I am trying to send some data to the Nexus 4 through NFC (i.e. the card emulation mode). I tried a number of the command APDUs such as writing and updating APDUs, but I couldn't get them to work.
What I am trying to say is, I want to send some data (that is not the AID) to the phone after the select APDU command.
Thanks in advance,
Bader
The HCE emulated card will understand exactly those commands that your HCE app's APDU service processes. So, for instance, if your HCE service's processCommandApdu() callback method looks like this:
final static byte[] SW_NO_ERROR = new byte[]{ (byte)0x90, (byte)0x00 };
final static byte[] SW_INCORRECT_P1P2 = new byte[]{ (byte)0x6A, (byte)0x86 };
final static byte[] SW_INS_NOT_SUPPORTED = new byte[]{ (byte)0x6D, (byte)0x00 };
final static byte[] SW_ERR_UNKNOWN = new byte[]{ (byte)0x6F, (byte)0x00 };
#Override
public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
if (apdu.length >= 4) {
if ((apdu[1] == (byte)0xA4) && (apdu[2] == (byte)0x04)) {
// SELECT APPLICATION
return SW_NO_ERROR;
} else if ((apdu[1] == (byte)0xCA) && (apdu[2] == (byte)0x02)) {
// GET DATA (SIMPLE TLV)
switch (apdu[3] & 0x0FF) {
case 0x001:
return new byte[]{ apdu[3], (byte)0x02, (byte)0x01, (byte)0x00, (byte)0x90, (byte)0x00 };
case 0x002:
return new byte[]{ apdu[3], (byte)0x02, (byte)0x12, (byte)0x34, (byte)0x90, (byte)0x00 };
case 0x003:
return new byte[]{ apdu[3], (byte)0x06, (byte)0xAA, (byte)0xBB, (byte)0xCC, (byte)0xDD, (byte)0xEE, (byte)0xFF, (byte)0x90, (byte)0x00 };
default:
return SW_INCORRECT_P1P2;
}
} else {
return SW_INS_NOT_SUPPORTED;
}
}
return SW_ERR_UNKNOWN;
}
Your HCE app would understand the following command APDUs:
SELECT APPLICATION (by AID)
00 A4 04 xx ...
GET DATA for data object 0201
00 CA 02 01 00
GET DATA for data object 0202
00 CA 02 02 00
GET DATA for data object 0203
00 CA 02 03 00
Other commands will result in various errors.
Related
I'm new in NFC and i am developing an android application to read and write data in an nfc, but i'm having some problems.
it's code i'm using (WRITE):
#Override
protected void onNewIntent(Intent intent) {
super.onNewIntent(intent);
if (intent.hasExtra(NfcAdapter.EXTRA_TAG)) {
Toast.makeText(this, R.string.message_tag_detected, Toast.LENGTH_SHORT).show();
}
Tag currentTag = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
byte[] id = currentTag.getId();
String myData = "ABCDEFGHIJKL";
for (String tech : currentTag.getTechList()) {
if (tech.equals(NfcV.class.getName())) {
NfcV tag5 = NfcV.get(currentTag);
try {
tag5.connect();
int offset = 0;
int blocks = 8;
byte[] data = myData.getBytes();
byte[] cmd = new byte[] {
(byte)0x20,
(byte)0x21,
(byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
(byte)0x00,
(byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00
};
System.arraycopy(id, 0, cmd, 2, 8);
for (int i = 0; i < blocks; ++i) {
cmd[10] = (byte)((offset + i) & 0x0ff);
System.arraycopy(data, i, cmd, 11, 4);
response = tag5.transceive(cmd);
}
}
catch (IOException e) {
Toast.makeText(getApplicationContext(), e.getMessage(), Toast.LENGTH_LONG).show();
return;
}
}
}
}
When i read a tag in app TagInfo, the output is:
[00] . 41 42 43 44 [ABCD]
[01] . 42 43 44 45 [BCDE]
[02] . 43 44 45 46 [CDEF]
[03] . 44 45 46 47 [DEFG]
[04] . 45 46 47 48 [EFGH]
[05] . 46 47 48 49 [FGHI]
[06] . 47 48 49 4A [GHIJ]
[07] . 48 49 4A 4B [HIJK]
[08] . 00 00 00 00 [. . . .]
