-static command_t CommandTable[] =\r
-{\r
- {"help", CmdHelp, 1, "This help"},\r
- {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
- {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
- {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
- {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
- {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
- {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
- {"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
- {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},\r
- {"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},\r
- {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},\r
- {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},\r
- {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},\r
- {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},\r
- {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},\r
- {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},\r
- {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},\r
- {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},\r
- {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},\r
- {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},\r
- {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},\r
- {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},\r
- {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},\r
- {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
- {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
- {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
- {"decrypt", CmdDecryptTraceCmds, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
- {NULL, NULL, 0, NULL}\r
+int CmdHF14AMfAuth4(const char *cmd) {\r
+ uint8_t keyn[20] = {0};\r
+ int keynlen = 0;\r
+ uint8_t key[16] = {0};\r
+ int keylen = 0;\r
+\r
+ CLIParserInit("hf mf auth4",\r
+ "Executes AES authentication command in ISO14443-4",\r
+ "Usage:\n\thf mf auth4 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"\r
+ "\thf mf auth4 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication\n");\r
+\r
+ void* argtable[] = {\r
+ arg_param_begin,\r
+ arg_str1(NULL, NULL, "<Key Num (HEX 2 bytes)>", NULL),\r
+ arg_str1(NULL, NULL, "<Key Value (HEX 16 bytes)>", NULL),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+\r
+ CLIGetHexWithReturn(1, keyn, &keynlen);\r
+ CLIGetHexWithReturn(2, key, &keylen);\r
+ CLIParserFree();\r
+\r
+ if (keynlen != 2) {\r
+ PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);\r
+ return 1;\r
+ }\r
+\r
+ if (keylen != 16) {\r
+ PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);\r
+ return 1;\r
+ }\r
+\r
+ return MifareAuth4(NULL, keyn, key, true, false, true);\r
+}\r
+\r
+// https://www.nxp.com/docs/en/application-note/AN10787.pdf\r
+int CmdHF14AMfMAD(const char *cmd) {\r
+\r
+ CLIParserInit("hf mf mad",\r
+ "Checks and prints Mifare Application Directory (MAD)",\r
+ "Usage:\n\thf mf mad -> shows MAD if exists\n"\r
+ "\thf mf mad -a 03e1 -k ffffffffffff -b -> shows NDEF data if exists. read card with custom key and key B\n");\r
+\r
+ void *argtable[] = {\r
+ arg_param_begin,\r
+ arg_lit0("vV", "verbose", "show technical data"),\r
+ arg_str0("aA", "aid", "print all sectors with aid", NULL),\r
+ arg_str0("kK", "key", "key for printing sectors", NULL),\r
