Attempting to read DESFire Card causes furi_check() crash #3835

Open
5aji opened this issue Aug 11, 2024 · 4 comments
Labels: Bug, NFC (NFC-related)

Comments

5aji commented Aug 11, 2024

Describe the bug.

Reading a DESFire card crashes the Flipper with a furi_check() error. It seems to crash after trying to read the second block. This is a card I had lying around, and I do not possess the keys (nor am I trying to get them). This happens on both 0.104.0 and 0.105.0-RC.

Reproduction

  1. Open NFC App -> Read
  2. Alternatively, select Extra-> Read Specific -> DESFire
  3. Touch Flipper to keycard
  4. Lights blink for a split second and then the system reboots.

Target

Mifare DESFire Card

Logs

1050914 [D][NfcSupportedCards] Loaded 19 plugins
1050929 [D][Iso14443_4aPoller] Read ATS success
1050938 [D][MfDesfirePoller] Read version success
1050942 [D][MfDesfirePoller] Read free memory success
1050946 [D][MfDesfirePoller] Read master key settings success
1050950 [D][MfDesfirePoller] Read master key version success
1050955 [D][MfDesfirePoller] Read application ids success
1050958 [D][MfDesfirePoller] Selecting app 0
1050963 [D][MfDesfirePoller] Reading app 0
1050974 [D][MfDesfirePoller] Can't read file 0 data without authentication
1050978 [D][MfDesfirePoller] Selecting app 1
1050983 [D][MfDesfirePoller] Reading app 1
1050999 [D][MfDesfirePoller] Can't read file 1 data without authentication
1051002 [D][MfDesfirePoller] Selecting app 2
1051007 [D][MfDesfirePoller] Reading app 2

[CRASH][NfcWorker] furi_check failed
        r0 : 20025fe8
        r1 : 200251d0
        r2 : 0
        r3 : 0
        r4 : 0
        r5 : 0
        r6 : 20025fe8
        r7 : 200251d0
        r8 : 80a22e7
        r9 : 80a23d6
        r10 : 80a23e8
        r11 : 20031364
        lr : 80389d9
        stack watermark: 7556
             heap total: 186064
              heap free: 31576
         heap watermark: 27568
        core2: not faulted
Rebooting system

Anything else?

I have a Proxmark3 if that would help provide more information.

skotopes commented Aug 12, 2024

@5aji any details on the card itself? Vendor? Type? If you have a Proxmark, can you also post scan details from it?

5aji commented Aug 12, 2024

The key is a Walt Disney World keycard. I believe the vendor is NXP, DESFire EV1.

Image of back of card

There are no markings on the front.

Proxmark info

[usb] pm3 --> hf 14a info

[+]  UID: 04 3A 34 4A 52 67 80 
[+] ATQA: 03 44
[+]  SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE DESFire CL2
[+]    MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+]    MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+]    MIFARE DESFire EV3 2K/4K/8K
[+]    MIFARE DESFire Light 640B
[+]    NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 06 75 77 81 02 80 [ F0 00 ]
[=]      06...............  TL    length is 6 bytes
[=]         75............  T0    TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=]            77.........  TA1   different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=]               81......  TB1   SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=]                  02...  TC1   NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[+] 80  (compact TLV data object)


[usb] pm3 --> hf mfdes info

[=] ---------------------------------- Tag Information ----------------------------------
[+]               UID: 04 3A 34 4A 52 67 80 
[+]      Batch number: B9 0C 10 45 60 
[+]   Production date: week 16 / 2020

[=] --- Hardware Information
[=]    raw: 04010201001205
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x01 ( DESFire )
[=]        Subtype: 0x02
[=]        Version: 1.0 ( DESFire EV1 )
[=]   Storage size: 0x12 ( 512 bytes )
[=]       Protocol: 0x05 ( ISO 14443-2, 14443-3 )

[=] --- Software Information
[=]    raw: 04010101051205
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x01 ( DESFire )
[=]        Subtype: 0x01
[=]        Version: 1.5
[=]   Storage size: 0x12 ( 512 bytes )
[=]       Protocol: 0x05 ( ISO 14443-3, 14443-4 )

[=] --------------------------------- Card capabilities ---------------------------------

[+] --- AID list
[+] AIDs:  f70090, 78e127, 4c4344

[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 3 free memory 128 bytes
[+] PICC level auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] PICC level rights:
[+] [1...] CMK Configuration changeable   : YES
[+] [.1..] CMK required for create/delete : NO
[+] [..1.] Directory list access with CMK : NO
[+] [...1] CMK is changeable              : YES
[+] 
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 254 (0xfe)

[=] --- Free memory
[+]    Available free memory on card         : 128 bytes

[=] Standalone DESFire

If necessary I can pull out my debugger and try and find exactly what check fails.

skotopes commented

If you can get a backtrace from the debugger, that will simplify everything.

5aji commented Aug 14, 2024

Got the backtrace:

Backtrace

(gdb) bt
#0  0x080121f4 in __furi_crash_implementation () at furi/core/check.c:170
#1  0x08038a88 in mf_desfire_poller_read_key_versions (instance=0x20025078, data=0x20024260 <mbedtls_internal_sha1_process+2360>, count=0)
    at lib/nfc/protocols/mf_desfire/mf_desfire_poller_i.c:186
#2  0x08038e24 in mf_desfire_poller_read_application (instance=instance@entry=0x20025078, data=0x20024198 <mbedtls_internal_sha1_process+2160>)
    at lib/nfc/protocols/mf_desfire/mf_desfire_poller_i.c:493
#3  0x08038efe in mf_desfire_poller_read_applications (instance=instance@entry=0x20025078, app_ids=0x200251f8, data=0x20025228)
    at lib/nfc/protocols/mf_desfire/mf_desfire_poller_i.c:543
#4  0x08041d2e in mf_desfire_poller_handler_read_applications (instance=0x20025078) at lib/nfc/protocols/mf_desfire/mf_desfire_poller.c:157
#5  0x0803d23c in iso14443_3a_poller_run (event=..., context=0x20024650 <mbedtls_internal_sha1_process+3368>)
    at lib/nfc/protocols/iso14443_3a/iso14443_3a_poller.c:80
#6  iso14443_3a_poller_run (event=..., context=0x20024650 <mbedtls_internal_sha1_process+3368>)
    at lib/nfc/protocols/iso14443_3a/iso14443_3a_poller.c:63
#7  0x0803ca22 in nfc_poller_start_callback (event=..., context=0x20024580 <mbedtls_internal_sha1_process+3160>) at lib/nfc/nfc_poller.c:111
#8  0x0803bb10 in nfc_worker_poller_ready_handler (instance=0x20010528) at lib/nfc/nfc.c:182
#9  0x0803bb94 in nfc_worker_poller (context=0x20010528) at lib/nfc/nfc.c:232
#10 0x08015cea in furi_thread_body (context=0x20010760) at furi/core/thread.c:103
#11 0x08015c9a in furi_thread_catch () at furi/core/thread.c:75
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Haven't dug into it much, but it seems to be getting further than it should without the keys. The actual failure is the max_keys being zero for some reason.

EDIT: Dug into it some more, found something interesting about the third app on this card:

[+] Application number: 0x4C4344
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=]   DF AID Function... 4C4344  : (unknown)
[+] Auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... NO
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] 
Full `lsapp` output

[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 3 free memory 128 bytes
[+] PICC level auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] PICC level rights:
[+] [1...] CMK Configuration changeable   : YES
[+] [.1..] CMK required for create/delete : NO
[+] [..1.] Directory list access with CMK : NO
[+] [...1] CMK is changeable              : YES
[+] 
[+] Key: 2TDEA
[+] key count: 1
[+] PICC key 0 version: 254 (0xfe)

[+] --------------------------------- Applications list ---------------------------------
[+] Application number: 0xF70090
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[+]   AID mapped to MIFARE Classic AID (MAD): 7009
[+]   MAD AID Cluster  0x70      : hotel
[=]   MAD AID Function 0x7009    : Access control data for electronic locks [Timelox AB]
[+] Auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] 
[+] Application level rights:
[+] -- AMK authentication is necessary to change any key (default)
[+] [1...] AMK Configuration changeable   : YES
[+] [.0..] AMK required for create/delete : YES
[+] [..1.] Directory list access with AMK : NO
[+] [...1] AMK is changeable              : YES
[+] 
[+] Key: AES
[+] key count: 3
[+] 
[+] Key versions [0..2]:  00, 00, 00

[+] Application number: 0x78E127
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=]   DF AID Function... 78E127  : Disney MagicBand [Disney]
[+] Auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... YES
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] 
[+] Application level rights:
[+] -- AMK authentication is necessary to change any key (default)
[+] [1...] AMK Configuration changeable   : YES
[+] [.0..] AMK required for create/delete : YES
[+] [..1.] Directory list access with AMK : NO
[+] [...1] AMK is changeable              : YES
[+] 
[+] Key: AES
[+] key count: 2
[+] 
[+] Key versions [0..1]:  01, 01

[+] Application number: 0x4C4344
[+]   ISO id.... 0x0000
[+]   DF name...  ( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )
[=]   DF AID Function... 4C4344  : (unknown)
[+] Auth commands: 
[+]    Auth.............. NO
[+]    Auth ISO.......... NO
[+]    Auth AES.......... NO
[+]    Auth Ev2.......... NO
[+]    Auth ISO Native... YES
[+]    Auth LRP.......... NO
[+] 
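The backtrace shows the poller reaching mf_desfire_poller_read_key_versions with count=0 and tripping furi_check(). The following is an added example, not Flipper Zero firmware code: it treats the key count a card reports in its GetKeySettings reply as untrusted input and skips the application instead of asserting. The reply layout (byte 1 low nibble = key count), the FakeApp stand-in, and the third app's zero-key reply are assumptions constructed for the example.

```c
/* Added example, not Flipper Zero firmware code: treat the key count a card
 * reports in its GetKeySettings reply as untrusted input and skip the app
 * instead of asserting when it is zero. Assumed reply layout: byte 0 = key
 * settings bits, byte 1 = key count in its low nibble (1..14 on real cards). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DESFIRE_MAX_KEYS 14

typedef struct {                      /* constructed stand-in for one card app */
    uint32_t aid;
    uint8_t settings_rx[2];           /* GetKeySettings reply bytes */
    size_t settings_len;
    uint8_t key_versions[DESFIRE_MAX_KEYS]; /* what GetKeyVersion(n) would return */
} FakeApp;

typedef struct {
    size_t count;                     /* 0 == app skipped, nothing read */
    uint8_t versions[DESFIRE_MAX_KEYS];
} KeyVersions;

/* Returns 0 for a short reply or an impossible key count (0 or > 14). */
static size_t parse_max_keys(const uint8_t* rx, size_t rx_len) {
    if (rx == NULL || rx_len < 2) return 0;
    size_t max_keys = rx[1] & 0x0F;
    return max_keys <= DESFIRE_MAX_KEYS ? max_keys : 0;
}

KeyVersions read_key_versions(const FakeApp* app) {
    KeyVersions out = {0};
    size_t max_keys = parse_max_keys(app->settings_rx, app->settings_len);
    for (size_t i = 0; i < max_keys; i++) out.versions[i] = app->key_versions[i];
    out.count = max_keys;             /* the loop simply does not run when 0 */
    return out;
}

/* Sample apps modelled on the lsapp output above; the third is constructed to
 * report zero keys, the condition that tripped furi_check() in the backtrace. */
static const FakeApp sample_apps[] = {
    {0xF70090, {0x0B, 0x83}, 2, {0x00, 0x00, 0x00}},
    {0x78E127, {0x0B, 0x82}, 2, {0x01, 0x01}},
    {0x4C4344, {0x0B, 0x00}, 2, {0}},
};

int main(void) {
    for (size_t a = 0; a < sizeof sample_apps / sizeof sample_apps[0]; a++) {
        KeyVersions kv = read_key_versions(&sample_apps[a]);
        printf("app %06X: %zu key version(s)%s\n", (unsigned)sample_apps[a].aid,
               kv.count, kv.count == 0 ? " (skipped, bad key count)" : "");
    }
    return 0;
}
```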
