X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/2ec87733142000646c7ce86c74f61330f451b110..5247c0c193eb0b66e57946589c1d05cc67f56b22:/client/cmdhfmfu.c diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 25a073d3..aad7f886 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -16,16 +16,16 @@ #include "protocols.h" #include "data.h" -#define MAX_UL_BLOCKS 0x0f -#define MAX_ULC_BLOCKS 0x2b -#define MAX_ULEV1a_BLOCKS 0x13 -#define MAX_ULEV1b_BLOCKS 0x28 -#define MAX_NTAG_203 0x29 -#define MAX_NTAG_210 0x13 -#define MAX_NTAG_212 0x28 -#define MAX_NTAG_213 0x2c -#define MAX_NTAG_215 0x86 -#define MAX_NTAG_216 0xe6 +#define MAX_UL_BLOCKS 0x0f +#define MAX_ULC_BLOCKS 0x2b +#define MAX_ULEV1a_BLOCKS 0x13 +#define MAX_ULEV1b_BLOCKS 0x28 +#define MAX_NTAG_203 0x29 +#define MAX_NTAG_210 0x13 +#define MAX_NTAG_212 0x28 +#define MAX_NTAG_213 0x2c +#define MAX_NTAG_215 0x86 +#define MAX_NTAG_216 0xe6 #define MAX_MY_D_NFC 0xff #define MAX_MY_D_MOVE 0x25 #define MAX_MY_D_MOVE_LEAN 0x0f @@ -41,30 +41,76 @@ uint8_t default_3des_keys[KEYS_3DES_COUNT][16] = { { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF } // 11 22 33 }; -#define KEYS_PWD_COUNT 10 +#define KEYS_PWD_COUNT 1 uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = { {0xFF,0xFF,0xFF,0xFF}, // PACK 0x00,0x00 -- factory default - - {0x4A,0xF8,0x4B,0x19}, // PACK 0xE5,0xBE -- italian bus (sniffed) - {0x33,0x6B,0xA1,0x19}, // PACK 0x9c,0x2d -- italian bus (sniffed) - {0xFF,0x90,0x6C,0xB2}, // PACK 0x12,0x9e -- italian bus (sniffed) - {0x46,0x1c,0xA3,0x19}, // PACK 0xE9,0x5A -- italian bus (sniffed) - {0x35,0x1C,0xD0,0x19}, // PACK 0x9A,0x5a -- italian bus (sniffed) - - {0x05,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- Amiiboo (sniffed) pikachu-b UID: - {0x7E,0x22,0xE6,0xB4}, // PACK 0x80,0x80 -- AMiiboo (sniffed) - {0x02,0xE1,0xEE,0x36}, // PACK 0x80,0x80 -- AMiiboo (sniffed) sonic UID: 04d257 7ae33e8027 - {0x32,0x0C,0x16,0x17}, // PACK 0x80,0x80 -- AMiiboo (sniffed) }; #define MAX_UL_TYPES 18 -uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203, - NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC, MY_D_MOVE_LEAN, FUDAN_UL}; +uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = { + UNKNOWN, UL, UL_C, + UL_EV1_48, UL_EV1_128, NTAG, + NTAG_203, NTAG_210, NTAG_212, + NTAG_213, NTAG_215, NTAG_216, + MY_D, MY_D_NFC, MY_D_MOVE, + MY_D_MOVE_NFC, MY_D_MOVE_LEAN, FUDAN_UL}; + +uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = { + MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, + MAX_ULEV1a_BLOCKS, MAX_ULEV1b_BLOCKS, MAX_NTAG_203, + MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, + MAX_NTAG_213, MAX_NTAG_215, MAX_NTAG_216, + MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, + MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS}; + +// Certain pwd generation algo nickname A. +uint32_t ul_ev1_pwdgenA(uint8_t* uid) { + + uint8_t pos = (uid[3] ^ uid[4] ^ uid[5] ^ uid[6]) % 32; + + uint32_t xortable[] = { + 0x4f2711c1, 0x07D7BB83, 0x9636EF07, 0xB5F4460E, 0xF271141C, 0x7D7BB038, 0x636EF871, 0x5F4468E3, + 0x271149C7, 0xD7BB0B8F, 0x36EF8F1E, 0xF446863D, 0x7114947A, 0x7BB0B0F5, 0x6EF8F9EB, 0x44686BD7, + 0x11494fAF, 0xBB0B075F, 0xEF8F96BE, 0x4686B57C, 0x1494F2F9, 0xB0B07DF3, 0xF8F963E6, 0x686B5FCC, + 0x494F2799, 0x0B07D733, 