Skip to main content

NFC/RFID tag authentication and encryption library

Project description

schnee

schnee is a Python package and CLI for working with NFC/RFID tags through a PC/SC reader, with a current focus on NTAG profile inspection and NDEF URL writes.

Installation

Install the package from PyPI:

pip install schnee

Requirements

schnee talks to tags through PC/SC via pyscard, so practical use requires:

  • a compatible NFC or smart card reader
  • a working system PC/SC library/service
  • access to the target tag

Platform-specific PC/SC prerequisites:

  • Linux: install a PC/SC implementation such as pcsc-lite and ensure the pcscd daemon/service is installed and running. Depending on your distribution, you may also need your reader's driver package.
  • Windows: pyscard uses the built-in WinSCard PC/SC subsystem that ships with Windows; make sure the smart card service and your reader driver are available.
  • macOS: pyscard uses the system PCSC.framework, which is included with macOS; make sure the reader is connected and recognized by the system.

If the PC/SC stack, service, or reader is not available, pyscard may fail to import, no readers may be discovered, or CLI commands that access hardware will fail during reader discovery or card communication.

CLI Usage

After installation, the schnee command is available on your PATH.

Show the top-level help:

schnee --help

List selectable backends and detected PC/SC readers:

schnee backends

Read the current NTAG profile as JSON:

schnee ntag read --backend pcsc

Use a specific reader by name:

schnee ntag read --backend "pcsc:ACS ACR1252 1S CL Reader PICC 0"

Write a URL as a single NDEF URI record:

schnee ntag write-url --backend pcsc --url "https://example.com"

For NTAG 424 DNA tags that require application authentication before writing, provide the current 16-byte AES key as 32 hex characters:

schnee ntag write-url \
  --backend pcsc \
  --url "https://example.com" \
  --ntag424-master-key-hex 00112233445566778899aabbccddeeff

Warning: passing a secret key on the command line can expose it through shell history, terminal logging, or process listings visible to other local users. Avoid using real production keys this way; prefer a safer secret input mechanism if one is available in your environment.

Verify an NTAG 424 DNA SDM MAC from mirrored URL data:

schnee ntag verify-sdm-mac \
  --signed-text "example.com/t?uid=044C2F82322190&ctr=250000&mac=" \
  --mac 260d8310beb0e062 \
  --sdm-key-hex 00112233445566778899aabbccddeeff \
  --uid 044C2F82322190 \
  --counter 250000

When the tag stored the URI record without NDEF URI compression, keep the default --ndef-prefix no_prefix and pass --signed-text exactly as it was mirrored.

When the tag stored the URI record with an NDEF URI Identifier Code such as https (which expands to https://), pass that token through --ndef-prefix. The verifier removes the expanded prefix from signed_text before MAC calculation only when both of the following are true:

  • the selected --ndef-prefix expands to a non-empty prefix such as https://
  • --signed-text starts with that expanded prefix

This means signed_text may include the display prefix copied from the tag scan, or it may already be prefix-normalized. Both are accepted as long as --ndef-prefix matches the URI Identifier Code used when the URL was stored.

For a tag that used compressed https:// storage, these two commands verify the same signed bytes:

schnee ntag verify-sdm-mac \
  --signed-text "https://example.com/t?uid=044C2F82322190&ctr=250000&mac=" \
  --mac 260d8310beb0e062 \
  --sdm-key-hex 00112233445566778899aabbccddeeff \
  --uid 044C2F82322190 \
  --counter 250000 \
  --ndef-prefix https
schnee ntag verify-sdm-mac \
  --signed-text "example.com/t?uid=044C2F82322190&ctr=250000&mac=" \
  --mac 260d8310beb0e062 \
  --sdm-key-hex 00112233445566778899aabbccddeeff \
  --uid 044C2F82322190 \
  --counter 250000 \
  --ndef-prefix https

If you provide --uid or --counter, those bytes must match the tag's SDM configuration and the mirrored URL contents. In particular, --counter expects 3 mirrored bytes as 6 hex characters in URL order, and the mirrored ctr= value inside --signed-text should use that same hex representation. The verifier handles the NTAG 424 DNA counter byte-order conversion internally.

Python API

The stable Python entry points currently exposed by the package are the service classes re-exported from schnee.services. For example, you can list the selectable backends from Python:

from schnee.services import ListBackendNamesService

backends = ListBackendNamesService.call(ListBackendNamesService.Request())
print(backends)

This call uses the same backend discovery as schnee backends, so it also depends on a working PC/SC environment when the PC/SC backend is enabled.

Trademarks and Disclaimer

  • Trademarks: NTAG, MIFARE, and NXP are registered trademarks of NXP B.V. This project is an independent open-source implementation and is not affiliated with, endorsed by, or sponsored by NXP B.V.
  • Accuracy of Information: This SDK is developed based on publicly available datasheets. While every effort has been made to ensure the accuracy of the implementation, the author makes no guarantees regarding its suitability for any specific purpose.
  • Limitation of Liability: In no event shall the author be liable for any damages arising from the use of this software, including but not limited to hardware damage (NFC tags, readers, etc.), data loss, or "bricking" of tags due to incorrect AES key configuration or authentication failures. Use this software at your own risk.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

schnee-2026.5.10.tar.gz (84.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

schnee-2026.5.10-py3-none-any.whl (54.2 kB view details)

Uploaded Python 3

File details

Details for the file schnee-2026.5.10.tar.gz.

File metadata

  • Download URL: schnee-2026.5.10.tar.gz
  • Upload date:
  • Size: 84.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for schnee-2026.5.10.tar.gz
Algorithm Hash digest
SHA256 6cab3481128b27fd0fb1d08d00d9322e112f3ba2b423d505486fa13d68a8784b
MD5 8ba2725c39f2a70ea7e4799e401a9a04
BLAKE2b-256 c10a4b16589c9506c4964e0e0f0f7ad9445fff08b11f3ef1a241a47756323d9a

See more details on using hashes here.

Provenance

The following attestation bundles were made for schnee-2026.5.10.tar.gz:

Publisher: deploy.yaml on shinaji/schnee

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file schnee-2026.5.10-py3-none-any.whl.

File metadata

  • Download URL: schnee-2026.5.10-py3-none-any.whl
  • Upload date:
  • Size: 54.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for schnee-2026.5.10-py3-none-any.whl
Algorithm Hash digest
SHA256 557f0bbac96437a0f43c4c5f3e194146106c8a99f4e2f34935081fec16a88eb4
MD5 512082b6b14be8cd241c52f6aec70f43
BLAKE2b-256 04d1b00bafd88648134ffb56e6ef1599e0fa66c5f6b569e3485ea832d1d15af0

See more details on using hashes here.

Provenance

The following attestation bundles were made for schnee-2026.5.10-py3-none-any.whl:

Publisher: deploy.yaml on shinaji/schnee

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page