0

Currently in my C# console application, I've implemented an NFC tag reader functionality by sending APDU commands using ModWinsCard. So far I can get a list of connected readers, connect to it, get the NFC tag's UID, and reading/writing NDEF message to the NFC tag.

Right now, I'm trying to check whether the NFC tag in question is a genuine tag made by NXP by validating the originality signature, as per this document: https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf (section 8.9).

However, while I have implemented the signature validation, I have yet to be able to get the signature from the NFC tag, since section 10.8 (READ_SIG) does not have any equivalent for APDU command.

Is there any APDU command I can use to send the READ_SIG command to the NFC tag and get the originality signature? The reader I'm currently using is ACS ACR1281U-C1, if it's any help.

protossscout
  • 46
  • 1
  • 3

2 Answers2

1

If you look Section 10.8 of the same doc the READ_SIG is just a standard low level command like READ or WRITE or FAST_READ, you just need to transceive the right byte array to the card and handle the byte array returned

I don't do c# and ModWinsCard but at a glance you need to SCardTransmit with byte SendBuff byte array of [3C,00] and receive back a 32 byte array.

I have done this in Java on Android easily.

Extra info as NTAG 21X cards are only Type 2 Cards they don't use APDU's

From the datasheet

NTAG213, NTAG215 and NTAG216 (from now on, generally called NTAG21x) are designed to fully comply to NFC Forum Type 2 Tag

The generic NFC docs for Type 2 Cards are available http://apps4android.org/nfc-specifications/

Only Type 4 cards use APDU commands

Update: May be this helps? https://stackoverflow.com/a/26069377/2373819

Seems You can "Pass Trough" The APDU level to send Native commands (In this case 0x1B is a Type 2 command, correct for Password Auth

Andrew
  • 8,198
  • 2
  • 15
  • 35
  • Thanks for your pointer. I tried to set the SendBuff byte array to [3C, 00], sendLength 2 and recvLength 32 to be sent with SCardTransmit. However, it returns the error code 31, which isn't documented in the ModWinsCard snippet I'm currently using for C# I also tried using the APDU tool provided by ACS to directly send the command (to my understanding, the reader in question translates APDU commands to Mifare specific commands), and turns out code 31 means "A device attached to the system is not functioning". I can still get the tag's UID just fine by sending `[FF CA 00 00 00]`. – protossscout Jan 31 '20 at 02:45
  • Seems you need to wrap the Type 2 commands in the right APDU command, added a link to another Answer that seems to do that – Andrew Jan 31 '20 at 10:30
  • This looks like the best bet to get the signature so far. I sent the following bytes: `[FF 00 00 00 04 D4 42 3C 00]`, which would conform to the specified READ_SIG command. While SCard_Status is SCARD_S_SUCCESS, the reader however return back bytes `[63 00]` indicating the operation has failed. The example for Java Android only transceives bytes `[3C 00]` so I don't know if I'm missing something in that command. – protossscout Jan 31 '20 at 15:25
  • I would try the `[D4,40]` command as well as the poster seem to written the password with that command, I've tried it in Java with transceive of `[3C,00]` and I got back the expected 32 bytes – Andrew Jan 31 '20 at 16:50
  • Tried `[D4,40]` with no luck either, still returning `[63,00]`. I also ran through the Java Android example, as well as NXP's TagInfo app to ensure the tags I have actually support READ_SIG, and sure enough Java returned the 32 bytes signature and verified it, while NXP TagInfo was able to verify the signature on scanning as well. – protossscout Feb 01 '20 at 05:53
0

Along with command i.e. 3C 00 you have to pass CRC of 2 bytes.

Adarsh Rotte
  • 634
  • 3
  • 8