Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

rule · 2008-11-04 16:52:49

Hello hard/software developer,

If you know more about the NXP PN53X chip, please reply here or drop me a note in my email. This would help me investigating the ability cheap readers can supply. Most readers have the ability to talk direct to the PN5XX chip. It would be interesting to create a simple library for testing purposes.

This is what I have indexed so far:

#define PN5XX_CONNECT_TAG         "\xD4\x4A\x01\x00"
#define PN5XX_DISCONNECT_TAG      "\xD4\x44\x01"
#define PN5XX_TRANSMIT_FRAME      "\xD4\x42"
#define PN5XX_TRANSMIT_MIFARE     "\xD4\x40\x01"
#define PN5XX_DISABLE_ANTENNA     "\xD4\x32\x01\x00"
#define PN5XX_ENABLE_ANTENNA      "\xD4\x32\x01\x01"
#define PN5XX_GET_STATUS          "\xD4\x04"
#define PN5XX_GET_FIRMWARE        "\xD4\x02"
#define PN5XX_DISABLE_LAYER4      "\xD4\x12\x24"
#define PN5XX_ENABLE_LAYER4       "\xD4\x12\x34"

typedef enum MifareCommand {
  MC_AUTH_A       = 0x60,
  MC_AUTH_B       = 0x61,
  MC_READ         = 0x30,
  MC_WRITE        = 0xA0,
  MC_TRANSFER     = 0xB0,
  MC_DECREMENT    = 0xC0,
  MC_INCREMENT    = 0xC1,
  MC_RESTORE      = 0xC2
};

Thanks in advance, cheers,

Roel

d18c7db · 2008-11-05 11:48:49

Hey wow, this is what I've been looing into as well. We have a Snapper system here in my country for cashless payments mainly on buses but also accepted at corner stores and food courts. It's still in its infancy, the reader/writer looks like this:

Basically take the red cap off and plug into a USB port then place the credit card sized RFID card on it to read the balance or add funds. The shops have a diferent form factor (larger) read/write station with a digital display that shows the transaction amount and remaining credit.

I took the USB read/write RFID plug apart, but the chip has been filed to erase it's markings, however the pin layout matches that of a PN531.
The software drivers seem to be rebadged TMoney software so our system may well be based on that Korean system. I did some USB captures to figure out the protocol and I can now drive the RFID plug directly with some C code using libusb

I've been searching high and low for some datasheets on the PN531 but to no avail. NXP are keeping them under wraps. The protocol of my USB plug is near identical to that in this document and it shows some of the 0xD4 commands you list above.

Using the tag I have, a typical query balance uses the following commands:

// unknown command
ret=do_nxp_xfer(d, "\xD4\x32\x02\xff\x0f\x0d", 6);
// possibly select card command
ret=do_nxp_xfer(d, "\xD4\x4A\x01\x00", 4);
// retrieve card info command
ret=do_nxp_xfer(d, "\xD4\x42\x02\x00\xa4\x04\x00\x07\xd4\x10\x00\x00\x03\x00\x01\xcd\x0d", 17);
// read stored cash value command
ret=do_nxp_xfer(d, "\xD4\x42\x02\x90\x4C\x00\x00\x04\x57\xC6", 10);
// turn off RF field command
ret=do_nxp_xfer(d, "\xD4\x32\x01\x00", 4);

These USB readers can be had currently for the equivalent of $10 US while the special introductory price lasts. I've also been experimenting with using this reader to read a RFID enabled passport with some limited success. I can get the passport ATR and issue select file commands but I can't authenticate to the passport properly, I believe the RFID reader mangles (tries to process) some of the passport response packets (and fails). Possibly the DISABLE_LAYER4 might be useful here? In any case I haven't been able to progress this much as I don't have full time access to the RFID passport and my own one isn't RFID enabled till I renew it in a few years time...

(Uhh where's the post preview button on this forum???... oh well, submit <click>)

rule · 2008-11-05 17:52:59

Very interesting indeed!

