PCF7937EA

Security Transponder (HT2-Extended)

Product Specification 2013 Oct 10

Confidential
NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

CONTENTS

1 FEATURES.................................................................................................................................................................................. 4
2 GENERAL DESCRIPTION .......................................................................................................................................................... 4
3 ORDERING INFORMATION ....................................................................................................................................................... 4
4 BLOCK DIAGRAM ....................................................................................................................................................................... 5
5 TYPICAL APPLICATION ............................................................................................................................................................. 5
6 QUICK REFERENCE DATA ........................................................................................................................................................ 6
7 FUNCTIONAL DESCRIPTION SECURITY TRANSPONDER ..................................................................................................... 7
7.1 Memory Organization, EEPROM......................................................................................................................................... 7
7.1.1 Transponder Memory, TM ....................................................................................................................................... 8
7.1.2 Identifier, IDE ........................................................................................................................................................... 8
7.1.3 Password Base station, PSW B ................................................................................................................................ 9
7.1.4 Secret Key, SK ........................................................................................................................................................ 9
7.1.5 Transponder and Memory Configuration, TMCF...................................................................................................... 9
Secret Key Lock, SKL ....................................................................................................................................................... 9
Page 3 Lock, PG3L ........................................................................................................................................................... 9
Protect Write User Page 4 and 5, PWP1 ........................................................................................................................ 10
Protect Write User Page 6 and 7, PWP0 ........................................................................................................................ 10
Enable Cipher Mode, ENC.............................................................................................................................................. 10
EQM, Equalizer Mode ..................................................................................................................................................... 10
Data Coding Select, DCS ............................................................................................................................................... 10
7.1.6 Password Transponder, PSW T ............................................................................................................................. 10
7.1.7 User Pages, USER 0 to 3 ...................................................................................................................................... 10
7.2 Extended User Memory, XM ............................................................................................................................................. 11
Configuration Memory, CM ............................................................................................................................................. 11
Extended Memory Access Configuration, XMACFG ....................................................................................................... 11
Segment Size, SEGx_S .................................................................................................................................................. 12
Segment Mode, SEGx_M ............................................................................................................................................... 12
Device Configuration, DCFG .......................................................................................................................................... 12
8 FUNCTIONAL DESCRIPTION .................................................................................................................................................. 13
8.1 State Diagram ................................................................................................................................................................... 13
INIT State ....................................................................................................................................................................... 13
WAIT State ..................................................................................................................................................................... 14
AUTHORIZED State ....................................................................................................................................................... 14
XMA State....................................................................................................................................................................... 14
XMA CFG State .............................................................................................................................................................. 15
TEST State ..................................................................................................................................................................... 15
8.2 Transponder Command Set .............................................................................................................................................. 16
8.2.1 Command Description ........................................................................................................................................... 17
READ_CFG .................................................................................................................................................................... 18
REFRESH....................................................................................................................................................................... 19
SEL_BLOCK ................................................................................................................................................................... 19
SOFT_RESET ................................................................................................................................................................ 20
READ_PAGE .................................................................................................................................................................. 21
READ_PAGE_INV .......................................................................................................................................................... 21
START_AUTH (Password Mode) ................................................................................................................................... 22
START_AUTH (Cipher Mode) ........................................................................................................................................ 23
WRITE_CFG_M.............................................................................................................................................................. 24
WRITE_CFG_S .............................................................................................................................................................. 25
WRITE_PAGE ................................................................................................................................................................ 26
XMA ................................................................................................................................................................................ 27

2013 Oct 10 2 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

XMA_CFG ...................................................................................................................................................................... 27
XMA_WAIT ..................................................................................................................................................................... 28
TEST .............................................................................................................................................................................. 28
8.3 Calculation Unit ................................................................................................................................................................. 29
8.4 Transponder Data Transmission Format ........................................................................................................................... 30
8.4.1 Read Direction ....................................................................................................................................................... 30
8.4.2 Write Direction ....................................................................................................................................................... 31
8.5 LF Field Power On Reset .................................................................................................................................................. 32
9 EEPROM CONTENT AT DELIVERY ......................................................................................................................................... 33
10 LIMITING VALUES .................................................................................................................................................................. 34
11 DEVICE CHARACTERISTICS ................................................................................................................................................. 35
11.1 Electrical Characteristics ................................................................................................................................................. 35
11.2 Timing Characteristics ..................................................................................................................................................... 36
11.3 Mechanical Characteristics ............................................................................................................................................. 37
12 TEST SETUP........................................................................................................................................................................... 39
13 RELATED DOCUMENTS ........................................................................................................................................................ 40
14 DEVELOPMENT TOOLS......................................................................................................................................................... 40
15 REVISION HISTORY ............................................................................................................................................................... 40
16 LEGAL INFORMATION ........................................................................................................................................................... 41
16.1 Data sheet status ............................................................................................................................................................ 41
16.2 Definitions ....................................................................................................................................................................... 41
16.3 Disclaimers ...................................................................................................................................................................... 41
17 Contact information .................................................................................................................................................................. 42

2013 Oct 10 3 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

1 FEATURES 2 GENERAL DESCRIPTION

 Security Transponder for use in contactless vehicle The PCF7937EA is a high performance Security
Immobilization applications Transponder for vehicle Immobilization applications, where
 PCF7x41EA and PCF7952E compatible Transponder the transponder has to identify itself towards the base
operation station as an authorized device and shall offer extended
 Data transmission and energy supply via LF link user EEPROM data space with versatile access and
 32 bit device identification (serial number) and product protection capabilities. The device is compatible with the
type identification. Transponder operation as provided by the combi-chip
 Fast mutual authentication, 39ms (48 bit Secret Key) devices PCF7x41ETT and PCF7952ETT.
 48 bit Secret Key
The Security Transponder derives its power supply from
 Up to 448 Byte User EEPROM size
the magnetic field (LF field) established by the base station.
 Versatile EEPROM access and protection capabilities
No additional battery supply is needed. Data is transmitted
 Improved Transponder Command error handling
by modulating the LF field.
 20 years non-volatile data retention
 More than 100 000 EEPROM erase/write cycles The Security Transponder features secure contactless
 Excellent sensitivity in read and write mode authentication, employing a Secret Key and a random
 Automotive temperature range: -40°C to +85°C number in order to cipher any communication between the
 Leadless plastic stick package device and the base station.. The device features a factory
programmed quasi random serial number that also serves
as product type identification.

Although the device provides a HT2 compatible

Transponder operation some deviations have to be
observed.

3 ORDERING INFORMATION

EXTENDED PACKAGE TEMPERATURE

TYPE NUMBER NAME DESCRIPTION OUTLINE VERSION RANGE (°C)
PCF7937EA/C1AB5901 SOT3851 leadless plastic stick package SOT385-1 -40°C to +85°C

2013 Oct 10 4 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

4 BLOCK DIAGRAM Security Transponder

The PCF7937EA features a high degree of integration and  Contactless Interface
incorporates the transponder chip, coil and capacitor
 EEPROM (512 Byte)
assembled in a leadless stick package, see Figure 1.
 Control Unit
 Calculation Unit (security algorithm)
 Test Interface

PCF7937EA
V7341E Chip

Contactless Interface EEPROM

IN1
Rectifier (512 Byte)
Voltage Limiter

Modulator
IN2

Clock Control Unit

Resonance circuit
Recovery
fRES = 125 kHz (typ)

VFLD Demodulator

LF Field Calculation
Power On Reset Unit
VSS

Test Interface

Figure 1. Block Diagram

5 TYPICAL APPLICATION

Inductive Link
fSYS = 125 kHz (typ)

Energy
PCF 7937EA
Contactless Interface EEPROM
Basestation Rectifier (512 Bytet)
Voltage Limiter
Analog
Modulator
Interface
To Micro- Clock Control Unit
controller Recovery
Serial
Interface
Write Demodulator

LF Field Calculation
Read Power On Reset Unit

Test Interface

Figure 2. Typical System Configuration

2013 Oct 10 5 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

6 QUICK REFERENCE DATA

PARAMETER VALUE UNIT

Carrier frequency 125 kHz
Data rate READ 4.0 kbit/s
WRITE (typ) 5.2 kbit/s
Data coding READ Manchester or Bi-Phase
WRITE Binary Pulse Length Modulation (BPLM)
Data transmission mode Half-Duplex
Modulation Amplitude Shift Keying (ASK)
EEPROM 512 Byte
Identifier (serial number and product type ID) 32 bit
Secret Key (Cipher Mode) 48 bit
Password (Password Mode) 32 bit
Authentication time 39 ms
Special Features  Ciphered mutual authentication and data transmission, according to HT2 Security Algorithm
Note 1  Up to 448 Byte User EEPROM with versatile access and protection capabilities
 Functional compatible with Security Transponder PCF7x41E
 PCF7936AS compatible Password mode

Note
1. The Password mode is useful prior to device personalization and provided for backward compatibility reasons.

2013 Oct 10 6 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

7 FUNCTIONAL DESCRIPTION SECURITY 7.1 Memory Organization, EEPROM

TRANSPONDER
The device incorporates 512 byte of non-volatile memory
The PCF7937EA does not require any additional power (EEPROM), organized as 16 blocks of 8 pages, each page
supply. It derives its power supply by inductive coupling to assembled by four byte with a total of 32 bit per page. The
the LF Field, which is generated by the base station. memory space is split into Transponder Memory, TM,
Reading and writing to the transponder is provided by Extended User Memory, XM, and Device Configuration
amplitude modulation of the LF field. data; see Figure 3.
The Contactless Interface generates the chip power supply,
clock and reset and features the modulator, and Byte 3 Byte 2 Byte 1 Byte 0

demodulator. The system clock is derived from the LF field Transponder Page 0
Block 0
generated by the base station that typically operates with a Memory
carrier frequency of 125 kHz.
Block 1
The Control Unit grants communication with the
transponder and memory access. Transponder operation
and authentication is controlled by commands send form
Extended User
the base station. Access to the transponder memory Memory
(EEPROM) depends on the device configuration and the
authentication state. The memory is split into blocks and
pages with independent access rights, as configured by the Block 14
user and partly predefined by design.

