Commandlist:
1. Easy way to implement phoenix or
smartmouse support for AD-Teknik's programmer
2. Best way to implement phoenix or
smartmouse support in your software for AD-Teknik's programmers
3. Programming an Atmel based smartcard
like the Funcard
4. I2C programming with Multiprogrammer
5. Writing and reading pic-chips
The commandset may
only be used to communicate with Programmers and
other products from AD-Teknik
AB, any other use is illegal.
UPDATED for Firmware 5.0
NOTE! Commands for Firmware 2.0 and newer are preliminary as the Firmware 2.0 has not been released yet.
MP 3.4/3.5 runs on 9600, 8N1, half duplex (all data is echoed back)
Signals used in com-port:
1. DCD, Smartcard inserted or not.
2. TxD
3. RxD
4. DTR, Active=Power given to programmer
5. GND
7. RTS, used with trans through-communication, described below.
Flow control:
There is a one way flow control that must be used whenever data sent to the programmer is more than 31 bytes. The flow control is only used separately on each command. in other words it shouldn't be used if you send a bunch of commands to the programmer (which isn't allowed anyway since you have to wait for acknowledge on each command).
Anytime a single command is sent which data (command+data) is longer than 31 bytes you must wait for the programmer to respond with an XON before sending more data.
There is no flow control on any data sent from the programmer, but all commands is written so that the person who writes software for the programmer can decide how much data to be read, and this feature can be used as flow control. But a normal computer should be able to receive data at 960 bytes per second without any problem. At least an IBM PC running at 4.77MHz from 1982 has no problem with doing that.
| Command | Function | ||||||||||||||
| *A 2A 41 |
Returns
Firmware version number. lo,hi, and product code.
(byte) Product code is: 40h for 3.4
|
||||||||||||||
| *B<c> 2A 42 cc |
Set
VPP1 (C2) level: 0 = Nothing (hi
impedance, C2 will be set to 5V with help of a pull-up resistor Response: ACK Firmware 0.8 and newer has a built in
short-circuit detect which will be run automatically when C=3 if command
*{ (smart card reset). The test can give an false alarm if smartcard
is programmed with RC oscillator (unprogrammed state) and C3 is used
for programming data or clock. Firmware 0.12 (for MP34) and 1.2 (for
MP35) and newer will not give any false alarm. make sure that 5V and MCLR is low. Option 7 is only available in firmware 5.1 and newer. Bugfix in firmware 4.3 on *B3: The MCLR signal is now raised 100us after VDD is raised. |
||||||||||||||
| *C<n> 2A 43 nn |
Set
DATA-pin 0=C3 NOTE: The Data/Clock pin C6 is not available in MP 3.5USB and MP 3.6USB Response: ACK |
||||||||||||||
| *D<n> 2A 44 nn |
Set
CLOCK-pin 0=C3 Response: ACK To setup programming via DIL-socket and ICSP connectors use the following settings:
The pin-out for the ICSP connector is:
|
||||||||||||||
| *F<n,c,b,data> 2A 46 nn nn cc bb .. .. .. |
I2C-Write,
write I2C data, n=word. b= is the controlbyte which should be used for ack-polling. C= Response: Error address (word) equals FFFFh if no error + ACK. |
||||||||||||||
| *G<n,c> 2A 47 nn nn cc |
I2C-Read, read
I2C data. n=word. C= Response: N bytes of data+erroroffset(word)+ack/nack NOTE! N must not be greater than 255 on MP Basic with firmware revision 0.4 or earlier. NOTE! Error offset is FFFFh if no error occurred, but on MP Basic with firmware revision 0.3 or earlier error offset can be unknown. Anyway the ack signals a successful operation. |
||||||||||||||
| *N<n> 2A 4E nn |
Send
ICSP-command. where n is the ICSP command. Response: ACK |
||||||||||||||
| *O<n,d> 2A 4F nn dd dd |
Write ICSP-data.
