Merge remote-tracking branch 'Proxmark/master' into iclass
authormarshmellow42 <marshmellowrf@gmail.com>
Wed, 7 Oct 2015 13:34:47 +0000 (09:34 -0400)
committermarshmellow42 <marshmellowrf@gmail.com>
Wed, 7 Oct 2015 13:34:47 +0000 (09:34 -0400)
Conflicts:
CHANGELOG.md

21 files changed:
CHANGELOG.md
armsrc/appmain.c
armsrc/apps.h
armsrc/iclass.c
client/cmdhf.c
client/cmdhficlass.c
client/cmdhficlass.h
client/cmdhfmf.c
client/cmdlf.c
client/cmdlft55xx.c
client/hid-flasher/usb_cmd.h
client/loclass/cipher.c
client/loclass/cipher.h
client/lualibs/commands.lua
client/mifarehost.c
client/mifarehost.h
client/util.c
client/util.h
common/protocols.c
common/protocols.h
include/usb_cmd.h

index e2196a39afb8ed1c1d54fdf2311d4bb813cae4db..c5ccc8f751a1c28176dd7382c64c2966b9a861c0 100644 (file)
@@ -5,6 +5,12 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 ## [unreleased][unreleased]
 
 ### Added
+- `hf iclass managekeys` to save, load and manage iclass keys.  (adjusted most commands to accept a loaded key in memory) (marshmellow)
+- `hf iclass readblk` to select, authenticate, and read 1 block from an iclass card (marshmellow)
+- `hf iclass writeblk` to select, authenticate, and write 1 block to an iclass card (or picopass) (marshmellow + others)
+- `hf iclass clone` to take a saved dump file and clone selected blocks to a new tag (marshmellow + others)
+- `hf iclass calcnewkey` - to calculate the div_key change to change a key - (experimental) (marshmellow + others)
+- `hf iclass encryptblk` - to encrypt a data block hex to prep for writing that block (marshmellow)
 - ISO14443a stand-alone operation with ARM CFLAG="WITH_ISO14443a_StandAlone". This code can read & emulate two banks of 14a tag UIDs and write to "magic" cards  (Craig Young) 
 - AWID26 command context added as 'lf awid' containing realtime demodulation as well as cloning/simulation based on tag numbers (Craig Young)
 - Added 'hw status'. This command makes the ARM print out some runtime information. (holiman) 
@@ -12,7 +18,12 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - Added `data hex2bin` and `data bin2hex` for command line conversion between binary and hexadecimal (holiman)
 
 ### Changed
+<<<<<<< HEAD
+- changed `lf config t <threshold>` to be 0 - 128 and will trigger on + or - threshold value (marshmellow) 
+- `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to muliple pages for the larger tags yet)
+=======
 - Revised workflow for StandAloneMode14a (Craig Young)
+>>>>>>> Proxmark/master
 - EPA functions (`hf epa`) now support both ISO 14443-A and 14443-B cards (frederikmoellers)
 - 'hw version' only talks to ARM at startup, after that the info is cached. (pwpiwi)
 
index 321782da8ee7af9f249dd392c220d0912ba03b90..48c9caef638975f3f4d22d338eb42918c090ffa0 100644 (file)
@@ -1178,11 +1178,29 @@ void UsbPacketReceived(uint8_t *packet, int len)
                        ReaderIClass(c->arg[0]);
                        break;
                case CMD_READER_ICLASS_REPLAY:
-                   ReaderIClass_Replay(c->arg[0], c->d.asBytes);
+                       ReaderIClass_Replay(c->arg[0], c->d.asBytes);
                        break;
-       case CMD_ICLASS_EML_MEMSET:
+               case CMD_ICLASS_EML_MEMSET:
                        emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
                        break;
+               case CMD_ICLASS_WRITEBLOCK:
+                       iClass_WriteBlock(c->arg[0], c->d.asBytes);
+                       break;
+               case CMD_ICLASS_READCHECK:  // auth step 1
+                       iClass_ReadCheck(c->arg[0], c->arg[1]);
+                       break;
+               case CMD_ICLASS_READBLOCK:
+                       iClass_ReadBlk(c->arg[0]);
+                       break;
+               case CMD_ICLASS_AUTHENTICATION: //check
+                       iClass_Authentication(c->d.asBytes);
+                       break;
+               case CMD_ICLASS_DUMP:
+                       iClass_Dump(c->arg[0], c->arg[1]);
+                       break;
+               case CMD_ICLASS_CLONE:
+                       iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
+                       break;
 #endif
 
                case CMD_BUFF_CLEAR:
index d5c8ba0ae888112365bfd7888645989fb6e24d5f..79c9da8620b9b1db2996a6c26abbf2c211948df2 100644 (file)
@@ -156,9 +156,6 @@ void        OnSuccess();
 void   OnError(uint8_t reason);
 
 
-
-
-
 /// iso15693.h
 void RecordRawAdcSamplesIso15693(void);
 void AcquireRawAdcSamplesIso15693(void);
@@ -174,6 +171,13 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 void ReaderIClass(uint8_t arg0);
 void ReaderIClass_Replay(uint8_t arg0,uint8_t *MAC);
 void IClass_iso14443A_GetPublic(uint8_t arg0);
+void iClass_Authentication(uint8_t *MAC);
+void iClass_WriteBlock(uint8_t blockNo, uint8_t *data);
+void iClass_ReadBlk(uint8_t blockNo);
+bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata);
+void iClass_Dump(uint8_t blockno, uint8_t numblks);
+void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data);
+void iClass_ReadCheck(uint8_t  blockNo, uint8_t keyType);
 
 // hitag2.h
 void SnoopHitag(uint32_t type);
index 97c62bb60daf7c4d3367f1a49a5bdd9f7c001468..4e4854caa11943d061ad66e0ed3ae9d6328c6be6 100644 (file)
@@ -1601,16 +1601,16 @@ void setupIclassReader()
 
 }
 
-size_t sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, uint8_t expected_size, uint8_t retries)
+bool sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, uint8_t expected_size, uint8_t retries)
 {
        while(retries-- > 0)
        {
                ReaderTransmitIClass(command, cmdsize);
                if(expected_size == ReaderReceiveIClass(resp)){
-                       return 0;
+                       return true;
                }
        }
-       return 1;//Error
+       return false;//Error
 }
 
 /**
@@ -1620,14 +1620,17 @@ size_t sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t*
  *         1 = Got CSN
  *         2 = Got CSN and CC
  */
-uint8_t handshakeIclassTag(uint8_t *card_data)
+uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key)
 {
        static uint8_t act_all[]     = { 0x0a };
-       static uint8_t identify[]    = { 0x0c };
+       //static uint8_t identify[]    = { 0x0c };
+       static uint8_t identify[]    = { 0x0c, 0x00, 0x73, 0x33 };
        static uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-
-
-       static uint8_t readcheck_cc[]= { 0x88, 0x02,};
+       static uint8_t readcheck_cc[]= { 0x88, 0x02 };
+       if (use_credit_key)
+               readcheck_cc[0] = 0x18;
+       else
+               readcheck_cc[0] = 0x88;
 
        uint8_t resp[ICLASS_BUFFER_SIZE];
 
@@ -1668,6 +1671,9 @@ uint8_t handshakeIclassTag(uint8_t *card_data)
 
        return read_status;
 }
+uint8_t handshakeIclassTag(uint8_t *card_data){
+       return handshakeIclassTag_ext(card_data, false);
+}
 
 
 // Reader iClass Anticollission
@@ -1687,6 +1693,9 @@ void ReaderIClass(uint8_t arg0) {
        uint8_t result_status = 0;
        bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
        bool try_once = arg0 & FLAG_ICLASS_READER_ONE_TRY;
+       bool use_credit_key = false;
+       if (arg0 & FLAG_ICLASS_READER_CEDITKEY)
+               use_credit_key = true;
        set_tracing(TRUE);
        setupIclassReader();
 
@@ -1701,7 +1710,7 @@ void ReaderIClass(uint8_t arg0) {
                }
                WDT_HIT();
 
-               read_status = handshakeIclassTag(card_data);
+               read_status = handshakeIclassTag_ext(card_data, use_credit_key);
 
                if(read_status == 0) continue;
                if(read_status == 1) result_status = FLAG_ICLASS_READER_CSN;
@@ -1715,11 +1724,10 @@ void ReaderIClass(uint8_t arg0) {
                if(arg0 & FLAG_ICLASS_READER_CONF)
                {
                        if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf),card_data+8, 10, 10))
-                       {
-                               Dbprintf("Failed to dump config block");
-                       }else
                        {
                                result_status |= FLAG_ICLASS_READER_CONF;
+                       } else {
+                               Dbprintf("Failed to dump config block");
                        }
                }
 
@@ -1727,10 +1735,9 @@ void ReaderIClass(uint8_t arg0) {
                if(arg0 & FLAG_ICLASS_READER_AA){
                        if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA),card_data+(8*4), 10, 10))
                        {
-//                             Dbprintf("Failed to dump AA block");
-                       }else
-                       {
                                result_status |= FLAG_ICLASS_READER_AA;
+                       } else {
+                               //Dbprintf("Failed to dump AA block");
                        }
                }
 
@@ -1762,8 +1769,8 @@ void ReaderIClass(uint8_t arg0) {
                }
                LED_B_OFF();
        }
-    cmd_send(CMD_ACK,0,0,0,card_data, 0);
-    LED_A_OFF();
+       cmd_send(CMD_ACK,0,0,0,card_data, 0);
+       LED_A_OFF();
 }
 
 void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
@@ -1814,7 +1821,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
                //for now replay captured auth (as cc not updated)
                memcpy(check+5,MAC,4);
 
-               if(sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5))
+               if(!sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5))
                {
                        Dbprintf("Error: Authentication Fail!");
                        continue;
@@ -1826,7 +1833,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
                read[2] = crc >> 8;
                read[3] = crc & 0xff;
 
-               if(sendCmdGetResponseWithRetries(read, sizeof(read),resp, 10, 10))
+               if(!sendCmdGetResponseWithRetries(read, sizeof(read),resp, 10, 10))
                {
                        Dbprintf("Dump config (block 1) failed");
                        continue;
@@ -1853,7 +1860,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
                        read[2] = crc >> 8;
                        read[3] = crc & 0xff;
 
-                       if(!sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 10))
+                       if(sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 10))
                        {
                                Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
                                                 block, resp[0], resp[1], resp[2],
@@ -1904,130 +1911,129 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
        LED_A_OFF();
 }
 
-//2. Create Read method (cut-down from above) based off responses from 1. 
-//   Since we have the MAC could continue to use replay function.
-//3. Create Write method
-/*
-void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
-       uint8_t act_all[]     = { 0x0a };
-       uint8_t identify[]    = { 0x0c };
-       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t readcheck_cc[]= { 0x88, 0x02 };
-       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
-       uint8_t write[]       = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-       
-    uint16_t crc = 0;
-       
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);
-
-       // Reset trace buffer
-    memset(trace, 0x44, RECV_CMD_OFFSET);
-       traceLen = 0;
+void iClass_ReadCheck(uint8_t  blockNo, uint8_t keyType) {
+       uint8_t readcheck[] = { keyType, blockNo };
+       uint8_t resp[] = {0,0,0,0,0,0,0,0};
+       size_t isOK = 0;
+       isOK = sendCmdGetResponseWithRetries(readcheck, sizeof(readcheck), resp, sizeof(resp), 6);
+       cmd_send(CMD_ACK,isOK,0,0,0,0);
+}
 
