]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhficlass.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
CHG: rename a local scope variable "data"->"cmd"
[proxmark3-svn] / client / cmdhficlass.c
diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c
index b8e1e0989f62abc5bca9d409f2fe53b43500c83e..90856e919d7c85f30da20695749ae8ad69bc4775 100644 (file)
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@@ -1,6 +1,7 @@
 //-----------------------------------------------------------------------------
 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
 // Copyright (C) 2011 Gerhard de Koning Gans
 //-----------------------------------------------------------------------------
 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
 // Copyright (C) 2011 Gerhard de Koning Gans
+// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
 //
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@@ -9,25 +10,196 @@
 // High frequency iClass commands
 //-----------------------------------------------------------------------------
 
 // High frequency iClass commands
 //-----------------------------------------------------------------------------
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
-#include "data.h"
-//#include "proxusb.h"
-#include "proxmark3.h"
-#include "ui.h"
-#include "cmdparser.h"
 #include "cmdhficlass.h"
 #include "cmdhficlass.h"
-#include "common.h"
-#include "util.h"
-#include "cmdmain.h"
 
 static int CmdHelp(const char *Cmd);
 
 
 static int CmdHelp(const char *Cmd);
 
-int xorbits_8(uint8_t val)
-{
+#define NUM_CSNS 15
+#define ICLASS_KEYS_MAX 8
+static uint8_t iClass_Key_Table[ICLASS_KEYS_MAX][8] = {
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+               { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }
+};
+
+typedef struct iclass_block {
+    uint8_t d[8];
+} iclass_block_t;
+
+int usage_hf_iclass_sim(void) {
+       PrintAndLog("Usage:  hf iclass sim <option> [CSN]");
+       PrintAndLog("        options");
+       PrintAndLog("                0 <CSN> simulate the given CSN");
+       PrintAndLog("                1       simulate default CSN");
+       PrintAndLog("                2       Reader-attack, gather reader responses to extract elite key");
+       PrintAndLog("                3       Full simulation using emulator memory (see 'hf iclass eload')");
+       PrintAndLog("        example: hf iclass sim 0 031FEC8AF7FF12E0");
+       PrintAndLog("        example: hf iclass sim 2");
+       PrintAndLog("        example: hf iclass eload 'tagdump.bin'");
+       PrintAndLog("                 hf iclass sim 3");
+       return 0;
+}
+int usage_hf_iclass_eload(void) {
+       PrintAndLog("Loads iclass tag-dump into emulator memory on device");
+       PrintAndLog("Usage:  hf iclass eload f <filename>");
+       PrintAndLog("");
+       PrintAndLog("Example: hf iclass eload f iclass_tagdump-aa162d30f8ff12f1.bin");
+       return 0;
+}
+int usage_hf_iclass_decrypt(void) {
+       PrintAndLog("Usage: hf iclass decrypt f <tagdump>");
+       PrintAndLog("");
+       PrintAndLog("OBS! In order to use this function, the file 'iclass_decryptionkey.bin' must reside");
+       PrintAndLog("in the working directory. The file should be 16 bytes binary data");
+       PrintAndLog("");
+       PrintAndLog("example: hf iclass decrypt f tagdump_12312342343.bin");
+       PrintAndLog("");
+       PrintAndLog("OBS! This is pretty stupid implementation, it tries to decrypt every block after block 6. ");
+       PrintAndLog("Correct behaviour would be to decrypt only the application areas where the key is valid,");
+       PrintAndLog("which is defined by the configuration block.");
+       return 1;
+}
+int usage_hf_iclass_encrypt(void) {
+       PrintAndLog("Usage: hf iclass encrypt <BlockData>");
+       PrintAndLog("");
+       PrintAndLog("OBS! In order to use this function, the file 'iclass_decryptionkey.bin' must reside");
+       PrintAndLog("in the working directory. The file should be 16 bytes binary data");
+       PrintAndLog("");
+       PrintAndLog("example: hf iclass encrypt 0102030405060708");
+       PrintAndLog("");
+       return 0;
+}
+int usage_hf_iclass_dump(void) {
+       PrintAndLog("Usage:  hf iclass dump f <fileName> k <Key> c <CreditKey> e|r\n");
+       PrintAndLog("Options:");
+       PrintAndLog("  f <filename> : specify a filename to save dump to");
+       PrintAndLog("  k <Key>      : *Access Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  c <CreditKey>: Credit Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  e            : If 'e' is specified, the key is interpreted as the 16 byte");
+       PrintAndLog("                 Custom Key (KCus), which can be obtained via reader-attack");
+       PrintAndLog("                 See 'hf iclass sim 2'. This key should be on iclass-format");
+       PrintAndLog("  r            : If 'r' is specified, the key is interpreted as raw block 3/4");
+       PrintAndLog("  NOTE: * = required");
+       PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass dump k 001122334455667B");
+       PrintAndLog("  hf iclass dump k AAAAAAAAAAAAAAAA c 001122334455667B");
+       PrintAndLog("  hf iclass dump k AAAAAAAAAAAAAAAA e");
+       return 0;
+}
+int usage_hf_iclass_clone(void) {
+       PrintAndLog("Usage:  hf iclass clone f <tagfile.bin> b <first block> l <last block> k <KEY> c e|r");
+       PrintAndLog("Options:");
+       PrintAndLog("  f <filename>: specify a filename to clone from");
+       PrintAndLog("  b <Block>   : The first block to clone as 2 hex symbols");
+       PrintAndLog("  l <Last Blk>: Set the Data to write as 16 hex symbols");
+       PrintAndLog("  k <Key>     : Access Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  c           : If 'c' is specified, the key set is assumed to be the credit key\n");
+       PrintAndLog("  e           : If 'e' is specified, elite computations applied to key");
+       PrintAndLog("  r           : If 'r' is specified, no computations applied to key");
+       PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 1A k 1122334455667788 e");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 05 l 19 k 0");
+       PrintAndLog("  hf iclass clone f iclass_tagdump-121345.bin b 06 l 19 k 0 e");
+       return -1;
+}
+int usage_hf_iclass_writeblock(void) {
+       PrintAndLog("Options:");
+       PrintAndLog("  b <Block> : The block number as 2 hex symbols");
+       PrintAndLog("  d <data>  : Set the Data to write as 16 hex symbols");
+       PrintAndLog("  k <Key>   : Access Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
+       PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
+       PrintAndLog("  r         : If 'r' is specified, no computations applied to key");
+       PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA k 001122334455667B");
+       PrintAndLog("  hf iclass writeblk b 1B d AAAAAAAAAAAAAAAA k 001122334455667B c");
+       PrintAndLog("  hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA n 0");
+       return 0;
+}
+int usage_hf_iclass_readblock(void) {
+       PrintAndLog("Usage:  hf iclass readblk b <Block> k <Key> c e|r\n");
+       PrintAndLog("Options:");
+       PrintAndLog("  b <Block> : The block number as 2 hex symbols");
+       PrintAndLog("  k <Key>   : Access Key as 16 hex symbols or 1 hex to select key from memory");
+       PrintAndLog("  c         : If 'c' is specified, the key set is assumed to be the credit key\n");
+       PrintAndLog("  e         : If 'e' is specified, elite computations applied to key");
+       PrintAndLog("  r         : If 'r' is specified, no computations applied to key");
+       PrintAndLog("Samples:");
+       PrintAndLog("  hf iclass readblk b 06 k 0011223344556677");
+       PrintAndLog("  hf iclass readblk b 1B k 0011223344556677 c");
+       PrintAndLog("  hf iclass readblk b 0A k 0");
+       return 0;
+}
+int usage_hf_iclass_readtagfile() {
+       PrintAndLog("Usage: hf iclass readtagfile <filename> [startblock] [endblock]");
+       return 1;
+}
+int usage_hf_iclass_calc_newkey(void) {
+       PrintAndLog("HELP :  Manage iClass Keys in client memory:\n");
+       PrintAndLog("Usage:  hf iclass calc_newkey o <Old key> n <New key> s [csn] e");
+       PrintAndLog("  Options:");
+       PrintAndLog("  o <oldkey> : *specify a key as 16 hex symbols or a key number as 1 symbol");
+       PrintAndLog("  n <newkey> : *specify a key as 16 hex symbols or a key number as 1 symbol");
+       PrintAndLog("  s <csn>    : specify a card Serial number to diversify the key (if omitted will attempt to read a csn)");
+       PrintAndLog("  e          : specify new key as elite calc");
+       PrintAndLog("  ee         : specify old and new key as elite calc");
+       PrintAndLog("Samples:");
+       PrintAndLog(" e key to e key given csn : hf iclass calcnewkey o 1122334455667788 n 2233445566778899 s deadbeafdeadbeaf ee");
+       PrintAndLog(" std key to e key read csn: hf iclass calcnewkey o 1122334455667788 n 2233445566778899 e");
+       PrintAndLog(" std to std read csn      : hf iclass calcnewkey o 1122334455667788 n 2233445566778899");
+       PrintAndLog("NOTE: * = required\n");
+       return 1;
+}
+int usage_hf_iclass_managekeys(void) {
+       PrintAndLog("HELP :  Manage iClass Keys in client memory:\n");
+       PrintAndLog("Usage:  hf iclass managekeys n [keynbr] k [key] f [filename] s l p\n");
+       PrintAndLog("  Options:");
+       PrintAndLog("  n <keynbr>  : specify the keyNbr to set in memory");
+       PrintAndLog("  k <key>     : set a key in memory");
+       PrintAndLog("  f <filename>: specify a filename to use with load or save operations");
+       PrintAndLog("  s           : save keys in memory to file specified by filename");
+       PrintAndLog("  l           : load keys to memory from file specified by filename");
+       PrintAndLog("  p           : print keys loaded into memory\n");
+       PrintAndLog("Samples:");
+       PrintAndLog(" set key      : hf iclass managekeys n 0 k 1122334455667788");
+       PrintAndLog(" save key file: hf iclass managekeys f mykeys.bin s");
+       PrintAndLog(" load key file: hf iclass managekeys f mykeys.bin l");
+       PrintAndLog(" print keys   : hf iclass managekeys p\n");
+       return 0;
+}
+int usage_hf_iclass_reader(void) {
+       PrintAndLog("HELP :  Act as a Iclass reader:\n");
+       PrintAndLog("Usage:  hf iclass reader [h] [1]\n");
+       PrintAndLog("Options:");
+       PrintAndLog("    h   This help text");
+       PrintAndLog("    1   read only 1 tag");
+       PrintAndLog("Samples:");
+       PrintAndLog("        hf iclass reader 1");
+       return 0;
+}
+int usage_hf_iclass_replay(void){
+       PrintAndLog("HELP:   Replay a collected mac message");
+       PrintAndLog("Usage:  hf iclass replay [h] <mac>");
+       PrintAndLog("Options:");
+       PrintAndLog("    h       This help text");
+       PrintAndLog("    <mac>   Mac bytes to replay (8 hexsymbols)");
+       PrintAndLog("Samples:");
+       PrintAndLog("        hf iclass replay 00112233");       
+       return 0;
+}
+int usage_hf_iclass_snoop(void){
+       PrintAndLog("HELP:   Snoops the communication between reader and tag");
+       PrintAndLog("Usage:  hf iclass snoop [h]");
+       PrintAndLog("Samples:");
+       PrintAndLog("            hf iclass snoop");     
+       return 0;
+}
+int xorbits_8(uint8_t val) {
        uint8_t res = val ^ (val >> 1); //1st pass
        res = res ^ (res >> 1);                 // 2nd pass
        res = res ^ (res >> 2);                 // 3rd pass
        uint8_t res = val ^ (val >> 1); //1st pass
        res = res ^ (res >> 1);                 // 2nd pass
        res = res ^ (res >> 2);                 // 3rd pass
@@ -35,463 +207,1519 @@ int xorbits_8(uint8_t val)
        return res & 1;
 }
 
        return res & 1;
 }
 
-int CmdHFiClassList(const char *Cmd)
-{
+int CmdHFiClassList(const char *Cmd) {
+       //PrintAndLog("Deprecated command, use 'hf list iclass' instead");
+       CmdHFList("iclass");
+       return 0;
+}
 
 
-       bool ShowWaitCycles = false;
-       char param = param_getchar(Cmd, 0);
+int CmdHFiClassSnoop(const char *Cmd) {
+       char cmdp = param_getchar(Cmd, 0);
+       if (cmdp == 'h' || cmdp == 'H') return usage_hf_iclass_snoop();
 
 
-       if (param != 0) {
-               PrintAndLog("List data in trace buffer.");
-               PrintAndLog("Usage:  hf iclass list");
-               PrintAndLog("h - help");
-               PrintAndLog("sample: hf iclass list");
-               return 0;
-       }
+       UsbCommand c = {CMD_SNOOP_ICLASS};
+       SendCommand(&c);
+       return 0;
+}
 
 
-       uint8_t got[1920];
-       GetFromBigBuf(got,sizeof(got),0);
-       WaitForResponse(CMD_ACK,NULL);
+int CmdHFiClassSim(const char *Cmd) {
+       uint8_t simType = 0;
+       uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
 
 
-       PrintAndLog("Recorded Activity");
-       PrintAndLog("");
-       PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
-       PrintAndLog("All times are in carrier periods (1/13.56Mhz)");
-       PrintAndLog("");
-       PrintAndLog("     Start |       End | Src | Data");
-       PrintAndLog("-----------|-----------|-----|--------");
+       if (strlen(Cmd)<1) return usage_hf_iclass_sim();
 
 
-       int i;
-       uint32_t first_timestamp = 0;
-       uint32_t timestamp;
-       bool tagToReader;
-       uint32_t parityBits;
-       uint8_t len;
-       uint8_t *frame;
-       uint32_t EndOfTransmissionTimestamp = 0;
+       simType = param_get8ex(Cmd, 0, 0, 10);
+
+       if(simType == 0)
+       {
+               if (param_gethex(Cmd, 1, CSN, 16)) {
+                       PrintAndLog("A CSN should consist of 16 HEX symbols");
+                       return usage_hf_iclass_sim();
+               }
+
+               PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));
+       }
 
 
+       if(simType > 3)
+       {
+               PrintAndLog("Undefined simptype %d", simType);
+               return usage_hf_iclass_sim();
+       }
 
 
-       for( i=0; i < 1900;)
+       uint8_t numberOfCSNs=0;
+       if(simType == 2)
        {
        {
-               //First 32 bits contain
-               // isResponse (1 bit)
-               // timestamp (remaining)
-               //Then paritybits
-               //Then length
-               timestamp = *((uint32_t *)(got+i));
-               parityBits = *((uint32_t *)(got+i+4));
-               len = got[i+8];
-               frame = (got+i+9);
-               uint32_t next_timestamp = (*((uint32_t *)(got+i+9))) & 0x7fffffff;
-
-               tagToReader = timestamp & 0x80000000;
-               timestamp &= 0x7fffffff;
-
-               if(i==0) {
-                       first_timestamp = timestamp;
+               UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
+               UsbCommand resp = {0};
+
+               uint8_t csns[8*NUM_CSNS] = {
+                       0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
+                       0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
+
+               memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
+               clearCommandBuffer();
+               SendCommand(&c);
+               if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
+                       PrintAndLog("Command timed out");
+                       return 0;
                }
 
                }
 
-               // Break and stick with current result if buffer was not completely full
-               if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break;
+               uint8_t num_mac_responses  = resp.arg[1];
+               PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);
 
 
-               char line[1000] = "";
+               size_t datalen = NUM_CSNS*24;
+               /*
+                * Now, time to dump to file. We'll use this format:
+                * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
+                * So, it should wind up as
+                * 8 * 24 bytes.
+                *
+                * The returndata from the pm3 is on the following format
+                * <4 byte NR><4 byte MAC>
+                * CC are all zeroes, CSN is the same as was sent in
+                **/
+               void* dump = malloc(datalen);
+               memset(dump,0,datalen);//<-- Need zeroes for the CC-field
+               uint8_t i = 0;
+               for(i = 0 ; i < NUM_CSNS ; i++) {
+                       memcpy(dump+i*24, csns+i*8, 8); //CSN
+                       //8 zero bytes here...
+                       //Then comes NR_MAC (eight bytes from the response)
+                       memcpy(dump+i*24+16, resp.d.asBytes+i*8, 8);
+               }
+               /** Now, save to dumpfile **/
+               saveFile("iclass_mac_attack", "bin", dump, datalen);
+               free(dump);
+       } else {
+               UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
+               memcpy(c.d.asBytes, CSN, 8);
+               clearCommandBuffer();
+               SendCommand(&c);
+       }
+       return 0;
+}
 
 
-               if(len)//We have some data to display
-               {
-                       int j,oddparity;
+int HFiClassReader(const char *Cmd, bool loop, bool verbose) {
+       bool tagFound = false;
+       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN |
+                                       FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_AA}};
+       // loop in client not device - else on windows have a communication error
+       c.arg[0] |= FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY;
+       UsbCommand resp;
+       while(!ukbhit()){
+               clearCommandBuffer();
+               SendCommand(&c);
+               if (WaitForResponseTimeout(CMD_ACK,&resp, 4500)) {
+                       uint8_t readStatus = resp.arg[0] & 0xff;
+                       uint8_t *data = resp.d.asBytes;
+
+                       if (verbose) PrintAndLog("Readstatus:%02x", readStatus);
+                       if( readStatus == 0){
+                               //Aborted
+                               if (verbose) PrintAndLog("Quitting...");
+                               return 0;
+                       }
+                       if( readStatus & FLAG_ICLASS_READER_CSN){
+                               PrintAndLog("CSN: %s",sprint_hex(data,8));
+                               tagFound = true;
+                       }
+                       if( readStatus & FLAG_ICLASS_READER_CC)   PrintAndLog("CC: %s", sprint_hex(data+16, 8));
+                       if( readStatus & FLAG_ICLASS_READER_CONF) printIclassDumpInfo(data);                    
+                       if (tagFound && !loop) return 1;
+               } else {
+                       if (verbose) PrintAndLog("Command execute timeout");
+               }
+               if (!loop) break;
+       }
+       return 0;
+}
 
