[proxmark3-svn] / client / cmdhficlass.c

//-----------------------------------------------------------------------------
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
// Copyright (C) 2011 Gerhard de Koning Gans
// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency iClass commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
#include "data.h"
#include "proxmark3.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhficlass.h"
#include "common.h"
#include "util.h"
#include "cmdmain.h"
#include "loclass/des.h"
#include "loclass/cipherutils.h"
#include "loclass/cipher.h"
#include "loclass/ikeys.h"
#include "loclass/elite_crack.h"
#include "loclass/fileutils.h"

static int CmdHelp(const char *Cmd);

int xorbits_8(uint8_t val)
{
    uint8_t res = val ^ (val >> 1); //1st pass
    res = res ^ (res >> 1); 		// 2nd pass
    res = res ^ (res >> 2); 		// 3rd pass
    res = res ^ (res >> 4); 			// 4th pass
    return res & 1;
}

int CmdHFiClassList(const char *Cmd)
{
	PrintAndLog("Deprecated command, use 'hf list iclass' instead");
	return 0;
}

int CmdHFiClassSnoop(const char *Cmd)
{
  UsbCommand c = {CMD_SNOOP_ICLASS};
  SendCommand(&c);
  return 0;
}
#define NUM_CSNS 15
int CmdHFiClassSim(const char *Cmd)
{
  uint8_t simType = 0;
  uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  if (strlen(Cmd)<1) {
	PrintAndLog("Usage:  hf iclass sim [0 <CSN>] | x");
	PrintAndLog("        options");
	PrintAndLog("                0 <CSN> simulate the given CSN");
	PrintAndLog("                1       simulate default CSN");
	PrintAndLog("                2       iterate CSNs, gather MACs");
	PrintAndLog("        sample: hf iclass sim 0 031FEC8AF7FF12E0");
	PrintAndLog("        sample: hf iclass sim 2");
	return 0;
  }	

  simType = param_get8(Cmd, 0);

  if(simType == 0)
  {
	  if (param_gethex(Cmd, 1, CSN, 16)) {
		  PrintAndLog("A CSN should consist of 16 HEX symbols");
		  return 1;
	  }
	  PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));

  }
  if(simType > 2)
  {
	  PrintAndLog("Undefined simptype %d", simType);
	  return 1;
  }
  uint8_t numberOfCSNs=0;

	if(simType == 2)
	{
		UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
		UsbCommand resp = {0};

		/*uint8_t csns[8 * NUM_CSNS] = {
			 0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
			 0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
			 0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
			 0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 ,
			 0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 ,
			 0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
			 0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
			 0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
*/
      
       uint8_t csns[8*NUM_CSNS] = {
        0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };

		memcpy(c.d.asBytes, csns, 8*NUM_CSNS);

		SendCommand(&c);
		if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
			PrintAndLog("Command timed out");
			return 0;
		}

		uint8_t num_mac_responses  = resp.arg[1];
		PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);

		size_t datalen = NUM_CSNS*24;
		/*
		 * Now, time to dump to file. We'll use this format:
		 * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
		 * So, it should wind up as
		 * 8 * 24 bytes.
		 *
		 * The returndata from the pm3 is on the following format
		 * <4 byte NR><4 byte MAC>
		 * CC are all zeroes, CSN is the same as was sent in
		 **/
		void* dump = malloc(datalen);
		memset(dump,0,datalen);//<-- Need zeroes for the CC-field
		uint8_t i = 0;
		for(i = 0 ; i < NUM_CSNS ; i++)
		{
			memcpy(dump+i*24, csns+i*8,8); //CSN
			//8 zero bytes here...
			//Then comes NR_MAC (eight bytes from the response)
			memcpy(dump+i*24+16,resp.d.asBytes+i*8,8);

		}
		/** Now, save to dumpfile **/
		saveFile("iclass_mac_attack", "bin", dump,datalen);
		free(dump);
	}else
	{
		UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
		memcpy(c.d.asBytes, CSN, 8);
		SendCommand(&c);
	}

  return 0;
}

int CmdHFiClassReader(const char *Cmd)
{
  UsbCommand c = {CMD_READER_ICLASS, {0}};
  SendCommand(&c);
    UsbCommand resp;
  while(!ukbhit()){
      if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
            uint8_t isOK    = resp.arg[0] & 0xff;
            uint8_t * data  = resp.d.asBytes;

            PrintAndLog("isOk:%02x", isOK);
            if( isOK == 0){
                //Aborted
                PrintAndLog("Quitting...");
                return 0;
            }
            if(isOK > 0)
            {
                PrintAndLog("CSN: %s",sprint_hex(data,8));
            }
            if(isOK >= 1)
            {
                PrintAndLog("CC: %s",sprint_hex(data+8,8));
            }else{
                PrintAndLog("No CC obtained");
            }
        } else {
            PrintAndLog("Command execute timeout");
        }
    }

  return 0;
}

int CmdHFiClassReader_Replay(const char *Cmd)
{
  uint8_t readerType = 0;
  uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};

  if (strlen(Cmd)<1) {
    PrintAndLog("Usage:  hf iclass replay <MAC>");
    PrintAndLog("        sample: hf iclass replay 00112233");
    return 0;
  }

  if (param_gethex(Cmd, 0, MAC, 8)) {
    PrintAndLog("MAC must include 8 HEX symbols");
    return 1;
  }

  UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
  memcpy(c.d.asBytes, MAC, 4);
  SendCommand(&c);

  return 0;
}

int CmdHFiClassReader_Dump(const char *Cmd)
{
  uint8_t readerType = 0;
  uint8_t MAC[4]={0x00,0x00,0x00,0x00};
  uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  //uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t keytable[128] = {0};
  int elite = 0;
  uint8_t *used_key;
  int i;
  if (strlen(Cmd)<1) 
  {
    PrintAndLog("Usage:  hf iclass dump <Key> [e]");
    PrintAndLog("        Key    - A 16 byte master key");
    PrintAndLog("        e      - If 'e' is specified, the key is interpreted as the 16 byte");
    PrintAndLog("                 Custom Key (KCus), which can be obtained via reader-attack");
    PrintAndLog("                 See 'hf iclass sim 2'. This key should be on iclass-format");
    PrintAndLog("        sample: hf iclass dump 0011223344556677");


    return 0;
  }

  if (param_gethex(Cmd, 0, KEY, 16)) 
  {
    PrintAndLog("KEY must include 16 HEX symbols");
    return 1;
  }

  if (param_getchar(Cmd, 1) == 'e')
  {
    PrintAndLog("Elite switch on");
    elite = 1;

    //calc h2
    hash2(KEY, keytable);
    printarr_human_readable("keytable", keytable, 128);

  }

  UsbCommand resp;
  uint8_t key_sel[8] = {0};
  uint8_t key_sel_p[8] = { 0 };

  UsbCommand c = {CMD_READER_ICLASS, {0}};
  c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE| FLAG_ICLASS_READER_GET_CC;
  SendCommand(&c);
  

  if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
  {
	  PrintAndLog("Command execute timeout");
	  return 0;
  }

	uint8_t isOK    = resp.arg[0] & 0xff;
	uint8_t * data  = resp.d.asBytes;

	memcpy(CSN,data,8);
	memcpy(CCNR,data+8,8);

	PrintAndLog("isOk:%02x", isOK);

	if(isOK > 0)
	{
		PrintAndLog("CSN: %s",sprint_hex(CSN,8));
	}
	if(isOK <= 1){
		PrintAndLog("Failed to obtain CC! Aborting");
		return 0;
	}
	//Status 2 or higher

	if(elite)
	{
		//Get the key index (hash1)
		uint8_t key_index[8] = {0};

		hash1(CSN, key_index);
		printvar("hash1", key_index,8);
		for(i = 0; i < 8 ; i++)
			key_sel[i] = keytable[key_index[i]] & 0xFF;
		PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
		printvar("k_sel", key_sel,8);
		//Permute from iclass format to standard format
		permutekey_rev(key_sel,key_sel_p);
		used_key = key_sel_p;
	}else{
		used_key = KEY;
	}

	PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
	printvar("Used key",used_key,8);
	diversifyKey(CSN,used_key, div_key);
	PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
	printvar("Div key", div_key, 8);
	printvar("CC_NR:",CCNR,12);
	doMAC(CCNR,12,div_key, MAC);
	printvar("MAC", MAC, 4);

	uint8_t iclass_data[32000] = {0};
	uint32_t iclass_datalen = 0;
	uint32_t iclass_blocksFailed = 0;//Set to 1 if dump was incomplete

	UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
	memcpy(d.d.asBytes, MAC, 4);
	clearCommandBuffer();
	SendCommand(&d);
	PrintAndLog("Waiting for device to dump data. Press button on device and key on keyboard to abort...");
	while (true) {
		printf(".");
		if (ukbhit()) {
			getchar();
			printf("\naborted via keyboard!\n");
			break;
		}
		if(WaitForResponseTimeout(CMD_ACK,&resp,4500))
		{
			uint32_t dataLength = resp.arg[0];
			iclass_blocksFailed |= resp.arg[1];
			if(dataLength > 0)
			{
				PrintAndLog("Got %d bytes data (total so far %d)" ,dataLength,iclass_datalen);
				memcpy(iclass_data, resp.d.asBytes,dataLength);
				iclass_datalen += dataLength;
			}else
			{//Last transfer, datalength 0 means the dump is finished
				PrintAndLog("Dumped %d bytes of data from tag. ", iclass_datalen);
				if(iclass_blocksFailed)
				{
					PrintAndLog("OBS! Some blocks failed to be dumped correctly!");
				}
				if(iclass_datalen > 0)
				{
					char filename[100] = {0};
					//create a preferred filename
					snprintf(filename, 100,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
							 CSN[0],CSN[1],CSN[2],CSN[3],
							 CSN[4],CSN[5],CSN[6],CSN[7]);
					saveFile(filename,"bin",iclass_data, iclass_datalen );
				}
				//Aaaand we're finished
				return 0;
			}
		}
	}


  return 0;
}

int hf_iclass_eload_usage()
{
	PrintAndLog("Loads iclass tag-dump into emulator memory on device");
	PrintAndLog("Usage:  hf iclass eload f <filename>");
	PrintAndLog("");
	PrintAndLog("Example: hf iclass eload f iclass_tagdump-aa162d30f8ff12f1.bin");
	return 0;

}

int iclassEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
	UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNum, blocksCount, 0}};
	memcpy(c.d.asBytes, data, blocksCount * 16);
	SendCommand(&c);
	return 0;
}
int CmdHFiClassELoad(const char *Cmd)
{

	char opt = param_getchar(Cmd, 0);
	if (strlen(Cmd)<1 || opt == 'h')
		return hf_iclass_eload_usage();

	//File handling and reading
	FILE *f;
	char filename[FILE_PATH_SIZE];
	if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0)
	{
		f = fopen(filename, "rb");
	}else{
		return hf_iclass_eload_usage();
	}

	if(!f) {
		PrintAndLog("Failed to read from file '%s'", filename);
		return 1;
	}

	fseek(f, 0, SEEK_END);
	long fsize = ftell(f);
	fseek(f, 0, SEEK_SET);

	uint8_t *dump = malloc(fsize);
	size_t bytes_read = fread(dump, 1, fsize, f);
	fclose(f);

	//Validate

	if (bytes_read < fsize)
	{
		prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
		free(dump);
		return 1;
	}
	//Send to device
	uint32_t bytes_sent = 0;
	uint32_t bytes_remaining  = bytes_read;

	while(bytes_remaining > 0){
		uint32_t bytes_in_packet = MIN(USB_CMD_DATA_SIZE, bytes_remaining);
		UsbCommand c = {CMD_ICLASS_EML_MEMSET, {bytes_sent,bytes_in_packet,0}};
		memcpy(c.d.asBytes, dump, bytes_in_packet);
		SendCommand(&c);
		bytes_remaining -= bytes_in_packet;
		bytes_sent += bytes_in_packet;
	}
	free(dump);
	PrintAndLog("Sent %d bytes of data to device emulator memory", bytes_sent);
	return 0;
}


int CmdHFiClass_iso14443A_write(const char *Cmd)
{
  uint8_t readerType = 0;
  uint8_t MAC[4]={0x00,0x00,0x00,0x00};
  uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

  uint8_t blockNo=0;
  uint8_t bldata[8]={0};

  if (strlen(Cmd)<3) 
  {
    PrintAndLog("Usage:  hf iclass write <Key> <Block> <Data>");
    PrintAndLog("        sample: hf iclass write 0011223344556677 10 AAAAAAAAAAAAAAAA");
    return 0;
  }

  if (param_gethex(Cmd, 0, KEY, 16)) 
  {
    PrintAndLog("KEY must include 16 HEX symbols");
    return 1;
  }
  
  blockNo = param_get8(Cmd, 1);
  if (blockNo>32)
  {
        PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!");
        return 1;
  }
  if (param_gethex(Cmd, 2, bldata, 8)) 
  {
        PrintAndLog("Block data must include 8 HEX symbols");
        return 1;
  }
  
  UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}};
  SendCommand(&c);
  UsbCommand resp;

  if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
    uint8_t isOK    = resp.arg[0] & 0xff;
    uint8_t * data  = resp.d.asBytes;
    
    memcpy(CSN,data,8);
    memcpy(CCNR,data+8,8);
    PrintAndLog("DEBUG: %s",sprint_hex(CSN,8));
	PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8));
	PrintAndLog("isOk:%02x", isOK);
  } else {
	PrintAndLog("Command execute timeout");
  }

  diversifyKey(CSN,KEY, div_key);

  PrintAndLog("Div Key: %s",sprint_hex(div_key,8));
  doMAC(CCNR, 12,div_key, MAC);

  UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}};
  memcpy(c2.d.asBytes, bldata, 8);
  memcpy(c2.d.asBytes+8, MAC, 4);
  SendCommand(&c2);

  if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
    uint8_t isOK    = resp.arg[0] & 0xff;
    uint8_t * data  = resp.d.asBytes;

    if (isOK)
      PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
    else
      PrintAndLog("isOk:%02x", isOK);
  } else {
      PrintAndLog("Command execute timeout");
  }
  return 0;
}
int CmdHFiClass_loclass(const char *Cmd)
{
	char opt = param_getchar(Cmd, 0);

