From: Martin Holst Swende Date: Fri, 19 Sep 2014 07:45:38 +0000 (+0200) Subject: Merge remote-tracking branch 'origin/master' into PenturaLabs-iclass-research X-Git-Tag: v2.0.0-rc1~88^2 X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/e6ee6c4cd135c29fcd3812e0ceea8fe17497700d?hp=9e28ee9f14e844ab073edca54404eda3cd5d2369 Merge remote-tracking branch 'origin/master' into PenturaLabs-iclass-research --- diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 00000000..ef225ce2 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,4 @@ +# .gitattributes +# prevent binary files from CRLF handling, diff and merge: +fpga/fpga.bit -crlf -diff + \ No newline at end of file diff --git a/.gitignore b/.gitignore index ea93d61f..07669e14 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,8 @@ # .gitignore # don't push these files to the repository +*.log +*.eml *.o *.a *.d diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index d5dd05ca..9a80a177 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -507,6 +507,7 @@ void RAMFUNC SnoopIso14443a(uint8_t param) { LEDsoff(); // init trace buffer iso14a_clear_trace(); + iso14a_set_tracing(TRUE); // We won't start recording the frames that we acquire until we trigger; // a good trigger condition to get started is probably when we see a @@ -1861,10 +1862,9 @@ void ReaderIso14443a(UsbCommand *c) if(param & ISO14A_APPEND_CRC) { AppendCrc14443a(cmd,len); len += 2; - lenbits += 16; + if (lenbits) lenbits += 16; } if(lenbits>0) { - ReaderTransmitBitsPar(cmd,lenbits,GetParity(cmd,lenbits/8), NULL); } else { ReaderTransmit(cmd,len, NULL); @@ -2206,9 +2206,12 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * if (MF_DBGLEVEL >= 1) { if (!_7BUID) { - Dbprintf("4B UID: %02x%02x%02x%02x",rUIDBCC1[0] , rUIDBCC1[1] , rUIDBCC1[2] , rUIDBCC1[3]); + Dbprintf("4B UID: %02x%02x%02x%02x", + rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]); } else { - Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",rUIDBCC1[0] , rUIDBCC1[1] , rUIDBCC1[2] , rUIDBCC1[3],rUIDBCC2[0],rUIDBCC2[1] ,rUIDBCC2[2] , rUIDBCC2[3]); + Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x", + rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], + rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]); } } @@ -2276,7 +2279,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * // select card if (len == 9 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) { - EmSendCmd(_7BUID?rSAK1:rSAK, sizeof(_7BUID?rSAK1:rSAK)); + EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK)); cuid = bytes_to_num(rUIDBCC1, 4); if (!_7BUID) { cardSTATE = MFEMUL_WORK; @@ -2318,10 +2321,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * // test if auth OK if (cardRr != prng_successor(nonce, 64)){ - if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x",cardRr, prng_successor(nonce, 64)); + if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x", + cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B', + cardRr, prng_successor(nonce, 64)); // Shouldn't we respond anything here? // Right now, we don't nack or anything, which causes the // reader to do a WUPA after a while. /Martin + // -- which is the correct response. /piwi cardSTATE_TO_IDLE(); LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE); LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE); @@ -2335,7 +2341,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); LED_C_ON(); cardSTATE = MFEMUL_WORK; - if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sector=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer); + if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", + cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B', + GetTickCount() - authTimer); break; } case MFEMUL_SELECT2:{ @@ -2393,12 +2401,12 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); if (!encrypted_data) { // first authentication - if (MF_DBGLEVEL >= 2) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); + if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce } else { // nested authentication - if (MF_DBGLEVEL >= 2) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); + if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); num_to_bytes(ans, 4, rAUTH_AT); } @@ -2429,9 +2437,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * if(receivedCmd[0] == 0x30 // read block || receivedCmd[0] == 0xA0 // write block - || receivedCmd[0] == 0xC0 - || receivedCmd[0] == 0xC1 - || receivedCmd[0] == 0xC2 // inc dec restore + || receivedCmd[0] == 0xC0 // inc + || receivedCmd[0] == 0xC1 // dec + || receivedCmd[0] == 0xC2 // restore || receivedCmd[0] == 0xB0) { // transfer if (receivedCmd[1] >= 16 * 4) { EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); @@ -2447,7 +2455,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // read block if (receivedCmd[0] == 0x30) { - if (MF_DBGLEVEL >= 2) { + if (MF_DBGLEVEL >= 4) { Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]); } emlGetMem(response, receivedCmd[1], 1); @@ -2463,7 +2471,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // write block if (receivedCmd[0] == 0xA0) { - if (MF_DBGLEVEL >= 2) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd[1],receivedCmd[1]); + if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd[1],receivedCmd[1]); EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); cardSTATE = MFEMUL_WRITEBL2; cardWRBL = receivedCmd[1]; @@ -2471,7 +2479,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // increment, decrement, restore if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) { - if (MF_DBGLEVEL >= 2) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]); + if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]); if (emlCheckValBl(receivedCmd[1])) { if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking"); EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); @@ -2489,7 +2497,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // transfer if (receivedCmd[0] == 0xB0) { - if (MF_DBGLEVEL >= 2) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]); + if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]); if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1])) EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); else @@ -2624,7 +2632,8 @@ void RAMFUNC SniffMifare(uint8_t param) { // C(red) A(yellow) B(green) LEDsoff(); // init trace buffer - iso14a_clear_trace(); + iso14a_clear_trace(); + iso14a_set_tracing(TRUE); // The command (reader -> tag) that we're receiving. // The length of a received command will in most cases be no more than 18 bytes. diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c index 6a491b53..42dee56e 100644 --- a/armsrc/mifarecmd.c +++ b/armsrc/mifarecmd.c @@ -14,7 +14,7 @@ #include "apps.h" //----------------------------------------------------------------------------- -// Select, Authenticaate, Read an MIFARE tag. +// Select, Authenticate, Read a MIFARE tag. // read block //----------------------------------------------------------------------------- void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) @@ -35,7 +35,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) pcs = &mpcs; // clear trace - iso14a_clear_trace(); + iso14a_clear_trace(); // iso14a_set_tracing(false); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); @@ -46,22 +46,22 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) while (true) { if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); + if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); break; }; if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth error"); + if (MF_DBGLEVEL >= 1) Dbprintf("Auth error"); break; }; if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block error"); + if (MF_DBGLEVEL >= 1) Dbprintf("Read block error"); break; }; if(mifare_classic_halt(pcs, cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); + if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); break; }; @@ -74,20 +74,11 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED"); - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); - -// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; -// memcpy(ack.d.asBytes, dataoutbuf, 16); - LED_B_ON(); - cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16); LED_B_OFF(); - - // Thats it... + // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); // iso14a_set_tracing(TRUE); @@ -148,9 +139,10 @@ void MifareUReadBlock(uint8_t arg0,uint8_t *datain) LEDsoff(); } + //----------------------------------------------------------------------------- -// Select, Authenticaate, Read an MIFARE tag. -// read sector (data = 4 x 16 bytes = 64 bytes) +// Select, Authenticate, Read a MIFARE tag. +// read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes) //----------------------------------------------------------------------------- void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) { @@ -161,8 +153,8 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) ui64Key = bytes_to_num(datain, 6); // variables - byte_t isOK = 0; - byte_t dataoutbuf[16 * 4]; + byte_t isOK; + byte_t dataoutbuf[16 * 16]; uint8_t uid[10]; uint32_t cuid; struct Crypto1State mpcs = {0, 0}; @@ -170,7 +162,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) pcs = &mpcs; // clear trace - iso14a_clear_trace(); + iso14a_clear_trace(); // iso14a_set_tracing(false); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); @@ -179,72 +171,47 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) LED_B_OFF(); LED_C_OFF(); - while (true) { - if(!iso14443a_select_card(uid, NULL, &cuid)) { + isOK = 1; + if(!iso14443a_select_card(uid, NULL, &cuid)) { + isOK = 0; if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; + } - if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) { + + if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) { + isOK = 0; if (MF_DBGLEVEL >= 1) Dbprintf("Auth error"); + } + + for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) { + if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) { + isOK = 0; + if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo); break; - }; - - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error"); - break; - }; - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error"); - break; - }; - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error"); - break; - }; - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error"); - break; - }; + } + } - if(mifare_classic_halt(pcs, cuid)) { + if(mifare_classic_halt(pcs, cuid)) { if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); - break; - }; - - isOK = 1; - break; } + // ----------------------------- crypto1 destroy crypto1_destroy(pcs); if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED"); - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); - -// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; -// memcpy(ack.d.asBytes, dataoutbuf, 16 * 2); - LED_B_ON(); - cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,32); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); -// SpinDelay(100); - -// memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - cmd_send(CMD_ACK,isOK,0,0,dataoutbuf+32, 32); + cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo)); LED_B_OFF(); // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); // iso14a_set_tracing(TRUE); - } + void MifareUReadCard(uint8_t arg0, uint8_t *datain) { // params @@ -288,25 +255,19 @@ void MifareUReadCard(uint8_t arg0, uint8_t *datain) if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED"); - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); - LED_B_ON(); cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64); - //cmd_send(CMD_ACK,isOK,0,0,dataoutbuf+32, 32); LED_B_OFF(); // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); -// iso14a_set_tracing(TRUE); } //----------------------------------------------------------------------------- -// Select, Authenticaate, Read an MIFARE tag. +// Select, Authenticate, Write a MIFARE tag. // read block //----------------------------------------------------------------------------- void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) @@ -368,15 +329,8 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED"); - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); - -// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - LED_B_ON(); cmd_send(CMD_ACK,isOK,0,0,0,0); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); LED_B_OFF(); @@ -387,6 +341,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) } + void MifareUWriteBlock(uint8_t arg0, uint8_t *datain) { // params @@ -433,13 +388,8 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain) if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED"); - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); - LED_B_ON(); - cmd_send(CMD_ACK,isOK,0,0,0,0); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,isOK,0,0,0,0); LED_B_OFF(); @@ -447,71 +397,67 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain) FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); // iso14a_set_tracing(TRUE); - } + void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain) { - // params - uint8_t blockNo = arg0; - byte_t blockdata[4]; - + // params + uint8_t blockNo = arg0; + byte_t blockdata[4]; + memcpy(blockdata, datain,4); - // variables - byte_t isOK = 0; - uint8_t uid[10]; - uint32_t cuid; - - // clear trace - iso14a_clear_trace(); - // iso14a_set_tracing(false); + // variables + byte_t isOK = 0; + uint8_t uid[10]; + uint32_t cuid; - iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); + // clear trace + iso14a_clear_trace(); + // iso14a_set_tracing(false); - LED_A_ON(); - LED_B_OFF(); - LED_C_OFF(); + iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); - while (true) { - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; + LED_A_ON(); + LED_B_OFF(); + LED_C_OFF(); - if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Write block error"); - break; - }; + while (true) { + if(!iso14443a_select_card(uid, NULL, &cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); + break; + }; - if(mifare_ultra_halt(cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); - break; - }; + if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Write block error"); + break; + }; - isOK = 1; - break; - } + if(mifare_ultra_halt(cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); + break; + }; - if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED"); + isOK = 1; + break; + } - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); + if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED"); - LED_B_ON(); - cmd_send(CMD_ACK,isOK,0,0,0,0); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); + LED_B_ON(); + cmd_send(CMD_ACK,isOK,0,0,0,0); + LED_B_OFF(); - // Thats it... - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - LEDsoff(); + // Thats it... + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); // iso14a_set_tracing(TRUE); } + // Return 1 if the nonce is invalid else return 0 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) { return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \ @@ -520,7 +466,6 @@ int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) { } - //----------------------------------------------------------------------------- // MIFARE nested authentication. // @@ -769,18 +714,11 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) LED_B_OFF(); LED_C_OFF(); -// SpinDelay(300); for (i = 0; i < keyCount; i++) { -// FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); -// SpinDelay(100); -// FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - // prepare next select by sending a HALT. There is no need to power down the card. if(mifare_classic_halt(pcs, cuid)) { if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error"); } - // SpinDelay(50); - if(!iso14443a_select_card(uid, NULL, &cuid)) { if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card"); break; @@ -798,10 +736,6 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // ----------------------------- crypto1 destroy crypto1_destroy(pcs); - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); - LED_B_ON(); cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6); LED_B_OFF(); @@ -823,6 +757,7 @@ void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai Dbprintf("Debug level: %d", MF_DBGLEVEL); } + //----------------------------------------------------------------------------- // Work with emulator memory // @@ -831,29 +766,29 @@ void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) emlClearMem(); } + void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ emlSetMem(datain, arg0, arg1); // data, block num, blocks count } + void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ -// UsbCommand ack = {CMD_ACK, {arg0, arg1, 0}}; - byte_t buf[48]; - emlGetMem(buf, arg0, arg1); // data, block num, blocks count + byte_t buf[48]; + emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4) LED_B_ON(); - cmd_send(CMD_ACK,arg0,arg1,0,buf,48); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,arg0,arg1,0,buf,48); LED_B_OFF(); } + //----------------------------------------------------------------------------- // Load a card into the emulator memory // //----------------------------------------------------------------------------- void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ - int i; - uint8_t sectorNo = 0; + uint8_t numSectors = arg0; uint8_t keyType = arg1; uint64_t ui64Key = 0; uint32_t cuid; @@ -876,63 +811,51 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai LED_B_OFF(); LED_C_OFF(); - while (true) { - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; - - for (i = 0; i < 16; i++) { - sectorNo = i; - ui64Key = emlGetKey(sectorNo, keyType); - - if (!i){ - if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%d]. Auth error", i); - break; - } - } else { - if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_NESTED)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%d]. Auth nested error", i); - break; - } - } + bool isOK = true; + + if(!iso14443a_select_card(uid, NULL, &cuid)) { + isOK = false; + if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); + } - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error"); + for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) { + ui64Key = emlGetKey(sectorNo, keyType); + if (sectorNo == 0){ + if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) { + isOK = false; + if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo); break; - }; - emlSetMem(dataoutbuf, sectorNo * 4 + 0, 1); - - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error"); - break; - }; - emlSetMem(dataoutbuf, sectorNo * 4 + 1, 1); - - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error"); + } + } else { + if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) { + isOK = false; + if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo); break; - }; - emlSetMem(dataoutbuf, sectorNo * 4 + 2, 1); - - // get block 3 bytes 6-9 - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error"); + } + } + + for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) { + if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) { + isOK = false; + if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo); break; }; - emlGetMem(dataoutbuf2, sectorNo * 4 + 3, 1); - memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4); - emlSetMem(dataoutbuf2, sectorNo * 4 + 3, 1); + if (isOK) { + if (blockNo < NumBlocksPerSector(sectorNo) - 1) { + emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1); + } else { // sector trailer, keep the keys, set only the AC + emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1); + memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4); + emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1); + } + } } - if(mifare_classic_halt(pcs, cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); - break; - }; - - break; - } + } + + if(mifare_classic_halt(pcs, cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); + }; // ----------------------------- crypto1 destroy crypto1_destroy(pcs); @@ -942,16 +865,8 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED"); - // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); } -//----------------------------------------------------------------------------- -// MIFARE 1k emulator -// -//----------------------------------------------------------------------------- - //----------------------------------------------------------------------------- // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn) @@ -1074,22 +989,8 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai break; } -// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; -// if (isOK) memcpy(ack.d.asBytes, uid, 4); - - // add trace trailer - /** - * Removed by Martin, the uid is overwritten with 0x44, - * which can 't be intended. - * - * memset(uid, 0x44, 4); - * LogTrace(uid, 4, 0, 0, TRUE); - **/ - - LED_B_ON(); - cmd_send(CMD_ACK,isOK,0,0,uid,4); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,isOK,0,0,uid,4); LED_B_OFF(); if ((workFlags & 0x10) || (!isOK)) { @@ -1099,6 +1000,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai } } + void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ // params @@ -1171,20 +1073,8 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai break; } -// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; -// if (isOK) memcpy(ack.d.asBytes, data, 18); - - // add trace trailer - /* - * Removed by Martin, this piece of overwrites the 'data' variable - * which is sent two lines down, and is obviously not correct. - * - * memset(data, 0x44, 4); - * LogTrace(data, 4, 0, 0, TRUE); - */ LED_B_ON(); - cmd_send(CMD_ACK,isOK,0,0,data,18); -// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,isOK,0,0,data,18); LED_B_OFF(); if ((workFlags & 0x10) || (!isOK)) { diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c index b847043b..0b93db8f 100644 --- a/armsrc/mifareutil.c +++ b/armsrc/mifareutil.c @@ -453,6 +453,27 @@ int mifare_ultra_halt(uint32_t uid) return 0; } + +// Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards), +// plus evtl. 8 sectors with 16 blocks each (4k cards) +uint8_t NumBlocksPerSector(uint8_t sectorNo) +{ + if (sectorNo < 32) + return 4; + else + return 16; +} + +uint8_t FirstBlockOfSector(uint8_t sectorNo) +{ + if (sectorNo < 32) + return sectorNo * 4; + else + return 32*4 + (sectorNo - 32) * 16; + +} + + // work with emulator memory void emlSetMem(uint8_t *data, int blockNum, int blocksCount) { uint8_t* emCARD = eml_get_bigbufptr_cardmem(); @@ -522,7 +543,7 @@ uint64_t emlGetKey(int sectorNum, int keyType) { uint8_t key[6]; uint8_t* emCARD = eml_get_bigbufptr_cardmem(); - memcpy(key, emCARD + 3 * 16 + sectorNum * 4 * 16 + keyType * 10, 6); + memcpy(key, emCARD + 16 * (FirstBlockOfSector(sectorNum) + NumBlocksPerSector(sectorNum) - 1) + keyType * 10, 6); return bytes_to_num(key, 6); } diff --git a/armsrc/mifareutil.h b/armsrc/mifareutil.h index ad637ea0..8708d3dd 100644 --- a/armsrc/mifareutil.h +++ b/armsrc/mifareutil.h @@ -80,6 +80,10 @@ uint8_t* mifare_get_bigbufptr(void); uint8_t* eml_get_bigbufptr_sendbuf(void); uint8_t* eml_get_bigbufptr_recbuf(void); +// Mifare memory structure +uint8_t NumBlocksPerSector(uint8_t sectorNo); +uint8_t FirstBlockOfSector(uint8_t sectorNo); + // emulator functions void emlClearMem(void); void emlSetMem(uint8_t *data, int blockNum, int blocksCount); diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index d16d71ff..39bdcf40 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -183,27 +183,29 @@ void iso14a_set_timeout(uint32_t timeout) { int CmdHF14AReader(const char *Cmd) { - UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}}; + UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}}; SendCommand(&c); UsbCommand resp; WaitForResponse(CMD_ACK,&resp); - iso14a_card_select_t *card = (iso14a_card_select_t *)resp.d.asBytes; + iso14a_card_select_t card; + memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t)); - if(resp.arg[0] == 0) { + uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS + + if(select_status == 0) { PrintAndLog("iso14443a card select failed"); return 0; } - PrintAndLog("ATQA : %02x %02x", card->atqa[0], card->atqa[1]); - PrintAndLog(" UID : %s", sprint_hex(card->uid, card->uidlen)); - PrintAndLog(" SAK : %02x [%d]", card->sak, resp.arg[0]); + PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]); + PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen)); + PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]); - switch (card->sak) { + switch (card.sak) { case 0x00: PrintAndLog("TYPE : NXP MIFARE Ultralight | Ultralight C"); break; case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break; - case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break; case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break; case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break; @@ -217,67 +219,107 @@ int CmdHF14AReader(const char *Cmd) case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break; default: ; } - if(resp.arg[0] == 1) { + + + // try to request ATS even if tag claims not to support it + if (select_status == 2) { + uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 + c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT; + c.arg[1] = 2; + c.arg[2] = 0; + memcpy(c.d.asBytes, rats, 2); + SendCommand(&c); + WaitForResponse(CMD_ACK,&resp); + + memcpy(&card.ats, resp.d.asBytes, resp.arg[0]); + card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes + } + + // disconnect + c.arg[0] = 0; + c.arg[1] = 0; + c.arg[2] = 0; + SendCommand(&c); + + + if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes bool ta1 = 0, tb1 = 0, tc1 = 0; int pos; - PrintAndLog(" ATS : %s", sprint_hex(card->ats, card->ats_len)); - if (card->ats_len > 0) { - PrintAndLog(" - TL : length is %d bytes", card->ats[0]); + if (select_status == 2) { + PrintAndLog("SAK incorrectly claims that card doesn't support RATS"); } - if (card->ats_len > 1) { - ta1 = (card->ats[1] & 0x10) == 0x10; - tb1 = (card->ats[1] & 0x20) == 0x20; - tc1 = (card->ats[1] & 0x40) == 0x40; + PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len)); + PrintAndLog(" - TL : length is %d bytes", card.ats[0]); + if (card.ats[0] != card.ats_len - 2) { + PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len); + } + + if (card.ats[0] > 1) { // there is a format byte (T0) + ta1 = (card.ats[1] & 0x10) == 0x10; + tb1 = (card.ats[1] & 0x20) == 0x20; + tc1 = (card.ats[1] & 0x40) == 0x40; + int16_t fsci = card.ats[1] & 0x0f; PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, " - "TC1 is%s present, FSCI is %d", + "TC1 is%s present, FSCI is %d (FSC = %ld)", (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"), - (card->ats[1] & 0x0f)); + fsci, + fsci < 5 ? (fsci - 2) * 8 : + fsci < 8 ? (fsci - 3) * 32 : + fsci == 8 ? 256 : + -1 + ); } pos = 2; - if (ta1 && card->ats_len > pos) { + if (ta1) { char dr[16], ds[16]; dr[0] = ds[0] = '\0'; - if (card->ats[pos] & 0x10) strcat(ds, "2, "); - if (card->ats[pos] & 0x20) strcat(ds, "4, "); - if (card->ats[pos] & 0x40) strcat(ds, "8, "); - if (card->ats[pos] & 0x01) strcat(dr, "2, "); - if (card->ats[pos] & 0x02) strcat(dr, "4, "); - if (card->ats[pos] & 0x04) strcat(dr, "8, "); + if (card.ats[pos] & 0x10) strcat(ds, "2, "); + if (card.ats[pos] & 0x20) strcat(ds, "4, "); + if (card.ats[pos] & 0x40) strcat(ds, "8, "); + if (card.ats[pos] & 0x01) strcat(dr, "2, "); + if (card.ats[pos] & 0x02) strcat(dr, "4, "); + if (card.ats[pos] & 0x04) strcat(dr, "8, "); if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0'; if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0'; PrintAndLog(" - TA1 : different divisors are%s supported, " "DR: [%s], DS: [%s]", - (card->ats[pos] & 0x80 ? " NOT" : ""), dr, ds); + (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds); pos++; } - if (tb1 && card->ats_len > pos) { - PrintAndLog(" - TB1 : SFGI = %d, FWI = %d", - (card->ats[pos] & 0x08), - (card->ats[pos] & 0x80) >> 4); + if (tb1) { + uint32_t sfgi = card.ats[pos] & 0x0F; + uint32_t fwi = card.ats[pos] >> 4; + PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)", + (sfgi), + sfgi ? "" : "(not needed) ", + sfgi ? (1 << 12) << sfgi : 0, + fwi, + (1 << 12) << fwi + ); pos++; } - if (tc1 && card->ats_len > pos) { + if (tc1) { PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported", - (card->ats[pos] & 0x01) ? "" : " NOT", - (card->ats[pos] & 0x02) ? "" : " NOT"); + (card.ats[pos] & 0x01) ? "" : " NOT", + (card.ats[pos] & 0x02) ? "" : " NOT"); pos++; } - if (card->ats_len > pos) { + if (card.ats[0] > pos) { char *tip = ""; - if (card->ats_len - pos > 7) { - if (memcmp(card->ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) { + if (card.ats[0] - pos >= 7) { + if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) { tip = "-> MIFARE Plus X 2K or 4K"; - } else if (memcmp(card->ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) { + } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) { tip = "-> MIFARE Plus S 2K or 4K"; } } - PrintAndLog(" - HB : %s%s", sprint_hex(card->ats + pos, card->ats_len - pos - 2), tip); - if (card->ats[pos] == 0xC1) { + PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip); + if (card.ats[pos] == 0xC1) { PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type"); PrintAndLog(" %02x -> Length is %d bytes", - card->ats[pos + 1], card->ats[pos + 1]); - switch (card->ats[pos + 2] & 0xf0) { + card.ats[pos + 1], card.ats[pos + 1]); + switch (card.ats[pos + 2] & 0xf0) { case 0x10: PrintAndLog(" 1x -> MIFARE DESFire"); break; @@ -285,7 +327,7 @@ int CmdHF14AReader(const char *Cmd) PrintAndLog(" 2x -> MIFARE Plus"); break; } - switch (card->ats[pos + 2] & 0x0f) { + switch (card.ats[pos + 2] & 0x0f) { case 0x00: PrintAndLog(" x0 -> <1 kByte"); break; @@ -302,7 +344,7 @@ int CmdHF14AReader(const char *Cmd) PrintAndLog(" x0 -> 8 kByte"); break; } - switch (card->ats[pos + 3] & 0xf0) { + switch (card.ats[pos + 3] & 0xf0) { case 0x00: PrintAndLog(" 0x -> Engineering sample"); break; @@ -310,7 +352,7 @@ int CmdHF14AReader(const char *Cmd) PrintAndLog(" 2x -> Released"); break; } - switch (card->ats[pos + 3] & 0x0f) { + switch (card.ats[pos + 3] & 0x0f) { case 0x00: PrintAndLog(" x0 -> Generation 1"); break; @@ -321,7 +363,7 @@ int CmdHF14AReader(const char *Cmd) PrintAndLog(" x2 -> Generation 3"); break; } - switch (card->ats[pos + 4] & 0x0f) { + switch (card.ats[pos + 4] & 0x0f) { case 0x00: PrintAndLog(" x0 -> Only VCSL supported"); break; @@ -335,10 +377,10 @@ int CmdHF14AReader(const char *Cmd) } } } else { - PrintAndLog("proprietary non iso14443a-4 card found, RATS not supported"); - } + PrintAndLog("proprietary non iso14443-4 card found, RATS not supported"); + } - return resp.arg[0]; + return select_status; } // Collect ISO14443 Type A UIDs @@ -357,23 +399,20 @@ int CmdHF14ACUIDs(const char *Cmd) UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}}; SendCommand(&c); - UsbCommand resp; - WaitForResponse(CMD_ACK,&resp); + UsbCommand resp; + WaitForResponse(CMD_ACK,&resp); - uint8_t *uid = resp.d.asBytes; - iso14a_card_select_t *card = (iso14a_card_select_t *)(uid + 12); + iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes; // check if command failed if (resp.arg[0] == 0) { PrintAndLog("Card select failed."); } else { - // check if UID is 4 bytes - if ((card->atqa[1] & 0xC0) == 0) { - PrintAndLog("%02X%02X%02X%02X", - *uid, *(uid + 1), *(uid + 2), *(uid + 3)); - } else { - PrintAndLog("UID longer than 4 bytes"); + char uid_string[20]; + for (uint16_t i = 0; i < card->uidlen; i++) { + sprintf(&uid_string[2*i], "%02X", card->uid[i]); } + PrintAndLog("%s", uid_string); } } PrintAndLog("End: %u", time(NULL)); diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index a2665256..b66aa3a6 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -121,7 +121,7 @@ int CmdHF14AMfWrBl(const char *Cmd) PrintAndLog("Block data must include 32 HEX symbols"); return 1; } - PrintAndLog("--block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6)); + PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6)); PrintAndLog("--data: %s", sprint_hex(bldata, 16)); UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}}; @@ -168,7 +168,7 @@ int CmdHF14AMfUWrBl(const char *Cmd) if (!chinese_card){ PrintAndLog("Access Denied"); }else{ - PrintAndLog("--specialblock no:%02x", blockNo); + PrintAndLog("--specialblock no:%d", blockNo); PrintAndLog("--data: %s", sprint_hex(bldata, 4)); UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}}; memcpy(d.d.asBytes,bldata, 4); @@ -186,7 +186,7 @@ int CmdHF14AMfUWrBl(const char *Cmd) if (!chinese_card){ PrintAndLog("Access Denied"); }else{ - PrintAndLog("--specialblock no:%02x", blockNo); + PrintAndLog("--specialblock no:%d", blockNo); PrintAndLog("--data: %s", sprint_hex(bldata, 4)); UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}}; memcpy(d.d.asBytes,bldata, 4); @@ -204,7 +204,7 @@ int CmdHF14AMfUWrBl(const char *Cmd) if (!chinese_card){ PrintAndLog("Access Denied"); }else{ - PrintAndLog("--specialblock no:%02x", blockNo); + PrintAndLog("--specialblock no:%d", blockNo); PrintAndLog("--data: %s", sprint_hex(bldata, 4)); UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}}; memcpy(c.d.asBytes, bldata, 4); @@ -219,7 +219,7 @@ int CmdHF14AMfUWrBl(const char *Cmd) } break; case 3: - PrintAndLog("--specialblock no:%02x", blockNo); + PrintAndLog("--specialblock no:%d", blockNo); PrintAndLog("--data: %s", sprint_hex(bldata, 4)); UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}}; memcpy(d.d.asBytes,bldata, 4); @@ -233,7 +233,7 @@ int CmdHF14AMfUWrBl(const char *Cmd) } break; default: - PrintAndLog("--block no:%02x", blockNo); + PrintAndLog("--block no:%d", blockNo); PrintAndLog("--data: %s", sprint_hex(bldata, 4)); UsbCommand e = {CMD_MIFAREU_WRITEBL, {blockNo}}; memcpy(e.d.asBytes,bldata, 4); @@ -250,6 +250,7 @@ int CmdHF14AMfUWrBl(const char *Cmd) return 0; } + int CmdHF14AMfRdBl(const char *Cmd) { uint8_t blockNo = 0; @@ -276,7 +277,7 @@ int CmdHF14AMfRdBl(const char *Cmd) PrintAndLog("Key