Skip to main content
I
itanuj_KI
Associate II
May 29, 2025
Solved

Unable to write Password for AREA1 on a fresh ST25TV02KC Tag using RFAL

  • May 29, 2025
  • 3 replies
  • 705 views
Hello ST Community,
 
I am encountering a persistent issue while attempting to program a new password for the user memory in AREA1 of an ST25TVxxXC NFC tag using an ST25R200 reader and the RFAL library.
 
I have followed below procedures for setting the password:
  1. Get a 2-byte Random Number from the tag using rfalST25xVPollerGetRandomNumber() api.
  2. XOR the desired 64-bit password with the obtained Random Number, as per table 30 of ST25TV02KC datasheet
  3. Use the PresentPassword command to enter secure session mode with default password {0,0,0,0,0,0,0,0} using rfalST25xVPollerPresentPassword() api.
  4. Use the WritePassword command to set the new password using rfalST25xVPollerWritePassword() api.
I have written a local function to perform XOR operation and confirmed that the XORed output matches as per below table of ST25TV02KC datasheet:
64-bit_password_data.png

 

Below is the code snippet for the same:
platformLog("\r\nUSE CASE : Writing password.\r\n");

uint8_t rnd_num[ 1 + 2 + RFAL_CRC_LEN ]; /* Response Flags + RND_NUMBER(2) + CRC */

/* Read UTC_EN from System Configuration Register @(FID=02h, PID=00h) */
err = rfalST25xVPollerGetRandomNumber(reqFlag, uid, rnd_num, sizeof(rnd_num), &rcvLen);
platformLog("Received Random Number : %s %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (err != RFAL_ERR_NONE) ? "" : hex2Str( &rnd_num[1], rcvLen - 1));

uint8_t default_pwd[8] = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}; //64-Bit password
uint8_t pwd[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}; //64-Bit password
uint8_t coded_pwd[8];

uint16_t xor_val = (rnd_num[1] << | rnd_num[2];

/* 2.Make the password and Random Number XOR. */
get_xored_pwd(pwd, PWD_64_BIT, xor_val, coded_pwd);

platformLog("Raw Password : %s %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (err != RFAL_ERR_NONE) ? "" : hex2Str( &pwd[0], 8));
platformLog("Coded Password : %s %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (err != RFAL_ERR_NONE) ? "" : hex2Str( &coded_pwd[0], 8));

/* 3.Use the Present Password function to enter secure session mode. */
err = rfalST25xVPollerPresentPassword( reqFlag, uid, 0x01, default_pwd, 8);
platformLog("Opening Secured Session : %s (Error Code: %d)\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", err);

/* 4.Start writing the password that you want */
err = rfalST25xVPollerWritePassword( reqFlag, uid, 0x01, coded_pwd, 8);
platformLog("Writing Password : %s (Error Code: %d) %s\r\n", (err != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", err, (err != RFAL_ERR_NONE) ? "" : hex2Str( &coded_pwd[0], 8));
However, I am unable to successfully enter the secure session using present password api, consistently receiving RFAL_ERR_REQUEST (invalid request or requested function can't be executed at the moment).
 
Below is the debug prints on Tera Term terminal:
debug_prints.png

 

 
 
 
 
 
 
 
 
 
Any guidance, insights into common pitfalls, or suggestions for further debugging would be greatly appreciated.
 
Thank you for your time and assistance.
 
Regards,
Tanuj
This topic has been closed for replies.
Best answer by Brian TIDAL

Hi Tanuj,

in case of PWD_A1, pwdLengthInBytes should be 8 not 4 (this is 4 in case of PWD_CFG) and line 17 should be replaced by:

	for (uint8_t i = 0; i < pwdLengthInBytes; i++)

Rgds

BT

3 replies

Brian TIDAL
Brian TIDAL
Technical Moderator
May 29, 2025

 

 

Hi

Line 13 seems erroneous.

Line 22: clear password cannot be used to open the security session.

Please see the following code example for presenting password:

ReturnCode ST25TAGS_TVC_OpenSecuritySession(const uint8_t * uid, ST25TAG_TVC_SecuritySession_t sessionType,
 const uint8_t * pPassword)
{
 uint8_t pwdNumber;
 uint8_t pwdLengthInBytes = 4;
 ReturnCode errCode;
 uint8_t rxBuf[ 1 + 2 + 2 ]; /* Flags + Random Number Data + CRC */;
 uint16_t rcvLen;
 uint8_t updatedPassword[8];

 switch (sessionType)
 {
 case CONFIGURATION_SECURITY_SESSION:
 pwdNumber = 0;
 break;
 case USER_AREA1_SECURITY_SESSION:
 pwdNumber = 1;
 break;
 case USER_AREA2_SECURITY_SESSION:
 pwdNumber = 2;
 break;
 case SINGLE_USER_AREA_SECURITY_SESSION:
 pwdLengthInBytes = 8;
 pwdNumber = 1;
 break;
 case UNTRACEABLE_SECURITY_SESSION:
 pwdNumber = 3;
 break;
 default:
 return RFAL_ERR_PARAM;
 }

