]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhfmf.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
adjust CI testscript for new emv commands (#758)
[proxmark3-svn] / client / cmdhfmf.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2011,2012 Merlok
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency MIFARE commands
9 //-----------------------------------------------------------------------------
10
11 #include "cmdhfmf.h"
12
13 #include <inttypes.h>
14 #include <string.h>
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <ctype.h>
18 #include "comms.h"
19 #include "cmdmain.h"
20 #include "cmdhfmfhard.h"
21 #include "parity.h"
22 #include "util.h"
23 #include "util_posix.h"
24 #include "usb_cmd.h"
25 #include "ui.h"
26 #include "mifarehost.h"
27 #include "mifare.h"
28 #include "mfkey.h"
29 #include "hardnested/hardnested_bf_core.h"
30 #include "cliparser/cliparser.h"
31 #include "cmdhf14a.h"
32 #include "mifare4.h"
33
34 #define NESTED_SECTOR_RETRY 10 // how often we try mfested() until we give up
35
36 static int CmdHelp(const char *Cmd);
37
38 int CmdHF14AMifare(const char *Cmd)
39 {
40 int isOK = 0;
41 uint64_t key = 0;
42 isOK = mfDarkside(&key);
43 switch (isOK) {
44 case -1 : PrintAndLog("Button pressed. Aborted."); return 1;
45 case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;
46 case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;
47 case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
48 PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;
49 case -5 : PrintAndLog("Aborted via keyboard."); return 1;
50 default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);
51 }
52
53 PrintAndLog("");
54 return 0;
55 }
56
57
58 int CmdHF14AMfWrBl(const char *Cmd)
59 {
60 uint8_t blockNo = 0;
61 uint8_t keyType = 0;
62 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
63 uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
64
65 char cmdp = 0x00;
66
67 if (strlen(Cmd)<3) {
68 PrintAndLog("Usage: hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
69 PrintAndLog(" sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
70 return 0;
71 }
72
73 blockNo = param_get8(Cmd, 0);
74 cmdp = param_getchar(Cmd, 1);
75 if (cmdp == 0x00) {
76 PrintAndLog("Key type must be A or B");
77 return 1;
78 }
79 if (cmdp != 'A' && cmdp != 'a') keyType = 1;
80 if (param_gethex(Cmd, 2, key, 12)) {
81 PrintAndLog("Key must include 12 HEX symbols");
82 return 1;
83 }
84 if (param_gethex(Cmd, 3, bldata, 32)) {
85 PrintAndLog("Block data must include 32 HEX symbols");
86 return 1;
87 }
88 PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
89 PrintAndLog("--data: %s", sprint_hex(bldata, 16));
90
91 UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
92 memcpy(c.d.asBytes, key, 6);
93 memcpy(c.d.asBytes + 10, bldata, 16);
94 SendCommand(&c);
95
96 UsbCommand resp;
97 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
98 uint8_t isOK = resp.arg[0] & 0xff;
99 PrintAndLog("isOk:%02x", isOK);
100 } else {
101 PrintAndLog("Command execute timeout");
102 }
103
104 return 0;
105 }
106
107 int CmdHF14AMfRdBl(const char *Cmd)
108 {
109 uint8_t blockNo = 0;
110 uint8_t keyType = 0;
111 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
112
113 char cmdp = 0x00;
114
115
116 if (strlen(Cmd)<3) {
117 PrintAndLog("Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>");
118 PrintAndLog(" sample: hf mf rdbl 0 A FFFFFFFFFFFF ");
119 return 0;
120 }
121
122 blockNo = param_get8(Cmd, 0);
123 cmdp = param_getchar(Cmd, 1);
124 if (cmdp == 0x00) {
125 PrintAndLog("Key type must be A or B");
126 return 1;
127 }
128 if (cmdp != 'A' && cmdp != 'a') keyType = 1;
129 if (param_gethex(Cmd, 2, key, 12)) {
130 PrintAndLog("Key must include 12 HEX symbols");
131 return 1;
132 }
133 PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6));
134
135 UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
136 memcpy(c.d.asBytes, key, 6);
137 SendCommand(&c);
138
139 UsbCommand resp;
140 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
141 uint8_t isOK = resp.arg[0] & 0xff;
142 uint8_t *data = resp.d.asBytes;
143
144 if (isOK) {
145 PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
146 } else {
147 PrintAndLog("isOk:%02x", isOK);
148 return 1;
149 }
150
151 if (mfIsSectorTrailer(blockNo) && (data[6] || data[7] || data[8])) {
152 PrintAndLogEx(NORMAL, "Trailer decoded:");
153 int bln = mfFirstBlockOfSector(mfSectorNum(blockNo));
154 int blinc = (mfNumBlocksPerSector(mfSectorNum(blockNo)) > 4) ? 5 : 1;
155 for (int i = 0; i < 4; i++) {
156 PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &data[6]));
157 bln += blinc;
158 }
159 PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&data[9], 1));
160 }
161 } else {
162 PrintAndLog("Command execute timeout");
163 return 2;
164 }
165
166 return 0;
167 }
168
169 int CmdHF14AMfRdSc(const char *Cmd)
170 {
171 int i;
172 uint8_t sectorNo = 0;
173 uint8_t keyType = 0;
174 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
175 uint8_t isOK = 0;
176 uint8_t *data = NULL;
177 char cmdp = 0x00;
178
179 if (strlen(Cmd)<3) {
180 PrintAndLog("Usage: hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>");
181 PrintAndLog(" sample: hf mf rdsc 0 A FFFFFFFFFFFF ");
182 return 0;
183 }
184
185 sectorNo = param_get8(Cmd, 0);
186 if (sectorNo > 39) {
187 PrintAndLog("Sector number must be less than 40");
188 return 1;
189 }
190 cmdp = param_getchar(Cmd, 1);
191 if (cmdp != 'a' && cmdp != 'A' && cmdp != 'b' && cmdp != 'B') {
192 PrintAndLog("Key type must be A or B");
193 return 1;
194 }
195 if (cmdp != 'A' && cmdp != 'a') keyType = 1;
196 if (param_gethex(Cmd, 2, key, 12)) {
197 PrintAndLog("Key must include 12 HEX symbols");
198 return 1;
199 }
200 PrintAndLog("--sector no:%d key type:%c key:%s ", sectorNo, keyType?'B':'A', sprint_hex(key, 6));
201
202 UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};
203 memcpy(c.d.asBytes, key, 6);
204 SendCommand(&c);
205 PrintAndLog(" ");
206
207 UsbCommand resp;
208 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
209 isOK = resp.arg[0] & 0xff;
210 data = resp.d.asBytes;
211
212 PrintAndLog("isOk:%02x", isOK);
213 if (isOK) {
214 for (i = 0; i < (sectorNo<32?3:15); i++) {
215 PrintAndLog("data : %s", sprint_hex(data + i * 16, 16));
216 }
217 PrintAndLog("trailer: %s", sprint_hex(data + (sectorNo<32?3:15) * 16, 16));
218
219 PrintAndLogEx(NORMAL, "Trailer decoded:");
220 int bln = mfFirstBlockOfSector(sectorNo);
221 int blinc = (mfNumBlocksPerSector(sectorNo) > 4) ? 5 : 1;
222 for (i = 0; i < 4; i++) {
223 PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &(data + (sectorNo<32?3:15) * 16)[6]));
224 bln += blinc;
225 }
226 PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&(data + (sectorNo<32?3:15) * 16)[9], 1));
227 }
228 } else {
229 PrintAndLog("Command execute timeout");
230 }
231
232 return 0;
233 }
234
235 uint8_t FirstBlockOfSector(uint8_t sectorNo)
236 {
237 if (sectorNo < 32) {
238 return sectorNo * 4;
239 } else {
240 return 32 * 4 + (sectorNo - 32) * 16;
241 }
242 }
243
244 uint8_t NumBlocksPerSector(uint8_t sectorNo)
245 {
246 if (sectorNo < 32) {
247 return 4;
248 } else {
249 return 16;
250 }
251 }
252
253 static int ParamCardSizeSectors(const char c) {
254 int numBlocks = 16;
255 switch (c) {
256 case '0' : numBlocks = 5; break;
257 case '2' : numBlocks = 32; break;
258 case '4' : numBlocks = 40; break;
259 default: numBlocks = 16;
260 }
261 return numBlocks;
262 }
263
264 static int ParamCardSizeBlocks(const char c) {
265 int numBlocks = 16 * 4;
266 switch (c) {
267 case '0' : numBlocks = 5 * 4; break;
268 case '2' : numBlocks = 32 * 4; break;
269 case '4' : numBlocks = 32 * 4 + 8 * 16; break;
270 default: numBlocks = 16 * 4;
271 }
272 return numBlocks;
273 }
274
275 int CmdHF14AMfDump(const char *Cmd)
276 {
277 uint8_t sectorNo, blockNo;
278
279 uint8_t keyA[40][6];
280 uint8_t keyB[40][6];
281 uint8_t rights[40][4];
282 uint8_t carddata[256][16];
283 uint8_t numSectors = 16;
284
285 FILE *fin;
286 FILE *fout;
287
288 UsbCommand resp;
289
290 char cmdp = param_getchar(Cmd, 0);
291 numSectors = ParamCardSizeSectors(cmdp);
292
293 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {
294 PrintAndLog("Usage: hf mf dump [card memory]");
295 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
296 PrintAndLog("");
297 PrintAndLog("Samples: hf mf dump");
298 PrintAndLog(" hf mf dump 4");
299 return 0;
300 }
301
302 if ((fin = fopen("dumpkeys.bin","rb")) == NULL) {
303 PrintAndLog("Could not find file dumpkeys.bin");
304 return 1;
305 }
306
307 // Read keys A from file
308 for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
309 size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);
310 if (bytes_read != 6) {
311 PrintAndLog("File reading error.");
312 fclose(fin);
313 return 2;
314 }
315 }
316
317 // Read keys B from file
318 for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
319 size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);
320 if (bytes_read != 6) {
321 PrintAndLog("File reading error.");
322 fclose(fin);
323 return 2;
324 }
325 }
326
327 fclose(fin);
328
329 PrintAndLog("|-----------------------------------------|");
330 PrintAndLog("|------ Reading sector access bits...-----|");
331 PrintAndLog("|-----------------------------------------|");
332 uint8_t tries = 0;
333 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
334 for (tries = 0; tries < 3; tries++) {
335 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};
336 memcpy(c.d.asBytes, keyA[sectorNo], 6);
337 SendCommand(&c);
338
339 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
340 uint8_t isOK = resp.arg[0] & 0xff;
341 uint8_t *data = resp.d.asBytes;
342 if (isOK){
343 rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0
344 rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1
345 rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2
346 rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer
347 break;
348 } else if (tries == 2) { // on last try set defaults
349 PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);
350 rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
351 rights[sectorNo][3] = 0x01;
352 }
353 } else {
354 PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);
355 rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
356 rights[sectorNo][3] = 0x01;
357 }
358 }
359 }
360
361 PrintAndLog("|-----------------------------------------|");
362 PrintAndLog("|----- Dumping all blocks to file... -----|");
363 PrintAndLog("|-----------------------------------------|");
364
365 bool isOK = true;
366 for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
367 for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
368 bool received = false;
369 for (tries = 0; tries < 3; tries++) {
370 if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A.
