Original source: http://stackoverflow.com/questions/20055497/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Emulate Mifare card with Android 4.4
Question by user2570174
I have researched Mifare and other card emulation. I have very good knowledge in programming (not Android, but C/C++). I have a proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I currently don't understand whether Android enables full card emulation. I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through the Android API and the host-based card emulation seems to be able to do the trick, but as I understand it, it is a new thing in 4.4 KitKat. Does anyone have any experience with that?
To make things simple, currently I'm investigating the most basic, simple emulation for Mifare Ultralight. This card is a security nightmare: there is no encryption and it does only about 10 functions. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on Android? Maybe not using the stock OS. Anything that is worth knowing would be very appreciated.
Thanks.
Answer by Michael Roland
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected through an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
- MIFARE Ultralight (and derivatives) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
- MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, it's also not possible to emulate MIFARE Classic using Android HCE.
- MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
  - native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4, it's not possible to emulate it using Android HCE.
  - wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
  - ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.

  Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See "Editing Functionality of Host Card Emulation in Android" for a possible approach to modify those values on certain rooted devices and my answer to "Host-based Card Emulation with Fixed Card ID" for a strategy to programmatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
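The layering constraint in the answer above, as an added example that is not part of the original thread: a small classifier for the first frame a reader sends after ISO/IEC 14443-4 activation, showing which openings carry an AID that Android HCE can route on. The function name, verdict labels and sample AID are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Verdict(NamedTuple):
    kind: str                    # label chosen for this example
    hce_routable: bool           # does the frame carry an AID for HCE to dispatch on?
    aid: Optional[bytes] = None

def classify_first_frame(frame: bytes) -> Verdict:
    """Classify the first ISO/IEC 14443-4 payload a reader sends."""
    if len(frame) < 4:
        # No CLA INS P1 P2 header, e.g. a one-byte DESFire native command.
        return Verdict("not-apdu", False)
    cla, ins, p1, _p2 = frame[:4]
    if cla == 0x90:
        # DESFire wrapped native: APDU-shaped, but no AID to route on.
        return Verdict("desfire-wrapped-native", False)
    if (cla, ins, p1) != (0x00, 0xA4, 0x04):
        # Anything else, including longer native commands whose first
        # four bytes merely happen to parse as a header.
        return Verdict("not-select-by-aid", False)
    body = frame[4:]
    if not body:
        return Verdict("malformed-select", False)
    lc = body[0]
    aid, trailer = body[1:1 + lc], body[1 + lc:]
    # ISO/IEC 7816-4 AIDs are 5..16 bytes; at most one Le byte may follow.
    if not 5 <= lc <= 16 or len(aid) != lc or len(trailer) > 1:
        return Verdict("malformed-select", False)
    return Verdict("select-by-aid", True, aid)

# Constructed sample frames (not captured from a real reader).
SAMPLE_AID = bytes.fromhex("F0010203040506")  # made-up proprietary AID
SAMPLES = {
    "iso select": bytes.fromhex("00A4040007") + SAMPLE_AID + b"\x00",
    "wrapped GetVersion": bytes.fromhex("9060000000"),
    "native GetVersion": bytes.fromhex("60"),
    "truncated select": bytes.fromhex("00A4040007F001"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:20} {frame.hex():30} {classify_first_frame(frame)}")
```

MIFARE Ultralight and Classic commands never reach this point at all, since they are exchanged below ISO/IEC 14443-4.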
Answer by Simplect
I spent weeks researching this topic a year ago and my conclusion based on the current implementation was: The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element; this element is embedded within NXP's NFC chip (the PN65 chip built into, for example, the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though I could only read the card, and for it to be useful you need access to the Secure Element, where an applet by NXP exists in most cases; this applet serves as a front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
Answer by nCipher
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
Answer by JCM
The short answer is YES. However, it depends on many factors such as Android version, phone's NFC chip, etc.
To know if your device supports it, just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also an up-to-date list, but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that the Android API, as of today, defines sending a random UID on each tap, as suggested by a previous user, nCipher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative, root access (or custom Cyanogen ROMs) might help to modify the UID, such as in this example: http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as an RFID card of these MIFARE types, MiFare has already made one solution where businesses can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NXP, which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this: https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/