. . .
Is this output correct?
If 'NOT', where am i going wrong?
To me this looks wrong but not an expert in NfcV only used NDEF nfc cards.
[00] . 41 42 43 44 [ABCD]
[01] . 45 46 47 48 [EFGH]
[02] . 49 4A 4B 4C [IJKL]
As the what actually your are wanting to do
I think the problem lies with System.arraycopy(data, i, cmd, 11, 4);
You are copying 4 bytes of data from your source data array but only incrementing the start position by 1 byte of data hence the next block start on letter later.
I think System.arraycopy(data, i*4, cmd, 11, 4); would produce the results you want.
As this increments the start of the arraycopy in the source data by the number of bytes you have already stored.
As you 12 bytes of data and each block stores 4 bytes you only need to use 3 blocks, so only loop 3 times by setting int blocks = 3; otherwise you will run out of data to copy in to cmd to send to the card generating IndexOutOfBoundsException from arraycopy
If you don't have a multiple of 4 bytes of data you will have to pad the data with zeros to be a multiple of 4 bytes OR handle a IndexOutOfBoundsException from arraycopy to correctly copy the remaining bytes.
I try to send command to USB device. I have to convert this command : DA AD 02 74 00 BFDB to byte array. I started like this :
private static final byte[] send = new byte[] {
(byte)0xda,(byte)0xad, // const
// command
};
But I don't know what's next. How should I write 02 as a byte, 74 and so on ? Please, help.
Just continue the same way you did before:
private static final byte[] send = new byte[] {
(byte)0xDA, (byte)0xAD, (byte)0x02, (byte)0x74,
(byte)0x00, (byte)0xBF, (byte)0xDB
};
To simplify the syntax, you could also take a look at this answer and then use a string like "DAAD027400BFDB" or even improve the code from that answer to ignore spaces, so you can keep the syntax you had in your question.
I now work with value files on DESFire cards. I created a value file in my DESFire card with the following command:
byte[] cmdCreateValueFile = new byte[]{
//cmd
(byte)0xCC,
//file no
(byte)0x01,
//com.sett.
(byte)0x00 ,
//access rights
(byte)0x44 , (byte)0x44,
//lower limit
(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,
//upper limit
(byte)0x00 ,(byte)0x0F ,(byte)0x42 ,(byte)0x40 ,
//initial value
(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,
//limited credit enabled
(byte)0x00
};
I then credit the value of file with this command:
//select my app first
...
doAuthenticate(); //authenticate with key #4 of my application
//credit in value file
tagResponse_cmdcredit = isodep.transceive(Utils.wrapMessage(
(byte)0x0C, new byte[]{(byte) 0x01 ,
//data
(byte)0x00,(byte)0x00, (byte)0x03 , (byte)0xE8}));
Log.d("credittttttttttt", "111 "+Utils.bytesToHex(tagResponse_cmdcredit));
//do commit transaction
tagResponse_cmdCommitTransaction = isodep.transceive(Utils.wrapMessage(
(byte)0xC7, null));
Log.d("committtttttttt", "111 "+Utils.bytesToHex(tagResponse_cmdCommitTransaction));
And my wrapMessage helper method looks like this:
public static byte[] wrapMessage (byte command, byte[] parameters) throws Exception {
ByteArrayOutputStream stream = new ByteArrayOutputStream();
stream.write((byte) 0x90);
stream.write(command);
stream.write((byte) 0x00);
stream.write((byte) 0x00);
if (parameters != null) {
stream.write((byte) parameters.length);
stream.write(parameters);
}
stream.write((byte) 0x00);
byte[] b = stream.toByteArray();
return b;
}
But I recieve 91 9E error. What could be the problem?
Edit:
I found My mistake! I didnt heed MSB and LSB value initializing in the create value file command. It must be like this if lower limit be 0x00 0x00 0x00 0x00(zero) and upper value be 0x0F 0x42 0x40(1000 000):
tagResponse_cmdcreateValueFile = isodep.transceive(Utils.wrapMessage((byte)0xCC, new byte[]{(byte)0x01,
//com.sett.
