2019-09-29

Bonaverde - Emulating NFC cards

Project history

  1. old posting: Bonaverde: testing Henry Hück
  2. current posting
  3. next posting: 

The problem

For my Bonaverde "Berlin" machine,
I still have some green beans in the large 500g bags around.
They contain no NFC tag and where shipped to Kickstarter backers.

Since serveral weeks and 3 app-updates the myBonaverde app no longer offers many types of coffee beans including these for roasting.
It also has many other issues with the list such as listing the same entry 3-5 times, listing lots of 80g profiles when having 50g selected,....
Support couldn't find the issue yet. (Yes, uninstalling does NOT help in any way.)

NFC to the rescue

So I decided to have a look at their NFC tags. They work offline after all.
I do have a number of used-up single-use cards of the typed of coffee.

The ISO 14443-3A compatible "NXP MIFARE Ultralight EV1 - 48 Byte" cards with 20 memory pages of 4 byte each.

Card format

I quickly found out the following facts:
  • sector 00 - unique ID by Mifare. Doesn't matter.
  • sector 01 - still UID
  • sector 02 - card type and other bits we don't care about
  • sector 03 - these are OTP = one time programmable. 
    • Single use cards are made single-use by setting ALL bits 1.
    • They can be reset by emulating the same cards with these fuses set back to 0.
    • The same mechanism is used for single-use air filters.
  • sector 04 - always the same content
  • sector 05 - byte 2 is different for NFC tags on air filters.
  • sector 06 - byte 3 indicates the type of card. 
    • 56=air filter 
    • A2=coffee changers badge
    • AC=single use coffee pouch
    • update: AE=Advent_ure#4
    • update: B2=roast only, roast and grind
    • update: B5=grind only, brew only, 80g universal tool
    • update: B6=Advent_use#14 slow roast(+brew)
    • ...
  • sector 07 - always the same content
  • sector 08 - byte 0 is different for NFC tags on *unused* air filters
  • sector 09 - byte 2 is different for NFC tags on air filters.
  • sector 0A - byte 1 is different for NFC tags on air filters
  • sector 0B - byte 2+3 differ. 
    • meaning unknown
  • sector 0C - always 0x00000000
  • sector 0D - always 0x00000000
  • sector 0E - always 0x00000000 
  • sector 0F - first byte differs
    • meaning unknown
  • sector 10 - CFG 0 (MIRROR / AUTH0), content given by Mifare
  • sector 11 - CFG 1 (ACCESS), content given by Mifare
  • sector 12 - PWD0 - PWD3 always 0x00000000
  • sector 13 - PACK0 - PACK1 always 0x00000000
The description of sector 7-0F does not refer to the card types marked as "update:". I didn't have the time to have a closer look at these yet. 

Emulation?

I can not emulate these types of card using my Android phone. But you can get card emulators with a switch to make sector 03 writable.
I got one, set up with a firmware emulating the 48 byte version of the EV1 cards.
I used the MIFARE++ Ultralight app to write to one of these emulators.
The NFC Tools app (pro) app looked promising but can't write what it can read. It can only write NDEF recordd.

Implications

It's your own coffee machine.
You can't do anything unsafe with this.
You purchased the green beans from Bonaverde to get the NFC tag in the first place.
You can't get the beans matching the bean-specific roasting profile referenced in the NFC tag anywhere else.
So I see no problem in sharing this absolutely trivial bit of information.

TBD

I could not find out how the roasting profiles are stored.
According to the FAQ there are 6 roasting degrees. 
The content is too small to store a list of time+temperature values forming a the curve of a roasting profile. So my guess is that there is a fixed or updatable table of profiles in the machine and the card just selects it. Or the card contains a single pair of duration+intensity.

Links:

Keine Kommentare: