MF1PLUS6011DA4/02 - NXP Semiconductors

1. General description

Migrate classic co ntactless smart card systems to the next security level! MIFARE Plus

brings benchmark security to mainstream contactless smart card applications. It is the

only mainstream IC compatible with MIFARE Classic 1K (MF1ICS50) and MIFARE

Classic 4K (MF1ICS70) which offers an upgrade path for existing infrastructure and

services.

After the security upgrade, MIFARE Plus uses AES-128 (Advanced Encryption Standard)

for authentication, data integrity and encryption. MIFARE Plus is based on open global

standar ds for both air interface and cryptographic methods at the highest security level.

MIFARE Plus is available in two versions: MIFARE Plus X and MIFARE Plus S.

•The MIFARE Plus X (MF1PLUSx0y1, described in this data sheet) offers more

flexibility to optimize the command flow for speed and confidentiality. It of fers a rich

feature set including proximity checks against relay attacks.

•The MIFARE Plus S (MF1SPLUSx0y1)is the standard version for straight forward

migration of MIFARE Classic systems. It is configured to offer high data integrity.

2. Features and benefits

2 kB or 4 kB EEPROM

Simple fixed memory structure compatible with MIFARE Classic 1K and

MIFARE Classic 4K

Memory structure identical to MIFARE Classic 4K (sectors, blocks)

Access conditions freely configurable

Supports ISO/IEC 14443-31 unique serial number (4-byte or 7-byte), optional support

of random IDs

Multi-sector authentication, Multi-block read and write

AES-128 used for authenticity, confidentiality and integrity

Anti-tearing mechanism for writing AES keys

Keys can be stored as MIFARE CRYPTO1 keys (2 × 48-bit per sector) and as AES

keys (2 × 128-bit per sector)

Full support of virtual card concept

Proximity check

Communicatio n speed up to 848 kbit/s

MF1PLUSx0y1

Mainstream contactless smart card IC for fast and easy

solution development

Rev. 3.1 — 19 April 2010

163531 Product short data sheet

PUBLIC

1. ISO/IEC 14443-x used in this data sheet refers to ISO/IEC 14443 Type A.

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 2 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

Number of single write operations: 200000 cycles (typical)

Common Criteria Certification: EAL4+

3. Applications

Public transportation

Access management such as employee, school or campus cards

Electronic toll collection

Closed loop micro payment

Car parking

Internet cafés

Loyalty programs

4. Quick reference data

[1] Measured with LCR meter.

Table 1. Quick reference data

Symbol Parameter Conditions Min Typ Max Unit

Ciinput capacitance Tamb = 22 °C; fi = 13.56

MHz; 2.8 V RMS [1] 15.0 17.0 19.04 pF

fiinput frequency - 13.56 - MHz

EEPROM characteristics

tret retention time Tamb = 22 °C10--year

Nendu(W) write endurance Tamb = 22 °C; excluding

anti-tearing for AES keys or

sector trailers in security

level 3

100000 200000 - cycle

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 3 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

5. Ordering information

Table 2. Orderi ng information

Type number Package

Commercial

name Name Description Version

MF1PLUS8001DUD/03 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

4 kB EEPROM, 7-byte UID, L1 card

MF1PLUS8001DA4/03 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 4 kB EEPROM, 7-byte UID, L1 card SOT500-2

MF1PLUS8011DUD/03 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

4 kB EEPROM, 4-byte UID, L1 card

MF1PLUS8021DUD/03 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

4 kB EEPROM, 4-byte UID, UID0 = XFh

according to ISO/IEC 14443-3, L1 card

MF1PLUS8011DA4/03 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 4 kB EEPROM, 4-byte UID, L1 card SOT500-2

MF1PLUS8021DA4/03 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 4 kB EEPROM, 4-byte UID,

UID0 = XFh according to ISO/IEC 14443-3, L1

card

SOT500-2

MF1PLUS6001DUD/03 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

2 kB EEPROM, 7-byte UID, L1 card

MF1PLUS6001DA4/03 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 2 kB EEPROM, 7-byte UID, L1 card SOT500-2

MF1PLUS6011DUD/03 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

2 kB EEPROM, 4-byte UID, L1 card

MF1PLUS6021DUD/03 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

2 kB EEPROM, 4-byte UID, UID0 = XFh

according to ISO/IEC 14443-3, L1 card

MF1PLUS6011DA4/03 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 2 kB EEPROM, 4-byte UID, L1 card SOT500-2

MF1PLUS6021DA4/03 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 2 kB EEPROM, 4-byte UID,

UID0 = XFh according to ISO/IEC 14443-3, L1

card

SOT500-2

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 4 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

