Hello,
I read about virtual card mode in NXP papers and I wonder is it possible to emulate mifare card using this mode and touchatag reader. Touchatag reader has pn532 chip and SAM slot.
According to this document¹ in virtual mode the couple PN532+SAM is seen as only one contactless SAM card from the external world. I suppose that SAM card can be replaced with SMX card. According to the second document² once configured in virtual card mode, the PN532 only acts as a bridge between SMX and the external reader. Depending on the first command, after initialisation, sent by the reader, the PN532+SMX will act as a Mifare card or as a T=CL card.
I hope you get my idea.

[1]http://www.nxp.com/documents/user_manual/141520.pdf
[2]http://www.adafruit.com/datasheets/PN53 … e_v1.2.pdf

Hi again,
I just share my attempt at using touchatag reader with Android phone.

bigjay:

... seems like dbus isn't running (or even installed) ...

Thanks, I'm a beginner in Linux.
I did the following:

localhost:/# dbus-daemon --system
Faild to start message bus: The pid file "/var/run/dbus/pid" exists, if the message bus is not running, remove this file
localhost:/# rm /var/run/dbus/pid
localhost:/# dbus-daemon --system
localhost:/# hald

Then I ran pcscd -adf:

pcscdaemon.c:280:main() pcscd set to foreground with debug send to stderr
debuglog.c:239:DebugLogSetLevel() debug level=debug
debuglog.c:268:DebugLogSetCategory() Debug options: APDU
pcscdaemon.c:498:main() pcsc-lite 1.4.102 daemon ready.
hotplug_libhal.c:305:get_driver() Looking a driver for VID: 0x072F, PID: 0x90CC
hotplug_libhal.c:342:HPAddDevice() Adding USB device: usb_device_72f_90cc_noserial_if0
readerfactory.c:1082:RFInitializeReader() Attempting startup of ACS ACR 38U-CCID 00 00 using /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
readerfactory.c:949:RFBindFunctions() Loading IFD Handler 3.0
ifdhandler.c:1323:init_driver() Driver version: 1.3.8
ifdhandler.c:1336:init_driver() LogLevel: 0x0003
ifdhandler.c:1356:init_driver() DriverOptions: 0x0000
ifdhandler.c:81:IFDHCreateChannelByName() lun: 0, device: usb:072f/90cc:libhal:/org/freedesktop/Hal/devices/usb_device_72f_90cc_noserial_if0
ccid_usb.c:236:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rousseau@free.fr)
ccid_usb.c:246:OpenUSBByName() ProductString: Generic CCID driver
ccid_usb.c:252:OpenUSBByName() Copyright: This driver is protected by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
ccid_usb.c:408:OpenUSBByName() Found Vendor/Product: 072F/90CC (ACS ACR 38U-CCID)
ccid_usb.c:410:OpenUSBByName() Using USB bus/device: 001/002
ccid_usb.c:780:get_data_rates() IFD does not support GET_DATA_RATES request: Success
ifdhandler.c:307:IFDHGetCapabilities() lun: 0, tag: 0xFB0
readerfactory.c:267:RFAddReader() Using the pcscd polling thread
ifdhandler.c:307:IFDHGetCapabilities() lun: 0, tag: 0xFAE
ifdhandler.c:353:IFDHGetCapabilities() Reader supports 1 slot(s)
ifdhandler.c:924:IFDHPowerICC() lun: 0, action: PowerUp
hotplug_libhal.c:305:get_driver() Looking a driver for VID: 0x1D6B, PID: 0x0002
Card ATR: 3B BE 96 00 00 41 03 00 00 00 00 00 00 00 00 00 02 90 00 

Now everything looks fine but when I try to run ./nfc-list I receive "Bus error". Any suggestions? Thanks! Kind regards, Andy

EDIT:

echo 2 > /proc/cpu/alignment

This fixes the problem! Now everything is working!

Hi there,
I'm trying to use my ACR122 contactless smartcard reader connected to HTC Dream/T-mobile G1 phone. First I enabled the USB host of my G1¹. Then I installed Debian Lenny² and ACR drivers on the sdcard as I do on my PC.

This is the output when I run dmesg:

[ 196.719024] msm_hsusb msm_hsusb: GetStatus port 1 status 80001803 POWER sig=j CSC CONNECT
[ 196.719573] hub 1-0:1.0: port 1: status 0101 change 0001
[ 196.819427] hub 1-0:1.0: state 7 ports 1 chg 0002 evt 0000
[ 196.820007] hub 1-0:1.0: port 1, status 0101, change 0000, 12 Mb/s
[ 196.939056] usb 1-1: new full speed USB device using msm_hsusb and address 2
[ 197.089111] usb 1-1: ep0 maxpacket = 8
[ 197.093750] usb 1-1: skipped 1 descriptor after interface
[ 197.095733] usb 1-1: default language 0x0409
[ 197.098724] usb 1-1: udev 2, busnum 1, minor = 1
[ 197.099426] usb 1-1: New USB device found, idVendor=072f, idProduct=90cc
[ 197.100280] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 197.100769] usb 1-1: Product: CCID USB Reader
[ 197.101593] usb 1-1: Manufacturer:
[ 197.106353] usb 1-1: usb_probe_device
[ 197.106872] usb 1-1: configuration #1 chosen from 1 choice
[ 197.108795] usb 1-1: adding 1-1:1.0 (config #1, interface 0)
[ 197.116180] drivers/usb/core/inode.c: creating file '002'
[ 197.117492] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0002

This is the output of pcscdaemon:

00000000 pcscdaemon.c:280:main() pcscd set to foreground with debug send to stderr
00000336 debuglog.c:239: DebugLogSetLevel() debug level=debug
00018596 pcscdaemon.c:498:main() pcsc-lite 1.4.102 deamon ready
01416524 hotplug_libhal.c:460:HPRegisterForHotplugEvents() error: dbus_bus_get: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused
00000244 pcscdaemon.c:517:main() SVCServiceRunLoop returned
00000091 pcscdaemon.c523:at_exit() cleaning /var/run/pcscd

[1] http://forum.xda-developers.com/showthread.php?t=794643
[2] http://bayleshanks.com/tips-computer-android-g1

4

(9 replies, posted in NXP MIFARE Classic)

Hi Kung Lao,
yes, there are lots of uncertainties.
I can manipulate:
- sector 0: block 1 and block 2
- sector 1: all blocks
- sector 2: block 2
I can replace sector 2, block 0&1 (together) with the same blocks from another card.
I can't manipulate sector 3, although I know the checksum algorithm for this sector.
So in my case these 4 bytes may protect data integrity and authenticity in:
- sector 0: block 0 (this block can't be changed but can be used for IV)
- whole sector 3
- sector 4: block 1 and block 2
Maybe someone will point us to some simpler algorithm.
I found this guide and tried to brute force CRC16 and CRC32 again. It was easy with so called "difference message" but without success.

5

(9 replies, posted in NXP MIFARE Classic)

OK, some progress with checksums.
I found a C routine for MAD and NSCP Directories in NSCP_Mifare4k_Spec_V2.
CRC8-SAE J1850: polynom = 0x1D, Initial = 0xC7, Final Xor = 0
This function is used in Sector 4, block 2 (last trip) and whole sector 3 too.

Now the final challenge is to understand how the last 4 bytes from sector 4, block 2 are calculated.
Standard CRC-32s don't work. If someone is interested in this just let me know. Regards, Andy

Problem solved!

I tried to use libfreefare for the MAD CRC calculation, but I'm a Windows XP user and it is a little bit difficult.
I found a C routine for MAD and NSCP Directories in NSCP_Mifare4k_Spec_V2.
The problem is that it doesn't calculate the CRC correctly.
These are some real MAD (block 1 and 2):

73 00 04 00 0c 18 0c 18 36 88 36 88 36 88 36 88
0c 18 0c 18 0c 18 0c 18 00 00 00 00 00 00 00 00

b6 00 04 00 15 00 09 07 2f 18 2f 18 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

6e 00 04 00 15 00 09 07 2f 18 2f 18 2f 18 2f 18
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

38 00 04 00 15 00 09 07 2f 18 2f 18 2f 18 2f 18
2f 18 2f 18 00 00 00 00 00 00 00 00 00 00 00 00

I found my mistake.  Everything is OK, my input was in ASCII format.
CRC8: polynom = 0x1D, Initial = 0xC7, Final Xor = 0
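
The CRC parameters from the post above, checked against the four MAD dumps it lists (byte 0 of block 1 is the CRC over the remaining 31 bytes). This is an added example, not code from the original posts or from the NSCP specification; the function names are hypothetical, and the last printed column reproduces the ASCII-input mistake the poster describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-8 as quoted in the post: poly 0x1D, init 0xC7, final XOR 0, MSB first. */
uint8_t mad_crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0xC7;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x1D : crc << 1);
    }
    return crc;
}

/* Parse "73 00 04 ..." into raw bytes; returns how many bytes were read. */
size_t hex_to_bytes(const char *text, uint8_t *out, size_t max) {
    size_t n = 0;
    unsigned int v;
    int used;
    while (n < max && sscanf(text, " %2x%n", &v, &used) == 1) {
        out[n++] = (uint8_t)v;
        text += used;
    }
    return n;
}

/* 1 if byte 0 of block 1 equals the CRC over the remaining 31 MAD bytes. */
int mad_crc_ok(const char *dump) {
    uint8_t mad[32];
    if (hex_to_bytes(dump, mad, sizeof mad) != sizeof mad) return 0;
    return mad_crc8(mad + 1, 31) == mad[0];
}

/* MAD dumps copied from the post (sector 0, block 1 followed by block 2). */
const char *MAD_DUMPS[4] = {
    "73 00 04 00 0c 18 0c 18 36 88 36 88 36 88 36 88 0c 18 0c 18 0c 18 0c 18 00 00 00 00 00 00 00 00",
    "b6 00 04 00 15 00 09 07 2f 18 2f 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "6e 00 04 00 15 00 09 07 2f 18 2f 18 2f 18 2f 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "38 00 04 00 15 00 09 07 2f 18 2f 18 2f 18 2f 18 2f 18 2f 18 00 00 00 00 00 00 00 00 00 00 00 00",
};

int main(void) {
    for (int i = 0; i < 4; i++)  /* last column: CRC over the characters, not the bytes */
        printf("dump %d: stored CRC %s, CRC of ASCII text = %02x\n", i,
               mad_crc_ok(MAD_DUMPS[i]) ? "matches" : "differs",
               mad_crc8((const uint8_t *)MAD_DUMPS[i] + 3, strlen(MAD_DUMPS[i]) - 3));
    return 0;
}
```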

Hi there,
I successfully compiled libfreefare, but how do I start the test or example files? Thank you!

9

(9 replies, posted in NXP MIFARE Classic)

OK, I found out how to calculate the start and end date:
start date: byte9/0x20 + 1 + byte10*8 = days since 19.03.2008
end date: (byte12 + (byte13 << 8))/0x40 + 1 = days since 19.03.2008

I need some help with next block that protects data integrity and its authenticity.
This document guides me to Message Authentication Code calculation.
Sector 4, block 2 format:
aa aa bb 00 00 00 00 00 00 00 cc 00 dd dd dd dd
aa aa - Line number
bb - 01=Trolley-bus/02=Tram/03=Bus/04=Subway/FF=All
cc - byte0 from sector 3, block 2
dd dd dd dd - ??? MAC

10

(9 replies, posted in NXP MIFARE Classic)

Yes, I have some progress.
Expiration date is written in block 0, sector 4. I cannot figure out the format of the date.
Example:
41 00 00 44 00 00 10 1e 71 0a 00 00 00 00 00 00 (empty card)
41 00 00 44 00 41 10 1e 71 2a 3c 02 00 8f  f4 59 (14.07.2009-13.10.2009)
41 00 00 44 00 41 10 1e 71 2a 53 02 80 bc f4 59 (14.01.2010-13.04.2010)
So it seems that only the red bytes are significant.

I suppose that the next block 1, sector 4 verifies the content of block 0.
At the moment I'm collecting data and looking for patterns. I'd appreciate some help. Andy
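
The start and end date formulas from the post further up (days since 19.03.2008), applied to the two issued-card blocks listed in this post. This is an added example, not part of the original posts; the function and array names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Day offsets exactly as given in the post (C integer division).
   Same thing as bit fields: start = (LE16(byte9,byte10) >> 5) + 1,
   end = (LE16(byte12,byte13) >> 6) + 1. */
unsigned start_days(const uint8_t *b) { return b[9] / 0x20 + 1 + b[10] * 8; }
unsigned end_days(const uint8_t *b)   { return (b[12] + (b[13] << 8)) / 0x40 + 1; }

/* 19.03.2008 plus `days`, returned as YYYYMMDD (or -1 on failure). */
long epoch_plus_days(unsigned days)
{
    struct tm t = {0};
    t.tm_year = 2008 - 1900;
    t.tm_mon  = 2;               /* March */
    t.tm_mday = 19 + (int)days;  /* mktime() normalises the overflow */
    t.tm_hour = 12;              /* midday: a DST shift cannot move the date */
    t.tm_isdst = -1;
    if (mktime(&t) == (time_t)-1)
        return -1;
    return (t.tm_year + 1900) * 10000L + (t.tm_mon + 1) * 100 + t.tm_mday;
}

/* Sector 4, block 0 of the two issued cards, copied from the post. */
const uint8_t CARD_A[16] = {0x41,0x00,0x00,0x44,0x00,0x41,0x10,0x1e,
                            0x71,0x2a,0x3c,0x02,0x00,0x8f,0xf4,0x59};
const uint8_t CARD_B[16] = {0x41,0x00,0x00,0x44,0x00,0x41,0x10,0x1e,
                            0x71,0x2a,0x53,0x02,0x80,0xbc,0xf4,0x59};

int main(void)
{
    const uint8_t *cards[2] = { CARD_A, CARD_B };
    for (int i = 0; i < 2; i++)
        printf("card %d: valid %ld - %ld\n", i,
               epoch_plus_days(start_days(cards[i])),
               epoch_plus_days(end_days(cards[i])));
    return 0;
}
```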

Thank you for the quick reply. I managed to run mtools. When I try to read a Mifare card it doesn't show the correct data stored on it.

Look at this topic: http://www.libnfc.org/community/topic/141/oysters/

13

(9 replies, posted in NXP MIFARE Classic)

Thanks to all in the libnfc community I was able to read and analyze, to some
extent, a Mifare Classic 4K card used in public transport.

In my case:
Sector 0, Block 1&2 Mifare Application Directory (MAD)
http://www.nxp.com/acrobat_download2/ot … ad0107.pdf
Sector 1 (administration code 0x00 0x04) contains card holder information.
The recommended format for storing card holder information is Run-Length-Coding.
Sector 2 card publisher information (code 0x00, 0x15).
Sector 3 electronic purse, city traffic
These sectors don't change during card usage.
Sectors 4 and 5 - prepaid coupon, city traffic

I suspect that every administration code has a registered format.

Sector 4, Block 2 contains information about last travel.
Format type:
00 aa 00 bb 01 00 cc cc dd dd dd dd 00 ee 00 ff
aa = line number
bb = tram/trolley bus
cc cc  =  car number (dec)
dd dd dd dd = time and date
lower 14 bits = number of days since 01.01.1997
higher bits = number of minutes since the start of the day
ff = some sort of check sum

Is there a way to figure out what method is used to calculate check sum?

Sector 5 Block 0 and 1 Value blocks.

I would be happy if someone shared his observations. Regards
Andy

Hi there,
I found this project http://code.google.com/p/mtools/ but I cannot install the source.
Has anyone tried this?

root@ubuntu:~/Desktop# cd mtools
root@ubuntu:~/Desktop/mtools# autoreconf -vis
autoreconf2.50: Entering directory `.'
autoreconf2.50: configure.ac: not using Gettext
autoreconf2.50: running: aclocal 
configure.ac:17: warning: macro `AM_GLIB_GNU_GETTEXT' not found in library
autoreconf2.50: configure.ac: tracing
autoreconf2.50: configure.ac: not using Libtool
autoreconf2.50: running: /usr/bin/autoconf
configure.ac:17: error: possibly undefined macro: AM_GLIB_GNU_GETTEXT
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf2.50: /usr/bin/autoconf failed with exit status: 1
root@ubuntu:~/Desktop/mtools# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
/bin/bash: /home/ubuntu/Desktop/mtools/missing: No such file or directory
configure: WARNING: `missing' script is too old or missing
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
./configure: line 2657: syntax error near unexpected token `0.41.0'
./configure: line 2657: `IT_PROG_INTLTOOL(0.41.0)'
root@ubuntu:~/Desktop/mtools# 

15

(30 replies, posted in NXP MIFARE Classic)

Hi there,
Nice tool!!! It works fine for me until I make a mistake. If I enter a wrong key or sector, for instance, the program rejects the right key too. Then I just close and open the connection and start again.
Analysing trailer data will be more useful if, instead of a matrix, there is information about the state of the trailer and data access bits. There are nice figures and tables in "Making the Best of Mifare Classic". www.sos.cs.ru.nl/applications/rfid/2008-thebest.pdf
Something like this:
Trailer access bits C1,C2,C3 = 011 - this means that, using key B, you may change the access bits and the keys.
Regards, Andy

16

(3 replies, posted in Questions and Requests)

Hi there,
The problem is with the linker finding a shared library.
Type:

root@ubuntu:~/Desktop# echo "/usr/local/lib" >> /etc/ld.so.conf.d/loc_lib.conf
root@ubuntu:~/Desktop# /sbin/ldconfig

Regards, Andy

Hi there,
I'm trying to read and write to a given block with known key.
This is a part of my school project. I managed to read a block first using Key A and then using Key B. In both ways the output is the same. Does it mean that the output is not encrypted? Thanks

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#include <string.h>
#include <ctype.h>

#include <libnfc.h>
#include "mifaretag.h"


int main(int argc, const char* argv[])
{    
     bool b4K;
     mifare_tag mtDump;        
     byte_t* pbtUID;
     dev_info* pdi;
     tag_info ti;
     mifare_param mp;
     uint32_t block;
     int key;
     mifare_cmd mc;
     
     byte_t defaultKeys[][6] = { 
        {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, // First key
        {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5},  // Second key
        {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5}, // Third key
        {0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
        {0x4d, 0x3a, 0x99, 0xc3, 0x51, 0xdd},
        {0x1a, 0x98, 0x2c, 0x7e, 0x45, 0x9a},
        {0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7},
        {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}
    };

if (argc < 3)
  {
    printf("\nSyntax: %s <block number(0-FF)> <key number(1-8)>\n",argv[0]);
    printf("Default keys:\nffffffffffff - 1\na0a1a2a3a4a5 - 2\nb0b1b2b3b4b5 - 3\n000000000000 - 4\n4d3a99c351dd - 5\n1a982c7e459a - 6\nd3f7d3f7d3f7 - 7\naabbccddeeff - 8\n");
    return 1;
  }

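  // Parse and validate the arguments before they are used as array indexes
  if (sscanf(argv[2],"%i",&key) != 1 || key < 1 || key > 8)
  {
    printf("Error: key number must be 1-8\n");
    return 1;
  }
  if (sscanf(argv[1],"%02x",&block) != 1 || block > 0xff)
  {
    printf("Error: block number must be 00-FF\n");
    return 1;
  }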

  // Try to open the NFC reader
  pdi = nfc_connect();

  if (pdi == INVALID_DEVICE_INFO)
  {
    printf("Error connecting NFC reader\n");
    return 1;
  }

  // Configure reader settings
  nfc_initiator_init(pdi);

  // Drop the field for a while
  nfc_configure(pdi,DCO_ACTIVATE_FIELD,false);
  
  // Let the reader only try once to find a tag
  nfc_configure(pdi,DCO_INFINITE_SELECT,false);
  nfc_configure(pdi,DCO_HANDLE_CRC,true);
  nfc_configure(pdi,DCO_HANDLE_PARITY,true);

  // Enable field so more power consuming cards can power themselves up
  nfc_configure(pdi,DCO_ACTIVATE_FIELD,true);

  printf("Connected to NFC reader: %s\n",pdi->acName);

  // Try to find a MIFARE Classic tag
  if (!nfc_initiator_select_tag(pdi,IM_ISO14443A_106,NULL,0,&ti))
  {
    printf("Error: no tag was found\n");
    nfc_disconnect(pdi);
    return 1;
  }

  // Test if we are dealing with a MIFARE compatible tag
  if ((ti.tia.btSak & 0x08) == 0)
  {
    printf("Error: tag is not a MIFARE Classic card\n");
    nfc_disconnect(pdi);
    return 1;
  }
  // Get the info from the current tag
  pbtUID = ti.tia.abtUid;
  b4K = (ti.tia.abtAtqa[1] == 0x02);
  printf("Found MIFARE Classic %cK card with uid: %08x\n",b4K?'4':'1',swap_endian32(pbtUID));

  // Set the authentication information (uid)
  memcpy(mp.mpa.abtUid,ti.tia.abtUid,4);
  memcpy(mp.mpa.abtKey,defaultKeys[key-1], 6);
                  
  if (!nfc_initiator_mifare_cmd(pdi,MC_AUTH_A,block,&mp))
  {
    printf("Authentication failed for block %02x\n", block);
    // Release the reader on the error path too
    nfc_disconnect(pdi);
    return 1;
  }
  printf("Reading Block %02x\n", block);
                
  //Try to read out the data block
  if (nfc_initiator_mifare_cmd(pdi,MC_READ,block,&mp))
  {
    memcpy(mtDump.amb[block].mbd.abtData,mp.mpd.abtData,16);
    print_hex(mtDump.amb[block].mbd.abtData, 16);
  } else
  {
    printf("Read Error!\n");
  }
    
  // Reset the "advanced" configuration to normal
  nfc_configure(pdi,DCO_HANDLE_CRC,true);
  nfc_configure(pdi,DCO_HANDLE_PARITY,true);

  // Clean up and release device
  nfc_disconnect(pdi);
  return 0;
    
}

Compile

 gcc -o readtest readtest.c  -I/usr/local/include/libnfc -L/usr/local/lib/ -lnfc 

Console output

 root@ubuntu:~/Desktop# ./readtest 

Syntax: ./readtest <Block number(0-FF)> <Key number(1-8)>
Default keys:
ffffffffffff - 1
a0a1a2a3a4a5 - 2
b0b1b2b3b4b5 - 3
000000000000 - 4
4d3a99c351dd - 5
1a982c7e459a - 6
d3f7d3f7d3f7 - 7
aabbccddeeff - 8
root@ubuntu:~/Desktop# ./readtest 0 2
Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 4K card with uid: 9ca69bc5
Reading Block 00
9c  a6  9b  c5  64  98  02  00  64  8e  85  99  4d  10  42  07  
root@ubuntu:~/Desktop#