I'm writing an Android application. I'm trying to send NfcA low-level commands (in my case: HALT and WAKE-UP) to my Mifare Plus S card. The NfcA tech is for "low-level" access to ISO 14443 Type A tags (i.e. the
proprietary protocol as mentioned in ISO 14443-3).
This is part of my code:
protected void onNewIntent(Intent intent) {
if (NfcAdapter.ACTION_TAG_DISCOVERED.equals(intent.getAction())) {
tagFromIntent = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
UID = Utils.byteArrayToHexString(intent.getByteArrayExtra(NfcAdapter.EXTRA_ID));
}
NfcA nfca = null;
try {
Log.e(TAG, "WakeUpCMD and HaltCMD");
nfca = NfcA.get(tagFromIntent);
nfca.connect();
Short s = nfca.getSak();
byte[] a = nfca.getAtqa();
byte[] HaltCMD = {0x35, 0x30, 0x30,0x30, 0x00};
byte[] WakeUpCMD = {0x35, 0x32, 0x00};
byte[] data = null;
try {
data = nfca.transceive(HaltCMD);
length = data.length;
}
catch (Exception e){
Log.e(TAG, "HALT complete "+Utils.byteArrayToHexString(data));
}
Log.e(TAG, "Tag is connected: "+nfca.isConnected());
//Log.e(TAG, "Response from tag "+Utils.byteArrayToHexString(data));
nfca.setTimeout(100);
data = nfca.transceive(WakeUpCMD);
Log.e(TAG, "Response from tag"+Utils.byteArrayToHexString(data));
nfca.close();
} catch (Exception e) {
Log.e(TAG, "Error when reading tag");
}
}
WAKE-UP Command is sent by the PCD to put PICCs which have entered the HALT State back into the READY
State. They shall then participate in further anticollision and selection procedures.
|b7| |b6| |b5| |b4| |b3| |b2| |b1|
|1 | | 0 | | 1| | 0| | 0| | 1| | 0| {‘52’} = WAKE-UP
HALT Command consists of four bytes and shall be transmitted using the Standard Frame.
First bit transmitted
S | ‘50’ | ‘00’ | CRC_A | E
If the PICC responds with any modulation during a period of 1 ms after the end of the HALT Frame, this response shall be interpreted as 'not acknowledge'.
This is the descriptions of the two commands from ISO 14443-3 which I try to send to my card.
When I start my app, I get a "Tag Lost" Exception. Can you help me? What's wrong? How can I send these commands?
It seems as if you are converting the command codes into null-terminated ASCII character strings before sending them with NfcA.transceive():
byte[] HaltCMD = {0x35, 0x30, 0x30,0x30, 0x00};
byte[] WakeUpCMD = {0x35, 0x32, 0x00};
0x35 0x30 0x30 0x30 gives "5000"
0x35 0x32 gives "52"
This does not make any sense as the commands (50 00 for HLTA, and 52 for WUPA) are hexadecimal representations of the command values already.
For the HLTA command, you would therefore need to send 50 00:
data = nfca.transceive(new byte[] { (byte)0x50, (byte)0x00 });
Note that S (start of communication), E (end of communication), and CRC_A will be automatically added by the NFC controller (or the NFC stack).
For the WUPA command, you could probably try to send 52:
data = nfca.transceive(new byte[] { (byte)0x52 });
However, it is very likely that the NFC stack does not permit you to send 7-bit commands using the transceive method. Instead, the stack may automatically use this command value as one full byte and add a CRC_A.
General note on sending ISO/IEC 14443-3 initialization and anti-collision commands
Sending such commands may or may not work (depending on the NFC stack implementation and the NFC controller). In general I would strongly recommend that you do not send such commands. Particularly the HLTA command will confuse the internal state keeping of the NFC stack on some devices and will lead to unexpected results. Normally, you don't need to exchange such commands, as anti-collision, initialization and activation are handled automatically by the NFC device.
Related
I am trying to use the PN532 to read my NFC UID from phone(Samsung Galaxy S10), but i receive just 08 and another 3 digits of random values.I read that a value that start with 08 is a RID(Random ID). Is there any possible way to read just a unique value, or use the PN532 to read something that is unique from my phones NFC?
I want to use that value to compare it with a constant in my code and send an impulse to a relay to open a door.
This code is from da Adafruit_PN532 library.