6. Block diagram

MF1PLUS8001DUD/13 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

4 kB EEPROM, 7-byte UID, no security level 1 or

2, L3 card

MF1PLUS8001DA4/13 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 4 kB EEPROM, 7-byte UID, no

security level 1 or 2, L3 card

SOT500-2

MF1PLUS6001DUD/13 FFC - 8 inch wafer (sawn; 120 µm thickness, on film

frame carrier; electronic fail die marking

according to SECS-II format) see Ref. 3,

2 kB EEPROM, 7-byte UID, no security level 1 or

2, L3 card

MF1PLUS6001DA4/13 MOA4 PLLMC plastic leadless module carrier package; 35 mm

wide tape, 2 kB EEPROM, 7-byte UID, no

security level 1or 2, L3 card

SOT500-2

Table 2. Orderi ng information …continued

Type number Package

Commercial

name Name Description Version

Fig 1. Block diagram

001aah389

INTERFACE

UART

ISO/IEC

14443A

AES CRYPTO

CO-PROCESSOR

CPU/LOGIC UNIT CRC

EEPROMRAMROM

TRUE RANDOM

NUMBER

GENERATOR

CRYPTO1

SECURITY

SENSORS

POWER ON

RESET

VOLTAGE

REGULATOR

CLOCK

INPUT FILTER

RESET

GENERATOR

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 5 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

7. Pinning information

7.1 Smart card contactless module

Fig 2. Contact assignments for SOT500-2 (MOA4 )

Table 3. Bonding pad assignments to smart card contactless module

Contactless interface module MF1PLUSx0y1DA4/03 and /13

Antenna contacts Symbol Description

LA LA antenna coil connection LA

LB LB antenna coil connection LB

001aaj82

LA LBtop view

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 6 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

8. Functional description

8.1 Memory organization

The 4 kB EEPROM memory (MF1PLUS80x) is organized in 32 sectors of 4 blocks and in

8 sectors of 16 blocks. The 2 kB EEPROM memory (MF1PLUS60x) is organized in

32 sectors of 4 block s .

One block consists of 16 bytes.

8.1.1 Manufacturer block

The first data block (block 0) of the first sector (sector 0) contains the PICC manufacturer

data. This block is programmed and write protected during the production test.

8.1.2 Data blocks

Sectors 0Dto 31D contain 3 blocks each and sectors 32Dto 39D cont ain 15 blocks for data

storage. The data blocks can be configured using the access bits as:

•read/write blocks for storing binary data

•value blocks (only available in security level 1)

(1) CRYPTO1 key A in security level 0, 1, 2; plain text access byte in security level 3

Fig 3. Memory organization

001aaj843

SECTOR BLOCK DESCRIPTION0

15 CRYPTO1 key A access bytes

BYTE NUMBERS WITHIN A BLOCK

CRYPTO1 key B or data

CRYPTO1 key A access bytes CRYPTO1 key B or data

...

sector trailer 39

data

...

data

sector trailer 32

data

...

data

...

sector trailer 31

...

data

sector trailer 0

data

manufacturer data0

1 2 3 4 5(1) 6 7 8 9 10 11 12 13 14 15

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 7 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

Value blocks are special counters where the stored value can be manipulated with

specific comma nd s suc h as M F In cre m ent, MF Decrement and M F Transfer.

These value blocks have a fixed data format enabling error detection and correction with

backup management to be performed.

The MIFARE Plus X provides two further commands which can be used to optimize

performance when using value blocks. These are:

•MF Increment Decrement

•MF Decrement Transfer

A successful mutual authentication is required to allow any data operation.

8.1.2.1 Access condi ti on s

The access conditions for every data block and the sector trailer itself are stored in the

sector trailer of the corresponding sector.

The access bits control the rights of memory operations using the secret keys A and B.

The access conditions may be altered after authentication with the relevant key and the

current access condition allows this operation.

Furthermore, value blocks are configured using the access bits.

8.1.3 AES keys

AES keys are not shown in the memory map. The keys are stored on top of the other data

and can be updated and used by referencing the Key Number. In security level 3,

anti-tearing is supported for the update of AES keys as well as for the update of the sector

trailer. In security level 2, anti-tearing is supported only for the update of AES keys. This

anti-tearing mechanism is done by the PICC itself. The EEPROM stays in a defined

status, even if the PICC is removed from the electromagnetic field during the write

operation.

8.1.4 Proximity check

The security level 3 offers a feature to verify that the PICC is in close proximity to the

PCD. This functionality can be used to effectively prevent relay attacks.

The proximity check is based on a pr ecise time measurement of challenge-response pairs

in combination with cryptographic methods.

8.1.5 Multi-sector authentication

A new feature has been provided in security level 2 and 3 for data which is spread over

multiple sectors to improve tran saction performance.

Providing that such sectors are secured with identical keys (key value and key type) only

one authentication is required to read and/or write data from these sectors. There is no

need to re-authenticate when accessing any data within th es e sec to rs. The r efo re it is

possible to configure a card in such a way that operating with only one authentication is

needed in security level 3 to access all sectors. The same applies also for security level 2

authentications (one is AES-based the other one is CRYPTO1-based)

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 8 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

8.1.6 Originality function

The originality function is implemented by an AES authentication with the originality key.

