Phát Nguyễn Tấn

UNIVERSITY OF INFROMATION & TECHNOLOGY

 1
RFID Guide by CuteBoiz

I. MIFARE TAG

1. Three Pass Authentication

Step:
- Initial & Enable: USART, SPI, MFRC
- Send WUPA command. Wait until there a tag in antenna area.
- Send Anticollision command to get 4 bytes NUID

P a g e 1 | 19
 2
RFID Guide by CuteBoiz

2. Memory organnization

The 1024 x 8 bit EEPROM memory is organized in 16 sectors of 4 blocks. Oneblock contains
16 bytes.

Manafucturer block

Data blocks
- All sectors contain 3 blocks of 16 bytes for storing data.

P a g e 2 | 19
 3
RFID Guide by CuteBoiz

3. MIFARE Class command.

Command Cmd code

REQUEST (REQA) 0x26 (7 bit)
WAKEUP (WUPA) 0x52 (7 bit)
AntiCollision CL1 0x93 0x20
SELECT CL1 0x93 0x70
AntiCollision CL2 0x95 0x20
SELECT CL2 0x95 0x70
HALT 0x50 0x00
Authentication with key A 0x60
Authentication with key B 0x61
Personalize UID Usage 0x40
SET_MOD_TYPE 0x43
MIFARE Read 0x30
MIFARE Write 0xA0
MIFARE Decrement 0xC0
MIFARE Increment 0xC1
MIFARE Restore 0xC2
MIFARE Transfer 0xB0

ACK & NAK

Code (4 bit) Transfer Buffer Validity Description

Ah ACK
0h Valid Invalid operation
1h Valid Parity or CRC error
4h Invalid Invalid operation
5h Invalid Parity or CRC error
P a g e 3 | 19
 4
RFID Guide by CuteBoiz

ATQA and SAK Response

Type Hex Code

MF1S500yX (Mifare UltraLight) 00 44h

MF1S503yX (Mifare_One S50) 00 04h

MF1S700yX 00 42h
MF1S703yX (Mifare_One S70) 00 02h

P a g e 4 | 19
 5
RFID Guide by CuteBoiz

REQA & WUPA:

- The MF0ICU1 accepts the REQA command only in Idle state the response is the 2 byte
ATQA.

- The MF0ICU1 accepts the WUPA command only in Idle and halt state the response is
the 2 byte ATQA.

Casade level 1: Anticollsion & Select command:

- The Anticollision and Select commands are based on the same command code. Only the
parameter byte is different.
- This is as the 70h definition in case of Select command. The MF0ICU1 accepts these
commands only in the Ready 1 state.
- The response is NUID for the anticollision and SAK for Select.
ANTICOLLISION:

SELECT:

HALT:
- The Halt command is used to set the MF0ICU1 Ics into a different wait state (halt
instead of idle).

P a g e 5 | 19
 6
RFID Guide by CuteBoiz

II. MFRC

Command Command Code Action

No action, cancel current
Idle 0000
command axecution
Stores 25 bytes into interal
Mem 0001
Buffer
Generates a 10-byte
Generate RamdomID 0010
random ID number
Activates the CRC
CalcCRC 0011
calculation
Transmits data form the
Transmit 0100
FIFO buffer
NoCmdChange 0111 No cmd change.
Activates the receiver
Receive 1000
circuits
Transmit data from FIFO
buffer to antenna and
Transceive 1100 automactically activates the
receiver affter
transmission.
- 1101 Reserved
Preforms the MIFARE
MFAuthent 1110 standard authentication as a
reader
SoftReset 1111 Reset the MFRC522

Idle:
- Places the MFRC in Idle mode. The Idle command also terminates itself.
Mem:
- Transfer 25 bytes from the FIFO buffer to the internal buffer.
- To Read out the 25 bytes from internal buffer the Mem command must be started with
an empty FIFO buffer. In this case, 25 bytes are transferrd from internal Buffer to FIFO.
- This command automatically terminates when finished and Idle command becomes
active.

P a g e 6 | 19
 7
RFID Guide by CuteBoiz

Generate RandomId:
- This command generates a 10-bytes random number which ins initally stored in the
internal Buffer. This then overwrites the current 10 bytes in the internal 25-byte buffer.
- This command automatically terminates when finished and the MFRC522 return to Idle
mode.

CalcCRC:
- The FIFO buffer content ins transferred to the CRC coprocessor and the CRC
calculation is started.
- The CRC calculation’s result is stored in CRCResultReg register.
- The CRC calculation is not stopped when the FIFO buffer is empty during the data
stream. The next byte written to the FIFO buffer is added to the calculation.
- The CRC preset value is controlled by the ModeReg register’s CRCPreset[1:0]. The
value is loaded in to the CRC coprocessor when the command starts.
- This command must be terminates by writing a command to the CommandReg[3:0].

Transmit:
- The FIFO buffer content is imediately transmitted after starting this command.
- Before transmitting the FIFO buffer content, all relevant registers must be set for data
transmission.
- This command automatically terminates when the FIFO buffer is empty. It can be
termanated by another command written to the CommandReg[3:0].

