[MOD][Xposed] Patch SmartcardService for use with SIM-card-based banking apps


androcheck

Hi!

I've written another Xposed module for my LEX720 for a very specific purpose, so probably it won't be of much use for the most. But I'm still publishing it for reference reasons.

Background:
First the good news: The stock firmware of LeEco includes the "SmartcardService" (which also often is referred to as "Open Mobile API" or short "OMAPI") which is an extension API to plain Android (i.e. not existing in the Nexus devices or the Pixels) to allow apps accessing Secure Elements (i.e. secure applications embedded in a tamper-resistant hardware) within the SIM-card.

A real world example: in Austria some banks (in cooperation with the 3 largest network operators) support Tap'n'Pay with your phone by installing the NFC-capable banking card as an additional application into the SIM card (which is the same secure chipcard technology as a banking card). This means you get a new SIM card and then you can tap'n'pay with your phone (without Google, without VISA or MasterCard, just as with the Austrian NFC banking cards). AFAIK in some other countries the same concept is used for public transport and others.
The main difference to Android Pay is, that this system is backed by the chipcard (the SIM) and not by a cloud service. But this just as background information.

The problem:
The LEX720 is a dual-sim phone, and so the (banking) apps could read SIM-cards from either SIM1 or SIM2 slot (I tested, SmartcardService works with both). But if you also want to use NFC for payment it has to be inserted into SIM1 (as it seems that only the SIM1 slot is connected over an SWP line to the NFC chipset). Unfortunately the Austrian banking apps don't seem to handle the dual-SIM situation correctly and only try to read SIM2 (which is empty for me) and therefore don't work.

Additionally, at the end of a transaction, when the application running within the SIM card signals to the Android system that it has just finished a payment transaction, the NFC service (/system/vendor/app/NQNfcNci/NQNfcNci.apk) broadcasts this message as an intent to the relevant (banking) app, so that the app can display a transaction result activity.
Unfortunately this mechanism is often implemented very differently by different OEMs and so also by LeEco. There exists a standard (GSMA NFC Handset APIs Requirement Specification) but it seems there are a lot of different implementations in the wild.

(Note: this is probably the case because this type of functionality is not part of the official reference Android source code. Plain open source Android like it is running on all Nexus phones and the Pixels just doesn't support this type of application - which is very unfortunate).

My workaround:
TL;DR I just made an Xposed module which fixes these 2 issues for me. Look into the README on Github for more details.

Source on Github: https://github.com/johnzweng/XposedOmapiBankcardFix
Download Xposed Module: Xposed-module-OMAPI-BankcardMobil-Fix-1.1.apk

Maybe it's also useful for other applications which use the SIM card as secure storage for keys of any type. Use at your own risk.

As a reference: these are the Austrian banking apps this module should work with:
The module might also help to get other similar apps working which have problems with Dual-SIM or don't show Transaction confirmation screens. I am talking here about apps which use a special SIM card for payment, ticketing or similar use-cases via NFC. This has nothing to do with "normal" NFC apps or cloud-based HCE (host card emulation) NFC apps. This module is only for apps which use special SIM cards.


[edit]
Updated download link to version 1.1.
For details see the CHANGELOG in the Github repository.
[/edit]
 

androcheck

Btw, during debugging I noticed another small bug in the LeEco NFC service:

The package com.android.nfc (/system/vendor/app/NQNfcNci/NQNfcNci.apk) declares a permission which allows apps to receive Intents about EVT_TRANSACTION events. On the LeEco LePro 3 (LEX720, running 5.8.018S, WAXCNFN5801811012S) this permission looks like this
Code:
declared permissions:
    com.gsma.service.nfc.permission.TRANSACTION_EVENT: prot=dangerous, INSTALLED

You can check this easily yourself with this adb command:
Code:
adb shell pm dump com.android.nfc > dump-nfc-service.txt
This will dump all infos into a file named dump-nfc-service.txt. Open the file with an editor and search for "declared permissions:".

The problem with this permission is, that its name is missing a letter!
Correctly it should be called: com.gsma.services.nfc.action.TRANSACTION_EVENT (note the missing "s").

This is specified in the GSMA NFC Handset APIs Requirement Specification (see at the top of page 13 in the PDF)
Funny enough the specification in the PDF also contains a typo in the very same permission name the Intent action name (the dot "." after the word "gsma" is a comma "," in the PDF). It must be really hard to type this correctly. :)

Nevertheless this typo leads to errors like:
Code:
W/PackageManager( 2357): Unknown permission com.gsma.services.nfc.permission.TRANSACTION_EVENT in package ......
and prevents applications from requesting the correct permission.

Does anybody know if and how it's the best way to report bugs to LeEco?


[edit1]
I contacted them on Twitter. I hope they will forward this issue to developers. :)

Btw, it seems that also LG had included the same typo in some of its devices:
Devices without the "s": https://census.tsyrklevich.net/permissions/com.gsma.service.nfc.permission.TRANSACTION_EVENT
vs.:
Devices with the "s": https://census.tsyrklevich.net/permissions/com.gsma.services.nfc.permission.TRANSACTION_EVENT
[/edit1]
 
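The manual check described in the post above (dump the package, then look under "declared permissions:"), as an added example that is not part of the original thread or of the author's module. The function names are hypothetical, the sample dump is constructed from the two lines quoted in the post, and the expected permission name is an assumption taken from the PackageManager warning quoted there.

```shell
#!/bin/sh
# Added example: check `pm dump` output for the GSMA transaction-event permission.
# Expected name is an assumption taken from the PackageManager warning in the post.
EXPECTED_PERM="com.gsma.services.nfc.permission.TRANSACTION_EVENT"

# Constructed sample, modelled on the two dump lines quoted in the post.
write_sample_dump() {
    cat > "$1" <<'EOF'
Packages:
  Package [com.android.nfc] (constructed sample):
    declared permissions:
      com.gsma.service.nfc.permission.TRANSACTION_EVENT: prot=dangerous, INSTALLED
    requested permissions:
      android.permission.NFC
EOF
}

# Print "name protection-level" for every entry of the "declared permissions:" block.
list_declared_perms() {
    awk '
        /^[ \t]*declared permissions:/ { in_block = 1; next }
        in_block && /:[ \t]*$/ { in_block = 0 }   # next section header ends the block
        in_block && /prot=/ {
            name = $1; sub(/:$/, "", name); prot = "unknown"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^prot=/) { prot = $i; sub(/^prot=/, "", prot); sub(/,$/, "", prot) }
            print name, prot
        }' "$1"
}

# Returns 0 = expected name declared, 1 = only a near-miss declared, 2 = none.
check_transaction_perm() {
    perms=$(list_declared_perms "$1")
    if printf '%s\n' "$perms" | awk -v p="$EXPECTED_PERM" '$1 == p { f = 1 } END { exit !f }'; then
        echo "OK: $EXPECTED_PERM declared"
        return 0
    fi
    near=$(printf '%s\n' "$perms" | grep 'TRANSACTION_EVENT' | head -n 1)
    if [ -n "$near" ]; then
        echo "MISMATCH: declared '${near% *}' (prot=${near#* }), apps request '$EXPECTED_PERM'"
        return 1
    fi
    echo "MISSING: no TRANSACTION_EVENT permission declared"
    return 2
}

# Demo on the constructed sample; on a real device pass dump-nfc-service.txt instead.
sample=$(mktemp)
write_sample_dump "$sample"
check_transaction_perm "$sample" || true
rm -f "$sample"
```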

viercp

Hi androcheck,

First, I am really impressed that somebody found a solution for that problem (I already have several posts with no answer at all)

But now I have a problem: when I install the fix I am stuck in a boot loop. Is this maybe because I am on a custom ROM (Turbo MIUI)?
Hope you have an idea

thanks
Robert
 

viercp

So far seems a "one time bug" - all ok with patch but I still get the very same error message

Any possibility to tell me where I can check if entries provided by fix are really done?
 

androcheck

> So far seems a "one time bug" - all ok with patch but I still get the very same error message
>
> Any possibility to tell me where I can check if entries provided by fix are really done?

Hi!

Sorry for the delayed answer.

First of all the ROM you are using must have the SmartcardService (=implementation of OpenMobile API), the corresponding library (org.simalliance.openmobileapi.jar) and permission manifest (org.simalliance.openmobileapi.xml) installed. I downloaded miau_destroyer_v12.zip from this thread here, extracted it and it seems that it contains all three of them.

My Xposed module "XposedOmapiBankcardFix" doesn't do very much besides forcing the apps which are using the OpenMobile API to always use "SIM1" as SmartcardReader. This was necessary because at the time of writing the Bankcard apps in Austria from PSA (Payment Services Austria) didn't correctly check for multiple SIM slots. So in fact this was a bug in the PSA apps, not in the phone.

Back then I reported this back to the developers (of the banking app) and today it seems to be fixed (I didn't check in detail but the Bank Austria app now is working for me on Android 7 without Xposed installed - with the SIM inserted in slot 1).

Another point I realized: By looking into the build.props of the miau_destroyer_v12 ROM it seemed to me that this ROM is configured for single SIM use. This means that the SmartcardService also only sees one cardreader (SIM slot). Maybe this also interferes with the Xposed module?

For clarification:
Before I wrote my Xposed module, the Bank Austria banking app worked already perfectly (no errors displayed, recognized the NFC SIM card, personalization of the bankcard worked ok) when I inserted the SIM card into slot 2. It just didn't work when the SIM card was inserted in slot 1. The problem is that it must be inserted in slot 1 if you want to use it over NFC. This is why I decided to work around this limitation with my Xposed module.
The second feature ("Fix EVT_TRANSACTION Intent") of my module was just a gimmick "on the way". I realized that the confirmation dialog after paying is not displayed, but this was just a "cosmetic" problem. Payments did still work, even if the confirmation dialog on the phone is not displayed.

Another sidenote:
As I have mentioned before I have switched already to an Android 7.1 based ROM on my personal phone (as a developer I want to use some of the new APIs) so I don't have Xposed anymore (as Xposed is not available for Android 7). So at the moment I cannot really test anything.

Which error exactly do you get? What do you see in logcat?

Kind regards,
john :)
 

viercp

Hi!

> Another point I realized: By looking into the build.props of the miau_destroyer_v12 ROM it seemed to me that this ROM is configured for single SIM use. This means that the SmartcardService also only sees one cardreader (SIM slot). Maybe this also interferes with the Xposed module?

Changed in build.prop to enable Dual SIM

> Which error exactly do you get? What do you see in logcat?

Haven't worked with it before - which entry are you looking for?
 

jasonlee0315

Hi,
Google says that the Pixel 7 series doesn't support SWP-SIM while the Pixel 6 and others supported it.
So I started googling whether there's any 'Magisk way' to solve this issue, and then I found your xda posts.

If you happen to be a Pixel 7 user, are you interested in looking into this issue?
I'd like to buy you a $30 coffee or more if I can use the SWP-SIM for payment on my Pixel 7.
 

androcheck

> Google says that the Pixel 7 series doesn't support SWP-SIM while the Pixel 6 and others supported it.
> So I started googling whether there's any 'Magisk way' to solve this issue, and then I found your xda posts.

Hi!

I don't have Pixel 7 and currently I am not working in this field, but for clarification:
"SWP-SIM support" is (also) a hardware feature.

To be able to use SWP-SIMs there must be a physical connection between the SWP pin of the NFC controller (this is a separate chip on the mainboard of your phone, not the main application processor, where Android runs on) and the respective pin of the SIM card slot.

Google in the past tended to not connect these 2 pins. I don't know if the Pixel 7 has this connection. I just wanted to let you know, that if this connection does not exist, there is no way to solve this in software.


[edit]
(see also this old question on stackexchange, this was about the Nexus 5X and 6P: https://stackoverflow.com/questions...-to-the-uicc-on-the-nexus-5x-and-the-nexus-6p)
[/edit]
 

jasonlee0315

Thanks for replying. I guess I might give up trying to get SWP-SIM working on Pixel 7.
 
