+int CmdHF14AMfCGetBlk(const char *Cmd) {\r
+ uint8_t memBlock[16];\r
+ uint8_t blockNo = 0;\r
+ int res, gen = 0;\r
+ memset(memBlock, 0x00, sizeof(memBlock));\r
+\r
+ if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
+ PrintAndLog("Usage: hf mf cgetblk <block number>");\r
+ PrintAndLog("sample: hf mf cgetblk 1");\r
+ PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");\r
+ return 0;\r
+ }\r
+\r
+ gen = mfCIdentify();\r
+\r
+ blockNo = param_get8(Cmd, 0);\r
+\r
+ PrintAndLog("--block number:%2d ", blockNo);\r
+\r
+ if (gen == 2) {\r
+ /* generation 1b magic card */\r
+ res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B);\r
+ } else {\r
+ /* generation 1a magic card by default */\r
+ res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);\r
+ }\r
+ if (res) {\r
+ PrintAndLog("Can't read block. error=%d", res);\r
+ return 1;\r
+ }\r
+\r
+ PrintAndLog("block data:%s", sprint_hex(memBlock, 16));\r
+\r
+ if (mfIsSectorTrailer(blockNo)) {\r
+ PrintAndLogEx(NORMAL, "Trailer decoded:");\r
+ PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));\r
+ PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));\r
+ int bln = mfFirstBlockOfSector(mfSectorNum(blockNo));\r
+ int blinc = (mfNumBlocksPerSector(mfSectorNum(blockNo)) > 4) ? 5 : 1;\r
+ for (int i = 0; i < 4; i++) {\r
+ PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));\r
+ bln += blinc;\r
+ }\r
+ PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));\r
+ }\r
+\r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMfCGetSc(const char *Cmd) {\r
+ uint8_t memBlock[16] = {0x00};\r
+ uint8_t sectorNo = 0;\r
+ int i, res, flags, gen = 0, baseblock = 0, sect_size = 4;\r
+\r
+ if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
+ PrintAndLog("Usage: hf mf cgetsc <sector number>");\r
+ PrintAndLog("sample: hf mf cgetsc 0");\r
+ PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");\r
+ return 0;\r
+ }\r
+\r
+ sectorNo = param_get8(Cmd, 0);\r
+\r
+ if (sectorNo > 39) {\r
+ PrintAndLog("Sector number must be in [0..15] in MIFARE classic 1k and [0..39] in MIFARE classic 4k.");\r
+ return 1;\r
+ }\r
+\r
+ PrintAndLog("--sector number:%d ", sectorNo);\r
+\r
+ gen = mfCIdentify();\r
+\r
+ flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
+ if (sectorNo < 32 ) {\r
+ baseblock = sectorNo * 4;\r
+ } else {\r
+ baseblock = 128 + 16 * (sectorNo - 32);\r
+\r
+ }\r
+ if (sectorNo > 31) sect_size = 16;\r
+\r
+ for (i = 0; i < sect_size; i++) {\r
+ if (i == 1) flags = 0;\r
+ if (i == sect_size - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+\r
+ if (gen == 2)\r
+ /* generation 1b magic card */\r
+ flags |= CSETBLOCK_MAGIC_1B;\r
+\r
+ res = mfCGetBlock(baseblock + i, memBlock, flags);\r
+ if (res) {\r
+ PrintAndLog("Can't read block. %d error=%d", baseblock + i, res);\r
+ return 1;\r
+ }\r
+\r
+ PrintAndLog("block %3d data:%s", baseblock + i, sprint_hex(memBlock, 16));\r
+\r
+ if (mfIsSectorTrailer(baseblock + i)) {\r
+ PrintAndLogEx(NORMAL, "Trailer decoded:");\r
+ PrintAndLogEx(NORMAL, "Key A: %s", sprint_hex_inrow(memBlock, 6));\r
+ PrintAndLogEx(NORMAL, "Key B: %s", sprint_hex_inrow(&memBlock[10], 6));\r
+ int bln = baseblock;\r
+ int blinc = (mfNumBlocksPerSector(sectorNo) > 4) ? 5 : 1;\r
+ for (int i = 0; i < 4; i++) {\r
