EM MICROELECTRONIC - MARIN SA

AppNote 407
Application Note 407
Title:
EM4170 Application Note
Product Family: RFID

Part Number: EM4170

Keywords: 125KHz Crypto Read/Write. Contactless Identification Device
Date: 25 September 2002

TABLE OF CONTENT

1 Introduction....................................................................................................................................................................... 2
2 General Operation ............................................................................................................................................................ 2
3 Internal structure............................................................................................................................................................... 4
3.1 Memory organization ................................................................................................................................................. 5
4 Authentication Procedure ................................................................................................................................................. 6
4.1 Timing........................................................................................................................................................................ 7
5 Communication details ..................................................................................................................................................... 8
5.1 Status information...................................................................................................................................................... 8
5.2 Standby Mode ........................................................................................................................................................... 9
5.3 Receive Mode............................................................................................................................................................ 9
5.4 Command Set............................................................................................................................................................ 9
6 Software implementation .................................................................................................................................................. 9
6.1 Reading Listen Windows ........................................................................................................................................... 9
6.2 Synchronization to send the first “0” ........................................................................................................................ 11
6.3 Sending data to the transponder ............................................................................................................................. 11
6.4 Synchronizing to the header.................................................................................................................................... 13
6.5 Reading data from the transponder ......................................................................................................................... 13
7 Programming the E²PROM............................................................................................................................................. 14
8 Appendix......................................................................................................................................................................... 15

Copyright  2001, EM Microelectronic-Marin SA 1 www.emmicroelectronic.com


1 Introduction
The EM4170 is a chip to be used in a high security
identification system. Connected to a single coil and
packed into housing (glass tube, plastic brick or other) it
represents a complete transponder which can be read,
written or authenticated by a base station via magnetic
coupling. Due to the high integration level and the low
power consumption the coil is the only external
component which is necessary.
The EM4170 is designed to work with a carrier frequency
of 115kHz to 135kHz. Due to the bit period of 32 carrier
frequency cycles the data rate is about 3.9k Baud,
allowing a full authentication at 125kHz within 38ms.
The chip contains a 96 bit secret key for authentication, a
32 bit identification and 94 bit of user memory plus two
lock bits. A 32 bit password is incorporated to change
security sensitive settings.
Due to the large temperature range and the on chip crypto
algorithm the typical application for the EM4170 is the
automotive immobilizer or other high security applications
like access control.
A bief summary of the chip is given below:
• On chip crypt algorithm
• Two way authentication, no scanning possible
• 96 bit of secret-key without direct read access in
E²PROM
• 32 bit of manufacturer programmed identification
• 30 bit + 64 bit of user memory
• 2 lock bit to inhibit programming
• 32 bit pass word to unlock the lock bits
• Data transmission performed by amplitude modulation
• -40°C to +85°C temperature range
• Typical 125kHz carrier frequency
• On chip capacitor : 200pF (Adapted external coil of
8.1mH @ 125KHz)
Copyright  2001, EM Microelectronic-Marin SA
AppNote 407
2 General Operation
The transponder is interfaced with the base station via the
magnetic coupling of two coils. Both coils are acting as a
transformer with a very large air gap. The air gap is in
typical applications that large that the coupling factor of
both coils is below 5%.
The base station applies a 125kHz square wave signal to
its antenna coil which is connected with a capacitor to a
series resonance circuit to increase the coil current and
filter the harmonics of the square wave signal. The quality
factor of this series resonance circuit is usually in the
range of 10 to 15, limited by the tolerance of the electronic
components and the data rate of the transponder.
This base station coil current induces an alternating
voltage in the transponder coil. To increase this voltage
the transponder coil is connected to an on-chip capacitor
which forms a parallel resonant circuit. The coil voltage is
rectified on the chip and supplies the circuit.
The writing from transponder to base station (reading the
transponder) is done by modulating the quality factor of
the transponder parallel resonant circuit. Due to the
magnetic coupling of both coils this quality factor change
can be seen as voltage variation at the base station
antenna coil.
The writing from the base station to the transponder is
done by disrupting the carrier signal for a short period of
time so that the transponder can “survive” due to its
supply voltage capacitor. The disruption must be
synchronized with the transponder clock. To achieve this
the transponder is modulating the carrier signal with a so
called listen window.
2 www.emmicroelectronic.com
 AppNote 407

5V

3
6
DVDD
VDD
to µC
Coil1 2 12
ANT1 OUT
11
IN from µC
EM4170
V4170 4
CLK
10
from µC
ANT2
Coil2
Reader EC
16

7
DEMOD_IN IC 9
CDEC_IN

CAGND
8
CDEC_OUT

DVSS

CDC
VSS

CF
GND

13

15
14
5
1
GND GND GND GND

Downlink from Txp Uplink to Txp

Signal at the Transponder coil

Signal at the Transceiv er coil

Figure 1: General system principle

Copyright  2001, EM Microelectronic-Marin SA 3 www.emmicroelectronic.com


3 Internal structure
The EM4170 incorporates a full transponder circuit
except the coil on a single chip. The two coil terminals
are internally connected with a capacitor to achieve a
parallel resonant circuit. The alternating voltage over this
circuit is rectified by a full wave diode bridge and supplies
the rest of the circuit. Another on chip capacitor is used to
buffer this supply voltage during the modulation of the
carrier frequency.
Two other blocks are using the coil interface as input:
The clock extractor is generating the clock for all chip
logic derived from the 125kHz carrier signal. There is no
internal oscillator on the chip, all timings are derived from
the alternating voltage at the coil. This makes a larger
tolerance for the carrier frequency possible which is
usually the case for PLL based reader circuits. As there is
no clock during the modulation of the carrier the “off” time
of the carrier has to be measured by a monoflop.
AppNote 407
The second block is the data extractor where the
modulation of the carrier is compared and digitized. This
data extractor is feeding the command decoder (during
the first bits of the message) as well as the E²PROM and
the Crypto-Algorithm depending on the sent command.
A block which is using the coil interface as output is the
modulator which modulates the quality factor of the
resonant circuit by clipping the coil voltage. This
modulator is fed by the encoder which translates the
serial NRZ data from the crypto-algorithm or the E²PROM
into Manchester coded data.
The power control block supervises the supply voltage
and generates a power on reset for a rising slope of the
supply voltage.
The control logic finally is the central state machine for all
logic operations of the transponder chip.

Modulator Encoder Serial Data

external Antenna
VDD

Resonance AC/DC Storage Power

Capacitor Converter Capacitor Control

VSS
Reset

Clock Sequencer
Extractor

Control E²PROM Crypto-

Logic Algorithm

Data Command
Extractor Decoder

Figure 2: Bloc schematic

Copyright  2001, EM Microelectronic-Marin SA 4 www.emmicroelectronic.com


3.1 Memory organization
The memory of the EM4170 is organized in 16 bit words.
Starting with word 15 the first four words are reserved for
the 64 bit user memory 2. It can be read anytime and
written dependent on the lock bits.
The next two words are reserved for the 32 bit password.
It is used to reset the lock bits in case the memory was
locked and shall be rewritten. The password can be
written if it is unlocked.
The crypt key consists of 6 words which is 96 bit. This
memory can be written several times, if not locked, but
can never be read. It is used as input for the
cryptographic algorithm.
AppNote 407
The following two words are filled with the 32 bit
identification. This memory is programmed during the
production of the chip with a unique number. It can not be
rewritten and is read-only.
The last two word are filled with the 30 bit user memory 1
and two lock bit. The user memory 1 can be treated like
the user memory 2. The lock bits control the protection of
this memory as well .
To delock the all memory send the password command.
For more information, see EM4170 datasheet.
All in all the EM4170 contains 256 bit of memory. 94 bit of
it can be used to store any data.

Word 15 User2 63 User2 48

User2 47 User2 32
Read and Write
User2 31 User2 16
User2 15 User2 00
Password 31 Password 16
Password 15 Password 00

Crypt Key 95 Crypt Key 80

Crypt Key 79 Crypt Key 64 Write only
while LB0, LB1
Crypt Key 63 Crypt Key 48 are not set

Crypt Key 47 Crypt Key 32

Crypt Key 31 Crypt Key 16

Crypt Key 15 Crypt Key 00
Identification 31 Identification 16 Read only
programed during
Identification 15 Identification 00 production of Txp
Lock Bit 1, Lock Bit 0, User1 29 User1 16
Read and Write
Word 0 User1 15 User1 00

