Is it possible to read the iPhone's NFC chip as if it were an RFID tag?

Question

I know it's not possible for the iPhone 6 to read RFID tags, and I know that the iPhone API only allows use of NFC for Apple Pay, but is it possible to read an iPhone's NFC chip as if it were an RFID tag?

That is, would an RFID reader be able to retrieve any sort of passive information like a chip's unique ID or something of that nature, by using an RFID reader with something like an Arduino or Raspberry Pi?

Answer 1

It appears that it is possible to detect the signal coming from the iPhone when you hold down your thumb to attempt an Apple Pay payment. However, it sends out a different ID number with each press. This makes it pretty much impossible to do anything security related.

Here is a video of someone who got it working. https://www.youtube.com/watch?v=fhpMVFte2mE

because the iPhone spits out different NFC tag #'s each time. the reader is set to use any tag this is not good for secure applications like locks like in the video above.

Answer 2

As Michael Gillett already wrote, the anti-collision identifier (frequently used as the ID in RFID), is dynamic and changes on each activation of the secure element in the iPhone. What you could try to do is to access the EMV payment card ("tokenized" credit card) on the secure element. This credit card contains at least a PAN (tokenized primary account number) and possibly also public keys for signature verification. That information should be static (even in the tokenzation case) and, hence, could be used to identify the device.

Take a look at the EMV specifications for contactless payment systems (http://emvco.com) to find out how to access the payment application. Basically you would do something like the following:

• SELECT PPSE
• Find AID of payment application in select response
• SELECT payment application (by AID)
• READ RECORD (file + record number) for the record that contains the PAN/ICC public key

You would need some contactless smartcard reader to send the necessary APDU commands though. An RFID reader that only performs anti-collision to get an ID is not sufficient. However, for both, the Arduino and the RPI, there are such readers (e.g. NFC shield).

Answer 3

Use PN532 board. Simplify work with Arduino based host, use this library.

Define connection.

#include <Arduino.h>
#include <SPI.h>
#include <PN532_SPI.h>
#include <PN532.h>

PN532_SPI intfc(SPI,5);
PN532 nfc(intfc);

Check if card/phone is present :

success = nfc.inListPassiveTarget();
   if (success) { ...

Define comm buffer:

   uint8_t apdubuffer[255] = {};
   uint8_t apdulen;

and send SELECT PPSE command:

apdulen = 255;
success2 = sendAPDU(0x00, 0xA4, 0x04, 0x00, "2PAY.SYS.DDF01", 0x00, &apdubuffer[0], &apdulen);

if succedded, then:

//fromHEX("A0000000031010") - VISA
//fromHEX("A0000000041010") - MC
success2 = sendAPDU(0x00, 0xA4, 0x04, 0x00, fromHEX("A0000000031010"), 0x00, &apdubuffer[0], &apdulen);

and you're good to read card's internal files (SFI/RECs), eg.:

success2 = sendAPDU(0x00, 0xB2, rec_num, (sfi_num << 3)+4, 0x00, &apdubuffer[0], &apdulen);

It'll be best to find PAN/ICC public key, indeed, as unique to card, but there will be many bytes presented before PAN/ICC, imho quite unique and sufficient to perform authentication

Afterall, you'd need this overloads:

bool sendAPDU(byte cla, byte ins, byte p1, byte p2, String aid, byte le, uint8_t *response, uint8_t *resp_len)
{
  uint8_t cmdbuf[255];
  memset(&cmdbuf[0],0,255);
  cmdbuf[0] = cla;
  cmdbuf[1] = ins;
  cmdbuf[2] = p1;
  cmdbuf[3] = p2;
  cmdbuf[4] = aid.length();  
  int i;
  for (i=0;i<aid.length();i++)
    cmdbuf[5+i] = aid[i];
  cmdbuf[6+i] = le;
  //printbuf((char*)&cmdbuf[0],5+aid.length());
  return nfc.inDataExchange(&cmdbuf[0], 5+aid.length(), response, resp_len);
}

bool sendAPDU(byte cla, byte ins, byte p1, byte p2, uint8_t* aid, byte le, uint8_t *response, uint8_t *resp_len)
{
  uint8_t cmdbuf[255];
  memset(&cmdbuf[0],0,255);
  cmdbuf[0] = cla;
  cmdbuf[1] = ins;
  cmdbuf[2] = p1;
  cmdbuf[3] = p2;
  cmdbuf[4] = aid[0];  
  int i;
  for (i=0;i<aid[0];i++)
    cmdbuf[5+i] = aid[i+1];
  cmdbuf[6+i] = le;
  //printbuf((char*)&cmdbuf[0],5+cmdbuf[4]);
  return nfc.inDataExchange(&cmdbuf[0], 5+cmdbuf[4], response, resp_len);
}

bool sendAPDU(byte cla, byte ins, byte p1, byte p2, byte le, uint8_t *response, uint8_t *resp_len)
{
  uint8_t cmdbuf[255];
  memset(&cmdbuf[0],0,255);
  cmdbuf[0] = cla;
  cmdbuf[1] = ins;
  cmdbuf[2] = p1;
  cmdbuf[3] = p2;
  cmdbuf[4] = le;
  //printbuf((char*)&cmdbuf[0],5);
  return nfc.inDataExchange(&cmdbuf[0], 5, response, resp_len);
}

and this, too:

/*
  Funny, non-C approach to return array from a function
  Returns ptr to global static buf... 
  Just to improve readability of sendAPDU() function...
  Not really needed in real app,
*/
uint8_t fromHexBuf[255];  
uint8_t* fromHEX(String hexs) {
  int i = hexs.length()/2;
  fromHexBuf[0] = i;
  int x=0;
  while (i) {
    char buf[3];
    char *tmp;
    buf[0] = hexs[2*x];
    buf[1] = hexs[2*x+1];
    buf[2] = 0;    
    uint8_t v = strtol(&buf[0], &tmp, 16);
    //Serial.printf("-> %s = %x\n", buf, v);
    fromHexBuf[x+1] = v;
    x=x+1;
    i--;
  }
  return &fromHexBuf[0];
}