-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect read of Mifare Ultralight tag with password locked pages #3945
Comments
The reason for that issue is next. In case if you read (for example) latest unlocked block and following will be blocked, you will get 1st available blocks. So in our case: 33 0 1 2. Because FZ iterates by 4 Personally, based on that, I would propose remove that optimization (potential) and read by one (also that's implementation approach in mentioned in 1st post devices). |
Thank you @RebornedBrain, I think we have the same vision on mechanisms (referring to my previous message). The issue is the optimization for UL when FL reads by 4. And it doesn't know are the blocks actual or cycled from the beginning. That's why false information appeared (see initial post's attachments). I still think the solution would be to read block by block (from answer get first 4 bytes), until we will get NACK. That mechanism is implemented in a bunch of professional tools (like PM3, TMD-5S, SMKey) and leads to correct data read. So, unfortunately, I can't agree with you about the correctness of that behaviour (putting into read result data from the cycled blocks). But it's 💯 understandable that optimization was done to use the whole response of the READ BLOCK command. |
So just to summarize, because I'm feeling like I confused you a bit with info:
Thanks for understanding and sorry if my formulations are chaotic |
Hi, I agree that we can fix this. And your solution is right. Actually this solution was already been tested by me few months ago, when Ultralight C auth was implemented, but I decided not to do that. Well now seems that it's time to fix that, but we need to test it on our side. I saw you've already done such PR, so could you please open it here also. Then qa will test it and once they confirm everything is ok, we can merge. P.s. Actually there is an idea to keep both read features, so users can choose how they want to read 4 pages at once or one by one, but this requires a little bit more tweaks on the app side, therefore it can be posponded for now. |
Yeah, that makes sense. Actually it could be done in read by 4 feature, when you get a first NACK, you just rewind to check if actual NACK was from the previous quartet. But so far as it's now needed, I would just create a PR there for a validation too. Thanks for the answer! |
We thought about that also and came to the conclusion that such approach increases complexity and we discarded that also, so nevermind on that 😄 |
Yeah, agree about complexity, also don't like that idea. So good you discarded it |
Describe the bug.
I'm doing research with PWD locked MFUL tags (for devs: Vizit RF3.1).
Those tags have locked pages after 0x22:
From the datasheet:
For such kind of tags, if they are being read without pwd, FZ reads 36 pages instead of 34, but last two pages in that case are filled with the data of blocks 0 & 1 + sets like there are 36 pages unlocked (which is wrong):
Other devices like Proxmark3, TMD-5S, SMKey works correctly and read 34 pages, as it should be by AUTH0
Attached files:
Proxmark3.log (tag info + dumps with and without password)
Locked.nfc
Unlocked.nfc
Many thanks!
Reproduction
Target
v.1.0.1
Logs
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: