flipperzero-firmware
NFC emulation of a previously saved Mifare Classic 1k card does not work.
Describe the bug.
I have multiple saved cards from 0.62.1, and in the latest release candidate, when I emulate the card, my phone cannot detect it at all. When I emulate a saved NTAG/Ultralight there is no issue.
Reproduction
1. On 0.62, save a Mifare Classic 1k card
2. Update to the RC
3. NFC -> Saved -> saved card -> Emulate
4. Phone cannot detect the emulated card
Target
e28446de49db99093c33dd43a1c4773d94e35942 (release-candidate)
Logs
This is for a wifi tag I had: https://pastebin.com/R8s1gY2L
And this is for a contact (VCARD) mifare classic 1k card: https://pastebin.com/vA5HdcwK
Anything else?
No response
Thanks. Working on a fix.
Just tested this on c7772060657afc8ee5a160ea3ed62246d989c136. Reading a brand new MFC card with content and emulating it fails as well. I don't think it's about previous save data being wrong.
The reason could be that the Debug log level is enabled in Settings->System. Please confirm that you have set the log level to Info / Warning / Error / Default.
Log level was on Debug.
I have the same problem on my side; yesterday I tried a brute-force attack on a Mifare Classic ... which succeeded after 15 minutes. Anyway, once I tried to emulate the tag in front of the reader: not working (it was a VIGIK like this one: VIGIK READER).
I have some blank NFC Mifare Classic cards (white ones with UID/sector 0 writable), but faced the fact that there is no way to write NFC tags at all for now in the Flipper Zero firmware.
Exactly the same situation as @simkard69: the NFC Mifare Classic 1k card's keys and content are correctly extracted by the Flipper (👍), but the emulation seems to be the issue. The VIGIK denies the emulated version.
From what I've understood it's a timing issue: the Flipper's onboard NFC chip does not natively support the Mifare Classic 1k, and the current software implementation leads to timeouts in the VIGIK communication, right?
Anyway, I hope a software workaround will be enough to get past this issue!
Following commit c40e8811, I have been able to emulate a Mifare Classic 1k card successfully! I've been able to read it with NFC Tools on my phone, so now if it fails I'm going to blame the reader.
Thanks for the fix @gornekich, you may be waiting for other confirmations but in my case we're good!
@Xenthys I still cannot emulate freshly scanned or saved MFC 1k cards on c40e8811d68e9f4b8f603ae5d5826b814521014d.
Flipper firmware switched from stable to dev: https://github.com/flipperdevices/flipperzero-firmware/commit/c40e8811d68e9f4b8f603ae5d5826b814521014d
Results:
- Previously saved MFC 1k file emulated -> not recognized by the VIGIK reader
- Freshly scanned, keys retrieved, then emulated -> still KO
Thanks for the update though ;)
I still have an issue at some point.
Unable to read the whole contents with MIFARE Classic Tool (Android), and also with an ACR122U using libnfc.
It seems the tag disappears during the read.
All my cards work so this is odd, maybe try with one of mine / compare the content?
This one is safe, it's an old metrovalencia ticket from months ago: https://gist.github.com/Xenthys/4a7cc356b1a1caf052c9986495fb9c46
Hi guys!
I have also tried to emulate mifare classic cards on a vigik reader, with no success.
To check if the Flipper Zero emulation was working I have also tried to "read" it using an MFRC522 RFID reader; it was a failure except for the first sector, which was fine. I discovered that I could read each sector successfully but never read many of them in a row.
So I tried adding a delay between each read attempt, and it worked when I added a delay of 700 ms.
Do you think this is a hardware limitation of the Flipper Zero or "just" a software issue?
I hope this information might help. To finish, thanks to all of you for the amazing job on the project :-)
EDIT: my flipper zero has the dev firmware released the 9th of august https://github.com/flipperdevices/flipperzero-firmware/commit/01eb92db0695fe73f8866580af36cc03362d297c
Any news on this issue? With 0.67.2, I still can't get saved Mifare Classic 1k tags to work with Vigik readers (and some parts are missing when I read my emulated badge with Mifare Classic Tool).
@theblackhole yes. When you put your badge on the VIGIK READER, the reader checks if your badge is correct, it increments a value, and afterwards it checks if the value was incremented.
So when you put your Flipper on the Vigik reader, it fails on the second step because you cannot write to the Flipper during emulation.
This double check is only done by VIGIK. Most other brands only check the badge.
I hope you understand what i'm trying to explain.
I have some dumps of universal VIGIK badges from LaPoste. They have to be re-written every 3 to 4 days in order to continue working.
I'm pretty sure the reader cannot use that much encryption/ciphers in order to do what it needs. Should I try to dump a badge, use the VIGIK reader, then dump it again (... and so on), in order to find where the incremented number is located in memory?
@Coroxx you are right, but the value is incremented only if the badge is a "service provider" badge (post, electricity, gas, etc.). In this case, the provider must encode a badge which will only be valid for 3.5 days, as @simkard69 has mentioned, and the counter is probably useful to limit the use of the badge.
In the other case, if it is a "home" badge for people who live in the building, only the UID, or the first sector is used.
Each VIGIK central can work with both cases. FYI, the emulation of my own "home" badge fails on the Vigik central of my building (tested with the firmware released the 9th of August).
The "best" way to find the issue would be to sniff (thanks to a Proxmark) the timing of the exchange between a Vigik central and a valid badge, and try to reproduce it on a Flipper Zero (which seems to be a little bit "slow" for the moment).
So is it a software or a hardware issue?
Interesting... In my case, it is also a resident badge, not a service card.
In Mifare Classic Tool, the first sector is always read correctly. For other sectors, missing data occurs randomly (my last test result was a missing key on sector 14, and in the previous test it was sector 10). So if only the first sector is used it should work in theory, unless Vigik readers are more finicky than smartphones?
Also FYI, I also have an old UID-only dump of my badge (from a previous firmware) which doesn't work either. And I compared my badge dumps from Mifare Classic Tool with the ones from the Flipper and they are identical. So it seems like only the emulation mode might be affected by timing issues.
Is there a way to get logs of what is happening during emulation (or maybe with "Detect Reader" mode?)? Because while buying a Proxmark is tempting and would satisfy my curiosity, I think it is quite pricey for a beginner/hobbyist like me ^^
@Coroxx I don't know. I hope it is "only" a software limitation.
@theblackhole yes, in theory it "should" work. It also depends on the data written on your badge. Is there data only in the first sector?
For the logs question, I don't know. I also think that adding too many logs could slow down the Flipper Zero a little bit, no? Yeah, the Proxmark is expensive but it is probably the best way to debug this problem.
I hope I can try it in a few weeks or months.
> @theblackhole yes, in theory it "should" work. It also depends on the data written on your badge. Is there data only in the first sector?
No, not only the first sector. In a valid dump (of my badge with Mifare Classic Tool directly) there's data on the first 4 sectors. For sectors 5 through 15, it's filled with zeros except the last block of each sector where keys are stored. (In my case, it's the same key everywhere). If I wasn't clear, I can post a "censored" version of my dump to clarify my point if you want.
While exploring the new features of 0.62.2 (key extraction with mfkey32v2 in particular) I found out that there's a way to display the Flipper's logs via USB: https://github.com/equipter/mfkey32v2#using-log I'll see if I can make something out of it... but before that, I need to find a discreet setup, because a PC is a little more noticeable than the Flipper hahaha. Also, as you said, it might make things worse by slowing down the execution, but we'll see.
@theblackhole any news on this? Have you found anything relevant using the Flipper's logs via USB?
On this issue, I think it's important to mention a few things:
- Flipper Zero must not be in "Settings" -> "System" -> "Debug ON"; if it is activated, reading any emulated tag will always fail (tested on the latest stable release 0.69, reader was an Android phone with NFC). Make sure "Debug" (mode) is set to "OFF". (A PR to the Flipper Zero documentation mentioning this could help; I could make one.)
About a Mifare Classic 1k card that I'm trying to emulate and get to work with a VIGIK reader.
To sum up, what's working on my end:
- [X] Reading the physical tag with my Flipper Zero (attack by dictionary works all right).
- [X] Dumping with my phone the emulated tag from the Flipper Zero (previously acquired using read).
However, I've noticed a slight difference on sector 15 of my dump (emulated tag dump vs. the real physical tag dump); I believe a specific block of sector 15 is getting incremented by one.
This seems to be an anti-copy/duplication protection that's updated by the VIGIK reader each time the physical tag is used. A desync of the physical tag could happen if the Flipper Zero emulation worked for me; the emulation would need to take write requests into account, so that the tag could be modified in place.
That's unexpected given the nature of my tag: it is not a "service provider" one, and it works without being updated for weeks and months.
@AkechiShiro thanks for the Debug tip. It still cannot read the emulation with Mifare Classic Tool on my Fairphone 4 (it rarely detects it, and when it does it drops the connection right away).
For the anti-copy feature of your tag, you can read about it in #1345. The best test against it is what you did: scanning the real tag before and after using it and comparing the two dumps.
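The before/after dump comparison suggested above can be scripted. The following is an added example written for this thread, not Flipper Zero project code. It assumes MIFARE Classic Tool style text dumps ("+Sector: N" header followed by four 32-hex-character block lines, with an unreadable block written as 32 dashes) and works on constructed data, not real badge dumps. It diffs two dumps, flags blocks that were unreadable on either side (the randomly missing sectors mentioned earlier in the thread cannot be compared), and checks whether a changed block is a well-formed Mifare Classic value block so that an incremented counter can be decoded.

```python
"""Diff two Mifare Classic 1k dumps taken before and after a reader was used.

Added example for this thread (not Flipper Zero project code). Input format
assumed: MIFARE Classic Tool style text, "+Sector: N" header followed by four
32-hex-char block lines; a block the reader could not read is written as 32
'-' characters. The dumps produced by make_dump_text() are constructed for
illustration only and contain no real badge data.
"""
from typing import Dict, List, Optional, Tuple

Block = Optional[bytes]                 # None = block unreadable in that dump
Dump = Dict[Tuple[int, int], Block]     # (sector, block) -> 16 bytes

# Default sector trailer: key A FF..FF, access bits FF 07 80 69, key B FF..FF
TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")


def encode_value_block(value: int, addr: int) -> bytes:
    """Mifare Classic value block: value LE, ~value, value, addr, ~addr, addr, ~addr."""
    v = value.to_bytes(4, "little", signed=True)
    nv = bytes(b ^ 0xFF for b in v)
    return v + nv + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


def decode_value_block(blk: bytes) -> Optional[int]:
    """Return the counter if blk is a well-formed value block, else None."""
    v, nv, v2 = blk[0:4], blk[4:8], blk[8:12]
    a, na, a2, na2 = blk[12:16]
    if v != v2 or nv != bytes(b ^ 0xFF for b in v):
        return None
    if a != a2 or na != na2 or na != (a ^ 0xFF):
        return None
    return int.from_bytes(v, "little", signed=True)


def make_dump_text(counter: int, unreadable: Optional[Tuple[int, int]] = None) -> str:
    """Constructed 1k dump: fake manufacturer block, zeroed data, default
    trailers and one value block at sector 15 block 0 (absolute block 60)."""
    lines: List[str] = []
    for s in range(16):
        lines.append(f"+Sector: {s}")
        for b in range(4):
            if (s, b) == unreadable:
                blk = "-" * 32
            elif b == 3:
                blk = TRAILER.hex().upper()
            elif (s, b) == (0, 0):
                blk = "DEADBEEF" "22" "08" "0400" + "00" * 8   # UID, BCC, SAK, ATQA, filler
            elif (s, b) == (15, 0):
                blk = encode_value_block(counter, 60).hex().upper()
            else:
                blk = "00" * 16
            lines.append(blk)
    return "\n".join(lines)


def parse_mct_dump(text: str) -> Dump:
    """Parse MCT-style dump text into a {(sector, block): bytes | None} map."""
    dump: Dump = {}
    sector: Optional[int] = None
    block = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+Sector:"):
            sector = int(line.split(":", 1)[1])
            block = 0
            continue
        if sector is None:
            raise ValueError(f"block line before any sector header: {line!r}")
        if line == "-" * 32:
            dump[(sector, block)] = None
        elif len(line) == 32:
            dump[(sector, block)] = bytes.fromhex(line)
        else:
            raise ValueError(f"bad block line in sector {sector}: {line!r}")
        block += 1
    return dump


def diff_dumps(before: Dump, after: Dump) -> List[dict]:
    """Report blocks that changed, or could not be compared, between two dumps."""
    findings: List[dict] = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b is None or a is None:
            # Unreadable on at least one side: cannot say whether it changed.
            findings.append({"sector": key[0], "block": key[1], "kind": "unreadable"})
            continue
        if b == a:
            continue
        findings.append({
            "sector": key[0], "block": key[1], "kind": "changed",
            "offsets": [i for i in range(16) if b[i] != a[i]],
            "trailer": key[1] == 3,                 # keys / access bits live here
            "value_before": decode_value_block(b),  # None if not a value block
            "value_after": decode_value_block(a),
        })
    return findings


if __name__ == "__main__":
    before = parse_mct_dump(make_dump_text(42))
    after = parse_mct_dump(make_dump_text(43, unreadable=(10, 1)))
    for finding in diff_dumps(before, after):
        print(finding)
```

Run it on two real MCT exports by replacing the constructed dumps with `parse_mct_dump(open(path).read())`; a "changed" finding whose `value_before`/`value_after` both decode is a counter the reader wrote, while a changed trailer means keys or access bits moved and deserves a closer look before re-dumping.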
@Hugal31 you tried on the latest 0.69 firmware version and it still failed to read it with the Mifare Tool app? That's what I used and it works on a Xiaomi Poco F3.
Also @Hugal31 could you test NXP TagInfo in order to read your emulated tag on the Flipper Zero ?
Here is a scan log in XML of an emulated tag I did; I redacted some information, but it was properly detected (UID, ATQA, SAK, ...).
This does not try to dump the tag, but just tries to read a few pieces of information by scanning quickly (it takes about 10 seconds at most on my phone, I believe). Sometimes the communication is cut off if I move the Flipper Zero too much once the scan has begun, so make sure you hold the phone and the Flipper Zero firmly together.
I failed to mention reading the tag header with NFC Tools works.
I tried using NXP with the firmware 0.69.1:
- Quick scan says "Tag communication was interrupted"
- Full scan says "There seems to be serious errors communicating with the tag"
The error happens just after the scan starts so I didn't even have the time to move the Flipper. I also have to stick it to the back of my phone and remove its protection to make it somewhat work. With any other NFC tag emulation (e.g. an Amiibo), it works even at 2 cm from the phone.
I'd like to note an interesting observation: there are numerous VIGIK reader versions (so far, I'm aware of V1/V2/V3). Could everyone who mentioned that the emulation didn't work look at the version at the bottom of the reader and specify for which version it failed?
This might help us maybe find an old reader version that emulation still works with.
So far, looking around, I've seen V2 and V3 readers but not V1 readers; here is a picture of what it looks like:

@Coroxx V2 readers can sometimes increment a value inside a sector of the badge as an anti-counterfeit protection (but they don't ALL do that, since I've seen a V2 VIGIK reader that does not increment the value and for which the FP Zero emulation still fails, so this can't be due to some "write/increment" request failing on the emulation side).
I suspect that V2/V3 probably have some "features" or differences that V1 doesn't, I'm looking to know if a VIGIK V1 reader works with the Flipper Zero's emulation or not (of the latest version of the firmware 0.76.0).
@AkechiShiro Sorry, I have never seen a version like V1 or similar. Just no extra info except the VIGIK name. Some examples are below, perhaps that's useful for you

Hello, Will emulation ever work for "Vigik" or is it simply impossible to achieve?
@skotopes could we please have any official information on this issue? It's been a while. I know that #2529 is a full refactor of the NFC stack of the FP Zero's firmware, but I don't think there is any fix regarding the VIGIK issue.
If there is any way/investigation that you or @gornekich would recommend, any user could try it using either a Proxmark RDV3 or an SDR (Software Defined Radio)?
So we can really hammer on whether this issue can be solved or not.
@AkechiShiro we currently don't have Vigik tags/readers. We were planning to revisit this issue after refactoring complete.