ACR3801 PC-linked Smart Card Reader FIPS 201 Certified Reference Manual V2.01 Subject to change without prior notice info@acs.com.hk www.acs.com.
Table of Contents 1.0. Introduction ............................................................................................................. 4 1.1. 1.2. Reference Documents ........................................................................................................... 4 Symbols and Abbreviations ................................................................................................... 4 2.0. Features .............................................................................
List of Tables Table 1 : Symbols and Abbreviations ..................................................................................................... 4 Table 2 : USB Interface Wiring ............................................................................................................... 9 Table 3 : Supported Card Types .......................................................................................................... 61 Table 4 : Response Error Codes ........................................
1.0. Introduction ACR3801 Smart Card Reader acts as a communication interface between a computer and a smart card. Different types of smart cards have different commands and different communication protocols, which prevents in most cases, the direct communication between a smart card and a computer. The ACR3801 Smart Card Reader establishes a uniform interface from the computer to the smart card for a wide variety of cards.
2.0. Features • USB 2.0 Full Speed Interface • Plug-and-Play – CCID support brings utmost mobility • Smart Card Reader: • o Supports ISO 7816 Class A, B and C (5 V, 3 V, 1.
3.0. Supported Card Types 3.1. MCU Cards ACR3801 is a PC/SC compliant smart card reader that supports ISO 7816 Class A, B and C (5 V, 3 V, and 1.8 V) smart cards. It also works with MCU cards following either the T=0 and T=1 protocol. The card ATR indicates the specific operation mode (TA2 present; bit b5 of TA2 must be 0) and when that particular mode is not supported by ACR3801, the reader will reset the card to a negotiable mode.
4.0. Smart Card Interface The interface between the ACR3801 and the inserted smart card follows the specification of ISO 7816-3 with certain restrictions or enhancements to increase the practical functionality of ACR3801. 4.1. Smart Card Power Supply VCC (C1) The current consumption of the inserted card must not be higher than 50 mA. 4.2. Programming Voltage VPP (C6) According to ISO 7816-3, the smart card contact C6 (VPP) supplies the programming voltage to the smart card.
5.0. Power Supply ACR3801 requires a voltage of 5 V DC, 100 mA, regulated, power supply. ACR3801 gets the power supply from the computer (through the cable supplied along with each type of reader). 5.1. Status LED The LED indicates the activation status of the smart card interface: • Flashing slowly (turns on 200 ms for every 2 seconds) Indicates ACR3801 is powered up and in the standby state. Either the smart card has not been inserted or the smart card has not been powered up (if it is inserted).
6.0. USB Interface 6.1. Communication Parameters ACR3801 is connected to a computer through USB as specified in the USB Specification 2.0. ACR3801 is working in full speed more, i.e. 12 Mbps.
7.0. Communication Protocol ACR3801 shall interface with the host through the USB connection. A specification, namely CCID, has been released within the industry defining such a protocol for the USB chip-card interface devices. CCID covers all the protocols required for operating smart cards. The configurations and usage of USB endpoints on ACR3801 shall follow CCID Section 3. An overview is summarized below: 1. Control Commands are sent on control pipe (default pipe).
Offset Field Size Value Description 40 dwFeatures 4 00010030h ACR3801 supports the following features: Automatic ICC clock frequency change according to parameters Automatic baud rate change according to frequency and FI,DI parameters TPDU level change with ACR3801 44 dwMaxCCIDMessageLength 4 0000010Fh Maximum message length accepted by ACR3801 is 271 bytes 48 bClassGetResponse 1 00h Insignificant for TPDU level exchanges 49 bClassEnvelope 1 00h Insignificant for TPDU level exchanges
8.0. Commands 8.1. CCID Command Pipe Bulk-OUT Messages ACR3801 shall follow the CCID Bulk-OUT Messages as specified in CCID Section 4. In addition, this specification defines some extended commands for operating additional features. This section lists the CCID Bulk-OUT Messages to be supported by ACR3801. 8.1.1. PC_to_RDR_IccPowerOn Activates the card slot and returns ATR from the card.
8.1.2. PC_to_RDR_IccPowerOff Deactivates the card slot. Offset Field Size Value Description 0 bMessageType 1 63h - 1 dwLength 4 00000000h Size of extra bytes of this message 5 bSlot 1 - Identifies the slot number for this command 6 bSeq 1 - Sequence number for command 7 abRFU 3 - Reserved for future use The response to this message is the RDR_to_PC_SlotStatus message. Page 13 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.1.3. PC_to_RDR_GetSlotStatus Gets current status of the slot. Offset Field Size Value Description 0 bMessageType 1 65h - 1 dwLength 4 00000000h Size of extra bytes of this message 5 bSlot 1 - Identifies the slot number for this command 6 bSeq 1 - Sequence number for command 7 abRFU 3 - Reserved for future use The response to this message is the RDR_to_PC_SlotStatus message. Page 14 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.1.4. PC_to_RDR_XfrBlock Transfers data block to the ICC. Offset Field Size Value Description 0 bMessageType 1 6Fh - 1 dwLength 4 - Size of abData field of this message 5 bSlot 1 - Identifies the slot number for this command 6 bSeq 1 - Sequence number for command Used to extend the CCIDs Block Waiting Timeout for this current transfer. The CCID will timeout the block after “this number multiplied by the Block Waiting Time” has expired.
8.1.5. PC_to_RDR_GetParameters Gets slot parameters. Offset Field Size Value Description 0 bMessageType 1 6Ch - 1 DwLength 4 00000000h Size of extra bytes of this message 5 BSlot 1 - Identifies the slot number for this command 6 BSeq 1 - Sequence number for command 7 AbRFU 3 - Reserved for future use The response to this message is the RDR_to_PC_Parameters message. Page 16 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.1.6. PC_to_RDR_ResetParameters Resets slot parameters to default value. Offset Field Size Value Description 0 bMessageType 1 6Dh - 1 DwLength 4 00000000h 5 BSlot 1 - Identifies the slot number for this command 6 BSeq 1 - Sequence number for command 7 AbRFU 3 - Reserved for future use Size of extra bytes of this message The response to this message is the RDR_to_PC_Parameters message. Page 17 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.1.7. PC_to_RDR_SetParameters Sets slot parameters.
Protocol Data Structure for Protocol T=1 (dwLength=00000007h) Offset 10 Field bmFindexDindex Size 1 Value Description - B7-4 – FI – Index into the table 7 in ISO/IEC 7816-3:1997 selecting a clock rate conversion factor B3-0 – DI - Index into the table 8 in ISO/IEC 7816-3:1997 selecting a baud rate conversion factor 11 BmTCCKST1 1 - B7-2 – 000100b B0 – Checksum type (b0=0 for LRC, b0=1 for CRC B1 – Convention used (b1=0 for direct, b1=1 for inverse) Note: The CCID ignores this bit.
8.2. CCID Bulk-IN Messages The Bulk-IN messages are used in response to the Bulk-OUT messages. ACR3801 shall follow the CCID Bulk-IN Messages as specified in CCID Section 4. This section lists the CCID Bulk-IN Messages to be supported by ACR3801. 8.2.1. RDR_to_PC_DataBlock This message is sent by ACR3801 in response to PC_to_RDR_IccPowerOn, PC_to_RDR_XfrBlock and PC_to_RDR_Secure messages.
8.2.2. RDR_to_PC_SlotStatus This message is sent by ACR3801 in response to PC_to_RDR_IccPowerOff, PC_to_RDR_GetSlotStatus, PC_to_RDR_Abort messages and Class specific ABORT request. Offset Field Size Value Description 0 bMessageType 1 81h - 1 dwLength 4 00000000h 5 bSlot 1 - Same value as in Bulk-OUT message 6 bSeq 1 - Same value as in Bulk-OUT message 7 bStatus 1 - Slot status register as defined in CCID Section 4.2.
8.2.3. RDR_to_PC_Parameters This message is sent by ACR3801 in response to PC_to_RDR_GetParameters, PC_to_RDR_ResetParameters and PC_to_RDR_SetParameters messages. Offset Field Size Value Description 0 bMessageType 1 82h - 1 dwLength 4 - Size of extra bytes of this message 5 bSlot 1 - Same value as in Bulk-OUT message 6 bSeq 1 - Same value as in Bulk-OUT message 7 bStatus 1 - Slot status register as defined in CCID Section 4.2.
8.3. Memory Card Command Set This section contains the Memory Card Command Set for ACR3801. 8.3.1. Recollection Card – 1, 2, 4, 8 and 18 Kbit I2C Card 8.3.1.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specification.
Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error 8.3.1.3.
SW1 SW2 Where: SW1 SW2 = 90 00h if no error Page 25 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.3.2. Memory Card – 32, 64, 128, 256, 512, and 1024 Kbit I2C Card 8.3.2.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
Where: SW1 SW2 = 90 00h if no error 8.3.2.3.
Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error Page 28 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.3.3. Memory Card – ATMEL AT88SC153 8.3.3.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. It will also select the page size to be 8-byte page write. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
8.3.3.3. WRITE_MEMORY_CARD Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS FFh P1 Byte Address MEM_L Byte 1 .... ....
Response Data Format (abData field in the RDR_to_PC_DataBlock) SW2 ErrorCnt SW1 90h Where: SW1 = 90h SW2 (ErrorCnt) = Error Counter. FFh indicates the verification is correct. 00h indicates the password is locked (or exceeded the maximum number of retries). Other values indicate the current verification has failed. 8.3.3.5.
8.3.4. Memory Card – ATMEL AT88C1608 8.3.4.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. It will also select the page size to be 16-byte page write. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
SW1 SW2 8.3.4.3.
Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 ErrorCnt 90h Where: SW1 = 90h SW2 (ErrorCnt) = Error Counter. FFh indicates the verification is correct. 00h indicates the password is locked (or exceeded the maximum number of retries). Other values indicate the current verification has failed. 8.3.4.5.
Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error Page 35 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.3.5. Memory Card – SLE 4418/SLE 4428/SLE 5518/SLE 5528 8.3.5.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
8.3.5.3. READ_PRESENTATION_ERROR_COUNTER_MEMORY_CARD 4428 and SLE 5528) (SLE This command is used to read the presentation error counter for the secret code. Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 P2 MEM_L FFh B1h 00h 00h 03h Response Data Format (abData field in the RDR_to_PC_DataBlock) ERRCNT DUMMY 1 DUMMY 2 SW1 SW2 Where: ERRCNT Error Counter. FFh indicates that the last verification is correct.
Response Data Format (abData field in the RDR_to_PC_DataBlock) PROT 1 … … PROT L SW1 SW2 Where: PROT y Bytes containing the protection bits SW1 SW2 = 90 00h if no error The arrangement of the protection bits in the PROT bytes is as follows: PROT 1 P8 P7 P6 P5 P4 PROT 2 P3 P2 P1 P16 P15 P14 P13 P12 … P11 P10 P9 .. .. .. .. .. .. P18 P17 Px is the protection bit of BYTE x in the response data ‘0’ byte is write protected ‘1’ byte can be written 8.3.5.5.
Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS FFh D1h Byte Address MSB LSB MEM_L Byte 1 .... .... Byte N Where: MSB Byte Address = 0000 00A9A8b is the memory address location of the memory card LSB Byte Address = A7A6A5A4 A3A2A1A0b is the memory address location of the memory card MEM_L Length of data to be written to the memory card Byte x Byte values to be compared with the data in the card starting at Byte Address.
Where: SW1 = 90h SW2 (ErrorCnt) = Error Counter. FFh indicates successful verification. 00h indicates that the password is locked (or exceeded the maximum number of retries). Other values indicate that current verification has failed. Page 40 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.3.6. Memory Card – SLE 4432/SLE 4442/SLE 5532/SLE 5542 8.3.6.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
8.3.6.3. READ_PRESENTATION_ERROR_COUNTER_MEMORY_CARD 4442 and SLE 5542) (SLE This command is used to read the presentation error counter for the secret code. Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 P2 MEM_L FFh B1h 00h 00h 04h Response Data Format (abData field in the RDR_to_PC_DataBlock) ERRCNT DUMMY 1 DUMMY 2 DUMMY 3 SW1 SW2 Where: ERRCNT Error counter. 07h indicates that the last verification is correct.
‘0’ byte is write protected ‘1’ byte can be written 8.3.6.5. WRITE_MEMORY_CARD Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 FFh D0h 00h Byte Address MEM_L Byte 1 .... ....
Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error 8.3.6.7. PRESENT_CODE_MEMORY_CARD (SLE 4442 and SLE 5542) To submit the secret code to the memory card to enable the write operation with the SLE 4442 and SLE 5542 card, the following actions are executed: 1. Search a ‘1’ bit in the presentation error counter and write the bit to ‘0’. 2. Present the specified code to the card. 3. Try to erase the presentation error counter.
Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CODE CLA INS P1 P2 MEM_L FFh D2h 00h 01h 03h Byte 1 Byte 2 Byte 3 Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error Page 45 of 62 ACR3801 – Reference Manual Version 2.01 info@acs.com.hk www.acs.com.
8.3.7. Memory Card – SLE 4406/SLE 4436/SLE 5536/SLE 6636 8.3.7.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
command data field: a) Write The byte value specified in the command is written to the specified address. This command can be used for writing personalization data and counter values to the card. b) Write with carry The byte value specified in the command is written to the specified address and the command is sent to the card to erase the next lower counter stage. Thus, this write mode can only be used for updating the counter value in the card.
8.3.7.4. PRESENT_CODE_MEMORY_CARD To submit the secret code to the memory card to enable the card personalization mode, the following actions are executed: 1. Search a '1' bit in the presentation counter and write the bit to '0'. 2. Present the specified code to the card. ACR3801 does not try to erase the presentation counter after the code submission. This must be done by the application software through a separate ‘Write with carry' command.
Step 1: Send Authentication Certificate to the Card Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 P2 MEM_L FFh 84h 00h 00h 08h CODE KEY CLK_CNT Byte 1 Byte 2 …… Byte 5 Byte 6 Where: KEY Key to be used for the computation of the authentication certificate: 00h: Key 1 with no cipher block chaining 01h: Key 2 with no cipher block chaining 80h: Key 1 with cipher block chaining (SLE 5536 and SLE 6636 only) 81h: Key 2 with cipher block chaining (SLE 5536 and SLE
8.3.8. Memory Card – SLE 4404 8.3.8.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
bits can only be programmed from '1' to '0'. Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 FFh D0h 00h Byte Address MEM_L Byte 1 … … Byte N Where: Byte Address = Memory address location of the memory card MEM_L Length of data to be written to the memory card BYTE Byte value to be written to the card Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error 8.3.8.4.
8.3.8.5. VERIFY_USER_CODE This command is used to submit User Code (2 bytes) to the inserted card. User Code is to enable the memory access of the card. The following actions are executed: 1. Present the specified code to the card. 2. Search a '1' bit in the presentation error counter and write the bit to '0'. 3. Erase the presentation error counter. The User Error Counter can be erased when the submitted code is correct.
Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CODE CLA INS Error Counter LEN Byte Address MEM_L FFh 20h 40h 28h 04h Byte 1 Byte 2 Byte 3 Byte 4 Where: Error Counter LEN Length of presentation error counter in bits Byte Address Byte address of the key in the card CODE 4 bytes Memory Code Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error = 63 00h if there are no more retries Note: After SW1SW2 = 0x9000h has
8.3.9. Memory Card – AT88SC101/AT88SC102/AT88SC1003 8.3.9.1. SELECT_CARD_TYPE This command powers down and up the selected card that is inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
bits can only be programmed from '1' to '0'. Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 FFh D0h 00h Byte Address MEM_L Byte 1 .... .... Byte N Where: Byte Address Memory address location of the memory card MEM_L Length of data to be written to the memory card BYTE Byte value to be written to the card Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error 8.3.9.4.
Where: SW1 SW2 = 90 00h if no error 8.3.9.5. ERASE_APPLICATION_ZONE_WITH_ERASE This command can be used in the following cases: 1. AT88SC101: To erase the data in Application Zone with EC Function Disabled. 2. AT88SC102: To erase the data in Application Zone 1. 3. AT88SC102: To erase the data in Application Zone 2 with EC2 Function Disabled. 4. AT88SC1003: To erase the data in Application Zone 1. 5. AT88SC1003: To erase the data in Application Zone 2 with EC2 Function Disabled. 6.
MEM_L Length of the Erase Key. Please refer to the table above for the correct value. CODE N bytes of Erase Key Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error Note: After SW1SW2 = 0x9000h has been received, read back the data in Application Zone to check if the ERASE_APPLICATION_ZONE_WITH_ERASE is correct. If all data in Application Zone is erased and is equal to “0xFFh,” the previous verification is successful. 8.3.9.6.
CODE 4 bytes Erase Key Response Data Format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1 SW2 = 90 00h if no error = 63 00h if there are no more retries Note: After SW1SW2 = 0x9000h has been received, read back the data in Application Zone can check whether the ERASE_APPLICATION_ZONE_WITH_WRITE_AND_ERASE is correct. If all data in Application Zone is erased and is equal to “0xFFh,” the previous verification is successful. 8.3.9.7.
8.3.9.8. BLOWN_FUSE This command is used to blow the fuse of the inserted card. The fuse can be EC_EN Fuse, EC2EN Fuse, Issuer Fuse or Manufacturer’s Fuse. Note: The blowing of fuse is an irreversible process. Command Format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CODE CLA INS Error Counter LEN Byte Address MEM_L FFh 05h 00h 00h 04h Fuse Bit Addr (High) Fuse Bit Addr (Low) State of FUS Pin State of RST Pin 01h 00h or 01h Where: Fuse Bit Addr (2 bytes) Bit address of the fuse.
8.4. Other Commands Access via PC_to_RDR_XfrBlock 8.4.1. GET_READER_INFORMATION This command returns relevant information about ACR3801 and the current operating status, such as, the firmware revision number, the maximum data length of a command and response, the supported card types, and whether a card is inserted and powered up or not. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API.
Appendix A. Supported Card Types The following table summarizes the card type returned by GET_READER_INFORMATION correspond with the respective card type.
Appendix B.