# AN10993 Pegoda Software Design Guide Rev. 2.1 – 08 August 2012

196121

**Application note COMPANY PUBLIC** 

#### **Document information**

| Info     | Content                                                                                                                                                             |  |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Keywords | Pegoda software design guide, firmware documentation, software documentation, firmware update, Pegoda firmware architecture, Pegoda functional overview, PC/SC mode |  |
| Abstract | This document provides a comprehensive architectural overview of the Pegoda software.                                                                               |  |



#### **Revision history**

| Rev | Date     | Description                              |
|-----|----------|------------------------------------------|
| 2.1 | 20120808 | References updated                       |
| 2.0 | 20120716 | General update for new firmware (v2.2.7) |
| 1.0 | 20101101 | First release                            |

## **Contact information**

For more information, please visit: <u>http://www.nxp.com</u>

For sales office addresses, please send an email to: <a href="mailto:salesaddresses@nxp.com">salesaddresses@nxp.com</a>

AN10993

All information provided in this document is subject to legal disclaimers.

Application note COMPANY PUBLIC

## 1. Introduction

#### 1.1 Scope

The scope of this document covers the software architecture coming with the Pegoda package. This includes a description of the integrated firmware stack on the LPC1768 controller as well as a high level overview of available modes in RD710.

The NPX Reader Library (nxprdlib) architecture and modules are covered in a separate document [10].

The firmware\nxprdlib may be changed individually to its own needs. An adequate tool chain for loading the firmware project file and doing further programming/debugging is introduced in the documents [7].

This document primarily describes the latest firmware release (V2.2.7) but for historical reasons a description of the old firmware is added as well in the Appendix in section 5.

Updates for the latest or for future firmware releases may be provided by NXP and can be easily downloaded by USB as described in [9].



## 1.2 Audience

This document is intended for use by manufacturers wanting to develop applications based on the software stack delivered within the Pegoda package.

Note that understanding parts of this document requires knowledge on microcontroller and their underlying systems.

## 1.3 Applicable documents or references

- [1] [ISO/IEC 14443]
- [2] PC/SC Workgroup Specifications (www.nxp.com/redirect/pcscworkgroup.com/specifications/specdownload)
- [3] onARM: see <u>www.nxp.com/redirect/onarm</u> for more information
- [4] See <u>www.nxp.com/redirect/freetos</u> for more information
- [5] www.nxp.com/redirect/en.wikipedia.org/wiki/Interrupt handler
- [6] AN10990 Example Project Pegoda
- [7] AN11002 Pegoda Toolchain Information
- [8] www.nxp.com/redirect/ics.nxp.com/products/lpc1000/all/~LPC1768 or on CD
- [9] AN10992 Quick start up guide
- [10] NXP Reader Library (in .chm format in the source code on CD include)

For information on availability of samples as well as documentation, please refer to the application note 'AN10994 Pegoda EV710 Documentation and Sampling guide'.

## 1.4 Acronyms and abbreviations

| SAM | Secure Access Module   |
|-----|------------------------|
| S   | SAM in S-Mode          |
| Ν   | no SAM                 |
| Х   | SAM in X-Mode          |
| BFL | Basic Function Library |

## 2. Functional overview and mode of operation

The reader firmware can perform contact and contactless communication. The contact part is used to communicate with a SAM. The contactless part performs the polling and activation sequence according to PC/SC part 2, ISO/IEC 14443-3 and 14443-4 standards.

The polling and activation sequence can be turned off and on with the use of escape (PC/SC part 3) commands. The polling and activation sequence is automatically disabled if escape commands are executed that would interfere with the normal operations. The firmware also interprets the ADPUs for MIFARE which are defined in PC/SC part 3.

The main modes of operation are being set by DIP switches which are located on the reader. Some configuration parameters can be set with the escape commands. The reader will store them in non-violate memory. The user will be able to reset the configuration back to default state.

The firmware will construct the product name – which is returned by USB descriptor – to easily identify the reader/SAM configuration. Depending on the DIP switches, there are three possible configurations

- 1. No SAM (Pegoda 2 N)
- 2. SAM in X-Mode (Pegoda 2 X)
- 3. SAM in S-Mode (Pegoda 2 S)

The user will be able to flash the board with custom or original firmware with three methods:

- 1. Over USB (IAP)
- 2. Over serial port (ISP)
- 3. Over JTAG with the use of external program

#### The Pegoda reader provides four modes of operation:

- Demo Mode
- PCSC Mode
- Overwrite Configuration Mode
- Enter Secondary Bootloader Mode

## 2.1 Demo mode

The demo mode is used to showcase in an autonomous way the functionality of the reader. In this mode, ISO14443-3A and ISO14443-3B activation loop are performed and based on *SAK* and Type the LEDs blink and an acoustic signal is generated according to the next table:

| Table 1. Card type according to SAK and number of beeps and lights |       |       |  |  |
|--------------------------------------------------------------------|-------|-------|--|--|
| Card type                                                          | sound | blink |  |  |
| MIFARE 1K (0x08)                                                   | 1     | 2     |  |  |
| MIFARE Classic 4K (0x18)                                           | 2     | 2     |  |  |
| MIFARE Ultralight (0x00)                                           | 3     | 2     |  |  |
| MIFARE DESFire                                                     | 4     | 2     |  |  |
| MIFARE Plus                                                        | 5     | 2     |  |  |
| ISO14443 Type B                                                    | 1     | 1     |  |  |

The demo mode is implemented in src/p3fw\_demo.c in the task:

void p3fw task demo mode (void \* param );

Demo mode firstly performs initialization of NXPRdLib and then enters the activation loop.

#### 2.2 PC/SC Mode

For PCSC Mode to function we first need to setup card slots and prepare NXPRdLib protocol stacks with:

```
void p3fw slots init(void);
```

which can be found in *src/p3fw\_slots.c*.

Next we set up external communication interface as USB, with the help of:

void p3fw\_ext\_if\_init\_usb(void);

Now we can start the two main tasks which perform all the necessary work:

- Card Poll and Activation Task
- PCSC Execute Task

As ther are three types of operating modes within the PC/SC mode:

- No SAM mode
- SAM in non X-mode
- SAM in X-Mode

We must decide which is required because if we use Pegoda in SAM-X mode then we do not need the Card Poll and Activation task.

#### 2.2.1 No SAM mode

The most important aspect of this mode is performing activation and polling sequence for ISO 14443 A type cards as defined in PC/SC part 3. Selected cards are put in slot manager and notification is sent to PC/SC driver. There can be only one ISO 14443-3 card or multiple (maximum 14) ISO 14443-4 cards in the field.

## Pegoda Software Design Guide

AN10993



#### 2.2.2 SAM in non X-mode

SAM in non X-mode is similar as 2.2.1 No SAM mode. The only difference is that slot 0 is always occupied with SAM, which can be used as key store, cryptographic engine, etc.

The reader chip can not be controlled by SAM in this mode.



#### 2.2.3 SAM in X-mode

In this mode communication is only through SAM (slot 0). Only limited number of proprietary commands can be executed.

AN10993



#### 2.2.4 Card Poll and Activation Task

Card Poll and Activation Task checks if there is an empty slot and if one exists, it tries to activate a new card. After a card (or cards – depends on the card and reader configuration) is activated and added to previously empty slot, it regularly checks if the card is still present.

```
Task is implemented in function:
    void p3fw task poll and activate(void * param);
```

in src/p3fw poll.c file, as also all the bellow functions.

```
Card activation (for ISO14443-3A, ISO14443-3B and ISO14443-4 cards) happens in:
void p3fw check for new card(uint8 t bCLSlotIndex);
```

This checks if there is any new card available and puts it in a card slot numbered by bCLSlotIndex. Presence check is performed by:

- for ISO14443-3A cards:
   void p3fw check presence 13a card(uint8 t bCLSlotIndex);
- for ISO14443-3B cards: void p3fw check presence 13b card(uint8 t bCLSlotIndex);
- for ISO14443-4 cards:

```
void p3fw_check_presence_14a_card(uint8_t bCLSlotIndex);
```

#### 2.2.5 PCSC Execute Task

In this task we perform actions on behalf of the user, which uses Pegoda over USB CCID protocol.

Task is implemented in function:

void p3fw task ccid execute (void \* param)

Our execution mode is split into two halves:

- top half which runs as interrupt
- · bottom half which runs as protocol handler in a task

#### 2.2.5.1 Top Half

Top half runs when external interface driver (USB, RS232, RS485, ... ) runs:

void p3fw ccid th dispatch();

#### in src/p3fw\_ccid\_th.c.

This function performs various checks to determine if the received command is according to USB CCID specification and if the card slot exists.

Next we schedule a bottom half for next USB CCID commands:

- ICC Power On
- ICC Power Off
- · Get Slot Status
- Transfer
- Get Parameters
- Set Parameters
- Escape

#### 2.2.5.2 Bottom Half

Bottom halves are implemented in src/p3fw\_ccid\_bh.c as:

ICC Power On

void p3fw ccid bh icc power on(uint8 t bCCIDSlotIndex);

Powers on the SAM.

#### ICC Power Off

void p3fw\_ccid\_bh\_icc\_power\_off(uint8\_t bCCIDSlotIndex);
Powers off the SAM card or Halts a contactless card if one is present.

#### Get Slot Status

void p3fw ccid bh get slot status(uint8 t bCCIDSlotIndex);

Returns status of a card in slot

#### Transfer

void p3fw ccid bh xfer(uint8 t bCCIDSlotIndex);

This is the most complex function which performs multiple actions depending on the sub mode.

#### Get Parameters

```
void p3fw_ccid_bh_get_parameters(uint8_t bCCIDSlotIndex);
Returns parameters of a card in slot.
```

#### Set Parameters

void p3fw ccid bh set parameters(uint8 t bCCIDSlotIndex);

Sets parameters for a card in a slot.

#### Escape

void p3fw ccid bh escape(uint8 t bCCIDSlotIndex);

Can be used to execute some of the direct mode commands in other modes.

The most interesting bottom half function is the transfer function which can perform in two different modes:

- Standard PCSC mode all commands send by the user are send to the card (with exception of few standard memory card commands defined by PSCS standard – see below)
- Direct PCSC mode all commands send by the user are interpreted by the reader

#### 2.2.6 Standard PSCS Mode

In standard PCSC mode we relay most of the commands (APDUs) send by the user to the card. We do that with the help of two functions:

for contact cards - from src/p3fw\_samt1\_wrap.c:

for contactless cards - from src/p3fw\_ccid\_bh.c:

```
void p3fw_ccid_bh_xfer_14(uint8_t bCLSlot);
```

But there is an exception: we implement PC/SC Standard Memory Card Extensions Commands:

Get Data

void p3fw\_pcsc\_std\_ext\_cmd\_get\_data (uint8\_t bCLSlotIndex);

Load Key

void p3fw\_pcsc\_std\_ext\_cmd\_load\_key (uint8\_t bCLSlotIndex);

• Authenticate

void p3fw\_pcsc\_std\_ext\_cmd\_auth (uint8\_t bCLSlotIndex);

Read Binary

void p3fw pcsc std ext cmd read bin (uint8 t bCLSlotIndex);

• Update Binary

void p3fw\_pcsc\_std\_ext\_cmd\_update\_bin (uint8\_t bCLSlotIndex);

This function can be used to manipulate memory cards such as MIFARE Classic and MIFARE Ultralight. The implementation of these functions can be found in **src/p3fw\_pcsc\_mem\_cards.c**.

