RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-20 15:26:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into fix_lf_bps

Browse source 
Signed-off-by: Iceman <iceman@iuse.se>
This commit is contained in:
Iceman 2023-01-29 04:32:57 +01:00 committed by GitHub
parent 7e8ffb46b7 aa8d56cb14
commit 1c9fc565cb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
31 changed files with 1330 additions and 328 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Added new magic gen4 cards command in docs (@McEloff)
- Added `hf tesla info` - intital information command to read TESLA cards (@iceman1001)
- Changed `hf emrtd info` - looking for lower case .bin extensions (@iceman1001)
- Changed `hf emrtd dump` - looking for lower case .bin extensions (@iceman1001)
@ -42,6 +43,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Fixed `trace list -t mf` - now also finds UID if anticollision is partial captured, to be used for mfkey (@iceman1001)
- Fixed `make accessrights` on Fedora (@mooey5775)
- Fixed the lf sampling when bits_per_sample is less than 8 (@wh201906)
- Fixed `hf mfu info` - can now identify the 50 pF version of NTAG 210u(micro) (@mjacksn)
- Added `hf 15` sub-commands for controlling EAS, AFI, privacy mode, and the setting of passwords on SLIX tags (@mjacksn)
## [Radium.4.15864][2022-10-29]
- Changed `lf indala sim` - now accepts fc / cn (@iceman1001)
@ -1364,6 +1367,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Mifare simulation, `hf mf sim` (was broken a long time) (@pwpiwi)
- Major improvements in LF area and data operations. (@marshmellow42, @iceman1001)
- Issues regarding LF simulation (@pwpiwi)
- Issue interpreting NXP "get sys info" command return value for icode tags. (@mjacksn)
### Added
- iClass functionality: full simulation of iclass tags, so tags can be simulated with data (not only CSN). Not yet support for write/update, but readers do not seem to enforce update. (@holiman).

2
Makefile.platform.sample
View file

@ -13,4 +13,4 @@ PLATFORM=PM3RDV4
#export PATH := /usr/lib64/ccache:/usr/lib/ccache:${PATH}
# To install with sudo:
INSTALLSUDO=sudo
INSTALLSUDO=sudo

12
armsrc/Standalone/Makefile.hal
View file

@ -50,12 +50,12 @@ define KNOWN_STANDALONE_DEFINITIONS
| LF_ICEHID | LF HID collector to flashmem |
| (RDV4 only) | |
+----------------------------------------------------------+
| LF_NEXID | LF Nexwatch collector to flashmem |
| (RDV4 only) | |
+----------------------------------------------------------+
| LF_NEDAP_SIM | LF Nedap ID simple simulator |
| | |
+----------------------------------------------------------+
| LF_NEXID | LF Nexwatch collector to flashmem |
| (RDV4 only) | |
+----------------------------------------------------------+
| LF_PROXBRUTE | HID ProxII bruteforce |
| | - Brad Antoniewicz |
+----------------------------------------------------------+
@ -125,8 +125,10 @@ define KNOWN_STANDALONE_DEFINITIONS
endef
STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_PROXBRUTE LF_PROX2BRUTE LF_SAMYRUN LF_THAREXDE LF_NEXID LF_NEDAP_SIM
STANDALONE_MODES += HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_AVEFUL HF_BOG HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_TCPRST HF_TMUDFORD HF_YOUNG HF_REBLAY DANKARMULTI
STANDALONE_MODES := LF_SKELETON
STANDALONE_MODES += LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_NEDAP_SIM LF_NEXID LF_PROXBRUTE LF_PROX2BRUTE LF_SAMYRUN LF_THAREXDE
STANDALONE_MODES += HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_AVEFUL HF_BOG HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_REBLAY HF_TCPRST HF_TMUDFORD HF_YOUNG
STANDALONE_MODES += DANKARMULTI
STANDALONE_MODES_REQ_BT := HF_REBLAY
STANDALONE_MODES_REQ_SMARTCARD :=
STANDALONE_MODES_REQ_FLASH := LF_HIDFCBRUTE LF_ICEHID LF_NEXID LF_THAREXDE HF_BOG HF_COLIN HF_ICECLASS HF_LEGICSIM HF_MFCSIM

136
armsrc/Standalone/Makefile.inc
View file

@ -21,6 +21,42 @@ SRC_STANDALONE = placeholder.c
ifneq (,$(findstring WITH_STANDALONE_LF_SKELETON,$(APP_CFLAGS)))
SRC_STANDALONE = lf_skeleton.c
endif
# WITH_STANDALONE_LF_EM4100EMUL
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100EMUL,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100emul.c
endif
# WITH_STANDALONE_LF_EM4100RSWB
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100RSWB,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100rswb.c
endif
# WITH_STANDALONE_LF_EM4100RSWW
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100RSWW,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100rsww.c
endif
# WITH_STANDALONE_LF_EM4100RWC
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100RWC,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100rwc.c
endif
# WITH_STANDALONE_LF_HIDBRUTE
ifneq (,$(findstring WITH_STANDALONE_LF_HIDBRUTE,$(APP_CFLAGS)))
SRC_STANDALONE = lf_hidbrute.c
endif
# WITH_STANDALONE_LF_HIDFCBRUTE
ifneq (,$(findstring WITH_STANDALONE_LF_HIDFCBRUTE,$(APP_CFLAGS)))
SRC_STANDALONE = lf_hidfcbrute.c
endif
# WITH_STANDALONE_LF_ICEHID
ifneq (,$(findstring WITH_STANDALONE_LF_ICEHID,$(APP_CFLAGS)))
SRC_STANDALONE = lf_icehid.c
endif
# WITH_STANDALONE_LF_NEDAP_SIM
ifneq (,$(findstring WITH_STANDALONE_LF_NEDAP_SIM,$(APP_CFLAGS)))
SRC_STANDALONE = lf_nedap_sim.c
endif
# WITH_STANDALONE_LF_NEXID
ifneq (,$(findstring WITH_STANDALONE_LF_NEXID,$(APP_CFLAGS)))
SRC_STANDALONE = lf_nexid.c
endif
# WITH_STANDALONE_LF_SAMYRUN
ifneq (,$(findstring WITH_STANDALONE_LF_SAMYRUN,$(APP_CFLAGS)))
SRC_STANDALONE = lf_samyrun.c
@ -33,29 +69,9 @@ endif
ifneq (,$(findstring WITH_STANDALONE_LF_PROX2BRUTE,$(APP_CFLAGS)))
SRC_STANDALONE = lf_prox2brute.c
endif
# WITH_STANDALONE_LF_HIDBRUTE
ifneq (,$(findstring WITH_STANDALONE_LF_HIDBRUTE,$(APP_CFLAGS)))
SRC_STANDALONE = lf_hidbrute.c
endif
# WITH_STANDALONE_LF_HIDFCBRUTE
ifneq (,$(findstring WITH_STANDALONE_LF_HIDFCBRUTE,$(APP_CFLAGS)))
SRC_STANDALONE = lf_hidfcbrute.c
endif
# WITH_STANDALONE_HF_YOUNG
ifneq (,$(findstring WITH_STANDALONE_HF_YOUNG,$(APP_CFLAGS)))
SRC_STANDALONE = hf_young.c
endif
# WITH_STANDALONE_HF_MATTYRUN
ifneq (,$(findstring WITH_STANDALONE_HF_MATTYRUN,$(APP_CFLAGS)))
SRC_STANDALONE = hf_mattyrun.c
endif
# WITH_STANDALONE_HF_COLIN
ifneq (,$(findstring WITH_STANDALONE_HF_COLIN,$(APP_CFLAGS)))
SRC_STANDALONE = vtsend.c hf_colin.c frozen.c nprintf.c
endif
# WITH_STANDALONE_HF_BOG
ifneq (,$(findstring WITH_STANDALONE_HF_BOG,$(APP_CFLAGS)))
SRC_STANDALONE = hf_bog.c
# WITH_STANDALONE_LF_THAREXDE
ifneq (,$(findstring WITH_STANDALONE_LF_THAREXDE,$(APP_CFLAGS)))
SRC_STANDALONE = lf_tharexde.c
endif
# WITH_STANDALONE_HF_14ASNIFF
ifneq (,$(findstring WITH_STANDALONE_HF_14ASNIFF,$(APP_CFLAGS)))
@ -73,33 +89,21 @@ endif
ifneq (,$(findstring WITH_STANDALONE_HF_AVEFUL,$(APP_CFLAGS)))
SRC_STANDALONE = hf_aveful.c
endif
# WITH_STANDALONE_HF_TCPRST
ifneq (,$(findstring WITH_STANDALONE_HF_TCPRST,$(APP_CFLAGS)))
SRC_STANDALONE = hf_tcprst.c
# WITH_STANDALONE_HF_BOG
ifneq (,$(findstring WITH_STANDALONE_HF_BOG,$(APP_CFLAGS)))
SRC_STANDALONE = hf_bog.c
endif
# WITH_STANDALONE_LF_ICEHID
ifneq (,$(findstring WITH_STANDALONE_LF_ICEHID,$(APP_CFLAGS)))
SRC_STANDALONE = lf_icehid.c
# WITH_STANDALONE_HF_COLIN
ifneq (,$(findstring WITH_STANDALONE_HF_COLIN,$(APP_CFLAGS)))
SRC_STANDALONE = vtsend.c hf_colin.c frozen.c nprintf.c
endif
# WITH_STANDALONE_LF_NEXID
ifneq (,$(findstring WITH_STANDALONE_LF_NEXID,$(APP_CFLAGS)))
SRC_STANDALONE = lf_nexid.c
# WITH_STANDALONE_HF_CRAFTBYTE
ifneq (,$(findstring WITH_STANDALONE_HF_CRAFTBYTE,$(APP_CFLAGS)))
SRC_STANDALONE = hf_craftbyte.c
endif
# WITH_STANDALONE_LF_EM4100EMUL
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100EMUL,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100emul.c
endif
# WITH_STANDALONE_LF_EM4100RSWB
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100RSWB,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100rswb.c
endif
# WITH_STANDALONE_LF_EM4100RSWW
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100RSWW,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100rsww.c
endif
# WITH_STANDALONE_LF_EM4100RWC
ifneq (,$(findstring WITH_STANDALONE_LF_EM4100RWC,$(APP_CFLAGS)))
SRC_STANDALONE = lf_em4100rwc.c
# WITH_STANDALONE_HF_ICECLASS
ifneq (,$(findstring WITH_STANDALONE_HF_ICECLASS,$(APP_CFLAGS)))
SRC_STANDALONE = hf_iceclass.c
endif
# WITH_STANDALONE_HF_LEGIC
ifneq (,$(findstring WITH_STANDALONE_HF_LEGIC,$(APP_CFLAGS)))
@ -109,37 +113,33 @@ endif
ifneq (,$(findstring WITH_STANDALONE_HF_LEGICSIM,$(APP_CFLAGS)))
SRC_STANDALONE = hf_legicsim.c
endif
# WITH_STANDALONE_HF_MATTYRUN
ifneq (,$(findstring WITH_STANDALONE_HF_MATTYRUN,$(APP_CFLAGS)))
SRC_STANDALONE = hf_mattyrun.c
endif
# WITH_STANDALONE_HF_MFCSIM
ifneq (,$(findstring WITH_STANDALONE_HF_MFCSIM,$(APP_CFLAGS)))
SRC_STANDALONE = hf_mfcsim.c
endif
# WITH_STANDALONE_HF_MSDSAL
ifneq (,$(findstring WITH_STANDALONE_HF_MSDSAL,$(APP_CFLAGS)))
SRC_STANDALONE = hf_msdsal.c
endif
# WITH_STANDALONE_HF_ICECLASS
ifneq (,$(findstring WITH_STANDALONE_HF_ICECLASS,$(APP_CFLAGS)))
SRC_STANDALONE = hf_iceclass.c
# WITH_STANDALONE_HF_REBLAY
ifneq (,$(findstring WITH_STANDALONE_HF_REBLAY,$(APP_CFLAGS)))
SRC_STANDALONE = hf_reblay.c
endif
# WITH_STANDALONE_LF_THAREXDE
ifneq (,$(findstring WITH_STANDALONE_LF_THAREXDE,$(APP_CFLAGS)))
SRC_STANDALONE = lf_tharexde.c
endif
# WITH_STANDALONE_HF_CRAFTBYTE
ifneq (,$(findstring WITH_STANDALONE_HF_CRAFTBYTE,$(APP_CFLAGS)))
SRC_STANDALONE = hf_craftbyte.c
# WITH_STANDALONE_HF_TCPRST
ifneq (,$(findstring WITH_STANDALONE_HF_TCPRST,$(APP_CFLAGS)))
SRC_STANDALONE = hf_tcprst.c
endif
# WITH_STANDALONE_HF_TMUDFORD
ifneq (,$(findstring WITH_STANDALONE_HF_TMUDFORD,$(APP_CFLAGS)))
SRC_STANDALONE = hf_tmudford.c
endif
# WITH_STANDALONE_HF_REBLAY
ifneq (,$(findstring WITH_STANDALONE_HF_REBLAY,$(APP_CFLAGS)))
SRC_STANDALONE = hf_reblay.c
endif
# WITH_STANDALONE_HF_MFCSIM
ifneq (,$(findstring WITH_STANDALONE_HF_MFCSIM,$(APP_CFLAGS)))
SRC_STANDALONE = hf_mfcsim.c
endif
# WITH_STANDALONE_LF_NEDAP_SIM
ifneq (,$(findstring WITH_STANDALONE_LF_NEDAP_SIM,$(APP_CFLAGS)))
SRC_STANDALONE = lf_nedap_sim.c
# WITH_STANDALONE_HF_YOUNG
ifneq (,$(findstring WITH_STANDALONE_HF_YOUNG,$(APP_CFLAGS)))
SRC_STANDALONE = hf_young.c
endif
ifneq (,$(findstring WITH_STANDALONE_DANKARMULTI,$(APP_CFLAGS)))

