//-----------------------------------------------------------------------------
// High frequency MIFARE ULTRALIGHT (C) commands
//-----------------------------------------------------------------------------
-#include "loclass/des.h"
+
#include "cmdhfmfu.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include "comms.h"
+#include "usb_cmd.h"
+#include "cmdmain.h"
+#include "ui.h"
+#include "mbedtls/des.h"
#include "cmdhfmf.h"
#include "cmdhf14a.h"
#include "mifare.h"
#include "util.h"
#include "protocols.h"
-#include "data.h"
-
-#define MAX_UL_BLOCKS 0x0f
-#define MAX_ULC_BLOCKS 0x2b
-#define MAX_ULEV1a_BLOCKS 0x13
-#define MAX_ULEV1b_BLOCKS 0x28
-#define MAX_NTAG_203 0x29
-#define MAX_NTAG_210 0x13
-#define MAX_NTAG_212 0x28
-#define MAX_NTAG_213 0x2c
-#define MAX_NTAG_215 0x86
-#define MAX_NTAG_216 0xe6
+
+#define MAX_UL_BLOCKS 0x0f
+#define MAX_ULC_BLOCKS 0x2b
+#define MAX_ULEV1a_BLOCKS 0x13
+#define MAX_ULEV1b_BLOCKS 0x28
+#define MAX_NTAG_203 0x29
+#define MAX_NTAG_210 0x13
+#define MAX_NTAG_212 0x28
+#define MAX_NTAG_213 0x2c
+#define MAX_NTAG_215 0x86
+#define MAX_NTAG_216 0xe6
+#define MAX_MY_D_NFC 0xff
+#define MAX_MY_D_MOVE 0x25
+#define MAX_MY_D_MOVE_LEAN 0x0f
#define KEYS_3DES_COUNT 7
uint8_t default_3des_keys[KEYS_3DES_COUNT][16] = {
{ 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF } // 11 22 33
};
-#define KEYS_PWD_COUNT 10
+#define KEYS_PWD_COUNT 6
uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = {
{0xFF,0xFF,0xFF,0xFF}, // PACK 0x00,0x00 -- factory default
{0xFF,0x90,0x6C,0xB2}, // PACK 0x12,0x9e -- italian bus (sniffed)
{0x46,0x1c,0xA3,0x19}, // PACK 0xE9,0x5A -- italian bus (sniffed)
{0x35,0x1C,0xD0,0x19}, // PACK 0x9A,0x5a -- italian bus (sniffed)
-
- {0x05,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- Amiiboo (sniffed) pikachu-b UID:
- {0x7E,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- AMiiboo (sniffed)
- {0x02,0xE1,0xEE,0x36}, // PACK 0x80,0x80 -- AMiiboo (sniffed) sonic UID: 04d257 7ae33e8027
- {0x32,0x0C,0x16,0x17}, // PACK 0x80,0x80 -- AMiiboo (sniffed)
};
-#define MAX_UL_TYPES 16
-uint16_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203,
- NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC};
+#define MAX_UL_TYPES 18
+uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203,
+ NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC, MY_D_MOVE_LEAN, FUDAN_UL};
uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, MAX_ULEV1a_BLOCKS,
MAX_ULEV1b_BLOCKS, MAX_NTAG_203, MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, MAX_NTAG_213,
- MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_UL_BLOCKS};
+ MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS};
static int CmdHelp(const char *Cmd);
+// get version nxp product type
char *getProductTypeStr( uint8_t id){
static char buf[20];
}
static void ul_switch_on_field(void) {
- UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
- clearCommandBuffer();
- SendCommand(&c);
-}
-
-void ul_switch_off_field(void) {
- UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
+ UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT | ISO14A_NO_RATS, 0, 0}};
clearCommandBuffer();
SendCommand(&c);
}
ans = WaitForResponseTimeout(CMD_ACK, &resp, 1500);
if (!ans || resp.arg[0] < 1) {
PrintAndLog("iso14443a card select failed");
- ul_switch_off_field();
+ DropField();
return 0;
}
if (hasAuthKey) {
if (ulev1_requestAuthentication(authenticationkey, pack, packSize) < 1) {
- ul_switch_off_field();
+ DropField();
PrintAndLog("Error: Authentication Failed UL-EV1/NTAG");
return 0;
}
return len;
}
+
+// Fudan check checks for which error is given for a command with incorrect crc
+// NXP UL chip responds with 01, fudan 00.