+ arg_lit0("bB", "keyb", "use key B for access printing sectors (by default: key A)"),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+ bool verbose = arg_get_lit(1);\r
+ uint8_t aid[2] = {0};\r
+ int aidlen;\r
+ CLIGetHexWithReturn(2, aid, &aidlen);\r
+ uint8_t key[6] = {0};\r
+ int keylen;\r
+ CLIGetHexWithReturn(3, key, &keylen);\r
+ bool keyB = arg_get_lit(4);\r
+\r
+ CLIParserFree();\r
+\r
+ if (aidlen != 2 && keylen > 0) {\r
+ PrintAndLogEx(WARNING, "do not need a key without aid.");\r
+ }\r
+\r
+ uint8_t sector0[16 * 4] = {0};\r
+ uint8_t sector10[16 * 4] = {0};\r
+ if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {\r
+ PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+\r
+ if (verbose) {\r
+ for (int i = 0; i < 4; i ++)\r
+ PrintAndLogEx(NORMAL, "[%d] %s", i, sprint_hex(§or0[i * 16], 16));\r
+ }\r
+\r
+ bool haveMAD2 = false;\r
+ MAD1DecodeAndPrint(sector0, verbose, &haveMAD2);\r
+\r
+ if (haveMAD2) {\r
+ if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {\r
+ PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+\r
+ MAD2DecodeAndPrint(sector10, verbose);\r
+ }\r
+\r
+ if (aidlen == 2) {\r
+ uint16_t aaid = (aid[0] << 8) + aid[1];\r
+ PrintAndLogEx(NORMAL, "\n-------------- AID 0x%04x ---------------", aaid);\r
+\r
+ uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};\r
+ size_t madlen = 0;\r
+ if (MADDecode(sector0, sector10, mad, &madlen)) {\r
+ PrintAndLogEx(ERR, "can't decode mad.");\r
+ return 10;\r
+ }\r
+\r
+ uint8_t akey[6] = {0};\r
+ memcpy(akey, g_mifare_ndef_key, 6);\r
+ if (keylen == 6) {\r
+ memcpy(akey, key, 6);\r
+ }\r
+\r
+ for (int i = 0; i < madlen; i++) {\r
+ if (aaid == mad[i]) {\r
+ uint8_t vsector[16 * 4] = {0};\r
+ if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, akey, vsector)) {\r
+ PrintAndLogEx(NORMAL, "");\r
+ PrintAndLogEx(ERR, "read sector %d error.", i + 1);\r
+ return 2;\r
+ }\r
+\r
+ for (int j = 0; j < (verbose ? 4 : 3); j ++)\r
+ PrintAndLogEx(NORMAL, " [%03d] %s", (i + 1) * 4 + j, sprint_hex(&vsector[j * 16], 16));\r
+ }\r
+ }\r
+ }\r
+\r
+ return 0;\r
+}\r
+\r
+int CmdHFMFNDEF(const char *cmd) {\r
+\r
+ CLIParserInit("hf mf ndef",\r
+ "Prints NFC Data Exchange Format (NDEF)",\r
+ "Usage:\n\thf mf ndef -> shows NDEF data\n"\r
+ "\thf mf ndef -a 03e1 -k ffffffffffff -b -> shows NDEF data with custom AID, key and with key B\n");\r
+\r
+ void *argtable[] = {\r
+ arg_param_begin,\r
+ arg_litn("vV", "verbose", 0, 2, "show technical data"),\r
+ arg_str0("aA", "aid", "replace default aid for NDEF", NULL),\r
+ arg_str0("kK", "key", "replace default key for NDEF", NULL),\r
+ arg_lit0("bB", "keyb", "use key B for access sectors (by default: key A)"),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+\r
+ bool verbose = arg_get_lit(1);\r
+ bool verbose2 = arg_get_lit(1) > 1;\r
+ uint8_t aid[2] = {0};\r
+ int aidlen;\r
+ CLIGetHexWithReturn(2, aid, &aidlen);\r
+ uint8_t key[6] = {0};\r
+ int keylen;\r
+ CLIGetHexWithReturn(3, key, &keylen);\r
+ bool keyB = arg_get_lit(4);\r
+\r
+ CLIParserFree();\r
+\r
+ uint16_t ndefAID = 0x03e1;\r
+ if (aidlen == 2)\r
+ ndefAID = (aid[0] << 8) + aid[1];\r
+\r
+ uint8_t ndefkey[6] = {0};\r
+ memcpy(ndefkey, g_mifare_ndef_key, 6);\r
+ if (keylen == 6) {\r
+ memcpy(ndefkey, key, 6);\r
+ }\r
+\r
+ uint8_t sector0[16 * 4] = {0};\r
+ uint8_t sector10[16 * 4] = {0};\r
+ uint8_t data[4096] = {0};\r
+ int datalen = 0;\r
+\r
+ PrintAndLogEx(NORMAL, "");\r
+\r
