1 /*****************************************************************************
2 * Copyright (C) 2015 ST Microelectronics S.A.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *******************************************************************************/
16
17 /******************************************************************************
18 *
19 * This file contains the implementation for Mifare Classic tag in
20 * Reader/Writer mode.
21 *
22 ******************************************************************************/
23 #include <android-base/logging.h>
24 #include <android-base/stringprintf.h>
25 #include <com_android_nfc_nci_flags.h>
26 #include <log/log.h>
27 #include <string.h>
28
29 #include "bt_types.h"
30 #include "gki.h"
31 #include "nfc_api.h"
32 #include "nfc_int.h"
33 #include "nfc_target.h"
34 #include "rw_api.h"
35 #include "rw_int.h"
36 #include "tags_int.h"
37
38 using com::android::nfc::nci::flags::mfc_read_mad;
39
40 #define MFC_KeyA 0x60
41 #define MFC_KeyB 0x61
42 #define MFC_Read 0x30
43 #define MFC_Write 0xA0
44
45 /* main state */
46 /* Mifare Classic is not activated */
47 #define RW_MFC_STATE_NOT_ACTIVATED 0x00
48 /* waiting for upper layer API */
49 #define RW_MFC_STATE_IDLE 0x01
50 /* performing NDEF detection precedure */
51 #define RW_MFC_STATE_DETECT_NDEF 0x02
52 /* performing read NDEF procedure */
53 #define RW_MFC_STATE_READ_NDEF 0x03
54 /* performing update NDEF procedure */
55 #define RW_MFC_STATE_UPDATE_NDEF 0x04
56 /* checking presence of tag */
57 #define RW_MFC_STATE_PRESENCE_CHECK 0x05
58 /* convert tag to read only */
59 #define RW_MFC_STATE_SET_READ_ONLY 0x06
60 /* detect tlv */
61 #define RW_MFC_STATE_DETECT_TLV 0x7
62 /* NDef Format */
63 #define RW_MFC_STATE_NDEF_FORMAT 0x8
64
65 #define RW_MFC_STATE_DETECT_MAD 0x09
66 #define RW_MFC_SUBSTATE_NONE 0x00
67 #define RW_MFC_SUBSTATE_IDLE 0x01
68 #define RW_MFC_SUBSTATE_WAIT_ACK 0x02
69 #define RW_MFC_SUBSTATE_READ_BLOCK 0x03
70 #define RW_MFC_SUBSTATE_FORMAT_BLOCK 0x04
71 #define RW_MFC_SUBSTATE_WRITE_BLOCK 0x05
72
73 #define RW_MFC_LONG_TLV_SIZE 4
74 #define RW_MFC_SHORT_TLV_SIZE 2
75
76 #define RW_MFC_4K_Support 0x10
77
78 #define RW_MFC_1K_BLOCK_SIZE 16
79
80 uint8_t KeyNDEF[6] = {0xD3, 0XF7, 0xD3, 0XF7, 0xD3, 0XF7};
81 uint8_t KeyMAD[6] = {0xA0, 0XA1, 0xA2, 0XA3, 0xA4, 0XA5};
82 uint8_t KeyDefault[6] = {0xFF, 0XFF, 0xFF, 0XFF, 0xFF, 0XFF};
83 uint8_t access_permission_nfc[4] = {0x7F, 0x07, 0x88, 0x40};
84 uint8_t access_permission_mad[4] = {0x78, 0x77, 0x88, 0xC1};
85 uint8_t MAD_B1[16] = {0x14, 0x01, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1,
86 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1};
87 uint8_t MAD_B2[16] = {0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1,
88 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1};
89 uint8_t MAD_B64[16] = {0xE8, 0x01, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1,
90 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1};
91 uint8_t NFC_B0[16] = {0x03, 0x00, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00,
92 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
93
94 static bool rw_mfc_send_to_lower(NFC_HDR* p_c_apdu);
95 static bool rw_mfc_authenticate(int sector, bool KeyA);
96 static tNFC_STATUS rw_mfc_readBlock(int block);
97 static void rw_mfc_handle_tlv_detect_rsp(uint8_t* p_data);
98 static tNFC_STATUS rw_MfcLocateTlv(uint8_t tlv_type);
99 static void rw_mfc_conn_cback(uint8_t conn_id, tNFC_CONN_EVT event,
100 tNFC_CONN* p_data);
101 static void rw_mfc_resume_op();
102 static bool rw_nfc_decodeTlv(uint8_t* p_data);
103 static void rw_mfc_ntf_tlv_detect_complete(tNFC_STATUS status);
104 static void rw_mfc_handle_read_op(uint8_t* data);
105 static void rw_mfc_handle_op_complete(void);
106 static void rw_mfc_handle_ndef_read_rsp(uint8_t* p_data);
107 static void rw_mfc_process_error();
108
109 static tNFC_STATUS rw_mfc_formatBlock(int block);
110 static void rw_mfc_handle_format_rsp(uint8_t* p_data);
111 static void rw_mfc_handle_format_op();
112 static tNFC_STATUS rw_mfc_writeBlock(int block);
113 static void rw_mfc_handle_write_rsp(uint8_t* p_data);
114 static void rw_mfc_handle_write_op();
115 static tNFC_STATUS rw_MfcCheckMad();
116 static void rw_mfc_handle_mad_detect_rsp(uint8_t* p_data);
117 static bool rw_nfc_StoreMad(uint8_t* data);
118
119 using android::base::StringPrintf;
120
121 /*****************************************************************************
122 **
123 ** Function RW_MfcFormatNDef
124 **
125 ** Description
126 ** Format Tag content
127 **
128 ** Returns
129 ** NFC_STATUS_OK, Command sent to format Tag
130 ** NFC_STATUS_REJECTED: cannot format the tag
131 ** NFC_STATUS_FAILED: other error
132 **
133 *****************************************************************************/
RW_MfcFormatNDef(void)134 tNFC_STATUS RW_MfcFormatNDef(void) {
135 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
136 tNFC_STATUS status = NFC_STATUS_OK;
137
138 if (p_mfc->state != RW_MFC_STATE_IDLE) {
139 LOG(ERROR) << StringPrintf(
140 "%s Mifare Classic tag not activated or Busy - State:%d", __func__,
141 p_mfc->state);
142 return NFC_STATUS_BUSY;
143 }
144
145 p_mfc->state = RW_MFC_STATE_NDEF_FORMAT;
146 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
147 p_mfc->last_block_accessed.block = 1;
148 p_mfc->next_block.block = 1;
149
150 status = rw_mfc_formatBlock(p_mfc->next_block.block);
151 if (status == NFC_STATUS_OK) {
152 p_mfc->state = RW_MFC_STATE_NDEF_FORMAT;
153 } else {
154 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
155 }
156
157 return status;
158 }
159
160 /*******************************************************************************
161 **
162 ** Function rw_mfc_formatBlock
163 **
164 ** Description This function format a given block.
