From 26b8f38b63d9054a7626d529610416928a9c0e92 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 9 Apr 2015 20:36:12 +0200 Subject: [PATCH 01/16] CHG: changed some help texts. --- client/scripts/tnp3clone.lua | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/client/scripts/tnp3clone.lua b/client/scripts/tnp3clone.lua index cad1ab70..6c4a148c 100644 --- a/client/scripts/tnp3clone.lua +++ b/client/scripts/tnp3clone.lua @@ -25,6 +25,14 @@ Arguments: -h : this help -t : toytype id, 4hex symbols. -s : subtype id, 4hex symbols + + For fun, try the following subtype id: + 0612 - Lightcore + 0118 - Series 1 + 0138 - Series 2 + 0234 - Special + 023c - Special + ]] -- 2.39.5 From 9c09e006d667665f7e81eaddfd977a55442854ff Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 9 Apr 2015 20:38:38 +0200 Subject: [PATCH 02/16] CHG: removed unused code. FIX: moved some checks to make the script run a tad bit faster. --- client/scripts/tnp3dump.lua | 55 ++++++++++++------------------------- 1 file changed, 17 insertions(+), 38 deletions(-) diff --git a/client/scripts/tnp3dump.lua b/client/scripts/tnp3dump.lua index f93f9728..cd547e8a 100644 --- a/client/scripts/tnp3dump.lua +++ b/client/scripts/tnp3dump.lua @@ -30,9 +30,7 @@ Arguments: -p : Use the precalc to find all keys -o : filename for the saved dumps ]] - -local HASHCONSTANT = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' - +local RANDOM = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds local DEBUG = false -- the debug flag local numBlocks = 64 
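Review bot: `RANDOM` is a misleading name for the value introduced on the `+local RANDOM = '2043...'` line of the tnp3dump.lua hunk: it is a fixed constant (the hex decodes to a static ASCII copyright string) that the later decrypt hunk appends to `block0..block1..'%02x'` as key-derivation input, so nothing about it is random. Keeping the old `HASHCONSTANT` or a descriptive `local KEY_SUFFIX = '...'` with a comment such as `-- fixed suffix appended to block0..block1..blockNo, then MD5'd, to derive the per-block AES key` would spare the next reader a search for an RNG. The same rename reappears in the PATCH 03 copy of this file and in the tnp3sim.lua hunk of PATCH 10.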
@@ -96,16 +94,6 @@ local function waitCmd() return nil, "No response from device" end -local function computeCrc16(s) - local hash = core.crc16(utils.ConvertHexToAscii(s)) - return hash -end - -local function reverseCrcBytes(crc) - crc2 = crc:sub(3,4)..crc:sub(1,2) - return tonumber(crc2,16) -end - local function main(args) print( string.rep('--',20) ) @@ -146,10 +134,6 @@ local function main(args) core.clearCommandBuffer() - if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx - -- return oops('This is not a TNP3xxx tag. aborting.') - end - -- Show tag info print((' Found tag %s'):format(result.name)) @@ -189,6 +173,8 @@ local function main(args) local block1, err = waitCmd() if err then return oops(err) end + local tmpHash = block0..block1..'%02x'..RANDOM + local key local pos = 0 local blockNo @@ -221,20 +207,16 @@ local function main(args) -- Block 0-7 not encrypted blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) else - local base = ('%s%s%02x%s'):format(block0, block1, blockNo, HASHCONSTANT) - local baseStr = utils.ConvertHexToAscii(base) - local md5hash = md5.sumhexa(baseStr) - local aestest = core.aes(md5hash, blockdata) - - local hex = utils.ConvertAsciiToBytes(aestest) - hex = utils.ConvertBytesToHex(hex) - -- blocks with zero not encrypted. if string.find(blockdata, '^0+$') then blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) else - blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,hex) - io.write( blockNo..',') + local baseStr = utils.ConvertHexToAscii(tmpHash:format(blockNo)) + local key = md5.sumhexa(baseStr) + local aestest = core.aes128_decrypt(key, blockdata) + local hex = utils.ConvertAsciiToBytes(aestest) + hex = utils.ConvertBytesToHex(hex) + blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,hex) end end else 
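Review bot: The `+ local key` added right after `local tmpHash = block0..block1..'%02x'..RANDOM` is never assigned at that scope; the decrypt branch in the next hunk (`@@ -221,20 +207,16 @@`) declares its own `local key = md5.sumhexa(baseStr)`, which shadows it, so the outer declaration is dead and luacheck will flag the shadowing. Drop the outer `local key` line, or remove `local` from the inner assignment if the intent was to keep the last derived key around. main's body begins and ends outside these hunks.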
@@ -258,11 +240,10 @@ local function main(args) emldata = emldata..slice..'\n' for c in (str):gmatch('.') do bindata[#bindata+1] = c - end + end end print( string.rep('--',20) ) - local uid = block0:sub(1,8) local toytype = block1:sub(1,4) @@ -273,26 +254,24 @@ local function main(args) -- Write dump to files if not DEBUG then - local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'_uid_'..uid..'.bin') + local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'-'..uid..'.bin') print(("Wrote a BIN dump to: %s"):format(foo)) - local bar = dumplib.SaveAsText(emldata, outputTemplate..'_uid_'..uid..'.eml') + local bar = dumplib.SaveAsText(emldata, outputTemplate..'-'..uid..'.eml') print(("Wrote a EML dump to: %s"):format(bar)) end + + print( string.rep('--',20) ) + -- Show info local item = toys.Find(toytype, subtype) if item then - local itemStr = ('%s - %s (%s)'):format(item[6],item[5], item[4]) - print(' ITEM TYPE : '..itemStr ) + print((' ITEM TYPE : %s - %s (%s)'):format(item[6],item[5], item[4]) ) else print((' ITEM TYPE : 0x%s 0x%s'):format(toytype, subtype)) end - - -- Show info - print( (' Alter ego / traptype : 0x%s'):format(traptype) ) + print( (' UID : 0x%s'):format(uid) ) print( (' CARDID : 0x%s'):format(cardid ) ) - print( string.rep('--',20) ) - end main(args) \ No newline at end of file -- 2.39.5 From 8e0cf02308a732bf5ddf5bd9263e2895905a9d59 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Fri, 10 Apr 2015 00:06:59 -0400 Subject: [PATCH 03/16] minor change to lf em4x menu & iceman script... ...updates --- client/cmdlfem4x.c | 4 +-- client/lualibs/default_toys.lua | 17 ++++++---- client/scripts/tnp3clone.lua | 8 +++++ client/scripts/tnp3dump.lua | 55 ++++++++++----------------------- 4 files changed, 38 insertions(+), 46 deletions(-) diff --git a/client/cmdlfem4x.c b/client/cmdlfem4x.c index 614624a6..c492a64d 100644 --- a/client/cmdlfem4x.c +++ b/client/cmdlfem4x.c 
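Review bot: The results of `dumplib.SaveAsBinary` and `dumplib.SaveAsText` on the `local foo = ...` / `local bar = ...` lines go straight into `print(("Wrote a BIN dump to: %s"):format(foo))` without a check; if dumplib follows the `nil, err` convention this script already relies on for `waitCmd()` (`local block1, err = waitCmd(); if err then return oops(err) end`), a failed write prints a misleading message (or errors inside `format` on Lua 5.1) instead of reporting the cause. Suggest `local foo, err = dumplib.SaveAsBinary(bindata, outputTemplate..'-'..uid..'.bin')` followed by `if not foo then return oops(err) end`, and the same for the EML write. This hunk is repeated verbatim in the PATCH 03 copy of the file.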
@@ -604,11 +604,11 @@ static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, {"em410xdemod", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"}, - {"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"}, + {"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag in GraphBuffer"}, {"em410xsim", CmdEM410xSim, 0, " -- Simulate EM410x tag"}, {"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"}, {"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" }, - {"em410xwrite", CmdEM410xWrite, 1, " <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"}, + {"em410xwrite", CmdEM410xWrite, 0, " <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"}, {"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"}, {"readword", CmdReadWord, 1, " -- Read EM4xxx word data"}, {"readwordPWD", CmdReadWordPWD, 1, " -- Read EM4xxx word data in password mode"}, diff --git a/client/lualibs/default_toys.lua b/client/lualibs/default_toys.lua index 64eed9b3..f34d510d 100644 --- a/client/lualibs/default_toys.lua +++ b/client/lualibs/default_toys.lua @@ -45,6 +45,7 @@ local _names = { --{"26", "1a00", "0030", "life", "regular", "Elite Stealth Elf"}, --{"26", "1a00", "0030", "life", "regular", "Dark Stealth Elf"}, {"27", "1b00", "0030", "life", "regular", "Stump Smash"}, +{"27", "1b00", "0118", "life", "regular", "Stump Smash"}, --{"27", "1b00", "0030", "life", "regular", "Autumn Stump Smash"}, {"28", "1c00", "0030", "magic", "regular", "Dark Spyro"}, --{"28", "1c00", "0030", "magic", "regular", "Elite Spyro"}, 
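Review bot: The `{"em410xwrite", CmdEM410xWrite, 0, ...}` line flips the entry's third field from 1 to 0, which, if that field is the offline flag used by the rest of `CommandTable`, means the command now requires a connected device; that is the right setting for a command that writes a tag, but the subject "minor change to lf em4x menu" reads like a help-text tweak and hides a behavioural change. A line in the commit message such as `em410xwrite: mark as requiring a device (offline flag 0)` would make it findable. The `em410xread` help-text change is fine.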
@@ -70,7 +71,7 @@ local _names = { --{"107", "6b00", "0030", "water", "giant", "Admiral Thumpback"}, {"108", "6c00", "0030", "magic", "giant", "Pop Fizz"}, --{"108", "6c00", "0030", "magic", "giant", "Hoppity Pop Fizz"}, ---{"108", "6c00", "0030", "magic", "giant", "Love Potion Pop Fizz"}, +{"108", "6c00", "023c", "magic", "giant", "Love Potion Pop Fizz"}, --{"108", "6c00", "0030", "magic", "giant", "Punch Pop Fizz"}, {"109", "6d00", "0030", "magic", "giant", "Nin Jini"}, {"110", "6e00", "0030", "tech", "giant", "Bouncer"}, @@ -174,8 +175,8 @@ local _names = { {"304", "3001", "0030", "none", "location", "Volcanic Vault"}, {"305", "3101", "0030", "none", "location", "Mirror Of Mystery"}, {"306", "3201", "0030", "none", "location", "Nightmare Express"}, -{"307", "3301", "0030", "none", "location", "Sunscraper Spire"}, -{"308", "3401", "0030", "none", "location", "Midnight Museum"}, +{"307", "3301", "0030", "light", "location", "Sunscraper Spire"}, +{"308", "3401", "0030", "dark", "location", "Midnight Museum"}, {"404", "9401", "0030", "earth", "legendary","Bash"}, {"416", "a001", "0030", "magic", "legendary", "Spyro"}, @@ -219,7 +220,7 @@ local _names = { {"461", "cd01", "0030", "fire", "regular", "Torch"}, {"462", "ce01", "0030", "water", "trapmaster", "Snap Shot"}, {"462", "ce01", "0234", "water", "trapmaster", "Dark Snap Shot"}, ---, "water", "trapmaster", "Instant Snap Shot"}, +{"462", "6c00", "023c", "water", "trapmaster", "Instant Snap Shot"}, --, "water", "trapmaster", "Merry Snap Shot"}, {"463", "cf01", "0030", "water", "trapmaster", "Lob Star"}, {"463", "cf01", "0234", "water", "trapmaster", "Winterfest Lob Star"}, 
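Review bot: The new `{"462", "6c00", "023c", "water", "trapmaster", "Instant Snap Shot"}` row pairs id 462 with type `6c00`, while both neighbouring 462 rows (`Snap Shot`, `Dark Snap Shot`) use `ce01`, and `6c00`/`023c` is exactly the key of the `Love Potion Pop Fizz` row added in the hunk above. Because `find(main, sub)` matches only on `v[2]` and `v[3]`, a tag reading 6c00/023c now has two candidate rows and the result depends on `pairs` order. The intended line is presumably `{"462", "ce01", "023c", "water", "trapmaster", "Instant Snap Shot"},`, to be confirmed against a real figure.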
@@ -245,6 +246,7 @@ local _names = { {"475", "db01", "0030", "life", "trapmaster", "Tuff Luck"}, --{"475", "db01", "0234", "life", "trapmaster", "Special Tuff Luck"}, {"476", "dc01", "0030", "life", "regular", "Food Fight"}, +{"476", "dc01", "0612", "life", "regular", "LightCore Food Fight"}, --{"476", "dc01", "0030", "life", "regular", "Dark Food Fight"}, --{"476", "dc01", "0030", "life", "regular", "Frosted Food Fight"}, --{"476", "dc01", "0030", "life", "regular", "Instant Food Fight"}, @@ -255,6 +257,7 @@ local _names = { --{"479", "df01", "0234", "undead", "trapmaster", "Special Short Cut"}, {"480", "e001", "0030", "undead", "regular", "Bat Spin"}, {"481", "e101", "0030", "undead", "regular", "Funny Bone"}, +{"481", "e101", "0612", "undead", "regular", "LightCore Funny Bone"}, --{"481", "e101", "0030", "undead", "regular", "Fortune Funny Bone"}, {"482", "e201", "0030", "light", "trapmaster", "Knight light"}, --{"482", "e201", "0234", "light", "trapmaster", "Special Knight light"}, @@ -292,6 +295,7 @@ local _names = { --{"3002", "ba0b", "0030", "earth", "SWAPFORCE", "Dark Slobber Tooth"}, --{"3002", "ba0b", "0030", "earth", "SWAPFORCE", "Sundae Slobber Tooth"}, {"3003", "bb0b", "0030", "earth", "SWAPFORCE", "Scorp"}, +{"3004", "bc0b", "0030", "fire", "SWAPFORCE", "Fryno"}, {"3004", "bc0b", "0138", "fire", "SWAPFORCE", "Hog Wild Fryno"}, --{"3004", "bc0b", "0138", "fire", "SWAPFORCE", "Flip flop Fryno"}, {"3005", "bd0b", "0030", "fire", "SWAPFORCE", "Smolderdash"}, @@ -314,9 +318,10 @@ local _names = { } local function find( main, sub) - + main = main:lower() + sub = sub:lower() for k, v in pairs(_names) do - if ( v[2] == main and v[3] == sub) then + if ( v[2]:lower() == main and v[3]:lower() == sub) then return v end end diff --git a/client/scripts/tnp3clone.lua b/client/scripts/tnp3clone.lua index cad1ab70..6c4a148c 100644 --- a/client/scripts/tnp3clone.lua +++ b/client/scripts/tnp3clone.lua 
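Review bot: `main = main:lower()` and `sub = sub:lower()` at the top of `find` turn a nil argument into an "attempt to index a nil value" error where the old comparison simply returned nothing; the tnp3dump caller passes string slices today, but the `-t`/`-s` values from tnp3clone may reach this path unvalidated. A guard `if type(main) ~= 'string' or type(sub) ~= 'string' then return nil end` before the lowering preserves the old contract. Lowering `v[2]`/`v[3]` on every row of `_names` per call is also avoidable, since every entry visible here is already lowercase hex and the table could be normalised once at load time.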
@@ -25,6 +25,14 @@ Arguments: -h : this help -t : toytype id, 4hex symbols. -s : subtype id, 4hex symbols + + For fun, try the following subtype id: + 0612 - Lightcore + 0118 - Series 1 + 0138 - Series 2 + 0234 - Special + 023c - Special + ]] diff --git a/client/scripts/tnp3dump.lua b/client/scripts/tnp3dump.lua index f93f9728..cd547e8a 100644 --- a/client/scripts/tnp3dump.lua +++ b/client/scripts/tnp3dump.lua @@ -30,9 +30,7 @@ Arguments: -p : Use the precalc to find all keys -o : filename for the saved dumps ]] - -local HASHCONSTANT = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' - +local RANDOM = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds local DEBUG = false -- the debug flag local numBlocks = 64 @@ -96,16 +94,6 @@ local function waitCmd() return nil, "No response from device" end -local function computeCrc16(s) - local hash = core.crc16(utils.ConvertHexToAscii(s)) - return hash -end - -local function reverseCrcBytes(crc) - crc2 = crc:sub(3,4)..crc:sub(1,2) - return tonumber(crc2,16) -end - local function main(args) print( string.rep('--',20) ) @@ -146,10 +134,6 @@ local function main(args) core.clearCommandBuffer() - if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx - -- return oops('This is not a TNP3xxx tag. aborting.') - end - -- Show tag info print((' Found tag %s'):format(result.name)) @@ -189,6 +173,8 @@ local function main(args) local block1, err = waitCmd() if err then return oops(err) end + local tmpHash = block0..block1..'%02x'..RANDOM + local key local pos = 0 local blockNo 
@@ -221,20 +207,16 @@ local function main(args) -- Block 0-7 not encrypted blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) else - local base = ('%s%s%02x%s'):format(block0, block1, blockNo, HASHCONSTANT) - local baseStr = utils.ConvertHexToAscii(base) - local md5hash = md5.sumhexa(baseStr) - local aestest = core.aes(md5hash, blockdata) - - local hex = utils.ConvertAsciiToBytes(aestest) - hex = utils.ConvertBytesToHex(hex) - -- blocks with zero not encrypted. if string.find(blockdata, '^0+$') then blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) else - blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,hex) - io.write( blockNo..',') + local baseStr = utils.ConvertHexToAscii(tmpHash:format(blockNo)) + local key = md5.sumhexa(baseStr) + local aestest = core.aes128_decrypt(key, blockdata) + local hex = utils.ConvertAsciiToBytes(aestest) + hex = utils.ConvertBytesToHex(hex) + blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,hex) end end else @@ -258,11 +240,10 @@ local function main(args) emldata = emldata..slice..'\n' for c in (str):gmatch('.') do bindata[#bindata+1] = c - end + end end print( string.rep('--',20) ) - local uid = block0:sub(1,8) local toytype = block1:sub(1,4) 
@@ -273,26 +254,24 @@ local function main(args) -- Write dump to files if not DEBUG then - local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'_uid_'..uid..'.bin') + local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'-'..uid..'.bin') print(("Wrote a BIN dump to: %s"):format(foo)) - local bar = dumplib.SaveAsText(emldata, outputTemplate..'_uid_'..uid..'.eml') + local bar = dumplib.SaveAsText(emldata, outputTemplate..'-'..uid..'.eml') print(("Wrote a EML dump to: %s"):format(bar)) end + + print( string.rep('--',20) ) + -- Show info local item = toys.Find(toytype, subtype) if item then - local itemStr = ('%s - %s (%s)'):format(item[6],item[5], item[4]) - print(' ITEM TYPE : '..itemStr ) + print((' ITEM TYPE : %s - %s (%s)'):format(item[6],item[5], item[4]) ) else print((' ITEM TYPE : 0x%s 0x%s'):format(toytype, subtype)) end - - -- Show info - print( (' Alter ego / traptype : 0x%s'):format(traptype) ) + print( (' UID : 0x%s'):format(uid) ) print( (' CARDID : 0x%s'):format(cardid ) ) - print( string.rep('--',20) ) - end main(args) \ No newline at end of file -- 2.39.5 From 0e6c7336b09102432a728796cf4903efc6d3ec5b Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Thu, 23 Apr 2015 09:50:44 +0200 Subject: [PATCH 04/16] Fixed issue with dumping iclass tags > 2KB in size --- client/cmdhficlass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index 44b074b3..b8337196 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -345,7 +345,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) if(dataLength > 0) { PrintAndLog("Got %d bytes data (total so far %d)" ,dataLength,iclass_datalen); - memcpy(iclass_data, resp.d.asBytes,dataLength); + memcpy(iclass_data+iclass_datalen, resp.d.asBytes,dataLength); iclass_datalen += dataLength; }else {//Last transfer, datalength 0 means the dump is finished -- 2.39.5 From abcb166ffe26cab359cd80e0109e6131e31bef49 Mon Sep 17 00:00:00 2001 
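Review bot: `memcpy(iclass_data+iclass_datalen, resp.d.asBytes,dataLength);` now appends at the right offset, but nothing bounds `iclass_datalen + dataLength` against the capacity of `iclass_data`, whose declaration is outside the hunk; `dataLength` comes from the device response, so an oversized or repeated transfer writes past the buffer. A check before the copy such as `if (iclass_datalen + dataLength > sizeof(iclass_data)) { PrintAndLog("Dump exceeds buffer, aborting"); break; }` (using the buffer's length constant instead of `sizeof` if it is a pointer, and assuming this sits in the receive loop the "Last transfer" comment implies) closes that gap. `CmdHFiClassReader_Dump` begins and ends outside the hunk.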
From: iceman1001 Date: Fri, 24 Apr 2015 18:19:51 +0200 Subject: [PATCH 05/16] ADD: a minor modification to "HF 14A READ" to enable the correct identification between ULTRALIGHT / ULTRALIGHT-C / ULTRALIGHT EV1 tags. --- client/cmdhf14a.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index 6fc4d2a0..1a31c71f 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -154,7 +154,7 @@ int CmdHF14AReader(const char *Cmd) if(select_status == 3) { PrintAndLog("Card doesn't support standard iso14443-3 anticollision"); - PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]); + PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]); // disconnect c.arg[0] = 0; c.arg[1] = 0; @@ -175,7 +175,27 @@ int CmdHF14AReader(const char *Cmd) } switch (card.sak) { - case 0x00: PrintAndLog("TYPE : NXP MIFARE Ultralight | Ultralight C"); break; + case 0x00: + // check if the tag answers to GETVERSION (0x60) + c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT; + c.arg[1] = 1; + c.arg[2] = 0; + c.d.asBytes[0] = 0x60; + SendCommand(&c); + WaitForResponse(CMD_ACK,&resp); + + uint8_t version[8] = {0x00}; + memcpy(&version, resp.d.asBytes, resp.arg[0]); + uint8_t isOK = resp.arg[0] & 0xff; + if ( isOK ){ + // size of tag, check version[4] == 0x0b == smaller. + PrintAndLog("TYPE : NXP MIFARE Ultralight EV1 %d bytes", (version[6] == 0xB) ? 48 : 128); + } + else { + PrintAndLog("TYPE : NXP MIFARE Ultralight | Ultralight C"); + } + + break; case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break; case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break; case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break; -- 2.39.5 From 64ad618e9c0572ef792e7fe412bfb3552cf9a186 Mon Sep 17 00:00:00 2001 
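Review bot: `memcpy(&version, resp.d.asBytes, resp.arg[0]);` copies a device-reported length into the 8-byte stack array `version` without clamping it, so a longer-than-expected GETVERSION response overruns the stack; clamp first, `size_t vlen = resp.arg[0] & 0xff; if (vlen > sizeof(version)) vlen = sizeof(version); memcpy(version, resp.d.asBytes, vlen);` (and pass `version`, not `&version`, which is a pointer to the whole array). The comment `// size of tag, check version[4] == 0x0b == smaller.` disagrees with the code, which tests `version[6]`; one of them is wrong and the comment should name the byte actually used. `isOK` holds the response length rather than a status, so a name like `vlen` would make `if ( isOK )` read as intended. `CmdHF14AReader` continues outside the hunk.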
From: iceman1001 Date: Fri, 24 Apr 2015 18:33:31 +0200 Subject: [PATCH 06/16] ADD: some missing enums: ISO14A_SET_TIMEOUT = 0x40, ISO14A_NO_SELECT = 0x80, ISO14A_TOPAZMODE = 0x100 --- client/lualibs/read14a.lua | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/client/lualibs/read14a.lua b/client/lualibs/read14a.lua index 10e7c2d4..943a1722 100644 --- a/client/lualibs/read14a.lua +++ b/client/lualibs/read14a.lua @@ -20,7 +20,9 @@ local ISO14A_COMMAND = { ISO14A_RAW = 8, ISO14A_REQUEST_TRIGGER = 0x10, ISO14A_APPEND_CRC = 0x20, - ISO14A_SET_TIMEOUT = 0x40 + ISO14A_SET_TIMEOUT = 0x40, + ISO14A_NO_SELECT = 0x80, + ISO14A_TOPAZMODE = 0x100 } local ISO14443a_TYPES = {} -- 2.39.5 From e8b07838ab6119cc3b90f48b51bd2b54eece94be Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 24 Apr 2015 18:34:24 +0200 Subject: [PATCH 07/16] ADD: more toy-tokens, among others some missing swapforce. --- client/lualibs/default_toys.lua | 52 ++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/client/lualibs/default_toys.lua b/client/lualibs/default_toys.lua index f34d510d..5a680a20 100644 --- a/client/lualibs/default_toys.lua +++ b/client/lualibs/default_toys.lua @@ -24,6 +24,7 @@ local _names = { {"13", "0d00", "0030", "water", "regular", "Wham Shell"}, {"14", "0e00", "0030", "water", "regular", "Gill Grunt"}, --{"14", "0e00", "0030", "water", "regular", "Elite Gill Grunt"}, +--{"14", "0e00", "0030", "water", "regular", "Tidal Wave Gill Grunt"}, {"15", "0f00", "0030", "water", "regular", "Slam Bam"}, --{"15", "0f00", "0030", "water", "regular", "Surfer Slam Bam"}, {"16", "1000", "0030", "magic", "regular", "Spyro"}, 
@@ -43,7 +44,8 @@ local _names = { {"25", "1900", "0030", "life", "regular", "Zook"}, {"26", "1a00", "0030", "life", "regular", "Stealth Elf"}, --{"26", "1a00", "0030", "life", "regular", "Elite Stealth Elf"}, ---{"26", "1a00", "0030", "life", "regular", "Dark Stealth Elf"}, +--{"26", "1a00", "0528", "life", "regular", "Dark Stealth Elf"}, +{"26", "1a00", "0528", "life", "swapforce", "Ninja Stealth Elf"}, {"27", "1b00", "0030", "life", "regular", "Stump Smash"}, {"27", "1b00", "0118", "life", "regular", "Stump Smash"}, --{"27", "1b00", "0030", "life", "regular", "Autumn Stump Smash"}, @@ -59,6 +61,7 @@ local _names = { --{"32", "2000", "0030", "undead", "regular", "Skeletal Cynder"}, {"100", "6400", "0030", "air", "giant", "Jet Vac"}, +--{"100", "6400", "0030", "air", "giant", "Full blast Jet Vac"}, {"101", "6500", "0030", "air", "giant", "Swarm"}, {"102", "6600", "0030", "earth", "giant", "Crusher"}, {"103", "6700", "0030", "earth", "giant", "Flashwing"}, @@ -73,12 +76,14 @@ local _names = { --{"108", "6c00", "0030", "magic", "giant", "Hoppity Pop Fizz"}, {"108", "6c00", "023c", "magic", "giant", "Love Potion Pop Fizz"}, --{"108", "6c00", "0030", "magic", "giant", "Punch Pop Fizz"}, +--{"108", "6c00", "0030", "magic", "giant", "Fizzy Frenzy Pop Fizz"}, {"109", "6d00", "0030", "magic", "giant", "Nin Jini"}, {"110", "6e00", "0030", "tech", "giant", "Bouncer"}, {"111", "6f00", "0030", "tech", "giant", "Sprocket"}, {"112", "7000", "0030", "life", "giant", "Tree Rex"}, --{"112", "7000", "0030", "life", "giant", "Gnarly Tree Rex"}, -{"113", "7100", "0030", "life", "giant", "Shroomboom"}, --lightcore +{"113", "7100", "0030", "life", "giant", "Shroomboom"}, +--{"113", "7100", "0030", "life", "giant", "Sure shot Shroomboom"}, {"114", "7200", "0030", "undead", "giant", "Eye Broawl"}, {"115", "7300", "0030", "undead", "giant", "Fright Rider"}, 
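Review bot: The new `{"26", "1a00", "0528", "life", "swapforce", "Ninja Stealth Elf"}` row spells the category `swapforce` in lowercase, whereas every other row of that family on this page uses `SWAPFORCE` (e.g. `{"3001", "b90b", "0030", "air", "SWAPFORCE", "Pop Thorn"}`); the field is printed verbatim as `item[5]` by the tnp3 scripts and would trip any later case-sensitive filter. Suggest `"SWAPFORCE"` here for consistency. The second `Stump Smash` row with subtype 0118 (added under PATCH 03) is fine if it is the "Series 1" variant the tnp3clone help lists, but a trailing `-- Series 1 variant` comment would stop it reading as an accidental duplicate.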
@@ -268,27 +273,35 @@ local _names = { {"485", "e501", "0030", "dark", "regular", "Blackout"}, --{"485", "e501", "0234", "dark", "regular", "Special Blackout"}, +-- MINI's {"502", "f601", "0030", "earth", "mini", "Bop"}, -{"503", "f701", "0030", "magic", "mini", "Spry"}, -{"504", "f801", "0030", "undead", "mini", "Hijinx"}, {"505", "f901", "0030", "earth", "mini", "Terrabite"}, + {"506", "fa01", "0030", "air", "mini", "Breeze"}, -{"507", "fb01", "0030", "fire", "mini", "Weeruptor"}, ---{"507", "fb01", "0030", "fire", "mini", "Eggsellent Weeruptor"}, {"508", "fc01", "0030", "air", "mini", "Pet Vac"}, --{"508", "fc01", "0030", "air", "mini", "Power Punch Pet Vac"}, + +{"507", "fb01", "0030", "fire", "mini", "Weeruptor"}, +--{"507", "fb01", "0030", "fire", "mini", "Eggsellent Weeruptor"}, {"509", "fd01", "0030", "fire", "mini", "Small Fry"}, + {"510", "fe01", "0030", "tech", "mini", "Drobit"}, -{"514", "0202", "0030", "water", "mini", "Gill Runt"}, {"519", "0702", "0030", "tech", "mini", "Trigger Snappy"}, + {"526", "0e02", "0030", "life", "mini", "Whisper Elf"}, {"540", "1c02", "0030", "life", "mini", "Barkley"}, --{"540", "1c02", "0030", "life", "mini", "Gnarly Barkley"}, + {"541", "1d02", "0030", "water", "mini", "Thumpling"}, +{"514", "0202", "0030", "water", "mini", "Gill Runt"}, + {"542", "1e02", "0030", "magic", "mini", "mini Jini"}, +{"503", "f701", "0030", "magic", "mini", "Spry"}, + +{"504", "f801", "0030", "undead", "mini", "Hijinx"}, {"543", "1f02", "0030", "undead", "mini", "Eye Small"}, -{"3000", "b80b", "0030", "air", "SWAPFORCE", "Scratch"}, +{"3000", "b80b", "0030", "air", "mini", "Scratch", "SWAPFORCE"}, {"3001", "b90b", "0030", "air", "SWAPFORCE", "Pop Thorn"}, --{"3001", "b90b", "0030", "air", "SWAPFORCE", "Buttered Pop Thorn"}, {"3002", "ba0b", "0030", "earth", "SWAPFORCE", "Slobber Tooth"}, 
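Review bot: The rewritten `{"3000", "b80b", "0030", "air", "mini", "Scratch", "SWAPFORCE"}` row moves `SWAPFORCE` into a seventh field and puts `mini` in position 5, which is the category slot every consumer shown on this page reads (`item[5]` in tnp3dump and tnp3sim); Scratch will now be reported as a mini and the seventh field is ignored. If Scratch is a Swap Force figure the line should stay `{"3000", "b80b", "0030", "air", "SWAPFORCE", "Scratch"},`. The reordering of the mini rows in the same hunk is harmless since `find` scans the whole table.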
@@ -315,6 +328,29 @@ local _names = { {"3013", "c50b", "0030", "undead", "SWAPFORCE", "Grim Creeper"}, {"3014", "c60b", "0030", "water", "SWAPFORCE", "Rip Tide"}, {"3015", "c70b", "0030", "water", "SWAPFORCE", "Punk Shock"}, + +--{"", "", "0030", "water", "SWAPFORCE", "Hoot Loop"}, +--{"", "", "0030", "water", "SWAPFORCE", "Trap Shadow"}, +--{"", "", "0030", "water", "SWAPFORCE", "Wash Buckler"}, +--{"", "", "0030", "water", "SWAPFORCE", "Freeze Blade"}, +--{"", "", "0030", "fire", "SWAPFORCE", "Magna Charge"}, +--{"", "", "0030", "fire", "SWAPFORCE", "Spy Rise"}, + +--{"", "", "0030", "fire", "SWAPFORCE", "Doom Stone"}, +--{"", "", "0030", "fire", "SWAPFORCE", "Rubble Rouser"}, + +--{"", "", "0030", "fire", "SWAPFORCE", "Blast Zone"} +--{"", "", "0030", "fire", "SWAPFORCE", "Fire Kraken"}, + +--{"", "", "0030", "fire", "SWAPFORCE", "Rattle Shake"}, +--{"", "", "0030", "fire", "SWAPFORCE", "Night Shift"}, + +--{"", "", "0030", "life", "SWAPFORCE", "Stink Bomb"}, +--{"", "", "0030", "life", "SWAPFORCE", "Grilla Drilla"}, + +--{"", "", "0030", "air", "SWAPFORCE", "Free Ranger"}, +--{"", "", "0030", "air", "SWAPFORCE", "Boom Jet"}, + } local function find( main, sub) -- 2.39.5 From bb84c38196e5d16fc8105a6d9c7340cd11b72692 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 24 Apr 2015 18:35:09 +0200 Subject: [PATCH 08/16] ADD: found another sub-type, --- client/scripts/tnp3clone.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/scripts/tnp3clone.lua b/client/scripts/tnp3clone.lua index 6c4a148c..80748691 100644 --- a/client/scripts/tnp3clone.lua +++ b/client/scripts/tnp3clone.lua @@ -32,7 +32,7 @@ Arguments: 0138 - Series 2 0234 - Special 023c - Special - + 0020 - Swapforce ]] -- 2.39.5 From 0beb94e67b00139083add193e4ab83b14a81960c Mon Sep 17 00:00:00 2001 
From: iceman1001 Date: Fri, 24 Apr 2015 18:36:11 +0200 Subject: [PATCH 09/16] CHG: some minor code cleanup. --- client/scripts/tnp3dump.lua | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/client/scripts/tnp3dump.lua b/client/scripts/tnp3dump.lua index cd547e8a..211d146f 100644 --- a/client/scripts/tnp3dump.lua +++ b/client/scripts/tnp3dump.lua @@ -205,18 +205,19 @@ local function main(args) if blockNo < 8 then -- Block 0-7 not encrypted - blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) + blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) else -- blocks with zero not encrypted. if string.find(blockdata, '^0+$') then - blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) + blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) else local baseStr = utils.ConvertHexToAscii(tmpHash:format(blockNo)) local key = md5.sumhexa(baseStr) local aestest = core.aes128_decrypt(key, blockdata) - local hex = utils.ConvertAsciiToBytes(aestest) + local hex = utils.ConvertAsciiToBytes(aestest) hex = utils.ConvertBytesToHex(hex) - blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,hex) + blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,hex) + io.write(blockNo..',') end end else @@ -273,5 +274,7 @@ local function main(args) print( (' UID : 0x%s'):format(uid) ) print( (' CARDID : 0x%s'):format(cardid ) ) print( string.rep('--',20) ) + + core.clearCommandBuffer() end main(args) \ No newline at end of file -- 2.39.5 From 1b3c567df229f873ed93e0148c7781a2ee74f804 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 24 Apr 2015 18:37:40 +0200 Subject: [PATCH 10/16] ADD: charatect name, level, sequence number, CHG: minor code clean up. --- client/scripts/tnp3sim.lua | 56 ++++++++++++++++++++------------------ 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/client/scripts/tnp3sim.lua b/client/scripts/tnp3sim.lua index af3d2d4c..6d17a09b 100644 --- a/client/scripts/tnp3sim.lua +++ b/client/scripts/tnp3sim.lua 
@@ -23,11 +23,12 @@ Arguments: -h : this help -m : Maxed out items (experimental) -i : filename for the datadump to read (bin) -]] -local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds -local DEBUG = true -- the debug flag + ]] +local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds +local DEBUG = false -- the debug flag +local RANDOM = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' local band = bit32.band local bor = bit32.bor @@ -198,7 +199,7 @@ local function ValidateCheckSums(blocks) end local function LoadEmulator(blocks) - local HASHCONSTANT = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' + local cmd local blockdata for _,b in pairs(blocks) do @@ -207,10 +208,10 @@ local function LoadEmulator(blocks) if _%4 ~= 3 then if (_ >= 8 and _<=21) or (_ >= 36 and _<=49) then - local base = ('%s%s%02x%s'):format(blocks[0], blocks[1], _ , HASHCONSTANT) + local base = ('%s%s%02x%s'):format(blocks[0], blocks[1], _ , RANDOM) local baseStr = utils.ConvertHexToAscii(base) local key = md5.sumhexa(baseStr) - local enc = core.aes(key, blockdata) + local enc = core.aes128_encrypt(key, blockdata) local hex = utils.ConvertAsciiToBytes(enc) hex = utils.ConvertBytesToHex(hex) @@ -346,21 +347,6 @@ local function main(args) local cmdSetDbgOff = "hf mf dbg 0" core.console( cmdSetDbgOff) - -- if not loadFromDump then - -- -- Look for tag present on reader, - -- result, err = lib14a.read1443a(false) - -- if not result then return oops(err) end - - -- core.clearCommandBuffer() - - -- if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx - -- return oops('This is not a TNP3xxx tag. aborting.') - -- end - - -- -- Show tag info - -- print((' Found tag : %s'):format(result.name)) - -- end - -- Load dump.bin file print( (' Load data from %s'):format(inputTemplate)) hex, err = utils.ReadDumpFile(inputTemplate) 
@@ -374,7 +360,7 @@ local function main(args) end if DEBUG then - print('Validating checksums in the loaded datadump') + print(' Validating checksums') ValidateCheckSums(blocks) end @@ -393,7 +379,7 @@ local function main(args) local item = toys.Find( toytype, subtype) if item then local itemStr = ('%s - %s (%s)'):format(item[6],item[5], item[4]) - print(' ITEM TYPE :'..itemStr ) + print(' ITEM TYPE : '..itemStr ) else print( (' ITEM TYPE : 0x%s 0x%s'):format(toytype, subtype) ) end @@ -407,12 +393,19 @@ local function main(args) print( string.rep('--',20) ) - -- lets do something. - -- + -- Experience should be: local experience = blocks[8]:sub(1,6) - print(('Experience : %d'):format(utils.SwapEndianness(experience,24))) + print(('Experience : %d'):format(utils.SwapEndianness(experience,16))) + local money = blocks[8]:sub(7,10) print(('Money : %d'):format(utils.SwapEndianness(money,16))) + + -- + + -- Sequence number + local seqnum = blocks[8]:sub(18,19) + print(('Sequence number : %d'):format( tonumber(seqnum,16))) + local fairy = blocks[9]:sub(1,8) --FD0F = Left, FF0F = Right local path = 'not choosen' @@ -425,6 +418,12 @@ local function main(args) local hat = blocks[9]:sub(8,11) print(('Hat : %d'):format(utils.SwapEndianness(hat,16))) + + local level = blocks[13]:sub(27,28) + print(('LEVEL : %d'):format( tonumber(level,16))) + --hälsa: 667 029b + --local health = blocks[]:sub(); + --print(('Health : %d'):format( tonumber(health,16)) --0x0D 0x29 0x0A 0x02 16-bit hero points value. Maximum 100. local heropoints = blocks[13]:sub(20,23) @@ -434,6 +433,11 @@ local function main(args) local challenges = blocks[16]:sub(25,32) print(('Finished hero challenges : %d'):format(utils.SwapEndianness(challenges,32))) + -- Character Name + local name1 = blocks[10]:sub(1,32) + local name2 = blocks[12]:sub(1,32) + print('Custom name : '..utils.ConvertHexToAscii(name1..name2)) + if maxed then print('Lets try to max out some values') -- max out money, experience -- 2.39.5 
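Review bot: `print(('Experience : %d'):format(utils.SwapEndianness(experience,16)))` now passes a 16-bit width while `experience` is still `blocks[8]:sub(1,6)`, six hex digits, i.e. 24 bits — one side of the pair was changed without the other, so the printed value is either truncated or swapped on the wrong boundary depending on how `utils.SwapEndianness` handles surplus digits. Either keep `24` or slice `blocks[8]:sub(1,4)`; the adjacent `money = blocks[8]:sub(7,10)` with width 16 shows the consistent pairing. The stray `+ --` line between the money and sequence-number prints can go. main continues outside the hunk.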
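Review bot: The comment `--hälsa: 667 029b` above the commented-out `health` lines in the level hunk (`@@ -425,6 +418,12 @@`) is Swedish and reads as a scratch note; if it records a sample health value (667 = 0x029b) that has not yet been located in the dump, say so in English, e.g. `-- health: sample value 667 (0x029b) seen in a dump; block/offset still to be confirmed`, otherwise drop it together with the two dead `health` lines. The trailing `;` on `--local health = blocks[]:sub();` is not Lua style either.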
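Review bot: `print('Custom name : '..utils.ConvertHexToAscii(name1..name2))` in the last hunk writes all 32 bytes of blocks 10 and 12 to the terminal unfiltered; the field comes from a dump file, so unused trailing bytes and anything non-printable reach stdout as raw control characters. Replace them before printing, e.g. `local name = utils.ConvertHexToAscii(name1..name2):gsub('[^%w%p ]', '')` and `print('Custom name : '..name)`. The encoding of the field is not visible here; if it is UTF-16 rather than ASCII the conversion will also interleave NULs, so confirm that against a dump before settling on the filter.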
From 395f6a814f1ce7c3f3379222c84551cf9747e894 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 24 Apr 2015 18:38:24 +0200 Subject: [PATCH 11/16] ADD: changes to the Ultralight diviersification algo. --- client/cmdhfmfu.c | 52 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 46 insertions(+), 6 deletions(-) diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 310d5bdc..9a6983ff 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -840,16 +840,20 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ uint8_t block = 0x07; uint8_t uid[] = { 0xF4,0xEA, 0x54, 0x8E }; - uint8_t mifarekey[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 }; + uint8_t mifarekeyA[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 }; + uint8_t mifarekeyB[] = { 0xB0,0xB1,0xB2,0xB3,0xB4,0xB5 }; + uint8_t dkeyA[8] = { 0x00 }; + uint8_t dkeyB[8] = { 0x00 }; + uint8_t masterkey[] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff }; uint8_t mix[8] = { 0x00 }; uint8_t divkey[8] = { 0x00 }; - memcpy(mix, mifarekey, 4); + memcpy(mix, mifarekeyA, 4); - mix[4] = mifarekey[4] ^ uid[0]; - mix[5] = mifarekey[5] ^ uid[1]; + mix[4] = mifarekeyA[4] ^ uid[0]; + mix[5] = mifarekeyA[5] ^ uid[1]; mix[6] = block ^ uid[2]; mix[7] = uid[3]; 
@@ -868,14 +872,50 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
 PrintAndLog("Masterkey :\t %s", sprint_hex(masterkey,sizeof(masterkey)));
 PrintAndLog("UID :\t %s", sprint_hex(uid, sizeof(uid)));
 PrintAndLog("Sector :\t %0d", block);
- PrintAndLog("Mifare key :\t %s", sprint_hex(mifarekey, sizeof(mifarekey)));
+ PrintAndLog("Mifare key :\t %s", sprint_hex(mifarekeyA, sizeof(mifarekeyA)));
 PrintAndLog("Message :\t %s", sprint_hex(mix, sizeof(mix)));
 PrintAndLog("Diversified key: %s", sprint_hex(divkey+1, 6));
+ PrintAndLog("\n DES version");
+
+ for (int i=0; i < sizeof(mifarekeyA); ++i){
+ dkeyA[i] = (mifarekeyA[i] << 1) & 0xff;
+ dkeyA[6] |= ((mifarekeyA[i] >> 7) & 1) << (i+1);
+ }
+
+ for (int i=0; i < sizeof(mifarekeyB); ++i){
+ dkeyB[1] |= ((mifarekeyB[i] >> 7) & 1) << (i+1);
+ dkeyB[2+i] = (mifarekeyB[i] << 1) & 0xff;
+ }
+
+ uint8_t zeros[8] = {0x00};
+ uint8_t newpwd[8] = {0x00};
+ uint8_t dmkey[24] = {0x00};
+ memcpy(dmkey, dkeyA, 8);
+ memcpy(dmkey+8, dkeyB, 8);
+ memcpy(dmkey+16, dkeyA, 8);
+ memset(iv, 0x00, 8);
+
+ des3_set3key_enc(&ctx, dmkey);
+
+ des3_crypt_cbc(&ctx // des3_context
+ , DES_ENCRYPT // int mode
+ , sizeof(newpwd) // length
+ , iv // iv[8]
+ , zeros // input
+ , newpwd // output
+ );
+
+ PrintAndLog("Mifare dkeyA :\t %s", sprint_hex(dkeyA, sizeof(dkeyA)));
+ PrintAndLog("Mifare dkeyB :\t %s", sprint_hex(dkeyB, sizeof(dkeyB)));
+ PrintAndLog("Mifare ABA :\t %s", sprint_hex(dmkey, sizeof(dmkey)));
+ PrintAndLog("Mifare Pwd :\t %s", sprint_hex(newpwd, sizeof(newpwd)));
+
 return 0;
 }
-// uint8_t * diversify_key(uint8_t * key){
+// static uint8_t * diversify_key(uint8_t * key){
+
 // for(int i=0; i<16; i++){
 // if(i<=6) key[i]^=cuid[i];
 // if(i>6) key[i]^=cuid[i%7];
-- 2.39.5
From add0504deaacb2736dd7ff04c95daf9ce1d025ad Mon Sep 17 00:00:00 2001
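Review bot: The two loops that turn a 6-byte Classic key into an 8-byte DES key are the same rotate-left-by-one transform with a different destination layout, and neither says where that layout comes from — key A writes the rotated bytes to `dkeyA[0..5]`, gathers the carried MSBs in `dkeyA[6]` and leaves byte 7 zero, while key B gathers them in `dkeyB[1]`, writes the bytes to `dkeyB[2..7]` and leaves byte 0 zero. A comment above the first loop naming the document this reproduces, plus one `static` helper that takes the offsets, makes the asymmetry reviewable instead of something to take on trust; a sketch follows. `int i` compared against `sizeof(...)` draws a sign-compare warning, which `uint8_t i` (the key is six bytes) avoids. `iv` and `ctx` are declared above the hunk, so I cannot confirm that `memset(iv, 0x00, 8)` matches the declared size; the function's earlier part is outside this hunk.
```c
// Rotate each key byte left by one bit into out[data_off + i]; the bit
// carried out of each byte is collected into out[carry_idx] (bit i+1).
// TODO: cite the NXP document this layout follows.
static void ulc_expand_key(const uint8_t *key6, uint8_t *out, uint8_t data_off, uint8_t carry_idx) {
	for (uint8_t i = 0; i < 6; ++i) {
		out[data_off + i] = (key6[i] << 1) & 0xff;
		out[carry_idx] |= ((key6[i] >> 7) & 1) << (i + 1);
	}
}

// … in CmdHF14AMfuGenDiverseKeys, replacing the two loops:
	ulc_expand_key(mifarekeyA, dkeyA, 0, 6);
	ulc_expand_key(mifarekeyB, dkeyB, 2, 1);
	// … unchanged: zeros/newpwd/dmkey setup, des3_set3key_enc, des3_crypt_cbc, PrintAndLog …
```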
From: iceman1001
Date: Fri, 24 Apr 2015 18:41:49 +0200
Subject: [PATCH 12/16] ADD: Started a "collect nonces" concept to be able to analyse the tag generated nonces.

---
 armsrc/appmain.c | 3 ++
 armsrc/apps.h | 3 ++
 armsrc/mifarecmd.c | 70 +++++++++++++++++++++++++++++++++++++++++-
 armsrc/mifaredesfire.c | 2 +-
 armsrc/mifareutil.c | 6 ++--
 include/usb_cmd.h | 2 ++
 6 files changed, 81 insertions(+), 5 deletions(-)

diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index f3136fa0..f5989bd6 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -919,6 +919,9 @@ void UsbPacketReceived(uint8_t *packet, int len)
 MifareSendCommand(c->arg[0], c->arg[1], c->d.asBytes);
 break;
+ case CMD_MIFARE_COLLECT_NONCES:
+ MifareCollectNonces(c->arg[0], c->[1]);
+ break;
 #endif
 #ifdef WITH_ICLASS
diff --git a/armsrc/apps.h b/armsrc/apps.h
index 84376ed6..81203001 100644
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@@ -19,6 +19,7 @@
 #include
 #include
 #include "../common/crc32.h"
+#include "../common/lfdemod.h"
 #include "BigBuf.h"
 #include "../include/hitag2.h"
 #include "../include/mifare.h"
@@ -196,6 +197,8 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 void MifareCIdent(); // is "magic chinese" card?
 void MifareUSetPwd(uint8_t arg0, uint8_t *datain);
+void MifareCollectNonces(uint32_t arg0, uint32_t arg1);
+
 //desfire
 void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain);
 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain);
diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index a240bed4..ef536d96 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
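Review bot: `MifareCollectNonces(c->arg[0], c->[1]);` is not valid C — the member name after `->` is missing — so any firmware build with this dispatch block enabled fails to compile; it should read `MifareCollectNonces(c->arg[0], c->arg[1]);`. The case also forwards `arg1` although the callee in the mifarecmd.c hunk never reads its second parameter, so either drop it or document what the host is expected to put there. UsbPacketReceived starts and ends outside this hunk.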
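Review bot: `#include "../common/lfdemod.h"` in apps.h is unrelated to the nonce collection this commit describes, and nothing visible in the commit uses a symbol from it, so it pulls an LF demodulation header into every ARM compilation unit that includes apps.h for no stated reason. If another change needs it, it belongs in that commit next to the code that uses it, or at least with a comment saying which declaration it provides.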
@@ -1218,7 +1218,75 @@ void MifareCIdent(){
 cmd_send(CMD_ACK,isOK,0,0,0,0);
 }
- //
+void MifareCollectNonces(uint32_t arg0, uint32_t arg1){
+
+ BigBuf_free();
+
+ uint32_t iterations = arg0;
+ uint8_t uid[10] = {0x00};
+
+ uint8_t *response = BigBuf_malloc(MAX_MIFARE_FRAME_SIZE);
+ uint8_t *responsePar = BigBuf_malloc(MAX_MIFARE_PARITY_SIZE);
+
+ uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
+
+ // get memory from BigBuf.
+ uint8_t *nonces = BigBuf_malloc(iterations * 4);
+
+ LED_A_ON();
+ LED_B_OFF();
+ LED_C_OFF();
+
+ clear_trace();
+ set_tracing(TRUE);
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+
+ for (int i = 0; i < iterations; i++) {
+
+ WDT_HIT();
+
+ // Test if the action was cancelled
+ if(BUTTON_PRESS()) break;
+
+ // if(mifare_classic_halt(pcs, cuid)) {
+ // if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
+ //}
+
+ if(!iso14443a_select_card(uid, NULL, NULL)) {
+ if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
+ continue;
+ };
+
+ // Transmit MIFARE_CLASSIC_AUTH.
+ ReaderTransmit(mf_auth, sizeof(mf_auth), NULL);
+
+ // Receive the (4 Byte) "random" nonce
+ if (!ReaderReceive(response, responsePar)) {
+ if (MF_DBGLEVEL >= 1) Dbprintf("Couldn't receive tag nonce");
+ continue;
+ }
+
+ nonces[i*4] = bytes_to_num(response, 4);
+ }
+
+ int packLen = iterations * 4;
+ int packSize = 0;
+ int packNum = 0;
+ while (packLen > 0) {
+ packSize = MIN(USB_CMD_DATA_SIZE, packLen);
+ LED_B_ON();
+ cmd_send(CMD_ACK, 77, 0, packSize, nonces - packLen, packSize);
+ LED_B_OFF();
+
+ packLen -= packSize;
+ packNum++;
+ }
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+}
+
+//
 // DESFIRE
 //
diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c
index 979e2f39..e7632c96 100644
--- a/armsrc/mifaredesfire.c
+++ b/armsrc/mifaredesfire.c
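Review bot: `nonces[i*4] = bytes_to_num(response, 4);` stores a 32-bit value into one `uint8_t`, so only the low byte of each nonce survives and the other three slots of every 4-byte group are never written; `memcpy(nonces + i*4, response, 4)` keeps the nonce intact. In the send loop `nonces - packLen` points before the allocation on the first pass and never inside it, so the host receives whatever lies below the BigBuf chunk instead of the nonces — an out-of-bounds read that ships device memory over USB; walk forward with an offset instead. `iterations` is taken unchecked from the host as `arg0`, so `iterations * 4` can wrap or exceed what `BigBuf_malloc` can serve (if it signals exhaustion by returning NULL, that return is written to without a check), and because `break`/`continue` leave unwritten gaps only the nonces actually collected should be sent, with the count in the ACK rather than the literal `77`. `packNum` is incremented but never used, `arg1` is never read, and the `};` after the select-card block is a stray empty statement; a rewrite of the storage, the bound check and the send loop follows.
```c
	// cap the host-supplied count before sizing the buffer so iterations * 4 cannot wrap
	if (iterations > MAX_COLLECT_NONCES /* placeholder: BigBuf capacity / 4 */)
		iterations = MAX_COLLECT_NONCES;
	uint8_t *nonces = BigBuf_malloc(iterations * 4);
	if (nonces == NULL) {
		if (MF_DBGLEVEL >= 1) Dbprintf("BigBuf_malloc failed");
		cmd_send(CMD_ACK, 0, 0, 0, 0, 0);   // tell the host nothing was collected
		return;
	}
	// … unchanged: LEDs, clear_trace, set_tracing, iso14443a_setup …

	uint32_t collected = 0;
	for (uint32_t i = 0; i < iterations; i++) {
		// … unchanged: WDT_HIT, BUTTON_PRESS, select, ReaderTransmit, ReaderReceive …
		memcpy(nonces + collected * 4, response, 4);   // keep all four nonce bytes
		collected++;
	}

	// send only what was collected, walking forward; always send at least one ACK
	uint32_t packLen = collected * 4;
	uint32_t offset = 0;
	do {
		uint32_t packSize = MIN(USB_CMD_DATA_SIZE, packLen);
		LED_B_ON();
		cmd_send(CMD_ACK, collected, offset, packSize, nonces + offset, packSize);
		LED_B_OFF();
		offset += packSize;
		packLen -= packSize;
	} while (packLen > 0);
	// … unchanged: FpgaWriteConfWord, LEDsoff …
```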
@@ -433,7 +433,7 @@ int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout){
 size_t len = 0;
 size_t wrappedLen = 0;
- uint8_t wCmd[USB_CMD_DATA_SIZE] = {0};
+ uint8_t wCmd[USB_CMD_DATA_SIZE] = {0x00};
 uint8_t resp[MAX_FRAME_SIZE];
 uint8_t par[MAX_PARITY_SIZE];
diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c
index 8fa5e498..987a858c 100644
--- a/armsrc/mifareutil.c
+++ b/armsrc/mifareutil.c
@@ -365,9 +365,9 @@ int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t bl
 { // variables
 uint16_t len, i;
- uint32_t pos;
- uint8_t par[3] = {0}; // enough for 18 Bytes to send
- byte_t res;
+ uint32_t pos = 0;
+ uint8_t par[3] = {0x00}; // enough for 18 Bytes to send
+ byte_t res = 0;
 uint8_t d_block[18], d_block_enc[18];
 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
diff --git a/include/usb_cmd.h b/include/usb_cmd.h
index 74d494c2..d61a2558 100644
--- a/include/usb_cmd.h
+++ b/include/usb_cmd.h
@@ -193,6 +193,8 @@ typedef struct{
 #define CMD_MIFARE_DESFIRE_INFO 0x072d
 #define CMD_MIFARE_DESFIRE 0x072e
+#define CMD_MIFARE_COLLECT_NONCES 0x072f
+
 #define CMD_UNKNOWN 0xFFFF
-- 2.39.5
From 11b1e2e506dec11aba29116e2fb926b497b6d87b Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sun, 26 Apr 2015 18:03:21 +0200
Subject: [PATCH 13/16] ADD: "HF 14A READ", got ULTRALIGHT C / EV1 annotation

---
 client/cmdhf.c | 21 ++++++++++++++++++++-
 common/protocols.h | 14 ++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/client/cmdhf.c b/client/cmdhf.c
index b4d3e531..65cc1c18 100644
--- a/client/cmdhf.c
+++ b/client/cmdhf.c
@@ -73,11 +73,30 @@ void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
 case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break;
 case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break;
 case MIFARE_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break;
- case MIFARE_AUTH_KEYA: snprintf(exp,size,"AUTH-A(%d)",cmd[1]); break;
+ case MIFARE_AUTH_KEYA:{
+ if ( cmdsize > 3)
+ snprintf(exp,size,"AUTH-A(%d)",cmd[1]);
+ else
+ // case MIFARE_ULEV1_VERS : both 0x60.
+ snprintf(exp,size,"EV1 VERSION");
+ break;
+ }
 case MIFARE_AUTH_KEYB: snprintf(exp,size,"AUTH-B(%d)",cmd[1]); break;
 case MIFARE_MAGICWUPC1: snprintf(exp,size,"MAGIC WUPC1"); break;
 case MIFARE_MAGICWUPC2: snprintf(exp,size,"MAGIC WUPC2"); break;
 case MIFARE_MAGICWIPEC: snprintf(exp,size,"MAGIC WIPEC"); break;
+ case MIFARE_ULC_AUTH_1 : snprintf(exp,size,"AUTH "); break;
+ case MIFARE_ULC_AUTH_2 : snprintf(exp,size,"AUTH_ANSW"); break;
+ case MIFARE_ULEV1_AUTH : snprintf(exp,size,"PWD-AUTH"); break;
+
+ case MIFARE_ULEV1_FASTREAD : snprintf(exp,size,"READ RANGE (%d-%d)",cmd[1],cmd[2]); break;
+ case MIFARE_ULEV1_WRITE : snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break;
+ case MIFARE_ULEV1_READ_CNT : snprintf(exp,size,"READ CNT(%d)",cmd[1]); break;
+ case MIFARE_ULEV1_INCR_CNT : snprintf(exp,size,"INC(%d)",cmd[1]); break;
+ case MIFARE_ULEV1_READSIG : snprintf(exp,size,"READ_SIG"); break;
+ case MIFARE_ULEV1_CHECKTEAR : snprintf(exp,size,"CHK_TEARING(%d)",cmd[1]); break;
+ case MIFARE_ULEV1_VCSL : snprintf(exp,size,"VCSL"); break;
+
 default: snprintf(exp,size,"?"); break;
 }
 return;
diff --git a/common/protocols.h b/common/protocols.h
index 3cdf79f9..c3591804 100644
--- a/common/protocols.h
+++ b/common/protocols.h
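Review bot: The new `MIFARE_ULEV1_FASTREAD` case reads `cmd[2]`, and the other new cases read `cmd[1]`, without the `cmdsize` guard the `MIFARE_AUTH_KEYA` case just gained, so a short frame in the trace — which holds whatever was captured on the air, not trusted input — is read past its end; the existing cases already do this for `cmd[1]`, but FASTREAD reaches one byte further. A per-case guard such as `case MIFARE_ULEV1_FASTREAD : if (cmdsize > 2) snprintf(exp,size,"READ RANGE (%d-%d)",cmd[1],cmd[2]); else snprintf(exp,size,"READ RANGE"); break;` keeps the annotator inside the frame. The `cmdsize > 3` test that separates AUTH-A from GET_VERSION relies on frame lengths it never states, and the comment placed between `else` and its statement is easy to misread; move it above the `if` and make it explicit, e.g. `// 0x60 is both AUTH-A (cmd, block, crc: 4 bytes) and EV1 GET_VERSION (cmd, crc: 3 bytes); tell them apart by length`. annotateIso14443a starts and ends outside this hunk.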
@@ -123,9 +123,19 @@ NXP/Philips CUSTOM COMMANDS
 #define MIFARE_CMD_RESTORE 0xC2
 #define MIFARE_CMD_TRANSFER 0xB0
-#define MIFARE_ULC_WRITE 0xA0
+//#define MIFARE_ULC_WRITE 0xA0
 #define MIFARE_ULC_AUTH_1 0x1A
-#define MIFARE_ULC_AUTH_2 0xAF
+#define MIFARE_ULC_AUTH_2 0xAF
+#define MIFARE_ULEV1_AUTH 0x1B
+#define MIFARE_ULEV1_VERS 0x60
+#define MIFARE_ULEV1_FASTREAD 0x3A
+#define MIFARE_ULEV1_WRITE 0xA2
+//#define MIFARE_ULEV1_COMP_WRITE 0xA0
+#define MIFARE_ULEV1_READ_CNT 0x39
+#define MIFARE_ULEV1_INCR_CNT 0xA5
+#define MIFARE_ULEV1_READSIG 0x3C
+#define MIFARE_ULEV1_CHECKTEAR 0x3E
+#define MIFARE_ULEV1_VCSL 0x4B
 /**
 06 00 = INITIATE
-- 2.39.5
From c309eca94aa9ed5030d38f01250af863ea2a3c8c Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sun, 26 Apr 2015 18:03:57 +0200
Subject: [PATCH 14/16] CHG: added some linebreaks for the help output in LF.

---
 client/cmdlf.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/client/cmdlf.c b/client/cmdlf.c
index e4fadadc..7c5d273f 100644
--- a/client/cmdlf.c
+++ b/client/cmdlf.c
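Review bot: `MIFARE_ULEV1_VERS 0x60` shares its value with `MIFARE_AUTH_KEYA`, and the commented-out `MIFARE_ULC_WRITE` and `MIFARE_ULEV1_COMP_WRITE` both sit on 0xA0, but nothing at the definitions says so; the cmdhf.c hunk resolves the 0x60 clash by frame length, and a reader of this header has no way to know that. A comment on each shared opcode, e.g. `// same opcode as MIFARE_AUTH_KEYA; annotateIso14443a tells them apart by frame length`, keeps the next person from adding a second `case` that the compiler rejects as a duplicate value. If `MIFARE_ULC_WRITE` still has users elsewhere, commenting it out breaks their build; check before removal or keep it as an alias of the EV1 name.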
@@ -1160,18 +1160,18 @@ static command_t CommandTable[] =
 {"config", CmdLFSetConfig, 0, "Set config for LF sampling, bit/sample, decimation, frequency"},
- {"cmdread", CmdLFCommandRead, 0, " <'0' period> <'1' period> ['h'] -- Modulate LF reader field to send command before read (all periods in microseconds) (option 'h' for 134)"},
+ {"cmdread", CmdLFCommandRead, 0, " <'0' period> <'1' period> ['h' 134] \n\t\t-- Modulate LF reader field to send command before read (all periods in microseconds)"},
 {"flexdemod", CmdFlexdemod, 1, "Demodulate samples for FlexPass"},
 {"indalademod", CmdIndalaDemod, 1, "['224'] -- Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)"},
 {"indalaclone", CmdIndalaClone, 0, " ['l']-- Clone Indala to T55x7 (tag must be in antenna)(UID in HEX)(option 'l' for 224 UID"},
 {"read", CmdLFRead, 0, "['s' silent] Read 125/134 kHz LF ID-only tag. Do 'lf read h' for help"},
- {"search", CmdLFfind, 1, "[offline] ['u'] Read and Search for valid known tag (in offline mode it you can load first then search) - 'u' to search for unknown tags"},
+ {"search", CmdLFfind, 1, "[offline] ['u'] Read and Search for valid known tag (in offline mode it you can load first then search) \n\t\t- 'u' to search for unknown tags"},
 {"sim", CmdLFSim, 0, "[GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)"},
- {"simask", CmdLFaskSim, 0, "[clock] [invert <1|0>] [manchester/raw <'m'|'r'>] [msg separator 's'] [d ] -- Simulate LF ASK tag from demodbuffer or input"},
- {"simfsk", CmdLFfskSim, 0, "[c ] [i] [H ] [L ] [d ] -- Simulate LF FSK tag from demodbuffer or input"},
- {"simpsk", CmdLFpskSim, 0, "[1|2|3] [c ] [i] [r ] [d ] -- Simulate LF PSK tag from demodbuffer or input"},
+ {"simask", CmdLFaskSim, 0, "[clock] [invert <1|0>] [manchester/raw <'m'|'r'>] [msg separator 's'] [d ] \n\t\t-- Simulate LF ASK tag from demodbuffer or input"},
+ {"simfsk", CmdLFfskSim, 0, "[c ] [i] [H ] [L ] [d ] \n\t\t-- Simulate LF FSK tag from demodbuffer or input"},
+ {"simpsk", CmdLFpskSim, 0, "[1|2|3] [c ] [i] [r ] [d ] \n\t\t-- Simulate LF PSK tag from demodbuffer or input"},
 {"simbidir", CmdLFSimBidir, 0, "Simulate LF tag (with bidirectional data transmission between reader and tag)"},
- {"snoop", CmdLFSnoop, 0, "['l'|'h'|] [trigger threshold]-- Snoop LF (l:125khz, h:134khz)"},
+ {"snoop", CmdLFSnoop, 0, "['l'|'h'|] [trigger threshold] -- Snoop LF (l:125khz, h:134khz)"},
 {"vchdemod", CmdVchDemod, 1, "['clone'] -- Demodulate samples for VeriChip"},
 {NULL, NULL, 0, NULL}
 };
-- 2.39.5
From 984f95710584d8e983ac723f3c032f166ec96ef9 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sun, 26 Apr 2015 18:05:06 +0200
Subject: [PATCH 15/16] ADD: some more default keys.

---
 client/default_keys.dic | 13 ++++++++++++-
 client/lualibs/mf_default_keys.lua | 8 +++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/client/default_keys.dic b/client/default_keys.dic
index 5c277300..9c501417 100644
--- a/client/default_keys.dic
+++ b/client/default_keys.dic
@@ -11,7 +11,7 @@ d3f7d3f7d3f7,
 587ee5f9350f,
 a0478cc39091,
 533cb6c723f6,
-8fd0a4f256e9
+8fd0a4f256e9,
 # more Keys from mf_default_keys.lua
 000000000001,
 000000000002,
@@ -42,6 +42,7 @@ a0478cc39091,
 47524f555041,--RKFJOJOGROUPKeyA
 47524f555042,--RKFJOJOGROUPKeyB
 4AF9D7ADEBE4,--DirectoryandeventlogKeyA
+4b0b20107ccb,--TNP3xxx
 505249564141,--RKFJOJOPRIVAKeyA
 505249564142,--RKFJOJOPRIVAKeyB
 505249565441,
@@ -49,14 +50,19 @@ a0478cc39091,
 54726176656c,--VästtrafikenKeyA
 555555555555,
 55f5a5dd38c9,
+569369c5a0e5,--kiev
 5c598c9c58b5,--RKFSLKeyB
+632193be1c3c,--kiev
+644672bd4afe,--kiev
 666666666666,
 722bfcc5375f,--RKFRejskortDanmarkKeyA
 776974687573,--VästtrafikenKeyB
 777777777777,
 888888888888,
+8fe644038790,--kiev
 999999999999,
 99c636334433,
+9de89e070277,--kiev
 a00000000000,
 a053a292a4af,
 a64598a77478,--RKFSLKeyA
@@ -65,6 +71,7 @@ aaaaaaaaaaaa,
 abcdef123456,--Keyfromladyada.net
 b00000000000,
 b127c6f41436,
+b5ff67cba951,--kiev
 bbbbbbbbbbbb,
 bd493a3962b6,
 c934fe34d934,
@@ -73,7 +80,11 @@ dddddddddddd,
 e4d2770a89be,--RKFSLKeyB
 ee0042f88840,--VästtrafikenKeyB
 eeeeeeeeeeee,
+eff603e1efe9,--kiev
+f14ee7cae863,--kiev
 f1a97341a9fc,
 f1d83f964314,--RKFRejskortDanmarkKeyB
 fc00018778f7,--VästtrafikenKeyA
 fc0001877bf7,--RKFÖstgötaTrafikenKeyA
+44ab09010845,-- hotel system
+85fed980ea5a,-- hotel system
\ No newline at end of file
diff --git a/client/lualibs/mf_default_keys.lua b/client/lualibs/mf_default_keys.lua
index 810f0d6e..b5b7fff6 100644
--- a/client/lualibs/mf_default_keys.lua
+++ b/client/lualibs/mf_default_keys.lua
@@ -157,8 +157,14 @@ local _keys = {
 '9de89e070277',
 'eff603e1efe9',
 '644672bd4afe',
- 'b5ff67cba951',
+
+ --[[
+ hotel system cards,
+ http://www.proxmark.org/forum/viewtopic.php?id=2430
+ --]]
+ '44ab09010845',
+ '85fed980ea5a',
 }
 ---
-- 2.39.5
From fab0b3796869fa87369ec3f801c123c58ee11248 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sun, 26 Apr 2015 18:05:45 +0200
Subject: [PATCH 16/16] CHG: removed linebreak in string.

---
 client/cmdhfmf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index b96c9c1a..0cf5bd7f 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -781,8 +781,8 @@ int CmdHF14AMfChk(const char *Cmd)
 PrintAndLog("Usage: hf mf chk |<*card memory> [t|d] [] []");
 PrintAndLog(" * - all sectors");
 PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K");
- PrintAndLog("d - write keys to binary file\n");
- PrintAndLog("t - write keys to emulator memory");
+ PrintAndLog("d - write keys to binary file");
+ PrintAndLog("t - write keys to emulator memory\n");
 PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic");
 PrintAndLog(" hf mf chk *1 ? t");
 PrintAndLog(" hf mf chk *1 ? d");
-- 2.39.5
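Review bot: `'b5ff67cba951'` is removed from `_keys` in mf_default_keys.lua while the same commit adds it to default_keys.dic as a `kiev` key (the `@@ -65,6 +71,7 @@` hunk of the previous file), so the Lua table and the dictionary file now disagree on one key; the commit message only speaks of adding keys, so this looks like an accidental deletion. Unless it was intended, keep `'b5ff67cba951',` and add the two hotel keys after it, so that both key sources stay in step. On the .dic side the hotel keys are appended after the `fc…` entries rather than in the hex order the rest of the file keeps, and the file loses its trailing newline, which the `\ No newline at end of file` marker records. `_keys` starts outside this hunk.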