INTEGRATED CIRCUITS
`
`Standard 4 kByte Card IC
`MF1 IC S70
`Functional Specification
`
`Product Specification
`Revision 3.1
`PUBLIC
`
`Philips
`Semiconductors
`
`October 2002
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 1 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`CONTENTS
`1
`FEATURES ...........................................................................................................................3
`MIFARE RF Interface (ISO/IEC 14443 A) .............................................................................3
`1.1
`1.2
`EEPROM...............................................................................................................................3
`1.3
`Security .................................................................................................................................3
`2
`GENERAL DESCRIPTION.....................................................................................................4
`2.1
`Contactless Energy and Data Transfer...................................................................................4
`2.2
`Anticollision............................................................................................................................4
`2.3
`User Convenience .................................................................................................................4
`2.4
`Security .................................................................................................................................4
`2.5
`Multi-application Functionality ................................................................................................4
`2.6
`Delivery Options.....................................................................................................................5
`3
`FUNCTIONAL DESCRIPTION ...............................................................................................5
`3.1
`Block Description ...................................................................................................................5
`3.2
`Communication Principle........................................................................................................6
`3.2.1
`ANSWER TO REQUEST .......................................................................................................6
`3.2.2
`ANTICOLLISION LOOP.........................................................................................................6
`3.2.3
`SELECT CARD......................................................................................................................6
`3.2.4
`3 PASS AUTHENTICATION ..................................................................................................6
`3.2.5 MEMORY OPERATIONS.......................................................................................................7
`3.3
`Data Integrity .........................................................................................................................7
`3.4
`Security .................................................................................................................................7
`3.4.1
`THREE PASS AUTHENTICATION SEQUENCE ....................................................................7
`3.5
`RF Interface...........................................................................................................................7
`3.6
`Memory Organisation.............................................................................................................8
`3.6.1 MANUFACTURER BLOCK ....................................................................................................9
`3.6.2 DATA BLOCKS......................................................................................................................9
`3.6.3
`SECTOR TRAILER..............................................................................................................10
`3.7
`Memory Access ...................................................................................................................11
`3.7.1
`ACCESS CONDITIONS.......................................................................................................12
`3.7.2
`Access Conditions for the Sector Trailer...............................................................................13
`3.7.3
`Access Conditions for Data Areas ........................................................................................14
`4
`DEFINITIONS ......................................................................................................................15
`5
`LIFE SUPPORT APPLICATIONS.........................................................................................15
`6
`REVISION HISTORY...........................................................................................................16
`Contact Information...........................................................................................................................18
`
` MIFARE is a registered trademark of Philips Electronics N.V.
`
`printed 2002-10-11
`
`2
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 2 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`1 FEATURES
`
`1.1 MIFARE RF Interface (ISO/IEC 14443 A)
`
`• Contactless transmission of data and supply
`energy (no battery needed)
`• Operating distance: Up to 100mm (depending
`on antenna geometry)
`• Operating frequency: 13.56 MHz
`• Fast data transfer: 106 kbit/s
`• High data integrity: 16 bit CRC, parity, bit
`coding, bit counting
`• True anticollision
`• Typical ticketing transaction: < 100 ms (including
`backup management)
`
`1.2 EEPROM
`
`• 4 Kbyte, organised in 32 sectors with 4 blocks
`and 8 sectors with 16 blocks (one block consists
`of 16 bytes)
`• User definable access conditions
`memory block
`• Data retention of 10 years.
`• Write endurance 100.000 cycles
`
`for each
`
`1.3 Security
`
`(ISO/IEC
`
`three pass authentication
`• Mutual
`DIS9798-2)
`• Data encryption on RF-channel with replay
`attack protection
`Individual key set per sector (per application) to
`support multi-application with key hierarchy
`• Unique serial number for each device
`• Transport key protects access to EEPROM on
`chip delivery
`
`•
`
`printed 2002-10-11
`
`3
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 3 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`2 GENERAL DESCRIPTION
`
`2.3 User Convenience
`
`Philips has developed the mifare MF1 IC S70 to be
`used
`in contactless smart cards according
`to
`ISO/IEC 14443 A. The communication
`layer
`complies to parts 2 and 3 of the ISO/IEC 14443 A
`standard. The security layer supports the field-
`proven CRYPTO1 stream cipher for secure data
`exchange of the mifare classic family.
`
`2.1 Contactless Energy and Data Transfer
`
`In the mifare system, the MF1 IC S70 is connected
`to a coil with a few turns and then embedded in
`plastic to form the passive contactless smart card.
`No battery is needed. When the card is positioned in
`the proximity of the Proximity Coupling Device
`(PCD) antenna, the high speed RF communication
`interface allows to transmit data with 106 kbit/s.
`
`2.2 Anticollision
`
`An intelligent anticollision function allows to operate
`more than one card in the field simultaneously. The
`anticollision algorithm selects each card individually
`and ensures that the execution of a transaction with
`a selected card is performed correctly without data
`corruption resulting from other cards in the field.
`
`The mifare system is designed for optimal user
`convenience. The high data transmission rate for
`example allows complete ticketing transactions to be
`handled in less than 100ms. Thus, the mifare card
`user is not forced to stop at PCD antenna leading to
`a high throughput at gates and reduced boarding
`times onto busses. The mifare card may also
`remain in the wallet during the transaction, even if
`there are coins in it.
`
`2.4 Security
`
`Special emphasis has been placed on security
`against
`fraud. Mutual challenge and response
`authentication, data
`ciphering and message
`authentication checks protect the system from any
`kind of tampering and thus make it attractive for
`electronic purse applications. Serial numbers, which
`can not be altered, guarantee the uniqueness of
`each card.
`
`2.5 Multi-application Functionality
`
`The mifare system offers real multi-application
`functionality comparable
`to
`the
`features of a
`processor card. Two different keys for each sector
`support systems using key hierarchies.
`
`mifare card
`contacts La , Lb
`
`4 turns wire coil
`
`MF1 IC S70 chip
`
`Energy
`
` Data
`
`mifare card PCD
`
`printed 2002-10-11
`
`4
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 4 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`2.6 Delivery Options
`
`• Die on wafer:
`• Bumped die on wafer:
`• Chip Card Module:
`
`MF1ICS70W/V5D
`MF1ICS70W/V4D
`MF1MOA2S70/D
`
`3 FUNCTIONAL DESCRIPTION
`
`3.1 Block Description
`
`The MF1 IC S70 chip consists of the 4 Kbytes
`EEPROM, the RF-Interface and the Digital Control
`Unit. Energy and data are transferred via an
`antenna, which consists of a coil with a few turns
`directly connected to the MF1 IC S70. No further
`external components are necessary. (For details on
`antenna design please refer
`to
`the document
`mifare (Card) Coil Design Guide.)
`
`• RF-Interface:
`– Modulator/Demodulator
`– Rectifier
`– Clock Regenerator
`– Power On Reset
`– Voltage Regulator
`• Anticollision: Several cards in the field may be
`selected and operated in sequence
`Preceding
`any memory
`• Authentication:
`operation the authentication procedure ensures
`that access to a block is only possible via the
`two keys specified for each block
`• Control & Arithmetic Logic Unit: Values are
`stored in a special redundant format and can be
`incremented and decremented
`• EEPROM-Interface
`• Crypto unit: The field-proven CRYPTO1 stream
`cipher of the mifare classic family ensures a
`secure data exchange
`• EEPROM: 4 Kbytes are organised in 32 sectors
`with 4 blocks each and 8 sectors with 16 blocks
`each. One block contains 16 bytes. The last
`block of each sector is called “sector trailer”,
`which
`contains
`two
`secret
`keys
`and
`programmable access conditions
`for each
`sector.