165 **
166 ** Returns true if success
167 **
168 *******************************************************************************/
rw_mfc_formatBlock(int block)169 static tNFC_STATUS rw_mfc_formatBlock(int block) {
170 NFC_HDR* mfcbuf;
171 uint8_t* p;
172 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
173 int sectorlength = block / 4;
174 tNFC_STATUS status = NFC_STATUS_OK;
175
176 LOG(VERBOSE) << __func__ << ": block : " << block;
177
178 if (block > 128) {
179 sectorlength = (p_mfc->next_block.block - 128) / 16 + 32;
180 }
181
182 if (sectorlength != p_mfc->sector_authentified) {
183 if (rw_mfc_authenticate(block, true) == true) {
184 return NFC_STATUS_OK;
185 }
186 return NFC_STATUS_FAILED;
187 }
188
189 mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
190
191 if (!mfcbuf) {
192 LOG(ERROR) << __func__ << ": Cannot allocate buffer";
193 return NFC_STATUS_REJECTED;
194 }
195
196 mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
197 p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
198
199 UINT8_TO_BE_STREAM(p, MFC_Write);
200 UINT8_TO_BE_STREAM(p, block);
201
202 if (block == 1) {
203 ARRAY_TO_BE_STREAM(p, MAD_B1, 16);
204 } else if (block == 64) {
205 if (mfc_read_mad()) {
206 ARRAY_TO_BE_STREAM(p, MAD_B1, 16);
207 } else {
208 ARRAY_TO_BE_STREAM(p, MAD_B64, 16);
209 }
210 } else if ((block == 2) || (block == 65) || (block == 66)) {
211 ARRAY_TO_BE_STREAM(p, MAD_B2, 16);
212 } else if ((block == 3) || (block == 67)) {
213 ARRAY_TO_BE_STREAM(p, KeyMAD, 6);
214 ARRAY_TO_BE_STREAM(p, access_permission_mad, 4);
215 ARRAY_TO_BE_STREAM(p, KeyDefault, 6);
216 } else if (block == 4) {
217 ARRAY_TO_BE_STREAM(p, NFC_B0, 16);
218 } else {
219 ARRAY_TO_BE_STREAM(p, KeyNDEF, 6);
220 ARRAY_TO_BE_STREAM(p, access_permission_nfc, 4);
221 ARRAY_TO_BE_STREAM(p, KeyDefault, 6);
222 }
223 mfcbuf->len = 18;
224
225 if (!rw_mfc_send_to_lower(mfcbuf)) {
226 return NFC_STATUS_REJECTED;
227 }
228 p_mfc->current_block = block;
229 p_mfc->substate = RW_MFC_SUBSTATE_FORMAT_BLOCK;
230
231 return status;
232 }
233
rw_mfc_handle_format_rsp(uint8_t * p_data)234 static void rw_mfc_handle_format_rsp(uint8_t* p_data) {
235 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
236 NFC_HDR* mfc_data;
237 uint8_t* p;
238
239 mfc_data = (NFC_HDR*)p_data;
240 /* Assume the data is just the response byte sequence */
241 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
242
243 switch (p_mfc->substate) {
244 case RW_MFC_SUBSTATE_WAIT_ACK:
245 p_mfc->last_block_accessed.block = p_mfc->current_block;
246
247 if (p[0] == 0x0) {
248 p_mfc->next_block.auth = true;
249 p_mfc->last_block_accessed.auth = true;
250
251 if (mfc_read_mad() && p_mfc->current_block < 127) {
252 p_mfc->sector_authentified = p_mfc->next_block.block / 4;
253 } else if (!mfc_read_mad() && p_mfc->next_block.block < 128) {
254 p_mfc->sector_authentified = p_mfc->next_block.block / 4;
255 } else {
256 p_mfc->sector_authentified =
257 (p_mfc->next_block.block - 128) / 16 + 32;
258 }
259 rw_mfc_resume_op();
260 } else {
261 p_mfc->next_block.auth = false;
262 p_mfc->last_block_accessed.auth = false;
263 nfc_stop_quick_timer(&p_mfc->timer);
264 rw_mfc_process_error();
265 }
266 break;
267
268 case RW_MFC_SUBSTATE_FORMAT_BLOCK:
269 if (p[0] == 0x0) {
270 rw_mfc_handle_format_op();
271 } else {
272 nfc_stop_quick_timer(&p_mfc->timer);
273 rw_mfc_process_error();
274 }
275 break;
276 }
277 }
278
rw_mfc_handle_format_op()279 static void rw_mfc_handle_format_op() {
280 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
281 tRW_READ_DATA evt_data;
282 int num_of_blocks = 0;
283
284 /* Total blockes of Mifare 1k/4K */
285 if (p_mfc->selres & RW_MFC_4K_Support)
286 num_of_blocks = 256;
287 else
288 num_of_blocks = 64;
289
290 p_mfc->last_block_accessed.block = p_mfc->current_block;
291
292 // Find next block needed to format
293 if (p_mfc->current_block < 4) {
294 p_mfc->next_block.block = p_mfc->current_block + 1;
295 } else if (p_mfc->current_block == 4) {
296 p_mfc->next_block.block = 7;
297 } else if (p_mfc->current_block >= 63 && p_mfc->current_block < 67) {
298 p_mfc->next_block.block = p_mfc->current_block + 1;
299 } else if (p_mfc->current_block < 127) {
300 p_mfc->next_block.block = p_mfc->current_block + 4;
301 } else {
302 p_mfc->next_block.block = p_mfc->current_block + 16;
303 }
304
305 if (p_mfc->next_block.block < num_of_blocks) {
306 /* Format next blocks */
307 if (rw_mfc_formatBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
308 evt_data.status = NFC_STATUS_FAILED;
309 evt_data.p_data = NULL;
310 (*rw_cb.p_cback)(RW_MFC_NDEF_FORMAT_CPLT_EVT, (tRW_DATA*)&evt_data);
311 }
312 } else {
313 evt_data.status = NFC_STATUS_OK;
314 evt_data.p_data = NULL;
315 rw_mfc_handle_op_complete();
316 (*rw_cb.p_cback)(RW_MFC_NDEF_FORMAT_CPLT_EVT, (tRW_DATA*)&evt_data);
317 }
318 }
319
320 /*******************************************************************************
321 **
322 ** Function RW_MfcWriteNDef
323 **
324 ** Description This function can be called to write an NDEF message to the
325 ** tag.
326 **
327 ** Parameters: buf_len: The length of the buffer
328 ** p_buffer: The NDEF message to write
329 **
330 ** Returns NCI_STATUS_OK, if write was started. Otherwise, error
331 ** status.
332 **
333 *******************************************************************************/
RW_MfcWriteNDef(uint16_t buf_len,uint8_t * p_buffer)334 tNFC_STATUS RW_MfcWriteNDef(uint16_t buf_len, uint8_t* p_buffer) {
335 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
336 tNFC_STATUS status = NFC_STATUS_OK;
337
338 int i = 0;
339 if (p_mfc->state != RW_MFC_STATE_IDLE) {
340 return NFC_STATUS_BUSY;
341 }
342
343 p_mfc->state = RW_MFC_STATE_UPDATE_NDEF;
344 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
345 if (mfc_read_mad()) {
346 for (i = 0; i < MFC_MAX_SECTOR_NUMBER; i++) {
347 // Search the 1st NDEF sector
348 if (p_mfc->mifare_ndefsector[i] == true) {
349 break;
350 }
351 }
352 if (i < MFC_LAST_4BLOCK_SECTOR) {
353 // Block of the 1st NDEF sector, if in the 4-blocks sector area
354 p_mfc->last_block_accessed.block = i * 4; // 4 blocks per sector
355 p_mfc->next_block.block = i * 4; // 4 blocks per sector
356 } else {
357 // block is in the 16blocks per sector area:
358 // - skip the 4blocks * MFC_LAST_4BLOCK_SECTOR ( = 128 )
359 // - then add 16 blocks for each additional sector
360 p_mfc->last_block_accessed.block =
361 (4 * MFC_LAST_4BLOCK_SECTOR) + (i - MFC_LAST_4BLOCK_SECTOR) * 16;
362 p_mfc->next_block.block =
363 (4 * MFC_LAST_4BLOCK_SECTOR) + (i - MFC_LAST_4BLOCK_SECTOR) * 16;
364 }
365 LOG(DEBUG) << __func__
366 << "; first ndef block : " << p_mfc->next_block.block;
367 } else {
368 p_mfc->last_block_accessed.block = 4;
369 p_mfc->next_block.block = 4;
370 }
371
372 p_mfc->p_ndef_buffer = p_buffer;
373 p_mfc->ndef_length = buf_len;
374 p_mfc->work_offset = 0;
375
376 status = rw_mfc_writeBlock(p_mfc->next_block.block);
377 if (status == NFC_STATUS_OK) {
378 p_mfc->state = RW_MFC_STATE_UPDATE_NDEF;
379 } else {
380 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
381 }
382
383 return status;
384 }
385
386 /*******************************************************************************
387 **
388 ** Function rw_mfc_writeBlock
389 **
390 ** Description This function write a given block.