I have looked at the DIGENT document, though I can't get everything to work on my ACR122 reader. The API of this reader does contains some information about the PN5XX chip ACR122 API. But a document with more detailed info would be very useful. I want to make an open-source implementation for this cheap-readers/chip, therefor I can not be bound to a NDA. Let me know if you have info about this reader that you want to share with me.

d18c7db · 2008-11-05 19:47:43

I'd already trawled through that ACR122 document and many others from here in search of info but I never really found what I wanted, which is a complate and detailed list of the protocol commands supported.

You can have a look at the python code I use to access my USB token if you want, uses pyUSB to access the USB bus and send/receive commands. Python is real easy to develop in I started in C, but python won in the end

Zanado · 2008-11-06 07:49:47

Ah, another New Zealander me thinks

rule · 2008-11-17 08:05:22

Can you get your hands on a few of those usb-stick readers for me?
Please mail me the payment details. And can you upload a c-example of accessing this reader through libusb?

Thanks in advance,

Roel

d18c7db · 2008-11-17 23:21:47

I've uploaded my sample C code as gofishgo.c for you to have a look. You need a to have at a minimum a cygwin environment able compile C code (gcc) and libusb installed. Let me know if you need help getting that set up.
TAMA.inf (together with libusb0.dll and libusb0.sys from the libusb package) can be used as the driver for the device.

rule · 2009-03-27 22:14:01

Finally, this chipset(snapper) and all related (PN531 USB) devices are supported by libnfc.
Lot's of interested things to find there about the hardware, instructions, commands and support.

  The PN531 USB RFID dongle protocol appears to be as follows:
  
  PC to Dongle:
  00 00 FF LEN LCS DATA[] DCS 00
  ++ +++++ +++ +++ ++++++ +++ ++
   |     |   |   |      |   |  |
   |     |   |   |      |   |  +- n+2 Postamble byte always 00
   |     |   |   |      |   +---- n+1 Data packet checksum byte (0-DATA[0]-DATA[1]-...-DATA[n])
   |     |   |   |      +-------- 6:n Variable length data packet
   |     |   |   +--------------- 5   Packet length checksum byte (0-LEN)
   |     |   +------------------- 4   Packet length (DATA+DCS)
   |     +----------------------- 2:3 Start or packet code always 00 FF
   +----------------------------- 1   Preamble byte always 00
   
  Dongle to PC (ACK frame):
  00 00 FF 00 FF 00
  ++ +++++ +++++ ++
   |     |     |  |
   |     |     |  +- 6   Postamble always 00
   |     |     +---- 4:5 AKC (00 FF) or NACK (FF 00)
   |     +---------- 2:3 Start or packet code always 00 FF
   +---------------- 1   Preamble byte always 00

  Dongle to PC again - Following above ACK frame Dongle sends another
  frame (returns data) in the same format as PC to dongle:
  00 00 FF LEN LCS DATA[] DCS 00

  Error frame - if received, indicates an error at application level
  00 00 FF 01 FF 7F 81 00

  DATA[] packets:
  "D4 32 01 RF"        RF 0=off, 1=on
  "D4 32 02 FF 0F 0D"    ?
  "D4 4A TAGS SPEED"    select tag, TAGS=1 or 2, only SPEED value accepted is 0=106k (1=212k, 2=424k ?)
  "D4 42 02"        ISO7816 APDU follows, eg "D4 42 02 90 4C 00 00 04 57 C6"

Proxmark3 community

Announcement

#1 2008-11-04 16:52:49

Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

#2 2008-11-05 11:48:49

Re: Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

#3 2008-11-05 17:52:59

Re: Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

#4 2008-11-05 19:47:43

Re: Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

#5 2008-11-06 07:49:47

Re: Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

#6 2008-11-17 08:05:22

Re: Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

#7 2008-11-17 23:21:47

Re: Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

#8 2009-03-27 22:14:01

Re: Does anyone knows the commands for the PN53X chip? (PN531,PN532,PN533)

Board footer