`
`RF-Interface
`
`Digital Control Unit
`
`EEPROM
`
`Anti-
`collision
`
`Authenti-
`cation
`
`Control & ALU
`
`EEPROM-
`Interface
`
`Crypto
`
`antenna
`
`printed 2002-10-11
`
`5
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 5 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.2 Communication Principle
`
`3.2.3 SELECT CARD
`
`The commands are initiated by the PCD and
`controlled by
`the Digital Control Unit of
`the
`MF1 IC S70 according to the access conditions valid
`for the corresponding sector.
`
`3.2.1 ANSWER TO REQUEST
`
`After Power On Reset (POR) of a card it can answer
`to a request command - sent by the PCD to all cards
`in the antenna field - by sending the answer to
`request code (ATQA according to ISO/IEC 14443A).
`
`3.2.2 ANTICOLLISION LOOP
`
`In the anticollision loop the serial number of a card is
`read. If there are several cards in the operating
`range of the PCD, they can be distinguished by their
`unique serial numbers and one can be selected
`(select card) for further transactions. The unselected
`cards return to the standby mode and wait for a new
`request command.
`
`POR
`
`Transaction Sequence
`
`Request Standard
`
`Request All
`
`Anticollision Loop
`Get Serial Number
`
`Select Card
`
`3 Pass Authentication
`sector specific
`
`Read
`Block
`
`Write
`Block
`
`Decre-
`ment
`
`Incre-
`ment
`
`Re-
`store
`
`Halt
`
`Transfer
`
`With the select card command the PCD selects one
`individual card
`for authentication and memory
`related operations. The card returns the Answer To
`Select (ATS) code (=18h), which determines the
`type of the selected card. Please refer to the
`document mifare Standardized Card Type
`Identification Procedure for further details.
`
`3.2.4 3 PASS AUTHENTICATION
`
`After selection of a card the PCD specifies the
`memory location of the following memory access
`and uses the corresponding key for the 3 pass
`authentication procedure. After a successful
`authentication all memory operations are encrypted.
`
`Typical Transaction Time
`Identification and Selection
`Procedure
`3 ms without collision
` + 1 ms for each collision
`
`Authentication Procedure
`2 ms
`
`Memory Operations
`2.5 ms
`read block
`6.0 ms write block
`
`printed 2002-10-11
`
`6
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 6 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`After transmission of the first random challenge the
`communication between card and PCD is encrypted.
`
`3.5 RF Interface
`
`The RF-interface is according to the standard for
`contactless proximity smart cards ISO/IEC 14443 A.
`The carrier field from the PCD is always present
`(with short pauses when transmitting), because it is
`used for the power supply of the card.
`For both directions of data communication there is
`only one start bit at the beginning of each frame.
`Each byte is transmitted with a parity bit (odd parity)
`at the end. The LSB of the byte with the lowest
`address of the selected block is transmitted first. The
`maximum frame length is 163 bits (16 data bytes + 2
`CRC bytes = 16 * 9 + 2 * 9 + 1 start bit).
`
`3.2.5 MEMORY OPERATIONS
`
`After successful authentication any of the following
`operations may be performed:
`
`•
`
`• Read block
`• Write block
`• Decrement:Decrements the contents of a block
`and stores the result in an internal data-register
`Increment: Increments the contents of a block
`and stores the result in an internal data-register
`• Restore: Moves the contents of a block into the
`internal data-register
`• Transfer: Writes the contents of the internal
`data-register to a block
`
`3.3 Data Integrity
`
`Following mechanisms are implemented in the
`contactless communication link between PCD and
`card to ensure very reliable data transmission:
`• 16 bits CRC per block
`• Parity bits for each byte
`• Bit count checking
`• Bit coding to distinguish between "1", "0", and no
`information
`• Channel monitoring (protocol sequence and bit
`stream analysis)
`
`3.4 Security
`
`To provide a very high security level a three pass
`authentication according to ISO 9798-2 is used.
