mount/flipperzero-firmware
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

NFC: Fix gen1 writing with invalid BCC (lost fix from PR #2511) (#2710)

Browse Source 
Co-authored-by: あく <alleteam@gmail.com>
This commit is contained in:
AloneLiberty 2023-05-31 13:56:04 +00:00 committed by GitHub
parent d09c59fd2f
commit 86a64487cb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 45 additions and 228 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
applications/external/nfc_magic/lib/magic/classic_gen1.c vendored
View File

@ -5,7 +5,6 @@
#define TAG "Magic" #define TAG "Magic"
#define MAGIC_CMD_WUPA (0x40) #define MAGIC_CMD_WUPA (0x40)
#define MAGIC_CMD_WIPE (0x41)
#define MAGIC_CMD_ACCESS (0x43) #define MAGIC_CMD_ACCESS (0x43)
#define MAGIC_MIFARE_READ_CMD (0x30) #define MAGIC_MIFARE_READ_CMD (0x30)
@ -144,32 +143,3 @@ bool magic_gen1_write_blk(uint8_t block_num, MfClassicBlock* data) {
return write_success; return write_success;
} }
bool magic_gen1_wipe() {
bool wipe_success = false;
uint8_t tx_data[MAGIC_BUFFER_SIZE] = {};
uint8_t rx_data[MAGIC_BUFFER_SIZE] = {};
uint16_t rx_len = 0;
FuriHalNfcReturn ret = 0;
do {
tx_data[0] = MAGIC_CMD_WIPE;
ret = furi_hal_nfc_ll_txrx_bits(
tx_data,
8,
rx_data,
sizeof(rx_data),
&rx_len,
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_TX_MANUAL | FURI_HAL_NFC_LL_TXRX_FLAGS_AGC_ON |
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_RX_KEEP,
furi_hal_nfc_ll_ms2fc(2000));
if(ret != FuriHalNfcReturnIncompleteByte) break;
if(rx_len != 4) break;
if(rx_data[0] != MAGIC_ACK) break;
wipe_success = true;
} while(false);
return wipe_success;
}

2
applications/external/nfc_magic/lib/magic/classic_gen1.h vendored
View File

@ -9,5 +9,3 @@ bool magic_gen1_read_block(uint8_t block_num, MfClassicBlock* data);
bool magic_gen1_data_access_cmd(); bool magic_gen1_data_access_cmd();
bool magic_gen1_write_blk(uint8_t block_num, MfClassicBlock* data); bool magic_gen1_write_blk(uint8_t block_num, MfClassicBlock* data);
bool magic_gen1_wipe();

175
applications/external/nfc_magic/lib/magic/magic.c vendored
View File

@ -1,175 +0,0 @@
#include "classic_gen1.h"
#include <furi_hal_nfc.h>
#define TAG "Magic"
#define MAGIC_CMD_WUPA (0x40)
#define MAGIC_CMD_WIPE (0x41)
#define MAGIC_CMD_ACCESS (0x43)
#define MAGIC_MIFARE_READ_CMD (0x30)
#define MAGIC_MIFARE_WRITE_CMD (0xA0)
#define MAGIC_ACK (0x0A)
#define MAGIC_BUFFER_SIZE (32)
bool magic_gen1_wupa() {
bool magic_activated = false;
uint8_t tx_data[MAGIC_BUFFER_SIZE] = {};
uint8_t rx_data[MAGIC_BUFFER_SIZE] = {};
uint16_t rx_len = 0;
FuriHalNfcReturn ret = 0;
do {
// Start communication
tx_data[0] = MAGIC_CMD_WUPA;
ret = furi_hal_nfc_ll_txrx_bits(
tx_data,
7,
rx_data,
sizeof(rx_data),
&rx_len,
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_TX_MANUAL | FURI_HAL_NFC_LL_TXRX_FLAGS_AGC_ON |
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_RX_KEEP,
furi_hal_nfc_ll_ms2fc(20));
if(ret != FuriHalNfcReturnIncompleteByte) break;
if(rx_len != 4) break;
if(rx_data[0] != MAGIC_ACK) break;
magic_activated = true;
} while(false);
return magic_activated;
}
bool magic_gen1_data_access_cmd() {
bool write_cmd_success = false;
uint8_t tx_data[MAGIC_BUFFER_SIZE] = {};
uint8_t rx_data[MAGIC_BUFFER_SIZE] = {};
uint16_t rx_len = 0;
FuriHalNfcReturn ret = 0;
do {
tx_data[0] = MAGIC_CMD_ACCESS;
ret = furi_hal_nfc_ll_txrx_bits(
tx_data,
8,
rx_data,
sizeof(rx_data),
&rx_len,
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_TX_MANUAL | FURI_HAL_NFC_LL_TXRX_FLAGS_AGC_ON |
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_RX_KEEP,
furi_hal_nfc_ll_ms2fc(20));
if(ret != FuriHalNfcReturnIncompleteByte) break;
if(rx_len != 4) break;
if(rx_data[0] != MAGIC_ACK) break;
write_cmd_success = true;
} while(false);
return write_cmd_success;
}
bool magic_gen1_read_block(uint8_t block_num, MfClassicBlock* data) {
furi_assert(data);
bool read_success = false;
uint8_t tx_data[MAGIC_BUFFER_SIZE] = {};
uint8_t rx_data[MAGIC_BUFFER_SIZE] = {};
uint16_t rx_len = 0;
FuriHalNfcReturn ret = 0;
do {
tx_data[0] = MAGIC_MIFARE_READ_CMD;
tx_data[1] = block_num;
ret = furi_hal_nfc_ll_txrx_bits(
tx_data,
2 * 8,
rx_data,
sizeof(rx_data),
&rx_len,
FURI_HAL_NFC_LL_TXRX_FLAGS_AGC_ON,
furi_hal_nfc_ll_ms2fc(20));
if(ret != FuriHalNfcReturnOk) break;
if(rx_len != 16 * 8) break;
memcpy(data->value, rx_data, sizeof(data->value));
read_success = true;
} while(false);
return read_success;
}
bool magic_gen1_write_blk(uint8_t block_num, MfClassicBlock* data) {
furi_assert(data);
bool write_success = false;
uint8_t tx_data[MAGIC_BUFFER_SIZE] = {};
uint8_t rx_data[MAGIC_BUFFER_SIZE] = {};
uint16_t rx_len = 0;
FuriHalNfcReturn ret = 0;
do {
tx_data[0] = MAGIC_MIFARE_WRITE_CMD;
tx_data[1] = block_num;
ret = furi_hal_nfc_ll_txrx_bits(
tx_data,
2 * 8,
rx_data,
sizeof(rx_data),
&rx_len,
FURI_HAL_NFC_LL_TXRX_FLAGS_AGC_ON | FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_RX_KEEP,
furi_hal_nfc_ll_ms2fc(20));
if(ret != FuriHalNfcReturnIncompleteByte) break;
if(rx_len != 4) break;
if(rx_data[0] != MAGIC_ACK) break;
memcpy(tx_data, data->value, sizeof(data->value));
ret = furi_hal_nfc_ll_txrx_bits(
tx_data,
16 * 8,
rx_data,
sizeof(rx_data),
&rx_len,
FURI_HAL_NFC_LL_TXRX_FLAGS_AGC_ON | FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_RX_KEEP,
furi_hal_nfc_ll_ms2fc(20));
if(ret != FuriHalNfcReturnIncompleteByte) break;
if(rx_len != 4) break;
if(rx_data[0] != MAGIC_ACK) break;
write_success = true;
} while(false);
return write_success;
}
bool magic_gen1_wipe() {
bool wipe_success = false;
uint8_t tx_data[MAGIC_BUFFER_SIZE] = {};
uint8_t rx_data[MAGIC_BUFFER_SIZE] = {};
uint16_t rx_len = 0;
FuriHalNfcReturn ret = 0;
do {
tx_data[0] = MAGIC_CMD_WIPE;
ret = furi_hal_nfc_ll_txrx_bits(
tx_data,
8,
rx_data,
sizeof(rx_data),
&rx_len,
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_TX_MANUAL | FURI_HAL_NFC_LL_TXRX_FLAGS_AGC_ON |
FURI_HAL_NFC_LL_TXRX_FLAGS_CRC_RX_KEEP,
furi_hal_nfc_ll_ms2fc(2000));
if(ret != FuriHalNfcReturnIncompleteByte) break;
if(rx_len != 4) break;
if(rx_data[0] != MAGIC_ACK) break;
wipe_success = true;
} while(false);
return wipe_success;
}

