+ int blockNo = -1;
+ bool errors = false;
+ bool hasAuthKey = false;
+ bool hasPwdKey = false;
+ bool swapEndian = false;
+ uint8_t cmdp = 0;
+ uint8_t keylen = 0;
+ uint8_t data[16] = {0x00};
+ uint8_t authenticationkey[16] = {0x00};
+ uint8_t *authKeyPtr = authenticationkey;
+
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ return usage_hf_mfu_rdbl();
+ case 'k':
+ case 'K':
+ // EV1/NTAG size key
+ keylen = param_gethex(Cmd, cmdp+1, data, 8);
+ if ( !keylen ) {
+ memcpy(authenticationkey, data, 4);
+ cmdp += 2;
+ hasPwdKey = true;
+ break;
+ }
+ // UL-C size key
+ keylen = param_gethex(Cmd, cmdp+1, data, 32);
+ if (!keylen){
+ memcpy(authenticationkey, data, 16);
+ cmdp += 2;
+ hasAuthKey = true;
+ break;
+ }
+ PrintAndLog("\nERROR: Key is incorrect length\n");
+ errors = true;
+ break;
+ case 'b':
+ case 'B':
+ blockNo = param_get8(Cmd, cmdp+1);
+ if (blockNo < 0) {
+ PrintAndLog("Wrong block number");
+ errors = true;
+ }
+ cmdp += 2;
+ break;
+ case 'l':
+ case 'L':
+ swapEndian = true;
+ cmdp++;
+ break;
+ default:
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ //Validations
+ if(errors) return usage_hf_mfu_rdbl();
+ }
+
+ if ( blockNo == -1 ) return usage_hf_mfu_rdbl();
+ // start with getting tagtype
+ TagTypeUL_t tagtype = GetHF14AMfU_Type();
+ if (tagtype == UL_ERROR) return -1;
+
+ uint8_t maxblockno = 0;
+ for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
+ if (tagtype & UL_TYPES_ARRAY[idx])
+ maxblockno = UL_MEMORY_ARRAY[idx];
+ }
+ if (blockNo > maxblockno){
+ PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
+ return usage_hf_mfu_rdbl();
+ }
+
+ // Swap endianness
+ if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8);
+ if (swapEndian && hasPwdKey) authKeyPtr = SwapEndian64(authenticationkey, 4, 4);
+
+ //Read Block
+ UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};
+ if ( hasAuthKey ){
+ c.arg[1] = 1;
+ memcpy(c.d.asBytes,authKeyPtr,16);
+ }
+ else if ( hasPwdKey ) {
+ c.arg[1] = 2;
+ memcpy(c.d.asBytes,authKeyPtr,4);
+ }
+
+ clearCommandBuffer();
+ SendCommand(&c);
+ UsbCommand resp;
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ if (isOK) {
+ uint8_t *data = resp.d.asBytes;
+ PrintAndLog("\nBlock# | Data | Ascii");
+ PrintAndLog("-----------------------------");
+ PrintAndLog("%02d/0x%02X | %s| %.4s\n", blockNo, blockNo, sprint_hex(data, 4), data);
+ }
+ else {
+ PrintAndLog("Failed reading block: (%02x)", isOK);
+ }
+ } else {
+ PrintAndLog("Command execute time-out");
+ }
+ return 0;
+}
+
+int usage_hf_mfu_info(void) {
+ PrintAndLog("It gathers information about the tag and tries to detect what kind it is.");
+ PrintAndLog("Sometimes the tags are locked down, and you may need a key to be able to read the information");
