flipperdevices / flipperzero-firmware

Flipper Zero firmware source code
https://flipperzero.one
GNU General Public License v3.0

Attempting to read DESFire Card causes `furi_check()` crash #3835

Open 5aji opened 1 month ago

5aji commented 1 month ago

Describe the bug.

Reading a DESFire card crashes the Flipper with a furi_check() error. It seems to crash after trying to read the second block. This is a card I had lying around, and I do not possess the keys (nor am I trying to get them). This happens on both 0.104.0 and 0.105.0-RC.

Reproduction

  1. Open NFC App -> Read
  2. Alternatively, select Extra-> Read Specific -> DESFire
  3. Touch Flipper to keycard
  4. Lights blink for a split second and then the system reboots.

Target

Mifare DESFire Card

Logs

1050914 [D][NfcSupportedCards] Loaded 19 plugins
1050929 [D][Iso14443_4aPoller] Read ATS success
1050938 [D][MfDesfirePoller] Read version success
1050942 [D][MfDesfirePoller] Read free memory success
1050946 [D][MfDesfirePoller] Read master key settings success
1050950 [D][MfDesfirePoller] Read master key version success
1050955 [D][MfDesfirePoller] Read application ids success
1050958 [D][MfDesfirePoller] Selecting app 0
1050963 [D][MfDesfirePoller] Reading app 0
1050974 [D][MfDesfirePoller] Can't read file 0 data without authentication
1050978 [D][MfDesfirePoller] Selecting app 1
1050983 [D][MfDesfirePoller] Reading app 1
1050999 [D][MfDesfirePoller] Can't read file 1 data without authentication
1051002 [D][MfDesfirePoller] Selecting app 2
1051007 [D][MfDesfirePoller] Reading app 2

[CRASH][NfcWorker] furi_check failed
        r0 : 20025fe8
        r1 : 200251d0
        r2 : 0
        r3 : 0
        r4 : 0
        r5 : 0
        r6 : 20025fe8
        r7 : 200251d0
        r8 : 80a22e7
        r9 : 80a23d6
        r10 : 80a23e8
        r11 : 20031364
        lr : 80389d9
        stack watermark: 7556
             heap total: 186064
              heap free: 31576
         heap watermark: 27568
        core2: not faulted
Rebooting system

Anything else?

I have a Proxmark3 if that would help provide more information.

skotopes commented 1 month ago

@5aji any details on the card itself? Vendor? Type? if you have proxmark can you also post details scan details from it?

5aji commented 1 month ago

The key is a Walt Disney World keycard. I believe the vendor is NXP, DESFire EV1.

Image of back of card

There are no markings on the front. ![image](https://github.com/user-attachments/assets/45486bb6-6544-47c4-b967-ab53f2a958e3)

Proxmark info

```
[usb] pm3 --> hf 14a info
[+] UID: 04 3A 34 4A 52 67 80
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE DESFire CL2
[+]    MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+]    MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+]    MIFARE DESFire EV3 2K/4K/8K
[+]    MIFARE DESFire Light 640B
[+]    NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 77 81 02 80 [ F0 00 ]
[=]      06...............  TL    length is 6 bytes
[=]         75............  T0    TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=]            77.........  TA1   different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=]               81......  TB1   SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=]                  02...  TC1   NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[+]   80 (compact TLV data object)

[usb] pm3 --> hf mfdes info
[=] ---------------------------------- Tag Information ----------------------------------
[+] UID: 04 3A 34 4A 52 67 80
[+] Batch number: B9 0C 10 45 60
[+] Production date: week 16 / 2020
[=] --- Hardware Information
[=]   raw: 04010201001205
[=]   Vendor Id: NXP Semiconductors Germany
[=]   Type: 0x01 ( DESFire )
[=]   Subtype: 0x02
[=]   Version: 1.0 ( DESFire EV1 )
[=]   Storage size: 0x12 ( 512 bytes )
[=]   Protocol: 0x05 ( ISO 14443-2, 14443-3 )
[=] --- Software Information
[=]   raw: 04010101051205
[=]   Vendor Id: NXP Semiconductors Germany
[=]   Type: 0x01 ( DESFire )
[=]   Subtype: 0x01
[=]   Version: 1.5
[=]   Storage size: 0x12 ( 512 bytes )
[=]   Protocol: 0x05 ( ISO 14443-3, 14443-4 )
[=] --------------------------------- Card capabilities ---------------------------------
[+] --- AID list
[+] AIDs: f70090, 78e127, 4c4344
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 3 free memory 128 bytes
[+] PICC level auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] PICC level rights:
[+]    [1...] CMK Configuration changeable   : YES
[+]    [.1..] CMK required for create/delete : NO
[+]    [..1.] Directory list access with CMK : NO
[+]    [...1] CMK is changeable              : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 254 (0xfe)
[=] --- Free memory
[+] Available free memory on card : 128 bytes
[=] Standalone DESFire
```

If necessary I can pull out my debugger and try and find exactly what check fails.

skotopes commented 1 month ago

If you can get backtrace from debugger that will simplify everything

5aji commented 1 month ago

got the backtrace:

Backtrace

```
(gdb) bt
#0  0x080121f4 in __furi_crash_implementation () at furi/core/check.c:170
#1  0x08038a88 in mf_desfire_poller_read_key_versions (instance=0x20025078, data=0x20024260, count=0) at lib/nfc/protocols/mf_desfire/mf_desfire_poller_i.c:186
#2  0x08038e24 in mf_desfire_poller_read_application (instance=instance@entry=0x20025078, data=0x20024198) at lib/nfc/protocols/mf_desfire/mf_desfire_poller_i.c:493
#3  0x08038efe in mf_desfire_poller_read_applications (instance=instance@entry=0x20025078, app_ids=0x200251f8, data=0x20025228) at lib/nfc/protocols/mf_desfire/mf_desfire_poller_i.c:543
#4  0x08041d2e in mf_desfire_poller_handler_read_applications (instance=0x20025078) at lib/nfc/protocols/mf_desfire/mf_desfire_poller.c:157
#5  0x0803d23c in iso14443_3a_poller_run (event=..., context=0x20024650) at lib/nfc/protocols/iso14443_3a/iso14443_3a_poller.c:80
#6  iso14443_3a_poller_run (event=..., context=0x20024650) at lib/nfc/protocols/iso14443_3a/iso14443_3a_poller.c:63
#7  0x0803ca22 in nfc_poller_start_callback (event=..., context=0x20024580) at lib/nfc/nfc_poller.c:111
#8  0x0803bb10 in nfc_worker_poller_ready_handler (instance=0x20010528) at lib/nfc/nfc.c:182
#9  0x0803bb94 in nfc_worker_poller (context=0x20010528) at lib/nfc/nfc.c:232
#10 0x08015cea in furi_thread_body (context=0x20010760) at furi/core/thread.c:103
#11 0x08015c9a in furi_thread_catch () at furi/core/thread.c:75
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
```

Haven't dug into it much, but it seems to be getting further than it should without the keys. The actual failure is `max_keys` being zero for some reason.

EDIT: Dug into it some more, found something interesting about the third app on this card:

[+] Application number: 0x4C4344
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=]   DF AID Function... 4C4344  : (unknown)
[+] Auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... NO
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] 
Full `lsapp` output

```
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 3 free memory 128 bytes
[+] PICC level auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] PICC level rights:
[+]    [1...] CMK Configuration changeable   : YES
[+]    [.1..] CMK required for create/delete : NO
[+]    [..1.] Directory list access with CMK : NO
[+]    [...1] CMK is changeable              : YES
[+]
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 254 (0xfe)
[+] --------------------------------- Applications list ---------------------------------
[+] Application number: 0xF70090
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[+]   AID mapped to MIFARE Classic AID (MAD): 7009
[+]   MAD AID Cluster  0x70 : hotel
[=]   MAD AID Function 0x7009 : Access control data for electronic locks [Timelox AB]
[+] Auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+]
[+] Application level rights:
[+]    -- AMK authentication is necessary to change any key (default)
[+]    [1...] AMK Configuration changeable   : YES
[+]    [.0..] AMK required for create/delete : YES
[+]    [..1.] Directory list access with AMK : NO
[+]    [...1] AMK is changeable              : YES
[+]
[+] Key: AES
[+] key count: 3
[+]
[+] Key versions [0..2]: 00, 00, 00
[+] Application number: 0x78E127
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=]   DF AID Function... 78E127  : Disney MagicBand [Disney]
[+] Auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+]
[+] Application level rights:
[+]    -- AMK authentication is necessary to change any key (default)
[+]    [1...] AMK Configuration changeable   : YES
[+]    [.0..] AMK required for create/delete : YES
[+]    [..1.] Directory list access with AMK : NO
[+]    [...1] AMK is changeable              : YES
[+]
[+] Key: AES
[+] key count: 2
[+]
[+] Key versions [0..1]: 01, 01
[+] Application number: 0x4C4344
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=]   DF AID Function... 4C4344  : (unknown)
[+] Auth commands:
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... NO
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+]
```
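The backtrace above shows `count=0` reaching `mf_desfire_poller_read_key_versions`, and the Proxmark `lsapp` output shows the third application (0x4C4344) returning no key count or key type at all. As an added example that is not Flipper firmware code, the C below shows how a poller can derive `max_keys` from a native GetKeySettings reply (the low nibble of the second data byte; bits 7..6 carry the key type) and turn a zero key count into an error code the caller can report, instead of a fatal assertion. The transceive hook, the `FakeApp` stand-in, every response byte string and the `DESFIRE_STATUS_NO_SUCH_KEY` value are constructed or assumed for this example; none of the names are the firmware's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Flipper firmware code: parse a DESFire GetKeySettings reply
 * and read key versions so that an application advertising zero keys yields an
 * error code instead of tripping an assertion. All names are this example's own. */

#define DESFIRE_STATUS_OK 0x00
#define DESFIRE_STATUS_NO_SUCH_KEY 0x40 /* assumed status value for the fake card */
#define DESFIRE_MAX_KEYS 14             /* EV1 per-application limit */

typedef enum { DESFIRE_OK = 0, DESFIRE_ERR_SHORT_RESPONSE, DESFIRE_ERR_STATUS,
               DESFIRE_ERR_NO_KEYS, DESFIRE_ERR_TOO_MANY_KEYS } DesfireResult;

/* Byte 2 bits 7..6 of GetKeySettings: 00 DES/2K3DES, 01 3K3DES, 10 AES. */
typedef enum { DESFIRE_KEY_DES = 0, DESFIRE_KEY_3K3DES = 1, DESFIRE_KEY_AES = 2 } DesfireKeyType;

typedef struct {
    uint8_t settings;        /* byte 1: change-key rights, config/listing bits */
    uint8_t max_keys;        /* byte 2 bits 3..0: number of keys, 0..14 */
    bool iso_file_ids;       /* byte 2 bit 5: app uses 2-byte ISO file IDs */
    DesfireKeyType key_type; /* byte 2 bits 7..6 */
} DesfireKeySettings;

/* Native-mode GetKeySettings (0x45) reply: [status][settings][max keys byte]. */
DesfireResult desfire_parse_key_settings(const uint8_t* rsp, size_t len, DesfireKeySettings* out) {
    if(len < 3) return DESFIRE_ERR_SHORT_RESPONSE;
    if(rsp[0] != DESFIRE_STATUS_OK) return DESFIRE_ERR_STATUS;
    out->settings = rsp[1];
    out->max_keys = rsp[2] & 0x0F;
    out->iso_file_ids = (rsp[2] & 0x20) != 0;
    out->key_type = (DesfireKeyType)((rsp[2] >> 6) & 0x03);
    return DESFIRE_OK;
}

/* Hypothetical transceive hook: send tx, fill rx, return bytes received (0 on link error). */
typedef size_t (*DesfireTransceive)(void* ctx, const uint8_t* tx, size_t tx_len, uint8_t* rx, size_t rx_cap);

/* GetKeyVersion (0x64) for keys 0..count-1. count == 0 is reported, never asserted on. */
DesfireResult desfire_read_key_versions(void* ctx, DesfireTransceive xfer, uint8_t count, uint8_t* versions) {
    if(count == 0) return DESFIRE_ERR_NO_KEYS;
    if(count > DESFIRE_MAX_KEYS) return DESFIRE_ERR_TOO_MANY_KEYS;
    for(uint8_t key_no = 0; key_no < count; key_no++) {
        uint8_t tx[2] = {0x64, key_no};
        uint8_t rx[2] = {0, 0};
        size_t rx_len = xfer(ctx, tx, sizeof(tx), rx, sizeof(rx));
        if(rx_len < 1) return DESFIRE_ERR_SHORT_RESPONSE;
        if(rx[0] != DESFIRE_STATUS_OK) return DESFIRE_ERR_STATUS;
        if(rx_len < 2) return DESFIRE_ERR_SHORT_RESPONSE;
        versions[key_no] = rx[1];
    }
    return DESFIRE_OK;
}

/* Constructed stand-in for one card application, answering GetKeyVersion from a table. */
typedef struct { uint8_t key_versions[DESFIRE_MAX_KEYS]; uint8_t key_count; } FakeApp;

size_t fake_app_xfer(void* ctx, const uint8_t* tx, size_t tx_len, uint8_t* rx, size_t rx_cap) {
    const FakeApp* app = ctx;
    if(tx_len != 2 || tx[0] != 0x64 || rx_cap < 2) return 0;
    if(tx[1] >= app->key_count) { rx[0] = DESFIRE_STATUS_NO_SUCH_KEY; return 1; }
    rx[0] = DESFIRE_STATUS_OK;
    rx[1] = app->key_versions[tx[1]];
    return 2;
}

/* One application walk in poller order: key settings first, then every key version. */
DesfireResult desfire_read_app(const uint8_t* ks_rsp, size_t ks_len, FakeApp* app,
                               DesfireKeySettings* ks, uint8_t* versions) {
    DesfireResult r = desfire_parse_key_settings(ks_rsp, ks_len, ks);
    if(r != DESFIRE_OK) return r;
    return desfire_read_key_versions(app, fake_app_xfer, ks->max_keys, versions);
}

/* Constructed scenario: AES application with three keys, like AID F70090 in the lsapp output. */
DesfireResult example_aes_app(DesfireKeySettings* ks, uint8_t* versions) {
    const uint8_t rsp[] = {DESFIRE_STATUS_OK, 0x0F, 0x83};
    FakeApp app = {.key_versions = {0x00, 0x00, 0x00}, .key_count = 3};
    return desfire_read_app(rsp, sizeof(rsp), &app, ks, versions);
}

/* Constructed scenario: a settings reply advertising zero keys, the shape behind count=0. */
DesfireResult example_zero_key_app(DesfireKeySettings* ks, uint8_t* versions) {
    const uint8_t rsp[] = {DESFIRE_STATUS_OK, 0x0F, 0x00};
    FakeApp app = {.key_count = 0};
    return desfire_read_app(rsp, sizeof(rsp), &app, ks, versions);
}

int main(void) {
    DesfireKeySettings ks;
    uint8_t versions[DESFIRE_MAX_KEYS];
    DesfireResult r = example_aes_app(&ks, versions);
    printf("AES app: result %d, max_keys %u, key_type %d\n", r, (unsigned)ks.max_keys, (int)ks.key_type);
    r = example_zero_key_app(&ks, versions);
    printf("zero-key app: result %d, max_keys %u\n", r, (unsigned)ks.max_keys);
    return 0;
}
```

The point of the structure is that the only hard precondition on `desfire_read_key_versions` is the caller's buffer size, which is bounded by `DESFIRE_MAX_KEYS`; everything that comes off the air, including a key count of zero or a status byte other than OK, is data and is returned as a result code so the poller can mark the application unreadable and move on to the next AID.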