The authentication is performed in ISO/IEC 14443-4 protocol layer.

8.2 Card activation and communication protocol

The ISO/IEC 14443-3 anticollision mechanism allows for simultaneous handling of

multiple PICCs in the field. The anticollision algorithm selects each PICC individually and

ensures that execution of a transaction with a selected PICC is performed correctly

without data cor ruption from other PICCs in the field.

There are three different versions of the PICC. The first two have the UID programmed

into a locked part of the NV-memory reserve d for the manufacturer:

•the first is a unique 7-byte serial number

•the second is a unique 4-b yte ser i al num be r

Due to security and system requirements, these byte s ar e writ e- pr otected after being

programmed by the PICC manufa cturer at production.

The third version has a p seudo-unique ID according to ISO/IEC 14443-3 and uses the

XFh ID range.

The customer must decide which UID length to use when ordering the product, see

Table 2 for ordering information.

During person alization, the PICC can be con f igured to support Random ID in security

level 3. The user can co nfigure whethe r Random ID o r fixed UID shall be us ed. According

to ISO/IEC 14443-3 the first anticollision loop (see Ref. 5) returns the Random Number

Tag 08h, the 3-byte Rando m Number a nd the BCC, if Random ID is used. The retrieval of

the UID in this case can be done using the Virtual Card Support Last command, see

Ref. 3 or by reading out block 0.

8.2.1 Backwards compatibility protocol

The backwards compatibility of this product, as used in security level 1 and security

level 2, runs on the same protocol layer as MIFARE Classic 1K and MIFARE Classic 4K.

The protocol is formed out of the following components:

•Frame definition: according to ISO/IEC 14443-3

•Bit encoding: according to ISO/IEC 14443-2

•Error code handling: handling is proprietary as error codes are for matted in half bytes.

•Command specification: commands are p roprietary. Please use the specification as in

Ref. 1 and Ref. 2 and the additional commands which are only implemented in

MIFARE Plus as described in this document and in Ref. 3.

The following secur ity lev els ca n ru n on this pr ot oc ol:

•Security Level 0

•Security Level 1

•Security Level 2

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 9 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

8.2.2 ISO/IEC 14443-4 Protocol

The ISO/IEC 14443-4 Protocol (also known as T=CL) is used in many processor cards.

This protocol is used for the MIFARE Plus with the following security levels:

•Security Level 0: all commands

•Security Level 1: only the security level switch and originality function

•Security Level 2: updating AES keys and configuration blocks as well as the security

level switch and originality function

•Security Level 3: all commands

8.3 Security level switching

The MIFARE Plus X offers a unique feature to support migration from CRYPTO1 based

systems to AES based operation. The migration on the card-side is done using different

security levels supporting dif fere nt cryptograp hic algorithms and prot ocols. There are four

security levels:

•Security level 0: initial delivery configuration, used for card personalization

•Security level 1: backwards functional compatibility mode (with MIFARE Classic 1K

and MIFARE Classic 4K) with optional AES authentication

•Security level 2: 3-Pass authentication based on AES followed by MIF ARE CR YPTO1

authentication, communication secur ed by MIFARE CRYPTO1

The MIFARE CRYPTO1 uses session keys derived from the AES and MIFARE

CRYPTO1 authentication.

•Security level 3: 3-Pass authentication based on AES, data manipulation commands

secured by AES encryption and an AES based MACing method

If the card is a L3 card the Commit Perso command will switch the card directly from

security level 0 to security level 3 instead of security level 1.

The security level switching (i.e. from security level 1 to security level 3) is performed

using the dedicated AES authentication switching keys.

The security level can only be switched from a lower to a higher level, never in the

opposite direction.

8.4 Security level 0

Security level 0 is the initial delivery configuration of the PICC. The card can be operated

either using the backwards compatibility protocol or the ISO/IEC 14443-4 protocol.

In this level, the card can be personalized including the programming of user data as well

as CRYPTO1 and/or AES keys. In addition, the originality function can be used.

The following mandatory AES keys must be written, using the Write Perso command

before the PICC can be switched to security level 1 or security level 3 (for L3 card) .

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 10 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

Security level switching is performed using the Commit Perso command:

•Card Configuration Key

•Card Master Key

•Level 2 Switch Key (for L1 card)

•Level 3 Switch Key (for L1 card)

Using the originality function, it is possible to verify that the chip is a genuine

NXP Semiconductors MIFARE Plus.

8.5 Security level 1

Security level 1 offers the same functionality as a MIFARE Classic 1K and MIFARE

Classic 4K using the backwards compatibility protocol. The MIFARE Classic 1K and

MIFARE Classic 4K products are specified in Ref. 1 and Ref. 2.

Furthermore, an optional AES authentication is available in this level without af fecting the

MIF ARE Classic 1K and MIFARE Classic 4K functionality. The authenticity of the card can

be proven using strong cryptographic means with this additional functionality.

The timings may differ from the MIFARE Classic 1K and MI FARE Classic 4K pro duc ts.

Using the originality function, it is possible to verify that the chip is a genuine

NXP Semiconductors MIFARE Plus.

8.6 Security level 2

Security level 2 also offers the functionality of a MIFARE Classic 1K and MIFARE

Classic 4K using the backwards compatibility protocol. The significant difference

compared to security level 1 is that an AES authentication is mandatory and that the

CRYPTO1 keys are derived for each session using the results from the AES

authenticat i on , ra th er than be ing con stant for a spe c if ic sect or.

The timings may differ from the MIFARE Classic 1K and MI FARE Classic 4K pro duc ts.

In security level 2, the following keys are assigned to each sector:

•Two AES keys (key A and key B) these keys are also used in security level 3

two CRYPTO1 keys (key A and key B) these keys are also used in security level 1

The access conditions are set in the sector trailer as in MIFARE Classic 1K and MIFARE

Classic 4K.

Using the originality function, it is possible to verify that the chip is a genuine

NXP Semiconductors MIFARE Plus.

8.7 Security level 3

The operation in security level 3 is solely based on the ISO/IEC 14443-4 protocol layer.

The usage of the backwards compatibility protocol is not possible.

In security level 3, a mandatory AES authentication between PICC and reader is

conducted, where two keys are gen erated as a function of the random numbers from the

PICC and the reader as well as of the shared key.

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 11 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

These two session keys are used to secure the dat a which is exchanged on the interface

between the card and reader. One of the two keys is used to ensure the confidentiality of

the command and the respon se while the o the r key ensures th e in tegrity of the com mand

and the response.

The reader can decide which security needs to be used in the communication between

PICC and reader. In the simplest case, all commands are secure d by a MAC, such that

the PICC will only accept commands from the authenticated reader. Any message

tampering is detected by verifying the MAC. All responses are appended by a MAC to

prove to the reader that neither the command nor the response have been compromised.

If performance is the highest priority, the card can be configu red to omit th e MAC for re ad

commands. The card then accepts read commands without knowing whether they are

authentic. However, there is a mechanism to prove to the reader tha t the read response is

resulting from the unmodified read command that it sent.

Other commands, like write comman ds, always ne ed to ha ve a MAC appen ded to ensur e

that no memory changes are carried out without proving the authenticity of the command.

The reader can decide for each command whether a MAC is included in the response.

When the appropriate MAC is received, due to linked MACs the reader knows that the

command and commands before it were properly executed.

All commands between two consecutive First Authenticate commands belong to one

transaction and the MACing mechanism assures inte gr ity of th e wh ole tran sa ct ion .

If the MAC on read responses is omitted, the integrity of all read responses within one

session can still be verified by including a MAC on one read response before issuing the

next First or Following Authenticate command.

If performance matters more than confidentiality of the transaction, each data block in a

sector can be configured to allow or disallow sending/receiving plain data.

9. Look-up tables

9.1 Security level 0, 1, 2, 3: ISO/IEC 14443-3

Table 4. ISO/IEC 14443-3

Command Description

REQA the REQA and ATQA commands are fully implemented according to

ISO/IEC 14443-3

WUPA the WAKE-UP command is fully implemented according to

ISO/IEC 14443-3

ANTICOLLISION/SELECT

cascade level 1 the ANTICOLLISION and SELECT commands are fully implemented

according to ISO/IEC 14443-3. The response is part 1 of the UID.

ANTICOLLISION/SELECT

cascade level 2 for 7 byte

UID version

the ANTICOLLISION and SELECT commands are fully implemented

according to ISO/IEC 14443-3. The response is part 2 of the UID.

HALT the HALT command is fully implemented according to

ISO/IEC 14443-3

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 12 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

9.2 Security level 0, 1, 2, 3: ISO/IEC 14443-4

Please find more information on ISO/IEC 14443-3 in Ref. 5 as well as on the settings of

ATQA, SAK and ATS in Ref. 4.

9.3 Security level 0 command overview

9.4 Security level 1 command overview

Table 5. ISO/IEC 14443-4

Command Description

RATS the response to the RATS command identifies the PICC type to the

PCD.

PPS the PPS command allows individual selection of the

communication baud rate between PCD and PICC . It is possible

for MF1PLUSx0 to individually set the communication baud rate

independently for both directions i.e. MF1 PLUSx0 allows a

non-symmetrical information interchange speed.

DESELECT deselection according to ISO/IEC 14443-4.

Table 6. Security level 0 command overview

Command Description

Write Perso pre-personalization of AES keys and all blocks

Commit Perso switch to security level 1 (L1 card) or security level 3 (L3 card)

First Authenticate (part 1) first authenticate

Following Authenticate (part 1) following authenticate

Authenticate (part 2) second authentication step

Table 7. Security level 1 command overview

MF1ICS50xx, MF1ICS7 0xx,

MF1ICS20 xx commands Description

MF Authenticate key A authentication with key A

MF Authenticate key B authentication with key B

MF Read reading data

MF Write writing data

MF Increment incrementing a value

MF Decrement decrementing a value

MF Restore restoring a value

MF Transfer transferring a value

Commands using backwards compatibility protocol; see Section 8.2.1

Following Authenticate (part 1) following authenticate; pro to col used as described in

Section 8.2.1

Authenticate (part 2) second authentication step; protocol used as described in

Section 8.2.1

Command set for security level switch and originality function using ISO 14443-4 protocol

First Authenticate (part 1) first authenticate

Following Authenticate (part 1) following authenticate

Authenticate (part 2) second authentication step

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 13 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

9.5 Security level 2 command overview

9.6 Security level 3 command overview

Table 8. Security level 2 command overview

Command Description

Commands using backwards compatibility protocol; see Section 8.2.1

Following Authenticate (part 1) following authenticate

Authenticate (part 2) second authentication step

MF1ICS50xx, MF1ICS70xx commands

MF Authenticate Key A authentication with key A

MF Authenticate Key B authentication with key B

MF Read reading data

MF Write writing data

MF Decrement decrementin g a va lu e

MF Increment incrementing a value

MF Restore restoring a value

MF T ransfer transferring a value

Multi Block Read reading multiple blocks (up to sector length)

Multi Block Write writing multiple blocks (up to sector length)

Command set for updating AES keys and configuration bloc ks as well as security level

switch and originality function usin g ISO 14443-4

First Authenticate (part 1) first authenticat e

Following Authenticate (part 1) following authenticate

Authenticate (part 2) second authentication step

Write writing encrypted, no MAC on response, MAC on command

Write MACed writing encrypted, MAC on response, MAC on command

Table 9. Security level 3 command overview

Command Description

MIFARE Plus commands

First Authenticate (part 1) first authenticate

Following Authenticate (part 1) following authenticate

Authenticate (part 2) second authentication step

ResetAuth reset the authentication step

READ commands

Read reading encrypted, no MAC on response, MAC on command

Read MACed reading encrypted, MAC on response, MAC on command

Read Plain reading in plain, no MAC on response, MAC on command

Read Plain MACed reading in plain, MAC on response, MAC on command

Read UnMACed reading encrypted, no MAC on response, no MAC on command

Read UnMACed, Response

MACed reading encrypted, MAC on response, no MAC on command

Read Plain UnMACed reading in plain, no MAC on response, no MAC on command

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 14 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

Read Plain UnMACed,

Response MACed reading in plain, MAC on response, no MAC on command

Write commands

Write writing encrypted, no MAC on response, MAC on command

Write MACed writing encrypted, MAC on response, MAC on command

Write Plain writing in plain, no MAC on response, MAC on command

Write Plain MACed writing in plain, MAC on response, MAC on command

VALUE operations

Increment incrementing a value encrypted, no MAC on response, MAC on

command

Increment MACed incrementing a value encrypted, MAC on response, MAC on

command

Decrement decrementing a value encrypted , no MAC on response, MAC on

command

Decrement MACed decrementing a value encrypted, MAC on response, MAC on

command

Transfer transferring a value, no MAC on response, MAC on command

Transfer MACed transferring a value, MAC on response, MAC on command

Increment Transfer combined incrementing a nd transferring a value encrypted, no

MAC on response, MAC on command

Increment Transfer MACed combined incrementing and transferring a value encrypted, MAC

on response, MAC on command

Decrement Transfer combined decrementing and transferring a value encrypted, no

MAC on response, MAC on command

Decrement Transfer MACed combined decrementing and transferring a value encrypted, MAC

on response, MAC on command

Restore restoring a value, no MAC on response, MAC on command

Restore MACed restoring a value, MAC on response, MAC on command

Proximity check and virtual card concept

Prepare Proximity Check prepare for the proximity check

Proximity Check perform the precise measurement for the proximi ty check

Verify Proximity Check verify the proximity check

Virtual Card Support check, if the virtual card concept is supported

Virtual Card Support Last check if the virtual card concept is supported, communicate PCD

capabilities and retrieve the UID

Select Virtual Card select the virtual card

Deselect Virtual Card deselect the virtual card

Table 9. Security level 3 command overview …continued

Command Description

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 15 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

10. Limiting values

[1] Stresses above one or more of the limiting values may cause permanent damage to the device.

[2] Exposure to limiting values for extended periods may affect device reliability.

[3] MIL Standard 883-C method 3015; Human body model: C = 100 pF, R = 1.5 kΩ.

11. Abbreviations

Table 10. Limiting values

In accordance with the Absolute Maximum Rating System (IEC 60134).

