]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhfmfu.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of https://github.com/Proxmark/proxmark3
[proxmark3-svn] / client / cmdhfmfu.c
1 //-----------------------------------------------------------------------------
2 // Ultralight Code (c) 2013,2014 Midnitesnake & Andy Davies of Pentura
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency MIFARE ULTRALIGHT (C) commands
9 //-----------------------------------------------------------------------------
10 #include "loclass/des.h"
11 #include "cmdhfmfu.h"
12 #include "cmdhfmf.h"
13 #include "cmdhf14a.h"
14 #include "mifare.h"
15 #include "util.h"
16 #include "../common/protocols.h"
17 #include "data.h"
18
19 #define MAX_UL_BLOCKS 0x0f
20 #define MAX_ULC_BLOCKS 0x2b
21 #define MAX_ULEV1a_BLOCKS 0x13
22 #define MAX_ULEV1b_BLOCKS 0x28
23 #define MAX_NTAG_203 0x29
24 #define MAX_NTAG_210 0x13
25 #define MAX_NTAG_212 0x28
26 #define MAX_NTAG_213 0x2c
27 #define MAX_NTAG_215 0x86
28 #define MAX_NTAG_216 0xe6
29
30 #define KEYS_3DES_COUNT 7
31 uint8_t default_3des_keys[KEYS_3DES_COUNT][16] = {
32 { 0x42,0x52,0x45,0x41,0x4b,0x4d,0x45,0x49,0x46,0x59,0x4f,0x55,0x43,0x41,0x4e,0x21 },// 3des std key
33 { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },// all zeroes
34 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f },// 0x00-0x0F
35 { 0x49,0x45,0x4D,0x4B,0x41,0x45,0x52,0x42,0x21,0x4E,0x41,0x43,0x55,0x4F,0x59,0x46 },// NFC-key
36 { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 },// all ones
37 { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF },// all FF
38 { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF } // 11 22 33
39 };
40
41 #define KEYS_PWD_COUNT 10
42 uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = {
43 {0xFF,0xFF,0xFF,0xFF}, // PACK 0x00,0x00 -- factory default
44
45 {0x4A,0xF8,0x4B,0x19}, // PACK 0xE5,0xBE -- italian bus (sniffed)
46 {0x33,0x6B,0xA1,0x19}, // PACK 0x9c,0x2d -- italian bus (sniffed)
47 {0xFF,0x90,0x6C,0xB2}, // PACK 0x12,0x9e -- italian bus (sniffed)
48 {0x46,0x1c,0xA3,0x19}, // PACK 0xE9,0x5A -- italian bus (sniffed)
49 {0x35,0x1C,0xD0,0x19}, // PACK 0x9A,0x5a -- italian bus (sniffed)
50
51 {0x05,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- Amiiboo (sniffed) pikachu-b UID:
52 {0x7E,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- AMiiboo (sniffed)
53 {0x02,0xE1,0xEE,0x36}, // PACK 0x80,0x80 -- AMiiboo (sniffed) sonic UID: 04d257 7ae33e8027
54 {0x32,0x0C,0x16,0x17}, // PACK 0x80,0x80 -- AMiiboo (sniffed)
55 };
56
57 #define MAX_UL_TYPES 16
58 uint16_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203,
59 NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC};
60
61 uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, MAX_ULEV1a_BLOCKS,
62 MAX_ULEV1b_BLOCKS, MAX_NTAG_203, MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, MAX_NTAG_213,
63 MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_UL_BLOCKS};
64
65
66 static int CmdHelp(const char *Cmd);
67
68 char *getProductTypeStr( uint8_t id){
69
70 static char buf[20];
71 char *retStr = buf;
72
73 switch(id) {
74 case 3: sprintf(retStr, "%02X, Ultralight", id); break;
75 case 4: sprintf(retStr, "%02X, NTAG", id); break;
76 default: sprintf(retStr, "%02X, unknown", id); break;
77 }
78 return buf;
79 }
80
81 /*
82 The 7 MSBits (=n) code the storage size itself based on 2^n,
83 the LSBit is set to '0' if the size is exactly 2^n
84 and set to '1' if the storage size is between 2^n and 2^(n+1).
85 */
86 char *getUlev1CardSizeStr( uint8_t fsize ){
87
88 static char buf[40];
89 char *retStr = buf;
90 memset(buf, 0, sizeof(buf));
91
92 uint16_t usize = 1 << ((fsize >>1) + 1);
93 uint16_t lsize = 1 << (fsize >>1);
94
95 // is LSB set?
96 if ( fsize & 1 )
97 sprintf(retStr, "%02X, (%u <-> %u bytes)",fsize, usize, lsize);
98 else
99 sprintf(retStr, "%02X, (%u bytes)", fsize, lsize);
100 return buf;
101 }
102
103 static void ul_switch_on_field(void) {
104 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
105 SendCommand(&c);
106 }
107
108 void ul_switch_off_field(void) {
109 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
110 SendCommand(&c);
111 }
112
113 static int ul_send_cmd_raw( uint8_t *cmd, uint8_t cmdlen, uint8_t *response, uint16_t responseLength ) {
114 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_NO_DISCONNECT | ISO14A_APPEND_CRC, cmdlen, 0}};
115 memcpy(c.d.asBytes, cmd, cmdlen);
116 SendCommand(&c);
117 UsbCommand resp;
118 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return -1;
119 if (!resp.arg[0] && responseLength) return -1;
120
121 uint16_t resplen = (resp.arg[0] < responseLength) ? resp.arg[0] : responseLength;
122 memcpy(response, resp.d.asBytes, resplen);
123 return resplen;
124 }
125 /*
126 static int ul_send_cmd_raw_crc( uint8_t *cmd, uint8_t cmdlen, uint8_t *response, uint16_t responseLength, bool append_crc ) {
127 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_NO_DISCONNECT , cmdlen, 0}};
128 if (append_crc)
129 c.arg[0] |= ISO14A_APPEND_CRC;
130
131 memcpy(c.d.asBytes, cmd, cmdlen);
132 SendCommand(&c);
133 UsbCommand resp;
134 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return -1;
135 if (!resp.arg[0] && responseLength) return -1;
136
137 uint16_t resplen = (resp.arg[0] < responseLength) ? resp.arg[0] : responseLength;
138 memcpy(response, resp.d.asBytes, resplen);
139 return resplen;
140 }
141 */
142 static int ul_select( iso14a_card_select_t *card ){
143
144 ul_switch_on_field();
145
146 UsbCommand resp;
147 bool ans = false;
148 ans = WaitForResponseTimeout(CMD_ACK, &resp, 1500);
149 if (!ans || resp.arg[0] < 1) {
150 PrintAndLog("iso14443a card select failed");
151 ul_switch_off_field();
152 return 0;
153 }
154
155 memcpy(card, resp.d.asBytes, sizeof(iso14a_card_select_t));
156 return 1;
157 }
158
159 // This read command will at least return 16bytes.
160 static int ul_read( uint8_t page, uint8_t *response, uint16_t responseLength ){
161
162 uint8_t cmd[] = {ISO14443A_CMD_READBLOCK, page};
163 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
164 return len;
165 }
166
167 static int ul_comp_write( uint8_t page, uint8_t *data, uint8_t datalen ){
168
169 uint8_t cmd[18];
170 memset(cmd, 0x00, sizeof(cmd));
171 datalen = ( datalen > 16) ? 16 : datalen;
172
173 cmd[0] = ISO14443A_CMD_WRITEBLOCK;
174 cmd[1] = page;
175 memcpy(cmd+2, data, datalen);
176
177 uint8_t response[1] = {0xff};
178 ul_send_cmd_raw(cmd, 2+datalen, response, sizeof(response));
179 // ACK
180 if ( response[0] == 0x0a ) return 0;
181 // NACK
182 return -1;
183 }
184
185 static int ulc_requestAuthentication( uint8_t *nonce, uint16_t nonceLength ){
186
187 uint8_t cmd[] = {MIFARE_ULC_AUTH_1, 0x00};
188 int len = ul_send_cmd_raw(cmd, sizeof(cmd), nonce, nonceLength);
189 return len;
190 }
191
192 static int ulc_authentication( uint8_t *key, bool switch_off_field ){
193
194 UsbCommand c = {CMD_MIFAREUC_AUTH, {switch_off_field}};
195 memcpy(c.d.asBytes, key, 16);
196 SendCommand(&c);
197 UsbCommand resp;
198 if ( !WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) return 0;
199 if ( resp.arg[0] == 1 ) return 1;
200
201 return 0;
202 }
203
204 static int ulev1_requestAuthentication( uint8_t *pwd, uint8_t *pack, uint16_t packLength ){
205
206 uint8_t cmd[] = {MIFARE_ULEV1_AUTH, pwd[0], pwd[1], pwd[2], pwd[3]};
207 int len = ul_send_cmd_raw(cmd, sizeof(cmd), pack, packLength);
208 return len;
209 }
210
211 static int ul_auth_select( iso14a_card_select_t *card, TagTypeUL_t tagtype, bool hasAuthKey, uint8_t *authenticationkey, uint8_t *pack, uint8_t packSize){
212 if ( hasAuthKey && (tagtype & UL_C)) {
213 //will select card automatically and close connection on error
214 if (!ulc_authentication(authenticationkey, false)) {
215 PrintAndLog("Error: Authentication Failed UL-C");
216 return 0;
217 }
218
219 memcpy(card, resp.d.asBytes, sizeof(iso14a_card_select_t));
220 return 1;
221 }
222
223 // This read command will at least return 16bytes.
224 static int ul_read( uint8_t page, uint8_t *response, uint16_t responseLength ){
225
226 uint8_t cmd[] = {ISO14443A_CMD_READBLOCK, page};
227 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
228 return len;
229 }
230
231 static int ul_comp_write( uint8_t page, uint8_t *data, uint8_t datalen ){
232
233 uint8_t cmd[18];
234 memset(cmd, 0x00, sizeof(cmd));
235 datalen = ( datalen > 16) ? 16 : datalen;
236
237 cmd[0] = ISO14443A_CMD_WRITEBLOCK;
238 cmd[1] = page;
239 memcpy(cmd+2, data, datalen);
240
241 uint8_t response[1] = {0xff};
242 ul_send_cmd_raw(cmd, 2+datalen, response, sizeof(response));
243 // ACK
244 if ( response[0] == 0x0a ) return 0;
245 // NACK
246 return -1;
247 }
248
249 static int ulc_requestAuthentication( uint8_t *nonce, uint16_t nonceLength ){
250
251 uint8_t cmd[] = {MIFARE_ULC_AUTH_1, 0x00};
252 int len = ul_send_cmd_raw(cmd, sizeof(cmd), nonce, nonceLength);
253 return len;
254 }
255
256 static int ulc_authentication( uint8_t *key, bool switch_off_field ){
257
258 UsbCommand c = {CMD_MIFAREUC_AUTH, {switch_off_field}};
259 memcpy(c.d.asBytes, key, 16);
260 SendCommand(&c);
261 UsbCommand resp;
262 if ( !WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) return 0;
263 if ( resp.arg[0] == 1 ) return 1;
264
265 return 0;
266 }
267
268 static int ulev1_requestAuthentication( uint8_t *pwd, uint8_t *pack, uint16_t packLength ){
269
270 uint8_t cmd[] = {MIFARE_ULEV1_AUTH, pwd[0], pwd[1], pwd[2], pwd[3]};
271 int len = ul_send_cmd_raw(cmd, sizeof(cmd), pack, packLength);
272 return len;
273 }
274
275 static int ul_auth_select( iso14a_card_select_t *card, TagTypeUL_t tagtype, bool hasAuthKey, uint8_t *authenticationkey, uint8_t *pack, uint8_t packSize){
276 if ( hasAuthKey && (tagtype & UL_C)) {
277 //will select card automatically and close connection on error
278 if (!ulc_authentication(authenticationkey, false)) {
279 PrintAndLog("Error: Authentication Failed UL-C");
280 return 0;
281 }
282 } else {
283 if ( !ul_select(card) ) return 0;
284
285 if (hasAuthKey) {
286 if (ulev1_requestAuthentication(authenticationkey, pack, packSize) < 1) {
287 ul_switch_off_field();
288 PrintAndLog("Error: Authentication Failed UL-EV1/NTAG");
289 return 0;
290 }
291 }
292 }
293 return 1;
294 }
295
296 static int ulev1_getVersion( uint8_t *response, uint16_t responseLength ){
297
298 uint8_t cmd[] = {MIFARE_ULEV1_VERSION};
299 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
300 return len;
301 }
302
303 // static int ulev1_fastRead( uint8_t startblock, uint8_t endblock, uint8_t *response ){
304
305 // uint8_t cmd[] = {MIFARE_ULEV1_FASTREAD, startblock, endblock};
306
307 // if ( !ul_send_cmd_raw(cmd, sizeof(cmd), response)){
308 // return -1;
309 // }
310 // return 0;
311 // }
312
313 static int ulev1_readCounter( uint8_t counter, uint8_t *response, uint16_t responseLength ){
314
315 uint8_t cmd[] = {MIFARE_ULEV1_READ_CNT, counter};
316 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
317 return len;
318 }
319
320 static int ulev1_readTearing( uint8_t counter, uint8_t *response, uint16_t responseLength ){
321
322 uint8_t cmd[] = {MIFARE_ULEV1_CHECKTEAR, counter};
323 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
324 return len;
325 }
326
327 static int ulev1_readSignature( uint8_t *response, uint16_t responseLength ){
328
329 uint8_t cmd[] = {MIFARE_ULEV1_READSIG, 0x00};
330 int len = ul_send_cmd_raw(cmd, sizeof(cmd), response, responseLength);
331 return len;
332 }
333
334 static int ul_print_default( uint8_t *data){
335
336 uint8_t uid[7];
337 uid[0] = data[0];
338 uid[1] = data[1];
339 uid[2] = data[2];
340 uid[3] = data[4];
341 uid[4] = data[5];
342 uid[5] = data[6];
343 uid[6] = data[7];
344
345 PrintAndLog(" UID : %s ", sprint_hex(uid, 7));
346 PrintAndLog(" UID[0] : %02X, Manufacturer: %s", uid[0], getTagInfo(uid[0]) );
347 if ( uid[0] == 0x05 ) {
348 uint8_t chip = (data[8] & 0xC7); // 11000111 mask, bit 3,4,5 RFU
349 switch (chip){
350 case 0xc2: PrintAndLog(" IC type : SLE 66R04P"); break;
351 case 0xc4: PrintAndLog(" IC type : SLE 66R16P"); break;
352 case 0xc6: PrintAndLog(" IC type : SLE 66R32P"); break;
353 }
354 }
355 // CT (cascade tag byte) 0x88 xor SN0 xor SN1 xor SN2
356 int crc0 = 0x88 ^ data[0] ^ data[1] ^data[2];
357 if ( data[3] == crc0 )
358 PrintAndLog(" BCC0 : %02X, Ok", data[3]);
359 else
360 PrintAndLog(" BCC0 : %02X, crc should be %02X", data[3], crc0);
361
362 int crc1 = data[4] ^ data[5] ^ data[6] ^data[7];
363 if ( data[8] == crc1 )
364 PrintAndLog(" BCC1 : %02X, Ok", data[8]);
365 else
366 PrintAndLog(" BCC1 : %02X, crc should be %02X", data[8], crc1 );
367
368 PrintAndLog(" Internal : %02X, %sdefault", data[9], (data[9]==0x48)?"":"not " );
369
370 PrintAndLog(" Lock : %s - %s",
371 sprint_hex(data+10, 2),
372 printBits(2, data+10)
373 );
374
375 PrintAndLog("OneTimePad : %s - %s\n",
376 sprint_hex(data + 12, 4),
377 printBits(4, data+12)
378 );
379
380 return 0;
381 }
382
383 static int ndef_print_CC(uint8_t *data) {
384 // no NDEF message
385 if(data[0] != 0xe1)
386 return -1;
387
388 PrintAndLog("--- NDEF Message");
389 PrintAndLog("Capability Container: %s", sprint_hex(data,4) );
390 PrintAndLog(" %02X : NDEF Magic Number", data[0]);
391 PrintAndLog(" %02X : version %d.%d supported by tag", data[1], (data[1] & 0xF0) >> 4, data[1] & 0x0f);
392 PrintAndLog(" %02X : Physical Memory Size: %d bytes", data[2], (data[2] + 1) * 8);
393 if ( data[2] == 0x12 )
394 PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 144);
395 else if ( data[2] == 0x3e )
396 PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 496);
397 else if ( data[2] == 0x6d )
398 PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 872);
399
400 PrintAndLog(" %02X : %s / %s", data[3],
401 (data[3] & 0xF0) ? "(RFU)" : "Read access granted without any security",
402 (data[3] & 0x0F)==0 ? "Write access granted without any security" : (data[3] & 0x0F)==0x0F ? "No write access granted at all" : "(RFU)");
403 return 0;
404 }
405
406 int ul_print_type(uint32_t tagtype, uint8_t spaces){
407 char spc[11] = " ";
408 spc[10]=0x00;
409 char *spacer = spc + (10-spaces);
410
411 if ( tagtype & UL )
412 PrintAndLog("%sTYPE : MIFARE Ultralight (MF0ICU1) %s", spacer, (tagtype & MAGIC) ? "<magic>" : "" );
413 else if ( tagtype & UL_C)
414 PrintAndLog("%sTYPE : MIFARE Ultralight C (MF0ULC) %s", spacer, (tagtype & MAGIC) ? "<magic>" : "" );
415 else if ( tagtype & UL_EV1_48)
416 PrintAndLog("%sTYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)", spacer);
417 else if ( tagtype & UL_EV1_128)
418 PrintAndLog("%sTYPE : MIFARE Ultralight EV1 128bytes (MF0UL2101)", spacer);
419 else if ( tagtype & NTAG )
420 PrintAndLog("%sTYPE : NTAG UNKNOWN", spacer);
421 else if ( tagtype & NTAG_203 )
422 PrintAndLog("%sTYPE : NTAG 203 144bytes (NT2H0301F0DT)", spacer);
423 else if ( tagtype & NTAG_210 )
424 PrintAndLog("%sTYPE : NTAG 210 48bytes (NT2L1011G0DU)", spacer);
425 else if ( tagtype & NTAG_212 )
426 PrintAndLog("%sTYPE : NTAG 212 128bytes (NT2L1211G0DU)", spacer);
427 else if ( tagtype & NTAG_213 )
428 PrintAndLog("%sTYPE : NTAG 213 144bytes (NT2H1311G0DU)", spacer);
429 else if ( tagtype & NTAG_215 )
430 PrintAndLog("%sTYPE : NTAG 215 504bytes (NT2H1511G0DU)", spacer);
431 else if ( tagtype & NTAG_216 )
432 PrintAndLog("%sTYPE : NTAG 216 888bytes (NT2H1611G0DU)", spacer);
433 else if ( tagtype & NTAG_I2C_1K )
434 PrintAndLog("%sTYPE : NTAG I%sC 888bytes (NT3H1101FHK)", spacer, "\xFD");
435 else if ( tagtype & NTAG_I2C_2K )
436 PrintAndLog("%sTYPE : NTAG I%sC 1904bytes (NT3H1201FHK)", spacer, "\xFD");
437 else if ( tagtype & MY_D )
438 PrintAndLog("%sTYPE : INFINEON my-d\x99", spacer);
439 else if ( tagtype & MY_D_NFC )
440 PrintAndLog("%sTYPE : INFINEON my-d\x99 NFC", spacer);
441 else if ( tagtype & MY_D_MOVE )
442 PrintAndLog("%sTYPE : INFINEON my-d\x99 move", spacer);
443 else if ( tagtype & MY_D_MOVE_NFC )
444 PrintAndLog("%sTYPE : INFINEON my-d\x99 move NFC", spacer);
445 else
446 PrintAndLog("%sTYPE : Unknown %06x", spacer, tagtype);
447 return 0;
448 }
449
450 static int ulc_print_3deskey( uint8_t *data){
451 PrintAndLog(" deskey1 [44/0x2C] : %s [%.4s]", sprint_hex(data ,4),data);
452 PrintAndLog(" deskey1 [45/0x2D] : %s [%.4s]", sprint_hex(data+4 ,4),data+4);
453 PrintAndLog(" deskey2 [46/0x2E] : %s [%.4s]", sprint_hex(data+8 ,4),data+8);
454 PrintAndLog(" deskey2 [47/0x2F] : %s [%.4s]", sprint_hex(data+12,4),data+12);
455 PrintAndLog("\n 3des key : %s", sprint_hex(SwapEndian64(data, 16, 8), 16));
456 return 0;
457 }
458
459 static int ulc_print_configuration( uint8_t *data){
460
461 PrintAndLog("--- UL-C Configuration");
462 PrintAndLog(" Higher Lockbits [40/0x28] : %s - %s", sprint_hex(data, 4), printBits(2, data));
463 PrintAndLog(" Counter [41/0x29] : %s - %s", sprint_hex(data+4, 4), printBits(2, data+4));
464
465 bool validAuth = (data[8] >= 0x03 && data[8] <= 0x30);
466 if ( validAuth )
467 PrintAndLog(" Auth0 [42/0x2A] : %s page %d/0x%02X and above need authentication", sprint_hex(data+8, 4), data[8],data[8] );
468 else{
469 if ( data[8] == 0){
470 PrintAndLog(" Auth0 [42/0x2A] : %s default", sprint_hex(data+8, 4) );
471 } else {
472 PrintAndLog(" Auth0 [42/0x2A] : %s auth byte is out-of-range", sprint_hex(data+8, 4) );
473 }
474 }
475 PrintAndLog(" Auth1 [43/0x2B] : %s %s",
476 sprint_hex(data+12, 4),
477 (data[12] & 1) ? "write access restricted": "read and write access restricted"
478 );
479 return 0;
480 }
481
482 static int ulev1_print_configuration( uint8_t *data, uint8_t startPage){
483
484 PrintAndLog("\n--- Tag Configuration");
485
486 bool strg_mod_en = (data[0] & 2);
487 uint8_t authlim = (data[4] & 0x07);
488 bool cfglck = (data[4] & 0x40);
489 bool prot = (data[4] & 0x80);
490 uint8_t vctid = data[5];
491
492 PrintAndLog(" cfg0 [%u/0x%02X] : %s", startPage, startPage, sprint_hex(data, 4));
493 if ( data[3] < 0xff )
494 PrintAndLog(" - page %d and above need authentication",data[3]);
495 else
496 PrintAndLog(" - pages don't need authentication");
497 PrintAndLog(" - strong modulation mode %s", (strg_mod_en) ? "enabled":"disabled");
498 PrintAndLog(" cfg1 [%u/0x%02X] : %s", startPage + 1, startPage + 1, sprint_hex(data+4, 4) );
499 if ( authlim == 0)
500 PrintAndLog(" - Unlimited password attempts");
501 else
502 PrintAndLog(" - Max number of password attempts is %d", authlim);
503 PrintAndLog(" - user configuration %s", cfglck ? "permanently locked":"writeable");
504 PrintAndLog(" - %s access is protected with password", prot ? "read and write":"write");
505 PrintAndLog(" - %02X, Virtual Card Type Identifier is %s default", vctid, (vctid==0x05)? "":"not");
506 PrintAndLog(" PWD [%u/0x%02X] : %s- (cannot be read)", startPage + 2, startPage + 2, sprint_hex(data+8, 4));
507 PrintAndLog(" PACK [%u/0x%02X] : %s - (cannot be read)", startPage + 3, startPage + 3, sprint_hex(data+12, 2));
508 PrintAndLog(" RFU [%u/0x%02X] : %s- (cannot be read)", startPage + 3, startPage + 3, sprint_hex(data+12, 2));
509 return 0;
510 }
511
512 static int ulev1_print_counters(){
513 PrintAndLog("--- Tag Counters");
514 uint8_t tear[1] = {0};
515 uint8_t counter[3] = {0,0,0};
516 uint16_t len = 0;
517 for ( uint8_t i = 0; i<3; ++i) {
518 ulev1_readTearing(i,tear,sizeof(tear));
519 len = ulev1_readCounter(i,counter, sizeof(counter) );
520 if (len == 3) {
521 PrintAndLog(" [%0d] : %s", i, sprint_hex(counter,3));
522 PrintAndLog(" - %02X tearing %s", tear[0], ( tear[0]==0xBD)?"Ok":"failure");
523 }
524 }
525 return len;
526 }
527
528 static int ulev1_print_signature( uint8_t *data, uint8_t len){
529 PrintAndLog("\n--- Tag Signature");
530 //PrintAndLog("IC signature public key name : NXP NTAG21x 2013"); // don't know if there is other NXP public keys.. :(
531 PrintAndLog("IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61");
532 PrintAndLog(" Elliptic curve parameters : secp128r1");
533 PrintAndLog(" Tag ECC Signature : %s", sprint_hex(data, len));
534 //to do: verify if signature is valid
535 //PrintAndLog("IC signature status: %s valid", (iseccvalid() )?"":"not");
536 return 0;
537 }
538
539 static int ulev1_print_version(uint8_t *data){
540 PrintAndLog("\n--- Tag Version");
541 PrintAndLog(" Raw bytes : %s",sprint_hex(data, 8) );
542 PrintAndLog(" Vendor ID : %02X, %s", data[1], getTagInfo(data[1]));
543 PrintAndLog(" Product type : %s", getProductTypeStr(data[2]));
544 PrintAndLog(" Product subtype : %02X, %s", data[3], (data[3]==1) ?"17 pF":"50pF");
545 PrintAndLog(" Major version : %02X", data[4]);
546 PrintAndLog(" Minor version : %02X", data[5]);
547 PrintAndLog(" Size : %s", getUlev1CardSizeStr(data[6]));
548 PrintAndLog(" Protocol type : %02X", data[7]);
549 return 0;
550 }
551
552 /*
553 static int ulc_magic_test(){
554 // Magic Ultralight test
555 // Magic UL-C, by observation,
556 // 1) it seems to have a static nonce response to 0x1A command.
557 // 2) the deskey bytes is not-zero:d out on as datasheet states.
558 // 3) UID - changeable, not only, but pages 0-1-2-3.
559 // 4) use the ul_magic_test ! magic tags answers specially!
560 int returnValue = UL_ERROR;
561 iso14a_card_select_t card;
562 uint8_t nonce1[11] = {0x00};
563 uint8_t nonce2[11] = {0x00};
564 int status = ul_select(&card);
565 if ( !status ){
566 return UL_ERROR;
567 }
568 status = ulc_requestAuthentication(nonce1, sizeof(nonce1));
569 if ( status > 0 ) {
570 status = ulc_requestAuthentication(nonce2, sizeof(nonce2));
571 returnValue = ( !memcmp(nonce1, nonce2, 11) ) ? UL_C_MAGIC : UL_C;
572 } else {
573 returnValue = UL;
574 }
575 ul_switch_off_field();
576 return returnValue;
577 }
578 */
579 static int ul_magic_test(){
580
581 // Magic Ultralight tests
582 // 1) take present UID, and try to write it back. OBSOLETE
583 // 2) make a wrong length write to page0, and see if tag answers with ACK/NACK:
584 iso14a_card_select_t card;
585 if ( !ul_select(&card) )
586 return UL_ERROR;
587 int status = ul_comp_write(0, NULL, 0);
588 ul_switch_off_field();
589 if ( status == 0 )
590 return MAGIC;
591 return 0;
592 }
593
594 uint32_t GetHF14AMfU_Type(void){
595
596 TagTypeUL_t tagtype = UNKNOWN;
597 iso14a_card_select_t card;
598 uint8_t version[10] = {0x00};
599 int status = 0;
600 int len;
601
602 if (!ul_select(&card)) return UL_ERROR;
603
604 // Ultralight - ATQA / SAK
605 if ( card.atqa[1] != 0x00 || card.atqa[0] != 0x44 || card.sak != 0x00 ) {
606 PrintAndLog("Tag is not Ultralight | NTAG | MY-D [ATQA: %02X %02X SAK: %02X]\n", card.atqa[1], card.atqa[0], card.sak);
607 ul_switch_off_field();
608 return UL_ERROR;
609 }
610
611 if ( card.uid[0] != 0x05) {
612
613 len = ulev1_getVersion(version, sizeof(version));
614 ul_switch_off_field();
615
616 switch (len) {
617 case 0x0A: {
618
619 if ( version[2] == 0x03 && version[6] == 0x0B )
620 tagtype = UL_EV1_48;
621 else if ( version[2] == 0x03 && version[6] != 0x0B )
622 tagtype = UL_EV1_128;
623 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0B )
624 tagtype = NTAG_210;
625 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0E )
626 tagtype = NTAG_212;
627 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x0F )
628 tagtype = NTAG_213;
629 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x11 )
630 tagtype = NTAG_215;
631 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x13 )
632 tagtype = NTAG_216;
633 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x13 )
634 tagtype = NTAG_I2C_1K;
635 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x15 )
636 tagtype = NTAG_I2C_2K;
637 else if ( version[2] == 0x04 )
638 tagtype = NTAG;
639
640 break;
641 }
642 case 0x01: tagtype = UL_C; break;
643 case 0x00: tagtype = UL; break;
644 case -1 : tagtype = (UL | UL_C | NTAG_203); break; // could be UL | UL_C magic tags
645 default : tagtype = UNKNOWN; break;
646 }
647 // UL vs UL-C vs ntag203 test
648 if (tagtype & (UL | UL_C | NTAG_203)) {
649 if ( !ul_select(&card) ) return UL_ERROR;
650
651 // do UL_C check first...
652 uint8_t nonce[11] = {0x00};
653 status = ulc_requestAuthentication(nonce, sizeof(nonce));
654 ul_switch_off_field();
655 if (status > 1) {
656 tagtype = UL_C;
657 } else {
658 // need to re-select after authentication error
659 if ( !ul_select(&card) ) return UL_ERROR;
660
661 uint8_t data[16] = {0x00};
662 // read page 0x26-0x29 (last valid ntag203 page)
663 status = ul_read(0x26, data, sizeof(data));
664 if ( status <= 1 ) {
665 tagtype = UL;
666 } else {
667 // read page 0x30 (should error if it is a ntag203)
668 status = ul_read(0x30, data, sizeof(data));
669 if ( status <= 1 ){
670 tagtype = NTAG_203;
671 } else {
672 tagtype = UNKNOWN;
673 }
674 }
675 ul_switch_off_field();
676 }
677 }
678 } else {
679 // Infinition MY-D tests Exam high nibble
680 uint8_t nib = (card.uid[1] & 0xf0) >> 4;
681 switch ( nib ){
682 case 1: tagtype = MY_D; break;
683 case 2: tagtype = (MY_D | MY_D_NFC); break; //notice: we can not currently distinguish between these two
684 case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //notice: we can not currently distinguish between these two
685 }
686 }
687
688 tagtype |= ul_magic_test();
689 if (tagtype == (UNKNOWN | MAGIC)) tagtype = (UL_MAGIC);
690 return tagtype;
691 }
692
693 int CmdHF14AMfUInfo(const char *Cmd){
694
695 uint8_t authlim = 0xff;
696 uint8_t data[16] = {0x00};
697 iso14a_card_select_t card;
698 int status;
699 bool errors = false;
700 bool hasAuthKey = false;
701 bool locked = false;
702 bool swapEndian = false;
703 uint8_t cmdp = 0;
704 uint8_t dataLen = 0;
705 uint8_t authenticationkey[16] = {0x00};
706 uint8_t *authkeyptr = authenticationkey;
707 uint8_t *key;
708 uint8_t pack[4] = {0,0,0,0};
709 int len = 0;
710 char tempStr[50];
711
712 while(param_getchar(Cmd, cmdp) != 0x00)
713 {
714 switch(param_getchar(Cmd, cmdp))
715 {
716 case 'h':
717 case 'H':
718 return usage_hf_mfu_info();
719 case 'k':
720 case 'K':
721 dataLen = param_getstr(Cmd, cmdp+1, tempStr);
722 if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
723 errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
724 dataLen /= 2; // handled as bytes from now on
725 } else {
726 PrintAndLog("\nERROR: Key is incorrect length\n");
727 errors = true;
728 }
729 cmdp += 2;
730 hasAuthKey = true;
731 break;
732 case 'l':
733 case 'L':
734 swapEndian = true;
735 cmdp++;
736 break;
737 default:
738 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
739 errors = true;
740 break;
741 }
742 if(errors) break;
743 }
744
745 //Validations
746 if(errors) return usage_hf_mfu_info();
747
748 TagTypeUL_t tagtype = GetHF14AMfU_Type();
749 if (tagtype == UL_ERROR) return -1;
750
751 PrintAndLog("\n--- Tag Information ---------");
752 PrintAndLog("-------------------------------------------------------------");
753 ul_print_type(tagtype, 6);
754
755 // Swap endianness
756 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4 );
757
758 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
759
760 // read pages 0,1,2,3 (should read 4pages)
761 status = ul_read(0, data, sizeof(data));
762 if ( status == -1 ) {
763 ul_switch_off_field();
764 PrintAndLog("Error: tag didn't answer to READ");
765 return status;
766 } else if (status == 16) {
767 ul_print_default(data);
768 ndef_print_CC(data+12);
769 } else {
770 locked = true;
771 }
772
773 // UL_C Specific
774 if ((tagtype & UL_C)) {
775
776 // read pages 0x28, 0x29, 0x2A, 0x2B
777 uint8_t ulc_conf[16] = {0x00};
778 status = ul_read(0x28, ulc_conf, sizeof(ulc_conf));
779 if ( status == -1 ){
780 PrintAndLog("Error: tag didn't answer to READ UL-C");
781 ul_switch_off_field();
782 return status;
783 }
784 if (status == 16) ulc_print_configuration(ulc_conf);
785 else locked = true;
786
787 if ((tagtype & MAGIC)) {
788 //just read key
789 uint8_t ulc_deskey[16] = {0x00};
790 status = ul_read(0x2C, ulc_deskey, sizeof(ulc_deskey));
791 if ( status == -1 ) {
792 ul_switch_off_field();
793 PrintAndLog("Error: tag didn't answer to READ magic");
794 return status;
795 }
796 if (status == 16) ulc_print_3deskey(ulc_deskey);
797
798 } else {
799 ul_switch_off_field();
800 // if we called info with key, just return
801 if ( hasAuthKey ) return 1;
802
803 // also try to diversify default keys.. look into CmdHF14AMfuGenDiverseKeys
804 PrintAndLog("Trying some default 3des keys");
805 for (uint8_t i = 0; i < KEYS_3DES_COUNT; ++i ) {
806 key = default_3des_keys[i];
807 if (ulc_authentication(key, true)) {
808 PrintAndLog("Found default 3des key: ");
809 uint8_t keySwap[16];
810 memcpy(keySwap, SwapEndian64(key,16,8), 16);
811 ulc_print_3deskey(keySwap);
812 return 1;
813 }
814 }
815 return 1;
816 }
817 }
818
819 // do counters and signature first (don't neet auth)
820
821 // ul counters are different than ntag counters
822 if ((tagtype & (UL_EV1_48 | UL_EV1_128))) {
823 if (ulev1_print_counters() != 3) {
824 // failed - re-select
825 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
826 }
827 }
828
829 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K ))) {
830 uint8_t ulev1_signature[32] = {0x00};
831 status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature));
832 if ( status == -1 ) {
833 PrintAndLog("Error: tag didn't answer to READ SIGNATURE");
834 ul_switch_off_field();
835 return status;
836 }
837 if (status == 32) ulev1_print_signature( ulev1_signature, sizeof(ulev1_signature));
838 else {
839 // re-select
840 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
841 }
842 }
843
844 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_210 | NTAG_212 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K))) {
845 uint8_t version[10] = {0x00};
846 status = ulev1_getVersion(version, sizeof(version));
847 if ( status == -1 ) {
848 PrintAndLog("Error: tag didn't answer to GETVERSION");
849 ul_switch_off_field();
850 return status;
851 } else if (status == 10) {
852 ulev1_print_version(version);
853 } else {
854 locked = true;
855 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
856 }
857
858 uint8_t startconfigblock = 0;
859 uint8_t ulev1_conf[16] = {0x00};
860 // config blocks always are last 4 pages
861 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
862 if (tagtype & UL_TYPES_ARRAY[idx])
863 startconfigblock = UL_MEMORY_ARRAY[idx]-3;
864
865 if (startconfigblock){ // if we know where the config block is...
