
[DEV] Xposed module: KitKat Card-Emulation catch-all AID Routing

androcheck
(Last edited by androcheck; 17th December 2013 at 10:11 AM.)
#1  

Hi!

This may be mainly interesting for developers.

Overview:
I created an Xposed module which allows a "catch-all" routing for KitKat's new Host-Card-Emulation feature. This means you can create a Host-Card-Emulation app which will receive ALL incoming APDUs (not only the ones for the AID your app has registered for).

This may not be useful at all but maybe it makes sense for debugging or checking which AID a specific card terminal is asking for.

Here's the code:
https://github.com/johnzweng/XposedModifyAidRouting




Details:
With Android 4.4 (KitKat) Google introduced NFC Host-Card-Emulation, which allows your phone to act as an NFC SmartCard. App developers can now create special apps which handle all the incoming NFC data packets and respond like an ISO 7816-4 SmartCard would.

However, the app developer has to declare explicitly which SmartCard application it wants to simulate in the app's Manifest file.

In more detail: each SmartCard application on a SmartCard is identified by a unique AID (application identifier). Usually a card terminal first sends a SELECT xxxxxxxxx message to the SmartCard where the xxxxxxx stands for the AID, and the SmartCard responds accordingly if it can handle this AID or not.

On a KitKat phone Android takes care of checking the AID value. So if the card terminal sends a SELECT xxxxxxxxx message, Android checks if there is any Card-Emulation app installed which has registered for this AID and if so it forwards this and all following APDU (ISO 7816-4 application protocol data unit) packets to this app.

Otherwise (if no app has registered this AID) it simply responds to the card terminal with an Application not found message and no app will ever be informed about the incoming APDU message.

What this Xposed module does:
If this module is enabled, it completely OVERRIDES the AID routing mechanism of Android. So ALL incoming APDUs for ALL application identifiers will be routed to the app which has registered the "special magic" AID "F04E66E75C02D8" (I just randomly chose this one.) Even if there are other Card-Emulation apps installed which explicitly register for a specific AID, they will never get any APDU message.

So as an app developer, you can simply create a Host Card Emulation app as described here (https://developer.android.com/guide/...y/nfc/hce.html) and register it for the special AID F04E66E75C02D8, and your app will receive all APDU packets for ANY AID value the card terminal may ever ask for.

All your APDUs are belong to us!



Edit:
I just added the module to the Xposed repository. It should now also be available in the Xposed installer app.
 
abuttino
#2  
Would this work to get Google Wallet working on NXP controllers?
 
Entropy512
#3  
Quote:
Originally Posted by abuttino View Post
Would this work to get Google Wallet working on NXP controllers?
No.
 
matthew5025
#4  
Would it be possible to record the aid / adup requests?
 
androcheck
#5  
I don't know what "adup" stands for, but you definitely can record all AID requests.

If you implement your own HostApduService as described here, the very first APDU command your service will receive via this method:
Code:
@Override
public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
    ...
}
will always be the SELECT command containing the AID. So you simply can record all the requests there.
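As an added illustration (not code from this thread or from the XposedModifyAidRouting module) of the routing described in the first post and the AID recording described above, here is a small Python model: it parses a SELECT-by-name APDU such as the 00A4040005F999999999 seen in the logcat later in the thread, keeps a list of every requested AID, and routes either to the app registered for that AID, to the catch-all app when the module is active, or answers the terminal itself. The status word 6A82 (ISO 7816-4 "file or application not found") is assumed here as the concrete form of the "Application not found" response, and the service names and the AID F0112233445566 are constructed sample values.

```python
# Model of KitKat HCE AID routing as described in the thread, plus the
# module's catch-all override. Added illustration, not the module's code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CATCHALL_AID = "F04E66E75C02D8"   # the "magic" AID chosen in the first post
SW_APP_NOT_FOUND = "6A82"         # assumed ISO 7816-4 "application not found"


def parse_select_aid(apdu_hex: str) -> Optional[str]:
    """Return the AID carried by a SELECT-by-name APDU (CLA=00 INS=A4 P1=04),
    or None if the APDU is not such a SELECT or its data field is truncated."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5 or apdu[0] != 0x00 or apdu[1] != 0xA4 or apdu[2] != 0x04:
        return None
    lc = apdu[4]                      # length of the AID that follows
    if lc == 0 or len(apdu) < 5 + lc:
        return None                   # malformed: declared AID is not all there
    return apdu[5:5 + lc].hex().upper()


@dataclass
class AidRouter:
    """registered maps AID -> HCE service name, as declared in app manifests."""
    registered: Dict[str, str] = field(default_factory=dict)
    catchall_enabled: bool = False                        # True: module active
    seen_aids: List[str] = field(default_factory=list)    # every AID requested

    def route(self, apdu_hex: str) -> Optional[str]:
        """Service that receives this SELECT (and all following APDUs),
        or None if the framework answers the terminal itself."""
        aid = parse_select_aid(apdu_hex)
        if aid is None:
            return None
        self.seen_aids.append(aid)    # what a logging HostApduService records
        if self.catchall_enabled and CATCHALL_AID in self.registered:
            return self.registered[CATCHALL_AID]   # every AID goes to one app
        return self.registered.get(aid)            # stock per-AID routing

    def dispatch(self, apdu_hex: str) -> Tuple[Optional[str], Optional[str]]:
        """(service, status word): exactly one is set."""
        service = self.route(apdu_hex)
        return (service, None) if service else (None, SW_APP_NOT_FOUND)


if __name__ == "__main__":
    # constructed sample: one normal HCE app plus the catch-all app
    router = AidRouter({"F0112233445566": "ExampleService",
                        CATCHALL_AID: "CatchAllService"})
    print(router.dispatch("00A4040005F999999999"))   # stock: (None, '6A82')
    router.catchall_enabled = True
    print(router.dispatch("00A4040005F999999999"))   # module: CatchAllService
```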
 
matthew5025
#6  
Thanks! I actually meant APDU.

Also, as part of the anti-collision process, the card will provide a UID. It seems the UID provided is randomly generated. Is there a way to specify a UID the phone should provide?
 
androcheck
#7  
Quote:
Originally Posted by matthew5025 View Post
Thanks! I actually meant APDU.

Also, as part of the anti-collision process, the card will provide a UID. It seems the UID provided is randomly generated. Is there a way to specify a UID the phone should provide?
As far as I can tell the UID seems not to be set anywhere in the Java part, but after skimming through libnfc-nci I also found no clue where the random UID is set (or whether it could be changed). But maybe I just missed it.

So for the moment I cannot tell you for sure whether it's possible to change the UID, but I tend to believe it's not (anybody should feel free to correct me on this point).
 
qman66
#8  
Can this enable Google Wallet on a Verizon Note 3 with KitKat?
 
androcheck
#9  
No sorry, unfortunately not.
 
haskell_noob
#10  
IllegalAccessException

I have been trying out your module, but keep getting the error IllegalAccessException on what appears to be this line:
Code:
Object resultInstanceAidResolveInfo = ctor.newInstance(registeredAidCacheInstance);
Is there any way around this?

Full logcat output:
Code:
07-11 13:50:27.456: D/Xposed(185): Starting Xposed binary version 58, compiled for SDK 16
07-11 13:50:27.456: D/Xposed(185): Phone: Nexus 7 (asus), Android version 4.4.3 (SDK 19)
07-11 13:50:27.456: D/Xposed(185): ROM: KTU84L
07-11 13:50:27.456: D/Xposed(185): Build fingerprint: google/razorg/deb:4.4.3/KTU84L/1148727:user/release-keys
07-11 13:50:27.456: I/Xposed(185): -----------------
07-11 13:50:27.456: I/Xposed(185): Added Xposed (/data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar) to CLASSPATH.
07-11 13:50:27.736: D/Xposed(185): Using structure member offsets for mode WITH_JIT
07-11 13:50:27.796: I/Xposed(185): Found Xposed class 'de/robv/android/xposed/XposedBridge', now initializing
07-11 13:50:28.237: I/Xposed(185): -----------------
07-11 13:50:28.237: I/Xposed(185): Jul 11, 2014 1:50:28 AM UTC
07-11 13:50:28.237: I/Xposed(185): Loading Xposed v54 (for Zygote)...
07-11 13:50:28.237: I/Xposed(185): Running ROM 'KTU84L' with fingerprint 'google/razorg/deb:4.4.3/KTU84L/1148727:user/release-keys'
07-11 13:50:28.337: I/Xposed(185): Loading modules from /data/app/at.zweng.xposed.modifyaidrouting-1.apk
07-11 13:50:28.557: I/Xposed(185):   Loading class at.zweng.xposed.ModNfcAidRouting
07-11 13:50:28.567: I/Xposed(185): Loading modules from /data/app/com.example.nfc_xposed_module_nfcmanager-1.apk
07-11 13:50:28.667: I/Xposed(185):   Loading class com.example.nfc_xposed_module_nfcmanager.ModEmulationManager
07-11 13:50:41.009: I/Xposed(921): ModNfcAidRouting: we are in com.android.nfc application. :) Will place method hooks.
07-11 13:50:41.019: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix() method hook in place! Let the fun begin! :)
07-11 13:50:41.019: I/Xposed(921): In the com.android.nfc application
07-11 13:50:41.019: I/Xposed(921): findSelectAid(byte[] ...) hook in place!
07-11 13:54:21.344: I/Xposed(921): Data:00A4040005F999999999
07-11 13:54:21.344: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix(..) was called. aid = F999999999
07-11 13:54:21.344: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix() error in beforeHookedMethod: 
07-11 13:54:21.344: I/Xposed(921): java.lang.IllegalAccessException: access to method denied
07-11 13:54:21.344: I/Xposed(921): access to method denied
07-11 13:54:21.344: I/Xposed(921): java.lang.IllegalAccessException: access to method denied
07-11 13:54:21.344: I/Xposed(921): 	at java.lang.reflect.Constructor.constructNative(Native Method)
07-11 13:54:21.344: I/Xposed(921): 	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
07-11 13:54:21.344: I/Xposed(921): 	at at.zweng.xposed.ModNfcAidRouting$1.beforeHookedMethod(ModNfcAidRouting.java:163)
07-11 13:54:21.344: I/Xposed(921): 	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:611)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.cardemulation.RegisteredAidCache.resolveAidPrefix(Native Method)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.cardemulation.HostEmulationManager.notifyHostEmulationData(HostEmulationManager.java:171)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.NfcService.onHostCardEmulationData(NfcService.java:349)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.dhimpl.NativeNfcManager.notifyHostEmuData(NativeNfcManager.java:421)
07-11 13:54:21.344: I/Xposed(921): 	at dalvik.system.NativeStart.run(Native Method)
