IT 18 047
Examensarbete 30 hp
September 2018
Vicinity Integrated Circuit
Card Emulation of ISO15693 in
NFC Devices
Elmar van Rijnswou
Teknisk- naturvetenskaplig fakultet UTH-enheten Besöksadress: Ångströmlaboratoriet Lägerhyddsvägen 1 Hus 4, Plan 0 Postadress: Box 536 751 21 Uppsala Telefon: 018 – 471 30 03 Telefax: 018 – 471 30 00 Hemsida: http://www.teknat.uu.se/student
Abstract
Vicinity Integrated Circuit Card Emulation of
ISO15693 in NFC Devices
Elmar van Rijnswou
This thesis describes the work flow of integrating a new digital design in an existing integrated circuit, the SN100V designed by NXP. The new digital design enables the SN100V for emulating ISO 15693 card, which is not available yet in any near field radio device. ISO 15693 is used at skiing lifts for example, and a NFC device could replace the card for access in such situations. The timings and response times are derived from the specifications of ISO 15693. The SN100V currently is unable to respond in time. This is solved by running two different phase locked loops in parallel, one for the accuracy that’s needed by other standards, and one that can lock quickly so that the SN100V can start receiving ISO 15693 frames within the required time. Furthermore the system requires two more modules, a demodulator and transmitter. The demodulator can decode both 1-out-of-4 and 1-out-of-256 encodings. Both are used by a reader device, where the latter is the slower one. The transmission of ISO 15693 is done with both analogue shift keying and frequency shift keying. The required bit rates were not supported, thus a new bit rate generator was
implemented. Also, there was no support for frequency shift keying whatsoever, so this functionality also had to be implemented. After implementation the whole system was tested and verified using loopback tests, which shorts the transmitting end with the receiving end. As there was no support for frequency shift keying demodulation, it had to be done visually and measuring the timing. In the end everything was verified, and the new timing constraints were met.
IT 18 047
Contents
1 Introduction 1
1.1 ICode, RFID, NFC . . . 1
1.1.1 Communication . . . 2
1.2 Scope and Contributions . . . 2
2 Requirements 5 2.1 ISO 15693 reception . . . 5 2.1.1 Encoding . . . 5 2.1.1.1 1-out-of-4 . . . 6 2.1.1.2 1-out-of-256 . . . 7 2.1.2 Symbols . . . 8 2.1.2.1 Start of Frame . . . 8 2.1.2.2 End of Frame . . . 8 2.2 ISO 15693 transmission . . . 9 2.2.1 Modulation . . . 9 2.2.2 Symbols . . . 9
2.2.2.1 Other data speeds . . . 10
2.2.2.2 Data . . . 10 2.2.2.3 Start of Frame . . . 12 2.2.2.4 End of Frame . . . 12 2.3 Command timing . . . 13 2.4 Response times . . . 14 3 Architecture 17 3.1 Current architecture . . . 17 3.2 Clock . . . 18 3.2.1 Clock Generation . . . 18
3.2.1.2 Digital Phase Locked Loop (DPLL) . . . 19
3.2.1.3 All Digital Phase Locked Loop (ADPLL) . . . 20
3.2.2 Proposed Clock Flow . . . 20
3.2.2.1 Clock switching . . . 23 3.3 ISO 15693 Receiver . . . 24 3.3.1 Demodulation . . . 25 3.4 ISO 15693 Transmitter . . . 27 3.4.0.1 Bitrate . . . 27 3.4.1 Modulation . . . 27
3.4.1.1 Frequency Shift Keying (FSK) . . . 30
4 Verification 31 4.1 Verification Strategy . . . 31
4.1.1 Universal Verification Methodology . . . 31
4.1.1.1 Analogue model . . . 31 4.1.1.2 CPU . . . 32 4.2 Simulations . . . 32 4.2.1 ISO 15693 Transmitter . . . 32 4.2.1.1 ASK transmission . . . 33 4.2.1.2 FSK transmission . . . 33 4.2.2 Receiver Loop-back . . . 33 4.2.2.1 1 out of 256 encoding . . . 34 4.2.2.2 1 out of 4 encoding . . . 34 4.2.3 Clock domain . . . 35 4.2.3.1 Clock generation . . . 35 4.2.3.2 Clock switching . . . 35
5 Summary and Concluding Remarks 37 Bibliography 40 A Simulation Results 43 A.1 Transmitter simulations . . . 43
A.1.1 Amplitude Shift Keying at 6 kbit/s . . . 44
A.1.2 Amplitude Shift Keying at 53 kbit/s . . . 45
A.1.5 Frequency Shift Keying at 6 kbit/s . . . 48
A.1.6 Frequency Shift Keying at 26 kbit/s . . . 49
A.2 Reception simulations . . . 50
A.2.1 1-out-of-4 . . . 51
A.2.2 1-out-of-256 . . . 52