`3.4.1 THREE PASS AUTHENTICATION
`SEQUENCE
`
`a) The PCD specifies the sector to be accessed
`and chooses key A or B.
`b) The card reads the secret key and the access
`conditions from the sector trailer. Then the card
`sends a random number as the challenge to the
`PCD (pass one).
`c) The PCD calculates the response using the
`secret key and additional input. The response,
`together with a random challenge from the
`PCD, is then transmitted to the card (pass two).
`d) The card verifies the response of the PCD by
`comparing it with its own challenge and then it
`calculates the response to the challenge and
`transmits it (pass three).
`e) The PCD verifies the response of the card by
`comparing it to its own challenge.
`
`printed 2002-10-11
`
`7
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 7 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.6 Memory Organisation
`
`The 4 kByte EEPROM memory is organised in 32
`sectors with 4 blocks and in 8 sectors with 16
`blocks. One block consists of 16 bytes.
`
`In the erased state the EEPROM cells are read as a
`logical “0”, in the written state as a logical “1”.
`
`Sector
`39
`
`32
`
`31
`
`0
`
`Block
`15
`14
`13
`..
`..
`2
`1
`0
`..
`..
`..
`15
`14
`13
`..
`..
`2
`1
`0
`3
`2
`1
`0
`..
`..
`..
`3
`2
`1
`0
`
`Byte Number within a Block
`0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Description
`Sector Trailer 39
`Key A
`Access Bits
`Key B
`Data
`Data
`..
`..
`Data
`Data
`Data
`..
`..
`..
`Sector Trailer 32
`Data
`Data
`..
`..
`Data
`Data
`Data
`Sector Trailer 31
`Data
`Data
`Data
`..
`..
`..
`Sector Trailer 0
`Data
`Data
`Manufacturer Data
`
`Key A
`
`Access Bits
`
`Key B
`
`Key A
`
`Access Bits
`
`Key B
`
`Key A
`
`Access Bits
`
`Key B
`
`printed 2002-10-11
`
`8
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 8 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.6.1 MANUFACTURER BLOCK
`
`This is the first data block (block 0) of the first sector
`(sector 0). It contains the IC manufacturer data. Due
`to security and system requirements this block is
`
`write protected after having been programmed by
`the IC manufacturer at production.
`
`MSB
`x
`
`x
`
`x
`
`x
`
`x
`
`x
`
`x
`
`LSB
`x
`
`Byte
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`Manufacturer Data
`
`3.6.2.1 Value Blocks
`
`The value blocks allow to perform electronic purse
`functions (valid commands: read, write, increment,
`decrement, restore, transfer).
`The value blocks have a fixed data format which
`permits error detection and correction and a backup
`management.
`A value block can only be generated through a write
`operation in the value block format:
`• Value: Signifies a signed 4-byte value. The
`lowest significant byte of a value is stored in the
`lowest address byte. Negative values are stored
`in standard 2´s complement format. For reasons
`of data integrity and security, a value is stored
`three
`times,
`twice non-inverted and once
`inverted.
`• Adr: Signifies a 1-byte address, which can be
`used to save the storage address of a block,
`when
`implementing
`a
`powerful
`backup
`management. The address byte is stored four
`times, twice inverted and non-inverted. During
`increment, decrement, restore and
`transfer
`operations the address remains unchanged. It
`can only be altered via a write command.
`
`0 S
`
`erial Number
`Check Byte
`
`3.6.2 DATA BLOCKS
`
`Sectors 0 .. 31 contain 3 blocks and sectors 32 .. 39
`contain 15 blocks for storing data. (Sector 0 contains
`only two data blocks and the read-only manufacturer
`block).
`The Data blocks can be configured by the access
`bits as
`read/write blocks for e.g. contactless access
`•
`control or
`for e.g. electronic purse
`value blocks
`applications, where additional commands like
`increment and decrement for direct control of the
`stored value are provided.
