Ict3k7-3r6940 I

CONFIDENTIAL No ASL - NP – 17749 – 01
Revision History
Rev. Date Editor Description
A Apr. 15, 2009 K.Hoson First Edition

B Oct. 07,2010 K.Saeki 5.3 To add pm="4" (Download attestation).
B 6.1 Command ("CA4"), this command changed to the reservation.
7.14.1, 7.14.3, 7.15.1, 7.15.3 and ANNEX 5
Vcc=1.8V is added.
7.14.1, 7.14.2, 7.14.9, 7.15.1, 7.15.2, 7.15.9 and ANNEX 3
ICC,SAM activation/deactivation timing is changed.
7.14.11 Correction of description.
7.18.1 Correction of description.
ANNEX 2 Supportable TA1 values are changed.
CONFIDENTIAL No ASL - NP – 17749 – 01 1 / 122
Contents
Revision History............................................................................................................................................................... 1
1. Logic level.................................................................................................................................................................. 4
1.1 Transmission / Control Specification ................................................................................................................ 4
1.2 Transmission control method............................................................................................................................ 4
1.3 Transmission Control Characters..................................................................................................................... 4
1.4 Transmission Format......................................................................................................................................... 4
2. Transmission / Control protocol............................................................................................................................... 5
2.1 Timing chart........................................................................................................................................................ 5
2.2 Cancel of command........................................................................................................................................... 6
2.3 Protocol............................................................................................................................................................... 6
2.3.1 Ordinary operation...................................................................................................................................... 6
2.3.2 Irregular operation and back-up ................................................................................................................ 7
2.3.3 State transition matrix................................................................................................................................. 8
3. Command /Response............................................................................................................................................ 10
3.1 Text format........................................................................................................................................................ 10
3.2 Structure of Firmware areas............................................................................................................................ 11
4. Supervisor program code area.............................................................................................................................. 12
4.1 Command list.................................................................................................................................................... 12
4.2 Status code....................................................................................................................................................... 12
4.3 Error code ......................................................................................................................................................... 12
5. Command explanation of Supervisor program code area ................................................................................. 13
5.1 Initialize command ........................................................................................................................................... 13
5.2 Revision command.......................................................................................................................................... 13
5.3 Download command ....................................................................................................................................... 14
5.4 Switch command ............................................................................................................................................. 17
6. User program code area........................................................................................................................................ 18
6.1 Command list.................................................................................................................................................... 18
6.2 Status code....................................................................................................................................................... 21
6.3 Error code ......................................................................................................................................................... 21
7. Command explanation of User program code area............................................................................................ 24
7.1 Initialize command ........................................................................................................................................... 24
7.2 Status request command................................................................................................................................ 26
7.3 Entry command ............................................................................................................................................ 27
7.4 Card carry command....................................................................................................................................... 28
7.5 Retrieve command ....................................................................................................................................... 28
7.6 LED command ................................................................................................................................................. 29
7.7 Mag-Track Read command............................................................................................................................ 30
7.8 Intake / Withdraw command ........................................................................................................................... 32
7.9 Enable/Disable command............................................................................................................................... 34
7.10 Port In/Out command .................................................................................................................................... 35
7.11 Sensor Level transmit command.................................................................................................................. 37
7.12 Revision command........................................................................................................................................ 38
7.13 Counter command......................................................................................................................................... 39
7.14 IC Card control command............................................................................................................................. 40
7.14.1 Activate ICC command.......................................................................................................................... 40
7.14.2 Deactivate ICC command ..................................................................................................................... 42
7.14.3 Inquire ICC status command................................................................................................................. 43
7.14.4 ICC communication T=0........................................................................................................................ 44
7.14.5 ICC communication T=1........................................................................................................................ 45
7.14.6 ICC extended communication 1............................................................................................................ 47
CONFIDENTIAL No ASL - NP – 17749 – 01 2

7.14.9 ICC warm reset....................................................................................................................................... 50
7.14.10 ICC automatic communication............................................................................................................ 51
7.14.11 Plaintext offline PIN verification ........................................................................................................... 52
7.15 SAM (Secure Application Module) control command ................................................................................ 53
7.15.1 Activate SAM command........................................................................................................................ 53
7.15.2 Deactivate SAM command ................................................................................................................... 55
7.15.3 Inquire SAM status command............................................................................................................... 56
7.15.4 SAM communication T=0...................................................................................................................... 58
7.15.5 SAM communication T=1...................................................................................................................... 59
7.15.6 SAM extended communication 1.......................................................................................................... 61
7.15.9 SAM warm reset..................................................................................................................................... 64
7.15.10 SAM automatic communication.......................................................................................................... 65
7.15.11 Select SAM........................................................................................................................................... 66
7.16 Switch command ........................................................................................................................................... 67
7.17 Siemens memory card control command ................................................................................................... 68
7.17.1 Siemens memory card Power on ......................................................................................................... 68
7.17.2 Siemens memory card Power off ......................................................................................................... 69
7.17.3 Inquire Status of Siemens memory card.............................................................................................. 70
7.17.4 Communicate with SLE4442................................................................................................................. 71
7.17.4.1 Data read from main memory on SLE4442 ................................................................................. 71
7.17.4.2 Data read from protection memory on SLE4442......................................................................... 72
7.17.4.3 Data read from security memory on SLE4442............................................................................. 72
7.17.4.4 Data write to main memory on SLE4442...................................................................................... 73
7.17.4.5 Data write to protection memory on SLE4442 ............................................................................. 74
7.17.4.6 Data write to security memory on SLE4442................................................................................. 75
7.17.4.7 Verification data present to SLE4442............................................................................................ 76
7.17.5.1 Data Reading of main-memory of SLE4428................................................................................ 77
7.17.5.2 Condition data reading of protection-bit of SLE4428 ................................................................... 78
7.17.5.3 Data writing to main-memory of SLE4428.................................................................................... 79
7.17.5.4 Data writing to main-memory of SLE4428 (with protecting it)..................................................... 79
7.17.5.5 Protection-bit is written by the completion of the verification ....................................................... 80
7.17.6.2 Data Reading of memory of SLE4406.......................................................................................... 83
7.17.6.3 Data writing to memory of SLE4406 ............................................................................................. 84
7.17.6.4 Reloading to counter stage of SLE4406....................................................................................... 85
7.18 I2C memory card control command............................................................................................................. 86
7.18.1 I2C Power on .......................................................................................................................................... 86
7.18.2 I2C Power off .......................................................................................................................................... 87
7.18.3 Inquire Status of I2C............................................................................................................................... 88
7.18.4 I2C Communication ............................................................................................................................... 89
7.18.4.1 Read data from I2C ........................................................................................................................ 90
7.18.4.2 Write data into I2C........................................................................................................................... 91
7.19 Security command......................................................................................................................................... 92
7.19.1 Device authentication data exchange and key exchange key loading.............................................. 92
7.19.2 Key loading for the magnetic data......................................................................................................... 92
7.19.3 Key loading for the Plaintext offline PIN verification............................................................................. 93

7.19.4 New master exchange key loading....................................................................................................... 93
8. Explanation of error code....................................................................................................................................... 95
8.1 Error in communication soft............................................................................................................................. 95
8.2 Error at card feeding ........................................................................................................................................ 95
8.3 Error in reading card ........................................................................................................................................ 96
8.4 Other error codes ............................................................................................................................................. 96
9. RAS (Reliability, Availability, and Serviceability) Function................................................................................... 97
9.1 The power on / reset boot mode..................................................................................................................... 97
9.2 The boot check items and result..................................................................................................................... 97
9.3 The condition for boot on RAS mode............................................................................................................. 97
9.4 The finish condition of RAS mode .................................................................................................................. 98
9.5 The overview of RAS operation...................................................................................................................... 98
9.6 The check items and the error indications of RAS........................................................................................ 98
9.7 The not checked functions by RAS................................................................................................................ 98
9.8 The flow chart of RAS operation..................................................................................................................... 99
ANNEX 1 Calculation method of CRCC ................................................................................................................100
ANNEX 2 Values of ATR parameter (TA1 and TA2)............................................................................................101
ANNEX 3 Values of ATR parameter ......................................................................................................................108
ANNEX 4 C-APDU Format .....................................................................................................................................109
ANNEX 5 Sequence of activating IC card / SAM..................................................................................................110
ANNEX 6 Method of IC card communication ........................................................................................................118
1. Logic level
The protocol transmitted from HOST is automatically recognized by ICRW after a power-on.
After the recognition, communication is executed according to each protocol.
Protocol type is recognized only after power-on.
And the protocol cannot be switched to another protocol during communication.
1.1 Transmission / Control Specification

1) Synchronous method : Asynchronous
2) Transmission method : Half duplex
3) Baud rate : 9600, 19200, 38400, 115200 BPS ( automatic recognition )
Note) Baud rate is recognized and set up by STX of the first time command after a power-on / reset,
and it is cleared by power-off/reset.
Therefore, baud rate recognition and a setup are not performed for every initialization command.
The parity check result of the following data of STX is also made into recognition conditions
as a measure against an incorrect recognition.
4) Data length : 8bit + 1 parity
ST b0 b1 b2 b3 b4 b5 b6 b7 P SP
5) Stop bit : 1 bit

6) Character Code : ASCII 8 bit code
7) Parity check method : Vertical (Even) parity check
1.2 Transmission control method

Command / Response method
ICRW executes particular operation according to text (command) received from HOST
then reports result of execution to HOST.
1.3 Transmission Control Characters

STX (F2h) Indicate start of text. STX code is F2h.
ACK (06h) Acknowledge.
NAK (15h) Negative acknowledge.
DLE,EOT (10h,04h) Clear the line.
LEN (2 bytes) Text length.
TEXT Command or response.
CRCC (2 bytes) Cyclic redundancy code.
Polynomial X16+X12+X5+1.
Initial value is 0000h.
1.4 Transmission Format
STX LEN CRCC

TEXT
(F2h)
Upper byte Lower byte Upper byte Lower byte
LEN range
CRCC range
Max 300 bytes
Notes 1.Gap between characters STX to CRCC is less than 250 msec.
2. Transmission / Control protocol
2.1 Timing chart

1)Power-on-reset and Signal-reset (User program code area only)
After the reset operation, ICRW ejects the card in ICRW. "DTR" is turned on after the card was ejected.
The HOST should monitor if the ICRW turn on "DTR" after power-on-reset or signal-reset.
For the signal reset, the reset line should be activating more than 50msec.
The time concerning ICRW initializing and card discharging is a maximum of 4sec at the time
of card jam was occurring.
At the time of RAS mode operation, "DTR" is not turned on until ICRW ends RAS operation and
changes to the normal mode. "DTR" is turned off while detecting the fall of power supply voltage.
Power-on-reset Signal-reset
Power
Reset
50ms from Reset IC 50ms
CPU Reset
Signal Max 4sec. Max 4sec.
(after Initial Eject) (after Initial Eject)
DTR
2)LED blinking after reset

On normal reset operation, ICRW blinks green LED. The blinking interval is 2 sec.
If the user area program is illegal condition, card is not ejected and the blinking interval is 1 sec.
After receiving the initial command correctly, ICRW turns off LED.
3) Data gap
During receiving mode, if 250ms Time-out occurs, ICRW assumes receiving the Text characters
data is completed.
4) Monitoring state of HOST

ICRW is monitoring "DTR" from HOST.
When "DTR" is off, ICRW considers that the state of HOST is not normal and interrupts
the command under execution.
It depends on specification by initialize command whether a card ejects after that.
5) Cancel/Resume of transmission (User program code area only)

During text transmission from ICRW, when CTS signal goes OFF, ICRW stops
its transmission with Max 2 characters' delay.
After CTS is turned on, text transmission is resumed within about 1msec.
ON
CTS
OFF Approx.
1msec
0
TXD
1
Char (i) Char (i+1) Char (i+2) Char (i+3) Char (i+4)
6) Eject Operations (User program code area only)

All of eject operations caused by reset, power down, DSR off, initial command and eject command
moves card to a gate and a card stops in the state where it was held at the roller.
Therefore, the eject2 command is not necessary to 8bit mode.
2.2 Cancel of command

(User program code area only)
When ICRW receives "DLE,EOT", ICRW will interrupt execution of a command immediately.
And then ICRW transmits "DLE,EOT" and waits for the following command.
If "DLE,EOT" is received during response transmission, ICRW will be in the state waiting for a command,
after it completes response transmission.
If "DLE,EOT" is received for the entry, retrieve, and eject commands at the time of execution,
each operation will be interrupted and a card will be ejected.
2.3 Protocol
2.3.1 Ordinary operation
Min.5msec
(HOST) Command ACK Command
(Execution)
(ICRW) ACK Response

2.3.2 Irregular operation and back-up
Case 1 300msec Timeout
(HOST) Command Command ACK
(Execution)
X error
(ICRW) ACK Response
Case 2

X error (Execution)
(ICRW) NAK ACK Response
Case 3
(HOST) Command NAK ACK
(Execution)
(ICRW) ACK Response Response
Case 4 20sec Time out (Except Entry and

Intake/Withdraw command)
(Execution)
(ICRW) ACK ACK Response
Case 5
(HOST) Command DLE, EOT
(Execution) (discontinue)
(ICRW) ACK DLE, EOT
Max 4sec
2.3.3 State transition matrix
1) HOST
Character
ACK NAK STX(F2h) Others Time out Timer
Mode
Re-send Re-send
(1) Wait for ACK
Go to (2) command Ignore Ignore command 300msec
after command
Go to (1)* Go to (1)*
(2) Wait for Re-send

response Ignore Ignore Go to (3) Ignore command 20sec**
after ACK Go to (1)*
(3) Wait for Send NAK

Receive 2 bytes as Length. Receive 2 bytes then go to (4) 250msec
LEN Go to (2)
(4) Wait for Receive Text in the Length. Send NAK

250msec
Text Receive the Length bytes then go to (5) Go to (2)
Receive 2 bytes as CRCC.

(5) Wait for Send NAK
OK then Normal receipt: Send ACK & go to (1) 250msec
CRCC Go to (2)
NG then Irregular receipt: Re-send NAK & go to (2)
* : If it is over the re-try count, it will be judged an error.

** : Except Entry and Intake/Withdraw command.
2)ICRW
Character
ACK NAK STX(F2h) DLE,EOT Others Time out Timer
Mode
Go to (1)
after
(1) Neutral Ignore Ignore Go to (2) Ignore None
send
DLE,EOT
Send
(2) Wait for Receive 2 bytes as Length.
NAK 250msec
LEN Receive 2 bytes then go to (3)
& go to (1)
Send
(3) Wait for Receive Text in the Length bytes.
NAK 250msec
Text Receive the Length bytes then go to (4)
& go to (1)
Receive 2 bytes as CRCC Send

(4) Wait for
OK then send ACK, execute command and go to (5) NAK 250msec
CRCC
NG then send NAK and go to (1) & go to (1)
(5) Wait for Go to (1)

Resend
ACK after after
Go to (1) Resp. Go to (2) Ignore go to (1) 300msec
sending send
Go to (5)
Resp DLE,EOT
During command execution, all characters except "DLE,EOT" are ignored.
3. Command /Response
HOST sends command to ICRW and instruct operation.
Command is followed by data necessary for operation.
ICRW sends result of execution as response.
Command must be transmitted more than 5msec after sending ACK to the response from ICRW.
3.1 Text format

An ASCII character is expressed as shown in "C" (=43h), and a binary code is shown like 30h (="0")
by hexadecimal. Command and response format is as follows.
"C" "0" "0" Data

(43h) (30h) (30h) (Binary 2bytes)
Especially when not written clearly, it becomes 1 byte of one division. The division surrounded
by the dotted line shows the data which may not be considered as the case where it exists.
1) Command format ( HOST -> ICRW )
"C"
cm pm Data
(43h)
cm: Command code
pm: Parameters
This is the format of the command transmit to ICRW from HOST.

The first character should be "C"(43h).
There are commands with data part and without data part.
2) Positive response format ( ICRW -> HOST )
"P"
cm pm st1 st0 Data
(50h)
st1,st0: Status code
This is the format of response when command was executed normally.

The first character should be "P"(50h).
There are positive responses with data part and without data part.
In this format cm and pm returns the same values which were received with command transmission.
(pm : except for IC card control)
3) Negative response format ( ICRW -> HOST )
"N"
cm pm e1 e0 Data
(4Eh)
e1,e0: Error code
This is the format of response when command was executed abnormally.

The first character should be "N"(4Eh).
There are negative responses with data part and without data part.
In this format cm and pm returns the same values which were received with command transmission.
(pm : except for IC card control)
3.2 Structure of Firmware areas
Firmware of ICRW is divided into two parts.
(1) Supervisor program code area

To execute the download and rewrite the firmware of a user part with directions of HOST.
HOST cannot rewrite this area.
(2) User program code area

This area usually performs control of the function of ICRW.
HOST can reprogram this area (under 100 times).
If the firmware is downloaded normally in this area, ICRW executes the program in it after power-on.
So HOST usually doesn't care Supervisor program code area.
In case error response "02"(30h,32h) arises in initialize command, User program code area is
abnormal condition. This state shows that ICRW executes Supervisor program code area.
And it needs to perform user part program rewriting by the download from HOST.
Switch command is to switch Supervisor program code area and User program code area.
Initialize command shall be executed when after Switch command is executed.
In addition to this, the firmware holds the sensor adjustment value for card detection,
the download counter of user program code area, and the path counter, as non-volatility data.
Moreover, since a firmware does not have the function of execution record of a command,
or memory dumping, it needs the communication log of HOST for the analysis of an error.
4. Supervisor program code area

4.1 Command list
cm: Command code pm: Parameters
Command cm Function pm Details of operation

“0” “0”
INITIALIZE (30h) Initialize ICRW (30h) Designate communication format
“A” “0”
REVISION (41h) Revision (30h) Send the revision of Supervisor program code area
“0”
(30h) Erase the User program code area
“1”
“J” (31h) Execute download
DOWNLOAD (4Ah) Download “2”
(32h) Confirm User program code area
“3”
(33h) Inquire download count
“K” “0”
SWITCH (4Bh) Area switch (30h) Switch to the User program code area
Notes. Do not use any other codes than those shown by this table.
4.2 Status code

st1, st0 : ICRW status code
status code Meaning

"00" (30h,30h) always "00" in Supervisor program code area.
4.3 Error code

e1, e0 : error code
error code Meaning

"00" (30h,30h) A given command code is unidentified
"01" (30h,31h) Parameter is not correct
"02" (30h,32h) Command execution is impossible. Under Supervisor program code area
"04" (30h,34h) Command data error
"70" (37h,30h) F-ROM write error
"71" (37h,31h) CRC error of user program code area
"B0" (42h,30h) Not received Initialize command
5. Command explanation of Supervisor program code area
5.1 Initialize command
"C" “0” “0” “0” “0” “0” “0”

Command fm
(43h) (30h) (30h) (30h) (30h) (30h) (30h)
Positive response Nothing
“N” “0” “0” “0” “2”

Negative response
(4Eh) (30h) (30h) (30h) (32h)
Execute this command whenever power is turned on or after switch from User program code area.
fm : Not use. Always "0"(30h).
A positive response is not transmitted to HOST with the initialization command of Supervisor program
code area.
A response is surely set to negative response and returns the error code "02"(30h,32h) to HOST.
5.2 Revision command
"C" “A” “0”

Command
(43h) (41h) (30h)
“P” “A” “0” “0” “0” Supervisor code area revision

Positive response
(50h) (41h) (30h) (30h) (30h) (ASCII 8bytes)
“N” “A” “0”

Negative response e1 e0
(4Eh) (41h) (30h)
Eight characters that show firmware revision of Supervisor program code area
are added to an positive response, and it transmits to HOST.
Ex) "1234-01A"
5.3 Download command
“C” “J”
Command pm Download Data(ASCII 176bytes)
(43h) (4Ah)
“P” “J” “0” “0” Download Count

Positive response pm
(50h) (4Ah) (30h) (30h) (ASCII 3bytes)
“N” “J”
Negative response pm e1 e0
(4Eh) (4Ah)
Execution of this command rewrites program in the User program code area by downloading from HOST.
This command is used in case to write latest firmware.
pm="0" Erase current User program code area.

