ACR33U-A1 SmartDuo Smart Card Reader Reference Manual V1.02 Subject to change without prior notice info@acs.com.hk www.acs.com.
Table of Contents 1.0. Introduction ............................................................................................................. 4 1.1. 1.2. Reference Documents ........................................................................................................... 4 Symbols and Abbreviations ................................................................................................... 4 2.0. Features .............................................................................
Tables Table 1 : Symbols and Abbreviations ..................................................................................................... 4 Table 2 : USB Interface Wiring ............................................................................................................... 9 Table 3 : CCID Response Error Codes ................................................................................................ 60 Page 3 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.
1.0. Introduction The ACR33U-A1 SmartDuo PC-linked Smart Card Reader acts as an interface for the communication between a computer and a smart card. Different types of smart cards have different commands and different communication protocols, which, in most cases, prevent direct communication between a smart card and a computer. The ACR33U-A1 SmartDuo Smart Card Reader establishes a uniform interface from the computer to the smart card for a wide variety of cards.
2.0.
3.0. Smart Card Support 3.1. MCU Cards The ACR33U-A1 is a PC/SC compliant smart card reader that supports ISO 7816 Class A (5 V) smart card. It also works with MCU cards following either the T=0 and T=1 protocol. The card ATR indicates the specific operation mode (TA2 present; bit b5 of TA2 must be 0) and when that the particular mode is not supported by the ACR33U-A1; the reader will reset the card to a negotiable mode. If the card cannot be set to negotiable mode, the reader will then reject the card.
4.0. Smart Card Interface The interface between the ACR33U-A1 and the inserted smart card follows the specifications of ISO 7816-3 with certain restrictions or enhancements to increase the practical functionality of the ACR33U-A1. 4.1. Smart Card Power Supply VCC (C1) The current consumption of the inserted card must not be higher than 50 mA. 4.2. Programming Voltage VPP (C6) According to ISO 7816-3, the smart card contact C6 (VPP) supplies the programming voltage to the smart card.
5.0. Power Supply The ACR33U-A1 requires a voltage of 5 V DC, 100 mA, regulated, power supply. The ACR33U-A1 gets the power supply from the computer (through the cable supplied along with each type of reader). 5.1. Status LED The LED indicates the activation status of the smart card interface: • • • Flashing slowly (turns on 200 ms every 2 seconds) Indicates ACR33U-A1 is powered up and in the standby state.
6.0. USB Interface 6.1. Communication Parameters The ACR33U-A1 is connected to a computer through USB as specified in the USB Specification 2.0. The ACR33U-A1 is working in full speed mode, i.e. 12 Mbps.
7.0. Communication Protocol ACR33U-A1 shall interface with the host through the USB connection. A specification, namely CCID, has been released within the industry defining such a protocol for the USB chip-card interface devices. CCID covers all the protocols required for operating smart cards. The configurations and usage of USB endpoints on ACR33U-A1 shall follow CCID Section 3. An overview is summarized below: 1. Control Commands are sent on control pipe (default pipe).
Offset Field Size Value Description 40 dwFeatures 4 000204B0h ACR33U-A1 supports the following features: Automatic ICC clock frequency change according to parameters Automatic baud rate change according to frequency and FI,DI parameters Automatic PPS made by the CCID according to the active parameters Automatic IFSD exchange as first exchange (T=1 protocol in use) Short APDU level exchange with CCID 44 dwMaxCCIDMessageLength 4 0000010Fh Maximum message length accepted by ACR33U-A1 is 271 bytes
8.0. Commands 8.1. CCID Command Pipe Bulk-OUT Messages ACR33U-A1 shall follow the CCID Bulk-OUT Messages as specified in CCID Section 4. In addition, this specification defines some extended commands for operating additional features. This section lists the CCID Bulk-OUT Messages to be supported by ACR33U-A1. 8.1.1. PC_to_RDR_IccPowerOn Activates the card slot and return ATR from the card.
