Posted tagged ‘Atmel’

Repackaged CryptoRF/LibNFC Example Code

March 30, 2013

Earlier, I tried to build the “NFC-CryptoRF” example code from the LibNFC Wiki, without success against LibNFC 1.7.0-rc4-9-g3584338, under Ubuntu 12.10.

Unsurprisingly, thanks to the LibNFC developers constantly changing their public APIs (for good reasons, I’m sure), said example code has succumbed to bit-rot, and only builds against obsolete versions of LibNFC.

Therefore, it seems that the only immediately obvious way for this code to be useful is to either downgrade the installed library version, or attempt to fix the hacky code to compensate for changes.

Luckily, after temporarily uninstalling my trunk version; downloading, and installing a LibNFC 1.3.4 source archive, applying the patch from a member of the LibNFC Forums to the example code, and attempting to rebuild everything, it seems that the example code works as it should.

After reinstating my modern LibNFC version; configuring 1.3.4’s build process to install to a temporary directory, copying the resulting ancient shared object file to “libnfc.so.0” in the example code directory, and creating a wrapper shell script (“crf134”) based upon the argument-passing technique mentioned here, it seems that I can now enjoy being able to use this tool, alongside more modern, “global” versions of LibNFC…
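A wrapper of the kind described above, as an added example rather than the author's actual crf134 script: it assumes the patched example binary is named `crf` (a hypothetical name), that the private libnfc.so.0 sits in the same directory, and that the old library is selected through LD_LIBRARY_PATH.

```sh
#!/bin/sh
# write_wrapper DIR BIN WRAPPER: create DIR/WRAPPER, a launcher that runs
# DIR/BIN with DIR searched first for shared objects (e.g. a private
# libnfc.so.0), leaving the system-wide libnfc untouched.
# BIN is assumed to be a plain file name without sed metacharacters.
write_wrapper() {
    dir=$1 bin=$2 wrapper=$3
    [ -x "$dir/$bin" ] || { echo "missing executable: $dir/$bin" >&2; return 1; }
    sed "s|@BIN@|$bin|" > "$dir/$wrapper" <<'EOF'
#!/bin/sh
# Resolve the directory this wrapper lives in, so it works from any cwd.
here=$(cd "$(dirname "$0")" && pwd) || exit 1
# Append the old value only when it is non-empty: a bare "dir:" would leave
# an empty path element, which the loader treats as the current directory.
LD_LIBRARY_PATH="$here${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH
# Pass every argument through unchanged, preserving spaces.
exec "$here/@BIN@" "$@"
EOF
    chmod +x "$dir/$wrapper"
}

# Usage (hypothetical paths): write_wrapper "$HOME/CM" crf crf134
```

Running `ldd` on the binary with the same LD_LIBRARY_PATH set shows which libnfc.so.0 the loader will actually pick.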

Anyway, to save others the hassle, I’ve uploaded the resulting product to Google Code.

As proof of peaceful co-existence with a more modern version of LibNFC:


tyson@tyson-HP-Compaq-2510p-Notebook-PC:~/CM$ ./crf134 0 0 0 0
CryptoRF example – (c) Radboud University Nijmegen
Connected to NFC device: ACS ACR122U 00 00 / ACR122U103 – PN532 v1.6 (0x07)
The following (NFC) ISO14443-B tag was found:
ATQB: 50 ff ff ff ff ff ff ff 33 00 10 51
ID: 01 3d 84 04
CID: 00
PARAMS: 08 00 04 d4
Changing active userzone
R: 11 00
T: 11 00 00
Reading first Ci(0) from the system zone (offset = 0x50)
R: 16 00 50 07
T: 16 00 88 ff ff ff ff ff ff ff 00
* Computing authentication values with card secret
Authenticate using Gc, Ci and random Q
R: 18 00 c9 73 ee ed 1d 5e cc e0 bd d9 9e 4e f3 91 a9 09
T: 18 41 a9
Reading new Ci value from the system zone (tag-answer)
R: 16 00 50 07
T: 16 00 00 ff ff ff ff ff ff ff 00
ERROR: Authentication failed
tyson@tyson-HP-Compaq-2510p-Notebook-PC:~/CM$ nfc-list
nfc-list uses libnfc libnfc-1.7.0-rc4-9-g3584338
NFC device: ACS ACR122U 00 00 / ACR122U103 opened

Finally, in order to satisfy the terms of the (L)GPL, I have also included the original, uncompressed LibNFC 1.3.4 archive, the patched example source code, a copy of the patch, and the unpacked LibNFC directory containing both source, and 32-bit Linux binaries.

Finally, CryptoRF

March 29, 2013

Yesterday, I finally received a package from Atmel USA containing some sample ISO/IEC14443 Type-B CryptoRF tags, after numerous failed attempts at requesting some via their sample request form.

I ordered 1 sample of the 8KB AT88SC0808CRF-MX1 variant, and 2 samples of the 4KB AT88RF04C-MX1G variant.

The 4KB tags seem to be unusually packaged, and I don’t know if it’d be safe to carefully attempt to cut the strip in half using scissors, in order to make it easier to work with each:

I was probably expecting to receive paper-mounted tags, similar to my FeliCa Lite, and MiFare UltraLight ones – but the product seems to work as advertised.

Curiously, I was able to trigger an unusual hardware glitch in the PN532 chipset, if I carefully placed the strip of 4KB tags in the reader’s field in a specific way, which manifested in the following output from nfc-list -v:


1 ISO14443B passive target(s) found:
ISO/IEC 14443-4B (106 kbps) target:
PUPI: 50 ff ff ff
Application Data: ff ff ff ff
Protocol Info: 22 00 10
* Bit Rate Capability:
* PICC to PCD, 1etu=32/fc, bitrate 424 kbits/s supported
* PCD to PICC, 1etu=32/fc, bitrate 424 kbits/s supported
* Maximum frame sizes: 16 bytes
* Frame Waiting Time: 0.6041 ms

I’ve also uploaded a USB trace file demonstrating this phenomenon, here.

It seems that I’m supposed to see this, instead:


1 ISO14443B passive target(s) found:
ISO/IEC 14443-4B (106 kbps) target:
PUPI: ff ff ff ff
Application Data: ff ff ff 22
Protocol Info: 00 10 51
* Bit Rate Capability:
* PICC supports only 106 kbits/s in both directions
* Maximum frame sizes: 24 bytes
* Frame Waiting Time: 9.666 ms
* Frame options supported: NAD

Unsurprisingly, I can’t seem to be able to reliably read either of these two, without even more careful positioning – which suggests anti-collision problems (probably since both have the same unique ID, as supplied)…
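An added example (not part of the original post) that decodes the ATQB fields shown in the two nfc-list -v listings for the 4KB tag. The 12-byte ATQB below is an assumption, constructed from the expected listing plus the 0x50 header byte seen in the crf134 output. Parsed one byte early it yields exactly the values in the glitched listing; parsed with the header skipped it yields the expected ones.

```sh
#!/bin/sh
# atqb_fields OFFSET BYTE...: decode PUPI, application data and protocol info
# from raw ATQB bytes (hex), starting OFFSET bytes in. Prints one summary line.
atqb_fields() {
    off=$1; shift
    shift "$off"
    if [ $# -lt 11 ]; then echo "need 11 bytes after offset" >&2; return 1; fi
    pupi="$1$2$3$4"; app="$5$6$7$8"
    b0=$((0x$9)); b1=$((0x${10})); b2=$((0x${11}))

    # Protocol info byte 1: bit-rate capability flags (0 means 106 kbit/s only).
    rates=""
    for pair in 16:picc-212 32:picc-424 64:picc-847 1:pcd-212 2:pcd-424 4:pcd-847; do
        if [ $((b0 & ${pair%%:*})) -ne 0 ]; then rates="$rates,${pair#*:}"; fi
    done
    if [ "$b0" -eq 0 ]; then rates=",106-only"; fi

    # Byte 2, high nibble: maximum frame size code (codes above 8 are reserved).
    code=$((b1 >> 4))
    if [ "$code" -le 8 ]; then
        set -- 16 24 32 40 48 64 96 128 256; shift "$code"; frame=$1
    else
        frame=RFU
    fi

    # Byte 3, high nibble: FWI. FWT = 256*16*2^FWI / 13.56 MHz, in microseconds.
    fwt_us=$((4096 * (1 << (b2 >> 4)) * 1000 / 13560))

    echo "pupi=$pupi app=$app rates=${rates#,} frame=$frame fwt_us=$fwt_us"
}

# Constructed sample: 0x50 header + the expected PUPI/app data/protocol info.
ATQB_4K="50 ff ff ff ff ff ff ff 22 00 10 51"
# $ATQB_4K is left unquoted on purpose so that it splits into one byte per word.
atqb_fields 0 $ATQB_4K   # parsed one byte early: matches the glitched listing
atqb_fields 1 $ATQB_4K   # header skipped: matches the expected listing
```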

The 8KB version, and its accompanying protective packaging looks like:

(Hand not included!)

…and nfc-list -v says:


1 ISO14443B passive target(s) found:
ISO/IEC 14443-4B (106 kbps) target:
PUPI: ff ff ff ff
Application Data: ff ff ff 33
Protocol Info: 00 10 51
* Bit Rate Capability:
* PICC supports only 106 kbits/s in both directions
* Maximum frame sizes: 24 bytes
* Frame Waiting Time: 9.666 ms
* Frame options supported: NAD

When I get time, I intend to study the datasheet, and probably play with building TAMA shell scripts, with a view to trying to write another command set dissector.

That said, I have, however, tried to compile the sample code on the LibNFC wiki, without success.

Maybe someone else has succeeded in building it against the latest revisions of LibNFC?