Vivokey & Apex Troubleshooting

I want to install a Java Card implant soon and am doing some preliminary testing before deciding on whether to install the Apex Flex I have or instead purchase either an Apex Mega or FlexSecure.

I also have a number of Java Card devices that date back to original VivoKey beta. They include:

  • 1 encased VivoKey taped to the back of a business card
  • 2 “naked” VivoKeys taped to the back of business cards
  • several Fidesmo test cards
  • a Fidesmo branded Yubikey-style NFC/USB combo

My goal has been to simply get 3 applets tested and working on a single VivoKey. The FIDO applet, the OTP applet, and the HMAC applet. I’ve had some success, but am still a ways off and not sure what else to try.

I’m using a combination of:

  • Samsung Galaxy S23 Ultra
  • Pixel 4 XL
  • ACR122U
  • Digital Logic DL533R CS IP54 w/ Booster (another PC reader)

I’ve had some partial successes but have not been able to get all 3 applets installed and tested. Below are some of the issues I’ve had and some questions.

1. Cannot install any applet via Fidesmo’s fdsm utility

@StarGate01 Is it still possible to install applets directly via fdsm? I remember doing this back in the VK beta, but for every app I’ve tried to install, I get an Unexpected error: Failed to run service: newPosition < 0: (-2 < 0). I’m using the command fdsm.exe --run <app_id>/install and am obtaining the app IDs either from the Fidesmo app on my phone or Fidesmo’s API.

I’ve tried multiple applets, including the “free memory” applet, which I kind of use as my test app, since I presume it has one of the smallest sizes.

I’ve tried using both the .exe utility and the .jar file. I’m using the latest release (fdsm v23.04.18-0-g5ddce34).

I’m using the ACR122U and have tried installing applets dozens of times in various orientations of the VivoKey; both the naked and encased ones. I also tried using the DL533R, but it bricked one of the VKs on the first install attempt.

I have been able to use both the ACR122U and the DL533R to install the Fidesmo “Applet Platform Tests” applet on a Fidesmo test card.

Destroying/removing applets via fdsm --run <appId>/[destroy|uninstall] works almost without fail. Listing applets also works.

My biggest concern is that if I can’t get even a single applet installed on a naked flex chip using a desktop reader, then the FlexSecure won’t be a viable option. Is there any reason to expect different performance when installing an applet to the flexSecure via gp than installing an applet to the original VivoKey via fdsm?

2. OTP Applications

Summary:

  • I cannot use the Apex Manager to add OTP accounts to any device. The app just remains on the “Scan your Apex” screen, with no vibration or other indication of success or failure.
  • The Apex Manager can scan the JavaCard devices and show the OTP codes that have already been installed.
  • I get the same behavior of being able to see codes, but not install new ones on the Yubikey Auth app.
  • Both apps seem to have a bug/issue where after a silently failing attempt to add a new OTP account, neither app will even read or acknowledge the NFC device unless the app is force killed and reopened.
  • The Yubikey Authenticator app no longer works with the Fidesmo OTP applet. This isn’t a DT issue, just adding it here for completeness.
  • The Vivokey OTP applet is almost impossible to install. In 4+ hours of trying across two phones, I was only ever able to get it installed once to a VK Beta (it was the one that was encased).
  • Compare this to a more acceptable 20% success rate when installing the FIDO2 applet (which I believe is substantially larger and thus would require even better coupling).
  • I am also able to install the Fidesmo OTP applet with a much higher success rate.

I’m sure many of these issues are related. I guess it’s possible that all of these are just under the “bad connection/coupling” heading, but that seems hard to believe, especially given that I have been able to install the FIDO2 applet multiple times (although I haven’t tested actually using it yet).

A few questions:

  1. My understanding is that the new version of the VivoKey OTP applet uses the same AID as a Yubikey and thus should be readable and writable by both the Apex Manager and the Yubikey Auth apps. Is this correct?
  2. For purposes of writing new OTP accounts, it shouldn’t matter whether the underlying device is a VivoKey beta, an Apex Flex, or a Fidesmo Yubikey style card, right? As long as the VivoKey OTP applet was successfully installed and recognized by Apex Manager, the actual hardware/chip is irrelevant.
  3. I’m using Generate QR Codes for Google Authenticator to generate QR codes for adding accounts. This works fine with a Yubikey 5 NFC via the Yubico Auth app. Any reason why these same codes wouldn’t be installable on Apex Manager?

Misc

I’ve tried to get a new developer account set up with Fidesmo (or have my old one reinstated), but after asking me some initial questions they’ve gone radio silent (it’s been over a week). My guess is that because my response to their “What are you developing” questions wasn’t something with large (or even small) commercial applications, they aren’t really interested. I know others on the forum have had the same experience. Not faulting DT in any way, but it would have been nice to at least have been given a “Thanks, but not interested” response.

The flexSecure looks like a good alternative to the Fidesmo developer issue, but there seems to be a lack of viable options for desktop readers, and the only Android app I found to install applets hasn’t been updated in 10 years and can’t even be installed on my device. The ACR122U is no longer being produced, and it already didn’t have great performance. From what @amal has said, its successors aren’t any better. I know @StarGate01 and others have mentioned good performance with the DL533R Stick, but they have been out of stock for a while. I ordered one of the last two full sized versions but it seems to have worse performance than the ACR.

I have some hope that the NFC repeater I ordered from @Hamspiced will help with the phone and desktop. It should arrive in a couple of days.

Anyone have other suggestions for a USB reader and/or a relatively inexpensive Android phone that has good NFC performance with the flex style implants?

1 Like

but there seems to be a lack of viable options for desktop readers

I’ve had good experience with ACR1252U.

I cannot use the Apex Manager to add OTP accounts to any device. The app just remains on the “Scan your Apex” screen, with no vibration or other indication of success or failure.

Have you verified the phone is outputting a field with a DT diagnostic card or field detector?

I’m using Generate QR Codes for Google Authenticator to generate QR codes for adding accounts. This works fine with a Yubikey 5 NFC via the Yubico Auth app. Any reason why these same codes wouldn’t be installable on Apex Manager?

These QR codes will work with the Apex Manager TOTP applet.

Can you include the --verbose parameter and screenshot / copy exactly what you’re running and exactly what’s returned?

Thanks … Just ordered one.

No, I think I misplaced my old card. I’ll order a new one. There is some kind of issue where NFC doesn’t function (at least for that app) after a failed read … More below

Sure.

PS G:\My Drive\apps\fdsm\23.04.18> .\fdsm.exe --card-apps
Using card in ACS ACR122 0
#  appId - name and vendor
5d9673b4 - hello_world_v3 (by Echogy Technologies)
4f97a2e9 - Ledger FIDO U2F (by Ledger)
           Services: installPublic, install, delete
61fc54d5 - OTP Authenticator (by VivoKey Technologies)
           Services: destroy, install
99848a60 - Free Memory (by VivoKey Technologies)
           Services: install, destroy
PS G:\My Drive\apps\fdsm\23.04.18>
PS G:\My Drive\apps\fdsm\23.04.18> .\fdsm.exe --run 99848a60/destroy
Using card in ACS ACR122 0
PS G:\My Drive\apps\fdsm\23.04.18> .\fdsm.exe --card-apps
Using card in ACS ACR122 0
#  appId - name and vendor
5d9673b4 - hello_world_v3 (by Echogy Technologies)
4f97a2e9 - Ledger FIDO U2F (by Ledger)
           Services: installPublic, install, delete
61fc54d5 - OTP Authenticator (by VivoKey Technologies)
           Services: destroy, install
PS G:\My Drive\apps\fdsm\23.04.18> .\fdsm.exe --verbose --run 99848a60/install
Using card in ACS ACR122 0
[main] [INFO] ServiceDeliverySession - Delivering: Install
[main] [INFO] ServiceDeliverySession - Session ID: fdde2cd6-6ea5-4445-bb60-66d5d2736d0c
Failed to run service: newPosition < 0: (-2 < 0)
java.lang.RuntimeException: Failed to run service: newPosition < 0: (-2 < 0)
        at com.fidesmo.fdsm.ServiceDeliverySession.deliverService(ServiceDeliverySession.java:555)
        at com.fidesmo.fdsm.Main.main(Main.java:353)
Caused by: java.lang.IllegalArgumentException: newPosition < 0: (-2 < 0)
        at java.base/java.nio.Buffer.createPositionException(Buffer.java:352)
        at java.base/java.nio.Buffer.position(Buffer.java:327)
        at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:1551)
        at jnasmartcardio.Smartcardio$JnaCardChannel.transmitImpl(Smartcardio.java:809)
        at jnasmartcardio.Smartcardio$JnaCardChannel.transmit(Smartcardio.java:690)
        at apdu4j.pcsc.CardBIBO.transceive(CardBIBO.java:121)
        at apdu4j.core.APDUBIBO.transceive(APDUBIBO.java:40)
        at com.fidesmo.fdsm.ServiceDeliverySession.processTransmitOperation(ServiceDeliverySession.java:258)
        at com.fidesmo.fdsm.ServiceDeliverySession.deliveryLoop(ServiceDeliverySession.java:220)
        at com.fidesmo.fdsm.ServiceDeliverySession.deliver(ServiceDeliverySession.java:174)
        at com.fidesmo.fdsm.ServiceDeliverySession.call(ServiceDeliverySession.java:95)
        at com.fidesmo.fdsm.ServiceDeliverySession.call(ServiceDeliverySession.java:59)
        at apdu4j.core.CancellationWaitingFuture.run(CancellationWaitingFuture.java:57)
        at com.fidesmo.fdsm.ServiceDeliverySession.deliverService(ServiceDeliverySession.java:546)
        ... 1 more

Unexpected error: Failed to run service: newPosition < 0: (-2 < 0)
PS G:\My Drive\apps\fdsm\23.04.18>

That error comes from the serviceDelivery.run() but it seems pretty generic. Looks like some kind of array or buffer index issue.

 
Going to make another reply below … made some progress with writing OTP secrets, but its weird.

Ok, I’m able to get OTP codes into the VivoKey OTP applet now using both the Apex Manager and Yubikey Authenticator, but there is definitely something funky going on.

My exact process for Apex is this:

Initial Conditions:

  1. Close all apps
  2. Ensure NFC is on

Process:

  1. Open Apex Manager
  2. Scan VK Beta - works about 80% of the time
  3. Tap Authenticator
  4. Tap QR Scanner and scan QR code
  5. See the Pending Change and notice the Scan Apex come up in bottom of screen
  6. Hold VK to back of phone in the normal spot I’ve been using. Wait about 10 seconds. Notice that nothing happens. No sound, no vibration.
  7. Hit home, open settings, search for NFC
  8. Turn NFC off and back on
  9. Double tap app list button to go back to Apex Manager, still on the scan Apex screen
  10. Hold VK to the back of phone in exact same spot as before.
  11. Watch in amazement as the credential gets added
  12. Delete credential and repeat.

I’ve done this ~5 times in a row now and I’m getting the same result sequence. The initial write attempt does nothing, and it isn’t until I turn NFC off and back on that it works.

I get similar behavior when using the Yubico Authenticator app, so I think this is something to do with Android and/or the Galaxy S23.

Another weird thing is the position I use on my S23 Ultra. @amal do you know where the NFC antenna is by chance? According to an iFixIt teardown it is near the top, on the opposite side of the camera bank (top right if you were looking at the back of the phone). But the place I get the most consistent reads is on the bottom of the phone, with the flex perpendicular to the phone body.

image

(that’s a little low in the picture; it’s more like about 1/4th of the phone height from the bottom)

Samsung Galaxy S23 Ultra
SM-2918U1
Android: 14
Google Play System Update: November 1, 2023

@TheCyborgFirefighter has one, he could probably help

I’m taking a stab in the dark here but I think the position issue is related to this applet. What is this hello world applet?

That was an applet I made back in the beta days and installed onto one of the test chips. It does nothing except return an encoded ‘hello world’ in response to the applet being initialized. I can’t remove it from the test card because I don’t have access to my old Fidesmo dev account any more, and I don’t think I have the AID saved anywhere.

But I don’t think that is the issue. I’m also unable to install any applets via fdsm on a clean VKB.

New theory: The HMAC-SHA1 applet and the OTP applet cannot both be installed at the same time

(at least not on the VivoKey Beta).

I think my issues earlier with the OTP applet were a red herring. One of the first things I did was install the HMAC applet and test its integration with KeePassXC. That worked pretty well. Most of my subsequent testing was trying to get the FIDO2 and OTP applets installed alongside the HMAC one.

I’m uploading a YouTube video that shows pretty conclusively that both cannot be installed at the same time. It should finish processing in about 45 minutes, but I’ve included the procedure below.

Could there be some kind of AID issue here? I know that both applets are emulating the Yubikey (I think the Yubikey Neo to be precise). I think that the way the Yubikey works with NFC is that there is an initial applet selection for the Yubikey itself, and then some type of sub-AID selection for the individual function. Might both the OTP applet and the HMAC applet be using the same outer AID?

Or could there not be enough space/memory on the VK to store both? I didn’t think the HMAC applet was that large. I have been able to get both the HMAC applet and FIDO2 applets installed. I was also able to have HMAC, FIDO and Fidesmo OTP installed at the same time, so this being a space issue seems unlikely.

Setup:
  1. Placed phone on top of VK beta chip that was taped to the back of a business card in an orientation that has given me solid coupling.
  2. Removed all applets via my Samsung S23

The below steps are all done without moving or changing the coupling between the phone and chip:

Verify each applet can be installed independently:

  1. Install HMAC applet: success
  2. Remove HMAC applet: success
  3. Install HMAC applet: success
  4. Remove HMAC applet: success
  5. Install OTP applet: success
  6. Remove OTP applet: success
  7. Install OTP applet: success
  • Try to get both applets. At this point only the OTP applet is installed. Still have not moved the phone or chip/card.
  1. Install the HMAC applet: fail
  2. Remove the failed HMAC applet (must do this after every failed install): success
  3. Install HMAC applet: fail
  4. Remove the failed HMAC applet: success
  5. Remove the OTP applet: success
  • Now there are no applets on the chip
  1. Install the HMAC applet: success
  • The HMAC applet is now the only one installed.
  1. Install the OTP applet: fail
  2. Remove the failed OTP applet: success
  3. Remove the HMAC applet: success
  4. Install the OTP applet: success

Here’s a video showing my attempts to get both applets installed at the same time (as outlined in my previous reply).

The first 8 minutes are the important part. After that I made a few additional attempts, but re-seating the phone/card after each operation to see if that had any impact (it did not).

The official diagram from Samsung is below:

I get my best reads in the bottom-middle area, where the word “Samsung” is located.

2 Likes

Awesome, thank you! That’s essentially the area I’ve been using for my testing.

2 Likes

First of all, I do not recommend the ACR122U as its firmware has bugs and does not support extended APDUs. Get an ACR1252U instead, that is what I do my testing with.

Yes, works for me. Make sure you use the latest fdsm release.

No. Performance is the same. fdsm is essentially just a proxy for the GlobalPlatform tunnel to Fidesmo servers.

I cannot reproduce these issues on my side. Which versions of the apps are you using? Which version of Android?

I do not know of a Fidesmo OTP applet, but yea the Vivokey one is still compatible with Yubico tooling, even on desktop.

Correct

Correct, but make sure you use the most recent version of the Vivokey OTP applet.

These QR codes are standardized. They should work with Apex manager as well.

Just email them again.

No, just use an ACR1252U. It is a lot better. I use it all the time.

If the issues you detailed still occur with the ACR1252U, your chip might have bad coupling performance. This would also explain parts of the issues you see with your phone. Also, try to align your implants with the edge of readers, instead of the center.

For Vivokey Apex, these Apps are able to be installed at the same time and have distinct AIDs.

Not correct. For Fidesmo Vivokeys, the TOTP AID is A0000005272101014150455801, Package: A00000052721010141504558, while for HMAC-SHA1 the AID is A000000527200101, Package: A00000052720. Even on Yubikeys they have distinct AIDs. Also see https://github.com/DangerousThings/flexsecure-applets/blob/master/docs/7-aid-list.md and https://github.com/Yubico/yubikey-manager/blob/main/yubikit/core/smartcard.py#L69. Note that Yubico calls TOTP OATH and HMAC-SHA1 OTP, see https://github.com/DangerousThings/flexsecure-applets/blob/master/docs/5-otp-naming.md.

2 Likes
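Added example, not code from the thread or from the flexsecure-applets project: the four AIDs quoted in the reply above, decoded into RID and PIX, checked for the prefix overlap that would make a SELECT by AID ambiguous (the collision the earlier theory assumed), and wrapped in a standard ISO 7816-4 SELECT command. The helper names are mine; the AID values are the ones stated in the reply.

```python
"""AID sanity checks for the VivoKey TOTP and HMAC-SHA1 applets (added example,
not project code). AID values are the ones quoted in the reply above."""
from dataclasses import dataclass

# AIDs quoted in the reply above: Yubico RID A000000527 followed by the applet PIX.
TOTP_PACKAGE = "A00000052721010141504558"
TOTP_AID = "A0000005272101014150455801"
HMAC_PACKAGE = "A00000052720"
HMAC_AID = "A000000527200101"


@dataclass(frozen=True)
class Aid:
    raw: bytes

    @property
    def rid(self) -> bytes:
        # First 5 bytes: Registered application provider IDentifier (ISO 7816-5).
        return self.raw[:5]


def parse_aid(hex_aid: str) -> Aid:
    """Decode a hex AID string and enforce the ISO 7816-5 length bounds (5..16 bytes)."""
    raw = bytes.fromhex(hex_aid.replace(" ", ""))
    if not 5 <= len(raw) <= 16:
        raise ValueError(f"AID must be 5..16 bytes, got {len(raw)}")
    return Aid(raw)


def belongs_to_package(applet: Aid, package: Aid) -> bool:
    """JavaCard applet AIDs conventionally extend their package AID by one or more bytes."""
    return applet.raw.startswith(package.raw) and len(applet.raw) > len(package.raw)


def select_conflict(a: Aid, b: Aid) -> bool:
    """True when SELECT by AID could pick the wrong applet: equal AIDs, or one
    AID is a prefix of the other (partial-name selection would match both)."""
    shorter, longer = sorted((a.raw, b.raw), key=len)
    return longer.startswith(shorter)


def first_divergence(a: Aid, b: Aid) -> int:
    """Index of the first differing byte, or -1 if one AID is a prefix of the other."""
    for i, (x, y) in enumerate(zip(a.raw, b.raw)):
        if x != y:
            return i
    return -1


def select_apdu(aid: Aid) -> bytes:
    """Build the SELECT-by-AID command APDU: CLA=00 INS=A4 P1=04 P2=00 Lc <AID> Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid.raw)]) + aid.raw + b"\x00"


if __name__ == "__main__":
    totp, hmac_sha1 = parse_aid(TOTP_AID), parse_aid(HMAC_AID)
    print("shared RID:", totp.rid == hmac_sha1.rid)                  # True
    print("diverge at byte:", first_divergence(totp, hmac_sha1))     # 5 (PIX 0x21 vs 0x20)
    print("would conflict on SELECT:", select_conflict(totp, hmac_sha1))
    print("SELECT HMAC-SHA1:", select_apdu(hmac_sha1).hex().upper())
```

The two applets share Yubico's RID but split at the first PIX byte, so neither AID is a prefix of the other; a package AID, by contrast, is always a prefix of its own applet AID, which `select_conflict` flags.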

How’s the ACR1252U support on Linux?

Linux support is great. A CCID driver is included in the ccid package, included with pcscd in most distributions. See “Should work but untested by me”. I use it on NixOS without issues.

Thanks for the detailed responses StarGate01.

I’ll give this a try and hold off on any more desktop installs until it arrives.

I was able to get the OTP codes installed eventually, but only after doing the procedure outlined in my previous reply (essentially having to turn NFC off and back on after the initial attempt to write fails). This was affecting both the Apex Manager and Yubico Auth app, so I think it is an issue with my phone.

Samsung Galaxy S23 Ultra
SM-2918U1
Android: 14
Google Play System Update: November 1, 2023
Apex Manager: 2.0.5
Yubico Auth: 6.4.0

It might only show up when connecting to a Flex One. It was a Fidesmo branded version of the ykneo-oauth that predated the Vivokey version.

I’ve sent two additional follow ups, but I’ll keep trying

Something is preventing me from installing both of these at the same time on the VK Flex One. I don’t think it is a coupling issue. I’ve installed/uninstalled each applet separately 3 times in a row using my S23, but no matter what order of steps I try I cannot get them both installed together on either my S23 or Pixel 4.

Maybe this is somehow unique to the Flex One, but I can’t think of how that could be distinguishing.

Same with the available space/memory. I currently have the OTP, FIDO, Free Memory, and Smart PGP applets installed. I don’t think the HMAC applet would require more storage than the FIDO and Smart PGP ones combined. (The Free Memory applet shows > 100% available storage with no applets installed, so I don’t know if it is reliable for the Flex One).

Is there any way I could manually install the old version of the OTP applet just to rule it out? Not sure what else to try at this point. I’m hesitant to chalk it up as a quirk with the Flex One. I really wanted to get the OTP, FIDO, and HMAC applets installed and configured on a test chip before getting the Apex or FlexSecure implanted. Maybe with the ACR1252U and an NFC repeater I can get applets installed on the Apex through the packaging.

I was able to program the Flex while still in its packaging using that reader, even without a repeater. Just make sure not to damage the packaging.

Got the reader today and it worked great. I was able to install both the OTP and HMAC applets on my Apex through the packaging. Thanks!

2 Likes