
An 12705

This document describes how to use the MIFARE SAM AV3 secure element in an X interface configuration. It explains the X interface architecture where the host communicates directly with the SAM, which then handles all communication with contactless cards. It provides examples of initializing the X interface and executing commands to perform tasks related to contactless cards like MIFARE Classic and DESFire.

Uploaded by

ignacioinda39

AN12705

MIFARE SAM AV3 - X interface


Rev. 1.1 — 10 January 2020 Application note
521911 COMPANY PUBLIC

Document information
Keywords: MIFARE SAM AV3, TDEA, AES, RSA, MIFARE Plus, MIFARE DESFire EV1, X interface.
Abstract: This application note describes usages of MIFARE SAM AV3 in X interface.
NXP Semiconductors
AN12705
MIFARE SAM AV3 - X interface

Revision history

| Rev | Date | Description |
|---|---|---|
| 1.1 | 20200110 | AN number changed, security status changed into “Company Public”. |
| 1.0 | 20190115 | Initial version |

AN12705 All information provided in this document is subject to legal disclaimers. © NXP B.V. 2020. All rights reserved.

Application note Rev. 1.1 — 10 January 2020


COMPANY PUBLIC 521911 2 / 35

1 Introduction
MIFARE SAMs (Secure Application Module) have been designed to provide the secure
storage of cryptographic keys and cryptographic functions for the terminals to access the
MIFARE products securely and to enable secure communication between terminals and
host (backend).

1.1 Scope
This application note presents examples of using MIFARE SAM AV3 (referred to as SAM in this document, if not otherwise mentioned) in X-interface¹. In this document, the SAM is in AV3 mode. There is a set of application notes for MIFARE SAM AV3; each of them addresses specific features. The list of application notes is given in [4].
This application note is a supplementary document for application development using MIFARE SAM AV3. Should there be any confusion, please check the MIFARE SAM AV3 datasheet [1]. Best use of this application note will be achieved by reading this specification [1] in advance.
Note: This application note does not replace any of the relevant data sheets, application notes or design guides.

1.2 Abbreviation
Refer to Application note “MIFARE SAM AV3 – Quick Start up Guide” [4].

1.3 Examples presented in this document


The following symbols have been used to mention the operations in the examples:
= Preparation of data by SAM, PICC or host.
> Data sent by the host to SAM or PICC (if not mentioned, SAM).
< Data Response from SAM or PICC (if not mentioned, SAM).

Table 1. C-APDU:

| CLA | INS | P1 | P2 | Lc | Data (nc) | Le |
|---|---|---|---|---|---|---|

Table 2. R-APDU:

| Response data | SW1 | SW2 |
|---|---|---|

Please note that the numerical data are used solely as examples. They appear in the text in order to clarify the commands and command data.
Any data, values and cryptograms are expressed in hex string format if not otherwise mentioned, e.g. 0x563412 is represented in hex string format as “123456”: Byte [0] = 0x12, Byte [1] = 0x34, Byte [2] = 0x56.

¹ MIFARE SAM AV3 is directly connected to reader IC [4].



1.4 X interface
The host is managing the communication to SAM only, and SAM is managing all the
required communication to PICCs.

Figure 1. Architecture in X interface

RF controller can be RC52x, PN51x or RC66x. The X interface is explained in the following chapter.


2 X interface
MIFARE SAM AV3 has the FW for ISO/IEC 14443, MIFARE Classic, MIFARE DESFire (EV1, EV2 and light) and MIFARE Plus X, S, SE and EV1. The μC sends a command to the SAM for a specific task related to RF (PICC), and the SAM performs that task fully independently of the μC.

2.1 MIFARE SAM AV3, X interface

Figure 2. Reader with MIFARE SAM AV3


The I²C interface has to be implemented as described in [9]. The slave address of the MFRC52x/PN51x/RC66x is fixed in the SAM AV3.

Figure 3. Detail I²C interface


2.2 Initializing the X interface


The chip must be initialized before using the X interface by executing the “RC_Init” command. RC_Init establishes the I²C communication between the SAM and the MFRC52X. The RF field must be turned on (if not done using the saved register setting) before any RF communication. One example flow diagram is shown in the following figure.

Figure 4. X interface command-sequence for MIFARE product family


3 X interface functions
The functions supported in X interface are also known as X functionalities. All the X-functionalities commands are listed in the following table. Some of them are shown with examples in this application note. For detailed descriptions, refer to [2].

Table 3. All X functionalities commands

| Command | CLA | INS | P1 | P2 | Lc | Data | Le | Purpose |
|---|---|---|---|---|---|---|---|---|
| MFRC52X Control commands | | | | | | | | |
| RC_ReadRegister | 8X | EE | 00 | 00 | xx | xx..xx | 00 | Reads the RC52X register. |
| RC_WriteRegister | 8X | 1E | 00 | 00 | xx | xx..xx | - | Writes to the RC52X register. |
| RC_RFControl | 8X | CF | 00 | 00 | 02 | mSec | - | Turns on or off the RF field. |
| RC_Init | 8X | E5 | xx | 00 | - | - | - | Initializes the interface between SAM and RC52X. |
| RC_LoadRegisterValueSets | 8X | 2E | xx | xx | xx | xx..xx | - | Loads the register values for initializing the RC52X. |
| ISO/IEC 14443, type A card activation command | | | | | | | | |
| ISO14443-3_Request_WakeUp | 8X | 25 | 00 | 00 | 01 | 26 or 52 | 00 | Sends the REQA or WUPA command to the RF. |
| ISO14443-3_Anticollision_Select | 8X | 93 | 00 | 00 | xx | xx..xx | 00 | Sends anticollision and select commands for all cascade levels. |
| ISO14443-3_ActivateIdle | 8X | 26 | xx | xx | xx | xx..xx | 00 | Activates card(s) from Idle state. |
| ISO14443-3_ActivateWakeUp | 8X | 52 | 00 | 00 | xx | xx..xx | - | Activates card from Halt state. |
| ISO14443-3_HaltA | 8X | 50 | 00 | 00 | - | - | - | Halts the activated card. |
| ISO14443-3_TransparentExchange | 8X | 7E | xx | 00 | xx | xx..xx | 00 | Transceives any byte and bit to and from the PICC. |
| MIFARE commands | | | | | | | | |
| MF_Authenticate | 8X | 0C | 00 | 00 | xx | xx..xx | - | Authenticates MIFARE. |
| MF_Read | 8X | 30 | 00 | 00 | xx | xx..xx | 00 | Reads MIFARE block(s). |
| MF_Write | 8X | A0 | xx | 00 | xx | xx..xx | - | Writes to MIFARE block(s). |
| MF_ValueWrite | 8X | A2 | 00 | 00 | xx | xx..xx | - | Prepares block(s) to value block(s). |
| MF_Increment | 8X | C3 | 00 | 00 | xx | xx..xx | - | Increments the value block(s). |
| MF_Decrement | 8X | C0 | 00 | 00 | xx | xx..xx | - | Decrements the value block(s). |
| MF_Restore | 8X | C2 | 00 | 00 | xx | xx..xx | - | Copies value block(s) to other value block(s). |
| MF_AuthenticateRead | 8X | 3A | 00 | 00 | xx | xx..xx | 00 | Authenticates and reads MIFARE block(s). |
| MF_AuthenticateWrite | 8X | AA | 00 | 00 | xx | xx..xx | - | Authenticates and writes to MIFARE block(s). |
| MF_ChangeKey | 8X | A1 | xx | 00 | xx | xx..xx | - | Changes (updates) MIFARE keys in the sector trailer. |
| MIFARE Ultralight commands | | | | | | | | |
| UL_PwdAuthPICC | 8X | 2D | 00 | 00 | xx | xx xx | - | Performs the Password Authentication on the MIFARE Ultralight EV1 PICC. |
| ISO14443-4 Type commands | | | | | | | | |
| ISO14443-4_RATS_PPS | 8X | E0 | 00 | 00 | 03 | xx..xx | 00 | Performs the RATS and PPS command. |
| ISO14443-4_Init | 8X | 11 | 00 | 00 | 05 | xx..xx | - | Initializes PICC and reader for protocol data exchange, alternative command of ISO14443-4_RATS_PPS. |
| ISO14443-4_Exchange | 8X | EC | xx | 00 | xx | xx..xx | -/00 | Transceives APDU to and from the PICC. |
| ISO14443-4_PresenceCheck | 8X | 4C | 00 | 00 | - | - | - | Tracks the PICC. |
| ISO14443-4_Deselect | 8X | D4 | xx | 00 | - | - | - | Deselects the PICC and PICC goes to halt state. |
| ISO14443-4_FreeCID | 8X | FC | 00 | 00 | xx | xx..xx | - | Frees the CID used by the PCD. |
| MIFARE DESFire related commands | | | | | | | | |
| DESFire_AuthenticatePICC | 8X | DA | xx | xx | xx | xx..xx | 00 | Performs complete 3-pass mutual authentication for DESFire. |
| DESFire_ChangeKeyPICC | 8X | DE | xx | xx | xx | xx..xx | 00 | Changes the keys in DESFire. |
| DESFire_WriteX | 8X | D3 | xx | xx | xx | xx..xx | 00 | Can be used for DESFire memory updated commands. |
| DESFire_ReadX | 8X | D2 | 00 | xx | xx | xx..xx | 00 | Can be used for DESFire memory reading commands. |
| DESFire_CreateTMFilePICC | 8X | D1 | xx | xx | xx | xx xx | 00 | Creates a Transaction MAC File in the PICC. |
| MIFARE Plus related command | | | | | | | | |
| MFP_WritePerso | 8X | A8 | 00 | 00 | xx | xx..xx | 00 | The data is transferred in plain, so perform the write_perso command in a secure site. |
| MFP_Authenticate | 8X | 70 | 0x | 00 | xx | xx..xx | 00 | The same command is used in all security levels (SL) of MIFARE Plus; P1 is used to distinguish the SL. |
| PCD_Authenticate | 8X | 73 | 0x | 00 | xx | xx xx | 00 | Performs the Post-Delivery configuration on the MIFARE Plus. |
| MFP_CombinedRead | 8X | 31 | 00 | 00 | 04 | xx..xx | 00 | The data field contains MIFARE Plus cmd + 2-byte block nr + nr. of blocks to read. |
| MFP_CombinedWrite | 8X | 32 | 00 | 00 | xx | xx..xx | 00 | The data field contains the plain command. |
| MFP_ChangeKey | 8X | A5 | 0x | 00 | xx | xx..xx | 00 | Only one key can be changed at a time. |
| MFP_AuthSectorSwitch | 8X | 72 | xx | 00 | xx | xx xx | 00 | Switches the security level of MIFARE Plus sectors. |
| MIFARE Ultralight C Authentication command | | | | | | | | |
| ULC_AuthenticatePICC | 8X | 2C | 0x | 00 | xx | xx..xx | 00 | Only CMAC based key diversification is allowed. |
| MIFARE common | | | | | | | | |
| TMRI_CommitReaderID | 8X | 37 | 00 | 00 | xx | xx xx | 00 | Commits the ReaderID to the PICC. |
| Programmable Logic | | | | | | | | |
| SAM_PLExec | 8X | BE | xx | 00 | xx | xx xx | 00 | Triggers the execution of the programmable logic. |
| SAM_PLUpload | 8X | BF | xx | xx | xx | xx xx | 00 | Updates the code in the programmable logic. |
| Virtual Card Architecture | | | | | | | | |
| VCA_ProximityCheck | 8X | FB | 0x | 00 | xx | xx..xx | 00 | Performs the proximity check. |
| VCA_Select | 8X | 45 | 0x | 00 | xx | xx..xx | 00 | Used for VC selection. |

X = 0, 1, 2, 3; the logical channel.

3.1 RF Controller IC Control commands


These commands control, prepare and enable the RC52x/PN51x/RC663 for further communication with the PICC. As the reader IC can only be in one state at a time, the logical channel has no role in these commands.

3.1.1 RC_LoadRegisterValueSet
RC_LoadRegisterValueSet loads one full set of values (deleting the complete set and loading the new value set) in a single command. In the SAM, 8 sets of register values can be stored. The default register values stored at register set 0 are given in Table 4.
It is required to modify some of the register values to initialize the reader IC (RC52x) for ISO/IEC 14443 type A. The modified values are also given in Table 4.

Table 4. Default “Register Set 0” storage

| RC52X register name | RC52X/PN51X register address | Default set value | Modified value to be reloaded |
|---|---|---|---|
| TModReg | 2A | 82 | 82 |
| TPrescalerReg | 2B | AA | AA |
| TxASKReg | 15 | 40 | 40 |
| RxThresholdReg | 18 | 75 | 75 |
| DemodReg | 19 | 4D | 4D |
| RFCfgReg | 26 | 59 | 59 |
| GsNReg | 27 | F4 | F4 |
| CWGsPReg | 28 | 3F | 3F |
| ModGsPReg | 29 | 11 | 11 |
| ControlReg | 0C | 10 | 10 |
| CommandReg | 01 | - | 00 |

As RC_LoadRegisterValueSet deletes and stores the complete set, it is required to load the full set (not only the modified values). A single register can be loaded using the “RC_WriteRegister” command. The “RC_LoadRegisterValueSet” command can be executed (see Table 4) once at SAM personalization and can be used throughout the SAM life as long as the register set is not required for other purposes.
For other types of the ISO/IEC 14443 standard, the register setting can be defined with the help of the register description given in [9]; starting register values can be requested from local ID FAEs as well. In the following example the register set 0x01 is loaded with the following values.

Table 5. Register Set for ISO/IEC 14443 Type A

| RC52X register name | RC52X/PN51X register address | Value will be set to |
|---|---|---|
| TModReg | 2A | 82 |
| TPrescalerReg | 2B | AA |
| TxASKReg | 15 | 40 |
| RxThresholdReg | 18 | 75 |
| DemodReg | 19 | 4D |
| RFCfgReg | 26 | 59 |
| GsNReg | 27 | F4 |
| CWGsPReg | 28 | 3F |
| ModGsPReg | 29 | 11 |
| ControlReg | 0C | 10 |
| CommandReg | 01 | 00 |

The above register setting is stored in the register set 0x00 in the following example.


Table 6. Example of RC_LoadRegisterValueSet

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | C-APDU | > 802E0000162A822BAA15401875194D265927F4283F29110C100100 | Data field contains in pair [addr, value] |
| 2 | R-APDU | < 9000 | Loading of register is successful. |

The RC_Init command with the value P1 = 0x00 will initialize the RC52X/PN51X with the
register settings stored in register set 0x00 in this example.
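
Because the command replaces the whole stored set, it is worth checking a prepared C-APDU against the intended register list before it is sent at personalization. The following is an added example, not code from NXP or from this note; the function names are illustrative, and P1/P2 simply default to the values used in Table 6 (their coding is defined in [2]).

```python
"""Encode and audit RC_LoadRegisterValueSet C-APDUs (added example)."""

INS_RC_LOAD_REGISTER_VALUE_SET = 0x2E  # INS from Table 3

# Register set for ISO/IEC 14443 type A, copied from Table 5: (name, address, value).
TYPE_A_SET = [
    ("TModReg", 0x2A, 0x82), ("TPrescalerReg", 0x2B, 0xAA),
    ("TxASKReg", 0x15, 0x40), ("RxThresholdReg", 0x18, 0x75),
    ("DemodReg", 0x19, 0x4D), ("RFCfgReg", 0x26, 0x59),
    ("GsNReg", 0x27, 0xF4), ("CWGsPReg", 0x28, 0x3F),
    ("ModGsPReg", 0x29, 0x11), ("ControlReg", 0x0C, 0x10),
    ("CommandReg", 0x01, 0x00),
]


def build_load_register_set(registers, p1=0x00, p2=0x00, channel=0):
    """Return the C-APDU bytes: data field is [addr, value] pairs, no Le."""
    if not 0 <= channel <= 3:
        raise ValueError("logical channel must be 0..3")
    data = bytearray()
    seen = set()
    for name, addr, value in registers:
        if not (0 <= addr <= 0xFF and 0 <= value <= 0xFF):
            raise ValueError(f"{name}: address and value must each fit in one byte")
        if addr in seen:
            raise ValueError(f"{name}: register address {addr:02X} listed twice")
        seen.add(addr)
        data += bytes([addr, value])
    if not 0 < len(data) <= 0xFF:
        raise ValueError("data field must be 1..255 bytes")
    header = bytes([0x80 | channel, INS_RC_LOAD_REGISTER_VALUE_SET, p1, p2, len(data)])
    return header + bytes(data)


def parse_load_register_set(apdu_hex):
    """Decode a hex C-APDU into P1, P2 and the list of (address, value) pairs."""
    raw = bytes.fromhex(apdu_hex)
    if len(raw) < 5:
        raise ValueError("shorter than CLA INS P1 P2 Lc")
    cla, ins, p1, p2, lc = raw[:5]
    if (cla & 0xFC) != 0x80 or ins != INS_RC_LOAD_REGISTER_VALUE_SET:
        raise ValueError("not an RC_LoadRegisterValueSet C-APDU")
    data = raw[5:]
    if len(data) != lc or lc % 2:
        raise ValueError("Lc does not match an even-length [addr, value] data field")
    pairs = [(data[i], data[i + 1]) for i in range(0, lc, 2)]
    return {"p1": p1, "p2": p2, "pairs": pairs}


def audit_against(apdu_hex, expected=TYPE_A_SET):
    """Report registers that a candidate C-APDU omits, changes or adds.

    A non-empty "missing" list means the stored set would lose those
    registers, since the command deletes the old set before storing the new one.
    """
    loaded = dict(parse_load_register_set(apdu_hex)["pairs"])
    known = {addr for _, addr, _ in expected}
    return {
        "missing": [n for n, a, _ in expected if a not in loaded],
        "changed": [(n, v, loaded[a]) for n, a, v in expected
                    if a in loaded and loaded[a] != v],
        "extra": sorted(a for a in loaded if a not in known),
    }


if __name__ == "__main__":
    apdu = build_load_register_set(TYPE_A_SET).hex().upper()
    print(apdu)
    print(audit_against(apdu))
    # Constructed partial APDU: only TModReg and a modified RFCfgReg.
    print(audit_against("802E0000042A82267F"))
```
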

3.1.2 RC_Init
The RF controller IC (RC52X/PN51X) is initialized with the addressed set of values stored in the SAM memory. By default, register value set 0 contains the ISO/IEC 14443 type A register settings of the RC52X and PN51X (RF is turned off).

Table 7. Example of RC_Init

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | C-APDU | > 80E58000 | Register set = 0, and higher speed in I²C. |
| 2 | R-APDU | < 9000 | Status |

3.1.3 RC_RFControl
This command can be interpreted as the resetting of the RF field. The time (in ms) given in the data field is the time the RF remains turned off before turning on again. The time “0000” given in the data field turns off the RF.

Table 8. Example of RC_RFControl

| Step | Indication | Data/Message |
|---|---|---|
| 1 | C-APDU | > 80CF0000020500 (5 ms is the RF turned off time) |
| 2 | R-APDU | < 9000 |

In the following figure the RF field is shown while executing the above command.


The real RF turned-off time can deviate from the time provided in the data field by up to 10%.

Figure 5. RF behavior with RC_RFControl command

3.2 ISO14443-3 type A card activation commands


All the ISO/IEC 14443 part 3 type A commands are mapped in these APDU commands.
Moreover, there are some compound commands which can activate A type card with
minimum user interaction. It is also possible to activate the ISO/IEC 14443 B type card
using the commands stated here.

3.2.1 ISO14443-3_ActivateIdle
This is a compound command that performs all ISO/IEC 14443 type A card activation sequences (ReqA – Anticollision - select). In the following example a DESFire card is activated.

Table 9. Example of ISO14443-3_ActivateIdle

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | P1 | = 05* | The application will activate up to 5 cards. |
| 2 | P2 | = 03 | The ATQA and SAK filter is applied. |
| 3 | ATQA filter | = FF44FF03 | All bits of ATQA (4403 ATQA of DESFire) are considered. |
| 4 | SAK filter | = FF20 | All bits of SAK are considered. For CL-2 and CL3 only the final SAK is considered. |
| 5 | ISO14443-3_ActivateIdle C-APDU | > 8026050306FF44FF03FF2000 | |
| 6 | ISO14443-3_ActivateIdle R-APDU | < 014403200704261419701C809000 | One DESFire card has been found. |


* All the activated cards will go to halt state. To continue with a card, it needs to be woken up using the ActivateWakeUp command. If P1 = 01, then the card is in activated state.

3.2.2 ISO14443-3_TransparentExchange
Using this command, any bits and bytes can be sent to the card. One example of using this command is to activate an ISO/IEC 14443 type B card. In the following example the REQB command is shown.

Table 10. Example of ISO14443-3_TransparentExchange

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | C-APDU | > 807E00000305000000 | REQB command |
| 2 | R-APDU | < 50xxxxxxxxxxxxxxxxxxxxxx9000 | ATQB response |

Of course, before executing this command the RC523 registers have to be set to the
correct values using RC_Init command. The register setting can be requested from
Customer Application Support.

3.3 MIFARE Commands


These commands can be used to communicate with MIFARE Classic (MIFARE Plus SL1) PICCs.

3.3.1 MF_Authenticate
Table 11. MF_Authenticate Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | MIFARE UID | = 443898DE | In case of 7-byte UID, take last four bytes. |
| 2 | SAM Key Entry No | = 02 | The MIFARE Key entry is personalized in advance. |
| 3 | Key version of the SAM Key Entry | = 01 | |
| 4 | MIFARE Key Type A | = 0A | |
| 5 | MIFARE Block Nr | = 28 | |
| 6 | Div constant | = 0A | Here the sector number. |
| 7 | C-APDU | > 800C000009443898DE02010A280A | |
| 8 | R-APDU | < 9000 | |

3.3.2 MF_Read
The MF_Read command can read multiple blocks. At RF level the SAM performs the read command for every block and provides the total data to the user in one step.


Table 12. MF_Read Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | C-APDU | > 803000000304050600 | Data field is the block numbers to be read. |
| 2 | R_APDU | < 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009000 | Content of block 4, 5, 6. |

In the above example, block numbers 04, 05 and 06 (sector 1) have been read. If any block has a different access condition, the SAM will not return data from the read block(s) but only the NACK (90FX).

3.3.3 MF_Write
The MF_Write command can write multiple blocks. At RF level the SAM performs the write command for every block and returns a single status to the user in one step.

Table 13. MF_Write Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | P1 | = 00 | 16-byte data for writing each block |
| 2 | C-APDU | > 80A000003304010203040506070809101112131415160501020304050607080910111213141516060102030405060708091011121314151 6 | Data field contains [block nr, 16-byte data; block nr, 16-byte data; …] |
| 3 | R_APDU | < 9000 | Successful |

In the above example, block numbers 04, 05 and 06 (sector 1) have been written. If the blocks' access conditions are different, the SAM will return NACK (90FX), but some blocks may already have been updated. For example, if block 6 has a different write access condition than the current authentication state, the SAM will return 90FX, but blocks 4 and 5 have already been updated.

3.3.4 MF_ValueWrite
MF_ValueWrite can personalize one or several blocks to value block. In the following
example block number 5 and block number 6 are personalized for 100 units.

Table 14. MF_ValueWrite Example

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | Block Address of MIFARE | = 05 | |
| 2 | Value | = 64000000 | Value = 100 |
| 3 | Address | = FF00FF00 | |
| 4 | Block Address of MIFARE | = 06 | |
| 5 | Value | = 64000000 | (100 unit) |
| 6 | Address | = FF00FF00 | |
| 7 | C-APDU | > 80A20000120564000000FF00FF000664000000FF00FF00 | |
| 8 | R-APDU | < 9000 | Successful |

Please note, the address provided here is fully written in the value block (last 4 bytes of
the 16-byte value block). If the blocks access condition is different, the SAM will return
NACK (90FX) but some blocks may have already been updated.
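
A host that reads value blocks back through the SAM can verify their built-in redundancy before trusting a balance. The following is an added example, not code from NXP or from this note: it builds the MF_ValueWrite data field shown in Table 14 and checks blocks against the standard MIFARE Classic value-block layout (value, inverted value, value, then address and inverted address twice), which the note does not spell out. The function names are illustrative, and the sample response is the MF_AuthenticateRead R-APDU from Table 17.

```python
"""MF_ValueWrite data field and value-block integrity check (added example)."""

INS_MF_VALUE_WRITE = 0xA2  # INS from Table 3


def address_field(addr):
    """4-byte address field: addr, inverted addr, addr, inverted addr."""
    inv = addr ^ 0xFF
    return bytes([addr, inv, addr, inv])


def build_value_write(entries, channel=0):
    """entries: list of (block_nr, signed 32-bit value, address byte)."""
    data = bytearray()
    for block_nr, value, addr in entries:
        if not (0 <= block_nr <= 0xFF and 0 <= addr <= 0xFF):
            raise ValueError("block number and address must fit in one byte")
        data.append(block_nr)
        data += value.to_bytes(4, "little", signed=True)
        data += address_field(addr)
    if not 0 < len(data) <= 0xFF:
        raise ValueError("data field must be 1..255 bytes")
    return bytes([0x80 | channel, INS_MF_VALUE_WRITE, 0x00, 0x00, len(data)]) + bytes(data)


def value_block(value, addr):
    """The 16 bytes a well-formed value block holds for (value, addr)."""
    v = value.to_bytes(4, "little", signed=True)
    return v + bytes(b ^ 0xFF for b in v) + v + address_field(addr)


def parse_value_block(block):
    """Return (value, addr) for a well-formed value block, else None."""
    if len(block) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    v1, v_inv, v2 = block[0:4], block[4:8], block[8:12]
    a1, a_inv1, a2, a_inv2 = block[12:16]
    value_ok = v1 == v2 and bytes(b ^ 0xFF for b in v_inv) == v1
    addr_ok = a1 == a2 and a_inv1 == a_inv2 and a_inv1 == (a1 ^ 0xFF)
    if not (value_ok and addr_ok):
        return None
    return int.from_bytes(v1, "little", signed=True), a1


def audit_value_blocks(r_apdu_hex, block_numbers):
    """Map each block number of a read R-APDU to (value, addr) or None."""
    raw = bytes.fromhex(r_apdu_hex)
    data, sw = raw[:-2], raw[-2:]
    if sw != b"\x90\x00":
        raise ValueError("SAM status " + sw.hex().upper())
    if len(data) != 16 * len(block_numbers):
        raise ValueError("response length does not match the requested blocks")
    return {nr: parse_value_block(data[i * 16:(i + 1) * 16])
            for i, nr in enumerate(block_numbers)}


# R-APDU from Table 17: block 0x28 holds plain data, 0x29 and 0x2A are value blocks.
SAMPLE_R_APDU = ("41627549736D61696C204341534E5850"
                 "640000009BFFFFFF6400000000FF00FF"
                 "640000009BFFFFFF6400000000FF00FF"
                 "9000")

if __name__ == "__main__":
    print(build_value_write([(0x05, 100, 0xFF), (0x06, 100, 0xFF)]).hex().upper())
    print(audit_value_blocks(SAMPLE_R_APDU, [0x28, 0x29, 0x2A]))
```
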

3.3.5 MF_Increment
MF_Increment can increment the value block(s). In the following example the value of
block 5 is incremented by 10 units and transferred to block number 6.

Table 15. MF_Increment Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | Source Address | = 05 | |
| 2 | Destination Address | = 06 | |
| 3 | Value to be incremented by | = 0A000000 | Value = 10 |
| 4 | C-APDU | > 80C300000605060A000000 | |
| 5 | R-APDU | < 9000 | Successful |

3.3.6 MF_Decrement
MF_Decrement can decrement the value block(s). In the following example the value of
block 5 is decremented by 10 units and transferred to block number 6.

Table 16. MF_Decrement Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | Source Address | = 05 | |
| 2 | Destination Address | = 06 | |
| 3 | Value to be decremented by | = 0A000000 | Value = 10 |
| 4 | C-APDU | > 80C000000605060A000000 | |
| 5 | R-APDU | < 9000 | Successful |

3.3.7 MF_AuthenticateRead
This is a compound command consolidating authentication and read, which can be very useful for optimizing the transaction time of MIFARE Classic applications. In the following example, sector number 10 is authenticated and blocks 40, 41 and 43 (3 user blocks of sector 10) will be read.


Table 17. MF_AuthenticateRead Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | MIFARE UID | = 443898DE | Last 4-byte in case of 7-byte UID. |
| 2 | CmdSettings | = 02 | Key information is provided and diversifying key. |
| 3 | SAM Key Entry No | = 02 | SAM key entry number. |
| 4 | Key version of the SAM Key Entry | = 01 | |
| 5 | MIFARE Key Type A | = 0A | |
| 6 | MIFARE Block Nr to authenticate | = 28 | |
| 7 | Div Constant | = 0A | Here the sector number |
| 8 | Number of blocks to be read | = 03 | |
| 9 | MIFARE block numbers to read | = 28292A | 3 blocks 40, 41, 42 |
| 10 | C-APDU | > 803A00000E443898DE0202010A280A0328292A00 | |
| 11 | R-APDU | < 41627549736D61696C204341534E5850640000009BFFFFFF6400000000FF00FF640000009BFFFFFF6400000000FF00FF9000 | 3x16 = 48 bytes data and SW1SW2. |

Please note, if the block read accesses are different or required keys are different, then
the information has to be provided in the data field. Please refer to [2]. If any block has
different access condition, the SAM will not return data from the read block(s) but only
the NACK (90FX).

3.3.8 MF_AuthenticateWrite
This is a compound command consolidating authentication and write, which can be very useful for optimizing the transaction time of MIFARE Classic applications. In the following example, sector number 1 is authenticated and blocks 4, 5 and 6 (3 user blocks of sector 1) will be written.

Table 18. MF_AuthenticateWrite Example

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | MIFARE UID | = 540B9ADE | Last 4-byte in case of 7-byte UID. |
| 2 | CmdSettings | = 02 | Key information is provided and diversifying key |
| 3 | SAM Key Entry No | = 01 | |
| 4 | Key version of the SAM Key Entry | = 02 | |
| 5 | MIFARE Key Type | = 0B | Key type B |
| 6 | MIFARE Block Nr to authenticate | = 04 | |
| 7 | Div Constant | = 01 | |
| 8 | Number of blocks to be written | = 03 | |
| 9 | MIFARE block numbers and data | = 040102030405060708091011121314151605010203040506070809101112131415160601020304050607080910111213141516 | Block nr, data; block nr, data …. |
| 10 | C-APDU | > 80AA00003E540B9ADE0201010B040103040102030405060708091011121314151605010203040506070809101112131415160601020304050607080910111213141516 | |
| 11 | R-APDU | < 9000 | Successful |

Please note, if the block write accesses are different or required keys are different, then the information has to be provided in the data field. Please refer to [2]. If the blocks' access conditions are different, the SAM will return NACK (90FX), but some blocks may already have been updated.

3.3.9 MF_ChangeKey
This command can be used to personalize or roll the MIFARE keys in MIFARE Classic
cards. MF_ChangeKey command at first generates the MIFARE diversified key and then
writes it to the corresponding sector trailer.

Table 19. MF_ChangeKey Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | KeyCompMeth (P1) | = 06 | Both key A and key B have to be diversified. Please note bit 0 and other bits are RFU and have to be set to 0. |
| 2 | SAM Key Entry No | = 02 | Which is a MIFARE Key entry, personalized in advance. |
| 3 | Key version of the SAM Key Entry for MIFARE key A | = 01 | |
| 4 | Key version of the SAM Key Entry for MIFARE key B | = 01 | The version for Key A and Key B can be different. If different, the Key A is taken from one position (version) and Key B is taken from another position (version). |
| 5 | MIFARE Block number where to store the key | = 2B | Sector trailer block number, here we are taking sector number 0A. |
| 6 | Access conditions | = 08778F69 | 3 bytes AC and GPB |
| 7 | MIFARE UID | = 443898DE | Last 4-byte in case of 7-byte UID. |
| 8 | Div Constant | = 0A | Here is the sector number. |
| 9 | C-APDU | > 80A106000D0201012B08778F69443898DE0A | |
| 10 | R-APDU | < 9000 | Successful |

3.4 Preparing the proximity chips for T=CL half duplex transmission
MIFARE SAM AV3 supports the “Exchange Transparent Data” state with up to 4 cards
(according to ISO/IEC 14443-4, the number of cards in this state can be up to 15, CID 0
to CID 14). One logical channel can be assigned to one specific CID. In the following a
flow diagram is shown:


Figure 6. Specific logical channel is assigned in ISO/IEC14443-4


3.4.1 ISO14443-4_RATS_PPS
Table 20. RATS_PPS Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | CID | = 01 | |
| 2 | DRI | = 02 | 424 kbps (PCD to PICC) |
| 3 | DSI | = 02 | 424 kbps (PICC to PCD) |
| 4 | C-APDU | > 80E000000301020200 | |
| 5 | R-APDU | < 0102020675778102809000 | |
| | Activating another card | | |
| 6 | CID | = 02 | |
| 7 | DRI | = 01 | 212 kbps (PCD to PICC) |
| 8 | DSI | = 01 | 212 kbps (PICC to PCD) |
| 9 | C-APDU | > 81E000000302010100 | |
| 10 | R-APDU | < 0202020675778102809000 | |
| | Accessing the card with CID 01, ‘GetApplicationID’ command | | |
| 11 | C-APDU | > 80EC0000016A00 | Logical channel 0 is communicating with card with CID = 0. |
| 12 | R-APDU | < 004444449000 | |
| | Accessing the card with CID 02, ‘GetApplicationID’ command | | |
| 13 | C-APDU | > 81EC0000016A00 | Logical channel 1 is communicating with card with CID = 1. |
| 14 | R-APDU | < 002F8CF11111119000 | |

MIFARE SAM AV3 supports using different RF communication speeds with different
cards at the same time.

3.4.2 ISO14443-4_PresenceCheck
To track a card (to check whether the activated card is still present), this command can be issued; it facilitates the Windows resource manager according to PC/SC. This command will not change any state of the card.

Table 21. ISO14443-4_PresenceCheck Example

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | C-APDU | > 804C0000 | |
| 2 | R-APDU | < 9000 | Card is present. |

In this example the presence of the card attached to logical channel 0 is checked.


3.5 Accessing MIFARE DESFire


The “ISO14443-4_Exchange” command can be used to access a MIFARE DESFire
(EV1) or any ISO/IEC 14443 part 4 compliant PICCs. In this case, the data field contains
the application data.

Figure 7. ISO14443-4_Exchange Command APDU for DESFire

3.5.1 Selecting MIFARE DESFire Application


MIFARE DESFire “Select Application” command in native mode is shown in the following
table.

Table 22. Example of Select Application command

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | Application ID | = 123456 | 3-byte DESFire application ID |
| 2 | DESFire Select application command | = 5A123456 | Select application cmd and 3-byte AID |
| 3 | ISO14443-4_Exchange C-APDU | > 80EC0000045A12345600 | DESFire select application command is packed in the data field of ISO14443-4_Exchange command APDU. |
| 4 | ISO14443-4_Exchange R-APDU | < 009000 | DESFire response is in the response data field and SW1SW2. Here ‘00’ is the DESFire status code. |

3.5.2 MIFARE DESFire Read command


MIFARE DESFire “Read Data” command in native mode is shown in the following table.

Table 23. Example of MIFARE DESFire Read native APDU

Reading 70 bytes from a standard data file

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | Read command | = BD | |
| 2 | File no | = 02 | |
| 3 | Offset | = 000000 | |
| 4 | length | = 460000 (70 bytes) | |
| 5 | DESFire Native APDU | = BD02000000460000 | |
| 6 | ISO14443-4_Exchange C-APDU | > 80EC000008BD0200000046000000 | MIFARE DESFire native APDU command is packed in the data field of the ISO14443-4_Exchange C-APDU |
| 7 | ISO14443-4_Exchange R-APDU | < AF01020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758599000 (AF is the DESFire native status code [5] and 59 bytes data) | MIFARE DESFire EV1 response is packed in ISO14443-4_Exchange R-APDU |
| 8 | C-APDU to SAM for more data | > 80EC000001AF00 | |
| 9 | R-APDU from SAM | < 0060616263646566676869709000 (00 is the DESFire native status code [5] and 11 bytes data) | |
| 10 | Application data read | = 01020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 | |

Table 24. Example of Wrapping of DESFire Native APDU

Reading 70 bytes from a standard data file

| Step | Command | Data/Message |
|---|---|---|
| 1 | Read command | = BD |
| 2 | File no | = 02 |
| 3 | Offset | = 000000 |
| 4 | length | = 460000 (70 bytes) |
| 5 | Wrapped APDU [5] | = 90BD0000070200000046000000 |
| 6 | C-APDU to SAM | > 80EC00000D90BD000007020000004600000000 |
| 7 | R-APDU from SAM | < 010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585991AF9000 (91AF is the SW1SW2 from wrapping and 59 bytes data) |
| 8 | C-APDU to SAM for more data | > 80EC00000590AF00000000 |
| 9 | R-APDU from SAM | < 606162636465666768697091009000 (9100 is the SW1SW2 and 11 bytes data) |
| 10 | Application data read | = 01020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 |

Important clarification: the complete APDU is made up of two APDUs. The DESFire APDU is transported (wrapped) within the standard ISO14443 part IV APDU, as shown in the following figure.

Figure 8. Wrapping of DESFire Native APDU in ISO14443-4_Exchange APDU

Please note that the ISO/IEC 7816-4 INS variant has the same structure as the one above. These structures can be used for any DESFire command. Moreover, some of the DESFire commands are supported by MIFARE SAM AV3 directly; these commands are named “DESFire related commands” in [1]. Some of them are discussed in the following sections.
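
The framing walked through in Tables 23 and 24, as an added example that is not part of the application note and is not NXP code: it packs a native or ISO 7816-wrapped DESFire frame into the ISO14443-4_Exchange C-APDU and follows the AF status until the file is complete. The function names and the `transceive` callback (the host-to-SAM link) are hypothetical, and the canned R-APDUs are constructed from the table values.

```python
CLA, INS_EXCHANGE = 0x80, 0xEC      # taken from the C-APDUs in Tables 23 and 24
ST_OK, ST_MORE = 0x00, 0xAF         # DESFire status codes shown in the tables
SW_OK = b"\x90\x00"                 # SAM status word on success


def exchange_apdu(frame: bytes) -> bytes:
    """Pack a card-level frame into the data field of ISO14443-4_Exchange."""
    if not 0 < len(frame) <= 255:
        raise ValueError("frame must fit a one-byte Lc")
    return bytes([CLA, INS_EXCHANGE, 0x00, 0x00, len(frame)]) + frame + b"\x00"


def read_data_native(file_no: int, offset: int, length: int) -> bytes:
    """Native Read Data: BD || file no || offset (3 bytes) || length (3 bytes), LSB first."""
    return bytes([0xBD, file_no]) + offset.to_bytes(3, "little") + length.to_bytes(3, "little")


def iso_wrap(native: bytes) -> bytes:
    """ISO 7816 wrapping: 90 || cmd || 00 00 || [Lc || parameters] || 00."""
    cmd, params = native[0], native[1:]
    body = bytes([len(params)]) + params if params else b""
    return bytes([0x90, cmd, 0x00, 0x00]) + body + b"\x00"


def split_response(rapdu: bytes, wrapped: bool):
    """Return (DESFire status, data) from an ISO14443-4_Exchange R-APDU."""
    if len(rapdu) < 2 or rapdu[-2:] != SW_OK:
        raise IOError("SAM status " + rapdu[-2:].hex())
    body = rapdu[:-2]
    if wrapped:                      # data || 91 || status
        if len(body) < 2 or body[-2] != 0x91:
            raise IOError("malformed wrapped response")
        return body[-1], body[:-2]
    if not body:                     # status || data
        raise IOError("empty card response")
    return body[0], body[1:]


def read_file(transceive, file_no, offset, length, wrapped=False, max_frames=16):
    """Read `length` bytes through the SAM, requesting more frames while status is AF."""
    frame = read_data_native(file_no, offset, length)
    data = bytearray()
    for _ in range(max_frames):
        capdu = exchange_apdu(iso_wrap(frame) if wrapped else frame)
        status, chunk = split_response(transceive(capdu), wrapped)
        data += chunk
        if len(data) > length:
            raise IOError("card returned more data than requested")
        if status == ST_OK:
            if len(data) != length:
                raise IOError("short read")
            return bytes(data)
        if status != ST_MORE:
            raise IOError(f"DESFire status {status:02X}")
        frame = bytes([ST_MORE])     # ask for the next frame
    raise IOError("too many frames")


def replay(responses):
    """Constructed stand-in for the SAM link: logs C-APDUs, replays canned R-APDUs."""
    sent, queue = [], [bytes.fromhex(r) for r in responses]

    def transceive(capdu):
        sent.append(capdu.hex().upper())
        return queue.pop(0)
    return transceive, sent


# Constructed sample data: the 70 bytes 01 02 ... 70 from step 10, split 59 + 11.
FILE_70 = bytes.fromhex("".join(f"{n:02d}" for n in range(1, 71)))
NATIVE_REPLIES = ["AF" + FILE_70[:59].hex() + "9000", "00" + FILE_70[59:].hex() + "9000"]
WRAPPED_REPLIES = [FILE_70[:59].hex() + "91AF9000", FILE_70[59:].hex() + "91009000"]

if __name__ == "__main__":
    for wrapped, replies in ((False, NATIVE_REPLIES), (True, WRAPPED_REPLIES)):
        link, log = replay(replies)
        data = read_file(link, 2, 0, 70, wrapped=wrapped)
        print("wrapped" if wrapped else "native", log, data.hex().upper())
```
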

3.5.3 DESFire_AuthenticatePICC
This command is very straightforward. The SAM key entry has to be personalized before the DESFire_AuthenticatePICC command is issued. Please make sure that the key entry is set up accordingly.

Table 25. Example of MIFARE DESFire EV1 Authentication

Reading 70 bytes from a standard data file

| Step | Indication | Data/Message | Comments |
|---|---|---|---|
| 1 | DESFire_AuthenticatePICC C-APDU | > 80EC0000045A12345600 | No key diversification is used. |
| 2 | DESFire_AuthenticatePICC R-APDU | < 9000 | Authentication is successful |

3.5.4 DESFire_ChangeKeyPICC
This command changes the keys of the MIFARE DESFire EV1 and can be used in
personalization or rolling of the keys. It supports the diversification mechanism as
described in [1]. Please note the same diversification inputs have to be used for both new
and current key, if they both are diversified.

Table 26. Example of DESFire_ChangeKeyPICC

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | DESFire key number to be changed (one application key) | = 01 | |
| 2 | Current DESFire key belongs to SAM key entry nr. | = 01 | |
| 3 | Current DESFire key version (version of the SAM key entry of 1) | = 00 | |
| 4 | New DESFire key belongs to SAM key entry nr. | = 01 | |
| 5 | New DESFire key version (version of the SAM key entry of 01) | = 01 | |
| 6 | P1 | = 00100010b (0x22) | b0 is set to 0, DESFire change key nr ≠ currently authenticated key nr. New key will be diversified but not the current one. Key diversification mode is CMAC based. |
| 7 | Diversification input | = 049137C9922680 | UID of the card, as the CMAC based diversification is used the input length can be any value from 1 to 31. |
| 8 | C-APDU | > 80DE22010B01000101049137C992268000 | |
| 9 | R-APDU | < 9000 | |

3.5.5 DESFire_WriteX
“DESFire_WriteX” command is optimized for several memory update-type functions e.g.
ChangeKeySettings, WriteData, Credit, Debit, LimitedCredit, WriteRecord for DESFire.
Please note, the complete DESFire APDU (DESFire native, ISO 7816 wrapping or
ISO7816-4 INS) is provided in the data field. Please check the following example.

Table 27. Example of DESFire_WriteX Command for writing to a data file

| Step | Command | Data/Message |
|---|---|---|
| 1 | “Write Data” command for DESFire | = 3D |
| 2 | File no, where to write | = 01 |
| 3 | Offset at which the write starts | = 000000 |
| 4 | Length of data to be written | = 0A0000 (10 bytes) |
| 5 | Data to write | = 01020304050607080910 |
| 6 | DESFire Native APDU, the application data. | = 3D010000000A000001020304050607080910 (will be the data field of DESFire_WriteX C-APDU) |
| 7 | Now mapped to DESFire_WriteX APDU | |
| 8 | P1 | = 00, last frame |
| 9 | P2 | = 38, (encrypted communication**, encryption starts from 8th byte as this is the starting of written data bytes) |
| 10 | Lc | = 12; (18 bytes from step 6) |
| 11 | C-APDU | > 80D30038123D010000000A00000102030405060708091000 |
| 12 | R-APDU | < 9000 |

**Please note that the “DESFire_WriteX” command cannot be used for plain communication. For plain communication, use the “ISO14443-4_Exchange” command.
The DESFire_WriteX command does not support DESFire application chaining. To write data that does not fit in one write frame (please check [5]), the user has to implement the chaining.

3.5.6 DESFire_ReadX
The DESFire_ReadX command is optimized for accessing memory (ReadData, GetValue and ReadRecord) in fully encrypted or MACed (CMACed) communication. The complete DESFire application protocol data unit (Native, ISO7816 wrapping or ISO7816-4 INS) is given in the data field. The following example shows reading a data file.

Table 28. Example of DESFire_ReadX Command for reading a data file

| Step | Command | Data/Message |
|---|---|---|
| 1 | “Read Data” command for DESFire | = BD |
| 2 | File no, to read | = 01 |
| 3 | Offset at which the read starts | = 000000 |
| 4 | Length of data to be read | = 0A0000 (10 bytes) |
| 5 | DESFire Native APDU, the application data. | = BD010000000A0000 (will be the data field of DESFire_ReadX C-APDU) |
| 6 | Now mapped to DESFire_ReadX APDU | |
| 7 | P1 | = 00 |
| 8 | P2 | = 30, (encrypted communication) |
| 9 | Lc | = 08; (8 bytes from step 6) |
| 10 | C-APDU | > 80D200300B0A0000BD010000000A000000 (The length of data “0A0000” to be read has to be added in front of the DESFire APDU as well) |
| 11 | R-APDU | < 010203040506070809109000 |

**Please note that the “DESFire_ReadX” command cannot be used for plain communication. For plain communication, use the “ISO14443-4_Exchange” command.

The DESFire_ReadX command does not support DESFire application chaining. To read data that does not fit in one frame (please check [5]), the user has to implement the chaining. Please see the next example.

Table 29. Example of DESFire_ReadX Command for reading a data file with chaining

| Step | Command | Data/Message |
|---|---|---|
| 1 | “Read Data” command for DESFire | = BD |
| 2 | File no, to read | = 01 |
| 3 | Offset at which the read starts | = 000000 |
| 4 | Length of data to be read | = 960000 (150 bytes) |
| 5 | DESFire Native APDU, the application data. | = BD01000000960000 (will be the data field of DESFire_ReadX C-APDU) |
| 6 | Now mapped to DESFire_ReadX APDU | |
| 7 | P1 | = 00 |
| 8 | P2 | = 30, (encrypted communication) |
| 9 | Lc | = 08; (8 bytes from step 6) |
| 10 | C-APDU | > 80D200300B960000BD0100000096000000 (The length of data “960000” to be read has to be added in front of the DESFire APDU as well) |
| 11 | R-APDU | < 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F90AF (90AF means more data from the DESFire) |
| 12 | C-APDU (for more data, chaining) | > 80D2003001AF00 |
| 13 | R-APDU | < 303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666790AF |
| 14 | C-APDU (for more data, chaining) | > 80D2003001AF00 |
| 15 | R-APDU | < 68696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F9091929394959000 |
| 16 | The complete 150 bytes data | = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495 |
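
The DESFire_WriteX and DESFire_ReadX framing of Tables 27 to 29, as an added example rather than NXP code: it builds both C-APDUs from file number, offset and data, and implements the host-side chaining that DESFire_ReadX leaves to the user. Assumptions: the function names and the `transceive` callback are hypothetical, the canned R-APDUs are constructed from Table 29, and P2 is composed as 0x30 | offset, which reproduces the 38 and 30 in the tables and should be checked against [1].

```python
CLA = 0x80
INS_READX, INS_WRITEX = 0xD2, 0xD3   # taken from the C-APDUs in Tables 27 to 29
COMM_ENCRYPTED = 0x30                # P2 value the tables give for encrypted communication
SW_OK, SW_MORE = b"\x90\x00", b"\x90\xAF"
MORE_DATA = bytes([CLA, INS_READX, 0x00, COMM_ENCRYPTED, 0x01, 0xAF, 0x00])


def le3(value: int) -> bytes:
    """DESFire offsets and lengths are 3 bytes, LSB first."""
    return value.to_bytes(3, "little")


def write_x_apdu(file_no: int, offset: int, data: bytes) -> bytes:
    """DESFire_WriteX C-APDU carrying a native Write Data (3D) command."""
    header = bytes([0x3D, file_no]) + le3(offset) + le3(len(data))
    native = header + data
    if len(native) > 255:
        raise ValueError("does not fit one frame; WriteX has no chaining")
    # Encryption starts at the first written data byte, i.e. right after the
    # 8-byte command header (assumption: the offset sits in the low bits of P2).
    p2 = COMM_ENCRYPTED | len(header)
    return bytes([CLA, INS_WRITEX, 0x00, p2, len(native)]) + native + b"\x00"


def read_x_apdu(file_no: int, offset: int, length: int) -> bytes:
    """DESFire_ReadX C-APDU: the length to read is repeated in front of the DESFire APDU."""
    native = bytes([0xBD, file_no]) + le3(offset) + le3(length)
    body = le3(length) + native
    return bytes([CLA, INS_READX, 0x00, COMM_ENCRYPTED, len(body)]) + body + b"\x00"


def read_x(transceive, file_no, offset, length, max_frames=32):
    """Read `length` bytes, sending the AF continuation while the SAM answers 90AF."""
    capdu = read_x_apdu(file_no, offset, length)
    data = bytearray()
    for _ in range(max_frames):
        rapdu = transceive(capdu)
        if len(rapdu) < 2:
            raise IOError("truncated R-APDU")
        data += rapdu[:-2]
        status = rapdu[-2:]
        if len(data) > length:
            raise IOError("more data than requested")
        if status == SW_OK:
            if len(data) != length:
                raise IOError("short read")
            return bytes(data)
        if status != SW_MORE:
            raise IOError("status " + status.hex())
        capdu = MORE_DATA
    raise IOError("too many frames")


def replay(responses):
    """Constructed stand-in for the SAM link: logs C-APDUs, replays canned R-APDUs."""
    sent, queue = [], [bytes.fromhex(r) for r in responses]

    def transceive(capdu):
        sent.append(capdu.hex().upper())
        return queue.pop(0)
    return transceive, sent


# Constructed sample data: bytes 00..95 split 48 + 56 + 46 as in steps 11, 13 and 15.
FILE_150 = bytes(range(0x96))
CHAINED_REPLIES = [FILE_150[:48].hex() + "90AF",
                   FILE_150[48:104].hex() + "90AF",
                   FILE_150[104:].hex() + "9000"]

if __name__ == "__main__":
    print(write_x_apdu(1, 0, bytes.fromhex("01020304050607080910")).hex().upper())
    link, log = replay(CHAINED_REPLIES)
    print(len(read_x(link, 1, 0, 150)), log)
```
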


3.6 Accessing MIFARE Plus


All the MIFARE Plus commands can be executed in X interface of MIFARE SAM AV3.

3.6.1 MFP_WritePerso
MFP_WritePerso command requires the exact data/key to be written to MIFARE Plus
card. The MIFARE Plus AES keys can be dumped from the SAM with “must diversified”
option, if it is required.

Table 30. Example of MFP_WritePerso

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | Activate the card up to ISO/IEC 14443-4 layer (e.g. ISO14443-3_ActivateIdle, ISO14443-4_RATS_PPS) | | |
| 2 | MFP_WritePerso C-APDU | > 80A800005A00904A5EBE086D7A4E353345614E9B88C87F0190D7B12348ABE1A58AFECC513C713C1BF302903F613B19AE782E989AA5CDA4073BE27B039067B2C4D72DF59C413F8BCDDE9795BE00049086EDB107245EC47045FF88FEB6DB363E00 | Here the block numbers 0x9000 to 0x9004 have been written. The LSB of the block number comes first. |
| 3 | MFP_WritePerso R-APDU | < 909000 | The status code of MIFARE Plus = ‘90’ means successful. |

The Commit_Perso command can be issued by using the ISO14443-4_Exchange command.
As the data/keys are transferred in plain to the MIFARE Plus card, it is recommended to perform the “Write Perso” command at a secure site.

3.6.2 MFP_Authenticate
The same command is used for all types of AES authentication in all security levels. Set bits 2 and 3 accordingly to select the type of authentication. The following example shows authentication in security level 3.

Table 31. Example of MFP_Authenticate

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| | The MIFARE Plus key is stored in SAM key entry number 07 and version 00 | | |
| 1 | MFP_Authenticate C-APDU | > 80700C0005070000400000 | P1 = 0C means no diversification, authentication first and SL3 authentication. |
| 2 | MFP_Authenticate R-APDU | < 0000000000000000000000009000 | PDCap2 (6 bytes) \|\| PCDCap2 (6 bytes) and status 9000. |


3.6.3 MFP_CombinedRead
This ‘combined read’ command can read MIFARE Plus block(s). If the access condition
allows, the full card can be read in one command.

Table 32. Example of MFP_CombinedRead

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | MFP_CombinedRead C-APDU | > 80310000043100000400 | The data field contains the read command in plain (the MIFARE Plus read is encrypted and CMACed in both directions). Four blocks have to be read starting from block number ‘0000’. |
| 2 | MFP_CombinedRead R-APDU | < 9000050001020304184200140111002209A6FE56B361A6595A568401D3597D0A86097D1FA3C8BA056D70D2E9DF3E545502000102030405060708090A0B0C0D0E0F9000 | The response contains MIFARE Plus status code (90) and the content of the blocks followed by the SAM status bytes (9000, success). |

3.7 Use of Secure Messaging


The communication between SAM and the PICC is secured by the PICC’s security
policy and the security between the SAM and the host is ensured by the SAC (Secure
authenticated Channel [1]).

Figure 9. Secure messaging adds security in the communication between SAM and Host


3.7.1 Secure Messaging example for MIFARE DESFire EV1


The logical channel number 0 (CLA = 0x80) is used for this example.

Table 33. Example full protection Host communication for MIFARE DESFire EV1

| Step | Indication | Data/Message | Comment |
|---|---|---|---|
| 1 | Initialize the reader IC and turn on the RF. | | |
| 2 | Authenticate the host using the SAM_AuthenticateHost command with host mode = full protection. See §2 of [8] for the detailed calculation. In this example the session keys were as follows: Encryption session key = 3056A1804B24B44386F5E1032AA206A9 and CMAC session key = D03206A036FB41257A8093DB52A2DBC5 | | |
| 3 | ISO14443-3_ActivateIdle | = 8026010000 | The command APDU in plain. It now requires calculation of secure messaging. |
| 4 | ISO14443-3_ActivateIdle C-APDU in full protection | > 802601000804FD77D0FAFF11E500 | Data field contains CMAC. See §2 of [8] for the detailed calculation. |
| 5 | ISO14443-3_ActivateIdle R-APDU in full protection | < 4FE359F6A562BC2E51BA95ED48C9E9F4432959D77D63B69A9000 | The response is encrypted with a CMAC. |
| 6 | Plain response after CMAC verification and decryption | = 44032007049137C9922680 | See §2 of [8] for the detailed calculation. |
| 7 | ISO14443-4_RATS_PPS | = 80E000000301000000 | The command APDU in plain. It now requires calculation of secure messaging. |
| 8 | ISO14443-4_RATS_PPS C-APDU in full protection | > 80E00000181917CFB3C9E585DFA822E3FEC496406247C842647935E3EF00 | Data field contains encrypted data and CMAC. See §2 of [8] for the detailed calculation. |
| 9 | ISO14443-4_RATS_PPS R-APDU in full protection | < 983A7DF82021274B40FC3919E00F7269C330BD2316DAD8299000 | Response data field contains encrypted data and CMAC. |
| 10 | Plain response of the card after CMAC verification and decryption | = 010000067577810280 | See §2 of [8] for the detailed calculation. |
| 11 | ISO14443-4_Exchange command for application selection | = 80EC0000045A12345600 | The command APDU in plain. It now requires calculation of secure messaging. |
| 11 | ISO14443-4_Exchange C-APDU for application selection in full protection mode | > 80EC00000002000018B73D246612CF9FB04C61089DBD45DF3A00 | Data field contains encrypted data and CMAC. See §2 of [8] for the detailed calculation. |
| 12 | ISO14443-4_Exchange R-APDU in full protection | < 80EC000018B73D246612CF9FB04C61089DBD45DF3A06FD8224F07FFF3800 | Response data field contains encrypted data and CMAC. |
| 13 | Plain response of the card after CMAC verification and decryption | = 00 | See §2 of [8] for the detailed calculation. |
| 14 | DESFire_AuthenticatePICC command | = 80DA00000303020400 | The command APDU in plain. It now requires calculation of secure messaging. |
| 15 | DESFire_AuthenticatePICC C-APDU in full protection mode | > 80DA000018A352C73F5AEDBA175FBED58CA83F2500F3616AC0732A74E800 | Data field contains encrypted data and CMAC. See §2 of [8] for the detailed calculation. |
| 16 | DESFire_AuthenticatePICC R-APDU in full protection mode | < 2B2972077BE6D0E79000 | Only CMAC, as that command has no response data. |
| 17 | Verify the CMAC | = 2B2972077BE6D0E7 | See §2 of [8] for the detailed calculation. |
| 18 | DESFire_WriteX command in plain | = 80D30038123D010000000A00000102030405060708091000 | Writing 10 bytes (01020304050607080910) to file 01 and at offset 0. |
| 19 | DESFire_WriteX C-APDU in full protection mode. | > 80D3003828283BB2DBF563F405DDD0AA65E45863CF9C3ADD68667C06CED221652FCB601DF04518399BB15DF57500 | See §2 of [8] for the detailed calculation. |
| 20 | DESFire_WriteX R-APDU in full protection mode. | < 0938B4429A7FCDA29000 | Only CMAC, as that command has no response data. |
| 21 | Verify the CMAC | = 0938B4429A7FCDA2 | See §2 of [8] for the detailed calculation. |
| 22 | DESFire_ReadX command in plain | = 80D200300B0A0000BD010000000A000000 | Reading 10 bytes from file 1 at offset 0. |
| 23 | DESFire_ReadX C-APDU in full protection mode. | > 80D20030188EAFB3DF0999FDF926255B661C2411BABA9788D8BB65B88F00 | See §2 of [8] for the detailed calculation. |
| 24 | DESFire_ReadX R-APDU in full protection mode. | < FEBE6CB3F57860A92DFFE7774913D303544C5BDB3B81B2C59000 | Response data field = encrypted data and CMAC. |
| 25 | After verification of CMAC and decryption | = 01020304050607080910 | The data read from the DESFire file. |


4 References
1. Data sheet – MIFARE SAM AV3, document number DS3235xx.
2. System guidance manual – MF4SAM30 (MIFARE SAM AV3), document number xx.
3. Data sheet – MIFARE Plus, document number 1637xx.
4. Application note – AN12695 – MIFARE SAM AV3 – Quick Start up Guide, document number 5210xx, https://www.nxp.com/docs/en/application-note/AN12695.pdf
5. Application note – AN5212 – MIFARE SAM AV3 – Key Management and Personalization, document number 5212xx.
6. Application note – Symmetric Key Diversifications, document number 1653xx.
7. Application note – AN5217 – MIFARE SAM AV3 for MIFARE Classic, document number AN5217xx.
8. Application note – AN12704 – MIFARE SAM AV3 Host communication, document number 5213xx, https://www.nxp.com/docs/en/application-note/AN12704.pdf
9. Data sheet – MFRC523, Contactless Reader IC.


5 Legal information

5.1 Definitions

Draft — The document is a draft version only. The content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included herein and shall have no liability for the consequences of use of such information.

5.2 Disclaimers

Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors. In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory. Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors’ aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

Right to make changes — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer’s own risk.

Applications — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification. Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer’s sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer’s applications and products planned, as well as for the planned application and use of customer’s third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products. NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer’s applications or products, or the application or use by customer’s third party customer(s). Customer is responsible for doing all necessary testing for the customer’s applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer’s third party customer(s). NXP does not accept any liability in this respect.

Export control — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.

Evaluation products — This product is provided on an “as is” and “with all faults” basis for evaluation purposes only. NXP Semiconductors, its affiliates and their suppliers expressly disclaim all warranties, whether express, implied or statutory, including but not limited to the implied warranties of non-infringement, merchantability and fitness for a particular purpose. The entire risk as to the quality, or arising out of the use or performance, of this product remains with customer. In no event shall NXP Semiconductors, its affiliates or their suppliers be liable to customer for any special, indirect, consequential, punitive or incidental damages (including without limitation damages for loss of business, business interruption, loss of use, loss of data or information, and the like) arising out the use of or inability to use the product, whether or not based on tort (including negligence), strict liability, breach of contract, breach of warranty or any other theory, even if advised of the possibility of such damages. Notwithstanding any damages that customer might incur for any reason whatsoever (including without limitation, all damages referenced above and all direct or general damages), the entire liability of NXP Semiconductors, its affiliates and their suppliers and customer’s exclusive remedy for all of the foregoing shall be limited to actual damages incurred by customer based on reasonable reliance up to the greater of the amount actually paid by customer for the product or five dollars (US$5.00). The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails of its essential purpose.

Translations — A non-English (translated) version of a document is for reference only. The English version shall prevail in case of any discrepancy between the translated and English versions.

5.3 Licenses

ICs with DPA Countermeasures functionality

NXP ICs containing functionality implementing countermeasures to Differential Power Analysis and Simple Power Analysis are produced and sold under applicable license from Cryptography Research, Inc.

5.4 Trademarks

Notice: All referenced brands, product names, service names and trademarks are the property of their respective owners.

MIFARE — is a trademark of NXP B.V.
DESFire — is a trademark of NXP B.V.
MIFARE Plus — is a trademark of NXP B.V.
MIFARE Ultralight — is a trademark of NXP B.V.
MIFARE Classic — is a trademark of NXP B.V.


Tables
Tab. 1. C-APDU:
Tab. 2. R-APDU:
Tab. 3. All X functionalities commands
Tab. 4. Default “Register Set 0” storage
Tab. 5. Register Set for ISO/IEC 14443 Type A
Tab. 6. Example of RC_LoadRegisterValueSet
Tab. 7. Example of RC_Init
Tab. 8. Example of RC_RFControl
Tab. 9. Example of ISO14443-3_ActivateIdle
Tab. 10. Example of ISO14443-3_TransparentExchange
Tab. 11. MF_Authenticate Example
Tab. 12. MF_Read Example
Tab. 13. MF_Write Example
Tab. 14. MF_ValueWrite Example
Tab. 15. MF_Increment Example
Tab. 16. MF_Decrement Example
Tab. 17. MF_AuthenticateRead Example
Tab. 18. MF_AuthenticateWrite Example
Tab. 19. MF_ChangeKey Example
Tab. 20. RATS_PPS Example
Tab. 21. ISO14443-4_PresenceCheck Example
Tab. 22. Example of Select Application command
Tab. 23. Example of MIFARE DESFire Read native APDU
Tab. 24. Example of Wrapping of DESFire Native APDU
Tab. 25. Example of MIFARE DESFire EV1 Authentication
Tab. 26. Example of DESFire_ChangeKeyPICC
Tab. 27. Example of DESFire_WriteX Command for writing to a data file
Tab. 28. Example of DESFire_ReadX Command for reading a data file
Tab. 29. Example of DESFire_ReadX Command for reading a data file with chaining
Tab. 30. Example of MFP_WritePerso
Tab. 31. Example of MFP_Authenticate
Tab. 32. Example of MFP_CombinedRead
Tab. 33. Example full protection Host communication for MIFARE DESFire EV1


Figures
Fig. 1. Architecture in X interface
Fig. 2. Reader with MIFARE SAM AV3
Fig. 3. Detail I2C interface
Fig. 4. X interface command-sequence for MIFARE product family
Fig. 5. RF behavior with RC_RFControl command
Fig. 6. Specific logical channel is assigned in ISO/IEC14443-4
Fig. 7. ISO14443-4_Exchange Command APDU for DESFire
Fig. 8. Wrapping of DESFire Native APDU in ISO14443-4_Exchange APDU
Fig. 9. Secure messaging adds security in the communication between SAM and Host


Contents
1 Introduction
1.1 Scope
1.2 Abbreviation
1.3 Examples presented in this document
1.4 X interface
2 X interface
2.1 MIFARE SAM AV3, X interface
2.2 Initializing the X interface
3 X interface functions
3.1 RF Controller IC Control commands
3.1.1 RC_LoadRegisterValueSet
3.1.2 RC_Init
3.1.3 RC_RFControl
3.2 ISO14443-3 type A card activation commands
3.2.1 ISO14443-3_ActivateIdle
3.2.2 ISO14443-3_TransparentExchange
3.3 MIFARE Commands
3.3.1 MF_Authenticate
3.3.2 MF_Read
3.3.3 MF_Write
3.3.4 MF_ValueWrite
3.3.5 MF_Increment
3.3.6 MF_Decrement
3.3.7 MF_AuthenticateRead
3.3.8 MF_AuthenticateWrite
3.3.9 MF_ChangeKey
3.4 Preparing the proximity chips for T=CL half duplex transmission
3.4.1 ISO14443-4_RATS_PPS
3.4.2 ISO14443-4_PresenceCheck
3.5 Accessing MIFARE DESFire
3.5.1 Selecting MIFARE DESFire Application
3.5.2 MIFARE DESFire Read command
3.5.3 DESFire_AuthenticatePICC
3.5.4 DESFire_ChangeKeyPICC
3.5.5 DESFire_WriteX
3.5.6 DESFire_ReadX
3.6 Accessing MIFARE Plus
3.6.1 MFP_WritePerso
3.6.2 MFP_Authenticate
3.6.3 MFP_CombinedRead
3.7 Use of Secure Messaging
3.7.1 Secure Messaging example for MIFARE DESFire EV1
4 References
5 Legal information

Please be aware that important notices concerning this document and the product(s)
described herein, have been included in section 'Legal information'.

© NXP B.V. 2020. All rights reserved.


For more information, please visit: http://www.nxp.com
For sales office addresses, please send an email to: [email protected]
Date of release: 10 January 2020
Document identifier: AN12705
Document number: 521911
