Added Support for MIFARE Plus 2K Cards in SL1 Mode

[LuemmelSec]

What's new

Added Support for MIFARE Plus 2K Cards in SL1 Mode
MIFARE Plus 2k cards in SL1 mode - emulating a MIFARE Classic card - would get recognized as MIFARE Classic 1K card and Flipper would stop checking after sector 16. However, 2k cards in SL1 mode offer more sectors, typically 2 additional ones, which Flipper would miss and break the cards and emulation if there is stuff written to these sectors that is needed for it to function.

There is now a detection logic for 2k cards and the additional sectors are also read and cam be emulated.
This is also in reference to: #4053

Verification

Scan a MIFARE Plus 2K card in SL1 mode an see that only 16 sectors are scanned and Flipper detects it as MIFARE Classic 1K card.
Install the new firmware and observer that the 2K card is now correctly recognized and the additional sectors read.

Checklist (For Reviewer)

• [x ] PR has description of feature/bug or link to Confluence/Jira task
• [x ] Description contains actions to verify feature/bugfix
• [x ] I've built this code, uploaded it to the device and verified feature/bugfix

[fantomazz26]

Vamos a aprovechar 🫠

[LuemmelSec]

Be careful though. While it 1:1 reads the emulated tag on another Flipper as well as on a PM3 easy, the original reader would not recognize it for some reason. Still trying to find out why that might be.

[mxcdoam]

Hello, are you sure 2k sl1 cards have 18 sectors? I'm asking because all of mine have 32 sectors. I've tested this change, fz was able to detect 2k sl1, but was able to read 18 sectors only.

[LuemmelSec]

Yes they potentially can, it's a 2k card.
However, as SL1 is emulating a 1K card, I only found 2k SL1s with 2 additional sectors written to.

[mishamyte]

Can u pls reference datasheet or source of truth, which led you to the assumption there are 18 sectors?

Because in datasheet it's clearly described there are 32 sectors (2 kb) for MFP 2K in SL1.

I validated bunch of tags from different suppliers and real systems (like old transport cards from my city) and all tags have 32 sectors as described in DS.

Mifare-Plus-S.pdf

UPD. I can assume prob ur system for some reason changed pwd for 19+ sectors from factory to custom ones?

[LuemmelSec]

My card also has 32 sectors, but written data is only on sectors 16 + 17 as an addition. All others show up as unresponsive / no data in there.
This also plays into the same observation as mentioned in #4053.
I can assure you that there are no passwords on sectors after 17 for my card.
Anyways, I changed the code to read and emulate all 32 sectors now.

[mishamyte]

@LuemmelSec WDYM by "unresponsive"? Not sure I get u correctly.

If you will call hf mf rdsc -s 20 from PM3, you prob will get the default data (zeroes) and factory keys, correct?

Yeah, I see the change. It has more sense now TBH

[LuemmelSec]

Nope, that is not correct. In my case it looks like this:

[mishamyte]

@LuemmelSec hmm, weird

[mxcdoam]

Nope, that is not correct. In my case it looks like this:

Those sectors might be blocked by AC, or put into sl3 mode (MF Plus EVs can do that sector-wise)

[aaronjamt]

FWIW I have some Mifare Plus 2k cards as well and all of the first 32 sectors are able to be read with my Proxmark:

The hf mf rdsc -s 20 command also works fine with the right key, as well as hf mf rdsc -s 31.

[LuemmelSec]

Nice, thanks for the addition.