MultiDiag : the all-in-one tool to help SpringCard Support diagnose your configuration

Presentation

SpringCard Support Team is commited into giving the best support service to our customers. In most situations, the first step to solve an issue or only to answer a particular information request is to collect a few technical data regarding the computer – and to clearly identify the SpringCard devices that are involved.

MultiDiag is a small Windows-based tool that retrieves quickly and easily the technical data we need to help you efficiently.

For instance, if you have a Prox’N’Roll PC/SC or any other reader like a CrazyWriter HSP connected to your PC, MultiDiag shows :

  • the status of the PC/SC Service (ScardService)
  • the status of our PC/SC Driver (sd16055)
  • the reader’s serial number and firmware version.

The « copy all to clipboard » button pushes all these information into Windows’ clipboard, so you just have to paste it (Ctrl+V shortcut) into an email to forwared it to out Support Team.

We have tested the program on :

  • Windows XP
  • Windows 7
  • Windows 8

Installation

Download SpringCard MultiDiag setup here.

Run the setup program with administrative priviledges to install MultiDiag.

After installation, launch the application from Start Menu -> SpringCard -> MultiDiag.

Usage

The application displays a single window.

The content of the « General information » and « HID and PC/SC Readers » will be different on your computer.

Multidiag

Multidiag

In the upper right corner you have a button used to copy all system information to the clipboard.
In the top of the screen you have some information about the Scard Service, our PC/SC driver and about your Windows User Account (Control).

The bottom part is used to list the PC/SC and HID readers connected to your PC.
You can double click on each line or click on the « Information » button to get some information about your reader.

Using Mifare Classic EV1 with SpringCard PC/SC readers

NXP has recently started shipping a new generation of Mifare Classic chips, called Mifare Classic EV1 (part numbers MF1S50yyX/V1 for Mifare Classic EV1 1K and MF1S70yyX/V1 for Mifare Classic EV1 4K).

The chips are 100% compliant with earlier Mifare Classic 1K and 4K, with 2 subtle differences:

  • the kind of protocol-level ID to be used must be configured once for all during the pre-personalisation step. Possible choices are 7-byte UID, 4-byte fixed but non-unique ID, and 4-byte random ID,
  • the load modulation level could be set to ‘high’ or ‘low’.

In this short article we’ll show how to configure both the kind of ID and the load modulation.

Personalize UID usage

This command can be only issued once. The choosen configuration is then locked forever. If you have ordered Mifare Classic EV1 with a specific configuration, the command has been issued in factory and will always fail adterwards.

The Mifare Classic EV1′ “personalize UID usage” allows to select one of four different modes:

  1. UIDF0 (value 0x00): anti-collision and selection with the 7-B UID
  2. UIDF1 (value 0x40): anti-collision and selection with the 7-B UID plus a possible shortcut (select only the 4 first bytes and read block 0, bypassing the second step of the selection)
  3. UIDF2 (value 0x20): anti-collision and selection with a 4-B random ID
  4. UIDF3 (value 0x60): anti-collision and selection with a 4-B non-unique ID (calculated out of the 7-B UID)

The command code is 0x40 and must be sent in a CRYPTO1-ciphered stream, after a successfull authentication on sector 0.

To do so, here’s the sequence of commands that must be send to the reader in a SCardTransmit stream (you may for instance write a script for csScriptor). We assume that the card is in transport condition, i.e. that the key A of sector 0 (as well as all other sectors) is the transport key FF FF FF FF FF FF and gives full access to the sector.

# Load the transport key in the reader's volatile memory
FF 82 00 00 06 FF FF FF FF FF FF

# Get authenticated over sector 0 using the transport key as key A
FF 86 00 00 05 01 00 03 60 00

# Check that the authentication is OK by reading block 0
FF B0 00 00 10

# Send the 'personalize UID' command within an ENCAPSULATE APDU
# P1 = 0x01 -> ISO 14443-3
# P2 = 0x08 -> timeout = 125ms
# The last byte is the value to be set, here we choose 0x60 for UIDF3
FF FE 01 08 02 40 60

The reader returns 90 00 if the card acknowledges the command.

If you receive 6F 02 instead (CRC error), it is likely that the card has sent a NACK, meaning that the configuration has already been set and is therefore locked.

Set modulation strength

The Mifare Classic EV1’s “set modulation strength” command allows configuring the chip for either the strong modulation strength (default, value 0x01), or the weak modulation strength (value 0x00).

The command code is 0x43 and must be sent in a CRYPTO1-ciphered stream, after a successfull authentication on sector 0.

To do so, here’s the sequence of commands that must be send to the reader in a SCardTransmit stream (you may for instance write a script for csScriptor). We assume that the card is in transport condition, i.e. that the key A of sector 0 (as well as all other sectors) is the transport key FF FF FF FF FF FF and gives full access to the sector.

# Load the transport key in the reader's volatile memory
FF 82 00 00 06 FF FF FF FF FF FF

# Get authenticated over sector 0 using the transport key as key A
FF 86 00 00 05 01 00 03 60 00

# Check that the authentication is OK by reading block 0
FF B0 00 00 10

# Send the 'set modulation strength' command within an ENCAPSULATE APDU
# P1 = 0x01 -> ISO 14443-3
# P2 = 0x08 -> timeout = 125ms
# The last byte is the value to be set, here we choose 0x00 for weak strength
FF FE 01 08 02 43 00

rfidscan-tool : driving your Prox’N’Roll RFID Scanner’s LEDs and buzzer

The rfidscan-tool command line

The rfidscan-tool command line application is available for any OS that supports libusb, HID-API or hidraw.

We’ve tested it on:

  • Windows XP / Vista / 7 / 8
  • Mac OS X
  • Linux (Ubuntu, Debian, etc)
  • Raspberry Pi (on Raspbian distro)

rfidscan-tool has been inspired by blink1-tool, the command-line application that controls the blink(1) USB notification light. Most of the source code comes from this application. and therefore we use the same licence model.

Note for Mac OS X: currently the tool is able to send commands to the RFID Scanner, but fails to receive its response (IOHIDDeviceGetReport always returns a timeout error — without waiting). This issue is under investigation.

Binary download

To get rfidscan-tool for your machine, visit our github releases page, and search for a version supported by your OS / target CPU.

Here’s 4 direct links to the first public version (v14.11):

Source code download

To compile your own version of rfidscan-tool, just checkout the rfidscan project from github and compile the rfidscan-tool subproject. Something like the below will work 99% of the time:


# git clone https://github.com/springcard/rfidscan-tool.git
# cd rfidscan-tool
# make

For a Windows target, we provide .SLN projects to be opened with the (free of charge) Microsoft Visual C++ 2010 Express IDE.

Usage

On Windows, you may invoke the binary from any command line box without restriction.

On MacOS X and on most versions of Linux (including on Raspberry Pi), you will need to either run as root (sudo rfidscan-tool <...>) or install udev rules as described in https://github.com/springcard/rfidscan-tool/blob/master/51-rfidscan.rules.

When running rfidscan-tool without any argument, it will print a help page like the one below.

rfidscan-tool-win

Here’s the detail of all commands:

rfidscan-tool <cmd> [options]

rfidscan-tool list

List all connected RFID Scanners.

rfidscan-tool version

Show the RFID Scanner’s firmware version.

rfidscan-tool test

Perform a routine test on the RFID Scanner(s).

rfidscan-tool leds <red>,<green>,<blue> [–during <time_ms>]

Drive the RFID Scanner’s LEDs. Allowed values for the red, green and blue parameters are

  • off : the LED is switched OFF
  • on : the LED is switched ON
  • slow : slow blinking
  • fast : fast blinking
  • heart : “heart beat”
  • slowinv : slow blinking, inverted
  • fastinv : fast blinking, inverted
  • heartinv : “heart beat”, inverted

The during parameter is optionnal ans specify how long (in milliseconds) the specified value remains active, before the RFID Scanner goes back to the default sequence.

If this parameter is missing, the LED command lasts forever (at least until another LED command is issued).

rfidscan-tool leds-default

Let the RFID Scanner drives its LEDs itself as usual.

rfidscan-tool beep [during <time_ms>]

Switch ON the RFID Scanner’s buzzer for the specified time (in milliseconds).

rfidscan-tool read <addr>

Read the configuration register at the specified address.

rfidscan-tool write <addr>=<value>

Write the specified value into the configuration register at the specified address. Leavevalue empty to erase the register.

rfidscan-tool dump

Dump all the configuration registers.

Note: the “sensitive” registers (keys for the Master Card and password) are hidden by “XX” chars.

rfidscan-tool write-conf <filename>

Write the configuration registers from the specified file (use a file produced by MultiConf software).

Usage options

Values for [options] are

  • -d <device num> --devices <device num> : perform the command only to this device (from --list), default is all devices (same as -d all)
  • -q --quiet : suppress most output messages
  • -v --verbose : verbose debugging messages
  • -r --reset : reset the RFID Scanner (to apply the new configuration)
  • -p --password <password> : to access a RFID Scanner that is password-protected

Other tool

On this page you will find a Python script used to control the LEDs and Buzzer of a Prox’N’Roll (thanks Armel Esnault)

Reading and writing data in a Mifare UltraLight Card, with a Prox’N’Roll

DOWNLOAD AND READ THE DOCUMENTATIONS

First thing to do is to obtain the documentation of the card from the manufacturer (NXP in this case) and the Prox’N’Roll developer’s reference manual.

From the card’s functional specifications, we can see that the memory is structured in 16 pages of 4 bytes. The four first pages (0-3) contain special bytes: so, we’ll only cover pages 4 to 16.

STEP BY STEP PROCEDURE

The goal is to read and write the card memory.

READ BINARY

In the developer’s reference manual, the READ BINARY instruction is described in §2.2.4 at the time of this writing.

The APDU is :

  • CLA: FF
  • INS: B0
  • P1: Address MSB
  • P2: Address LSB
  • Lc: not needed
  • Data in: not needed
  • Le: number of bytes to be read

The specifics to read Mifare Ultralight cards are detailed in §4.3.3.a (at the time of this writing).
Here, we can see that :

  • P1 must be 00
  • P2 is the address of the first page to be read
  • Le must a multiple of 4.

We want to read the whole memory, starting from page 4: this means we want to read 12 pages of 4 bytes, so 48 bytes (ie: 30 in hexadecimal).
So the APDU is :
FF B0 00 04 30

To send this APDU, please use our PC/SC Diagnostic tool, available on our main site (QuickStart for PC/SC).

Put the card on the reader: its ATR prints. To understand what this means, you can check §4.1.2 (at the time of this writing) in the developer’s reference manual.

ATRNow, double-clic on the line corresponding to the reader and enter the above-mentioned APDU :

read_capduClic on Transmit, or press “Enter”: the APDU is sent to the card and its response is printed in the bottom.

read_rapduThe card has obviously been previously written and the ASCII translation is provided: “Mifare Ultralight card, used with Prox’N’Roll”.
Please note that the card’s reponse ends with “90 00”, which means success.

UPDATE BINARY

In the developer’s reference manual, the UPDATE BINARY instruction is described in §2.2.5 at the time of this writing.

The APDU is :

  • CLA: FF
  • INS: D6
  • P1: Address MSB
  • P2: Address LSB
  • Lc: Lenght of Data In
  • Data in: Bytes to be written
  • Le: not needed

The specifics to write Mifare Ultralight cards are detailed in §4.3.3.b (at the time of this writing).
Here, we can see that :

  • P1 must be 00
  • P2 is the address of the unique page to be written
  • Le must be 4.

We want to replace “Prox’N’Roll” by “SpringCard” in the card memory, so we first have to determine which pages must be updated. Remember that Le must be 4 : this means that we can write exactely 4 bytes at a time (one page), no more, no less.

To determine the content of each page, just use the READ BINARY APDU.
For example, for page 12, the APDU should be : FF B0 00 0C 04

read_single_pageUsing those commands, we can see that:

  • content of page 12 (0x0C) is 68 20 50 72 (in ASCII : “h Pr”)
  • content of page 13 (0x0D) is 6F 78 27 4E (in ASCII: “ox’N”)
  • content of page 14 (0x0E) is 27 52 6F 6C (in ASCII: “‘Rol”)
  • content of page 15 (0x0F) is 6C 00 00 00 (in ASCII: “l” followed by invalid characters)

So, we’ll need to change 4 pages : pages 12, 13, 14 and 15.