371 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
372 memcpy(c.d.asBytes, keyA[sectorNo], 6);
373 SendCommand(&c);
374 received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
375 } else { // data block. Check if it can be read with key A or key B
376 uint8_t data_area = sectorNo<32?blockNo:blockNo/5;
377 if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work
378 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};
379 memcpy(c.d.asBytes, keyB[sectorNo], 6);
380 SendCommand(&c);
381 received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
382 } else if (rights[sectorNo][data_area] == 0x07) { // no key would work
383 isOK = false;
384 PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);
385 tries = 2;
386 } else { // key A would work
387 UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
388 memcpy(c.d.asBytes, keyA[sectorNo], 6);
389 SendCommand(&c);
390 received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
391 }
392 }
393 if (received) {
394 isOK = resp.arg[0] & 0xff;
395 if (isOK) break;
396 }
397 }
398
399 if (received) {
400 isOK = resp.arg[0] & 0xff;
401 uint8_t *data = resp.d.asBytes;
402 if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. Fill in the keys.
403 data[0] = (keyA[sectorNo][0]);
404 data[1] = (keyA[sectorNo][1]);
405 data[2] = (keyA[sectorNo][2]);
406 data[3] = (keyA[sectorNo][3]);
407 data[4] = (keyA[sectorNo][4]);
408 data[5] = (keyA[sectorNo][5]);
409 data[10] = (keyB[sectorNo][0]);
410 data[11] = (keyB[sectorNo][1]);
411 data[12] = (keyB[sectorNo][2]);
412 data[13] = (keyB[sectorNo][3]);
413 data[14] = (keyB[sectorNo][4]);
414 data[15] = (keyB[sectorNo][5]);
415 }
416 if (isOK) {
417 memcpy(carddata[FirstBlockOfSector(sectorNo) + blockNo], data, 16);
418 PrintAndLog("Successfully read block %2d of sector %2d.", blockNo, sectorNo);
419 } else {
420 PrintAndLog("Could not read block %2d of sector %2d", blockNo, sectorNo);
421 break;
422 }
423 }
424 else {
425 isOK = false;
426 PrintAndLog("Command execute timeout when trying to read block %2d of sector %2d.", blockNo, sectorNo);
427 break;
428 }
429 }
430 }
431
432 if (isOK) {
433 if ((fout = fopen("dumpdata.bin","wb")) == NULL) {
434 PrintAndLog("Could not create file name dumpdata.bin");
435 return 1;
436 }
437 uint16_t numblocks = FirstBlockOfSector(numSectors - 1) + NumBlocksPerSector(numSectors - 1);
438 fwrite(carddata, 1, 16*numblocks, fout);
439 fclose(fout);
440 PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks);
441 }
442
443 return 0;
444 }
445
446 int CmdHF14AMfRestore(const char *Cmd)
447 {
448 uint8_t sectorNo,blockNo;
449 uint8_t keyType = 0;
450 uint8_t key[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
451 uint8_t bldata[16] = {0x00};
452 uint8_t keyA[40][6];
453 uint8_t keyB[40][6];
454 uint8_t numSectors;
455
456 FILE *fdump;
457 FILE *fkeys;
458
459 char cmdp = param_getchar(Cmd, 0);
460 switch (cmdp) {
461 case '0' : numSectors = 5; break;
462 case '1' :
463 case '\0': numSectors = 16; break;
464 case '2' : numSectors = 32; break;
465 case '4' : numSectors = 40; break;
466 default: numSectors = 16;
467 }
468
469 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {
470 PrintAndLog("Usage: hf mf restore [card memory]");
471 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
472 PrintAndLog("");
473 PrintAndLog("Samples: hf mf restore");
474 PrintAndLog(" hf mf restore 4");
475 return 0;
476 }
477
478 if ((fkeys = fopen("dumpkeys.bin","rb")) == NULL) {
479 PrintAndLog("Could not find file dumpkeys.bin");
480 return 1;
481 }
482
483 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
484 size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);
485 if (bytes_read != 6) {
486 PrintAndLog("File reading error (dumpkeys.bin).");
487 fclose(fkeys);
488 return 2;
489 }
490 }
491
492 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
493 size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);
494 if (bytes_read != 6) {
495 PrintAndLog("File reading error (dumpkeys.bin).");
496 fclose(fkeys);
497 return 2;
498 }
499 }
500
501 fclose(fkeys);
502
503 if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {
504 PrintAndLog("Could not find file dumpdata.bin");
505 return 1;
506 }
507 PrintAndLog("Restoring dumpdata.bin to card");
508
509 for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
510 for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
511 UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};
512 memcpy(c.d.asBytes, key, 6);
513
514 size_t bytes_read = fread(bldata, 1, 16, fdump);
515 if (bytes_read != 16) {
516 PrintAndLog("File reading error (dumpdata.bin).");
517 fclose(fdump);
518 return 2;
519 }
520
521 if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer
522 bldata[0] = (keyA[sectorNo][0]);
523 bldata[1] = (keyA[sectorNo][1]);
524 bldata[2] = (keyA[sectorNo][2]);
525 bldata[3] = (keyA[sectorNo][3]);
526 bldata[4] = (keyA[sectorNo][4]);
527 bldata[5] = (keyA[sectorNo][5]);
528 bldata[10] = (keyB[sectorNo][0]);
529 bldata[11] = (keyB[sectorNo][1]);
530 bldata[12] = (keyB[sectorNo][2]);
531 bldata[13] = (keyB[sectorNo][3]);
532 bldata[14] = (keyB[sectorNo][4]);
533 bldata[15] = (keyB[sectorNo][5]);
534 }
535
536 PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16));
537
538 memcpy(c.d.asBytes + 10, bldata, 16);
539 SendCommand(&c);
540
541 UsbCommand resp;
542 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
543 uint8_t isOK = resp.arg[0] & 0xff;
544 PrintAndLog("isOk:%02x", isOK);
545 } else {
546 PrintAndLog("Command execute timeout");
547 }
548 }
549 }
550
551 fclose(fdump);
552 return 0;
553 }
554
555 //----------------------------------------------
556 // Nested
557 //----------------------------------------------
558
559 static void parseParamTDS(const char *Cmd, const uint8_t indx, bool *paramT, bool *paramD, uint8_t *timeout) {
560 char ctmp3[4] = {0};
561 int len = param_getlength(Cmd, indx);
562 if (len > 0 && len < 4){
563 param_getstr(Cmd, indx, ctmp3, sizeof(ctmp3));
564
565 *paramT |= (ctmp3[0] == 't' || ctmp3[0] == 'T');
566 *paramD |= (ctmp3[0] == 'd' || ctmp3[0] == 'D');
567 bool paramS1 = *paramT || *paramD;
568
569 // slow and very slow
570 if (ctmp3[0] == 's' || ctmp3[0] == 'S' || ctmp3[1] == 's' || ctmp3[1] == 'S') {
571 *timeout = 11; // slow
572
573 if (!paramS1 && (ctmp3[1] == 's' || ctmp3[1] == 'S')) {
574 *timeout = 53; // very slow
575 }
576 if (paramS1 && (ctmp3[2] == 's' || ctmp3[2] == 'S')) {
577 *timeout = 53; // very slow
578 }
579 }
580 }
581 }
582
583 int CmdHF14AMfNested(const char *Cmd)
584 {
585 int i, j, res, iterations;
586 sector_t *e_sector = NULL;
587 uint8_t blockNo = 0;
588 uint8_t keyType = 0;
589 uint8_t trgBlockNo = 0;
590 uint8_t trgKeyType = 0;
591 uint8_t SectorsCnt = 0;
592 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
593 uint8_t keyBlock[MifareDefaultKeysSize * 6];
594 uint64_t key64 = 0;
595 // timeout in units. (ms * 106)/10 or us*0.0106
596 uint8_t btimeout14a = MF_CHKKEYS_DEFTIMEOUT; // fast by default
597
598 bool autosearchKey = false;
599
600 bool transferToEml = false;
601 bool createDumpFile = false;
602 FILE *fkeys;
603 uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
604 uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
605
606 char cmdp, ctmp;
607
608 if (strlen(Cmd)<3) {
609 PrintAndLog("Usage:");
610 PrintAndLog(" all sectors: hf mf nested <card memory> <block number> <key A/B> <key (12 hex symbols)> [t|d|s|ss]");
611 PrintAndLog(" all sectors autosearch key: hf mf nested <card memory> * [t|d|s|ss]");
612 PrintAndLog(" one sector: hf mf nested o <block number> <key A/B> <key (12 hex symbols)>");
613 PrintAndLog(" <target block number> <target key A/B> [t]");
614 PrintAndLog(" ");
615 PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");
616 PrintAndLog("t - transfer keys to emulator memory");
617 PrintAndLog("d - write keys to binary file dumpkeys.bin");
618 PrintAndLog("s - Slow (1ms) check keys (required by some non standard cards)");
619 PrintAndLog("ss - Very slow (5ms) check keys");
620 PrintAndLog(" ");
621 PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");
622 PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");
623 PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");
624 PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");
625 PrintAndLog(" sample5: hf mf nested 1 * t");
626 PrintAndLog(" sample6: hf mf nested 1 * ss");
627 return 0;
628 }
629
630 // <card memory>
631 cmdp = param_getchar(Cmd, 0);
632 if (cmdp == 'o' || cmdp == 'O') {
633 cmdp = 'o';
634 SectorsCnt = 1;
635 } else {
636 SectorsCnt = ParamCardSizeSectors(cmdp);
637 }
638
639 // <block number>. number or autosearch key (*)
640 if (param_getchar(Cmd, 1) == '*') {
641 autosearchKey = true;
642
643 parseParamTDS(Cmd, 2, &transferToEml, &createDumpFile, &btimeout14a);
644
645 PrintAndLog("--nested. sectors:%2d, block no:*, eml:%c, dmp=%c checktimeout=%d us",
646 SectorsCnt, transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);
647 } else {
648 blockNo = param_get8(Cmd, 1);
649
650 ctmp = param_getchar(Cmd, 2);
651 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
652 PrintAndLog("Key type must be A or B");
653 return 1;
654 }
655
656 if (ctmp != 'A' && ctmp != 'a')
657 keyType = 1;
658
659 if (param_gethex(Cmd, 3, key, 12)) {
660 PrintAndLog("Key must include 12 HEX symbols");
661 return 1;
662 }
663
664 // check if we can authenticate to sector
665 res = mfCheckKeys(blockNo, keyType, true, 1, key, &key64);
666 if (res) {
667 PrintAndLog("Can't authenticate to block:%3d key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
668 return 3;
669 }
670
671 // one sector nested
672 if (cmdp == 'o') {
673 trgBlockNo = param_get8(Cmd, 4);
674
675 ctmp = param_getchar(Cmd, 5);
676 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
677 PrintAndLog("Target key type must be A or B");
678 return 1;
679 }
680 if (ctmp != 'A' && ctmp != 'a')
681 trgKeyType = 1;
682
683 parseParamTDS(Cmd, 6, &transferToEml, &createDumpFile, &btimeout14a);
684 } else {
685 parseParamTDS(Cmd, 4, &transferToEml, &createDumpFile, &btimeout14a);
686 }
687
688 PrintAndLog("--nested. sectors:%2d, block no:%3d, key type:%c, eml:%c, dmp=%c checktimeout=%d us",
689 SectorsCnt, blockNo, keyType?'B':'A', transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);
690 }
691
692 // one-sector nested
693 if (cmdp == 'o') { // ------------------------------------ one sector working
694 PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');
695 int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);
696 if (isOK) {
697 switch (isOK) {
698 case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
699 case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
700 case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
701 default : PrintAndLog("Unknown Error.\n");
702 }
703 return 2;
704 }
705 key64 = bytes_to_num(keyBlock, 6);
706 if (key64) {
707 PrintAndLog("Found valid key:%012" PRIx64, key64);
708
709 // transfer key to the emulator
710 if (transferToEml) {
711 uint8_t sectortrailer;
712 if (trgBlockNo < 32*4) { // 4 block sector
713 sectortrailer = trgBlockNo | 0x03;
714 } else { // 16 block sector
715 sectortrailer = trgBlockNo | 0x0f;
716 }
717 mfEmlGetMem(keyBlock, sectortrailer, 1);
718
719 if (!trgKeyType)
720 num_to_bytes(key64, 6, keyBlock);
721 else
722 num_to_bytes(key64, 6, &keyBlock[10]);
723 mfEmlSetMem(keyBlock, sectortrailer, 1);
724 PrintAndLog("Key transferred to emulator memory.");
725 }
726 } else {
727 PrintAndLog("No valid key found");
728 }
729 }
730 else { // ------------------------------------ multiple sectors working
731 uint64_t msclock1;
732 msclock1 = msclock();
733
734 e_sector = calloc(SectorsCnt, sizeof(sector_t));
735 if (e_sector == NULL) return 1;
736
737 //test current key and additional standard keys first
738 for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){
739 num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
740 }
741
742 PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);
743 mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, MifareDefaultKeysSize, keyBlock, e_sector);
744
745 // get known key from array
746 bool keyFound = false;
747 if (autosearchKey) {
748 for (i = 0; i < SectorsCnt; i++) {
749 for (j = 0; j < 2; j++) {
750 if (e_sector[i].foundKey[j]) {
751 // get known key
752 blockNo = i * 4;
753 keyType = j;
754 num_to_bytes(e_sector[i].Key[j], 6, key);
755 keyFound = true;
756 break;
757 }
758 }
759 if (keyFound) break;
760 }
761
762 // Can't found a key....
763 if (!keyFound) {
764 PrintAndLog("Can't found any of the known keys.");
765 free(e_sector);
766 return 4;
767 }
768 PrintAndLog("--auto key. block no:%3d, key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
769 }
770
771 // nested sectors
772 iterations = 0;
773 PrintAndLog("nested...");
774 bool calibrate = true;
775 for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
776 for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
777 for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {
778 if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
779 PrintAndLog("-----------------------------------------------");
780 int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);
781 if(isOK) {
782 switch (isOK) {
783 case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
784 case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
785 case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
786 default : PrintAndLog("Unknown Error.\n");
787 }
788 free(e_sector);
789 return 2;
790 } else {
791 calibrate = false;
792 }
793
794 iterations++;
795
796 key64 = bytes_to_num(keyBlock, 6);
797 if (key64) {
798 PrintAndLog("Found valid key:%012" PRIx64, key64);
799 e_sector[sectorNo].foundKey[trgKeyType] = 1;
800 e_sector[sectorNo].Key[trgKeyType] = key64;
801
802 // try to check this key as a key to the other sectors
803 mfCheckKeysSec(SectorsCnt, 2, btimeout14a, true, 1, keyBlock, e_sector);
804 }
805 }
806 }
807 }
808
809 // print nested statistic
810 PrintAndLog("\n\n-----------------------------------------------\nNested statistic:\nIterations count: %d", iterations);
811 PrintAndLog("Time in nested: %1.3f (%1.3f sec per key)", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);
812
813 // print result
814 PrintAndLog("|---|----------------|---|----------------|---|");
815 PrintAndLog("|sec|key A |res|key B |res|");
816 PrintAndLog("|---|----------------|---|----------------|---|");
817 for (i = 0; i < SectorsCnt; i++) {
818 PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i,
819 e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
820 }
821 PrintAndLog("|---|----------------|---|----------------|---|");
822
823 // transfer keys to the emulator memory
824 if (transferToEml) {
825 for (i = 0; i < SectorsCnt; i++) {
826 mfEmlGetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
827 if (e_sector[i].foundKey[0])
828 num_to_bytes(e_sector[i].Key[0], 6, keyBlock);
829 if (e_sector[i].foundKey[1])
830 num_to_bytes(e_sector[i].Key[1], 6, &keyBlock[10]);
831 mfEmlSetMem(keyBlock, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
832 }
833 PrintAndLog("Keys transferred to emulator memory.");
834 }
835
836 // Create dump file
837 if (createDumpFile) {
838 if ((fkeys = fopen("dumpkeys.bin","wb")) == NULL) {
839 PrintAndLog("Could not create file dumpkeys.bin");
840 free(e_sector);
841 return 1;
842 }
843 PrintAndLog("Printing keys to binary file dumpkeys.bin...");
844 for(i=0; i<SectorsCnt; i++) {
845 if (e_sector[i].foundKey[0]){
846 num_to_bytes(e_sector[i].Key[0], 6, tempkey);
847 fwrite ( tempkey, 1, 6, fkeys );
848 }
849 else{
850 fwrite ( &standart, 1, 6, fkeys );
851 }
852 }
853 for(i=0; i<SectorsCnt; i++) {
854 if (e_sector[i].foundKey[1]){
855 num_to_bytes(e_sector[i].Key[1], 6, tempkey);
856 fwrite ( tempkey, 1, 6, fkeys );
857 }
858 else{
859 fwrite ( &standart, 1, 6, fkeys );
860 }
861 }
862 fclose(fkeys);
863 }
864
865 free(e_sector);
866 }
867 return 0;
868 }
869
870
871 int CmdHF14AMfNestedHard(const char *Cmd)
872 {
873 uint8_t blockNo = 0;
874 uint8_t keyType = 0;
875 uint8_t trgBlockNo = 0;
876 uint8_t trgKeyType = 0;
877 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
878 uint8_t trgkey[6] = {0, 0, 0, 0, 0, 0};
879
880 char ctmp;
881 ctmp = param_getchar(Cmd, 0);
882
883 if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) {
884 PrintAndLog("Usage:");
885 PrintAndLog(" hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>");
886 PrintAndLog(" <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]");
887 PrintAndLog(" or hf mf hardnested r [known target key]");
888 PrintAndLog(" ");
889 PrintAndLog("Options: ");
890 PrintAndLog(" w: Acquire nonces and write them to binary file nonces.bin");
891 PrintAndLog(" s: Slower acquisition (required by some non standard cards)");
892 PrintAndLog(" r: Read nonces.bin and start attack");
893 PrintAndLog(" iX: set type of SIMD instructions. Without this flag programs autodetect it.");
894 PrintAndLog(" i5: AVX512");
895 PrintAndLog(" i2: AVX2");
896 PrintAndLog(" ia: AVX");
897 PrintAndLog(" is: SSE2");
898 PrintAndLog(" im: MMX");
899 PrintAndLog(" in: none (use CPU regular instruction set)");
900 PrintAndLog(" ");
901 PrintAndLog(" sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A");
902 PrintAndLog(" sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w");
903 PrintAndLog(" sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s");
904 PrintAndLog(" sample4: hf mf hardnested r");
905 PrintAndLog(" ");
906 PrintAndLog("Add the known target key to check if it is present in the remaining key space:");
907 PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF");
908 return 0;
909 }
910
911 bool know_target_key = false;
912 bool nonce_file_read = false;
913 bool nonce_file_write = false;
914 bool slow = false;
915 int tests = 0;
916
917
918 uint16_t iindx = 0;
919 if (ctmp == 'R' || ctmp == 'r') {
920 nonce_file_read = true;
921 iindx = 1;
922 if (!param_gethex(Cmd, 1, trgkey, 12)) {
923 know_target_key = true;
924 iindx = 2;
925 }
926 } else if (ctmp == 'T' || ctmp == 't') {
927 tests = param_get32ex(Cmd, 1, 100, 10);
928 iindx = 2;
929 if (!param_gethex(Cmd, 2, trgkey, 12)) {
930 know_target_key = true;
931 iindx = 3;
932 }
933 } else {
934 blockNo = param_get8(Cmd, 0);
935 ctmp = param_getchar(Cmd, 1);
936 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
937 PrintAndLog("Key type must be A or B");
938 return 1;
939 }
940 if (ctmp != 'A' && ctmp != 'a') {
941 keyType = 1;
942 }
943
944 if (param_gethex(Cmd, 2, key, 12)) {
945 PrintAndLog("Key must include 12 HEX symbols");
946 return 1;
947 }
948
949 trgBlockNo = param_get8(Cmd, 3);
950 ctmp = param_getchar(Cmd, 4);
951 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
952 PrintAndLog("Target key type must be A or B");
953 return 1;
954 }
955 if (ctmp != 'A' && ctmp != 'a') {
956 trgKeyType = 1;
957 }
958
959 uint16_t i = 5;
960
961 if (!param_gethex(Cmd, 5, trgkey, 12)) {
962 know_target_key = true;
963 i++;
964 }
965 iindx = i;
966
967 while ((ctmp = param_getchar(Cmd, i))) {
968 if (ctmp == 's' || ctmp == 'S') {
969 slow = true;
970 } else if (ctmp == 'w' || ctmp == 'W') {
971 nonce_file_write = true;
972 } else if (param_getlength(Cmd, i) == 2 && ctmp == 'i') {
973 iindx = i;
974 } else {
975 PrintAndLog("Possible options are w , s and/or iX");
976 return 1;
977 }
978 i++;
979 }
980 }
981
982 SetSIMDInstr(SIMD_AUTO);
983 if (iindx > 0) {
984 while ((ctmp = param_getchar(Cmd, iindx))) {
985 if (param_getlength(Cmd, iindx) == 2 && ctmp == 'i') {
986 switch(param_getchar_indx(Cmd, 1, iindx)) {
987 case '5':
988 SetSIMDInstr(SIMD_AVX512);
989 break;
990 case '2':
991 SetSIMDInstr(SIMD_AVX2);
992 break;
993 case 'a':
994 SetSIMDInstr(SIMD_AVX);
995 break;
996 case 's':
997 SetSIMDInstr(SIMD_SSE2);
998 break;
999 case 'm':
1000 SetSIMDInstr(SIMD_MMX);
1001 break;
1002 case 'n':
1003 SetSIMDInstr(SIMD_NONE);
1004 break;
1005 default:
1006 PrintAndLog("Unknown SIMD type. %c", param_getchar_indx(Cmd, 1, iindx));
1007 return 1;
1008 }
1009 }
1010 iindx++;
1011 }
1012 }
1013
1014 PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ",
1015 trgBlockNo,
1016 trgKeyType?'B':'A',
1017 trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5],
1018 know_target_key?"":" (not set)",
1019 nonce_file_write?"write":nonce_file_read?"read":"none",
1020 slow?"Yes":"No",
1021 tests);
1022
1023 int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests);
1024
1025 if (isOK) {
1026 switch (isOK) {
1027 case 1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
1028 case 2 : PrintAndLog("Button pressed. Aborted.\n"); break;
1029 default : break;
1030 }
1031 return 2;
1032 }
1033
1034 return 0;
1035 }
1036
1037
1038 int CmdHF14AMfChk(const char *Cmd)
1039 {
1040 if (strlen(Cmd)<3) {
1041 PrintAndLog("Usage: hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d|s|ss] [<key (12 hex symbols)>] [<dic (*.dic)>]");
1042 PrintAndLog(" * - all sectors");
1043 PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");
1044 PrintAndLog("d - write keys to binary file\n");
1045 PrintAndLog("t - write keys to emulator memory");
1046 PrintAndLog("s - slow execute. timeout 1ms");
1047 PrintAndLog("ss - very slow execute. timeout 5ms");
1048 PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic");
1049 PrintAndLog(" hf mf chk *1 ? t");
1050 PrintAndLog(" hf mf chk *1 ? d");
1051 PrintAndLog(" hf mf chk *1 ? s");
1052 PrintAndLog(" hf mf chk *1 ? dss");
1053 return 0;
1054 }
1055
1056 FILE * f;
1057 char filename[FILE_PATH_SIZE]={0};
1058 char buf[13];
1059 uint8_t *keyBlock = NULL, *p;
1060 uint16_t stKeyBlock = 20;
1061
1062 int i, res;
1063 int keycnt = 0;
1064 char ctmp = 0x00;
1065 int clen = 0;
1066 uint8_t blockNo = 0;
1067 uint8_t SectorsCnt = 0;
1068 uint8_t keyType = 0;
1069 uint64_t key64 = 0;
1070 // timeout in units. (ms * 106)/10 or us*0.0106
1071 uint8_t btimeout14a = MF_CHKKEYS_DEFTIMEOUT; // fast by default
1072 bool param3InUse = false;
1073
1074 bool transferToEml = 0;
1075 bool createDumpFile = 0;
1076
1077 sector_t *e_sector = NULL;
1078
1079 keyBlock = calloc(stKeyBlock, 6);
1080 if (keyBlock == NULL) return 1;
1081
1082 int defaultKeysSize = MifareDefaultKeysSize;
1083 for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++){
1084 num_to_bytes(MifareDefaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
1085 }
1086