+ PrintAndLogEx(NORMAL, "Access block %d%s: %s", bln, ((blinc > 1) && (i < 3) ? "+" : "") , mfGetAccessConditionsDesc(i, &memBlock[6]));\r
+ bln += blinc;\r
+ }\r
+ PrintAndLogEx(NORMAL, "UserData: %s", sprint_hex_inrow(&memBlock[9], 1));\r
+ }\r
+ }\r
+ return 0;\r
+}\r
+\r
+\r
+int CmdHF14AMfCSave(const char *Cmd) {\r
+\r
+ FILE * f;\r
+ char filename[FILE_PATH_SIZE] = {0x00};\r
+ char * fnameptr = filename;\r
+ uint8_t fillFromEmulator = 0;\r
+ uint8_t buf[256] = {0x00};\r
+ int i, j, len, flags, gen = 0, numblock = 64;\r
+\r
+ // memset(filename, 0, sizeof(filename));\r
+ // memset(buf, 0, sizeof(buf));\r
+\r
+ if (param_getchar(Cmd, 0) == 'h') {\r
+ PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");\r
+ PrintAndLog("or into emulator memory (option `e`). 4K card: (option `4`)");\r
+ PrintAndLog("Usage: hf mf csave [file name w/o `.eml`][e][4]");\r
+ PrintAndLog("Sample: hf mf csave ");\r
+ PrintAndLog(" hf mf csave filename");\r
+ PrintAndLog(" hf mf csave e");\r
+ PrintAndLog(" hf mf csave 4");\r
+ PrintAndLog(" hf mf csave filename 4");\r
+ PrintAndLog(" hf mf csave e 4");\r
+ return 0;\r
+ }\r
+\r
+ char ctmp = param_getchar(Cmd, 0);\r
+ if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
+ if (ctmp == '4') numblock = 256;\r
+ ctmp = param_getchar(Cmd, 1);\r
+ if (ctmp == '4') numblock = 256;\r
+\r
+ gen = mfCIdentify();\r
+ PrintAndLog("Saving magic mifare %dK", numblock == 256 ? 4:1);\r
+\r
+ if (fillFromEmulator) {\r
+ // put into emulator\r
+ flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
+ for (i = 0; i < numblock; i++) {\r
+ if (i == 1) flags = 0;\r
+ if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+\r
+ if (gen == 2)\r
+ /* generation 1b magic card */\r
+ flags |= CSETBLOCK_MAGIC_1B;\r
+\r
+ if (mfCGetBlock(i, buf, flags)) {\r
+ PrintAndLog("Cant get block: %d", i);\r
+ break;\r
+ }\r
+\r
+ if (mfEmlSetMem(buf, i, 1)) {\r
+ PrintAndLog("Cant set emul block: %d", i);\r
+ return 3;\r
+ }\r
+ }\r
+ return 0;\r
+ } else {\r
+ param_getstr(Cmd, 0, filename, sizeof(filename));\r
+\r
+ len = strlen(filename);\r
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
+\r
+ ctmp = param_getchar(Cmd, 0);\r
+ if (len < 1 || (ctmp == '4')) {\r
+ // get filename\r
+\r
+ flags = CSETBLOCK_SINGLE_OPER;\r
+ if (gen == 2)\r
+ /* generation 1b magic card */\r
+ flags |= CSETBLOCK_MAGIC_1B;\r
+ if (mfCGetBlock(0, buf, flags)) {\r
+ PrintAndLog("Cant get block: %d", 0);\r
+ len = sprintf(fnameptr, "dump");\r
+ fnameptr += len;\r
+ }\r
+ else {\r
+ for (j = 0; j < 7; j++, fnameptr += 2)\r
+ sprintf(fnameptr, "%02x", buf[j]);\r
+ }\r
+ } else {\r
+ //memcpy(filename, Cmd, len);\r
+ fnameptr += len;\r
+ }\r
+\r
+ sprintf(fnameptr, ".eml");\r
+\r
+ // open file\r
+ f = fopen(filename, "w+");\r
+\r
+ if (f == NULL) {\r
+ PrintAndLog("File not found or locked.");\r
+ return 1;\r
+ }\r
+\r
+ // put hex\r
+ flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
+ for (i = 0; i < numblock; i++) {\r
+ if (i == 1) flags = 0;\r
+ if (i == numblock - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+\r
+ if (gen == 2)\r
+ /* generation 1b magic card */\r
+ flags |= CSETBLOCK_MAGIC_1B;\r
+ if (mfCGetBlock(i, buf, flags)) {\r
+ PrintAndLog("Cant get block: %d", i);\r
+ break;\r
+ }\r
+ for (j = 0; j < 16; j++)\r
+ fprintf(f, "%02x", buf[j]);\r
+ fprintf(f,"\n");\r
+ }\r
+ fclose(f);\r
+\r
+ PrintAndLog("Saved to file: %s", filename);\r