866 status = ul_read(startconfigblock, ulev1_conf, sizeof(ulev1_conf));
867 if ( status == -1 ) {
868 PrintAndLog("Error: tag didn't answer to READ EV1");
869 ul_switch_off_field();
870 return status;
871 } else if (status == 16) {
872 // save AUTHENTICATION LIMITS for later:
873 authlim = (ulev1_conf[4] & 0x07);
874 ulev1_print_configuration(ulev1_conf, startconfigblock);
875 }
876 }
877
878 // AUTHLIMIT, (number of failed authentications)
879 // 0 = limitless.
880 // 1-7 = limit. No automatic tries then.
881 // hasAuthKey, if we was called with key, skip test.
882 if ( !authlim && !hasAuthKey ) {
883 PrintAndLog("\n--- Known EV1/NTAG passwords.");
884 len = 0;
885 for (uint8_t i = 0; i < KEYS_PWD_COUNT; ++i ) {
886 key = default_pwd_pack[i];
887 len = ulev1_requestAuthentication(key, pack, sizeof(pack));
888 if (len >= 1) {
889 PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]);
890 break;
891 } else {
892 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
893 }
894 }
895 if (len < 1) PrintAndLog("password not known");
896 }
897 }
898
899 ul_switch_off_field();
900 if (locked) PrintAndLog("\nTag appears to be locked, try using the key to get more info");
901 PrintAndLog("");
902 return 1;
903 }
904
905 //
906 // Mifare Ultralight Write Single Block
907 //
908 int CmdHF14AMfUWrBl(const char *Cmd){
909 uint8_t blockNo = -1;
910 bool chinese_card = FALSE;
911 uint8_t bldata[16] = {0x00};
912 UsbCommand resp;
913
914 PrintAndLog("\n--- Tag Configuration");
915
916 bool strg_mod_en = (data[0] & 2);
917 uint8_t authlim = (data[4] & 0x07);
918 bool cfglck = (data[4] & 0x40);
919 bool prot = (data[4] & 0x80);
920 uint8_t vctid = data[5];
921
922 PrintAndLog(" cfg0 [16/0x10]: %s", sprint_hex(data, 4));
923 if ( data[3] < 0xff )
924 PrintAndLog(" - page %d and above need authentication",data[3]);
925 else
926 PrintAndLog(" - pages don't need authentication");
927 PrintAndLog(" - strong modulation mode %s", (strg_mod_en) ? "enabled":"disabled");
928 PrintAndLog(" cfg1 [17/0x11]: %s", sprint_hex(data+4, 4) );
929 if ( authlim == 0)
930 PrintAndLog(" - Unlimited password attempts");
931 else
932 PrintAndLog(" - Max number of password attempts is %d", authlim);
933 PrintAndLog(" - user configuration %s", cfglck ? "permanently locked":"writeable");
934 PrintAndLog(" - %s access is protected with password", prot ? "read and write":"write");
935 PrintAndLog(" %02X - Virtual Card Type Identifier is %s default", vctid, (vctid==0x05)? "":"not");
936 PrintAndLog(" PWD [18/0x12]: %s", sprint_hex(data+8, 4));
937 PrintAndLog(" PACK [19/0x13]: %s", sprint_hex(data+12, 4));
938 return 0;
939 }
940
941 static int ulev1_print_counters(){
942 PrintAndLog("--- Tag Counters");
943 uint8_t tear[1] = {0};
944 uint8_t counter[3] = {0,0,0};
945 uint16_t len = 0;
946 for ( uint8_t i = 0; i<3; ++i) {
947 ulev1_readTearing(i,tear,sizeof(tear));
948 len = ulev1_readCounter(i,counter, sizeof(counter) );
949 if (len == 3) {
950 PrintAndLog(" [%0d] : %s", i, sprint_hex(counter,3));
951 PrintAndLog(" - %02X tearing %s", tear[0], ( tear[0]==0xBD)?"Ok":"failure");
952 }
953 }
954 return len;
955 }
956
957 static int ulev1_print_signature( uint8_t *data, uint8_t len){
958 PrintAndLog("\n--- Tag Signature");
959 //PrintAndLog("IC signature public key name : NXP NTAG21x 2013"); // don't know if there is other NXP public keys.. :(
960 PrintAndLog("IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61");
961 PrintAndLog(" Elliptic curve parameters : secp128r1");
962 PrintAndLog(" Tag ECC Signature : %s", sprint_hex(data, len));
963 //to do: verify if signature is valid
964 //PrintAndLog("IC signature status: %s valid", (iseccvalid() )?"":"not");
965 return 0;
966 }
967
968 static int ulev1_print_version(uint8_t *data){
969 PrintAndLog("\n--- Tag Version");
970 PrintAndLog(" Raw bytes : %s", sprint_hex(data, 8) );
971 PrintAndLog(" Vendor ID : %02X, %s", data[1], getTagInfo(data[1]));
972 PrintAndLog(" Product type : %s" , getProductTypeStr(data[2]));
973 PrintAndLog(" Product subtype : %02X, %s" , data[3], (data[3]==1) ?"17 pF":"50pF");
974 PrintAndLog(" Major version : %02X" , data[4]);
975 PrintAndLog(" Minor version : %02X" , data[5]);
976 PrintAndLog(" Size : %s", getUlev1CardSizeStr(data[6]));
977 PrintAndLog(" Protocol type : %02X" , data[7]);
978 return 0;
979 }
980
981 /*
982 static int ulc_magic_test(){
983 // Magic Ultralight test
984 // Magic UL-C, by observation,
985 // 1) it seems to have a static nonce response to 0x1A command.
986 // 2) the deskey bytes is not-zero:d out on as datasheet states.
987 // 3) UID - changeable, not only, but pages 0-1-2-3.
988 // 4) use the ul_magic_test ! magic tags answers specially!
989 int returnValue = UL_ERROR;
990 iso14a_card_select_t card;
991 uint8_t nonce1[11] = {0x00};
992 uint8_t nonce2[11] = {0x00};
993 int status = ul_select(&card);
994 if ( !status ){
995 return UL_ERROR;
996 }
997 status = ulc_requestAuthentication(nonce1, sizeof(nonce1));
998 if ( status > 0 ) {
999 status = ulc_requestAuthentication(nonce2, sizeof(nonce2));
1000 returnValue = ( !memcmp(nonce1, nonce2, 11) ) ? UL_C_MAGIC : UL_C;
1001 } else {
1002 returnValue = UL;
1003 }
1004 ul_switch_off_field();
1005 return returnValue;
1006 }
1007 */
1008 static int ul_magic_test(){
1009
1010 // Magic Ultralight tests
1011 // 1) take present UID, and try to write it back. OBSOLETE
1012 // 2) make a wrong length write to page0, and see if tag answers with ACK/NACK:
1013 iso14a_card_select_t card;
1014 if ( !ul_select(&card) )
1015 return UL_ERROR;
1016 int status = ul_comp_write(0, NULL, 0);
1017 ul_switch_off_field();
1018 if ( status == 0 )
1019 return MAGIC;
1020 return 0;
1021 }
1022
1023 if (blockNo > MAX_UL_BLOCKS){
1024 PrintAndLog("Error: Maximum number of blocks is 15 for Ultralight Cards!");
1025 return 1;
1026 }
1027
1028 if ( card.uid[0] != 0x05) {
1029
1030 len = ulev1_getVersion(version, sizeof(version));
1031 ul_switch_off_field();
1032
1033 switch (len) {
1034 case 0x0A: {
1035
1036 if ( version[2] == 0x03 && version[6] == 0x0B )
1037 tagtype = UL_EV1_48;
1038 else if ( version[2] == 0x03 && version[6] != 0x0B )
1039 tagtype = UL_EV1_128;
1040 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0B )
1041 tagtype = NTAG_210;
1042 else if ( version[2] == 0x04 && version[3] == 0x01 && version[6] == 0x0E )
1043 tagtype = NTAG_212;
1044 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x0F )
1045 tagtype = NTAG_213;
1046 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x11 )
1047 tagtype = NTAG_215;
1048 else if ( version[2] == 0x04 && version[3] == 0x02 && version[6] == 0x13 )
1049 tagtype = NTAG_216;
1050 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x13 )
1051 tagtype = NTAG_I2C_1K;
1052 else if ( version[2] == 0x04 && version[3] == 0x05 && version[6] == 0x15 )
1053 tagtype = NTAG_I2C_2K;
1054 else if ( version[2] == 0x04 )
1055 tagtype = NTAG;
1056
1057 break;
1058 }
1059 case 0x01: tagtype = UL_C; break;
1060 case 0x00: tagtype = UL; break;
1061 case -1 : tagtype = (UL | UL_C | NTAG_203); break; // could be UL | UL_C magic tags
1062 default : tagtype = UNKNOWN; break;
1063 }
1064 // UL vs UL-C vs ntag203 test
1065 if (tagtype & (UL | UL_C | NTAG_203)) {
1066 if ( !ul_select(&card) ) return UL_ERROR;
1067
1068 // do UL_C check first...
1069 uint8_t nonce[11] = {0x00};
1070 status = ulc_requestAuthentication(nonce, sizeof(nonce));
1071 ul_switch_off_field();
1072 if (status > 1) {
1073 tagtype = UL_C;
1074 } else {
1075 // need to re-select after authentication error
1076 if ( !ul_select(&card) ) return UL_ERROR;
1077
1078 uint8_t data[16] = {0x00};
1079 // read page 0x26-0x29 (last valid ntag203 page)
1080 status = ul_read(0x26, data, sizeof(data));
1081 if ( status <= 1 ) {
1082 tagtype = UL;
1083 } else {
1084 // read page 0x30 (should error if it is a ntag203)
1085 status = ul_read(0x30, data, sizeof(data));
1086 if ( status <= 1 ){
1087 tagtype = NTAG_203;
1088 } else {
1089 tagtype = UNKNOWN;
1090 }
1091 }
1092 ul_switch_off_field();
1093 }
1094 }
1095 } else {
1096 // Infinition MY-D tests Exam high nibble
1097 uint8_t nib = (card.uid[1] & 0xf0) >> 4;
1098 switch ( nib ){
1099 case 1: tagtype = MY_D; break;
1100 case 2: tagtype = (MY_D | MY_D_NFC); break; //notice: we can not currently distinguish between these two
1101 case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //notice: we can not currently distinguish between these two
1102 }
1103 }
1104
1105
1106 tagtype |= ul_magic_test();
1107 if (tagtype == (UNKNOWN | MAGIC)) tagtype = (UL_MAGIC);
1108 return tagtype;
1109 }
1110
1111 int CmdHF14AMfUInfo(const char *Cmd){
1112
1113 uint8_t authlim = 0xff;
1114 uint8_t data[16] = {0x00};
1115 iso14a_card_select_t card;
1116 int status;
1117 bool errors = false;
1118 bool hasAuthKey = false;
1119 bool locked = false;
1120 bool swapEndian = false;
1121 uint8_t cmdp = 0;
1122 uint8_t dataLen = 0;
1123 uint8_t authenticationkey[16] = {0x00};
1124 uint8_t *authkeyptr = authenticationkey;
1125 uint8_t *key;
1126 uint8_t pack[4] = {0,0,0,0};
1127 int len = 0;
1128 char tempStr[50];
1129
1130 while(param_getchar(Cmd, cmdp) != 0x00)
1131 {
1132 switch(param_getchar(Cmd, cmdp))
1133 {
1134 case 'h':
1135 case 'H':
1136 return usage_hf_mfu_info();
1137 case 'k':
1138 case 'K':
1139 dataLen = param_getstr(Cmd, cmdp+1, tempStr);
1140 if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
1141 errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
1142 dataLen /= 2; // handled as bytes from now on
1143 } else {
1144 PrintAndLog("\nERROR: Key is incorrect length\n");
1145 errors = true;
1146 }
1147 cmdp += 2;
1148 hasAuthKey = true;
1149 break;
1150 case 'l':
1151 case 'L':
1152 swapEndian = true;
1153 cmdp++;
1154 break;
1155 default:
1156 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1157 errors = true;
1158 break;
1159 }
1160 if(errors) break;
1161 }
1162
1163 //Validations
1164 if(errors) return usage_hf_mfu_info();
1165
1166 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1167 if (tagtype == UL_ERROR) return -1;
1168
1169 PrintAndLog("\n--- Tag Information ---------");
1170 PrintAndLog("-------------------------------------------------------------");
1171 ul_print_type(tagtype, 6);
1172
1173 // Swap endianness
1174 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4 );
1175
1176 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
1177
1178 // read pages 0,1,2,3 (should read 4pages)
1179 status = ul_read(0, data, sizeof(data));
1180 if ( status == -1 ){
1181 ul_switch_off_field();
1182 PrintAndLog("Error: tag didn't answer to READ");
1183 return status;
1184 } else if (status == 16) {
1185 ul_print_default(data);
1186 ndef_print_CC(data+12);
1187 } else {
1188 locked = true;
1189 }
1190
1191 // UL_C Specific
1192 if ((tagtype & UL_C)){
1193
1194 // read pages 0x28, 0x29, 0x2A, 0x2B
1195 uint8_t ulc_conf[16] = {0x00};
1196 status = ul_read(0x28, ulc_conf, sizeof(ulc_conf));
1197 if ( status == -1 ){
1198 PrintAndLog("Error: tag didn't answer to READ UL-C");
1199 ul_switch_off_field();
1200 return status;
1201 }
1202 if (status == 16) ulc_print_configuration(ulc_conf);
1203 else locked = true;
1204
1205 if ((tagtype & MAGIC)){
1206 //just read key
1207 uint8_t ulc_deskey[16] = {0x00};
1208 status = ul_read(0x2C, ulc_deskey, sizeof(ulc_deskey));
1209 if ( status == -1 ){
1210 ul_switch_off_field();
1211 PrintAndLog("Error: tag didn't answer to READ magic");
1212 return status;
1213 }
1214 if (status == 16) ulc_print_3deskey(ulc_deskey);
1215
1216 } else {
1217 ul_switch_off_field();
1218 // if we called info with key, just return
1219 if ( hasAuthKey ) return 1;
1220
1221 // also try to diversify default keys.. look into CmdHF14AMfuGenDiverseKeys
1222 PrintAndLog("Trying some default 3des keys");
1223 for (uint8_t i = 0; i < KEYS_3DES_COUNT; ++i ){
1224 key = default_3des_keys[i];
1225 if (ulc_authentication(key, true)){
1226 PrintAndLog("Found default 3des key: ");
1227 uint8_t keySwap[16];
1228 memcpy(keySwap, SwapEndian64(key,16,8), 16);
1229 ulc_print_3deskey(keySwap);
1230 return 1;
1231 }
1232 }
1233 return 1;
1234 }
1235 }
1236
1237 // do counters and signature first (don't neet auth)
1238
1239 // ul counters are different than ntag counters
1240 if ((tagtype & (UL_EV1_48 | UL_EV1_128))) {
1241 if (ulev1_print_counters() != 3) {
1242 // failed - re-select
1243 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
1244 }
1245 }
1246
1247 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K ))) {
1248 uint8_t ulev1_signature[32] = {0x00};
1249 status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature));
1250 if ( status == -1 ){
1251 PrintAndLog("Error: tag didn't answer to READ SIGNATURE");
1252 ul_switch_off_field();
1253 return status;
1254 }
1255 if (status == 32) ulev1_print_signature( ulev1_signature, sizeof(ulev1_signature));
1256 else {
1257 // re-select
1258 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
1259 }
1260 }
1261
1262 if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_210 | NTAG_212 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K))) {
1263 uint8_t version[10] = {0x00};
1264 status = ulev1_getVersion(version, sizeof(version));
1265 if ( status == -1 ){
1266 PrintAndLog("Error: tag didn't answer to GETVERSION");
1267 ul_switch_off_field();
1268 return status;
1269 } else if (status == 10) {
1270 ulev1_print_version(version);
1271 } else {
1272 locked = true;
1273 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
1274 }
1275
1276 uint8_t startconfigblock = 0;
1277 uint8_t ulev1_conf[16] = {0x00};
1278 // config blocks always are last 4 pages
1279 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
1280 if (tagtype & UL_TYPES_ARRAY[idx])
1281 startconfigblock = UL_MEMORY_ARRAY[idx]-3;
1282
1283 if (startconfigblock){ // if we know where the config block is...
1284 status = ul_read(startconfigblock, ulev1_conf, sizeof(ulev1_conf));
1285 if ( status == -1 ) {
1286 PrintAndLog("Error: tag didn't answer to READ EV1");
1287 ul_switch_off_field();
1288 return status;
1289 } else if (status == 16) {
1290 // save AUTHENTICATION LIMITS for later:
1291 authlim = (ulev1_conf[4] & 0x07);
1292 ulev1_print_configuration(ulev1_conf);
1293 }
1294 }
1295
1296 // AUTHLIMIT, (number of failed authentications)
1297 // 0 = limitless.
1298 // 1-7 = limit. No automatic tries then.
1299 // hasAuthKey, if we was called with key, skip test.
