background image

 

ACR3901U-S1 – Reference Manual

 

[email protected] 

Version 1.09 

www.acs.com.hk

 

Page 14 of 96

 

 

 

6.0. Software Design 

6.1.  Bluetooth Communication Protocol 

6.1.1.  Bluetooth Connection Program Flow 

The program flow of a Bluetooth connection is shown below: 

 

Figure 2

: Bluetooth Connection Flow 

 

Yes 

No 

Bluetooth Start 

(Reset/Power up) 

Successful Connection? 

 

No 

Enable Service 

Disconnect? 

Reset  

Power Off 

Authentication 

Smart Card Operation with Security Channel 

 

Successful Authentication? 

 

Yes 

Summary of Contents for ACR3901U-S1

Page 1: ...Subject to change without prior notice info acs com hk www acs com hk Reference Manual V1 10 ACR3901U S1 ACS Secure Bluetooth Contact Card Reader...

Page 2: ...pdated Section 6 5 5 4 Rewrite Master Key Command Updated Section 6 6 Mutual Authentication Table 1 02 2016 09 16 Updated Product Photo Updated Product Marketing Name Updated command examples with inc...

Page 3: ...oth Communication Protocol Added Section 6 5 5 APDU2 Command From FW v1 20 and later Updated Section 7 1 4 PC_to_RDR_XfrBlock Updated Section 7 2 1 RDR_to_PC_DataBlock 1 07 2018 12 17 Updated Formatti...

Page 4: ...5 5 5 Card Tearing Protection 13 6 0 Software Design 14 6 1 Bluetooth Communication Protocol 14 6 1 1 Bluetooth Connection Program Flow 14 6 1 2 Profile Selection 15 6 1 3 Authentication 17 6 1 4 Fram...

Page 5: ...01U S1 Architecture 9 Figure 2 Bluetooth Connection Flow 14 Figure 3 nRFgo Studio GATT Setting Interface 15 Figure 4 Authentication Procedure 17 List of Tables Table 1 Symbols and Abbreviations 6 Tabl...

Page 6: ...o referred to as the USB specification April 27 2000 Universal Serial Bus Common Class Specification 1 0 December 16 1997 Universal Serial Bus Device Class Smart Card CCID Specification for Integrated...

Page 7: ...s Selection Features Short Circuit Protection Supports AES 128 encryption algorithm Application Programming Interface o Supports PC SC o Supports CT API through wrapper on top of PC SC Built in Periph...

Page 8: ...the default parameters F 372 D 1 For the meaning of the aforementioned parameters please refer to ISO 7816 3 3 2 Memory based Smart Cards ACR3901U S1 works with several memory based smart cards such a...

Page 9: ...k Version 1 09 www acs com hk Page 9 of 96 4 0 System Block Diagram Figure 1 ACR3901U S1 Architecture ACR3901U S1 Power Management MCU Bluetooth Mobile device or Computer LEDs Full sized Card Recharge...

Page 10: ...n Bluetooth mode run 10 operations per day with 1 minute operation run 2 In Bluetooth mode set sleep time as 60 seconds and wake up once per day 5 2 Bluetooth Interface ACR3901U S1 uses Bluetooth Low...

Page 11: ...data packet size is 64 bytes Bulk IN For response to be sent from ACR3901U S1 to host data packet size is 64 bytes Interrupt IN For card status message to be sent from ACR3901U S1 to host data packet...

Page 12: ...and PC On Card is connected and powered on Table 5 Status LED Note When red blue and green LEDs are OFF the reader is powered off Both blue and green LEDs will light for 1 second and then will turn o...

Page 13: ...type regardless of the protocol type selected by the application 5 5 4 Interface for Microcontroller based Cards For microcontroller based smart cards only the contacts C1 VCC C2 RST C3 CLK C5 GND and...

Page 14: ...Protocol 6 1 1 Bluetooth Connection Program Flow The program flow of a Bluetooth connection is shown below Figure 2 Bluetooth Connection Flow Yes No Bluetooth Start Reset Power up Successful Connectio...

Page 15: ...he paired device through a specific pipe To simplify the battery levels are divided into three groups below is a table summarizing the battery level and its corresponding return value Status Voltage R...

