Electronic Passport (eMRTD) NFC CHIP01-52CN Chip

Application Software Developer Guide

Version: 1.0
Date: 2026-03-23
Based on: ICAO Doc 9303, 8th Edition (2021), Parts 9, 10, 11, 12 incorporating Amendments No.1 (2024) and No.2 (2026)

General Information
Physical Layer and Communication Protocols
Chip File Structure
Chip Access Protocols
Data Read Operations (LDS1)
Data Write Operations (LDS2)
APDU Commands Reference
Data Groups
Data Authenticity Verification
Chip Authentication
Typical Usage Scenarios
Error Handling
Standards References

1. General Information

1.1 About the CHIP01-52CN Chip

The NFC CHIP01-52CN chip is a Contactless Integrated Circuit (Contactless IC) used in electronic Machine Readable Travel Documents (eMRTD) per the ICAO Doc 9303 specification. The chip operates according to the ISO/IEC 14443 standard (Type A or Type B) and supports ISO/IEC 7816-4 commands.

Important: The Doc 9303 specification does not describe a chip from a specific manufacturer but defines interoperability requirements. This guide describes the software interface for communicating with the chip as an ISO 14443-compliant eMRTD controller.

1.2 Key Characteristics

Parameter	Value
Radio Interface	ISO/IEC 14443-2 (Type A or Type B)
Transmission Protocol	ISO/IEC 14443-4 (Half-duplex)
Transmission Speed	Minimum 424 kbps (recommended)
Command Interface	ISO/IEC 7816-4, ISO/IEC 7816-8
Minimum Memory Size	32 KB
Anti-collision	ISO/IEC 14443-3
Reading Range	Up to 10 cm

1.3 Applications on the Chip

Application	AID	Requirement
LDS1 eMRTD	`A0 00 00 02 47 10 01`	MANDATORY
LDS2 Travel Records	`A0 00 00 02 47 20 01`	Optional
LDS2 Visa Records	`A0 00 00 02 47 20 02`	Optional
LDS2 Additional Biometrics	`A0 00 00 02 47 20 03`	Optional

2. Physical Layer and Communication Protocols

2.1 Connection Establishment

Polling: The reader sends REQA (Type A) or REQB (Type B).
Response: The chip responds with ATQA / ATQB.
Anti-collision: Per ISO/IEC 14443-3 (UID for Type A, PUPI for Type B).
- UID/PUPI may be fixed or random — depends on the issuing country's choice.
- Recommended to use random identifiers.
Protocol Establishment: ISO/IEC 14443-4 (T=CL protocol).

2.2 Extended Length Support

Extended Lc/Le: Mandatory for terminals. For chips — CONDITIONAL (if the cryptographic algorithms in use require it).
Extended length support availability is indicated in ATS or in EF.ATR/INFO.
The terminal MUST verify extended length support before using it.

3. Chip File Structure

3.1 General Structure

MF (Master File)
├── EF.CardAccess     (SFI '1C', FID '011C') — SecurityInfos for PACE
├── EF.CardSecurity   (SFI '1D', FID '011D') — SecurityInfos for PACE-CAM
├── EF.DIR            (SFI '1E', FID '2F00') — Application list
├── EF.ATR/INFO       (SFI '01', FID '2F01') — Capability information
│
├── DF: LDS1 eMRTD Application (AID: A0 00 00 02 47 10 01)
│   ├── EF.COM        (SFI '1E', FID '011E') — LDS Header
│   ├── EF.SOD        (SFI '1D', FID '011D') — Security Object
│   ├── EF.DG1        (SFI '01', FID '0101') — MRZ data
│   ├── EF.DG2        (SFI '02', FID '0102') — Face photo
│   ├── EF.DG3        (SFI '03', FID '0103') — Fingerprints (opt.)
│   ├── EF.DG4        (SFI '04', FID '0104') — Iris (opt.)
│   ├── EF.DG5-DG7    (SFI '05'-'07')        — Displayed images
│   ├── EF.DG8-DG10   (SFI '08'-'0A')        — Reserved
│   ├── EF.DG11       (SFI '0B', FID '010B') — Additional personal data
│   ├── EF.DG12       (SFI '0C', FID '010C') — Additional document data
│   ├── EF.DG13       (SFI '0D', FID '010D') — National data (opt.)
│   ├── EF.DG14       (SFI '0E', FID '010E') — SecurityInfos
│   ├── EF.DG15       (SFI '0F', FID '010F') — AA Public Key
│   └── EF.DG16       (SFI '10', FID '0110') — Emergency contacts
│
├── DF: Travel Records (AID: A0 00 00 02 47 20 01, opt.)
│   ├── EF.Certificates   (SFI '1A', FID '011A')
│   ├── EF.EntryRecords    (SFI '01', FID '0101')
│   └── EF.ExitRecords     (SFI '02', FID '0102')
│
├── DF: Visa Records (AID: A0 00 00 02 47 20 02, opt.)
│   ├── EF.Certificates   (SFI '1A', FID '011A')
│   └── EF.VisaRecords    (SFI '03', FID '0103')
│
└── DF: Additional Biometrics (AID: A0 00 00 02 47 20 03, opt.)
    ├── EF.Certificates   (SFI '1A', FID '011A')
    └── EF.Biometrics1-64 (FID '0201'-'0240')

3.2 MF File Access Rights

File	Select	Read	Write
EF.CardAccess	ALWAYS	ALWAYS	NEVER
EF.CardSecurity	ALWAYS	PACE	NEVER
EF.DIR	ALWAYS	ALWAYS	NEVER
EF.ATR/INFO	ALWAYS	ALWAYS	NEVER

3.3 LDS1 File Access Rights

All EFs in the LDS1 eMRTD Application:

Select: ALWAYS (after application selection)
Read: BAC/PACE (less sensitive), PACE+TA (DG3, DG4)
Write/Update/Erase: NEVER (after personalization and locking)

4. Chip Access Protocols

4.1 General Access Sequence

┌─────────────────────────────────────────────────────┐
│ 1. Physical connection establishment (ISO 14443)    │
│ 2. Read EF.CardAccess (determine PACE/BAC)          │
│ 3. PACE or BAC → Establish secure channel           │
│ 4. Application selection (SELECT DF)                │
│ 5. Data reading (READ BINARY/READ RECORD)           │
│ 6. Passive Authentication (SOD verification)        │
│ 7. Active Authentication or Chip Authentication     │
│ 8. Terminal Authentication (for LDS2 / DG3,DG4)     │
│ 9. LDS2 data read/write                             │
└─────────────────────────────────────────────────────┘

4.2 BAC (Basic Access Control)

Note: Starting 01.01.2028, new eMRTDs are issued with PACE only. BAC is deprecated, but terminals must support it until 2038.

Algorithm:

Read MRZ optically (OCR) or enter manually.
Extract MRZ_information = Document_Number + Date_of_Birth + Date_of_Expiry (with check digits).
Compute Kseed = SHA-1(MRZ_information)[0..15] (16 bytes).
Derive keys from Kseed:
- KEnc — encryption key (3DES, 112 bits)
- KMAC — MAC key
Perform challenge-response (GET CHALLENGE → EXTERNAL AUTHENTICATE).
Both sides compute session keys KSEnc, KSMAC.
All subsequent communication uses Secure Messaging.

APDU for BAC:

GET CHALLENGE:
  CLA='00', INS='84', P1='00', P2='00', Le='08'
  → Response: 8 bytes RND.IC

EXTERNAL AUTHENTICATE (Mutual Authenticate):
  CLA='00', INS='82', P1='00', P2='00',
  Data = EIFD || MIFD (40 bytes)
  → Response: EIC || MIC (40 bytes)

4.3 PACE (Password Authenticated Connection Establishment)

Recommended access protocol.

Algorithm:

Read EF.CardAccess to determine supported PACE parameters.
Choose password: MRZ_information (mandatory) or CAN (optional).
Compute Kπ = KDFπ(password).
Execute GENERAL AUTHENTICATE sequence (4 steps):

Step	Description	Command Data Tag	Response Data Tag
1	Encrypted Nonce	— (empty)	`0x80`
2	Map Nonce	`0x81`	`0x82`
3	Key Agreement	`0x83`	`0x84`
4	Mutual Auth	`0x85`	`0x86` (+`0x87`, `0x88`, `0x8A` cond.)

