FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unable to write Password for AREA1 on a fresh ST25TV02KC Tag using RFAL

Go to solution
itanuj_KI
Associate II

‎2025-05-29 6:12 AM - edited ‎2025-05-29 6:17 AM

Hello ST Community,
 
I am encountering a persistent issue while attempting to program a new password for the user memory in AREA1 of an ST25TVxxXC NFC tag using an ST25R200 reader and the RFAL library.
 
I have followed below procedures for setting the password:
  1. Get a 2-byte Random Number from the tag using rfalST25xVPollerGetRandomNumber() api.
  2. XOR the desired 64-bit password with the obtained Random Number, as per table 30 of ST25TV02KC datasheet
  3. Use the PresentPassword command to enter secure session mode with default password {0,0,0,0,0,0,0,0} using rfalST25xVPollerPresentPassword() api.
  4. Use the WritePassword command to set the new password using rfalST25xVPollerWritePassword() api.
I have written a local function to perform XOR operation and confirmed that the XORed output matches as per below table of ST25TV02KC datasheet:
64-bit_password_data.png

 

Below is the code snippet for the same:
platformLog("\r\nUSE CASE : Writing password.\r\n");

uint8_t  rnd_num[ 1 + 2 + RFAL_CRC_LEN ]; /* Response Flags + RND_NUMBER(2) + CRC */

/* Read UTC_EN from System Configuration Register @(FID=02h, PID=00h) */
err = rfalST25xVPollerGetRandomNumber(reqFlag, uid, rnd_num, sizeof(rnd_num), &rcvLen);
platformLog("Received Random Number : %s %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (err != RFAL_ERR_NONE) ? "" : hex2Str( &rnd_num[1], rcvLen - 1));

uint8_t default_pwd[8] = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}; //64-Bit password
uint8_t pwd[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}; //64-Bit password
uint8_t coded_pwd[8];

uint16_t xor_val = (rnd_num[1] <<  | rnd_num[2];

/* 2.Make the password and Random Number XOR. */
get_xored_pwd(pwd, PWD_64_BIT, xor_val, coded_pwd);

platformLog("Raw Password : %s %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (err != RFAL_ERR_NONE) ? "" : hex2Str( &pwd[0], 8));
platformLog("Coded Password : %s %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (err != RFAL_ERR_NONE) ? "" : hex2Str( &coded_pwd[0], 8));

/* 3.Use the Present Password function to enter secure session mode. */
err =  rfalST25xVPollerPresentPassword( reqFlag, uid, 0x01, default_pwd, 8);
platformLog("Opening Secured Session : %s (Error Code: %d)\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", err);

/* 4.Start writing the password that you want */
err =  rfalST25xVPollerWritePassword( reqFlag, uid, 0x01, coded_pwd, 8);
platformLog("Writing Password : %s (Error Code: %d) %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", err, (err != RFAL_ERR_NONE) ? "" : hex2Str( &coded_pwd[0], 8));
However, I am unable to successfully enter the secure session using present password api, consistently receiving RFAL_ERR_REQUEST (invalid request or requested function can't be executed at the moment).
 
Below is the debug prints on Tera Term terminal:
debug_prints.png

 

 
 
 
 
 
 
 
 
 
Any guidance, insights into common pitfalls, or suggestions for further debugging would be greatly appreciated.
 
Thank you for your time and assistance.
 
Regards,
Tanuj
0 Kudos
This discussion is locked. Please start a new topic to ask your question.
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
Brian TIDAL
ST Employee

‎2025-05-30 5:58 AM

Hi Tanuj,

in case of PWD_A1, pwdLengthInBytes should be 8 not 4 (this is 4 in case of PWD_CFG) and line 17 should be replaced by:

	for (uint8_t i = 0; i < pwdLengthInBytes; i++)

Rgds

BT

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

View solution in original post

6 REPLIES 6
Go to solution
Brian TIDAL
ST Employee

‎2025-05-29 1:37 PM

 

 

Hi

Line 13 seems erroneous.

Line 22: clear password cannot be used to open the security session.

Please see the following code example for presenting password:

ReturnCode ST25TAGS_TVC_OpenSecuritySession(const uint8_t * uid, ST25TAG_TVC_SecuritySession_t sessionType,
        const uint8_t * pPassword)
{
    uint8_t     pwdNumber;
    uint8_t     pwdLengthInBytes = 4;
    ReturnCode  errCode;
    uint8_t     rxBuf[ 1 + 2 + 2 ];    /* Flags + Random Number Data + CRC */;
    uint16_t    rcvLen;
    uint8_t     updatedPassword[8];

    switch (sessionType)
    {
        case CONFIGURATION_SECURITY_SESSION:
            pwdNumber = 0;
            break;
        case USER_AREA1_SECURITY_SESSION:
            pwdNumber = 1;
            break;
        case USER_AREA2_SECURITY_SESSION:
            pwdNumber = 2;
            break;
        case SINGLE_USER_AREA_SECURITY_SESSION:
            pwdLengthInBytes = 8;
            pwdNumber = 1;
            break;
        case UNTRACEABLE_SECURITY_SESSION:
            pwdNumber = 3;
            break;
        default:
            return RFAL_ERR_PARAM;
    }

    // Encrypt password
    // 1. Get Random Number
    errCode = rfalST25xVPollerGetRandomNumber( ST25TAGS_TVC_REQ_FLAG, uid, rxBuf, sizeof(rxBuf), &rcvLen );

    if ( errCode == RFAL_ERR_NONE )
    {
        // 2. XOR random number with given password located in rxBuf[1] and rxBuf[2]
        for (uint8_t i = 0; i < (pwdLengthInBytes * 2); i++)
        {
            updatedPassword[i] = pPassword[i] ^ rxBuf[2 - (i + 1) % 2];
        }

        // Present password
        errCode = rfalST25xVPollerPresentPassword( ST25TAGS_TVC_REQ_FLAG, uid,
                pwdNumber, updatedPassword, pwdLengthInBytes);
    }

    // Same ReturnCode definitions used in st_errno.h of RFAL
    return errCode;
}

Rgds

BT

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
0 Kudos
Go to solution
itanuj_KI
Associate II
In response to Brian TIDAL

‎2025-05-30 3:07 AM

Hello Brian,

Thank you for the help.

 

Line 22: clear password cannot be used to open the security session.

I didn't get you, what are you trying to convey? I haven't used any clear password api in the shared code snippet. Could you help me understand?

 

ReturnCode ST25TAGS_TVC_OpenSecuritySession(const uint8_t * uid, ST25TAG_TVC_SecuritySession_t sessionType,
        const uint8_t * pPassword)

I have created a sample application using the X-CUBE-NFC10 package, but I do not see the above function.
However, I have reviewed its implementation and incorporated it into my application, but this did not work either.

Below is the code snippet:

	uint8_t     pwdNumber;
	uint8_t     pwdLengthInBytes = 4;
	ReturnCode  errCode;
	uint8_t     rxBuf[ 1 + 2 + 2 ];    /* Flags + Random Number Data + CRC */;
	uint16_t    rcvLen;
	uint8_t     updatedPassword[8];
	uint8_t     pPassword[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};	//64-Bit password

	// 1. Get Random Number
	errCode = rfalST25xVPollerGetRandomNumber( RFAL_NFCV_REQ_FLAG_DEFAULT, uid, rxBuf, sizeof(rxBuf), &rcvLen );
	platformLog("Received Random Number : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &rxBuf[1], rcvLen - 1));

	pwdNumber = 1;	// USER_AREA1_SECURITY_SESSION:

	// 2. XOR random number with given password located in rxBuf[1] and rxBuf[2]
	for (uint8_t i = 0; i < (pwdLengthInBytes * 2); i++)
	{
		updatedPassword[i] = pPassword[i] ^ rxBuf[2 - (i + 1) % 2];
	}

	platformLog("Raw Password : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &pPassword[0], 8));
	platformLog("Updated Password : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &updatedPassword[0], 8));

	// Present password
	errCode = rfalST25xVPollerPresentPassword( RFAL_NFCV_REQ_FLAG_DEFAULT, uid, pwdNumber, updatedPassword, pwdLengthInBytes);
	platformLog("Opening Secured Session : %s (Error Code: %d)\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", errCode);

and below is the debug prints captured on tera term terminal:

debug_prints_2.png

 

 

 

 

 

Please let me know if i missed anything.