Page 16: ...NUMBER_OF_PIPES 10 define PIPE_GAP_DEVICE_NAME_SET is used to change the device name at runtime by the application controller So that in Bluetooth mode the advertising name will be in the format of AC...

Page 17: ...g device for simplicity and better illustration Figure 4 Authentication Procedure After successful authentication a 16 byte Session Key is generated in both ACR3901U S1 and the data server Default Cus...

Page 18: ...ntication was introduced to avoid man in the middle attack through the Bluetooth communication channel After a successful mutual authentication the Bluetooth Frame Format in Table 7 will be encrypted...

Page 19: ...nticated Paired device Peripheral Commands 70h Connected Authenticated Paired device SPH_to_RDR_ReqAuth 71h Connected Authenticated Paired device SPH_to_RDR_AuthRsp Table 9 Command Code Summary Comman...

Page 20: ...er of extra bytes starting from the next field for this message It is expressed in two bytes long LEN1 is LSB while LEN2 is MSB 3 N byte ATR N Card Answer To Reset 3 N CSUM wChecksum 1 CSUM means the...

Page 21: ...Size Value Description 0 bMessageType 1 13h 1 LEN1 LEN2 wLength 2 0100h Number of extra bytes starting from the next field for this message It is expressed in two bytes long LEN1 is LSB while LEN2 is...

Page 22: ...XOR values of all bytes in the command Response Data Format Error Offset Field Size Value Description 0 bMessageType 1 94h 1 LEN1 LEN2 wLength 2 0200h Number of extra bytes starting from the next fiel...

Page 23: ...sageType 1 11h 1 LEN1 LEN2 wLength 2 Number of extra bytes starting from the next field for this message It is expressed in two bytes long LEN1 is LSB while LEN2 is MSB 3 APDU Response N APDU Format D...

Page 24: ...1 is LSB while LEN2 is MSB Maximum length is 263 3 Data Param 1 Parameter Short APDU level 00h default Extended APDU level 00h the command APDU begins and ends with this command 01h the command APDU b...

Page 25: ...and ends the response APDU 03h this Data field continues the response APDU and another block is to follow 10h empty Data field continuation of the command APDU is expected in the next Command 4 APDU...

Page 26: ...eans the XOR values of all bytes in the command Example Sends 600 bytes data to the card 1 Command 67 07 01 01 261 bytes data checksum Response 17 02 00 10 checksum 2 Command 67 07 01 03 261 bytes dat...

Page 27: ...m 1 CSUM means the XOR values of all bytes in the command Response Data Format Offset Field Size Value Description 0 bMessageType 1 15h Escape Response Header 1 LEN1 LEN2 wLength 2 Number of extra byt...

Page 28: ...al info acs com hk Version 1 09 www acs com hk Page 28 of 96 Offset Field Size Value Description 3 Error Code bErrorCode 1 Error Code Refer to Appendix A 4 CSUM wChecksum 1 CSUM means the XOR values o...

Page 29: ...l bytes in the command Response Data Format Offset Field Size Value Description 0 bMessageType 1 16h Escape Response Header 1 LEN1 LEN2 wLength 2 Number of extra bytes starting from the next field for...

Page 30: ...ength 0900h Offset Field Size Value Description 4 bmFindexDindex 1 B7 4 FI Index into the table 7 in ISO IEC 7816 3 1997 selecting a clock rate conversion factor B3 0 DI Index into the table 8 in ISO...

Page 31: ...ersion 1 09 www acs com hk Page 31 of 96 Example T0 protocol Request 61 07 00 00 11 00 00 0A 00 7D Response 16 07 00 00 11 00 00 0A 00 0A Example T1 protocol Request 61 09 00 01 96 10 00 45 00 FE 00 5...

Page 32: ...H_AuthRsp2 22h Authenticated Reader RDR_to_SPH_DataRsp Table 11 Summary of Mutual Authentication Commands 6 1 6 1 SPH_to_RDR_ReqAuth This command will request ACR3901U S1 to perform authentication wit...

