int CmdHF14AMifare(const char *Cmd)\r
{\r
uint32_t uid = 0;\r
- uint32_t nt = 0;\r
+ uint32_t nt = 0, nr = 0;\r
uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
uint8_t isOK = 0;\r
uint8_t keyBlock[8] = {0};\r
\r
- if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, keyBlock, 8)) {\r
- PrintAndLog("Nt must include 8 HEX symbols");\r
- return 1;\r
- }\r
+ UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
+\r
+ // message\r
+ printf("-------------------------------------------------------------------------\n");\r
+ printf("Executing command. Expected execution time: 25sec on average :-)\n");\r
+ printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+ printf("-------------------------------------------------------------------------\n");\r
\r
\r
- UsbCommand c = {CMD_READER_MIFARE, {(uint32_t)bytes_to_num(keyBlock, 4), 0, 0}};\r
start:\r
- SendCommand(&c);\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
\r
//flush queue\r
while (ukbhit()) getchar();\r
\r
- // message\r
- printf("-------------------------------------------------------------------------\n");\r
- printf("Executing command. It may take up to 30 min.\n");\r
- printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
- printf("-------------------------------------------------------------------------\n");\r
\r
// wait cycle\r
while (true) {\r
- printf(".");\r
+ printf(".");\r
fflush(stdout);\r
if (ukbhit()) {\r
getchar();\r
}\r
\r
UsbCommand resp;\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,2000)) {\r
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {\r
isOK = resp.arg[0] & 0xff;\r
- \r
uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);\r
nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);\r
par_list = bytes_to_num(resp.d.asBytes + 8, 8);\r
ks_list = bytes_to_num(resp.d.asBytes + 16, 8);\r
- \r
+ nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
printf("\n\n");\r
- PrintAndLog("isOk:%02x", isOK);\r
if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");\r
break;\r
}\r
} \r
+\r
printf("\n");\r
\r
// error\r
if (isOK != 1) return 1;\r
\r
// execute original function from util nonce2key\r
- if (nonce2key(uid, nt, par_list, ks_list, &r_key))\r
+ if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key))\r
{\r
isOK = 2;\r
PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt); \r
PrintAndLog("Found valid key:%012"llx, r_key);\r
else\r
{\r
- if (isOK != 2) PrintAndLog("Found invalid key. ( Nt=%08x ,Trying use it to run again...", nt); \r
- c.arg[0] = nt;\r
+ if (isOK != 2) PrintAndLog("Found invalid key. "); \r
+ PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
+ c.arg[0] = false;\r
goto start;\r
}\r
\r
PrintAndLog("Command execute timeout");\r
}\r
\r
- return 0;\r
-}\r
-\r
-int CmdHF14AMfRdBl(const char *Cmd)\r
-{\r
- uint8_t blockNo = 0;\r
+ return 0;
+}
+
+int CmdHF14AMfUWrBl(const char *Cmd)
+{
+ uint8_t blockNo = 0;
+ uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ UsbCommand resp;
+
+ if (strlen(Cmd)<3) {
+ PrintAndLog("Usage: hf mf uwrbl <block number> <block data (8 hex symbols)>");
+ PrintAndLog(" sample: hf mf uwrbl 0 01020304");
+ return 0;
+ }
+
+ blockNo = param_get8(Cmd, 0);
+ if (param_gethex(Cmd, 1, bldata, 8)) {
+ PrintAndLog("Block data must include 8 HEX symbols");
+ return 1;
+ }
+
+ switch(blockNo)
+ {
+ case 0:
+ PrintAndLog("Access Denied");
+ break;
+ case 1:
+ PrintAndLog("Access Denied");
+ break;
+ case 2:
+ PrintAndLog("--specialblock no:%02x", blockNo);
+ PrintAndLog("--data: %s", sprint_hex(bldata, 4));
+ UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}};
+ memcpy(c.d.asBytes, bldata, 4);
+ SendCommand(&c);
+
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+ break;
+ case 3:
+ PrintAndLog("--specialblock no:%02x", blockNo);
+ PrintAndLog("--data: %s", sprint_hex(bldata, 4));
+ UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}};
+ memcpy(d.d.asBytes,bldata, 4);
+ SendCommand(&d);
+
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+ break;
+ default:
+ PrintAndLog("--block no:%02x", blockNo);
+ PrintAndLog("--data: %s", sprint_hex(bldata, 4));
+ //UsbCommand e = {CMD_MIFAREU_WRITEBL_COMPAT, {blockNo}};
+ //memcpy(e.d.asBytes,bldata, 16);
+ UsbCommand e = {CMD_MIFAREU_WRITEBL, {blockNo}};
+ memcpy(e.d.asBytes,bldata, 4);
+ SendCommand(&e);
+
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+ break;
+ }
+ return 0;
+}
+
+int CmdHF14AMfRdBl(const char *Cmd)
+{
+ uint8_t blockNo = 0;
uint8_t keyType = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
\r
PrintAndLog("Command execute timeout");\r
}\r
\r
- return 0;\r
-}\r
-\r
-int CmdHF14AMfRdSc(const char *Cmd)\r
-{\r
- int i;\r
+ return 0;
+}
+
+int CmdHF14AMfURdBl(const char *Cmd)
+{
+ uint8_t blockNo = 0;
+
+ if (strlen(Cmd)<1) {
+ PrintAndLog("Usage: hf mf urdbl <block number>");
+ PrintAndLog(" sample: hf mf urdbl 0");
+ return 0;
+ }
+
+ blockNo = param_get8(Cmd, 0);
+ PrintAndLog("--block no:%02x", blockNo);
+
+ UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};
+ SendCommand(&c);
+
+ UsbCommand resp;
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ uint8_t * data = resp.d.asBytes;
+
+ if (isOK)
+ PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
+ else
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+
+ return 0;
+}
+
+int CmdHF14AMfURdCard(const char *Cmd)
+{
+ int i;
+ uint8_t sectorNo = 0;
+ uint8_t *lockbytes_t=NULL;
+ uint8_t lockbytes[2]={0,0};
+ bool bit[16]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
+
+ uint8_t isOK = 0;
+ uint8_t * data = NULL;
+
+ if (sectorNo > 15) {
+ PrintAndLog("Sector number must be less than 16");
+ return 1;
+ }
+ PrintAndLog("Attempting to Read Ultralight... ");
+
+ UsbCommand c = {CMD_MIFAREU_READCARD, {sectorNo}};
+ SendCommand(&c);
+
+ UsbCommand resp;
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ isOK = resp.arg[0] & 0xff;
+ data = resp.d.asBytes;
+
+ PrintAndLog("isOk:%02x", isOK);
+ if (isOK)
+ for (i = 0; i < 16; i++) {
+ switch(i){
+ case 2:
+ //process lock bytes
+ lockbytes_t=data+(i*4);
+ lockbytes[0]=lockbytes_t[2];
+ lockbytes[1]=lockbytes_t[3];
+ for(int j=0; j<16; j++){
+ bit[j]=lockbytes[j/8] & ( 1 <<(7-j%8));
+ }
+ //PrintAndLog("LB %02x %02x", lockbytes[0],lockbytes[1]);
+ //PrintAndLog("LB2b %02x %02x %02x %02x %02x %02x %02x %02x",bit[8],bit[9],bit[10],bit[11],bit[12],bit[13],bit[14],bit[15]);
+ PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4));
+ break;
+ case 3:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[4]);
+ break;
+ case 4:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[3]);
+ break;
+ case 5:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[2]);
+ break;
+ case 6:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[1]);
+ break;
+ case 7:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[0]);
+ break;
+ case 8:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[15]);
+ break;
+ case 9:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[14]);
+ break;
+ case 10:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[13]);
+ break;
+ case 11:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[12]);
+ break;
+ case 12:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[11]);
+ break;
+ case 13:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[10]);
+ break;
+ case 14:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[9]);
+ break;
+ case 15:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[8]);
+ break;
+ default:
+ PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4));
+ break;
+ }
+ }
+ } else {
+ PrintAndLog("Command1 execute timeout");
+ }
+ return 0;
+}
+
+int CmdHF14AMfRdSc(const char *Cmd)
+{
+ int i;
uint8_t sectorNo = 0;\r
uint8_t keyType = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
// Read key file\r
\r
for (i=0 ; i<16 ; i++) {\r
- fread ( keyA[i], 1, 6, fin );\r
+ if (fread( keyA[i], 1, 6, fin ) == 0) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
}\r
for (i=0 ; i<16 ; i++) {\r
- fread ( keyB[i], 1, 6, fin );\r
+ if (fread( keyB[i], 1, 6, fin ) == 0) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
}\r
\r
// Read access rights to sectors\r
}\r
if (isOK) {\r
fwrite ( data, 1, 16, fout );\r
+ PrintAndLog("Dumped card data into 'dumpdata.bin'");\r
+\r
}\r
else {\r
PrintAndLog("Could not get access rights for block %d", i);\r
\r
fclose(fin);\r
fclose(fout);\r
- \r
return 0;\r
}\r
\r
}\r
\r
for (i=0 ; i<16 ; i++) {\r
- fread(keyA[i], 1, 6, fkeys);\r
+ if (fread(keyA[i], 1, 6, fkeys) == 0) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
}\r
for (i=0 ; i<16 ; i++) {\r
- fread(keyB[i], 1, 6, fkeys);\r
+ if (fread(keyB[i], 1, 6, fkeys) == 0) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
}\r
\r
PrintAndLog("Restoring dumpdata.bin to card");\r
UsbCommand c = {CMD_MIFARE_WRITEBL, {i*4 + j, keyType, 0}};\r
memcpy(c.d.asBytes, key, 6);\r
\r
- fread(bldata, 1, 16, fdump);\r
+ if (fread(bldata, 1, 16, fdump) == 0) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
\r
if (j == 3) {\r
bldata[0] = (keyA[i][0]);\r
uint8_t blDiff = 0;\r
int SectorsCnt = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
- uint8_t keyBlock[16 * 6];\r
+ uint8_t keyBlock[6*6];\r
uint64_t key64 = 0;\r
int transferToEml = 0;\r
\r
PrintAndLog("--target block no:%02x target key type:%02x ", trgBlockNo, trgKeyType);\r
\r
if (cmdp == 'o') {\r
- if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) {\r
+ if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {\r
PrintAndLog("Nested error.");\r
return 2;\r
}\r
-\r
- for (i = 0; i < 16; i++) {\r
- PrintAndLog("count=%d key= %s", i, sprint_hex(keyBlock + i * 6, 6));\r
- }\r
- \r
- // test keys\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);\r
- if (res)\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);\r
- if (!res) {\r
+ key64 = bytes_to_num(keyBlock, 6);\r
+ if (key64) {\r
PrintAndLog("Found valid key:%012"llx, key64);\r
\r
// transfer key to the emulator\r
}\r
}\r
else { // ------------------------------------ multiple sectors working\r
+ clock_t time1;\r
+ time1 = clock();\r
+\r
blDiff = blockNo % 4;\r
PrintAndLog("Block shift=%d", blDiff);\r
e_sector = calloc(SectorsCnt, sizeof(sector));\r
\r
//test current key 4 sectors\r
memcpy(keyBlock, key, 6);\r
- num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 1 * 6));\r
- num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 2 * 6));\r
- num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 3 * 6));\r
- num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 4 * 6));\r
+ num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 1 * 6));\r
+ num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 2 * 6));\r
+ num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6));\r
+ num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6));\r
num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));\r
\r
PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);\r
e_sector[i].foundKey[j] = 1;\r
}\r
}\r
- } \r
+ }\r
+ \r
\r
// nested sectors\r
iterations = 0;\r
PrintAndLog("nested...");\r
+ bool calibrate = true;\r
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
- for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4) \r
+ for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4) {\r
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
if (e_sector[trgBlockNo / 4].foundKey[trgKeyType]) continue;\r
- if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) continue;\r
+ PrintAndLog("-----------------------------------------------");\r
+ if(mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, calibrate)) {\r
+ PrintAndLog("Nested error.\n");\r
+ return 2;\r
+ }\r
+ else {\r
+ calibrate = false;\r
+ }\r
\r
iterations++;\r
- \r
- //try keys from nested\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);\r
- if (res)\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);\r
- if (!res) {\r
+\r
+ key64 = bytes_to_num(keyBlock, 6);\r
+ if (key64) {\r
PrintAndLog("Found valid key:%012"llx, key64);\r
e_sector[trgBlockNo / 4].foundKey[trgKeyType] = 1;\r
e_sector[trgBlockNo / 4].Key[trgKeyType] = key64;\r
}\r
}\r
+ }\r
}\r
\r
- PrintAndLog("Iterations count: %d", iterations);\r
+ printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/1000.0, ((float)clock() - time1)/iterations/1000.0);\r
+ \r
+ PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);\r
//print them\r
PrintAndLog("|---|----------------|---|----------------|---|");\r
PrintAndLog("|sec|key A |res|key B |res|");\r
if ( (f = fopen( filename , "r")) ) {\r
while( !feof(f) ){\r
memset(buf, 0, sizeof(buf));\r
- fgets(buf, sizeof(buf), f);\r
- \r
+ if (fgets(buf, sizeof(buf), f) == NULL) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
+ \r
if (strlen(buf) < 12 || buf[11] == '\n')\r
continue;\r
\r
while (fgetc(f) != '\n' && !feof(f)) ; //goto next line\r
\r
- if( buf[0]=='#' ) continue; //The line start with # is remcommnet,skip\r
+ if( buf[0]=='#' ) continue; //The line start with # is comment, skip\r
\r
if (!isxdigit(buf[0])){\r
PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);\r
int b=blockNo;\r
for (int i=0; i<SectorsCnt; ++i) {\r
PrintAndLog("--SectorsCnt:%d block no:0x%02x key type:%C key count:%d ", i, b, t?'B':'A', keycnt);\r
- int size = keycnt>8?8:keycnt;\r
- for (int c = 0; c < keycnt; c+=size) {\r
- size=keycnt-c>8?8:keycnt-c; \r
- res = mfCheckKeys(b, t, size, keyBlock +6*c, &key64);\r
+ uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
+ for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
+ uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
+ res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);\r
if (res !=1) {\r
if (!res) {\r
PrintAndLog("Found valid key:[%012"llx"]",key64);\r
num_to_bytes(key64, 6, block + t*10);\r
mfEmlSetMem(block, get_trailer_block(b), 1);\r
}\r
- break;\r
- }\r
- else {\r
- printf("Not found yet, keycnt:%d\r", c+size);\r
- fflush(stdout);\r
}\r
} else {\r
PrintAndLog("Command execute timeout");\r
blockNum = 0;\r
while(!feof(f)){\r
memset(buf, 0, sizeof(buf));\r
- fgets(buf, sizeof(buf), f);\r
+ if (fgets(buf, sizeof(buf), f) == NULL) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
\r
if (strlen(buf) < 32){\r
if(strlen(buf) && feof(f))\r
flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
while(!feof(f)){\r
memset(buf, 0, sizeof(buf));\r
- fgets(buf, sizeof(buf), f);\r
+ if (fgets(buf, sizeof(buf), f) == NULL) {\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
\r
if (strlen(buf) < 32){\r
if(strlen(buf) && feof(f))\r
\r
static command_t CommandTable[] =\r
{\r
- {"help", CmdHelp, 1, "This help"},\r
- {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
- {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
- {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
- {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
- {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
+ {"help", CmdHelp, 1, "This help"},
+ {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
+ {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
+ {"urdbl", CmdHF14AMfURdBl, 0, "Read MIFARE Ultralight block"},
+ {"urdcard", CmdHF14AMfURdCard, 0,"Read MIFARE Ultralight Card"},
+ {"uwrbl", CmdHF14AMfUWrBl, 0,"Write MIFARE Ultralight block"},
+ {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
+ {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},
+ {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},
{"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
{"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
{"mifare", CmdHF14AMifare, 0, "Read parity error messages. param - <used card nonce>"},\r