flipperdevices / flipperzero-firmware

Flipper Zero firmware source code
https://flipperzero.one
GNU General Public License v3.0

MIFARE Ultralight C hex dump shows bogus data for locked pages #3772

Open supersat opened 2 months ago

supersat commented 2 months ago

Describe the bug.

At a recent event, we gave everyone MIFARE Ultralight C wristbands with some pages locked as part of a CTF. Many people tried reading their wristband with their Flipper Zero, and unfortunately, rather than seeing some pages locked in the hex dump, they saw bogus data (seemingly copied starting from page 0). The NXP TagInfo app for Android correctly showed those pages as XX XX XX XX.

Reproduction

  1. Auth-protect some pages on a MIFARE Ultralight C card. This can be done by writing 25 00 00 00 to page 0x2a and 00 00 00 00 to page 0x2b. This locks pages 0x25 and up from being read without authentication.
  2. Read the tag with the Flipper Zero.
  3. Select Info, then more, then scroll down to the bottom. The last 3 pages should show as locked, but are copies of pages 0, 1, and 2.

Target

No response

Logs

No response

Anything else?

FW version 0.103.1
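
The symptom in the report, as an added example that is not code from the Flipper Zero firmware or from the reporter: a reader that trusts all four pages of each READ response stores wrapped data for locked pages, while one that addresses every page itself does not. `sim_read`, `dump_card` and the card model are hypothetical, and the wrap to page 0 at the first protected page is an assumption inferred from the behaviour described above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4
#define TOTAL_PAGES 0x30 /* MIFARE Ultralight C: pages 0x00..0x2F */

typedef struct {
    uint8_t data[TOTAL_PAGES][PAGE_SIZE];
    bool readable[TOTAL_PAGES];
} Dump;

/* Constructed card model: page p holds {p,p,p,p}; pages >= sim_auth0 need
 * authentication. 0x25 is the value from the report's reproduction steps. */
static uint8_t sim_auth0 = 0x25;

/* Assumed unauthenticated 4-page READ: NAK (false) when the start page is
 * protected, otherwise 16 bytes that wrap to page 0 at the first protected page. */
static bool sim_read(uint8_t start, uint8_t out[4 * PAGE_SIZE]) {
    if(start >= sim_auth0) return false;
    for(uint8_t i = 0, p = start; i < 4; i++) {
        memset(&out[i * PAGE_SIZE], p, PAGE_SIZE);
        p = (uint8_t)(p + 1 >= sim_auth0 ? 0 : p + 1);
    }
    return true;
}

/* Reads the card in steps of `step` pages (1 or 4), keeping `step` pages per READ.
 * step = 4 trusts the whole response, so wrapped data lands in locked pages.
 * step = 1 keeps only the addressed page; a NAKed page stays marked unreadable.
 * Returns the number of pages recorded as readable. */
static uint8_t dump_card(Dump* d, uint8_t step) {
    uint8_t buf[4 * PAGE_SIZE], count = 0;
    memset(d, 0, sizeof(*d));
    for(uint8_t p = 0; p < TOTAL_PAGES; p += step) {
        if(!sim_read(p, buf)) continue;
        for(uint8_t i = 0; i < step; i++, count++) {
            memcpy(d->data[p + i], &buf[i * PAGE_SIZE], PAGE_SIZE);
            d->readable[p + i] = true;
        }
    }
    return count;
}

int main(void) {
    const uint8_t steps[] = {4, 1};
    Dump d;
    for(size_t s = 0; s < 2; s++) {
        dump_card(&d, steps[s]);
        printf("step %u: page 0x25 shown as %s\n", (unsigned)steps[s],
               d.readable[0x25] ? "data (copy of page 0)" : "XX XX XX XX");
    }
    return 0;
}
```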

gornekich commented 2 months ago

Thanks for the report, working on it