Page 33: ...ield Size Value Description Encrypted 0 bMessageType 1 20h No 1 LEN1 LEN2 wLength 2 1100h Number of extra bytes starting from the next field for this message It is expressed in two bytes long LEN1 is...

Page 34: ...1U S1 using this command in order to have a successful authentication For more information on the authentication process please refer to Authentication Offset Field Size Value Description Encrypted 0...

Page 35: ...on Encrypted 0 bMessageType 1 21h No 1 LEN1 LEN2 wLength 2 1100h Number of extra bytes starting from the next field for this message It is expressed in two bytes long LEN1 is LSB while LEN2 is MSB No...

Page 36: ...wherein each byte will be encrypted with the Session Key which is generated after mutual authentication using the AES128 CBC cipher mode The initial vector is 16bytes of 00h in AES 128 CBC cipher mod...

Page 37: ...will be encrypted and transmitted after a successful mutual authentication Offset Field Size Value Description Encrypted 0 bMessageType 1 22h No 1 LEN1 LEN2 wLength 2 The Number of extra bytes starti...

Page 38: ...s sent to ACR3901U S1 have to be sent synchronously e g bMaxCCIDBusySlots is equal to 01h for ACR3901U S1 The ACR3901U S1 supported CCID features are indicated in its Class Descriptor Offset Field Siz...

Page 39: ...rs Automatic baud rate change according to frequency and FI DI parameters TPDU level change with ACR3901U S1 44 dwMaxCCIDMessageLength 4 Maximum message length accepted by ACR3901U S1 is 271 bytes 48...

Page 40: ...essage and the data returned is the Answer to Reset ATR data 6 2 1 2 PC_to_RDR_IccPowerOff This command deactivates the card slot Offset Field Size Value Description 0 bMessageType 1 63h 1 dwLength 4...

Page 41: ...this command 0001h the command APDU begins with this command and continues in the next PC_to_RDR_XfrBlock 0002h the abData field continues a command APDU and ends the APDU command 0003h the abData fi...

Page 42: ..._to_PC_Parameters message 6 2 1 7 PC_to_RDR_SetParameters This command sets slot parameters Offset Field Size Value Description 0 bMessageType 1 61h 1 dwLength 4 Size of extra bytes of this message 5...

Page 43: ...I for T 0 used to define WWT 14 bClockStop 1 ICC Clock Stop Support 00h Stopping the Clock is not allowed 01h Stop with Clock signal Low 02h Stop with Clock signal High 03h Stop with Clock either High...

Page 44: ...otiated IFSC 16 bNadValue 1 00h Only support NAD 00h The response to this message is the RDR_to_PC_Parameters message 6 2 1 8 PC_to_RDR_Escape This command accesses extended features Offset Field Size...

Page 45: ...9 bChainParameter 1 Short APDU level RFU 00h Extended APDU level 00h the response APDU begins and ends in this command 01h the response APDU begins with this command and is to continue 02h this abDat...

Page 46: ...rs and PC_to_RDR_SetParameters messages Offset Field Size Value Description 0 bMessageType 1 82h 1 dwLength 4 Size of extra bytes of this message 5 bSlot 1 Same value as in Bulk OUT message 6 bSeq 1 S...

Page 47: ...e Description 0 bMessageType 1 83h 1 dwLength 4 Size of extra bytes of this message 5 bSlot 1 Same value as in Bulk OUT message 6 bSeq 1 Same value as in Bulk OUT message 7 bStatus 1 Slot status regis...

Page 48: ...e serial number of the reader Command Format Offset Field Size Value Description 0 abData1 CommandCode 1 02h Command Code of Write Serial Number 1 Len CommandLength 1 00h Number of extra bytes of data...

Page 49: ...e for Bluetooth Mode Only Command Format Offset Field Size Value Description 0 abData1 CommandCode 1 03h Command Code of Get Random Number 1 Len CommandLength 1 00h Number of extra bytes of data 2 Dat...

Page 50: ...and Code of Get Firmware Version 1 Len CommandLength 1 00h Number of extra bytes of data 2 Data 0 Response Format Offset Field Size Value Description 0 abData2 ResponseCode 1 84h Response Code of Get...

