+ int i;\r
+ uint8_t numSectors;\r
+ uint8_t data[16];\r
+ uint64_t keyA, keyB;\r
+\r
+ char cmdp = param_getchar(Cmd, 0);\r
+ \r
+ if ( cmdp == 'h' || cmdp == 'H' ) {\r
+ PrintAndLog("It prints the keys loaded in the emulator memory");\r
+ PrintAndLog("Usage: hf mf ekeyprn [card memory]");\r
+ PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+ PrintAndLog("");\r
+ PrintAndLog(" sample: hf mf ekeyprn 1");\r
+ return 0;\r
+ } \r
+\r
+ switch (cmdp) {\r
+ case '0' : numSectors = 5; break;\r
+ case '1' : \r
+ case '\0': numSectors = 16; break;\r
+ case '2' : numSectors = 32; break;\r
+ case '4' : numSectors = 40; break;\r
+ default: numSectors = 16;\r
+ } \r
+ \r
+ PrintAndLog("|---|----------------|----------------|");\r
+ PrintAndLog("|sec|key A |key B |");\r
+ PrintAndLog("|---|----------------|----------------|");\r
+ for (i = 0; i < numSectors; i++) {\r
+ if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {\r
+ PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);\r
+ break;\r
+ }\r
+ keyA = bytes_to_num(data, 6);\r
+ keyB = bytes_to_num(data + 10, 6);\r
+ PrintAndLog("|%03d| %012"llx" | %012"llx" |", i, keyA, keyB);\r
+ }\r
+ PrintAndLog("|---|----------------|----------------|");\r
+ \r
+ return 0;\r
+}\r
+\r
+// CHINESE MAGIC COMMANDS \r
+\r
+int CmdHF14AMfCSetUID(const char *Cmd) {\r
+ uint8_t wipeCard = 0;\r
+ uint8_t uid[8] = {0x00};\r
+ uint8_t oldUid[8] = {0x00};\r
+ uint8_t atqa[2] = {0x00};\r
+ uint8_t sak[1] = {0x00};\r
+ uint8_t atqaPresent = 1;\r
+ int res;\r
+ char ctmp;\r
+ int argi=0;\r
+\r
+ if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') {\r
+ PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");\r
+ PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line.");\r
+ PrintAndLog("");\r
+ PrintAndLog("Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols] [w]");\r
+ PrintAndLog("");\r
+ PrintAndLog("sample: hf mf csetuid 01020304");\r
+ PrintAndLog(" hf mf csetuid 01020304 0004 08 w");\r
+ return 0;\r
+ }\r
+\r
+ if (param_getchar(Cmd, argi) && param_gethex(Cmd, argi, uid, 8)) {\r
+ PrintAndLog("UID must include 8 HEX symbols");\r
+ return 1;\r
+ }\r
+ argi++;\r
+\r
+ ctmp = param_getchar(Cmd, argi);\r
+ if (ctmp == 'w' || ctmp == 'W') {\r
+ wipeCard = 1;\r
+ atqaPresent = 0;\r
+ }\r
+\r
+ if (atqaPresent) {\r
+ if (param_getchar(Cmd, argi)) {\r
+ if (param_gethex(Cmd, argi, atqa, 4)) {\r
+ PrintAndLog("ATQA must include 4 HEX symbols");\r
+ return 1;\r
+ }\r
+ argi++;\r
+ if (!param_getchar(Cmd, argi) || param_gethex(Cmd, argi, sak, 2)) {\r
+ PrintAndLog("SAK must include 2 HEX symbols");\r
+ return 1;\r
+ }\r
+ argi++;\r
+ } else\r
+ atqaPresent = 0;\r
+ }\r
+\r
+ if(!wipeCard) {\r
+ ctmp = param_getchar(Cmd, argi);\r
+ if (ctmp == 'w' || ctmp == 'W') {\r
+ wipeCard = 1;\r
+ }\r
+ }\r
+\r
+ PrintAndLog("--wipe card:%s uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4));\r
+\r
+ res = mfCSetUID(uid, (atqaPresent) ? atqa : NULL, (atqaPresent) ? sak : NULL, oldUid, wipeCard);\r
+ if (res) {\r
+ PrintAndLog("Can't set UID. error=%d", res);\r
+ return 1;\r
+ }\r
+ \r
+ PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));\r
+ PrintAndLog("new UID:%s", sprint_hex(uid, 4));\r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMfCSetBlk(const char *Cmd) {\r
+ uint8_t block[16] = {0x00};\r
+ uint8_t blockNo = 0;\r
+ uint8_t params = MAGIC_SINGLE;\r
+ int res;\r
+\r
+ if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
+ PrintAndLog("Usage: hf mf csetblk <block number> <block data (32 hex symbols)> [w]");\r
