X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/3ac22ee1cf91686111aea2a4bb85d9f2b94ec1fe..f9f0e83b7cf98887fc5dbe97bcb491b8c45c7d69:/client/cmdhficlass.c?ds=sidebyside diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index ace50698..ce7d1f93 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -33,8 +33,6 @@ #include "usb_cmd.h" #include "cmdhfmfu.h" -#define llX PRIx64 - static int CmdHelp(const char *Cmd); #define ICLASS_KEYS_MAX 8 @@ -283,8 +281,13 @@ int CmdHFiClassELoad(const char *Cmd) { long fsize = ftell(f); fseek(f, 0, SEEK_SET); - uint8_t *dump = malloc(fsize); + if (fsize < 0) { + PrintAndLog("Error, when getting filesize"); + fclose(f); + return 1; + } + uint8_t *dump = malloc(fsize); size_t bytes_read = fread(dump, 1, fsize, f); fclose(f); @@ -368,10 +371,13 @@ int CmdHFiClassDecrypt(const char *Cmd) { //Open the tagdump-file FILE *f; char filename[FILE_PATH_SIZE]; - if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0) - { + if(opt == 'f' && param_getstr(Cmd, 1, filename) > 0) { f = fopen(filename, "rb"); - }else{ + if ( f == NULL ) { + PrintAndLog("Could not find file %s", filename); + return 1; + } + } else { return usage_hf_iclass_decrypt(); } @@ -406,7 +412,7 @@ int CmdHFiClassDecrypt(const char *Cmd) { fclose(f); saveFile(outfilename,"bin", decrypted, blocknum*8); - + free(decrypted); return 0; } @@ -500,7 +506,7 @@ static bool select_only(uint8_t *CSN, uint8_t *CCNR, bool use_credit_key, bool v return true; } -static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool verbose) { +static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool verbose) { uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; @@ -508,7 +514,11 @@ static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool u return false; //get div_key - HFiClassCalcDivKey(CSN, KEY, div_key, elite); + if(rawkey) + memcpy(div_key, KEY, 8); + else + HFiClassCalcDivKey(CSN, KEY, div_key, elite); + PrintAndLog("Authing with %s: %02x%02x%02x%02x%02x%02x%02x%02x", rawkey ? "raw key" : "diversified key", div_key[0],div_key[1],div_key[2],div_key[3],div_key[4],div_key[5],div_key[6],div_key[7]); doMAC(CCNR, div_key, MAC); UsbCommand resp; @@ -530,7 +540,7 @@ static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool u } int usage_hf_iclass_dump(void) { - PrintAndLog("Usage: hf iclass dump f k c e\n"); + PrintAndLog("Usage: hf iclass dump f k c e|r\n"); PrintAndLog("Options:"); PrintAndLog(" f : specify a filename to save dump to"); PrintAndLog(" k : *Access Key as 16 hex symbols or 1 hex to select key from memory"); @@ -538,6 +548,7 @@ int usage_hf_iclass_dump(void) { PrintAndLog(" e : If 'e' is specified, the key is interpreted as the 16 byte"); PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack"); PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format"); + PrintAndLog(" r : If 'r' is specified, the key is interpreted as raw block 3/4"); PrintAndLog(" NOTE: * = required"); PrintAndLog("Samples:"); PrintAndLog(" hf iclass dump k 001122334455667B"); @@ -554,6 +565,8 @@ int CmdHFiClassReader_Dump(const char *Cmd) { uint8_t blockno = 0; uint8_t numblks = 0; uint8_t maxBlk = 31; + uint8_t app_areas = 1; + uint8_t kb = 2; uint8_t KEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t CreditKEY[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t keyNbr = 0; @@ -565,6 +578,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) { bool have_credit_key = false; bool use_credit_key = false; bool elite = false; + bool rawkey = false; bool errors = false; uint8_t cmdp = 0; @@ -583,7 +597,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) { errors = param_gethex(tempStr, 0, CreditKEY, dataLen); } else if (dataLen == 1) { keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr <= ICLASS_KEYS_MAX) { + if (keyNbr < ICLASS_KEYS_MAX) { memcpy(CreditKEY, iClass_Key_Table[keyNbr], 8); } else { PrintAndLog("\nERROR: Credit KeyNbr is invalid\n"); @@ -617,7 +631,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) { errors = param_gethex(tempStr, 0, KEY, dataLen); } else if (dataLen == 1) { keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr <= ICLASS_KEYS_MAX) { + if (keyNbr < ICLASS_KEYS_MAX) { memcpy(KEY, iClass_Key_Table[keyNbr], 8); } else { PrintAndLog("\nERROR: Credit KeyNbr is invalid\n"); @@ -629,6 +643,11 @@ int CmdHFiClassReader_Dump(const char *Cmd) { } cmdp += 2; break; + case 'r': + case 'R': + rawkey = true; + cmdp++; + break; default: PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); errors = true; @@ -666,20 +685,15 @@ int CmdHFiClassReader_Dump(const char *Cmd) { memcpy(tag_data, data, 8*3); blockno+=2; // 2 to force re-read of block 2 later. (seems to respond differently..) numblks = data[8]; - - if (data[13] & 0x80) { - // large memory - not able to dump pages currently - maxBlk = 255; - } else { - maxBlk = 31; - } + getMemConfig(data[13], data[12], &maxBlk, &app_areas, &kb); + // large memory - not able to dump pages currently if (numblks > maxBlk) numblks = maxBlk; } ul_switch_off_field(); // authenticate debit key and get div_key - later store in dump block 3 - if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, false)){ + if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){ //try twice - for some reason it sometimes fails the first time... - if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, false)){ + if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, false)){ ul_switch_off_field(); return 0; } @@ -717,9 +731,9 @@ int CmdHFiClassReader_Dump(const char *Cmd) { ul_switch_off_field(); memset(MAC,0,4); // AA2 authenticate credit key and git c_div_key - later store in dump block 4 - if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false)){ + if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){ //try twice - for some reason it sometimes fails the first time... - if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false)){ + if (!select_and_auth(CreditKEY, MAC, c_div_key, true, false, false, false)){ ul_switch_off_field(); return 0; } @@ -763,10 +777,10 @@ int CmdHFiClassReader_Dump(const char *Cmd) { if (have_debit_key) memcpy(tag_data+(3*8),div_key,8); if (have_credit_key) memcpy(tag_data+(4*8),c_div_key,8); // print the dump - printf("CSN |00| %02X %02X %02X %02X %02X %02X %02X %02X |\n",tag_data[0],tag_data[1],tag_data[2] - ,tag_data[3],tag_data[4],tag_data[5],tag_data[6],tag_data[7]); - printIclassDumpContents(tag_data, 1, (gotBytes/8)-1, gotBytes-8); - + printf("------+--+-------------------------+\n"); + printf("CSN |00| %s|\n",sprint_hex(tag_data, 8)); + printIclassDumpContents(tag_data, 1, (gotBytes/8), gotBytes); + if (filename[0] == 0){ snprintf(filename, FILE_PATH_SIZE,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x", tag_data[0],tag_data[1],tag_data[2],tag_data[3], @@ -779,10 +793,10 @@ int CmdHFiClassReader_Dump(const char *Cmd) { return 1; } -static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool verbose) { +static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool verbose) { uint8_t MAC[4]={0x00,0x00,0x00,0x00}; uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; - if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, verbose)) + if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, verbose)) return 0; UsbCommand resp; @@ -815,6 +829,7 @@ int usage_hf_iclass_writeblock(void) { PrintAndLog(" k : Access Key as 16 hex symbols or 1 hex to select key from memory"); PrintAndLog(" c : If 'c' is specified, the key set is assumed to be the credit key\n"); PrintAndLog(" e : If 'e' is specified, elite computations applied to key"); + PrintAndLog(" r : If 'r' is specified, no computations applied to key"); PrintAndLog("Samples:"); PrintAndLog(" hf iclass writeblk b 0A d AAAAAAAAAAAAAAAA k 001122334455667B"); PrintAndLog(" hf iclass writeblk b 1B d AAAAAAAAAAAAAAAA k 001122334455667B c"); @@ -831,6 +846,7 @@ int CmdHFiClass_WriteBlock(const char *Cmd) { char tempStr[50] = {0}; bool use_credit_key = false; bool elite = false; + bool rawkey= false; bool errors = false; uint8_t cmdp = 0; while(param_getchar(Cmd, cmdp) != 0x00) @@ -874,7 +890,7 @@ int CmdHFiClass_WriteBlock(const char *Cmd) { errors = param_gethex(tempStr, 0, KEY, dataLen); } else if (dataLen == 1) { keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr <= ICLASS_KEYS_MAX) { + if (keyNbr < ICLASS_KEYS_MAX) { memcpy(KEY, iClass_Key_Table[keyNbr], 8); } else { PrintAndLog("\nERROR: Credit KeyNbr is invalid\n"); @@ -886,6 +902,11 @@ int CmdHFiClass_WriteBlock(const char *Cmd) { } cmdp += 2; break; + case 'r': + case 'R': + rawkey = true; + cmdp++; + break; default: PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); errors = true; @@ -895,13 +916,13 @@ int CmdHFiClass_WriteBlock(const char *Cmd) { } if (cmdp < 6) return usage_hf_iclass_writeblock(); - int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, true); + int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, true); ul_switch_off_field(); return ans; } int usage_hf_iclass_clone(void) { - PrintAndLog("Usage: hf iclass clone f b l k e c"); + PrintAndLog("Usage: hf iclass clone f b l k c e|r"); PrintAndLog("Options:"); PrintAndLog(" f : specify a filename to clone from"); PrintAndLog(" b : The first block to clone as 2 hex symbols"); @@ -909,6 +930,7 @@ int usage_hf_iclass_clone(void) { PrintAndLog(" k : Access Key as 16 hex symbols or 1 hex to select key from memory"); PrintAndLog(" c : If 'c' is specified, the key set is assumed to be the credit key\n"); PrintAndLog(" e : If 'e' is specified, elite computations applied to key"); + PrintAndLog(" r : If 'r' is specified, no computations applied to key"); PrintAndLog("Samples:"); PrintAndLog(" hf iclass clone f iclass_tagdump-121345.bin b 06 l 1A k 1122334455667788 e"); PrintAndLog(" hf iclass clone f iclass_tagdump-121345.bin b 05 l 19 k 0"); @@ -917,7 +939,7 @@ int usage_hf_iclass_clone(void) { } int CmdHFiClassCloneTag(const char *Cmd) { - char filename[FILE_PATH_SIZE]; + char filename[FILE_PATH_SIZE] = {0}; char tempStr[50]={0}; uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t keyNbr = 0; @@ -927,6 +949,7 @@ int CmdHFiClassCloneTag(const char *Cmd) { uint8_t dataLen = 0; bool use_credit_key = false; bool elite = false; + bool rawkey = false; bool errors = false; uint8_t cmdp = 0; while(param_getchar(Cmd, cmdp) != 0x00) @@ -970,7 +993,7 @@ int CmdHFiClassCloneTag(const char *Cmd) { errors = param_gethex(tempStr, 0, KEY, dataLen); } else if (dataLen == 1) { keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr <= ICLASS_KEYS_MAX) { + if (keyNbr < ICLASS_KEYS_MAX) { memcpy(KEY, iClass_Key_Table[keyNbr], 8); } else { PrintAndLog("\nERROR: Credit KeyNbr is invalid\n"); @@ -990,6 +1013,11 @@ int CmdHFiClassCloneTag(const char *Cmd) { } cmdp += 2; break; + case 'r': + case 'R': + rawkey = true; + cmdp++; + break; default: PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); errors = true; @@ -1016,6 +1044,7 @@ int CmdHFiClassCloneTag(const char *Cmd) { if (startblock<5) { PrintAndLog("You cannot write key blocks this way. yet... make your start block > 4"); + fclose(f); return 0; } // now read data from the file from block 6 --- 19 @@ -1024,12 +1053,16 @@ int CmdHFiClassCloneTag(const char *Cmd) { // else we have to create a share memory int i; fseek(f,startblock*8,SEEK_SET); - fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f); + if ( fread(tag_data,sizeof(iclass_block_t),endblock - startblock + 1,f) == 0 ) { + PrintAndLog("File reading error."); + fclose(f); + return 2; + } uint8_t MAC[4]={0x00,0x00,0x00,0x00}; uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; - if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, true)) + if (!select_and_auth(KEY, MAC, div_key, use_credit_key, elite, rawkey, true)) return 0; UsbCommand w = {CMD_ICLASS_CLONE,{startblock,endblock}}; @@ -1062,11 +1095,11 @@ int CmdHFiClassCloneTag(const char *Cmd) { return 1; } -static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool verbose) { +static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose) { uint8_t MAC[4]={0x00,0x00,0x00,0x00}; uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; - if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, verbose)) + if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose)) return 0; UsbCommand resp; @@ -1089,12 +1122,13 @@ static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, } int usage_hf_iclass_readblock(void) { - PrintAndLog("Usage: hf iclass readblk b k c e\n"); + PrintAndLog("Usage: hf iclass readblk b k c e|r\n"); PrintAndLog("Options:"); PrintAndLog(" b : The block number as 2 hex symbols"); PrintAndLog(" k : Access Key as 16 hex symbols or 1 hex to select key from memory"); PrintAndLog(" c : If 'c' is specified, the key set is assumed to be the credit key\n"); PrintAndLog(" e : If 'e' is specified, elite computations applied to key"); + PrintAndLog(" r : If 'r' is specified, no computations applied to key"); PrintAndLog("Samples:"); PrintAndLog(" hf iclass readblk b 06 k 0011223344556677"); PrintAndLog(" hf iclass readblk b 1B k 0011223344556677 c"); @@ -1110,6 +1144,7 @@ int CmdHFiClass_ReadBlock(const char *Cmd) { uint8_t dataLen = 0; char tempStr[50] = {0}; bool elite = false; + bool rawkey = false; bool errors = false; uint8_t cmdp = 0; while(param_getchar(Cmd, cmdp) != 0x00) @@ -1144,7 +1179,7 @@ int CmdHFiClass_ReadBlock(const char *Cmd) { errors = param_gethex(tempStr, 0, KEY, dataLen); } else if (dataLen == 1) { keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr <= ICLASS_KEYS_MAX) { + if (keyNbr < ICLASS_KEYS_MAX) { memcpy(KEY, iClass_Key_Table[keyNbr], 8); } else { PrintAndLog("\nERROR: Credit KeyNbr is invalid\n"); @@ -1156,6 +1191,11 @@ int CmdHFiClass_ReadBlock(const char *Cmd) { } cmdp += 2; break; + case 'r': + case 'R': + rawkey = true; + cmdp++; + break; default: PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); errors = true; @@ -1166,7 +1206,7 @@ int CmdHFiClass_ReadBlock(const char *Cmd) { if (cmdp < 4) return usage_hf_iclass_readblock(); - return ReadBlock(KEY, blockno, keyType, elite, true); + return ReadBlock(KEY, blockno, keyType, elite, rawkey, true); } int CmdHFiClass_loclass(const char *Cmd) { @@ -1180,7 +1220,7 @@ int CmdHFiClass_loclass(const char *Cmd) { PrintAndLog("f Bruteforce iclass dumpfile"); PrintAndLog(" An iclass dumpfile is assumed to consist of an arbitrary number of"); PrintAndLog(" malicious CSNs, and their protocol responses"); - PrintAndLog(" The