Figure 3 : Memory organization

Copyright  2001, EM Microelectronic-Marin SA 5 www.emmicroelectronic.com


4 Authentication Procedure
The release procedure is based on a principle called
mutual authentification. This means that both, the reader
and the transponder, have to authenticate against each
other.
Due to this double authentication it is not possible to scan
the transponder as there will be no answer from the
transponder unless the reader has proven its correctness
by a first authentication.
The communication starts with the base station which
sends a random number to the transponder. This random
number guarantees that every communication is unique
and that capturing a communication makes no sense.
AppNote 407
The next step is the transmission of the first result of the
crypto algorithm which has the random number and the
secret key as input.
Only if both numbers correlate the transponder answers
by sending a second result of the crypto algorithm which
has the first result and the secret key as input. Due to the
fact that the first result has the random number as input
also the second result is dependent from the random
number.
This last result can be compared by the base station with
the calculated result of the crypto algorithm and perform
the necessary actions.
The word length of random number and the results is
adapted to their susceptibility of being reverse calculated
or tested out.

Base station Transponder

Rnd
Crypt Key Random Crypt Key
56 Bit

f f

f(Rnd,K)
f(Rnd,K) f(Rnd,K)
28 Bit

=?
g
no action

g
g(Rnd,f,K)
no action

g(Rnd,f,K)
=? g(Rnd,f,K)
20 Bit

o.k.

Figure 4: Release procedure

Copyright  2001, EM Microelectronic-Marin SA 6 www.emmicroelectronic.com


4.1 Timing
The procedure to authenticate a transponder starts with
enabling the reader circuit. In this example it takes about
30ms before the demodulation chain has reached a
stable operation point. This depends on the used
hardware. During this time the random number and the
crypt algorithm can be calculated. Although about 20ms
are needed on a low end µController this time can be
hidden behind the analog start up time.
After the start up time has elapsed the first command
sent to the transponder is the “read ID” command. The
identification could be necessary if the crypt key is
AppNote 407
different from transponder to transponder and more than
one transponder is in the key table.
With the next command “authenticate” the authentication
is prepared. Following the command, the random number
and the result of the first crypt algorithm output is
transferred to the transponder. The second output of the
crypt algorithm is finally sent back from the transponder.
Excluding the analog start up which depends on the
actual hardware the full authentication of a single
transponder without communication errors and therefore
several attempts can be carried out within 38ms. Reading
the identification is optional and depends on the crypt key
strategy.

Action 0ms 10ms 20ms 30ms 40ms 50ms 60ms 70ms 80ms

Analog start up 31ms

Calculate f(rnd), g(rnd) ~20ms

Command: Read ID 6 Bit 5.4ms (3 LIWs)

Read ID 48 Bit 12.3ms

Compare ID ~2ms
Command: Authentication 6 Bit 5.4ms (3 LIWs)

Send rnd, f(rnd) 91 Bit 23.3ms

Receive g(rnd) 36 Bit 9.2ms

Compare g(rnd) ~2ms

Power on 31ms 50.7ms 90.6ms

Figure 5: Authetification timing

Copyright  2001, EM Microelectronic-Marin SA 7 www.emmicroelectronic.com

 AppNote 407
5 Communication details • LIW: Listen Window - Standby Mode / Ready to
receive a new command
The transponder can process several commands to
access the internal memory and all functions. The • ACK:Acknowledge - Operation completed
communication structure for every available transponder successfully
command is identical. It starts with a status feedback sent • NAK: Not Acknowledge - Any error occurred
by the transponder.
All data bits sent from the transponder to the reader are
5.1 Status information preceded by a header instead of an ACK consisting of 12
bit “1” plus 4 bit “0” in Manchester code.
The status information consists of patterns, which are
sent by the transponder to show its internal status or the
result of an operation. These patterns are designed to be
different from any data bit sequence and can therefore
not be confused with data sent by the transponder.

LIW ACK NAK

16 16 64 32 32 16 16 48 16 48 16 16 16 48 16 32 16 16

All numbers represent number of periods of RF field

Figure 6: Status information patterns

Copyright  2001, EM Microelectronic-Marin SA 8 www.emmicroelectronic.com

 AppNote 407
5.2 Standby Mode
In Standby Mode the EM4170 continuously sends Listen START
Windows to be able to receive commands from the base
station.
The transponder switches to Standby Mode when it
enters a carrier field (forced by the Power On Reset) or Read and
when any command operation is finished. Synchronize to
LIW
5.3 Receive Mode
In Receive Mode the base station sends at least a 4 bit
command to the transponder. Send
To switch from Standby Mode to Receive Mode the base RM pattern
station sends two bit “0” (RM pattern) to the transponder. + command
The beginning of the first bit “0” must be placed within the ( + data )
32 clocks of the modulated phase in a Listen Window.
The transponder stops sending Listen Windows. The
second bit ”0” turns to Receive Mode.
Synchronize
The base station continues by sending the 4 bit
command and data bits (depending on the command). to Header

5.4 Command Set

Read DATA

Command Pattern
Read ID 0011
Read UM 1 0101 STOP
Authentication 0110
Write Word 1010
Figure 7: Software structure
Send PIN 1001
For reading transponder signals the used µController
Read UM 2 1111 should be able at least to measure pulse widths or pulse
periods and to switch to the inverted measuring edge
The leftmost bit is the first received bit and the rightmost (falling / falling ↔ rising / rising) while reading. It is
one is the parity bit. recommended to use an Input Capture Timer with a
minimum resolution of 5 µs (better 0,5 - 2 µs) to
Reading a valid command (plus data bits respectively), determine the pulse lengths. The timer shall be able to
the transponder sends back data or starts an internal measure up to 848µs (96 + 10 periods) for a 125kHz
write process depending on the command. fixed frequency system as described below.
An invalid command changes back to Standby Mode. Please note that the reading software algorithms (LIW,
Data) must be able to handle non-inverted and inverted
signals from the reader demodulator output.
For sending bits to the transponder the µController
6 Software implementation should generate a fixed time cycle synchronized to the
EM4170 uplink data rate. A timer in Compare / Timer
Corresponding to the different modes explained above Mode is recommended.
the following structure for the software implementation
can be used.
6.1 Reading Listen Windows
The first step is to synchronize transponder and reader
by reading the Listen Window pattern.

Copyright  2001, EM Microelectronic-Marin SA 9 www.emmicroelectronic.com

 AppNote 407
There are several methods to find a LIW on the data line If the software cannot find the pulses of 80 RF periods,
of a receiver and to synchronize to it for sending the first toggle the measuring edge as well and read again
“0”. One solution which has shown good results in many because the data line might be inverted.
applications is the following procedure: To increase security the algorithm can be repeated
The algorithm reads the following pulse periods: before sending the first “0”.
In case of times (2) and (3) being too short for the
selected µController the software can wait another one or
1. 80 ± 10 (16 + 64) more Listen Windows in between.
The explained algorithm is designed to measure pulse
2. 80 ± 10 (32 + 32 + 16)
periods from falling to falling and rising to rising edge,
3. Toggle measuring edge because in general pulse periods are more stable
compared to pulse width due to demodulation effects.
4. 96 ± 10 (64 + 32)
Algorithms measuring pulse width will work as well and
5. 64 ± 10 (32 + 16 + 16) may use less LIWs for synchronization.
(values in RF periods)

