]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhfmf.c
projects / proxmark3-svn / blob
? search:


54c5fc87788192c3ad7936e1de36bc818ce17435
[proxmark3-svn] / client / cmdhfmf.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2011,2012 Merlok
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency MIFARE commands
9 //-----------------------------------------------------------------------------
10
11 #include <inttypes.h>
12 #include "cmdhfmf.h"
13 #include "./nonce2key/nonce2key.h"
14
15 static int CmdHelp(const char *Cmd);
16
17 int CmdHF14AMifare(const char *Cmd)
18 {
19 uint32_t uid = 0;
20 uint32_t nt = 0, nr = 0;
21 uint64_t par_list = 0, ks_list = 0, r_key = 0;
22 int16_t isOK = 0;
23
24 UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};
25
26 // message
27 printf("-------------------------------------------------------------------------\n");
28 printf("Executing command. Expected execution time: 25sec on average :-)\n");
29 printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");
30 printf("-------------------------------------------------------------------------\n");
31
32
33 start:
34 clearCommandBuffer();
35 SendCommand(&c);
36
37 //flush queue
38 while (ukbhit()) getchar();
39
40 // wait cycle
41 while (true) {
42 printf(".");
43 fflush(stdout);
44 if (ukbhit()) {
45 getchar();
46 printf("\naborted via keyboard!\n");
47 break;
48 }
49
50 UsbCommand resp;
51 if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
52 isOK = resp.arg[0];
53 uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);
54 nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);
55 par_list = bytes_to_num(resp.d.asBytes + 8, 8);
56 ks_list = bytes_to_num(resp.d.asBytes + 16, 8);
57 nr = bytes_to_num(resp.d.asBytes + 24, 4);
58 printf("\n\n");
59 switch (isOK) {
60 case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;
61 case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;
62 case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;
63 case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
64 PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;
65 default: ;
66 }
67 break;
68 }
69 }
70
71 printf("\n");
72
73 // error
74 if (isOK != 1) return 1;
75
76 // execute original function from util nonce2key
77 if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {
78 isOK = 2;
79 PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);
80 PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");
81 c.arg[0] = false;
82 goto start;
83 } else {
84 isOK = 0;
85 printf("------------------------------------------------------------------\n");
86 PrintAndLog("Found valid key:%012" PRIx64 " \n", r_key);
87 }
88
89 PrintAndLog("");
90 return 0;
91 }
92
93 int CmdHF14AMfWrBl(const char *Cmd)
94 {
95 uint8_t blockNo = 0;
96 uint8_t keyType = 0;
97 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
98 uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
99
100 char cmdp = 0x00;
101
102 if (strlen(Cmd)<3) {
103 PrintAndLog("Usage: hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
104 PrintAndLog(" sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
105 return 0;
106 }
107
108 blockNo = param_get8(Cmd, 0);
109 cmdp = param_getchar(Cmd, 1);
110 if (cmdp == 0x00) {
111 PrintAndLog("Key type must be A or B");
112 return 1;
113 }
114 if (cmdp != 'A' && cmdp != 'a') keyType = 1;
115 if (param_gethex(Cmd, 2, key, 12)) {
116 PrintAndLog("Key must include 12 HEX symbols");
117 return 1;
118 }
119 if (param_gethex(Cmd, 3, bldata, 32)) {
120 PrintAndLog("Block data must include 32 HEX symbols");
121 return 1;
122 }
123 PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
124 PrintAndLog("--data: %s", sprint_hex(bldata, 16));
125
126 UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
127 memcpy(c.d.asBytes, key, 6);
128 memcpy(c.d.asBytes + 10, bldata, 16);
129 SendCommand(&c);
130
131 UsbCommand resp;
132 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
133 uint8_t isOK = resp.arg[0] & 0xff;
134 PrintAndLog("isOk:%02x", isOK);
135 } else {
136 PrintAndLog("Command execute timeout");
137 }
138
139 return 0;
140 }
141
142 int CmdHF14AMfRdBl(const char *Cmd)
143 {
144 uint8_t blockNo = 0;
145 uint8_t keyType = 0;
146 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
147
148 char cmdp = 0x00;
149
150
151 if (strlen(Cmd)<3) {
152 PrintAndLog("Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>");
153 PrintAndLog(" sample: hf mf rdbl 0 A FFFFFFFFFFFF ");
154 return 0;
155 }
156
157 blockNo = param_get8(Cmd, 0);
158 cmdp = param_getchar(Cmd, 1);
159 if (cmdp == 0x00) {
160 PrintAndLog("Key type must be A or B");
161 return 1;
162 }
163 if (cmdp != 'A' && cmdp != 'a') keyType = 1;
164 if (param_gethex(Cmd, 2, key, 12)) {
165 PrintAndLog("Key must include 12 HEX symbols");
166 return 1;
167 }
168 PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6));
169
170 UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
171 memcpy(c.d.asBytes, key, 6);
172 SendCommand(&c);
173
174 UsbCommand resp;
175 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
176 uint8_t isOK = resp.arg[0] & 0xff;
177 uint8_t *data = resp.d.asBytes;
178
179 if (isOK)
180 PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
181 else
182 PrintAndLog("isOk:%02x", isOK);
183 } else {
184 PrintAndLog("Command execute timeout");
185 }
186
187 return 0;
188 }
189
190 int CmdHF14AMfRdSc(const char *Cmd)
191 {
192 int i;
193 uint8_t sectorNo = 0;
194 uint8_t keyType = 0;
195 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
196 uint8_t isOK = 0;
197 uint8_t *data = NULL;
198 char cmdp = 0x00;
199
200 if (strlen(Cmd)<3) {
201 PrintAndLog("Usage: hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>");
202 PrintAndLog(" sample: hf mf rdsc 0 A FFFFFFFFFFFF ");
203 return 0;
204 }
205
206 sectorNo = param_get8(Cmd, 0);
207 if (sectorNo > 39) {
208 PrintAndLog("Sector number must be less than 40");
209 return 1;
210 }
211 cmdp = param_getchar(Cmd, 1);
212 if (cmdp != 'a' && cmdp != 'A' && cmdp != 'b' && cmdp != 'B') {
213 PrintAndLog("Key type must be A or B");
214 return 1;
215 }
216 if (cmdp != 'A' && cmdp != 'a') keyType = 1;
217 if (param_gethex(Cmd, 2, key, 12)) {
218 PrintAndLog("Key must include 12 HEX symbols");
219 return 1;
220 }
221 PrintAndLog("--sector no:%d key type:%c key:%s ", sectorNo, keyType?'B':'A', sprint_hex(key, 6));
222
223 UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};
224 memcpy(c.d.asBytes, key, 6);
225 SendCommand(&c);
226 PrintAndLog(" ");
227
228 UsbCommand resp;
229 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
230 isOK = resp.arg[0] & 0xff;
231 data = resp.d.asBytes;
232
233 PrintAndLog("isOk:%02x", isOK);
234 if (isOK) {
235 for (i = 0; i < (sectorNo<32?3:15); i++) {
236 PrintAndLog("data : %s", sprint_hex(data + i * 16, 16));
237 }
238 PrintAndLog("trailer: %s", sprint_hex(data + (sectorNo<32?3:15) * 16, 16));
239 }
240 } else {
241 PrintAndLog("Command execute timeout");
242 }
243
244 return 0;
245 }
246
247 uint8_t FirstBlockOfSector(uint8_t sectorNo)
248 {
249 if (sectorNo < 32) {
250 return sectorNo * 4;
251 } else {
252 return 32 * 4 + (sectorNo - 32) * 16;
253 }
254 }
255
256 uint8_t NumBlocksPerSector(uint8_t sectorNo)
257 {
258 if (sectorNo < 32) {
259 return 4;
260 } else {
261 return 16;
262 }
263 }
264
265 int CmdHF14AMfDump(const char *Cmd)
266 {
267 uint8_t sectorNo, blockNo;
268
269 uint8_t keyA[40][6];
270 uint8_t keyB[40][6];
271 uint8_t rights[40][4];
272 uint8_t carddata[256][16];
273 uint8_t numSectors = 16;
274
275 FILE *fin;
276 FILE *fout;
277
278 UsbCommand resp;
279
280 char cmdp = param_getchar(Cmd, 0);
281 switch (cmdp) {
282 case '0' : numSectors = 5; break;
283 case '1' :
284 case '\0': numSectors = 16; break;
285 case '2' : numSectors = 32; break;
286 case '4' : numSectors = 40; break;
287 default: numSectors = 16;
288 }
289
290 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {
291 PrintAndLog("Usage: hf mf dump [card memory]");
292 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
293 PrintAndLog("");
294 PrintAndLog("Samples: hf mf dump");
295 PrintAndLog(" hf mf dump 4");
296 return 0;
297 }
298
299 if ((fin = fopen("dumpkeys.bin","rb")) == NULL) {
300 PrintAndLog("Could not find file dumpkeys.bin");
301 return 1;
302 }
303
304 // Read keys A from file
305 for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
306 if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {
307 PrintAndLog("File reading error.");
308 fclose(fin);
309 return 2;
310 }
311 }
312
313 // Read keys B from file
314 for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
315 if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {
316 PrintAndLog("File reading error.");
317 fclose(fin);
318 return 2;
319 }
320 }
321
322 fclose(fin);
323
324 PrintAndLog("|-----------------------------------------|");
325 PrintAndLog("|------ Reading sector access bits...-----|");
326 PrintAndLog("|-----------------------------------------|");
327
328 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
329 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};
330 memcpy(c.d.asBytes, keyA[sectorNo], 6);
331 SendCommand(&c);
332
333 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
334 uint8_t isOK = resp.arg[0] & 0xff;
335 uint8_t *data = resp.d.asBytes;
336 if (isOK){
337 rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0
338 rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1
339 rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2
340 rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer
341 } else {
342 PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);
343 rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
344 rights[sectorNo][3] = 0x01;
345 }
346 } else {
347 PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);
348 rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
349 rights[sectorNo][3] = 0x01;
350 }
351 }
352
353 PrintAndLog("|-----------------------------------------|");
354 PrintAndLog("|----- Dumping all blocks to file... -----|");
355 PrintAndLog("|-----------------------------------------|");
356
357 bool isOK = true;
358 for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
359 for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
360 bool received = false;
361
362 if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A.