+\r
+ return 0;\r
+ }\r
+}\r
+\r
+\r
+int CmdHF14AMfSniff(const char *Cmd){\r
+\r
+ bool wantLogToFile = 0;\r
+ bool wantDecrypt = 0;\r
+ //bool wantSaveToEml = 0; TODO\r
+ bool wantSaveToEmlFile = 0;\r
+\r
+ //var\r
+ int res = 0;\r
+ int len = 0;\r
+ int parlen = 0;\r
+ int blockLen = 0;\r
+ int pckNum = 0;\r
+ int num = 0;\r
+ uint8_t uid[7];\r
+ uint8_t uid_len;\r
+ uint8_t atqa[2] = {0x00};\r
+ uint8_t sak;\r
+ bool isTag;\r
+ uint8_t *buf = NULL;\r
+ uint16_t bufsize = 0;\r
+ uint8_t *bufPtr = NULL;\r
+ uint8_t parity[16];\r
+\r
+ char ctmp = param_getchar(Cmd, 0);\r
+ if ( ctmp == 'h' || ctmp == 'H' ) {\r
+ PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");\r
+ PrintAndLog("You can specify:");\r
+ PrintAndLog(" l - save encrypted sequence to logfile `uid.log`");\r
+ PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`");\r
+ PrintAndLog(" n/a e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory");\r
+ PrintAndLog(" f - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");\r
+ PrintAndLog("Usage: hf mf sniff [l][d][e][f]");\r
+ PrintAndLog(" sample: hf mf sniff l d e");\r
+ return 0;\r
+ }\r
+\r
+ for (int i = 0; i < 4; i++) {\r
+ ctmp = param_getchar(Cmd, i);\r
+ if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;\r
+ if (ctmp == 'd' || ctmp == 'D') wantDecrypt = true;\r
+ //if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true; TODO\r
+ if (ctmp == 'f' || ctmp == 'F') wantSaveToEmlFile = true;\r
+ }\r
+\r
+ printf("-------------------------------------------------------------------------\n");\r
+ printf("Executing command. \n");\r
+ printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+ printf("Press the key on pc keyboard to abort the client.\n");\r
+ printf("-------------------------------------------------------------------------\n");\r
+\r
+ UsbCommand c = {CMD_MIFARE_SNIFFER, {0, 0, 0}};\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
+\r
+ // wait cycle\r
+ while (true) {\r
+ printf(".");\r
+ fflush(stdout);\r
+ if (ukbhit()) {\r
+ getchar();\r
+ printf("\naborted via keyboard!\n");\r
+ break;\r
+ }\r
+\r
+ UsbCommand resp;\r
+ if (WaitForResponseTimeoutW(CMD_UNKNOWN, &resp, 2000, false)) {\r
+ res = resp.arg[0] & 0xff;\r
+ uint16_t traceLen = resp.arg[1];\r
+ len = resp.arg[2];\r
+\r
+ if (res == 0) { // we are done\r
+ break;\r
+ }\r
+\r
+ if (res == 1) { // there is (more) data to be transferred\r
+ if (pckNum == 0) { // first packet, (re)allocate necessary buffer\r
+ if (traceLen > bufsize || buf == NULL) {\r
+ uint8_t *p;\r
+ if (buf == NULL) { // not yet allocated\r
+ p = malloc(traceLen);\r
+ } else { // need more memory\r
+ p = realloc(buf, traceLen);\r
+ }\r
+ if (p == NULL) {\r
+ PrintAndLog("Cannot allocate memory for trace");\r
+ free(buf);\r
+ return 2;\r
+ }\r
+ buf = p;\r
+ }\r
+ bufPtr = buf;\r
+ bufsize = traceLen;\r
+ memset(buf, 0x00, traceLen);\r
+ }\r
+ memcpy(bufPtr, resp.d.asBytes, len);\r
+ bufPtr += len;\r
+ pckNum++;\r
+ }\r
+\r
+ if (res == 2) { // received all data, start displaying\r
+ blockLen = bufPtr - buf;\r
+ bufPtr = buf;\r
+ printf(">\n");\r
+ PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);\r
+ while (bufPtr - buf < blockLen) {\r
+ bufPtr += 6; // skip (void) timing information\r
+ len = *((uint16_t *)bufPtr);\r
+ if(len & 0x8000) {\r
+ isTag = true;\r
+ len &= 0x7fff;\r
+ } else {\r
+ isTag = false;\r
+ }\r
+ parlen = (len - 1) / 8 + 1;\r
+ bufPtr += 2;\r
+ if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {\r
+ memcpy(uid, bufPtr + 2, 7);\r
+ memcpy(atqa, bufPtr + 2 + 7, 2);\r
+ uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;\r
+ sak = bufPtr[11];\r
+ PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x",\r
+ sprint_hex(uid + (7 - uid_len), uid_len),\r
+ atqa[1],\r
+ atqa[0],\r
+ sak);\r
+ if (wantLogToFile || wantDecrypt) {\r
+ FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);\r
+ AddLogCurrentDT(logHexFileName);\r
+ }\r
+ if (wantDecrypt)\r
+ mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
+ } else {\r
+ oddparitybuf(bufPtr, len, parity);\r
+ PrintAndLog("%s(%d):%s [%s] c[%s]%c",\r
+ isTag ? "TAG":"RDR",\r
+ num,\r
+ sprint_hex(bufPtr, len),\r
+ printBitsPar(bufPtr + len, len),\r
+ printBitsPar(parity, len),\r
+ memcmp(bufPtr + len, parity, len / 8 + 1) ? '!' : ' ');\r
+ if (wantLogToFile)\r
+ AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
+ if (wantDecrypt)\r
+ mfTraceDecode(bufPtr, len, bufPtr[len], wantSaveToEmlFile);\r
+ num++;\r
+ }\r
+ bufPtr += len;\r
+ bufPtr += parlen; // ignore parity\r
+ }\r
+ pckNum = 0;\r
+ }\r
+ } // resp not NULL\r
+ } // while (true)\r
+\r
+ free(buf);\r
+\r
+ msleep(300); // wait for exiting arm side.\r
+ PrintAndLog("Done.");\r
+ return 0;\r
+}\r
+\r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+ uint8_t data[50];\r
+ int len = 100;\r
+ param_gethex_ex(Cmd, 3, data, &len);\r
+ return tryDecryptWord(param_get32ex(Cmd, 0, 0, 16), param_get32ex(Cmd, 1, 0, 16), param_get32ex(Cmd, 2, 0, 16), data, len/2);\r
+}\r
+\r
+int CmdHF14AMfAuth4(const char *cmd) {\r
+ uint8_t keyn[20] = {0};\r
+ int keynlen = 0;\r
+ uint8_t key[16] = {0};\r
+ int keylen = 0;\r
+\r
+ CLIParserInit("hf mf auth4",\r
+ "Executes AES authentication command in ISO14443-4",\r
+ "Usage:\n\thf mf auth4 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"\r
+ "\thf mf auth4 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication\n");\r
+\r
+ void* argtable[] = {\r
+ arg_param_begin,\r
+ arg_str1(NULL, NULL, "<Key Num (HEX 2 bytes)>", NULL),\r
+ arg_str1(NULL, NULL, "<Key Value (HEX 16 bytes)>", NULL),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+\r
+ CLIGetHexWithReturn(1, keyn, &keynlen);\r
+ CLIGetHexWithReturn(2, key, &keylen);\r
+ CLIParserFree();\r
+\r
+ if (keynlen != 2) {\r
+ PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);\r
+ return 1;\r
+ }\r
+\r
+ if (keylen != 16) {\r
+ PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);\r
+ return 1;\r
+ }\r
+\r
+ return MifareAuth4(NULL, keyn, key, true, false, true);\r
+}\r
+\r
+// https://www.nxp.com/docs/en/application-note/AN10787.pdf\r
+int CmdHF14AMfMAD(const char *cmd) {\r
+\r
+ CLIParserInit("hf mf mad",\r
+ "Checks and prints Mifare Application Directory (MAD)",\r
+ "Usage:\n\thf mf mad -> shows MAD if exists\n"\r
+ "\thf mf mad -a 03e1 -k ffffffffffff -b -> shows NDEF data if exists. read card with custom key and key B\n");\r
+\r
+ void *argtable[] = {\r
+ arg_param_begin,\r
+ arg_lit0("vV", "verbose", "show technical data"),\r
+ arg_str0("aA", "aid", "print all sectors with aid", NULL),\r
+ arg_str0("kK", "key", "key for printing sectors", NULL),\r
