I am making a Host Card Emulation app on Android, everything works fine with my PC/SC reader. I am able to send APDU commands and get the reponses. Now I want to know if it's possible to manipulate the ATR of the card emulated by Android using Android's NFC library (or not)? I have looked into the documentation but there's nothing about the ATR, does Android generate it automatically for each device?
Yes, Android generates the answer-to-select (ATS) automatically. There is no Android API to change its contents. The same applies to the anti-collision identifier (UID).
ATS vs. ATR
Note that contactless smartcards (ISO/IEC 14443-4A) do not expose an ATR (answer-to-reset) during the activation sequence. Instead, they provide an ATS (in response to the selection procedure). PC/SC readers for contactless smartcards typically map parts of that ATS into an (emulated) ATR for compatibility.
Rooted devices
Even though Android does not provide an API, you might be able to modify values such as the ATS by modifying the NFC controller configuration files. See Editing Functionality of Host Card Emulation in Android and Host-based Card Emulation with Fixed Card ID
Related
I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I don't understand currently, does android enable full card emulation.
I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?
To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.
Thanks.
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.
Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
I have spent weeks researching this topic a year ago and my conclusion based on the current implementation was:
The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element, this element is embedded within NXP's NFC chip (PN65 chip built in for example the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though i could only read the card and for it to be useful you need access to the Secure Element where a applet by NXP exists in most cases, this applet servers as front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
The short answer is YES. However depends on many factors such as android version, phone's NFC chip, etc.
To know if your device support it just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also a list up-to-date but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that Android API defines as-today sending a random UID on each tap, as suggested by a previous user nCypher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative root access (or custom cyanogen ROMs) might help to modify the UID such as in this example:
http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as RFID card of these MIFARE types, MiFare has already made one solution where business can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NPX which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this:
https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I don't understand currently, does android enable full card emulation.
I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?
To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.
Thanks.
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.
Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
I have spent weeks researching this topic a year ago and my conclusion based on the current implementation was:
The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element, this element is embedded within NXP's NFC chip (PN65 chip built in for example the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though i could only read the card and for it to be useful you need access to the Secure Element where a applet by NXP exists in most cases, this applet servers as front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
The short answer is YES. However depends on many factors such as android version, phone's NFC chip, etc.
To know if your device support it just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also a list up-to-date but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that Android API defines as-today sending a random UID on each tap, as suggested by a previous user nCypher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative root access (or custom cyanogen ROMs) might help to modify the UID such as in this example:
http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as RFID card of these MIFARE types, MiFare has already made one solution where business can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NPX which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this:
https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I don't understand currently, does android enable full card emulation.
I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?
To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.
Thanks.
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.
Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
I have spent weeks researching this topic a year ago and my conclusion based on the current implementation was:
The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element, this element is embedded within NXP's NFC chip (PN65 chip built in for example the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though i could only read the card and for it to be useful you need access to the Secure Element where a applet by NXP exists in most cases, this applet servers as front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
The short answer is YES. However depends on many factors such as android version, phone's NFC chip, etc.
To know if your device support it just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also a list up-to-date but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that Android API defines as-today sending a random UID on each tap, as suggested by a previous user nCypher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative root access (or custom cyanogen ROMs) might help to modify the UID such as in this example:
http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as RFID card of these MIFARE types, MiFare has already made one solution where business can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NPX which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this:
https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
As the HCE was implemented in the version 4.4, I could not find information of how to write in an emulated card.
The android website has a sample of card emulation and a sample of to read the card, but I could not find information about the possibility of writing in a emulated card and how to do it.
I am developing a application that will read an emulated card, it will modify the card and write it again.
Someone know if it's possible and how can I do it?
The question "How [do I] write in a [Android HCE] emulated card?" does not really match the concept of Android HCE.
With Android HCE you do not emulate a memory card, hence there is no such thing as writing to/reading from such an emulated card by default. Instead, you emulate an APDU based smartcard application (note: application, not memory area, not whole card). APDUs are commands that you can send to a card (for instance with a PC/SC-compliant contactless smartcard reader). These commands are then interpreted by your emulated smartcard application (i.e. your HCE service) and used to generate response messages.
So, to summarize, you define the commands (based on ISO 7816-4 APDU structure) that your application should understand and the response message format (again based on ISO 7816-4 APDU structure) that your application sends back.
