
Archive for November, 2012


Overview of NFC Code on Android

November 20th, 2012 by ksl3

From investigating the patch and the Android source code, we were able to figure out a bit more about the details of how NFC is handled on Android.

These files are provided by NXP Semiconductors to access the PN544 chip on the Android device. They make up the low-level C NFC API.

root:
external/libnfc-nxp/src

phHal4Nfc.h
– general API header

phHal4Nfc_Internal.h
– internal structs used in nxp libs to pass around NFC context

phLibNfc_initiator.h
– initiate the NFC connection
– handle the initial authentication protocol

phOsalNfc.h
– operating system abstraction layer
– abstracts away the hardware-specific components of NFC

phLibNfc_SE.h
– functions to access the secure element on the phone

phNfcConfig.h
– configure the NFC chip

The line below is changed in the patch to enable card emulation:

106 /**< Macro to Enable the Card Emulation Feature */
107 -/* #define HOST_EMULATION */
108 +#define HOST_EMULATION
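Review bot: line 108 hard-codes HOST_EMULATION on for every build of libnfc-nxp, whereas the original commented-out define on line 107 left card emulation disabled by default; since the comment on line 106 identifies this as the feature switch, consider making it a build-time option (for example a -D flag supplied by the build system) rather than an unconditional define, so that emulation support is visible and selectable per product instead of silently enabled for all of them.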

phHal4Nfc_Emulation.c
– card emulation code in Android

 

The following files provide the Java Native Interface that bridges the low-level C API to the Java interface exposed by Android.

Root:
packages/apps/Nfc/jni/

com_android_nfc_NativeNfcManager.cpp
– JNI glue that translates Java calls into calls into the C library

Root:
packages/apps/Nfc/jni/src

NativeNfcManager.java
– high-level NFC manager that broadcasts intents once an NFC event has been detected

NFCService:
– bridge between the NativeNfcManager and NFC events

Read Sector 0 Data

November 14th, 2012 by ksl3

Today, we were able to read data from sector 0 using the existing NFC API in Android.
Knowing the plaintext response from a sector of the MiFare card is the key component of the later part of our project, in which we aim to break the Crypto-1 algorithm.

Crypto-1 algorithm:
Payload XOR Keystream = Ciphertext

The idea is that the keystream can be kept constant because of the repeating nonce issue in MiFare Classic cards. If we also know the ciphertext and the payload, we can reconstruct the keystream.
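As an added example (not code from the original post), the keystream relation above worked through in Python: block 0 of the Q card from the dump below serves as the known plaintext, while the 16-byte keystream is a constructed stand-in, not real Crypto-1 output and no Crypto-1 is implemented. It also checks the dump's BCC byte, which for a 4-byte UID is the XOR of the four UID bytes, so a misread dump is caught before it is used as "known plaintext".

```python
"""Added example: known-plaintext keystream recovery under nonce reuse, plus a
BCC consistency check on the sector 0 dump. Not part of the original post."""

# Block 0 ("manufacturer block") of the Q card exactly as printed in the post:
# UID AA 65 8F DB, then BCC 9B, then manufacturer data.
Q_CARD_BLOCK0 = bytes.fromhex("AA658FDB9B880400465175524D101308")

# Constructed 16-byte keystream standing in for Crypto-1 output under a repeated
# nonce. It is NOT real Crypto-1 output; the cipher itself is not implemented here.
CONSTRUCTED_KEYSTREAM = bytes.fromhex("0F1E2D3C4B5A69788796A5B4C3D2E1F0")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def uid_bcc(uid: bytes) -> int:
    """BCC of a 4-byte UID is the XOR of its bytes (ISO/IEC 14443-3, cascade level 1)."""
    bcc = 0
    for b in uid:
        bcc ^= b
    return bcc


def manufacturer_block_is_consistent(block0: bytes) -> bool:
    """Byte 4 of block 0 must equal the BCC of the UID in bytes 0..3; a mismatch
    means the dump was misread and must not be trusted as known plaintext."""
    return len(block0) == 16 and block0[4] == uid_bcc(block0[:4])


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Payload XOR Ciphertext = Keystream, the inverse of the relation in the post."""
    return xor_bytes(known_plaintext, ciphertext)


def keystream_reuse_demo():
    """Encrypt two blocks under the same keystream (the repeated-nonce situation),
    recover the keystream from the known block 0, then decrypt the other block.
    Returns (keystream recovered correctly, second block decrypted correctly)."""
    other_block = b"constructed blk!"  # 16 bytes of constructed plaintext
    c_known = xor_bytes(Q_CARD_BLOCK0, CONSTRUCTED_KEYSTREAM)
    c_other = xor_bytes(other_block, CONSTRUCTED_KEYSTREAM)
    ks = recover_keystream(Q_CARD_BLOCK0, c_known)
    return ks == CONSTRUCTED_KEYSTREAM, xor_bytes(ks, c_other) == other_block
```

The second result is the point of the post's argument: once the keystream is fixed by a repeated nonce, one known block exposes every other block encrypted under it.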

Below is a brief trace of the actual response of the Q card.

Q Card
—————
SAK: 0x08
ATQA: 0x0400
ID: AA:65:8F:DB

Data
Sector 0
[00] AA 65 8F DB 9B 88 04 00
46 51 75 52 4D 10 13 08
[01] 20 00 54
..
[03] A0:A1:A2:A3:A4:A5 MAD access key
WxW 69:67:89 C1

Apply Android kernel source code with NFC patch

November 7th, 2012 by yc15

The goal of our project is to emulate a MiFare card with an NFC-capable Android device. Based on our research, we realized that we need to patch the Android source code directly in order to have access to the NFC calls that handle authentication, since the standard Android NFC API doesn’t grant that ability. To make sure it is doable, our first goal is to recompile the kernel source code and flash it to a Nexus S.

We found this blog post online that gives a thorough explanation of the process. It also gives a patch that provides the NFC setting change to enable card emulation mode. The post gives very detailed and clear instructions, so with the correct settings anyone should be able to follow it and patch the kernel. However, it took us about two weeks to actually make it work. Here are some problems we had and how we solved them.

1. Case-insensitive file system:

The environment has to be a case-insensitive file system to compile the source code. I used my Mac OS X Lion, which has a case-sensitive file system, so I needed to use “Disk Utility” to create a new disk image with a case-insensitive file system. Here are the instructions for how to do that. My laptop had only 20 GB left on its hard drive, but it takes at least 25 GB to build Android, so I created the disk image on an external hard drive. My first attempt failed when I made the disk image on a Western Digital portable external hard drive with about 50 GB of space left. The compilation went smoothly until it tried to make the .img file. I kept getting the error that the disk image I had created for Android could not be found. I didn’t solve that problem on that hard drive, but after I got a new 1 TB external hard drive with USB 3.0, I was able to compile and build the .img files. Therefore the problem might have been with the previous external hard drive.

2. Build environment

Using Mac OS X Lion, I had the trouble that the OS X SDK 10.5 could not be found. To solve that, I had to manually download that SDK from the Apple developer site. Here is the link on how to properly install the correct SDK. Because of this issue, I considered using a Linux VirtualBox VM for development. I got a 64 GB USB drive, built a disk image with a case-insensitive file system, then made a VirtualBox image and installed Ubuntu 10.8. However, USB 2.0 has really slow I/O, so every command takes forever, and after two nights of setting up, the Android source code could not compile. Therefore I gave up on that idea. It should be easier to build Android in a Linux environment, but we decided to stick with Mac OS X.

After solving those problems, I was able to build the source code with the patch using the instructions from this blog post.