]> cvs.zerfleddert.de Git - proxmark3-svn/commitdiff
Added work with "magic Chinese" card (card from: ouyangweidaxian@live.cn) with wipe...
authorMerlokbr@gmail.com <Merlokbr@gmail.com@ef4ab9da-24cd-11de-8aaa-f3a34680c41f>
Thu, 5 Jul 2012 07:31:56 +0000 (07:31 +0000)
committerMerlokbr@gmail.com <Merlokbr@gmail.com@ef4ab9da-24cd-11de-8aaa-f3a34680c41f>
Thu, 5 Jul 2012 07:31:56 +0000 (07:31 +0000)
armsrc/appmain.c
armsrc/apps.h
armsrc/mifarecmd.c
armsrc/mifareutil.c
client/cmdhfmf.c
client/mifarehost.c
client/mifarehost.h
include/usb_cmd.h

index 63b8383f1d6886f27ec6b7ffb3b2df11e9d9035a..820a03782c883138e574ae262acade14aa5dc4b6 100644 (file)
@@ -753,6 +753,11 @@ void UsbPacketReceived(uint8_t *packet, int len)
                case CMD_MIFARE_EML_CARDLOAD:
                        MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
                        break;
+                       
+               // Work with "magic Chinese" card
+               case CMD_MIFARE_EML_CSETBLOCK:
+                       MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+                       break;
 #endif
 
 #ifdef WITH_ICLASS
index ac49ccad06c3b5b735035ec332ab54dc89deb254..3723357e918b549fe134b9bac1f416f59e3e4346 100644 (file)
@@ -149,6 +149,7 @@ void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
+void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);  // Work with "magic Chinese" card
 