16
armsrc/Standalone/lf_prox2brute.c
View file

@ -1,5 +1,5 @@
//-----------------------------------------------------------------------------
// Copyright (C) Brad Antoniewicz 2011
// Copyright (C) Yann Gascuel 2023
// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
//
// This program is free software: you can redistribute it and/or modify
@ -57,19 +57,19 @@ void RunMod(void) {
WDT_HIT();
// exit from SamyRun, send a usbcommand.
if (data_available()) { // early exit
DbpString("[=] You can take the shell back :) ...");
DbpString("[=] You can take the shell back :) ...");
LEDsoff();
return;
}
}
LED_C_ON();
WAIT_BUTTON_RELEASED(); // We are now ready to start brutforcing card numbers
LEDsoff();
Dbprintf("[=] Starting HID ProxII Bruteforce from card %08x to %08x",
CARDNUM_START, MIN(CARDNUM_END, 0xFFFF));
for (cardnum = CARDNUM_START ; cardnum <= MIN(CARDNUM_END, 0xFFFF) ; cardnum++) {
WDT_HIT();
@ -92,14 +92,14 @@ void RunMod(void) {
// switch leds to be able to know (aproximatly) which card number worked (64 tries loop)
LED_A_INV(); // switch led A every try
if ((cardnum-CARDNUM_START) % 8 == 7) // switch led B every 8 tries
if ((cardnum - CARDNUM_START) % 8 == 7) // switch led B every 8 tries
LED_B_INV();
if ((cardnum-CARDNUM_START) % 16 == 15) // switch led C every 16 tries
if ((cardnum - CARDNUM_START) % 16 == 15) // switch led C every 16 tries
LED_C_INV();
if ((cardnum-CARDNUM_START) % 32 == 31) // switch led D every 32 tries
if ((cardnum - CARDNUM_START) % 32 == 31) // switch led D every 32 tries
LED_D_INV();
}
SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5); // Xmax tree
Dbprintf("[=] Ending HID ProxII Bruteforce from card %08x to %08x",
CARDNUM_START, cardnum - 1);

10
armsrc/Standalone/readme.md
View file

@ -100,6 +100,8 @@ STANDALONE_MODES_REQ_FLASH :=
STANDALONE_MODES_REQ_BT :=
```
Please respect alphabetic order!
## Update MAKEFILE.INC
^[Top](#top)
@ -117,6 +119,8 @@ ifneq (,$(findstring WITH_STANDALONE_LF_FOO,$(APP_CFLAGS)))
endif
```
Please respect alphabetic order!
## Adding identification string of your mode
^[Top](#top)
@ -174,9 +178,11 @@ Once you're ready to share your mode, please
* add a line in CHANGELOG.md
* add your mode in the modes table in `doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md`
* add your mode in `tools/build_all_firmwares.sh`
* add your mode in `tools/build_all_firmwares.sh` such that it reflects `armsrc/Standalone/Makefile.hal` list of firmwares to build.
and submit your PR.
Please respect alphabetic order of standalone modes everywhere!
Then submit your PR.
Once approved, add also your mode in https://github.com/RfidResearchGroup/proxmark3/wiki/Standalone-mode

74
armsrc/appmain.c
View file

@ -453,6 +453,12 @@ static void SendCapabilities(void) {
capabilities.baudrate = g_usart_baudrate;
#endif
#ifdef RDV4
capabilities.is_rdv4 = true;
#else
capabilities.is_rdv4 = false;
#endif
#ifdef WITH_FLASH
capabilities.compiled_with_flash = true;
capabilities.hw_available_flash = FlashInit();
@ -1287,23 +1293,79 @@ static void PacketReceived(PacketCommandNG *packet) {
SetTag15693Uid(payload->uid);
break;
}
case CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY: {
case CMD_HF_ISO15693_SLIX_DISABLE_EAS: {
struct p {
uint8_t pwd[4];
bool usepwd;
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
DisableEAS_AFISlixIso15693(payload->pwd, payload->usepwd);
break;
}
case CMD_HF_ISO15693_SLIX_ENABLE_EAS: {
struct p {
uint8_t pwd[4];
bool usepwd;
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
EnableEAS_AFISlixIso15693(payload->pwd, payload->usepwd);
break;
}
case CMD_HF_ISO15693_SLIX_WRITE_PWD: {
struct p {
uint8_t old_pwd[4];
uint8_t new_pwd[4];
uint8_t pwd_id;
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
WritePasswordSlixIso15693(payload->old_pwd, payload->new_pwd, payload->pwd_id);
break;
}
case CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY: {
struct p {
uint8_t pwd[4];
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
DisablePrivacySlixLIso15693(payload->pwd);
DisablePrivacySlixIso15693(payload->pwd);
break;
}
case CMD_HF_ISO15693_SLIX_L_DISABLE_AESAFI: {
case CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY: {
struct p {
uint8_t pwd[4];
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
DisableEAS_AFISlixLIso15693(payload->pwd);
struct p* payload = (struct p*)packet->data.asBytes;
EnablePrivacySlixIso15693(payload->pwd);
break;
}
case CMD_HF_ISO15693_SLIX_PASS_PROTECT_AFI: {
struct p {
uint8_t pwd[4];
} PACKED;
struct p* payload = (struct p*)packet->data.asBytes;
PassProtectAFISlixIso15693(payload->pwd);
break;
}
case CMD_HF_ISO15693_WRITE_AFI: {
struct p {
uint8_t pwd[4];
bool use_pwd;
uint8_t uid[8];
bool use_uid;
uint8_t afi;
} PACKED;
struct p* payload = (struct p*)packet->data.asBytes;
WriteAFIIso15693(payload->pwd, payload->use_pwd, payload->uid, payload->use_uid, payload->afi);
break;
}
case CMD_HF_ISO15693_SLIX_PASS_PROTECT_EAS: {
struct p {
uint8_t pwd[4];
} PACKED;
struct p* payload = (struct p*)packet->data.asBytes;
PassProtextEASSlixIso15693(payload->pwd);
break;
}
#endif
#ifdef WITH_LEGICRF

11
armsrc/iso14443a.c
View file

@ -1229,6 +1229,17 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_r
AddCrc14A(rPPS, sizeof(rPPS) - 2);
if (tagType == 7) {
uint8_t pwd[4];
uint8_t gen_pwd[4];
uint16_t start = (*pages - 1) * 4 + MFU_DUMP_PREFIX_LENGTH;
emlGetMemBt(pwd, start, sizeof(pwd));
Uint4byteToMemBe(gen_pwd, ul_ev1_pwdgenB(data));
if (memcmp(pwd, gen_pwd, sizeof(pwd)) == 0) {
rPACK[0] = 0x80;
rPACK[1] = 0x80;
}
}
AddCrc14A(rPACK, sizeof(rPACK) - 2);
static tag_response_info_t responses_init[] = {

