Posted tagged ‘Software’

Repackaged CryptoRF/LibNFC Example Code

March 30, 2013

Earlier, I tried to build the “NFC-CryptoRF” example code from the LibNFC Wiki, without success against LibNFC 1.7.0-rc4-9-g3584338, under Ubuntu 12.10.

Unsurprisingly, thanks to the LibNFC developers constantly changing their public APIs (for good reasons, I’m sure), said example code has succumbed to bit-rot, and only builds against obsolete versions of LibNFC.

Therefore, it seems that the only immediately obvious way for this code to be useful is to either downgrade the installed library version, or attempt to fix the hacky code to compensate for changes.

Luckily, after temporarily uninstalling my trunk version; downloading, and installing a LibNFC 1.3.4 source archive, applying the patch from a member of the LibNFC Forums to the example code, and attempting to rebuild everything, it seems that the example code works as it should.

After reinstating my modern LibNFC version; configuring 1.3.4’s build process to install to a temporary directory, copying the resulting ancient shared object file to “libnfc.so.0” in the example code directory, and creating a wrapper shell (“crf134”) script based upon the arguments passing technique mentioned here, it seems that I can now enjoy being able to use this tool, alongside more modern, “global” versions of LibNFC…

Anyway, to save others the hassle, I’ve uploaded the resulting product to Google Code.

As proof of peaceful co-existence with a more modern version of LibNFC:

Finally, in order to satisfy the terms of the (L)GPL, I have also included the original, uncompressed LibNFC 1.3.4 archive, the patched example source code, a copy of the patch, and the unpacked LibNFC directory containing both source, and 32-bit Linux binaries.

Finally, CryptoRF

March 29, 2013

Yesterday, I finally received a package from Atmel USA containing some sample ISO/IEC14443 Type-B CryptoRF tags, after numerous failed attempts at requesting some via their sample request form.

I ordered 1 sample of the 8KB AT88SC0808CRF-MX1 variant, and 2 samples of the 4KB AT88RF04C-MX1G variant.

The 4KB tags seem to be unusually packaged, and I don’t know if it’d be safe to carefully attempt to cut the strip in half using scissors, in order to make it easier to work with each:

I was probably expecting to receive paper-mounted tags, similar to my FeliCa Lite, and MiFare UltraLight ones – but the product seems to work as advertised.

Curiously, I was able to trigger an unusual hardware glitch in the PN532 chipset, if I carefully placed the strip of 4KB tags in the reader’s field in a specific way, which manifested in the following output from nfc-list -v:

I’ve also uploaded a USB trace file demonstrating this phenomenon, here.

It seems that I’m supposed to see this, instead:

Unsurprisingly, I can’t seem to be able to reliably read either of these two, without even more careful positioning – which suggests anti-collision problems (probably since both have the same unique ID, as supplied)…

The 8KB version, and its accompanying protective packaging looks like:

(Hand not included!)

…and nfc-list -v says:

When I get time, I intend to study the datasheet, and probably play with building TAMA shell scripts, with a view to trying to write another command set dissector.

That said, I have, however tried to compile the sample code on the LibNFC wiki, without success.

Maybe someone else has succeeded in building it against the latest revisions of LibNFC?

Minor Wireshark NFC/RFID Dissector Updates

March 6, 2013

Recently, I updated my FeliCa, and NXP PN532 Wireshark dissectors to support the following functionality:

PN532 dissector:

  • Support for dissection of MiFare command payloads in PN532 InDataExchange packets (bug #8291)
    • This means that command packets (but not responses) from tools such as MFOC, and the tools from LibNFC for accessing MiFare Classic, and MiFare UltraLight tokens are dissected.
  • Support for dissection of FeliCa payloads in PN532 InCommunicateThru packets (bug #8246)
    • This means that dissection of packets from almost all of an “NFC Tag Type 3” (barring NDEF payload data) tag reading session should be dissected, using the FeliCa “flavour” of notation.

FeliCa dissector:

  • Support for the FeliCa Plug system code (bug #7767)
    • This theoretically means that Sony’s new FeliCa Plug should be identified in “Polling Response” packets.
  • Update to identify commands from the full FeliCa Standard profile (bug #8243)
    • This theoretically means that commands related to enciphered reading/writing, authentication, searching for system/service codes, and requesting system information from the latest FeliCa Standard tokens should be at least identified.

I have also been trying to update Google’s dissectors to work with the latest SVN revisions of Wireshark, with mixed success. However, it seems that project has temporarily stalled – save for some brief exchanges on its mailing list, that didn’t really go anywhere.

Anyway, I remain willing to assist with that effort; and in the interim, I hope that this new functionality is useful.

Notes on installing the MDaemon BlackBerry Enterprise Server component under Windows 7

January 15, 2013

Recently, I decided to try and install a demo version of Alt-N’s MDaemon Messaging Server for Windows, out of curiosity.

It seems that the main server component installation completes successfully – although I didn’t try to use any of the newly-installed components, immediately.

Unfortunately, installation of the optional BlackBerry Enterprise Server component fails with:

According to a page on the FalconView Wiki; and an MS KnowledgeBase article, this error relates to a permissions issue on a non-existent directory (C:\Documents and Settings\NetworkService\Application Data\Microsoft\Protect).

Under Windows 7, the equivalent directory is supposed to exist at C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Protect – but I had to manually create it, after gaining permission to access C:\Windows\ServiceProfiles\NetworkService\.

It seems that a similar error that occurred whilst trying to install a slightly older version of MS SQL Server under Windows XP, has also been reported.

I also ended up uninstalling some existing MS SQL Server 2008 components that were supplied with other software.

Afterwards, I re-launched the installation process, and got a little further – only to encounter another error:

It appears that rebooting Windows is the favoured workaround for this issue (that apparently relates to a (Microsoft.SqlServer.Setup.Chainer.Workflow.ActionExecutionException) being triggered) – which worked for me, in this scenario, and meant that I was able to successfully use the product.

Unsurprisingly, the official product support KnowledgeBase has limited information regarding installation failures.

That said, others have reported seeing a related error under Windows XP – despite using an Administrator account; and it appears that the problem also occurred with earlier releases of MS SQL Server.

Anyway, I hope that this belated, short post is vaguely useful.

Workaround for VMAlloc errors from Linux-ZFS under Ubuntu 11.10

October 13, 2012

Earlier on, today, I decided to stress-test the “ZFS on Linux” project’s drivers under my Ubuntu VirtualBox VM, by creating a new ZPool spanning two virtual SATA hard disks, and trying to extract a Wireshark SVN source archive within it.

However, after my initial attempt at extracting the archive seemingly stalled, and discovering that the kernel logs were full of “vmap allocation for size 4198400 failed: use vmalloc=<size> to increase size” errors, I ended up reading a page on the MythTV Wiki detailing a similar problem.

Unfortunately, the suggestions provided there weren’t entirely up-to-date with the configuration of GRUB in that version of Ubuntu – although they provided some useful recommendations for identifying a remedy for this issue.

Finally, after searching for “3.0.0-14-generic” within “/boot/grub/grub.cfg”, appending “vmalloc=400M” to the line beginning with “linux /boot/vmlinuz-3.0.0-14-generic”, and rebooting the VM, I was able to successfully unpack the archive, and build the software itself.

Obviously, this is just a temporary method that will probably get broken when upgrading the GRUB, or Linux kernel versions – but I thought that I’d quickly share this workaround, for future reference.

A renovated PureDarwin XMas disk image

August 27, 2012

Recently, I spent a few hours on modifying the “PureDarwin XMas” disk image, in the hope of trying to boot it under VirtualBox, and QEMU, with mixed success.

The modifications themselves entailed the following steps…

  • Using an installation of Mac OS X 10.6 under VirtualBox to mount said disk image
  • Extracting its primary partition from the rather Byzantine partitioning scheme in use using Disk Utility’s new disk image creation feature
  • Re-partitioning the original image to use a standard x86 MBR partitioning scheme, and creating a single partition
  • Mounting the newly created partition image using Disk Copy, again
  • Copying the raw sector contents of the mounted partition image to the newly created MBR partition, using “DD”
  • Installing the Chameleon v2.0-RC4 r684 bootloader

Under some versions of QEMU, it seems to be possible to boot it as far as a working shell, where the startx command can be issued, in order to launch a customised version of WindowMaker:

However, under VirtualBox on my AMD Phenom II-based HP G62 laptop, booting fails at:

If I attach the modified image to a Ubuntu virtual machine, copy its raw sectors to an SD card, and reboot my laptop with it inserted into a USB card reader, I can also attempt to boot it, and launch WindowMaker with some success:

Unfortunately, the ancient version of XFree86 supplied in the image doesn’t support the AMD graphics chipset in this G62-series model – so graphical corruption, similar to that seen when trying to boot certain old Linux distributions on incompatible hardware can be witnessed.

There is also an unresolved glitch where the image fails to reboot, under certain circumstances, seemingly due to some issues involving file system drivers, and replaying the volume journal during mounting. This problem may also be encountered when trying to boot it from a locked SD card, for the first time.

Anyway, for others wishing to try it, I’ve uploaded a copy of the modified disk image to Google Code.

Let’s Try RTL-SDR! – Part 1

July 26, 2012

Recently, I received a device that was originally marketed as a USB DAB/DVB/FM receiver, containing a chipset compatible with the utilities from the RTL-SDR project.

It cost £17.50 (roughly €22.42/2159円/US$27.45, according to WolframAlpha) including free shipping from the US.

What’s in the kit?

The receiver that I ordered was supplied with only a remote control, and a stubby antenna with a magnetic base. No CD-ROMs, or user manuals were included.

About the hardware

The eBay listing page claims that it contains an Elonics E4000 tuner IC, and a RealTek RTL2832U DVB-T demodulator IC.

lsusb -v reports:

Installing RTL-SDR, and associated utilities

Download and run the build-gnuradio script, as recommended by Andrew Back:

At this stage, the script will request elevated privileges, in order to search for prerequisite packages using the system package management utilities.

Since the disclaimer warns that the process may take a long time, I’d recommend obtaining one’s favourite beverage; ensuring that the PC used has a sufficient amount of free disk space, and is well-ventilated (if using a laptop), to prevent it from potentially overheating, and unexpectedly shutting down; and searching for something else to do in the meantime…

For some reason, the Checking for package python-gtk2 step seems to take an unusually long time on my laptop; and temporarily stopping the script yielded:

It seems that despite my best efforts to prepare things in advance, I ran out of disk space at that stage:

Eventually, I resorted to running apt-get clean && apt-get autoclean, and moving some large files to an external disk, in order to free 1.5GB of 9.4GB; and re-ran the script, with more successful results:

It seems that on a 64-bit Ubuntu installation, a full instance of the script’s working directory (containing all source code, and binaries) is about 520MB in size.

Notes on AirProbe installation

For readers wishing to install AirProbe using the instructions on the project’s Website, I recommend running sudo ln -s /usr/local/include/gruel/swig/gruel_common.i /usr/local/include/gnuradio/swig/ && sudo ldconfig, after installing GNURadio, in order to avoid some frustrating bugs in various build scripts related to missing “Gruel”, and “SWIG”-related files.

Testing the result

Since this post is becoming rather long, and I’m unsatisfied with the content that I planned for this section, I’ll follow up with a second post related to testing the software post-installation, soon.

Google’s Wireshark Dissectors for NFC

May 25, 2012

Earlier, I noticed that @hiro99ma had ReTweeted a post from @eggman stating the following:

欲しかったやつだ。Googleの作ってるね。 / “wireshark-nfc – NFC dissectors for Wireshark. – Google Project Hosting”http://htn.to/pRdVY8 

The Japanese text roughly means something like “Fellows wanted. People inside Google are making this”, from what I understand.

That aside, after cloning the Git repository into my local Wireshark SVN plugins directory, my initial attempt at building the code failed with:

However, I was quickly able to rectify the problem by exporting some environment variables:

export WIRESHARK_INCLUDE=$HOME/wireshark/
export WIRESHARK_LIB=$HOME/wireshark/lib/

Under my VirtualBox-based Ubuntu installation, the plug-in binary (nfc-wireshark.so) was installed in /home/tyson/.wireshark/plugins, after running make install again.

However, after starting Wireshark using sudo, it appears that the plug-in itself was undetected – since the aforementioned path isn’t the default plug-in search path for the root user.

When the dissector plug-in is unavailable, it is possible to open an LLCP trace file – but packets are displayed in a generic manner:

After moving the binary to /usr/local/lib/wireshark/plugins/1.7.2/, and restarting Wireshark, I was successfully able to dissect the packets in the example trace file:

Hopefully, Google will work with the upstream Wireshark developers in order to integrate this functionality into mainline, so that I can investigate integration of the NDEF payload dissector into my FeliCa and MiFare dissectors; and also see if it’s possible to integrate the main LLCP dissector with my NXP PN532 chipset-specific protocol one.

Attempting to install MOST4Linux 1.0.0 under Ubuntu – Part 1

May 24, 2012

Earlier on today, I decided to see if I could build the Media-Oriented Systems Transport protocol stack from the MOST4Linux project under Ubuntu 11.04.

However, it was originally designed for earlier versions of the Linux kernel than 2.6.38; and is no longer actively maintained by its developers – which makes compiling, and using it a challenge.

When I initially attempted to build the code, after downloading and extracting the most recent source code archive, the build process failed with:

By making a number of modifications to the source code and build scripts, I was eventually able to reach this stage:

Unfortunately, I’m unsure of the best way to continue – so I’ve decided to dump my modified code on BitBucket.

Those curious about my modifications to achieve the aforementioned result can deduce them from the “reversed” difference list – which was created by adding my modified version of the code into a special branch in a new Mercurial repository (“Initial_Ubuntu_Port_Attempt“), and then retroactively importing the original version of the code into yet another branch (“Original_Code“).

When I get the chance, I’ll probably document how I arrived at that conclusion, and share some resources that I discovered along the way.

Interfacing with a PayPass card under Linux using LibNFC

March 14, 2012

This morning, I received an Orange Cash prepaid debit MasterCard, and proceeded to see if I could use its ISO/IEC 14443-A interface to access its EMV application directory.

After spending some time searching the Web, I realised that not many people have successfully attempted to do so using LibNFC (or if they have, they’ve decided to remain quiet about it, for reasons unknown); and resorted to trying to use CardPeek’s EMV script – which worked successfully with the ISO/IEC 7816 contact interfaces of all of the cards that I’ve tried (until I accidentally broke one of the contact interface pins), but doesn’t work with my reader’s RFID transceiver…

Using LibNFC’s nfc-list -v command, I was able to obtain the following information regarding the contactless interface:

1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 29  8b  cf  51
      SAK (SEL_RES): 28
* Compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
   ATS: 78 80 82 02 80 31 80 66 b0 84
 12 01 6e 01 83 00 90 00
* Max Frame Size accepted by PICC: 256 bytes
* Bit Rate Capability:
  * Same bitrate in both directions mandatory
* Frame Waiting Time: 77.33 ms
* Start-up Frame Guard Time: 1.208 ms
* Node ADdress not supported
* Card IDentifier supported
* Historical bytes Tk: 80 31 80 66 b0 84 12 01 6e 01 83 00 90 00
  * Tk after 0x80 consist of optional consecutive
      COMPACT-TLV data objects;
    the last data object may carry a status indicator of one,
      two or three bytes.
    See ISO/IEC 7816-4 8.1.1.3 for more info
Fingerprinting based on ATQA & SAK values:
* JCOP31 v2.3.1
* SmartMX with Mifare 1K emulation

I’ve modified the formatting of that command’s output slightly, so that it fits within this blog’s template boundaries –  but the data is identical to what I see when running it.

Since I couldn’t find any useful example code in C or C++ for exchanging ISO/IEC 7816 APDUs with contactless cards, I decided to investigate the possibility of modifying one of the TAMA scripts (UltraLightRead.cmd) in the LibNFC repository, and discovered that by prefixing the EMV commands mentioned in Saush’s blog post with 40 01, I was able to make the card respond to a request for the Payment System Environment.

The resulting script looks like this:

02; // Get firmware version
4A 01 00; // 1 target requested
// Select the payment system environment
40 01 00 A4 04 00 0E 31 50 41 59 2E 53 59 53 2E 44 44 46 30 31;

And the resulting packet received from the card reader’s PN532 chipset looks like:

If I get the chance, I’ll probably see if I can modify CardPeek’s EMV script somehow to generate APDUs with InDataExchange (0x40) framing, and hopefully get contactless mode working with my reader (so that I don’t have to implement EMV by myself, in order to test other commands) – but I have my doubts, somehow.

In the meantime, I hope that this discovery is vaguely helpful for others…
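
The framing used in the TAMA script above, as an added example that is not part of the original post or of LibNFC: it rebuilds the 40 01 + SELECT command byte for byte, wraps it in a PN532 host frame, and validates a response frame before trusting the card's status word, which is the check a dissector or test harness needs. The function names are illustrative, and the frame layout (00 00 FF LEN LCS TFI ... DCS 00, with the error code in the low six bits of the status byte) is assumed from the PN532 documentation rather than taken from this page; transport wrapping such as USB or UART wake-up bytes is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* InDataExchange (40 <Tg>) carrying an ISO/IEC 7816-4 SELECT by DF name
 * (00 A4 04 00 Lc <name>), as in the TAMA script. Returns length, 0 on error. */
size_t build_select_cmd(uint8_t tg, const char *df_name, uint8_t *out, size_t cap)
{
    static const uint8_t hdr[] = { 0x00, 0xA4, 0x04, 0x00 };
    size_t n = strlen(df_name);
    if (n == 0 || n > 16 || cap < 7 + n) return 0;   /* DF names are 1..16 bytes */
    out[0] = 0x40; out[1] = tg;
    memcpy(out + 2, hdr, 4);
    out[6] = (uint8_t)n;
    memcpy(out + 7, df_name, n);
    return 7 + n;
}

/* Host-to-PN532 normal information frame: 00 00 FF LEN LCS D4 <cmd> DCS 00. */
size_t pn532_frame(const uint8_t *cmd, size_t n, uint8_t *out, size_t cap)
{
    if (n == 0 || n > 254 || cap < n + 8) return 0;
    uint8_t len = (uint8_t)(n + 1), sum = 0xD4;      /* LEN counts TFI + data */
    size_t i = 0;
    out[i++] = 0x00; out[i++] = 0x00; out[i++] = 0xFF;
    out[i++] = len;  out[i++] = (uint8_t)(0x100 - len);  /* LEN + LCS == 0 mod 256 */
    out[i++] = 0xD4;
    for (size_t k = 0; k < n; k++) { out[i++] = cmd[k]; sum = (uint8_t)(sum + cmd[k]); }
    out[i++] = (uint8_t)(0x100 - sum);               /* TFI + data + DCS == 0 mod 256 */
    out[i++] = 0x00;
    return i;
}

/* Check a PN532-to-host InDataExchange response (D5 41 <status> <card data>) and
 * return the card's trailing status word in *sw. 0 on success, negative on error. */
int parse_response(const uint8_t *f, size_t n, uint16_t *sw)
{
    if (n < 7 || f[0] != 0x00 || f[1] != 0x00 || f[2] != 0xFF) return -1;
    uint8_t len = f[3], sum = 0;
    if ((uint8_t)(len + f[4]) != 0 || (size_t)len + 7 != n) return -2;
    for (size_t k = 0; k <= len; k++) sum = (uint8_t)(sum + f[5 + k]);  /* TFI..DCS */
    if (sum != 0) return -3;                         /* data checksum mismatch */
    if (len < 3 || f[5] != 0xD5 || f[6] != 0x41) return -4;
    if (f[7] & 0x3F) return -5;                      /* PN532 error code, bits 0-5 */
    if (len < 5) return -6;                          /* no room for SW1 SW2 */
    *sw = (uint16_t)((f[5 + len - 2] << 8) | f[5 + len - 1]);
    return 0;
}

int main(void)
{
    uint8_t cmd[32], frame[40];
    size_t n = build_select_cmd(1, "1PAY.SYS.DDF01", cmd, sizeof cmd);
    n = pn532_frame(cmd, n, frame, sizeof frame);
    for (size_t k = 0; k < n; k++) printf("%02X ", frame[k]);
    putchar('\n');
    return 0;
}
```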

