
Conversation

@GMMan GMMan commented Jun 13, 2022

What's new

This is a complete implementation of NTAG21x emulation, including quirks and datasheet non-conformance from a genuine NTAG216.

  • Authentication mechanism: PWD_AUTH, negative authentication limit, read permission check, write permission check, associated NAKs when checks fail
  • Page locking: capability container, static locks, dynamic locks, OTP behavior, NAK on trying to write to locked page, NAK on trying to write locked config pages
  • ASCII mirror: UID mirror, counter mirror, UID+counter mirror, associated odd behaviors depending on whether counter is enabled and where the mirror starts
  • Read counter: self-incrementing
  • Compatibility write
  • Read roll-over, including when encountering AUTH0 with PROT set while unauthenticated
  • Mifare Ultralight EV1: VCSL command
  • Mifare Ultralight + EV1: counter behavior
  • Refactoring, including unified feature flags and config pages access

Verification

  • Emulation should behave in accordance with NTAG21x datasheet. For any deviations, compare behavior with genuine NTAG21x. Timing was not considered for implementation, so that may be off.
  • Examples of datasheet deviations:
    • ASCII mirror ranges for UID+counter in the datasheet do not apply; instead, the UID and counter ranges are evaluated separately, so e.g. if one of the UID or counter mirrors fits within the user memory pages, it will be mirrored while the other won't.
    • ASCII mirror max MIRROR_BYTE bits is 10b, not 01b as documented in the datasheet
    • Negative verification counter can be reset when AUTHLIM is set to 0 and PWD_AUTH is successful. This is not documented in the datasheet.
  • Notes on edge case experiments here
  • Known deviations from actual NTAG21x:
    • 0h NAK response from NTAG21x appears to not be 4 bits of zeroes, but either 0 bits, or something with invalid parity. I don't have a Proxmark so I can't tell which it is. Flipper will respond with 4 bits of zeroes with correct parity.
    • The current emulation framework does not tell the handler about field detect status, so there is no way to simulate a power-on reset aside from waiting for the 5 second RX timeout. That means if you're trying to increment the read counter, it will only go up if an RX timeout occurs.

Checklist (For Reviewer)

  • PR has description of feature/bug or link to Confluence/Jira task
  • Description contains actions to verify feature/bugfix
  • I've built this code, uploaded it to the device and verified feature/bugfix
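The PWD_AUTH / AUTHLIM behaviour listed under "What's new" (negative verification counter counting up, saturating instead of overflowing, NAK once the limit is hit, and the undocumented reset on a successful auth even with AUTHLIM = 0), as an added tag-side example that is not the Flipper firmware's own code. The struct layout, the NAK 0h/4h mapping, the 2^AUTHLIM limit and the constructed PWD/PACK values are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MFUL_CMD_PWD_AUTH 0x1B /* PWD_AUTH command byte, 4-byte password follows */
/* Reader-visible outcome: PACK, NAK 0h (invalid argument / wrong password)
 * or NAK 4h (negative verification limit reached). Assumed mapping. */
typedef enum { MFUL_AUTH_PACK, MFUL_AUTH_NAK_0, MFUL_AUTH_NAK_4 } MfulAuthResult;
/* Emulated tag state; an assumed layout, not the firmware's own struct. */
typedef struct {
    uint8_t pwd[4];       /* PWD config page */
    uint8_t pack[2];      /* PACK config page, returned on success */
    uint8_t authlim;      /* 3-bit AUTHLIM field of the ACCESS byte */
    uint8_t neg_auth_cnt; /* negative verification counter, counts up */
    bool authenticated;
} MfulAuthState;
/* AUTHLIM 0 disables the limit; otherwise 2^AUTHLIM attempts (assumed from datasheet). */
static uint8_t mful_auth_limit(uint8_t authlim) {
    authlim &= 0x07;
    return authlim ? (uint8_t)(1u << authlim) : 0;
}
MfulAuthResult mful_pwd_auth(MfulAuthState* s, const uint8_t* cmd, size_t len, uint8_t pack_out[2]) {
    s->authenticated = false; /* any NAK drops an existing authenticated state */
    if(len != 5 || cmd[0] != MFUL_CMD_PWD_AUTH) return MFUL_AUTH_NAK_0;
    uint8_t limit = mful_auth_limit(s->authlim);
    /* Once the limit is reached the tag NAKs every PWD_AUTH, correct password or not */
    if(limit && s->neg_auth_cnt >= limit) return MFUL_AUTH_NAK_4;
    if(memcmp(cmd + 1, s->pwd, 4) != 0) {
        /* Saturate instead of wrapping: a wrap back to 0 would reopen authentication */
        if(s->neg_auth_cnt < UINT8_MAX) s->neg_auth_cnt++;
        return MFUL_AUTH_NAK_0;
    }
    /* Success resets the counter even with AUTHLIM = 0 (observed on a genuine NTAG216, per the PR) */
    s->neg_auth_cnt = 0;
    s->authenticated = true;
    memcpy(pack_out, s->pack, 2);
    return MFUL_AUTH_PACK;
}
/* Scenario driver: `wrong` bad attempts, then one correct attempt; returns that final result. */
MfulAuthResult mful_auth_trial(uint8_t authlim, unsigned wrong, uint8_t* cnt_out) {
    MfulAuthState s = {{0xDE, 0xAD, 0xBE, 0xEF}, {0x80, 0x80}, authlim, 0, false}; /* constructed */
    const uint8_t bad[5] = {MFUL_CMD_PWD_AUTH, 0, 0, 0, 0};
    const uint8_t good[5] = {MFUL_CMD_PWD_AUTH, 0xDE, 0xAD, 0xBE, 0xEF};
    uint8_t pack[2];
    while(wrong--) mful_pwd_auth(&s, bad, 5, pack);
    MfulAuthResult r = mful_pwd_auth(&s, good, 5, pack);
    if(cnt_out) *cnt_out = s.neg_auth_cnt;
    return r;
}
```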

GMMan added 28 commits June 13, 2022 22:17
@GMMan GMMan force-pushed the ntag21x-full-emu branch from 6070911 to 4cb4c4e Compare June 14, 2022 04:17
@GMMan GMMan marked this pull request as ready for review June 14, 2022 04:46
GMMan added 2 commits June 14, 2022 00:53
@GMMan GMMan mentioned this pull request Jun 15, 2022
@gornekich
Member

Great work!
We will merge it after #1269, when we have extra free FLASH memory.

@skotopes skotopes merged commit 556af0b into flipperdevices:dev Jun 21, 2022
@skotopes
Contributor

Good Job!

hedger pushed a commit that referenced this pull request Jun 21, 2022
* nfc: Refactor Mifare Ultralight feature flags
  Unify them in both reader and emulator to make handling easier
* nfc: Refactor MFUL PWD_AUTH and add AUTHLIM counter
* nfc: Add MFUL EV1 VCSL command emulation
* nfc: Enforce message size check in MFUL emulation
  Also fix READ_CNT byte order, but it's not fully working
* nfc: Add MFUL auth counter serialization
  Also fill counter on successful read from tag
* nfc: Fix MFUL INCR_CNT emulation
* nfc: Fix MFUL READ_CNT emulation
* nfc: Refactor MFUL emulation and implement full write support
* nfc: Fix Mifare Ultralight serialization
* nfc: Add MFUL OTP/CC handling
* nfc: Make sure MF0UL21 dynamic lock byte 3 also reads 0xBD
* nfc: Small MFUL refactor and fix CFGLCK behavior
* WIP: nfc: MFUL read support with ASCII mirror and auth roll-over
  This is too complex and I don't like it
* nfc: Simplify MFUL read emulation, fix mirror range check
* nfc: Implement MFUL auth and ASCII mirror for FAST_READ
* nfc: Fix MFUL read roll-over with AUTH0 set
* nfc: Implement MFUL read counter increment
* nfc: Align ASCII mirror to NTAG21x behavior
* nfc: Handle invalid command in MFUL emulation
* nfc: Fix MFUL static lock check
* nfc: Refactor MFUL emulation to use cached config pages
* nfc: Refactor MFUL auth counter to count up instead of down
* nfc: Add missing NULL check
* WIP: nfc: Various MFUL emulation behavior tweaks
* WIP: nfc: More MFUL emulation behavior adjustments
* nfc: Match AUTHLIM emulation to NTAG21x behavior
* nfc: Fix MFUL dynamic lock emulation
* nfc: Fix typo in MFUL read counters
* nfc: Fix typo in MFUL FAST_READ emulation
* nfc: Increase emulation TX buffer size
  Enough space for if someone requests FAST_READ of all pages of an NTAG
* nfc: Fix MFUL negative verification counter overflow
* nfc: Change auth counter kv name
* nfc: Fix NTAG I2C FAST_READ emulation
* nfc: Fix NTAG21x config reload behavior

Co-authored-by: あく <[email protected]>
@djsime1 djsime1 mentioned this pull request Jun 21, 2022