Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 6:27 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Sat Oct 12, 2013 6:44 pm 
Offline

Joined: Sat Jan 05, 2013 7:52 pm
Posts: 7
Hi,

I have a NEO with firmware version 3.0.2

I've been playing around with the NEO (Manager) Applet (A000000527 200101), but somehow I'm not able to select this applet via the contacted interface, only via contactless (I think i was able to select this applet via contacted back in january, but I'm not sure)

I can however select other applets via the contacted interface (OATH applet, GP applet, OpenPGP applet, etc), but not the NEO Applet.

The select command (00 a4 04 00 08 a0 00 00 05 27 20 01 01) returns "69 99" (Applet selection failed).

According to the JavaCard API docs, this may happen if the Applet.select() method returns false:
http://www.win.tue.nl/pinpasjc/docs/apis/jc222/javacard/framework/Applet.html#select()

ykpersonalize also fails:
Code:
>ykpersonalize.exe -m81 -y
Firmware version 3.0.2 Touch level 1285 Program sequence 1

The USB mode will be set to: 0x81

Commit? (y/n) [n]: yes
Yubikey core error: write error

(I have set a configuration passcode on my NEO, but the -cPASS option returns the same error)

ykinfo works fine:
Code:
>ykinfo.exe -a
serial: [SERIAL]
serial_hex: [SERIAL]
serial_modhex: [SERIAL]
version: 3.0.2
touch_level: 1285
programming_sequence: 1
slot1_status: 1
slot2_status: 0


ykneo-ccid-modeswitch also fails:
Code:
error: SCardConnect failed, rc=8010000c


But the strange thing is, I am able to select the NEO applet via the contactless interface (14443-4A):

Code:
-> 00 a4 04 00 08 a0 00 00 05 27 20 01 01 00
<- 03 00 02 01 05 07 82 0f 00 00

This shows that the NEO is in mode 0x82

However, I'm not able to change the mode via the contactless interface:
Code:
-> 00 01 11 00 04 81 0f 00 00
<- 03 00 02 01 05 07

..but the NEO remains in mode 0x82. (I'm guessing the mode can only be change in contacted mode?)



Have I somehow messed up the NEO applet selection via the contacted interface?

What exactly is the NEO applet doing in the select() method?
Does the NEO Applet have a different code path for contacted vs contactless? (APDU.getProtocol())


Thomas

PS: It would be great if you could open source the NEO applet as well, but I'm guessing this is not easy as it's probably using some proprietary NXP api's...


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Oct 15, 2013 8:48 am 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

I'll try to answer all of your questions below, please tell me if I miss anything or gloss over something interesting..

The early versions of the NEO (only 3.0.2 I think) require touch to be selectable over the contact interface, that's why the select is failing. (and yes, the code path is slightly different, in that functions that require touch are always allowed over contact-less).

To change mode neither slot can have access code set, it must be removed before changing (over any interface).

Currently there's no plans to opensource the YubiKey applet.

/klas


Top
 Profile  
Reply with quote  
PostPosted: Thu Oct 17, 2013 11:16 pm 
Offline

Joined: Sat Jan 05, 2013 7:52 pm
Posts: 7
Hi

Thank you! With your help, I was able to change the mode over contactless, and finally select the Yubikey Applet via USB.

As a reference (for others):

Disabled the access code for both slots, and were able to change mode from 0x82 to 0x01 over contactless.

Why 0x01 and not 0x81:
The eject flag had to be cleared, or else pressing the button in mode 0x81 would cause the virtual smart card to be "removed" from the reader, eg no luck is selecting any applets.

After setting the mode to 0x01 via contactless, and power cycling the NEO twice via USB (inserted, removed and then inserted again), and pressing the button twice, i was able to select the Yubikey Applet via the contacted interface.

About pressing the button:
After the NEO is powered up, press the button twice. The button does not need to be kept 'pressed'.
Now the 'touched' state will be set until the NEO is power cycled, or the button is pressed again.
Pressing the button repeatedly will toggle the 'touched' state.

Thomas


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group