I would like to confirm my understanding: In order to set a new password for AREA1 on a fresh tag, we must first open the USER_AREA1_SECURITY_SESSION using the default password, after which the new password can be written.

Regards,

Tanuj

 

0 Kudos
Go to solution
Brian TIDAL
ST Employee
In response to itanuj_KI

‎2025-05-30 5:24 AM

Hi Tanuj,

if a "fresh ST25TV02KC" is being used, the password factory value is 0000000000000000 and likely not 1122334455667788. See Table 19 in ST25TV02KC datasheet for the factory value. Presenting a 1122334455667788 XOR'ed password instead of a 0000000000000000 XOR'ed password will not work. Presenting a non-XOR'ed password (as in line 22 of your initial code snipped: default_pwd is a non-XOR'ed password) will not work as well.

See also section 5.1.2 Password management and table 26 regarding the update of PWD_A1.

Just XOR the factory password and present the XOR'ed value.

Rgds

BT

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
0 Kudos
Go to solution
itanuj_KI
Associate II
In response to Brian TIDAL

‎2025-05-30 5:43 AM

Hello Brian,

My apologies, as I missed mentioning that I tried the same with the modification below, but the issue remains the same:

	uint8_t     pwdNumber;
	uint8_t     pwdLengthInBytes = 4;
	ReturnCode  errCode;
	uint8_t     rxBuf[ 1 + 2 + 2 ];    /* Flags + Random Number Data + CRC */;
	uint16_t    rcvLen;
	uint8_t     updatedPassword[8];
	//uint8_t     pPassword[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};	//64-Bit password
	uint8_t     pPassword[8] = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0};	//64-Bit password

	// 1. Get Random Number
	errCode = rfalST25xVPollerGetRandomNumber( RFAL_NFCV_REQ_FLAG_DEFAULT, uid, rxBuf, sizeof(rxBuf), &rcvLen );
	platformLog("Received Random Number : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &rxBuf[1], rcvLen - 1));

	pwdNumber = 1;	// USER_AREA1_SECURITY_SESSION:

	// 2. XOR random number with given password located in rxBuf[1] and rxBuf[2]
	for (uint8_t i = 0; i < (pwdLengthInBytes * 2); i++)
	{
		updatedPassword[i] = pPassword[i] ^ rxBuf[2 - (i + 1) % 2];
	}

	platformLog("Raw Password : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &pPassword[0], 8));
	platformLog("Updated Password : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &updatedPassword[0], 8));

	// Present password
	errCode = rfalST25xVPollerPresentPassword( RFAL_NFCV_REQ_FLAG_DEFAULT, uid, pwdNumber, updatedPassword, pwdLengthInBytes);
	platformLog("Opening Secured Session : %s (Error Code: %d)\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", errCode);

Debug prints on tera term output:
debug_prints_3.png

 

 

 

 

Are there any other prerequisites that I am missing?

Regards,

Tanuj

0 Kudos
Go to solution
Brian TIDAL
ST Employee

‎2025-05-30 5:58 AM

Hi Tanuj,

in case of PWD_A1, pwdLengthInBytes should be 8 not 4 (this is 4 in case of PWD_CFG) and line 17 should be replaced by:

	for (uint8_t i = 0; i < pwdLengthInBytes; i++)

Rgds

BT

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
Go to solution
itanuj_KI
Associate II

‎2025-06-05 2:59 AM

Hello Brian,

Apologies for the delayed response. Thanks for the fix—it worked.

I am now able to set and modify the password.

Regards,

Tanuj

 

 

0 Kudos
Top