• Jmax
  • New member
  • Offline
  • Registered: 2011-01-05
  • Posts: 3

Topic: nfc-emulate-tag

I tried running this built-in example as is in the latest stable release and it doesn't work.

I'm using a PN533.

When I run it, I can get the other initiator to see the 'tag' (the PN533) and they go through the ATQA and the everything else just fine. The initiator then sends a MifareAuthA command, but when replying I get a 'Invalid DEP State' error and the command never gets sent back.

Upon further debugging I've found that the library incorrectly tries to do TX/RX using TGSetData and TGGetData instead of TGResponseToInitiator and TGGetInitiatorCommand (these are commands to PN533). TGSetData and TGGetData are only allowed in DEP mode -- which this is not.

I made the change and at least the command gets sent correctly however I get a response of 50 00 from the other Initiator -- which I can't find anywhere in any NFC/ISO14443 or any other spec.


Has anyone ever successfully used the nfc-emulate-tag?! It seems the code that is checked in is buggy  -- you at least have to change the TX/RX commands.

Thanks.

  • rconty
  • Administrator
  • Offline
  • Registered: 2009-04-22
  • Posts: 673

Re: nfc-emulate-tag

Helle Jmax,

Jmax wrote:

Upon further debugging I've found that the library incorrectly tries to do TX/RX using TGSetData and TGGetData instead of TGResponseToInitiator and TGGetInitiatorCommand (these are commands to PN533).

You made a good job, you find the first problem source.

Jmax wrote:

TGSetData and TGGetData are only allowed in DEP mode -- which this is not.

In fact, that's not only for DEP while using it on a PN532:

NXP wrote:

This command is used in case of the PN532 configured as target for Data Exchange Protocol (DEP) or for ISO/IEC14443-4 protocol when PN532 is activated in ISO/IEC14443-4 PICC emulated

BTW, you can toogle the usage of TgSetData/TgResponseToInitiator with NDO_EASY_FRAMING option.

Jmax wrote:

I made the change and at least the command gets sent correctly however I get a response of 50 00 from the other Initiator -- which I can't find anywhere in any NFC/ISO14443 or any other spec.

I've commited a little fix to disable NDO_EASY_FRAMING when trying to emulate a non-ISO14443-4 target.
After this commit, it continue to fail due to CRC error but that's normal: Mifare Classic CRC is not implemented in the example. AFAIK, to emulate a Mifare Classic, you have to implement Crypto1 and some commands.

Jmax wrote:

Has anyone ever successfully used the nfc-emulate-tag?! It seems the code that is checked in is buggy  -- you at least have to change the TX/RX commands.

Yes, I do but I was emulating a ISO14443-4 device on a PN532 device...
nfc-emulate-tag doesn't provide a ready-to-use emulation, this is a simple C code to show how to emulate using libnfc's API but if you want to improve it and provide a ready-to-use Mifare Classic emulation, you are more than welcome!

Could you test the nfc-emulate-tag from trunk ? it should ended by something like that (in debug mode):

 TX: 32  00  00  ff  02  fe  d4  88  a4  00  
 RX: 00  00  ff  00  ff  00  00  00  ff  03  fd  d5  89  02  a0  00  
nfc_target_receive_bytes: CRC Error
nfc_target_emulate_tag: CRC Error

Note: tested with Nokia 6212 Classic as initiator.

I hope it helps,
Many thanks for this excellent bug report!

Romuald Conty
  • Jmax
  • New member
  • Offline
  • Registered: 2011-01-05
  • Posts: 3

Re: nfc-emulate-tag

I'm also getting CRC Error and couldn't figure out why.

I thought PN532 would generate the correct CRC. I'm emulating a MiFare Ultralight, should I just disable CRC and generate my own CRC?

  • rconty
  • Administrator
  • Offline
  • Registered: 2009-04-22
  • Posts: 673

Re: nfc-emulate-tag

Jmax wrote:

I'm emulating a MiFare Ultralight, should I just disable CRC and generate my own CRC?

First, you have to know that you can't emulate an ultralight due to UID: its 7 bytes long when PN53x emulation only allow 4 bytes long with fixed first byte (0x08).
Before the last revision (r857), libnfc silently truncated UID and don't care about the first byte. Now, an error is raised if you want to emulated an target with an "unemulable" (with PN53x) UID. This way should be less confusing.

Jmax wrote:

I'm also getting CRC Error and couldn't figure out why.

I talked to yobibe and he did some investigations (I'm only reporting here what we talked about, I didn't experiment so far myself):
- some Mifare commands was missing, but that's now fixed (you should look at r855 and r856 commit diffs)
- it seems that PN53x don't handle correctly some low-level commands in ISO14443-3 emulation
- finally, multiple tries doesn't give the same result, that seems to be related to timing issue

Note: to be able to implement emulation, its recommend to have some equipment like proxmark3

I hope it helps.

Romuald Conty
  • Jmax
  • New member
  • Offline
  • Registered: 2011-01-05
  • Posts: 3

Re: nfc-emulate-tag

My initiator doesn't care about the UID. It accepts the 4 byte UID because after autocoll is finished it gives me a 30 02 (read page 2).

However after I give it the 16 bytes of data it gives me a 50 00 (i.e. SLEEP). But this doesn't happen all the time, every once in a while it will give me a 30 04 (i.e. read page 4) and when I give it that data it returns 50 00.

If everything goes correctly the sequence should be:
Initiator -> 30 02
Target (me) -> 16 bytes of data
Initiator -> 30 04
Target (me) -> 16 bytes of data
Initiator -> 30 06
Target (me) -> 16 bytes of data
Initiator -> 30 08
Target (me) -> 16 bytes of data
Initiator -> 50 00

The initiator code is good and works. It is a Nexus S and I can get it to read the *exact* same data from an actual Ultralight. They are using the NXP provided HAL for PN544 and the code is available in Android tree -- and I looked through it, everything is going as part of the sequence.


I can't understand why most times it stops after 30 02, and other times I get to 30 04 but it stops after that.

The only thing I can think of is that the CRC or something else is set incorrectly.

Is there a way to put another PN53x into sniff mode, or any other way to see what *exactly* is being sent out of the PN53x and what the initiator is sending it?

I even tried disabling CRC by setting NDO_HANDLE_CRC to false and generating my own CRC but the result was the same.

I know this isn't a proximity or quality issue because the antenna are right next to each other and both the PN53x and the Nexus S can read a regular Ultralight just fine.

Any ideas?!

  • rconty
  • Administrator
  • Offline
  • Registered: 2009-04-22
  • Posts: 673

Re: nfc-emulate-tag

Hello,

Jmax wrote:

Is there a way to put another PN53x into sniff mode, or any other way to see what *exactly* is being sent out of the PN53x and what the initiator is sending it?

To be able to sniff on-air, you couldn't use a PN53x. There is an open source RFID sniffer that can sniff @13,56MHz:
Proxmark3: http://proxmark3.com/

Romuald Conty
  • Registered: 2011-04-28
  • Posts: 2

Re: nfc-emulate-tag

Jmax wrote:

My initiator doesn't care about the UID. It accepts the 4 byte UID because after autocoll is finished it gives me a 30 02 (read page 2).

However after I give it the 16 bytes of data it gives me a 50 00 (i.e. SLEEP). But this doesn't happen all the time, every once in a while it will give me a 30 04 (i.e. read page 4) and when I give it that data it returns 50 00.

....

I know this isn't a proximity or quality issue because the antenna are right next to each other and both the PN53x and the Nexus S can read a regular Ultralight just fine.

Any ideas?!

Having the same problem. Suggestions? Jmax, did you eventually get this working?