391
armsrc/iso15693.c
View file

@ -177,6 +177,37 @@ static void CodeIso15693AsReaderEOF(void) {
}
static int get_uid_slix(uint32_t start_time, uint32_t* eof_time, uint8_t* uid) {
uint8_t *answer = BigBuf_malloc(ISO15693_MAX_RESPONSE_LENGTH);
memset(answer, 0x00, ISO15693_MAX_RESPONSE_LENGTH);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t cmd[5] = {0};
BuildIdentifyRequest(cmd);
uint16_t recvlen = 0;
SendDataTag(cmd, sizeof(cmd), false, true, answer, ISO15693_MAX_RESPONSE_LENGTH, start_time, ISO15693_READER_TIMEOUT, eof_time, &recvlen);
if(recvlen != 12)
{
return PM3_ETIMEOUT;
}
uid[0] = answer[2];
uid[1] = answer[3];
uid[2] = answer[4];
uid[3] = answer[5];
uid[4] = answer[6];
uid[5] = answer[7];
uid[6] = answer[8];
uid[7] = answer[9];
BigBuf_free();
return PM3_SUCCESS;
}
// encode data using "1 out of 256" scheme
// data rate is 1,66 kbit/s (fc/8192)
// is designed for more robust communication over longer distances
@ -2431,6 +2462,8 @@ void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint
case ISO15693_WRITE_AFI:
case ISO15693_LOCK_AFI:
case ISO15693_WRITE_DSFID:
case ISO15693_WRITE_PASSWORD:
case ISO15693_PASSWORD_PROTECT_EAS:
case ISO15693_LOCK_DSFID:
timeout = ISO15693_READER_TIMEOUT_WRITE;
request_answer = data[0] & ISO15_REQ_OPTION;
@ -2640,7 +2673,7 @@ void SetTag15693Uid(const uint8_t *uid) {
switch_off();
}
static void init_password_15693_slixl(uint8_t *buffer, uint8_t *pwd, const uint8_t *rnd) {
static void init_password_15693_Slix(uint8_t *buffer, uint8_t *pwd, const uint8_t *rnd) {
memcpy(buffer, pwd, 4);
if (rnd) {
buffer[0] ^= rnd[0];
@ -2650,14 +2683,14 @@ static void init_password_15693_slixl(uint8_t *buffer, uint8_t *pwd, const uint8
}
}
static bool get_rnd_15693_slixl(uint32_t start_time, uint32_t *eof_time, uint8_t *rnd) {
static bool get_rnd_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t *rnd) {
// 0x04, == NXP from manufacture id list.
uint8_t c[] = {ISO15_REQ_DATARATE_HIGH, ISO15693_GET_RANDOM_NUMBER, 0x04, 0x00, 0x00 };
AddCrc15(c, 3);
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res = SendDataTag(c, sizeof(c), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
int res = SendDataTag(c, sizeof(c), true, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res != PM3_SUCCESS && recvlen != 5) {
return false;
}
@ -2668,15 +2701,16 @@ static bool get_rnd_15693_slixl(uint32_t start_time, uint32_t *eof_time, uint8_t
return true;
}
static uint32_t set_pass_15693_slixl(uint32_t start_time, uint32_t *eof_time, uint8_t pass_id, uint8_t *password) {
static uint32_t disable_privacy_15693_Slix(uint32_t start_time, uint32_t* eof_time, uint8_t pass_id, uint8_t* password) {
uint8_t rnd[2];
if (get_rnd_15693_slixl(start_time, eof_time, rnd) == false) {
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
// 0x04, == NXP from manufacture id list.
uint8_t c[] = {ISO15_REQ_DATARATE_HIGH, ISO15693_SET_PASSWORD, 0x04, pass_id, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
init_password_15693_slixl(&c[4], password, rnd);
uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, ISO15693_SET_PASSWORD, 0x04, pass_id, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
init_password_15693_Slix(&c[4], password, rnd);
AddCrc15(c, 8);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
@ -2689,16 +2723,236 @@ static uint32_t set_pass_15693_slixl(uint32_t start_time, uint32_t *eof_time, ui
return PM3_SUCCESS;
}
/*
static uint32_t enable_privacy_15693_slixl(uint32_t start_time, uint32_t *eof_time, uint8_t *uid, uint8_t pass_id, uint8_t *password) {
static uint32_t set_pass_15693_Slix(uint32_t start_time, uint32_t* eof_time, uint8_t pass_id, uint8_t* password, uint8_t* uid) {
uint8_t rnd[2];
if (get_rnd_15693_slixl(start_time, eof_time, rnd) == false) {
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
// 0x04, == NXP from manufacture id list.
uint8_t c[] = { (ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS), ISO15693_SET_PASSWORD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, pass_id, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
init_password_15693_Slix(&c[12], password, rnd);
memcpy(&c[3], uid, 8);
AddCrc15(c, 16);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res = SendDataTag(c, sizeof(c), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res != PM3_SUCCESS && recvlen != 3) {
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
static uint32_t set_privacy_15693_Slix(uint32_t start_time, uint32_t* eof_time, uint8_t* password) {
uint8_t rnd[2];
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
// 0x04, == NXP from manufacture id list.
uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, 0xBA, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
init_password_15693_Slix(&c[3], password, rnd);
AddCrc15(c, 7);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res = SendDataTag(c, sizeof(c), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res != PM3_SUCCESS && recvlen != 3) {
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
static uint32_t disable_eas_15693_Slix(uint32_t start_time, uint32_t* eof_time, uint8_t* password, bool usepwd) {
uint8_t uid[8];
get_uid_slix(start_time, eof_time, uid);
uint8_t rnd[2];
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
if(usepwd)
{
int res_setpass = set_pass_15693_Slix(start_time, eof_time, 0x10, password, uid);
if(res_setpass != PM3_SUCCESS)
{
return PM3_EWRONGANSWER;
}
}
// 0x04, == NXP from manufacture id list.
uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, 0xA3, 0x04, 0x00, 0x00};
AddCrc15(c, 3);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res = SendDataTag(c, sizeof(c), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res != PM3_SUCCESS && recvlen != 3) {
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
static uint32_t enable_eas_15693_Slix(uint32_t start_time, uint32_t* eof_time, uint8_t* password, bool usepwd) {
uint8_t uid[8];
get_uid_slix(start_time, eof_time, uid);
uint8_t rnd[2];
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
if(usepwd)
{
int res_setpass = set_pass_15693_Slix(start_time, eof_time, 0x10, password, uid);
if(res_setpass != PM3_SUCCESS)
{
return PM3_EWRONGANSWER;
}
}
// 0x04, == NXP from manufacture id list.
uint8_t c[] = { ISO15_REQ_DATARATE_HIGH, 0xA2, 0x04, 0x00, 0x00};
//init_password_15693_Slix(&c[3], password, rnd);
AddCrc15(c, 3);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res = SendDataTag(c, sizeof(c), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res != PM3_SUCCESS && recvlen != 3) {
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
static uint32_t write_password_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t pwd_id, uint8_t *password, uint8_t* uid) {
uint8_t new_pwd_cmd[] = { (ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS), ISO15693_WRITE_PASSWORD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, pwd_id, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
memcpy(&new_pwd_cmd[3], uid, 8);
memcpy(&new_pwd_cmd[12], password, 4);
AddCrc15(new_pwd_cmd, 16);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res_wrp = SendDataTag(new_pwd_cmd, sizeof(new_pwd_cmd), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res_wrp != PM3_SUCCESS && recvlen != 3) {
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
static uint32_t pass_protect_EASAFI_15693_Slix(uint32_t start_time, uint32_t *eof_time, bool set_option_flag, uint8_t* password) {
uint8_t flags;
if(set_option_flag)
flags = ISO15_REQ_DATARATE_HIGH | ISO15_REQ_OPTION;
else
flags = ISO15_REQ_DATARATE_HIGH;
uint8_t uid[8];
get_uid_slix(start_time, eof_time, uid);
uint8_t rnd[2];
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
int res_setpass = set_pass_15693_Slix(start_time, eof_time, 0x10, password, uid);
if(res_setpass != PM3_SUCCESS)
{
return PM3_EWRONGANSWER;
}
uint8_t new_pass_protect_cmd[] = { flags, ISO15693_PASSWORD_PROTECT_EAS, 0x04, 0x00, 0x00};
AddCrc15(new_pass_protect_cmd, 3);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res = SendDataTag(new_pass_protect_cmd, sizeof(new_pass_protect_cmd), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res != PM3_SUCCESS && recvlen != 3) {
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
static uint32_t write_afi_15693(uint32_t start_time, uint32_t *eof_time, uint8_t *password, bool usepwd, uint8_t *uid, bool use_uid, uint8_t afi)
{
if(!use_uid)
{
int res_getuid = get_uid_slix(start_time, eof_time, uid);
if(res_getuid != PM3_SUCCESS)
{
return res_getuid;
}
}
if(usepwd)
{
int res_setpass = set_pass_15693_Slix(start_time, eof_time, 0x10, password, uid);
if(res_setpass != PM3_SUCCESS)
{
return PM3_EWRONGANSWER;
}
}
uint8_t cmd[] = { ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS, ISO15693_WRITE_AFI, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
memcpy(&cmd[2], uid, 8);
cmd[10] = afi;
AddCrc15(cmd, 11);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint16_t recvlen = 0;
int res = SendDataTag(cmd, sizeof(cmd), false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, eof_time, &recvlen);
if (res != PM3_SUCCESS || recvlen != 3) {
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
/*
static uint32_t enable_privacy_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t *uid, uint8_t pass_id, uint8_t *password) {
uint8_t rnd[2];
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
uint8_t c[] = {ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS, ISO15693_ENABLE_PRIVACY, pass_id, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
memcpy(&c[3], uid, 8);
init_password_15693_slixl(&c[11], password, rnd);
init_password_15693_Slix(&c[11], password, rnd);
AddCrc15(c, 15);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
@ -2711,16 +2965,16 @@ static uint32_t enable_privacy_15693_slixl(uint32_t start_time, uint32_t *eof_ti
return PM3_SUCCESS;
}
static uint32_t write_password_15693_slixl(uint32_t start_time, uint32_t *eof_time, uint8_t *uid, uint8_t pass_id, uint8_t *password) {
static uint32_t write_password_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t *uid, uint8_t pass_id, uint8_t *password) {
uint8_t rnd[2];
if (get_rnd_15693_slixl(start_time, eof_time, rnd) == false) {
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
uint8_t c[] = {ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS, ISO15693_WRITE_PASSWORD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
memcpy(&c[3], uid, 8);
c[11] = pass_id;
init_password_15693_slixl(&c[12], password, NULL);
init_password_15693_Slix(&c[12], password, NULL);
AddCrc15(c, 16);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
@ -2734,16 +2988,16 @@ static uint32_t write_password_15693_slixl(uint32_t start_time, uint32_t *eof_ti
return PM3_SUCCESS;
}
static uint32_t destroy_15693_slixl(uint32_t start_time, uint32_t *eof_time, uint8_t *uid, uint8_t *password) {
static uint32_t destroy_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t *uid, uint8_t *password) {
uint8_t rnd[2];
if (get_rnd_15693_slixl(start_time, eof_time, rnd) == false) {
if (get_rnd_15693_Slix(start_time, eof_time, rnd) == false) {
return PM3_ETIMEOUT;
}
uint8_t c[] = {ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS, ISO15693_DESTROY, ISO15693_ENABLE_PRIVACY, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
memcpy(&c[3], uid, 8);
init_password_15693_slixl(&c[11], password, rnd);
init_password_15693_Slix(&c[11], password, rnd);
AddCrc15(c, 15);
start_time = *eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
@ -2758,8 +3012,33 @@ static uint32_t destroy_15693_slixl(uint32_t start_time, uint32_t *eof_time, uin
*/
// Sets a PRIVACY password to all ZEROS
void DisablePrivacySlixLIso15693(uint8_t *password) {
void WritePasswordSlixIso15693(uint8_t *old_password, uint8_t *new_password, uint8_t pwd_id) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
uint32_t start_time = 0, eof_time = 0;
int res = PM3_EFAILED;
uint8_t uid[8];
get_uid_slix(start_time, &eof_time, uid);
res = set_pass_15693_Slix(start_time, &eof_time, pwd_id, old_password, uid);
if(res != PM3_SUCCESS)
{
reply_ng(CMD_HF_ISO15693_SLIX_WRITE_PWD, res, NULL, 0);
switch_off();
return;
}
res = write_password_15693_Slix(start_time, &eof_time, pwd_id, new_password, uid);
reply_ng(CMD_HF_ISO15693_SLIX_WRITE_PWD, res, NULL, 0);
switch_off();
}
void DisablePrivacySlixIso15693(uint8_t *password) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
@ -2769,13 +3048,12 @@ void DisablePrivacySlixLIso15693(uint8_t *password) {
// 0x04 Privacy
// 0x08 Destroy SLIX-L
// 0x10 EAS/AFI
int res = set_pass_15693_slixl(start_time, &eof_time, 0x04, password);
reply_ng(CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY, res, NULL, 0);
int res = disable_privacy_15693_Slix(start_time, &eof_time, 0x04, password);
reply_ng(CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY, res, NULL, 0);
switch_off();
}
// Sets a EAS/AFI password to all ZEROS
void DisableEAS_AFISlixLIso15693(uint8_t *password) {
void EnablePrivacySlixIso15693(uint8_t* password) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
@ -2785,8 +3063,71 @@ void DisableEAS_AFISlixLIso15693(uint8_t *password) {
// 0x04 Privacy
// 0x08 Destroy SLIX-L
// 0x10 EAS/AFI
int res = set_pass_15693_slixl(start_time, &eof_time, 0x10, password);
reply_ng(CMD_HF_ISO15693_SLIX_L_DISABLE_AESAFI, res, NULL, 0);
int res = set_privacy_15693_Slix(start_time, &eof_time, password);
reply_ng(CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY, res, NULL, 0);
switch_off();
}
void DisableEAS_AFISlixIso15693(uint8_t *password, bool usepwd) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
uint32_t start_time = 0, eof_time = 0;
// Password identifier Password byte
// 0x04 Privacy
// 0x08 Destroy SLIX-L
// 0x10 EAS/AFI
int res = disable_eas_15693_Slix(start_time, &eof_time, password, usepwd);
reply_ng(CMD_HF_ISO15693_SLIX_DISABLE_EAS, res, NULL, 0);
switch_off();
}
void EnableEAS_AFISlixIso15693(uint8_t *password, bool usepwd) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
uint32_t start_time = 0, eof_time = 0;
// Password identifier Password byte
// 0x04 Privacy
// 0x08 Destroy SLIX-L
// 0x10 EAS/AFI
int res = enable_eas_15693_Slix(start_time, &eof_time, password, usepwd);
reply_ng(CMD_HF_ISO15693_SLIX_ENABLE_EAS, res, NULL, 0);
switch_off();
}
void PassProtextEASSlixIso15693(uint8_t *password) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
uint32_t start_time = 0, eof_time = 0;
int res = pass_protect_EASAFI_15693_Slix(start_time, &eof_time, false, password);
reply_ng(CMD_HF_ISO15693_SLIX_PASS_PROTECT_EAS, res, NULL, 0);
switch_off();
}
void PassProtectAFISlixIso15693(uint8_t *password) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
uint32_t start_time = 0, eof_time = 0;
int res = pass_protect_EASAFI_15693_Slix(start_time, &eof_time, true, password);
reply_ng(CMD_HF_ISO15693_SLIX_PASS_PROTECT_AFI, res, NULL, 0);
switch_off();
}
void WriteAFIIso15693(uint8_t *password, bool use_pwd, uint8_t *uid, bool use_uid, uint8_t afi) {
LED_D_ON();
Iso15693InitReader();
StartCountSspClk();
uint32_t start_time = 0, eof_time = 0;
int res = write_afi_15693(start_time, &eof_time, password, use_pwd, uid, use_uid, afi);
//int res = PM3_SUCCESS;
reply_ng(CMD_HF_ISO15693_WRITE_AFI, res, NULL, 0);
switch_off();
}

10
armsrc/iso15693.h
View file

@ -62,6 +62,12 @@ int SendDataTagEOF(uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, ui
void SetTag15693Uid(const uint8_t *uid);
void DisablePrivacySlixLIso15693(uint8_t *password);
void DisableEAS_AFISlixLIso15693(uint8_t *password);
void WritePasswordSlixIso15693(uint8_t *old_password, uint8_t *new_password, uint8_t pwd_id);
void DisablePrivacySlixIso15693(uint8_t *password);
void EnablePrivacySlixIso15693(uint8_t* password);
void DisableEAS_AFISlixIso15693(uint8_t *password, bool usepwd);
void EnableEAS_AFISlixIso15693(uint8_t *password, bool usepwd);
void PassProtextEASSlixIso15693(uint8_t *password);
void PassProtectAFISlixIso15693(uint8_t *password);
void WriteAFIIso15693(uint8_t *password, bool usepwd, uint8_t *uid, bool use_uid, uint8_t afi);
#endif

1
client/experimental_lib/CMakeLists.txt
View file

@ -294,6 +294,7 @@ set (TARGET_SOURCES
${PM3_ROOT}/client/src/cmdhfseos.c
${PM3_ROOT}/client/src/cmdhfst.c
${PM3_ROOT}/client/src/cmdhfst25ta.c
${PM3_ROOT}/client/src/cmdhftesla.c
${PM3_ROOT}/client/src/cmdhftexkom.c
${PM3_ROOT}/client/src/cmdhfthinfilm.c
${PM3_ROOT}/client/src/cmdhftopaz.c

10
client/luascripts/hf_mfu_amiibo_sim.lua
View file

@ -139,14 +139,10 @@ local function main(args)
-- force lock bytes, otherwise the Amiibo won't be recognized
blocks[16] = blocks[16]:sub(1, 4)..'0FE0'
-- add PWD and PACK if necessary
-- add PWD and PACK
local uid = blocks[14]:sub(1, 6)..blocks[15]:sub(1, 8)
if blocks[147] == nil or blocks[147] == '00000000' then
blocks[147] = ("%08x"):format(bxor(bxor(tonumber(sub(uid, 2, 10), 16), tonumber(sub(uid, 6, 14), 16)), 0xaa55aa55))
end
if blocks[148] == nil or blocks[148] == '00000000' then
blocks[148] = "80800000"
end
blocks[147] = ("%08x"):format(bxor(bxor(tonumber(sub(uid, 2, 10), 16), tonumber(sub(uid, 6, 14), 16)), 0xaa55aa55))
blocks[148] = "80800000"
err = LoadEmulator(uid, blocks)
if err then return oops(err) end

2
client/src/cmddata.c
View file

@ -1230,7 +1230,7 @@ int FSKrawDemod(uint8_t rfLen, uint8_t invert, uint8_t fchigh, uint8_t fclow, bo
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(SUCCESS, _YELLOW_("%s") " decoded bitstream", GetFSKType(fchigh, fclow, invert));
PrintAndLogEx(INFO, "-----------------------");
printDemodBuff(0, false, invert, false);
printDemodBuff(0, false, false, false);
}
goto out;
} else {

738
client/src/cmdhf15.c
View file

@ -652,14 +652,13 @@ static int CmdHF15Samples(const char *Cmd) {
return PM3_SUCCESS;
}
static int NxpTestEAS(uint8_t *uid)
{
uint8_t fast = 1;
static int NxpTestEAS(uint8_t *uid) {
uint8_t fast = 1;
uint8_t reply = 1;
PacketResponseNG resp;
uint16_t reqlen = 0;
uint8_t req[PM3_CMD_DATA_SIZE] = {0};
req[reqlen++] |= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
req[reqlen++] = ISO15693_EAS_ALARM;
req[reqlen++] = 0x04; // IC manufacturer code
@ -681,7 +680,7 @@ static int NxpTestEAS(uint8_t *uid)
if (resp.length < 2) {
PrintAndLogEx(INFO, " EAS (Electronic Article Surveillance) is not active");
} else {
uint8_t * recv = resp.data.asBytes;
uint8_t *recv = resp.data.asBytes;
if (!(recv[0] & ISO15_RES_ERROR)) {
PrintAndLogEx(INFO, " EAS (Electronic Article Surveillance) is active.");
@ -689,56 +688,56 @@ static int NxpTestEAS(uint8_t *uid)
}
}
}
return PM3_SUCCESS;
}
}
static int NxpCheckSig(uint8_t *uid) {
uint8_t fast = 1;
uint8_t fast = 1;
uint8_t reply = 1;
PacketResponseNG resp;
uint16_t reqlen = 0;
uint8_t req[PM3_CMD_DATA_SIZE] = {0};
// Check if we can also read the signature
req[reqlen++] |= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
req[reqlen++] = ISO15693_READ_SIGNATURE;
req[reqlen++] = 0x04; // IC manufacturer code
memcpy(req + 3, uid, 8); // add UID
reqlen += 8;
// Check if we can also read the signature
req[reqlen++] |= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
req[reqlen++] = ISO15693_READ_SIGNATURE;
req[reqlen++] = 0x04; // IC manufacturer code
memcpy(req + 3, uid, 8); // add UID
reqlen += 8;
AddCrc15(req, reqlen);
reqlen += 2;
AddCrc15(req, reqlen);
reqlen += 2;
clearCommandBuffer();
SendCommandMIX(CMD_HF_ISO15693_COMMAND, reqlen, fast, reply, req, reqlen);
clearCommandBuffer();
SendCommandMIX(CMD_HF_ISO15693_COMMAND, reqlen, fast, reply, req, reqlen);
if (WaitForResponseTimeout(CMD_HF_ISO15693_COMMAND, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "iso15693 timeout");
DropField();
return PM3_ETIMEOUT;
}
if (WaitForResponseTimeout(CMD_HF_ISO15693_COMMAND, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "iso15693 timeout");
DropField();
return PM3_ETIMEOUT;
}
DropField();
DropField();
if (resp.length < 2) {
PrintAndLogEx(WARNING, "iso15693 card doesn't answer to READ SIGNATURE command");
return PM3_EWRONGANSWER;
}
if (resp.length < 2) {
PrintAndLogEx(WARNING, "iso15693 card doesn't answer to READ SIGNATURE command");
return PM3_EWRONGANSWER;
}
uint8_t *recv = resp.data.asBytes;
uint8_t *recv = resp.data.asBytes;
if ((recv[0] & ISO15_RES_ERROR) == ISO15_RES_ERROR) {
PrintAndLogEx(ERR, "iso15693 card returned error %i: %s", recv[0], TagErrorStr(recv[0]));
return PM3_EWRONGANSWER;
}
if ((recv[0] & ISO15_RES_ERROR) == ISO15_RES_ERROR) {
PrintAndLogEx(ERR, "iso15693 card returned error %i: %s", recv[0], TagErrorStr(recv[0]));
return PM3_EWRONGANSWER;
}
uint8_t signature[32] = {0x00};
memcpy(signature, recv + 1, 32);
uint8_t signature[32] = {0x00};
memcpy(signature, recv + 1, 32);
nxp_15693_print_signature(uid, signature);
return PM3_SUCCESS;
nxp_15693_print_signature(uid, signature);
return PM3_SUCCESS;
}
// Get NXP system information from SLIX2 tag/VICC
@ -790,14 +789,14 @@ static int NxpSysInfo(uint8_t *uid) {
}
bool support_signature = (recv[5] & 0x01);
bool support_easmode = (recv[4] & 0x03);
bool support_easmode = (recv[4] & 0x04);
PrintAndLogEx(INFO, "--------- " _CYAN_("NXP Sysinfo") " ---------");
PrintAndLogEx(INFO, " raw : %s", sprint_hex(recv, 8));
PrintAndLogEx(INFO, " Password protection configuration:");
PrintAndLogEx(INFO, " * Page L read%s password protected", ((recv[2] & 0x01) ? "" : " not"));
PrintAndLogEx(INFO, " * Page L write%s password protected", ((recv[2] & 0x02) ? "" : " not"));
PrintAndLogEx(INFO, " * Page H read%s password protected", ((recv[2] & 0x08) ? "" : " not"));
PrintAndLogEx(INFO, " * Page H read%s password protected", ((recv[2] & 0x10) ? "" : " not"));
PrintAndLogEx(INFO, " * Page H write%s password protected", ((recv[2] & 0x20) ? "" : " not"));
PrintAndLogEx(INFO, " Lock bits:");
@ -810,23 +809,23 @@ static int NxpSysInfo(uint8_t *uid) {
PrintAndLogEx(INFO, " * User memory password protection%s supported", ((recv[4] & 0x01) ? "" : " not"));
PrintAndLogEx(INFO, " * Counter feature%s supported", ((recv[4] & 0x02) ? "" : " not"));
PrintAndLogEx(INFO, " * EAS ID%s supported by EAS ALARM command", support_easmode ? "" : " not");
PrintAndLogEx(INFO, " * EAS password protection%s supported", ((recv[4] & 0x04) ? "" : " not"));
PrintAndLogEx(INFO, " * EAS password protection%s supported", ((recv[4] & 0x08) ? "" : " not"));
PrintAndLogEx(INFO, " * AFI password protection%s supported", ((recv[4] & 0x10) ? "" : " not"));
PrintAndLogEx(INFO, " * Extended mode%s supported by INVENTORY READ command", ((recv[4] & 0x20) ? "" : " not"));
PrintAndLogEx(INFO, " * EAS selection%s supported by extended mode in INVENTORY READ command", ((recv[4] & 0x40) ? "" : " not"));
PrintAndLogEx(INFO, " * READ SIGNATURE command%s supported", support_signature ? "" : " not");
PrintAndLogEx(INFO, " * Password protection for READ SIGNATURE command%s supported", ((recv[5] & 0x02) ? "" : " not"));
PrintAndLogEx(INFO, " * STAY QUIET PERSISTENT command%s supported", ((recv[5] & 0x03) ? "" : " not"));
PrintAndLogEx(INFO, " * STAY QUIET PERSISTENT command%s supported", ((recv[5] & 0x04) ? "" : " not"));
PrintAndLogEx(INFO, " * ENABLE PRIVACY command%s supported", ((recv[5] & 0x10) ? "" : " not"));
PrintAndLogEx(INFO, " * DESTROY command%s supported", ((recv[5] & 0x20) ? "" : " not"));
PrintAndLogEx(INFO, " * Additional 32 bits feature flags are%s transmitted", ((recv[5] & 0x80) ? "" : " not"));
PrintAndLogEx(INFO, " * Additional 32 bits feature flags are%s transmitted", ((recv[7] & 0x80) ? "" : " not"));
if (support_easmode) {
NxpTestEAS(uid);
NxpTestEAS(uid);
}
if (support_signature) {
NxpCheckSig(uid);
NxpCheckSig(uid);
}
return PM3_SUCCESS;
@ -968,16 +967,12 @@ static int CmdHF15Info(const char *Cmd) {
if (data[8] == 0x04 && data[7] == 0x01 && nxp_version == 0x08) {
PrintAndLogEx(DEBUG, "SLIX2 Detected, getting NXP System Info");
return NxpSysInfo(uid);
}
else if(data[8] == 0x04 && data[7] == 0x01 && nxp_version == 0x18) //If it is an NTAG 5
{
PrintAndLogEx(DEBUG, "NTAG 5 Detected, getting NXP System Info");
} else if (data[8] == 0x04 && data[7] == 0x01 && nxp_version == 0x18) { //If it is an NTAG 5
PrintAndLogEx(DEBUG, "NTAG 5 Detected, getting NXP System Info");
return NxpSysInfo(uid);
}
else if(data[8] == 0x04 && (data[7] == 0x01 || data[7] == 0x02 || data[7] == 0x03)) //If SLI, SLIX, SLIX-l, or SLIX-S check EAS status
{
PrintAndLogEx(DEBUG, "SLI, SLIX, SLIX-L, or SLIX-S Detected checking EAS status");
return NxpTestEAS(uid);
} else if (data[8] == 0x04 && (data[7] == 0x01 || data[7] == 0x02 || data[7] == 0x03)) { //If SLI, SLIX, SLIX-l, or SLIX-S check EAS status
PrintAndLogEx(DEBUG, "SLI, SLIX, SLIX-L, or SLIX-S Detected checking EAS status");
return NxpTestEAS(uid);
}
PrintAndLogEx(NORMAL, "");
@ -1357,94 +1352,83 @@ static int CmdHF15WriteAfi(const char *Cmd) {
CLIParserInit(&ctx, "hf 15 writeafi",
"Write AFI on card",
"hf 15 writeafi -* --afi 12\n"
"hf 15 writeafi -u E011223344556677 --afi 12"
"hf 15 writeafi -u E011223344556677 --afi 12 -p 0F0F0F0F"
);
void *argtable[6 + 2] = {};
uint8_t arglen = arg_add_default(argtable);
argtable[arglen++] = arg_int1(NULL, "afi", "<dec>", "AFI number (0-255)");
argtable[arglen++] = arg_param_end;
void *argtable[5] = {};
argtable[0] = arg_param_begin;
argtable[1] = arg_str0("u", "uid", "<hex>", "full UID, 8 bytes");
argtable[2] = arg_int1(NULL, "afi", "<dec>", "AFI number (0-255)");
argtable[3] = arg_str0("p", "pwd", "<hex>", "optional AFI/EAS password");
argtable[4] = arg_param_end;
CLIExecWithReturn(ctx, Cmd, argtable, false);
CLIExecWithReturn(ctx, Cmd, argtable, true);
struct {
uint8_t pwd[4];
bool use_pwd;
uint8_t uid[8];
bool use_uid;
uint8_t afi;
} PACKED payload;
uint8_t uid[8];
int uidlen = 0;
CLIGetHexWithReturn(ctx, 1, uid, &uidlen);
bool unaddressed = arg_get_lit(ctx, 2);
bool scan = arg_get_lit(ctx, 3);
int fast = (arg_get_lit(ctx, 4) == false);
bool add_option = arg_get_lit(ctx, 5);
CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen);
int afi = arg_get_int_def(ctx, 6, 0);
payload.afi = arg_get_int_def(ctx, 2, 0);
int pwdlen;
CLIGetHexWithReturn(ctx, 3, payload.pwd, &pwdlen);
CLIParserFree(ctx);
if(pwdlen == 4)
{
payload.use_pwd = true;
}
if(uidlen == 8)
{
payload.use_uid = true;
}
// sanity checks
if ((scan + unaddressed + uidlen) > 1) {
PrintAndLogEx(WARNING, "Select only one option /scan/unaddress/uid");
if (uidlen != 0 && uidlen != 8) {
PrintAndLogEx(WARNING, "uid must be 8 hex bytes if provided");
return PM3_EINVARG;
}
// request to be sent to device/card
uint16_t flags = arg_get_raw_flag(uidlen, unaddressed, scan, add_option);
uint8_t req[16] = {flags, ISO15693_WRITE_AFI};
uint16_t reqlen = 2;
if (unaddressed == false) {
if (scan) {
if (getUID(false, uid) != PM3_SUCCESS) {
PrintAndLogEx(WARNING, "no tag found");
return PM3_EINVARG;
}
uidlen = 8;
}
if (uidlen == 8) {
// add UID (scan, uid)
memcpy(req + reqlen, uid, sizeof(uid));
reqlen += sizeof(uid);
}
PrintAndLogEx(SUCCESS, "Using UID... " _GREEN_("%s"), iso15693_sprintUID(NULL, uid));
if(pwdlen > 0 && pwdlen != 4)
{
PrintAndLogEx(WARNING, "password must be 4 hex bytes if provided");
return PM3_ESOFT;
}
// enforce, since we are writing
req[0] |= ISO15_REQ_OPTION;
req[reqlen++] = (uint8_t)afi;
AddCrc15(req, reqlen);
reqlen += 2;
// arg: len, speed, recv?
// arg0 (datalen, cmd len? .arg0 == crc?)
// arg1 (speed == 0 == 1 of 256, == 1 == 1 of 4 )
// arg2 (recv == 1 == expect a response)
uint8_t read_response = 1;
PacketResponseNG resp;
clearCommandBuffer();
SendCommandMIX(CMD_HF_ISO15693_COMMAND, reqlen, fast, read_response, req, reqlen);
if (WaitForResponseTimeout(CMD_HF_ISO15693_COMMAND, &resp, 2000) == false) {
PrintAndLogEx(ERR, "iso15693 timeout");
SendCommandNG(CMD_HF_ISO15693_WRITE_AFI, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_WRITE_AFI, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ETIMEOUT;
}
DropField();
if (resp.status == PM3_ETEAROFF) {
return resp.status;
return PM3_ESOFT;
}
uint8_t *data = resp.data.asBytes;
if ((data[0] & ISO15_RES_ERROR) == ISO15_RES_ERROR) {
PrintAndLogEx(ERR, "iso15693 card returned error %i: %s", data[0], TagErrorStr(data[0]));
return PM3_EWRONGANSWER;
switch (resp.status) {
case PM3_ETIMEOUT: {
PrintAndLogEx(WARNING, "no tag found");
break;
}
case PM3_EWRONGANSWER: {
PrintAndLogEx(WARNING, "error writing AFI");
break;
}
case PM3_SUCCESS: {
PrintAndLogEx(SUCCESS, "Wrote AFI 0x%02X", payload.afi);
break;
}
}
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(SUCCESS, "Wrote AFI 0x%02X", afi);
return PM3_SUCCESS;
return resp.status;
}
// Writes the DSFID (Data Storage Format Identifier) of a card
@ -2383,10 +2367,164 @@ static int CmdHF15CSetUID(const char *Cmd) {
}
}
static int CmdHF15SlixEASEnable(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 slixeasenable",
"Enable EAS mode on SLIX ISO-15693 tag",
"hf 15 slixeasenable -p 0F0F0F0F");
void *argtable[] = {
arg_param_begin,
arg_str0("p", "pwd", "<hex>", "optional password, 8 hex bytes"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
struct {
uint8_t pwd[4];
bool usepwd;
} PACKED payload;
int pwdlen = 0;
int ret_pwdparse = CLIParamHexToBuf(arg_get_str(ctx, 1), payload.pwd, 4, &pwdlen);
if((pwdlen > 0 && pwdlen != 4) || ret_pwdparse != 0)
{
PrintAndLogEx(WARNING, "password must be 4 hex bytes if provided");
return PM3_ESOFT;
}
//CLIGetHexWithReturn(ctx, 1, payload.pwd, &pwdlen);
CLIParserFree(ctx);
if(pwdlen > 0 )
{
PrintAndLogEx(INFO, "Trying to enable EAS mode using password " _GREEN_("%s")
, sprint_hex_inrow(payload.pwd, sizeof(payload.pwd))
);
payload.usepwd = true;
}
else
{
PrintAndLogEx(INFO, "Trying to enable EAS mode without using a password");
payload.usepwd = false;
}
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_SLIX_ENABLE_EAS, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_ENABLE_EAS, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
}
switch (resp.status) {
case PM3_ETIMEOUT: {
PrintAndLogEx(WARNING, "no tag found");
break;
}
case PM3_EWRONGANSWER: {
if(pwdlen > 0 )
{
PrintAndLogEx(WARNING, "the password provided was not accepted");
}
else
{
PrintAndLogEx(WARNING, "either a password is required or EAS mode is locked");
}
break;
}
case PM3_SUCCESS: {
PrintAndLogEx(SUCCESS, "EAS mode is now enabled ( " _GREEN_("ok") " ) ");
break;
}
}
return resp.status;
}
static int CmdHF15SlixEASDisable(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 slixeasdisable",
"Disable EAS mode on SLIX ISO-15693 tag",
"hf 15 slixeasdisable -p 0F0F0F0F");
void *argtable[] = {
arg_param_begin,
arg_str0("p", "pwd", "<hex>", "optional password, 8 hex bytes"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
struct {