#include <Wire.h>
#include <SPI.h>
#include <Adafruit_PN532.h>
#define PN532_IRQ (2)
#define PN532_RESET (3) // Not connected by default on the NFC Shield
// Or use this line for a breakout or shield with an I2C connection:
Adafruit_PN532 nfc(PN532_IRQ, PN532_RESET);
void setup(void) {
Serial.begin(115200);
Serial.println("Hello!");
nfc.begin();
uint32_t versiondata = nfc.getFirmwareVersion();
if (! versiondata) {
Serial.print("Didn't find PN53x board");
while (1); // halt
}
Serial.print("Found chip PN5"); Serial.println((versiondata >> 24) & 0xFF, HEX);
Serial.print("Firmware ver. "); Serial.print((versiondata >> 16) & 0xFF, DEC);
Serial.print('.'); Serial.println((versiondata >> 8) & 0xFF, DEC);
// configure board to read RFID tags
nfc.SAMConfig();
Serial.println("Waiting for an ISO14443A Card ...");
}
void loop(void) {
uint8_t success;
uint8_t uid[] = { 0, 0, 0, 0, 0, 0, 0 }; // Buffer to store the returned UID
uint8_t uidLength; // Length of the UID (4 or 7 bytes depending on ISO14443A card type)
// Wait for an ISO14443A type cards (Mifare, etc.). When one is found
// 'uid' will be populated with the UID, and uidLength will indicate
// if the uid is 4 bytes (Mifare Classic) or 7 bytes (Mifare Ultralight)
success = nfc.readPassiveTargetID(PN532_MIFARE_ISO14443A, uid, &uidLength);
if (success) {
// Display some basic information about the card
Serial.println("Found an ISO14443A card");
Serial.print(" UID Length: "); Serial.print(uidLength, DEC); Serial.println(" bytes");
Serial.print(" UID Value: ");
nfc.PrintHex(uid, uidLength);
if (uidLength == 4) {
// We probably have a Mifare Classic card ...
uint32_t cardid = uid[0];
cardid <<= 8;
cardid |= uid[1];
cardid <<= 8;
cardid |= uid[2];
cardid <<= 8;
cardid |= uid[3];
Serial.print("Seems to be a Mifare Classic card #");
Serial.println(cardid);
}
delay(2000);
}
}
Do not use the NFC UID for any security purpose, as you can see a phone does give a random one for privacy purposes.
The NFC UID is designed only to help reading hardware deal with handling sending data to the right card when multiple different Tags are in range. There is no guarantee that the UID is actually Unique and that it cannot duplicated (even with Tag that are supposed to have it programmed at the factory you can buy clones from China where they can be programmed by the end user).
It is better to use cryptographic methods with data stored on a tag or emulated Tag if using a phone to provide uniqueness to use a Tag for anything with security implications.
I am developing an application where i have to read information from ITSO smart card. And it supports below three technologies for filter ACTION_TECH_DISCOVERED.
android.nfc.tech.IsoDep, android.nfc.tech.NfcA
android.nfc.tech.NdefFormatable
Now when I using below code
byte[] apduCmd = {
0x00, //CLA
(byte)0xA4, //INS select
0x00, //P1
0x00, //P2
0x02 //LE
};
Tag tag = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
IsoDep isoDep = IsoDep.get(tag);
try {
isoDep.connect();
byte[] result = isoDep.transceive(apduCmd);
Log.i(TAG, "SELECT: " + bytesToHex(result));
if (!(result[0] == (byte) 0x90 && result[1] == (byte) 0x00)) {
Toast.makeText(this, "Exception occurred!", Toast.LENGTH_SHORT).show();
}else{
Toast.makeText(this, "Read successfully!", Toast.LENGTH_SHORT).show();
}
} catch (IOException e) {
e.printStackTrace();
}
Above code gives me success bytes i.e. 9000
Now I am not sure what to do next? How to read complete Data/information from this ITSO card. (this card is type of bus ticket).
Any suggestion?
Thanks Michael, i have read the document ITSO specification, and got idea to create command to read the data from the card.
I execute the commands in below sequence.
1) SELECT DIRECTORY- 906A000000
2) SELECT APPLICATION- 905A0000031602A000
3) READ DATA- 90BD0000070400000000000000 (File number- 4)
4) ADDITIONAL FRAME- 90AF000000 (This will execute only if we have Additional frame in response.)