8.1.2. PC_to_RDR_IccPowerOff Deactivates the card slot. Offset Field Size Value Description 0 bMessageType 1 63h - 1 dwLength 4 00000000h Size of extra bytes of this message 5 bSlot 1 00-05h Identifies the slot number for this command 6 bSeq 1 00-FFh Sequence number for command 7 abRFU 3 - Reserved for future use The response to this message is the RDR_to_PC_SlotStatus message. Page 13 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.1.3. PC_to_RDR_GetSlotStatus Gets current status of the slot. Offset Field Size Value Description 0 bMessageType 1 65h - 1 dwLength 4 00000000h Size of extra bytes of this message 5 bSlot 1 00-05h Identifies the slot number for this command 6 bSeq 1 00-FFh Sequence number for command 7 abRFU 3 - Reserved for future use The response to this message is the RDR_to_PC_SlotStatus message. Page 14 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.1.4. PC_to_RDR_XfrBlock Transfers data block to the ICC. Offset Field Size Value Description 0 bMessageType 1 6Fh 1 dwLength 4 - 5 bSlot 1 00-05h Identifies the slot number for this command 6 bSeq 1 00-FFh Sequence number for command Size of abData field of this message 7 bBWI 1 00-FFh Used to extend the CCIDs Block Waiting Timeout for this current transfer. The CCID will timeout the block after “this number multiplied by the Block Waiting Time” has expired.
8.1.5. PC_to_RDR_GetParameters Gets slot parameters. Offset Field Size Value Description 0 bMessageType 1 6CH - 1 DwLength 4 00000000H Size of extra bytes of this message 5 BSlot 1 00-05H Identifies the slot number for this command 6 BSeq 1 00-FFH Sequence number for command 7 AbRFU 3 - Reserved for future use The response to this message is the RDR_to_PC_Parameters message. Page 16 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.1.6. PC_to_RDR_SetParameters Sets slot parameters. Offset Field Size Value Description 0 bMessageType 1 61h 1 dwLength 4 - 5 bSlot 1 00-05h Identifies the slot number for this command 6 bSeq 1 00-FFh Sequence number for command Size of extra bytes of this message Specifies what protocol data structure follows.
Offset 14 Field bClockStop Size 1 Value Description 00-03h ICC Clock Stop Support: 00h = Stopping the Clock is not allowed 01h = Stop with Clock signal Low 02h = Stop with Clock signal High 03h = Stop with Clock either High or Low The response to this message is the RDR_to_PC_Parameters message.
8.1.7. PC_to_RDR_Escape Defines and access extended features. Offset Field Size Value 0 bMessageType 1 6Bh 1 dwLength 4 - 5 bSlot 1 00-05h Identifies the slot number for this command 6 bSeq 1 00-FFh Sequence number for command 7 abRFU 3 - Reserved for future use 10 abData Byte array - Data block sent to the CCID Offset Field Size Value 10 bcmdCode 1 01h - 11 wcmdLength 2 0001h - 13 abRFU 2 - 8.1.7.1.
8.1.7.3. Get Firmware Version Offset Field Size Value Description 10 bcmdCode 1 04h - 11 wcmdLength 2 0000h - 13 abRFU 2 - Reserved for future use The response to this command message is the RDR_to_PC_Escape response message. Page 20 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.2. CCID Bulk-IN Messages The Bulk-IN messages are used in response to the Bulk-OUT messages. ACR33U-A1 shall follow the CCID Bulk-IN Messages as specified in CCID Section 4. This section lists the CCID Bulk-IN Messages to be supported by ACR33U-A1. Note: The values of bSlot and bSeq are the same as Bulk-OUT message. 8.2.1. RDR_to_PC_DataBlock This message is sent by ACR33U-A1 in PC_to_RDR_IccPowerOn and PC_to_RDR_XfrBlock.
8.2.3. RDR_to_PC_Parameters This message is sent by ACR33U-A1 in response to PC_to_RDR_GetParameters and PC_to_RDR_SetParameters messages. Offset Field Size Value Description 0 bMessageType 1 82h 1 dwLength 4 - Size of extra bytes of this message 5 bSlot 1 - Same value as in Bulk-OUT message 6 bSeq 1 - Same value as in Bulk-OUT message 7 bStatus 1 - Slot status register as defined in CCID Section 4.2.1 8 bError 1 - Slot error register as defined in CCID Section 4.2.
Offset 14 Field bClockStop Size 1 Value Description 00-03h ICC Clock Stop Support: 00h = Stopping the Clock is not allowed 01h = Stop with Clock signal Low 02h = Stop with Clock signal High 03h = Stop with Clock either High or Low Protocol Data Structure for Protocol T=1 (bProtocolNum=1, dwLength=00000007h) Offset 10 Field bmFindexDindex Size Value Description B7-4 – FI – Index into the Table 7 in ISO/IEC 7816-3:1997 selecting a clock rate conversion factor B3-0 – DI - Index into the Table 8
8.2.4. RDR_to_PC_Escape This message is sent by ACR33U-A1 in response to PC_to_RDR_Escape messages. Offset Field Size Value 0 bMessageType 1 83h 1 dwLength 4 - Size of abData field of this message 5 bSlot 1 - Same value as in Bulk-OUT message 6 bSeq 1 - Same value as in Bulk-OUT message 7 bStatus 1 - Slot status register as defined in CCID Section 4.2.1 8 bError 1 - Slot error register as defined in CCID Section 4.2.1 9 bRFU 1 00h 10 abData Byte array - 8.2.4.1.