(30h) Need to execute first to execute download.
Error "70"(37h,30h) arise in case Erase isn't executed normally.
This error relates to board degradation. Need to change the board.
pm="1" Write download data (Fixed length 176bytes).

(31h) HOST use this command write the date of download data file, Sankyo supplies, per each line.
Download is completed when all download data file is sent.
Error "70"(37h,30h) arise in case Write isn't executed normally.
Repeat the download again from pm="0"(30h).
pm="2" Execute the CRC check of User program code area and confirm it's condition.
(32h) Error "71"(37h,31h) arise in case CRC check is wrong.
Repeat the download again from pm="0"(30h).
pm="3" Inquire download count

(33h) This command reports the download count as three digit of ASCII decimal number.
100 times download is guaranteed by CPU on ICRW.
pm="4" Download attestation

B (34h) A supervisor checks the right download file. When this command is not executed or the response of
negative is returned, download cannot be performed
Structure of the file for downloading with the ASCII text format
Rev1234-01A [CRLF] <= Sankyo revision Header

B CJ41xxxxxxx[CRLF] <= Download attestation
CJ0 [CRLF] <= Erase command.
CJ1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(176bytes) [CRLF] <= transmit download data
: :
CJ1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(176bytes) [CRLF] :
CJ2[CRLF] <= CRC check command
(EOF) <= End of File
(CTRL-Z(1Ah) code is not added at the EOF)
Explanation of the download procedure

(1) Execute the Initialize command.
(2) If response is "N0002", the program in "Supervisor Program Area" is executed and goes to (4).
(3) If response is not "N0002", move to the "Supervisor Program Area" using "Switch command"
and restart from (1).
(4) Characters are read from the 2nd line of the Download file except of CRLF that Sankyo supplies
for line by line.
(5) If Host finds EOF then goes to (8). Downloading is completed.
(6) The characters read by (3) are sent to ICRW as a command.
(7) If ICRW detected positive response, goes to (4).
If ICRW detected negative response, downloading is failure.
(8) Reboot or change to "User Area Command" using "Switch command".
(9) Execute "Initialize command" and execute standard process.
The flow chart of the download procedure
Power ON or Standard Process
Initialize Command (1)

“C00....”
(2) (3)
“N0002” Switch Command
No “CK0”
Yes
XXXX-YY.DWL
(ASCII Text File)
(4)
Read Next
1 Line
(5)
EOF ?
Yes
No
Execute (6)
1 Line Command
(7)
Positive
Yes Response ?
Download No
Failure
(8)
Power Switch Command
Off / On “CK0”
(9)
Initialize Command
“C00....”
Standard Process
5.4 Switch command
“C” “K” “0”

Command
(43h) (4Bh) (30h)
“P” “K” “0” “0” “0”

Positive response
(50h) (4Bh) (30h) (30h) (30h)
“N” “K” “0”

(4Eh) (4Bh) (30h)
Execute the CRC check of User program code area.

Switch the control to User program code area from Supervisor program code area in case of normal.
Error "71"(37h,31h) arise and not switch to the User program code area, in case the CRC check is wrong.
Repeat the download again.
Note : Start from Initialize command of User program code area after the switch is completed.
ex) Under the supervisor program code area operation
Switch command "CK0"
Switch the control to User program code area
Execute initialize command of user program code area
Usual operation
6. User program code area

6.1 Command list
List1 cm: Command code pm: Parameters
“0”(30h) Initialize, set up and eject a card
“1”(31h) Initialize, set up and capture a card
“0”
INITIALIZE Initialize ICRW “2”(32h) Initialize, set up and re-positioning a card
(30h)
“3”(33h) Initialize, set up without card operation
“8”(38h) Initialize parameter report
STATUS “1” “0”(30h) Report presence of card and its position
Inquire status
REQUEST (31h) “1”(31h) Report presence of sensor status in detail
“2”
ENTRY Card Entry “0”(30h) Card Entry (Mag-Track read)
(32h)
“3” Eject “0”(30h) Move card to Gate from inside of ICRW
CARD CARRY
(33h) Capture “1”(31h) Capture card to rear side of ICRW
“4”
RETRIEVE Retrieve “0”(30h) Retrieve card from eject position
(34h)
LED Off “0”(30h) All Color LED Off
“5” LED Green On “1”(31h) Green On from All Off or Other Color On
LED
(35h) LED Red On “2”(32h) Red On from All Off or Other Color On
LED Orange On “3”(33h) Orange On from All Off or Other Color On
ISO #1 read “1”(31h) ISO Track #1 reads Transmit read data
Mag-Track “6” All tracks read “5”(35h) Transmit All channel data
READ (36h) Read Status “7”(37h) Data buffer status read
ISO#1 error read “9”(39h) ISO Track #1 reads Transmit read data
ISO#2 error read “:”(3Ah) ISO Track #2 reads Transmit read data
ISO#3 error read “;”(3Bh) ISO Track #3 reads Transmit read data
ISO #1 read “A”(41h) ISO Track #1 reads Transmit read data
ISO #2 read “B”(42h) ISO Track #2 reads Transmit read data
Mag-Track
ISO #3 read “C”(43h) ISO Track #3 reads Transmit read data
READ
“6”
with All tracks read “E”(45h) Transmit All channel data
(36h)
DATA
ISO#1 error read “I”(49h) ISO Track #1 reads Transmit read data
ENCRYPTION
ISO#2 error read “J”(4Ah) ISO Track #2 reads Transmit read data
ISO#3 error read “K”(4Bh) ISO Track #3 reads Transmit read data
Withdraw “0”(30h) Withdraw the card
INTAKE “9”
Intake “1”(31h) Card intake
/ WITHDRAW (39h)
Intake with Mag. Chk. “2”(32h) Card intake with the magnetic recording detection
List 2 cm: Command code pm: Parameters

ENABLE / “:” Enable “0”(30h) Enable card entry
DISABLE (3Ah) Disable “1”(31h) Disable card entry
“0”(30h) Enter maintenance mode
Mode Change
PORT “=” “1”(31h) Release maintenance mode
IN / OUT (3Dh) Output port “2”(32h) Check operation of a motor and solenoid.
Input port “3”(33h) Check operation of a sensor.
SENSOR
“>” NORMAL check “0”(30h) Transmit sensor A/D level with normal condition
LEVEL
(3Eh) for ADJUST “1”(31h) Transmit sensor A/D level with adjust condition
TRANSMIT
“1”(31h) Revision of User program code area
“2”(32h) Revision of EMV2000 code area
“A”
REVISION Revision “3”(33h) Transmit the EMV approval number
(41h)
“4”(34h) Transmit the GIE-CB approval number (Reserve)
B
“5”(35h) Transmit the IFM number of the EMV approval
Pass Counter Read “2”(32h) Inquire of card pass count
“C”
COUNTER Capture Counter Read “3”(33h) Inquire of card capture count
(43h)
Capture Alert Count Set “4”(34h) Set capture alert count
Device Authentication
Device authentication data exchange
& Key Exchange Key “0”(30h)
Load and key exchange key loading
“G”
Key Loading for
SECURITY (47h) Magnetic Data “1”(31h) Key loading for the magnetic data
Key Loading for
Offline PIN Verification “2”(32h) Key loading for the offline PIN verification
New Master Exchange
---- Key Loading --- New master exchange key loading
Activate “0”(30h) Activate ICC
Deactivate “1”(31h) Deactivate ICC
Inquire Status “2”(32h) Inquire of ICC status
Communication T=0 “3”(33h) ICC communication T=0
IC CARD “I” Communication T=1 “4”(34h) ICC communication T=1
CONTROL (49h) Communication 1 “5”(35h) ICC extended communication 1
Communication 2 “6”(36h) ICC extended communication 2
Communication 3 “7”(37h) ICC extended communication 3
Warm Reset “8”(38h) ICC Warm reset
Automatic
Communication “9”(39h) ICC automatic communication
Offline PIN Verification
T=0 with Triple DES “S”(53h) ICC communication T=0 with Triple DES
T=1 with Triple DES “T”(54h) ICC communication T=1 with Triple DES
OFFLINE PIN “I” Automatic with T-DES “Y”(59h) ICC automatic communication with Triple DES
VERIFICATION (49h) Offline PIN Verification
“c”(63h) ICC communication T=0 with Single DES
T=0 with Single DES
T=1 with Single DES “d”(64h) ICC communication T=1 with Single DES
Automatic with S-DES “i”(69h) ICC automatic communication with Single DES
List 3 cm: Command code pm: Parameters

Activate “@”(40h) Activate SAM
Deactivate “A”(41h) Deactivate SAM
Inquire Status “B”(42h) Inquire of SAM status
Communication T=0 “C”(43h) SAM communication T=0
Communication T=1 “D”(44h) SAM communication T=1
SAM “I”
Communication 1 “E”(45h) SAM extended communication 1
CONTROL (49h)
Communication 2 “F”(46h) SAM extended communication 2
Communication 3 “G”(47h) SAM extended communication 3
Warm Reset “H”(48h) SAM Warm reset
Automatic
Communication “I”(49h) SAM automatic communication
Select SAM “P”(50h) Select SAM
“K”
SWITCH Area switch “0”(30h) Switch to Supervisor program code area.
(4Bh)
Power on “0”(30h) Power Supply and Activate to Siemens card
Siemens Power off “1”(31h) Deactivate to Siemens card
Memory “R” Status request “2”(32h) Inquire status of Siemens card
Card (52h)
Communication “3”(33h) Exchange data for 4442 card
Control
Activate I2C “0”(30h) To activate I2C and To close the shutter
I2C “1”(31h) To deactivate I2C
“S” Deactivate I2C
MEMORY
(53h) Status of I2C “2”(32h) To inquire status of I2C
CONTROL
Communication “3”(33h) To exchange data between I2C
Notes. Do not use any other codes than those shown by this table.
6.2 Status code

st1, st0 : ICRW status code
status code Meaning

"00" (30h,30h) No card detected within ICRW (including card gate)
"01" (30h,31h) Card locates at card Gate
"02" (30h,32h) Card locates inside ICRW (Transport )
6.3 Error code

List 1 e1, e0 : error code
error code Meaning

"00" (30h,30h) A given command code is unidentified
"01" (30h,31h) Parameter is not correct
"02" (30h,32h) Command execution is impossible.
"03" (30h,33h) Function is not implemented.
"04" (30h,34h) Command data error
"05" (30h,35h)
"06" (30h,36h) Key for decrypting is not received
"07" (30h,37h)
"08" (30h,38h)
"09" (30h,39h) Intake withdraw timeout
"10" (31h,30h) Card jam
"11" (31h,31h) Shutter error
"12" (31h,32h)
"13" (31h,33h) Irregular card length (LONG)
"14" (31h,34h) Irregular card length (SHORT)
"15" (31h,35h) Flash Memory Parameter Area CRC error
"16" (31h,36h) Card position Move (and Pull out error)
"17" (31h,37h) Jam error at retrieve
“18” (31h,38h) Two card error
"19" (31h,39h)
error code Meaning

"20" (32h,30h) Read Error (Parity error (VRC error))
"21" (32h,31h) Read Error (Start sentinel error, end sentinel error or LRC error)
"22" (32h,32h)
"23" (32h,33h) Read Error (No data contents, only start sentinel, end sentinel and LRC)
"24" (32h,34h) Read Error (No magnetic stripe or not encorded)
"25" (32h,35h)
"26" (32h,36h)
"27" (32h,37h)
"28" (32h,38h)
"29" (32h,39h)
"30" (33h,30h) Power Down
"31" (33h,31h) DSR signal was turned to OFF
"32" (33h,32h)
"33" (33h,33h)
"34" (33h,34h)
"35" (33h,35h)
"36" (33h,36h)
"37" (33h,37h)
"38" (33h,38h)
"39" (33h,39h) Electric fan breaks down.
error code Meaning

"40" (34h,30h) Pull Out Error
"41" (34h,31h)
"42" (34h,32h)
"43" (34h,33h) IC Positioning Error
"44" (34h,34h)
"45" (34h,35h)
"46" (34h,36h)
"47" (34h,37h)
"48" (34h,38h)
"49" (34h,39h)
"50" (35h,30h) Capture Counter Overflow Error
"51" (35h,31h)
"52" (35h,32h)
"53" (35h,33h)
"54" (35h,34h)
"55" (35h,35h)
"56" (35h,36h)
"57" (35h,37h)
"58" (35h,38h)
"59" (35h,39h)
"60" (36h,30h) Abnormal Vcc condition error of IC card or SAM
"61" (36h,31h) ATR communication error of IC card or SAM
"62" (36h,32h) Invalid ATR error to the selected activation for IC card or SAM
"63" (36h,33h) No response error on communication from IC card or SAM
"64" (36h,34h) Communication error to IC card or SAM (except for no response)
"65" (36h,35h) Not activated error of IC card or SAM
"66" (36h,36h) Not supported IC card or SAM error by ICRW (only for non EMV activation)
"67" (36h,37h)
"68" (36h,38h)
"69" (36h,39h) Not supported IC card or SAM error by EMV2000 (only for EMV activation)
"73" (37h,33h) EEPROM error
"B0" (42h,30h) Not received Initialize command.

7. Command explanation of User program code area
7.1 Initialize command

* * * * =>See Note 1
“C” “0” “3” “2” “4” “1”

Command pm fm Pd Ty Ds Cc Re 30H 30H Ce
(43h) (30h) (33h) (32h) (34h) (31h)
“P” “0” Type recognizing code

Positive response pm st1 st0
(50h) (30h) (ASCII 16bytes)
“N” “0”
(4Eh) (30h)
This command set the operation conditions for ICRW and initializes ICRW.
Execute this command whenever power on, reset and code area change from supervisor program to
user program by switch command.
If this command is executed when the card is in the ICRW, the ICRW moves the card according to the
parameter of the command.
When the enable condition of the card insertion, this command disables the card insertion condition.
This command returns the ICRW from various error conditions to normal condition.
And this command clears the mag stripe data buffer.
Note 1. * These parameters have no meaning, but remained for the command format compatibility to
the command format of the other models. The parameter codes "0"(30h) to "4"(34h) are admitted as the
correct parameter to get positive response with the type recognizing code under the condition that the
model type is unknown.
pm : This parameter sets the card move mode.

"0" (30h) Eject the card to the gate portion and finish the command even if the card is not taken out.
"1" (31h) Capture the card to the rear side.
"2" (32h) Re-position the card to the home position in the ICRW.
"3" (33h) Don't move the card.
"8" (38h) Initialize parameter report command
fm : Not used. Always "0" (30h). (This code is not omissible.)
Pd : Power down card control

"0" (30h) The ICRW ejects the card in the ICRW. (Default value at omit this code)
"1" (31h) The ICRW keeps the card in the ICRW.
Ty : Reader type recognition code control

"0" (30h) No data is contained in the response. (Default value at omit this code)
"1" (31h) Response includes type recognition code.
Type ISO#1 ISO#2 ISO#3 JIS II IC
RF Pinpad Capture Fan Full “0” SAM1 SAM2 SAM3 SAM4 SAM5
recognition code contact Shutter (30h)
(16bytes)
Magnetic Head : Function : SAM Information :
"0"(30h) = Not Available "0"(30h) = Not Available “0”(30h) = Socket is not mounted
"1"(31h) = Available "1"(31h) = Available “1”(31h) = Socket is empty
“2”(32h) = SAM is inserted
“3”(33h) = SAM is inserted
but Vcc error
Ds : DSR off card control

"0" (30h) ICRW ejects the card in ICRW (Default value at omit this code)
"1" (31h) ICRW keeps the card in ICRW
Cc : Capture counter control

"0" (30h) Turn off the capture counter (Default value at omit this code)
"1" (31h) Turn on the capture counter
Re : Reset eject control

This code sets on / off of the card eject function after power on and reset. The setting is memorized and
is available after the next reset condition.
"0" (30h) Turn on the reset eject function. The ICRW eject the card to the gate after reset.
"1" (31h) Turn off the reset eject function. The ICRW don't eject the card after reset.
Omit : The previous value is valid.
Default : If the value has never been set, the ICRW control the card according to the following
default value.
ICRW without the capture function : "0" (30h) (The ICRW ejects the card)
ICRW with the capture function : "1" (31h) (The ICRW don't eject the card)
Ce : Transparent card eject control

The setting is held in the non volatile memory even after the power on / reset.
"0" (30h) Turn off the transparent card detect function. (Default value at omit this code)
The ICRW can not detect the transparent card.
"1" (31h) Turn on the transparent card detect function.
The ICRW detects and ejects the transparent card.
Omit : The previous set value is valid.
Default : If the value has never been set, the default value is 30h.
Notes Pd, Ty, Ds, Cc, Re and Ce are omissible. When Pd, Ty, Ds or Cc are not set, these are set "0" (30h)
internally as a default value.
When Re or Ce are not set, the ICRW control the card according to the previous value.
When power failure occurs at the same timing of DSR OFF, power failure handling routine has priority.
7.2 Status request command
“C” “1”
Command pm
(43h) (31h)
“P” “1”
Positive response pm st1 st0 Se
(50h) (31h)
“N” “1”
(4Eh) (31h)
Negative response is sent against Status request command if mechanical failure remains
from the prior operation.
pm="0" Report current status of after execution of previous command ICRW.

