Override OffHostApduService to route APDUs to the SIM

I am working on a project to emulate a transport card on an Android phone. I read the Android KitKat documentation and found that, in order to emulate a card backed by a secure element, I need to inherit from OffHostApduService.

Although I spent a lot of time searching on Google, I couldn't find what to write in the onBind function to redirect the APDUs from another NFC device to the SIM card of the mobile device.

The card is NFC A and B compatible, does that mean I can send commands to it using NfcA or NfcB class?

I am working on Samsung Galaxy 3 and Samsung Galaxy 4 Mini, which have the Open Mobile API or at least the SmartCard API. I cannot modify the system image, as the goal is to show that this is possible on devices as sold on the market.

Thanks for the help!



1 answer


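The following patches enable routing of NFC card emulation to the UICC on Android 4.4 on a Nexus 5. They modify the AOSP device tree and the system NFC app, so they only take effect in a custom-built system image: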

First, in the device/lge/hammerhead folder:

diff --git a/nfc/libnfc-brcm-20791b05.conf b/nfc/libnfc-brcm-20791b05.conf
index 0ef61c3..9348673 100644
--- a/nfc/libnfc-brcm-20791b05.conf
+++ b/nfc/libnfc-brcm-20791b05.conf
@@ -26,10 +26,10 @@ LPTD_CFG={38:B9:36:01:00:FF:FF:08:00:00:00:A0:0F:40:00:00:12:02:10:00:00:00:2D:0
 #
 # This is applied at stack startup.
 # Use for Host based CE
-NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02
+#NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:0

 # Support UICC
-#NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:03:FF:80:01:01:C9:03:03:0F:AB:5B:01:02:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:0
+NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:03:FF:80:01:01:C9:03:03:0F:AB:5B:01:02:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02

 ###############################################################################
 # Pre-Discovery Startup Configuration (256 bytes maximum)
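Review bot: The `NFA_DM_START_UP_CFG` lines in this hunk look truncated as published: none ends with a closing `}`, and the newly commented-out line ends in `C2:0` where the line it replaces ends in `C2:02`. Copy the UICC value from the unmodified file in the device tree rather than from this listing. As far as the visible bytes go, the two variants differ only after `B5:03:01` (`02` vs `03`) and after `AB:5B:01` (`00` vs `02`); a comment above the active line, such as `# UICC variant: differs from the host-CE value only in the bytes after B5:03:01 and AB:5B:01`, would make the swap reviewable.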
@@ -39,7 +39,7 @@ NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00
 # Do not set NFA_DM_PRE_DISCOVERY_CFG

 # Support UICC
-#NFA_DM_PRE_DISCOVERY_CFG={0A:C2:08:01:88:00:04:40:4B:4C:00}
+NFA_DM_PRE_DISCOVERY_CFG={0A:C2:08:01:88:00:04:40:4B:4C:00}

 ###############################################################################
 # Antenna Configuration - This data is used when setting 0xC8 config item
diff --git a/nfc/libnfc-brcm.conf b/nfc/libnfc-brcm.conf
index 4840a54..afe80cd 100644
--- a/nfc/libnfc-brcm.conf
+++ b/nfc/libnfc-brcm.conf
@@ -2,8 +2,10 @@

 ###############################################################################
 # Application options
-APPL_TRACE_LEVEL=0x01
-PROTOCOL_TRACE_LEVEL=0x00000000
+#APPL_TRACE_LEVEL=0x01
+#PROTOCOL_TRACE_LEVEL=0x00000000
+APPL_TRACE_LEVEL=0xFF
+PROTOCOL_TRACE_LEVEL=0xFFFFFFFF

 ###############################################################################
 # performance measurement
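Review bot: Raising `APPL_TRACE_LEVEL` to `0xFF` and `PROTOCOL_TRACE_LEVEL` to `0xFFFFFFFF` is a debugging aid, not part of the UICC routing change, and should not ship in a build that handles real card traffic. At these levels the stack presumably logs protocol traffic in full, which would put card-emulation data into the device log where other log readers can see it. Keep `APPL_TRACE_LEVEL=0x01` and `PROTOCOL_TRACE_LEVEL=0x00000000` active, or mark the raised values with `# DEBUG ONLY: revert before release`.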
@@ -75,7 +77,7 @@ NFCC_ENABLE_TIMEOUT=1000
 # so that the stack will not wait any longer than necessary.
 #
 # Use for Host based CE
-NFA_MAX_EE_SUPPORTED=0
+#NFA_MAX_EE_SUPPORTED=0

 # Use for UICC support
 # NFA_MAX_EE_SUPPORTED=3
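Review bot: After this hunk `NFA_MAX_EE_SUPPORTED` is not set at all: the host-CE line is commented out, but the context line `# NFA_MAX_EE_SUPPORTED=3` under "Use for UICC support" stays commented. The result then depends on the stack's built-in default, which is not visible here. Setting it explicitly with `NFA_MAX_EE_SUPPORTED=3` would match how the next hunk activates `ACTIVE_SE=0xF3`.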
@@ -88,10 +90,10 @@ NFA_MAX_EE_SUPPORTED=0
 # system in order to skip SE initialization.
 #
 # Use for Host based CE
-ACTIVE_SE=0x0
+#ACTIVE_SE=0x0

 # Use for UICC support
-#ACTIVE_SE=0xF3
+ACTIVE_SE=0xF3

 ###############################################################################
 # Configure the NFC Extras to open and use a static pipe.  If the value is

      

Then, in the packages/apps/Nfc folder:



diff --git a/src/com/android/nfc/cardemulation/AidRoutingManager.java b/src/com/android/nfc/cardemulation/AidRoutingManager.java
index 154bcf3..951fb2d 100644
--- a/src/com/android/nfc/cardemulation/AidRoutingManager.java
+++ b/src/com/android/nfc/cardemulation/AidRoutingManager.java
@@ -41,7 +41,8 @@ public class AidRoutingManager {
     // For Nexus devices, just a static route to the eSE
     // OEMs/Carriers could manually map off-host AIDs
     // to the correct eSE/UICC based on state they keep.
-    static final int DEFAULT_OFFHOST_ROUTE = 0xF4;
+//    static final int DEFAULT_OFFHOST_ROUTE = 0xF4;
+    static final int DEFAULT_OFFHOST_ROUTE = 0xF3; // pkvk9345

     final Object mLock = new Object();

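Review bot: The comment above `DEFAULT_OFFHOST_ROUTE` still says "just a static route to the eSE", but the new value `0xF3` is the one the config file lists under "Use for UICC support" (`ACTIVE_SE=0xF3`), so the comment is now wrong. Update it to something like `// Static route to the UICC (0xF3); must match ACTIVE_SE in libnfc-brcm.conf`. The commented-out `0xF4` line and the `// pkvk9345` tag can be dropped, since version control already records both. The class body continues outside the hunk.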
diff --git a/nci/jni/RoutingManager.cpp b/nci/jni/RoutingManager.cpp
index 83e97d0..885e403 100644
--- a/nci/jni/RoutingManager.cpp
+++ b/nci/jni/RoutingManager.cpp
@@ -89,7 +89,8 @@ void RoutingManager::setDefaultRouting()
         ALOGE ("Fail to set default proto routing");

     // Tell the UICC to only listen on Nfc-A
-    nfaStat = NFA_CeConfigureUiccListenTech (mDefaultEe, 0x01);
+    //nfaStat = NFA_CeConfigureUiccListenTech (mDefaultEe, 0x01);
+    nfaStat = NFA_CeConfigureUiccListenTech (0xF3, 0x03);
     if (nfaStat != NFA_STATUS_OK)
         ALOGE ("Failed to configure UICC listen technologies");

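Review bot: The call now passes the literal `0xF3` instead of `mDefaultEe`, so the listen-technology setup no longer follows the execution environment used by the rest of `setDefaultRouting()`, whose earlier routing calls lie outside this hunk. If `mDefaultEe` still holds a different handle, routing and listen configuration would target different elements, and the failure is only logged with `ALOGE`. Prefer setting `mDefaultEe` to the UICC handle where it is initialised and keeping `nfaStat = NFA_CeConfigureUiccListenTech (mDefaultEe, 0x03);`. The comment "Tell the UICC to only listen on Nfc-A" is also stale, because the mask changed from `0x01` to `0x03`, which presumably adds Nfc-B; reword it to `// Tell the UICC to listen on Nfc-A and Nfc-B`.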
      

Routing to the UICC is not possible on the Nexus 4, because the SWP pin is not connected to the NFC chip on this device.

The APDU exchange needed to download the ticket to your card can be done using the SmartCard API on Android, as you suggest, or over the air in a binary SMS. The first is the simplest (but perhaps not the most secure, depending on the context, because the APDUs then pass through an application on the phone).