same as *N but sends data with the ICSP command. n = the ICSP command d = the 14 bit data, send as a word, leftshifted! Firmware 2.0 or newer, this command also accepts 16 bit data for compability with PIC18Fxxx chips etc. Response: ACK |
||||||||||||||
| *P<command> 2A 50 |
Read ICSP-data. Response: word read. the result needs to be right shifted and or'ed with 3FFFh if it's an 14bit pic or or'ed with 0FFFh if it's an 12-bit pic. |
||||||||||||||
| *R<r,a,c,n,data> 2A 52 rr aa cc nn nn .. .. |
ICSP-program
data, programs n words of data to memory data, n=word R (byte) = Number of retries. A (byte) = Extra programming cycles to be made after successful programming. C (byte), bitmapped: 0=Normal Response: ErrorData(word)+ErrorOffset(word)+ack/nack NOTE! All data is left-shifted one time!!! I.e.. 3FFF becomes 7FFE etc. Bug fix in FW 1.5: Retries was never multiplied with additional progcycles. in earlier versions. |
||||||||||||||
| *S<n> 2A 53 nn nn |
ICSP-increase
program pointer with <n> word. Response: ACK |
||||||||||||||
| *T<c,n> 2A 54 cc nn nn |
ICSP-read
data, reads n words of program memory data, n=word C (byte), bitmapped: Response: N words of data. BUG! In firmware 0.8 and earlier this command would cause a Watchdog timeout if it takes more than 0.5 seconds. Workaround: don't read large memory blocks! |
||||||||||||||
| *^<c> 2A 5E cc |
Set
Oscillator C is: |
||||||||||||||
| *c 2A 63 |
Get
and clear SysError Response: <syserror>+<syserror2>+<syserror3>+<ack> SysError0 = SysError2 = SysError3 = All undefined bits read zero's. |
||||||||||||||
| *d<n> 2A 64 nn nn |
Send test data… 0,1,2,3, 4
etc… N is a word which tells how many bytes of test data to be sent. This function is only to be used for testing the communication between the programmer and the computer. |
||||||||||||||
| *e<n,data> 2A 65 nn nn .. .. |
Receive test
data, 0,1,2,3,4 etc… N is a word which tells how many bytes of test data the programmer will receive. |
||||||||||||||
| *g 2A 67 |
Smartcard…
Returns 1 if there is a smartcard in the smartcard reader. Not implemented in MP 3.5 |
||||||||||||||
| *h<n> 2A 68 nn |
Set pin low (see set data-pin *C ) | ||||||||||||||
| *i<n> 2A 69 nn |
Set pin high (see set data-pin *C ) | ||||||||||||||
| *j<a,b,c,d> 2A 6A aa bb cc dd |
Send
ATMEL data, Sends 4 byte of data to the ATMEL AT90Sxxxx chip, Serial
programming interface. C4=MOSI,
C7=MISO, C8=SCK Response: 4byte data + <ack/nack>. NOTE! The 4 bytes of data needs to be rotated 1-bit to the right in order to be read correctly. Example: Received 21 58 A6 00 should be translated to 10 AC 53 00 |
||||||||||||||
| *k 2A 6B |
ATMEL
power up, initializes the programmer for Atmel programming.
If firmware is 1.2 or older you need to make an positive clock pulse on the reset signal after sending the *k command Like this: (firmware 1.2 or earlier) *k or for firmware 1.3 and newer: *k |
||||||||||||||
| *l 2A 6C |
ATMEL
extra SCK-pulse, this is used in order to sync. the transmission
between the programmer and the atmel chip. According to the reset
sequence required by Atmel.
To enable communication between the programmer you need to send: *k to initialize programmer to Atmel mode, then send *j AC 53 00 00 to ask for reset, byte 3 should be 53h after you have rotated the *j answer, otherwise send *l and then send the *j command again repeat up to 32 times until you get 53 in byte 3. Now the communications are enabled. See the programming specs on www.atmel.com |
||||||||||||||
| *{ 2A 7B |
Terminate
communication to smartcard/chip.