 /// iso15693.h
 void RecordRawAdcSamplesIso15693(void);
index b2b38edf91f87cf1c294c28f62507ee873059da0..848207309783a82a5e156e1bdc8902c7c8029865 100644 (file)
@@ -726,3 +726,129 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 // \r
 //-----------------------------------------------------------------------------\r
 \r
+\r
+//-----------------------------------------------------------------------------\r
+// Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)\r
+// \r
+//-----------------------------------------------------------------------------\r
+void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+  \r
+  // params\r
+       uint8_t needWipe = arg0;\r
+       uint8_t needGetUID = arg1;\r
+       uint8_t blockNo = arg2;\r
+       \r
+       // card commands\r
+       uint8_t wupC1[]       = { 0x40 }; \r
+       uint8_t wupC2[]       = { 0x43 }; \r
+       uint8_t wipeC[]       = { 0x41 }; \r
+       \r
+       // variables\r
+       byte_t isOK = 0;\r
+       uint8_t uid[8];\r
+       uint8_t d_block[18];\r
+       uint32_t cuid;\r
+       \r
+       memset(uid, 0x00, 8);\r
+       uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+       \r
+       // clear trace\r
+       iso14a_clear_tracelen();\r
+  iso14a_set_tracing(TRUE);\r
+\r
+       iso14443a_setup();\r
+\r
+       LED_A_ON();\r
+       LED_B_OFF();\r
+       LED_C_OFF();\r
+       \r
+       SpinDelay(300);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       SpinDelay(100);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
+\r
+       while (true) {\r
+               // get UID from chip\r
+               if (needGetUID) {\r
+                       if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
+                               break;\r
+                       };\r
+\r
+                       if(mifare_classic_halt(NULL, cuid)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
+                               break;\r
+                       };\r
+               };\r
+       \r
+               // reset chip\r
+               if (needWipe){\r
+                       ReaderTransmitShort(wupC1);\r
+                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
+                               break;\r
+                       };\r
+\r
+                       ReaderTransmit(wipeC, sizeof(wipeC));\r
+                       if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("wipeC error");\r
+                               break;\r
+                       };\r
+\r
+                       if(mifare_classic_halt(NULL, cuid)) {\r
+                               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
+                               break;\r
+                       };\r
+               };      \r
+\r
+               // write UID block\r
+               ReaderTransmitShort(wupC1);\r
+               if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("wupC1 error");\r
+                       break;\r
+               };\r
+\r
+               ReaderTransmit(wupC2, sizeof(wupC2));\r
+               if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("wupC2 error");\r
+                       break;\r
+               };\r
+\r
+               if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("write block send command error");\r
+                       break;\r
+               };\r
+       \r
+               memcpy(d_block, datain, 16);\r
+               AppendCrc14443a(d_block, 16);\r
+       \r
+               ReaderTransmit(d_block, sizeof(d_block));\r
+               if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("write block send data error");\r
+                       break;\r
+               };      \r
+       \r
+               if(mifare_classic_halt(NULL, cuid)) {\r
+                       if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
+                       break;\r
+               };\r
+               \r
+               isOK = 1;\r
+               break;\r
+       }\r
+       \r
+       UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};\r
+       if (isOK) memcpy(ack.d.asBytes, uid, 4);\r
+       \r
+       // add trace trailer\r
+       memset(uid, 0x44, 4);\r
+       LogTrace(uid, 4, 0, 0, TRUE);\r
+\r
+       LED_B_ON();\r
+       UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+       LED_B_OFF();\r
+\r
+  // Thats it...\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
index a88f21bca154916e31989bfdece0a8527c5665c8..c20a387a8f99f58087beda0b5b0becb6a72c2881 100644 (file)
@@ -311,7 +311,7 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
        // Mifare HALT\r
        uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
 \r
-       len = mifare_sendcmd_short(pcs, 1, 0x50, 0x00, receivedAnswer);\r
+       len = mifare_sendcmd_short(pcs, pcs == NULL ? 0:1, 0x50, 0x00, receivedAnswer);\r
        if (len != 0) {\r
                if (MF_DBGLEVEL >= 1)   Dbprintf("halt error. response len: %x", len);  \r
                return 1;\r
index 081d197c1ffe7027ab6798f61c1ed4080d3caa8b..9928cb1b899de4f42ff1e7a8e210d78b87eb3e49 100644 (file)
@@ -1218,6 +1218,51 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
        return 0;\r
 }\r
 \r
+int CmdHF14AMfCSetUID(const char *Cmd)\r
+{\r
+       uint8_t wipeCard = 0;\r
+       uint8_t uid[8];\r
+       uint8_t oldUid[8];\r
+       int res;\r
+\r
+       if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
+               PrintAndLog("Usage:  hf mf csetuid <UID 8 hex symbols> <w>");\r
+               PrintAndLog("sample:  hf mf csetuid 01020304 w");\r
+               PrintAndLog("Set UID for magic Chinese card (only works with!!!)");\r
+               PrintAndLog("If you want wipe card then add 'w' into command line. \n");\r
+               return 0;\r
+       }       \r
+\r
+       if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {\r
+               PrintAndLog("UID must include 8 HEX symbols");\r
+               return 1;\r
+       }\r
+\r
+       char ctmp = param_getchar(Cmd, 1);\r
+       if (ctmp == 'w' || ctmp == 'W') wipeCard = 1;\r
+       \r
+       PrintAndLog("--wipe card:%02x uid:%s", wipeCard, sprint_hex(uid, 4));\r
+\r
+       res = mfCSetUID(uid, oldUid, wipeCard);\r
+       if (res) {\r
+                       PrintAndLog("Can't set UID. error=%d", res);\r
+                       return 1;\r
+               }\r
+       \r
+       PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));\r
+       return 0;\r
+}\r
+\r
+int CmdHF14AMfCSetBlk(const char *Cmd)\r
+{\r
+       return 0;\r
+}\r
+\r
+int CmdHF14AMfCLoad(const char *Cmd)\r
+{\r
+       return 0;\r
+}\r
+\r
 static command_t CommandTable[] =\r
 {\r
   {"help",             CmdHelp,                                1, "This help"},\r
@@ -1238,6 +1283,9 @@ static command_t CommandTable[] =
   {"esave",            CmdHF14AMfESave,                0, "Save to file emul dump"},\r
   {"ecfill",   CmdHF14AMfECFill,               0, "Fill simulator memory with help of keys from simulator"},\r
   {"ekeyprn",  CmdHF14AMfEKeyPrn,      0, "Print keys from simulator memory"},\r
+  {"csetuid",  CmdHF14AMfCSetUID,      0, "Set UID for magic Chinese card"},\r
+  {"csetblk",  CmdHF14AMfCSetBlk,      0, "(n/a)Write block into magic Chinese card"},\r
+  {"cload",            CmdHF14AMfCLoad,                0, "(n/a)Load dump into magic Chinese card"},\r
   {NULL, NULL, 0, NULL}\r
 };\r
 \r
index 394d2471ec7c0fba5be74aaea494bb297a68839a..529c248d9604a9c9d8fcee815aab7e17f476d564 100644 (file)
@@ -216,3 +216,27 @@ int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
        return 0;\r
 }\r
 \r
+int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe) {\r
+       uint8_t isOK = 0;\r
+       uint8_t block0[16];\r
+       memset(block0, 0, 16);\r
+       memcpy(block0, uid, 4); \r
+       block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // Mifare UID BCC\r
+\r
+  UsbCommand c = {CMD_MIFARE_EML_CSETBLOCK, {wantWipe, 1, 0}};\r
+       memcpy(c.d.asBytes, block0, 16); \r
+  SendCommand(&c);\r
+\r
+       UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);\r
+\r
+       if (resp != NULL) {\r
+               isOK  = resp->arg[0] & 0xff;\r
+               PrintAndLog("isOk:%02x", isOK);\r
+               memcpy(oldUID, resp->d.asBytes, 4); \r
+               if (!isOK) return 2;\r
+       } else {\r
+               PrintAndLog("Command execute timeout");\r
+               return 1;\r
+       }\r
+       return 0;\r
+}\r
index fe506f9b1228e5f31ad23b1d52c494a8f9dd14bc..e5d7c84a6388a1f48a21ff87a3fdb6e1cfad2716 100644 (file)
@@ -44,4 +44,5 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
 int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key);\r
 int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount);\r
 int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount);\r
+int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe);\r
 \r
index 7d7093b5cd434223cebe5d5f5bc205abf768fc6e..a0c6d8a8d6bcc97ec21f55c5eebde3df7b04e28e 100644 (file)
@@ -114,6 +114,7 @@ typedef struct {
 #define CMD_MIFARE_EML_MEMSET                                          0x0602
 #define CMD_MIFARE_EML_MEMGET                                          0x0603
 #define CMD_MIFARE_EML_CARDLOAD                                        0x0604
+#define CMD_MIFARE_EML_CSETBLOCK                               0x0605
 
 #define CMD_SIMULATE_MIFARE_CARD                               0x0610
 
Impressum, Datenschutz