1087 if (param_getchar(Cmd, 0)=='*') {
1088 SectorsCnt = ParamCardSizeSectors(param_getchar(Cmd + 1, 0));
1089 }
1090 else
1091 blockNo = param_get8(Cmd, 0);
1092
1093 ctmp = param_getchar(Cmd, 1);
1094 clen = param_getlength(Cmd, 1);
1095 if (clen == 1) {
1096 switch (ctmp) {
1097 case 'a': case 'A':
1098 keyType = 0;
1099 break;
1100 case 'b': case 'B':
1101 keyType = 1;
1102 break;
1103 case '?':
1104 keyType = 2;
1105 break;
1106 default:
1107 PrintAndLog("Key type must be A , B or ?");
1108 free(keyBlock);
1109 return 1;
1110 };
1111 }
1112
1113 parseParamTDS(Cmd, 2, &transferToEml, &createDumpFile, &btimeout14a);
1114
1115 param3InUse = transferToEml | createDumpFile | (btimeout14a != MF_CHKKEYS_DEFTIMEOUT);
1116
1117 PrintAndLog("--chk keys. sectors:%2d, block no:%3d, key type:%c, eml:%c, dmp=%c checktimeout=%d us",
1118 SectorsCnt, blockNo, keyType?'B':'A', transferToEml?'y':'n', createDumpFile?'y':'n', ((int)btimeout14a * 10000) / 106);
1119
1120 for (i = param3InUse; param_getchar(Cmd, 2 + i); i++) {
1121 if (!param_gethex(Cmd, 2 + i, keyBlock + 6 * keycnt, 12)) {
1122 if ( stKeyBlock - keycnt < 2) {
1123 p = realloc(keyBlock, 6*(stKeyBlock+=10));
1124 if (!p) {
1125 PrintAndLog("Cannot allocate memory for Keys");
1126 free(keyBlock);
1127 return 2;
1128 }
1129 keyBlock = p;
1130 }
1131 PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
1132 (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
1133 (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);
1134 keycnt++;
1135 } else {
1136 // May be a dic file
1137 if ( param_getstr(Cmd, 2 + i, filename, sizeof(filename)) >= FILE_PATH_SIZE ) {
1138 PrintAndLog("File name too long");
1139 free(keyBlock);
1140 return 2;
1141 }
1142
1143 if ( (f = fopen( filename , "r")) ) {
1144 while( fgets(buf, sizeof(buf), f) ){
1145 if (strlen(buf) < 12 || buf[11] == '\n')
1146 continue;
1147
1148 while (fgetc(f) != '\n' && !feof(f)) ; //goto next line
1149
1150 if( buf[0]=='#' ) continue; //The line start with # is comment, skip
1151
1152 if (!isxdigit((unsigned char)buf[0])){
1153 PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);
1154 continue;
1155 }
1156
1157 buf[12] = 0;
1158
1159 if ( stKeyBlock - keycnt < 2) {
1160 p = realloc(keyBlock, 6*(stKeyBlock+=10));
1161 if (!p) {
1162 PrintAndLog("Cannot allocate memory for defKeys");
1163 free(keyBlock);
1164 fclose(f);
1165 return 2;
1166 }
1167 keyBlock = p;
1168 }
1169 memset(keyBlock + 6 * keycnt, 0, 6);
1170 num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);
1171 PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
1172 keycnt++;
1173 memset(buf, 0, sizeof(buf));
1174 }
1175 fclose(f);
1176 } else {
1177 PrintAndLog("File: %s: not found or locked.", filename);
1178 free(keyBlock);
1179 return 1;
1180
1181 }
1182 }
1183 }
1184
1185 // fill with default keys
1186 if (keycnt == 0) {
1187 PrintAndLog("No key specified, trying default keys");
1188 for (;keycnt < defaultKeysSize; keycnt++)
1189 PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
1190 (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
1191 (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);
1192 }
1193
1194 // initialize storage for found keys
1195 e_sector = calloc(SectorsCnt, sizeof(sector_t));
1196 if (e_sector == NULL) {
1197 free(keyBlock);
1198 return 1;
1199 }
1200 for (uint8_t keyAB = 0; keyAB < 2; keyAB++) {
1201 for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
1202 e_sector[sectorNo].Key[keyAB] = 0xffffffffffff;
1203 e_sector[sectorNo].foundKey[keyAB] = 0;
1204 }
1205 }
1206 printf("\n");
1207
1208 bool foundAKey = false;
1209 uint32_t max_keys = keycnt > USB_CMD_DATA_SIZE / 6 ? USB_CMD_DATA_SIZE / 6 : keycnt;
1210 if (SectorsCnt) {
1211 PrintAndLog("To cancel this operation press the button on the proxmark...");
1212 printf("--");
1213 for (uint32_t c = 0; c < keycnt; c += max_keys) {
1214
1215 uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;
1216 res = mfCheckKeysSec(SectorsCnt, keyType, btimeout14a, true, size, &keyBlock[6 * c], e_sector); // timeout is (ms * 106)/10 or us*0.0106
1217
1218 if (res != 1) {
1219 if (!res) {
1220 printf("o");
1221 foundAKey = true;
1222 } else {
1223 printf(".");
1224 }
1225 } else {
1226 printf("\n");
1227 PrintAndLog("Command execute timeout");
1228 }
1229 }
1230 } else {
1231 int keyAB = keyType;
1232 do {
1233 for (uint32_t c = 0; c < keycnt; c+=max_keys) {
1234
1235 uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;
1236 res = mfCheckKeys(blockNo, keyAB & 0x01, true, size, &keyBlock[6 * c], &key64);
1237
1238 if (res != 1) {
1239 if (!res) {
1240 PrintAndLog("Found valid key:[%d:%c]%012" PRIx64, blockNo, (keyAB & 0x01)?'B':'A', key64);
1241 foundAKey = true;
1242 }
1243 } else {
1244 PrintAndLog("Command execute timeout");
1245 }
1246 }
1247 } while(--keyAB > 0);
1248 }
1249
1250 // print result
1251 if (foundAKey) {
1252 if (SectorsCnt) {
1253 PrintAndLog("");
1254 PrintAndLog("|---|----------------|---|----------------|---|");
1255 PrintAndLog("|sec|key A |res|key B |res|");
1256 PrintAndLog("|---|----------------|---|----------------|---|");
1257 for (i = 0; i < SectorsCnt; i++) {
1258 PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i,
1259 e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
1260 }
1261 PrintAndLog("|---|----------------|---|----------------|---|");
1262 }
1263 } else {
1264 PrintAndLog("");
1265 PrintAndLog("No valid keys found.");
1266 }
1267
1268 if (transferToEml) {
1269 uint8_t block[16];
1270 for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
1271 if (e_sector[sectorNo].foundKey[0] || e_sector[sectorNo].foundKey[1]) {
1272 mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
1273 for (uint16_t t = 0; t < 2; t++) {
1274 if (e_sector[sectorNo].foundKey[t]) {
1275 num_to_bytes(e_sector[sectorNo].Key[t], 6, block + t * 10);
1276 }
1277 }
1278 mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
1279 }
1280 }
1281 PrintAndLog("Found keys have been transferred to the emulator memory");
1282 }
1283
1284 if (createDumpFile) {
1285 FILE *fkeys = fopen("dumpkeys.bin","wb");
1286 if (fkeys == NULL) {
1287 PrintAndLog("Could not create file dumpkeys.bin");
1288 free(e_sector);
1289 free(keyBlock);
1290 return 1;
1291 }
1292 uint8_t mkey[6];
1293 for (uint8_t t = 0; t < 2; t++) {
1294 for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
1295 num_to_bytes(e_sector[sectorNo].Key[t], 6, mkey);
1296 fwrite(mkey, 1, 6, fkeys);
1297 }
1298 }
1299 fclose(fkeys);
1300 PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");
1301 }
1302
1303 free(e_sector);
1304 free(keyBlock);
1305 PrintAndLog("");
1306 return 0;
1307 }
1308
1309 void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {
1310 #define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()
1311 // cannot be more than 7 or it will overrun c.d.asBytes(512)
1312 uint64_t key = 0;
1313 typedef struct {
1314 uint64_t keyA;
1315 uint64_t keyB;
1316 } st_t;
1317 st_t sector_trailer[ATTACK_KEY_COUNT];
1318 memset(sector_trailer, 0x00, sizeof(sector_trailer));
1319
1320 uint8_t stSector[ATTACK_KEY_COUNT];
1321 memset(stSector, 0x00, sizeof(stSector));
1322 uint8_t key_cnt[ATTACK_KEY_COUNT];
1323 memset(key_cnt, 0x00, sizeof(key_cnt));
1324
1325 for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
1326 if (ar_resp[i].ar2 > 0) {
1327 //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);
1328 if (doStandardAttack && mfkey32(ar_resp[i], &key)) {
1329 PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));
1330
1331 for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
1332 if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {
1333 if (ar_resp[i].keytype==0) {
1334 //keyA
1335 sector_trailer[ii].keyA = key;
1336 stSector[ii] = ar_resp[i].sector;
1337 key_cnt[ii]++;
1338 break;
1339 } else {
1340 //keyB
1341 sector_trailer[ii].keyB = key;
1342 stSector[ii] = ar_resp[i].sector;
1343 key_cnt[ii]++;
1344 break;
1345 }
1346 }
1347 }
1348 } else if (mfkey32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {
1349 uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;
1350 uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;
1351
1352 PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"
1353 , keyType ? "B" : "A"
1354 , sectorNum
1355 , key
1356 );
1357
1358 for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
1359 if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {
1360 if (keyType==0) {
1361 //keyA
1362 sector_trailer[ii].keyA = key;
1363 stSector[ii] = sectorNum;
1364 key_cnt[ii]++;
1365 break;
1366 } else {
1367 //keyB
1368 sector_trailer[ii].keyB = key;
1369 stSector[ii] = sectorNum;
1370 key_cnt[ii]++;
1371 break;
1372 }
1373 }
1374 }
1375 continue;
1376 }
1377 }
1378 }
1379 //set emulator memory for keys
1380 if (setEmulatorMem) {
1381 for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
1382 if (key_cnt[i]>0) {
1383 uint8_t memBlock[16];
1384 memset(memBlock, 0x00, sizeof(memBlock));
1385 char cmd1[36];
1386 memset(cmd1,0x00,sizeof(cmd1));
1387 snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));
1388 PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);
1389 if (param_gethex(cmd1, 0, memBlock, 32)) {
1390 PrintAndLog("block data must include 32 HEX symbols");
1391 return;
1392 }
1393
1394 UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};
1395 memcpy(c.d.asBytes, memBlock, 16);
1396 clearCommandBuffer();
1397 SendCommand(&c);
1398 }
1399 }
1400 }
1401 /*
1402 //un-comment to use as well moebius attack
1403 for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {
1404 if (ar_resp[i].ar2 > 0) {
1405 if (tryMfk32_moebius(ar_resp[i], &key)) {
1406 PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));
1407 }
1408 }
1409 }*/
1410 }
1411
1412 int usage_hf14_mf1ksim(void) {
1413 PrintAndLog("Usage: hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");
1414 PrintAndLog("options:");
