- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Home
- :
- Identification and Security
- :
- NFC
- :
- Mutual authentication error (ICODE DNA)
Mutual authentication error (ICODE DNA)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Mutual authentication error (ICODE DNA)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We have a problem when we try to send a mutual authentication with Inlays ICODE DNA.
We did the key initialization as mentioned in the doc : -
- Inventory Request (works well)
- Check that Byte1 == 0x81 in Global Crypto Header (works well)
- Check that Key Header is not active and is writable (works well)
- Write Key0 (works well)
- Verify good writing (works well)
- Write KEY0 privileges (0x00)
- Active & locked Key header (works well: read 0xE7)
- Update Global Crypto Header : active & locked (works well: read 0xE7)
- We try to send MAM1 command and we have the following reply ( Error detected and Unknown error ) : 01h 0Fh and 2 bytes of the CRC
What is the problem in the process ? Is there a missing step ?
Could you help us ?
Thanks
Regards,
S.L
ukcas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Rasool,
There shall be no dependency on response time. Please provide command exchange payloads so we can take more deeper look.
Thank you,
Uros
ukcas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Gireesh,
There is no timing "limitation" for responses on MAM1 or MAM2. You can allow min time as per my previous post.
Best regards,
Uros
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am at the same situation right now. After valid MAM1 response from the tag, I have used the website provided in the AN11808 document to compute the MAM2 message and sent to the tag. I can see the data sent on the scope which is correct. But there is no response from the tag. Anything to do with the delay in sending the MAM2 message after valid MAM1 response from tag?
ukcas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Gireesh,
Your numericals are ok. Authenticate command takes approx. 8,5ms, AES calculation on the Tag takes 4ms, length of the Tag´s response shall be 7ms, then you can expect a valid answer.
Do you have any chance to capture the RF on oscilloscope?
Best regards,
Uros
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am only interested to know if there is any timeout applied to the authentication commands like, after MAM1 is sent out and responded by the tag, if MAM2 is not received within xx seconds, or if MAM2 is received after xx seconds, the authentication is aborted. Otherwise, I am just polling for the tag response and I allowing plenty of time for tag to respond.
We don't have facility to capture RF signal, I am working on that to see if we can get one shortly.
ukcas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Sebastien,
Yes like you stated, you have to do a decrypt before.
DECRYPT (the tag can only do ENCRYPT): 59 F3 B5 DC C2 1F 77 FA 31 8E 67 E7 19 67 DD 99
Please note (important):
ISO15693 as air interface, is defined as LSB first, but crypto suite is defined as MSB first in our case.
Hopefully it works now for you.
br,
Uros
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried decryption as well, but still got unknown error response...
Here is what I am doing
Key: 1A 31 06 F0 D9 BA 90 E3 4F 29 E3 3B C0 FF 77 DB
Challenge: 00 00 00 00 00 00 00 00 00 00
Response from tag:
A7 55 07 B3 45 F4 89 5D 08 19 F8 CB DF 5B BD E5 1C 2D 5F 7A A5 FB 98
Swapped response: (excluding baker filed)
98 FB A5 7A 5F 2D 1C E5 BD 5B DF CB F8 19 08 5D 89 F4 45 B3 07 55
Decrypted firts 16 bytes of swapped response
DA 83 F0 74 FF 87 00 00 00 00 00 00 00 00 00 00
MAM2
DA 80 00 00 00 00 89 F4 45 B3 07 55 F0 74 FF 87
Decrypted MAM2
70 50 FC D4 6C 6A F3 09 56 11 65 3B 91 96 21 6A
Swapped response
00 06 6A 21 96 91 3B 65 11 56 09 F3 6A 6C D4 FC 50 70
Response from tag:
0F
Is there are any prerequisite to mutual authentication that Ia m missing here ?
I have
Config header = 81
Global crypto header = C1
Crypto configuration header = 81
Key header = C3
Key privileges = 00
is there any timing restriction like the tag is expecting response with in certain time window ?
ukcas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Sebastien,
Please kindly excuse for the delay. I accidentially replied to wrong topic. Hopefully you solved the issue.
I would suggest you to use some of our available SW tools. I would highly suggest NxpReaderLib available on DocStore under MIFARE SW directory, to be used with CM1 reader or Pegoda 701 (if you have it). It has a very nice Mutual Authentication example. It does all calculation for you.
Also we offer in NFC reader library - which is applicable for our reader development boards - an example to perform mutual authentication on ISO15693 protocol.
Recommendations:
- Did you try with ISO15693 selected mode? Just to minimize the command payload to be sent and faults it may have
- Try in the step: “Concatenate TChallenge_MAM1[79:32] and TChallenge_MAM1[31:0] : 8D 43 72 9A C3 0F 5A B0 BC AB“ to concatenate - IChallenge_MAM1[31:0] and TChallenge_MAM1[79:0] before encryption and sending back to the Tag
Best regards,
Uros
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found the problem
When you send the MAM1 message , you have to decrypt the message before to send MAM2. That's ok
But before sending the MAM2 message , instead of encrypt the message , you have to decrypt it again ... logical :smileysad:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am also at same point as you, I tried many things but no success. Trying to contact NXP support in all possible ways, but never heard back from anybody.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thanks for your reply.
After posting the first message , I refer to the example in AN11808 and it’s better for MAM1
In fact , it was the order bit of the MAM1 message , more precisely an inversion between AuthMethod , Step, and MAM1_RFU
Now I have a valid response for MAM1 Response , so I tried to send the second parts of mutual authentication , and I have an error , always the same message 0x01 0x0F L
I will explain more :
My key : FFEEDDCCBBAA99887766554433221100
My IChallenge_MAM1 : 00000000000000000000
I receive the following MAM1 response from the tag : 04 47 0F C3 9A 72 43 8D EC 40 08 18 95 65 27 DA F2 75 F8 08 48 6B 0A 59
- remove the TChallenge_MAM1 [79:32] and swap it ( MSByte first) : 8D 43 72 9A C3 0F
- swap the AES encrypted Message : 59 0A 6B 48 08 F8 75 F2 DA 27 65 95 18 08 40 EC
- Result of decrypt : DA83 5AB0BCAB 00000000000000000000 ( I have the same result with AES Calculator: http://extranet.cryptomathic.com/aescalc/index )
- C_MAM1 has to be “DA 83”
- IChallenge_MAM1 same as the sent version
- TChallenge_MAM1[31:0] = 5A B0 BC AB
- Concatenate TChallenge_MAM1[79:32] and TChallenge_MAM1[31:0] : 8D 43 72 9A C3 0F 5A B0 BC AB
- Build MAM2 Message :
- DA 80 00 00 00 00 8D 43 72 9A C3 0F 5A B0 BC AB
- Encrypt this part, result : 34 7E 7A BD 7B 9F 45 ED 3C 5A 16 24 76 AF 69 4B (same result with AES Calculator: http://extranet.cryptomathic.com/aescalc/index )
- Swap it : 4B 69 AF 76 24 16 5A 3C ED 45 9F 7B BD 7A 7E 34
- Finally , I send the following Message : 22 35 UID 00 06 4B 69 AF 76 24 16 5A 3C ED 45 9F 7B BD 7A 7E 34 and CRC
- But I have an error message 0x01 0x0F
What did I do wrong ?
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
may be check the Key0 byte order, it expects MSByte first. Other fields to look for is
Authentication method, step number and Key ID, again byte order of all these fields. Refer to the example in AN11808.
IvanRuiz
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Which document did you refer to?
Regards,
Ivan.
