Yubico Forum

Hi,

I have a NEO with firmware version 3.0.2

I've been playing around with the NEO (Manager) Applet (A000000527 200101), but somehow I'm not able to select this applet via the contacted interface, only via contactless (I think i was able to select this applet via contacted back in january, but I'm not sure)

I can however select other applets via the contacted interface (OATH applet, GP applet, OpenPGP applet, etc), but not the NEO Applet.

The select command (00 a4 04 00 08 a0 00 00 05 27 20 01 01) returns "69 99" (Applet selection failed).

According to the JavaCard API docs, this may happen if the Applet.select() method returns false:
http://www.win.tue.nl/pinpasjc/docs/apis/jc222/javacard/framework/Applet.html#select()

ykpersonalize also fails:

(I have set a configuration passcode on my NEO, but the -cPASS option returns the same error)

ykinfo works fine:


ykneo-ccid-modeswitch also fails:


But the strange thing is, I am able to select the NEO applet via the contactless interface (14443-4A):


This shows that the NEO is in mode 0x82

However, I'm not able to change the mode via the contactless interface:

..but the NEO remains in mode 0x82. (I'm guessing the mode can only be change in contacted mode?)



Have I somehow messed up the NEO applet selection via the contacted interface?

What exactly is the NEO applet doing in the select() method?
Does the NEO Applet have a different code path for contacted vs contactless? (APDU.getProtocol())


Thomas

PS: It would be great if you could open source the NEO applet as well, but I'm guessing this is not easy as it's probably using some proprietary NXP api's...

Hello,

I'll try to answer all of your questions below, please tell me if I miss anything or gloss over something interesting..

The early versions of the NEO (only 3.0.2 I think) require touch to be selectable over the contact interface, that's why the select is failing. (and yes, the code path is slightly different, in that functions that require touch are always allowed over contact-less).

To change mode neither slot can have access code set, it must be removed before changing (over any interface).

Currently there's no plans to opensource the YubiKey applet.

/klas

Hi

Thank you! With your help, I was able to change the mode over contactless, and finally select the Yubikey Applet via USB.

As a reference (for others):

Disabled the access code for both slots, and were able to change mode from 0x82 to 0x01 over contactless.

Why 0x01 and not 0x81:
The eject flag had to be cleared, or else pressing the button in mode 0x81 would cause the virtual smart card to be "removed" from the reader, eg no luck is selecting any applets.

After setting the mode to 0x01 via contactless, and power cycling the NEO twice via USB (inserted, removed and then inserted again), and pressing the button twice, i was able to select the Yubikey Applet via the contacted interface.

About pressing the button:
After the NEO is powered up, press the button twice. The button does not need to be kept 'pressed'.
Now the 'touched' state will be set until the NEO is power cycled, or the button is pressed again.
Pressing the button repeatedly will toggle the 'touched' state.

Thomas