391 **
392 ** Returns true if success
393 **
394 *******************************************************************************/
rw_mfc_writeBlock(int block)395 static tNFC_STATUS rw_mfc_writeBlock(int block) {
396 NFC_HDR* mfcbuf;
397 uint8_t* p;
398 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
399 int sectorlength = block / 4;
400 tNFC_STATUS status = NFC_STATUS_OK;
401
402 LOG(VERBOSE) << __func__ << ": block : " << block;
403
404 if (block > 128) {
405 sectorlength = (p_mfc->next_block.block - 128) / 16 + 32;
406 }
407
408 if (sectorlength != p_mfc->sector_authentified) {
409 if (rw_mfc_authenticate(block, true) == true) {
410 return NFC_STATUS_OK;
411 }
412 return NFC_STATUS_FAILED;
413 }
414
415 mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
416
417 if (!mfcbuf) {
418 LOG(ERROR) << __func__ << ": Cannot allocate buffer";
419 return NFC_STATUS_REJECTED;
420 }
421
422 mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
423 p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
424
425 UINT8_TO_BE_STREAM(p, MFC_Write);
426 UINT8_TO_BE_STREAM(p, block);
427 int index = 0;
428 while (index < RW_MFC_1K_BLOCK_SIZE) {
429 if (p_mfc->work_offset == 0) {
430 if (p_mfc->ndef_length <= 0xFE) {
431 UINT8_TO_BE_STREAM(p, 0x03);
432 UINT8_TO_BE_STREAM(p, p_mfc->ndef_length);
433 index = index + 2;
434 } else {
435 UINT8_TO_BE_STREAM(p, 0x03);
436 UINT8_TO_BE_STREAM(p, 0xFF);
437 UINT8_TO_BE_STREAM(p, (uint8_t)(p_mfc->ndef_length >> 8));
438 UINT8_TO_BE_STREAM(p, (uint8_t)(p_mfc->ndef_length & 0xFF));
439 index = index + 4;
440 }
441 }
442
443 if (p_mfc->work_offset == p_mfc->ndef_length) {
444 UINT8_TO_BE_STREAM(p, 0xFE);
445 } else if (p_mfc->work_offset > p_mfc->ndef_length) {
446 UINT8_TO_BE_STREAM(p, 0x00);
447 } else {
448 UINT8_TO_BE_STREAM(p, p_mfc->p_ndef_buffer[p_mfc->work_offset]);
449 }
450 p_mfc->work_offset++;
451 index++;
452 }
453 mfcbuf->len = 18;
454
455 if (!rw_mfc_send_to_lower(mfcbuf)) {
456 return NFC_STATUS_REJECTED;
457 }
458 p_mfc->current_block = block;
459 p_mfc->substate = RW_MFC_SUBSTATE_WRITE_BLOCK;
460
461 return status;
462 }
463
rw_mfc_handle_write_rsp(uint8_t * p_data)464 static void rw_mfc_handle_write_rsp(uint8_t* p_data) {
465 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
466 NFC_HDR* mfc_data;
467 uint8_t* p;
468
469 mfc_data = (NFC_HDR*)p_data;
470 /* Assume the data is just the response byte sequence */
471 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
472
473 switch (p_mfc->substate) {
474 case RW_MFC_SUBSTATE_WAIT_ACK:
475 p_mfc->last_block_accessed.block = p_mfc->current_block;
476
477 if (p[0] == 0x0) {
478 p_mfc->next_block.auth = true;
479 p_mfc->last_block_accessed.auth = true;
480
481 if (mfc_read_mad() && p_mfc->current_block < 128) {
482 p_mfc->sector_authentified = p_mfc->next_block.block / 4;
483 } else if (!mfc_read_mad() && p_mfc->next_block.block < 128) {
484 p_mfc->sector_authentified = p_mfc->next_block.block / 4;
485 } else {
486 p_mfc->sector_authentified =
487 (p_mfc->next_block.block - 128) / 16 + 32;
488 }
489 rw_mfc_resume_op();
490 } else {
491 p_mfc->next_block.auth = false;
492 p_mfc->last_block_accessed.auth = false;
493 nfc_stop_quick_timer(&p_mfc->timer);
494 rw_mfc_process_error();
495 }
496 break;
497
498 case RW_MFC_SUBSTATE_WRITE_BLOCK:
499 if (p[0] == 0x0) {
500 rw_mfc_handle_write_op();
501 } else {
502 nfc_stop_quick_timer(&p_mfc->timer);
503 rw_mfc_process_error();
504 }
505 break;
506 }
507 }
508
rw_mfc_handle_write_op()509 static void rw_mfc_handle_write_op() {
510 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
511 tRW_READ_DATA evt_data;
512
513 if (p_mfc->work_offset >= p_mfc->ndef_length) {
514 evt_data.status = NFC_STATUS_OK;
515 evt_data.p_data = NULL;
516 rw_mfc_handle_op_complete();
517 (*rw_cb.p_cback)(RW_MFC_NDEF_WRITE_CPLT_EVT, (tRW_DATA*)&evt_data);
518 } else {
519 p_mfc->last_block_accessed.block = p_mfc->current_block;
520
521 if (p_mfc->current_block % 4 == 2) {
522 p_mfc->next_block.block = p_mfc->current_block + 2;
523 } else {
524 p_mfc->next_block.block = p_mfc->current_block + 1;
525 }
526
527 /* Do not read block 16 (MAD2) - Mifare Classic4 k */
528 if (p_mfc->next_block.block == 64) {
529 p_mfc->next_block.block += 4;
530 }
531
532 if ((p_mfc->selres & RW_MFC_4K_Support) &&
533 (p_mfc->next_block.block >= 128)) {
534 if (p_mfc->current_block % 16 == 14) {
535 p_mfc->next_block.block = p_mfc->current_block + 2;
536 } else {
537 p_mfc->next_block.block = p_mfc->current_block + 1;
538 }
539 }
540
541 /* Write next blocks */
542 if (rw_mfc_writeBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
543 evt_data.status = NFC_STATUS_FAILED;
544 evt_data.p_data = NULL;
545 rw_mfc_handle_op_complete();
546 (*rw_cb.p_cback)(RW_MFC_NDEF_WRITE_FAIL_EVT, (tRW_DATA*)&evt_data);
547 }
548 }
549 }
550
551 /*****************************************************************************
552 **
553 ** Function RW_MfcDetectNDef
554 **
555 ** Description
556 ** This function is used to perform NDEF detection on a Mifare Classic
557 ** tag, and retrieve the tag's NDEF attribute information.
558 ** Before using this API, the application must call RW_SelectTagType to
559 ** indicate that a Type 1 tag has been activated.
560 **
561 ** Returns
562 ** NFC_STATUS_OK: ndef detection procedure started
563 ** NFC_STATUS_WRONG_PROTOCOL: type 1 tag not activated
564 ** NFC_STATUS_BUSY: another command is already in progress
565 ** NFC_STATUS_FAILED: other error
566 **
567 *****************************************************************************/
RW_MfcDetectNDef(void)568 tNFC_STATUS RW_MfcDetectNDef(void) {
569 LOG(DEBUG) << __func__;
570 if (mfc_read_mad()) {
571 return rw_MfcCheckMad();
572 } else {
573 return rw_MfcLocateTlv(TAG_NDEF_TLV);
574 }
575 }
576
577 /*******************************************************************************
578 **
579 ** Function rw_mfc_select
580 **
581 ** Description This function will set the callback function to
582 ** receive data from lower layers.
583 **
584 ** Returns tNFC_STATUS
585 **
586 *******************************************************************************/
rw_mfc_select(uint8_t selres,uint8_t uid[MFC_UID_LEN])587 tNFC_STATUS rw_mfc_select(uint8_t selres, uint8_t uid[MFC_UID_LEN]) {
588 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
589
590 p_mfc->state = RW_MFC_STATE_NOT_ACTIVATED;
591
592 /* Alloc cmd buf for retransmissions */
593 if (p_mfc->p_cur_cmd_buf == NULL) {
594 LOG(VERBOSE) << __func__;
595 p_mfc->p_cur_cmd_buf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
596 if (p_mfc->p_cur_cmd_buf == NULL) {
597 LOG(ERROR) << __func__
598 << ": unable to allocate buffer for retransmission";
599
600 return NFC_STATUS_FAILED;
601 }
602 }
603 p_mfc->selres = selres;
604 memcpy(p_mfc->uid, uid, MFC_UID_LEN);
605
606 if (mfc_read_mad()) {
607 memset(p_mfc->mifare_ndefsector, 0, 40);
608 }
609 NFC_SetStaticRfCback(rw_mfc_conn_cback);
610
611 p_mfc->state = RW_MFC_STATE_IDLE;
612 p_mfc->substate = RW_MFC_SUBSTATE_IDLE;
613 p_mfc->last_block_accessed.block = -1;
614 p_mfc->last_block_accessed.auth = false;
615 if (mfc_read_mad()) {
616 p_mfc->next_block.block = 1;
617 } else {
618 p_mfc->next_block.block = 4;
619 }
620 p_mfc->next_block.auth = false;
621 p_mfc->sector_authentified = -1;
622
623 return NFC_STATUS_OK;
624 }
625
626 /*******************************************************************************
627 **
628 ** Function rw_mfc_send_to_lower
629 **
630 ** Description Send C-APDU to lower layer
631 **
632 ** Returns true if success
633 **
634 *******************************************************************************/
rw_mfc_send_to_lower(NFC_HDR * p_data)635 static bool rw_mfc_send_to_lower(NFC_HDR* p_data) {
636 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
637 /* Indicate first attempt to send command, back up cmd buffer in case needed
638 * for retransmission */
639 rw_cb.cur_retry = 0;
640 memcpy(p_mfc->p_cur_cmd_buf, p_data,
641 sizeof(NFC_HDR) + p_data->offset + p_data->len);
642
643 if (NFC_SendData(NFC_RF_CONN_ID, p_data) != NFC_STATUS_OK) {
644 LOG(ERROR) << __func__ << ": NFC_SendData () failed";
645 return false;
646 }
647
648 nfc_start_quick_timer(&rw_cb.tcb.mfc.timer, NFC_TTYPE_RW_MFC_RESPONSE,
649 (RW_MFC_TOUT_RESP * QUICK_TIMER_TICKS_PER_SEC) / 1000);
650
651 return true;
652 }
653
654 /*******************************************************************************
655 **
656 ** Function rw_mfc_process_timeout
657 **
658 ** Description handles timeout event
659 **
660 ** Returns none
661 **
662 *******************************************************************************/
rw_mfc_process_timeout(TIMER_LIST_ENT * p_tle)663 void rw_mfc_process_timeout(TIMER_LIST_ENT* p_tle) {
664 LOG(VERBOSE) << __func__ << " event=" << p_tle->event;
665
666 if (p_tle->event == NFC_TTYPE_RW_MFC_RESPONSE) {
667 rw_mfc_process_error();
668 } else {
669 LOG(ERROR) << __func__ << " unknown event=" << p_tle->event;
670 }
671 }
672
673 /*******************************************************************************
674 **
675 ** Function rw_mfc_conn_cback
676 **
677 ** Description This callback function receives the events/data from NFCC.
