Visitor II
May 5, 2022
Solved

ST25R3916 How to set it into 14443-A emulation mode and send/receive APDU ?

Hi everyone !

After successfully launching the ST25R3911 (in 14443-A smart card reader mode) without RFAL, using only analysis of the dialog on the ST25R3911B-DISCO, there was a need to implement a 14443-A emulator based on the ST25R3916.

With the DISCO everything is easy : logic analyzer, datasheet, and a week to learn and reproduce control commands for ST. The result is a sequence of instructions and register values to implement read mode, sleep mode and so on.

With the ST25R3916 it’s difficult: let’s say I’m not friends with RFAL in the context of integration into my project, and I don't have access to something like the DISCO for the 3916.

The Q is : in which document can I find a sequence of commands using RFAL or register values / direct commands and algorithm for implementing the emulation mode ?

    This topic has been closed for replies.
    Best answer by Ulysses HERNIOSUS

    Hi,

    Your attempted read of FIFO status register actually ends up as a write! The MOSI byte for reading FIFO status register needs to be 5Eh. By using 1Eh you are performing a write (to a read-only register).

    BR, Ulysses
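
The read/write distinction described in this answer, as an added example that is not part of the original thread or of RFAL: the top two bits of the first MOSI byte select the ST25R3916 SPI mode, so a register address sent bare is a write. Function names are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Top two bits of the first MOSI byte select the SPI operating mode. */
#define MODE_MASK   0xC0u
#define MODE_WRITE  0x00u   /* 00aaaaaa: register write */
#define MODE_READ   0x40u   /* 01aaaaaa: register read */
#define MODE_CMD    0xC0u   /* 11cccccc: direct command */
#define ADDR_MASK   0x3Fu

typedef enum { OP_REG_WRITE, OP_REG_READ, OP_FIFO_OR_MEM, OP_DIRECT_CMD } spi_op_t;

/* Header byte for reading register `reg` (hypothetical helper). */
uint8_t reg_read_header(uint8_t reg)  { return (uint8_t)(MODE_READ  | (reg & ADDR_MASK)); }
/* Header byte for writing register `reg` (hypothetical helper). */
uint8_t reg_write_header(uint8_t reg) { return (uint8_t)(MODE_WRITE | (reg & ADDR_MASK)); }

/* Classify what the chip will do with a given first MOSI byte. */
spi_op_t classify_mosi(uint8_t first) {
    switch (first & MODE_MASK) {
    case MODE_WRITE: return OP_REG_WRITE;
    case MODE_READ:  return OP_REG_READ;
    case MODE_CMD:   return OP_DIRECT_CMD;
    default:         return OP_FIFO_OR_MEM;   /* 10xxxxxx: FIFO / memory access */
    }
}

/* Given header bytes that were all meant as register reads, return the index
 * of the first one that is not in read mode, or -1 if all are correct. */
int first_bad_read(const uint8_t *hdr, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (classify_mosi(hdr[i]) != OP_REG_READ) return (int)i;
    return -1;
}

int main(void) {
    /* Constructed sample: interrupt register 1Ah read correctly,
     * then FIFO status register 1Eh sent without the read flag. */
    const uint8_t intended_reads[] = { 0x5A, 0x1E };
    printf("read header for 1Eh: %02Xh\n", (unsigned)reg_read_header(0x1E));
    printf("first bad read at index %d\n", first_bad_read(intended_reads, 2));
    return 0;
}
```

Running the same check over the first byte of every chip-select frame in a logic-analyzer capture shows quickly whether a "read" that returns zero was ever a read at all.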

    4 replies

    Technical Moderator
    May 6, 2022

    Hi Stasevich,

    the ST25 embedded lib (STSW-ST25R016 for 3916) contains a project bluetooth_pairing demo which emulates an NFC tag with NDEF content to be read and paired by a smartphone.

    I think this should be a good start for you.

    BR, Ulysses

    StasevichAuthor
    Visitor II
    May 7, 2022

    Sorry for the impudence. Can I ask someone to capture the process of initialization and APDU send/receive by the logic analyzer , pls ?

    Technical Moderator
    May 9, 2022

    Hi Stasevich,

    are you referring now to APDU exchange with 3916 being PCD or PICC?

    I don't have a board at hand now to do such traces. But could do some beginning of next week.

    Could you share a bit about your non-friendship with RFAL - we are trying to have it usable from basically any real time platform ?

    Best Regards, Ulysses

    StasevichAuthor
    Visitor II
    May 13, 2022

    PCD or PICC ? I would be interested in both modes with your permission .

    Could you share a bit about your non-friendship with RFAL .....?  

    In particular, I study and work with the exchange protocol at the level like:

    for example data exchange for antenna calibration....

    A.

    Write in H21 val . H00 

    Write in H15 val . H3F

    Dir.com. HD8

    B.

    Waiting for HL on IRQ and read interrupt registers

    C.

    Write in H15 val . HFF

    Read H23 *Offset for inductive (ampl) sensor

    This is actually what I get from data SPI analysis

    Why am I doing this? Because I use a platform that is very exotic for our days. I am sure that when I am able to appreciate all the advantages of RFAL, I'll be just as enthusiastic about it as I am about the outstanding functionality of the chip.

    Technical Moderator
    May 18, 2022

    Hi Stasevich,

    please find attached some traces (using ST25Embedded NFC lib) which showcase 3916 reading a T4T and 3916 being read as emulated card (T4T).

    Traces were done using Digiview (software available here : https://www.tech-tools.com/logic-analyzer-downloads.htm v9.3.0).

    BR, Ulysses

    StasevichAuthor
    Visitor II
    May 25, 2022

    Thank you . Here is what I managed to make from the files you provided...

    From reset (C1) until the 3916 is recognized by external devices as a card, there are five stages separated by IRQ

    Stage_1:

    Start

      Dir_cmd (&HC1)

      Reg_Wrie (&H01,&H1C)

      Dir_cmd (&HFC)

      Reg_Wrie (&H04,&H10)

      Reg_Wrie (&H02,&H80)

    Stage_2:

    Wait for IRQ ... Read 1A,80_00_00_00

      Reg_Wrie (&H16,&H80)

      Dir_cmd (&HDF)

    Stage_3:

    Wait for IRQ ... Read 1A,00_80_00_00

      Reg_Wrie (&H16,&HFF)

      Reg_Wrie (&H17,&HFF)

      Reg_Wrie (&H18,&HFF)

      Reg_Wrie (&H19,&HFF)

      Reg_Wrie (&H00,&H07)

      Reg_Wrie (&H01,&H3C)

      Reg_Wrie (&H2A,&H11)

      Reg_Wrie (&H2B,&H00)

      Reg_Wrie (&H08,&H50)

      Reg_Wrie (&H29,&H5F)

      Dir_cmd (&HFB)

      Reg_Wrie (&H05,&H40)

      Reg_Wrie (&H26,&H82)

      Reg_Wrie (&H27,&H82)

      Reg_Wrie (&H02,&H83)

      Reg_Wrie (&H2C,&H00)

      Reg_Wrie (&H17,&H7F)

      Dir_cmd (&HD6)

    Stage_4:

    Wait for IRQ ... Read 1A,00_90_00_00

      Reg_Wrie (&H17,&HFF)

      Reg_Wrie (&H08,&H5F)

      Reg_Wrie (&H03,&H08) ' Mode definition register

      FIFO = "5F53544D0000000000000200202020"

      WR_mem_l_A

      FIFO = "ABCD0102FE11223344ABFF00000000007F7F000000"

      WR_mem_l_F

      FIFO_str = "123456789ABCDF21436587A9"

      WR_mem_l_TSN

      Reg_Wrie (&H08,&H5A) ' NFCIP-1 passive target definition register

      Reg_Wrie (&H12,&H08) ' Timer and EMV® control register

      Reg_Wrie (&H0F,&H02) ' Mask receive timer register

      Reg_Wrie (&H26,&H00) ' Antenna tuning control register 1

      Reg_Wrie (&H27,&HFF) ' Antenna tuning control register 2

      Reg_Wrie (&H0B,&H01) ' P2P receiver configuration register 1

      Reg_Wrie (&H0C,&H6D) ' Correlator configuration register 1

      Reg_Wrie (&H02,&HC3) ' Operation control register

      Dir_cmd (&HCD)

      Reg_Wrie (&H16,&H4F)

      Reg_Wrie (&H17,&HE6)

      Reg_Wrie (&H18,&H0F)

      Reg_Wrie (&H19,&HE4)

      Reg_Wrie (&H03,&HE8) ' Mode definition register

      Reg_Wrie (&H02,&H03) ' Operation control register

    Stage_5:

      Wait for IRQ ... Read 1A,00_10_00_00

      Reg_Wrie (&H02,&HC3)

    After this sequence the ST25R3911B-DISCO detects the 3916 as FeliCa

    It's clear here.

    Next: an attempt to send any command from the 3911 as a reader to the 3916 in emulation mode. As a result, we get two IRQs: one about the beginning and one due to the end of transmission. It is logical that after that I can try to read the FIFO. BUT FIFO status register 1 is empty /1E (Number of bytes in the FIFO) = 0/

    Q: WHY !?

    StasevichAuthor
    Visitor II
    May 25, 2022

    .