
We are now developing a payment card with NXP NQ220 (has embedded SE, called eSE) on Android N. The platform is MTK. Now, we can interact with eSE using OMA (using org.simalliance.openmobileapi.jar). It works as expected.

I was wondering if there is any way to open a channel in a session without an AID? Besides, is there any way to control the power of the eSE (power-on and power-off) and to reset the eSE in some situations?

My investigation is as follows:

  1. About opening a channel without an AID, I found the following sentences on page 16 of the Open Mobile API specification V3.

> (h) Method: Channel openLogicalChannel(byte[] aid, Byte P2)
> Open a logical channel with the SE, selecting the applet represented by the given AID. If the AID is null, which means no applet is to be selected on this channel, the default applet is used. It's up to the SE to choose which logical channel will be used.

However, if we set aid to null in openLogicalChannel(byte[] aid), the following exception is shown. What is happening here? Does the default applet or the eSE have a problem?

    01-30 01:06:39.941 V/SmartcardService( 2587): OpenLogicalChannel Exception: Access Control Enforcer: no APDU access allowed!
    01-30 01:06:39.947 E/SeControlClient( 3239): Error occured:
    01-30 01:06:39.947 E/SeControlClient( 3239): java.lang.SecurityException: Access Control Enforcer: no APDU access allowed!
    01-30 01:06:39.947 E/SeControlClient( 3239):    at org.simalliance.openmobileapi.SEService.checkForException(SEService.java:255)
    01-30 01:06:39.947 E/SeControlClient( 3239):    at org.simalliance.openmobileapi.Session.openLogicalChannel(Session.java:295)

  2. It seems there is no method in OMA to reset the eSE. But I found a reset() method in INxpNfcAdapterExtras. However, when I use INxpNfcAdapterExtras.reset(), it always returns false. The following code is how we get INxpNfcAdapterExtras.

    private INxpNfcAdapterExtras getNxpNfcAdapterExtras() {  
        if (mNfcAdapter != null) {  
            try {  
                INxpNfcAdapter nxpNfcAdapter =  
                    mNfcAdapter.getService().getNxpNfcAdapterInterface();     
                return nxpNfcAdapter.getNxpNfcAdapterExtrasInterface();  
            } catch (Exception e) {  
                Log.e(LOGTAG, "Exception occured:", e);  
            }  
        } else {  
            Log.e(LOGTAG, "Please initialize NfcAdapter first.");  
        }  
        return null;   
    }
    
  3. About controlling the power of the eSE, is it related to the platform? Can you give me some suggestions? Thank you very much.

Sojoy
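
An added example (not part of the original post and not NXP's code) of opening a logical channel with an explicit AID through the Open Mobile API and telling the access-control denial shown in the log above apart from a missing applet or an I/O failure. The class name, the "eSE" reader-name prefix and the returned strings are assumptions; the AID and APDU are supplied by the caller.

```java
import java.io.IOException;
import java.util.NoSuchElementException;

import org.simalliance.openmobileapi.Channel;
import org.simalliance.openmobileapi.Reader;
import org.simalliance.openmobileapi.SEService;
import org.simalliance.openmobileapi.Session;

/** Added example: opens a logical channel to an applet and reports why it failed. */
public final class EseChannelProbe {
    // Assumption: the eSE reader name starts with "eSE"; reader names are device-specific.
    private static final String ESE_READER_PREFIX = "eSE";

    /** Call after SEService.CallBack#serviceConnected() has fired, off the main thread. */
    public static String probe(SEService service, byte[] aid, byte[] apdu) {
        for (Reader reader : service.getReaders()) {
            if (!reader.getName().startsWith(ESE_READER_PREFIX)) continue;
            if (!reader.isSecureElementPresent()) return "eSE reader found, SE not present";
            Session session = null;
            try {
                session = reader.openSession();
                Channel channel = session.openLogicalChannel(aid);
                if (channel == null) return "no free logical channel on the SE";
                byte[] rsp = channel.transmit(apdu);
                return "status word: " + statusWord(rsp);
            } catch (SecurityException e) {
                // Raised when the access control enforcer refuses the caller,
                // e.g. "Access Control Enforcer: no APDU access allowed!"
                return "denied by access control: " + e.getMessage();
            } catch (NoSuchElementException e) {
                return "applet with this AID is not available on the SE";
            } catch (IOException e) {
                return "communication error: " + e.getMessage();
            } finally {
                if (session != null) session.close(); // also closes channels opened on it
            }
        }
        return "no eSE reader found";
    }

    /** Last two bytes of the response APDU (SW1 SW2) as hex. */
    private static String statusWord(byte[] rsp) {
        if (rsp == null || rsp.length < 2) return "(short response)";
        return String.format("%02X%02X", rsp[rsp.length - 2], rsp[rsp.length - 1]);
    }
}
```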

2 Answers

  1. Don't know.

  2. To access SE functions, your application must be executed as the owner of the Android device.

You could check this in : https://github.com/NXPNFCLinux/android_nxp-nci/blob/1d95fe24334fa12c9d9eccd1141f8739972c4288/aosp/packages/apps/Nfc/src/com/android/nfc/NfcService.java

The reset method checks the permission first:

    public boolean reset(String pkg) throws RemoteException {
        NfcService.this.enforceNfceeAdminPerm(pkg);
        Bundle result;
        boolean stat = false;
        try {
            stat = _nfcEeReset();
            result = writeNoException();
        } catch (IOException e) {
            result = writeEeException(EE_ERROR_IO, e.getMessage());
        }
        Log.d(TAG,"reset" + stat);
        return stat;
    }

The permission check method:

    public void enforceNfceeAdminPerm(String pkg) {
        if (pkg == null) {
            throw new SecurityException("caller must pass a package name");
        }
        NfcPermissions.enforceUserPermissions(mContext);
        if (!mNfceeAccessControl.check(Binder.getCallingUid(), pkg)) {
            throw new SecurityException(NfceeAccessControl.NFCEE_ACCESS_PATH +
                    " denies NFCEE access to " + pkg);
        }
        if (UserHandle.getCallingUserId() != UserHandle.USER_OWNER) {
            throw new SecurityException("only the owner is allowed to call SE APIs");
        }
    }

To execute your app as device owner, you could follow my answer here: Device Admin API, how to be a device owner?

  3. I'm not sure what you mean by "control the power of eSE". If it's switching the eSE on/off, then the eSE is integrated with the NFC chip, so if you disable NFC in Android the eSE will be powered off.

LaurentY
  • About the second point, I have added some logs in the code and found that the following call in reset() always returns false. I think it may be related to the hardware or the NFC driver. Do you have any idea? stat = _nfcEeReset(); About the third point, your understanding is right and we just want to enable & disable the eSE. Is there any way other than enabling & disabling NFC to solve this problem? – Sojoy Apr 05 '17 at 01:36
  • 2. Do you still have a "return false" with a device owner app? 3. It's the only way I know – LaurentY Apr 05 '17 at 07:23
  • 2. Yes, I do. 3. I have found the following file. In chapter 2.3, I found "Power-up and power-down reset". But I can't find how to use it. Maybe I need NXP's help. http://www.bdtic.com/DataSheet/NXP/P5CD016_021_041_51_CX081_FAM_SDS.pdf – Sojoy Apr 05 '17 at 09:56
  • @Sojoy Is it useful? – LaurentY Apr 20 '17 at 10:24
  • Not useful for me. – Sojoy Apr 24 '17 at 07:06

I have found another way to solve this issue. It uses NXP's own class NxpNfcAdapterExtrasService.

1. I still don't know why the exception happens when we open a channel using the default applet (without an AID). But, with the method in NxpNfcAdapterExtrasService, we can establish a connection with the eSE.

2. About the second question: the code is right, but the way INxpNfcAdapterExtras.reset() was used is wrong. This method will return true only when you do something with the eSE, like transmitting and executing APDU commands. So you can use this method when you want to disconnect the connection with the eSE.

3. About the third question, I don't know whether the openUicc()/closeUicc() methods can control the eSE power. But it seems these two methods work as expected.

Sojoy