And i am getting response like below for each file ( below response if for file number 4)
Response: 230A00009469FA0798004600002698400100000000000000000000000000000000042C00C0001CDC131089EB4A583BC000000000000000000000000000000000
Now I am not sure how get the information from this?
Can i get all information at once in XML or JSON? Is there any easier way to do this?
Update 10/05/2016
I got the shell information in HEX String, Can you help me to decode the textual information from it. (Reference ITSO specification given above.
I am trying to implement IsoDep reading capabilities to chariotsolutions phongap-nfc plugin, so far (even though i am a complete newbie to Java/android and cordova/phonegap) I have managed to make it work with cordova, connect to the card, issue an APDU command and return it back to the web view. (hooray for me right?)
Well the simple problem is that I did not manage to get a 9000 response so far by selecting the application.
I am using LG L Fino#4.4.2.
Additions to NFCplugin.java + import nfc.tech.IsoDep, NFCa, NFCb
.... else if (action.equalsIgnoreCase(ISODEP)) {
registerIsoDep(callbackContext);
} else if (action.equalsIgnoreCase(READISODEP)){
readIsoDep(callbackContext);
} else .....
This should be the tag listener - i think so :-)
private void registerIsoDep(CallbackContext callbackContext) throws JSONException {
addTechList(new String[]{IsoDep.class.getName()});
callbackContext.success();
}
This reads the IsoDep tag, found out that it has to be called within the callback of the previous function (will get back in to that in the Js part)
private void readIsoDep(final CallbackContext callbackContext) throws JSONException {
final Tag tag = savedIntent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
cordova.getThreadPool().execute(new Runnable() {
#Override
public void run() {
IsoDep isoDep = IsoDep.get(tag);
try {
isoDep.connect();
isoDep.setTimeout(5000);
byte[] SELECT = {
(byte) 0x00, // CLA Class
(byte) 0xA4, // INS Instruction
(byte) 0x04, // P1 Parameter 1
(byte) 0x00, // P2 Parameter 2
(byte) 0x07, // Length
(byte) 0xA0, (byte) 0x00,
(byte) 0x00, (byte) 0x00,
(byte) 0x04, (byte) 0x10,
(byte) 0x10, // AID
(byte) 0x00 // Lenght
};
try {
byte[] result = isoDep.transceive(SELECT);
isoDep.close();
callbackContext.success(result[0] + "|" + result[1]);
}catch (IOException e) {
callbackContext.error("error" + e);
}
} catch (IOException e) {
callbackContext.error("error" + e);
}
}
});
}
Cordova implementation
,addIDDiscoverListener: function(callback, win, fail) {
document.addEventListener("tag", callback, false);
cordova.exec(win, fail, "NfcPlugin", "registerIsoDep", []);
}
};
var isoDep = {
readIsoDep: function(win, fail) {
cordova.exec(win, fail, "NfcPlugin", "readIsoDep", []);
}
}
And lastly "app.js"
nfc.addIDDiscoverListener(function(nfcEvent) {
//listenes for the isodep tag
isoDep.readIsoDep(function(tag) {
console.log(tag); //returns ADPU response codes
}, function(reason) {
console.log('error! ' + reason);
});
},
function() {
console.log('registered reader');
},
function(reason) {
console.log('error! ' + reason);
});
My problem is that no matter what app id I select whether it is MasterCard (A0000000041010) with the above one or PPES (proximity payment system environment), I get this error. Since this is my first attempt to do Java I do not know if it is an implementation issue or command issue (which should be fine) most of this code was written by looking at the chariot solutions code and literally thinking yea this should work, this is here so it should be probably be also here ("cordova execute runnable" - i know sh*t what it does, just assumed it should probably be in my code also).
Also there is probably another small bug - it reads the card only ONCE until I quit the app and start it again.
PS.: I have read a ton of SO post, googled like hell for couple of days and tried a lot of things (learned a couple also) but none of them were able to help me.
PSS.: And yes when it is done I want to merge it the the original project.
Thank for any help and sorry for the long post.
The 6F XX that you are seeing is not the status word. In fact 6F ... is exactly what you should receive when your SELECT (by DF name) command succeeds. 6F is the tag of an FCI template.
When you try to retrieve the status word, you are actually reading the first two bytes of the array that you get from the transceive() method. However, a response APDU looks like
+---------+--------+--------+
| DATA | SW1 | SW2 |
| n bytes | 1 byte | 1 byte |
+---------+--------+--------+
So you would need to check the last two bytes of result for the status word:
result[result.length - 2] + "|" + result[result.length - 1]
I am newbie in Android NFC API.
Currently, I have a NFC tag, I am making an Android app to read data from it. My simple App is launched when my phone get closer enough to the NFC Tag. But I have no idea how to read the data inside the NFC Tag. The tag uses IsoDep technology.
My current code:
#Override
protected void onResume (){
super.onResume();
Intent intent = getIntent();
Tag tag = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
IsoDep isoDep = IsoDep.get(tag);
// How to read data from IsoDep instance?
I googled on internet, I notice people are sending commands to IsoDep to get response from NFC Tag, I suppose from the response, we can parse the data in the tag, I saw people doing this:
//What is the 'command' ? How to define the command?
//e.g.:
byte command = (byte) 0x6A
isoDep.transceive(command)
But, the command is just a byte, as a newbie, it is too difficult to understand what is happening. I have no idea how to define the command to read data? Anyone can explain to me? or is there a document I can learn about the command?
Generally, I need some guidance on how to define commands & how to parse data from response, I would like to read the data stored in the Tag & show the data in String format in UI element (e.g. TextView).
*AND***
I have no problem with those configurations(e.g. AnroidManifest.xml), please don't guide me on how to configure :)
IsoDep allows you to communicate over a ISO-14443-4 connection with the transceive operation. Over this protocol application data units (APDUs) are exchanged. The format is specified, you find a description on Wikipedia.
For exaple, to select an application on a smart card with a particular application identifier (AID) you would execute the following APDU command. The result simply indicates ok (9000) or an error.
byte[] SELECT = {
(byte) 0x00, // CLA Class
(byte) 0xA4, // INS Instruction
(byte) 0x04, // P1 Parameter 1
(byte) 0x00, // P2 Parameter 2
(byte) 0x0A, // Length
0x63,0x64,0x63,0x00,0x00,0x00,0x00,0x32,0x32,0x31 // AID
};
Tag tagFromIntent = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
IsoDep tag = IsoDep.get(tagFromIntent);
tag.connect();
byte[] result = tag.transceive(SELECT);
if (!(result[0] == (byte) 0x90 && result[1] == (byte) 0x00))
throw new IOException("could not select applet");
After the application has been selected, you can execute application specific commands. The programs are typically written in JavaCard which follows the GlobalPlatorm spec. The following example executes on the above selected application the method 4 (0x04) which returns a byte array of at most 11 bytes. This result is then converted to a string.
byte[] GET_STRING = {
(byte) 0x80, // CLA Class
0x04, // INS Instruction
0x00, // P1 Parameter 1
0x00, // P2 Parameter 2
0x10 // LE maximal number of bytes expected in result
};
result = tag.transceive(GET_STRING);
int len = result.length;
if (!(result[len-2]==(byte)0x90&&result[len-1]==(byte) 0x00))
throw new RuntimeException("could not retrieve msisdn");
byte[] data = new byte[len-2];
System.arraycopy(result, 0, data, 0, len-2);
String str = new String(data).trim();
tag.close();
I'm busy with an app to emulate normal APDU communication on a Nexus 7 with CM10.1 to an ACR122U102 reader/writer. I found this blog about software card emulation and wrote an app to make my device (the nexus) appear as a card. Now I'm trying to send messages back and forth between this device and the ACR122u. So far, I've only managed to communicate with the nexus 7 by sending D4 40 01 (InDataExchange page 127) APDU's. For the application I'm writing, this should be sufficient.
The problem lays in the answer I send from the device to the reader. Using the transcieve function (android.nfc.tech.IsoPcdA with reflection), I can reply with a byte array of length > 0. This would show up on the reader-end like a normal InDataExchange response (e.g: D5 41 00 01 02 03 with {01 02 03} being the byte array supplied to the transcieve function). But I can't control the status byte nor the SW bytes in the response (D5 41 XX and both SW's). There's no documentation to be found about this IsoPcdA class except the source code itself.
What I want to be able to do is change the XX to a byte of my choice and to send answers of length = 0 (e.g: D5 41 01 without any extra data). Is it possible?
I'm not exactly sure what you are trying to achieve here. Whatever you transceive with IsoPcdA's transceive method are complete APDUs (as defined in ISO/IEC 7816-4, or rather any PDU within the ISO-DEP transport protocol). So the return value of transceive is a full C-APDU (command APDU) and the byte array parameter of transceive is a full R-APDU (response APDU) including the two bytes of the status word (SW1 | SW2). Thus, the last two bytes of that parameter are the status word. In your example SW1 would be 02 and SW2 would be 03.
