Configuring NTAG 424 DNA with Encrypted-Part and CMAC-Part

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configuring NTAG 424 DNA with Encrypted-Part and CMAC-Part

17,253 Views
manuel_mertl
Contributor III

Problem:

How do i configure my NTAG 424 DNA using the TagXplorer and and my Macbook.

Goal:

I want to be able to configure my tags in a way like described in the section 4.4.4 (https://www.nxp.com/docs/en/application-note/AN12196.pdf )

https://ntag.nxp.com/424?e=EF963FF7828658A599F3041510671E88&c=94EED9EE65337086

So the goal is to have 2 parameters in my URL called "e" and "c" where "e" holds the encrypted version of the UID and the CTR and "c" would hold the cmac value.

Description:

Lets say i would like to use the following URL as base "https://ntag.nxp.com/424"

What configuration settings would i need to do in the following two screens? (using default keys is sufficent for my problem at that point)

pastedImage_5.png

and here:

pastedImage_6.png

might there also be other screens where i would have to configure things to be able to achieve my goal?

jonathaniglesias

Thank you :smileyhappy:

17 Replies

15,842 Views
randhawp
Contributor I

Is there a document for TagXplorer that shows the meaning of the various error codes. I have 2 brand new NTAG 424DNA, what I go in to authenticate with default settings the following error comes up: Error: 91AE

0 Kudos
Reply

14,303 Views
genetakavic
Contributor I

Hi @Jonathan_Iglesias!

My 424 works just fine with my own web service using https:// protocol, but now I need to hand this link over to another service with a particular prefix (smth:// for example). It is on purpose that the protocol combobox does not offer an option for no prefix (0x00)? Am I able to do this somehow within the tool or do I need to modify the APDU command and send it my own way ? Thx for your time!

0 Kudos
Reply

16,374 Views
AMS1979
Contributor I

Sorry for all the questions.

Is there a way to reset the NDEF url after it has been set?  Any attempt to change the URL results it an error 6982.  I've gone through several of these tags and would like to reuse them.

Any guidance here is appreciated.

0 Kudos
Reply

14,654 Views
piejanssens
Contributor II

Have you figured out eventually how to get rid of that error 6982? I'm experiencing the same issue when trying to change the URL via the mirroring features setup.

0 Kudos
Reply

14,648 Views
randhawp
Contributor I

Try changing the access key (after authenticating) with OE key and then change the NDEF information.

0 Kudos
Reply

14,646 Views
piejanssens
Contributor II

What is the 'OE' key?

Access rights for Read, R/W, W, Change are all using key 00.

Key 00 is set to the all-zero key and I can authenticate with it.

 

 

0 Kudos
Reply

17,100 Views
Contributor
Contributor I

Dear jonathaniglesia, please give me a similar step by step instruction for generating a plain URI as in AN12196 4.4.1 that looks like this:

https://ntag.nxp.com/424?uid=04C767F2066180&ctr=000001&c=54A45B2C3A558765

I am completely lost with File settings  and Mirroring features that do not match

0 Kudos
Reply

17,147 Views
Jonathan_Iglesias
NXP TechSupport
NXP TechSupport

Hi Manuel Mertl,

Hope you are doing great, all of this steps are assuming that you have a new tag, for this please follow the next steps :

  1.  go to mirroring features
  2. NTAG 424 DNA
  3. select the protocol in this case is https://www.
  4. copy and paste this ntag.nxp.com/424?e=00000000000000000000000000000000&c=0000000000000000 in the URI data 
  5. then be sure that the offset values for e and c. as you can see the tool let you check it by putting the cursor in the part you want to know the offset value  in this case e offset is 1A0000 or 26d in decimal ( this tool use decimal values but for other cases please use hex) and for c the offset is 3D0000 = 61d.
  6. leave the offset for epastedImage_2.pngpastedImage_3.png
  7. then write the NDEFpastedImage_4.png
  8. then go an authenticate to card key number with default valuepastedImage_5.png
  9. go to get/change file settings
  10. please use the settings in the following images,  please try to follow the numbering because some things enable others, like the check box for SDM and mirroring enable the SDM access rights and then this enables the check box for uid and ctr.

pastedImage_6.pngpastedImage_7.png

pastedImage_8.png

I tested on my side this worked, let me know if you still have any issue or questions or if there is any error on your side.

