
[FIX] NFC Card Emulation enabled for 2.3.4_r1

 
m0rtadelo
(Last edited by m0rtadelo; 5th January 2012 at 12:08 PM.)
#1
Junior Member - OP

I attach the patches I have created and that should be applied to stock AOSP 2.3.4_r1.

The patches enable card emulation mode on Nexus S (original credit goes to Nemik, who posted the first working patches on Android Developers Group). They are basically a rewrite of my own patches, but also allowing SWP mode for UICCs sporting an SE.

I modified the Settings application to add a pair of options related to NFC:
  • Card Emulation Only Mode. This disables the reader function. Card emulation mode is always enabled. Be careful because P2P mode may not work (not tested).
  • Use External Secure Element if Available. This makes the phone use the SE of the UICC, if available, instead of the embedded one.

To test card emulation, just bring your Nexus S close to a Mifare-compatible card reader. The embedded element (SmartMX) has a 4K Mifare card with stock keys (all FF).

As a bonus I also modified the Bluetooth settings so the discoverable option makes the phone discoverable without stupid time limits.

Important BUGFIX Update 01/05/2012
The patch was not well created, since NFC was not enabled in the build process. You could see the NFC settings but the options were not enabled. The corrected version has today's date.
Attached Files
File Type: zip gb-2_3_4_r1-patches_nfc-ce_bt-fd-20120105.zip (357.3 KB, 2393 views)
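The stock keys mentioned in the post above (all FF) are the state a card issuer has to replace before a card goes into service. The following is an added example, not part of the original post or its patches: it walks the 40 sector trailers of a Mifare Classic 4K image and flags stock keys and inconsistent access bits. The image built in `sample_image()`, its keys and all function names are constructed for illustration.

```python
BLOCK = 16                                  # bytes per block
DEFAULT_KEY = bytes([0xFF] * 6)             # stock key, all FF


def trailer_blocks():
    """Yield (sector, block index of its trailer) for a Mifare Classic 4K."""
    for sector in range(32):                # sectors 0-31 hold 4 blocks each
        yield sector, sector * 4 + 3
    for sector in range(32, 40):            # sectors 32-39 hold 16 blocks each
        yield sector, 128 + (sector - 32) * 16 + 15


def access_bits_consistent(b6, b7, b8):
    """Each access bit is stored plain and inverted; the copies must agree."""
    return ((b6 & 0x0F) == ((b7 >> 4) ^ 0x0F) and      # C1
            (b6 >> 4) == ((b8 & 0x0F) ^ 0x0F) and      # C2
            (b7 & 0x0F) == ((b8 >> 4) ^ 0x0F))         # C3


def audit(image):
    """Return (sector, finding) pairs for every weak sector trailer."""
    if len(image) != 256 * BLOCK:
        raise ValueError("a Mifare Classic 4K image is 4096 bytes")
    findings = []
    for sector, block in trailer_blocks():
        # Trailer layout: key A (6), access bits (3), user byte (1), key B (6)
        trailer = image[block * BLOCK:(block + 1) * BLOCK]
        key_a, access, key_b = trailer[:6], trailer[6:9], trailer[10:]
        if key_a == DEFAULT_KEY:
            findings.append((sector, "key A is the stock key"))
        if key_b == DEFAULT_KEY:
            findings.append((sector, "key B is the stock key"))
        if not access_bits_consistent(*access):
            findings.append((sector, "access bits are inconsistent"))
    return findings


def sample_image():
    """Constructed image: stock trailers everywhere, sector 1 personalised."""
    image = bytearray(256 * BLOCK)
    stock = DEFAULT_KEY + bytes.fromhex("ff078069") + DEFAULT_KEY
    for _, block in trailer_blocks():
        image[block * BLOCK:(block + 1) * BLOCK] = stock
    image[7 * BLOCK:8 * BLOCK] = bytes.fromhex(   # made-up keys for sector 1
        "a1b2c3d4e5f6" "7f078869" "0102030405f6")
    return bytes(image)


if __name__ == "__main__":
    for sector, finding in audit(sample_image()):
        print("sector %2d: %s" % (sector, finding))
```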

bedalus
#2
I would love to test this, but it's a catch 22 situation for me... AFAIK the only place in the UK that accepts contactless payment is McDonalds, and the only time I go to McDonalds is after a night of heavy drinking, so with a hangover there is no chance that I would be able to operate my phone.

Sent from the future to put right what once went wrong.
 
eiabea
#3
I think I don't really get it...

With this patch I can "store" an NFC card on my phone and use the phone instead of the card??
Galaxy Nexus GSM
ROM: Jelly Bean
Kernel: franco.Kernel
 
m0rtadelo
#4
Quote:
Originally Posted by eiabea
I think I don't really get it...

With this patch I can "store" an NFC card on my phone and use the phone instead of the card??

Yes and No. With this patch you can enable card emulation mode for experimental purposes. With an external reader you can read/write the Mifare memory area inside the embedded secure element. If you happen to use Mifare Classic for a purpose (i.e. ticketing transport), you know the map, and you know the keys, you can store a clone of the card you are using on your phone by means of an external reader.

You could load smartcard cardlets (to implement advanced smart card applications such as paywave/paypass, etc.) if you knew the smartcard access keys, but unfortunately they are only known by Google.

This hack is only intended for experimentation/research. Beware, do not use it if you do not know what card emulation is or what it is useful for.
 
grippa
#5
This is great stuff. I've been waiting for something like this for a while. Are you in the UK? If so, do you have any idea about the Oyster card? I have a Visa paywave card as well. Is it possible to read these cards from the Nexus S and then emulate them? Also, can the NFC chip in the Nexus read 125 kHz cards? I know that's out of the NFC standard range, just curious. Sorry for the number of questions, but if we could get this to work it would be the best use of this underused NFC chip! I'm on 2.3.6 though, I heard they enabled access to the secure element on this version.

Sent from my Nexus S using XDA App
 
m0rtadelo
#6
Quote:
Originally Posted by grippa
This is great stuff. I've been waiting for something like this for a while. Are you in the UK? If so, do you have any idea about the Oyster card? I have a Visa paywave card as well. Is it possible to read these cards from the Nexus S and then emulate them? Also, can the NFC chip in the Nexus read 125 kHz cards? I know that's out of the NFC standard range, just curious. Sorry for the number of questions, but if we could get this to work it would be the best use of this underused NFC chip! I'm on 2.3.6 though, I heard they enabled access to the secure element on this version.

Sent from my Nexus S using XDA App

Well, answering your questions... No, I am not in the UK, but I have heard about the Oyster card. In fact I work developing ticketing systems. It used to be a plain Mifare Classic 1K but Wikipedia states it has been replaced by Mifare DESFire. The embedded secure element of the Nexus S sports a Mifare 4K, which is backwards compatible with Mifare Classic 1K. Mifare DESFire is a different story. Classic Mifare cards are memory cards divided into sectors that require key authentication against each sector. Every sector has two keys, one usually configured for reading and the other one configured for writing. Real-world ticketing systems usually configure different keys for every card. These keys could be derived from the CSN of the card using hardware encryption modules (such as SAMs). However, I have seen real systems working with prefixed keys for all the cards (which is just insane).

All that being said, you could theoretically configure the embedded Mifare 4K card to work as a plain old Oyster card, which is nowadays useless. I said theoretically because you should know the map of the key (how to write the correct values in the correct blocks) and the matching keys for your card. If you knew how to get the matching keys (read and write keys) obviously the security of the system would be broken.

You said something about reading cards. Nexus S can act as a reader and in card emulation mode. To read cards you need to know the read keys, which usually are not public either.

I do not know how Visa Paywave works, but I guess it is a command (APDU) based card. The same happens here. You won't even have access to the card application to copy it to another card. In fact card applications (cardlets) cannot be extracted from cards, only replaced or deleted.

Paypass can work with Google's Wallet because Visa itself installs its cardlets on the embedded element of the Nexus S, surely via some kind of TSM service provided by Google (who owns the access keys to load new cardlets).
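The per-card key derivation described in the post above, contrasted with one fixed key set shared by every card, as an added example that is not part of the original thread or of any ticketing product. HMAC-SHA256 stands in for the derivation a SAM would perform in hardware; the master key, the two CSNs and all function names are constructed for illustration.

```python
import hashlib
import hmac

DEFAULT_KEY = bytes([0xFF] * 6)   # transport key, the "all FF" stock key
SECTORS = 40                      # a Mifare Classic 4K card has 40 sectors


def diversify(master_key, csn, sector, key_type):
    """Derive one 6-byte sector key from the card serial number (CSN).

    Assumption: HMAC-SHA256 stands in for the keyed derivation a SAM
    would perform in hardware; the master key never leaves that module.
    """
    if key_type not in ("A", "B") or not 0 <= sector < SECTORS:
        raise ValueError("bad sector or key type")
    msg = bytes([sector]) + key_type.encode() + csn
    return hmac.new(master_key, msg, hashlib.sha256).digest()[:6]


def card_keys(master_key, csn):
    """All 80 keys (A and B for each sector) for one card."""
    return {(s, t): diversify(master_key, csn, s, t)
            for s in range(SECTORS) for t in "AB"}


def audit_fleet(fleet):
    """fleet maps CSN -> {(sector, type): key}. Return weak-key findings."""
    findings, first_seen = [], {}
    for csn in sorted(fleet):
        for slot, key in sorted(fleet[csn].items()):
            owner = first_seen.setdefault((slot, key), csn)
            if key == DEFAULT_KEY:
                findings.append((csn.hex(), slot, "transport key"))
            elif owner != csn:
                findings.append((csn.hex(), slot, "same key as card " + owner.hex()))
    return findings


# Constructed sample data: a made-up master key and two made-up 4-byte CSNs.
MASTER = bytes(range(16))
CSNS = [bytes.fromhex("04a1b2c3"), bytes.fromhex("04d4e5f6")]
DIVERSIFIED = {c: card_keys(MASTER, c) for c in CSNS}
FIXED = {c: card_keys(MASTER, b"\x00" * 4) for c in CSNS}  # one key set for all

if __name__ == "__main__":
    print(len(audit_fleet(DIVERSIFIED)), "findings with per-card keys")
    print(len(audit_fleet(FIXED)), "findings with one fixed key set")
```

With diversified keys, recovering the keys of one card says nothing about the next card; with the fixed set, every slot of the second card is reported as shared.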
 
remi.serriere
#7
Hi everyone,

I just found this thread on another website (don't remember which one btw)... And I'm wondering something...

Here at work, we have RFID cards for opening the door, Mifare 4k I think.
We also have the writer so we can program cards when we need one or two...

So could I use our writer on my Nexus S so I could open the door with my phone?
 
mad_vtak
#8
Quote:
Originally Posted by remi.serriere
Hi everyone,

I just found this thread on another website (don't remember which one btw)... And I'm wondering something...

Here at work, we have RFID cards for opening the door, Mifare 4k I think.
We also have the writer so we can program cards when we need one or two...

So could I use our writer on my Nexus S so I could open the door with my phone?

This is what I am after, would this ever be possible?
 
b0ngokarl
#9
Quote:
Originally Posted by m0rtadelo
I attach the patches I have created and that should be applied to stock AOSP 2.3.4_r1.

The patches enable card emulation mode on Nexus S (original credit goes to Nemik, who posted the first working patches on Android Developers Group). They are basically a rewrite of my own patches, but also allowing SWP mode for UICCs sporting an SE.

I modified the Settings application to add a pair of options related to NFC:
  • Card Emulation Only Mode. This disables the reader function. Card emulation mode is always enabled. Be careful because P2P mode may not work (not tested).
  • Use External Secure Element if Available. This makes the phone use the SE of the UICC, if available, instead of the embedded one.

To test card emulation, just bring your Nexus S close to a Mifare-compatible card reader. The embedded element (SmartMX) has a 4K Mifare card with stock keys (all FF).

As a bonus I also modified the Bluetooth settings so the discoverable option makes the phone discoverable without stupid time limits.

Guess you used the SmartMX Java applet to emulate?

Is this the part where UID is generated?

Code:
/*
 *  Utility to recover UID from target infos
 */
static phNfc_sData_t get_target_uid(phLibNfc_sRemoteDevInformation_t *psRemoteDevInfo)
{
    phNfc_sData_t uid;

    switch(psRemoteDevInfo->RemDevType)
    {
    case phNfc_eISO14443_A_PICC:
    case phNfc_eISO14443_4A_PICC:
    case phNfc_eISO14443_3A_PICC:
    case phNfc_eMifare_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Iso14443A_Info.Uid;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Iso14443A_Info.UidLength;
        break;
    case phNfc_eISO14443_B_PICC:
    case phNfc_eISO14443_4B_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Iso14443B_Info.AtqB.AtqResInfo.Pupi;
        uid.length = sizeof(psRemoteDevInfo->RemoteDevInfo.Iso14443B_Info.AtqB.AtqResInfo.Pupi);
        break;
    case phNfc_eFelica_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Felica_Info.IDm;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Felica_Info.IDmLength;
        break;
    case phNfc_eJewel_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Jewel_Info.Uid;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Jewel_Info.UidLength;
        break;
    case phNfc_eISO15693_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Iso15693_Info.Uid;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Iso15693_Info.UidLength;
        break;
    case phNfc_eNfcIP1_Target:
    case phNfc_eNfcIP1_Initiator:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.NfcIP_Info.NFCID;
        uid.length = psRemoteDevInfo->RemoteDevInfo.NfcIP_Info.NFCID_Length;
        break;
    default:
        uid.buffer = NULL;
        uid.length = 0;
        break;
    }

    return uid;
}
Is it possible to tell the app to emulate UID i.e. AA BB CC DD?

Kind regards

Jonas
 
softy007
#10
I can see the NFC settings changed in the application. Thanks.
See here for the steps for applying patches and building the Android and flashing it on Nexus S. All credit goes to the patch writer.

Rgds,
Softy