## Pegoda Software Design Guide



#### 2.2.7 Direct PCSC Mode

After we enter the direct mode the payload of xfer command is interpreted by the firmware. The main dispatcher function for direct mode:

void p3fw\_dm\_xfer ();

from src/p3fw\_dm.c

Every subset of direct mode is coded in its own file:

#### **Reader Operations**

Implements commands for Reader Operations. Entry point:

void p3fw\_dm\_ro ();

#### HAL Commands

Implements commands for HAL Commands. Entry point:

void p3fw\_dm\_hal ();

#### ISO14443-3

Implements commands for ISO14443-3. Entry point:

void p3fw\_dm\_l3 ();

#### ISO14443-4Activation

Implements commands for ISO14443-4Activation. Entry point:

void p3fw\_dm\_l4a ();

#### ISO14443-4

Implements commands for ISO14443-4 layer. Entry point: void p3fw\_dm\_l4 ();

#### **MIFARE Exchange**

Implements commands for MIFARE Exchange. Entry point:

void p3fw\_dm\_xchg ();

#### **CID Manager**

Implements commands for CID Manager. Entry point:

```
void p3fw_dm_cid ();
```

#### **Contact Card Communication**

Implements commands for Contact Card Communication. Entry point:

#### Pegoda Software Design Guide

void p3fw\_dm\_contact\_card ();

*Key Store* Implements commands for Key Store. Entry point:

void p3fw dm keystore ();

**Application note** 

**COMPANY PUBLIC** 

## p3fw\_dm\_get\_output\_pointer\_uint8\_t p3fw\_dm\_get\_input\_pointer\_uint8\_t p3fw\_dm\_get\_input\_payload\_length p3fw\_dm\_get\_output\_payload p3fw\_dm\_get\_input\_uint16\_t p3fw\_dm\_get\_input\_payload p3fw\_dm\_get\_input\_uint32\_ p3fw\_dm\_get\_input\_uint8\_ p3fw\_dm\_get\_instruction p3fw\_dm\_get\_slot\_index p3fw\_dm\_send\_frame NVIC\_SystemReset p3fw\_dm\_contact\_card p3fw\_dm\_get\_class p3fw\_dm\_keystore p3fw\_dm\_xchg p3fw\_dm\_l4a p3fw\_dm\_ro p3fw\_dm\_cid p3fw\_dm\_hal p3fw\_dm\_l3 p3fw\_dm\_l4 p3fw\_dm\_xfer Fig 6. **Call Graph for Direct Mode**

#### 2.2.7.1 Reader Operations

#### Reader operations are implemented in **src/p3fw\_dm\_ro.c** file as:

• LEDs On – turns on the antenna LEDs

AN10993

void p3fw\_dm\_ro\_led\_on ();

LEDs Off – turns off the antenna LEDs

```
void p3fw dm ro led off ();
```

• Reset - resets the reader

void p3fw\_dm\_ro\_reset ();

• Configuration Overwrite - reverts configuration to factory defaults

void p3fw\_dm\_ro\_conf\_over ();

• Set Reader Configuration – sets reader configuration option

void p3fw\_dm\_ro\_set\_conf ();

Get Reader Configuration – gets reader configuration option

void p3fw\_dm\_ro\_get\_conf ();

• Get Status – gets reader status (hardware and firmware versions)

void p3fw\_dm\_ro\_get\_status ();

Read Register – reads a value from reader chip register

void p3fw\_dm\_ro\_read\_register ();

• Write Register – writes a value to reader chip register

void p3fw\_dm\_ro\_write\_register ();

Field On – turns the reader RFID field on

void p3fw\_dm\_ro\_field\_on ();

• Field Off - turns the reader RFID field off

void p3fw\_dm\_ro\_field\_off ();

Field Reset – resets the field

void p3fw dm ro field reset ();

• Set PCSC Mode – enters or leaves the PCSC mode

void p3fw\_dm\_ro\_pcsc\_mode ();

#### 2.2.7.2 HAL Operations

HAL operations are implemented in src/p3fw\_dm\_hal.c file as:

HAL Initialization

void p3fw\_dm\_hal\_init (uint8\_t bDMSlotIndex);

• Exchange

void p3fw dm hal xchg (uint8 t bDMSlotIndex);

• Set Configuration

void p3fw\_dm\_hal\_set\_cfg (uint8\_t bDMSlotIndex);

• Get Configuration

void p3fw dm hal get cfg (uint8 t bDMSlotIndex);

Apply Protocol settings

void p3fw\_dm\_hal\_apply\_proto\_settings (uint8\_t bDMSlotIndex);

• Wait

void p3fw dm hal wait (uint8 t bDMSlotIndex);

• MIFARE Classic Authenticate

void p3fw dm hal mfc auth (uint8 t bDMSlotIndex);

MIFARE Classic Authenitcate With Key

void p3fw\_dm\_hal\_mfc\_auth (uint8\_t bDMSlotIndex);

#### 2.2.7.3 ISO14443-3A Operations

ISO14443-3A operations are implemented in src/p3fw\_dm\_I3.c file as:

• ISO14443-3A Initialization

void p3fw\_dm\_l3\_init (uint8\_t bDMSlotIndex);

• ReqA

void p3fw dm l3 req (uint8 t bDMSlotIndex);

• WeakUpA

void p3fw dm l3 wqua (uint8 t bDMSlotIndex);

HaltA

void p3fw\_dm\_l3\_hlta (uint8\_t bDMSlotIndex);

Anticolision

Pegoda Software Design Guide

AN10993

void p3fw\_dm\_l3\_anticol (uint8\_t bDMSlotIndex);

Select

void p3fw dm l3 select (uint8 t bDMSlotIndex);

• Activate Card

void p3fw\_dm\_l3\_act\_card (uint8\_t bDMSlotIndex);

• Exchange

void p3fw dm 13 xchg (uint8 t bDMSlotIndex);

• Get Serial Number

void p3fw dm l3 get serial num (uint8 t bDMSlotIndex);

#### 2.2.7.4 ISO14443-4A Operations

#### ISO14443-4A operations are implemented in src/p3fw\_dm\_l4a.c file as:

ISO14443-4A Initialization

void p3fw\_dm\_l4a\_init (uint8\_t bDMSlotIndex);

• RATS

void p3fw\_dm\_l4a\_rats (uint8\_t bDMSlotIndex);

• PPS

void p3fw\_dm\_l4a\_pps (uint8\_t bDMSlotIndex);

• Activate Card

void p3fw dm l4a act card (uint8 t bDMSlotIndex);

Get Protocol Parameters

void p3fw dm l4a get proto parm (uint8 t bDMSlotIndex);

#### 2.2.7.5 ISO14443-4 Operations

#### ISO14443-4 operations are implemented in src/p3fw\_dm\_l4.c file as:

• ISO14443-4 Initialization

void p3fw dm l4 init (uint8 t bDMSlotIndex);

Set Protocol

void p3fw\_dm\_14\_set\_protocol (uint8\_t bDMSlotIndex);

Reset Protocol

All information provided in this document is subject to legal disclaimers.

Pegoda Software Design Guide

AN10993

void p3fw\_dm\_l4\_reset\_protocol (uint8\_t bDMSlotIndex);

Deselect

void p3fw dm l4 deselect (uint8 t bDMSlotIndex);

• Presence Check

void p3fw dm l4 presenc check (uint8 t bDMSlotIndex);

• Exchange

void p3fw\_dm\_l4\_xchg (uint8\_t bDMSlotIndex);

• Set Configuration

void p3fw\_dm\_l4\_set\_cfg (uint8\_t bDMSlotIndex);

• Get Configuration

void p3fw\_dm\_l4\_get\_cfg (uint8\_t bDMSlotIndex);

#### 2.2.7.6 CID Operations

CID operations are implemented in src/p3fw\_dm\_cid.c file as:

CID Initialization

void p3fw dm cid init (uint8 t bDMSlotIndex);

• CID Free

void p3fw\_dm\_cid\_free (uint8\_t bDMSlotIndex);

• CID Get Free

void p3fw dm cid get free (uint8 t bDMSlotIndex);

#### 2.2.7.7 MIAFARE Operations

MIFARE operations are implemented in src/p3fw\_dm\_xchg.c file as:

MIFARE Initialization

void p3fw dm xchg init (uint8 t bDMSlotIndex);

Exchange L3

void p3fw\_dm\_xchg\_l3 (uint8\_t bDMSlotIndex);

• Exchange L4

void p3fw\_dm\_xchg\_l4 (uint8\_t bDMSlotIndex);

• Exchange PC

void p3fw\_dm\_xchg\_pc (uint8\_t bDMSlotIndex);

• Exchange RAW

void p3fw dm xchg raw (uint8 t bDMSlotIndex);

• MIFARE Authenticate

void p3fw dm xchg mfc auth (uint8 t bDMSlotIndex);

MIFARE Authenticate with Key

void p3fw dm xchg mfc auth key (uint8 t bDMSlotIndex);

#### 2.2.7.8 Key Store Operations

Key Store operations are implemented in src/p3fw\_dm\_keystore.c file as:

Key Store Initialization

void p3fw\_dm\_keystore\_init (uint8\_t bDMSlotIndex);

• Format Key

void p3fw\_dm\_keystore\_format\_key (uint8\_t bDMSlotIndex);

Set Key

void p3fw dm keystore set key (uint8 t bDMSlotIndex);

• Set Key Position

void p3fw dm keystore set key pos (uint8 t bDMSlotIndex);

#### • Set KUC

void p3fw dm keystore set kuc (uint8 t bDMSlotIndex);

• Set Full Key Entry

void p3fw dm keystore set full key (uint8 t bDMSlotIndex);

• Get Key Entry

void p3fw dm keystore get key entry (uint8 t bDMSlotIndex);

• Get Key

void p3fw\_dm\_keystore\_get\_key (uint8\_t bDMSlotIndex);

All information provided in this document is subject to legal disclaimers.