363 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
364 memcpy(c.d.asBytes, keyA[sectorNo], 6);
365 SendCommand(&c);
366 received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
367 } else { // data block. Check if it can be read with key A or key B
368 uint8_t data_area = sectorNo<32?blockNo:blockNo/5;
369 if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work
370 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};
371 memcpy(c.d.asBytes, keyB[sectorNo], 6);
372 SendCommand(&c);
373 received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
374 } else if (rights[sectorNo][data_area] == 0x07) { // no key would work
375 isOK = false;
376 PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);
377 } else { // key A would work
378 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
379 memcpy(c.d.asBytes, keyA[sectorNo], 6);
380 SendCommand(&c);
381 received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
382 }
383 }
384
385 if (received) {
386 isOK = resp.arg[0] & 0xff;
387 uint8_t *data = resp.d.asBytes;
388 if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. Fill in the keys.
389 data[0] = (keyA[sectorNo][0]);
390 data[1] = (keyA[sectorNo][1]);
391 data[2] = (keyA[sectorNo][2]);
392 data[3] = (keyA[sectorNo][3]);
393 data[4] = (keyA[sectorNo][4]);
394 data[5] = (keyA[sectorNo][5]);
395 data[10] = (keyB[sectorNo][0]);
396 data[11] = (keyB[sectorNo][1]);
397 data[12] = (keyB[sectorNo][2]);
398 data[13] = (keyB[sectorNo][3]);
399 data[14] = (keyB[sectorNo][4]);
400 data[15] = (keyB[sectorNo][5]);
401 }
402 if (isOK) {
403 memcpy(carddata[FirstBlockOfSector(sectorNo) + blockNo], data, 16);
404 PrintAndLog("Successfully read block %2d of sector %2d.", blockNo, sectorNo);
405 } else {
406 PrintAndLog("Could not read block %2d of sector %2d", blockNo, sectorNo);
407 break;
408 }
409 }
410 else {
411 isOK = false;
412 PrintAndLog("Command execute timeout when trying to read block %2d of sector %2d.", blockNo, sectorNo);
413 break;
414 }
415 }
416 }
417
418 if (isOK) {
419 if ((fout = fopen("dumpdata.bin","wb")) == NULL) {
420 PrintAndLog("Could not create file name dumpdata.bin");
421 return 1;
422 }
423 uint16_t numblocks = FirstBlockOfSector(numSectors - 1) + NumBlocksPerSector(numSectors - 1);
424 fwrite(carddata, 1, 16*numblocks, fout);
425 fclose(fout);
426 PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks);
427 }
428
429 return 0;
430 }
431
432 int CmdHF14AMfRestore(const char *Cmd)
433 {
434 uint8_t sectorNo,blockNo;
435 uint8_t keyType = 0;
436 uint8_t key[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
437 uint8_t bldata[16] = {0x00};
438 uint8_t keyA[40][6];
439 uint8_t keyB[40][6];
440 uint8_t numSectors;
441
442 FILE *fdump;
443 FILE *fkeys;
444
445 char cmdp = param_getchar(Cmd, 0);
446 switch (cmdp) {
447 case '0' : numSectors = 5; break;
448 case '1' :
449 case '\0': numSectors = 16; break;
450 case '2' : numSectors = 32; break;
451 case '4' : numSectors = 40; break;
452 default: numSectors = 16;
453 }
454
455 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {
456 PrintAndLog("Usage: hf mf restore [card memory]");
457 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
458 PrintAndLog("");
459 PrintAndLog("Samples: hf mf restore");
460 PrintAndLog(" hf mf restore 4");
461 return 0;
462 }
463
464 if ((fkeys = fopen("dumpkeys.bin","rb")) == NULL) {
465 PrintAndLog("Could not find file dumpkeys.bin");
466 return 1;
467 }
468
469 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
470 if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {
471 PrintAndLog("File reading error (dumpkeys.bin).");
472
473 fclose(fkeys);
474 return 2;
475 }
476 }
477
478 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
479 if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {
480 PrintAndLog("File reading error (dumpkeys.bin).");
481 fclose(fkeys);
482 return 2;
483 }
484 }
485
486 fclose(fkeys);
487
488 if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {
489 PrintAndLog("Could not find file dumpdata.bin");
490 return 1;
491 }
492 PrintAndLog("Restoring dumpdata.bin to card");
493
494 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
495 for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
496 UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};
497 memcpy(c.d.asBytes, key, 6);
498
499 if (fread(bldata, 1, 16, fdump) == 0) {
500 PrintAndLog("File reading error (dumpdata.bin).");
501 fclose(fdump);
502 return 2;
503 }
504
505 if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer
506 bldata[0] = (keyA[sectorNo][0]);
507 bldata[1] = (keyA[sectorNo][1]);
508 bldata[2] = (keyA[sectorNo][2]);
509 bldata[3] = (keyA[sectorNo][3]);
510 bldata[4] = (keyA[sectorNo][4]);
511 bldata[5] = (keyA[sectorNo][5]);
512 bldata[10] = (keyB[sectorNo][0]);
513 bldata[11] = (keyB[sectorNo][1]);
514 bldata[12] = (keyB[sectorNo][2]);
515 bldata[13] = (keyB[sectorNo][3]);
516 bldata[14] = (keyB[sectorNo][4]);
517 bldata[15] = (keyB[sectorNo][5]);
518 }
519
520 PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16));
521
522 memcpy(c.d.asBytes + 10, bldata, 16);
523 SendCommand(&c);
524
525 UsbCommand resp;
526 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
527 uint8_t isOK = resp.arg[0] & 0xff;
528 PrintAndLog("isOk:%02x", isOK);
529 } else {
530 PrintAndLog("Command execute timeout");
531 }
532 }
533 }
534
535 fclose(fdump);
536 return 0;
537 }
538
539 int CmdHF14AMfNested(const char *Cmd)
540 {
541 int i, j, res, iterations;
542 sector *e_sector = NULL;
543 uint8_t blockNo = 0;
544 uint8_t keyType = 0;
545 uint8_t trgBlockNo = 0;
546 uint8_t trgKeyType = 0;
547 uint8_t SectorsCnt = 0;
548 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
549 uint8_t keyBlock[14*6];
550 uint64_t key64 = 0;
551 bool transferToEml = false;
552
553 bool createDumpFile = false;
554 FILE *fkeys;
555 uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
556 uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
557
558 char cmdp, ctmp;
559
560 if (strlen(Cmd)<3) {
561 PrintAndLog("Usage:");
562 PrintAndLog(" all sectors: hf mf nested <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]");
563 PrintAndLog(" one sector: hf mf nested o <block number> <key A/B> <key (12 hex symbols)>");
564 PrintAndLog(" <target block number> <target key A/B> [t]");
565 PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");
566 PrintAndLog("t - transfer keys into emulator memory");
567 PrintAndLog("d - write keys to binary file");
568 PrintAndLog(" ");
569 PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");
570 PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");
571 PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");
572 PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");
573 return 0;
574 }
575
576 cmdp = param_getchar(Cmd, 0);
577 blockNo = param_get8(Cmd, 1);
578 ctmp = param_getchar(Cmd, 2);
579
580 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
581 PrintAndLog("Key type must be A or B");
582 return 1;
583 }
584
585 if (ctmp != 'A' && ctmp != 'a')
586 keyType = 1;
587
588 if (param_gethex(Cmd, 3, key, 12)) {
589 PrintAndLog("Key must include 12 HEX symbols");
590 return 1;
591 }
592
593 if (cmdp == 'o' || cmdp == 'O') {
594 cmdp = 'o';
595 trgBlockNo = param_get8(Cmd, 4);
596 ctmp = param_getchar(Cmd, 5);
597 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
598 PrintAndLog("Target key type must be A or B");
599 return 1;
600 }
601 if (ctmp != 'A' && ctmp != 'a')
602 trgKeyType = 1;
603 } else {
604
605 switch (cmdp) {
606 case '0': SectorsCnt = 05; break;
607 case '1': SectorsCnt = 16; break;
608 case '2': SectorsCnt = 32; break;
609 case '4': SectorsCnt = 40; break;
610 default: SectorsCnt = 16;
611 }
612 }
613
614 ctmp = param_getchar(Cmd, 4);
615 if (ctmp == 't' || ctmp == 'T') transferToEml = true;
616 else if (ctmp == 'd' || ctmp == 'D') createDumpFile = true;
617
618 ctmp = param_getchar(Cmd, 6);
619 transferToEml |= (ctmp == 't' || ctmp == 'T');
