NFC off-host routing to the UICC on the Nexus 5X and Nexus 6P

I am trying to configure an NFC chipset on a Nexus 5X (bullhead) or Nexus 6P (angler) in order to use UICC as an NFC route for AID hosts that I advertise in my OffHostApduService.

Edit January 17, 2016: I updated this question, and also included the Nexus 6P, as I had the opportunity to test it, and it behaves exactly like 5X. So all previous 5X results also seem to apply to 6P.

I managed to do this earlier on the Nexus 5 (hammerhead) thanks to Michael Roland's answer to this question here, as well as on the Nexus 6 (shamu) (see the Nexus 6 bcm2079x config in my GitHub repository).

However, the Nexus 5X (as well as 6P) seem different:

  • according to the iFixit teardown, it contains a new chipset from NXP (PN548), not a Broadcom bcm2079x like the Nexus 4, 5, and 6.
  • I can confirm that the device can read Mifare Classic tags (which reinforces the assumption that it contains the NXP chipset, since Broadcom chipsets do not support Mifare Classic), and the device file /dev/pn548 exists.
  • but, rather strangely, it contains both libnfc-brcm.conf and libnfc-nxp.conf in the /system/etc/ directory (they can also be found in my GitHub repository).

As a starting point, I changed the trace / log settings in both configuration files

  • set APPL_TRACE_LEVEL to 0x05 for brcm
  • set NXPLOG_*_LOGLEVEL to 0x03 for nxp

I was surprised that at boot time I saw a lot of BrcmNfcJni messages in logcat, similar to those that I saw on the Nexus 5 and 6 (which I would not expect on a device with an NXP chipset):

    12-11 20:45:36.840 D/BrcmNfcJni( 3434): JNI_OnLoad: enter
    12-11 20:45:36.841 I/BrcmNfcJni( 3434): NFC Service: loading nci JNI
    12-11 20:45:36.841 D/BrcmNfcJni( 3434): register_com_android_nfc_NativeNfcManager: enter
    12-11 20:45:36.841 D/BrcmNfcJni( 3434): PowerSwitch::initialize: level=PS-UNKNOWN (0)
    12-11 20:45:36.923 D/BrcmNfcJni( 3434): PowerSwitch::initialize: desired screen-off state=1
    12-11 20:45:36.923 D/BrcmNfcJni( 3434): register_com_android_nfc_NativeNfcManager: exit
    12-11 20:45:36.923 D/BrcmNfcJni( 3434): register_com_android_nfc_NativeNfcTag
    12-11 20:45:36.924 D/BrcmNfcJni( 3434): RoutingManager::RoutingManager(): default route is 0x00
    12-11 20:45:36.924 D/BrcmNfcJni( 3434): RoutingManager::RoutingManager(): mOffHostEe=0xF2
    12-11 20:45:36.924 D/BrcmNfcJni( 3434): RoutingManager::registerJniFunctions
    12-11 20:45:36.924 D/BrcmNfcJni( 3434): JNI_OnLoad: exit
    ....
    ....

Edit 1: I learned from the source that these "BrcmNfc.." log messages are emitted from the code in the libnfc-nci library. On previous NCI devices (NCI stands for NFC Controller Interface), only Broadcom chipsets were used (I think that is the reason why the code uses the "Brcm" prefix for logging). But apparently, the new NXP chipsets now also use this standardized interface (which is good), and now we also see the "Brcm ..." log messages even with the NXP chipset.

Edit 3: Both phones (Nexus 5X and 6P) seem to contain the NXP PN548 / C2 NFC chipset, supporting firmware version 10.01.19 (at least in Android 6.0.1 version).

Of course, there is also output from the NXP pn54x halimpl:

    12-11 20:45:37.407 D/ ( 3434): phNxpLog_InitializeLogLevel: global =1, Fwdnld =3, extns =3, hal =3, tml =3, ncir =3, ncix =3
    12-11 20:45:37.408 D/NxpHal ( 3434): Entering phNxpNciHal_init_monitor
    12-11 20:45:37.408 D/NxpHal ( 3434): Returning with SUCCESS
    12-11 20:45:37.408 D/NxpTml ( 3434): Opening port=/dev/pn54x
    12-11 20:45:37.408 D/NxpTml ( 3434): phTmlNfc_i2c_reset(), VEN level 1
    12-11 20:45:37.527 D/NxpTml ( 3434): phTmlNfc_i2c_reset(), VEN level 0
    12-11 20:45:37.647 D/NxpTml ( 3434): phTmlNfc_i2c_reset(), VEN level 1
    12-11 20:45:37.667 D/NxpTml ( 3434): PN54X - Tml Reader Thread Started................
    12-11 20:45:37.667 D/NxpTml ( 3434): PN54X - Read requested.....
    12-11 20:45:37.667 D/NxpTml ( 3434): PN54X - Invoking I2C Read.....
    ....
    ....

So, as a first attempt, I tried to modify libnfc-nxp.conf, starting with the parameters whose comments indicated relevance to the UICC or SWP:

  # No secure element 0x00 # eSE 0x01 # UICC 0x02 -NXP_DEFAULT_SE=0x03 +NXP_DEFAULT_SE=0x02 
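Review bot: the removed value NXP_DEFAULT_SE=0x03 is not described by the comment block above it, which lists only 0x00, 0x01 and 0x02, so a reader cannot tell from the file what the old setting selected. Add a comment line for 0x03 alongside the other three before switching to 0x02, so the change can be reverted or compared with a known meaning.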

and also set the A0EC tag in NXP_CORE_CONF_EXTN to 0x01 (since the comment indicates that this tag is responsible for the connector SWP1):

 # A0EC - SWP1 interface # 0x00 - Disabled # 0x01 - Enabled - A0, EC, 01, 00, + A0, EC, 01, 01, 
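Review bot: the A0EC comment covers only the SWP1 interface, and the change to `A0, EC, 01, 01,` leaves every other entry in NXP_CORE_CONF_EXTN as it was, so it relies on the UICC being reachable over SWP1. State that assumption next to the changed line, and check the HAL trace after boot to confirm the enabled setting actually reached the controller rather than relying on the file edit alone.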

Unfortunately, this did not work, and I still get APDUs intended for my offhost service on the host system (as indicated in this logcat message: E/HostEmulationManager( 3434): AID that was meant to go off-host was routed to host.).

In later attempts, I also tried playing with parameters in libnfc-brcm.conf (as described by Michael Roland in the question linked above), but still failed.

Question:

  • Has anyone been able to configure NFC routing on Nexus 5X or 6P on UICC?
  • Or maybe there are some tips where I can look for further ideas?
  • It would also be useful to provide a technical description of the PN548 chipset.

Edit 2: I still have not found a working solution, but so far I have pushed my attempts to my GitHub repository in the dev1 branch. I also pushed logcat summary outputs for each test. I am testing a new version of Nexus 5X on Android 6.0.1. (Edit: In the meantime, I also got the Nexus 6P for testing, but it behaves the same.) To change the configuration files in the system partition, I temporarily boot into a recovery image with sideloading (fastboot boot twrp-2.8.7.2-bullhead.img).

At the moment, I always get this error (I also tried already with 0xf2 and 0xf4 as a routing target outside the host):

    12-16 09:38:05.524 I/BrcmNfcNfa( 3480): NFA_EeAddAidRouting(): handle:<0xf3>
    12-16 09:38:05.524 I/BrcmNfcNfa( 3480): nfa_ee_find_ecb ()
    12-16 09:38:05.524 E/BrcmNfcNfa( 3480): Bad ee_handle or AID (len=14)
    12-16 09:38:05.524 E/BrcmNfcJni( 3480): RoutingManager::addAidRouting: failed to route AID
+8
android nfc hce apdu
2 answers

As you already found out, SWP lines are not connected to the UICC slot. We usually do not do this for Nexus devices, since we do not support secure elements in UICC in AOSP. The one exception is Nexus 6 on Lollipop, which supports SoftCard mobile payments in the US (along with HCE). After SoftCard was acquired by Google, we removed the UICC support code again in Marshmallow.

BTW, I am surprised that this worked on the N5 - it should not have SWP enabled. Perhaps this was done incorrectly on all devices.

+6

Short answer:

NFC Offhost routing in UICC seems impossible on the Nexus 5X (edit: as well as on the Nexus 6P). As I understand it, the NFC chip's SWP lines are not connected to the UICC (on both phones).


Edit 1: In the meantime, I got my hands on a Nexus 6P and ran all the same tests as on the 5X. Now I can confirm that the 6P behaves the same. I even got the same errors in logcat when calling the phNxpNciHal_SwpTest function. Also on the Nexus 6P, the SWP line is not connected to the UICC.


Details:

After many unsuccessful attempts with various configuration file settings, I looked at the NXP implementation in the libnfc-hci library and found the interesting function "phNxpNciHal_SwpTest" in "self-test/phNxpNciHal_SelfTest.c", which, according to the comment, seems to test the SWP lines:

    /*******************************************************************************
    **
    ** Function         phNxpNciHal_SwpTest
    **
    ** Description      Test function to validate the SWP line. SWP line number is
    **                  is sent as parameter to the API.
    **
    ** Returns          NFCSTATUS_SUCCESS if successful,otherwise NFCSTATUS_FAILED.
    **
    *******************************************************************************/

Then I modified hal/phNxpNciHal.c (a lot of debug log statements were added just to better understand the flow) and added 2 calls to this test function. First, I tried to add it at the end of the phNxpNciHal_open function (see my changes here on GitHub), and then also tried to add it to the beginning of the phNxpNciHal_close function, before actually closing the NFCC interface, to make sure that the UICC and everything else were initialized at this point in time (see commit 6b33149 in my GitHub account linked above).

During tests, a SWIC-compatible UICC was inserted into the device.

Unfortunately, all calls to phNxpNciHal_SwpTest return an error (for both SWP lines). Look for the line phNxpNciHal_SwpTest - FAILED in the logcat output:

    12-22 08:48:01.597 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - testing SWP line 0x01
    12-22 08:48:01.597 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - performing test...
    12-22 08:48:01.597 D/NxpTml ( 3691): PN54X - Write requested.....
    12-22 08:48:01.597 D/NxpTml ( 3691): PN54X - Invoking I2C Write.....
    12-22 08:48:01.598 D/NxpNciX ( 3691): len = 4 > 20000101
    12-22 08:48:01.598 D/NxpTml ( 3691): PN54X - I2C Write successful.....
    12-22 08:48:01.598 D/NxpTml ( 3691): PN54X - Posting Fresh Write message.....
    12-22 08:48:01.598 D/NxpTml ( 3691): PN54X - Tml Writer Thread Running................
    12-22 08:48:01.598 D/NxpHal ( 3691): write successful status = 0x0
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ performTest: write success. staring read locked from NFCC..
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ readLocked: semaphore created, starting tml nfc read..
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ readLocked: read returned..
    12-22 08:48:01.598 E/NxpHal ( 3691): TML Read status error status = 16f
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ performTest: at clean_and_return label.. concurrency_unlock..
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - performing test FAILED...will break loop
    12-22 08:48:01.598 D/NxpHal ( 3691): phNxpNciHal_SwpTest - FAILED
    12-22 08:48:01.598 D/NxpHal ( 3691): phNxpNciHal_SwpTest - end
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ: SWP1 test done, will perform SWP2 test now.
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - start
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - testing SWP line 0x02
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - performing test..
    12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ performTest: concurrency locked. write locked to NFCC..
    12-22 08:48:01.598 D/NxpTml ( 3691): PN54X - Write requested.....
    12-22 08:48:01.598 D/NxpTml ( 3691): PN54X - Invoking I2C Write.....
    12-22 08:48:01.599 D/NxpNciX ( 3691): len = 4 > 20000101
    12-22 08:48:01.599 D/NxpTml ( 3691): PN54X - I2C Write successful.....
    12-22 08:48:01.599 D/NxpTml ( 3691): PN54X - Posting Fresh Write message.....
    12-22 08:48:01.599 D/NxpTml ( 3691): PN54X - Tml Writer Thread Running................
    12-22 08:48:01.599 D/NxpHal ( 3691): write successful status = 0x0
    12-22 08:48:01.599 D/NxpHal ( 3691): JZJZ performTest: write success. staring read locked from NFCC..
    12-22 08:48:01.599 D/NxpHal ( 3691): JZJZ readLocked: semaphore created, starting tml nfc read..
    12-22 08:48:01.599 D/NxpHal ( 3691): JZJZ readLocked: read returned..
    12-22 08:48:01.599 E/NxpHal ( 3691): TML Read status error status = 16f
    12-22 08:48:01.599 D/NxpHal ( 3691): JZJZ performTest: at clean_and_return label.. concurrency_unlock..
    12-22 08:48:01.599 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - performing test FAILED...will break loop.
    12-22 08:48:01.599 D/NxpHal ( 3691): phNxpNciHal_SwpTest - FAILED
    12-22 08:48:01.599 D/NxpHal ( 3691): phNxpNciHal_SwpTest - end
    12-22 08:48:01.599 D/NxpHal ( 3691): JZJZ: SWP2 test done.

Conclusion:

Without additional knowledge of the hardware details of the NXP PN548 / C2 chipset, I assume that this means that both SWP lines of the chipset are not connected on the Nexus 5X phone (bullhead).

If anyone has a deeper understanding of this topic, please feel free to me! :)

+5
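
A triage pass over the logcat symptoms quoted in the question and in the answer above, as an added example that is not part of the original posts or of the AOSP code. It flags an off-host AID that landed on the host, a rejected AID route together with the EE handle that was requested, and each SWP self-test result with its TML read status. The function and finding names are assumptions for illustration; the sample lines are excerpted from the logs on this page.

```python
import re

# Brief logcat layout as printed on this page: "MM-DD HH:MM:SS.mmm P/Tag( pid): msg"
LINE = re.compile(r"(\d\d-\d\d [\d:.]+) ([VDIWEF])/([^(]*)\(\s*(\d+)\): (.*)")
HANDLE = re.compile(r"NFA_EeAddAidRouting\(\): handle:<(0x[0-9a-fA-F]+)>")
SWP_LINE = re.compile(r"phNxpNciHal_SwpTest - testing SWP line (0x[0-9a-fA-F]+)")
SWP_RESULT = re.compile(r"phNxpNciHal_SwpTest - (?!end|start)(\w+)$")
TML_ERR = re.compile(r"TML Read status error status = (\w+)")

def triage(log_text):
    """Return (kind, detail) findings for the routing symptoms shown on this page."""
    findings, handle, swp, tml = [], None, None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip "...." elisions and blank lines
        tag, msg = m.group(3).strip(), m.group(5).strip()
        if tag == "HostEmulationManager" and "routed to host" in msg:
            findings.append(("offhost_aid_on_host", msg))
        elif (h := HANDLE.search(msg)):
            handle = h.group(1)  # remember which EE handle was requested
        elif "failed to route AID" in msg:
            findings.append(("aid_route_rejected", handle))
        elif (s := SWP_LINE.search(msg)):
            swp, tml = s.group(1), None  # a new self-test run starts
        elif (t := TML_ERR.search(msg)):
            tml = t.group(1)
        elif tag == "NxpHal" and (r := SWP_RESULT.match(msg)):
            findings.append(("swp_selftest", (swp, r.group(1), tml)))
    return findings

# Excerpted from this page; the first timestamp is constructed (quoted without one).
SAMPLE = """\
12-16 09:38:05.000 E/HostEmulationManager( 3434): AID that was meant to go off-host was routed to host.
12-16 09:38:05.524 I/BrcmNfcNfa( 3480): NFA_EeAddAidRouting(): handle:<0xf3>
12-16 09:38:05.524 E/BrcmNfcNfa( 3480): Bad ee_handle or AID (len=14)
12-16 09:38:05.524 E/BrcmNfcJni( 3480): RoutingManager::addAidRouting: failed to route AID
12-22 08:48:01.597 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - testing SWP line 0x01
12-22 08:48:01.598 E/NxpHal ( 3691): TML Read status error status = 16f
12-22 08:48:01.598 D/NxpHal ( 3691): phNxpNciHal_SwpTest - FAILED
12-22 08:48:01.598 D/NxpHal ( 3691): phNxpNciHal_SwpTest - end
12-22 08:48:01.598 D/NxpHal ( 3691): JZJZ phNxpNciHal_SwpTest - testing SWP line 0x02
12-22 08:48:01.599 E/NxpHal ( 3691): TML Read status error status = 16f
12-22 08:48:01.599 D/NxpHal ( 3691): phNxpNciHal_SwpTest - FAILED
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, detail)
```

The same function can be fed a saved `adb logcat` capture; lines that do not match the brief layout are skipped.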