#### • Set Configuration

void p3fw dm keystore set config (uint8 t bDMSlotIndex);

• Get Configuration

void p3fw\_dm\_keystore\_get\_config (uint8\_t bDMSlotIndex);

Change KUC

void p3fw\_dm\_keystore\_chg\_kuc (uint8\_t bDMSlotIndex);

• Get KUC

void p3fw\_dm\_keystore\_get\_kuc (uint8\_t bDMSlotIndex);

• Set Configuration String

void p3fw\_dm\_keystore\_set\_cfg\_str (uint8\_t bDMSlotIndex);

• Get Configuration String

void p3fw dm keystore get cfg str (uint8 t bDMSlotIndex);

#### 2.2.7.9 Contact Card Operations

Contact Card operations are implemented in **src/p3fw\_dm\_cc.c** file in function:

void p3fw dm contact card (uint8 t bDMSlotIndex);

Commands implemented are:

- Activate Card
- Cold Reset
- Warm Reset
- Clock Stop
- Clock Start

#### 2.3 Overwrite Configuration Mode

In this mode we issue:

```
void p3fw flash erase config(void);
```

#### from src/p3fw\_flash.c which erases configuration from flash and then we call:

void p3fw invoke err and nfo mode(uint32 t dwErrorCode);

to inform the user that the overwrite was done.

## 2.4 Enter Secondary Bootloader Mode

In this mode we set a configuration option  $\ensuremath{\mathsf{P3FW\_CFG\_BOOTLOADER\_ACTIVE}}$  with the use of

phStatus\_t p3fw\_flash\_set\_config(uint32\_t dwCfgId, uint8\_t \* pBuff);

and then we issue a reset with the use of CMSIS function.

**Application note** 

COMPANY PUBLIC

## 3. Library and source code overview

The firmware is composed from different libraries:

• CMSIS - Cortex Microcontroller Software Interface Standard with extra peripheral drivers (can be found in cmsis directory in the source tree) – provides startup code and peripheral drivers and easier porting to other hardware platforms [3]

• FreeRTOS operating system (can be found in FreeRTOS\_6\_0\_0 directory in the source tree) – provides multitasking and tasks intercommunication and easier porting to other hardware platforms

• lpcusb – USB stack designed for NXP LPC family of microcontrollers (can be found in lpcusb directory in the source tree)

• NXPRdLib – NXP Reader Library (can be found in nxprdlib directory in the source tree) – provides all functions related to interaction with cards

• Firmware code including simple debug library (can be found in src and include directory in the source tree)

## 3.1 Architecture of the Pegoda 2 Firmware

The firmware is interrupt driven and can be split in two logical parts:

- the interrupt handling
- scheduled tasks

All interrupts are processed through top/bottom half (see [5]) interfaces. Basically the interrupt service routine (also called top half) schedules bottom half which does not run in interrupt execution space but in "normal" execution space.

The scheduled tasks are described in the following chapters.

## 3.2 Description of firmware code

The following firmware source files (see Fig 7) can be found in the project. The main functionality will be described in the following section.



#### 3.2.1 src/debug\_frmwrk.c

Implements functions for debugging over serial port

#### 3.2.2 src/p3fw\_bsp.c

Implements ports and PINs configuration

#### 3.2.3 src/p3fw.c

Main entry point for Pegoda firmware - exploration of source code should start here

The firmware starts in this file. In the main loop (int main()), initialization of hardware and software parts of the firmware are performed:

1. first we set up hardware (see p3fw\_hw\_init() in **p3fw\_bsp.c** for more information about setting up hardware)

2. then we initialize the debugging framework – this depends on type of build that we are building

3. next come reading the configuration from DIP switches and flash (see p3fw.c for more information about reading configuration)

- 4. now we can do all reader modes except the PCSC one
- 5. in case of PCSC mode we have to setup the external interface

6.then we have to set up FreeRTOS queue – used for communication between top bottom halfs and semaphore for protecting access to reader chip – so that we do not use it from two tasks at the same time

6. next we try to set up the reader chip

7. if we find a supported chip we set up the correct tasks for particular mode – if not found we enter into error and information task with correct error code

8. next we have to start the FreeRTOS scheduler (please refer to FreeRTOS documentation for more information) and loop forever

For more detailed information please refer to the source code file.

#### 3.2.4 src/p3fw\_ccid\_bh.c

Implements bottom half of the CCID protocol handler

The following messages are implemented in this file:

- ICC Power On void p3fw ccid bh icc power on(uint8 t bCCIDSlotIndex);
- ICC Power Off void p3fw ccid bh icc power off(uint8 t bCCIDSlotIndex);
- Get Slot Status void p3fw ccid bh get slot status(uint8\_t bCCIDSlotIndex);
- Transfer void p3fw\_ccid\_bh\_xfer(uint8\_t bCCIDSlotIndex);
- Get Parameters void p3fw ccid bh get parameters(uint8 t bCCIDSlotIndex);
- Set Parameters
  - void p3fw\_ccid\_bh\_set\_parameters(uint8\_t bCCIDSlotIndex);
- Escape

void p3fw\_ccid\_bh\_escape(uint8\_t bCCIDSlotIndex);

Please refer to the source code and USB CCID documentation for more information.

#### 3.2.5 src/p3fw\_ccid.c

Implements the CCID protocol handler task:

void p3fw\_task\_ccid\_execute (void \* param)

For more information please refer to the source file.

Application note

**COMPANY PUBLIC** 

#### 3.2.6 src/p3fw\_ccid\_th.c

Implements the top half (interrupt part) of the CCID handler

#### 3.2.7 src/p3fw\_demo.c

The demo mode is a simple demonstration on how to query for a card. The mode performs a selection of an NXP card according to ISO/IEC14443. Depending on the SAK byte of the selected card and the type, the antenna LEDs start blinking and an acoustic signal is generated.

The whole demo mode is implemented as one FreeRTOS task:

#### void p3fw\_task\_demo\_mode (void \* param)

- 1. set up type ISO/IEC14443-3A card type reading
- 2. set up type ISO/IEC14443-3B card type reading
- 3. turn on the antenna LEDs
- 4. enter infinity loop
- 5. perform ISO/IEC14443 3a\_ActivateCard
- 6. if ActivateCard returns error, go to step 9.

7. if ActivateCard of card is successful, blink two times and beep according to reported SAK byte:

- if SAK ==  $0x08 \rightarrow$  one time (MIFARE Classic Card 1k)
- if SAK ==  $0x18 \rightarrow two times$  (MIFARE Classic Card 4k)
- if SAK == 0x00 → three times (MIFARE Ultralight/Ultralight C Card)
- if SAK == 0x20  $\rightarrow$  four times (ISO14443-4 Type Card (MIFARE Plus, MIFARE DESFire, ...))
- 8. halt the card
- 9. reset the field
- 10. perform ISO/IEC14443 3b\_ActivateCard
- 11. if ActivateCard returns error, return to step 5.
- 12. if ActivateCard of card is successful, beep and blink one time
- 13. halt the card and return to step 5

#### 3.2.8 src/p3fw\_dm.c

Implements main direct mode functions. The following files contain functions. This mode is meant to be used by the NXPRdLib. If you are interested in how this mode works please refer to the source code.

src/p3fw\_dm\_cc.c src/p3fw\_dm\_cid.c src/p3fw\_dm\_hal.c src/p3fw\_dm\_keystore.c

All information provided in this document is subject to legal disclaimers.

src/p3fw\_dm\_I3.c src/p3fw\_dm\_I4a.c src/p3fw\_dm\_I4.c src/p3fw\_dm\_ro.c src/p3fw\_dm\_xchg.c

#### 3.2.9 src/p3fw\_error\_mode.c

Implements error and notification task/function. Contains a FreeRTOS task:

**void p3fw\_invoke\_err\_and\_nfo\_mode(uint32\_t dwErrorCode)**– which is used to inform the user of an error or that some action was completed. First the antenna LEDs blinks for five seconds with two blinks per second and then with rate of one blink and one beep per second informs the user of the error or that some action is completed. Please refer to source code file for more information.

#### 3.2.10 src/p3fw\_ext\_if\_usb.c

This file contains implementation of the USB interface (USB CCID 1.1) for communication with a client.

For more information please refer to:

- LPCUSB documentation (http://sourceforge.net/projects/lpcusb/)
- USB CCID 1.1 specification

(http://www.usb.org/developers/devclass\_docs/DWG\_Smart-Card\_CCID\_Rev110.pdf)

source file

#### 3.2.11 src/p3fw\_flash.c

Implements flash memory handling functions which perform actions over the IAP interface of LPC1768. For more information on IAP please refer to NXP LPC1768 User Manual. These actions are:

• static phStatus\_t p3fw\_flash\_erase(int sec\_from, int sec\_to)- performs erase of the flash from sec\_from to sec\_to

PARAMETERS: - sec\_from – int – start erase at this sector

- sec\_to - int - stop erase at this sector

RETURN: - phStatus\_t Status

 static phStatus\_t p3fw\_flash\_flash(int sec, uint8\_t \* buff, int size) – performs flashing of the internal flash

PARAMETERS: - sec - int - sector to flash

- buff - uint8[] - data to flash

- size - int - size of buff (should be 128, 512 or 1024)

RETURN: - phStatus\_t Status

 phStatus\_t p3fw\_flash\_read\_serial(uint32\_t \* pSerNum) – returns the CPU serial

AN10993

PARAMETERS: - sernum – uint32\_t \* - pointer to a uint32\_t for storing the read CPU serial number

RETURN: - phStatus\_t Status

#### 3.2.12 src/p3fw\_pcsc.c

Implements PCSC protocol handling functions

Send APDU

# phStatus\_t p3fw\_pcsc\_send\_apdu(uint8\_t bSW1, uint8\_t bSW2, uint16\_t wPayloadLength)

Prepare L3 Card

#### phStatus\_t p3fw\_pcsc\_std\_ext\_prepare\_I3\_card(uint8\_t bCLSlotIndex)

Do Authentication

phStatus\_t p3fw\_pcsc\_std\_ext\_do\_auth(uint8\_t bCLSlotIndex, uint8\_t bBlockNumber, uint8\_t bKeyType)

#### 3.2.13 src/p3fw\_pcsc\_mem\_cards.c

Implements PCSC Memory Cards Standard Extensions

- · Get Data
- see static phStatus\_t p3fw\_pcsc\_std\_ext\_cmd\_get\_data (uint8\_t bCLSlotIndex)
- Load Keys
- see static phStatus\_t p3fw\_pcsc\_std\_ext\_cmd\_ load\_key (uint8\_t bCLSlotIndex)
- · General Authenticate
- see static phStatus\_t p3fw\_pcsc\_std\_ext\_cmd\_ auth (uint8\_t bCLSlotIndex)
- Read Binary
- see static phStatus\_t p3fw\_pcsc\_std\_ext\_cmd\_ read\_bin (uint8\_t bCLSlotIndex)
- Update Binary
- see static phStatus\_t p3fw\_pcsc\_std\_ext\_cmd\_ update\_bin (uint8\_t bCLSlotIndex)

For more information please refer to the source file.

#### 3.2.14 src/p3fw\_poll.c

Implements cars poll and activation task

void p3fw\_task\_poll\_and\_activate (void \* param)

This task provides polling and activation mechanism required by the PC/SC specification and does the main polling and ISO14443-3A/4A/3B activation and polls existing cards

Please refer to the source file for more information.

