
I'm working on a project to emulate a transport card on an Android phone. I've read through the Android KitKat documentation and found that, in order to emulate a card with a secure element, I need to inherit from OffHostApduService.

However, after spending a lot of time on Google, I couldn't find what to write in the onBind function to redirect APDUs from the other NFC device to my mobile device's SIM card.

The card is NFC-A and NFC-B compatible. Does that mean I can send commands to it using the NfcA or NfcB class?

I work on a Samsung Galaxy 3 and a Samsung Galaxy 4 Mini, which both have the Open Mobile API or at least the SmartCard API. I can't patch my system, since the goal is to prove that this is possible on market devices.

Thanks for your help !!

Morendo
  • What Android device are you using? – Michael Roland Feb 11 '14 at 14:56
  • I have a Gnex, GS3, GS2, and others, but actually I need my application to work on all Android phones if possible – Morendo Feb 11 '14 at 15:00
  • I can only comment for the Nexus 5 so far: Off-host routing does not currently work on that device as of the official Android 4.4.2 release. See [this answer](http://stackoverflow.com/questions/21110392/kitkat-how-to-route-apdus-to-the-sim/21295755#21295755) for further details. – Michael Roland Feb 11 '14 at 15:17
  • I have already seen that answer but thanks ! Any advice on how to do the routing ? – Morendo Feb 11 '14 at 15:24
  • 1
    Well, as far as I know the host card emulation feature of Android 4.4 (which includes the off-card APDU stuff) does not work at all with NXP-chipset based devices (as of Android 4.4.2). – Michael Roland Feb 11 '14 at 15:59
  • I still found no way to route APDUs to the sim using the Nexus 5 and the Nexus 4. – charno Feb 12 '14 at 15:41

1 Answer


The following patches will turn on NFC card emulation routing to the UICC on 4.4 on Nexus 5 :

First in device/lge/hammerhead folder

diff --git a/nfc/libnfc-brcm-20791b05.conf b/nfc/libnfc-brcm-20791b05.conf
index 0ef61c3..9348673 100644
--- a/nfc/libnfc-brcm-20791b05.conf
+++ b/nfc/libnfc-brcm-20791b05.conf
@@ -26,10 +26,10 @@ LPTD_CFG={38:B9:36:01:00:FF:FF:08:00:00:00:A0:0F:40:00:00:12:02:10:00:00:00:2D:0
 #
 # This is applied at stack startup.
 # Use for Host based CE
-NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02
+#NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:0

 # Support UICC
-#NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:03:FF:80:01:01:C9:03:03:0F:AB:5B:01:02:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:0
+NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:10:B5:03:01:03:FF:80:01:01:C9:03:03:0F:AB:5B:01:02:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02

 ###############################################################################
 # Pre-Discovery Startup Configuration (256 bytes maximum)
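Review bot: The `NFA_DM_START_UP_CFG` values in this hunk are cut off as shown here: the lines end at `C2:02` or `C2:0` with no closing `}`, so the patch cannot be applied or verified from this text alone and the enabled value has to be compared against the complete line in the device tree. In the visible part the host-CE and UICC variants differ in only two places (`B5:03:01:02` vs `B5:03:01:03` and `5B:01:00` vs `5B:01:02`). Since the blob is otherwise opaque, a comment above the enabled line such as `# UICC variant: differs from the host-CE value only in the B5 and 5B items` would let a later reader confirm that nothing else changed.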
@@ -39,7 +39,7 @@ NFA_DM_START_UP_CFG={45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:0F:00
 # Do not set NFA_DM_PRE_DISCOVERY_CFG

 # Support UICC
-#NFA_DM_PRE_DISCOVERY_CFG={0A:C2:08:01:88:00:04:40:4B:4C:00}
+NFA_DM_PRE_DISCOVERY_CFG={0A:C2:08:01:88:00:04:40:4B:4C:00}

 ###############################################################################
 # Antenna Configuration - This data is used when setting 0xC8 config item
diff --git a/nfc/libnfc-brcm.conf b/nfc/libnfc-brcm.conf
index 4840a54..afe80cd 100644
--- a/nfc/libnfc-brcm.conf
+++ b/nfc/libnfc-brcm.conf
@@ -2,8 +2,10 @@

 ###############################################################################
 # Application options
-APPL_TRACE_LEVEL=0x01
-PROTOCOL_TRACE_LEVEL=0x00000000
+#APPL_TRACE_LEVEL=0x01
+#PROTOCOL_TRACE_LEVEL=0x00000000
+APPL_TRACE_LEVEL=0xFF
+PROTOCOL_TRACE_LEVEL=0xFFFFFFFF

 ###############################################################################
 # performance measurement
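Review bot: Setting `APPL_TRACE_LEVEL=0xFF` and `PROTOCOL_TRACE_LEVEL=0xFFFFFFFF` is a debugging aid that should not remain in a build used with a real transport card. Full protocol tracing presumably writes the traffic between the host and the NFC controller into the device log, and for anything handled on the host side that can include APDU payloads readable by whatever has log access. The change is also unrelated to enabling UICC routing, so it belongs in a separate, clearly temporary patch; the routing patch itself can keep `APPL_TRACE_LEVEL=0x01` and `PROTOCOL_TRACE_LEVEL=0x00000000`.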
@@ -75,7 +77,7 @@ NFCC_ENABLE_TIMEOUT=1000
 # so that the stack will not wait any longer than necessary.
 #
 # Use for Host based CE
-NFA_MAX_EE_SUPPORTED=0
+#NFA_MAX_EE_SUPPORTED=0

 # Use for UICC support
 # NFA_MAX_EE_SUPPORTED=3
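Review bot: After this hunk `NFA_MAX_EE_SUPPORTED` is not set at all: the host-CE value `NFA_MAX_EE_SUPPORTED=0` is commented out, but the UICC line below it stays commented as `# NFA_MAX_EE_SUPPORTED=3`, unlike `ACTIVE_SE` in the following hunk, where the UICC value is enabled. The stack then falls back to its built-in default, which this file does not show. If that is intended, say so with a comment such as `# left unset on purpose: stack default is used for UICC`; otherwise enable `NFA_MAX_EE_SUPPORTED=3` so the file states the value explicitly.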
@@ -88,10 +90,10 @@ NFA_MAX_EE_SUPPORTED=0
 # system in order to skip SE initialization.
 #
 # Use for Host based CE
-ACTIVE_SE=0x0
+#ACTIVE_SE=0x0

 # Use for UICC support
-#ACTIVE_SE=0xF3
+ACTIVE_SE=0xF3

 ###############################################################################
 # Configure the NFC Extras to open and use a static pipe.  If the value is

Then in folder packages/apps/Nfc :

diff --git a/src/com/android/nfc/cardemulation/AidRoutingManager.java b/src/com/android/nfc/cardemulation/AidRoutingManager.java
index 154bcf3..951fb2d 100644
--- a/src/com/android/nfc/cardemulation/AidRoutingManager.java
+++ b/src/com/android/nfc/cardemulation/AidRoutingManager.java
@@ -41,7 +41,8 @@ public class AidRoutingManager {
     // For Nexus devices, just a static route to the eSE
     // OEMs/Carriers could manually map off-host AIDs
     // to the correct eSE/UICC based on state they keep.
-    static final int DEFAULT_OFFHOST_ROUTE = 0xF4;
+//    static final int DEFAULT_OFFHOST_ROUTE = 0xF4;
+    static final int DEFAULT_OFFHOST_ROUTE = 0xF3; // pkvk9345

     final Object mLock = new Object();
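Review bot: The comment above the constant still says "just a static route to the eSE", but the new value `0xF3` is the one the accompanying config enables under "Use for UICC support" (`ACTIVE_SE=0xF3`), so comment and code now disagree. Update it to something like `// Static route to the UICC; must match ACTIVE_SE in libnfc-brcm.conf`. The commented-out `0xF4` line and the `// pkvk9345` tag can be dropped, since version control already records the old value and the author.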

diff --git a/nci/jni/RoutingManager.cpp b/nci/jni/RoutingManager.cpp
index 83e97d0..885e403 100644
--- a/nci/jni/RoutingManager.cpp
+++ b/nci/jni/RoutingManager.cpp
@@ -89,7 +89,8 @@ void RoutingManager::setDefaultRouting()
         ALOGE ("Fail to set default proto routing");

     // Tell the UICC to only listen on Nfc-A
-    nfaStat = NFA_CeConfigureUiccListenTech (mDefaultEe, 0x01);
+    //nfaStat = NFA_CeConfigureUiccListenTech (mDefaultEe, 0x01);
+    nfaStat = NFA_CeConfigureUiccListenTech (0xF3, 0x03);
     if (nfaStat != NFA_STATUS_OK)
         ALOGE ("Failed to configure UICC listen technologies");
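Review bot: The call now passes the literals `0xF3` and `0x03` instead of `mDefaultEe`, so the listen-technology setup no longer follows the member the original call used and can silently diverge from it; it also repeats the `0xF3` already hardcoded in `AidRoutingManager.java` and `libnfc-brcm.conf`. The comment above still reads "only listen on Nfc-A" although `0x03` presumably enables both Nfc-A and Nfc-B. Prefer giving `mDefaultEe` the UICC value where it is initialised and writing `nfaStat = NFA_CeConfigureUiccListenTech (mDefaultEe, NFA_TECHNOLOGY_MASK_A | NFA_TECHNOLOGY_MASK_B);`, with the comment changed to `// Tell the UICC to listen on Nfc-A and Nfc-B`. A failure here is only logged, and `setDefaultRouting` starts and ends outside the hunk, so whether the caller ever learns that the UICC was left unconfigured cannot be seen from these lines.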

Routing to the UICC does not seem possible on the Nexus 4 since the SWP contact is not wired to the NFC chip on this device.

Exchanging APDUs with your cardlet for ticket loading can be done through the seek-for-android SmartCard API, as you suggest, or over the air in a binary SMS. The former is the simpler option (but maybe not the most secure, depending on the context).

Toluene
  • So far I have decided to go with seek-for-android for the cardlet communication since I don't have any contract with a TSM. Do you have any idea about routing APDUs in OffHostApduService on the Samsung Galaxy S4 Mini? – Morendo Feb 27 '14 at 15:05
  • OffHost is likely to be routed to the UICC already on the GS4. Not sure how to confirm it, however; maybe by reading the configuration files on the device. – Toluene Feb 27 '14 at 16:22