Page 51: ...Command Code of Rewrite Master Key 1 Len CommandLength 1 20h Number of extra bytes of data 2 Data 32 Combine the random number KeyRstRnd 0 15 encrypted by original Customer Master Key 16 byte of new...

Page 52: ...Field Size Value Description 0 abData1 CommandCode 1 0Dh Command Code of Sleep Mode Option 1 Len CommandLength 1 01h Number of extra bytes of data 2 Data 1 00h 60 seconds Default 01h 90 seconds 02h 1...

Page 53: ...escription 0 abData1 CommandCode 1 0Eh Command Code of Get Device Address 1 Len CommandLength 1 00h Number of extra bytes of data 2 Data 0 Response Format Offset Field Size Value Description 0 abData2...

Page 54: ...and Code of Set Tx Power 1 Len CommandLength 1 01h Number of extra bytes of data 2 Data 1 00h 18 dBm Default Distance 4 meters 01h 12 dBm Distance 7 meters 02h 6 dBm Distance 16 meters 03h 0 dBm Dista...

Page 55: ...dCode 1 09h Command Code of Read Tx Power 1 Len CommandLength 1 00h Number of extra bytes of data 2 Data 0 Response Format Offset Field Size Value Description 0 abData2 ResponseCode 1 89h Response Cod...

Page 56: ...Generate random number Customer Master Key Reset Request 0F 00 Customer Master Key Reset Command Response 8F 10 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 2 Encrypt the random number and new cus...

Page 57: ...Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01h 01h Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2...

Page 58: ...address location of the memory card MEM_L Length of data to be read from the memory card Response Data Format abData field in the RDR_to_PC_DataBlock BYTE 1 BYTE N SW1 SW2 Where BYTE x Data read from...

Page 59: ...ACR3901U S1 Reference Manual info acs com hk Version 1 09 www acs com hk Page 59 of 96 Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if no error...

Page 60: ...ta field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01h 02h Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if no error...

Page 61: ...kilobit iic card where is the MSB of the 17 bit addressing Byte Address Memory address location of the memory card MEM_L Length of data to be read from the memory card Response Data Format abData fie...

Page 62: ...Page 62 of 96 Byte Address Memory address location of the memory card MEM_L Length of data to be written to the memory card Byte x Data to be written to the memory card Response Data Format abData fi...

Page 63: ...rmat abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01h 03h Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if...

Page 64: ...ddress location of the memory card MEM_L Length of data to be written to the memory card MEM_D Data to be written to the memory card Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW...

Page 65: ...7 2 3 5 INITIALIZE_AUTHENTICATION Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Q 0 Q 1 Q 7 FFh 84h 00h 00h 08h Where Q 0 Q 1 Q 7 Host random number 8 bytes Respon...

Page 66: ...ock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01h 04h Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if no error 7 2 4 2 READ_MEMORY_CARD Comman...

Page 67: ...A2A1A0b is the memory address location of the memory card 1000 0000b for writing fuse MEM_L Length of data to be written to the memory card Byte x Data to be written to the memory card Response Data F...

Page 68: ...5 INITIALIZE_AUTHENTICATION Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Q 0 Q 1 Q 7 FFh 84h 00h 00h 08h Where Byte Address Memory address location of the memory...

Page 69: ...ACR3901U S1 Reference Manual info acs com hk Version 1 09 www acs com hk Page 69 of 96 Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if no error...

Page 70: ...d in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01h 05h Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if no error 7 2 5 2...

Page 71: ...is locked exceeded the maximum number of retries Other values indicate that the last verification has failed DUMMY Two bytes dummy data read from the card SW1 SW2 90 00h if no error 7 2 5 4 READ_PROT...

Page 72: ...E x in the response data 0 byte is write protected 1 byte can be written 7 2 5 5 WRITE_MEMORY_CARD Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS Byte Address MEM_L Byte 1 B...

Page 73: ...g at Byte Address BYTE 1 is compared with the data at Byte Address BYTE N is compared with the data at Byte Address N 1 Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 S...

Page 74: ...Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 ErrorCnt 90h Where SW1 90h SW2 ErrorCnt Error Counter FFh indicates successful verification 00h indicates that the password is locked or ex...

Page 75: ...a field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01h 06h Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if no error 7...

Page 76: ...tion is correct 00h indicates that the password is locked exceeded the maximum number of retries Other values indicate that the last verification has failed DUMMY Three bytes dummy data read from the...

Page 77: ...location of the memory card MEM_L Length of data to be written to the memory card Byte x Data to be written to the memory card Response Data Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Whe...

Page 78: ...card the following actions are executed 1 Search a 1 bit in the presentation error counter and write the bit to 0 2 Present the specified code to the card 3 Try to erase the presentation error counte...

Page 79: ...d The current secret code must have been presented to the card with the PRESENT_CODE command prior to the execution of this command Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CL...

Page 80: ...e refer to PC SC specifications Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01h 07h Response Data Format abData field in the RDR_to_PC_...

Page 81: ...or writing personalization data and counter values to the card Backup bit is enabled to prevent data loss when card tearing occurs d Write with carry and backup enabled SLE 4436 SLE 5536 and SLE 6636...

Page 82: ...r and write the bit to 0 2 Present the specified code to the card The ACR3901U S1 does not try to erase the presentation counter after the code submission This must be done by the application software...

Page 83: ...wo bytes of authentication data calculated by the card Step 1 Send Authentication Certificate to the Card Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 MEM_L CODE KEY...

Page 84: ...Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 MEM_L FFh C0h 00h 00h 02h Response Data Format abData field in the RDR_to_PC_DataBlock CERT SW1 SW2 Where CERT 16 bits...

Page 85: ...SC specifications Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 P2 Lc Card Type FFh A4h 00h 00h 01 08h Response Data Format abData field in the RDR_to_PC_DataBlock SW1...

Page 86: ...yte Address Memory address location of the memory card MEM_L Length of data to be written to the memory card BYTE Byte value to be written to the card Response Data Format abData field in the RDR_to_P...

Page 87: ...r counter The User Error Counter can be erased when the submitted code is correct Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS Error Counter LEN Byte Address MEM_L CODE By...

Page 88: ...to 0 3 Erase the presentation error counter Please note that Memory Error Counter cannot be erased Command Format abData field in the PC_to_RDR_XfrBlock Response Data Format abData field in the RDR_t...

Page 89: ...a Format abData field in the RDR_to_PC_DataBlock SW1 SW2 Where SW1 SW2 90 00h if no error 7 2 9 2 READ_MEMORY_CARD Command Format abData field in the PC_to_RDR_XfrBlock Pseudo APDU CLA INS P1 Byte Add...

Page 90: ...s The EEPROM memory is organized into 16 bit words Although erases are performed on single bit the ERASE operation clears an entire word in the memory Therefore performing an ERASE on any bit in the w...

Page 91: ...tions are executed for this command 1 Present the specified code to the card a Erase the presentation error counter The data in corresponding Application Zone can be erased when the submitted code is...

Page 92: ...To erase the data in Application Zone with EC Function Enabled 2 AT88SC102 To erase the data in Application Zone 2 with EC2 Function Enabled 3 AT88SC1003 To erase the data in Application Zone 2 with...

Page 93: ...FY_SECURITY_CODE This command is used to submit Security Code 2 bytes to the inserted card Security Code is to enable the memory access of the card The following actions are executed 1 Present the spe...

Page 94: ...w the fuse of the inserted card The fuse can be EC_EN Fuse EC2EN Fuse Issuer Fuse or Manufacturer s Fuse Note The blowing of fuse is an irreversible process Command Format abData field in the PC_to_RD...

Page 95: ...anufacturer Fuse 05h 80h 01h EC_EN Fuse 05h C9h 01h Issuer Fuse 05h E0h 01h AT88SC102 Manufacturer Fuse 05h B0h 01h EC2EN Fuse 05h F9h 01h Issuer Fuse 06h 10h 01h AT88SC1003 Manufacturer Fuse 03h F8h...

Page 96: ...h Exceeded max authentication retry failure 0Ah T1 Card operation error Table 12 Error Code Android is a trademark of Google LLC Atmel is a registered trademark of Atmel Corporation or its subsidiarie...

Reviews: