From: pwpiwi <pwpiwi@users.noreply.github.com>
Date: Wed, 4 Dec 2019 17:34:53 +0000 (+0100)
Subject: fix 'hf iclass replay' (#888)
X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/28ae37b74612436cc2e5fee4dbcc3e42cc9aaf03?hp=00848e096b408a43786ea283d4e77d32189994b9
fix 'hf iclass replay' (#888)
* implement option -n for authentication with replayed NR/MAC pairs in 'dump' and 'readbl'
* delete 'hf iclass replay'
---
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 589f394d..cb8fd291 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1315,9 +1315,6 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_READER_ICLASS:
ReaderIClass(c->arg[0]);
break;
- case CMD_READER_ICLASS_REPLAY:
- ReaderIClass_Replay(c->arg[0], c->d.asBytes);
- break;
case CMD_ICLASS_EML_MEMSET:
emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
break;
diff --git a/armsrc/iclass.c b/armsrc/iclass.c
index 6a2fd648..9f5bc7ce 100644
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@ -3,6 +3,7 @@
// Hagen Fritsch - June 2010
// Gerhard de Koning Gans - May 2011
// Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
+// piwi - 2019
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
@@ -10,31 +11,10 @@
//-----------------------------------------------------------------------------
// Routines to support iClass.
//-----------------------------------------------------------------------------
-// Based on ISO14443a implementation. Still in experimental phase.
// Contribution made during a security research at Radboud University Nijmegen
//
// Please feel free to contribute and extend iClass support!!
//-----------------------------------------------------------------------------
-//
-// FIX:
-// ====
-// We still have sometimes a demodulation error when snooping iClass communication.
-// The resulting trace of a read-block-03 command may look something like this:
-//
-// + 22279: : 0c 03 e8 01
-//
-// ...with an incorrect answer...
-//
-// + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
-//
-// We still left the error signalling bytes in the traces like 0xbb
-//
-// A correct trace should look like this:
-//
-// + 21112: : 0c 03 e8 01
-// + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
-//
-//-----------------------------------------------------------------------------
#include "iclass.h"
@@ -676,6 +656,7 @@ static bool sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint
return false;//Error
}
+
/**
* @brief Selects an iclass tag
* @param card_data where the CSN is stored for return
@@ -795,164 +776,10 @@ void ReaderIClass(uint8_t flags) {
}
-void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
-
- LED_A_ON();
-
- bool use_credit_key = false;
- uint8_t card_data[USB_CMD_DATA_SIZE]={0};
- uint16_t block_crc_LUT[255] = {0};
-
- //Generate a lookup table for block crc
- for (int block = 0; block < 255; block++){
- char bl = block;
- block_crc_LUT[block] = iclass_crc16(&bl ,1);
- }
- //Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]);
-
- uint8_t readcheck_cc[] = { ICLASS_CMD_READCHECK_KD, 0x02 };
- if (use_credit_key)
- readcheck_cc[0] = ICLASS_CMD_READCHECK_KC;
- uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
-
- uint16_t crc = 0;
- uint8_t cardsize = 0;
- uint8_t mem = 0;
-
- static struct memory_t {
- int k16;
- int book;
- int k2;
- int lockauth;
- int keyaccess;
- } memory;
-
- uint8_t resp[ICLASS_BUFFER_SIZE];
-
- set_tracing(true);
- clear_trace();
- Iso15693InitReader();
-
- StartCountSspClk();
- uint32_t start_time = 0;
- uint32_t eof_time = 0;
-
- while (!BUTTON_PRESS()) {
-
- WDT_HIT();
-
- if (!get_tracing()) {
- DbpString("Trace full");
- break;
- }
-
- if (!selectIclassTag(card_data, &eof_time)) continue;
-
- start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
- if (!sendCmdGetResponseWithRetries(readcheck_cc, sizeof(readcheck_cc), resp, sizeof(resp), 8, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) continue;
-
- // replay captured auth (cc must not have been updated)
- memcpy(check+5, MAC, 4);
-
- start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
- if (!sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 5, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
- Dbprintf("Error: Authentication Fail!");
- continue;
- }
-
- //first get configuration block (block 1)
- crc = block_crc_LUT[1];
- read[1] = 1;
- read[2] = crc >> 8;
- read[3] = crc & 0xff;
-
- start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
- if (!sendCmdGetResponseWithRetries(read, sizeof(read), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
- start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
- Dbprintf("Dump config (block 1) failed");
- continue;
- }
-
- mem = resp[5];
- memory.k16 = (mem & 0x80);
- memory.book = (mem & 0x20);
- memory.k2 = (mem & 0x8);
- memory.lockauth = (mem & 0x2);
- memory.keyaccess = (mem & 0x1);
-
- cardsize = memory.k16 ? 255 : 32;
- WDT_HIT();
- //Set card_data to all zeroes, we'll fill it with data
- memset(card_data, 0x0, USB_CMD_DATA_SIZE);
- uint8_t failedRead = 0;
- uint32_t stored_data_length = 0;
- //then loop around remaining blocks
- for (int block = 0; block < cardsize; block++) {
- read[1] = block;
- crc = block_crc_LUT[block];
- read[2] = crc >> 8;
- read[3] = crc & 0xff;
-
- start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
- if (sendCmdGetResponseWithRetries(read, sizeof(read), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
- Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
- block, resp[0], resp[1], resp[2],
- resp[3], resp[4], resp[5],
- resp[6], resp[7]);
-
- //Fill up the buffer
- memcpy(card_data+stored_data_length, resp, 8);
- stored_data_length += 8;
- if (stored_data_length +8 > USB_CMD_DATA_SIZE) {
- //Time to send this off and start afresh
- cmd_send(CMD_ACK,
- stored_data_length,//data length
- failedRead,//Failed blocks?
- 0,//Not used ATM
- card_data, stored_data_length);
- //reset
- stored_data_length = 0;
- failedRead = 0;
- }
-
- } else {
- failedRead = 1;
- stored_data_length += 8;//Otherwise, data becomes misaligned
- Dbprintf("Failed to dump block %d", block);
- }
- }
-
- //Send off any remaining data
- if (stored_data_length > 0) {
- cmd_send(CMD_ACK,
- stored_data_length,//data length
- failedRead,//Failed blocks?
- 0,//Not used ATM
- card_data,
- stored_data_length);
- }
- //If we got here, let's break
- break;
- }
- //Signal end of transmission
- cmd_send(CMD_ACK,
- 0,//data length
- 0,//Failed blocks?
- 0,//Not used ATM
- card_data,
- 0);
-
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
- LED_D_OFF();
- LED_A_OFF();
-}
-
-
-void iClass_Check(uint8_t *MAC) {
+void iClass_Check(uint8_t *NRMAC) {
uint8_t check[9] = {ICLASS_CMD_CHECK_KD, 0x00};
uint8_t resp[4];
- memcpy(check+5, MAC, 4);
+ memcpy(check+1, NRMAC, 8);
uint32_t eof_time;
bool isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 6, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
cmd_send(CMD_ACK, isOK, 0, 0, resp, sizeof(resp));
@@ -973,7 +800,7 @@ void iClass_Readcheck(uint8_t block, bool use_credit_key) {
static bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) {
uint8_t readcmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockNo, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
- char bl = blockNo;
+ uint8_t bl = blockNo;
uint16_t rdCrc = iclass_crc16(&bl, 1);
readcmd[2] = rdCrc >> 8;
readcmd[3] = rdCrc & 0xff;
@@ -991,7 +818,7 @@ void iClass_ReadBlk(uint8_t blockno) {
LED_A_ON();
- uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
+ uint8_t readblockdata[10];
bool isOK = iClass_ReadBlock(blockno, readblockdata);
cmd_send(CMD_ACK, isOK, 0, 0, readblockdata, 8);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c
index b59c0bdc..3b9fccdc 100644
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@@ -2,6 +2,7 @@
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
// Copyright (C) 2011 Gerhard de Koning Gans
// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
+// Copyright (C) 2019 piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
@@ -404,29 +405,6 @@ static int CmdHFiClassReader(const char *Cmd) {
}
-static int CmdHFiClassReader_Replay(const char *Cmd) {
- uint8_t readerType = 0;
- uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
-
- if (strlen(Cmd)<1) {
- PrintAndLog("Usage: hf iclass replay <MAC>");
- PrintAndLog(" sample: hf iclass replay 00112233");
- return 0;
- }
-
- if (param_gethex(Cmd, 0, MAC, 8)) {
- PrintAndLog("MAC must include 8 HEX symbols");
- return 1;
- }
-
- UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
- memcpy(c.d.asBytes, MAC, 4);
- SendCommand(&c);
-
- return 0;
-}
-
-
static void usage_hf_iclass_eload(void) {
PrintAndLog("Loads iclass tag-dump into emulator memory on device");
PrintAndLog("Usage: hf iclass eload f <filename>");
@@ -710,15 +688,24 @@ static void HFiClassCalcDivKey(uint8_t *CSN, uint8_t *KEY, uint8_t *div_key, boo
}
-static bool iClass_authenticate(uint8_t *CSN, uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
+static bool iClass_authenticate(uint8_t *CSN, uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool use_credit_key, bool elite, bool rawkey, bool replay, bool verbose) {
//get div_key
- if (rawkey)
+ if (rawkey || replay)
memcpy(div_key, KEY, 8);
else
HFiClassCalcDivKey(CSN, KEY, div_key, elite);
- if (verbose) PrintAndLog("Authenticating with %s: %s", rawkey ? "raw key" : "diversified key", sprint_hex(div_key, 8));
+ char keytypetext[23] = "legacy diversified key";
+ if (rawkey) {
+ strcpy(keytypetext, "raw key");
+ } else if (replay) {
+ strcpy(keytypetext, "replayed NR/MAC");
+ } else if (elite) {
+ strcpy(keytypetext, "Elite diversified key");
+ }
+
+ if (verbose) PrintAndLog("Authenticating with %s: %s", keytypetext, sprint_hex(div_key, 8));
UsbCommand resp;
UsbCommand d = {CMD_ICLASS_READCHECK, {2, use_credit_key, 0}};
@@ -736,14 +723,22 @@ static bool iClass_authenticate(uint8_t *CSN, uint8_t *KEY, uint8_t *MAC, uint8_
return false;
}
- uint8_t CCNR[12];
- memcpy(CCNR, resp.d.asBytes, 8);
- memset(CCNR+8, 0x00, 4); // NR = {0, 0, 0, 0}
-
- doMAC(CCNR, div_key, MAC);
+ if (replay) {
+ memcpy(MAC, KEY+4, 4);
+ } else {
+ uint8_t CCNR[12];
+ memcpy(CCNR, resp.d.asBytes, 8);
+ memset(CCNR+8, 0x00, 4); // default NR = {0, 0, 0, 0}
+ doMAC(CCNR, div_key, MAC);
+ }
d.cmd = CMD_ICLASS_CHECK;
- memcpy(d.d.asBytes, MAC, 4);
+ if (replay) {
+ memcpy(d.d.asBytes, KEY, 8);
+ } else {
+ memset(d.d.asBytes, 0x00, 4); // default NR = {0, 0, 0, 0}
+ memcpy(d.d.asBytes+4, MAC, 4);
+ }
clearCommandBuffer();
SendCommand(&d);
if (!WaitForResponseTimeout(CMD_ACK, &resp, 4500)) {
@@ -760,15 +755,16 @@ static bool iClass_authenticate(uint8_t *CSN, uint8_t *KEY, uint8_t *MAC, uint8_
static void usage_hf_iclass_dump(void) {
- PrintAndLog("Usage: hf iclass dump f <fileName> k <Key> c <CreditKey> e|r\n");
+ PrintAndLog("Usage: hf iclass dump f <fileName> k <Key> c <CreditKey> e|r|n\n");
PrintAndLog("Options:");
PrintAndLog(" f <filename> : specify a filename to save dump to");
- PrintAndLog(" k <Key> : *Access Key as 16 hex symbols or 1 hex to select key from memory");
- PrintAndLog(" c <CreditKey>: Credit Key as 16 hex symbols or 1 hex to select key from memory");
- PrintAndLog(" e : If 'e' is specified, the key is interpreted as the 16 byte");
- PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack");
+ PrintAndLog(" k <Key> : *Debit Key (AA1) as 16 hex symbols (8 bytes) or 1 hex to select key from memory");
+ PrintAndLog(" c <CreditKey>: Credit Key (AA2) as 16 hex symbols (8 bytes) or 1 hex to select key from memory");
+ PrintAndLog(" e : If 'e' is specified, the keys are interpreted as Elite");
+ PrintAndLog(" Custom Keys (KCus), which can be obtained via reader-attack");
PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format");
- PrintAndLog(" r : If 'r' is specified, the key is interpreted as raw block 3/4");
+ PrintAndLog(" r : If 'r' is specified, keys are interpreted as raw blocks 3/4");
+ PrintAndLog(" n : If 'n' is specified, keys are interpreted as NR/MAC pairs which can be obtained by 'hf iclass snoop'");
PrintAndLog(" NOTE: * = required");
PrintAndLog("Samples:");
PrintAndLog(" hf iclass dump k 001122334455667B");
@@ -830,6 +826,7 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
bool use_credit_key = false;
bool elite = false;
bool rawkey = false;
+ bool NRMAC_replay = false;
bool errors = false;
bool verbose = false;
uint8_t cmdp = 0;
@@ -899,6 +896,11 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
rawkey = true;
cmdp++;
break;
+ case 'n':
+ case 'N':
+ NRMAC_replay = true;
+ cmdp++;
+ break;
case 'v':
case 'V':
verbose = true;
@@ -911,6 +913,11 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
}
}
+ if (elite + rawkey + NRMAC_replay > 1) {
+ PrintAndLog("You cannot combine the 'e', 'r', and 'n' options\n");
+ errors = true;
+ }
+
if (errors || cmdp < 2) {
usage_hf_iclass_dump();
return 0;
@@ -951,8 +958,8 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
if (AA1_maxBlk > maxBlk) AA1_maxBlk = maxBlk;
}
- // authenticate debit key (or credit key if we have no debit key) and get div_key - later store in dump block 3
- if (!iClass_authenticate(tag_data, KEY, MAC, div_key, use_credit_key, elite, rawkey, verbose)){
+ // authenticate with debit key (or credit key if we have no debit key) and get div_key - later store in dump block 3
+ if (!iClass_authenticate(tag_data, KEY, MAC, div_key, use_credit_key, elite, rawkey, NRMAC_replay, verbose)){
DropField();
return 0;
}
@@ -987,7 +994,7 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
DropField();
// AA2 authenticate credit key and git c_div_key - later store in dump block 4
uint8_t CSN[8];
- if (!iClass_select(CSN, verbose, false, true) || !iClass_authenticate(CSN, CreditKEY, MAC, c_div_key, true, false, false, verbose)){
+ if (!iClass_select(CSN, verbose, false, true) || !iClass_authenticate(CSN, CreditKEY, MAC, c_div_key, true, false, false, NRMAC_replay, verbose)){
DropField();
return 0;
}
@@ -1045,13 +1052,13 @@ static int CmdHFiClassReader_Dump(const char *Cmd) {
}
-static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool verbose) {
+static int WriteBlock(uint8_t blockno, uint8_t *bldata, uint8_t *KEY, bool use_credit_key, bool elite, bool rawkey, bool NRMAC_replay, bool verbose) {
uint8_t MAC[4] = {0x00,0x00,0x00,0x00};
uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t CSN[8];
- if (!iClass_select(CSN, verbose, true, true) || !iClass_authenticate(CSN, KEY, MAC, div_key, use_credit_key, elite, rawkey, verbose)) {
+ if (!iClass_select(CSN, verbose, true, true) || !iClass_authenticate(CSN, KEY, MAC, div_key, use_credit_key, elite, rawkey, NRMAC_replay, verbose)) {
DropField();
return 0;
}
@@ -1107,13 +1114,12 @@ static int CmdHFiClass_WriteBlock(const char *Cmd) {
char tempStr[50] = {0};
bool use_credit_key = false;
bool elite = false;
- bool rawkey= false;
+ bool rawkey = false;
bool errors = false;
uint8_t cmdp = 0;
- while(param_getchar(Cmd, cmdp) != 0x00)
- {
- switch(param_getchar(Cmd, cmdp))
- {
+
+ while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+ switch(param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
usage_hf_iclass_writeblock();
@@ -1179,11 +1185,16 @@ static int CmdHFiClass_WriteBlock(const char *Cmd) {
}
}
+ if (elite && rawkey) {
+ PrintAndLog("You cannot combine the 'e' and 'r' options\n");
+ errors = true;
+ }
+
if (cmdp < 6) {
usage_hf_iclass_writeblock();
return 0;
}
- int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, true);
+ int ans = WriteBlock(blockno, bldata, KEY, use_credit_key, elite, rawkey, false, true);
DropField();
return ans;
}
@@ -1220,10 +1231,9 @@ static int CmdHFiClassCloneTag(const char *Cmd) {
bool rawkey = false;
bool errors = false;
uint8_t cmdp = 0;
- while(param_getchar(Cmd, cmdp) != 0x00)
- {
- switch(param_getchar(Cmd, cmdp))
- {
+
+ while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+ switch(param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
usage_hf_iclass_clone();
@@ -1338,7 +1348,7 @@ static int CmdHFiClassCloneTag(const char *Cmd) {
uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t CSN[8];
- if (!iClass_select(CSN, true, false, false) || !iClass_authenticate(CSN, KEY, MAC, div_key, use_credit_key, elite, rawkey, true)) {
+ if (!iClass_select(CSN, true, false, false) || !iClass_authenticate(CSN, KEY, MAC, div_key, use_credit_key, elite, rawkey, false, true)) {
DropField();
return 0;
}
@@ -1376,7 +1386,7 @@ static int CmdHFiClassCloneTag(const char *Cmd) {
}
-static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose, bool auth) {
+static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool NRMAC_replay, bool verbose, bool auth) {
uint8_t MAC[4]={0x00,0x00,0x00,0x00};
uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
@@ -1388,7 +1398,7 @@ static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite,
}
if (auth) {
- if (!iClass_authenticate(CSN, KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose)) {
+ if (!iClass_authenticate(CSN, KEY, MAC, div_key, (keyType==0x18), elite, rawkey, NRMAC_replay, verbose)) {
DropField();
return 0;
}
@@ -1418,13 +1428,14 @@ static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite,
static void usage_hf_iclass_readblock(void) {
- PrintAndLog("Usage: hf iclass readblk b <Block> k <Key> [c] [e|r]\n");