+ PrintAndLog("The following tags can be identified:\n");
+ PrintAndLog("Ultralight, Ultralight-C, Ultralight EV1, NTAG 203, NTAG 210,");
+ PrintAndLog("NTAG 212, NTAG 213, NTAG 215, NTAG 216, NTAG I2C 1K & 2K");
+ PrintAndLog("my-d, my-d NFC, my-d move, my-d move NFC\n");
+ PrintAndLog("Usage: hf mfu info k <key> l");
+ PrintAndLog(" Options : ");
+ PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
+ PrintAndLog(" l : (optional) swap entered key's endianness");
+ PrintAndLog("");
+ PrintAndLog(" sample : hf mfu info");
+ PrintAndLog(" : hf mfu info k 00112233445566778899AABBCCDDEEFF");
+ PrintAndLog(" : hf mfu info k AABBCCDDD");
+ return 0;
+}
+
+int usage_hf_mfu_dump(void) {
+ PrintAndLog("Reads all pages from Ultralight, Ultralight-C, Ultralight EV1");
+ PrintAndLog("NTAG 203, NTAG 210, NTAG 212, NTAG 213, NTAG 215, NTAG 216");
+ PrintAndLog("and saves binary dump into the file `filename.bin` or `cardUID.bin`");
+ PrintAndLog("It autodetects card type.\n");
+ PrintAndLog("Usage: hf mfu dump k <key> l n <filename w/o .bin> p <page#> q <#pages>");
+ PrintAndLog(" Options :");
+ PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
+ PrintAndLog(" l : (optional) swap entered key's endianness");
+ PrintAndLog(" n <FN > : filename w/o .bin to save the dump as");
+ PrintAndLog(" p <Pg > : starting Page number to manually set a page to start the dump at");
+ PrintAndLog(" q <qty> : number of Pages to manually set how many pages to dump");
+ PrintAndLog("");
+ PrintAndLog(" sample : hf mfu dump");
+ PrintAndLog(" : hf mfu dump n myfile");
+ PrintAndLog(" : hf mfu dump k 00112233445566778899AABBCCDDEEFF");
+ PrintAndLog(" : hf mfu dump k AABBCCDDD\n");
+ return 0;
+}
+
+int usage_hf_mfu_rdbl(void) {
+ PrintAndLog("Read a block and print. It autodetects card type.\n");
+ PrintAndLog("Usage: hf mfu rdbl b <block number> k <key> l\n");
+ PrintAndLog(" Options:");
+ PrintAndLog(" b <no> : block to read");
+ PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
+ PrintAndLog(" l : (optional) swap entered key's endianness");
+ PrintAndLog("");
+ PrintAndLog(" sample : hf mfu rdbl b 0");
+ PrintAndLog(" : hf mfu rdbl b 0 k 00112233445566778899AABBCCDDEEFF");
+ PrintAndLog(" : hf mfu rdbl b 0 k AABBCCDDD\n");
+ return 0;
+}
+
+int usage_hf_mfu_wrbl(void) {
+ PrintAndLog("Write a block. It autodetects card type.\n");
+ PrintAndLog("Usage: hf mfu wrbl b <block number> d <data> k <key> l\n");
+ PrintAndLog(" Options:");
+ PrintAndLog(" b <no> : block to write");
+ PrintAndLog(" d <data> : block data - (8 hex symbols)");
+ PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
+ PrintAndLog(" l : (optional) swap entered key's endianness");