This function sets C3,C4,C6,C7,C8 to a input high state, turns off the 3.58MHz oscillator and sets C2 to 0V (reset state). On firmware 1.0 and earlier (all MP 3.4) the C2 signal is not set to 0V, so it would be a good practice to send an *B1 2A 42 01 to force the C2 signal to 0V. Because this would prevent cards and chips to execute data if they are programmed to use an internal oscillator or RC-oscillator. On firmware 3.0 and newer this command will also turn on the supply power to the card. |
||||||||||||||
| *| 2A 7C |
Trans-Through
Mode, connects programmers serial port with data pin set by *C. Mode
is ended by setting RTS to inactive state. On Firmware 0.7 and newer, the Trans-through mode is not started until RTS is set active On Firmware 0.8 and newer, no reset is given to smartcard if trans-through mode is started with active RTS. |
||||||||||||||
| *} 2A 7D |
Set Phoenix mode (only implemented on MP34 firmware revision 0.1 and newer) | ||||||||||||||
| *~ 2A 7E |
Set Smartmouse mode (only implemented on MP34 firmware revision 0.1 and newer) | ||||||||||||||
| *
<n> 2A 7F nn |
Delay n=byte, n is the number of 100us delays that you want to be made. | ||||||||||||||
| *Ç 2A 80 |
Emergency
bugfix #1 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *ü 2A 81 |
Emergency
bugfix #2 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *é 2A 82 |
Emergency
bugfix #3 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *â 2A 83 |
Emergency
bugfix #4 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *ä 2A 84 |
Emergency
bugfix #5 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *à 2A 85 |
Emergency
bugfix #6 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *å 2A 86 |
Emergency
bugfix #7 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *ç 2A 87 |
Emergency
bugfix #8 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *ê 2A 88 |
Emergency
bugfix #9 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *ë 2A 89 |
Emergency
bugfix #10 (only implemented on MP 34 firmware revision
0.2 and newer) Not implemented in MP 35 firmware 1.7 and newer since a flash pic is used. |
||||||||||||||
| *è 2A 8A |
Power ON, power is on no
matter of the DTR-signal (only implemented on MP 35 firmware 1.0 and newer) |
||||||||||||||
| *ï 2A 8B |
Power OFF (default),
Power supply is controlled by DTR signal (only implemented on MP 35 firmware 1.0 and newer) |
||||||||||||||
| *î<n> 2A 8C nn |
Only implemented in MP35 firmware 1.4
and newer
n is a byte. Set programming delay in 100us/steps, this overrides the settings in *R if set to anything else than 0, default value is 0. Example, the setting of 100 gives 10ms programming delay. This programming delay is also used for the Atmel programming command, Atmel chip should normally have 4ms programming delay at 5V (set this program delay to 40) |
||||||||||||||
| *ì<p1,p2,n,s1,r1,c,data> 2A 8D p1 p2 nn nn s1 r1 cc .. .. |
Only implemented in MP35 firmware 1.4
and newer
Atmel program command. p1 and p2 is byte, if data is equal to p1 or p2 then the programming delay (specified by the command above) is used, otherwise data-polling is used. n is a word, defining how many byte of data that should be programmed. s1, is the first byte in the 4 byte atmel command to be sent for programming the chip. r1, is the first byte in the 4 byte atmel command to be sent for reading/verifying the chip. c: Response: ErrorData(word)+ErrorOffset(word)+ack/nack The following s1, r1 combinations should be used: 40h, 20h for 8515 low flash p1 and p2: 7Fh, 7Fh for 8515 flash
|
||||||||||||||
| *Ä<n,a> 2A 8E nn nn aa |
Only implemented in MP35 firmware 1.4
and newer
Atmel read command n is a word a is the first byte in the 4 byte atmel command to be sent for reading the chip. response: n bytes of data +<ack> example for the AT90S2323 chip: |
||||||||||||||
| *Å<c>
2A 8F cc |
Only implemented in MP35 firmware 1.5
and newer
Set ICSP PIC programming command, default is 08h, which is the default "Begin Erase Programming cycle", but if you set it to 18h the programmer will do a "Begin Programming Only Cycle" which can be used on bulk erased flash chips for faster programming. This command is no longer needed in firmware 2.0 and newer, but it's still implemented for compability reasons. |
||||||||||||||
| *É
2A 90 |
Switch programmer to use 48byte buffer
instead of 31
Only Firmware 1.5 |
||||||||||||||
|
*æ<a><c><n> 2A 91 aa aa cc nn nn |
Blank check. Make sure that
the data in a pic-chip is equal to a. n is the number of addresses to