the binary format of the file is expected to be as follows: "); + PrintAndLog(" The binary format of the file is expected to be as follows: "); PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>"); PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>"); PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>"); @@ -1215,7 +1255,6 @@ int CmdHFiClass_loclass(const char *Cmd) { } void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize) { - uint8_t blockdata[8]; uint8_t mem_config; memcpy(&mem_config, iclass_dump + 13,1); uint8_t maxmemcount; @@ -1230,18 +1269,19 @@ void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t e startblock = 6; if ((endblock > maxmemcount) || (endblock == 0)) endblock = maxmemcount; - if (endblock > filemaxblock) + + // remember endblock need to relate to zero-index arrays. + if (endblock > filemaxblock-1) endblock = filemaxblock; + int i = startblock; - int j; - while (i <= endblock){ - printf("Block |%02X| ",i); - memcpy(blockdata,iclass_dump + (i * 8),8); - for (j = 0;j < 8;j++) - printf("%02X ",blockdata[j]); - printf("|\n"); + printf("------+--+-------------------------+\n"); + while (i <= endblock) { + uint8_t *blk = iclass_dump + (i * 8); + printf("Block |%02X| %s|\n", i, sprint_hex(blk, 8) ); i++; } + printf("------+--+-------------------------+\n"); } int usage_hf_iclass_readtagfile() { @@ -1276,13 +1316,19 @@ int CmdHFiClassReadTagFile(const char *Cmd) { long fsize = ftell(f); fseek(f, 0, SEEK_SET); - uint8_t *dump = malloc(fsize); + if ( fsize < 0 ) { + PrintAndLog("Error, when getting filesize"); + fclose(f); + return 1; + } + uint8_t *dump = malloc(fsize); size_t bytes_read = fread(dump, 1, fsize, f); fclose(f); uint8_t *csn = dump; - printf("CSN [00] | %02X %02X %02X %02X %02X %02X %02X %02X |\n",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); + printf("------+--+-------------------------+\n"); + printf("CSN |00| %s|\n", sprint_hex(csn, 8) ); // printIclassDumpInfo(dump); printIclassDumpContents(dump,startblock,endblock,bytes_read); free(dump); @@ -1303,7 +1349,7 @@ uint64_t hexarray_to_uint64(uint8_t *key) { for (int i = 0;i < 8;i++) sprintf(&temp[(i *2)],"%02X",key[i]); temp[16] = '\0'; - if (sscanf(temp,"%016"llX,&uint_key) < 1) + if (sscanf(temp,"%016" SCNx64,&uint_key) < 1) return 0; return uint_key; } @@ -1402,7 +1448,7 @@ int CmdHFiClassCalcNewKey(const char *Cmd) { errors = param_gethex(tempStr, 0, NEWKEY, dataLen); } else if (dataLen == 1) { keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr <= ICLASS_KEYS_MAX) { + if (keyNbr < ICLASS_KEYS_MAX) { memcpy(NEWKEY, iClass_Key_Table[keyNbr], 8); } else { PrintAndLog("\nERROR: NewKey Nbr is invalid\n"); @@ -1421,7 +1467,7 @@ int CmdHFiClassCalcNewKey(const char *Cmd) { errors = param_gethex(tempStr, 0, OLDKEY, dataLen); } else if (dataLen == 1) { keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr <= ICLASS_KEYS_MAX) { + if (keyNbr < ICLASS_KEYS_MAX) { memcpy(OLDKEY, iClass_Key_Table[keyNbr], 8); } else { PrintAndLog("\nERROR: Credit KeyNbr is invalid\n"); @@ -1469,6 +1515,12 @@ static int loadKeys(char *filename) { long fsize = ftell(f); fseek(f, 0, SEEK_SET); + if ( fsize < 0 ) { + PrintAndLog("Error, when getting filesize"); + fclose(f); + return 1; + } + uint8_t *dump = malloc(fsize); size_t bytes_read = fread(dump, 1, fsize, f); @@ -1561,8 +1613,8 @@ int CmdHFiClassManageKeys(const char *Cmd) { case 'n': case 'N': keyNbr = param_get8(Cmd, cmdp+1); - if (keyNbr < 0) { - PrintAndLog("Wrong block number"); + if (keyNbr >= ICLASS_KEYS_MAX) { + PrintAndLog("Invalid block number"); errors = true; } cmdp += 2;