• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*****************************************************************************
2  * Copyright (C) 2015 ST Microelectronics S.A.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *******************************************************************************/
16 
17 /******************************************************************************
18  *
19  *  This file contains the implementation for Mifare Classic tag in
20  *  Reader/Writer mode.
21  *
22  ******************************************************************************/
23 #include <android-base/stringprintf.h>
24 #include <base/logging.h>
25 #include <log/log.h>
26 #include <string.h>
27 
28 #include "bt_types.h"
29 #include "gki.h"
30 #include "nfc_api.h"
31 #include "nfc_int.h"
32 #include "nfc_target.h"
33 #include "rw_api.h"
34 #include "rw_int.h"
35 #include "tags_int.h"
36 
37 #define MFC_KeyA 0x60
38 #define MFC_KeyB 0x61
39 #define MFC_Read 0x30
40 #define MFC_Write 0xA0
41 
42 /* main state */
43 /* Mifare Classic is not activated */
44 #define RW_MFC_STATE_NOT_ACTIVATED 0x00
45 /* waiting for upper layer API */
46 #define RW_MFC_STATE_IDLE 0x01
47 /* performing NDEF detection precedure */
48 #define RW_MFC_STATE_DETECT_NDEF 0x02
49 /* performing read NDEF procedure */
50 #define RW_MFC_STATE_READ_NDEF 0x03
51 /* performing update NDEF procedure */
52 #define RW_MFC_STATE_UPDATE_NDEF 0x04
53 /* checking presence of tag */
54 #define RW_MFC_STATE_PRESENCE_CHECK 0x05
55 /* convert tag to read only */
56 #define RW_MFC_STATE_SET_READ_ONLY 0x06
57 /* detect tlv */
58 #define RW_MFC_STATE_DETECT_TLV 0x7
59 /* NDef Format */
60 #define RW_MFC_STATE_NDEF_FORMAT 0x8
61 
62 #define RW_MFC_SUBSTATE_NONE 0x00
63 #define RW_MFC_SUBSTATE_IDLE 0x01
64 #define RW_MFC_SUBSTATE_WAIT_ACK 0x02
65 #define RW_MFC_SUBSTATE_READ_BLOCK 0x03
66 #define RW_MFC_SUBSTATE_FORMAT_BLOCK 0x04
67 #define RW_MFC_SUBSTATE_WRITE_BLOCK 0x05
68 
69 #define RW_MFC_LONG_TLV_SIZE 4
70 #define RW_MFC_SHORT_TLV_SIZE 2
71 
72 #define RW_MFC_4K_Support 0x10
73 
74 #define RW_MFC_1K_BLOCK_SIZE 16
75 
76 uint8_t KeyNDEF[6] = {0xD3, 0XF7, 0xD3, 0XF7, 0xD3, 0XF7};
77 uint8_t KeyMAD[6] = {0xA0, 0XA1, 0xA2, 0XA3, 0xA4, 0XA5};
78 uint8_t KeyDefault[6] = {0xFF, 0XFF, 0xFF, 0XFF, 0xFF, 0XFF};
79 uint8_t access_permission_nfc[4] = {0x7F, 0x07, 0x88, 0x40};
80 uint8_t access_permission_mad[4] = {0x78, 0x77, 0x88, 0xC1};
81 uint8_t MAD_B1[16] = {0x14, 0x01, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1,
82                       0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1};
83 uint8_t MAD_B2[16] = {0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1,
84                       0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1};
85 uint8_t MAD_B64[16] = {0xE8, 0x01, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1,
86                        0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1, 0x03, 0xE1};
87 uint8_t NFC_B0[16] = {0x03, 0x00, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00,
88                       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
89 
90 static bool rw_mfc_send_to_lower(NFC_HDR* p_c_apdu);
91 static bool rw_mfc_authenticate(int sector, bool KeyA);
92 static tNFC_STATUS rw_mfc_readBlock(int block);
93 static void rw_mfc_handle_tlv_detect_rsp(uint8_t* p_data);
94 static tNFC_STATUS rw_MfcLocateTlv(uint8_t tlv_type);
95 static void rw_mfc_conn_cback(uint8_t conn_id, tNFC_CONN_EVT event,
96                               tNFC_CONN* p_data);
97 static void rw_mfc_resume_op();
98 static bool rw_nfc_decodeTlv(uint8_t* p_data);
99 static void rw_mfc_ntf_tlv_detect_complete(tNFC_STATUS status);
100 static void rw_mfc_handle_read_op(uint8_t* data);
101 static void rw_mfc_handle_op_complete(void);
102 static void rw_mfc_handle_ndef_read_rsp(uint8_t* p_data);
103 static void rw_mfc_process_error();
104 
105 static tNFC_STATUS rw_mfc_formatBlock(int block);
106 static void rw_mfc_handle_format_rsp(uint8_t* p_data);
107 static void rw_mfc_handle_format_op();
108 static tNFC_STATUS rw_mfc_writeBlock(int block);
109 static void rw_mfc_handle_write_rsp(uint8_t* p_data);
110 static void rw_mfc_handle_write_op();
111 
112 using android::base::StringPrintf;
113 extern bool nfc_debug_enabled;
114 
115 /*****************************************************************************
116 **
117 ** Function         RW_MfcFormatNDef
118 **
119 ** Description
120 **      Format Tag content
121 **
122 ** Returns
123 **      NFC_STATUS_OK, Command sent to format Tag
124 **      NFC_STATUS_REJECTED: cannot format the tag
125 **      NFC_STATUS_FAILED: other error
126 **
127 *****************************************************************************/
RW_MfcFormatNDef(void)128 tNFC_STATUS RW_MfcFormatNDef(void) {
129   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
130   tNFC_STATUS status = NFC_STATUS_OK;
131 
132   if (p_mfc->state != RW_MFC_STATE_IDLE) {
133     LOG(ERROR) << StringPrintf(
134         "%s Mifare Classic tag not activated or Busy - State:%d", __func__,
135         p_mfc->state);
136     return NFC_STATUS_BUSY;
137   }
138 
139   p_mfc->state = RW_MFC_STATE_NDEF_FORMAT;
140   p_mfc->substate = RW_MFC_SUBSTATE_NONE;
141   p_mfc->last_block_accessed.block = 1;
142   p_mfc->next_block.block = 1;
143 
144   status = rw_mfc_formatBlock(p_mfc->next_block.block);
145   if (status == NFC_STATUS_OK) {
146     p_mfc->state = RW_MFC_STATE_NDEF_FORMAT;
147   } else {
148     p_mfc->substate = RW_MFC_SUBSTATE_NONE;
149   }
150 
151   return status;
152 }
153 
154 /*******************************************************************************
155  **
156  ** Function         rw_mfc_formatBlock
157  **
158  ** Description      This function format a given block.
