
nfc patches as module of the mainproject

UweM committed Feb 27, 2015
1 parent a964cbb commit dcd8b67f9a80b5a2f9ef4bc592500b88cf59a9a6
@@ -20,5 +20,6 @@ android {
}
dependencies {
compile fileTree(dir: 'libs', include: ['*.jar'])
compile fileTree(include: ['*.jar'], dir: 'libs')
compile project(':nfcd')
}
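Review bot: The `fileTree` dependency line appears to be rewritten only to swap its named arguments (`dir:` and `include:` in the other order), which changes nothing for Gradle and leaves a spurious modified line next to the real change. Keep `compile fileTree(dir: 'libs', include: ['*.jar'])` as it was and add only `compile project(':nfcd')`. The enclosing `android { }` block this hunk closes lies outside what is shown.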
@@ -0,0 +1 @@
/build
@@ -0,0 +1,34 @@
apply plugin: 'com.android.library'
android {
compileSdkVersion 19
buildToolsVersion "19.1.0"
defaultConfig {
minSdkVersion 19
targetSdkVersion 19
versionCode 1
versionName "1.0"
ndk {
moduleName "nfc.cy"
cFlags "-std=c++11 -fexceptions"
ldLibs "log", "substrate-dvm", "substrate -L${project.buildDir}/../src/main/libs/armeabi"
abiFilters "armeabi"
}
}
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
productFlavors {
}
sourceSets.main {
jniLibs.srcDir 'src/main/libs'
}
}
dependencies {
compile fileTree(dir: 'libs', include: ['*.jar'])
}
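Review bot: `ldLibs "substrate -L${project.buildDir}/../src/main/libs/armeabi"` smuggles a linker search path into a library name and anchors it to the build directory, so overriding `buildDir` (or a plugin version that quotes `ldLibs` entries) silently breaks the link against the vendored substrate libraries. Anchor the path to the project instead, `"substrate -L${project.projectDir}/src/main/libs/armeabi"`, which is the same directory `jniLibs.srcDir 'src/main/libs'` already points at, and add a comment saying the prebuilt substrate `.so` files are expected there. If the plugin version in use offers a separate linker-flags property, the `-L` belongs there rather than in `ldLibs`. `abiFilters "armeabi"` restricts the build to that one ABI; a one-line comment stating that the vendored substrate binaries exist only for armeabi would explain the restriction to the next reader.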
@@ -0,0 +1,17 @@
# Add project specific ProGuard rules here.
# By default, the flags in this file are appended to flags specified
# in /opt/android-sdk/tools/proguard/proguard-android.txt
# You can edit the include path and order by changing the proguardFiles
# directive in build.gradle.
#
# For more details, see
# http://developer.android.com/guide/developing/tools/proguard.html
# Add any project specific keep options here:
# If your project uses WebView with JS, uncomment the following
# and specify the fully qualified class name to the JavaScript interface
# class:
#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
# public *;
#}
@@ -0,0 +1,9 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="tud.seemuh.nfcgate.nfcd">
<application android:hasCode="false">
</application>
<uses-permission android:name="cydia.permission.SUBSTRATE"/>
</manifest>
@@ -0,0 +1,41 @@
#include "nfcd.h"
NFC_SetStaticRfCback *oldSetRfCback;
NFC_SetConfig *oldNfcSetConfig;
tCE_CB *ce_cb;
tNFC_STATUS newNfcSetConfig (UINT8 tlv_size, UINT8 *p_param_tlvs) {
LOGI("newNfcSetConfig, %02x", tlv_size);
for(UINT8 i=0; i<tlv_size; i++) {
LOGI("byte: %02x", p_param_tlvs[i]);
}
if(tlv_size == 0x06) {
p_param_tlvs[2] = 0x20; // SAK
UINT8 var_arr[] = {
// UID
0x33, 0x07, 0x04, 0x7e, 0x89, 0x49, 0xbe, 0x25, 0x80,
// HIST byte
0x59, 0x01, 0x80,
// ATQA (First byte)
0x31, 0x01, 0x03
};
oldNfcSetConfig(sizeof(var_arr), var_arr);
}
return oldNfcSetConfig(tlv_size, p_param_tlvs);
}
void newSetRfCback(tNFC_CONN_CBACK *p_cback) {
oldSetRfCback(p_cback);
if(p_cback != NULL) {
// fake that the default aid is selected
ce_cb->mem.t4t.status &= ~ (CE_T4T_STATUS_CC_FILE_SELECTED);
ce_cb->mem.t4t.status &= ~ (CE_T4T_STATUS_NDEF_SELECTED);
ce_cb->mem.t4t.status &= ~ (CE_T4T_STATUS_T4T_APP_SELECTED);
ce_cb->mem.t4t.status &= ~ (CE_T4T_STATUS_REG_AID_SELECTED);
ce_cb->mem.t4t.status |= CE_T4T_STATUS_WILDCARD_AID_SELECTED;
}
}
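Review bot: newSetRfCback dereferences `ce_cb` at `ce_cb->mem.t4t.status &= ...` without a NULL check, yet `ce_cb` is only ever assigned from an unchecked dlsym() in hookNative (main.cpp in this commit), so a renamed or stripped `ce_cb` symbol becomes a crash inside the NFC service instead of a logged failure; guard with `if(p_cback != NULL && ce_cb != NULL) {` and log the NULL case. In newNfcSetConfig the return value of the extra `oldNfcSetConfig(sizeof(var_arr), var_arr)` call is discarded, so a rejected UID/SAK/ATQA configuration goes unnoticed — at minimum log it when the status is not success. The `tlv_size == 0x06` match is keyed on length alone and then overwrites byte 2 as the SAK without inspecting the TLV type byte at `p_param_tlvs[0]`; which configuration call this is expected to intercept is not stated anywhere, and a comment naming it (and why length 6 identifies it) would let a reader judge whether the match is safe. The per-byte `LOGI("byte: %02x", ...)` loop also writes the real configuration, including the UID the hook replaces, to logcat on every call, which is fine for debugging but should be marked as such.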
@@ -0,0 +1,24 @@
#include "nfcd.h"
/**
* Hook Java Code to overwrite findSelectAid() behavior
**/
static jstring $HostEmulationManager$findSelectAid(JNIEnv *jni, jobject _this, jbyteArray byteArr) {
return jni->NewStringUTF("F0010203040506");
}
void hookJava(JNIEnv *jni, jclass _class) {
// hook into the findSelectAid method in the HostEmulationManager
jmethodID method = jni->GetMethodID(_class, "findSelectAid", "([B)Ljava/lang/String;");
if (method != NULL) {
LOGI("captain hook");
MSJavaHookMethod(jni, _class, method, (void *) &$HostEmulationManager$findSelectAid, NULL);
} else {
LOGE("nope");
LOGI("Exception");
jni->ExceptionDescribe();
jni->ExceptionClear();
}
}
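Review bot: The replacement `$HostEmulationManager$findSelectAid` ignores its `byteArr` argument and returns the fixed string `"F0010203040506"` for every call, which the only comment (`Hook Java Code to overwrite findSelectAid() behavior`) does not say; spell it out, e.g. `// Ignores the SELECT APDU bytes and always reports AID F0010203040506 as selected (presumably so every SELECT is routed to that AID — confirm against HostEmulationManager)`. The hard-coded AID mirrors the "default aid" assumption made in the native hook and would be easier to keep in sync as a named constant, `static const char *const FAKE_AID = "F0010203040506";`. Identifiers containing `$` are a toolchain extension rather than standard C++; they compile under the NDK but deserve a note if the module is ever built elsewhere. `NewStringUTF` can return NULL on allocation failure, which the caller would then see as a null AID; with a 14-character literal that is mostly theoretical, but worth a comment.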
@@ -0,0 +1,59 @@
#include "nfcd.h"
#include <dlfcn.h>
#include <unistd.h>
static void onHostEmulationLoad(JNIEnv *jni, jclass _class, void *data);
static void hookNative();
// configure substrate to hook into the app_process process (zygote)
MSConfig(MSFilterExecutable, "/system/bin/app_process")
MSInitialize {
// when in zygote, register for a callback when the HostEmulationManager gets loaded.
// this is our signal that we reached the nfd daemon process
const char *classname = "com/android/nfc/cardemulation/HostEmulationManager";
MSJavaHookClassLoad(NULL, classname, &onHostEmulationLoad);
}
static void onHostEmulationLoad(JNIEnv *jni, jclass _class, void *data) {
LOGI("onHostEmulationLoad, loading hooks");
// hooking into the java and native part of the nfcd
hookJava(jni, _class);
hookNative();
}
static void hookNative() {
const char *libfile = "/system/lib/libnfc-nci.so";
if( access(libfile, F_OK) == -1 ) {
LOGE("could not access %s to load symbols", libfile);
return;
}
void *handle = dlopen(libfile, 0);
// find function pointer to NFC_SetStaticRfCback symbol and hook into it
void *fptr = dlsym(handle, "NFC_SetStaticRfCback");
if(fptr) {
MSHookFunction(fptr, (void*)&newSetRfCback, (void**)&oldSetRfCback);
LOGI("hooked: NFC_SetStaticRfCback");
} else {
LOGE("could NOT hook: NFC_SetStaticRfCback");
}
// find pointer to ce_t4t control structure
ce_cb = (tCE_CB*)dlsym(handle, "ce_cb");
// find NFC_SetConfig
void *fptr2 = dlsym(handle, "NFC_SetConfig");
if(fptr2) {
MSHookFunction(fptr2, (void *) &newNfcSetConfig, (void **) &oldNfcSetConfig);
LOGI("hooked: NFC_SetConfig()");
} else {
LOGE("could NOT hook: NFC_SetConfig()");
}
}
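Review bot: The `dlopen(libfile, 0)` handle is passed straight to dlsym() without a NULL check, and the `ce_cb = (tCE_CB*)dlsym(handle, "ce_cb")` result is likewise never checked, so a failed load or a missing symbol is carried silently into the hooks (that unchecked `ce_cb` is dereferenced by newSetRfCback in hooks.cpp). The mode `0` is also not a documented dlopen flag — POSIX requires RTLD_LAZY or RTLD_NOW — and relying on bionic to accept it is an implementation detail. The `access(libfile, F_OK)` probe adds nothing a checked dlopen() does not already report and is a check-then-use window besides. Suggested prologue and `ce_cb` check below; the two MSHookFunction blocks are unchanged.
```cpp
static void hookNative() {
    const char *libfile = "/system/lib/libnfc-nci.so";
    // dlopen() reports a missing or unloadable library itself; no separate access() probe needed
    void *handle = dlopen(libfile, RTLD_NOW);
    if (handle == NULL) {
        LOGE("could not dlopen %s: %s", libfile, dlerror());
        return;
    }
    // … unchanged: NFC_SetStaticRfCback lookup and hook …
    ce_cb = (tCE_CB*)dlsym(handle, "ce_cb");
    if (ce_cb == NULL) {
        LOGE("could NOT resolve ce_cb: %s", dlerror());
    }
    // … unchanged: NFC_SetConfig lookup and hook …
}
```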
@@ -0,0 +1,23 @@
#ifndef __ANDROID__
#define __ANDROID__
#endif
#include <android/log.h>
#include <jni.h>
#include "vendor/substrate.h"
#include "vendor/libnfc.h"
#define LOG_TAG "NATIVENFC"
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__ )
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
// java.cpp
void hookJava(JNIEnv *jni, jclass _class);
// hooks.cpp
tNFC_STATUS newNfcSetConfig (UINT8 tlv_size, UINT8 *p_param_tlvs);
void newSetRfCback(tNFC_CONN_CBACK *p_cback);
extern NFC_SetStaticRfCback *oldSetRfCback;
extern NFC_SetConfig *oldNfcSetConfig;
extern tCE_CB *ce_cb;
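Review bot: The header has no include guard; it is included once per translation unit today so it links, but the three `extern` declarations and the LOG macros would be redefined the moment a second header pulls it in — open with `#ifndef NFCD_H` / `#define NFCD_H` and close with `#endif /* NFCD_H */`. The `#define __ANDROID__` fallback defines an identifier in the reserved double-underscore namespace that the NDK toolchain normally predefines; if it exists for a non-NDK build, a comment such as `// __ANDROID__ is predefined by the NDK toolchain; defined here for builds outside it` would stop someone from removing it, and if it is not needed it should go. `LOGI`/`LOGE` forward their first argument to __android_log_print as the format string, so callers must only ever pass string literals there; a one-line comment on the macros makes that contract visible.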