1415 PrintAndLog(" h this help");
1416 PrintAndLog(" u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");
1417 PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");
1418 PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
1419 PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
1420 PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");
1421 PrintAndLog(" f (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");
1422 PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");
1423 PrintAndLog("samples:");
1424 PrintAndLog(" hf mf sim u 0a0a0a0a");
1425 PrintAndLog(" hf mf sim u 11223344556677");
1426 PrintAndLog(" hf mf sim u 112233445566778899AA");
1427 PrintAndLog(" hf mf sim f uids.txt");
1428 PrintAndLog(" hf mf sim u 0a0a0a0a e");
1429
1430 return 0;
1431 }
1432
1433 int CmdHF14AMf1kSim(const char *Cmd) {
1434 UsbCommand resp;
1435 uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1436 uint8_t exitAfterNReads = 0;
1437 uint8_t flags = 0;
1438 int uidlen = 0;
1439 uint8_t pnr = 0;
1440 bool setEmulatorMem = false;
1441 bool attackFromFile = false;
1442 FILE *f;
1443 char filename[FILE_PATH_SIZE];
1444 memset(filename, 0x00, sizeof(filename));
1445 int len = 0;
1446 char buf[64];
1447
1448 uint8_t cmdp = 0;
1449 bool errors = false;
1450
1451 while(param_getchar(Cmd, cmdp) != 0x00) {
1452 switch(param_getchar(Cmd, cmdp)) {
1453 case 'e':
1454 case 'E':
1455 setEmulatorMem = true;
1456 //implies x and i
1457 flags |= FLAG_INTERACTIVE;
1458 flags |= FLAG_NR_AR_ATTACK;
1459 cmdp++;
1460 break;
1461 case 'f':
1462 case 'F':
1463 len = param_getstr(Cmd, cmdp+1, filename, sizeof(filename));
1464 if (len < 1) {
1465 PrintAndLog("error no filename found");
1466 return 0;
1467 }
1468 attackFromFile = true;
1469 //implies x and i
1470 flags |= FLAG_INTERACTIVE;
1471 flags |= FLAG_NR_AR_ATTACK;
1472 cmdp += 2;
1473 break;
1474 case 'h':
1475 case 'H':
1476 return usage_hf14_mf1ksim();
1477 case 'i':
1478 case 'I':
1479 flags |= FLAG_INTERACTIVE;
1480 cmdp++;
1481 break;
1482 case 'n':
1483 case 'N':
1484 exitAfterNReads = param_get8(Cmd, pnr+1);
1485 cmdp += 2;
1486 break;
1487 case 'r':
1488 case 'R':
1489 flags |= FLAG_RANDOM_NONCE;
1490 cmdp++;
1491 break;
1492 case 'u':
1493 case 'U':
1494 param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
1495 switch(uidlen) {
1496 case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete
1497 case 14: flags = FLAG_7B_UID_IN_DATA; break;
1498 case 8: flags = FLAG_4B_UID_IN_DATA; break;
1499 default: return usage_hf14_mf1ksim();
1500 }
1501 cmdp += 2;
1502 break;
1503 case 'x':
1504 case 'X':
1505 flags |= FLAG_NR_AR_ATTACK;
1506 cmdp++;
1507 break;
1508 default:
1509 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1510 errors = true;
1511 break;
1512 }
1513 if(errors) break;
1514 }
1515 //Validations
1516 if(errors) return usage_hf14_mf1ksim();
1517
1518 //get uid from file
1519 if (attackFromFile) {
1520 int count = 0;
1521 // open file
1522 f = fopen(filename, "r");
1523 if (f == NULL) {
1524 PrintAndLog("File %s not found or locked", filename);
1525 return 1;
1526 }
1527 PrintAndLog("Loading file and simulating. Press keyboard to abort");
1528 while(!feof(f) && !ukbhit()){
1529 memset(buf, 0, sizeof(buf));
1530 memset(uid, 0, sizeof(uid));
1531
1532 if (fgets(buf, sizeof(buf), f) == NULL) {
1533 if (count > 0) break;
1534
1535 PrintAndLog("File reading error.");
1536 fclose(f);
1537 return 2;
1538 }
1539 if(!strlen(buf) && feof(f)) break;
1540
1541 uidlen = strlen(buf)-1;
1542 switch(uidlen) {
1543 case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete
1544 case 14: flags |= FLAG_7B_UID_IN_DATA; break;
1545 case 8: flags |= FLAG_4B_UID_IN_DATA; break;
1546 default:
1547 PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);
1548 fclose(f);
1549 return 2;
1550 }
1551
1552 for (uint8_t i = 0; i < uidlen; i += 2) {
1553 sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);
1554 }
1555
1556 PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",
1557 flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
1558 flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7):
1559 flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
1560 , exitAfterNReads, flags, flags);
1561
1562 UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
1563 memcpy(c.d.asBytes, uid, sizeof(uid));
1564 clearCommandBuffer();
1565 SendCommand(&c);
1566
1567 while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
1568 //We're waiting only 1.5 s at a time, otherwise we get the
1569 // annoying message about "Waiting for a response... "
1570 }
1571 //got a response
1572 nonces_t ar_resp[ATTACK_KEY_COUNT*2];
1573 memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
1574 // We can skip the standard attack if we have RANDOM_NONCE set.
1575 readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
1576 if ((bool)resp.arg[1]) {
1577 PrintAndLog("Device button pressed - quitting");
1578 fclose(f);
1579 return 4;
1580 }
1581 count++;
1582 }
1583 fclose(f);
1584 } else { //not from file
1585
1586 PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",
1587 flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
1588 flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7):
1589 flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
1590 , exitAfterNReads, flags, flags);
1591
1592 UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
1593 memcpy(c.d.asBytes, uid, sizeof(uid));
1594 clearCommandBuffer();
1595 SendCommand(&c);
1596
1597 if(flags & FLAG_INTERACTIVE) {
1598 PrintAndLog("Press pm3-button to abort simulation");
1599 while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
1600 //We're waiting only 1.5 s at a time, otherwise we get the
1601 // annoying message about "Waiting for a response... "
1602 }
1603 //got a response
1604 if (flags & FLAG_NR_AR_ATTACK) {
1605 nonces_t ar_resp[ATTACK_KEY_COUNT*2];
1606 memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
1607 // We can skip the standard attack if we have RANDOM_NONCE set.
1608 readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
1609 }
1610 }
1611 }
1612
1613 return 0;
1614 }
1615
1616 int CmdHF14AMfDbg(const char *Cmd)
1617 {
1618 int dbgMode = param_get32ex(Cmd, 0, 0, 10);
1619 if (dbgMode > 4) {
1620 PrintAndLog("Max debug mode parameter is 4 \n");
1621 }
1622
1623 if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) {
1624 PrintAndLog("Usage: hf mf dbg <debug level>");
1625 PrintAndLog(" 0 - no debug messages");
1626 PrintAndLog(" 1 - error messages");
1627 PrintAndLog(" 2 - plus information messages");
1628 PrintAndLog(" 3 - plus debug messages");
1629 PrintAndLog(" 4 - print even debug messages in timing critical functions");
1630 PrintAndLog(" Note: this option therefore may cause malfunction itself");
1631 return 0;
1632 }
1633
1634 UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};
1635 SendCommand(&c);
1636
1637 return 0;
1638 }
1639
1640 int CmdHF14AMfEGet(const char *Cmd)
1641 {
1642 uint8_t blockNo = 0;
1643 uint8_t data[16] = {0x00};
1644
1645 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
1646 PrintAndLog("Usage: hf mf eget <block number>");
1647 PrintAndLog(" sample: hf mf eget 0 ");
1648 return 0;
1649 }
1650
1651 blockNo = param_get8(Cmd, 0);
1652
1653 PrintAndLog(" ");
1654 if (!mfEmlGetMem(data, blockNo, 1)) {
1655 PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16));
1656 } else {
1657 PrintAndLog("Command execute timeout");
1658 }
1659
1660 return 0;
1661 }
1662
1663 int CmdHF14AMfEClear(const char *Cmd)
1664 {
1665 if (param_getchar(Cmd, 0) == 'h') {
1666 PrintAndLog("Usage: hf mf eclr");
1667 PrintAndLog("It set card emulator memory to empty data blocks and key A/B FFFFFFFFFFFF \n");
1668 return 0;
1669 }
1670
1671 UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};
1672 SendCommand(&c);
1673 return 0;
1674 }
1675
1676
1677 int CmdHF14AMfESet(const char *Cmd)
1678 {
1679 uint8_t memBlock[16];
1680 uint8_t blockNo = 0;
1681
1682 memset(memBlock, 0x00, sizeof(memBlock));
1683
1684 if (strlen(Cmd) < 3 || param_getchar(Cmd, 0) == 'h') {
1685 PrintAndLog("Usage: hf mf eset <block number> <block data (32 hex symbols)>");
1686 PrintAndLog(" sample: hf mf eset 1 000102030405060708090a0b0c0d0e0f ");
1687 return 0;
1688 }
1689
1690 blockNo = param_get8(Cmd, 0);
1691
1692 if (param_gethex(Cmd, 1, memBlock, 32)) {
1693 PrintAndLog("block data must include 32 HEX symbols");
1694 return 1;
1695 }
1696
1697 // 1 - blocks count
1698 return mfEmlSetMem(memBlock, blockNo, 1);
1699 }
1700
1701
1702 int CmdHF14AMfELoad(const char *Cmd)
1703 {
1704 FILE * f;
1705 char filename[FILE_PATH_SIZE];
1706 char *fnameptr = filename;
1707 char buf[64] = {0x00};
1708 uint8_t buf8[64] = {0x00};
1709 int i, len, blockNum, numBlocks;
1710 int nameParamNo = 1;
1711
1712 char ctmp = param_getchar(Cmd, 0);
1713
1714 if ( ctmp == 'h' || ctmp == 0x00) {
1715 PrintAndLog("It loads emul dump from the file `filename.eml`");
1716 PrintAndLog("Usage: hf mf eload [card memory] <file name w/o `.eml`>");
1717 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1718 PrintAndLog("");
1719 PrintAndLog(" sample: hf mf eload filename");
1720 PrintAndLog(" hf mf eload 4 filename");
1721 return 0;
1722 }
1723
1724 switch (ctmp) {
1725 case '0' : numBlocks = 5*4; break;
1726 case '1' :
1727 case '\0': numBlocks = 16*4; break;
1728 case '2' : numBlocks = 32*4; break;
1729 case '4' : numBlocks = 256; break;
1730 default: {
1731 numBlocks = 16*4;
1732 nameParamNo = 0;
1733 }
1734 }
1735
1736 len = param_getstr(Cmd,nameParamNo,filename,sizeof(filename));
1737
1738 if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
1739
1740 fnameptr += len;
1741
1742 sprintf(fnameptr, ".eml");
1743
1744 // open file
1745 f = fopen(filename, "r");
1746 if (f == NULL) {
1747 PrintAndLog("File %s not found or locked", filename);
1748 return 1;
1749 }
1750
1751 blockNum = 0;
1752 while(!feof(f)){
1753 memset(buf, 0, sizeof(buf));
1754
1755 if (fgets(buf, sizeof(buf), f) == NULL) {
1756
1757 if (blockNum >= numBlocks) break;
1758
1759 PrintAndLog("File reading error.");
1760 fclose(f);
1761 return 2;
1762 }
1763
1764 if (strlen(buf) < 32){
1765 if(strlen(buf) && feof(f))
1766 break;
1767 PrintAndLog("File content error. Block data must include 32 HEX symbols");
1768 fclose(f);
1769 return 2;
1770 }
1771
1772 for (i = 0; i < 32; i += 2) {
1773 sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
1774 }
1775
1776 if (mfEmlSetMem(buf8, blockNum, 1)) {
1777 PrintAndLog("Cant set emul block: %3d", blockNum);
1778 fclose(f);
1779 return 3;
1780 }
1781 printf(".");
1782 blockNum++;
1783
1784 if (blockNum >= numBlocks) break;
1785 }
1786 fclose(f);
1787 printf("\n");
1788
1789 if ((blockNum != numBlocks)) {
1790 PrintAndLog("File content error. Got %d must be %d blocks.",blockNum, numBlocks);
1791 return 4;
1792 }
1793 PrintAndLog("Loaded %d blocks from file: %s", blockNum, filename);
1794 return 0;
1795 }
1796
1797
1798 int CmdHF14AMfESave(const char *Cmd)
1799 {
1800 FILE * f;
1801 char filename[FILE_PATH_SIZE];
1802 char * fnameptr = filename;
1803 uint8_t buf[64];
1804 int i, j, len, numBlocks;
1805 int nameParamNo = 1;
1806
1807 memset(filename, 0, sizeof(filename));
1808 memset(buf, 0, sizeof(buf));
1809
1810 char ctmp = param_getchar(Cmd, 0);
1811
1812 if ( ctmp == 'h' || ctmp == 'H') {
1813 PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`");
1814 PrintAndLog(" Usage: hf mf esave [card memory] [file name w/o `.eml`]");
1815 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1816 PrintAndLog("");
1817 PrintAndLog(" sample: hf mf esave ");
1818 PrintAndLog(" hf mf esave 4");
1819 PrintAndLog(" hf mf esave 4 filename");
1820 return 0;
1821 }
1822
1823 switch (ctmp) {
1824 case '0' : numBlocks = 5*4; break;
1825 case '1' :
1826 case '\0': numBlocks = 16*4; break;
1827 case '2' : numBlocks = 32*4; break;
1828 case '4' : numBlocks = 256; break;
1829 default: {
1830 numBlocks = 16*4;
1831 nameParamNo = 0;
1832 }
1833 }
1834
1835 len = param_getstr(Cmd,nameParamNo,filename,sizeof(filename));
1836
1837 if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
1838
1839 // user supplied filename?
1840 if (len < 1) {
1841 // get filename (UID from memory)
1842 if (mfEmlGetMem(buf, 0, 1)) {
1843 PrintAndLog("Can\'t get UID from block: %d", 0);
1844 len = sprintf(fnameptr, "dump");
1845 fnameptr += len;
1846 }
1847 else {
1848 for (j = 0; j < 7; j++, fnameptr += 2)
1849 sprintf(fnameptr, "%02X", buf[j]);
1850 }
1851 } else {
1852 fnameptr += len;
1853 }
1854
1855 // add file extension
1856 sprintf(fnameptr, ".eml");
1857
1858 // open file
1859 f = fopen(filename, "w+");
1860
1861 if ( !f ) {
1862 PrintAndLog("Can't open file %s ", filename);
1863 return 1;
1864 }
1865
1866 // put hex
1867 for (i = 0; i < numBlocks; i++) {
1868 if (mfEmlGetMem(buf, i, 1)) {
1869 PrintAndLog("Cant get block: %d", i);
1870 break;
1871 }
1872 for (j = 0; j < 16; j++)
1873 fprintf(f, "%02X", buf[j]);
1874 fprintf(f,"\n");
1875 }
1876 fclose(f);
1877
1878 PrintAndLog("Saved %d blocks to file: %s", numBlocks, filename);
1879
1880 return 0;
1881 }
1882
1883
1884 int CmdHF14AMfECFill(const char *Cmd)
1885 {
1886 uint8_t keyType = 0;
1887 uint8_t numSectors = 16;
1888
1889 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
1890 PrintAndLog("Usage: hf mf ecfill <key A/B> [card memory]");
1891 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1892 PrintAndLog("");
1893 PrintAndLog("samples: hf mf ecfill A");
1894 PrintAndLog(" hf mf ecfill A 4");
1895 PrintAndLog("Read card and transfer its data to emulator memory.");
1896 PrintAndLog("Keys must be laid in the emulator memory. \n");
1897 return 0;
1898 }
1899
1900 char ctmp = param_getchar(Cmd, 0);
1901 if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
1902 PrintAndLog("Key type must be A or B");
1903 return 1;
1904 }
1905 if (ctmp != 'A' && ctmp != 'a') keyType = 1;
1906
1907 ctmp = param_getchar(Cmd, 1);
1908 switch (ctmp) {
1909 case '0' : numSectors = 5; break;
1910 case '1' :
1911 case '\0': numSectors = 16; break;
1912 case '2' : numSectors = 32; break;
1913 case '4' : numSectors = 40; break;
1914 default: numSectors = 16;
1915 }
1916
1917 printf("--params: numSectors: %d, keyType:%d\n", numSectors, keyType);
1918 UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};
1919 SendCommand(&c);
1920 return 0;
1921 }
1922
1923 int CmdHF14AMfEKeyPrn(const char *Cmd)
1924 {
1925 int i;
1926 uint8_t numSectors;
1927 uint8_t data[16];
1928 uint64_t keyA, keyB;
1929
1930 if (param_getchar(Cmd, 0) == 'h') {
1931 PrintAndLog("It prints the keys loaded in the emulator memory");
1932 PrintAndLog("Usage: hf mf ekeyprn [card memory]");
1933 PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
1934 PrintAndLog("");
1935 PrintAndLog(" sample: hf mf ekeyprn 1");
1936 return 0;
1937 }
1938
1939 char cmdp = param_getchar(Cmd, 0);
1940
1941 switch (cmdp) {
1942 case '0' : numSectors = 5; break;
1943 case '1' :
1944 case '\0': numSectors = 16; break;
1945 case '2' : numSectors = 32; break;
1946 case '4' : numSectors = 40; break;
1947 default: numSectors = 16;
1948 }
1949
1950 PrintAndLog("|---|----------------|----------------|");
1951 PrintAndLog("|sec|key A |key B |");
1952 PrintAndLog("|---|----------------|----------------|");
1953 for (i = 0; i < numSectors; i++) {
1954 if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {
1955 PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);
1956 break;
1957 }
1958 keyA = bytes_to_num(data, 6);
1959 keyB = bytes_to_num(data + 10, 6);
1960 PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB);
1961 }
1962 PrintAndLog("|---|----------------|----------------|");
1963
1964 return 0;
1965 }
1966
1967 int CmdHF14AMfCSetUID(const char *Cmd)
1968 {
1969 uint8_t uid[8] = {0x00};
1970 uint8_t oldUid[8] = {0x00};
1971 uint8_t atqa[2] = {0x00};
1972 uint8_t sak[1] = {0x00};
1973 uint8_t atqaPresent = 0;
1974 int res;
1975
1976 uint8_t needHelp = 0;
1977 char cmdp = 1;
1978
1979 if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {
1980 PrintAndLog("UID must include 8 HEX symbols");
1981 return 1;
1982 }
1983
1984 if (param_getlength(Cmd, 1) > 1 && param_getlength(Cmd, 2) > 1) {
1985 atqaPresent = 1;
1986 cmdp = 3;
1987
1988 if (param_gethex(Cmd, 1, atqa, 4)) {
1989 PrintAndLog("ATQA must include 4 HEX symbols");
1990 return 1;
1991 }
1992
1993 if (param_gethex(Cmd, 2, sak, 2)) {
1994 PrintAndLog("SAK must include 2 HEX symbols");
1995 return 1;
1996 }
1997 }
1998
1999 while(param_getchar(Cmd, cmdp) != 0x00)
2000 {
2001 switch(param_getchar(Cmd, cmdp))
2002 {
2003 case 'h':
2004 case 'H':
2005 needHelp = 1;
2006 break;
2007 default:
2008 PrintAndLog("ERROR: Unknown parameter '%c'", param_getchar(Cmd, cmdp));
2009 needHelp = 1;
2010 break;
2011 }
2012 cmdp++;
2013 }
2014
2015 if (strlen(Cmd) < 1 || needHelp) {
2016 PrintAndLog("");
2017 PrintAndLog("Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols]");
2018 PrintAndLog("sample: hf mf csetuid 01020304");
2019 PrintAndLog("sample: hf mf csetuid 01020304 0004 08");
2020 PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");
2021 return 0;
2022 }
2023
2024 PrintAndLog("uid:%s", sprint_hex(uid, 4));
2025 if (atqaPresent) {
2026 PrintAndLog("--atqa:%s sak:%02x", sprint_hex(atqa, 2), sak[0]);
2027 }
2028
2029 res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid);
2030 if (res) {
2031 PrintAndLog("Can't set UID. Error=%d", res);
2032 return 1;
2033 }
2034
2035 PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));
2036 PrintAndLog("new UID:%s", sprint_hex(uid, 4));
2037 return 0;
2038 }
2039
2040 int CmdHF14AMfCWipe(const char *Cmd)
2041 {
2042 int res, gen = 0;
2043 int numBlocks = 16 * 4;
2044 bool wipeCard = false;
2045 bool fillCard = false;
2046
2047 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
2048 PrintAndLog("Usage: hf mf cwipe [card size] [w] [f]");
2049 PrintAndLog("sample: hf mf cwipe 1 w f");
2050 PrintAndLog("[card size]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
2051 PrintAndLog("w - Wipe magic Chinese card (only works with gen:1a cards)");
2052 PrintAndLog("f - Fill the card with default data and keys (works with gen:1a and gen:1b cards only)");
2053 return 0;
2054 }
2055
2056 gen = mfCIdentify();
2057 if ((gen != 1) && (gen != 2))
2058 return 1;
2059
2060 numBlocks = ParamCardSizeBlocks(param_getchar(Cmd, 0));
2061
2062 char cmdp = 0;
2063 while(param_getchar(Cmd, cmdp) != 0x00){
2064 switch(param_getchar(Cmd, cmdp)) {
2065 case 'w':
2066 case 'W':
2067 wipeCard = 1;
2068 break;
2069 case 'f':
2070 case 'F':
2071 fillCard = 1;
2072 break;
2073 default:
2074 break;
2075 }
2076 cmdp++;
2077 }
2078
2079 if (!wipeCard && !fillCard)
2080 wipeCard = true;
2081
2082 PrintAndLog("--blocks count:%2d wipe:%c fill:%c", numBlocks, (wipeCard)?'y':'n', (fillCard)?'y':'n');
2083
2084 if (gen == 2) {
2085 /* generation 1b magic card */
2086 if (wipeCard) {
2087 PrintAndLog("WARNING: can't wipe magic card 1b generation");
2088 }
2089 res = mfCWipe(numBlocks, true, false, fillCard);
2090 } else {
2091 /* generation 1a magic card by default */
2092 res = mfCWipe(numBlocks, false, wipeCard, fillCard);
2093 }
2094
2095 if (res) {
2096 PrintAndLog("Can't wipe. error=%d", res);
2097 return 1;
2098 }
2099 PrintAndLog("OK");
2100 return 0;
2101 }
2102
2103 int CmdHF14AMfCSetBlk(const char *Cmd)
2104 {
2105 uint8_t memBlock[16] = {0x00};
2106 uint8_t blockNo = 0;
2107 bool wipeCard = false;
2108 int res, gen = 0;
2109
2110 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
2111 PrintAndLog("Usage: hf mf csetblk <block number> <block data (32 hex symbols)> [w]");
2112 PrintAndLog("sample: hf mf csetblk 1 01020304050607080910111213141516");
