Topic: 14443 Type B - U.S Passport - Difficulties reading it with PN532

I am trying to read a US Passport, issued 2010. It has an NFC chip in it using type B modulation. Most countries use Type A so I am just trying Type B now for the first time.

I am using an NXP PN532 NFC Controller. I am using the inCommunicateThru instruction rather than the inDataExchange since I need to manually control the timeouts and error handling to successfully talk to a type B chip on this model NFC controller. I had to implement parts of the ISO-14443-4 protocol myself, such as the PCB, CID and CRC bytes, however it seems to work. I am able to select the application and request a challenge nonce from the tag.

The Get Challenge command is weird with this passport in that setting Le to 0x08 as per the ICAO spec yields a 6700 error, but with Le=0x00, too many bytes returned. Using inDataExchange (not inCommunicateThru) to get the challenge works (as in, I get 8 bytes). This way I don't have to guess which 8 bytes are the challenge.

So great, now I with the challenge and the static public key in hand, I can execute the mutual authenticate instruction with the extended timeout mode and get the response bytes. The INS is 0x82, P1,P2 = 0x00, Le,Lc=0x28

The result is that I get back a 0x00 from the PN532 (NFC controller), but no return bytes! Not even SW1 or SW2. Below is an example:

Sending Type 4B Frame: 0A 01 00 82 00 00 28 73 3D 4E 2E C1 37 18 99 49 7C 4B 2A E0 79 A8 08 E2 6B 14 53 56 2C A4 66 D5 3E D8 94 56 79 50 2A 0D 6B C6 9A 75 5E B1 CB 28 11 75

Type 4B Response Frame Received: D5 43 00

The ITALIC bytes are the protocol bytes, the BOLD are the actual APDU

Does anyone know what the idiosyncrasies are in the U.S MRTD Passport issued 2008-2010?