NoCmdChange:
- This command does not influence any running command in the CommandReg register.

Receive:
- The MFRC522 activates the receiver path and waits for a data stream to be received. The
correct settings must be chosen before starting this command.
- This command auto terminated when the data stream ends. This is indacated either by
the end of frame pattern or by the length byte depending on the selected frame type and
speed.
- Remark: if the RxModeReg[2] set to 1. The receive command will not automatically
terminate. It must be terminated by starting another command.

P a g e 7 | 19
 8
RFID Guide by CuteBoiz

Transceive:
- This command continously repeats the transmission of data from the FIFO buffer and
the reception of data from RF field. The first action is transmit and after transmission the
comamnd is changed to receive a data stream.
- Each transmit process must be started by setting the BitFramingReg[7] to 1.
- This command must be cleared by writing any command to the CommandReg register

MFAuthent:
SoftReset
- This command performs a reset of the device. The configuration data of the internal
buffer remain unchanged. All registers are set to the reset values.
- This command automatically terminates when finished.
- Remark: The SerialSpeedReg register is reset and therefore the serial data rate is set to
9.6 kBd.

P a g e 8 | 19
 9
RFID Guide by CuteBoiz

III. CODE

1. Serial Peripheral Interface (SPI)

Description:
- Send data to or receive data from MFRC522 for communicate with Tag.
Step:
- SPSR = data send to MFRC
- Wait until 1 process of SPI complete (recv or sent)
- Return SPSR as data received

MSB always sent first

2. Read Data from a MFRC’s Register

Description:
- Read value of a MFRC’s register
Input: Register’s Address
Output: Register’s Value
Step:
- Transfer Enable (Clear MFRC’s SS pin).
- Sent register’s address with fomula : 1XXXXXX0
- Receive register’s value by sending 0x00
- Transfer Disable (Set MFRC’s SS pin)
- Return

P a g e 9 | 19
 10
RFID Guide by CuteBoiz

3. Write Data to a MFRC’s Register

Description:
- Change value of a MFRC’s register
Input: Register’s Addess + Register’s new Value
Output: None
Step:
- Transfer Enable
- Sent register’s address with fomula: 0XXXXXX0
- Sent new value you want to set for that register
- Transfer Disable.

4. Set a bit of Register

Input:
- Register’s Address + bit location
Output: None
Step:
- Write data to that register with it’s current value |= (1<<bitLocation)

5. Clear a bit of Register

Input: Register’s Address + bit location
Output: None
Step:
- Write data to that register with it’s current value |= (1<<bitLocation)

P a g e 10 | 19
 11
RFID Guide by CuteBoiz

6. MFRC Initial
Description:
- Get MFRC to be ready for reading any Tag
Input: None
Output: None
Step:
- Transfer Disable
- Reset MFRC522
- Create a Auto-Timer with 25ms count up.
- Enable 100% ASK
- Enable:
o Transmitter can only be started if an RF field is generated
o MFIN Pin active high.
o Preset value for CRC calculate to 6363h
- Output signal on pin TX1/TX2 delivers the 13.56Mhz enegy carrier modulated
by the transmission data.
Infromation:
- Timer:
𝑇𝑃𝑟𝑒𝑠𝑐𝑎𝑙𝑒𝑟(3390) .𝑇𝑅𝑒𝑙𝑜𝑎𝑑𝑉𝑎𝑙(48)
25ms =
6.78𝑀𝐻𝑧

TModeReg: define setting for internal timer

[7]: = 1 => Auto Timer : Start automatically at the end of the transmission in
all communication mode at all speeds.
= 0 => Indicates the the timers is not influenced by the protocol.

TPrescalesReg: define setting for internal timer

P a g e 11 | 19
 12
RFID Guide by CuteBoiz

TReloadReg: define the 16-bit timer reload value

TXASKReg: control setting of the transmission modulation

[6]: = 1 => Force a 100% ASK modulation independent of the ModGsPReg

register setting.

ModeReg: Defines general mode setting for transmitting and receiving.

[5]: = 1 => Transmitter can only be started if an RF field is generated

[3]: = 0 => MFIN Active Low
= 1 => MFIN Active High
[1:0]
Value Preset Value for CRC
00 0000h
01 6363h
10 A671h
11 FFFFh

TxControlReg: control the logical behavior of the antenna driver pins TX1/TX2

P a g e 12 | 19
 13
RFID Guide by CuteBoiz

7. Send Data
Description:
- Send data from FIFO Buffer to Tag.

Input:

- *Data : data send to Tag.

- Dlen : Number of data bytes sent to Tag.
- *Result: Response from Tag (ACK/NACK/ATQA/NUID/) .
- *Rlen: Number of data bits received.