+// other possible checks:
+// send a0 + crc
+// UL responds with 00, fudan doesn't respond
+// or
+// send a200 + crc
+// UL doesn't respond, fudan responds with 00
+// or
+// send 300000 + crc (read with extra byte(s))
+// UL responds with read of page 0, fudan doesn't respond.
+//
+// make sure field is off before calling this function
+static int ul_fudan_check( void ){
+ iso14a_card_select_t card;
+ if ( !ul_select(&card) )
+ return UL_ERROR;
+
+ UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_NO_DISCONNECT, 4, 0}};
+
+ uint8_t cmd[4] = {0x30,0x00,0x02,0xa7}; //wrong crc on purpose should be 0xa8
+ memcpy(c.d.asBytes, cmd, 4);
+ clearCommandBuffer();
+ SendCommand(&c);
+ UsbCommand resp;
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return UL_ERROR;
+ if (resp.arg[0] != 1) return UL_ERROR;
+
+ return (!resp.d.asBytes[0]) ? FUDAN_UL : UL; //if response == 0x00 then Fudan, else Genuine NXP
+}
+
static int ul_print_default( uint8_t *data){
uint8_t uid[7];
PrintAndLog(" UID : %s ", sprint_hex(uid, 7));
PrintAndLog(" UID[0] : %02X, %s", uid[0], getTagInfo(uid[0]) );
- if ( uid[0] == 0x05 ) {
+ if ( uid[0] == 0x05 && ((uid[1] & 0xf0) >> 4) == 2 ) { // is infineon and 66RxxP
uint8_t chip = (data[8] & 0xC7); // 11000111 mask, bit 3,4,5 RFU
switch (chip){
- case 0xc2: PrintAndLog(" IC type : SLE 66R04P"); break;
- case 0xc4: PrintAndLog(" IC type : SLE 66R16P"); break;
- case 0xc6: PrintAndLog(" IC type : SLE 66R32P"); break;
+ case 0xc2: PrintAndLog(" IC type : SLE 66R04P 770 Bytes"); break; //77 pages
+ case 0xc4: PrintAndLog(" IC type : SLE 66R16P 2560 Bytes"); break; //256 pages
+ case 0xc6: PrintAndLog(" IC type : SLE 66R32P 5120 Bytes"); break; //512 pages /2 sectors
}
}
// CT (cascade tag byte) 0x88 xor SN0 xor SN1 xor SN2
else if ( tagtype & NTAG_I2C_2K )
PrintAndLog("%sTYPE : NTAG I%sC 1904bytes (NT3H1201FHK)", spacer, "\xFD");
else if ( tagtype & MY_D )
- PrintAndLog("%sTYPE : INFINEON my-d\x99", spacer);
+ PrintAndLog("%sTYPE : INFINEON my-d\x99 (SLE 66RxxS)", spacer);
else if ( tagtype & MY_D_NFC )
- PrintAndLog("%sTYPE : INFINEON my-d\x99 NFC", spacer);
+ PrintAndLog("%sTYPE : INFINEON my-d\x99 NFC (SLE 66RxxP)", spacer);
else if ( tagtype & MY_D_MOVE )
- PrintAndLog("%sTYPE : INFINEON my-d\x99 move", spacer);
+ PrintAndLog("%sTYPE : INFINEON my-d\x99 move (SLE 66R01P)", spacer);
else if ( tagtype & MY_D_MOVE_NFC )
- PrintAndLog("%sTYPE : INFINEON my-d\x99 move NFC", spacer);
+ PrintAndLog("%sTYPE : INFINEON my-d\x99 move NFC (SLE 66R01P)", spacer);
+ else if ( tagtype & MY_D_MOVE_LEAN )
+ PrintAndLog("%sTYPE : INFINEON my-d\x99 move lean (SLE 66R01L)", spacer);
+ else if ( tagtype & FUDAN_UL )
+ PrintAndLog("%sTYPE : FUDAN Ultralight Compatible (or other compatible) %s", spacer, (tagtype & MAGIC) ? "<magic>" : "" );
else
PrintAndLog("%sTYPE : Unknown %06x", spacer, tagtype);
return 0;
} else {
returnValue = UL;
}
- ul_switch_off_field();
+ DropField();
return returnValue;
}
*/
if ( !ul_select(&card) )
return UL_ERROR;
int status = ul_comp_write(0, NULL, 0);
- ul_switch_off_field();
+ DropField();
if ( status == 0 )
return MAGIC;
return 0;
// Ultralight - ATQA / SAK
if ( card.atqa[1] != 0x00 || card.atqa[0] != 0x44 || card.sak != 0x00 ) {
PrintAndLog("Tag is not Ultralight | NTAG | MY-D [ATQA: %02X %02X SAK: %02X]\n", card.atqa[1], card.atqa[0], card.sak);
- ul_switch_off_field();
+ DropField();
return UL_ERROR;
}
if ( card.uid[0] != 0x05) {
len = ulev1_getVersion(version, sizeof(version));
- ul_switch_off_field();
+ DropField();
switch (len) {
case 0x0A: {
// do UL_C check first...