Device authentication may be performed in Password mode Block 15 Configuration

or in Ciphered mode. In Password mode the base station Memory Page 127
and transponder in plain exchange a set of passwords, Figure 3. EEPROM Organization
while in Cipher mode a mutual authentication based on a
security algorithm is performed that employs a Secret Key
and a random number. The security algorithm is
determined by the on-chip Calculation Unit that in addition
supports ciphered communication and data exchange
between the base station and the transponder.

The Cipher mode is ideally suited for vehicle immobilization

application, while the Password mode is useful prior to
device personalization and provided for backward
compatibility reasons with the PCF7936AS.

Although the chipset provides a HT2 compatible

Transponder operation some deviations have to be
observed. Unless the standard HT2 the HT2-Extended
Transponder operation does not feature a HALT state and
utilizes a modified Transponder Command error handling,
in order to improve system robustness. Latter one refers to
the fact that device configuration changes will become
affective after a reset condition only and not upon detection
of a Transponder Command error.

2013 Oct 10 7 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

7.1.1 Transponder Memory, TM

Password Mode (ENC = 0)
The Transponder Memory, TM, is split into areas for bit 31 bit 0
Transponder Configuration/Personalization, TCFG, and
IDE Page 0
basic User Memory, USER, see Figure 1.
b31 PSW B b0 Page 1
X not used Page 2
Transponder Memory, TM TMCF b23 PSW T b0 Page 3

USER 0 Page 4
Page 0
USER 1 Page 5
TCFG USER 2 Page 6
USER 3 Page 7
Page 3 MSB LSB
Page 4
Cipher Mode (ENC = 1)
USER
bit 31 bit 0
Page 7 IDE Page 0
b31 SK (low) b0 Page 1
Figure 4. Memory Organization
X b47 SK (high) b32 Page 2
Typically, access to the TM segment is granted only after TMCF b23 PSW T b0 Page 3
successful device authorization. Depending on the device
USER 0 Page 4
configuration, device authorization is performed either in
USER 1 Page 5
Password mode or in Cipher mode. However, to ease
USER 2 Page 6
device initialization the TM Segment may also be accessed
plain by taking advantage from the extended memory USER 3 Page 7
access feature. Anyway, memory access is provided only in MSB LSB

accordance with the memory protection settings applied. Figure 5. Transponder Memory Map
The organization of the Transponder Memory, TM,
depends on the authorization method selected (Password Note
or Cipher mode) by the corresponding configuration bit 1. Locations marked ‘X’ are for device internal use. They
(ENC) see Figure 5. are partly initialized and locked against overwriting
during device manufacturing and are not available for
data storage. Any read operation yields an undefined bit
value.
Pages 0 to 3 of the EEPROM memory are reserved for
transponder configuration and personalization, while
Page 4 to 7 are reserved for user data storage, USER.
According to the selected authorization method, page 1 and
2 do hold a Password, PSW B, (Password mode) or the
Secret Key, SK, (Cipher mode).

Any changes made regarding the Transponder

Configuration, TCFG, respectively Page 1 to 3, become
effective after a device reset, hence LF Reset or
SOFT_RESET command only. Detection of a command
error does not cause the device to apply the new
configuration.

7.1.2 Identifier, IDE

The Identifier, IDE, is a factory programmed quasi random
32 bit pattern that serves the function of a device serial
number (SN) and product type identification (PI) see in
Figure 6. The Identifier, IDE, is incorporated in the process

2013 Oct 10 8 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

of device authentication, thus used by the on-chip 7.1.4 Secret Key, SK

Calculation Unit as well as by the interrogating system. The The Secret Key, SK is applicable in Cipher mode only
Identifier is located in page 0 and supports read access (ENC = 1). The Secret Key is a 48 bit pattern, which
only, thus cannot be altered. typically is initialized and subsequently locked by the
customer during device personalization. The Secret Key is
IDE located in page 1 and 2, see Figure 5.
bit 31 8 7 4 3 0
SN 3 SN 2 SN 1 PI SN 0 The 32 least significant bits of SK (bit 31 to bit 0) are
MSB LSB located in page 1 while the 16 most significant bits (bit 47 to
bit 32) are located in page 2 at bit address 0 to 15.
bit 7 6 5 4
The Immobilizer Secret Key is incorporated in the process
1 0 1 1 PI of device authentication and used by the on-chip calculation
unit as well as by the interrogating system. However the
Figure 6. Identifier Organization, IDE Immobilizer Secret Key is never transmitted during the
process of device authentication. For details refer to
The product type identification is located in the bits 4 to 7 section 8.2.1, START_AUTH command.
and factory programmed for all PCF7937EA devices to BH.
The Secret Key may be assigned any value that is
considered useful by the application. The SK can be
7.1.3 Password Base station, PSW B
protected against reading and writing by setting the lock bit
The Password Base station, PSW B, is applicable in SKL, see section 7.1.5
Password mode only (ENC = 0). The Password Base
station is a 32 bit pattern, which typically is initialized and 7.1.5 Transponder and Memory Configuration, TMCF
subsequently locked by the customer during device
Access to the Transponder Memory, TM, and device
personalization. The Password Base station is located in
configuration is controlled by a set of configuration bits,
page 1, see Figure 5.
TMCF, located in page 3, see Figure 7.
During the process to identify the base station towards the
transponder, the transponder verifies the password
bit 31 30 29 28 27 26 25 24
received by the base station with the password stored in
PWP1

PWP0
PG3L

PSW B. If both match each other, the transponder assumes

DCS
ENC

EQM
SKL

TMCF
X

successful identification of the base station and the

authentication sequence is continued, otherwise it is
MSB LSB
terminated. For details refer to section 8.2.1,
START_AUTH command. Figure 7. Transponder Memory Configuration, TMCF

The Password Base station may be assigned any value The memory access rights applied by TMCF affect the
that is considered useful by the application. The PSW B can behavior of READ_PAGE and WRITE_PAGE commands
be protected against reading and writing by setting the lock only. Device operation, e.g. with respect to the
bit SKL, see section 7.1.5 authentication process, is not affected at all.
During device manufacturing the Password Base station is
initialized with a common Transport Key value as specified Secret Key Lock, SKL
(see section 9), in order to enable initial device access. If set, the Password Base station, PSW B, (Password
Since the corresponding lock bit is not set, the PSW B mode) or the Secret Key, SK, (Cipher mode) is irreversible
Transport Key value and device configuration can be read locked against reading and writing (OTP like). If set once,
and modified at any time as desired. its value can no longer be read or altered.

The Password Base station, PSW B, is not applicable in

Page 3 Lock, PG3L
Cipher mode only (ENC = 1). In the latter case the
Password Base station is a pattern fixed by design (all If set, page 3 is irreversible locked against writing (OTP
ones). For further details consult the corresponding like). Thus if set once, the Transponder and Memory
application note (UM0101); see section13. Configuration (TMCF) as well as the Password
Transponder (PSW T) can no longer be altered. However,
reading is supported in any case.

2013 Oct 10 9 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

Protect Write User Page 4 and 5, PWP1 7.1.6 Password Transponder, PSW T
If set, a write protection is assigned for the user pages The Password Transponder, PSW T, is a 24 bit pattern,
page 4 and 5 (USER0 and USER1). As a result its content which typically is initialized and subsequently locked by the
cannot be altered, however, reading is supported in any customer during device personalization. The Password
case. Transponder is located in page 3, see Figure 5.

If cleared, page 4 and page 5 support reading and writing.

The Password Transponder serves the function to identify
The content and organization of the user pages is fully the transponder towards the base station. After successful
determined by the application. device authentication, the transponder returns the content
of page 3 to the base station. In Password mode the
Protect Write User Page 6 and 7, PWP0 content is returned in plain, while in Cipher mode the
content is returned in ciphered fashion. For details refer to
If set, a write protection is assigned for the user pages
section 8.2.1, START_AUTH command.
page 6 and 7 (USER2 and USER3). As a result its content
cannot be altered, however, reading is supported in any Thus the Password Transponder and TMCF configuration
case. may be evaluated by the base station, if desired. The
If cleared, page 6 and page 7 support reading and writing. Password Transponder may hold any value that is
considered useful by the application.
The content and organization of the user pages is fully
determined by the application. 7.1.7 User Pages, USER 0 to 3
Page 4 to 7 provide space for user data storage. Data
Enable Cipher Mode, ENC
access is supported according to the device configuration
The device may be configured for to perform authentication selected.
in either Password mode or Cipher mode.
The user pages may hold any data that is considered
If ENC is set, Cipher mode is selected, otherwise Password useful by the application.
mode.

Thus, ENC affects operation of the START_AUTH

command and whether plain or ciphered transmission of
data and commands is supported, for details refer to
section 8.2.1.

EQM, Equalizer Mode

Transponder communication utilizes an initial Equalizer
pattern to aid settling and synchronization of the base
station, when data is being received from the Transponder.
If EQM is cleared, the standard (HT2 like) Equalizer pattern
(EQ) comprising of fife ones (11111) is being used. If EQM
is set, a modified pattern (EQM) comprising of six ones
followed by a zero bit is selected. The modified Equalizer
pattern eases Manchester decoder synchronization.

Data Coding Select, DCS

In Password or Cipher mode data transmitted from the
transponder to the base station may be encoded in
Manchester or CDP fashion, according to the setting of
DCS.

If DCS is cleared, Manchester encoding is applied,

otherwise CDP coding is applied, see section 8.4.1 for
details.

2013 Oct 10 10 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

7.2 Extended User Memory, XM

ÉEPROM Memory Access
The Extended User Memory offers means to store Byte 3 Byte 2 Byte 1 Byte 0

application data that exceeds the basic user memory Transponder Block 0
space, USER, provided in the Transponder Memory, TM, Memory
Segment 0
and/or that shall feature customized access rights. The Block 1
Extended User Memory is split into 14 Blocks each
comprising of eight pages; see Figure 4. Segment 1
Reading from and writing to the Extended User Memory via Extended User
Memory
the transponder interface is supported by the Extended Segment N
Memory Access feature; see section 8.1.
Block 14
To utilize the extended memory access feature, the Segment 7
Extended User Memory has to be configured and memory
Configuration Block 15
access is provided only in accordance with the memory
Memory
protection settings applied; see section 7.2.
Figure 9. EEPROM Segmentation
Configuration Memory, CM
The first Segment (Segment 0) always incorporates Block 0
Block 15 of the EEPROM holds a set of configuration
and eventually further Blocks. The second Segment directly
pages designated to configure the operation of the Device,
follows the first Segment and so on. The first Segment with
DCFG, Extended Memory Access, XMACFG, and for User
the size of zero terminates the addressable EEPROM
configuration purposes, UCFG; see Figure 8.
space. All following segments are not accessible, even in
case of non-zero size.
Bit Address
The corresponding Segment size and Access Mode per
00H 1FH Segment is determined by a set of configuration pages,
Page 120 see Figure 10.
Page 121
XMACFG
Page 122 Bit Address PAGE
Page 123
00H 07h 08h 0Fh 10h 17h 18h 1FH
Page 124
RESERVED SEG0_M SEG0_S SEG1_M SEG1_S Page 120
Page 125
SEG2_M SEG2_S SEG3_M SEG3_S Page 121
RESERVED / TRIMMING Page 126 SEG4_M SEG4_S SEG5_M SEG5_S Page 122
DCFG Page 127 SEG6_M SEG6_S SEG7_M SEG7_S Page 123
bit 31 bit 0 bit 31 bit 0
MSB LSB MSB LSB

Figure 8. Configuration Memory, CM Figure 10. Extended Memory Access Configuration,

XMACFG
Extended Memory Access Configuration, XMACFG
Any changes made regarding the Extended Memory
The Extended Memory Access feature provides means to Access configuration, XMACFG, becomes effective after a
implement a customized EEPROM read and write scheme device reset, hence LF Reset or SOFT_RESET command
that targets block 0 to block14. Hence enables direct only. Detection of a command error does not cause the
access to the Transponder Memory, TM, and the Extended device to apply the new configuration.
User Memory, XM. To utilize the extended memory access
feature, EEPROM block 0 to block 14 have to be organized However, Extended Memory Access is provided only in
into Segments that may feature individual sizes, see accordance with the corresponding memory protection
Figure 9. settings applied. E.G. access restrictions applied for the
Transponder Memory by the Transponder and Memory
Configuration, TMCF, (see section 7.1.5) are applicable
anyway and cannot be overcome.

2013 Oct 10 11 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

Segment Size, SEGx_S Table 1. Transponder Access Mode

Up to 8 different EEPROM Segments with individual size
Mode Transponder Access Note
may be assigned. Each Segment may comprise of up to
MOD2 MOD1 MOD0 READ WRITE
8 blocks, as defined by the least significant bits of the
corresponding configuration byte; see Figure 11. 0 0 0 DENIED DENIED

0 0 1 PLAIN DENIED
0 1 0 DENIED PLAIN
PWSx

SIZE3

SIZE0
SIZE2
SIZE1

SEGx_S
X

0 1 1 PLAIN PLAIN

1 0 0 PLAIN CIPHERED
MSB LSB 1 0 1 CIPHERED DENIED
Figure 11. Segment Size Configuration, SEGx_S 1 1 0 DENIED CIPHERED
1 1 1 CIPHERED CIPHERED
The configuration designator, SIZE, represent the number
of block assigned (SIZE value ranges from 0 to 8 blocks). If Notes
zero the Segment is not present and ignored during 1. Access to the Transponder Memory may be restricted
Extended Memory Access. The first non-zero size Segment due to Transponder configuration (TMCF), regardless of
starts with the absolute EEPROM Block 0 anyway. the extended memory access mode selected.
2. Access from the RISC is granted anyway and not
If the maximum number of 8 EEPROM blocks is exceeded affected by this configuration.
(SIZE value greater than 8), block 9 and higher of this 3. Access to CIPHER segments is only possible in
segment is simply ignored. CIPHER mode (not in PLAIN mode). Access to
PLAIN segments however is possible in PLAIN
Once an EEPROM segment has been assigned its final mode and in CIPHER mode as well.
size, this configuration may be protected against alteration,
Each Segment may feature an individual Access Mode, as
by setting (OTP like) the configuration bit Protect Write Size
defined by the least significant bits of the corresponding
(PWSx). Anyway, the segment size configuration may still
configuration byte; see Figure 12.
be read.

However, since Segment Size and OTP like nature of the

configuration bit Protect Write Size become effective after a
PWMx

MOD0
MOD2
MOD1

SEGx_M
X

device reset (LF Reset or SOFT_RESET command) only

read after write operation can be applied, to verify proper
programming. Hence, the risk of rendering a device useless MSB LSB
due to programming errors is minimized.
Figure 12. Segment Access Mode Configuration,
SEGx_M
Segment Mode, SEGx_M
The Segment access mode determines under which Once an EEPROM segment has been assigned its final
conditions EEPROM read or write is granted in access mode, this configuration may be protected against
Transponder mode. One out of 8 access modes may be alteration, by setting (OTP like) the configuration bit Protect
selected; see Table 1. Write Mode (PWMx_). Anyway, the segment mode
configuration may still be read.

However, since Segment Mode and OTP like nature of the

configuration bit Protect Write Mode become effective after
a device reset (LF Reset or SOFT_RESET command) only
read after write operation can be applied, to verify proper
programming. Hence, the risk of rendering a device useless
due to programming errors is minimized.

Device Configuration, DCFG

DCFG page, which is located in physical page 127 of the
EEPROM contains device configuration information, which
is locked against overwriting during manufacturing

2013 Oct 10 12 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

8 FUNCTIONAL DESCRIPTION device need to successfully pass the AUTHORIZED state

prior to entering XMA state.
8.1 State Diagram
Configuration of the extended memory access features
Transponder operation is controlled by commands issued requires entering the XMA_CFG state.
from the base station; see Figure 13.
In general, any violation of the command sequence coding
After a LF Field Power-On Reset condition or a or command timing causes an error condition, upon which
SOFT_RESET, the transponder function is initialized by the device enters the WAIT state. In such an event the
reading the corresponding configuration pages and finally device will not read the corresponding configuration pages
enters the WAIT state. Subsequent commands may be again, instead will continue to operate according to the
issued to authenticate the device, access the Transponder configuration that was read upon the most recent LF Field
Memory or the Extended User Memory or to configure and Power-On Reset or SOFT_RESET.
re-initialize the device.
If desired, the transponder may be forced to update its
Device authentication is interrogated by means of a initialization by issuing a SOFT_RESET command, which
START_AUTH command. After successful completion of causes reading the corresponding configuration pages
the authentication sequence the device enters again, allowing configuration changes to become effective.
AUTHORIZED state and grants access to the Transponder Subsequently the device enters WAIT state.
Memory. Device authentication is based on the HT2
Security Algorithm utilizing a 48 bit Secret Key. The device features a dedicated TEST state for use during
device manufacturing, allowing EEPROM integrity test
To utilize the Extended Memory Access feature, the XMA under special operation conditions.
state has to be entered. Plain and cipher access of
EEPROM data is supported. In case of cipher access the

LF Field Power On Reset

or
SOFT_RESET

INIT TEST
TEST
error

WRITE_CFG_S
WRITE_CFG_M
XMA_CFG
WAIT XMA_CFG READ_CFG
REFRESH
REFRESH

START_AUTH XMA_WAIT
XMA
READ_PAGE READ_PAGE
XMA
READ_PAGE_INV WRITE_PAGE
AUTHORIZED XMA
WRITE_PAGE SEL_BLOCK
REFRESH REFRESH

Figure 13. Transponder State Diagram

been read from the corresponding EEPROM locations, the

device automatically proceeds to the WAIT state. In INIT
INIT State state the configuration bits of the four XMACFG pages are
The INIT state is an intermediate state that is entered to read to RAM and the ISK (page 1 and page 2) as well as
initialize the transponder. Once all configuration data has the data of page 3 is loaded to the RAM as well, to have

2013 Oct 10 13 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

defined access conditions for the entire transponder Table 3. Command Set in AUTHORIZED State
session.
NAME COMMAND, CMD Note
The INIT state is entered upon a LF Field Power-On Reset
CM4 CM3 CM2 CM1 CM0
(POR) condition or a SOFT_RESET only. Consequently
only POR or SOFT_RESET command lead to a re- READ_PAGE 1 1 pg2 pg1 pg0
initialization of the transponder session. In case of an error, READ_PAGE_INV 0 1 pg2 pg1 pg0
the transponder state is changed back and the last valid
WRITE_PAGE 1 0 pg2 pg1 pg0
transponder configuration is kept in RAM. For more
XMA 0 0 seg2 seg1 seg0 1
information refer to the related application note (see
references, chapter 13). SOFT_RESET 1 2

REFRESH 0 2
WAIT State
Note
In WAIT state, general memory accessed is denied.
Commands may be issued for communication refresh or to 1. By default the first block within the designated segment
is subject to subsequent Read/Write operations, unless
update the transponder initialization or to enter the XMA
a different Block is being selected, see XMA state.
state or to trigger device authentication and entering the
2. The command comprises of a single bit and is NOT
AUTHORIZED state, see Figure 13. encrypted (no need to involve the cipher bit generator).
Table 2. Command Set in WAIT State Any read respectively write attempt to a page that is read
respectively write protected by the corresponding bit in the
NAME COMMAND, CMD Note
configuration page, causes the device to terminate the
CM4 CM3 CM2 CM1 CM0 AUTHORIZED state and to enter WAIT state.
START_AUTH 1 1 0 0 0
To terminate the AUTHORIZED state a SOFT_RESET
XMA_CFG 1 0 1 0 0 command may be issued or a transponder LF Field Power-
XMA_WAIT 0 0 seg2 seg1 seg0 1 On Reset condition may be generated.
TEST 0 1 1 1 1
XMA State
REFRESH 0 2
The XMA state provides extended memory access
SOFT_RESET 1 2
features, by means of read and write commands. The
Note EEPROM may be split into eight segments that may hold
up to eight Blocks each comprising of eight pages. Plain
1. By default the first block within the designated segment
is subject to subsequent Read/Write operations, unless and cipher access of EEPROM segments is supported in
a different Block is being selected, see XMA state. accordance with the Extended Memory Access
2. The command comprises of a single bit and is NOT Configuration, XMACFG, selected.
encrypted (no need to involve the cipher bit generator).
If the XMA state is entered from WAIT state, only EEPROM
segments designated for plain access are accessible and
AUTHORIZED State
any communication with the device employs plain
The AUTHORIZED state is entered only after successful transmission of commands and data.
device authentication; see START_AUTH command.
Communication with the device employs either ciphered or Otherwise, if the XMA state is entered from AUTHORIZED
plain transmission of commands and data, depending on state, EEPROM segments designated for ciphered access
the device configuration (CIPHER/PASSWORD mode). as well as for plain access are accessible. In this case
communication with the device employs ciphered
In AUTHORIZED state access to the Transponder Memory, transmission of commands and data in any case.
TM, is granted, by means of read and write commands.
The Transponder Memory is accessed page wise in Upon entry of the XMA state the desired segment is
accordance with the memory protection selected. selected and may be changed any time subsequently.
Since a segment may comprise of multiple memory blocks,
The available command set is given inTable 3. the designated block need to be selected prior to reading or
writing. Upon entry of the XMA state or the segment
selection is changed, the first block within a segment is
selected by default.

2013 Oct 10 14 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

The available command set is given in Table 4. The available command set is given in Table 5.

Table 4, Command Set in XMA State Table 5. Command Set in XMA CFG State

NAME COMMAND, CMD Note NAME COMMAND, CMD Note

CM4 CM3 CM2 CM1 CM0 CM4 CM3 CM2 CM1 CM0

READ_PAGE 1 1 pg2 pg1 pg0 READ_CFG 0 1 seg2 seg1 seg0

WRITE_PAGE 1 0 pg2 pg1 pg0 WRITE_CFG_M 1 0 seg2 seg1 seg0

SEL_BLOCK 0 1 blk2 blk1 blk0 WRITE_CFG_S 1 1 seg2 seg1 seg0
XMA 0 0 seg2 seg1 seg0 1 SOFT_RESET 1 1
SOFT_RESET 1 2 REFRESH 0 1
REFRESH 0 2
Note
Note 1. The command comprises of a single bit and is NOT
encrypted (no need to involve the cipher bit generator).
1. By default the first block within the designated segment
is subject to subsequent Read/Write operations, unless Any attempt to write a configuration that is write protected
a different Block is being selected by the SEL_BLOCK by the corresponding configuration bit, causes the device to
command.
terminate the XMA_CFG state and to enter WAIT state.
2. The command comprises of a single bit and is NOT
encrypted (no need to involve the cipher bit generator).
TEST State
Any read respectively write attempt that fails, because the
The TEST state provides access to test features, by means
corresponding page configuration, causes the device to
of dedicated test commands. The test features provided do
terminate the XMA state and to enter WAIT.
not alter the content of the EEPROM, hence is quasi
To terminate the XMA state a SOFT_RESET command transparent for the application.
may be issued or a transponder LF Field Power-On Reset
To terminate the TEST state a SOFT_RESET command
condition may be generated.
has to be issued or a transponder LF Field Power-On
Reset condition has be generated.
XMA CFG State
In XMA_CFG state configuration of the Extended Memory While the device resides in TEST state different operation
Access is feasible. conditions are applicable, than specified under section 11.
For example the minimum flux density is higher, hence the
Communication with the device employs plain transmission applied LF Field has to be stronger.
of commands and configuration data. Reading and writing
target the Extended Memory Access Configuration,
XMACFG, in Block 15 of the EEPROM only.

2013 Oct 10 15 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

8.2 Transponder Command Set of the applicable commands in alphabetic order. Command
Device operation is controlled by commands issued from operation and acceptance depend on the actual device
the base station. Table 6 gives a comprehensive summary state in which the command is being issued and on the
device configuration selected, see also section 8.

Table 6. Command Set Summary

NAME DESCRIPTION APPLICABLE Note

STATE

READ_CFG Reads the corresponding configuration data for the designated EEPROM segment. XMA_CFG

Reads 32 bit from the designated memory page, if not restricted by the corresponding AUTHORIZED
READ_PAGE
memory protection flags or by specification XMA

Reads 32 bit from the designated memory page, if not restricted by the corresponding
READ_PAGE_INV memory protection flags or by specification. The content of the page is returned in inverse AUTHORIZED
polarity.

AUTHORIZED
REFRESH Initialize LF demodulator XMA
XMA_CFG

SEL_BLOCK Selects the memory Block subject to subsequent Read/Write commands. XMA

WAIT
SOFT_RESET Force device to enter INIT state AUTHORIZED
XMA
XMA_CFG

START_AUTH Starts the device authentication sequence WAIT

TEST Forces the device to enter the TEST state WAIT

Writes the corresponding configuration data for the designated EEPROM segment, if not
WRITE_CFG_M XMA_CFG
restricted by the corresponding protection bits.

Writes the corresponding configuration data for the designated EEPROM segment, if not
WRITE_CFG_S XMA_CFG
restricted by the corresponding protection bits.

Writes 32 bit to the designated memory page, if not restricted by the corresponding memory AUTHORIZED
WRITE_PAGE
protection flags or by specification XMA

Forces the device to enter the XMA state from AUTHORIZED state and returns the XMA
configuration for the selected segment. AUTHORIZED
XMA
XMA
If the command XMA is issued in XMA state, another memory segment may be selected.

XMA_CFG Forces the device to enter the XMA_CFG state WAIT

Forces the device to enter the XMA state from WAIT state and returns the XMA
XMA_WAIT WAIT
configuration for the selected segment.

2013 Oct 10 16 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

8.2.1 Command Description Some operations require additional parameter to be send to

The general form of a control sequence consists of the and/or to be received from the device, e.g. WRITE_PAGE
command sequence send to the transponder and an or START_AUTH.
Equalizer pattern (EQ) and Response received from the For proper operation, command execution by the device
transponder. The general control sequence timing is shown must not be suspended for more than the specified Idle
in Figure 14. time (tIDLE), see Figure 15. Otherwise the device may stop
When switching from SEND to RECEIVE and vice versa, command decoding, disabling any communication with the
the base station and control software have to consider the device. In this case, a LF Field Power-On Reset has to be
indicated delays (tWAIT,Tr and tWAIT,Bs), during which the base applied, in order to reset and initialize the circuitry, see
station must not transmit any data or commands. section 8.5. Consequently, the device resumes WAIT state.
As indicated, the Idle time is specified as the time interval
Depending on the command, the Command Sequence between the last bit received from the transponder and the
consists of a minimum of 5 bit respectively 10 bit. For data last bit of the Command Sequence send to the
integrity reasons memory read and write commands have transponder. Some commands allow repeating the
to be transmitted in normal coding and in inverted coding command several times for data integrity reasons,
before being accepted by the device, which yields a however, in any case the limitations imposed by the Idle
minimum Command Sequence of 10 bit. time have to be considered.
The Equalizer, EQ, consist of a 5 bit pattern (all ones) for The Idle time applies also for the very first command send
base station settling and software synchronization to the device after a device LF Field Power-On Reset
purposes. The device response consists of a command condition, see also section 8.5.
acknowledgment and/or the requested data.

SEND to Command Sequence Parameter

Transponder

RECEIVED from EQ Response EQ Parameter

Transponder

tWAIT,Tr tWAIT,Bs tWAIT,Tr

Figure 14. General control sequence timing

SEND to Command Sequence

Transponder

RECEIVED from Response / Parameter

Transponder
tIDLE
tWAIT,Tr

Figure 15. Command Idle Time

2013 Oct 10 17 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

READ_CFG
The command READ_CFG returns the configuration of the
designated EEPROM segment. The segment configuration
designated for reading is specified by the command bits
seg2 to seg0. For data integrity reasons the 5 bit command
and its complement have to be send, before it will be
accepted by the device, see Figure 16. If accepted, the
command Response consist of the 16 bit representing the
segment size (SEGx_S) and segment mode (SEGx_M), as
stored in the extended memory access configuration,
XMACFG; see section 0 (including protection bit settings,
referenced by ‘px’). The MSB is send first.

The 10 bit command sequence may be repeated several

times, if desired, to increase the data integrity level. In the
case that one of the 5 bit commands and its complement
do not match, an error condition occurs that causes the
device to terminate the command and to enter the WAIT
state. No command Response will be send by the device in
this case.

Subsequent commands may be issued after termination of

tWAIT,Bs.

READ_CFG

SEND to 0 1, seg2, seg1, seg0 1 0, seg2, seg1, seg0

Transponder CM[4:0] CM[4:0]
Equalizer Segment Mode Segment Size
RECEIVED from
Transponder EQ / EQM px 0 0 0 0 , m2 , m1, m0 px 0 0 0, s3, s2, s1 , s0

tWAIT,Tr tWAIT,Bs

Figure 16. READ_CFG timing

2013 Oct 10 18 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

REFRESH SEL_BLOCK
The command REFRESH serves to refresh the LF The SEL_BLOCK command selects the memory block
interface operating condition enabling to prolong the within the current segment that is subject to a subsequent
command IDLE time. The command comprises of a single read or write operation. The designated block is specified
bit and does not affect the current cipher state at all. Hence by the command bits blk2 to blk0. For data integrity
is fully transparent. This command does not feature any reasons the 5 bit command and its complement have to be
command Response, see Figure 17. send, before it will be accepted by the device,
see Figure 18. If accepted, the command Response consist
The REFRESH command may be applied anytime between
of the command itself, and the corresponding complement.
completely executed commands. Consequently, an
The MSB is send first.
interrupt of a command in progress (e.g. for
START_AUTHENT command immediately after IDE The 10 bit command sequence may be repeated several
transmission) by REFRESH is not allowed and leads to an times, if desired, to increase the data integrity level. In the
error condition. case that one of the 5 bit commands and its complement
do not match, an error condition occurs that causes the
Subsequent commands may be issued after termination of
device to terminate the command and to enter the WAIT
tWAIT,Bs.
state. No command Response will be send by the device in
this case.

If the block addressed by the SEL_BLOCK command is not

available in the currently selected segment, the command
is terminated and the WAIT state is entered.

Subsequent commands may be issued after termination of

tWAIT,Bs.

REFRESH

SEND to 0
Transponder
CM

RECEIVED from
Transponder

tWAIT,Bs

Figure 17. REFRESH timing

SEL_BLOCK

SEND to 0 1, blk2, blk1, blk0 1 0, blk2, blk1, blk0

Transponder
CM[4:0] CM[4:0]
Equalizer
RECEIVED from
EQ / EQM 0 1, blk2, blk1, blk0 1 0, blk2, blk1, blk0
Transponder
CM[4:0] CM[4:0]
tWAIT,Tr tWAIT,Bs

Figure 18. SEL_BLOCK timing

2013 Oct 10 19 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

SOFT_RESET
The command SOFT_RESET serves to reset the
transponder state machine forcing it into the INIT state,
which causes reading the corresponding configuration
pages again, allowing configuration changes to become
effective. Subsequently the device enters WAIT state. In
addition the LF interface operating condition are refreshed
prolonging the command IDLE time. The command
comprises of a single bit. This command does not feature
any command Response, see Figure 19.

Subsequent commands may be issued after termination of

tWAIT,Bs.

SOFT_RE SET

SEND to 1
Transponder CM

RECEIVED from
Transponder

tINI STATE_SR

Figure 19. SOFT_RESET timing

2013 Oct 10 20 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

READ_PAGE READ_PAGE_INV
The command READ_PAGE returns the content of the The command READ_PAGE_INV returns the complement
designated page. The page designated for reading is of the content of the designated page. The page
specified by the command bits pg2 to pg0. For data designated for reading is specified by the command bits
integrity reasons the 5 bit command and its complement pg2 to pg0. For data integrity reasons the 5 bit command
have to be send, before it will be accepted by the device, and its complement have to be send, before it will be
see Figure 20. If accepted, the command Response consist accepted by the device, see Figure 21. If accepted, the
of the 32 bit content of the designated page. The MSB is command Response consist of the complement of the
send first. 32 bit content. The MSB is send first.

The 10 bit command sequence may be repeated several The 10 bit command sequence may be repeated several
times, if desired, to increase the data integrity level. In the times, if desired, to increase the data integrity level. In the
case that one of the 5 bit commands and its complement case that one of the 5 bit commands and its complement
do not match, an error condition occurs that causes the do not match, an error condition occurs that causes the
device to terminate the command and to enter the WAIT device to terminate the command and to enter the WAIT
state. No command Response will be send by the device in state. No command Response will be send by the device in
this case. this case.

Subsequent commands may be issued after termination of Subsequent commands may be issued after termination of
tWAIT,Bs. tWAIT,Bs.

Any attempt to read a page that is protected against Any attempt to read a page that is protected against
reading, will be detected and cause an error condition, reading, will be detected and cause an error condition,
upon which the device terminates the command during upon which the device terminates the command during
tWAIT,Tr and enters the WAIT state. No Response will be tWAIT,Tr and enters the WAIT state. No Response will be
send in this case. send in this case.

READ_PAGE

SEND to 1 1, pg2, pg1, pg0 0 0, pg2, pg1, pg0

Transponder CM[4:0] CM[4:0]
Equalizer Data
RECEIVED from
EQ / EQM bit 31 ..................... bit 0
Transponder

tWAIT,Tr tWAIT,Bs

Figure 20. READ_PAGE timing

READ_PAGE_INV

SEND to 0 1, pg2, pg1, pg0 1 0, pg2, pg1, pg0

Transponder CM[4:0] CM[4:0]
Equalizer Data
RECEIVED from
EQ / EQM bit 31 ..................... bit 0
Transponder

tWAIT,Tr tWAIT,Bs

Figure 21. READ_PAGE_INV timing

2013 Oct 10 21 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

START_AUTH (Password Mode) In case the authentication process fails, an error condition
If configured for Password mode, START_AUTH triggers occurs that causes the device to terminate the command
the mutual device authentication sequence. If completed and to enter WAIT state. No further Response will be sent
successfully, the device enters AUTHORIZED state and by the device in this case.
subsequently supports plain read and write access of the Subsequent commands may be issued after termination of
Transponder Memory, TM. Device authentication employs the final tWAIT,Bs.
the Password Base station, PSW B, and Password
For proper command execution, the interrogating system
Transponder, PSW T, see Figure 22.
has to identify itself towards the device within the specified
After acceptance of the 5 bit command sequence, the initial IDLE time, otherwise the device may generate a power-on
device Response consist of the 32 bit Identifier (IDE) that is reset condition, upon which the circuitry would be reset and
stored in the Transponder Memory. Subsequently, the the transponder initialized, causing the device to enter the
interrogating system (e.g. base station) has to identify itself WAIT state.
towards the device, by issuing the matching 32 bit
Password Base station, PSW B. The device verifies the
Password received with the one stores in the page 1. If
identical, the final device Response consist of the content
of page 3 that contains the Transponder and Memory
configuration (TMCF) and device Password Transponder
(PSW T). The MSB is send first.

START_AUTH Page 1

SEND to 11000 bit 31 ..............bit 0

Transponder CM[4:0]
Equalizer IDE
RECEIVED from
EQ / EQM bit 31 ..............bit 0
Transponder

tWAIT,Tr tWAIT,Bs
tIDLE

SEND to
Transponder

RECEIVED from Equalizer Page 3

Transponder EQ / EQM bit 31 ..............bit 0

tWAIT,Tr tWAIT,Bs

Figure 22. START_AUTH timing

2013 Oct 10 22 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

START_AUTH (Cipher Mode) In case the authentication process fails, an error condition
If configured for Cipher mode, START_AUTH triggers the occurs that causes the device to terminate the command
mutual device authentication sequence. If completed and to enter WAIT state. No further Response will be sent
successfully, the device enters AUTHORIZED state and by the device in this case.
subsequently supports ciphered read and write access of Subsequent commands may be issued after termination of
the Transponder Memory, TM. Device authentication the final tWAIT,Bs.
employs the Identifier, a Random Number, a ciphered
For proper command execution, the interrogating system
Signature and a ciphered device Response, see Figure 23.
has to identify itself towards the device within the specified
After acceptance of the 5 bit command sequence, the initial IDLE time, otherwise the device may generate a power-on
device Response consist of the 32 bit Identifier (IDE) that is reset condition, upon which the circuitry would be reset and
stored in the Transponder Memory. Subsequently, the the transponder initialized, causing the device to enter the
interrogating system (e.g. base station) has to identify itself WAIT state.
towards the device, by issuing a 32 bit Random Number
The Security Algorithm details, involved in the process of
and a matching 32 bit ciphered Signature. The device
mutual device authentication, are specified in a separate
verifies the authenticity of the ciphered Signature received,
Application Note. Please contact your NXP Semiconductors
by means of the Calculation Unit, involving the Secret Key
representative for more information.
(SK). If successful, the final device Response consist of the
ciphered content of page 3 that contains the Transponder
and Memory configuration (TMCF) and device Password
Transponder (PSW T). The MSB is send first.

START_AUTH Random Number [Signature]CIPHER

SEND to 11000 bit 31 ..............bit 0 bit 31 ..............bit 0

Transponder CM[4:0]
Equlaizer IDE
RECEIVED from
EQ / EQM bit 31 ..............bit 0
Transponder

tWAIT,Tr tWAIT,Bs
tIDLE

SEND to
Transponder

Equalizer [Page 3 Block 0]CIPHER

RECEIVED from
Transponder EQ / EQM bit 31 ..............bit 0

tWAIT,Tr tWAIT,Bs

Figure 23. START_AUTH timing

2013 Oct 10 23 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

WRITE_CFG_M In the case the write operation did not complete

The command WRITE_CFG_SM writes configuration data successfully, the designated EEPROM page may hold an
affecting the access mode of the designated segment to undefined content or may suffer from a weak programming.
the corresponding EEPORM location. The segment In order to unambiguously verify, whether configuration of
designated for configuration is specified by the command the designated segment completed properly, the base
bits seg2 to pg0. For data integrity reasons the 5 bit station has to identify, if the device still resides in
command and its complement have to be send, before it XMA_CFG state or entered WAIT state. Thus, a
will be accepted by the device, see Figure 24. If accepted, READ_CFG command should be issued subsequently and
the command Response consist of the command itself, and monitored, if this command executes properly.
the corresponding complement.
If the device still resides in XMA_CFG state, command
The 10 bit command sequence may be repeated several execution would complete successfully and after verifying
times, if desired, to increase the data integrity level. In the the data that has been read, proper operation of the
case that one of the 5 bit commands and its complement corresponding WRITE_CFG_S command can be assumed.
do not match, an error condition occurs that causes the
Subsequent commands may be issued after termination of
device to terminate the command and to enter the WAIT
the final tWAIT,Bs.
state. No command Response will be send by the device in
this case nor does the designated configuration being Any attempt to write a configuration that is protected
altered. against overwriting cause an error condition, upon which
the device terminates the command during tWAIT,Tr and
After termination of tPROG the device checks, if the
enters the WAIT state. No Response will be send in this
EEPROM write operation completed successfully, if not, an
case.
error condition occurs that causes the device to enter the
WAIT state.

