3

I'm using an ACR122U reader with an NTAG213 card. The card is password (reading and writing) protected with the password 52 84 00 08. What are the APDU commands I should run to authenticate the card and also to read pages 30 and 31 of it once authenticated?

I know with the MiFare 1k I could load the password and authenticate a sector, but I'm not sure how authentication works with the NTAG213 cards with the ACR122U readers.

Michael Roland
  • 39,663
  • 10
  • 99
  • 206
KaZaaV2
  • 71
  • 5

1 Answers1

4

With the ACR122U you would need to send direct commands to the PN532 NFC controller chip inside the reader in order to exchange such low-level commands. For instance, you could use the InCommunicateThru command to send a raw command to the tag:

+-----+-----+-----+-----+--------------+-----------+-----+
| CLA | INS | P1  | P2  | Lc           | DATA      | Le  |
| FF  | 00  | 00  | 00  | 2 + len(CMD) | D4 42 CMD | --  |
+-----+-----+-----+-----+--------------+-----------+-----+

That way, you could send the password authentication command (PWD_AUTH) to the tag:

FF 00 00 00  07  D4 42  1B  52 84 00 08
                        --  -----------
                        |   |
                        |   \-> password
                        \-> command: PWD_AUTH

The response to this command should be something like

D5 43 00  PACK  90 00

Similarly, you can send a READ command to read any page:

FF 00 00 00  04  D4 42  30  XX

where XX is the 1-byte page address.

Note that the read command should also work using the (more robust?) InDataExchange command:

FF 00 00 00  05  D4 40 01  30  XX
Michael Roland
  • 39,663
  • 10
  • 99
  • 206
  • I'm using the ACR122U tool from ACS to send commands to the NTAG 213. After I send the authentication command and I try to read a read/write protected page, this is what happens: < FF 00 00 00 07 D4 42 30 04 > D5 43 02 90 00 I can't seem to read anything at all that is authentication protected. Should I be using another program to communicate with the ACR122u? – KaZaaV2 May 30 '17 at 07:22
  • @KaZaaV2 That's odd. Status code 0x02 indicates a CRC error (which should not really happen since the PN532 automatically handles the CRC). Did you also try the InDataExchange version of the command? – Michael Roland May 30 '17 at 09:11
  • @KaZaaV2 Also: Did authentication work? I.e. did you receive a response in the form `D5 43 00 xx xx 90 00`? And what value do you get back in response to the APDU `FF 00 00 00 06 D4 06 63 02 63 03`? – Michael Roland May 30 '17 at 09:16
  • @KaZaaV2 Sorry, I just realized that I did not set Lc to the correct value in the last two APDU commands. Did you fix that yourself? If not, please try the commands in my updated answer. – Michael Roland May 30 '17 at 09:19
  • Yes I tried the InDataExchange version of the command and got the same thing. I tried the stuff you said above and this is what I got: ACR122U APDU Command `< FF 00 00 00 07 D4 42 1B 88 04 00 00 > D5 43 00 00 00 90 00 ` ACR122U APDU Command `< FF 00 00 00 06 D4 42 06 63 02 63 03 > D5 43 01 90 00 ` ACR122U APDU Command `< FF 00 00 00 07 D4 42 30 04 > D5 43 02 90 00` Did I miss anything? – KaZaaV2 May 30 '17 at 09:45
  • Sorry, made a mistake. Meant to post: ACR122U APDU Command `< FF 00 00 00 06 D4 06 63 02 63 03` `> D5 07 80 80 90 00 ` – KaZaaV2 May 30 '17 at 09:54
  • @KaZaaV2 Okay, the latter means automatic CRC is enabled in both directions, which is good. Did you also try the updates I posted in my answer? (I.e. the one that fixes the Lc fvalue of the APDU commands.) – Michael Roland May 30 '17 at 12:27
  • I tried it with the updated value you provided and got basically the same thing: ACR122U APDU Command `< FF 00 00 00 04 D4 42 30 04 ` ACR122U APDU Command `< FF 00 00 00 05 D4 40 01 30 04 ` `> D5 41 13 90 00 ` `> D5 43 02 90 00 ` – KaZaaV2 May 30 '17 at 19:24
  • Funny enough, on a card that isn't read/write protected with a password it works fine: ACR122U APDU Command `< FF 00 00 00 04 D4 42 30 04 ` `> D5 43 00 54 69 63 6B 65 54 69 6E 67 20 45 76 65 6E 74 73 90 00 ` – KaZaaV2 May 30 '17 at 19:32
  • @KaZaaV2 Could it be that you deselect and reselect the tag between authentication and reading (in that case the authentication state would be lost)? – Michael Roland May 31 '17 at 10:21
  • Well I never touched the card after I put in on and I also entered the commands you suggested one after the other so I'm not sure how that deselect may even happen. – KaZaaV2 Jun 01 '17 at 07:16
  • @KaZaaV2 Since I don't know the tool that you are using I can't tell how it might work, but if it closes the connection in between the two commands, this would explain your results. – Michael Roland Jun 01 '17 at 07:47
  • I'm using the ACS Scripting Tool that comes with the ACR122u. Is there a tool you can suggest for me to use instead? – KaZaaV2 Jun 02 '17 at 04:59
  • I used the tool here: https://www.youtube.com/watch?v=X7jvK_2LRSI and it works. When I take you commands and authenticate in another APDU, Authentication works . However, when I try to read a block that's password protected using this command: FF 00 00 00 05 D4 40 01 30 XX, I get this response: D5 43 02 90 00 Oddly enough, if i launch the tool and authenticate, then close it and launch another APDU and just try to read without sending the authentication command, it will read the blocks once I don't unplug the ACR122U. Why is this happening? – KaZaaV2 Jun 04 '17 at 06:57
  • I am also struggling with this and what I found out so far: `InDataExchange` / 0x40 does not work for some native NTAG21x commands (`GET_VERSION` / 0x60, `PWD_AUTH` / 0x1B - no response from the device), but does for others (`WRITE` / 0xA2). But using the scripting tool and `InCommunicateThru` / 0x42 they do work. Now I'm trying to get them also working when using a .NET `SmartCardConnection`... – Christoph Fink Feb 11 '18 at 16:31
  • ...and now got it working also using .NET - my mistake was that I supplied a (correct) `Le`. If I omit that (as in Michaels example) it did work. – Christoph Fink Feb 11 '18 at 16:38