The HCE demo card
Fin's Host Card Emulation demo teaches challenge-response using two of your own phones. It is a toy: a private app-owned AID and a clearly-labelled learning key, compatible with nothing real.
The AID is F0 46 49 4E 54 4F 59 ("FINTOY"). It deliberately matches no payment, transit, hotel, or access-control application.
The toy protocol
After the reader selects the Fin AID, a tiny fixed instruction set is available:
| Command | APDU (CLA INS) | Returns |
|---|---|---|
| SELECT | 00 A4 04 00 | Info banner |
| GET_INFO | 80 CA | "FIN-TOY …" banner |
| GET_RANDOM_DEMO_ID | 80 10 | Throwaway random id (not the secret) |
| GET_NONCE | 80 20 | Fresh 16-byte random nonce |
| SIGN_CHALLENGE_DEMO | 80 30 | HMAC(secret, nonce‖challenge), truncated |
Why guessing & replay fail
Each GET_NONCE returns a different random value, and the card consumes it after one signature. Recording an exchange teaches an attacker nothing reusable, and the 128-bit secret space makes guessing hopeless. Rotating the learning credential in the app invalidates any value derived from the old one — exactly how revoking a real credential works.
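The fixed exchange from the table above and the one-shot-nonce and rotation behaviour described in this section, as an added Python simulation that is not Fin's own code: the short-Lc APDU layout, the status words, the banner strings and the 16-byte tag truncation are assumptions; the AID, the CLA/INS values and HMAC(secret, nonce‖challenge) come from the page.

```python
import hmac, hashlib, secrets

AID_FINTOY = bytes.fromhex("F046494E544F59")   # "FINTOY", from the page
SW_OK, SW_NOT_FOUND, SW_COND = b"\x90\x00", b"\x6A\x82", b"\x69\x85"
TAG_LEN = 16                                   # assumed: keep 16 of HMAC-SHA256's 32 bytes

def apdu(cla, ins, data=b"", p1=0x00, p2=0x00):
    """Short-Lc command APDU: CLA INS P1 P2 Lc DATA (assumed encoding)."""
    return bytes([cla, ins, p1, p2, len(data)]) + data

class ToyCard:
    """Card side: select AID, hand out one-shot nonces, answer with a truncated HMAC."""
    def __init__(self, learning_key):
        self.key, self.selected, self.nonce = learning_key, False, None
    def rotate(self, new_key):                 # app-side credential rotation
        self.key, self.nonce = new_key, None
    def process(self, cmd):
        cla, ins, data = cmd[0], cmd[1], cmd[5:5 + cmd[4]]
        if (cla, ins) == (0x00, 0xA4):         # SELECT by AID
            self.selected, self.nonce = data == AID_FINTOY, None
            return b"FIN-TOY demo" + SW_OK if self.selected else SW_NOT_FOUND
        if not self.selected:
            return SW_COND
        if (cla, ins) == (0x80, 0xCA):         # GET_INFO (assumed banner text)
            return b"FIN-TOY learning card" + SW_OK
        if (cla, ins) == (0x80, 0x20):         # GET_NONCE: fresh 16 random bytes
            self.nonce = secrets.token_bytes(16)
            return self.nonce + SW_OK
        if (cla, ins) == (0x80, 0x30):         # SIGN_CHALLENGE_DEMO
            if self.nonce is None:             # no live nonce: a replayed SIGN is refused
                return SW_COND
            tag = hmac.new(self.key, self.nonce + data, hashlib.sha256).digest()[:TAG_LEN]
            self.nonce = None                  # consumed after exactly one signature
            return tag + SW_OK
        return b"\x6D\x00"                     # INS not supported

def reader_exchange(card, expected_key, challenge):
    """Reader side: SELECT -> GET_INFO -> GET_NONCE -> SIGN, then verify. Returns (ok, transcript)."""
    transcript = []
    def send(cmd):
        rsp = card.process(cmd); transcript.append((cmd.hex(), rsp.hex())); return rsp
    if send(apdu(0x00, 0xA4, AID_FINTOY, p1=0x04))[-2:] != SW_OK:
        return False, transcript
    send(apdu(0x80, 0xCA))                     # banner only; nothing to verify
    nonce = send(apdu(0x80, 0x20))[:-2]
    rsp = send(apdu(0x80, 0x30, challenge))
    if rsp[-2:] != SW_OK:
        return False, transcript
    expected = hmac.new(expected_key, nonce + challenge, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(rsp[:-2], expected), transcript
```

Re-sending the captured SIGN APDU after a completed exchange gets SW_COND back, because the nonce it was bound to no longer exists; rotating the key makes a reader that still holds the old one fail verification.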
The Fin Reader companion
A second phone running Fin's reader runs only this fixed exchange — there is no arbitrary-APDU entry — and shows the SELECT → GET_INFO → GET_NONCE → SIGN transcript so you can watch challenge-response happen.