check from the current address. a is a word, this is the data which the programmer should compair with the content on the pic-chip and the data should be left shifted once just as in the *R command C (byte), bitmapped: n is word which tells the programmer how many addresses that should be checked. Response: The programmer returns FF FF 06 if all was blank or <index>21 if something was not equal. index is the pointer where an mismatch first was found. NOTE! If no mismatch was detect the internal address pointer in the pic-chip will be placed after the checked memory area ( in other words it will be increased by one from the last checked address). However if a mismatch is detected, the internal address pointer will not be moved from the first detected mismatch. Then you can use the *T command to directly read the content of this address. NOTE! Checking large memory areas, for example the entire program memory of the PIC16F876 chip which has 8192 words of memory takes around 4 seconds to perform, since it requires the programmer to send nearly a quarter of a million clock pulses to the chip. Example: 2A 91 FE 7F 00 00 40 In this example the programmer checks for 3FFFh on 1024 addresses from the current position. The programmer will then return FF FF 06 if the entire memory are was blank or 00 00 21 if a missmatch was found on the first address. Only Firmware 1.7 and newer. |
||||||||||||||
|
*Æ<a><n><data> 2A 92 aa nn .. .. |
Write to the internal eeprom. N is a byte, telling how many bytes to write to address a (byte) and forwards. Note: the first 16 bytes are write protected. Only Firmware 1.7 and newer. |
||||||||||||||
|
*ô<a><n> 2A 93 aa nn |
Read from the internal
eeprom Reads n number of bytes starting from address a. Response: Number of requested bytes plus <ack> The internal eeprom in the programmer is 128 bytes Only Firmware 1.7 and newer. |
||||||||||||||
|
*ö<a> 2A 94 aa aa |
Receive address pointer for
the ATMEL write/read commands. A is a 16bit address pointer (word) This command is useful when you want to start to write or read from a certain address, since normally the ATMEL write/read commands always start from address 0. This command is also very useful when programming the ATmega chip's, since entire pages are programmed at once, example:
NOTE! Once this command has been sent to the programmer, it will always use the address-pointer sent by this command instead of the default 0 until the programmer is re-started. Only Firmware 2.0 and newer. |
||||||||||||||
|
*ò<b1,b2,b3,b4,b5> 2A 95 b1 b2 b3 b4 b5 |
Set communication timings
for the serial port. This command can be used to change the default speed of 9600bps of the programmers serial port. there are 5 timing variables to set: b1 = Startbit Sync, 230 This is how to change the speed:
NOTE! The programmer will always return to it's default speed when it's restarted. NOTE2! Remember to switch back to right speed when sending data through the programmer with the trans through command: *| 2A 7C Only firmware 2.0 and newer. |
||||||||||||||
|
*û <p,i,l,r,e,n,m> 2A 96 PP II LL RR EE NN MM |
Extended
parameters for the *R 2A 52 command. Set commands:
Other parameters:
NOTE! When M is set to 2 or more, be sure to turn of verifying during programming, the chip must be verified with the *T command once programming is completed NOTE! When using this command, there is no need to use the *Å 2A 8F command! Only firmware 2.0 and newer. |
||||||||||||||
|
*ù 2A 97 |
Select
PIC18FXXX programming mode, commands are sent as 4 bit's instead of
6bit's. Only firmware 2.0 and newer |
||||||||||||||
|
*ÿ cmd data 2A 98 cc dd |
ICSP Write
read command for the PIC18Fxxx series chip... cmd is the 4 bit command that should be sent data is a byte of data that should be sent Response: 1 byte of return data followed by ack. Only firmware 2.0 and newer |
||||||||||||||
|
*Ö startbittiming databittiming bits 2A 99 ss dd bb |
This command controls the
timing for the phoenix and smartmouse mode. The default for these commands is to use normal asynchron communication but for some cards a better timing is required between the computers bitrate and the oscillator supplied by the programmer. for 9600bps a startbittiming delay is 216 and for 5726bps a timing of 181 is normal. for 9600bps a databittiming delay of 152 is normal and for 5726bps a timing of 82 is normal. Every increase/decrease in this value changes the timing by +/1us. the startbit timing is calculated as follows: The wanted timing is exactly haft the length of the bit to be transferred, for example: if you use 9600bps each bit-length is 104us And half of that is 52us, there is a built in delay of 12us in the firmware: 216=256-(52-12) the databit timing is simply the wanted bitlength: 152=256-104 The "bits" value should normally be 10, since the stopbits are not included. When using normal ISO7816 compatible software data is sent with 1 startbit, 8 databits, 1 parity and 2 stopbits, this totals to 10bits when we exclude the stopbits. Only firmware 1.9 and newer |
||||||||||||||
|
*Ü 2A 9A |
Set programmer in Phoenix
mode using oscillator 2, 6MHz Only firmware 3.0 and newer |
||||||||||||||
|
*ø 2A 9B |
Set programmer in Smartmouse
mode using oscillator 2, 6MHz Only firmware 3.0 and newer |
||||||||||||||
|
*£ a 2A 9C aa |
Sets the programmer to use
another baudrate instead of 9600bps. The baudrate is calculated as
follows: Baudrate=cpuspeed/16(a+1) cpuspeed = 4000000 on MP 3.5 Set a to 25 for 9600bps and 12 for 19200bps. Maximum speed for firmware 3 and 4 is currently 125000bps This is done the following way: Send the command *£ a and wait for ack. Disable RTS Set the speed to the desired baudrate Enable RTS receive another ACK, this time in the desired baudrate instead. Only firmware 3.0 and newer |
||||||||||||||
|
*Ø T M C 2A 9D TT MM CC |
Setup phoenix/smartmouse
reset delay. In order to compensate for the delays caused by a device connected to a USB port, this command can be used to adjust the reset pulse causing it to be delayed in order to avoid a timeout caused by a too long delay between the reset pulse and data sent after the reset pulse. T is a byte, the default delay is set to 0, no delay. each digit represents a delay of 100us. For example a value of 107 decimal causes a delay of 10.7ms If random mode is activated (see below) the value of T is replaced by a random value instead. M is a byte, which can force the reset pulse lo for a certain minimum time, it is calculated as follows: delay in us = 256 - M. For example a value of 156 will cause a minimum reset pulse length of 100us. C is a bitmapped byte: This command is only supported by USB devices, firmware 4.1 and newer |
||||||||||||||
|
*× 2A 9E |
This command is used to make
the programmer measure the time between the start of the reset pulse and
the first data sent. Here is how to use it:
The value received by this command can be used as the T value of the 2A 9D command. But should be by 100 or 200us, since the programmer should have time to send the resetpulse and to have a small delay before the first data is transmitted This command is only supported by USB devices, firmware 4.1 and newer |
||||||||||||||
|
*ƒ T D C 2A 9F TT DD CC |
Trapcode sender for phoenix
mode. Sends the trapcode (byte) stored in T with a delay of D us (microseconds) the first time card is reseted in phoenix mode. The wanted delay in microseconds is sent to D and is calculated as Delay = (256 - D)*4. C is bitmapped byte: Bit 0 : 0=Direct Mode 1=Inverse mode Response: ACK This command is only supported by USB devices, firmware 4.1 and newer |
||||||||||||||
|
*á Delay1 Delay2 BitReg
ByteDelay ResetLength ResetDelay 2A A0 D1 D2 BB BD RL RD |
Configuration for the
send/receive command. (Only firmware 4.2 and newer) BitReg: 0 : 0=DirectMode 1=InverseMode If internal sync is used then Delay1 and Delay2 is: Delay1 = Bitdelay = 256 - number of us to wait between each bit. Example for 104us delay enter 256-104=152 Delay2 = Startbit delay = The delay between the moment when the falling flank of the start bit is detected until the middle of the first bit. (internal delay of the programmer is 10-16us). Example to get 156us delay for 9600bps: Delay2=256-(156-13) if external sync on C3 is used, then
Delay1 and Delay2 is a word which defines the ETU divided by 4 of each bit. Delay1 =
ETU_LO, Delay2 = ETU_HI. ByteDelay = Number of Bitdelays or ETU's to wait between each byte when sending data. ResetLength = Time to keep reset (C2)
low. Example, for a 100us long reset pulse: ResetDelay = Time to wait before sending data after a reset pulse. Example: To wait 500us before sendning data: ResetDelay=256-(500/4)=131 |
||||||||||||||
|
*í BitReg BytesToSend
BytesToReceive Data 2A A1 BB BS BR DD DD DD.... response: DD DD DD.... NN ACK
|
Send receive data command
(only firmware 4.2 and newer) BitReg: 0 : 0=Don't make resetpulse 1=Make reset pulse defined by ResetLength/ResetDelay BytesToSend = Number of bytes to send to the smartcard BytesToReceive = Number of bytes to receive from smartcard. This command will send the bytes which should be sent to the smartcard (if any) then it will receive the specified number of bytes from the card. To abort from the receive operation you must disable the RTS signal. The command will always respond with the number of bytes requested by the BytesToReceive variable but the actual number of bytes received by the card will be known by the NN byte sent by the command in response. |
||||||||||||||
|
*ó 2A A2 response: LL DD DD DD.... ACK
|
Receive firmware information
(only firmware 5.0 and newer) Receives data as a ascii text string from the programmer, the length of the string is given by the byte LL followed by the string followed by ACK |
||||||||||||||
Firmware consideration:
We recommend programmers to add support for Multiprogrammer 3.4 and 3.5 but as AD-Teknik AB replaces old firmware of the 3.4 for free there is no requirement to support firmware older than 0.10 for the 3.4 Multiprogrammer. But all firmware versions of the 3.5 Multiprogrammer needs to be supported.
Programming examples:
These programming examples explains how to use some of the most common commands for programmers to write their own software for AD-Teknik's Multiprogrammer.
1. Easy way to implement phoenix or smartmouse support for AD-Teknik's programmer
Open comport with 9600,8,N,1. Set DTR Active
Send *A (2A 41) to identify AD-Teknik's programmer (note that Firmware 0.0 of MP 3.4 has no support for phoenix or smartmouse).
For phoenix:
Set RTS signal active
Send command *} to enter phoenix emulation at 3.58MHz
Change comport settings for your application (se below)
Clear RTS, to raise RESET signal on smartcard.
Receive ATR (answer to reset from card)
For Smartmouse:
Clear RTS signal
Send command *~ to enter smartmouse emulation mode at 3.58MHz.
Change comport settings for your application (se below)
Set RTS signal to raise RESET signal on smartcard.
Receive ATR (answer to reset from card)
Comport settings:
9600,8,O,2 for inverted mode
9600,8,E,2 for direct mode.
When inverted mode is used you need to make a bit wise invert of each byte received and make msb to lsb and vice versa since the byte is received backwards.
After communication with card is done:
To exit Smartmouse or Phoenix mode, set transmit signal into Break-state for 1 second, then lower DTR.
2. Best way to implement phoenix or smartmouse support in your software for AD-Teknik's programmers:
The best way is to use the Trans trough command, because you can exit trans through mode easily just by lowering RTS signal.
Open comport at 9600,8,N,1 and set DTR active.
Send *{ to terminate/reset all I/O-pins on the programmer.
Send *B 01 to make sure that smartcard reset signal is cleared (set to 0V)
Send *C 02 to set data pin to C7 which is the most commonly used.
Send *^ 01 to start 3.58MHz oscillator on C3 connector.
Clear RTS signal.
Send *| to enter Trans-trough mode
Change your comport setting if needed (see above)
Active RTS signal to raise reset signal on smartcard
After communication is done:
Change comport back to 9600,8,N,1 if needed.
Clear RTS signal
Receive ACK from *| command.
3. Programming an Atmel based smartcard like the Funcard.
This section describes how to write software to read and write to the Atmel chip but also explains how to program an loader to read and write the external eeprom of a Funcard.
Multiprogrammer requires that the Atmelchip is connected in the following way:
| C1 | 5V |
| C2 | RESET |
| C3 | Oscillator |
| C4 | MOSI |
| C5 | GND |
| C6 | |
| C7 | MISO |
| C8 | SCK |
The above connections is the standard for all Funcards, Jupiter 1 and 2 cards.
Initializing the Atmelchip to enter programming mode:
This needs to be done whenever you need to read or write data from the atmel chip.
Send command *k to set the programmer in "Atmel" mode.
If Firmware is 1.2 or older add this sequence after sending the *k command
Make a positive "Clock-pulse" on reset signal with an 20ms delay afterwards if Firmware is 1.2 or older by sending these three commands:
*B 04 Set RESET to 5V (high)
*B 01 Set RESET to 0V (low)
*<ascii 127> 200
(2A 7F C8) Make a delay for 20ms.
Now send use command *j to send atmel commands, remember to always right shift the 4 byte reply from this command like this
Asm
rcr R1,1
rcr R2,1
rcr R3,1
rcr R4,1
End;
Send *j AC 53 00 00 and read the byte 3 of the result (called R3 here). R3 should equal 53h if you are synchronized with the chip.
If R3 is not equal to 53h then send command *l to make an positive clock pulse on the SCK pin to synchronize the chip. and then try again with *j AC 53 00 00 ,
You need to repeat this sequence with *j and *l up to 32 times until you have the correct answer received on byte 3 (R3).
Once you have received 53h on R3 you may start to identify which Atmel chip is connected reading the signature bytes from the chip
Send command *j 30 00 00 00 byte 4 of the result (R4) should return 1Eh to indicate an Atmel chip.
Send command *j 30 00 01 00 byte 4 of the result (R4) should return the Flash memory size in the following format:
93h means 8192 bytes of Flash memory.
91h means 2048 bytes of Flash memory.
Send command *j 30 00 02 00 byte 4 of the result (R4) should return:
01h means chip is AT90S8515 if Flash size is 8192.
02h means chip is AT90S2323 if Flash size is 2048.
03h means chip is AT90S2343 if Flash size is 2048 or AT90S8535 if Flash size is
8192.
Programming Flash or internal eeprom memory of the Atmel chip
The programming sequence look different depending on which firmware you have in the programmer, but all programmers support the slow sequence.
The addresses of the Flash memory is on a word basis but needs to be programmed one byte at time. So the Flash memory is separated in one LO-byte and one HI-byte.
Make a chip erase before programming, this way we don't need to waste time programming data which is equal to FFh:
Send *j AC 80 00 00 to send chip erase.
