From c176524fca3d8ab3485fd5ef5220b8c7f3cdae2d Mon Sep 17 00:00:00 2001 From: Aaron Tulino Date: Sun, 25 Jan 2026 15:47:12 -0700 Subject: [PATCH] NFC: ISO 15693-3 emulation READ_MULTI and GET_BLOCK_SECURITY fixes (#501) * Fix ISO15693 crash (hopefully) * NFC: Fix off-by-one block count in ISO 15693-3 READ MULTI command * NFC: Handle 256 long BLOCK SECURITY response and too large READ MULTI response * Move the define so correlation is clearer * Oops * Change to no reply if too many blocks requested than can be handled * Update CHANGELOG.md --------- Co-authored-by: WillyJL --- CHANGELOG.md | 1 + .../presets/nfc/iso15693_signal.c | 6 +++++- .../iso15693_3/iso15693_3_listener.c | 2 -- .../iso15693_3/iso15693_3_listener_i.c | 20 ++++++++++++++++--- .../iso15693_3/iso15693_3_listener_i.h | 12 +++++++++++ 5 files changed, 35 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cc8ed1259..5f94135d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,7 @@ - UL: Nice Flor S remove extra uint64 variable (by @xMasterX) - NFC: - Fix sending 32+ byte ISO 15693-3 commands (by @WillyJL) + - Fixes to `READ_MULTI` and `GET_BLOCK_SECURITY` commands in ISO 15693-3 emulation (#501 by @WillyJL & aaronjamt) - UL: Fix LED not blinking at SLIX unlock (by @xMasterX) - UL: UI: Some small changes (by @xMasterX) diff --git a/lib/digital_signal/presets/nfc/iso15693_signal.c b/lib/digital_signal/presets/nfc/iso15693_signal.c index 43066b5bf..560a393a0 100644 --- a/lib/digital_signal/presets/nfc/iso15693_signal.c +++ b/lib/digital_signal/presets/nfc/iso15693_signal.c @@ -2,8 +2,12 @@ #include +#include + #define BITS_IN_BYTE (8U) +#define ISO15693_SIGNAL_BUFFER_SIZE (ISO15693_3_LISTENER_BUFFER_SIZE * BITS_IN_BYTE + 2) + #define ISO15693_SIGNAL_COEFF_HI (1U) #define ISO15693_SIGNAL_COEFF_LO (4U) @@ -151,7 +155,7 @@ Iso15693Signal* iso15693_signal_alloc(const GpioPin* pin) { Iso15693Signal* instance = malloc(sizeof(Iso15693Signal)); - instance->tx_sequence = digital_sequence_alloc(BITS_IN_BYTE * 255 + 2, pin); + instance->tx_sequence = digital_sequence_alloc(ISO15693_SIGNAL_BUFFER_SIZE, pin); for(uint32_t i = 0; i < Iso15693SignalDataRateNum; ++i) { iso15693_signal_bank_fill(instance, i); diff --git a/lib/nfc/protocols/iso15693_3/iso15693_3_listener.c b/lib/nfc/protocols/iso15693_3/iso15693_3_listener.c index 151e4ae4a..2d1d053c3 100644 --- a/lib/nfc/protocols/iso15693_3/iso15693_3_listener.c +++ b/lib/nfc/protocols/iso15693_3/iso15693_3_listener.c @@ -8,8 +8,6 @@ #define TAG "Iso15693_3Listener" -#define ISO15693_3_LISTENER_BUFFER_SIZE (256U) - Iso15693_3Listener* iso15693_3_listener_alloc(Nfc* nfc, Iso15693_3Data* data) { furi_assert(nfc); diff --git a/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.c b/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.c index 6132fbf47..1e0f65bfd 100644 --- a/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.c +++ b/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.c @@ -263,8 +263,9 @@ static Iso15693_3Error iso15693_3_listener_read_multi_blocks_handler( const uint32_t block_index_start = request->first_block_num; const uint32_t block_index_end = - MIN((block_index_start + request->block_count + 1), + MIN((block_index_start + request->block_count), ((uint32_t)instance->data->system_info.block_count - 1)); + const uint32_t block_count = block_index_end - block_index_start + 1; error = iso15693_3_listener_extension_handler( instance, @@ -273,8 +274,21 @@ static Iso15693_3Error iso15693_3_listener_read_multi_blocks_handler( (uint32_t)block_index_end); if(error != Iso15693_3ErrorNone) break; + const bool include_block_security = (flags & ISO15693_3_REQ_FLAG_T4_OPTION) != 0; + const uint8_t bytes_per_block = + (include_block_security ? 1 : 0) + instance->data->system_info.block_size; + const uint32_t response_data_max = + bit_buffer_get_capacity_bytes(instance->tx_buffer) - 1 - 2; // Flags and CRC + const uint32_t response_blocks_max = response_data_max / bytes_per_block; + if(block_count > response_blocks_max) { + // Tested on SLIX2, if asked for more blocks than supported at once there is no reply + // Let's do the same + error = Iso15693_3ErrorIgnore; + break; + } + for(uint32_t i = block_index_start; i <= block_index_end; ++i) { - if(flags & ISO15693_3_REQ_FLAG_T4_OPTION) { + if(include_block_security) { iso15693_3_append_block_security( instance->data, i, instance->tx_buffer); // Block security (optional) } @@ -341,7 +355,7 @@ static Iso15693_3Error iso15693_3_listener_write_multi_blocks_handler( if(error != Iso15693_3ErrorNone) break; - for(uint32_t i = block_index_start; i < block_count + request->first_block_num; ++i) { + for(uint32_t i = block_index_start; i <= block_index_end; ++i) { const uint8_t* block_data = &request->block_data[block_size * i]; iso15693_3_set_block_data(instance->data, i, block_data, block_size); } diff --git a/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.h b/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.h index a9e0822bf..24a2d1cf0 100644 --- a/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.h +++ b/lib/nfc/protocols/iso15693_3/iso15693_3_listener_i.h @@ -10,6 +10,18 @@ extern "C" { #endif +// Based on GET_BLOCKS_SECURITY, one of the commands with lengthier responses: +// - 1 byte flags +// - 1 byte security status * 256 max block count +// - 2 byte crc +// for a response size of 259 bytes. +// There is also READ_MULTI_BLOCKS which has no explicit limit on requested block count +// and ISO 15693-3 also does not specify a maximum overall response length, so this command could +// theoretically result in a 8195 byte response (1 byte flags + 32 byte block * 256 blocks + 2 byte crc); +// for practicality we use a sufficient buffer for a full GET_BLOCKS_SECURITY and +// limit READ_MULTI_BLOCKS to how many blocks we can fit into that buffer size. +#define ISO15693_3_LISTENER_BUFFER_SIZE (259U) + typedef enum { Iso15693_3ListenerStateReady, Iso15693_3ListenerStateSelected,