
ST25R3916: How to set it into 14443-A emulation mode and send/receive APDU?

Stasevich
Associate II

Hi everyone!

After successfully launching the ST25R3911 (in 14443-A smart card reader mode) without RFAL, using only analysis of the dialog on the ST25R3911B-DISCO, there was a need to implement a 14443-A emulator based on the ST25R3916.

With the DISCO everything is easy: logic analyzer, datasheet, and a week to learn and reproduce control commands for ST. The result is a sequence of instructions and register values to implement read mode, sleep mode and so on.

With the ST25R3916 it's difficult; let's say I'm not friends with RFAL in the context of integration into my project, and I don't have access to something like the DISCO for the 3916.

The Q is: in which document can I find a sequence of commands using RFAL, or register values / direct commands and an algorithm, for implementing the emulation mode?

1 ACCEPTED SOLUTION


Hi,

Your attempted read of FIFO status register actually ends up as a write! The MOSI byte for reading FIFO status register needs to be 5Eh. By using 1Eh you are performing a write (to a read-only register).

BR, Ulysses
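
The header-byte rule from the accepted solution, as an added example that is not part of the original posts or of ST's RFAL. It classifies the first MOSI byte of each SPI transaction and flags a write header aimed at the read-only FIFO status register; all function and variable names are hypothetical, the sample bytes are constructed, and the handling of the `10` prefix is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The two MSBs of the first MOSI byte select the SPI mode:
 * 00 = register write, 01 = register read, 11 = direct command
 * (C1h, FCh, D6h ... from the thread). 10 is lumped into SPI_OTHER
 * (FIFO/memory access modes: an assumption, not shown on the page). */
typedef enum { SPI_REG_WRITE = 0, SPI_REG_READ = 1, SPI_OTHER = 2, SPI_DIRECT_CMD = 3 } spi_mode_t;

#define REG_FIFO_STATUS1 0x1Eu /* read-only, per the accepted solution */

spi_mode_t spi_classify(uint8_t mosi) { return (spi_mode_t)(mosi >> 6); }
uint8_t spi_read_header(uint8_t reg)  { return (uint8_t)(0x40u | (reg & 0x3Fu)); }
uint8_t spi_write_header(uint8_t reg) { return (uint8_t)(reg & 0x3Fu); }

/* Registers that must never be the target of a write header. Only 1Eh
 * comes from the thread; extend this list from the datasheet. */
static const uint8_t read_only_regs[] = { REG_FIFO_STATUS1 };

static int is_read_only(uint8_t reg) {
    for (size_t i = 0; i < sizeof read_only_regs; i++)
        if (read_only_regs[i] == reg) return 1;
    return 0;
}

/* Check the first MOSI byte of each transaction. Returns how many are
 * writes aimed at a read-only register; *first_bad gets the index of the
 * first offender, or -1 if there is none. */
size_t lint_headers(const uint8_t *hdr, size_t n, int *first_bad) {
    size_t bad = 0;
    *first_bad = -1;
    for (size_t i = 0; i < n; i++) {
        if (spi_classify(hdr[i]) != SPI_REG_WRITE) continue;
        if (!is_read_only(hdr[i] & 0x3Fu)) continue;
        if (bad++ == 0) *first_bad = (int)i;
    }
    return bad;
}

/* Constructed sample: reset command, a register write, an IRQ register
 * read, the mistaken 1Eh "read", then the corrected 5Eh read. */
const uint8_t sample_headers[] = { 0xC1, 0x01, 0x5A, 0x1E, 0x5E };

int main(void) {
    int first;
    size_t bad = lint_headers(sample_headers, sizeof sample_headers, &first);
    printf("%zu bad header(s), first at index %d; use %02Xh to read 1Eh\n",
           bad, first, spi_read_header(REG_FIFO_STATUS1));
    return 0;
}
```

Running the same check over the header bytes exported from a logic-analyzer capture catches this class of mistake before the FIFO contents are questioned.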


10 REPLIES 10
Ulysses HERNIOSUS
ST Employee

Hi Stasevich,

the ST25 embedded lib (STSW-ST25R016 for 3916) contains a project bluetooth_pairing demo which emulates an NFC tag with NDEF content to be read and paired by a smartphone.

I think this should be a good start for you.

BR, Ulysses

Stasevich
Associate II

Sorry for the impudence. Can I ask someone to capture the process of initialization and APDU send/receive with a logic analyzer, pls?

Hi Stasevich,

are you referring now to APDU exchange with 3916 being PCD or PICC?

I don't have a board at hand now to do such traces. But could do some beginning of next week.

Could you share a bit about your non-friendship with RFAL? We are trying to have it usable from basically any real-time platform.

Best Regards, Ulysses

Stasevich
Associate II

PCD or PICC? I would be interested in both modes, with your permission.

Could you share a bit about your non-friendship with RFAL .....?  

In particular, I study and work with the exchange protocol at the level like:

for example data exchange for antenna calibration....

A.

Write in H21 val. H00

Write in H15 val. H3F

Dir.com. HD8

B.

Waiting for HL on IRQ and read interrupt registers

C.

Write in H15 val. HFF

Read H23 *Offset for inductive (ampl) sensor

This is actually what I get from SPI data analysis.

Why am I doing this? Because I use a platform that is very exotic for our days. I am sure that when I am able to appreciate all the advantages of RFAL, I'll be just as enthusiastic about it as I am about the outstanding functionality of the chip.

Hi Stasevich,

please find attached some traces (using ST25Embedded NFC lib) which showcase 3916 reading a T4T and 3916 being read as emulated card (T4T).

Traces were done using Digiview (software available here: https://www.tech-tools.com/logic-analyzer-downloads.htm v9.3.0).

BR, Ulysses

Thank you. Here is what I managed to make from the files you provided...

From reset (C1) until the 3916 is recognized by external devices as a card, there are five stages separated by IRQ.

Stage_1:

Start

  Dir_cmd (&HC1)

  Reg_Wrie (&H01,&H1C)

  Dir_cmd (&HFC)

  Reg_Wrie (&H04,&H10)

  Reg_Wrie (&H02,&H80)

Stage_2:

Wait for IRQ ... Read 1A,80_00_00_00

  Reg_Wrie (&H16,&H80)

  Dir_cmd (&HDF)

Stage_3:

Wait for IRQ ... Read 1A,00_80_00_00

  Reg_Wrie (&H16,&HFF)

  Reg_Wrie (&H17,&HFF)

  Reg_Wrie (&H18,&HFF)

  Reg_Wrie (&H19,&HFF)

  Reg_Wrie (&H00,&H07)

  Reg_Wrie (&H01,&H3C)

  Reg_Wrie (&H2A,&H11)

  Reg_Wrie (&H2B,&H00)

  Reg_Wrie (&H08,&H50)

  Reg_Wrie (&H29,&H5F)

  Dir_cmd (&HFB)

  Reg_Wrie (&H05,&H40)

  Reg_Wrie (&H26,&H82)

  Reg_Wrie (&H27,&H82)

  Reg_Wrie (&H02,&H83)

  Reg_Wrie (&H2C,&H00)

  Reg_Wrie (&H17,&H7F)

  Dir_cmd (&HD6)

Stage_4:

Wait for IRQ ... Read 1A,00_90_00_00

  Reg_Wrie (&H17,&HFF)

  Reg_Wrie (&H08,&H5F)

  Reg_Wrie (&H03,&H08) ' Mode definition register

  FIFO = "5F53544D0000000000000200202020"

  WR_mem_l_A

  FIFO = "ABCD0102FE11223344ABFF00000000007F7F000000"

  WR_mem_l_F

  FIFO_str = "123456789ABCDF21436587A9"

  WR_mem_l_TSN

  Reg_Wrie (&H08,&H5A) ' NFCIP-1 passive target definition register

  Reg_Wrie (&H12,&H08) ' Timer and EMV® control register

  Reg_Wrie (&H0F,&H02) ' Mask receive timer register

  Reg_Wrie (&H26,&H00) ' Antenna tuning control register 1

  Reg_Wrie (&H27,&HFF) ' Antenna tuning control register 2

  Reg_Wrie (&H0B,&H01) ' P2P receiver configuration register 1

  Reg_Wrie (&H0C,&H6D) ' Correlator configuration register 1

  Reg_Wrie (&H02,&HC3) ' Operation control register

  Dir_cmd (&HCD)

  Reg_Wrie (&H16,&H4F)

  Reg_Wrie (&H17,&HE6)

  Reg_Wrie (&H18,&H0F)

  Reg_Wrie (&H19,&HE4)

  Reg_Wrie (&H03,&HE8) ' Mode definition register

  Reg_Wrie (&H02,&H03) ' Operation control register

Stage_5:

  Wait for IRQ ... Read 1A,00_10_00_00

  Reg_Wrie (&H02,&HC3)

After this sequence the ST25R3911B-DISCO detects the 3916 as FeliCa.

It's clear here.

Next: an attempt to send any command from the 3911 as a reader to the 3916 in emulation mode. As a result, we get two IRQs: one for the beginning and one for the end of transmission. It is logical that after that I can try to read the FIFO. BUT FIFO status register 1 is empty /1E (Number of bytes in the FIFO) = 0/

Q: WHY!?

Hi,

which command are you sending from 3911 side? Is it one that is automatically answered? Otherwise the command data should be available.

Otherwise please do a combined Logic analyzer trace - SPI+IRQ of both the 3911 and the 3916 - and share it with me.

I see here now that you are going the FeliCa/T3T road - was expecting NFC-A/T4T as that was what I shared.

Best Regards, Ulysses

Stasevich
Associate II


Capture data from both boards