APDU for PACE:

MSE:Set AT (PACE initialization):
  CLA=context, INS='22', P1/P2='C1A4'
  Data:
    0x80 [PACE protocol OID]             — MANDATORY
    0x83 [password ref: 01=MRZ, 02=CAN]  — MANDATORY
    0x84 [domain parameter ref]           — CONDITIONAL

GENERAL AUTHENTICATE (4 times, with command chaining):
  CLA=context, INS='86', P1/P2='0000'
  Data: 0x7C [Dynamic Authentication Data]
  → Response: 0x7C [Dynamic Authentication Data]

Supported PACE variants (ECDH):

OID	Mapping	Cipher	Key	SM
id-PACE-ECDH-GM-AES-CBC-CMAC-128	Generic	AES	128	CBC/CMAC
id-PACE-ECDH-GM-AES-CBC-CMAC-192	Generic	AES	192	CBC/CMAC
id-PACE-ECDH-GM-AES-CBC-CMAC-256	Generic	AES	256	CBC/CMAC
id-PACE-ECDH-IM-AES-CBC-CMAC-128	Integrated	AES	128	CBC/CMAC
id-PACE-ECDH-IM-AES-CBC-CMAC-192	Integrated	AES	192	CBC/CMAC
id-PACE-ECDH-IM-AES-CBC-CMAC-256	Integrated	AES	256	CBC/CMAC
id-PACE-ECDH-CAM-AES-CBC-CMAC-128	Chip Auth	AES	128	CBC/CMAC
id-PACE-ECDH-CAM-AES-CBC-CMAC-192	Chip Auth	AES	192	CBC/CMAC
id-PACE-ECDH-CAM-AES-CBC-CMAC-256	Chip Auth	AES	256	CBC/CMAC

5. Data Read Operations (LDS1)

5.1 Reading Sequence

Establish a secure channel (BAC or PACE).
Select the LDS1 application: SELECT DF (AID: A0 00 00 02 47 10 01).
Read EF.COM — obtain the list of present Data Groups.
Read EF.SOD — obtain the Document Security Object.
Read the required EF.DGn files.

5.2 Method 1: SELECT + READ BINARY

SELECT EF (by File Identifier):
  CLA='00'/'0C', INS='A4', P1='02', P2='0C'
  Lc='02', Data=File_ID (e.g. '0101' for DG1)

READ BINARY (from selected EF):
  CLA='00'/'0C', INS='B0', P1=Offset_Hi, P2=Offset_Lo
  Le=byte_count
  → Response: Data + SW1-SW2='9000'

5.3 Method 2: READ BINARY with Short EF Identifier (recommended)

READ BINARY (with Short EF ID):
  CLA='00'/'0C', INS='B0'
  P1 = Short_EF_ID (bits b8-b4) | bit8=1
  P2 = Offset
  Le = byte_count
  → Response: Data + SW1-SW2='9000'

Example: reading EF.DG1 (SFI='01'):

→ 00 B0 81 00 04     (P1=0x80|0x01=0x81, P2=0x00, Le=4)
← [first 4 bytes of DG1: tag '61' + length] + 90 00

→ 00 B0 81 04 XX     (offset=4, Le=remainder)
← [DG1 data] + 90 00

5.4 Reading Files > 32767 bytes (READ BINARY with INS=B1)

For large files (e.g. DG2 with a photograph), READ BINARY with odd INS is used:

READ BINARY (odd INS, EF > 32767 bytes):
  CLA='00'/'0C', INS='B1'
  P1-P2: Short EF ID or '0000' (current EF)
  Lc: data field length
  Data: DO'54' (Offset) — e.g. '54 02 FF FF' for offset=0xFFFF
  Le: maximum bytes in response

  → Response:
  Data: DO'53' (Discretionary Data) — read data
  SW1-SW2: '9000'

5.5 Reading Strategy for Optimization

First read ~4 bytes to obtain the TLV tag+length.
Determine the total file size from the length.
Read in blocks of the maximum Le size supported by the chip.
For DG2 (photograph): typically 15–30 KB — use maximum Le.

6. Data Write Operations (LDS2)

LDS1 data cannot be written after personalization! Writing is only possible for LDS2 applications and requires PACE + Terminal Authentication.

6.1 Prerequisites for Writing

PACE successfully completed.
Chip Authentication performed (mandatory for LDS2).
Terminal Authentication successfully performed with appropriate rights in the CV certificate.

6.2 Writing Travel Records / Visa Records (APPEND RECORD)

APPEND RECORD:
  CLA='0C', INS='E2', P1='00'
  P2: Short_EF_ID (bits b8-b4) | 000
  Lc: record length
  Data: record contents (BER-TLV)

  → Response: SW1-SW2='9000' (success)

Travel Record format (Entry/Exit):

'5F44' [3]  — State code (for SEARCH RECORD)
'73'   [var] — Record contents (signed block):
  '5F44' [3]  — State code
  '5F45' [8]  — Date (yyyymmdd)
  '5F4B' [var] — Inspection authority
  '5F46' [var] — Inspection location
  '5F4A' [var] — Inspector reference
  ... (optional fields)
'5F37' [var] — Electronic signature (Authenticity Token)
'5F38' [1]  — Record number of LDS2-TS Signer certificate in EF.Certificates

The order of DOs in the record is fixed and must conform to the specification.

6.3 Writing Additional Biometrics (UPDATE BINARY)

First UPDATE BINARY command (with offset 0):
  CLA='0C'/'8C', INS='D7'
  P1-P2: File ID or '0000' (current EF)
  Data:
    DO'54' ['00']           — Offset = 0
    DO'53' [data]           — First data block
    DO'C0' [size] (opt.)    — Total EF size

Subsequent UPDATE BINARY:
  CLA='0C', INS='D7'
  P1-P2: '0000'
  Data:
    DO'54' [offset]  — Offset = n+1 (where n = number of bytes written)
    DO'53' [data]    — Next data block

ACTIVATE (finalization):
  CLA='0C', INS='44', P1='00', P2='00'
  → Transitions EF from Deactivated to Activated (writing no longer possible)

6.4 FILE AND MEMORY MANAGEMENT (checking free space)

Before writing, it is recommended to check available memory:

FMM Command:
  CLA='8C', INS='5F'
  P1: '00' (current EF) or '01' (EF by reference in Data)
  P2: bitmap of requested information:
    b1 = total number of bytes in EF
    b2 = number of remaining records
    b3 = number of existing records
  Data: (if P1='01') DO'51' with file reference
  Le: '00'

  → Response:
  DO'7F78':
    DO'81' — total number of bytes
    DO'82' — number of remaining records
    DO'83' — number of existing records

6.5 Record Search (SEARCH RECORD)

SEARCH RECORD:
  CLA='0C', INS='A2', P1='00', P2='F8' (search across multiple EFs)
  Lc: command data length
  Data: Record handling DO'7F76':
    DO'51' — File reference (SFI or FID)
    DO'A1' — Search configuration:
      DO'80' — Search parameters ('00' — all records, '30' — first match)
      DO'B0' — Search window (offset + byte count)
    DO'A3' — Search string:
      DO'B1':
        DO'81' — Search string
  Le: '00' / '00 00'

  → Response:
  DO'7F76':
    DO'51' — File reference
    DO'02' — Matching record numbers
  SW: '9000' or '6282' (not found)

7. APDU Commands Reference

7.1 Minimum Command Set (LDS1)

Command	INS	Purpose
SELECT	`A4`	DF/EF selection
READ BINARY	`B0`	Read transparent file
READ BINARY (odd)	`B1`	Read file > 32767 bytes

7.2 Security Commands

Command	INS	Purpose
GET CHALLENGE	`84`	Request challenge (BAC)
EXTERNAL AUTHENTICATE	`82`	Mutual authenticate (BAC)
INTERNAL AUTHENTICATE	`88`	Active Authentication
MSE:Set AT	`22` (P1/P2=`C1A4`)	PACE/CA initialization
MSE:Set KAT	`22` (P1/P2=`41A6`)	Chip Auth (3DES)
GENERAL AUTHENTICATE	`86`	PACE/Chip Auth execution
PSO: Verify Certificate	`2A`	Terminal Authentication