(byte)0x00 ,
//access rights
(byte)0x44 , (byte)0x44,
//lower limit
(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,
//upper limit
(byte)0x40 ,(byte)0x42 ,(byte)0x0F ,(byte)0x00 ,
//initial value
(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,
//limited credit enabled
(byte)0x00}));
I found my mistake! According to the DESFire documentation the value is always represented as LSB first.
When I want credit an amount of 1000 for example, I need to pass
(byte)0xE8, (byte)0x03, (byte)0x00, (byte)0x00
to the command instead of 0x00 0x00 0x03 0xE8 (where 03E8 is 1000 in decimal). When passing the value with MSB first, this would result in the decimal value -402456576 (signed 4-byte integer), which would be above the upper limit.
When I try to transceive commands for NFC-V Tag-it HF-I Plus Inlay tag I get a TagLostException for most of the commands.
From the links I have gone through this exception may be caused by incorrect commands.
How can I create correct ISO15693 command byte[] for Nfc V Tag-it HF-I Plus Inlay?
The datasheet shows the supported commands but how can I create correct commands to read NFC-V tags?
The commands in the document are:
The tag that I'm trying to read is:
Code:
Tag tag = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
Log.i(TAG, " tag "+tag );
if (tag != null) {
NfcV tech = NfcV.get(tag);
Log.i(TAG, " tech "+tech );
if (tech != null) {
try {
tech.connect();
Log.i(TAG, " on connect" );
byte[] data = tech.transceive(Nfcv.InventoryRequest());
Log.i(TAG, "resp data " + data);
StringBuilder sb = new StringBuilder();
for (int i = 0; i < data.length; i++) {
byte b = data[i];
System.out.println(b);
sb.append(String.format("%02X ", b));
}
System.out.println("response: " + sb.toString());
} catch (IOException e) {
e.printStackTrace();
} finally {
try {
tech.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
I have gone through the following:
NfcV Transceive command throws tag lost exception with TI HF-I plus tag(ISO15693) in android
Transceive Failed on ISO15693 / Tag-it HF-I
Android NfcV Stay Quiet Command
Android NfcV (ISO 15693) tag
Connection error when reading Android NfcV tags
EDIT
Commands that I have tried:
public class Nfcv {
// texas get system info -> tag lost exception
public static byte[] GET_SYSTEM_INFO = ReadNfcActivity.hexStringToByteArray("010A00030418002B0000");
//read multiple blocks -> not working
byte[] read_multiple_blocks= ReadNfcActivity.hexStringToByteArray("010C00030418002301020000");
byte[] readSingleBlock = ReadNfcActivity.hexStringToByteArray("010B000304180020050000");
// readUID generic command -> not working
public static byte[] readUID = ReadNfcActivity.hexStringToByteArray("FFCA000000");
public static byte[] InventoryRequest(){
//working response: 00 00 3A E5 00 04 00 00 07 E0
// R/0 UID is E0 07 00 00 04 00 E5 3A 00 00 (reverse)
return new byte[] { (byte) 0x24, (byte) 0x01, (byte) 0x00};
}
//-> not working
private byte[] ReadSingleBlockUnadressed(byte blocknumber) {
return new byte[] {(byte) 0x00, (byte) 0x20, blocknumber};
}
//-> response 03
public static byte[] get_system_info = {0x00,(byte)0x2B};
}
The Android NFC stack automatically handles polling (searching for tags various tag technologies/protocols), anti-collision (enumeration of multiple tags within one tag technology/protocol) and activation (intitiating communication with one specific tag) for you. You should, therefore, never send commands used for anti-collision and activation yourself. The Inventory command is one such command (that is used to discover tags in range).
With regard to the Inventory command, there is typically no need to send this command. All the information that you would get from this command is already provided by the Android NFC API:
You can get the UID using tag.getId().
You can get the DSFID using tech.getDsfId().
Also, for your app to work reliable across different Android device platforms (= different NFC stacks), you should always use the addressed version of commands (i.e. Address_flag set and UID sent as part of request). See Android NfcV get information command returns only one byte.
If you want to read from/write to the tag, you could use the READ_SINGLE_BLOCK and WRITE_SINGLE_BLOCK commands:
byte[] tagUid = tag.getId(); // store tag UID for use in addressed commands
int blockAddress = 0; // block address that you want to read from/write to
READ_SINGLE_BLOCK:
byte[] cmd = new byte[] {
(byte)0x20, // FLAGS
(byte)0x20, // READ_SINGLE_BLOCK
0, 0, 0, 0, 0, 0, 0, 0,
(byte)(blockAddress & 0x0ff)
};
System.arraycopy(tagUid, 0, cmd, 2, 8);
byte[] response = tech.transceive(cmd);
WRITE_SINGLE_BLOCK:
byte[] cmd = new byte[] {
(byte)0x60, // FLAGS
(byte)0x21, // WRITE_SINGLE_BLOCK
0, 0, 0, 0, 0, 0, 0, 0,
(byte)(blockAddress & 0x0ff),
... // data block that you want to write (same length as the blocks that you read)
};
System.arraycopy(tagUid, 0, cmd, 2, 8);
byte[] response = tech.transceive(cmd);
I'm trying to read a smartcard via my LG P710 Optimus L7 2.
I'm following this tutorial
I can select the "1PAY.SYS.DDF01" directory
I can select the Application
But I can't perform an "GET PROCESSING OPTIONS"
It always result in an 6700 error (Lc or Le wrong)
here is my code
NfcAdapter mNFCAdapter;
Intent intent;
PendingIntent pendingIntent;
private TextView mTextView;
String[][] techList;
IntentFilter[] filters = new IntentFilter[3];
#Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
mTextView = (TextView) findViewById(R.id.title);
mNFCAdapter = NfcAdapter.getDefaultAdapter(this);
intent = new Intent(getApplicationContext(), getClass());
intent.setFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
pendingIntent = PendingIntent.getActivity(getApplicationContext(), 0, intent, 0);
techList = new String[][]{
new String[]
{ MifareClassic.class.getName() },
new String[]
{ IsoDep.class.getName() }
};
filters[0] = new IntentFilter();
filters[0].addAction(NfcAdapter.ACTION_NDEF_DISCOVERED);
filters[0].addCategory(Intent.CATEGORY_DEFAULT);
// add type of tag data you want to have - here ndef -> plain text
try {
filters[0].addDataType(MIME_TEXT_PLAIN);
} catch (MalformedMimeTypeException e) {
e.printStackTrace();
}
filters[1] = new IntentFilter();
filters[1].addAction(NfcAdapter.ACTION_TAG_DISCOVERED);
filters[1].addCategory(Intent.CATEGORY_DEFAULT);
filters[2] = new IntentFilter();
filters[2].addAction(NfcAdapter.ACTION_TECH_DISCOVERED);
filters[2].addCategory(Intent.CATEGORY_DEFAULT);
}
#Override
protected void onNewIntent(Intent intent) {
super.onNewIntent(intent);
String action = intent.getAction();
mTextView.setText(action);
Toast.makeText(getApplicationContext(), action, Toast.LENGTH_SHORT).show();
Tag tagFromIntent = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
IsoDep tagIsoDep;
if((tagIsoDep = IsoDep.get(tagFromIntent)) != null)
if(handleIsoDep(tagIsoDep))
return;
}
private boolean handleIsoDep(IsoDep tag){
try{
tag.connect();
tag.setTimeout(20);
byte[] responseAPDU;
//2PAY.SYS.DDF01
byte[] select_Dir = new byte[]{
(byte)0x00, (byte)0xa4, (byte)0x04, (byte)0x00, (byte)0x0e,
(byte)0x32, (byte)0x50, (byte)0x41, (byte)0x59, (byte)0x2e,
(byte)0x53, (byte)0x59, (byte)0x53, (byte)0x2e, (byte)0x44,
(byte)0x44, (byte)0x46, (byte)0x30, (byte)0x31
};
//Select CC Applet
byte[] select_Applet = new byte[]{
(byte)0x00, (byte)0xa4, (byte)0x04, (byte)0x00, (byte)7,
(byte)0xa0, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x04,
(byte)0x30, (byte)0x60
};
//Send GET PROCESSING OPTIONS command
byte[] Send_Get = new byte[]{
(byte)0x80,(byte)0xA8,(byte)0x00,(byte)0x00,(byte)0x02,
(byte)0x83,(byte)0x00,
(byte)0x00
};
responseAPDU = tag.transceive(select_Dir);
mTextView.setText(mTextView.getText() + handleResponse(responseAPDU));
this returns the APDU-Statusword 9000 -> success
responseAPDU = tag.transceive(select_Applet);
mTextView.setText(mTextView.getText() + handleResponse(responseAPDU));
this returns the APDU-Statusword 9000 -> success
responseAPDU = tag.transceive(Send_Get);
mTextView.setText(mTextView.getText() + handleResponse(responseAPDU));
and this one is making problems: it returns 6700 -> wrong Lc or Le
mTextView.setText(mTextView.getText() + "\n\nDone");
tag.close();
} catch (IOException e) {
e.printStackTrace();
return false;
}
return true;
}
The function handleResponse just parses the "responseAPDU" from Binary to Hex an highlights the Statusword
Can anybody tell my what is going wrong?