+ PrintAndLog("");
+ PrintAndLog(" sample : hf mfu wrbl b 0 d 01234567");
+ PrintAndLog(" : hf mfu wrbl b 0 d 01234567 k AABBCCDDD\n");
+ return 0;
+}
+
+int usage_hf_mfu_eload(void) {
+ PrintAndLog("It loads emul dump from the file `filename.eml`");
+ PrintAndLog("Hint: See script dumptoemul-mfu.lua to convert the .bin to the eml");
+ PrintAndLog("Usage: hf mfu eload u <file name w/o `.eml`> [numblocks]");
+ PrintAndLog(" Options:");
+ PrintAndLog(" h : this help");
+ PrintAndLog(" u : UL (required)");
+ PrintAndLog(" [filename] : without `.eml` (required)");
+ PrintAndLog(" numblocks : number of blocks to load from eml file (optional)");
+ PrintAndLog("");
+ PrintAndLog(" sample: hf mfu eload u filename");
+ PrintAndLog(" hf mfu eload u filename 57");
+ return 0;
+}
+
+int usage_hf_mfu_sim(void) {
+ PrintAndLog("\nEmulating Ultralight tag from emulator memory\n");
+ PrintAndLog("\nBe sure to load the emulator memory first!\n");
+ PrintAndLog("Usage: hf mfu sim t 7 u <uid>");
+ PrintAndLog(" Options:");
+ PrintAndLog(" h : this help");
+ PrintAndLog(" t 7 : 7 = NTAG or Ultralight sim (required)");
+ PrintAndLog(" u <uid> : 4 or 7 byte UID (optional)");
+ PrintAndLog("\n sample : hf mfu sim t 7");
+ PrintAndLog(" : hf mfu sim t 7 u 1122344556677\n");
+
+ return 0;
+}
+
+int usage_hf_mfu_ucauth(void) {
+ PrintAndLog("Usage: hf mfu cauth k <key number>");
+ PrintAndLog(" 0 (default): 3DES standard key");
+ PrintAndLog(" 1 : all 0x00 key");
+ PrintAndLog(" 2 : 0x00-0x0F key");
+ PrintAndLog(" 3 : nfc key");
+ PrintAndLog(" 4 : all 0x01 key");
+ PrintAndLog(" 5 : all 0xff key");
+ PrintAndLog(" 6 : 0x00-0xFF key");
+ PrintAndLog("\n sample : hf mfu cauth k");
+ PrintAndLog(" : hf mfu cauth k 3");
+ return 0;
+}
+
+int usage_hf_mfu_ucsetpwd(void) {
+ PrintAndLog("Usage: hf mfu setpwd <password (32 hex symbols)>");
+ PrintAndLog(" [password] - (32 hex symbols)");
+ PrintAndLog("");
+ PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f");
+ PrintAndLog("");
+ return 0;
+}
+
+int usage_hf_mfu_ucsetuid(void) {
+ PrintAndLog("Usage: hf mfu setuid <uid (14 hex symbols)>");
+ PrintAndLog(" [uid] - (14 hex symbols)");
+ PrintAndLog("\nThis only works for Magic Ultralight tags.");
+ PrintAndLog("");
+ PrintAndLog("sample: hf mfu setuid 11223344556677");
+ PrintAndLog("");
+ return 0;
+}
+
+int usage_hf_mfu_gendiverse(void){
+ PrintAndLog("Usage: hf mfu gen <uid (8 hex symbols)>");
+ PrintAndLog("");
+ PrintAndLog("sample: hf mfu gen 11223344");
+ PrintAndLog("");
+ return 0;
+}
+
+#define DUMP_PREFIX_LENGTH 48
+//
+// Mifare Ultralight / Ultralight-C / Ultralight-EV1
+// Read and Dump Card Contents, using auto detection of tag size.
