How Can I Read NFC Card with IsoDep?

Roger · Apr 15, 2014 · Viewed 13k times

I want to read an RFID card through NFC. The card is from the local transportation system in Bogotá, Colombia. I know this is possible because I've downloaded an Android app that does just this!

My progress so far: when I put the phone over the card, my app is launched with the ACTION_TECH_DISCOVERED intent, and I can read things like the card UID, but I don't know how to read the info I want, specifically the money on the card.

I've read here on Stack Overflow that what I need to do is find the application I want to access and send APDU commands, but it looks like my card doesn't have any application, because when I explore the card with any Android app, it always says "Found 0 Applications". So, I don't know where I must get this info.

The tech info for my card is:

  • TAG ID: 08 8B E2 D1 RF
  • Technology: TYPE A (ISO/IEC 14443 Type A)
  • TAG TYPE: ISO/IEC 14443-4 Smart Card
  • ATQA: 0004
  • SAK: 20
  • HISTORICAL BYTES: 01112003
  • TECHNOLOGY CLASSES: android.nfc.tech.IsoDep, android.nfc.tech.NfcA

Thanks!

Answer

Michael Roland · Apr 15, 2014

> I've [read] here in stackoverflow that what I need to do is find the application I want to access and send APDU commands.

Correct, that is exactly what you need to do. Once you have this information (i.e. a specification of the card's communication protocol), you would do something like the following:

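```java
import android.nfc.NfcAdapter;
import android.nfc.Tag;
import android.nfc.tech.IsoDep;

// intent: the ACTION_TECH_DISCOVERED intent that launched the activity
Tag tag = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
IsoDep isoDep = IsoDep.get(tag);
if (isoDep != null) {
    try {
        isoDep.connect();

        // SELECT_APDU = 00 A4 0400 <Lc> <APPLICATION ID>
        byte[] response = isoDep.transceive(SELECT_APDU);

        // TODO: send further APDU commands according to the protocol specification
        //response = isoDep.transceive(APDU);
    } finally {
        isoDep.close(); // release the tag even if connect()/transceive() throws
    }
}
```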

> [...] but it looks like my card doesn't have any application because exploring the card with any android app, it always says Found 0 Applications.

This usually only means that there is no application on the card *that is known to the scanner app*. Many ISO-DEP cards do not have a publicly readable directory of applications that are available on the card. (Though some cards may have an EF.DIR or something similar.)

> So, I don't know where I must get this info.

Right, that's usually the tricky part. There are several approaches to this:

  1. Ask the transport system operator for the specification.
  2. Check if the card has an EF.DIR (or similar) and lists something in there (though this will only give you a starting point as it still does not reveal the card's protocol).
  3. Check if the card has a GlobalPlatform security domain/card manager and if that card manager is accessible with default keys (Google will help you find further reading). If it does, GP provides commands to list installed applications. Regarding the protocol, the same as in 2. applies.
  4. Reverse engineer the app that you know can access the card. (Note that this may be illegal in your country and/or prohibited by the app's license agreement.)
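
An added example (not code from the answer above): it builds the SELECT APDU in the `00 A4 0400 <Lc> <APPLICATION ID>` form shown in the snippet and pulls AIDs out of an EF.DIR record, as in approach 2. It is plain Java so it runs off-device; on Android the byte arrays would be passed to `isoDep.transceive()`. The class name `ApduHelper`, its method names and the sample record are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ApduHelper {
    /** SELECT by DF name, in the form used above: 00 A4 04 00 <Lc> <AID>. */
    static byte[] selectByAid(byte[] aid) {
        if (aid.length < 5 || aid.length > 16)
            throw new IllegalArgumentException("AID must be 5..16 bytes");
        byte[] apdu = new byte[5 + aid.length];
        apdu[1] = (byte) 0xA4;        // INS = SELECT (CLA stays 0x00)
        apdu[2] = 0x04;               // P1 = select by DF name (P2 stays 0x00)
        apdu[4] = (byte) aid.length;  // Lc
        System.arraycopy(aid, 0, apdu, 5, aid.length);
        return apdu;
    }

    /** Status word SW1SW2 is the last two bytes of a response APDU; 0x9000 means success. */
    static int statusWord(byte[] rsp) {
        if (rsp == null || rsp.length < 2) throw new IllegalArgumentException("short response");
        return ((rsp[rsp.length - 2] & 0xFF) << 8) | (rsp[rsp.length - 1] & 0xFF);
    }

    /** AIDs (tag 4F) found inside application templates (tag 61) of one EF.DIR record. */
    static List<byte[]> aidsFromDirRecord(byte[] rec) {
        List<byte[]> aids = new ArrayList<>();
        walk(rec, 0, rec.length, false, aids);
        return aids;
    }

    // Handles one-byte tags with short-form lengths only; stops on anything else.
    private static void walk(byte[] b, int pos, int end, boolean inTemplate, List<byte[]> out) {
        while (pos + 2 <= end) {
            int tag = b[pos] & 0xFF, len = b[pos + 1] & 0xFF, start = pos + 2;
            if (len > 0x7F || start + len > end) return; // long-form or truncated TLV
            if (tag == 0x61 && !inTemplate) walk(b, start, start + len, true, out);
            else if (tag == 0x4F && inTemplate) out.add(Arrays.copyOfRange(b, start, start + len));
            pos = start + len;
        }
    }

    public static void main(String[] args) {
        // Constructed record, not from a real card: 61 0B { 4F 05 <AID>, 50 02 "TX" }
        byte[] rec = {0x61, 0x0B, 0x4F, 0x05, (byte) 0xA0, 0, 0, 0, 1, 0x50, 0x02, 'T', 'X'};
        for (byte[] aid : aidsFromDirRecord(rec)) {
            StringBuilder hex = new StringBuilder();
            for (byte x : selectByAid(aid)) hex.append(String.format("%02X", x));
            System.out.println("SELECT APDU: " + hex);
        }
        // Constructed response holding only a status word (6A82 = file or application not found)
        System.out.printf("SW=%04X%n", statusWord(new byte[] {0x6A, (byte) 0x82}));
    }
}
```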