Skip to content

Add mode fuzzing for MF1 emulation#193

Open
rickNmorty2 wants to merge 11 commits intoRfidResearchGroup:mainfrom
rickNmorty2:enh-mode-fuzzing
Open

Add mode fuzzing for MF1 emulation#193
rickNmorty2 wants to merge 11 commits intoRfidResearchGroup:mainfrom
rickNmorty2:enh-mode-fuzzing

Conversation

@rickNmorty2
Copy link

@rickNmorty2 rickNmorty2 commented Dec 29, 2023
edited
Loading

This PR aims to provide a new mode called fuzzing. When in fuzzing mode, the slot generate a new (random)
content each time it is read. This allows to fuzz a reader for which the keys are known but required UID/bitfield values are not.

For example, we read twice the same slot on the ChameleonUltra, configured in fuzzing mode:

rick@linux-desktop:~$ nfc-mfclassic r a u first_read
rick@linux-desktop:~$ nfc-mfclassic r a u second_read

And we obtain different data:

rick@linux-desktop:~$ diff --git a/first_read.hx b/second_read.hx
index 6684444..1490847 100644
--- a/first_read.hx
+++ b/second_read.hx
@@ -1,65 +1,65 @@
-0000000 5d62 07fb 9a55 3f74 3436 5906 f41a 0f63
-0000010 620d 6f7c 729e 6ef8 a4f2 c548 8286 d0a5
-0000020 23b1 4760 c362 55fd b8bd f955 763c 6345
+0000000 9647 7409 79c7 b9bc 0515 5029 0ce7 c242
+0000010 d765 adf5 586c 2d9b 1343 901c c473 6bb9
+0000020 cd17 e2b3 19e2 72ec 78f0 35ed 64d1 ca56
 0000030 ffff ffff ffff 07ff 6980 0000 0000 0000
-0000040 0018 d9a8 6c68 148f dcee d4fa f29b 3db0
-0000050 16f0 2d2f 62c9 4571 22a3 3108 3b7c f0dc
-0000060 8ac1 c1e9 d2a0 b1dd 7281 bf6d e258 70cc
+0000040 9c67 bb13 14e4 6172 1dce ab2d 83f4 06df
+0000050 5879 a04b 3a8e 0154 a204 03b2 a546 4fe7
+0000060 dc79 0e49 e3d9 e5f0 f21e aab8 2f31 1da2
 0000070 ffff ffff ffff 07ff 6980 0000 0000 0000
-0000080 ffe4 3590 d7fe 3efd 0393 e6dd af4f 1eb0
-0000090 58d2 5771 6b80 f207 feaa 5138 a07f 1d37
-00000a0 9d70 5020 adc3 7bed 59d1 4ec7 f6ab 3376
+0000080 bba8 07fd dd73 4e3a 6541 22a2 c8ba 620e
+0000090 88ff f33b 9c2a 8de9 e593 33a7 f565 ae41
+00000a0 c0da f377 c865 d31e ed7b 5d02 4036 9f5e
 00000b0 ffff ffff ffff 07ff 6980 0000 0000 0000

It is a per-slot setting, configurable through the CLI:

[USB] chameleon --> hw slot list
 - Slot 1:(active)
   HF:  Mifare Classic 1k
      UID:                                    DEADBEEF
      ATQA:                                   0400 (0x0004)
      SAK:                                    08
      Gen1A magic mode:                       disabled
      Gen2 magic mode:                        disabled
      Use anti-collision data from block 0:   disabled
      Write mode:                             Normal
      Log (mfkey32) mode:                     disabled
      Fuzzing mode:                           disabled
   LF:  EM410X
      ID:                                     DEADBEEF88
[USB] chameleon --> hf mf econfig --enable-fuzzing -s 1
 - MF1 Emulator settings updated
[USB] chameleon --> hw slot list
 - Slot 1:(active)
   HF:  Mifare Classic 1k
      UID:                                    DEADBEEF
      ATQA:                                   0400 (0x0004)
      SAK:                                    08
      Gen1A magic mode:                       disabled
      Gen2 magic mode:                        disabled
      Use anti-collision data from block 0:   disabled
      Write mode:                             Normal
      Log (mfkey32) mode:                     disabled
      Fuzzing mode:                           enabled
   LF:  EM410X
      ID:

It is also possible to specify keys to use for fuzzing mode for each sector:

[USB] chameleon --> hf mf fuzz -h
--------------------------------------------------------------------------------
hf mf fuzz

Mifare Classic fuzzer tag

usage:
  hf mf fuzz [-h] [-k KEY [KEY ...]]

options:
  -h, --help            show this help message and exit
  -k KEY [KEY ...], --key KEY [KEY ...]
                        Key to use for a given sector

Note that the current implementation does not randomize keys and access mode when generating new data.

Any feedback on the idea and/or on the implementation (client or firmware side) is welcome.

@github-actions
Copy link

github-actions bot commented Dec 29, 2023

You are welcome to add an entry to the CHANGELOG.md as well

@github-actions
Copy link

github-actions bot commented Dec 29, 2023
edited
Loading

Built artifacts for commit 6a03449

Firmware

Client

p-l-
p-l- reviewed Jan 4, 2024
View reviewed changes
Copy link
Contributor

@p-l- p-l- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a great PR! I have a couple of improvements to suggest.

Also, a nice addition would be to (optionally) log the commands and answers. WDYT?

p-l-
p-l- reviewed Jan 5, 2024
View reviewed changes
@rickNmorty2
Copy link
Author

rickNmorty2 commented Jan 28, 2024

Thanks for the suggestions @p-l-

p-l-
p-l- reviewed Jan 29, 2024
View reviewed changes
@rickNmorty2
Copy link
Author

rickNmorty2 commented Apr 23, 2024

Hi,

For me this PR is ready to be merged. Or if you think it is not relevant I am OK to close it as well. Just let me know.

zeusricote pushed a commit to zeusricote/ChameleonUltra that referenced this pull request Jun 18, 2025
@zricote
RfidResearchGroup#239, RfidResearchGroup#231, RfidResearchGroup#201, R…
50bc73d 
…fidResearchGroup#193, and RfidResearchGroup#96(thread locking issue should have been fixed) merged
@GameTec-live
Copy link
Contributor

GameTec-live commented Aug 13, 2025

Hi! Are you still interested in working on this PR? would you consider resolving the merge conflicts and ensuring your code is up to date?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@p-l- p-l- p-l- left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rickNmorty2 @GameTec-live @p-l-