+int CmdHF14AMfUDump(const char *Cmd){
+
+ FILE *fout;
+ char filename[FILE_PATH_SIZE] = {0x00};
+ char *fnameptr = filename;
+ uint8_t *lockbytes_t = NULL;
+ uint8_t lockbytes[2] = {0x00};
+ uint8_t *lockbytes_t2 = NULL;
+ uint8_t lockbytes2[2] = {0x00};
+ bool bit[16] = {0x00};
+ bool bit2[16] = {0x00};
+ uint8_t data[1024] = {0x00};
+ bool hasAuthKey = false;
+ int i = 0;
+ int Pages = 16;
+ bool tmplockbit = false;
+ uint8_t dataLen = 0;
+ uint8_t cmdp = 0;
+ uint8_t authenticationkey[16] = {0x00};
+ memset(authenticationkey, 0x00, sizeof(authenticationkey));
+ uint8_t *authKeyPtr = authenticationkey;
+ size_t fileNlen = 0;
+ bool errors = false;
+ bool swapEndian = false;
+ bool manualPages = false;
+ uint8_t startPage = 0;
+ char tempStr[50];
+
+ while(param_getchar(Cmd, cmdp) != 0x00)
+ {
+ switch(param_getchar(Cmd, cmdp))
+ {
+ case 'h':
+ case 'H':
+ return usage_hf_mfu_dump();
+ case 'k':
+ case 'K':
+ dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+ if (dataLen == 32 || dataLen == 8) { //ul-c or ev1/ntag key length
+ errors = param_gethex(tempStr, 0, authenticationkey, dataLen);
+ dataLen /= 2;
+ } else {
+ PrintAndLog("\nERROR: Key is incorrect length\n");
+ errors = true;
+ }
+ cmdp += 2;
+ hasAuthKey = true;
+ break;
+ case 'l':
+ case 'L':
+ swapEndian = true;
+ cmdp++;
+ break;
+ case 'n':
+ case 'N':
+ fileNlen = param_getstr(Cmd, cmdp+1, filename);
+ if (!fileNlen) errors = true;
+ if (fileNlen > FILE_PATH_SIZE-5) fileNlen = FILE_PATH_SIZE-5;
+ cmdp += 2;
+ break;
+ case 'p':
+ case 'P': //set start page
+ startPage = param_get8(Cmd, cmdp+1);
+ manualPages = true;
+ cmdp += 2;
+ break;
+ case 'q':
+ case 'Q':
+ Pages = param_get8(Cmd, cmdp+1);
+ cmdp += 2;
+ manualPages = true;
+ break;
+ default:
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ if(errors) break;
+ }
+
+ //Validations
+ if(errors) return usage_hf_mfu_dump();
+
+ if (swapEndian && hasAuthKey)
+ authKeyPtr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4);
+
+ TagTypeUL_t tagtype = GetHF14AMfU_Type();
+ if (tagtype == UL_ERROR) return -1;
+
+ if (!manualPages) //get number of pages to read
+ for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
+ if (tagtype & UL_TYPES_ARRAY[idx])
+ Pages = UL_MEMORY_ARRAY[idx]+1; //add one as maxblks starts at 0
+
+ ul_print_type(tagtype, 0);
+ PrintAndLog("Reading tag memory...");
+ UsbCommand c = {CMD_MIFAREU_READCARD, {startPage,Pages}};
+ if ( hasAuthKey ) {
+ if (tagtype & UL_C)
+ c.arg[2] = 1; //UL_C auth
+ else
+ c.arg[2] = 2; //UL_EV1/NTAG auth
+
+ memcpy(c.d.asBytes, authKeyPtr, dataLen);
+ }
+
+ clearCommandBuffer();
+ SendCommand(&c);
+ UsbCommand resp;
+ if (!WaitForResponseTimeout(CMD_ACK, &resp,1500)) {
+ PrintAndLog("Command execute time-out");
+ return 1;
+ }
+ if (resp.arg[0] != 1) {
+ PrintAndLog("Failed reading block: (%02x)", i);
+ return 1;
+ }
+
+ uint32_t startindex = resp.arg[2];
+ uint32_t bufferSize = resp.arg[1];
+ if (bufferSize > sizeof(data)) {
+ PrintAndLog("Data exceeded Buffer size!");
+ bufferSize = sizeof(data);
+ }
+ GetFromBigBuf(data, bufferSize, startindex);
+ WaitForResponse(CMD_ACK,NULL);
+
+ Pages = bufferSize/4;
+ // Load lock bytes.
+ int j = 0;
+
+ lockbytes_t = data + 8;
+ lockbytes[0] = lockbytes_t[2];
+ lockbytes[1] = lockbytes_t[3];
+ for(j = 0; j < 16; j++){
+ bit[j] = lockbytes[j/8] & ( 1 <<(7-j%8));
+ }
+
+ // Load bottom lockbytes if available
+ // TODO -- FIGURE OUT LOCK BYTES FOR TO EV1 and/or NTAG
+ if ( Pages == 44 ) {
+ lockbytes_t2 = data + (40*4);
+ lockbytes2[0] = lockbytes_t2[2];
+ lockbytes2[1] = lockbytes_t2[3];
+ for (j = 0; j < 16; j++) {
+ bit2[j] = lockbytes2[j/8] & ( 1 <<(7-j%8));
+ }
+ }
+
+ // add keys to block dump
+ if (hasAuthKey) {
+ if (tagtype & UL_C){ //add 4 pages
+ memcpy(data + Pages*4, authKeyPtr, dataLen);
+ Pages += dataLen/4;
+ } else { // 2nd page from end
+ memcpy(data + (Pages*4) - 8, authenticationkey, dataLen);
+ }
+ }
+
+ uint8_t get_pack[] = {0,0};
+ iso14a_card_select_t card;
+ //attempt to read pack
+ if (!ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, get_pack, sizeof(get_pack))) {
+ //reset pack
+ get_pack[0]=0;
+ get_pack[1]=0;
+ }
+ ul_switch_off_field();
+ // add pack to block read
+ memcpy(data + (Pages*4) - 4, get_pack, sizeof(get_pack));
+
+ uint8_t dump_file_data[1024+DUMP_PREFIX_LENGTH] = {0x00};
+ uint8_t get_version[] = {0,0,0,0,0,0,0,0,0};
+ uint8_t get_tearing[] = {0,0,0};
+ uint8_t get_counter[] = {0,0,0};
+ uint8_t dummy_pack[] = {0,0};
+ uint8_t get_signature[32];
+ memset( get_signature, 0, sizeof(get_signature) );
+
+ if ( hasAuthKey )
+ ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, dummy_pack, sizeof(dummy_pack));
+ else
+ ul_select(&card);
+
+ ulev1_getVersion( get_version, sizeof(get_version) );
+ for ( uint8_t i = 0; i<3; ++i) {
+ ulev1_readTearing(i, get_tearing+i, 1);
+ ulev1_readCounter(i, get_counter, sizeof(get_counter) );
+ }
+ ul_switch_off_field();
+ if ( hasAuthKey )
+ ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, dummy_pack, sizeof(dummy_pack));
+ else
+ ul_select(&card);
+ ulev1_readSignature( get_signature, sizeof(get_signature));
+ ul_switch_off_field();
+ //get version
+ memcpy(dump_file_data, get_version, sizeof(get_version));
+ //tearing
+ memcpy(dump_file_data+10, get_tearing, sizeof(get_tearing));
+ //pack
+ memcpy(dump_file_data+13, get_pack, sizeof(get_pack));
+ //signature
+ memcpy(dump_file_data+16, get_signature, sizeof(get_signature));
+ //block read data
+ memcpy(dump_file_data+DUMP_PREFIX_LENGTH, data, Pages*4);
+
+ PrintAndLog("\nDataType| Data | | Ascii");
+ PrintAndLog("---------------------------------");
+ PrintAndLog("GetVer-1| %s| | %.4s", sprint_hex(dump_file_data, 4), dump_file_data);
+ PrintAndLog("GetVer-2| %s| | %.4s", sprint_hex(dump_file_data+4, 4), dump_file_data+4);
+ PrintAndLog("TBD | 00 00 | | ");
+ PrintAndLog("Tearing | %s| | %.3s", sprint_hex(dump_file_data+10, 3), dump_file_data+10);
+ PrintAndLog("Pack | %s | | %.2s", sprint_hex(dump_file_data+13, 2), dump_file_data+13);
+ PrintAndLog("TBD | 00 | | ");