159  **
160  ** Returns          true if success
161  **
162  *******************************************************************************/
rw_mfc_formatBlock(int block)163 static tNFC_STATUS rw_mfc_formatBlock(int block) {
164   NFC_HDR* mfcbuf;
165   uint8_t* p;
166   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
167   int sectorlength = block / 4;
168   tNFC_STATUS status = NFC_STATUS_OK;
169 
170   DLOG_IF(INFO, nfc_debug_enabled) << __func__ << ": block : " << block;
171 
172   if (block > 128) {
173     sectorlength = (p_mfc->next_block.block - 128) / 16 + 32;
174   }
175 
176   if (sectorlength != p_mfc->sector_authentified) {
177     if (rw_mfc_authenticate(block, true) == true) {
178       return NFC_STATUS_OK;
179     }
180     return NFC_STATUS_FAILED;
181   }
182 
183   mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
184 
185   if (!mfcbuf) {
186     LOG(ERROR) << __func__ << ": Cannot allocate buffer";
187     return NFC_STATUS_REJECTED;
188   }
189 
190   mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
191   p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
192 
193   UINT8_TO_BE_STREAM(p, MFC_Write);
194   UINT8_TO_BE_STREAM(p, block);
195 
196   if (block == 1) {
197     ARRAY_TO_BE_STREAM(p, MAD_B1, 16);
198   } else if (block == 2 || block == 65 || block == 66) {
199     ARRAY_TO_BE_STREAM(p, MAD_B2, 16);
200   } else if (block == 3 || block == 67) {
201     ARRAY_TO_BE_STREAM(p, KeyMAD, 6);
202     ARRAY_TO_BE_STREAM(p, access_permission_mad, 4);
203     ARRAY_TO_BE_STREAM(p, KeyDefault, 6);
204   } else if (block == 4) {
205     ARRAY_TO_BE_STREAM(p, NFC_B0, 16);
206   } else if (block == 64) {
207     ARRAY_TO_BE_STREAM(p, MAD_B64, 16);
208   } else {
209     ARRAY_TO_BE_STREAM(p, KeyNDEF, 6);
210     ARRAY_TO_BE_STREAM(p, access_permission_nfc, 4);
211     ARRAY_TO_BE_STREAM(p, KeyDefault, 6);
212   }
213   mfcbuf->len = 18;
214 
215   if (!rw_mfc_send_to_lower(mfcbuf)) {
216     return NFC_STATUS_REJECTED;
217   }
218   p_mfc->current_block = block;
219   p_mfc->substate = RW_MFC_SUBSTATE_FORMAT_BLOCK;
220 
221   return status;
222 }
223 
rw_mfc_handle_format_rsp(uint8_t * p_data)224 static void rw_mfc_handle_format_rsp(uint8_t* p_data) {
225   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
226   NFC_HDR* mfc_data;
227   uint8_t* p;
228 
229   mfc_data = (NFC_HDR*)p_data;
230   /* Assume the data is just the response byte sequence */
231   p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
232 
233   switch (p_mfc->substate) {
234     case RW_MFC_SUBSTATE_WAIT_ACK:
235       p_mfc->last_block_accessed.block = p_mfc->current_block;
236 
237       if (p[0] == 0x0) {
238         p_mfc->next_block.auth = true;
239         p_mfc->last_block_accessed.auth = true;
240 
241         if (p_mfc->next_block.block < 128) {
242           p_mfc->sector_authentified = p_mfc->next_block.block / 4;
243         } else {
244           p_mfc->sector_authentified =
245               (p_mfc->next_block.block - 128) / 16 + 32;
246         }
247         rw_mfc_resume_op();
248       } else {
249         p_mfc->next_block.auth = false;
250         p_mfc->last_block_accessed.auth = false;
251         nfc_stop_quick_timer(&p_mfc->timer);
252         rw_mfc_process_error();
253       }
254       break;
255 
256     case RW_MFC_SUBSTATE_FORMAT_BLOCK:
257       if (p[0] == 0x0) {
258         rw_mfc_handle_format_op();
259       } else {
260         nfc_stop_quick_timer(&p_mfc->timer);
261         rw_mfc_process_error();
262       }
263       break;
264   }
265 }
266 
rw_mfc_handle_format_op()267 static void rw_mfc_handle_format_op() {
268   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
269   tRW_READ_DATA evt_data;
270   int num_of_blocks = 0;
271 
272   /* Total blockes of Mifare 1k/4K */
273   if (p_mfc->selres & RW_MFC_4K_Support)
274     num_of_blocks = 256;
275   else
276     num_of_blocks = 64;
277 
278   p_mfc->last_block_accessed.block = p_mfc->current_block;
279 
280   // Find next block needed to format
281   if (p_mfc->current_block < 4) {
282     p_mfc->next_block.block = p_mfc->current_block + 1;
283   } else if (p_mfc->current_block == 4) {
284     p_mfc->next_block.block = 7;
285   } else if (p_mfc->current_block >= 63 && p_mfc->current_block < 67) {
286     p_mfc->next_block.block = p_mfc->current_block + 1;
287   } else if (p_mfc->current_block < 127) {
288     p_mfc->next_block.block = p_mfc->current_block + 4;
289   } else {
290     p_mfc->next_block.block = p_mfc->current_block + 16;
291   }
292 
293   if (p_mfc->next_block.block < num_of_blocks) {
294     /* Format next blocks */
295     if (rw_mfc_formatBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
296       evt_data.status = NFC_STATUS_FAILED;
297       evt_data.p_data = NULL;
298       (*rw_cb.p_cback)(RW_MFC_NDEF_FORMAT_CPLT_EVT, (tRW_DATA*)&evt_data);
299     }
300   } else {
301     evt_data.status = NFC_STATUS_OK;
302     evt_data.p_data = NULL;
303     rw_mfc_handle_op_complete();
304     (*rw_cb.p_cback)(RW_MFC_NDEF_FORMAT_CPLT_EVT, (tRW_DATA*)&evt_data);
305   }
306 }
307 
308 /*******************************************************************************
309 **
310 ** Function         RW_MfcWriteNDef
311 **
312 ** Description      This function can be called to write an NDEF message to the
313 **                  tag.
314 **
315 ** Parameters:      buf_len:    The length of the buffer
316 **                  p_buffer:   The NDEF message to write
317 **
318 ** Returns          NCI_STATUS_OK, if write was started. Otherwise, error
319 **                  status.
320 **
321 *******************************************************************************/
RW_MfcWriteNDef(uint16_t buf_len,uint8_t * p_buffer)322 tNFC_STATUS RW_MfcWriteNDef(uint16_t buf_len, uint8_t* p_buffer) {
323   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
324   tNFC_STATUS status = NFC_STATUS_OK;
325 
326   if (p_mfc->state != RW_MFC_STATE_IDLE) {
327     return NFC_STATUS_BUSY;
328   }
329 
330   p_mfc->state = RW_MFC_STATE_UPDATE_NDEF;
331   p_mfc->substate = RW_MFC_SUBSTATE_NONE;
332   p_mfc->last_block_accessed.block = 4;
333   p_mfc->next_block.block = 4;
334 
335   p_mfc->p_ndef_buffer = p_buffer;
336   p_mfc->ndef_length = buf_len;
337   p_mfc->work_offset = 0;
338 
339   status = rw_mfc_writeBlock(p_mfc->next_block.block);
340   if (status == NFC_STATUS_OK) {
341     p_mfc->state = RW_MFC_STATE_UPDATE_NDEF;
342   } else {
343     p_mfc->substate = RW_MFC_SUBSTATE_NONE;
344   }
345 
346   return status;
347 }
348 
349 /*******************************************************************************
350  **
351  ** Function         rw_mfc_writeBlock
352  **
353  ** Description      This function write a given block.
