+ bytes_remaining -= bytes_in_packet;
+ bytes_sent += bytes_in_packet;
+ }
+ free(dump);
+ PrintAndLog("Sent %d bytes of data to device emulator memory", bytes_sent);
+ return 0;
+}
+
+static int readKeyfile(const char *filename, size_t len, uint8_t* buffer) {
+ FILE *f = fopen(filename, "rb");
+ if(!f) {
+ PrintAndLog("Failed to read from file '%s'", filename);
+ return 1;
+ }
+ fseek(f, 0, SEEK_END);
+ long fsize = ftell(f);
+ fseek(f, 0, SEEK_SET);
+ size_t bytes_read = fread(buffer, 1, len, f);
+ fclose(f);
+
+ if(fsize != len) {
+ PrintAndLog("Warning, file size is %d, expected %d", fsize, len);
+ return 1;
+ }
+
+ if(bytes_read != len) {
+ PrintAndLog("Warning, could only read %d bytes, expected %d" ,bytes_read, len);
+ return 1;
+ }
+ return 0;
+}
+
+int CmdHFiClassDecrypt(const char *Cmd) {
+
+ char opt = param_getchar(Cmd, 0);
+ if (strlen(Cmd)<1 || opt == 'h' || opt == 'H') return usage_hf_iclass_decrypt();
+
+ uint8_t key[16] = { 0 };
+ if(readKeyfile("iclass_decryptionkey.bin", 16, key)) return usage_hf_iclass_decrypt();
+
+ PrintAndLog("Decryption key loaded from file [ok]");
+
+ //Open the tagdump-file
+ FILE *f;
+ char filename[FILE_PATH_SIZE];
+ if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0) {
+ f = fopen(filename, "rb");
+ if (!f) {
+ PrintAndLog("Could not find file %s", filename);
+ return 1;
+ }
+ } else {
+ return usage_hf_iclass_decrypt();
+ }
+
+ fseek(f, 0, SEEK_END);
+ long fsize = ftell(f);
+ fseek(f, 0, SEEK_SET);
+
+ if ( fsize < 0 ) {
+ PrintAndLog("Error, when getting filesize");
+ fclose(f);
+ return 2;
+ }
+
+ uint8_t *decrypted = malloc(fsize);
+
+ size_t bytes_read = fread(decrypted, 1, fsize, f);
+ fclose(f);
+ if ( bytes_read == 0) {
+ PrintAndLog("File reading error");
+ free(decrypted);
+ return 3;
+ }
+
+ picopass_hdr *hdr = (picopass_hdr *)decrypted;
+
+ uint8_t mem = hdr->conf.mem_config;
+ uint8_t chip = hdr->conf.chip_config;
+ uint8_t applimit = hdr->conf.app_limit;
+ uint8_t kb = 2;
+ uint8_t app_areas = 2;
+ uint8_t max_blk = 31;
+ getMemConfig(mem, chip, &max_blk, &app_areas, &kb);
+
+ //Use the first block (CSN) for filename
+ char outfilename[FILE_PATH_SIZE] = {0};
+ snprintf(outfilename, FILE_PATH_SIZE, "iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x-decrypted",
+ hdr->csn[0],hdr->csn[1],hdr->csn[2],hdr->csn[3],
+ hdr->csn[4],hdr->csn[5],hdr->csn[6],hdr->csn[7]);
+
+ // tripledes
+ des3_context ctx = { DES_DECRYPT ,{ 0 } };
+ des3_set2key_dec( &ctx, key);
+
+ uint8_t enc_dump[8] = {0};
+ uint8_t empty[8] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
+ for(uint16_t blocknum=0; blocknum < applimit; ++blocknum) {
+
+ uint8_t idx = blocknum*8;
+ memcpy(enc_dump, decrypted + idx, 8);
+
+ // block 7 or higher, and not empty 0xFF
+ if(blocknum > 6 && memcmp(enc_dump, empty, 8) != 0 ) {
+ des3_crypt_ecb(&ctx, enc_dump, decrypted + idx );
+ }
+ //printvar("decrypted block", decrypted + idx, 8);
+ }
+
+ saveFile(outfilename, "bin", decrypted, fsize);
+ free(decrypted);
+
+ printIclassDumpContents(decrypted, 1, (fsize/8), fsize);
+ return 0;
+}
+
+static int iClassEncryptBlkData(uint8_t *blkData) {
+ uint8_t key[16] = { 0 };
+ if(readKeyfile("iclass_decryptionkey.bin", 16, key)) {
+ usage_hf_iclass_encrypt();
+ return 1;
+ }
+ PrintAndLog("Decryption file found... ");
+ uint8_t encryptedData[16];
+ uint8_t *encrypted = encryptedData;
+ des3_context ctx = { DES_DECRYPT ,{ 0 } };
+ des3_set2key_enc( &ctx, key);
+
+ des3_crypt_ecb(&ctx, blkData,encrypted);
+ //printvar("decrypted block", decrypted, 8);
+ memcpy(blkData,encrypted,8);
+
+ return 1;
+}
+
+int CmdHFiClassEncryptBlk(const char *Cmd) {
+ uint8_t blkData[8] = {0};