`An authentication command has to be carried out
`before any operation in order to allow further
`commands.
`
`•
`
`Byte Number
`Description
`
`0
`
`1
`2
`Value
`
`3
`
`4
`
`5
`6
`Value
`
`7
`
`8
`
`9
`10
`Value
`
`11
`
`12
`Adr
`
`13
`14
`15
`Adr Adr Adr
`
`printed 2002-10-11
`
`9
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 9 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.6.3 SECTOR TRAILER
`
`Each sector has a sector trailer. Due to the memory
`configuration of the MF1 IC S70 this sector trailer is
`located in block 3 of each sector in the first two
`kByte of the NV-memory respectively in block 15 of
`each sector in the upper 2 kByte of the 4 kByte NV-
`memory.
`Each sector trailer holds the
`secret keys A and B (optional) of the sector,
`•
`which return logical “0”s when read and
`the access conditions for all blocks of that
`sector, which are stored in bytes 6 .. 9. The
`access bits also specify the type (read/write or
`value) of the data blocks.
`
`•
`
`If key B is not needed, the last 6 bytes of the sector
`trailer can be used as data bytes.
`Byte 9 of the sector trailer is available for user data.
`For this byte apply the same access rights as for
`byte 6, 7 and 8.
`
`Byte Number
`Description
`
`0
`
`1
`
`2
`3
`Key A
`
`4
`
`5
`
`6
`
`7
`8
`Access Bits
`
`9
`
`10
`
`11
`12
`13
`14
`Key B (optional)
`
`15
`
`printed 2002-10-11
`
`10
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 10 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.7 Memory Access
`
`Before any memory operation can be carried out,
`the card has to be selected and authenticated as
`described previously.
`
`The possible memory operations for an addressed
`block depend on the key used and the access
`conditions stored in the associated sector trailer.
`
`POR
`
`Change of Sector
`
`Identification and Selection Procedure
`
`Change of Sector
`(RC17X, RC5XX based PCDs)
`
`Authentication Procedure
`
`New Command without
`Change of Sector
`
`Halt
`
`Memory Operations
`Value Block
`Read, Write, Increment, Decrement, Transfer, Restore
`
`Read/Write Block
`Read, Write
`
`Memory Operations
`Operation
`Read
`Write
`Increment
`
`Decrement
`
`Transfer
`
`Restore
`
`Description
`reads one memory block
`writes one memory block
`increments the contents of a
`block and stores the result in the
`data register
`decrements the contents of a
`block and stores the result in the
`data register
`writes the contents of the data
`register to a block
`reads the contents of a block into
`the data register
`
`Valid for Block Type
`read/write, value and sector trailer
`read/write, value and sector trailer
`value
`
`value
`
`value
`
`value
`
`printed 2002-10-11
`
`11
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 11 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.7.1 ACCESS CONDITIONS
`
`The access conditions for the data area and the
`sector trailer are defined by 3 bits, which are stored
`non-inverted and inverted in the sector trailer of the
`specified sector.
`
`The access bits control the rights of memory access
`using the secret keys A and B. The access
`conditions may be altered, provided one knows the
`relevant key and the current access condition allows
`this operation.
`
`Note: In the following description the access bits are
`mentioned in the non-inverted mode only.
`
`The internal logic of the MF1 IC S70 ensures that
`the commands are executed only after an successful
`authentication procedure or never.
