]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhfmfu.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'master' of https://github.com/Proxmark/proxmark3
[proxmark3-svn] / client / cmdhfmfu.c
CommitLineData
81740aa5 1//-----------------------------------------------------------------------------
2// Ultralight Code (c) 2013,2014 Midnitesnake & Andy Davies of Pentura
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency MIFARE ULTRALIGHT (C) commands
9//-----------------------------------------------------------------------------
afceaf40 10#include "loclass/des.h"
81740aa5 11#include "cmdhfmfu.h"
12#include "cmdhfmf.h"
13#include "cmdhf14a.h"
5d554ea6 14#include "mifare.h"
2c74558d 15#include "util.h"
16#include "../common/protocols.h"
e7e95088 17#include "data.h"
81740aa5 18
75377d29 19#define MAX_UL_BLOCKS 0x0f
9d87eb66 20#define MAX_ULC_BLOCKS 0x2b
8241872c 21#define MAX_ULEV1a_BLOCKS 0x13
a383f4b7 22#define MAX_ULEV1b_BLOCKS 0x28
23#define MAX_NTAG_203 0x29
24#define MAX_NTAG_210 0x13
25#define MAX_NTAG_212 0x28
75377d29 26#define MAX_NTAG_213 0x2c
27#define MAX_NTAG_215 0x86
28#define MAX_NTAG_216 0xe6
2c74558d 29
ebd7412d 30#define KEYS_3DES_COUNT 7
31uint8_t default_3des_keys[KEYS_3DES_COUNT][16] = {
a8be77af 32 { 0x42,0x52,0x45,0x41,0x4b,0x4d,0x45,0x49,0x46,0x59,0x4f,0x55,0x43,0x41,0x4e,0x21 },// 3des std key
33 { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },// all zeroes
34 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f },// 0x00-0x0F
35 { 0x49,0x45,0x4D,0x4B,0x41,0x45,0x52,0x42,0x21,0x4E,0x41,0x43,0x55,0x4F,0x59,0x46 },// NFC-key
36 { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 },// all ones
37 { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF },// all FF
f168b263 38 { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF } // 11 22 33
75377d29 39};
aebe7790 40
833081e3 41#define KEYS_PWD_COUNT 10
ebd7412d 42uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = {
aebe7790 43 {0xFF,0xFF,0xFF,0xFF}, // PACK 0x00,0x00 -- factory default
8258f409 44
802319a3 45 {0x4A,0xF8,0x4B,0x19}, // PACK 0xE5,0xBE -- italian bus (sniffed)
ebd7412d 46 {0x33,0x6B,0xA1,0x19}, // PACK 0x9c,0x2d -- italian bus (sniffed)
47 {0xFF,0x90,0x6C,0xB2}, // PACK 0x12,0x9e -- italian bus (sniffed)
833081e3 48 {0x46,0x1c,0xA3,0x19}, // PACK 0xE9,0x5A -- italian bus (sniffed)
49 {0x35,0x1C,0xD0,0x19}, // PACK 0x9A,0x5a -- italian bus (sniffed)
8258f409 50
ebd7412d 51 {0x05,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- Amiiboo (sniffed) pikachu-b UID:
52 {0x7E,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- AMiiboo (sniffed)
53 {0x02,0xE1,0xEE,0x36}, // PACK 0x80,0x80 -- AMiiboo (sniffed) sonic UID: 04d257 7ae33e8027
54 {0x32,0x0C,0x16,0x17}, // PACK 0x80,0x80 -- AMiiboo (sniffed)
c585a5cf 55};
56
b61e3979 57#define MAX_UL_TYPES 16
05f7accd 58uint16_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203,
59 NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC};
60
61uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, MAX_ULEV1a_BLOCKS,
62 MAX_ULEV1b_BLOCKS, MAX_NTAG_203, MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, MAX_NTAG_213,
63 MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_UL_BLOCKS};
833081e3 64
65
81740aa5 66static int CmdHelp(const char *Cmd);
67
8258f409 68char *getProductTypeStr( uint8_t id){
2c74558d 69
75377d29 70 static char buf[20];
2c74558d 71 char *retStr = buf;
72
73 switch(id) {
329f5cf2 74 case 3: sprintf(retStr, "%02X, Ultralight", id); break;
75 case 4: sprintf(retStr, "%02X, NTAG", id); break;
76 default: sprintf(retStr, "%02X, unknown", id); break;
2c74558d 77 }
78 return buf;
79}
a8be77af 80
2c74558d 81/*
82 The 7 MSBits (=n) code the storage size itself based on 2^n,
83 the LSBit is set to '0' if the size is exactly 2^n
84 and set to '1' if the storage size is between 2^n and 2^(n+1).
85*/
8258f409 86char *getUlev1CardSizeStr( uint8_t fsize ){
75377d29 87
345fb24a 88 static char buf[40];
2c74558d 89 char *retStr = buf;
2be768af 90 memset(buf, 0, sizeof(buf));
75377d29 91
fce738fc 92 uint16_t usize = 1 << ((fsize >>1) + 1);
93 uint16_t lsize = 1 << (fsize >>1);
94
2c74558d 95 // is LSB set?
75377d29 96 if ( fsize & 1 )
06561c34 97 sprintf(retStr, "%02X, (%u <-> %u bytes)",fsize, usize, lsize);
2c74558d 98 else
329f5cf2 99 sprintf(retStr, "%02X, (%u bytes)", fsize, lsize);
2c74558d 100 return buf;
101}
102
103static void ul_switch_on_field(void) {
104 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
a8be77af 105 SendCommand(&c);
2c74558d 106}
a8be77af 107
98cdd568 108void ul_switch_off_field(void) {
2c74558d 109 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
110 SendCommand(&c);
a8be77af 111}
112
8297860e 113static int ul_send_cmd_raw( uint8_t *cmd, uint8_t cmdlen, uint8_t *response, uint16_t responseLength ) {
114 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_NO_DISCONNECT | ISO14A_APPEND_CRC, cmdlen, 0}};
115 memcpy(c.d.asBytes, cmd, cmdlen);
2c74558d 116 SendCommand(&c);
117 UsbCommand resp;
75377d29 118 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return -1;
372a8257 119 if (!resp.arg[0] && responseLength) return -1;
75377d29 120
802319a3 121 uint16_t resplen = (resp.arg[0] < responseLength) ? resp.arg[0] : responseLength;
aebe7790 122 memcpy(response, resp.d.asBytes, resplen);
123 return resplen;
2c74558d 124}
2b03dea7 125/*
8297860e 126static int ul_send_cmd_raw_crc( uint8_t *cmd, uint8_t cmdlen, uint8_t *response, uint16_t responseLength, bool append_crc ) {
8297860e 127 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_NO_DISCONNECT , cmdlen, 0}};
2c74558d 128 if (append_crc)
129 c.arg[0] |= ISO14A_APPEND_CRC;
75377d29 130
8297860e 131 memcpy(c.d.asBytes, cmd, cmdlen);
1ec21089 132 SendCommand(&c);
133 UsbCommand resp;
2c74558d 134 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return -1;
ebd7412d 135 if (!resp.arg[0] && responseLength) return -1;
1ec21089 136
8297860e 137 uint16_t resplen = (resp.arg[0] < responseLength) ? resp.arg[0] : responseLength;
c585a5cf 138 memcpy(response, resp.d.asBytes, resplen);
8297860e 139 return resplen;
2c74558d 140}
2b03dea7 141*/
2c74558d 142static int ul_select( iso14a_card_select_t *card ){
75377d29 143
2c74558d 144 ul_switch_on_field();
145
146 UsbCommand resp;
1fa96198 147 bool ans = false;
148 ans = WaitForResponseTimeout(CMD_ACK, &resp, 1500);
149 if (!ans || resp.arg[0] < 1) {
150 PrintAndLog("iso14443a card select failed");
151 ul_switch_off_field();
152 return 0;
153 }
75377d29 154
155 memcpy(card, resp.d.asBytes, sizeof(iso14a_card_select_t));
c7442b76 156 return 1;
75377d29 157}
158
159// This read command will at least return 16bytes.
160static int ul_read( uint8_t page, uint8_t *response, uint16_t responseLength ){
161
162 uint8_t cmd[] = {ISO14443A_CMD_READBLOCK, page};
163 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
75377d29 164 return len;
165}
166
c585a5cf 167static int ul_comp_write( uint8_t page, uint8_t *data, uint8_t datalen ){
168
169 uint8_t cmd[18];
170 memset(cmd, 0x00, sizeof(cmd));
171 datalen = ( datalen > 16) ? 16 : datalen;
172
173 cmd[0] = ISO14443A_CMD_WRITEBLOCK;
174 cmd[1] = page;
175 memcpy(cmd+2, data, datalen);
176
177 uint8_t response[1] = {0xff};
8258f409 178 ul_send_cmd_raw(cmd, 2+datalen, response, sizeof(response));
c585a5cf 179 // ACK
180 if ( response[0] == 0x0a ) return 0;
181 // NACK
182 return -1;
183}
345fb24a 184
a2e2bb8a 185static int ulc_requestAuthentication( uint8_t *nonce, uint16_t nonceLength ){
75377d29 186
a2e2bb8a 187 uint8_t cmd[] = {MIFARE_ULC_AUTH_1, 0x00};
75377d29 188 int len = ul_send_cmd_raw(cmd, sizeof(cmd), nonce, nonceLength);
75377d29 189 return len;
190}
345fb24a 191
8258f409 192static int ulc_authentication( uint8_t *key, bool switch_off_field ){
193
194 UsbCommand c = {CMD_MIFAREUC_AUTH, {switch_off_field}};
195 memcpy(c.d.asBytes, key, 16);
196 SendCommand(&c);
197 UsbCommand resp;
9d87eb66 198 if ( !WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) return 0;
199 if ( resp.arg[0] == 1 ) return 1;
8258f409 200
9d87eb66 201 return 0;
8258f409 202}
203
75377d29 204static int ulev1_requestAuthentication( uint8_t *pwd, uint8_t *pack, uint16_t packLength ){
205
206 uint8_t cmd[] = {MIFARE_ULEV1_AUTH, pwd[0], pwd[1], pwd[2], pwd[3]};
207 int len = ul_send_cmd_raw(cmd, sizeof(cmd), pack, packLength);
75377d29 208 return len;
209}
210
bcf61bd3 211static int ul_auth_select( iso14a_card_select_t *card, TagTypeUL_t tagtype, bool hasAuthKey, uint8_t *authenticationkey, uint8_t *pack, uint8_t packSize){
212 if ( hasAuthKey && (tagtype & UL_C)) {
213 //will select card automatically and close connection on error
214 if (!ulc_authentication(authenticationkey, false)) {
215 PrintAndLog("Error: Authentication Failed UL-C");
216 return 0;
217 }
2b03dea7 218
219 memcpy(card, resp.d.asBytes, sizeof(iso14a_card_select_t));
1fa96198 220 return 1;
2c74558d 221}
222
996fda30 223// This read command will at least return 16bytes.
8297860e 224static int ul_read( uint8_t page, uint8_t *response, uint16_t responseLength ){
2c74558d 225
226 uint8_t cmd[] = {ISO14443A_CMD_READBLOCK, page};
8297860e 227 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
2c74558d 228 return len;
229}
230
802319a3 231static int ul_comp_write( uint8_t page, uint8_t *data, uint8_t datalen ){
232
233 uint8_t cmd[18];
234 memset(cmd, 0x00, sizeof(cmd));
235 datalen = ( datalen > 16) ? 16 : datalen;
236
237 cmd[0] = ISO14443A_CMD_WRITEBLOCK;
238 cmd[1] = page;
aebe7790 239 memcpy(cmd+2, data, datalen);
802319a3 240
aebe7790 241 uint8_t response[1] = {0xff};
e7e95088 242 ul_send_cmd_raw(cmd, 2+datalen, response, sizeof(response));
aebe7790 243 // ACK
244 if ( response[0] == 0x0a ) return 0;
245 // NACK
246 return -1;
247}
248
98cdd568 249static int ulc_requestAuthentication( uint8_t *nonce, uint16_t nonceLength ){
2c74558d 250
98cdd568 251 uint8_t cmd[] = {MIFARE_ULC_AUTH_1, 0x00};
8297860e 252 int len = ul_send_cmd_raw(cmd, sizeof(cmd), nonce, nonceLength);
2c74558d 253 return len;
254}
255
833081e3 256static int ulc_authentication( uint8_t *key, bool switch_off_field ){
257
258 UsbCommand c = {CMD_MIFAREUC_AUTH, {switch_off_field}};
259 memcpy(c.d.asBytes, key, 16);
260 SendCommand(&c);
261 UsbCommand resp;
e7e95088 262 if ( !WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) return 0;
263 if ( resp.arg[0] == 1 ) return 1;
833081e3 264
e7e95088 265 return 0;
833081e3 266}
267
8297860e 268static int ulev1_requestAuthentication( uint8_t *pwd, uint8_t *pack, uint16_t packLength ){
2c74558d 269
270 uint8_t cmd[] = {MIFARE_ULEV1_AUTH, pwd[0], pwd[1], pwd[2], pwd[3]};
8297860e 271 int len = ul_send_cmd_raw(cmd, sizeof(cmd), pack, packLength);
2c74558d 272 return len;
273}
1ec21089 274
fff69a1e 275static int ul_auth_select( iso14a_card_select_t *card, TagTypeUL_t tagtype, bool hasAuthKey, uint8_t *authenticationkey, uint8_t *pack, uint8_t packSize){
276 if ( hasAuthKey && (tagtype & UL_C)) {
277 //will select card automatically and close connection on error
278 if (!ulc_authentication(authenticationkey, false)) {
279 PrintAndLog("Error: Authentication Failed UL-C");
280 return 0;
281 }
282 } else {
283 if ( !ul_select(card) ) return 0;
284
285 if (hasAuthKey) {
286 if (ulev1_requestAuthentication(authenticationkey, pack, packSize) < 1) {
287 ul_switch_off_field();
288 PrintAndLog("Error: Authentication Failed UL-EV1/NTAG");
289 return 0;
290 }
291 }
292 }
293 return 1;
294}
295
8297860e 296static int ulev1_getVersion( uint8_t *response, uint16_t responseLength ){
75377d29 297
2c74558d 298 uint8_t cmd[] = {MIFARE_ULEV1_VERSION};
8297860e 299 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
2c74558d 300 return len;
301}
302
303// static int ulev1_fastRead( uint8_t startblock, uint8_t endblock, uint8_t *response ){
304
305 // uint8_t cmd[] = {MIFARE_ULEV1_FASTREAD, startblock, endblock};
306
307 // if ( !ul_send_cmd_raw(cmd, sizeof(cmd), response)){
2c74558d 308 // return -1;
309 // }
310 // return 0;
311// }
312
8297860e 313static int ulev1_readCounter( uint8_t counter, uint8_t *response, uint16_t responseLength ){
2c74558d 314
315 uint8_t cmd[] = {MIFARE_ULEV1_READ_CNT, counter};
8297860e 316 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
2c74558d 317 return len;
318}
319
98cdd568 320static int ulev1_readTearing( uint8_t counter, uint8_t *response, uint16_t responseLength ){
321
322 uint8_t cmd[] = {MIFARE_ULEV1_CHECKTEAR, counter};
323 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
98cdd568 324 return len;
325}
326
69a29536 327static int ulev1_readSignature( uint8_t *response, uint16_t responseLength ){
328
329 uint8_t cmd[] = {MIFARE_ULEV1_READSIG, 0x00};
330 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
69a29536 331 return len;
332}
333
a903be43 334static int ul_print_default( uint8_t *data){
75377d29 335
a903be43 336 uint8_t uid[7];
a903be43 337 uid[0] = data[0];
338 uid[1] = data[1];
339 uid[2] = data[2];
340 uid[3] = data[4];
341 uid[4] = data[5];
342 uid[5] = data[6];
343 uid[6] = data[7];
344
345 PrintAndLog(" UID : %s ", sprint_hex(uid, 7));
1c429594 346 PrintAndLog(" UID[0] : %02X, Manufacturer: %s", uid[0], getTagInfo(uid[0]) );
fce738fc 347 if ( uid[0] == 0x05 ) {
348 uint8_t chip = (data[8] & 0xC7); // 11000111 mask, bit 3,4,5 RFU
349 switch (chip){
350 case 0xc2: PrintAndLog(" IC type : SLE 66R04P"); break;
351 case 0xc4: PrintAndLog(" IC type : SLE 66R16P"); break;
352 case 0xc6: PrintAndLog(" IC type : SLE 66R32P"); break;
353 }
354 }
a903be43 355 // CT (cascade tag byte) 0x88 xor SN0 xor SN1 xor SN2
356 int crc0 = 0x88 ^ data[0] ^ data[1] ^data[2];
357 if ( data[3] == crc0 )
fce738fc 358 PrintAndLog(" BCC0 : %02X, Ok", data[3]);
a903be43 359 else
fce738fc 360 PrintAndLog(" BCC0 : %02X, crc should be %02X", data[3], crc0);
75377d29 361
a903be43 362 int crc1 = data[4] ^ data[5] ^ data[6] ^data[7];
363 if ( data[8] == crc1 )
fce738fc 364 PrintAndLog(" BCC1 : %02X, Ok", data[8]);
a903be43 365 else
fce738fc 366 PrintAndLog(" BCC1 : %02X, crc should be %02X", data[8], crc1 );
75377d29 367
fce738fc 368 PrintAndLog(" Internal : %02X, %sdefault", data[9], (data[9]==0x48)?"":"not " );
fce738fc 369
7a5d49b5 370 PrintAndLog(" Lock : %s - %s",
371 sprint_hex(data+10, 2),
372 printBits(2, data+10)
373 );
374
6fdf42c6 375 PrintAndLog("OneTimePad : %s - %s\n",
376 sprint_hex(data + 12, 4),
377 printBits(4, data+12)
378 );
29250969 379
75377d29 380 return 0;
381}
382
a383f4b7 383static int ndef_print_CC(uint8_t *data) {
1c429594 384 // no NDEF message
385 if(data[0] != 0xe1)
386 return -1;
75377d29 387
a383f4b7 388 PrintAndLog("--- NDEF Message");
75377d29 389 PrintAndLog("Capability Container: %s", sprint_hex(data,4) );
1c429594 390 PrintAndLog(" %02X : NDEF Magic Number", data[0]);
391 PrintAndLog(" %02X : version %d.%d supported by tag", data[1], (data[1] & 0xF0) >> 4, data[1] & 0x0f);
392 PrintAndLog(" %02X : Physical Memory Size: %d bytes", data[2], (data[2] + 1) * 8);
c585a5cf 393 if ( data[2] == 0x12 )
1c429594 394 PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 144);
c585a5cf 395 else if ( data[2] == 0x3e )
1c429594 396 PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 496);
c585a5cf 397 else if ( data[2] == 0x6d )
1c429594 398 PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 872);
399
400 PrintAndLog(" %02X : %s / %s", data[3],
75377d29 401 (data[3] & 0xF0) ? "(RFU)" : "Read access granted without any security",
402 (data[3] & 0x0F)==0 ? "Write access granted without any security" : (data[3] & 0x0F)==0x0F ? "No write access granted at all" : "(RFU)");
75377d29 403 return 0;
404}
405
c7442b76 406int ul_print_type(uint32_t tagtype, uint8_t spaces){
8ceb6b03 407 char spc[11] = " ";
408 spc[10]=0x00;
409 char *spacer = spc + (10-spaces);
410
75377d29 411 if ( tagtype & UL )
1c429594 412 PrintAndLog("%sTYPE : MIFARE Ultralight (MF0ICU1) %s", spacer, (tagtype & MAGIC) ? "<magic>" : "" );
75377d29 413 else if ( tagtype & UL_C)
1c429594 414 PrintAndLog("%sTYPE : MIFARE Ultralight C (MF0ULC) %s", spacer, (tagtype & MAGIC) ? "<magic>" : "" );
75377d29 415 else if ( tagtype & UL_EV1_48)
8ceb6b03 416 PrintAndLog("%sTYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)", spacer);
1c429594 417 else if ( tagtype & UL_EV1_128)
8ceb6b03 418 PrintAndLog("%sTYPE : MIFARE Ultralight EV1 128bytes (MF0UL2101)", spacer);
a383f4b7 419 else if ( tagtype & NTAG )
420 PrintAndLog("%sTYPE : NTAG UNKNOWN", spacer);
421 else if ( tagtype & NTAG_203 )
422 PrintAndLog("%sTYPE : NTAG 203 144bytes (NT2H0301F0DT)", spacer);
c7442b76 423 else if ( tagtype & NTAG_210 )
1c429594 424 PrintAndLog("%sTYPE : NTAG 210 48bytes (NT2L1011G0DU)", spacer);
c7442b76 425 else if ( tagtype & NTAG_212 )
a383f4b7 426 PrintAndLog("%sTYPE : NTAG 212 128bytes (NT2L1211G0DU)", spacer);
427 else if ( tagtype & NTAG_213 )
428 PrintAndLog("%sTYPE : NTAG 213 144bytes (NT2H1311G0DU)", spacer);
75377d29 429 else if ( tagtype & NTAG_215 )
a383f4b7 430 PrintAndLog("%sTYPE : NTAG 215 504bytes (NT2H1511G0DU)", spacer);
75377d29 431 else if ( tagtype & NTAG_216 )
a383f4b7 432 PrintAndLog("%sTYPE : NTAG 216 888bytes (NT2H1611G0DU)", spacer);
46fcd738 433 else if ( tagtype & NTAG_I2C_1K )
cd87ee91 434 PrintAndLog("%sTYPE : NTAG I%sC 888bytes (NT3H1101FHK)", spacer, "\xFD");
46fcd738 435 else if ( tagtype & NTAG_I2C_2K )
cd87ee91 436 PrintAndLog("%sTYPE : NTAG I%sC 1904bytes (NT3H1201FHK)", spacer, "\xFD");
345fb24a 437 else if ( tagtype & MY_D )
8ceb6b03 438 PrintAndLog("%sTYPE : INFINEON my-d\x99", spacer);
345fb24a 439 else if ( tagtype & MY_D_NFC )
8ceb6b03 440 PrintAndLog("%sTYPE : INFINEON my-d\x99 NFC", spacer);
345fb24a 441 else if ( tagtype & MY_D_MOVE )
8ceb6b03 442 PrintAndLog("%sTYPE : INFINEON my-d\x99 move", spacer);
345fb24a 443 else if ( tagtype & MY_D_MOVE_NFC )
8ceb6b03 444 PrintAndLog("%sTYPE : INFINEON my-d\x99 move NFC", spacer);
75377d29 445 else
c7442b76 446 PrintAndLog("%sTYPE : Unknown %06x", spacer, tagtype);
75377d29 447 return 0;
448}
449
450static int ulc_print_3deskey( uint8_t *data){
1c429594 451 PrintAndLog(" deskey1 [44/0x2C] : %s [%.4s]", sprint_hex(data ,4),data);
452 PrintAndLog(" deskey1 [45/0x2D] : %s [%.4s]", sprint_hex(data+4 ,4),data+4);
453 PrintAndLog(" deskey2 [46/0x2E] : %s [%.4s]", sprint_hex(data+8 ,4),data+8);
454 PrintAndLog(" deskey2 [47/0x2F] : %s [%.4s]", sprint_hex(data+12,4),data+12);
2b3af97d 455 PrintAndLog("\n 3des key : %s", sprint_hex(SwapEndian64(data, 16, 8), 16));
75377d29 456 return 0;
457}
458
459static int ulc_print_configuration( uint8_t *data){
460
461 PrintAndLog("--- UL-C Configuration");
1c429594 462 PrintAndLog(" Higher Lockbits [40/0x28] : %s - %s", sprint_hex(data, 4), printBits(2, data));
463 PrintAndLog(" Counter [41/0x29] : %s - %s", sprint_hex(data+4, 4), printBits(2, data+4));
75377d29 464
465 bool validAuth = (data[8] >= 0x03 && data[8] <= 0x30);
466 if ( validAuth )
1c429594 467 PrintAndLog(" Auth0 [42/0x2A] : %s page %d/0x%02X and above need authentication", sprint_hex(data+8, 4), data[8],data[8] );
75377d29 468 else{
469 if ( data[8] == 0){
1c429594 470 PrintAndLog(" Auth0 [42/0x2A] : %s default", sprint_hex(data+8, 4) );
75377d29 471 } else {
1c429594 472 PrintAndLog(" Auth0 [42/0x2A] : %s auth byte is out-of-range", sprint_hex(data+8, 4) );
f168b263 473 }
75377d29 474 }
1c429594 475 PrintAndLog(" Auth1 [43/0x2B] : %s %s",
75377d29 476 sprint_hex(data+12, 4),
477 (data[12] & 1) ? "write access restricted": "read and write access restricted"
478 );
f168b263 479 return 0;
480}
81740aa5 481
012c0761 482static int ulev1_print_configuration( uint8_t *data, uint8_t startPage){
f168b263 483
a383f4b7 484 PrintAndLog("\n--- Tag Configuration");
75377d29 485
486 bool strg_mod_en = (data[0] & 2);
487 uint8_t authlim = (data[4] & 0x07);
488 bool cfglck = (data[4] & 0x40);
489 bool prot = (data[4] & 0x80);
490 uint8_t vctid = data[5];
491
012c0761 492 PrintAndLog(" cfg0 [%u/0x%02X] : %s", startPage, startPage, sprint_hex(data, 4));
345fb24a 493 if ( data[3] < 0xff )
a2e2bb8a 494 PrintAndLog(" - page %d and above need authentication",data[3]);
345fb24a 495 else
496 PrintAndLog(" - pages don't need authentication");
75377d29 497 PrintAndLog(" - strong modulation mode %s", (strg_mod_en) ? "enabled":"disabled");
012c0761 498 PrintAndLog(" cfg1 [%u/0x%02X] : %s", startPage + 1, startPage + 1, sprint_hex(data+4, 4) );
75377d29 499 if ( authlim == 0)
345fb24a 500 PrintAndLog(" - Unlimited password attempts");
75377d29 501 else
502 PrintAndLog(" - Max number of password attempts is %d", authlim);
503 PrintAndLog(" - user configuration %s", cfglck ? "permanently locked":"writeable");
504 PrintAndLog(" - %s access is protected with password", prot ? "read and write":"write");
1c429594 505 PrintAndLog(" - %02X, Virtual Card Type Identifier is %s default", vctid, (vctid==0x05)? "":"not");
012c0761 506 PrintAndLog(" PWD [%u/0x%02X] : %s- (cannot be read)", startPage + 2, startPage + 2, sprint_hex(data+8, 4));
507 PrintAndLog(" PACK [%u/0x%02X] : %s - (cannot be read)", startPage + 3, startPage + 3, sprint_hex(data+12, 2));
508 PrintAndLog(" RFU [%u/0x%02X] : %s- (cannot be read)", startPage + 3, startPage + 3, sprint_hex(data+12, 2));
75377d29 509 return 0;
510}
511
512static int ulev1_print_counters(){