2113 PrintAndLog("Set block data for magic Chinese card (only works with such cards)");
2114 PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");
2115 return 0;
2116 }
2117
2118 gen = mfCIdentify();
2119 if ((gen != 1) && (gen != 2))
2120 return 1;
2121
2122 blockNo = param_get8(Cmd, 0);
2123
2124 if (param_gethex(Cmd, 1, memBlock, 32)) {
2125 PrintAndLog("block data must include 32 HEX symbols");
2126 return 1;
2127 }
2128
2129 char ctmp = param_getchar(Cmd, 2);
2130 wipeCard = (ctmp == 'w' || ctmp == 'W');
2131 PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));
2132
2133 if (gen == 2) {
2134 /* generation 1b magic card */
2135 res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B);
2136 } else {
2137 /* generation 1a magic card by default */
2138 res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);
2139 }
2140
2141 if (res) {
2142 PrintAndLog("Can't write block. error=%d", res);
2143 return 1;
2144 }
2145 return 0;
2146 }
2147
2148
2149 int CmdHF14AMfCLoad(const char *Cmd)
2150 {
2151 FILE * f;
2152 char filename[FILE_PATH_SIZE] = {0x00};
2153 char * fnameptr = filename;
2154 char buf[256] = {0x00};
2155 uint8_t buf8[256] = {0x00};
2156 uint8_t fillFromEmulator = 0;
2157 int i, len, blockNum, flags = 0, gen = 0, numblock = 64;
2158
2159 if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
2160 PrintAndLog("It loads magic Chinese card from the file `filename.eml`");
2161 PrintAndLog("or from emulator memory (option `e`). 4K card: (option `4`)");
2162 PrintAndLog("Usage: hf mf cload [file name w/o `.eml`][e][4]");
2163 PrintAndLog(" or: hf mf cload e [4]");
2164 PrintAndLog("Sample: hf mf cload filename");
2165 PrintAndLog(" hf mf cload filname 4");
2166 PrintAndLog(" hf mf cload e");
2167 PrintAndLog(" hf mf cload e 4");
2168 return 0;
2169 }
2170
2171 char ctmp = param_getchar(Cmd, 0);
2172 if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;
2173 ctmp = param_getchar(Cmd, 1);
2174 if (ctmp == '4') numblock = 256;
2175
2176 gen = mfCIdentify();
2177 PrintAndLog("Loading magic mifare %dK", numblock == 256 ? 4:1);
2178
2179 if (fillFromEmulator) {
2180 for (blockNum = 0; blockNum < numblock; blockNum += 1) {
2181 if (mfEmlGetMem(buf8, blockNum, 1)) {
2182 PrintAndLog("Cant get block: %d", blockNum);
2183 return 2;
2184 }
2185 if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence
2186 if (blockNum == 1) flags = 0; // just write
2187 if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Magic Halt and switch off field.
2188
2189 if (gen == 2)
2190 /* generation 1b magic card */
2191 flags |= CSETBLOCK_MAGIC_1B;
2192 if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
2193 PrintAndLog("Cant set magic card block: %d", blockNum);
2194 return 3;
2195 }
2196 }
2197 return 0;
2198 } else {
2199 param_getstr(Cmd, 0, filename, sizeof(filename));
2200
2201 len = strlen(filename);
2202 if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
2203
2204 //memcpy(filename, Cmd, len);
2205 fnameptr += len;
2206
2207 sprintf(fnameptr, ".eml");
2208
2209 // open file
2210 f = fopen(filename, "r");
2211 if (f == NULL) {
2212 PrintAndLog("File not found or locked.");
2213 return 1;
2214 }
2215
2216 blockNum = 0;
2217 while(!feof(f)){
2218
2219 memset(buf, 0, sizeof(buf));
2220
2221 if (fgets(buf, sizeof(buf), f) == NULL) {
2222 fclose(f);
2223 PrintAndLog("File reading error.");
2224 return 2;
2225 }
2226
2227 if (strlen(buf) < 32) {
2228 if(strlen(buf) && feof(f))
2229 break;
2230 PrintAndLog("File content error. Block data must include 32 HEX symbols");
2231 fclose(f);
2232 return 2;
2233 }
2234 for (i = 0; i < 32; i += 2)
2235 sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
2236
2237 if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence
2238 if (blockNum == 1) flags = 0; // just write
2239 if (blockNum == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Switch off field.
2240
2241 if (gen == 2)
2242 /* generation 1b magic card */
2243 flags |= CSETBLOCK_MAGIC_1B;
2244 if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
2245 PrintAndLog("Can't set magic card block: %d", blockNum);
2246 fclose(f);
2247 return 3;
2248 }
2249 blockNum++;
2250
2251 if (blockNum >= numblock) break; // magic card type - mifare 1K 64 blocks, mifare 4k 256 blocks
2252 }
2253 fclose(f);
2254
2255 //if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){
2256 if (blockNum != numblock){
2257 PrintAndLog("File content error. There must be %d blocks", numblock);
2258 return 4;
2259 }
2260 PrintAndLog("Loaded from file: %s", filename);
2261 return 0;
2262 }
2263 return 0;
2264 }
2265
2266 int CmdHF14AMfCGetBlk(const char *Cmd) {
2267 uint8_t memBlock[16];
2268 uint8_t blockNo = 0;
2269 int res, gen = 0;
2270 memset(memBlock, 0x00, sizeof(memBlock));
2271
2272 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
2273 PrintAndLog("Usage: hf mf cgetblk <block number>");
2274 PrintAndLog("sample: hf mf cgetblk 1");
2275 PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");
2276 return 0;
2277 }
2278
2279 gen = mfCIdentify();
2280
2281 blockNo = param_get8(Cmd, 0);
2282
2283 PrintAndLog("--block number:%2d ", blockNo);
2284
2285 if (gen == 2) {
2286 /* generation 1b magic card */
2287 res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B);
2288 } else {
2289 /* generation 1a magic card by default */
2290 res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);
2291 }
2292 if (res) {
2293 PrintAndLog("Can't read block. error=%d", res);
2294 return 1;
2295 }
2296
2297 PrintAndLog("block data:%s", sprint_hex(memBlock, 16));
2298
2299 if (mfIsSectorTrailer(blockNo)) {
2300 PrintAndLogEx(NORMAL, "Trailer decoded:");
2301 PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));
2302 PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));
2303 int bln = mfFirstBlockOfSector(mfSectorNum(blockNo));
2304 int blinc = (mfNumBlocksPerSector(mfSectorNum(blockNo)) > 4) ? 5 : 1;
2305 for (int i = 0; i < 4; i++) {
2306 PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));
2307 bln += blinc;
2308 }
2309 PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));
2310 }
2311
2312 return 0;
2313 }
2314
2315 int CmdHF14AMfCGetSc(const char *Cmd) {
2316 uint8_t memBlock[16] = {0x00};
2317 uint8_t sectorNo = 0;
2318 int i, res, flags, gen = 0, baseblock = 0, sect_size = 4;
2319
2320 if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
2321 PrintAndLog("Usage: hf mf cgetsc <sector number>");
2322 PrintAndLog("sample: hf mf cgetsc 0");
2323 PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");
2324 return 0;
2325 }
2326
2327 sectorNo = param_get8(Cmd, 0);
2328
2329 if (sectorNo > 39) {
2330 PrintAndLog("Sector number must be in [0..15] in MIFARE classic 1k and [0..39] in MIFARE classic 4k.");
2331 return 1;
2332 }
2333
2334 PrintAndLog("--sector number:%d ", sectorNo);
2335
2336 gen = mfCIdentify();
2337
2338 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
2339 if (sectorNo < 32 ) {
2340 baseblock = sectorNo * 4;
2341 } else {
2342 baseblock = 128 + 16 * (sectorNo - 32);
2343
2344 }
2345 if (sectorNo > 31) sect_size = 16;
2346
2347 for (i = 0; i < sect_size; i++) {
2348 if (i == 1) flags = 0;
2349 if (i == sect_size - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
2350
2351 if (gen == 2)
2352 /* generation 1b magic card */
2353 flags |= CSETBLOCK_MAGIC_1B;
2354
2355 res = mfCGetBlock(baseblock + i, memBlock, flags);
2356 if (res) {
2357 PrintAndLog("Can't read block. %d error=%d", baseblock + i, res);
2358 return 1;
2359 }
2360
2361 PrintAndLog("block %3d data:%s", baseblock + i, sprint_hex(memBlock, 16));
2362
2363 if (mfIsSectorTrailer(baseblock + i)) {
2364 PrintAndLogEx(NORMAL, "Trailer decoded:");
2365 PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));
2366 PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));
2367 int bln = baseblock;
2368 int blinc = (mfNumBlocksPerSector(sectorNo) > 4) ? 5 : 1;
2369 for (int i = 0; i < 4; i++) {
2370 PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));
2371 bln += blinc;
2372 }
2373 PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));
2374 }
2375 }
2376 return 0;
2377 }
2378
2379
2380 int CmdHF14AMfCSave(const char *Cmd) {
2381
2382 FILE * f;
2383 char filename[FILE_PATH_SIZE] = {0x00};
2384 char * fnameptr = filename;
2385 uint8_t fillFromEmulator = 0;
2386 uint8_t buf[256] = {0x00};
2387 int i, j, len, flags, gen = 0, numblock = 64;
2388
2389 // memset(filename, 0, sizeof(filename));
2390 // memset(buf, 0, sizeof(buf));
2391
2392 if (param_getchar(Cmd, 0) == 'h') {
2393 PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");
2394 PrintAndLog("or into emulator memory (option `e`). 4K card: (option `4`)");
2395 PrintAndLog("Usage: hf mf csave [file name w/o `.eml`][e][4]");
2396 PrintAndLog("Sample: hf mf csave ");
2397 PrintAndLog(" hf mf csave filename");
2398 PrintAndLog(" hf mf csave e");
2399 PrintAndLog(" hf mf csave 4");
2400 PrintAndLog(" hf mf csave filename 4");
2401 PrintAndLog(" hf mf csave e 4");
2402 return 0;
2403 }
2404
2405 char ctmp = param_getchar(Cmd, 0);
2406 if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;
2407 if (ctmp == '4') numblock = 256;
2408 ctmp = param_getchar(Cmd, 1);
2409 if (ctmp == '4') numblock = 256;
2410
2411 gen = mfCIdentify();
2412 PrintAndLog("Saving magic mifare %dK", numblock == 256 ? 4:1);
2413
2414 if (fillFromEmulator) {
2415 // put into emulator
2416 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
2417 for (i = 0; i < numblock; i++) {
2418 if (i == 1) flags = 0;
2419 if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
2420
2421 if (gen == 2)
2422 /* generation 1b magic card */
2423 flags |= CSETBLOCK_MAGIC_1B;
2424
2425 if (mfCGetBlock(i, buf, flags)) {
2426 PrintAndLog("Cant get block: %d", i);
2427 break;
2428 }
2429
2430 if (mfEmlSetMem(buf, i, 1)) {
2431 PrintAndLog("Cant set emul block: %d", i);
2432 return 3;
2433 }
2434 }
2435 return 0;
2436 } else {
2437 param_getstr(Cmd, 0, filename, sizeof(filename));
2438
2439 len = strlen(filename);
2440 if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
2441
2442 ctmp = param_getchar(Cmd, 0);
2443 if (len < 1 || (ctmp == '4')) {
2444 // get filename
2445
2446 flags = CSETBLOCK_SINGLE_OPER;
2447 if (gen == 2)
2448 /* generation 1b magic card */
2449 flags |= CSETBLOCK_MAGIC_1B;
2450 if (mfCGetBlock(0, buf, flags)) {
2451 PrintAndLog("Cant get block: %d", 0);
2452 len = sprintf(fnameptr, "dump");
2453 fnameptr += len;
2454 }
2455 else {
2456 for (j = 0; j < 7; j++, fnameptr += 2)
2457 sprintf(fnameptr, "%02x", buf[j]);
2458 }
2459 } else {
2460 //memcpy(filename, Cmd, len);
2461 fnameptr += len;
2462 }
2463
2464 sprintf(fnameptr, ".eml");
2465
2466 // open file
2467 f = fopen(filename, "w+");
2468
2469 if (f == NULL) {
2470 PrintAndLog("File not found or locked.");
2471 return 1;
2472 }
2473
2474 // put hex
2475 flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
2476 for (i = 0; i < numblock; i++) {
2477 if (i == 1) flags = 0;
2478 if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
2479
2480 if (gen == 2)
2481 /* generation 1b magic card */
2482 flags |= CSETBLOCK_MAGIC_1B;
2483 if (mfCGetBlock(i, buf, flags)) {
2484 PrintAndLog("Cant get block: %d", i);
2485 break;
2486 }
2487 for (j = 0; j < 16; j++)
2488 fprintf(f, "%02x", buf[j]);
2489 fprintf(f,"\n");
2490 }
2491 fclose(f);
2492
2493 PrintAndLog("Saved to file: %s", filename);
2494
2495 return 0;
2496 }
2497 }
2498
2499
2500 int CmdHF14AMfSniff(const char *Cmd){
2501
2502 bool wantLogToFile = 0;
2503 bool wantDecrypt = 0;
2504 //bool wantSaveToEml = 0; TODO
2505 bool wantSaveToEmlFile = 0;
2506
2507 //var
2508 int res = 0;
2509 int len = 0;
2510 int parlen = 0;
2511 int blockLen = 0;
2512 int pckNum = 0;
2513 int num = 0;
2514 uint8_t uid[7];
2515 uint8_t uid_len;
2516 uint8_t atqa[2] = {0x00};
2517 uint8_t sak;
2518 bool isTag;
2519 uint8_t *buf = NULL;
2520 uint16_t bufsize = 0;
2521 uint8_t *bufPtr = NULL;
2522 uint8_t parity[16];
2523
2524 char ctmp = param_getchar(Cmd, 0);
2525 if ( ctmp == 'h' || ctmp == 'H' ) {
2526 PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");
2527 PrintAndLog("You can specify:");
2528 PrintAndLog(" l - save encrypted sequence to logfile `uid.log`");
2529 PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`");
2530 PrintAndLog(" n/a e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory");
2531 PrintAndLog(" f - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");
2532 PrintAndLog("Usage: hf mf sniff [l][d][e][f]");
2533 PrintAndLog(" sample: hf mf sniff l d e");
2534 return 0;
2535 }
2536
2537 for (int i = 0; i < 4; i++) {
2538 ctmp = param_getchar(Cmd, i);
2539 if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;
2540 if (ctmp == 'd' || ctmp == 'D') wantDecrypt = true;
2541 //if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true; TODO
2542 if (ctmp == 'f' || ctmp == 'F') wantSaveToEmlFile = true;
2543 }
2544
2545 printf("-------------------------------------------------------------------------\n");
2546 printf("Executing command. \n");
2547 printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");
2548 printf("Press the key on pc keyboard to abort the client.\n");
2549 printf("-------------------------------------------------------------------------\n");
2550
2551 UsbCommand c = {CMD_MIFARE_SNIFFER, {0, 0, 0}};
2552 clearCommandBuffer();
2553 SendCommand(&c);
2554
2555 // wait cycle
2556 while (true) {
2557 printf(".");
2558 fflush(stdout);
2559 if (ukbhit()) {
2560 getchar();
2561 printf("\naborted via keyboard!\n");
2562 break;
2563 }
2564
2565 UsbCommand resp;
2566 if (WaitForResponseTimeoutW(CMD_ACK, &resp, 2000, false)) {
2567 res = resp.arg[0] & 0xff;
2568 uint16_t traceLen = resp.arg[1];
2569 len = resp.arg[2];
2570
2571 if (res == 0) { // we are done
2572 break;
2573 }
2574
2575 if (res == 1) { // there is (more) data to be transferred
2576 if (pckNum == 0) { // first packet, (re)allocate necessary buffer
2577 if (traceLen > bufsize || buf == NULL) {
2578 uint8_t *p;
2579 if (buf == NULL) { // not yet allocated
2580 p = malloc(traceLen);
2581 } else { // need more memory
2582 p = realloc(buf, traceLen);
2583 }
2584 if (p == NULL) {
2585 PrintAndLog("Cannot allocate memory for trace");
2586 free(buf);
2587 return 2;
2588 }
2589 buf = p;
2590 }
2591 bufPtr = buf;
2592 bufsize = traceLen;
2593 memset(buf, 0x00, traceLen);
2594 }
2595 memcpy(bufPtr, resp.d.asBytes, len);
2596 bufPtr += len;
2597 pckNum++;
2598 }
2599
2600 if (res == 2) { // received all data, start displaying
2601 blockLen = bufPtr - buf;
2602 bufPtr = buf;
2603 printf(">\n");
2604 PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);
2605 while (bufPtr - buf < blockLen) {
2606 bufPtr += 6; // skip (void) timing information
2607 len = *((uint16_t *)bufPtr);
2608 if(len & 0x8000) {
2609 isTag = true;
2610 len &= 0x7fff;
2611 } else {
2612 isTag = false;
2613 }
2614 parlen = (len - 1) / 8 + 1;
2615 bufPtr += 2;
2616 if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {
2617 memcpy(uid, bufPtr + 2, 7);
2618 memcpy(atqa, bufPtr + 2 + 7, 2);
2619 uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;
2620 sak = bufPtr[11];
2621 PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x",
2622 sprint_hex(uid + (7 - uid_len), uid_len),
2623 atqa[1],
2624 atqa[0],
2625 sak);
2626 if (wantLogToFile || wantDecrypt) {
2627 FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);
2628 AddLogCurrentDT(logHexFileName);
2629 }
2630 if (wantDecrypt)
2631 mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);
2632 } else {
2633 oddparitybuf(bufPtr, len, parity);
2634 PrintAndLog("%s(%d):%s [%s] c[%s]%c",
2635 isTag ? "TAG":"RDR",
2636 num,
2637 sprint_hex(bufPtr, len),
2638 printBitsPar(bufPtr + len, len),
2639 printBitsPar(parity, len),
2640 memcmp(bufPtr + len, parity, len / 8 + 1) ? '!' : ' ');
2641 if (wantLogToFile)
2642 AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);
2643 if (wantDecrypt)
2644 mfTraceDecode(bufPtr, len, bufPtr[len], wantSaveToEmlFile);
2645 num++;
2646 }
2647 bufPtr += len;
2648 bufPtr += parlen; // ignore parity
2649 }
2650 pckNum = 0;
2651 }
2652 } // resp not NULL
2653 } // while (true)
2654
2655 free(buf);
2656
2657 msleep(300); // wait for exiting arm side.
2658 PrintAndLog("Done.");
2659 return 0;
2660 }
2661
2662 //needs nt, ar, at, Data to decrypt
2663 int CmdDecryptTraceCmds(const char *Cmd){
2664 uint8_t data[50];
2665 int len = 0;
2666 param_gethex_ex(Cmd,3,data,&len);
2667 return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);
2668 }
2669
2670 int CmdHF14AMfAuth4(const char *cmd) {
2671 uint8_t keyn[20] = {0};
2672 int keynlen = 0;
2673 uint8_t key[16] = {0};
2674 int keylen = 0;
2675
2676 CLIParserInit("hf mf auth4",
2677 "Executes AES authentication command in ISO14443-4",
2678 "Usage:\n\thf mf auth4 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"
2679 "\thf mf auth4 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication\n");
2680
2681 void* argtable[] = {
2682 arg_param_begin,
2683 arg_str1(NULL, NULL, "<Key Num (HEX 2 bytes)>", NULL),
2684 arg_str1(NULL, NULL, "<Key Value (HEX 16 bytes)>", NULL),
2685 arg_param_end
2686 };
2687 CLIExecWithReturn(cmd, argtable, true);
2688
2689 CLIGetHexWithReturn(1, keyn, &keynlen);
2690 CLIGetHexWithReturn(2, key, &keylen);
2691 CLIParserFree();
2692
2693 if (keynlen != 2) {
2694 PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);
2695 return 1;
2696 }
2697
2698 if (keylen != 16) {
2699 PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);
2700 return 1;
2701 }
2702
2703 return MifareAuth4(NULL, keyn, key, true, false, true);
2704 }
2705
2706 static command_t CommandTable[] =
2707 {
2708 {"help", CmdHelp, 1, "This help"},
2709 {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
2710 {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
2711 {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
2712 {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},
2713 {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},
2714 {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
2715 {"auth4", CmdHF14AMfAuth4, 0, "ISO14443-4 AES authentication"},
2716 {"chk", CmdHF14AMfChk, 0, "Test block keys"},
2717 {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},
2718 {"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},
2719 {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},
2720 {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},
2721 {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},
2722 {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},
2723 {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},
2724 {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},
2725 {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},
2726 {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},
2727 {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},
2728 {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},
2729 {"cwipe", CmdHF14AMfCWipe, 0, "Wipe magic Chinese card"},
2730 {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},
2731 {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},
2732 {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},
2733 {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},
2734 {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},
2735 {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},
2736 {"decrypt", CmdDecryptTraceCmds, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
2737 {NULL, NULL, 0, NULL}
2738 };
2739
2740 int CmdHFMF(const char *Cmd)
2741 {
2742 (void)WaitForResponseTimeout(CMD_ACK,NULL,100);
2743 CmdsParse(CommandTable, Cmd);
2744 return 0;
2745 }
2746
2747 int CmdHelp(const char *Cmd)
2748 {
2749 CmdsHelp(CommandTable);
2750 return 0;
2751 }
Proxmark3 GIT tracking
Impressum, Datenschutz