Merge remote-tracking branch 'noproto/nestednonces' into dev

applications/debug/unit_tests/tests/nfc/nfc_test.c

@@ -496,7 +496,7 @@ NfcCommand mf_classic_poller_send_frame_callback(NfcGenericEventEx event, void*
             MfClassicKey key = {
                 .data = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
             };
-            error = mf_classic_poller_auth(instance, 0, &key, MfClassicKeyTypeA, NULL);
+            error = mf_classic_poller_auth(instance, 0, &key, MfClassicKeyTypeA, NULL, false);
             frame_test->state = (error == MfClassicErrorNone) ?
                                     NfcTestMfClassicSendFrameTestStateReadBlock :
                                     NfcTestMfClassicSendFrameTestStateFail;

applications/main/nfc/nfc_app_i.h

@@ -75,8 +75,12 @@
 #define NFC_APP_MFKEY32_LOGS_FILE_NAME ".mfkey32.log"
 #define NFC_APP_MFKEY32_LOGS_FILE_PATH (NFC_APP_FOLDER "/" NFC_APP_MFKEY32_LOGS_FILE_NAME)
 
-#define NFC_APP_MF_CLASSIC_DICT_USER_PATH   (NFC_APP_FOLDER "/assets/mf_classic_dict_user.nfc")
+#define NFC_APP_MF_CLASSIC_DICT_USER_PATH (NFC_APP_FOLDER "/assets/mf_classic_dict_user.nfc")
+#define NFC_APP_MF_CLASSIC_DICT_USER_NESTED_PATH \
+    (NFC_APP_FOLDER "/assets/mf_classic_dict_user_nested.nfc")
 #define NFC_APP_MF_CLASSIC_DICT_SYSTEM_PATH (NFC_APP_FOLDER "/assets/mf_classic_dict.nfc")
+#define NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH \
+    (NFC_APP_FOLDER "/assets/mf_classic_dict_nested.nfc")
 
 typedef enum {
     NfcRpcStateIdle,
@@ -94,6 +98,12 @@ typedef struct {
     bool is_key_attack;
     uint8_t key_attack_current_sector;
     bool is_card_present;
+    uint8_t nested_phase;
+    uint8_t prng_type;
+    uint8_t backdoor;
+    uint16_t nested_target_key;
+    uint16_t msb_count;
+    bool enhanced_dict;
 } NfcMfClassicDictAttackContext;
 
 struct NfcApp {

applications/main/nfc/scenes/nfc_scene_mf_classic_dict_attack.c

@@ -1,11 +1,16 @@
 #include "../nfc_app_i.h"
 
+#include <bit_lib/bit_lib.h>
 #include <dolphin/dolphin.h>
 #include <lib/nfc/protocols/mf_classic/mf_classic_poller.h>
 
 #define TAG "NfcMfClassicDictAttack"
 
+// TODO: Fix lag when leaving the dictionary attack view after Hardnested
+// TODO: Re-enters backdoor detection between user and system dictionary if no backdoor is found
+
 typedef enum {
+    DictAttackStateCUIDDictInProgress,
     DictAttackStateUserDictInProgress,
     DictAttackStateSystemDictInProgress,
 } DictAttackState;
@@ -29,7 +34,9 @@ NfcCommand nfc_dict_attack_worker_callback(NfcGenericEvent event, void* context)
     } else if(mfc_event->type == MfClassicPollerEventTypeRequestMode) {
         const MfClassicData* mfc_data =
             nfc_device_get_data(instance->nfc_device, NfcProtocolMfClassic);
-        mfc_event->data->poller_mode.mode = MfClassicPollerModeDictAttack;
+        mfc_event->data->poller_mode.mode = (instance->nfc_dict_context.enhanced_dict) ?
+                                                MfClassicPollerModeDictAttackEnhanced :
+                                                MfClassicPollerModeDictAttackStandard;
         mfc_event->data->poller_mode.data = mfc_data;
         instance->nfc_dict_context.sectors_total =
             mf_classic_get_total_sectors_num(mfc_data->type);
@@ -58,6 +65,11 @@ NfcCommand nfc_dict_attack_worker_callback(NfcGenericEvent event, void* context)
         instance->nfc_dict_context.sectors_read = data_update->sectors_read;
         instance->nfc_dict_context.keys_found = data_update->keys_found;
         instance->nfc_dict_context.current_sector = data_update->current_sector;
+        instance->nfc_dict_context.nested_phase = data_update->nested_phase;
+        instance->nfc_dict_context.prng_type = data_update->prng_type;
+        instance->nfc_dict_context.backdoor = data_update->backdoor;
+        instance->nfc_dict_context.nested_target_key = data_update->nested_target_key;
+        instance->nfc_dict_context.msb_count = data_update->msb_count;
         view_dispatcher_send_custom_event(
             instance->view_dispatcher, NfcCustomEventDictAttackDataUpdate);
     } else if(mfc_event->type == MfClassicPollerEventTypeNextSector) {
@@ -117,19 +129,72 @@ static void nfc_scene_mf_classic_dict_attack_update_view(NfcApp* instance) {
         dict_attack_set_keys_found(instance->dict_attack, mfc_dict->keys_found);
         dict_attack_set_current_dict_key(instance->dict_attack, mfc_dict->dict_keys_current);
         dict_attack_set_current_sector(instance->dict_attack, mfc_dict->current_sector);
+        dict_attack_set_nested_phase(instance->dict_attack, mfc_dict->nested_phase);
+        dict_attack_set_prng_type(instance->dict_attack, mfc_dict->prng_type);
+        dict_attack_set_backdoor(instance->dict_attack, mfc_dict->backdoor);
+        dict_attack_set_nested_target_key(instance->dict_attack, mfc_dict->nested_target_key);
+        dict_attack_set_msb_count(instance->dict_attack, mfc_dict->msb_count);
     }
 }
 
 static void nfc_scene_mf_classic_dict_attack_prepare_view(NfcApp* instance) {
     uint32_t state =
         scene_manager_get_scene_state(instance->scene_manager, NfcSceneMfClassicDictAttack);
+    if(state == DictAttackStateCUIDDictInProgress) {
+        do {
+            size_t cuid_len = 0;
+            const uint8_t* cuid = nfc_device_get_uid(instance->nfc_device, &cuid_len);
+            FuriString* cuid_dict_path = furi_string_alloc_printf(
+                "%s/mf_classic_dict_%08lx.nfc",
+                EXT_PATH("nfc/assets"),
+                (uint32_t)bit_lib_bytes_to_num_be(cuid + (cuid_len - 4), 4));
+
+            if(!keys_dict_check_presence(furi_string_get_cstr(cuid_dict_path))) {
+                state = DictAttackStateUserDictInProgress;
+                break;
+            }
+
+            instance->nfc_dict_context.dict = keys_dict_alloc(
+                furi_string_get_cstr(cuid_dict_path),
+                KeysDictModeOpenExisting,
+                sizeof(MfClassicKey));
+            if(keys_dict_get_total_keys(instance->nfc_dict_context.dict) == 0) {
+                keys_dict_free(instance->nfc_dict_context.dict);
+                state = DictAttackStateUserDictInProgress;
+                break;
+            }
+
+            dict_attack_set_header(instance->dict_attack, "MF Classic CUID Dictionary");
+        } while(false);
+    }
     if(state == DictAttackStateUserDictInProgress) {
         do {
+            instance->nfc_dict_context.enhanced_dict = true;
+
+            if(keys_dict_check_presence(NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH)) {
+                storage_common_remove(
+                    instance->storage, NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH);
+            }
+            if(keys_dict_check_presence(NFC_APP_MF_CLASSIC_DICT_SYSTEM_PATH)) {
+                storage_common_copy(
+                    instance->storage,
+                    NFC_APP_MF_CLASSIC_DICT_SYSTEM_PATH,
+                    NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH);
+            }
+
             if(!keys_dict_check_presence(NFC_APP_MF_CLASSIC_DICT_USER_PATH)) {
                 state = DictAttackStateSystemDictInProgress;
                 break;
             }
 
+            if(keys_dict_check_presence(NFC_APP_MF_CLASSIC_DICT_USER_NESTED_PATH)) {
+                storage_common_remove(instance->storage, NFC_APP_MF_CLASSIC_DICT_USER_NESTED_PATH);
+            }
+            storage_common_copy(
+                instance->storage,
+                NFC_APP_MF_CLASSIC_DICT_USER_PATH,
+                NFC_APP_MF_CLASSIC_DICT_USER_NESTED_PATH);
+
             instance->nfc_dict_context.dict = keys_dict_alloc(
                 NFC_APP_MF_CLASSIC_DICT_USER_PATH, KeysDictModeOpenAlways, sizeof(MfClassicKey));
             if(keys_dict_get_total_keys(instance->nfc_dict_context.dict) == 0) {
@@ -164,7 +229,7 @@ void nfc_scene_mf_classic_dict_attack_on_enter(void* context) {
     NfcApp* instance = context;
 
     scene_manager_set_scene_state(
-        instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateUserDictInProgress);
+        instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateCUIDDictInProgress);
     nfc_scene_mf_classic_dict_attack_prepare_view(instance);
     dict_attack_set_card_state(instance->dict_attack, true);
     view_dispatcher_switch_to_view(instance->view_dispatcher, NfcViewDictAttack);
@@ -193,7 +258,21 @@ bool nfc_scene_mf_classic_dict_attack_on_event(void* context, SceneManagerEvent
         scene_manager_get_scene_state(instance->scene_manager, NfcSceneMfClassicDictAttack);
     if(event.type == SceneManagerEventTypeCustom) {
         if(event.event == NfcCustomEventDictAttackComplete) {
-            if(state == DictAttackStateUserDictInProgress) {
+            bool ran_nested_dict = instance->nfc_dict_context.nested_phase !=
+                                   MfClassicNestedPhaseNone;
+            if(state == DictAttackStateCUIDDictInProgress) {
+                nfc_poller_stop(instance->poller);
+                nfc_poller_free(instance->poller);
+                keys_dict_free(instance->nfc_dict_context.dict);
+                scene_manager_set_scene_state(
+                    instance->scene_manager,
+                    NfcSceneMfClassicDictAttack,
+                    DictAttackStateUserDictInProgress);
+                nfc_scene_mf_classic_dict_attack_prepare_view(instance);
+                instance->poller = nfc_poller_alloc(instance->nfc, NfcProtocolMfClassic);
+                nfc_poller_start(instance->poller, nfc_dict_attack_worker_callback, instance);
+                consumed = true;
+            } else if(state == DictAttackStateUserDictInProgress && !(ran_nested_dict)) {
                 nfc_poller_stop(instance->poller);
                 nfc_poller_free(instance->poller);
                 keys_dict_free(instance->nfc_dict_context.dict);
@@ -222,7 +301,27 @@ bool nfc_scene_mf_classic_dict_attack_on_event(void* context, SceneManagerEvent
         } else if(event.event == NfcCustomEventDictAttackSkip) {
             const MfClassicData* mfc_data = nfc_poller_get_data(instance->poller);
             nfc_device_set_data(instance->nfc_device, NfcProtocolMfClassic, mfc_data);
-            if(state == DictAttackStateUserDictInProgress) {
+            bool ran_nested_dict = instance->nfc_dict_context.nested_phase !=
+                                   MfClassicNestedPhaseNone;
+            if(state == DictAttackStateCUIDDictInProgress) {
+                if(instance->nfc_dict_context.is_card_present) {
+                    nfc_poller_stop(instance->poller);
+                    nfc_poller_free(instance->poller);
+                    keys_dict_free(instance->nfc_dict_context.dict);
+                    scene_manager_set_scene_state(
+                        instance->scene_manager,
+                        NfcSceneMfClassicDictAttack,
+                        DictAttackStateUserDictInProgress);
+                    nfc_scene_mf_classic_dict_attack_prepare_view(instance);
+                    instance->poller = nfc_poller_alloc(instance->nfc, NfcProtocolMfClassic);
+                    nfc_poller_start(instance->poller, nfc_dict_attack_worker_callback, instance);
+                } else {
+                    nfc_scene_mf_classic_dict_attack_notify_read(instance);
+                    scene_manager_next_scene(instance->scene_manager, NfcSceneReadSuccess);
+                    dolphin_deed(DolphinDeedNfcReadSuccess);
+                }
+                consumed = true;
+            } else if(state == DictAttackStateUserDictInProgress && !(ran_nested_dict)) {
                 if(instance->nfc_dict_context.is_card_present) {
                     nfc_poller_stop(instance->poller);
                     nfc_poller_free(instance->poller);
@@ -240,7 +339,7 @@ bool nfc_scene_mf_classic_dict_attack_on_event(void* context, SceneManagerEvent
                     dolphin_deed(DolphinDeedNfcReadSuccess);
                 }
                 consumed = true;
-            } else if(state == DictAttackStateSystemDictInProgress) {
+            } else {
                 nfc_scene_mf_classic_dict_attack_notify_read(instance);
                 scene_manager_next_scene(instance->scene_manager, NfcSceneReadSuccess);
                 dolphin_deed(DolphinDeedNfcReadSuccess);
@@ -262,7 +361,7 @@ void nfc_scene_mf_classic_dict_attack_on_exit(void* context) {
 
     dict_attack_reset(instance->dict_attack);
     scene_manager_set_scene_state(
-        instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateUserDictInProgress);
+        instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateCUIDDictInProgress);
 
     keys_dict_free(instance->nfc_dict_context.dict);
 
@@ -275,6 +374,20 @@ void nfc_scene_mf_classic_dict_attack_on_exit(void* context) {
     instance->nfc_dict_context.is_key_attack = false;
     instance->nfc_dict_context.key_attack_current_sector = 0;
     instance->nfc_dict_context.is_card_present = false;
+    instance->nfc_dict_context.nested_phase = MfClassicNestedPhaseNone;
+    instance->nfc_dict_context.prng_type = MfClassicPrngTypeUnknown;
+    instance->nfc_dict_context.backdoor = MfClassicBackdoorUnknown;
+    instance->nfc_dict_context.nested_target_key = 0;
+    instance->nfc_dict_context.msb_count = 0;
+    instance->nfc_dict_context.enhanced_dict = false;
+
+    // Clean up temporary files used for nested dictionary attack
+    if(keys_dict_check_presence(NFC_APP_MF_CLASSIC_DICT_USER_NESTED_PATH)) {
+        storage_common_remove(instance->storage, NFC_APP_MF_CLASSIC_DICT_USER_NESTED_PATH);
+    }
+    if(keys_dict_check_presence(NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH)) {
+        storage_common_remove(instance->storage, NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH);
+    }
 
     nfc_blink_stop(instance);
     notification_message(instance->notifications, &sequence_display_backlight_enforce_auto);

applications/main/nfc/views/dict_attack.c

@@ -21,6 +21,11 @@ typedef struct {
     size_t dict_keys_current;
     bool is_key_attack;
     uint8_t key_attack_current_sector;
+    MfClassicNestedPhase nested_phase;
+    MfClassicPrngType prng_type;
+    MfClassicBackdoor backdoor;
+    uint16_t nested_target_key;
+    uint16_t msb_count;
 } DictAttackViewModel;
 
 static void dict_attack_draw_callback(Canvas* canvas, void* model) {
@@ -34,9 +39,46 @@ static void dict_attack_draw_callback(Canvas* canvas, void* model) {
     } else {
         char draw_str[32] = {};
         canvas_set_font(canvas, FontSecondary);
+
+        switch(m->nested_phase) {
+        case MfClassicNestedPhaseAnalyzePRNG:
+            furi_string_set(m->header, "PRNG Analysis");
+            break;
+        case MfClassicNestedPhaseDictAttack:
+        case MfClassicNestedPhaseDictAttackResume:
+            furi_string_set(m->header, "Nested Dictionary");
+            break;
+        case MfClassicNestedPhaseCalibrate:
+        case MfClassicNestedPhaseRecalibrate:
+            furi_string_set(m->header, "Calibration");
+            break;
+        case MfClassicNestedPhaseCollectNtEnc:
+            furi_string_set(m->header, "Nonce Collection");
+            break;
+        default:
+            break;
+        }
+
+        if(m->prng_type == MfClassicPrngTypeHard) {
+            furi_string_cat(m->header, " (Hard)");
+        }
+
+        if(m->backdoor != MfClassicBackdoorNone && m->backdoor != MfClassicBackdoorUnknown) {
+            if(m->nested_phase != MfClassicNestedPhaseNone) {
+                furi_string_cat(m->header, " (Backdoor)");
+            } else {
+                furi_string_set(m->header, "Backdoor Read");
+            }
+        }
+
         canvas_draw_str_aligned(
-            canvas, 64, 0, AlignCenter, AlignTop, furi_string_get_cstr(m->header));
+            canvas, 0, 0, AlignLeft, AlignTop, furi_string_get_cstr(m->header));
-        if(m->is_key_attack) {
+        if(m->nested_phase == MfClassicNestedPhaseCollectNtEnc) {
+            uint8_t nonce_sector =
+                m->nested_target_key / (m->prng_type == MfClassicPrngTypeWeak ? 4 : 2);
+            snprintf(draw_str, sizeof(draw_str), "Collecting from sector: %d", nonce_sector);
+            canvas_draw_str_aligned(canvas, 0, 10, AlignLeft, AlignTop, draw_str);
+        } else if(m->is_key_attack) {
             snprintf(
                 draw_str,
                 sizeof(draw_str),
@@ -46,21 +88,47 @@ static void dict_attack_draw_callback(Canvas* canvas, void* model) {
             snprintf(draw_str, sizeof(draw_str), "Unlocking sector: %d", m->current_sector);
         }
         canvas_draw_str_aligned(canvas, 0, 10, AlignLeft, AlignTop, draw_str);
-        float dict_progress = m->dict_keys_total == 0 ?
+        float dict_progress = 0;
-                                  0 :
+        if(m->nested_phase == MfClassicNestedPhaseAnalyzePRNG ||
-                                  (float)(m->dict_keys_current) / (float)(m->dict_keys_total);
+           m->nested_phase == MfClassicNestedPhaseDictAttack ||
-        float progress = m->sectors_total == 0 ? 0 :
+           m->nested_phase == MfClassicNestedPhaseDictAttackResume) {
-                                                 ((float)(m->current_sector) + dict_progress) /
+            // Phase: Nested dictionary attack
-                                                     (float)(m->sectors_total);
+            uint8_t target_sector =
-        if(progress > 1.0f) {
+                m->nested_target_key / (m->prng_type == MfClassicPrngTypeWeak ? 2 : 16);
-            progress = 1.0f;
+            dict_progress = (float)(target_sector) / (float)(m->sectors_total);
-        }
+            snprintf(draw_str, sizeof(draw_str), "%d/%d", target_sector, m->sectors_total);
-        if(m->dict_keys_current == 0) {
+        } else if(
-            // Cause when people see 0 they think it's broken
+            m->nested_phase == MfClassicNestedPhaseCalibrate ||
-            snprintf(draw_str, sizeof(draw_str), "%d/%zu", 1, m->dict_keys_total);
+            m->nested_phase == MfClassicNestedPhaseRecalibrate ||
+            m->nested_phase == MfClassicNestedPhaseCollectNtEnc) {
+            // Phase: Nonce collection
+            if(m->prng_type == MfClassicPrngTypeWeak) {
+                uint8_t target_sector = m->nested_target_key / 4;
+                dict_progress = (float)(target_sector) / (float)(m->sectors_total);
+                snprintf(draw_str, sizeof(draw_str), "%d/%d", target_sector, m->sectors_total);
+            } else {
+                uint16_t max_msb = UINT8_MAX + 1;
+                dict_progress = (float)(m->msb_count) / (float)(max_msb);
+                snprintf(draw_str, sizeof(draw_str), "%d/%d", m->msb_count, max_msb);
+            }
         } else {
-            snprintf(
+            dict_progress = m->dict_keys_total == 0 ?
-                draw_str, sizeof(draw_str), "%zu/%zu", m->dict_keys_current, m->dict_keys_total);
+                                0 :
+                                (float)(m->dict_keys_current) / (float)(m->dict_keys_total);
+            if(m->dict_keys_current == 0) {
+                // Cause when people see 0 they think it's broken
+                snprintf(draw_str, sizeof(draw_str), "%d/%zu", 1, m->dict_keys_total);
+            } else {
+                snprintf(
+                    draw_str,
+                    sizeof(draw_str),
+                    "%zu/%zu",
+                    m->dict_keys_current,
+                    m->dict_keys_total);
+            }
+        }
+        if(dict_progress > 1.0f) {
+            dict_progress = 1.0f;
         }
         elements_progress_bar_with_text(canvas, 0, 20, 128, dict_progress, draw_str);
         canvas_set_font(canvas, FontSecondary);
@@ -132,6 +200,11 @@ void dict_attack_reset(DictAttack* instance) {
             model->dict_keys_total = 0;
             model->dict_keys_current = 0;
             model->is_key_attack = false;
+            model->nested_phase = MfClassicNestedPhaseNone;
+            model->prng_type = MfClassicPrngTypeUnknown;
+            model->backdoor = MfClassicBackdoorUnknown;
+            model->nested_target_key = 0;
+            model->msb_count = 0;
             furi_string_reset(model->header);
         },
         false);
@@ -242,3 +315,41 @@ void dict_attack_reset_key_attack(DictAttack* instance) {
     with_view_model(
         instance->view, DictAttackViewModel * model, { model->is_key_attack = false; }, true);
 }
+
+void dict_attack_set_nested_phase(DictAttack* instance, uint8_t nested_phase) {
+    furi_assert(instance);
+
+    with_view_model(
+        instance->view, DictAttackViewModel * model, { model->nested_phase = nested_phase; }, true);
+}
+
+void dict_attack_set_prng_type(DictAttack* instance, uint8_t prng_type) {
+    furi_assert(instance);
+
+    with_view_model(
+        instance->view, DictAttackViewModel * model, { model->prng_type = prng_type; }, true);
+}
+
+void dict_attack_set_backdoor(DictAttack* instance, uint8_t backdoor) {
+    furi_assert(instance);
+
+    with_view_model(
+        instance->view, DictAttackViewModel * model, { model->backdoor = backdoor; }, true);
+}
+
+void dict_attack_set_nested_target_key(DictAttack* instance, uint16_t nested_target_key) {
+    furi_assert(instance);
+
+    with_view_model(
+        instance->view,
+        DictAttackViewModel * model,
+        { model->nested_target_key = nested_target_key; },
+        true);
+}
+
+void dict_attack_set_msb_count(DictAttack* instance, uint16_t msb_count) {
+    furi_assert(instance);
+
+    with_view_model(
+        instance->view, DictAttackViewModel * model, { model->msb_count = msb_count; }, true);
+}

applications/main/nfc/views/dict_attack.h

@@ -9,6 +9,32 @@ extern "C" {
 
 typedef struct DictAttack DictAttack;
 
+typedef enum {
+    MfClassicNestedPhaseNone,
+    MfClassicNestedPhaseAnalyzePRNG,
+    MfClassicNestedPhaseDictAttack,
+    MfClassicNestedPhaseDictAttackResume,
+    MfClassicNestedPhaseCalibrate,
+    MfClassicNestedPhaseRecalibrate,
+    MfClassicNestedPhaseCollectNtEnc,
+    MfClassicNestedPhaseFinished,
+} MfClassicNestedPhase;
+
+typedef enum {
+    MfClassicPrngTypeUnknown, // Tag not yet tested
+    MfClassicPrngTypeNoTag, // No tag detected during test
+    MfClassicPrngTypeWeak, // Weak PRNG, standard Nested
+    MfClassicPrngTypeHard, // Hard PRNG, Hardnested
+} MfClassicPrngType;
+
+typedef enum {
+    MfClassicBackdoorUnknown, // Tag not yet tested
+    MfClassicBackdoorNone, // No observed backdoor
+    MfClassicBackdoorAuth1, // Tag responds to v1 auth backdoor
+    MfClassicBackdoorAuth2, // Tag responds to v2 auth backdoor
+    MfClassicBackdoorAuth3, // Tag responds to v3 auth backdoor (static encrypted nonce)
+} MfClassicBackdoor;
+
 typedef enum {
     DictAttackEventSkipPressed,
 } DictAttackEvent;
@@ -45,6 +71,16 @@ void dict_attack_set_key_attack(DictAttack* instance, uint8_t sector);
 
 void dict_attack_reset_key_attack(DictAttack* instance);
 
+void dict_attack_set_nested_phase(DictAttack* instance, uint8_t nested_phase);
+
+void dict_attack_set_prng_type(DictAttack* instance, uint8_t prng_type);
+
+void dict_attack_set_backdoor(DictAttack* instance, uint8_t backdoor);
+
+void dict_attack_set_nested_target_key(DictAttack* instance, uint16_t target_key);
+
+void dict_attack_set_msb_count(DictAttack* instance, uint16_t msb_count);
+
 #ifdef __cplusplus
 }
 #endif

lib/nfc/helpers/crypto1.c

@@ -82,7 +82,7 @@ uint32_t crypto1_word(Crypto1* crypto1, uint32_t in, int is_encrypted) {
     return out;
 }
 
-uint32_t prng_successor(uint32_t x, uint32_t n) {
+uint32_t crypto1_prng_successor(uint32_t x, uint32_t n) {
     SWAPENDIAN(x);
     while(n--)
         x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;
@@ -169,11 +169,69 @@ void crypto1_encrypt_reader_nonce(
         nr[i] = byte;
     }
 
-    nt_num = prng_successor(nt_num, 32);
+    nt_num = crypto1_prng_successor(nt_num, 32);
     for(size_t i = 4; i < 8; i++) {
-        nt_num = prng_successor(nt_num, 8);
+        nt_num = crypto1_prng_successor(nt_num, 8);
         uint8_t byte = crypto1_byte(crypto, 0, 0) ^ (uint8_t)(nt_num);
         bool parity_bit = ((crypto1_filter(crypto->odd) ^ nfc_util_odd_parity8(nt_num)) & 0x01);
         bit_buffer_set_byte_with_parity(out, i, byte, parity_bit);
     }
 }
+
+static uint8_t lfsr_rollback_bit(Crypto1* crypto1, uint32_t in, int fb) {
+    int out;
+    uint8_t ret;
+    uint32_t t;
+
+    crypto1->odd &= 0xffffff;
+    t = crypto1->odd;
+    crypto1->odd = crypto1->even;
+    crypto1->even = t;
+
+    out = crypto1->even & 1;
+    out ^= LF_POLY_EVEN & (crypto1->even >>= 1);
+    out ^= LF_POLY_ODD & crypto1->odd;
+    out ^= !!in;
+    out ^= (ret = crypto1_filter(crypto1->odd)) & (!!fb);
+
+    crypto1->even |= (nfc_util_even_parity32(out)) << 23;
+    return ret;
+}
+
+uint32_t crypto1_lfsr_rollback_word(Crypto1* crypto1, uint32_t in, int fb) {
+    uint32_t ret = 0;
+    for(int i = 31; i >= 0; i--) {
+        ret |= lfsr_rollback_bit(crypto1, BEBIT(in, i), fb) << (24 ^ i);
+    }
+    return ret;
+}
+
+bool crypto1_nonce_matches_encrypted_parity_bits(uint32_t nt, uint32_t ks, uint8_t nt_par_enc) {
+    return (nfc_util_even_parity8((nt >> 24) & 0xFF) ==
+            (((nt_par_enc >> 3) & 1) ^ FURI_BIT(ks, 16))) &&
+           (nfc_util_even_parity8((nt >> 16) & 0xFF) ==
+            (((nt_par_enc >> 2) & 1) ^ FURI_BIT(ks, 8))) &&
+           (nfc_util_even_parity8((nt >> 8) & 0xFF) ==
+            (((nt_par_enc >> 1) & 1) ^ FURI_BIT(ks, 0)));
+}
+
+bool crypto1_is_weak_prng_nonce(uint32_t nonce) {
+    if(nonce == 0) return false;
+    uint16_t x = nonce >> 16;
+    x = (x & 0xff) << 8 | x >> 8;
+    for(uint8_t i = 0; i < 16; i++) {
+        x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15;
+    }
+    x = (x & 0xff) << 8 | x >> 8;
+    return x == (nonce & 0xFFFF);
+}
+
+uint32_t crypto1_decrypt_nt_enc(uint32_t cuid, uint32_t nt_enc, MfClassicKey known_key) {
+    uint64_t known_key_int = bit_lib_bytes_to_num_be(known_key.data, 6);
+    Crypto1 crypto_temp;
+    crypto1_init(&crypto_temp, known_key_int);
+    crypto1_word(&crypto_temp, nt_enc ^ cuid, 1);
+    uint32_t decrypted_nt_enc =
+        (nt_enc ^ crypto1_lfsr_rollback_word(&crypto_temp, nt_enc ^ cuid, 1));
+    return decrypted_nt_enc;
+}

lib/nfc/helpers/crypto1.h

@@ -1,5 +1,6 @@
 #pragma once
 
+#include <protocols/mf_classic/mf_classic.h>
 #include <toolbox/bit_buffer.h>
 
 #ifdef __cplusplus
@@ -38,7 +39,15 @@ void crypto1_encrypt_reader_nonce(
     BitBuffer* out,
     bool is_nested);
 
-uint32_t prng_successor(uint32_t x, uint32_t n);
+uint32_t crypto1_lfsr_rollback_word(Crypto1* crypto1, uint32_t in, int fb);
+
+bool crypto1_nonce_matches_encrypted_parity_bits(uint32_t nt, uint32_t ks, uint8_t nt_par_enc);
+
+bool crypto1_is_weak_prng_nonce(uint32_t nonce);
+
+uint32_t crypto1_decrypt_nt_enc(uint32_t cuid, uint32_t nt_enc, MfClassicKey known_key);
+
+uint32_t crypto1_prng_successor(uint32_t x, uint32_t n);
 
 #ifdef __cplusplus
 }

lib/nfc/helpers/nfc_util.c

@@ -13,6 +13,10 @@ static const uint8_t nfc_util_odd_byte_parity[256] = {
     0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
     1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1};
 
+uint8_t nfc_util_even_parity8(uint8_t data) {
+    return !nfc_util_odd_byte_parity[data];
+}
+
 uint8_t nfc_util_even_parity32(uint32_t data) {
     // data ^= data >> 16;
     // data ^= data >> 8;

lib/nfc/helpers/nfc_util.h

@@ -6,6 +6,8 @@
 extern "C" {
 #endif
 
+uint8_t nfc_util_even_parity8(uint8_t data);
+
 uint8_t nfc_util_even_parity32(uint32_t data);
 
 uint8_t nfc_util_odd_parity8(uint8_t data);

lib/nfc/protocols/mf_classic/mf_classic.h

@@ -6,14 +6,16 @@
 extern "C" {
 #endif
 
-#define MF_CLASSIC_CMD_AUTH_KEY_A     (0x60U)
+#define MF_CLASSIC_CMD_AUTH_KEY_A          (0x60U)
-#define MF_CLASSIC_CMD_AUTH_KEY_B     (0x61U)
+#define MF_CLASSIC_CMD_AUTH_KEY_B          (0x61U)
-#define MF_CLASSIC_CMD_READ_BLOCK     (0x30U)
+#define MF_CLASSIC_CMD_BACKDOOR_AUTH_KEY_A (0x64U)
-#define MF_CLASSIC_CMD_WRITE_BLOCK    (0xA0U)
+#define MF_CLASSIC_CMD_BACKDOOR_AUTH_KEY_B (0x65U)
-#define MF_CLASSIC_CMD_VALUE_DEC      (0xC0U)
+#define MF_CLASSIC_CMD_READ_BLOCK          (0x30U)
-#define MF_CLASSIC_CMD_VALUE_INC      (0xC1U)
+#define MF_CLASSIC_CMD_WRITE_BLOCK         (0xA0U)
-#define MF_CLASSIC_CMD_VALUE_RESTORE  (0xC2U)
+#define MF_CLASSIC_CMD_VALUE_DEC           (0xC0U)
-#define MF_CLASSIC_CMD_VALUE_TRANSFER (0xB0U)
+#define MF_CLASSIC_CMD_VALUE_INC           (0xC1U)
+#define MF_CLASSIC_CMD_VALUE_RESTORE       (0xC2U)
+#define MF_CLASSIC_CMD_VALUE_TRANSFER      (0xB0U)
 
 #define MF_CLASSIC_CMD_HALT_MSB                (0x50)
 #define MF_CLASSIC_CMD_HALT_LSB                (0x00)

lib/nfc/protocols/mf_classic/mf_classic_listener.c

@@ -157,14 +157,17 @@ static MfClassicListenerCommand
         uint32_t nt_num =
             bit_lib_bytes_to_num_be(instance->auth_context.nt.data, sizeof(MfClassicNt));
         uint32_t secret_poller = ar_num ^ crypto1_word(instance->crypto, 0, 0);
-        if(secret_poller != prng_successor(nt_num, 64)) {
+        if(secret_poller != crypto1_prng_successor(nt_num, 64)) {
             FURI_LOG_T(
-                TAG, "Wrong reader key: %08lX != %08lX", secret_poller, prng_successor(nt_num, 64));
+                TAG,
+                "Wrong reader key: %08lX != %08lX",
+                secret_poller,
+                crypto1_prng_successor(nt_num, 64));
             command = MfClassicListenerCommandSleep;
             break;
         }
 
-        uint32_t at_num = prng_successor(nt_num, 96);
+        uint32_t at_num = crypto1_prng_successor(nt_num, 96);
         bit_lib_num_to_bytes_be(at_num, sizeof(uint32_t), instance->auth_context.at.data);
         bit_buffer_copy_bytes(
             instance->tx_plain_buffer, instance->auth_context.at.data, sizeof(MfClassicAr));

lib/nfc/protocols/mf_classic/mf_classic_poller.h

@@ -44,7 +44,8 @@ typedef enum {
 typedef enum {
     MfClassicPollerModeRead, /**< Poller reading mode. */
     MfClassicPollerModeWrite, /**< Poller writing mode. */
-    MfClassicPollerModeDictAttack, /**< Poller dictionary attack mode. */
+    MfClassicPollerModeDictAttackStandard, /**< Poller dictionary attack mode. */
+    MfClassicPollerModeDictAttackEnhanced, /**< Poller enhanced dictionary attack mode. */
 } MfClassicPollerMode;
 
 /**
@@ -77,6 +78,12 @@ typedef struct {
     uint8_t sectors_read; /**< Number of sectors read. */
     uint8_t keys_found; /**< Number of keys found. */
     uint8_t current_sector; /**< Current sector number. */
+    uint8_t nested_phase; /**< Nested attack phase. */
+    uint8_t prng_type; /**< PRNG (weak or hard). */
+    uint8_t backdoor; /**< Backdoor type. */
+    uint16_t nested_target_key; /**< Target key for nested attack. */
+    uint16_t
+        msb_count; /**< Number of unique most significant bytes seen during Hardnested attack. */
 } MfClassicPollerEventDataUpdate;
 
 /**
@@ -170,13 +177,15 @@ typedef struct {
  * @param[in] block_num block number for authentication.
  * @param[in] key_type key type to be used for authentication.
  * @param[out] nt pointer to the MfClassicNt structure to be filled with nonce data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
  * @return MfClassicErrorNone on success, an error code on failure.
  */
 MfClassicError mf_classic_poller_get_nt(
     MfClassicPoller* instance,
     uint8_t block_num,
     MfClassicKeyType key_type,
-    MfClassicNt* nt);
+    MfClassicNt* nt,
+    bool backdoor_auth);
 
 /**
  * @brief Collect tag nonce during nested authentication.
@@ -189,13 +198,15 @@ MfClassicError mf_classic_poller_get_nt(
  * @param[in] block_num block number for authentication.
  * @param[in] key_type key type to be used for authentication.
  * @param[out] nt pointer to the MfClassicNt structure to be filled with nonce data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
  * @return MfClassicErrorNone on success, an error code on failure.
  */
 MfClassicError mf_classic_poller_get_nt_nested(
     MfClassicPoller* instance,
     uint8_t block_num,
     MfClassicKeyType key_type,
-    MfClassicNt* nt);
+    MfClassicNt* nt,
+    bool backdoor_auth);
 
 /**
  * @brief Perform authentication.
@@ -210,6 +221,7 @@ MfClassicError mf_classic_poller_get_nt_nested(
  * @param[in] key key to be used for authentication.
  * @param[in] key_type key type to be used for authentication.
  * @param[out] data pointer to MfClassicAuthContext structure to be filled with authentication data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
  * @return MfClassicErrorNone on success, an error code on failure.
  */
 MfClassicError mf_classic_poller_auth(
@@ -217,20 +229,23 @@ MfClassicError mf_classic_poller_auth(
     uint8_t block_num,
     MfClassicKey* key,
     MfClassicKeyType key_type,
-    MfClassicAuthContext* data);
+    MfClassicAuthContext* data,
+    bool backdoor_auth);
 
 /**
  * @brief Perform nested authentication.
  *
  * Must ONLY be used inside the callback function.
  *
- * Perform nested  authentication as specified in Mf Classic protocol.
+ * Perform nested authentication as specified in Mf Classic protocol.
  *
  * @param[in, out] instance pointer to the instance to be used in the transaction.
  * @param[in] block_num block number for authentication.
  * @param[in] key key to be used for authentication.
  * @param[in] key_type key type to be used for authentication.
  * @param[out] data pointer to MfClassicAuthContext structure to be filled with authentication data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
+ * @param[in] early_ret return immediately after receiving encrypted nonce.
  * @return MfClassicErrorNone on success, an error code on failure.
  */
 MfClassicError mf_classic_poller_auth_nested(
@@ -238,7 +253,9 @@ MfClassicError mf_classic_poller_auth_nested(
     uint8_t block_num,
     MfClassicKey* key,
     MfClassicKeyType key_type,
-    MfClassicAuthContext* data);
+    MfClassicAuthContext* data,
+    bool backdoor_auth,
+    bool early_ret);
 
 /**
  * @brief Halt the tag.

lib/nfc/protocols/mf_classic/mf_classic_poller_i.c

@@ -38,13 +38,20 @@ static MfClassicError mf_classic_poller_get_nt_common(
     uint8_t block_num,
     MfClassicKeyType key_type,
     MfClassicNt* nt,
-    bool is_nested) {
+    bool is_nested,
+    bool backdoor_auth) {
     MfClassicError ret = MfClassicErrorNone;
     Iso14443_3aError error = Iso14443_3aErrorNone;
 
     do {
-        uint8_t auth_type = (key_type == MfClassicKeyTypeB) ? MF_CLASSIC_CMD_AUTH_KEY_B :
+        uint8_t auth_type;
-                                                              MF_CLASSIC_CMD_AUTH_KEY_A;
+        if(!backdoor_auth) {
+            auth_type = (key_type == MfClassicKeyTypeB) ? MF_CLASSIC_CMD_AUTH_KEY_B :
+                                                          MF_CLASSIC_CMD_AUTH_KEY_A;
+        } else {
+            auth_type = (key_type == MfClassicKeyTypeB) ? MF_CLASSIC_CMD_BACKDOOR_AUTH_KEY_B :
+                                                          MF_CLASSIC_CMD_BACKDOOR_AUTH_KEY_A;
+        }
         uint8_t auth_cmd[2] = {auth_type, block_num};
         bit_buffer_copy_bytes(instance->tx_plain_buffer, auth_cmd, sizeof(auth_cmd));
 
@@ -89,29 +96,34 @@ MfClassicError mf_classic_poller_get_nt(
     MfClassicPoller* instance,
     uint8_t block_num,
     MfClassicKeyType key_type,
-    MfClassicNt* nt) {
+    MfClassicNt* nt,
+    bool backdoor_auth) {
     furi_check(instance);
 
-    return mf_classic_poller_get_nt_common(instance, block_num, key_type, nt, false);
+    return mf_classic_poller_get_nt_common(
+        instance, block_num, key_type, nt, false, backdoor_auth);
 }
 
 MfClassicError mf_classic_poller_get_nt_nested(
     MfClassicPoller* instance,
     uint8_t block_num,
     MfClassicKeyType key_type,
-    MfClassicNt* nt) {
+    MfClassicNt* nt,
+    bool backdoor_auth) {
     furi_check(instance);
 
-    return mf_classic_poller_get_nt_common(instance, block_num, key_type, nt, true);
+    return mf_classic_poller_get_nt_common(instance, block_num, key_type, nt, true, backdoor_auth);
 }
 
-static MfClassicError mf_classic_poller_auth_common(
+MfClassicError mf_classic_poller_auth_common(
     MfClassicPoller* instance,
     uint8_t block_num,
     MfClassicKey* key,
     MfClassicKeyType key_type,
     MfClassicAuthContext* data,
-    bool is_nested) {
+    bool is_nested,
+    bool backdoor_auth,
+    bool early_ret) {
     MfClassicError ret = MfClassicErrorNone;
     Iso14443_3aError error = Iso14443_3aErrorNone;
 
@@ -122,14 +134,16 @@ static MfClassicError mf_classic_poller_auth_common(
 
         MfClassicNt nt = {};
         if(is_nested) {
-            ret = mf_classic_poller_get_nt_nested(instance, block_num, key_type, &nt);
+            ret =
+                mf_classic_poller_get_nt_nested(instance, block_num, key_type, &nt, backdoor_auth);
         } else {
-            ret = mf_classic_poller_get_nt(instance, block_num, key_type, &nt);
+            ret = mf_classic_poller_get_nt(instance, block_num, key_type, &nt, backdoor_auth);
         }
         if(ret != MfClassicErrorNone) break;
         if(data) {
             data->nt = nt;
         }
+        if(early_ret) break;
 
         uint32_t cuid = iso14443_3a_get_cuid(instance->data->iso14443_3a_data);
         uint64_t key_num = bit_lib_bytes_to_num_be(key->data, sizeof(MfClassicKey));
@@ -182,10 +196,12 @@ MfClassicError mf_classic_poller_auth(
     uint8_t block_num,
     MfClassicKey* key,
     MfClassicKeyType key_type,
-    MfClassicAuthContext* data) {
+    MfClassicAuthContext* data,
+    bool backdoor_auth) {
     furi_check(instance);
     furi_check(key);
-    return mf_classic_poller_auth_common(instance, block_num, key, key_type, data, false);
+    return mf_classic_poller_auth_common(
+        instance, block_num, key, key_type, data, false, backdoor_auth, false);
 }
 
 MfClassicError mf_classic_poller_auth_nested(
@@ -193,10 +209,13 @@ MfClassicError mf_classic_poller_auth_nested(
     uint8_t block_num,
     MfClassicKey* key,
     MfClassicKeyType key_type,
-    MfClassicAuthContext* data) {
+    MfClassicAuthContext* data,
+    bool backdoor_auth,
+    bool early_ret) {
     furi_check(instance);
     furi_check(key);
-    return mf_classic_poller_auth_common(instance, block_num, key, key_type, data, true);
+    return mf_classic_poller_auth_common(
+        instance, block_num, key, key_type, data, true, backdoor_auth, early_ret);
 }
 
 MfClassicError mf_classic_poller_halt(MfClassicPoller* instance) {

lib/nfc/protocols/mf_classic/mf_classic_poller_i.h

@@ -3,13 +3,40 @@
 #include "mf_classic_poller.h"
 #include <lib/nfc/protocols/iso14443_3a/iso14443_3a_poller_i.h>
 #include <bit_lib/bit_lib.h>
+#include <nfc/helpers/iso14443_crc.h>
 #include <nfc/helpers/crypto1.h>
+#include <stream/stream.h>
+#include <stream/buffered_file_stream.h>
+#include <toolbox/keys_dict.h>
+#include <helpers/nfc_util.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#define MF_CLASSIC_FWT_FC (60000)
+#define MF_CLASSIC_FWT_FC                       (60000)
+#define NFC_FOLDER                              EXT_PATH("nfc")
+#define NFC_ASSETS_FOLDER                       EXT_PATH("nfc/assets")
+#define MF_CLASSIC_NESTED_ANALYZE_NT_COUNT      (5)
+#define MF_CLASSIC_NESTED_NT_HARD_MINIMUM       (3)
+#define MF_CLASSIC_NESTED_RETRY_MAXIMUM         (60)
+#define MF_CLASSIC_NESTED_HARD_RETRY_MAXIMUM    (3)
+#define MF_CLASSIC_NESTED_CALIBRATION_COUNT     (21)
+#define MF_CLASSIC_NESTED_LOGS_FILE_NAME        ".nested.log"
+#define MF_CLASSIC_NESTED_SYSTEM_DICT_FILE_NAME "mf_classic_dict_nested.nfc"
+#define MF_CLASSIC_NESTED_USER_DICT_FILE_NAME   "mf_classic_dict_user_nested.nfc"
+#define MF_CLASSIC_NESTED_LOGS_FILE_PATH        (NFC_FOLDER "/" MF_CLASSIC_NESTED_LOGS_FILE_NAME)
+#define MF_CLASSIC_NESTED_SYSTEM_DICT_PATH \
+    (NFC_ASSETS_FOLDER "/" MF_CLASSIC_NESTED_SYSTEM_DICT_FILE_NAME)
+#define MF_CLASSIC_NESTED_USER_DICT_PATH \
+    (NFC_ASSETS_FOLDER "/" MF_CLASSIC_NESTED_USER_DICT_FILE_NAME)
+#define SET_PACKED_BIT(arr, bit) ((arr)[(bit) / 8] |= (1 << ((bit) % 8)))
+#define GET_PACKED_BIT(arr, bit) ((arr)[(bit) / 8] & (1 << ((bit) % 8)))
+
+extern const MfClassicKey auth1_backdoor_key;
+extern const MfClassicKey auth2_backdoor_key;
+extern const MfClassicKey auth3_backdoor_key;
+extern const uint16_t valid_sums[19];
 
 typedef enum {
     MfClassicAuthStateIdle,
@@ -21,6 +48,54 @@ typedef enum {
     MfClassicCardStateLost,
 } MfClassicCardState;
 
+typedef enum {
+    MfClassicNestedPhaseNone,
+    MfClassicNestedPhaseAnalyzePRNG,
+    MfClassicNestedPhaseDictAttack,
+    MfClassicNestedPhaseDictAttackResume,
+    MfClassicNestedPhaseCalibrate,
+    MfClassicNestedPhaseRecalibrate,
+    MfClassicNestedPhaseCollectNtEnc,
+    MfClassicNestedPhaseFinished,
+} MfClassicNestedPhase;
+
+typedef enum {
+    MfClassicPrngTypeUnknown, // Tag not yet tested
+    MfClassicPrngTypeNoTag, // No tag detected during test
+    MfClassicPrngTypeWeak, // Weak PRNG, standard Nested
+    MfClassicPrngTypeHard, // Hard PRNG, Hardnested
+} MfClassicPrngType;
+
+typedef enum {
+    MfClassicBackdoorUnknown, // Tag not yet tested
+    MfClassicBackdoorNone, // No observed backdoor
+    MfClassicBackdoorAuth1, // Tag responds to v1 auth backdoor
+    MfClassicBackdoorAuth2, // Tag responds to v2 auth backdoor
+    MfClassicBackdoorAuth3, // Tag responds to v3 auth backdoor (static encrypted nonce)
+} MfClassicBackdoor;
+
+typedef struct {
+    MfClassicKey key;
+    MfClassicBackdoor type;
+} MfClassicBackdoorKeyPair;
+
+extern const MfClassicBackdoorKeyPair mf_classic_backdoor_keys[];
+extern const size_t mf_classic_backdoor_keys_count;
+
+typedef struct {
+    uint32_t cuid; // Card UID
+    uint8_t key_idx; // Key index
+    uint32_t nt; // Nonce
+    uint32_t nt_enc; // Encrypted nonce
+    uint8_t par; // Parity
+    uint16_t dist; // Distance
+} MfClassicNestedNonce;
+
+typedef struct {
+    MfClassicNestedNonce* nonces;
+    size_t count;
+} MfClassicNestedNonceArray;
+
 typedef enum {
     MfClassicPollerStateDetectType,
     MfClassicPollerStateStart,
@@ -38,17 +113,29 @@ typedef enum {
 
     // Dict attack states
     MfClassicPollerStateNextSector,
+    MfClassicPollerStateAnalyzeBackdoor,
+    MfClassicPollerStateBackdoorReadSector,
     MfClassicPollerStateRequestKey,
     MfClassicPollerStateReadSector,
     MfClassicPollerStateAuthKeyA,
     MfClassicPollerStateAuthKeyB,
     MfClassicPollerStateKeyReuseStart,
+    MfClassicPollerStateKeyReuseStartNoOffset,
     MfClassicPollerStateKeyReuseAuthKeyA,
     MfClassicPollerStateKeyReuseAuthKeyB,
     MfClassicPollerStateKeyReuseReadSector,
     MfClassicPollerStateSuccess,
     MfClassicPollerStateFail,
 
+    // Enhanced dictionary attack states
+    MfClassicPollerStateNestedAnalyzePRNG,
+    MfClassicPollerStateNestedCalibrate,
+    MfClassicPollerStateNestedCollectNt,
+    MfClassicPollerStateNestedController,
+    MfClassicPollerStateNestedCollectNtEnc,
+    MfClassicPollerStateNestedDictAttack,
+    MfClassicPollerStateNestedLog,
+
     MfClassicPollerStateNum,
 } MfClassicPollerState;
 
@@ -70,6 +157,30 @@ typedef struct {
     bool auth_passed;
     uint16_t current_block;
     uint8_t reuse_key_sector;
+    MfClassicBackdoor backdoor;
+    // Enhanced dictionary attack and nested nonce collection
+    bool enhanced_dict;
+    MfClassicNestedPhase nested_phase;
+    MfClassicKey nested_known_key;
+    MfClassicKeyType nested_known_key_type;
+    bool current_key_checked;
+    uint8_t nested_known_key_sector;
+    uint16_t nested_target_key;
+    MfClassicNestedNonceArray nested_nonce;
+    MfClassicPrngType prng_type;
+    bool static_encrypted;
+    uint32_t static_encrypted_nonce;
+    bool calibrated;
+    uint16_t d_min;
+    uint16_t d_max;
+    uint8_t attempt_count;
+    KeysDict* mf_classic_system_dict;
+    KeysDict* mf_classic_user_dict;
+    // Hardnested
+    uint8_t nt_enc_msb
+        [32]; // Bit-packed array to track which unique most significant bytes have been seen (256 bits = 32 bytes)
+    uint16_t msb_par_sum; // Sum of parity bits for each unique most significant byte
+    uint16_t msb_count; // Number of unique most significant bytes seen
 } MfClassicPollerDictAttackContext;
 
 typedef struct {

lib/nfc/protocols/mf_classic/mf_classic_poller_sync.c

@@ -37,7 +37,8 @@ static MfClassicError mf_classic_poller_collect_nt_handler(
         poller,
         data->collect_nt_context.block,
         data->collect_nt_context.key_type,
-        &data->collect_nt_context.nt);
+        &data->collect_nt_context.nt,
+        false);
 }
 
 static MfClassicError
@@ -47,7 +48,8 @@ static MfClassicError
         data->auth_context.block_num,
         &data->auth_context.key,
         data->auth_context.key_type,
-        &data->auth_context);
+        &data->auth_context,
+        false);
 }
 
 static MfClassicError mf_classic_poller_read_block_handler(
@@ -61,7 +63,8 @@ static MfClassicError mf_classic_poller_read_block_handler(
             data->read_block_context.block_num,
             &data->read_block_context.key,
             data->read_block_context.key_type,
-            NULL);
+            NULL,
+            false);
         if(error != MfClassicErrorNone) break;
 
         error = mf_classic_poller_read_block(
@@ -87,7 +90,8 @@ static MfClassicError mf_classic_poller_write_block_handler(
             data->read_block_context.block_num,
             &data->read_block_context.key,
             data->read_block_context.key_type,
-            NULL);
+            NULL,
+            false);
         if(error != MfClassicErrorNone) break;
 
         error = mf_classic_poller_write_block(
@@ -113,7 +117,8 @@ static MfClassicError mf_classic_poller_read_value_handler(
             data->read_value_context.block_num,
             &data->read_value_context.key,
             data->read_value_context.key_type,
-            NULL);
+            NULL,
+            false);
         if(error != MfClassicErrorNone) break;
 
         MfClassicBlock block = {};
@@ -144,7 +149,8 @@ static MfClassicError mf_classic_poller_change_value_handler(
             data->change_value_context.block_num,
             &data->change_value_context.key,
             data->change_value_context.key_type,
-            NULL);
+            NULL,
+            false);
         if(error != MfClassicErrorNone) break;
 
         error = mf_classic_poller_value_cmd(

lib/toolbox/bit_buffer.c

@@ -114,7 +114,7 @@ void bit_buffer_copy_bytes_with_parity(BitBuffer* buf, const uint8_t* data, size
             uint8_t bit =
                 FURI_BIT(data[bits_processed / BITS_IN_BYTE + 1], bits_processed % BITS_IN_BYTE);
 
-            if(bits_processed % BITS_IN_BYTE) {
+            if((bits_processed % BITS_IN_BYTE) == 0) {
                 buf->parity[curr_byte / BITS_IN_BYTE] = bit;
             } else {
                 buf->parity[curr_byte / BITS_IN_BYTE] |= bit << (bits_processed % BITS_IN_BYTE);

targets/f7/api_symbols.csv

@@ -898,10 +898,15 @@ Function,+,crypto1_alloc,Crypto1*,
 Function,+,crypto1_bit,uint8_t,"Crypto1*, uint8_t, int"
 Function,+,crypto1_byte,uint8_t,"Crypto1*, uint8_t, int"
 Function,+,crypto1_decrypt,void,"Crypto1*, const BitBuffer*, BitBuffer*"
+Function,+,crypto1_decrypt_nt_enc,uint32_t,"uint32_t, uint32_t, MfClassicKey"
 Function,+,crypto1_encrypt,void,"Crypto1*, uint8_t*, const BitBuffer*, BitBuffer*"
 Function,+,crypto1_encrypt_reader_nonce,void,"Crypto1*, uint64_t, uint32_t, uint8_t*, uint8_t*, BitBuffer*, _Bool"
 Function,+,crypto1_free,void,Crypto1*
 Function,+,crypto1_init,void,"Crypto1*, uint64_t"
+Function,+,crypto1_is_weak_prng_nonce,_Bool,uint32_t
+Function,+,crypto1_lfsr_rollback_word,uint32_t,"Crypto1*, uint32_t, int"
+Function,+,crypto1_nonce_matches_encrypted_parity_bits,_Bool,"uint32_t, uint32_t, uint8_t"
+Function,+,crypto1_prng_successor,uint32_t,"uint32_t, uint32_t"
 Function,+,crypto1_reset,void,Crypto1*
 Function,+,crypto1_word,uint32_t,"Crypto1*, uint32_t, int"
 Function,-,ctermid,char*,char*
@@ -2561,10 +2566,10 @@ Function,+,mf_classic_is_sector_read,_Bool,"const MfClassicData*, uint8_t"
 Function,+,mf_classic_is_sector_trailer,_Bool,uint8_t
 Function,+,mf_classic_is_value_block,_Bool,"MfClassicSectorTrailer*, uint8_t"
 Function,+,mf_classic_load,_Bool,"MfClassicData*, FlipperFormat*, uint32_t"
-Function,+,mf_classic_poller_auth,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKey*, MfClassicKeyType, MfClassicAuthContext*"
+Function,+,mf_classic_poller_auth,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKey*, MfClassicKeyType, MfClassicAuthContext*, _Bool"
-Function,+,mf_classic_poller_auth_nested,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKey*, MfClassicKeyType, MfClassicAuthContext*"
+Function,+,mf_classic_poller_auth_nested,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKey*, MfClassicKeyType, MfClassicAuthContext*, _Bool, _Bool"
-Function,+,mf_classic_poller_get_nt,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKeyType, MfClassicNt*"
+Function,+,mf_classic_poller_get_nt,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKeyType, MfClassicNt*, _Bool"
-Function,+,mf_classic_poller_get_nt_nested,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKeyType, MfClassicNt*"
+Function,+,mf_classic_poller_get_nt_nested,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicKeyType, MfClassicNt*, _Bool"
 Function,+,mf_classic_poller_halt,MfClassicError,MfClassicPoller*
 Function,+,mf_classic_poller_read_block,MfClassicError,"MfClassicPoller*, uint8_t, MfClassicBlock*"
 Function,+,mf_classic_poller_send_custom_parity_frame,MfClassicError,"MfClassicPoller*, const BitBuffer*, BitBuffer*, uint32_t"
@@ -2867,6 +2872,7 @@ Function,+,nfc_set_mask_receive_time_fc,void,"Nfc*, uint32_t"
 Function,+,nfc_start,void,"Nfc*, NfcEventCallback, void*"
 Function,+,nfc_stop,void,Nfc*
 Function,+,nfc_util_even_parity32,uint8_t,uint32_t
+Function,+,nfc_util_even_parity8,uint8_t,uint8_t
 Function,+,nfc_util_odd_parity,void,"const uint8_t*, uint8_t*, uint8_t"
 Function,+,nfc_util_odd_parity8,uint8_t,uint8_t
 Function,+,notification_internal_message,void,"NotificationApp*, const NotificationSequence*"
@@ -2982,7 +2988,6 @@ Function,+,powf,float,"float, float"
 Function,-,powl,long double,"long double, long double"
 Function,+,pretty_format_bytes_hex_canonical,void,"FuriString*, size_t, const char*, const uint8_t*, size_t"
 Function,-,printf,int,"const char*, ..."
-Function,+,prng_successor,uint32_t,"uint32_t, uint32_t"
 Function,+,property_value_out,void,"PropertyValueContext*, const char*, unsigned int, ..."
 Function,+,protocol_dict_alloc,ProtocolDict*,"const ProtocolBase**, size_t"
 Function,+,protocol_dict_decoders_feed,ProtocolId,"ProtocolDict*, _Bool, uint32_t"