(30h)
pm="1" Response is returned in form of "Se", with the status information obtained.
(31h) "Se" is added also in the time of negative response transmission.
The locations of sensor are referred to appearance drawing.
b7 b0
Se= 0 X X X X X X X (binary)
Card Width Sensor
1: Card exists, 0: Card does not exist
PD2 1: Card exists, 0: Card does not exist
PI1 1: Shutter Close, 0: Shutter Open
PI2 1: IC Contact is set, 0: IC Contact is not set
(The IC contact is set mechanically at the card entry)
CAP 1: Capture Sensor Connector High Level
0: Capture Sensor Connector Low Level
(This connector terminal is pulled up, therefore this bit
is 1 when the connector is open or no mount. )
7.3 Entry command
“C” “2”
Command pm mg
(43h) (32h)
“P” “2”
(50h) (32h)
“N” “2”
(4Eh) (32h)
This is to accept to carry the card inside ICRW. This command doesn't allow ICRW to send response
to HOST until ICRW completes to carry the card inside ICRW.
If ICRW can not move the card on the way of carrying it, ICRW sends jam error "10" (31h,30h) to HOST.
If another card already stays inside ICRW, ICRW sends error "02" (30h,32h) to HOST.
Send DLE,EOT from HOST in order to cancel this command.
While the card is carried inside ICRW, data on the mag stripe is read to data buffer by ICRW.
(Even if read error occurs, ICRW sends positive response to HOST upon completion of
carrying the card inside ICRW.)
If ICRW is in the ENABLE mode, ICRW sends execution impossible error to HOST.
pm="0" To accept the card

(30h) When receiving the command with this parameter, ICRW becomes card insertion waiting mode.
After detecting a card insertion, ICRW rotate the motor forward and carry the card into inside of ICRW.
When ICRW completes to carry the card to the rear end of ICRW, ICRW closes the shutter.
ICRW stops the motor and sends positive response.
If the card is pulled out before roller catch the card, ICRW becomes card insertion waiting mode again
without error response.
Then, if a card is not inserted for 5sec, card ejecting error "40" (34h,30h) will be transmitted to HOST.
mg="0" Mag data detect Off

(30h) ICRW executes card accept operation without mag data detection. "mg" is omissible and this value is
default.
mg="1" Mag data detect On
(31h) ICRW executes card accept operation with mag data detection. If mag data is not detect, ICRW stops
the card accept operation and eject the card with negative response "24" (32h,34h) (No mag error) .
7.4 Card carry command
“C” “3”
Command pm
(43h) (33h)
“P” “3”
(50h) (33h)
“N” “3”
(4Eh) (33h)
pm="0" EJECT
(30h) ICRW moves the card from inside of ICRW to Gate with roller on position.
After executing this command, ICRW can execute a retrieve command.
After card was ejected, ICRW executes a status request command, and when the status code is
"00" (30h,30h), it is shown that the card was completely pull out from the gate.
It takes a maximum of 7sec after ICRW receives a command until it returns a response.
If a card is not in ICRW, ICRW does not executes the card move operation and returns positive response.
pm="1" CAPTURE
(31h) ICRW moves the card from inside of ICRW to rear side.
After card was captured, ICRW executes a status request command and when its status code is
"00" (30h,30h), it is shown that the card was completely discharged from the ICRW.
It takes a maximum of 7sec after ICRW receives a command until it returns a response.
If a card is not in ICRW, ICRW sends error "02" (30h,32h) to HOST against receipt of this command.
7.5 Retrieve command
“C” “4” “0”

Command
(43h) (34h) (30h)
“P” “4” “0”

Positive response st1 st0
(50h) (34h) (30h)
“N” “4” “0”

(4Eh) (34h) (30h)
ICRW moves card from gate with roller on position to inside of ICRW.
This command is available after Eject command.
This command does not ensure mag stripe read operation for read command after this command.
7.6 LED command
“C” “5” turn ON timer turn OFF timer

Command pm
(43h) (35h) (ASCII 2byte) (ASCII 2byte)
“P” “5”
(50h) (35h)
“N” “5”
(4Eh) (35h)
This function controls the LED on front bezel of ICRW. LED On commands for every color are able to
change directly from the condition of other color on.
pm="0"(30h) LED Off

pm="1"(31h) LED Green On
pm="2"(32h) LED Red On
pm="3"(33h) LED Orange On
The turn ON / OFF time is available for the LED blinking. The turn on time and turn off time are able to be
set independently. Each timer values are set by the 0.1 second unit which is given as 2bytes ASCII code.
Therefore, the minimum value is 0.1 second and the maximum value is 9.9 second. If these values are
omitted, the LED is only turned on. This blinking function doesn't affect to the other functions.
ex). Green LED blinking turn on time = 1.0sec. turn off time = 0.5sec. => "C511005"
7.7 Mag-Track Read command
“C” “6”
Command pm
(43h) (36h)
“P” “6” Read Data

(50h) (36h) (ASCII Max 219bytes (pm=”5”(35h)))
“N” “6” Read Data

(4Eh) (36h) (ASCII Max 104bytes (pm=”;”(3Bh)))
pm="1"(31h) read data on ISO Track #1

When ICRW takes in a card, the magnetic data read into the buffer is edited and is converted into
an ASCII code. If this data is normal, it will transmit to HOST as read data.
The data transmitted to HOST excepts the Start code, End code, and LRC on mag stripes.
The command with the above parameters allows ICRW not to read the card, but only to
transmit the data of buffer, which have been normally read during the card acceptance.
When Read Error occurs, ICRW sends negative response.
In case of card jamming, ICRW sends negative response too.
When the card has no magnetic track, ICRW makes no retrying and sends negative response
(Error code "24" (32h,34h) is no magnetic track).
When the card has a track with the sentinels but no data, ICRW sends negative response (error code
"23" (32h,33h))
EX) ISO Track #1 (Max 76bytes) ISO Track #2 (Max 37bytes)

bit 5 4 3 2 1 0 bit 3210
data=0 0 1 0 0 0 0 -> 30h data=0 0 0 0 0 -> 30h
data=A 1 0 0 0 0 1 -> 41h data=9 1 0 0 1 -> 39h
ISO Track #3 (Max 104char)

bit 3210
data=0 0 0 0 0 -> 30h
data=9 1 0 0 1 -> 39h
pm="5" All tracks simultaneous read and transmit.

(35h) The contents of read data are the order of track 1 data, track 2 data and track 3 data.
Among those, a maximum of three tracks to which ICRW corresponds are transmitted by HOST
on both sides of separator "~" (7Eh).
When one of the tracks is not read, its data area becomes blank.
Either of the tracks are not read, error "20"(32h,30h),"21"(32h,31h),"23"(32h,33h) or "24"(32h,34h) is sent
to HOST.
Ex) “~” “~”
Track 1 Data (7Eh) Track 2 Data (7Eh) Track 3 Data (Max 219bytes)
pm="7" Indicates in response if track is encoded/not encoded.

(37h) ICRW doesn't carry the card.
ISO#1: "0"(30h): ISO #1 is not encoded. "1"(31h): ISO #1 is encoded.
ISO#1 ISO#2 ISO#3 “0”(30h)
pm="9"(39h) read data on ISO Track #1 by another way.

pm=":"(3Ah) read data on ISO Track #2 by another way.
pm=";"(3Bh) read data on ISO Track #3 by another way.
The above parameters differ from pm="1"(31h), "2"(32h) and "3"(33h) in the following contents.
If the parity error occurs, the ICRW tries to send the data row before the error portion.
This partial readied data is concatenated the negative response.
If start sentinel is not detected, ICRW doesn't read data.
Mag-track read with data encryption command :
pm="A"(41h) read data on ISO Track #1

pm="B"(42h) read data on ISO Track #2
pm="C"(43h) read data on ISO Track #3
pm="E"(45h) All three tracks simultaneous read and transmit.
pm= "I" (49h) read data on ISO Track #1 by another way
pm="J"(4Ah) read data on ISO Track #2 by another way
pm="K"(4Bh) read data on ISO Track #3 by another way
The commands with these pm encrypt the read data in the form of Single DES-CBC and transmit data.
Other processing are the same as pm=31h to 3Bh.
In case of pm="E"(45h), ICRW encrypts whole data including separator “~"(7Eh).
Before using these pm, execution of "Security command" is necessary.
A 80h and some 00h code are padded in the end of read data, HOST must ignore after 80h.
In case of pm="E"(45h), a 80h and some 00h code are padded in the end of the data connected
with separator "~"(7Eh).
If ICRW has not obtain the key for these command by the "Key loading for the magnetic data",
ICRW sends an error code "06"(30h,36h).
Ex) Original data : 31h 32h 33h 34h 35h 36h 37h 38h 39h 30h
Transmit data : ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h
Decrypted data : 31h 32h 33h 34h 35h 36h 37h 38h 39h 30h 80h 00h 00h 00h 00h 00h
Ex) Original data : 31h 32h 33h 34h 7Eh 35h 36h 37h 7Eh 38h 39h 30h (pm="E"(45h))
Transmit data : ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h ??h
Decrypted data : 31h 32h 33h 34h 7Eh 35h 36h 37h 7Eh 38h 39h 30h 80h 00h 00h 00h
7.8 Intake / Withdraw command
"C" “9” timer value

Command pm
(43h) (39h) (ASCII 2 byte)
"P" “9” Se
(50h) (39h) (1byte)
"N" “9” Se
(4Eh) (39h) (1byte)
This command executes the wait of the card insertion and the intake, or the card eject and the wait of the
pull out. This command is recommended for the development of the new host control software.
The settings of the card watching time for each pm are the same. The setting unit of the card waiting time
are second. The meaning of the setting values are following.
Watching time Watching function Response at time out
Omit Infinite time No time out
Positive response
00 second 0.1 sec. watching for polling (The card condition can be recognized by
the st1 and st0 bytes of the positive response.)
01 second 1 second watching Negative response
99 sec. watching
99 second Negative response
(max. value)
The positive response is sent when the ICRW detects the card pull out or the finishing of the card intake.
Each commands are able to be executed and check the status even after the time out.
The negative response is sent immediately, when the card jam occur.
The positive response and negative response is sent with the card sensor status byte Se.
The bit assignment of the Se byte is the following which is same as the response of the status command.
b7 b0
Card Width Sensor (full shutter model) or PD1 (pin shutter model)
(The IC contact is set mechanically at the card entry)
pm="0" Withdraw command (card eject and waiting pull out)

(30h) This command disables the card intake, ejects the card and watch the ejected card pull out.
The positive response is sent immediately, if the ICRW receive this command after the card pull out.
pm="1" Intake command (waiting card insertion and take in the card)
(31h) This command enables the card intake and watch the finishing of the card intake.
The positive response is sent immediately, if the ICRW receive this command after the card intake.
The intake enable state is kept after the time out. Therefore, the card can be take in at the interval of the
sequential intake command. If the time out is occur while the card intake, the card intake is continued and
negative response is sent.
pm="2" Intake command with magnetic records detection (waiting card insertion and take in the card with
(32h) magnetic records check).
This command check the magnetic record while the intake.
The no magnetic records error "24"(32h,34h) is sent, if the magnetic records are not detected.
The decode error of the magnetic records are not checked in this command.
Note 1) Intake mode disabled automatically in case of the following conditions.

* Receipt of Initialize command.
* When power failure occurred.
* ICRW detects DSR signal off.
7.9 Enable/Disable command
“C” “:” mg
Command pm
(43h) (3Ah) (1byte)
“P” “:”
(50h) (3Ah)
“N” “:”
Negative response (4Eh) (3Ah)
pm e1 e0
Control command to accept/inhibit card entry. ICRW sends response upon receipt of this command.
ICRW status should be recognized by Status request command from HOST.
Choose Enable/Disable command or Entry command according to customer's control system.
Although a card will be taken in if the enable command is executed when the discharged card is in a gate
position, the reading result of magnetic data is not guaranteed.
Since execution of the entry command becomes impossible at the time of enable command execution,
combined use of the enable command and the entry command cannot be performed.
pm="0" Enable to accept card . (Enable mode)

(30h) ICRW is changed into a card entry state, and positive response is immediately transmitted to HOST.
And ICRW detected insertion of a card at a gate, it will rotate a motor in the right direction and
will take in a card to inside. If a card is drawn out before being taken in by the roller, ICRW will
suspend a motor and will be again set to card entry state.
If a card is conveyed to an internal rear side, motor will stop its rotation and a shutter
will be closed automatically. In this operation, a response is not transmitted to HOST.
pm="1" Disable to accept card. (Disable mode)

(31h) It changes into a prohibition state from the permission state of accepting a card.
mg="0" Mag data detect Off

(30h) ICRW executes card accept operation without mag data detection.
"mg" is omissible and this value is default.
mg="1" Mag data detect On

(31h) ICRW executes card accept operation with mag data detection. If mag data is not detect, ICRW stops the
card accept operation and eject the card with negative response "24"(32h,34h). (No mag error)
The point of mag data detection is approx. 15mm from card front edge.
Notes; 1) Enable mode change automatically to Disable mode in case of the following conditions.
* Receipt of Initialize command.
* When power failure occurred.
* ICRW detects DSR signal off.
7.10 Port In/Out command
“C” “=” d0
Command pm
(43h) (3Dh) (1byte)
“P” “=” Se0

(50h) (3Dh) (1byte)
“N” “=”
Negative response (4Eh) (3Dh)
pm e1 e0
This is to check ICRW in maintenance. Operation checks can be done by this command
for the motor, the solenoids, the switch, and the sensors.
pm="0" To enter maintenance mode.

(30h) In this mode, no commands other than initialize or switch command can be executed.
After executing initialize or switch command, ICRW will usually return from maintenance mode to
Normal mode automatically.
pm="1" To release maintenance mode.

(31h) ICRW is returned from maintenance mode to normal mode.
Eject the card if it is within the reader transport.
pm="2" To output port.

(32h) To designate the operation for the motor and solenoids.
b7 b0
d0= 0 1 X 0 X X X X (binary)
SOL 1: Shutter solenoid active.

MCB Motor control*1
MCF
ICS 1: Capture solenoid active
R.F.U. : Reserved for future use
MGN 1: PD1-PD4 margin check circuit active
*1 MCB:1 BRAKE MCB:1 FWD MCB:0 BWD MCB:0 BRAKE

MCF:1 MCF:0 MCF:1 MCF:0
Note: Every function can not be simultaneously performed.

pm="3" To input port.

(33h) To input the status on the switch and the sensors.
b7 b0
Card Width Sensor (full shutter model) or PD1 (pin shutter model)
** Basic flow (example)
"C=0" "C=2E" "C=1"
MCF, SOL ON
Normal mode Maintenance mode Normal mode
The normal mode shows command modes other than the maintenance mode.
The method of going into the maintenance mode from the normal mode is only transmitting "C=0"
command shown in the above figure.
In order to return from the maintenance mode to the normal mode, please transmit "C=1" command shown
in the above figure.
However, Initialize command is executed, after returning to the normal mode, when transmitting Initialize
command into the maintenance mode.
7.11 Sensor Level transmit command
“C” “>”
Command pm
(43h) (3Eh)
“P” “>”
Positive response pm st1 st0 v1h v1l v2h v2l v3h v3l v4h v4l
(50h) (3Eh)
“N” “>”
Negative response (4Eh) (3Eh)
pm e1 e0
This command converts voltage level of photo sensor from Analog to Digital and reports the value.
"vih", "vil" are upper nibble and lower nibble divided from 1 byte of A/D conversion value and "0"(30h)
added respectively.
Ex) : A/D data=E5h

Convert to the Voltage data.
E5h = 229 (decimal) => 5[V] x (229/255) = 4.5[V] => vih="4"(34h), vil="5"(35h)
Comparison of vi and each sensor is as follows;
v1: PD1 , v2: PD2 , v3: PD3 , v4: PD4
pm="0" Emission amount of LED is normal level. If sensor voltage is less than 4.2V without any presence of
(30h) card on sensor, the sensor cleaning must be done as soon as possible. (Attention)
If sensor voltage is less than 3.0V, maintenance such as sensor cleaning must be done immediately
( Warning ) .
pm="1" Emission amount of LED is around one fifth of normal level.

(31h) Objective of voltage measurement with this parameter is to verify sensor work in maintenance.
If sensor voltage is more than 1.5V without any presence of card on sensor,
the sensor is normal. In the case of the full shutter model, the voltage of PD1 has no mean.
7.12 Revision command
“C” “A”
Command pm
(43h) (41h)
“P” “A” Revision data (ASCII 8bytes)

(50h) (41h) Approval Number (ASCII Max 22bytes)
“N” “A”
(4Eh) (41h)
pm="1" Indicates User program code area revision in positive response. (Data length = 8)
(31h) ex) "3432-01D"
pm="2" Indicates EMV controller's firmware revision in positive response. (Data length = 8)
(32h) ex) "2491-02C"
pm="3" Sends the EMV approval number to HOST(Data length = 21). Before EMV approved, 21 bytes space
characters return. EMV approval number is checked by specification.
(33h) ex) "11711 1203 400 20 FIM"
pm="4" (Reserve)
Note) This parameter is left for compatibility with an old ICRW. 22 bytes space characters return.
pm="5" Sends the IFM Identification of the EMV approval to HOST (Data length = 11). IFM Identification is checked
by specification.
(35h) ex) " IFM0K0-0400"
7.13 Counter command
“C” “C” Counter value

Command pm
(43h) (43h) (ASCII Max 3bytes)
“P” “C” Counter value

(50h) (43h) (ASCII Max 3bytes)
“N” “C”
(4Eh) (43h)
pm="2" This command reports cards pass count of the card transport in the ICRW.
(32h) One pass is one round trip of the card in the transport.
The pass count number is reported as the seven digit of ASCII decimal number.
pm="3" This command is for the capture counter function.

(33h) This command reports the cards capture count from the card transport to the back end of the ICRW.
The count up function operates by the Cc parameter setup of the initialize command.
The capture count number is reported as the three digit of ASCII decimal number from "000" to "999".
If a capture command is executed when the capture count number is over the alert count set by the
bellow function, the capture operation performs to usual and transmits the capture counter overflow
error "50"(35h,30h) to the HOST.
pm="4" This command is for the capture counter function.