Symbol Parameter Conditions Min Max[1][2] Unit

IIinput curren t - 30 mA

Ptot/pack total power dissipation per package - 200 mW

Tstg storage temp erature −55 125 °C

Tamb ambient temperature −25 70 °C

VESD electrostatic discharge voltage [3] 2- kV

Ilu latch-up current ±100 - mA

Table 11. Abbreviations

Acronym Description

AES Advanced Encryption Standard

ATQA Answer To reQuest

ATS Answer To Select

BCC Bit Count Check

EEPROM Electrically Erasable Programmable Read-Only Memory

LCR L = inductance, Capacitance, Resistance (LCR meter)

MAC Message Authentication Code

NV Non-Volatile memory

PCD Proximity Coupling Device (Contactless Reader)

PICC Proximity Integrated Circuit Card (Contactless Card)

PPS Protocol Parameter Selection

RATS Request Answer To Select

REQA REQuest Answer

SAK Select AcKnowledge, type A

SECS-II SEMI Equipment Communications Standard part 2

SEMI Semiconductors Equipment and Material s International

UID Unique IDentifier

VC Virtual Card, one MIFARE Plus PICC is one virtual card

WUPA Wake Up Protocol A

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 16 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

12. References

[1] Data sheet — MF1ICS50 Functional specification, BU-ID Doc. No. 0010**2.

[2] Data sheet — MF1ICS70 Functional specification, BU-ID Doc. No. 0435**.

[3] Data sheet — M1PLUSx0y1 MIFARE Plus functional specification, BU-ID Doc. No.

1637**.

[4] Application note — MIFARE Type identification procedure, BU-ID Doc. No. 1843**.

[5] Application note — ISO/IEC 14443 PICC selection, BU-ID Doc. No. 1308**.

[6] NIST Special Publication 800 -38A — Recommendation for block cipher modes of

operation: methods and techniques, 2001.

[7] NIST Special Publication 800 -38B — Recommendation for block cipher modes of

operation: The CMAC mode for authentication.

[8] ISO/IEC Standard — ISO/IEC 14443 Identification cards - contactless integrated

circuit cards - proximity cards.

[9] Recommendation for block cipher modes of operation: met hods and

techniques — FIPS PUB 197 ADVANCED ENCRYPTION STANDARD.

[10] ISO/IEC Standard — ISO/IEC 9797-1 Information technology - security techniques

- Message Authentication Codes (M ACs) - Part 1: Me chanism s using a bl ock cipher.

13. Revision history

2. ** ... document version number

Table 12. Revision history

Document ID Release date Data sheet status Ch ange notice Supersedes

MF1PLUSX0Y1_SDS_31 20100419 Product short data sheet - 163530

Modifications: •Minor text and standardization modifications

163530 20100211 Product short data sheet - 163512

Modifications: •Several editorial changes and content rephrasing

•Table 1 “Quick reference data: min. value of Ci modified

•Table 2 “Ordering information”: updated

•Section 14 “Legal information”: updated

163512 20090325 Objective short data sheet - 163511

Modifications: •New name for the product MIFARE Plus X

•General update

163511 20081113 Objective short data sheet - 163510

163510 20080919 Objective short data sheet - -

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 17 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

14. Legal information

14.1 Data sheet status

[1] Please consult the most recently issued document before initiating or completing a design.

[2] The term ‘short data sheet’ is explained in section “Definitions”.

[3] The product status of de vice(s) descr ibed in th is document m ay have cha nged since thi s document w as publish ed and may di ffe r in case of multiple devices. The latest product status

information is available on the Internet at URL http://www.nxp.com.

14.2 Definitions

Draft — The document is a draft version only. The content is still under

internal review and subject to formal approval, which may result in

modifications or additions. NXP Semiconductors does not give any

representations or warranties as to the accuracy or completeness of

information included herein and shall have no liab ility for the consequences of

use of such information.

Short data sheet — A short data sheet is an extract from a full data sheet

with the same product type number(s) and tit le. A short data sh eet is intended

for quick reference only and shou ld not b e relied u pon to cont ain det ailed and

full information. For detailed and full information see the relevant full data

sheet, which is available on request via the local NXP Semicond uctors sales

office. In case of any inconsistency or conflict with the short data sheet, the

full data sheet shall pre va il.

Product specificatio n — The information and data provided in a Product

data sheet shall define the specification of the product as agreed between

NXP Semiconductors and its customer, unless NXP Semiconductors and

customer have explicitly agreed otherwise in writing. In no event however,

shall an agreement be valid in which the NXP Semiconductors product is

deemed to off er functions and qualities beyond those described in the

Product data sheet.

14.3 Disclaimers

Limited warr a nty and liability — Information in this document is believed to

be accurate and reliable. However, NXP Semiconductors does not give any

representations or warrant ies, expressed or implied, as to the accuracy or

completeness of such information and shall have no liability for the

consequences of use of such information.

In no event shall NXP Semiconductors be liable for any indirect, incidental,

punitive, special or consequ ential damages (including - wit hout limitation - lost

profits, lost savings, business interruption, costs related to the removal or

replacement of any products or rework charges) whether or not such

damages are based on tort (including negligence), warranty, breach of

contract or any other legal theory.

