3 * neard - Near Field Communication manager
5 * Copyright (C) 2012 Intel Corporation. All rights reserved.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
29 #include <sys/socket.h>
31 #include <linux/socket.h>
32 #include <linux/nfc.h>
34 #include <near/plugin.h>
36 #include <near/types.h>
37 #include <near/adapter.h>
39 #include <near/ndef.h>
42 /* NXP Application Notes:
44 * http://www.nxp.com/technical-support-portal/53420/71108/application-notes
48 int mifare_read(uint32_t adapter_idx, uint32_t target_idx,
49 near_tag_io_cb cb, enum near_tag_sub_type tgt_subtype);
51 /* MIFARE command set */
52 #define MF_CMD_WRITE 0xA2
53 #define MF_CMD_READ 0x30
54 #define MF_CMD_AUTH_KEY_A 0x60
56 #define NFC_AID_TAG 0xE103
58 /* Define boundaries for 1K / 2K / 4K
59 * 1K: sector 0 to 15 (3 blocks each + trailer block )
60 * 2K: sector 0 to 31 (3 blocks each + trailer block )
61 * 4K: sector 0 to 31 (3 blocks each + trailer block )
62 * and sector 32 to 39 (15 blocks each + trailer block )
64 #define DEFAULT_BLOCK_SIZE 16 /* MF_CMD_READ */
66 #define STD_BLK_SECT_TRAILER 4 /* bl per sect with trailer 1K/2K */
67 #define EXT_BLK_SECT_TRAILER 16 /* bl per sect with trailer 4K */
69 #define STD_BLK_PER_SECT 3 /* 1 sect == 3blocks */
70 #define EXT_BLK_PER_SECT 15 /* for 4K tags */
72 /* Usual sector size, including trailer */
73 #define STD_SECTOR_SIZE (4 * DEFAULT_BLOCK_SIZE) /* 00-31 */
74 #define EXT_SECTOR_SIZE (16 * DEFAULT_BLOCK_SIZE) /* 32-39 */
76 /* Usual sector size, without trailer */
77 #define SECTOR_SIZE (3 * DEFAULT_BLOCK_SIZE)
78 #define BIG_SECTOR_SIZE (15 * DEFAULT_BLOCK_SIZE)
80 #define T4K_BOUNDARY 32
81 #define T4K_BLK_OFF 0x80 /* blocks count before sector 32 */
84 #define WITH_TRAILER 1
87 /* Default MAD keys. Key length = 6 bytes */
89 static uint8_t MAD_public_key[] = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5};
90 static uint8_t MAD_NFC_key[] = {0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7};
92 #define MAD1_SECTOR 0x00 /* Sector 0 is for MAD1 */
93 #define MAD1_1ST_BLOCK 0x00 /* 1st block of sector 0 */
94 #define MAD2_GPB_BITS 0x02 /* MAD v2 flag */
96 #define MAD2_SECTOR 0x10 /* Sector 0 is for MAD2 */
97 #define MAD2_1ST_BLOCK 0x40 /* 1st block of MAD2 */
99 #define MAD_V1_AIDS_LEN 15 /* 1 to 0x0F */
100 #define MAD_V2_AIDS_LEN 23 /*0x11 to 0x27 */
102 /* MAD1 sector structure. Start at block 0x00 */
104 uint8_t man_info[16];
106 uint16_t aids[MAD_V1_AIDS_LEN];
108 uint8_t key_A[MAD_KEY_LEN];
109 uint8_t access_cond[3];
111 uint8_t key_B[MAD_KEY_LEN];
112 } __attribute__((packed));
114 /* MAD2 sector structure. Start at block 0x40 */
117 uint16_t aids[MAD_V2_AIDS_LEN];
119 uint8_t key_A[MAD_KEY_LEN];
120 uint8_t access_cond[3];
122 uint8_t key_B[MAD_KEY_LEN];
123 } __attribute__((packed));
125 struct mifare_cookie {
126 uint32_t adapter_idx;
131 struct near_tag *tag;
133 near_recv next_far_func;
138 GSList *g_sect_list; /* Global sectors list */
140 /* For read functions */
141 near_recv rs_next_fct; /* next function */
142 int rs_block_start; /* first block */
143 int rs_block_end; /* last block */
144 int rs_completed; /* read blocks */
145 int rs_length; /* read length */
146 uint8_t *rs_pmem; /* Stored read sector */
147 int rs_max_length; /* available size */
149 size_t nfc_data_length;
156 } __attribute__((packed));
161 uint8_t key[MAD_KEY_LEN];
162 uint8_t nfcid[NFC_NFCID1_MAXSIZE];
163 } __attribute__((packed));
165 /* Common free func */
166 static int mifare_release(int err, struct mifare_cookie *cookie)
173 if (err < 0 && cookie->cb) {
174 cookie->cb(cookie->adapter_idx, cookie->target_idx, err);
175 near_adapter_disconnect(cookie->adapter_idx);
178 /* Now free allocs */
179 g_free(cookie->nfcid1);
180 g_slist_free(cookie->g_sect_list);
181 g_free(cookie->mad_1);
182 g_free(cookie->mad_2);
189 /* Mifare_generic MAD unlock block function
190 * This function send unlock code to the tag, and so, allow access
191 * to the complete related sector.
193 static int mifare_unlock_sector(int block_id,
194 near_recv next_far_fct,
197 struct mifare_cmd cmd;
198 struct mifare_cookie *cookie = data;
201 /* For MADs sectors we use public key A (a0a1a2a3a4a5) but
202 * for NFC sectors we use NFC_KEY_A (d3f7d3f7d3f7)
204 if ((block_id == MAD1_1ST_BLOCK) || (block_id == MAD2_1ST_BLOCK))
205 key_ref = MAD_public_key;
207 key_ref = MAD_NFC_key;
209 /* CMD AUTHENTICATION */
210 cmd.cmd = MF_CMD_AUTH_KEY_A;
212 /* We want to authenticate the 1st bloc of the sector */
213 cmd.block = block_id;
215 /* Store the AUTH KEY */
216 memcpy(&cmd.key, key_ref, MAD_KEY_LEN);
219 memcpy(&cmd.nfcid, cookie->nfcid1, cookie->nfcid1_len);
221 return near_adapter_send(cookie->adapter_idx, (uint8_t *)&cmd,
222 sizeof(cmd) - NFC_NFCID1_MAXSIZE + cookie->nfcid1_len,
227 /* Common MIFARE Bloc read:
228 * Each call will read 16 bytes from tag... so to read 1 sector,
229 * we must call it 4 times or 16 times (minus 1 or not for the trailer block)
231 * data: mifare_cookie *mf_ck
232 * mf_ck->read_block: block number to read
234 static int mifare_read_block(uint8_t block_id,
238 struct type2_cmd cmd;
239 struct mifare_cookie *mf_ck = data;
241 cmd.cmd = MF_CMD_READ; /* MIFARE READ */
242 cmd.block = block_id;
244 return near_adapter_send(mf_ck->adapter_idx,
249 static int mifare_read_sector_cb(uint8_t *resp, int length, void *data)
251 struct mifare_cookie *mf_ck = data;
260 length = length - 1; /* ignore first byte - Reader byte */
262 /* save the length: */
263 mf_ck->rs_length = mf_ck->rs_length + length;
265 memcpy(mf_ck->rs_pmem + mf_ck->rs_completed * DEFAULT_BLOCK_SIZE,
266 resp + 1,/* ignore reader byte */
270 mf_ck->rs_completed = mf_ck->rs_completed + 1;
272 if ((mf_ck->rs_block_start + mf_ck->rs_completed) < mf_ck->rs_block_end)
273 err = mifare_read_block(
274 (mf_ck->rs_block_start + mf_ck->rs_completed),
276 mifare_read_sector_cb);
278 /* Now Process the callback ! */
279 err = (*mf_ck->rs_next_fct)(mf_ck->rs_pmem,
280 mf_ck->rs_length, data);
288 return mifare_release(err, mf_ck);
291 static int mifare_read_sector_unlocked(uint8_t *resp, int length, void *data)
293 struct mifare_cookie *mf_ck = data;
300 /* And run the read process on the first block of the sector */
301 err = mifare_read_block(mf_ck->rs_block_start, data,
302 mifare_read_sector_cb);
312 /* This function reads a complete sector, using block per block function.
313 * sector sizes can be:
315 * 48 bytes: 3*16 no trailer
316 * 64 bytes: 4*16 with trailer
318 * 240 bytes: 15*16 no trailer
319 * 256 bytes: 16*16 with trailer
321 * Unlock is done at the beginning of first sector.