1300 if ( !authlim && !hasAuthKey ) {
1301 PrintAndLog("\n--- Known EV1/NTAG passwords.");
1302 len = 0;
1303 for (uint8_t i = 0; i < KEYS_PWD_COUNT; ++i ){
1304 key = default_pwd_pack[i];
1305 len = ulev1_requestAuthentication(key, pack, sizeof(pack));
1306 if (len >= 1) {
1307 PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]);
1308 break;
1309 } else {
1310 if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
1311 }
1312 }
1313 if (len < 1) PrintAndLog("password not known");
1314 }
1315 }
1316
1317 ul_switch_off_field();
1318 if (locked) PrintAndLog("\nTag appears to be locked, try using the key to get more info");
1319 PrintAndLog("");
1320 return 1;
1321 }
1322
1323 //
1324 // Write Single Block
1325 //
1326 int CmdHF14AMfUWrBl(const char *Cmd){
1327
1328 int blockNo = -1;
1329 bool errors = false;
1330 bool hasAuthKey = false;
1331 bool hasPwdKey = false;
1332 bool swapEndian = false;
1333
1334 uint8_t cmdp = 0;
1335 uint8_t keylen = 0;
1336 uint8_t blockdata[20] = {0x00};
1337 uint8_t data[16] = {0x00};
1338 uint8_t authenticationkey[16] = {0x00};
1339 uint8_t *authkeyptr = authenticationkey;
1340
1341 // starting with getting tagtype
1342 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1343 if (tagtype == UL_ERROR) return -1;
1344
1345 while(param_getchar(Cmd, cmdp) != 0x00)
1346 {
1347 switch(param_getchar(Cmd, cmdp))
1348 {
1349 case 'h':
1350 case 'H':
1351 return usage_hf_mfu_wrbl();
1352 case 'k':
1353 case 'K':
1354 // EV1/NTAG size key
1355 keylen = param_gethex(Cmd, cmdp+1, data, 8);
1356 if ( !keylen ) {
1357 memcpy(authenticationkey, data, 4);
1358 cmdp += 2;
1359 hasPwdKey = true;
1360 break;
1361 }
1362 // UL-C size key
1363 keylen = param_gethex(Cmd, cmdp+1, data, 32);
1364 if (!keylen){
1365 memcpy(authenticationkey, data, 16);
1366 cmdp += 2;
1367 hasAuthKey = true;
1368 break;
1369 }
1370 PrintAndLog("\nERROR: Key is incorrect length\n");
1371 errors = true;
1372 break;
1373 case 'b':
1374 case 'B':
1375 blockNo = param_get8(Cmd, cmdp+1);
1376
1377 uint8_t maxblockno = 0;
1378 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
1379 if (tagtype & UL_TYPES_ARRAY[idx])
1380 maxblockno = UL_MEMORY_ARRAY[idx]+1;
1381 }
1382
1383 if (blockNo < 0) {
1384 PrintAndLog("Wrong block number");
1385 errors = true;
1386 }
1387 if (blockNo > maxblockno){
1388 PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
1389 errors = true;
1390 }
1391 cmdp += 2;
1392 break;
1393 case 'l':
1394 case 'L':
1395 swapEndian = true;
1396 cmdp++;
1397 break;
1398 case 'd':
1399 case 'D':
1400 if ( param_gethex(Cmd, cmdp+1, blockdata, 8) ) {
1401 PrintAndLog("Block data must include 8 HEX symbols");
1402 errors = true;
1403 break;
1404 }
1405 cmdp += 2;
1406 break;
1407 default:
1408 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1409 errors = true;
1410 break;
1411 }
1412 //Validations
1413 if(errors) return usage_hf_mfu_wrbl();
1414 }
1415
1416 if ( blockNo == -1 ) return usage_hf_mfu_wrbl();
1417
1418 // Swap endianness
1419 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
1420 if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4);
1421
1422
1423 if ( blockNo <= 3)
1424 PrintAndLog("Special Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
1425 else
1426 PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
1427
1428
1429
1430 //Send write Block
1431 UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}};
1432 memcpy(c.d.asBytes,blockdata,4);
1433
1434 if ( hasAuthKey ){
1435 c.arg[1] = 1;
1436 memcpy(c.d.asBytes+4,authkeyptr,16);
1437 }
1438 else if ( hasPwdKey ) {
1439 c.arg[1] = 2;
1440 memcpy(c.d.asBytes+4,authkeyptr,4);
1441 }
1442
1443 SendCommand(&c);
1444 UsbCommand resp;
1445 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
1446 uint8_t isOK = resp.arg[0] & 0xff;
1447 PrintAndLog("isOk:%02x", isOK);
1448 } else {
1449 PrintAndLog("Command execute timeout");
1450 }
1451
1452 return 0;
1453 }
1454 //
1455 // Read Single Block
1456 //
1457 int CmdHF14AMfURdBl(const char *Cmd){
1458
1459 int blockNo = -1;
1460 bool errors = false;
1461 bool hasAuthKey = false;
1462 bool hasPwdKey = false;
1463 bool swapEndian = false;
1464 uint8_t cmdp = 0;
1465 uint8_t keylen = 0;
1466 uint8_t data[16] = {0x00};
1467 uint8_t authenticationkey[16] = {0x00};
1468 uint8_t *authkeyptr = authenticationkey;
1469
1470 // starting with getting tagtype
1471 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1472 if (tagtype == UL_ERROR) return -1;
1473
1474 while(param_getchar(Cmd, cmdp) != 0x00)
1475 {
1476 switch(param_getchar(Cmd, cmdp))
1477 {
1478 case 'h':
1479 case 'H':
1480 return usage_hf_mfu_rdbl();
1481 case 'k':
1482 case 'K':
1483 // EV1/NTAG size key
1484 keylen = param_gethex(Cmd, cmdp+1, data, 8);
1485 if ( !keylen ) {
1486 memcpy(authenticationkey, data, 4);
1487 cmdp += 2;
1488 hasPwdKey = true;
1489 break;
1490 }
1491 // UL-C size key
1492 keylen = param_gethex(Cmd, cmdp+1, data, 32);
1493 if (!keylen){
1494 memcpy(authenticationkey, data, 16);
1495 cmdp += 2;
1496 hasAuthKey = true;
1497 break;
1498 }
1499 PrintAndLog("\nERROR: Key is incorrect length\n");
1500 errors = true;
1501 break;
1502 case 'b':
1503 case 'B':
1504 blockNo = param_get8(Cmd, cmdp+1);
1505
1506 uint8_t maxblockno = 0;
1507 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
1508 if (tagtype & UL_TYPES_ARRAY[idx])
1509 maxblockno = UL_MEMORY_ARRAY[idx]+1;
1510 }
1511
1512 if (blockNo < 0) {
1513 PrintAndLog("Wrong block number");
1514 errors = true;
1515 }
1516 if (blockNo > maxblockno){
1517 PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
1518 errors = true;
1519 }
1520 cmdp += 2;
1521 break;
1522 case 'l':
1523 case 'L':
1524 swapEndian = true;
1525 cmdp++;
1526 break;
1527 default:
1528 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1529 errors = true;
1530 break;
1531 }
1532 //Validations
1533 if(errors) return usage_hf_mfu_rdbl();
1534 }
1535 if ( blockNo == -1 ) return usage_hf_mfu_rdbl();
1536
1537 // Swap endianness
1538 if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
1539 if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4);
1540
1541 //Read Block
1542 UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};
1543 if ( hasAuthKey ){
1544 c.arg[1] = 1;
1545 memcpy(c.d.asBytes,authkeyptr,16);
1546 }
1547 else if ( hasPwdKey ) {
1548 c.arg[1] = 2;
1549 memcpy(c.d.asBytes,authkeyptr,4);
1550 }
1551
1552 SendCommand(&c);
1553
1554 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
1555 uint8_t isOK = resp.arg[0] & 0xff;
1556 if (isOK) {
1557 uint8_t *data = resp.d.asBytes;
1558 PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(data, 4));
1559 }
1560 else {
1561 PrintAndLog("Failed reading block: (%02x)", isOK);
1562 }
1563 } else {
1564 PrintAndLog("Command execute time-out");
1565 }
1566
1567 return 0;
1568 }
1569
1570 int usage_hf_mfu_info(void) {
1571 PrintAndLog("It gathers information about the tag and tries to detect what kind it is.");
1572 PrintAndLog("Sometimes the tags are locked down, and you may need a key to be able to read the information");
1573 PrintAndLog("The following tags can be identified:\n");
1574 PrintAndLog("Ultralight, Ultralight-C, Ultralight EV1, NTAG 203, NTAG 210,");
1575 PrintAndLog("NTAG 212, NTAG 213, NTAG 215, NTAG 216, NTAG I2C 1K & 2K");
1576 PrintAndLog("my-d, my-d NFC, my-d move, my-d move NFC\n");
1577 PrintAndLog("Usage: hf mfu info k <key> l");
1578 PrintAndLog(" Options : ");
1579 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1580 PrintAndLog(" l : (optional) swap entered key's endianness");
1581 PrintAndLog("");
1582 PrintAndLog(" sample : hf mfu info");
1583 PrintAndLog(" : hf mfu info k 00112233445566778899AABBCCDDEEFF");
1584 PrintAndLog(" : hf mfu info k AABBCCDDD");
1585 return 0;
1586 }
1587
1588 int usage_hf_mfu_dump(void) {
1589 PrintAndLog("Reads all pages from Ultralight, Ultralight-C, Ultralight EV1");
1590 PrintAndLog("NTAG 203, NTAG 210, NTAG 212, NTAG 213, NTAG 215, NTAG 216");
1591 PrintAndLog("and saves binary dump into the file `filename.bin` or `cardUID.bin`");
1592 PrintAndLog("It autodetects card type.\n");
1593 PrintAndLog("Usage: hf mfu dump k <key> l n <filename w/o .bin>");
1594 PrintAndLog(" Options : ");
1595 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1596 PrintAndLog(" l : (optional) swap entered key's endianness");
1597 PrintAndLog(" n <FN > : filename w/o .bin to save the dump as");
1598 PrintAndLog(" p <Pg > : starting Page number to manually set a page to start the dump at");
1599 PrintAndLog(" q <qty> : number of Pages to manually set how many pages to dump");
1600
1601 PrintAndLog("");
1602 PrintAndLog(" sample : hf mfu dump");
1603 PrintAndLog(" : hf mfu dump n myfile");
1604 PrintAndLog(" : hf mfu dump k 00112233445566778899AABBCCDDEEFF");
1605 PrintAndLog(" : hf mfu dump k AABBCCDDD\n");
1606 return 0;
1607 }
1608
1609 int usage_hf_mfu_rdbl(void) {
1610 PrintAndLog("Read a block and print. It autodetects card type.\n");
1611 PrintAndLog("Usage: hf mfu rdbl b <block number> k <key> l\n");
1612 PrintAndLog(" Options:");
1613 PrintAndLog(" b <no> : block to read");
1614 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1615 PrintAndLog(" l : (optional) swap entered key's endianness");
1616 PrintAndLog("");
1617 PrintAndLog(" sample : hf mfu rdbl b 0");
1618 PrintAndLog(" : hf mfu rdbl b 0 k 00112233445566778899AABBCCDDEEFF");
1619 PrintAndLog(" : hf mfu rdbl b 0 k AABBCCDDD\n");
1620 return 0;
1621 }
1622
1623 int usage_hf_mfu_wrbl(void) {
1624 PrintAndLog("Write a block. It autodetects card type.\n");
1625 PrintAndLog("Usage: hf mfu wrbl b <block number> d <data> k <key> l\n");
1626 PrintAndLog(" Options:");
1627 PrintAndLog(" b <no> : block to write");
1628 PrintAndLog(" d <data> : block data - (8 hex symbols)");
1629 PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
1630 PrintAndLog(" l : (optional) swap entered key's endianness");
1631 PrintAndLog("");
1632 PrintAndLog(" sample : hf mfu wrbl b 0 d 01234567");
1633 PrintAndLog(" : hf mfu wrbl b 0 d 01234567 k AABBCCDDD\n");
1634 return 0;
1635 }
1636
1637 //
1638 // Mifare Ultralight / Ultralight-C / Ultralight-EV1
1639 // Read and Dump Card Contents, using auto detection of tag size.
1640 //
1641 // TODO: take a password to read UL-C / UL-EV1 tags.
