Android NFC Card emulation with fixed UID

Tags: android, nfc

I've downloaded the NFC parts from AOSP and I'm looking for the method used by Android to generate the random UID used by card emulation. My goal is to fix the UID instead of having a different one each time there is a communication with the target. Inside the "libnfc-nci" module I found the file "nfa_ce_act.c" containing this:

void nfa_ce_t3t_generate_rand_nfcid (UINT8 nfcid2[NCI_RF_F_UID_LEN])
{
    UINT32 rand_seed = GKI_get_tick_count ();

    /* For Type-3 tag, nfcid2 starts with 02:fe */
    nfcid2[0] = 0x02;
    nfcid2[1] = 0xFE;

    /* The remaining 6 bytes are random */
    nfcid2[2] = (UINT8) (rand_seed & 0xFF);
    nfcid2[3] = (UINT8) (rand_seed>>8 & 0xFF);
    rand_seed>>=(rand_seed&3);
    nfcid2[4] = (UINT8) (rand_seed & 0xFF);
    nfcid2[5] = (UINT8) (rand_seed>>8 & 0xFF);
    rand_seed>>=(rand_seed&3);
    nfcid2[6] = (UINT8) (rand_seed & 0xFF);
    nfcid2[7] = (UINT8) (rand_seed>>8 & 0xFF);
}

This method generates a UID for FeliCa tags. I'm not able to find the one for ISO14443 cards (MIFARE), which generates a UID beginning with 0x08 by default. According to Martijn Coenen, as explained in his G+ post, it's something possible.

Sorry, I realize many people wanted this, but it's not possible in the official version. (You could of course do it with some AOSP hacking). The reason is that HCE is designed around background operation. If we allow apps to set the UID, every app possibly wants to set their own UID, and there's no way to resolve the conflict. We hope that with HCE, NFC infrastructure will move to higher levels of the protocol stack to do authentication instead of relying on the UID (which is easily cloned anyway). https://plus.google.com/+MartijnCoenen/posts/iX6LLoQmZLZ

Does anyone know how to achieve it?

Thanks

Jul asked Nov 10 '14 19:11
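
The generator quoted in the question takes all six variable bytes from a single tick-count value. The following added example (not part of the original post or of AOSP) re-implements that arithmetic with the seed passed in and measures which seed bits can affect the NFCID2; the function names, the sample seeds and the 8-byte length are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFCID2_LEN 8 /* assumed value of NCI_RF_F_UID_LEN (8-byte NFCID2) */

/* Same arithmetic as the quoted generator, with the tick count passed in. */
static void nfcid2_from_seed(uint32_t seed, uint8_t id[NFCID2_LEN])
{
    id[0] = 0x02;
    id[1] = 0xFE;
    for (int i = 2; i < NFCID2_LEN; i += 2) {
        id[i]     = (uint8_t)(seed & 0xFF);
        id[i + 1] = (uint8_t)((seed >> 8) & 0xFF);
        seed >>= (seed & 3); /* shift by 0..3 bits before the next pair */
    }
}

/* Mask of seed bits whose flip changes the ID for at least one sample seed. */
static uint32_t seed_bits_reaching_id(void)
{
    uint32_t mask = 0;
    for (uint32_t n = 0; n < 4096; n++) {
        uint8_t a[NFCID2_LEN], b[NFCID2_LEN];
        uint32_t seed = n * 2654435761u; /* constructed samples, spread over 32 bits */
        nfcid2_from_seed(seed, a);
        for (int bit = 0; bit < 32; bit++) {
            nfcid2_from_seed(seed ^ (1u << bit), b);
            if (memcmp(a, b, NFCID2_LEN) != 0)
                mask |= 1u << bit;
        }
    }
    return mask;
}

/* 1 if the three "random" byte pairs of the ID are all identical. */
static int pairs_repeat(uint32_t seed)
{
    uint8_t id[NFCID2_LEN];
    nfcid2_from_seed(seed, id);
    return memcmp(id + 2, id + 4, 2) == 0 && memcmp(id + 4, id + 6, 2) == 0;
}

int main(void)
{
    printf("seed bits reaching NFCID2: 0x%08X\n", (unsigned)seed_bits_reaching_id());
    printf("pairs repeat for seed 0x12345678: %d\n", pairs_repeat(0x12345678u));
    return 0;
}
```

Only the low 22 bits of the tick count can reach the identifier, and a seed whose two low bits are zero produces the same byte pair three times. That fits the quoted advice not to rely on the UID for authentication.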



1 Answer

One important thing to know is that the UID is transferred at a very low level of the NFC protocol. This means that it is done independently by the NFC firmware and not within the Android operating system. We had the same problem in our NFCGate project and found a solution for Broadcom BCM20793 chips like the ones in the Nexus 4/5 and others by writing the UID with NFC_SetConfig directly into the chip firmware.

You can see a working version in our repository on GitHub. Here is a non-tested version to show the principle:

uint8_t cfg[] = {
    CFG_TYPE_UID, // config type
    3,            // uid length
    0x0A,         // uid byte 1
    0x0B,         // uid byte 2
    0x0C          // uid byte 3
};
NFC_SetConfig(sizeof(cfg), cfg);

Our tests revealed that Android sometimes sets the UID back to random (length=0 if I recall correctly), so you need to find a good place to set it when you need it, or do something similar to what we did and intercept NFC_SetConfig calls from Android to re-set our own UID.

a4c8b answered Sep 29 '22 01:09