search

jekkos / android-hce-desfire

A HCE software implementation of the NXP Desfire NFC protocol in an Android app (to be used with Cyanogenmod HCE patch)
38 stars 13 forks source link

Support for some newer instructions #3

Open maxieds opened 4 years ago

maxieds commented 4 years ago

I have been digging through DESFire specs and documentation (that which is descriptive and I can find publicly online). It appears that there are a couple of newer Authenticate commands that are at least supported by the DESFire light tag versions (see NXP application note):

CMD_AUTHENTICATE_EV2_FIRST = 0x71,          /* See page 32 of AN12343.pdf */
CMD_AUTHENTICATE_EV2_NONFIRST = 0x77,  /* See page 32 of AN12343.pdf */

I am trying to use Android's NFC stack built-ins to perform some testing with DESFire tags. I'm not sure if your HCE implementation works this in yet, but there is also some support of ISO7816-4 commands. These are documented near the end of the data sheet I "discovered" in issue #1.

@jekkos One thing you could help me with is to understand where the communication modes for transfer of data get encoded? I cannot seem to find a solid reference for where this assumption is made. Historically, there should be three (plaintext, 2KTDEA, 3KTDEA) and more recently there are AES communication modes in key sizes of 128/192/256. One possibility is to just attach the current communication mode to whatever the most recent Authenticate instruction uses, but that is probably not up to standard, and is somewhat arbitrary. How did you handle this in your HCE emulation?

jekkos commented 4 years ago

I found most of my information from reading the libfreefare and libnfc code. They have a working implementation for most of the newer authentication commands. Then I also found a bit of an older javacard applet that implemented the older encryption schemes (TDES).

Also there was a blogpost with some communication examples but the info there is a bit spread out.

jekkos commented 4 years ago

But I must say that the authentication step was probably the most complicated one for sure.

maxieds commented 4 years ago

@jekkos I used much of the documentation you put together for this project in the form of command and response codes in my Chameleon Mini firmware project to add DESFire support. I gave this repository credit there. Thanks for all the hard work you put into this!

jekkos commented 4 years ago

Thanks for the credits, it's nice to hear that this research has been useful in the end.