354  **
355  ** Returns          true if success
356  **
357  *******************************************************************************/
rw_mfc_writeBlock(int block)358 static tNFC_STATUS rw_mfc_writeBlock(int block) {
359   NFC_HDR* mfcbuf;
360   uint8_t* p;
361   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
362   int sectorlength = block / 4;
363   tNFC_STATUS status = NFC_STATUS_OK;
364 
365   DLOG_IF(INFO, nfc_debug_enabled) << __func__ << ": block : " << block;
366 
367   if (block > 128) {
368     sectorlength = (p_mfc->next_block.block - 128) / 16 + 32;
369   }
370 
371   if (sectorlength != p_mfc->sector_authentified) {
372     if (rw_mfc_authenticate(block, true) == true) {
373       return NFC_STATUS_OK;
374     }
375     return NFC_STATUS_FAILED;
376   }
377 
378   mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
379 
380   if (!mfcbuf) {
381     LOG(ERROR) << __func__ << ": Cannot allocate buffer";
382     return NFC_STATUS_REJECTED;
383   }
384 
385   mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
386   p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
387 
388   UINT8_TO_BE_STREAM(p, MFC_Write);
389   UINT8_TO_BE_STREAM(p, block);
390   int index = 0;
391   while (index < RW_MFC_1K_BLOCK_SIZE) {
392     if (p_mfc->work_offset == 0) {
393       if (p_mfc->ndef_length < 0xFF) {
394         UINT8_TO_BE_STREAM(p, 0x03);
395         UINT8_TO_BE_STREAM(p, p_mfc->ndef_length);
396         index = index + 2;
397       } else {
398         UINT8_TO_BE_STREAM(p, 0x03);
399         UINT8_TO_BE_STREAM(p, 0xFF);
400         UINT8_TO_BE_STREAM(p, (uint8_t)(p_mfc->ndef_length >> 8));
401         UINT8_TO_BE_STREAM(p, (uint8_t)(p_mfc->ndef_length & 0xFF));
402         index = index + 4;
403       }
404     }
405 
406     if (p_mfc->work_offset == p_mfc->ndef_length) {
407       UINT8_TO_BE_STREAM(p, 0xFE);
408     } else if (p_mfc->work_offset > p_mfc->ndef_length) {
409       UINT8_TO_BE_STREAM(p, 0x00);
410     } else {
411       UINT8_TO_BE_STREAM(p, p_mfc->p_ndef_buffer[p_mfc->work_offset]);
412     }
413     p_mfc->work_offset++;
414     index++;
415   }
416   mfcbuf->len = 18;
417 
418   if (!rw_mfc_send_to_lower(mfcbuf)) {
419     return NFC_STATUS_REJECTED;
420   }
421   p_mfc->current_block = block;
422   p_mfc->substate = RW_MFC_SUBSTATE_WRITE_BLOCK;
423 
424   return status;
425 }
426 
rw_mfc_handle_write_rsp(uint8_t * p_data)427 static void rw_mfc_handle_write_rsp(uint8_t* p_data) {
428   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
429   NFC_HDR* mfc_data;
430   uint8_t* p;
431 
432   mfc_data = (NFC_HDR*)p_data;
433   /* Assume the data is just the response byte sequence */
434   p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
435 
436   switch (p_mfc->substate) {
437     case RW_MFC_SUBSTATE_WAIT_ACK:
438       p_mfc->last_block_accessed.block = p_mfc->current_block;
439 
440       if (p[0] == 0x0) {
441         p_mfc->next_block.auth = true;
442         p_mfc->last_block_accessed.auth = true;
443 
444         if (p_mfc->next_block.block < 128) {
445           p_mfc->sector_authentified = p_mfc->next_block.block / 4;
446         } else {
447           p_mfc->sector_authentified =
448               (p_mfc->next_block.block - 128) / 16 + 32;
449         }
450         rw_mfc_resume_op();
451       } else {
452         p_mfc->next_block.auth = false;
453         p_mfc->last_block_accessed.auth = false;
454         nfc_stop_quick_timer(&p_mfc->timer);
455         rw_mfc_process_error();
456       }
457       break;
458 
459     case RW_MFC_SUBSTATE_WRITE_BLOCK:
460       if (p[0] == 0x0) {
461         rw_mfc_handle_write_op();
462       } else {
463         nfc_stop_quick_timer(&p_mfc->timer);
464         rw_mfc_process_error();
465       }
466       break;
467   }
468 }
469 
rw_mfc_handle_write_op()470 static void rw_mfc_handle_write_op() {
471   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
472   tRW_READ_DATA evt_data;
473 
474   if (p_mfc->work_offset >= p_mfc->ndef_length) {
475     evt_data.status = NFC_STATUS_OK;
476     evt_data.p_data = NULL;
477     rw_mfc_handle_op_complete();
478     (*rw_cb.p_cback)(RW_MFC_NDEF_WRITE_CPLT_EVT, (tRW_DATA*)&evt_data);
479   } else {
480     p_mfc->last_block_accessed.block = p_mfc->current_block;
481 
482     if (p_mfc->current_block % 4 == 2) {
483       p_mfc->next_block.block = p_mfc->current_block + 2;
484     } else {
485       p_mfc->next_block.block = p_mfc->current_block + 1;
486     }
487 
488     /* Do not read block 16 (MAD2) - Mifare Classic4 k */
489     if (p_mfc->next_block.block == 64) {
490       p_mfc->next_block.block += 4;
491     }
492 
493     if ((p_mfc->selres & RW_MFC_4K_Support) &&
494         (p_mfc->next_block.block >= 128)) {
495       if (p_mfc->current_block % 16 == 14) {
496         p_mfc->next_block.block = p_mfc->current_block + 2;
497       } else {
498         p_mfc->next_block.block = p_mfc->current_block + 1;
499       }
500     }
501 
502     /* Write next blocks */
503     if (rw_mfc_writeBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
504       evt_data.status = NFC_STATUS_FAILED;
505       evt_data.p_data = NULL;
506       rw_mfc_handle_op_complete();
507       (*rw_cb.p_cback)(RW_MFC_NDEF_WRITE_FAIL_EVT, (tRW_DATA*)&evt_data);
508     }
509   }
510 }
511 
512 /*****************************************************************************
513  **
514  ** Function         RW_MfcDetectNDef
515  **
516  ** Description
517  **      This function is used to perform NDEF detection on a Mifare Classic
518  **      tag, and retrieve the tag's NDEF attribute information.
519  **      Before using this API, the application must call RW_SelectTagType to
520  **      indicate that a Type 1 tag has been activated.
521  **
522  ** Returns
523  **      NFC_STATUS_OK: ndef detection procedure started
524  **      NFC_STATUS_WRONG_PROTOCOL: type 1 tag not activated
525  **      NFC_STATUS_BUSY: another command is already in progress
526  **      NFC_STATUS_FAILED: other error
527  **
528  *****************************************************************************/
RW_MfcDetectNDef(void)529 tNFC_STATUS RW_MfcDetectNDef(void) {
530   LOG(ERROR) << __func__;
531   return rw_MfcLocateTlv(TAG_NDEF_TLV);
532 }
533 
534 /*******************************************************************************
535  **
536  ** Function         rw_mfc_select
537  **
538  ** Description      This function will set the callback function to
539  **                  receive data from lower layers.