+ PrintAndLog("Usage: hf iclass readblk b <Block> k <Key> [c] [e|r|n]\n");
PrintAndLog("Options:");
PrintAndLog(" b <Block> : The block number as 2 hex symbols");
PrintAndLog(" k <Key> : Access Key as 16 hex symbols or 1 hex to select key from memory");
PrintAndLog(" c : If 'c' is specified, the key set is assumed to be the credit key\n");
PrintAndLog(" e : If 'e' is specified, elite computations applied to key");
PrintAndLog(" r : If 'r' is specified, no computations applied to key");
+ PrintAndLog(" n : If 'n' is specified, <Key> specifies a NR/MAC pair which can be obtained by 'hf iclass snoop'");
PrintAndLog("Samples:");
PrintAndLog(" hf iclass readblk b 06 k 0011223344556677");
PrintAndLog(" hf iclass readblk b 1B k 0011223344556677 c");
@@ -1441,10 +1452,12 @@ static int CmdHFiClass_ReadBlock(const char *Cmd) {
char tempStr[50] = {0};
bool elite = false;
bool rawkey = false;
+ bool NRMAC_replay = false;
bool errors = false;
bool auth = false;
uint8_t cmdp = 0;
- while (param_getchar(Cmd, cmdp) != 0x00) {
+
+ while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
@@ -1493,15 +1506,26 @@ static int CmdHFiClass_ReadBlock(const char *Cmd) {
rawkey = true;
cmdp++;
break;
+ case 'n':
+ case 'N':
+ NRMAC_replay = true;
+ cmdp++;
+ break;
default:
PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
break;
}
- if (errors) {
- usage_hf_iclass_readblock();
- return 0;
- }
+ }
+
+ if (elite + rawkey + NRMAC_replay > 1) {
+ PrintAndLog("You cannot combine the 'e', 'r', and 'n' options\n");
+ errors = true;
+ }
+
+ if (errors) {
+ usage_hf_iclass_readblock();
+ return 0;
}
if (cmdp < 2) {
@@ -1511,7 +1535,7 @@ static int CmdHFiClass_ReadBlock(const char *Cmd) {
if (!auth)
PrintAndLog("warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.");
- return ReadBlock(KEY, blockno, keyType, elite, rawkey, true, auth);
+ return ReadBlock(KEY, blockno, keyType, elite, rawkey, NRMAC_replay, true, auth);
}
@@ -1681,10 +1705,9 @@ static int CmdHFiClassCalcNewKey(const char *Cmd) {
bool elite = false;
bool errors = false;
uint8_t cmdp = 0;
- while(param_getchar(Cmd, cmdp) != 0x00)
- {
- switch(param_getchar(Cmd, cmdp))
- {
+
+ while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+ switch(param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
usage_hf_iclass_calc_newkey();
@@ -1865,10 +1888,8 @@ static int CmdHFiClassManageKeys(const char *Cmd) {
char tempStr[20];
uint8_t cmdp = 0;
- while(param_getchar(Cmd, cmdp) != 0x00)
- {
- switch(param_getchar(Cmd, cmdp))
- {
+ while(param_getchar(Cmd, cmdp) != 0x00) {
+ switch(param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
usage_hf_iclass_managekeys();
@@ -1928,11 +1949,13 @@ static int CmdHFiClassManageKeys(const char *Cmd) {
return 0;
}
}
+
if (operation == 0){
PrintAndLog("no operation specified (load, save, or print)\n");
usage_hf_iclass_managekeys();
return 0;
}
+
if (operation > 6){
PrintAndLog("Too many operations specified\n");
usage_hf_iclass_managekeys();
@@ -2006,6 +2029,7 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
break;
}
}
+
if (errors) {
usage_hf_iclass_chk();
return 0;
@@ -2071,7 +2095,7 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
memcpy(key, keyBlock + 8 * c , 8);
// debit key
- if (!iClass_authenticate(CSN, key, mac, div_key, false, use_elite, use_raw, false))
+ if (!iClass_authenticate(CSN, key, mac, div_key, false, use_elite, use_raw, false, false))
continue;
// key found.
