Android NFC card emulation with fixed UID

I downloaded the NFC parts from AOSP, and I am looking for a method used by Android to generate a random UID used to emulate a card. My goal is to fix the UID, instead of having a different one, every time there is a connection with the goal. I found inside the "libnfc-nci" module the file "nfa_ce_act.c" containing this:

    void nfa_ce_t3t_generate_rand_nfcid (UINT8 nfcid2[NCI_RF_F_UID_LEN])
    {
        UINT32 rand_seed = GKI_get_tick_count ();

        /* For Type-3 tag, nfcid2 starts with 02:fe */
        nfcid2[0] = 0x02;
        nfcid2[1] = 0xFE;

        /* The remaining 6 bytes are random */
        nfcid2[2] = (UINT8) (rand_seed & 0xFF);
        nfcid2[3] = (UINT8) (rand_seed>>8 & 0xFF);
        rand_seed>>=(rand_seed&3);
        nfcid2[4] = (UINT8) (rand_seed & 0xFF);
        nfcid2[5] = (UINT8) (rand_seed>>8 & 0xFF);
        rand_seed>>=(rand_seed&3);
        nfcid2[6] = (UINT8) (rand_seed & 0xFF);
        nfcid2[7] = (UINT8) (rand_seed>>8 & 0xFF);
    }

This method generates UIDs for FeliCa tags. I cannot find one that is suitable for ISO14443 (MIFARE) cards, which by default generate a UID starting with 0x08. According to Martijn Coenen, as explained in his G+ post, this is possible.

Sorry, I understand that many wanted this, but this is not possible in the official version. (Of course, you could do this with some AOSP hacks). The reason is because the HCE is designed around a background operation. If we allow applications to set a UID, each application may want to set its own UID, and there is no way to resolve the conflict. We hope that with HCE, the NFC infrastructure will move to higher layers of the protocol stack to do authentication instead of relying on a UID (which is easily cloned anyway). https://plus.google.com/+MartijnCoenen/posts/iX6LLoQmZLZ

Does anyone know how to achieve it?

thanks

1 answer

It is important to know that the UID is transmitted at a very low level of the NFC protocol. This means that this is done regardless of the NFC firmware, and not on the Android operating system. We had the same problem in our NFCGate project and found a solution for Broadcom BCM20793 chips, such as Nexus 4/5 chips and others, by writing the UID with NFC_SetConfig directly to the chip firmware.

You can see the working version in our GitHub repository. Here is an unverified version to show the principle:

    uint8_t cfg[] = {
        CFG_TYPE_UID, // config type
        3,            // uid length
        0x0A,         // uid byte 1
        0x0B,         // uid byte 2
        0x0C          // uid byte 3
    };

    NFC_SetConfig(sizeof(cfg), cfg);

Our tests showed that Android sometimes returns the UID to a random one (length = 0, if I remember correctly), so you need to find a good place to set it when you need it, or do something like we did and intercept NFC_SetConfig calls from Android to set our own UID again.

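A bounds-checked way to inspect a configuration buffer at the interception point the answer describes, as an added example that is not taken from the answer or from the NFCGate code. It walks the type/length/value entries and reports whether the UID entry is absent, a reset to a random UID (length 0, as the answer recalls), a fixed UID, or malformed. Assumptions: CFG_TYPE_UID is the NCI LA_NFCID1 parameter id 0x33, valid fixed lengths are the ISO 14443-3 sizes 4, 7 and 10, and classify_uid_tlv and the sample buffers are names and data constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: CFG_TYPE_UID is the NCI parameter id LA_NFCID1 (0x33). */
#define CFG_TYPE_UID 0x33

enum uid_state { UID_ABSENT, UID_RANDOM, UID_FIXED, UID_BAD_LEN, TLV_MALFORMED };

/* Constructed sample buffers (not captured from a device). */
static const uint8_t sample_fixed[] = {0x32, 1, 0x20, CFG_TYPE_UID, 4, 0x0A, 0x0B, 0x0C, 0x0D};
static const uint8_t sample_reset[] = {CFG_TYPE_UID, 0};
static const uint8_t sample_answer[] = {CFG_TYPE_UID, 3, 0x0A, 0x0B, 0x0C};
static const uint8_t sample_truncated[] = {CFG_TYPE_UID, 4, 0x0A, 0x0B};

/* Walk a TLV buffer of the shape passed to NFC_SetConfig and classify its
 * UID entry; the last UID entry wins. For a UID entry, *uid_len receives its
 * length and *uid points at the value inside buf only when it is UID_FIXED. */
enum uid_state classify_uid_tlv(const uint8_t *buf, size_t size,
                                const uint8_t **uid, uint8_t *uid_len)
{
    enum uid_state state = UID_ABSENT;
    size_t pos = 0;

    while (pos < size) {
        if (size - pos < 2)              /* truncated type/length header */
            return TLV_MALFORMED;
        uint8_t type = buf[pos];
        uint8_t len = buf[pos + 1];
        pos += 2;
        if (len > size - pos)            /* value would run past the buffer */
            return TLV_MALFORMED;
        if (type == CFG_TYPE_UID) {
            if (len == 0) state = UID_RANDOM;   /* controller picks the UID */
            else if (len == 4 || len == 7 || len == 10) state = UID_FIXED;
            else state = UID_BAD_LEN;           /* not a valid NFCID1 size */
            *uid = (state == UID_FIXED) ? buf + pos : NULL;
            *uid_len = len;
        }
        pos += len;
    }
    return state;
}

int main(void)
{
    const uint8_t *uid = NULL; uint8_t n = 0;
    printf("%d ", classify_uid_tlv(sample_fixed, sizeof sample_fixed, &uid, &n));
    printf("%d ", classify_uid_tlv(sample_reset, sizeof sample_reset, &uid, &n));
    printf("%d ", classify_uid_tlv(sample_answer, sizeof sample_answer, &uid, &n));
    printf("%d\n", classify_uid_tlv(sample_truncated, sizeof sample_truncated, &uid, &n));
    return 0;
}
```

Under these assumptions the three-byte UID in the answer's sketch is classified as UID_BAD_LEN, so a real buffer would need a 4, 7 or 10 byte value.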

Source: https://habr.com/ru/post/1206583/

