Fix: emv scan truncation

Author: nieldk

firmware/application/src/app_cmd.c

@@ -2110,7 +2110,7 @@ static data_frame_tx_t *cmd_processor_hf14a_4_reader_apdu(uint16_t cmd, uint16_t
 
     /* ISO14443-4 chaining: PCB bit5 (0x20) set means more blocks follow */
     while (resp_pcb & 0x20) {
-        uint8_t rack = 0xA2 | (blk_num & 0x01); /* R(ACK) */
+        uint8_t rack = 0xA2 | (resp_pcb & 0x01); /* R(ACK) block_num matches received I-block */
         uint8_t rack_frame[3];
         rack_frame[0] = rack;
         crc_14a_append(rack_frame, 1);
@@ -2135,6 +2135,81 @@ static data_frame_tx_t *cmd_processor_hf14a_4_reader_apdu(uint16_t cmd, uint16_t
     return data_frame_make(cmd, STATUS_HF_TAG_OK, resp_chain_len, resp_chain);
 }
 
+/* -----------------------------------------------------------------------
+ * tcl_apdu_: ISO 14443-4 APDU helper used by cmd_processor_hf14a_4_emv_scan.
+ * Sends one I-block, receives full response handling card-side chaining.
+ * ----------------------------------------------------------------------- */
+static bool tcl_apdu_(
+        const uint8_t *apdu, uint8_t apdu_sz,
+        uint8_t **rdata_ptr, uint16_t *rlen_ptr,
+        uint8_t *abuf, uint8_t *rbuf, uint8_t *chain_buf,
+        uint16_t *rbits_p, uint8_t *blk_p)
+{
+    /* Build I-block: PCB + APDU + CRC */
+    abuf[0] = 0x02 | (*blk_p & 0x01);
+    memcpy(&abuf[1], apdu, apdu_sz);
+    crc_14a_append(abuf, apdu_sz + 1);
+    uint8_t frame_len = apdu_sz + 3;   /* PCB + APDU + CRC */
+
+    /* Clear stale RxIRq before transmit.
+     * bytes_transfer only clears ComIrqReg bit7 (Set1).
+     * RxIRq (bit4) stays set from the previous receive and causes the
+     * wait-loop to exit instantly, returning garbage from FIFO. */
+    write_register_single(ComIrqReg, 0x7F);
+    pcd_14a_reader_timeout_set(600);
+    uint16_t rbits = 0;
+    uint8_t st = pcd_14a_reader_bytes_transfer(
+            PCD_TRANSCEIVE, abuf, frame_len, rbuf, &rbits, 70u * 8u);
+    if (st != STATUS_HF_TAG_OK || rbits < 24u) return false;
+
+    uint16_t rb = rbits / 8u;
+    uint8_t crc[2];
+    crc_14a_calculate(rbuf, rb - 2u, crc);
+    if (rbuf[rb-2] != crc[0] || rbuf[rb-1] != crc[1]) return false;
+
+    *blk_p ^= 1;
+    uint8_t  resp_pcb  = rbuf[0];
+    uint16_t chain_len = 0;
+    uint8_t  dlen      = (uint8_t)(rb - 3u);
+    if (dlen > 0 && dlen < 512u) {
+        memcpy(chain_buf, &rbuf[1], dlen);
+        chain_len = dlen;
+    }
+
+    /* Handle card-side chaining ---------------------------------------- */
+    while (resp_pcb & 0x20u) {
+        if ((resp_pcb & 0xC0u) != 0x00u) break;  /* not an I-block */
+
+        /* R(ACK) block_num must match the received I-block's block_num */
+        uint8_t rf[3];
+        rf[0] = 0xA2u | (resp_pcb & 0x01u);
+        crc_14a_append(rf, 1);
+
+        /* Use bytes_transfer for chain R(ACK) — clear stale RxIRq first */
+        write_register_single(ComIrqReg, 0x7F);
+        pcd_14a_reader_timeout_set(600);
+        uint16_t chain_rbits = 0;
+        uint8_t chain_st = pcd_14a_reader_bytes_transfer(
+                PCD_TRANSCEIVE, rf, 3, rbuf, &chain_rbits, 70u * 8u);
+        if (chain_st != STATUS_HF_TAG_OK || chain_rbits < 24u) break;
+        rb = chain_rbits / 8u;   /* bytes_transfer returns BIT count */
+
+        crc_14a_calculate(rbuf, rb - 2u, crc);
+        if (rbuf[rb-2] != crc[0] || rbuf[rb-1] != crc[1]) break;
+
+        resp_pcb = rbuf[0];
+        dlen = (uint8_t)(rb - 3u);
+        if (dlen > 0u && chain_len + dlen < 512u) {
+            memcpy(&chain_buf[chain_len], &rbuf[1], dlen);
+            chain_len += dlen;
+        }
+    }
+
+    *rdata_ptr = chain_buf;
+    *rlen_ptr  = chain_len;
+    return chain_len > 0u;
+}
+
 /**
  * HF14A-4 EMV scan — complete EMV card read in a single firmware call.
  *
@@ -2157,16 +2232,15 @@ static data_frame_tx_t *cmd_processor_hf14a_4_emv_scan(uint16_t cmd, uint16_t st
 
     /* ---- helpers -------------------------------------------------- */
     static uint8_t  abuf[64];   /* TX frame: PCB + APDU + CRC */
-    static uint8_t  rbuf[64];   /* single-frame receive buffer (RC522 FIFO = 64 bytes) */
+    static uint8_t  rbuf[70];   /* single-frame receive buffer: FIFO(64) + PCB(1) + CRC(2) + slack */
     static uint8_t  chain_buf[512]; /* reassembled chained response */
     uint16_t rbits;
     uint8_t  blk = 0;  /* alternating block number */
 
-    /* Send one I-block APDU, handling ISO14443-4 response chaining.
-     * The RC522 FIFO is 64 bytes. If the card chains its response
-     * (PCB bit4=1), we send R(ACK) blocks and reassemble here.
-     * Returns pointer into chain_buf, sets *rlen_ptr to total length. */
-    #define SEND_APDU(apdu_ptr, apdu_sz, rdata_ptr, rlen_ptr) ({         bool _ok = false;         uint8_t _pcb = 0x02 | (blk & 0x01);         abuf[0] = _pcb;         memcpy(&abuf[1], (apdu_ptr), (apdu_sz));         rbits = 0;         uint8_t _st = pcd_14a_reader_raw_cmd(             false, true, true, false, true, false,             600, ((apdu_sz) + 1) * 8, abuf,             rbuf, &rbits, sizeof(rbuf) * 8);         if (_st == STATUS_HF_TAG_OK && rbits > 0) {             uint16_t _rb = rbits;  /* raw_cmd checkCrc=false returns byte count */             /* Verify and strip CRC manually (checkCrc=false above) */             if (_rb >= 3) {                 uint8_t _crc[2]; crc_14a_calculate(rbuf, _rb - 2, _crc);                 if (rbuf[_rb-2] == _crc[0] && rbuf[_rb-1] == _crc[1]) {                     blk ^= 1;                     uint16_t _chain_len = 0;                     uint8_t _resp_pcb = rbuf[0];                     /* Copy data portion (strip PCB and CRC) */                     uint8_t _dlen = _rb - 3;                     if (_dlen > 0 && _chain_len + _dlen < sizeof(chain_buf)) {                         memcpy(&chain_buf[_chain_len], &rbuf[1], _dlen);                         _chain_len += _dlen;                     }                     /* Handle chaining: PCB bit5=1 (b6 in ISO14443-4) means more data */                     while (_resp_pcb & 0x20) {                         /* Send R(ACK) to request next block */                         uint8_t _rack = 0xA2 | (blk & 0x01);                         abuf[0] = _rack;                         crc_14a_append(abuf, 1);                         rbits = 0;                         _st = pcd_14a_reader_bytes_transfer(PCD_TRANSCEIVE,                             abuf, 3, rbuf, &rbits, sizeof(rbuf) * 8);                         if (_st != STATUS_HF_TAG_OK || rbits < 24) break;                         _rb = rbits / 8;  /* bytes_transfer returns bits */                         crc_14a_calculate(rbuf, _rb - 2, _crc);                         if (rbuf[_rb-2] != _crc[0] || rbuf[_rb-1] != _crc[1]) break;                         blk ^= 1;                         _resp_pcb = rbuf[0];                         _dlen = _rb - 3;                         if (_dlen > 0 && _chain_len + _dlen < sizeof(chain_buf)) {                             memcpy(&chain_buf[_chain_len], &rbuf[1], _dlen);                             _chain_len += _dlen;                         }                     }                     *(rdata_ptr) = chain_buf;                     *(rlen_ptr)  = (_chain_len < sizeof(chain_buf) ? _chain_len : (uint16_t)(sizeof(chain_buf) - 1));                     _ok = true;                 }             }         }         _ok;     })
+    /* SEND_APDU: thin wrapper that calls the static tcl_apdu_ helper. */
+    #define SEND_APDU(ap, asz, rd, rl)         tcl_apdu_((ap),(asz),(rd),(rl),abuf,rbuf,chain_buf,&rbits,&blk)
+
+
 
     /* Append a cmd+resp pair to out buffer */
     #define APPEND_PAIR(cmd_ptr, cmd_sz, resp_ptr, resp_sz) do {         if (out_len + 1 + (cmd_sz) + 2 + (resp_sz) < NETDATA_MAX_DATA_LENGTH) {             out[out_len++] = (uint8_t)(cmd_sz);             memcpy(&out[out_len], (cmd_ptr), (cmd_sz)); out_len += (cmd_sz);             out[out_len++] = (uint8_t)((resp_sz) & 0xFF);             out[out_len++] = (uint8_t)((resp_sz) >> 8);             memcpy(&out[out_len], (resp_ptr), (resp_sz)); out_len += (resp_sz);         }     } while(0)
@@ -2243,6 +2317,23 @@ static data_frame_tx_t *cmd_processor_hf14a_4_emv_scan(uint16_t cmd, uint16_t st
     APPEND_PAIR(ppse_cmd, sizeof(ppse_cmd), ppse_resp, ppse_rlen);
     num_apdus++;
 
+    /* ---- Re-establish T=CL after PPSE ----------------------------
+     * The PPSE exchange leaves the RC522 in an unknown internal state.
+     * Rather than trying to clear it piecemeal, do a full reset:
+     * turn the field off briefly, rescan the card, re-run RATS.
+     * This guarantees a clean RC522 state before SELECT AID.
+     * blk resets to 0 because a new T=CL session starts after RATS. */
+    pcd_14a_reader_antenna_off();
+    bsp_delay_ms(10);
+    {
+        picc_14a_tag_t tag2;
+        pcd_14a_reader_reset();
+        pcd_14a_reader_antenna_on();
+        bsp_delay_ms(8);
+        if (pcd_14a_reader_scan_auto(&tag2) != STATUS_HF_TAG_OK) goto done;
+    }
+    blk = 0;   /* new T=CL session: block number restarts at 0 */
+
     /* ---- Extract first AID from PPSE ----------------------------- */
     uint8_t aid[16]; uint8_t aid_len = 0;
     for (uint8_t i = 0; i + 1 < ppse_rlen; i++) {

software/script/chameleon_cli_unit.py

@@ -8172,7 +8172,7 @@ def on_exec(self, args: argparse.Namespace):
         except Exception:
             time.sleep(0.3)
 
-        print(f' {CY}Scanning... (place card on antenna){C0}')
+        print(f' {CY}Scanning... (place card on antenna) [fw-canary:v5]{C0}')
 
         # Single firmware call — full EMV sequence without USB round-trips
         resp = cmd.hf14a_4_emv_scan()
@@ -8284,6 +8284,204 @@ def find_tag(data, tag):
                                  'Offline': '01', 'Data': tlv_to_dict(r_body)})
             result['Application']['Records'] = records
 