-       // Setup SSC
-       FpgaSetupSsc();
-       // Start from off (no field generated)
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
+void iClass_Authentication(uint8_t *MAC) {
+       uint8_t check[] = { ICLASS_CMD_CHECK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t resp[ICLASS_BUFFER_SIZE];
+       memcpy(check+5,MAC,4);
+       bool isOK;
+       isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, 4, 6);
+       cmd_send(CMD_ACK,isOK,0,0,0,0);
+}
+bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) {
+       uint8_t readcmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockNo, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
+       char bl = blockNo;
+       uint16_t rdCrc = iclass_crc16(&bl, 1);
+       readcmd[2] = rdCrc >> 8;
+       readcmd[3] = rdCrc & 0xff;
+       uint8_t resp[] = {0,0,0,0,0,0,0,0,0,0};
+       bool isOK = false;
+
+       //readcmd[1] = blockNo;
+       isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd), resp, 10, 10);
+       memcpy(readdata, resp, sizeof(resp));
+
+       return isOK;
+}
 
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+void iClass_ReadBlk(uint8_t blockno) {
+       uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
+       bool isOK = false;
+       isOK = iClass_ReadBlock(blockno, readblockdata);
+       cmd_send(CMD_ACK, isOK, 0, 0, readblockdata, 8);
+}
 
-       // Now give it time to spin up.
-       // Signal field is on with the appropriate LED
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
-       SpinDelay(200);
+void iClass_Dump(uint8_t blockno, uint8_t numblks) {
+       uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
+       bool isOK = false;
+       uint8_t blkCnt = 0;
 
-       LED_A_ON();
+       BigBuf_free();
+       uint8_t *dataout = BigBuf_malloc(255*8);
+       if (dataout == NULL){
+               Dbprintf("out of memory");
+               OnError(1);
+               return;
+       }
+       memset(dataout,0xFF,255*8);
+
+       for (;blkCnt < numblks; blkCnt++) {
+               isOK = iClass_ReadBlock(blockno+blkCnt, readblockdata);
+               if (!isOK || (readblockdata[0] == 0xBB || readblockdata[7] == 0xBB || readblockdata[2] == 0xBB)) { //try again
+                       isOK = iClass_ReadBlock(blockno+blkCnt, readblockdata);
+                       if (!isOK) {
+                               Dbprintf("Block %02X failed to read", blkCnt+blockno);
+                               break;
+                       }
+               }
+               memcpy(dataout+(blkCnt*8),readblockdata,8);
+       }
+       //return pointer to dump memory in arg3
+       cmd_send(CMD_ACK,isOK,blkCnt,BigBuf_max_traceLen(),0,0);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+       BigBuf_free();
+}
 
-       for(int i=0;i<1;i++) {
-       
-               if(traceLen > TRACE_SIZE) {
-                       DbpString("Trace full");
-                       break;
+bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) {
+       uint8_t write[] = { ICLASS_CMD_UPDATE, blockNo, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       //uint8_t readblockdata[10];
+       //write[1] = blockNo;
+       memcpy(write+2, data, 12); // data + mac
+       uint8_t resp[] = {0,0,0,0,0,0,0,0,0,0};
+       bool isOK;
+       isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),10);
+       if (isOK) {
+               //Dbprintf("WriteResp: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",resp[0],resp[1],resp[2],resp[3],resp[4],resp[5],resp[6],resp[7],resp[8],resp[9]);
+               if (memcmp(write+2,resp,8)) {
+                       //error try again
+                       isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),10);
                }
-               
-               if (BUTTON_PRESS()) break;
-
-               // Send act_all
-               ReaderTransmitIClass(act_all, 1);
-               // Card present?
-               if(ReaderReceiveIClass(resp)) {
-                       ReaderTransmitIClass(identify, 1);
-                       if(ReaderReceiveIClass(resp) == 10) {
-                               // Select card          
-                               memcpy(&select[1],resp,8);
-                               ReaderTransmitIClass(select, sizeof(select));
-
-                               if(ReaderReceiveIClass(resp) == 10) {
-                                       Dbprintf("     Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }
-                               // Card selected
-                               Dbprintf("Readcheck on Sector 2");
-                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
-                               if(ReaderReceiveIClass(resp) == 8) {
-                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],
-                                       resp[3], resp[4], resp[5],
-                                       resp[6], resp[7]);
-                               }else return;
-                               Dbprintf("Authenticate");
-                               //for now replay captured auth (as cc not updated)
-                               memcpy(check+5,MAC,4);
-                               Dbprintf("     AA: %02x %02x %02x %02x",
-                                       check[5], check[6], check[7],check[8]);
-                               ReaderTransmitIClass(check, sizeof(check));
-                               if(ReaderReceiveIClass(resp) == 4) {
-                                  Dbprintf("     AR: %02x %02x %02x %02x",
-                                       resp[0], resp[1], resp[2],resp[3]);
-                               }else {
-                                 Dbprintf("Error: Authentication Fail!");
-                                 return;
-                               }
-                               Dbprintf("Write Block");
-                               
-                               //read configuration for max block number
-                               read_success=false;
-                               read[1]=1;
-                               uint8_t *blockno=&read[1];
-                               crc = iclass_crc16((char *)blockno,1);
-                               read[2] = crc >> 8;
-                               read[3] = crc & 0xff;
-                               while(!read_success){
-                                     ReaderTransmitIClass(read, sizeof(read));
-                                     if(ReaderReceiveIClass(resp) == 10) {
-                                        read_success=true;
-                                        mem=resp[5];
-                                        memory.k16= (mem & 0x80);
-                                        memory.book= (mem & 0x20);
-                                        memory.k2= (mem & 0x8);
-                                        memory.lockauth= (mem & 0x2);
-                                        memory.keyaccess= (mem & 0x1);
-
-                                     }
-                               }
-                               if (memory.k16){
-                                 cardsize=255;
-                               }else cardsize=32;
-                               //check card_size
-                               
-                               memcpy(write+1,blockNo,1);
-                               memcpy(write+2,data,8);
-                               memcpy(write+10,mac,4);
-                               while(!send_success){
-                                 ReaderTransmitIClass(write, sizeof(write));
-                                 if(ReaderReceiveIClass(resp) == 10) {
-                                   write_success=true;
-                               }
-                       }//
+       }
+       return isOK;
+}
+
+void iClass_WriteBlock(uint8_t blockNo, uint8_t *data) {
+       bool isOK = iClass_WriteBlock_ext(blockNo, data);
+       if (isOK){
+               Dbprintf("Write block [%02x] successful",blockNo);
+       } else {
+               Dbprintf("Write block [%02x] failed",blockNo);          
+       }
+       cmd_send(CMD_ACK,isOK,0,0,0,0); 
+}
+
+void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) {
+       int i;
+       int written = 0;
+       int total_block = (endblock - startblock) + 1;
+       for (i = 0; i < total_block;i++){
+               // block number
+               if (iClass_WriteBlock_ext(i+startblock, data+(i*12))){
+                       Dbprintf("Write block [%02x] successful",i + startblock);
+                       written++;
+               } else {
+                       if (iClass_WriteBlock_ext(i+startblock, data+(i*12))){
+                               Dbprintf("Write block [%02x] successful",i + startblock);
+                               written++;
+                       } else {
+                               Dbprintf("Write block [%02x] failed",i + startblock);
+                       }
                }
-               WDT_HIT();
        }
-       
-       LED_A_OFF();
-}*/
+       if (written == total_block)
+               Dbprintf("Clone complete");
+       else
+               Dbprintf("Clone incomplete");   
+
+       cmd_send(CMD_ACK,1,0,0,0,0);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+}
index f8daff7e5ef106f20721ef1dfd53a706648da8f2..8406fe7601b69937833772303579662754cee3c5 100644 (file)
@@ -557,14 +557,14 @@ int CmdHFSearch(const char *Cmd){
                PrintAndLog("\nValid ISO14443A Tag Found - Quiting Search\n");
                return ans;
        }
-       ans = HF14BInfo(false);
+       ans = HFiClassReader("", false, false);
        if (ans) {
-               PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n");
+               PrintAndLog("\nValid iClass Tag (or PicoPass Tag) Found - Quiting Search\n");
                return ans;
        }
-       ans = HFiClassReader("", false, false);
+       ans = HF14BInfo(false);
        if (ans) {
-               PrintAndLog("\nValid iClass Tag (or PicoPass Tag) Found - Quiting Search\n");
+               PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n");
                return ans;
        }
        ans = HF15Reader("", false);
index 824aaa3674cc1bd5cf84d38174968d0e3fbd468e..aca8ff50befb6dace604933b0d0681692197bd09 100644 (file)
 #include "loclass/fileutils.h"
 #include "protocols.h"
 #include "usb_cmd.h"
+#include "cmdhfmfu.h"
+
+#define llX PRIx64
 
 static int CmdHelp(const char *Cmd);
 
-int xorbits_8(uint8_t val)
-{
+#define ICLASS_KEYS_MAX 8
+static uint8_t iClass_Key_Table[ICLASS_KEYS_MAX][8] = {
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }
+};
+
+typedef struct iclass_block {
+    uint8_t d[8];
+} iclass_block_t;
+
+int xorbits_8(uint8_t val) {
        uint8_t res = val ^ (val >> 1); //1st pass
        res = res ^ (res >> 1);                 // 2nd pass
        res = res ^ (res >> 2);                 // 3rd pass
@@ -43,20 +61,18 @@ int xorbits_8(uint8_t val)
        return res & 1;
 }
 
-int CmdHFiClassList(const char *Cmd)
-{
+int CmdHFiClassList(const char *Cmd) {
        PrintAndLog("Deprecated command, use 'hf list iclass' instead");
        return 0;
 }
 
-int CmdHFiClassSnoop(const char *Cmd)
-{
+int CmdHFiClassSnoop(const char *Cmd) {
        UsbCommand c = {CMD_SNOOP_ICLASS};
        SendCommand(&c);
        return 0;
 }
-int usage_hf_iclass_sim()
-{
+
+int usage_hf_iclass_sim(void) {
        PrintAndLog("Usage:  hf iclass sim <option> [CSN]");
        PrintAndLog("        options");
        PrintAndLog("                0 <CSN> simulate the given CSN");
@@ -71,8 +87,7 @@ int usage_hf_iclass_sim()
 }
 
 #define NUM_CSNS 15
-int CmdHFiClassSim(const char *Cmd)
-{
+int CmdHFiClassSim(const char *Cmd) {
        uint8_t simType = 0;
        uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
 
@@ -165,15 +180,15 @@ int CmdHFiClassSim(const char *Cmd)
        return 0;
 }
 
-int HFiClassReader(const char *Cmd, bool loop, bool verbose)
-{
+int HFiClassReader(const char *Cmd, bool loop, bool verbose) {
        bool tagFound = false;
        UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN|
                                        FLAG_ICLASS_READER_CONF|FLAG_ICLASS_READER_AA}};
-       if (!loop) c.arg[0] |= FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY;
-       SendCommand(&c);
+       // loop in client not device - else on windows have a communication error
+       c.arg[0] |= FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY;
        UsbCommand resp;
        while(!ukbhit()){
+               SendCommand(&c);
                if (WaitForResponseTimeout(CMD_ACK,&resp, 4500)) {
                        uint8_t readStatus = resp.arg[0] & 0xff;
                        uint8_t *data = resp.d.asBytes;
@@ -200,16 +215,13 @@ int HFiClassReader(const char *Cmd, bool loop, bool verbose)
                if (!loop) break;
        }
        return 0;
-
 }
 