323 static int mifare_read_sector(void *cookie,
324 uint8_t *pmem, /* memory to fill */
325 uint16_t memsize, /* remaining free size */
326 uint8_t sector_id, /* sector to read */
327 near_bool_t trailer, /* Add trailer or not */
330 struct mifare_cookie *mf_ck = cookie;
336 /* Prepare call values */
337 mf_ck->rs_pmem = pmem; /* where to store */
338 mf_ck->rs_max_length = memsize; /* max size to store */
339 mf_ck->rs_length = 0; /* no bytes yet */
340 mf_ck->rs_completed = 0; /* blocks read */
342 /* According to tag size, compute the correct block offset */
343 if (sector_id < T4K_BOUNDARY)
344 mf_ck->rs_block_start = sector_id * 4; /* 1st block to read */
346 mf_ck->rs_block_start =
347 (sector_id - T4K_BOUNDARY) * 16 + T4K_BLK_OFF;
349 /* Find blocks_per_sect, according to position and trailer or not */
350 if (sector_id < T4K_BOUNDARY)
351 blocks_count = (STD_BLK_PER_SECT + trailer);
353 blocks_count = (EXT_BLK_PER_SECT + trailer);
355 mf_ck->rs_block_end = mf_ck->rs_block_start + blocks_count;
357 mf_ck->rs_next_fct = next_func; /* leaving function */
359 /* As we are on the first block of a sector, we unlock it */
360 err = mifare_unlock_sector(mf_ck->rs_block_start,
361 mifare_read_sector_unlocked, mf_ck);
366 static int mifare_read_NFC_loop(uint8_t *resp, int length, void *data)
368 struct mifare_cookie *mf_ck = data;
378 /* ptr to the next read ptr */
379 mf_ck->nfc_data = mf_ck->nfc_data + length;
381 /* remaining free mem */
382 mf_ck->nfc_data_length = mf_ck->nfc_data_length - length;
385 /* Additional sectors to read ? */;
386 if (mf_ck->g_sect_list->next != NULL) {
388 err = mifare_read_sector(data, /* cookie */
389 mf_ck->nfc_data, /* where to store */
390 (int) mf_ck->nfc_data_length, /* global length */
391 GPOINTER_TO_INT(mf_ck->g_sect_list->data), /* id */
392 NO_TRAILER, /* Trailer ? */
393 mifare_read_NFC_loop); /* next function */
395 mf_ck->g_sect_list = g_slist_remove(mf_ck->g_sect_list,
396 mf_ck->g_sect_list->data);
404 size_t nfc_data_length;
408 nfc_data = near_tag_get_data(mf_ck->tag, &nfc_data_length);
409 if (nfc_data == NULL) {
414 records = near_tlv_parse(nfc_data, nfc_data_length);
415 near_tag_add_records(mf_ck->tag, records, mf_ck->cb, 0);
421 return mifare_release(err, mf_ck);
424 /* Prepare read NFC loop
426 static int mifare_read_NFC(void *data)
428 struct mifare_cookie *mf_ck = data;
431 /* save tag memory pointer to data_block */
432 mf_ck->nfc_data = near_tag_get_data(mf_ck->tag,
433 &mf_ck->nfc_data_length);
435 /* First read here: */
436 err = mifare_read_sector(data, /* cookie */
437 mf_ck->nfc_data, /* where to store */
438 mf_ck->nfc_data_length, /* global length */
439 GPOINTER_TO_INT(mf_ck->g_sect_list->data), /* sector id */
440 NO_TRAILER, /* Don't want Trailer */
441 mifare_read_NFC_loop); /* next function */
443 mf_ck->g_sect_list = g_slist_remove(mf_ck->g_sect_list,
444 mf_ck->g_sect_list->data);
450 return mifare_release(err, mf_ck);
453 static int mifare_process_MADs(void *data)
455 struct mifare_cookie *mf_ck = data;
458 int global_tag_size = 0;
463 /* Parse MAD entries to get the global size and fill the array */
464 if (mf_ck->mad_1 == NULL) {
469 for (i = 0; i < MAD_V1_AIDS_LEN; i++) {
470 if (mf_ck->mad_1->aids[i] != NFC_AID_TAG)
473 /* Save in the global list */
474 mf_ck->g_sect_list = g_slist_append(mf_ck->g_sect_list,
475 GINT_TO_POINTER(i + 1));
476 global_tag_size += SECTOR_SIZE;
480 ioffset = MAD_V1_AIDS_LEN + 1 + 1; /* skip 0x10 */
481 if (mf_ck->mad_2 == NULL)
484 for (i = 0; i < MAD_V2_AIDS_LEN; i++) {
485 if (mf_ck->mad_2->aids[i] != NFC_AID_TAG)
488 mf_ck->g_sect_list = g_slist_append( mf_ck->g_sect_list,