678 **
679 ** Returns none
680 **
681 *******************************************************************************/
rw_mfc_conn_cback(uint8_t conn_id,tNFC_CONN_EVT event,tNFC_CONN * p_data)682 static void rw_mfc_conn_cback(uint8_t conn_id, tNFC_CONN_EVT event,
683 tNFC_CONN* p_data) {
684 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
685 tRW_READ_DATA evt_data;
686 NFC_HDR* mfc_data = nullptr;
687 tRW_DATA rw_data;
688
689 if (!p_data) {
690 LOG(ERROR) << __func__ << "Invalid p_data";
691 return;
692 }
693
694 LOG(VERBOSE) << StringPrintf("%s conn_id=%i, evt=0x%x", __func__, conn_id,
695 event);
696 /* Only handle static conn_id */
697 if (conn_id != NFC_RF_CONN_ID) {
698 LOG(ERROR) << StringPrintf("%s Not static connection id =%d", __func__,
699 conn_id);
700 return;
701 }
702
703 switch (event) {
704 case NFC_CONN_CREATE_CEVT:
705 case NFC_CONN_CLOSE_CEVT:
706 break;
707
708 case NFC_DEACTIVATE_CEVT:
709
710 /* Stop mfc timer (if started) */
711 nfc_stop_quick_timer(&p_mfc->timer);
712 /* Free cmd buf for retransmissions */
713 if (p_mfc->p_cur_cmd_buf) {
714 GKI_freebuf(p_mfc->p_cur_cmd_buf);
715 p_mfc->p_cur_cmd_buf = NULL;
716 }
717
718 p_mfc->state = RW_MFC_STATE_NOT_ACTIVATED;
719 NFC_SetStaticRfCback(NULL);
720 return;
721
722 case NFC_DATA_CEVT:
723 if ((p_data != NULL) && (p_data->data.status == NFC_STATUS_OK)) {
724 mfc_data = (NFC_HDR*)p_data->data.p_data;
725 break;
726 }
727 /* Data event with error status...fall through to NFC_ERROR_CEVT case */
728 FALLTHROUGH_INTENDED;
729 case NFC_ERROR_CEVT:
730 if ((p_mfc->state == RW_MFC_STATE_NOT_ACTIVATED) ||
731 (p_mfc->state == RW_MFC_STATE_IDLE)) {
732 if (event == NFC_ERROR_CEVT) {
733 evt_data.status = (tNFC_STATUS)(*(uint8_t*)p_data);
734 } else if (p_data) {
735 evt_data.status = p_data->status;
736 }
737 evt_data.p_data = NULL;
738 (*rw_cb.p_cback)(RW_MFC_INTF_ERROR_EVT, (tRW_DATA*)&evt_data);
739 break;
740 }
741 nfc_stop_quick_timer(&p_mfc->timer);
742 break;
743
744 default:
745 break;
746 }
747
748 if ((p_mfc->state != RW_MFC_STATE_IDLE) && (mfc_data == NULL)) {
749 if (p_mfc->state != RW_MFC_STATE_NOT_ACTIVATED) {
750 LOG(ERROR) << StringPrintf("%s NULL pointer", __func__);
751 }
752 return;
753 }
754
755 switch (p_mfc->state) {
756 case RW_MFC_STATE_IDLE:
757 /* Unexpected R-APDU, it should be raw frame response */
758 /* forward to upper layer without parsing */
759 if (rw_cb.p_cback) {
760 rw_data.raw_frame.status = p_data->data.status;
761 rw_data.raw_frame.p_data = mfc_data;
762 (*(rw_cb.p_cback))(RW_MFC_RAW_FRAME_EVT, &rw_data);
763 mfc_data = NULL;
764 } else {
765 GKI_freebuf(mfc_data);
766 }
767 break;
768 case RW_MFC_STATE_DETECT_MAD:
769 rw_mfc_handle_mad_detect_rsp((uint8_t*)mfc_data);
770 GKI_freebuf(mfc_data);
771 break;
772 case RW_MFC_STATE_DETECT_TLV:
773 rw_mfc_handle_tlv_detect_rsp((uint8_t*)mfc_data);
774 GKI_freebuf(mfc_data);
775 break;
776
777 case RW_MFC_STATE_READ_NDEF:
778 rw_mfc_handle_ndef_read_rsp((uint8_t*)mfc_data);
779 GKI_freebuf(mfc_data);
780 break;
781 case RW_MFC_STATE_NOT_ACTIVATED:
782 LOG(VERBOSE) << __func__ << " RW_MFC_STATE_NOT_ACTIVATED";
783 /* p_r_apdu may send upper layer */
784 break;
785 case RW_MFC_STATE_NDEF_FORMAT:
786 rw_mfc_handle_format_rsp((uint8_t*)mfc_data);
787 GKI_freebuf(mfc_data);
788 break;
789 case RW_MFC_STATE_UPDATE_NDEF:
790 rw_mfc_handle_write_rsp((uint8_t*)mfc_data);
791 GKI_freebuf(mfc_data);
792 break;
793 default:
794 LOG(ERROR) << StringPrintf("%s : invalid state=%d", __func__,
795 p_mfc->state);
796 break;
797 }
798 }
799
800 /*******************************************************************************
801 **
802 ** Function rw_MfcCheckMad
803 **
804 ** Description This function checks the MAD sectors for NDEF capability.
