3 * neard - Near Field Communication manager
5 * Copyright (C) 2012 Intel Corporation. All rights reserved.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
29 #include <sys/socket.h>
31 #include <linux/socket.h>
32 #include <linux/nfc.h>
34 #include <near/plugin.h>
36 #include <near/types.h>
37 #include <near/adapter.h>
38 #include <near/target.h>
40 #include <near/ndef.h>
43 /* NXP Application Notes:
45 * http://www.nxp.com/technical-support-portal/53420/71108/application-notes
49 int mifare_read_tag(uint32_t adapter_idx, uint32_t target_idx,
50 near_tag_io_cb cb, enum near_tag_sub_type tgt_subtype);
52 /* MIFARE command set */
53 #define MF_CMD_WRITE 0xA2
54 #define MF_CMD_READ 0x30
55 #define MF_CMD_AUTH_KEY_A 0x60
57 #define NFC_AID_TAG 0xE103
59 /* Define boundaries for 1K / 2K / 4K
60 * 1K: sector 0 to 15 (3 blocks each + trailer block )
61 * 2K: sector 0 to 31 (3 blocks each + trailer block )
62 * 4K: sector 0 to 31 (3 blocks each + trailer block )
63 * and sector 32 to 39 (15 blocks each + trailer block )
65 #define DEFAULT_BLOCK_SIZE 16 /* MF_CMD_READ */
67 #define STD_BLK_SECT_TRAILER 4 /* bl per sect with trailer 1K/2K */
68 #define EXT_BLK_SECT_TRAILER 16 /* bl per sect with trailer 4K */
70 #define STD_BLK_PER_SECT 3 /* 1 sect == 3blocks */
71 #define EXT_BLK_PER_SECT 15 /* for 4K tags */
73 /* Usual sector size, including trailer */
74 #define STD_SECTOR_SIZE (4 * DEFAULT_BLOCK_SIZE) /* 00-31 */
75 #define EXT_SECTOR_SIZE (16 * DEFAULT_BLOCK_SIZE) /* 32-39 */
77 /* Usual sector size, without trailer */
78 #define SECTOR_SIZE (3 * DEFAULT_BLOCK_SIZE)
79 #define BIG_SECTOR_SIZE (15 * DEFAULT_BLOCK_SIZE)
81 #define T4K_BOUNDARY 32
82 #define T4K_BLK_OFF 0x80 /* blocks count before sector 32 */
85 #define WITH_TRAILER 1
88 /* Default MAD keys. Key length = 6 bytes */
90 static uint8_t MAD_public_key[] = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5};
91 static uint8_t MAD_NFC_key[] = {0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7};
93 #define MAD1_SECTOR 0x00 /* Sector 0 is for MAD1 */
94 #define MAD1_1ST_BLOCK 0x00 /* 1st block of sector 0 */
95 #define MAD2_GPB_BITS 0x02 /* MAD v2 flag */
97 #define MAD2_SECTOR 0x10 /* Sector 0 is for MAD2 */
98 #define MAD2_1ST_BLOCK 0x40 /* 1st block of MAD2 */
100 #define MAD_V1_AIDS_LEN 15 /* 1 to 0x0F */
101 #define MAD_V2_AIDS_LEN 23 /*0x11 to 0x27 */
103 /* MAD1 sector structure. Start at block 0x00 */
105 uint8_t man_info[16];
107 uint16_t aids[MAD_V1_AIDS_LEN];
109 uint8_t key_A[MAD_KEY_LEN];
110 uint8_t access_cond[3];
112 uint8_t key_B[MAD_KEY_LEN];
113 } __attribute__((packed));
115 /* MAD2 sector structure. Start at block 0x40 */
118 uint16_t aids[MAD_V2_AIDS_LEN];
120 uint8_t key_A[MAD_KEY_LEN];
121 uint8_t access_cond[3];
123 uint8_t key_B[MAD_KEY_LEN];
124 } __attribute__((packed));
126 struct mifare_cookie {
127 uint32_t adapter_idx;
132 struct near_tag *tag;
134 near_recv next_far_func;
139 GSList *g_sect_list; /* Global sectors list */
141 /* For read functions */
142 near_recv rs_next_fct; /* next function */
143 int rs_block_start; /* first block */
144 int rs_block_end; /* last block */
145 int rs_completed; /* read blocks */
146 int rs_length; /* read length */
147 uint8_t *rs_pmem; /* Stored read sector */
148 int rs_max_length; /* available size */
157 } __attribute__((packed));
162 uint8_t key[MAD_KEY_LEN];
163 uint8_t nfcid[NFC_NFCID1_MAXSIZE];
164 } __attribute__((packed));
166 /* Common free func */
167 static int mifare_release(int err, struct mifare_cookie *cookie)
174 if (err < 0 && cookie->cb) {
175 cookie->cb(cookie->adapter_idx, cookie->target_idx, err);
176 near_adapter_disconnect(cookie->adapter_idx);
179 /* Now free allocs */
180 g_free(cookie->nfcid1);
181 g_slist_free(cookie->g_sect_list);
182 g_free(cookie->mad_1);
183 g_free(cookie->mad_2);
190 /* Mifare_generic MAD unlock block function
191 * This function send unlock code to the tag, and so, allow access
192 * to the complete related sector.
194 static int mifare_unlock_sector(int block_id,
195 near_recv next_far_fct,
198 struct mifare_cmd cmd;
199 struct mifare_cookie *cookie = data;
202 /* For MADs sectors we use public key A (a0a1a2a3a4a5) but
203 * for NFC sectors we use NFC_KEY_A (d3f7d3f7d3f7)
205 if ((block_id == MAD1_1ST_BLOCK) || (block_id == MAD2_1ST_BLOCK))
206 key_ref = MAD_public_key;
208 key_ref = MAD_NFC_key;
210 /* CMD AUTHENTICATION */
211 cmd.cmd = MF_CMD_AUTH_KEY_A;
213 /* We want to authenticate the 1st bloc of the sector */
214 cmd.block = block_id;
216 /* Store the AUTH KEY */
217 memcpy(&cmd.key, key_ref, MAD_KEY_LEN);
220 memcpy(&cmd.nfcid, cookie->nfcid1, cookie->nfcid1_len);
222 return near_adapter_send(cookie->adapter_idx, (uint8_t *)&cmd,
223 sizeof(cmd) - NFC_NFCID1_MAXSIZE + cookie->nfcid1_len,
228 /* Common MIFARE Bloc read:
229 * Each call will read 16 bytes from tag... so to read 1 sector,
230 * we must call it 4 times or 16 times (minus 1 or not for the trailer block)
232 * data: mifare_cookie *mf_ck
233 * mf_ck->read_block: block number to read
235 static int mifare_read_block(uint8_t block_id,
239 struct type2_cmd cmd;
240 struct mifare_cookie *mf_ck = data;
242 cmd.cmd = MF_CMD_READ; /* MIFARE READ */
243 cmd.block = block_id;
245 return near_adapter_send(mf_ck->adapter_idx,
250 static int mifare_read_sector_cb(uint8_t *resp, int length, void *data)
252 struct mifare_cookie *mf_ck = data;
261 length = length - 1; /* ignore first byte - Reader byte */
263 /* save the length: */
264 mf_ck->rs_length = mf_ck->rs_length + length;
266 memcpy(mf_ck->rs_pmem + mf_ck->rs_completed * DEFAULT_BLOCK_SIZE,
267 resp + 1,/* ignore reader byte */
271 mf_ck->rs_completed = mf_ck->rs_completed + 1;
273 if ((mf_ck->rs_block_start + mf_ck->rs_completed) < mf_ck->rs_block_end)
274 err = mifare_read_block(
275 (mf_ck->rs_block_start + mf_ck->rs_completed),
277 mifare_read_sector_cb);
279 /* Now Process the callback ! */
280 err = (*mf_ck->rs_next_fct)(mf_ck->rs_pmem,
281 mf_ck->rs_length, data);
289 return mifare_release(err, mf_ck);
292 static int mifare_read_sector_unlocked(uint8_t *resp, int length, void *data)
294 struct mifare_cookie *mf_ck = data;
301 /* And run the read process on the first block of the sector */
302 err = mifare_read_block(mf_ck->rs_block_start, data,
303 mifare_read_sector_cb);
313 /* This function reads a complete sector, using block per block function.
314 * sector sizes can be:
316 * 48 bytes: 3*16 no trailer
317 * 64 bytes: 4*16 with trailer
319 * 240 bytes: 15*16 no trailer
320 * 256 bytes: 16*16 with trailer
322 * Unlock is done at the beginning of first sector.