WRITE_CFG_M

SEND to 1 0, seg2, seg1, seg0 0 1, seg2, seg1, seg0

Transponder
CM[4:0] CM[4:0]
Equalizer
RECEIVED from
EQ / EQM 1 0, seg2, seg1, seg0 0 1, seg2, seg1, seg0
Transponder
CM[4:0] CM[4:0]
tWAIT,Tr

SEND to
px 0 0 0 0, m2, m1, m0
Transponder
Segment Mode
RECEIVED from
Transponder

tWAIT,Bs tPROG

tIDLE tWAIT,Bs

Figure 24. WRITE_CFG_M timing

2013 Oct 10 24 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

WRITE_CFG_S In the case the write operation did not complete

The command WRITE_CFG_S writes configuration data successfully, the designated EEPROM page may hold an
affecting the size of the designated segment to the undefined content or may suffer from a weak programming.
corresponding EEPORM location. The segment designated In order to unambiguously verify, whether configuration of
for configuration is specified by the command bits seg2 to the designated segment completed properly, the base
pg0. For data integrity reasons the 5 bit command and its station has to identify, if the device still resides in
complement have to be send, before it will be accepted by XMA_CFG state or entered WAIT state. Thus, a
the device, see Figure 25. If accepted, the command READ_CFG command should be issued subsequently and
Response consist of the command itself, and the monitored, if this command executes properly.
corresponding complement.
If the device still resides in XMA_CFG state, command
The 10 bit command sequence may be repeated several execution would complete successfully and after verifying
times, if desired, to increase the data integrity level. In the the data that has been read, proper operation of the
case that one of the 5 bit commands and its complement corresponding WRITE_CFG_S command can be assumed.
do not match, an error condition occurs that causes the
Subsequent commands may be issued after termination of
device to terminate the command and to enter the WAIT
the final tWAIT,Bs.
state. No command Response will be send by the device in
this case nor does the designated configuration being Any attempt to write a configuration that is protected
altered. against overwriting cause an error condition, upon which
the device terminates the command during tWAIT,Tr and
After termination of tPROG the device checks, if the
enters the WAIT state. No Response will be send in this
EEPROM write operation completed successfully, if not, an
case.
error condition occurs that causes the device to enter the
WAIT state.

WRITE_CFG_S

SEND to 1 1, seg2, seg1, seg0 0 0, seg2, seg1, seg0

Transponder
CM[4:0] CM[4:0]
Equalizer
RECEIVED from
EQ / EQM 1 1, seg2, seg1, seg0 0 0, seg2, seg1, seg0
Transponder
CM[4:0] CM[4:0]
tWAIT,Tr

SEND to
px 0 0 0, s3, s2, s1, s0
Transponder
Segment Size
RECEIVED from
Transponder

tWAIT,Bs tPROG

tIDLE tWAIT,Bs

Figure 25. WRITE_CFG_S timing

2013 Oct 10 25 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

WRITE_PAGE READ_PAGE_INV command should be issued

The command WRITE_PAGE writes the data supplied with subsequently and monitored, if this command executes
this command into the designated page. The page properly.
designated for writing is specified by the command bits pg2 If the device still resides in CIPHER state, command
to pg0. For data integrity reasons the 5 bit command and execution would complete successfully and after verifying
its complement have to be send, before it will be accepted the data that has been read, proper operation of the
by the device, see Figure 26. If accepted, the command corresponding WRITE_PAGE command can be assumed.
Response consist of the command itself, and the
Subsequent commands may be issued after termination of
corresponding complement.
the final tWAIT,Bs.
The 10 bit command sequence may be repeated several
Any attempt to write a page that is protected against
times, if desired, to increase the data integrity level. In the
overwriting will be detected and cause an error condition,
case that one of the 5 bit commands and its complement
upon which the device terminates the command during
do not match, an error condition occurs that causes the
tWAIT,Tr and enters the WAIT state. No Response will be
device to terminate the command and to enter the WAIT
send in this case.
state. No command Response will be send by the device in
this case nor does the designated page being overwritten. If the device operates in CIPHER state, a WRITE_PAGE
for page 0 equals the command coding of RESYNC and
After termination of tPROG the device checks, if the
will be executed like a RESYNC command.
EEPROM write operation completed successfully, if not, an
error condition occurs that causes the device to enter the
WAIT state.

In the case the write operation did not complete

successfully, the designated EEPROM page may hold an
undefined content or may suffer from a weak programming.

In order to unambiguously verify, whether programming of

the designated page completed properly, the base station
has to identify, if the device still resides in CIPHER state or
entered WAIT state. Thus, a READ_PAGE or

WRITE_PAGE
SEND to 1 0, pg2, pg1, pg0 0 1, pg2, pg1, pg0
Transponder
CM[4:0] CM[4:0]
RECEIVED from Equalizer
Transponder EQ / EQM 1 0, pg2, pg1, pg0 0 1, pg2, pg1, pg0

CM[4:0] CM[4:0]
tWAIT,Tr

Data
SEND to bit 31 ..............bit 0
Transponder

RECEIVED from
Transponder

tWAIT,Bs tPROG

tIDLE tWAIT,Bs

Figure 26. WRITE_PAGE timing

2013 Oct 10 26 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

XMA XMA_CFG
The command XMA may be issued in AUTHORIZED state The command XMA_CFG may be issued in WAIT state
or XMA state and forces the device to enter the XMA state, and forces the device to enter the XMA_CFG state.
selecting the corresponding Segment and initializing the
To be able to distinguish commands applicable in WAIT
Block Pointer to a value of zero, addressing the first block
state (like XMA_CFG) from commands allowed in other
within the designated segment. For data integrity reasons
states, this 5 bit command (instead of 10 bits) has to be
the 5 bit command and its complement have to be send,
send, before it will be accepted by the device,
before it will be accepted by the device, see Figure 27. The
see Figure 28. If accepted, the command Response consist
command Response consist of the 16 bit representing the
of the command itself, and the corresponding complement.
actual configuration (Size and Access Mode) of the
activated segment. The MSB is send first. In the case that this command is not accepted an error
condition occurs that causes the device to terminate the
The 10 bit command sequence may be repeated several
command and to enter the WAIT state again. No command
times, if desired, to increase the data integrity level. In the
Response will be send by the device in this case.
case that one of the 5 bit commands and its complement
do not match, an error condition occurs that causes the Subsequent commands may be issued after termination of
device to terminate the command and to enter the WAIT tWAIT,Bs.
state. No command Response will be send by the device in
this case.

By calling the XMA command in XMA state, another

Segment may be selected for subsequent read or write
access.

In case the selected segment is undefined by the current

XMACFG setting (size of the segment is zero), no
response is transmitted by the transponder and the WAIT
state is entered. However if the segment is existent, the
response is transmitted in any case (even if the any read or
write access is denied).

Subsequent commands may be issued after termination of

tWAIT,Bs.

XMA

SEND to 0 0, seg2, seg1, seg0 1 1, seg2, seg1, seg0

Tra nsponder CM[4:0] CM[4:0]
Equalizer Segment Mode Segment Size
RECEIVED from
Tra nsponder EQ / EQM px 0 0 0 0 , m2 , m1, m0 px 0 0 0, s3, s2, s1 , s0

tWAIT,Tr tWAIT,Bs

Figure 27. XMA timing

XMA_CFG
SEND to 10100
Tra nsponder
CM[4:0]
Equalizer
RECEIVED from
Tra nsponder EQ / EQM 10100 01011

CM[4:0] CM[4:0]
tWAIT,Tr tWAIT,Bs

Figure 28. XMA_CFG timing

2013 Oct 10 27 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

XMA_WAIT TEST
The command XMA_WAIT may be issued in WAIT state The command TEST may be issued in WAIT state and
only and forces the device to enter the XMA state, selecting forces the device to enter the TEST state, allowing
the corresponding Segment and initializing the Block execution of subsequent test commands for test purposes
Pointer to a value of zero, addressing the first block within
If the TEST command is accepted, the device enters the
the designated segment. To be able to distinguish
TEST state and acknowledges the state change by
commands applicable in WAIT state (like XMA_WAIT) from
returning the command code and its complement.
commands allowed in other states, this 5 bit command
(instead of 10 bits) has to be send, before it will be Subsequent commands may be issued after termination of
accepted by the device, see Figure 29. No command tWAIT,Bs.
repetitions are allowed, and therefore only 5 bits are
If the command is not accepted, the device terminates the
accepted. The command Response consist of the 16 bit
command during tWAIT,Tr and enters the WAIT state. No
representing the actual configuration (Size and Access
response will be send in this case.
Mode) of the activated segment. The MSB is send first.

In case the selected segment is undefined by the current

XMACFG setting (size of the segment is zero), no
response is transmitted by the transponder and the WAIT
state is entered.

However if the segment is existent, the response is

transmitted in any case (even if the any read or write
access is denied).

Subsequent commands may be issued after termination of

tWAIT,Bs.

XMA_WAIT
SEND to 0 0, seg2, seg1, seg0
Tra nsponder
CM[4:0]
Equalizer Segment Mode Segment Size
RECEIVED from
Tra nsponder EQ / EQM px 0 0 0 0 , m2 , m1, m0 px 0 0 0, s3, s2, s1 , s0

tWAIT,Tr tWAIT,Bs

Figure 29. XMA_WAIT timing

TEST
SEND to 01111
Transponder
CM[4:0]
Equalizer
RECEIVED from
Transponder EQ/ EQM 01111 10000

tWAIT,Tr CM[4:0] CM[4:0] tWAIT,Bs

Figure 30 TEST command timing

2013 Oct 10 28 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

8.3 Calculation Unit Mutual authentication of the Security Transponder in Cipher

The PCF7937EA incorporates a Calculation Unit for use mode is triggered by means of the START_AUTH
during mutual device authentication, command operation command, see also section 8.2. As a result, the device
and EEPROM data exchange, if the device is configured reveals its Identifier to the interrogating system (base
for Cipher mode. The security algorithm involves a quasi station) and subsequently the interrogating system has to
random 32 bit Identifier, a 48 bit Secret Key and a 32 bit send a 32 bit Random Number and a ciphered Signature to
Random Number. the device. Both are processed by the Calculation Unit,
involving the Secret Key (SK) and Identifier (IDE), in order
The Identifier and the Secret Key are stored in the to authenticate the interrogating system. If successful, the
Transponder Memory, TM. The Identifier (IDE) is a factory device replies with a ciphered response for validation by
programmed quasi unique pattern, while the Secret Key is the interrogating system.
initialized and subsequently locked by the customer during
device personalization. Details concerning the security algorithm implementation
are specified in a separate Application Note. Please contact
your local NXP Semiconductors representative for more
information.

2013 Oct 10 29 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

8.4 Transponder Data Transmission Format setting of the Immobilizer Configuration bit DCS, which is
Reading from and writing to the device is accomplished by part of the Transponder and Memory Configuration bits,
modulating the LF field in amplitude. Since the LF field also TMCF, see also section 7.1.5.
provides the device power supply, the modulation In case of Manchester encoding, a logic ‘1’ is modulated by
characteristics have to be verified carefully, in order to loading the LF field during the first half of the bit frame,
avoid a device reset due to a power low condition. while no load is applied during the second half. A logic ‘0’ is
modulated in the opposite manner.
8.4.1 Read Direction
In case of CDP encoding, a logic ‘1’ corresponds to a state
Transmission of data from the transponder to the base change at the end of the bit frame. A logic ‘0’ corresponds
station is accomplished by absorption modulation applied to to a state change after the first half and at the end of the bit
the LF field. According to the data designated for frame.
transmission, the transponder interface activates an
additional load that modulates the current drawn from the In any case, the device starts with a „Load ON“ condition,
transponder resonant circuit. Due to the inductive coupling when data transmission commences.
of the transponder resonant circuit and the base station The bit duration is a fixed multiple of the system clock
coil, the current in the base station coil is modulated recovered from the LF field carrier.
accordingly, resulting in a corresponding two-level
amplitude modulation, see Figure 31. After reception of the last bit, the base station and control
software have to consider the indicated delay, tWAIT,Bs,
In read direction the device employs either Manchester or before any command or data is transmitted to the device,
CDP encoding of data, see Figure 32, according to the see also section 8.2.1.

VLF-LOW VLF-HIGH
Load ON Load OFF

Figure 31. LF Field Absorption Modulation

Start of transmission End of transmission tWAIT,Bs

Last
Internal Data '1' '1' ... '0' '1' '0' '0' '1' '0' Bit LF field:
Load OFF
Manchester
Encoding Load ON

Load OFF
CDP
Encoding Load ON

TBIT 0.5 x TBIT

Figure 32. Data Transmission in Read Direction

2013 Oct 10 30 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

8.4.2 Write Direction corresponding repetition time (TLOG_0 respectively TLOG_1) of

Transmission of data from the base station to the the write pulse sequence.
transponder is accomplished by Amplitude Shift Keying The end of the transmitted bit string is marked by a stop
(ASK) of the LF field with a modulation index as specified. condition. A stop condition is detected by the transponder,
According to the data designated for transmission, the base if no write pulse is detected for the specified time (TSTOP).
station coil driver is simply switched ON and OFF (tri-state)
In the case the bit string transmitted causes the device to
typically. Due to the inductive coupling of the transponder
respond with data, modulation of the LF field by the device
resonant circuit and the base station coil, the voltage of the
does commence after the specified time out (tWAIT,Tr), see
transponder resonant circuit is modulated accordingly.
also section 8.2.1.
Resulting in a two-level amplitude modulation that is
detected by the transponder interface demodulator circuitry, Violation of the specified timing causes an error condition,
see Figure 33. upon which the device enters the WAIT state, see also
section 8.1.
The PCF7937EA transponder demodulator circuitry has
been optimized for base stations with antenna coil drivers
that perform the LF field modulation by Tri-State switching
of the driver stage.

In write direction Binary Pulse Length Modulation (BPLM) is

applied for data encoding, see Figure 34.

Sending data or commands to the device commences with

an initial write pulse that marks transmission start. A logic
‘0’ or ‘1’ is signaled to the transponder by the

VLF-HIGH
Coil

VLF-LOW
Coil

Figure 33. ASK Modulation of LF Field by the Base station

Start of transmission End of transmission tWAIT,Tr

Internal Data '1' '1' '0' Last Stop

... LF field:
Bit Condition
High
BPLM
Encoding Low

TWRP

TLOG_1 TLOG_0
TSTOP

Figure 34. Data Transmission in Write Direction

2013 Oct 10 31 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

8.5 LF Field Power On Reset LF Field Power-On Reset has to be applied, in order to
When the transponder enters a LF field a rectifier circuitry reset and initialize the circuitry. Consequently, the device
becomes operational and the internal transponder supply would resume WAIT state. As indicated, the Idle time is
voltage (VDD) develops. As soon as the supply voltage specified as the time interval following the initialization
exceeds the LF Field Power-On Reset threshold voltage sequence until the last bit of the Command Sequence that
(VTHR) the device performs a chip reset and starts its is send to the transponder.
initialization sequence, see Figure 35. In order to force a LF Field Power-On Reset and proper
Subsequently, the transponder is muted and does not device initialization at any time, the LF field OFF condition
respond to any command prior to termination of the must be applied for at least tRESET,SETUP, in order to ensure
initialization sequence, tBoot. The startup time, tSTART, that the internal device supply voltage, VDD, drops below
depends on the base station configuration, the resonance the threshold voltage (VTHR), see Figure 36.
circuit properties and the system coupling factor, however,
is small compared with the initialization time typically.

For proper device operation, after a LF Filed Power-On

Reset condition, command execution must commence
within the specified Idle time, tIDLE, see Figure 35.
Otherwise the device may stop command decoding,
disabling any communication with the device. In this case a

VDD

VTHR LF field power on reset (POR)

threshold voltage

LF field applied tIDLE

Command Sequence t
tSTART tBoot

Figure 35. LF field power on reset timing

VDD

VTHR LF field power on reset (POR)

threshold voltage

LF field OFF

t
tRESET_SETUP

Figure 36. LF field power on reset setup timing

2013 Oct 10 32 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

9 EEPROM CONTENT AT DELIVERY Table 7. EEPROM Content Upon Delivery

The PCF7937EA EEPROM content is initialized during bit 31 bit 0
device manufacturing, according to Table 7. Content [HEX] Page Note
However, the EEPROM content may be changed as XX XX XX BX 0 1
desired by the application, except for the page 0 and page 4D 49 4B 52 1
127. Page 0 holds the device Identifier (IDE) and serves 00 00 4F 4E 2
the function of a serial number and product type ID, while
00 AA 48 54 3 2
page 127 holds device configuration dat
XX XX XX XX 4 to 119
00 00 00 00 120 to 123
XX XX XX XX 124
XX XX XX XX 125 to 126
X6 XX 80 00 127

Note
1. Bit 7 to 4 of the this page (Identifier) serve the function
of a product type (application) identifier and are set to
‘1011’ for the PCF7937EA.
2. Initially the device is configured for Password mode with
the Transport Key (Password Base station, PSW B, as
specified (page1) and a EQ pattern identical to the HT2
is selected. The customer as desired for the application
may change the configuration.
3. Locations marked ‘X’ are undefined and may hold any
pattern.
Consequently, the device is configured for Password Mode,
Manchester Coding and the extended memory access
disabled.

2013 Oct 10 33 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

10 LIMITING VALUES
All values are in accordance with Absolute Maximum Rating System (IEC 134)

PARAMETER MIN MAX UNIT

Operating temperature range -40 +85 °C
Storage temperature range -55 +125 °C
Magnetic flux density (resistance against magnetic pulses) 0.2 T
Vibration 10 g
- 10 - 2000Hz
- 3.axis
- IEC 68-2-6, Test Fc
Shock 1500 g
- 3.axis
- IEC 68-2-27, Test Ea
Mechanical stress (FMAX), Note 1 10 N

Note
1. FMAX is specified as indicated in Test Setup, section 12.

2013 Oct 10 34 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

11 DEVICE CHARACTERISTICS

11.1 Electrical Characteristics

Tamb = -40 to +85°C, fSYS = 125kHz, TO = 1/fSYS. Unless otherwise specified

SYMBOL PARAMETER CONDITION MIN TYP MAX UNIT
Operating Conditions
fRES Resonance frequency 120 130 kHz
BW Bandwidth 2.3 kHz
BTHR Magnetic flux density, 40 400 TPP
Read direction
BPRG Magnetic flux density, Note 1 m = 0,95, TWRP = 8 TO 40 400 TPP
For EEPROM programming
BAUT Magnetic flux density, Note 1 m = 0,95, TWRP = 8 TO 40 400 TPP
For device authentication
BREAD LF field absorption in read direction, Note 1 BFIELD = 35 TPP 4.5 TPP
MIPRG Minimum modulation index (m), Note 1 BFIELD = 35 TPP, TWRP = 8 TO 95 %
Write direction, device programming and
authentication
EEPROM
TRET Data retention time Tamb = 50°C 20 years
NWR-CYL Write endurance, page 1 to 7 100 k cycle

Note
1. Modulation index (m) and LF Field absorption (BREAD) are defined according to Figure 37.
2. Parameters are measured with the Scemtech test equipment STM-1 in a Helmholtz arrangement according to section 12.

BMAX - BMIN
m =
Transponder BMAX + BMIN
BMIN BMAX
LF Field
BREAD = BMAX - BMIN

Figure 37. Definition of modulation index (m) and LF field absorption (BREAD)

2013 Oct 10 35 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

11.2 Timing Characteristics

Tamb = -40 to +85°C, fSYS = 125kHz, TO = 1/fSYS. Unless otherwise specified

SYMBOL PARAMETER CONDITION MIN TYP MAX UNIT
Command Handling
tWAIT,Tr Transponder response delay 199 206 TO
tWAIT,Bs Base station response delay 96 TO
tPROG EEPROM erase/write time 438 615 TO
tIDLE Idle time 80 ms
tINITSTATE_SR Calculation time in INIT state after 790 TO
execution of SOFT_RESET
tBoot Calculation time in INIT state after LF Note 2 830 TO
reset
Data Transmission
TBIT Bit duration 32 TO
TWRP Write pulse width Note 1 4 10 TO
TLOG_0 Write pulse repetition time, logic 0 18 20 22 TO
TLOG_1 Write pulse repetition time, logic 1 26 28 32 TO
TSTOP Write pulse length, stop condition 36 TO
LF Field Power On Reset, Note 3
tSTART Transponder initialization time BFIELD = 35T 80 s
tRESET,SETUP LF Field Power On Reset setup time BFIELD = 100T 5 ms

Notes
1. As detected by the transponder interface demodulator. The corresponding LF Field write pulse width applied by the base
station depends on the resonance circuit properties and actual system coupling factor.
2. This is the time between start of boot process and entering WAIT state.

3. Characterized with the Scemtech test equipment STM-1 in a Helmholtz arrangement according to section 12.

2013 Oct 10 36 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

11.3 Mechanical Characteristics

Figure 38 Package outlines SOT 385-1

2013 Oct 10 37 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

12.0

0.4
10.4
1.6 ±0.2

2.1 -0.1
L

1.5 ±0.25
1.5 ±0.25
2.1 -0.1

OUTLINE DIMENSIONS ARE NOMINAL VALUES

Figure 39 Coil position, Layout SOT 385-1

2013 Oct 10 38 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

12 TEST SETUP The sense coils detect the absorption modulation induced
Device characteristics are measured according to the test by the transponder, whereas the reference coils sense the
setups given below. magnetic flux generated by the field generating coils only.
The voltage difference measured between the sense coils
Electrical characteristics are measured in a Helmholtz and reference coils is proportional to the magnetic field
arrangement that generates an almost homogenous absorption induced by the transponder.
magnetic field at the position of the device under test
(transponder), see Figure 41.

FMAX

DUT

Figure 40 Mechanical Stress

Reference Coils
(serial connected, in phase)
Field Generating Coils

(serial connected, in phase)

(serial connected, in phase)

DUT VDIF
Sense Coils

Signal
~
Generator

Reference Coils
(serial connected, in phase)

Figure 41 Helmholtz setup for electrical characteristics

2013 Oct 10 39 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

13 RELATED DOCUMENTS

Type Name / Reference Description

Application CAS/UM0101 HT2 Security Algorithm

Note

Application AppNote_HT2Extended_V10 AN-HT2Extended

Note
Data Sheet f7x41E-rom_lib PCF7x41E ROM Library

Data Sheet PCF7x41E Security Transponder and RISC Controller

14 DEVELOPMENT TOOLS

Reference Name Description

OM6705 TED Kit Transponder Evaluation and Development Kit

15 REVISION HISTORY

Revision Page Description

2007 Oct 12 Specification Release

2008 Sep 01 32, 36 Replace tInit with tBoot. Update Figure 35. LF field power on reset timing

2008 Nov 05 19, 28 update SEL_BLOCK, TEST, Figure 30

2010 Nov 22 Editorial changes, update Legal Information

2011 Mar 01 Editorial changes.

37 Updated Package outlines SOT 385-1

2011 Mar 01 20 Corrected Figure 19: Changed twait,Bs to tINI STATE_SR.

2011 Jun 14 Preliminary Specification, production of PCF7937EA/CAAB2601

2011 Oct 06 Change Status to Product Specification

41 Update Legal Information

2012 Mar 12 4 Update ORDERING INFORMATION

33 Corrected EEPROM Content Upon Delivery

2012 Mar 15 33 Corrected EEPROM Content Upon Delivery

2013 Mar 20 12 Corrected Table 2. Command Set in WAIT State

2013 Oct 10 3 Update ORDERING INFORMATION.

2013 Oct 10 40 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

16 LEGAL INFORMATION

16.1 Data sheet status

[1][2] [3] Definition
Document status Product status

Objective [short] data sheet Development This document contains data from the objective specification or product development

Preliminary [short] data sheet Qualification This document contains data from the preliminary specification

Product [short] data sheet Production This document contains the product specification

[1] Please consult the most recently issued document before initiating or completing a design.
[2] The term ‘short data sheet’ is explained in section “Definitions”.
[3] The product status of device(s) described in this document may have changed since this document was published and may differ in case of multiple devices. The latest product status
information is available on the Internet at URL http://www.nxp.com.

16.2 Definitions Suitability for use in automotive applications — This NXP

Semiconductors product has been qualified for use in automotive
Draft applications. Unless otherwise agreed in writing, the product is not
The document is a draft version only. The content is still under internal designed, authorized or warranted to be suitable for use in life support, life-
review and subject to formal approval, which may result in modifications or critical or safety-critical systems or equipment, nor in applications where
additions. NXP Semiconductors does not give any representations or failure or malfunction of an NXP Semiconductors product can reasonably be
warranties as to the accuracy or completeness of information included expected to result in personal injury, death or severe property or
herein and shall have no liability for the consequences of use of such
environmental damage. NXP Semiconductors accepts no liability for
information.
inclusion and/or use of NXP Semiconductors products in such equipment or
Short data sheet applications and therefore such inclusion and/or use is at the customers
A short data sheet is an extract from a full data sheet with the same product
own risk.
type number(s) and title. A short data sheet is intended for quick reference
only and should not be relied upon to contain detailed and full information. Applications — Applications that are described herein for any of these
For detailed and full information see the relevant full data sheet, which is products are for illustrative purposes only. NXP Semiconductors makes no
available on request via the local NXP Semiconductors sales office. In case representation or warranty that such applications will be suitable for the
of any inconsistency or conflict with the short data sheet, the full data sheet specified use without further testing or modification. Customers are
shall prevail.
responsible for the design and operation of their applications and products
Product specification — The information and data provided in a Product using NXP Semiconductors products, and NXP Semiconductors accepts no
data sheet shall define the specification of the product as agreed between liability for any assistance with applications or customer product design. It is
NXP Semiconductors and its customer, unless NXP Semiconductors and customer’s sole responsibility to determine whether the NXP
customer have explicitly agreed otherwise in writing. In no event however, Semiconductors product is suitable and fit for the customer’s applications
shall an agreement be valid in which the NXP Semiconductors product is and products planned, as well as for the planned application and use of
deemed to offer functions and qualities beyond those described in the customer’s third party customer(s). Customers should provide appropriate
Product data sheet. design and operating safeguards to minimize the risks associated with their
applications and products.
16.3 Disclaimers NXP Semiconductors does not accept any liability related to any default,
damage, costs or problem which is based on any weakness or default in the
Limited warranty and liability — Information in this document is believed customer’s applications or products, or the application or use by customer’s
to be accurate and reliable. However, NXP Semiconductors does not give third party customer(s). Customer is responsible for doing all necessary
any representations or warranties, expressed or implied, as to the accuracy testing for the customer’s applications and products using NXP
or completeness of such information and shall have no liability for the Semiconductors products in order to avoid a default of the applications and
consequences of use of such information. the products or of the application or use by customer’s third party
customer(s). NXP does not accept any liability in this respect.
In no event shall NXP Semiconductors be liable for any indirect, incidental,
punitive, special or consequential damages (including - without limitation - Limiting values — Stress above one or more limiting values (as defined in
lost profits, lost savings, business interruption, costs related to the removal the Absolute Maximum Ratings System of IEC 60134) will cause permanent
or replacement of any products or rework charges) whether or not such damage to the device. Limiting values are stress ratings only and (proper)
damages are based on tort (including negligence), warranty, breach of operation of the device at these or any other conditions above those given
contract or any other legal theory. in the Recommended operating conditions section (if present) or the
Characteristics sections of this document is not warranted. Constant or
Notwithstanding any damages that customer might incur for any reason
repeated exposure to limiting values will permanently and irreversibly affect
whatsoever, NXP Semiconductors’ aggregate and cumulative liability
the quality and reliability of the device.
towards customer for the products described herein shall be limited in
accordance with the Terms and conditions of commercial sale of NXP Terms and conditions of commercial sale — NXP Semiconductors
Semiconductors. products are sold subject to the general terms and conditions of commercial
sale, as published at http://www.nxp.com/profile/terms, unless otherwise
Right to make changes — NXP Semiconductors reserves the right to
agreed in a valid written individual agreement. In case an individual
make changes to information published in this document, including without
agreement is concluded only the terms and conditions of the respective
limitation specifications and product descriptions, at any time and without
agreement shall apply. NXP Semiconductors hereby expressly objects to
notice. This document supersedes and replaces all information supplied
applying the customer’s general terms and conditions with regard to the
prior to the publication hereof.
purchase of NXP Semiconductors products by customer.

2013 Oct 10 41 Confidential

NXP Semiconductors Product Specification

Security Transponder (HT2-Extended) PCF7937EA

No offer to sell or license — Nothing in this document may be interpreted

or construed as an offer to sell products that is open for acceptance or the
grant, conveyance or implication of any license under any copyrights,
patents or other industrial or intellectual property rights.
Export control — This document as well as the item(s) described herein
may be subject to export control regulations. Export might require a prior
authorization from national authorities.
Quick reference data — The Quick reference data is an extract of the
product data given in the Limiting values and Characteristics sections of this
document, and as such is not complete, exhaustive or legally binding.

17 Contact information
For sales office addresses, please send an email to:
[email protected]
For additional information, please visit: http://www.nxp.com

Please be aware that important notices concerning this document and the
product(s) described herein, have been included in the section 'Legal information'.

© NXP B.V. All rights reserved.

For more information, please visit: http://www.nxp.com

For sales office addresses, email to: [email protected]