Notwithstanding any damages that customer might incur for any reason

whatsoever, NXP Semiconductors’ aggregate and cumulat ive liability toward s

customer for the products described herein shall be limited in accordance

with the Terms and conditions of commercial sale of NXP Semiconductors.

Right to make changes — NXP Semiconductors reserves the right to make

changes to information published in this document, including without

limitation specifications and product descriptions, at any time and without

notice. This document supersedes and replaces all informa tion supplied prior

to the publication hereof .

Suitability for use — NXP Semiconductors products are not designed,

authorized or warranted to be suitable for use in medical, military, aircraft,

space or life support equipment, nor in applications where failure or

malfunction of an NXP Semiconductors product can reasonabl y be expected

to result in perso nal injury, death or severe property or environmental

damage. NXP Semiconductors accepts no liab ility for inclusion and/or use of

NXP Semiconductors products in such equipment or applications and

therefore such inclusion and/or use is at the customer’s own risk.

Applications — Applications that are described herein for any of these

products are for illustrative purposes only. NXP Semiconductors makes no

representation or warranty that such applications will be suitable for the

specified use without further testing or modification.

NXP Semiconductors does not accept any liability related to any default ,

damage, costs or problem which is based on a weakness or default in the

customer application /use or t he application/use of customer’s third party

customer(s) (hereinafter both referred to a s “A pplication”). It is customer’s

sole responsibility to check whether the NXP Semiconductors product is

suitable and fit for the Appl ica tion plann ed. Customer has to do all necessary

testing for the Application in order to avoid a default of the Application and t he

product. NXP Semiconductors does not accept any liability in this respect.

Limiting values — Stress above one or more limiting values (as defined in

the Absolute Maximum Ratings System of IEC 60134) will cause permanent

damage to the device. Limiting values are stress ratings only and (proper)

operation of the device at these or any other conditions above those given in

the Recommended operating conditions section (if present) or the

Characteristics sections of this document is not warranted. Constant or

repeated exposure to limiting values will permanently and irreversibly affect

the quality and reliability of the device.

Terms and conditions of commercial sale — NXP Semiconductors

products are sold subject to the general terms and conditions of commercial

sale, as published at http://www.nxp.com/profile/terms, unless otherwise

agreed in a valid written individua l agreement. In case an individual

agreement is concluded only the ter m s and conditions of the respective

agreement shall apply. NXP Semiconductors hereby expressly objects to

applying the customer’s general terms and conditions with regard to the

purchase of NXP Semiconductors products by customer.

No offer to sell or license — Nothing i n this document may be interpreted or

construed as an of fer t o sell product s that is open for accept ance or the gr ant,

conveyance or implication of any license under any copyrights, patents or

other industrial or inte llectual property rights.

Export control — This document as well as the item(s) described herein

may be subject to export control regulatio ns. Export might require a prior

authorization from national authorities.

Quick reference data — The Quick reference data is an extract of the

product data given in the Limiting values and Characteristics sections of this

document, and as such is not complete, exhaustive or legally binding.

Non-automotive qualified products — Unless this data sheet expressly

states that t his specific NXP Semiconductors product is automotive qualified,

the product is not suit ab le for aut omotive u se. It is neit her qua lifi ed n or test ed

in accordance with automotive testing or application requirement s. NXP

Semiconductors accepts no liability for inclu sio n and/or use of

non-automotive qualifie d products in automotive equipment or applications.

Document status[1][2] Product status[3] Definition

Objective [short] data sheet Development This document contains data from the objective specification for product development.

Preliminary [short] dat a sheet Qualification This document contains data from the preliminary specification.

Product [short] data sheet Production This document contains the product specification.

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 18 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

In the event that customer uses the product for design-in and use in

automotive applications to automot ive specifications and standards, custome r

(a) shall use the product without NXP Semiconductors’ warranty of the

product for such au tomotive applications, use and specifications, and (b)

whenever customer uses the product for automotive applications beyond

NXP Semiconductors’ specifications such use shall be solely at customer’s

own risk, and (c) customer fully indemnifies NXP Semiconductors for any

liability, damages or failed product claims resulting from customer design and

use of the product for automotive appl ications beyond NXP Semiconductors’

standard warrant y and NXP Semiconductors’ product specifications.

14.4 Licenses

14.5 Trademarks

Notice: All referenced b rands, produc t names, service names and trademarks

are the property of their respective ow ners.

MIFARE — is a trademark of NXP B.V.

MIFARE Plus — is a trademark of NXP B.V.

15. Contact information

For more information, please visit: http://www.nxp.com

For sales office addresses, please send an email to: salesaddresses@nxp.com

ICs with DPA Countermeasures functionality

NXP ICs containing functionality

implementing countermeasures to

Differential Power Analysis and Simple

Power Analysis are produced and sold

under applicable license from

Cryptography Research, Inc.