+ PrintAndLog("Sig-1 | %s| | %.4s", sprint_hex(dump_file_data+16, 4), dump_file_data+16);
+ PrintAndLog("Sig-2 | %s| | %.4s", sprint_hex(dump_file_data+20, 4), dump_file_data+20);
+ PrintAndLog("Sig-3 | %s| | %.4s", sprint_hex(dump_file_data+24, 4), dump_file_data+24);
+ PrintAndLog("Sig-4 | %s| | %.4s", sprint_hex(dump_file_data+28, 4), dump_file_data+28);
+ PrintAndLog("Sig-5 | %s| | %.4s", sprint_hex(dump_file_data+32, 4), dump_file_data+32);
+ PrintAndLog("Sig-6 | %s| | %.4s", sprint_hex(dump_file_data+36, 4), dump_file_data+36);
+ PrintAndLog("Sig-7 | %s| | %.4s", sprint_hex(dump_file_data+40, 4), dump_file_data+40);
+ PrintAndLog("Sig-8 | %s| | %.4s", sprint_hex(dump_file_data+44, 4), dump_file_data+44);
+
+ PrintAndLog("\nBlock# | Data |lck| Ascii");
+ PrintAndLog("---------------------------------");
+ for (i = 0; i < Pages; ++i) {
+ if ( i < 3 ) {
+ PrintAndLog("%02d/0x%02X | %s| | ", i+startPage, i+startPage, sprint_hex(data + i * 4, 4));
+ continue;
+ }
+ switch(i){
+ case 3: tmplockbit = bit[4]; break;
+ case 4: tmplockbit = bit[3]; break;
+ case 5: tmplockbit = bit[2]; break;
+ case 6: tmplockbit = bit[1]; break;
+ case 7: tmplockbit = bit[0]; break;
+ case 8: tmplockbit = bit[15]; break;
+ case 9: tmplockbit = bit[14]; break;
+ case 10: tmplockbit = bit[13]; break;
+ case 11: tmplockbit = bit[12]; break;
+ case 12: tmplockbit = bit[11]; break;
+ case 13: tmplockbit = bit[10]; break;
+ case 14: tmplockbit = bit[9]; break;
+ case 15: tmplockbit = bit[8]; break;
+ case 16:
+ case 17:
+ case 18:
+ case 19: tmplockbit = bit2[6]; break;
+ case 20:
+ case 21:
+ case 22:
+ case 23: tmplockbit = bit2[5]; break;
+ case 24:
+ case 25:
+ case 26:
+ case 27: tmplockbit = bit2[4]; break;
+ case 28:
+ case 29:
+ case 30:
+ case 31: tmplockbit = bit2[2]; break;
+ case 32:
+ case 33:
+ case 34:
+ case 35: tmplockbit = bit2[1]; break;
+ case 36:
+ case 37:
+ case 38:
+ case 39: tmplockbit = bit2[0]; break;
+ case 40: tmplockbit = bit2[12]; break;
+ case 41: tmplockbit = bit2[11]; break;
+ case 42: tmplockbit = bit2[10]; break; //auth0
+ case 43: tmplockbit = bit2[9]; break; //auth1
+ default: break;
+ }
+ PrintAndLog("%02d/0x%02X | %s| %d | %.4s", i+startPage, i+startPage, sprint_hex(data + i * 4, 4), tmplockbit, data+i*4);
+ }
+ PrintAndLog("---------------------------------");
+
+ // user supplied filename?
+ if (fileNlen < 1) {
+ // UID = data 0-1-2 4-5-6-7 (skips a beat)
+ sprintf(fnameptr,"%02X%02X%02X%02X%02X%02X%02X.bin",
+ data[0],data[1], data[2], data[4],data[5],data[6], data[7]);
+ } else {
+ sprintf(fnameptr + fileNlen,".bin");
+ }
+
+ if ((fout = fopen(filename,"wb")) == NULL) {
+ PrintAndLog("Could not create file name %s", filename);
+ return 1;
+ }
+ fwrite( dump_file_data, 1, Pages*4 + DUMP_PREFIX_LENGTH, fout );
+ fclose(fout);
+
+ PrintAndLog("Dumped %d pages, wrote %d bytes to %s", Pages+(DUMP_PREFIX_LENGTH/4), Pages*4 + DUMP_PREFIX_LENGTH, filename);
+ return 0;