1642 int CmdHF14AMfUDump(const char *Cmd){
1643
1644 FILE *fout;
1645 char filename[FILE_PATH_SIZE] = {0x00};
1646 char *fnameptr = filename;
1647 uint8_t *lockbytes_t = NULL;
1648 uint8_t lockbytes[2] = {0x00};
1649 uint8_t *lockbytes_t2 = NULL;
1650 uint8_t lockbytes2[2] = {0x00};
1651 bool bit[16] = {0x00};
1652 bool bit2[16] = {0x00};
1653 uint8_t data[1024] = {0x00};
1654 bool hasAuthKey = false;
1655 int i = 0;
1656 int Pages = 16;
1657 bool tmplockbit = false;
1658 uint8_t dataLen = 0;
1659 uint8_t cmdp = 0;
1660 uint8_t authenticationkey[16] = {0x00};
1661 uint8_t *authKeyPtr = authenticationkey;
1662 size_t fileNlen = 0;
1663 bool errors = false;
1664 bool swapEndian = false;
1665 bool manualPages = false;
1666 uint8_t startPage = 0;
1667 char tempStr[50];
1668
1669 while(param_getchar(Cmd, cmdp) != 0x00)
1670 {
1671 switch(param_getchar(Cmd, cmdp))
1672 {
1673 case 'h':
1674 case 'H':
1675 return usage_hf_mfu_dump();
1676 case 'k':
1677 case 'K':
1678 dataLen = param_getstr(Cmd, cmdp+1, tempStr);
1679 if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
1680 errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
1681 dataLen /= 2;
1682 } else {
1683 PrintAndLog("\nERROR: Key is incorrect length\n");
1684 errors = true;
1685 }
1686 cmdp += 2;
1687 hasAuthKey = true;
1688 break;
1689 case 'l':
1690 case 'L':
1691 swapEndian = true;
1692 cmdp++;
1693 break;
1694 case 'n':
1695 case 'N':
1696 fileNlen = param_getstr(Cmd, cmdp+1, filename);
1697 if (!fileNlen) errors = true;
1698 if (fileNlen > FILE_PATH_SIZE-5) fileNlen = FILE_PATH_SIZE-5;
1699 cmdp += 2;
1700 break;
1701 case 'p':
1702 case 'P':
1703 startPage = param_get8(Cmd, cmdp+1);
1704 manualPages = true;
1705 cmdp += 2;
1706 break;
1707 case 'q':
1708 case 'Q':
1709 Pages = param_get8(Cmd, cmdp+1);
1710 cmdp += 2;
1711 manualPages = true;
1712 break;
1713 default:
1714 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1715 errors = true;
1716 break;
1717 }
1718 if(errors) break;
1719 }
1720
1721 //Validations
1722 if(errors) return usage_hf_mfu_dump();
1723
1724 if (swapEndian && hasAuthKey)
1725 authKeyPtr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4);
1726
1727 TagTypeUL_t tagtype = GetHF14AMfU_Type();
1728 if (tagtype == UL_ERROR) return -1;
1729
1730 if (!manualPages)
1731 for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
1732 if (tagtype & UL_TYPES_ARRAY[idx])
1733 Pages = UL_MEMORY_ARRAY[idx]+1;
1734
1735 ul_print_type(tagtype, 0);
1736 PrintAndLog("Reading tag memory...");
1737 UsbCommand c = {CMD_MIFAREU_READCARD, {startPage,Pages}};
1738 if ( hasAuthKey ) {
1739 if (tagtype & UL_C)
1740 c.arg[2] = 1; //UL_C auth
1741 else
1742 c.arg[2] = 2; //UL_EV1/NTAG auth
1743
1744 memcpy(c.d.asBytes, authKeyPtr, dataLen);
1745 }
1746 SendCommand(&c);
1747 UsbCommand resp;
1748 if (!WaitForResponseTimeout(CMD_ACK, &resp,1500)) {
1749 PrintAndLog("Command execute time-out");
1750 return 1;
1751 }
1752 if (resp.arg[0] != 1) {
1753 PrintAndLog("Failed reading block: (%02x)", i);
1754 return 1;
1755 }
1756
1757 uint32_t bufferSize = resp.arg[1];
1758 if (bufferSize > sizeof(data)) {
1759 PrintAndLog("Data exceeded Buffer size!");
1760 bufferSize = sizeof(data);
1761 }
1762 GetFromBigBuf(data, bufferSize, 0);
1763 WaitForResponse(CMD_ACK,NULL);
1764
1765 Pages = bufferSize/4;
1766 // Load lock bytes.
1767 int j = 0;
1768
1769 lockbytes_t = data + 8;
1770 lockbytes[0] = lockbytes_t[2];
1771 lockbytes[1] = lockbytes_t[3];
1772 for(j = 0; j < 16; j++){
1773 bit[j] = lockbytes[j/8] & ( 1 <<(7-j%8));
1774 }
1775
1776 // Load bottom lockbytes if available
1777 // TODO -- FIGURE OUT LOCK BYTES FOR TO EV1 and/or NTAG
1778 if ( Pages == 44 ) {
1779 lockbytes_t2 = data + (40*4);
1780 lockbytes2[0] = lockbytes_t2[2];
1781 lockbytes2[1] = lockbytes_t2[3];
1782 for (j = 0; j < 16; j++) {
1783 bit2[j] = lockbytes2[j/8] & ( 1 <<(7-j%8));
1784 }
1785 }
1786
1787 // add keys to block dump
1788 if (hasAuthKey) {
1789 if (!swapEndian){
1790 authKeyPtr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4);
1791 } else {
1792 authKeyPtr = authenticationkey;
1793 }
1794
1795 if (tagtype & UL_C){ //add 4 pages
1796 memcpy(data + Pages*4, authKeyPtr, dataLen);
1797 Pages += dataLen/4;
1798 } else { // 2nd page from end
1799 memcpy(data + (Pages*4) - 8, authenticationkey, dataLen);
1800 }
1801 }
1802
1803 for (i = 0; i < Pages; ++i) {
1804 if ( i < 3 ) {
1805 PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4));
1806 continue;
1807 }
1808 switch(i){
1809 case 3: tmplockbit = bit[4]; break;
1810 case 4: tmplockbit = bit[3]; break;
1811 case 5: tmplockbit = bit[2]; break;
1812 case 6: tmplockbit = bit[1]; break;
1813 case 7: tmplockbit = bit[0]; break;
1814 case 8: tmplockbit = bit[15]; break;
1815 case 9: tmplockbit = bit[14]; break;
1816 case 10: tmplockbit = bit[13]; break;
1817 case 11: tmplockbit = bit[12]; break;
1818 case 12: tmplockbit = bit[11]; break;
1819 case 13: tmplockbit = bit[10]; break;
1820 case 14: tmplockbit = bit[9]; break;
1821 case 15: tmplockbit = bit[8]; break;
1822 case 16:
1823 case 17:
1824 case 18:
1825 case 19: tmplockbit = bit2[6]; break;
1826 case 20:
1827 case 21:
1828 case 22:
1829 case 23: tmplockbit = bit2[5]; break;
1830 case 24:
1831 case 25:
1832 case 26:
1833 case 27: tmplockbit = bit2[4]; break;
1834 case 28:
1835 case 29:
1836 case 30:
1837 case 31: tmplockbit = bit2[2]; break;
1838 case 32:
1839 case 33:
1840 case 34:
1841 case 35: tmplockbit = bit2[1]; break;
1842 case 36:
1843 case 37:
1844 case 38:
1845 case 39: tmplockbit = bit2[0]; break;
1846 case 40: tmplockbit = bit2[12]; break;
1847 case 41: tmplockbit = bit2[11]; break;
1848 case 42: tmplockbit = bit2[10]; break; //auth0
1849 case 43: tmplockbit = bit2[9]; break; //auth1
1850 default: break;
1851 }
1852 PrintAndLog("Block %02X:%s [%d] {%.4s}", i, sprint_hex(data + i * 4, 4), tmplockbit, data+i*4);
1853 }
1854
1855 // user supplied filename?
1856 if (fileNlen < 1) {
1857 // UID = data 0-1-2 4-5-6-7 (skips a beat)
1858 sprintf(fnameptr,"%02X%02X%02X%02X%02X%02X%02X.bin",
1859 data[0],data[1], data[2], data[4],data[5],data[6], data[7]);
1860 } else {
1861 sprintf(fnameptr + fileNlen,".bin");
1862 }
1863
1864 if ((fout = fopen(filename,"wb")) == NULL) {
1865 PrintAndLog("Could not create file name %s", filename);
1866 return 1;
1867 }
1868 fwrite( data, 1, Pages*4, fout );
1869 fclose(fout);
1870
1871 PrintAndLog("Dumped %d pages, wrote %d bytes to %s", Pages, Pages*4, filename);
1872 return 0;
1873 }
1874
1875 //-------------------------------------------------------------------------------
1876 // Ultralight C Methods
1877 //-------------------------------------------------------------------------------
1878
1879 //
1880 // Ultralight C Authentication Demo {currently uses hard-coded key}
1881 //
1882 int CmdHF14AMfucAuth(const char *Cmd){
1883
1884 uint8_t keyNo = 3;
1885 bool errors = false;
1886
1887 char cmdp = param_getchar(Cmd, 0);
1888
1889 //Change key to user defined one
1890 if (cmdp == 'k' || cmdp == 'K'){
1891 keyNo = param_get8(Cmd, 1);
1892 if(keyNo > KEYS_3DES_COUNT)
1893 errors = true;
1894 }
1895
1896 if (cmdp == 'h' || cmdp == 'H')
1897 errors = true;
1898
1899 if (errors) {
1900 PrintAndLog("Usage: hf mfu cauth k <key number>");
1901 PrintAndLog(" 0 (default): 3DES standard key");
1902 PrintAndLog(" 1 : all 0x00 key");
1903 PrintAndLog(" 2 : 0x00-0x0F key");
1904 PrintAndLog(" 3 : nfc key");
1905 PrintAndLog(" 4 : all 0x01 key");
1906 PrintAndLog(" 5 : all 0xff key");
1907 PrintAndLog(" 6 : 0x00-0xFF key");
1908 PrintAndLog("\n sample : hf mfu cauth k");
1909 PrintAndLog(" : hf mfu cauth k 3");
1910 return 0;
1911 }
1912
1913 uint8_t *key = default_3des_keys[keyNo];
1914 if (ulc_authentication(key, true))
1915 PrintAndLog("Authentication successful. 3des key: %s",sprint_hex(key, 16));
1916 else
1917 PrintAndLog("Authentication failed");
1918
1919 return 0;
1920 }
1921
1922 /**
1923 A test function to validate that the polarssl-function works the same
1924 was as the openssl-implementation.
