Related
After researching about Mifare (Classic) card emulation on Android devices I've found information that says that it's not possible on older Android versions (e.g. Why doesn't Android HCE support Mifare Classic type? or Emulate Mifare card with Android 4.4). Is this still the case on Android 10? If so, is it a hardware thing? (maybe phones are not able to emulate them).
Thanks a lot in advance.
It doesn't allow to access the "Secure Element" (chip) using MiFare Classic cards. So it doesn't allow to emulate MiFare classic
With Host Card emulation you are emulating a Type 4 card, Mifare Classic is a Type 2 card (There are also various of standard numbers that relate to these card types mentioned in the links you gave.)
The only thing that has changed on Android 10 relating to NFC is the deprecation of Android Beam (Peer to Peer) NFC.
I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I don't understand currently, does android enable full card emulation.
I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?
To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.
Thanks.
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.
Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
I have spent weeks researching this topic a year ago and my conclusion based on the current implementation was:
The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element, this element is embedded within NXP's NFC chip (PN65 chip built in for example the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though i could only read the card and for it to be useful you need access to the Secure Element where a applet by NXP exists in most cases, this applet servers as front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
The short answer is YES. However depends on many factors such as android version, phone's NFC chip, etc.
To know if your device support it just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also a list up-to-date but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that Android API defines as-today sending a random UID on each tap, as suggested by a previous user nCypher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative root access (or custom cyanogen ROMs) might help to modify the UID such as in this example:
http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as RFID card of these MIFARE types, MiFare has already made one solution where business can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NPX which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this:
https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I don't understand currently, does android enable full card emulation.
I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?
To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.
Thanks.
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.
Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
I have spent weeks researching this topic a year ago and my conclusion based on the current implementation was:
The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element, this element is embedded within NXP's NFC chip (PN65 chip built in for example the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though i could only read the card and for it to be useful you need access to the Secure Element where a applet by NXP exists in most cases, this applet servers as front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
The short answer is YES. However depends on many factors such as android version, phone's NFC chip, etc.
To know if your device support it just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also a list up-to-date but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that Android API defines as-today sending a random UID on each tap, as suggested by a previous user nCypher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative root access (or custom cyanogen ROMs) might help to modify the UID such as in this example:
http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as RFID card of these MIFARE types, MiFare has already made one solution where business can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NPX which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this:
https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I don't understand currently, does android enable full card emulation.
I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?
To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.
Thanks.
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.
Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
I have spent weeks researching this topic a year ago and my conclusion based on the current implementation was:
The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element, this element is embedded within NXP's NFC chip (PN65 chip built in for example the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though i could only read the card and for it to be useful you need access to the Secure Element where a applet by NXP exists in most cases, this applet servers as front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
The short answer is YES. However depends on many factors such as android version, phone's NFC chip, etc.
To know if your device support it just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also a list up-to-date but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that Android API defines as-today sending a random UID on each tap, as suggested by a previous user nCypher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative root access (or custom cyanogen ROMs) might help to modify the UID such as in this example:
http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as RFID card of these MIFARE types, MiFare has already made one solution where business can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NPX which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this:
https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
After reading a lot of questions, i decided to post this one. I read that stock version of android does not support API's for card emulation. Also, we cannot write custom applications to secure element embedded in nfc controllers due to keys managed by google/samsung.
I need to emulate a card (mifare or desfire etc). The option i can see is doing it via software. I have a ACR122U reader and i've tested that NFC P2P mode works fine with the Nexus-S that i have.
1) I came across a site that said that nexus s's NFC controller (pn532) can emulate a mifare 4k card. If this is true, can i write/read apdu commands to this emulated card? (Probably if i use a modded rom like cyanogenmod)
2) Can i write a android application that reads apdu commands sent from the reader and generate appropriate responses (if not fully, then upto some extent only). To do so, i searched that we need to patch nexus s with cynagenmod. Has someone tried emulating card via this method?
I see that this is possible since we have products from access control companies offering mobile applications via which one can open doors e.g. http://www.assaabloy.com/en/com/Products/seos-mobile-access/
Some facts that may be of help in your quest:
The NFC controller in the Nexus S (and Galaxy Nexus, Nexus 7 and quite a few other Android devices) is the PN544
Card emulation can be done either by the secure element connected to the NFC controller or by the host device (=Android device in this case). The Nexus S has a secure element that could be used for that (used in Google Wallet). Card emulation from the host device is not a feature of the PN544 NFC controller, although some claim that they have managed to get it working.
You can turn on card emulation by the secure element by rooting your device and following the instructions at https://stackoverflow.com/a/10506299/1202968 (haven't tried this with 4.x JB, but I assume that it still works).
Emulating a MIFARE Classic card can be done by the secure element in the Nexus S, but not by the host device. Emulating a DESFire card is not supported by the secure element in the Nexus S.
I have investigated a similar doorlock product that used card emulation itself to communicate to an NFC mobile device, while using card reader/writer mode to communicate to access control cards.
IMO, the 2 simplest options are: use P2P communication (Android Beam) or use card emulation in a reader device (if it supports it). All the other options require things like rooted devices and custom ROMs, which are not future-proof and have no possibility to be translated to a real product.
Card emulation via software is now available with Android 4.4. http://developer.android.com/guide/topics/connectivity/nfc/hce.html
2) Card emulation by software should definitely be possible, but not exposed in current Android APIs. You will have to dig deeper into the libnfc-nxp (and possibly below). This might be a difficult one though. This feature is offered on Inside Secure's chips, as shown in their OpenNFC reference implementation. The only question is whether it requires a CLF firmware change. If not, then you can hack it into a software image.
The caveats are, however, that you will lack the following features :
- security (an Android app is not as secure as a smartcard)
- fast and predictable response times (well, depends how you code it probably)
- card emulation running when phone is off
I believe SEOS is based on ISO14443-4 and not Mifare. This means you would need a secure element to run it.
1) Not too sure about this one, my guess is that this will still be hardware-based (e.g. depend on an embedded secure element such as NXP's SmartMX.
The other alternative is to start developing on a secure element. The most straightforward way would be to get some sample test SIMs with SWP/HCI support. There is a free dev kit called IzyNFC which you can use for the javacard, and GSMA and AFSCM technical documents for the Android application side.