PrintAndLog("Command execute timeout");\r
}\r
\r
- return 0;\r
-}\r
-\r
-int CmdHF14AMfRdBl(const char *Cmd)\r
-{\r
- uint8_t blockNo = 0;\r
+ return 0;
+}
+
+int CmdHF14AMfUWrBl(const char *Cmd)
+{
+ uint8_t blockNo = 0;
+ uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ UsbCommand resp;
+
+ if (strlen(Cmd)<3) {
+ PrintAndLog("Usage: hf mf uwrbl <block number> <block data (8 hex symbols)>");
+ PrintAndLog(" sample: hf mf uwrbl 0 01020304");
+ return 0;
+ }
+
+ blockNo = param_get8(Cmd, 0);
+ if (param_gethex(Cmd, 1, bldata, 8)) {
+ PrintAndLog("Block data must include 8 HEX symbols");
+ return 1;
+ }
+
+ switch(blockNo)
+ {
+ case 0:
+ PrintAndLog("Access Denied");
+ break;
+ case 1:
+ PrintAndLog("Access Denied");
+ break;
+ case 2:
+ PrintAndLog("--specialblock no:%02x", blockNo);
+ PrintAndLog("--data: %s", sprint_hex(bldata, 4));
+ UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}};
+ memcpy(c.d.asBytes, bldata, 4);
+ SendCommand(&c);
+
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+ break;
+ case 3:
+ PrintAndLog("--specialblock no:%02x", blockNo);
+ PrintAndLog("--data: %s", sprint_hex(bldata, 4));
+ UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}};
+ memcpy(d.d.asBytes,bldata, 4);
+ SendCommand(&d);
+
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+ break;
+ default:
+ PrintAndLog("--block no:%02x", blockNo);
+ PrintAndLog("--data: %s", sprint_hex(bldata, 4));
+ //UsbCommand e = {CMD_MIFAREU_WRITEBL_COMPAT, {blockNo}};
+ //memcpy(e.d.asBytes,bldata, 16);
+ UsbCommand e = {CMD_MIFAREU_WRITEBL, {blockNo}};
+ memcpy(e.d.asBytes,bldata, 4);
+ SendCommand(&e);
+
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+ break;
+ }
+ return 0;
+}
+
+int CmdHF14AMfRdBl(const char *Cmd)
+{
+ uint8_t blockNo = 0;
uint8_t keyType = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
\r
PrintAndLog("Command execute timeout");\r
}\r
\r
- return 0;\r
-}\r
-\r
-int CmdHF14AMfRdSc(const char *Cmd)\r
-{\r
- int i;\r
+ return 0;
+}
+
+int CmdHF14AMfURdBl(const char *Cmd)
+{
+ uint8_t blockNo = 0;
+
+ if (strlen(Cmd)<1) {
+ PrintAndLog("Usage: hf mf urdbl <block number>");
+ PrintAndLog(" sample: hf mf urdbl 0");
+ return 0;
+ }
+
+ blockNo = param_get8(Cmd, 0);
+ PrintAndLog("--block no:%02x", blockNo);
+
+ UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};
+ SendCommand(&c);
+
+ UsbCommand resp;
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ uint8_t * data = resp.d.asBytes;
+
+ if (isOK)
+ PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
+ else
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+
+ return 0;
+}
+
+int CmdHF14AMfURdCard(const char *Cmd)
+{
+ int i;
+ uint8_t sectorNo = 0;
+ uint8_t *lockbytes_t=NULL;
+ uint8_t lockbytes[2]={0,0};
+ bool bit[16]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
+
+ uint8_t isOK = 0;
+ uint8_t * data = NULL;
+
+ if (sectorNo > 15) {
+ PrintAndLog("Sector number must be less than 16");
+ return 1;
+ }
+ PrintAndLog("Attempting to Read Ultralight... ");
+
+ UsbCommand c = {CMD_MIFAREU_READCARD, {sectorNo}};
+ SendCommand(&c);
+
+ UsbCommand resp;
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ isOK = resp.arg[0] & 0xff;
+ data = resp.d.asBytes;
+
+ PrintAndLog("isOk:%02x", isOK);
+ if (isOK)
+ for (i = 0; i < 16; i++) {
+ switch(i){
+ case 2:
+ //process lock bytes
+ lockbytes_t=data+(i*4);
+ lockbytes[0]=lockbytes_t[2];
+ lockbytes[1]=lockbytes_t[3];
+ for(int j=0; j<16; j++){
+ bit[j]=lockbytes[j/8] & ( 1 <<(7-j%8));
+ }
+ //PrintAndLog("LB %02x %02x", lockbytes[0],lockbytes[1]);
+ //PrintAndLog("LB2b %02x %02x %02x %02x %02x %02x %02x %02x",bit[8],bit[9],bit[10],bit[11],bit[12],bit[13],bit[14],bit[15]);
+ PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4));
+ break;
+ case 3:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[4]);
+ break;
+ case 4:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[3]);
+ break;
+ case 5:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[2]);
+ break;
+ case 6:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[1]);
+ break;
+ case 7:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[0]);
+ break;
+ case 8:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[15]);
+ break;
+ case 9:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[14]);
+ break;
+ case 10:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[13]);
+ break;
+ case 11:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[12]);
+ break;
+ case 12:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[11]);
+ break;
+ case 13:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[10]);
+ break;
+ case 14:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[9]);
+ break;
+ case 15:
+ PrintAndLog("Block %02x:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[8]);
+ break;
+ default:
+ PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4));
+ break;
+ }
+ }
+ } else {
+ PrintAndLog("Command1 execute timeout");
+ }
+ return 0;
+}
+
+int CmdHF14AMfRdSc(const char *Cmd)
+{
+ int i;
uint8_t sectorNo = 0;\r
uint8_t keyType = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
}\r
if (isOK) {\r
fwrite ( data, 1, 16, fout );\r
+ PrintAndLog("Dumped card data into 'dumpdata.bin'");\r
+\r
}\r
else {\r
PrintAndLog("Could not get access rights for block %d", i);\r
\r
fclose(fin);\r
fclose(fout);\r
- \r
return 0;\r
}\r
\r
uint8_t blDiff = 0;\r
int SectorsCnt = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
- uint8_t keyBlock[16 * 6];\r
+ uint8_t keyBlock[6*6];\r
uint64_t key64 = 0;\r
int transferToEml = 0;\r
\r
PrintAndLog("--target block no:%02x target key type:%02x ", trgBlockNo, trgKeyType);\r
\r
if (cmdp == 'o') {\r
- if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) {\r
+ if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {\r
PrintAndLog("Nested error.");\r
return 2;\r
}\r
-\r
- for (i = 0; i < 16; i++) {\r
- PrintAndLog("count=%d key= %s", i, sprint_hex(keyBlock + i * 6, 6));\r
- }\r
- \r
- // test keys\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);\r
- if (res)\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);\r
- if (!res) {\r
+ key64 = bytes_to_num(keyBlock, 6);\r
+ if (key64) {\r
PrintAndLog("Found valid key:%012"llx, key64);\r
\r
// transfer key to the emulator\r
}\r
}\r
else { // ------------------------------------ multiple sectors working\r
+ clock_t time1;\r
+ time1 = clock();\r
+\r
blDiff = blockNo % 4;\r
PrintAndLog("Block shift=%d", blDiff);\r
e_sector = calloc(SectorsCnt, sizeof(sector));\r
\r
//test current key 4 sectors\r
memcpy(keyBlock, key, 6);\r
- num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 1 * 6));\r
- num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 2 * 6));\r
- num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 3 * 6));\r
- num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 4 * 6));\r
+ num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 1 * 6));\r
+ num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 2 * 6));\r
+ num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6));\r
+ num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6));\r
num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));\r
\r
PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);\r
e_sector[i].foundKey[j] = 1;\r
}\r
}\r
- } \r
+ }\r
+ \r
\r
// nested sectors\r
iterations = 0;\r
PrintAndLog("nested...");\r
+ bool calibrate = true;\r
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
- for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4) \r
+ for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4) {\r
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
if (e_sector[trgBlockNo / 4].foundKey[trgKeyType]) continue;\r
- if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) continue;\r
+ PrintAndLog("-----------------------------------------------");\r
+ if(mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, calibrate)) {\r
+ PrintAndLog("Nested error.\n");\r
+ return 2;\r
+ }\r
+ else {\r
+ calibrate = false;\r
+ }\r
\r
iterations++;\r
- \r
- //try keys from nested\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);\r
- if (res)\r
- res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);\r
- if (!res) {\r
+\r
+ key64 = bytes_to_num(keyBlock, 6);\r
+ if (key64) {\r
PrintAndLog("Found valid key:%012"llx, key64);\r
e_sector[trgBlockNo / 4].foundKey[trgKeyType] = 1;\r
e_sector[trgBlockNo / 4].Key[trgKeyType] = key64;\r
}\r
}\r
+ }\r
}\r
\r
- PrintAndLog("Iterations count: %d", iterations);\r
+ printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/1000.0, ((float)clock() - time1)/iterations/1000.0);\r
+ \r
+ PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);\r
//print them\r
PrintAndLog("|---|----------------|---|----------------|---|");\r
PrintAndLog("|sec|key A |res|key B |res|");\r
while( !feof(f) ){\r
memset(buf, 0, sizeof(buf));\r
if (fgets(buf, sizeof(buf), f) == NULL) {\r
- PrintAndLog("File reading error.");\r
- return 2;\r
- }\r
+ PrintAndLog("File reading error.");\r
+ return 2;\r
+ }\r
\r
if (strlen(buf) < 12 || buf[11] == '\n')\r
continue;\r
\r
while (fgetc(f) != '\n' && !feof(f)) ; //goto next line\r
\r
- if( buf[0]=='#' ) continue; //The line start with # is remcommnet,skip\r
+ if( buf[0]=='#' ) continue; //The line start with # is comment, skip\r
\r
if (!isxdigit(buf[0])){\r
PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);\r
int b=blockNo;\r
for (int i=0; i<SectorsCnt; ++i) {\r
PrintAndLog("--SectorsCnt:%d block no:0x%02x key type:%C key count:%d ", i, b, t?'B':'A', keycnt);\r
- int size = keycnt>8?8:keycnt;\r
- for (int c = 0; c < keycnt; c+=size) {\r
- size=keycnt-c>8?8:keycnt-c; \r
- res = mfCheckKeys(b, t, size, keyBlock +6*c, &key64);\r
+ uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
+ for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
+ uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
+ res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);\r
if (res !=1) {\r
if (!res) {\r
PrintAndLog("Found valid key:[%012"llx"]",key64);\r
num_to_bytes(key64, 6, block + t*10);\r
mfEmlSetMem(block, get_trailer_block(b), 1);\r
}\r
- break;\r
- }\r
- else {\r
- printf("Not found yet, keycnt:%d\r", c+size);\r
- fflush(stdout);\r
}\r
} else {\r
PrintAndLog("Command execute timeout");\r
\r
static command_t CommandTable[] =\r
{\r
- {"help", CmdHelp, 1, "This help"},\r
- {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
- {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
- {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
- {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
- {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
+ {"help", CmdHelp, 1, "This help"},
+ {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
+ {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
+ {"urdbl", CmdHF14AMfURdBl, 0, "Read MIFARE Ultralight block"},
+ {"urdcard", CmdHF14AMfURdCard, 0,"Read MIFARE Ultralight Card"},
+ {"uwrbl", CmdHF14AMfUWrBl, 0,"Write MIFARE Ultralight block"},
+ {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
+ {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},
+ {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},
{"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
{"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
{"mifare", CmdHF14AMifare, 0, "Read parity error messages. param - <used card nonce>"},\r