a383f4b7 513 PrintAndLog("--- Tag Counters");
a2e2bb8a 514 uint8_t tear[1] = {0};
75377d29 515 uint8_t counter[3] = {0,0,0};
c7442b76 516 uint16_t len = 0;
75377d29 517 for ( uint8_t i = 0; i<3; ++i) {
a2e2bb8a 518 ulev1_readTearing(i,tear,sizeof(tear));
c7442b76 519 len = ulev1_readCounter(i,counter, sizeof(counter) );
520 if (len == 3) {
521 PrintAndLog(" [%0d] : %s", i, sprint_hex(counter,3));
522 PrintAndLog(" - %02X tearing %s", tear[0], ( tear[0]==0xBD)?"Ok":"failure");
523 }
75377d29 524 }
c7442b76 525 return len;
75377d29 526}
527
c585a5cf 528static int ulev1_print_signature( uint8_t *data, uint8_t len){
a383f4b7 529 PrintAndLog("\n--- Tag Signature");
06561c34 530 //PrintAndLog("IC signature public key name : NXP NTAG21x 2013"); // don't know if there is other NXP public keys.. :(
c585a5cf 531 PrintAndLog("IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61");
532 PrintAndLog(" Elliptic curve parameters : secp128r1");
533 PrintAndLog(" Tag ECC Signature : %s", sprint_hex(data, len));
534 //to do: verify if signature is valid
535 //PrintAndLog("IC signature status: %s valid", (iseccvalid() )?"":"not");
536 return 0;
537}
345fb24a 538
539static int ulev1_print_version(uint8_t *data){
a383f4b7 540 PrintAndLog("\n--- Tag Version");
1c429594 541 PrintAndLog(" Raw bytes : %s",sprint_hex(data, 8) );
542 PrintAndLog(" Vendor ID : %02X, %s", data[1], getTagInfo(data[1]));
345fb24a 543 PrintAndLog(" Product type : %s", getProductTypeStr(data[2]));
1c429594 544 PrintAndLog(" Product subtype : %02X, %s", data[3], (data[3]==1) ?"17 pF":"50pF");
345fb24a 545 PrintAndLog(" Major version : %02X", data[4]);
546 PrintAndLog(" Minor version : %02X", data[5]);
547 PrintAndLog(" Size : %s", getUlev1CardSizeStr(data[6]));
548 PrintAndLog(" Protocol type : %02X", data[7]);
549 return 0;
550}
551
f04ef473 552/*
c585a5cf 553static int ulc_magic_test(){
554 // Magic Ultralight test
555 // Magic UL-C, by observation,
556 // 1) it seems to have a static nonce response to 0x1A command.
557 // 2) the deskey bytes is not-zero:d out on as datasheet states.
558 // 3) UID - changeable, not only, but pages 0-1-2-3.
559 // 4) use the ul_magic_test ! magic tags answers specially!
560 int returnValue = UL_ERROR;
561 iso14a_card_select_t card;
562 uint8_t nonce1[11] = {0x00};
563 uint8_t nonce2[11] = {0x00};
564 int status = ul_select(&card);
c7442b76 565 if ( !status ){
c585a5cf 566 return UL_ERROR;
567 }
a2e2bb8a 568 status = ulc_requestAuthentication(nonce1, sizeof(nonce1));
c585a5cf 569 if ( status > 0 ) {
a2e2bb8a 570 status = ulc_requestAuthentication(nonce2, sizeof(nonce2));
c585a5cf 571 returnValue = ( !memcmp(nonce1, nonce2, 11) ) ? UL_C_MAGIC : UL_C;
572 } else {
573 returnValue = UL;
574 }
575 ul_switch_off_field();
576 return returnValue;
577}
f04ef473 578*/
c585a5cf 579static int ul_magic_test(){
580
581 // Magic Ultralight tests
582 // 1) take present UID, and try to write it back. OBSOLETE
583 // 2) make a wrong length write to page0, and see if tag answers with ACK/NACK:
584 iso14a_card_select_t card;
c7442b76 585 if ( !ul_select(&card) )
c585a5cf 586 return UL_ERROR;
46fcd738 587 int status = ul_comp_write(0, NULL, 0);
c585a5cf 588 ul_switch_off_field();
a2e2bb8a 589 if ( status == 0 )
46fcd738 590 return MAGIC;
591 return 0;
c585a5cf 592}
f04ef473 593
c7442b76 594uint32_t GetHF14AMfU_Type(void){
81740aa5 595
92690507 596 TagTypeUL_t tagtype = UNKNOWN;
597 iso14a_card_select_t card;
75377d29 598 uint8_t version[10] = {0x00};
75377d29 599 int status = 0;
600 int len;
601
c7442b76 602 if (!ul_select(&card)) return UL_ERROR;
603
92690507 604 // Ultralight - ATQA / SAK
abab60ae 605 if ( card.atqa[1] != 0x00 || card.atqa[0] != 0x44 || card.sak != 0x00 ) {
4693c188 606 PrintAndLog("Tag is not Ultralight | NTAG | MY-D [ATQA: %02X %02X SAK: %02X]\n", card.atqa[1], card.atqa[0], card.sak);
75377d29 607 ul_switch_off_field();
608 return UL_ERROR;
609 }
92690507 610
345fb24a 611 if ( card.uid[0] != 0x05) {
75377d29 612
345fb24a 613 len = ulev1_getVersion(version, sizeof(version));
8258f409 614 ul_switch_off_field();
345fb24a 615
616 switch (len) {
617 case 0x0A: {
618
619 if ( version[2] == 0x03 && version[6] == 0x0B )
620 tagtype = UL_EV1_48;
621 else if ( version[2] == 0x03 && version[6] != 0x0B )
622 tagtype = UL_EV1_128;
a383f4b7 623 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0B )
624 tagtype = NTAG_210;
625 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0E )
626 tagtype = NTAG_212;
627 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x0F )
345fb24a 628 tagtype = NTAG_213;
a383f4b7 629 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x11 )
345fb24a 630 tagtype = NTAG_215;
a383f4b7 631 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x13 )
345fb24a 632 tagtype = NTAG_216;
c7442b76 633 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x13 )
634 tagtype = NTAG_I2C_1K;
635 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x15 )
636 tagtype = NTAG_I2C_2K;
345fb24a 637 else if ( version[2] == 0x04 )
638 tagtype = NTAG;
639
640 break;
641 }
642 case 0x01: tagtype = UL_C; break;
643 case 0x00: tagtype = UL; break;
46fcd738 644 case -1 : tagtype = (UL | UL_C | NTAG_203); break; // could be UL | UL_C magic tags
345fb24a 645 default : tagtype = UNKNOWN; break;
646 }
a383f4b7 647 // UL vs UL-C vs ntag203 test
648 if (tagtype & (UL | UL_C | NTAG_203)) {
c7442b76 649 if ( !ul_select(&card) ) return UL_ERROR;
a383f4b7 650
651 // do UL_C check first...
8258f409 652 uint8_t nonce[11] = {0x00};
653 status = ulc_requestAuthentication(nonce, sizeof(nonce));
8258f409 654 ul_switch_off_field();
a383f4b7 655 if (status > 1) {
656 tagtype = UL_C;
657 } else {
658 // need to re-select after authentication error
c7442b76 659 if ( !ul_select(&card) ) return UL_ERROR;
660
a383f4b7 661 uint8_t data[16] = {0x00};
662 // read page 0x26-0x29 (last valid ntag203 page)
663 status = ul_read(0x26, data, sizeof(data));
664 if ( status <= 1 ) {
665 tagtype = UL;
666 } else {
667 // read page 0x30 (should error if it is a ntag203)
efd19351 668 status = ul_read(0x30, data, sizeof(data));
a383f4b7 669 if ( status <= 1 ){
670 tagtype = NTAG_203;
671 } else {
672 tagtype = UNKNOWN;
673 }
674 }
675 ul_switch_off_field();
676 }
345fb24a 677 }
678 } else {
679 // Infinition MY-D tests Exam high nibble
680 uint8_t nib = (card.uid[1] & 0xf0) >> 4;
681 switch ( nib ){
682 case 1: tagtype = MY_D; break;
a383f4b7 683 case 2: tagtype = (MY_D | MY_D_NFC); break; //notice: we can not currently distinguish between these two
684 case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //notice: we can not currently distinguish between these two
75377d29 685 }
f168b263 686 }
75377d29 687
46fcd738 688 tagtype |= ul_magic_test();
689 if (tagtype == (UNKNOWN | MAGIC)) tagtype = (UL_MAGIC);
f168b263 690 return tagtype;
691}
692
693int CmdHF14AMfUInfo(const char *Cmd){
694
c585a5cf 695 uint8_t authlim = 0xff;
f168b263 696 uint8_t data[16] = {0x00};
75377d29 697 iso14a_card_select_t card;
75377d29 698 int status;
a2e2bb8a 699 bool errors = false;
700 bool hasAuthKey = false;
a383f4b7 701 bool locked = false;
06561c34 702 bool swapEndian = false;
a2e2bb8a 703 uint8_t cmdp = 0;
06561c34 704 uint8_t dataLen = 0;
a2e2bb8a 705 uint8_t authenticationkey[16] = {0x00};
06561c34 706 uint8_t *authkeyptr = authenticationkey;
707 uint8_t *key;
a2e2bb8a 708 uint8_t pack[4] = {0,0,0,0};
06561c34 709 int len = 0;
710 char tempStr[50];
f168b263 711
a2e2bb8a 712 while(param_getchar(Cmd, cmdp) != 0x00)
713 {
714 switch(param_getchar(Cmd, cmdp))
715 {
716 case 'h':
717 case 'H':
718 return usage_hf_mfu_info();
719 case 'k':
720 case 'K':
06561c34 721 dataLen = param_getstr(Cmd, cmdp+1, tempStr);
722 if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
723 errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
724 dataLen /= 2; // handled as bytes from now on
725 } else {
726 PrintAndLog("\nERROR: Key is incorrect length\n");
bcf61bd3 727 errors = true;
728 }
729 cmdp += 2;
730 hasAuthKey = true;
731 break;
732 case 'l':
733 case 'L':
734 swapEndian = true;
735 cmdp++;
736 break;
737 default:
738 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
739 errors = true;
740 break;
741 }
742 if(errors) break;
743 }
744
745 //Validations
746 if(errors) return usage_hf_mfu_info();
747
748 TagTypeUL_t tagtype = GetHF14AMfU_Type();
749 if (tagtype == UL_ERROR) return -1;
750
751 PrintAndLog("\n--- Tag Information ---------");
752 PrintAndLog("-------------------------------------------------------------");
753 ul_print_type(tagtype, 6);
754
755 // Swap endianness
756 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4 );
757
758 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
759
760 // read pages 0,1,2,3 (should read 4pages)
761 status = ul_read(0, data, sizeof(data));
762 if ( status == -1 ) {
763 ul_switch_off_field();
764 PrintAndLog("Error: tag didn't answer to READ");
765 return status;
766 } else if (status == 16) {
767 ul_print_default(data);
768 ndef_print_CC(data+12);
769 } else {
770 locked = true;
771 }
772
773 // UL_C Specific
774 if ((tagtype & UL_C)) {
fce738fc 775
bcf61bd3 776 // read pages 0x28, 0x29, 0x2A, 0x2B
777 uint8_t ulc_conf[16] = {0x00};
778 status = ul_read(0x28, ulc_conf, sizeof(ulc_conf));
779 if ( status == -1 ){
780 PrintAndLog("Error: tag didn't answer to READ UL-C");
781 ul_switch_off_field();
782 return status;
783 }
784 if (status == 16) ulc_print_configuration(ulc_conf);
785 else locked = true;
a903be43 786
bcf61bd3 787 if ((tagtype & MAGIC)) {
788 //just read key
789 uint8_t ulc_deskey[16] = {0x00};
790 status = ul_read(0x2C, ulc_deskey, sizeof(ulc_deskey));
791 if ( status == -1 ) {
792 ul_switch_off_field();
793 PrintAndLog("Error: tag didn't answer to READ magic");
794 return status;
795 }
796 if (status == 16) ulc_print_3deskey(ulc_deskey);
fce738fc 797
bcf61bd3 798 } else {
799 ul_switch_off_field();
800 // if we called info with key, just return
801 if ( hasAuthKey ) return 1;
1ec21089 802
bcf61bd3 803 // also try to diversify default keys.. look into CmdHF14AMfuGenDiverseKeys
804 PrintAndLog("Trying some default 3des keys");
805 for (uint8_t i = 0; i < KEYS_3DES_COUNT; ++i ) {
806 key = default_3des_keys[i];
807 if (ulc_authentication(key, true)) {
808 PrintAndLog("Found default 3des key: ");
809 uint8_t keySwap[16];
810 memcpy(keySwap, SwapEndian64(key,16,8), 16);
811 ulc_print_3deskey(keySwap);
812 return 1;
813 }
814 }
815 return 1;
816 }
817 }
98cdd568 818
bcf61bd3 819 // do counters and signature first (don't neet auth)
2c74558d 820
bcf61bd3 821 // ul counters are different than ntag counters
822 if ((tagtype & (UL_EV1_48 | UL_EV1_128))) {
823 if (ulev1_print_counters() != 3) {
824 // failed - re-select
825 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
826 }
827 }
b9a3c864 828
bcf61bd3 829 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K ))) {
830 uint8_t ulev1_signature[32] = {0x00};
831 status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature));
832 if ( status == -1 ) {
833 PrintAndLog("Error: tag didn't answer to READ SIGNATURE");
834 ul_switch_off_field();
835 return status;
836 }
837 if (status == 32) ulev1_print_signature( ulev1_signature, sizeof(ulev1_signature));
838 else {
839 // re-select
840 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
841 }
842 }
b9a3c864 843
bcf61bd3 844 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_210 | NTAG_212 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K))) {
845 uint8_t version[10] = {0x00};
846 status = ulev1_getVersion(version, sizeof(version));
847 if ( status == -1 ) {
848 PrintAndLog("Error: tag didn't answer to GETVERSION");
849 ul_switch_off_field();
850 return status;
851 } else if (status == 10) {
852 ulev1_print_version(version);
b9a3c864 853 } else {
bcf61bd3 854 locked = true;
855 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
856 }
857
858 uint8_t startconfigblock = 0;
859 uint8_t ulev1_conf[16] = {0x00};
860 // config blocks always are last 4 pages
861 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
862 if (tagtype & UL_TYPES_ARRAY[idx])
863 startconfigblock = UL_MEMORY_ARRAY[idx]-3;
864
865 if (startconfigblock){ // if we know where the config block is...