+ char opt = param_getchar(Cmd, 0);
+ if (strlen(Cmd)<1 || opt == 'h' || opt == 'H') return usage_hf_iclass_encrypt();
+
+ //get the bytes to encrypt
+ if (param_gethex(Cmd, 0, blkData, 16)) {
+ PrintAndLog("BlockData must include 16 HEX symbols");
+ return 0;
+ }
+ if (!iClassEncryptBlkData(blkData)) return 0;
+
+ printvar("encrypted block", blkData, 8);
+ return 1;
+}
+
+void Calc_wb_mac(uint8_t blockno, uint8_t *data, uint8_t *div_key, uint8_t MAC[4]) {
+ uint8_t WB[9];
+ WB[0] = blockno;
+ memcpy(WB + 1,data,8);
+ doMAC_N(WB,sizeof(WB),div_key,MAC);
+ //printf("Cal wb mac block [%02x][%02x%02x%02x%02x%02x%02x%02x%02x] : MAC [%02x%02x%02x%02x]",WB[0],WB[1],WB[2],WB[3],WB[4],WB[5],WB[6],WB[7],WB[8],MAC[0],MAC[1],MAC[2],MAC[3]);
+}
+
+static bool select_only(uint8_t *CSN, uint8_t *CCNR, bool use_credit_key, bool verbose) {
+ UsbCommand resp;
+
+ UsbCommand c = {CMD_READER_ICLASS, {0}};
+ c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_CC | FLAG_ICLASS_READER_ONE_TRY;
+ if (use_credit_key)
+ c.arg[0] |= FLAG_ICLASS_READER_CEDITKEY;
+
+ clearCommandBuffer();
+ SendCommand(&c);
+ if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+ PrintAndLog("Command execute timeout");
+ return false;
+ }
+
+ uint8_t isOK = resp.arg[0] & 0xff;
+ uint8_t *data = resp.d.asBytes;
+
+ memcpy(CSN,data,8);
+
+ if (CCNR!=NULL)
+ memcpy(CCNR,data+16,8);
+
+ if(isOK > 0) {
+ if (verbose) PrintAndLog("CSN: %s",sprint_hex(CSN,8));
+ }
+
+ if(isOK <= 1){
+ PrintAndLog("Failed to obtain CC! Aborting");
+ return false;
+ }
+ return true;
+}
+
+static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
+ uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+ if (!select_only(CSN, CCNR, use_credit_key, verbose))
+ return false;
+
+ //get div_key
+ if(rawkey)
+ memcpy(div_key, KEY, 8);
+ else
+ HFiClassCalcDivKey(CSN, KEY, div_key, elite);
+
+ PrintAndLog("Authing with %s: %02x%02x%02x%02x%02x%02x%02x%02x", rawkey ? "raw key" : "diversified key", div_key[0],div_key[1],div_key[2],div_key[3],div_key[4],div_key[5],div_key[6],div_key[7]);
+
+ doMAC(CCNR, div_key, MAC);
+ UsbCommand resp;
+ UsbCommand d = {CMD_ICLASS_AUTHENTICATION, {0}};
+ memcpy(d.d.asBytes, MAC, 4);
+ clearCommandBuffer();
+ SendCommand(&d);
+ if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+ PrintAndLog("Auth Command execute timeout");
+ return false;
+ }
+ uint8_t isOK = resp.arg[0] & 0xff;
+ if (!isOK) {
+ PrintAndLog("Authentication error");
+ return false;
+ }
+ return true;
+}
+
+int CmdHFiClassReader_Dump(const char *Cmd) {
+
+ uint8_t MAC[4] = {0x00,0x00,0x00,0x00};
+ uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t c_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t blockno = 0;
+ uint8_t numblks = 0;
+ uint8_t maxBlk = 31;
+ uint8_t app_areas = 1;
+ uint8_t kb = 2;
+ uint8_t KEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t CreditKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t keyNbr = 0;
+ uint8_t dataLen = 0;
+ uint8_t fileNameLen = 0;
+ char filename[FILE_PATH_SIZE]={0};
+ char tempStr[50] = {0};
+ bool have_debit_key = false;
+ bool have_credit_key = false;
+ bool use_credit_key = false;
+ bool elite = false;
+ bool rawkey = false;
+ bool errors = false;
+ uint8_t cmdp = 0;
+
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ return usage_hf_iclass_dump();
+ case 'c':
+ case 'C':
+ have_credit_key = true;
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 16) {
+ errors = param_gethex(tempStr, 0, CreditKEY, dataLen);
+ } else if (dataLen == 1) {
+ keyNbr = param_get8(Cmd, cmdp+1);
+ if (keyNbr < ICLASS_KEYS_MAX) {
+ memcpy(CreditKEY, iClass_Key_Table[keyNbr], 8);
+ } else {
+ PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+ errors = true;
+ }
+ } else {
+ PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'e':
+ case 'E':
+ elite = true;
+ cmdp++;
+ break;
+ case 'f':
+ case 'F':
+ fileNameLen = param_getstr(Cmd, cmdp+1, filename);
+ if (fileNameLen < 1) {
+ PrintAndLog("No filename found after f");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'k':
+ case 'K':
+ have_debit_key = true;
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 16) {
+ errors = param_gethex(tempStr, 0, KEY, dataLen);
+ } else if (dataLen == 1) {
+ keyNbr = param_get8(Cmd, cmdp+1);
+ if (keyNbr < ICLASS_KEYS_MAX) {
+ memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+ } else {
+ PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+ errors = true;
+ }
+ } else {
+ PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
+ default:
+ PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ if(errors) return usage_hf_iclass_dump();
+ }
+
+ if (cmdp < 2) return usage_hf_iclass_dump();
+ // if no debit key given try credit key on AA1 (not for iclass but for some picopass this will work)
+ if (!have_debit_key && have_credit_key) use_credit_key = true;
+
+ //get config and first 3 blocks
+ UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN |
+ FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY}};
+ UsbCommand resp;
+ uint8_t tag_data[255*8];
+
+ clearCommandBuffer();
+ SendCommand(&c);
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+ PrintAndLog("Command execute timeout");
+ ul_switch_off_field();
+ return 0;
+ }
+ uint8_t readStatus = resp.arg[0] & 0xff;
+ uint8_t * data = resp.d.asBytes;
+
+ if(readStatus == 0){
+ PrintAndLog("No tag found...");
+ ul_switch_off_field();
+ return 0;
+ }
+
+ if( readStatus & (FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_CC)){
+ memcpy(tag_data, data, 8*3);
+ blockno += 2; // 2 to force re-read of block 2 later. (seems to respond differently..)
+ numblks = data[8];
+ getMemConfig(data[13], data[12], &maxBlk, &app_areas, &kb);
+ // large memory - not able to dump pages currently
+ if (numblks > maxBlk) numblks = maxBlk;
+ }
+
+ ul_switch_off_field();
+ // authenticate debit key and get div_key - later store in dump block 3
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
+ //try twice - for some reason it sometimes fails the first time...
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
+ ul_switch_off_field();
+ return 0;
+ }
+ }
+
+ // begin dump
+ UsbCommand w = {CMD_ICLASS_DUMP, {blockno, numblks-blockno+1}};
+ clearCommandBuffer();
+ SendCommand(&w);
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+ PrintAndLog("Command execute time-out 1");
+ ul_switch_off_field();
+ return 1;
+ }
+ uint32_t blocksRead = resp.arg[1];
+ uint8_t isOK = resp.arg[0] & 0xff;
+ if (!isOK && !blocksRead) {
+ PrintAndLog("Read Block Failed");
+ ul_switch_off_field();
+ return 0;
+ }
+ uint32_t startindex = resp.arg[2];
+ if (blocksRead*8 > sizeof(tag_data)-(blockno*8)) {
+ PrintAndLog("Data exceeded Buffer size!");
+ blocksRead = (sizeof(tag_data)/8) - blockno;
+ }
+ // response ok - now get bigbuf content of the dump
+ GetFromBigBuf(tag_data+(blockno*8), blocksRead*8, startindex);
+ WaitForResponse(CMD_ACK,NULL);
+ size_t gotBytes = blocksRead*8 + blockno*8;
+
+ // try AA2
+ if (have_credit_key) {
+ //turn off hf field before authenticating with different key
+ ul_switch_off_field();
+ memset(MAC,0,4);
+ // AA2 authenticate credit key and git c_div_key - later store in dump block 4
+ if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
+ //try twice - for some reason it sometimes fails the first time...