805 **
806 **
807 ** Returns NFC_STATUS_OK if success
808 ** NFC_STATUS_FAILED if Mifare classic tag is busy or other
809 ** error
810 **
811 *******************************************************************************/
rw_MfcCheckMad()812 static tNFC_STATUS rw_MfcCheckMad() {
813 LOG(DEBUG) << __func__;
814
815 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
816 tNFC_STATUS success = NFC_STATUS_OK;
817
818 if (p_mfc->state != RW_MFC_STATE_IDLE) {
819 LOG(ERROR) << __func__
820 << "; Mifare Classic tag not activated or Busy - State:"
821 << p_mfc->state;
822 return NFC_STATUS_BUSY;
823 }
824 p_mfc->next_block.block = 1;
825 p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
826 p_mfc->state = RW_MFC_STATE_DETECT_MAD;
827 // MAD1 block
828 success = rw_mfc_readBlock(p_mfc->next_block.block);
829 if (success == NFC_STATUS_OK) {
830 p_mfc->state = RW_MFC_STATE_DETECT_MAD;
831 LOG(DEBUG) << __func__
832 << "; RW_MFC_STATE_DETECT_TLV state=" << p_mfc->state;
833 } else {
834 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
835 LOG(DEBUG) << __func__ << "; rw_MfcLocateTlv state=" << p_mfc->state;
836 }
837
838 return NFC_STATUS_OK;
839 }
840 /*******************************************************************************
841 **
842 ** Function rw_MfcLocateTlv
843 **
844 ** Description This function performs NDEF detection procedure
845 **
846 ** RW_MFC_NDEF_DETECT_EVT will be returned
847 **
848 ** Returns NFC_STATUS_OK if success
849 ** NFC_STATUS_FAILED if Mifare classic tag is busy or other
850 ** error
851 **
852 *******************************************************************************/
rw_MfcLocateTlv(uint8_t tlv_type)853 static tNFC_STATUS rw_MfcLocateTlv(uint8_t tlv_type) {
854 LOG(VERBOSE) << __func__;
855
856 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
857 tNFC_STATUS success = NFC_STATUS_OK;
858 if (mfc_read_mad()) {
859 if (p_mfc->state != RW_MFC_STATE_DETECT_MAD) {
860 LOG(ERROR) << StringPrintf(
861 "%s Mifare Classic tag not activated or Busy - State:%d", __func__,
862 p_mfc->state);
863
864 return NFC_STATUS_BUSY;
865 }
866 } else {
867 if (p_mfc->state != RW_MFC_STATE_IDLE) {
868 LOG(ERROR) << StringPrintf(
869 "%s Mifare Classic tag not activated or Busy - State:%d", __func__,
870 p_mfc->state);
871
872 return NFC_STATUS_BUSY;
873 }
874 }
875
876 if ((tlv_type != TAG_LOCK_CTRL_TLV) && (tlv_type != TAG_MEM_CTRL_TLV) &&
877 (tlv_type != TAG_NDEF_TLV) && (tlv_type != TAG_PROPRIETARY_TLV)) {
878 LOG(VERBOSE) << StringPrintf("%s - Cannot search TLV: 0x%02x", __func__,
879 tlv_type);
880 return NFC_STATUS_FAILED;
881 }
882 if (tlv_type == TAG_NDEF_TLV) {
883 p_mfc->ndef_length = 0;
884 p_mfc->ndef_start_pos = 0;
885 p_mfc->ndef_first_block = 0;
886 p_mfc->work_offset = 0;
887 p_mfc->ndef_status = MFC_NDEF_NOT_DETECTED;
888 }
889 if (mfc_read_mad()) {
890 for (int i = 0; i < 40; i++) {
891 if (p_mfc->mifare_ndefsector[i] == true) {
892 p_mfc->next_block.block = 4 * i;
893 break;
894 }
895 }
896 }
897 p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
898 p_mfc->state = RW_MFC_STATE_DETECT_TLV;
899
900 success = rw_mfc_readBlock(p_mfc->next_block.block);
901 if (success == NFC_STATUS_OK) {
902 p_mfc->state = RW_MFC_STATE_DETECT_TLV;
903 LOG(VERBOSE) << StringPrintf("%s RW_MFC_STATE_DETECT_TLV state=%d", __func__,
904 p_mfc->state);
905 } else {
906 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
907 LOG(VERBOSE) << StringPrintf("%s rw_MfcLocateTlv state=%d", __func__,
908 p_mfc->state);
909 }
910
911 return NFC_STATUS_OK;
912 }
913
914 /*******************************************************************************
915 **
916 ** Function rw_mfc_authenticate
917 **
918 ** Description This function performs the authentication of a given
919 ** block.
920 **
921 ** Returns true if success
922 **
923 *******************************************************************************/
rw_mfc_authenticate(int block,bool KeyA)924 static bool rw_mfc_authenticate(int block, bool KeyA) {
925 NFC_HDR* mfcbuf;
926 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
927 uint8_t* p;
928
929 LOG(VERBOSE) << __func__ << ": block:" << block;
930
931 uint8_t* KeyToUse;
932
933 mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
934
935 if (!mfcbuf) {
936 LOG(ERROR) << __func__ << ": Cannot allocate buffer";
937 return false;
938 }
939
940 mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
941 p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
942
943 if (KeyA) {
944 UINT8_TO_BE_STREAM(p, MFC_KeyA);
945 } else {
946 UINT8_TO_BE_STREAM(p, MFC_KeyB);
947 }
948
949 UINT8_TO_BE_STREAM(p, block);
950 ARRAY_TO_BE_STREAM(p, p_mfc->uid, 4);
951
952 if (p_mfc->state == RW_MFC_STATE_NDEF_FORMAT)
953 KeyToUse = KeyDefault;
954 else {
955 if (mfc_read_mad()) {
956 // support large memory size mapping
957 if ((block >= 0 && block < 4) || (block >= 64 && block < 68)) {
958 KeyToUse = KeyMAD;
959 } else {
960 KeyToUse = KeyNDEF;
961 }
962 } else {
963 if ((block >= 0 && block < 4)) {
964 KeyToUse = KeyMAD;
965 } else {
966 KeyToUse = KeyNDEF;
967 }
968 }
969 }
970 ARRAY_TO_BE_STREAM(p, KeyToUse, 6);
971
972 mfcbuf->len = 12;
973
974 if (!rw_mfc_send_to_lower(mfcbuf)) {
975 return false;
976 }
977 /* Backup the current substate to move back to this substate after changing
978 * sector */
979 p_mfc->prev_substate = p_mfc->substate;
980 p_mfc->substate = RW_MFC_SUBSTATE_WAIT_ACK;
981 return true;
982 }
983
984 /*******************************************************************************
985 **
986 ** Function rw_mfc_readBlock
987 **
988 ** Description This function read a given block.
989 **
990 ** Returns true if success
991 **
992 *******************************************************************************/
rw_mfc_readBlock(int block)993 static tNFC_STATUS rw_mfc_readBlock(int block) {
994 NFC_HDR* mfcbuf;
995 uint8_t* p;
996 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
997 int sectorlength = block / 4;
998 tNFC_STATUS status = NFC_STATUS_OK;
999
1000 LOG(VERBOSE) << __func__ << ": block : " << block;
1001
1002 if (block > 128) {
1003 sectorlength = (p_mfc->next_block.block - 128) / 16 + 32;
1004 }
1005
1006 if (sectorlength != p_mfc->sector_authentified) {
1007 if (rw_mfc_authenticate(block, true) == true) {
1008 LOG(DEBUG) << __func__ << ": RW_MFC_SUBSTATE_WAIT_ACK";
1009 return NFC_STATUS_OK;
1010 }
1011 return NFC_STATUS_FAILED;
1012 }
1013
1014 mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
1015
1016 if (!mfcbuf) {
1017 LOG(ERROR) << __func__ << ": Cannot allocate buffer";
1018 return NFC_STATUS_REJECTED;
1019 }
1020
1021 mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
1022 p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
1023
1024 UINT8_TO_BE_STREAM(p, MFC_Read);
1025 UINT8_TO_BE_STREAM(p, block);
1026
1027 mfcbuf->len = 2;
1028
1029 if (!rw_mfc_send_to_lower(mfcbuf)) {
1030 return NFC_STATUS_REJECTED;
1031 }
1032 p_mfc->current_block = block;
1033 p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
1034
1035 return status;
1036 }
1037 /*******************************************************************************
1038 **
1039 ** Function rw_mfc_handle_mad_detect_rsp
1040 **
1041 ** Description Handle MAD detection.
1042 **
1043 ** Returns none
1044 **
1045 *******************************************************************************/
rw_mfc_handle_mad_detect_rsp(uint8_t * p_data)1046 static void rw_mfc_handle_mad_detect_rsp(uint8_t* p_data) {
1047 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1048 NFC_HDR* mfc_data;
1049 uint8_t* p;
1050
1051 mfc_data = (NFC_HDR*)p_data;
1052 /* Assume the data is just the response byte sequence */
1053 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1054
1055 p_mfc->last_block_accessed.block = p_mfc->next_block.block;
1056 switch (p_mfc->substate) {
1057 case RW_MFC_SUBSTATE_WAIT_ACK:
1058 /* Search for the tlv */
1059 if (p[0] == 0x0) {
1060 p_mfc->next_block.auth = true;
1061 p_mfc->last_block_accessed.auth = true;
1062 p_mfc->sector_authentified = p_mfc->next_block.block / 4;
1063
1064 rw_mfc_resume_op();
1065 } else {
1066 p_mfc->next_block.auth = false;
1067 p_mfc->last_block_accessed.auth = false;
1068 LOG(DEBUG) << __func__ << "; status=" << p[0];
1069 nfc_stop_quick_timer(&p_mfc->timer);
1070 rw_mfc_process_error();
1071 }
1072 break;
1073
1074 case RW_MFC_SUBSTATE_READ_BLOCK:
1075 /* Search for the tlv */
1076 if (mfc_data->len == 0x10) {
1077 p_mfc->last_block_accessed.block = p_mfc->next_block.block;
1078 p_mfc->next_block.block += 1;
1079 p_mfc->next_block.auth = false;
1080 rw_mfc_handle_read_op((uint8_t*)mfc_data);
1081 } else if (mfc_read_mad()) {
1082 LOG(DEBUG) << __func__ << "; inval len status=" << p[0];
1083 nfc_stop_quick_timer(&p_mfc->timer);
1084 rw_mfc_process_error();
1085 }
1086 break;
1087 }
1088 }
1089
1090 /*******************************************************************************
1091 **
1092 ** Function rw_mfc_handle_tlv_detect_rsp
1093 **
1094 ** Description Handle TLV detection.
