Here’s as good a place as any. I’m trying to authenticate using a Spark 2 and I’m trying to get a PICC challenge but haven’t figured out how yet.

I found a PDF amal created / uploaded that had a tiny snip saying you need to authenticateFirst so run the APDU command for that but now what!

OK so now I am issuing the authFirst command but I get 91 7E back (Length of command string invalid).

So now I’m digging into the iOS app code, yay, and see that it issues 1 APDU command then another later. The first is:

instructionClass: 0x90, instructionCode: 0x71, p1Parameter: 0x00, p2Parameter: 0x00, data: Data([0x02, 0x00]), expectedResponseLength: 256

In my case:

```csharp
byte[] data = { 0x02, 0x00 };

var apdu = new CommandApdu(IsoCase.Case4Extended, isoReader.ActiveProtocol)
{
    CLA = 0x90, // Class
    INS = 0x71, // Instruction
    P1 = 0x00, // Parameter 1
    P2 = 0x00, // Parameter 2
    Data = data,
    Le = 0xFF // Expected response length
};
```

Problem is I’m still getting a 90 7E response.

Indeed it is, but if you think it is better suited and thread worthy


If you give me a title, I will create one, move this post and attribute ownership to you

It’s funny because it still happens:



Thanks @Pilgrimsmaster

Sorry, I will make one for Spark 2 soon

platform-blockout-Spark 1 Scan API Flow

Also check docs…


You will need to sign up to developer.vivokey.com to get an API key before you can do anything. We had to decouple the APIs from actually having a VivoKey because… well, some developers aren’t necessarily excited about implants or having to keep a developer “demo card” in their wallet just to access developer stuff.

Aye, no worries, I found this.

Like I said, I’m kind of stuck. In the iPhone chipscan demo you issue an APDU command 90, 71, 00, 00, {02,00},256 but when I do that I get an error “Length of command string invalid”

iPhone… curses. @RyuuzakiJulio :slight_smile:

Well the Android one is closed source so can’t peek :sweat_smile:

But it can be decompiled and looked at

Yeah @Devilclarke I’d also suggest you take a look at the decompiled source. The APDU you named happens down the chain, like pretty much the last step. Before that there’s some APDU called NDEF_SEL you need to transceive.
(And maybe VKID_AID to get the type but like does Spark even have an applet?!)
This stuff is confusing even with the source.

Right I got it working around 2am but had to sleep as got work at 8:30 it’s now 7:30 so will update later.


Right, so I’ve not finished, but when I have I’ll share the C# code for what I’m doing as an example implementation (currently only for the Spark 2).

Now I’m getting a PCD Challenge, yay. Basically you issue the command and you don’t expect data back, hence the Le = 0x00, but the chip responds. It’s really weird, but I did find a few posts talking about commands functioning like that.

Code for PCDChallenge
```csharp
// ctx is an established PC/SC context; comboBox1.Text holds the selected reader name.
using (var isoReader = new IsoReader(ctx, comboBox1.Text, SCardShareMode.Shared, SCardProtocol.Any, false))
{
    var data = new byte[] { 0x02, 0x00 };

    var apdu = new CommandApdu(IsoCase.Case4Short, isoReader.ActiveProtocol)
    {
        CLA = 0x90, // Class
        INS = 0x71, // Instruction
        P1 = 0x00, // Parameter 1
        P2 = 0x00, // Parameter 2
        Data = data,
        Le = 0x00
    };

    var response = isoReader.Transmit(apdu);

    // Return the response data as an uppercase hex string without separators.
    return BitConverter.ToString(response.GetData()).Replace("-", string.Empty);
}
```

Now I have a different problem: no matter what I do, I can’t get a response on the pcd-challenge. My code structures the JSON and sends it, but all I ever get back is an ERROR 500.

The JSON I’m sending is structured exactly like this example from the dev docs.

```json
{
  "picc-uid": "04F2DA739E2BA0",
  "picc-challenge": "17695fd27eaf8c65833d50cbff12a501",
  "pcd-challenge": "55ecc39e823fd6c7c244f0d14a127f28"
}
```


Code if anyone's interested
```csharp
// Requires: using System.Collections.Generic; using System.IO; using System.Net;
//           using Newtonsoft.Json; using Newtonsoft.Json.Linq;
string response;
var httpWebRequest = (HttpWebRequest)WebRequest.Create(baseURL + pcdChallengeEndpoint);
httpWebRequest.ContentType = "application/json";
httpWebRequest.Method = "POST";

using (var streamWriter = new StreamWriter(httpWebRequest.GetRequestStream()))
{
    Dictionary<string, string> post = new Dictionary<string, string>
    {
        {"picc-uid", auth.PICCUID },
        {"picc-challenge", auth.PICCchallenge },
        {"pcd-challenge", auth.PCDchallenge }
    };

    string json = JsonConvert.SerializeObject(post, Formatting.Indented);

    // Write the JSON body to the request stream before it is closed.
    streamWriter.Write(json);
}

// GetResponse() throws WebException on a non-2xx status or a timeout.
var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse();
using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))
{
    response = streamReader.ReadToEnd();
}

var data = (JObject)JsonConvert.DeserializeObject(response);
```

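
Added example, not code from the thread or from VivoKey: the two APDU snippets posted above differ only in `IsoCase` and `Le`, and this sketch shows what each choice puts on the wire under ISO/IEC 7816-4 case 4 encoding, without needing a reader. `EncodeCase4` and `FitsShortForm` are hypothetical helpers; `FitsShortForm` models a parser that accepts only short-form length fields, which is an assumption and not the chip's documented behaviour.

```csharp
using System;
using System.Collections.Generic;

static class ApduWire
{
    // ISO/IEC 7816-4 case 4 (command data plus expected response data).
    // Short:    CLA INS P1 P2 | Lc (1 byte)        | data | Le (1 byte, 0x00 = 256)
    // Extended: CLA INS P1 P2 | 0x00, Lc (2 bytes) | data | Le (2 bytes, 0x0000 = 65536)
    public static byte[] EncodeCase4(byte cla, byte ins, byte p1, byte p2,
                                     byte[] data, int le, bool extended)
    {
        int max = extended ? 65536 : 256;
        if (data.Length < 1 || data.Length >= max) throw new ArgumentException("Lc out of range");
        if (le < 1 || le > max) throw new ArgumentException("Le out of range");
        var apdu = new List<byte> { cla, ins, p1, p2 };
        if (extended)
        {
            apdu.Add(0x00);                               // extended-length marker
            apdu.Add((byte)((data.Length >> 8) & 0xFF));  // Lc high byte
        }
        apdu.Add((byte)(data.Length & 0xFF));             // Lc (low) byte
        apdu.AddRange(data);
        if (extended) apdu.Add((byte)((le >> 8) & 0xFF)); // Le high byte
        apdu.Add((byte)(le & 0xFF));                      // Le low byte; the maximum wraps to 0x00
        return apdu.ToArray();
    }

    // Hypothetical model of a parser that understands short-form length fields only:
    // byte 4 is Lc, and the command must end right after the data or one Le byte later.
    public static bool FitsShortForm(byte[] apdu)
    {
        if (apdu.Length < 6 || apdu[4] == 0) return false; // short-form Lc is 1..255
        int lc = apdu[4];
        return apdu.Length == 5 + lc || apdu.Length == 6 + lc;
    }

    static void Main()
    {
        var data = new byte[] { 0x02, 0x00 };             // command data posted in the thread
        // (label, Le as a byte count, extended?); 256 is what the iOS call asks for.
        var cases = new[] { ("Case4Extended, Le=0xFF", 0xFF, true), ("Case4Short, Le=0x00", 256, false) };
        foreach (var (label, le, extended) in cases)
        {
            byte[] wire = EncodeCase4(0x90, 0x71, 0x00, 0x00, data, le, extended);
            Console.WriteLine($"{label}: {BitConverter.ToString(wire)} " +
                              $"({wire.Length} bytes, fits short form: {FitsShortForm(wire)})");
        }
    }
}
```

The extended form puts 0x00 where a short-only parser expects Lc, so the length fields no longer add up; whether that is what the chip rejected with the length error is not confirmed in the thread.
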
Sounds a lot like you and @AbbottSmith have the same problem. It’s probably the API? But why does the chipscanlib tester work for some people?

It does, doesn’t it, and I’m not even using a library :sweat_smile:

Any ideas @amal or @fraggersparks? Maybe there’s some logging server side that would shed some light

OK so I’ve tried UID, PICC challenge and PCD challenge all in LSB and MSB and a ton of combinations of both; none seem to work. I send the POST and it hangs for about 30s to 1 minute (not always but most of the time), then I get an ERROR 500.

I think the ERROR 500 is actually a timeout in the HTTP library I’m using, as it’s waiting for a response it never gets.

Can anyone else get this endpoint to work?
Is there an official VivoKey developer forum / support system?

Well I give up. Tried a bunch of other things and it just doesn’t work.

Either the documentation is wrong or there’s something funky with the endpoint. Without input from VivoKey this is going no further.

@fraggersparks any ideas here?

Ok sorry for the absence.

Can you try lowercase on the uid?

I will fish the details out of the API test cases for you on how to use these endpoints.