topic Re: NTAG 5 Link AUTHENTICATE command only errors 0F in NFC

NTAG 5 Link AUTHENTICATE command only errors 0F

F938FAFFA317AB — Fri, 13 Feb 2026 21:38:52 GMT

I'm sort of pulling my hair out here. I cannot get the chip to perform a TAM1 or MAM1 cryptographic command. It will only respond with an 0F error. Here is the configuration of my test chip (yes I've tried multiple different chips).

Device Security Configuration (Block 0x3F)
- DEV_SEC_CONFIG: 0xA2 — AES mode enabled, writable

Global Crypto Header (Block 0x0C, Byte 1)
- NFC_GCH: 0xC1 — Access Right Activated

Crypto Config Header (Block 0x0D, Byte 1)
- NFC_CCH: 0xE7 — Active/Locked

Authentication Limit (Block 0x0E)
- NFC_AUTH_LIMIT: 0 — Unlimited attempts

Key Headers (NFC_KHx)
- KEY0 (0x10): 0xE7 — Active/Locked
- KEY1 (0x12): 0xE7 — Active/Locked
- KEY2 (0x14): 0xE7 — Active/Locked
- KEY3 (0x16): 0xE7 — Active/Locked

Key Privileges (NFC_KPx)
- KEY0 (0x11): 0xFF — All privileges (AREA1_Write, AREA1_Read, CryptoConfig, EAS/AFI, Destroy, Privacy, Write, Read)
- KEY1 (0x13): 0x00 — None
- KEY2 (0x15): 0x00 — None
- KEY3 (0x17): 0x00 — None

Key Storage Blocks
- All key storage blocks (0x20–0x2F) are protected and unreadable

Here is the command I'm sending;

The message portion (bytes 12–23) is 12 bytes = 96 bits, as required by the specification.

The response from the chip is always 01 (flags) 0F (error).

What the heck am I doing wrong here?

Re: NTAG 5 Link AUTHENTICATE command only errors 0F

F938FAFFA317AB — Thu, 12 Feb 2026 10:21:53 GMT

For more information, here is the response to NXP GET SYSTEM INFO (0xAB);

Command sent: 02 AB 04 (flags, command, manufacturer code)

Response received: 00 00 20 00 FF F1 07 64

Byte 0 (0x00) — Response Flags
Success, no error.

Byte 1 (0x00) — Protection Pointer Address
Block address 0x00 (protection starts at block 0).

Byte 2 (0x20) — Protection Pointer Condition
- Bit 5 (WH) = 1: Page 0-H IS write protected
- Bit 4 (RH) = 0: Page 0-H is NOT read protected
- Bit 1 (WL) = 0: Page 0-L is NOT write protected
- Bit 0 (RL) = 0: Page 0-L is NOT read protected

Byte 3 (0x00) — Lock Bits
All features unlocked (PP area, DSFID, EAS, AFI all modifiable).

---
Bytes 4-7 — Feature Flags

Byte 4 (0xFF) — Features Set 0:
- Customer ID (CID) — Supported
- EAS IR (extended inventory) — Supported
- Inventory Read Extended Mode — Supported
- AFI Protection — Supported
- EAS Protection — Supported
- EAS ID — Supported
- NFC Counter — Supported
- User Memory Protection — Supported

Byte 5 (0xF1) — Features Set 1:
- High Bitrates — Supported
- Write CID — Supported
- DESTROY Feature — Supported
- NFC Privacy Mode — Supported
- Persistent Quiet — Not supported
- Originality Signature — Supported

Byte 6 (0x07) — Features Set 2:
- Key Privileges — Supported
- Mutual Authentication (MAM) — Supported
- Tag Authentication (TAM) — Supported

Byte 7 (0x64) — Features Set 3:
- Extended Flags — None
- Interface — GPIO and I2C (11b)
- Number of Keys — 4

Re: NTAG 5 Link AUTHENTICATE command only errors 0F

EduardoZamora — Thu, 12 Feb 2026 21:33:07 GMT

Hello @F938FAFFA317AB,

Hope you are doing well.

Based on GET NXP SYSTEM INFO response, I can see that your NTAG 5 Link variant is AES capable.

By any chance, is your Reader adding the proper CRC16 to the Authentication command frame?

This may be a basic question; did you provide a valid AES Key before locking the Key being used? Are you able to authenticate with a different KeyID?

Regards,
Eduardo.

Re: NTAG 5 Link AUTHENTICATE command only errors 0F

F938FAFFA317AB — Fri, 13 Feb 2026 00:42:38 GMT

Hi Eduardo,

Thank you for your reply.

> By any chance, is your Reader adding the proper CRC16 to the Authentication command frame?

Yes I am primarily using an ACR1552U, however I have tested using an HID OmniKey 5022CL as well as an Android 14 application sending the same commands and getting the same 0F error response.

> did you provide a valid AES Key before locking the Key being used? Are you able to authenticate with a different KeyID?

Yes, for ease of testing, key0 is set to all AA bytes, key1 is set to all BB bytes, etc. I first set the operational mode to AES because if you attempt to write keys prior to this, only key0 and part of key1 will retain the data. After writing keys, reading them back, power cycling the chip (removing and placing back on the reader), and reading again, only then did I activate each key. I have tried to send MAM1 and TAM1 via AUTHENTICATE (35h) and specified all keys (00, 01, 02, 03) and all attempts return the same 0F error response. Furthermore, I have tried TAM1 via unaddressed mode CHALLENGE with 250ms delay and READBUFFER and the data returned appears random and does not decrypt to the correct response.

I am at a loss. I have used multiple NTAG 5 link chips embedded in our product, and even chips on test boards - NTP5332 NFC Tag Click board™ | NTAG 5 Link Click

Re: NTAG 5 Link AUTHENTICATE command only errors 0F

F938FAFFA317AB — Fri, 13 Feb 2026 21:39:43 GMT

A little more progress... I have switched to using the HID OmniKey 5022 CL reader since transparent transceive commands are a little more straightforward using it. I was able to use the AUTHENTICATE command to send a TAM1 challenge and receive a response. The MAM1 still returns error 0F however.

Sadly MAM1 still fails with 0F response.

Response:
0000010F9000