A.3 Clock generation simulations . . . 53
A.3.1 Startup . . . 54
A.3.2 Switch to ADPLL . . . 55
Acronyms
ADPLL All Digital Phase Locked Loop. 15–18, 20, 31
ALM Active Load Modulation. 2
ASK Amplitude Shift Keying. 7, 8, 33
DPLL Digital Phase Locked Loop. 15–18, 20, 31
EoF End of Frame. 5, 10–12
FSK Frequency Shift Keying. 7, 14, 24, 27
HFO High Frequency Oscillator. 15, 17, 20
IC Integrated Circuit. 1, 14, 15
NFC Near Field Communication. 1, 14, 31
PLL Phase Locked Loop. 15–18, 31, 33
PLM Passive Load Modulation. 2
RFID Radio Frequency Identification. 1, 15
SoF Start of Frame. 4–6, 9, 12, 33
VCD Vicinity Coupling Device. 2–7, 9–12, 33
VCO Voltage Controlled Oscillator. 16
Chapter 1
Introduction
An increasing amount of applications are shifting towards a wireless and contactless domain. Hotel room access[1], payment and skiing lifts[2] are some of the many examples. Keys in hotels are getting replaced by contactless cards, payments at shops can often be done by the touch of a card, and the skiing lift can grant access depending on whether an access card is being carried or not. All these examples make use of Radio Frequency Identification (RFID). However they use different technologies. Both the payment and hotel room access are examples of proximity cards, meaning that the distance over which can be communicated is relatively small ( 10 cm). The skiing lift uses vicinity cards, which have as advantage that the communication range is larger (up to 150 cm), at the cost of a lower data speed. Proximity card functionality is slowly being transferred to smartphones, which allows payment with the phone rather than a card. Near Field Communication (NFC) chips of phones manage both reading and emulating of cards. However not all card types are implemented yet. Emulation of vicinity cards is not available yet in NFC devices. To enable vicinity card emulation, new functionality will have to be added. In order to save time, this functionality will be added to an already existing Integrated Circuit (IC)s. NXP Semiconductors, which is one of the leading companies in designing such ICs, has been chosen to implement this functionality in. Their latest RFID IC, SN100V, is being used by large semiconductor and smartphone companies. Because of physical limitations for a big antenna in a phone, the range will not be able to exceed 10 cm.
1.1
ICode, RFID, NFC
specified to be used for communications closer than 10cm and finds it’s applications in contactless payment or other applications that require higher levels of security at a high data speed. MiFare is a proximity standard following ISO/IEC 14443[4]. ICode is an extension on ISO/IEC 15693[5][6][7] developed by NXP. It offers higher a data speed than ISO/IEC 15693 does, and provides extra security functionality.
1.1.1
Communication
ISO 15693 uses a magnetic field as communication medium requiring a reader device, Vicinity Coupling Device (VCD), and a card IC, Vicinity Integrated Circuit Card (VICC). The VCD both initiates communication and provides power to the VICC. The VCD initiates communication by emitting a magnetic field, which powers on the VICC, and transmits a request to see whether there are devices around. The VICC uses this field as a source of energy, and modulates the signal. With traditional cards the VICC uses Passive Load Modulation (PLM), by switching a load at the antenna. As the VICC and VCD are inductively coupled, this will generate a current in the tag. The tag can adjust the load, and adjust the current with it. This changes the perturbation of the magnetic field which in turn can creates side-band frequencies. These are coupled into the antenna of the VCD which can detect the signal and decode it. However PLM requires a large antenna, which is not available in smartphones. Another communication approach is Active Load Modulation (ALM). With ALM the VICC has it’s own power source, making it independent of the magnetic field. And instead of coupling the received signal, it generates the side-band frequencies itself, which allows for a much smaller antenna.