7.3 LDS2 Commands

Command	INS	Purpose
READ RECORD	`B2`	Read records
APPEND RECORD	`E2`	Append records
SEARCH RECORD	`A2`	Search records
UPDATE BINARY (odd)	`D7`	Write Additional Biometrics
ACTIVATE	`44`	Activate EF.Biometrics
FMM	`5F`	File and Memory Management
PSO	`2A`	Perform Security Operation

7.4 Status Codes (SW1-SW2)

Code	Meaning
`9000`	Success
`6282`	Warning: search yielded no results
`6300`	Authentication failed
`6700`	Invalid length
`6982`	Security status not satisfied (no SM)
`6A80`	Invalid parameters in data field
`6A82`	File not found
`6A83`	Record not found
`6A84`	Insufficient memory in file
`6A88`	Referenced data not found

8. Data Groups

8.1 LDS1 Data Groups Table

DG	EF	SFI	Tag	Contents	Requirement
DG1	EF.DG1	`01`	`61`	MRZ data	MANDATORY
DG2	EF.DG2	`02`	`75`	Face photo (biometrics)	MANDATORY
DG3	EF.DG3	`03`	`63`	Fingerprints	Optional
DG4	EF.DG4	`04`	`76`	Iris	Optional
DG5	EF.DG5	`05`	`65`	Displayed portrait	Optional
DG7	EF.DG7	`07`	`67`	Signature/mark	Optional
DG11	EF.DG11	`0B`	`6B`	Additional personal data	Optional
DG12	EF.DG12	`0C`	`6C`	Additional document data	Optional
DG13	EF.DG13	`0D`	`6D`	National data	Optional
DG14	EF.DG14	`0E`	`6E`	SecurityInfos	Conditional
DG15	EF.DG15	`0F`	`6F`	AA Public Key	Conditional
DG16	EF.DG16	`10`	`70`	Emergency contacts	Optional

8.2 EF.COM (Header)

Tag '60' (Application level info):
  Tag '5F01' [4] — LDS Version (e.g. '0108' = v1.8)
  Tag '5F36' [6] — Unicode Version (e.g. '040000')
  Tag '5C'  [var] — Tag list (list of present DGs)

8.3 DG1 — MRZ (TD3 / Passport)

Tag '61':
  Tag '5F1F' [var] — MRZ (88 characters for TD3):
    Line 1 (44 characters): Type + Issuing State + Name
    Line 2 (44 characters): Doc No + DoB + Sex + DoE + Optional + Check digits

MRZ format for passport (TD3):

Field	Size	Type
Document code	2	A,S
Issuing State	3	A,S
Name	39	A,S
Document number	9	A,N,S
Check digit (doc no)	1	N,S
Nationality	3	A,S
Date of birth	6	N,S
Check digit (DoB)	1	N
Sex	1	A,S
Date of expiry	6	N
Check digit (DoE)	1	N
Optional data	14	A,N,S
Check digit (optional)	1	N
Composite check digit	1	N

8.4 DG2 — Biometric Photo (CBEFF)

Tag '75':
  Tag '7F61':                          — BIT Group Template
    Tag '02' [1] = number of templates
    Tag '7F60':                        — 1st BIT
      Tag 'A1':                        — Biometric Header Template
        Tag '87' [2] — Format Owner    — MANDATORY
        Tag '88' [2] — Format Type     — MANDATORY
        Tag '80' [2] — CBEFF version   (opt.)
        Tag '81' [1-3] — Biometric type (opt.)
        Tag '82' [1] — Biometric subtype (opt.)
      Tag '5F2E' or '7F2E' [var]      — Biometric Data Block

Tag 5F2E → ISO/IEC 19794 data (legacy)
Tag 7F2E → ISO/IEC 39794 data (mandatory for reading from 2026, for writing from 2030)

8.5 EF.SOD — Document Security Object

Tag '77':
  SignedData (CMS, RFC 3369):
    version: v3
    digestAlgorithms
    encapContentInfo:
      eContentType: id-icao-mrtd-security-ldsSecurityObject
      eContent: LDSSecurityObject:
        version: v0 or v1
        hashAlgorithm: SHA-256/384/512
        dataGroupHashValues: [{dgNumber, dgHash}, ...]
        ldsVersionInfo (v1): {ldsVersion, unicodeVersion}
    certificates: [Document Signer Certificate]
    signerInfos: [SignerInfo]

