Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Emulate Mifare card with Android 4.4

I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.

I don't understand currently, does android enable full card emulation. I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?

To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.

So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.

Thanks.

like image 429
user2570174 Avatar asked Nov 18 '13 18:11

user2570174


People also ask

Can Android emulate Mifare?

MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE. native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.

Can I use my phone as a Mifare card?

To emulate a mifare card, you need an application running on your smartphone to simulate the phone as a Mifare Classic card. It makes your smartphone with no difference as a Mifare Classic card.

How do I transfer my Mifare card to my android?

The easiest way to clone Mifare NFC Classic 1K Cards is by using an Android smartphone with NFC capabilities. That's right, your cellphone can be used to compromise the security of a company if they are using these types of cards (RFID security system). Just download the “Mifare Classic Tool” for Android.

How does Mifare Classic work?

A mifare Classic card is in principle a memory card with few extra functionali- ties. The memory is divided into data blocks of 16 bytes. Those data blocks are grouped into sectors. The mifare Classic 1k card has 16 sectors of 4 data blocks each.


1 Answers

With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.

So regarding emulation of various MIFARE protocols:

  • MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
  • MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
  • MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:

    1. native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
    2. wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
    3. ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.

    Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.

A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.

like image 149
Michael Roland Avatar answered Oct 05 '22 22:10

Michael Roland