#### 3.2.15 src/p3fw\_samt1.c

This file contains implementation of the ISO/IEC 7816/3 standard:T1 protocol for contact cards :

• void p2\_fw\_sam\_t1\_init(uint8\_t chip, uint8\_t mode) – initialize the processors I/O pins according to chip and mode parameter to work with SAM card.

PARAMETERS: chip – P2\_FW\_READER\_CHIP\_RC523 or

P2\_FW\_READER\_CHIP\_SAM

mode – P2\_FW\_READER\_MODE\_SAM\_IN\_X or

P2\_FW\_READER\_MODE\_SAM\_NON\_X

- void p2\_fw\_sam\_t1\_start(void) it perform activation sequence according ISO 7816-3:2006 (Figure 1). The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the ATR of inserted SAM card with p2\_fw\_sam\_t1\_get\_atr.
- void p2\_fw\_sam\_t1\_deinit(void) the function perform Deactivation sequence according to ISO 7816/3:2006 (Figure 6).
- void p2\_fw\_sam\_t1\_warm\_reset(void) the function perform warm reset according to ISO 7816-3:2006 (Figure 1). The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the ATR of inserted SAM card with p2\_fw\_sam\_t1\_get\_atr.
- void p2\_fw\_sam\_t1\_send(uint8\_t \*data, uint32\_t len, uint8\_t frame\_type) The function sends len bytes of data to SAM.

PARAMETERS: data - uint8\_t \* - pointer to data to send

len – uint32\_t – length of data to send

frame\_type:

- **P2\_FW\_SAM\_FRAME\_APDU** the function prepends NAD, PCB and LEN bytes, and appends LRC to data parameter (according ISO 7816-3:2006).
- **P2\_FW\_SAM\_FRAME\_T1** the function just send data to SAM card.

The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the response with p2\_fw\_sam\_t1\_receive.

• uint32\_t p2\_fw\_sam\_t1\_receive(uint8\_t \*data, uint8\_t frame\_type) – the function returns the number of bytes received from SAM card. If frame\_type equals P2\_FW\_SAM\_FRAME\_APDU only the INF field is returned.

PARAMETERS: data – uint8\_t \* - pointer to received data

frame\_type - uint8\_t - frame type

RETURN: number of bytes received

- **Bool p2\_fw\_sam\_t1\_is\_busy(void)** the function return true if the SAM module is busy and false otherwise.
- void p2\_fw\_sam\_t1\_get\_atr(uint8\_t \* buffer, uint8\_t \*max\_length) the function returns ATR of currently inserted SAM card.

PARAMETERS: buffer – uint8\_t \* - buffer in which to store ATR

 $max\_length - uint8\_t * - the size of the buffer/length of ATR (on return)$ 

 void p2\_fw\_sam\_t1\_set\_etu(uint8\_t fi\_di) – function sets the module's internal etu according to fi\_di parameter. fi\_di is encoded as TA1 of ATR (ISO 7816/3:2006; 8.3).

The module uses TIMER0, TIMER2, GPIO falling edge interrupt on SAM's I/O pin and PWM0 for SAM's CLK pin. When the user calls *p2\_fw\_sam\_t1\_start* or *p2\_fw\_sam\_t1\_warm\_reset* the SAM card is in reset state and after 400 clocks (ISO 7816-3:2006) the TIME0 interrupt triggers and sets the RST pin high. Then the module is in read state and waits for GPIO failing edge interrupt (start bit). After receiving start bit TIMER0 is used to capture data bits and parity bit. TIMER2 is used to timeout if no start bit is received. All that time the function *p2\_fw\_sam\_t1\_is\_busy* returns true. For sending data to SAM, TIMER0 is used to shift each bit to I/O pin. When the answer is received the module is not busy anymore and it can be read with *p2\_fw\_sam\_t1\_receive* function.

#### 3.2.16 src/p3fw\_samt1\_wrap.c

Implements integration of T1 protocol in to Pegoda new Firmware

#### 3.2.17 src/p3fw\_slots.c

We define multiple slots in which cards can reside. At one time you can use only one ISO14443 card of fourteen ISO14443 cards. Every card has its own communication settings and this are stored in a slot. All slot and CID management functions can be found in this source file:

- phStatus\_t p3fw\_slots\_init(void) initialize slots and prepare them for work
   RETURN: phStatus t Status
- void p3fw\_slot\_reset\_all\_slots(uint8\_t contact\_card) removes cards from all slots

PARAMETERS: contact\_card – uint8\_t – indicates if the slots for contact cards (SAMs) are reset as well

RETURN: NONE

 void p3fw\_slot\_remove\_cl\_card(uint8\_t bCLSlotIndex) – removes contactless card from a slot

PARAMETERS:  $bCLSlotIndex - uint8_t - index of the slot from which we would like to remove the card$ 

RETURN: NONE

void p3fw\_slot\_add\_l4\_card(uint8\_t bCLSlotIndex, uint8\_t bSak)

- adds a new ISO14443-4 card to a slot

PARAMETERS:

- bCLSlotIndex uint8\_t Index of slot the card should be stored in
- bSak uint8\_t SAK that card returned at ISO14443-3A activation RETURN: NONE

void p3fw\_slot\_add\_l3a\_card(uint8\_t bCLSlotIndex, uint8\_t bSak)

- adds a new ISO14443-3a card to a slot

PARAMETERS:

- bCLSlotIndex uint8\_t Index of slot the card should be stored in
- bSak uint8\_t SAK that card returned at ISO14443-3A activation

RETURN: NONE

void p3fw\_slot\_add\_l3b\_card(uint8\_t bCLSlotIndex)

- adds a new ISO14443-3b card to a slot

PARAMETERS:

• bCLSlotIndex – uint8\_t – Index of slot the card should be stored in

RETURN: NONE

 phStatus\_t p3fw\_slot\_get\_atr(uint8\_t bCCIDSlotIndex, uint8\_t \* pbAtrBuffer, uint8\_t \* pbMaxLength) returns an ATR for a particular slot (by calling p3fw\_slot\_get\_atr\_or p3fw\_slot\_get\_atr\_l3 function)

PARAMETERS:

- bCCIDSlotIndex- uint8\_t -index of the slot for which we would like to get ATR
- pbAtrBuffer uint8\_t \* pointer where to save the ATR
- pbMaxLength maximum length of the ATR that can be stored to the buffer

RETURN: - phStatus\_t Status

 static phStatus\_t p3fw\_slot\_get\_atr\_l3 (uint8\_t bCLSlotIndex, uint8\_t \* pbAtrBuffer, uint8\_t \* pbMaxLength)returns a level 3 ATR for a particular slot

PARAMETERS:

- bCCIDSlotIndex- uint8\_t -index of the slot for which we would like to get ATR
- pbAtrBuffer uint8\_t \* pointer where to save the ATR
- pbMaxLength maximum length of the ATR that can be stored to the buffer

RETURN: - phStatus\_t Status

 static phStatus\_t p3fw\_slot\_get\_atr\_l4 (uint8\_t bCLSlotIndex, uint8\_t \* pbAtrBuffer, uint8\_t \* pbMaxLength)returns a level 4 ATR for a particular slot

PARAMETERS:

- bCCIDSlotIndex- uint8\_t -index of the slot for which we would like to get ATR
- pbAtrBuffer uint8\_t \* pointer where to save the ATR
- pbMaxLength maximum length of the ATR that can be stored to the buffer

RETURN: - phStatus\_t Status

#### 3.2.18 P3fw\_timing.c

Handles timers.

## 4. Code execution overview

## 4.1 Initialization

On program entry, after main, we first setup the hardware by calling: void p3fw hw init();

which can be found in *src/p3fw\_bsp.c*. This function initializes the *ARM CMSIS* library and sets up the correct PINs functions. Now we are ready to read configuration – this configuration tells us how Pegoda should function and which chip is on the board – from PINs – by using:

void p3fw\_read\_config(void);

which can be found in src/p3fw.c.
Now we need to initialize the timer for timing services by calling:
 p3fw timing init();

If not using the PCSC Mode the execution of the other modes can be stared.

For PCSC Mode the next step is to setup the slots with a call to:

status = p3fw slots init();

Depending on the configuration the correct interface is initialized:

• USB:

```
p3fw_ext_if_init_usb();
```

Now we can check which mode is requested and start the correct tasks for it.

Please refer to the implemented main method in src/p3fw.c for more information.

## 5. Appendix

This Appendix covers for historical reasons the design guide for the old pagoda firmware as it is present in the subfolder \firmware\_v1\_3. We do not recommend using this firmware for future development as it does not include the nxprdlib.

#### 5.1 Introduction

#### 5.1.1 Scope

The scope of this appendix covers the old software architecture coming with the Pegoda package (/firmware\_v1\_3). This includes a description of the integrated firmware stack on the LPC1768 controller as well as a high level overview of available modes in RD710.

The Basic Function Library (BFL) architecture and modules are covered in a separate document. Examples on how to setup the BFL stack on PC environment to communicate in different SAM modes and card products are covered in the Example Project Document [5].

The firmware/BFL may be changed individually to its own needs. An adequate tool chain for loading the firmware project file and doing further programming/debugging is introduced in the documents [7].

Updates for future firmware releases may be provided by NXP and can be easily downloaded by USB.

#### 5.2 Functional overview and mode of operation

The reader firmware can perform contact and contactless communication. The contact part is used to communicate with a SAM. The contactless part performs the polling and activation sequence according to PC/SC part 2, ISO/IEC 14443-3 and 14443-4 standards.

The polling and activation sequence can be turned off and on with the use of escape (PC/SC part 3) commands. The polling and activation sequence is automatically disabled if escape commands are executed that would interfere with the normal operations. The firmware also interprets the ADPUs for MIFARE which are defined in PC/SC part 3.

The main modes of operation are being set by DIP switches which are located on the reader. Some configuration parameters can be set with the escape commands. The reader will store them in non-violate memory. The user will be able to reset the configuration back to default state.

The firmware will construct the product name – which is returned by USB descriptor – to easily identify the reader/SAM configuration. Depending on the DIP switches, there are three possible configurations

- 1. No SAM (Pegoda 2 N)
- 2. SAM in X-Mode (Pegoda 2 X)
- 3. SAM in S-Mode (Pegoda 2 S)

The user will be able to flash the board with custom or original firmware with three methods:

- 1. Over USB (IAP)
- 2. Over serial port (ISP)
- 3. Over JTAG with the use of external program

#### The Pegoda reader provides four modes of operation:

- Demo Mode
- PCSC Mode
- Overwrite Configuration Mode
- Enter Secondary Bootloader Mode

#### 5.2.1 Demo mode

The demo mode is used to showcase in an autonomous way the functionality of the reader. In this mode, ISO14443-3A activation loop is performed and based on **SAK** blink the LEDs according to the next table:

| Table 2.         Card type according to SAK and number of beep |       |  |
|----------------------------------------------------------------|-------|--|
| Card type                                                      | sound |  |
| MIFARE 1K (0x08)                                               | 1     |  |
| MIFARE Classic 4K (0x18)                                       | 2     |  |
| MIFARE Ultralight (0x00)                                       | 3     |  |
| MIFARE DESFire                                                 | 4     |  |
| MIFARE Plus                                                    | 5     |  |

The demo mode can run in all three operation modes (non SAM, SAM in S, SAM in X mode).

