Nothing happens when mapping [Galaxy S7 SM-G930U] #267

Closed
Gigelf opened this issue Sep 25, 2019 · 19 comments
@Gigelf

Gigelf commented Sep 25, 2019

Hi,

I bought a Galaxy S7 to use MCT.
I got a SM-G930U (usa firmware), patched it with latest june patch.
When I start "mapping and read tag", nothing happens, continuous wheel.
NXP TagInfo "freezes" same way but NFC Tools can read without problem.
A friend of mine has a European version of the S7 (SM-G930F), and it works perfectly.

Any idea what it could be? The NFC chip can read Mifare because the NFC Tools app can.

Thanks

@Gigelf
Author

Gigelf commented Sep 25, 2019

Here are some debug logs, if it can help
logcat.txt
run.txt

@ikarus23 ikarus23 added the bug label Sep 26, 2019
@ikarus23
Owner

Very interesting. At this point I have no idea what could cause this. It is weird that an official app from the manufacturer of Mifare Classic tags cannot read them, but a third-party app can.

Does the tag have default keys? Can NFC Tools display the content of the whole tag?

@Gigelf
Author

Gigelf commented Sep 28, 2019

Tried a blank card with default keys and a door tag with keys I cracked.
Can't test reading the whole content of the door tag on NFC Tools as it has a non-default key.

MCT Video: https://www.youtube.com/watch?v=y8dc3bAaq9E&feature=youtu.be

NFC Tools video: https://www.youtube.com/watch?v=T3Vv0TpX18s&feature=youtu.be

@Gigelf
Author

Gigelf commented Sep 29, 2019

Forgot to point out something: the NFC service seems to crash when trying to read a tag. I have to uncheck/check the NFC service to be able to read another tag. This problem does not appear with NFC Tools.

@ikarus23
Owner

ikarus23 commented Oct 3, 2019

I can't watch the videos, they are marked private.

@Gigelf
Author

Gigelf commented Oct 3, 2019

Oops, repaired that.

@masongaffney

I can't even get mine to flash now and I think it's bricked; I might have used the wrong firmware. But I have the same phone as you.

@ikarus23
Owner

Sorry for not reporting back earlier. It looks like the tag has 000000000000 as key. This causes issues on some devices. Maybe your model/firmware of the S7 has this issue. There is a thread over at #66. Especially #66 (comment) is worth a read. But I'm still puzzled why NFCTools can read something...

@ikarus23 ikarus23 changed the title from "Nothing happens when mapping on Galaxy S7 SM-G930U latest firmware" to "Nothing happens when mapping [Galaxy S7 SM-G930U]" Aug 15, 2020
@ferehcarb

Hi, I've exactly the same problem here with my S7 SM-G930U.
I can't read any tag memory but I can write a block on it with my custom keys.

@ikarus23
Owner

ikarus23 commented Sep 13, 2020

I can't read any tag memory

Have you tried reading new/empty/factory formatted tag?

@ferehcarb

Have you tried reading new/empty/factory formatted tag?

No, I didn't. I just tried and it works for an empty tag.

@ikarus23
Owner

Hmm. Again, this sounds like the key 000000000000 issue from #66. I don't think there is much I can do. At least not without owning a Galaxy S7 for debugging.

@ferehcarb

I don't think there is much I can do. At least not without owning a Galaxy S7 for debugging.

This is my only phone, I can't send it to you but I can do some tests if you want. I'm able to use adb and compile Android apps if necessary.

@ikarus23
Owner

I guess the first step is to verify if the tag in question has a key of 000000000000. Do you have, e.g., a USB reader to try it?

@ferehcarb

I guess the first step is to verify if the tag in question has a key of 000000000000. Do you have, e.g., a USB reader to try it?

Yes, I've one.
The tag does not have a 000000000000 key. Only FFFFFFFFFFFF, EDEDEDEDEDED and a random one.

@ikarus23
Owner

Strange. So a factory formatted tag can be read, but this one not, even though it has "normal" keys. If you know your way around Android Studio, Java and debuggers, you can try to set a breakpoint somewhere around here. At least this is the section where the authentication for the key mapping process is. But I'm not sure what to expect. I've never heard of this error and I have no clue what is causing it.

@ferehcarb

ferehcarb commented Sep 29, 2020

Thanks for your advice, I found the root cause:
The call to transceive from the function authenticate in MifareClassic.java never returns when you use a wrong key.
I tried to hard-code the mKeyMap with the keys of my tag and short-circuit buildNextKeyMapPart, and it works, I can read the tag.
When I use wrong keys, I get a lot of errors in logcat even after MCT is terminated:

2020-09-29 07:01:45.053 7994-8016/? E/BrcmNfcJni: setReconnectState = 0x0
2020-09-29 07:01:45.058 7994-8016/? E/NxpExtns: Mifare Error in payload response
2020-09-29 07:01:45.058 7994-8016/? E/BrcmNfcJni: setReconnectState = 0x0
2020-09-29 07:01:45.065 7994-8070/? E/BrcmNfcJni: getReconnectState = 0x0
2020-09-29 07:01:45.072 7994-8016/? E/BrcmNfcJni: setReconnectState = 0x0
2020-09-29 07:01:45.081 7994-8016/? E/NxpExtns: Mifare Error in payload response
2020-09-29 07:01:45.082 7994-8016/? E/BrcmNfcJni: setReconnectState = 0x0
2020-09-29 07:01:45.087 7994-8070/? E/BrcmNfcJni: getReconnectState = 0x0
2020-09-29 07:01:45.098 7994-8016/? E/BrcmNfcJni: setReconnectState = 0x0
2020-09-29 07:01:45.103 7994-8016/? E/NxpExtns: Mifare Error in payload response

I must deactivate and reactivate NFC in Android to stop errors.

I don't know why the transceive function doesn't return with the wrong key, maybe a bug or a "security" feature.
So if I want to use MifareClassicTool, I need to know the whole key mapping, and to know the key mapping I need to read the tag... this is a vicious circle.
The two solutions I see:

  • Add a feature to MifareClassicTool to use a complete key mapping file (keys A and B from all sectors), useless for many users I think.
  • Find why transceive function doesn't work with wrong key.

@ikarus23
Owner

Thanks for investigating! For me this looks like a bug in the NFC stack. Not the first time something like this comes up. Regarding your solutions:

  1. This is already on the roadmap for quite some time... Quick dump #43
  2. Even if you find the bug, Android or Samsung has to fix it, I guess.

@ikarus23
Owner

After some reading: transceive(byte[]) can block until the tag is done with the operation and answers. So there might be a chance that the tag is broken (only answers if key is correct). The easiest way to check this would be to use a Proxmark3 and sniff. However, I don't think this is very likely.

There is a setTimeout(int) function to cancel the transceive(). It may be used to improve the user experience, but it won't fix the issue.

I don't think there is anything helpful I can do for now. Therefore I'm closing this issue. Feel free to reopen it if you find any promising lead on how to fix it.
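The mapping loop ferehcarb describes (authenticate each sector with candidate keys, then read the sectors whose keys are known) and the setTimeout(int) idea from the closing comment, written out as an added example for this page. This is not MifareClassicTool's own code and does not touch its mKeyMap or buildNextKeyMapPart; BoundedKeyMapper, SectorKeys and the candidate key list are this example's own names and a constructed sample, and everything else is the public android.nfc.tech.MifareClassic API. As noted above, the timeout only bounds how long the app waits on a stack that never answers a wrong-key request; it does not make that stack answer.

```java
// Added example (not MifareClassicTool's code): sector key mapping with a bounded
// transceive wait, using only public android.nfc.tech.MifareClassic calls.
import android.nfc.Tag;
import android.nfc.TagLostException;
import android.nfc.tech.MifareClassic;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

public final class BoundedKeyMapper {

    // Candidate keys tried against every sector (constructed sample list of the
    // well-known defaults exposed by the Android API; replace with your own key file).
    private static final List<byte[]> CANDIDATES = Arrays.asList(
            MifareClassic.KEY_DEFAULT,                       // FF FF FF FF FF FF
            MifareClassic.KEY_MIFARE_APPLICATION_DIRECTORY,  // A0 A1 A2 A3 A4 A5
            MifareClassic.KEY_NFC_FORUM                      // D3 F7 D3 F7 D3 F7
    );

    /** Keys that authenticated one sector; a null entry means no candidate worked. */
    public static final class SectorKeys {
        public final byte[] keyA;
        public final byte[] keyB;
        SectorKeys(byte[] keyA, byte[] keyB) { this.keyA = keyA; this.keyB = keyB; }
    }

    /**
     * Builds a key map for every sector. setTimeout() bounds each authenticate()
     * call, so a stack that never answers a wrong-key request surfaces as a
     * TagLostException instead of an indefinite hang (the symptom in this issue).
     */
    public static SectorKeys[] mapKeys(Tag tag, int timeoutMs) throws IOException {
        MifareClassic mfc = MifareClassic.get(tag);
        if (mfc == null) {
            throw new IOException("tag does not expose the MifareClassic technology");
        }
        mfc.connect();
        mfc.setTimeout(timeoutMs);
        try {
            SectorKeys[] map = new SectorKeys[mfc.getSectorCount()];
            for (int sector = 0; sector < map.length; sector++) {
                byte[] keyA = null;
                byte[] keyB = null;
                for (byte[] key : CANDIDATES) {
                    if (keyA == null && authenticate(mfc, sector, key, true, timeoutMs)) keyA = key;
                    if (keyB == null && authenticate(mfc, sector, key, false, timeoutMs)) keyB = key;
                    if (keyA != null && keyB != null) break;
                }
                map[sector] = new SectorKeys(keyA, keyB);
            }
            return map;
        } finally {
            mfc.close();
        }
    }

    /** Reads every block of one sector using a key from the map (key A preferred). */
    public static byte[][] readSector(Tag tag, int sector, SectorKeys keys, int timeoutMs)
            throws IOException {
        MifareClassic mfc = MifareClassic.get(tag);
        if (mfc == null) throw new IOException("not a MifareClassic tag");
        mfc.connect();
        mfc.setTimeout(timeoutMs);
        try {
            boolean ok = keys.keyA != null
                    ? mfc.authenticateSectorWithKeyA(sector, keys.keyA)
                    : keys.keyB != null && mfc.authenticateSectorWithKeyB(sector, keys.keyB);
            if (!ok) throw new IOException("no working key for sector " + sector);
            int first = mfc.sectorToBlock(sector);
            int count = mfc.getBlockCountInSector(sector);
            byte[][] blocks = new byte[count][];
            for (int i = 0; i < count; i++) {
                blocks[i] = mfc.readBlock(first + i);   // 16 bytes per block
            }
            return blocks;
        } finally {
            mfc.close();
        }
    }

    /**
     * One authentication attempt. A wrong key normally returns false quickly; a
     * timeout or a tag leaving the field arrives as TagLostException, which is
     * treated as "no answer" and the session is re-established so the next
     * attempt does not inherit a wedged connection.
     */
    private static boolean authenticate(MifareClassic mfc, int sector, byte[] key,
                                        boolean useKeyA, int timeoutMs) throws IOException {
        try {
            return useKeyA ? mfc.authenticateSectorWithKeyA(sector, key)
                           : mfc.authenticateSectorWithKeyB(sector, key);
        } catch (TagLostException e) {
            if (!mfc.isConnected()) {
                mfc.close();
                mfc.connect();
                mfc.setTimeout(timeoutMs);
            }
            return false;
        }
    }
}
```

Call mapKeys(tag, 1000) from the activity's tag-discovered handler, then readSector() for each sector whose SectorKeys has a non-null key. Sectors that stay null are the ones to investigate with a USB reader, as the thread above does, rather than by retrying indefinitely on the phone.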
