NFC: Emulating of SAVED Mifare Classic not working #2577

Closed
AlexMilender opened this issue Apr 12, 2023 · 41 comments
Labels: Bug, NFC

Comments

@AlexMilender

Describe the bug.

Emulation of a Mifare Classic fob produces different results depending on whether the Mifare Classic fob has been saved or not.

I am able to successfully read a Mifare Classic key fob using the NFC read functionality.
If I do NOT save the read, but instead emulate it directly after the read, the emulation works as expected and I am able to open my key fob lock.

If I DO save the read and then try to emulate that saved read, the emulation does not work as expected and I am unable to open my key fob lock.

Reproduction

Successfully able to open the keyfob lock

  1. NFC
  2. Read
  3. More
  4. Emulate

Unsuccessful in opening the keyfob lock

  1. NFC
  2. Read
  3. More
  4. Save the read
  5. NFC
  6. Saved
  7. Navigate to the saved read from step 4
  8. Emulate

Target

Flipper Zero Release 0.80.1

Logs

No response

Anything else?

No response

@bettse
Contributor

bettse commented Apr 12, 2023

What brand is the lock? I'd like to see if this is a problem for all emulation, or against a specific lock.

@hedger hedger added the NFC NFC-related label Apr 12, 2023
@doomwastaken
Member

Going to research it now on 0.81.1-rc

@doomwastaken
Member

If you could provide additional details about the lock and what card you are using, that would be helpful. Tried Mifare Classic 1k and 4k and was not successful so far.

@Astrrra
Member

Astrrra commented Apr 12, 2023

Also, having the full card dump will help out a lot

@Indigo94

I’m experiencing the same issue as OP. The reader is a Schlage lock

@gornekich
Member

gornekich commented Apr 12, 2023

Could you please try to reproduce the issue on previous release

@AlexMilender
Author

AlexMilender commented Apr 12, 2023

What brand is the lock? I'd like to see if this is a problem for all emulation, or against a specific lock.
@doomwastaken

The lock brand is Schlage. The same one @Panduhsaur mentioned (https://www.schlage.com/en/home/products/BE467GRWFFF.html)

Key fob is a Schlage 9651t

@Indigo94

Could you please try to reproduce the issue on previous release

How can I do this? I attempted to download the .zip and the .tar.gz file, but when I go to qFlipper (Windows) -> Install from file -> and select one or the other, the downgrade fails.

@AlexMilender
Author

AlexMilender commented Apr 13, 2023

Could you please try to reproduce the issue on the previous release

@gornekich That did it! I used fbt to build and flash version 0.79.1 and I am now able to save and then emulate the key fob with success

Additional notes I'll mention for debugging purposes:

  1. Before downgrading to version 0.79.1 I updated to 0.81.1 and saw the same issues as I did in 0.80.1.
  2. I am not able to fully extract all the keys from the fob (on any version of firmware that I have used), but I am still able to open the lock regardless:
    Keys Found: 30/32
    Sectors Read: 16/16

@AlexMilender
Author

Update: After successfully saving and emulating the key fob in version 0.79.1, I then updated the firmware to version 0.81.1 and could emulate the saved key fob with success.

@Indigo94

As the previous user mentioned, downgrading to version 0.79.1 fixed the issue.
For users who would like to do this, do the following:

  1. Clone the repository using the following command:
    git clone --recursive --branch 0.79.1 https://github.com/flipperdevices/flipperzero-firmware.git
  2. Go into the new 'flipperzero-firmware' folder
  3. Run the fbt command:
    ./fbt
  4. Connect your Flipper and run the following command:
    ./fbt flash_usb

@doomwastaken
Member

Could you please send us a dump of a key with the latest release and 0.79.1? We would like to compare the files. You could mail them to [email protected].

If by chance any of you have a Proxmark, then let us know a way to contact you.

@m-kozlowski

Here are some of my observations:
I have two MFC cards, one for the workplace (A) and one for public transport (B).

(A) is purely UID based: all sectors are filled with zeroes, with FFFFFFFFFFFF as both keys and 000/000/000/001 access bits.
(B) has non-default keys and is using sectors 0-8. Moreover, a single block of sector 4 has read and write disabled by access bits (111).

Results of emulating card A with flipper:

  • did not work with the door sensors at my workplace
  • it did work with a storage locker (some kind of battery-powered reader)
  • Mifare Classic Tool throws "NFC read error"
  • ACR122U
    • nfc-list lists the card properly
    • trying to read the card with mfoc or nfc-mfclassic immediately says "no tag was found"

Results of emulating card B:

  • Mifare Classic Tool detects the card and shows its UID, but I'm unable to read the card (I guess that's to be expected with the way emulation works)
  • ACR122U
    • nfc-list works
    • trying to read the card with mfoc or nfc-mfclassic also didn't work, but this time nfc-mfclassic displayed card details before throwing a "tag disappeared" error.

There are no notable differences between the 0.79.1 and 0.81 dumps in my case.
For both cards the difference is limited to the header:

@@ -1,9 +1,10 @@
 Filetype: Flipper NFC device
 Version: 3
-# Nfc device type can be UID, Mifare Ultralight, Mifare Classic
+# Nfc device type can be UID, Mifare Ultralight, Mifare Classic, Bank card or ISO15693
 Device type: Mifare Classic
 # UID, ATQA and SAK are common for all formats
 UID: .. .. .. ..
+# ISO14443 specific fields
 ATQA: 00 04
 SAK: 08
 # Mifare Classic specific data
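Review bot: only comment lines differ in this hunk (the device-type list on the first `#` line and the added `# ISO14443 specific fields` label); `Version: 3`, `Device type`, `UID`, `ATQA: 00 04` and `SAK: 08` are byte-for-byte identical, so any reader that keys on fields rather than comments sees the same header in both files, and this diff cannot explain the saved-vs-live emulation difference. The lines that would settle it are the ones below `# Mifare Classic specific data` (keys and block contents), which the hunk stops just before; the comparison should be extended to those.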

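The access bits quoted in the observations above (000/000/000/001 on a default trailer, 111 on the locked block of sector 4) live in bytes 6 to 8 of every sector trailer, with each C1/C2/C3 nibble stored once plain and once inverted. The Python below is an added example, not code from this thread or from the Flipper firmware: it decodes and re-encodes those three bytes, flags a trailer whose inverted copy does not match its plain copy (what a corrupted dump or a bad emulator would present), and maps each block's bits onto the standard MIFARE Classic condition tables. The trailer bytes used as input are constructed for the example.

```python
"""Decode and encode MIFARE Classic sector-trailer access conditions."""
from typing import Dict, List, Tuple

Bits = Tuple[int, int, int]  # (C1, C2, C3) for one block of the sector

# Data-block rules keyed by (C1, C2, C3): key needed to read, write, increment, decrement.
DATA_BLOCK_RULES: Dict[Bits, Tuple[str, str, str, str]] = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Trailer rules: key A read/write, access bits read/write, key B read/write.
TRAILER_RULES: Dict[Bits, Tuple[str, ...]] = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}


def decode_access_bits(acc: bytes) -> Tuple[List[Bits], bool]:
    """Return ([(C1,C2,C3) for blocks 0..3], inverted copy matches plain copy?)."""
    if len(acc) < 3:
        raise ValueError("need the three access bytes (trailer bytes 6..8)")
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4        # plain nibbles
    nc1, nc2, nc3 = b6 & 0xF, b6 >> 4, b7 & 0xF    # inverted nibbles
    consistent = (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) == (0xF, 0xF, 0xF)
    blocks = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return blocks, consistent


def encode_access_bits(blocks: List[Bits]) -> bytes:
    """Inverse of decode_access_bits: pack four (C1,C2,C3) triples into bytes 6..8."""
    if len(blocks) != 4:
        raise ValueError("need conditions for blocks 0..3")
    c1 = c2 = c3 = 0
    for i, (x, y, z) in enumerate(blocks):
        c1 |= (x & 1) << i
        c2 |= (y & 1) << i
        c3 |= (z & 1) << i
    b6 = ((~c2 & 0xF) << 4) | (~c1 & 0xF)
    b7 = (c1 << 4) | (~c3 & 0xF)
    b8 = (c3 << 4) | c2
    return bytes([b6, b7, b8])


def describe_trailer(trailer: bytes) -> Dict:
    """Summarise a 16-byte trailer: keys, bit triples, consistency and the rule each triple selects."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    blocks, ok = decode_access_bits(trailer[6:9])
    return {
        "key_a": trailer[:6].hex().upper(),
        "key_b": trailer[10:].hex().upper(),
        "consistent": ok,
        "bits": blocks,
        "data_blocks": [DATA_BLOCK_RULES[b] for b in blocks[:3]],
        "trailer": TRAILER_RULES[blocks[3]],
    }


if __name__ == "__main__":
    # Constructed trailer: transport keys FFFFFFFFFFFF and the default FF 07 80 69 access bytes.
    print(describe_trailer(bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")))
```

A trailer that decodes as inconsistent is not a valid card state; readers treat such a sector as blocked, so it is worth checking before trusting a dump or an emulation.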
@AlexMilender
Author

Could you please send us a dump of a key with the latest release and 0.79.1? We would like to compare the files. You could mail them to [email protected].

If by chance any of you have a Proxmark, then let us know a way to contact you.

Key dumps from the 2 versions you mentioned have been emailed to the address you provided. Unfortunately I do not own a Proxmark.

@davenukem

I can confirm this issue is still ongoing on most recent firmware. When reading an NFC fob and emulating from the initial read it will function.

As soon as you save that read, the emulation will no longer work. I have the same Schlage device as the one previously listed.

@meppss

meppss commented May 23, 2023

I also have identical Schlage lock and fob type. Confirming that on the latest version installed (0.83.1), I am unable to emulate the NFC from a saved Mifare classic 1K. I have 30/32 keys found and 16/16 sectors read.

When I read the key fob, I am able to confirm that emulation DOES work. However, after saving, emulation no longer functions / is not detected by the reader.

@doomwastaken
Member

Currently this fix is blocked by NFC refactoring process. I will update this issue once refactor is done, cannot give any ETA.

@meppss

meppss commented Jun 4, 2023

Currently this fix is blocked by NFC refactoring process. I will update this issue once refactor is done, cannot give any ETA.

I'm confirming that this is still broken in the latest release [0.84.1]. Attempted on a freshly updated flipper.

@warnerlowe

I was just wondering about this issue. Glad it's being worked on.

@skotopes
Member

skotopes commented Jun 9, 2023

fixed in dev

@skotopes skotopes closed this as completed Jun 9, 2023
@meppss

meppss commented Jun 9, 2023

fixed in dev

Can you share the PR this was fixed in? Thanks!

@doomwastaken
Member

fixed in dev

Can you share the PR this was fixed in? Thanks!

#2620

@davenukem

fixed in dev

Just installed the .85 RC. Completely possible I'm doing something wrong but this seems to actually eliminate the ability of the Flipper to even emulate the MIFARE classic initially. In the current firmware, you can emulate your MIFARE classic NFC after an initial read but upon saving it will no longer function if you attempt to emulate.

On the RC firmware .85, even the initial emulation fails for me now.

Rolling back to the .84.2 firmware, initial emulation once again functions; saved emulation fails.

Not sure if this ties into the NFC refactoring you mentioned - but the issue doesn't appear to be fixed in .85

@doomwastaken
Member

fixed in dev

Just installed the .85 RC. Completely possible I'm doing something wrong but this seems to actually eliminate the ability of the Flipper to even emulate the MIFARE classic initially. In the current firmware, you can emulate your MIFARE classic NFC after an initial read but upon saving it will no longer function if you attempt to emulate.

On the RC firmware .85, even the initial emulation fails for me now.

Rolling back to the .84.2 firmware, initial emulation once again functions; saved emulation fails.

Not sure if this ties into the NFC refactoring you mentioned - but the issue doesn't appear to be fixed in .85

So you actually get all keys and sectors on the card, but emulation does not work? Did you go through the detect reader step again?

@davenukem

I read 16/16 sectors and get 30/32 keys (same as firmware .84.2). I ran through the entire card read process again and detected reader to get nonces again as well (on both firmwares). Ran through the same process on both firmwares.

Firmware .85 will not even succeed at initial emulation, .84.2 will.
Neither will allow an emulated saved read to function.

@doomwastaken
Member

I read 16/16 sectors and get 30/32 keys (same as firmware .84.2). I ran through the entire card read process again and detected reader to get nonces again as well (on both firmwares). Ran through the same process on both firmwares.

And you ran the Mfkey attack and scanned the key again after?

@davenukem

I read 16/16 sectors and get 30/32 keys (same as firmware .84.2). I ran through the entire card read process again and detected reader to get nonces again as well (on both firmwares). Ran through the same process on both firmwares.

And you ran the Mfkey attack and scanned the key again after?

Yes. This is something I would love to work… so I went through the whole process twice to make sure it wasn’t me messing up.

@Astrrra
Member

Astrrra commented Jun 13, 2023

@davenukem can you please send all the files needed to reproduce your problem? Please include the card dumps from 0.84.2 and from 0.85, the nonce files from running Detect reader, along with the sector numbers and key letters to which the reader is trying to authenticate (e.g. Sector 8 Key A).

If your card contains private data - you can send it to me directly: [email protected]. Also, do you have a proxmark3? Having a trace file from it would greatly simplify things.

@Astrrra Astrrra reopened this Jun 13, 2023
@davenukem

davenukem commented Jun 13, 2023 via email

@warnerlowe

I see your cellphone number.

@meppss

meppss commented Jun 19, 2023

I tried this same process on the latest version. Emulation no longer functions after retrieving the keys, but before saving.

I've also tried saving the read and then doing a detect reader. That also does not work (the reader doesn't detect the NFC emulation).

However after completing a read, when performing a "detect reader" in that same menu, while collecting the nonces the reader detects the emulated signal and unlocks the door. This only occurs during the "detect reader" function while nonces are being collected.

I'm performing this on the latest stable 0.85.2

@davenukem

I tried this same process on the latest version. Emulation no longer functions after retrieving the keys, but before saving.

I've also tried saving the read and then doing a detect reader. That also does not work (the reader doesn't detect the NFC emulation).

However after completing a read, when performing a "detect reader" in that same menu, while collecting the nonces the reader detects the emulated signal and unlocks the door. This only occurs during the "detect reader" function while nonces are being collected.

I'm performing this on the latest stable 0.85.2

I just sent an email with the key that is generated and the user dictionary I created from the nonces on the reader to Astrrra. Unfortunately I wasn't able to roll back to the old firmware due to some time constraints on my end. Upon doing it again today I can confirm what Meppss was saying. The detect reader function emulation actually does trigger the device while acquiring nonces, and not when you try to emulate from the same menu post-read. Overall, extremely odd behaviour that seems to be some kind of disconnect between how NFC reads are being saved and passed to the emulate function immediately post-read.

Hopefully this helps move this issue along.

@meppss

meppss commented Jul 20, 2023

Confirming this is fixed as of 0.86.2

@zhiyan114
Contributor

Seems like I'm still having this issue as of the latest release (0.87.0). Though it could be a fluke, so I'll try again next week.

@tomaszkoperski

I'm having the same issue. I successfully got the keys to a Mifare Classic 1K card (Keys found: 32/32, Sectors read: 16/16), but I'm unable to open the lock (either through directly emulating the card after read or after the card is saved). I'm using FW 0.87.1.

@bwachter

Ran into this issue yesterday as well. I was originally assuming a corrupted card dump, but converting the Flipper .nfc file to a Proxmark .bin and uploading it to a Proxmark with HF_MFCSIM let me correctly emulate the card there.
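Converting the Flipper .nfc file to a Proxmark binary, as described in the comment above, is a useful cross-check because Proxmark's emulation takes a raw block image (64 blocks of 16 bytes for a 1K card) and so exercises the dump independently of the Flipper's emulator. The Python below is an added implementation, not code from this thread, the Flipper project or Proxmark. It relies on the header layout shown in the diff earlier in the thread; the `Mifare Classic type:` and `Block N:` lines and the `??` marker for bytes that were never read are assumptions about the rest of the v3 format. The sample dump is constructed inline, with key B of the last trailer left unread to mirror the 30/32-keys fobs reported here; the converter reports exactly which bytes it had to fill, and checks block 0 (UID followed by its BCC) before producing the image.

```python
"""Convert a Flipper Zero Mifare Classic .nfc dump into the raw block image Proxmark3 loads."""
import re
import sys
from typing import Dict, List, Optional, Tuple

BLOCKS_PER_TYPE = {"MINI": 20, "1K": 64, "4K": 256}  # assumed spellings of the type field
BLOCK_RE = re.compile(r"^Block (\d+):\s*(.*)$")      # assumed block-line format


def _hx(bs: List[int]) -> str:
    return " ".join(f"{b:02X}" for b in bs)


def constructed_sample() -> str:
    """A made-up 1K dump in the v3 layout; only the header field names come from the thread."""
    uid = [0x04, 0xA1, 0xB2, 0xC3]
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]          # ISO14443-A block check character
    lines = ["Filetype: Flipper NFC device", "Version: 3", "Device type: Mifare Classic",
             "UID: " + _hx(uid), "ATQA: 00 04", "SAK: 08", "# Mifare Classic specific data",
             "Mifare Classic type: 1K", "Data format version: 2"]
    for blk in range(64):
        if blk == 0:                                  # manufacturer block: UID, BCC, SAK, ATQA, vendor bytes
            body = _hx(uid + [bcc, 0x08, 0x04, 0x00] + list(range(0x62, 0x6A)))
        elif blk == 63:                               # last trailer: key B never recovered
            body = "A0 A1 A2 A3 A4 A5 78 77 88 C1 ?? ?? ?? ?? ?? ??"
        elif blk % 4 == 3:                            # default trailer with FF 07 80 69 access bytes
            body = _hx([0xFF] * 6 + [0xFF, 0x07, 0x80, 0x69] + [0xFF] * 6)
        else:
            body = _hx([0] * 16)
        lines.append(f"Block {blk}: {body}")
    return "\n".join(lines) + "\n"


def parse_flipper_nfc(text: str) -> Dict:
    """Parse header fields and block lines; unknown bytes ('??') become None."""
    fields: Dict[str, str] = {}
    blocks: Dict[int, List[Optional[int]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_RE.match(line)
        if m:
            cells = m.group(2).split()
            if len(cells) != 16:
                raise ValueError(f"block {m.group(1)}: expected 16 bytes, got {len(cells)}")
            blocks[int(m.group(1))] = [None if c == "??" else int(c, 16) for c in cells]
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if fields.get("Device type") != "Mifare Classic":
        raise ValueError("not a Mifare Classic dump")
    return {
        "uid": bytes.fromhex(fields["UID"].replace(" ", "")),
        "atqa": bytes.fromhex(fields["ATQA"].replace(" ", "")),
        "sak": int(fields["SAK"], 16),
        "type": fields.get("Mifare Classic type", "1K"),
        "blocks": blocks,
    }


def check_block0(card: Dict) -> bool:
    """For a 4-byte UID, block 0 must start with the UID followed by the XOR of its bytes."""
    b0 = card["blocks"].get(0)
    uid = card["uid"]
    if b0 is None or len(uid) != 4 or any(x is None for x in b0[:5]):
        return False
    return bytes(b0[:4]) == uid and b0[4] == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3])


def to_proxmark_bin(card: Dict, fill: int = 0x00) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Flatten blocks into a contiguous image; return it with (block, offset) of every filled byte."""
    total = BLOCKS_PER_TYPE.get(card["type"].upper()) or (max(card["blocks"]) + 1)
    out = bytearray(total * 16)
    unknown: List[Tuple[int, int]] = []
    for blk in range(total):
        data = card["blocks"].get(blk) or [None] * 16  # a block absent from the file is all unknown
        for i, val in enumerate(data):
            if val is None:
                unknown.append((blk, i))
                val = fill
            out[blk * 16 + i] = val
    return bytes(out), unknown


if __name__ == "__main__":
    card = parse_flipper_nfc(constructed_sample())
    image, gaps = to_proxmark_bin(card)
    print(f"block 0 ok: {check_block0(card)}; {len(image)} bytes; {len(gaps)} unknown bytes in blocks "
          f"{sorted({b for b, _ in gaps})}")
    if len(sys.argv) > 1:
        with open(sys.argv[1], "wb") as fh:
            fh.write(image)
```

Bytes the Flipper never read are zero-filled in the image; the returned list says which ones, so an emulation failure on a sector the reader actually authenticates to can be traced back to a missing key rather than blamed on the emulator.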

@skotopes
Member

We need an exchange dump (it can be sniffed with a Proxmark).

@doomwastaken
Member

@bwachter @AlexMilender could you check this again on latest firmware?

@hmvs

hmvs commented Nov 4, 2023

Now it is working! Thanks

@AlexMilender
Author

@bwachter @AlexMilender could you check this again on latest firmware?

Yes, it is working in v0.94.1. Thanks!