324 static int mifare_read_sector(void *cookie,
325 uint8_t *pmem, /* memory to fill */
326 uint16_t memsize, /* remaining free size */
327 uint8_t sector_id, /* sector to read */
328 near_bool_t trailer, /* Add trailer or not */
331 struct mifare_cookie *mf_ck = cookie;
337 /* Prepare call values */
338 mf_ck->rs_pmem = pmem; /* where to store */
339 mf_ck->rs_max_length = memsize; /* max size to store */
340 mf_ck->rs_length = 0; /* no bytes yet */
341 mf_ck->rs_completed = 0; /* blocks read */
343 /* According to tag size, compute the correct block offset */
344 if (sector_id < T4K_BOUNDARY)
345 mf_ck->rs_block_start = sector_id * 4; /* 1st block to read */
347 mf_ck->rs_block_start =
348 (sector_id - T4K_BOUNDARY) * 16 + T4K_BLK_OFF;
350 /* Find blocks_per_sect, according to position and trailer or not */
351 if (sector_id < T4K_BOUNDARY)
352 blocks_count = (STD_BLK_PER_SECT + trailer);
354 blocks_count = (EXT_BLK_PER_SECT + trailer);
356 mf_ck->rs_block_end = mf_ck->rs_block_start + blocks_count;
358 mf_ck->rs_next_fct = next_func; /* leaving function */
360 /* As we are on the first block of a sector, we unlock it */
361 err = mifare_unlock_sector(mf_ck->rs_block_start,
362 mifare_read_sector_unlocked, mf_ck);
367 static int mifare_read_NFC_loop(uint8_t *resp, int length, void *data)
369 struct mifare_cookie *mf_ck = data;
379 /* ptr to the next read ptr */
380 mf_ck->nfc_data = mf_ck->nfc_data + length;
382 /* remaining free mem */
383 mf_ck->nfc_data_length = mf_ck->nfc_data_length - length;
386 /* Addtionnal sectors to read ? */;
387 if (mf_ck->g_sect_list->next != NULL) {
389 err = mifare_read_sector(data, /* cookie */
390 mf_ck->nfc_data, /* where to store */
391 (int) mf_ck->nfc_data_length, /* global length */
392 GPOINTER_TO_INT(mf_ck->g_sect_list->data), /* id */
393 NO_TRAILER, /* Trailer ? */
394 mifare_read_NFC_loop); /* next function */
396 mf_ck->g_sect_list = g_slist_remove(mf_ck->g_sect_list,
397 mf_ck->g_sect_list->data);
404 err = near_tlv_parse(mf_ck->tag, mf_ck->cb);
408 return mifare_release(err, mf_ck);
411 /* Prepare read NFC loop
413 static int mifare_read_NFC(void *data)
415 struct mifare_cookie *mf_ck = data;
418 /* save tag memory pointer to data_block */
419 mf_ck->nfc_data = near_tag_get_data(mf_ck->tag,
420 (size_t *)&mf_ck->nfc_data_length);
422 /* First read here: */
423 err = mifare_read_sector(data, /* cookie */
424 mf_ck->nfc_data, /* where to store */
425 mf_ck->nfc_data_length, /* global length */
426 GPOINTER_TO_INT(mf_ck->g_sect_list->data), /* sector id */
427 NO_TRAILER, /* Don't want Trailer */
428 mifare_read_NFC_loop); /* next function */
430 mf_ck->g_sect_list = g_slist_remove(mf_ck->g_sect_list,
431 mf_ck->g_sect_list->data);
437 return mifare_release(err, mf_ck);
440 static int mifare_process_MADs(void *data)
442 struct mifare_cookie *mf_ck = data;
445 int global_tag_size = 0;
450 /* Parse MAD entries to get the global size and fill the array */
451 if (mf_ck->mad_1 == NULL) {
456 for (i = 0; i < MAD_V1_AIDS_LEN; i++) {
457 if (mf_ck->mad_1->aids[i] != NFC_AID_TAG)
460 /* Save in the global list */
461 mf_ck->g_sect_list = g_slist_append(mf_ck->g_sect_list,
462 GINT_TO_POINTER(i + 1));
463 global_tag_size += SECTOR_SIZE;
467 ioffset = MAD_V1_AIDS_LEN + 1 + 1; /* skip 0x10 */
468 if (mf_ck->mad_2 == NULL)
471 for (i = 0; i < MAD_V2_AIDS_LEN; i++) {
472 if (mf_ck->mad_2->aids[i] != NFC_AID_TAG)
475 mf_ck->g_sect_list = g_slist_append( mf_ck->g_sect_list,
476 GINT_TO_POINTER(ioffset + i));
477 if (i < EXT_BLK_PER_SECT)