There are some ISO 7816-4 based commands listed in this link:
http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_6_basic_interindustry_commands.aspx
I've based my communication is this commands, mainly in the item 6.6.
I'm likely to be working on a project where existing Desfire cards (used to access paid services) will be replaced with an NFC-capable mobile device. Can anyone point me to any resources to help me understand what's involved in a) replicating a Desfire card's data onto a mobile device so it can take the place of a card, and b) for the app to deliver NFC data in order to present to the reader as if it were a card. All relevant keys and access will be provided by the card issuer (if the project goes ahead) but I'm keen to understand the process in advance.
I also need to understand how well the Android NFC API supports Desfire, because as far as I can see it only properly support Classic. http://developer.android.com/reference/android/nfc/tech/package-summary.html
MIFARE DESFire is ISO 14443-4 compliant. Support in Android for ISO 14443-4 (and therefore MIFARE DESFire) is done by the IsoDep class. You can send any DESFire command using the transceive() method of that class.
Besides that, DESFire can be configured to be NFC Forum type 4 Tag compliant. In which case Android will read out automatically any NDEF messages from the tag and dispatch it in an intent. So you can make your app start automatically when a specific tag is scanned. (Android can also format a DESFire chip to contain NDEF and write NDEF data to it.)
Replacing a DESFire card by a mobile NFC device is another matter. Card emulation on currently available Android devices is done by an embedded Secure Element connected to the NFC chip. An Android app cannot emulate a card (there is also no API for this) and the Secure Element cannot emulate a DESFire chip. Furthermore, there is no open API to access the Secure Element from an app.
The only way an Android NFC app can communicate via NFC to another device (that is not a card) is using Android Beam. This is, however, a different protocol than that used between card and reader.
NFC guy answer is excellent, but a bit outdated, so I decided to add an update.
Starting with KitKat (4.4), you can now emulate cards without a secure element.
It is called Host-based Card Emulation (Hce) and with that you can emulate a ISO 14443 type A card.. Like a desfire card.
There are two small caveats:
your reader must issues, just after polling the "card", a ISO SELECT (aid), with a fixed application id (aid) of your choice. This AID must be registered in your app manifest. Android will intercept this ISO SELECT, read the aid, and call you only if it matches with the one in your manifest.
Then you can exchange anything, it does not even have to be ISO APDUs (ISO 14443 encapsulation is done by android). So, for example, if you want to, you can even emulate the challenge response authentication of desfire (0xA0 key_num, 0xAF challenge, 0xAF response, 0x00 session_key)
you cannot rely on the UID (but you don't, right? This is a bad practice anyway, so no-one does it... right? :) ) because it is random, and it changes constantly (not inside a single session, of course, but...)
We are emulating our desfire cards, and the only change we had to do was to switch from our initial desfire select application (0x5A) to a ISO SELECT (0x00 0xA4 0x04).
Emulating authentication (the challenge-response thing) can be tricky, but we had already done it "the other way around" (using NFC to read desfire cards), so it was easy for us.
And if you rely on the card UID for authentication.. it's a good time to change it :)
Given your situation, i would say Android SDK is more than sufficient to solve your problem.
There are two parts to your case:
Reading the information from the existing cards.
Making an app with the information you have read from the cards.
Part 1:
Your only worry has to be in reading the DESFire card. If the information in the DESFire card is stored in NDEF format, it makes things even more easy.
Ndef is a class in the SDK which can be used to retrieve the information in NdefMessage type which you can then use to save the retrieved information into your storage facility, be it a local database, or a remote database, or just in the application memory.
The above is under the assumption the card is not protected. If it is, then you have to use transceive function to interact using raw byte communication. This would unlock for the rest of the information to be read. From here you can read the NDEF records.
Part 2:
My suggestion is skip the card emulation aspect of it. You are going to hit a wall at some point in time.
If the device that has been reading the card in the existing solution is attached to an android device, then Android Beam is the way to go. Which is nothing but Android App to Android App communication! Android already does the heavy lifting, so most of your work is going to be easy.
The information on the card can be stored as ndef messages and sent through beam, or you can simply create a custom object and send it through.
You may want to look at Mifare4Mobile, the initiative set up to transition from Mifare cards to NFC devices:
http://mifare4mobile.org/