1.0.0 - Public release

Author: AloneLiberty

FAQ.md

@@ -0,0 +1,59 @@
+# FAQ
+
+Q: What is that?
+
+A: This app implements nested and static nested attacks (nonces collection part)
+
+Q: Why can't I recover keys on Flipper Zero itself?
+
+A: In fact, you can. There is already an implementation of https://github.com/noproto/FlipperMfkey, and although the author has done a great job with optimization, for a nested attack it would just take a huge amount of time (~~2 hours in worst case for 1 key in regular~~ 30 minutes for 1 key, days in worst case for 1 key in delay + PRNG prediction). Maybe in a great future we will be able to know the exact PRNG value and then we can fit ourselves into these 30 minues. So it's all down to my lack of knowledge of the low-level NFC protocol/Flipper Zero itself.
+
+Q: I don't have keys, how I can read tag?
+
+A: You need to use darkside/reader attack. Reader attack is already implemented in Flipper firmware. Darkside attack isn't available now.
+
+Q: App says "Scan tag and find at least one key to start", but I already scanned tag and found keys. What I need to do?
+
+A: You need to save tag. More -> Save after scanning tag.
+
+Q: How I can recover keys?
+
+A: You need script: https://github.com/AloneLiberty/FlipperNestedRecovery
+
+Q: App name is "Mifare Nested" or "Flipper Nested"?
+
+A: In the early stages of development it was called Mifare Nested. But then I thought it was just better to avoid Mifare in the name, so I replaced it with Flipper. "Flipper Nested" does not really make it clear what this app is for, so it is called "Flipper (Mifare) Nested" in the app list. App can be called by any name: Flipper Nested, Mifare Nested, Flipper (Mifare) Nested, Mifare Nested Attacks for Flipper Zero, etc... But I prefer Flipper Nested.
+
+Q: How to check Flipper Zero/app logs?
+
+A: You need access to CLI. You can use lab.flipper.net (if you are chromium user) or use ./fbt cli. Then type: log debug.
+
+Q: How I can recover keys on phone?
+
+A: Probably you can't. The only way is to forward serial port to Termux and run script (never tried it).
+
+Q: Where are collected nonces/found keys located?
+
+A: App/desktop script write files in /ext/nfc/nested/ folder. "Check found keys" adds keys directly to your user dictionary.
+
+Q: I recovered keys via script, but still no new keys found when I try to scan tag?
+
+A: You need to run "Check found keys" in app, it will check keys on your tag and add valid to user dictionary. Then you can scan it via NFC app.
+
+Q: What is nonces?
+
+A: By nonces I mean authorization attempts on the tag. Because we can predict PRNG of the tag we can recover keys used in authorization attempts. If you want more info about Nested attach you can read [this paper](https://www.cs.umd.edu/~jkatz/security/downloads/Mifare3.pdf).
+
+Q: How I can ask for help?
+
+A: Create issue **with label "Question"** or use [discussions](https://github.com/AloneLiberty/FlipperNested/discussions). If you can't share private info in issue you can contact me in [Telegram](https://t.me/liberydev). 
+
+Q: What is being done at the moment and what are the plans?
+
+A: Check TODO.md. 
+
+Q: When darkside/hardnested attacks?
+
+A: Hardnested attack requires active connection to PC so I'm not going to do it. 
+
+Darkside is easier but I don't have time for that (nested took me extra ~~month~~ two months). I would be happy to accept PR if you implement it.

LICENSE.md

@@ -0,0 +1,62 @@
+# Mifare Nested Attacks for Flipper Zero
+
+Ported nested attacks from proxmark3 (Iceman fork)
+
+## Download
+
+[![FAP Factory](https://flipc.org/api/v1/AloneLiberty/FlipperNested/badge)](https://flipc.org/AloneLiberty/FlipperNested)
+
+## Currently supported attacks:
+
+ - static nested attack
+ - nested attack
+
+## Warning
+
+App is still in early development, so there may be bugs. Your Flipper Zero may randomly crash/froze. Please create issue if you find any bugs (one bug = one issue).
+
+## Disclaimer
+
+The app provided for personal use only. Developer does not take responsibility for any loss or damage caused by the misuse of this app. In addition, the app developer does not guarantee the performance or compatibility of the app with all tags, and cannot be held liable for any damage caused to your tags/Flipper Zero as a result of using the app. By using this app you confirm that the tag belongs to you, you have permission to preform the attack and you agree to hold the app developer harmless from any and all claims, damages, or losses that may arise from its use.
+
+## I need **your** help!
+
+To successfuly recover keys from nested attack we need to correctly predict PRNG value. But we have a problem with that. Due to lack of my knowlege of Flipper Zero NFC HAL, PRNG can jump by quite large values (not like Proxmark3). So app is trying to find a delay where PRNG can be predicted accurately enough. This is not the best option, because we have to try to recover a bunch of unnecessary keys, which takes a lot of time and RAM and also spend a lot of time on timings. I don't know how to fix it. 
+
+UPD: Chameleon Ultra devs [faced same issue](https://youtu.be/_wfikmXNQzE?t=202). They seems to use same method: [nested.c](https://github.com/RfidResearchGroup/ChameleonUltra/blob/main/software/src/nested.c) (better know from the beginning of development...)
+
+## How to use it?
+
+This guide assumes that you have already installed the app.
+
+To recover keys from card you first need to collect nonces.
+
+That's what this app was created for. App can't recover keys on Flipper Zero (yet). You need to use external device (PC) to recover keys. You can't use Mfkey32 on your phone with this app.
+
+1. Save tag after scanning (you must have found at least one key). This action will create key cache that app will use for authorization on tag.
+
+2. Run "Nested attack" from app menu
+
+3. Wait until calibration complete
+
+If the calibration passed and nonce collection began, you are very lucky and the tag is vulnerable. If not, you cannot use this app to recover keys from this tag.
+
+Calibration can take a lot of time. If the calibration takes longer than 10 minutes, it is better to see the logs. Some static encrypted nonce tags may lead to inifnity calibration loop.
+
+4. Wait until "Nonces collected!"
+
+5. Recover keys via [desktop script](https://github.com/AloneLiberty/FlipperNestedRecovery)
+
+6. Run "Check found keys" in app menu
+
+When all keys are checked, they will be added to your user key dictonary. You can rescan your tag now. 
+
+If not all keys found - run Nested attack again.
+
+## FAQ
+
+For frequently asked questions, please refer to the [FAQ.md](./FAQ.md) file.
+
+## Contacts
+
+Telegram: [@libertydev](https://t.me/libertydev)

README.md

@@ -0,0 +1,9 @@
+# TODO:
+
+1. Better (faster) detection of delay in a nested attack
+2. Fix infinite calibration on static encrypted nonce tags
+
+## Thinking about:
+
+1. Files (.nonces and .keys) in Flipper file format (why?)
+2. Collect nonces without turning off the tag (no idea how PRNG will react to this and what speed increase will it give?) HALT=0x50

TODO.md

@@ -0,0 +1,26 @@
+App(
+    appid="mifare_nested",
+    name="Flipper (Mifare) Nested",
+    apptype=FlipperAppType.EXTERNAL,
+    entry_point="mifare_nested_app",
+    requires=[
+        "storage",
+        "gui",
+    ],
+    stack_size=4 * 1024,
+    order=30,
+    fap_icon="assets/icon.png",
+    fap_category="NFC",
+    fap_private_libs=[
+        Lib(
+            name="nested",
+        ),
+        Lib(
+            name="parity",
+        ),
+        Lib(
+            name="crypto1",
+        )
+    ],
+    fap_icon_assets="assets",
+)