(34h) This command sets the capture alert count number in the ICRW.
The set capture alert count should be the three digit of ASCII decimal number from "000" to "999".
7.14 IC Card control command

7.14.1 Activate ICC command
“C” “I” “0” Vcc

Command
(43h) (49h) (30h) (1byte)
“P” “I” “0” ATR

(50h) (49h) (30h) (Binary max 65bytes)
“N” “I” “0” ATR

(4Eh) (49h) (30h) (Binary max 65bytes)
This command activates an IC card. The ICRW supplies power (VCC) and clock (CLK), and releases
reset (RST).
Vcc="0" The ICRW supplies +5V to the VCC and activates according to the EMV version 4.2.
(30h)
Vcc="3" The ICRW supplies +5V to the VCC and activates according to the ISO/IEC7816-3:2006.
(33h)
(35h) After receiving the ATR, the ICRW changes the voltage of the VCC in accordance with the T=15 value of
the ATR.
Vcc="6" The ICRW supplies with +5V to the VCC and activates according to the
(36h) ISO/IEC7816-3:2006. After receiving the ATR, the ICRW changes the voltage to the VCC in accordance
with the T=15 value of the ATR.
Vcc="8" The ICRW activates ICC according to ISO/IEC7816-3:2006. VCC is supplied in order of 5V, 3V, and
B
(38h) 1.8V.
Vcc="@" The ICRW supplies +5V to the VCC and activates according to the MONEO card specification.
(40h)
The Vcc parameter can be omitted, and the default value is "0"(30h).
Note) Vcc=30H is used on EMV comply card.
B Vcc=33H is used on old ISO/IEC7816-3 card. (only 5v card)
Vcc=35H (VCC=3V then 5V), Vcc=36H(VCC=5V then 3V) and Vcc=38H(5V, 3V then 1.8V) are
used on ISO/IEC7816-3:2006 card.
Also, Answer To Reset (ATR) from the IC card is received and transmitted to the HOST.
ATR TS T0 TA1 TB1 … TCK
When a power failure is detected while a power supply is supplied to the IC card, the error code
"60"(36,30) is returned.
If the activation error is occurred, the ICRW initiate the deactivation sequence, and sends the error code "
61"(36h,31h), "63"(36h,33h) or "64"(36h,34h).
When the Vcc parameter "0"(30h) is selected and the ATR value is not based on the EMV, the ICRW
initiate the deactivation sequence, and sends the error code "69"(36h,39h).
B When the Vcc parameter "3"(33h), "5"(35h) ,"6"(36h) or "8"(38h) are selected and the ATR value is not
supported by the ICRW, the ICRW initiates the deactivation sequence, and sends the error code "
66"(36h,36h).
The Vcc parameter is not related to the IC card communication. The IC card communication complies
with the EMV version 4.2
The activation command "CI0@" (Vcc="@"(40h)) is only for the MONEO application with the MONEO
card. For the other application (CB, EMV and others) with the MONEO card, the activation commands
B
"CI00","CI03","CI05", "CI06" or "CI08" are available.
The IC card automatic communication command "CI9" must be used after the ICC activation by "CI0@".
The timing chart of ICC activation
Power on
VCC
CLK
RST
380 ~ 42000 clk
12msec 370 ~ 42100 clk
B
41000clk
42100clk ATR wait
TYP.
7.14.2 Deactivate ICC command
“C” “I” “1”

Command
(43h) (49h) (31h)
“P” “I” “1”

(50h) (49h) (31h)
“N” “I” “1”

(4Eh) (49h) (31h)
This command deactivates the IC card.

The time chart of the IC card deactivating sequence is as follows.
Power off
VCC
CLK
RST
B 1-10msec.
1msec.
7.14.3 Inquire ICC status command
“C” “I” “2”

Command
(43h) (49h) (32h)
“P” “I” “2” sti

(50h) (49h) (32h) (1byte)
“N” “I” “2”

(4Eh) (49h) (32h)
The ICRW reports the state of the IC card in the sti of a positive response.
b7 b0
B sti= 0 1 0 0 X X X X (binary)
VCC 1: Active , 0: Inactive

VCC 1: +3V 0: +5V
00 : No Clock
01 : 3.58MHz
10 : 7.16MHz
sti
B b7 b6 b5 b4 b3 b2 b1 b0 Meaning
0 1 0 X - - - - V18
0 1 0 0 - - - - - VCC is defined by V5V3
0 1 0 1 - - - - - VCC=1.8V
0 1 0 - X X - - CLK frequency
0 1 0 - 0 0 - - - No clock
0 1 0 - 0 1 - - - CLK=3.58MHz
0 1 0 - 1 0 - - - CLK=7.16MHz
0 1 0 - 1 1 - - - Reserve
0 1 0 - - - X - V5V3
0 1 0 - - - 0 - - VCC=5V if V18=0
0 1 0 - - - 1 - - VCC=3V if V18=0
0 1 0 - - - - X Active
0 1 0 - - - - 0 - Inactive
0 1 0 - - - - 1 - Active
While a power supply is supplied to the IC card, the ICRW monitors the VCC (the power supply line of the
IC card). The error "60"(36h,30h) is returned when a power failure is detected.
7.14.4 ICC communication T=0
“C” “I” “3” C-APDU

Command
“P” “I” R-APDU

Positive response px st1 st0
(50h) (49h) (Binary max 258bytes)
“N” “I” “3”

(4Eh) (49h) (33h)
This command exchanges data with the IC card using protocol T=0.
In this command, the HOST has to set the "C-APDU" data.
C-APDU CLA INS P1 P2 Lc Data1 ... Data(Lc) Le
The ICRW returns the "R-APDU" data to the HOST.

R-APDU Data1 ... Data(Licc) SW1 SW2
px="3" The received data from the IC card is 258 bytes or less.
(33h)
px="5" The received data from the IC card is 259 bytes or more.
(35h) The ICRW requires the following R-APDU data receiving.
The HOST has to receive the remaining R-APDU data using the "CI7" command.
The maximum data size which can be handled with the ICRW is 261 bytes. If the ICRW receives 262
bytes data from the HOST, the ICRW sends the error code "04"(30h,34h) to the HOST. The maximum
length of the R-APDU in the positive response is 258 bytes. If the R-APDU length from the IC card is 259
bytes or more, the ICRW returns the response with the parameter px="5"(35h) and first 258 bytes data.
The remaining R-APDU data are sent as the positive response data of the command "CI7".
While a power supply is supplied to the IC card, the ICRW monitors the VCC (the power supply line of
the IC card). The ICRW is returned the error code "60"(36h,30h) when a power failure is detected.
If the protocol type of the IC card is not T=0, error code "62"(36h,32h) is sent.
If IC card does not respond within WWT(Working Wait Time), the ICRW deactivates the IC card and the
error code "63"(36h,33h) is sent.
If any other protocol error occurs, the ICRW deactivates the IC card and the error code "64"(36h,34h) is
sent. If HOST tries to communicate before the IC card activation, the error code "65"(36h,35h) is sent.
Note) Licc is the data length which the IC card returns. Please refer to the specifications of the IC card
about Licc.
7.14.5 ICC communication T=1
“C” “I” “4” C-APDU

Command

“N” “I” “4”

(4Eh) (49h) (34h)
This command exchanges data with the IC card using the protocol T=1.
In this command, the HOST has to set the "C-APDU" data. The ICRW adds the Prologue field and the
Epilogue field to the "C-APDU", and sends to the IC card.
If the C-APDU length is greater than the information field size for the IC card (IFSC), the ICRW divides the
C-APDU into several consecutive blocks.
C-APDU CLA INS P1 P2 Lc Data1 .. Data(Lc) Le
chip data NAD PCB LEN CLA INS P1 P2 Lc Data1 .. Data(Lc) Le EDC
Prologue field Information field Epilogue
field
The ICRW sets the R-APDU data which received from the IC card into the positive response,
and transmits to the HOST.
Prologue field Information field Epilogue field
chip data NAD PCB LEN Data1 ... Data(Licc) SW1 SW2 EDC
px="4" The received R-APDU from the IC card is 258 bytes or less.
(34h)
px="5" The received R-APDU from IC card is 259 bytes or more.

(35h) The ICRW requires the following R-APDU receiving to the HOST.
The HOST has to receive the remaining R-APDU data using "CI7" command.
px="?" The ICRW received the S(ABORTrequest) block from the IC card, suspended the data transmission to
(3Fh) the IC card, and deactivated the IC card. The HOST has to stop the following data transmitting.
The maximum data size which can be handled by the ICRW is 261 bytes. If the ICRW receives more
than 262 bytes data from the HOST, the ICRW sends the error code "04"(30h,34h) to the HOST.
When the C-APDU data size is 262 bytes or more, the HOST has to transmit the C-APDU exceeding
261 bytes using the command "CI5" and "CI6".
The maximum length of the R-APDU in the positive response is 258 bytes. If the R-APDU length from
the IC card is 259 bytes or more, ICRW returns the response with the parameter px="5"(35h) and first
258 bytes data.

The remaining R-APDU data are sent as the positive response data of the command "CI7".
the IC card). The error "60"(36h,30h) is returned when a power failure is detected.
If the protocol type of IC card is not T=1, the error code "62"(36h,32h) is sent.
If the IC card does not respond within BWT(Block Waiting Time) or CWT(Character Waiting Time), the
ICRW deactivates the IC card and the error code "63"(36h,33h) is sent.
sent.
If the HOST tries to communicate before the IC card activation, the error code "65"(36h,35h) is sent.
In case there is any trouble in the sequence of command receiving, the error code "02"(30h,32h) is sent.
If the error code "02"(30h,32h) is sent, please re-start from the activation.
Note) The Licc is data length which the IC card returns. Please refer to specifications of the IC card about
length of Licc.
7.14.6 ICC extended communication 1
“C” “I” “5” C-APDU

Command
“P” “I”
(50h) (49h)
“N” “I” “5”

(4Eh) (49h) (35h)
This command transmits the C-APDU exceeding 261 bytes to the IC card. The HOST has to divide
the C-APDU into 261 bytes or less and transmits using this command repeatedly.
px="7" The ICRW requires the following C-APDU data to the IC card. There is no data portion of the positive
(37h) response. The HOST has to transmit the remaining C-APDU data using the command "CI5" or "CI6".
px="?" The ICRW received the S(ABORTrequest) block from the IC card, suspended the data transmission to
(3Fh) the IC card, and deactivated the IC card. The HOST has to stop the following data transmitting.
the IC card). The error code "60" is returned when a power failure is detected.
If the protocol type of the IC card is not T=1, the error code "62"(36h,32h) is sent.
ICRW deactivates the IC card and error code "63"(36h,33h) is sent.
sent.
“C” “I” “6” C-APDU

Command

“N” “I” “6”

(4Eh) (49h) (36h)
This command is used for transmitting the last part of the devided C-APDU. The size of the last data
which can be transmitted is 261 bytes or less.
px="4"(34h) The received R-APDU from the IC card is 258 bytes or less.
px="5"(35h) The received R-APDU from the IC card is 259 bytes or more.
The ICRW requires the following R-APDU data receiving.
The HOST has to receive the remaining R-APDU data using the "CI7" command.
px="?"(3Fh) The ICRW received the S(ABORTrequest) block from the IC card, suspended the data transmission
to the IC card, and deactivated the IC card. The HOST has to stop the following data transmitting.
While a power supply is supplied to the card, the ICRW monitors the VCC (the power supply line of the
card). The error "60"(36h,30h) is returned when a power failure is detected.
If protocol type of the IC card is not T=1, the error code "62"(36h,32h) is sent.
ICRW deactivates the IC card and error code "63"(36h,33h) is sent.
sent.
“C” “I” “7”

Command
(43h) (49h) (37h)

“N” “I” “7”

(4Eh) (49h) (37h)
This command is used for receiving the divided R-APDU exceeding 258 bytes. The HOST has to receive
all of the remaining R-APDU data using this command repeatedly until the response of this command
becomes px="6"(36h).
px="6"(36h) There is no remaining R-APDU data from the IC card.
card). The error "60"(36h,30h) is returned when a power failure is detected.
If the IC card does not respond within WWT(T=0), BWT(T=1) or CWT(T=1), ICRW deactivates the IC
card and the error code "63"(36h,33h) is sent.
sent.
If HOST tries to communicate before an IC card activation, the error code "65"(36h,35h) is sent.
7.14.9 ICC warm reset
“C” “I” “8”

Command
(43h) (49h) (38h)
“P” “I” “8” ATR

“N” “I” “8” ATR

The ICRW sends a reset pulse, keeping the state where the IC card is activated (VCC,CLK), and
receives the ATR from the IC card again (Warm Reset).
If the ATR is not supported by the ICRW with the selected condition at the activate command, the ICRW
initiate the deactivation sequence, and sends the error code "66"(36h,36h) or "69"(36h,39h) with the ATR.
If the ATR receive error is occurred, the ICRW initiate the deactivation sequence, and sends the error
code " 61"(36h,31h), "63"(36h,33h) or "64"(36h,34h).
The ICRW returns error code "65"(36h,35h) if the IC card does not activated.
IC card). The error code "60"(36h,30h) is returned when a power failure is detected.
The time chart of the warm reset sequence is as follows.
VCC
CLK
RST 380 ~ 42000 clk

B 370 ~ 42100 clk
41000clk
42100clk ATR wait
TYP.
7.14.10 ICC automatic communication
“C” “I” “9"

Command
(43h) (49h) (39h)

“N” “I” “9”

(4Eh) (49h) (39h)
This command exchanges data with the IC card using the protocol T=0 or T=1. These protocols are
selected automatically by the ICRW. In this command, the HOST has to set "C-APDU" data.
Other functions are same as "CI3" or "CI4".
px="4"(34h) The received R-APDU from the IC card is 258 bytes or less.
card). The ICRW is returned the error code "60"(36h,30h) when a power failure is detected.
If the IC card does not respond within WWT(T=0), BWT(T=1) or CWT(T=1), the ICRW deactivates the IC
card and error code "63"(36h,33h) is sent. If any other protocol error occurs, the ICRW deactivates the IC
card and the error code "64"(36h,34h) is sent. If the HOST tries to communicate with this command
before the IC card activation, the error code "65"(36h,35h) is sent.
When the protocol is T=1 and C-APDU data is 262 bytes or more, the HOST has to use "CI5" and "CI6"
to sends the following C-APDU data.
7.14.11 Plaintext offline PIN verification

C-APDU (Verify command)(13byte)
“C” “I”
Command pm CLA INS P1 P2 Lc Encrypted offline PIN block
(43h) (49h) 0xH 20H 00H 80H 08H (8byte)
“P” “I”
Positive response px st1 st0 R-APDU
(50h) (49h)
“N” “I”
Negative response pm er1 er0
(4Eh) (49h)
This command decrypts offlince PIN block of C-APDU and changes into plaintext verify command, then
transmits to an IC card.
This function intends the plain text offline PIN block (8bytes fixed) defined by the verify command which
P2 value is 80h to transmit ICRW safely.
pm = "S"(53h) Communication T=0 using "Triple-DES-ECB"

pm = "T"(54h) Communication T=1 using "Triple-DES-ECB"
pm = "Y"(59h) Automatic communication using "Triple-DES-ECB"
pm = "c"(63h) Communication T=0 using "Single-DES-ECB"
pm = "d"(64h) Communication T=1 using "Single-DES-ECB"
pm = "i"(69h) Automatic communication using "Single-DES-ECB"
The Key for decrypting PIN is set by "Key loading for the Plaintext offline PIN verification" command.
If "Device authentication data exchange and key exchange key loading" command or "Key loading for
the Plaintext offline PIN verification" command are not completed, error code "06"(30h,36h) is sent.
px="3"(33h) T=0 protocol IC card's response.

B px="4"(34h) T=1 protocol T=0 or T=1 IC card's response.
px="?"(3Fh) ICRW receive the S(ABORTrequest) block from the IC card, so the communication is
suspended and the IC card deactivated. (Only T=1 protocol).
Reference:
The plaintext offline PIN block shall be formatted as follows:
C N P P P P P/F P/F P/F P/F P/F P/F P/F P/F F F
Where
Name Value
C Control field Binary 2 (hex. 0010)
N PIN length 4-bit binary number with permissible values of hex. 0100 to hex. 1100
P PIN digit 4-bit field with permissible values of hex. 0000 to hex. 1001
P/F PIN / filler Determined by PIN length
F Filler 4-bit binary number with value of hex. 1111
(Reference: EMV version 4.2 Book 3 Application Specification, 6.5 Commands)

7.15 SAM (Secure Application Module) control command

7.15.1 Activate SAM command
“C” “I” “@” Vcc

Command
(43h) (49h) (40h) (1byte)
“P” “I” “@” ATR

“N” “I” “@” ATR

This command activates a SAM. The ICRW supplies power (VCC) and clock (CLK), and releases reset
(RST).
Vcc="0" The ICRW supplies +5V to the VCC and activates according to the EMV version 4.2.
(30h)
(33h)
(35h) After receiving the ATR, the ICRW changes the voltage of the VCC in accordance with the T=15 value of
the ATR.
Vcc="6" The ICRW supplies with +5V to the VCC and activates according to the
(36h) ISO/IEC7816-3:2006. After receiving the ATR, the ICRW changes the voltage to the VCC in accordance
with the T=15 value of the ATR.
Vcc="8" The ICRW activates ICC according to ISO/IEC7816-3:2006. VCC is supplied in order of 5V, 3V, and
B
(38h) 1.8V.
Vcc="@" The ICRW supplies +5V to the VCC and activates according to the MONEO card specification.
(40h)
The Vcc parameter can be omitted, and the default value is "0"(30h).
Note) Vcc=30H is used on EMV comply card.
B Vcc=33H is used on old ISO/IEC7816-3 card. (only 5v card)
Vcc=35H (VCC=3V then 5V), Vcc=36H(VCC=5V then 3V) and Vcc=38H(5V, 3V then 1.8V) are
used on ISO/IEC7816-3:2006 card.
Also, Answer To Reset (ATR) from the SAM is received and transmitted to the HOST.
ATR TS T0 TA1 TB1 … TCK
When a power failure is detected while a power supply is supplied to the SAM, the error code
"60"(36h,30h) is returned.
code " 61"(36h,31h), "63"(36h,33h) or "64"(36h,34h).
When the Vcc parameter "0"(30h) is selected and the ATR value is not based on the EMV2000 ver.4.0,
the ICRW initiate the deactivation sequence, and sends the error code " 69"(36h,39h).
When the Vcc parameter "3"(33h), "5"(35h) or "6"(36h) are selected and the ATR value is not supported
by the ICRW, the ICRW initiates the deactivation sequence, and sends the error code " 66"(36h,36h).
The Vcc parameter is not related to the SAM communication. The SAM communication complies with
the EMV version 4.2
The activation command "CI@@" (Vcc="@"(40h)) is only for the MONEO application with the MONEO
card. For the other application (CB, EMV and others) with the MONEO card, the activation commands
B
"CI@0","CI@3","CI@5" , "CI@6" or "CI@8" are available.
The SAM automatic communication command "CII" must be used after the SAM activation by "CI@@".
The time chart of the SAM activating sequence is as follows
Power on
VCC
CLK
RST
380 ~ 42000 clk
B 12msec 370 ~ 42100 clk
41000clk
42100clk ATR wait
TYP.
7.15.2 Deactivate SAM command
“C” “I” “A”

Command
(43h) (49h) (41h)
“P” “I” “A”

(50h) (49h) (41h)
“N” “I” “A”

(4Eh) (49h) (41h)
This command deactivates the SAM.