+ if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
+ ul_switch_off_field();
+ return 0;
+ }
+ }
+ // do we still need to read more block? (aa2 enabled?)
+ if (maxBlk > blockno+numblks+1) {
+ // setup dump and start
+ w.arg[0] = blockno + blocksRead;
+ w.arg[1] = maxBlk - (blockno + blocksRead);
+ clearCommandBuffer();
+ SendCommand(&w);
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
+ PrintAndLog("Command execute timeout 2");
+ ul_switch_off_field();
+ return 0;
+ }
+ uint8_t isOK = resp.arg[0] & 0xff;
+ blocksRead = resp.arg[1];
+ if (!isOK && !blocksRead) {
+ PrintAndLog("Read Block Failed 2");
+ ul_switch_off_field();
+ return 0;
+ }
+
+ startindex = resp.arg[2];
+ if (blocksRead*8 > sizeof(tag_data)-gotBytes) {
+ PrintAndLog("Data exceeded Buffer size!");
+ blocksRead = (sizeof(tag_data) - gotBytes)/8;
+ }
+ // get dumped data from bigbuf
+ GetFromBigBuf(tag_data+gotBytes, blocksRead*8, startindex);
+ WaitForResponse(CMD_ACK,NULL);
+
+ gotBytes += blocksRead*8;
+ } else { //field is still on - turn it off...
+ ul_switch_off_field();
+ }
+ }
+
+ // add diversified keys to dump
+ if (have_debit_key) memcpy(tag_data+(3*8),div_key,8);
+ if (have_credit_key) memcpy(tag_data+(4*8),c_div_key,8);
+
+ printf("Num of bytes: %d\n", gotBytes);
+
+ // print the dump
+ printf("------+--+-------------------------+\n");
+ printf("CSN |00| %s|\n", sprint_hex(tag_data, 8));
+ //printIclassDumpContents(tag_data, 1, (gotBytes/8)-1, gotBytes-8);
+ printIclassDumpContents(tag_data, 1, (gotBytes/8), gotBytes);
+
+ if (filename[0] == 0){
+ snprintf(filename, FILE_PATH_SIZE,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x",
+ tag_data[0],tag_data[1],tag_data[2],tag_data[3],
+ tag_data[4],tag_data[5],tag_data[6],tag_data[7]);
+ }
+
+ // save the dump to .bin file
+ PrintAndLog("Saving dump file - %d blocks read", gotBytes/8);
+ saveFile(filename, "bin", tag_data, gotBytes);
+ return 1;
+}
+
+static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
+ uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+ uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, verbose))
+ return 0;
+
+ UsbCommand resp;
+
+ Calc_wb_mac(blockno,bldata,div_key,MAC);
+ UsbCommand w = {CMD_ICLASS_WRITEBLOCK, {blockno}};
+ memcpy(w.d.asBytes, bldata, 8);
+ memcpy(w.d.asBytes + 8, MAC, 4);
+
+ clearCommandBuffer();
+ SendCommand(&w);
+ if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+ PrintAndLog("Write Command execute timeout");
+ return 0;
+ }
+ uint8_t isOK = resp.arg[0] & 0xff;
+ if (!isOK) {
+ PrintAndLog("Write Block Failed");
+ return 0;
+ }
+ PrintAndLog("Write Block Successful");
+ return 1;
+}
+
+int CmdHFiClass_WriteBlock(const char *Cmd) {
+ uint8_t blockno=0;
+ uint8_t bldata[8]={0,0,0,0,0,0,0,0};
+ uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t keyNbr = 0;
+ uint8_t dataLen = 0;
+ char tempStr[50] = {0};
+ bool use_credit_key = false;
+ bool elite = false;
+ bool rawkey= false;
+ bool errors = false;
+ uint8_t cmdp = 0;
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ return usage_hf_iclass_writeblock();
+ case 'b':
+ case 'B':
+ if (param_gethex(Cmd, cmdp+1, &blockno, 2)) {
+ PrintAndLog("Block No must include 2 HEX symbols\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'c':
+ case 'C':
+ use_credit_key = true;
+ cmdp++;
+ break;
+ case 'd':
+ case 'D':
+ if (param_gethex(Cmd, cmdp+1, bldata, 16))
+ {
+ PrintAndLog("KEY must include 16 HEX symbols\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'e':
+ case 'E':
+ elite = true;
+ cmdp++;
+ break;
+ case 'k':
+ case 'K':
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 16) {
+ errors = param_gethex(tempStr, 0, KEY, dataLen);
+ } else if (dataLen == 1) {
+ keyNbr = param_get8(Cmd, cmdp+1);
+ if (keyNbr < ICLASS_KEYS_MAX) {
+ memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+ } else {
+ PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+ errors = true;
+ }
+ } else {
+ PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
+ default:
+ PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ if(errors) return usage_hf_iclass_writeblock();
+ }
+
+ if (cmdp < 6) return usage_hf_iclass_writeblock();
+ int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, true);
+ ul_switch_off_field();
+ return ans;
+}
+
+int CmdHFiClassCloneTag(const char *Cmd) {
+ char filename[FILE_PATH_SIZE] = { 0x00 };
+ char tempStr[50]={0};
+ uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t keyNbr = 0;
+ uint8_t fileNameLen = 0;
+ uint8_t startblock = 0;
+ uint8_t endblock = 0;
+ uint8_t dataLen = 0;
+ bool use_credit_key = false;
+ bool elite = false;
+ bool rawkey = false;
+ bool errors = false;
+ uint8_t cmdp = 0;
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ return usage_hf_iclass_clone();
+ case 'b':
+ case 'B':
+ if (param_gethex(Cmd, cmdp+1, &startblock, 2)) {
+ PrintAndLog("Start Block No must include 2 HEX symbols\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'c':
+ case 'C':
+ use_credit_key = true;
+ cmdp++;
+ break;
+ case 'e':
+ case 'E':
+ elite = true;
+ cmdp++;
+ break;
+ case 'f':
+ case 'F':
+ fileNameLen = param_getstr(Cmd, cmdp+1, filename);
+ if (fileNameLen < 1) {
+ PrintAndLog("No filename found after f");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'k':
+ case 'K':
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 16) {
+ errors = param_gethex(tempStr, 0, KEY, dataLen);
+ } else if (dataLen == 1) {
+ keyNbr = param_get8(Cmd, cmdp+1);
+ if (keyNbr < ICLASS_KEYS_MAX) {
+ memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+ } else {
+ PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+ errors = true;
+ }
+ } else {
+ PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'l':
+ case 'L':
+ if (param_gethex(Cmd, cmdp+1, &endblock, 2)) {
+ PrintAndLog("Start Block No must include 2 HEX symbols\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
+ default:
+ PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ if(errors) return usage_hf_iclass_clone();
+ }
+
+ if (cmdp < 8) return usage_hf_iclass_clone();
+
+ FILE *f;
+
+ iclass_block_t tag_data[USB_CMD_DATA_SIZE/12];
+
+ if ((endblock-startblock+1)*12 > USB_CMD_DATA_SIZE) {
+ PrintAndLog("Trying to write too many blocks at once. Max: %d", USB_CMD_DATA_SIZE/8);
+ }
+ // file handling and reading
+ f = fopen(filename,"rb");
+ if(!f) {
+ PrintAndLog("Failed to read from file '%s'", filename);
+ return 1;
+ }
+
+ if (startblock<5) {
+ PrintAndLog("You cannot write key blocks this way. yet... make your start block > 4");
+ fclose(f);
+ return 0;
+ }
+ // now read data from the file from block 6 --- 19
+ // ok we will use this struct [data 8 bytes][MAC 4 bytes] for each block calculate all mac number for each data
+ // then copy to usbcommand->asbytes; the max is 32 - 6 = 24 block 12 bytes each block 288 bytes then we can only accept to clone 21 blocks at the time,
+ // else we have to create a share memory
+ int i;
+ fseek(f,startblock*8,SEEK_SET);
+ size_t bytes_read = fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f);
+ if ( bytes_read == 0){
+ PrintAndLog("File reading error.");
+ fclose(f);
+ return 2;
+ }
+
+ uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+ uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, true))
+ return 0;
+
+ UsbCommand w = {CMD_ICLASS_CLONE,{startblock,endblock}};
+ uint8_t *ptr;
+ // calculate all mac for every the block we will write
+ for (i = startblock; i <= endblock; i++){
+ Calc_wb_mac(i,tag_data[i - startblock].d,div_key,MAC);
+ // usb command d start pointer = d + (i - 6) * 12
+ // memcpy(pointer,tag_data[i - 6],8) 8 bytes
+ // memcpy(pointer + 8,mac,sizoof(mac) 4 bytes;
+ // next one
+ ptr = w.d.asBytes + (i - startblock) * 12;
+ memcpy(ptr, &(tag_data[i - startblock].d[0]), 8);
+ memcpy(ptr + 8,MAC, 4);
+ }
+ uint8_t p[12];
+ for (i = 0; i <= endblock - startblock;i++){
+ memcpy(p,w.d.asBytes + (i * 12),12);
+ printf("Block |%02x|",i + startblock);
+ printf(" %02x%02x%02x%02x%02x%02x%02x%02x |",p[0],p[1],p[2],p[3],p[4],p[5],p[6],p[7]);
+ printf(" MAC |%02x%02x%02x%02x|\n",p[8],p[9],p[10],p[11]);
+ }
+ UsbCommand resp;
+ clearCommandBuffer();
+ SendCommand(&w);
+ if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+ PrintAndLog("Command execute timeout");
+ return 0;
+ }
+ return 1;
+}
+
+static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose) {
+ uint8_t MAC[4]={0x00,0x00,0x00,0x00};
+ uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+
+ if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose))
+ return 0;
+
+ UsbCommand resp;
+ UsbCommand w = {CMD_ICLASS_READBLOCK, {blockno}};
+ clearCommandBuffer();
+ SendCommand(&w);
+ if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+ PrintAndLog("Command execute timeout");
+ return 0;
+ }
+
+ uint8_t isOK = resp.arg[0] & 0xff;
+ if (!isOK) {
+ PrintAndLog("Read Block Failed");
+ return 0;
+ }
+ //data read is stored in: resp.d.asBytes[0-15]
+ if (verbose) PrintAndLog("Block %02X: %s\n",blockno, sprint_hex(resp.d.asBytes,8));
+ return 1;
+}
+
+int CmdHFiClass_ReadBlock(const char *Cmd) {
+ uint8_t blockno=0;
+ uint8_t keyType = 0x88; //debit key
+ uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t keyNbr = 0;
+ uint8_t dataLen = 0;
+ char tempStr[50] = {0};
+ bool elite = false;
+ bool rawkey = false;
+ bool errors = false;
+ uint8_t cmdp = 0;
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ return usage_hf_iclass_readblock();
+ case 'b':
+ case 'B':
+ if (param_gethex(Cmd, cmdp+1, &blockno, 2)) {
+ PrintAndLog("Block No must include 2 HEX symbols\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'c':
+ case 'C':
+ keyType = 0x18;
+ cmdp++;
+ break;
+ case 'e':
+ case 'E':
+ elite = true;
+ cmdp++;
+ break;
+ case 'k':
+ case 'K':
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 16) {
+ errors = param_gethex(tempStr, 0, KEY, dataLen);
+ } else if (dataLen == 1) {
+ keyNbr = param_get8(Cmd, cmdp+1);
+ if (keyNbr < ICLASS_KEYS_MAX) {
+ memcpy(KEY, iClass_Key_Table[keyNbr], 8);
+ } else {
+ PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+ errors = true;
+ }
+ } else {
+ PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
+ default:
+ PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ if(errors) return usage_hf_iclass_readblock();
+ }
+
+ if (cmdp < 4) return usage_hf_iclass_readblock();
+
+ return ReadBlock(KEY, blockno, keyType, elite, rawkey, true);
+}
+
+int CmdHFiClass_loclass(const char *Cmd) {
+ char opt = param_getchar(Cmd, 0);
+
+ if (strlen(Cmd)<1 || opt == 'h') {
+ PrintAndLog("Usage: hf iclass loclass [options]");
+ PrintAndLog("Options:");
+ PrintAndLog("h Show this help");
+ PrintAndLog("t Perform self-test");
+ PrintAndLog("f <filename> Bruteforce iclass dumpfile");
+ PrintAndLog(" An iclass dumpfile is assumed to consist of an arbitrary number of");
+ PrintAndLog(" malicious CSNs, and their protocol responses");
+ PrintAndLog(" The binary format of the file is expected to be as follows: ");
+ PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+ PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+ PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+ PrintAndLog(" ... totalling N*24 bytes");
+ return 0;
+ }
+ char fileName[255] = {0};
+ if(opt == 'f') {
+ if(param_getstr(Cmd, 1, fileName) > 0) {
+ return bruteforceFileNoKeys(fileName);
+ } else {
+ PrintAndLog("You must specify a filename");
+ // no return?
+ }
+ }
+ else if(opt == 't') {
+ int errors = testCipherUtils();
+ errors += testMAC();
+ errors += doKeyTests(0);
+ errors += testElite();
+ if(errors) prnlog("OBS! There were errors!!!");
+ return errors;
+ }
+ return 0;
+}
+
+void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize) {
+ uint8_t mem_config;
+ memcpy(&mem_config, iclass_dump + 13,1);
+ uint8_t maxmemcount;
+
+ uint8_t filemaxblock = filesize / 8;
+
+ if (mem_config & 0x80)
+ maxmemcount = 255;
+ else
+ maxmemcount = 31;
+
+ if (startblock == 0)
+ startblock = 6;
+
+ if ((endblock > maxmemcount) || (endblock == 0))
+ endblock = maxmemcount;
+
+ // remember endblock needs to relate to zero-index arrays.
+ if (endblock > filemaxblock-1)
+ endblock = filemaxblock-1;
+
+ //PrintAndLog ("startblock: %d, endblock: %d, filesize: %d, maxmemcount: %d, filemaxblock: %d",startblock, endblock,filesize, maxmemcount, filemaxblock);
+
+ int i = startblock;
+ printf("------+--+-------------------------+\n");
+ while (i <= endblock){
+ uint8_t *blk = iclass_dump + (i * 8);
+ printf("Block |%02X| %s\n", i, sprint_hex_ascii(blk, 8) );
+ i++;
+ }
+ printf("------+--+-------------------------+\n");
+}
+
+int CmdHFiClassReadTagFile(const char *Cmd) {
+ int startblock = 0;
+ int endblock = 0;
+ char tempnum[5];
+ FILE *f;
+ char filename[FILE_PATH_SIZE];
+ if (param_getstr(Cmd, 0, filename) < 1)
+ return usage_hf_iclass_readtagfile();
+
+ if (param_getstr(Cmd,1,(char *)&tempnum) < 1)
+ startblock = 0;
+ else
+ sscanf(tempnum,"%d",&startblock);
+
+ if (param_getstr(Cmd,2,(char *)&tempnum) < 1)
+ endblock = 0;
+ else
+ sscanf(tempnum,"%d",&endblock);
+
+ // file handling and reading
+ f = fopen(filename,"rb");
+ if(!f) {
+ PrintAndLog("Failed to read from file '%s'", filename);
+ return 1;
+ }
+ fseek(f, 0, SEEK_END);
+ long fsize = ftell(f);
+ fseek(f, 0, SEEK_SET);
+
+ if ( fsize < 0 ) {
+ PrintAndLog("Error, when getting filesize");
+ fclose(f);
+ return 1;
+ }
+
+ uint8_t *dump = malloc(fsize);
+ size_t bytes_read = fread(dump, 1, fsize, f);
+ fclose(f);
+
+ uint8_t *csn = dump;
+ printf("------+--+-------------------------+\n");
+ printf("CSN |00| %s|\n", sprint_hex(csn, 8) );
+ printIclassDumpContents(dump, startblock, endblock, bytes_read);
+ free(dump);
+ return 0;
+}
+
+/*
+uint64_t xorcheck(uint64_t sdiv,uint64_t hdiv) {
+ uint64_t new_div = 0x00;
+ new_div ^= sdiv;
+ new_div ^= hdiv;
+ return new_div;
+}
+
+uint64_t hexarray_to_uint64(uint8_t *key) {
+ char temp[17];
+ uint64_t uint_key;
+ for (int i = 0;i < 8;i++)
+ sprintf(&temp[(i *2)],"%02X",key[i]);
+ temp[16] = '\0';
+ if (sscanf(temp,"%016"llX,&uint_key) < 1)
+ return 0;
+ return uint_key;
+}
+*/
+void HFiClassCalcDivKey(uint8_t *CSN, uint8_t *KEY, uint8_t *div_key, bool elite){
+ uint8_t keytable[128] = {0};
+ uint8_t key_index[8] = {0};
+ if (elite) {
+ uint8_t key_sel[8] = { 0 };
+ uint8_t key_sel_p[8] = { 0 };
+ hash2(KEY, keytable);
+ hash1(CSN, key_index);
+ for(uint8_t i = 0; i < 8 ; i++)
+ key_sel[i] = keytable[key_index[i]] & 0xFF;
+
+ //Permute from iclass format to standard format
+ permutekey_rev(key_sel, key_sel_p);
+ diversifyKey(CSN, key_sel_p, div_key);
+ } else {
+ diversifyKey(CSN, KEY, div_key);
+ }
+}
+
+//when told CSN, oldkey, newkey, if new key is elite (elite), and if old key was elite (oldElite)
+//calculate and return xor_div_key (ready for a key write command)
+//print all div_keys if verbose
+static void HFiClassCalcNewKey(uint8_t *CSN, uint8_t *OLDKEY, uint8_t *NEWKEY, uint8_t *xor_div_key, bool elite, bool oldElite, bool verbose){
+ uint8_t old_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t new_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ //get old div key
+ HFiClassCalcDivKey(CSN, OLDKEY, old_div_key, oldElite);
+ //get new div key
+ HFiClassCalcDivKey(CSN, NEWKEY, new_div_key, elite);
+
+ for (uint8_t i = 0; i < sizeof(old_div_key); i++){
+ xor_div_key[i] = old_div_key[i] ^ new_div_key[i];
+ }
+ if (verbose) {
+ printf("Old div key : %s\n",sprint_hex(old_div_key,8));
+ printf("New div key : %s\n",sprint_hex(new_div_key,8));
+ printf("Xor div key : %s\n",sprint_hex(xor_div_key,8));
+ }
+}
+
+int CmdHFiClassCalcNewKey(const char *Cmd) {
+ uint8_t OLDKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t NEWKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t xor_div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t CSN[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t CCNR[12] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t keyNbr = 0;
+ uint8_t dataLen = 0;
+ char tempStr[50] = {0};
+ bool givenCSN = false;
+ bool oldElite = false;
+ bool elite = false;
+ bool errors = false;
+ uint8_t cmdp = 0;
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ return usage_hf_iclass_calc_newkey();
+ case 'e':
+ case 'E':
+ dataLen = param_getstr(Cmd, cmdp, tempStr);
+ if (dataLen==2)
+ oldElite = true;
+ elite = true;
+ cmdp++;
+ break;
+ case 'n':
+ case 'N':
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 16) {
+ errors = param_gethex(tempStr, 0, NEWKEY, dataLen);
+ } else if (dataLen == 1) {
+ keyNbr = param_get8(Cmd, cmdp+1);
+ if (keyNbr < ICLASS_KEYS_MAX) {
+ memcpy(NEWKEY, iClass_Key_Table[keyNbr], 8);
+ } else {
+ PrintAndLog("\nERROR: NewKey Nbr is invalid\n");
+ errors = true;
+ }
+ } else {
+ PrintAndLog("\nERROR: NewKey is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'o':
+ case 'O':
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 16) {
+ errors = param_gethex(tempStr, 0, OLDKEY, dataLen);
+ } else if (dataLen == 1) {
+ keyNbr = param_get8(Cmd, cmdp+1);
+ if (keyNbr < ICLASS_KEYS_MAX) {
+ memcpy(OLDKEY, iClass_Key_Table[keyNbr], 8);
+ } else {
+ PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
+ errors = true;
+ }
+ } else {
+ PrintAndLog("\nERROR: Credit Key is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 's':
+ case 'S':
+ givenCSN = true;
+ if (param_gethex(Cmd, cmdp+1, CSN, 16))
+ return usage_hf_iclass_calc_newkey();
+ cmdp += 2;
+ break;
+ default:
+ PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ if(errors) return usage_hf_iclass_calc_newkey();
+ }
+
+ if (cmdp < 4) return usage_hf_iclass_calc_newkey();
+
+ if (!givenCSN)
+ if (!select_only(CSN, CCNR, false, true))
+ return 0;
+
+ HFiClassCalcNewKey(CSN, OLDKEY, NEWKEY, xor_div_key, elite, oldElite, true);
+ return 0;
+}
+
+static int loadKeys(char *filename) {
+ FILE *f;
+ f = fopen(filename,"rb");
+ if(!f) {
+ PrintAndLog("Failed to read from file '%s'", filename);
+ return 0;
+ }
+ fseek(f, 0, SEEK_END);
+ long fsize = ftell(f);
+ fseek(f, 0, SEEK_SET);
+
+ if ( fsize < 0 ) {
+ PrintAndLog("Error, when getting filesize");
+ fclose(f);
+ return 1;