[DEV] Xposed module: KitKat Card-Emulation catch-all AID Routing

androcheck (OP, Senior Member)
17th December 2013, 10:33 AM | #1
Thanks Meter: 89 | 125 posts | Joined: Dec 2009
Hi!

This may be mainly interesting for developers.

Overview:
I created an Xposed module which allows "catch-all" routing for KitKat's new Host-Card-Emulation feature. This means you can create a Host-Card-Emulation app which will receive ALL incoming APDUs (not only the ones for the AID your app has registered for).

This may not be useful at all but maybe it makes sense for debugging or checking which AID a specific card terminal is asking for.

Here's the code:
https://github.com/johnzweng/XposedModifyAidRouting




Details:
With Android 4.4 (KitKat) Google introduced NFC Host-Card-Emulation, which allows your phone to act as an NFC SmartCard. App developers can now create special apps which handle all the incoming NFC data packets and respond like an ISO 7816-4 SmartCard would.

However, the app developer has to declare explicitly which SmartCard application it wants to simulate in the app's Manifest file.

In more detail: each SmartCard application on a SmartCard is identified by a unique AID (application identifier). Usually a card terminal first sends a SELECT xxxxxxxxx message to the SmartCard, where xxxxxxxxx stands for the AID, and the SmartCard responds accordingly, depending on whether it can handle this AID or not.

On a KitKat phone Android takes care of checking the AID value. So if the card terminal sends a SELECT xxxxxxxxx message, Android checks if there is any Card-Emulation app installed which has registered for this AID, and if so it forwards this and all following APDU (ISO 7816-4 application protocol data unit) packets to this app.

Otherwise (if no app has registered this AID) it simply responds to the card terminal with an "Application not found" message, and no app will ever be informed about the incoming APDU message.

What this Xposed module does:
If this module is enabled, it completely OVERRIDES the AID routing mechanism of Android. So ALL incoming APDUs for ALL application identifiers will be routed to the app which has registered the "special magic" AID "F04E66E75C02D8" (I just randomly chose this one). Even if there are other Card-Emulation apps installed which explicitly register for a specific AID, they will never get any APDU message.

So as an app developer, you can simply create a Host Card Emulation app as described here (https://developer.android.com/guide/...y/nfc/hce.html), register it for the special AID F04E66E75C02D8, and your app will receive all APDU packets for ANY AID value the card terminal may ever ask for.

All your APDUs are belong to us!



Edit:
I just added the module to the Xposed repository. Should now also be available in the Xposed installer app.
Last edited by androcheck; 17th December 2013 at 11:11 AM.
17th December 2013, 06:29 PM | #2
Senior Member | Thanks Meter: 271 | 1,481 posts | Joined: Sep 2006
Quote:
Originally Posted by androcheck

Hi!

This may be mainly interesting for developers.

Overview:
I created an Xposed module which allows "catch-all" routing for KitKat's new Host-Card-Emulation feature. This means you can create a Host-Card-Emulation app which will receive ALL incoming APDUs (not only the ones for the AID your app has registered for).

This may not be useful at all but maybe it makes sense for debugging or checking which AID a specific card terminal is asking for.

Here's the code:
https://github.com/johnzweng/XposedModifyAidRouting




Details:
With Android 4.4 (KitKat) Google introduced NFC Host-Card-Emulation, which allows your phone to act as an NFC SmartCard. App developers can now create special apps which handle all the incoming NFC data packets and respond like an ISO 7816-4 SmartCard would.

However, the app developer has to declare explicitly which SmartCard application it wants to simulate in the app's Manifest file.

In more detail: each SmartCard application on a SmartCard is identified by a unique AID (application identifier). Usually a card terminal first sends a SELECT xxxxxxxxx message to the SmartCard, where xxxxxxxxx stands for the AID, and the SmartCard responds accordingly, depending on whether it can handle this AID or not.

On a KitKat phone Android takes care of checking the AID value. So if the card terminal sends a SELECT xxxxxxxxx message, Android checks if there is any Card-Emulation app installed which has registered for this AID, and if so it forwards this and all following APDU (ISO 7816-4 application protocol data unit) packets to this app.

Otherwise (if no app has registered this AID) it simply responds to the card terminal with an "Application not found" message, and no app will ever be informed about the incoming APDU message.

What this Xposed module does:
If this module is enabled, it completely OVERRIDES the AID routing mechanism of Android. So ALL incoming APDUs for ALL application identifiers will be routed to the app which has registered the "special magic" AID "F04E66E75C02D8" (I just randomly chose this one). Even if there are other Card-Emulation apps installed which explicitly register for a specific AID, they will never get any APDU message.

So as an app developer, you can simply create a Host Card Emulation app as described here (https://developer.android.com/guide/...y/nfc/hce.html), register it for the special AID F04E66E75C02D8, and your app will receive all APDU packets for ANY AID value the card terminal may ever ask for.

All your APDUs are belong to us!



Edit:
I just added the module to the Xposed repository. Should now also be available in the Xposed installer app.

Would this work to get Google Wallet working on NXP controllers?
17th December 2013, 10:29 PM | #3
Senior Recognized Developer, Owego, NY | Thanks Meter: 24,837 | 13,539 posts | Joined: Aug 2007
Quote:
Originally Posted by abuttino

Would this work to get Google Wallet working on NXP controllers?

No.
29th December 2013, 10:31 AM | #4
Senior Member | Thanks Meter: 126 | 443 posts | Joined: Dec 2010
Would it be possible to record the AID / adup requests?
30th December 2013, 02:50 PM | #5
androcheck (OP, Senior Member) | Thanks Meter: 89 | 125 posts | Joined: Dec 2009
I don't know what "adup" stands for, but you definitely can record all AID requests.

If you implement your own HostApduService as described here, the very first APDU command your service will receive via this method:
Code:
@Override
public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
    ...
}
will always be the SELECT command containing the AID. So you can simply record all the requests there.
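The following Python is an added example, not code from this thread or from the XposedModifyAidRouting repository. It ties together the two mechanisms described in this thread: the SELECT-by-AID command that a HostApduService sees first (androcheck's point in this post), and the stock AID resolution versus the module's catch-all override (the OP's description). It parses the SELECT APDU that appears in the logcat excerpt later in this thread (00A4040005F999999999) plus a few constructed APDUs. The routing model is a deliberate simplification (exact AID match, the 6A82 status word when nothing matches); the service names and the F111222333 AID are made up for the example.

```python
# Added example (not from the thread or the XposedModifyAidRouting repo):
# parse ISO 7816-4 command APDUs, pull the AID out of SELECT-by-name
# commands, and model KitKat's AID resolution with and without the
# module's catch-all override. Routing is simplified to an exact AID
# match; the real RegisteredAidCache logic is more involved.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The module's "magic" AID quoted in the thread.
CATCHALL_AID = "F04E66E75C02D8"

# Status words: success, and "file not found" (Android's answer when no
# service has registered the selected AID).
SW_OK = 0x9000
SW_FILE_NOT_FOUND = 0x6A82

# Constructed sample traffic. The first APDU is the SELECT shown in the
# logcat excerpt in this thread ("Data:00A4040005F999999999"); the others
# are made up for this example.
SAMPLE_APDUS = [
    "00A4040005F999999999",        # SELECT by name, AID F999999999, no Le
    "00A4040007F04E66E75C02D800",  # SELECT the catch-all AID, Le = 00
    "00B0000010",                  # READ BINARY, not a SELECT
    "00A404",                      # malformed: shorter than the 4-byte header
]


@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]


def parse_command_apdu(raw: bytes) -> CommandApdu:
    """Parse a short-form (one-byte Lc/Le) ISO 7816-4 command APDU, cases 1-4."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte CLA INS P1 P2 header")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    body = raw[4:]
    if not body:                          # case 1: header only
        return CommandApdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                    # case 2: Le only (00 means 256)
        return CommandApdu(cla, ins, p1, p2, b"", body[0] or 256)
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc announces %d data bytes, only %d present" % (lc, len(data)))
    tail = body[1 + lc:]
    if not tail:                          # case 3: Lc + data, no Le
        le = None
    elif len(tail) == 1:                  # case 4: Lc + data + Le
        le = tail[0] or 256
    else:
        raise ValueError("unexpected %d trailing bytes after Le" % len(tail))
    return CommandApdu(cla, ins, p1, p2, bytes(data), le)


def select_aid(apdu: CommandApdu) -> Optional[str]:
    """Return the AID (upper-case hex) if this is SELECT by DF name (INS A4, P1 04)."""
    if apdu.ins == 0xA4 and apdu.p1 == 0x04 and apdu.data:
        return apdu.data.hex().upper()
    return None


def record_select_aids(hex_apdus: List[str]) -> List[str]:
    """What a logging HostApduService would collect: the AID of every SELECT.
    Non-SELECT and malformed APDUs are skipped instead of aborting the scan."""
    aids = []
    for hex_apdu in hex_apdus:
        try:
            apdu = parse_command_apdu(bytes.fromhex(hex_apdu))
        except ValueError:
            continue
        aid = select_aid(apdu)
        if aid is not None:
            aids.append(aid)
    return aids


def route_select(aid: str, registered: Dict[str, str],
                 catchall: bool = False) -> Tuple[Optional[str], int]:
    """Model KitKat's resolution step. Returns (service name or None, status word).

    Stock behaviour: the APDU goes to the service registered for exactly this
    AID; otherwise Android answers 6A82 and no service ever sees it. With the
    module's override, every SELECT goes to whoever registered CATCHALL_AID."""
    target = registered.get(CATCHALL_AID) if catchall else registered.get(aid)
    if target is None:
        return None, SW_FILE_NOT_FOUND
    return target, SW_OK


if __name__ == "__main__":
    # Hypothetical installed services: one with a constructed AID, one
    # registered for the module's catch-all AID.
    services = {"F111222333": "pay.example", CATCHALL_AID: "aidlogger.example"}
    for aid in record_select_aids(SAMPLE_APDUS):
        print(aid, "stock ->", route_select(aid, services),
              "| catch-all ->", route_select(aid, services, catchall=True))
```

Running it shows the effect the OP describes: under stock routing the F999999999 SELECT from the logcat excerpt gets 6A82 because nothing registered it, while with the override every SELECT, including one for an AID some other service explicitly registered, lands on the catch-all service.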
1st January 2014, 12:09 PM | #6
Senior Member | Thanks Meter: 126 | 443 posts | Joined: Dec 2010
Quote:
Originally Posted by androcheck

I don't know what "adup" stands for, but you definitely can record all AID requests.

If you implement your own HostApduService as described here, the very first APDU command your service will receive via this method:

Code:
@Override
public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
    ...
}
will always be the SELECT command containing the AID. So you can simply record all the requests there.

Thanks! I actually meant APDU.

Also, as part of the anti-collision process, the card will provide a UID. It seems the UID provided is randomly generated. Is there a way to specify a UID the phone should provide?
1st January 2014, 04:07 PM | #7
androcheck (OP, Senior Member) | Thanks Meter: 89 | 125 posts | Joined: Dec 2009
Quote:
Originally Posted by matthew5025

Thanks! I actually meant APDU.

Also, as part of the anti-collision process, the card will provide a UID. It seems the UID provided is randomly generated. Is there a way to specify a UID the phone should provide?

As far as I can tell the UID does not seem to be set anywhere in the Java part, but after skimming through libnfc-nci I also found no clue where the random UID is set (or if it could be changed). But maybe I just missed it.

So for the moment I cannot tell you for sure if it's possible to change the UID, but I tend to believe it's not (anybody should feel free to correct me on this point).
14th June 2014, 07:45 PM | #8
Senior Member, Brooklyn | Thanks Meter: 38 | 419 posts | Joined: Jul 2010
Can this enable Google Wallet on a Verizon Note 3 with KitKat?
14th June 2014, 11:22 PM | #9
androcheck (OP, Senior Member) | Thanks Meter: 89 | 125 posts | Joined: Dec 2009
No sorry, unfortunately not.
11th July 2014, 04:03 AM | #10
Junior Member | Thanks Meter: 0 | 3 posts | Joined: Jul 2014
IllegalAccessException
I have been trying out your module, but keep getting the error IllegalAccessException on what appears to be this line:
Code:
Object resultInstanceAidResolveInfo = ctor.newInstance(registeredAidCacheInstance);
Is there any way around this?

Full logcat output:
Code:
07-11 13:50:27.456: D/Xposed(185): Starting Xposed binary version 58, compiled for SDK 16
07-11 13:50:27.456: D/Xposed(185): Phone: Nexus 7 (asus), Android version 4.4.3 (SDK 19)
07-11 13:50:27.456: D/Xposed(185): ROM: KTU84L
07-11 13:50:27.456: D/Xposed(185): Build fingerprint: google/razorg/deb:4.4.3/KTU84L/1148727:user/release-keys
07-11 13:50:27.456: I/Xposed(185): -----------------
07-11 13:50:27.456: I/Xposed(185): Added Xposed (/data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar) to CLASSPATH.
07-11 13:50:27.736: D/Xposed(185): Using structure member offsets for mode WITH_JIT
07-11 13:50:27.796: I/Xposed(185): Found Xposed class 'de/robv/android/xposed/XposedBridge', now initializing
07-11 13:50:28.237: I/Xposed(185): -----------------
07-11 13:50:28.237: I/Xposed(185): Jul 11, 2014 1:50:28 AM UTC
07-11 13:50:28.237: I/Xposed(185): Loading Xposed v54 (for Zygote)...
07-11 13:50:28.237: I/Xposed(185): Running ROM 'KTU84L' with fingerprint 'google/razorg/deb:4.4.3/KTU84L/1148727:user/release-keys'
07-11 13:50:28.337: I/Xposed(185): Loading modules from /data/app/at.zweng.xposed.modifyaidrouting-1.apk
07-11 13:50:28.557: I/Xposed(185):   Loading class at.zweng.xposed.ModNfcAidRouting
07-11 13:50:28.567: I/Xposed(185): Loading modules from /data/app/com.example.nfc_xposed_module_nfcmanager-1.apk
07-11 13:50:28.667: I/Xposed(185):   Loading class com.example.nfc_xposed_module_nfcmanager.ModEmulationManager
07-11 13:50:41.009: I/Xposed(921): ModNfcAidRouting: we are in com.android.nfc application. :) Will place method hooks.
07-11 13:50:41.019: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix() method hook in place! Let the fun begin! :)
07-11 13:50:41.019: I/Xposed(921): In the com.android.nfc application
07-11 13:50:41.019: I/Xposed(921): findSelectAid(byte[] ...) hook in place!
07-11 13:54:21.344: I/Xposed(921): Data:00A4040005F999999999
07-11 13:54:21.344: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix(..) was called. aid = F999999999
07-11 13:54:21.344: I/Xposed(921): ModNfcAidRouting: resolveAidPrefix() error in beforeHookedMethod: 
07-11 13:54:21.344: I/Xposed(921): java.lang.IllegalAccessException: access to method denied
07-11 13:54:21.344: I/Xposed(921): access to method denied
07-11 13:54:21.344: I/Xposed(921): java.lang.IllegalAccessException: access to method denied
07-11 13:54:21.344: I/Xposed(921): 	at java.lang.reflect.Constructor.constructNative(Native Method)
07-11 13:54:21.344: I/Xposed(921): 	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
07-11 13:54:21.344: I/Xposed(921): 	at at.zweng.xposed.ModNfcAidRouting$1.beforeHookedMethod(ModNfcAidRouting.java:163)
07-11 13:54:21.344: I/Xposed(921): 	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:611)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.cardemulation.RegisteredAidCache.resolveAidPrefix(Native Method)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.cardemulation.HostEmulationManager.notifyHostEmulationData(HostEmulationManager.java:171)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.NfcService.onHostCardEmulationData(NfcService.java:349)
07-11 13:54:21.344: I/Xposed(921): 	at com.android.nfc.dhimpl.NativeNfcManager.notifyHostEmuData(NativeNfcManager.java:421)
07-11 13:54:21.344: I/Xposed(921): 	at dalvik.system.NativeStart.run(Native Method)