1095 **
1096 ** Returns none
1097 **
1098 *******************************************************************************/
rw_mfc_handle_tlv_detect_rsp(uint8_t * p_data)1099 static void rw_mfc_handle_tlv_detect_rsp(uint8_t* p_data) {
1100 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1101 NFC_HDR* mfc_data;
1102 uint8_t* p;
1103
1104 mfc_data = (NFC_HDR*)p_data;
1105 /* Assume the data is just the response byte sequence */
1106 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1107
1108 p_mfc->last_block_accessed.block = p_mfc->next_block.block;
1109 switch (p_mfc->substate) {
1110 case RW_MFC_SUBSTATE_WAIT_ACK:
1111 /* Search for the tlv */
1112 if (p[0] == 0x0) {
1113 p_mfc->next_block.auth = true;
1114 p_mfc->last_block_accessed.auth = true;
1115 p_mfc->sector_authentified = p_mfc->next_block.block / 4;
1116
1117 rw_mfc_resume_op();
1118 } else {
1119 p_mfc->next_block.auth = false;
1120 p_mfc->last_block_accessed.auth = false;
1121 LOG(VERBOSE) << StringPrintf("%s : status=%d", __func__, p[0]);
1122 nfc_stop_quick_timer(&p_mfc->timer);
1123 rw_mfc_process_error();
1124 }
1125 break;
1126
1127 case RW_MFC_SUBSTATE_READ_BLOCK:
1128 /* Search for the tlv */
1129 if (mfc_data->len == 0x10) {
1130 p_mfc->last_block_accessed.block = p_mfc->next_block.block;
1131 p_mfc->next_block.block += 1;
1132 p_mfc->next_block.auth = false;
1133 rw_mfc_handle_read_op((uint8_t*)mfc_data);
1134 } else if (mfc_read_mad()) {
1135 LOG(DEBUG) << __func__ << "; inval len status=" << p[0];
1136 nfc_stop_quick_timer(&p_mfc->timer);
1137 rw_mfc_process_error();
1138 }
1139 break;
1140 }
1141 }
1142 /*******************************************************************************
1143 **
1144 ** Function rw_mfc_resume_op
1145 **
1146 ** Description This function will continue operation after moving to new
1147 ** sector
1148 **
1149 ** Returns none
1150 **
1151 *******************************************************************************/
rw_mfc_resume_op()1152 static void rw_mfc_resume_op() {
1153 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1154
1155 switch (p_mfc->state) {
1156 case RW_MFC_STATE_DETECT_MAD:
1157 if (rw_mfc_readBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1158 LOG(ERROR) << __func__ << "; Error calling rw_mfc_readBlock()";
1159 }
1160 break;
1161 case RW_MFC_STATE_DETECT_TLV:
1162 if (rw_mfc_readBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1163 LOG(ERROR) << __func__ << "; Error calling rw_mfc_readBlock()";
1164 }
1165 break;
1166 case RW_MFC_STATE_READ_NDEF:
1167 if (rw_mfc_readBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1168 LOG(ERROR) << __func__ << "; Error calling rw_mfc_readBlock()";
1169 }
1170 break;
1171 case RW_MFC_STATE_NDEF_FORMAT:
1172 if (rw_mfc_formatBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1173 LOG(ERROR) << __func__ << "; Error calling rw_mfc_formatBlock()";
1174 }
1175 break;
1176 case RW_MFC_STATE_UPDATE_NDEF:
1177 if (rw_mfc_writeBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1178 LOG(ERROR) << __func__ << "; Error calling rw_mfc_writeBlock()";
1179 }
1180 break;
1181 }
1182 }
1183
1184 /*******************************************************************************
1185 **
1186 ** Function rw_mfc_handle_read_op
1187 **
1188 ** Description This function handles all the read operation.
1189 **
1190 ** Returns none
1191 **
1192 *******************************************************************************/
rw_mfc_handle_read_op(uint8_t * data)1193 static void rw_mfc_handle_read_op(uint8_t* data) {
1194 uint8_t* p;
1195 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1196 bool tlv_found = false;
1197 NFC_HDR* mfc_data;
1198 uint16_t len;
1199 uint16_t offset;
1200 uint16_t saved_length;
1201 bool failed = false;
1202 bool done = false;
1203 tRW_READ_DATA evt_data;
1204
1205 mfc_data = (NFC_HDR*)data;
1206 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1207
1208 switch (p_mfc->state) {
1209 case RW_MFC_STATE_DETECT_MAD:
1210 rw_nfc_StoreMad(data);
1211 if (p_mfc->current_block == 1 || p_mfc->current_block == 64 ||
1212 p_mfc->current_block ==
1213 65) { // need to read next block (2 or 65 or 66)
1214 if (rw_mfc_readBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1215 failed = true;
1216 LOG(DEBUG) << __func__ << "; FAILED reading next";
1217 }
1218 } else if (p_mfc->current_block == 2 && // 2 is last block of MAD1
1219 !(p_mfc->selres & RW_MFC_4K_Support)) {
1220 LOG(DEBUG) << __func__ << "; Finished reading the MAD1 sector";
1221 for (int k = 0; k < 16; k++) {
1222 LOG(DEBUG) << __func__ << "; k= " << k
1223 << " value = " << p_mfc->mifare_ndefsector[k];
1224 }
1225 rw_MfcLocateTlv(TAG_NDEF_TLV);
1226
1227 } else if (p_mfc->current_block == 2 && // 2 is last block of MAD1
1228 (p_mfc->selres & RW_MFC_4K_Support)) {
1229 p_mfc->next_block.block = 64;
1230 if (rw_mfc_readBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1231 failed = true;
1232 LOG(DEBUG) << __func__ << "; FAILED reading next";
1233 }
1234 } else if (p_mfc->current_block == 66) { // 66 is last block of MAD2
1235 LOG(DEBUG) << __func__ << "; Finished reading the MAD1 & MAD2 sectors";
1236 for (int k = 0; k < 40; k++) {
1237 LOG(DEBUG) << __func__ << "; k= " << k
1238 << " value = " << p_mfc->mifare_ndefsector[k];
1239 }
1240 rw_MfcLocateTlv(TAG_NDEF_TLV);
1241 }
1242
1243 break;
1244 case RW_MFC_STATE_DETECT_TLV:
1245 tlv_found = rw_nfc_decodeTlv(data);
1246 if (tlv_found) {
1247 p_mfc->ndef_status = MFC_NDEF_DETECTED;
1248 p_mfc->ndef_first_block = p_mfc->last_block_accessed.block;
1249 rw_mfc_ntf_tlv_detect_complete(NFC_STATUS_OK);
1250 } else if (mfc_read_mad()) {
1251 tRW_DETECT_NDEF_DATA ndef_data;
1252 ndef_data.status = NFC_STATUS_FAILED;
1253 ndef_data.protocol = NFC_PROTOCOL_MIFARE;
1254 ndef_data.flags = RW_NDEF_FL_UNKNOWN;
1255 ndef_data.max_size = 0;
1256 ndef_data.cur_size = 0;
1257 LOG(DEBUG) << __func__ << "; status=NFC_STATUS_FAILED";
1258 /* If not Halt move to idle state */
1259 rw_mfc_handle_op_complete();
1260
1261 (*rw_cb.p_cback)(RW_MFC_NDEF_DETECT_EVT, (tRW_DATA*)&ndef_data);
1262 }
1263 break;
1264
1265 case RW_MFC_STATE_READ_NDEF:
1266 /* On the first read, adjust for any partial block offset */
1267 offset = 0;
1268 len = RW_MFC_1K_BLOCK_SIZE;
1269 saved_length = p_mfc->ndef_length;
1270
1271 if (p_mfc->work_offset == 0) {
1272 if (!rw_nfc_decodeTlv(data)) {
1273 failed = true;
1274 LOG(VERBOSE) << __func__ << " FAILED finding TLV";
1275 }
1276 /* Ndef message offset update post response TLV decode */
1277 offset = p_mfc->ndef_start_pos;
1278 }
1279
1280 if (!failed && saved_length >= p_mfc->ndef_length) {
1281 /* Skip all reserved and lock bytes */
1282 while ((offset < len) && (p_mfc->work_offset < p_mfc->ndef_length))
1283
1284 {
1285 /* Collect the NDEF Message */
1286 p_mfc->p_ndef_buffer[p_mfc->work_offset] = p[offset];
1287 p_mfc->work_offset++;
1288 offset++;
1289 }
1290 } else {
1291 android_errorWriteLog(0x534e4554, "178725766");
1292 }
1293
1294 if (p_mfc->work_offset >= p_mfc->ndef_length) {
1295 done = true;
1296 p_mfc->ndef_status = MFC_NDEF_READ;
1297 } else {
1298 /* Read next blocks */
1299 if (rw_mfc_readBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1300 failed = true;
1301 LOG(VERBOSE) << __func__ << " FAILED reading next";
1302 }
1303 }
1304
1305 if (failed || done) {
1306 evt_data.status = failed ? NFC_STATUS_FAILED : NFC_STATUS_OK;
1307 evt_data.p_data = NULL;
1308 rw_mfc_handle_op_complete();
1309 (*rw_cb.p_cback)(RW_MFC_NDEF_READ_EVT, (tRW_DATA*)&evt_data);
1310 }
1311 break;
1312 }
1313 }
1314 /*******************************************************************************
