Mifare DESFire tag emulation support #287

Merged: 10 commits, Oct 19, 2020

Conversation

maxieds (Contributor) commented Oct 18, 2020

Overview of this pull request

This pull request is the effective culmination of my efforts starting this summer to add DESFire tag emulation support to the stock Chameleon Mini firmware sources. I threw my gray hat in the ring offering to get this to work in #218, and it finally seems to be working well after months of head banging and hacking code. Please see the credits for this project -- it has been in part sponsored through GA Tech, where I am still a graduate student.

Modular commits to this branch

I made a point to break down the commit history from my separate repo into those made in this fork. This pull request also absorbs #285 and #286 as requisite components. The following is a summary of what has been added to this branch:

  1. LibNFC based software to test the DESFire implementation. This code is important to keep for reference as there are so many moving components with this spec that we should have a sanity check to make sure things don't get broken when modifications are made down the line. At the suggestion of @ceres-c, I put this code into a new directory in Software.
  2. Added detailed documentation here. I was not sure where exactly to file all of this, so I placed the markdown file in the Doc folder.
  3. Sample dump files, including a description of the contents they represent. The dump data includes some new AID types and files.
  4. The core of the DESFire tag support for the bulk of the completely new files that were added to make this happen. I decided to create a new directory to hold most of this implementation: Firmware/Chameleon-Mini/Application/DESFire. Because throwing all of this lengthy source code into a few files in the Application directory makes things impossible to read and maintain, I decided it was best to package up all of the innards of this new functionality and keep the necessary multiple files from cluttering up the main directory.
  5. Changes to the Makefile (see below).
  6. Other smaller changes to the stock sources during development.

Makefile changes (compendia and rationale)

  • Separated the configuration-specific settings into a new CONFIG_SETTINGS variable. This makes it very much painless to add new targets for normal, but non-default builds:

        desfire: CONFIG_SETTINGS:= -DCONFIG_MF_DESFIRE_SUPPORT -DDEFAULT_CONFIGURATION=CONFIG_NONE -DDESFIRE_CRYPTO1_SAVE_SPACE
        desfire: local-clean $(TARGET).elf $(TARGET).hex $(TARGET).eep
             @cp $(TARGET).hex $(TARGET)-DESFire.hex
             @cp $(TARGET).eep $(TARGET)-DESFire.eep
             @avr-size $(TARGET).elf

  • DESFire tag specific configuration and settings. Most of the big changes to the stock sources are easily disabled by default in the Makefile.
  • There is a new build target: make desfire. This configuration requires so much space on the AVR that it really only works as a standalone version.

The resulting two builds enabled by the make targets

$ make
$ avr-size Chameleon-Mini.elf
   text	   data	    bss	    dec	    hex	filename
  54256	   1226	   4708	  60190	   eb1e	Chameleon-Mini.elf

$ make desfire
$ avr-size Chameleon-Mini.elf     
   text	   data	    bss	    dec	    hex	filename
  60220	    316	   4417	  64953	   fdb9	Chameleon-Mini.elf

Concluding notes

Thanks to the testers on discord and to the developer / maintainers that oversee the main sources for all of the help and informative discussions while I was putting this code together! 🐧 💪

For what it's worth, the first testing release of the DESFire firmware mod came together around the night of RBG's sad passing on Rosh Hashanah this year. The images on the releases page of the intermediate repository I have been working in are carefully chosen and important to me. If you have some time, please glance through these tags and reflect.

maxieds (Contributor, Author) commented Oct 18, 2020

I want to point out another really nice feature of the code. The DESFire extensions of the Chameleon terminal command set can be used whenever the Chameleon is running CONFIG=MF_DESFIRE. I will point out a couple of interesting examples of use cases quoted from the docs:

DF_SETHDR=ATS xxxxxxxxxx
DF_SETHDR=HardwareVersion xxxx
DF_SETHDR=SoftwareVersion xxxx
DF_SETHDR=BatchNumber xxxxxxxxxx
DF_SETHDR=ProductionDate xxxx

These terminal commands should let users completely clone a DESFire tag. For example, to set the ATS bytes reported to emulate a JCOP tag:

DF_SETHDR=ATS 0675f7b102

This leads to nfc-anticol reporting the following tag data (the UID is pseudo-randomly generated):

Sent bits:     26 (7 bits)
Received bits: 03  44  
Sent bits:     93  20  
Received bits: 88  12  70  a7  4d  
Sent bits:     93  70  88  12  70  a7  4d  f0  08  
Received bits: 04  da  17  
Sent bits:     95  20  
Received bits: e2  c2  6c  b2  fe  
Sent bits:     95  70  e2  c2  6c  b2  fe  51  09  
Received bits: 20  fc  70  
Sent bits:     e0  50  bc  a5  
Received bits: 75  f7  b1  02  80  
Sent bits:     50  00  57  cd  

Found tag with
 UID: 1270a7e2c26cb2
ATQA: 4403
 SAK: 20
 ATS: 75  f7  b1  02  80

A convenient interface that can be used to control the device on the fly in the field is found in the latest versions of my Android logger app for the Chameleon Mini:

🎃 🎃 🎃
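The nfc-anticol trace above is raw ISO 14443-3A traffic, so it can be checked mechanically: each anticollision reply carries a BCC byte (the XOR of the four bytes before it), the cascade tag 0x88 marks a UID that continues in the next level, the SAK says whether the UID is complete and whether the tag speaks ISO 14443-4, and the ATS format byte T0 announces which interface bytes follow. The script below, an added example that is not part of this pull request or of the Chameleon Mini sources, parses the quoted trace and rebuilds the identity the emulated tag presented; it is the kind of check one would run after a DF_SETHDR change to confirm the emulator reports exactly what was intended. It assumes the "Received bits" line after RATS starts at T0 (i.e. the leading length byte 06 of the DF_SETHDR value and any CRC are not present in that line), and the FSCI/SAK bit meanings are the standard ones from ISO 14443-3/-4.

```python
"""Decode an nfc-anticol trace into the ISO 14443-3A identity (UID, ATQA, SAK)
and the ATS that a tag or emulator presented, verifying each anticollision
level's BCC byte.  Added example; not part of the pull request or the
Chameleon Mini sources."""
import re

# Trace lines copied from the nfc-anticol output quoted in the comment above.
TRACE = """\
Sent bits:     26 (7 bits)
Received bits: 03  44
Sent bits:     93  20
Received bits: 88  12  70  a7  4d
Sent bits:     93  70  88  12  70  a7  4d  f0  08
Received bits: 04  da  17
Sent bits:     95  20
Received bits: e2  c2  6c  b2  fe
Sent bits:     95  70  e2  c2  6c  b2  fe  51  09
Received bits: 20  fc  70
Sent bits:     e0  50  bc  a5
Received bits: 75  f7  b1  02  80
Sent bits:     50  00  57  cd
"""

REQA = 0x26
CASCADE_TAG = 0x88              # CT byte preceding UID bytes when another level follows
SEL_CMDS = (0x93, 0x95, 0x97)   # SEL codes for cascade levels 1, 2, 3
RATS = 0xE0
# FSCI nibble of T0 -> maximum frame size the card accepts (ISO 14443-4 table)
FSC_TABLE = (16, 24, 32, 40, 48, 64, 96, 128, 256)
LINE_RE = re.compile(r"^(Sent|Received) bits:\s*((?:[0-9a-f]{2}\s*)+)", re.I)


def parse_trace(text):
    """Turn the trace into a list of (direction, frame bytes) pairs.
    Trailing annotations such as '(7 bits)' are ignored."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((m.group(1), bytes.fromhex(m.group(2))))
    return frames


def bcc(data):
    """Block check character: XOR of the four bytes it protects."""
    result = 0
    for b in data:
        result ^= b
    return result


def decode_sak(sak):
    return {
        "uid_complete": not (sak & 0x04),   # bit 3 set = more cascade levels follow
        "iso14443_4": bool(sak & 0x20),     # bit 6 set = tag answers RATS with an ATS
    }


def decode_ats(ats):
    """Decode an ATS given from its format byte T0 onward (assumption: the
    length byte TL and any CRC are not included in the trace line)."""
    t0 = ats[0]
    info = {"fsc": FSC_TABLE[min(t0 & 0x0F, 8)]}
    pos = 1
    if t0 & 0x10:                            # TA1: bit rate capabilities
        info["ta1"] = ats[pos]
        pos += 1
    if t0 & 0x20:                            # TB1: frame waiting / start-up guard time
        tb1 = ats[pos]
        pos += 1
        info["fwi"], info["sfgi"] = tb1 >> 4, tb1 & 0x0F
    if t0 & 0x40:                            # TC1: CID / NAD support
        tc1 = ats[pos]
        pos += 1
        info["cid_supported"] = bool(tc1 & 0x02)
        info["nad_supported"] = bool(tc1 & 0x01)
    info["historical"] = ats[pos:]           # remaining bytes, left undecoded
    return info


def reconstruct(frames):
    """Walk each PCD->PICC exchange and rebuild what the tag claimed to be."""
    uid, atqa, sak, ats = bytearray(), None, None, None
    for (d_tx, tx), (d_rx, rx) in zip(frames, frames[1:]):
        if (d_tx, d_rx) != ("Sent", "Received"):
            continue
        if tx[0] == REQA:
            atqa = (rx[1] << 8) | rx[0]            # ATQA is transmitted low byte first
        elif tx[0] in SEL_CMDS and tx[1] == 0x20:  # anticollision: [CT] + UID bytes + BCC
            body, got = rx[:4], rx[4]
            if bcc(body) != got:
                raise ValueError(f"bad BCC at SEL {tx[0]:02x}: {got:02x} != {bcc(body):02x}")
            uid += body[1:] if body[0] == CASCADE_TAG else body
        elif tx[0] in SEL_CMDS and tx[1] == 0x70:  # SELECT: reply is SAK + CRC_A
            sak = rx[0]
        elif tx[0] == RATS:
            ats = bytes(rx)
    return {
        "uid": uid.hex(),
        "atqa": f"{atqa:04x}" if atqa is not None else None,
        "sak": sak,
        "sak_flags": decode_sak(sak) if sak is not None else None,
        "ats": decode_ats(ats) if ats else None,
    }


if __name__ == "__main__":
    print(reconstruct(parse_trace(TRACE)))
```

Run against the trace it reproduces the UID 1270a7e2c26cb2, ATQA 4403 and SAK 20 that nfc-anticol printed, and raises on a corrupted BCC, which is the quickest sign that an emulator is assembling its anticollision frames incorrectly.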

david-oswald (Collaborator) commented
Just to say: many thanks @maxieds for your contribution, that is really a massive improvement of the Chameleon firmware!
