# AN10993 Pegoda Software Design Guide Rev. 1.0 — 21 March 2011

196110

**Application note** COMPANY PUBLIC

### **Document information**

| Info     | Content                                                                                                                                                             |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Keywords | Pegoda software design guide, firmware documentation, software documentation, firmware update, Pegoda firmware architecture, Pegoda functional overview, PC/SC mode |
| Abstract | This document provides a comprehensive architectural overview of the Pegoda software.                                                                               |



### **Revision history**

| Rev | Date     | Description   |
|-----|----------|---------------|
| 1.0 | 20110321 | First release |
|     | 20101101 | Draft version |

# **Contact information**

For additional information, please visit: http://www.nxp.com

For sales office addresses, please send an email to: salesaddresses@nxp.com

AN10993

All information provided in this document is subject to legal disclaimers.

# 1. Introduction

### 1.1 Scope

The scope of this document covers the software architecture coming with the Pegoda package. This includes a description of the integrated firmware stack on the LPC1768 controller as well as a high level overview of available modes in RD710/RX852.

The Basic Function Library (BFL) architecture and modules are covered in a separate document. Examples on how to setup the BFL stack on PC environment to communicate in different SAM modes and card products are covered in the Example Project Document [5].

The firmware/BFL may be changed individually to its own needs. An adequate tool chain for loading the firmware project file and doing further programming/debugging is introduced in the documents [7].

Updates for future firmware releases may be provided by NXP and can be easily downloaded by USB.



# **1.2 Audience**

This document is intended for use by manufacturers wanting to develop applications based on the software stack delivered within the Pegoda package.

Note that understanding parts of this document requires knowledge on microcontroller and their underlying systems.

### **1.3 Applicable documents or references**

- [1] [ISO/IEC 14443]
- [2] PC/SC Workgroup Specifications (www.nxp.com/redirect/pcscworkgroup.com/specifications/specdownload)
- [3] onARM: see <u>www.nxp.com/redirect/onarm</u> for more information
- [4] See <u>www.nxp.com/redirect/freetos</u> for more information
- [5] www.nxp.com/redirect/en.wikipedia.org/wiki/Interrupt\_handler
- [6] AN10990 Example Project Pegoda
- [7] ANxxxx ISP Programming Toolchain
- [8] www.nxp.com/redirect/ics.nxp.com/products/lpc1000/all/~LPC1768 or on CD

For information on availability of samples as well as documentation, please refer to the application note 'Pegoda EV710/EV852 Documentation and Sampling guide'.

### 1.4 Acronyms and abbreviations

| SAM | Secure Access Module   |
|-----|------------------------|
| S   | SAM in S-Mode          |
| Ν   | no SAM                 |
| Х   | SAM in X-Mode          |
| BFL | Basic Function Library |

# 2. Functional overview and mode of operation

The reader firmware can perform contact and contactless communication. The contact part is used to communicate with a SAM. The contactless part performs the polling and activation sequence according to PC/SC part 2, ISO/IEC 14443-3 and 14443-4 standards.

The polling and activation sequence can be turned off and on with the use of escape (PC/SC part 3) commands. The polling and activation sequence is automatically disabled if escape commands are executed that would interfere with the normal operations. The firmware also interprets the ADPUs for MIFARE which are defined in PC/SC part 3.

The main modes of operation are being set by DIP switches which are located on the reader. Some configuration parameters can be set with the escape commands. The reader will store them in non-violate memory. The user will be able to reset the configuration back to default state.

The firmware will construct the product name – which is returned by USB descriptor – to easily identify the reader/SAM configuration. Depending on the DIP switches, there are three possible configurations

- 1. No SAM (Pegoda 2 N)
- 2. SAM in X-Mode (Pegoda 2 X)
- 3. SAM in S-Mode (Pegoda 2 S)

The user will be able to flash the board with custom or original firmware with three methods:

- 1. Over USB (IAP)
- 2. Over serial port (ISP)
- 3. Over JTAG with the use of external program

### The Pegoda reader provides four modes of operation:

- Demo Mode
- PCSC Mode
- Overwrite Configuration Mode
- Enter Secondary Bootloader Mode

### 2.1 Demo mode

The demo mode is used to showcase in an autonomous way the functionality of the reader. In this mode, ISO14443-3A activation loop is performed and based on **SAK** blink the LEDs according to the next table:

| Table 1.  | Card type according to SAK and number of beep |       |
|-----------|-----------------------------------------------|-------|
| Card type |                                               | sound |
|           | K (0v08)                                      | 1     |

| Card type                | sound |
|--------------------------|-------|
| MIFARE Ultralight (0x00) | 3     |
| MIFARE DESFire           | 4     |
| MIFARE Plus              | 5     |

The demo mode can run in all three operation modes (non SAM, SAM in S, SAM in X mode).

The demo mode is implemented in *src/p2\_fw\_demo\_mode.c* in the task:

```
void p2_fw_task_demo_mode (void * param);
```

it distinguishes between BFL and SAM driven demo.

The BFL mode is implemented in

static void p2\_fw\_task\_demo\_mode\_bfl (void \* param);
for the usage of the BFL library.

The SAM mode is implemented in

```
static void p2_fw_task_demo_mode_sam (void * param);
```

for the usage of SAM APDUs and T=1 protocol.

### 2.2 PC/SC Mode

In this mode the reader acts as a fully compliant PC/SC reader. The PC/SC mode provides two sub modes called

- Standard mode
- Direct mode.

The standard mode provides routines and commands according to the PC/SC standard. The user can also directly control the reader (e.g. manual activation of cards, settings IC registers) by using the direct mode.

The mode is split into two tasks:

void p2\_fw\_task\_pcsc\_execute (void \* param);

which takes care of scheduling the bottom halfs of interrupt functions and

void p2\_fw\_task\_pcsc\_poll\_and\_act\_loop (void \* param);

which performs activation and pooling of cards.

There are three types of operating modes within the PC/SC mode:

- No SAM mode
- SAM in non X-mode
- SAM in X-Mode

### 2.2.1 No SAM mode

The most important aspect of this mode is performing activation and polling sequence for ISO 14443 A type cards as defined in PC/SC part 3. Selected cards are put in slot manager and notification is sent to PC/SC driver. There can be only one ISO 14443-3 card or multiple (maximum 14) ISO 14443-4 cards in the field.



### 2.2.2 SAM in non X-mode

SAM in non X-mode is similar as 2.2.1 No SAM mode. The only difference is that slot 0 is always occupied with SAM, which can be used as key store, cryptographic engine, etc.

The reader chip can not be controlled by SAM in this mode.



### 2.2.3 SAM in X-mode

In this mode communication is only through SAM (slot 0). Only limited number of proprietary commands can be executed.



# 2.2.4 The Interrupt Driven Part

Interrupts from external interfaces are serviced by interrupt services which mainly read-in data sent from external device to the reader. After the data is read-in to the communication buffer we call:

void p2\_fw\_ccid\_top\_half\_dispatch(void);

in *src/p2\_fw\_ccid.c* which acts as a dispatcher for the CCID messages. For serial and ethernet messages (if selected interface is other then USB then the reader goes in to direct mode) the interrupt service always provides a CCID XFER Block command.

In the dispatcher we check if the requested command is supported and allowed and then call one of the dedicated functions:

• for CCID ICC\_POWER\_ON we call

void p2\_fw\_ccid\_icc\_power\_on\_top\_half (void);

for CCID GET\_SLOT\_STATUS we call

void p2\_fw\_ccid\_get\_slot\_status\_top\_half (void);

• for CCID ICC\_POWER\_OFF we call

void p2\_fw\_ccid\_icc\_power\_off\_top\_half (void);

• for CCID XFR\_BLOCK we call

void p2\_fw\_ccid\_xfr\_block\_top\_half (void);

• for CCID GET\_PARAMETERS we call

void p2\_fw\_ccid\_get\_parameters\_top\_half (void);

• for CCID SET\_PARAMETERS we call

void p2\_fw\_ccid\_set\_parameters\_top\_half (void);

• for CCID ESCAPE we call

void p2\_fw\_ccid\_escape\_top\_half (void);

These top half handlers do the smallest amount of work because we are still in the interrupt service routine. Mostly they only check if the frame is valid and of correct size and at the end schedule a bottom half which is run by execute task and which does the real work.

The bottom half functions are implemented in src/p2\_fw\_ccid.c with the following routines:

### Get Status Bottom half

Bool p2\_fw\_ccid\_get\_slot\_status\_bottom\_half (uint8\_t slot\_idx);

Returns status for slot defined by slot\_idx.

### **Power On Bottom Half**

Bool p2\_fw\_ccid\_icc\_power\_on\_bottom\_half (uint8\_t slot\_idx);

Powers on the SAM.

### **Power Off Bottom Half**

Bool p2\_fw\_ccid\_icc\_power\_off\_bottom\_half (uint8\_t slot\_idx);

Powers off the SAM card or Halts a contactless card if one is present.

### **Get Parameters Bottom Half**

Bool p2\_fw\_ccid\_get\_parameters\_bottom\_half (uint8\_t slot\_idx); Returns parameters of a card in slot.

### Set Parameters Bottom Half

Bool p2\_fw\_ccid\_set\_parameters\_bottom\_half (uint8\_t slot\_idx);
Sets parameters for a card in a slot.

### **Escape Bottom Half**

Bool p2\_fw\_ccid\_escape\_bottom\_half (uint8\_t slot\_idx);

Can be used to execute some of the direct mode commands in other modes.

### Xfer Bottom Half

Bool p2\_fw\_ccid\_xfr\_block\_bottom\_half (uint8\_t slot\_idx);

This is the most complex function which performs multiple actions depending on the sub mode.

### 2.2.5 Standard Submode

In standard mode the reader sends APDUs to an ISO14443-4 compliment card:

```
static Bool p2_fw_ccid_xfr_bh_l4_xfer (uint8_t slot_idx);
```

and to the SAM:

static Bool p2\_fw\_ccid\_xfr\_bh\_sam (uint8\_t slot\_idx);

The firmware also interprets the APDUs for MIFARE which are defined in PC/SC part 3. The list of supported APDUs is as following:

Get Data

static Bool p2\_fw\_pcsc\_ext\_cmd\_get\_data(uint8\_t slot\_idx);

• Load Keys

static Bool p2\_fw\_pcsc\_ext\_cmd\_load\_key(uint8\_t slot\_idx);

• General Authenticate

static Bool p2\_fw\_pcsc\_ext\_cmd\_auth(uint8\_t slot\_idx);

• Read binary

static Bool p2\_fw\_pcsc\_ext\_cmd\_read\_bin(uint8\_t slot\_idx);

Update binary

static Bool p2\_fw\_pcsc\_ext\_cmd\_update\_bin(uint8\_t slot\_idx);

### 2.2.6 Direct Submode

After we enter the direct mode the payload of xfer command is interpreted by the firmware. The main dispatcher function for direct mode:

Bool p2\_fw\_dm (uint8\_t message\_type, uint16\_t allowed\_cmds);

Every subset of direct mode is coded in its own file:

### **Reader Operations**

Implements commands for Reader Operations. Entry point:

Bool p2\_fw\_dm\_ro (uint8\_t message\_type);

### HAL Commands

Implements commands for HAL Commands. Entry point:

Bool p2\_fw\_dm\_hal (uint8\_t message\_type);

### ISO14443-3

### Implements commands for ISO14443-3. Entry point:

Bool p2\_fw\_dm\_l3 (uint8\_t message\_type );

All information provided in this document is subject to legal disclaimers.

### ISO14443-4Activation

Implements commands for ISO14443-4Activation. Entry point:

Bool p2\_fw\_dm\_l4a (uint8\_t message\_type);

### ISO14443-4

Implements commands for ISO14443-4 layer. Entry point:

Bool p2\_fw\_dm\_l4 (uint8\_t message\_type );

### **MIFARE Exchange**

Implements commands for MIFARE Exchange. Entry point:

Bool p2\_fw\_dm\_xchg (uint8\_t message\_type);

### CID Manager

Implements commands for CID Manager. Entry point:

Bool p2\_fw\_dm\_cid (uint8\_t message\_type);

### **Contact Card Communication**

Implements commands for Contact Card Communication. Entry point:

Bool p2\_fw\_dm\_cc (uint8\_t message\_type);

### Key Store

Implements commands for Key Store. Entry point:

Bool p2\_fw\_dm\_key\_store (uint8\_t message\_type);

### **Pooling and Activation Part**

Pooling and activation is implemented in three functions. It has its own task:

void p2\_fw\_task\_pcsc\_poll\_and\_act\_loop (void \* param);

This function performs the activation for ISO14443-3 level. If a card supports an ISO14443-4 level card then it calls:

static Bool p2\_fw\_task\_int\_do\_l4 (uint8\_t \* atq);

For pooling it uses:

static void p2\_fw\_task\_int\_do\_poll (void);

# 2.3 Overwrite Configuration Mode

In this mode we issue:

void p2\_fw\_flash\_erase\_config(void);

from src/p2\_fw\_flash\_utils.c which erases configuration from flash and then we call:

void p2\_fw\_invoke\_error\_mode(uint32\_t error\_code);

to inform the user that the overwrite was done.

### 2.4 Enter Secondary Bootloader Mode

In this mode we set a configuration option P2\_FW\_CFG\_ENT\_SEC\_BOOT\_MODE to buff[0] = 1 with the use of

Bool p2\_fw\_flash\_set\_config(uint32\_t cfg\_id, uint8\_t \* buff);

and then we issue a reset with the use of CMSIS function.

# 3. Library and source code overview

The firmware is composed from different libraries:

• BFL – NXP Basic Function Library 4.8 (can be found in bfl directory in the source tree) – provides all functions related to interaction with cards

• BFL Extensions – Extensions to the BFL provided by NXP – provides key store implementation required by the direct mode reader operation

• CMSIS - Cortex Microcontroller Software Interface Standard with extra peripheral drivers (can be found in cmsis directory in the source tree) – provides startup code and peripheral drivers and easier porting to other hardware platforms [3]

• FreeRTOS operating system (can be found in FreeRTOS\_6\_0\_0 directory in the source tree) – provides multitasking and tasks intercommunication and easier porting to other hardware platforms

• lpcusb – USB stack designed for NXP LPC family of microcontrollers (can be found in lpcusb directory in the source tree)

- debug simple debug library (can be found in debug directory in the source tree)
- firmware code (can be found in src and include directory in the source tree)

# 3.1 Architecture of the Pegoda 2 Firmware

The firmware is interrupt driven and can be split in two logical parts:

- the interrupt handling
- scheduled tasks

All interrupts are processed through top/bottom half (see **Error! Reference source not found.**) interfaces. Basically the interrupt service routine (also called top half) schedules bottom half which does not run in interrupt execution space but in "normal" execution space.

The scheduled tasks are described in the following chapters.

# 3.2 Description of firmware code

The following firmware source files (see Fig 5) can be found in the project. The main functionality will be described in the following section.



### 3.2.1 P2\_fw\_bfl.c

This file contains functions related to old BFL initialization and usage.

bool p2\_fw\_bfl\_init (void) – performs initialization of required BFL structures. We
initialize the hardware interface, the required subsystems (IO and OpCtrl) and
ISO14443 layer 3, 4A and 4 components.

PARAMETERS: NONE

### **RETURN: NONE**

• void p2\_fw\_bfl\_set\_up\_rc\_type\_a\_reading (void) – sets up registers for ISO14443-3A card type reading.

PARAMETERS: NONE

**RETURN: NONE** 

• bool p2\_fw\_bfl\_reset\_reader (void) - resets reader chip.

PARAMETERS: NONE RETURN: NONE

• **void p2\_fw\_bfl\_set\_timeout** (uint16\_t qsec, uint8\_t aFlags) – sets timeout to the reader chip timer in milliseconds or microseconds depending on the flags setting. Please note that values larger than 39590ms will cause overflow.

PARAMETERS: qsec - uint16\_t value

aFlags - can be:

- P2\_FW\_TMR\_MS qsec is in milliseconds
- P2\_FW\_TMR\_US qsec is in microseconds
- P2\_FW\_TMR\_START\_NOW force timer start

**RETURN: NONE** 

• void p2\_fw\_bfl\_set\_com\_speed(uint8\_t dri, uint8\_t dsi) – set card communication speed parameters to the reader.

PARAMETERS: dri - DRI parameter to set

dsi - DSI parameter to set

RETURN: NONE

• void p2\_fw\_bfl\_change\_rc523\_baud\_rate (uint32\_t baudrate) – changes the reader UART speed to higher one from the default (9600

PARAMETERS: **baudrate** – the baudrate value (9600 – 12880000) RETURN: NONE

 static void p2fw\_pcd\_utils\_wtx\_cb (phcsBfll3P4\_CbSetWtxParam\_t\* wtx\_param) - a callback for ISO14443-4 layer which sets the new WTX value.

> PARAMETERS: wtx\_param - internal BFL structure RETURN: NONE

### 3.2.2 P2\_fw\_ccid.c

The file contains implementation of the USB CCID 1.1 messages. For every message there is a top and bottom half function.

The following messages are implemented in this file:

ICC Power On

• void p2\_fw\_ccid\_icc\_power\_on\_top\_half (void);

Bool p2\_fw\_ccid\_icc\_power\_on\_bottom\_half (uint8\_t slot\_idx);

ICC Power Off

• void p2\_fw\_ccid\_icc\_power\_off\_top\_half (void);

Bool p2\_fw\_ccid\_icc\_power\_off\_bottom\_half (uint8\_t slot\_idx);

### Get Slot Status

• void p2\_fw\_ccid\_get\_slot\_status\_top\_half (void);

Bool p2\_fw\_ccid\_get\_slot\_status\_bottom\_half (uint8\_t slot\_idx);

### **Get Parameters**

• void p2\_fw\_ccid\_get\_parameters\_top\_half (void);

Bool p2\_fw\_ccid\_get\_parameters\_bottom\_half (uint8\_t slot\_idx);

Set Parameters

• void p2\_fw\_ccid\_set\_parameters\_top\_half (void);

Bool p2\_fw\_ccid\_set\_parameters\_bottom\_half (uint8\_t slot\_idx);

### Escape

• void p2\_fw\_ccid\_escape\_top\_half (void);

Bool p2\_fw\_ccid\_escape\_bottom\_half (uint8\_t slot\_idx);

Please refer to the source code and USB CCID 1.1 documentation for more information.

### 3.2.3 p2\_fw\_ccid\_xfer.c

The file contains implementation of the USB CCID 1.1 XfrBlock message for contact and contactless cards which support APDUs.

The top half is implemented in: void p2\_fw\_ccid\_xfr\_block\_top\_half (void) function.

The bottom half function: **Bool p2\_fw\_ccid\_xfr\_block\_bottom\_half (uint8\_t slot\_idx**) calls the correct sub functions:

### • for contactless cards:

static Bool p2\_fw\_ccid\_xfr\_bh\_l4\_xfer (uint8\_t slot\_idx) – function implements the ISO1444-4 protocol with chaining support, for more details refer to the source file

**Bool p2\_fw\_pcsc\_commands (uint8\_t slot\_idx)** – function implements the APDUs which are part PC/SC

### • for contact cards:

**static Bool p2\_fw\_ccid\_xfr\_bh\_sam (uint8\_t slot\_idx)** – function uses T=1 to exchange data with a contact SAM card, or more details refer to the source file

### 3.2.4 p2\_fw\_demo\_mode.c

The demo mode is a simple demonstration on how to query for a card. The mode performs a selection of an NXP card according to ISO/IEC14443. Depending on the SAK byte of the selected card, the antenna LEDs start blinking and an acoustic signal is generated.

The whole demo mode is implemented as one FreeRTOS task:

**void p2\_fw\_task\_demo\_mode (void \* param)** – main task function which calls the correct sub task according to requested mode:

- use reader chip directly:
  - static void p2\_fw\_task\_demo\_mode\_bfl (void \* param) the flow of this function is as following:
  - 1. set up type ISO/IEC14443-3A card type reading
  - 2. set up communication speed to 106kbps
  - 3. turn on the antenna LEDs
  - 4. enter infinity loop
  - 5. set up timeout for REQA (pool for card) function
  - 6. set up parameters for REQA function
  - 7. execute REQA function
  - 8. if REQA returns error, return to step 5.
  - 9. REQA /ATQA returned success card is in the field
  - 10. set up timeout for AnticollSelect function

AN10993

- 11. set up parameters for AnticollSelect function
- 12. perform AnticollSelect function
- 13. if selection of card is successful, beep according to reported SAK byte:
- if SAK ==  $0x08 \rightarrow$  one time (MIFARE Classic Card 1k)
- if SAK ==  $0x18 \rightarrow two times$  (MIFARE Classic Card 4k)
- if SAK ==  $0x00 \rightarrow$  three times (MIFARE Ultralight/Ultralight C Card)
- if SAK ==  $0x20 \rightarrow$  four times (ISO14443-4 Type Card (MIFARE Plus, MIFARE DESFire, ...))
- 14. halt the card and return to step 5
- use SAM:
  - static void p2\_fw\_task\_demo\_mode\_sam (void \* param) to use the SAM to control the chip, the following steps are required:
  - 1. enter an endless loop (a FreeRTOS requirement)
  - 2. reset the SAM by performing reinitialization
  - 3. check SAM version and correct mode of operation
  - 4. initialize the reader chip by performing Rc\_Init command on SAM

5. after the reader chip has been successfully initialized, set up the RF field by issuing RC\_RF\_Control command

6. activate a card by performing Activate Card command on SAM

7. after successful selection of a card, an acoustic signal is generated as described in the direct reader chip usage step 13.

### 3.2.5 Functions for Direct mode

The following files contain functions for so called direct mode of operation of the Pegoda reader. This mode is meant to be used by the NXPRdLib. Functions found in this file bridge the difference between the NXPRdLib and the old BFL which is used as foundation of the current Pegoda firmware. If you are interested in how this mode works please refer to the source code.

- p2\_fw\_direct\_mode.c
- p2\_fw\_direct\_mode\_cid.c
- p2\_fw\_direct\_mode\_contact\_card.c
- p2\_fw\_direct\_mode\_hal.c
- p2\_fw\_direct\_mode\_key\_store.c
- p2\_fw\_direct\_mode\_l3.c
- p2\_fw\_direct\_mode\_l4a.c
- p2\_fw\_direct\_mode\_l4.c

p2\_fw\_direct\_mode\_ro.c
p2 fw direct mode xchg.c

### 3.2.6 p2\_fw\_err\_and\_nfo\_mode.c

Contains a FreeRTOS task:

**void p2\_fw\_task\_err\_and\_nfo\_loop (void \* param)** – which is used to inform the user of an error or that some action was completed. First the antenna LEDs blinks for five seconds with two blinks per second and then with rate of one blink and one beep per second informs the user of the error or that some action is completed. Please refer to source code file for more information.

### 3.2.7 p2\_fw\_ext\_intf\_serial.c

This file contains implementation of the serial interface (RS232, RS485) for LPC1768 UART for communication with a client. The serial communication can be only used in Direct Mode.

For more information please refer to

- LPC1768 user manual Chapter 15. LPC17xx UART1 [8]
- the source file

### 3.2.8 p2\_fw\_ext\_intf\_usb.c

This file contains implementation of the USB interface (USB CCID 1.1) for communication with a client.

For more information please refer to:

- LPCUSB documentation (http://sourceforge.net/projects/lpcusb/)
- USB CCID 1.1 specification

(http://www.usb.org/developers/devclass\_docs/DWG\_Smart-Card\_CCID\_Rev110.pdf)

• source file

### 3.2.9 p2\_fw\_flash\_utils.c

The p2\_fw\_flash\_utils.c file contains functions which perform actions over the IAP interface of LPC1768. For more information on IAP please refer to NXP LPC1768 User Manual. These actions are:

 static Bool p2\_fw\_flash\_utils\_erase(int sec\_from, int sec\_to) – performs erase of the flash from sec\_from to sec\_to

PARAMETERS: - sec\_from - int - start erase at this sector

- sec\_to - int - stop erase at this sector

RETURN: -TRUE if success

-FALSE if error

 static Bool p2\_fw\_flash\_utils\_flash(int sec, uint8\_t \* buff, int size) – performs flashing of the internal flash

AN10993

PARAMETERS: - sec – int – sector to flash

buff – uint8[] - data to flash

- size – int – size of buff (should be 128, 512 or 1024)

RETURN: - TRUE if success

- FALSE if error

 Bool p2\_fw\_flash\_read\_serial(uint32\_t \* sernum) – returns the CPU serial PARAMETERS: - sernum – uint32\_t \* - pointer to a uint32\_t for storing the read CPU serial number

RETURN: - TRUE if success

- FALSE if error

### 3.2.10 p2\_fw\_main.c

The firmware starts in this file. In the main loop (int main()), initialization of hardware and software parts of the firmware are performed:

1. first we set up hardware (see p2\_fw\_reader.c for more information about setting up hardware)

2. then we initialize the debugging framework – this depends on type of build that we are building

3. next come reading the configuration from DIP switches and flash (see p2\_fw\_reader.c for more information about reading configuration)

4. now we can setup the external interface

5. now we have to set up FreeRTOS queue – used for communication between top bottom halfs and semaphore for protecting access to reader chip – so that we do not use it from two tasks at the same time

6. next we try to set up the reader chip

7. if we find a supported chip we set up the correct tasks for particular mode – if not found we enter into error and information task with correct error code

8. next we have to start the FreeRTOS scheduler (please refer to FreeRTOS documentation for more information) and loop forever

For more detailed information please refer to the source code file.

### 3.2.11 p2\_fw\_pcsc\_ext.c

In this file we implement PC/SC extensions for memory cards. The implemented commands are:

- Get Data see static Bool p2\_fw\_pcsc\_ext\_cmd\_get\_data(uint8\_t slot\_idx);
- Load Keys see static Bool p2\_fw\_pcsc\_ext\_cmd\_load\_key(uint8\_t slot\_idx);
- General Authenticate see static Bool p2\_fw\_pcsc\_ext\_cmd\_auth(uint8\_t slot\_idx);
- Read Binary see static Bool p2\_fw\_pcsc\_ext\_cmd\_read\_bin(uint8\_t slot\_idx);

Update Binary – see static Bool p2\_fw\_pcsc\_ext\_cmd\_update\_bin(uint8\_t slot\_idx);

For more information please refer to the source file.

### 3.2.12 p2\_fw\_pcsc\_mode.c

This file contains functions related to PC/SC mode of operation by Pegoda 2 reader. We define two FreeRTOS tasks:

### void p2\_fw\_task\_pcsc\_execute (void \* param)

This task provides executions of bottom halfs which are scheduled by top halfs. Most of time this task blocks on a queue waiting for interrupts to schedule a bottom half which is then executed by this task.

void p2\_fw\_task\_pcsc\_poll\_and\_act\_loop (void \* param)

This task provides polling and activation mechanism required by the PC/SC specification and it is split in three parts:

- main polling and ISO14443-3A activation (found in this function)
- ISO14443-4A activation function (see static Bool p2\_fw\_task\_int\_do\_l4 (uint8\_t \* atq, phcsBfll3P3A\_AnticollSelectParam\_t \* ans\_p))
- existing cards polling function (see static void p2\_fw\_task\_int\_do\_poll (void))

Please refer to the source file for more information.

### 3.2.13 p2\_fw\_reader.c

In this file we initialize the hardware parts of the Pegoda 2 reader:

- void p2\_fw\_reader\_setup\_hardware(void) function:
  - 1. runs SystemInit() function provided by the CMSIS library
  - 2. sets the Interrupt Vector table pointer to the correct address
  - 3. sets up the pin function of used GPIOs first the DIP switches, next configuration pins and lastly LEDs and beeper pin

4. next we set the correct direction and initial value (only for output pins) for this pins

• void p2\_fw\_reader\_read\_config(void) function reads the value of the DIP switches and stores a local copy of it

• **void p2\_fw\_reader\_set\_up\_external\_interface (void)** function sets up the correct external interface according to the configuration that was set by DIP switches

• **Bool p2\_fw\_reader\_set\_up\_reader\_chip(void)** function checks if the set configuration is possible – if it can find the correct reader chip and/or SAM – and sets up the old BFL if needed

Please refer to the source code for more information.

### 3.2.14 p2\_fw\_sam\_t1.c

This file contains implementation of the ISO/IEC 7816/3 standard:

• void p2\_fw\_sam\_t1\_init(uint8\_t chip, uint8\_t mode) – initialize the processors I/O pins according to chip and mode parameter to work with SAM card.

PARAMETERS: chip - P2\_FW\_READER\_CHIP\_RC523 or

P2\_FW\_READER\_CHIP\_SAM

mode - P2\_FW\_READER\_MODE\_SAM\_IN\_X or

P2\_FW\_READER\_MODE\_SAM\_NON\_X

- void p2\_fw\_sam\_t1\_start(void) it perform activation sequence according ISO 7816-3:2006 (Figure 1). The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the ATR of inserted SAM card with p2\_fw\_sam\_t1\_get\_atr.
- void p2\_fw\_sam\_t1\_deinit(void) the function perform Deactivation sequence according to ISO 7816/3:2006 (Figure 6).
- void p2\_fw\_sam\_t1\_warm\_reset(void) the function perform warm reset according to ISO 7816-3:2006 (Figure 1). The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the ATR of inserted SAM card with p2\_fw\_sam\_t1\_get\_atr.
- void p2\_fw\_sam\_t1\_send(uint8\_t \*data, uint32\_t len, uint8\_t frame\_type) The function sends len bytes of data to SAM.

PARAMETERS: data - uint8\_t \* - pointer to data to send

len – uint32\_t – length of data to send

frame\_type:

- **P2\_FW\_SAM\_FRAME\_APDU** the function prepends NAD, PCB and LEN bytes, and appends LRC to data parameter (according ISO 7816-3:2006).
- **P2\_FW\_SAM\_FRAME\_T1** the function just send data to SAM card.

The function returns immediately but the user should wait until the module is busy (see p2\_fw\_sam\_t1\_is\_busy) then he can read the response with p2\_fw\_sam\_t1\_receive.

 uint32\_t p2\_fw\_sam\_t1\_receive(uint8\_t \*data, uint8\_t frame\_type) – the function returns the number of bytes received from SAM card. If frame\_type equals P2\_FW\_SAM\_FRAME\_APDU only the INF field is returned.

PARAMETERS: data - uint8\_t \* - pointer to received data

frame\_type - uint8\_t - frame type

RETURN: number of bytes received

- Bool p2\_fw\_sam\_t1\_is\_busy(void) the function return true if the SAM module is busy and false otherwise.
- void p2\_fw\_sam\_t1\_get\_atr(uint8\_t \* buffer, uint8\_t \*max\_length) the function returns ATR of currently inserted SAM card.

PARAMETERS: buffer - uint8\_t \* - buffer in which to store ATR

max\_length – uint8\_t \* - the size of the buffer/length of ATR (on return)

 void p2\_fw\_sam\_t1\_set\_etu(uint8\_t fi\_di) – function sets the module's internal etu according to fi\_di parameter. fi\_di is encoded as TA1 of ATR (ISO 7816/3:2006; 8.3).

The module uses TIMER0, TIMER2, GPIO falling edge interrupt on SAM's I/O pin and PWM0 for SAM's CLK pin. When the user calls *p2\_fw\_sam\_t1\_start* or *p2\_fw\_sam\_t1\_warm\_reset* the SAM card is in reset state and after 400 clocks (ISO 7816-3:2006) the TIME0 interrupt triggers and sets the RST pin high. Then the module is in read state and waits for GPIO failing edge interrupt (start bit). After receiving start bit TIMER0 is used to capture data bits and parity bit. TIMER2 is used to timeout if no start bit is received. All that time the function *p2\_fw\_sam\_t1\_is\_busy* returns true. For sending data to SAM, TIMER0 is used to shift each bit to I/O pin. When the answer is received the module is not busy anymore and it can be read with *p2\_fw\_sam\_t1\_receive* function.

### 3.2.15 p2\_fw\_slots.c

We define multiple slots in which cards can reside. At one time you can use only one ISO144443 card or fourteen ISO14443 cards. Every card has its own communication settings and this are stored in a slot. All slot and CID management functions can be found in this source file:

- void p2\_fw\_slots\_init(void) initialize slots and prepare them for work
- Bool p2\_fw\_slots\_free\_cid (uint8\_t cid) frees occupied CID channel for ISO14443-4 communication

PARAMETERS: cid – uint8\_t – CID channel to free

- RETURN: TRUE if success, FALSE in case of ERROR
- Bool p2\_fw\_slots\_get\_free\_cid (uint8\_t \* cid) returns a free CID channel for ISO14443-4 communication

PARAMETERS: cid - uint8\_t \* - pointer to uint8\_t where to store CID channel

RETURN: TRUE if success, FALSE in case of ERROR

 Bool p2\_fw\_slots\_get\_free\_slot (uint8\_t \* slot) – returns a free slot to store a card (CID channel and slot index are two different things and should not be mixed up)

PARAMETERS: slot – uint8\_t \* - pointer to uint8\_t where to store slot index

RETURN: TRUE if success, FALSE in case of ERROR

• Bool p2\_fw\_slots\_add\_new\_I4\_card (phcsBfII3P4AAct\_RatsParam\_t \* rat\_p, uint8\_t cid\_index, uint8\_t sak, uint8\_t \* atq, uint8\_t \* uid, uint8\_t uid\_len) – adds a new ISO14443-4 card to a slot

PARAMETERS:

- rat\_p phcsBfll3P4AAct\_RatsParam\_t \* pointer to RATS structure used for card activation
- cid\_index uint8\_t CID channel used for communication

AN10993

- sak uint8\_t SAK that card returned at ISO14443-3A activation
- atq uint8\_t \* pointer to buffer containing ATQ
- uid uint8\_t \* pointer to buffer containing UID
- uid\_len uint8\_t uid buffer length
- RETURN: TRUE if success, FALSE in case of ERROR
  - Bool p2\_fw\_slots\_add\_new\_l3\_card (uint8\_t sak, uint8\_t \* atq, uint8\_t \* uid, uint8\_t uid\_len) – adds a new ISO14443-3 card to a slot

PARAMETERS:

- sak uint8\_t SAK that card returned at ISO14443-3A activation
- atq uint8\_t \* pointer to buffer containing ATQ
- uid uint8\_t \* pointer to buffer containing UID
- uid\_len uint8\_t uid buffer length
- RETURN: TRUE if success, FALSE in case of ERROR
- Bool p2\_fw\_slots\_add\_new\_sam\_card (void) adds a new SAM to a slot

PARAMETERS: NONE

RETURN: TRUE if success, FALSE in case of ERROR

• Bool p2\_fw\_slots\_is\_known\_l3\_card (uint8\_t \* uid, uint8\_t uid\_len) - check if the card is already occupying a slot

PARAMETERS:

- uid uint8\_t \* pointer to buffer containing UID
- uid\_len uint8\_t uid buffer length
- RETURN: TRUE if success, FALSE in case of ERROR
- Bool p2\_fw\_slots\_get\_atr (uint8\_t slot\_index, uint8\_t \* buffer, uint8\_t \*max\_length) – returns an ATR for a particular slot (by calling p2\_fw\_slots\_atr\_l4\_cards or p2\_fw\_slots\_atr\_l3\_card function)

### PARAMETERS:

- slot\_index uint8\_t index of the slot for which we would like to get ATR
- buffer uint8\_t \* pointer where to save the ATR
- max\_length maximum length of the ATR that can be stored to the buffer
- RETURN: TRUE if success, FALSE in case of ERROR
- static Bool p2\_fw\_slots\_atr\_I4\_cards (uint8\_t slot\_index, uint8\_t \* buffer, uint8\_t \*max\_length) – returns correctly formatted ATR for ISO14443-4 type card

PARAMETERS:

- slot\_index uint8\_t index of the slot for which we would like to get ATR
- buffer uint8\_t \* pointer where to save the ATR
- max\_length maximum length of the ATR that can be stored to the buffer
- RETURN: TRUE if success, FALSE in case of ERROR

 static Bool p2\_fw\_slots\_atr\_I3\_cards (uint8\_t slot\_index, uint8\_t \* buffer, uint8\_t \*max\_length) – returns correctly formatted ATR for ISO14443-3 type card

PARAMETERS:

- slot\_index uint8\_t index of the slot for which we would like to get ATR
- buffer uint8\_t \* pointer where to save the ATR
- max\_length maximum length of the ATR that can be stored to the buffer
- RETURN: TRUE if success, FALSE in case of ERROR
- void p2\_fw\_slots\_remove\_card (uint8\_t slot\_index) removes card from a slot PARAMETERS:
  - $\bullet$  slot\_index uint8\_t index of the slot from which we would like to remove the card

RETURN: NONE

Please refer to the source code for more information.

### 3.2.16 p2\_fw\_timing\_com.c

This file contains functions for timing of operations. The supported timing modes are:

- FTD frame time delay time between the end or transmission to the card and start of reply (this time is calculated from the RC523 timer)
- COM whole command time from start of the command until the end (this time is calculated by using LPC1768 timer TIM1)

Please refer to the source code for more information.

### 3.2.17 p2\_fw\_utils.c

Contains simple helpful functions:

- uint8\_t p2\_fw\_utils\_get\_dri(uint8\_t ta1) returns DRI parameter from cards ATS PARAMETERS: ta1 – cards ATSs TA1
- uint8\_t p2\_fw\_utils\_get\_dsi(uint8\_t ta1) returns DSI parameter from cards ATS

PARAMETERS: ta1 - cards ATSs TA1

- void p2\_fw\_utils\_blink(int count) blinks antenna LEDs count times PARAMETERS: count – times to blink the antenna LEDs
- void p2\_fw\_utils\_field\_off (void) turns off the RF field
- void p2\_fw\_utils\_field\_on (uint16\_t wFiledRecoveryTime) turns on the RF field

PARAMETERS: wFiledRecoveryTime - time to wait fro field to settle

 void p2\_fw\_utils\_reg\_write (uint8\_t addr, uint8\_t val) – write to a RC523 register

PARAMETERS: addr – uint8\_t – register address

© NXP B.V. 2011. All rights reserved.

AN10993

value - uint8\_t - value to write

 void p2\_fw\_utils\_reg\_read (uint8\_t addr, uint8\_t \* val) – read from RC523 register

PARAMETERS: addr – uint8\_t – register address

value - uint8\_t \* - pointer to store the value

# 4. Code execution overview

### 4.1 Initialization

On entry, after main we first setup the hardware by calling:

void p2\_fw\_reader\_setup\_hardware(void);

in *src/p2\_fw\_reader.c*. This function initializes the ARM CMSIS library and sets up hardware.

Next we setup the slots with a call to:

void p2\_fw\_slots\_init(void);

Now we are ready to read configuration – this configuration tells the currently set operating mode of the Pegoda.

void p2\_fw\_reader\_read\_config(void);

Now that we have read the configuration we can set up the external interface defined by PINs connected to DIP switch 3 and 4 by calling:

void p2\_fw\_reader\_set\_up\_external\_interface (void);

Depending on the configuration the correct interface is initialized:

USB:

void p2\_fw\_usb\_init\_usb(void);

• serial (RS232 and RS485):

void p2\_fw\_usb\_init\_serial(void);

• ethernet:

void p2\_fw\_usb\_init\_ethernet(void);

Now we need to initialize the timer for timing services by calling:

void p2\_fw\_timing\_init(void);

Now we only have to set up the reader chip by calling:

Bool p2\_fw\_reader\_set\_up\_reader\_chip(void);

This function – depending on the configuration and chip type – initializes the correct subsystems.

Initialization can be performed on BFL or/and SAM depending on configuration.

For initialization of the BFL we call:

Bool p2\_fw\_bfl\_init (void);

For SAM initialization we have to call the correct sequence of:

void p2\_fw\_sam\_t1\_init(uint8\_t chip, uint8\_t mode);

© NXP B.V. 2011. All rights reserved.

void p2\_fw\_sam\_t1\_start(void); Bool p2\_fw\_sam\_t1\_is\_busy(void); Bool p2\_fw\_sam\_t1\_is\_sam\_inserted(void) void p2\_fw\_sam\_t1\_deinit(void);

Now we can check which mode is requested and start the correct tasks for it.

**Application note** 

COMPANY PUBLIC

### Pegoda Software Design Guide

# 5. Legal information

## 5.1 Definitions

**Draft** — The document is a draft version only. The content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included herein and shall have no liability for the consequences of use of such information.

# 5.2 Disclaimers

Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information.

In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory.

Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors' aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

**Right to make changes** — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in medical, military, aircraft, space or life support equipment, nor in applications where failure or malfunction of a NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors accepts no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer's own risk.

**Applications** — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification.

NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on a weakness or default in the customer application/use or the application/use of customer's third party customer(s) (hereinafter both referred to as "Application"). It is customer's sole responsibility to check whether the NXP Semiconductors product is suitable and fit for the Application planned. Customer has to do all necessary testing for the Application in order to avoid a default of the Application and the product. NXP Semiconductors does not accept any liability in this respect.

**Export control** — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from national authorities.

# 5.3 Licenses

Purchase of NXP ICs with ISO/IEC 14443 type B functionality



This NXP Semiconductors IC is ISO/IEC 14443 Type B software enabled and is licensed under Innovatron's Contactless Card patents license for ISO/IEC 14443 B.

The license includes the right to use the IC in systems and/or end-user equipment.

RATP/Innovatron Technology

# 5.4 Trademarks

Notice: All referenced brands, product names, service names and trademarks are property of their respective owners.

MIFARE — is a trademark of NXP B.V.

Application note

COMPANY PUBLIC

# 6. Index

### Pegoda Software Design Guide

# 7. List of figures

| Fig 1. | Flowchart                        | 3  |
|--------|----------------------------------|----|
| Fig 2. | No SAM configuration             | 7  |
| Fig 3. | SAM in non X configuration       | 7  |
| Fig 4. | SAM in X-mode configuration      | 8  |
| Fig 5. | Firmware source files In project | 14 |

Application note COMPANY PUBLIC

# 8. List of tables

### Pegoda Software Design Guide

# 9. Contents

| 1.     | Introduction3                              |
|--------|--------------------------------------------|
| 1.1    | Scope                                      |
| 1.2    | Audience4                                  |
| 1.3    | Applicable documents or references4        |
| 1.4    | Acronyms and abbreviations4                |
| 2.     | Functional overview and mode of operation5 |
| 2.1    | Demo mode5                                 |
| 2.2    | PC/SC Mode6                                |
| 2.2.1  | No SAM mode7                               |
| 2.2.2  | SAM in non X-mode7                         |
| 2.2.3  | SAM in X-mode8                             |
| 2.2.4  | The Interrupt Driven Part8                 |
| 2.2.5  | Standard Submode10                         |
| 2.2.6  | Direct Submode10                           |
| 2.3    | Overwrite Configuration Mode12             |
| 2.4    | Enter Secondary Bootloader Mode12          |
| 3.     | Library and source code overview13         |
| 3.1    | Architecture of the Pegoda 2 Firmware13    |
| 3.2    | Description of firmware code14             |
| 3.2.1  | P2_fw_bfl.c14                              |
| 3.2.2  | P2_fw_ccid.c16                             |
| 3.2.3  | p2_fw_ccid_xfer.c17                        |
| 3.2.4  | p2_fw_demo_mode.c17                        |
| 3.2.5  | Functions for Direct mode18                |
| 3.2.6  | p2_fw_err_and_nfo_mode.c19                 |
| 3.2.7  | p2_fw_ext_intf_serial.c19                  |
| 3.2.8  | p2_fw_ext_intf_usb.c19                     |
| 3.2.9  | p2_fw_flash_utils.c19                      |
| 3.2.10 | p2_fw_main.c20                             |
| 3.2.11 | p2_fw_pcsc_ext.c20                         |
| 3.2.12 | p2_fw_pcsc_mode.c21                        |
| 3.2.13 | p2_fw_reader.c21                           |
| 3.2.14 | p2_fw_sam_t1.c22                           |
| 3.2.15 | p2_fw_slots.c23                            |
| 3.2.16 | p2_fw_timing_com.c25                       |
| 3.2.17 | p2_fw_utils.c25                            |
| 4.     | Code execution overview26                  |
| 4.1    | Initialization26                           |
| 5.     | Legal information28                        |
| 5.1    | Definitions28                              |
| 5.2    | Disclaimers28                              |
| 5.3    | Licenses28                                 |
| 5.4    | Trademarks28                               |
| 6.     | Index29                                    |
| 7.     | List of figures                            |
|        |                                            |

Please be aware that important notices concerning this document and the product(s) described herein, have been included in the section 'Legal information'.

### © NXP B.V. 2011.

### All rights reserved.

For more information, please visit: http://www.nxp.com For sales office addresses, please send an please send an email to: salesaddresses@nxp.com

> Date of release: 21 March 2011 196110 Document identifier: AN10993