background image

 

Document Version 1.2 

Last revised on 

2017-09-26 

Page 27 of 92 

 

Reference Manual for uTrust 4701F and uTrust 4711F Readers 

6.

 

Commands description 

6.1.

 

Generic APDU 

6.1.1.

 

Working with DESFire and MIFARE Plus tokens 

To work with DESFire EV1 and MIFARE Plus tokens, please refer to the according application notes 
[AN337] and [AN338], respectively. 

Please  note  that, since  these  application notes  contain information available only  under NDA with 
NXP, you’d need to sign an NDA with NXP to be allowed to receive them. 

6.1.2.

 

PAPDU_GET_UID 

GET UID will retrieve the UID or SNR or PUPI of the user token. This command can be used for all 
supported technologies. 

Command APDU: 

CLA 

INS 

P1 

P2 

Lc 

Data in 

Le 

0xFF 

0xCA 

0x00 

0x00 

XX 

 

Setting Le = 0x00 can be used to request the full UID or PUPI is sent back.(e.g. for ISO14443A single 4 
bytes, double 7 bytes, triple 10 bytes, for ISO14443B 4 bytes PUPI). 

Response APDU: 

Data 

Status Word 

Requested bytes of UID 

SW1, SW2 

 

6.1.3.

 

PAPDU_ESCAPE_CMD 

Usually  escape  commands  are  transmitted  through  SCardControl  as  defined  in  PCSC  API  using 
IOCTL_CCID_ESCAPE. But on some environments, the driver will block this IOCTL unless the registry 
has  been  edited  to  allow  it.  Hence  this  vendor  specific  APDU  was  defined  to  transmit  Escape 
commands to the reader as below 

Command APDU: 

CLA 

INS 

P1 

P2 

Lc 

Data in 

Le 

0xFF 

0xCC 

0x00 

0x00 

Length of data 

Escape Command Buffer  XX 

 

Response APDU: 

Data 

Status Word 

Reader Response 

SW1, SW2 

 

 

 

Summary of Contents for uTrust 4701F

Page 1: ...Reference Manual for uTrust 4701F Dual Interface Reader and uTrust 4711F Contactless Reader with SAM For Part 905504 1 and 905565 1 Document Version 1 2 Last Revised On 2017 09 26...

Page 2: ...r and uTrust 4711F Contactless Reader with SAM Audience This document is intended for system integrators and software developers Revision History Rev Date Description 1 0 2013 24 01 Initial Version 1...

Page 3: ...ures 12 3 3 uTrust 47xx F ordering information 13 3 4 Available options 13 3 5 uTrust 47xx F customization options 13 3 6 Contactless communication principles and uTrust 47xx F usage recommendations 1...

Page 4: ...T CL Pass Thru 36 6 2 11 PAPDU_ISO14443_PART3_PASS_THRU Mifare Pass Thru 37 6 2 12 PAPDU_ISO14443_PART4_PART3_SWITCH TCL Mifare Switch 37 6 2 13 PAPDU_FELICA_REQC 37 6 2 14 PAPDU_FELICA_REQ_SERVICE 38...

Page 5: ...CNTLESS_P2P_INITIATOR_DESELECT 70 6 3 4 21 CNTLESS_P2P_INITIATOR_TRANCEIVE 71 6 3 4 22 CNTLESS_NFC_SINGLESHOT 72 6 3 4 23 CNTLESS_NFC_LOOPBACK 72 6 3 4 24 CNTLESS_GET_SET_NFC_PARAMS 73 6 3 4 25 CNTLES...

Page 6: ...armful interference and 2 This device must accept any interference received including interference that may cause undesired operation This equipment has been tested and found to comply with the limits...

Page 7: ...copy or distribute parts of or the entire source code without prior written consent from Identiv Inc You MAY NOT combine or distribute the source code provided with Open Source Software or with softw...

Page 8: ...cribes in detail interfaces and supported commands available for developers using uTrust47xx F in their applications 2 2 Target audience This document describes the technical implementation of uTrust...

Page 9: ...D Light emitting diode MIFARE The ISO14443 Type A with extensions for security NXP NA Not applicable NAD Node Address Nibble Group of 4 bits 1 digit of the hexadecimal representation of a byte Example...

Page 10: ...SO IEC 14443 4 2001 E ISO IEC PC SC Interoperability Specification for ICCs and Personal Computer Systems v2 01 PC SC Workgroup PCSC3 Interoperability Specification for ICCs and Personal Computer Syst...

Page 11: ...ented by lower case b where followed by a numbering digit Bytes are represented by upper case B where followed by a numbering digit Example 163 decimal number is represented in hexadecimal as 0xA3 in...

Page 12: ...ffer best in class interoperability 3 2 uTrust 47xx F key features 13 56MHz contactless reader o ISO14443 type A B o MIFARETM ISO7816 compliant contact smart card reader for ID 1 cards uTrust 4701 F I...

Page 13: ...wireholder It could be used to either place the reader on the desktop with an angle of 40 in regard to the desk or to mount it to a wall with a 40 angle in regard to that The wireholder keeps the con...

Page 14: ...put in the magnetic field of the reader its antenna couples with the reader and an induction current appears in the antenna thus providing power to the integrated circuit The generated current is pro...

Page 15: ...the geometry and especially the relative size of the reader s and credential s antennas directly influence the inductive coupling and therefore the communication uTrust 47xx F was designed and optimiz...

Page 16: ...e payment or transport applications or PKI or CAC applications Identiv Inc provides a few applications for development and evaluation purposes that can function with uTrust 47X0 F There are many tools...

Page 17: ...us indication A contact smart card interface An RF front end that handles the RF communication The controller embeds flash memory that contains the firmware developed by Identiv to handle all the ISO7...

Page 18: ...leverages a PC SC CCID driver that is freely available for all supported operating systems Windows macOS X and Linux With current Windows versions starting with Windows Vista and macOS X this driver...

Page 19: ...2g External dimensions 126 mm X 93 mm X 22 mm Cable length 1 5 meter long with USB type A connector Default color White and grey Default label 55 5 mm x 15 5 mm uTrust 4711 F Weight 157g without stand...

Page 20: ...ed Contactless card IN but not powered ON ON Contact card powered communication 500ms ON 500ms OFF OFF Contactless card powered communication 500ms ON 500ms OFF 500ms ON 500ms OFF Reader card errors O...

Page 21: ...e 600Kbps Cards supported ISO IEC 7816 smart cards Class A B and C Synchronous smart cards ISO 7816 compliant Yes CT API compliant Yes Number of slots Single smart card slot Ejection mechanism Manual...

Page 22: ...Utilities The following utilities are available A tool for testing the resource manager A tool called PCSCDiag capable of providing basic information about the reader and a card through PC SC stack 5...

Page 23: ...e examples of this Byte Value Designation Description 0 0x3B Initial header 1 0x8n T0 n indicates the number of historical bytes in following ATR 2 0x80 TD1 upper nibble 8 indicates no TA2 TB2 TC2 low...

Page 24: ...torical bytes in following ATR 2 0x80 TD1 upper nibble 8 indicates no TA2 TB2 TC2 lower nibble 0 means T 0 3 0x01 TD2 upper nibble 0 indicates no TA3 TB3 TC3 lower nibble 1 means T 1 4 3 n Historical...

Page 25: ...CCID messages are supported for the contact interface when received through bulk out endpoint PC_to_RDR_IccPowerOn PC_to_RDR_IccPowerOff PC_to_RDR_GetSlotStatus PC_to_RDR_XfrBlock PC_to_RDR_GetParamet...

Page 26: ...PROTOCOL_NOT_SUPPORTED This error code is returned if the card is signaling to use a protocol other than T 0 or T 1 in its ATR 5 4 1 3 4 BAD_ATR_TS This error code is returned if the initial character...

Page 27: ...for all supported technologies Command APDU CLA INS P1 P2 Lc Data in Le 0xFF 0xCA 0x00 0x00 XX Setting Le 0x00 can be used to request the full UID or PUPI is sent back e g for ISO14443A single 4 byte...

Page 28: ...ER_SETMODE 0X01 escape command this pseudo APDU would be used Command APDU FF CC 00 00 02 01 01 to set to EMV mode Response APDU 90 00 Note 1 To send Escape commands using this method the reader shoul...

Page 29: ...ad Binary 0xFF 0xB0 Addr MSB Addr LSB xx P1 and P2 represent the block number of the block to be read starting with 0 for sector 0 block 0 continuing with 4 for sector 1 block 0 sector no x 4 block no...

Page 30: ...pdate Binary 0xFF 0xD6 Addr MSB Addr LSB xx data For a description of P1 and P2 see PAPDU_MIFARE_READ_BINARY Lc has got to match the block size of the used card 16 bytes for Mifare Classic 4 bytes for...

Page 31: ...it is ignored Only one reader key 0x00 is supported by uTrust 47xx F Notes 1 Card keys can be loaded in both secure and non secure mode Card keys can only be loaded to the Volatile memory of the reade...

Page 32: ...n the following explains the steps needed to change the reader key to 10111213 15161718 1A1B1C1D 1F202122 Reader old key A 00010203 05060708 0A0B0C0D 0F101112 Reader new key B 10111213 15161718 1A1B1C...

Page 33: ...Read sector 1 of a Mifare Classic 1K APDU FF B1 00 01 00 SW12 9000 OK DataOut 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F AA 55 AA 55 AA 55 AA 55 AA...

Page 34: ...of Mifare Classic Command APDU Command CLA INS P1 P2 P3 Data Write Sector FF D7 AddrMsb AddrLsb Lc Data Lc P3 has got to be 0x30 when writing to the small sectors of a Mifare Classic and 0xF0 when wr...

Page 35: ...alue of a data object if the card supports it Refer to section 3 2 2 1 10 of PCSC3 AMD1 for further details Command APDU Command CLA INS P1 P2 Lc Data Le Increment Decrement FF C2 00 03 xx BER TLV 00...

Page 36: ...A 81 Data object XX not supported XX 67 00 Data object XX with unexpected length XX 6A 80 Data object XX with unexpected vale XX 64 00 Data Object XX execution error no response from IFD XX 64 01 Data...

Page 37: ...s the card state between TCL and MIFARE modes Command APDU Command CLA INS P1 P2 P3 Data Part 4 Part 3 Switch FF F8 P1 00 00 P1 0x00 switches from MIFARE mode to TCL mode P1 0x01 switches from TCL mod...

Page 38: ...SPONSE This command issues a REQ RESPONSE as defined in JIS 9 6 1 When an NFC Forum tag type 3 receives this command it responds with its current mode 0 1 2 Command APDU Command CLA INS P1 P2 P3 Data...

Page 39: ...ecified service Command APDU Command CLA INS P1 P2 P3 Data FeliCa Write Block 0xFF 0x48 Number of service Number of blocks 2 P1 P2 16 P2 Service Code List Block List Block Data Response APDU Data Stat...

Page 40: ...UID3 SW1 SW2 Where HR0 and HR1 are the 2 bytes Header ROM which identify the tag UID0 through UID3 are the first 3 bytes of the tag s UID Topaz tags have a 7 bytes long UID which can be fully fetched...

Page 41: ...3 Block value between 0x0 and 0xE b2 b0 Byte within the block value between 0 and 7 Response APDU Data Status Word Data returned by card SW1 SW2 6 2 22 PAPDU_NFC_TYPE1_TAG_WRITE_E This command issues...

Page 42: ...P2 P3 Data TYPE1 Tag WRITE No ERASE FF 58 00 Byte Addr 01 Data Where P2 codes the address of the memory byte in the following way Bit numbers Description b7 b3 Block value between 0x0 and 0xE b2 b0 B...

Page 43: ...ere P2 Block Address is Bit numbers Description b7 b0 General block 0x00 0xFF Response APDU Data Status Word 8 bytes of data SW1 SW2 6 2 26 PAPDU_NFC_TYPE1_TAG_WRITE_E8 This command issues a WRITE8 to...

Page 44: ...the value of the targeted byte before writing the new data Using this command EEPROM bits can be set but not reset Please note that this command only works on Topaz tags in dynamic memory model Comma...

Page 45: ...and APDU defined in this manual Please note that SCardTransmit will only work when connected to a card In Windows in order to be able to send Escape commands to the uTrust 47xx F the feature has got t...

Page 46: ...ID_04E6 PID_5725 MI_00 Device Instance xxxx Device Parameters that for uTrust 4711 F contactless part would be HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Enum USB VID_04E6 PID_5725 MI_01 Device Insta...

Page 47: ...ion To put the uTrust 47xx F back into its default mode it either has to be unplugged and plugged again or the application can send the same Escape command again The following Escape commands are supp...

Page 48: ...r Mode Value Remarks ISO 7816 0x00 ISO 7816 mode Applicable for both contact slot and contactless slot EMV 0x01 EMV Applicable only for contact slot and ignored by contactless interface Synchronous 0x...

Page 49: ...ISO 7816 mode EMV 0x01 EMV mode Synchronous 0x02 Memory card mode synchronous NFC Test 0x04 NFC Test Mode 6 3 3 3 READER_GET_IFDTYPE This Escape command is used to get the current IFD type from the re...

Page 50: ...uld be disabled using the escape command READER_LED_CONTROL_BY_FW to see proper LED change when using this IOCTL Input The first byte of the input buffer contains the escape code followed by LED numbe...

Page 51: ...current firmware version 1 byMinorVersion Minor Version in BCD 1 bySupportedModes Bit map indicating the supported modes of the reader 0x01 EMV mode 0x02 Memory card mode 0x04 Nfc test mode 0x07 for...

Page 52: ...ata area in the reader The user area is located in the non volatile memory of the reader and hence data will be retained even after power cycle Note Frequent writes should be avoided The non volatile...

Page 53: ...ER _CONTROL_CONTACT_SLOT This Escape command is supported through the READER_GENERIC_ESCAPE message This command can be used to disable the contact slot until it is re enabled through the same command...

Page 54: ...48 0x9D CNTLESS_GET_BAUDRATE 0x9E CNTLESS_CONTROL_RETRIES 0xA7 CNTLESS_CONTROL_POLLING 0xAC CNTLESS_FORCE_BAUDRATE 0xAD CNTLESS_GET_CARD_DETAILS 0xDA CNTLESS_SET_CONFIG_PARAMS 0xE1 CNTLESS_IS_COLLISIO...

Page 55: ...ard to Reader communication baud rate BYTE is defined as follows b0 212kbps supported direction reader to card b1 424kbps supported direction reader to card b2 848kbps supported direction reader to ca...

Page 56: ...is configured to poll for The input buffer shall contain the escape command code in the first byte and an optional extension specifier 0xFF in the second byte Byte0 Byte1 0x94 Empty or 0xFF The output...

Page 57: ...disable the polling for a given type of the card after having placed that card on the reader Since reader would immediately stop polling for the card it would never detect that card is removed The in...

Page 58: ...tus 0 PPS is enabled 1 PPS is disabled Output No response is returned for set state For Get State 1 byte response is received Output buffer NULL or current state 6 3 4 6 CNTLESS_RF_SWITCH This Escape...

Page 59: ...the reader No Output 0xFF Get current field state 0x00 RF is OFF when contact card is present in the reader 0x01 RF is ON when contact card is present in the reader After the RF is turned off to turn...

Page 60: ...00 106Kbps in both directions 0x01 106Kbps from PICC to PCD 212Kbps from PCD to PICC 0x02 106Kbps from PICC to PCD 424Kbps from PCD to PICC 0x03 106Kbps from PICC to PCD 848Kbps from PCD to PICC 0x10...

Page 61: ...t state of retries 0x00 Retries are enabled 0x01 Retries are disabled Output No response is returned for set state For Get State 1 byte response is received Output buffer NULL or current state 6 3 4 1...

Page 62: ...rted if bit is set to 1 b5 DS 4 supported if bit is set to 1 b6 DS 8 supported if bit is set to 1 b7 1 if the same D is required for both communication directions b7 0 if different D is supported for...

Page 63: ...ed if length smaller than 10 B13 0x00 CID not supported 0x01 CID supported B14 0x00 NAD not supported 0x01 NAD supported B15 Bit Rate Capability B16 FWI B17 IFSC B18 MBLI B19 SAK B20 SFGI OR B3 B10 8...

Page 64: ...te Value Description B0 0XE1 Escape code B1 Type A RXGAIN for polling or 106Kbps B2 Type A RXGAIN for 212 Kbps B3 Type A RXGAIN for 424 Kbps B4 Type A RXGAIN for 848 Kbps B5 Type A RX THRESHOLD for po...

Page 65: ...ue Description 0x00 Collision is not detected 0x01 Collision is detected 6 3 4 16 CNTLESS_FELICA_PASS_THRU This Escape command is used as a pass through to send FeliCa commands to FeliCa cards Input T...

Page 66: ...escape code The second byte either sets the mode or contains a code to retrieve the setting Additional data bytes will be needed for Initiator Target mode Offset Description Detailed description 0 0xE...

Page 67: ...NFCID2 13 0xBB NFCID2 14 0xBA NFCID2 15 0xA6 NFCID2 16 0xC9 NFCID2 17 0x89 NFCID2 18 C0 FeliCa Padding Bytes 19 C1 FeliCa Padding Bytes 20 C2 FeliCa Padding Bytes 21 C3 FeliCa Padding Bytes 22 C4 Fel...

Page 68: ...the target device would be given to the host computer Target Mode On successful detection by the initiator the entire ATR_REQ buffer from the initiator device would be given to the host computer Read...

Page 69: ...ly switched to target mode using CNTLESS_P2P_SWITCH_MODES E9 Input Buffer Offset Description Detailed description 0 0xEA Target Receive 1 RFU 2 RFU 3 RFU 4 0 No Chaining 1 Chaining Chaining byte 5 Tim...

Page 70: ...Chaining Chaining byte 5 Timeout Low Byte 6 Timeout High Byte Offset 7 to offset 7 N N data bytes Bytes to be sent to Initiator device Output Once the data bytes are sent successfully the firmware wo...

Page 71: ...Offset Description Detailed description 0 0xE7 Initiator transceive 1 0x00 RFU 2 0x00 RFU 3 0x00 RFU 4 0 No Chaining 1 Chaining Chaining 5 Timeout Low Byte 6 Timeout High Byte Offset 7 to 7 N N bytes...

Page 72: ...on 0 0xEC NFC Single shot 1 0x01 NFC_DEP supported If a value other than 0x01 is given NFC_DEP is not supported in the preceding I Blocks Output Output buffer NULL 6 3 4 23 CNTLESS_NFC_LOOPBACK This E...

Page 73: ...ameters the command syntax is Byte0 CLA Byte1 INS Byte2 P1 Byte3 P2 Byte4 Lc Byte5 Byte6 Byte7 Byte 8 Le 0xFF 0x70 0x04 0xE6 0x04 0x04 opcode 0x01 SET NFC Parameter Value 00 To get the parameters the...

Page 74: ...ed to check if external RF is reset after the reader got detected in target mode Input Byte0 CLA Byte1 INS Byte2 P1 Byte3 P2 Byte4 Lc Byte5 Le 0xFF 0x70 0x04 0xE6 0x01 0x06 opcode 00 Output If the com...

Page 75: ...E 0x04 CONTACT_EMV_LOOPBACK 0x05 CONTACT_EMV_SINGLEMODE 0x06 CONTACT_EMV_TIMERMODE 0x07 CONTACT_APDU_TRANSFER 0x08 CONTACT_DISABLE_PPS 0x0F CONTACT_EXCHANGE_RAW 0x10 CONTACT_GET_SET_CLK_FREQUENCY 0x1F...

Page 76: ...perating voltage the firmware will continue card communication at that voltage If power up fails in all the enabled operating voltages then the firmware will report an error Input The first byte of th...

Page 77: ...A voltage 5V 3V 1 8V order For retrieving current Power up sequence 0xFF the output will be Byte0 Value Description 0x00 Starts with Class C voltage 1 8V 3V 5V order 0x01 Starts with Class A voltage 5...

Page 78: ...p back application as specified in the EMV Level 1 Testing Requirements document Input Byte0 Escape code 0x06 Output Output buffer NULL 6 3 5 4 CONTACT_EMV_TIMERMODE This Escape command lets the host...

Page 79: ...r smart cards This setting will take effect from the next card connect and remains effective till it is changed again or the next Reader power on Default mode is PPS enabled Input The first byte of th...

Page 80: ...change in frequency will take effect immediately Default divisor value is 10 that is 4 8MHz Input The first byte of the input buffer contains the Escape code the next byte contains the clock divisor v...

Page 81: ...trol byte Byte0 Byte1 Value Description Escape code 0x88 0x00 Enable ATR validation 0x01 Disable ATR validation Output Output buffer NULL 6 3 5 10 CONTACT_GET_SET_MCARD_TIMEOUT This Escape command is...

Page 82: ...Input The input buffer contains the Escape code followed by an 8 bit GET SET identifier For SET ETU a DWORD specifying the value to be set is following Byte0 Byte1 Byte2 Byte3 Byte4 Byte5 Value Descri...

Page 83: ...x00 CWT BIT31 BIT24 BIT23 BIT16 BIT15 BIT8 BIT7 BIT0 0x01 BWT 0x00 GET Wait time 0x00 CWT 0x01 BWT Output For both Get Set Wait time the output will be the following Byte0 Byte1 Byte2 Byte3 Wait time...

Page 84: ...pported through the READER_GENERIC_ESCAPE command and retrieves the number of times a contact smart card has been inserted into the reader Input The first five bytes of the input buffer follow APDU st...

Page 85: ...Annex A Status words table SW1 SW2 Description 0x90 0x00 NO ERROR 0x63 0x00 NO INFORMATION GIVEN 0x65 0x81 MEMORY FAILURE 0x67 0x00 LENGTH INCORRECT 0x68 0x00 CLASS BYTE INCORRECT 0x6A 0x81 FUNCTION N...

Page 86: ..._EMV_LOOPBACK 0x05 define CONTACT_EMV_SINGLEMODE 0x06 define CONTACT_EMV_TIMERMODE 0x07 define CONTACT_APDU_TRANSFER 0x08 define CONTACT_CONTROL_PPS 0x0F define CONTACT_EXCHANGE_RAW 0x10 define CONTAC...

Page 87: ...S_SUCCESS s ReaderName 0 printf Connecting to reader s n s ret SCardConnect ContextHandle s SCARD_SHARE_DIRECT SCARD_PROTOCOL_UNDEFINED CardHandle ActiveProtocol if ret SCARD_S_SUCCESS InByte 0x1E ret...

Page 88: ...aderInfo bySerialNoLength i if strReaderInfo abySerialNumber i 0 printf c strReaderInfo abySerialNumber i else printf SCardControl failed 08X n ret else printf SCardConnect failed 08X n ret ret SCardR...

Page 89: ...Document Version 1 2 Last revised on 2017 09 26 Page 89 of 92 Reference Manual for uTrust 4701F and uTrust 4711F Readers 7 3 Annex C Mechanical drawings 7 3 1 Reader s Outline and cable positions...

Page 90: ...Document Version 1 2 Last revised on 2017 09 26 Page 90 of 92 Reference Manual for uTrust 4701F and uTrust 4711F Readers 7 3 2 Stand...

Page 91: ...Document Version 1 2 Last revised on 2017 09 26 Page 91 of 92 Reference Manual for uTrust 4701F and uTrust 4711F Readers 7 3 3 Reader mounted to Stand...

Page 92: ...Document Version 1 2 Last revised on 2017 09 26 Page 92 of 92 Reference Manual for uTrust 4701F and uTrust 4711F Readers 7 3 4 uTrust 4711 F SAM slot...

Reviews: