
Bypass ISO 7816 cmd requirements

Android requires the first command to conform to an ISO 7816 SELECT
command for AID selection. Bypassing this requirement allows NFCGate to
receive any NFC traffic.
This hook is only active if NFCGate is in tag mode.
kleest committed Dec 28, 2019
1 parent e6bb089 commit 0f03e657de49f655d3faf7df65865fde55b40b9d
@@ -51,7 +51,7 @@ protected void afterHookedMethod(MethodHookParam param) throws Throwable {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {

if (isHookEnabled() && param.getResult() != null) {
if (isHookEnabled()) {
// setting a result will overwrite the original result
// F0010203040506 is a aid registered by the nfcgate hce service
param.setResult("F0010203040506");
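Review bot: With the `param.getResult() != null` guard removed, `isHookEnabled()` is now the only condition standing between every first HCE command on the device and NFCGate's service — a SELECT carrying another installed HCE app's AID is rewritten too, as it already was before this change. The comment at the `setResult` line should state that, e.g. `// while the hook is enabled, every first command (SELECT or not) is routed to the NFCGate HCE service; other HCE apps' AIDs are shadowed`. The literal `F0010203040506` duplicates the AID the service registers elsewhere (presumably the HCE service's apduservice descriptor), so it should be a shared named constant rather than a string repeated in two places that can drift apart. afterHookedMethod continues past the end of this hunk.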
@@ -39,6 +39,10 @@ class Hook {
return mHook != nullptr;
}

void *symbol() {
return mSymbol;
}

private:
bool constructTrampoline();
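Review bot: The new accessor only reads `mSymbol`, so it should be a `const` member, `void *symbol() const { return mSymbol; }`, and it needs a contract comment saying whether the pointer can be null: the `return mHook != nullptr;` just above suggests failed lookups are represented by null in this class, and the new caller in the .cpp casts the result to `tCE_CB *` and dereferences it without a check. Suggested comment above it: `// raw address the symbol resolved to; nullptr if the lookup failed — callers must check`, to be confirmed against the constructor, which is outside this hunk. class Hook continues outside the hunk.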

@@ -13,12 +13,15 @@
extern Config origValues, hookValues;
extern bool hookEnabled;
extern Hook *hNFC_SetConfig;
extern Hook *hce_select_t4t;
extern Hook *hce_cb;
tNFC_STATUS hook_NFC_SetConfig(UINT8 tlv_size, UINT8 *p_param_tlvs);
tNFC_STATUS hook_NFC_Deactivate(UINT8 deactivate_type);
tNFA_STATUS hook_NFA_StopRfDiscovery();
tNFA_STATUS hook_NFA_DisablePolling();
tNFA_STATUS hook_NFA_StartRfDiscovery();
tNFA_STATUS hook_NFA_EnablePolling(tNFA_TECHNOLOGY_MASK poll_mask);
tNFC_STATUS hook_ce_select_t4t (void);

inline const char *libnfc_path() {
#ifdef __aarch64__
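Review bot: The new prototype `tNFC_STATUS hook_ce_select_t4t (void);` breaks the style of its siblings, which are written like `tNFA_STATUS hook_NFA_StopRfDiscovery();` with no `(void)` and no space before the parameter list; `tNFC_STATUS hook_ce_select_t4t();` keeps the declarations uniform. `hce_cb` is the first `Hook` declared here that names a data object rather than a function (the .cpp passes a null replacement and only ever reads its address), which deserves a comment at its extern, e.g. `// ce_cb is the NFC stack's CE control block (data, not a function) — only its address is used, never hooked`; this is inferred from the usage on this page, since ce_cb itself is defined inside libnfc-nci.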
@@ -5,6 +5,8 @@ SymbolTable *SymbolTable::mInstance;
Config origValues, hookValues;
bool hookEnabled = false;
Hook *hNFC_SetConfig;
Hook *hce_select_t4t;
Hook *hce_cb;
Hook *hNFC_Deactivate;
Hook *hNFA_StopRfDiscovery;
Hook *hNFA_DisablePolling;
@@ -99,6 +101,23 @@ tNFA_STATUS hook_NFA_EnablePolling(tNFA_TECHNOLOGY_MASK poll_mask) {
return r;
}

tNFC_STATUS hook_ce_select_t4t (void) {
hce_select_t4t->precall();

LOGD("hook_ce_select_t4t()");
LOGD("hook_ce_select_t4t Enabled: %d", hookEnabled);

tNFC_STATUS r = hce_select_t4t->call<decltype(hook_ce_select_t4t)>();
if (hookEnabled) {
auto ce_cb = (tCE_CB *) hce_cb->symbol();
// bypass ISO 7816 SELECT requirement for AID selection
ce_cb->mem.t4t.status |= CE_T4T_STATUS_WILDCARD_AID_SELECTED;
}

hce_select_t4t->postcall();
return r;
}

static void hookNative() {
// check if NCI library exists and is readable + is loaded
const char *lib_path = libnfc_path();
@@ -125,4 +144,6 @@ static void hookNative() {
hNFA_StartRfDiscovery = new Hook(handle, "NFA_StartRfDiscovery", nullptr);
hNFA_EnablePolling = new Hook(handle, "NFA_EnablePolling", nullptr);
#endif
hce_select_t4t = new Hook(handle, "ce_select_t4t", (void *)&hook_ce_select_t4t);
hce_cb = new Hook(handle, "ce_cb", nullptr);
}
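Review bot: `hce_cb->symbol()` at `auto ce_cb = (tCE_CB *) hce_cb->symbol();` is cast and dereferenced on the very next line without a null check, so on a device whose libnfc-nci build lacks or renames `ce_cb` the hook would crash the NFC service process on every `ce_select_t4t` call while NFCGate is enabled — the surrounding code tests `mHook != nullptr` for the function side, but nothing tests the data symbol. Hoist the lookup above the condition and guard it: `if (hookEnabled && ce_cb != nullptr) {`, logging and leaving the status untouched otherwise. The comment on the `|=` line should also carry a caveat: the write uses `tCE_CB`'s field layout from whatever headers this is built against, and a layout mismatch with the device's libnfc-nci version would silently corrupt the NFC daemon's control block instead of failing, so the struct definition must match the target stack (assumed from the code; the header is not on this page). `hookNative` begins in the second hunk and the last hunk shows only its tail.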
