From 1bd811f7a139d1f6f012c50e9880f1c56b6acd7e Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 19 Mar 2025 15:34:20 +0100 Subject: [PATCH] better OTP update sanity check by @jmichelp. Checks every bytewise if any bit is 0 --- armsrc/iso14443a.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 250b25dce..e95c36662 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1742,12 +1742,17 @@ void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *useruid, uin } // OTP sanity check - // Quite a bad one, one should look at all individual bits and see if anyone tries be set as zero - // we cheat and do fat 00000000 check instead if (block == 0x03) { - if (memcmp(receivedCmd + 2, "\x00\x00\x00\x00", 4) == 0) { - // OTP can't be set back to zero - // send NACK 0x0 == invalid argument, + + uint8_t orig[4] = {0}; + emlGet(orig, 12 + MFU_DUMP_PREFIX_LENGTH, 4); + + bool risky = false; + for (int i = 0; i < len; i++) { + risky |= orig[i] & ~receivedCmd[2 + i]; + } + + if (risky) { EmSend4bit(CARD_NACK_IV); goto jump; }
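Review bot: The new loop in the `block == 0x03` branch is bounded by `len`, while `orig` holds only four bytes, so any `len` above 4 reads past `orig` on the stack and past the four data bytes at `receivedCmd + 2`. `len` is not declared in this hunk; if it is the received frame length (command, block, data and CRC), the comparison also folds CRC bytes and adjacent stack contents into `risky`, which can NACK a legitimate OTP write. Bound the loop by the buffer instead: `for (size_t i = 0; i < sizeof(orig); i++) {`. A short comment such as `// OTP bits are one-way: reject a write that would clear a bit already set in the emulator copy` would also restore the rationale the deleted comments carried. SimulateIso14443aTag starts and ends outside the hunk, so whether `len` is checked to cover at least the six bytes read here cannot be confirmed from this view.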