Product short data sheet

PUBLIC Rev. 3.1 — 19 April 2010

163531 19 of 20

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

16. Tables

Table 1. Quick reference data . . . . . . . . . . . . . . . . . . . . .2

Table 2. Ordering information . . . . . . . . . . . . . . . . . . . . .3

Table 3. Bonding pad assignments to smart card

contactless module. . . . . . . . . . . . . . . . . . . . . . .5

Table 4. ISO/IEC 14443-3 . . . . . . . . . . . . . . . . . . . . . . .11

Table 5. ISO/IEC 14443-4 . . . . . . . . . . . . . . . . . . . . . . .12

Table 6. Security level 0 command overview . . . . . . . . .12

Table 7. Security level 1 command overview. . . . . . . . . 12

Table 8. Security level 2 command overview. . . . . . . . . 13

Table 9. Security level 3 co mmand overview . . . . . . . . 13

Table 10. Limiting values . . . . . . . . . . . . . . . . . . . . . . . . 15

Table 11. Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . 15

Table 12. Revision history . . . . . . . . . . . . . . . . . . . . . . . . 16

17. Figures

Fig 1. Block diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

Fig 2. Contact assignments for SOT500-2 (MOA4). . . . .5

Fig 3. Memory organization . . . . . . . . . . . . . . . . . . . . . . .6

NXP Semiconductors MF1PLUSx0y1

Mainstream con tactless smart card IC

For more information, please visit: http://www.nxp.com

For sales office addresses, please send an email to: salesaddresses@nxp.com

Date of release: 19 April 2010

163531

Please be aware that important notices concerning this document and the product(s)

described herein, have been included in section ‘Legal information’.

18. Contents

1 General description. . . . . . . . . . . . . . . . . . . . . . 1

2 Features and benefits . . . . . . . . . . . . . . . . . . . . 1

3 Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

4 Quick reference data . . . . . . . . . . . . . . . . . . . . . 2

5 Ordering information. . . . . . . . . . . . . . . . . . . . . 3

6 Block diagram . . . . . . . . . . . . . . . . . . . . . . . . . . 4

7 Pinning information. . . . . . . . . . . . . . . . . . . . . . 5

7.1 Smart card contactless module . . . . . . . . . . . . 5

8 Functional description . . . . . . . . . . . . . . . . . . . 6

8.1 Memory organization . . . . . . . . . . . . . . . . . . . . 6

8.1.1 Manufacturer block. . . . . . . . . . . . . . . . . . . . . . 6

8.1.2 Data blocks. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

8.1.2.1 Access conditions. . . . . . . . . . . . . . . . . . . . . . . 7

8.1.3 AES keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

8.1.4 Proximity check . . . . . . . . . . . . . . . . . . . . . . . . 7

8.1.5 Multi-sector authentication . . . . . . . . . . . . . . . . 7

8.1.6 Originality function . . . . . . . . . . . . . . . . . . . . . . 8

8.2 Card activation and communication protocol . . 8

8.2.1 Backwards compatibility protocol . . . . . . . . . . . 8

8.2.2 ISO/IEC 14443-4 Protocol . . . . . . . . . . . . . . . . 9

8.3 Security level switching . . . . . . . . . . . . . . . . . . 9

8.4 Security level 0. . . . . . . . . . . . . . . . . . . . . . . . . 9

8.5 Security level 1. . . . . . . . . . . . . . . . . . . . . . . . 10

8.6 Security level 2. . . . . . . . . . . . . . . . . . . . . . . . 10

8.7 Security level 3. . . . . . . . . . . . . . . . . . . . . . . . 10

9 Look-up tables . . . . . . . . . . . . . . . . . . . . . . . . . 11

9.1 Security level 0, 1, 2, 3: ISO/IEC 14443-3 . . . 11

9.2 Security level 0, 1, 2, 3: ISO/IEC 14443-4 . . . 12

9.3 Security level 0 command overview . . . . . . . . 12

9.4 Security level 1 command overview . . . . . . . . 12

9.5 Security level 2 command overview . . . . . . . . 13

9.6 Security level 3 command overview . . . . . . . . 13

10 Limiting values. . . . . . . . . . . . . . . . . . . . . . . . . 15

11 Abbreviations. . . . . . . . . . . . . . . . . . . . . . . . . . 15

12 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

13 Revision history. . . . . . . . . . . . . . . . . . . . . . . . 16

14 Legal information. . . . . . . . . . . . . . . . . . . . . . . 17

14.1 Data sheet status . . . . . . . . . . . . . . . . . . . . . . 17

14.2 Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

14.3 Disclaimers. . . . . . . . . . . . . . . . . . . . . . . . . . . 17

14.4 Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

14.5 Trademarks. . . . . . . . . . . . . . . . . . . . . . . . . . . 18

15 Contact information. . . . . . . . . . . . . . . . . . . . . 18

16 Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

17 Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

18 Contents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20