Offset Field Size Value 10 bcmdCode 1 84h - 11 wcmdLength 2 0004h - 13 15 abStatus abData Description 2 00XXh XXh: 00h: Success 0h: Bad parameter 13 0x41h 0x43h 0x52h 0x33h 0x33h 0x2Dh 0x41h 0x31h 0x20h 0xXXh 0xXXh 0xXXh 0xXXh XX XX XX XX: Firmware Version Page 25 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.3. Memory Card Access via PC_to_RDR_XfrBlock Memory cards can be accessed via PC_to_RDR_XfrBlock command. All memory card functions are mapped into pseudo-APDUs. 8.3.1. Memory Card – 1, 2, 4, 8, 16 kbit I2C Card 8.3.1.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API.
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error 8.3.1.3.
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error Page 28 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.3.2. Memory Card – 32, 64, 128, 256, 512, 1024 kbit I2C Card 8.3.2.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error 8.3.2.3.
Byte x: Data to be written to the memory card Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error Page 31 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.3.3. Memory Card – ATMEL AT88SC153 8.3.3.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. It will also select the page size to be 8-byte page write. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of ScardConnect( ) API, please refer to PC/SC specifications.
Response data format (abData field in the RDR_to_PC_DataBlock) BYTE 1 … … BYTE N SW1 SW2 Where: BYTE x: Data read from memory card SW1, SW2 = 90 00h if no error 8.3.3.3. WRITE_MEMORY_CARD Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 FFh Bye Address MEM_L Byte 1 .... ....
P2 = 0000 00rpb where the two bits “rp” indicate the password to compare r = 0: Write password, r = 1: Read password, p = Password set number, rp = 01 for the secure code Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 ErrorCnt 90h Where: SW1 = 90h SW2 (ErrorCnt) = Error Counter. FFh indicates the verification is correct. 00h indicates the password is locked (exceeded the maximum number of retries). Other values indicate the current verification has failed. 8.3.3.5.
Where: Ch(0),Ch(1)…Ch(7): Host challenge, 8 bytes Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error Page 35 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.3.4. Memory Card – ATMEL AT88SC1608 8.3.4.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. It will also select the page size to be 16-byte page write. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
Where: BYTE x : Data read from memory card SW1, SW2 = 90 00h if no error 8.3.4.3. WRITE_MEMORY_CARD Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS Zone Address Byte Address MEM_L Byte 1 .... ....
p2p1p0: Password set number (rp2p1p0 = 0111 for the secure code) Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 ErrorCnt 90h Where: SW1 = 90h SW2 (ErrorCnt) = Error Counter. FFh indicates the verification is correct. 00h indicates the password is locked (exceeded the maximum number of retries). Other values indicate the current verification has failed. 8.3.4.5.
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error Page 39 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.3.5. Memory Card – SLE4418/SLE4428/SLE5518/SLE5528 8.3.5.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
8.3.5.3. READ_PRESENTATION_ERROR_COUNTER_MEMORY_CARD SLE4428 and SLE5528) (only To read the presentation error counter for the secret code. Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 P2 MEM_L FFh B1h 00h 00h 03h Response data format (abData field in the RDR_to_PC_DataBlock) ERRCNT DUMMY 1 DUMMY 2 SW1 SW2 Where: ERRCNT: The value of the presentation error counter. FFh indicates the last verification is correct.
Where: PROT y: Bytes containing the protection bits SW1,SW2 = 90 00h if no error The arrangement of the protection bits in the PROT bytes is as follows: PROT 1 P8 P7 P6 P5 P4 PROT 2 P3 P2 P1 P16 P15 P14 P13 P12 …. P11 P10 P9 .. .. .. .. .. .. P18 P17 Where: Px is the protection bit of BYTE x in the response data ‘0’ byte is write protected ‘1’ byte can be written 8.3.5.5.
Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS FFh D1h Byte Address MSB LSB MEM_L Byte 1 .... .... Byte N Where: MSB Byte Address = 0000 00A9A8b is the memory address location of the memory card LSB Byte Address = A7A6A5A4 A3A2A1A0b is the memory address location of the memory card MEM_L: Length of data to be written to the memory card Byte x: Byte values to be compared with the data in the card starting at Byte Address.