+ arg_lit0("bB", "keyb", "use key B for access printing sectors (by default: key A)"),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+ bool verbose = arg_get_lit(1);\r
+ uint8_t aid[2] = {0};\r
+ int aidlen;\r
+ CLIGetHexWithReturn(2, aid, &aidlen);\r
+ uint8_t key[6] = {0};\r
+ int keylen;\r
+ CLIGetHexWithReturn(3, key, &keylen);\r
+ bool keyB = arg_get_lit(4);\r
+\r
+ CLIParserFree();\r
+\r
+ if (aidlen != 2 && keylen > 0) {\r
+ PrintAndLogEx(WARNING, "do not need a key without aid.");\r
+ }\r
+\r
+ uint8_t sector0[16 * 4] = {0};\r
+ uint8_t sector10[16 * 4] = {0};\r
+ if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {\r
+ PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+\r
+ if (verbose) {\r
+ for (int i = 0; i < 4; i ++)\r
+ PrintAndLogEx(NORMAL, "[%d] %s", i, sprint_hex(§or0[i * 16], 16));\r
+ }\r
+\r
+ bool haveMAD2 = false;\r
+ MAD1DecodeAndPrint(sector0, verbose, &haveMAD2);\r
+\r
+ if (haveMAD2) {\r
+ if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {\r
+ PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+\r
+ MAD2DecodeAndPrint(sector10, verbose);\r
+ }\r
+\r
+ if (aidlen == 2) {\r
+ uint16_t aaid = (aid[0] << 8) + aid[1];\r
+ PrintAndLogEx(NORMAL, "\n-------------- AID 0x%04x ---------------", aaid);\r
+\r
+ uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};\r
+ size_t madlen = 0;\r
+ if (MADDecode(sector0, sector10, mad, &madlen)) {\r
+ PrintAndLogEx(ERR, "can't decode mad.");\r
+ return 10;\r
+ }\r
+\r
+ uint8_t akey[6] = {0};\r
+ memcpy(akey, g_mifare_ndef_key, 6);\r
+ if (keylen == 6) {\r
+ memcpy(akey, key, 6);\r
+ }\r
+\r
+ for (int i = 0; i < madlen; i++) {\r
+ if (aaid == mad[i]) {\r
+ uint8_t vsector[16 * 4] = {0};\r
+ if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, akey, vsector)) {\r
+ PrintAndLogEx(NORMAL, "");\r
+ PrintAndLogEx(ERR, "read sector %d error.", i + 1);\r
+ return 2;\r
+ }\r
+\r
+ for (int j = 0; j < (verbose ? 4 : 3); j ++)\r
+ PrintAndLogEx(NORMAL, " [%03d] %s", (i + 1) * 4 + j, sprint_hex(&vsector[j * 16], 16));\r
+ }\r
+ }\r
+ }\r
+\r
+ return 0;\r
+}\r
+\r
+int CmdHFMFNDEF(const char *cmd) {\r
+\r
+ CLIParserInit("hf mf ndef",\r
+ "Prints NFC Data Exchange Format (NDEF)",\r
+ "Usage:\n\thf mf ndef -> shows NDEF data\n"\r
+ "\thf mf ndef -a 03e1 -k ffffffffffff -b -> shows NDEF data with custom AID, key and with key B\n");\r
+\r
+ void *argtable[] = {\r
+ arg_param_begin,\r
+ arg_litn("vV", "verbose", 0, 2, "show technical data"),\r
+ arg_str0("aA", "aid", "replace default aid for NDEF", NULL),\r
+ arg_str0("kK", "key", "replace default key for NDEF", NULL),\r
+ arg_lit0("bB", "keyb", "use key B for access sectors (by default: key A)"),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+\r
+ bool verbose = arg_get_lit(1);\r
+ bool verbose2 = arg_get_lit(1) > 1;\r
+ uint8_t aid[2] = {0};\r
+ int aidlen;\r
+ CLIGetHexWithReturn(2, aid, &aidlen);\r
+ uint8_t key[6] = {0};\r
+ int keylen;\r
+ CLIGetHexWithReturn(3, key, &keylen);\r
+ bool keyB = arg_get_lit(4);\r
+\r
+ CLIParserFree();\r
+\r
+ uint16_t ndefAID = 0x03e1;\r
+ if (aidlen == 2)\r
+ ndefAID = (aid[0] << 8) + aid[1];\r
+\r
+ uint8_t ndefkey[6] = {0};\r
+ memcpy(ndefkey, g_mifare_ndef_key, 6);\r
+ if (keylen == 6) {\r
+ memcpy(ndefkey, key, 6);\r
+ }\r
+\r
+ uint8_t sector0[16 * 4] = {0};\r
+ uint8_t sector10[16 * 4] = {0};\r
+ uint8_t data[4096] = {0};\r