The time chart of the SAM deactivating sequence is as follows.
Power off
VCC
CLK
RST
1-10msec.
B 1msec.
7.15.3 Inquire SAM status command
“C” “I” “B”

Command
(43h) (49h) (42h)
“P” “I” “B”

Positive response st1 st0 sti stj
(50h) (49h) (42h)
“N” “I” “B”

(4Eh) (49h) (42h)
The ICRW reports the state of the SAM in the sti of the positive response.
B b7 b0
sti= 0 1 0 0 X X X X (Binary)

VCC 1: +3V , 0: +5V
00 : No clock
01 : 3.58 MHz
10 : 7.16 MHz
sti
B b7 b6 b5 b4 b3 b2 b1 b0 Meaning
0 1 0 X - - - - V18
0 1 0 0 - - - - - VCC is defined by V5V3
0 1 0 1 - - - - - VCC=1.8V
0 1 0 - X X - - CLK frequency
0 1 0 - 0 0 - - - No clock
0 1 0 - 0 1 - - - CLK=3.58MHz
0 1 0 - 1 0 - - - CLK=7.16MHz
0 1 0 - 1 1 - - - Reserve
0 1 0 - - - X - V5V3
0 1 0 - - - 0 - - VCC=5V if V18=0
0 1 0 - - - 1 - - VCC=3V if V18=0
0 1 0 - - - - X Active
0 1 0 - - - - 0 - Inactive
0 1 0 - - - - 1 - Active
And also, ICRW reports the number of the selected SAM with stj.
Before selecting SAM number, ICRW responds that ICRW selects SAM2.
b7 b0
stj= 0 0 1 1 0 X X X (binary)
Selected number
000:(SAM1 R.F.U.)
001: SAM 2 (option)
010: SAM 3 (option)
011: SAM 4 (option)
100: SAM 5 (option)
While a power supply is supplied to the SAM, the ICRW monitors the VCC (the power supply line of the
SAM). The error "60"(36h,30h) is returned when a power failure is detected.
7.15.4 SAM communication T=0
“C” “I” “C” C-APDU

Command

“N” “I” “C”

(4Eh) (49h) (43h)
This command exchanges data with the SAM using protocol T=0.
In this command, the HOST has to set the "C-APDU" data.
C-APDU CLA INS P1 P2 Lc Data1 ... Data(Lc) Le
The ICRW returns the "R-APDU" data to the HOST.
px="C"(43h) The received data from SAM is 258 bytes or less.

px="E"(45h) The received data from SAM is 259 bytes or more.
The HOST has to receive the remaining R-APDU data using the "CIG" command.
The maximum data size which can be handled with the ICRW is 261 bytes. If the ICRW receives 262
bytes data from the HOST, the ICRW sends the error code "04"(30h,34h) to the HOST. The maximum
length of the R-APDU in the positive response is 258 bytes. If the R-APDU length from the SAM is 259
bytes or more, the ICRW returns the response with the parameter px="E"(45h) and first 258 bytes data.
The remaining R-APDU data are sent as the positive response data of the command "CIG".
SAM).
The ICRW is returned the error code "60"(36h,30h) when a power failure is detected.
If the protocol type of the SAM is not T=0, the error code "62"(36h,32h) is sent.
If the SAM does not respond within WWT(Working Wait Time), the ICRW deactivates the SAM and the
error code "63"(36h,33h) is sent.
If any other protocol error occurs, the ICRW deactivates the SAM and the error code "64"(36h,34h) is
sent.
If the HOST tries to communicate before the SAM activation, the error code "65"(36h,35h) is sent.
Note) Licc is the data length which the SAM returns. Please refer to the specifications of the SAM about
Licc.
7.15.5 SAM communication T=1
“C” “I” “D” C-APDU

Command

“N” “I” “D”

(4Eh) (49h) (44h)
This command exchanges data with the SAM using the protocol T=1.
In this command, the HOST has to set the "C-APDU" data. The ICRW adds the Prologue field and the
Epilogue field to the "C-APDU", and sends to the SAM.
If the C-APDU length is greater than the information field size for the SAM (IFSC), the ICRW divides
the C-APDU into several consecutive blocks.
C-APDU CLA INS P1 P2 Lc Data1 .. Data(Lc) Le
chip data NAD PCB LEN CLA INS P1 P2 Lc Data1 .. Data(Lc) Le EDC
Prologue field Information field Epilogue
field
The ICRW sets the R-APDU information field which received from the SAM into the positive response,
and transmits to the HOST.
Prologue field Information field Epilogue field

chip data NAD PCB LEN Data1 ... Data(Licc) SW1 SW2 EDC
px="D"(44h) The received R-APDU from the SAM is 258 bytes or less.
px="E"(45h) The received R-APDU from the SAM is 259 bytes or more.
The ICRW requires the following R-APDU receiving to the HOST.
The HOST has to receive the remaining R-APDU data using "CIG" command.
px="O"(4Fh) The ICRW received the S(ABORTrequest) block from the SAM, suspended the data transmission
to the SAM, and deactivated the SAM. The HOST has to stop the following data transmitting.
The maximum data size which can be handled by the ICRW is 261 bytes. If the ICRW receives 262
bytes data from the HOST, the ICRW sends the error code "04"(30h,34h) to the HOST.
When the C-APDU data size is 262 bytes or more, the HOST has to transmit the C-APDU
exceeding 261 bytes using the command "CIE" and "CIF".
The maximum length of the R-APDU in the positive response is 258 bytes. If the R-APDU length
from the SAM is 259 bytes or more, ICRW returns the response with the parameter px="5"(35h) and
first 258 bytes data.
The remaining R-APDU data are sent as the positive response data of the command "CIG".
While a power supply is supplied to the SAM, the ICRW monitors the VCC (the power supply line of
the SAM). The error "60"(36h,30h) is returned when a power failure is detected.
If the SAM does not respond within BWT(Block Waiting Time) or CWT(Character Waiting Time),
the ICRW deactivates the SAM and the error code "63"(36h,33h) is sent.
If any other protocol error occurs, the CRW deactivates the SAM and the error code "64"(36h,34h) is
sent.
In case there is any trouble in sequence of command receiving, the error code "02"(30h,32h) is sent.
If the error code "02"(30h,32h) is sent, please re-start from activation.
Note) The Licc is data length which the SAM returns. Please refer to specifications of the SAM about
length of Licc.
7.15.6 SAM extended communication 1
“C” “I” “E” C-APDU

Command
“P” “I”
(50h) (49h)
“N” “I” “E”

(4Eh) (49h) (45h)
This command transmits the C-APDU exceeding 261 bytes to the SAM. The HOST has to divide the
C-APDU into 261 bytes or less and transmits using this command repeatedly.
px="G"(47h) The ICRW requires the following C-APDU data to the SAM. There is no data portion of the positive
response. The HOST has to transmit the remaining C-APDU data using the command "CIE" or "CIF".
px="O"(4Fh) The ICRW received the S(ABORTrequest) block from the SAM, suspended the data transmission to
the SAM, and deactivated the SAM. The HOST has to stop the following data transmitting.
SAM). The error code "60"(36h,30h) is returned when a power failure is detected.
If the SAM does not respond within BWT(Block Waiting Time) or CWT(Character Waiting Time), the
ICRW deactivates the SAM and error code "63"(36h,33h) is sent.
sent.
“C” “I” “F” C-APDU

Command

“N” “I” “F”

(4Eh) (49h) (46h)
This command is used for transmitting the last part of the devided C-APDU. The size of the last data
which can be transmitted is 261 bytes or less.
The HOST has to receive the remaining R-APDU data using the "CIG" command.
SAM). The error "60"(36h,30h) is returned when a power failure is detected.
If protocol type of the SAM is not T=1, the error code "62"(36h,32h) is sent.
If the SAM does not respond within BWT(Block Waiting Time) or CWT(Character Waiting Time), the
ICRW deactivates the SAM and error code "63"(36h,33h) is sent.
sent. If the HOST tries to communicate before the SAM activation, the error code "65"(36h,35h) is sent.
“C” “I” “G”

Command
(43h) (49h) (47h)

“N” “I” “G”

(4Eh) (49h) (47h)
This command is used for receiving the divided R-APDU exceeding 258 bytes. The HOST has to receive
all of the remaining R-APDU data using this command repeatedly until the response of this command
becomes px="F"(46h).
px="F"(46h) There is no remaining R-APDU data from the SAM.
SAM).The error "60"(36h,30h) is returned when a power failure is detected.
If the SAM does not respond within WWT(T=0), BWT(T=1) or CWT(T=1), the ICRW deactivates the
SAM and the error code "63"(36h,33h) is sent.
sent.
7.15.9 SAM warm reset
“C” “I” “H”

Command
(43h) (49h) (48h)
“P” “I” “H” ATR

“N” “I” “H” ATR

The ICRW sends a reset pulse, keeping the state where the SAM is activated (VCC,CLK), and receives
the ATR from the SAM again (Warm Reset).
If the ATR is not supported by the ICRW with the selected condition at the activate command, the ICRW
initiate the deactivation sequence, and sends the error code "66"(36h,36h) or "69"(36h,39h) with the ATR.
code " 61"(36h,31h), "63"(36h,33h) or "64"(36h,34h).
The ICRW returns error code "65"(36h,35h) if the SAM does not activated.
SAM). The error code "60"(36h,30h) is returned when a power failure is detected.
The time chart of the warm reset sequence is as follows.
VCC
CLK
RST 380 ~ 42000 clk

370 ~ 42100 clk
B
41000clk
42100clk ATR wait
TYP.
7.15.10 SAM automatic communication
“C” “I” “I"

Command
(43h) (49h) (49h)

“N” “I” “I”

(4Eh) (49h) (49h)
This command exchanges data with the SAM using the protocol T=0 or T=1. These protocols are
selected automatically by the ICRW. In this command, the HOST has to set "C-APDU" data.
Other functions are same as "CIC" or "CID".
px="O"(4Fh) The ICRW received the S(ABORTrequest) block from the SAM, suspended the data transmission
to the SAM, and deactivated the SAM. The HOST has to stop the following data transmitting.
While a power supply is supplied to the SAM, the ICRW monitors VCC (the power supply line of the
SAM).The ICRW is returned the error code "60"(36h,30h) when a power failure is detected.
If the SAM does not respond within WWT(T=0), BWT(T=1) or CWT(T=1), the ICRW deactivates the
SAM and error code "63"(36h,33h) is sent.
sent.
If the HOST tries to communicate with this command before the SAM activation, the error code
"65"(36h,35h) is sent.
When the protocol is T=1 and C-APDU data is 262 bytes or more, the HOST has to use "CI5" and "CI6"
to sends the following C-APDU data.
7.15.11 Select SAM
“C” “I” “P” Sel

Command
(43h) (49h) (50h) (1byte)
“P” “I” “P”

(50h) (49h) (50h)
“N” “I” “P”

(4Eh) (49h) (50h)
This command selects the SAM 2,3,4 or 5. The SAM 1 is reserved for future use(R.F.U).
These SAMs are available by connecting the external SAM board (option).
Sel = "0"(30h):(SAM 1(R.F.U.))
Sel = "1"(31h): SAM 2. (option)
The SAM commands for each SAM are available after selecting the SAM by this command.
The SAM2 is the default value before selecting the SAM using this command.
7.16 Switch command
“C” “K” “0”

Command
(43h) (4Bh) (30h)
“P” “K” “0”

(50h) (4Bh) (30h)
“N” “K” “0”

(4Eh) (4Bh) (30h)
Switch the control to Supervisor program code area from User program code area.
Note: Start from Initialize command of Supervisor program code area after the switch is completed.
Ex) Under user program code area is operated
Execute switch command "CK0"
Switch the control to Supervisor program code area
Execute Initialize command of Supervisor program code area
Execute download command group
Execute switch command "CK0"
Switch the control to User program code area
Execute Initialize command of User program code area
Usual operation
7.17 Siemens memory card control command
7.17.1 Siemens memory card Power on
“C” “R” “0” type

Command
(43h) (52h) (30h) (1byte)
“P” “R” “0”

Positive response st1 st0 ATR
(50h) (52h) (30h)
“N” “R” “0”

Negative response er1 er0
(4Eh) (52h) (30h)
This command activates the memory card. ICRW supply power (Vcc) and clock(CLK),
and assert reset (RST) signal. Then, the memory card is activated and return ATR.
ICRW returns a negative response when proper ATR isn't received from the memory card.
An error code "60"(36h,30h) is returned when a power failure is recognized while a power supply is
supplied to the card.
type :"1"(31h)
This is for the case to select SLE4406.
No ATR data check is executed, and return ATR.
If the card is activated properly with this command,
only SLE4406 command can be executed
: No definition or "0"(30h)
This is for the case to select all memory cards.
ICRW automatically judges the type of memory card by ATR data.
If the card is activated properly, the command of the memory card
of the judged kind can be executed.
Refer to the following table for the judgement.
ATR memory card

H1 H2
A2 13 SLE4442/4432
92 23 SLE4428/4418
19 04
99 04 SLE4406
Power on
Vcc Clock for receiving ATR
CLK
Reset with clock signal CLK

RST
7.17.2 Siemens memory card Power off

“C” “R” “1”
Command
(43h) (52h) (31h)
“P” “R” “1”

(50h) (52h) (31h)
“N” “R” “1”

(4Eh) (52h) (31h)
This command deactivates the memory card.

ICRW asserts reset (RST) signal, and stops clock (CLK) and power supply (Vcc).
Then, the memory card is deactivated.
Vcc
CLK
RST
7.17.3 Inquire Status of Siemens memory card

“C” “R” “2”
Command
(43h) (52h) (32h)
“P” “R” “2”

Positive response st1 st0 str
(50h) (52h) (32h)
“N” “R” “2”

(4Eh) (52h) (32h)
This command report the status of Siemens memory card in "str" byte.
While a power supply is supplied to the card, the ICRW monitors VCC (the power supply line of the card).
An error "60"(36h,30h) is returned when a power failure is detected.
b7 b0
str= 0 1 0 0 0 X X X (binary)

Sort 01: SLE4428 / 4418 , 00: SLE4442 / 4432
10:SLE4406
7.17.4 Communicate with SLE4442
The SLE4442 memory card has no protocol handler in it. So, ICRW builds in protocol handler to
control the memory card. When a usual IC card is controlled, ICRW doesn't check the contents of the
data. (A message is transmitted and received between ICRW and the IC card) Then, the data that it
was received from HOST are transmitted through ICRW to the IC card.
About SLE4442, ICRW must control the signal line of the memory card directly about each data
transmission by the hardware. Therefore, some functions to control SLE4442 were prepared in ICRW.
These functions are specified by a command data form like C-APDU which format is based on ISO/IEC
7816-3 T=0 standard.
Therefore, ICRW recognizes the meaning of the command data, and carries out the treatment related
to the card by controlling hardware.
After the command was executed properly, ICRW returns a positive response with response data
9000h like from the IC card.
When an error occurs during the communication with SLE4442, ICRW returns a positive response with
status information in response data "SW1+SW2" which is based on the ISO/IEC7816-3 T=0 standard.
While a power supply is supplied to the card, the ICRW monitors VCC (the power supply line of the
card). An error "60" is returned when a power failure is detected.
7.17.4.1 Data read from main memory on SLE4442

“C” “R” “3”
Command 00B000 h + ab h + cd h
(43h) (52h) (33h)
“P” “R” “3”

Positive response st1 st0 Data
(50h) (52h) (33h)
“N” “R” “3”

(4Eh) (52h) (33h)
This command is recognized as follows.

ab h : the start address to read data in the main memory
cd h : the number of bytes of data to read
ICRW reads data from the main memory of SLE4442, and transmits data on cdh bytes from the
address ab h. The capacity of the main memory is 256 bytes. The byte number "00"(30h,30h) of data to
read means 256bytes. All the contents of the main memory can be read with the following command.
ex). "CR3" + 00B0000000 h
card). An error "60"(36h,30h) is returned when a power failure is detected.
7.17.4.2 Data read from protection memory on SLE4442

“C” “R” “3”
(43h) (52h) (33h)
“P” “R” “3”

(50h) (52h) (33h)
“N” “R” “3”

(4Eh) (52h) (33h)

ab h : the start address to read data in the protection memory
ICRW handles the data of all 32bits in the protection memory as the data on 4bytes.
The contents (32bit) of the protection memory can be read with the following command.
ex). "CR3" + 00B0010004 h
ICRW reads data from the protection memory of SLE4442, and transmits data on cd h bytes from the
address ab h.
7.17.4.3 Data read from security memory on SLE4442

“C” “R” “3”
(43h) (52h) (33h)
“P” “R” “3”

(50h) (52h) (33h)
“N” “R” “3”

(4Eh) (52h) (33h)

ab h : the start address to read data in the security memory
The security code inside the security memory can't be read properly if the check of PSC (programmable
security code) isn't finished normally. ICRW returns three bytes of 00h as the security code
ICRW handles the data of all 32bits in the security memory as the data on 4bytes.
The contents (32bit) of the security memory can be read with the following command.
ex). "CR3" + 00B0020004 h
ICRW reads data from the security memory of SLE4442, and transmits data on cd h bytes from the
address ab h.
7.17.4.4 Data write to main memory on SLE4442