866 status = ul_read(startconfigblock, ulev1_conf, sizeof(ulev1_conf));
867 if ( status == -1 ) {
868 PrintAndLog("Error: tag didn't answer to READ EV1");
869 ul_switch_off_field();
870 return status;
871 } else if (status == 16) {
872 // save AUTHENTICATION LIMITS for later:
873 authlim = (ulev1_conf[4] & 0x07);
874 ulev1_print_configuration(ulev1_conf, startconfigblock);
875 }
876 }
877
878 // AUTHLIMIT, (number of failed authentications)
879 // 0 = limitless.
880 // 1-7 = limit. No automatic tries then.
881 // hasAuthKey, if we was called with key, skip test.
882 if ( !authlim && !hasAuthKey ) {
883 PrintAndLog("\n--- Known EV1/NTAG passwords.");
884 len = 0;
885 for (uint8_t i = 0; i < KEYS_PWD_COUNT; ++i ) {
886 key = default_pwd_pack[i];
887 len = ulev1_requestAuthentication(key, pack, sizeof(pack));
888 if (len >= 1) {
889 PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]);
890 break;
891 } else {
892 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
893 }
894 }
895 if (len < 1) PrintAndLog("password not known");
b9a3c864 896 }
897 }
bcf61bd3 898
899 ul_switch_off_field();
900 if (locked) PrintAndLog("\nTag appears to be locked, try using the key to get more info");
901 PrintAndLog("");
902 return 1;
b9a3c864 903}
904
bcf61bd3 905//
906// Mifare Ultralight Write Single Block
907//
908int CmdHF14AMfUWrBl(const char *Cmd){
909 uint8_t blockNo = -1;
910 bool chinese_card = FALSE;
911 uint8_t bldata[16] = {0x00};
912 UsbCommand resp;
b9a3c864 913
05f7accd 914 PrintAndLog("\n--- Tag Configuration");
b9a3c864 915
916 bool strg_mod_en = (data[0] & 2);
917 uint8_t authlim = (data[4] & 0x07);
918 bool cfglck = (data[4] & 0x40);
919 bool prot = (data[4] & 0x80);
920 uint8_t vctid = data[5];
fce738fc 921
b9a3c864 922 PrintAndLog(" cfg0 [16/0x10]: %s", sprint_hex(data, 4));
fce738fc 923 if ( data[3] < 0xff )
c92cf814 924 PrintAndLog(" - page %d and above need authentication",data[3]);
fce738fc 925 else
926 PrintAndLog(" - pages don't need authentication");
b9a3c864 927 PrintAndLog(" - strong modulation mode %s", (strg_mod_en) ? "enabled":"disabled");
928 PrintAndLog(" cfg1 [17/0x11]: %s", sprint_hex(data+4, 4) );
929 if ( authlim == 0)
fce738fc 930 PrintAndLog(" - Unlimited password attempts");
b9a3c864 931 else
932 PrintAndLog(" - Max number of password attempts is %d", authlim);
933 PrintAndLog(" - user configuration %s", cfglck ? "permanently locked":"writeable");
934 PrintAndLog(" - %s access is protected with password", prot ? "read and write":"write");
fce738fc 935 PrintAndLog(" %02X - Virtual Card Type Identifier is %s default", vctid, (vctid==0x05)? "":"not");
b9a3c864 936 PrintAndLog(" PWD [18/0x12]: %s", sprint_hex(data+8, 4));
937 PrintAndLog(" PACK [19/0x13]: %s", sprint_hex(data+12, 4));
938 return 0;
939}
940
a903be43 941static int ulev1_print_counters(){
05f7accd 942 PrintAndLog("--- Tag Counters");
98cdd568 943 uint8_t tear[1] = {0};
a903be43 944 uint8_t counter[3] = {0,0,0};
1fa96198 945 uint16_t len = 0;
a903be43 946 for ( uint8_t i = 0; i<3; ++i) {
98cdd568 947 ulev1_readTearing(i,tear,sizeof(tear));
1fa96198 948 len = ulev1_readCounter(i,counter, sizeof(counter) );
949 if (len == 3) {
fce738fc 950 PrintAndLog(" [%0d] : %s", i, sprint_hex(counter,3));
98cdd568 951 PrintAndLog(" - %02X tearing %s", tear[0], ( tear[0]==0xBD)?"Ok":"failure");
a903be43 952 }
1fa96198 953 }
954 return len;
a903be43 955}
956
2b03dea7 957static int ulev1_print_signature( uint8_t *data, uint8_t len){
05f7accd 958 PrintAndLog("\n--- Tag Signature");
959 //PrintAndLog("IC signature public key name : NXP NTAG21x 2013"); // don't know if there is other NXP public keys.. :(
2b03dea7 960 PrintAndLog("IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61");
961 PrintAndLog(" Elliptic curve parameters : secp128r1");
962 PrintAndLog(" Tag ECC Signature : %s", sprint_hex(data, len));
963 //to do: verify if signature is valid
964 //PrintAndLog("IC signature status: %s valid", (iseccvalid() )?"":"not");
965 return 0;
966}
967
fce738fc 968static int ulev1_print_version(uint8_t *data){
05f7accd 969 PrintAndLog("\n--- Tag Version");
fce738fc 970 PrintAndLog(" Raw bytes : %s", sprint_hex(data, 8) );
329f5cf2 971 PrintAndLog(" Vendor ID : %02X, %s", data[1], getTagInfo(data[1]));
fce738fc 972 PrintAndLog(" Product type : %s" , getProductTypeStr(data[2]));
973 PrintAndLog(" Product subtype : %02X, %s" , data[3], (data[3]==1) ?"17 pF":"50pF");
974 PrintAndLog(" Major version : %02X" , data[4]);
975 PrintAndLog(" Minor version : %02X" , data[5]);
976 PrintAndLog(" Size : %s", getUlev1CardSizeStr(data[6]));
977 PrintAndLog(" Protocol type : %02X" , data[7]);
978 return 0;
979}
980
98cdd568 981/*
aebe7790 982static int ulc_magic_test(){
983 // Magic Ultralight test
984 // Magic UL-C, by observation,
985 // 1) it seems to have a static nonce response to 0x1A command.
986 // 2) the deskey bytes is not-zero:d out on as datasheet states.
987 // 3) UID - changeable, not only, but pages 0-1-2-3.
802319a3 988 // 4) use the ul_magic_test ! magic tags answers specially!
aebe7790 989 int returnValue = UL_ERROR;
990 iso14a_card_select_t card;
991 uint8_t nonce1[11] = {0x00};
992 uint8_t nonce2[11] = {0x00};
993 int status = ul_select(&card);
1fa96198 994 if ( !status ){
aebe7790 995 return UL_ERROR;
996 }
98cdd568 997 status = ulc_requestAuthentication(nonce1, sizeof(nonce1));
aebe7790 998 if ( status > 0 ) {
98cdd568 999 status = ulc_requestAuthentication(nonce2, sizeof(nonce2));
aebe7790 1000 returnValue = ( !memcmp(nonce1, nonce2, 11) ) ? UL_C_MAGIC : UL_C;
1001 } else {
1002 returnValue = UL;
1003 }
1004 ul_switch_off_field();
1005 return returnValue;
1006}
98cdd568 1007*/
aebe7790 1008static int ul_magic_test(){
1009
ebd7412d 1010 // Magic Ultralight tests
1011 // 1) take present UID, and try to write it back. OBSOLETE
802319a3 1012 // 2) make a wrong length write to page0, and see if tag answers with ACK/NACK:
aebe7790 1013 iso14a_card_select_t card;
1fa96198 1014 if ( !ul_select(&card) )
aebe7790 1015 return UL_ERROR;
329f5cf2 1016 int status = ul_comp_write(0, NULL, 0);
aebe7790 1017 ul_switch_off_field();
98cdd568 1018 if ( status == 0 )
05f7accd 1019 return MAGIC;
329f5cf2 1020 return 0;
aebe7790 1021}
1022
bcf61bd3 1023 if (blockNo > MAX_UL_BLOCKS){
1024 PrintAndLog("Error: Maximum number of blocks is 15 for Ultralight Cards!");
1025 return 1;
2c74558d 1026 }
1027
fce738fc 1028 if ( card.uid[0] != 0x05) {
1029
1030 len = ulev1_getVersion(version, sizeof(version));
e7e95088 1031 ul_switch_off_field();
2c74558d 1032
fce738fc 1033 switch (len) {
1034 case 0x0A: {
2c74558d 1035
fce738fc 1036 if ( version[2] == 0x03 && version[6] == 0x0B )
1037 tagtype = UL_EV1_48;
1038 else if ( version[2] == 0x03 && version[6] != 0x0B )
1039 tagtype = UL_EV1_128;
05f7accd 1040 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0B )
b61e3979 1041 tagtype = NTAG_210;
05f7accd 1042 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0E )
b61e3979 1043 tagtype = NTAG_212;
05f7accd 1044 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x0F )
fce738fc 1045 tagtype = NTAG_213;
05f7accd 1046 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x11 )
fce738fc 1047 tagtype = NTAG_215;
05f7accd 1048 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x13 )
1049 tagtype = NTAG_216;
1050 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x13 )
1051 tagtype = NTAG_I2C_1K;
1052 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x15 )
1053 tagtype = NTAG_I2C_2K;
fce738fc 1054 else if ( version[2] == 0x04 )
1055 tagtype = NTAG;
1056
1057 break;
1058 }
1059 case 0x01: tagtype = UL_C; break;
1060 case 0x00: tagtype = UL; break;
2491a252 1061 case -1 : tagtype = (UL | UL_C | NTAG_203); break; // could be UL | UL_C magic tags
98cdd568 1062 default : tagtype = UNKNOWN; break;
fce738fc 1063 }
05f7accd 1064 // UL vs UL-C vs ntag203 test
1065 if (tagtype & (UL | UL_C | NTAG_203)) {
1fa96198 1066 if ( !ul_select(&card) ) return UL_ERROR;
05f7accd 1067
1068 // do UL_C check first...