uint8_t nonce[11] = {0x00};
status = ulc_requestAuthentication(nonce, sizeof(nonce));
- ul_switch_off_field();
+ DropField();
if (status > 1) {
tagtype = UL_C;
} else {
tagtype = UNKNOWN;
}
}
- ul_switch_off_field();
+ DropField();
}
}
+ if (tagtype & UL) {
+ tagtype = ul_fudan_check();
+ DropField();
+ }
} else {
- ul_switch_off_field();
+ DropField();
// Infinition MY-D tests Exam high nibble
uint8_t nib = (card.uid[1] & 0xf0) >> 4;
switch ( nib ){
- case 1: tagtype = MY_D; break;
- case 2: tagtype = (MY_D | MY_D_NFC); break; //notice: we can not currently distinguish between these two
- case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //notice: we can not currently distinguish between these two
+ // case 0: tagtype = SLE66R35E7; break; //or SLE 66R35E7 - mifare compat... should have different sak/atqa for mf 1k
+ case 1: tagtype = MY_D; break; //or SLE 66RxxS ... up to 512 pages of 8 user bytes...
+ case 2: tagtype = (MY_D_NFC); break; //or SLE 66RxxP ... up to 512 pages of 8 user bytes... (or in nfc mode FF pages of 4 bytes)
+ case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //or SLE 66R01P // 38 pages of 4 bytes //notice: we can not currently distinguish between these two
+ case 7: tagtype = MY_D_MOVE_LEAN; break; //or SLE 66R01L // 16 pages of 4 bytes
}
}
return usage_hf_mfu_info();
case 'k':
case 'K':
- dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr, sizeof(tempStr));
if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
dataLen /= 2; // handled as bytes from now on
// read pages 0,1,2,3 (should read 4pages)
status = ul_read(0, data, sizeof(data));
if ( status == -1 ) {
- ul_switch_off_field();
+ DropField();
PrintAndLog("Error: tag didn't answer to READ");
return status;
} else if (status == 16) {
status = ul_read(0x28, ulc_conf, sizeof(ulc_conf));
if ( status == -1 ){
PrintAndLog("Error: tag didn't answer to READ UL-C");
- ul_switch_off_field();
+ DropField();
return status;
}
if (status == 16) ulc_print_configuration(ulc_conf);
uint8_t ulc_deskey[16] = {0x00};
status = ul_read(0x2C, ulc_deskey, sizeof(ulc_deskey));
if ( status == -1 ) {
- ul_switch_off_field();
+ DropField();
PrintAndLog("Error: tag didn't answer to READ magic");
return status;
}
if (status == 16) ulc_print_3deskey(ulc_deskey);
} else {
- ul_switch_off_field();
+ DropField();
// if we called info with key, just return
if ( hasAuthKey ) return 1;
status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature));
if ( status == -1 ) {
PrintAndLog("Error: tag didn't answer to READ SIGNATURE");
- ul_switch_off_field();
+ DropField();
return status;
}
if (status == 32) ulev1_print_signature( ulev1_signature, sizeof(ulev1_signature));
status = ulev1_getVersion(version, sizeof(version));
if ( status == -1 ) {
PrintAndLog("Error: tag didn't answer to GETVERSION");
- ul_switch_off_field();
+ DropField();
return status;
} else if (status == 10) {
ulev1_print_version(version);
status = ul_read(startconfigblock, ulev1_conf, sizeof(ulev1_conf));
if ( status == -1 ) {
PrintAndLog("Error: tag didn't answer to READ EV1");
- ul_switch_off_field();
+ DropField();
return status;
} else if (status == 16) {
// save AUTHENTICATION LIMITS for later:
}
}
- ul_switch_off_field();
+ DropField();
if (locked) PrintAndLog("\nTag appears to be locked, try using the key to get more info");
PrintAndLog("");
return 1;
uint8_t authenticationkey[16] = {0x00};
uint8_t *authKeyPtr = authenticationkey;
- // starting with getting tagtype
- TagTypeUL_t tagtype = GetHF14AMfU_Type();
- if (tagtype == UL_ERROR) return -1;
-
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
case 'b':
case 'B':
blockNo = param_get8(Cmd, cmdp+1);
-
- uint8_t maxblockno = 0;
- for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
- if (tagtype & UL_TYPES_ARRAY[idx])
- maxblockno = UL_MEMORY_ARRAY[idx];
- }
-
if (blockNo < 0) {
PrintAndLog("Wrong block number");
errors = true;
}
- if (blockNo > maxblockno){
- PrintAndLog("block number too large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
- errors = true;
- }
cmdp += 2;
break;
case 'l':
}
if ( blockNo == -1 ) return usage_hf_mfu_wrbl();
+ // starting with getting tagtype
+ TagTypeUL_t tagtype = GetHF14AMfU_Type();
+ if (tagtype == UL_ERROR) return -1;
+
+ uint8_t maxblockno = 0;
+ for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
+ if (tagtype & UL_TYPES_ARRAY[idx])
+ maxblockno = UL_MEMORY_ARRAY[idx];
+ }
+ if (blockNo > maxblockno){
+ PrintAndLog("block number too large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
+ return usage_hf_mfu_wrbl();
+ }
// Swap endianness
if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8);
uint8_t authenticationkey[16] = {0x00};
uint8_t *authKeyPtr = authenticationkey;
- // starting with getting tagtype
- TagTypeUL_t tagtype = GetHF14AMfU_Type();
- if (tagtype == UL_ERROR) return -1;
-
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
case 'b':
case 'B':
blockNo = param_get8(Cmd, cmdp+1);
-
- uint8_t maxblockno = 0;
- for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
- if (tagtype & UL_TYPES_ARRAY[idx])
- maxblockno = UL_MEMORY_ARRAY[idx];
- }
-
if (blockNo < 0) {
PrintAndLog("Wrong block number");
errors = true;
}
- if (blockNo > maxblockno){
- PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
- errors = true;
- }
cmdp += 2;
break;
case 'l':
}
if ( blockNo == -1 ) return usage_hf_mfu_rdbl();
+ // start with getting tagtype
+ TagTypeUL_t tagtype = GetHF14AMfU_Type();
+ if (tagtype == UL_ERROR) return -1;
+
+ uint8_t maxblockno = 0;
+ for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
+ if (tagtype & UL_TYPES_ARRAY[idx])
+ maxblockno = UL_MEMORY_ARRAY[idx];
+ }
+ if (blockNo > maxblockno){
+ PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
+ return usage_hf_mfu_rdbl();
+ }
// Swap endianness
if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8);
uint8_t isOK = resp.arg[0] & 0xff;
if (isOK) {
uint8_t *data = resp.d.asBytes;
- PrintAndLog("\nBlock# | Data | Ascii");
- PrintAndLog("-----------------------------");
- PrintAndLog("%02d/0x%02X | %s| %.4s\n", blockNo, blockNo, sprint_hex(data, 4), data);
+ PrintAndLog("\n Block# | Data | Ascii");
+ PrintAndLog("---------+-------------+------");
+ PrintAndLog(" %02d/0x%02X | %s| %.4s\n", blockNo, blockNo, sprint_hex(data, 4), data);
}
else {
PrintAndLog("Failed reading block: (%02x)", isOK);
bool manualPages = false;
uint8_t startPage = 0;
char tempStr[50];
+ unsigned char cleanASCII[4];
while(param_getchar(Cmd, cmdp) != 0x00)
{
return usage_hf_mfu_dump();
case 'k':
case 'K':
- dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr, sizeof(tempStr));
if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
dataLen /= 2;
break;
case 'n':
case 'N':
- fileNlen = param_getstr(Cmd, cmdp+1, filename);
+ fileNlen = param_getstr(Cmd, cmdp+1, filename, sizeof(filename));
if (!fileNlen) errors = true;
if (fileNlen > FILE_PATH_SIZE-5) fileNlen = FILE_PATH_SIZE-5;
cmdp += 2;
PrintAndLog("Data exceeded Buffer size!");
bufferSize = sizeof(data);
}
- GetFromBigBuf(data, bufferSize, startindex);
- WaitForResponse(CMD_ACK,NULL);
+ GetFromBigBuf(data, bufferSize, startindex, NULL, -1, false);
Pages = bufferSize/4;
// Load lock bytes.
}
}
- PrintAndLog("\nBlock# | Data |lck| Ascii");
- PrintAndLog("---------------------------------");
+ PrintAndLog("\n Block# | Data |lck| Ascii");
+ PrintAndLog("---------+-------------+---+------");
for (i = 0; i < Pages; ++i) {
if ( i < 3 ) {
- PrintAndLog("%02d/0x%02X | %s| | ", i+startPage, i+startPage, sprint_hex(data + i * 4, 4));
+ PrintAndLog("%3d/0x%02X | %s| | ", i+startPage, i+startPage, sprint_hex(data + i * 4, 4));
continue;
}
switch(i){
case 43: tmplockbit = bit2[9]; break; //auth1
default: break;
}
- PrintAndLog("%02d/0x%02X | %s| %d | %.4s", i+startPage, i+startPage, sprint_hex(data + i * 4, 4), tmplockbit, data+i*4);
+
+ // convert unprintable characters and line breaks to dots
+ memcpy(cleanASCII, data+i*4, 4);
+ clean_ascii(cleanASCII, 4);
+
+ PrintAndLog("%3d/0x%02X | %s| %d | %.4s", i+startPage, i+startPage, sprint_hex(data + i * 4, 4), tmplockbit, cleanASCII);
}
PrintAndLog("---------------------------------");
//Change key to user defined one
if (cmdp == 'k' || cmdp == 'K'){
keyNo = param_get8(Cmd, 1);
- if(keyNo > KEYS_3DES_COUNT)
+ if(keyNo > KEYS_3DES_COUNT-1)
errors = true;
}
mix[6] = block ^ uid[2];
mix[7] = uid[3];
- des3_context ctx = { 0x00 };
- des3_set2key_enc(&ctx, masterkey);
+ mbedtls_des3_context ctx = { {0} };
+ mbedtls_des3_set2key_enc(&ctx, masterkey);
- des3_crypt_cbc(&ctx // des3_context
- , DES_ENCRYPT // int mode
+ mbedtls_des3_crypt_cbc(&ctx // des3_context
+ , MBEDTLS_DES_ENCRYPT // int mode
, sizeof(mix) // length
, iv // iv[8]
, mix // input
memcpy(dmkey+16, dkeyA, 8);
memset(iv, 0x00, 8);
- des3_set3key_enc(&ctx, dmkey);
+ mbedtls_des3_set3key_enc(&ctx, dmkey);
- des3_crypt_cbc(&ctx // des3_context
- , DES_ENCRYPT // int mode
+ mbedtls_des3_crypt_cbc(&ctx // des3_context
+ , MBEDTLS_DES_ENCRYPT // int mode
, sizeof(newpwd) // length
, iv // iv[8]
, zeros // input
};
int CmdHFMFUltra(const char *Cmd){
- WaitForResponseTimeout(CMD_ACK,NULL,100);
+ (void)WaitForResponseTimeout(CMD_ACK,NULL,100);
CmdsParse(CommandTable, Cmd);
return 0;
}
projects / proxmark3-svn / blobdiff