66
applications/external/nfc_magic/nfc_magic_worker.c vendored
View File

@ -92,51 +92,49 @@ void nfc_magic_worker_write(NfcMagicWorker* nfc_magic_worker) {
while(nfc_magic_worker->state == NfcMagicWorkerStateWrite) { while(nfc_magic_worker->state == NfcMagicWorkerStateWrite) {
do { do {
if(furi_hal_nfc_detect(&nfc_data, 200)) { if(magic_dev->type == MagicTypeClassicGen1) {
if(nfc_data.cuid != magic_dev->cuid) break; if(furi_hal_nfc_detect(&nfc_data, 200)) {
if(!card_found_notified) { magic_deactivate();
nfc_magic_worker->callback( magic_activate();
NfcMagicWorkerEventCardDetected, nfc_magic_worker->context);
card_found_notified = true;
}
furi_hal_nfc_sleep();
magic_activate();
if(magic_dev->type == MagicTypeClassicGen1) {
if(dev_protocol != NfcDeviceProtocolMifareClassic) break;
MfClassicData* mfc_data = &dev_data->mf_classic_data;
if(mfc_data->type != MfClassicType1k) break;
if(!magic_gen1_wupa()) { if(!magic_gen1_wupa()) {
FURI_LOG_E(TAG, "Not Magic card"); FURI_LOG_E(TAG, "No card response to WUPA (not a magic card)");
nfc_magic_worker->callback( nfc_magic_worker->callback(
NfcMagicWorkerEventWrongCard, nfc_magic_worker->context); NfcMagicWorkerEventWrongCard, nfc_magic_worker->context);
done = true; done = true;
break; break;
} }
magic_deactivate();
}
magic_activate();
if(magic_gen1_wupa()) {
if(!magic_gen1_data_access_cmd()) { if(!magic_gen1_data_access_cmd()) {
FURI_LOG_E(TAG, "Not Magic card"); FURI_LOG_E(
TAG, "No card response to data access command (not a magic card)");
nfc_magic_worker->callback( nfc_magic_worker->callback(
NfcMagicWorkerEventWrongCard, nfc_magic_worker->context); NfcMagicWorkerEventWrongCard, nfc_magic_worker->context);
done = true; done = true;
break; break;
} }
MfClassicData* mfc_data = &dev_data->mf_classic_data;
for(size_t i = 0; i < 64; i++) { for(size_t i = 0; i < 64; i++) {
FURI_LOG_D(TAG, "Writing block %d", i); FURI_LOG_D(TAG, "Writing block %d", i);
if(!magic_gen1_write_blk(i, &mfc_data->block[i])) { if(!magic_gen1_write_blk(i, &mfc_data->block[i])) {
FURI_LOG_E(TAG, "Failed to write %d block", i); FURI_LOG_E(TAG, "Failed to write %d block", i);
done = true;
nfc_magic_worker->callback( nfc_magic_worker->callback(
NfcMagicWorkerEventFail, nfc_magic_worker->context); NfcMagicWorkerEventFail, nfc_magic_worker->context);
done = true;
break; break;
} }
} }
done = true;
nfc_magic_worker->callback( nfc_magic_worker->callback(
NfcMagicWorkerEventSuccess, nfc_magic_worker->context); NfcMagicWorkerEventSuccess, nfc_magic_worker->context);
done = true;
break; break;
} else if(magic_dev->type == MagicTypeGen4) { }
} else if(magic_dev->type == MagicTypeGen4) {
if(furi_hal_nfc_detect(&nfc_data, 200)) {
