XDA Developers Android and Mobile Development Forum

[DEV] Xposed module: KitKat Card-Emulation catch-all AID Routing

androcheck
#1 (Last edited by androcheck; 17th December 2013 at 10:11 AM.)

Hi!

This may be mainly interesting for developers.

Overview:
I created an Xposed module which allows "catch-all" routing for KitKat's new Host-Card-Emulation feature, which means you can create a Host-Card-Emulation app which will receive ALL incoming APDUs (not only the ones for the AID your app has registered for).

This may not be useful at all but maybe it makes sense for debugging or checking which AID a specific card terminal is asking for.

Here's the code:
https://github.com/johnzweng/XposedModifyAidRouting




Details:
With Android 4.4 (KitKat) Google introduced NFC Host-Card-Emulation, which allows your phone to act as an NFC SmartCard. App developers can now create special apps which handle all the incoming NFC data packets and respond like an ISO 7816-4 SmartCard would.

However, the app developer has to declare explicitly which SmartCard application it wants to simulate in the app's Manifest file.

In more detail: each SmartCard application on a SmartCard is identified by a unique AID (application identifier). Usually a card terminal first sends a SELECT xxxxxxxxx message to the SmartCard where the xxxxxxx stands for the AID, and the SmartCard responds accordingly if it can handle this AID or not.

On a KitKat phone Android takes care of checking the AID value. So if the card terminal sends a SELECT xxxxxxxxx message, Android checks if there is any Card-Emulation app installed which has registered for this AID and if so it forwards this and all following APDU (ISO 7816-4 application protocol data unit) packets to this app.

Otherwise (if no app has registered this AID) it simply responds to the card terminal with an Application not found message and no app will ever be informed about the incoming APDU message.

What this Xposed module does:
If this module is enabled, it completely OVERRIDES the AID routing mechanism of Android. So ALL incoming APDUs for ALL application identifiers will be routed to the app which has registered the "special magic" AID "F04E66E75C02D8" (I just randomly chose this one). Even if there are other Card-Emulation apps installed which explicitly register for a specific AID, they will never get any APDU message.

So as an app developer, you can simply create a Host Card Emulation app as described here (https://developer.android.com/guide/...y/nfc/hce.html) and register it for the special AID F04E66E75C02D8, and your app will receive all APDU packets for ANY AID value the card terminal ever may ask for.

All your APDUs are belong to us!



Edit:
I just added the module to the Xposed repository. Should now also be available in the Xposed installer app.
 
abuttino
#2
Would this work to get Google Wallet working on NXP controllers?
 
Entropy512
#3
Quote:
Originally Posted by abuttino
Would this work to get Google Wallet working on NXP controllers?
No.
 
matthew5025
#4
Would it be possible to record the aid / adup requests?
 
androcheck
#5
I don't know what "adup" stands for, but you definitely can record all AID requests.

If you implement your own HostApduService as described here, the very first APDU command your service receives via this method:
Code:
@Override
public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
       ...
}
will always be the SELECT command containing the AID. So you simply can record all the requests there.
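The routing decision androcheck describes in the first post (registered AID gets the transaction, unknown AID gets "application not found", the module sends everything to the magic AID) and the AID recording from post #5, as an added Python model that is not code from the thread or from the XposedModifyAidRouting project. Only the magic AID F04E66E75C02D8 comes from the thread; the other AIDs, the app names and the terminal's SELECT commands are constructed for the simulation.

```python
"""Model of KitKat HCE AID routing, with and without the catch-all module.

Added example, not code from the thread or the XposedModifyAidRouting project.
MAGIC_AID is the value named in the thread; the other AIDs, app names and the
terminal's SELECT commands are constructed for this simulation.
"""
from typing import Dict, List, Optional

MAGIC_AID = "F04E66E75C02D8"          # catch-all AID chosen by the module author
SW_OK = bytes.fromhex("9000")         # ISO 7816-4 status word: success
SW_NOT_FOUND = bytes.fromhex("6A82")  # ISO 7816-4 status word: application not found


def build_select(aid_hex: str) -> bytes:
    """Terminal side: SELECT by DF name (CLA=00 INS=A4 P1=04 P2=00 Lc AID Le=00)."""
    aid = bytes.fromhex(aid_hex)
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def parse_select_aid(apdu: bytes) -> Optional[str]:
    """Return the requested AID as upper-case hex if apdu is a SELECT by AID, else None."""
    if len(apdu) < 6 or apdu[:3] != b"\x00\xa4\x04":
        return None
    lc = apdu[4]
    if lc == 0 or len(apdu) < 5 + lc:
        return None
    return apdu[5:5 + lc].hex().upper()


def route_first_apdu(apdu: bytes, registered: Dict[str, str],
                     catch_all: bool = False) -> Optional[str]:
    """Android's decision for the first APDU of a transaction: the app that gets it,
    or None when Android itself answers SW_NOT_FOUND and no app is informed.
    `registered` maps AID -> app, as declared in each app's manifest. With
    catch_all=True the AID is ignored and everything goes to the MAGIC_AID app."""
    aid = parse_select_aid(apdu)
    if aid is None:
        return None
    return registered.get(MAGIC_AID if catch_all else aid)


def recording_service(apdu: bytes, seen: List[str]) -> bytes:
    """processCommandApdu() of the catch-all app: log the AID asked for, answer 9000."""
    aid = parse_select_aid(apdu)
    if aid is not None:
        seen.append(aid)
    return SW_OK
```

With the module disabled a SELECT for an AID nobody registered is answered by Android with 6A82 and no service sees it; with it enabled the same APDU lands in the MAGIC_AID app's recording_service, which is where post #5 says to log the AID.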
 
matthew5025
#6
Quote:
Originally Posted by androcheck
I don't know what "adup" stands for, but you definitely can record all AID requests.

If you implement your own HostApduService as described here, the very first APDU command your service receives via this method:
Code:
@Override
public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
       ...
}
will always be the SELECT command containing the AID. So you simply can record all the requests there.
Thanks! I actually meant APDU.

Also, as part of the anti-collision process, the card will provide a UID. It seems the UID provided is randomly generated. Is there a way to specify a UID the phone should provide?
 
androcheck
#7
Quote:
Originally Posted by matthew5025
Thanks! I actually meant APDU.

Also, as part of the anti-collision process, the card will provide a UID. It seems the UID provided is randomly generated. Is there a way to specify a UID the phone should provide?
As far as I can tell the UID seems not to be set anywhere in the Java part, but after skimming through the libnfc-nci I also found no clue where the random UID is set (or if it could be changed). But maybe I just missed it.

So for the moment I cannot tell you for sure if it's possible to change the UID, but I tend to believe it's not (anybody should feel free to correct me on this point).