The demo mode is implemented in *src/p2\_fw\_demo\_mode.c* in the task:

```
void p2_fw_task_demo_mode (void * param);
it distinguishes between BFL and SAM driven demo.
```

The BFL mode is implemented in

static void p2\_fw\_task\_demo\_mode\_bfl (void \* param);
for the usage of the BFL library.

The SAM mode is implemented in

static void p2 fw task demo mode sam (void \* param);

All information provided in this document is subject to legal disclaimers.

for the usage of SAM APDUs and T=1 protocol.

#### 5.2.2 PC/SC Mode

In this mode the reader acts as a fully compliant PC/SC reader. The PC/SC mode provides two sub modes called

- Standard mode
- Direct mode.

The standard mode provides routines and commands according to the PC/SC standard. The user can also directly control the reader (e.g. manual activation of cards, settings IC registers) by using the direct mode.

The mode is split into two tasks:

void p2 fw task pcsc execute (void \* param);

which takes care of scheduling the bottom halfs of interrupt functions and

void p2 fw task pcsc poll and act loop (void \* param);

which performs activation and pooling of cards.

There are three types of operating modes within the PC/SC mode:

- No SAM mode
- SAM in non X-mode
- SAM in X-Mode

#### 5.2.2.1 The Interrupt Driven Part

Interrupts from external interfaces are serviced by interrupt services which mainly read-in data sent from external device to the reader. After the data is read-in to the communication buffer we call:

void p2 fw ccid top half dispatch(void);

in *src/p2\_fw\_ccid.c* which acts as a dispatcher for the CCID messages. For serial and ethernet messages (if selected interface is other then USB then the reader goes in to direct mode) the interrupt service always provides a CCID XFER Block command.

In the dispatcher we check if the requested command is supported and allowed and then call one of the dedicated functions:

for CCID ICC\_POWER\_ON we call

void p2 fw ccid icc power on top half (void);

for CCID GET\_SLOT\_STATUS we call

void p2\_fw\_ccid\_get\_slot\_status\_top\_half (void);

- for CCID ICC\_POWER\_OFF we call void p2 fw ccid icc power off top half (void);
- for CCID XFR\_BLOCK we call

void p2\_fw\_ccid\_xfr\_block\_top\_half (void);

AN10993

• for CCID GET\_PARAMETERS we call

void p2\_fw\_ccid\_get\_parameters\_top\_half (void);

• for CCID SET\_PARAMETERS we call

void p2\_fw\_ccid\_set\_parameters\_top\_half (void);

• for CCID ESCAPE we call

void p2\_fw\_ccid\_escape\_top\_half (void);

These top half handlers do the smallest amount of work because we are still in the interrupt service routine. Mostly they only check if the frame is valid and of correct size and at the end schedule a bottom half which is run by execute task and which does the real work.

The bottom half functions are implemented in src/p2\_fw\_ccid.c with the following routines:

#### Get Status Bottom half

Bool p2\_fw\_ccid\_get\_slot\_status\_bottom\_half (uint8\_t slot\_idx); Returns status for slot defined by slot idx.

#### **Power On Bottom Half**

Bool p2\_fw\_ccid\_icc\_power\_on\_bottom\_half (uint8\_t slot\_idx);
Powers on the SAM.

#### **Power Off Bottom Half**

Bool p2\_fw\_ccid\_icc\_power\_off\_bottom\_half (uint8\_t slot\_idx);

Powers off the SAM card or Halts a contactless card if one is present.

#### **Get Parameters Bottom Half**

Bool p2\_fw\_ccid\_get\_parameters\_bottom\_half (uint8\_t slot\_idx); Returns parameters of a card in slot.

#### Set Parameters Bottom Half

Bool p2\_fw\_ccid\_set\_parameters\_bottom\_half (uint8\_t slot\_idx);
Sets parameters for a card in a slot.

#### **Escape Bottom Half**

Bool p2\_fw\_ccid\_escape\_bottom\_half (uint8\_t slot\_idx);

Can be used to execute some of the direct mode commands in other modes.

#### **Xfer Bottom Half**

Bool p2\_fw\_ccid\_xfr\_block\_bottom\_half (uint8\_t slot\_idx);

This is the most complex function which performs multiple actions depending on the sub mode.

#### 5.2.2.2 Standard Submode

In standard mode the reader sends APDUs to an ISO14443-4 compliment card:

```
static Bool p2_fw_ccid_xfr_bh_l4_xfer (uint8_t slot_idx);
```

and to the SAM:

```
static Bool p2 fw ccid xfr bh sam (uint8 t slot idx);
```

The firmware also interprets the APDUs for MIFARE which are defined in PC/SC part 3. The list of supported APDUs is as following:

• Get Data

static Bool p2\_fw\_pcsc\_ext\_cmd\_get\_data(uint8\_t slot\_idx);

Load Keys

static Bool p2\_fw\_pcsc\_ext\_cmd\_load\_key(uint8\_t slot\_idx);

General Authenticate

static Bool p2 fw pcsc ext cmd auth(uint8 t slot idx);

· Read binary

static Bool p2 fw pcsc ext cmd read bin(uint8 t slot idx);

Update binary

static Bool p2 fw pcsc ext cmd update bin(uint8 t slot idx);

#### 5.2.2.3 Direct Submode

After we enter the direct mode the payload of xfer command is interpreted by the firmware. The main dispatcher function for direct mode:

Bool p2 fw dm (uint8 t message type, uint16 t allowed cmds);

Every subset of direct mode is coded in its own file:

#### **Reader Operations**

Implements commands for Reader Operations. Entry point:

Bool p2\_fw\_dm\_ro (uint8\_t message\_type);

#### HAL Commands

Implements commands for HAL Commands. Entry point:

Bool p2\_fw\_dm\_hal (uint8\_t message\_type);

Pegoda Software Design Guide

#### ISO14443-3

Implements commands for ISO14443-3. Entry point:

```
Bool p2_fw_dm_l3 (uint8_t message_type );
```

#### ISO14443-4Activation

Implements commands for ISO14443-4Activation. Entry point:

Bool p2\_fw\_dm\_l4a (uint8\_t message\_type);

#### ISO14443-4

Implements commands for ISO14443-4 layer. Entry point:

Bool p2\_fw\_dm\_l4 (uint8\_t message\_type );

#### **MIFARE Exchange**

Implements commands for MIFARE Exchange. Entry point:

Bool p2\_fw\_dm\_xchg (uint8\_t message\_type);

#### **CID Manager**

Implements commands for CID Manager. Entry point:

Bool p2\_fw\_dm\_cid (uint8\_t message\_type);

## **Contact Card Communication**

Implements commands for Contact Card Communication. Entry point:

Bool p2\_fw\_dm\_cc (uint8\_t message\_type);

#### Key Store

Implements commands for Key Store. Entry point:

Bool p2\_fw\_dm\_key\_store (uint8\_t message\_type);

#### **Pooling and Activation Part**

Pooling and activation is implemented in three functions. It has its own task:

void p2\_fw\_task\_pcsc\_poll\_and\_act\_loop (void \* param);

This function performs the activation for ISO14443-3 level. If a card supports an ISO14443-4 level card then it calls:

```
static Bool p2_fw_task_int_do_l4 (uint8_t * atq);
```

For pooling it uses:

static void p2\_fw\_task\_int\_do\_poll (void);

All information provided in this document is subject to legal disclaimers.

# 5.2.3 Overwrite Configuration Mode

In this mode we issue:

void p2 fw flash erase config(void);

from src/p2\_fw\_flash\_utils.c which erases configuration from flash and then we call:

void p2\_fw\_invoke\_error\_mode(uint32\_t error\_code);

to inform the user that the overwrite was done.

## 5.2.4 Enter Secondary Bootloader Mode

In this mode we set a configuration option P2\_FW\_CFG\_ENT\_SEC\_BOOT\_MODE to buff[0] = 1 with the use of

Bool p2 fw flash set config(uint32 t cfg id, uint8 t \* buff);

and then we issue a reset with the use of CMSIS function.

# 5.3 Library and source code overview

The firmware is composed from different libraries:

• BFL – NXP Basic Function Library 4.8 (can be found in bfl directory in the source tree) – provides all functions related to interaction with cards

• BFL Extensions – Extensions to the BFL provided by NXP – provides key store implementation required by the direct mode reader operation

• CMSIS - Cortex Microcontroller Software Interface Standard with extra peripheral drivers (can be found in cmsis directory in the source tree) – provides startup code and peripheral drivers and easier porting to other hardware platforms [3]

• FreeRTOS operating system (can be found in FreeRTOS\_6\_0\_0 directory in the source tree) – provides multitasking and tasks intercommunication and easier porting to other hardware platforms

 Ipcusb – USB stack designed for NXP LPC family of microcontrollers (can be found in Ipcusb directory in the source tree)

- debug simple debug library (can be found in debug directory in the source tree)
- firmware code (can be found in src and include directory in the source tree)

## 5.3.1 Architecture of the Pegoda 2 Firmware

The firmware is interrupt driven and can be split in two logical parts:

- the interrupt handling
- scheduled tasks

All interrupts are processed through top/bottom half (see [5]) interfaces. Basically the interrupt service routine (also called top half) schedules bottom half which does not run in interrupt execution space but in "normal" execution space.

The scheduled tasks are described in the following chapters.

# 5.3.2 Description of firmware code

The following firmware source files (see Fig 7) can be found in the project. The main functionality will be described in the following section.



## 5.3.2.1 P2\_fw\_bfl.c

This file contains functions related to old BFL initialization and usage.

 bool p2\_fw\_bfl\_init (void) – performs initialization of required BFL structures. We initialize the hardware interface, the required subsystems (IO and OpCtrl) and ISO14443 layer 3, 4A and 4 components.

> PARAMETERS: NONE RETURN: NONE

• void p2\_fw\_bfl\_set\_up\_rc\_type\_a\_reading (void) – sets up registers for ISO14443-3A card type reading.

PARAMETERS: NONE

• bool p2\_fw\_bfl\_reset\_reader (void) - resets reader chip.

© NXP B.V. 2012. All rights reserved.

PARAMETERS: NONE RETURN: NONE

• **void p2\_fw\_bfl\_set\_timeout** (uint16\_t qsec, uint8\_t aFlags) – sets timeout to the reader chip timer in milliseconds or microseconds depending on the flags setting. Please note that values larger than 39590ms will cause overflow.