1315 **
1316 ** Function rw_nfc_StoreMad
1317 **
1318 ** Description Store the MAD data in the Mifare Classic tag
1319 **
1320 ** Returns true if success
1321 **
1322 *******************************************************************************/
rw_nfc_StoreMad(uint8_t * data)1323 static bool rw_nfc_StoreMad(uint8_t* data) {
1324 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1325 NFC_HDR* mfc_data;
1326 uint8_t* p;
1327 uint8_t start_position = 1;
1328 uint8_t start_block = 0;
1329 mfc_data = (NFC_HDR*)data;
1330 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1331 int i = 0;
1332
1333 switch (p_mfc->current_block) {
1334 case 2:
1335 start_position = 0;
1336 start_block = 8;
1337 break;
1338 case 64:
1339 start_position = 1;
1340 start_block = 16;
1341 break;
1342 case 65:
1343 start_position = 0;
1344 start_block = 24;
1345 break;
1346 case 66:
1347 start_position = 0;
1348 start_block = 32;
1349 break;
1350 }
1351
1352 for (i = start_position; i < 8; i++) {
1353 if ((p[2 * i] == 0x03) && (p[2 * i + 1] == 0xE1))
1354 p_mfc->mifare_ndefsector[i + start_block] = true;
1355 }
1356 return true;
1357 }
1358
1359 /*******************************************************************************
1360 **
1361 ** Function rw_nfc_decodeTlv
1362 **
1363 ** Description Decode the NDEF data length from the Mifare TLV
1364 ** Leading null TLVs (0x0) are skipped
1365 **
1366 ** Returns true if success
1367 **
1368 *******************************************************************************/
rw_nfc_decodeTlv(uint8_t * data)1369 static bool rw_nfc_decodeTlv(uint8_t* data) {
1370 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1371 NFC_HDR* mfc_data;
1372 uint8_t* p;
1373
1374 mfc_data = (NFC_HDR*)data;
1375 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1376 int i = 0;
1377
1378 do {
1379 if (p[i] == 0x0) {
1380 // do nothing, skip
1381 } else if (p[i] == 0x3) {
1382 p_mfc->tlv_detect = TAG_NDEF_TLV;
1383 break;
1384
1385 } else {
1386 LOG(VERBOSE) << __func__ << ": Unknown TLV";
1387 p_mfc->tlv_detect = TAG_PROPRIETARY_TLV;
1388 break;
1389 }
1390 i++;
1391 } while (i < mfc_data->len);
1392
1393 LOG(VERBOSE) << __func__ << ": i=" << i;
1394
1395 if ((i + 1) >= mfc_data->len || i < 0 || p[i] != 0x3) {
1396 LOG(ERROR) << __func__ << ": Can't decode message length";
1397 } else {
1398 if (p[i + 1] != 0xFF) {
1399 p_mfc->ndef_length = p[i + 1];
1400 p_mfc->ndef_start_pos = i + RW_MFC_SHORT_TLV_SIZE;
1401 LOG(VERBOSE) << __func__ << " short NDEF SIZE=" << p_mfc->ndef_length;
1402 return true;
1403 } else if ((i + 3) < mfc_data->len) {
1404 p_mfc->ndef_length = (((uint16_t)p[i + 2]) << 8) | ((uint16_t)(p[i + 3]));
1405 p_mfc->ndef_start_pos = i + RW_MFC_LONG_TLV_SIZE;
1406 LOG(VERBOSE) << __func__ << " long NDEF SIZE=" << p_mfc->ndef_length;
1407 return true;
1408 } else {
1409 LOG(ERROR) << __func__ << ": Can't decode ndef length";
1410 }
1411 }
1412 return false;
1413 }
1414
1415 /*******************************************************************************
1416 **
1417 ** Function rw_mfc_ntf_tlv_detect_complete
1418 **
1419 ** Description Notify TLV detection complete to upper layer
1420 **
1421 ** Returns none
1422 **
1423 *******************************************************************************/
rw_mfc_ntf_tlv_detect_complete(tNFC_STATUS status)1424 static void rw_mfc_ntf_tlv_detect_complete(tNFC_STATUS status) {
1425 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1426 tRW_DETECT_NDEF_DATA ndef_data = {};
1427
1428 LOG(VERBOSE) << __func__;
1429 if (p_mfc->tlv_detect == TAG_NDEF_TLV) {
1430 /* Notify upper layer the result of NDEF detect op */
1431 ndef_data.status = NFC_STATUS_OK; // status;
1432 ndef_data.protocol = NFC_PROTOCOL_MIFARE;
1433 ndef_data.flags = 0;
1434 ndef_data.cur_size = p_mfc->ndef_length;
1435
1436 if (status == NFC_STATUS_OK) {
1437 ndef_data.flags |= RW_NDEF_FL_FORMATED;
1438 }
1439
1440 // TODO - calculate max size based on MAD sectr NFC_AID condition
1441 // Set max size as format condition
1442 if (p_mfc->selres & RW_MFC_4K_Support) {
1443 ndef_data.max_size = mfc_read_mad() ? 3360 : 3356;
1444 } else {
1445 ndef_data.max_size = 716;
1446 }
1447
1448 rw_mfc_handle_op_complete();
1449 (*rw_cb.p_cback)(RW_MFC_NDEF_DETECT_EVT, (tRW_DATA*)&ndef_data);
1450 }
1451 }
1452
1453 /*******************************************************************************
1454 **
1455 ** Function RW_MfcReadNDef
1456 **
1457 ** Description Retrieve NDEF contents from a Mifare Classic tag..
1458 **
1459 ** The RW_MFC_NDEF_READ_EVT event is used to notify the
1460 ** application after reading the NDEF message.
1461 **
1462 ** Before using this API, the RW_MfcReadNDef function must
1463 ** be called to verify that the tag contains NDEF data, and to
1464 ** retrieve the NDEF attributes.
1465 **
1466 ** Internally, this command will be separated into multiple
1467 ** Mifare Classic Read commands (if necessary) - depending
1468 ** on the NDEF Msg size.
1469 **
1470 ** Parameters: p_buffer: The buffer into which to read the NDEF message
1471 ** buf_len: The length of the buffer
1472 **
1473 ** Returns NCI_STATUS_OK, if read was started. Otherwise, error
1474 ** status.
1475 **
1476 *******************************************************************************/
RW_MfcReadNDef(uint8_t * p_buffer,uint16_t buf_len)1477 tNFC_STATUS RW_MfcReadNDef(uint8_t* p_buffer, uint16_t buf_len) {
1478 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1479 tNFC_STATUS status = NFC_STATUS_OK;
1480
1481 if (p_mfc->state != RW_MFC_STATE_IDLE) {
1482 LOG(ERROR) << StringPrintf(
1483 "%s Mifare Classic tag not activated or Busy - State=%d", __func__,
1484 p_mfc->state);
1485 return NFC_STATUS_FAILED;
1486 }
1487
1488 if (p_mfc->ndef_status == MFC_NDEF_NOT_DETECTED) {
1489 LOG(ERROR) << __func__ << " NDEF detection not performed yet";
1490 return NFC_STATUS_FAILED;
1491 }
1492
1493 if (buf_len < p_mfc->ndef_length) {
1494 LOG(ERROR) << __func__ << " buffer size=" << buf_len
1495 << "less than NDEF msg sise=" << p_mfc->ndef_length;
1496 return NFC_STATUS_FAILED;
1497 }
1498
1499 if (!p_mfc->ndef_length) {
1500 LOG(ERROR) << __func__ << " NDEF Message length is zero ";
1501 return NFC_STATUS_NOT_INITIALIZED;
1502 }
1503
1504 p_mfc->p_ndef_buffer = p_buffer;
1505 p_mfc->work_offset = 0;
1506
1507 p_mfc->last_block_accessed.block = 0;
1508 p_mfc->next_block.block = p_mfc->ndef_first_block;
1509 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
1510
1511 /* Start reading NDEF Message */
1512 status = rw_mfc_readBlock(p_mfc->next_block.block);
1513 if (status == NFC_STATUS_OK) {
1514 p_mfc->state = RW_MFC_STATE_READ_NDEF;
1515 }
1516
1517 return status;
1518 }
1519
1520 /*****************************************************************************
1521 **
1522 ** Function rw_mfc_handle_op_complete
1523 **
1524 ** Description Reset to IDLE state
1525 **
1526 ** Returns none
1527 **
1528 *****************************************************************************/
rw_mfc_handle_op_complete(void)1529 static void rw_mfc_handle_op_complete(void) {
1530 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1531
1532 p_mfc->last_block_accessed.auth = false;
1533 p_mfc->next_block.auth = false;
1534 p_mfc->current_block = 0;
1535 p_mfc->state = RW_MFC_STATE_IDLE;
1536 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
1537 return;
1538 }
1539
1540 /*******************************************************************************
1541 **
1542 ** Function rw_mfc_handle_ndef_read_rsp
1543 **
1544 ** Description Handle TLV detection.