 
-                       for(j = 0; j < len ; j++)
-                       {
-                               oddparity = 0x01 ^ xorbits_8(frame[j] & 0xFF);
+int CmdHFiClassReader(const char *Cmd) {       
+       char cmdp = param_getchar(Cmd, 0);
+       if (cmdp == 'h' || cmdp == 'H') return usage_hf_iclass_reader();
+       bool findone = (cmdp == '1') ? FALSE : TRUE;
+       return HFiClassReader(Cmd, findone, true);
+}
+
+int CmdHFiClassReader_Replay(const char *Cmd) {
+       uint8_t readerType = 0;
+       uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
+
+       if (strlen(Cmd)<1) return usage_hf_iclass_replay();
+
+       if (param_gethex(Cmd, 0, MAC, 8)) {
+               PrintAndLog("MAC must include 8 HEX symbols");
+               return 1;
+       }
+
+       UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
+       memcpy(c.d.asBytes, MAC, 4);
+       clearCommandBuffer();
+       SendCommand(&c);
+       return 0;
+}
+
+int iclassEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
+       UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNum, blocksCount, 0}};
+       memcpy(c.d.asBytes, data, blocksCount * 16);
+       clearCommandBuffer();
+       SendCommand(&c);
+       return 0;
+}
+
+int CmdHFiClassELoad(const char *Cmd) {
+
+       char opt = param_getchar(Cmd, 0);
+       if (strlen(Cmd)<1 || opt == 'h' || opt == 'H') return usage_hf_iclass_eload();
+
+       //File handling and reading
+       FILE *f;
+       char filename[FILE_PATH_SIZE];
+       if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0) {
+               f = fopen(filename, "rb");
+       } else {
+               return usage_hf_iclass_eload();
+       }
+
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 1;
+       }
+
+       fseek(f, 0, SEEK_END);
+       long fsize = ftell(f);
+       fseek(f, 0, SEEK_SET);
+
+       if (fsize < 0)  {
+               prnlog("Error, when getting filesize");
+               fclose(f);
+               return 1;
+       }
+
+       uint8_t *dump = malloc(fsize);
 
 
-                               if (tagToReader && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
-                                       sprintf(line+(j*4), "%02x!  ", frame[j]);
+       size_t bytes_read = fread(dump, 1, fsize, f);
+       fclose(f);
+
+       printIclassDumpInfo(dump);
+       //Validate
+
+       if (bytes_read < fsize) {
+               prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
+               free(dump);
+               return 1;
+       }
+       //Send to device
+       uint32_t bytes_sent = 0;
+       uint32_t bytes_remaining  = bytes_read;
+
+       while(bytes_remaining > 0){
+               uint32_t bytes_in_packet = MIN(USB_CMD_DATA_SIZE, bytes_remaining);
+               UsbCommand c = {CMD_ICLASS_EML_MEMSET, {bytes_sent,bytes_in_packet,0}};
+               memcpy(c.d.asBytes, dump, bytes_in_packet);
+               clearCommandBuffer();
+               SendCommand(&c);
+               bytes_remaining -= bytes_in_packet;
+               bytes_sent += bytes_in_packet;
+       }
+       free(dump);
+       PrintAndLog("Sent %d bytes of data to device emulator memory", bytes_sent);
+       return 0;
+}
+
+static int readKeyfile(const char *filename, size_t len, uint8_t* buffer) {
+       FILE *f = fopen(filename, "rb");
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 1;
+       }
+       fseek(f, 0, SEEK_END);
+       long fsize = ftell(f);
+       fseek(f, 0, SEEK_SET);
+       size_t bytes_read = fread(buffer, 1, len, f);
+       fclose(f);
+       
+       if(fsize != len) {
+               PrintAndLog("Warning, file size is %d, expected %d", fsize, len);
+               return 1;
+       }
+       
+       if(bytes_read != len) {
+               PrintAndLog("Warning, could only read %d bytes, expected %d" ,bytes_read, len);
+               return 1;
+       }
+       return 0;
+}
+
+int CmdHFiClassDecrypt(const char *Cmd) {
+
+       char opt = param_getchar(Cmd, 0);
+       if (strlen(Cmd)<1 || opt == 'h' || opt == 'H') return usage_hf_iclass_decrypt();
+       
+       uint8_t key[16] = { 0 };
+       if(readKeyfile("iclass_decryptionkey.bin", 16, key)) return usage_hf_iclass_decrypt();
+       
+       PrintAndLog("Decryption key loaded from file [ok]");
+
+       //Open the tagdump-file
+       FILE *f;
+       char filename[FILE_PATH_SIZE];
+       if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0) {
+               f = fopen(filename, "rb");
+               if (!f) {
+                       PrintAndLog("Could not find file %s", filename);
+                       return 1;
+               }               
+       } else {
+               return usage_hf_iclass_decrypt();
+       }       
+
+       fseek(f, 0, SEEK_END);
+       long fsize = ftell(f);
+       fseek(f, 0, SEEK_SET);
+               
+       if ( fsize < 0 ) {
+               PrintAndLog("Error, when getting filesize");
+               fclose(f);
+               return 2;
+       }
+       
+       uint8_t *decrypted = malloc(fsize);
+       
+       size_t bytes_read = fread(decrypted, 1, fsize, f);
+       fclose(f);
+       if ( bytes_read == 0) {
+               PrintAndLog("File reading error");
+               free(decrypted);
+               return 3;
+       }
+
+       picopass_hdr *hdr = (picopass_hdr *)decrypted;
+               
+       uint8_t mem = hdr->conf.mem_config;
+       uint8_t chip = hdr->conf.chip_config;
+       uint8_t applimit = hdr->conf.app_limit;
+       uint8_t kb = 2;
+       uint8_t app_areas = 2;
+       uint8_t max_blk = 31;
+       getMemConfig(mem, chip, &max_blk, &app_areas, &kb);     
+       
+       //Use the first block (CSN) for filename
+       char outfilename[FILE_PATH_SIZE] = {0};
+       snprintf(outfilename, FILE_PATH_SIZE, "iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x-decrypted",
+                        hdr->csn[0],hdr->csn[1],hdr->csn[2],hdr->csn[3],
+                        hdr->csn[4],hdr->csn[5],hdr->csn[6],hdr->csn[7]);
+
+       // tripledes
+       des3_context ctx = { DES_DECRYPT ,{ 0 } };
+       des3_set2key_dec( &ctx, key);
+
+       uint8_t enc_dump[8] = {0};
+       uint8_t empty[8] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
+       for(uint16_t blocknum=0; blocknum < applimit; ++blocknum) {
+               
+               uint8_t idx = blocknum*8;
+               memcpy(enc_dump, decrypted + idx, 8);
+               
+               // block 7 or higher,  and not empty 0xFF
+               if(blocknum > 6 &&  memcmp(enc_dump, empty, 8) != 0 ) {
+                       des3_crypt_ecb(&ctx, enc_dump, decrypted + idx );
+               }
+               //printvar("decrypted block", decrypted + idx, 8);
+       }
+       
+       saveFile(outfilename, "bin", decrypted, fsize);
+       free(decrypted);
+       
+       printIclassDumpContents(decrypted, 1, (fsize/8), fsize);
+       return 0;
+}
+
+static int iClassEncryptBlkData(uint8_t *blkData) {
+       uint8_t key[16] = { 0 };
+       if(readKeyfile("iclass_decryptionkey.bin", 16, key)) {
+               usage_hf_iclass_encrypt();
+               return 1;
+       }
+       PrintAndLog("Decryption file found... ");
+       uint8_t encryptedData[16];
+       uint8_t *encrypted = encryptedData;
+       des3_context ctx = { DES_DECRYPT ,{ 0 } };
+       des3_set2key_enc( &ctx, key);
+       
+       des3_crypt_ecb(&ctx, blkData,encrypted);
+       //printvar("decrypted block", decrypted, 8);
+       memcpy(blkData,encrypted,8);
+
+       return 1;
+}
+
+int CmdHFiClassEncryptBlk(const char *Cmd) {
+       uint8_t blkData[8] = {0};
+       char opt = param_getchar(Cmd, 0);
+       if (strlen(Cmd)<1 || opt == 'h' || opt == 'H') return usage_hf_iclass_encrypt();
+
+       //get the bytes to encrypt
+       if (param_gethex(Cmd, 0, blkData, 16)) {
+               PrintAndLog("BlockData must include 16 HEX symbols");
+               return 0;
+       }
+       if (!iClassEncryptBlkData(blkData)) return 0;
+
+       printvar("encrypted block", blkData, 8);
+       return 1;
+}
+
+void Calc_wb_mac(uint8_t blockno, uint8_t *data, uint8_t *div_key, uint8_t MAC[4]) {
+       uint8_t WB[9];
+       WB[0] = blockno;
+       memcpy(WB + 1,data,8);
+       doMAC_N(WB,sizeof(WB),div_key,MAC);
+       //printf("Cal wb mac block [%02x][%02x%02x%02x%02x%02x%02x%02x%02x] : MAC [%02x%02x%02x%02x]",WB[0],WB[1],WB[2],WB[3],WB[4],WB[5],WB[6],WB[7],WB[8],MAC[0],MAC[1],MAC[2],MAC[3]);
+}
+
+static bool select_only(uint8_t *CSN, uint8_t *CCNR, bool use_credit_key, bool verbose) {
+       UsbCommand resp;
+
+       UsbCommand c = {CMD_READER_ICLASS, {0}};
+       c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_CC | FLAG_ICLASS_READER_ONE_TRY;
+       if (use_credit_key)
+               c.arg[0] |= FLAG_ICLASS_READER_CEDITKEY;
+
+       clearCommandBuffer();
+       SendCommand(&c);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+               PrintAndLog("Command execute timeout");
+               return false;
+       }
+
+       uint8_t isOK = resp.arg[0] & 0xff;
+       uint8_t *data = resp.d.asBytes;
+
+       memcpy(CSN,data,8);
+       
+       if (CCNR!=NULL) 
+               memcpy(CCNR,data+16,8);
+       
+       if(isOK > 0) {
+               if (verbose) PrintAndLog("CSN: %s",sprint_hex(CSN,8));
+       }
+       
+       if(isOK <= 1){
+               PrintAndLog("Failed to obtain CC! Aborting");
+               return false;
+       }
+       return true;    
+}
+
+static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
+       uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+       if (!select_only(CSN, CCNR, use_credit_key, verbose))
+               return false;
+
+       //get div_key
+       if(rawkey)
+               memcpy(div_key, KEY, 8);
+       else
+               HFiClassCalcDivKey(CSN, KEY, div_key, elite);
+       
+       PrintAndLog("Authing with %s: %02x%02x%02x%02x%02x%02x%02x%02x", rawkey ? "raw key" : "diversified key", div_key[0],div_key[1],div_key[2],div_key[3],div_key[4],div_key[5],div_key[6],div_key[7]);
+
+       doMAC(CCNR, div_key, MAC);
+       UsbCommand resp;
+       UsbCommand d = {CMD_ICLASS_AUTHENTICATION, {0}};
+       memcpy(d.d.asBytes, MAC, 4);
+       clearCommandBuffer();
+       SendCommand(&d);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+               PrintAndLog("Auth Command execute timeout");
+               return false;
+       }
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK) {
+               PrintAndLog("Authentication error");
+               return false;
+       }
+       return true;
+}
+
+int CmdHFiClassReader_Dump(const char *Cmd) {
+
+       uint8_t MAC[4] = {0x00,0x00,0x00,0x00};
+       uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t c_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t blockno = 0;
+       uint8_t numblks = 0;
+       uint8_t maxBlk = 31;
+       uint8_t app_areas = 1;
+       uint8_t kb = 2;
+       uint8_t KEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CreditKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       uint8_t fileNameLen = 0;
+       char filename[FILE_PATH_SIZE]={0};
+       char tempStr[50] = {0};
+       bool have_debit_key = false;
+       bool have_credit_key = false;
+       bool use_credit_key = false;
+       bool elite = false;
+       bool rawkey = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_dump();
+               case 'c':
+               case 'C':
+                       have_credit_key = true;
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) {
+                               errors = param_gethex(tempStr, 0, CreditKEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr < ICLASS_KEYS_MAX) {
+                                       memcpy(CreditKEY, iClass_Key_Table[keyNbr], 8);
                                } else {
                                } else {
-                                       sprintf(line+(j*4), "%02x   ", frame[j]);
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
                                }
                                }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
                        }
                        }
-               }else
+                       cmdp += 2;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'f':
+               case 'F':
+                       fileNameLen = param_getstr(Cmd, cmdp+1, filename); 
+                       if (fileNameLen < 1) {
+                               PrintAndLog("No filename found after f");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'k':
+               case 'K':
+                       have_debit_key = true;
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr < ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'r':
+               case 'R':
+                       rawkey = true;
+                       cmdp++;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_dump();
+       }
+
+       if (cmdp < 2) return usage_hf_iclass_dump();
+       // if no debit key given try credit key on AA1 (not for iclass but for some picopass this will work)
+       if (!have_debit_key && have_credit_key) use_credit_key = true;
+
+       //get config and first 3 blocks
+       UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN |
+                                       FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY}};
+       UsbCommand resp;
+       uint8_t tag_data[255*8];
+
+       clearCommandBuffer();
+       SendCommand(&c);
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+               PrintAndLog("Command execute timeout");
+               ul_switch_off_field();
+               return 0;
+       }
+       uint8_t readStatus = resp.arg[0] & 0xff;
+       uint8_t * data  = resp.d.asBytes;
+
+       if(readStatus == 0){
+               PrintAndLog("No tag found...");
+               ul_switch_off_field();
+               return 0;
+       }
+       
+       if( readStatus & (FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_CC)){
+               memcpy(tag_data, data, 8*3);
+               blockno += 2; // 2 to force re-read of block 2 later. (seems to respond differently..)
+               numblks = data[8];
+               getMemConfig(data[13], data[12], &maxBlk, &app_areas, &kb);
+               // large memory - not able to dump pages currently
+               if (numblks > maxBlk) numblks = maxBlk;
+       }
+       
+       ul_switch_off_field();
+       // authenticate debit key and get div_key - later store in dump block 3
+       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
+               //try twice - for some reason it sometimes fails the first time...
+               if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
+                       ul_switch_off_field();
+                       return 0;
+               }
+       }
+       
+       // begin dump
+       UsbCommand w = {CMD_ICLASS_DUMP, {blockno, numblks-blockno+1}};
+       clearCommandBuffer();
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+               PrintAndLog("Command execute time-out 1");
+               ul_switch_off_field();
+               return 1;
+       }
+       uint32_t blocksRead = resp.arg[1];
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK && !blocksRead) {
+               PrintAndLog("Read Block Failed");
+               ul_switch_off_field();
+               return 0;
+       }
+       uint32_t startindex = resp.arg[2];
+       if (blocksRead*8 > sizeof(tag_data)-(blockno*8)) {
+               PrintAndLog("Data exceeded Buffer size!");
+               blocksRead = (sizeof(tag_data)/8) - blockno;
+       }
+       // response ok - now get bigbuf content of the dump
+       GetFromBigBuf(tag_data+(blockno*8), blocksRead*8, startindex);
+       WaitForResponse(CMD_ACK,NULL);
+       size_t gotBytes = blocksRead*8 + blockno*8;
+
+       // try AA2
+       if (have_credit_key) {
+               //turn off hf field before authenticating with different key
+               ul_switch_off_field();
+               memset(MAC,0,4);
+               // AA2 authenticate credit key and git c_div_key - later store in dump block 4
+               if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
+                       //try twice - for some reason it sometimes fails the first time...
+                       if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
+                               ul_switch_off_field();
+                               return 0;
+                       }
+               }
+               // do we still need to read more block?  (aa2 enabled?)
+               if (maxBlk > blockno+numblks+1) {
+                       // setup dump and start
+                       w.arg[0] = blockno + blocksRead;
+                       w.arg[1] = maxBlk - (blockno + blocksRead);
+                       clearCommandBuffer();
+                       SendCommand(&w);
+                       if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+                               PrintAndLog("Command execute timeout 2");
+                               ul_switch_off_field();
+                               return 0;
+                       }
+                       uint8_t isOK = resp.arg[0] & 0xff;
+                       blocksRead = resp.arg[1];
+                       if (!isOK && !blocksRead) {
+                               PrintAndLog("Read Block Failed 2");
+                               ul_switch_off_field();
+                               return 0;
+                       }               
+
+                       startindex = resp.arg[2];
+                       if (blocksRead*8 > sizeof(tag_data)-gotBytes) {
+                               PrintAndLog("Data exceeded Buffer size!");
+                               blocksRead = (sizeof(tag_data) - gotBytes)/8;
+                       }
+                       // get dumped data from bigbuf
+                       GetFromBigBuf(tag_data+gotBytes, blocksRead*8, startindex);
+                       WaitForResponse(CMD_ACK,NULL);
+
+                       gotBytes += blocksRead*8;                       
+               } else { //field is still on - turn it off...
+                       ul_switch_off_field();
+               }
+       }
+
+       // add diversified keys to dump
+       if (have_debit_key) memcpy(tag_data+(3*8),div_key,8);
+       if (have_credit_key) memcpy(tag_data+(4*8),c_div_key,8);
+       
+       printf("Num of bytes:  %zu\n", gotBytes);
+       
+       // print the dump
+       printf("------+--+-------------------------+\n");
+       printf("CSN   |00| %s|\n", sprint_hex(tag_data, 8));    
+       //printIclassDumpContents(tag_data, 1, (gotBytes/8)-1, gotBytes-8);
+       printIclassDumpContents(tag_data, 1, (gotBytes/8), gotBytes);
+
+       if (filename[0] == 0){
+               snprintf(filename, FILE_PATH_SIZE,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
+                   tag_data[0],tag_data[1],tag_data[2],tag_data[3],
+                   tag_data[4],tag_data[5],tag_data[6],tag_data[7]);
+       }
+
+       // save the dump to .bin file
+       PrintAndLog("Saving dump file - %d blocks read", gotBytes/8);
+       saveFile(filename, "bin", tag_data, gotBytes);
+       return 1;
+}
+
+static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
+       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, verbose))
+               return 0;
+
+       UsbCommand resp;
+
+       Calc_wb_mac(blockno,bldata,div_key,MAC);
+       UsbCommand w = {CMD_ICLASS_WRITEBLOCK, {blockno}};
+       memcpy(w.d.asBytes, bldata, 8);
+       memcpy(w.d.asBytes + 8, MAC, 4);
+       
+       clearCommandBuffer();
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+               PrintAndLog("Write Command execute timeout");
+               return 0;
+       }
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK) {
+               PrintAndLog("Write Block Failed");
+               return 0;
+       }
+       PrintAndLog("Write Block Successful");
+       return 1;
+}
+
+int CmdHFiClass_WriteBlock(const char *Cmd) {
+       uint8_t blockno=0;
+       uint8_t bldata[8]={0,0,0,0,0,0,0,0};
+       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       char tempStr[50] = {0};
+       bool use_credit_key = false;
+       bool elite = false;
+       bool rawkey= false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
                {
                {
-                       if (ShowWaitCycles) {
-                               sprintf(line, "fdt (Frame Delay Time): %d", (next_timestamp - timestamp));
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_writeblock();
+               case 'b':
+               case 'B':
+                       if (param_gethex(Cmd, cmdp+1, &blockno, 2)) {
+                               PrintAndLog("Block No must include 2 HEX symbols\n");
+                               errors = true;
                        }
                        }
+                       cmdp += 2;
+                       break;
+               case 'c':
+               case 'C':
+                       use_credit_key = true;
+                       cmdp++;
+                       break;
+               case 'd':
+               case 'D':
+                       if (param_gethex(Cmd, cmdp+1, bldata, 16))
+                       {
+                               PrintAndLog("KEY must include 16 HEX symbols\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'k':
+               case 'K':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr < ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'r':
+               case 'R':
+                       rawkey = true;
+                       cmdp++;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
                }
                }
+               if(errors) return usage_hf_iclass_writeblock();
+       }
 
 
-               char *crc = "";
+       if (cmdp < 6) return usage_hf_iclass_writeblock();
+       int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, true);
+       ul_switch_off_field();
+       return ans;
+}
 
 
-               if(len > 2)
+int CmdHFiClassCloneTag(const char *Cmd) {
+       char filename[FILE_PATH_SIZE] = { 0x00 };
+       char tempStr[50]={0};
+       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t fileNameLen = 0;
+       uint8_t startblock = 0;
+       uint8_t endblock = 0;
+       uint8_t dataLen = 0;
+       bool use_credit_key = false;
+       bool elite = false;
+       bool rawkey = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
                {
                {
-                       uint8_t b1, b2;
-                       if(!tagToReader && len == 4) {
-                               // Rough guess that this is a command from the reader
-                               // For iClass the command byte is not part of the CRC
-                                       ComputeCrc14443(CRC_ICLASS, &frame[1], len-3, &b1, &b2);
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_clone();
+               case 'b':
+               case 'B':
+                       if (param_gethex(Cmd, cmdp+1, &startblock, 2)) {
+                               PrintAndLog("Start Block No must include 2 HEX symbols\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'c':
+               case 'C':
+                       use_credit_key = true;
+                       cmdp++;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'f':
+               case 'F':
+                       fileNameLen = param_getstr(Cmd, cmdp+1, filename); 
+                       if (fileNameLen < 1) {
+                               PrintAndLog("No filename found after f");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'k':
+               case 'K':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr < ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
                        }
                        }
-                       else {
-                                 // For other data.. CRC might not be applicable (UPDATE commands etc.)
-                               ComputeCrc14443(CRC_ICLASS, frame, len-2, &b1, &b2);
+                       cmdp += 2;
+                       break;
+               case 'l':
+               case 'L':
+                       if (param_gethex(Cmd, cmdp+1, &endblock, 2)) {
+                               PrintAndLog("Start Block No must include 2 HEX symbols\n");
+                               errors = true;
                        }
                        }
+                       cmdp += 2;
+                       break;
+               case 'r':
+               case 'R':
+                       rawkey = true;
+                       cmdp++;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_clone();
+       }
+
+       if (cmdp < 8) return usage_hf_iclass_clone();
+
+       FILE *f;
+
+       iclass_block_t tag_data[USB_CMD_DATA_SIZE/12];
+
+       if ((endblock-startblock+1)*12 > USB_CMD_DATA_SIZE) {
+               PrintAndLog("Trying to write too many blocks at once.  Max: %d", USB_CMD_DATA_SIZE/8);
+       }
+       // file handling and reading
+       f = fopen(filename,"rb");
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 1;
+       }
+
+       if (startblock<5) {
+               PrintAndLog("You cannot write key blocks this way. yet... make your start block > 4");
+               fclose(f);      
+               return 0;
+       }
+       // now read data from the file from block 6 --- 19
+       // ok we will use this struct [data 8 bytes][MAC 4 bytes] for each block calculate all mac number for each data
+       // then copy to usbcommand->asbytes; the max is 32 - 6 = 24 block 12 bytes each block 288 bytes then we can only accept to clone 21 blocks at the time,
+       // else we have to create a share memory
+       int i;
+       fseek(f,startblock*8,SEEK_SET);
+       size_t bytes_read = fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f);
+       if ( bytes_read == 0){
+               PrintAndLog("File reading error.");
+               fclose(f);
+               return 2;
+       }
+
+       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+       if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, true))
+               return 0;
+
+       UsbCommand w = {CMD_ICLASS_CLONE,{startblock,endblock}};
+       uint8_t *ptr;
+       // calculate all mac for every the block we will write
+       for (i = startblock; i <= endblock; i++){
+           Calc_wb_mac(i,tag_data[i - startblock].d,div_key,MAC);
+           // usb command d start pointer = d + (i - 6) * 12
+           // memcpy(pointer,tag_data[i - 6],8) 8 bytes
+           // memcpy(pointer + 8,mac,sizoof(mac) 4 bytes;
+           // next one
+           ptr = w.d.asBytes + (i - startblock) * 12;
+           memcpy(ptr, &(tag_data[i - startblock].d[0]), 8);
+           memcpy(ptr + 8,MAC, 4);
+       }
+       uint8_t p[12];
+       for (i = 0; i <= endblock - startblock;i++){
+           memcpy(p,w.d.asBytes + (i * 12),12);
+           printf("Block |%02x|",i + startblock);
+           printf(" %02x%02x%02x%02x%02x%02x%02x%02x |",p[0],p[1],p[2],p[3],p[4],p[5],p[6],p[7]);
+           printf(" MAC |%02x%02x%02x%02x|\n",p[8],p[9],p[10],p[11]);
+       }
+       UsbCommand resp;
+       clearCommandBuffer();
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+               PrintAndLog("Command execute timeout");
+               return 0;
+       }
+       return 1;
+}
 
 
-                       if (b1 != frame[len-2] || b2 != frame[len-1]) {
-                               crc = (tagToReader & (len < 8)) ? "" : " !crc";
+static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose) {
+       uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+       uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+       if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose))
+               return 0;
+
+       UsbCommand resp;
+       UsbCommand w = {CMD_ICLASS_READBLOCK, {blockno}};
+       clearCommandBuffer();
+       SendCommand(&w);
+       if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+               PrintAndLog("Command execute timeout");
+               return 0;
+       }
+       
+       uint8_t isOK = resp.arg[0] & 0xff;
+       if (!isOK) {
+               PrintAndLog("Read Block Failed");
+               return 0;
+       }
+       //data read is stored in: resp.d.asBytes[0-15]
+       if (verbose) PrintAndLog("Block %02X: %s\n",blockno, sprint_hex(resp.d.asBytes,8));
+       return 1;
+}
+
+int CmdHFiClass_ReadBlock(const char *Cmd) {
+       uint8_t blockno=0;
+       uint8_t keyType = 0x88; //debit key
+       uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       char tempStr[50] = {0};
+       bool elite = false;
+       bool rawkey = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_readblock();
+               case 'b':
+               case 'B':
+                       if (param_gethex(Cmd, cmdp+1, &blockno, 2)) {
+                               PrintAndLog("Block No must include 2 HEX symbols\n");
+                               errors = true;
                        }
                        }
+                       cmdp += 2;
+                       break;
+               case 'c':
+               case 'C':
+                       keyType = 0x18;
+                       cmdp++;
+                       break;
+               case 'e':
+               case 'E':
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'k':
+               case 'K':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr < ICLASS_KEYS_MAX) {
+                                       memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'r':
+               case 'R':
+                       rawkey = true;
+                       cmdp++;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
                }
                }
+               if(errors) return usage_hf_iclass_readblock();
+       }
 
 
-               i += (len + 9);
-               EndOfTransmissionTimestamp = (*((uint32_t *)(got+i))) & 0x7fffffff;
+       if (cmdp < 4) return usage_hf_iclass_readblock();
 
 
-               // Not implemented for iclass on the ARM-side
-               //if (!ShowWaitCycles) i += 9;
+       return ReadBlock(KEY, blockno, keyType, elite, rawkey, true);
+}
 
 
-               PrintAndLog(" %9d | %9d | %s | %s %s",
-                       (timestamp - first_timestamp),
-                       (EndOfTransmissionTimestamp - first_timestamp),
-                       (len?(tagToReader ? "Tag" : "Rdr"):"   "),
-                       line, crc);
+int CmdHFiClass_loclass(const char *Cmd) {
+       char opt = param_getchar(Cmd, 0);
+
+       if (strlen(Cmd)<1 || opt == 'h') {
+               PrintAndLog("Usage: hf iclass loclass [options]");
+               PrintAndLog("Options:");
+               PrintAndLog("h             Show this help");
+               PrintAndLog("t             Perform self-test");
+               PrintAndLog("f <filename>  Bruteforce iclass dumpfile");
+               PrintAndLog("                   An iclass dumpfile is assumed to consist of an arbitrary number of");
+               PrintAndLog("                   malicious CSNs, and their protocol responses");
+               PrintAndLog("                   The binary format of the file is expected to be as follows: ");
+               PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+               PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+               PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+               PrintAndLog("                  ... totalling N*24 bytes");
+               return 0;
+       }
+       char fileName[255] = {0};
+       if(opt == 'f')  {
+               if(param_getstr(Cmd, 1, fileName) > 0) {
+                       return bruteforceFileNoKeys(fileName);
+               } else {
+                       PrintAndLog("You must specify a filename");
+                       // no return?
+               }
+       }
+       else if(opt == 't') {
+               int errors = testCipherUtils();
+               errors += testMAC();
+               errors += doKeyTests(0);
+               errors += testElite();
+               if(errors) prnlog("OBS! There were errors!!!");
+               return errors;
        }
        return 0;
 }
 
        }
        return 0;
 }
 
-int CmdHFiClassListOld(const char *Cmd)
-{
-  uint8_t got[1920];
-  GetFromBigBuf(got,sizeof(got),0);
-
-  PrintAndLog("recorded activity:");
-  PrintAndLog(" ETU     :rssi: who bytes");
-  PrintAndLog("---------+----+----+-----------");
-
-  int i = 0;
-  int prev = -1;
-
-  for (;;) {
-    if(i >= 1900) {
-      break;
-    }
-
-    bool isResponse;
-    int timestamp = *((uint32_t *)(got+i));
-    if (timestamp & 0x80000000) {
-      timestamp &= 0x7fffffff;
-      isResponse = 1;
-    } else {
-      isResponse = 0;
-    }
-
-
-    int metric = 0;
-
-    int parityBits = *((uint32_t *)(got+i+4));
-    // 4 bytes of additional information...
-    // maximum of 32 additional parity bit information
-    //
-    // TODO:
-    // at each quarter bit period we can send power level (16 levels)
-    // or each half bit period in 256 levels.
-
-
-    int len = got[i+8];
-
-    if (len > 100) {
-      break;
-    }
-    if (i + len >= 1900) {
-      break;
-    }
-
-    uint8_t *frame = (got+i+9);
-
-    // Break and stick with current result if buffer was not completely full
-    if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
-
-    char line[1000] = "";
-    int j;
-    for (j = 0; j < len; j++) {
-      int oddparity = 0x01;
-      int k;
-
-      for (k=0;k<8;k++) {
-        oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
-      }
-
-      //if((parityBits >> (len - j - 1)) & 0x01) {
-      if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
-        sprintf(line+(j*4), "%02x!  ", frame[j]);
-      }
-      else {
-        sprintf(line+(j*4), "%02x   ", frame[j]);
-      }
-    }
-
-    char *crc;
-    crc = "";
-    if (len > 2) {
-      uint8_t b1, b2;
-      for (j = 0; j < (len - 1); j++) {
-        // gives problems... search for the reason..
-        /*if(frame[j] == 0xAA) {
-          switch(frame[j+1]) {
-            case 0x01:
-              crc = "[1] Two drops close after each other";
-            break;
-            case 0x02:
-              crc = "[2] Potential SOC with a drop in second half of bitperiod";
-              break;
-            case 0x03:
-              crc = "[3] Segment Z after segment X is not possible";
-              break;
-            case 0x04:
-              crc = "[4] Parity bit of a fully received byte was wrong";
-              break;
-            default:
-              crc = "[?] Unknown error";
-              break;
-          }
-          break;
-        }*/
-      }
-
-      if (strlen(crc)==0) {
-       if(!isResponse && len == 4) {
-               // Rough guess that this is a command from the reader
-               // For iClass the command byte is not part of the CRC
-               ComputeCrc14443(CRC_ICLASS, &frame[1], len-3, &b1, &b2);
-       }
-       else {
-               // For other data.. CRC might not be applicable (UPDATE commands etc.)
-               ComputeCrc14443(CRC_ICLASS, frame, len-2, &b1, &b2);
-       }
-       //printf("%1x %1x",(unsigned)b1,(unsigned)b2);
-        if (b1 != frame[len-2] || b2 != frame[len-1]) {
-          crc = (isResponse & (len < 8)) ? "" : " !crc";
-        } else {
-          crc = "";
-        }
-      }
-    } else {
-      crc = ""; // SHORT
-    }
-
-    char metricString[100];
-    if (isResponse) {
-      sprintf(metricString, "%3d", metric);
-    } else {
-      strcpy(metricString, "   ");
-    }
-
-    PrintAndLog(" +%7d: %s: %s %s %s",
-      (prev < 0 ? 0 : (timestamp - prev)),
-      metricString,
-      (isResponse ? "TAG" : "   "), line, crc);
-
-    prev = timestamp;
-    i += (len + 9);
-  }
-  return 0;
-}
-
-/*void iso14a_set_timeout(uint32_t timeout) {
-       UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_SET_TIMEOUT, 0, timeout}};
-       SendCommand(&c);
-}*/
-
-int CmdHFiClassSnoop(const char *Cmd)
-{
-  UsbCommand c = {CMD_SNOOP_ICLASS};
-  SendCommand(&c);
-  return 0;
+void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize) {
+       uint8_t mem_config;
+       memcpy(&mem_config, iclass_dump + 13,1);
+       uint8_t maxmemcount;
+       
+       uint8_t filemaxblock = filesize / 8;
+
+       if (mem_config & 0x80)
+               maxmemcount = 255;
+       else
+               maxmemcount = 31;
+
+       if (startblock == 0)
+               startblock = 6;
+       
+       if ((endblock > maxmemcount) || (endblock == 0))
+               endblock = maxmemcount;
+       
+       // remember endblock needs to relate to zero-index arrays.
+       if (endblock > filemaxblock-1)
+               endblock = filemaxblock-1;
+
+       //PrintAndLog   ("startblock: %d, endblock: %d, filesize: %d, maxmemcount: %d, filemaxblock: %d",startblock, endblock,filesize, maxmemcount, filemaxblock);
+       
+       int i = startblock;
+       printf("------+--+-------------------------+\n");
+       while (i <= endblock){
+               uint8_t *blk = iclass_dump + (i * 8);
+               printf("Block |%02X| %s\n", i, sprint_hex_ascii(blk, 8) );      
+               i++;
+       }
+       printf("------+--+-------------------------+\n");
 }
 
 }
 
-int CmdHFiClassSim(const char *Cmd)
-{
-  uint8_t simType = 0;
-  uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+int CmdHFiClassReadTagFile(const char *Cmd) {
+       int startblock = 0;
+       int endblock = 0;
+       char tempnum[5];
+       FILE *f;
+       char filename[FILE_PATH_SIZE];
+       if (param_getstr(Cmd, 0, filename) < 1)
+               return usage_hf_iclass_readtagfile();
+       
+       if (param_getstr(Cmd,1,(char *)&tempnum) < 1)
+               startblock = 0;
+       else
+               sscanf(tempnum,"%d",&startblock);
+
+       if (param_getstr(Cmd,2,(char *)&tempnum) < 1)
+               endblock = 0;
+       else
+               sscanf(tempnum,"%d",&endblock);
+       
+       // file handling and reading
+       f = fopen(filename,"rb");
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 1;
+       }
+       fseek(f, 0, SEEK_END);
+       long fsize = ftell(f);
+       fseek(f, 0, SEEK_SET);
+
+       if ( fsize < 0 ) {
+               PrintAndLog("Error, when getting filesize");
+               fclose(f);
+               return 1;
+       }
 
 
-  if (strlen(Cmd)<1) {
-       PrintAndLog("Usage:  hf iclass sim [0 <CSN>] | x");
-       PrintAndLog("        options");
-       PrintAndLog("                0 <CSN> simulate the given CSN");
-       PrintAndLog("                1       simulate default CSN");
-       PrintAndLog("                2       iterate CSNs, gather MACs");
-       PrintAndLog("        sample: hf iclass sim 0 031FEC8AF7FF12E0");
-       PrintAndLog("        sample: hf iclass sim 2");
+       uint8_t *dump = malloc(fsize);
+       size_t bytes_read = fread(dump, 1, fsize, f);
+       fclose(f);
+       
+       uint8_t *csn = dump;
+       printf("------+--+-------------------------+\n");
+       printf("CSN   |00| %s|\n", sprint_hex(csn, 8) );
+       printIclassDumpContents(dump, startblock, endblock, bytes_read);
+       free(dump);
        return 0;
        return 0;
-  }    
-
-  simType = param_get8(Cmd, 0);
-
-  if(simType == 0)
-  {
-         if (param_gethex(Cmd, 1, CSN, 16)) {
-                 PrintAndLog("A CSN should consist of 16 HEX symbols");
-                 return 1;
-         }
-         PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));
-
-  }
-  if(simType > 2)
-  {
-         PrintAndLog("Undefined simptype %d", simType);
-         return 1;
-  }
-  uint8_t numberOfCSNs=0;
+}
 
 
-       if(simType == 2)
-       {
-               UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,63}};
-               UsbCommand resp = {0};
+/*
+uint64_t xorcheck(uint64_t sdiv,uint64_t hdiv) {
+       uint64_t new_div = 0x00;
+       new_div ^= sdiv;
+       new_div ^= hdiv;
+       return new_div;
+}
 
 
-               uint8_t csns[64] = {
-                        0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
-                        0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
-                        0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
-                        0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 ,
-                        0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 ,
-                        0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
-                        0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
-                        0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
+uint64_t hexarray_to_uint64(uint8_t *key) {
+       char temp[17];
+       uint64_t uint_key;
+       for (int i = 0;i < 8;i++)
+               sprintf(&temp[(i *2)],"%02X",key[i]);
+       temp[16] = '\0';
+       if (sscanf(temp,"%016"llX,&uint_key) < 1)
+               return 0;
+       return uint_key;
+}
+*/
+void HFiClassCalcDivKey(uint8_t        *CSN, uint8_t   *KEY, uint8_t *div_key, bool elite){
+       uint8_t keytable[128] = {0};
+       uint8_t key_index[8] = {0};
+       if (elite) {
+               uint8_t key_sel[8] = { 0 };
+               uint8_t key_sel_p[8] = { 0 };
+               hash2(KEY, keytable);
+               hash1(CSN, key_index);
+               for(uint8_t i = 0; i < 8 ; i++)
+                       key_sel[i] = keytable[key_index[i]] & 0xFF;
+
+               //Permute from iclass format to standard format
+               permutekey_rev(key_sel, key_sel_p);
+               diversifyKey(CSN, key_sel_p, div_key);  
+       } else {
+               diversifyKey(CSN, KEY, div_key);
+       }               
+}
 
 
-               memcpy(c.d.asBytes, csns, 64);
+//when told CSN, oldkey, newkey, if new key is elite (elite), and if old key was elite (oldElite)
+//calculate and return xor_div_key (ready for a key write command)
+//print all div_keys if verbose
+static void HFiClassCalcNewKey(uint8_t *CSN, uint8_t *OLDKEY, uint8_t *NEWKEY, uint8_t *xor_div_key, bool elite, bool oldElite, bool verbose){
+       uint8_t old_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t new_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       //get old div key
+       HFiClassCalcDivKey(CSN, OLDKEY, old_div_key, oldElite);
+       //get new div key
+       HFiClassCalcDivKey(CSN, NEWKEY, new_div_key, elite);
+       
+       for (uint8_t i = 0; i < sizeof(old_div_key); i++){
+               xor_div_key[i] = old_div_key[i] ^ new_div_key[i];
+       }
+       if (verbose) {
+               printf("Old div key : %s\n",sprint_hex(old_div_key,8));
+               printf("New div key : %s\n",sprint_hex(new_div_key,8));
+               printf("Xor div key : %s\n",sprint_hex(xor_div_key,8));         
+       }
+}
 
 
-               SendCommand(&c);
-               if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
-                       PrintAndLog("Command timed out");
-                       return 0;
+int CmdHFiClassCalcNewKey(const char *Cmd) {
+       uint8_t OLDKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t NEWKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t xor_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CSN[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t CCNR[12] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       char tempStr[50] = {0};
+       bool givenCSN = false;
+       bool oldElite = false;
+       bool elite = false;
+       bool errors = false;
+       uint8_t cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_calc_newkey();
+               case 'e':
+               case 'E':
+                       dataLen = param_getstr(Cmd, cmdp, tempStr);
+                       if (dataLen==2)
+                               oldElite = true;
+                       elite = true;
+                       cmdp++;
+                       break;
+               case 'n':
+               case 'N':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, NEWKEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr < ICLASS_KEYS_MAX) {
+                                       memcpy(NEWKEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: NewKey Nbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: NewKey is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'o':
+               case 'O':
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { 
+                               errors = param_gethex(tempStr, 0, OLDKEY, dataLen);
+                       } else if (dataLen == 1) {
+                               keyNbr = param_get8(Cmd, cmdp+1);
+                               if (keyNbr < ICLASS_KEYS_MAX) {
+                                       memcpy(OLDKEY, iClass_Key_Table[keyNbr], 8);
+                               } else {
+                                       PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+                                       errors = true;
+                               }
+                       } else {
+                               PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 's':
+               case 'S':
+                       givenCSN = true;
+                       if (param_gethex(Cmd, cmdp+1, CSN, 16))
+                               return usage_hf_iclass_calc_newkey();
+                       cmdp += 2;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
                }
                }
+               if(errors) return usage_hf_iclass_calc_newkey();
+       }
 
 
-               uint8_t num_mac_responses  = resp.arg[1];
-               PrintAndLog("Mac responses: %d MACs obtained (should be 8)", num_mac_responses);
+       if (cmdp < 4) return usage_hf_iclass_calc_newkey();
 
 
-               size_t datalen = 8*24;
-               /*
-                * Now, time to dump to file. We'll use this format:
-                * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
-                * So, it should wind up as
-                * 8 * 24 bytes.
-                *
-                * The returndata from the pm3 is on the following format
-                * <4 byte NR><4 byte MAC>
-                * CC are all zeroes, CSN is the same as was sent in
-                **/
-               void* dump = malloc(datalen);
-               memset(dump,0,datalen);//<-- Need zeroes for the CC-field
-               uint8_t i = 0;
-               for(i = 0 ; i < 8 ; i++)
-               {
-                       memcpy(dump+i*24, csns+i*8,8); //CSN
-                       //8 zero bytes here...
-                       //Then comes NR_MAC (eight bytes from the response)
-                       memcpy(dump+i*24+16,resp.d.asBytes+i*8,8);
+       if (!givenCSN)
+               if (!select_only(CSN, CCNR, false, true))
+                       return 0;
+       
+       HFiClassCalcNewKey(CSN, OLDKEY, NEWKEY, xor_div_key, elite, oldElite, true);
+       return 0;
+}
 
 
-               }
-               /** Now, save to dumpfile **/
-               saveFile("iclass_mac_attack", "bin", dump,datalen);
+static int loadKeys(char *filename) {
+       FILE *f;
+       f = fopen(filename,"rb");
+       if(!f) {
+               PrintAndLog("Failed to read from file '%s'", filename);
+               return 0;
+       }
+       fseek(f, 0, SEEK_END);
+       long fsize = ftell(f);
+       fseek(f, 0, SEEK_SET);
+
+       if ( fsize < 0 ) {
+               PrintAndLog("Error, when getting filesize");
+               fclose(f);
+               return 1;
+       }
+
+       uint8_t *dump = malloc(fsize);
+
+       size_t bytes_read = fread(dump, 1, fsize, f);
+       fclose(f);
+       if (bytes_read > ICLASS_KEYS_MAX * 8){
+               PrintAndLog("File is too long to load - bytes: %u", bytes_read);
                free(dump);
                free(dump);
-       }else
-       {
-               UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
-               memcpy(c.d.asBytes, CSN, 8);
-               SendCommand(&c);
+               return 0;
        }
        }
-  return 0;
+       uint8_t i = 0;
+       for (; i < bytes_read/8; i++)
+               memcpy(iClass_Key_Table[i],dump+(i*8),8);
+       
+       free(dump);
+       PrintAndLog("%u keys loaded", i);
+       return 1;
 }
 
 }
 
-int CmdHFiClassReader(const char *Cmd)
-{
-  uint8_t readerType = 0;
+static int saveKeys(char *filename) {
+       FILE *f;
+       f = fopen(filename,"wb");
+       if (!f) {
+               printf("error opening file %s\n",filename);
+               return 0;
+       }
+       for (uint8_t i = 0; i < ICLASS_KEYS_MAX; i++){
+               if (fwrite(iClass_Key_Table[i],8,1,f) != 1){
+                       PrintAndLog("save key failed to write to file: %s", filename);
+                       break;
+               }
+       }
+       fclose(f);
+       return 0;
+}
 
 
-  if (strlen(Cmd)<1) {
-       PrintAndLog("Usage:  hf iclass reader    <reader type>");
-       PrintAndLog("        sample: hf iclass reader 0");
+static int printKeys(void) {
+       PrintAndLog("");
+       for (uint8_t i = 0; i < ICLASS_KEYS_MAX; i++)
+               PrintAndLog("%u: %s", i, sprint_hex(iClass_Key_Table[i],8));
+       PrintAndLog("");        
        return 0;
        return 0;
-  }    
-
-  readerType = param_get8(Cmd, 0);
-  PrintAndLog("--readertype:%02x", readerType);
-
-  UsbCommand c = {CMD_READER_ICLASS, {readerType}};
-  //memcpy(c.d.asBytes, CSN, 8);
-  SendCommand(&c);
-
-  /*UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
-  if (resp != NULL) {
-       uint8_t                isOK  = resp->arg[0] & 0xff;
-       PrintAndLog("isOk:%02x", isOK);
-  } else {
-       PrintAndLog("Command execute timeout");
-  }*/
-
-  return 0;
-}
-
-static command_t CommandTable[] = 
-{
-  {"help",    CmdHelp,        1, "This help"},
-  {"list",    CmdHFiClassList,   0, "List iClass history"},
-  {"snoop",   CmdHFiClassSnoop,  0, "Eavesdrop iClass communication"},
-  {"sim",     CmdHFiClassSim,    0, "Simulate iClass tag"},
-  {"reader",  CmdHFiClassReader, 0, "Read an iClass tag"},
-  {NULL, NULL, 0, NULL}
-};
+}
 
 
-int CmdHFiClass(const char *Cmd)
-{
-  CmdsParse(CommandTable, Cmd);
-  return 0;
-}
-
-int CmdHelp(const char *Cmd)
-{
-  CmdsHelp(CommandTable);
-  return 0;
-}
-
-/**
- * @brief checks if a file exists
- * @param filename
- * @return
- */
-int fileExists(const char *filename) {
-       struct stat st;
-       int result = stat(filename, &st);
-       return result == 0;
-}
-/**
- * @brief Utility function to save data to a file. This method takes a preferred name, but if that
- * file already exists, it tries with another name until it finds something suitable.
- * E.g. dumpdata-15.txt
- * @param preferredName
- * @param suffix the file suffix. Leave out the ".".
- * @param data The binary data to write to the file
- * @param datalen the length of the data
- * @return 0 for ok, 1 for failz
- */
-int saveFile(const char *preferredName, const char *suffix, const void* data, size_t datalen)
-{
-       FILE *f = fopen(preferredName, "wb");
-       int size = sizeof(char) * (strlen(preferredName)+strlen(suffix)+5);
-       char * fileName = malloc(size);
-
-       memset(fileName,0,size);
-       int num = 1;
-       sprintf(fileName,"%s.%s", preferredName, suffix);
-       while(fileExists(fileName))
+int CmdHFiClassManageKeys(const char *Cmd) {
+       uint8_t keyNbr = 0;
+       uint8_t dataLen = 0;
+       uint8_t KEY[8] = {0};
+       char filename[FILE_PATH_SIZE];
+       uint8_t fileNameLen = 0;
+       bool errors = false;
+       uint8_t operation = 0;
+       char tempStr[20];
+       uint8_t cmdp = 0;
+
+       while(param_getchar(Cmd, cmdp) != 0x00)
        {
        {
-               sprintf(fileName,"%s-%d.%s", preferredName, num, suffix);
-               num++;
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_hf_iclass_managekeys();
+               case 'f':
+               case 'F':
+                       fileNameLen = param_getstr(Cmd, cmdp+1, filename); 
+                       if (fileNameLen < 1) {
+                               PrintAndLog("No filename found after f");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'n':
+               case 'N':
+                       keyNbr = param_get8(Cmd, cmdp+1);
+                       if (keyNbr == 0) {
+                               PrintAndLog("Wrong block number");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'k':
+               case 'K':
+                       operation += 3; //set key 
+                       dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+                       if (dataLen == 16) { //ul-c or ev1/ntag key length
+                               errors = param_gethex(tempStr, 0, KEY, dataLen);
+                       } else {
+                               PrintAndLog("\nERROR: Key is incorrect length\n");
+                               errors = true;
+                       }
+                       cmdp += 2;
+                       break;
+               case 'p':
+               case 'P':
+                       operation += 4; //print keys in memory
+                       cmdp++;
+                       break;
+               case 'l':
+               case 'L':
+                       operation += 5; //load keys from file
+                       cmdp++;
+                       break;
+               case 's':
+               case 'S':
+                       operation += 6; //save keys to file
+                       cmdp++;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) return usage_hf_iclass_managekeys();
+       }
+       if (operation == 0){
+               PrintAndLog("no operation specified (load, save, or print)\n");
+               return usage_hf_iclass_managekeys();
+       }
+       if (operation > 6){
+               PrintAndLog("Too many operations specified\n");
+               return usage_hf_iclass_managekeys();
+       }
+       if (operation > 4 && fileNameLen == 0){
+               PrintAndLog("You must enter a filename when loading or saving\n");
+               return usage_hf_iclass_managekeys();
        }
        }
-       /* We should have a valid filename now, e.g. dumpdata-3.bin */
 
 
-       /*Opening file for writing in binary mode*/
-       FILE *fileHandle=fopen(fileName,"wb");
-       if(!f) {
-               PrintAndLog("Failed to write to file '%s'", fileName);
-               return 0;
+       switch (operation){
+               case 3: memcpy(iClass_Key_Table[keyNbr], KEY, 8); return 1;
+               case 4: return printKeys();
+               case 5: return loadKeys(filename);
+               case 6: return saveKeys(filename);
+               break;
        }
        }
-       fwrite(data, 1, datalen, fileHandle);
-       fclose(fileHandle);
-       PrintAndLog("Saved data to '%s'", fileName);
+       return 0;
+}
+
+static command_t CommandTable[] = {
+       {"help",                CmdHelp,                                                1,      "This help"},
+       {"calcnewkey",  CmdHFiClassCalcNewKey,          1,      "[options..] Calc Diversified keys (blocks 3 & 4) to write new keys"},
+       {"clone",       CmdHFiClassCloneTag,            0,      "[options..] Authenticate and Clone from iClass bin file"},
+       {"decrypt",     CmdHFiClassDecrypt,             1,      "[f <fname>] Decrypt tagdump" },
+       {"dump",        CmdHFiClassReader_Dump,         0,      "[options..] Authenticate and Dump iClass tag's AA1"},
+       {"eload",       CmdHFiClassELoad,               0,      "[f <fname>] (experimental) Load data into iClass emulator memory"},
+       {"encryptblk",  CmdHFiClassEncryptBlk,          1,      "<BlockData> Encrypt given block data"},
+       {"list",        CmdHFiClassList,                0,      "            (Deprecated) List iClass history"},
+       {"loclass",     CmdHFiClass_loclass,            1,      "[options..] Use loclass to perform bruteforce of reader attack dump"},
+       {"managekeys",  CmdHFiClassManageKeys,          1,      "[options..] Manage the keys to use with iClass"},
+       {"readblk",     CmdHFiClass_ReadBlock,          0,      "[options..] Authenticate and Read iClass block"},
+       {"reader",              CmdHFiClassReader,                              0,      "Read an iClass tag"},
+       {"readtagfile", CmdHFiClassReadTagFile,         1,      "[options..] Display Content from tagfile"},
+       {"replay",      CmdHFiClassReader_Replay,       0,      "<mac>       Read an iClass tag via Reply Attack"},
+       {"sim",         CmdHFiClassSim,                 0,      "[options..] Simulate iClass tag"},
+       {"snoop",       CmdHFiClassSnoop,               0,      "            Eavesdrop iClass communication"},
+       {"writeblk",    CmdHFiClass_WriteBlock,         0,      "[options..] Authenticate and Write iClass block"},
+       {NULL, NULL, 0, NULL}
+};
+
+int CmdHFiClass(const char *Cmd) {
+       clearCommandBuffer();
+       CmdsParse(CommandTable, Cmd);
+       return 0;
+}
 
 
-       free(fileName);
+int CmdHelp(const char *Cmd) {
+       CmdsHelp(CommandTable);
        return 0;
 }
        return 0;
 }
Proxmark3 GIT tracking
Impressum, Datenschutz