Android Mifare Desfire EV1 Key Extraction / Lower Layers - Android Q&A, Help & Troubleshooting

Hey Guys,
I have an app that can read information from a Mifare Desfire EV1 card (That I don't have the key for). Now I believe that the master key is loaded into memory at some point in order to decrypt the information on the card.
Could someone point me in the right direction?
I can attach IDA to the application; however, there are heaps of different calls and I can't really see a call where the key is being passed. Does anyone know of the Android Mifare decrypt call?
Perhaps the key is passed to the driver then its decrypted?
TL;DR
Can you extract Desfire EV1 Keys from a compiled app that I can successfully read a card? (Hopefully the key exchange isn't done in TZ!)
Cheers guys!

Hey Guys,
Little update.
I've attached strace to com.android.nfc
This app looks to be Android's NFC daemon; it's in its own group 'nfc'.
And it looks to be reading and writing (via read() and write() syscalls) all sorts of interesting data to /dev/pn544
pn544 also belongs to the NFC group:
crw------- 1 nfc nfc 10, 58 1970-10-24 02:53 /dev/pn544
I don't know though, this doesn't seem to be low enough. I guess I'd be seeing information going from the app to the lower NFC chip and vice versa.
This looks like it COULD be the right step, because the app would need to send the key to the NFC chip in order to decrypt it.
I'll keep you guys posted.

So I've read the tag with the app that can successfully read the tag, and with an app that has no knowledge of the card (incorrect key), so I could check the write()s side by side.
From what I can see the following are init traffic:
[pid 2967] write(34, "\0\0\5\220`\0\0\0", 8 <unfinished ...>
[pid 2967] write(34, "!\6\1\1", 4 <unfinished ...>
[pid 2967] write(34, "!\4\3\1\4\2", 6 <unfinished ...>
[pid 2967] write(34, "\0\0\r\0\244\4\0\7\322v\0\0\205\1\1\0", 16 <unfinished ...>
[pid 2967] write(34, "\0\0\f\0\244\4\0\7\322v\0\0\205\1\0", 15 <unfinished ...>
[pid 2967] write(34, "\0\0\7\0\244\0\0\2\341\3", 10 <unfinished ...>
[pid 2967] write(34, "!\6\1\1", 4 <unfinished ...>
As both transactions send this same data to the driver.
Everything starts to change around:
[pid 2967] write(34, "\0\0\t\220Z\0\0\0031ES\0", 12 <unfinished ...>
As you can see, the above data has the word "ES" in it. I also know this card is using AES; perhaps the ES is saying "hey, use AES encryption".
Also, from what I've read, I think all of the data above is NCI data (it's the NFC spec); I think HCI was used previously.
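The write() strings above can be decoded mechanically rather than read by eye. The following is an added example, not code from the post or from Android: a Go program that reverses strace's C-style escaping and splits each buffer into the NCI header the pn544 driver expects and its payload. The `!`-prefixed buffers are NCI control commands (RF_DISCOVER_SELECT_CMD choosing the ISO-DEP interface for discovery ID 1, RF_DEACTIVATE_CMD with payload 01 = sleep mode); the `\0\0<len>` buffers are NCI data packets carrying ISO 7816 APDUs. Decoded, the shared prefix is the NFC stack's NDEF Type 4 Tag probing, which runs against every ISO-DEP tag regardless of app: DESFire GetVersion, SELECT of the NDEF application AIDs D2760000850101 and D2760000850100, and SELECT of the capability container file E103. The final buffer is a DESFire SelectApplication (CLA 0x90, INS 0x5A) whose three data bytes, sent least-significant byte first, are the application ID 0x534531, which happens to spell "1ES" in ASCII; an AES authentication would instead appear as INS 0xAA. The command name tables in the code are partial and list only what is needed here.

```go
package main

import "fmt"

// StraceWrites are the write() payloads quoted above, exactly as strace printed them.
var StraceWrites = []string{
	"\\0\\0\\5\\220`\\0\\0\\0", "!\\6\\1\\1", "!\\4\\3\\1\\4\\2",
	"\\0\\0\\r\\0\\244\\4\\0\\7\\322v\\0\\0\\205\\1\\1\\0",
	"\\0\\0\\f\\0\\244\\4\\0\\7\\322v\\0\\0\\205\\1\\0",
	"\\0\\0\\7\\0\\244\\0\\0\\2\\341\\3", "!\\6\\1\\1",
	"\\0\\0\\t\\220Z\\0\\0\\0031ES\\0",
}

var cEscapes = map[byte]byte{'r': '\r', 'n': '\n', 't': '\t', 'f': '\f'}

// Unescape reverses strace's C-style escaping: \ooo octal (up to three digits), \r \n \t \f, \\ and \".
func Unescape(s string) []byte {
	var out []byte
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\\' && i+1 < len(s) {
			i++
			if c = s[i]; c >= '0' && c <= '7' {
				v := 0
				for n := 0; n < 3 && i < len(s) && s[i] >= '0' && s[i] <= '7'; n++ {
					v, i = v*8+int(s[i]-'0'), i+1
				}
				c, i = byte(v), i-1 // the outer loop steps past the last digit
			} else if b, ok := cEscapes[c]; ok {
				c = b
			}
		}
		out = append(out, c)
	}
	return out
}

// Packet is one decoded NCI packet: control packets carry Name, data packets a decoded ISO 7816 APDU.
type Packet struct {
	Kind, Name, Meaning string
	Payload, Data       []byte
	Cla, Ins, P1, P2    byte
	Aid                 uint32 // DESFire application ID (SelectApplication only)
}

// Partial name tables: NCI control messages (GID 1 = RF management) and DESFire commands wrapped in CLA 0x90.
var nciControl = map[[2]byte]string{{1, 0x04}: "RF_DISCOVER_SELECT_CMD", {1, 0x06}: "RF_DEACTIVATE_CMD"}
var desfireIns = map[byte]string{
	0x60: "GetVersion", 0x5A: "SelectApplication", 0x0A: "Authenticate(DES)", 0x1A: "AuthenticateISO",
	0xAA: "AuthenticateAES", 0x64: "GetKeyVersion", 0xBD: "ReadData", 0xAF: "AdditionalFrame",
}

// decodeApdu splits CLA INS P1 P2 [Lc data] [Le] and names the command.
func decodeApdu(p *Packet) {
	b := p.Payload
	if len(b) < 4 {
		return
	}
	p.Cla, p.Ins, p.P1, p.P2 = b[0], b[1], b[2], b[3]
	p.Meaning = "ISO 7816 command"
	if len(b) > 5 && 5+int(b[4]) <= len(b) { // Lc present
		p.Data = b[5 : 5+int(b[4])]
	}
	switch {
	case p.Cla == 0x90:
		p.Meaning = "DESFire " + desfireIns[p.Ins]
		if p.Ins == 0x5A && len(p.Data) == 3 { // AIDs are sent least-significant byte first
			p.Aid = uint32(p.Data[0]) | uint32(p.Data[1])<<8 | uint32(p.Data[2])<<16
		}
	case p.Cla == 0 && p.Ins == 0xA4 && p.P1 == 0x04:
		p.Meaning = "ISO SELECT by AID"
	case p.Cla == 0 && p.Ins == 0xA4:
		p.Meaning = "ISO SELECT by file ID"
	}
}

// DecodeNCI reads the 3-byte header: byte 0 = MT (3 bits), PBF, GID or conn ID; byte 1 = OID or credits; byte 2 = length.
func DecodeNCI(pkt []byte) (Packet, error) {
	if len(pkt) < 3 || len(pkt) < 3+int(pkt[2]) {
		return Packet{}, fmt.Errorf("truncated NCI packet %x", pkt)
	}
	kinds := [...]string{"data", "command", "response", "notification", "rfu", "rfu", "rfu", "rfu"}
	mt := pkt[0] >> 5
	p := Packet{Kind: kinds[mt], Payload: pkt[3 : 3+int(pkt[2])]}
	if mt == 0 {
		decodeApdu(&p)
		return p, nil
	}
	key := [2]byte{pkt[0] & 0x0F, pkt[1] & 0x3F} // GID, OID
	if p.Name = nciControl[key]; p.Name == "" {
		p.Name = fmt.Sprintf("GID 0x%02X OID 0x%02X", key[0], key[1])
	}
	return p, nil
}

func main() {
	for _, s := range StraceWrites {
		p, err := DecodeNCI(Unescape(s))
		fmt.Printf("%-8s %-24s %-28s %x %v\n", p.Kind, p.Name, p.Meaning, p.Payload, err)
	}
}
```

Run it with `go run` on the file; each line of output is one write() from the trace with its NCI kind, control message name or APDU meaning, and raw payload. Seeing the same first seven packets from both apps is expected, since they are produced by the NFC stack before any app code runs.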

Hey Guys,
Another quick update, turns out /dev/pn544 is TOO DAMN LOW!
The encryption/decryption is actually handled in the Android App itself.
However, low level NFC spoofing to android applications (Invoking read() on pn544 from com.android.nfc) may work.

Hey! Have you had any luck extracting or cracking the key of a mifare desfire ev1?
This is the most recent information I could find about this topic with some sort of investigation

est_cap said:
Hey! Have you had any luck extracting or cracking the key of a mifare desfire ev1?
This is the most recent information I could find about this topic with some sort of investigation
Hey,
The research I was conducting was on a public transport card; they used a free-read block, meaning anyone can read the block. However, to write you'd require a key.
If your app in question is writing to the card, open the app up in a debugger/disassembler, trace the write function and you'll see the key sitting there.
Hope this helps!

Question
Has anyone thought of authenticating and sending one key after another by brute force until the key is decrypted? You could run a test key authentication for writing; it does not seem too long given there are not so many possibilities, and the connection takes less than a second. It would be good to do it taking advantage of Android NFC; indeed there is already a Mifare DESFire reader application used to read EV1 on the Play Store.

Anden33 said:
Has anyone thought of authenticating and sending one key after another by brute force until the key is decrypted? You could run a test key authentication for writing; it does not seem too long given there are not so many possibilities, and the connection takes less than a second. It would be good to do it taking advantage of Android NFC; indeed there is already a Mifare DESFire reader application used to read EV1 on the Play Store.
Hi Anden33,
I was actually thinking of the same approach, bruteforcing the key, but does the key version also have to be correct? That might add to the complexity if so. I'm using the MIFARE DESFire EV1 tool on my Android and the key version is exposed for each key, so I'm guessing I should use the same key version while bruteforcing the key.

7d5 said:
Hi Anden33,
I was actually thinking of the same approach, bruteforcing the key, but does the key version also have to be correct? That might add to the complexity if so. I'm using the MIFARE DESFire EV1 tool on my Android and the key version is exposed for each key, so I'm guessing I should use the same key version while bruteforcing the key.
It was my understanding Mifare would have some protections against this sort of attack; if the Proxmark guys couldn't figure it out yet, I doubt this would work.
For reference: http://www.proxmark.org/forum/viewforum.php?id=31

(dylanger) said:
It was my understanding Mifare would have some protections against this sort of attack; if the Proxmark guys couldn't figure it out yet, I doubt this would work.
For reference: http://www.proxmark.org/forum/viewforum.php?id=31
I did the cryptanalysis, and it's impossible (at least during my lifetime). I'm looking at other ways now, will let you know.
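Whether the key version matters to a brute force, and what one attempt costs, is settled by the authentication protocol itself. The following is an added example, not from any post above and not NXP's or any library's code: a self-contained Go simulation of the DESFire EV1 AES authentication (AuthenticateAES, INS 0xAA) with the card and the reader as separate types, so both halves of the three-pass exchange are visible. The key version is stored on the card and reported by GetKeyVersion (INS 0x64), but it is not an input to the exchange: the card only checks that the reader returned RndB' (RndB rotated left by one byte) under the right key, so every candidate key costs one full handshake over the air and a 128-bit AES key has 2^128 candidates. The IV handling (zero IV for ek(RndB), then CBC chaining on the previous ciphertext block) and the session key derivation follow the EV1 AES scheme; the key bytes and candidate list are made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const bs = 16 // AES block size; RndA and RndB are one block each

// cbc runs AES-CBC over whole blocks with an explicit IV.
func cbc(key, iv, in []byte, encrypt bool) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

// rotl1 rotates a block left by one byte (RndB -> RndB', RndA -> RndA').
func rotl1(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) }

// random draws n bytes from crypto/rand, which is documented never to fail in current Go.
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// Card is the PICC: its key, the version GetKeyVersion would report, and the
// state it keeps during one authentication. Reader is the PCD trying a candidate key.
type Card struct {
	Key          []byte
	KeyVersion   byte
	rndB, ekRndB []byte
}
type Reader struct{ Key, rndA, rndB, token []byte }

// Step1: in reply to AuthenticateAES (0xAA, keyNo) the card sends ek(RndB), CBC with a zero IV.
func (c *Card) Step1() []byte {
	c.rndB = random(bs)
	c.ekRndB = cbc(c.Key, make([]byte, bs), c.rndB, true)
	return c.ekRndB
}

// Step2: the reader recovers RndB, draws RndA and sends ek(RndA || RndB'), chained on ek(RndB).
func (r *Reader) Step2(ekRndB []byte) []byte {
	r.rndB = cbc(r.Key, make([]byte, bs), ekRndB, false)
	r.rndA = random(bs)
	r.token = cbc(r.Key, ekRndB, append(append([]byte{}, r.rndA...), rotl1(r.rndB)...), true)
	return r.token
}

// Step3: the card checks RndB'. Any key but its own fails here and the key version
// is never consulted; on success it returns ek(RndA'), chained on the last token block.
func (c *Card) Step3(token []byte) ([]byte, error) {
	pt := cbc(c.Key, c.ekRndB, token, false)
	if !bytes.Equal(pt[bs:], rotl1(c.rndB)) {
		return nil, errors.New("authentication error: RndB' mismatch (wrong key)")
	}
	return cbc(c.Key, token[bs:], rotl1(pt[:bs]), true), nil
}

// Authenticate runs one full three-pass exchange. The reader's final check is that
// the card knew RndA; the session key is RndA[0:4] RndB[0:4] RndA[12:16] RndB[12:16].
func Authenticate(c *Card, r *Reader) ([]byte, error) {
	ekRndAp, err := c.Step3(r.Step2(c.Step1()))
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(cbc(r.Key, r.token[bs:], ekRndAp, false), rotl1(r.rndA)) {
		return nil, errors.New("card failed to prove the key")
	}
	k := append(append([]byte{}, r.rndA[:4]...), r.rndB[:4]...)
	return append(append(k, r.rndA[12:]...), r.rndB[12:]...), nil
}

// TryKeys is the brute force discussed above: one full handshake per candidate.
// It returns the index of the first key the card accepts.
func TryKeys(c *Card, candidates [][]byte) (int, error) {
	for i, k := range candidates {
		if _, err := Authenticate(c, &Reader{Key: k}); err == nil {
			return i, nil
		}
	}
	return -1, fmt.Errorf("none of %d candidate keys accepted", len(candidates))
}

func main() {
	key := bytes.Repeat([]byte{0x11}, bs) // made-up card key
	fmt.Println(TryKeys(&Card{Key: key, KeyVersion: 1}, [][]byte{bytes.Repeat([]byte{0x22}, bs), key}))
}
```

Nothing in Step3 reads KeyVersion, which is the point: guessing the right version saves nothing, and a mismatch is only detected after the full exchange for that candidate.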

7d5 said:
I did the cryptanalysis, and it's impossible (at least during my lifetime). I'm looking at other ways now, will let you know.
Hello, I was trying to find a way to emulate my school issued ISIC card. Have you had any success in this?
Thanks

Related

looking for a simple bill splitter

I'm looking for a simple bill splitter where I just enter the sum and how many people are paying and the program tells me how much everyone has to give. Is there something like this?
Yup you can use the calculator and do the following steps...
1. Type in sum
2. Hit the divide key
3. Type in # of people
4. Hit "="
That should do it...
ai6908 said:
Yup you can use the calculator and do the following steps...
1. Type in sum
2. Hit the divide key
3. Type in # of people
4. Hit "="
That should do it...
+1
or this : http://forum.xda-developers.com/showthread.php?t=441967
apparently it's also a paid application to make a division !!!!
I don't know who is the most "dumb" : those who sell the soft or those who buy it !
I can't use a calculator.
If I, for example, would like to divide 20,06 € by 6 people, the calculator would tell me 3.34333333333, which is totally useless in accounting. The right answer would be 4 times 3,34 € and 2 times 3,35 €.
My calculator doesn't do that. If yours does, please tell me which it is.
I personally would advise stingy people not to go to a restaurant and save all this headache .....
I don't give a crap about restaurants; I want this tool to help me in accounting.
This might help with your calculator problem
http://en.wikipedia.org/wiki/Rounding_numbers
;-)
Corwin9S said:
+1
or this : http://forum.xda-developers.com/showthread.php?t=441967
apparently it's also paid application to make division !!!!
I don't know who is the most "dumb" : those who sell the soft or those who buy it !
As you say yourself, it's just a crippled calculator that does division and not a bill splitter that would tell me how many people would have to pay 1 cent more and how many 1 cent less than the others.
If you don't want to use a calculator because it's too hard to round to the nearest penny, just create a simple Excel spreadsheet & put a shortcut to it in the Start Menu.
I wouldn't know how to tell Excel that. This wouldn't be simple; it would need a complex formula.
nurps said:
I wouldn't know how to tell Excel that. This wouldn't be simple; it would need a complex formula.
Someone had to code it in the software. So if you can figure out what to code, you might be able to use Excel, which is pretty common in WM.
Sorry I am not an accounting guy to help you out more...
nurps said:
I wouldn't know how to tell Excel that. This wouldn't be simple; it would need a complex formula.
It's not a complex formula; You can do it in 2 + (3 * p) cells (where p = number of people participating in the split)
Anyway, here you go
Headers
A1 = Total Value
B1 = Total People Split
First Row
A3 = Formula "=Int($A$1 / $B$1)"
B3 = Formula "=IF($A$1-SUM($A$3:$A$x) > 0, 1, 0)" (replace x with last row number)
C3 = Formula "=A3 + B3"
Second, Third, Fourth, Fifth, etc. Rows
Az = Formula "=Int($A$1 / $B$1)"
Bz = Formula "=IF($A$1-SUM($A$3:$A$x) - SUM($B$3:By) > 0, 1, 0)" (replace x with last row number, y with the row above the current one)
Cz = Formula "=Az + Bz"
This will give you column C telling you what each person requires. This is working off the assumption that values are entered in the lowest denomination (pence, cents, etc.), so just multiply your euro amount by 100 so 20,30 € becomes 2030.
This is the funniest thread I've seen so far. LOL LOL LOL...

[Q] NFC Tag Launcher "Open in Browser" prompt

Whenever I scan an NFC tag I created with NFC Tag Launcher it brings up a prompt that says "Open in browser" with options for OK and Cancel. However, it does not do that for tags I create in Lightflow for turning sleep on or off. Is there any way to disable this prompt?
Can't offer any help but I'm having the same problem with NFC Task Launcher.
I too get this. Not sure why. I'm on a rooted Verizon S3.
Download an app for NFC from the market first, then overwrite the default command that was stored on it. Most likely the command was to redirect you to the site of the brand or seller of the tag.
nunyabiziz said:
Download an app for NFC from the market first, then overwrite the default command that was stored on it. Most likely the command was to redirect you to the site of the brand or seller of the tag.
These are blank tags that I wrote to myself. I click OK every time and it never opens anything in the browser.
Have you verified that it was blank or have you erased the tag yet? I had the same issue with blanks that were not completely blanks.
nunyabiziz said:
Have you verified that it was blank or have you erased the tag yet? I had the same issue with blanks that were not completely blanks.
How can I tell if it's blank? According to NFC TagWriter by NXP it's blank, and according to NFC TagInfo the first two pages are read-only, factory locked.
What do you have using NFC taginfo under "NDEF"?
nunyabiziz said:
What do you have using NFC taginfo under "NDEF"?
The blank tags have no message. One that I've written with NFC Tag Launcher has a message of the following:
Code:
WELL-KNOWN: urn:nfc:wkt:U(URI)
Identifier: 0x03("http://")
"tags.to/ntl"
MIME: ntl
enU:2:M:0,Q:-1;O:7;E:h:1__3:M:2;S:2;E:h:0
One written by lightflow has the following:
Code:
MIME: application/vnd.lightflow
SleepToggle
I would imagine the first part is what's causing it, but I don't know what there is to do about it.
EDIT: looks like that URL goes to the play store page for NFC Tag Launcher. Not sure why it's not actually opening in the browser though.
I personally use "NFC task launcher" and "erase tag" option.
Sounds like you got it figured out.
nunyabiziz said:
I personally use "NFC task launcher" and "erase tag" option.
The issue is that I'm pretty sure it's NFC Tag Launcher that's writing the URL to it when it writes the task to the tag. I don't know what I'd do to write the tasks out to the tag otherwise.
I use NFC Task Launcher's erase function as well. As soon as the tag is written to again, this issue occurs.
jh120 said:
I use NFC Task Launcher's erase function as well. As soon as the tag is written to again, this issue occurs.
And did you write a task to the tag after? The NFC tag will always be detected, even blanks. It will just try to launch an unknown command.
nunyabiziz said:
And did you write a task to the tag after? The NFC tag will always be detected, even blanks. It will just try to launch an unknown command.
The issue is that the act of writing the task with NFC Task Launcher writes the URI to the tag. So erasing then rewriting the task accomplishes nothing.
I don't know if all tags are the same size, so maybe my tags are different. I'm using Web Evolved tags and by default, until erased and written to, the tags will launch my browser and redirect to their site.
nunyabiziz said:
I don't know if all tags are the same size, so maybe my tags are different. I'm using Web Evolved tags and by default, until erased and written to, the tags will launch my browser and redirect to their site.
Yeah, this isn't caused by anything with the tags themselves, it's just that NFC Tag Launcher adds the URI to the tag when you write out a task no matter what.
I can confirm that this happens regardless of tag type. I erased an old NFC-capable train ticket and wrote a wi-fi toggle to it. It works, but the browser dialog box still pops up.
Yeah, it's NFCTL writing that URL to the tag.
That URL is used as the intent filter and serves a few purposes. 1.) It saves space over a longer custom MIME type or application specific record (which stores the package name). 2.) It directs anyone who doesn't have the app to the Play Store to get it so that the tag actually does something; an application specific record does the same thing but has to store the *entire* package name (28 bytes in this case).
The way this has worked on *every* other device (and the way it should work in Android) is that the entire NDEF message hits the intent filter for that URL and the message is then delivered to the app. The app then grabs all records from the message (there are two) and parses the second record and executes those actions.
Given what the OP has sent me for some reason the Verizon S3 isn't doing this. (The international and ATT version work as expected).
Given that it's showing the chooser it's missing the specific intent filter and showing a dialog for what to do with this URL:
Code:
D/NfcService( 909): TAG: Tech [android.nfc.tech.MifareUltralight,
android.nfc.tech.NfcA, android.nfc.tech.Ndef]
D/NfcService( 909): Attempting to dispatch tag with override
D/NfcService( 909): No activities for NDEF handling of Intent {
act=android.nfc.action.NDEF_DISCOVERED dat=http://tags.to/ntl (has
extras) }
However it's still delivering the payload to NFCTL as the actions get executed (which it shouldn't do if you're getting the browser chooser dialog). It shouldn't work this way, literally. If you get the chooser it should deliver the entire payload to the chosen app (it's not).
So, what can we do here? I can add an option to use an application specific record in place of the URL. This should ensure it doesn't happen but at the cost of space - you'll lose 15+ bytes of space on the tag as a result though as it will write a separate NDEF record to the tag containing the full package name.
Is there anyone with a Verizon device this *isn't* happening for?
I could in theory get this into a release tomorrow as I'd want to have this squashed pre release.
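To see why the first record decides what the phone does with the tag, and how much space the URL record saves over an application record, here is an added Go example (not NFC Task Launcher's code, nor Android's) that encodes and decodes NDEF short records. It rebuilds the two-record message TagInfo showed above (a well-known URI record with identifier code 0x03 for "http://" followed by a MIME record of type ntl carrying the task string), then compares the URI record's size with that of an Android Application Record (external type android.com:pkg) for an assumed package name, com.example.nfctasklauncher. DispatchKey mirrors Android's rule that NDEF_DISCOVERED matching looks only at the first record of the message; the remaining records are delivered with the intent but never matched, which is why swapping the record order changes what the intent filter sees.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NDEF type name formats (NFC Forum NDEF 1.0) used here.
const tnfWellKnown, tnfMIME, tnfExternal = 0x01, 0x02, 0x04

// Record is one NDEF record with its raw type and payload.
type Record struct {
	TNF           byte
	Type, Payload []byte
}

// URI identifier codes (first payload byte of a "U" record); partial table.
var uriPrefixes = map[byte]string{0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}

// URIRecord builds a well-known URI record, abbreviating the longest known prefix.
func URIRecord(uri string) Record {
	best, code := "", byte(0)
	for c, p := range uriPrefixes {
		if strings.HasPrefix(uri, p) && len(p) > len(best) {
			best, code = p, c
		}
	}
	return Record{tnfWellKnown, []byte("U"), append([]byte{code}, uri[len(best):]...)}
}

// MIMERecord carries an app-private payload under a MIME type.
func MIMERecord(mime string, payload []byte) Record { return Record{tnfMIME, []byte(mime), payload} }

// AndroidApplicationRecord is the external-type record Android routes to one package (or its Play Store page).
func AndroidApplicationRecord(pkg string) Record {
	return Record{tnfExternal, []byte("android.com:pkg"), []byte(pkg)}
}

// Size is the on-tag cost of a short record: 3 header bytes + type + payload.
func (r Record) Size() int { return 3 + len(r.Type) + len(r.Payload) }

// URI returns the absolute URI of a "U" record.
func (r Record) URI() (string, bool) {
	if r.TNF != tnfWellKnown || string(r.Type) != "U" || len(r.Payload) == 0 {
		return "", false
	}
	return uriPrefixes[r.Payload[0]] + string(r.Payload[1:]), true
}

// Encode serialises the message as short records: MB on the first, ME on the last.
func Encode(recs []Record) ([]byte, error) {
	var out []byte
	for i, r := range recs {
		if len(r.Type) > 255 || len(r.Payload) > 255 {
			return nil, errors.New("field too long for a short record")
		}
		hdr := byte(0x10) | r.TNF // SR=1, no ID field; MB and ME set below
		if i == 0 { hdr |= 0x80 }
		if i == len(recs)-1 { hdr |= 0x40 }
		out = append(append(append(out, hdr, byte(len(r.Type)), byte(len(r.Payload))), r.Type...), r.Payload...)
	}
	return out, nil
}

// Decode parses a short-record message, skipping ID fields if present.
func Decode(b []byte) ([]Record, error) {
	var recs []Record
	for len(b) > 0 {
		if len(b) < 3 || b[0]&0x10 == 0 {
			return nil, errors.New("truncated or long-record message")
		}
		hdr, tl, pl, pos, il := b[0], int(b[1]), int(b[2]), 3, 0
		if hdr&0x08 != 0 && len(b) > 3 {
			il, pos = int(b[3]), 4
		}
		if len(b) < pos+tl+il+pl {
			return nil, errors.New("truncated record")
		}
		recs = append(recs, Record{hdr & 0x07, b[pos : pos+tl], b[pos+tl+il : pos+tl+il+pl]})
		if b = b[pos+tl+il+pl:]; hdr&0x40 != 0 {
			break
		}
	}
	return recs, nil
}

// DispatchKey is what Android's NDEF_DISCOVERED dispatch matches on: only the
// first record (a URI becomes the intent data, a MIME type the intent type).
func DispatchKey(recs []Record) string {
	if len(recs) == 0 {
		return ""
	}
	if u, ok := recs[0].URI(); ok {
		return u
	}
	return string(recs[0].Type)
}

func main() {
	task := []byte("enU:2:M:0,Q:-1;O:7;E:h:1__3:M:2;S:2;E:h:0") // MIME payload shown by TagInfo above
	msg := []Record{URIRecord("http://tags.to/ntl"), MIMERecord("ntl", task)}
	enc, _ := Encode(msg)
	dec, _ := Decode(enc)
	aar := AndroidApplicationRecord("com.example.nfctasklauncher") // package name assumed
	fmt.Printf("%d-byte message, dispatch key %q; URI record %d bytes vs AAR %d bytes\n",
		len(enc), DispatchKey(dec), msg[0].Size(), aar.Size())
}
```

With the URI record first, the dispatch key is http://tags.to/ntl and an intent filter on that URL catches the whole message; with the MIME record first the key becomes the type ntl, and a 27-character package name in an AAR costs 45 bytes against 16 for the abbreviated URL.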
I've been playing around quite a bit with this and I have "sort of" gotten around it by using the Tasker URL Launcher.
With TUL installed along with Tasker, I can use another NFC writer utility to create the URL tasker://taskname
Now if I touch the new tag without NFCTL installed I will be prompted with the "New Collected Tag" screen. Unfortunately it's still not an autorun, but I can tap the "new tag" and the sequence fires correctly.
Obviously as previously stated the problem is the interception by the phone of the URL string used by NFCTL. Personally I have rooted and ripped out most all the Verizon bloat so I'm unsure what is left to cause this interception.
Let me know and I'll test whatever.
konman2k4 said:
I've been playing around quite a bit with this and I have "sort of" gotten around it by using the Tasker URL Launcher.
With TUL installed along with Tasker, I can use another NFC writer utility to create the URL tasker://taskname
Now if I touch the new tag without NFCTL installed I will be prompted with the "New Collected Tag" screen. Unfortunately it's still not an autorun, but I can tap the "new tag" and the sequence fires correctly.
Obviously as previously stated the problem is the interception by the phone of the URL string used by NFCTL. Personally I have rooted and ripped out most all the Verizon bloat so I'm unsure what is left to cause this interception.
Let me know and I'll test whatever.
I may add a quick option tomorrow morning and throw a test APK up here. If the Verizon release is anything like the International and US pre-orders I suspect we'll see a lot of downloads and this is a *really* annoying thing to happen. So far Samsung takes the crown from HTC's head as the OEM making the weirdest changes.

NFC Tag Writing

Is there an app out there that we can write/config NFC tags with to launch apps, wifi, Bluetooth etc?
I wouldn't mind getting some and putting them around the house & car!
zok-star said:
Is there an app out there that we can write/config NFC tags with to launch apps, wifi, Bluetooth etc?
I wouldn't mind getting some and putting them around the house & car!
I've used NFC Interactor to write tags, I think it's a dollar or two. Just so you know, apparently there is a Windows Phone limitation where it can't format tags. In my case I had to use a friend's Android tablet for that. I don't think there is a way to toggle wifi/bluetooth at the moment and it might not be possible with the SDK. But you can definitely start apps or phone settings if you find the GUID for it.
Goatmaster said:
I've used NFC Interactor to write tags, I think it's a dollar or two. Just so you know, apparently there is a Windows Phone limitation where it can't format tags. In my case I had to use a friend's Android tablet for that. I don't think there is a way to toggle wifi/bluetooth at the moment and it might not be possible with the SDK. But you can definitely start apps or phone settings if you find the GUID for it.
that's a bit of a shame!
Found some useful links!
URI scheme listing
Reserved file and URI associations for Windows Phone 8
NFC tags, is there a good reliable place to get blank tags (no graphics on them) in Canada? I've been looking around on the net for the plastic ones but all I can find are paper ones or ones with company or product logos. Any recommendations are welcome.
NFC Publisher
Hi all
I've downloaded NFC Publisher but haven't tested it yet.
God bless
andrew-in-woking

[Q] Do I HAVE to root?

I am very happy with the features I have on my Kindle, as is, as I have a Note 3 as well for most of the other things I wish to do. I have however recently discovered something fun that would open up a lot of avenues, but seems to MAYBE require me to root, to accomplish. The thing is, I really don't want to if I don't have to.
What I found was that the Sony DualShock PlayStation 4 controllers are able to pair, as is. They function well and it is very exciting. The main game I wish to play via this method, GTA San Andreas, works fine with this controller, and I am told, when configured correctly, is near perfect. However, it seems the configuration of the controller is incorrect, meaning the button layout does not correspond to the correct keymap. I have found someone who corrected this problem, and was supplied with the keymap, only it needs to be placed in: system/usr/keylayout/
which is of course readonly..
It seems an awful lot of work, risk, and hassle to root to place ONE file in the proper location..
Is there any way to get around this without needing to root my device?
I thank you for any help.
ThE JafF
Well, it seems no one wants to say one way or the other.
Well, maybe we can rule one of the two options out and make this multiple choice question a little easier. My device is the 8.9" and it just took the 4.5.1 update before I realized it was too late to stop it. Now that it has, are there any options out there for rooting it now?
If not then I'm left with finding some other sneaky way. How about creating a legit app with the SDK that simply lets you make a keymap file? I know next to nothing about doing so, but all I am looking to do is place a text file of a particular name in a particular place. Lol, I know, it sounds so easy, but it might not be.
Anyway I'd appreciate suggestions. I don't mind doing a little work, I just need someone with knowledge to point me in the correct direction.
Thanks
In fact, to make helping me as easy as humanly possible, here are the results of all the work I currently was able to do for myself. I am no slouch, but I literally could get no further without assistance. I am hoping that this will mean something to someone who is willing and able to assist those eager to learn and willing to do as much as they are currently capable of. I don't mind guidelines or vague outlines of what I will need, such as: learn what you need to get the SDK up and running, read this article xxx, you need to understand how to handle xxx style of text and are going to want to read about Lollipop, or KitKat, etc.
What won't work are suggestions like: learn how to program!, or, learn Android, or buy a commercial controller.
Anyway, what I have found: it goes here:
system/usr/keylayout
It is called: Vendor_054c_Product_05c4.txt
Once in place you are supposed to change the extension to .kl
The contents of the kl file will follow this post as I am unable to post links yet. This was a bit of a surprise; I've been reading this site for like 2 and a half years or more, just never posted. Oh well.
This info was from a user on this site called 'lilcza1' so thanks to Lilcza1 for this
So I don't think I can be accused of being lazy here, just perhaps a little behind in getting to the point of considering myself a developer, which I do hope to be able to do one day.
So a big thanks in advance for any help or guidance you might provide!
kl file
# Copyright (C) 2010 The Android Open Source Project
# Copyright (C) 2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at the apache org site
# license 2-0
#
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# DualShock 4 Controller
#
# Buttons
key 164 MEDIA_PLAY_PAUSE
key 168 MEDIA_REWIND
key 172 HOME
key 208 MEDIA_FAST_FORWARD
key 304 BUTTON_X
key 305 BUTTON_A
key 306 BUTTON_B
key 307 BUTTON_Y
key 308 BUTTON_L1
key 309 BUTTON_R1
key 310 BUTTON_L2
key 311 BUTTON_R2
key 312 BUTTON_SELECT
key 313 BUTTON_START
key 314 BUTTON_THUMBL
key 315 BUTTON_THUMBR
key 317 MENU
# Joystick and game controller axes.
axis 0x00 X flat 0
axis 0x01 Y flat 0
axis 0x02 Z flat 0
axis 0x05 RZ flat 0
axis 0x09 GAS
axis 0x0a BRAKE
axis 0x10 HAT_X
axis 0x11 HAT_Y
An answerable question?
Ok, since so many have viewed this without comment, I realize now that I'm in the raft alone and help is just not coming. But maybe, just maybe, a single part of this can be answered for me. I have decided this is important enough for me to jump in and start swimming for it. I just don't want it to be for nothing; I need to know there is land to swim toward. Would it be feasible to do something like I suggested above? Develop an apk that will simply load/edit/save keymap files in the location mentioned above? It doesn't seem like a properly created / signed application would have the same restrictions a basic user would have; I just don't know enough about how Android works to know if programs are able to manipulate or create their own files in the area I am suggesting, or if that kind of action would be seen as virus activity or some other kind of security risk. I just don't want to waste my time.
Thanks in advance

[MOD][Xposed] Patch SmartcardService for use with SIM-card-based banking apps

Hi!
I've written another Xposed module for my LEX720 for a very specific purpose, so probably it won't be of much use for the most. But I'm still publishing it for reference reasons.
Background:
First the good news: the stock firmware of LeEco includes the "SmartcardService" (which is also often referred to as "Open Mobile API" or OMAPI for short), an extension API to plain Android (i.e. not existing in the Nexus devices or the Pixels) that allows apps to access Secure Elements (i.e. secure applications embedded in tamper-resistant hardware) within the SIM card.
A real world example: in Austria some banks (in cooperation with the 3 largest network operators) support Tap'n'Pay with your phone by installing the NFC-capable banking card as an additional application into the SIM card (which is the same secure chipcard technology as a banking card). This means you get a new SIM card and then you can tap'n'pay with your phone (without Google, without VISA or MasterCard, just as with the Austrian NFC banking cards). AFAIK in some other countries the same concept is used for public transport and others.
The main difference to Android Pay is that this system is backed by the chipcard (the SIM) and not by a cloud service. But this is just background information.
The problem:
The LEX720 is a dual-SIM phone, and so the (banking) apps could read SIM cards from either the SIM1 or the SIM2 slot (I tested, SmartcardService works with both). But if you also want to use NFC for payment it has to be inserted into SIM1 (as it seems that only the SIM1 slot is connected over an SWP line to the NFC chipset). Unfortunately the Austrian banking apps don't seem to handle the dual-SIM situation correctly and only try to read SIM2 (which is empty for me) and therefore don't work.
Additionally, at the end of a transaction, when the application running within the SIM card signals to the Android system that it has just finished a payment transaction, the NFC service (/system/vendor/app/NQNfcNci/NQNfcNci.apk) broadcasts this message as an intent to the relevant (banking) app, so that the app can display a transaction result activity.
Unfortunately this mechanism is often implemented very differently by different OEMs, and so also by LeEco. There exists a standard (GSMA NFC Handset APIs Requirement Specification) but it seems there are a lot of different implementations in the wild.
(Note: this is probably the case because this type of functionality is not part of the official reference Android source code. Plain open source Android like it is running on all Nexus phones and the Pixels just doesn't support these type of applications - which is very unfortunate).
My workaround:
TL;DR I just made an Xposed module which fixes these 2 issues for me. Look into the README on Github for more details.
Source on Github: https://github.com/johnzweng/XposedOmapiBankcardFix
Download Xposed Module: Xposed-module-OMAPI-BankcardMobil-Fix-1.1.apk
Maybe it's also useful for other applications which use the SIM card as secure storage for keys of any type. Use at your own risk.
As a reference: these are the Austrian banking apps this module should work with:
Bank Austria Mobile Geldbörse
BankCard Mobil
Oberbank Bankomatkarte Mobil
Raiffeisen ELBA-pay
VKB-Pay - Bankomatkarte mobil
The module might also help to get other similar apps working which have problems with dual SIM or don't show transaction confirmation screens. I am talking here about apps which use a special SIM card for payment, ticketing or similar use cases via NFC. This has nothing to do with "normal" NFC apps or cloud-based HCE (host card emulation) NFC apps. This module is only for apps which use special SIM cards.
[edit]
Updated download link to version 1.1.
For details see the CHANGELOG in the Github repository.
[/edit]
Btw, during debugging I noticed another small bug in the LeEco NFC service:
The package com.android.nfc (/system/vendor/app/NQNfcNci/NQNfcNci.apk) declares a permission which allows apps to receive Intents about EVT_TRANSACTION events. On the LeEco LePro 3 (LEX720, running 5.8.018S, WAXCNFN5801811012S) this permission looks like this
Code:
declared permissions:
com.gsma.service.nfc.permission.TRANSACTION_EVENT: prot=dangerous, INSTALLED
You can check this easily yourself with this adb command:
Code:
adb shell pm dump com.android.nfc > dump-nfc-service.txt
This will dump all infos into a file named dump-nfc-service.txt. Open the file with an editor and search for "declared permissions:".
The problem with this permission is, that its name is missing a letter!
Correctly it should be called: com.gsma.services.nfc.action.TRANSACTION_EVENT (note the missing "s").
This is specified in the GSMA NFC Handset APIs Requirement Specification (see at the top of page 13 in the PDF)
Funny enough, the specification in the PDF also contains a typo in the very same permission name / Intent action name (the dot "." after the word "gsma" is a comma "," in the PDF). It must be really hard to type this correctly.
Nevertheless this typo leads to errors like:
Code:
W/PackageManager( 2357): Unknown permission com.gsma.services.nfc.permission.TRANSACTION_EVENT in package ......
and prevents applications from requesting the correct permission.
Does anybody know the best way to report bugs to LeEco?
[edit1]
I contacted them on Twitter. I hope they will forward this issue to developers.
Btw, it seems that also LG had included the same typo in some of its devices:
Devices without the "s": https://census.tsyrklevich.net/permissions/com.gsma.service.nfc.permission.TRANSACTION_EVENT
vs.:
Devices with the "s": https://census.tsyrklevich.net/permissions/com.gsma.services.nfc.permission.TRANSACTION_EVENT
[/edit1]
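The `pm dump` check above can be automated so that a near-miss like the missing "s" is found rather than eyeballed. This is an added Go example, not part of the Xposed module or of Android: it takes a constructed excerpt in the shape of `adb shell pm dump com.android.nfc` output, pulls the names listed under "declared permissions:", and flags any declared name that is within two edits of a permission the banking apps are expected to request but that nothing declares exactly. Only the mistyped permission line is taken from the post; the package hash, userId and the second permission in the excerpt are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleDump is constructed to look like `adb shell pm dump com.android.nfc`
// output; only the GSMA permission line is taken from the post above.
const sampleDump = `Package [com.android.nfc] (3e0f1a2):
    userId=1027
    declared permissions:
      com.gsma.service.nfc.permission.TRANSACTION_EVENT: prot=dangerous, INSTALLED
      android.permission.NFC_HANDOVER_STATUS: prot=signature|privileged, INSTALLED
    requested permissions:
      android.permission.NFC
`

// ExpectedPermissions are the names apps built against the GSMA spec request.
var ExpectedPermissions = []string{"com.gsma.services.nfc.permission.TRANSACTION_EVENT"}

// DeclaredPermissions returns the names listed under "declared permissions:".
func DeclaredPermissions(dump string) []string {
	var names []string
	in := false
	for _, raw := range strings.Split(dump, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "declared permissions:":
			in = true
		case in && strings.HasSuffix(line, ":"): // next section header ends the block
			in = false
		case in && line != "":
			names = append(names, strings.SplitN(line, ":", 2)[0]) // name before ": prot=..."
		}
	}
	return names
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// editDistance is Levenshtein distance; a distance of one is a single dropped,
// added or swapped character, which is exactly the typo being hunted.
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = minInt(minInt(prev[j]+1, cur[j-1]+1), prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

// Finding pairs a declared permission with the expected name it nearly matches.
type Finding struct {
	Declared, Expected string
	Distance           int
}

// NearMisses flags declared names within maxDist edits of an expected name that
// is itself not declared at all; exact matches are correct and skipped.
func NearMisses(declared, expected []string, maxDist int) []Finding {
	have := map[string]bool{}
	for _, d := range declared {
		have[d] = true
	}
	var out []Finding
	for _, e := range expected {
		if have[e] {
			continue
		}
		for _, d := range declared {
			if dist := editDistance(d, e); dist <= maxDist {
				out = append(out, Finding{d, e, dist})
			}
		}
	}
	return out
}

func main() {
	for _, f := range NearMisses(DeclaredPermissions(sampleDump), ExpectedPermissions, 2) {
		fmt.Printf("declared %q is %d edit(s) away from expected %q\n", f.Declared, f.Distance, f.Expected)
	}
}
```

Feed it the real dump file instead of the constant and the same loop will report the typo'd name on affected LeEco or LG builds and stay silent on devices that declare the spec's name.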
Hi androcheck,
First, I am really impressed that somebody found a solution for that problem (I already have several posts with no answer at all).
But now I have a problem: when I install the fix I get stuck in a boot loop. Is this maybe because I am on a custom ROM (Turbo MIUI)?
Hope you have an idea
thanks
Robert
viercp said:
Hi androcheck,
First, I am really impressed that somebody found a solution for that problem (I already have several posts with no answer at all).
But now I have a problem: when I install the fix I get stuck in a boot loop. Is this maybe because I am on a custom ROM (Turbo MIUI)?
Hope you have an idea
thanks
Robert
So far it seems a "one time bug" - all ok with the patch, but I still get the very same error message.
Any possibility to tell me where I can check if the entries provided by the fix are really done?
viercp said:
So far it seems a "one time bug" - all ok with the patch, but I still get the very same error message.
Any possibility to tell me where I can check if the entries provided by the fix are really done?
Hi!
Sorry for the delayed answer.
First of all, the ROM you are using must have the SmartcardService (= implementation of the OpenMobile API), the corresponding library (org.simalliance.openmobileapi.jar) and permission manifest (org.simalliance.openmobileapi.xml) installed. I downloaded miau_destroyer_v12.zip from this thread here, extracted it, and it seems that it contains all three of them.
My Xposed module "XposedOmapiBankcardFix" doesn't do very much besides forcing the apps that use the OpenMobile API to always use "SIM1" as SmartcardReader. This was necessary because at the time of writing the Bankcard apps in Austria from PSA (Payment Services Austria) didn't correctly check for multiple SIM slots. So in fact this was a bug in the PSA apps, not in the phone.
Back then I reported this back to the developers (of the banking app) and today it seems to be fixed (I didn't check in detail, but the Bank Austria app now is working for me on Android 7 without Xposed installed, with the SIM inserted in slot 1).
Another point I realized: by looking into the build.prop of the miau_destroyer_v12 ROM it seemed to me that this ROM is configured for single-SIM use. This means that the SmartcardService also only sees one card reader (SIM slot). Maybe this also interferes with the Xposed module?
For clarification:
Before I wrote my Xposed module, the Bank Austria banking app worked already perfectly (no errors displayed, recognized the NFC SIM card, personalization of the bankcard worked ok) when I inserted the SIM card into slot 2. It just didn't work when the SIM card was inserted in slot 1. The problem is that it must be inserted in slot 1 if you want to use it over NFC. This is why I decided to work around this limitation with my Xposed module.
The second feature ("Fix EVT_TRANSACTION Intent") of my module was just a gimmick "on the way". I realized that the confirmation dialog after paying is not displayed, but this was just a "cosmetic" problem. Payments did still work, even if the confirmation dialog on the phone is not displayed.
Another sidenote:
As I have mentioned before I have switched already to an Android 7.1 based ROM on my personal phone (as a developer I want to use some of the new APIs) so I don't have Xposed anymore (as Xposed is not available for Android 7). So at the moment I cannot really test anything.
Which error exactly do you get? What do you see in logcat?
Kind regards,
john
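The root cause described above was an OMAPI client that assumed a single reader with a fixed name instead of enumerating the readers SmartcardService exposes. As an added example (my own code, not androcheck's Xposed module and not PSA's app), here is how a client of the SIMalliance org.simalliance.openmobileapi API should pick the UICC reader on a dual-SIM phone: enumerate `SEService.getReaders()`, consider every reader whose name starts with "SIM" (OMAPI names the UICC readers "SIM", or "SIM1"/"SIM2" on multi-slot devices), and prefer the slot that actually reports a secure element present. APPLET_AID and the APDU sent afterwards are placeholders (assumptions), not a real bankcard applet.

```java
// Added example, not the thread author's Xposed hook: robust UICC reader selection
// with the SIMalliance OpenMobile API (SmartcardService).
import android.content.Context;
import android.util.Log;
import java.io.IOException;
import org.simalliance.openmobileapi.Channel;
import org.simalliance.openmobileapi.Reader;
import org.simalliance.openmobileapi.SEService;
import org.simalliance.openmobileapi.Session;

public final class UiccReaderClient implements SEService.CallBack {
    private static final String TAG = "UiccReaderClient";
    // Placeholder AID (assumption); substitute the applet you actually want to select.
    private static final byte[] APPLET_AID = {
        (byte) 0xA0, 0x00, 0x00, 0x00, 0x18, 0x43, 0x4D, 0x00 };
    private final SEService seService;

    public UiccReaderClient(Context ctx) {
        // Binds to SmartcardService; serviceConnected() fires once the binding is up.
        seService = new SEService(ctx, this);
    }

    /**
     * Picks the UICC reader instead of hard-wiring "SIM" or "SIM1". The first SIM slot
     * that reports a secure element wins; if none does, the first SIM reader is
     * returned so the caller can log a meaningful error. On the phone discussed in the
     * thread only slot 1 is wired to the NFC controller, so an SE in slot 2 would be
     * reachable over OMAPI but useless for NFC payments.
     */
    static Reader pickUiccReader(Reader[] readers) {
        Reader fallback = null;
        for (Reader r : readers) {
            String name = r.getName();
            if (name == null || !name.startsWith("SIM")) continue;
            if (r.isSecureElementPresent()) return r;
            if (fallback == null) fallback = r;
        }
        return fallback;   // null: this ROM exposes no SIM reader at all
    }

    @Override
    public void serviceConnected(SEService service) {
        Reader uicc = pickUiccReader(service.getReaders());
        if (uicc == null || !uicc.isSecureElementPresent()) {
            Log.w(TAG, "no UICC secure element reachable via OMAPI");
            service.shutdown();
            return;
        }
        Log.i(TAG, "using reader " + uicc.getName());
        Session session = null;
        Channel channel = null;
        try {
            session = uicc.openSession();
            // openLogicalChannel() performs the SELECT by AID; older OMAPI versions
            // return null when the SE has no free logical channel.
            channel = session.openLogicalChannel(APPLET_AID);
            if (channel == null) {
                Log.w(TAG, "could not open a logical channel to the applet");
                return;
            }
            // Illustrative GET DATA APDU; the real applet command set is not shown here.
            byte[] resp = channel.transmit(new byte[] { 0x00, (byte) 0xCA, 0x00, 0x00, 0x00 });
            Log.i(TAG, "applet answered with " + resp.length + " bytes");
        } catch (IOException e) {
            Log.e(TAG, "APDU exchange failed", e);
        } finally {
            if (channel != null) channel.close();
            if (session != null) session.close();
            service.shutdown();
        }
    }
}
```

The app needs the org.simalliance.openmobileapi.SMARTCARD permission and `<uses-library android:name="org.simalliance.openmobileapi" android:required="false"/>` in its manifest; with `required="false"` it still installs on ROMs without SmartcardService and can fail gracefully at runtime instead of at install time.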
androcheck said:
Hi!
Another point I realized: by looking into the build.prop of the miau_destroyer_v12 ROM it seemed to me that this ROM is configured for single-SIM use. This means that the SmartcardService also only sees one card reader (SIM slot). Maybe this also interferes with the Xposed module?
Changed build.prop to enable Dual SIM.
Which error exactly do you get? What do you see in logcat?
Haven't worked with it before; which entry are you looking for?
Lots of thanks for your great work!
Btw, do you use AOSP 8.1 (such as AICP 8.1)?
On these ROMs, after adding SmartCardService.apk, it still can't work with these bank apps. Actually, it can read other NFC tags, but its HCE (Host-based Card Emulation) does not work.
Could you have a try at fixing it?
My post:
https://forum.xda-developers.com/le...a-zl1-x727-x720-t3698058/page356#post76274677
Hi,
Google says that the Pixel 7 series doesn't support SWP-SIM, while the Pixel 6 and others supported it.
So I started googling whether there's any 'Magisk way' to solve this issue, and then I found your XDA posts.
If you happen to be a Pixel 7 user, are you interested in looking into this issue?
I'd like to buy you a $30 coffee or more if I can use the SWP-SIM for payment on my Pixel 7.
jasonlee0315 said:
Google says that the Pixel 7 series doesn't support SWP-SIM, while the Pixel 6 and others supported it.
So I started googling whether there's any 'Magisk way' to solve this issue, and then I found your XDA posts.
Hi!
I don't have Pixel 7 and currently I am not working in this field, but for clarification:
"SWP-SIM support" is (also) a hardware feature.
To be able to use SWP-SIMs there must be a physical connection between the SWP pin of the NFC controller (this is a separate chip on the mainboard of your phone, not the main application processor, where Android runs on) and the respective pin of the SIM card slot.
Google in the past tended not to connect these 2 pins. I don't know if the Pixel 7 has this connection. I just wanted to let you know that if this connection does not exist, there is no way to solve this in software.
[edit]
(see also this old question on stackexchange, this was about the Nexus 5X and 6P: https://stackoverflow.com/questions...-to-the-uicc-on-the-nexus-5x-and-the-nexus-6p)
[/edit]
androcheck said:
"SWP-SIM support" is (also) a hardware feature.
Google in the past tended not to connect these 2 pins. I don't know if the Pixel 7 has this connection. I just wanted to let you know that if this connection does not exist, there is no way to solve this in software.
Thanks for replying. I guess I might give up trying to get SWP-SIM working on Pixel 7.