1.2
Scope and Contributions
Chapter 2
Requirements
To transfer binary data over the air, we will have to encode it first. This is a way to describe the binary data. The inverse function of modulation is also called demodula-tion. ICode is a superset of ISO 15693, adding new commands and three faster data rate speeds on top of it. Detailed specifications of the physical requirements of ISO 15693 can be found in [5], modulation can be found in [6] and protocol can be found in [7]. In order to define the line between firmware and hardware it is important to know the timings for the data rate and response times. The requirements for ISO 15693 differ between Receiver and Transmitter. Both using their own modulation scheme, which are explained below.
2.1
ISO 15693 reception
The reader device, VCD, decides which modulation technique and coding scheme will be used. The card IC, VICC, should be compliant with each, in ISO 15693 described, techniques and schemes. The modulation and data symbols used are described below.
2.1.1
Encoding
The VCD transmits data trough amplitude modulation. There are two different am-plitude indices available that a reader could use. It can either use a 100% modulation index, or a 10% modulation index. The modulation index represents the amplitude at which the magnetic field will be emitted. There are two different encoding schemes available; both making use of a Pulse Position Modulation (PPM) technique, 1-out-of-256 and 1-out-of-4. With 1-out-of-1-out-of-256 the VCD will send 1-out-of-256 successive time periods where each period is 256/fcµs as the fc is 13.56MHz, this yields with a period of
Table 2.1: Timing of all the 1-out-of-4 00 01 10 11 T1VCD (µs) 9.44 28.32 47.20 66.08
T1VCD (pulses) 128 384 640 896
data rate of 1/(4.883 ∗ 10−6) ∗ 8 = 1.66kbit/s. With 1-out-of-4 it will send a four sequences of 75.72µs for one byte, which brings the encoding symbol rate of fc/512
can be reached. This results in a data rate of 26.48 kbits/s.
The data encoding is also decided by the VCD and the card should support both. The VCD indicates the coding trough different Start of Frame (SoF) sequences.
2.1.1.1 1-out-of-4
For 1-out-of-4 PPM there are four different symbols. Every symbol represents 2 bits, to compose a byte 4 different symbols would be required. Below in Fig. 2.1 the timing of sending ’00’ is seen. For symbols ’01’, ’10’, ’11’ the time TVCD1 is adjusted.
Figure 2.1: Transmission of one byte, 0 decimal, with 1-out-of-4
Further timing of the other symbols can be found in table 2.1. As an example in Fig. 2.2 the binary string ’11100100’ is encoded.
2.1.1.2 1-out-of-256
With 1-out-of-256 an entire byte is encoded at once. There are 512 periods of 9.44 µs, where every period but one is modulated. The unmodulated period denotes the complete byte value. The unmodulated period is always following a modulated period. This means that the start of a 1-out-of-256 byte always start with a modulated signal.
Figure 2.3: Transmission of a complete byte, 225 decimal, with 1-out-of-256
In Fig. 2.3 above the timing fo a complete byte from the 1-out-of-256 PPM can be seen. In Fig. 2.4 the time period is seen up close, here it can also be seen that the unmodulated period is following a modulated period.
2.1.2
Symbols
ISO 15693 uses framing for transmitting and receiving data. This means that there will be an indication when an amount of data will be sent, and when the data ends. This is done by dedicated symbols, SoF and End of Frame (EoF) symbols. These denote the start and end of data. In ISO 15693 the SoF also gives information about the coding mode that the VCD will be using.
2.1.2.1 Start of Frame
As mentioned earlier, there are two different coding sets for the VCD. The 1-out-of-256 data coding mode, and 1-out-of-4 data coding mode. The coding set that will be used by the VCD is denoted with a different kind of SoF. In Fig. 2.5 the SoF for a 1-out-of-4 coding scheme is seen.
Figure 2.5: Timing for start of frame when selecting 1-out-of-4 pulse position modu-lation for VCD to VICC communication
And in Fig. 2.6 the SoF of a 1-out-of-256 can be seen.
Figure 2.6: Timing for start of frame when selecting 1-out-of-256 pulse position mod-ulation for VCD to VICC communication
2.1.2.2 End of Frame
Figure 2.7: End of frame timing for VCD to VICC communication
2.2
ISO 15693 transmission
Once the data has been demodulated, and processed, the card should be ready to respond. The response is done on the field that the reader generates, but with a different modulation than the reader emits. Instead of PPM, the card uses both Amplitude Shift Keying (ASK) and Frequency Shift Keying (FSK), where symbols are encoded with Manchester transitions and subcarrier.
2.2.1
Modulation
With the ASK modulation a high means a modulated period, and a low means an unmodulated period. The duration each period depends on the data rate. A logic ’0’ starts with a modulated period of T1, after which it will have a unmodulated period equally long to T1. An example with a high speed data rate can be seen in Fig. 2.8. A logic ’1’ has the same principle, however the unmodulated and modulated period are now switched around Fig. 2.9. With FSK modulation the VICC switches between two different sub-carrier frequencies, where a high is presented by the slower sub-carrier frequency fc/28 = 484.28kHz and a low is presented by the faster
sub-carrier frequency fc/32 = 423.75. For a logic ’0’ at the high data rate, 8 pulses of
the slow clock will be modulated, after which the clock is switched and 9 more pulses follow Fig. 2.10. The logic ’1’ follows the same strategy as the logic ’0’, however with the logic ’1’ the faster sub-carrier frequency is presented first, followed by the slower one Fig. 2.11. FSK supports only two speeds, a high speed and a low speed. The speeds differ slightly to that of the ASK and can be seen in table 2.4. The timing in the images given below are all for the in ISO 15693 defined high data rate, unless specified otherwise.
2.2.2
Symbols
Table 2.2: Timing for other data rates
T1 (in µs) T2(in µs) T3(in µs) Data rate (in kbit/s) Low speed 75.52 151.04 226.56 6.62
High Speed 18.88 37.76 56.64 26.48 ICode x2 9.44 18.88 28.32 52.97 ICode x4 4.72 9.44 14.16 105.94 ICode x8 2.36 4.72 7.08 211.88
2.2.2.1 Other data speeds
Other data rates and timings for ASK can be seen in table 2.3.
Table 2.3: Timing and pulse count for both speeds Low speed High speed T4 (µs) 75.52 18.88 T4 (pulses) 32 8 T5 (µs) 74.32 18.58 T5 (pulses) 36 9 T6 (µs) 151.04 37.76 T6 (pulses) 68 17 T7 (µs) 226.56 56.64 T7 (pulses) 96 24 T8 (µs) 223 55.75 T8 (pulses) 108 27 Data rate (kbit/s) 6.67 26.69
2.2.2.2 Data
Amplitude Shift Keying
Table 2.4: Timing frequency shift keying. Bit time (in µs) Data rate (in kbit/s) Low speed 149.84 151.04
Figure 2.8: Logic ’0’ modulated with ASK
Figure 2.9: Logic ’1’ modulated with ASK
Frequency Shift Keying
Figure 2.10: Logic ’0’ modulated with FSK
2.2.2.3 Start of Frame
Amplitude Shift Keying The SoF symbol is build out of three periods. First there is an unmodulated period of T3 long, after which a modulated period equally long to T3 takes place, and lastly a logic ’1’ is sent Fig. 2.12.
Figure 2.12: SoF symbol from VICC to VCD communication
Frequency Shift Keying The start of frame is indicated by switching between the subcarrier frequencies. First there will be a period of T8 with the fc/28 subcarrier,
followed by period T7 with the slower fc/32 subcarrier, and finally a logic ’1’ is sent
Fig. 2.13.
Figure 2.13: Logic ’1’ modulated with FSK at a high data rate
2.2.2.4 End of Frame
Amplitude Shift Keying The EoF is equal to the start of frame symbol, however it is mirrored. First a logic ’0’ is sent, then there is a modulated period of T3, and an unmodulated period equally long to T3 Fig. 2.14.
followed by period T7 with the slower fc/32 subcarrier, and finally there will be a
period of T8 with the fc/28 subcarrier Fig. 2.15.
Figure 2.15: Logic ’1’ modulated with FSK at a high data rate
2.3
Command timing
Besides from data timings, the VCD also expects responses from the VICC within a pre defined time. This time is depending on a few aspects, read commands should always be sent within the times specified below. For writing commands it depends on the header settings from the VCD. In Fig. 2.16 two scenarios where the VCD sends requests to a VICC can be seen, one in which the VICC responds and one where no response is received. The VCD starts with sending a requests, after which the VICC should respond within tp1, which has to be within 323.3µs, but not before
318.6µs have passed. This is equal to 4384 and 4320 pulses of the carrier wave fc
consecutively. The VICC synchronizes this timing on the rising edge of the EoF from the VCD. Once the VICC has transmitted its response, the VCD waits an period of tp2 before sending out the next request. The period tp2 is synchronized upon
reception of the EoF of the VICC and lasts minimally 309.2µs which is equal to 4192 pulses of the carrier wave fc.