or just help me out?
PS sry for bad english ;)
As response to my application-select I get:
6f298407a0000000043060a51e50074d41455354524f5f2d046465656e9f38039f5c08bf0c059f4d020b0a9000
6F -> FCI Template 29
84 -> DF Name 07 A0 00 00 00 04 30 60
A5 -> FCI Properietary Template 1E
50 -> Application Lable 07 4D 41 45 53 54 52 4F 5F 2D 04 64 65 6E
9F38 -> PDOL 03 9F 5C 08
BF0C -> FCI Issuer Data 05
9F4D -> Log Entry 02 0B
0A Additional Issuer Data
But I don't know what ive to insert into the Data fild from the GET PROCESSING OPTIONS.
Iv'e red the guidelines in EMV Book 3, section "5.4 Rules for Using a Data Object List (DOL)".
So do I just have to set the data field 83 03 9F 5C 08
and Lc = 5?
In order to help you, the entire ADPU dialog (commands/responses) would be needed.
However, based on your code : hardcoding your select_Dir and select_Applet commands is correct, but you can't hardcode the GET PROCESSING OPTIONS command whose syntax depends on the response of the card (ICC) to your select_Applet command.
EMV 4.3 Book 1, "Table 45: SELECT Response Message Data Field (FCI) of an ADF", explains that a successful card response to the SELECT command contains a "Processing Options Data Object List" (PDOL, tag 9F38). That's the list of fields required by the card to process the transaction (ex : amount, ...). These fields values are to be returned to the card by the terminal (your phone) through the GET PROCESSING OPTIONS command data field (tag 83), as documented in EMV 4.3 book 3, section "6.5.8.3 Data Field Sent in the Command Message" :
The data field of the command message is a data object coded according to the PDOL provided by the ICC, as defined in section 5.4, and is introduced by the tag '83'. When the data object list is not provided by the ICC, the terminal sets the length field of the template to zero. Otherwise, the length field of the template is the total length of the value fields of the data objects transmitted to the ICC.
Knowing that :
Your selected AID (A0 00 00 00 04 30 60) is a Mastercard Maestro one, which is unlikely to have an empty PDOL
But your GET PROCESSING OPTIONS command does not list any value in its data field
You probably have a mismatch between the length of your GET PROCESSING OPTIONS data field and the total length of the fields asked by the card in the PDOL, hence the 6700 checking error returned by the card (EMV Book 1, "Table 33: GET RESPONSE Error Conditions").
You have identified the PDOL requested by the card as : 9F38 -> 03 9F 5C 08.
The 03 tells you the PDOL is 3 bytes long. 9F5C is the tag of the requested field, 08 is the length of the field value that is to be returned by the phone.
Tag 9F5C is defined in EMV Contactless 2.3 Book C2 kernel 2 specification, section "A.1.59 DS Requested Operator ID". The DS Requested Operator ID is defined as
Contains the Terminal determined operator identifier for data
storage. It is sent to the Card in the GET PROCESSING
OPTIONS command.
I'm not familiar with this tag, so I can't tell you what a proper value is.
However, here is what the data field of the GET PROCESSING OPTIONS command should look like, assuming a DS Requested Operator ID has value 01 02 03 04 05 06 07 08, and given the Data Object List formatting guidelines in EMV Book 3, section "5.4 Rules for Using a Data Object List (DOL)" :
83 08 01 02 03 04 05 06 07 08
and Lc = 10