“C” “R” “3”
Command 00D000H + abH + cdH + efH + ....
(43h) (52h) (33h)
“P” “R” “3”

(50h) (52h) (33h)
“N” “R” “3”

(4Eh) (52h) (33h)

ab h : the start address to write data in the main memory
cd h : the number of bytes of data to write
ef h : the data to write first (cd h bytes)
ICRW writes data in the main memory. ICRW returns a result after written data are checked.
Before doing this operation, PSC (Programmable Security Code) check must be done.
The capacity of the main memory is 256 bytes. The byte number "00" of data to write means 256bytes.
The example that data are written in the whole area of the main memory is shown in the following.
ex). "CR3" + 00D0000000 h + Write Data (256byte)
After command execution, ICRW returns response with 9000h or sw1+sw2 as the result.
If the addressed data on main memory is protected by the protection memory, the write operation is not
available.
7.17.4.5 Data write to protection memory on SLE4442

“C” “R” “3”
Command 00D001 h + ab h + cdh + efh .....
(43h) (52h) (33h)
“P” “R” “3”

(50h) (52h) (33h)
“N” “R” “3”

(4Eh) (52h) (33h)

ab h : the start address of the protection of the main memory
cd h : the number of bytes that it is protected continuously
ef h : the contents of data to protect (cd h bytes)
ICRW can set up writing protection in a part of the main memory which can be protected. Once it is set
up, the protection can't be canceled. Before doing this operation, PSC (Programmable Security Code)
check must be done.
The address of the main memory that the protection is possible is 1Fh from 00h. Each protection
condition of the protectable main memory can be controlled with 4byte (32bits) in the protection memory.
For example, if bit0 of the protection memory byte0 is '1', data on the address 00h of the main memory
are protected.
The contents of data must be presented to protect data in main memory. Therefore, the contents of the
protection memory can't be operated directly.
For example, protection is set up with the next command when the value of the address 10h of the main
memory is 20h and protection isn't set up in the bit address 10h of the protection memory.
ex). "CR3" + 00D001100120 h
After command execution, ICRW returns response with 9000h or "SW1+SW2" as the result.
ICRW reads data first from the main memory, and it is compared with the value that it was received.
When this is wrong, writing isn't begun. Protection condition can be set up at a time in the data which
continued in the main memory.
7.17.4.6 Data write to security memory on SLE4442

“C” “R” “3”
Command 00D002H + ab h + cd h + ef h ....
(43h) (52h) (33h)
“P” “R” “3”

(50h) (52h) (33h)
“N” “R” “3”

(4Eh) (52h) (33h)

ab h : the start address to write data in the security memory
ef h : the data to write first (cd h bytes)
After a PSC check is finished normally, the Reference-Data area of 3byte can be changed.
All 32bits are handled as 4bytes. How to change the Reference-Data is as the following.
ex). "CR3"+ 00D0020103123456 h
Caution : It is only writing though data writing to Error-Counter is always possible. Therefore, be careful of writing
to Error-Counter. Or, the card can't be written any more. Error-Counter is controlled when PSC is
checked.
7.17.4.7 Verification data present to SLE4442

“C” “R” “3”
Command 0020 h + 03 h + 01 h + 03 h + ef h ....
(43h) (52h) (33h)
“P” “R” “3”

(50h) (52h) (33h)
“N” “R” “3”

(4Eh) (52h) (33h)

03 h : Fixed value (the maximum value of the error counter)
01 h : Fixed value (the start address of the security code in the security memory)
03 h : Fixed value (the number of bytes of data to compare)
ef h : the data to compare (3bytes)
Before changing data, PSC(Programmable Security Code) must be checked properly with SLE4442.
Because this function should be made effective, the issue of the next command is necessary.
ex). "CR3"+ 0020030103xxxxxx h (xxxxxx : security code 3bytes)
The presented data are compared with internal Reference-Data by SLE4442 card itself.
Writing treatment becomes effective until a power supply is turned off when a check is finished normally.
The writing function of the card is lost when the command is carried out continuously three times with the
wrong code. A user must know PSC at least when a user wants to rewrite the data on SLE4442 card.
Error-Counter can be reset in the zero if PSC is given to SLE4442 card properly if the value of
Error-Counter is 2 or less.
Same as SLE4442, The SLE4428 memory card has no protocol handler in it.
So, ICRW also builds in protocol handler to control SLE4428.
The control method of SLE4428 is done in the same way as SLE4442.
Refer to SLE4442 for the details of the contents.
7.17.5.1 Data Reading of main-memory of SLE4428

“C” “R” “4”
Command 00B0H + 0aH + bcH + deH
(43h) (52h) (34h)
“P” “R” “4”

(50h) (52h) (34h)
“N” “R” “4”

(4Eh) (52h) (34h)

abc h : the start address to read data in the main memory
de h : the number of bytes of data to read
ICRW reads data from the main memory of SLE4428, and transmits data on deh bytes from the
address abch.
The capacity of the main memory is 1024bytes. The byte number 00h of data to read means 256bytes.
The head part of the main memory can be read with the following command.
ex). "CR4" + 00B0000000h
7.17.5.2 Condition data reading of protection-bit of SLE4428
“C” “R” “4”

Command 00B0 h + 10 h + ab h + cd h
(43h) (52h) (34h)
“P” “R” “4”

(50h) (52h) (34h)
“N” “R” “4”

(4Eh) (52h) (34h)

ab h : the start address to read the image of protection data of the main memory
The protection conditions of 1024bytes of main-memory are changed into the data on 1024bits, and it is
read. 1024bits is equivalent to 128bytes. (1024 = 128 x 8)
Data to read first become protection information to address 007 h from address 000 h of main-memory in
the case of abh = 00 h. The contents of the whole protection image can be read with the following
command.
ex). "CR4" + 00B0100080 h
ICRW reads data as the protection image of SLE4428, and transmits data on cd h bytes from the
address ab h.
7.17.5.3 Data writing to main-memory of SLE4428
“C” “R” “4”

Command 00D0 h + 0a h + bc h + de h + fg h + ...
(43h) (52h) (34h)
“P” “R” “4”

(50h) (52h) (34h)
“N” “R” “4”

(4Eh) (52h) (34h)

abc h : the start address to write data in the main memory
de h : the number of bytes of data to write
fg h : the data to write first (de h bytes)
Before doing this operation, PSC (Programmable Security Code) check must be done (SLE4428).
The capacity of the main memory is 1024 bytes. The byte number 00h of data to write means 256bytes.
The example that data are written in from the address 100h is shown in the following.
ex). "CR4"+ 00D0010000 h + Write Data (256byte)
If the addressed data on main memory is protected, the write operation is not available.
7.17.5.4 Data writing to main-memory of SLE4428 (with protecting it)
“C” “R” “4”

(43h) (52h) (34h)
“P” “R” “4”

(50h) (52h) (34h)
“N” “R” “4”

(4Eh) (52h) (34h)

abc h : the start address to write data in the main memory
de h : the number of bytes of data to write
fg h : the data to write first (de h bytes)
Before doing this operation, PSC (Programmable Security Code) check must be done (SLE4428).
This command is the same as data writing except for Protect's being done at the same time with writing.
Renewal becomes impossible when data are written with this command.
7.17.5.5 Protection-bit is written by the completion of the verification
“C” “R” “4”

(43h) (52h) (34h)
“P” “R” “4”

(50h) (52h) (34h)
“N” “R” “4”

(4Eh) (52h) (34h)

abc h : the start address of the protection of the main memory
de h : the number of bytes that it is protected continuously
fg h : the contents of data to protect (de h bytes)
ICRW can set up writing protection in a part of the main memory which can be protected. Once it is
set up, the protection can't be canceled. Before doing this operation, PSC (Programmable Security
Code) check must be done. The contents of data must be presented to protect data in main memory.
For example, protection is set up with the next command when the value of the address 010 h of the
main memory is 20 h and protection isn't set up.
ex). "CR4" + 00D020100120 h
ICRW reads data first from the main memory, and it is compared with the value that it was received.
When this is wrong, writing isn't begun.
Protection condition can be set up at a time in the data which continued in the main memory.
“C” “R” “4”

Command 00200000 h + 02 h + ef h ....
(43h) (52h) (34h)
“P” “R” “4”

(50h) (52h) (34h)
“N” “R” “4”

(4Eh) (52h) (34h)

02 h : Fixed value (the number of bytes of data to compare)
ef h : the data to compare (2bytes)
Before changing data, PSC(Programmable Security Code) must be checked properly with SLE4428.
Because this function should be made effective, the issue of the next command is necessary.
ex). "CR4"+ 0020000002xxxx h (xxxx : security code 2bytes)
The presented data are compared with internal Reference-Data by SLE4428 card itself.
Writing treatment becomes effective until a power supply is turned off when a check is finished normally.
The writing function of the card is lost when the command is carried out continuously eight times with the
wrong code. A user must know PSC at least when a user wants to rewrite the data on SLE4428 card.
Error-Counter can be reset in the zero if PSC is given to SLE4428 card properly if the value of
Error-Counter is 7 or less.
Same as SLE4442, The SLE4406 memory card has no protocol handler in it.
So, ICRW also builds in protocol handler to control SLE4406.
The control method of SLE4406 is done in the same way as SLE4442.
Refer to SLE4442 for the details of the contents.

“C” “R” “5”
Command 002000 h + 0a h + 03 h + TCB1+TCB2+TCB3
(43h) (52h) (35h)
“P” “R” “5”

(50h) (52h) (35h)
“N” “R” “5”

(4Eh) (52h) (35h)

0a h : Fixed value
03 h : Fixed value
TCB1,TCB2,TCB3 : Transport Code Byte (3byte)
TCB1 TCB2 TDB3
D7-----------D0 D15---------D8 D23---------D16
Write operation is performed at an error counter (72bit~76bit), and TCB is presented to Transport code
area.
Verification is not performed when an error counter is 0.
The presented data are compared with internal Reference-Data by SLE4406 card itself. The writing
function of the card is lost when the command is carried out five times with the wrong code. Error
counter can not be reset to the 0.
After verification, writing the bit64 in the memory changes the card state from Issuer Mode to the User
Mode. This command is not required for card in User Mode.
7.17.6.2 Data Reading of memory of SLE4406

“C” “R” “5”
(43h) (52h) (35h)
“P” “R” “5”

(50h) (52h) (35h)
“N” “R” “5”

(4Eh) (52h) (35h)

ab h : the start address to read data in the memory
ICRW reads data from the memory of SLE4406, and transmits data on cdh bytes from the address abh.
The capacity of the memory is 128bits. 128bits is equivalent to 16bytes.
The contents of the whole data of memory can be read with the following command.
ex) Command
"CR5" + 00B000010 h
Bit 0123 4567 89….. 127

Data 0100 1000 0010 1100 0110 1010 0001 1110 …1111 1111
Address 00H 01H 02H 03H 0FH
Response
"PR5" + 12345678….FF9000 h
16byte
7.17.6.3 Data writing to memory of SLE4406
“C” “R” “5”

Command 00D000 h + ab h + cd h + ef h ...
(43h) (52h) (35h)
“P” “R” “5”

(50h) (52h) (35h)
“N” “R” “5”

(4Eh) (52h) (35h)

ab h : the start address to write data in the memory
ef h… : the data to write first (cd h bytes)
Write data Memory data operation

0 1 Write operation is executed.
Write bit to 0.
0 0 Not executed. *
1 1 or 0 Ignore.
* : Data write does not perform when a memory data
before writing is 0. In this case processing is interrupted.
ICRW write processing is performed from a low rank bit.

Under command execution if a verification error occurs processing is interrupted.
The capacity of the memory is 128bits(=16bytes). However, ROM area is also contained. Refer to the
specification of SLE4406 for details of writable area in memory. ICRW does not distinguish ROM area
and PROM/EEPROM area.
7.17.6.4 Reloading to counter stage of SLE4406
“C” “R” “5”

Command 00D001 h + ab h + cd h
(43h) (52h) (35h)
“P” “R” “5”

(50h) (52h) (35h)
“N” “R” “5”

(4Eh) (52h) (35h)

ab h : counter number.
cd h : bits number.
bit number
7 0
counter number 5 bit71-------bit64
4 bit79-------bit72
3 bit87-------bit80
2 bit95-------bit88
1 bit103-----bit96
ICRW performs reloading cycle operation to counter stage of SLE4406.

Reloading cycle does not perform, when a data is 0.
ICRW does not perform the check after reloading cycle operation.
A result of command execution can be checked by reading of the counter data.
7.18 I2C memory card control command
7.18.1 I2C Power on
“C” “S” “0” Vcc Wrd

Command
(43h) (53h) (30h) (1byte) (1byte)
“P” “S” “0”

(50h) (53h) (30h)
“N” “S” “0”

(4Eh) (53h) (30h)
To close the shutter, then To activate an I2C memory card.

B
ICRW supplies a power supply (Vcc) to the card. After that, ICRW initializes the card inside.
An error code "60"(36h,30h) is returned when a power failure is recognized while a power supply is
supplied to the card.
Vcc: The choice of a power supply voltage to supply

Vcc="0"(30h) : ICRW supplies with +5V to VCC and activates the card.
Vcc="1"(31h) : ICRW supplies with +3V to VCC and activates the card.
Wrd: The number of bytes of the word address of an I2C memory card to use
Wrd="1"(31h) : ICRW accesses an I2C memory card in the Word address of 1byte.
Wrd="2"(32h) : ICRW accesses an I2C memory card in the Word address of 2bytes.
7.18.2 I2C Power off
“C” “S” “1”

Command
(43h) (53h) (31h)
“P” “S” “1”

(50h) (53h) (31h)
“N” “S” “1”

(4Eh) (53h) (31h)
When this command is received, ICRW deactivates an I2C card.

ICRW suspends the supply of the power supply (Vcc). An I2C memory card is deactivated as a result.
7.18.3 Inquire Status of I2C
“C” “S” “2”

Command
(43h) (53h) (32h)
“P” “S” “2” sti

(50h) (53h) (32h) (1byte)
“N” “S” “2”

(4Eh) (53h) (32h)
When this command is received, ICRW reports the condition of an I2C memory card by byte of stj.
b7 b0
sti= 0 1 0 X 0 0 X X (binary)

VCC 1: +3V 0: +5V
Not Available
Not Available
The number of the word address 1: 2bytes , 0: 1byte
7.18.4 I2C Communication
The I2C memory card has no protocol handler in it. So, ICRW builds in protocol handler to control this.
When a usual IC card is controlled, ICRW doesn't check the contents of the data.
(A message is transmitted and received between ICRW and the IC card)
Then, the data that it was received from HOST are transmitted through ICRW to the IC card.
About the I2C memory card, ICRW must control the signal line of the I2C memory card directly about
each data transmission by the hardware.
Therefore, some functions to control an I2C memory card were prepared in ICRW. These functions are
specified by a command data form like C-APDU which format is based on ISO/IEC 7816-3 T=0
standard.
Therefore, ICRW recognizes the meaning of the command data, and carries out the treatment related
to the card by controlling hardware.
After a command is carried out properly, ICRW returns 9000h by the positive response as if it was just
received from the IC card.
When an error occurs during the communication with the I2C memory card, ICRW returns a positive
response with status information in response data "SW1+SW2" which is based on T=0 standard of
ISO/IEC7816-3.
7.18.4.1 Read data from I2C
“C” “S” “3”

Command 00B0 h + ab h + cd h + ef h
(43h) (53h) (33h)
“P” “S” “3”

(50h) (53h) (33h)
“N” “S” “3”

(4Eh) (53h) (33h)
Value
ab h : The upper address of head address which begins to read data
cd h : The lower address of head address which begins to read data
ef h : The number of bytes of data to read
ICRW reads data from the I2C memory card, and transmits data on ef h bytes from the address abcd h.
The value established with ef h bytes is the value which makes the value which it can access without striding
over a page by an I2C memory card to use an upper limit
When the following command is transmitted, data can be read from the I2C memory card.
ex). "CS3" + 00B0000008 h
Note) It doesn't change to the next page automatically when it tries to read it by the bigger value than the page
size of the used I2C memory card or when it changes in the next page from the middle of the page.
Therefore, access it not to cross the boundary of the page. If it is not so, it isn't finished normally.
While a power supply is supplied to the card, the ICRW monitors VCC (the power supply line of the card). An
error "60"(36h,30h) is returned when a power failure is detected.
7.18.4.2 Write data into I2C
“C” “S” “3”

Command 00D0 h + ab h + cd h + ef h + gh h + ....
(43h) (53h) (33h)
“P” “S” “3”

(50h) (53h) (33h)
“N” “S” “3”

(4Eh) (53h) (33h)

ab h : The upper address of head address which begins to write data
cd h : The lower address of head address which begins to write data
ef h : The number of bytes of data to write
gh h : the data to write first (the head data of the data on ef h bytes)
ICRW writes data in the I2C memory card. ICRW returns a result after written data are checked.
The example which data on 8bytes are written in by the continuance from the head address of the I2C memory
card is shown in the following.
ex). "CS3" + 00D0000008 h + Write Data (8bytes)
After command execution, ICRW returns response with 9000h or sw1+sw2 as the result.
Note) It doesn't change to the next page automatically when it tries to write it by the bigger value than the page
size of the used I2C memory card or when it changes in the next page from the middle of the page.
Therefore, access it not to cross the boundary of the page. If it is not so, it isn't finished normally.
While a power supply is supplied to the card, the ICRW monitors VCC (the power supply line of the card). An
error "60"(36h,30h) is returned when a power failure is detected.
7.19 Security command
This command loads the key for "Magnetic data encrypt / decrypt command" and "Plaintext offline PIN
verification command".
Detail of the encrypted data format is defined in the additional document to keep security.
7.19.1 Device authentication data exchange and key exchange key loading
“C” “G” “0”

Command Encrypted data A (32 bytes : binary value)
(43h) (47h) (30h)
“P” “G” “0”

Positive response st1 st0 Encrypted data B (16 bytes : binary value)
(50h) (47h) (30h)
“N” “G” “0”

(4Eh) (47h) (30h)
This command is for the preparation procedure of the encrypted data communication between ICRW
and HOST.
ICRW decrypts the "Encrypted data A" of the command using the master exchange key which is the
fixed secret key and obtains the device authentication data and the key exchange key for "Key loading for
the magnetic data" and "Key Loading for the Plaintext offline PIN verification".
ICRW encrypts the authentication data using the key exchange key and transmits to the HOST as the
"Encrypted data B" of the positive response. HOST checks the result of the authentication from the
"Encrypted data B". These encrypting and decrypting processes use Triple DES-ECB.
If the key exchange key is weak key or semi weak key, ICRW sends the error code "04"(30h,34h).
If the first 8 bytes and the second 8 bytes of the key exchange key are the same data, ICRW sends the
error code "04"(30h,34h).
7.19.2 Key loading for the magnetic data
“C” “G” “1”

Command Encrypted data (16 bytes : binary value)
(43h) (47h) (31h)
“P” “G” “1”

(50h) (47h) (31h)
“N” “G” “1”

(4Eh) (47h) (31h)
This command is for loading the key for the ICRW for the "Magnetic data encrypt / decrypt command".
ICRW decrypts the "Encrypted data" of the command using the key exchange key which is obtained by
the command with pm="0"(30h). This decrypting process uses Triple DES-ECB.
And ICRW obtains the key and initialization vector (IV) for "Magnetic data encrypt / decrypt command"
from the decrypted data.
If the obtained key is weak key or semi weak key, ICRW sends an error code "04"(30h,34h).
If ICRW has not obtain the key exchange key, ICRW sends and error code "06"(30h,36h).
7.19.3 Key loading for the Plaintext offline PIN verification
“C” “G” “2”

Command Encrypted data (16 bytes : binary value)
(43h) (47h) (32h)
“P” “G” “2”

(50h) (47h) (32h)
“N” “G” “2”

(4Eh) (47h) (32h)
This command is for loading the key for the ICRW for the "Plaintext offline PIN verification command".
ICRW decrypts the encrypted data of the command using the key exchange key which is obtained by
pm="0"(30h). This decrypting process uses Triple DES-ECB.
And ICRW obtains the key for "Plaintext offline PIN verification command" from the decrypted data.
When the Plaintext offline PIN verification command is used with the Single DES-ECB mode, the key is
only 8bytes and should be set in first 8bytes of the encrypted data. And second 8bytes should not be
same data to the first 8bytes.
If the obtained key is weak key or semi weak key, ICRW sends an error code "04"(30h,34h).
If the first 8 bytes and the second 8 bytes are the same data, ICRW sends an error code "04"(30h,34h).
If ICRW has not obtain the key exchange key, ICRW sends and error code "06"(30h,36h).
7.19.4 New master exchange key loading

This command loads the new master exchange key.
The detail of this command's specification is described in the separated confidential volume of the
interface specification.
Master exchange key (1) : 16bytes

Key exchange key (2) : 16bytes
Authenticate Data (3) : 16bytes
HOST CRD
(2) and (3) shall be interlaced by 1 byte.