	if (strlen(Cmd)<1 || opt == 'h') {
		PrintAndLog("Usage: hf iclass loclass [options]");
		PrintAndLog("Options:");
		PrintAndLog("h             Show this help");
		PrintAndLog("t             Perform self-test");
		PrintAndLog("f <filename>  Bruteforce iclass dumpfile");
		PrintAndLog("                   An iclass dumpfile is assumed to consist of an arbitrary number of");
		PrintAndLog("                   malicious CSNs, and their protocol responses");
		PrintAndLog("                   The the binary format of the file is expected to be as follows: ");
		PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
		PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
		PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
		PrintAndLog("                  ... totalling N*24 bytes");
		return 0;
	}
	char fileName[255] = {0};
	if(opt == 'f')
	{
			if(param_getstr(Cmd, 1, fileName) > 0)
			{
				return bruteforceFileNoKeys(fileName);
			}else
			{
				PrintAndLog("You must specify a filename");
			}
	}
	else if(opt == 't')
	{
		int errors = testCipherUtils();
		errors += testMAC();
		errors += doKeyTests(0);
		errors += testElite();
		if(errors)
		{
			prnlog("OBS! There were errors!!!");
		}
		return errors;
	}

	return 0;
}

static command_t CommandTable[] = 
{
	{"help",	CmdHelp,			1,	"This help"},
	{"list",	CmdHFiClassList,	0,	"[Deprecated] List iClass history"},
	{"snoop",	CmdHFiClassSnoop,	0,	"Eavesdrop iClass communication"},
	{"sim",	CmdHFiClassSim,		0,	"Simulate iClass tag"},
	{"reader",CmdHFiClassReader,	0,	"Read an iClass tag"},
	{"replay",CmdHFiClassReader_Replay,	0,	"Read an iClass tag via Reply Attack"},
	{"dump",	CmdHFiClassReader_Dump,	0,		"Authenticate and Dump iClass tag"},
	{"write",	CmdHFiClass_iso14443A_write,	0,	"Authenticate and Write iClass block"},
	{"loclass",	CmdHFiClass_loclass,	1,	"Use loclass to perform bruteforce of reader attack dump"},
	{"eload",   CmdHFiClassELoad,    0,     "[experimental] Load data into iclass emulator memory"},
	{NULL, NULL, 0, NULL}
};

int CmdHFiClass(const char *Cmd)
{
  CmdsParse(CommandTable, Cmd);
  return 0;
}

int CmdHelp(const char *Cmd)
{
  CmdsHelp(CommandTable);
  return 0;
}
Commit	Line	Data
cee5a30d	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
	3	// Copyright (C) 2011 Gerhard de Koning Gans
26c0d833	4	// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
cee5a30d	5	//
	6	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	7	// at your option, any later version. See the LICENSE.txt file for the text of
	8	// the license.
	9	//-----------------------------------------------------------------------------
	10	// High frequency iClass commands
	11	//-----------------------------------------------------------------------------
	12
	13	#include <stdio.h>
	14	#include <stdlib.h>
	15	#include <string.h>
9f6e9d15	16	#include <sys/stat.h>
cee5a30d	17	#include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
cee5a30d	18	#include "data.h"
902cb3c0	19	#include "proxmark3.h"
cee5a30d	20	#include "ui.h"
	21	#include "cmdparser.h"
	22	#include "cmdhficlass.h"
	23	#include "common.h"
14006804	24	#include "util.h"
17cba269	25	#include "cmdmain.h"
a66fca86 AD	26	#include "loclass/des.h"
	27	#include "loclass/cipherutils.h"
	28	#include "loclass/cipher.h"
	29	#include "loclass/ikeys.h"
3ad48540 MHS	30	#include "loclass/elite_crack.h"
3ad48540 MHS	31	#include "loclass/fileutils.h"
cee5a30d	32
	33	static int CmdHelp(const char *Cmd);
	34
17cba269 MHS	35	int xorbits_8(uint8_t val)
17cba269 MHS	36	{
3ad48540 MHS	37	uint8_t res = val ^ (val >> 1); //1st pass
	38	res = res ^ (res >> 1); // 2nd pass
	39	res = res ^ (res >> 2); // 3rd pass
	40	res = res ^ (res >> 4); // 4th pass
	41	return res & 1;
17cba269 MHS	42	}
17cba269 MHS	43
cee5a30d	44	int CmdHFiClassList(const char *Cmd)
17cba269	45	{
4c3de57a	46	PrintAndLog("Deprecated command, use 'hf list iclass' instead");
17cba269 MHS	47	return 0;
	48	}
	49
cee5a30d	50	int CmdHFiClassSnoop(const char *Cmd)
	51	{
	52	UsbCommand c = {CMD_SNOOP_ICLASS};
	53	SendCommand(&c);
	54	return 0;
	55	}
6116c796	56	#define NUM_CSNS 15
1e262141	57	int CmdHFiClassSim(const char *Cmd)
	58	{
	59	uint8_t simType = 0;
	60	uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
	61
17cba269 MHS	62	if (strlen(Cmd)<1) {
	63	PrintAndLog("Usage: hf iclass sim [0 <CSN>] \| x");
	64	PrintAndLog(" options");
	65	PrintAndLog(" 0 <CSN> simulate the given CSN");
	66	PrintAndLog(" 1 simulate default CSN");
	67	PrintAndLog(" 2 iterate CSNs, gather MACs");
1e262141	68	PrintAndLog(" sample: hf iclass sim 0 031FEC8AF7FF12E0");
17cba269	69	PrintAndLog(" sample: hf iclass sim 2");
1e262141	70	return 0;
	71	}
	72
	73	simType = param_get8(Cmd, 0);
17cba269 MHS	74
	75	if(simType == 0)
	76	{
	77	if (param_gethex(Cmd, 1, CSN, 16)) {
	78	PrintAndLog("A CSN should consist of 16 HEX symbols");
	79	return 1;
	80	}
	81	PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));
	82
	83	}
77abe781	84	if(simType > 2)
17cba269 MHS	85	{
	86	PrintAndLog("Undefined simptype %d", simType);
	87	return 1;
1e262141	88	}
17cba269	89	uint8_t numberOfCSNs=0;
1e262141	90
9f6e9d15 MHS	91	if(simType == 2)
9f6e9d15 MHS	92	{
6116c796	93	UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
9f6e9d15	94	UsbCommand resp = {0};
17cba269	95
6116c796	96	/uint8_t csns[8 NUM_CSNS] = {
77abe781 MHS	97	0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
	98	0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
	99	0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
	100	0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 ,
	101	0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 ,
	102	0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
	103	0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
	104	0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
6116c796 MHS	105	*/
	106
	107	uint8_t csns[8*NUM_CSNS] = {
	108	0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
	109	0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
	110	0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
	111	0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
	112	0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
	113	0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
	114	0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
	115	0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
	116	0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
	117	0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
	118	0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
	119	0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
	120	0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
	121	0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
	122	0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
	123
	124	memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
9f6e9d15 MHS	125
	126	SendCommand(&c);
	127	if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
	128	PrintAndLog("Command timed out");
	129	return 0;
	130	}
1e262141	131
77abe781	132	uint8_t num_mac_responses = resp.arg[1];
6116c796	133	PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);
9f6e9d15	134
6116c796	135	size_t datalen = NUM_CSNS*24;
9f6e9d15 MHS	136	/*
9f6e9d15 MHS	137	* Now, time to dump to file. We'll use this format:
77abe781	138	* <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
9f6e9d15	139	* So, it should wind up as
77abe781 MHS	140	* 8 * 24 bytes.
	141	*
	142	* The returndata from the pm3 is on the following format
	143	* <4 byte NR><4 byte MAC>
	144	* CC are all zeroes, CSN is the same as was sent in
9f6e9d15	145	**/
77abe781 MHS	146	void* dump = malloc(datalen);
77abe781 MHS	147	memset(dump,0,datalen);//<-- Need zeroes for the CC-field
9f6e9d15	148	uint8_t i = 0;
6116c796	149	for(i = 0 ; i < NUM_CSNS ; i++)
9f6e9d15	150	{
77abe781 MHS	151	memcpy(dump+i24, csns+i8,8); //CSN
	152	//8 zero bytes here...
	153	//Then comes NR_MAC (eight bytes from the response)
	154	memcpy(dump+i24+16,resp.d.asBytes+i8,8);
1e262141	155
9f6e9d15 MHS	156	}
9f6e9d15 MHS	157	/ Now, save to dumpfile /
77abe781 MHS	158	saveFile("iclass_mac_attack", "bin", dump,datalen);
77abe781 MHS	159	free(dump);
9f6e9d15 MHS	160	}else
	161	{
	162	UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
	163	memcpy(c.d.asBytes, CSN, 8);
	164	SendCommand(&c);
	165	}
1e262141	166
1e262141	167	return 0;
	168	}
	169
	170	int CmdHFiClassReader(const char *Cmd)
	171	{
aa41c605	172	UsbCommand c = {CMD_READER_ICLASS, {0}};
1e262141	173	SendCommand(&c);
aa41c605 MHS	174	UsbCommand resp;
	175	while(!ukbhit()){
	176	if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
	177	uint8_t isOK = resp.arg[0] & 0xff;
	178	uint8_t * data = resp.d.asBytes;
	179
	180	PrintAndLog("isOk:%02x", isOK);
2e9d4b3f MHS	181	if( isOK == 0){
	182	//Aborted
	183	PrintAndLog("Quitting...");
	184	return 0;
	185	}
aa41c605 MHS	186	if(isOK > 0)
	187	{
	188	PrintAndLog("CSN: %s",sprint_hex(data,8));
	189	}
	190	if(isOK >= 1)
	191	{
	192	PrintAndLog("CC: %s",sprint_hex(data+8,8));
	193	}else{
	194	PrintAndLog("No CC obtained");
	195	}
	196	} else {
	197	PrintAndLog("Command execute timeout");
	198	}
	199	}
1e262141	200
c3963755	201	return 0;
	202	}
	203
	204	int CmdHFiClassReader_Replay(const char *Cmd)
	205	{
	206	uint8_t readerType = 0;
	207	uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
	208
	209	if (strlen(Cmd)<1) {
	210	PrintAndLog("Usage: hf iclass replay <MAC>");
	211	PrintAndLog(" sample: hf iclass replay 00112233");
	212	return 0;
	213	}
	214
	215	if (param_gethex(Cmd, 0, MAC, 8)) {
	216	PrintAndLog("MAC must include 8 HEX symbols");
	217	return 1;
	218	}
	219
	220	UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
	221	memcpy(c.d.asBytes, MAC, 4);
	222	SendCommand(&c);
1e262141	223
	224	return 0;
	225	}
	226
a66fca86 AD	227	int CmdHFiClassReader_Dump(const char *Cmd)
	228	{
	229	uint8_t readerType = 0;
	230	uint8_t MAC[4]={0x00,0x00,0x00,0x00};
	231	uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	232	uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	233	uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
fecd8202	234	//uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
a66fca86	235	uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
9b82de75 MHS	236	uint8_t keytable[128] = {0};
	237	int elite = 0;
	238	uint8_t *used_key;
	239	int i;
fecd8202	240	if (strlen(Cmd)<1)
fecd8202	241	{
9b82de75 MHS	242	PrintAndLog("Usage: hf iclass dump <Key> [e]");
	243	PrintAndLog(" Key - A 16 byte master key");
	244	PrintAndLog(" e - If 'e' is specified, the key is interpreted as the 16 byte");
	245	PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack");
	246	PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format");
fecd8202	247	PrintAndLog(" sample: hf iclass dump 0011223344556677");
9b82de75 MHS	248
9b82de75 MHS	249
a66fca86 AD	250	return 0;
	251	}
	252
fecd8202	253	if (param_gethex(Cmd, 0, KEY, 16))
fecd8202	254	{
a66fca86 AD	255	PrintAndLog("KEY must include 16 HEX symbols");
	256	return 1;
	257	}
9b82de75 MHS	258
	259	if (param_getchar(Cmd, 1) == 'e')
	260	{
	261	PrintAndLog("Elite switch on");
	262	elite = 1;
	263
	264	//calc h2
	265	hash2(KEY, keytable);
9e28ee9f	266	printarr_human_readable("keytable", keytable, 128);
9b82de75 MHS	267
	268	}
	269
0eea34a2 MHS	270	UsbCommand resp;
	271	uint8_t key_sel[8] = {0};
	272	uint8_t key_sel_p[8] = { 0 };
	273
aa41c605	274	UsbCommand c = {CMD_READER_ICLASS, {0}};
c8dd9b09	275	c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE\| FLAG_ICLASS_READER_GET_CC;
cb29e00a	276	SendCommand(&c);
fecd8202	277
26c0d833	278
0eea34a2	279
cb29e00a MHS	280	if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
	281	{
	282	PrintAndLog("Command execute timeout");
	283	return 0;
	284	}
26c0d833	285
cb29e00a MHS	286	uint8_t isOK = resp.arg[0] & 0xff;
cb29e00a MHS	287	uint8_t * data = resp.d.asBytes;
3ad48540	288
cb29e00a MHS	289	memcpy(CSN,data,8);
cb29e00a MHS	290	memcpy(CCNR,data+8,8);
a66fca86	291
cb29e00a	292	PrintAndLog("isOk:%02x", isOK);
9e28ee9f	293
cb29e00a MHS	294	if(isOK > 0)
	295	{
	296	PrintAndLog("CSN: %s",sprint_hex(CSN,8));
	297	}
	298	if(isOK <= 1){
	299	PrintAndLog("Failed to obtain CC! Aborting");
	300	return 0;
	301	}
	302	//Status 2 or higher
9e28ee9f	303
cb29e00a MHS	304	if(elite)
	305	{
	306	//Get the key index (hash1)
	307	uint8_t key_index[8] = {0};
	308
	309	hash1(CSN, key_index);
	310	printvar("hash1", key_index,8);
	311	for(i = 0; i < 8 ; i++)
	312	key_sel[i] = keytable[key_index[i]] & 0xFF;
	313	PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
	314	printvar("k_sel", key_sel,8);
	315	//Permute from iclass format to standard format
	316	permutekey_rev(key_sel,key_sel_p);
	317	used_key = key_sel_p;
	318	}else{
	319	used_key = KEY;
	320	}
9b82de75	321
cb29e00a MHS	322	PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
	323	printvar("Used key",used_key,8);
	324	diversifyKey(CSN,used_key, div_key);
	325	PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
	326	printvar("Div key", div_key, 8);
	327	printvar("CC_NR:",CCNR,12);
	328	doMAC(CCNR,12,div_key, MAC);
	329	printvar("MAC", MAC, 4);
	330
	331	uint8_t iclass_data[32000] = {0};
428d6221 MHS	332	uint32_t iclass_datalen = 0;
428d6221 MHS	333	uint32_t iclass_blocksFailed = 0;//Set to 1 if dump was incomplete
cb29e00a MHS	334
	335	UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
	336	memcpy(d.d.asBytes, MAC, 4);
	337	clearCommandBuffer();
	338	SendCommand(&d);
	339	PrintAndLog("Waiting for device to dump data. Press button on device and key on keyboard to abort...");
	340	while (true) {
	341	printf(".");
	342	if (ukbhit()) {
	343	getchar();
	344	printf("\naborted via keyboard!\n");
	345	break;
	346	}
	347	if(WaitForResponseTimeout(CMD_ACK,&resp,4500))
	348	{
428d6221	349	uint32_t dataLength = resp.arg[0];
cb29e00a	350	iclass_blocksFailed \|= resp.arg[1];
cb29e00a MHS	351	if(dataLength > 0)
cb29e00a MHS	352	{
428d6221	353	PrintAndLog("Got %d bytes data (total so far %d)" ,dataLength,iclass_datalen);
cb29e00a MHS	354	memcpy(iclass_data, resp.d.asBytes,dataLength);
	355	iclass_datalen += dataLength;
	356	}else
	357	{//Last transfer, datalength 0 means the dump is finished
	358	PrintAndLog("Dumped %d bytes of data from tag. ", iclass_datalen);
	359	if(iclass_blocksFailed)
	360	{
	361	PrintAndLog("OBS! Some blocks failed to be dumped correctly!");
	362	}
	363	if(iclass_datalen > 0)
	364	{
	365	char filename[100] = {0};
	366	//create a preferred filename
	367	snprintf(filename, 100,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
	368	CSN[0],CSN[1],CSN[2],CSN[3],
	369	CSN[4],CSN[5],CSN[6],CSN[7]);
	370	saveFile(filename,"bin",iclass_data, iclass_datalen );
cb29e00a MHS	371	}
	372	//Aaaand we're finished
	373	return 0;
	374	}
	375	}
	376	}
0eea34a2	377
1e262141	378
	379	return 0;
	380	}
	381
7781a656 MHS	382	int hf_iclass_eload_usage()
	383	{
	384	PrintAndLog("Loads iclass tag-dump into emulator memory on device");
	385	PrintAndLog("Usage: hf iclass eload f <filename>");
	386	PrintAndLog("");
	387	PrintAndLog("Example: hf iclass eload f iclass_tagdump-aa162d30f8ff12f1.bin");
	388	return 0;
	389
	390	}
	391
	392	int iclassEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
	393	UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNum, blocksCount, 0}};
	394	memcpy(c.d.asBytes, data, blocksCount * 16);
	395	SendCommand(&c);
	396	return 0;
	397	}
	398	int CmdHFiClassELoad(const char *Cmd)
	399	{
	400
	401	char opt = param_getchar(Cmd, 0);
	402	if (strlen(Cmd)<1 \|\| opt == 'h')
	403	return hf_iclass_eload_usage();
	404
	405	//File handling and reading
	406	FILE *f;
	407	char filename[FILE_PATH_SIZE];
	408	if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0)
	409	{
	410	f = fopen(filename, "rb");
	411	}else{
	412	return hf_iclass_eload_usage();
	413	}
	414
	415	if(!f) {
	416	PrintAndLog("Failed to read from file '%s'", filename);
	417	return 1;
	418	}
	419
	420	fseek(f, 0, SEEK_END);
	421	long fsize = ftell(f);
	422	fseek(f, 0, SEEK_SET);
	423
	424	uint8_t *dump = malloc(fsize);
	425	size_t bytes_read = fread(dump, 1, fsize, f);
	426	fclose(f);
	427
	428	//Validate
	429
	430	if (bytes_read < fsize)
	431	{
	432	prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
	433	free(dump);
	434	return 1;
	435	}
	436	//Send to device
	437	uint32_t bytes_sent = 0;
	438	uint32_t bytes_remaining = bytes_read;
	439
	440	while(bytes_remaining > 0){
	441	uint32_t bytes_in_packet = MIN(USB_CMD_DATA_SIZE, bytes_remaining);
	442	UsbCommand c = {CMD_ICLASS_EML_MEMSET, {bytes_sent,bytes_in_packet,0}};
	443	memcpy(c.d.asBytes, dump, bytes_in_packet);
	444	SendCommand(&c);
	445	bytes_remaining -= bytes_in_packet;
446	bytes_sent += bytes_in_packet;
447	}
448	free(dump);
449	PrintAndLog("Sent %d bytes of data to device emulator memory", bytes_sent);
450	return 0;
451	}
452
