iceman1001 [Thu, 21 May 2015 21:17:01 +0000 (23:17 +0200)]
FIX; the "L" optional parameter for swapping endianess on used authentication key. It is now implemented for following commands.
"HF MFU INFO"
"HF MFU DUMP"
"HF MFU RDBL"
"HF MFU WRBL"
CHG; I commented away the option to add the key to the dump, since it is not written in big-endian, like the data is on ULC. This needs to be addressed before it comes back. I like the idea of having keys inside the dumps on the correct places.
iceman1001 [Wed, 20 May 2015 21:44:11 +0000 (23:44 +0200)]
CHG: Merged the "hf mfu rdbl" and "hf mfu crdbl" commands into "hf mfu rdbl". One read command.
CHG: Merged the "hf mfu wrbl" and "hf mfu cwrbl" commands into "hf mfu wrbl". One write command.
Both new commands implement a help, authentication (0x1A/0x1B) for ULC and the rest,
iceman1001 [Tue, 19 May 2015 19:45:06 +0000 (21:45 +0200)]
FIX: comment out a #include to reveng (my experiment)
ADD: Started to add a NTAG203 identification. Its a hard tag to pinpoint. Doesn't have GET_VERSION,
iceman1001 [Sat, 16 May 2015 13:30:17 +0000 (15:30 +0200)]
chg: @marshmellows changes to "hf 14a reader"
add: the experimental "hf 14a sim x" attack impl.
chg: sorry, but I never liked that sniffing was called snooping in this command. So I changed it to "sniff".
iceman1001 [Tue, 12 May 2015 16:55:34 +0000 (18:55 +0200)]
ADD: added option to call "hf mfu info" with a authentication key.
ADD: added a help text for "hf mfu info" usage_hf_mfu_info
ADD: added @marshmellows changes & fixes.
iceman1001 [Wed, 6 May 2015 21:50:31 +0000 (23:50 +0200)]
ADD: added the new magic detection, where we send a partial ISO14443A_CMD_WRITEBLOCK (0xA0) command to page 0. if the tag answer 0xA ACK (its magic) or if it answers 0x00 NACK its not.
The normal behavior for a tag is to send NACK.
iceman1001 [Wed, 6 May 2015 20:40:46 +0000 (22:40 +0200)]
CHG: extracted the UL_C & UL magic tests.
ADD: a raw write command also there.
CHG: "hf mfu info" got some more love, looks better too.
UL_EV1 / NTAG, only try known passwords if AUTHLIM is set to 0.
iceman1001 [Tue, 5 May 2015 20:15:02 +0000 (22:15 +0200)]
CHG: making sure no buffer overflows will occure in ul_send_cmd_raw by adding responseLength parameter to all calls.
CHG: added UL-C configurations details to be printed
iceman1001 [Mon, 4 May 2015 22:25:10 +0000 (00:25 +0200)]
CHG: enhanced the "hf mfu info" a lot. It can detect UL/UL-C/UL-EV1/NTAG213/NTAG215/NTAG216
and at present it can detect if a UL-C tag is magic (uid changeable)
FOR UL it writes the first configuration pages 0-3.
For UL_C it tests some default 3des keys, and lock / confg bytes at pages 42-43,44-47
For UL_EV1 / NTAG it collects the GETVERSION command and tries to read 3 counters., it also tries one default password of 0xFF,0xFF,0xFF,0xFF for the EV1 /NTAG authentication 0x1B.
FOR UL_C_MAGIC, it tries to see if the gatherd nonces for authentication 0x1A is the same, which indicates on my tags that they are magic.
There is the @marshmellow changes to "hf mfu dump" command.
This commit needs testing, and is to be considered experimental.
CHG: the work in progress of making "HF MFU INFO" / "HF MFU DUMP" goes on.
ook @marshmellows changes and remade them a bit. TagTypeUL_t behaves like a flag-enum.
"HF MFU DUMP" now autodetects tagtype, and the deviceside should report back proper length.
CHG: re-factored the "HF MFU CAUTH" command to be simpler.
ADD: "HF MFU INFO", added detection of MAGIC UL-C tags and a simple loop test 5 default 3des keys.
ADD: HF MFU SETUID, this commands helps changing the UID on a magic UL, UL-C tag.
It reads block2, since only one byte is going to change. Then it proceds to write block 0,1,2 with recalc BCC1, BCC2 bytes.
CHG: HF MFU INFO, got some love in the form of detection of UL/UL-C/UL-EV1. Took same idea from HF 14A READER.
CHG: fixed a better detection for Ultralight, Ultralight-C, Ultralight-EV1 tags.
--see https://github.com/Proxmark/proxmark3/issues/96
-- still todo, finding a good way of detecting Magic Ultralight-C tags.
-- thanks @marshmellow for pointing out proper UL-C tags responses is different.
i think this functions fairly well...
still some issues with demod positioning for various reasons.
ASK/Biph/FSK work pretty well
the PSK Demod still needs a little attention to help it better demod
various carriers...
FIX: two parentheses were missing.
FIX: setting the default key to Oxff bug. (http://www.proxmark.org/forum/viewtopic.php?pid15325#p15325)
FIX: proper initialisation of variables ;)