uint8_t pwd[4];
bool usepwd;
} PACKED payload;
int pwdlen = 0;
int ret_pwdparse = CLIParamHexToBuf(arg_get_str(ctx, 1), payload.pwd, 4, &pwdlen);
if((pwdlen > 0 && pwdlen != 4) || ret_pwdparse != 0)
{
PrintAndLogEx(WARNING, "password must be 4 hex bytes if provided");
return PM3_ESOFT;
}
//CLIGetHexWithReturn(ctx, 1, payload.pwd, &pwdlen);
CLIParserFree(ctx);
if(pwdlen > 0 )
{
PrintAndLogEx(INFO, "Trying to disable EAS mode using password " _GREEN_("%s")
, sprint_hex_inrow(payload.pwd, sizeof(payload.pwd))
);
payload.usepwd = true;
}
else
{
PrintAndLogEx(INFO, "Trying to enable EAS mode without using a password");
payload.usepwd = false;
}
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_SLIX_DISABLE_EAS, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_DISABLE_EAS, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
}
switch (resp.status) {
case PM3_ETIMEOUT: {
PrintAndLogEx(WARNING, "no tag found");
break;
}
case PM3_EWRONGANSWER: {
if(pwdlen > 0 )
{
PrintAndLogEx(WARNING, "the password provided was not accepted");
}
else
{
PrintAndLogEx(WARNING, "either a password is required or EAS mode is locked");
}
break;
}
case PM3_SUCCESS: {
PrintAndLogEx(SUCCESS, "EAS mode is now disabled ( " _GREEN_("ok") " ) ");
break;
}
}
return resp.status;
}
static int CmdHF15SlixDisable(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 slixdisable",
CLIParserInit(&ctx, "hf 15 slixprivacydisable",
"Disable privacy mode on SLIX ISO-15693 tag",
"hf 15 slixdisable -p 0F0F0F0F");
@ -2409,8 +2547,8 @@ static int CmdHF15SlixDisable(const char *Cmd) {
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY, &resp, 2000) == false) {
SendCommandNG(CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
@ -2433,32 +2571,330 @@ static int CmdHF15SlixDisable(const char *Cmd) {
return resp.status;
}
static int CmdHF15SlixEnable(const char* Cmd) {
CLIParserContext* ctx;
CLIParserInit(&ctx, "hf 15 slixprivacyenable",
"Enable privacy mode on SLIX ISO-15693 tag",
"hf 15 slixenable -p 0F0F0F0F");
void* argtable[] = {
arg_param_begin,
arg_str1("p", "pwd", "<hex>", "password, 8 hex bytes"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
struct {
uint8_t pwd[4];
} PACKED payload;
int pwdlen = 0;
CLIGetHexWithReturn(ctx, 1, payload.pwd, &pwdlen);
CLIParserFree(ctx);
PrintAndLogEx(INFO, "Trying to enable privacy mode using password " _GREEN_("%s")
, sprint_hex_inrow(payload.pwd, sizeof(payload.pwd))
);
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY, (uint8_t*)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
}
switch (resp.status) {
case PM3_ETIMEOUT: {
PrintAndLogEx(WARNING, "no tag found");
break;
}
case PM3_EWRONGANSWER: {
PrintAndLogEx(WARNING, "password was not accepted");
break;
}
case PM3_SUCCESS: {
PrintAndLogEx(SUCCESS, "privacy mode is now enabled ( " _GREEN_("ok") " ) ");
break;
}
}
return resp.status;
}
static int CmdHF15SlixWritePassword(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 slixwritepwd",
"Write a password on a SLIX family ISO-15693 tag",
"hf 15 slixwritepwd -t READ -o 00000000 -n 12131415");
void *argtable[] = {
arg_param_begin,
arg_str1("t", "type", "<read|write|privacy|destroy|easafi>", "which password field to write to (some tags do not support all password types)"),
arg_str0("o", "old", "<hex>", "old password (if present), 8 hex bytes"),
arg_str1("n", "new", "<hex>", "new password, 8 hex bytes"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
struct {
uint8_t old_pwd[4];
uint8_t new_pwd[4];
uint8_t pwd_id;
} PACKED payload;
int pwdlen = 0;
CLIGetHexWithReturn(ctx, 2, payload.old_pwd, &pwdlen);
if(pwdlen > 0 && pwdlen != 4)
{
PrintAndLogEx(WARNING, "old password must be 4 hex bytes if provided");
return PM3_ESOFT;
}
CLIGetHexWithReturn(ctx, 3, payload.new_pwd, &pwdlen);
if(pwdlen != 4)
{
PrintAndLogEx(WARNING, "new password must be 4 hex bytes");
return PM3_ESOFT;
}
int vlen = 0;
char value[10];
CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)value, sizeof(value), &vlen);
if (vlen > 0) {
if (strcmp(value, "read") == 0)
{
PrintAndLogEx(SUCCESS, "Selected read pass");
payload.pwd_id = 0x01;
}
else if (strcmp(value, "write") == 0)
{
PrintAndLogEx(SUCCESS, "Selected write pass");
payload.pwd_id = 0x02;
}
else if (strcmp(value, "privacy") == 0)
{
PrintAndLogEx(SUCCESS, "Selected privacy pass");
payload.pwd_id = 0x04;
}
else if (strcmp(value, "destroy") == 0)
{
PrintAndLogEx(SUCCESS, "Selected destroy pass");
payload.pwd_id = 0x08;
}
else if (strcmp(value, "easafi") == 0)
{
PrintAndLogEx(SUCCESS, "Selected easafi pass");
payload.pwd_id = 0x10;
}
else
{
PrintAndLogEx(ERR, "t argument must be 'read', 'write', 'privacy', 'destroy', or 'easafi'");
return PM3_EINVARG;
}
}
CLIParserFree(ctx);
PrintAndLogEx(INFO, "Trying to write " _YELLOW_("%s") " as " _YELLOW_("%s") " password"
, sprint_hex_inrow(payload.new_pwd, sizeof(payload.new_pwd)), value);
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_SLIX_WRITE_PWD, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_WRITE_PWD, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
}
switch (resp.status) {
case PM3_ETIMEOUT: {
PrintAndLogEx(WARNING, "no tag found");
break;
}
case PM3_EWRONGANSWER: {
PrintAndLogEx(WARNING, "password was not accepted");
break;
}
case PM3_SUCCESS: {
PrintAndLogEx(SUCCESS, "password written ( " _GREEN_("ok") " ) ");
break;
}
}
return resp.status;
}
static int CmdHF15AFIPassProtect(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 passprotectafi",
"Password protect AFI. Cannot be undone.",
"hf 15 passprotectafi -p 00000000 -c");
void *argtable[] = {
arg_param_begin,
arg_str1("p", "password", "<hex>", "EAS/AFI password, 8 hex bytes"),
arg_lit0("c", "confirm", "confirm the execution of this irreversible command"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
struct {
uint8_t pwd[4];
} PACKED payload;
int pwdlen = 0;
CLIGetHexWithReturn(ctx, 1, payload.pwd, &pwdlen);
bool confirmation = arg_get_lit(ctx, 2);
if(pwdlen != 4)
{
PrintAndLogEx(WARNING, "password must be 4 hex bytes");
return PM3_ESOFT;
}
if(confirmation == 0)
{
PrintAndLogEx(WARNING, "This irreversible command must be confirmed with the -c flag");
return PM3_ESOFT;
}
PrintAndLogEx(INFO, "Trying to enable AFI password protection");
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_SLIX_PASS_PROTECT_AFI, (uint8_t*)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_PASS_PROTECT_AFI, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
}
switch (resp.status) {
case PM3_ETIMEOUT: {
PrintAndLogEx(WARNING, "no tag found");
break;
}
case PM3_EWRONGANSWER: {
PrintAndLogEx(WARNING, "error enabling AFI password protection");
break;
}
case PM3_SUCCESS: {
PrintAndLogEx(SUCCESS, "AFI password protected ( " _GREEN_("ok") " ) ");
break;
}
}
return resp.status;
}
static int CmdHF15EASPassProtect(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 passprotecteas",
"Password protect EAS. Cannot be undone.",
"hf 15 passprotecteas -p 00000000 -c");
void *argtable[] = {
arg_param_begin,
arg_str1("p", "password", "<hex>", "EAS/AFI password, 8 hex bytes"),
arg_lit0("c", "confirm", "confirm the execution of this irreversible command"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
struct {
uint8_t pwd[4];
} PACKED payload;
int pwdlen = 0;
CLIGetHexWithReturn(ctx, 1, payload.pwd, &pwdlen);
bool confirmation = arg_get_lit(ctx, 2);
if(pwdlen != 4)
{
PrintAndLogEx(WARNING, "password must be 4 hex bytes");
return PM3_ESOFT;
}
if(confirmation == 0)
{
PrintAndLogEx(WARNING, "This irreversible command must be confirmed with the -c flag");
return PM3_ESOFT;
}
PrintAndLogEx(INFO, "Trying to enable EAS password protection");
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_SLIX_PASS_PROTECT_EAS, (uint8_t*)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_SLIX_PASS_PROTECT_EAS, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
}
switch (resp.status) {
case PM3_ETIMEOUT: {
PrintAndLogEx(WARNING, "no tag found");
break;
}
case PM3_EWRONGANSWER: {
PrintAndLogEx(WARNING, "error enabling EAS password protection");
break;
}
case PM3_SUCCESS: {
PrintAndLogEx(SUCCESS, "EAS password protected ( " _GREEN_("ok") " ) ");
break;
}
}
return resp.status;
}
static command_t CommandTable[] = {
{"-----------", CmdHF15Help, AlwaysAvailable, "--------------------- " _CYAN_("General") " ---------------------"},
{"help", CmdHF15Help, AlwaysAvailable, "This help"},
{"list", CmdHF15List, AlwaysAvailable, "List ISO-15693 history"},
{"demod", CmdHF15Demod, AlwaysAvailable, "Demodulate ISO-15693 from tag"},
{"dump", CmdHF15Dump, IfPm3Iso15693, "Read all memory pages of an ISO-15693 tag, save to file"},
{"info", CmdHF15Info, IfPm3Iso15693, "Tag information"},
{"sniff", CmdHF15Sniff, IfPm3Iso15693, "Sniff ISO-15693 traffic"},
{"raw", CmdHF15Raw, IfPm3Iso15693, "Send raw hex data to tag"},
{"rdbl", CmdHF15Readblock, IfPm3Iso15693, "Read a block"},
{"rdmulti", CmdHF15Readmulti, IfPm3Iso15693, "Reads multiple blocks"},
{"reader", CmdHF15Reader, IfPm3Iso15693, "Act like an ISO-15693 reader"},
{"restore", CmdHF15Restore, IfPm3Iso15693, "Restore from file to all memory pages of an ISO-15693 tag"},
{"samples", CmdHF15Samples, IfPm3Iso15693, "Acquire samples as reader (enables carrier, sends inquiry)"},
{"eload", CmdHF15ELoad, IfPm3Iso15693, "Load image file into emulator to be used by 'sim' command"},
{"esave", CmdHF15ESave, IfPm3Iso15693, "Save emulator memory into image file"},
{"eview", CmdHF15EView, IfPm3Iso15693, "View emulator memory"},
{"sim", CmdHF15Sim, IfPm3Iso15693, "Fake an ISO-15693 tag"},
{"slixdisable", CmdHF15SlixDisable, IfPm3Iso15693, "Disable privacy mode on SLIX ISO-15693 tag"},
{"wrbl", CmdHF15Write, IfPm3Iso15693, "Write a block"},
{"-----------", CmdHF15Help, IfPm3Iso15693, "----------------------- " _CYAN_("afi") " -----------------------"},
{"findafi", CmdHF15FindAfi, IfPm3Iso15693, "Brute force AFI of an ISO-15693 tag"},
{"writeafi", CmdHF15WriteAfi, IfPm3Iso15693, "Writes the AFI on an ISO-15693 tag"},
{"writedsfid", CmdHF15WriteDsfid, IfPm3Iso15693, "Writes the DSFID on an ISO-15693 tag"},
{"-----------", CmdHF15Help, IfPm3Iso15693, "----------------------- " _CYAN_("magic") " -----------------------"},
{"csetuid", CmdHF15CSetUID, IfPm3Iso15693, "Set UID for magic card"},
{"-----------", CmdHF15Help, AlwaysAvailable, "--------------------- " _CYAN_("General") " ---------------------"},
{"help", CmdHF15Help, AlwaysAvailable, "This help"},
{"list", CmdHF15List, AlwaysAvailable, "List ISO-15693 history"},
{"demod", CmdHF15Demod, AlwaysAvailable, "Demodulate ISO-15693 from tag"},
{"dump", CmdHF15Dump, IfPm3Iso15693, "Read all memory pages of an ISO-15693 tag, save to file"},
{"info", CmdHF15Info, IfPm3Iso15693, "Tag information"},
{"sniff", CmdHF15Sniff, IfPm3Iso15693, "Sniff ISO-15693 traffic"},
{"raw", CmdHF15Raw, IfPm3Iso15693, "Send raw hex data to tag"},
{"rdbl", CmdHF15Readblock, IfPm3Iso15693, "Read a block"},
{"rdmulti", CmdHF15Readmulti, IfPm3Iso15693, "Reads multiple blocks"},
{"reader", CmdHF15Reader, IfPm3Iso15693, "Act like an ISO-15693 reader"},
{"restore", CmdHF15Restore, IfPm3Iso15693, "Restore from file to all memory pages of an ISO-15693 tag"},
{"samples", CmdHF15Samples, IfPm3Iso15693, "Acquire samples as reader (enables carrier, sends inquiry)"},
{"eload", CmdHF15ELoad, IfPm3Iso15693, "Load image file into emulator to be used by 'sim' command"},
{"esave", CmdHF15ESave, IfPm3Iso15693, "Save emulator memory into image file"},
{"eview", CmdHF15EView, IfPm3Iso15693, "View emulator memory"},
{"sim", CmdHF15Sim, IfPm3Iso15693, "Fake an ISO-15693 tag"},
{"slixwritepwd", CmdHF15SlixWritePassword, IfPm3Iso15693, "Writes a password on a SLIX ISO-15693 tag"},
{"slixeasdisable", CmdHF15SlixEASDisable, IfPm3Iso15693, "Disable EAS mode on SLIX ISO-15693 tag"},
{"slixeasenable", CmdHF15SlixEASEnable, IfPm3Iso15693, "Enable EAS mode on SLIX ISO-15693 tag"},
{"slixprivacydisable", CmdHF15SlixDisable, IfPm3Iso15693, "Disable privacy mode on SLIX ISO-15693 tag"},
{"slixprivacyenable", CmdHF15SlixEnable, IfPm3Iso15693, "Enable privacy mode on SLIX ISO-15693 tag"},
{"passprotectafi", CmdHF15AFIPassProtect, IfPm3Iso15693, "Password protect AFI - Cannot be undone"},
{"passprotecteas", CmdHF15EASPassProtect, IfPm3Iso15693, "Password protect EAS - Cannot be undone"},
{"wrbl", CmdHF15Write, IfPm3Iso15693, "Write a block"},
{"-----------", CmdHF15Help, IfPm3Iso15693, "----------------------- " _CYAN_("afi") " -----------------------"},
{"findafi", CmdHF15FindAfi, IfPm3Iso15693, "Brute force AFI of an ISO-15693 tag"},
{"writeafi", CmdHF15WriteAfi, IfPm3Iso15693, "Writes the AFI on an ISO-15693 tag"},
{"writedsfid", CmdHF15WriteDsfid, IfPm3Iso15693, "Writes the DSFID on an ISO-15693 tag"},
{"-----------", CmdHF15Help, IfPm3Iso15693, "----------------------- " _CYAN_("magic") " -----------------------"},
{"csetuid", CmdHF15CSetUID, IfPm3Iso15693, "Set UID for magic card"},
{NULL, NULL, NULL, NULL}
};