application.fam

@@ -0,0 +1,118 @@
+#include "crypto1.h"
+#include <string.h>
+
+void crypto1_reset(Crypto1* crypto1) {
+    furi_assert(crypto1);
+    crypto1->even = 0;
+    crypto1->odd = 0;
+}
+
+void crypto1_init(Crypto1* crypto1, uint64_t key) {
+    furi_assert(crypto1);
+    crypto1->even = 0;
+    crypto1->odd = 0;
+    for(int8_t i = 47; i > 0; i -= 2) {
+        crypto1->odd = crypto1->odd << 1 | FURI_BIT(key, (i - 1) ^ 7);
+        crypto1->even = crypto1->even << 1 | FURI_BIT(key, i ^ 7);
+    }
+}
+
+uint32_t crypto1_filter(uint32_t in) {
+    uint32_t out = 0;
+    out = 0xf22c0 >> (in & 0xf) & 16;
+    out |= 0x6c9c0 >> (in >> 4 & 0xf) & 8;
+    out |= 0x3c8b0 >> (in >> 8 & 0xf) & 4;
+    out |= 0x1e458 >> (in >> 12 & 0xf) & 2;
+    out |= 0x0d938 >> (in >> 16 & 0xf) & 1;
+    return FURI_BIT(0xEC57E80A, out);
+}
+
+uint8_t crypto1_bit(Crypto1* crypto1, uint8_t in, int is_encrypted) {
+    furi_assert(crypto1);
+    uint8_t out = crypto1_filter(crypto1->odd);
+    uint32_t feed = out & (!!is_encrypted);
+    feed ^= !!in;
+    feed ^= LF_POLY_ODD & crypto1->odd;
+    feed ^= LF_POLY_EVEN & crypto1->even;
+    crypto1->even = crypto1->even << 1 | (evenparity32(feed));
+
+    FURI_SWAP(crypto1->odd, crypto1->even);
+    return out;
+}
+
+uint8_t crypto1_byte(Crypto1* crypto1, uint8_t in, int is_encrypted) {
+    furi_assert(crypto1);
+    uint8_t out = 0;
+    for(uint8_t i = 0; i < 8; i++) {
+        out |= crypto1_bit(crypto1, FURI_BIT(in, i), is_encrypted) << i;
+    }
+    return out;
+}
+
+uint32_t crypto1_word(Crypto1* crypto1, uint32_t in, int is_encrypted) {
+    furi_assert(crypto1);
+    uint32_t out = 0;
+    for(uint8_t i = 0; i < 32; i++) {
+        out |= crypto1_bit(crypto1, BEBIT(in, i), is_encrypted) << (24 ^ i);
+    }
+    return out;
+}
+
+uint32_t prng_successor(uint32_t x, uint32_t n) {
+    SWAPENDIAN(x);
+    while(n--) x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;
+
+    return SWAPENDIAN(x);
+}
+
+void crypto1_decrypt(
+    Crypto1* crypto,
+    uint8_t* encrypted_data,
+    uint16_t encrypted_data_bits,
+    uint8_t* decrypted_data) {
+    furi_assert(crypto);
+    furi_assert(encrypted_data);
+    furi_assert(decrypted_data);
+
+    if(encrypted_data_bits < 8) {
+        uint8_t decrypted_byte = 0;
+        decrypted_byte |= (crypto1_bit(crypto, 0, 0) ^ FURI_BIT(encrypted_data[0], 0)) << 0;
+        decrypted_byte |= (crypto1_bit(crypto, 0, 0) ^ FURI_BIT(encrypted_data[0], 1)) << 1;
+        decrypted_byte |= (crypto1_bit(crypto, 0, 0) ^ FURI_BIT(encrypted_data[0], 2)) << 2;
+        decrypted_byte |= (crypto1_bit(crypto, 0, 0) ^ FURI_BIT(encrypted_data[0], 3)) << 3;
+        decrypted_data[0] = decrypted_byte;
+    } else {
+        for(size_t i = 0; i < encrypted_data_bits / 8; i++) {
+            decrypted_data[i] = crypto1_byte(crypto, 0, 0) ^ encrypted_data[i];
+        }
+    }
+}
+
+void crypto1_encrypt(
+    Crypto1* crypto,
+    uint8_t* keystream,
+    uint8_t* plain_data,
+    uint16_t plain_data_bits,
+    uint8_t* encrypted_data,
+    uint8_t* encrypted_parity) {
+    furi_assert(crypto);
+    furi_assert(plain_data);
+    furi_assert(encrypted_data);
+    furi_assert(encrypted_parity);
+
+    if(plain_data_bits < 8) {
+        encrypted_data[0] = 0;
+        for(size_t i = 0; i < plain_data_bits; i++) {
+            encrypted_data[0] |= (crypto1_bit(crypto, 0, 0) ^ FURI_BIT(plain_data[0], i)) << i;
+        }
+    } else {
+        memset(encrypted_parity, 0, plain_data_bits / 8 + 1);
+        for(uint8_t i = 0; i < plain_data_bits / 8; i++) {
+            encrypted_data[i] = crypto1_byte(crypto, keystream ? keystream[i] : 0, 0) ^
+                                plain_data[i];
+            encrypted_parity[i / 8] |=
+                (((crypto1_filter(crypto->odd) ^ oddparity8(plain_data[i])) & 0x01)
+                 << (7 - (i & 0x0007)));
+        }
+    }
+}

assets/ApplyTag.png

@@ -0,0 +1,38 @@
+#include "../../lib/parity/parity.h"
+#include <lib/nfc/protocols/mifare_classic.h>
+#include <lib/nfc/protocols/crypto1.h>
+#include "stddef.h"
+
+#define LF_POLY_ODD (0x29CE5C)
+#define LF_POLY_EVEN (0x870804)
+
+#define SWAPENDIAN(x) (x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16)
+#define BEBIT(x, n) FURI_BIT(x, (n) ^ 24)
+
+void crypto1_reset(Crypto1* crypto1);
+
+void crypto1_init(Crypto1* crypto1, uint64_t key);
+
+uint32_t crypto1_filter(uint32_t in);
+
+uint8_t crypto1_bit(Crypto1* crypto1, uint8_t in, int is_encrypted);
+
+uint8_t crypto1_byte(Crypto1* crypto1, uint8_t in, int is_encrypted);
+
+uint32_t crypto1_word(Crypto1* crypto1, uint32_t in, int is_encrypted);
+
+uint32_t prng_successor(uint32_t x, uint32_t n);
+
+void crypto1_decrypt(
+    Crypto1* crypto,
+    uint8_t* encrypted_data,
+    uint16_t encrypted_data_bits,
+    uint8_t* decrypted_data);
+
+void crypto1_encrypt(
+    Crypto1* crypto,
+    uint8_t* keystream,
+    uint8_t* plain_data,
+    uint16_t plain_data_bits,
+    uint8_t* encrypted_data,
+    uint8_t* encrypted_parity);