453
fecd8202	454	int CmdHFiClass_iso14443A_write(const char *Cmd)
	455	{
	456	uint8_t readerType = 0;
	457	uint8_t MAC[4]={0x00,0x00,0x00,0x00};
	458	uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	459	uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	460	uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
fecd8202	461	uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
3ad48540	462
fecd8202	463	uint8_t blockNo=0;
	464	uint8_t bldata[8]={0};
	465
	466	if (strlen(Cmd)<3)
	467	{
	468	PrintAndLog("Usage: hf iclass write <Key> <Block> <Data>");
	469	PrintAndLog(" sample: hf iclass write 0011223344556677 10 AAAAAAAAAAAAAAAA");
	470	return 0;
	471	}
	472
	473	if (param_gethex(Cmd, 0, KEY, 16))
	474	{
	475	PrintAndLog("KEY must include 16 HEX symbols");
	476	return 1;
	477	}
	478
	479	blockNo = param_get8(Cmd, 1);
	480	if (blockNo>32)
	481	{
	482	PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!");
	483	return 1;
	484	}
	485	if (param_gethex(Cmd, 2, bldata, 8))
	486	{
	487	PrintAndLog("Block data must include 8 HEX symbols");
	488	return 1;
	489	}
	490
aa41c605	491	UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}};
fecd8202	492	SendCommand(&c);
fecd8202	493	UsbCommand resp;
3ad48540	494
fecd8202	495	if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
	496	uint8_t isOK = resp.arg[0] & 0xff;
	497	uint8_t * data = resp.d.asBytes;
	498
	499	memcpy(CSN,data,8);
	500	memcpy(CCNR,data+8,8);
	501	PrintAndLog("DEBUG: %s",sprint_hex(CSN,8));
7781a656	502	PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8));
fecd8202	503	PrintAndLog("isOk:%02x", isOK);
	504	} else {
	505	PrintAndLog("Command execute timeout");
	506	}
3ad48540 MHS	507
	508	diversifyKey(CSN,KEY, div_key);
	509
fecd8202	510	PrintAndLog("Div Key: %s",sprint_hex(div_key,8));
74a38802	511	doMAC(CCNR, 12,div_key, MAC);
fecd8202	512
3ad48540 MHS	513	UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}};
	514	memcpy(c2.d.asBytes, bldata, 8);
	515	memcpy(c2.d.asBytes+8, MAC, 4);
	516	SendCommand(&c2);
a66fca86	517
fecd8202	518	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
	519	uint8_t isOK = resp.arg[0] & 0xff;
	520	uint8_t * data = resp.d.asBytes;
	521
	522	if (isOK)
	523	PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
	524	else
	525	PrintAndLog("isOk:%02x", isOK);
	526	} else {
	527	PrintAndLog("Command execute timeout");
	528	}
a66fca86 AD	529	return 0;
a66fca86 AD	530	}
6f101995 MHS	531	int CmdHFiClass_loclass(const char *Cmd)
	532	{
	533	char opt = param_getchar(Cmd, 0);
	534
	535	if (strlen(Cmd)<1 \|\| opt == 'h') {
	536	PrintAndLog("Usage: hf iclass loclass [options]");
	537	PrintAndLog("Options:");
	538	PrintAndLog("h Show this help");
	539	PrintAndLog("t Perform self-test");
	540	PrintAndLog("f <filename> Bruteforce iclass dumpfile");
	541	PrintAndLog(" An iclass dumpfile is assumed to consist of an arbitrary number of");
	542	PrintAndLog(" malicious CSNs, and their protocol responses");
	543	PrintAndLog(" The the binary format of the file is expected to be as follows: ");
	544	PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
	545	PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
	546	PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
	547	PrintAndLog(" ... totalling N*24 bytes");
	548	return 0;
	549	}
	550	char fileName[255] = {0};
	551	if(opt == 'f')
	552	{
	553	if(param_getstr(Cmd, 1, fileName) > 0)
	554	{
	555	return bruteforceFileNoKeys(fileName);
	556	}else
	557	{
	558	PrintAndLog("You must specify a filename");
	559	}
	560	}
	561	else if(opt == 't')
	562	{
	563	int errors = testCipherUtils();
	564	errors += testMAC();
	565	errors += doKeyTests(0);
	566	errors += testElite();
	567	if(errors)
	568	{
	569	prnlog("OBS! There were errors!!!");
	570	}
	571	return errors;
	572	}
a66fca86	573
6f101995 MHS	574	return 0;
6f101995 MHS	575	}
c3963755	576
cee5a30d	577	static command_t CommandTable[] =
cee5a30d	578	{
6f101995 MHS	579	{"help", CmdHelp, 1, "This help"},
	580	{"list", CmdHFiClassList, 0, "[Deprecated] List iClass history"},
	581	{"snoop", CmdHFiClassSnoop, 0, "Eavesdrop iClass communication"},
	582	{"sim", CmdHFiClassSim, 0, "Simulate iClass tag"},
	583	{"reader",CmdHFiClassReader, 0, "Read an iClass tag"},
	584	{"replay",CmdHFiClassReader_Replay, 0, "Read an iClass tag via Reply Attack"},
	585	{"dump", CmdHFiClassReader_Dump, 0, "Authenticate and Dump iClass tag"},
	586	{"write", CmdHFiClass_iso14443A_write, 0, "Authenticate and Write iClass block"},
	587	{"loclass", CmdHFiClass_loclass, 1, "Use loclass to perform bruteforce of reader attack dump"},
7781a656	588	{"eload", CmdHFiClassELoad, 0, "[experimental] Load data into iclass emulator memory"},
6f101995	589	{NULL, NULL, 0, NULL}
cee5a30d	590	};
	591
	592	int CmdHFiClass(const char *Cmd)
	593	{
	594	CmdsParse(CommandTable, Cmd);
	595	return 0;
	596	}
	597
	598	int CmdHelp(const char *Cmd)
	599	{
	600	CmdsHelp(CommandTable);
	601	return 0;
	602	}