+ int datalen = 0;\r
+\r
+ PrintAndLogEx(NORMAL, "");\r
+\r
+ if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {\r
+ PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+\r
+ bool haveMAD2 = false;\r
+ int res = MADCheck(sector0, NULL, verbose, &haveMAD2);\r
+ if (res) {\r
+ PrintAndLogEx(ERR, "MAD error %d.", res);\r
+ return res;\r
+ }\r
+\r
+ if (haveMAD2) {\r
+ if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {\r
+ PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+ }\r
+\r
+ uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};\r
+ size_t madlen = 0;\r
+ if (MADDecode(sector0, (haveMAD2 ? sector10 : NULL), mad, &madlen)) {\r
+ PrintAndLogEx(ERR, "can't decode mad.");\r
+ return 10;\r
+ }\r
+\r
+ printf("data reading:");\r
+ for (int i = 0; i < madlen; i++) {\r
+ if (ndefAID == mad[i]) {\r
+ uint8_t vsector[16 * 4] = {0};\r
+ if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, ndefkey, vsector)) {\r
+ PrintAndLogEx(ERR, "read sector %d error.", i + 1);\r
+ return 2;\r
+ }\r
+\r
+ memcpy(&data[datalen], vsector, 16 * 3);\r
+ datalen += 16 * 3;\r
+\r
+ printf(".");\r
+ }\r
+ }\r
+ printf(" OK\n");\r
+\r
+ if (!datalen) {\r
+ PrintAndLogEx(ERR, "no NDEF data.");\r
+ return 11;\r
+ }\r
+\r
+ if (verbose2) {\r
+ PrintAndLogEx(NORMAL, "NDEF data:");\r
+ dump_buffer(data, datalen, stdout, 1);\r
+ }\r
+\r
+ NDEFDecodeAndPrint(data, datalen, verbose);\r
+\r
+ return 0;\r
+}\r
+\r
+int CmdHFMFPersonalize(const char *cmd) {\r
+\r
+ CLIParserInit("hf mf personalize",\r
+ "Personalize the UID of a Mifare Classic EV1 card. This is only possible if it is a 7Byte UID card and if it is not already personalized.",\r
+ "Usage:\n\thf mf personalize UIDF0 -> double size UID according to ISO/IEC14443-3\n"\r
+ "\thf mf personalize UIDF1 -> double size UID according to ISO/IEC14443-3, optional usage of selection process shortcut\n"\r
+ "\thf mf personalize UIDF2 -> single size random ID according to ISO/IEC14443-3\n"\r
+ "\thf mf personalize UIDF3 -> single size NUID according to ISO/IEC14443-3\n"\r
+ "\thf mf personalize -t B -k B0B1B2B3B4B5 UIDF3 -> use key B = 0xB0B1B2B3B4B5 instead of default key A\n");\r
+\r
+ void *argtable[] = {\r
+ arg_param_begin,\r
+ arg_str0("tT", "keytype", "<A|B>", "key type (A or B) to authenticate sector 0 (default: A)"),\r
+ arg_str0("kK", "key", "<key (hex 6 Bytes)>", "key to authenticate sector 0 (default: FFFFFFFFFFFF)"),\r
+ arg_str1(NULL, NULL, "<UIDF0|UIDF1|UIDF2|UIDF3>", "Personalization Option"),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+\r
+ char keytypestr[2] = "A";\r
+ uint8_t keytype = 0x00;\r
+ int keytypestr_len;\r
+ int res = CLIParamStrToBuf(arg_get_str(1), (uint8_t*)keytypestr, 1, &keytypestr_len);\r
+ if (res || (keytypestr[0] != 'a' && keytypestr[0] != 'A' && keytypestr[0] != 'b' && keytypestr[0] != 'B')) {\r
+ PrintAndLog("ERROR: not a valid key type. Key type must be A or B");\r
+ CLIParserFree();\r
+ return 1;\r
+ }\r
+ if (keytypestr[0] == 'B' || keytypestr[0] == 'b') {\r
+ keytype = 0x01;\r
+ }\r
+\r
+ uint8_t key[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};\r
+ int key_len;\r
+ res = CLIParamHexToBuf(arg_get_str(2), key, 6, &key_len);\r
+ if (res || (!res && key_len > 0 && key_len != 6)) {\r
+ PrintAndLog("ERROR: not a valid key. Key must be 12 hex digits");\r
+ CLIParserFree();\r