620 transferToEml |= (ctmp == 'd' || ctmp == 'D');
621
622 if (cmdp == 'o') {
623 PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');
624 int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);
625 if (isOK) {
626 switch (isOK) {
627 case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
628 case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
629 case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
630 default : PrintAndLog("Unknown Error.\n");
631 }
632 return 2;
633 }
634 key64 = bytes_to_num(keyBlock, 6);
635 if (key64) {
636 PrintAndLog("Found valid key:%012" PRIx64, key64);
637
638 // transfer key to the emulator
639 if (transferToEml) {
640 uint8_t sectortrailer;
641 if (trgBlockNo < 32*4) { // 4 block sector
642 sectortrailer = (trgBlockNo & 0x03) + 3;
643 } else { // 16 block sector
644 sectortrailer = (trgBlockNo & 0x0f) + 15;
645 }
646 mfEmlGetMem(keyBlock, sectortrailer, 1);
647
648 if (!trgKeyType)
649 num_to_bytes(key64, 6, keyBlock);
650 else
651 num_to_bytes(key64, 6, &keyBlock[10]);
652 mfEmlSetMem(keyBlock, sectortrailer, 1);
653 }
654 } else {
655 PrintAndLog("No valid key found");
656 }
657 }
658 else { // ------------------------------------ multiple sectors working
659 clock_t time1;
660 time1 = clock();
661
662 e_sector = calloc(SectorsCnt, sizeof(sector));
663 if (e_sector == NULL) return 1;
664
665 //test current key and additional standard keys first
666 memcpy(keyBlock, key, 6);
667 num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 1 * 6));
668 num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 2 * 6));
669 num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6));
670 num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6));
671 num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));
672 num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 6 * 6));
673 num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 7 * 6));
674 num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 8 * 6));
675 num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 9 * 6));
676 num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 10 * 6));
677 num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 11 * 6));
678 num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 12 * 6));
679 num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 13 * 6));
680
681 PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);
682 for (i = 0; i < SectorsCnt; i++) {
683 for (j = 0; j < 2; j++) {
684 if (e_sector[i].foundKey[j]) continue;
685
686 res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);
687
688 if (!res) {
689 e_sector[i].Key[j] = key64;
690 e_sector[i].foundKey[j] = 1;
691 }
692 }
693 }
694
695 // nested sectors
696 iterations = 0;
697 PrintAndLog("nested...");
698 bool calibrate = true;
699 for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
700 for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
701 for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {
702 if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
703 PrintAndLog("-----------------------------------------------");
704 int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);
705 if(isOK) {
706 switch (isOK) {
707 case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
708 case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
709 case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
710 default : PrintAndLog("Unknown Error.\n");
711 }
712 free(e_sector);
713 return 2;
714 } else {
715 calibrate = false;
716 }
717
718 iterations++;
719
720 key64 = bytes_to_num(keyBlock, 6);
721 if (key64) {
722 PrintAndLog("Found valid key:%012" PRIx64, key64);
723 e_sector[sectorNo].foundKey[trgKeyType] = 1;
724 e_sector[sectorNo].Key[trgKeyType] = key64;
725 }
726 }
727 }
728 }
729
730 printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);
731
732 PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);
733 //print them
734 PrintAndLog("|---|----------------|---|----------------|---|");
735 PrintAndLog("|sec|key A |res|key B |res|");
736 PrintAndLog("|---|----------------|---|----------------|---|");
737 for (i = 0; i < SectorsCnt; i++) {
738 PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i,
739 e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
740 }
741 PrintAndLog("|---|----------------|---|----------------|---|");
742
743 // transfer them to the emulator
744 if (transferToEml) {
745 for (i = 0; i < SectorsCnt; i++) {
746 mfEmlGetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
747 if (e_sector[i].foundKey[0])
748 num_to_bytes(e_sector[i].Key[0], 6, keyBlock);
749 if (e_sector[i].foundKey[1])
750 num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]);
751 mfEmlSetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
752 }
753 }
754
755 // Create dump file
756 if (createDumpFile) {
757 if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) {
758 PrintAndLog("Could not create file dumpkeys.bin");
759 free(e_sector);
760 return 1;
761 }
762 PrintAndLog("Printing keys to binary file dumpkeys.bin...");
763 for(i=0; i<SectorsCnt; i++) {
764 if (e_sector[i].foundKey[0]){
765 num_to_bytes(e_sector[i].Key[0], 6, tempkey);
766 fwrite ( tempkey, 1, 6, fkeys );
767 }
768 else{
769 fwrite ( &standart, 1, 6, fkeys );
770 }
771 }
772 for(i=0; i<SectorsCnt; i++) {
773 if (e_sector[i].foundKey[1]){
774 num_to_bytes(e_sector[i].Key[1], 6, tempkey);
775 fwrite ( tempkey, 1, 6, fkeys );
776 }
777 else{
778 fwrite ( &standart, 1, 6, fkeys );
779 }
780 }
781 fclose(fkeys);
782 }
783
784 free(e_sector);
785 }
786 return 0;
787 }
788
789 int CmdHF14AMfChk(const char *Cmd)
790 {
791 if (strlen(Cmd)<3) {
792 PrintAndLog("Usage: hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]");
793 PrintAndLog(" * - all sectors");
794 PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");
795 PrintAndLog("d - write keys to binary file\n");
796 PrintAndLog("t - write keys to emulator memory");
797 PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic");
798 PrintAndLog(" hf mf chk *1 ? t");
799 PrintAndLog(" hf mf chk *1 ? d");
800 return 0;
801 }
802
803 FILE * f;
804 char filename[FILE_PATH_SIZE]={0};
805 char buf[13];
806 uint8_t *keyBlock = NULL, *p;
807 uint8_t stKeyBlock = 20;
808
809 int i, res;
810 int keycnt = 0;
811 char ctmp = 0x00;
812 uint8_t blockNo = 0;
813 uint8_t SectorsCnt = 1;
814 uint8_t keyType = 0;
815 uint64_t key64 = 0;
816
817 int transferToEml = 0;
818 int createDumpFile = 0;
819
820 keyBlock = calloc(stKeyBlock, 6);
821 if (keyBlock == NULL) return 1;
822
823 uint64_t defaultKeys[] =
824 {
825 0xffffffffffff, // Default key (first key used by program if no user defined key)
826 0x000000000000, // Blank key
827 0xa0a1a2a3a4a5, // NFCForum MAD key
828 0xb0b1b2b3b4b5,
829 0xaabbccddeeff,
830 0x4d3a99c351dd,
831 0x1a982c7e459a,
832 0xd3f7d3f7d3f7,
833 0x714c5c886e97,
834 0x587ee5f9350f,
835 0xa0478cc39091,
836 0x533cb6c723f6,
837 0x8fd0a4f256e9
838 };
839 int defaultKeysSize = sizeof(defaultKeys) / sizeof(uint64_t);
840
841 for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++)
842 {
843 num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
844 }
845
846 if (param_getchar(Cmd, 0)=='*') {
847 blockNo = 3;
848 switch(param_getchar(Cmd+1, 0)) {
849 case '0': SectorsCnt = 5; break;
850 case '1': SectorsCnt = 16; break;
851 case '2': SectorsCnt = 32; break;
852 case '4': SectorsCnt = 40; break;
853 default: SectorsCnt = 16;
854 }
855 }
856 else
857 blockNo = param_get8(Cmd, 0);
858
859 ctmp = param_getchar(Cmd, 1);
860 switch (ctmp) {
861 case 'a': case 'A':
862 keyType = !0;
863 break;
864 case 'b': case 'B':
865 keyType = !1;
866 break;
867 case '?':
868 keyType = 2;
869 break;
870 default:
871 PrintAndLog("Key type must be A , B or ?");
872 return 1;
873 };
874
875 ctmp = param_getchar(Cmd, 2);
876 if (ctmp == 't' || ctmp == 'T') transferToEml = 1;
877 else if (ctmp == 'd' || ctmp == 'D') createDumpFile = 1;
878
879 for (i = transferToEml || createDumpFile; param_getchar(Cmd, 2 + i); i++) {
