
PN7150 Stops Detecting Any NFC Devices after repeated Read Failures

Question asked by andrew balogh on Nov 13, 2019
Latest reply on Nov 25, 2019 by Mario Ignacio Castaneda Lopez

I'm developing with the PN7150

OM5578/PN7150-Kit 

 

With the LPC82X

LPC82X MCU's

 

And have been following and using the given Example (AN11990) as a baseline

PN7150 Example Code

NXP-NCI MCUXpresso example Project (REV 1.5)

 

So far I've gotten the board to function as expected when operating in the Reader/Writer and Card Emulation modes, where I've been focusing on performing raw (non-NDEF) exchanges of data between the PN7150 and other NFC devices.

 

I have found a bug in either the software, hardware or both that causes the PN7150 to stop detecting any NFC devices; specifically, it occurs after repeated read failures when reading against an NFC card or NFC host-card-emulated device.

 

For my example, I am using an Android-Device operating in Host-Card-Emulation mode.

Example Implementation

 

But I am purposefully having the Android-Device send back a Response APDU with null values for both the SW1 and SW2 bytes.

 

For the PN7150 example, I have the following settings changed from the default state:

- P2P_SUPPORT symbol not defined (global)

- RW_RAW_EXCHANGE defined (/Application/nfc_task.c)

- CARDEMU_RAW_EXCHANGE defined (/Application/nfc_task.c)

- in the PCD_ISO14443_4_scenario function (/Application/nfc_task.c), I've changed the SelectPPSE array (SELECT APDU command) to use a custom AID to target the HCE application running on the Android-Device;

{
  0x00, 0xA4, 0x04, 0x00,
  0x09,
  0xF0, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
  0x00
};

 

The resulting behavior is as follows;

- I bring the Android-Device to the PN7150

- within /Application/nfc_task.c, the following sequence of function calls repeats while the Android-Device is by the PN7150;

     task_nfc ->

     task_nfc_reader -> 

     PCD_ISO14443_4_scenario ->

     NxpNci_ReaderTagCmd

Ending with a "Select PPSE failed with error.." print line, before we start back at the top of the task_nfc main loop once more.

 

- Eventually (within a minute or less), the prior sequence stops occurring.

Removing the Android-Device, then bringing it, or any other NFC device, to the PN7150 will now not have any effect. The PN7150 can no longer detect any NFC devices at this point!

 

- From pausing execution, we seem to be stuck in an NFC signal detection loop of;

 

    tml_WaitForRx (/TML/src/tml.c) ->  

    gpio_GetValue (/Drivers/src/gpio.c) ->

    Chip_GPIO_GetPinState (/LPC82X/inc/gpio_8xx.h)

 

Where gpio_GetValue(PORT_IRQ, PIN_IRQ) == LOW is now forever true.

 

- Only by restarting the PN7150 can I get it to again detect NFC devices normally as before.

 

Is there anything that can be done to fix the state of the PN7150 application without having to restart it, once it gets into this state?

Perhaps a command to drive a signal to the affected Pins/Ports, to get them to reset themselves?

 

 

I ask since I view this behavior as a potential exploit, that could be carried out either by chance or through malicious intent.
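
The hang described above is an unbounded poll on the IRQ line. As an added example (not from the original post or NXP's example project), this code bounds the poll and escalates to a controller reset after several consecutive timeouts; `irq_is_high`, `controller_reset`, the simulated line and the thresholds are hypothetical stand-ins for the board layer. An idle field also keeps IRQ low, so the recovery path has to be safe to run when nothing is wrong.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical board layer: a simulated IRQ line and a reset hook. On real
 * hardware these would be the IRQ GPIO read and a controller re-init. */
static int sim_irq_high_at = -1; /* poll number at which IRQ rises, -1 = never */
static int sim_polls = 0;
static int sim_resets = 0;

static bool irq_is_high(void) {
    sim_polls++;
    return sim_irq_high_at >= 0 && sim_polls >= sim_irq_high_at;
}

static void controller_reset(void) {
    sim_resets++;
    sim_polls = 0;
}

enum wait_result { WAIT_OK, WAIT_TIMEOUT, WAIT_RECOVERED };

#define MAX_CONSECUTIVE_TIMEOUTS 3 /* assumed threshold */
static int consecutive_timeouts = 0;

/* Poll IRQ at most max_polls times; never spin forever on a LOW line. */
enum wait_result wait_for_rx(uint32_t max_polls) {
    for (uint32_t i = 0; i < max_polls; i++) {
        if (irq_is_high()) {
            consecutive_timeouts = 0;
            return WAIT_OK;
        }
        /* real firmware would sleep one tick here */
    }
    if (++consecutive_timeouts < MAX_CONSECUTIVE_TIMEOUTS)
        return WAIT_TIMEOUT;
    consecutive_timeouts = 0; /* escalate: the line has stayed LOW too long */
    controller_reset();
    return WAIT_RECOVERED;
}

int main(void) {
    /* Constructed scenario: IRQ never rises, as in the stuck state. */
    for (int i = 0; i < 3; i++)
        printf("wait %d -> %d\n", i, wait_for_rx(100));
    printf("resets: %d\n", sim_resets);
    return 0;
}
```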