+ PrintAndLog("sample: hf mf csetblk 1 01020304050607080910111213141516");\r
+ PrintAndLog("Set block data for magic Chinese card (only works with such cards)");\r
+ PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");\r
+ return 0;\r
+ } \r
+\r
+ blockNo = param_get8(Cmd, 0);\r
+\r
+ if (param_gethex(Cmd, 1, block, 32)) {\r
+ PrintAndLog("block data must include 32 HEX symbols");\r
+ return 1;\r
+ }\r
+\r
+ char ctmp = param_getchar(Cmd, 2);\r
+ if (ctmp == 'w' || ctmp == 'W')\r
+ params |= MAGIC_WIPE;\r
+ \r
+ PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(block, 16));\r
+\r
+ res = mfCSetBlock(blockNo, block, NULL, params);\r
+ if (res) {\r
+ PrintAndLog("Can't write block. error=%d", res);\r
+ return 1;\r
+ }\r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMfCLoad(const char *Cmd) {\r
+ FILE * f;\r
+ char filename[FILE_PATH_SIZE];\r
+ char * fnameptr = filename;\r
+ char buf[64] = {0x00};\r
+ uint8_t buf8[64] = {0x00};\r
+ uint8_t fillFromEmulator = 0;\r
+ int i, len, blockNum, flags=0;\r
+\r
+ memset(filename, 0, sizeof(filename));\r
+ \r
+ char ctmp = param_getchar(Cmd, 0);\r
+ \r
+ if (ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) {\r
+ PrintAndLog("It loads magic Chinese card from the file `filename.eml`");\r
+ PrintAndLog("or from emulator memory (option `e`)");\r
+ PrintAndLog("Usage: hf mf cload <file name w/o `.eml`>");\r
+ PrintAndLog(" or: hf mf cload e ");\r
+ PrintAndLog(" sample: hf mf cload filename");\r
+ return 0;\r
+ } \r
+\r
+ if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
+ \r
+ if (fillFromEmulator) {\r
+ for (blockNum = 0; blockNum < 16 * 4; blockNum += 1) {\r
+ if (mfEmlGetMem(buf8, blockNum, 1)) {\r
+ PrintAndLog("Cant get block: %d", blockNum);\r
+ return 2;\r
+ }\r
+ if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC; // switch on field and send magic sequence\r
+ if (blockNum == 1) flags = 0; // just write\r
+ if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; // Done. Magic Halt and switch off field.\r
+\r
+ if (mfCSetBlock(blockNum, buf8, NULL, flags)) {\r
+ PrintAndLog("Cant set magic card block: %d", blockNum);\r
+ return 3;\r
+ }\r
+ }\r
+ return 0;\r
+ } else {\r
+ len = strlen(Cmd);\r
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
+\r
+ memcpy(filename, Cmd, len);\r
+ fnameptr += len;\r
+\r
+ sprintf(fnameptr, ".eml"); \r
+ \r
+ // open file\r
+ f = fopen(filename, "r");\r
+ if (f == NULL) {\r
+ PrintAndLog("File not found or locked.");\r
+ return 1;\r
+ }\r
+ \r
+ blockNum = 0;\r
+ while(!feof(f)){\r
+ \r
+ memset(buf, 0, sizeof(buf));\r
+ \r
+ if (fgets(buf, sizeof(buf), f) == NULL) {\r
+ fclose(f);\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
+\r
+ if (strlen(buf) < 32) {\r
+ if(strlen(buf) && feof(f))\r
+ break;\r
+ PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
+ fclose(f);\r
+ return 2;\r
+ }\r
+ for (i = 0; i < 32; i += 2)\r
+ sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
+\r
+ if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC; // switch on field and send magic sequence\r
+ if (blockNum == 1) flags = 0; // just write\r
+ if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; // Done. Switch off field.\r
+\r
+ if (mfCSetBlock(blockNum, buf8, NULL, flags)) {\r
+ PrintAndLog("Can't set magic card block: %d", blockNum);\r
+ fclose(f);\r
+ return 3;\r
+ }\r
+ blockNum++;\r
+ \r
+ if (blockNum >= 16 * 4) break; // magic card type - mifare 1K\r
+ }\r
+ fclose(f);\r
+ \r
+ // 64 or 256blocks.\r
+ if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){\r
+ PrintAndLog("File content error. There must be 64 blocks");\r
+ return 4;\r
+ }\r
+ PrintAndLog("Loaded from file: %s", filename);\r
+ return 0;\r
+ }\r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMfCGetBlk(const char *Cmd) {\r
+ uint8_t data[16];\r
+ uint8_t blockNo = 0;\r
+ int res;\r
+ memset(data, 0x00, sizeof(data));\r
+ char ctmp = param_getchar(Cmd, 0);\r
+\r
+ if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') {\r
+ PrintAndLog("Usage: hf mf cgetblk <block number>");\r
+ PrintAndLog("sample: hf mf cgetblk 1");\r
+ PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");\r
+ return 0;\r
+ } \r
+\r
+ blockNo = param_get8(Cmd, 0);\r
+\r
+ PrintAndLog("--block number:%2d ", blockNo);\r
+\r
+ res = mfCGetBlock(blockNo, data, MAGIC_SINGLE);\r
+ if (res) {\r
+ PrintAndLog("Can't read block. error=%d", res);\r
+ return 1;\r
+ }\r
+ \r
+ PrintAndLog("data: %s", sprint_hex(data, sizeof(data)));\r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMfCGetSc(const char *Cmd) {\r
+ uint8_t data[16];\r
+ uint8_t sectorNo = 0;\r
+ int i, res, flags;\r
+ memset(data, 0x00, sizeof(data));\r
+ char ctmp = param_getchar(Cmd, 0);\r
+ \r
+ if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') {\r
+ PrintAndLog("Usage: hf mf cgetsc <sector number>");\r
+ PrintAndLog("sample: hf mf cgetsc 0");\r
+ PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");\r
+ return 0;\r
+ } \r
+\r
+ sectorNo = param_get8(Cmd, 0);\r
+ if (sectorNo > 15) {\r
+ PrintAndLog("Sector number must be in [0..15] as in MIFARE classic.");\r
+ return 1;\r
+ }\r
+\r
+ PrintAndLog("--sector number:%d ", sectorNo);\r
+ PrintAndLog("block | data");\r
+\r
+ flags = MAGIC_INIT + MAGIC_WUPC;\r
+ for (i = 0; i < 4; i++) {\r
+ if (i == 1) flags = 0;\r
+ if (i == 3) flags = MAGIC_HALT + MAGIC_OFF;\r
+\r
+ res = mfCGetBlock(sectorNo * 4 + i, data, flags);\r
+ if (res) {\r
+ PrintAndLog("Can't read block. %d error=%d", sectorNo * 4 + i, res);\r
+ return 1;\r
+ } \r
+ PrintAndLog(" %3d | %s", sectorNo * 4 + i, sprint_hex(data, sizeof(data)));\r
+ }\r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMfCSave(const char *Cmd) {\r
+\r
+ FILE * f;\r
+ char filename[FILE_PATH_SIZE];\r
+ char * fnameptr = filename;\r
+ uint8_t fillFromEmulator = 0;\r
+ uint8_t buf[64];\r
+ int i, j, len, flags;\r
+ \r
+ memset(filename, 0, sizeof(filename));\r
+ memset(buf, 0, sizeof(buf));\r
+ char ctmp = param_getchar(Cmd, 0);\r
+ \r
+ if ( ctmp == 'h' || ctmp == 'H' ) {\r
+ PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");\r
+ PrintAndLog("or into emulator memory (option `e`)");\r
+ PrintAndLog("Usage: hf mf esave [file name w/o `.eml`][e]");\r
+ PrintAndLog(" sample: hf mf esave ");\r
+ PrintAndLog(" hf mf esave filename");\r
+ PrintAndLog(" hf mf esave e \n");\r
+ return 0;\r
+ } \r
+ if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
+\r
+ if (fillFromEmulator) {\r
+ // put into emulator\r
+ flags = MAGIC_INIT + MAGIC_WUPC;\r
+ for (i = 0; i < 16 * 4; i++) {\r
+ if (i == 1) flags = 0;\r
+ if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF;\r
+ \r
+ if (mfCGetBlock(i, buf, flags)) {\r
+ PrintAndLog("Cant get block: %d", i);\r
+ break;\r
+ }\r
+ \r
+ if (mfEmlSetMem(buf, i, 1)) {\r
+ PrintAndLog("Cant set emul block: %d", i);\r
+ return 3;\r
+ }\r
+ }\r
+ return 0;\r
+ } else {\r
+ len = strlen(Cmd);\r
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
+ \r
+ // get filename based on UID\r
+ if (len < 1) {\r
+ \r
+ if (mfCGetBlock(0, buf, MAGIC_SINGLE)) {\r
+ PrintAndLog("Cant get block: %d", 0);\r
+ len = sprintf(fnameptr, "dump");\r
+ fnameptr += len;\r
+ } else {\r
+ for (j = 0; j < 7; j++, fnameptr += 2)\r
+ sprintf(fnameptr, "%02x", buf[j]); \r
+ }\r
+ } else {\r
+ memcpy(filename, Cmd, len);\r
+ fnameptr += len;\r
+ }\r
+\r
+ // add .eml extension\r
+ sprintf(fnameptr, ".eml"); \r
+ \r
+ // open file\r
+ f = fopen(filename, "w+");\r
+\r
+ if (f == NULL) {\r
+ PrintAndLog("File not found or locked.");\r
+ return 1;\r
+ }\r
+\r
+ // put hex\r
+ flags = MAGIC_INIT + MAGIC_WUPC;\r
+ for (i = 0; i < 16 * 4; i++) {\r
+ if (i == 1) flags = 0;\r
+ if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF;\r
+ \r
+ if (mfCGetBlock(i, buf, flags)) {\r
+ PrintAndLog("Cant get block: %d", i);\r
+ break;\r
+ }\r
+ for (j = 0; j < 16; j++)\r
+ fprintf(f, "%02x", buf[j]); \r
+ fprintf(f,"\n");\r
+ }\r
+ fflush(f);\r
+ fclose(f);\r
+ PrintAndLog("Saved to file: %s", filename);\r
+ return 0;\r
+ }\r
+}\r
+\r
+//needs nt, ar, at, Data to decrypt\r
+int CmdHf14MfDecryptBytes(const char *Cmd){\r
+ uint8_t data[50];\r
+ uint32_t nt = param_get32ex(Cmd,0,0,16);\r
+ uint32_t ar_enc = param_get32ex(Cmd,1,0,16);\r
+ uint32_t at_enc = param_get32ex(Cmd,2,0,16);\r
+\r
+ int len = 0;\r
+ param_gethex_ex(Cmd, 3, data, &len);\r
+ \r
+ len /= 2; \r
+ int limit = sizeof(data) / 2;\r
+ \r
+ if ( len >= limit )\r
+ len = limit;\r
+ \r
+ return tryDecryptWord( nt, ar_enc, at_enc, data, len);\r
+}\r
+\r
+static command_t CommandTable[] = {\r
+ {"help", CmdHelp, 1, "This help"},\r
+ {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
+ {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
+ {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
+ {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
+ {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
+ {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
+ {"chk", CmdHF14AMfChk, 0, "Check keys"},\r
+ {"mifare", CmdHF14AMifare, 0, "Darkside attack. read parity error messages."},\r
+ {"nested", CmdHF14AMfNested, 0, "Nested attack. Test nested authentication"},\r
+ {"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},\r
+ {"keybrute", CmdHF14AMfKeyBrute, 0, "J_Run's 2nd phase of multiple sector nested authentication key recovery"},\r
+ {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},\r
+ {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},\r
+ {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},\r
+ {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},\r
+ {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},\r
+ {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},\r
+ {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},\r
+ {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},\r
+ {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},\r
+ {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},\r
+ {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},\r
+ {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},\r
+ {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
+ {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
+ {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
+ {"decrypt", CmdHf14MfDecryptBytes, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
+ {NULL, NULL, 0, NULL}\r
+};\r
+\r
+int CmdHFMF(const char *Cmd) {\r
+ clearCommandBuffer();\r
+ CmdsParse(CommandTable, Cmd);\r
+ return 0;\r
+}\r
+\r
+int CmdHelp(const char *Cmd) {\r
+ CmdsHelp(CommandTable);\r
+ return 0;\r