Add support for Ultralight emulation. #215

Merged
merged 60 commits into from
Jul 16, 2024

turbocool3r
Contributor

This PR adds support for Mifare Ultralight emulation.

Currently it's a bit untested and lacks functionality of newer ultralight versions and NTAGs (e.g. password auth). I'll convert it from a WIP PR when it's ready. In the current state it can emulate the original Ultralight and the UID magic mode works.


github-actions bot commented Jun 8, 2024

You are welcome to add an entry to the CHANGELOG.md as well

@xianglin1998
Contributor

Perfect👍

@turbocool3r
Contributor Author

There is currently some memory corruption bug that in some cases overwrites the m_tag_handler structure; I need to figure that out first before finishing it. I don't have a lot of time now though, but I hope to do that soon.


github-actions bot commented Jun 19, 2024

Built artifacts for commit 25a1230

Firmware

Client

@turbocool3r
Contributor Author

I've tested that this works with a proxmark so looks good to me. If someone could test this thoroughly as well it would be nice.

Currently I've tested:

  • Password auth for MF0UL11 with various AUTH0 values, enabled/disabled UID mode,
  • R/O locking using static lock bytes (both block and page) for MF0ICU1, MF0UL11,
  • R/O locking using dynamic lock bytes (both block and page) for MF0UL11,
  • CFGLCK bit,
  • signature reading, get version, counters for MF0UL11 and MF0UL21. Checked that this doesn't work on MF0ICU1,
  • invalid commands returning NAK (though I'm not sure which values are to be used in certain cases),
  • PWD/PACK reading in non-UID mode returns zeroes, in UID the actual values.

Problems:

  • state is always authenticated after the first successful auth. Not sure if the reset handler is the right place to change that (though it seems so),
  • no mirroring support on NTAG (should I add it rn?)
  • maybe something else

@turbocool3r turbocool3r marked this pull request as ready for review June 19, 2024 20:06
@taichunmin
Contributor

taichunmin commented Jun 27, 2024

Should we support the ASCII mirror function of NTAG?
ref: https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf page 20

@turbocool3r
Contributor Author

I could add this as well.

@xianglin1998
Contributor

Everything ready?

I'll do last tests on write locking in the evening and then it should be done.

OK, and you can reuse 'STATUS_PAR_ERR'.

@turbocool3r
Contributor Author

> I think the NAK of the NTAG emulation should not only return 0x04.

I'll check what the original cards reply. So far Ultralight cards mostly ignore bad commands while NTAGs reply with NAKs.

@turbocool3r
Contributor Author

> The addr of NTAG213/215/216's READ_CNT cmd is 2?

Indeed. I'll compare with an original card and patch that.

@turbocool3r
Contributor Author

> OK, and you can reuse 'STATUS_PAR_ERR'.

Where exactly do you want me to reuse this status, @xianglin1998? Isn't it clearer what the message is when the statuses are different? Also, in some places this helps to understand whether the wrong slot type is chosen or the arguments are invalid.

NAKs returned by both Ultralight and NTAG cards were 0 in my tests and Ultralights didn't respond to invalid commands at all.

@turbocool3r
Contributor Author

@taichunmin get/set counter is done, NAKs seem to be fixed and now work like real cards, NTAG counter index fixed.

@cyber-vi-king

cyber-vi-king commented Jul 11, 2024

Is there support for 7B ULEV1?

pm3 shows such cards as MIFARE Ultralight EV1 48bytes (MF0UL1101)
but if I configure a slot to MF0UL11 it wants 80 bytes and has a 4b UID

@turbocool3r
Contributor Author

> Is there support for 7B ULEV1?
>
> pm3 shows such cards as MIFARE Ultralight EV1 48bytes (MF0UL1101)
> but if I configure a slot to MF0UL11 it wants 80 bytes and has a 4b UID

Are you sure about the UID size? The code for slot initialization sets 7 byte size explicitly. Did you initialize the slot by doing `hw slot type -s n -t MF0UL11` and later `hw slot init -s n -t MF0UL11` (n is the slot number)?

48 bytes means the amount of memory usable as general-purpose storage; the tag has more memory than that.

@turbocool3r
Contributor Author

I've fixed some bugs and added support for NTAG 210/212. So far all commands seem to be tested. Each MFU compatible tag type is properly detected by proxmark. Controlling counters and version/signature works. Loading and saving dumps from emulator also works. The only thing that is missing is Ultralight C authentication, but that's something that I think can be done in a follow up PR.

@xianglin1998
Contributor

Perfect!!! Can I merge it?

@turbocool3r
Contributor Author

@xianglin1998 yes, let's merge. I'll add Ultralight C auth and more cards in another PR or two.

@xianglin1998 xianglin1998 merged commit ac1c011 into RfidResearchGroup:main Jul 16, 2024
8 checks passed