[DEV] Xposed module: KitKat Card-Emulation catch-all AID Routing


androcheck

Senior Member
Dec 7, 2009
236
413
john.zweng.at
[DEV] Xposed module: NFC Card-Emulation catch-all AID Routing

Hi!

This may be mainly interesting for developers.

Overview:
I created an Xposed module which allows a "catch-all" routing for KitKat's new Host-Card-Emulation feature. This means you can create a Host-Card-Emulation app which will receive ALL incoming APDUs (not only the ones for the AID your app has registered for).

This may not be useful at all but maybe it makes sense for debugging or checking which AID a specific card terminal is asking for.

Here's the code:
https://github.com/johnzweng/XposedModifyAidRouting




Details:
With Android 4.4 (KitKat) Google introduced NFC Host-Card-Emulation, which allows your phone to act as an NFC SmartCard. App developers can now create special apps which handle all the incoming NFC data packets and respond like an ISO 7816-4 SmartCard would.

However, the app developer has to declare explicitly which SmartCard application it wants to simulate in the app's Manifest file.

In more detail: each SmartCard application on a SmartCard is identified by a unique AID (application identifier). Usually a card terminal first sends a SELECT xxxxxxxxx message to the SmartCard where the xxxxxxx stands for the AID, and the SmartCard responds accordingly if it can handle this AID or not.

On a KitKat phone Android takes care of checking the AID value. So if the card terminal sends a SELECT xxxxxxxxx message, Android checks if there is any Card-Emulation app installed which has registered for this AID and if so it forwards this and all following APDU (ISO 7816-4 application protocol data unit) packets to this app.

Otherwise (if no app has registered this AID) it simply responds to the card terminal with an "Application not found" message and no app will ever be informed about the incoming APDU message.

What this Xposed module does:
If this module is enabled, it completely OVERRIDES the AID routing mechanism of Android. So ALL incoming APDUs for ALL application identifiers will be routed to the app which has registered the "special magic" AID "F04E66E75C02D8" (I just randomly chose this one). Even if there are other Card-Emulation apps installed which explicitly register for a specific AID, they will never get any APDU message.

So as an app developer, you can simply create a Host Card Emulation app as described here (https://developer.android.com/guide/topics/connectivity/nfc/hce.html) and register it for the special AID F04E66E75C02D8, and your app will receive all APDU packets for ANY AID value the card terminal may ever ask for.

All your APDUs are belong to us! :)



Edit:
I just added the module to the Xposed repository. Should now also be available in the Xposed installer app.
 

abuttino

Senior Member
Sep 12, 2006
2,234
415
Would this work to get Google Wallet working on NXP controllers?
 

androcheck

Senior Member
Dec 7, 2009
236
413
john.zweng.at
I don't know what "adup" stands for, but you definitely can record all AID requests.

If you implement your own HostApduService as described here, the very first APDU command your service will receive via this method:
Code:
@Override
public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
    // first APDU of a session: SELECT by AID (00 A4 04 00 Lc AID), e.g. 00A4040005F999999999
    ...
}
will always be the SELECT command containing the AID. So you simply can record all the requests there.
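As an added example (not code from the module's repository or from either poster), the following Java service shows the receiving side of what the first post describes and what the reply above suggests: it takes the first APDU of each session, checks that it really is a SELECT-by-AID command (the same shape as the logged line 00A4040005F999999999 further down in this thread), records the AID, and answers with the ISO 7816-4 "application not found" status word, which is what Android itself returns for an AID no app has registered. The package name, class name and the manifest snippet in the comment are assumptions; the catch-all AID F04E66E75C02D8 is the one the module routes to.

```java
package at.example.hce;  // hypothetical package name

import android.nfc.cardemulation.HostApduService;
import android.os.Bundle;
import android.util.Log;

import java.util.Arrays;

/**
 * Minimal HCE service that records the AID a terminal asks for.
 *
 * Assumed registration (AndroidManifest.xml points the service at an apduservice
 * XML resource); the aid-filter carries the module's catch-all AID:
 *
 *   <host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
 *       android:description="@string/service_desc"
 *       android:requireDeviceUnlock="false">
 *       <aid-group android:description="@string/aid_group_desc" android:category="other">
 *           <aid-filter android:name="F04E66E75C02D8"/>
 *       </aid-group>
 *   </host-apdu-service>
 */
public class AidRecorderService extends HostApduService {
    private static final String TAG = "AidRecorder";

    // ISO 7816-4 status words
    private static final byte[] SW_APP_NOT_FOUND = {(byte) 0x6A, (byte) 0x82}; // file or application not found
    private static final byte[] SW_INS_NOT_SUPPORTED = {(byte) 0x6D, 0x00};

    @Override
    public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
        Log.i(TAG, "C-APDU: " + toHex(apdu));
        byte[] aid = extractSelectAid(apdu);
        if (aid == null) {
            // Anything other than a well-formed SELECT-by-AID is not something we emulate.
            return SW_INS_NOT_SUPPORTED;
        }
        Log.i(TAG, "Terminal selected AID " + toHex(aid));
        // Record only: reply exactly as Android does for an unregistered AID, so the
        // terminal sees no application and does not continue a transaction with us.
        return SW_APP_NOT_FOUND;
    }

    @Override
    public void onDeactivated(int reason) {
        Log.i(TAG, "Deactivated, reason=" + reason);
    }

    /**
     * Returns the AID carried by a SELECT-by-name APDU (CLA=00 INS=A4 P1=04 P2 Lc AID [Le]),
     * or null if the APDU is not such a command or its body is truncated.
     */
    static byte[] extractSelectAid(byte[] apdu) {
        if (apdu == null || apdu.length < 5) return null;
        if (apdu[0] != 0x00 || apdu[1] != (byte) 0xA4 || apdu[2] != 0x04) return null;
        int lc = apdu[4] & 0xFF;
        // ISO 7816-4 AIDs are 5..16 bytes; reject lengths outside that or longer than the buffer
        if (lc < 5 || lc > 16 || apdu.length < 5 + lc) return null;
        return Arrays.copyOfRange(apdu, 5, 5 + lc);
    }

    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

The service only ever receives an APDU when the terminal selects the AID in its aid-filter, or when the module above redirects every SELECT to that AID. Answering 6A82 keeps the service passive: the AID is logged and the terminal is told nothing is there. Returning 90 00 instead would keep the session open so that the APDUs following the SELECT are logged as well, which is the "all incoming APDUs" case the first post describes.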
 

matthew5025

Senior Member
Dec 23, 2010
451
137
Thanks! I actually meant APDU.

Also, as part of the anti-collision process, the card will provide a UID. It seems the UID provided is randomly generated. Is there a way to specify a UID the phone should provide?
 

androcheck

Senior Member
Dec 7, 2009
236
413
john.zweng.at
As far as I can tell the UID seems not to be set anywhere in the Java part, but after skimming through the libnfc-nci I also found no clue where the random UID is set (or if it could be changed). But maybe I just missed it.

So for the moment I cannot tell you for sure if it's possible to change the UID but tend to believe it's not (but anybody should feel free to correct me in this point).
 

haskell_noob

New member
Jul 10, 2014
3
0
IllegalAccessException

I have been trying out your module, but keep getting the error IllegalAccessException on what appears to be this line:
Code:
Object resultInstanceAidResolveInfo = ctor.newInstance(registeredAidCacheInstance);
Is there any way around this?

Full logcat output:
Code:
07-11 13:50:27.456: D/Xposed(185): Starting Xposed binary version 58, compiled for SDK 16
07-11 13:50:27.456: D/Xposed(185): Phone: Nexus 7 (asus), Android version 4.4.3 (SDK 19)
07-11 13:50:27.456: D/Xposed(185): ROM: KTU84L
07-11 13:50:27.456: D/Xposed(185): Build fingerprint: google/razorg/deb:4.4.3/KTU84L/1148727:user/release-keys
07-11 13:50:27.456: I/Xposed(185): -----------------
07-11 13:50:27.456: I/Xposed(185): Added Xposed (/data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar) to CLASSPATH.
07-11 13:50:27.736: D/Xposed(185): Using structure member offsets for mode WITH_JIT
07-11 13:50:27.796: I/Xposed(185): Found Xposed class 'de/robv/android/xposed/XposedBridge', now initializing
07-11 13:50:28.237: I/Xposed(185): -----------------
07-11 13:50:28.237: I/Xposed(185): Jul 11, 2014 1:50:28 AM UTC
07-11 13:50:28.237: I/Xposed(185): Loading Xposed v54 (for Zygote)...
07-11 13:50:28.237: I/Xposed(185): Running ROM 'KTU84L' with fingerprint 'google/razorg/deb:4.4.3/KTU84L/1148727:user/release-keys'
07-11 13:50:28.337: I/Xposed(185): Loading modules from /data/app/at.zweng.xposed.modifyaidrouting-1.apk
07-11 13:50:28.557: I/Xposed(185):   Loading class at.zweng.xposed.ModNfcAidRouting
07-11 13:50:28.567: I/Xposed(185): Loading modules from /data/app/com.example.nfc_xposed_module_nfcmanager-1.apk
07-11 13:50:28.667: I/Xposed(185):   Loading class com.example.nfc_xposed_module_nfcmanager.ModEmulationManager
07-11 13:50:41.009: I/Xposed(921): ModNfcAidRouting: we are in com.android.nfc application. :) Will place method hooks.
07-11 13:50:41.019: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix() method hook in place! Let the fun begin! :)
07-11 13:50:41.019: I/Xposed(921): In the com.android.nfc application
07-11 13:50:41.019: I/Xposed(921): findSelectAid(byte[] ...) hook in place!
07-11 13:54:21.344: I/Xposed(921): Data:00A4040005F999999999
07-11 13:54:21.344: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix(..) was called. aid = F999999999
07-11 13:54:21.344: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix() error in beforeHookedMethod: 
07-11 13:54:21.344: I/Xposed(921): java.lang.IllegalAccessException: access to method denied
07-11 13:54:21.344: I/Xposed(921): access to method denied
07-11 13:54:21.344: I/Xposed(921): java.lang.IllegalAccessException: access to method denied
07-11 13:54:21.344: I/Xposed(921): 	at java.lang.reflect.Constructor.constructNative(Native Method)
07-11 13:54:21.344: I/Xposed(921): 	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
07-11 13:54:21.344: I/Xposed(921): 	at at.zweng.xposed.ModNfcAidRouting$1.beforeHookedMethod(ModNfcAidRouting.java:163)
07-11 13:54:21.344: I/Xposed(921): 	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:611)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.cardemulation.RegisteredAidCache.resolveAidPrefix(Native Method)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.cardemulation.HostEmulationManager.notifyHostEmulationData(HostEmulationManager.java:171)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.NfcService.onHostCardEmulationData(NfcService.java:349)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.dhimpl.NativeNfcManager.notifyHostEmuData(NativeNfcManager.java:421)
07-11 13:54:21.344: I/Xposed(921): 	at dalvik.system.NativeStart.run(Native Method)
 

bobberkarl

Member
Nov 25, 2013
5
0
APDU and AID Routing.

Hey, is there a way to catch all APDU sent?
Because with HCE, the first APDU sent must only be the "Select AID" command. I get that you'd need a custom ROM for that, but is there one already available?
 

iamdude

Senior Member
Jun 6, 2015
95
19
Maybe you should try something like an NFC Spy or NFCGate applications.

---
Sony Xperia A2 SO-04F (Japan version of Z1 Compact)
 

androcheck

Senior Member
Dec 7, 2009
236
413
john.zweng.at
Hi!

As far as I know, this is not possible. At least I didn't find anything in the Java code. But this was some time ago, I don't know if this has maybe changed in recent Android versions.
 

manuel-covas

New member
Jun 18, 2017
4
1
NoSuchMethod error, google changed the class?

Hey, I am trying to install this beauty of a module to start probing into the local urban transport system, but I keep getting an error when the hook is placed that it can't find the resolveAidPrefix method, and it never logs the success message.
I'm running Android 7.1.1 (OP3, OOS 4.5.1) and after checking the source the method really ain't there.

I was hoping you could provide some assistance since I'm really no expert.

The closest I could find was this:
[attached image not preserved]

And the error:
Code:
01-08 18:17:33.306 I/Xposed  (  795):   Loading class at.zweng.xposed.ModNfcAidRouting
01-08 18:17:53.899 I/Xposed  ( 2718): ModNfcAidRouting: we are in com.android.nfc application. :) Will place method hooks.
01-08 18:17:53.914 E/Xposed  ( 2718): java.lang.NoSuchMethodError: com.android.nfc.cardemulation.RegisteredAidCache#resolveAidPrefix(java.lang.String)#exact
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.XposedHelpers.findMethodExact(XposedHelpers.java:342)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.XposedHelpers.findAndHookMethod(XposedHelpers.java:183)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.XposedHelpers.findAndHookMethod(XposedHelpers.java:258)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at at.zweng.xposed.ModNfcAidRouting.handleLoadPackage(ModNfcAidRouting.java:245)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.IXposedHookLoadPackage$Wrapper.handleLoadPackage(IXposedHookLoadPackage.java:34)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.callbacks.XC_LoadPackage.call(XC_LoadPackage.java:61)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.callbacks.XCallback.callAll(XCallback.java:106)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.XposedInit$2.beforeHookedMethod(XposedInit.java:123)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:317)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at android.app.ActivityThread.handleBindApplication(<Xposed>)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at android.app.ActivityThread.-wrap2(ActivityThread.java)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1600)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at android.os.Handler.dispatchMessage(Handler.java:102)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at android.os.Looper.loop(Looper.java:154)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at android.app.ActivityThread.main(ActivityThread.java:6321)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at java.lang.reflect.Method.invoke(Native Method)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:886)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:776)
01-08 18:17:53.914 E/Xposed  ( 2718): 	at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:103)
 

androcheck

Senior Member
Dec 7, 2009
236
413
john.zweng.at
Hi! :)

The code was changed slightly in recent Android versions.
I've updated the module to version "0.4". Now it should work also with newer Android versions (as far as I see in the code it should also work with Android 9 now).

You can find the updated sourcecode here:
https://github.com/johnzweng/XposedModifyAidRouting

And the APK of the module:
either on Github: https://github.com/johnzweng/XposedModifyAidRouting/releases

or in the Xposed repo:
http://repo.xposed.info/module/at.zweng.xposed.modifyaidrouting
 

manuel-covas

New member
Jun 18, 2017
4
1
what can be done with this app?
Eli5 please.

Well, not much and a lot; it serves more as maybe an entrance into investigating any existing smartcard system to maybe find some flaws like I did.
Smartcards can hold many applications and when you bring one up to a reader (at least the ISO/IEC 14443 ones) the reader must first issue a SELECT command with the AID (application id) of the application it wants to channel further communications to.
So to emulate smartcards in Android, you must build an app with all required permissions but, most importantly, define in the manifest file the AIDs you want to listen to, so that when you bring your phone up to the reader and it sends the SELECT command, Android matches it to your app and you get a raw bytes pipe. And here lies the problem.
In my case (and most likely anybody else's) I didn't know the AID of the system I was looking at and almost had to bring an oscilloscope to the train station and attach a coil to it to listen in on the signal and literally see the AID in the waves, but luckily I found this module first, which goes in and modifies Android system code to redirect all AIDs to one that you know and allows you to quickly and simply write down the AID and then disable the module and listen to the correct AID. (And not get walked in on by the police.)
 

Top Liked Posts

  • 2
    Sorry for the very late reply. I fixed the "IllegalAccessException" problem. Updated code is already in Github and in the Xposed repository, available as version 0.2 :)