Nfc: NTAG password auto capture (and other password-related changes) (#1843)

* nfc: MFUL minor cleanup * nfc: Add mechanism to pass event data * nfc: Add NTAG authentication event to emulation * nfc: Rename enum member to align with existing convention * nfc: Add function to determine whether MFUL is fully captured * nfc: Fix emulation of incompletely-read password-protected MFUL * nfc: Add reader password capture scene * nfc: Set default MFUL password input to 0xFFFFFFFF * nfc: Fix MFUL auth counter loading * nfc: Be explicit about using manual auth method when using auto unlock * nfc: Fill in MFUL has_auth when loading file * nfc: Fix MFUL auth success usage, remove unused variable * nfc: Display PWD and PACK in MFUL info if available * nfc: Remove unnecessary include * nfc: Add unlock options to loaded MFUL menu * nfc: Move set default MFUL password. This way it can be edited if needed instead of reentered * nfc: Fix unlock menu not maintaining selection index * nfc: Move captured MFUL auth data from worker to device data * nfc: Attempt to authenticate with default PWD when possible when reading NTAG * nfc: Don't try to auth NTAG on read if we already authed * nfc: Add title for all pages read but failed auth for NTAG auth * nfc: Add faster auth callback patch * lib: Remove scons submodule from index * nfc: Revise MFUL unlock UI flow * nfc: Disallow MFUL unlock with reader if card not read yet. Trying to read first results in either needing to make a new scene or badly jury rigging other scenes, so let's just not do that * f7: Bump API symbols * Format code Co-authored-by: gornekich <n.gorbadey@gmail.com> Co-authored-by: あく <alleteam@gmail.com>
2022-11-28 11:16:22 -07:00
parent 1b3156521c
commit 6b47bc1af4
17 changed files with 326 additions and 42 deletions
--- a/lib/nfc/protocols/mifare_ultralight.c
+++ b/lib/nfc/protocols/mifare_ultralight.c
@@ -51,7 +51,7 @@ void mf_ul_reset(MfUltralightData* data) {
    data->data_size = 0;
    data->data_read = 0;
    data->curr_authlim = 0;
-    data->has_auth = false;
+    data->auth_success = false;
 }

 static MfUltralightFeatures mf_ul_get_features(MfUltralightType type) {
@@ -756,6 +756,34 @@ bool mf_ul_read_card(
            mf_ultralight_read_tearing_flags(tx_rx, data);
        }
        data->curr_authlim = 0;
+
+        if(reader->pages_read == reader->pages_to_read &&
+           reader->supported_features & MfUltralightSupportAuth && !data->auth_success) {
+            MfUltralightConfigPages* config = mf_ultralight_get_config_pages(data);
+            if(config->access.authlim == 0) {
+                // Attempt to auth with default PWD
+                uint16_t pack;
+                data->auth_success = mf_ultralight_authenticate(tx_rx, MF_UL_DEFAULT_PWD, &pack);
+                if(data->auth_success) {
+                    config->auth_data.pwd.value = MF_UL_DEFAULT_PWD;
+                    config->auth_data.pack.value = pack;
+                } else {
+                    furi_hal_nfc_sleep();
+                    furi_hal_nfc_activate_nfca(300, NULL);
+                }
+            }
+        }
+    }
+
+    if(reader->pages_read != reader->pages_to_read) {
+        if(reader->supported_features & MfUltralightSupportAuth) {
+            // Probably password protected, fix AUTH0 and PROT so before AUTH0
+            // can be written and since AUTH0 won't be readable, like on the
+            // original card
+            MfUltralightConfigPages* config = mf_ultralight_get_config_pages(data);
+            config->auth0 = reader->pages_read;
+            config->access.prot = true;
+        }
    }

    return card_read;
@@ -1201,6 +1229,8 @@ static void mf_ul_emulate_write(
 }

 void mf_ul_reset_emulation(MfUltralightEmulator* emulator, bool is_power_cycle) {
+    emulator->comp_write_cmd_started = false;
+    emulator->sector_select_cmd_started = false;
    emulator->curr_sector = 0;
    emulator->ntag_i2c_plus_sector3_lockout = false;
    emulator->auth_success = false;
@@ -1244,8 +1274,7 @@ void mf_ul_prepare_emulation(MfUltralightEmulator* emulator, MfUltralightData* d
    emulator->config = mf_ultralight_get_config_pages(&emulator->data);
    emulator->page_num = emulator->data.data_size / 4;
    emulator->data_changed = false;
-    emulator->comp_write_cmd_started = false;
-    emulator->sector_select_cmd_started = false;
+    memset(&emulator->auth_attempt, 0, sizeof(MfUltralightAuth));
    mf_ul_reset_emulation(emulator, true);
 }