SpringCard in ASCII is : “53 70 72 69 6E 67 43 61 72 64”

The 4 APDUs (one for each page) should be:

  • page 12: FF D6 00 0C 04 68 20 53 70 (the first two bytes remain unchanged)
  • page 13: FF D6 00 0D 04 72 69 6E 67
  • page 14: FF D6 00 0E 04 43 61 72 64
  • page 15: FF D6 00 0F 04 00 00 00 00 (we replace the first byte)

Enter those APDUs and click on “Transmit” :

write_single_pageOperation is successful if the card answers 90 00.

Now, you can read back the whole memory, using FF B0 00 04 0C:

final_readWe can see that “Prox’N’Roll” has been replaced by “SpringCard” in the card memory.

 

 

PC/SC Troubleshooting on Windows

Following our PC/SC installation guide on Windows, you’ve installed the appropriate driver, and made sure the “Smart Card” service is running on your Windows computer.
But still, your PC/SC reader doens’t appear on PC/SC Diagnostic.

Please first check in your device manager that your SpringCard PC/SC reader is properly installed (it should appear under Smart Card Reader).

Now, if the drivers are properly installed, the “Smart Card” service is running, but the reader doesn’t show up on the diagnostic tool, the reason must be one of the following :

  1. A third party security-related software or single-login solution takes full control over the PC/SC subsystem
  2. The computer is either running in a virtual machine or in a remote session on a terminal server
  3. Access to PC/SC readers has been disabled by the corporate administrators through a group policy
  4. A driver from one of our competitors has corrupted the registry

For reasons 1 and 2, SpringCard cannot offer any help.

For reason 3 : you should try to run a copy of our PC/SC Diagnostic tool, located on the C: drive, being logged in as Administrator. If this works, your reader is properly installed.

For reason 4, the problem is in the registry permission for LOCAL_SERVICE :
Open the registry editor (“regedit”) :

  1. Right-click on the key HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Calais and select Permissions…
  2. Click Add.
  3. Click Advanced.
  4. Click Locations.
  5. Click on the computer name and click OK.
  6. In the window ‘Select user or groups’, click on Find now.
  7. Select LOCAL SERVICE.
  8. Click OK.
  9. In the window ‘Select user or groups’, click OK.
  10. In the window ‘Permissions for Calais’, click on LOCAL SERVICE and make sure ‘Full control’ , ‘Read’ and ‘special permissions’ are allowed.
  11. In the window “Advance Security Settings for Calais”, deactivate the options “Inherit from parent the permission entries that apply to child objects…”
  12. When the window “Security” appears, click Copy.
  13. In the window “Advance Security Settings for Calais”, activate the option “Replace permission entries on all child objects with entries shown here that apply to child objects” and click OK.
  14. In the window “Security” click Yes
  15. In the window “Permissions for Calais”, click OK.

Restart the computer.

Accessing Reader’s configuration from command line and in batch mode

All SpringCard PC/SC Readers feature a set of Configuration Registers that allow to alter the Reader behaviour to match a particular hardware setup or end-user requirement.

Editing the configuration is easy thanks to MultiConf, the new versatile configuration tool that covers all SpringCard products. But MultiConf is a GUI-application. When it comes to configuring numerous readers at once (with the same settings of course), a command-line tool, suitable to operate in batch mode, could be preferred.

This is typically the aim of pcscconf, a simple command-line utility (targetting Windows systems).

Getting started with pcscconf

Download pcscconf (and its companion tool pcscinfo) (ZIP)

Extract the ZIP archive in the directory of the choice. There are 3 files in the archive:

  • pcscconf.exe, the tool we’ll be using
  • pcscinfo.exe, a software to retrieve all information regarding the connected readers (version, serial numbers, etc)
  • pcsctool.dll, the library that makes both software work.

Open a command-line box in the directory where you’ve extracted the archive, and at the prompt enter

pcscconf

pcscconf-1
pcscconf-2

Reading current configuration

Enter

pcscconf -d

to dump the current configuration.

pcscconf-3

It is also possible to enter

pcscconf -d <Filename>

to dump the configuration to a file. pcscconf uses the same file format as MultiConf.

If the file already exists, use

pcscconf -df <Filename>

to force the overwrite.

Changing a configuration register

Use syntax

pcscconf -s <RegisterAddress>=<RegisterValue>

 

pcscconf-4

To erase a register (i.e. restore product’s default value), use syntax

pcscconf -s <RegisterAddress>

Applying a new configuration from a file

Use syntax

pcscconf -u <Filename>

to upload the configuration from the file into the reader.

There’s no confirmation prompt or ‘Are you sure’ dialog box. Be sure to double-check the content of your file before uploading it into the reader.

pcscconf-5

Do not forget…

Changing a reader’s configuration will change its behaviour! You’re using this software at one risk. Always refer to the reader’s detailed Developer’s Guide or use MultiConf to choose the appropriate values.

Some registers play a special role and are therefore protected before delivery. This is the case of registers C0 and F0 to FF. Trying to write in one of these registers will always fail.

pcscconf targets the SpringCard PC/SC Readers only (and not the RFID Scanners, /RDR family and access control readers, nor the Legacy products).

pcscconf is able to work with only one PC/SC Reader at once. If you run pcscconf with two readers or more connected to your computer, the software will issue a warning and exit.

Introducing the new FunkyGate-IP NFC

SpringCard‘s technical team is proud to announce the launch of a new generation of contactless readers for high-end access control applications, the FunkyGate NFC family.

Using the same shell as previous generation’s FunkyGate-DW (Dataclock, Wiegand and RS485 interfaces) and FunkyGate-SU (RS232 and USB interfaces), the FunkyGate NFC family introduces a brand-new member, the FunkyGate-IP NFC.

As the name suggests, the FunkyGate-IP NFC brings the power of TCP/IP up to the door or gate. A standard RJ45 plug connects the reader to any Ethernet LAN (10 or 100 Mbps). More than that, the FunkyGate-IP+POE NFC reader is powered directly by the network (Power Over Ethernet), thus removing the need for the classical 12V power cable.

The FunkyGate-IP+POE eases the job of wiring the building to before installing the access control system. With only a single Cat5e right to the door, the reader is operational as soon as it is plugged to the network.

The FunkyGate-IP+POE eases the job of wiring the building before installing the access control system. With only a single Cat5e right to the door, the reader is operational as soon as it is plugged to the network.

The FunkyGate-IP NFC and FunkyGate-IP+POE NFC readers take full benefit of SpringCard‘s know-how in all the various 13.56MHz protocols, and pave the way for a easier and wider use of NFC mobile phones in access control and identification applications.

SpringCard MultiConf is a new, versatile, configuration application for all SpringCard products. Define the FunkyGate-IP NFC's configuration, write this configuration into a Master Card, apply this Card to all the readers you want to configure, and voila!

SpringCard MultiConf is a new, versatile, configuration application for all SpringCard products. Define the FunkyGate-IP NFC’s configuration, write this configuration into a Master Card, apply this Card to all the readers you want to configure, and voila!

Thanks to the 4 card processing templates -a concept shared with the Prox’N’Roll RFID Scanner and among all SpringCard standalone readers-, the FunkyGate-IP NFC is able to fetch virtually any data from current contactless cards and RFID tags.

The ‘NFC’ in the product’s name denotes the exclusive ability to support new reading schemes based on NFC Forum’s concepts :

  • Read an NDEF record stored on a NFC Tag and retrieve its data,
  • Receive an NDEF message from a mobile phone, using NFC Peer-to-peer technology (SNEP over LLCP, Push mode : PUT request from smartphone to reader),
  • Get data from a card-emulation application, possibly running on an Android system thanks to the HCE (Host Card Emulation) feature.
Thanks to Android's 4.4 HCE mode, the FunkyGate-IP is able to get an identifier or perform a transaction over the NFC smartphone, even in screen-off mode. (this is also an unusual selfie)

Thanks to Android’s 4.4 HCE mode, the FunkyGate-IP is able to get an identifier or perform a transaction over the NFC smartphone, even in screen-off mode.
(this is also an unusual selfie)

When it comes to communication with the access control system (embedded control unit or computer running an access control server application), FunkyGate-IP NFC provides an efficient, low-overhead, fully secured communication protocol using TCP sockets and AES cipher for authentication, integrity and confidentiality.

An SDK will be released soon, together with a demo of an access control server application running on a small Linux system, typically a Raspberry Pi.

The reader also embeds a tiny HTTP server that makes it possible to develop a client application in no-time using high-level languages. A simple REST API exposes the reader’s behaviour (basically controlling the LEDs and buzzer) and the card/tag numbers to the outer world.

An example setup of using the FunkyGate-IP in the cloud: the reader provides data using a REST API (HTTP request, JSON content). The demo application runs in the browser (JavaScript).

An example setup of using the FunkyGate-IP in the cloud: the reader provides data using a REST API (HTTP request, JSON content). The demo application runs in the browser (JavaScript).
(click the image to enlarge)

FunkyGate-IP NFC HTTP access (REST) demo-page

Using the FunkyGate-IP NFC through HTTP: a demo-page showing how to use the REST API from a JavaScript application (if you have a FunkyGate-IP, use the demo at www.springcard.com/goto/iwm2/

First batches of FunkyGate-IP NFC (and FunkyGate-IP+POE NFC) are already shipping to our early-adopters. Don’t hesitate to contact us for a demo or to evaluate the product.

New documents and the SDK will be published on our web site in the oncoming weeks. In a second step, the E663, which is the core the FunkyGate-IP NFC is built on, will be offered to developers and integrators as a versatile Ethernet-based RFID/NFC OEM module. Stay tuned !

The FunkyGate-IP is built upon the new SpringCard E663 core. Supporting Ethernet and TCP/IP, this OEM RFID/NFC module could be the basis of new generation solutions that closes the gap between contactless smartcard technologies and today's cloud architectures.

The FunkyGate-IP is built upon the new SpringCard E663 core. Supporting Ethernet and TCP/IP, this OEM RFID/NFC module could be the basis of new generation solutions that closes the gap between contactless smartcard technologies and today’s cloud architectures.

.

EAS management for ICODE SLI/SLI-X (standard, type S and type L)

ICODE SLI are ISO 15693 compliant but feature proprietary extensions not implemented in the reader’s firmware. However, you can use those features in transparent mode. The following post will focus on EAS management with this type of tag. The function entries described are available in the CSB6 SDK.


EAS management in the different ICODE SLI types 

The way to access to the EAS field depend on the type of ICODE used. With ICODE SLI/SLI-X type L and S, EAS field can be password protected. Once password protected, a “set password” command must be sent to the card once in the RF field or if the password is modified. It will allow the execution of most of the other commands. This security is not available on classic ICODE SLI/SLI-X.


Transparent mode APDU structure

Most of the frames sent to the card contains :

Flags (1 byte) :
Those are detailed in the ISO 15693 documentation.

Command ID (1 byte) :
Allows to identify the type of command sent.

IC manufacturing code (1 byte) :
It refers to the tag type and is contained in the UID of the tag. For NXP Semiconductors, This code is 04h.

UID (8 bytes).

Some other fields are command specific and will be detailed below.


Command available in the SDK

*** AVAILABLE FOR ALL ICODE SLI TYPES ***

Set EAS
Available with void set_EAS(BYTE snr[8]);  
Set EAS status to 1.                                                                        

Reset EAS
Available with void reset_EAS(BYTE snr[8]); 
Set
 EAS status to 1.

Lock EAS
Available with void lock_EAS(BYTE snr[8]); 
This field is commented in the source code. Once locked, EAS cannot be modified anymore.

AVAILABLE FOR ICODE SLI/SLI-X S and L types

Protect EAS
Available with void protect_EAS(BYTE snr[8]);
This command allows to protect the EAS field with a password. Once set, this field cannot be changed and you will have to use the “set password” command to modify the EAS status.

Get random number
Available with short get_random_nb(BYTE snr[8], BYTE * rd_nb)      
It will request a 2 bytes randomly generated code required for a proper use of the “set password” command.

Set password
Available with void set_password(BYTE snr[8], BYTE password[4])
This command requires specific fileds : a password ID to inform the card of which fields are needed to be unlocked, and the previously stored password XOR two random numbers acquired with the “get random number” command.

ex :  if the last password was (00 00 00 00)h, and the last “get random number” command return you (0A 25)h, the 4 bytes to pass as command parameters will be (0A 25 0A 25)h.

Write password
Available with void write_password(BYTE snr[8], BYTE password[4])
Write a new password in the card (if the password field has not been locked).

Lock password
Available with void lock_password(BYTE snr[8])
This function is commented in the source code. Once locked, the password cannot be changed.


 About the reference application

The application manual is available via the executable call.
A simple [EXECUTABLE NAME] [COM] [HELP] will display the commands available.

KitKat: Impact of the latest Android OS on card emulation

“Who controls the smartphone?” is the obvious question that can lead to generating profits from every transaction by the controlling parties.

NFC use on smartphones allows for 3 modes of operation:  tag reading/writing, peer-to-peer and card emulation. The card emulation mode is the most interesting mode for the companies involved in such developments because it immediately generates cash flow. The business model is simple: one just needs to replace the existing cards (payment, transportation, etc.). A fraction of the millions of transactions performed everyday by those cards can then be transformed into profit for those controlling the smartphone.

Since 2005-2006, when NFC made its start, we have been witnessing a war among manufacturers; between those controlling the hardware and/or controlling its operating system, neither of which have strong ties with final users; and the cellphone carriers who are controlling the SIM and have strong customer relations through subscription plans.

From each side of the battlefield, the same argument is always pointed out: a transaction implies security requirements, and a security requirement implies embedded applications in a secured processor. The cellphone carriers argue that the SIM card is the best choice, since it is a secured processor and it is already present without any additional cost. The manufacturers argue that a secured processor (Secure Element) has to be added on the motherboard, the extra cost being minimal and the user being able to freely change transaction service providers without having to transfer his or her telephone service to a new vendor requiring a new SIM card.

In the middle of the battle ground, a new contender has emerged: the TSM (Trusted Service Manager), provides a unique and portable service whatever the underlying technical context, for a fee of course.

Until last week, the position of each party had remained frozen since the war started in 2005-2006. And then KitKat arrived.

KitKat is the code name for Android’s new 4.4 Operating System. And in the presentation of KitKat, from the second paragraph, one can read:

Android 4.4 introduces new platform support for secure NFC-based transactions through Host Card Emulation (HCE), for payments, loyalty programs, card access, transit passes, and other custom services. With HCE, any app on an Android device can emulate an NFC smart card, letting users tap to initiate transactions with an app of their choice — no provisioned secure element (SE) in the device is needed.(http://developer.android.com/about/versions/android-4.4.html)

Technically nothing really new; BlackBerry offered the same principle in the latest version of its OS. But Android’s market share is significantly different from BlackBerry’s market share! With this support, developers of sector-specific applications (access control, loyalty) finally have a solution to develop the card emulation mode on smartphones easily and without depending on anyone.

A few technical points to keep in mind:

1.      Card emulation « within the host » (HCE) cannot work if the phone is turned off (deliberately turned off or out of battery), whereas within some SIM-centric or SE-centric architectures it is sometimes possible to perform a transaction with a turned off smartphone.

2.      The main processor of the smartphone (baseband) isn’t a secure processor. Applications requiring a critical level of security (i.e., whenever the profits from the fraud is higher than the cost of the fraud: payment, public transportation, high security level access control, ID cards…) shouldn’t be implemented in this mode.

3.      The transaction times may perform less well; furthermore, they may operate less consistently than a classic implementation within a secured processor – which by nature is independent from other applications running on the smartphone.

4.      The technical architecture is based on ISO 14443 layer 4, type A, ISO 7816-4 for APDUs formalism, and ISO 7816-5 for the application selection by the reader thanks to a unique AID. Any application out of this frame wouldn’t qualify for the HCE porting. This is especially the case of some French « public transportation » implementations for which the readers only implement ISO 14443 type B.

Now, how do you implement that in the real world?

Step one, own a smartphone or a tablet running Android 4.4. Step two, download the latest SDK (API version 19). Step three, start coding!

(http://developer.android.com/reference/android/nfc/cardemulation/HostApduService.html)

1.      Declare in the Manifest of your application that you want to create a HostApduService, and associate one or several AIDs,

2.      Implement the method processCommandApdu which receives the C-APDU from the reader – and has to return the R-APDU to be re-sent. The first C-APDU received is the SELECT AID that activated your application,

3.      Implement the method onDeactivated to perform the closing of the channel (reader lost, S-DESELECT reception, selection of another application).

JavaCard developers won’t be confused; the names are different but the overall mechanics are similar (except for the initial select).

Please note that processCommandApdu is called in the main thread of the application. If the answer isn’t immediately available (if it comes from a distant server or if a user input is needed, for example), the application logic has to return a “NULL”. In a second time the application will call the function sendResponseApdu to answer efficiently. In the meantime the OS and the NFC Chipset keep the reader waiting using S-WTX.

If you are interested in NFC applications, please check our NFC readers/encoders, H512 and NFC’Roll.