98cdd568 1069 uint8_t nonce[11] = {0x00};
1070 status = ulc_requestAuthentication(nonce, sizeof(nonce));
e7e95088 1071 ul_switch_off_field();
05f7accd 1072 if (status > 1) {
1073 tagtype = UL_C;
1074 } else {
1075 // need to re-select after authentication error
1fa96198 1076 if ( !ul_select(&card) ) return UL_ERROR;
1077
05f7accd 1078 uint8_t data[16] = {0x00};
1079 // read page 0x26-0x29 (last valid ntag203 page)
1080 status = ul_read(0x26, data, sizeof(data));
1081 if ( status <= 1 ) {
1082 tagtype = UL;
1083 } else {
1084 // read page 0x30 (should error if it is a ntag203)
2491a252 1085 status = ul_read(0x30, data, sizeof(data));
05f7accd 1086 if ( status <= 1 ){
1087 tagtype = NTAG_203;
1088 } else {
1089 tagtype = UNKNOWN;
1090 }
1091 }
1092 ul_switch_off_field();
1093 }
98cdd568 1094 }
1095 } else {
fce738fc 1096 // Infinition MY-D tests Exam high nibble
1097 uint8_t nib = (card.uid[1] & 0xf0) >> 4;
1098 switch ( nib ){
1099 case 1: tagtype = MY_D; break;
05f7accd 1100 case 2: tagtype = (MY_D | MY_D_NFC); break; //notice: we can not currently distinguish between these two
1101 case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //notice: we can not currently distinguish between these two
fce738fc 1102 }
1103 }
1104
329f5cf2 1105
1106 tagtype |= ul_magic_test();
1107 if (tagtype == (UNKNOWN | MAGIC)) tagtype = (UL_MAGIC);
1ec21089 1108 return tagtype;
1109}
1110
1111int CmdHF14AMfUInfo(const char *Cmd){
2b03dea7 1112
aebe7790 1113 uint8_t authlim = 0xff;
5d554ea6 1114 uint8_t data[16] = {0x00};
2c74558d 1115 iso14a_card_select_t card;
2c74558d 1116 int status;
98cdd568 1117 bool errors = false;
1118 bool hasAuthKey = false;
05f7accd 1119 bool locked = false;
2491a252 1120 bool swapEndian = false;
98cdd568 1121 uint8_t cmdp = 0;
a7e7cd41 1122 uint8_t dataLen = 0;
2491a252 1123 uint8_t authenticationkey[16] = {0x00};
1124 uint8_t *authkeyptr = authenticationkey;
1125 uint8_t *key;
98cdd568 1126 uint8_t pack[4] = {0,0,0,0};
c81a80dc 1127 int len = 0;
a7e7cd41 1128 char tempStr[50];
98cdd568 1129
1130 while(param_getchar(Cmd, cmdp) != 0x00)
1131 {
1132 switch(param_getchar(Cmd, cmdp))
1133 {
1134 case 'h':
1135 case 'H':
1136 return usage_hf_mfu_info();
1137 case 'k':
1138 case 'K':
a7e7cd41 1139 dataLen = param_getstr(Cmd, cmdp+1, tempStr);
1140 if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
1141 errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
1142 dataLen /= 2; // handled as bytes from now on
1143 } else {
1144 PrintAndLog("\nERROR: Key is incorrect length\n");
98cdd568 1145 errors = true;
a7e7cd41 1146 }
1147 cmdp += 2;
1148 hasAuthKey = true;
98cdd568 1149 break;
2491a252 1150 case 'l':
1151 case 'L':
1152 swapEndian = true;
1153 cmdp++;
1154 break;
98cdd568 1155 default:
1156 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1157 errors = true;
1158 break;
1159 }
1160 if(errors) break;
1161 }
2c74558d 1162
98cdd568 1163 //Validations
1164 if(errors) return usage_hf_mfu_info();
1165
1ec21089 1166 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1167 if (tagtype == UL_ERROR) return -1;
aebe7790 1168
1169 PrintAndLog("\n--- Tag Information ---------");
1170 PrintAndLog("-------------------------------------------------------------");
98cdd568 1171 ul_print_type(tagtype, 6);
2c74558d 1172
2491a252 1173 // Swap endianness
a7e7cd41 1174 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4 );
2491a252 1175
1176 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
833081e3 1177
05f7accd 1178 // read pages 0,1,2,3 (should read 4pages)
8297860e 1179 status = ul_read(0, data, sizeof(data));
2c74558d 1180 if ( status == -1 ){
e7e95088 1181 ul_switch_off_field();
1182 PrintAndLog("Error: tag didn't answer to READ");
2c74558d 1183 return status;
fff69a1e 1184 } else if (status == 16) {
05f7accd 1185 ul_print_default(data);
1186 ndef_print_CC(data+12);
fff69a1e 1187 } else {
05f7accd 1188 locked = true;
1189 }
fce738fc 1190
05f7accd 1191 // UL_C Specific
1c1c5f4c 1192 if ((tagtype & UL_C)){
8297860e 1193
1194 // read pages 0x28, 0x29, 0x2A, 0x2B
2c74558d 1195 uint8_t ulc_conf[16] = {0x00};
8297860e 1196 status = ul_read(0x28, ulc_conf, sizeof(ulc_conf));
2c74558d 1197 if ( status == -1 ){
224e8c1a 1198 PrintAndLog("Error: tag didn't answer to READ UL-C");
e7e95088 1199 ul_switch_off_field();
ebd7412d 1200 return status;
1201 }
05f7accd 1202 if (status == 16) ulc_print_configuration(ulc_conf);
1203 else locked = true;
b9a3c864 1204
2b03dea7 1205 if ((tagtype & MAGIC)){
05f7accd 1206 //just read key
b9a3c864 1207 uint8_t ulc_deskey[16] = {0x00};
1208 status = ul_read(0x2C, ulc_deskey, sizeof(ulc_deskey));
2c74558d 1209 if ( status == -1 ){
e7e95088 1210 ul_switch_off_field();
fce738fc 1211 PrintAndLog("Error: tag didn't answer to READ magic");
2c74558d 1212 return status;
1213 }
05f7accd 1214 if (status == 16) ulc_print_3deskey(ulc_deskey);
b9a3c864 1215
ebd7412d 1216 } else {
e7e95088 1217 ul_switch_off_field();
98cdd568 1218 // if we called info with key, just return
c92cf814 1219 if ( hasAuthKey ) return 1;
98cdd568 1220
224e8c1a 1221 // also try to diversify default keys.. look into CmdHF14AMfuGenDiverseKeys
8297860e 1222 PrintAndLog("Trying some default 3des keys");
ebd7412d 1223 for (uint8_t i = 0; i < KEYS_3DES_COUNT; ++i ){
8297860e 1224 key = default_3des_keys[i];
e7e95088 1225 if (ulc_authentication(key, true)){
05f7accd 1226 PrintAndLog("Found default 3des key: ");
224e8c1a 1227 uint8_t keySwap[16];
1228 memcpy(keySwap, SwapEndian64(key,16,8), 16);
1229 ulc_print_3deskey(keySwap);
2491a252 1230 return 1;
05f7accd 1231 }
1232 }
2491a252 1233 return 1;
8297860e 1234 }
a8be77af 1235 }
ebd7412d 1236
05f7accd 1237 // do counters and signature first (don't neet auth)
1238
1239 // ul counters are different than ntag counters
1fa96198 1240 if ((tagtype & (UL_EV1_48 | UL_EV1_128))) {
1241 if (ulev1_print_counters() != 3) {
1242 // failed - re-select
2491a252 1243 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
1fa96198 1244 }
1245 }
05f7accd 1246
1247 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K ))) {
69a29536 1248 uint8_t ulev1_signature[32] = {0x00};
1249 status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature));
1250 if ( status == -1 ){
1251 PrintAndLog("Error: tag didn't answer to READ SIGNATURE");
e7e95088 1252 ul_switch_off_field();
69a29536 1253 return status;
aebe7790 1254 }
05f7accd 1255 if (status == 32) ulev1_print_signature( ulev1_signature, sizeof(ulev1_signature));
1fa96198 1256 else {
1257 // re-select
2491a252 1258 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
1fa96198 1259 }
2c74558d 1260 }
1261
05f7accd 1262 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_210 | NTAG_212 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K))) {
2c74558d 1263 uint8_t version[10] = {0x00};
8297860e 1264 status = ulev1_getVersion(version, sizeof(version));
2c74558d 1265 if ( status == -1 ){
e7e95088 1266 PrintAndLog("Error: tag didn't answer to GETVERSION");
1267 ul_switch_off_field();
2c74558d 1268 return status;
fff69a1e 1269 } else if (status == 10) {
1270 ulev1_print_version(version);
1271 } else {
1272 locked = true;
2491a252 1273 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
2c74558d 1274 }
98cdd568 1275
05f7accd 1276 uint8_t startconfigblock = 0;
1277 uint8_t ulev1_conf[16] = {0x00};
1278 // config blocks always are last 4 pages
1279 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
1280 if (tagtype & UL_TYPES_ARRAY[idx])
1281 startconfigblock = UL_MEMORY_ARRAY[idx]-3;
1282
329f5cf2 1283 if (startconfigblock){ // if we know where the config block is...
05f7accd 1284 status = ul_read(startconfigblock, ulev1_conf, sizeof(ulev1_conf));
1285 if ( status == -1 ) {
1286 PrintAndLog("Error: tag didn't answer to READ EV1");
1287 ul_switch_off_field();
1288 return status;
1289 } else if (status == 16) {
1290 // save AUTHENTICATION LIMITS for later:
1291 authlim = (ulev1_conf[4] & 0x07);
1292 ulev1_print_configuration(ulev1_conf);
329f5cf2 1293 }
05f7accd 1294 }
e9bb4f47 1295
aebe7790 1296 // AUTHLIMIT, (number of failed authentications)
1297 // 0 = limitless.
e9bb4f47 1298 // 1-7 = limit. No automatic tries then.
1299 // hasAuthKey, if we was called with key, skip test.
05f7accd 1300 if ( !authlim && !hasAuthKey ) {
aebe7790 1301 PrintAndLog("\n--- Known EV1/NTAG passwords.");
e7e95088 1302 len = 0;
ebd7412d 1303 for (uint8_t i = 0; i < KEYS_PWD_COUNT; ++i ){
aebe7790 1304 key = default_pwd_pack[i];
98cdd568 1305 len = ulev1_requestAuthentication(key, pack, sizeof(pack));
e7e95088 1306 if (len >= 1) {
aebe7790 1307 PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]);
98cdd568 1308 break;
e7e95088 1309 } else {
2491a252 1310 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
aebe7790 1311 }
e7e95088 1312 }
05f7accd 1313 if (len < 1) PrintAndLog("password not known");
2c74558d 1314 }
2c74558d 1315 }
e9bb4f47 1316
2c74558d 1317 ul_switch_off_field();
05f7accd 1318 if (locked) PrintAndLog("\nTag appears to be locked, try using the key to get more info");
fce738fc 1319 PrintAndLog("");
c92cf814 1320 return 1;
81740aa5 1321}
1322
1323//
fff69a1e 1324// Write Single Block
81740aa5 1325//
1326int CmdHF14AMfUWrBl(const char *Cmd){
81740aa5 1327
fff69a1e 1328 int blockNo = -1;
1329 bool errors = false;
1330 bool hasAuthKey = false;
1331 bool hasPwdKey = false;
1332 bool swapEndian = false;
81740aa5 1333
fff69a1e 1334 uint8_t cmdp = 0;
1335 uint8_t keylen = 0;
1336 uint8_t blockdata[20] = {0x00};
1337 uint8_t data[16] = {0x00};
1338 uint8_t authenticationkey[16] = {0x00};
2491a252 1339 uint8_t *authkeyptr = authenticationkey;
81740aa5 1340
fff69a1e 1341 // starting with getting tagtype
1342 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1343 if (tagtype == UL_ERROR) return -1;
1344
1345 while(param_getchar(Cmd, cmdp) != 0x00)
1346 {
1347 switch(param_getchar(Cmd, cmdp))
1348 {
1349 case 'h':
1350 case 'H':
1351 return usage_hf_mfu_wrbl();
1352 case 'k':
1353 case 'K':
1354 // EV1/NTAG size key
1355 keylen = param_gethex(Cmd, cmdp+1, data, 8);
1356 if ( !keylen ) {
1357 memcpy(authenticationkey, data, 4);
1358 cmdp += 2;
1359 hasPwdKey = true;
1360 break;
1361 }
1362 // UL-C size key
1363 keylen = param_gethex(Cmd, cmdp+1, data, 32);
1364 if (!keylen){
1365 memcpy(authenticationkey, data, 16);
1366 cmdp += 2;
1367 hasAuthKey = true;
1368 break;
1369 }
1370 PrintAndLog("\nERROR: Key is incorrect length\n");
1371 errors = true;
1372 break;
1373 case 'b':
1374 case 'B':
1375 blockNo = param_get8(Cmd, cmdp+1);
1376
1377 uint8_t maxblockno = 0;
1378 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
1379 if (tagtype & UL_TYPES_ARRAY[idx])
1380 maxblockno = UL_MEMORY_ARRAY[idx]+1;
1381 }
1382
1383 if (blockNo < 0) {
1384 PrintAndLog("Wrong block number");
1385 errors = true;
1386 }
1387 if (blockNo > maxblockno){
1388 PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
1389 errors = true;
1390 }
1391 cmdp += 2;
1392 break;
1393 case 'l':
1394 case 'L':
1395 swapEndian = true;
1396 cmdp++;
1397 break;
1398 case 'd':
1399 case 'D':
1400 if ( param_gethex(Cmd, cmdp+1, blockdata, 8) ) {
1401 PrintAndLog("Block data must include 8 HEX symbols");
1402 errors = true;
1403 break;
1404 }
1405 cmdp += 2;
1406 break;
1407 default:
1408 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1409 errors = true;
1410 break;
1411 }
1412 //Validations
1413 if(errors) return usage_hf_mfu_wrbl();
afceaf40 1414 }
fff69a1e 1415
f6059703 1416 if ( blockNo == -1 ) return usage_hf_mfu_wrbl();
fff69a1e 1417
1418 // Swap endianness
2491a252 1419 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
1420 if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4);
1421
fff69a1e 1422
1423 if ( blockNo <= 3)
1424 PrintAndLog("Special Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
1425 else
1426 PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
81740aa5 1427
fff69a1e 1428
1429
1430 //Send write Block
1431 UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}};
1432 memcpy(c.d.asBytes,blockdata,4);
1433
1434 if ( hasAuthKey ){
1435 c.arg[1] = 1;
2491a252 1436 memcpy(c.d.asBytes+4,authkeyptr,16);
fff69a1e 1437 }
1438 else if ( hasPwdKey ) {
1439 c.arg[1] = 2;
2491a252 1440 memcpy(c.d.asBytes+4,authkeyptr,4);
afceaf40 1441 }
81740aa5 1442
fff69a1e 1443 SendCommand(&c);
1444 UsbCommand resp;
1445 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
1446 uint8_t isOK = resp.arg[0] & 0xff;
1447 PrintAndLog("isOk:%02x", isOK);
81740aa5 1448 } else {
fff69a1e 1449 PrintAndLog("Command execute timeout");
afceaf40 1450 }
fff69a1e 1451
afceaf40 1452 return 0;
81740aa5 1453}
81740aa5 1454//
fff69a1e 1455// Read Single Block
81740aa5 1456//
1457int CmdHF14AMfURdBl(const char *Cmd){
81740aa5 1458
fff69a1e 1459 int blockNo = -1;
1460 bool errors = false;
1461 bool hasAuthKey = false;
1462 bool hasPwdKey = false;
1463 bool swapEndian = false;
1464 uint8_t cmdp = 0;
1465 uint8_t keylen = 0;
1466 uint8_t data[16] = {0x00};
1467 uint8_t authenticationkey[16] = {0x00};
2491a252 1468 uint8_t *authkeyptr = authenticationkey;
1469
fff69a1e 1470 // starting with getting tagtype
1471 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1472 if (tagtype == UL_ERROR) return -1;
1473
1474 while(param_getchar(Cmd, cmdp) != 0x00)
1475 {
1476 switch(param_getchar(Cmd, cmdp))
1477 {
1478 case 'h':
1479 case 'H':
1480 return usage_hf_mfu_rdbl();
1481 case 'k':
1482 case 'K':
1483 // EV1/NTAG size key
1484 keylen = param_gethex(Cmd, cmdp+1, data, 8);
1485 if ( !keylen ) {
1486 memcpy(authenticationkey, data, 4);
1487 cmdp += 2;
1488 hasPwdKey = true;
1489 break;
1490 }
1491 // UL-C size key
1492 keylen = param_gethex(Cmd, cmdp+1, data, 32);
1493 if (!keylen){
1494 memcpy(authenticationkey, data, 16);
1495 cmdp += 2;
1496 hasAuthKey = true;
1497 break;
1498 }
1499 PrintAndLog("\nERROR: Key is incorrect length\n");
1500 errors = true;
1501 break;
1502 case 'b':
1503 case 'B':
1504 blockNo = param_get8(Cmd, cmdp+1);
1505
1506 uint8_t maxblockno = 0;
1507 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
1508 if (tagtype & UL_TYPES_ARRAY[idx])
1509 maxblockno = UL_MEMORY_ARRAY[idx]+1;
1510 }
afceaf40 1511
fff69a1e 1512 if (blockNo < 0) {
1513 PrintAndLog("Wrong block number");
1514 errors = true;
1515 }
1516 if (blockNo > maxblockno){
1517 PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
1518 errors = true;
1519 }
1520 cmdp += 2;
1521 break;
1522 case 'l':
1523 case 'L':
1524 swapEndian = true;
1525 cmdp++;
1526 break;
1527 default:
1528 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1529 errors = true;
1530 break;
1531 }
1532 //Validations
1533 if(errors) return usage_hf_mfu_rdbl();
afceaf40 1534 }
fff69a1e 1535 if ( blockNo == -1 ) return usage_hf_mfu_rdbl();
1536
1537 // Swap endianness
2491a252 1538 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
1539 if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4);
fff69a1e 1540
1541 //Read Block
afceaf40 1542 UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};
fff69a1e 1543 if ( hasAuthKey ){
1544 c.arg[1] = 1;
2491a252 1545 memcpy(c.d.asBytes,authkeyptr,16);
fff69a1e 1546 }
1547 else if ( hasPwdKey ) {
1548 c.arg[1] = 2;
2491a252 1549 memcpy(c.d.asBytes,authkeyptr,4);
fff69a1e 1550 }
1551
afceaf40
MHS		 1552 SendCommand(&c);
1553
afceaf40 1554 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
aa60d156 1555 uint8_t isOK = resp.arg[0] & 0xff;
1556 if (isOK) {
1557 uint8_t *data = resp.d.asBytes;
fff69a1e 1558 PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(data, 4));
aa60d156 1559 }
1560 else {
1561 PrintAndLog("Failed reading block: (%02x)", isOK);
1562 }
81740aa5 1563 } else {
aa60d156 1564 PrintAndLog("Command execute time-out");
afceaf40 1565 }
f168b263 1566
afceaf40 1567 return 0;
81740aa5 1568}
1569
fff69a1e 1570int usage_hf_mfu_info(void) {
98cdd568 1571 PrintAndLog("It gathers information about the tag and tries to detect what kind it is.");
1572 PrintAndLog("Sometimes the tags are locked down, and you may need a key to be able to read the information");
1573 PrintAndLog("The following tags can be identified:\n");
2491a252 1574 PrintAndLog("Ultralight, Ultralight-C, Ultralight EV1, NTAG 203, NTAG 210,");
1575 PrintAndLog("NTAG 212, NTAG 213, NTAG 215, NTAG 216, NTAG I2C 1K & 2K");
98cdd568 1576 PrintAndLog("my-d, my-d NFC, my-d move, my-d move NFC\n");
2491a252 1577 PrintAndLog("Usage: hf mfu info k <key> l");
98cdd568 1578 PrintAndLog(" Options : ");
2491a252 1579 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1580 PrintAndLog(" l : (optional) swap entered key's endianness");
98cdd568 1581 PrintAndLog("");
1582 PrintAndLog(" sample : hf mfu info");
2491a252 1583 PrintAndLog(" : hf mfu info k 00112233445566778899AABBCCDDEEFF");
1584 PrintAndLog(" : hf mfu info k AABBCCDDD");
98cdd568 1585 return 0;
1586}
1587
fff69a1e 1588int usage_hf_mfu_dump(void) {
1ec21089 1589 PrintAndLog("Reads all pages from Ultralight, Ultralight-C, Ultralight EV1");
2491a252 1590 PrintAndLog("NTAG 203, NTAG 210, NTAG 212, NTAG 213, NTAG 215, NTAG 216");
1ec21089 1591 PrintAndLog("and saves binary dump into the file `filename.bin` or `cardUID.bin`");
1592 PrintAndLog("It autodetects card type.\n");
2491a252 1593 PrintAndLog("Usage: hf mfu dump k <key> l n <filename w/o .bin>");
2b03dea7 1594 PrintAndLog(" Options : ");
2491a252 1595 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1596 PrintAndLog(" l : (optional) swap entered key's endianness");
833081e3 1597 PrintAndLog(" n <FN > : filename w/o .bin to save the dump as");
1598 PrintAndLog(" p <Pg > : starting Page number to manually set a page to start the dump at");
1599 PrintAndLog(" q <qty> : number of Pages to manually set how many pages to dump");
1600
2b03dea7 1601 PrintAndLog("");
1ec21089 1602 PrintAndLog(" sample : hf mfu dump");
2c74558d 1603 PrintAndLog(" : hf mfu dump n myfile");
98cdd568 1604 PrintAndLog(" : hf mfu dump k 00112233445566778899AABBCCDDEEFF");
2491a252 1605 PrintAndLog(" : hf mfu dump k AABBCCDDD\n");
1ec21089 1606 return 0;
1607}
98cdd568 1608
fff69a1e 1609int usage_hf_mfu_rdbl(void) {
1610 PrintAndLog("Read a block and print. It autodetects card type.\n");
2491a252 1611 PrintAndLog("Usage: hf mfu rdbl b <block number> k <key> l\n");
fff69a1e 1612 PrintAndLog(" Options:");
fff69a1e 1613 PrintAndLog(" b <no> : block to read");
2491a252 1614 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1615 PrintAndLog(" l : (optional) swap entered key's endianness");
fff69a1e 1616 PrintAndLog("");
2491a252 1617 PrintAndLog(" sample : hf mfu rdbl b 0");
fff69a1e 1618 PrintAndLog(" : hf mfu rdbl b 0 k 00112233445566778899AABBCCDDEEFF");
2491a252 1619 PrintAndLog(" : hf mfu rdbl b 0 k AABBCCDDD\n");
fff69a1e 1620 return 0;
1621}
1622
1623int usage_hf_mfu_wrbl(void) {
f6059703 1624 PrintAndLog("Write a block. It autodetects card type.\n");
1625 PrintAndLog("Usage: hf mfu wrbl b <block number> d <data> k <key> l\n");
2491a252 1626 PrintAndLog(" Options:");
fff69a1e 1627 PrintAndLog(" b <no> : block to write");
2491a252 1628 PrintAndLog(" d <data> : block data - (8 hex symbols)");
1629 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1630 PrintAndLog(" l : (optional) swap entered key's endianness");
fff69a1e 1631 PrintAndLog("");
2491a252 1632 PrintAndLog(" sample : hf mfu wrbl b 0 d 01234567");
1633 PrintAndLog(" : hf mfu wrbl b 0 d 01234567 k AABBCCDDD\n");
fff69a1e 1634 return 0;
1635}
1636
81740aa5 1637//
1ec21089 1638// Mifare Ultralight / Ultralight-C / Ultralight-EV1
1639// Read and Dump Card Contents, using auto detection of tag size.
81740aa5 1640//
1ec21089 1641// TODO: take a password to read UL-C / UL-EV1 tags.
81740aa5 1642int CmdHF14AMfUDump(const char *Cmd){
1643
afceaf40 1644 FILE *fout;
81740aa5 1645 char filename[FILE_PATH_SIZE] = {0x00};
92690507 1646 char *fnameptr = filename;
afceaf40
MHS		 1647 uint8_t *lockbytes_t = NULL;
1648 uint8_t lockbytes[2] = {0x00};
afceaf40
MHS		 1649 uint8_t *lockbytes_t2 = NULL;
1650 uint8_t lockbytes2[2] = {0x00};
afceaf40 1651 bool bit[16] = {0x00};
81740aa5 1652 bool bit2[16] = {0x00};
2c74558d 1653 uint8_t data[1024] = {0x00};
2491a252 1654 bool hasAuthKey = false;
1ec21089 1655 int i = 0;
1656 int Pages = 16;
1657 bool tmplockbit = false;
06561c34 1658 uint8_t dataLen = 0;
1659 uint8_t cmdp = 0;
2491a252 1660 uint8_t authenticationkey[16] = {0x00};
06561c34 1661 uint8_t *authKeyPtr = authenticationkey;
2c74558d 1662 size_t fileNlen = 0;
2b03dea7 1663 bool errors = false;
1664 bool swapEndian = false;
833081e3 1665 bool manualPages = false;
1666 uint8_t startPage = 0;
1667 char tempStr[50];
2c74558d 1668
1669 while(param_getchar(Cmd, cmdp) != 0x00)
1670 {
1671 switch(param_getchar(Cmd, cmdp))
1672 {
1673 case 'h':
1674 case 'H':
1675 return usage_hf_mfu_dump();
1676 case 'k':
1677 case 'K':
833081e3 1678 dataLen = param_getstr(Cmd, cmdp+1, tempStr);
a7e7cd41 1679 if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
2491a252 1680 errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
a7e7cd41 1681 dataLen /= 2;
1682 } else {
e7e95088 1683 PrintAndLog("\nERROR: Key is incorrect length\n");
1684 errors = true;
833081e3 1685 }
2c74558d 1686 cmdp += 2;
2491a252 1687 hasAuthKey = true;
833081e3 1688 break;
1689 case 'l':
1690 case 'L':
1691 swapEndian = true;
1692 cmdp++;
2c74558d 1693 break;
1694 case 'n':
1695 case 'N':
1696 fileNlen = param_getstr(Cmd, cmdp+1, filename);
1697 if (!fileNlen) errors = true;
1698 if (fileNlen > FILE_PATH_SIZE-5) fileNlen = FILE_PATH_SIZE-5;
1699 cmdp += 2;
1700 break;
833081e3 1701 case 'p':
1702 case 'P':
1703 startPage = param_get8(Cmd, cmdp+1);
1704 manualPages = true;
1705 cmdp += 2;
1706 break;
1707 case 'q':
1708 case 'Q':
1709 Pages = param_get8(Cmd, cmdp+1);
1710 cmdp += 2;
1711 manualPages = true;
ebd7412d 1712 break;
2c74558d 1713 default:
1714 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1715 errors = true;
1716 break;
1717 }
1718 if(errors) break;
1719 }
1720
1721 //Validations
1722 if(errors) return usage_hf_mfu_dump();
75377d29 1723
a7e7cd41 1724 if (swapEndian && hasAuthKey)
1725 authKeyPtr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4);
2b03dea7 1726
1ec21089 1727 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1728 if (tagtype == UL_ERROR) return -1;
81740aa5 1729
833081e3 1730 if (!manualPages)
1731 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
1732 if (tagtype & UL_TYPES_ARRAY[idx])
1733 Pages = UL_MEMORY_ARRAY[idx]+1;
1734
1735 ul_print_type(tagtype, 0);
1736 PrintAndLog("Reading tag memory...");
e7e95088 1737 UsbCommand c = {CMD_MIFAREU_READCARD, {startPage,Pages}};
06561c34 1738 if ( hasAuthKey ) {
e7e95088 1739 if (tagtype & UL_C)
1740 c.arg[2] = 1; //UL_C auth
1741 else
1742 c.arg[2] = 2; //UL_EV1/NTAG auth
1743
a7e7cd41 1744 memcpy(c.d.asBytes, authKeyPtr, dataLen);
833081e3 1745 }
afceaf40
MHS		 1746 SendCommand(&c);
1747 UsbCommand resp;
cceabb79 1748 if (!WaitForResponseTimeout(CMD_ACK, &resp,1500)) {
aa60d156 1749 PrintAndLog("Command execute time-out");
2c74558d 1750 return 1;
81740aa5 1751 }
e7e95088 1752 if (resp.arg[0] != 1) {
2c74558d 1753 PrintAndLog("Failed reading block: (%02x)", i);
1754 return 1;
1755 }
1756
e7e95088 1757 uint32_t bufferSize = resp.arg[1];
1758 if (bufferSize > sizeof(data)) {
1759 PrintAndLog("Data exceeded Buffer size!");
1760 bufferSize = sizeof(data);
1761 }
1762 GetFromBigBuf(data, bufferSize, 0);
1763 WaitForResponse(CMD_ACK,NULL);
1764
1765 Pages = bufferSize/4;
81740aa5 1766 // Load lock bytes.
1767 int j = 0;
92690507 1768
81740aa5 1769 lockbytes_t = data + 8;
1770 lockbytes[0] = lockbytes_t[2];
1771 lockbytes[1] = lockbytes_t[3];
1772 for(j = 0; j < 16; j++){
1773 bit[j] = lockbytes[j/8] & ( 1 <<(7-j%8));
92690507 1774 }
1775
81740aa5 1776 // Load bottom lockbytes if available
05f7accd 1777 // TODO -- FIGURE OUT LOCK BYTES FOR TO EV1 and/or NTAG
81740aa5 1778 if ( Pages == 44 ) {
81740aa5 1779 lockbytes_t2 = data + (40*4);
1780 lockbytes2[0] = lockbytes_t2[2];
1781 lockbytes2[1] = lockbytes_t2[3];
1782 for (j = 0; j < 16; j++) {
1783 bit2[j] = lockbytes2[j/8] & ( 1 <<(7-j%8));
1784 }
1785 }
1786
e7e95088 1787 // add keys to block dump
a7e7cd41 1788 if (hasAuthKey) {
012c0761 1789 if (!swapEndian){
a7e7cd41 1790 authKeyPtr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4);
a7e7cd41 1791 } else {
012c0761 1792 authKeyPtr = authenticationkey;
1793 }
1794
1795 if (tagtype & UL_C){ //add 4 pages
1796 memcpy(data + Pages*4, authKeyPtr, dataLen);
1797 Pages += dataLen/4;
1798 } else { // 2nd page from end
1799 memcpy(data + (Pages*4) - 8, authenticationkey, dataLen);
a7e7cd41 1800 }
a7e7cd41 1801 }
cceabb79 1802
81740aa5 1803 for (i = 0; i < Pages; ++i) {
81740aa5 1804 if ( i < 3 ) {
1805 PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4));
1806 continue;
1807 }
81740aa5 1808 switch(i){
1809 case 3: tmplockbit = bit[4]; break;
1810 case 4: tmplockbit = bit[3]; break;
1811 case 5: tmplockbit = bit[2]; break;
1812 case 6: tmplockbit = bit[1]; break;
1813 case 7: tmplockbit = bit[0]; break;
1814 case 8: tmplockbit = bit[15]; break;
1815 case 9: tmplockbit = bit[14]; break;
1816 case 10: tmplockbit = bit[13]; break;
1817 case 11: tmplockbit = bit[12]; break;
1818 case 12: tmplockbit = bit[11]; break;
1819 case 13: tmplockbit = bit[10]; break;
1820 case 14: tmplockbit = bit[9]; break;
1821 case 15: tmplockbit = bit[8]; break;
1822 case 16:
1823 case 17:
1824 case 18:
1825 case 19: tmplockbit = bit2[6]; break;
1826 case 20:
1827 case 21:
1828 case 22:
1829 case 23: tmplockbit = bit2[5]; break;
1830 case 24:
1831 case 25:
1832 case 26:
06561c34 1833 case 27: tmplockbit = bit2[4]; break;
81740aa5 1834 case 28:
1835 case 29:
1836 case 30:
1837 case 31: tmplockbit = bit2[2]; break;
1838 case 32:
1839 case 33:
1840 case 34:
1841 case 35: tmplockbit = bit2[1]; break;
1842 case 36:
1843 case 37:
1844 case 38:
1845 case 39: tmplockbit = bit2[0]; break;
1846 case 40: tmplockbit = bit2[12]; break;
1847 case 41: tmplockbit = bit2[11]; break;
1848 case 42: tmplockbit = bit2[10]; break; //auth0
1849 case 43: tmplockbit = bit2[9]; break; //auth1
1850 default: break;
1851 }
012c0761 1852 PrintAndLog("Block %02X:%s [%d] {%.4s}", i, sprint_hex(data + i * 4, 4), tmplockbit, data+i*4);
06561c34 1853 }
81740aa5 1854
2c74558d 1855 // user supplied filename?
1856 if (fileNlen < 1) {
1857 // UID = data 0-1-2 4-5-6-7 (skips a beat)
afceaf40
MHS		 1858 sprintf(fnameptr,"%02X%02X%02X%02X%02X%02X%02X.bin",
1859 data[0],data[1], data[2], data[4],data[5],data[6], data[7]);
81740aa5 1860 } else {
2696349f 1861 sprintf(fnameptr + fileNlen,".bin");
81740aa5 1862 }
1863
81740aa5 1864 if ((fout = fopen(filename,"wb")) == NULL) {
1865 PrintAndLog("Could not create file name %s", filename);
06561c34 1866 return 1;
81740aa5 1867 }
1868 fwrite( data, 1, Pages*4, fout );
1869 fclose(fout);
1870
1871 PrintAndLog("Dumped %d pages, wrote %d bytes to %s", Pages, Pages*4, filename);
afceaf40 1872 return 0;
81740aa5 1873}
1874
81740aa5 1875//-------------------------------------------------------------------------------
1876// Ultralight C Methods
1877//-------------------------------------------------------------------------------
1878
1879//
1880// Ultralight C Authentication Demo {currently uses hard-coded key}
1881//
1882int CmdHF14AMfucAuth(const char *Cmd){
afceaf40 1883
9d87eb66 1884 uint8_t keyNo = 3;
afceaf40 1885 bool errors = false;
a8be77af 1886
1887 char cmdp = param_getchar(Cmd, 0);
1888
afceaf40
MHS		 1889 //Change key to user defined one
1890 if (cmdp == 'k' || cmdp == 'K'){
1891 keyNo = param_get8(Cmd, 1);
ebd7412d 1892 if(keyNo > KEYS_3DES_COUNT)
a8be77af 1893 errors = true;
afceaf40
MHS		 1894 }
1895
a8be77af 1896 if (cmdp == 'h' || cmdp == 'H')
afceaf40 1897 errors = true;
a8be77af 1898
afceaf40
MHS		 1899 if (errors) {
1900 PrintAndLog("Usage: hf mfu cauth k <key number>");
1901 PrintAndLog(" 0 (default): 3DES standard key");
aa60d156 1902 PrintAndLog(" 1 : all 0x00 key");
afceaf40
MHS		 1903 PrintAndLog(" 2 : 0x00-0x0F key");
1904 PrintAndLog(" 3 : nfc key");
aa60d156 1905 PrintAndLog(" 4 : all 0x01 key");
1906 PrintAndLog(" 5 : all 0xff key");
1907 PrintAndLog(" 6 : 0x00-0xFF key");
1908 PrintAndLog("\n sample : hf mfu cauth k");
81740aa5 1909 PrintAndLog(" : hf mfu cauth k 3");
afceaf40
MHS		 1910 return 0;
1911 }
1912
a8be77af 1913 uint8_t *key = default_3des_keys[keyNo];
e7e95088 1914 if (ulc_authentication(key, true))
1c1c5f4c 1915 PrintAndLog("Authentication successful. 3des key: %s",sprint_hex(key, 16));
a8be77af 1916 else
1917 PrintAndLog("Authentication failed");
9d87eb66 1918
a8be77af 1919 return 0;
1920}
1921
afceaf40
MHS		 1922/**
1923A test function to validate that the polarssl-function works the same
1924was as the openssl-implementation.
1925Commented out, since it requires openssl
1926
1927int CmdTestDES(const char * cmd)
1928{
1929 uint8_t key[16] = {0x00};
1930
1931 memcpy(key,key3_3des_data,16);
1932 DES_cblock RndA, RndB;
1933
1934 PrintAndLog("----------OpenSSL DES implementation----------");
1935 {
1936 uint8_t e_RndB[8] = {0x00};
1937 unsigned char RndARndB[16] = {0x00};
1938
1939 DES_cblock iv = { 0 };
1940 DES_key_schedule ks1,ks2;
1941 DES_cblock key1,key2;
1942
1943 memcpy(key,key3_3des_data,16);
1944 memcpy(key1,key,8);
1945 memcpy(key2,key+8,8);
1946
1947
1948 DES_set_key((DES_cblock *)key1,&ks1);
1949 DES_set_key((DES_cblock *)key2,&ks2);
1950
1951 DES_random_key(&RndA);
1952 PrintAndLog(" RndA:%s",sprint_hex(RndA, 8));
1953 PrintAndLog(" e_RndB:%s",sprint_hex(e_RndB, 8));
1954 //void DES_ede2_cbc_encrypt(const unsigned char *input,
1955 // unsigned char *output, long length, DES_key_schedule *ks1,
1956 // DES_key_schedule *ks2, DES_cblock *ivec, int enc);
1957 DES_ede2_cbc_encrypt(e_RndB,RndB,sizeof(e_RndB),&ks1,&ks2,&iv,0);
1958
1959 PrintAndLog(" RndB:%s",sprint_hex(RndB, 8));
1960 rol(RndB,8);
1961 memcpy(RndARndB,RndA,8);
1962 memcpy(RndARndB+8,RndB,8);
1963 PrintAndLog(" RA+B:%s",sprint_hex(RndARndB, 16));
1964 DES_ede2_cbc_encrypt(RndARndB,RndARndB,sizeof(RndARndB),&ks1,&ks2,&e_RndB,1);
1965 PrintAndLog("enc(RA+B):%s",sprint_hex(RndARndB, 16));
1966
1967 }
1968 PrintAndLog("----------PolarSSL implementation----------");
1969 {
1970 uint8_t random_a[8] = { 0 };
1971 uint8_t enc_random_a[8] = { 0 };
1972 uint8_t random_b[8] = { 0 };
1973 uint8_t enc_random_b[8] = { 0 };
1974 uint8_t random_a_and_b[16] = { 0 };
1975 des3_context ctx = { 0 };
1976
1977 memcpy(random_a, RndA,8);
1978
1979 uint8_t output[8] = { 0 };
1980 uint8_t iv[8] = { 0 };
1981
1982 PrintAndLog(" RndA :%s",sprint_hex(random_a, 8));
1983 PrintAndLog(" e_RndB:%s",sprint_hex(enc_random_b, 8));
1984
1985 des3_set2key_dec(&ctx, key);
1986
1987 des3_crypt_cbc(&ctx // des3_context *ctx
1988 , DES_DECRYPT // int mode
1989 , sizeof(random_b) // size_t length
1990 , iv // unsigned char iv[8]
1991 , enc_random_b // const unsigned char *input
1992 , random_b // unsigned char *output
1993 );
1994
1995 PrintAndLog(" RndB:%s",sprint_hex(random_b, 8));
1996
1997 rol(random_b,8);
1998 memcpy(random_a_and_b ,random_a,8);
1999 memcpy(random_a_and_b+8,random_b,8);
2000
2001 PrintAndLog(" RA+B:%s",sprint_hex(random_a_and_b, 16));
2002
2003 des3_set2key_enc(&ctx, key);
81740aa5 2004
afceaf40
MHS		 2005 des3_crypt_cbc(&ctx // des3_context *ctx
2006 , DES_ENCRYPT // int mode
2007 , sizeof(random_a_and_b) // size_t length
2008 , enc_random_b // unsigned char iv[8]
2009 , random_a_and_b // const unsigned char *input
2010 , random_a_and_b // unsigned char *output
2011 );
2012
2013 PrintAndLog("enc(RA+B):%s",sprint_hex(random_a_and_b, 16));
2014 }
2015 return 0;
2016}
2017**/
2c74558d 2018
aa60d156 2019//
2020// Mifare Ultralight C - Set password
2021//
2022int CmdHF14AMfucSetPwd(const char *Cmd){
2023
1ec21089 2024 uint8_t pwd[16] = {0x00};
1c1c5f4c 2025
bcf61bd3 2026 uint8_t key[16];
aa60d156 2027 char cmdp = param_getchar(Cmd, 0);
bcf61bd3 2028
aa60d156 2029 if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
2030 PrintAndLog("Usage: hf mfu setpwd <password (32 hex symbols)>");
2031 PrintAndLog(" [password] - (32 hex symbols)");
2032 PrintAndLog("");
2033 PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f");
2034 PrintAndLog("");
2035 return 0;
2036 }
2037
2038 if (param_gethex(Cmd, 0, pwd, 32)) {
2039 PrintAndLog("Password must include 32 HEX symbols");
2040 return 1;
2041 }
bcf61bd3 2042
2043 if (blockNo > MAX_ULC_BLOCKS ){
2044 PrintAndLog("Error: Maximum number of blocks is 47 for Ultralight-C");
2045 return 1;
2046 }
aa60d156 2047
2048 UsbCommand c = {CMD_MIFAREUC_SETPWD};
2049 memcpy( c.d.asBytes, pwd, 16);
2050 SendCommand(&c);
2051
2052 UsbCommand resp;
2053
2054 if (WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
2055 if ( (resp.arg[0] & 0xff) == 1)
2056 PrintAndLog("Ultralight-C new password: %s", sprint_hex(pwd,16));
2057 else{
2058 PrintAndLog("Failed writing at block %d", resp.arg[1] & 0xff);
2059 return 1;
2060 }
2061 }
2062 else {
2063 PrintAndLog("command execution time out");
1c1c5f4c 2064 return 1;
aa60d156 2065 }
2066
2067 return 0;
2068}
2069
2070//
1ec21089 2071// Magic UL / UL-C tags - Set UID
aa60d156 2072//
2073int CmdHF14AMfucSetUid(const char *Cmd){
2074
5d554ea6 2075 UsbCommand c;
2076 UsbCommand resp;
aa60d156 2077 uint8_t uid[7] = {0x00};
2078 char cmdp = param_getchar(Cmd, 0);
2079
2080 if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
2081 PrintAndLog("Usage: hf mfu setuid <uid (14 hex symbols)>");
2082 PrintAndLog(" [uid] - (14 hex symbols)");
5d554ea6 2083 PrintAndLog("\nThis only works for Magic Ultralight tags.");
aa60d156 2084 PrintAndLog("");
2085 PrintAndLog("sample: hf mfu setuid 11223344556677");
2086 PrintAndLog("");
2087 return 0;
2088 }
2089
2090 if (param_gethex(Cmd, 0, uid, 14)) {
5d554ea6 2091 PrintAndLog("UID must include 14 HEX symbols");
aa60d156 2092 return 1;
2093 }
2094
5d554ea6 2095 // read block2.
2096 c.cmd = CMD_MIFAREU_READBL;
2097 c.arg[0] = 2;
aa60d156 2098 SendCommand(&c);
5d554ea6 2099 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
2100 PrintAndLog("Command execute timeout");
2101 return 2;
aa60d156 2102 }
bcf61bd3 2103
5d554ea6 2104 // save old block2.
2105 uint8_t oldblock2[4] = {0x00};
2106 memcpy(resp.d.asBytes, oldblock2, 4);
2107
2108 // block 0.
2109 c.cmd = CMD_MIFAREU_WRITEBL;
2110 c.arg[0] = 0;
2111 c.d.asBytes[0] = uid[0];
2112 c.d.asBytes[1] = uid[1];
2113 c.d.asBytes[2] = uid[2];
2114 c.d.asBytes[3] = 0x88 ^ uid[0] ^ uid[1] ^ uid[2];
2115 SendCommand(&c);
2116 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
2117 PrintAndLog("Command execute timeout");
2118 return 3;
aa60d156 2119 }
bcf61bd3 2120
5d554ea6 2121 // block 1.
2122 c.arg[0] = 1;
2123 c.d.asBytes[0] = uid[3];
2124 c.d.asBytes[1] = uid[4];
2125 c.d.asBytes[2] = uid[5];
2126 c.d.asBytes[3] = uid[6];
2127 SendCommand(&c);
2128 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
2129 PrintAndLog("Command execute timeout");
2130 return 4;
2131 }
2132
2133 // block 2.
2134 c.arg[0] = 2;
2135 c.d.asBytes[0] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6];
2136 c.d.asBytes[1] = oldblock2[1];
2137 c.d.asBytes[2] = oldblock2[2];
2138 c.d.asBytes[3] = oldblock2[3];
2139 SendCommand(&c);
2140 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
2141 PrintAndLog("Command execute timeout");
2142 return 5;
2143 }
2144
aa60d156 2145 return 0;
2146}
2147
2148int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
2149
2150 uint8_t iv[8] = { 0x00 };
2151 uint8_t block = 0x07;
2152
5d554ea6 2153 // UL-EV1
2154 //04 57 b6 e2 05 3f 80 UID
2155 //4a f8 4b 19 PWD
aa60d156 2156 uint8_t uid[] = { 0xF4,0xEA, 0x54, 0x8E };
395f6a81 2157 uint8_t mifarekeyA[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 };
2158 uint8_t mifarekeyB[] = { 0xB0,0xB1,0xB2,0xB3,0xB4,0xB5 };
2159 uint8_t dkeyA[8] = { 0x00 };
2160 uint8_t dkeyB[8] = { 0x00 };
2161
aa60d156 2162 uint8_t masterkey[] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
2163
2164 uint8_t mix[8] = { 0x00 };
2165 uint8_t divkey[8] = { 0x00 };
2166
395f6a81 2167 memcpy(mix, mifarekeyA, 4);
aa60d156 2168
395f6a81 2169 mix[4] = mifarekeyA[4] ^ uid[0];
2170 mix[5] = mifarekeyA[5] ^ uid[1];
aa60d156 2171 mix[6] = block ^ uid[2];
2172 mix[7] = uid[3];
2173
2174 des3_context ctx = { 0x00 };
2175 des3_set2key_enc(&ctx, masterkey);
2176
f2019c77 2177 des3_crypt_cbc(&ctx // des3_context
2178 , DES_ENCRYPT // int mode
2179 , sizeof(mix) // length
2180 , iv // iv[8]
2181 , mix // input
2182 , divkey // output
aa60d156 2183 );
2184
2185 PrintAndLog("3DES version");
2186 PrintAndLog("Masterkey :\t %s", sprint_hex(masterkey,sizeof(masterkey)));
2187 PrintAndLog("UID :\t %s", sprint_hex(uid, sizeof(uid)));
2188 PrintAndLog("Sector :\t %0d", block);
395f6a81 2189 PrintAndLog("Mifare key :\t %s", sprint_hex(mifarekeyA, sizeof(mifarekeyA)));
aa60d156 2190 PrintAndLog("Message :\t %s", sprint_hex(mix, sizeof(mix)));
2191 PrintAndLog("Diversified key: %s", sprint_hex(divkey+1, 6));
2192
395f6a81 2193 PrintAndLog("\n DES version");
2194
2195 for (int i=0; i < sizeof(mifarekeyA); ++i){
2196 dkeyA[i] = (mifarekeyA[i] << 1) & 0xff;
2197 dkeyA[6] |= ((mifarekeyA[i] >> 7) & 1) << (i+1);
2198 }
2199
2200 for (int i=0; i < sizeof(mifarekeyB); ++i){
2201 dkeyB[1] |= ((mifarekeyB[i] >> 7) & 1) << (i+1);
2202 dkeyB[2+i] = (mifarekeyB[i] << 1) & 0xff;
2203 }
2204
2205 uint8_t zeros[8] = {0x00};
2206 uint8_t newpwd[8] = {0x00};
2207 uint8_t dmkey[24] = {0x00};
2208 memcpy(dmkey, dkeyA, 8);
2209 memcpy(dmkey+8, dkeyB, 8);
2210 memcpy(dmkey+16, dkeyA, 8);
2211 memset(iv, 0x00, 8);
2212
2213 des3_set3key_enc(&ctx, dmkey);
2214
2215 des3_crypt_cbc(&ctx // des3_context
2216 , DES_ENCRYPT // int mode
2217 , sizeof(newpwd) // length
2218 , iv // iv[8]
2219 , zeros // input
2220 , newpwd // output
2221 );
2222
2223 PrintAndLog("Mifare dkeyA :\t %s", sprint_hex(dkeyA, sizeof(dkeyA)));
2224 PrintAndLog("Mifare dkeyB :\t %s", sprint_hex(dkeyB, sizeof(dkeyB)));
2225 PrintAndLog("Mifare ABA :\t %s", sprint_hex(dmkey, sizeof(dmkey)));
2226 PrintAndLog("Mifare Pwd :\t %s", sprint_hex(newpwd, sizeof(newpwd)));
2227
aa60d156 2228 return 0;
2229}
2230
395f6a81 2231// static uint8_t * diversify_key(uint8_t * key){
2232
aa60d156 2233 // for(int i=0; i<16; i++){
2234 // if(i<=6) key[i]^=cuid[i];
2235 // if(i>6) key[i]^=cuid[i%7];
2236 // }
2237 // return key;
2238// }
2239
2240// static void GenerateUIDe( uint8_t *uid, uint8_t len){
2241 // for (int i=0; i<len; ++i){
2242
2243 // }
2244 // return;
2245// }
2246
e7e95088 2247//------------------------------------
2248// Menu Stuff
2249//------------------------------------
81740aa5 2250static command_t CommandTable[] =
2251{
1ec21089 2252 {"help", CmdHelp, 1, "This help"},
2253 {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
2254 {"info", CmdHF14AMfUInfo, 0, "Tag information"},
2255 {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C tag to binary file"},
fff69a1e 2256 {"rdbl", CmdHF14AMfURdBl, 0, "Read block"},
2257 {"wrbl", CmdHF14AMfUWrBl, 0, "Write block"},
1ec21089 2258 {"cauth", CmdHF14AMfucAuth, 0, "Authentication - Ultralight C"},
2259 {"setpwd", CmdHF14AMfucSetPwd, 1, "Set 3des password - Ultralight-C"},
2260 {"setuid", CmdHF14AMfucSetUid, 1, "Set UID - MAGIC tags only"},
a8be77af 2261 {"gen", CmdHF14AMfuGenDiverseKeys , 1, "Generate 3des mifare diversified keys"},
afceaf40 2262 {NULL, NULL, 0, NULL}
81740aa5 2263};
2264
2265int CmdHFMFUltra(const char *Cmd){
afceaf40
MHS		 2266 WaitForResponseTimeout(CMD_ACK,NULL,100);
2267 CmdsParse(CommandTable, Cmd);
2268 return 0;
81740aa5 2269}
2270
2271int CmdHelp(const char *Cmd){
afceaf40
MHS		 2272 CmdsHelp(CommandTable);
2273 return 0;
2b03dea7 2274}
Proxmark3 GIT tracking
Impressum, Datenschutz