880 if (!param_gethex(Cmd, 2 + i, keyBlock + 6 * keycnt, 12)) {
881 if ( stKeyBlock - keycnt < 2) {
882 p = realloc(keyBlock, 6*(stKeyBlock+=10));
883 if (!p) {
884 PrintAndLog("Cannot allocate memory for Keys");
885 free(keyBlock);
886 return 2;
887 }
888 keyBlock = p;
889 }
890 PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
891 (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
892 (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);
893 keycnt++;
894 } else {
895 // May be a dic file
896 if ( param_getstr(Cmd, 2 + i,filename) >= FILE_PATH_SIZE ) {
897 PrintAndLog("File name too long");
898 free(keyBlock);
899 return 2;
900 }
901
902 if ( (f = fopen( filename , "r")) ) {
903 while( fgets(buf, sizeof(buf), f) ){
904 if (strlen(buf) < 12 || buf[11] == '\n')
905 continue;
906
907 while (fgetc(f) != '\n' && !feof(f)) ; //goto next line
908
909 if( buf[0]=='#' ) continue; //The line start with # is comment, skip
910
911 if (!isxdigit(buf[0])){
912 PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);
913 continue;
914 }
915
916 buf[12] = 0;
917
918 if ( stKeyBlock - keycnt < 2) {
919 p = realloc(keyBlock, 6*(stKeyBlock+=10));
920 if (!p) {
921 PrintAndLog("Cannot allocate memory for defKeys");
922 free(keyBlock);
923 return 2;
924 }
925 keyBlock = p;
926 }
927 memset(keyBlock + 6 * keycnt, 0, 6);
928 num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);
929 PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
930 keycnt++;
931 memset(buf, 0, sizeof(buf));
932 }
933 fclose(f);
934 } else {
935 PrintAndLog("File: %s: not found or locked.", filename);
936 free(keyBlock);
937 return 1;
938
939 }
940 }
941 }
942
943 if (keycnt == 0) {
944 PrintAndLog("No key specified, trying default keys");
945 for (;keycnt < defaultKeysSize; keycnt++)
946 PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
947 (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
948 (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);
949 }
950
951 // initialize storage for found keys
952 bool validKey[2][40];
953 uint8_t foundKey[2][40][6];
954 for (uint16_t t = 0; t < 2; t++) {
955 for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
956 validKey[t][sectorNo] = false;
957 for (uint16_t i = 0; i < 6; i++) {
958 foundKey[t][sectorNo][i] = 0xff;
959 }
960 }
961 }
962
963 for ( int t = !keyType; t < 2; keyType==2?(t++):(t=2) ) {
964 int b=blockNo;
965 for (int i = 0; i < SectorsCnt; ++i) {
966 PrintAndLog("--sector:%2d, block:%3d, key type:%C, key count:%2d ", i, b, t?'B':'A', keycnt);
967 uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;
968 for (uint32_t c = 0; c < keycnt; c+=max_keys) {
969 uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;
970 res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);
971 if (res != 1) {
972 if (!res) {
973 PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);
974 num_to_bytes(key64, 6, foundKey[t][i]);
975 validKey[t][i] = true;
976 }
977 } else {
978 PrintAndLog("Command execute timeout");
979 }
980 }
981 b<127?(b+=4):(b+=16);
982 }
983 }
984
985 if (transferToEml) {
986 uint8_t block[16];
987 for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
988 if (validKey[0][sectorNo] || validKey[1][sectorNo]) {
989 mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
990 for (uint16_t t = 0; t < 2; t++) {
991 if (validKey[t][sectorNo]) {
992 memcpy(block + t*10, foundKey[t][sectorNo], 6);
993 }
994 }
995 mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
996 }
997 }
998 PrintAndLog("Found keys have been transferred to the emulator memory");
999 }
1000
1001 if (createDumpFile) {
1002 FILE *fkeys = fopen("dumpkeys.bin","wb");
1003 if (fkeys == NULL) {
1004 PrintAndLog("Could not create file dumpkeys.bin");
1005 free(keyBlock);
1006 return 1;
1007 }
1008 for (uint16_t t = 0; t < 2; t++) {
1009 fwrite(foundKey[t], 1, 6*SectorsCnt, fkeys);
1010 }
1011 fclose(fkeys);
1012 PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");
1013 }
1014
1015 free(keyBlock);
1016 PrintAndLog("");
1017 return 0;
1018 }
1019
1020 void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {
1021 #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()
1022 uint64_t key = 0;
1023 typedef struct {
1024 uint64_t keyA;
1025 uint64_t keyB;
1026 } st_t;
1027 st_t sector_trailer[ATTACK_KEY_COUNT];
1028 memset(sector_trailer, 0x00, sizeof(sector_trailer));
1029
1030 uint8_t stSector[ATTACK_KEY_COUNT];
1031 memset(stSector, 0x00, sizeof(stSector));
1032 uint8_t key_cnt[ATTACK_KEY_COUNT];
1033 memset(key_cnt, 0x00, sizeof(key_cnt));
1034
1035 for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
1036 if (ar_resp[i].ar2 > 0) {
1037 //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);
1038 if (doStandardAttack && mfkey32(ar_resp[i], &key)) {
1039 PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));
1040
1041 for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
1042 if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {
1043 if (ar_resp[i].keytype==0) {
1044 //keyA
1045 sector_trailer[ii].keyA = key;
1046 stSector[ii] = ar_resp[i].sector;
1047 key_cnt[ii]++;
1048 break;
1049 } else {
1050 //keyB
1051 sector_trailer[ii].keyB = key;
1052 stSector[ii] = ar_resp[i].sector;
1053 key_cnt[ii]++;
1054 break;
1055 }
1056 }
1057 }
1058 } else if (tryMfk32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {
1059 uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;
1060 uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;
1061
1062 PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"
1063 , keyType ? "B" : "A"
1064 , sectorNum
1065 , key
1066 );
1067
1068 for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
1069 if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {
1070 if (keyType==0) {
1071 //keyA
1072 sector_trailer[ii].keyA = key;
1073 stSector[ii] = sectorNum;
1074 key_cnt[ii]++;
1075 break;
1076 } else {
1077 //keyB
1078 sector_trailer[ii].keyB = key;
1079 stSector[ii] = sectorNum;
1080 key_cnt[ii]++;
1081 break;
1082 }
1083 }
1084 }
1085 continue;
1086 }
1087 }
1088 }
1089 //set emulator memory for keys
1090 if (setEmulatorMem) {
1091 for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
1092 if (key_cnt[i]>0) {
1093 uint8_t memBlock[16];
1094 memset(memBlock, 0x00, sizeof(memBlock));
1095 char cmd1[36];
1096 memset(cmd1,0x00,sizeof(cmd1));
1097 snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));
1098 PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);
1099 if (param_gethex(cmd1, 0, memBlock, 32)) {
1100 PrintAndLog("block data must include 32 HEX symbols");
1101 return;
1102 }
1103
1104 UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};
1105 memcpy(c.d.asBytes, memBlock, 16);
1106 clearCommandBuffer();
1107 SendCommand(&c);
1108 }
1109 }
1110 }
1111 /*
1112 //un-comment to use as well moebius attack
1113 for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {
1114 if (ar_resp[i].ar2 > 0) {
1115 if (tryMfk32_moebius(ar_resp[i], &key)) {
1116 PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));
1117 }
1118 }
1119 }*/
1120 }
1121
1122 int usage_hf14_mf1ksim(void) {
1123 PrintAndLog("Usage: hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");
1124 PrintAndLog("options:");
1125 PrintAndLog(" h this help");
1126 PrintAndLog(" u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");
1127 PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");
1128 PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
1129 PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
1130 PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");
1131 PrintAndLog(" f (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");
1132 PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");
1133 PrintAndLog("samples:");
1134 PrintAndLog(" hf mf sim u 0a0a0a0a");
1135 PrintAndLog(" hf mf sim u 11223344556677");
1136 PrintAndLog(" hf mf sim u 112233445566778899AA");
1137 PrintAndLog(" hf mf sim f uids.txt");
1138 PrintAndLog(" hf mf sim u 0a0a0a0a e");
