ChangeFileSettings fails (919E) when modifying access rights on existing SDM configuration #17

@jtihomirovs

I have NTAG424 DNA tags with a valid SDM configuration that was set by NXP TagWriter:

  • UID mirroring: Enabled
  • Counter mirroring: Enabled
  • CMAC: Enabled
  • Current access rights: Read=0xE, Write=0xE, ReadWrite=0xE, Change=0x0

This configuration works for my use case - I can successfully read deep-links from my NFC tags, and each scan gives me unique picc_data and cmac values. The problem is I want to protect my tags so no one can rewrite information on them. I did not find this functionality in NXP TagWriter (as well as options to change master and app keys), so I tried to use the ntag424-java library. This requirement is also mentioned in the NXP documentation (NT4H2421Gx datasheet): "Write and ReadWrite access rights for the NDEF File (File No. 02h) should be changed after personalization in order to prevent unauthorized changes in the NDEF File."

I am following the example code from the README SDM section, but I am stuck with the following error:
net.bplearning.ntag424.exception.ProtocolException: Invalid status result: 919E

Since SDM was configured in NXP TagWriter, I want to read the current settings for File 02h and modify only the Write and ReadWrite access rights while preserving the existing SDM configuration.
Code:

```java
// Authenticate with master key
boolean authenticated = AESEncryptionMode.authenticateEV2(communicator, 0, masterKey);

// Get current file settings
FileSettings currentSettings = (FileSettings) GetFileSettings.run(communicator, 2);

// Modify only access rights
currentSettings.readPerm = 0xE;      // Free (no key)
currentSettings.writePerm = 0x1;     // App Key 1
currentSettings.readWritePerm = 0x1; // App Key 1
currentSettings.changePerm = 0x0;    // Master Key

// currentSettings.sdmSettings remains unchanged, preserving existing SDM

// Apply changes - FAILS with 919E
ChangeFileSettings.run(communicator, 2, currentSettings);
```

Error:

net.bplearning.ntag424.exception.ProtocolException: Invalid status result: 919E
	at net.bplearning.ntag424.CommandResult.throwUnlessSuccessful(CommandResult.java:34)
	at net.bplearning.ntag424.command.ChangeFileSettings.run(ChangeFileSettings.java:22)

Questions:
1. How is it possible to configure tags with both SDM enabled AND protected Write access?
2. Do I need to configure them together from the start (and implement full SDM configuration in my project)?
3. Or is it possible to modify access rights after SDM is already enabled?
4. Does the library support modifying access rights on files with pre-existing SDM configurations?

Library version: ntag424-java 1.0.9 (latest release)
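
An added example, not part of the original issue and not code from ntag424-java: a stand-alone check that packs the four access conditions quoted above into the tag's 2-byte access-rights field and reports which of them still allow unauthenticated modification. The class name and the byte layout (byte 0 = ReadWrite and Change, byte 1 = Read and Write, as sent on the wire) are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;

public class Ntag424AccessRights {
    static final int FREE = 0xE;      // access without authentication
    static final int NO_ACCESS = 0xF; // access denied for everyone

    // Packs the four conditions into the 2-byte field, in on-wire order.
    // Assumed layout: byte 0 = ReadWrite<<4 | Change, byte 1 = Read<<4 | Write.
    static byte[] encode(int read, int write, int readWrite, int change) {
        for (int p : new int[] {read, write, readWrite, change}) {
            boolean key = p >= 0x0 && p <= 0x4; // application keys 0..4
            if (!key && p != FREE && p != NO_ACCESS)
                throw new IllegalArgumentException(
                        String.format("invalid access condition 0x%X", p));
        }
        return new byte[] {(byte) (readWrite << 4 | change), (byte) (read << 4 | write)};
    }

    // Unpacks the field to {read, write, readWrite, change}.
    static int[] decode(byte[] ar) {
        if (ar.length != 2) throw new IllegalArgumentException("access rights are 2 bytes");
        return new int[] {(ar[1] >> 4) & 0xF, ar[1] & 0xF, (ar[0] >> 4) & 0xF, ar[0] & 0xF};
    }

    // Lists the conditions that still permit modification without a key.
    static List<String> audit(byte[] ar) {
        int[] p = decode(ar);
        List<String> findings = new ArrayList<>();
        if (p[1] == FREE) findings.add("Write is free (0xE)");
        if (p[2] == FREE) findings.add("ReadWrite is free (0xE)");
        if (p[3] == FREE) findings.add("Change is free (0xE)");
        return findings;
    }

    public static void main(String[] args) {
        byte[] current = encode(0xE, 0xE, 0xE, 0x0); // values reported in the issue
        byte[] target = encode(0xE, 0x1, 0x1, 0x0);  // values the issue tries to set
        for (byte[] ar : new byte[][] {current, target})
            System.out.printf("%02X%02X -> %s%n", ar[0], ar[1], audit(ar));
    }
}
```

Running the same audit on the access-rights bytes read back from a tag after personalization confirms whether Write and ReadWrite were actually locked to a key.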
