Key a0a1a2a3a4a5 is always returned #1

Open
alfs opened this issue Jul 10, 2015 · 1 comment

alfs commented Jul 10, 2015

Bug: The same key (a0a1a2a3a4a5) is always recovered. This is because the phone performs an authentication attempt before sending the RATS and extraction commands. The card thus captures the authentication attempt and overwrites the first captures.

Trace from a scan, where the KeyExtractor app is already opened:

...
5737516 |    5738572 | Rdr |26                                                               |     | REQA          
5739760 |    5742128 | Tag |04  00                                                           |     |           
5749452 |    5751916 | Rdr |93  20                                                           |     | ANTICOLL          
5753104 |    5758928 | Tag |6a  63  a8  01  a0                                               |     |           
5762844 |    5773372 | Rdr |93  70  6a  63  a8  01  a0  69  fd                               |  ok | SELECT_UID          
5774560 |    5778080 | Tag |08  b6  dd                                                       |     |           
6262780 |    6267548 | Rdr |50  00  57  cd                                                   |  ok | HALT          
6309068 |    6310060 | Rdr |52                                                               |     | WUPA          
6311312 |    6313680 | Tag |04  00                                                           |     |           
6321452 |    6331980 | Rdr |93  70  6a  63  a8  01  a0  69  fd                               |  ok | SELECT_UID          
6333168 |    6336688 | Tag |08  b6  dd                                                       |     |           
6406380 |    6411148 | Rdr |50  00  57  cd                                                   |  ok | HALT          
6452652 |    6453644 | Rdr |52                                                               |     | WUPA          
6454896 |    6457264 | Tag |04  00                                                           |     |           
6465036 |    6475564 | Rdr |93  70  6a  63  a8  01  a0  69  fd                               |  ok | SELECT_UID          
6476752 |    6480272 | Tag |08  b6  dd                                                       |     |           
6539084 |    6543852 | Rdr |50  00  57  cd                                                   |  ok | HALT          
6584636 |    6585628 | Rdr |52                                                               |     | WUPA          
6586880 |    6589248 | Tag |04  00                                                           |     |           
6597020 |    6607548 | Rdr |93  70  6a  63  a8  01  a0  69  fd                               |  ok | SELECT_UID          
6608736 |    6612256 | Tag |08  b6  dd                                                       |     |           
6683292 |    6687996 | Rdr |60  01  7c  6a                                                   |  ok | AUTH-A(1)          
6694240 |    6698976 | Tag |d4  bb  85  4f                                                   |     |           
6702844 |    6712220 | Rdr |b3  83  17  dc  c2  f6  32  c4                                   | !crc| ?          
6781180 |    6785948 | Rdr |50  00  57  cd                                                   |  ok | HALT          
...   
7684556 |    7685548 | Rdr |52                                                               |     | WUPA          
7686816 |    7689184 | Tag |04  00                                                           |     |           
7696956 |    7707484 | Rdr |93  70  6a  63  a8  01  a0  69  fd                               |  ok | SELECT_UID          
7708672 |    7712192 | Tag |08  b6  dd                                                       |     |           
7785564 |    7790268 | Rdr |60  01  7c  6a                                                   |  ok | AUTH-A(1)          
7795744 |    7800480 | Tag |d5  0b  04  a8                                                   |     |           
7804364 |    7813740 | Rdr |5d  65  5a  3d  95  ac  f1  33                                   | !crc| ?          
7890204 |    7894972 | Rdr |50  00  57  cd                                                   |  ok | HALT          
...
8747600 |    8749968 | Tag |04  00                                                           |     |           
8757772 |    8768300 | Rdr |93  70  6a  63  a8  01  a0  69  fd                               |  ok | SELECT_UID          
8769472 |    8772992 | Tag |08  b6  dd                                                       |     |           
9127996 |    9132700 | Rdr |e0  50  bc  a5                                                   |  ok | RATS          
9283340 |    9293804 | Rdr |0a  00  00  a6  b0  00  10  14  1d                               |  ok | ?          
9308352 |    9333824 | Tag |0a  00  a8  bb  2d  3a  56  40  8b  ae  9a  20  4e  9d  2c  c1   |     |           
        |            |     |36  d7  90  00  7e  e3                                           |  ok |           
9486044 |    9496572 | Rdr |0b  00  00  a6  b0  01  10  19  9b                               |  ok | ?          
9510928 |    9536400 | Tag |0b  00  9d  cd  9b  64  a5  29  ca  12  f5  9c  60  a3  73  69   |     |           
        |            |     |59  dd  90  00  14  31                                           |  ok |           
11325212 |   11329980 | Rdr |50  00  57  cd                                                   |  ok | HALT          
11370876 |   11371868 | Rdr |52                                                               |     | WUPA          

The source of this authentication attempt is unknown, but could be a part of the identification procedure of Android. A broader intent filter may capture the card before such scanning is done.
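The ordering visible in the trace, as an added example that is not part of the issue or the project's code: a small parser run over an excerpt of the trace above that lists the reader's MIFARE Classic AUTH frames seen before the first RATS. The function names and the regular expression for the trace columns are assumptions made for this illustration.

```python
import re

# Excerpt of the trace quoted in the issue above (columns trimmed for width).
SAMPLE_TRACE = """\
6597020 |    6607548 | Rdr |93  70  6a  63  a8  01  a0  69  fd   |  ok | SELECT_UID
6608736 |    6612256 | Tag |08  b6  dd                           |     |
6683292 |    6687996 | Rdr |60  01  7c  6a                       |  ok | AUTH-A(1)
6694240 |    6698976 | Tag |d4  bb  85  4f                       |     |
6702844 |    6712220 | Rdr |b3  83  17  dc  c2  f6  32  c4       | !crc| ?
7785564 |    7790268 | Rdr |60  01  7c  6a                       |  ok | AUTH-A(1)
9127996 |    9132700 | Rdr |e0  50  bc  a5                       |  ok | RATS
9283340 |    9293804 | Rdr |0a  00  00  a6  b0  00  10  14  1d   |  ok | ?
"""

# Assumed column layout: start | end | source | hex bytes | crc | annotation
LINE = re.compile(r"^\s*(\d+)\s*\|\s*\d+\s*\|\s*(Rdr|Tag)\s*\|([0-9a-fA-F\s]+)\|")

def parse(trace):
    """Yield (start_time, source, frame_bytes) for each timestamped line."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:  # "..." and continuation lines carry no timestamp and are skipped
            yield int(m.group(1)), m.group(2), bytes.fromhex("".join(m.group(3).split()))

def sector_of(block):
    """MIFARE Classic layout: 32 sectors of 4 blocks, then sectors of 16 blocks."""
    return block // 4 if block < 128 else 32 + (block - 128) // 16

def auths_before_rats(trace):
    """Return (AUTH frames seen before the first RATS, time of that RATS or None)."""
    auths = []
    for t, src, frame in parse(trace):
        if src != "Rdr" or len(frame) != 4:   # both commands are 2 bytes + CRC
            continue
        if frame[0] == 0xE0:                  # RATS: ISO 14443-4 activation
            return auths, t
        if frame[0] in (0x60, 0x61):          # AUTH with key A / key B
            key = "A" if frame[0] == 0x60 else "B"
            auths.append({"time": t, "key": key, "block": frame[1],
                          "sector": sector_of(frame[1])})
    return auths, None

if __name__ == "__main__":
    found, rats_time = auths_before_rats(SAMPLE_TRACE)
    for a in found:
        print(f"t={a['time']} AUTH-{a['key']} block {a['block']} (sector {a['sector']})")
    print("first RATS at", rats_time)
```

On the excerpt, both AUTH-A frames target block 1 in sector 0 and precede the RATS, which matches the overwrite described in the comment above.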


alfs commented Jul 11, 2015

Key a0a1a2a3a4a5 is the MIFARE Application Directory key. After looking through Android sources, this authentication is probably part of the card identification procedure, to resolve which tech the card supports.

It would probably require changes to the Android source; a starting point could be external/libnfc-nxp/src/phFriNfc_MifareStdMap.c

./external/libnfc-nxp/src/phFriNfc_MifareStdMap.c
...
authentication happens in phFriNfc_MifStd_H_AuthSector()
called by phFriNfc_MifStd_H_RemainTLV()
called by phFriNfc_MifareStdMap_Process()

referenced in phFriNfc_NdefMap.c / phFriNfc_NdefMap_Process
This is a callback, set e.g. by
NdefMap->MapCompletionInfo.CompletionRoutine = phFriNfc_NdefMap_Process;

Called by ./external/libnfc-nxp/src/phFriNfc_OvrHal.c
phFriNfc_OvrHal_CB_Send()
via phFriNfc_OvrHal_Send()

From ./external/libnfc-nxp/src/phFriNfc_LlcpMacNfcip.c
