Fixed FAST_READ command and handling of dynamic and static locks for NTG213 NTG215 and NTG216 tags

Author: dogty

CHANGELOG.md

@@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+ - Fix for FAST_READ command for nfc - mf0 tags
+ - Rewrite of the dynamic and static locks logic for NTAG213, NTAG215 and NTAG216
  - Fix for static nested key recovery (@jekkos)
 
 ## [v2.1.0][2025-09-02]

firmware/application/src/rfid/nfctag/hf/nfc_14a.c

@@ -397,6 +397,15 @@ void nfc_tag_14a_data_process(uint8_t *p_data) {
                             m_tag_state_14a = NFC_TAG_STATE_14A_IDLE;
                         }
                         return;
+                    case NFC_TAG_14A_CMD_REQA:
+                    case NFC_TAG_14A_CMD_WUPA:
+                        // Reader is re-sending REQA/WUPA while in READY state
+                        // This can happen if reader retries or if frame was received incorrectly
+                        // Respond with ATQA again and stay in READY state
+                        if (auto_coll_res != NULL) {
+                            nfc_tag_14a_tx_bytes(auto_coll_res->atqa, 2, false);
+                        }
+                        return;
                     default: {
                         // After receiving the wrong level instruction, directly reset the status machine
                         NRF_LOG_INFO("[MFEMUL_SELECT] Incorrect cascade level received: %02x", p_data[0]);

firmware/application/src/rfid/nfctag/hf/nfc_mf0_ntag.c

@@ -675,20 +675,127 @@ static void handle_fast_read_command(uint8_t block_num, uint8_t end_block_num) {
 
     int block_max = get_block_max_by_tag_type(m_tag_type, true);
 
-    if (block_num >= end_block_num || end_block_num >= block_max) {
+    if (block_num > end_block_num || end_block_num >= block_max) {
         nfc_tag_14a_tx_nbit(NAK_INVALID_OPERATION_TBV, 4);
         return;
     }
 
     NRF_LOG_INFO("HANDLING FAST READ %02x %02x", block_num, end_block_num);
+    // FAST_READ is inclusive: read from block_num to end_block_num (both included)
+    handle_any_read(block_num, end_block_num - block_num + 1, block_max);
+}
+
+// Call with:
+//  - page: page number to check
+//  - user_memory_end_page: page index of the first config page (end of user memory page index + 1), used to locate dynamic lock bytes
+//  - dyn_lock_bit_page_cnt: 2 NTAG212/213, 16 for NTAG215/216
+static bool is_page_locked_ntag21x(uint16_t page,
+                                   uint16_t user_memory_end_page,
+                                   int dyn_lock_bit_page_cnt)
+{
+    if (page < 3) {
+        return true;
+    }
+
+    if (page >= 3 && page <= 7) {
+        uint8_t bit_index = (uint8_t)(page - 3); // 0 -> page3,4 -> page 7 
+        return (((m_tag_information->memory[2][2] >> 4 ) >> bit_index) & 0x1) != 0;
+    }
+    if (page >= 8 && page <= 15) {
+        uint8_t bit_index = (uint8_t)(page - 8); // 0 -> page3, 12 -> page15
+        return (((m_tag_information->memory[2][3] ) >> bit_index) & 0x1) != 0;
+    }
+
+    // Determine the start and end of the dynamic-lock-covered user pages:
+    const uint16_t dyn_start = 16;
+    const uint16_t dyn_end = (uint16_t)(user_memory_end_page - 1); // inclusive
 
-    handle_any_read(block_num, end_block_num - block_num, block_max);
+    if (page >= dyn_start && page <= dyn_end) {
+
+        // For NTAG21x the dynamic lock bytes are in bytes 0..2 of that page.
+        // We'll interpret them as three bytes [b0, b1, b2].
+        uint8_t b0 = m_tag_information->memory[user_memory_end_page][0];
+        uint8_t b1 = m_tag_information->memory[user_memory_end_page][1];
+        uint8_t b2 = m_tag_information->memory[user_memory_end_page][2];
+        // Each dynamic lock bit covers 'dyn_lock_bit_page_cnt' pages.
+        uint32_t relative = (uint32_t)(page - dyn_start);
+        uint32_t block_index = relative / (uint32_t)dyn_lock_bit_page_cnt; // which bit overall
+
+        // block_index maps into b0..b2 (bits 0..23)
+        uint8_t which_byte = (uint8_t)(block_index / 8);
+        uint8_t which_bit  = (uint8_t)(block_index % 8);
+
+        uint8_t target = 0;
+        if (which_byte == 0) target = b0;
+        else if (which_byte == 1) target = b1;
+        else if (which_byte == 2) target = b2;
+        else target = 0; // out-of-range -> treated as unlocked
+
+        return (((target >> which_bit) & 1) != 0);
+    }
+    return false;
 }
 