Output:

- MFRC522’s Error code

Step:

- Initial:
o Enable TX/RX/Idle/LoArlett/Err/Timer Interrupts.
o Set signal on pin IRQ is inverted to Status1Reg[4].
o Clear all interrupt requests.
o Clear FIFO pointer.
o Set MFRC to Idle.
- Write data into FIFO Buffer
- Set MFRC to Transceive mode.
- Send data.
- Wait until Timeout or There’s interrupt request from Rx/Idle/Err
- Stop send data
- Check Timeout.
- Check Errors (BufferOvfl / CollErr/ CRCErr/ ProtocolErr)
- Check there’s a Tag by check interrupt request from(TxIrq/LoAlert/ Err).
- Get bits number of receive data.
- Get result data from FIFO Buffer
- Return.
P a g e 13 | 19
 14
RFID Guide by CuteBoiz

Information:
ComIEnReg: Interrupt Request Enable bits

[7]: = 1 => Signal on pin IRQ is inverted to the Status1Reg register’s IRQ bit
= 0 => Equal.
[6:0]: = 1 => Allows the …. Interrupt Request to be propagated to pin IRQ.

ComIrqReg: Interrupt Request Status bits

[7]: = 1 => Indicates that all bits in this register are set.
= 0 => Indicates that all bits in this register are cleared.
[6]: = 1 when last bit of the transmitted was sent out.
[5]: = 1 when receiver has detected the end of a valid data stream
[4]: = 1 when a command terminates.
If an unknown command is started, the CommandReg value changes to
idle state and this bit is set.
The MCU starting the Idle command does not set this bit.
[2]: = 1 when FIFOLength > WaterLevel
[1]: = 1 when any error bit in the ErrorReg is set.
[0]: = 1 when the timer overflow from 65535 back to 0

P a g e 14 | 19
 15
RFID Guide by CuteBoiz

FIFOLevelReg: Number of bytes stored in the FIFO Buffer

[7]: = 1 => Immediately clear the internal FIFO buffer’s read and write pointer
and BufferOvfl bit.
[6:0]: Indicates the number if bytes stored in the FIFO buffer
Writing to FIFODataReg register increments and Reading decrement this
value.

BitFramingReg: Adjustment for-oriented frames

[7]: = 1 => Starts the transmission of data. Only valid in Transceive Command.
[2:0]: Number of bits of last byte will be transmitted. 000b indicates that all bits
of the last byte will be transmitted.

ErrorReg: Error bits showing the errir status of the last command executed.

[4]: = 1 when MFRC write data to FIFO Buffer eventhough it is already full
[3]: = 1 when a bit-collision is detected.
Cleared automatically at reicever start-up phase.
Only valid during the bitwise anticollision at 106kBd.
[2]: = 1 when CRC calculation is failed.
Automatically cleared during receiver start-up phase.
[0]: = 1 when SOF is incorrect

P a g e 15 | 19
 16
RFID Guide by CuteBoiz

ControlReg: Miscellaneous control register.

[2:0]: Indicates the number of valid bits in last received byte. If this value is 0,
whole byte is valid.

8. Wake Up
Input:
- An byte array to store ATQA response
Output:
- Status
Step:
- Set number of bits of the last byte will be transmitted to 7
- Send WUPA command to Tag

- Check status and number of bits received.

- Return

P a g e 16 | 19
 17
RFID Guide by CuteBoiz

9. Anti Collision
Input:
- A bytes array to store received 4 bytes NUID.
Output:
- Status
Step:
- Set number of bits of last byte will be transmitted to 8.
- Send AntiCollision Command

- Check bits received and status

- Check BCC1 byte
- Return

10. CRC Calculate

Input:
- *Data: Data to be calculated.
- *result: 2 bytes CRC
Output:
- None
Step:
- Clear interrupt request from CRC calculate
- Clear FIFO pointer
- Write data need to calculate to FIFO Buffer
- Change MFRC522 to CalcCRC state.
- Wait until have interrupt request from CRC calculate.
- result[0] = CRCResultRegL, result[1] = CRCResultRegM

P a g e 17 | 19
 18
RFID Guide by CuteBoiz

Information:
DivIrqReg: Interrupt request bits

[2]: = 1 when Calc command is active and all data is processed.

= 0 => Clear this bit

11. HALT
Description:
- The Halt command is used to set the MF0ICU1 Ics into a different wait state
(halt instead of idle).
Input: None
Output: None
Step:
- Send HALT command to Tag

- Clean Tempeture Error

- Stop encyption.
Infromation:
Status2Reg: Cointain status bits of receiver, transmitter and data mode detector.

[7]: = 1 => Clean Temperture error if the temp is below the alarm limit of 125oC.
[3]: Indicate that the MIFARE crypto1 unit is swithed in and therefore all data
communication with the card is encrypted.
Can only be set to 1 by a succsessful execution of the MFAuthent command.
P a g e 18 | 19
 19
RFID Guide by CuteBoiz

IV. SOURCE

- MFRC522 datasheet
- MifareUltra/OneS50 datasheet
- https://labitat.dk/wiki/RFID_RC522-AN
- http://calc.gmss.ru/Mifare1k/

P a g e 19 | 19