If no cards are available, or the requested card is not available, the VCD will wait a time of minimal Tp3. Tp3 is evaluated as the maximum value of Tp1, 323.3µs, plus
VCD
VICC
RequestVCD
Response Tp1 Tp2 RequestVCD
RequestVCD
No response Tp3 RequestFigure 2.16: Timings for requests other than write requests
For write requests it depends on the option flag in the header. If the option flag is not set the VICC has to reply within 20 ms, but not before 320.9µs has passed. It also should respond after periods of 302µs. However if the option flag is set, the VICC shall wait with sending a response when it receives a EoF from the VCD.
2.4
Response times
Gathered from the chapter before, the timing constraints can be obtained. When support from ISO 15693 is desired, the system should be able to send a single bit within 4.72 µs, and an entire byte is sent in 8 ∗ 4.72 = 37.76µs. The system should be ready to send the required data from a request within 323.3µs of the rising edge from the EoF of the VCD. Considering the rising edge of the EoF happens 9.44µs before the end of symbol, and the SoF from the VICC lasts minimally T3 + T3 + T2 of ICode x8, the data should be ready within 323.3 − 9.44 + 7.08 + 7.08 + 4.72 = 332.74µs. This is however only for read and inventory commands. For write commands the timings are defined differently depending on the settings.
Chapter 3
Architecture
The current architecture of SN100V is the latest iteration of the NFC ICs. Now that the requirements are obtained, the shortcomings can be seen, and improvements can be carried out on the current architecture. First the shortcomings will be highlighted in the current architecture after which improvements will be suggested.
3.1
Current architecture
The biggest drawbacks with the current architecture are the lack of a pulse position modulation demodulation, FSK, and response higher than 1 ms. Pulse position mod-ulation is supported, for reader devices. FSK is not supported at all, both in encoding as well as decoding. And there is no way of having a reliable clock signal in less than 3 ms, whereas the ISO 15693 standard should be able to receive after 1 ms of field activation.
The demodulation happens within the Signal Processing (SigPro) card mode module. Here the waveforms should be transformed in binary values that can be created into bytes, which can be processed by the system later on.
All the modulation happens in the txenc module. This module receives bytes, which will then be decomposed to bits, which then will be transformed in an envelope signal. This envelope signal denotes whether to modulate, or not to modulate.
3.2
Clock
As mentioned before, it is crucial to get an accurate clock source synchronized to that of the reader. Without it the data transmitted would not be in phase and received incorrectly. There are multiple clocks available to the system. First off an external high frequency oscillator h is used for the initial boot sequence. Secondly, the host system can provide the IC with a clock, and thirdly a clock can be obtained trough clock recovery. These clocks can generate other clocking signals, or be used for other signal generation.
3.2.1
Clock Generation
The system clock of the card is synchronized with the reader clock. This is necessary as the datatransfer is synchronous. This system clock synchronization is obtained from the magnetic field of the reader. In Fig. 3.1 the clock generation can be seen.
Figure 3.1: Current clock path
The High Frequency Oscillator (HFO) is an external crystal, used for the booting up of the IC. During this stage all the settings and registers are loaded, and other synchronized clocking mechanisms can be set up. The Phase Locked Loop (PLL) and Clkgen module generate all digital clock frequencies used by the system, CLIF. For clock synchronization it’s possible to either use the All Digital Phase Locked Loop (ADPLL) or the Digital Phase Locked Loop (DPLL). Where the DPLL has a higher accuracy, and the ADPLL has a faster ready time.
3.2.1.1 Phase Locked Loop (PLL)
another host. A clock signal can be recovered from the electric field emitted by the reader.
Figure 3.2: Control loop for a PLL
The control loop used by a PLL is seen in Fig. 3.2. The reference signal in this case is the magnetic field of the reader. This is then compared to an already existing clock, using the phase detector, which creates a difference signal. This difference signal is used to steer the frequency of the Voltage Controlled Oscillator (VCO). The resulting frequency is used as a system clock, and will be used to compare the reference signal with. A final module between the resulting frequency and phase detector can divide or multiply the resulting frequency. When a divider is used in the feedback loop, the phase detector will believe the system is lagging behind, and steer the VCO with a higher frequency. This multiplies the resulting clock. In the beginning the system will oscillate, as the VCO won’t have the right settings yet. However after a while a steady state will be reached, meaning the PLL locked.