1925 Commented out, since it requires openssl
1926
1927 int CmdTestDES(const char * cmd)
1928 {
1929 uint8_t key[16] = {0x00};
1930
1931 memcpy(key,key3_3des_data,16);
1932 DES_cblock RndA, RndB;
1933
1934 PrintAndLog("----------OpenSSL DES implementation----------");
1935 {
1936 uint8_t e_RndB[8] = {0x00};
1937 unsigned char RndARndB[16] = {0x00};
1938
1939 DES_cblock iv = { 0 };
1940 DES_key_schedule ks1,ks2;
1941 DES_cblock key1,key2;
1942
1943 memcpy(key,key3_3des_data,16);
1944 memcpy(key1,key,8);
1945 memcpy(key2,key+8,8);
1946
1947
1948 DES_set_key((DES_cblock *)key1,&ks1);
1949 DES_set_key((DES_cblock *)key2,&ks2);
1950
1951 DES_random_key(&RndA);
1952 PrintAndLog(" RndA:%s",sprint_hex(RndA, 8));
1953 PrintAndLog(" e_RndB:%s",sprint_hex(e_RndB, 8));
1954 //void DES_ede2_cbc_encrypt(const unsigned char *input,
1955 // unsigned char *output, long length, DES_key_schedule *ks1,
1956 // DES_key_schedule *ks2, DES_cblock *ivec, int enc);
1957 DES_ede2_cbc_encrypt(e_RndB,RndB,sizeof(e_RndB),&ks1,&ks2,&iv,0);
1958
1959 PrintAndLog(" RndB:%s",sprint_hex(RndB, 8));
1960 rol(RndB,8);
1961 memcpy(RndARndB,RndA,8);
1962 memcpy(RndARndB+8,RndB,8);
1963 PrintAndLog(" RA+B:%s",sprint_hex(RndARndB, 16));
1964 DES_ede2_cbc_encrypt(RndARndB,RndARndB,sizeof(RndARndB),&ks1,&ks2,&e_RndB,1);
1965 PrintAndLog("enc(RA+B):%s",sprint_hex(RndARndB, 16));
1966
1967 }
1968 PrintAndLog("----------PolarSSL implementation----------");
1969 {
1970 uint8_t random_a[8] = { 0 };
1971 uint8_t enc_random_a[8] = { 0 };
1972 uint8_t random_b[8] = { 0 };
1973 uint8_t enc_random_b[8] = { 0 };
1974 uint8_t random_a_and_b[16] = { 0 };
1975 des3_context ctx = { 0 };
1976
1977 memcpy(random_a, RndA,8);
1978
1979 uint8_t output[8] = { 0 };
1980 uint8_t iv[8] = { 0 };
1981
1982 PrintAndLog(" RndA :%s",sprint_hex(random_a, 8));
1983 PrintAndLog(" e_RndB:%s",sprint_hex(enc_random_b, 8));
1984
1985 des3_set2key_dec(&ctx, key);
1986
1987 des3_crypt_cbc(&ctx // des3_context *ctx
1988 , DES_DECRYPT // int mode
1989 , sizeof(random_b) // size_t length
1990 , iv // unsigned char iv[8]
1991 , enc_random_b // const unsigned char *input
1992 , random_b // unsigned char *output
1993 );
1994
1995 PrintAndLog(" RndB:%s",sprint_hex(random_b, 8));
1996
1997 rol(random_b,8);
1998 memcpy(random_a_and_b ,random_a,8);
1999 memcpy(random_a_and_b+8,random_b,8);
2000
2001 PrintAndLog(" RA+B:%s",sprint_hex(random_a_and_b, 16));
2002
2003 des3_set2key_enc(&ctx, key);
2004
2005 des3_crypt_cbc(&ctx // des3_context *ctx
2006 , DES_ENCRYPT // int mode
2007 , sizeof(random_a_and_b) // size_t length
2008 , enc_random_b // unsigned char iv[8]
2009 , random_a_and_b // const unsigned char *input
2010 , random_a_and_b // unsigned char *output
2011 );
2012
2013 PrintAndLog("enc(RA+B):%s",sprint_hex(random_a_and_b, 16));
2014 }
2015 return 0;
2016 }
2017 **/
2018
2019 //
2020 // Mifare Ultralight C - Set password
2021 //
2022 int CmdHF14AMfucSetPwd(const char *Cmd){
2023
2024 uint8_t pwd[16] = {0x00};
2025
2026 uint8_t key[16];
2027 char cmdp = param_getchar(Cmd, 0);
2028
2029 if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
2030 PrintAndLog("Usage: hf mfu setpwd <password (32 hex symbols)>");
2031 PrintAndLog(" [password] - (32 hex symbols)");
2032 PrintAndLog("");
2033 PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f");
2034 PrintAndLog("");
2035 return 0;
2036 }
2037
2038 if (param_gethex(Cmd, 0, pwd, 32)) {
2039 PrintAndLog("Password must include 32 HEX symbols");
2040 return 1;
2041 }
2042
2043 if (blockNo > MAX_ULC_BLOCKS ){
2044 PrintAndLog("Error: Maximum number of blocks is 47 for Ultralight-C");
2045 return 1;
2046 }
2047
2048 UsbCommand c = {CMD_MIFAREUC_SETPWD};
2049 memcpy( c.d.asBytes, pwd, 16);
2050 SendCommand(&c);
2051
2052 UsbCommand resp;
2053
2054 if (WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
2055 if ( (resp.arg[0] & 0xff) == 1)
2056 PrintAndLog("Ultralight-C new password: %s", sprint_hex(pwd,16));
2057 else{
2058 PrintAndLog("Failed writing at block %d", resp.arg[1] & 0xff);
2059 return 1;
2060 }
2061 }
2062 else {
2063 PrintAndLog("command execution time out");
2064 return 1;
2065 }
2066
2067 return 0;
2068 }
2069
2070 //
2071 // Magic UL / UL-C tags - Set UID
2072 //
2073 int CmdHF14AMfucSetUid(const char *Cmd){
2074
2075 UsbCommand c;
2076 UsbCommand resp;
2077 uint8_t uid[7] = {0x00};
2078 char cmdp = param_getchar(Cmd, 0);
2079
2080 if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
2081 PrintAndLog("Usage: hf mfu setuid <uid (14 hex symbols)>");
2082 PrintAndLog(" [uid] - (14 hex symbols)");
2083 PrintAndLog("\nThis only works for Magic Ultralight tags.");
2084 PrintAndLog("");
2085 PrintAndLog("sample: hf mfu setuid 11223344556677");
2086 PrintAndLog("");
2087 return 0;
2088 }
2089
2090 if (param_gethex(Cmd, 0, uid, 14)) {
2091 PrintAndLog("UID must include 14 HEX symbols");
2092 return 1;
2093 }
2094
2095 // read block2.
2096 c.cmd = CMD_MIFAREU_READBL;
2097 c.arg[0] = 2;
2098 SendCommand(&c);
2099 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
2100 PrintAndLog("Command execute timeout");
2101 return 2;
2102 }
2103
2104 // save old block2.
2105 uint8_t oldblock2[4] = {0x00};
2106 memcpy(resp.d.asBytes, oldblock2, 4);
2107
2108 // block 0.
2109 c.cmd = CMD_MIFAREU_WRITEBL;
2110 c.arg[0] = 0;
2111 c.d.asBytes[0] = uid[0];
2112 c.d.asBytes[1] = uid[1];
2113 c.d.asBytes[2] = uid[2];
2114 c.d.asBytes[3] = 0x88 ^ uid[0] ^ uid[1] ^ uid[2];
2115 SendCommand(&c);
2116 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
2117 PrintAndLog("Command execute timeout");
2118 return 3;
2119 }
2120
2121 // block 1.
2122 c.arg[0] = 1;
2123 c.d.asBytes[0] = uid[3];
2124 c.d.asBytes[1] = uid[4];
2125 c.d.asBytes[2] = uid[5];
2126 c.d.asBytes[3] = uid[6];
2127 SendCommand(&c);
2128 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
2129 PrintAndLog("Command execute timeout");
2130 return 4;
2131 }
2132
2133 // block 2.
2134 c.arg[0] = 2;
2135 c.d.asBytes[0] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6];
2136 c.d.asBytes[1] = oldblock2[1];
2137 c.d.asBytes[2] = oldblock2[2];
2138 c.d.asBytes[3] = oldblock2[3];
2139 SendCommand(&c);
2140 if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
2141 PrintAndLog("Command execute timeout");
2142 return 5;
2143 }
2144
2145 return 0;
2146 }
2147
2148 int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
2149
2150 uint8_t iv[8] = { 0x00 };
2151 uint8_t block = 0x07;
2152
2153 // UL-EV1
2154 //04 57 b6 e2 05 3f 80 UID
2155 //4a f8 4b 19 PWD
2156 uint8_t uid[] = { 0xF4,0xEA, 0x54, 0x8E };
2157 uint8_t mifarekeyA[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 };
2158 uint8_t mifarekeyB[] = { 0xB0,0xB1,0xB2,0xB3,0xB4,0xB5 };
2159 uint8_t dkeyA[8] = { 0x00 };
2160 uint8_t dkeyB[8] = { 0x00 };
2161
2162 uint8_t masterkey[] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
2163
2164 uint8_t mix[8] = { 0x00 };
2165 uint8_t divkey[8] = { 0x00 };
2166
2167 memcpy(mix, mifarekeyA, 4);
2168
2169 mix[4] = mifarekeyA[4] ^ uid[0];
2170 mix[5] = mifarekeyA[5] ^ uid[1];
2171 mix[6] = block ^ uid[2];
2172 mix[7] = uid[3];
2173
2174 des3_context ctx = { 0x00 };
2175 des3_set2key_enc(&ctx, masterkey);
2176
2177 des3_crypt_cbc(&ctx // des3_context
2178 , DES_ENCRYPT // int mode
2179 , sizeof(mix) // length
2180 , iv // iv[8]
2181 , mix // input
2182 , divkey // output
2183 );
2184
2185 PrintAndLog("3DES version");
2186 PrintAndLog("Masterkey :\t %s", sprint_hex(masterkey,sizeof(masterkey)));
2187 PrintAndLog("UID :\t %s", sprint_hex(uid, sizeof(uid)));
2188 PrintAndLog("Sector :\t %0d", block);
2189 PrintAndLog("Mifare key :\t %s", sprint_hex(mifarekeyA, sizeof(mifarekeyA)));
2190 PrintAndLog("Message :\t %s", sprint_hex(mix, sizeof(mix)));
2191 PrintAndLog("Diversified key: %s", sprint_hex(divkey+1, 6));
2192
2193 PrintAndLog("\n DES version");
2194
2195 for (int i=0; i < sizeof(mifarekeyA); ++i){
2196 dkeyA[i] = (mifarekeyA[i] << 1) & 0xff;
2197 dkeyA[6] |= ((mifarekeyA[i] >> 7) & 1) << (i+1);
2198 }
2199
2200 for (int i=0; i < sizeof(mifarekeyB); ++i){
2201 dkeyB[1] |= ((mifarekeyB[i] >> 7) & 1) << (i+1);
2202 dkeyB[2+i] = (mifarekeyB[i] << 1) & 0xff;
2203 }
2204
2205 uint8_t zeros[8] = {0x00};
2206 uint8_t newpwd[8] = {0x00};
2207 uint8_t dmkey[24] = {0x00};
2208 memcpy(dmkey, dkeyA, 8);
2209 memcpy(dmkey+8, dkeyB, 8);
2210 memcpy(dmkey+16, dkeyA, 8);
2211 memset(iv, 0x00, 8);
2212
2213 des3_set3key_enc(&ctx, dmkey);
2214
2215 des3_crypt_cbc(&ctx // des3_context
2216 , DES_ENCRYPT // int mode
2217 , sizeof(newpwd) // length
2218 , iv // iv[8]
2219 , zeros // input
2220 , newpwd // output
2221 );
2222
2223 PrintAndLog("Mifare dkeyA :\t %s", sprint_hex(dkeyA, sizeof(dkeyA)));
2224 PrintAndLog("Mifare dkeyB :\t %s", sprint_hex(dkeyB, sizeof(dkeyB)));
2225 PrintAndLog("Mifare ABA :\t %s", sprint_hex(dmkey, sizeof(dmkey)));
2226 PrintAndLog("Mifare Pwd :\t %s", sprint_hex(newpwd, sizeof(newpwd)));
2227
2228 return 0;
2229 }
2230
2231 // static uint8_t * diversify_key(uint8_t * key){
2232
2233 // for(int i=0; i<16; i++){
2234 // if(i<=6) key[i]^=cuid[i];
2235 // if(i>6) key[i]^=cuid[i%7];
2236 // }
2237 // return key;
2238 // }
2239
2240 // static void GenerateUIDe( uint8_t *uid, uint8_t len){
2241 // for (int i=0; i<len; ++i){
2242
2243 // }
2244 // return;
2245 // }
2246
2247 //------------------------------------
2248 // Menu Stuff
2249 //------------------------------------
2250 static command_t CommandTable[] =
2251 {
2252 {"help", CmdHelp, 1, "This help"},
2253 {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
2254 {"info", CmdHF14AMfUInfo, 0, "Tag information"},
2255 {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C tag to binary file"},
2256 {"rdbl", CmdHF14AMfURdBl, 0, "Read block"},
2257 {"wrbl", CmdHF14AMfUWrBl, 0, "Write block"},
2258 {"cauth", CmdHF14AMfucAuth, 0, "Authentication - Ultralight C"},
2259 {"setpwd", CmdHF14AMfucSetPwd, 1, "Set 3des password - Ultralight-C"},
2260 {"setuid", CmdHF14AMfucSetUid, 1, "Set UID - MAGIC tags only"},
2261 {"gen", CmdHF14AMfuGenDiverseKeys , 1, "Generate 3des mifare diversified keys"},
2262 {NULL, NULL, 0, NULL}
2263 };
2264
2265 int CmdHFMFUltra(const char *Cmd){
2266 WaitForResponseTimeout(CMD_ACK,NULL,100);
2267 CmdsParse(CommandTable, Cmd);
2268 return 0;
2269 }
2270
2271 int CmdHelp(const char *Cmd){
2272 CmdsHelp(CommandTable);
2273 return 0;
2274 }
Proxmark3 GIT tracking
Impressum, Datenschutz