@@ -2080,7 +2104,7 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
found_debit = true;
// credit key
- if (!iClass_authenticate(CSN, key, mac, div_key, true, use_elite, use_raw, false))
+ if (!iClass_authenticate(CSN, key, mac, div_key, true, use_elite, use_raw, false, false))
continue;
// key found
@@ -2172,7 +2196,7 @@ static command_t CommandTable[] = {
{"chk", CmdHFiClassCheckKeys, 0, " Check keys"},
{"clone", CmdHFiClassCloneTag, 0, "[options..] Authenticate and Clone from iClass bin file"},
{"decrypt", CmdHFiClassDecrypt, 1, "[f <fname>] Decrypt tagdump" },
- {"dump", CmdHFiClassReader_Dump, 0, "[options..] Authenticate and Dump iClass tag's AA1"},
+ {"dump", CmdHFiClassReader_Dump, 0, "[options..] Authenticate and Dump iClass tag's AA1 and/or AA2"},
{"eload", CmdHFiClassELoad, 0, "[f <fname>] (experimental) Load data into iClass emulator memory"},
{"encryptblk", CmdHFiClassEncryptBlk, 1, "<BlockData> Encrypt given block data"},
{"list", CmdHFiClassList, 0, " (Deprecated) List iClass history"},
@@ -2182,7 +2206,6 @@ static command_t CommandTable[] = {
{"readblk", CmdHFiClass_ReadBlock, 0, "[options..] Authenticate and Read iClass block"},
{"reader", CmdHFiClassReader, 0, " Look for iClass tags until a key or the pm3 button is pressed"},
{"readtagfile", CmdHFiClassReadTagFile, 1, "[options..] Display Content from tagfile"},
- {"replay", CmdHFiClassReader_Replay, 0, "<mac> Read an iClass tag via Reply Attack"},
{"sim", CmdHFiClassSim, 0, "[options..] Simulate iClass tag"},
{"snoop", CmdHFiClassSnoop, 0, " Eavesdrop iClass communication"},
{"writeblk", CmdHFiClass_WriteBlock, 0, "[options..] Authenticate and Write iClass block"},
diff --git a/client/hid-flasher/usb_cmd.h b/client/hid-flasher/usb_cmd.h
index 5b2c1114..01cc69ea 100644
--- a/client/hid-flasher/usb_cmd.h
+++ b/client/hid-flasher/usb_cmd.h
@@ -129,7 +129,6 @@ typedef struct {
#define CMD_SNOOP_ICLASS 0x0392
#define CMD_SIMULATE_TAG_ICLASS 0x0393
#define CMD_READER_ICLASS 0x0394
-#define CMD_READER_ICLASS_REPLAY 0x0395
#define CMD_ICLASS_READBLOCK 0x0396
#define CMD_ICLASS_WRITEBLOCK 0x0397
#define CMD_ICLASS_EML_MEMSET 0x0398
diff --git a/common/iso15693tools.c b/common/iso15693tools.c
index 0769eefb..56b2fdb0 100644
--- a/common/iso15693tools.c
+++ b/common/iso15693tools.c
@@ -70,7 +70,7 @@ char* Iso15693sprintUID(char *target, uint8_t *uid) {
}
-uint16_t iclass_crc16(char *data_p, unsigned short length) {
+uint16_t iclass_crc16(uint8_t *data_p, unsigned short length) {
unsigned char i;
unsigned int data;
uint16_t crc = ISO15693_CRC_PRESET;
@@ -79,7 +79,7 @@ uint16_t iclass_crc16(char *data_p, unsigned short length) {
return (~crc);
do {
- for (i = 0, data = (unsigned int)0xff & *data_p++; i < 8; i++, data >>= 1) {
+ for (i = 0, data = 0xff & *data_p++; i < 8; i++, data >>= 1) {
if ((crc & 0x0001) ^ (data & 0x0001))
crc = (crc >> 1) ^ ISO15693_CRC_POLY;
else crc >>= 1;
diff --git a/common/iso15693tools.h b/common/iso15693tools.h
index b421c23f..9825eb04 100644
--- a/common/iso15693tools.h
+++ b/common/iso15693tools.h
@@ -11,6 +11,6 @@
uint16_t Iso15693Crc(uint8_t *v, int n);
int Iso15693AddCrc(uint8_t *req, int n);
char* Iso15693sprintUID(char *target, uint8_t *uid);
-unsigned short iclass_crc16(char *data_p, unsigned short length);
+unsigned short iclass_crc16(uint8_t *data_p, unsigned short length);
#endif
diff --git a/include/usb_cmd.h b/include/usb_cmd.h
index 0a463b22..c588328c 100644
--- a/include/usb_cmd.h
+++ b/include/usb_cmd.h
@@ -161,7 +161,6 @@ typedef struct{
#define CMD_SNOOP_ICLASS 0x0392
#define CMD_SIMULATE_TAG_ICLASS 0x0393
#define CMD_READER_ICLASS 0x0394
-#define CMD_READER_ICLASS_REPLAY 0x0395
#define CMD_ICLASS_READBLOCK 0x0396
#define CMD_ICLASS_WRITEBLOCK 0x0397
#define CMD_ICLASS_EML_MEMSET 0x0398