NFC0541 read Mifare Classic 1K

Dear Brian,

Fwt : modified to rfalConvMsTo1fc(100) (N°1 below) and back to RFAL_NFCA_FDTMIN set to 16200 instead of 1620 (N°2 below).

Flags : used these flags that are not default flags :

    status = rfalTransceiveBlockingTxRx(&bufferTx[0],

lenTx, &bufferRx[0], lenRxMax, &lenRx, RFAL_TXRX_FLAGS_PAR_TX_AUTO

| RFAL_TXRX_FLAGS_CRC_TX_AUTO | RFAL_TXRX_FLAGS_CRC_RX_REMV | RFAL_TXRX_FLAGS_PAR_RX_KEEP,

rfalConvMsTo1fc(100));

    status = rfalTransceiveBlockingTxRx(&bufferTx[0],

lenTx, &bufferRx[0], lenRxMax, &lenRx, RFAL_TXRX_FLAGS_PAR_TX_AUTO

| RFAL_TXRX_FLAGS_CRC_TX_AUTO | RFAL_TXRX_FLAGS_CRC_RX_REMV | RFAL_TXRX_FLAGS_PAR_RX_KEEP,

RFAL_NFCA_FDTMIN);

In both cases, the log tells :

ERR_INCOMPLETE_BYTE                  =

40, /*!< Incomplete byte

rcvd        */

The reason why I set the flag to RFAL_TXRX_FLAGS_CRC_RX_REMV

is that the former Log was    ERR_CRC                              =

21, /*!< crc error */

I already mentioned this log and you said in your former post that this

error refered to Rx, not Tx, so I tried to sort this out this way.

The situation now seems to be :

When the RX CRC is being kept : error since it is a wrong CRC

When the RX CRC is being removed (REMV) : error since byte is incomplete.

Any thought?

Thanks in advance

Best regards,

Olivier

Hi Olivier,

ERR_INCOMPLETE_BYTE does only mean that the data was not coming in 8-bit chunks and that the last byte which the user gets in his buffer contains less than 8 bits from RF. If you keep the parity then you will get one more bit per byte. It is natural to get incomplete bytes.

If you really want to support these tags then you need to read information about these tags and you will understand the reason for receiving with CRC and parity and in a further step you need also to move into sending user-defined parity and CRC.

Please keep in mind even though this protocol is broken and not highly secure it is not simple to support like apply an XOR-operation on some received bytes.

Regards, Ulysses

Hi Ulysses,

The card sends a card nonce to the reader.

Then, the reader sends a message, including, as you suggested :

User-defined parity :

This what is being sent:

Since there is a parity bit for every byte of data, the Tx looks like this : AA 80 BB 00 ....

So basically the tag receives 80 (10000000) or 00 (00000000) and only reads the first bit which is the parity bit of the former sent byte.

All in all, there are 8 bytes content + 8 bytes parity = 16 bytes ... plus the CRC :

user-defined CRC

then to this 16 bytes, 2 more bytes are being added.

CRC, calculated on the 8 bytes content only, (parity bytes are excluded from the calculation).

    status = rfalTransceiveBlockingTxRx(&tobesentTx[0], lentobesentTx, &bufferRx[0], lenRxMax, &lenRx, RFAL_TXRX_FLAGS_PAR_TX_NONE | RFAL_TXRX_FLAGS_CRC_TX_MANUAL | RFAL_TXRX_FLAGS_CRC_RX_KEEP | RFAL_TXRX_FLAGS_PAR_RX_KEEP , rfalConvMsTo1fc(100));

Error message is

  ERR_BUSY               = 2 (several times)

then

  ERR_TIMEOUT              = 4

You said "timeout just means no response from the card. Absolutely normal if the card did not understand the reader request"

Any clue about why the reader request can't be understood ?

Many thanks in advance,

Olivier Bontron

Hi Olivier,

yes, you need to pack the bits into an 8 byte stream. Unless it is completely well-formed with proper parity and CRC the card won't respond. Also the CRC bytes again will have a parity.

Regards, Ulysses.

Hi,

giving you a template for this.

Say you want to send a2 0f 00 00 00 00 (T2T write page 15 with 00 00 00 00).

with CRC the frame is: a2 0f 00 00 00 00 db d5 (8bytes). Adding one bit per byte makes this 9 bytes and with some shifting: a2 1e 02 04 08 10 e0 f6 6a. If you transfer these 9 bytes with CRC_TX_MANUAL and PAR_TX_NONE you will get exactly the same RF frame as with the chip automatics and it will write 00 00 00 00.

Of course if you want to transfer 4 bytes (including CRC) you will need to send in the end 36 bits ( 4bytes + 4 bits) in raw mode.

Regards, Ulysses

Hi Olivier,

raw mode for sending: RFAL_TXRX_FLAGS_PAR_TX_NONE | RFAL_TXRX_FLAGS_CRC_TX_MANUAL

raw mode for receiving: RFAL_TXRX_FLAGS_CRC_RX_KEEP | RFAL_TXRX_FLAGS_PAR_RX_KEEP

In your example it would be 90 bits as CRC is two bytes. However please carefully check the CRC and parity requirements for the frames. The DS indicates authentication frames are performed without CRC but probably with parity.

Regards, Ulysses

Hi Olivier,

the convenience functions rfalTransceiveBlockingTxRx() always assume a byte oriented interface. In the end you need to move to rfalStartTransceive(), rfalGetTransceiveStatus(), rfalWorker() usage to get the actual number of received bits.

This does not really explain the lenRx=0. Even in the case of a 4-bit ACK/NAK it should indicate a length of 1 byte. Alternatively I could imagine an overwrite of the buffer on the stack?! bufferRx[0] == Status == 9, ... maybe the lenRxMax=16 bytes does not match the allocated buffer.

Regards, Ulysses

Hi Olivier,

this now sounds more low-level. You shouldn't be hitting this timeout.

Please try the method in https://community.st.com/s/question/0D50X0000AlgXJWSQ2/st25tb-tag-not-recognized-by-xnucleonfc05a1-but-recognized-by-st25r3911bdisco.

If it does not help, then please provide logic analyzer traces of this issue.

Regards, Ulysses

Hi Ulysses,

Thanks, it sure makes a change.

Now status i 40 and LenRx is 1.

I'll dig a bit more and come back to you with the logs I get.

Regards,

Olivier