What you see as status byte in the InDataExchange command of the PN532 NFC controller is not the status word of the APDU but the status of the command execution within the PN532 NFC controller. This status byte gives you information about buffer overflows, communication timeouts, etc and is not something that is returned by the card side.
EDIT : Sample code + test commands:
Sample Code running on Galaxy Nexus (CM 10):
try {
Class isoPcdA = Class.forName("android.nfc.tech.IsoPcdA");
Method isoPcdA_get = isoPcdA.getDeclaredMethod("get", Tag.class);
final IsoPcdA techIsoPcdA = (IsoPcdA)isoPcdA_get.invoke(null, tag);
if (techIsoPcdA != null) {
if (mWorker != null) {
mInterrupt = true;
mWorker.interrupt();
try {
mWorker.join();
} catch (Exception e) {}
}
mInterrupt = false;
mWorker = new Thread(new Runnable() {
public void run () {
try {
techIsoPcdA.connect();
byte[] command = techIsoPcdA.transceive(new byte[]{ (byte)0x90, (byte)0x00 });
Log.d(CardEmulationTest.class.getName(), "Connected.");
while (!mInterrupt) {
Log.d(CardEmulationTest.class.getName(), "C-APDU=" + StringUtils.convertByteArrayToHexString(command));
command = techIsoPcdA.transceive(command);
}
} catch (Exception e) {
Log.e(CardEmulationTest.class.getName(), "Exception while communicating on IsoPcdA object", e);
} finally {
try {
techIsoPcdA.close();
} catch (Exception e) {}
}
}
});
mWorker.start();
}
} catch (Exception e) {
Log.e(CardEmulationTest.class.getName(), "Exception while processing IsoPcdA object", e);
}
Test (using ACR122U):
InListPassivTargets (1 target at 106kbps)
> FF00000004 D44A 0100 00
< D54B 010100046004088821310578338800 9000
InDataExchange with DATA = 0x01
> FF00000004 D440 01 01 00
< D541 00 01 9000
So we get an error code of 0x00 from the card reader (status of InDataExchange command; not part of the actual response APDU), we get 0x01 as the response (this is the IsoDepA response APDU) and we get 0x9000 as the status code for the card reader wrapper APDU (not part of the actual response APDU).
InDataExchange with DATA = 0x01 0x02
> FF00000005 D440 01 0102 00
< D541 00 0102 9000
So we get an error code of 0x00 from the card reader (status of InDataExchange command; not part of the actual response APDU), we get 0x01 0x02 as the response (this is the IsoDepA response APDU) and we get 0x9000 as the status code for the card reader wrapper APDU (not part of the actual response APDU).
InDataExchange with DATA = 0x01 0x02 0x03
> FF00000006 D440 01 010203 00
< D541 00 010203 9000
So we get an error code of 0x00 from the card reader (status of InDataExchange command; not part of the actual response APDU), we get 0x01 0x02 0x03 as the response (this is the IsoDepA response APDU) and we get 0x9000 as the status code for the card reader wrapper APDU (not part of the actual response APDU).
InDataExchange with DATA = 0x01 0x02 0x03 0x04
> FF00000007 D440 01 01020304 00
< D541 00 01020304 9000
So we get an error code of 0x00 from the card reader (status of InDataExchange command; not part of the actual response APDU), we get 0x01 0x02 0x03 0x04 as the response (this is the IsoDepA response APDU) and we get 0x9000 as the status code for the card reader wrapper APDU (not part of the actual response APDU).
Thus, we get exactly the data taht we send as command APDU as response APDU (note that none of these APDUs is formatted according to ISO 7816-4, but that doesnt matter as the IsoPcdA card emulation works with any ISO 14443-4 transport protocol format).
The status code of 0x9000 belongs to the card reader APDU encapsulation (CLA=FF INS=00 P1P2=0000 Lc [PN542 COMMAND] Le=00) that is required as the ACR122U's PN532 is accessed over the CCID (PC/SC) interface. These are pure reader command encapsulation and have nothing to do with the communication over ISO-DEP.
The D440 01 [DATA] is the PN532 command to exchange data (e.g. APDUs) over ISO-DEP and the D541 00 [DATA] is the associated response.