-static bool check_ro_lock_on_page(int block_num) {
-    if (block_num < 3) return true;
-    else if (block_num == 3) return (m_tag_information->memory[2][2] & 9) != 0; // bits 0 and 3
-    else if (block_num <= MF0ICU1_PAGES) {
+// Get user memory end page for NTAG21x tags, returns 0 for non-NTAG21x tags
+static int get_user_memory_end_page_by_tag_type(tag_specific_type_t tag_type) {
+    switch (tag_type) {
+        case TAG_TYPE_NTAG_213:
+            return NTAG213_USER_MEMORY_END;
+        case TAG_TYPE_NTAG_215:
+            return NTAG215_USER_MEMORY_END;
+        case TAG_TYPE_NTAG_216:
+            return NTAG216_USER_MEMORY_END;
+        default:
+            return 0;
+    }
+}
+
+// Handle special write cases for dynamic lock bytes and config pages
+// Returns ACK_VALUE if handled, 0 if not a special case
+static int handle_special_page_write(uint8_t block_num, uint8_t *p_data) {
+    int user_memory_end_page = get_user_memory_end_page_by_tag_type(m_tag_type);
+    int first_cfg_page = get_first_cfg_page_by_tag_type(m_tag_type);
+
+    // Handle dynamic lock bytes page (user_memory_end page) for NTAG21x tags
+    if (user_memory_end_page > 0 && block_num == user_memory_end_page) {
+        // Dynamic lock bytes are OR'ed just like static lock bytes
+        // Only bytes 0-2 contain lock bits, byte 3 is RFU (reserved, typically 0x00)
+        m_tag_information->memory[block_num][0] |= p_data[0];
+        m_tag_information->memory[block_num][1] |= p_data[1];
+        m_tag_information->memory[block_num][2] |= p_data[2];
+        m_tag_information->memory[block_num][3] = p_data[3];  // Byte 3 is RFU, write it directly
+        return ACK_VALUE;
+    }
+
+    // Handle PWD and PACK pages (always writable even when CFGLCK is set)
+    // PWD and PACK remain writable to allow password changes
+    if (first_cfg_page > 0 && (block_num == first_cfg_page + 2 || block_num == first_cfg_page + 3)) {
+        memcpy(m_tag_information->memory[block_num], p_data, NFC_TAG_MF0_NTAG_DATA_SIZE);
+        return ACK_VALUE;
+    }
+
+    // Handle config pages (CFG0 and CFG1) - check CFGLCK protection
+    if (first_cfg_page > 0 && (block_num == first_cfg_page || block_num == first_cfg_page + 1)) {
+        // Check CFGLCK bit (bit 6 of CFG0 byte 0)
+        // Per spec: CFGLCK permanently write-protects configuration pages
+        uint8_t cfglck = m_tag_information->memory[first_cfg_page][0] & 0x40;
+        if (cfglck != 0) {
+            // Config pages are locked
+            return NAK_INVALID_OPERATION_TBV;
+        }
+        // Not locked, allow write
+        memcpy(m_tag_information->memory[block_num], p_data, NFC_TAG_MF0_NTAG_DATA_SIZE);
+        return ACK_VALUE;
+    }
+
+    // Not a special case
+    return 0;
+}
+
+// Old v2.1.0 algorithm for MF0ICU1, MF0ICU2, MF0UL11, MF0UL21 tags
+static bool check_ro_lock_on_page_mf0(int block_num) {
+    // This function assumes block_num > 3 (pages 0-3 are handled by caller)
+    if (block_num <= MF0ICU1_PAGES) {
         bool locked = false;
 