+ if (mfReadSector(MF_MAD1_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector0)) {\r
+ PrintAndLogEx(ERR, "read sector 0 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+\r
+ bool haveMAD2 = false;\r
+ int res = MADCheck(sector0, NULL, verbose, &haveMAD2);\r
+ if (res) {\r
+ PrintAndLogEx(ERR, "MAD error %d.", res);\r
+ return res;\r
+ }\r
+\r
+ if (haveMAD2) {\r
+ if (mfReadSector(MF_MAD2_SECTOR, MF_KEY_A, (uint8_t *)g_mifare_mad_key, sector10)) {\r
+ PrintAndLogEx(ERR, "read sector 0x10 error. card don't have MAD or don't have MAD on default keys.");\r
+ return 2;\r
+ }\r
+ }\r
+\r
+ uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};\r
+ size_t madlen = 0;\r
+ if (MADDecode(sector0, (haveMAD2 ? sector10 : NULL), mad, &madlen)) {\r
+ PrintAndLogEx(ERR, "can't decode mad.");\r
+ return 10;\r
+ }\r
+\r
+ printf("data reading:");\r
+ for (int i = 0; i < madlen; i++) {\r
+ if (ndefAID == mad[i]) {\r
+ uint8_t vsector[16 * 4] = {0};\r
+ if (mfReadSector(i + 1, keyB ? MF_KEY_B : MF_KEY_A, ndefkey, vsector)) {\r
+ PrintAndLogEx(ERR, "read sector %d error.", i + 1);\r
+ return 2;\r
+ }\r
+\r
+ memcpy(&data[datalen], vsector, 16 * 3);\r
+ datalen += 16 * 3;\r
+\r
+ printf(".");\r
+ }\r
+ }\r
+ printf(" OK\n");\r
+\r
+ if (!datalen) {\r
+ PrintAndLogEx(ERR, "no NDEF data.");\r
+ return 11;\r
+ }\r
+\r
+ if (verbose2) {\r
+ PrintAndLogEx(NORMAL, "NDEF data:");\r
+ dump_buffer(data, datalen, stdout, 1);\r
+ }\r
+\r
+ NDEFDecodeAndPrint(data, datalen, verbose);\r
+\r
+ return 0;\r
+}\r
+\r
+int CmdHFMFPersonalize(const char *cmd) {\r
+\r
+ CLIParserInit("hf mf personalize",\r
+ "Personalize the UID of a Mifare Classic EV1 card. This is only possible if it is a 7Byte UID card and if it is not already personalized.",\r
+ "Usage:\n\thf mf personalize UIDF0 -> double size UID according to ISO/IEC14443-3\n"\r
+ "\thf mf personalize UIDF1 -> double size UID according to ISO/IEC14443-3, optional usage of selection process shortcut\n"\r
+ "\thf mf personalize UIDF2 -> single size random ID according to ISO/IEC14443-3\n"\r
+ "\thf mf personalize UIDF3 -> single size NUID according to ISO/IEC14443-3\n"\r
+ "\thf mf personalize -t B -k B0B1B2B3B4B5 UIDF3 -> use key B = 0xB0B1B2B3B4B5 instead of default key A\n");\r
+\r
+ void *argtable[] = {\r
+ arg_param_begin,\r
+ arg_str0("tT", "keytype", "<A|B>", "key type (A or B) to authenticate sector 0 (default: A)"),\r
+ arg_str0("kK", "key", "<key (hex 6 Bytes)>", "key to authenticate sector 0 (default: FFFFFFFFFFFF)"),\r
+ arg_str1(NULL, NULL, "<UIDF0|UIDF1|UIDF2|UIDF3>", "Personalization Option"),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+\r
+ char keytypestr[2] = "A";\r
+ uint8_t keytype = 0x00;\r
+ int keytypestr_len;\r
+ int res = CLIParamStrToBuf(arg_get_str(1), (uint8_t*)keytypestr, 1, &keytypestr_len);\r
+ if (res || (keytypestr[0] != 'a' && keytypestr[0] != 'A' && keytypestr[0] != 'b' && keytypestr[0] != 'B')) {\r
+ PrintAndLog("ERROR: not a valid key type. Key type must be A or B");\r
+ CLIParserFree();\r
+ return 1;\r
+ }\r
+ if (keytypestr[0] == 'B' || keytypestr[0] == 'b') {\r
+ keytype = 0x01;\r
+ }\r
+\r
+ uint8_t key[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};\r
+ int key_len;\r
+ res = CLIParamHexToBuf(arg_get_str(2), key, 6, &key_len);\r
+ if (res || (!res && key_len > 0 && key_len != 6)) {\r
+ PrintAndLog("ERROR: not a valid key. Key must be 12 hex digits");\r
