emsec / ChameleonMini

The ChameleonMini is a versatile contactless smartcard emulator compliant to NFC. The ChameleonMini was developed by https://kasper-oswald.de. The device is available at https://shop.kasper.it. For further information see the Getting Started Page https://rawgit.com/emsec/ChameleonMini/master/Doc/Doxygen/html/_page__getting_started.html or the Wiki tab above.

[VICINITY] Wrong size and Android is not able to read it #233

Open ikarus23 opened 4 years ago

ikarus23 commented 4 years ago

Hi,

first of all: Thanks to all the wonderful people contributing to this project. If I'm not mistaken, the VICINITY support (ISO 15693) was added lately. This is great! (Does the list of supported technologies need an update?!).

Today I read the contents of a TypeV (VICINITY) tag. It has 248 blocks with 4 bytes each (992 bytes in total). When I tried to emulate it with the ChameleonMini, I noticed that the size does not fit my uploaded dump. MEMSIZE? is always 8192 bytes instead of 992 bytes. Also, when emulating, the UID was detected successfully, but my Android was not able to read the tag.

Any ideas?

ceres-c commented 4 years ago

Hi @ikarus23, me and @MrMoDDoM are the ones who wrote most of the ISO15693 applications, but we did not refactor that particular one. You might want to have a look at EM4233.c and TiTagItStandard.c, which have both been brought to a working state and could be considered the standard.

david-oswald commented 4 years ago

Yes, the list should be updated (@fptrs).

Do you have a datasheet for your tag? Sounds like one with specific sizes and possibly command set; ISO15693 only mandates a few standard commands, but the rest is up to the manufacturer.

ikarus23 commented 4 years ago

@ceres-c, @MrMoDDoM, great work on the ISO 15693 stuff. Next time we meet the beer is on me ;)

@david-oswald, I want to emulate a my-d (SRF 55V10P) tag. From the datasheet I thought it is pretty much straightforward. 248 blocks, each 4 bytes. At least that is what I was able to read out from the original tag using Android. Not sure if there should be 2 more blocks with some meta information?! Anyway, when I'm uploading the 992-byte dump the MEMSIZE? stays 8192 and I'm not able to read the emulated tag with Android. Sure, the datasheet mentions a "custom mode" but shouldn't it be possible to emulate this tag without any special functionality (just a memory card)?

ceres-c commented 4 years ago

Wild guess: it looks like in your tag the UID sits after user data (paragraph 2.2 of the datasheet you posted), while in Vicinity.c it is placed at the beginning of the dump file. You should relocate it to the appropriate offset (if it is actually present in the dump you have, or append it manually) and try again. Your phone might have rejected the card because ISO 15693 tags must begin with 0xE0, so it was discarded as noise.

See you at the Congress in December, I guess ;-)

ikarus23 commented 4 years ago

Thanks for the hint. Detecting the right UID worked, but reading the tag data didn't. My workflow was: config to Vicinity --> upload dump --> change UID. I guess that's why my UID was correct. But you might be right with my dump being "incomplete". The last blocks from my dump are not the UID. But still, I thought MEMSIZE will be adjusted to my dump after uploading.

ikarus23 commented 4 years ago

> See you at the Congress in December, I guess ;-)

Sure thing ;)

ceres-c commented 4 years ago

Ok, I thought you were not able to even see the card on Android. Instead, the tag was recognized because you changed the UID through the text interface, but at the same time the dump was corrupted, because the first 8 bytes of it were overwritten with the UID. If your dump does not have the trailing UID maybe it's just because the tag does not publicly expose it, which often happens. The response to ISO15693_CMD_GET_SYS_INFO might be 2 blocks less than the actual memory.

By the way, the reason you're not getting any data out of the emulated tag looks quite simple: The command ISO15693_CMD_READ_SINGLE is not considered at all in Vicinity.c, so no response should be the expected behaviour :-)
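Added example (not from the thread and not ChameleonMini code): a minimal C handler for the standard ISO 15693 Read Single Block request, the command the comment above says Vicinity.c ignores, sized for the 248 x 4-byte layout from this issue. The function names, the flat `mem` array with user data at offset 0, and the UID passed in transmission order are assumptions of this example; the option flag (block security status) is not handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CMD_READ_SINGLE   0x20  /* ISO 15693-3 "Read single block" */
#define REQ_FLAG_ADDRESS  0x20  /* request carries the 8-byte UID, LSB first */
#define RESP_FLAG_ERROR   0x01
#define ERR_BLOCK_UNAVAIL 0x10  /* "block not available" */
#define BLOCK_SIZE        4     /* from the thread: 248 blocks x 4 bytes */
#define BLOCK_COUNT       248

/* ISO/IEC 13239 CRC-16: poly 0x8408 (reflected), init 0xFFFF, result inverted */
uint16_t iso15693_crc(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1;
    }
    return (uint16_t)~crc;
}

static size_t finish(uint8_t *frame, size_t n) {  /* append CRC, low byte first */
    uint16_t crc = iso15693_crc(frame, n);
    frame[n] = crc & 0xFF;
    frame[n + 1] = crc >> 8;
    return n + 2;
}

/* Assumption: mem holds user blocks from offset 0. Returns the response
 * length, or 0 when the tag must stay silent. uid is in transmission order. */
size_t read_single(const uint8_t *req, size_t len, const uint8_t uid[8],
                   const uint8_t *mem, uint8_t *resp) {
    int addressed = len > 0 && (req[0] & REQ_FLAG_ADDRESS);
    if (len != (addressed ? 13u : 5u) || req[1] != CMD_READ_SINGLE)
        return 0;
    if (iso15693_crc(req, len - 2) != (req[len - 2] | req[len - 1] << 8))
        return 0;                                  /* bad CRC */
    if (addressed && memcmp(req + 2, uid, 8) != 0)
        return 0;                                  /* meant for another tag */
    uint8_t block = req[addressed ? 10 : 2];
    if (block >= BLOCK_COUNT) {                    /* past the 992-byte dump */
        resp[0] = RESP_FLAG_ERROR;
        resp[1] = ERR_BLOCK_UNAVAIL;
        return finish(resp, 2);
    }
    resp[0] = 0x00;                                /* flags: no error */
    memcpy(resp + 1, mem + (size_t)block * BLOCK_SIZE, BLOCK_SIZE);
    return finish(resp, 1 + BLOCK_SIZE);
}
```

A reader that gets no reply to this request sees exactly what the issue reports: the UID is found during inventory, but no block data can be read.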

ikarus23 commented 4 years ago

Thanks for the helpful tips. I'm fairly new to ISO15693 and did not know there are standard commands and custom commands. It is most likely that you are right, and I don't have the full dump (with internal information). However, with Vicinity only partly implemented, there is no need to wonder why it does not work. I guess this is also the reason the tag size is not automatically adjusted after uploading the dump.

I guess there is just some more work to do. :)

ceres-c commented 4 years ago

I haven't actually seen any application automatically adjusting according to dump size, but I stand to be corrected. The current approach is to create a custom application for every specific tag, so you should probably do so based on already available examples.