LIW n LIW n+1 LIW n+2

Transponder
coil

32

(1) Reader delay (3) Switch from READ to WRITE (4) Time to start first “0“

16 16 64 32 32 16 16 64 32 32 16 16 64 32 32

Data line
non-inverted

80 80 96 64

(2) Toggle measuring edge (5) Do not start first „0“ here

All numbers represent number of periods of RF field

Figure 8: Listen Window Algorithm

Copyright  2001, EM Microelectronic-Marin SA 10 www.emmicroelectronic.com


6.2 Synchronization to send the first “0”
Concerning (3) and (4) please note that the demodulator
normally delays signals (1) on the data line compared to
the transmission on the transponder coil. Delay times
differ according to the reader IC and the surrounding
circuit.
This delay must be taken into account since the
modulation for the first “0” must start within the 32 periods
of modulated phase of the LIW related to the signal at the
transponder coil (4) not to the data line (5).
The delay can be calculated by trying the minimum and
maximum working values.
During the software development phase it can be helpful
to start the first “0” in the middle (after 16 periods) of the
required 32 periods modulated phase in the LIW to
startup with a tolerant timing.
For the final application the data line delay and starting of
first “0” should be checked for all system conditions like
temperature, tolerances and occurrence of interrupts etc.
to make sure that the modulation for the first “0” starts
always within the required range.
After reading the last LIW pulse period of 64 RF clocks
the software switches from Read to Write and can start a
Timer for an interval that places the first “0” appropriately.
Then the timer interval might be set to half of a bit period
(16 RF clocks) to send bits to the transponder.
The second step consists of sending RM pattern,
command and data (if required) to the transponder.
6.3 Sending data to the transponder
The first bit “0” started in the LIW is the first bit of a data
stream sent to the transponder depending on the
operated command. The data bits are sent as shown in
figure 9 below.
One bit period corresponds to 32 RF periods.
During the first half of a bit period the transponder
modulates the RF field and the base station sends the bit
value “0” (Modulation ON = RF field OFF) or “1”
(Modulation OFF = RF field ON).
When writing a bit “0” it is recommended not to modulate
RF periods 1 – 4 of this bit period and then turn ON
modulation for RF periods 5 – 16 with a minimum
duration of 80µs.
In general all transponder timings are related to the RF
field considering that the transponder generates its
internal clock from the RF field period. Turning
modulation ON stops the RF field and the internal clock
so the absolute value of 80µs for the minimum
modulation time is derived by an transponder internal
monoflop.
Turning OFF the modulation for the second half of the bit
period the transponder starts counting clocks and
therefore resynchronizes to the base station.
Copyright  2001, EM Microelectronic-Marin SA
AppNote 407
Bit streams without “0” can desynchronize transponder
and base station because of different time bases in the
µController and the transponder. The longest bit stream
without forced “0”s is the 56 bit random number. The
maximum possible desynchronization which occurs at the
end of this number should be calculated to achieve
reliable operation for all random numbers.
Because desynchronization errors are dependant from
the transmitted numbers they are causing an unstable
behavior and are hard to find. They should be eliminated
upfront.
There are different possibilities to stay synchronized
anyway:
• The random number is modified to avoid a certain
number of following “1”s. This makes the number not
truly random and cuts down the number length
effectively.
• The reader carrier frequency is derived from the
µController clock or vice versa. This may save a
resonator or crystal but causes a high frequency
signal to be routed over the printed circuit board.
Some semiconductor manufactures do not allow to
fetch signals from the oscillator circuit.
• The carrier frequency is captured by a timer and
multiples of this value are used to determine the
correct modulation moment. The resolution of this
timer needs to be high enough because errors are
accumulating. This mode is recommended for PLL
systems.
• The timer is using the carrier frequency as clock and
the timing is therefore derived from the carrier clock.
The transponder is doing the same and therefore the
synchronization is maintained. This mode can also be
recommended for PLL systems. The requirements for
the timer are relieved in comparison to the mode
above.
The second half of the bit period is used by the
transponder to recharge its internal supply therefore the
carrier field has be switched on.
One practicable software algorithm for sending bits to the
transponder is to set a Timer to the regular interval of half
a bit period:
1. Half : Next bit “0” = Modulation ON
“1” = Modulation OFF
2. Half : Always Modulation OFF
When sending a “0” the recommended 4 periods without
modulation can be generated by program run time, for
example the first instructions in an interrupt service
routine.
11 www.emmicroelectronic.com
 AppNote 407
Bit Period

DATA „1“ „0“ „0“ „1“ „0“

Transceiver
coil

Periods RF 16 16 16 16

Modulation induced by Transponder

Recommended : 4 periods Modulation induced by Transceiver

Minimum : 1 period Minimum : 80 µs

Figure 9: Sending Data

Copyright  2001, EM Microelectronic-Marin SA 12 www.emmicroelectronic.com

 AppNote 407
6.4 Synchronizing to the header
After reception of a valid command bit sequence the
transponder sends back a 16 bit header consisting of 12
x “1” + 4 x “0” and the requested data bits in Manchester
code.