must include 12 HEX symbols"); return 1; } - PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6)); + PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6)); UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); @@ -284,8 +285,8 @@ int CmdHF14AMfRdBl(const char *Cmd) UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { - uint8_t isOK = resp.arg[0] & 0xff; - uint8_t * data = resp.d.asBytes; + uint8_t isOK = resp.arg[0] & 0xff; + uint8_t *data = resp.d.asBytes; if (isOK) PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16)); @@ -300,66 +301,67 @@ int CmdHF14AMfRdBl(const char *Cmd) int CmdHF14AMfURdBl(const char *Cmd) { - uint8_t blockNo = 0; + uint8_t blockNo = 0; - if (strlen(Cmd)<1) { - PrintAndLog("Usage: hf mf urdbl "); - PrintAndLog(" sample: hf mf urdbl 0"); - return 0; - } + if (strlen(Cmd)<1) { + PrintAndLog("Usage: hf mf urdbl "); + PrintAndLog(" sample: hf mf urdbl 0"); + return 0; + } - blockNo = param_get8(Cmd, 0); - PrintAndLog("--block no:%02x", blockNo); + blockNo = param_get8(Cmd, 0); + PrintAndLog("--block no:%d", blockNo); - UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}}; - SendCommand(&c); - - UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { - uint8_t isOK = resp.arg[0] & 0xff; - uint8_t * data = resp.d.asBytes; + UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}}; + SendCommand(&c); - if (isOK) - PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4)); - else - PrintAndLog("isOk:%02x", isOK); - } else { - PrintAndLog("Command execute timeout"); - } + UsbCommand resp; + if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + uint8_t isOK = resp.arg[0] & 0xff; + uint8_t *data = resp.d.asBytes; + + if (isOK) + PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4)); + else + PrintAndLog("isOk:%02x", isOK); + } else { + PrintAndLog("Command execute timeout"); + } - return 0; + return 0; } + int CmdHF14AMfURdCard(const char *Cmd) { - int i; - uint8_t sectorNo = 0; + int i; + uint8_t sectorNo = 0; uint8_t *lockbytes_t=NULL; uint8_t lockbytes[2]={0,0}; bool bit[16]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; - uint8_t isOK = 0; - uint8_t * data = NULL; + uint8_t isOK = 0; + uint8_t * data = NULL; - if (sectorNo > 15) { - PrintAndLog("Sector number must be less than 16"); - return 1; - } - PrintAndLog("Attempting to Read Ultralight... "); + if (sectorNo > 15) { + PrintAndLog("Sector number must be less than 16"); + return 1; + } + PrintAndLog("Attempting to Read Ultralight... "); UsbCommand c = {CMD_MIFAREU_READCARD, {sectorNo}}; SendCommand(&c); - UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { - isOK = resp.arg[0] & 0xff; - data = resp.d.asBytes; - - PrintAndLog("isOk:%02x", isOK); - if (isOK) - for (i = 0; i < 16; i++) { - switch(i){ - case 2: + UsbCommand resp; + if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + isOK = resp.arg[0] & 0xff; + data = resp.d.asBytes; + + PrintAndLog("isOk:%02x", isOK); + if (isOK) + for (i = 0; i < 16; i++) { + switch(i){ + case 2: //process lock bytes lockbytes_t=data+(i*4); lockbytes[0]=lockbytes_t[2]; @@ -369,68 +371,67 @@ int CmdHF14AMfURdCard(const char *Cmd) } //PrintAndLog("LB %02x %02x", lockbytes[0],lockbytes[1]); //PrintAndLog("LB2b %02x %02x %02x %02x %02x %02x %02x %02x",bit[8],bit[9],bit[10],bit[11],bit[12],bit[13],bit[14],bit[15]); - PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4)); + PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4)); break; - case 3: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[4]); + case 3: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[4]); break; - case 4: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[3]); + case 4: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[3]); break; - case 5: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[2]); + case 5: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[2]); break; - case 6: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[1]); + case 6: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[1]); break; - case 7: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[0]); + case 7: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[0]); break; - case 8: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[15]); + case 8: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[15]); break; - case 9: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[14]); + case 9: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[14]); break; - case 10: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[13]); + case 10: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[13]); break; - case 11: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[12]); + case 11: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[12]); break; - case 12: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[11]); + case 12: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[11]); break; - case 13: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[10]); + case 13: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[10]); break; - case 14: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[9]); + case 14: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[9]); break; - case 15: - PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[8]); + case 15: + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[8]); break; - default: - PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4)); + default: + PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4)); break; } } } else { - PrintAndLog("Command1 execute timeout"); + PrintAndLog("Command execute timeout"); } return 0; } + int CmdHF14AMfRdSc(const char *Cmd) { int i; uint8_t sectorNo = 0; uint8_t keyType = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; - uint8_t isOK = 0; - uint8_t * data = NULL; - + uint8_t *data = NULL; char cmdp = 0x00; if (strlen(Cmd)<3) { @@ -440,12 +441,12 @@ int CmdHF14AMfRdSc(const char *Cmd) } sectorNo = param_get8(Cmd, 0); - if (sectorNo > 63) { - PrintAndLog("Sector number must be less than 64"); + if (sectorNo > 39) { + PrintAndLog("Sector number must be less than 40"); return 1; } cmdp = param_getchar(Cmd, 1); - if (cmdp == 0x00) { + if (cmdp != 'a' && cmdp != 'A' && cmdp != 'b' && cmdp != 'B') { PrintAndLog("Key type must be A or B"); return 1; } @@ -454,11 +455,11 @@ int CmdHF14AMfRdSc(const char *Cmd) PrintAndLog("Key must include 12 HEX symbols"); return 1; } - PrintAndLog("--sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6)); + PrintAndLog("--sector no:%d key type:%c key:%s ", sectorNo, keyType?'B':'A', sprint_hex(key, 6)); - UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}}; + UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); - SendCommand(&c); + SendCommand(&c); PrintAndLog(" "); UsbCommand resp; @@ -467,95 +468,123 @@ int CmdHF14AMfRdSc(const char *Cmd) data = resp.d.asBytes; PrintAndLog("isOk:%02x", isOK); - if (isOK) - for (i = 0; i < 2; i++) { - PrintAndLog("data:%s", sprint_hex(data + i * 16, 16)); + if (isOK) { + for (i = 0; i < (sectorNo<32?3:15); i++) { + PrintAndLog("data : %s", sprint_hex(data + i * 16, 16)); } + PrintAndLog("trailer: %s", sprint_hex(data + (sectorNo<32?3:15) * 16, 16)); + } } else { - PrintAndLog("Command1 execute timeout"); + PrintAndLog("Command execute timeout"); } - // response2 - PrintAndLog(" "); - if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { - isOK = resp.arg[0] & 0xff; - data = resp.d.asBytes; + return 0; +} - if (isOK) - for (i = 0; i < 2; i++) { - PrintAndLog("data:%s", sprint_hex(data + i * 16, 16)); - } + +uint8_t FirstBlockOfSector(uint8_t sectorNo) +{ + if (sectorNo < 32) { + return sectorNo * 4; } else { - PrintAndLog("Command2 execute timeout"); + return 32 * 4 + (sectorNo - 32) * 16; } - - return 0; } + +uint8_t NumBlocksPerSector(uint8_t sectorNo) +{ + if (sectorNo < 32) { + return 4; + } else { + return 16; + } +} + + int CmdHF14AMfDump(const char *Cmd) { - int i, j; + uint8_t sectorNo, blockNo; uint8_t keyA[40][6]; uint8_t keyB[40][6]; uint8_t rights[40][4]; + uint8_t carddata[256][16]; + uint8_t numSectors = 16; FILE *fin; FILE *fout; UsbCommand resp; + + char cmdp = param_getchar(Cmd, 0); + switch (cmdp) { + case '0' : numSectors = 5; break; + case '1' : + case '\0': numSectors = 16; break; + case '2' : numSectors = 32; break; + case '4' : numSectors = 40; break; + default: numSectors = 16; + } - if ((fin = fopen("dumpkeys.bin","rb")) == NULL) { - PrintAndLog("Could not find file dumpkeys.bin"); - return 1; + if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') { + PrintAndLog("Usage: hf mf dump [card memory]"); + PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K"); + PrintAndLog(""); + PrintAndLog("Samples: hf mf dump"); + PrintAndLog(" hf mf dump 4"); + return 0; } - if ((fout = fopen("dumpdata.bin","wb")) == NULL) { - PrintAndLog("Could not create file name dumpdata.bin"); + if ((fin = fopen("dumpkeys.bin","rb")) == NULL) { + PrintAndLog("Could not find file dumpkeys.bin"); return 1; } // Read key file - - for (i=0 ; i<16 ; i++) { - if (fread( keyA[i], 1, 6, fin ) == 0) { - PrintAndLog("File reading error."); + + for (sectorNo=0; sectorNo>4) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>2); - rights[i][1] = ((data[7] & 0x20)>>5) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>3); - rights[i][2] = ((data[7] & 0x40)>>6) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>4); - rights[i][3] = ((data[7] & 0x80)>>7) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>5); - } - else{ - PrintAndLog("Could not get access rights for block %d", i); + rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0 + rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1 + rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2 + rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer + } else { + PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo); + rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00; + rights[sectorNo][3] = 0x01; } - } - else { - PrintAndLog("Command execute timeout"); + } else { + PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo); + rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00; + rights[sectorNo][3] = 0x01; } } @@ -565,85 +594,116 @@ int CmdHF14AMfDump(const char *Cmd) PrintAndLog("|----- Dumping all blocks to file... -----|"); PrintAndLog("|-----------------------------------------|"); - - for (i=0 ; i<16 ; i++) { - for (j=0 ; j<4 ; j++) { - bool received = false; - - if (j == 3){ - UsbCommand c = {CMD_MIFARE_READBL, {i*4 + j, 0, 0}}; - memcpy(c.d.asBytes, keyA[i], 6); + bool isOK = true; + for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) { + for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) { + bool received = false; + if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A. + UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}}; + memcpy(c.d.asBytes, keyA[sectorNo], 6); SendCommand(&c); - received = WaitForResponseTimeout(CMD_ACK,&resp,1500); - } - else{ - if ((rights[i][j] == 6) | (rights[i][j] == 5)) { - UsbCommand c = {CMD_MIFARE_READBL, {i*4+j, 1, 0}}; - memcpy(c.d.asBytes, keyB[i], 6); + received = WaitForResponseTimeout(CMD_ACK,&resp,1500); + } else { // data block. Check if it can be read with key A or key B + uint8_t data_area = sectorNo<32?blockNo:blockNo/5; + if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work + UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}}; + memcpy(c.d.asBytes, keyB[sectorNo], 6); SendCommand(&c); - received = WaitForResponseTimeout(CMD_ACK,&resp,1500); - } - else if (rights[i][j] == 7) { - PrintAndLog("Access rights do not allow reading of sector %d block %d",i,j); - } - else { - UsbCommand c = {CMD_MIFARE_READBL, {i*4+j, 0, 0}}; - memcpy(c.d.asBytes, keyA[i], 6); + received = WaitForResponseTimeout(CMD_ACK,&resp,1500); + } else if (rights[sectorNo][data_area] == 0x07) { // no key would work + isOK = false; + PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo); + } else { // key A would work + UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}}; + memcpy(c.d.asBytes, keyA[sectorNo], 6); SendCommand(&c); - received = WaitForResponseTimeout(CMD_ACK,&resp,1500); + received = WaitForResponseTimeout(CMD_ACK,&resp,1500); } } if (received) { - uint8_t isOK = resp.arg[0] & 0xff; + isOK = resp.arg[0] & 0xff; uint8_t *data = resp.d.asBytes; - if (j == 3) { - data[0] = (keyA[i][0]); - data[1] = (keyA[i][1]); - data[2] = (keyA[i][2]); - data[3] = (keyA[i][3]); - data[4] = (keyA[i][4]); - data[5] = (keyA[i][5]); - data[10] = (keyB[i][0]); - data[11] = (keyB[i][1]); - data[12] = (keyB[i][2]); - data[13] = (keyB[i][3]); - data[14] = (keyB[i][4]); - data[15] = (keyB[i][5]); + if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. Fill in the keys. + data[0] = (keyA[sectorNo][0]); + data[1] = (keyA[sectorNo][1]); + data[2] = (keyA[sectorNo][2]); + data[3] = (keyA[sectorNo][3]); + data[4] = (keyA[sectorNo][4]); + data[5] = (keyA[sectorNo][5]); + data[10] = (keyB[sectorNo][0]); + data[11] = (keyB[sectorNo][1]); + data[12] = (keyB[sectorNo][2]); + data[13] = (keyB[sectorNo][3]); + data[14] = (keyB[sectorNo][4]); + data[15] = (keyB[sectorNo][5]); } if (isOK) { - fwrite ( data, 1, 16, fout ); - PrintAndLog("Dumped card data into 'dumpdata.bin'"); - - } - else { - PrintAndLog("Could not get access rights for block %d", i); + memcpy(carddata[FirstBlockOfSector(sectorNo) + blockNo], data, 16); + PrintAndLog("Successfully read block %2d of sector %2d.", blockNo, sectorNo); + } else { + PrintAndLog("Could not read block %2d of sector %2d", blockNo, sectorNo); + break; } } else { - PrintAndLog("Command execute timeout"); + isOK = false; + PrintAndLog("Command execute timeout when trying to read block %2d of sector %2d.", blockNo, sectorNo); + break; } } + } - + + if (isOK) { + if ((fout = fopen("dumpdata.bin","wb")) == NULL) { + PrintAndLog("Could not create file name dumpdata.bin"); + return 1; + } + uint16_t numblocks = FirstBlockOfSector(numSectors - 1) + NumBlocksPerSector(numSectors - 1); + fwrite(carddata, 1, 16*numblocks, fout); + fclose(fout); + PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks); + } + fclose(fin); - fclose(fout); - return 0; + return 0; } + int CmdHF14AMfRestore(const char *Cmd) { - int i,j; + uint8_t sectorNo,blockNo; uint8_t keyType = 0; uint8_t key[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; - uint8_t keyA[16][6]; - uint8_t keyB[16][6]; + uint8_t keyA[40][6]; + uint8_t keyB[40][6]; + uint8_t numSectors; FILE *fdump; FILE *fkeys; - + + char cmdp = param_getchar(Cmd, 0); + switch (cmdp) { + case '0' : numSectors = 5; break; + case '1' : + case '\0': numSectors = 16; break; + case '2' : numSectors = 32; break; + case '4' : numSectors = 40; break; + default: numSectors = 16; + } + + if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') { + PrintAndLog("Usage: hf mf restore [card memory]"); + PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K"); + PrintAndLog(""); + PrintAndLog("Samples: hf mf restore"); + PrintAndLog(" hf mf restore 4"); + return 0; + } + if ((fdump = fopen("dumpdata.bin","rb")) == NULL) { PrintAndLog("Could not find file dumpdata.bin"); return 1; @@ -653,63 +713,54 @@ int CmdHF14AMfRestore(const char *Cmd) return 1; } - for (i=0 ; i<16 ; i++) { - if (fread(keyA[i], 1, 6, fkeys) == 0) { - PrintAndLog("File reading error."); + for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { + if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) { + PrintAndLog("File reading error (dumpkeys.bin)."); return 2; - } + } } - for (i=0 ; i<16 ; i++) { - if (fread(keyB[i], 1, 6, fkeys) == 0) { - PrintAndLog("File reading error."); + + for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { + if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) { + PrintAndLog("File reading error (dumpkeys.bin)."); return 2; - } + } } - + PrintAndLog("Restoring dumpdata.bin to card"); - for (i=0 ; i<16 ; i++) { - for( j=0 ; j<4 ; j++) { - UsbCommand c = {CMD_MIFARE_WRITEBL, {i*4 + j, keyType, 0}}; + for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { + for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) { + UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); if (fread(bldata, 1, 16, fdump) == 0) { - PrintAndLog("File reading error."); - return 2; - } + PrintAndLog("File reading error (dumpdata.bin)."); + return 2; + } - if (j == 3) { - bldata[0] = (keyA[i][0]); - bldata[1] = (keyA[i][1]); - bldata[2] = (keyA[i][2]); - bldata[3] = (keyA[i][3]); - bldata[4] = (keyA[i][4]); - bldata[5] = (keyA[i][5]); - bldata[10] = (keyB[i][0]); - bldata[11] = (keyB[i][1]); - bldata[12] = (keyB[i][2]); - bldata[13] = (keyB[i][3]); - bldata[14] = (keyB[i][4]); - bldata[15] = (keyB[i][5]); + if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer + bldata[0] = (keyA[sectorNo][0]); + bldata[1] = (keyA[sectorNo][1]); + bldata[2] = (keyA[sectorNo][2]); + bldata[3] = (keyA[sectorNo][3]); + bldata[4] = (keyA[sectorNo][4]); + bldata[5] = (keyA[sectorNo][5]); + bldata[10] = (keyB[sectorNo][0]); + bldata[11] = (keyB[sectorNo][1]); + bldata[12] = (keyB[sectorNo][2]); + bldata[13] = (keyB[sectorNo][3]); + bldata[14] = (keyB[sectorNo][4]); + bldata[15] = (keyB[sectorNo][5]); } - PrintAndLog("Writing to block %2d: %s", i*4+j, sprint_hex(bldata, 16)); - - /* - PrintAndLog("Writing to block %2d: %s Confirm? [Y,N]", i*4+j, sprint_hex(bldata, 16)); - - scanf("%c",&ch); - if ((ch != 'y') && (ch != 'Y')){ - PrintAndLog("Aborting !"); - return 1; - } - */ + PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16)); memcpy(c.d.asBytes + 10, bldata, 16); SendCommand(&c); UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { uint8_t isOK = resp.arg[0] & 0xff; PrintAndLog("isOk:%02x", isOK); } else { @@ -723,22 +774,22 @@ int CmdHF14AMfRestore(const char *Cmd) return 0; } + int CmdHF14AMfNested(const char *Cmd) { int i, j, res, iterations; - sector * e_sector = NULL; + sector *e_sector = NULL; uint8_t blockNo = 0; uint8_t keyType = 0; uint8_t trgBlockNo = 0; uint8_t trgKeyType = 0; - uint8_t blDiff = 0; - int SectorsCnt = 0; + uint8_t SectorsCnt = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; uint8_t keyBlock[6*6]; uint64_t key64 = 0; - int transferToEml = 0; + bool transferToEml = false; - int createDumpFile = 0; + bool createDumpFile = false; FILE *fkeys; uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; @@ -755,16 +806,16 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("d - write keys to binary file"); PrintAndLog(" "); PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF "); - PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF t "); - PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF d "); - PrintAndLog(" sample2: hf mf nested o 0 A FFFFFFFFFFFF 4 A"); + PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t "); + PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d "); + PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A"); return 0; } cmdp = param_getchar(Cmd, 0); blockNo = param_get8(Cmd, 1); ctmp = param_getchar(Cmd, 2); - if (ctmp == 0x00) { + if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') { PrintAndLog("Key type must be A or B"); return 1; } @@ -778,7 +829,7 @@ int CmdHF14AMfNested(const char *Cmd) cmdp = 'o'; trgBlockNo = param_get8(Cmd, 4); ctmp = param_getchar(Cmd, 5); - if (ctmp == 0x00) { + if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') { PrintAndLog("Target key type must be A or B"); return 1; } @@ -788,24 +839,21 @@ int CmdHF14AMfNested(const char *Cmd) case '0': SectorsCnt = 05; break; case '1': SectorsCnt = 16; break; case '2': SectorsCnt = 32; break; - case '4': SectorsCnt = 64; break; + case '4': SectorsCnt = 40; break; default: SectorsCnt = 16; } } ctmp = param_getchar(Cmd, 4); - if (ctmp == 't' || ctmp == 'T') transferToEml = 1; - else if (ctmp == 'd' || ctmp == 'D') createDumpFile = 1; + if (ctmp == 't' || ctmp == 'T') transferToEml = true; + else if (ctmp == 'd' || ctmp == 'D') createDumpFile = true; ctmp = param_getchar(Cmd, 6); transferToEml |= (ctmp == 't' || ctmp == 'T'); transferToEml |= (ctmp == 'd' || ctmp == 'D'); - PrintAndLog("--block no:%02x key type:%02x key:%s etrans:%d", blockNo, keyType, sprint_hex(key, 6), transferToEml); - if (cmdp == 'o') - PrintAndLog("--target block no:%02x target key type:%02x ", trgBlockNo, trgKeyType); - if (cmdp == 'o') { + PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A'); if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) { PrintAndLog("Nested error."); return 2; @@ -816,13 +864,19 @@ int CmdHF14AMfNested(const char *Cmd) // transfer key to the emulator if (transferToEml) { - mfEmlGetMem(keyBlock, (trgBlockNo / 4) * 4 + 3, 1); + uint8_t sectortrailer; + if (trgBlockNo < 32*4) { // 4 block sector + sectortrailer = (trgBlockNo & 0x03) + 3; + } else { // 16 block sector + sectortrailer = (trgBlockNo & 0x0f) + 15; + } + mfEmlGetMem(keyBlock, sectortrailer, 1); if (!trgKeyType) num_to_bytes(key64, 6, keyBlock); else num_to_bytes(key64, 6, &keyBlock[10]); - mfEmlSetMem(keyBlock, (trgBlockNo / 4) * 4 + 3, 1); + mfEmlSetMem(keyBlock, sectortrailer, 1); } } else { PrintAndLog("No valid key found"); @@ -832,12 +886,10 @@ int CmdHF14AMfNested(const char *Cmd) clock_t time1; time1 = clock(); - blDiff = blockNo % 4; - PrintAndLog("Block shift=%d", blDiff); e_sector = calloc(SectorsCnt, sizeof(sector)); if (e_sector == NULL) return 1; - //test current key 4 sectors + //test current key and additional standard keys first memcpy(keyBlock, key, 6); num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 1 * 6)); num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 2 * 6)); @@ -850,7 +902,7 @@ int CmdHF14AMfNested(const char *Cmd) for (j = 0; j < 2; j++) { if (e_sector[i].foundKey[j]) continue; - res = mfCheckKeys(i * 4 + blDiff, j, 6, keyBlock, &key64); + res = mfCheckKeys(FirstBlockOfSector(i), j, 6, keyBlock, &key64); if (!res) { e_sector[i].Key[j] = key64; @@ -865,11 +917,11 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("nested..."); bool calibrate = true; for (i = 0; i < NESTED_SECTOR_RETRY; i++) { - for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4) { + for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { - if (e_sector[trgBlockNo / 4].foundKey[trgKeyType]) continue; + if (e_sector[sectorNo].foundKey[trgKeyType]) continue; PrintAndLog("-----------------------------------------------"); - if(mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, calibrate)) { + if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) { PrintAndLog("Nested error.\n"); return 2; } @@ -882,8 +934,8 @@ int CmdHF14AMfNested(const char *Cmd) key64 = bytes_to_num(keyBlock, 6); if (key64) { PrintAndLog("Found valid key:%012"llx, key64); - e_sector[trgBlockNo / 4].foundKey[trgKeyType] = 1; - e_sector[trgBlockNo / 4].Key[trgKeyType] = key64; + e_sector[sectorNo].foundKey[trgKeyType] = 1; + e_sector[sectorNo].Key[trgKeyType] = key64; } } } @@ -905,12 +957,12 @@ int CmdHF14AMfNested(const char *Cmd) // transfer them to the emulator if (transferToEml) { for (i = 0; i < SectorsCnt; i++) { - mfEmlGetMem(keyBlock, i * 4 + 3, 1); + mfEmlGetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1); if (e_sector[i].foundKey[0]) num_to_bytes(e_sector[i].Key[0], 6, keyBlock); if (e_sector[i].foundKey[1]) num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]); - mfEmlSetMem(keyBlock, i * 4 + 3, 1); + mfEmlSetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1); } } @@ -921,8 +973,8 @@ int CmdHF14AMfNested(const char *Cmd) free(e_sector); return 1; } - PrintAndLog("Printing keys to bynary file dumpkeys.bin..."); - for(i=0; i<16; i++) { + PrintAndLog("Printing keys to binary file dumpkeys.bin..."); + for(i=0; i/<*card memory> [t] [] []"); + PrintAndLog("Usage: hf mf chk |<*card memory> [t] [] []"); PrintAndLog(" * - all sectors"); PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); -// PrintAndLog("d - write keys to binary file\n"); - + PrintAndLog("d - write keys to binary file\n"); PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic"); PrintAndLog(" hf mf chk *1 ? t"); return 0; @@ -1061,7 +1101,7 @@ int CmdHF14AMfChk(const char *Cmd) } keyBlock = p; } - PrintAndLog("chk key[%d] %02x%02x%02x%02x%02x%02x", keycnt, + PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2], (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6); keycnt++; @@ -1100,7 +1140,7 @@ int CmdHF14AMfChk(const char *Cmd) } memset(keyBlock + 6 * keycnt, 0, 6); num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt); - PrintAndLog("chk custom key[%d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); + PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); keycnt++; memset(buf, 0, sizeof(buf)); } @@ -1114,31 +1154,39 @@ int CmdHF14AMfChk(const char *Cmd) } if (keycnt == 0) { - PrintAndLog("No key specified,try default keys"); + PrintAndLog("No key specified, trying default keys"); for (;keycnt < defaultKeysSize; keycnt++) - PrintAndLog("chk default key[%d] %02x%02x%02x%02x%02x%02x", keycnt, - (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2], - (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6); + PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, + (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2], + (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6); + } + + // initialize storage for found keys + bool validKey[2][40]; + uint8_t foundKey[2][40][6]; + for (uint16_t t = 0; t < 2; t++) { + for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { + validKey[t][sectorNo] = false; + for (uint16_t i = 0; i < 6; i++) { + foundKey[t][sectorNo][i] = 0xff; + } + } } - for ( int t = !keyType ; t < 2 ; keyType==2?(t++):(t=2) ) { + for ( int t = !keyType; t < 2; keyType==2?(t++):(t=2) ) { int b=blockNo; - for (int i=0; iUSB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt; for (uint32_t c = 0; c < keycnt; c+=max_keys) { uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c; res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64); - if (res !=1) { + if (res != 1) { if (!res) { PrintAndLog("Found valid key:[%012"llx"]",key64); - if (transferToEml) { - uint8_t block[16]; - mfEmlGetMem(block, get_trailer_block(b), 1); - num_to_bytes(key64, 6, block + t*10); - mfEmlSetMem(block, get_trailer_block(b), 1); - } - } + num_to_bytes(key64, 6, foundKey[t][i]); + validKey[t][i] = true; + } } else { PrintAndLog("Command execute timeout"); } @@ -1146,42 +1194,43 @@ int CmdHF14AMfChk(const char *Cmd) b<127?(b+=4):(b+=16); } } - - free(keyBlock); -/* - // Create dump file + if (transferToEml) { + uint8_t block[16]; + for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { + if (validKey[0][sectorNo] || validKey[1][sectorNo]) { + mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1); + for (uint16_t t = 0; t < 2; t++) { + if (validKey[t][sectorNo]) { + memcpy(block + t*10, foundKey[t][sectorNo], 6); + } + } + mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1); + } + } + PrintAndLog("Found keys have been transferred to the emulator memory"); + } + if (createDumpFile) { - if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) { + FILE *fkeys = fopen("dumpkeys.bin","wb"); + if (fkeys == NULL) { PrintAndLog("Could not create file dumpkeys.bin"); - free(e_sector); + free(keyBlock); return 1; } - PrintAndLog("Printing keys to bynary file dumpkeys.bin..."); - for(i=0; i<16; i++) { - if (e_sector[i].foundKey[0]){ - num_to_bytes(e_sector[i].Key[0], 6, tempkey); - fwrite ( tempkey, 1, 6, fkeys ); - } - else{ - fwrite ( &standart, 1, 6, fkeys ); - } - } - for(i=0; i<16; i++) { - if (e_sector[i].foundKey[1]){ - num_to_bytes(e_sector[i].Key[1], 6, tempkey); - fwrite ( tempkey, 1, 6, fkeys ); - } - else{ - fwrite ( &standart, 1, 6, fkeys ); - } + for (uint16_t t = 0; t < 2; t++) { + fwrite(foundKey[t], 1, 6*SectorsCnt, fkeys); } fclose(fkeys); + PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys."); } -*/ - return 0; + + free(keyBlock); + + return 0; } + int CmdHF14AMf1kSim(const char *Cmd) { uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0}; @@ -1194,21 +1243,19 @@ int CmdHF14AMf1kSim(const char *Cmd) PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(" sample: hf mf sim 0a0a0a0a "); + PrintAndLog(" sample: hf mf sim u 0a0a0a0a "); return 0; } uint8_t pnr = 0; if (param_getchar(Cmd, pnr) == 'u') { if(param_gethex(Cmd, pnr+1, uid, 8) == 0) { - flags |=FLAG_4B_UID_IN_DATA; // UID from packet - }else if(param_gethex(Cmd,pnr+1,uid,14) == 0) - { + flags |= FLAG_4B_UID_IN_DATA; // UID from packet + } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) { flags |= FLAG_7B_UID_IN_DATA;// UID from packet - }else - { - PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols"); - return 1; + } else { + PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols"); + return 1; } pnr +=2; } @@ -1232,36 +1279,39 @@ int CmdHF14AMf1kSim(const char *Cmd) , exitAfterNReads, flags,flags); - UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; - memcpy(c.d.asBytes, uid, sizeof(uid)); - SendCommand(&c); - - if(flags & FLAG_INTERACTIVE) - { - UsbCommand resp; - PrintAndLog("Press pm3-button to abort simulation"); - while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) { - //We're waiting only 1.5 s at a time, otherwise we get the - // annoying message about "Waiting for a response... " - } - } + UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; + memcpy(c.d.asBytes, uid, sizeof(uid)); + SendCommand(&c); - return 0; + if(flags & FLAG_INTERACTIVE) + { + UsbCommand resp; + PrintAndLog("Press pm3-button to abort simulation"); + while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + //We're waiting only 1.5 s at a time, otherwise we get the + // annoying message about "Waiting for a response... " + } + } + + return 0; } + int CmdHF14AMfDbg(const char *Cmd) { int dbgMode = param_get32ex(Cmd, 0, 0, 10); if (dbgMode > 4) { - PrintAndLog("Max debud mode parameter is 4 \n"); + PrintAndLog("Max debug mode parameter is 4 \n"); } if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) { PrintAndLog("Usage: hf mf dbg "); PrintAndLog(" 0 - no debug messages"); PrintAndLog(" 1 - error messages"); - PrintAndLog(" 2 - all messages"); - PrintAndLog(" 4 - extended debug mode"); + PrintAndLog(" 2 - plus information messages"); + PrintAndLog(" 3 - plus debug messages"); + PrintAndLog(" 4 - print even debug messages in timing critical functions"); + PrintAndLog(" Note: this option therefore may cause malfunction itself"); return 0; } @@ -1271,11 +1321,11 @@ int CmdHF14AMfDbg(const char *Cmd) return 0; } + int CmdHF14AMfEGet(const char *Cmd) { uint8_t blockNo = 0; - uint8_t data[3 * 16]; - int i; + uint8_t data[16]; if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { PrintAndLog("Usage: hf mf eget "); @@ -1286,10 +1336,8 @@ int CmdHF14AMfEGet(const char *Cmd) blockNo = param_get8(Cmd, 0); PrintAndLog(" "); - if (!mfEmlGetMem(data, blockNo, 3)) { - for (i = 0; i < 3; i++) { - PrintAndLog("data[%d]:%s", blockNo + i, sprint_hex(data + i * 16, 16)); - } + if (!mfEmlGetMem(data, blockNo, 1)) { + PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16)); } else { PrintAndLog("Command execute timeout"); } @@ -1297,6 +1345,7 @@ int CmdHF14AMfEGet(const char *Cmd) return 0; } + int CmdHF14AMfEClear(const char *Cmd) { if (param_getchar(Cmd, 0) == 'h') { @@ -1310,6 +1359,7 @@ int CmdHF14AMfEClear(const char *Cmd) return 0; } + int CmdHF14AMfESet(const char *Cmd) { uint8_t memBlock[16]; @@ -1331,17 +1381,18 @@ int CmdHF14AMfESet(const char *Cmd) } // 1 - blocks count - UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}}; + UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}}; memcpy(c.d.asBytes, memBlock, 16); - SendCommand(&c); - return 0; + SendCommand(&c); + return 0; } + int CmdHF14AMfELoad(const char *Cmd) { FILE * f; char filename[20]; - char * fnameptr = filename; + char *fnameptr = filename; char buf[64]; uint8_t buf8[64]; int i, len, blockNum; @@ -1375,42 +1426,41 @@ int CmdHF14AMfELoad(const char *Cmd) while(!feof(f)){ memset(buf, 0, sizeof(buf)); if (fgets(buf, sizeof(buf), f) == NULL) { - if(blockNum == 16 * 4) - { + if((blockNum == 16*4) || (blockNum == 32*4 + 8*16)) { // supports both old (1K) and new (4K) .eml files) break; } PrintAndLog("File reading error."); return 2; - } - + } if (strlen(buf) < 32){ if(strlen(buf) && feof(f)) break; PrintAndLog("File content error. Block data must include 32 HEX symbols"); return 2; } - for (i = 0; i < 32; i += 2) - sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]); + for (i = 0; i < 32; i += 2) { + sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]); // PrintAndLog("data[%02d]:%s", blockNum, sprint_hex(buf8, 16)); - + } if (mfEmlSetMem(buf8, blockNum, 1)) { - PrintAndLog("Cant set emul block: %d", blockNum); + PrintAndLog("Cant set emul block: %3d", blockNum); return 3; } blockNum++; - if (blockNum >= 32 * 4 + 8 * 16) break; + if (blockNum >= 32*4 + 8*16) break; } fclose(f); - if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){ - PrintAndLog("File content error. There must be 64 blocks"); + if ((blockNum != 16*4) && (blockNum != 32*4 + 8*16)) { + PrintAndLog("File content error. There must be 64 or 256 blocks."); return 4; } PrintAndLog("Loaded %d blocks from file: %s", blockNum, filename); - return 0; + return 0; } + int CmdHF14AMfESave(const char *Cmd) { FILE * f; @@ -1452,7 +1502,7 @@ int CmdHF14AMfESave(const char *Cmd) f = fopen(filename, "w+"); // put hex - for (i = 0; i < 32 * 4 + 8 * 16; i++) { + for (i = 0; i < 32*4 + 8*16; i++) { if (mfEmlGetMem(buf, i, 1)) { PrintAndLog("Cant get block: %d", i); break; @@ -1468,33 +1518,50 @@ int CmdHF14AMfESave(const char *Cmd) return 0; } + int CmdHF14AMfECFill(const char *Cmd) { uint8_t keyType = 0; - + uint8_t numSectors = 16; + if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { - PrintAndLog("Usage: hf mf efill "); - PrintAndLog("sample: hf mf efill A"); - PrintAndLog("Card data blocks transfers to card emulator memory."); - PrintAndLog("Keys must be laid in the simulator memory. \n"); + PrintAndLog("Usage: hf mf ecfill [card memory]"); + PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K"); + PrintAndLog(""); + PrintAndLog("samples: hf mf ecfill A"); + PrintAndLog(" hf mf ecfill A 4"); + PrintAndLog("Read card and transfer its data to emulator memory."); + PrintAndLog("Keys must be laid in the emulator memory. \n"); return 0; } char ctmp = param_getchar(Cmd, 0); - if (ctmp == 0x00) { + if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') { PrintAndLog("Key type must be A or B"); return 1; } if (ctmp != 'A' && ctmp != 'a') keyType = 1; - UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {0, keyType, 0}}; - SendCommand(&c); - return 0; + ctmp = param_getchar(Cmd, 1); + switch (ctmp) { + case '0' : numSectors = 5; break; + case '1' : + case '\0': numSectors = 16; break; + case '2' : numSectors = 32; break; + case '4' : numSectors = 40; break; + default: numSectors = 16; + } + + printf("--params: numSectors: %d, keyType:%d", numSectors, keyType); + UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}}; + SendCommand(&c); + return 0; } + int CmdHF14AMfEKeyPrn(const char *Cmd) { - int i,b=-1; + int i; uint8_t data[16]; uint64_t keyA, keyB; @@ -1502,9 +1569,8 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) PrintAndLog("|sec|key A |key B |"); PrintAndLog("|---|----------------|----------------|"); for (i = 0; i < 40; i++) { - b<127?(b+=4):(b+=16); - if (mfEmlGetMem(data, b, 1)) { - PrintAndLog("error get block %d", b); + if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) { + PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); break; } keyA = bytes_to_num(data, 6); @@ -1516,6 +1582,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) return 0; } + int CmdHF14AMfCSetUID(const char *Cmd) { uint8_t wipeCard = 0; @@ -1551,6 +1618,7 @@ int CmdHF14AMfCSetUID(const char *Cmd) return 0; } + int CmdHF14AMfCSetBlk(const char *Cmd) { uint8_t uid[8]; @@ -1574,7 +1642,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd) return 1; } - PrintAndLog("--block number:%02x data:%s", blockNo, sprint_hex(memBlock, 16)); + PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16)); res = mfCSetBlock(blockNo, memBlock, uid, 0, CSETBLOCK_SINGLE_OPER); if (res) { @@ -1586,6 +1654,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd) return 0; } + int CmdHF14AMfCLoad(const char *Cmd) { FILE * f; @@ -1649,9 +1718,9 @@ int CmdHF14AMfCLoad(const char *Cmd) while(!feof(f)){ memset(buf, 0, sizeof(buf)); if (fgets(buf, sizeof(buf), f) == NULL) { - PrintAndLog("File reading error."); - return 2; - } + PrintAndLog("File reading error."); + return 2; + } if (strlen(buf) < 32){ if(strlen(buf) && feof(f)) @@ -1666,7 +1735,7 @@ int CmdHF14AMfCLoad(const char *Cmd) if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) { - PrintAndLog("Cant set magic card block: %d", blockNum); + PrintAndLog("Can't set magic card block: %d", blockNum); return 3; } blockNum++; @@ -1675,7 +1744,7 @@ int CmdHF14AMfCLoad(const char *Cmd) } fclose(f); - if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){ + if (blockNum != 16 * 4){ PrintAndLog("File content error. There must be 64 blocks"); return 4; } @@ -1684,6 +1753,7 @@ int CmdHF14AMfCLoad(const char *Cmd) } } + int CmdHF14AMfCGetBlk(const char *Cmd) { uint8_t memBlock[16]; uint8_t blockNo = 0; @@ -1699,7 +1769,7 @@ int CmdHF14AMfCGetBlk(const char *Cmd) { blockNo = param_get8(Cmd, 0); - PrintAndLog("--block number:%02x ", blockNo); + PrintAndLog("--block number:%2d ", blockNo); res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER); if (res) { @@ -1711,6 +1781,7 @@ int CmdHF14AMfCGetBlk(const char *Cmd) { return 0; } + int CmdHF14AMfCGetSc(const char *Cmd) { uint8_t memBlock[16]; uint8_t sectorNo = 0; @@ -1730,7 +1801,7 @@ int CmdHF14AMfCGetSc(const char *Cmd) { return 1; } - PrintAndLog("--sector number:%02x ", sectorNo); + PrintAndLog("--sector number:%d ", sectorNo); flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; for (i = 0; i < 4; i++) { @@ -1739,15 +1810,16 @@ int CmdHF14AMfCGetSc(const char *Cmd) { res = mfCGetBlock(sectorNo * 4 + i, memBlock, flags); if (res) { - PrintAndLog("Can't read block. %02x error=%d", sectorNo * 4 + i, res); + PrintAndLog("Can't read block. %d error=%d", sectorNo * 4 + i, res); return 1; } - PrintAndLog("block %02x data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16)); + PrintAndLog("block %3d data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16)); } return 0; } + int CmdHF14AMfCSave(const char *Cmd) { FILE * f; @@ -1835,6 +1907,7 @@ int CmdHF14AMfCSave(const char *Cmd) { } } + int CmdHF14AMfSniff(const char *Cmd){ // params bool wantLogToFile = 0; @@ -1848,7 +1921,8 @@ int CmdHF14AMfSniff(const char *Cmd){ int blockLen = 0; int num = 0; int pckNum = 0; - uint8_t uid[8]; + uint8_t uid[7]; + uint8_t uid_len; uint8_t atqa[2]; uint8_t sak; bool isTag; @@ -1858,7 +1932,7 @@ int CmdHF14AMfSniff(const char *Cmd){ memset(buf, 0x00, 3000); if (param_getchar(Cmd, 0) == 'h') { - PrintAndLog("It continuously get data from the field and saves it to: log, emulator, emulator file."); + PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file."); PrintAndLog("You can specify:"); PrintAndLog(" l - save encrypted sequence to logfile `uid.log`"); PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`"); @@ -1926,14 +2000,19 @@ int CmdHF14AMfSniff(const char *Cmd){ bufPtr += 4; len = bufPtr[0]; bufPtr++; - if ((len == 14) && (bufPtr[0] = 0xff) && (bufPtr[1] = 0xff)) { + if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff)) { memcpy(uid, bufPtr + 2, 7); memcpy(atqa, bufPtr + 2 + 7, 2); + uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4; sak = bufPtr[11]; - PrintAndLog("tag select uid:%s atqa:%02x %02x sak:0x%02x", sprint_hex(uid, 7), atqa[0], atqa[1], sak); + PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x", + sprint_hex(uid + (7 - uid_len), uid_len), + atqa[1], + atqa[0], + sak); if (wantLogToFile || wantDecrypt) { - FillFileNameByUID(logHexFileName, uid, ".log", 7); + FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len); AddLogCurrentDT(logHexFileName); } if (wantDecrypt) mfTraceInit(uid, atqa, sak, wantSaveToEmlFile); @@ -1954,31 +2033,31 @@ int CmdHF14AMfSniff(const char *Cmd){ static command_t CommandTable[] = { - {"help", CmdHelp, 1, "This help"}, - {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"}, + {"help", CmdHelp, 1, "This help"}, + {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"}, {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"}, - {"urdbl", CmdHF14AMfURdBl, 0, "Read MIFARE Ultralight block"}, - {"urdcard", CmdHF14AMfURdCard, 0,"Read MIFARE Ultralight Card"}, + {"urdbl", CmdHF14AMfURdBl, 0, "Read MIFARE Ultralight block"}, + {"urdcard", CmdHF14AMfURdCard, 0,"Read MIFARE Ultralight Card"}, {"uwrbl", CmdHF14AMfUWrBl, 0,"Write MIFARE Ultralight block"}, {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"}, {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"}, - {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"}, + {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"}, {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"}, - {"chk", CmdHF14AMfChk, 0, "Test block keys"}, + {"chk", CmdHF14AMfChk, 0, "Test block keys"}, {"mifare", CmdHF14AMifare, 0, "Read parity error messages."}, {"nested", CmdHF14AMfNested, 0, "Test nested authentication"}, {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"}, - {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"}, + {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"}, {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"}, {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"}, {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"}, {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"}, {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"}, {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"}, - {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"}, - {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"}, - {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block into magic Chinese card"}, - {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block from magic Chinese card"}, + {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"}, + {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"}, + {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block into magic Chinese card"}, + {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block from magic Chinese card"}, {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector from magic Chinese card"}, {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"}, {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"}, diff --git a/client/default_keys.dic b/client/default_keys.dic new file mode 100644 index 00000000..5c277300 --- /dev/null +++ b/client/default_keys.dic @@ -0,0 +1,79 @@ +# Default Keys as already in Proxmark.exe: +ffffffffffff,//Defaultkey(firstkeyusedbyprogramifnouserdefinedkey) +000000000000,//Blankkey +a0a1a2a3a4a5,//NFCForumMADkey +b0b1b2b3b4b5, +aabbccddeeff, +4d3a99c351dd, +1a982c7e459a, +d3f7d3f7d3f7, +714c5c886e97, +587ee5f9350f, +a0478cc39091, +533cb6c723f6, +8fd0a4f256e9 +# more Keys from mf_default_keys.lua +000000000001, +000000000002, +00000000000a, +00000000000b, +00000ffe2488,--VästtrafikenKeyB +010203040506, +0123456789ab, +0297927c0f77,--VästtrafikenKeyA +100000000000, +111111111111, +123456789abc, +12f2ee3478c1, +14d446e33363, +1999a3554a55, +200000000000, +222222222222, +26940b21ff5d,--RKFSLKeyA +27dd91f1fcf1, +2BA9621E0A36,--DirectoryandeventlogKeyB +333333333333, +33f974b42769, +34d1df9934c5, +434f4d4d4f41,--RKFJOJOGROUPKeyA +434f4d4d4f42,--RKFJOJOGROUPKeyB +43ab19ef5c31, +444444444444, +47524f555041,--RKFJOJOGROUPKeyA +47524f555042,--RKFJOJOGROUPKeyB +4AF9D7ADEBE4,--DirectoryandeventlogKeyA +505249564141,--RKFJOJOPRIVAKeyA +505249564142,--RKFJOJOPRIVAKeyB +505249565441, +505249565442, +54726176656c,--VästtrafikenKeyA +555555555555, +55f5a5dd38c9, +5c598c9c58b5,--RKFSLKeyB +666666666666, +722bfcc5375f,--RKFRejskortDanmarkKeyA +776974687573,--VästtrafikenKeyB +777777777777, +888888888888, +999999999999, +99c636334433, +a00000000000, +a053a292a4af, +a64598a77478,--RKFSLKeyA +a94133013401, +aaaaaaaaaaaa, +abcdef123456,--Keyfromladyada.net +b00000000000, +b127c6f41436, +bbbbbbbbbbbb, +bd493a3962b6, +c934fe34d934, +cccccccccccc, +dddddddddddd, +e4d2770a89be,--RKFSLKeyB +ee0042f88840,--VästtrafikenKeyB +eeeeeeeeeeee, +f1a97341a9fc, +f1d83f964314,--RKFRejskortDanmarkKeyB +fc00018778f7,--VästtrafikenKeyA +fc0001877bf7,--RKFÖstgötaTrafikenKeyA diff --git a/client/lualibs/html_dumplib.lua b/client/lualibs/html_dumplib.lua index e730920c..b8c7ccaa 100644 --- a/client/lualibs/html_dumplib.lua +++ b/client/lualibs/html_dumplib.lua @@ -8,10 +8,17 @@ bin = require('bin') --- -- A debug printout-function local function dbg(args) - if DEBUG then + + if type(args) == "table" then + local i = 1 + while args[i] do + print("###", args[i]) + i = i+1 + end + else print("###", args) - end -end + end +end --- -- This is only meant to be used when errors occur local function oops(err) @@ -40,20 +47,38 @@ local function save_HTML(javascript, filename) end - +local function save_BIN(data, filename) + -- Open the output file + + local outfile = io.open(filename, "wb") + if outfile == nil then + return oops(string.format("Could not write to file %s",tostring(filename))) + end + + -- Write the data into it + local i = 1 + while data[i] do + outfile:write(data[i]) + i = i+1 + end + + io.close(outfile) + return filename +end local function convert_ascii_dump_to_JS(infile) local t = infile:read("*all") local output = "["; for line in string.gmatch(t, "[^\n]+") do - output = output .. "'"..line.."',\n" + if string.byte(line,1) ~= string.byte("+",1) then + output = output .. "'"..line.."',\n" + end end output = output .. "]" return output end - local function convert_binary_dump_to_JS(infile, blockLen) local bindata = infile:read("*all") len = string.len(bindata) @@ -78,6 +103,21 @@ local function convert_binary_dump_to_JS(infile, blockLen) return js end +local function convert_ascii_dump_to_BIN(infile) + local t = infile:read("*all") + + local output = {}; + for line in string.gmatch(t, "[^\n]+") do + if string.byte(line) ~= string.byte("+") then + for c in (line or ''):gmatch('..') do + output[#output+1] = string.char( tonumber(c,16) ) + end + end + end + return output +end + + --- -- Converts a .eml-file into a HTML/Javascript file. -- @param input the file to convert @@ -118,7 +158,27 @@ local function convert_bin_to_html(input, output, blockLen) return save_HTML(javascript, output ) end +--- Converts a eml dump into a binary file +-- @param input the file containing the eml-dump (defaults to dumpdata.eml) +-- @param output the file to write to ( defaults to dumpdata.bin) +local function convert_eml_to_bin(input, output) + input = input or 'dumpdata.eml' + output = output or 'dumpdata.bin' + + local infile = io.open(input, "rb") + if infile == nil then + return oops(string.format("Could not read file %s",tostring(input))) + end + -- Read file, get BIN + local data = convert_ascii_dump_to_BIN(infile) + io.close(infile) + + return save_BIN(data, output ) +end + + return { convert_bin_to_html = convert_bin_to_html, - convert_eml_to_html = convert_eml_to_html, + convert_eml_to_html = convert_eml_to_html, + convert_eml_to_bin = convert_eml_to_bin, } diff --git a/client/lualibs/mf_default_keys.lua b/client/lualibs/mf_default_keys.lua index f6264a33..4859ff0c 100644 --- a/client/lualibs/mf_default_keys.lua +++ b/client/lualibs/mf_default_keys.lua @@ -126,6 +126,21 @@ local _keys = { 'eeeeeeeeeeee', '0123456789ab', '123456789abc', + + --[[ + The keys below are taken from from https://github.com/4ZM/mfterm/blob/master/dictionary.txt + --]] + + 'abcdef123456', -- Key from ladyada.net + + '000000000001', + '000000000002', + '00000000000a', + '00000000000b', + '100000000000', + '200000000000', + 'a00000000000', + 'b00000000000', } --- @@ -148,4 +163,4 @@ local function uniq(list) return foobar end -return uniq(_keys) \ No newline at end of file +return uniq(_keys) diff --git a/client/lualibs/utils.lua b/client/lualibs/utils.lua new file mode 100644 index 00000000..3d27d5b6 --- /dev/null +++ b/client/lualibs/utils.lua @@ -0,0 +1,57 @@ +--[[ + This may be moved to a separate library at some point (Holiman) +--]] +local Utils = +{ + -- Asks the user for Yes or No + confirm = function(message, ...) + local answer + message = message .. " [y/n] ?" + repeat + io.write(message) + io.flush() + answer=io.read() + if answer == 'Y' or answer == "y" then + return true + elseif answer == 'N' or answer == 'n' then + return false + end + until false + end, + --- + -- Asks the user for input + input = function (message , default) + local answer + if default ~= nil then + message = message .. " (default: ".. default.. " )" + end + message = message .." \n > " + io.write(message) + io.flush() + answer=io.read() + if answer == '' then answer = default end + + return answer + end, + -- + -- Converts DECIMAL to HEX + ConvertDec2Hex = function(IN) + local B,K,OUT,I,D=16,"0123456789ABCDEF","",0 + while IN>0 do + I=I+1 + IN,D=math.floor(IN/B),math.mod(IN,B)+1 + OUT=string.sub(K,D,D)..OUT + end + return OUT + end, + --- + -- Convert Byte array to string of hex + ConvertBytes2String = function(bytes) + s = {} + for i = 1, #(bytes) do + s[i] = string.format("%02X",bytes[i]) + end + return table.concat(s) + end, +} +return Utils \ No newline at end of file diff --git a/client/scripts/dumptoemul.lua b/client/scripts/dumptoemul.lua index f4f91931..f9b71509 100644 --- a/client/scripts/dumptoemul.lua +++ b/client/scripts/dumptoemul.lua @@ -13,7 +13,7 @@ by the emulator Arguments: -h This help -i Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used - -o Speciies the output file. If omitted, .eml is used. + -o Specifies the output file. If omitted, .eml is used. ]] diff --git a/client/scripts/emul2dump.lua b/client/scripts/emul2dump.lua new file mode 100644 index 00000000..315ad99a --- /dev/null +++ b/client/scripts/emul2dump.lua @@ -0,0 +1,60 @@ +local getopt = require('getopt') +local bin = require('bin') +local dumplib = require('html_dumplib') + +example =[[ + 1. script run emul2dump + 2. script run emul2dump -i myfile.eml + 3. script run emul2dump -i myfile.eml -o myfile.bin +]] +author = "Iceman" +usage = "script run emul2dump [-i ] [-o ]" +desc =[[ +This script takes an dumpfile on EML (ASCII) format and converts it to the PM3 dumpbin file to be used with "hf mf restore" + +Arguments: + -h This help + -i Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used + -o Specifies the output file. If omitted, .bin is used. +]] + +--- +-- This is only meant to be used when errors occur +function oops(err) + print("ERROR: ",err) +end +--- +-- Usage help +function help() + print(desc) + print("Example usage") + print(example) +end +-- +-- Exit message +function ExitMsg(msg) + print( string.rep('--',20) ) + print( string.rep('--',20) ) + print(msg) + print() +end + +local function main(args) + + local input = "dumpdata.eml" + local output = os.date("%Y-%m-%d_%H%M%S.bin"); + + -- Arguments for the script + for o, a in getopt.getopt(args, 'hi:o:') do + if o == "h" then return help() end + if o == "i" then input = a end + if o == "o" then output = a end + end + + local filename, err = dumplib.convert_eml_to_bin(input,output) + if err then return oops(err) end + + ExitMsg(("Wrote a BIN dump to the file %s"):format(filename)) +end + +main(args) \ No newline at end of file diff --git a/client/scripts/formatMifare.lua b/client/scripts/formatMifare.lua new file mode 100644 index 00000000..1ced0c28 --- /dev/null +++ b/client/scripts/formatMifare.lua @@ -0,0 +1,196 @@ +local cmds = require('commands') +local getopt = require('getopt') +local bin = require('bin') +local lib14a = require('read14a') +local utils = require('utils') + +example =[[ + 1. script run formatMifare + 2. script run formatMifare -k aabbccddeeff -n 112233445566 -a FF0780 +]] +author = "Iceman" +usage = "script run formatMifare -k " +desc =[[ +This script will generate 'hf mf wrbl' commands for each block to format a Mifare card. + +Alla datablocks gets 0x00 +As default the script sets the keys A/B to 0xFFFFFFFFFFFF +and the access bytes will become 0x78,0x77,0x88 +The GDB will become 0x00 + +The script will skip the manufactoring block 0. + +Arguments: + -h - this help + -k - the current six byte key with write access + -n - the new key that will be written to the card + -a - the new access bytes that will be written to the card +]] +local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds +local DEBUG = true -- the debug flag +local CmdString = 'hf mf wrbl %d B %s %s' +local numBlocks = 64 +local numSectors = 16 +--- +-- A debug printout-function +function dbg(args) + if not DEBUG then + return + end + + if type(args) == "table" then + local i = 1 + while result[i] do + dbg(result[i]) + i = i+1 + end + else + print("###", args) + end +end +--- +-- This is only meant to be used when errors occur +function oops(err) + print("ERROR: ",err) +end +--- +-- Usage help +function help() + print(desc) + print("Example usage") + print(example) +end +-- +-- Exit message +function ExitMsg(msg) + print( string.rep('--',20) ) + print( string.rep('--',20) ) + print(msg) + print() +end +-- +-- Read information from a card +function GetCardInfo() + result, err = lib14a.read1443a(false) + if not result then + print(err) + return + end + print(("Found: %s"):format(result.name)) + + core.clearCommandBuffer() + + if 0x18 == result.sak then --NXP MIFARE Classic 4k | Plus 4k + -- IFARE Classic 4K offers 4096 bytes split into forty sectors, + -- of which 32 are same size as in the 1K with eight more that are quadruple size sectors. + numSectors = 40 + elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k + -- 1K offers 1024 bytes of data storage, split into 16 sector + numSectors = 16 + elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k + -- MIFARE Classic mini offers 320 bytes split into five sectors. + numSectors = 5 + elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k" + numSectors = 32 + else + print("I don't know how many sectors there are on this type of card, defaulting to 16") + end + --[[ + The mifare Classic 1k card has 16 sectors of 4 data blocks each. + The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining + 8 sectors consist of 16 data blocks. + --]] + + -- Defaults to 16 * 4 = 64 - 1 = 63 + numBlocks = numSectors * 4 - 1 + + if numSectors > 32 then + numBlocks = 32*4+ (numSectors-32)*16 -1 + end + +end + +local function main(args) + + print( string.rep('--',20) ) + print( string.rep('--',20) ) + print() + + local OldKey + local NewKey + local Accessbytes + + -- Arguments for the script + for o, a in getopt.getopt(args, 'hk:n:a:') do + if o == "h" then return help() end + if o == "k" then OldKey = a end + if o == "n" then NewKey = a end + if o == "a" then Accessbytes = a end + end + + -- validate input args. + OldKey = OldKey or 'FFFFFFFFFFFF' + if #(OldKey) ~= 12 then + return oops( string.format('Wrong length of write key (was %d) expected 12', #OldKey)) + end + + NewKey = NewKey or 'FFFFFFFFFFFF' + if #(NewKey) ~= 12 then + return oops( string.format('Wrong length of new key (was %d) expected 12', #NewKey)) + end + + --Accessbytes = Accessbytes or '787788' + Accessbytes = Accessbytes or 'FF0780' + if #(Accessbytes) ~= 6 then + return oops( string.format('Wrong length of accessbytes (was %d) expected 12', #Accessbytes)) + end + + GetCardInfo() + + -- Show info + print( string.format('Estimating number of blocks: %d', numBlocks)) + print( string.format('Old key: %s', OldKey)) + print( string.format('New key: %s', NewKey)) + print( string.format('New Access: %s', Accessbytes)) + print( string.rep('--',20) ) + + -- Set new block data + local EMPTY_BL = string.rep('00',16) + local EMPTY_SECTORTRAIL = string.format('%s%s%s%s',NewKey,Accessbytes,'00',NewKey) + + dbg( string.format('New sector-trailer : %s',EMPTY_SECTORTRAIL)) + dbg( string.format('New emptyblock: %s',EMPTY_BL)) + dbg('') + + -- Ask + local dialogResult = utils.confirm("Do you want to erase this card") + if dialogResult == false then + return ExitMsg('Quiting it is then. Your wish is my command...') + end + + print( string.rep('--',20) ) + + -- main loop + for block=0,numBlocks,1 do + + local reminder = (block+1) % 4 + local cmd + if reminder == 0 then + cmd = CmdString:format(block, OldKey , EMPTY_SECTORTRAIL) + else + cmd = CmdString:format(block, OldKey , EMPTY_BL) + end + + if block ~= 0 then + print(cmd) + --core.console(cmd) + end + + if core.ukbhit() then + print("aborted by user") + break + end + end +end + +main(args) \ No newline at end of file