0x8F963667, 0x86B5F4CE, 0x94F2719C, 0xB07D7B38, 0xF9636E70, 0x6B5F44E0 + }; + + uint8_t entry[] = {0x00,0x00,0x00,0x00}; + uint8_t pwd[] = {0x00,0x00,0x00,0x00}; + + num_to_bytes( xortable[pos], 4, entry); + + pwd[0] = entry[0] ^ uid[1] ^ uid[2] ^ uid[3]; + pwd[1] = entry[1] ^ uid[0] ^ uid[2] ^ uid[4]; + pwd[2] = entry[2] ^ uid[0] ^ uid[1] ^ uid[5]; + pwd[3] = entry[3] ^ uid[6]; -uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, MAX_ULEV1a_BLOCKS, - MAX_ULEV1b_BLOCKS, MAX_NTAG_203, MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, MAX_NTAG_213, - MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS}; + return (uint32_t)bytes_to_num(pwd, 4); +} + +// Certain pwd generation algo nickname B. (very simple) +uint32_t ul_ev1_pwdgenB(uint8_t* uid) { + + uint8_t pwd[] = {0x00,0x00,0x00,0x00}; + + pwd[0] = uid[1] ^ uid[3] ^ 0xAA; + pwd[1] = uid[2] ^ uid[4] ^ 0x55; + pwd[2] = uid[3] ^ uid[5] ^ 0xAA; + pwd[3] = uid[4] ^ uid[6] ^ 0x55; + return (uint32_t)bytes_to_num(pwd, 4); +} +void ul_ev1_pwdgen_selftest(){ + + uint8_t uid1[] = {0x04,0x11,0x12,0x11,0x12,0x11,0x10}; + uint32_t pwd1 = ul_ev1_pwdgenA(uid1); + PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid1,7), pwd1, (pwd1 == 0x8432EB17)?"OK":"->8432EB17<-"); + + uint8_t uid2[] = {0x04,0x1f,0x98,0xea,0x1e,0x3e,0x81}; + uint32_t pwd2 = ul_ev1_pwdgenB(uid2); + PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid2,7), pwd2, (pwd2 == 0x5fd37eca)?"OK":"->5fd37eca<--"); + return; +} static int CmdHelp(const char *Cmd); @@ -129,24 +175,7 @@ static int ul_send_cmd_raw( uint8_t *cmd, uint8_t cmdlen, uint8_t *response, uin memcpy(response, resp.d.asBytes, resplen); return resplen; } -/* -static int ul_send_cmd_raw_crc( uint8_t *cmd, uint8_t cmdlen, uint8_t *response, uint16_t responseLength, bool append_crc ) { - UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_NO_DISCONNECT , cmdlen, 0}}; - if (append_crc) - c.arg[0] |= ISO14A_APPEND_CRC; - - memcpy(c.d.asBytes, cmd, cmdlen); - clearCommandBuffer(); - SendCommand(&c); - UsbCommand resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return -1; - if (!resp.arg[0] && responseLength) return -1; - uint16_t resplen = (resp.arg[0] < responseLength) ? resp.arg[0] : responseLength; - memcpy(response, resp.d.asBytes, resplen); - return resplen; -} -*/ static int ul_select( iso14a_card_select_t *card ){ ul_switch_on_field(); @@ -245,16 +274,6 @@ static int ulev1_getVersion( uint8_t *response, uint16_t responseLength ){ return len; } -// static int ulev1_fastRead( uint8_t startblock, uint8_t endblock, uint8_t *response ){ - - // uint8_t cmd[] = {MIFARE_ULEV1_FASTREAD, startblock, endblock}; - - // if ( !ul_send_cmd_raw(cmd, sizeof(cmd), response)){ - // return -1; - // } - // return 0; -// } - static int ulev1_readCounter( uint8_t counter, uint8_t *response, uint16_t responseLength ){ uint8_t cmd[] = {MIFARE_ULEV1_READ_CNT, counter}; @@ -276,7 +295,6 @@ static int ulev1_readSignature( uint8_t *response, uint16_t responseLength ){ return len; } - // Fudan check checks for which error is given for a command with incorrect crc // NXP UL chip responds with 01, fudan 00. // other possible checks: @@ -346,12 +364,12 @@ static int ul_print_default( uint8_t *data){ PrintAndLog(" Lock : %s - %s", sprint_hex(data+10, 2), - printBits(2, data+10) + sprint_bin(data+10, 2) ); PrintAndLog("OneTimePad : %s - %s\n", sprint_hex(data + 12, 4), - printBits(4, data+12) + sprint_bin(data+12, 4) ); return 0; @@ -367,7 +385,9 @@ static int ndef_print_CC(uint8_t *data) { PrintAndLog(" %02X : NDEF Magic Number", data[0]); PrintAndLog(" %02X : version %d.