PARAMETERS: qsec - uint16\_t value

aFlags - can be:

- P2\_FW\_TMR\_MS qsec is in milliseconds
- P2\_FW\_TMR\_US qsec is in microseconds
- P2\_FW\_TMR\_START\_NOW force timer start

RETURN: NONE

 void p2\_fw\_bfl\_set\_com\_speed(uint8\_t dri, uint8\_t dsi) – set card communication speed parameters to the reader.

PARAMETERS: dri - DRI parameter to set

dsi - DSI parameter to set

RETURN: NONE

• **void p2\_fw\_bfl\_change\_rc523\_baud\_rate** (uint32\_t baudrate) – changes the reader UART speed to higher one from the default (9600

PARAMETERS: **baudrate** - the baudrate value (9600 - 12880000) RETURN: NONE

 static void p2fw\_pcd\_utils\_wtx\_cb (phcsBfll3P4\_CbSetWtxParam\_t\* wtx\_param) - a callback for ISO14443-4 layer which sets the new WTX value.

> PARAMETERS: **wtx\_param** - internal BFL structure RETURN: NONE

## 5.3.2.2 P2\_fw\_ccid.c

The file contains implementation of the USB CCID 1.1 messages. For every message there is a top and bottom half function.

The following messages are implemented in this file:

ICC Power On

void p2\_fw\_ccid\_icc\_power\_on\_top\_half (void);

Bool **p2\_fw\_ccid\_icc\_power\_on\_bottom\_half** (uint8\_t slot\_idx);

ICC Power Off

void p2\_fw\_ccid\_icc\_power\_off\_top\_half (void);
 Bool p2\_fw\_ccid\_icc\_power\_off\_bottom\_half (uint8\_t slot\_idx);

Get Slot Status

void p2\_fw\_ccid\_get\_slot\_status\_top\_half (void);
 Bool p2\_fw\_ccid\_get\_slot\_status\_bottom\_half (uint8\_t slot\_idx);

Get Parameters

void p2\_fw\_ccid\_get\_parameters\_top\_half (void);
 Bool p2\_fw\_ccid\_get\_parameters\_bottom\_half (uint8 t slot idx);

Set Parameters

• void p2\_fw\_ccid\_set\_parameters\_top\_half (void);

Bool p2\_fw\_ccid\_set\_parameters\_bottom\_half (uint8\_t slot\_idx);

Escape

• void p2\_fw\_ccid\_escape\_top\_half (void);

Bool **p2\_fw\_ccid\_escape\_bottom\_half** (uint8\_t slot\_idx);

Please refer to the source code and USB CCID 1.1 documentation for more information.

# 5.3.2.3 p2\_fw\_ccid\_xfer.c

The file contains implementation of the USB CCID 1.1 XfrBlock message for contact and contactless cards which support APDUs.

The top half is implemented in: void p2\_fw\_ccid\_xfr\_block\_top\_half (void) function.

The bottom half function: **Bool p2\_fw\_ccid\_xfr\_block\_bottom\_half (uint8\_t slot\_idx**) calls the correct sub functions:

## for contactless cards:

**static Bool p2\_fw\_ccid\_xfr\_bh\_l4\_xfer (uint8\_t slot\_idx)** – function implements the ISO1444-4 protocol with chaining support, for more details refer to the source file

**Bool p2\_fw\_pcsc\_commands (uint8\_t slot\_idx)** – function implements the APDUs which are part PC/SC

## for contact cards:

**static Bool p2\_fw\_ccid\_xfr\_bh\_sam (uint8\_t slot\_idx)** – function uses T=1 to exchange data with a contact SAM card, or more details refer to the source file

## 5.3.2.4 p2\_fw\_demo\_mode.c

The demo mode is a simple demonstration on how to query for a card. The mode performs a selection of an NXP card according to ISO/IEC14443. Depending on the SAK byte of the selected card, the antenna LEDs start blinking and an acoustic signal is generated.

The whole demo mode is implemented as one FreeRTOS task:

**void p2\_fw\_task\_demo\_mode (void \* param)** – main task function which calls the correct sub task according to requested mode:

- use reader chip directly:
  - static void p2\_fw\_task\_demo\_mode\_bfl (void \* param) the flow of this function is as following:
  - 1. set up type ISO/IEC14443-3A card type reading
  - 2. set up communication speed to 106kbps
  - 3. turn on the antenna LEDs
  - 4. enter infinity loop
  - 5. set up timeout for REQA (pool for card) function
  - 6. set up parameters for REQA function
  - 7. execute REQA function
  - 8. if REQA returns error, return to step 5.
  - 9. REQA /ATQA returned success card is in the field
  - 10. set up timeout for AnticollSelect function
  - 11. set up parameters for AnticollSelect function
  - 12. perform AnticollSelect function
  - 13. if selection of card is successful, beep according to reported SAK byte:
  - if SAK ==  $0x08 \rightarrow$  one time (MIFARE Classic Card 1k)
  - if SAK ==  $0x18 \rightarrow two times$  (MIFARE Classic Card 4k)
  - if SAK ==  $0x00 \rightarrow$  three times (MIFARE Ultralight/Ultralight C Card)
  - if SAK == 0x20  $\rightarrow$  four times (ISO14443-4 Type Card (MIFARE Plus, MIFARE DESFire, ...))
  - 14. halt the card and return to step 5
- use SAM:
  - static void p2\_fw\_task\_demo\_mode\_sam (void \* param) to use the SAM to control the chip, the following steps are required:
  - 1. enter an endless loop (a FreeRTOS requirement)
  - 2. reset the SAM by performing reinitialization
  - 3. check SAM version and correct mode of operation
  - 4. initialize the reader chip by performing Rc\_Init command on SAM

5. after the reader chip has been successfully initialized, set up the RF field by issuing RC\_RF\_Control command

6. activate a card by performing Activate Card command on SAM

7. after successful selection of a card, an acoustic signal is generated as described in the direct reader chip usage step 13.

## 5.3.2.5 Functions for Direct mode

The following files contain functions for so called direct mode of operation of the Pegoda reader. This mode is meant to be used by the NXPRdLib. Functions found in this file bridge the difference between the NXPRdLib and the old BFL which is used as foundation of the current Pegoda firmware. If you are interested in how this mode works please refer to the source code.

- p2\_fw\_direct\_mode.c
- p2\_fw\_direct\_mode\_cid.c
- p2\_fw\_direct\_mode\_contact\_card.c
- p2\_fw\_direct\_mode\_hal.c
- p2\_fw\_direct\_mode\_key\_store.c
- p2\_fw\_direct\_mode\_l3.c
- p2\_fw\_direct\_mode\_l4a.c
- p2\_fw\_direct\_mode\_l4.c
- p2\_fw\_direct\_mode\_ro.c
- p2\_fw\_direct\_mode\_xchg.c

## 5.3.2.6 p2\_fw\_err\_and\_nfo\_mode.c

Contains a FreeRTOS task:

**void p2\_fw\_task\_err\_and\_nfo\_loop (void \* param)** – which is used to inform the user of an error or that some action was completed. First the antenna LEDs blinks for five seconds with two blinks per second and then with rate of one blink and one beep per second informs the user of the error or that some action is completed. Please refer to source code file for more information.

## 5.3.2.7 p2\_fw\_ext\_intf\_serial.c

This file contains implementation of the serial interface (RS232, RS485) for LPC1768 UART for communication with a client. The serial communication can be only used in Direct Mode.

For more information please refer to

- LPC1768 user manual Chapter 15. LPC17xx UART1 [8]
- the source file

## 5.3.2.8 p2\_fw\_ext\_intf\_usb.c

This file contains implementation of the USB interface (USB CCID 1.1) for communication with a client.

For more information please refer to:

- LPCUSB documentation (http://sourceforge.net/projects/lpcusb/)
- USB CCID 1.1 specification

(http://www.usb.org/developers/devclass\_docs/DWG\_Smart-Card\_CCID\_Rev110.pdf)

source file

#### 5.3.2.9 p2\_fw\_flash\_utils.c

The p2\_fw\_flash\_utils.c file contains functions which perform actions over the IAP interface of LPC1768. For more information on IAP please refer to NXP LPC1768 User Manual. These actions are:

• static Bool p2\_fw\_flash\_utils\_erase(int sec\_from, int sec\_to) – performs erase of the flash from sec\_from to sec\_to

PARAMETERS: - sec\_from - int - start erase at this sector

- sec\_to - int - stop erase at this sector

RETURN: -TRUE if success

-FALSE if error

 static Bool p2\_fw\_flash\_utils\_flash(int sec, uint8\_t \* buff, int size) – performs flashing of the internal flash

PARAMETERS: - sec - int - sector to flash

- buff uint8[] data to flash
- size int size of buff (should be 128, 512 or 1024)
- RETURN: TRUE if success
  - FALSE if error
- Bool p2\_fw\_flash\_read\_serial(uint32\_t \* sernum) returns the CPU serial PARAMETERS: - sernum – uint32\_t \* - pointer to a uint32\_t for storing the read CPU serial number

RETURN: - TRUE if success

- FALSE if error

#### 5.3.2.10 p2\_fw\_main.c

The firmware starts in this file. In the main loop (int main()), initialization of hardware and software parts of the firmware are performed:

1. first we set up hardware (see p2\_fw\_reader.c for more information about setting up hardware)

2. then we initialize the debugging framework – this depends on type of build that we are building

3. next come reading the configuration from DIP switches and flash (see p2\_fw\_reader.c for more information about reading configuration)

4. now we can setup the external interface

5. now we have to set up FreeRTOS queue – used for communication between top bottom halfs and semaphore for protecting access to reader chip – so that we do not use it from two tasks at the same time

6. next we try to set up the reader chip

7. if we find a supported chip we set up the correct tasks for particular mode – if not found we enter into error and information task with correct error code

8. next we have to start the FreeRTOS scheduler (please refer to FreeRTOS documentation for more information) and loop forever

For more detailed information please refer to the source code file.

## 5.3.2.11 p2\_fw\_pcsc\_ext.c

In this file we implement PC/SC extensions for memory cards. The implemented commands are:

- Get Data see static Bool p2\_fw\_pcsc\_ext\_cmd\_get\_data(uint8\_t slot\_idx);
- Load Keys see static Bool p2\_fw\_pcsc\_ext\_cmd\_load\_key(uint8\_t slot\_idx);
- General Authenticate see static Bool p2\_fw\_pcsc\_ext\_cmd\_auth(uint8\_t slot\_idx);
- Read Binary see static Bool p2\_fw\_pcsc\_ext\_cmd\_read\_bin(uint8\_t slot\_idx);

Update Binary – see static Bool p2\_fw\_pcsc\_ext\_cmd\_update\_bin(uint8\_t slot\_idx);

For more information please refer to the source file.

