marcus905 / libnfc

Automatically exported from code.google.com/p/libnfc
GNU Lesser General Public License v3.0

Authentication succeeds with any KeyA/B value with Nexus-S in emulation mode #229

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

  1. Attached sfoc.c will try to authenticate to emulated Mifare 4K in Nexus S (PN544 chip)
  2. Authentication always succeeds in 'nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_A, 0, &mp)' no matter which key-A value is provided
  3. Reading authenticated sector fails with 'nfc_initiator_mifare_cmd(r.pdi, MC_READ, 0, &mp))'

What is the expected output? What do you see instead?
  - Expected output is the block 0 values including the UID. Sector 0 is readable in Nexus S's emulated Mifare 4k with ProxMark3 (hf 14a reader).

What version of the product are you using? On what operating system?

  - libnfc version: latest git commit 0203ade66c4168cbb7bf835e2c35b3d35e86d84a (version 1.7.0-rc4)
  - Operating system: Linux

Please provide any additional information below.

  - I have checked the Nexus S in emulation mode with ProxMark3 and I can read sector 0 with default key FFFFFFFFFFFF (although no other sectors can be authenticated other than sector 0). 
  - With libnfc and SCL3711 (PN533) reader, authentication appears to work with any key. But reading obviously fails which probably means that the authentication was false.
  - I have captured PN533's activity with nfc-tool's dev-tools. The output is as shown below.
  - The modified sfoc.c from MFOC tool, that simply just tries to authenticate and read sector 0 block 0, is attached which produced the PN533 trace.
  - To compile sfoc.c (quick & dirty), after compiling MFOC, I left it in MFOC's source directory and ran 'gcc -ggdb sfoc.c crapto1.o crypto1.o mifare.o nfc-utils.o -L /usr/local/lib -lusb -lnfc -I../ -std=c99 -o sfoc'

PN533 (SCL3711) Trace

----
d4 02                                   -> GetFirmwareVersion
d5 03 33 02 07 07 
d4 02                                   -> GetFirmwareVersion
d5 03 33 02 07 07 
d4 12 14                                -> SetParameters: 0x14
d5 13 
d4 06 63 02 63 03 63 0d 63 38 63 3d     -> ReadRegister 0x6302
d5 07 00 80 80 00 01 00 
d4 32 01 00                             -> RFConfiguration RFfield: 00
d5 33 
d4 06 ff b0                             -> ReadRegister 0xffb0
d5 07 00 3a 
d4 08 ff b0 3e                          -> WriteRegister 0xffb0
d5 09 00 
d4 32 01 01                             -> RFConfiguration RFfield: 01
d5 33 
d4 06 ff b0                             -> ReadRegister 0xffb0
d5 07 00 3e 
d4 08 ff b0 3a                          -> WriteRegister 0xffb0
d5 09 00 
d4 32 05 ff ff ff                       -> RFConfiguration MaxRetries: ff ff ff
d5 33 
d4 06 63 02 63 03 63 05 63 38 63 3c 63 3d -> ReadRegister 0x6302
d5 07 00 80 80 44 01 10 00 
d4 32 01 01                             -> RFConfiguration RFfield: 01
d5 33 
d4 06 ff b0                             -> ReadRegister 0xffb0
d5 07 00 3a 
d4 32 05 00 01 02                       -> RFConfiguration MaxRetries: 00 01 02
d5 33 
d4 4a 01 00                             -> InListPassiveTarget
d5 4b 01 01 00 02 38 04 cf d9 0e 44 0f 78 80 70 02 00 31 c1 73 c8 40 00 00 
d4 40 01 60 00 00 00 00 00 00 00 00 00 00 00 -> InDataExchange
d5 41 00 67 00 
d4 40 01 30 00                          -> InDataExchange
d5 41 00 67 00 
----

Original issue reported on code.google.com by gsbabil on 11 Feb 2013 at 7:51

Attachments:

GoogleCodeExporter commented 9 years ago
Hello,

Did you try to use a real Mifare card? Because I did and I saw that it 
works perfectly: it fails with:
nfc_initiator_transceive_bytes: Mifare Authentication Failed
         Authentication failed with KeyA, reconfiguring ...

Next, could you provide a full log produced with this command line, please:

LIBNFC_LOG_LEVEL=3 ./sfoc

Thanks

Original comment by romu...@libnfc.org on 14 Feb 2013 at 7:13

GoogleCodeExporter commented 9 years ago
Hi Romuald,
many thanks. I am observing something a bit more strange.

1. I have tried a *real* Mifare 1k/4k with 'nfc-mfclassic' from libnfc [1] and 
it works as expected ('real-mifare.mfd' dump attached). Keys for all sectors 
are either FF-FF-FF-FF-FF-FF or 00-00-00-00-00-00.

2. Then I tried 'sfoc' with 'LIBNFC_LOG_LEVEL=3' (attached 'real-mifare.log') 
[2] on the *real* Mifare. I have modified 'sfoc.c' slightly (new 'sfoc.c' 
attached) so that it attempts key-A authentication with FF-FF-FF-FF-FF-FF and 
key-B authentication with 00-00-00-00-00-00. If you take a look at my 
'real-mifare.mfd' dump (produced with 'nfc-mfclassic'), you'll find sector-0 
has FF-FF-FF-FF-FF-FF as key-A and  00-00-00-00-00-00 as key-B. But both key-A 
and key-B authentication fails in sfoc/libnfc this time!

------
xxd real-mifare.mfd | head -4

0000000: cd70 ce52 2108 0400 6263 6465 6667 6869  .p.R!...bcdefghi
0000010: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
0000020: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
0000030: ffff ffff ffff ff07 8069 0000 0000 0000  .........i......
------

3. I have tried to read the *emulated* Mifare 4k [3]:

  - with libnfc: authentication with key-A seems to succeed. But *reading* data fails. (attached emulated-mifare.log with LIBNFC_LOG_LEVEL=3)

  - with ProxMark3: I can read sector 0 with key-A as FF-FF-FF-FF-FF-FF. I have not collected the ProxMark3 traces yet. But I can provide them if you want.

[1] nfc-mfclassic r a real-mifare.mfd
[2] LIBNFC_LOG_LEVEL=3 ./sfoc 2>&1 1 | tee real-mifare.log
[3] LIBNFC_LOG_LEVEL=3 ./sfoc 2>&1 1 | tee emulated-mifare.log

Original comment by gsbabil on 15 Feb 2013 at 4:17

Attachments:

GoogleCodeExporter commented 9 years ago
Hi Romuald,
more information. So far I have tried two emulated Mifare 1k/4k cards with 
libnfc as listed below:

 - Emulated Mifare 4k through Android
 - Emulated Mifare 1k from dual-interfaced Paypass card

They both exhibit the exact same problem. On both of the emulated cards, my 
authentication succeeds with FF-FF-FF-FF-FF-FF key (I think this is erroneous). 
But then I can't perform any "MC_READ" with libnfc. Attached are my 
"paypass-mifare.log" and "paypass-mifare.mfd" containing LIBNFC_LOG_LEVEL=3 and 
Mifare dump produced with "nfc-mfclassic".

Original comment by gsbabil on 15 Feb 2013 at 5:25

Attachments:

GoogleCodeExporter commented 9 years ago
I think I got it.

Your tags are ISO14443-4 A compliant and you want to use them only at 
ISO14443-3 level so you have to disable automatic jump to ISO14443-4A 
communication protocol.

So before selecting the tag, you have to use:

pn53x_set_property_bool(pnd, NP_AUTO_ISO14443_4, false)

Original comment by romu...@libnfc.org on 15 Feb 2013 at 8:31
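Added example (not code from this issue or from libnfc): a decoder for the PN533 frames in the opening trace that makes the diagnosis above mechanical. It reads the SAK from the InListPassiveTarget reply (0x38 here: MIFARE 4K plus the ISO14443-4 bit 0x20, so the PN53x auto-activates ISO-DEP) and then checks the AUTH_A and READ replies: the chip's status byte is 0x00 in both, but each carries a two-byte payload 67 00, which is an ISO 7816 status word ("wrong length") from the ISO-DEP layer rather than a MIFARE Classic answer. The frame layout follows the PN533 user manual; the struct, function and constant names are my own, and the sample lines are copied from the trace in the first post.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the three PN533 exchanges from the issue's SCL3711 trace
 * that decide the question (target listing, then AUTH_A and READ). */
static const char *const TRACE[] = {
    "d4 4a 01 00",
    "d5 4b 01 01 00 02 38 04 cf d9 0e 44 0f 78 80 70 02 00 31 c1 73 c8 40 00 00",
    "d4 40 01 60 00 00 00 00 00 00 00 00 00 00 00",
    "d5 41 00 67 00",
    "d4 40 01 30 00",
    "d5 41 00 67 00",
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* PN53x frame identifiers and command codes, MIFARE Classic command bytes. */
enum { TFI_HOST = 0xd4, TFI_CHIP = 0xd5, IN_LIST_PASSIVE_TARGET = 0x4a,
       IN_DATA_EXCHANGE = 0x40, MC_AUTH_A_CMD = 0x60, MC_AUTH_B_CMD = 0x61,
       MC_READ_CMD = 0x30, SAK_ISO14443_4 = 0x20, MC_BLOCK_LEN = 16 };

struct verdict {
    uint8_t  sak;               /* SEL_RES from the InListPassiveTarget reply */
    int      iso_dep_capable;   /* SAK bit 0x20 set: PN53x will auto-activate ISO-DEP */
    int      auth_transport_ok; /* PN53x status 0x00 on the AUTH exchange */
    size_t   auth_data_len;     /* payload bytes in the AUTH reply; 0 for a real Classic auth */
    unsigned auth_sw;           /* those bytes as an ISO 7816 status word, if exactly two */
    int      read_ok;           /* READ returned a full 16-byte block */
};

static int hexval(char c) {
    return isdigit((unsigned char)c) ? c - '0' : tolower((unsigned char)c) - 'a' + 10;
}

/* "d5 41 00 67 00" -> bytes; returns the number of bytes decoded. */
static size_t parse_hex_line(const char *line, uint8_t *out, size_t max) {
    size_t n = 0;
    for (; *line && n < max; line += 2) {
        while (*line == ' ') line++;
        if (!isxdigit((unsigned char)line[0]) || !isxdigit((unsigned char)line[1])) break;
        out[n++] = (uint8_t)(hexval(line[0]) << 4 | hexval(line[1]));
    }
    return n;
}

/* Walk d4/d5 command-reply pairs; returns how many well-formed pairs were seen. */
size_t analyze_trace(const char *const *lines, size_t count, struct verdict *v) {
    uint8_t cmd[64], rsp[64];
    size_t pairs = 0;
    memset(v, 0, sizeof *v);
    for (size_t i = 0; i + 1 < count; i += 2) {
        size_t clen = parse_hex_line(lines[i], cmd, sizeof cmd);
        size_t rlen = parse_hex_line(lines[i + 1], rsp, sizeof rsp);
        if (clen < 2 || rlen < 2 || cmd[0] != TFI_HOST || rsp[0] != TFI_CHIP || rsp[1] != cmd[1] + 1)
            continue;                       /* not a command followed by its reply */
        pairs++;
        if (cmd[1] == IN_LIST_PASSIVE_TARGET && rlen >= 7 && rsp[2] >= 1) {
            /* d5 4b NbTg Tg SENS_RES(2) SEL_RES NFCIDLength NFCID1 ... */
            v->sak = rsp[6];
            v->iso_dep_capable = (v->sak & SAK_ISO14443_4) != 0;
        } else if (cmd[1] == IN_DATA_EXCHANGE && clen >= 4 && rlen >= 3) {
            /* d4 40 Tg <MIFARE cmd> ...  /  d5 41 Status DataOut...; error code = Status & 0x3f */
            int status_ok = (rsp[2] & 0x3f) == 0;
            size_t data_len = rlen - 3;
            if (cmd[3] == MC_AUTH_A_CMD || cmd[3] == MC_AUTH_B_CMD) {
                v->auth_transport_ok = status_ok;
                v->auth_data_len = data_len;
                v->auth_sw = data_len == 2 ? (unsigned)rsp[3] << 8 | rsp[4] : 0;
            } else if (cmd[3] == MC_READ_CMD) {
                v->read_ok = status_ok && data_len == MC_BLOCK_LEN;
            }
        }
    }
    return pairs;
}

/* nfc_initiator_mifare_cmd() judges AUTH by whether the transceive succeeded, i.e. by
 * the PN53x status byte. A genuine MIFARE Classic authentication carries no data back;
 * a payload means the target answered at another layer (here ISO-DEP, SW 6700 "wrong
 * length"), so the reported success is a transport success, not an authentication. */
int auth_is_false_positive(const struct verdict *v) {
    return v->auth_transport_ok && v->auth_data_len != 0;
}

/* Whether NP_AUTO_ISO14443_4 has to be switched off before selecting this target so
 * that MIFARE Classic commands go out at ISO14443-3 level (the fix in this thread). */
int needs_iso14443_3_override(uint8_t sak) {
    return (sak & SAK_ISO14443_4) != 0;
}

int main(void) {
    struct verdict v;
    printf("%zu exchanges decoded, SAK 0x%02x, ISO-DEP capable: %d\n",
           analyze_trace(TRACE, TRACE_LEN, &v), v.sak, v.iso_dep_capable);
    printf("AUTH: status ok=%d, %zu payload byte(s), SW %04x -> %s\n", v.auth_transport_ok,
           v.auth_data_len, v.auth_sw, auth_is_false_positive(&v) ? "false positive" : "plausible");
    printf("READ: %s\n", v.read_ok ? "full block" : "no block data");
    if (needs_iso14443_3_override(v.sak))
        printf("disable NP_AUTO_ISO14443_4 before nfc_initiator_select_passive_target()\n");
    return 0;
}
```

On this trace the decoder reports SAK 0x38 (ISO-DEP capable), an AUTH reply with status 0x00 but two payload bytes (SW 6700), and a READ with no block data. A reader-side tool should therefore treat an AUTH that comes back with payload bytes, or whose follow-up READ yields no 16-byte block, as not authenticated instead of reporting the key as valid from the status byte alone; needs_iso14443_3_override() gives the condition under which the NP_AUTO_ISO14443_4 property has to be cleared before the select.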

GoogleCodeExporter commented 9 years ago
Hi Romuald,
many thanks for your suggestion. 

I modified "sfoc.c" with a new function "force_iso14443_a()" which sets 
"NP_AUTO_ISO14443_4" to "false" and forces ISO14443_A. The good news is that 
now I can authenticate against sector 0 and read block 0. But all other blocks 
(1, 2 and 3) in sector 0 remain unreadable. I went through the captured log 
using "LIBNFC_LOG_LEVEL=3 ./sfoc" and it shows "Chip error" on read attempt for 
blocks 2, 3 and 4 on sector 0. The same applies for all other blocks and 
sectors. For example on sector 1 block 4, authentication succeeds but reading 
fails with "Chip error: "Invalid Received Frame" (13), returned error: "RF 
Transmission Error" (-20))". Please have a look. 

I am attaching:

 - modified sfoc.c and mfoc.h
 - modified make_sfoc.sh (you may have to change $libnfc_path inside)
 - emulated-mifare.log with LIBNFC_LOG_LEVEL=3

P.S.

Interestingly, if I remember correctly, I had the same issue with the firmware 
revision 653 on ProxMark. I could read sector 0 block 0 but nowhere else.

-----------------------------------------
/* Disable the PN53x's automatic ISO14443-4 activation and pin the target to
 * ISO14443-A at 106 kbps, so that MIFARE Classic commands are sent at
 * ISO14443-3 level. Call this before selecting the tag.
 * pn53x_set_property_bool() returns 0 on success and a negative libnfc
 * error code on failure, hence the non-zero checks below. */
void force_iso14443_a(nfc_device *pdi) {
  if (pn53x_set_property_bool(pdi, NP_AUTO_ISO14443_4, false)){
    nfc_perror(pdi, "pn53x_set_property_bool failed on: NP_AUTO_ISO14443_4");
  }

  if (pn53x_set_property_bool(pdi, NP_FORCE_ISO14443_A, true)){
    nfc_perror(pdi, "pn53x_set_property_bool failed on: NP_FORCE_ISO14443_A");
  }

  if (pn53x_set_property_bool(pdi, NP_FORCE_SPEED_106, true)){
    nfc_perror(pdi, "pn53x_set_property_bool failed on: NP_FORCE_SPEED_106");
  }
}
-----------------------------------------

Original comment by gsbabil on 21 Feb 2013 at 8:43

Attachments: