LED_A_OFF();
}
+//-----------------------------------------------------------------------------
+// Work with "magic Chinese" card.
+//
+//-----------------------------------------------------------------------------
+
+// Set the UID to the tag (based on Iceman work).
+void SetTag15693Uid(uint8_t *uid)
+{
+ uint8_t cmd[4][9] = {0x00};
+
+ uint16_t crc;
+
+ int recvlen = 0;
+ uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
+
+ LED_A_ON();
+
+ // Command 1 : 02213E00000000
+ cmd[0][0] = 0x02;
+ cmd[0][1] = 0x21;
+ cmd[0][2] = 0x3e;
+ cmd[0][3] = 0x00;
+ cmd[0][4] = 0x00;
+ cmd[0][5] = 0x00;
+ cmd[0][6] = 0x00;
+
+ // Command 2 : 02213F69960000
+ cmd[1][0] = 0x02;
+ cmd[1][1] = 0x21;
+ cmd[1][2] = 0x3f;
+ cmd[1][3] = 0x69;
+ cmd[1][4] = 0x96;
+ cmd[1][5] = 0x00;
+ cmd[1][6] = 0x00;
+
+ // Command 3 : 022138u8u7u6u5 (where uX = uid byte X)
+ cmd[2][0] = 0x02;
+ cmd[2][1] = 0x21;
+ cmd[2][2] = 0x38;
+ cmd[2][3] = uid[7];
+ cmd[2][4] = uid[6];
+ cmd[2][5] = uid[5];
+ cmd[2][6] = uid[4];
+
+ // Command 4 : 022139u4u3u2u1 (where uX = uid byte X)
+ cmd[3][0] = 0x02;
+ cmd[3][1] = 0x21;
+ cmd[3][2] = 0x39;
+ cmd[3][3] = uid[3];
+ cmd[3][4] = uid[2];
+ cmd[3][5] = uid[1];
+ cmd[3][6] = uid[0];
+
+ for (int i=0; i<4; i++) {
+ // Add the CRC
+ crc = Crc(cmd[i], 7);
+ cmd[i][7] = crc & 0xff;
+ cmd[i][8] = crc >> 8;
+
+ if (DEBUG) {
+ Dbprintf("SEND:");
+ Dbhexdump(sizeof(cmd[i]), cmd[i], false);
+ }
+
+ recvlen = SendDataTag(cmd[i], sizeof(cmd[i]), true, 1, recvbuf, sizeof(recvbuf), 0);
+
+ if (DEBUG) {
+ Dbprintf("RECV:");
+ Dbhexdump(recvlen, recvbuf, false);
+ DbdecodeIso15693Answer(recvlen, recvbuf);
+ }
+
+ cmd_send(CMD_ACK, recvlen>ISO15693_MAX_RESPONSE_LENGTH?ISO15693_MAX_RESPONSE_LENGTH:recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
+ }
+
+ LED_D_OFF();
+
+ LED_A_OFF();
+}
{"cmd", CmdHF15Cmd, 0, "Send direct commands to ISO15693 tag"},
{"findafi", CmdHF15Afi, 0, "Brute force AFI of an ISO15693 tag"},
{"dumpmemory", CmdHF15DumpMem, 0, "Read all memory pages of an ISO15693 tag"},
+ {"csetuid", CmdHF15CSetUID, 0, "Set UID for magic Chinese card"},
{NULL, NULL, 0, NULL}
};
return 0;
}
+int CmdHF15CSetUID(const char *Cmd)
+{
+ uint8_t uid[8] = {0x00};
+ uint8_t oldUid[8], newUid[8] = {0x00};
+
+ uint8_t needHelp = 0;
+ char cmdp = 1;
+
+ if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 16)) {
+ PrintAndLog("UID must include 16 HEX symbols");
+ return 1;
+ }
+
+ if (uid[0] != 0xe0) {
+ PrintAndLog("UID must begin with the byte 'E0'");
+ return 1;
+ }
+
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ needHelp = 1;
+ break;
+ default:
+ PrintAndLog("ERROR: Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+ needHelp = 1;
+ break;
+ }
+ cmdp++;
+ }
+
+ if (strlen(Cmd) < 1 || needHelp) {
+ PrintAndLog("");
+ PrintAndLog("Usage: hf 15 csetuid <UID 16 hex symbols>");
+ PrintAndLog("sample: hf 15 csetuid E004013344556677");
+ PrintAndLog("Set UID for magic Chinese card (only works with such cards)");
+ return 0;
+ }
+
+ PrintAndLog("");
+ PrintAndLog("new UID | %s", sprint_hex(uid, 8));
+ PrintAndLog("Using backdoor Magic tag function");
+
+ if (!getUID(oldUid)) {
+ PrintAndLog("Can't get old UID.");
+ return 1;
+ }
+
+ UsbCommand resp;
+ uint8_t *recv;
+ char *hexout;
+ UsbCommand c = {CMD_CSETUID_ISO_15693, {0, 0, 0}};
+ memcpy(c.d.asBytes, uid, 8);
+
+ SendCommand(&c);
+
+ for (int i=0; i<4; i++) {
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
+ recv = resp.d.asBytes;
+ PrintAndLog("received %i octets",resp.arg[0]);
+ hexout = (char *)malloc(resp.arg[0] * 3 + 1);
+ if (hexout != NULL) {
+ for (int i = 0; i < resp.arg[0]; i++) { // data in hex
+ sprintf(&hexout[i * 3], "%02X ", recv[i]);
+ }
+ PrintAndLog("%s", hexout);
+ free(hexout);
+ }
+ } else {
+ PrintAndLog("timeout while waiting for reply.");
+ }
+ }
+
+ if (!getUID(newUid)) {
+ PrintAndLog("Can't get new UID.");
+ return 1;
+ }
+
+ PrintAndLog("");
+ PrintAndLog("old UID : %02X %02X %02X %02X %02X %02X %02X %02X", oldUid[7], oldUid[6], oldUid[5], oldUid[4], oldUid[3], oldUid[2], oldUid[1], oldUid[0]);
+ PrintAndLog("new UID : %02X %02X %02X %02X %02X %02X %02X %02X", newUid[7], newUid[6], newUid[5], newUid[4], newUid[3], newUid[2], newUid[1], newUid[0]);
+ return 0;
+}
static command_t CommandTable15Cmd[] =
{"write", CmdHF15CmdWrite, 0, "Write a block"},
{"readmulti",CmdHF15CmdReadmulti, 0, "Reads multiple Blocks"},
{"sysinfo",CmdHF15CmdSysinfo, 0, "Get Card Information"},
- {"raw", CmdHF15CmdRaw, 0, "Send raw hex data to tag"},
+ {"raw", CmdHF15CmdRaw, 0, "Send raw hex data to tag"},
+ {"csetuid", CmdHF15CSetUID, 0, "Set UID for magic Chinese card"},
{"debug", CmdHF15CmdDebug, 0, "Turn debugging on/off"},
{NULL, NULL, 0, NULL}
};
projects / proxmark3-svn / commitdiff