+        # ---- Decode and display key card fields from EMV records --------
+        def _pan_luhn(pan: str) -> bool:
+            digits = [int(c) for c in pan if c.isdigit()]
+            digits.reverse()
+            total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
+                        for i, d in enumerate(digits))
+            return total % 10 == 0
+
+        def _find_tag_all(data: bytes, *tags: int):
+            """Recursively find all values for any of the given tags."""
+            results = {}
+            for t in tags:
+                results[t] = []
+            i = 0
+            while i < len(data) - 1:
+                tl = 2 if (data[i] & 0x1F) == 0x1F else 1
+                if i + tl > len(data):
+                    break
+                cur_tag = int.from_bytes(data[i:i+tl], 'big')
+                i += tl
+                if i >= len(data):
+                    break
+                if data[i] & 0x80:
+                    nb = data[i] & 0x7F; i += 1
+                    vlen = int.from_bytes(data[i:i+nb], 'big'); i += nb
+                else:
+                    vlen = data[i]; i += 1
+                val = data[i:i+vlen]; i += vlen
+                if cur_tag in results:
+                    results[cur_tag].append(val)
+                # recurse into constructed TLV
+                if data[i - vlen - (1 if vlen < 128 else 2)] & 0x20 if False else                    (data[i - vlen - 1] & 0x20 if vlen < 128 else False):
+                    sub = _find_tag_all(val, *tags)
+                    for t in tags:
+                        results[t].extend(sub[t])
+            return results
+
+        # Simpler recursive TLV walker
+        def tlv_find(data: bytes, *want_tags: int) -> dict:
+            found = {t: [] for t in want_tags}
+            i = 0
+            while i < len(data):
+                if i + 1 >= len(data):
+                    break
+                b0 = data[i]
+                tl = 2 if (b0 & 0x1F) == 0x1F else 1
+                if i + tl > len(data):
+                    break
+                tag = int.from_bytes(data[i:i+tl], 'big')
+                i += tl
+                if i >= len(data):
+                    break
+                constructed = bool(b0 & 0x20)
+                if data[i] & 0x80:
+                    nb = data[i] & 0x7F; i += 1
+                    if i + nb > len(data):
+                        break
+                    vlen = int.from_bytes(data[i:i+nb], 'big'); i += nb
+                else:
+                    vlen = data[i]; i += 1
+                # For truncated TLV: read whatever bytes are available and
+                # continue parsing — don't break, so we can find tags inside
+                # truncated constructed TLV (e.g. 6F/A5 larger than received data)
+                truncated = (i + vlen > len(data))
+                val = data[i:i+vlen] if not truncated else data[i:]
+                i = (i + vlen) if not truncated else len(data)
+                if tag in found and not truncated:
+                    found[tag].append(val)
+                if constructed:
+                    sub = tlv_find(val, *want_tags)
+                    for t in want_tags:
+                        found[t].extend(sub[t])
+            return found
+
+        # Collect all response bodies for tag search.
+        # tlv_to_dict stores the VALUE (content) of the outermost tag —
+        # so rec['Data']['value'] is already the unwrapped inner bytes.
+        all_record_data = b''
+        for rec in result.get('Application', {}).get('Records', []):
+            raw_hex = rec.get('Data', {}).get('value', '')
+            try:
+                all_record_data += bytes.fromhex(raw_hex.replace(' ', ''))
+            except Exception:
+                pass
+        # Also include GPO and SELECT AID FCI values for label/name tags
+        extra_data = b''
+        for key in ('GPO', 'FCITemplate'):
+            v = result.get('Application', {}).get(key, {})
+            if isinstance(v, dict):
+                try:
+                    extra_data += bytes.fromhex(v.get('value', '').replace(' ', ''))
+                except Exception:
+                    pass
+        all_search_data = all_record_data + extra_data
+
+        # EMV tag definitions:
+        # 0x5A  = PAN
+        # 0x5F24 = Expiry Date (YYMMDD)
+        # 0x5F20 = Cardholder Name
+        # 0x5F28 = Issuer Country Code
+        # 0x8C / 0x8D = CDOL — skip
+        # 0x9F12 = Application Preferred Name
+        # 0x50   = Application Label
+        tags = tlv_find(all_record_data, 0x5A, 0x57, 0x5F24, 0x5F20, 0x5F28)
+        app_tags = tlv_find(all_search_data, 0x9F12, 0x50)
+        tags[0x9F12] = app_tags[0x9F12]
+        tags[0x50]   = app_tags[0x50]
+
+        print(f'')
+        print(f' {CG}── Card Details ──────────────────────{C0}')
+
+        # App label
+        for v in tags.get(0x50, []):
+            try:
+                lbl = v.decode('ascii', errors='replace').strip()
+                if lbl:
+                    print(f' {CG}App Label     :{C0} {CY}{lbl}{C0}')
+            except Exception:
+                pass
+
+        # PAN — prefer Track2 D-separator (authoritative, no padding ambiguity)
+        pan_hex = None
+        for v in tags.get(0x57, []):
+            t2 = v.hex().upper()
+            sep = t2.find('D')
+            if sep > 0:
+                pan_hex = t2[:sep]
+                break
+        if not pan_hex:
+            for v in tags.get(0x5A, []):
+                raw = v.hex().upper()
+                pan_hex = raw.rstrip('F') if raw.endswith('F') else raw
+                break
+        if pan_hex:
+            pan_fmt = ' '.join(pan_hex[i:i+4] for i in range(0, len(pan_hex), 4))
+            luhn_ok = _pan_luhn(pan_hex)
+            luhn_str = f'{CG}✓{C0}' if luhn_ok else f'{CR}✗{C0}'
+            print(f' {CG}PAN           :{C0} {CY}{pan_fmt}{C0}  Luhn: {luhn_str}')
+            result.setdefault('Decoded', {})['PAN'] = pan_hex
+        else:
+            print(f' {CR}PAN           : not found{C0}')
+
+        # Expiry — 5F24 is 3 bytes BCD: YYMMDD
+        expiry_found = False
+        for v in tags.get(0x5F24, []):
+            if len(v) == 3:
+                exp = v.hex().upper()
+                exp_fmt = f'20{exp[0:2]}/{exp[2:4]}'
+                print(f' {CG}Expiry        :{C0} {CY}{exp_fmt}{C0}')
+                result.setdefault('Decoded', {})['Expiry'] = exp_fmt
+                expiry_found = True
+        # Fallback: extract expiry from Track2 after D separator (YYMM)
+        if not expiry_found and pan_hex:
+            for v in tags.get(0x57, []):
+                t2 = v.hex().upper()
+                sep = t2.find('D')
+                if sep > 0 and len(t2) >= sep + 5:
+                    yymm = t2[sep+1:sep+5]
+                    if yymm.isdigit():
+                        exp_fmt = f'20{yymm[0:2]}/{yymm[2:4]}'
+                        print(f' {CG}Expiry        :{C0} {CY}{exp_fmt}{C0} (from Track2)')
+                        result.setdefault('Decoded', {})['Expiry'] = exp_fmt
+                        expiry_found = True
+                        break
+        if not expiry_found:
+            print(f' {CR}Expiry        : not found{C0}')
+
+        # Cardholder Name (tag 5F20: printable ASCII only)
+        for v in tags[0x5F20]:
+            try:
+                if v and all(0x20 <= b <= 0x7E for b in v):
+                    name = v.decode('ascii').strip()
+                    if name:
+                        print(f' {CG}Cardholder    :{C0} {CY}{name}{C0}')
+                        result.setdefault('Decoded', {})['CardholderName'] = name
+            except Exception:
+                pass
+
+        # Issuer Country Code (ISO 3166-1 numeric, BCD)
+        for v in tags[0x5F28]:
+            country = v.hex().upper().lstrip('0') or '0'
+            print(f' {CG}Issuer Country:{C0} {CY}{country}{C0}')
+            result.setdefault('Decoded', {})['IssuerCountry'] = country
+
+        # Application Preferred Name / Label
+        for v in tags[0x9F12]:
+            try:
+                print(f' {CG}App Name      :{C0} {CY}{v.decode("ascii", errors="replace").strip()}{C0}')
+            except Exception:
+                pass
+        for v in tags[0x50]:
+            try:
+                print(f' {CG}App Label     :{C0} {CY}{v.decode("ascii", errors="replace").strip()}{C0}')
+            except Exception:
+                pass
+
+        print(f' {CG}──────────────────────────────────────{C0}')
+
         json_str = jsonlib.dumps(result, indent=2)
         if args.file:
             try:
@@ -8634,5 +8832,3 @@ def on_exec(self, args: argparse.Namespace):
                 break
 
         print(f'\n {C0}Relay ended. {exchange_count} APDU exchange(s) completed.{C0}')
-
-