uint8_t gen4_config[28]; uint8_t gen4_config[28];
uint32_t password = magic_dev->password; uint32_t password = magic_dev->password;
@ -196,6 +194,7 @@ void nfc_magic_worker_write(NfcMagicWorker* nfc_magic_worker) {
gen4_config[25] = dev_data->nfc_data.atqa[1]; gen4_config[25] = dev_data->nfc_data.atqa[1];
gen4_config[26] = dev_data->nfc_data.sak; gen4_config[26] = dev_data->nfc_data.sak;
furi_hal_nfc_sleep();
furi_hal_nfc_activate_nfca(200, &cuid); furi_hal_nfc_activate_nfca(200, &cuid);
if(!magic_gen4_set_cfg(password, gen4_config, sizeof(gen4_config), false)) { if(!magic_gen4_set_cfg(password, gen4_config, sizeof(gen4_config), false)) {
nfc_magic_worker->callback( nfc_magic_worker->callback(
@ -394,6 +393,11 @@ void nfc_magic_worker_wipe(NfcMagicWorker* nfc_magic_worker) {
MfClassicBlock block; MfClassicBlock block;
memset(&block, 0, sizeof(MfClassicBlock)); memset(&block, 0, sizeof(MfClassicBlock));
MfClassicBlock empty_block;
memset(&empty_block, 0, sizeof(MfClassicBlock));
MfClassicBlock trailer_block;
memset(&trailer_block, 0xff, sizeof(MfClassicBlock));
block.value[0] = 0x01; block.value[0] = 0x01;
block.value[1] = 0x02; block.value[1] = 0x02;
block.value[2] = 0x03; block.value[2] = 0x03;
@ -402,6 +406,10 @@ void nfc_magic_worker_wipe(NfcMagicWorker* nfc_magic_worker) {
block.value[5] = 0x08; block.value[5] = 0x08;
block.value[6] = 0x04; block.value[6] = 0x04;
trailer_block.value[7] = 0x07;
trailer_block.value[8] = 0x80;
trailer_block.value[9] = 0x69;
while(nfc_magic_worker->state == NfcMagicWorkerStateWipe) { while(nfc_magic_worker->state == NfcMagicWorkerStateWipe) {
do { do {
magic_deactivate(); magic_deactivate();
@ -415,10 +423,26 @@ void nfc_magic_worker_wipe(NfcMagicWorker* nfc_magic_worker) {
card_found_notified = true; card_found_notified = true;
} }
if(!magic_gen1_wipe()) break;
if(!magic_gen1_data_access_cmd()) break; if(!magic_gen1_data_access_cmd()) break;
if(!magic_gen1_write_blk(0, &block)) break; if(!magic_gen1_write_blk(0, &block)) break;
for(size_t i = 1; i < 64; i++) {
FURI_LOG_D(TAG, "Wiping block %d", i);
bool success = false;
if((i | 0x03) == i) {
success = magic_gen1_write_blk(i, &trailer_block);
} else {
success = magic_gen1_write_blk(i, &empty_block);
}
if(!success) {
FURI_LOG_E(TAG, "Failed to write %d block", i);
nfc_magic_worker->callback(
NfcMagicWorkerEventFail, nfc_magic_worker->context);
break;
}
}
card_wiped = true; card_wiped = true;
nfc_magic_worker->callback(NfcMagicWorkerEventSuccess, nfc_magic_worker->context); nfc_magic_worker->callback(NfcMagicWorkerEventSuccess, nfc_magic_worker->context);
} else if(magic_dev->type == MagicTypeGen4) { } else if(magic_dev->type == MagicTypeGen4) {