1545 **
1546 ** Returns none
1547 **
1548 *******************************************************************************/
rw_mfc_handle_ndef_read_rsp(uint8_t * p_data)1549 static void rw_mfc_handle_ndef_read_rsp(uint8_t* p_data) {
1550 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1551 NFC_HDR* mfc_data;
1552 uint8_t* p;
1553
1554 mfc_data = (NFC_HDR*)p_data;
1555 /* Assume the data is just the response byte sequence */
1556 p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1557
1558 switch (p_mfc->substate) {
1559 case RW_MFC_SUBSTATE_WAIT_ACK:
1560 /* Search for the tlv */
1561 p_mfc->last_block_accessed.block = p_mfc->current_block;
1562
1563 if (p[0] == 0x0) {
1564 p_mfc->next_block.auth = true;
1565 p_mfc->last_block_accessed.auth = true;
1566
1567 if (p_mfc->current_block < 128) {
1568 p_mfc->sector_authentified = p_mfc->next_block.block / 4;
1569 }
1570
1571 else
1572 p_mfc->sector_authentified =
1573 (p_mfc->next_block.block - 128) / 16 + 32;
1574
1575 rw_mfc_resume_op();
1576 LOG(VERBOSE) << StringPrintf(
1577 "rw_mfc_handle_ndef_read_rsp () sector authentified: %d",
1578 p_mfc->sector_authentified);
1579 } else {
1580 p_mfc->next_block.auth = false;
1581 p_mfc->last_block_accessed.auth = false;
1582 if (mfc_read_mad()) {
1583 LOG(DEBUG) << __func__ << "; status=" << p[0];
1584 nfc_stop_quick_timer(&p_mfc->timer);
1585 rw_mfc_process_error();
1586 }
1587 }
1588 break;
1589
1590 case RW_MFC_SUBSTATE_READ_BLOCK:
1591 /* Search for the tlv */
1592
1593 if (mfc_data->len == 0x10) {
1594 p_mfc->last_block_accessed.block = p_mfc->current_block;
1595
1596 if (p_mfc->current_block % 4 == 2) {
1597 p_mfc->next_block.block = p_mfc->current_block + 2;
1598 } else {
1599 p_mfc->next_block.block = p_mfc->current_block + 1;
1600 }
1601
1602 /* Do not read block 16 (MAD2) - Mifare Classic4 k */
1603 if (p_mfc->next_block.block == 64) {
1604 p_mfc->next_block.block += 4;
1605 }
1606
1607 if ((p_mfc->selres & RW_MFC_4K_Support) &&
1608 (p_mfc->next_block.block >= 128)) {
1609 if (p_mfc->current_block % 16 == 14) {
1610 p_mfc->next_block.block = p_mfc->current_block + 2;
1611 } else {
1612 p_mfc->next_block.block = p_mfc->current_block + 1;
1613 }
1614 }
1615
1616 p_mfc->next_block.auth = false;
1617 rw_mfc_handle_read_op((uint8_t*)mfc_data);
1618 } else if (mfc_read_mad()) {
1619 LOG(DEBUG) << __func__ << "; inval len status=" << p[0];
1620 nfc_stop_quick_timer(&p_mfc->timer);
1621 rw_mfc_process_error();
1622 }
1623 break;
1624 }
1625 }
1626
1627 /*******************************************************************************
1628 **
1629 ** Function rw_mfc_process_error
1630 **
1631 ** Description Process error including Timeout, Frame error. This function
1632 ** will retry atleast till RW_MAX_RETRIES before give up and
1633 ** sending negative notification to upper layer
1634 **
1635 ** Returns none
1636 **
1637 *******************************************************************************/
rw_mfc_process_error()1638 static void rw_mfc_process_error() {
1639 tRW_READ_DATA evt_data = tRW_READ_DATA();
1640 tRW_EVENT rw_event = RW_MFC_NDEF_DETECT_EVT;
1641 NFC_HDR* p_cmd_buf;
1642 tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1643 tRW_DETECT_NDEF_DATA ndef_data;
1644
1645 LOG(VERBOSE) << StringPrintf("%s State=%d", __func__, p_mfc->state);
1646
1647 evt_data.status = NFC_STATUS_FAILED;
1648
1649 /* Retry sending command if retry-count < max */
1650 if (rw_cb.cur_retry < RW_MAX_RETRIES) {
1651 /* check if buffer is NULL due to NFC Off request in parellel */
1652 if (!p_mfc->p_cur_cmd_buf) {
1653 LOG(ERROR) << StringPrintf("%s: p_mfc->p_cur_cmd_buf null", __func__);
1654 return;
1655 }
1656 /* retry sending the command */
1657 rw_cb.cur_retry++;
1658
1659 LOG(VERBOSE) << __func__ << "Mifare Classic retransmission attempt "
1660 << rw_cb.cur_retry << " of " << RW_MAX_RETRIES;
1661
1662 /* allocate a new buffer for message */
1663 p_cmd_buf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
1664 if (p_cmd_buf != NULL) {
1665 memcpy(p_cmd_buf, p_mfc->p_cur_cmd_buf,
1666 sizeof(NFC_HDR) + p_mfc->p_cur_cmd_buf->offset +
1667 p_mfc->p_cur_cmd_buf->len);
1668
1669 if (NFC_SendData(NFC_RF_CONN_ID, p_cmd_buf) == NFC_STATUS_OK) {
1670 /* Start timer for waiting for response */
1671 nfc_start_quick_timer(
1672 &p_mfc->timer, NFC_TTYPE_RW_MFC_RESPONSE,
1673 (RW_MFC_TOUT_RESP * QUICK_TIMER_TICKS_PER_SEC) / 1000);
1674
1675 return;
1676 }
1677 }
1678 } else {
1679 LOG(VERBOSE) << __func__ << "MFC maximum retransmission attempts reached "
1680 << RW_MAX_RETRIES;
1681 }
1682
1683 if (p_mfc->state == RW_MFC_STATE_DETECT_TLV) {
1684 rw_event = RW_MFC_NDEF_DETECT_EVT;
1685 } else if (p_mfc->state == RW_MFC_STATE_READ_NDEF) {
1686 rw_event = RW_MFC_NDEF_READ_EVT;
1687 } else if (p_mfc->state == RW_MFC_STATE_UPDATE_NDEF) {
1688 rw_event = RW_MFC_NDEF_WRITE_FAIL_EVT;
1689 } else if (p_mfc->state == RW_MFC_STATE_NDEF_FORMAT) {
1690 rw_event = RW_MFC_NDEF_FORMAT_CPLT_EVT;
1691 }
1692
1693 if (rw_event == RW_MFC_NDEF_DETECT_EVT) {
1694 ndef_data.status = evt_data.status;
1695 ndef_data.protocol = NFC_PROTOCOL_MIFARE;
1696 ndef_data.flags = RW_NDEF_FL_UNKNOWN;
1697 ndef_data.max_size = 0;
1698 ndef_data.cur_size = 0;
1699 LOG(VERBOSE) << StringPrintf("%s status=%d", __func__, evt_data.status);
1700 /* If not Halt move to idle state */
1701 rw_mfc_handle_op_complete();
1702
1703 (*rw_cb.p_cback)(rw_event, (tRW_DATA*)&ndef_data);
1704 } else {
1705 evt_data.p_data = NULL;
1706 /* If activated and not Halt move to idle state */
1707 if (p_mfc->state != RW_MFC_STATE_NOT_ACTIVATED) {
1708 rw_mfc_handle_op_complete();
1709 }
1710
1711 LOG(VERBOSE) << StringPrintf("%s status=%d", __func__, evt_data.status);
1712 p_mfc->substate = RW_MFC_SUBSTATE_NONE;
1713 (*rw_cb.p_cback)(rw_event, (tRW_DATA*)&evt_data);
1714 }
1715 }
1716