The SN100V has two different PLLs. A DPLL, and an ADPLL, where the latter is the latest implemented. The difference lies in what is done in the analogue domain and what is done in digital domain. These choices ultimately result in a higher/lower lock time, and higher/lower accuracy.
3.2.1.2 Digital Phase Locked Loop (DPLL)
Figure 3.3: DPLL lock time diagram.
3.2.1.3 All Digital Phase Locked Loop (ADPLL)
The ADPLL uses a linear phase detector that then controls a Digitally Controlled Oscillator (DCO). It is important to note that the ADPLL can not lock during trans-mission, this could cause a problem with FSK transtrans-mission, as the clock might drift off since it would be continuously transmitting. According to the specifications the ADPLL can lock within 1 ms.
Figure 3.4: ADPLL lock time diagram.
3.2.2
Proposed Clock Flow
Clkgen modules should be instantiated, as well as a safe way to switch the clock. A possible solution can be seen in Fig. 3.5.
Figure 3.5: New clocking domain
The TXN and TXP signals are for transmitting, only one of the domains should ever transmit. The clocks, PHASE REF CLK13M56 and A2D CLK 27P12M, will go to the specialized multiplexer and the status busses, ”PCRM CLIF ANA STS” and ”CLIF ANA STS”, will also be multiplexed and fed in to the system.
3.2.2.1 Clock switching
It should be noted that the clocks can be out of phase. The system will not work when two clock pulses follow each other too quickly, this can be done by syncing them. However, in order to prevent clock glitching, there should be minimal logic components on the clock line. Therefor a small circuit has been designed that, by the use of some memory cells and specialized clock latches, can switch safely between the two clocks. This then can act as a multiplexer that is controllable from a register. The multiplexer should not switch during either transmission or reception, as the clocks act as a point of reference for the data. Therefor the firmware should only switch clocks if the ADPLL or DPLL is locked, no transmission is going on, and no reception is going on. The timing diagram would then be as seen as in Fig. 3.7. First the HFO is turned on to load all the registers. Then both the ADPLLs and DPLL are turned on. As soon as the ADPLL has a lock, the system clock will switch to it, and execute all following tasks with it. As soon as the DPLL has a lock, the system can switch again.
Figure 3.7: Lock time diagram for ADPLL and DPLL.
Figure 3.8: Clock multiplex and synchronization.
3.3
ISO 15693 Receiver
To make sure that the ppm demodulation can be achieved, a new demodulator has been created. This module works alongside the old system, so that other cards can still be emulated. SN100V can be set up to receive only for a given card standard, such as ISO 15693, or can be set to decide on itself which card standard is being used. This is done in the General Target Mode (GTM), Venus serializes the data, builds a frame, checks the CRC, and stores it in a buffer for the host to be used.
Figure 3.9: Data flow from analogue value to data.
to the SigPro, block. The SigPro module selects one of the decoders to be forwarded to the RX decoder. The selection can be done in two ways, depending on whether the system is configured in GTM, or not. With GTM enabled the system will decide dynamically which decoder to use during which every decoder observes whether they have valid signals and whether they’ve observed a start of frame. This information is then passed to the mode detection module, which decides what decoder to keep enabled. When GTM is not enabled the host will have to configure the to be used decoder. All the other decoders will be disabled in this situation. The SigPro module then forwards the data signals of the decoders to the RX decoder module. Here the bitstream is further processed. Bits are made into bytes, and the CRC gets calculated from the received data, and compared to the received CRC. Settings such as the bits per byte and CRC type can be set in the registers which are loaded into the system. The decoder will fill a buffer once all is in order, and gives an interrupt so that the host system gets notified that it can start reading data from the buffer. For ISO 15693 a new preprocessing module had to be instantiated, as there is a new decoder. The SigPro module, as well as the Mode Detect module, have been adjusted to accept the new signals of the Type I decoder. The bitstream and control signals that are going to the RX decoder have been left unchanged, thus nothing after the RX Decoder had to be adapted at the reception side. The registers were extended to allow for a type I interrupt signal, and to load the correct RX Decoder settings.
3.3.1
Demodulation
The serializer breaks the received byte down in bits, and provides a new data bit every clock cycle. The system will also mimic an ISO 14443 Type A end of frame sequence to denote the end of the frame. In the upcoming revision of NXP’s IC it is possible to provide a byte stream instead of a bitstream. This reduces the extra clock cycles it takes to serialize the data, and thus is more efficient. The type I decoder could be used in the new revision without the need of extra modules.