“CG0”
As a result mixed 32bytes data shall be
Triple-DES (2)+(3)
made. These 32bytes data is encrypted
by Triple-DES using the Key (1). CRD decrypts received data by
“PG00x”+Encrypted Data B Triple-DES using Key (1) and gets plain
HOST decrypts received data by Triple-DES Triple-DES(3) text (2) and (3).
using Key (2) and gets plain text (3). CRD encrypts the data (3) by Triple-DES
using the Key (2).
HOST compares the original data of (3).
The Encrypted 16bytes data is sent to
If decrypted data is different from the
HOST.
original data of (3), it means that wrong CRD
is connected.
If decrypted data is same with the original
data of (3), it means that right CRD is
connected and HOST can continue
following operation.
Now Finished Device Authentication.
Key exchange key (2) “CG1” or “CG2”

(MAGKEY+IV) or PINKEY (4) (16bytes) Triple-DES(4) by (2)
CRD decrypts received data by Triple-DES
using Key (2) and gets plain text (4)
“PG10x” or “PG20x” "MAGKEY and IV " or "PINKEY".
ex.
“C6A”
Insert Magnetic Card
CRD read data on ISO Track #1

and encrypts the data by MAGKEY (4).
CRD send the encrypted data to HOST
“P6A02” +
Single-DES(ISO#1) by MAGKEY (4)
“CIT” + C-APDU (Verify Command)

ex. (offline PIN block encrypted by PINKEY)
Insert IC Card (T=1)
CRD Decrypts offline PIN block by PINKEY
(4) and makes normal Verify Command.
CRD sends this Verify Command to IC
“PI402” + R-APDU
and then respond to HOST with
returned data from IC
8. Explanation of error code

Every error status can be cleared by procedure of (Re-Start by initialize to complete normal).
Also, eliminating the cause (i.e.: taking card out of ICRW) clear the error status.
In this case, uses Status request command and confirm before next step that no error code remain.
8.1 Error in communication soft

"00" Meaning : To shows that received command was undefined.
(30h,30h)
Clear : Cleared by receiving correct commands.
"01" Meaning : To show command parameter error.

(30h,31h)
Clear : Cleared by receiving command with correct parameter.
"02" Meaning : To show that ICRW executes Supervisor program code area.
(30h,32h) (Supervisor) (Initialize command only on supervisor mode)
Meaning : To show that un-executable command was received.
(User) Cf. Receiving read command while card is not staying inside the ICRW.
Clear : Cleared by receiving executable command.
"03" Meaning : The function (hardware) required for execution of a command is not carried.
(30h,33h) The function may not be carried or be out of order.
(The existence of each function is automatically recognized by the firmware.)
Clear : The check of hardware is needed.
"04" Meaning : To show that error data was included in command.

(30h,34h)
Clear : Cleared by receiving command including correct data.
"06" Meaning : The key for the cipher function command is not received.
(30h,36h)
Clear : Cleared by the executing the key exchange procedure.
"B0" Meaning : Other commands were received before performing initialize command
(42h,30h) after a power supply injection, reset or switch command execution.
Clear : Execute Initialize command.
8.2 Error at card feeding

"10" Meaning : To show that the card was not carried to the specific location after specified
(31h,30h) number of trial for specified time duration during execution of command of
carrying card in various ways.
Clear : To execute a command again and a card is conveyed in a normal position.
Or, cleared when the card is taken out from the card reader manually.
In this case, confirm the recovery by Status request command.
"11" Meaning : To show that the full shutter does not close when the card entry is completed.
(31h,31h)
Clear : Cleared in case card is returned to card gate by eject command.
After the card is inserted, the unexpected objects are inserted into the gate or
the full shutter is not work collect. Please conform those condition.
"13" Meaning : To show that the card longer than 88.5mm is inserted into ICRW.
(31h,33h)
"14" Meaning : To show that the card shorter than 83.5mm is inserted into ICRW.
(31h,34h)
"16" Meaning : To show that card staying inside the ICRW was moved up to the point where
(31h,36h) status request information changes.
Clear : Cleared in the case card is ejected.
"17" Meaning : To show that the card was not carried to the specific location after specified
(31h,37h) number of trial for specified time duration during execution of Retrieve command.
Clear : To execute a Retrieve command again and a card is normally taken in.
Or, cleared when the card is taken out from the card reader manually.
Confirm the recovery by Status request command in this case.
"18" Meaning : ICRW detected that two cards were inserted, and ejected it.
(31h,38h)
Clear : Remove ejected card from a gate.
"40" Meaning : To show that card is pulled out against card feed in operation.
(34h,30h)
Clear : Command execution is normally possible continuously.
8.3 Error in reading card
The following errors may be recovered if ICRW re-take in and read a card.
When an error is not recovered after this operation, it is unrecoverable since magnetic record of
a card is unusual
"20" Meaning : To show that parity error exists in read error.
(32h,30h)
"21" Meaning : To show that other read error than "20"(32h,30h), "23"(32h,33h)
(32h,31h) and "24"(32h,34h) ( cf : no start sentinel is recorded in the card ).
"23" Meaning : To show that only start sentinel, end sentinel, LRC are contained in the card.
(32h,33h) There are no contents of data.
"24" Meaning : To show that the card has no magnetic track. For entry and enable command
(32h,31h) with mag check, this code is used to indicate error.
8.4 Other error codes
"30" Meaning : To show that power down (or power cut in short instant) is detected
(33h,30h) ( or being detected). It is to be recognized as normal power down
if back up power supply goes down below +12V.
Clear : Cleared when a card is ejected and pulled out after a power supply recovery.
"31" Meaning : To show that DSR signal was turned to OFF ( communication is cut ).
(33h,31h)
Clear : Cleared when a card is ejected and pulled out after DSR signal recovery.
9. RAS (Reliability, Availability, and Serviceability) Function

9.1 The power on / reset boot mode
The ICRW selects the boot modes by the shade conditions of the card detect sensors after the power on
or hardware reset. The boot modes are the standard mode for normal operation and RAS mode to check
their functions and report the results by LED.
9.2 The boot check items and result

The ICRW checks the following items with this order before booting as the standard mode or RAS mode.
Check Items Result

User Program Area CRC Check The ICRW work only on the supervisor program area
(The Initialize command response is always "N0002")
Flash ROM Parameter Area CRC Check The functions of the user program area are not available.
EEPROM Read Check The functions of user program area are not available.
Remained Card Eject and Card Jam Check The functions of user program area are not available.
Implemented Functions Self Recognition The result of the implemented functions self recognition
(Magnetic Head and the available tracks, are able to be confirmed by the initialize command
IC Contact response. The commands using not implemented
and Contactless Read / Write Module) functions are not available.
(The command response using not implemented
function is "Nxx02")
9.3 The condition for boot on RAS mode

The ICRW boots on RAS mode when the card shades only the card width sensor and the power supply
is turned on or the ICRW is reset.
The ICRW starts the card entry motion after booting on RAS mode.
The entry motion tries while 2 seconds with rotating the motor and retries 2 times.
If the card is not inserted while the entry motion, the ICRW finishes the RAS mode and starts the
standard mode.
Full Shutter Model Card Width Sensor
PD2
9.4 The finish condition of RAS mode

In the RAS mode, the ICRW finishes the RAS mode and start standard mode when the card is pulled out
to PD1 open position. And when the abnormal conditions which discontinue the RAS function is detected,
the RAS function stops and finishes the RAS mode when the card is pulled out.
9.5 The overview of RAS operation

1). When the ICRW enter the RAS mode, the ICRW checks the basic functions for RAS operation. If
the basic functions are not normal condition, the ICRW stops the RAS operation, indicate orange
LED and finishes the RAS mode.
2). The ICRW executes the card entry motion. When the ICRW detects the card transport error, the
ICRW stop the RAS operation, indicate orange LED and finishes the RAS mode.
3). While the ICRW executes the card entry, the ICRW read the magnetic stripe data on the card. After
finishing the card entry, the ICRW activate the contact IC card. Each functions are executed only
when the functions are implemented on the ICRW.
4). After the ICRW checks the results of the executions, the ICRW ejects the card. When the ICRW
detects the card transport error, the ICRW stop the RAS operation, indicate orange LED and
finishes the RAS mode.
5). The ICRW indicates the check results by LED blinking three times after ejecting the card properly.
6). The RAS operations are repeatable. If the card turn on the card width sensor or PD1 after LED
indicating the result of previous checking, the ICRW executes the card entry again.
7). If the card is pulled out after LED indicating the result of previous checking, the ICRW finishes the
RAS mode and starts the standard mode.
9.6 The check items and the error indications of RAS

LED LED indication color
check items check function not
indications normal abnormal implemented
basic functions power supply , sensor, light 1sec. orange
motor and turn off
card transport card jam or abnormal light 1sec. orange
card length are detected and turn off
magnetic stripe read error 1st blink green orange green
data read (except for not encoded)
contact IC card receive ATR properly 2nd blink green orange green
activation
OPTION: receive ATQB properly 3rd blink green orange green
(contactless IC card)
9.7 The not checked functions by RAS

1). CPU functions
2). LED lighting
3). Very low power supply voltage
4). Shutter solenoid
5). Interface to the HOST (While the RAS operation, the interface is not available)
9.8 The flow chart of RAS operation
Power On / Reset
Firmware Initializing
Mag. Head Set LED 1st Blink
Function Implementation Check Orange
Implemented ? NO
YES
only PD1
NO is closed ? Mag. Read Set LED 1st Blink
Error ? Orange
YES
YES
NO
Set LED 1st Blink
Card Pull Orange LED Power, Sensor, Green
Out ? Light 1sec. Motor is Normally?
YES NO
NO YES
IC Contact Set LED 2nd Blink
Card Entry Timer / Retry Counter Orange
Implemented ? NO
Motor On
YES
Contact ICC Set LED 2nd Blink

Orange
Card Pull
Activation Error ? YES
YES Out ?
NO
NO Set LED 2nd Blink
Green
Timer / Retry
YES Over ?
Contactless ICC Set LED 3rd Blink
NO R/W Orange
Implemented ? NO
Card Entry
YES
Start ?
NO
Contact less ICC Set LED 3rd Blink
YES Orange
ReqB Error ? YES
Mag. Head NO
Implemented ?
NO Set LED 3rd Blink
Green
YES
Mag. Stripe Data Read

Start LED Blinking
Card Card Eject Card Jam or

Pull Out ? Orange LED Card Length Error ?
YES Light 1sec. YES
NO NO
IC Contact
Implemented ? NO
YES
Contact IC Card Activation
Save Receive ATR
Contactless ICC
R/W
Implemented ? NO
YES
Contactless ICC Req.B Command
Save Receive ATQB
Card Eject
Card Card Eject

Pull Out ? Orange LED Card Jam ?
YES Light YES
NO NO
LED Turn Off

Start Standard Mode
ANNEX 1 Calculation method of CRCC
CRCC(X16+X12+X5+1) is made by the following method.

/*
[data]
hex 0xF2, 0x00, 0x08, 0x43, 0x30, 0x30, 0x33, 0x32, 0x34, 0x30, 0x30
CRC 0xFACE
*/
#define INIT 0x0000 /* Initial value */
#define POLYNOMIAL 0x1021 /* Polynomial X16+X12+X5+1 */
unsigned short calc_crc(unsigned short crc,unsigned short ch);
unsigned short GetCRC(unsigned char *p,unsigned short n);
unsigned short calc_crc(unsigned short crc,unsigned short ch)

{
unsigned short i;
ch <<= 8;
for (i = 8; i > 0; i--) {
if ((ch ^ crc ) & 0x8000) {
crc = (crc << 1) ^ POLYNOMIAL;
}
else {
crc <<= 1;
}
ch <<= 1;
}
return crc;
}
/* Generate GetCRC */
unsigned short GetCRC(unsigned char *p,unsigned short n)
{
unsigned char ch;
unsigned short i;
unsigned short crc = INIT;
for (i = 0; i < n; i++) {

ch = *p++;
crc = calc_crc(crc,(unsigned short)ch);
}
return crc;
}
int main(void)
{
/* Transmission command
STX : F2h
LEN : 00 08h
TEXT: Initialize command ("C0032400")
*/
unsigned char TransCommand[13] ={0xF2,0x00,0x08,0x43,0x30,0x30,0x33,0x32,0x34,0x30, 0x30,0x00,0x00};
unsigned short TextLength = 11; /*lengthof(STX+LEN+TEXT) */

unsigned short crc; /* CRC */
crc = GetCRC(TransCommand, TextLength);

TransCommand[11] = (crc >> 8) & 0xFF;
TransCommand[12] = crc & 0xFF;
return 0;
}
ANNEX 2 Values of ATR parameter (TA1 and TA2)
Table1: Supportable TA1 values

B
Vcc Condition Support Communication speed (F,D)

(Yes/No)
30h TA1 = '11' and TA2=none Yes 9622bps (F=372, D=1)
33h TA1 = 'any' and TA2=none Yes If TA1 is shown in Table2, ICRW
35h (Not including TA1='11') sends PPS request.
36h Communication speed depends
on PPS response.
If TA1 is not shown in Table2,
ICRW does not sends PPS
request. Communication speed is
9622bps (F=372, D=1).
TA1 = 'any' and TA2.b5 = 0 Yes (*1) Comply with Table3
TA1='any' and TA2.b5=1 No(Vcc=30h) -
Yes(Vcc=ELSE) 9622bps (F=372, D=1)
40h TA1 = 'any' and TA2=none Yes 9622bps (F=372, D=1)
(Including TA1='11')
TA1='any' and TA2.b5=0 Yes Comply with Table3
TA1='any' and TA2.b5=1 Yes 9622bps (F=372, D=1)
A meaning of Vcc parameter please refer "activate ICC command".
(*1) When TA1 exists in table3, ICRW supports its TA1.
Table2: TA1 values that ICRW sends PPS request
TA1 02, 12, 03, 13, 32, 33, 53, 54, 92, 93, B2, B3, D3, D4
B Table 3: Supported TA1 values in specific mode
D= 1 2 4 8 16 CLK
F= frequency
372 01 02 03 - - 3.58MHz
(9622) (19244) (38490)
372 11 12 13 - - 3.58MHz
(9622) (19244) (38490)
558 - - - - - -
744 31 32 33 - - 7.16MHz
(9622) (19244) (38490)
1116 - - - - - -
1488 - 52 53 54 - 7.16MHz
(9622) (19244) (38490)
1860 - - - - - -
512 91 92 93 - - 3.58MHz
(6991) (13983) (27965)
768 - - - - - -
1024 B1 B2 B3 - - 7.16MHz
(6991) (13983) (27965)
1536 - - - - - -
2048 - D2 D3 D4 7.16MHz
(6991) (13983) (27965)
Upper row: TA1 value

(Lower row): Communication speed (bps)
Table A2-1: Supportable TA1 values

B Vcc Condition Support Communication speed (F,D)
TA1 = ‘any’ and TA2=none
Yes Comply with table A2-2
(Negotiable mode)
"0"(30h) TA1 = ‘any’ and TA2.b5=0
Yes (*1) Comply with table A2-4
(Specific mode)
TA2.b5=1 No -

"3"(33h) Yes Comply with tabel A2-3
(Negotiable mode)
"5"(35h)
"6"(36h) TA1=‘any’ and TA2.b5=0
"8"(38h) (Specific mode)
TA1=’any’ and TA2.b5=1 Yes 9622bps (F=372, D=1)
Yes 9622bps (F=372, D=1)
(Negotiable mode)
"@"
(40h) TA1=‘any’ and TA2.b5=0
(Specific mode)
TA1=’any’ and TA2.b5=1 Yes 9622bps (F=372, D=1)
Vcc is defined by Activate ICC (SAM) command.

(*1) When TA1 exists in following tables, ICRW supports its TA1.
Table A2-2 – Supportable TA1 values and PPS reqeust in EMV mode
B
ATR PPS request Transmission speed
TA1 F D PPS1 F D
02h 372 2 02h 372 2 Transmisson speed depends on PPS
03h 372 4 03h 372 4 response of PPS1
12h 372 2 12h 372 2
13h 372 4 13h 372 4
32h 744 2 32h 744 2
33h 744 4 33h 744 4
48h 1116 12 48h 1116 12
53h 1488 4 53h 1488 4
54h 1488 8 54h 1488 8
55h 1488 16 55h 1488 16
69h 1860 20 69h 1860 20
92h 512 2 92h 512 2
93h 512 4 93h 512 4
B2h 1024 2 B2h 1024 2
B3h 1024 4 B3h 1024 4
B4h 1024 8 B4h 1024 8
C8h 1536 12 C8h 1536 12
D3h 2048 4 D3h 2048 4
D4h 2048 8 D4h 2048 8
D5h 2048 16 D5h 2048 16
f=3.58MHz,
All other values of TA1 none
Transmission speed(bps) = 9622bps
Note ) If the card returns echoing PPS1, transmission speed is changed to table A2-4. If the card doesn’t transmit
PPS1, transmission speed is default(not changed).
Table A2-3 – Supportable TA1 values and PPS reqeust in ISO mode
B ATR PPS request Transmission speed
TA1 F D PPS1 F D
04h 372 8
05h 372 16
06h 372 32
07h 372 64
08h 372 12
09h 372 20
12h 372 2 12h 372 2
13h 372 4 13h 372 4
14h 372 8
15h 372 16
16h 372 32
17h 372 64
18h 372 12
19h 372 20
32h 744 2 32h 744 2
33h 744 4 33h 744 4
34h 744 8
35h 744 16
36h 744 32
37h 744 64
38h 744 12
39h 744 20
48h 1116 12 48h 1116 12
53h 1488 4 53h 1488 4
54h 1488 8 54h 1488 8
55h 1488 16 55h 1488 16
56h 1488 32
57h 1488 64
58h 1488 12
59h 1488 20
Table A2-3(Continue) – Supportable TA1 values and PPS reqeust in ISO mode
B ATR PPS request Transmission speed
TA1 F D PPS1 F D
93h 512 4 93h 512 4
94h 512 8
95h 512 16
96h 512 32
97h 512 64
98h 512 12
99h 512 20
B2h 1024 2 B2h 1024 2
B3h 1024 4 B3h 1024 4
B4h 1024 8 B4h 1024 8
B5h 1024 16
B6h 1024 32
B7h 1024 64
B8h 1024 12
B9h 1024 20
C8h 1536 12 C8h 1536 12
D3h 2048 4 D3h 2048 4
D4h 2048 8 D4h 2048 8
D5h 2048 16 D5h 2048 16
D6h 2048 32
D7h 2048 64
D8h 2048 12
D9h 2048 20
f=3.58MHz,
All other values of TA1 none
Transmission speed(bps) = 9622bps
Note ) If the card returns echoing PPS1, transmission speed is changed to table A2-4. If the card doesn’t
transmit PPS1, transmission speed is default(not changed).
Table A2- 4 – Supportable TA1 in case of specific mode

B TA1 F D f (MHz) Transmission speed(bps)
= 1/(current etu)
current etu = F/(D*f)
01h 372 1 3.58 9622
02h 372 2 3.58 19245
03h 372 4 3.58 38490
11h 372 1 3.58 9622
12h 372 2 3.58 19245
13h 372 4 3.58 38490
31h 744 1 7.16 9622
32h 744 2 7.16 19245
33h 744 4 7.16 38490
34h 744 8 3.58 38490
48h 1116 12 3.58 38490
52h 1488 2 7.16 9622
53h 1488 4 7.16 19245
54h 1488 8 7.16 38490
55h 1488 16 3.58 38490
69h 1860 20 3.58 38490
91h 512 1 3.58 6991
92h 512 2 3.58 13983
93h 512 4 3.58 27965
B1h 1024 1 7.16 6991
B2h 1024 2 7.16 13983
B3h 1024 4 7.16 27965
B4h 1024 8 3.58 27965
C8h 1536 12 3.58 27965
D2h 2048 2 7.16 6991
D3h 2048 4 7.16 13983
D4h 2048 8 7.16 27965
D5h 2048 16 3.58 27965
ANNEX 3 Values of ATR parameter

Table4: Supported values of ATR B
Vcc 30h 33h 35h 36h 38h 40h

ATR
Supported values
TS 3Fh, 3Bh
T0 any value
TA1 See ANNEX2
TB1 00h (cold reset) any value (*1)
any value
(warm reset) (*1)
TC1 any value
TD1 m.s. nibble : any value
l.s. nibble : 0 or 1
TA2 ANNEX2 and See ANNEX 2
TA2 l.s.nibble = TD1
l.s.nibble
TB2 None (prohibit) any value (*1)
TC2 01h … FFh
TD2 m.s. nibble : any value m.s. nibble : any value
l.s. nibble : ‘1, 14 l.s. nibble : any value
NOT T=15
TA3,TA4 10h ... FEh 01h ... FEh
TB3,TB4 m.s. nibble : 0...4 and m.s. nibble : 0...9 and
l.s. nibble : 0...5 and l.s. nibble : 0...15 and
2CWI > (N+1) 2CWI > (N+1)
TC3,TC4 00h any value
TD3,TD4 any value any value
T=15 (*2) b1=1 b2=1 or b1=1 or
TA3 b1=1 b2=1 or any value
b3=1
TB3,TC3, (*2) any value
TD3
TA4 b1=1 b1=1 b2=1 or b1=1 or any value
b1=1 b2=1 or
b3=1
TB4,TC4 any value
TD4
A meaning of Vcc parameter please refer “activate ICC command”.
(*1) ICRW does not generate Vpp.

(*2) ‘F’(T=15) is prohibited in TD2 l.s.nibble.
ANNEX 4 C-APDU Format
The C-APDU consists of a mandatory header of four consecutive bytes denoted CLA, INS, P1 andP2, followed
by a conditional body of variable length. The meanings of every byte are below.
byte meanings
Mandatory Header CLA Instruction Class
INS Instruction Code
P1 Instruction Parameter 1
P2 Instruction Parameter 2
Conditional Body Lc Byte Length of Data Field
Data Data Field
Le Byte Length of Expected Response Length
About the details of each byte, refer to specifications of every card's standard.
The C-APDU structure has following four cases.

Case Structure
1 CLA INS P1 P2
2 CLA INS P1 P2 Le
3 CLA INS P1 P2 Lc Data
4 CLA INS P1 P2 Lc Data Le
The host shall transmit the command of Case1, Case2, Case3 and Case4 correctly.
Especially for the case 1 on T=0 protocol, ICRW adds '00' internally as the fifth byte of the command to the card.
ANNEX 5 Sequence of activating IC card / SAM
1. In case of Vcc=30h
START
Set Case = 1
(See Note 1)
Cold Reset
Warm Reset Set Case = 2
Yes
Is ATR Yes Is ATR No

check 1 OK ? check 2 OK ? Is Case = 1?
ATR check 1 is OK if ATR check 2 is OK if
No parity and TCK (if returned) Yes the parameters and No
are correct, and structure of the ATR
the timings specified in conform to the
EMV2000 are ANNEX.2 & 3
respected.
ABORT Continue using ABORT

(See Note 3) parameters D,F (See Note 2)
(*1) (*2) (*3)
'Case' is a process variable used to indicate whether a cold or warm reset is operative.
Case = 1 for a cold reset, and Case = 2 for a warm reset.
(*1)ICRW initiates the deactivation of ICC, and sends back error code “61”(36h,31h).
(*2)After ICRW received ATR which shows T=1 protocol, ICRW transmits S (IFSrequest) to ICC. If S
(IFSresponse) can't be received properly from ICC, ICRW initiates the deactivation of ICC, and sends back
error code "63"(36h,33h) or “64”(36h,34h).
When S (IFSresponse) is received properly in the above or when ATR is not T=1 protocol, ICRW transmits
the contents of ATR which is received from ICC to HOST.
(*3)When ATR content is not based on such protocol, which is supported by ICRW, error code “69”(36h,39h)
with ATR data will be sent back and ICRW will deactivate the IC card.
(Reference: EMV Integrated Circuit Card Specification for Payment Systems. Book 1 Version 4.2 June 2008)
START
Set Case=1
Cold Reset
(Vcc=33h:VCC=5V)
Warm Reset Set Case=2
Yes
Yes Yes
Is ATR Is ATR Is ATR No Is Case=1?
chek1 OK? class OK ? check2 OK ?
No No Yes
No
ABORT ABORT Continue using ABORT

parameters D,F
(*4) (*5) (*7)
(*6)
(*4) ICRW initiates the deactivation of ICC, and sends back error code “61”(36h,31h).
(*5) ICRW checks IC-card’s class indicator, which is not supported by ICRW, error code “66”(36h,36h) with
ATR data will be sent back and ICRW will deactivate the IC card.
(*6) After ICRW received ATR which shows T=1 protocol, ICRW transmits S (IFSrequest) to ICC. If S
error code “63"(36h,33h) or “64”(36h,34h).
When S (IFSresponse) is received properly in the above or when ATR is not T=1 protocol, ICRW
transmits the contents of ATR which is received from ICC to HOST.
(*7) When ATR content is not based on such protocol, which is supported by ICRW, error code “66”(36h,36h)
(Reference: ISO/IEC 7816-3:2006)

3. In case of Vcc=35h or 36h
START
Cold Reset
Vcc=35h:VCC=3V
Vcc=36h:VCC=5V
No Card answers
to reset?
De-activate and
Yes
Cold Reset
Vcc=35h:VCC=5V
Vcc=36h:VCC=3V
Is ATR Yes Is ATR Yes Is ATR No

chek1No
OK? class OK ? check2 OK ?
x (A)
No Yes
ABORT
(*8)
Continue using
No Vcc=35h:Is VCC=5V? parameters D,F
Vcc=36h:Is VCC=3V?
Yes (*10)
(A)
ABORT
(*9)
Warm Reset
Yes Yes No
Is ATR Is ATR Is ATR
chek1 OK? class OK ? check2 OK ?
ABORT
No (*11)
No Yes
ABORT
(*8)
ABORT Continue using
(*9) parameters D,F
(*10)
error code "63"(36h,33h) or “64”(36h,34h).
When S (IFSresponse) is received properly in the above or when ATR is not T=1 protocol, ICRW transmits
the contents of ATR which is received from ICC to HOST.
(*11) When ATR content is not based on such protocol, which is supported by ICRW, error code “66”(36h,36h)
(Reference: ISO/IEC 7816-3:2006)

B 4. In case of Vcc=38H
START
VCC=5V
Cold Reset
No
Card answers
to reset?
*a
Yes
No
VCC=5V
Yes Is ATR Yes Is ATR Yes Is ATR No

No check1 OK? class OK ? check2 OK ? (A)
VCC=3V
VCC=3V No No Yes
Yes
ABORT ABORT Continue using

VCC=1.8V *a
(*15) (*15) parameters determined
above
(*14)
(A)
Warm Reset
Is ATR Yes Is ATR Yes Is ATR No

check1 OK? class OK ? check2 OK ?
ABORT
No (*15)
No Yes
ABORT
(*12)
ABORT Continue using
(*13) parameters F,D
(*14)
(*12) ICRW initiates the deactivation of ICC, and sends back error code " 61".
(*13) ICRW checks IC-card's class indicator, which is not supported by ICRW, error code "66" with ATR data will
be sent back and ICRW will deactivate the IC card.
error code "61". When S (IFSresponse) is received properly in the above or when ATR is not T=1 protocol,
ICRW transmits the contents of ATR which is received from ICC to HOST.
(*15) When ATR content is not based on such protocol, which is supported by ICRW, error code "66" with ATR
data will be sent back and ICRW will deactivate the IC card.
(Reference: ISO/IEC 7816-3)

START
Cold Reset
(VCC=5V)
Is ATR No
chek1 OK?
ABORT(*16)
Yes
Is ATR No
check2 OK ?
ABORT(*17)
Yes
No
ATR=
3F 65 25 TC1 MCE
?
Continue using
Yes
parameters D,F (*18)
No MCE= 4x,5x,9x No
MCE= 91,92,93 (except 91,92,93)
Yes Yes
If 91, ICRW sets T=0 and inverse convention Warm Reset Continue using
If 92, ICRW sets T=1 and direct convention parameters D,F (*18)
If 93, ICRW sets T=1 and inverse convention
Is ATR No
chek1 OK?
Continue using ABORT(*16)

Yes
parameters D,F (*18)
Is ATR No
check2 OK ?
ABORT(*17)
Yes
Continue using
parameters D,F(*14)
(IFSresponse) can't be received properly from ICC, ICRW initiates the deactivation of ICC, and sends
back error code "63"(36h,33h) or “64”(36h,34h).
When S (IFSresponse) is received properly in the above or when ATR is not T=1 protocol, ICRW
transmits the contents of ATR which is received from ICC to HOST.
ANNEX 6 Method of IC card communication
IC card communication flow
Start
NO
C-APDU < 262
YES
Transmit “CI5” + C-APDU(n)
C-APDU=C-APDU - C-APDU(n)
Receive “PIX”
NO
X = “7” ?
YES
1
NO
C-APDU < 262
YES
Transmit “CI9” + C-APDU Transmit “CI6” + C-APDU
Receive “PIX” + R-APDU
YES(X=“5”)
X = “5” ?
NO(X=“3”,”4” or “?”) Transmit “CI7”

1
YES(X = “?”)
Receive “PIX” + R-APDU(n)
X = “?” ?
R-APDU=R-APDU+R-APDU(n)
NO
(X = “3”, “4” or “6”)
IC card
YES(X = “5”)
request
abortion. X = “5 “ ?
NO(X = “6” or “?”)
End
Example
HOST ICRW
(exp.1) Transmit 261 bytes or less of data.

Receive 258 bytes or less of data.
"CI9” data
"PI4” data
(exp.2) Transmit data by command chaining(Each data size is 261 bytes or less)
Receive 258 bytes or less of data
"CI5” data1
"PI7"
"CI5” data2
"PI7"
"CI6” data3
"PI4” data
(exp.3) Transmit 261 bytes or less of data

Receive data by command chaining (Each data size is 258 bytes or less)
"CI9” data
"PI5” data1
"CI7"
"PI5” data2
"CI7"
"PI6” data3
(exp.4) Transmit data by command chaining (Each data size is 261 bytes or less)
"CI5” data1
"PI7"
"CI5” data2
"PI7"
"CI6” data3
"PI5” data1
"CI7"
"PI5” data2
"CI7"
"PI6” data3
(exp.5) Interruption with receipt of ABORT request
"CI5”data1
"PI? "
SAM communication flow
Start
NO
C-APDU < 262
YES
Transmit “CIE” + C-APDU(n)
C-APDU=C-APDU - C-APDU(n)
Receive “PIX”
NO
X = “G” ?
YES
1
NO
C-APDU < 262
YES
Transmit “CII” + C-APDU Transmit “CIF” + C-APDU
Receive “PIX” + R-APDU
YES(X=“E”)
X = “E” ?
NO(X=“C”,”D” or “O”) Transmit “CIG”

1
YES(X = “O”)
Receive “PIX” + R-APDU(n)
X = “O” ?
R-APDU=R-APDU+R-APDU(n)
NO
(X = “C”, “D” or “F”)
SAM
YES(X = “E”)
request
abortion. X = “E “ ?
NO(X = “F” or “O”)
End
Example
HOST ICRW
(exp.1) Transmit data 261 bytes or less of data.

Receive 258 bytes or less of data.
"CII” data
"PID” data
(exp.2) Transmit data by command chaining(Each data size is 261 bytes or less)
Receive 258 bytes or less of data
"CIE” data1
"PIG"
"CIE “data2
"PIG"
"CIF” data3
"PID” data
(exp.3) Transmit 261 bytes or less of data

"CII” data
"PIE” data1
"CIG"
"PIE” data2
"CIG"
"PIF” data3
(exp.4) Transmit data by command chaining (Each data size is 261 bytes or less)
"CIE” data1
"PIG"
"CIE” data2
"PIG"
"CIF” data3
"PIE” data1
"CIG"
"PIE” data2
"CIG"
"PIF” data3
(exp.5) Interruption with receipt of ABORT request

"CIE” data1
"PIO"
This page is the end of the document.

Ict3k7-3r6940 I

Uploaded by

Copyright:

Available Formats

Ict3k7-3r6940 I

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ict3k7-3r6940 I

Uploaded by

Copyright:

Available Formats

CONFIDENTIAL No ASL - NP – 17749 – 01

Rev. Date Editor Description

A Apr. 15, 2009 K.Hoson First Edition

7.14.7 ICC extended communication 2............................................................................................................ 48

7.19.3 Key loading for the Plaintext offline PIN verification............................................................................. 93

1.1 Transmission / Control Specification

4) Data length : 8bit + 1 parity

5) Stop bit : 1 bit

1.2 Transmission control method

1.3 Transmission Control Characters

1.4 Transmission Format

STX LEN CRCC

2. Transmission / Control protocol

2.1 Timing chart

2)LED blinking after reset

4) Monitoring state of HOST

5) Cancel/Resume of transmission (User program code area only)

6) Eject Operations (User program code area only)

2.2 Cancel of command

(HOST) Command ACK Command

(ICRW) ACK Response

2.3.2 Irregular operation and back-up

Case 1 300msec Timeout

(HOST) Command Command ACK

(HOST) Command Command ACK

(ICRW) NAK ACK Response

(HOST) Command NAK ACK

Case 4 20sec Time out (Except Entry and

(ICRW) ACK ACK Response

(HOST) Command DLE, EOT

2.3.3 State transition matrix

(2) Wait for Re-send

(3) Wait for Send NAK

(4) Wait for Receive Text in the Length. Send NAK

Receive 2 bytes as CRCC.

* : If it is over the re-try count, it will be judged an error.

Receive 2 bytes as CRCC Send

(5) Wait for Go to (1)

3.1 Text format

"C" "0" "0" Data

1) Command format ( HOST -> ICRW )

This is the format of the command transmit to ICRW from HOST.

2) Positive response format ( ICRW -> HOST )

This is the format of response when command was executed normally.

3) Negative response format ( ICRW -> HOST )

This is the format of response when command was executed abnormally.

3.2 Structure of Firmware areas

Firmware of ICRW is divided into two parts.

(1) Supervisor program code area

(2) User program code area

4. Supervisor program code area

Command cm Function pm Details of operation

4.2 Status code

status code Meaning

4.3 Error code

error code Meaning

5. Command explanation of Supervisor program code area

5.1 Initialize command

"C" “0” “0” “0” “0” “0” “0”