540  **
541  ** Returns          tNFC_STATUS
542  **
543  *******************************************************************************/
rw_mfc_select(uint8_t selres,uint8_t uid[MFC_UID_LEN])544 tNFC_STATUS rw_mfc_select(uint8_t selres, uint8_t uid[MFC_UID_LEN]) {
545   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
546 
547   p_mfc->state = RW_MFC_STATE_NOT_ACTIVATED;
548 
549   /* Alloc cmd buf for retransmissions */
550   if (p_mfc->p_cur_cmd_buf == NULL) {
551     DLOG_IF(INFO, nfc_debug_enabled) << __func__;
552     p_mfc->p_cur_cmd_buf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
553     if (p_mfc->p_cur_cmd_buf == NULL) {
554       LOG(ERROR) << __func__
555                  << ": unable to allocate buffer for retransmission";
556 
557       return NFC_STATUS_FAILED;
558     }
559   }
560   p_mfc->selres = selres;
561   memcpy(p_mfc->uid, uid, MFC_UID_LEN);
562 
563   NFC_SetStaticRfCback(rw_mfc_conn_cback);
564 
565   p_mfc->state = RW_MFC_STATE_IDLE;
566   p_mfc->substate = RW_MFC_SUBSTATE_IDLE;
567   p_mfc->last_block_accessed.block = -1;
568   p_mfc->last_block_accessed.auth = false;
569   p_mfc->next_block.block = 4;
570   p_mfc->next_block.auth = false;
571   p_mfc->sector_authentified = -1;
572 
573   return NFC_STATUS_OK;
574 }
575 
576 /*******************************************************************************
577  **
578  ** Function         rw_mfc_send_to_lower
579  **
580  ** Description      Send C-APDU to lower layer
581  **
582  ** Returns          true if success
583  **
584  *******************************************************************************/
rw_mfc_send_to_lower(NFC_HDR * p_data)585 static bool rw_mfc_send_to_lower(NFC_HDR* p_data) {
586   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
587   /* Indicate first attempt to send command, back up cmd buffer in case needed
588    * for retransmission */
589   rw_cb.cur_retry = 0;
590   memcpy(p_mfc->p_cur_cmd_buf, p_data,
591          sizeof(NFC_HDR) + p_data->offset + p_data->len);
592 
593   if (NFC_SendData(NFC_RF_CONN_ID, p_data) != NFC_STATUS_OK) {
594     LOG(ERROR) << __func__ << ": NFC_SendData () failed";
595     return false;
596   }
597 
598   nfc_start_quick_timer(&rw_cb.tcb.mfc.timer, NFC_TTYPE_RW_MFC_RESPONSE,
599                         (RW_MFC_TOUT_RESP * QUICK_TIMER_TICKS_PER_SEC) / 1000);
600 
601   return true;
602 }
603 
604 /*******************************************************************************
605  **
606  ** Function         rw_mfc_process_timeout
607  **
608  ** Description      handles timeout event
609  **
610  ** Returns          none
611  **
612  *******************************************************************************/
rw_mfc_process_timeout(TIMER_LIST_ENT * p_tle)613 void rw_mfc_process_timeout(TIMER_LIST_ENT* p_tle) {
614   DLOG_IF(INFO, nfc_debug_enabled) << __func__ << " event=" << p_tle->event;
615 
616   if (p_tle->event == NFC_TTYPE_RW_MFC_RESPONSE) {
617     rw_mfc_process_error();
618   } else {
619     LOG(ERROR) << __func__ << " unknown event=" << p_tle->event;
620   }
621 }
622 
623 /*******************************************************************************
624  **
625  ** Function         rw_mfc_conn_cback
626  **
627  ** Description      This callback function receives the events/data from NFCC.
628  **
629  ** Returns          none
630  **
631  *******************************************************************************/
rw_mfc_conn_cback(uint8_t conn_id,tNFC_CONN_EVT event,tNFC_CONN * p_data)632 static void rw_mfc_conn_cback(uint8_t conn_id, tNFC_CONN_EVT event,
633                               tNFC_CONN* p_data) {
634   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
635   tRW_READ_DATA evt_data;
636   NFC_HDR* mfc_data = nullptr;
637   tRW_DATA rw_data;
638 
639   if (!p_data) {
640     LOG(ERROR) << __func__ << "Invalid p_data";
641     return;
642   }
643 
644   DLOG_IF(INFO, nfc_debug_enabled)
645       << StringPrintf("%s conn_id=%i, evt=0x%x", __func__, conn_id, event);
646   /* Only handle static conn_id */
647   if (conn_id != NFC_RF_CONN_ID) {
648     LOG(ERROR) << StringPrintf("%s Not static connection id =%d", __func__,
649                                conn_id);
650     return;
651   }
652 
653   switch (event) {
654     case NFC_CONN_CREATE_CEVT:
655     case NFC_CONN_CLOSE_CEVT:
656       break;
657 
658     case NFC_DEACTIVATE_CEVT:
659 
660       /* Stop mfc timer (if started) */
661       nfc_stop_quick_timer(&p_mfc->timer);
662       /* Free cmd buf for retransmissions */
663       if (p_mfc->p_cur_cmd_buf) {
664         GKI_freebuf(p_mfc->p_cur_cmd_buf);
665         p_mfc->p_cur_cmd_buf = NULL;
666       }
667 
668       p_mfc->state = RW_MFC_STATE_NOT_ACTIVATED;
669       NFC_SetStaticRfCback(NULL);
670       break;
671 
672     case NFC_DATA_CEVT:
673       if ((p_data != NULL) && (p_data->data.status == NFC_STATUS_OK)) {
674         mfc_data = (NFC_HDR*)p_data->data.p_data;
675         break;
676       }
677       /* Data event with error status...fall through to NFC_ERROR_CEVT case */
678       FALLTHROUGH_INTENDED;
679     case NFC_ERROR_CEVT:
680 
681       if ((p_mfc->state == RW_MFC_STATE_NOT_ACTIVATED) ||
682           (p_mfc->state == RW_MFC_STATE_IDLE)) {
683         if (event == NFC_ERROR_CEVT) {
684           evt_data.status = (tNFC_STATUS)(*(uint8_t*)p_data);
685         } else if (p_data) {
686           evt_data.status = p_data->status;
687         }
688         evt_data.p_data = NULL;
689         (*rw_cb.p_cback)(RW_MFC_INTF_ERROR_EVT, (tRW_DATA*)&evt_data);
690         break;
691       }
692       nfc_stop_quick_timer(&p_mfc->timer);
693       break;
694 
695     default:
696       break;
697   }
698 
699   if ((p_mfc->state != RW_MFC_STATE_IDLE) && (mfc_data == NULL)) {
700     if (p_mfc->state != RW_MFC_STATE_NOT_ACTIVATED) {
701       LOG(ERROR) << StringPrintf("%s NULL pointer", __func__);
702     }
703     return;
704   }
705 
706   switch (p_mfc->state) {
707     case RW_MFC_STATE_IDLE:
708       /* Unexpected R-APDU, it should be raw frame response */
709       /* forward to upper layer without parsing */
710       if (rw_cb.p_cback) {
711         rw_data.raw_frame.status = p_data->data.status;
712         rw_data.raw_frame.p_data = mfc_data;
713         (*(rw_cb.p_cback))(RW_MFC_RAW_FRAME_EVT, &rw_data);
714         mfc_data = NULL;
715       } else {
716         GKI_freebuf(mfc_data);
717       }
718       break;
719     case RW_MFC_STATE_DETECT_TLV:
720       rw_mfc_handle_tlv_detect_rsp((uint8_t*)mfc_data);
721       GKI_freebuf(mfc_data);
722       break;
723 
724     case RW_MFC_STATE_READ_NDEF:
725       rw_mfc_handle_ndef_read_rsp((uint8_t*)mfc_data);
