flipperdevices / flipperzero-firmware

Flipper Zero firmware source code
https://flipperzero.one
GNU General Public License v3.0

NFC Emulation of previously saved Mifare classic 1k card does not work. #1468

Open Pingvin0 opened 2 years ago

Pingvin0 commented 2 years ago

Describe the bug.

I have multiple saved cards from 0.62.1, and in the latest release candidate, when I emulate the card, my phone cannot detect it at all. When I emulate a saved NTAG/Ultralight there is no issue.

Reproduction

1. On 0.62, save a Mifare classic 1k card
2. Update to RC
3. NFC -> Saved -> saved card -> Emulate
4. Phone cannot detect emulated card

Target

e28446de49db99093c33dd43a1c4773d94e35942 (release-candidate)

Logs

This is for a Wi-Fi tag I had: https://pastebin.com/R8s1gY2L

And this is for a contact (VCARD) mifare classic 1k card: https://pastebin.com/vA5HdcwK

Anything else?

No response

doomwastaken commented 1 year ago

@rvalitov @goutchye @BestPig @Pingvin0 could you please verify it with the latest release firmware? There was an entire NFC refactor

BestPig commented 1 year ago

Upgraded to 0.94.1 and reading the emulated tag with my Android phone seems stable now. Will try on a reader that never worked on the previous version in a few hours :pray:

Pingvin0 commented 1 year ago

@rvalitov @goutchye @BestPig @Pingvin0 could you please verify it with the latest release firmware? There was an entire NFC refactor

The firmware works perfectly for my use-case now. Don't know about the rest of the issues reported in the comments.

Hugal31 commented 1 year ago

It now works every time with the Classic Mifare Tools app, but still no dice with my Vigik reader v1. Great job though!

BestPig commented 1 year ago

I also tried on a reader that never worked (I don't have the brand of the reader as it's built into a machine), but it's also not working. There is no reaction from the reader.

rvalitov commented 1 year ago

Can't check, temporarily out of country, sorry.

AkechiShiro commented 1 year ago

Picture of your reader, @BestPig? And the brand, please?

fridgepoet commented 1 year ago

I have a badge that was read and emulated and works on a Vigik V2 reader on v0.93.0. On v0.94.1, the emulation has stopped working on this same reader. (Edit: Same as @theblackhole below: a fresh clone of the badge on v0.94.1 also does not work.)

Is there any information I can provide to help out?

theblackhole commented 1 year ago

I have a badge that was read and emulated and works on a Vigik V2 reader on v0.93.0. On v0.94.1, the emulation has stopped working on this same reader.

Same here. I tried with a previous clone (v2 file) and a fresh clone after the update (v4): both don't work anymore on a Vigik V2 reader (Urmet) as if the #2825 patch no longer works with this big NFC refactoring.

doomwastaken commented 1 year ago

Thank you for details, we will look into this shortly

doomwastaken commented 1 year ago

@theblackhole could you please show me the exact model (or at least a photo) of the Vigik V2 reader you are referencing? We will try to order one for testing

theblackhole commented 1 year ago

@doomwastaken Of course! Not 100% sure, but I think it's an Urmet T25VK2. It was installed between 2019 and 2020.

And here's the intercom for context (image: Urmet intercom)

I think they sell access control standalone kits if you need a full kit

goutchye commented 12 months ago

Hi @doomwastaken

Sorry for the delay in my answer. I updated my Flipper today with the latest firmware available and the emulation still doesn't work for me. I dumped a legitimate Vigik tag and tried it on a Vigik reader (Comelit UG1) without success; moreover, I tried on a Pixel 4a with the MFC app and the app didn't find the tag, it didn't even find any UID. Sorry

skotopes commented 11 months ago

@goutchye check the latest dev, there were a couple of improvements.

goutchye commented 11 months ago

Hi @skotopes Unfortunately, same thing as I described in my last message, even after the latest firmware update.

skotopes commented 11 months ago

@doomwastaken did we manage to get vigik reader?

theblackhole commented 11 months ago

Hi @doomwastaken and @skotopes FYI, in my case, MFC emulation works again with the Urmet Vigik reader after updating to 0.97.1 (thanks to #3291 I suppose?)

doomwastaken commented 11 months ago

@skotopes Wasn't able to sort any shipping before new year. Found a company locally, but they didn't get back to me yet

nekolab commented 10 months ago

Encountered the same issue too, but I found that when I attached a CLI and ran log debug (it must be log debug, not plain log), the reader started to react to the emulation. If I exit log debug (just press Ctrl-C), the emulation fails again. I suspect it's a timing issue, based on the behavior. Hope this can help

To reproduce, a custom build is needed with the following changes:

diff --git a/lib/nfc/nfc.c b/lib/nfc/nfc.c
index 22a21c9d2..9d5e0e99b 100644
--- a/lib/nfc/nfc.c
+++ b/lib/nfc/nfc.c
@@ -119,6 +119,7 @@ static int32_t nfc_worker_listener(void* context) {

     while(true) {
         FuriHalNfcEvent event = furi_hal_nfc_listener_wait_event(FURI_HAL_NFC_EVENT_WAIT_FOREVER);
+        FURI_LOG_D(TAG, "NFC HAL event: %d", event);
         if(event & FuriHalNfcEventAbortRequest) {
             nfc_event.type = NfcEventTypeUserAbort;
             instance->callback(nfc_event, instance->context);
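Review bot: the `%d` format on `event` in the added FURI_LOG_D line makes the traces harder to read than they need to be, because `event` is a flag set (the very next line tests `event & FuriHalNfcEventAbortRequest`), so a decimal print of several combined flags has to be decoded by hand; printing it as hex (`"NFC HAL event: 0x%x"` with `event` cast to unsigned), or logging each flag the loop tests by name, would make the logs in this thread directly readable. Worth stating in the PR description as well: this call sits inside the listener's wait loop and fires on every HAL event, so enabling `log debug` adds latency to exactly the path under investigation, and since the report above says the reader only reacts while `log debug` is attached, the instrumentation itself is a timing change to keep in mind when comparing the success and failure traces.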

skotopes commented 10 months ago

@gornekich some new information

nekolab commented 10 months ago

Attaching some logs

The successful one (using an Android phone to read the emulated card):

156635 [D][Nfc] Field on
156637 [D][Nfc] Field off
156639 [D][MfClassicListener] ListenerRun event: 0
156648 [D][Nfc] Field off
156649 [D][MfClassicListener] ListenerRun event: 0
156654 [D][Nfc] Field on
156662 [D][Nfc] Listener activated
156672 [D][MfClassicListener] ListenerRun event: 1
156677 [D][Nfc] Listener activated
156685 [D][MfClassicListener] ListenerRun event: 1
156708 [D][Nfc] Listener activated
156711 [D][MfClassicListener] ListenerRun event: 2  (Iso14443_3aListenerEventTypeReceivedStandardFrame)
156713 [D][MfClassicListener] ListenerRun instance_state 0, comm_state 0
156715 [D][MfClassicListener] buffer_size: 16, first_byte: 96  (0x60, Command Authentication with Key A) 
156717 [D][MfClassicListener] for loop continue due to 2
156720 [D][MfClassicListener] for loop continue due to 1
156722 [D][MfClassicListener] ListenerRun in-loop command idx: 2, return: 0
156724 [D][Nfc] Field on
156725 [D][Nfc] Field off

The failed one (using the real reader):

43353489 [D][Nfc] Field on
43353512 [D][Nfc] Field off
43353513 [D][MfClassicListener] ListenerRun event: 0
43353531 [D][Nfc] Field on
43353547 [D][Nfc] Field off
43353549 [D][MfClassicListener] ListenerRun event: 0
43353566 [D][Nfc] Field on
43353590 [D][Nfc] Field off
43353592 [D][MfClassicListener] ListenerRun event: 0
43353700 [D][Nfc] Field on
43353710 [D][Nfc] Listener activated
43353713 [D][MfClassicListener] ListenerRun event: 3 (Iso14443_3aListenerEventTypeReceivedData)
43353716 [D][MfClassicListener] ListenerRun instance_state 0, comm_state 0
43353719 [D][MfClassicListener] buffer_size: 7, first_byte: 82 (0x52, Wake-up)
43353721 [D][MfClassicListener] for loop continue due to 1
43353723 [D][MfClassicListener] for loop continue due to 1
43353725 [D][MfClassicListener] for loop continue due to 1
43353727 [D][MfClassicListener] for loop continue due to 1
43353729 [D][MfClassicListener] for loop continue due to 1
43353731 [D][MfClassicListener] for loop continue due to 1
43353733 [D][MfClassicListener] for loop continue due to 1
43353734 [D][MfClassicListener] for loop continue due to 1
43353737 [D][MfClassicListener] for loop continue due to 1
43353740 [D][Nfc] Field on
43353747 [D][Nfc] Field off
43353749 [D][MfClassicListener] ListenerRun event: 0
43353766 [D][Nfc] Field on
43353773 [D][Nfc] Field off

It seems the return of the Wake-up command, which should be handled by hardware, is leaking to the MCU unexpectedly. I suspect it may be caused by the MCU not clearing the FIFO in time.

Any ideas @gornekich? Thanks
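
One way to read these traces mechanically, as an added example that is not part of this thread or of the Flipper firmware: a small Python script that decodes the first byte of every frame the MfClassicListener logs, using the ISO/IEC 14443-3 Type A and MIFARE Classic command bytes, and reports frames that belong to the polling/anticollision layer (like the 0x52 WUPA in the failing trace) rather than to the Classic command set. The log format, the tag names and the event/frame lines are taken from the logs posted above; the command tables, the event-number labels and the "activated" heuristic (a frame counts as post-activation once "Listener activated" has been logged and until the next "Field off") are the example's own assumptions, as are the two trimmed sample traces, which are constructed copies of the logs above with the annotations removed.

```python
"""Annotate Flipper NFC listener debug logs and flag ISO 14443-3A frames that
reach the MIFARE Classic command loop. Added example, not firmware code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# First-byte command tables (ISO/IEC 14443-3 Type A and the MIFARE Classic
# command set). REQA/WUPA are the 7-bit polling short frames that the
# anticollision layer is expected to consume before the Classic listener runs.
ISO14443_3A_CMDS = {0x26: "REQA", 0x52: "WUPA", 0x50: "HLTA",
                    0x93: "SELECT CL1", 0x95: "SELECT CL2"}
MF_CLASSIC_CMDS = {0x60: "AUTH KEY A", 0x61: "AUTH KEY B", 0x30: "READ",
                   0xA0: "WRITE", 0xC0: "DECREMENT", 0xC1: "INCREMENT",
                   0xC2: "RESTORE", 0xB0: "TRANSFER"}

# Log line shape as posted in the thread: "<ticks> [D][Tag] message".
LINE_RE = re.compile(r"^(\d+)\s+\[D\]\[(\w+)\]\s+(.*?)\s*$")
EVENT_RE = re.compile(r"ListenerRun event:\s*(\d+)")
FRAME_RE = re.compile(r"buffer_size:\s*(\d+),\s*first_byte:\s*(\d+)")


@dataclass
class Frame:
    ts: int
    event: int | None   # ListenerRun event number that delivered the frame
    size: int           # buffer_size as printed by the listener
    first_byte: int
    activated: bool     # "Listener activated" seen since the last "Field off"

    @property
    def layer(self) -> str:
        if self.first_byte in MF_CLASSIC_CMDS:
            return "mfc"
        if self.first_byte in ISO14443_3A_CMDS:
            return "iso14443-3a"
        return "unknown"

    @property
    def name(self) -> str:
        table = MF_CLASSIC_CMDS if self.layer == "mfc" else ISO14443_3A_CMDS
        return table.get(self.first_byte, "0x%02X" % self.first_byte)


def parse_frames(log_text: str) -> list[Frame]:
    """Return every frame the log shows being handed to MfClassicListener."""
    frames: list[Frame] = []
    activated, event = False, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tag, msg = int(m[1]), m[2], m[3]
        if tag == "Nfc":
            if msg == "Listener activated":
                activated = True
            elif msg == "Field off":
                activated = False
        elif tag == "MfClassicListener":
            if e := EVENT_RE.search(msg):
                event = int(e[1])
            elif f := FRAME_RE.search(msg):
                frames.append(Frame(ts, event, int(f[1]), int(f[2]), activated))
    return frames


def diagnose(log_text: str) -> list[str]:
    """One finding per frame whose first byte is not a MIFARE Classic command."""
    findings = []
    for fr in parse_frames(log_text):
        if fr.layer != "mfc":
            when = "after" if fr.activated else "before"
            findings.append(f"{fr.ts}: {fr.layer} {fr.name} (event {fr.event}, "
                            f"size {fr.size}) reached MfClassicListener {when} activation")
    return findings


# Constructed sample traces: trimmed copies of the two logs posted in this
# thread, with the reporter's parenthetical annotations removed.
SUCCESS_LOG = """\
156708 [D][Nfc] Listener activated
156711 [D][MfClassicListener] ListenerRun event: 2
156713 [D][MfClassicListener] ListenerRun instance_state 0, comm_state 0
156715 [D][MfClassicListener] buffer_size: 16, first_byte: 96
156725 [D][Nfc] Field off
"""
FAIL_LOG = """\
43353700 [D][Nfc] Field on
43353710 [D][Nfc] Listener activated
43353713 [D][MfClassicListener] ListenerRun event: 3
43353716 [D][MfClassicListener] ListenerRun instance_state 0, comm_state 0
43353719 [D][MfClassicListener] buffer_size: 7, first_byte: 82
43353747 [D][Nfc] Field off
"""

if __name__ == "__main__":
    for label, log in (("success", SUCCESS_LOG), ("failure", FAIL_LOG)):
        print(label, [f"{fr.name}@{fr.ts}" for fr in parse_frames(log)],
              diagnose(log) or "no lower-layer frames")
```

Run it against a full capture from the CLI (log debug output saved to a file) and every frame whose first byte is a 14443-3A command rather than a Classic one is listed with the event that delivered it, which is the quickest way to see whether the 0x52 pattern from the failing trace reappears after a firmware change without reading the whole log by hand.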

gornekich commented 10 months ago

@nekolab thanks for sharing logs. It also would be helpful if you push code with your changes to see a full picture.

I agree that it seems like the reader keeps sending Wake-up commands after anticollision is complete. In this case I expect MfClassicListener to send a NACK as the response to this command, since it's not a Mifare Classic command. This may result in incorrect emulation. I will research how real cards respond in this situation.

It would be perfect for me if you create PR with your changes and let me push to your branch. We can go through some iterations changing code and looking at logs to fix this issue.

By the way, do you have a Proxmark or other tools to sniff the communication between your reader and the Flipper? This would speed up debugging as well.

nekolab commented 10 months ago

@gornekich Hi, I don't think I can have any code ready for a PR at this time, so I've added you to my fork repo. If a PR that just adds a log message would make you more comfortable, I can create one for this. I may soon move away from the place that has this physical reader, but I think I can cooperate with you to test and debug before that. I don't have any sniffer tools right now, though.