1139
1140 return 0;
1141 }
1142
1143 int CmdHF14AMf1kSim(const char *Cmd) {
1144 UsbCommand resp;
1145 uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1146 uint8_t exitAfterNReads = 0;
1147 uint8_t flags = 0;
1148 int uidlen = 0;
1149 uint8_t pnr = 0;
1150 bool setEmulatorMem = false;
1151 bool attackFromFile = false;
1152 FILE *f;
1153 char filename[FILE_PATH_SIZE];
1154 memset(filename, 0x00, sizeof(filename));
1155 int len = 0;
1156 char buf[64];
1157
1158 uint8_t cmdp = 0;
1159 bool errors = false;
1160
1161 while(param_getchar(Cmd, cmdp) != 0x00) {
1162 switch(param_getchar(Cmd, cmdp)) {
1163 case 'e':
1164 case 'E':
1165 setEmulatorMem = true;
1166 //implies x and i
1167 flags |= FLAG_INTERACTIVE;
1168 flags |= FLAG_NR_AR_ATTACK;
1169 cmdp++;
1170 break;
1171 case 'f':
1172 case 'F':
1173 len = param_getstr(Cmd, cmdp+1, filename);
1174 if (len < 1) {
1175 PrintAndLog("error no filename found");
1176 return 0;
1177 }
1178 attackFromFile = true;
1179 //implies x and i
1180 flags |= FLAG_INTERACTIVE;
1181 flags |= FLAG_NR_AR_ATTACK;
1182 cmdp += 2;
1183 break;
1184 case 'h':
1185 case 'H':
1186 return usage_hf14_mf1ksim();
1187 case 'i':
1188 case 'I':
1189 flags |= FLAG_INTERACTIVE;
1190 cmdp++;
1191 break;
1192 case 'n':
1193 case 'N':
1194 exitAfterNReads = param_get8(Cmd, pnr+1);
1195 cmdp += 2;
1196 break;
1197 case 'r':
1198 case 'R':
1199 flags |= FLAG_RANDOM_NONCE;
1200 cmdp++;
1201 break;
1202 case 'u':
1203 case 'U':
1204 param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
1205 switch(uidlen) {
1206 case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete
1207 case 14: flags = FLAG_7B_UID_IN_DATA; break;
1208 case 8: flags = FLAG_4B_UID_IN_DATA; break;
1209 default: return usage_hf14_mf1ksim();
1210 }
1211 cmdp += 2;
1212 break;
1213 case 'x':
1214 case 'X':
1215 flags |= FLAG_NR_AR_ATTACK;
1216 cmdp++;
1217 break;
1218 default:
1219 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1220 errors = true;
1221 break;
1222 }
1223 if(errors) break;
1224 }
1225 //Validations
1226 if(errors) return usage_hf14_mf1ksim();
1227
1228 //get uid from file
1229 if (attackFromFile) {
1230 int count = 0;
1231 // open file
1232 f = fopen(filename, "r");
1233 if (f == NULL) {
1234 PrintAndLog("File %s not found or locked", filename);
1235 return 1;
1236 }
1237 PrintAndLog("Loading file and simulating. Press keyboard to abort");
1238 while(!feof(f) && !ukbhit()){
1239 memset(buf, 0, sizeof(buf));
1240 memset(uid, 0, sizeof(uid));
1241
1242 if (fgets(buf, sizeof(buf), f) == NULL) {
1243 if (count > 0) break;
1244
1245 PrintAndLog("File reading error.");
1246 fclose(f);
1247 return 2;
1248 }
1249 if(!strlen(buf) && feof(f)) break;
1250
1251 uidlen = strlen(buf)-1;
1252 switch(uidlen) {
1253 case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete
1254 case 14: flags |= FLAG_7B_UID_IN_DATA; break;
1255 case 8: flags |= FLAG_4B_UID_IN_DATA; break;
1256 default:
1257 PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);
1258 fclose(f);
1259 return 2;
1260 }
1261
1262 for (uint8_t i = 0; i < uidlen; i += 2) {
1263 sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);
1264 }
1265
1266 PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",
1267 flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
1268 flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7):
1269 flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
1270 , exitAfterNReads, flags, flags);
1271
1272 UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
1273 memcpy(c.d.asBytes, uid, sizeof(uid));
1274 clearCommandBuffer();
1275 SendCommand(&c);
1276
1277 while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
1278 //We're waiting only 1.5 s at a time, otherwise we get the
1279 // annoying message about "Waiting for a response... "
1280 }
1281 //got a response
1282 nonces_t ar_resp[ATTACK_KEY_COUNT*2];
1283 memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
1284 // We can skip the standard attack if we have RANDOM_NONCE set.
1285 readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
1286 if ((bool)resp.arg[1]) {
1287 PrintAndLog("Device button pressed - quitting");
1288 fclose(f);
1289 return 4;
1290 }
1291 count++;
1292 }
1293 fclose(f);
1294 } else { //not from file
1295
1296 PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",
1297 flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
1298 flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7):
1299 flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
1300 , exitAfterNReads, flags, flags);
1301
1302 UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
1303 memcpy(c.d.asBytes, uid, sizeof(uid));
1304 clearCommandBuffer();
1305 SendCommand(&c);
1306
1307 if(flags & FLAG_INTERACTIVE) {
1308 PrintAndLog("Press pm3-button to abort simulation");
1309 while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
1310 //We're waiting only 1.5 s at a time, otherwise we get the
1311 // annoying message about "Waiting for a response... "
1312 }
1313 //got a response
1314 if (flags & FLAG_NR_AR_ATTACK) {
1315 nonces_t ar_resp[ATTACK_KEY_COUNT*2];
1316 memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
1317 // We can skip the standard attack if we have RANDOM_NONCE set.
1318 readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
1319 }
1320 }
1321 }
1322
1323 return 0;
1324 }
1325
1326 int CmdHF14AMfDbg(const char *Cmd)
1327 {
1328 int dbgMode = param_get32ex(Cmd, 0, 0, 10);
1329 if (dbgMode > 4) {
1330 PrintAndLog("Max debug mode parameter is 4 \n");
1331 }
1332
1333 if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) {
1334 PrintAndLog("Usage: hf mf dbg <debug level>");
1335 PrintAndLog(" 0 - no debug messages");
1336 PrintAndLog(" 1 - error messages");
1337 PrintAndLog(" 2 - plus information messages");
1338 PrintAndLog(" 3 - plus debug messages");
1339 PrintAndLog(" 4 - print even debug messages in timing critical functions");
1340 PrintAndLog(" Note: this option therefore may cause malfunction itself");
1341 return 0;
1342 }
1343
1344 UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};
1345 SendCommand(&c);
1346
1347 return 0;
1348 }
1349
1350 int CmdHF14AMfEGet(const char *Cmd)
1351 {
1352 uint8_t blockNo = 0;
1353 uint8_t data[16] = {0x00};
1354
1355 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
1356 PrintAndLog("Usage: hf mf eget <block number>");
1357 PrintAndLog(" sample: hf mf eget 0 ");
1358 return 0;
1359 }
1360
1361 blockNo = param_get8(Cmd, 0);
1362
1363 PrintAndLog(" ");
1364 if (!mfEmlGetMem(data, blockNo, 1)) {
1365 PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16));
1366 } else {
1367 PrintAndLog("Command execute timeout");
1368 }
1369
1370 return 0;
1371 }
1372
1373 int CmdHF14AMfEClear(const char *Cmd)
1374 {
1375 if (param_getchar(Cmd, 0) == 'h') {
1376 PrintAndLog("Usage: hf mf eclr");
1377 PrintAndLog("It set card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF \n");
1378 return 0;
1379 }
1380
1381 UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};
1382 SendCommand(&c);
1383 return 0;
1384 }
1385
1386
1387 int CmdHF14AMfESet(const char *Cmd)
1388 {
1389 uint8_t memBlock[16];
1390 uint8_t blockNo = 0;
1391
1392 memset(memBlock, 0x00, sizeof(memBlock));
1393
1394 if (strlen(Cmd) < 3 || param_getchar(Cmd, 0) == 'h') {
1395 PrintAndLog("Usage: hf mf eset <block number> <block data (32 hex symbols)>");
1396 PrintAndLog(" sample: hf mf eset 1 000102030405060708090a0b0c0d0e0f ");
1397 return 0;
1398 }
1399
1400 blockNo = param_get8(Cmd, 0);
1401
1402 if (param_gethex(Cmd, 1, memBlock, 32)) {
1403 PrintAndLog("block data must include 32 HEX symbols");
1404 return 1;
1405 }
1406
1407 // 1 - blocks count
1408 UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}};
1409 memcpy(c.d.asBytes, memBlock, 16);
1410 SendCommand(&c);
1411 return 0;
1412 }
1413
1414
1415 int CmdHF14AMfELoad(const char *Cmd)
1416 {
1417 FILE * f;
1418 char filename[FILE_PATH_SIZE];
1419 char *fnameptr = filename;
1420 char buf[64] = {0x00};
1421 uint8_t buf8[64] = {0x00};
1422 int i, len, blockNum, numBlocks;
1423 int nameParamNo = 1;
1424
1425 char ctmp = param_getchar(Cmd, 0);
1426
1427 if ( ctmp == 'h' || ctmp == 0x00) {
1428 PrintAndLog("It loads emul dump from the file `filename.eml`");
1429 PrintAndLog("Usage: hf mf eload [card memory] <file name w/o `.eml`>");
1430 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1431 PrintAndLog("");
1432 PrintAndLog(" sample: hf mf eload filename");
1433 PrintAndLog(" hf mf eload 4 filename");
1434 return 0;
1435 }
1436
1437 switch (ctmp) {
1438 case '0' : numBlocks = 5*4; break;
1439 case '1' :
1440 case '\0': numBlocks = 16*4; break;
1441 case '2' : numBlocks = 32*4; break;
1442 case '4' : numBlocks = 256; break;
1443 default: {
1444 numBlocks = 16*4;
1445 nameParamNo = 0;
1446 }
1447 }
1448
1449 len = param_getstr(Cmd,nameParamNo,filename);
1450
1451 if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
1452
1453 fnameptr += len;
1454
1455 sprintf(fnameptr, ".eml");
1456
1457 // open file
1458 f = fopen(filename, "r");
1459 if (f == NULL) {
1460 PrintAndLog("File %s not found or locked", filename);
1461 return 1;
1462 }
1463
1464 blockNum = 0;
1465 while(!feof(f)){
1466 memset(buf, 0, sizeof(buf));
1467
1468 if (fgets(buf, sizeof(buf), f) == NULL) {
1469
1470 if (blockNum >= numBlocks) break;
1471
1472 PrintAndLog("File reading error.");
1473 fclose(f);
1474 return 2;
1475 }
1476
1477 if (strlen(buf) < 32){
1478 if(strlen(buf) && feof(f))
1479 break;
1480 PrintAndLog("File content error. Block data must include 32 HEX symbols");
1481 fclose(f);
1482 return 2;
1483 }
1484
1485 for (i = 0; i < 32; i += 2) {
1486 sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
1487 }
1488
1489 if (mfEmlSetMem(buf8, blockNum, 1)) {
1490 PrintAndLog("Cant set emul block: %3d", blockNum);
1491 fclose(f);
1492 return 3;
1493 }
1494 printf(".");
1495 blockNum++;
1496
1497 if (blockNum >= numBlocks) break;
1498 }
1499 fclose(f);
1500 printf("\n");
1501
1502 if ((blockNum != numBlocks)) {
1503 PrintAndLog("File content error. Got %d must be %d blocks.",blockNum, numBlocks);
1504 return 4;
1505 }
1506 PrintAndLog("Loaded %d blocks from file: %s", blockNum, filename);
1507 return 0;
1508 }
1509
1510
1511 int CmdHF14AMfESave(const char *Cmd)
1512 {
1513 FILE * f;
1514 char filename[FILE_PATH_SIZE];
1515 char * fnameptr = filename;
1516 uint8_t buf[64];
1517 int i, j, len, numBlocks;
1518 int nameParamNo = 1;
1519
1520 memset(filename, 0, sizeof(filename));
1521 memset(buf, 0, sizeof(buf));
1522
1523 char ctmp = param_getchar(Cmd, 0);
1524
1525 if ( ctmp == 'h' || ctmp == 'H') {
1526 PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`");
1527 PrintAndLog(" Usage: hf mf esave [card memory] [file name w/o `.eml`]");
1528 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1529 PrintAndLog("");
1530 PrintAndLog(" sample: hf mf esave ");
1531 PrintAndLog(" hf mf esave 4");
1532 PrintAndLog(" hf mf esave 4 filename");
1533 return 0;
1534 }
1535
1536 switch (ctmp) {
1537 case '0' : numBlocks = 5*4; break;
1538 case '1' :
1539 case '\0': numBlocks = 16*4; break;
1540 case '2' : numBlocks = 32*4; break;
1541 case '4' : numBlocks = 256; break;
1542 default: {
1543 numBlocks = 16*4;
1544 nameParamNo = 0;
1545 }
1546 }
1547
1548 len = param_getstr(Cmd,nameParamNo,filename);
1549
1550 if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
1551
1552 // user supplied filename?
1553 if (len < 1) {
1554 // get filename (UID from memory)
1555 if (mfEmlGetMem(buf, 0, 1)) {
1556 PrintAndLog("Can\'t get UID from block: %d", 0);
1557 len = sprintf(fnameptr, "dump");
1558 fnameptr += len;
1559 }
1560 else {
1561 for (j = 0; j < 7; j++, fnameptr += 2)
1562 sprintf(fnameptr, "%02X", buf[j]);
1563 }
1564 } else {
1565 fnameptr += len;
1566 }
1567
1568 // add file extension
1569 sprintf(fnameptr, ".eml");
1570
1571 // open file
1572 f = fopen(filename, "w+");
1573
1574 if ( !f ) {
1575 PrintAndLog("Can't open file %s ", filename);
1576 return 1;
1577 }
1578
1579 // put hex
1580 for (i = 0; i < numBlocks; i++) {
1581 if (mfEmlGetMem(buf, i, 1)) {
1582 PrintAndLog("Cant get block: %d", i);
1583 break;
1584 }
1585 for (j = 0; j < 16; j++)
1586 fprintf(f, "%02X", buf[j]);
1587 fprintf(f,"\n");
1588 }
1589 fclose(f);
1590
1591 PrintAndLog("Saved %d blocks to file: %s", numBlocks, filename);
1592
1593 return 0;
1594 }
1595
1596
1597 int CmdHF14AMfECFill(const char *Cmd)
1598 {
1599 uint8_t keyType = 0;
1600 uint8_t numSectors = 16;
1601
1602 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
1603 PrintAndLog("Usage: hf mf ecfill <key A/B> [card memory]");
1604 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1605 PrintAndLog("");
1606 PrintAndLog("samples: hf mf ecfill A");
1607 PrintAndLog(" hf mf ecfill A 4");
1608 PrintAndLog("Read card and transfer its data to emulator memory.");
1609 PrintAndLog("Keys must be laid in the emulator memory. \n");
1610 return 0;
1611 }
1612
1613 char ctmp = param_getchar(Cmd, 0);
1614 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
1615 PrintAndLog("Key type must be A or B");
1616 return 1;
1617 }
1618 if (ctmp != 'A' && ctmp != 'a') keyType = 1;
1619
1620 ctmp = param_getchar(Cmd, 1);
1621 switch (ctmp) {
1622 case '0' : numSectors = 5; break;
1623 case '1' :
1624 case '\0': numSectors = 16; break;
1625 case '2' : numSectors = 32; break;
1626 case '4' : numSectors = 40; break;
1627 default: numSectors = 16;
1628 }
1629
1630 printf("--params: numSectors: %d, keyType:%d", numSectors, keyType);
1631 UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};
1632 SendCommand(&c);
1633 return 0;
1634 }
1635
1636
1637 int CmdHF14AMfEKeyPrn(const char *Cmd)
1638 {
1639 int i;
1640 uint8_t numSectors;
1641 uint8_t data[16];
1642 uint64_t keyA, keyB;
1643
1644 if (param_getchar(Cmd, 0) == 'h') {
1645 PrintAndLog("It prints the keys loaded in the emulator memory");
1646 PrintAndLog("Usage: hf mf ekeyprn [card memory]");
1647 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1648 PrintAndLog("");
1649 PrintAndLog(" sample: hf mf ekeyprn 1");
1650 return 0;
1651 }
1652
1653 char cmdp = param_getchar(Cmd, 0);
1654
1655 switch (cmdp) {
1656 case '0' : numSectors = 5; break;
1657 case '1' :
1658 case '\0': numSectors = 16; break;
1659 case '2' : numSectors = 32; break;
1660 case '4' : numSectors = 40; break;
1661 default: numSectors = 16;
1662 }
1663
1664 PrintAndLog("|---|----------------|----------------|");
1665 PrintAndLog("|sec|key A |key B |");
1666 PrintAndLog("|---|----------------|----------------|");
1667 for (i = 0; i < numSectors; i++) {
1668 if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {
1669 PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);
1670 break;
1671 }
1672 keyA = bytes_to_num(data, 6);
1673 keyB = bytes_to_num(data + 10, 6);
1674 PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB);
1675 }
1676 PrintAndLog("|---|----------------|----------------|");
1677
1678 return 0;
1679 }
1680
1681
1682 int CmdHF14AMfCSetUID(const char *Cmd)
1683 {
1684 uint8_t wipeCard = 0;
1685 uint8_t uid[8] = {0x00};
1686 uint8_t oldUid[8] = {0x00};
1687 uint8_t atqa[2] = {0x00};
1688 uint8_t sak[1] = {0x00};
1689 uint8_t atqaPresent = 1;
1690 int res;
1691 char ctmp;
1692 int argi=0;
1693
1694 if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') {
1695 PrintAndLog("Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols] [w]");
1696 PrintAndLog("sample: hf mf csetuid 01020304");
1697 PrintAndLog("sample: hf mf csetuid 01020304 0004 08 w");
1698 PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");
1699 PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line.");
1700 return 0;
1701 }
1702
1703 if (param_getchar(Cmd, argi) && param_gethex(Cmd, argi, uid, 8)) {
1704 PrintAndLog("UID must include 8 HEX symbols");
1705 return 1;
1706 }
1707 argi++;
1708
1709 ctmp = param_getchar(Cmd, argi);
1710 if (ctmp == 'w' || ctmp == 'W') {
1711 wipeCard = 1;
1712 atqaPresent = 0;
1713 }
1714
1715 if (atqaPresent) {
1716 if (param_getchar(Cmd, argi)) {
1717 if (param_gethex(Cmd, argi, atqa, 4)) {
1718 PrintAndLog("ATQA must include 4 HEX symbols");
1719 return 1;
1720 }
1721 argi++;
1722 if (!param_getchar(Cmd, argi) || param_gethex(Cmd, argi, sak, 2)) {
1723 PrintAndLog("SAK must include 2 HEX symbols");
1724 return 1;
1725 }
1726 argi++;
1727 } else
1728 atqaPresent = 0;
1729 }
1730
1731 if(!wipeCard) {
1732 ctmp = param_getchar(Cmd, argi);
1733 if (ctmp == 'w' || ctmp == 'W') {
1734 wipeCard = 1;
1735 }
1736 }
1737
1738 PrintAndLog("--wipe card:%s uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4));
1739
1740 res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard);
1741 if (res) {
1742 PrintAndLog("Can't set UID. error=%d", res);
1743 return 1;
1744 }
1745
1746 PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));
1747 PrintAndLog("new UID:%s", sprint_hex(uid, 4));
1748 return 0;
1749 }
1750
1751 int CmdHF14AMfCSetBlk(const char *Cmd)
1752 {
1753 uint8_t memBlock[16] = {0x00};
1754 uint8_t blockNo = 0;
1755 bool wipeCard = FALSE;
1756 int res;
1757
1758 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
1759 PrintAndLog("Usage: hf mf csetblk <block number> <block data (32 hex symbols)> [w]");
1760 PrintAndLog("sample: hf mf csetblk 1 01020304050607080910111213141516");
1761 PrintAndLog("Set block data for magic Chinese card (only works with such cards)");
1762 PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");
1763 return 0;
1764 }
1765
1766 blockNo = param_get8(Cmd, 0);
1767
1768 if (param_gethex(Cmd, 1, memBlock, 32)) {
1769 PrintAndLog("block data must include 32 HEX symbols");
1770 return 1;
1771 }
1772
1773 char ctmp = param_getchar(Cmd, 2);
1774 wipeCard = (ctmp == 'w' || ctmp == 'W');
1775 PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));
1776
1777 res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);
1778 if (res) {
1779 PrintAndLog("Can't write block. error=%d", res);
1780 return 1;
1781 }
1782 return 0;
1783 }
1784
1785
1786 int CmdHF14AMfCLoad(const char *Cmd)
1787 {
1788 FILE * f;
1789 char filename[FILE_PATH_SIZE] = {0x00};
1790 char * fnameptr = filename;
1791 char buf[64] = {0x00};
1792 uint8_t buf8[64] = {0x00};
1793 uint8_t fillFromEmulator = 0;
1794 int i, len, blockNum, flags=0;
1795
1796 if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
1797 PrintAndLog("It loads magic Chinese card from the file `filename.eml`");
1798 PrintAndLog("or from emulator memory (option `e`)");
1799 PrintAndLog("Usage: hf mf cload <file name w/o `.eml`>");
1800 PrintAndLog(" or: hf mf cload e ");
1801 PrintAndLog(" sample: hf mf cload filename");
1802 return 0;
1803 }
1804
1805 char ctmp = param_getchar(Cmd, 0);
1806 if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;
1807
1808 if (fillFromEmulator) {
1809 for (blockNum = 0; blockNum < 16 * 4; blockNum += 1) {
1810 if (mfEmlGetMem(buf8, blockNum, 1)) {
1811 PrintAndLog("Cant get block: %d", blockNum);
1812 return 2;
1813 }
1814 if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence
1815 if (blockNum == 1) flags = 0; // just write
1816 if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Magic Halt and switch off field.
1817
1818 if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
1819 PrintAndLog("Cant set magic card block: %d", blockNum);
1820 return 3;
1821 }
1822 }
1823 return 0;
1824 } else {
1825 len = strlen(Cmd);
1826 if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
1827
1828 memcpy(filename, Cmd, len);
1829 fnameptr += len;
1830
1831 sprintf(fnameptr, ".eml");
1832
1833 // open file
1834 f = fopen(filename, "r");
1835 if (f == NULL) {
1836 PrintAndLog("File not found or locked.");
1837 return 1;
1838 }
1839
1840 blockNum = 0;
1841 while(!feof(f)){
1842
1843 memset(buf, 0, sizeof(buf));
1844
1845 if (fgets(buf, sizeof(buf), f) == NULL) {
1846 fclose(f);
1847 PrintAndLog("File reading error.");
1848 return 2;
1849 }
1850
1851 if (strlen(buf) < 32) {
1852 if(strlen(buf) && feof(f))
1853 break;
1854 PrintAndLog("File content error. Block data must include 32 HEX symbols");
1855 fclose(f);
1856 return 2;
1857 }
1858 for (i = 0; i < 32; i += 2)
1859 sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
1860
1861 if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence
1862 if (blockNum == 1) flags = 0; // just write
1863 if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Switch off field.
1864
1865 if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
1866 PrintAndLog("Can't set magic card block: %d", blockNum);
1867 return 3;
1868 }
1869 blockNum++;
1870
1871 if (blockNum >= 16 * 4) break; // magic card type - mifare 1K
1872 }
1873 fclose(f);
1874
1875 if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){
1876 PrintAndLog("File content error. There must be 64 blocks");
1877 return 4;
1878 }
1879 PrintAndLog("Loaded from file: %s", filename);
1880 return 0;
1881 }
1882 return 0;
1883 }
1884
1885 int CmdHF14AMfCGetBlk(const char *Cmd) {
1886 uint8_t memBlock[16];
1887 uint8_t blockNo = 0;
1888 int res;
1889 memset(memBlock, 0x00, sizeof(memBlock));
1890
1891 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
1892 PrintAndLog("Usage: hf mf cgetblk <block number>");
1893 PrintAndLog("sample: hf mf cgetblk 1");
1894 PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");
1895 return 0;
1896 }
1897
1898 blockNo = param_get8(Cmd, 0);
1899
1900 PrintAndLog("--block number:%2d ", blockNo);
1901
1902 res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);
1903 if (res) {
1904 PrintAndLog("Can't read block. error=%d", res);
1905 return 1;
1906 }
1907
1908 PrintAndLog("block data:%s", sprint_hex(memBlock, 16));
1909 return 0;
1910 }
1911
1912
1913 int CmdHF14AMfCGetSc(const char *Cmd) {
1914 uint8_t memBlock[16] = {0x00};
1915 uint8_t sectorNo = 0;
1916 int i, res, flags;
1917
1918 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
1919 PrintAndLog("Usage: hf mf cgetsc <sector number>");
1920 PrintAndLog("sample: hf mf cgetsc 0");
1921 PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");
1922 return 0;
1923 }
1924
1925 sectorNo = param_get8(Cmd, 0);
1926 if (sectorNo > 15) {
1927 PrintAndLog("Sector number must be in [0..15] as in MIFARE classic.");
1928 return 1;
1929 }
1930
1931 PrintAndLog("--sector number:%d ", sectorNo);
1932
1933 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
1934 for (i = 0; i < 4; i++) {
1935 if (i == 1) flags = 0;
1936 if (i == 3) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
1937
1938 res = mfCGetBlock(sectorNo * 4 + i, memBlock, flags);
1939 if (res) {
1940 PrintAndLog("Can't read block. %d error=%d", sectorNo * 4 + i, res);
1941 return 1;
1942 }
1943
1944 PrintAndLog("block %3d data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16));
1945 }
1946 return 0;
1947 }
1948
1949
1950 int CmdHF14AMfCSave(const char *Cmd) {
1951
1952 FILE * f;
1953 char filename[FILE_PATH_SIZE] = {0x00};
1954 char * fnameptr = filename;
1955 uint8_t fillFromEmulator = 0;
1956 uint8_t buf[64] = {0x00};
1957 int i, j, len, flags;
1958
1959 // memset(filename, 0, sizeof(filename));
1960 // memset(buf, 0, sizeof(buf));
1961
1962 if (param_getchar(Cmd, 0) == 'h') {
1963 PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");
1964 PrintAndLog("or into emulator memory (option `e`)");
1965 PrintAndLog("Usage: hf mf esave [file name w/o `.eml`][e]");
1966 PrintAndLog(" sample: hf mf esave ");
1967 PrintAndLog(" hf mf esave filename");
1968 PrintAndLog(" hf mf esave e \n");
1969 return 0;
1970 }
1971
1972 char ctmp = param_getchar(Cmd, 0);
1973 if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;
1974
1975 if (fillFromEmulator) {
1976 // put into emulator
1977 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
1978 for (i = 0; i < 16 * 4; i++) {
1979 if (i == 1) flags = 0;
1980 if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
1981
1982 if (mfCGetBlock(i, buf, flags)) {
1983 PrintAndLog("Cant get block: %d", i);
1984 break;
1985 }
1986
1987 if (mfEmlSetMem(buf, i, 1)) {
1988 PrintAndLog("Cant set emul block: %d", i);
1989 return 3;
1990 }
1991 }
1992 return 0;
1993 } else {
1994 len = strlen(Cmd);
1995 if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
1996
1997 if (len < 1) {
1998 // get filename
1999 if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {
2000 PrintAndLog("Cant get block: %d", 0);
2001 len = sprintf(fnameptr, "dump");
2002 fnameptr += len;
2003 }
2004 else {
2005 for (j = 0; j < 7; j++, fnameptr += 2)
2006 sprintf(fnameptr, "%02x", buf[j]);
2007 }
2008 } else {
2009 memcpy(filename, Cmd, len);
2010 fnameptr += len;
2011 }
2012
2013 sprintf(fnameptr, ".eml");
2014
2015 // open file
2016 f = fopen(filename, "w+");
2017
2018 if (f == NULL) {
2019 PrintAndLog("File not found or locked.");
2020 return 1;
2021 }
2022
2023 // put hex
2024 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
2025 for (i = 0; i < 16 * 4; i++) {
2026 if (i == 1) flags = 0;
2027 if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
2028
2029 if (mfCGetBlock(i, buf, flags)) {
2030 PrintAndLog("Cant get block: %d", i);
2031 break;
2032 }
2033 for (j = 0; j < 16; j++)
2034 fprintf(f, "%02x", buf[j]);
2035 fprintf(f,"\n");
2036 }
2037 fclose(f);
2038
2039 PrintAndLog("Saved to file: %s", filename);
2040
2041 return 0;
2042 }
2043 }
2044
2045
2046 int CmdHF14AMfSniff(const char *Cmd){
2047
2048 bool wantLogToFile = 0;
2049 bool wantDecrypt = 0;
2050 //bool wantSaveToEml = 0; TODO
2051 bool wantSaveToEmlFile = 0;
2052
2053 //var
2054 int res = 0;
2055 int len = 0;
2056 int blockLen = 0;
2057 int pckNum = 0;
2058 int num = 0;
2059 uint8_t uid[7];
2060 uint8_t uid_len;
2061 uint8_t atqa[2] = {0x00};
2062 uint8_t sak;
2063 bool isTag;
2064 uint8_t *buf = NULL;
2065 uint16_t bufsize = 0;
2066 uint8_t *bufPtr = NULL;
2067
2068 char ctmp = param_getchar(Cmd, 0);
2069 if ( ctmp == 'h' || ctmp == 'H' ) {
2070 PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");
2071 PrintAndLog("You can specify:");
2072 PrintAndLog(" l - save encrypted sequence to logfile `uid.log`");
2073 PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`");
2074 PrintAndLog(" n/a e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory");
2075 PrintAndLog(" f - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");
2076 PrintAndLog("Usage: hf mf sniff [l][d][e][f]");
2077 PrintAndLog(" sample: hf mf sniff l d e");
2078 return 0;
2079 }
2080
2081 for (int i = 0; i < 4; i++) {
2082 ctmp = param_getchar(Cmd, i);
2083 if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;
2084 if (ctmp == 'd' || ctmp == 'D') wantDecrypt = true;
2085 //if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true; TODO
2086 if (ctmp == 'f' || ctmp == 'F') wantSaveToEmlFile = true;
2087 }
2088
2089 printf("-------------------------------------------------------------------------\n");
2090 printf("Executing command. \n");
2091 printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");
2092 printf("Press the key on pc keyboard to abort the client.\n");
2093 printf("-------------------------------------------------------------------------\n");
2094
2095 UsbCommand c = {CMD_MIFARE_SNIFFER, {0, 0, 0}};
2096 clearCommandBuffer();
2097 SendCommand(&c);
2098
2099 // wait cycle
2100 while (true) {
2101 printf(".");
2102 fflush(stdout);
2103 if (ukbhit()) {
2104 getchar();
2105 printf("\naborted via keyboard!\n");
2106 break;
2107 }
2108
2109 UsbCommand resp;
2110 if (WaitForResponseTimeout(CMD_ACK,&resp,2000)) {
2111 res = resp.arg[0] & 0xff;
2112 uint16_t traceLen = resp.arg[1];
2113 len = resp.arg[2];
2114
2115 if (res == 0) return 0; // we are done
2116
2117 if (res == 1) { // there is (more) data to be transferred
2118 if (pckNum == 0) { // first packet, (re)allocate necessary buffer
2119 if (traceLen > bufsize) {
2120 uint8_t *p;
2121 if (buf == NULL) { // not yet allocated
2122 p = malloc(traceLen);
2123 } else { // need more memory
2124 p = realloc(buf, traceLen);
2125 }
2126 if (p == NULL) {
2127 PrintAndLog("Cannot allocate memory for trace");
2128 free(buf);
2129 return 2;
2130 }
2131 buf = p;
2132 }
2133 bufPtr = buf;
2134 bufsize = traceLen;
2135 memset(buf, 0x00, traceLen);
2136 }
2137 memcpy(bufPtr, resp.d.asBytes, len);
2138 bufPtr += len;
2139 pckNum++;
2140 }
2141
2142 if (res == 2) { // received all data, start displaying
2143 blockLen = bufPtr - buf;
2144 bufPtr = buf;
2145 printf(">\n");
2146 PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);
2147 while (bufPtr - buf < blockLen) {
2148 bufPtr += 6; // skip (void) timing information
2149 len = *((uint16_t *)bufPtr);
2150 if(len & 0x8000) {
2151 isTag = true;
2152 len &= 0x7fff;
2153 } else {
2154 isTag = false;
2155 }
2156 bufPtr += 2;
2157 if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {
2158 memcpy(uid, bufPtr + 2, 7);
2159 memcpy(atqa, bufPtr + 2 + 7, 2);
2160 uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;
2161 sak = bufPtr[11];
2162 PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x",
2163 sprint_hex(uid + (7 - uid_len), uid_len),
2164 atqa[1],
2165 atqa[0],
2166 sak);
2167 if (wantLogToFile || wantDecrypt) {
2168 FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);
2169 AddLogCurrentDT(logHexFileName);
2170 }
2171 if (wantDecrypt)
2172 mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);
2173 } else {
2174 PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));
2175 if (wantLogToFile)
2176 AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);
2177 if (wantDecrypt)
2178 mfTraceDecode(bufPtr, len, wantSaveToEmlFile);
2179 num++;
2180 }
2181 bufPtr += len;
2182 bufPtr += ((len-1)/8+1); // ignore parity
2183 }
2184 pckNum = 0;
2185 }
2186 } // resp not NULL
2187 } // while (true)
2188
2189 free(buf);
2190 return 0;
2191 }
2192
2193 //needs nt, ar, at, Data to decrypt
2194 int CmdDecryptTraceCmds(const char *Cmd){
2195 uint8_t data[50];
2196 int len = 0;
2197 param_gethex_ex(Cmd,3,data,&len);
2198 return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);
2199 }
2200
2201 static command_t CommandTable[] =
2202 {
2203 {"help", CmdHelp, 1, "This help"},
2204 {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
2205 {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
2206 {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
2207 {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},
2208 {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},
2209 {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
2210 {"chk", CmdHF14AMfChk, 0, "Test block keys"},
2211 {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},
2212 {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},
2213 {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},
2214 {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},
2215 {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},
2216 {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},
2217 {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},
2218 {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},
2219 {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},
2220 {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},
2221 {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},
2222 {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},
2223 {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},
2224 {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},
2225 {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},
2226 {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},
2227 {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},
2228 {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
2229 {NULL, NULL, 0, NULL}
2230 };
2231
2232 int CmdHFMF(const char *Cmd)
2233 {
2234 // flush
2235 WaitForResponseTimeout(CMD_ACK,NULL,100);
2236
2237 CmdsParse(CommandTable, Cmd);
2238 return 0;
2239 }
2240
2241 int CmdHelp(const char *Cmd)
2242 {
2243 CmdsHelp(CommandTable);
2244 return 0;
2245 }
Proxmark3 GIT tracking
Impressum, Datenschutz