726       GKI_freebuf(mfc_data);
727       break;
728     case RW_MFC_STATE_NOT_ACTIVATED:
729       DLOG_IF(INFO, nfc_debug_enabled)
730           << __func__ << " RW_MFC_STATE_NOT_ACTIVATED";
731       /* p_r_apdu may send upper layer */
732       break;
733     case RW_MFC_STATE_NDEF_FORMAT:
734       rw_mfc_handle_format_rsp((uint8_t*)mfc_data);
735       GKI_freebuf(mfc_data);
736       break;
737     case RW_MFC_STATE_UPDATE_NDEF:
738       rw_mfc_handle_write_rsp((uint8_t*)mfc_data);
739       GKI_freebuf(mfc_data);
740       break;
741     default:
742       LOG(ERROR) << StringPrintf("%s : invalid state=%d", __func__,
743                                  p_mfc->state);
744       break;
745   }
746 }
747 
748 /*******************************************************************************
749  **
750  ** Function         rw_MfcLocateTlv
751  **
752  ** Description      This function performs NDEF detection procedure
753  **
754  **                  RW_MFC_NDEF_DETECT_EVT will be returned
755  **
756  ** Returns          NFC_STATUS_OK if success
757  **                  NFC_STATUS_FAILED if Mifare classic tag is busy or other
758  **                  error
759  **
760  *******************************************************************************/
rw_MfcLocateTlv(uint8_t tlv_type)761 static tNFC_STATUS rw_MfcLocateTlv(uint8_t tlv_type) {
762   DLOG_IF(INFO, nfc_debug_enabled) << __func__;
763 
764   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
765   tNFC_STATUS success = NFC_STATUS_OK;
766 
767   if (p_mfc->state != RW_MFC_STATE_IDLE) {
768     LOG(ERROR) << StringPrintf(
769         "%s Mifare Classic tag not activated or Busy - State:%d", __func__,
770         p_mfc->state);
771 
772     return NFC_STATUS_BUSY;
773   }
774 
775   if ((tlv_type != TAG_LOCK_CTRL_TLV) && (tlv_type != TAG_MEM_CTRL_TLV) &&
776       (tlv_type != TAG_NDEF_TLV) && (tlv_type != TAG_PROPRIETARY_TLV)) {
777     DLOG_IF(INFO, nfc_debug_enabled)
778         << StringPrintf("%s - Cannot search TLV: 0x%02x", __func__, tlv_type);
779     return NFC_STATUS_FAILED;
780   }
781   if (tlv_type == TAG_NDEF_TLV) {
782     p_mfc->ndef_length = 0;
783     p_mfc->ndef_start_pos = 0;
784     p_mfc->ndef_first_block = 0;
785     p_mfc->work_offset = 0;
786     p_mfc->ndef_status = MFC_NDEF_NOT_DETECTED;
787   }
788 
789   p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
790   p_mfc->state = RW_MFC_STATE_DETECT_TLV;
791 
792   success = rw_mfc_readBlock(p_mfc->next_block.block);
793   if (success == NFC_STATUS_OK) {
794     p_mfc->state = RW_MFC_STATE_DETECT_TLV;
795     DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf(
796         "%s RW_MFC_STATE_DETECT_TLV state=%d", __func__, p_mfc->state);
797   } else {
798     p_mfc->substate = RW_MFC_SUBSTATE_NONE;
799     DLOG_IF(INFO, nfc_debug_enabled)
800         << StringPrintf("%s rw_MfcLocateTlv state=%d", __func__, p_mfc->state);
801   }
802 
803   return NFC_STATUS_OK;
804 }
805 
806 /*******************************************************************************
807  **
808  ** Function         rw_mfc_authenticate
809  **
810  ** Description      This function performs the authentication of a given
811  **                  block.
812  **
813  ** Returns          true if success
814  **
815  *******************************************************************************/
rw_mfc_authenticate(int block,bool KeyA)816 static bool rw_mfc_authenticate(int block, bool KeyA) {
817   NFC_HDR* mfcbuf;
818   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
819   uint8_t* p;
820 
821   DLOG_IF(INFO, nfc_debug_enabled) << __func__ << ": block:" << block;
822 
823   uint8_t* KeyToUse;
824 
825   mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
826 
827   if (!mfcbuf) {
828     LOG(ERROR) << __func__ << ": Cannot allocate buffer";
829     return false;
830   }
831 
832   mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
833   p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
834 
835   if (KeyA) {
836     UINT8_TO_BE_STREAM(p, MFC_KeyA);
837   } else {
838     UINT8_TO_BE_STREAM(p, MFC_KeyB);
839   }
840 
841   UINT8_TO_BE_STREAM(p, block);
842   ARRAY_TO_BE_STREAM(p, p_mfc->uid, 4);
843 
844   if (p_mfc->state == RW_MFC_STATE_NDEF_FORMAT)
845     KeyToUse = KeyDefault;
846   else {
847     if (block >= 0 && block < 4) {
848       KeyToUse = KeyMAD;
849     } else {
850       KeyToUse = KeyNDEF;
851     }
852   }
853   ARRAY_TO_BE_STREAM(p, KeyToUse, 6);
854 
855   mfcbuf->len = 12;
856 
857   if (!rw_mfc_send_to_lower(mfcbuf)) {
858     return false;
859   }
860   /* Backup the current substate to move back to this substate after changing
861    * sector */
862   p_mfc->prev_substate = p_mfc->substate;
863   p_mfc->substate = RW_MFC_SUBSTATE_WAIT_ACK;
864   return true;
865 }
866 
867 /*******************************************************************************
868  **
869  ** Function         rw_mfc_readBlock
870  **
871  ** Description      This function read a given block.
872  **
873  ** Returns          true if success
874  **
875  *******************************************************************************/
rw_mfc_readBlock(int block)876 static tNFC_STATUS rw_mfc_readBlock(int block) {
877   NFC_HDR* mfcbuf;
878   uint8_t* p;
879   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
880   int sectorlength = block / 4;
881   tNFC_STATUS status = NFC_STATUS_OK;
882 
883   DLOG_IF(INFO, nfc_debug_enabled) << __func__ << ": block : " << block;
884 
885   if (block > 128) {
886     sectorlength = (p_mfc->next_block.block - 128) / 16 + 32;
887   }
888 
889   if (sectorlength != p_mfc->sector_authentified) {
890     if (rw_mfc_authenticate(block, true) == true) {
891       LOG(ERROR) << __func__ << ": RW_MFC_SUBSTATE_WAIT_ACK";
892       return NFC_STATUS_OK;
893     }
894     return NFC_STATUS_FAILED;
895   }
896 
897   mfcbuf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
898 
899   if (!mfcbuf) {
900     LOG(ERROR) << __func__ << ": Cannot allocate buffer";
901     return NFC_STATUS_REJECTED;
902   }
903 
904   mfcbuf->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
905   p = (uint8_t*)(mfcbuf + 1) + mfcbuf->offset;
906 
907   UINT8_TO_BE_STREAM(p, MFC_Read);
908   UINT8_TO_BE_STREAM(p, block);
909 
910   mfcbuf->len = 2;
911 
912   if (!rw_mfc_send_to_lower(mfcbuf)) {
913     return NFC_STATUS_REJECTED;
914   }
915   p_mfc->current_block = block;
916   p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
917 
918   return status;
919 }
920 
921 /*******************************************************************************
922  **
923  ** Function         rw_mfc_handle_tlv_detect_rsp
924  **
925  ** Description      Handle TLV detection.
926  **
927  ** Returns          none
928  **
929  *******************************************************************************/
rw_mfc_handle_tlv_detect_rsp(uint8_t * p_data)930 static void rw_mfc_handle_tlv_detect_rsp(uint8_t* p_data) {
931   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
932   NFC_HDR* mfc_data;
933   uint8_t* p;
934 
935   mfc_data = (NFC_HDR*)p_data;
936   /* Assume the data is just the response byte sequence */
937   p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
938 
939   p_mfc->last_block_accessed.block = p_mfc->next_block.block;
940   switch (p_mfc->substate) {
941     case RW_MFC_SUBSTATE_WAIT_ACK:
942       /* Search for the tlv */
943       if (p[0] == 0x0) {
944         p_mfc->next_block.auth = true;
945         p_mfc->last_block_accessed.auth = true;
946         p_mfc->sector_authentified = p_mfc->next_block.block / 4;
947 
948         rw_mfc_resume_op();
949       } else {
950         p_mfc->next_block.auth = false;
951         p_mfc->last_block_accessed.auth = false;
952         DLOG_IF(INFO, nfc_debug_enabled)
953             << StringPrintf("%s : status=%d", __func__, p[0]);
954         nfc_stop_quick_timer(&p_mfc->timer);
955         rw_mfc_process_error();
956       }
957       break;
958 
959     case RW_MFC_SUBSTATE_READ_BLOCK:
960       /* Search for the tlv */
961       if (mfc_data->len == 0x10) {
962         p_mfc->last_block_accessed.block = p_mfc->next_block.block;
963         p_mfc->next_block.block += 1;
964         p_mfc->next_block.auth = false;
965         rw_mfc_handle_read_op((uint8_t*)mfc_data);
966       }
967       break;
968   }
969 }
970 /*******************************************************************************
971  **
972  ** Function         rw_mfc_resume_op
973  **
974  ** Description      This function will continue operation after moving to new
975  **                  sector
976  **
977  ** Returns          none
978  **
979  *******************************************************************************/
rw_mfc_resume_op()980 static void rw_mfc_resume_op() {
981   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
982 
983   switch (p_mfc->state) {
984     case RW_MFC_STATE_DETECT_TLV:
985       rw_mfc_readBlock(p_mfc->next_block.block);
986       break;
987     case RW_MFC_STATE_READ_NDEF:
988       rw_mfc_readBlock(p_mfc->next_block.block);
989       break;
990     case RW_MFC_STATE_NDEF_FORMAT:
991       rw_mfc_formatBlock(p_mfc->next_block.block);
992       break;
993     case RW_MFC_STATE_UPDATE_NDEF:
994       rw_mfc_writeBlock(p_mfc->next_block.block);
995       break;
996   }
997 }
998 
999 /*******************************************************************************
1000  **
1001  ** Function         rw_mfc_handle_read_op
1002  **
1003  ** Description      This function handles all the read operation.
1004  **
1005  ** Returns          none
1006  **
1007  *******************************************************************************/
rw_mfc_handle_read_op(uint8_t * data)1008 static void rw_mfc_handle_read_op(uint8_t* data) {
1009   uint8_t* p;
1010   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1011   bool tlv_found = false;
1012   NFC_HDR* mfc_data;
1013   uint16_t len;
1014   uint16_t offset;
1015   uint16_t saved_length;
1016   bool failed = false;
1017   bool done = false;
1018   tRW_READ_DATA evt_data;
1019 
1020   mfc_data = (NFC_HDR*)data;
1021   p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1022 
1023   switch (p_mfc->state) {
1024     case RW_MFC_STATE_DETECT_TLV:
1025       tlv_found = rw_nfc_decodeTlv(data);
1026       if (tlv_found) {
1027         p_mfc->ndef_status = MFC_NDEF_DETECTED;
1028         p_mfc->ndef_first_block = p_mfc->last_block_accessed.block;
1029         rw_mfc_ntf_tlv_detect_complete(NFC_STATUS_OK);
1030       }
1031       break;
1032 
1033     case RW_MFC_STATE_READ_NDEF:
1034       /* On the first read, adjust for any partial block offset */
1035       offset = 0;
1036       len = RW_MFC_1K_BLOCK_SIZE;
1037       saved_length = p_mfc->ndef_length;
1038 
1039       if (p_mfc->work_offset == 0) {
1040         if (!rw_nfc_decodeTlv(data)) {
1041           failed = true;
1042           DLOG_IF(INFO, nfc_debug_enabled) << __func__ << " FAILED finding TLV";
1043         }
1044         /* Ndef message offset update post response TLV decode */
1045         offset = p_mfc->ndef_start_pos;
1046       }
1047 
1048       if (!failed && saved_length >= p_mfc->ndef_length) {
1049         /* Skip all reserved and lock bytes */
1050         while ((offset < len) && (p_mfc->work_offset < p_mfc->ndef_length))
1051 
1052         {
1053           /* Collect the NDEF Message */
1054           p_mfc->p_ndef_buffer[p_mfc->work_offset] = p[offset];
1055           p_mfc->work_offset++;
1056           offset++;
1057         }
1058       } else {
1059         android_errorWriteLog(0x534e4554, "178725766");
1060       }
1061 
1062       if (p_mfc->work_offset >= p_mfc->ndef_length) {
1063         done = true;
1064         p_mfc->ndef_status = MFC_NDEF_READ;
1065       } else {
1066         /* Read next  blocks */
1067         if (rw_mfc_readBlock(p_mfc->next_block.block) != NFC_STATUS_OK) {
1068           failed = true;
1069           DLOG_IF(INFO, nfc_debug_enabled)
1070               << __func__ << " FAILED reading next";
1071         }
1072       }
1073 
1074       if (failed || done) {
1075         evt_data.status = failed ? NFC_STATUS_FAILED : NFC_STATUS_OK;
1076         evt_data.p_data = NULL;
1077         rw_mfc_handle_op_complete();
1078         (*rw_cb.p_cback)(RW_MFC_NDEF_READ_EVT, (tRW_DATA*)&evt_data);
1079       }
1080       break;
1081   }
1082 }
1083 /*******************************************************************************
1084  **
1085  ** Function         rw_nfc_decodeTlv
1086  **
1087  ** Description      Decode the NDEF data length from the Mifare TLV
1088  **                  Leading null TLVs (0x0) are skipped
1089  **
1090  ** Returns          true if success
1091  **
1092  *******************************************************************************/
rw_nfc_decodeTlv(uint8_t * data)1093 static bool rw_nfc_decodeTlv(uint8_t* data) {
1094   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1095   NFC_HDR* mfc_data;
1096   uint8_t* p;
1097 
1098   mfc_data = (NFC_HDR*)data;
1099   p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1100   int i = 0;
1101 
1102   do {
