From c0e169a22940973ad503e29af3de0b79fefc3c81 Mon Sep 17 00:00:00 2001 From: Mykhailo Shevchuk Date: Tue, 29 Apr 2025 02:31:41 +0300 Subject: [PATCH] Attempt to auth with default 3DES key --- .../mf_ultralight/mf_ultralight_poller.c | 74 +++++++++++++++---- .../mf_ultralight/mf_ultralight_poller_i.c | 6 +- .../mf_ultralight/mf_ultralight_poller_i.h | 1 + targets/f7/api_symbols.csv | 2 +- 4 files changed, 65 insertions(+), 18 deletions(-) diff --git a/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller.c b/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller.c index 3eb6524ed..6c6e230f0 100644 --- a/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller.c +++ b/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller.c 
@@ -445,25 +445,35 @@ static NfcCommand mf_ultralight_poller_handler_auth(MfUltralightPoller* instance static NfcCommand mf_ultralight_poller_handler_auth_ultralight_c(MfUltralightPoller* instance) { NfcCommand command = NfcCommandContinue; FURI_LOG_D(TAG, "MfulC auth"); - if(mf_ultralight_support_feature( - instance->feature_set, MfUltralightFeatureSupportAuthenticate)) { - instance->mfu_event.type = MfUltralightPollerEventTypeAuthRequest; - command = instance->callback(instance->general_event, instance->context); - if(!instance->mfu_event.data->auth_context.skip_auth) { - FURI_LOG_D(TAG, "Trying to authenticate with 3des key"); - instance->auth_context.tdes_key = instance->mfu_event.data->auth_context.tdes_key; - instance->error = mf_ultralight_poller_auth_tdes(instance, &instance->auth_context); + do { + if(mf_ultralight_support_feature( + instance->feature_set, MfUltralightFeatureSupportAuthenticate)) { + instance->mfu_event.type = MfUltralightPollerEventTypeAuthRequest; - if(instance->error == MfUltralightErrorNone && instance->auth_context.auth_success) { - FURI_LOG_D(TAG, "Auth success"); + command = instance->callback(instance->general_event, instance->context); + if(!instance->mfu_event.data->auth_context.skip_auth) { + FURI_LOG_D(TAG, "Trying to authenticate with 3des key"); + instance->auth_context.tdes_key = instance->mfu_event.data->auth_context.tdes_key; + instance->error = + mf_ultralight_poller_auth_tdes(instance, &instance->auth_context); + + if(instance->error == MfUltralightErrorNone && + instance->auth_context.auth_success) { + FURI_LOG_D(TAG, "Auth success"); + } else { + FURI_LOG_D(TAG, "Auth failed"); + iso14443_3a_poller_halt(instance->iso14443_3a_poller); + } } else { - FURI_LOG_D(TAG, "Auth failed"); - iso14443_3a_poller_halt(instance->iso14443_3a_poller); + // We assume here that it is card read without explicitly provided key + // So we try to auth with default one + instance->state = MfUltralightPollerStateTryDefaultMfulCKey; + break; } 
} - } - instance->state = MfUltralightPollerStateReadPages; + instance->state = MfUltralightPollerStateReadPages; + } while(false); return command; } @@ -560,6 +570,40 @@ static NfcCommand mf_ultralight_poller_handler_try_default_pass(MfUltralightPoll return NfcCommandContinue; } +static NfcCommand + mf_ultralight_poller_handler_try_default_ultralight_c_key(MfUltralightPoller* instance) { + do { + if(!mf_ultralight_support_feature( + instance->feature_set, MfUltralightFeatureSupportAuthenticate)) { + break; + } + + if(instance->auth_context.auth_success) { + break; + } + + FURI_LOG_D(TAG, "Trying authentication with default 3DES key"); + + memcpy( + &instance->auth_context.tdes_key.data, + MF_ULTRALIGHT_C_DEFAULT_KEY, + MF_ULTRALIGHT_C_AUTH_DES_KEY_SIZE); + + instance->error = mf_ultralight_poller_auth_tdes(instance, &instance->auth_context); + + if(instance->error == MfUltralightErrorNone && instance->auth_context.auth_success) { + FURI_LOG_D(TAG, "Default 3DES key detected"); + } else { + FURI_LOG_D(TAG, "Authentication attempt with default 3DES key failed"); + iso14443_3a_poller_halt(instance->iso14443_3a_poller); + } + + } while(false); + + instance->state = MfUltralightPollerStateReadPages; + return NfcCommandContinue; +} + static NfcCommand mf_ultralight_poller_handler_check_mfuc_auth_status(MfUltralightPoller* instance) { instance->state = MfUltralightPollerStateReadSuccess; @@ -724,6 +768,8 @@ static const MfUltralightPollerReadHandler mf_ultralight_poller_handler_read_tearing_flags, [MfUltralightPollerStateAuth] = mf_ultralight_poller_handler_auth, [MfUltralightPollerStateTryDefaultPass] = mf_ultralight_poller_handler_try_default_pass, + [MfUltralightPollerStateTryDefaultMfulCKey] = + mf_ultralight_poller_handler_try_default_ultralight_c_key, [MfUltralightPollerStateCheckMfulCAuthStatus] = mf_ultralight_poller_handler_check_mfuc_auth_status, [MfUltralightPollerStateAuthMfulC] = mf_ultralight_poller_handler_auth_ultralight_c, 
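Review bot: In the new `else` branch of `mf_ultralight_poller_handler_auth_ultralight_c`, `skip_auth` no longer means "do not authenticate". It now routes to `MfUltralightPollerStateTryDefaultMfulCKey`, so every read without a caller-supplied key sends an authentication exchange to the card. A caller that sets `skip_auth` to get a read with no authentication traffic has no way left to ask for that, and the field name no longer matches its effect. Consider a separate opt-in flag in the auth context for the default-key attempt, or document the new meaning where `skip_auth` is declared. The branch comment could then read `// skip_auth: caller supplied no key, so continue with the default-key attempt`.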
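Review bot: `mf_ultralight_poller_handler_try_default_ultralight_c_key` copies `MF_ULTRALIGHT_C_DEFAULT_KEY` into `instance->auth_context.tdes_key` and leaves it there when the attempt fails. Any later stage that reads the key without first checking `auth_success` would then see the default key for a card that rejected it. Clearing it in the failure branch avoids that: `memset(&instance->auth_context.tdes_key, 0, sizeof(instance->auth_context.tdes_key));`. The `memcpy` length is also a macro unrelated to the destination; `sizeof(instance->auth_context.tdes_key.data)` keeps the copy bounded by the field itself. A successful default-key authentication means the card is still on its factory key, which is a finding the caller probably wants, so it may deserve more than a `FURI_LOG_D` line.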
diff --git a/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.c b/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.c index 79c7b1d1a..fdafaf37d 100644 --- a/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.c +++ b/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.c @@ -167,7 +167,7 @@ MfUltralightError mf_ultralight_poller_authenticate_start( uint8_t* RndB = output + MF_ULTRALIGHT_C_AUTH_RND_B_BLOCK_OFFSET; mf_ultralight_3des_decrypt( &instance->des_context, - instance->mfu_event.data->auth_context.tdes_key.data, + instance->auth_context.tdes_key.data, iv, encRndB, sizeof(encRndB), @@ -178,7 +178,7 @@ MfUltralightError mf_ultralight_poller_authenticate_start( mf_ultralight_3des_encrypt( &instance->des_context, - instance->mfu_event.data->auth_context.tdes_key.data, + instance->auth_context.tdes_key.data, encRndB, output, MF_ULTRALIGHT_C_AUTH_DATA_SIZE, @@ -212,7 +212,7 @@ MfUltralightError mf_ultralight_poller_authenticate_end( mf_ultralight_3des_decrypt( &instance->des_context, - instance->mfu_event.data->auth_context.tdes_key.data, + instance->auth_context.tdes_key.data, RndB, bit_buffer_get_data(instance->rx_buffer) + 1, MF_ULTRALIGHT_C_AUTH_RND_BLOCK_SIZE, diff --git a/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.h b/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.h index 6880a0c43..7db9a77d9 100644 --- a/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.h +++ b/lib/nfc/protocols/mf_ultralight/mf_ultralight_poller_i.h @@ -59,6 +59,7 @@ typedef enum { MfUltralightPollerStateAuthMfulC, MfUltralightPollerStateReadPages, MfUltralightPollerStateTryDefaultPass, + MfUltralightPollerStateTryDefaultMfulCKey, MfUltralightPollerStateCheckMfulCAuthStatus, MfUltralightPollerStateReadFailed, MfUltralightPollerStateReadSuccess, diff --git a/targets/f7/api_symbols.csv b/targets/f7/api_symbols.csv index 66b8bb703..101a9f1bb 100755 --- a/targets/f7/api_symbols.csv +++ b/targets/f7/api_symbols.csv 
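Review bot: `mf_ultralight_poller_authenticate_start` now reads the 3DES key from `instance->auth_context.tdes_key.data` instead of the event data, so it relies on every caller having stored a key in `instance->auth_context` beforehand. The same substitution is made in the second hunk of that function and in `mf_ultralight_poller_authenticate_end`. The two handlers in `mf_ultralight_poller.c` do that copy, but both functions appear to have external linkage, and any other caller that still passes the key only through the event would silently authenticate with whatever bytes are in `auth_context`. A contract comment on both functions would make the precondition explicit, for example `/* Uses instance->auth_context.tdes_key; the caller must set it before calling. */`. Both function bodies extend beyond the hunks shown, so other uses of the event key inside them could not be checked here.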
@@ -1,5 +1,5 @@ entry,status,name,type,params -Version,+,86.2,, +Version,+,86.0,, Header,+,applications/drivers/subghz/cc1101_ext/cc1101_ext_interconnect.h,, Header,+,applications/services/bt/bt_service/bt.h,, Header,+,applications/services/bt/bt_service/bt_keys_storage.h,,