`
`Access Bits Valid Commands
`read, write
`C13 C23 C33
`→
`C12 C22 C32
`read, write, increment, decrement, transfer, restore →
`C11 C21 C31
`read, write, increment, decrement, transfer, restore →
`C10 C20 C30
`read, write, increment, decrement, transfer, restore →
`
`Description
`sector trailer
`data area1
`data area1
`data area1
`
`3
`2
`1
`0
`
`Byte Number
`
`0
`
`1
`
`2
`3
`Key A
`
`4
`
`5
`
`6
`
`7
`8
`Access Bits
`
`9
`
`10
`
`11
`12
`13
`14
`Key B (optional)
`
`15
`
`Bit 7
`C23
`
`C13
`
`C33
`
`6
`C22
`
`C12
`
`C32
`
`5
`C21
`
`C11
`
`C31
`
`4
`C20
`
`C10
`
`C30
`
`3
`C13
`
`C33
`
`C23
`
`2
`C12
`
`C32
`
`C22
`
`1
`C11
`
`C31
`
`C21
`
`0
`C10
`
`C30
`
`C20
`
`Byte 6
`Byte 7
`Byte 8
`Byte 9
`
`Note: With each memory access the internal logic
`verifies the format of the access conditions. If it
`detects a format violation the whole sector is
`irreversible blocked.
`
`
`1 Note: For the first 32 sectors (first 2 Kbytes of NV-memory) the
`access conditions can be set individually for a data area sized
`one block.
`For the last 8 sectors (upper 2 Kbytes of NV-memory) access
`conditions can be set individually for a data area sized 5 blocks.
`
`printed 2002-10-11
`
`12
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 12 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.7.2 ACCESS CONDITIONS FOR THE SECTOR
`TRAILER
`
`Depending on the access bits for the sector trailer
`the read/write access to the keys and the access
`bits is specified as ‘never’, ‘key A’, ‘key B’ or
`‘key A|B’ (key A or key B).
`
`On chip delivery the access conditions for the sector
`trailer and key A are predefined as
`transport
`configuration. Since key B may be read in transport
`configuration, new cards must be authenticated with
`key A.
`
`Since the access bits themselves can also be
`blocked, special care should be
`taken during
`personalization of cards.
`
` Remark
`
` KEYB
` read
` write
`
` key A
` key A Key B may be read
` key A
` never
` Key B may be read
` never
` key B
`
` Access condition for
` Access bits
` KEYA
` read
` write
` read
` write
` never
` key A key A
` never
` never
` never
` key A
` never
` never
` key B
` key
` never
`A|B
` key
`A|B
` key A key A
`
` never
`
` never
`
` never
`
` never
`
` never
`
`
`
` key A Key B may be read, transport
`configuration
` key B
`
` key A key A
`
` key B never
`
` Access bits
`
` C1 C2 C3
` 0
` 0
` 0
` 0
` 1
` 0
` 1
` 0
` 0
`
` 1
`
` 0
`
` 0
`
` 1
`
` 1
`
` 1
`
` 0
`
` 1
`
` 0
`
` 1
`
` 0
`
` 1
`
` 1
`
` 1
`
` 1
`
` never
`
` never
`
` key B
`
` never
`
` never
`
` never
`
` never
`
` key
`A|B
` key
`A|B
` key
`A|B
`
` key B never
`
` never
`
` never
`
` never
`
` never
`
`
`
`
`
`printed 2002-10-11
`
`13
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 13 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`3.7.3 ACCESS CONDITIONS FOR DATA AREAS
`
`Depending on the access bits for data blocks
`(blocks 0 .. 2,
`respectively blocks
` 0 .. 14)
`the
`read/write access is specified as ‘never’, ‘key A’,
`‘key B’ or ‘key A|B’ (key A or key B). The setting of
`the relevant access bits defines the application and
`the corresponding applicable commands.
`• Read/Write block: The operations read and write
`are allowed.
`the additional value
`• Value block: Allows
`operations increment, decrement, transfer and
`restore. In one case (‘001’) only read and
`decrement are possible for a non-rechargeable
`card. In the other case (‘110’) recharging is
`possible by using key B.
`• Manufacturer block: The read-only condition is
`not affected by the access bits setting!