@@ -1706,6 +1735,17 @@ bool mf_ul_prepare_emulation_response(
        } else if(cmd == MF_UL_AUTH) {
            if(emulator->supported_features & MfUltralightSupportAuth) {
                if(buff_rx_len == (1 + 4) * 8) {
+                    // Record password sent by PCD
+                    memcpy(
+                        emulator->auth_attempt.pwd.raw,
+                        &buff_rx[1],
+                        sizeof(emulator->auth_attempt.pwd.raw));
+                    emulator->auth_attempted = true;
+                    if(emulator->auth_received_callback) {
+                        emulator->auth_received_callback(
+                            emulator->auth_attempt, emulator->context);
+                    }
+
                    uint16_t scaled_authlim = mf_ultralight_calc_auth_count(&emulator->data);
                    if(scaled_authlim != 0 && emulator->data.curr_authlim >= scaled_authlim) {
                        if(emulator->data.curr_authlim != UINT16_MAX) {
@@ -1863,3 +1903,14 @@ bool mf_ul_prepare_emulation_response(

    return tx_bits > 0;
 }
+
+bool mf_ul_is_full_capture(MfUltralightData* data) {
+    if(data->data_read != data->data_size) return false;
+
+    // Having read all the pages doesn't mean that we've got everything.
+    // By default PWD is 0xFFFFFFFF, but if read back it is always 0x00000000,
+    // so a default read on an auth-supported NTAG is never complete.
+    if(!(mf_ul_get_features(data->type) & MfUltralightSupportAuth)) return true;
+    MfUltralightConfigPages* config = mf_ultralight_get_config_pages(data);
+    return config->auth_data.pwd.value != 0 || config->auth_data.pack.value != 0;
+}
--- a/lib/nfc/protocols/mifare_ultralight.h
+++ b/lib/nfc/protocols/mifare_ultralight.h
@@ -28,10 +28,13 @@

 #define MF_UL_NTAG203_COUNTER_PAGE (41)

+#define MF_UL_DEFAULT_PWD (0xFFFFFFFF)
+
 typedef enum {
    MfUltralightAuthMethodManual,
    MfUltralightAuthMethodAmeebo,
    MfUltralightAuthMethodXiaomi,
+    MfUltralightAuthMethodAuto,
 } MfUltralightAuthMethod;

 // Important: order matters; some features are based on positioning in this enum
@@ -110,7 +113,6 @@ typedef struct {
    uint8_t signature[32];
    uint32_t counter[3];
    uint8_t tearing[3];
-    bool has_auth;
    MfUltralightAuthMethod auth_method;
    uint8_t auth_key[4];
    bool auth_success;
@@ -169,6 +171,9 @@ typedef struct {
    MfUltralightFeatures supported_features;
 } MfUltralightReader;

+// TODO rework with reader analyzer
+typedef void (*MfUltralightAuthReceivedCallback)(MfUltralightAuth auth, void* context);
+
 typedef struct {
    MfUltralightData data;
    MfUltralightConfigPages* config;
@@ -185,6 +190,12 @@ typedef struct {
    bool sector_select_cmd_started;
    bool ntag_i2c_plus_sector3_lockout;
    bool read_counter_incremented;
+    bool auth_attempted;
+    MfUltralightAuth auth_attempt;
+
+    // TODO rework with reader analyzer
+    MfUltralightAuthReceivedCallback auth_received_callback;
+    void* context;
 } MfUltralightEmulator;

 void mf_ul_reset(MfUltralightData* data);
@@ -241,3 +252,5 @@ bool mf_ul_prepare_emulation_response(
 uint32_t mf_ul_pwdgen_amiibo(FuriHalNfcDevData* data);

 uint32_t mf_ul_pwdgen_xiaomi(FuriHalNfcDevData* data);
+
+bool mf_ul_is_full_capture(MfUltralightData* data);