+ CLIParserFree();\r
+ return 1;\r
+ }\r
+\r
+ char pers_optionstr[6];\r
+ int opt_len;\r
+ uint8_t pers_option;\r
+ res = CLIParamStrToBuf(arg_get_str(3), (uint8_t*)pers_optionstr, 5, &opt_len);\r
+ if (res || (!res && opt_len > 0 && opt_len != 5)\r
+ || (strncmp(pers_optionstr, "UIDF0", 5) && strncmp(pers_optionstr, "UIDF1", 5) && strncmp(pers_optionstr, "UIDF2", 5) && strncmp(pers_optionstr, "UIDF3", 5))) {\r
+ PrintAndLog("ERROR: invalid personalization option. Must be one of UIDF0, UIDF1, UIDF2, or UIDF3");\r
+ CLIParserFree();\r
+ return 1;\r
+ }\r
+ if (!strncmp(pers_optionstr, "UIDF0", 5)) {\r
+ pers_option = MIFARE_EV1_UIDF0;\r
+ } else if (!strncmp(pers_optionstr, "UIDF1", 5)) {\r
+ pers_option = MIFARE_EV1_UIDF1;\r
+ } else if (!strncmp(pers_optionstr, "UIDF2", 5)) {\r
+ pers_option = MIFARE_EV1_UIDF2;\r
+ } else {\r
+ pers_option = MIFARE_EV1_UIDF3;\r
+ }\r
+\r
+ CLIParserFree();\r
+\r
+ UsbCommand c = {CMD_MIFARE_PERSONALIZE_UID, {keytype, pers_option, 0}};\r
+ memcpy(c.d.asBytes, key, 6);\r
+ SendCommand(&c);\r
+\r
+ UsbCommand resp;\r
+ if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {\r
+ uint8_t isOK = resp.arg[0] & 0xff;\r
+ PrintAndLog("Personalization %s", isOK ? "FAILED" : "SUCCEEDED");\r
+ } else {\r
+ PrintAndLog("Command execute timeout");\r
+ }\r
+\r
+ return 0;\r
+}\r
+\r
+\r
+static command_t CommandTable[] = {\r
+ {"help", CmdHelp, 1, "This help"},\r
+ {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
+ {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
+ {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
+ {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
+ {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
+ {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
+ {"auth4", CmdHF14AMfAuth4, 0, "ISO14443-4 AES authentication"},\r
+ {"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
+ {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},\r
+ {"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},\r
+ {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},\r
+ {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},\r
+ {"sim", CmdHF14AMfSim, 0, "Simulate MIFARE card"},\r
+ {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory"},\r
+ {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},\r
+ {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},\r
+ {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},\r
+ {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},\r
+ {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},\r
+ {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},\r
+ {"cwipe", CmdHF14AMfCWipe, 0, "Wipe magic Chinese card"},\r
+ {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},\r
+ {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},\r
+ {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},\r
+ {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
+ {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
+ {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
+ {"decrypt", CmdDecryptTraceCmds, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
+ {"mad", CmdHF14AMfMAD, 0, "Checks and prints MAD"},\r
+ {"ndef", CmdHFMFNDEF, 0, "Prints NDEF records from card"},\r
+ {"personalize", CmdHFMFPersonalize, 0, "Personalize UID (Mifare Classic EV1 only)"},\r
+ {NULL, NULL, 0, NULL}\r