         // check block locking bits
@@ -751,18 +858,6 @@ static bool check_ro_lock_on_page(int block_num) {
                 user_memory_end = NTAG212_USER_MEMORY_END;
                 dyn_lock_bit_page_cnt = 2;
                 break;
-            case TAG_TYPE_NTAG_213:
-                user_memory_end = NTAG213_USER_MEMORY_END;
-                dyn_lock_bit_page_cnt = 2;
-                break;
-            case TAG_TYPE_NTAG_215:
-                user_memory_end = NTAG215_USER_MEMORY_END;
-                dyn_lock_bit_page_cnt = 16;
-                break;
-            case TAG_TYPE_NTAG_216:
-                user_memory_end = NTAG216_USER_MEMORY_END;
-                dyn_lock_bit_page_cnt = 16;
-                break;
             default:
                 ASSERT(false);
                 break;
@@ -790,14 +885,90 @@ static bool check_ro_lock_on_page(int block_num) {
     }
 }
 
+// Check if a page is read-only locked
+// NOTE: This function is only called for block_num >= 3
+// Blocks 0-2, dynamic locks, and config pages are handled elsewhere
+static bool check_ro_lock_on_page(int block_num) {
+    // Page 3 (OTP/CC page) - check lock bits
+    if (block_num == 3) {
+        return (m_tag_information->memory[2][2] & 9) != 0; // bits 0 and 3
+    }
+
+    // For MF0ICU1, MF0ICU2, MF0UL11, MF0UL21, NTAG_210 and NTAG_212 tags - use old v2.1.0 algorithm. TODO try to merge the two
+    switch (m_tag_type) {
+        case TAG_TYPE_MF0ICU1:
+        case TAG_TYPE_MF0ICU2:
+        case TAG_TYPE_MF0UL11:
+        case TAG_TYPE_MF0UL21:
+        case TAG_TYPE_NTAG_210:
+        case TAG_TYPE_NTAG_212:
+            return check_ro_lock_on_page_mf0(block_num);
+        default:
+            break;
+    }
+
+    // For NTAG21x tags
+    int user_memory_end = get_user_memory_end_page_by_tag_type(m_tag_type);
+    if (user_memory_end == 0) {
+        ASSERT(false);
+        return false;
+    }
+
+    if (block_num < user_memory_end) {
+
+        switch (m_tag_type) {
+            case TAG_TYPE_NTAG_213: {
+                return is_page_locked_ntag21x(block_num,
+                                            NTAG213_USER_MEMORY_END, 2);
+            }
+            case TAG_TYPE_NTAG_215: {
+                return is_page_locked_ntag21x(block_num,
+                                            NTAG215_USER_MEMORY_END, 16);
+            }
+            case TAG_TYPE_NTAG_216: {
+                return is_page_locked_ntag21x(block_num,
+                                            NTAG216_USER_MEMORY_END, 16);
+            }
+            default:
+                ASSERT(false);
+                break;
+        }
+        return false;
+
+    } else {
+        // Pages beyond user memory end (password, pack, etc.) are always writable
+        // Note: Config pages and dynamic lock bytes are handled by handle_special_page_write()
+        // before this function is ever called
+        return false;
+    }
+}
+
 static int handle_write_command(uint8_t block_num, uint8_t *p_data) {
     int block_max = get_block_max_by_tag_type(m_tag_type, false);
-
-    if (block_num >= block_max) {
+    int first_cfg_page = get_first_cfg_page_by_tag_type(m_tag_type);
+    uint8_t cfglck = m_tag_information->memory[first_cfg_page][0] & 0x40;
+
+    // Check if block_num is within valid range
+    // Note: block_max already takes AUTH0 protection into account
+    //TODO Check if other tag types need special handling here
+    bool is_config_page = ((m_tag_type == TAG_TYPE_NTAG_213) 
+        || (m_tag_type == TAG_TYPE_NTAG_215) || (m_tag_type == TAG_TYPE_NTAG_216))
+        && (block_num >= first_cfg_page) && (block_num <= first_cfg_page + 1);
+    bool is_beyond_user_memory = (block_num >= block_max);
+    bool config_locked = (cfglck != 0);
+
+    // Reject out-of-bounds writes (except config pages)
+    if (is_beyond_user_memory && !is_config_page) {
         NRF_LOG_ERROR("Write failed: block_num %08x >= block_max %08x", block_num, block_max);
         return NAK_INVALID_OPERATION_TBV;
     }
 