9. Data Authenticity Verification

9.1 Passive Authentication (mandatory)

Verifies that data on the chip has not been modified:

Read EF.SOD.
Extract the Document Signer certificate (CDS) from SignedData.
Build the certificate chain from the Trust Anchor (CSCA) to CDS.
Verify the EF.SOD signature using the key from CDS.
For each read DG:
- Compute the hash of the DG contents.
- Compare with the hash in dataGroupHashValues from SOD.
Additionally recommended:
- Verify DocumentTypeExtension in CDS.
- Verify country code consistency.
- Verify the Private Key Usage period in CDS.

9.2 Passive Authentication for LDS2

LDS2 data is written after document issuance and is not protected by SOD. For each signed LDS2 object:

Extract the LDS2 Signer Certificate from EF.Certificates.
Build the trust chain CSCA → LDS2 Signer.
Verify the Authenticity Token (DO 5F37) using the key from the LDS2 Signer.

10. Chip Authentication

10.1 Active Authentication (optional)

Proves chip authenticity via challenge-response:

1. Inspection system → GET CHALLENGE (obtain RND.IFD)
2. Send: INTERNAL AUTHENTICATE (INS='88', Data=RND.IFD)
3. Chip signs the challenge with private key KPrAA
4. IS verifies the signature with public key KPuAA from DG15

Supports RSA (ISO/IEC 9796-2) and ECDSA (plain format).

10.2 Chip Authentication (recommended; mandatory for LDS2)

Ephemeral-static Diffie-Hellman key agreement:

Obtain the chip's static public key PKIC from DG14 or EF.CardSecurity.
Generate an ephemeral terminal key pair (SKDH,IFD, PKDH,IFD).
Send PKDH,IFD to the chip (MSE:Set KAT or MSE:Set AT + GENERAL AUTHENTICATE).
Both sides compute the shared secret K = KA(SK, PK_other, D).
Derive new session keys KSEnc, KSMAC.
Restart Secure Messaging with the new keys.
Confirm the authenticity of PKIC via Passive Authentication.

10.3 PACE-CAM (PACE with Chip Authentication Mapping)

Combines channel establishment and chip authentication into a single protocol. After successful PACE-CAM:

Read and verify EF.CardSecurity.
Using PKIC from EF.CardSecurity + Mapping Data + Chip Authentication Data → authenticate the chip.

10.4 Terminal Authentication (for LDS2)

1. Terminal sends the CV certificate chain (CVCA → DV → IS).
2. Chip verifies the chain, extracts PKIFD.
3. Chip generates challenge rIC.
4. Terminal computes: sIFD = Sign(SKIFD, IDIC || rIC || Comp(PKDH,IFD))
5. Chip verifies the signature.
6. On success — access to LDS2 data according to the rights in the CV certificate.

11. Typical Usage Scenarios

11.1 Scenario: Reading Basic Passport Data

# Pseudocode

# 1. Establish NFC connection (ISO 14443)
nfc.connect()

# 2. Attempt to read EF.CardAccess
try:
    card_access = read_ef(SFI=0x1C)  # EF.CardAccess
    pace_params = parse_security_infos(card_access)
    # 3a. Perform PACE
    perform_pace(mrz_info, pace_params)
except FileNotFound:
    # 3b. Fallback to BAC
    select_application(AID='A0000002471001')
    perform_bac(mrz_info)

# 4. Select LDS1 application (if not already selected)
select_application(AID='A0000002471001')

# 5. Read EF.COM
ef_com = read_binary(SFI=0x1E)
present_dgs = parse_ef_com(ef_com)

# 6. Read EF.SOD
ef_sod = read_binary(SFI=0x1D)

# 7. Read DG1 (MRZ data)
dg1 = read_binary(SFI=0x01)
mrz_data = parse_dg1(dg1)

# 8. Read DG2 (face photo)
dg2 = read_binary_large(SFI=0x02)  # may be > 32K
face_image = parse_dg2(dg2)

# 9. Passive Authentication
verify_sod(ef_sod, trusted_csca_certs)
verify_dg_hash(dg1, ef_sod, dg_number=1)
verify_dg_hash(dg2, ef_sod, dg_number=2)