Have a nice day !!

BR

Jonathan

17,147 Views
manuel_mertl
Contributor III

Hi, jonathaniglesias‌!

Thank you so much, works like a charm. I just had to adapt die values for the keys a little bit to get it working with my backend verification. So I ended up with the following configuration for the first test version:

pastedImage_1.png

14,325 Views
V-IRL
Contributor I

Hey @manuel_mertl  I know this conversation is a few years old but hopefully you catch this. I'm exploring how to properly encode and authenticate unique 424 tags for merchandise authentication and ticketing. Any chance you're free to share what you learned?

0 Kudos
Reply

17,147 Views
Jonathan_Iglesias
NXP TechSupport
NXP TechSupport

great :smileygrin:  glad that it worked.

let me know if  you have any questions in the future. 

Have a nice day !
BR

Jonathan

0 Kudos
Reply

14,326 Views
V-IRL
Contributor I

Hey Jonathan!

I'm also new to 424 chips. My company is looking to use them for authenticating goods and also to use the same chips for access control and ticketing. 

Here is some background:

I have 1000 tags ready to be embedded in some merchandise for our first collection but they need to be encoded for authentication. We're looking to have authentication services provided by NXP authentication if possible but I'm waiting to hear back from NXP on getting access to that software and service. 

We also need to pull the unique ID of each tag or some sort of identifier that we can integrate into our blockchain end for cross verification.

So our needs are : 1. unique ID that we can query for each tag 2. support in encoding the tags 3. authentication support on the backend for our web app and native app. 

Thank you!

0 Kudos
Reply

16,383 Views
AMS1979
Contributor I

Hey Team,

Ok something weird going on

Mu url structure is:

 

https://isdomaincom.io/path/1?e=00000000000000000000000000000000&c=00000000000000

 

SDM MAC Input Offset: 66
SDM MAC Offset: 66
PICC Data Offset: 31

I've tried your example again on an additional 2 tags(now uneditable due to error 6982) and now getting the following url structure when I read from the tag

 

https://isdomaincom.io/path7F1B47206C71DC76A7AE7382B1B668190009A1BD60A2EA60C6900000

 

I'm not sure what I'm doing differently from the first time I used the tags.  As these are fresh tags Is there some preliminary step I need to do?  Do I have to write an NDEF first and then conduct the NTAG Operations?  

0 Kudos
Reply

16,382 Views
AMS1979
Contributor I

ok, figured it out.

The application doesn't like sub paths "/1".  

have to add an additional 5 to the original calculated amount of 31, 66 respectively.  The 5 is the total amount of characters after the first path("/path" )

/1?e=

 

This was a tricky one.  Hope it helps some people out!  Cheers

0 Kudos
Reply

16,375 Views
AMS1979
Contributor I

Ok so although the path is correct the iPhone doesn't recognize the url stored.  With an NFC reading app the stored URL is padded with what seem to be bytes.  I don't think these chips like additional paths ("/") in the query strings.  The urls work fine with the example, but adding another folder to the path seem to break things.  I'm now all out of test chips.

0 Kudos
Reply

16,372 Views
AMS1979
Contributor I

Just tested on an Android Nokia phone and no issues.  This seems to be related to how apple iOS nft reads the tag.  I'll keep you posted.

Tested with iPhone 7, iPhone8 , (not reading)

 

0 Kudos
Reply

16,400 Views
AMS1979
Contributor I

Yes, this finally woked for me however your instructions seemed to have locked my test tag.  I am now getting Error 6982 for any command I try and run from TaxXplorer.  Is there any way around this?

 

What does this error code mean?

Thanks!

0 Kudos
Reply