Merge pull request #1856 from szjiajin/MifareComplianceFix

Mifare compliance fix
2025-02-26 00:55:19 +08:00 · 2023-06-26 13:46:31 +02:00 · 2023-06-26 13:46:31 +02:00 · e83960a43d
commit e83960a43d
parent f7f1f2e6e7 55f6c8aea6
1 changed files with 23 additions and 2 deletions
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@ -46,6 +46,15 @@
 #include "dbprint.h"
 #include "ticks.h"

+static bool IsKeyBReadable(uint8_t blockNo) {
+    uint8_t sector_trailer[16];
+    emlGetMem(sector_trailer, SectorTrailer(blockNo), 1);
+    uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
+                 | ((sector_trailer[8] >> 2) & 0x02)
+                 | ((sector_trailer[8] >> 7) & 0x01);
+    return (AC == 0x00 || AC == 0x01 || AC == 0x02);
+}
+
 static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
    uint8_t sector_trailer[16];
    emlGetMem(sector_trailer, blockNo, 1);
@ -872,8 +881,8 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                        break;
                    }
                    */
-
-                    if (MifareBlockToSector(receivedCmd_dec[1]) != cardAUTHSC) {
+                    blockNo = receivedCmd_dec[1];
+                    if (MifareBlockToSector(blockNo) != cardAUTHSC) {
                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                        FpgaDisableTracing();

@ -881,6 +890,18 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
                            Dbprintf("[MFEMUL_WORK] Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking", receivedCmd_dec[0], receivedCmd_dec[1], cardAUTHSC);
                        break;
                    }
+
+                    // Compliance of MIFARE Classic EV1 1K Datasheet footnote of Table 8
+                    // If access bits show that key B is Readable, any subsequent memory access will be refused.
+                    
+                    if (cardAUTHKEY == AUTHKEYB && IsKeyBReadable(blockNo)) {
+                        EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+                        FpgaDisableTracing();
+
+                        if (g_dbglevel >= DBG_ERROR)
+                            Dbprintf("[MFEMUL_WORK] Access denied: Reader tried to access memory on authentication with key B while key B is readable in sector (0x%02x)", cardAUTHSC);
+                        break;
+                    }
                }

                // case MFEMUL_WORK => CMD READ block