flipperzero-firmware
NFC - Machine Readable Travel Documents
Maybe not quite a finished PR yet. I'm looking for some feedback to make sure I'm going in the right direction.
Especially with the new FAP's, I can see you might prefer this to be an external application (FAP). On the other hand, maybe you're looking to support more and more NFC cards with the base firmware.
Please let me know your thoughts and any feedback on the code.
What's new
- Read some basic info from Machine Readable Travel Documents (spec. ICAO9303)
- Support Basic Access Authentication
Verification
- Start NFC reader
- Offer an MRTD to the reader
- Perform the Auth step
TODO
- [ ] PACE authentication
- [x] Indicate used authentication (BAC / PACE)
- [ ] Card Access Number access
- [ ] Active Authentication
- [ ] Passive Authentication (maybe even against ICAO Master List)
- [ ] Dump (selected) files (for external usage)
- [ ] Save (as much info as possible)
- [ ] Emulate (as much as possible) a saved MRTD
- [x] Support NFC-B MRTDs
- [x] Move helper files to helper folder
- [ ] Determine size of files from header, instead of reading till end
- [ ] Remove some testing/debug statements and logging
- [ ] Show information about LDSv2 apps
- [x] Save/Load authentication parameters
Checklist (For Reviewer)
- [ ] PR has description of feature/bug or link to Confluence/Jira task
- [ ] Description contains actions to verify feature/bugfix
- [ ] I've built this code, uploaded it to the device and verified feature/bugfix
Would it be possible to add support for NFC-B EMRTDs? Also there is a compilation error right now (I think a few string-related functions were changed in dev).
Theoretically, yes NFC-B is possible. However I don't have a card to test and verify anything.
Oops, I forgot to remove some testing strings. Additional commit should be available tomorrow. From the top of my head, any lines using the missing strings could be removed.
I wonder if showing the ATS might be more interesting than ATQA/SAK? It might allow to determine the country even if the user does not wish to authenticate. Also if the auth fails perhaps it could tell that to the user, otherwise it just loops back.
Thanks for your suggestions. I'm not really an NFC guy, so I'm curious to learn more about the ATS details and will look into that.
The authentication failed feedback is indeed one of the open TODOs. There is quite a lot more that's on my mind. I'll add these to the description.
Hello @qistoph ! Great work! We are looking for some suitable travel documents to test your PR and come back with feedback
Have you tried to recognize driving licenses as well? They should obey ISO/IEC FCD 18013-2 and the AID should be A0 00 00 02 48 and the PIX should be 02 00. I asked someone on telegram with a NL driving license to test this out but no luck, perhaps the PIX was chosen different.

Not sure if this falls under the category of MRTDs but it might be interesting to add it (unfortunately in my country they stopped producing licenses with chips so I can't test anything).
My documents are either NFC-A (PACE) or NFC-B (BAC), so will be glad to test when/if those are implemented
It looks to me like some of the code implemented in mrtd parts is actually iso7816-related. For example, the mrtd_select_app seems to me just like sending a classic iso7816 SELECT (by AID) APDU. Is that so?
I'm just asking cause if that's the case, carving out such code to an encapsulated iso7816 library could allow it to be better reused for other iso7816 cards. (I've been meaning to attempt to write some code for an iso7816 card myself)
Have you tried to recognize driving licenses as well? They should obey ISO/IEC FCD 18013-2 and the AID should be A0 00 00 02 48 and the PIX should be 02 00. I asked someone on telegram with a NL driving license to test this out but no luck, perhaps the PIX was chosen different.
I am focussing on reading Machine Readable Travel Documents as specified by ICAO9303. Driver license is not one of them. My Dutch (NL) driver's license doesn't have an NFC chip, so I probably won't be including it in the future either.
My documents are either NFC-A (PACE) or NFC-B (BAC), so will be glad to test when/if those are implemented
Thanks, @oleksiikutuzov! If either is implemented I'll let you know.
It looks to me like some of the code implemented in mrtd parts is actually iso7816-related. For example, the mrtd_select_app seems to me just like sending a classic iso7816 SELECT (by AID) APDU. Is that so?
I'm just asking cause if that's the case, carving out such code to an encapsulated iso7816 library could allow it to be better reused for other iso7816 cards. (I've been meaning to attempt to write some code for an iso7816 card myself)
I noticed and realized this too. Some methods were already explicitly put into iso7816.c. There are of course many more. Even the already implemented EMV is actually using some ISO7816 commands.
I think there is a bug, someone whose non passport card replies 6A82 to the request 00 A4 04 0C 07 A0 00 00 02 47 10 01 has it recognized as a passport. It's from an unofficial firmware that I think pulled your PR
I think there is a bug, someone whose non passport card replies 6A82 to the request 00 A4 04 0C 07 A0 00 00 02 47 10 01 has it recognized as a passport. It's from an unofficial firmware that I think pulled your PR
I'm afraid you're correct about that. I was working on the implementation and am using the mrtd_test() function for that. The call however doesn't use a return value to confirm an MRTD was present. I'll try to fix it this week.
Could you, afterwards, inform the maintainers of that fork to update?
I'm afraid you're correct about that. I was working on the implementation and am using the mrtd_test() function for that. The call however doesn't use a return value to confirm an MRTD was present. I'll try to fix it this week.
Could you, afterwards, inform the maintainers of that fork to update?
Ok, that's what I thought when looking at the code, thanks for confirming. I'm not sure which fork that is but I'll contact the person who encountered the problem.
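The check discussed above, as an added example that is not part of the thread or of the PR's code: a card counts as an MRTD only when the SELECT by AID quoted in the report ends in status word 9000, so a 6A82 reply is rejected. All function names are hypothetical and the two card responses are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* eMRTD application AID, taken from the SELECT request quoted in the thread. */
const uint8_t EMRTD_AID[] = {0xA0, 0x00, 0x00, 0x02, 0x47, 0x10, 0x01};
/* Constructed card responses: a non-passport card and a card that has the application. */
const uint8_t RESP_NOT_FOUND[] = {0x6A, 0x82};
const uint8_t RESP_OK[] = {0x90, 0x00};

/* Build SELECT by AID (CLA 00, INS A4, P1 04, P2 0C, Lc, AID); returns length or 0. */
size_t example_build_select_aid(const uint8_t* aid, size_t aid_len, uint8_t* out, size_t cap) {
    if(aid_len < 5 || aid_len > 16 || cap < 5 + aid_len) return 0;
    const uint8_t header[5] = {0x00, 0xA4, 0x04, 0x0C, (uint8_t)aid_len};
    memcpy(out, header, sizeof(header));
    memcpy(out + sizeof(header), aid, aid_len);
    return sizeof(header) + aid_len;
}

/* SW1SW2 is the last two bytes of a response; 0 marks a truncated or missing response. */
uint16_t example_status_word(const uint8_t* resp, size_t len) {
    if(resp == NULL || len < 2) return 0;
    return (uint16_t)((resp[len - 2] << 8) | resp[len - 1]);
}

/* Text for the status words that appear in this thread (ISO 7816-4 meanings). */
const char* example_sw_text(uint16_t sw) {
    switch(sw) {
    case 0x9000: return "success";
    case 0x6A82: return "file or application not found";
    case 0x6988: return "secure messaging data objects are incorrect";
    case 0x6B00: return "wrong parameters P1-P2";
    default: return "unexpected status";
    }
}

/* The card counts as an MRTD only when SELECT of the eMRTD AID ends in 9000. */
bool example_is_mrtd(const uint8_t* select_resp, size_t len) {
    return example_status_word(select_resp, len) == 0x9000;
}

int main(void) {
    uint16_t sw = example_status_word(RESP_NOT_FOUND, sizeof(RESP_NOT_FOUND));
    printf("%04X (%s) -> MRTD: %d\n", (unsigned)sw, example_sw_text(sw),
           example_is_mrtd(RESP_NOT_FOUND, sizeof(RESP_NOT_FOUND)));
    return 0;
}
```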
@gornekich still need your review
When testing with a Slovenian passport, I get a MemManage restart.
When testing with a Slovenian passport, I get a MemManage restart.
@craftbyte, would you be able to share some logging and debugging details with me? You can reach me at [my username]@gmail.com
<3
Just to inform, Brazilian passports work flawlessly, I've tested 5 different and all worked as expected, awesome job @qistoph !
While I was testing with Russian international passport, no data from EF_DG1 were extracted. I will look into it and maybe send you a patch to fix it.
Log fragment:
66841725 [D][Mrtd] Read and parse COM (011E)
66841728 [D][Mrtd] Send select EF: COM (0x011E)
DES add: ***
DES buf: ***
DES add: ***
DES buf: ***
MAC: ***
DES add: ***
DES buf: ***
66841772 [D][Mrtd] Selected COM
66841774 [D][Mrtd] Read binary, offset: 0
DES add: ***
DES buf: ***
DES buf: ***
MAC: ***
66841808 [I][Mrtd] APDU answer is not 0x9000, but 0x6B00
66841810 [E][Mrtd] Failed to read
66841812 [E][Mrtd] Could not read COM
66841814 [D][Mrtd] Read and parse DG1 (0101)
66841817 [D][Mrtd] Send select EF: DG1 (0x0101)
DES add: ***
DES buf: ***
DES add: ***
DES buf: ***
MAC: ***
66841846 [I][Mrtd] APDU answer is not 0x9000, but 0x6988
66841848 [I][Mrtd] 'secure messaging data objects are incorrect'
66841851 [E][Mrtd] Failed select EF 0x0101
66841853 [E][Mrtd] Could not select DG1
66841876 [D][NFC] Read passport, auth: 1, success: 1
Hi ;-) Looks like it makes sense to move this feature into separate application, doesn't it?
I'll switch this PR to Draft, un-draft it when ready.
Hi ;-) Looks like it makes sense to move this feature into separate application, doesn't it?
I'll switch this PR to Draft, un-draft it when ready.
Maybe decoding yes but I'd argue it makes sense to at least detect mrtds in stock firmware.
@gornekich what do you think?
wow good job
Hey! Fantastic job! Need any help?
Thanks @pawisoon!
I was really hoping to have this included in the firmware. The suggestion to convert into an app is a bit of a disappointment.
If anyone is willing to help me get that started, I'm willing to reconsider working on it.
@qistoph is there a limitation to what travel passports can be read? When I try to authenticate US passport flipper crashes with furi_check error.
@qistoph is there a limitation to what travel passports can be read? When I try to authenticate US passport flipper crashes with furi_check error.
You need to do BAC/PACE access control - based on DoE, DoB and document number in order to access Chip data. You can read everything that's present on data page + high resolution photo + sometimes some optional data is present (see ICAO 9303).
The fingerprints are not readable by regular users in any passports, need a cert that only country officials have access to. Most agencies won't even do this themselves due to the complexity and cost of reading them from the chip.
@qistoph is there a limitation to what travel passports can be read? When I try to authenticate US passport flipper crashes with furi_check error.
Sorry to reply again. Have you checked your DoE, DoB and document number correctness? I'm not sure but maybe you are holding some newest model of US passport (post 2020) that might be PACE only. You could verify this with a passport reader e.g. https://apps.apple.com/us/app/readid-me/id1463949991 After you read NFC using the above app, in result screen, go to security tab and see value of "Type of access control". You can also see what features chip supports above it.
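Why a single mistyped field makes BAC fail, as an added example that is not part of the thread or of the PR's code: the BAC keys are derived from a 24-character string made of the document number, date of birth and date of expiry, each followed by its ICAO 9303 check digit. Function names are hypothetical, the input is the specimen used in ICAO Doc 9303's worked example, and only document numbers of up to 9 characters are handled.

```c
#include <stdio.h>
#include <string.h>

/* MRZ character value: 0-9 as is, A-Z as 10-35, filler '<' as 0; -1 if invalid. */
static int mrz_char_value(char c) {
    if(c >= '0' && c <= '9') return c - '0';
    if(c >= 'A' && c <= 'Z') return c - 'A' + 10;
    return (c == '<') ? 0 : -1;
}

/* ICAO 9303 check digit: weights 7,3,1 repeating, sum mod 10; -1 on a bad character. */
int example_mrz_check_digit(const char* field, size_t len) {
    static const int weights[3] = {7, 3, 1};
    int sum = 0;
    for(size_t i = 0; i < len; i++) {
        int v = mrz_char_value(field[i]);
        if(v < 0) return -1;
        sum += v * weights[i % 3];
    }
    return sum % 10;
}

/* Build the 24-char BAC input: number padded to 9 with '<' + cd, DoB + cd, DoE + cd.
 * Dates are YYMMDD digits. Returns 0 on success, -1 on invalid input. */
int example_build_mrz_information(const char* doc, const char* dob, const char* doe, char out[25]) {
    char padded[9];
    size_t n = strlen(doc), pos = 0;
    if(n == 0 || n > 9 || strlen(dob) != 6 || strlen(doe) != 6) return -1;
    if(strspn(dob, "0123456789") != 6 || strspn(doe, "0123456789") != 6) return -1;
    memset(padded, '<', sizeof(padded));
    memcpy(padded, doc, n);
    const char* fields[3] = {padded, dob, doe};
    const size_t lens[3] = {9, 6, 6};
    for(int f = 0; f < 3; f++) {
        int cd = example_mrz_check_digit(fields[f], lens[f]);
        if(cd < 0) return -1;
        memcpy(out + pos, fields[f], lens[f]);
        pos += lens[f];
        out[pos++] = (char)('0' + cd);
    }
    out[pos] = '\0';
    return 0;
}

int main(void) { /* specimen input, not a real document */
    char info[25];
    if(example_build_mrz_information("L898902C", "690806", "940623", info) == 0) puts(info);
    return 0;
}
```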
I tried different access types (BAC and Any). If I mistype any of the fields on purpose I get the can't authenticate error. My passport is before 2020. I tried it with 2 different passports that are both US and have the same issues on both of them.
I tried different access types (BAC and Any). If I mistype any of the fields on purpose I get the can't authenticate error. My passport is before 2020. I tried it with 2 different passports that are both US and have the same issues on both of them.
Maybe it's the implementation issue specific to US passport. Is the passport reader app I linked working with your document? Making sure NFC chip is intact and working.