489 GINT_TO_POINTER(ioffset + i));
490 if (i < EXT_BLK_PER_SECT)
491 global_tag_size += SECTOR_SIZE;
493 global_tag_size += BIG_SECTOR_SIZE;
497 /* n sectors, each sector is 3 blocks, each block is 16 bytes */
498 DBG("TAG Global size: [%d]", global_tag_size);
500 err = near_tag_add_data(mf_ck->adapter_idx,
507 mf_ck->tag = near_tag_get_tag(mf_ck->adapter_idx, mf_ck->target_idx);
508 if (mf_ck->tag == NULL) {
513 /* Time to read the NFC data */
514 err = mifare_read_NFC(mf_ck);
519 return mifare_release(err, mf_ck);
522 /* Transitional function - async
524 static int read_MAD2_complete(uint8_t *empty, int iempty, void *data)
526 return mifare_process_MADs(data);
529 /* This function reads the MAD2 sector
531 static int mifare_read_MAD2(void *data)
533 struct mifare_cookie *mf_ck = data;
538 /* As auth is ok, we allocate Mifare Access Directory v1 */
539 mf_ck->mad_2 = g_try_malloc0(STD_SECTOR_SIZE);
540 if (mf_ck->mad_2 == NULL) {
541 near_error("Memory allocation failed (MAD2)");
546 err = mifare_read_sector(data,
547 (uint8_t *) mf_ck->mad_2,
548 (int) STD_SECTOR_SIZE,
549 MAD2_SECTOR, /* sector 0x10 */
550 WITH_TRAILER, /* Want Trailer */
558 return mifare_release(err, mf_ck);
561 /* This function checks, in MAD1, if there's a MAD2 directory
562 * available. This is is the case for 2K and 4K tag
563 * If MAD2 exists, we want to read it, elsewhere we process the
566 static int read_MAD1_complete(uint8_t *empty, int iempty, void *data)
568 struct mifare_cookie *mf_ck = data;
573 /* Check if we need to get MAD2 sector (bits 0..1)*/
574 if ((mf_ck->mad_1->GPB & 0x03) == MAD2_GPB_BITS)
575 err = mifare_read_MAD2(mf_ck);
577 err = mifare_process_MADs(data);
582 /* Function called to read the first MAD sector
585 static int mifare_read_MAD1(uint8_t *resp, int length, void *data)
587 struct mifare_cookie *mf_ck = data;
590 DBG("%p %d", data, length);
597 /* As auth is ok, we allocate Mifare Access Directory v1
598 * allocated size is also STD_SECTOR_SIZE */
599 mf_ck->mad_1 = g_try_malloc0(STD_SECTOR_SIZE);
600 if (mf_ck->mad_1 == NULL) {
601 near_error("Memory allocation failed (MAD1)");
606 /* Call to mifare_read_sector */
607 err = mifare_read_sector(data,
608 (uint8_t *)mf_ck->mad_1, /* where to store */
609 (int) STD_SECTOR_SIZE, /* allocated size */
610 MAD1_SECTOR, /* sector 0 */
611 WITH_TRAILER, /* Want Trailer */
619 return mifare_release(err, mf_ck);
622 /* MIFARE: entry point:
623 * Read all the MAD sectors (0x00, 0x10) to get the Application Directory
625 * On sector 0x00, App. directory is on block 0x01 & block 0x02
626 * On sector 0x10, App. directory is on block 0x40, 0x41 & 0x42
627 * On reading, we ignore the CRC.
629 int mifare_read(uint32_t adapter_idx, uint32_t target_idx,
630 near_tag_io_cb cb, enum near_tag_sub_type tgt_subtype)
632 struct mifare_cookie *cookie;
637 /*Check supported and tested Mifare type */
638 switch (tgt_subtype) {
639 case NEAR_TAG_NFC_T2_MIFARE_CLASSIC_1K:
640 case NEAR_TAG_NFC_T2_MIFARE_CLASSIC_4K:
643 near_error("Mifare tag type [%d] not supported.", tgt_subtype);
647 /* Alloc global cookie */
648 cookie = g_try_malloc0(sizeof(struct mifare_cookie));
653 cookie->nfcid1 = near_tag_get_nfcid(adapter_idx, target_idx,
654 &cookie->nfcid1_len);
655 cookie->adapter_idx = adapter_idx;
656 cookie->target_idx = target_idx;
659 /* Need to unlock before reading
660 * This will check if public keys are allowed (and, so, NDEF could
663 err = mifare_unlock_sector(MAD1_1ST_BLOCK, /* related block */
664 mifare_read_MAD1, /* callback function */
665 cookie); /* target data */
667 return mifare_release(err, cookie);