Send *<ascii 127> 200 to make a 20ms to wait until the internal erase cycle of the chip is done.
| Slow sequence | Fast Sequnce (only supported by Firmware 1.4 and newer) |
| Send *j 40 0a bb ii
were a is address high bits, b is address low bits and ii is data to write. use 48h instead of 40h to write HI-byte instead. And use C0 for writing to internal eeprom. Wait for 4 ms by sending command *<ascii 127> 40 (2A 7F 28) Verify programming by Sending command *j 20 0a bb oo were oo is byte 4 (R4) the byte read from the address set by a and bb. use 28h instead of 20h to read HI-byte instead. And use A0h to read internal eeprom. Repeat this programming sequence for all memory that require programming (no need to program FFh) as we have previously erased the chip.
|
Set programming delay to 4ms by sending
command: *î 40 (2A 8C 28) Then send command: *ì p1 p2 nnnn s1 r1 01 data (2A p1 p2 nn nn s1 r1 01 .. ..) Were: p1,p2 should both be 7Fh for 8515 Flash memory, and 80h and 7Fh for internal eeprom. nnnn is the number of bytes to be programmed for this memory area. s1 and r1 should be: We are setting the flags to 01h since we have erased the chip, so there is no need to program addresses with FFh. data is the data you wish to program the chip with, send as many bytes as you have specified with nnnn. The AT90S8515 chip has 4096 bytes of LO-byte Flash, and 4096 bytes of HI-byte Flash, plus 512 bytes of eeprom memory. |
Finnish by terminating communication, send *{
Programming the external eeprom of an atmel card.
Jupiter-1 cards has C4 and C8 not only connected to the Atmel chip but also to the external eeprom chip so you can use standard I2C commands to program them. (See below on details on the I2C programming)
C8 is SDA
C4 is SCL
But for other types of Atmel cards with external eeprom, the eeprom is not directly connected to the smartcard connector so the only way to program it is with help of an loader. To make things easier I've put one here:
:1000000017C0B59BFECFB799C09AB79BC0980000A8
:10001000C19AB599FECFC1980895B099C79AB09B7F
:10002000C798B59BFECFC19AB599FECFC1980895E8
:1000300002E00EBF0FE50DBF00E00ABB0BBB04BB27
:1000400005BB01BB02BB0FE107BB0FEA08BBC498AD
:10005000C29AC39AB799FECFC098B599FECFC198FE
:10006000C49ACFDFCEDFCDDFCCDFCBDFCADFC9DF85
:10007000E894B59BFECFB799C09AB79BC098B79943
:100080006894C19AB599FECFC198B898C09ABF9AA2
:10009000B09BC798B099C79AB59BFECFC19AB59946
:1000A000FECFC1989EF1BF98C79AE894C298B59BBD
:1000B000FECFB79BC098B89AC0996894C19A16F0C1
:1000C000B79922C0B599FBCFC1989BDF9ADF99DF22
:1000D00098DF97DF96DFB59BFECFB799C09AB79BA5
:1000E000C0980000C19AB599FECFC198B898C09A3F
:1000F000BF9AB09BC798B099C79AB59BFECFC19ADB
:10010000B599FECFC198CFCFC09AA1CFC39885DF54
:1001100084DF83DF82DF81DF80DF7FDF7EDFBF98E8
:10012000C79AB89AE894B59BFECFB799C09AB79B87
:10013000C098B7996894C19AB599FECFC19826F036
:10014000B898C09ABF9AE2CFB59BFECFC19AB79B31
:06015000FECFC09A7CCF37
:00000001FF
This loader may only be used together with AD-Teknik's Multiprogrammer and is specially written for this purpose. This loader is written for optimized speed of programming and reading the external eeprom, and it's very much different from normal loaders.
This is how it works:
It's very simple, this loader makes the C8 and C4 to act as it was the pin's on the external eeprom. So the only thing you need to do write/read the external eeprom is:
Program this loader into the Flash memory (internal eeprom is not used by this code).
Send *{ to terminate communication
Send *C 03 to set data to C8
Send *D 01 to set Clock to C4
Send *^ 01 to start the 3.58MHz oscillator
Send *B 04 to set RESET to 5V to execute the loader.
Now use the built in I2C programming features of the programmer to program the external eeprom *F and *G, as described on the I2C programming section.
Afterwards just send *{ to terminate the communication.
4. I2C programming with Multiprogrammer
The Multiprogrammer has built in commands to send I2C commands on user configured I/O-pins. To use them you need some knowledge of the buffer sizes of the serial eeprom's you need to program, and most important of all, if the chip uses 1 or 2 bytes of WA (Word address).
When writing to the chip, you must not write more data than the Write Cache size of the chip, then send an stop condition in order to execute the internal writing operation of the eeprom. The Multiprogrammer is capable of ack-polling which can be used to determine when the internal writing cycle of the chip is done.
| Chipname | Memory Size | Write Cache Size | WA size |
| 24C00 | 16 | 1 | 1 |
| 24C01 | 128 | 8 | 1 |
| 24C02 | 256 | 8 | 1 |
| 24C04 | 512 | 16 | 1 |
| 24C08 | 1024 | 16 | 1 |
| 24C16 | 2048 | 16 | 1 |
| 24C32 | 4096 | 32 | 2 |
| 24C64 | 8192 | 32 | 2 |
| 24C65 | 8192 | 64 | 2 |
| 24C128 | 16384 | 64 | 2 |
| 24C256 | 32768 | 64 | 2 |
Setup the programmer to I2C programming by:
Send command *{
Send command *C nn to select Data pin for SDA
Send command *D nn to select Clock pin for SCL
Then use the *F command to send data to the chip:
Example 1
Write 16 bytes to a 24C16 chip: *F 12 00 07 A0 A0 00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
It will instruct the programmer to send 18 bytes, send a start and a stop condition and use A0 for ack-polling. The first two bytes of data is A0 00 which tells the I2C chip to point the address pointer to zero.
Example 2
Read 16 bytes of data on address zero from a 24C16 chip.
Set the address pointer of the chip to zero: *F 02 00 03 A0 A0 00
Make the chip to perform an read operation: *F 01 00 01 A1 A1
Read 16 bytes of data by sending: *G 10 00 01
5. Writing and reading pic-chips.
In order to write or read data from a pic microcontroller you need to set the MCLR signal on that chip to 13 Volt. The MCLR pin is also the reset pin of the pic chip so it's connected to smartcard connector C2. If you would set C2 to 13V by the *B command when a non pic smartcard is inserted like the Funcard or Megapic this card will be damaged.
Example how to write data to an PIC16F84 chip, on a standard Goldcard.
Send command *{ to reset the programmer.
Send Command *C 02 to set Data to C7
Send Command *D 00 to set Clock to C3
Send Command *B 03 to set C2/MCLR to 13 Volt.
Send Command *R 01 00 00 01 00 FE 7F
The above *R command sets retries to 01, additional prog cycles to 00, all flags can be zero when programming 16F84 (for 10ms programming delay), send 1 word of data (one address in the chip), data to send is 3FFFh which must first be left shifted, and sent lo byte first (FE7Fh)
The settings of Retry, Add and the bitmapped C register for different chips and Firmware versions of the programmer:
| Chip | Memory | Retry | Add | C (FW1.3 and older / new firmwares) |
Delay (FW 1.4/ new firmwares) |
Cmd | Address |
| PIC16C84/PIC16F84 | Program | 1 | 0 | 00/00 | 100/100 | 08h | 0-3FFh |
| EEPROM | 1 | 0 | 08/08 | 100/100 | 08h | 2100-213Fh | |
| CFG | 1 | 0 | 00/00 | 100/100 | 08h | 2007h | |
| PIC16F84A | Program | 1 | 0 | 00/00 | 80/40 | 18h | |
| EEPROM | 1 | 0 | 08/08 | 80/40 | 18h | ||
| CFG | 1 | 0 | 00/00 | 80/40 | 18h | ||
| PIC12C508/509 | Program | 8 | 11 | 07/07 | 1 | 08h | |
| CFG | 8 | 11 | 07/07 | 1 | 08h | FFFh | |
| PIC16F876/877 | Program | 1 | 0 | 00/00 | 40/20 | 18h | |
| EEPROM | 1 | 0 | 08/08 | 40/20 | 18h | ||
| CFG | 1 | 0 | 00/00 | 40/20 | 18h | ||
| PIC16C622 | Program | 25 | 3 | 07/07 | 1 | 08h | 0-7FFh |
| CFG | 1 | 100 | 03/03 | 1 | 08h | 2007h | |
| PIC16F627/628 | Program | 1 | 0 | 00/00 | 60/40 | 18h | |
| EEPROM | 1 | 0 | 08/08 | 60/40 | 18h | ||
| CFG | 1 | 0 | 00/00 | 60/40 | 18h |
As you can see, 3 different settings are needed in order to use full performance of each firmware version:
Copyright © 1999-2003 by AD-Teknik AB
Last updated 7 December 2004