Where: SW1 = 90h SW2 (ErrorCnt) = Error Counter. FFh indicates the verification is correct. 00h indicates the password is locked (exceeded the maximum number of retries). Other values indicate the current verification has failed. Page 44 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.3.6. Memory Card – SLE4432/SLE4442/SLE5532/SLE5542 8.3.6.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
8.3.6.3. READ_PRESENTATION_ERROR_COUNTER_MEMORY_CARD SLE4442 and SLE5542) (only To read the presentation error counter for the secret code. Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 P2 MEM_L FFh B1h 00h 00h 04h Response data format (abData field in the RDR_to_PC_DataBlock) ERRCNT DUMMY 1 DUMMY 2 DUMMY 3 SW1 SW2 Where: ERRCNT: The value of the presentation error counter. 07h indicates the last verification is correct.
Where: Px is the protection bit of BYTE x in the response data ‘0’ byte is write protected ‘1’ byte can be written 8.3.6.5. WRITE_MEMORY_CARD Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 FFh D0h 00h Byte Address MEM_L Byte 1 .... ....
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error 8.3.6.7.
Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 P2 MEM_L FFh D2h 00h 01h 03h CODE Byte 1 Byte 2 Byte 3 Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error Page 49 of 60 ACR33U-A1 – Reference Manual Version 1.02 info@acs.com.hk www.acs.com.
8.3.7. Memory Card – SLE4406/SLE4436/SLE5536/SLE6636 8.3.7.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
8.3.7.3. WRITE_ONE_BYTE_MEMORY_CARD To write one byte to the specified address of the inserted card. The byte is written to the card with LSB first, i.e., the bit at card address 0 is regarded as the LSB of byte 0. Four different WRITE modes are available for this card type, which are distinguished by a flag in the command data field: 1. Write The byte value specified in the command is written to the specified address.
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error 8.3.7.4. PRESENT_CODE_MEMORY_CARD To submit the secret code to the memory card to enable the card personalization mode, the following actions are executed: 1. Search a '1' bit in the presentation counter and write the bit to '0'. 2. Present the specified code to the card. The ACR33U-A1 does not try to erase the presentation counter after the code submission.
The authentication has to be performed in two steps. The first step is to send the Authentication Certificate to the card. The second step is to get back two bytes of authentication data calculated by the card. Step 1: Send Authentication Certificate to the Card.
8.3.8. Memory Card – AT88SC101 / AT88SC102 / AT88SC1003 8.3.8.1. SELECT_CARD_TYPE This command powers down and up the selected card inserted in the card reader and performs a card reset. Note: This command can only be used after the logical smart card reader communication has been established using the SCardConnect( ) API. For details of SCardConnect( ) API, please refer to PC/SC specifications.
8.3.8.3. WRITE_MEMORY_CARD To write data to the specified address of the inserted card. The byte is written to the card with LSB first, e.g., the bit at card address 0 is regarded as the LSB of byte 0. The byte at the specified card address is not erased prior to the write operation and hence, memory bits can only be programmed from '1' to '0'. Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS P1 FFh D0h 00h Byte Address MEM_L Byte 1 .... ....
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error 8.3.8.5.
correct value CODE: N bytes of Erase Key Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error Note: After SW1SW2 = 0x9000h has been received, read back the data in Application Zone can check whether the ERASE_APPLICATION_ZONE_WITH_ERASE is correct. If all data in Application Zone is erased and equals to “0xFFh”, the previous verification is success. 8.3.8.6.
Response data format (abData field in the RDR_to_PC_DataBlock) SW1 SW2 Where: SW1, SW2 = 90 00h if no error = 63 00h if there is no more retry chance Note: After SW1SW2 = 0x9000h has been received, read back the data in Application Zone can check whether the ERASE_APPLICATION_ZONE_WITH_ERASE is correct. If all data in Application Zone is erased and equals to “0xFFh,” the previous verification is success. 8.3.8.7. VERIFY_SECURITY_CODE To submit Security Code (2 bytes) to the inserted card.
8.3.8.8. BLOWN_FUSE To blow the fuse of the inserted card. The fuse can be EC_EN Fuse, EC2EN Fuse, Issuer Fuse or Manufacturer’s Fuse. Note: Blowing of the Fuse is an irreversible process. Command format (abData field in the PC_to_RDR_XfrBlock) Pseudo-APDU CLA INS Error Counter LEN FFh 05h 00h CODE Byte Address MEM_L 00h 04h Fuse Bit Addr (High) Fuse Bit Addr (Low) State of FUS Pin State of RST Pin 01h 00h or 01h Where: Fuse Bit Addr (2 bytes): Bit address of the fuse.
Appendix A.
