[FIX] NFC Card Emulation enabled for 2.3.4_r1


m0rtadelo

Member
Dec 7, 2010
11
5
I attach the patches I have created and that should be applied to stock AOSP 2.3.4_r1.

The patches enable card emulation mode on Nexus S (original credit goes to Nemik, who posted the first working patches on Android Developers Group). They are basically a rewrite of my own patches but allowing also SWP mode for UICC sporting a SE.

I modified the Settings application to add a pair of options related to NFC:
  • Card Emulation Only Mode. This disables the reader function. Card emulation mode is always enabled. Be careful because P2P mode may not work (not tested).
  • Use External Secure Element if Available. This makes the phone use the SE of the UICC, if available, instead of the embedded one.

To test card emulation, just approach your Nexus S to a Mifare compatible card reader. The embedded element (SmartMX) has a 4K Mifare card with stock keys (all FF).

As a bonus I also modified Bluetooth settings so the discoverable option makes the phone discoverable without stupid time limits.

Important BUGFIX Update 01/05/2012
The patch was not well created, since NFC was not enabled in the build process. You could see the NFC Settings but the options were not enabled. The corrected version has today's date.
 

Attachments

  • gb-2_3_4_r1-patches_nfc-ce_bt-fd-20120105.zip
    357.3 KB · Views: 4,072

bedalus

Guest
I would love to test this, but it's a catch-22 situation for me... AFAIK the only place in the UK that accepts contactless payment is McDonald's, and the only time I go to McDonald's is after a night of heavy drinking, so with a hangover there is no chance that I would be able to operate my phone.

Sent from the future to put right what once went wrong.
 

eiabea

Senior Member
Jun 28, 2010
521
23
Vienna
I think I don't really get it...

With this patch I can "store" an NFC card on my phone and use the phone instead of the card?? :confused:
 

m0rtadelo

Member
Dec 7, 2010
11
5
I think I don't really get it...

With this patch I can "store" an NFC card on my phone and use the phone instead of the card?? :confused:

Yes and no. With this patch you can enable card emulation mode for experimental purposes. With an external reader you can read/write the Mifare memory area inside the embedded secure element. If you happen to use Mifare Classic for a purpose (i.e. ticketing, transport), you know the map, and you know the keys, you can store a clone of the card you are using on your phone by means of an external reader.

You could load smartcard cardlets (to implement advanced smart card applications such as paywave/paypass, etc.) if you knew the smartcard access keys, but unfortunately they are only known by Google.

This hack is only intended for experimentation/research. Beware, do not use it if you do not know what card emulation is or what it is useful for.
 
  • Like
Reactions: ldnjoe

grippa

Senior Member
Feb 26, 2008
129
15
UK
This is great stuff. I've been waiting for something like this for a while. Are you in the UK? If so, do you have any idea about the Oyster card? I have a Visa paywave card as well. Is it possible to read these cards from the Nexus S and then emulate them? Also, can the NFC chip in the Nexus read 125kHz cards? I know that's out of the NFC standard range, just curious. Sorry for the number of questions, but if we could get this to work it would be the best use of this underused NFC chip! I'm on 2.3.6 though, I heard they enabled access to the secure element on this version.

Sent from my Nexus S using XDA App
 

m0rtadelo

Member
Dec 7, 2010
11
5
This is great stuff. I've been waiting for something like this for a while. Are you in the UK? If so, do you have any idea about the Oyster card? I have a Visa paywave card as well. Is it possible to read these cards from the Nexus S and then emulate them? Also, can the NFC chip in the Nexus read 125kHz cards? I know that's out of the NFC standard range, just curious. Sorry for the number of questions, but if we could get this to work it would be the best use of this underused NFC chip! I'm on 2.3.6 though, I heard they enabled access to the secure element on this version.

Sent from my Nexus S using XDA App

Well, answering your questions... No, I am not in the UK, but I have heard about the Oyster card. In fact I work developing ticketing systems. It used to be a plain Mifare Classic 1K but Wikipedia states it has been replaced by Mifare DESFire. The embedded secure element of the Nexus S sports a Mifare 4K, which is backwards compatible with Mifare Classic 1K. Mifare DESFire is a different story. Classic Mifare cards are memory cards divided into sectors that require a key authentication against each sector. Every sector has two keys, one usually configured for reading and the other one configured for writing. Real world ticketing systems usually configure different keys for every card. These keys could be derived from the CSN of the card using hardware encryption modules (such as SAMs). However I have seen real systems working with prefixed keys for all the cards (which is just insane).

All that being said, you could theoretically configure the embedded Mifare 4K card to work as a plain old Oyster card, which is nowadays useless. I said theoretically because you should know the map of the card (how to write the correct values in the correct blocks) and the matching keys for your card. If you knew how to get the matching keys (read and write keys), obviously the security of the system would be broken.

You said something about reading cards. The Nexus S can act as a reader and in card emulation mode. To read cards you need to know the read keys, which usually are not public either.

I do not know how Visa Paywave works, but I guess it is a command (APDU) based card. The same happens here. You won't even have access to the card application to copy it to another card. In fact card applications (cardlets) cannot be extracted from cards, only replaced or deleted.

Paypass can work with Google's Wallet because Visa itself installs its cardlets on the embedded element of the Nexus S, surely via some kind of TSM service provided by Google (who owns the access keys to load new cardlets).
 
  • Like
Reactions: mcfrost
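The sector and key structure described above can be checked on a card dump before trusting a deployment. The following C helper is an added example, not part of the posted patches: it decodes a MIFARE Classic sector trailer using the access-condition tables from the MF1S50 datasheet, verifies the inverted-nibble integrity of the access bits, and flags the two weak states mentioned in this thread (keys still at the stock all-FF value, and key B readable with key A). The trailer bytes are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not from the posted patches: decode a MIFARE Classic sector
 * trailer (bytes 0-5 key A, 6-8 access bits, 9 GPB, 10-15 key B) from a dump. */
struct trailer_info {
    int valid;           /* inverted and non-inverted C-bit nibbles agree */
    uint8_t c[4];        /* C1C2C3 of blocks 0..3, packed as (C1<<2)|(C2<<1)|C3 */
    int key_b_readable;  /* key B can be read back with key A: it is no secret */
    int transport_keys;  /* both keys still FF FF FF FF FF FF (stock state) */
};

/* Data-block permissions indexed by C1C2C3 (MF1S50 datasheet tables). */
static const char *const DATA_BLOCK_RULES[8] = {
    [0] = "read A|B, write A|B, inc A|B, dec A|B (transport)",
    [1] = "read A|B, write never, inc never, dec A|B",
    [2] = "read A|B, write never, inc never, dec never",
    [3] = "read B, write B, inc never, dec never",
    [4] = "read A|B, write B, inc never, dec never",
    [5] = "read B, write never, inc never, dec never",
    [6] = "read A|B, write B, inc B, dec A|B",
    [7] = "read never, write never, inc never, dec never",
};

struct trailer_info decode_trailer(const uint8_t t[16])
{
    static const uint8_t ff[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    struct trailer_info info = {0};
    uint8_t b7 = t[7], b8 = t[8], nb6 = (uint8_t)~t[6], nb7 = (uint8_t)~b7;
    /* Byte 6 = ~C2|~C1, byte 7 = C1|~C3, byte 8 = C3|C2; each nibble must match
     * its inverted twin, otherwise the chip makes the sector inaccessible. */
    info.valid = (nb6 & 0x0F) == (b7 >> 4) && (nb6 >> 4) == (b8 & 0x0F) &&
                 (nb7 & 0x0F) == (b8 >> 4);
    for (int i = 0; i < 4; i++) {
        int c1 = (b7 >> (4 + i)) & 1;
        int c2 = (b8 >> i) & 1;
        int c3 = (b8 >> (4 + i)) & 1;
        info.c[i] = (uint8_t)((c1 << 2) | (c2 << 1) | c3);
    }
    /* Trailer conditions 000, 001 and 010 let key B be read back. */
    info.key_b_readable = info.c[3] <= 2;
    info.transport_keys = memcmp(t, ff, 6) == 0 && memcmp(t + 10, ff, 6) == 0;
    return info;
}

int main(void)
{
    /* Constructed sample: the stock trailer (keys all FF, access bits FF 07 80). */
    const uint8_t stock[16] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x07, 0x80,
                               0x69, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    struct trailer_info info = decode_trailer(stock);
    printf("valid=%d transport_keys=%d key_b_readable=%d block0: %s\n", info.valid,
           info.transport_keys, info.key_b_readable, DATA_BLOCK_RULES[info.c[0]]);
    return 0;
}
```

A trailer in the stock state reports both flags set; a production trailer such as access bits 78 77 88 with non-default keys reports neither, and a tampered access-bit byte fails the integrity check.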

remi.serriere

New member
Oct 17, 2007
1
0
Hi everyone,

I just found this thread on another website (don't remember which one btw)... And I'm wondering something...

Here at work, we have RFID cards for opening the door, Mifare 4k I think.
We also have the writer so we can program cards when we need one or two...

So could I use our writer on my Nexus S so I could open the door with my phone?
 

mad_vtak

Senior Member
Aug 16, 2007
349
5
Memfrica
Hi everyone,

I just found this thread on another website (don't remember which one btw)... And I'm wondering something...

Here at work, we have RFID cards for opening the door, Mifare 4k I think.
We also have the writer so we can program cards when we need one or two...

So could I use our writer on my Nexus S so I could open the door with my phone?

This is what I am after, would this ever be possible?
 

b0ngokarl

Member
Sep 14, 2010
26
1
I attach the patches I have created and that should be applied to stock AOSP 2.3.4_r1.

The patches enable card emulation mode on Nexus S (original credit goes to Nemik, who posted the first working patches on Android Developers Group). They are basically a rewrite of my own patches but allowing also SWP mode for UICC sporting a SE.

I modified the Settings application to add a pair of options related to NFC:
  • Card Emulation Only Mode. This disables the reader function. Card emulation mode is always enabled. Be careful because P2P mode may not work (not tested).
  • Use External Secure Element if Available. This makes the phone use the SE of the UICC, if available, instead of the embedded one.

To test card emulation, just approach your Nexus S to a Mifare compatible card reader. The embedded element (SmartMX) has a 4K Mifare card with stock keys (all FF).

As a bonus I also modified Bluetooth settings so the discoverable option makes the phone discoverable without stupid time limits.

Guess you used the SmartMX Java applet to emulate?

Is this the part where UID is generated?

Code:
/*
 *  Utility to recover UID from target infos
 */
static phNfc_sData_t get_target_uid(phLibNfc_sRemoteDevInformation_t *psRemoteDevInfo)
{
    phNfc_sData_t uid;

    switch(psRemoteDevInfo->RemDevType)
    {
    case phNfc_eISO14443_A_PICC:
    case phNfc_eISO14443_4A_PICC:
    case phNfc_eISO14443_3A_PICC:
    case phNfc_eMifare_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Iso14443A_Info.Uid;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Iso14443A_Info.UidLength;
        break;
    case phNfc_eISO14443_B_PICC:
    case phNfc_eISO14443_4B_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Iso14443B_Info.AtqB.AtqResInfo.Pupi;
        uid.length = sizeof(psRemoteDevInfo->RemoteDevInfo.Iso14443B_Info.AtqB.AtqResInfo.Pupi);
        break;
    case phNfc_eFelica_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Felica_Info.IDm;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Felica_Info.IDmLength;
        break;
    case phNfc_eJewel_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Jewel_Info.Uid;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Jewel_Info.UidLength;
        break;
    case phNfc_eISO15693_PICC:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.Iso15693_Info.Uid;
        uid.length = psRemoteDevInfo->RemoteDevInfo.Iso15693_Info.UidLength;
        break;
    case phNfc_eNfcIP1_Target:
    case phNfc_eNfcIP1_Initiator:
        uid.buffer = psRemoteDevInfo->RemoteDevInfo.NfcIP_Info.NFCID;
        uid.length = psRemoteDevInfo->RemoteDevInfo.NfcIP_Info.NFCID_Length;
        break;
    default:
        uid.buffer = NULL;
        uid.length = 0;
        break;
    }

    return uid;
}

Is it possible to tell the app to emulate a UID, e.g. AA BB CC DD?

Kind regards

Jonas
 
  • Like
Reactions: softy007

shailentj

Member
Mar 9, 2011
21
5
Bremen
This is a real hacker method. I went through the patches. The main modifications are in the NFCService.java file.

Side question:

Why does the ID of the eSE (embedded Secure Element) change all the time with an unhacked phone?

With this hack, the ID of my eSE is 4246981811.

In the source code however, it appears that the ID is hard coded to 11259375. I used the patches provided here. Why do I get a different ID?
 