`• Key management: In transport configuration
`key A must be used for authentication!1
`
` Access bits
` C1 C2 C3
`
` 0
` 0
` 1
` 1
` 0
` 0
` 1
` 1
`
` 0
` 1
` 0
` 1
` 0
` 1
` 0
` 1
`
` 0
` 0
` 0
` 0
` 1
` 1
` 1
` 1
`
` Read
`
` key A|B1
` key A|B1
` key A|B1
` key A|B1
` key A|B1
` key B1
` key B1
` never
`
` Access condition for
` write
` increment
`
` Key A|B1
` Never
` Key B1
` Key B1
` Never
` Key B1
` Never
` Never
`
` key A|B1
` never
` never
` key B1
` never
` never
` never
` never
`
` decrement,
`transfer,
`restore
` key A|B1
` never
` never
` key A|B1
` key A|B1
` never
` never
` never
`
` Application
`
`
` transport configuration
` read/write block
` read/write block
` value block
` value block
` read/write block
` read/write block
` read/write block
`
`
` 1 If Key B may be read in the corresponding Sector Trailer it
`cannot serve for authentication (all grey marked lines in previous
`table). Consequences: If the RDW tries to authenticate any block
`of a sector with key B using grey marked access conditions, the
`card will refuse any subsequent access after authentication.
`
`printed 2002-10-11
`
`14
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 14 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`4 DEFINITIONS
`
`Data sheet status
`Objective specification This data sheet contains target or goal specifications for product development.
`Preliminary specification This data sheet contains preliminary data; supplementary data may be
`published later.
`This data sheet contains final product specifications.
`
`Product specification
`Limiting values
`Limiting values given are in accordance with the Absolute Maximum Rating System (IEC 134). Stress
`above one or more of the limiting values may cause permanent damage to the device. These are stress
`ratings only and operation of the device at these or at any other conditions above those given in the
`Characteristics section of the specification is not implied. Exposure to limiting values for extended
`periods may affect device reliability.
`Application information
`Where application information is given, it is advisory and does not form part of the specification.
`
`5 LIFE SUPPORT APPLICATIONS
`
`These products are not designed for use in life support appliances, devices, or systems where malfunction of
`these products can reasonably be expected to result in personal injury. Philips customers using or selling
`these products for use in such applications do so on their own risk and agree to fully indemnify Philips for
`any damages resulting from such improper use or sale.
`
`printed 2002-10-11
`
`15
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 15 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`6 REVISION HISTORY
`
`Table 1 Functional Specification MF1 IC S70 Revision History
`REVISION DATE CPCN Chp.
`
`DESCRIPTION
`
`3.1
`
`3.0
`
`2.0
`
`1.2
`
`1.1
`
`1.0
`
`October
`2002
`
`Nov
`2001
`October
`2001
`August
`2001
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`Security Status Changed to PUBLIC
`
`3.2.3
`
`Product Version
`ATS=18hex
`Preliminary Version
`
`Updated Wording
`
`Update of Document Layout
`
`Initial version.
`
`printed 2002-10-11
`
`16
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 16 of 18
`
`

`

`Philips Semiconductors
`
`Product Specification Rev. 3.1 October 2002
`
`Functional Specification
`
`Standard Card IC MF1 IC S70
`
`NOTES
`
`printed 2002-10-11
`
`17
`
`PUBLIC
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 17 of 18
`
`

`

`Philips Semiconductors - a worldwide company
`
`Contact Information
`
`For additional information please visit http://www.semiconductors.philips.com.Fax: +31 40 27 24825
`For sales offices addresses send e-mail to: sales.addresses@www.semiconductors.philips.com.
`
`© Koninklijke Philips Electronics N.V. 2002
`
` SCA74
`
`All rights are reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner.
`The information presented in this document does not form part of any quotation or contract, is believed to be accurate and reliable and may be changed
`without any notice. No liability will be accepted by the publisher for any consequence of its use. Publication thereof does not convey nor imply any license
`under patent- or other industrial or intellectual property rights.
`
`Philips
`Semiconductors
`
`GOOG-1018
`GOOGLE LLC v. RFCYBER CORP. / Page 18 of 18
`
`