2
client/src/cmdhflist.c
View file

@ -318,7 +318,7 @@ int applyIso14443a(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, bool i
snprintf(exp, size, "AUTH-B(%d)", cmd[1]);
break;
}
case MIFARE_MAGIC_GDM_AUTH_KEYA:{
case MIFARE_MAGIC_GDM_AUTH_KEYA: {
if (cmdsize > 3) {
snprintf(exp, size, "MAGIC AUTH-A(%d)", cmd[1]);
MifareAuthState = masNt;

1
client/src/cmdhfmfu.c
View file

@ -1472,6 +1472,7 @@ uint32_t GetHF14AMfU_Type(void) {
else if (memcmp(version, "\x00\x34\x21\x01\x01\x00\x0E", 7) == 0) { tagtype = UL_EV1_128; break; } // Mikron JSC Russia EV1 41 pages tag
else if (memcmp(version, "\x00\x04\x04\x01\x01\x00\x0B", 7) == 0) { tagtype = NTAG_210; break; }
else if (memcmp(version, "\x00\x04\x04\x01\x02\x00\x0B", 7) == 0) { tagtype = NTAG_210u; break; }
else if (memcmp(version, "\x00\x04\x04\x02\x02\x00\x0B", 7) == 0) { tagtype = NTAG_210u; break; }
else if (memcmp(version, "\x00\x04\x04\x01\x01\x00\x0E", 7) == 0) { tagtype = NTAG_212; break; }
else if (memcmp(version, "\x00\x04\x04\x02\x01\x00\x0F", 7) == 0) { tagtype = NTAG_213; break; }
else if (memcmp(version, "\x00\x53\x04\x02\x01\x00\x0F", 7) == 0) { tagtype = NTAG_213; break; } //Shanghai Feiju Microelectronics Co. Ltd. China (Xiaomi Air Purifier filter)

12
client/src/cmdhftesla.c
View file

@ -29,7 +29,7 @@
#include "commonutil.h" // get_sw
#include "protocols.h" // ISO7816 APDU return co-des
#include "ui.h"
#include "cmdhf14a.h" // apdu chaining
#include "cmdhf14a.h" // apdu chaining
#define TIMEOUT 2000
@ -160,10 +160,10 @@ static int info_hf_tesla(void) {
sw = get_sw(response, resplen);
if (sw == ISO7816_OK) {
// save CETT for later
// save CETT for later
uint8_t cert[515] = {0};
memcpy(cert, response, resplen - 2);
PrintAndLogEx(INFO, "CERT # %i", i);
PrintAndLogEx(INFO, "%s", sprint_hex_inrow(cert, resplen - 2));
}
@ -198,12 +198,12 @@ static int info_hf_tesla(void) {
PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") " ---------------------------");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "PUBLIC KEY");
for (int i=0; i < 3; i++) {
for (int i = 0; i < 3; i++) {
PrintAndLogEx(INFO, "%d - %s", i, sprint_hex_inrow(pk[i], 65));
}
if (form_factor[1] == 1) {
PrintAndLogEx(INFO, "Form factor... %s (card)", sprint_hex_inrow(form_factor, sizeof(form_factor)));
} else if (form_factor[1] == 2){
} else if (form_factor[1] == 2) {
PrintAndLogEx(INFO, "Form factor... %s (phone app)", sprint_hex_inrow(form_factor, sizeof(form_factor)));
}
@ -217,7 +217,7 @@ static int info_hf_tesla(void) {
if ((memcmp(pk[0], pk[1], 65) == 0)) {
PrintAndLogEx(INFO, " GaussKey detected");
}
//
//
return PM3_SUCCESS;
}

4
client/src/cmdhw.c
View file

@ -1298,6 +1298,10 @@ void pm3_version(bool verbose, bool oneliner) {
PrintAndLogEx(NORMAL, " FPC USART for BT add-on... %s", IfPm3FpcUsartHost() ? _GREEN_("present") : _YELLOW_("absent"));
} else {
PrintAndLogEx(NORMAL, " firmware.................. %s", _YELLOW_("PM3 GENERIC"));
if (IfPm3Flash()) {
PrintAndLogEx(NORMAL, " external flash............ %s", _GREEN_("present"));
}
if (IfPm3FpcUsartHost()) {
PrintAndLogEx(NORMAL, " FPC USART for BT add-on... %s", _GREEN_("present"));
}

2
client/src/cmdparser.c
View file

@ -38,7 +38,7 @@ bool IfPm3Present(void) {
bool IfPm3Rdv4Fw(void) {
if (!IfPm3Present())
return false;
return (g_pm3_capabilities.compiled_with_flash) || (g_pm3_capabilities.compiled_with_smartcard);
return (g_pm3_capabilities.is_rdv4);
}
bool IfPm3Flash(void) {

2
client/src/cmdscript.c
View file

@ -433,7 +433,7 @@ static int CmdScriptRun(const char *Cmd) {
#else
// The following line will implicitly pre-initialize Python
PyConfig_SetBytesArgv(&py_conf, argc + 1, argv);
// We disallowed in py_conf environment variables interfering with python interpreter's behavior.
// Let's manually enable the ones we truly need.
// This is required by Proxspace to work with an isolated Python configuration

17
client/src/pm3line_vocabulory.h
View file

@ -177,7 +177,13 @@ const static vocabulory_t vocabulory[] = {
{ 0, "hf 15 esave" },
{ 0, "hf 15 eview" },
{ 0, "hf 15 sim" },
{ 0, "hf 15 slixdisable" },
{ 0, "hf 15 slixwritepwd" },
{ 0, "hf 15 slixeasdisable" },
{ 0, "hf 15 slixeasenable" },
{ 0, "hf 15 slixprivacydisable" },
{ 0, "hf 15 slixprivacyenable" },
{ 0, "hf 15 passprotectafi" },
{ 0, "hf 15 passprotecteas" },
{ 0, "hf 15 wrbl" },
{ 0, "hf 15 findafi" },
{ 0, "hf 15 writeafi" },
@ -438,6 +444,12 @@ const static vocabulory_t vocabulory[] = {
{ 0, "hf st25ta protect" },
{ 0, "hf st25ta pwd" },
{ 0, "hf st25ta sim" },
{ 1, "hf tesla help" },
{ 0, "hf tesla info" },
{ 1, "hf tesla list" },
{ 1, "hf texkom help" },
{ 0, "hf texkom reader" },
{ 0, "hf texkom sim" },
{ 1, "hf thinfilm help" },
{ 0, "hf thinfilm info" },
{ 1, "hf thinfilm list" },
@ -453,9 +465,6 @@ const static vocabulory_t vocabulory[] = {
{ 0, "hf topaz rdbl" },
{ 1, "hf topaz view" },
{ 0, "hf topaz wrbl" },
{ 1, "hf texkom help" },
{ 0, "hf texkom reader" },
{ 0, "hf texkom sim" },
{ 1, "hf xerox help" },
{ 0, "hf xerox info" },
{ 0, "hf xerox reader" },

8
client/src/util.c
View file

@ -266,7 +266,7 @@ void print_hex_break(const uint8_t *data, const size_t len, uint8_t breaks) {
uint8_t mod = len % breaks;
if (mod) {
char buf[UTIL_BUFFER_SIZE_SPRINT + 3];
char buf[UTIL_BUFFER_SIZE_SPRINT + 3] = {0};
hex_to_buffer((uint8_t *)buf, data + i, mod, (sizeof(buf) - 1), 0, 1, true);
// add the spaces...
@ -291,7 +291,7 @@ void print_hex_noascii_break(const uint8_t *data, const size_t len, uint8_t brea
uint8_t mod = len % breaks;
if (mod) {
char buf[UTIL_BUFFER_SIZE_SPRINT + 3];
char buf[UTIL_BUFFER_SIZE_SPRINT + 3] = {0};
hex_to_buffer((uint8_t *)buf, data + i, mod, (sizeof(buf) - 1), 0, 0, true);
// add the spaces...
@ -307,7 +307,7 @@ static void print_buffer_ex(const uint8_t *data, const size_t len, int level, ui
if ((data == NULL) || (len < 1))
return;
char buf[UTIL_BUFFER_SIZE_SPRINT + 3];
char buf[UTIL_BUFFER_SIZE_SPRINT + 3] = {0};
int i;
for (i = 0; i < len; i += breaks) {
@ -614,7 +614,7 @@ void bytes_to_bytebits(const void *src, const size_t srclen, void *dest) {
// hh,gg,ff,ee,dd,cc,bb,aa, pp,oo,nn,mm,ll,kk,jj,ii
// up to 64 bytes or 512 bits
uint8_t *SwapEndian64(const uint8_t *src, const size_t len, const uint8_t blockSize) {
static uint8_t buf[64];
static uint8_t buf[64] = {0};
memset(buf, 0x00, 64);
uint8_t *tmp = buf;
for (uint8_t block = 0; block < (uint8_t)(len / blockSize); block++) {

