How to use Firmware Upgrade Utility

Firmware Upgrade Procedure

FUU “Firmware Upgrade Utility” is SpringCard’s all-in-one software to flash the firmware of most of the product families.

FUU could be use to flash the : H663, E663, S663 and K663 families.

First of all you'll need to download the Firmware Upgrade Utility software : https://www.springcard.com/fr/download/find/file/su13168

Once it's installed, launch it. You will see that window

Read More

New version of FUU supports unattended H663 firmware upgrade

FUU "Firmware Upgrade Utility" is SpringCard's all-in-one software to flash the firmware of most of the product families.

The H663 family (including the H663 OEM module itself, and also the Prox'N'Roll HSP, CrazyWriter HSP, TwistyWriter HSP and CSB HSP) is architectured over an Atmel (now Microchip) MCU, which could be flashed through USB. FUU Supports this family for long, and comes with Atmel DFU (Device Firmware Upgrade) driver for Windows.

Read More

SpringCard PC/SC SDK VERSION 2016.03

The version 2016.03 of our PC/SC SDK is now available for download: pcsc-sdk_2016-03.zip.

You can use it with our products in the SpringCard CSB6 Family (CSB6, Prox'N'Roll PC/SC, EasyFinger and CrazyWriter), with our products in the H663 family (Prox'N'Roll HSP PC/SC, CrazyWriter HSP, TwistyWriter HSP, CSB HSP) and our NFC readers/encoders (H512, NFC'Roll).

This SDK is also available on GitHub.

This SDK contains a new version of MemoryCardTool, a new tool called "scriptorxv" and a serie of basic projects for beginners.

Using Mifare Classic EV1 with SpringCard PC/SC readers

NXP has recently started shipping a new generation of Mifare Classic chips, called Mifare Classic EV1 (part numbers MF1S50yyX/V1 for Mifare Classic EV1 1K and MF1S70yyX/V1 for Mifare Classic EV1 4K).

The chips are 100% compliant with earlier Mifare Classic 1K and 4K, with 2 subtle differences:

  • the kind of protocol-level ID to be used must be configured once for all during the pre-personalisation step. Possible choices are 7-byte UID, 4-byte fixed but non-unique ID, and 4-byte random ID,
  • the load modulation level could be set to 'high' or 'low'.

In this short article we'll show how to configure both the kind of ID and the load modulation.

Personalize UID usage

This command can be only issued once. The choosen configuration is then locked forever. If you have ordered Mifare Classic EV1 with a specific configuration, the command has been issued in factory and will always fail adterwards.

The Mifare Classic EV1' "personalize UID usage" allows to select one of four different modes:

  1. UIDF0 (value 0x00): anti-collision and selection with the 7-B UID
  2. UIDF1 (value 0x40): anti-collision and selection with the 7-B UID plus a possible shortcut (select only the 4 first bytes and read block 0, bypassing the second step of the selection)
  3. UIDF2 (value 0x20): anti-collision and selection with a 4-B random ID
  4. UIDF3 (value 0x60): anti-collision and selection with a 4-B non-unique ID (calculated out of the 7-B UID)

The command code is 0x40 and must be sent in a CRYPTO1-ciphered stream, after a successfull authentication on sector 0.

To do so, here's the sequence of commands that must be send to the reader in a SCardTransmit stream (you may for instance write a script for csScriptor). We assume that the card is in transport condition, i.e. that the key A of sector 0 (as well as all other sectors) is the transport key FF FF FF FF FF FF and gives full access to the sector.

# Load the transport key in the reader's volatile memory
FF 82 00 00 06 FF FF FF FF FF FF

# Get authenticated over sector 0 using the transport key as key A
FF 86 00 00 05 01 00 03 60 00

# Check that the authentication is OK by reading block 0
FF B0 00 00 10

# Send the 'personalize UID' command within an ENCAPSULATE APDU
# P1 = 0x01 -> ISO 14443-3
# P2 = 0x08 -> timeout = 125ms
# The last byte is the value to be set, here we choose 0x60 for UIDF3
FF FE 01 08 02 40 60

The reader returns 90 00 if the card acknowledges the command.