+ return 1;\r
+ }\r
+\r
+ char pers_optionstr[6];\r
+ int opt_len;\r
+ uint8_t pers_option;\r
+ res = CLIParamStrToBuf(arg_get_str(3), (uint8_t*)pers_optionstr, 5, &opt_len);\r
+ if (res || (!res && opt_len > 0 && opt_len != 5)\r
+ || (strncmp(pers_optionstr, "UIDF0", 5) && strncmp(pers_optionstr, "UIDF1", 5) && strncmp(pers_optionstr, "UIDF2", 5) && strncmp(pers_optionstr, "UIDF3", 5))) {\r
+ PrintAndLog("ERROR: invalid personalization option. Must be one of UIDF0, UIDF1, UIDF2, or UIDF3");\r
+ CLIParserFree();\r
+ return 1;\r
+ }\r
+ if (!strncmp(pers_optionstr, "UIDF0", 5)) {\r
+ pers_option = MIFARE_EV1_UIDF0;\r
+ } else if (!strncmp(pers_optionstr, "UIDF1", 5)) {\r
+ pers_option = MIFARE_EV1_UIDF1;\r
+ } else if (!strncmp(pers_optionstr, "UIDF2", 5)) {\r
+ pers_option = MIFARE_EV1_UIDF2;\r
+ } else {\r
+ pers_option = MIFARE_EV1_UIDF3;\r
+ }\r
+\r
+ CLIParserFree();\r
+\r
+ UsbCommand c = {CMD_MIFARE_PERSONALIZE_UID, {keytype, pers_option, 0}};\r
+ memcpy(c.d.asBytes, key, 6);\r
+ SendCommand(&c);\r
+\r
+ UsbCommand resp;\r
+ if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {\r
+ bool isOK = resp.arg[0];\r
+ PrintAndLog("Personalization %s", isOK ? "SUCCEEDED" : "FAILED");\r
+ } else {\r
+ PrintAndLog("Command execute timeout");\r
+ }\r
+\r
+ return 0;\r
+}\r
+\r
+\r
+static command_t CommandTable[] = {\r
+ {"help", CmdHelp, 1, "This help"},\r
+ {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
+ {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
+ {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
+ {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
+ {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
+ {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
+ {"auth4", CmdHF14AMfAuth4, 0, "ISO14443-4 AES authentication"},\r
+ {"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
+ {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},\r
+ {"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},\r
+ {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},\r
+ {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},\r
+ {"sim", CmdHF14AMfSim, 0, "Simulate MIFARE card"},\r
+ {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory"},\r
+ {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},\r
+ {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},\r
+ {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},\r
+ {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},\r
+ {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},\r
+ {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},\r
+ {"cwipe", CmdHF14AMfCWipe, 0, "Wipe magic Chinese card"},\r
+ {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},\r
+ {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},\r
+ {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},\r
+ {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
+ {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
+ {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
+ {"decrypt", CmdDecryptTraceCmds, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
+ {"mad", CmdHF14AMfMAD, 0, "Checks and prints MAD"},\r
+ {"ndef", CmdHFMFNDEF, 0, "Prints NDEF records from card"},\r
+ {"personalize", CmdHFMFPersonalize, 0, "Personalize UID (Mifare Classic EV1 only)"},\r
+ {NULL, NULL, 0, NULL}\r