 // Encrypt password
 // 1. Get Random Number
 errCode = rfalST25xVPollerGetRandomNumber( ST25TAGS_TVC_REQ_FLAG, uid, rxBuf, sizeof(rxBuf), &rcvLen );

 if ( errCode == RFAL_ERR_NONE )
 {
 // 2. XOR random number with given password located in rxBuf[1] and rxBuf[2]
 for (uint8_t i = 0; i < (pwdLengthInBytes * 2); i++)
 {
 updatedPassword[i] = pPassword[i] ^ rxBuf[2 - (i + 1) % 2];
 }

 // Present password
 errCode = rfalST25xVPollerPresentPassword( ST25TAGS_TVC_REQ_FLAG, uid,
 pwdNumber, updatedPassword, pwdLengthInBytes);
 }

 // Same ReturnCode definitions used in st_errno.h of RFAL
 return errCode;
}

Rgds

BT

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
I
itanuj_KIAuthor
Associate II
May 30, 2025

Hello Brian,

Thank you for the help.

 

Line 22: clear password cannot be used to open the security session.

I didn't get you, what are you trying to convey? I haven't used any clear password api in the shared code snippet. Could you help me understand?

 

ReturnCode ST25TAGS_TVC_OpenSecuritySession(const uint8_t * uid, ST25TAG_TVC_SecuritySession_t sessionType,
 const uint8_t * pPassword)

I have created a sample application using the X-CUBE-NFC10 package, but I do not see the above function.
However, I have reviewed its implementation and incorporated it into my application, but this did not work either.

Below is the code snippet:

	uint8_t pwdNumber;
	uint8_t pwdLengthInBytes = 4;
	ReturnCode errCode;
	uint8_t rxBuf[ 1 + 2 + 2 ]; /* Flags + Random Number Data + CRC */;
	uint16_t rcvLen;
	uint8_t updatedPassword[8];
	uint8_t pPassword[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};	//64-Bit password

	// 1. Get Random Number
	errCode = rfalST25xVPollerGetRandomNumber( RFAL_NFCV_REQ_FLAG_DEFAULT, uid, rxBuf, sizeof(rxBuf), &rcvLen );
	platformLog("Received Random Number : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &rxBuf[1], rcvLen - 1));

	pwdNumber = 1;	// USER_AREA1_SECURITY_SESSION:

	// 2. XOR random number with given password located in rxBuf[1] and rxBuf[2]
	for (uint8_t i = 0; i < (pwdLengthInBytes * 2); i++)
	{
		updatedPassword[i] = pPassword[i] ^ rxBuf[2 - (i + 1) % 2];
	}

	platformLog("Raw Password : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &pPassword[0], 8));
	platformLog("Updated Password : %s %s\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", (errCode != RFAL_ERR_NONE) ? "" : hex2Str( &updatedPassword[0], 8));

	// Present password
	errCode = rfalST25xVPollerPresentPassword( RFAL_NFCV_REQ_FLAG_DEFAULT, uid, pwdNumber, updatedPassword, pwdLengthInBytes);
	platformLog("Opening Secured Session : %s (Error Code: %d)\r\n", (errCode != RFAL_ERR_NONE) ? "FAIL" : "OK Data:", errCode);

and below is the debug prints captured on tera term terminal:

debug_prints_2.png

 

 

 

 

 

Please let me know if i missed anything.

I would like to confirm my understanding: In order to set a new password for AREA1 on a fresh tag, we must first open the USER_AREA1_SECURITY_SESSION using the default password, after which the new password can be written.

Regards,

Tanuj

 

Brian TIDAL
Brian TIDAL
Technical Moderator
May 30, 2025

Hi Tanuj,

if a "fresh ST25TV02KC" is being used, the password factory value is 0000000000000000 and likely not 1122334455667788. See Table 19 in ST25TV02KC datasheet for the factory value. Presenting a 1122334455667788 XOR'ed password instead of a 0000000000000000 XOR'ed password will not work. Presenting a non-XOR'ed password (as in line 22 of your initial code snipped: default_pwd is a non-XOR'ed password) will not work as well.

See also section 5.1.2 Password management and table 26 regarding the update of PWD_A1.

Just XOR the factory password and present the XOR'ed value.

Rgds

BT

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
Brian TIDAL
Brian TIDALBest answer
Technical Moderator
May 30, 2025

Hi Tanuj,

in case of PWD_A1, pwdLengthInBytes should be 8 not 4 (this is 4 in case of PWD_CFG) and line 17 should be replaced by:

	for (uint8_t i = 0; i < pwdLengthInBytes; i++)

Rgds

BT

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
    I
    itanuj_KIAuthor
    Associate II
    June 5, 2025

    Hello Brian,

    Apologies for the delayed response. Thanks for the fix—it worked.

    I am now able to set and modify the password.

    Regards,

    Tanuj

     

     

    Terms & ConditionsAccessibility statement