-int CmdHFiClassReader(const char *Cmd)
-{
+int CmdHFiClassReader(const char *Cmd) {
        return HFiClassReader(Cmd, true, true);
 }
 
-int CmdHFiClassReader_Replay(const char *Cmd)
-{
+int CmdHFiClassReader_Replay(const char *Cmd) {
        uint8_t readerType = 0;
        uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
 
@@ -231,181 +243,22 @@ int CmdHFiClassReader_Replay(const char *Cmd)
        return 0;
 }
 
-int CmdHFiClassReader_Dump(const char *Cmd)
-{
-       uint8_t readerType = 0;
-       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
-       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       //uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t keytable[128] = {0};
-       int elite = 0;
-       uint8_t *used_key;
-       int i;
-       if (strlen(Cmd)<1)
-       {
-               PrintAndLog("Usage:  hf iclass dump <Key> [e]");
-               PrintAndLog("        Key    - A 16 byte master key");
-               PrintAndLog("        e      - If 'e' is specified, the key is interpreted as the 16 byte");
-               PrintAndLog("                 Custom Key (KCus), which can be obtained via reader-attack");
-               PrintAndLog("                 See 'hf iclass sim 2'. This key should be on iclass-format");
-               PrintAndLog("        sample: hf iclass dump 0011223344556677");
-
-
-               return 0;
-       }
-
-       if (param_gethex(Cmd, 0, KEY, 16))
-       {
-               PrintAndLog("KEY must include 16 HEX symbols");
-               return 1;
-       }
-
-       if (param_getchar(Cmd, 1) == 'e')
-       {
-               PrintAndLog("Elite switch on");
-               elite = 1;
-
-               //calc h2
-               hash2(KEY, keytable);
-               printarr_human_readable("keytable", keytable, 128);
-
-       }
-
-       UsbCommand resp;
-       uint8_t key_sel[8] = {0};
-       uint8_t key_sel_p[8] = { 0 };
-
-       UsbCommand c = {CMD_READER_ICLASS, {0}};
-       c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE| FLAG_ICLASS_READER_CC;
+int iclassEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
+       UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNum, blocksCount, 0}};
+       memcpy(c.d.asBytes, data, blocksCount * 16);
        SendCommand(&c);
-
-
-
-       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
-       {
-               PrintAndLog("Command execute timeout");
-               return 0;
-       }
-
-       uint8_t isOK    = resp.arg[0] & 0xff;
-       uint8_t * data  = resp.d.asBytes;
-
-       memcpy(CSN,data,8);
-       memcpy(CCNR,data+16,8);
-
-       PrintAndLog("isOk:%02x", isOK);
-
-       if(isOK > 0)
-       {
-               PrintAndLog("CSN: %s",sprint_hex(CSN,8));
-       }
-       if(isOK <= 1){
-               PrintAndLog("Failed to obtain CC! Aborting");
-               return 0;
-       }
-       //Status 2 or higher
-
-       if(elite)
-       {
-               //Get the key index (hash1)
-               uint8_t key_index[8] = {0};
-
-               hash1(CSN, key_index);
-               printvar("hash1", key_index,8);
-               for(i = 0; i < 8 ; i++)
-                       key_sel[i] = keytable[key_index[i]] & 0xFF;
-               PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
-               printvar("k_sel", key_sel,8);
-               //Permute from iclass format to standard format
-               permutekey_rev(key_sel,key_sel_p);
-               used_key = key_sel_p;
-       }else{
-               used_key = KEY;
-       }
-
-       PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
-       printvar("Used key",used_key,8);
-       diversifyKey(CSN,used_key, div_key);
-       PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
-       printvar("Div key", div_key, 8);
-       printvar("CC_NR:",CCNR,12);
-       doMAC(CCNR,div_key, MAC);
-       printvar("MAC", MAC, 4);
-
-       uint8_t iclass_data[32000] = {0};
-       uint32_t iclass_datalen = 0;
-       uint32_t iclass_blocksFailed = 0;//Set to 1 if dump was incomplete
-
-       UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
-       memcpy(d.d.asBytes, MAC, 4);
-       clearCommandBuffer();
-       SendCommand(&d);
-       PrintAndLog("Waiting for device to dump data. Press button on device and key on keyboard to abort...");
-       while (true) {
-               printf(".");
-               if (ukbhit()) {
-                       getchar();
-                       printf("\naborted via keyboard!\n");
-                       break;
-               }
-               if(WaitForResponseTimeout(CMD_ACK,&resp,4500))
-               {
-                       uint32_t dataLength = resp.arg[0];
-                       iclass_blocksFailed |= resp.arg[1];
-                       if(dataLength > 0)
-                       {
-                               PrintAndLog("Got %d bytes data (total so far %d)" ,dataLength,iclass_datalen);
-                               memcpy(iclass_data+iclass_datalen, resp.d.asBytes,dataLength);
-                               iclass_datalen += dataLength;
-                       }else
-                       {//Last transfer, datalength 0 means the dump is finished
-                               PrintAndLog("Dumped %d bytes of data from tag. ", iclass_datalen);
-                               if(iclass_blocksFailed)
-                               {
-                                       PrintAndLog("OBS! Some blocks failed to be dumped correctly!");
-                               }
-                               if(iclass_datalen > 0)
-                               {
-                                       char filename[100] = {0};
-                                       //create a preferred filename
-                                       snprintf(filename, 100,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
-                                                        CSN[0],CSN[1],CSN[2],CSN[3],
-                                                       CSN[4],CSN[5],CSN[6],CSN[7]);
-                                       //Place the div_key in block 3
-                                       memcpy(iclass_data+(3*8), div_key, 8);
-                                       saveFile(filename,"bin",iclass_data, iclass_datalen );
-                               }
-                               //Aaaand we're finished
-                               return 0;
-                       }
-               }
-       }
-
-
        return 0;
 }
 
-int hf_iclass_eload_usage()
-{
+int hf_iclass_eload_usage(void) {
        PrintAndLog("Loads iclass tag-dump into emulator memory on device");
        PrintAndLog("Usage:  hf iclass eload f <filename>");
        PrintAndLog("");
        PrintAndLog("Example: hf iclass eload f iclass_tagdump-aa162d30f8ff12f1.bin");
        return 0;
-
 }
 
-int iclassEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
-       UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNum, blocksCount, 0}};
-       memcpy(c.d.asBytes, data, blocksCount * 16);
-       SendCommand(&c);
-       return 0;
-}
-int CmdHFiClassELoad(const char *Cmd)
-{
+int CmdHFiClassELoad(const char *Cmd) {
 
        char opt = param_getchar(Cmd, 0);
        if (strlen(Cmd)<1 || opt == 'h')
@@ -462,23 +315,7 @@ int CmdHFiClassELoad(const char *Cmd)
        return 0;
 }
 
-int usage_hf_iclass_decrypt()
-{
-       PrintAndLog("Usage: hf iclass decrypt f <tagdump> o ");
-       PrintAndLog("");
-       PrintAndLog("OBS! In order to use this function, the file 'iclass_decryptionkey.bin' must reside");
-       PrintAndLog("in the working directory. The file should be 16 bytes binary data");
-       PrintAndLog("");
-       PrintAndLog("example: hf iclass decrypt f tagdump_12312342343.bin");
-       PrintAndLog("");
-       PrintAndLog("OBS! This is pretty stupid implementation, it tries to decrypt every block after block 6. ");
-       PrintAndLog("Correct behaviour would be to decrypt only the application areas where the key is valid,");
-       PrintAndLog("which is defined by the configuration block.");
-       return 1;
-}
-
-int readKeyfile(const char *filename, size_t len, uint8_t* buffer)
-{
+static int readKeyfile(const char *filename, size_t len, uint8_t* buffer) {
        FILE *f = fopen(filename, "rb");
        if(!f) {
                PrintAndLog("Failed to read from file '%s'", filename);
@@ -502,8 +339,21 @@ int readKeyfile(const char *filename, size_t len, uint8_t* buffer)
        return 0;
 }
 
-int CmdHFiClassDecrypt(const char *Cmd)
-{
+int usage_hf_iclass_decrypt(void) {
+       PrintAndLog("Usage: hf iclass decrypt f <tagdump>");
+       PrintAndLog("");
+       PrintAndLog("OBS! In order to use this function, the file 'iclass_decryptionkey.bin' must reside");
+       PrintAndLog("in the working directory. The file should be 16 bytes binary data");
+       PrintAndLog("");
+       PrintAndLog("example: hf iclass decrypt f tagdump_12312342343.bin");
+       PrintAndLog("");
+       PrintAndLog("OBS! This is pretty stupid implementation, it tries to decrypt every block after block 6. ");
+       PrintAndLog("Correct behaviour would be to decrypt only the application areas where the key is valid,");
+       PrintAndLog("which is defined by the configuration block.");
+       return 1;
+}
+
+int CmdHFiClassDecrypt(const char *Cmd) {
        uint8_t key[16] = { 0 };
        if(readKeyfile("iclass_decryptionkey.bin", 16, key))
        {
@@ -560,85 +410,763 @@ int CmdHFiClassDecrypt(const char *Cmd)
        return 0;
 }
 
-int CmdHFiClass_iso14443A_write(const char *Cmd)
-{
-       uint8_t readerType = 0;
-       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
-       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+int usage_hf_iclass_encrypt(void) {
+       PrintAndLog("Usage: hf iclass encrypt <BlockData>");
+       PrintAndLog("");
+       PrintAndLog("OBS! In order to use this function, the file 'iclass_decryptionkey.bin' must reside");
+       PrintAndLog("in the working directory. The file should be 16 bytes binary data");
+       PrintAndLog("");
+       PrintAndLog("example: hf iclass encrypt 0102030405060708");
+       PrintAndLog("");
+       return 0;
+}
+
+static int iClassEncryptBlkData(uint8_t *blkData) {
+       uint8_t key[16] = { 0 };
+       if(readKeyfile("iclass_decryptionkey.bin", 16, key))
+       {
+               usage_hf_iclass_encrypt();
+               return 1;
+       }
+       PrintAndLog("Decryption file found... ");
+
+       uint8_t encryptedData[16];
+       uint8_t *encrypted = encryptedData;
+       des3_context ctx = { DES_DECRYPT ,{ 0 } };
+       des3_set2key_enc( &ctx, key);
+       
+       des3_crypt_ecb(&ctx, blkData,encrypted);
+       //printvar("decrypted block", decrypted, 8);
+       memcpy(blkData,encrypted,8);
+
+       return 1;
+}
 
-       uint8_t blockNo=0;
-       uint8_t bldata[8]={0};
+int CmdHFiClassEncryptBlk(const char *Cmd) {
+       uint8_t blkData[8] = {0};
+       char opt = param_getchar(Cmd, 0);
+       if (strlen(Cmd)<1 || opt == 'h')
+               return usage_hf_iclass_encrypt();
 