478 global_tag_size += SECTOR_SIZE;
480 global_tag_size += BIG_SECTOR_SIZE;
484 /* n sectors, each sector is 3 blocks, each block is 16 bytes */
485 DBG("TAG Global size: [%d]", global_tag_size);
487 err = near_tag_add_data(mf_ck->adapter_idx,
494 mf_ck->tag = near_tag_get_tag(mf_ck->adapter_idx, mf_ck->target_idx);
495 if (mf_ck->tag == NULL) {
500 /* Time to read the NFC data */
501 err = mifare_read_NFC(mf_ck);
506 return mifare_release(err, mf_ck);
509 /* Transitional function - async
511 static int read_MAD2_complete(uint8_t *empty, int iempty, void *data)
513 return mifare_process_MADs(data);
516 /* This function reads the MAD2 sector
518 static int mifare_read_MAD2(void *data)
520 struct mifare_cookie *mf_ck = data;
525 /* As auth is ok, we allocate Mifare Access Directory v1 */
526 mf_ck->mad_2 = g_try_malloc0(STD_SECTOR_SIZE);
527 if (mf_ck->mad_2 == NULL) {
528 near_error("Memory allocation failed (MAD2)");
533 err = mifare_read_sector(data,
534 (uint8_t *) mf_ck->mad_2,
535 (int) STD_SECTOR_SIZE,
536 MAD2_SECTOR, /* sector 0x10 */
537 WITH_TRAILER, /* Want Trailer */
545 return mifare_release(err, mf_ck);
548 /* This function checks, in MAD1, if there's a MAD2 directory
549 * available. This is is the case for 2K and 4K tag
550 * If MAD2 exists, we want to read it, elsewhere we process the
553 static int read_MAD1_complete(uint8_t *empty, int iempty, void *data)
555 struct mifare_cookie *mf_ck = data;
560 /* Check if we need to get MAD2 sector (bits 0..1)*/
561 if ((mf_ck->mad_1->GPB & 0x03) == MAD2_GPB_BITS)
562 err = mifare_read_MAD2(mf_ck);
564 err = mifare_process_MADs(data);
569 /* Function called to read the first MAD sector
572 static int mifare_read_MAD1(uint8_t *resp, int length, void *data)
574 struct mifare_cookie *mf_ck = data;
577 DBG("%p %d", data, length);
584 /* As auth is ok, we allocate Mifare Access Directory v1
585 * allocated size is also STD_SECTOR_SIZE */
586 mf_ck->mad_1 = g_try_malloc0(STD_SECTOR_SIZE);
587 if (mf_ck->mad_1 == NULL) {
588 near_error("Memory allocation failed (MAD1)");
593 /* Call to mifare_read_sector */
594 err = mifare_read_sector(data,
595 (uint8_t *)mf_ck->mad_1, /* where to store */
596 (int) STD_SECTOR_SIZE, /* allocated size */
597 MAD1_SECTOR, /* sector 0 */
598 WITH_TRAILER, /* Want Trailer */
606 return mifare_release(err, mf_ck);
610 /* MIFARE: entry point:
611 * Read all the MAD sectors (0x00, 0x10) to get the Application Directory
613 * On sector 0x00, App. directory is on block 0x01 & block 0x02
614 * On sector 0x10, App. directory is on block 0x40, 0x41 & 0x42
615 * On reading, we ignore the CRC.
617 int mifare_read_tag(uint32_t adapter_idx, uint32_t target_idx,
618 near_tag_io_cb cb, enum near_tag_sub_type tgt_subtype)
620 struct mifare_cookie *cookie;
625 /*Check supported and tested Mifare type */
626 switch (tgt_subtype) {
627 case NEAR_TAG_NFC_T2_MIFARE_CLASSIC_1K:
628 case NEAR_TAG_NFC_T2_MIFARE_CLASSIC_4K:
631 near_error("Mifare tag type [%d] not supported.", tgt_subtype);
635 /* Alloc global cookie */
636 cookie = g_try_malloc0(sizeof(struct mifare_cookie));
639 cookie->nfcid1 = near_tag_get_nfcid(adapter_idx, target_idx,
640 &cookie->nfcid1_len);
641 cookie->adapter_idx = adapter_idx;
642 cookie->target_idx = target_idx;
645 /* Need to unlock before reading
646 * This will check if public keys are allowed (and, so, NDEF could
649 err = mifare_unlock_sector(MAD1_1ST_BLOCK, /* related block */
650 mifare_read_MAD1, /* callback function */
651 cookie); /* target data */
653 return mifare_release(err, cookie);