%d supported by tag", data[1], (data[1] & 0xF0) >> 4, data[1] & 0x0f); PrintAndLog(" %02X : Physical Memory Size: %d bytes", data[2], (data[2] + 1) * 8); - if ( data[2] == 0x12 ) + if ( data[2] == 0x96 ) + PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 48); + else if ( data[2] == 0x12 ) PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 144); else if ( data[2] == 0x3e ) PrintAndLog(" %02X : NDEF Memory Size: %d bytes", data[2], 496); @@ -440,8 +460,8 @@ static int ulc_print_3deskey( uint8_t *data){ static int ulc_print_configuration( uint8_t *data){ PrintAndLog("--- UL-C Configuration"); - PrintAndLog(" Higher Lockbits [40/0x28] : %s - %s", sprint_hex(data, 4), printBits(2, data)); - PrintAndLog(" Counter [41/0x29] : %s - %s", sprint_hex(data+4, 4), printBits(2, data+4)); + PrintAndLog(" Higher Lockbits [40/0x28] : %s - %s", sprint_hex(data, 4), sprint_bin(data, 2)); + PrintAndLog(" Counter [41/0x29] : %s - %s", sprint_hex(data+4, 4), sprint_bin(data+4, 2)); bool validAuth = (data[8] >= 0x03 && data[8] <= 0x30); if ( validAuth ) @@ -466,6 +486,8 @@ static int ulev1_print_configuration( uint8_t *data, uint8_t startPage){ bool strg_mod_en = (data[0] & 2); uint8_t authlim = (data[4] & 0x07); + bool nfc_cnf_en = (data[4] & 0x08); + bool nfc_cnf_prot_pwd = (data[4] & 0x10); bool cfglck = (data[4] & 0x40); bool prot = (data[4] & 0x80); uint8_t vctid = data[5]; @@ -481,6 +503,10 @@ static int ulev1_print_configuration( uint8_t *data, uint8_t startPage){ PrintAndLog(" - Unlimited password attempts"); else PrintAndLog(" - Max number of password attempts is %d", authlim); + + PrintAndLog(" - NFC counter %s", (nfc_cnf_en) ? "enabled":"disabled"); + PrintAndLog(" - NFC counter %s", (nfc_cnf_prot_pwd) ? "not protected":"password protection enabled"); + PrintAndLog(" - user configuration %s", cfglck ? "permanently locked":"writeable"); PrintAndLog(" - %s access is protected with password", prot ? "read and write":"write"); PrintAndLog(" - %02X, Virtual Card Type Identifier is %s default", vctid, (vctid==0x05)? "":"not"); @@ -692,7 +718,8 @@ int CmdHF14AMfUInfo(const char *Cmd){ uint8_t dataLen = 0; uint8_t authenticationkey[16] = {0x00}; uint8_t *authkeyptr = authenticationkey; - uint8_t *key; + uint8_t pwd[4] = {0,0,0,0}; + uint8_t *key = pwd; uint8_t pack[4] = {0,0,0,0}; int len = 0; char tempStr[50]; @@ -814,6 +841,7 @@ int CmdHF14AMfUInfo(const char *Cmd){ } } + // Read signature if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K ))) { uint8_t ulev1_signature[32] = {0x00}; status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature)); @@ -829,6 +857,7 @@ int CmdHF14AMfUInfo(const char *Cmd){ } } + // Get Version if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_210 | NTAG_212 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K))) { uint8_t version[10] = {0x00}; status = ulev1_getVersion(version, sizeof(version)); @@ -870,6 +899,23 @@ int CmdHF14AMfUInfo(const char *Cmd){ if ( !authlim && !hasAuthKey ) { PrintAndLog("\n--- Known EV1/NTAG passwords."); len = 0; + + // test pwd gen A + num_to_bytes( ul_ev1_pwdgenA(card.uid), 4, key); + len = ulev1_requestAuthentication(key, pack, sizeof(pack)); + if (len >= 1) { + PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]); + } + if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + + // test pwd gen B + num_to_bytes( ul_ev1_pwdgenB(card.uid), 4, key); + len = ulev1_requestAuthentication(key, pack, sizeof(pack)); + if (len >= 1) { + PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]); + } + if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + for (uint8_t i = 0; i < KEYS_PWD_COUNT; ++i ) { key = default_pwd_pack[i]; len = ulev1_requestAuthentication(key, pack, sizeof(pack)); @@ -895,7 +941,7 @@ int CmdHF14AMfUInfo(const char *Cmd){ // int CmdHF14AMfUWrBl(const char *Cmd){ - int blockNo = -1; + int blockNo = -1; bool errors = false; bool hasAuthKey = false; bool hasPwdKey = false; @@ -941,7 +987,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){ blockNo = param_get8(Cmd, cmdp+1); if (blockNo < 0) { PrintAndLog("Wrong block number"); - errors = true; + errors = true; } cmdp += 2; break; @@ -987,16 +1033,16 @@ int CmdHF14AMfUWrBl(const char *Cmd){ if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8); if (swapEndian && hasPwdKey) authKeyPtr = SwapEndian64(authenticationkey, 4, 4); - if ( blockNo <= 3) + if ( blockNo <= 3) PrintAndLog("Special Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4)); else PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4)); - + //Send write Block UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}}; memcpy(c.d.asBytes,blockdata,4); - if ( hasAuthKey ) { + if ( hasAuthKey ){ c.arg[1] = 1; memcpy(c.d.asBytes+4,authKeyPtr,16); } @@ -1004,7 +1050,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){ c.arg[1] = 2; memcpy(c.d.asBytes+4,authKeyPtr,4); } - + clearCommandBuffer(); SendCommand(&c); UsbCommand resp; @@ -1014,7 +1060,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){ } else { PrintAndLog("Command execute timeout"); } - + return 0; } // @@ -1066,15 +1112,15 @@ int CmdHF14AMfURdBl(const char *Cmd){ blockNo = param_get8(Cmd, cmdp+1); if (blockNo < 0) { PrintAndLog("Wrong block number"); - errors = true; + errors = true; } cmdp += 2; break; case 'l': case 'L': swapEndian = true; - cmdp++; - break; + cmdp++; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -1102,7 +1148,7 @@ int CmdHF14AMfURdBl(const char *Cmd){ // Swap endianness if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8); if (swapEndian && hasPwdKey) authKeyPtr = SwapEndian64(authenticationkey, 4, 4); - + //Read Block UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}}; if ( hasAuthKey ){ @@ -1113,7 +1159,7 @@ int CmdHF14AMfURdBl(const char *Cmd){ c.arg[1] = 2; memcpy(c.d.asBytes,authKeyPtr,4); } - + clearCommandBuffer(); SendCommand(&c); UsbCommand resp; @@ -1190,7 +1236,7 @@ int usage_hf_mfu_rdbl(void) { int usage_hf_mfu_wrbl(void) { PrintAndLog("Write a block. It autodetects card type.\n"); PrintAndLog("Usage: hf mfu wrbl b d k l\n"); - PrintAndLog(" Options:"); + PrintAndLog(" Options:"); PrintAndLog(" b : block to write"); PrintAndLog(" d : block data - (8 hex symbols)"); PrintAndLog(" k : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]"); @@ -1201,7 +1247,61 @@ int usage_hf_mfu_wrbl(void) { return 0; } +int usage_hf_mfu_eload(void) { + PrintAndLog("It loads emulator dump from the file `filename.eml`\n"); + PrintAndLog("Usage: hf mfu eload t i \n"); + PrintAndLog(" Options:"); + PrintAndLog(" t : Tag memorysize/type"); + PrintAndLog(" i : file name w/o `.eml`"); + PrintAndLog(""); + PrintAndLog(" sample : hf mfu eload filename"); + PrintAndLog(" : hf mfu eload 4 filename"); + return 0; +} + +int usage_hf_mfu_ucauth(void) { + PrintAndLog("Usage: hf mfu cauth k "); + PrintAndLog(" 0 (default): 3DES standard key"); + PrintAndLog(" 1 : all 0x00 key"); + PrintAndLog(" 2 : 0x00-0x0F key"); + PrintAndLog(" 3 : nfc key"); + PrintAndLog(" 4 : all 0x01 key"); + PrintAndLog(" 5 : all 0xff key"); + PrintAndLog(" 6 : 0x00-0xFF key"); + PrintAndLog("\n sample : hf mfu cauth k"); + PrintAndLog(" : hf mfu cauth k 3"); + return 0; +} + +int usage_hf_mfu_ucsetpwd(void) { + PrintAndLog("Usage: hf mfu setpwd "); + PrintAndLog(" [password] - (32 hex symbols)"); + PrintAndLog(""); + PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f"); + PrintAndLog(""); + return 0; +} + +int usage_hf_mfu_ucsetuid(void) { + PrintAndLog("Usage: hf mfu setuid "); + PrintAndLog(" [uid] - (14 hex symbols)"); + PrintAndLog("\nThis only works for Magic Ultralight tags."); + PrintAndLog(""); + PrintAndLog("sample: hf mfu setuid 11223344556677"); + PrintAndLog(""); + return 0; +} + +int usage_hf_mfu_gendiverse(void){ + PrintAndLog("Usage: hf mfu gen "); + PrintAndLog(""); + PrintAndLog("sample: hf mfu gen 11223344"); + PrintAndLog(""); + return 0; +} + // + // Mifare Ultralight / Ultralight-C / Ultralight-EV1 // Read and Dump Card Contents, using auto detection of tag size. int CmdHF14AMfUDump(const char *Cmd){ @@ -1377,11 +1477,11 @@ int CmdHF14AMfUDump(const char *Cmd){ } switch(i){ case 3: tmplockbit = bit[4]; break; - case 4: tmplockbit = bit[3]; break; - case 5: tmplockbit = bit[2]; break; - case 6: tmplockbit = bit[1]; break; - case 7: tmplockbit = bit[0]; break; - case 8: tmplockbit = bit[15]; break; + case 4: tmplockbit = bit[3]; break; + case 5: tmplockbit = bit[2]; break; + case 6: tmplockbit = bit[1]; break; + case 7: tmplockbit = bit[0]; break; + case 8: tmplockbit = bit[15]; break; case 9: tmplockbit = bit[14]; break; case 10: tmplockbit = bit[13]; break; case 11: tmplockbit = bit[12]; break; @@ -1447,6 +1547,7 @@ int CmdHF14AMfUDump(const char *Cmd){ // Ultralight C Methods //------------------------------------------------------------------------------- + // // Ultralight C Authentication Demo {currently uses hard-coded key} // @@ -1464,22 +1565,9 @@ int CmdHF14AMfucAuth(const char *Cmd){ errors = true; } - if (cmdp == 'h' || cmdp == 'H') - errors = true; + if (cmdp == 'h' || cmdp == 'H') errors = true; - if (errors) { - PrintAndLog("Usage: hf mfu cauth k "); - PrintAndLog(" 0 (default): 3DES standard key"); - PrintAndLog(" 1 : all 0x00 key"); - PrintAndLog(" 2 : 0x00-0x0F key"); - PrintAndLog(" 3 : nfc key"); - PrintAndLog(" 4 : all 0x01 key"); - PrintAndLog(" 5 : all 0xff key"); - PrintAndLog(" 6 : 0x00-0xFF key"); - PrintAndLog("\n sample : hf mfu cauth k"); - PrintAndLog(" : hf mfu cauth k 3"); - return 0; - } + if (errors) return usage_hf_mfu_ucauth(); uint8_t *key = default_3des_keys[keyNo]; if (ulc_authentication(key, true)) @@ -1592,18 +1680,10 @@ int CmdTestDES(const char * cmd) // int CmdHF14AMfucSetPwd(const char *Cmd){ - uint8_t pwd[16] = {0x00}; - + uint8_t pwd[16] = {0x00}; char cmdp = param_getchar(Cmd, 0); - - if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') { - PrintAndLog("Usage: hf mfu setpwd "); - PrintAndLog(" [password] - (32 hex symbols)"); - PrintAndLog(""); - PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f"); - PrintAndLog(""); - return 0; - } + + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetpwd(); if (param_gethex(Cmd, 0, pwd, 32)) { PrintAndLog("Password must include 32 HEX symbols"); @@ -1616,7 +1696,6 @@ int CmdHF14AMfucSetPwd(const char *Cmd){ SendCommand(&c); UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { if ( (resp.arg[0] & 0xff) == 1) PrintAndLog("Ultralight-C new password: %s", sprint_hex(pwd,16)); @@ -1628,8 +1707,7 @@ int CmdHF14AMfucSetPwd(const char *Cmd){ else { PrintAndLog("command execution time out"); return 1; - } - + } return 0; } @@ -1642,17 +1720,8 @@ int CmdHF14AMfucSetUid(const char *Cmd){ UsbCommand resp; uint8_t uid[7] = {0x00}; char cmdp = param_getchar(Cmd, 0); - - if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') { - PrintAndLog("Usage: hf mfu setuid "); - PrintAndLog(" [uid] - (14 hex symbols)"); - PrintAndLog("\nThis only works for Magic Ultralight tags."); - PrintAndLog(""); - PrintAndLog("sample: hf mfu setuid 11223344556677"); - PrintAndLog(""); - return 0; - } - + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetuid(); + if (param_gethex(Cmd, 0, uid, 14)) { PrintAndLog("UID must include 14 HEX symbols"); return 1; @@ -1667,7 +1736,7 @@ int CmdHF14AMfucSetUid(const char *Cmd){ PrintAndLog("Command execute timeout"); return 2; } - + // save old block2. uint8_t oldblock2[4] = {0x00}; memcpy(resp.d.asBytes, oldblock2, 4); @@ -1685,7 +1754,7 @@ int CmdHF14AMfucSetUid(const char *Cmd){ PrintAndLog("Command execute timeout"); return 3; } - + // block 1. c.arg[0] = 1; c.d.asBytes[0] = uid[3]; @@ -1717,13 +1786,19 @@ int CmdHF14AMfucSetUid(const char *Cmd){ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ - uint8_t iv[8] = { 0x00 }; - uint8_t block = 0x07; + uint8_t uid[4]; + + char cmdp = param_getchar(Cmd, 0); + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_gendiverse(); - // UL-EV1 - //04 57 b6 e2 05 3f 80 UID - //4a f8 4b 19 PWD - uint8_t uid[] = { 0xF4,0xEA, 0x54, 0x8E }; + if (param_gethex(Cmd, 0, uid, 8)) { + PrintAndLog("UID must include 8 HEX symbols"); + return 1; + } + + uint8_t iv[8] = { 0x00 }; + uint8_t block = 0x01; + uint8_t mifarekeyA[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 }; uint8_t mifarekeyB[] = { 0xB0,0xB1,0xB2,0xB3,0xB4,0xB5 }; uint8_t dkeyA[8] = { 0x00 }; @@ -1733,14 +1808,14 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ uint8_t mix[8] = { 0x00 }; uint8_t divkey[8] = { 0x00 }; - + memcpy(mix, mifarekeyA, 4); - + mix[4] = mifarekeyA[4] ^ uid[0]; mix[5] = mifarekeyA[5] ^ uid[1]; mix[6] = block ^ uid[2]; mix[7] = uid[3]; - + des3_context ctx = { 0x00 }; des3_set2key_enc(&ctx, masterkey); @@ -1752,16 +1827,14 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ , divkey // output ); - PrintAndLog("3DES version"); + PrintAndLog("-- 3DES version"); PrintAndLog("Masterkey :\t %s", sprint_hex(masterkey,sizeof(masterkey))); PrintAndLog("UID :\t %s", sprint_hex(uid, sizeof(uid))); - PrintAndLog("Sector :\t %0d", block); + PrintAndLog("block :\t %0d", block); PrintAndLog("Mifare key :\t %s", sprint_hex(mifarekeyA, sizeof(mifarekeyA))); PrintAndLog("Message :\t %s", sprint_hex(mix, sizeof(mix))); PrintAndLog("Diversified key: %s", sprint_hex(divkey+1, 6)); - - PrintAndLog("\n DES version"); - + for (int i=0; i < sizeof(mifarekeyA); ++i){ dkeyA[i] = (mifarekeyA[i] << 1) & 0xff; dkeyA[6] |= ((mifarekeyA[i] >> 7) & 1) << (i+1); @@ -1779,7 +1852,7 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ memcpy(dmkey+8, dkeyB, 8); memcpy(dmkey+16, dkeyA, 8); memset(iv, 0x00, 8); - + des3_set3key_enc(&ctx, dmkey); des3_crypt_cbc(&ctx // des3_context @@ -1790,33 +1863,111 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ , newpwd // output ); + PrintAndLog("\n-- DES version"); PrintAndLog("Mifare dkeyA :\t %s", sprint_hex(dkeyA, sizeof(dkeyA))); PrintAndLog("Mifare dkeyB :\t %s", sprint_hex(dkeyB, sizeof(dkeyB))); PrintAndLog("Mifare ABA :\t %s", sprint_hex(dmkey, sizeof(dmkey))); PrintAndLog("Mifare Pwd :\t %s", sprint_hex(newpwd, sizeof(newpwd))); + // next. from the diversify_key method. return 0; } -// static uint8_t * diversify_key(uint8_t * key){ - - // for(int i=0; i<16; i++){ - // if(i<=6) key[i]^=cuid[i]; - // if(i>6) key[i]^=cuid[i%7]; - // } - // return key; -// } - // static void GenerateUIDe( uint8_t *uid, uint8_t len){ // for (int i=0; i FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + + fnameptr += len; + + sprintf(fnameptr, ".eml"); + + // open file + f = fopen(filename, "r"); + if (f == NULL) { + PrintAndLog("File %s not found or locked", filename); + return 1; + } + + blockNum = 0; + while(!feof(f)){ + memset(buf, 0, sizeof(buf)); + + if (fgets(buf, sizeof(buf), f) == NULL) { + + if (blockNum >= numBlocks) break; + + PrintAndLog("File reading error."); + fclose(f); + return 2; + } + + if (strlen(buf) < 32){ + if(strlen(buf) && feof(f)) + break; + PrintAndLog("File content error. Block data must include 32 HEX symbols"); + fclose(f); + return 2; + } + + for (i = 0; i < 32; i += 2) { + sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]); + } + + if (mfEmlSetMem(buf8, blockNum, 1)) { + PrintAndLog("Cant set emul block: %3d", blockNum); + fclose(f); + return 3; + } + printf("."); + blockNum++; + + if (blockNum >= numBlocks) break; + } + fclose(f); + printf("\n"); + + if ((blockNum != numBlocks)) { + PrintAndLog("File content error. Got %d must be %d blocks.",blockNum, numBlocks); + return 4; + } + PrintAndLog("Loaded %d blocks from file: %s", blockNum, filename); + */ + return 0; +} + static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, @@ -1825,6 +1976,7 @@ static command_t CommandTable[] = {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C / NTAG tag to binary file"}, {"rdbl", CmdHF14AMfURdBl, 0, "Read block"}, {"wrbl", CmdHF14AMfUWrBl, 0, "Write block"}, + {"eload", CmdHF14AMfuELoad, 0, " Load from file emulator dump"}, {"cauth", CmdHF14AMfucAuth, 0, "Authentication - Ultralight C"}, {"setpwd", CmdHF14AMfucSetPwd, 1, "Set 3des password - Ultralight-C"}, {"setuid", CmdHF14AMfucSetUid, 1, "Set UID - MAGIC tags only"},