1103     if (p[i] == 0x0) {
1104       // do nothing, skip
1105     } else if (p[i] == 0x3) {
1106       p_mfc->tlv_detect = TAG_NDEF_TLV;
1107       break;
1108 
1109     } else {
1110       DLOG_IF(INFO, nfc_debug_enabled) << __func__ << ": Unknown TLV";
1111       p_mfc->tlv_detect = TAG_PROPRIETARY_TLV;
1112       break;
1113     }
1114     i++;
1115   } while (i < mfc_data->len);
1116 
1117   DLOG_IF(INFO, nfc_debug_enabled) << __func__ << ": i=" << i;
1118 
1119   if ((i + 1) >= mfc_data->len || i < 0 || p[i] != 0x3) {
1120     LOG(ERROR) << __func__ << ": Can't decode message length";
1121   } else {
1122     if (p[i + 1] != 0xFF) {
1123       p_mfc->ndef_length = p[i + 1];
1124       p_mfc->ndef_start_pos = i + RW_MFC_SHORT_TLV_SIZE;
1125       DLOG_IF(INFO, nfc_debug_enabled)
1126           << __func__ << " short NDEF SIZE=" << p_mfc->ndef_length;
1127       return true;
1128     } else if ((i + 3) < mfc_data->len) {
1129       p_mfc->ndef_length = (((uint16_t)p[i + 2]) << 8) | ((uint16_t)(p[i + 3]));
1130       p_mfc->ndef_start_pos = i + RW_MFC_LONG_TLV_SIZE;
1131       DLOG_IF(INFO, nfc_debug_enabled)
1132           << __func__ << " long NDEF SIZE=" << p_mfc->ndef_length;
1133       return true;
1134     } else {
1135       LOG(ERROR) << __func__ << ": Can't decode ndef length";
1136     }
1137   }
1138   return false;
1139 }
1140 
1141 /*******************************************************************************
1142  **
1143  ** Function         rw_mfc_ntf_tlv_detect_complete
1144  **
1145  ** Description      Notify TLV detection complete to upper layer
1146  **
1147  ** Returns          none
1148  **
1149  *******************************************************************************/
rw_mfc_ntf_tlv_detect_complete(tNFC_STATUS status)1150 static void rw_mfc_ntf_tlv_detect_complete(tNFC_STATUS status) {
1151   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1152   tRW_DETECT_NDEF_DATA ndef_data = {};
1153 
1154   DLOG_IF(INFO, nfc_debug_enabled) << __func__;
1155   if (p_mfc->tlv_detect == TAG_NDEF_TLV) {
1156     /* Notify upper layer the result of NDEF detect op */
1157     ndef_data.status = NFC_STATUS_OK;  // status;
1158     ndef_data.protocol = NFC_PROTOCOL_MIFARE;
1159     ndef_data.flags = 0;
1160     ndef_data.cur_size = p_mfc->ndef_length;
1161 
1162     if (status == NFC_STATUS_OK) {
1163       ndef_data.flags |= RW_NDEF_FL_FORMATED;
1164     }
1165 
1166     // TODO - calculate max size based on MAD sectr NFC_AID condition
1167     // Set max size as format condition
1168     if (p_mfc->selres & RW_MFC_4K_Support)
1169       ndef_data.max_size = 3356;
1170     else
1171       ndef_data.max_size = 716;
1172 
1173     rw_mfc_handle_op_complete();
1174     (*rw_cb.p_cback)(RW_MFC_NDEF_DETECT_EVT, (tRW_DATA*)&ndef_data);
1175   }
1176 }
1177 
1178 /*******************************************************************************
1179  **
1180  ** Function         RW_MfcReadNDef
1181  **
1182  ** Description      Retrieve NDEF contents from a Mifare Classic tag..
1183  **
1184  **                  The RW_MFC_NDEF_READ_EVT event is used to notify the
1185  **                  application after reading the NDEF message.
1186  **
1187  **                  Before using this API, the RW_MfcReadNDef function must
1188  **                  be called to verify that the tag contains NDEF data, and to
1189  **                  retrieve the NDEF attributes.
1190  **
1191  **                  Internally, this command will be separated into multiple
1192  **                  Mifare Classic Read commands (if necessary) - depending
1193  **                  on the NDEF Msg size.
1194  **
1195  ** Parameters:      p_buffer:   The buffer into which to read the NDEF message
1196  **                  buf_len:    The length of the buffer
1197  **
1198  ** Returns          NCI_STATUS_OK, if read was started. Otherwise, error
1199  **                  status.
1200  **
1201  *******************************************************************************/
RW_MfcReadNDef(uint8_t * p_buffer,uint16_t buf_len)1202 tNFC_STATUS RW_MfcReadNDef(uint8_t* p_buffer, uint16_t buf_len) {
1203   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1204   tNFC_STATUS status = NFC_STATUS_OK;
1205 
1206   if (p_mfc->state != RW_MFC_STATE_IDLE) {
1207     LOG(ERROR) << StringPrintf(
1208         "%s Mifare Classic tag not activated or Busy - State=%d", __func__,
1209         p_mfc->state);
1210     return NFC_STATUS_FAILED;
1211   }
1212 
1213   if (p_mfc->ndef_status == MFC_NDEF_NOT_DETECTED) {
1214     LOG(ERROR) << __func__ << " NDEF detection not performed yet";
1215     return NFC_STATUS_FAILED;
1216   }
1217 
1218   if (buf_len < p_mfc->ndef_length) {
1219     LOG(ERROR) << __func__ << " buffer size=" << buf_len
1220                << "less than NDEF msg sise=" << p_mfc->ndef_length;
1221     return NFC_STATUS_FAILED;
1222   }
1223 
1224   if (!p_mfc->ndef_length) {
1225     LOG(ERROR) << __func__ << " NDEF Message length is zero ";
1226     return NFC_STATUS_NOT_INITIALIZED;
1227   }
1228 
1229   p_mfc->p_ndef_buffer = p_buffer;
1230   p_mfc->work_offset = 0;
1231 
1232   p_mfc->last_block_accessed.block = 0;
1233   p_mfc->next_block.block = p_mfc->ndef_first_block;
1234   p_mfc->substate = RW_MFC_SUBSTATE_NONE;
1235 
1236   /* Start reading NDEF Message */
1237   status = rw_mfc_readBlock(p_mfc->next_block.block);
1238   if (status == NFC_STATUS_OK) {
1239     p_mfc->state = RW_MFC_STATE_READ_NDEF;
1240   }
1241 
1242   return status;
1243 }
1244 
1245 /*****************************************************************************
1246  **
1247  ** Function         rw_mfc_handle_op_complete
1248  **
1249  ** Description      Reset to IDLE state
1250  **
1251  ** Returns          none
1252  **
1253  *****************************************************************************/
rw_mfc_handle_op_complete(void)1254 static void rw_mfc_handle_op_complete(void) {
1255   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1256 
1257   p_mfc->last_block_accessed.auth = false;
1258   p_mfc->next_block.auth = false;
1259   p_mfc->current_block = 0;
1260   p_mfc->state = RW_MFC_STATE_IDLE;
1261   p_mfc->substate = RW_MFC_SUBSTATE_NONE;
1262   return;
1263 }
1264 
1265 /*******************************************************************************
1266  **
1267  ** Function         rw_mfc_handle_ndef_read_rsp
1268  **
1269  ** Description      Handle TLV detection.