# 10. Chip Authentication (optional, mandatory for DG3/DG4/LDS2)
if 14 in present_dgs:
    dg14 = read_binary(SFI=0x0E)
    perform_chip_authentication(dg14)

11.2 Scenario: Reading Fingerprints (DG3)

# Requires: PACE + Chip Authentication + Terminal Authentication

# 1. PACE
perform_pace(mrz_info, pace_params)

# 2. Read EF.CardSecurity
card_security = read_ef(SFI=0x1D)

# 3. Chip Authentication
dg14 = read_binary(SFI=0x0E)
perform_chip_authentication(dg14)

# 4. Terminal Authentication (with CV certificate having DG3 access rights)
perform_terminal_authentication(cv_cert_chain)

# 5. Read DG3
dg3 = read_binary(SFI=0x03)
fingerprints = parse_dg3(dg3)

11.3 Scenario: Writing a Travel Record (LDS2)

# Requires: PACE + Chip Auth + Terminal Auth with write rights

# 1. PACE + Chip Auth + Terminal Auth
perform_pace(mrz_info, pace_params)
perform_chip_authentication(...)
perform_terminal_authentication(cv_cert_chain_with_write_rights)

# 2. Select Travel Records application
select_application(AID='A0000002472001')

# 3. Check free space (FMM)
fmm_response = fmm_command(SFI=0x01, query=TOTAL_BYTES|REMAINING_RECORDS)

# 4. Find or write certificate
search_result = search_record(SFI=0x1A, cert_serial)
if not search_result:
    cert_record = build_cert_record(cert_serial, x509_cert)
    append_record(SFI=0x1A, data=cert_record)
    cert_ref = fmm_command(SFI=0x1A, query=EXISTING_RECORDS)

# 5. Build and sign Travel Record
record = build_travel_record(
    state='USA', date='20260323', authority='CBP',
    location='SFO', inspector='SFO00001234'
)
signature = sign(signer_private_key, record.tag_73)
record.set_authenticity_token(signature)
record.set_cert_reference(cert_ref)

# 6. Write Travel Record
append_record(SFI=0x01, data=record.encode())  # EF.EntryRecords

12. Error Handling

12.1 Communication Errors

Situation	Action
Chip not responding to REQA/REQB	Check antenna positioning, retry polling
Connection lost during read	Restore session from the beginning (PACE/BAC)
CRC error	Retry the command

12.2 Security Errors

SW1-SW2	Situation	Action
`6982`	Secure Messaging not established	Perform BAC or PACE
`6300`	Authentication failed	Verify MRZ/CAN, restart PACE
`6A80`	Invalid parameters	Check protocol OID and parameters
`6A88`	Key/data not found	Select different parameters

12.3 LDS2 Errors

SW1-SW2	Situation	Action
`6A84`	Insufficient memory	Use FMM to check before writing
`6700`	Record exceeds maximum	Reduce record size
`6A83`	Record not found	Verify record number / FMM correctness

13. Standards References

Standard	Description
ICAO Doc 9303 Part 9	Deployment of biometrics and electronic data storage
ICAO Doc 9303 Part 10	Logical Data Structure (LDS) for ICs
ICAO Doc 9303 Part 11	Security mechanisms for MRTDs
ICAO Doc 9303 Part 12	PKI for MRTDs
ISO/IEC 14443-1..4	Contactless cards — physical characteristics, RF, protocol
ISO/IEC 7816-4	Smart cards — organization, security, commands
ISO/IEC 7816-8	Security commands
ISO/IEC 19794-4/5/6	Biometric data formats (legacy)
ISO/IEC 39794-4/5/6	Extensible biometric data formats (new)
RFC 3369	Cryptographic Message Syntax (CMS)
RFC 5280	X.509 PKI — Certificate and CRL Profile
FIPS 197	AES
NIST SP 800-38B	CMAC
BSI TR-03110	Extended Access Control (EAC)
BSI TR-03111	Elliptic Curve Cryptography

Document prepared based on analysis of ICAO Doc 9303, 8th Edition (Parts 9, 10, 11, 12) with 2024 and 2026 amendments.

ilyar/NFC_CHIP01-52CN.md