## 5.3.2.12 p2\_fw\_pcsc\_mode.c

This file contains functions related to PC/SC mode of operation by Pegoda 2 reader. We define two FreeRTOS tasks:

## void p2\_fw\_task\_pcsc\_execute (void \* param)

This task provides executions of bottom halfs which are scheduled by top halfs. Most of time this task blocks on a queue waiting for interrupts to schedule a bottom half which is then executed by this task.

void p2\_fw\_task\_pcsc\_poll\_and\_act\_loop (void \* param)

This task provides polling and activation mechanism required by the PC/SC specification and it is split in three parts:

- main polling and ISO14443-3A activation (found in this function)
- ISO14443-4A activation function (see static Bool p2\_fw\_task\_int\_do\_l4 (uint8\_t \* atq, phcsBfll3P3A\_AnticollSelectParam\_t \* ans\_p))
- existing cards polling function (see static void p2\_fw\_task\_int\_do\_poll (void))

Pegoda Software Design Guide

Please refer to the source file for more information.

#### 5.3.2.13 p2\_fw\_reader.c

In this file we initialize the hardware parts of the Pegoda 2 reader:

- void p2\_fw\_reader\_setup\_hardware(void) function:
  - 1. runs SystemInit() function provided by the CMSIS library
  - 2. sets the Interrupt Vector table pointer to the correct address

3. sets up the pin function of used GPIOs – first the DIP switches, next configuration pins and lastly LEDs and beeper pin

4. next we set the correct direction and initial value (only for output pins) for this pins

• void p2\_fw\_reader\_read\_config(void) function reads the value of the DIP switches and stores a local copy of it

• **void p2\_fw\_reader\_set\_up\_external\_interface (void)** function sets up the correct external interface according to the configuration that was set by DIP switches

• **Bool p2\_fw\_reader\_set\_up\_reader\_chip(void)** function checks if the set configuration is possible – if it can find the correct reader chip and/or SAM – and sets up the old BFL if needed

Please refer to the source code for more information.

#### 5.3.2.14 p2\_fw\_sam\_t1.c

This file contains implementation of the ISO/IEC 7816/3 standard:

• void p2\_fw\_sam\_t1\_init(uint8\_t chip, uint8\_t mode) – initialize the processors I/O pins according to chip and mode parameter to work with SAM card.

PARAMETERS: chip - P2\_FW\_READER\_CHIP\_RC523 or

P2\_FW\_READER\_CHIP\_SAM

mode - P2\_FW\_READER\_MODE\_SAM\_IN\_X or

P2\_FW\_READER\_MODE\_SAM\_NON\_X

- void p2\_fw\_sam\_t1\_start(void) it perform activation sequence according ISO 7816-3:2006 (Figure 1). The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the ATR of inserted SAM card with p2\_fw\_sam\_t1\_get\_atr.
- **void p2\_fw\_sam\_t1\_deinit(void)** the function perform Deactivation sequence according to ISO 7816/3:2006 (Figure 6).
- void p2\_fw\_sam\_t1\_warm\_reset(void) the function perform warm reset according to ISO 7816-3:2006 (Figure 1). The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the ATR of inserted SAM card with p2\_fw\_sam\_t1\_get\_atr.
- void p2\_fw\_sam\_t1\_send(uint8\_t \*data, uint32\_t len, uint8\_t frame\_type) The function sends len bytes of data to SAM.

PARAMETERS: data – uint8\_t \* - pointer to data to send

len – uint32\_t – length of data to send

frame\_type:

- P2\_FW\_SAM\_FRAME\_APDU the function prepends NAD, PCB and LEN bytes, and appends LRC to data parameter (according ISO 7816-3:2006).
- **P2\_FW\_SAM\_FRAME\_T1** the function just send data to SAM card.

The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the response with p2\_fw\_sam\_t1\_receive.

• uint32\_t p2\_fw\_sam\_t1\_receive(uint8\_t \*data, uint8\_t frame\_type) – the function returns the number of bytes received from SAM card. If frame\_type equals P2\_FW\_SAM\_FRAME\_APDU only the INF field is returned.

PARAMETERS: data - uint8\_t \* - pointer to received data

frame\_type - uint8\_t - frame type

RETURN: number of bytes received

- **Bool p2\_fw\_sam\_t1\_is\_busy(void)** the function return true if the SAM module is busy and false otherwise.
- void p2\_fw\_sam\_t1\_get\_atr(uint8\_t \* buffer, uint8\_t \*max\_length) the function returns ATR of currently inserted SAM card.

PARAMETERS: buffer – uint8\_t \* - buffer in which to store ATR

max\_length – uint8\_t \* - the size of the buffer/length of ATR (on return)

 void p2\_fw\_sam\_t1\_set\_etu(uint8\_t fi\_di) – function sets the module's internal etu according to fi\_di parameter. fi\_di is encoded as TA1 of ATR (ISO 7816/3:2006; 8.3).

The module uses TIMER0, TIMER2, GPIO falling edge interrupt on SAM's I/O pin and PWM0 for SAM's CLK pin. When the user calls *p2\_fw\_sam\_t1\_start* or *p2\_fw\_sam\_t1\_warm\_reset* the SAM card is in reset state and after 400 clocks (ISO 7816-3:2006) the TIME0 interrupt triggers and sets the RST pin high. Then the module is in read state and waits for GPIO failing edge interrupt (start bit). After receiving start bit TIMER0 is used to capture data bits and parity bit. TIMER2 is used to timeout if no start bit is received. All that time the function *p2\_fw\_sam\_t1\_is\_busy* returns true. For sending data to SAM, TIMER0 is used to shift each bit to I/O pin. When the answer is received the module is not busy anymore and it can be read with *p2\_fw\_sam\_t1\_receive* function.

## 5.3.2.15 p2\_fw\_slots.c

We define multiple slots in which cards can reside. At one time you can use only one ISO14443 card or fourteen ISO14443 cards. Every card has its own communication settings and this are stored in a slot. All slot and CID management functions can be found in this source file:

AN10993

- void p2\_fw\_slots\_init(void) initialize slots and prepare them for work
- Bool p2\_fw\_slots\_free\_cid (uint8\_t cid) frees occupied CID channel for ISO14443-4 communication

PARAMETERS: cid - uint8\_t - CID channel to free

RETURN: TRUE if success, FALSE in case of ERROR

 Bool p2\_fw\_slots\_get\_free\_cid (uint8\_t \* cid) – returns a free CID channel for ISO14443-4 communication

PARAMETERS: cid – uint8\_t \* – pointer to uint8\_t where to store CID channel

RETURN: TRUE if success, FALSE in case of ERROR

 Bool p2\_fw\_slots\_get\_free\_slot (uint8\_t \* slot) – returns a free slot to store a card (CID channel and slot index are two different things and should not be mixed up)

PARAMETERS: slot – uint8\_t \* - pointer to uint8\_t where to store slot index

RETURN: TRUE if success, FALSE in case of ERROR

Bool p2\_fw\_slots\_add\_new\_l4\_card (phcsBfll3P4AAct\_RatsParam\_t \* rat\_p, uint8\_t cid\_index, uint8\_t sak, uint8\_t \* atq, uint8\_t \* uid, uint8\_t uid\_len) – adds a new ISO14443-4 card to a slot

PARAMETERS:

- rat\_p phcsBfII3P4AAct\_RatsParam\_t \* pointer to RATS structure used for card activation
- cid\_index uint8\_t CID channel used for communication
- sak uint8\_t SAK that card returned at ISO14443-3A activation
- atq uint8\_t \* pointer to buffer containing ATQ
- uid uint8\_t \* pointer to buffer containing UID
- uid\_len uint8\_t uid buffer length

RETURN: TRUE if success, FALSE in case of ERROR

Bool p2\_fw\_slots\_add\_new\_l3\_card (uint8\_t sak, uint8\_t \* atq, uint8\_t \* uid, uint8\_t uid\_len) – adds a new ISO14443-3 card to a slot

PARAMETERS:

- sak uint8\_t SAK that card returned at ISO14443-3A activation
- atq uint8\_t \* pointer to buffer containing ATQ
- uid uint8\_t \* pointer to buffer containing UID
- uid\_len uint8\_t uid buffer length

RETURN: TRUE if success, FALSE in case of ERROR

 Bool p2\_fw\_slots\_add\_new\_sam\_card (void) – adds a new SAM to a slot PARAMETERS: NONE

RETURN: TRUE if success, FALSE in case of ERROR

• Bool p2\_fw\_slots\_is\_known\_l3\_card (uint8\_t \* uid, uint8\_t uid\_len) – check if the card is already occupying a slot

PARAMETERS:

- uid uint8\_t \* pointer to buffer containing UID
- uid\_len uint8\_t uid buffer length

RETURN: TRUE if success, FALSE in case of ERROR

• Bool p2\_fw\_slots\_get\_atr (uint8\_t slot\_index, uint8\_t \* buffer, uint8\_t \*max\_length) – returns an ATR for a particular slot (by calling p2\_fw\_slots\_atr\_l4\_cards or p2\_fw\_slots\_atr\_l3\_card function)

PARAMETERS:

- slot\_index uint8\_t index of the slot for which we would like to get ATR
- buffer uint8\_t \* pointer where to save the ATR
- max\_length maximum length of the ATR that can be stored to the buffer

RETURN: TRUE if success, FALSE in case of ERROR

 static Bool p2\_fw\_slots\_atr\_l4\_cards (uint8\_t slot\_index, uint8\_t \* buffer, uint8\_t \*max\_length) – returns correctly formatted ATR for ISO14443-4 type card

PARAMETERS:

- slot\_index uint8\_t index of the slot for which we would like to get ATR
- buffer uint8\_t \* pointer where to save the ATR
- max\_length maximum length of the ATR that can be stored to the buffer

RETURN: TRUE if success, FALSE in case of ERROR

 static Bool p2\_fw\_slots\_atr\_I3\_cards (uint8\_t slot\_index, uint8\_t \* buffer, uint8\_t \*max\_length) – returns correctly formatted ATR for ISO14443-3 type card

PARAMETERS:

- slot\_index uint8\_t index of the slot for which we would like to get ATR
- buffer uint8\_t \* pointer where to save the ATR
- max length maximum length of the ATR that can be stored to the buffer

RETURN: TRUE if success, FALSE in case of ERROR

void p2\_fw\_slots\_remove\_card (uint8\_t slot\_index) – removes card from a slot

PARAMETERS:

 slot\_index – uint8\_t – index of the slot from which we would like to remove the card

RETURN: NONE

Please refer to the source code for more information.

#### 5.3.2.16 p2\_fw\_timing\_com.c

This file contains functions for timing of operations. The supported timing modes are:

AN10993

• FTD – frame time delay – time between the end or transmission to the card and start of reply (this time is calculated from the RC523 timer)

• COM – whole command time – from start of the command until the end (this time is calculated by using LPC1768 timer TIM1)

Please refer to the source code for more information.

