Sle 4442
CHAPTER 4 SMART CARD (SLE 4442)

It is an intelligent 256-byte EEPROM with write protection function and programmable security code (PSC).

5.1 FEATURES:
- 256 x 8-bit EEPROM organization.
- Byte-wise addressing.
- Irreversible byte-wise write protection of lowest 32 addresses (Byte 0 ... 31).
- 32 x 1-bit organization of protection memory.
- Two-wire link protocol.
- End of processing indicated at data output.
- Answer-to-Reset acc. to ISO standard 7816-3.
- Programming time 2.5 ms per byte for both erasing and writing.
- Minimum of 10 write/erase cycles 1).
- Data retention for minimum of ten years 1).
- Contact configuration and serial interface in accordance with ISO standard 7816 (synchronous transmission).

Additional feature of SLE 4442:
- Data can only be changed after entry of the correct 3-byte programmable security code (security memory).

5.2 PIN CONFIGURATION:
Fig 5.2: Memory Overview

5.4 DESCRIPTION OF CARD:

5.4.1 SLE 4442:
The SLE 4432 consists of 256 x 8 bit EEPROM main memory and a 32-bit protection memory with PROM functionality. The main memory is erased and written byte by byte. When erased, all 8 bits of a data byte are set to logical one. When written, the information in the individual EEPROM cells is, according to the input data, altered bit by bit to logical zeros (logical AND between the old and the new data in the EEPROM).

Normally a data change consists of an erase and write procedure. It depends on the contents of the data byte in the main memory and the new data byte whether the EEPROM is really erased and/or written. If none of the 8 bits in the addressed byte requires a zero-to-one transition the erase access will be suppressed. Vice versa the write access will be suppressed if no one-to-zero transition is necessary. The write and the erase operation take at least 2.5 ms each.

Each of the first 32 bytes can be irreversibly protected against data change by writing the corresponding bit in the protection memory. Each data byte in this address range is assigned to one bit of the protection memory and has the same address as the data byte in the main memory which it is assigned to. Once written the protection bit cannot be erased (PROM).

Additionally to the above functions the SLE 4442 provides a security code logic which controls the write/erase access to the memory. For this purpose the SLE 4442 contains a 4-byte security memory with an Error Counter EC (bit 0 to bit 2) and 3 bytes reference data. These 3 bytes as a whole are called Programmable Security Code (PSC). After power on the whole memory, except for the reference data, can only be read. Only after a successful comparison of verification data with the internal reference data the memory has the identical access functionality of the SLE 4432 until the power is switched off. After three successive unsuccessful comparisons the Error Counter blocks any subsequent attempt, and hence any possibility to write and erase.

5.4.2 Transmission protocol
The transmission protocol is a two wire link protocol between the interface device IFD and the integrated circuit IC. It is identical to the protocol type S = A. All data changes on I/O are initiated by the falling edge of the CLK. The transmission protocol consists of 4 modes:
- Reset and Answer-to-Reset mode
- Command mode
- Outgoing data mode
- Processing mode
5.4.2.1 Reset and Answer-to-Reset:
Answer-to-Reset takes place according to ISO standard 7816-3 (ATR). The reset can be given at any time during operation. In the beginning, the address counter is set to zero together with a clock pulse and the first data bit (LSB) is output to I/O when RST is set from level H to level L. Under a continuous input of additional 31 clock pulses the contents of the first 4 EEPROM addresses are read out. The 33rd clock pulse switches I/O to high impedance Z and finishes the ATR procedure.

Answer-to-Reset (Hex): Byte 1 (DO7 ... DO0), Byte 2, Byte 3, Byte 4
5.4.2.2 Operational Modes:

Command Mode:
After the Answer-to-Reset the chip waits for a command. Every command begins with a start condition, includes a 3 bytes long command entry followed by an additional clock pulse and ends with a stop condition.
- Start condition: Falling edge on I/O during CLK in level H
- Stop condition: Rising edge on I/O during CLK in level H

After the reception of a command there are two possible modes:
- Outgoing data mode for reading
- Processing mode for writing and erasing

Outgoing Data Mode:
In this mode the IC sends data to the IFD. The first bit becomes valid on I/O after the first falling edge on CLK. After the last data bit an additional clock pulse is necessary in order to set I/O to high impedance Z and to prepare the IC for a new command entry. During this mode any start and stop condition is discarded.

Processing Mode:
In this mode the IC processes internally. The IC has to be clocked continuously until I/O, which was switched to level L after the first falling edge of CLK, is set to high impedance level Z. Any start and stop condition is discarded during this mode.
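The command framing described above, as an added example that is not part of the original text: a C routine that builds the CLK and I/O line states for one command, and a decoder that accepts a captured trace only when the start condition, 24 command bits, the additional clock pulse and the stop condition are all present. All names are hypothetical, and the bit order within each command byte is assumed to be LSB first, as the text states for outgoing data.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example; all names are hypothetical. One sample of the two lines. */
typedef struct { uint8_t clk, io; } sample_t;

/* Line states an IFD drives for one command; out needs room for 53 samples.
 * Bit order within each byte is assumed LSB first, as for outgoing data. */
size_t encode_command(const uint8_t cmd[3], sample_t *out) {
    size_t n = 0;
    out[n++] = (sample_t){1, 1};
    out[n++] = (sample_t){1, 0};                 /* start: I/O falls, CLK at H */
    for (int i = 0; i < 24; i++) {
        uint8_t bit = (cmd[i / 8] >> (i % 8)) & 1u;
        out[n++] = (sample_t){0, bit};           /* I/O changes while CLK at L */
        out[n++] = (sample_t){1, bit};           /* and is stable at CLK H     */
    }
    out[n++] = (sample_t){0, 0};
    out[n++] = (sample_t){1, 0};                 /* the additional clock pulse */
    out[n++] = (sample_t){1, 1};                 /* stop: I/O rises, CLK at H  */
    return n;
}

/* Returns 1 and fills cmd only if the trace holds a start condition, 24 bits
 * plus the additional pulse, and a stop condition; otherwise returns 0. */
int decode_command(const sample_t *s, size_t n, uint8_t cmd[3]) {
    int started = 0, edges = 0;
    for (size_t i = 1; i < n; i++) {
        int both_high = s[i - 1].clk && s[i].clk;
        if (both_high && s[i - 1].io && !s[i].io) {            /* start */
            started = 1;
            edges = 0;
            cmd[0] = cmd[1] = cmd[2] = 0;
        } else if (started && both_high && !s[i - 1].io && s[i].io) {
            return edges == 25;                                /* stop  */
        } else if (started && !s[i - 1].clk && s[i].clk) {     /* rising CLK */
            if (edges < 24)
                cmd[edges / 8] |= (uint8_t)((s[i].io & 1u) << (edges % 8));
            edges++;
        }
    }
    return 0;
}
```

The decoder covers command mode only; in outgoing data mode and processing mode the card discards start and stop conditions, so a trace of those phases needs separate handling.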
5.5 COMMANDS:

Command format: Each command consists of three bytes.

MSB Control LSB          MSB Address LSB          MSB Data LSB
B7 B6 B5 B4 B3 B2 B1 B0  A7 A6 A5 A4 A3 A2 A1 A0  D7 D6 D5 D4 D3 D2 D1 D0
Fig 5.5: command mode

The various commands used in the card operation of the SLE 4442 are provided in the following table.

5.5.1 Read Main Memory
The command reads out the contents of the main memory (with LSB first) starting at the given byte address (N = 0 ... 255) up to the end of the memory. After the command entry the IFD has to supply sufficient clock pulses. The number of clocks is m = (256 - N) x 8 + 1. The read access to the main memory is always possible.

Command: READ MAIN MEMORY
Byte     Bits    Binary           Hexadecimal
Control  B7..B0  0 0 1 1 0 0 0 0  30H
Address  A7..A0  Address          00H ... FFH
Data     D7..D0  No effect        No effect
Fig 5.6: Read Main Memory

5.5.2 Read Protection Memory
The command transfers the protection bits under continuous input of 32 clock pulses to the output. I/O is switched to high impedance Z by an additional pulse. The protection memory can always be read, and indicates the data bytes of the main memory protected against changing.

Command: READ PROTECTION MEMORY
Byte     Bits    Binary           Hexadecimal
Control  B7..B0  0 0 1 1 0 1 0 0  34H
5.5.3 Update Main Memory
The command programs the addressed EEPROM byte with the data byte transmitted. Depending on the old and new data, one of the following sequences will take place during the processing mode:
- Erase and write (5 ms) corresponding to m = 255 clock pulses
- Write without erase (2.5 ms) corresponding to m = 124 clock pulses
- Erase without write (2.5 ms) corresponding to m = 255 clock pulses

Command: UPDATE MAIN MEMORY
Byte     Bits    Binary           Hexadecimal
Control  B7..B0  0 0 1 1 1 0 0 0  38H
Address  A7..A0  Address
Data     D7..D0  Input data
5.5.4 Write Protection Memory
The execution of this command contains a comparison of the entered data byte with the assigned byte in the EEPROM. In case of identity the protection bit is written, thus making the data information unchangeable. If the data comparison results in data differences, writing of the protection bit will be suppressed. For execution times and required clock pulses see UPDATE MAIN MEMORY.

Command: WRITE PROTECTION MEMORY
Byte     Bits    Binary           Hexadecimal
Control  B7..B0  0 0 1 1 1 1 0 0  3CH
Address  A7..A0  Address
Data     D7..D0  Input data
5.5.5 Read Security Memory
Similar to the read command of the protection memory, this command reads out the 4 bytes of the security memory. The number of clock pulses during the outgoing data mode is 32. I/O is switched to high impedance Z by an additional pulse. Without a preceding successful verification of the PSC the output of the reference bytes is suppressed, that means I/O outputs state L for the reference data bytes.

Command: READ SECURITY MEMORY
Byte     Bits    Binary           Hexadecimal
Control  B7..B0  0 0 1 1 0 0 0 1  31H
5.5.6 Update Security Memory
Regarding the reference data bytes, this command will only be executed if a PSC has been successfully verified before. Otherwise only each bit of the error counter (Address 0) can be written from 1 to 0. The execution times and required clock pulses are the same as described under UPDATE MAIN MEMORY.

Command: UPDATE SECURITY MEMORY
Byte     Bits    Binary           Hexadecimal
Control  B7..B0  0 0 1 1 1 0 0 1  39H
Address  A7..A0  Address
Data     D7..D0  Input data
5.5.7 Compare Verification Data
This command can only be executed in combination with an update procedure of the error counter. The command compares one byte of the entered verification data with the corresponding reference data byte. For this procedure clock pulses are necessary during the processing mode.

Command: COMPARE VERIFICATION DATA
Byte     Bits    Binary           Hexadecimal
Control  B7..B0  0 0 1 1 0 0 1 1  33H
Address  A7..A0  Address
Data     D7..D0  Input data
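An added software model of the access-control behaviour described in 5.4.1 and 5.5.3 to 5.5.7, not code from the original text or from the chip vendor: it shows how the error counter, the three-byte comparison and the protection bits together gate UPDATE MAIN MEMORY. All names are hypothetical. Assumptions: a protection bit reads 0 once written, the verification bytes are compared in address order 1 to 3, and the host restores the error counter after a successful comparison.

```c
#include <stdint.h>
/* Added model of the card-side logic; every name here is hypothetical. */
typedef struct {
    uint8_t  main_mem[256];
    uint32_t prot;     /* bit n guards byte n; assumed 0 = written = protected */
    uint8_t  ec;       /* error counter, bits 0..2; each 1 bit = one attempt   */
    uint8_t  psc[3];   /* reference data, security memory addresses 1..3       */
    int      step;     /* 0 = idle, 1..3 = address of next byte to compare     */
    int      unlocked; /* PSC verified; holds until power off                  */
} card_t;

void power_on(card_t *c) { c->step = 0; c->unlocked = 0; }

/* UPDATE SECURITY MEMORY (39H) */
int update_security(card_t *c, uint8_t addr, uint8_t data) {
    if (addr > 3) return 0;
    if (c->unlocked && addr) { c->psc[addr - 1] = data; return 1; }
    if (c->unlocked) { c->ec = data & 0x07; return 1; }
    if (addr != 0) return 0;                  /* reference data stays locked */
    uint8_t next = c->ec & data & 0x07;       /* bits only go from 1 to 0    */
    c->step = (next != c->ec);                /* an attempt bit was consumed */
    c->ec = next;
    return c->step;
}

/* COMPARE VERIFICATION DATA (33H); bytes assumed in address order 1..3 */
int compare_verification(card_t *c, uint8_t addr, uint8_t data) {
    int ok = c->step && addr == c->step && data == c->psc[addr - 1];
    c->step = ok ? c->step + 1 : 0;           /* a mismatch ends the attempt */
    if (c->step > 3) { c->unlocked = 1; c->step = 0; }
    return ok;
}

/* UPDATE MAIN MEMORY (38H) */
int update_main(card_t *c, uint8_t addr, uint8_t data) {
    if (!c->unlocked) return 0;               /* read-only until PSC matches */
    if (addr < 32 && !((c->prot >> addr) & 1u)) return 0;  /* protected   */
    c->main_mem[addr] = data;
    return 1;
}

/* Host side: spend one EC bit, compare three bytes, then restore the EC. */
int verify_psc(card_t *c, const uint8_t guess[3]) {
    uint8_t bit = c->ec & (uint8_t)-c->ec;    /* lowest attempt bit still set */
    if (!bit || !update_security(c, 0, (uint8_t)(c->ec & ~bit))) return 0;
    for (uint8_t a = 1; a <= 3; a++)
        if (!compare_verification(c, a, guess[a - 1])) return 0;
    return update_security(c, 0, 0x07);       /* assumed: counter restored   */
}
```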