flipperzero-firmware
Incorrect read of Mifare Ultralight tag with password locked pages
Describe the bug.
I'm doing research with PWD locked MFUL tags (for devs: Vizit RF3.1).
Those tags have locked pages after 0x22:
[usb] pm3 --> hf mfu info -k ...
...
[=] --- Tag Configuration
[=] cfg0 [37/0x25]: 00000022
[=] - strong modulation mode disabled
[=] - page 34 and above need authentication
...
From the datasheet:
AUTH0 defines the page address from which the password verification
is required. Valid address range for byte AUTH0 is 00h to FFh.
If AUTH0 is set to a page address which is higher than the last user
configuration page, the password protection is effectively disabled.
For this kind of tag, if it is read without the password, FZ reads 36 pages instead of 34, but the last two pages in that case are filled with the data of blocks 0 & 1, and it sets the tag as if there are 36 pages unlocked (which is wrong):
...
Pages total: 41
Pages read: 36
Page 0: 04 C9 D0 95
Page 1: 42 7A 17 90
...
Page 34: 04 C9 D0 95
Page 35: 42 7A 17 90
...
Page 37: 00 00 00 24
...
Other devices like Proxmark3, TMD-5S and SMKey work correctly and read 34 pages, as it should be according to AUTH0.
Attached files: Proxmark3.log (tag info + dumps with and without password), Locked.nfc, Unlocked.nfc
Many thanks!
Reproduction
- Enter NFC app
- Read MFUL21 tag with password and locked pages, starting from 0x22
- Inspect the dump
Target
v.1.0.1
Logs
No response
Anything else?
No response
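An added example, not part of the original issue and not the firmware's code: a small Python checker that reproduces the reported symptom (36 pages read, with pages 34 and 35 repeating pages 0 and 1) and flags such a tail in a dump. It assumes that an unauthenticated READ returns four pages and rolls over to page 0 at AUTH0; the reader model, the function names and the filler tag contents are constructed for illustration.

```python
import re

PAGE_RE = re.compile(r"^Page (\d+): ((?:[0-9A-Fa-f]{2} ?){4})\s*$", re.M)

def parse_pages(dump_text):
    """Collect 'Page N: xx xx xx xx' lines into a list ordered by page number."""
    found = {int(n): bytes.fromhex(h) for n, h in PAGE_RE.findall(dump_text)}
    return [found[i] for i in sorted(found)]

def read_no_auth(tag, auth0, start):
    """Assumed READ behaviour without PWD_AUTH: 4 pages, rolling over to page 0 at AUTH0."""
    if start >= auth0:
        return None  # modelled as a NAK for a protected start address
    return [tag[(start + i) % auth0] for i in range(4)]

def naive_dump(tag, auth0):
    """Hypothetical reader: keeps all 4 pages of every READ until the first NAK."""
    pages, addr = [], 0
    while (chunk := read_no_auth(tag, auth0, addr)) is not None:
        pages.extend(chunk)
        addr += 4
    return pages

def rollover_tail(pages):
    """Count trailing pages (1..3) that repeat pages 0..k-1; 0 if none do."""
    for k in (3, 2, 1):
        if len(pages) > 2 * k and pages[-k:] == pages[:k]:
            return k
    return 0

# Constructed 41-page tag: pages 0 and 1 as in the report, the rest is filler.
TAG = [bytes.fromhex("04C9D095"), bytes.fromhex("427A1790")] + [
    bytes([i] * 4) for i in range(2, 41)]
AUTH0 = 0x22  # AUTH0 byte of cfg0 as shown in the Proxmark3 output above

if __name__ == "__main__":
    raw = naive_dump(TAG, AUTH0)
    text = "\n".join(f"Page {i}: {p.hex(' ').upper()}" for i, p in enumerate(raw))
    pages = parse_pages(text)
    k = rollover_tail(pages)
    print(f"pages read: {len(pages)}, rolled-over tail: {k}, real pages: {len(pages) - k}")
```

`parse_pages` accepts the `Page N: xx xx xx xx` lines as they appear in the dump above, so `rollover_tail` can also be run on the text of a saved dump.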