-       if (strlen(Cmd)<3)
+       //get the bytes to encrypt
+       if (param_gethex(Cmd, 0, blkData, 16))
        {
-               PrintAndLog("Usage:  hf iclass write <Key> <Block> <Data>");
-               PrintAndLog("        sample: hf iclass write 0011223344556677 10 AAAAAAAAAAAAAAAA");
+               PrintAndLog("BlockData must include 16 HEX symbols");
                return 0;
        }
+       if (!iClassEncryptBlkData(blkData)) return 0;
+
+       printvar("encrypted block", blkData, 8);
+       return 1;
+}
+
+void Calc_wb_mac(uint8_t blockno, uint8_t *data, uint8_t *div_key, uint8_t MAC[4]) {
+       uint8_t WB[9];
+       WB[0] = blockno;
+       memcpy(WB + 1,data,8);
+       doMAC_N(WB,sizeof(WB),div_key,MAC);
+       //printf("Cal wb mac block [%02x][%02x%02x%02x%02x%02x%02x%02x%02x] : MAC [%02x%02x%02x%02x]",WB[0],WB[1],WB[2],WB[3],WB[4],WB[5],WB[6],WB[7],WB[8],MAC[0],MAC[1],MAC[2],MAC[3]);
+}
+
+static bool select_only(uint8_t *CSN, uint8_t *CCNR, bool use_credit_key, bool verbose) {
+       UsbCommand resp;
+
+       UsbCommand c = {CMD_READER_ICLASS, {0}};
+       c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_CC | FLAG_ICLASS_READER_ONE_TRY;
+       if (use_credit_key)
+               c.arg[0] |= FLAG_ICLASS_READER_CEDITKEY;
 
-       if (param_gethex(Cmd, 0, KEY, 16))
+       clearCommandBuffer();
+       SendCommand(&c);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
        {
-               PrintAndLog("KEY must include 16 HEX symbols");
-               return 1;
+               PrintAndLog("Command execute timeout");
+               return false;
        }
 
-       blockNo = param_get8(Cmd, 1);
-       if (blockNo>32)
+       uint8_t isOK = resp.arg[0] & 0xff;
+       uint8_t *data = resp.d.asBytes;
+
+       memcpy(CSN,data,8);
+       if (CCNR!=NULL)memcpy(CCNR,data+16,8);
+       if(isOK > 0)
        {
-               PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!");
-               return 1;
+               if (verbose) PrintAndLog("CSN: %s",sprint_hex(CSN,8));
+       }
+       if(isOK <= 1){
+               PrintAndLog("Failed to obtain CC! Aborting");
+               return false;
+       }
+       return true;    
+}
+
+static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool verbose) {
+       uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+       if (!select_only(CSN, CCNR, use_credit_key, verbose))
+               return false;
+
+       //get div_key
+       HFiClassCalcDivKey(CSN, KEY, div_key, elite);
+
+       doMAC(CCNR, div_key, MAC);
+       UsbCommand resp;
+       UsbCommand d = {CMD_ICLASS_AUTHENTICATION, {0}};
+       memcpy(d.d.asBytes, MAC, 4);
+       clearCommandBuffer();
+       SendCommand(&d);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
+       {
+               PrintAndLog("Auth Command execute timeout");
+               return false;
+       }
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK) {
+               PrintAndLog("Authentication error");
+               return false;
        }
-       if (param_gethex(Cmd, 2, bldata, 8))
+       return true;
+}
+
+int usage_hf_iclass_dump(void) {
+       PrintAndLog("Usage:  hf iclass dump f <fileName> k <Key> c <CreditKey> e\n");
+       PrintAndLog("Options:");
+       PrintAndLog("  f <filename> : specify a filename to save dump to");
+       PrintAndLog("  k <Key>      : *Access Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  c <CreditKey>: Credit Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  e            : If 'e' is specified, the key is interpreted as the 16 byte");
+       PrintAndLog("                 Custom Key (KCus), which can be obtained via reader-attack");
+       PrintAndLog("                 See 'hf iclass sim 2'. This key should be on iclass-format");
+       PrintAndLog("  NOTE: * = required");
+  PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass dump k 001122334455667B");
+       PrintAndLog("  hf iclass dump k AAAAAAAAAAAAAAAA c 001122334455667B");
+       PrintAndLog("  hf iclass dump k AAAAAAAAAAAAAAAA e");
+       return 0;
+}
+
+int CmdHFiClassReader_Dump(const char *Cmd) {
+
+       uint8_t MAC[4] = {0x00,0x00,0x00,0x00};
+       uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t c_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t blockno = 0;
+       uint8_t numblks = 0;
+       uint8_t maxBlk = 31;
+       uint8_t app_areas = 1;
+       uint8_t kb = 2;
+       uint8_t KEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CreditKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       uint8_t fileNameLen = 0;
+       char filename[FILE_PATH_SIZE]={0};
+       char tempStr[50] = {0};
+       bool have_debit_key = false;
+       bool have_credit_key = false;
+       bool use_credit_key = false;
+       bool elite = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+
+       while(param_getchar(Cmd, cmdp) != 0x00)
        {
-               PrintAndLog("Block data must include 8 HEX symbols");
-               return 1;
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_dump();
+               case 'c':
+               case 'C':
+                       have_credit_key = true;
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) {
+                               errors = param_gethex(tempStr, 0, CreditKEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr <= ICLASS_KEYS_MAX) {
+                                       memcpy(CreditKEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'f':
+               case 'F':
+                       fileNameLen = param_getstr(Cmd, cmdp+1, filename); 
+                       if (fileNameLen < 1) {
+                               PrintAndLog("No filename found after f");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'k':
+               case 'K':
+                       have_debit_key = true;
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr <= ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_dump();
        }
 
-       UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}};
+       if (cmdp < 2) return usage_hf_iclass_dump();
+       // if no debit key given try credit key on AA1 (not for iclass but for some picopass this will work)
+       if (!have_debit_key && have_credit_key) use_credit_key = true;
+
+       //get config and first 3 blocks
+       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN |
+                                       FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY}};
+       UsbCommand resp;
+       uint8_t tag_data[255*8];
+
+       clearCommandBuffer();
        SendCommand(&c);
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+               PrintAndLog("Command execute timeout");
+               ul_switch_off_field();
+               return 0;
+       }
+       uint8_t readStatus = resp.arg[0] & 0xff;
+       uint8_t *data = resp.d.asBytes;
+
+       if(readStatus == 0){
+               PrintAndLog("No tag found...");
+               ul_switch_off_field();
+               return 0;
+       }
+       if( readStatus & (FLAG_ICLASS_READER_CSN|FLAG_ICLASS_READER_CONF|FLAG_ICLASS_READER_CC)){
+               memcpy(tag_data, data, 8*3);
+               blockno+=2; // 2 to force re-read of block 2 later. (seems to respond differently..)
+               numblks = data[8];
+               getMemConfig(data[13], data[12], &maxBlk, &app_areas, &kb);
+               // large memory - not able to dump pages currently
+               if (numblks > maxBlk) numblks = maxBlk;
+       }
+       ul_switch_off_field();
+       // authenticate debit key and get div_key - later store in dump block 3
+       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, false)){
+               //try twice - for some reason it sometimes fails the first time...
+               if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, false)){
+                       ul_switch_off_field();
+                       return 0;
+               }
+       }
+       
+       // begin dump
+       UsbCommand w = {CMD_ICLASS_DUMP, {blockno, numblks-blockno+1}};
+       clearCommandBuffer();
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+               PrintAndLog("Command execute time-out 1");
+               ul_switch_off_field();
+               return 1;
+       }
+       uint32_t blocksRead = resp.arg[1];
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK && !blocksRead) {
+               PrintAndLog("Read Block Failed");
+               ul_switch_off_field();
+               return 0;
+       }
+       uint32_t startindex = resp.arg[2];
+       if (blocksRead*8 > sizeof(tag_data)-(blockno*8)) {
+               PrintAndLog("Data exceeded Buffer size!");
+               blocksRead = (sizeof(tag_data)/8) - blockno;
+       }
+       // response ok - now get bigbuf content of the dump
+       GetFromBigBuf(tag_data+(blockno*8), blocksRead*8, startindex);
+       WaitForResponse(CMD_ACK,NULL);
+       size_t gotBytes = blocksRead*8 + blockno*8;
+
+       // try AA2
+       if (have_credit_key) {
+               //turn off hf field before authenticating with different key
+               ul_switch_off_field();
+               memset(MAC,0,4);
+               // AA2 authenticate credit key and git c_div_key - later store in dump block 4
+               if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false)){
+                       //try twice - for some reason it sometimes fails the first time...
+                       if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false)){
+                               ul_switch_off_field();
+                               return 0;
+                       }
+               }
+               // do we still need to read more block?  (aa2 enabled?)
+               if (maxBlk > blockno+numblks+1) {
+                       // setup dump and start
+                       w.arg[0] = blockno + blocksRead;
+                       w.arg[1] = maxBlk - (blockno + blocksRead);
+                       clearCommandBuffer();
+                       SendCommand(&w);
+                       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+                               PrintAndLog("Command execute timeout 2");
+                               ul_switch_off_field();
+                               return 0;
+                       }
+                       uint8_t isOK = resp.arg[0] & 0xff;
+                       blocksRead = resp.arg[1];
+                       if (!isOK && !blocksRead) {
+                               PrintAndLog("Read Block Failed 2");
+                               ul_switch_off_field();
+                               return 0;
+                       }               
+
+                       startindex = resp.arg[2];
+                       if (blocksRead*8 > sizeof(tag_data)-gotBytes) {
+                               PrintAndLog("Data exceeded Buffer size!");
+                               blocksRead = (sizeof(tag_data) - gotBytes)/8;
+                       }
+                       // get dumped data from bigbuf
+                       GetFromBigBuf(tag_data+gotBytes, blocksRead*8, startindex);
+                       WaitForResponse(CMD_ACK,NULL);
+
+                       gotBytes += blocksRead*8;                       
+               } else { //field is still on - turn it off...
+                       ul_switch_off_field();
+               }
+       }
+
+       // add diversified keys to dump
+       if (have_debit_key) memcpy(tag_data+(3*8),div_key,8);
+       if (have_credit_key) memcpy(tag_data+(4*8),c_div_key,8);
+       // print the dump
+       printf("CSN   |00| %02X %02X %02X %02X %02X %02X %02X %02X |\n",tag_data[0],tag_data[1],tag_data[2]
+                 ,tag_data[3],tag_data[4],tag_data[5],tag_data[6],tag_data[7]);
+       printIclassDumpContents(tag_data, 1, (gotBytes/8)-1, gotBytes-8);
+
+       if (filename[0] == 0){
+               snprintf(filename, FILE_PATH_SIZE,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
+                   tag_data[0],tag_data[1],tag_data[2],tag_data[3],
+                   tag_data[4],tag_data[5],tag_data[6],tag_data[7]);
+       }
+
+       // save the dump to .bin file
+       PrintAndLog("Saving dump file - %d blocks read", gotBytes/8);
+       saveFile(filename, "bin", tag_data, gotBytes);
+       return 1;
+}
+
+static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool verbose) {
+       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, verbose))
+               return 0;
+
        UsbCommand resp;
 
-       if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
-               uint8_t isOK    = resp.arg[0] & 0xff;
-               uint8_t * data  = resp.d.asBytes;
+       Calc_wb_mac(blockno,bldata,div_key,MAC);
+       UsbCommand w = {CMD_ICLASS_WRITEBLOCK, {blockno}};
+       memcpy(w.d.asBytes, bldata, 8);
+       memcpy(w.d.asBytes + 8, MAC, 4);
+       
+       clearCommandBuffer();
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
+       {
+               PrintAndLog("Write Command execute timeout");
+               return 0;
+       }
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK) {
+               PrintAndLog("Write Block Failed");
+               return 0;
+       }
+       PrintAndLog("Write Block Successful");
+       return 1;
+}
 
-               memcpy(CSN,data,8);
-               memcpy(CCNR,data+8,8);
-               PrintAndLog("DEBUG: %s",sprint_hex(CSN,8));
-               PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8));
-               PrintAndLog("isOk:%02x", isOK);
-       } else {
-               PrintAndLog("Command execute timeout");
+int usage_hf_iclass_writeblock(void) {
+       PrintAndLog("Options:");
+  PrintAndLog("  b <Block> : The block number as 2 hex symbols");
+  PrintAndLog("  d <data>  : Set the Data to write as 16 hex symbols");
+       PrintAndLog("  k <Key>   : Access Key as 16 hex symbols or 1 hex to select key from memory");
+  PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
+  PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
+  PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA k 001122334455667B");
+       PrintAndLog("  hf iclass writeblk b 1B d AAAAAAAAAAAAAAAA k 001122334455667B c");
+       PrintAndLog("  hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA n 0");
+       return 0;
+}
+
+int CmdHFiClass_WriteBlock(const char *Cmd) {
+       uint8_t blockno=0;
+       uint8_t bldata[8]={0,0,0,0,0,0,0,0};
+       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       char tempStr[50] = {0};
+       bool use_credit_key = false;
+       bool elite = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_writeblock();
+               case 'b':
+               case 'B':
+                       if (param_gethex(Cmd, cmdp+1, &blockno, 2)) {
+                               PrintAndLog("Block No must include 2 HEX symbols\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'c':
+               case 'C':
+                       use_credit_key = true;
+                       cmdp++;
+                       break;
+               case 'd':
+               case 'D':
+                       if (param_gethex(Cmd, cmdp+1, bldata, 16))
+                       {
+                               PrintAndLog("KEY must include 16 HEX symbols\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'k':
+               case 'K':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr <= ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_writeblock();
        }
 
-       diversifyKey(CSN,KEY, div_key);
+       if (cmdp < 6) return usage_hf_iclass_writeblock();
+       int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, true);
+       ul_switch_off_field();
+       return ans;
+}
 
-       PrintAndLog("Div Key: %s",sprint_hex(div_key,8));
-       doMAC(CCNR, div_key, MAC);
+int usage_hf_iclass_clone(void) {
+       PrintAndLog("Usage:  hf iclass clone f <tagfile.bin> b <first block> l <last block> k <KEY> e c");
+       PrintAndLog("Options:");
+       PrintAndLog("  f <filename>: specify a filename to clone from");
+       PrintAndLog("  b <Block>   : The first block to clone as 2 hex symbols");
+       PrintAndLog("  l <Last Blk>: Set the Data to write as 16 hex symbols");
+       PrintAndLog("  k <Key>     : Access Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  c           : If 'c' is specified, the key set is assumed to be the credit key\n");
+       PrintAndLog("  e           : If 'e' is specified, elite computations applied to key");
+       PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 1A k 1122334455667788 e");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 05 l 19 k 0");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 19 k 0 e");
+       return -1;
+}
 
-       UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}};
-       memcpy(c2.d.asBytes, bldata, 8);
-       memcpy(c2.d.asBytes+8, MAC, 4);
-       SendCommand(&c2);
+int CmdHFiClassCloneTag(const char *Cmd) {
+       char filename[FILE_PATH_SIZE];
+       char tempStr[50]={0};
+       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t fileNameLen = 0;
+       uint8_t startblock = 0;
+       uint8_t endblock = 0;
+       uint8_t dataLen = 0;
+       bool use_credit_key = false;
+       bool elite = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_clone();
+               case 'b':
+               case 'B':
+                       if (param_gethex(Cmd, cmdp+1, &startblock, 2)) {
+                               PrintAndLog("Start Block No must include 2 HEX symbols\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'c':
+               case 'C':
+                       use_credit_key = true;
+                       cmdp++;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'f':
+               case 'F':
+                       fileNameLen = param_getstr(Cmd, cmdp+1, filename); 
+                       if (fileNameLen < 1) {
+                               PrintAndLog("No filename found after f");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'k':
+               case 'K':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr <= ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'l':
+               case 'L':
+                       if (param_gethex(Cmd, cmdp+1, &endblock, 2)) {
+                               PrintAndLog("Start Block No must include 2 HEX symbols\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_clone();
+       }
 
-       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
-               uint8_t isOK    = resp.arg[0] & 0xff;
-               uint8_t * data  = resp.d.asBytes;
+       if (cmdp < 8) return usage_hf_iclass_clone();
 
-               if (isOK)
-                       PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
-               else
-                       PrintAndLog("isOk:%02x", isOK);
-       } else {
+       FILE *f;
+
+       iclass_block_t tag_data[USB_CMD_DATA_SIZE/12];
+
+       if ((endblock-startblock+1)*12 > USB_CMD_DATA_SIZE) {
+               PrintAndLog("Trying to write too many blocks at once.  Max: %d", USB_CMD_DATA_SIZE/8);
+       }
+       // file handling and reading
+       f = fopen(filename,"rb");
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 1;
+       }
+
+       if (startblock<5) {
+               PrintAndLog("You cannot write key blocks this way. yet... make your start block > 4");
+               return 0;
+       }
+       // now read data from the file from block 6 --- 19
+       // ok we will use this struct [data 8 bytes][MAC 4 bytes] for each block calculate all mac number for each data
+       // then copy to usbcommand->asbytes; the max is 32 - 6 = 24 block 12 bytes each block 288 bytes then we can only accept to clone 21 blocks at the time,
+       // else we have to create a share memory
+       int i;
+       fseek(f,startblock*8,SEEK_SET);
+       fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f);
+
+       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, true))
+               return 0;
+
+       UsbCommand w = {CMD_ICLASS_CLONE,{startblock,endblock}};
+       uint8_t *ptr;
+       // calculate all mac for every the block we will write
+       for (i = startblock; i <= endblock; i++){
+           Calc_wb_mac(i,tag_data[i - startblock].d,div_key,MAC);
+           // usb command d start pointer = d + (i - 6) * 12
+           // memcpy(pointer,tag_data[i - 6],8) 8 bytes
+           // memcpy(pointer + 8,mac,sizoof(mac) 4 bytes;
+           // next one
+           ptr = w.d.asBytes + (i - startblock) * 12;
+           memcpy(ptr, &(tag_data[i - startblock].d[0]), 8);
+           memcpy(ptr + 8,MAC, 4);
+       }
+       uint8_t p[12];
+       for (i = 0; i <= endblock - startblock;i++){
+           memcpy(p,w.d.asBytes + (i * 12),12);
+           printf("Block |%02x|",i + startblock);
+           printf(" %02x%02x%02x%02x%02x%02x%02x%02x |",p[0],p[1],p[2],p[3],p[4],p[5],p[6],p[7]);
+           printf(" MAC |%02x%02x%02x%02x|\n",p[8],p[9],p[10],p[11]);
+       }
+       UsbCommand resp;
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
+       {
+               PrintAndLog("Command execute timeout");
+               return 0;
+       }
+       return 1;
+}
+
+static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool verbose) {
+       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+       if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, verbose))
+               return 0;
+
+       UsbCommand resp;
+       UsbCommand w = {CMD_ICLASS_READBLOCK, {blockno}};
+       clearCommandBuffer();
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
+       {
                PrintAndLog("Command execute timeout");
+               return 0;
+       }
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK) {
+               PrintAndLog("Read Block Failed");
+               return 0;
        }
+       //data read is stored in: resp.d.asBytes[0-15]
+       if (verbose) PrintAndLog("Block %02X: %s\n",blockno, sprint_hex(resp.d.asBytes,8));
+       return 1;
+}
+
+int usage_hf_iclass_readblock(void) {
+       PrintAndLog("Usage:  hf iclass readblk b <Block> k <Key> c e\n");
+       PrintAndLog("Options:");
+  PrintAndLog("  b <Block> : The block number as 2 hex symbols");
+       PrintAndLog("  k <Key>   : Access Key as 16 hex symbols or 1 hex to select key from memory");
+  PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
+  PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
+  PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass readblk b 06 k 0011223344556677");
+       PrintAndLog("  hf iclass readblk b 1B k 0011223344556677 c");
+       PrintAndLog("  hf iclass readblk b 0A k 0");
        return 0;
 }
-int CmdHFiClass_loclass(const char *Cmd)
-{
+
+int CmdHFiClass_ReadBlock(const char *Cmd) {
+       uint8_t blockno=0;
+       uint8_t keyType = 0x88; //debit key
+       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       char tempStr[50] = {0};
+       bool elite = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_readblock();
+               case 'b':
+               case 'B':
+                       if (param_gethex(Cmd, cmdp+1, &blockno, 2)) {
+                               PrintAndLog("Block No must include 2 HEX symbols\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'c':
+               case 'C':
+                       keyType = 0x18;
+                       cmdp++;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'k':
+               case 'K':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr <= ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_readblock();
+       }
+
+       if (cmdp < 4) return usage_hf_iclass_readblock();
+
+       return ReadBlock(KEY, blockno, keyType, elite, true);
+}
+
+int CmdHFiClass_loclass(const char *Cmd) {
        char opt = param_getchar(Cmd, 0);
 
        if (strlen(Cmd)<1 || opt == 'h') {
@@ -683,19 +1211,435 @@ int CmdHFiClass_loclass(const char *Cmd)
        return 0;
 }
 
+void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize) {
+       uint8_t blockdata[8];
+       uint8_t mem_config;
+       memcpy(&mem_config, iclass_dump + 13,1);
+       uint8_t maxmemcount;
+       uint8_t filemaxblock = filesize / 8;
+       if (mem_config & 0x80)
+               maxmemcount = 255;
+       else
+               maxmemcount = 31;
+       //PrintAndLog   ("endblock: %d, filesize: %d, maxmemcount: %d, filemaxblock: %d", endblock,filesize, maxmemcount, filemaxblock);
+
+       if (startblock == 0)
+               startblock = 6;
+       if ((endblock > maxmemcount) || (endblock == 0))
+               endblock = maxmemcount;
+       if (endblock > filemaxblock)
+               endblock = filemaxblock;
+       int i = startblock;
+       int j;
+       while (i <= endblock){
+               printf("Block |%02X| ",i);
+               memcpy(blockdata,iclass_dump + (i * 8),8);
+               for (j = 0;j < 8;j++)
+                       printf("%02X ",blockdata[j]);
+               printf("|\n");
+               i++;
+       }
+}
+
+int usage_hf_iclass_readtagfile() {
+       PrintAndLog("Usage: hf iclass readtagfile <filename> [startblock] [endblock]");
+       return 1;
+}
+
+int CmdHFiClassReadTagFile(const char *Cmd) {
+       int startblock = 0;
+       int endblock = 0;
+       char tempnum[5];
+       FILE *f;
+       char filename[FILE_PATH_SIZE];
+       if (param_getstr(Cmd, 0, filename) < 1)
+               return usage_hf_iclass_readtagfile();
+       if (param_getstr(Cmd,1,(char *)&tempnum) < 1)
+               startblock = 0;
+       else
+               sscanf(tempnum,"%d",&startblock);
+
+       if (param_getstr(Cmd,2,(char *)&tempnum) < 1)
+               endblock = 0;
+       else
+               sscanf(tempnum,"%d",&endblock);
+       // file handling and reading
+       f = fopen(filename,"rb");
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 1;
+       }
+       fseek(f, 0, SEEK_END);
+       long fsize = ftell(f);
+       fseek(f, 0, SEEK_SET);
+
+       uint8_t *dump = malloc(fsize);
+
+
+       size_t bytes_read = fread(dump, 1, fsize, f);
+       fclose(f);
+       uint8_t *csn = dump;
+       printf("CSN   [00] | %02X %02X %02X %02X %02X %02X %02X %02X |\n",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
+       //    printIclassDumpInfo(dump);
+       printIclassDumpContents(dump,startblock,endblock,bytes_read);
+       free(dump);
+       return 0;
+}
+
+/*
+uint64_t xorcheck(uint64_t sdiv,uint64_t hdiv) {
+       uint64_t new_div = 0x00;
+       new_div ^= sdiv;
+       new_div ^= hdiv;
+       return new_div;
+}
+
+uint64_t hexarray_to_uint64(uint8_t *key) {
+       char temp[17];
+       uint64_t uint_key;
+       for (int i = 0;i < 8;i++)
+               sprintf(&temp[(i *2)],"%02X",key[i]);
+       temp[16] = '\0';
+       if (sscanf(temp,"%016"llX,&uint_key) < 1)
+               return 0;
+       return uint_key;
+}
+*/
+void HFiClassCalcDivKey(uint8_t        *CSN, uint8_t   *KEY, uint8_t *div_key, bool elite){
+       uint8_t keytable[128] = {0};
+       uint8_t key_index[8] = {0};
+       if (elite) {
+               uint8_t key_sel[8] = { 0 };
+               uint8_t key_sel_p[8] = { 0 };
+               hash2(KEY, keytable);
+               hash1(CSN, key_index);
+               for(uint8_t i = 0; i < 8 ; i++)
+                       key_sel[i] = keytable[key_index[i]] & 0xFF;
+
+               //Permute from iclass format to standard format
+               permutekey_rev(key_sel, key_sel_p);
+               diversifyKey(CSN, key_sel_p, div_key);  
+       } else {
+               diversifyKey(CSN, KEY, div_key);
+       }               
+}
+
+//when told CSN, oldkey, newkey, if new key is elite (elite), and if old key was elite (oldElite)
+//calculate and return xor_div_key (ready for a key write command)
+//print all div_keys if verbose
+static void HFiClassCalcNewKey(uint8_t *CSN, uint8_t *OLDKEY, uint8_t *NEWKEY, uint8_t *xor_div_key, bool elite, bool oldElite, bool verbose){
+       uint8_t old_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t new_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       //get old div key
+       HFiClassCalcDivKey(CSN, OLDKEY, old_div_key, oldElite);
+       //get new div key
+       HFiClassCalcDivKey(CSN, NEWKEY, new_div_key, elite);
+       
+       for (uint8_t i = 0; i < sizeof(old_div_key); i++){
+               xor_div_key[i] = old_div_key[i] ^ new_div_key[i];
+       }
+       if (verbose) {
+               printf("Old Div Key : %s\n",sprint_hex(old_div_key,8));
+               printf("New Div Key : %s\n",sprint_hex(new_div_key,8));
+               printf("Xor Div Key : %s\n",sprint_hex(xor_div_key,8));         
+       }
+}
+
+int usage_hf_iclass_calc_newkey(void) {
+       PrintAndLog("HELP :  Manage iClass Keys in client memory:\n");
+       PrintAndLog("Usage:  hf iclass calc_newkey o <Old key> n <New key> s [csn] e");
+       PrintAndLog("  Options:");
+       PrintAndLog("  o <oldkey> : *specify a key as 16 hex symbols or a key number as 1 symbol");
+       PrintAndLog("  n <newkey> : *specify a key as 16 hex symbols or a key number as 1 symbol");
+       PrintAndLog("  s <csn>    : specify a card Serial number to diversify the key (if omitted will attempt to read a csn)");
+       PrintAndLog("  e          : specify new key as elite calc");
+       PrintAndLog("  ee         : specify old and new key as elite calc");
+       PrintAndLog("Samples:");
+       PrintAndLog(" e key to e key given csn : hf iclass calcnewkey o 1122334455667788 n 2233445566778899 s deadbeafdeadbeaf ee");
+       PrintAndLog(" std key to e key read csn: hf iclass calcnewkey o 1122334455667788 n 2233445566778899 e");
+       PrintAndLog(" std to std read csn      : hf iclass calcnewkey o 1122334455667788 n 2233445566778899");
+       PrintAndLog("NOTE: * = required\n");
+
+       return 1;
+}
+
+int CmdHFiClassCalcNewKey(const char *Cmd) {
+       uint8_t OLDKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t NEWKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t xor_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CSN[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CCNR[12] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       char tempStr[50] = {0};
+       bool givenCSN = false;
+       bool oldElite = false;
+       bool elite = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_calc_newkey();
+               case 'e':
+               case 'E':
+                       dataLen = param_getstr(Cmd, cmdp, tempStr);
+                       if (dataLen==2)
+                               oldElite = true;
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'n':
+               case 'N':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, NEWKEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr <= ICLASS_KEYS_MAX) {
+                                       memcpy(NEWKEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: NewKey Nbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: NewKey is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'o':
+               case 'O':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, OLDKEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr <= ICLASS_KEYS_MAX) {
+                                       memcpy(OLDKEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 's':
+               case 'S':
+                       givenCSN = true;
+                       if (param_gethex(Cmd, cmdp+1, CSN, 16))
+                               return usage_hf_iclass_calc_newkey();
+                       cmdp += 2;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_calc_newkey();
+       }
+
+       if (cmdp < 4) return usage_hf_iclass_calc_newkey();
+
+       if (!givenCSN)
+               if (!select_only(CSN, CCNR, false, true))
+                       return 0;
+       
+       HFiClassCalcNewKey(CSN, OLDKEY, NEWKEY, xor_div_key, elite, oldElite, true);
+       return 0;
+}
+
+static int loadKeys(char *filename) {
+       FILE *f;
+       f = fopen(filename,"rb");
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 0;
+       }
+       fseek(f, 0, SEEK_END);
+       long fsize = ftell(f);
+       fseek(f, 0, SEEK_SET);
+
+       uint8_t *dump = malloc(fsize);
+
+       size_t bytes_read = fread(dump, 1, fsize, f);
+       fclose(f);
+       if (bytes_read > ICLASS_KEYS_MAX * 8){
+               PrintAndLog("File is too long to load - bytes: %u", bytes_read);
+               free(dump);
+               return 0;
+       }
+       uint8_t i = 0;
+       for (; i < bytes_read/8; i++){
+               memcpy(iClass_Key_Table[i],dump+(i*8),8);
+       }
+       free(dump);
+       PrintAndLog("%u keys loaded", i);
+       return 1;
+}
+
+static int saveKeys(char *filename) {
+       FILE *f;
+       f = fopen(filename,"wb");
+       if (f == NULL) {
+               printf("error opening file %s\n",filename);
+               return 0;
+       }
+       for (uint8_t i = 0; i < ICLASS_KEYS_MAX; i++){
+               if (fwrite(iClass_Key_Table[i],8,1,f) != 1){
+                       PrintAndLog("save key failed to write to file: %s", filename);
+                       break;
+               }
+       }
+       fclose(f);
+       return 0;
+}
+
+static int printKeys(void) {
+       PrintAndLog("");
+       for (uint8_t i = 0; i < ICLASS_KEYS_MAX; i++){
+               PrintAndLog("%u: %s",i,sprint_hex(iClass_Key_Table[i],8));
+       }
+       PrintAndLog("");        
+       return 0;
+}
+
+int usage_hf_iclass_managekeys(void) {
+       PrintAndLog("HELP :  Manage iClass Keys in client memory:\n");
+       PrintAndLog("Usage:  hf iclass managekeys n [keynbr] k [key] f [filename] s l p\n");
+       PrintAndLog("  Options:");
+       PrintAndLog("  n <keynbr>  : specify the keyNbr to set in memory");
+       PrintAndLog("  k <key>     : set a key in memory");
+       PrintAndLog("  f <filename>: specify a filename to use with load or save operations");
+       PrintAndLog("  s           : save keys in memory to file specified by filename");
+       PrintAndLog("  l           : load keys to memory from file specified by filename");
+       PrintAndLog("  p           : print keys loaded into memory\n");
+       PrintAndLog("Samples:");
+       PrintAndLog(" set key      : hf iclass managekeys n 0 k 1122334455667788");
+       PrintAndLog(" save key file: hf iclass managekeys f mykeys.bin s");
+       PrintAndLog(" load key file: hf iclass managekeys f mykeys.bin l");
+       PrintAndLog(" print keys   : hf iclass managekeys p\n");
+       return 0;
+}
+
+int CmdHFiClassManageKeys(const char *Cmd) {
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       uint8_t KEY[8] = {0};
+       char filename[FILE_PATH_SIZE];
+       uint8_t fileNameLen = 0;
+       bool errors = false;
+       uint8_t operation = 0;
+       char tempStr[20];
+       uint8_t cmdp = 0;
+
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_managekeys();
+               case 'f':
+               case 'F':
+                       fileNameLen = param_getstr(Cmd, cmdp+1, filename); 
+                       if (fileNameLen < 1) {
+                               PrintAndLog("No filename found after f");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'n':
+               case 'N':
+                       keyNbr = param_get8(Cmd, cmdp+1);
+                       if (keyNbr < 0) {
+                               PrintAndLog("Wrong block number");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'k':
+               case 'K':
+                       operation += 3; //set key 
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { //ul-c or ev1/ntag key length
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else {
+                               PrintAndLog("\nERROR: Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'p':
+               case 'P':
+                       operation += 4; //print keys in memory
+                       cmdp++;
+                       break;
+               case 'l':
+               case 'L':
+                       operation += 5; //load keys from file
+                       cmdp++;
+                       break;
+               case 's':
+               case 'S':
+                       operation += 6; //save keys to file
+                       cmdp++;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_managekeys();
+       }
+       if (operation == 0){
+               PrintAndLog("no operation specified (load, save, or print)\n");
+               return usage_hf_iclass_managekeys();
+       }
+       if (operation > 6){
+               PrintAndLog("Too many operations specified\n");
+               return usage_hf_iclass_managekeys();
+       }
+       if (operation > 4 && fileNameLen == 0){
+               PrintAndLog("You must enter a filename when loading or saving\n");
+               return usage_hf_iclass_managekeys();
+       }
+
+       switch (operation){
+               case 3: memcpy(iClass_Key_Table[keyNbr], KEY, 8); return 1;
+               case 4: return printKeys();
+               case 5: return loadKeys(filename);
+               case 6: return saveKeys(filename);
+               break;
+       }
+       return 0;
+}
+
 static command_t CommandTable[] = 
 {
-       {"help",        CmdHelp,                        1,      "This help"},
-       {"list",        CmdHFiClassList,        0,      "[Deprecated] List iClass history"},
-       {"snoop",       CmdHFiClassSnoop,       0,      "Eavesdrop iClass communication"},
-       {"sim", CmdHFiClassSim,         0,      "Simulate iClass tag"},
-       {"reader",CmdHFiClassReader,    0,      "Read an iClass tag"},
-       {"replay",CmdHFiClassReader_Replay,     0,      "Read an iClass tag via Reply Attack"},
-       {"dump",        CmdHFiClassReader_Dump, 0,              "Authenticate and Dump iClass tag"},
-//     {"write",       CmdHFiClass_iso14443A_write,    0,      "Authenticate and Write iClass block"},
-       {"loclass",     CmdHFiClass_loclass,    1,      "Use loclass to perform bruteforce of reader attack dump"},
-       {"eload",   CmdHFiClassELoad,    0,     "[experimental] Load data into iclass emulator memory"},
-       {"decrypt", CmdHFiClassDecrypt,  1,     "Decrypt tagdump" },
+       {"help",        CmdHelp,                        1,      "This help"},
+       {"calcnewkey",  CmdHFiClassCalcNewKey,          1,      "[options..] Calc Diversified keys (blocks 3 & 4) to write new keys"},
+       {"clone",       CmdHFiClassCloneTag,            0,      "[options..] Authenticate and Clone from iClass bin file"},
+       {"decrypt",     CmdHFiClassDecrypt,             1,      "[f <fname>] Decrypt tagdump" },
+       {"dump",        CmdHFiClassReader_Dump,         0,      "[options..] Authenticate and Dump iClass tag's AA1"},
+       {"eload",       CmdHFiClassELoad,               0,      "[f <fname>] (experimental) Load data into iClass emulator memory"},
+       {"encryptblk",  CmdHFiClassEncryptBlk,          1,      "<BlockData> Encrypt given block data"},
+       {"list",        CmdHFiClassList,                0,      "            (Deprecated) List iClass history"},
+       {"loclass",     CmdHFiClass_loclass,            1,      "[options..] Use loclass to perform bruteforce of reader attack dump"},
+       {"managekeys",  CmdHFiClassManageKeys,          1,      "[options..] Manage the keys to use with iClass"},
+       {"readblk",     CmdHFiClass_ReadBlock,          0,      "[options..] Authenticate and Read iClass block"},
+       {"reader",      CmdHFiClassReader,              0,      "            Read an iClass tag"},
+       {"readtagfile", CmdHFiClassReadTagFile,         1,      "[options..] Display Content from tagfile"},
+       {"replay",      CmdHFiClassReader_Replay,       0,      "<mac>       Read an iClass tag via Reply Attack"},
+       {"sim",         CmdHFiClassSim,                 0,      "[options..] Simulate iClass tag"},
+       {"snoop",       CmdHFiClassSnoop,               0,      "            Eavesdrop iClass communication"},
+       {"writeblk",    CmdHFiClass_WriteBlock,         0,      "[options..] Authenticate and Write iClass block"},
        {NULL, NULL, 0, NULL}
 };
 
index 30c6a8a7b1907f2bedf6f121b79ffad46293c9a1..9a3adf504b93ef59d322d62bb1cd9a6c3c13f7f7 100644 (file)
 
 int CmdHFiClass(const char *Cmd);
 
-int CmdHFiClassSnoop(const char *Cmd);
-int CmdHFiClassSim(const char *Cmd);
+int CmdHFiClassCalcNewKey(const char *Cmd);
+int CmdHFiClassCloneTag(const char *Cmd);
+int CmdHFiClassDecrypt(const char *Cmd);
+int CmdHFiClassEncryptBlk(const char *Cmd);
+int CmdHFiClassELoad(const char *Cmd);
 int CmdHFiClassList(const char *Cmd);
 int HFiClassReader(const char *Cmd, bool loop, bool verbose);
 int CmdHFiClassReader(const char *Cmd);
+int CmdHFiClassReader_Dump(const char *Cmd);
 int CmdHFiClassReader_Replay(const char *Cmd);
-
+int CmdHFiClassReadKeyFile(const char *filename);
+int CmdHFiClassReadTagFile(const char *Cmd);
+int CmdHFiClass_ReadBlock(const char *Cmd);
+int CmdHFiClass_TestMac(const char *Cmd);
+int CmdHFiClassManageKeys(const char *Cmd);
+int CmdHFiClass_loclass(const char *Cmd);
+int CmdHFiClassSnoop(const char *Cmd);
+int CmdHFiClassSim(const char *Cmd);
+int CmdHFiClassWriteKeyFile(const char *Cmd);
+int CmdHFiClass_WriteBlock(const char *Cmd);
+void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize);
+void HFiClassCalcDivKey(uint8_t        *CSN, uint8_t   *KEY, uint8_t *div_key, bool elite);
 #endif
index 8a8a38fcaf19961b9ea059318acaa261dd2e7c5c..304e9c9c3b0d870e09f2f2096bec6785a7be50b3 100644 (file)
@@ -1950,6 +1950,13 @@ int CmdHF14AMfSniff(const char *Cmd){
        return 0;\r
 }\r
 \r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+       uint8_t data[50];\r
+       int len = 0;\r
+       param_gethex_ex(Cmd,3,data,&len);\r
+       return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
+}\r
 \r
 static command_t CommandTable[] =\r
 {\r
@@ -1978,6 +1985,7 @@ static command_t CommandTable[] =
   {"cgetsc",   CmdHF14AMfCGetSc,               0, "Read sector - Magic Chinese card"},\r
   {"cload",            CmdHF14AMfCLoad,                0, "Load dump into magic Chinese card"},\r
   {"csave",            CmdHF14AMfCSave,                0, "Save dump from magic Chinese card into file or emulator"},\r
+  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
   {NULL, NULL, 0, NULL}\r
 };\r
 \r
index 4c682a76f1b71cccfa682e6ed7ade580356975e7..edf6c3a9eb689a24f158d319e33f013a1b4cdcc3 100644 (file)
@@ -1138,7 +1138,7 @@ static command_t CommandTable[] =
        {"read",        CmdLFRead,          0, "['s' silent] Read 125/134 kHz LF ID-only tag. Do 'lf read h' for help"},
        {"search",      CmdLFfind,          1, "[offline] ['u'] Read and Search for valid known tag (in offline mode it you can load first then search) - 'u' to search for unknown tags"},
        {"sim",         CmdLFSim,           0, "[GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)"},
-       {"simask",      CmdLFaskSim,        0, "[clock] [invert <1|0>] [manchester/raw <'m'|'r'>] [msg separator 's'] [d <hexdata>] -- Simulate LF ASK tag from demodbuffer or input"},
+       {"simask",      CmdLFaskSim,        0, "[clock] [invert <1|0>] [biphase/manchester/raw <'b'|'m'|'r'>] [msg separator 's'] [d <hexdata>] -- Simulate LF ASK tag from demodbuffer or input"},
        {"simfsk",      CmdLFfskSim,        0, "[c <clock>] [i] [H <fcHigh>] [L <fcLow>] [d <hexdata>] -- Simulate LF FSK tag from demodbuffer or input"},
        {"simpsk",      CmdLFpskSim,        0, "[1|2|3] [c <clock>] [i] [r <carrier>] [d <raw hex to sim>] -- Simulate LF PSK tag from demodbuffer or input"},
        {"simbidir",    CmdLFSimBidir,      0, "Simulate LF tag (with bidirectional data transmission between reader and tag)"},
index 2291735cb8ecd46cd74986eb628cbc978b170f59..887547248abe6e3945a4f6153bbcd493972d0e93 100644 (file)
@@ -37,7 +37,7 @@ int usage_t55xx_config(){
        PrintAndLog("Options:        ");\r
        PrintAndLog("       h                        This help");\r
        PrintAndLog("       b <8|16|32|40|50|64|100|128>     Set bitrate");\r
-       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NZ / Biphase / Biphase A");\r
+       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
        PrintAndLog("       i [1]                            Invert data signal, defaults to normal");\r
        PrintAndLog("       o [offset]                       Set offset, where data should start decode in bitstream");\r
        PrintAndLog("");\r
index f4013bab5102e42e149ff2b66a9af6d642651642..2f521f62a983376b4036f508300bc70c2374cc61 100644 (file)
@@ -115,9 +115,17 @@ typedef struct {
 #define CMD_WRITER_LEGIC_RF                                               0x0389
 #define CMD_EPA_PACE_COLLECT_NONCE                                        0x038A
 
+#define CMD_ICLASS_READCHECK                                              0x038F
+#define CMD_ICLASS_CLONE                                                  0x0390
+#define CMD_ICLASS_DUMP                                                   0x0391
 #define CMD_SNOOP_ICLASS                                                  0x0392
 #define CMD_SIMULATE_TAG_ICLASS                                           0x0393
 #define CMD_READER_ICLASS                                                 0x0394
+#define CMD_READER_ICLASS_REPLAY                                          0x0395
+#define CMD_ICLASS_READBLOCK                                              0x0396
+#define CMD_ICLASS_WRITEBLOCK                                             0x0397
+#define CMD_ICLASS_EML_MEMSET                                             0x0398
+#define CMD_ICLASS_AUTHENTICATION                                         0x0399
 
 // For measurements of the antenna tuning
 #define CMD_MEASURE_ANTENNA_TUNING                                        0x0400
index 7c9cc873a019f1ae67c9c84ba8cabd789d4e88bd..a701da31934164630e4df7f80605149a449c3dbd 100644 (file)
@@ -224,23 +224,44 @@ void MAC(uint8_t* k, BitstreamIn input, BitstreamOut out)
 void doMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4])
 {
        uint8_t cc_nr[13] = { 0 };
-    uint8_t div_key[8];
+       uint8_t div_key[8];
        //cc_nr=(uint8_t*)malloc(length+1);
 
-       memcpy(cc_nr,cc_nr_p,12);
-    memcpy(div_key,div_key_p,8);
+       memcpy(cc_nr, cc_nr_p, 12);
+       memcpy(div_key, div_key_p, 8);
 
        reverse_arraybytes(cc_nr,12);
-       BitstreamIn bitstream = {cc_nr,12 * 8,0};
-    uint8_t dest []= {0,0,0,0,0,0,0,0};
-    BitstreamOut out = { dest, sizeof(dest)*8, 0 };
-    MAC(div_key,bitstream, out);
-    //The output MAC must also be reversed
-    reverse_arraybytes(dest, sizeof(dest));
-    memcpy(mac, dest, 4);
+       BitstreamIn bitstream = {cc_nr, 12 * 8, 0};
+       uint8_t dest []= {0,0,0,0,0,0,0,0};
+       BitstreamOut out = { dest, sizeof(dest)*8, 0 };
+       MAC(div_key,bitstream, out);
+       //The output MAC must also be reversed
+       reverse_arraybytes(dest, sizeof(dest));
+       memcpy(mac, dest, 4);
        //free(cc_nr);
-    return;
+       return;
 }
+void doMAC_N(uint8_t *address_data_p, uint8_t address_data_size, uint8_t *div_key_p, uint8_t mac[4])
+{
+       uint8_t *address_data;
+       uint8_t div_key[8];
+       address_data = (uint8_t*) malloc(address_data_size);
+
+       memcpy(address_data, address_data_p, address_data_size);
+       memcpy(div_key, div_key_p, 8);
+
+       reverse_arraybytes(address_data, address_data_size);
+       BitstreamIn bitstream = {address_data, address_data_size * 8, 0};
+       uint8_t dest []= {0,0,0,0,0,0,0,0};
+       BitstreamOut out = { dest, sizeof(dest)*8, 0 };
+       MAC(div_key, bitstream, out);
+       //The output MAC must also be reversed
+       reverse_arraybytes(dest, sizeof(dest));
+       memcpy(mac, dest, 4);
+       free(address_data);
+       return;
+}
+
 #ifndef ON_DEVICE
 int testMAC()
 {
index bdea94322a82aba0e06c95933a6b08e3e6123dd9..7afdb524cc4393273b5bd3e1af1c84c05f246bee 100644 (file)
@@ -42,6 +42,8 @@
 #include <stdint.h>
 
 void doMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]);
+void doMAC_N(uint8_t *address_data_p,uint8_t address_data_size, uint8_t *div_key_p, uint8_t mac[4]);
+
 #ifndef ON_DEVICE
 int testMAC();
 #endif
index 64f16e4491ab95769e358b9f685d727242ef789c..5f34976fa41141748d41f531435ae45460f98f13 100644 (file)
@@ -88,11 +88,17 @@ local _commands = {
        CMD_EPA_PACE_COLLECT_NONCE =                                         0x038A,
        --//CMD_EPA_ =                                                         0x038B,
 
+       CMD_ICLASS_READCHECK =                                               0x038F,
+       CMD_ICLASS_CLONE =                                                   0x0390,
+       CMD_ICLASS_DUMP =                                                    0x0391,
        CMD_SNOOP_ICLASS =                                                   0x0392,
        CMD_SIMULATE_TAG_ICLASS =                                            0x0393,
        CMD_READER_ICLASS =                                                  0x0394,
-       CMD_READER_ICLASS_REPLAY =                                                                                       0x0395,
-       CMD_ICLASS_ISO14443A_WRITE =                                                                             0x0397,
+       CMD_READER_ICLASS_REPLAY =                                           0x0395,
+       CMD_ICLASS_READBLOCK =                                               0x0396,
+       CMD_ICLASS_WRITEBLOCK =                                              0x0397,
+       CMD_ICLASS_EML_MEMSET =                                              0x0398,
+       CMD_ICLASS_AUTHENTICATION =                                          0x0399,
 
        --// For measurements of the antenna tuning
        CMD_MEASURE_ANTENNA_TUNING =                                         0x0400,
index eb145123801d7f227ef150be27fb576303991336..4abb1137c41d0baf045f2d5e8fed9109cedb7873 100644 (file)
@@ -619,3 +619,23 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
 \r
        return 0;\r
 }\r
+\r
+int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len){\r
+       /*\r
+       uint32_t nt;      // tag challenge\r
+       uint32_t ar_enc;  // encrypted reader response\r
+       uint32_t at_enc;  // encrypted tag response\r
+       */\r
+       if (traceCrypto1) {\r
+               crypto1_destroy(traceCrypto1);\r
+       }\r
+       ks2 = ar_enc ^ prng_successor(nt, 64);\r
+       ks3 = at_enc ^ prng_successor(nt, 96);\r
+       traceCrypto1 = lfsr_recovery64(ks2, ks3);\r
+\r
+       mf_crypto1_decrypt(traceCrypto1, data, len, 0);\r
+\r
+       PrintAndLog("Decrypted data: [%s]", sprint_hex(data,len) );\r
+       crypto1_destroy(traceCrypto1);\r
+       return 0;\r
+}\r
index f6ffab3f219896c93aaa9ca1e4f6162fd475bdad..9ccb8960ffb0cfb353caa6998ef376010739f108 100644 (file)
@@ -67,3 +67,4 @@ int isBlockEmpty(int blockN);
 int isBlockTrailer(int blockN);\r
 int loadTraceCard(uint8_t *tuid);\r
 int saveTraceCard(void);\r
+int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len);\r
index 9f2142c6a4114d7c2e6f50f6ac97fca70c709522..5e9fce858fe9606da93830da0eb9b4c4970883b9 100644 (file)
@@ -333,7 +333,28 @@ int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt)
 
        return 0;
 }
+int param_gethex_ex(const char *line, int paramnum, uint8_t * data, int *hexcnt)
+{
+       int bg, en, temp, i;
+
+       //if (hexcnt % 2)
+       //      return 1;
+       
+       if (param_getptr(line, &bg, &en, paramnum)) return 1;
+
+       *hexcnt = en - bg + 1;
+       if (*hexcnt % 2) //error if not complete hex bytes
+               return 1;
 
+       for(i = 0; i < *hexcnt; i += 2) {
+               if (!(isxdigit(line[bg + i]) && isxdigit(line[bg + i + 1])) )   return 1;
+               
+               sscanf((char[]){line[bg + i], line[bg + i + 1], 0}, "%X", &temp);
+               data[i / 2] = temp & 0xff;
+       }       
+
+       return 0;
+}
 int param_getstr(const char *line, int paramnum, char * str)
 {
        int bg, en;
index 94021c2c78fe3c409c428a0e6fb4e3410a4c680c..8bf4f3881c28c624f13ec8026f0e0a03680791e5 100644 (file)
@@ -55,6 +55,7 @@ uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base);
 uint8_t param_getdec(const char *line, int paramnum, uint8_t *destination);
 uint8_t param_isdec(const char *line, int paramnum);
 int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt);
+int param_gethex_ex(const char *line, int paramnum, uint8_t * data, int *hexcnt);
 int param_getstr(const char *line, int paramnum, char * str);
 
  int hextobinarray( char *target,  char *source);
index aa80491b58f2b94d61313e01e1b4b4a2f64ac6a5..0a523da3ab993021fc13318903c3114a9326c16c 100644 (file)
 
 
 typedef struct {
-       uint8_t app_limit;
-       uint8_t otp[2];
-       uint8_t block_writelock;
-       uint8_t chip_config;
-       uint8_t mem_config;
-       uint8_t eas;
-       uint8_t fuses;
+       uint8_t app_limit;      //[8]
+       uint8_t otp[2];         //[9-10]
+       uint8_t block_writelock;//[11]
+       uint8_t chip_config;    //[12]
+       uint8_t mem_config;     //[13]
+       uint8_t eas;            //[14]
+       uint8_t fuses;          //[15]
 }picopass_conf_block;
 
 
@@ -74,24 +74,54 @@ void fuse_config(const picopass_hdr *hdr)
        if( isset( fuses, FUSE_RA)) prnt("      RA: Read access enabled");
        else prnt("     RA: Read access not enabled");
 }
-void mem_config(const picopass_hdr *hdr)
-{
-       uint8_t mem = hdr->conf.mem_config;
-       if( isset (mem, 0x80)) prnt("   Mem: 16KBits (255 * 8 bytes)");
-       else prnt("     Mem: 2 KBits ( 32 * 8 bytes)");
 
+void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb) {
+       // mem-bit 5, mem-bit 7, chip-bit 4: defines chip type
+       if(isset(chip_cfg, 0x10) && notset(mem_cfg, 0x80) && notset(mem_cfg, 0x20)) {
+               *kb = 2;
+               *app_areas = 2;
+               *max_blk = 31;
+       } else if(isset(chip_cfg, 0x10) && isset(mem_cfg, 0x80) && notset(mem_cfg, 0x20)) {
+               *kb = 16;
+               *app_areas = 2;
+               *max_blk = 255; //16kb
+       } else if(notset(chip_cfg, 0x10) && notset(mem_cfg, 0x80) && notset(mem_cfg, 0x20)) {
+               *kb = 16;
+               *app_areas = 16;
+               *max_blk = 255; //16kb
+       } else if(isset(chip_cfg, 0x10) && isset(mem_cfg, 0x80) && isset(mem_cfg, 0x20)) {
+               *kb = 32;
+               *app_areas = 3;
+               *max_blk = 255; //16kb
+       } else if(notset(chip_cfg, 0x10) && notset(mem_cfg, 0x80) && isset(mem_cfg, 0x20)) {
+               *kb = 32;
+               *app_areas = 17;
+               *max_blk = 255; //16kb
+       } else {
+               *kb = 32;
+               *app_areas = 2;
+               *max_blk = 255;
+       }
 }
-void applimit_config(const picopass_hdr *hdr)
+
+void mem_app_config(const picopass_hdr *hdr)
 {
+       uint8_t mem = hdr->conf.mem_config;
+       uint8_t chip = hdr->conf.chip_config;
        uint8_t applimit = hdr->conf.app_limit;
-       prnt("  AA1: blocks 6-%d", applimit);
-       prnt("  AA2: blocks %d-", (applimit+1));
+       if (applimit < 6) applimit = 26;
+       uint8_t kb = 2;
+       uint8_t app_areas = 2;
+       uint8_t max_blk = 31;
+       getMemConfig(mem, chip, &max_blk, &app_areas, &kb);
+       prnt("  Mem: %u KBits/%u App Areas (%u * 8 bytes) [%02X]", kb, app_areas, max_blk, mem);
+       prnt("  AA1: blocks 06-%02X", applimit);
+       prnt("  AA2: blocks %02X-%02X", applimit+1, max_blk);
 }
 void print_picopass_info(const picopass_hdr *hdr)
 {
        fuse_config(hdr);
-       mem_config(hdr);
-       applimit_config(hdr);
+       mem_app_config(hdr);
 }
 void printIclassDumpInfo(uint8_t* iclass_dump)
 {
index 580342728b866ee7f76d3f09537580da1c43c72d..177632aafacf5afa4e042582156ab24914889333 100644 (file)
@@ -99,7 +99,7 @@ NXP/Philips CUSTOM COMMANDS
 #define ICLASS_CMD_CHECK            0x05
 #define ICLASS_CMD_DETECT           0x0F
 #define ICLASS_CMD_HALT             0x00
-#define ICLASS_CMD_UPDATE                      0x87
+#define ICLASS_CMD_UPDATE           0x87
 #define ICLASS_CMD_ACT              0x8E
 #define ICLASS_CMD_READ4            0x06
 
@@ -196,5 +196,6 @@ NXP/Philips CUSTOM COMMANDS
 
 
 void printIclassDumpInfo(uint8_t* iclass_dump);
+void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb);
 
 #endif // PROTOCOLS_H
index a58feb383499e4cb85d4dffa7eef654ea432e6cf..0f649a69ab40490f7b95703cceba2cac02bc964c 100644 (file)
@@ -133,12 +133,17 @@ typedef struct{
 #define CMD_EPA_PACE_COLLECT_NONCE                                        0x038A
 #define CMD_EPA_PACE_REPLAY                                               0x038B
 
+#define CMD_ICLASS_READCHECK                                              0x038F
+#define CMD_ICLASS_CLONE                                                  0x0390
+#define CMD_ICLASS_DUMP                                                   0x0391
 #define CMD_SNOOP_ICLASS                                                  0x0392
 #define CMD_SIMULATE_TAG_ICLASS                                           0x0393
 #define CMD_READER_ICLASS                                                 0x0394
 #define CMD_READER_ICLASS_REPLAY                                          0x0395
-#define CMD_ICLASS_ISO14443A_WRITE                                        0x0397
+#define CMD_ICLASS_READBLOCK                                              0x0396
+#define CMD_ICLASS_WRITEBLOCK                                             0x0397
 #define CMD_ICLASS_EML_MEMSET                                             0x0398
+#define CMD_ICLASS_AUTHENTICATION                                         0x0399
 
 // For measurements of the antenna tuning
 #define CMD_MEASURE_ANTENNA_TUNING                                        0x0400
@@ -209,6 +214,7 @@ typedef struct{
 #define FLAG_ICLASS_READER_CONF         0x08
 #define FLAG_ICLASS_READER_AA           0x10
 #define FLAG_ICLASS_READER_ONE_TRY      0x20
+#define FLAG_ICLASS_READER_CEDITKEY     0x40
 
 
 
Impressum, Datenschutz