- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- Neural Processing UnitsNeural Processing Units
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
- Neural Processing Units
-
- NXP Tech Blogs
- Home
- :
- RFID / NFC
- :
- NFC
- :
- NTAG 5 Link AUTHENTICATE command only errors 0F
NTAG 5 Link AUTHENTICATE command only errors 0F
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
NTAG 5 Link AUTHENTICATE command only errors 0F
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sort of pulling my hair out here. I cannot get the chip to perform a TAM1 or MAM1 cryptographic command. It will only respond with an 0F error. Here is the configuration of my test chip (yes I've tried multiple different chips).
Device Security Configuration (Block 0x3F)
- DEV_SEC_CONFIG: 0xA2 — AES mode enabled, writable
Global Crypto Header (Block 0x0C, Byte 1)
- NFC_GCH: 0xC1 — Access Right Activated
Crypto Config Header (Block 0x0D, Byte 1)
- NFC_CCH: 0xE7 — Active/Locked
Authentication Limit (Block 0x0E)
- NFC_AUTH_LIMIT: 0 — Unlimited attempts
Key Headers (NFC_KHx)
- KEY0 (0x10): 0xE7 — Active/Locked
- KEY1 (0x12): 0xE7 — Active/Locked
- KEY2 (0x14): 0xE7 — Active/Locked
- KEY3 (0x16): 0xE7 — Active/Locked
Key Privileges (NFC_KPx)
- KEY0 (0x11): 0xFF — All privileges (AREA1_Write, AREA1_Read, CryptoConfig, EAS/AFI, Destroy, Privacy, Write, Read)
- KEY1 (0x13): 0x00 — None
- KEY2 (0x15): 0x00 — None
- KEY3 (0x17): 0x00 — None
Key Storage Blocks
- All key storage blocks (0x20–0x2F) are protected and unreadable
Here is the command I'm sending;
The message portion (bytes 12–23) is 12 bytes = 96 bits, as required by the specification.
The response from the chip is always 01 (flags) 0F (error).
What the heck am I doing wrong here?
EduardoZamora
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @F938FAFFA317AB,
Hope you are doing well.
Based on GET NXP SYSTEM INFO response, I can see that your NTAG 5 Link variant is AES capable.
By any chance, is your Reader adding the proper CRC16 to the Authentication command frame?
This may be a basic question; did you provide a valid AES Key before locking the Key being used? Are you able to authenticate with a different KeyID?
Regards,
Eduardo.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eduardo,
Thank you for your reply.
> By any chance, is your Reader adding the proper CRC16 to the Authentication command frame?
Yes I am primarily using an ACR1552U, however I have tested using an HID OmniKey 5022CL as well as an Android 14 application sending the same commands and getting the same 0F error response.
> did you provide a valid AES Key before locking the Key being used? Are you able to authenticate with a different KeyID?
Yes, for ease of testing, key0 is set to all AA bytes, key1 is set to all BB bytes, etc. I first set the operational mode to AES because if you attempt to write keys prior to this, only key0 and part of key1 will retain the data. After writing keys, reading them back, power cycling the chip (removing and placing back on the reader), and reading again, only then did I activate each key. I have tried to send MAM1 and TAM1 via AUTHENTICATE (35h) and specified all keys (00, 01, 02, 03) and all attempts return the same 0F error response. Furthermore, I have tried TAM1 via unaddressed mode CHALLENGE with 250ms delay and READBUFFER and the data returned appears random and does not decrypt to the correct response.
I am at a loss. I have used multiple NTAG 5 link chips embedded in our product, and even chips on test boards - NTP5332 NFC Tag Click board™ | NTAG 5 Link Click
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A little more progress... I have switched to using the HID OmniKey 5022 CL reader since transparent transceive commands are a little more straightforward using it. I was able to use the AUTHENTICATE command to send a TAM1 challenge and receive a response. The MAM1 still returns error 0F however.
Sadly MAM1 still fails with 0F response.
Response:
0000010F9000
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For more information, here is the response to NXP GET SYSTEM INFO (0xAB);
Command sent: 02 AB 04 (flags, command, manufacturer code)
Response received: 00 00 20 00 FF F1 07 64
Byte 0 (0x00) — Response Flags
Success, no error.
Byte 1 (0x00) — Protection Pointer Address
Block address 0x00 (protection starts at block 0).
Byte 2 (0x20) — Protection Pointer Condition
- Bit 5 (WH) = 1: Page 0-H IS write protected
- Bit 4 (RH) = 0: Page 0-H is NOT read protected
- Bit 1 (WL) = 0: Page 0-L is NOT write protected
- Bit 0 (RL) = 0: Page 0-L is NOT read protected
Byte 3 (0x00) — Lock Bits
All features unlocked (PP area, DSFID, EAS, AFI all modifiable).
---
Bytes 4-7 — Feature Flags
Byte 4 (0xFF) — Features Set 0:
- Customer ID (CID) — Supported
- EAS IR (extended inventory) — Supported
- Inventory Read Extended Mode — Supported
- AFI Protection — Supported
- EAS Protection — Supported
- EAS ID — Supported
- NFC Counter — Supported
- User Memory Protection — Supported
Byte 5 (0xF1) — Features Set 1:
- High Bitrates — Supported
- Write CID — Supported
- DESTROY Feature — Supported
- NFC Privacy Mode — Supported
- Persistent Quiet — Not supported
- Originality Signature — Supported
Byte 6 (0x07) — Features Set 2:
- Key Privileges — Supported
- Mutual Authentication (MAM) — Supported
- Tag Authentication (TAM) — Supported
Byte 7 (0x64) — Features Set 3:
- Extended Flags — None
- Interface — GPIO and I2C (11b)
- Number of Keys — 4