## 5.3.2.17 p2\_fw\_utils.c

Contains simple helpful functions:

 uint8\_t p2\_fw\_utils\_get\_dri(uint8\_t ta1) – returns DRI parameter from cards ATS

PARAMETERS: ta1 - cards ATSs TA1

 uint8\_t p2\_fw\_utils\_get\_dsi(uint8\_t ta1) – returns DSI parameter from cards ATS

PARAMETERS: ta1 - cards ATSs TA1

- void p2\_fw\_utils\_blink(int count) blinks antenna LEDs count times PARAMETERS: count – times to blink the antenna LEDs
- void p2\_fw\_utils\_field\_off (void) turns off the RF field
- void p2\_fw\_utils\_field\_on (uint16\_t wFiledRecoveryTime) turns on the RF field

PARAMETERS: wFiledRecoveryTime - time to wait fro field to settle

 void p2\_fw\_utils\_reg\_write (uint8\_t addr, uint8\_t val) – write to a RC523 register

PARAMETERS: addr - uint8\_t - register address

value – uint8\_t – value to write

 void p2\_fw\_utils\_reg\_read (uint8\_t addr, uint8\_t \* val) – read from RC523 register

PARAMETERS: addr - uint8\_t - register address

value – uint8\_t \* – pointer to store the value

# 5.4 Code execution overview

#### 5.4.1 Initialization

On entry, after main we first setup the hardware by calling:

void p2 fw reader setup hardware(void);

in *src/p2\_fw\_reader.c*. This function initializes the ARM CMSIS library and sets up hardware.

Next we setup the slots with a call to:

void p2 fw slots init(void);

Now we are ready to read configuration – this configuration tells the currently set operating mode of the Pegoda.

```
void p2_fw_reader_read_config(void);
```

Now that we have read the configuration we can set up the external interface defined by PINs connected to DIP switch 3 and 4 by calling:

void p2\_fw\_reader\_set\_up\_external\_interface (void);

Depending on the configuration the correct interface is initialized:

• USB:

void p2\_fw\_usb\_init\_usb(void);

• serial (RS232 and RS485):

void p2 fw usb init serial(void);

• ethernet:

void p2 fw usb init ethernet(void);

Now we need to initialize the timer for timing services by calling:

void p2 fw timing init(void);

Now we only have to set up the reader chip by calling:

Bool p2 fw reader set up reader chip(void);

This function – depending on the configuration and chip type – initializes the correct subsystems.

Initialization can be performed on BFL or/and SAM depending on configuration.

For initialization of the BFL we call:

Bool p2 fw bfl init (void);

For SAM initialization we have to call the correct sequence of:

```
void p2_fw_sam_t1_init(uint8_t chip, uint8_t mode);
void p2_fw_sam_t1_start(void);
Bool p2_fw_sam_t1_is_busy(void);
Bool p2_fw_sam_t1_is_sam_inserted(void)
void p2_fw_sam_t1_deinit(void);
```

Now we can check which mode is requested and start the correct tasks for it.

## Pegoda Software Design Guide

# 6. Legal information

# 6.1 Definitions

**Draft** — The document is a draft version only. The content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included herein and shall have no liability for the consequences of use of such information.

# 6.2 Disclaimers

Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information.

In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory.

Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors' aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

**Right to make changes** — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors accepts no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer's own risk.

**Applications** — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification.

Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer's sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer's applications and products planned, as well as for the planned application and use of customer's third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products.

NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer's applications or products, or the application or use by customer's third party customer(s). Customer is responsible for doing all necessary testing for the customer's applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer's third party customer(s). NXP does not accept any liability in this respect.

**Export control** — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.

**Evaluation products** — This product is provided on an "as is" and "with all faults" basis for evaluation purposes only. NXP Semiconductors, its affiliates and their suppliers expressly disclaim all warranties, whether express, implied or statutory, including but not limited to the implied warranties of non-infringement, merchantability and fitness for a particular purpose. The entire risk as to the quality, or arising out of the use or performance, of this product remains with customer.

In no event shall NXP Semiconductors, its affiliates or their suppliers be liable to customer for any special, indirect, consequential, punitive or incidental damages (including without limitation damages for loss of business, business interruption, loss of use, loss of data or information, and the like) arising out the use of or inability to use the product, whether or not based on tort (including negligence), strict liability, breach of contract, breach of warranty or any other theory, even if advised of the possibility of such damages.

Notwithstanding any damages that customer might incur for any reason whatsoever (including without limitation, all damages referenced above and all direct or general damages), the entire liability of NXP Semiconductors, its affiliates and their suppliers and customer's exclusive remedy for all of the foregoing shall be limited to actual damages incurred by customer based on reasonable reliance up to the greater of the amount actually paid by customer for the product or five dollars (US\$5.00). The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails of its essential purpose.

# 6.3 Licenses

Purchase of NXP ICs with ISO/IEC 14443 type B functionality



This NXP Semiconductors IC is ISO/IEC 14443 Type B software enabled and is licensed under Innovatron's Contactless Card patents license for ISO/IEC 14443 B.

The license includes the right to use the IC in systems and/or end-user equipment.

RATP/Innovatron Technology

# 6.4 Trademarks

Notice: All referenced brands, product names, service names and trademarks are property of their respective owners.

MIFARE — is a trademark of NXP B.V.

**DESFire** — is a trademark of NXP B.V.

MIFARE Ultralight — is a trademark of NXP B.V.

**MIFARE Plus** — is a trademark of NXP B.V.

Application note

**COMPANY PUBLIC** 

# 7. Contents

| 1.           | Introduction3                              |
|--------------|--------------------------------------------|
| 1.1          | Scope                                      |
| 1.2          | Audience4                                  |
| 1.3          | Applicable documents or references4        |
| 1.4          | Acronyms and abbreviations4                |
| 2.           | Functional overview and mode of operation5 |
| 2.1          | Demo mode5                                 |
| 2.2          | PC/SC Mode6                                |
| 2.2.1        | No SAM mode6                               |
| 2.2.2        | SAM in non X-mode7                         |
| 2.2.3        | SAM in X-mode7                             |
| 2.2.4        | Card Poll and Activation Task8             |
| 2.2.5        | PCSC Execute Task8                         |
| 2.2.5.1      | Top Half9                                  |
| 2.2.5.2      | Bottom Half9                               |
| 2.2.6        | Standard PSCS Mode10                       |
| 2.2.7        | Direct PCSC Mode12                         |
| 2.2.7.1      | Reader Operations14                        |
| 2.2.7.2      | HAL Operations15                           |
| 2.2.7.3      | ISO14443-3A Operations16                   |
| 2.2.7.4      | ISO14443-4A Operations17                   |
| 2.2.7.5      | ISO14443-4 Operations17                    |
| 2.2.7.6      | CID Operations18                           |
| 2.2.7.7      | MIAFARE Operations18                       |
| 2.2.7.8      | Key Store Operations 19                    |
| 2.2.7.9      | Contact Card Operations20                  |
| 2.3          | Overwrite Configuration Mode20             |
| 2.4          | Enter Secondary Bootloader Mode21          |
| 3.           | Library and source code overview           |
| 3.1          | Architecture of the Pegoda 2 Firmware      |
| 3.2<br>3.2.1 | Description of firmware code               |
| 3.2.1        | src/debug_frmwrk.c23<br>src/p3fw_bsp.c23   |
| 3.2.2        | src/p3fw_bsp.c                             |
| 3.2.3        | src/p3fw.ccid bh.c                         |
| 3.2.4        | src/p3fw_ccid.c                            |
| 3.2.6        | src/p3fw_ccid_th.c25                       |
| 3.2.7        | src/p3fw_ccld_uiic                         |
| 3.2.8        | src/p3fw_dm.c25                            |
| 3.2.9        | src/p3fw error mode.c                      |
| 3.2.10       | src/p3fw_ext_if_usb.c26                    |
| 3.2.10       | src/p3fw_flash.c                           |
| 3.2.12       | src/p3fw_pcsc.c                            |
| 3.2.12       | src/p3fw_pcsc_mem_cards.c27                |
| 3.2.14       | src/p3fw_poll.c                            |
| 3.2.15       | src/p3fw_samt1.c28                         |
| 0.2.10       |                                            |

|          |                                           | ~ ~ |
|----------|-------------------------------------------|-----|
| 3.2.16   | src/p3fw_samt1_wrap.c                     |     |
| 3.2.17   | src/p3fw_slots.c                          |     |
| 3.2.18   | P3fw_timing.c                             |     |
| 4.       | Code execution overview                   |     |
| 4.1      | Initialization                            |     |
| 5.       | Appendix                                  | 32  |
| 5.1      | Introduction                              | 32  |
| 5.1.1    | Scope                                     |     |
| 5.2      | Functional overview and mode of operation |     |
| 5.2.1    | Demo mode                                 |     |
| 5.2.2    | PC/SC Mode                                |     |
| 5.2.2.1  | The Interrupt Driven Part                 |     |
| 5.2.2.2  | Standard Submode                          |     |
| 5.2.2.3  | Direct Submode                            |     |
| 5.2.3    | Overwrite Configuration Mode              |     |
| 5.2.4    | Enter Secondary Bootloader Mode           |     |
| 5.3      | Library and source code overview          |     |
| 5.3.1    | Architecture of the Pegoda 2 Firmware     |     |
| 5.3.2    | Description of firmware code              | 39  |
| 5.3.2.1  | P2_fw_bfl.c                               |     |
| 5.3.2.2  | P2_fw_ccid.c                              |     |
| 5.3.2.3  | p2_fw_ccid_xfer.c                         |     |
| 5.3.2.4  | p2_fw_demo_mode.c                         |     |
| 5.3.2.5  | Functions for Direct mode                 |     |
| 5.3.2.6  | p2_fw_err_and_nfo_mode.c                  |     |
| 5.3.2.7  | p2_fw_ext_intf_serial.c                   |     |
| 5.3.2.8  | p2_fw_ext_intf_usb.c                      |     |
| 5.3.2.9  | p2_fw_flash_utils.c                       |     |
| 5.3.2.10 |                                           |     |
| 5.3.2.11 | p2_fw_pcsc_ext.c                          |     |
| 5.3.2.12 | h-TThere.T                                |     |
| 5.3.2.13 |                                           |     |
| 5.3.2.14 | h-TTeenTeene                              |     |
| 5.3.2.15 |                                           |     |
| 5.3.2.16 |                                           |     |
| 5.3.2.17 |                                           |     |
| 5.4      | Code execution overview                   |     |
| 5.4.1    | Initialization                            |     |
| 6.       | Legal information                         |     |
| 6.1      | Definitions                               |     |
| 6.2      | Disclaimers                               | 52  |
| 6.3      | Licenses                                  |     |
| 6.4      | Trademarks                                | -   |
| 7.       | Contents                                  | 53  |

Please be aware that important notices concerning this document and the product(s) described herein, have been included in the section 'Legal information'.

© NXP B.V. 2012.

#### All rights reserved.

For more information, visit: http://www.nxp.com For sales office addresses, please send an email to: salesaddresses@nxp.com