+    // Reject writes to locked config pages
+    if (config_locked && is_config_page) {
+        NRF_LOG_ERROR("Write failed: config pages locked (cfglck=0x40)");
+        return NAK_INVALID_OPERATION_TBV;
+    }
+
     // Handle writing based on the current write mode
     if (m_tag_information->config.mode_block_write == NFC_TAG_MF0_NTAG_WRITE_DENIED) {
         // In this mode, reject all write operations
@@ -816,6 +987,19 @@ static int handle_write_command(uint8_t block_num, uint8_t *p_data) {
         return ACK_VALUE;
     }
 
+    switch (m_tag_type) {
+        case TAG_TYPE_NTAG_213:
+        case TAG_TYPE_NTAG_215:
+        case TAG_TYPE_NTAG_216:
+        // Check if this is a special page (dynamic lock bytes or config pages) and handle it
+            int special_result = handle_special_page_write(block_num, p_data);
+            if (special_result != 0) {
+                return special_result;
+            }
+        default:
+            break;
+    }
+    
     switch (block_num) {
         case 0:
         case 1:
@@ -872,6 +1056,13 @@ static void handle_read_cnt_command(uint8_t index) {
 static void handle_incr_cnt_command(uint8_t block_num, uint8_t *p_data) {
     uint8_t ctr_page_off;
     uint8_t ctr_page_end;
+    uint8_t first_index;
+    uint8_t *cnt_data;
+    uint32_t incr_value;
+    uint32_t cnt;
+
+    first_index = 0;
+
     switch (m_tag_type) {
         case TAG_TYPE_MF0UL11:
             ctr_page_off = MF0UL11_PAGES;
@@ -881,20 +1072,36 @@ static void handle_incr_cnt_command(uint8_t block_num, uint8_t *p_data) {
             ctr_page_off = MF0UL21_PAGES;
             ctr_page_end = ctr_page_off + MF0ULx1_NUM_CTRS;
             break;
+        case TAG_TYPE_NTAG_213:
+            ctr_page_off = NTAG213_PAGES;
+            ctr_page_end = ctr_page_off + NTAG_NUM_CTRS;
+            first_index = 2;
+            break;
+        case TAG_TYPE_NTAG_215:
+            ctr_page_off = NTAG215_PAGES;
+            ctr_page_end = ctr_page_off + NTAG_NUM_CTRS;
+            first_index = 2;
+            break;
+        case TAG_TYPE_NTAG_216:
+            ctr_page_off = NTAG216_PAGES;
+            ctr_page_end = ctr_page_off + NTAG_NUM_CTRS;
+            first_index = 2;
+            break;
         default:
             if (is_ntag()) nfc_tag_14a_tx_nbit(NAK_INVALID_OPERATION_TBV, 4);
             return;
     }
 
     // check that counter index is in bounds
-    if (block_num >= (ctr_page_end - ctr_page_off)) {
+    // NTAG cards expect counter address 2, so adjust for internal storage at offset 0
+    if ((block_num < first_index) || ((block_num - first_index) >= (ctr_page_end - ctr_page_off))) {
         nfc_tag_14a_tx_nbit(NAK_INVALID_OPERATION_TBV, 4);
         return;
     }
 
-    uint8_t *cnt_data = m_tag_information->memory[ctr_page_off + block_num];
-    uint32_t incr_value = ((uint32_t)p_data[0] << 16) | ((uint32_t)p_data[1] << 8) | ((uint32_t)p_data[2]);
-    uint32_t cnt = ((uint32_t)cnt_data[0] << 16) | ((uint32_t)cnt_data[1] << 8) | ((uint32_t)cnt_data[2]);
+    cnt_data = m_tag_information->memory[ctr_page_off + block_num - first_index];
+    incr_value = ((uint32_t)p_data[0] << 16) | ((uint32_t)p_data[1] << 8) | ((uint32_t)p_data[2]);
+    cnt = ((uint32_t)cnt_data[0] << 16) | ((uint32_t)cnt_data[1] << 8) | ((uint32_t)cnt_data[2]);
 
     if ((0xFFFFFF - cnt) < incr_value) {
         // set tearing event flag