#include "usb_cmd.h"
#include "cmdhfmfu.h"
-#define llX PRIx64
-
static int CmdHelp(const char *Cmd);
#define ICLASS_KEYS_MAX 8
long fsize = ftell(f);
fseek(f, 0, SEEK_SET);
- uint8_t *dump = malloc(fsize);
+ if (fsize < 0) {
+ PrintAndLog("Error, when getting filesize");
+ fclose(f);
+ return 1;
+ }
+ uint8_t *dump = malloc(fsize);
size_t bytes_read = fread(dump, 1, fsize, f);
fclose(f);
//Open the tagdump-file
FILE *f;
char filename[FILE_PATH_SIZE];
- if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0)
- {
+ if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0) {
f = fopen(filename, "rb");
- }else{
+ if ( f == NULL ) {
+ PrintAndLog("Could not find file %s", filename);
+ return 1;
+ }
+ } else {
return usage_hf_iclass_decrypt();
}
fclose(f);
saveFile(outfilename,"bin", decrypted, blocknum*8);
-
+ free(decrypted);
return 0;
}
UsbCommand resp;
UsbCommand c = {CMD_READER_ICLASS, {0}};
- c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE| FLAG_ICLASS_READER_CC;
+ c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_CC | FLAG_ICLASS_READER_ONE_TRY;
if (use_credit_key)
c.arg[0] |= FLAG_ICLASS_READER_CEDITKEY;
return true;
}
-static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool verbose) {
+static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
return false;
//get div_key
- HFiClassCalcDivKey(CSN, KEY, div_key, elite);
+ if(rawkey)
+ memcpy(div_key, KEY, 8);
+ else
+ HFiClassCalcDivKey(CSN, KEY, div_key, elite);
+ PrintAndLog("Authing with %s: %02x%02x%02x%02x%02x%02x%02x%02x", rawkey ? "raw key" : "diversified key", div_key[0],div_key[1],div_key[2],div_key[3],div_key[4],div_key[5],div_key[6],div_key[7]);
doMAC(CCNR, div_key, MAC);
UsbCommand resp;
}
int usage_hf_iclass_dump(void) {
- PrintAndLog("Usage: hf iclass dump f <fileName> k <Key> c <CreditKey> e\n");
+ PrintAndLog("Usage: hf iclass dump f <fileName> k <Key> c <CreditKey> e|r\n");
PrintAndLog("Options:");
PrintAndLog(" f <filename> : specify a filename to save dump to");
PrintAndLog(" k <Key> : *Access Key as 16 hex symbols or 1 hex to select key from memory");
PrintAndLog(" e : If 'e' is specified, the key is interpreted as the 16 byte");
PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack");
PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format");
+ PrintAndLog(" r : If 'r' is specified, the key is interpreted as raw block 3/4");
PrintAndLog(" NOTE: * = required");
PrintAndLog("Samples:");
PrintAndLog(" hf iclass dump k 001122334455667B");
uint8_t blockno = 0;
uint8_t numblks = 0;
uint8_t maxBlk = 31;
+ uint8_t app_areas = 1;
+ uint8_t kb = 2;
uint8_t KEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t CreditKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t keyNbr = 0;
bool have_credit_key = false;
bool use_credit_key = false;
bool elite = false;
+ bool rawkey = false;
bool errors = false;
uint8_t cmdp = 0;
errors = param_gethex(tempStr, 0, CreditKEY, dataLen);
} else if (dataLen == 1) {
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr <= ICLASS_KEYS_MAX) {
+ if (keyNbr < ICLASS_KEYS_MAX) {
memcpy(CreditKEY, iClass_Key_Table[keyNbr], 8);
} else {
PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
errors = param_gethex(tempStr, 0, KEY, dataLen);
} else if (dataLen == 1) {
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr <= ICLASS_KEYS_MAX) {
+ if (keyNbr < ICLASS_KEYS_MAX) {
memcpy(KEY, iClass_Key_Table[keyNbr], 8);
} else {
PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
}
cmdp += 2;
break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
default:
PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
SendCommand(&c);
if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
PrintAndLog("Command execute timeout");
+ ul_switch_off_field();
return 0;
}
uint8_t readStatus = resp.arg[0] & 0xff;
if(readStatus == 0){
PrintAndLog("No tag found...");
+ ul_switch_off_field();
return 0;
}
if( readStatus & (FLAG_ICLASS_READER_CSN|FLAG_ICLASS_READER_CONF|FLAG_ICLASS_READER_CC)){
memcpy(tag_data, data, 8*3);
blockno+=2; // 2 to force re-read of block 2 later. (seems to respond differently..)
numblks = data[8];
-
- if (data[13] & 0x80) {
- // large memory - not able to dump pages currently
- maxBlk = 255;
- } else {
- maxBlk = 31;
- }
+ getMemConfig(data[13], data[12], &maxBlk, &app_areas, &kb);
+ // large memory - not able to dump pages currently
if (numblks > maxBlk) numblks = maxBlk;
}
+ ul_switch_off_field();
// authenticate debit key and get div_key - later store in dump block 3
- if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, false)){
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
//try twice - for some reason it sometimes fails the first time...
- if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, false)){
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){
ul_switch_off_field();
return 0;
}
}
// begin dump
- UsbCommand w = {CMD_ICLASS_DUMP, {blockno, numblks-blockno+1, 0x88}};
+ UsbCommand w = {CMD_ICLASS_DUMP, {blockno, numblks-blockno+1}};
clearCommandBuffer();
SendCommand(&w);
if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
PrintAndLog("Command execute time-out 1");
+ ul_switch_off_field();
return 1;
}
uint32_t blocksRead = resp.arg[1];
uint8_t isOK = resp.arg[0] & 0xff;
if (!isOK && !blocksRead) {
PrintAndLog("Read Block Failed");
+ ul_switch_off_field();
return 0;
}
uint32_t startindex = resp.arg[2];
ul_switch_off_field();
memset(MAC,0,4);
// AA2 authenticate credit key and git c_div_key - later store in dump block 4
- if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false)){
+ if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
//try twice - for some reason it sometimes fails the first time...
- if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false)){
+ if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){
ul_switch_off_field();
return 0;
}
// setup dump and start
w.arg[0] = blockno + blocksRead;
w.arg[1] = maxBlk - (blockno + blocksRead);
- w.arg[2] = 0x18;
clearCommandBuffer();
SendCommand(&w);
if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
PrintAndLog("Command execute timeout 2");
+ ul_switch_off_field();
return 0;
}
uint8_t isOK = resp.arg[0] & 0xff;
blocksRead = resp.arg[1];
if (!isOK && !blocksRead) {
PrintAndLog("Read Block Failed 2");
+ ul_switch_off_field();
return 0;
}
return 1;
}
-static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool verbose) {
+static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
uint8_t MAC[4]={0x00,0x00,0x00,0x00};
uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
- uint8_t keyType = (use_credit_key) ? 0x18 : 0x88;
- if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, verbose))
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, verbose))
return 0;
UsbCommand resp;
Calc_wb_mac(blockno,bldata,div_key,MAC);
- UsbCommand w = {CMD_ICLASS_WRITEBLOCK, {blockno, keyType}};
+ UsbCommand w = {CMD_ICLASS_WRITEBLOCK, {blockno}};
memcpy(w.d.asBytes, bldata, 8);
- memcpy(w.d.asBytes + 8,MAC, 4);
+ memcpy(w.d.asBytes + 8, MAC, 4);
clearCommandBuffer();
SendCommand(&w);
return 0;
}
PrintAndLog("Write Block Successful");
-
return 1;
}
PrintAndLog(" k <Key> : Access Key as 16 hex symbols or 1 hex to select key from memory");
PrintAndLog(" c : If 'c' is specified, the key set is assumed to be the credit key\n");
PrintAndLog(" e : If 'e' is specified, elite computations applied to key");
+ PrintAndLog(" r : If 'r' is specified, no computations applied to key");
PrintAndLog("Samples:");
PrintAndLog(" hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA k 001122334455667B");
PrintAndLog(" hf iclass writeblk b 1B d AAAAAAAAAAAAAAAA k 001122334455667B c");
int CmdHFiClass_WriteBlock(const char *Cmd) {
uint8_t blockno=0;
- uint8_t bldata[8]={0};
+ uint8_t bldata[8]={0,0,0,0,0,0,0,0};
uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t keyNbr = 0;
uint8_t dataLen = 0;
char tempStr[50] = {0};
bool use_credit_key = false;
bool elite = false;
+ bool rawkey= false;
bool errors = false;
uint8_t cmdp = 0;
while(param_getchar(Cmd, cmdp) != 0x00)
errors = param_gethex(tempStr, 0, KEY, dataLen);
} else if (dataLen == 1) {
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr <= ICLASS_KEYS_MAX) {
+ if (keyNbr < ICLASS_KEYS_MAX) {
memcpy(KEY, iClass_Key_Table[keyNbr], 8);
} else {
PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
}
cmdp += 2;
break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
default:
PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
}
if (cmdp < 6) return usage_hf_iclass_writeblock();
-
- return WriteBlock(blockno, bldata, KEY, use_credit_key, elite, true);
+ int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, true);
+ ul_switch_off_field();
+ return ans;
}
int usage_hf_iclass_clone(void) {
- PrintAndLog("Usage: hf iclass clone f <tagfile.bin> b <first block> l <last block> k <KEY> e c");
+ PrintAndLog("Usage: hf iclass clone f <tagfile.bin> b <first block> l <last block> k <KEY> c e|r");
PrintAndLog("Options:");
PrintAndLog(" f <filename>: specify a filename to clone from");
PrintAndLog(" b <Block> : The first block to clone as 2 hex symbols");
PrintAndLog(" k <Key> : Access Key as 16 hex symbols or 1 hex to select key from memory");
PrintAndLog(" c : If 'c' is specified, the key set is assumed to be the credit key\n");
PrintAndLog(" e : If 'e' is specified, elite computations applied to key");
+ PrintAndLog(" r : If 'r' is specified, no computations applied to key");
PrintAndLog("Samples:");
PrintAndLog(" hf iclass clone f iclass_tagdump-121345.bin b 06 l 1A k 1122334455667788 e");
PrintAndLog(" hf iclass clone f iclass_tagdump-121345.bin b 05 l 19 k 0");
}
int CmdHFiClassCloneTag(const char *Cmd) {
- char filename[FILE_PATH_SIZE];
+ char filename[FILE_PATH_SIZE] = {0};
char tempStr[50]={0};
uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t keyNbr = 0;
uint8_t dataLen = 0;
bool use_credit_key = false;
bool elite = false;
+ bool rawkey = false;
bool errors = false;
uint8_t cmdp = 0;
while(param_getchar(Cmd, cmdp) != 0x00)
errors = param_gethex(tempStr, 0, KEY, dataLen);
} else if (dataLen == 1) {
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr <= ICLASS_KEYS_MAX) {
+ if (keyNbr < ICLASS_KEYS_MAX) {
memcpy(KEY, iClass_Key_Table[keyNbr], 8);
} else {
PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
}
cmdp += 2;
break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
default:
PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
if (startblock<5) {
PrintAndLog("You cannot write key blocks this way. yet... make your start block > 4");
+ fclose(f);
return 0;
}
// now read data from the file from block 6 --- 19
// else we have to create a share memory
int i;
fseek(f,startblock*8,SEEK_SET);
- fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f);
+ if ( fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f) == 0 ) {
+ PrintAndLog("File reading error.");
+ fclose(f);
+ return 2;
+ }
uint8_t MAC[4]={0x00,0x00,0x00,0x00};
uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
- if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, true))
+ if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, true))
return 0;
- UsbCommand w = {CMD_ICLASS_CLONE,{startblock,endblock,((use_credit_key) ? 0x18 : 0x88)}};
+ UsbCommand w = {CMD_ICLASS_CLONE,{startblock,endblock}};
uint8_t *ptr;
// calculate all mac for every the block we will write
for (i = startblock; i <= endblock; i++){
return 1;
}
-static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool verbose) {
+static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose) {
uint8_t MAC[4]={0x00,0x00,0x00,0x00};
uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
- if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, verbose))
+ if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose))
return 0;
UsbCommand resp;
- UsbCommand w = {CMD_ICLASS_READBLOCK, {blockno, keyType}};
+ UsbCommand w = {CMD_ICLASS_READBLOCK, {blockno}};
clearCommandBuffer();
SendCommand(&w);
if (!WaitForResponseTimeout(CMD_ACK,&resp,4500))
}
int usage_hf_iclass_readblock(void) {
- PrintAndLog("Usage: hf iclass readblk b <Block> k <Key> c e\n");
+ PrintAndLog("Usage: hf iclass readblk b <Block> k <Key> c e|r\n");
PrintAndLog("Options:");
PrintAndLog(" b <Block> : The block number as 2 hex symbols");
PrintAndLog(" k <Key> : Access Key as 16 hex symbols or 1 hex to select key from memory");
PrintAndLog(" c : If 'c' is specified, the key set is assumed to be the credit key\n");
PrintAndLog(" e : If 'e' is specified, elite computations applied to key");
+ PrintAndLog(" r : If 'r' is specified, no computations applied to key");
PrintAndLog("Samples:");
PrintAndLog(" hf iclass readblk b 06 k 0011223344556677");
PrintAndLog(" hf iclass readblk b 1B k 0011223344556677 c");
uint8_t dataLen = 0;
char tempStr[50] = {0};
bool elite = false;
+ bool rawkey = false;
bool errors = false;
uint8_t cmdp = 0;
while(param_getchar(Cmd, cmdp) != 0x00)
errors = param_gethex(tempStr, 0, KEY, dataLen);
} else if (dataLen == 1) {
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr <= ICLASS_KEYS_MAX) {
+ if (keyNbr < ICLASS_KEYS_MAX) {
memcpy(KEY, iClass_Key_Table[keyNbr], 8);
} else {
PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
}
cmdp += 2;
break;
+ case 'r':
+ case 'R':
+ rawkey = true;
+ cmdp++;
+ break;
default:
PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
if (cmdp < 4) return usage_hf_iclass_readblock();
- return ReadBlock(KEY, blockno, keyType, elite, true);
+ return ReadBlock(KEY, blockno, keyType, elite, rawkey, true);
}
int CmdHFiClass_loclass(const char *Cmd) {
PrintAndLog("f <filename> Bruteforce iclass dumpfile");
PrintAndLog(" An iclass dumpfile is assumed to consist of an arbitrary number of");
PrintAndLog(" malicious CSNs, and their protocol responses");
- PrintAndLog(" The the binary format of the file is expected to be as follows: ");
+ PrintAndLog(" The binary format of the file is expected to be as follows: ");
PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
long fsize = ftell(f);
fseek(f, 0, SEEK_SET);
- uint8_t *dump = malloc(fsize);
+ if ( fsize < 0 ) {
+ PrintAndLog("Error, when getting filesize");
+ fclose(f);
+ return 1;
+ }
+ uint8_t *dump = malloc(fsize);
size_t bytes_read = fread(dump, 1, fsize, f);
fclose(f);
for (int i = 0;i < 8;i++)
sprintf(&temp[(i *2)],"%02X",key[i]);
temp[16] = '\0';
- if (sscanf(temp,"%016"llX,&uint_key) < 1)
+ if (sscanf(temp,"%016"llx,&uint_key) < 1)
return 0;
return uint_key;
}
errors = param_gethex(tempStr, 0, NEWKEY, dataLen);
} else if (dataLen == 1) {
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr <= ICLASS_KEYS_MAX) {
+ if (keyNbr < ICLASS_KEYS_MAX) {
memcpy(NEWKEY, iClass_Key_Table[keyNbr], 8);
} else {
PrintAndLog("\nERROR: NewKey Nbr is invalid\n");
errors = param_gethex(tempStr, 0, OLDKEY, dataLen);
} else if (dataLen == 1) {
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr <= ICLASS_KEYS_MAX) {
+ if (keyNbr < ICLASS_KEYS_MAX) {
memcpy(OLDKEY, iClass_Key_Table[keyNbr], 8);
} else {
PrintAndLog("\nERROR: Credit KeyNbr is invalid\n");
long fsize = ftell(f);
fseek(f, 0, SEEK_SET);
+ if ( fsize < 0 ) {
+ PrintAndLog("Error, when getting filesize");
+ fclose(f);
+ return 1;
+ }
+
uint8_t *dump = malloc(fsize);
size_t bytes_read = fread(dump, 1, fsize, f);
case 'n':
case 'N':
keyNbr = param_get8(Cmd, cmdp+1);
- if (keyNbr < 0) {
- PrintAndLog("Wrong block number");
+ if (keyNbr >= ICLASS_KEYS_MAX) {
+ PrintAndLog("Invalid block number");
errors = true;
}
cmdp += 2;