at 13.56 MHz but will also emit power at higher harmonics. The international EMC regulations define the amplitude of the emitted power in a broad frequency range. Thus, an appropriate filtering of the output signal is necessary to fulfil these regulations. A multi-layer board is recommended to implement a low pass filter as shown in the circuit above. The low pass filter consists of the components L0 and C0. The recommended values are given in the above mentioned application notes.
Note: To achieve best performance all components shall have at least the quality of the recommended ones.
Note: The layout has a major influence on the overall performance of the filter.

ANTENNA MATCHING
Due to the impedance transformation of the given low pass filter, the antenna coil has to be matched to a certain impedance. The matching elements C1 and C2 can be estimated and have to be fine tuned depending on the design of the antenna coil.
The correct impedance matching is important to provide the optimum performance. The overall Quality factor has to be considered to guarantee a proper ISO14443 communication scheme. Environmental influences have to be considered as well as common EMC design rules. For details refer to the above mentioned application notes.
Note: Do not exceed the current limits ITVDD, otherwise the chip might be destroyed.
Note: The overall 13.56 MHz RFID proximity antenna design with the MF RC500 chip is straightforward and doesn’t require special RF know-how. However, all relevant parameters have to be considered to guarantee an overall optimum performance together with international EMC compliance.

RECEIVING CIRCUIT
The internal receiving concept of the MF RC500 makes use of both side-bands of the sub-carrier load modulation of the card response. No external filtering is required. It is recommended to use the internally generated VMID potential as the input potential of pin RX. This DC voltage level of VMID has to be coupled to the Rx-pin via R2. To provide a stable DC reference voltage a capacitance C4 has to be connected between VMID and ground. Considering the (AC) voltage limits at the Rx-pin the AC voltage divider of R1 + C3 and R2 has to be designed. Depending on the antenna coil design and the impedance matching the voltage at the antenna coil varies from antenna design to antenna design. Therefore the recommended way to design the receiving circuit is to use the given values for R1, R2, and C3 from the above mentioned application note, and adjust the voltage at the Rx-pin by varying R1 within the given limits.
Note: R2 is AC-wise connected to ground (via C4).

ANTENNA COIL
The precise calculation of the antenna coil’s inductance is not practicable but the inductance can be estimated using the following formula. We recommend designing an antenna either with a circular or rectangular shape.

l1: Length of one turn of the conductor loop
D1: Diameter of the wire or width of the PCB conductor respectively
K: Antenna Shape Factor (K = 1,07 for circular antennas and K = 1,47 for square antennas)
N1: Number of turns
ln: Natural logarithm function

The actual values of the antenna inductance, resistance, and capacitance at 13.56 MHz depend on various parameters like:
–antenna construction (Type of PCB)
–thickness of conductor
–distance between the windings
–shielding layer
–metal or ferrite in the near environment
Therefore a measurement of those parameters under real life conditions, or at least a rough measurement and a tuning procedure is recommended to guarantee the optimum performance. For details refer to the above mentioned application notes.