Git Product home page Git Product logo

android-hce-desfire's Introduction

Project Inception

This project is an incomplete software implementation of the Mifare Desfire protocol for HCE on Android. The app has to be used with the original HCE patch of Doug Yeager introduced in CyanogenMod 9. Most of the initial code has now been removed from CyanogenMod and thus a system level patch is needed to make the whole work.

  • App will only work on phones with PN544 NXP chip (which are HTC One M7, Nexus S, ..)
  • A patched NFC.apk will need to be built from the packages_Nfc_apps repository I cloned here on github
  • A patched Android framework.jar should be built the android base framework
  • libnfc-nxp should contain the needed fixes in CM12 (no changes required)

Standard HCE emulation in Android 4.4 does not give complete control over APDUs sent. Desfire has 3 communication modes which are native, wrapped and iso14443-4.

A standard android HCE app would be able to cope with a wrapped protocol implementation after removing the AID routing functionality using an xposed framework library hook. However for my POC I found the hardware to communicate using native commands and thus needed to have full control over APDUs which at that time was only feasible with the original CM HCE patch.

Project state

The code contains some testcases that verify a couple of different basic communication scenario's with a DesFire card. Doug Yeager's patch was ported to Android 5 which enabled a pn544 to communicate with off the shelve NFC physical security system at Capgemini Belgium's premises. A talk was given at Capgemini Belgium in 2015 to present the POC.

You can detect a phone as a Mifare Tag by using an libnfc compqatible reader with patched libfreefare. One working example here includes the mifare get info command, which can request some general info fields from the Android application and show them in a linux terminal. To reproduce this case it's best to use the pn532-tamashell binary that comes by default with libfreefare.

In that case the raw command bytes for DesFire get info can be issued which should normally yield a valid response from the Android app.

LIBNFC_LOG_LEVEL=3 cat << EOF | pn53x-tamashell \
4a 01 00 \
40 01 00 a4 04 00 07 d2 76 00 00 85 01 00 00  \
40 01 00 00 60 00 00 00 \
40 01 00 00 AF 00 00 00 \
40 01 00 00 AF 00 00 00 \
EOF

References

This project is based on the following work

  • Kevin Valk's thesis on HCE in Android and his work on porting JavaCard applets to the Android platform
  • Original code from an academic paper on porting DesFire to JavaCard. This code contains an implementation for the legacy protocols only (non AES)
  • Libfreefare code which contains all the newer DesFire protocol implementation details.

android-hce-desfire's People

Contributors

jekkos avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar

Forkers

jardar miohtama mike-aungsan nuschpl gshwang darconeous maxieds aetelani rasata linuxfall bioenable-bit webstorage119 gaecom

android-hce-desfire's Issues

FYI: Solution to the DESfire APDU problem

Looking over your StackOverflow question, it is mentioned the major issue for emulating DESfire is the three flavours of the protocol: "native", "wrapped native" and "pure ISO7816", and that in order for an existing DESfire deployment to work, you'd need to talk one of the latter two protocols and send an ISO7816 SELECT APPLICATION first.

Since your post, there now are a small number of organisations which have rolled out support for DESFire on Android HCE using an SDK called "MIFARE 2GO". This finally gives an opportunity to discover what a real-world DESfire+HCE deployment looks like.

It looks like that these implementations have ISO7816 AIDs prefixed with A000000396 by convention.

There's two ways to get the "correct" AIDs for a particular deployment:

  1. Log / sniff the SELECT APPLICATION commands from a "legitimate" reader, or,

  2. Pull the Android manifest from a HCE application, and look for the AIDs in the manifest.

Once you've sent a SELECT APPLICATION, it appears that you can talk ISO7816-wrapped DESfire commands just fine.

If I understand the status of things correctly, this should mean that it's possible for this project to actually work, and emulate a card in the DESfire-recommended way.

It should also be possible to proxy card communication using two Android devices, provided that the reader unit supports connection with the ISO7816 SELECT APPLICATION command, one of your Android devices does HCE, and then just plumb the commands over the network.

Support for some newer instructions

I have been digging through DESFire specs and documentation (that which is descriptive and I can find publicly online). It appears that there are a couple of newer Authenticate commands that are at least supported by the DESFire light tag versions (see NXP application note):

CMD_AUTHENTICATE_EV2_FIRST = 0x71,          /* See page 32 of AN12343.pdf */
CMD_AUTHENTICATE_EV2_NONFIRST = 0x77,  /* See page 32 of AN12343.pdf */

I am trying to use Android's NFC stack built-ins to perform some testing with DESFire tags. I'm not sure if your HCE implementation works this in yet, but there is also some support of ISO7816-4 commands. These are documented near the end of the data sheet I "discovered" in issue #1.

@jekkos One thing you could help me with is to understand where the communication modes for transfer of data get encoded? I cannot seem to find a solid reference for where this assumption is made. Historically, there should be three (plaintext, 2KTDEA, 3KTDEA) and more recently there are AES communication modes in key sizes of 128/192/256. One possibility is to just attach the current communication mode to whatever the most recent Authenticate instruction uses, but that is probably not up to standard, and is somewhat arbitrary. How did you handle this in your HCE emulation?

Found new status code for the Desfire chips

Have a look at page 17 of this document. I think you might have missed an error code or two. Your site is great BTW! I'm using some of the compiled codes in your java files to try to do rudimentary apdu recognition in my app for the Chameleon Mini.

Keep up the good work!

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.