Header Data

12 x „1“ 4 x „0“ „0“ „0“ „1“ „1“ „0“ „1“ „0“

1. 2. 3. 12. 1. 2. 3. 4.
16

Data line
non-inverted

16

1 1 1,5 2 Bit periods

„0“ „11“ „01“ Software

Pulse to synchronize Switch from Header
algorithm
for data Read to Data Read Toggle edge to start in bit mid

Figure 10: Header synchronization and reading data

After sending the last bit to the transponder the software 6.5 Reading data from the transponder
should switch the reader from Write to Read Mode if Data can be decoded by reading pulse periods always
necessary. During the first header bits when the reader is beginning in the middle of a bit period. One practicable
settling and the data line is unstable the software should algorithm for the non-inverted data line is described here:
not start the read timer. It is useful to run the Write Timer
some further cycles with RF field ON until data are
stable. Then the Read algorithm can be started. Measured Length Decoded Decoded Further
Changing from “1” to “0” in the header results in a pulse pulse limits bits with bits with Action
of one bit period which can be used for the software to length falling rising
synchronize for the data bits. edge edge

The 4 bits “0” of the header can be ignored by the 1 3/4 < 5/4 “0” “1” continue
software or can be read into the data buffer by the Data 1.5 5/4 < 7/4 “11” “00” toggle edge
Read algorithm. type
The signals ACK and NAK are sometimes difficult to 2 7/4 < 9/4 “10” “01” continue
read. In this case software can verify the operation by
read commands.
Starting point is the falling edge of the last header “0”
(values in bit periods)
Pulse tolerances can be set to a bit period divided by 4.
Between the highest and lowest allowed pulse length no
pulses should be excluded.
If the expected number of bits are read the algorithm is
stopped.
For inverted data line the same algorithm can be used,
only the reading edges must be inverted.
Algorithms reading pulse width will work as well but may
have an increased interrupt load and a higher
susceptibility for jittering signals.

Copyright  2001, EM Microelectronic-Marin SA 13 www.emmicroelectronic.com


7 Programming the E²PROM
Writing data into the transponders E²PROM works similar
to the read or authentication commands described
above. Anyway two things should be considered.
The current consumption of the transponder chip during
the writing process is increased as well as the required
minimum supply voltage. This means that the maximum
working distance between base station antenna and
transponder is reduced in comparison to the
authentication or read mode.
For that reason there is a reading distance range in
which reading and authentication of the transponder
works fine but writing into the transponders memory is
not possible or unreliable. If data retention is important
the writing distance should be determined by the
AppNote 407
minimum carrier field strength stated in the transponder
specification.
The second thing to have in mind is that the transponder
must be supplied with energy during the writing process.
As shown below the carrier field has to be switched on
during the whole writing procedure.
The times below are calculated for a carrier frequency of
125kHz.
Due to the fact that single ACK commands are difficult to
identify it is useful to verify the new memory content by a
read operation. If the crypt key has been changed an
authentication can verify the new key as it can not be
read.

Action -10ms 0ms 10ms 20ms 30ms 40ms 50ms 60ms 70ms

Command: Write Word 6 Bit 5.4ms (3 LIWs)

Adress 5 Bit 1.3ms

Data 25 Bit 6.4ms
Erase Memory 1ms
Acknowledge 1.3ms
Write Memory 24.6ms

Acknowledge 1.3ms

Start 41.3ms

Figure 11: Write Timing

Copyright  2001, EM Microelectronic-Marin SA 14 www.emmicroelectronic.com

 AppNote 407
8 Appendix

For further information see also:

Datasheet
EM4095 Read/Write analog front end for 125kHz RFID
Basestation
EM Microelectronic-Marin SA, Marin, 2000

EM4095 Application Note AN404

EM Microelectronic-Marin SA, Marin, 2000

Datasheet
EM4170 Crypto Contactless Identification Device
EM Microelectronic-Marin SA, Marin, 2001

EM Microelectronic-Marin SA cannot assume responsibility for use of any circuitry described other than circuitry
entirely embodied in an EM Microelectronic-Marin SA product. EM Microelectronic-Marin SA reserves the right to
change the circuitry and specifications without notice at any time. You are strongly urged to ensure that the
information given has not been superseded by a more up-to-date version.

© EM Microelectronic-Marin SA, 09/02, Rev. B, Preliminary

Copyright  2001, EM Microelectronic-Marin SA 15 www.emmicroelectronic.com