Skip to content

Commit

Permalink
Fix MFU authentication to send PACK correctly.
Browse files Browse the repository at this point in the history
  • Loading branch information
shallax committed Aug 30, 2023
1 parent 32f892e commit e3cc8a9
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Fixed the timeout of TCP connections (@wh201906)
- Changed the connection timeout configurable (@wh201906)
- Add hf_cardhopper standalone mode for long-distance relay attacks (@startrekdude)
- Fix MFU authentication to send PACK correctly (@shallax)

## [Seven.4.16717][2023-06-25]
- Change `hf 14a info` - now identifes QL88 tags (@iceman1001)
Expand Down
40 changes: 22 additions & 18 deletions armsrc/iso14443a.c
Original file line number Diff line number Diff line change
Expand Up @@ -1284,8 +1284,16 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_r
if (memcmp(pwd, gen_pwd, sizeof(pwd)) == 0) {
rPACK[0] = 0x80;
rPACK[1] = 0x80;
} else {
uint16_t start = (*pages) * 4 + MFU_DUMP_PREFIX_LENGTH;
emlGetMemBt(rPACK, start, sizeof(rPACK));
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("PACK loaded from memory: ");
Dbhexdump(4, rPACK, 0);
}
}
}

AddCrc14A(rPACK, sizeof(rPACK) - 2);

static tag_response_info_t responses_init[] = {
Expand Down Expand Up @@ -1703,33 +1711,29 @@ void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_
} else if (receivedCmd[0] == MIFARE_ULC_AUTH_1) { // ULC authentication, or Desfire Authentication
LogTrace(receivedCmd, Uart.len, Uart.startTime * 16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime * 16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, true);
p_response = NULL;
} else if (receivedCmd[0] == MIFARE_ULEV1_AUTH && len == 7 && tagType == 7) { // NTAG / EV-1 authentication

/*
// PWD stored in dump now
} else if (receivedCmd[0] == MIFARE_ULEV1_AUTH && len == 7 && tagType == 7) { // NTAG / EV-1
uint8_t pwd[4];
emlGetMemBt(pwd, (pages - 1) * 4 + MFU_DUMP_PREFIX_LENGTH, sizeof(pwd));
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Reader sent password: ");
Dbhexdump(4, receivedCmd + 1, 0);
Dbprintf("Loaded password from memory: ");
Dbhexdump(4, pwd, 0);
}

if (memcmp(pwd, "\x00\x00\x00\x00", 4) == 0) {
Uint4byteToMemLe(pwd, ul_ev1_pwdgenB(data));
Dbprintf("Calc pwd... %02X %02X %02X %02X", pwd[0], pwd[1], pwd[2], pwd[3]);
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Calc pwd... %02X %02X %02X %02X", pwd[0], pwd[1], pwd[2], pwd[3]);
}

if (memcmp(receivedCmd + 1, pwd, 4) == 0) {
uint8_t pack[4];
emlGetMemBt(pack, pages * 4 + MFU_DUMP_PREFIX_LENGTH, 2);
if (memcmp(pack, "\x00\x00\x00\x00", 4) == 0) {
pack[0] = 0x80;
pack[1] = 0x80;
}
AddCrc14A(pack, sizeof(pack) - 2);
EmSendCmd(pack, sizeof(pack));
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Password match, responding with PACK.");
p_response = &responses[RESP_INDEX_PACK];
} else {
EmSend4bit(CARD_NACK_NA);
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Auth attempt: %08x", bytes_to_num(receivedCmd + 1, 4));
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Password did not match, NACK_IV.");
p_response = NULL;
EmSend4bit(CARD_NACK_IV);
}
p_response = NULL;
*/
p_response = &responses[RESP_INDEX_PACK];
} else if (receivedCmd[0] == MIFARE_ULEV1_VCSL && len == 23 && tagType == 7) {
uint8_t cmd[3];
Expand Down

0 comments on commit e3cc8a9

Please sign in to comment.