3.4
ISO 15693 Transmitter
A bigger reorganization was needed within the txenc module, FSK modulation was not available as a configuration at all, and the available bitrates that could be used were limited to the system clock divided by a exponent of 2.
Figure 3.11: Model for demodulation
3.4.0.1 Bitrate
The newly implemented bitrate module was made as a drop in replacement of the old one. Meaning that it would be fully backwards compatible with the old system. In addition to this it added new bitrate frequencies needed for the FSK. Instead of looking at a single bit, as it was in the old system, it would compare the counter to a number loaded into the memory. Once it’s a match it would clear the counter and toggle the output bitrate.
3.4.1
Modulation
In Fig. 3.12 the module names can be seen. Many connections are left out of the image, such as system clock, enable, and finer settings. The bit gen module is the previously described stream generator, and receives the data byte from the byte generator module. The bitrate can be set from a register, just like the sc mode (subcarrier mode) and envelope type. The envelope generator passes one output, the tx envelope, to the analogue driver where it will be transmitted to the other medium.
3.4.1.1 Frequency Shift Keying (FSK)
The subcarrier functionality has been expanded and moved out for the new design. It has been moved out to a separate module as the functionality has been expanded to justify a module of its own. As well as testing and verification can be more on module level without having other systems interfere it.
Figure 3.13: FSK statemachine
Chapter 4
Verification
As it’s not feasible to produce new ICs to test new changes, a digital simulation framework has been used which emulates the environment the IC as much as possible. NXP has multiple verification steps, consisting out of a MatLab framework and a Cadence environment on a virtual Unix machine. It’s possible to verify the entire IC with the use of Universal Verification Methodology (UVM) and analogue models. The testbenches and tests are written using SystemVerilog.
4.1
Verification Strategy
Some of the features that have been implemented have some support within the system already. The reader functionality from the IC contains already a PPM mod-ulation, which can be used to verify the ISO 15693 receiver with. The framework has a loop-back functionality, this shorts the transmitting end with the receiving end. Meaning that all the data transmitted will be on the receiver end.
4.1.1
Universal Verification Methodology
UVM can be seen as an extension to SystemVerilog, which makes the testbenches more automated and adds capability to compare by design generated values with expected values[9]. The UVM extension also includes the analogue model and automates the CPU communication.
4.1.1.1 Analogue model
extensions (Verilog-AMS) and describes the functionality for the analogue design, which can then be simulated. The analogue model incorporates random errors for transmission according to the specifications that are given by NXP.
4.1.1.2 CPU
As the IC is not standalone, it relies on a CPU interface. The interface used with host systems is the Advanced Peripheral Bus (APB), which is implemented in many ARM devices. The test environment simulates APB communication with a host and the IC, and takes care of setting the registers in the IC, writing the data to be sent, and reading out received data from the buffer.
4.2
Simulations
The horizontal axis for time might not always be proportional as a full run does not fit on a page, therefore proportional simulation runs can be found in A. It was not possible to run designated card mode tests, as no analogue model was available for ISO 15693 yet. This model should be made in the future, and contains mathematical approximations of the magnetic fields for ISO 15693. Another way of testing the system is by using a loop-back feature.
4.2.1
ISO 15693 Transmitter
4.2.1.1 ASK transmission
Figure 4.1: ASK modulation
4.2.1.2 FSK transmission
With the FSK transmission it’s important to see whether the switching between both subcarriers is done without any phase error. The simulation program does not provide any way of having two cursors on at a time, so only one subcarrier displays a value, which is 484 khz. However after measuring the other frequency it can be said that the second subcarrier has a value of 424 kHz, as required by spec. Furthermore the bit time is 149.85µs which is very close to that of the in table 2.4 specified.
Figure 4.2: FSK modulation
4.2.2
Receiver Loop-back
This added extra workload, but the end result is the same. All the values are either in single binary values, or in hexadecimal.
4.2.2.1 1 out of 256 encoding
In Fig. 4.3 1-out-of-256 can be seen. The bottom data byte signal is the transmitted signal, and the other data byte signal is the received data that will be written to the buffer. All the values are in hexadecimal. First the value 0xFE is sent, following by 0x08 and 0xFE. The time scale is not correct on the image, see apendix for the complete simulation. The reception of a value takes 4.8 ms, as specified in the specifications. Therefor it can be said that this test was successful.
Figure 4.3: 1 out of 256 demodulation
4.2.2.2 1 out of 4 encoding
4.2.3
Clock domain
Both the locking mechanism with both ADPLL and DPLL running as well as the clock switching have been successfully tested. For this a card mode test has been executed, meaning that the external field is created by a reader. This was done since the clocking mechanism is used for obtaining a reference clock to synchronize to, and that only happens in card mode.
4.2.3.1 Clock generation
The system is ready to receive once an ADPLL lock has been obtained, this should happen within 1 ms. And, if possible, lock with the DPLL when ready. In Fig. 4.5 both systems can be seen running simultaneously. After 0.697 ms a first lock with the ADPLL has been obtained. Which is well within the minimum response time of 1 ms. Then, after 2.639 ms a lock with the DPLL has been obtained, which is fast enough for the other standards, and switching to the other clock would be possible in case there is no transmission/reception going on.
Figure 4.5: Both ADPLL and DPLL lock
4.2.3.2 Clock switching
Chapter 5
Summary and Concluding Remarks
List of Figures
2.1 Transmission of one byte, 0 decimal, with 1-out-of-4 . . . 6
2.2 The number 228 decimal represented by 1-out-of-4 . . . 6
2.3 Transmission of a complete byte, 225 decimal, with 1-out-of-256 . . . 7
2.4 Up close timing of a 1-out-of-256 byte . . . 7
2.5 Timing for start of frame when selecting 1-out-of-4 pulse position mod-ulation for VCD to VICC communication . . . 8
2.6 Timing for start of frame when selecting 1-out-of-256 pulse position modulation for VCD to VICC communication . . . 8
2.7 End of frame timing for VCD to VICC communication . . . 9
2.8 Logic ’0’ modulated with ASK . . . 11
2.9 Logic ’1’ modulated with ASK . . . 11
2.10 Logic ’0’ modulated with FSK . . . 11
2.11 Logic ’1’ modulated with FSK . . . 11
2.12 SoF symbol from VICC to VCD communication . . . 12
2.13 Logic ’1’ modulated with FSK at a high data rate . . . 12
2.14 End of Frame symbol from VICC to VCD communication . . . 12
2.15 Logic ’1’ modulated with FSK at a high data rate . . . 13
2.16 Timings for requests other than write requests . . . 14
2.17 Summary of timings . . . 14
3.1 Current clock path . . . 18
3.2 Control loop for a PLL . . . 19
3.3 DPLL lock time diagram. . . 20
3.4 ADPLL lock time diagram. . . 20
3.5 New clocking domain . . . 21
3.6 Detailed block diagram of new clock generation. . . 22
3.7 Lock time diagram for ADPLL and DPLL. . . 23
3.8 Clock multiplex and synchronization. . . 24
3.10 Model for demodulation . . . 26
3.11 Model for demodulation . . . 27
3.12 Detailed modulation overview. . . 29
3.13 FSK statemachine . . . 30
4.1 ASK modulation . . . 33
4.2 FSK modulation . . . 33
4.3 1 out of 256 demodulation . . . 34
4.4 1 out of 4 demodulation . . . 34
4.5 Both ADPLL and DPLL lock . . . 35
Bibliography
[1] Maglocks. (2018) Hotel Locking Systems and Hotel Locks. [Online]. Available: http://www.maglocks.com/hotel
[2] Springcard. (2016) Our RFID reader used as a ski pass reader by 5 operators. [Online]. Available: https://www.springcard.com/en/blog/news/the-prox-n-roll-rfid-scanner-a-swiss-army-knife-reader
[3] “Information technology – Telecommunications and information exchange be-tween systems – Near Field Communication – Interface and Protocol (NFCIP-1),” International Organization for Standardization, Geneva, CH, Standard, Mar. 2013.
[4] “Identification cards – Contactless integrated circuit cards – Proximity cards – Part 2: Radio frequency power and signal interface,” International Organization for Standardization, Geneva, CH, Standard, Jul. 2016.
[5] “Identification cards – Contactless integrated circuit cards – Vicinity cards – Part 1: Physical characteristics,” International Organization for Standardization, Geneva, CH, Standard, Oct. 2010.
[6] “Identification cards – Contactless integrated circuit cards – Vicinity cards – Part 2: Air interface and initialization,” International Organization for Standardiza-tion, Geneva, CH, Standard, Dec. 2006.
[7] “Identification cards – Contactless integrated circuit cards – Vicinity cards – Part 3: Anticollision and transmission protoco,” International Organization for Stan-dardization, Geneva, CH, Standard, Dec. 2009.