1270  **
1271  ** Returns          none
1272  **
1273  *******************************************************************************/
rw_mfc_handle_ndef_read_rsp(uint8_t * p_data)1274 static void rw_mfc_handle_ndef_read_rsp(uint8_t* p_data) {
1275   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1276   NFC_HDR* mfc_data;
1277   uint8_t* p;
1278 
1279   mfc_data = (NFC_HDR*)p_data;
1280   /* Assume the data is just the response byte sequence */
1281   p = (uint8_t*)(mfc_data + 1) + mfc_data->offset;
1282 
1283   switch (p_mfc->substate) {
1284     case RW_MFC_SUBSTATE_WAIT_ACK:
1285       /* Search for the tlv */
1286       p_mfc->last_block_accessed.block = p_mfc->current_block;
1287 
1288       if (p[0] == 0x0) {
1289         p_mfc->next_block.auth = true;
1290         p_mfc->last_block_accessed.auth = true;
1291 
1292         if (p_mfc->current_block < 128) {
1293           p_mfc->sector_authentified = p_mfc->next_block.block / 4;
1294         }
1295 
1296         else
1297           p_mfc->sector_authentified =
1298               (p_mfc->next_block.block - 128) / 16 + 32;
1299 
1300         rw_mfc_resume_op();
1301         DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf(
1302             "rw_mfc_handle_ndef_read_rsp () sector authentified: %d",
1303             p_mfc->sector_authentified);
1304       } else {
1305         p_mfc->next_block.auth = false;
1306         p_mfc->last_block_accessed.auth = false;
1307       }
1308       break;
1309 
1310     case RW_MFC_SUBSTATE_READ_BLOCK:
1311       /* Search for the tlv */
1312 
1313       if (mfc_data->len == 0x10) {
1314         p_mfc->last_block_accessed.block = p_mfc->current_block;
1315 
1316         if (p_mfc->current_block % 4 == 2) {
1317           p_mfc->next_block.block = p_mfc->current_block + 2;
1318         } else {
1319           p_mfc->next_block.block = p_mfc->current_block + 1;
1320         }
1321 
1322         /* Do not read block 16 (MAD2) - Mifare Classic4 k */
1323         if (p_mfc->next_block.block == 64) {
1324           p_mfc->next_block.block += 4;
1325         }
1326 
1327         if ((p_mfc->selres & RW_MFC_4K_Support) &&
1328             (p_mfc->next_block.block >= 128)) {
1329           if (p_mfc->current_block % 16 == 14) {
1330             p_mfc->next_block.block = p_mfc->current_block + 2;
1331           } else {
1332             p_mfc->next_block.block = p_mfc->current_block + 1;
1333           }
1334         }
1335 
1336         p_mfc->next_block.auth = false;
1337         rw_mfc_handle_read_op((uint8_t*)mfc_data);
1338       }
1339       break;
1340   }
1341 }
1342 
1343 /*******************************************************************************
1344  **
1345  ** Function         rw_mfc_process_error
1346  **
1347  ** Description      Process error including Timeout, Frame error. This function
1348  **                  will retry atleast till RW_MAX_RETRIES before give up and
1349  **                  sending negative notification to upper layer
1350  **
1351  ** Returns          none
1352  **
1353  *******************************************************************************/
rw_mfc_process_error()1354 static void rw_mfc_process_error() {
1355   tRW_READ_DATA evt_data = tRW_READ_DATA();
1356   tRW_EVENT rw_event = RW_MFC_NDEF_DETECT_EVT;
1357   NFC_HDR* p_cmd_buf;
1358   tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
1359   tRW_DETECT_NDEF_DATA ndef_data;
1360 
1361   DLOG_IF(INFO, nfc_debug_enabled)
1362       << StringPrintf("%s State=%d", __func__, p_mfc->state);
1363 
1364   evt_data.status = NFC_STATUS_FAILED;
1365 
1366   /* Retry sending command if retry-count < max */
1367   if (rw_cb.cur_retry < RW_MAX_RETRIES) {
1368     /* retry sending the command */
1369     rw_cb.cur_retry++;
1370 
1371     DLOG_IF(INFO, nfc_debug_enabled)
1372         << __func__ << "Mifare Classic retransmission attempt "
1373         << rw_cb.cur_retry << " of " << RW_MAX_RETRIES;
1374 
1375     /* allocate a new buffer for message */
1376     p_cmd_buf = (NFC_HDR*)GKI_getpoolbuf(NFC_RW_POOL_ID);
1377     if (p_cmd_buf != NULL) {
1378       memcpy(p_cmd_buf, p_mfc->p_cur_cmd_buf,
1379              sizeof(NFC_HDR) + p_mfc->p_cur_cmd_buf->offset +
1380                  p_mfc->p_cur_cmd_buf->len);
1381 
1382       if (NFC_SendData(NFC_RF_CONN_ID, p_cmd_buf) == NFC_STATUS_OK) {
1383         /* Start timer for waiting for response */
1384         nfc_start_quick_timer(
1385             &p_mfc->timer, NFC_TTYPE_RW_MFC_RESPONSE,
1386             (RW_MFC_TOUT_RESP * QUICK_TIMER_TICKS_PER_SEC) / 1000);
1387 
1388         return;
1389       }
1390     }
1391   } else {
1392     DLOG_IF(INFO, nfc_debug_enabled)
1393         << __func__ << "MFC maximum retransmission attempts reached "
1394         << RW_MAX_RETRIES;
1395   }
1396 
1397   if (p_mfc->state == RW_MFC_STATE_DETECT_TLV) {
1398     rw_event = RW_MFC_NDEF_DETECT_EVT;
1399   } else if (p_mfc->state == RW_MFC_STATE_READ_NDEF) {
1400     rw_event = RW_MFC_NDEF_READ_EVT;
1401   } else if (p_mfc->state == RW_MFC_STATE_UPDATE_NDEF) {
1402     rw_event = RW_MFC_NDEF_WRITE_FAIL_EVT;
1403   } else if (p_mfc->state == RW_MFC_STATE_NDEF_FORMAT) {
1404     rw_event = RW_MFC_NDEF_FORMAT_CPLT_EVT;
1405   }
1406 
1407   if (rw_event == RW_MFC_NDEF_DETECT_EVT) {
1408     ndef_data.status = evt_data.status;
1409     ndef_data.protocol = NFC_PROTOCOL_MIFARE;
1410     ndef_data.flags = RW_NDEF_FL_UNKNOWN;
1411     ndef_data.max_size = 0;
1412     ndef_data.cur_size = 0;
1413     DLOG_IF(INFO, nfc_debug_enabled)
1414         << StringPrintf("%s status=%d", __func__, evt_data.status);
1415     /* If not Halt move to idle state */
1416     rw_mfc_handle_op_complete();
1417 
1418     (*rw_cb.p_cback)(rw_event, (tRW_DATA*)&ndef_data);
1419   } else {
1420     evt_data.p_data = NULL;
1421     /* If activated and not Halt move to idle state */
1422     if (p_mfc->state != RW_MFC_STATE_NOT_ACTIVATED) {
1423       rw_mfc_handle_op_complete();
1424     }
1425 
1426     DLOG_IF(INFO, nfc_debug_enabled)
1427         << StringPrintf("%s status=%d", __func__, evt_data.status);
1428     p_mfc->substate = RW_MFC_SUBSTATE_NONE;
1429     (*rw_cb.p_cback)(rw_event, (tRW_DATA*)&evt_data);
1430   }
1431 }
1432