If you receive 6F 02 instead (CRC error), it is likely that the card has sent a NACK, meaning that the configuration has already been set and is therefore locked.

Set modulation strength

The Mifare Classic EV1's "set modulation strength" command allows configuring the chip for either the strong modulation strength (default, value 0x01), or the weak modulation strength (value 0x00).

The command code is 0x43 and must be sent in a CRYPTO1-ciphered stream, after a successfull authentication on sector 0.

To do so, here's the sequence of commands that must be send to the reader in a SCardTransmit stream (you may for instance write a script for csScriptor). We assume that the card is in transport condition, i.e. that the key A of sector 0 (as well as all other sectors) is the transport key FF FF FF FF FF FF and gives full access to the sector.

# Load the transport key in the reader's volatile memory
FF 82 00 00 06 FF FF FF FF FF FF

# Get authenticated over sector 0 using the transport key as key A
FF 86 00 00 05 01 00 03 60 00

# Check that the authentication is OK by reading block 0
FF B0 00 00 10

# Send the 'set modulation strength' command within an ENCAPSULATE APDU
# P1 = 0x01 -> ISO 14443-3
# P2 = 0x08 -> timeout = 125ms
# The last byte is the value to be set, here we choose 0x00 for weak strength
FF FE 01 08 02 43 00

Reading and writing data in a Mifare UltraLight Card, with a Prox'N'Roll

DOWNLOAD AND READ THE DOCUMENTATIONS

First thing to do is to obtain the documentation of the card from the manufacturer (NXP in this case) and the Prox'N'Roll developer's reference manual.

From the card's functional specifications, we can see that the memory is structured in 16 pages of 4 bytes. The four first pages (0-3) contain special bytes: so, we'll only cover pages 4 to 16.

STEP BY STEP PROCEDURE

The goal is to read and write the card memory.

READ BINARY

In the developer's reference manual, the READ BINARY instruction is described in §2.2.4 at the time of this writing.

The APDU is :

  • CLA: FF
  • INS: B0
  • P1: Address MSB
  • P2: Address LSB
  • Lc: not needed
  • Data in: not needed
  • Le: number of bytes to be read

The specifics to read Mifare Ultralight cards are detailed in §4.3.3.a (at the time of this writing).
Here, we can see that :

  • P1 must be 00
  • P2 is the address of the first page to be read
  • Le must a multiple of 4.

We want to read the whole memory, starting from page 4: this means we want to read 12 pages of 4 bytes, so 48 bytes (ie: 30 in hexadecimal).
So the APDU is :
FF B0 00 04 30

To send this APDU, please use our PC/SC Diagnostic tool, available on our main site (QuickStart for PC/SC).

Put the card on the reader: its ATR prints. To understand what this means, you can check §4.1.2 (at the time of this writing) in the developer's reference manual.

ATRNow, double-clic on the line corresponding to the reader and enter the above-mentioned APDU :

read_capduClic on Transmit, or press "Enter": the APDU is sent to the card and its response is printed in the bottom.

read_rapduThe card has obviously been previously written and the ASCII translation is provided: "Mifare Ultralight card, used with Prox'N'Roll".
Please note that the card's reponse ends with "90 00", which means success.

UPDATE BINARY

In the developer's reference manual, the UPDATE BINARY instruction is described in §2.2.5 at the time of this writing.

The APDU is :

  • CLA: FF
  • INS: D6
  • P1: Address MSB
  • P2: Address LSB
  • Lc: Lenght of Data In
  • Data in: Bytes to be written
  • Le: not needed

The specifics to write Mifare Ultralight cards are detailed in §4.3.3.b (at the time of this writing).
Here, we can see that :

  • P1 must be 00
  • P2 is the address of the unique page to be written
  • Le must be 4.

We want to replace "Prox'N'Roll" by "SpringCard" in the card memory, so we first have to determine which pages must be updated. Remember that Le must be 4 : this means that we can write exactely 4 bytes at a time (one page), no more, no less.

To determine the content of each page, just use the READ BINARY APDU.
For example, for page 12, the APDU should be : FF B0 00 0C 04

read_single_pageUsing those commands, we can see that:

  • content of page 12 (0x0C) is 68 20 50 72 (in ASCII : "h Pr")
  • content of page 13 (0x0D) is 6F 78 27 4E (in ASCII: "ox'N")
  • content of page 14 (0x0E) is 27 52 6F 6C (in ASCII: "'Rol")
  • content of page 15 (0x0F) is 6C 00 00 00 (in ASCII: "l" followed by invalid characters)

So, we'll need to change 4 pages : pages 12, 13, 14 and 15.

SpringCard in ASCII is : "53 70 72 69 6E 67 43 61 72 64"

The 4 APDUs (one for each page) should be:

  • page 12: FF D6 00 0C 04 68 20 53 70 (the first two bytes remain unchanged)
  • page 13: FF D6 00 0D 04 72 69 6E 67
  • page 14: FF D6 00 0E 04 43 61 72 64
  • page 15: FF D6 00 0F 04 00 00 00 00 (we replace the first byte)

Enter those APDUs and click on "Transmit" :

write_single_pageOperation is successful if the card answers 90 00.

Now, you can read back the whole memory, using FF B0 00 04 0C:

final_readWe can see that "Prox'N'Roll" has been replaced by "SpringCard" in the card memory.

 

 

PC/SC Troubleshooting on Windows

Following our PC/SC installation guide on Windows, you've installed the appropriate driver, and made sure the "Smart Card" service is running on your Windows computer.
But still, your PC/SC reader doens't appear on PC/SC Diagnostic.

Please first check in your device manager that your SpringCard PC/SC reader is properly installed (it should appear under Smart Card Reader).

Now, if the drivers are properly installed, the "Smart Card" service is running, but the reader doesn't show up on the diagnostic tool, the reason must be one of the following :

  1. A third party security-related software or single-login solution takes full control over the PC/SC subsystem
  2. The computer is either running in a virtual machine or in a remote session on a terminal server
  3. Access to PC/SC readers has been disabled by the corporate administrators through a group policy
  4. A driver from one of our competitors has corrupted the registry

For reasons 1 and 2, SpringCard cannot offer any help.

For reason 3 : you should try to run a copy of our PC/SC Diagnostic tool, located on the C: drive, being logged in as Administrator. If this works, your reader is properly installed.

For reason 4, the problem is in the registry permission for LOCAL_SERVICE :
Open the registry editor ("regedit") :

  1. Right-click on the key HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Calais and select Permissions...
  2. Click Add.
  3. Click Advanced.
  4. Click Locations.
  5. Click on the computer name and click OK.
  6. In the window 'Select user or groups', click on Find now.
  7. Select LOCAL SERVICE.
  8. Click OK.
  9. In the window 'Select user or groups', click OK.
  10. In the window 'Permissions for Calais', click on LOCAL SERVICE and make sure 'Full control' , 'Read' and 'special permissions' are allowed.
  11. In the window "Advance Security Settings for Calais", deactivate the options "Inherit from parent the permission entries that apply to child objects..."
  12. When the window "Security" appears, click Copy.
  13. In the window "Advance Security Settings for Calais", activate the option "Replace permission entries on all child objects with entries shown here that apply to child objects" and click OK.
  14. In the window "Security" click Yes
  15. In the window "Permissions for Calais", click OK.

Restart the computer.

Accessing Reader's configuration from command line and in batch mode

All SpringCard PC/SC Readers feature a set of Configuration Registers that allow to alter the Reader behaviour to match a particular hardware setup or end-user requirement.

Editing the configuration is easy thanks to MultiConf, the new versatile configuration tool that covers all SpringCard products. But MultiConf is a GUI-application. When it comes to configuring numerous readers at once (with the same settings of course), a command-line tool, suitable to operate in batch mode, could be preferred.

This is typically the aim of pcscconf, a simple command-line utility (targetting Windows systems).

Getting started with pcscconf

Download pcscconf (and its companion tool pcscinfo) (ZIP)

Extract the ZIP archive in the directory of the choice. There are 3 files in the archive:

  • pcscconf.exe, the tool we'll be using
  • pcscinfo.exe, a software to retrieve all information regarding the connected readers (version, serial numbers, etc)
  • pcsctool.dll, the library that makes both software work.

Open a command-line box in the directory where you've extracted the archive, and at the prompt enter

pcscconf

pcscconf-1
pcscconf-2

Reading current configuration

Enter

pcscconf -d

to dump the current configuration.

pcscconf-3

It is also possible to enter

pcscconf -d <Filename>

to dump the configuration to a file. pcscconf uses the same file format as MultiConf.

If the file already exists, use

pcscconf -df <Filename>

to force the overwrite.

Changing a configuration register

Use syntax

pcscconf -s <RegisterAddress>=<RegisterValue>

 

pcscconf-4

To erase a register (i.e. restore product's default value), use syntax

pcscconf -s <RegisterAddress>

Applying a new configuration from a file

Use syntax

pcscconf -u <Filename>

to upload the configuration from the file into the reader.

There's no confirmation prompt or 'Are you sure' dialog box. Be sure to double-check the content of your file before uploading it into the reader.

pcscconf-5

Do not forget...

Changing a reader's configuration will change its behaviour! You're using this software at one risk. Always refer to the reader's detailed Developer's Guide or use MultiConf to choose the appropriate values.

Some registers play a special role and are therefore protected before delivery. This is the case of registers C0 and F0 to FF. Trying to write in one of these registers will always fail.

pcscconf targets the SpringCard PC/SC Readers only (and not the RFID Scanners, /RDR family and access control readers, nor the Legacy products).

pcscconf is able to work with only one PC/SC Reader at once. If you run pcscconf with two readers or more connected to your computer, the software will issue a warning and exit.

EAS management for ICODE SLI/SLI-X (standard, type S and type L)

ICODE SLI are ISO 15693 compliant but feature proprietary extensions not implemented in the reader's firmware. However, you can use those features in transparent mode. The following post will focus on EAS management with this type of tag. The function entries described are available in the CSB6 SDK.


EAS management in the different ICODE SLI types 

The way to access to the EAS field depend on the type of ICODE used. With ICODE SLI/SLI-X type L and S, EAS field can be password protected. Once password protected, a "set password" command must be sent to the card once in the RF field or if the password is modified. It will allow the execution of most of the other commands. This security is not available on classic ICODE SLI/SLI-X.


Transparent mode APDU structure

Most of the frames sent to the card contains :

Flags (1 byte) :
Those are detailed in the ISO 15693 documentation.

Command ID (1 byte) :
Allows to identify the type of command sent.

IC manufacturing code (1 byte) :
It refers to the tag type and is contained in the UID of the tag. For NXP Semiconductors, This code is 04h.

UID (8 bytes).

Some other fields are command specific and will be detailed below.


Command available in the SDK

*** AVAILABLE FOR ALL ICODE SLI TYPES ***

Set EAS
Available with void set_EAS(BYTE snr[8]);  
Set EAS status to 1.                                                                        

Reset EAS
Available with void reset_EAS(BYTE snr[8]); 
Set
 EAS status to 1.

Lock EAS
Available with void lock_EAS(BYTE snr[8]); 
This field is commented in the source code. Once locked, EAS cannot be modified anymore.

AVAILABLE FOR ICODE SLI/SLI-X S and L types

Protect EAS
Available with void protect_EAS(BYTE snr[8]);
This command allows to protect the EAS field with a password. Once set, this field cannot be changed and you will have to use the "set password" command to modify the EAS status.

Get random number
Available with short get_random_nb(BYTE snr[8], BYTE * rd_nb)      
It will request a 2 bytes randomly generated code required for a proper use of the "set password" command.

Set password
Available with void set_password(BYTE snr[8], BYTE password[4])
This command requires specific fileds : a password ID to inform the card of which fields are needed to be unlocked, and the previously stored password XOR two random numbers acquired with the "get random number" command.

ex :  if the last password was (00 00 00 00)h, and the last "get random number" command return you (0A 25)h, the 4 bytes to pass as command parameters will be (0A 25 0A 25)h.

Write password
Available with void write_password(BYTE snr[8], BYTE password[4])
Write a new password in the card (if the password field has not been locked).

Lock password
Available with void lock_password(BYTE snr[8])
This function is commented in the source code. Once locked, the password cannot be changed.


 About the reference application

The application manual is available via the executable call.
A simple [EXECUTABLE NAME] [COM] [HELP] will display the commands available.