1
common_arm/Makefile.hal
View file

@ -95,6 +95,7 @@ ifeq ($(PLATFORM),PM3RDV4)
PLATFORM_DEFS = -DWITH_SMARTCARD -DWITH_FLASH -DRDV4
PLTNAME = Proxmark3 RDV4
PLATFORM_FPGA = xc2s30
RDV4 = yes
else ifeq ($(PLATFORM),PM3OTHER)
$(warning PLATFORM=PM3OTHER is deprecated, please use PLATFORM=PM3GENERIC)
PLTNAME = Proxmark3 generic target

6
doc/T5577_Guide.md
View file

@ -393,8 +393,8 @@ required, please do not proceed.
| Hex Data | Binary Data |
|:--------:|:---------------------------------------|
| 00088040 | 000000000000100010000000111***0***0000 |
| 00088050 | 000000000000100010000000111***1***0000 |
| 000880E0 | 000000000000100010000000111***0***0000 |
| 000880F0 | 000000000000100010000000111***1***0000 |
See how in the above we changed the bit in location 28 from a 0 to 1
0 = No Password, 1 = Use Password
@ -533,7 +533,7 @@ required, please do not proceed.
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
```
Yes we can! We can see Block 0 is the correct config 00088040
Yes we can! We can see Block 0 is the correct config 000880E0
# Part 2 Configuration Blocks
^[Top](#top)

55
doc/commands.json
View file

@ -1101,14 +1101,16 @@
"command": "hf 14a chaining",
"description": "Enable/Disable ISO14443a input chaining. Maximum input length goes from ATS.",
"notes": [
"hf 14a chaining disable -> disable chaining",
"hf 14a chaining --off -> disable chaining",
"hf 14a chaining -> show chaining enable/disable state"
],
"offline": false,
"options": [
"-h, --help This help"
"-h, --help This help",
"-1, --on enabled chaining",
"-0, --off disable chaining"
],
"usage": "hf 14a chaining [-h] [<enable/disable or 0/1>]"
"usage": "hf 14a chaining [-h10]"
},
"hf 14a config": {
"command": "hf 14a config",
@ -2881,7 +2883,7 @@
},
"hf help": {
"command": "hf help",
"description": "-------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... } 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } jooki { Jooki RFIDs... } iclass { ICLASS RFIDs... } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } texkom { Texkom RFIDs... } xerox { Fuji/Xerox cartridge RFIDs... } waveshare { Waveshare NFC ePaper... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer search Search for known HF tags",
"description": "-------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... } 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } jooki { Jooki RFIDs... } iclass { ICLASS RFIDs... } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } tesla { TESLA Cards... } texkom { Texkom RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } xerox { Fuji/Xerox cartridge RFIDs... } waveshare { Waveshare NFC ePaper... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer search Search for known HF tags",
"notes": [],
"offline": true,
"options": [],
@ -6684,6 +6686,47 @@
],
"usage": "hf st25ta sim [-h] -u <hex>"
},
"hf tesla help": {
"command": "hf tesla help",
"description": "help This help list List ISO 14443A/7816 history",
"notes": [],
"offline": true,
"options": [],
"usage": ""
},
"hf tesla info": {
"command": "hf tesla info",
"description": "Get info about TESLA Key tag",
"notes": [
"hf tesla info"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "hf telsa info [-h]"
},
"hf tesla list": {
"command": "hf tesla list",
"description": "Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"notes": [
"hf tesla list --frame -> show frame delay times",
"hf tesla list -1 -> use trace buffer"
],
"offline": true,
"options": [
"-h, --help This help",
"-1, --buffer use data from trace buffer",
"--frame show frame delay times",
"-c mark CRC bytes",
"-r show relative times (gap and duration)",
"-u display times in microseconds instead of clock cycles",
"-x show hexdump to convert to pcap(ng)",
"or to import into Wireshark using encapsulation type \"ISO 14443\"",
"-f, --file <fn> filename of dictionary"
],
"usage": "hf tesla list [-h1crux] [--frame] [-f <fn>]"
},
"hf texkom help": {
"command": "hf texkom help",
"description": "help This help",
@ -11760,8 +11803,8 @@
}
},
"metadata": {
"commands_extracted": 739,
"commands_extracted": 742,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2023-01-15T01:24:39"
"extracted_on": "2023-01-27T01:57:37"
}
}

33
doc/commands.md
View file

@ -651,6 +651,28 @@ Check column "offline" for their availability.
|`hf st25ta sim `|N |`Fake ISO 14443A/ST tag`
### hf tesla
{ TESLA Cards... }
|command |offline |description
|------- |------- |-----------
|`hf tesla help `|Y |`This help`
|`hf tesla info `|N |`Tag information`
|`hf tesla list `|Y |`List ISO 14443A/7816 history`
### hf texkom
{ Texkom RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf texkom help `|Y |`This help`
|`hf texkom reader `|N |`Act like a Texkom reader`
|`hf texkom sim `|N |`Simulate a Texkom tag`
### hf thinfilm
{ Thinfilm RFIDs... }
@ -682,17 +704,6 @@ Check column "offline" for their availability.
|`hf topaz wrbl `|N |`Write block`
### hf texkom
{ Texkom RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf texkom help `|Y |`This help`
|`hf texkom reader `|N |`Act like a Texkom reader`
|`hf texkom sim `|N |`Simulate a Texkom tag`
### hf xerox
{ Fuji/Xerox cartridge RFIDs... }

35
doc/magic_cards_notes.md
View file

@ -1086,10 +1086,12 @@ CF <passwd> 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQ
CF <passwd> 68 <00-02> // Configure UID length
CF <passwd> 69 <00-01> // (De)Activate Ultralight mode
CF <passwd> 6A <00-03> // Select Ultralight mode
CF <passwd> 6B <1b> // Set Ultralight and M1 maximum read/write sectors
CF <passwd> C6 // Dump configuration
CF <passwd> CC // Factory test, returns 6666
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
CF <passwd> CE <1b block number> // Backdoor read 16b block
CF <passwd> CF <1b param> // Unknown
CF <passwd> F0 <30b configuration data> // Configure all params in one cmd
CF <passwd> F1 <30b configuration data> // Configure all params in one cmd and fuse the configuration permanently
CF <passwd> FE <4b new_password> // change password
@ -1304,6 +1306,19 @@ script run hf_mf_ultimatecard -m 02
```
Now the card supports the 3DES UL-C authentication.
### Set Ultralight and M1 maximum read/write sectors
^[Top](#top) ^^[Gen4](#g4top)
```
hf 14a raw -s -c -t 1000 CF<passwd>6B<1b blocks>
```
Hexadecimal, maximum sector data, default 0xFF, range 0x00-0xFF
Example: set maximum 63 blocks read/write for Mifare Classic 1K
```
hf 14a raw -s -c -t 1000 CF000000006B3F
```
### Set shadow mode (GTU)
^[Top](#top) ^^[Gen4](#g4top)
@ -1365,6 +1380,20 @@ Example: write block0 with factory data, default pwd
hf 14a raw -s -c -t 1000 CF00000000CD00112233441C000011778185BA18000000
```
### Unknown command
^[Top](#top) ^^[Gen4](#g4top)
This command modifies one byte in configuration dump, but purpose one is unknown.
```
hf 14a raw -s -c -t 1000 CF<passwd>CF<1b param>
```
* `<param>`
* `??`: ???
Example:
hf 14a raw -s -c -t 1000 CF00000000CF02
### Change backdoor password
^[Top](#top) ^^[Gen4](#g4top)
@ -1391,8 +1420,10 @@ hf 14a raw -s -c -t 1000 CF<passwd>C6
```
Default configuration:
```
00000000000002000978009102DABC191010111213141516040008004F6B
^^^^ ??
00000000000002000978009102DABC191010111213141516040008006B024F6B
^^^^ ??
^^ cf cmd cf: ?? this byte set by cmd cf<pwd>cf<param>, factory value 0x02
^^ cf cmd 6b: maximum read/write sectors, factory value 0x6b
^^ cf cmd 6a: UL mode
^^^^^^ cf cmd 35: ATQA/SAK
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cf cmd 34: ATS length & content

3
doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
View file

@ -111,6 +111,7 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo
| LF_NEDAP_SIM | LF Nedap ID simulator
| LF_NEXID | Nexwatch credentials detection mode - jrjgjk & Zolorah
| LF_PROXBRUTE | HID ProxII bruteforce - Brad Antoniewicz
| LF_PROX2BRUTE | HID ProxII bruteforce v2 - Yann Gascuel
| LF_SAMYRUN (def)| HID26 read/clone/sim - Samy Kamkar
| LF_SKELETON | standalone mode skeleton - Iceman1001
| LF_THAREXDE | LF EM4x50 simulator/read standalone mode - tharexde
@ -119,8 +120,8 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo
| HF_15SNIFF | 15693 sniff storing to flashmem - Glaser
| HF_AVEFUL | MIFARE Ultralight read/simulation - Ave Ozkal
| HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth storing in flashmem - Bogito
| HF_CRAFTBYTE | UID stealer - Emulates scanned 14a UID - Anze Jensterle
| HF_COLIN | Mifare ultra fast sniff/sim/clone - Colin Brigato
| HF_CRAFTBYTE | UID stealer - Emulates scanned 14a UID - Anze Jensterle
| HF_ICECLASS | iCLASS 4-1 mode sim/read & dump/loclass/glitch & config to flashmem - Iceman1001
| HF_LEGIC | HF Legic Prime Read/Store/Sim standalone - uhei
| HF_LEGICSIM | HF Legic Prime Simulate standalone - uhei

43
include/ansi.h
View file

@ -21,18 +21,45 @@
#define AEND "\x1b[0m"
#define _BLUE_(s) "\x1b[34m" s AEND
#define _RED_(s) "\x1b[31m" s AEND
#define _GREEN_(s) "\x1b[32m" s AEND
#define _YELLOW_(s) "\x1b[33m" s AEND
#define _MAGENTA_(s) "\x1b[35m" s AEND
#define _CYAN_(s) "\x1b[36m" s AEND
#define _WHITE_(s) "\x1b[37m" s AEND
#define _BLACK_(s) "\x1b[30m" s AEND
#define _RED_(s) "\x1b[31m" s AEND
#define _GREEN_(s) "\x1b[32m" s AEND
#define _YELLOW_(s) "\x1b[33m" s AEND
#define _BLUE_(s) "\x1b[34m" s AEND
#define _MAGENTA_(s) "\x1b[35m" s AEND
#define _CYAN_(s) "\x1b[36m" s AEND
#define _WHITE_(s) "\x1b[37m" s AEND
#define _BRIGHT_BLACK_(s) "\x1b[30;1m" s AEND
#define _BRIGHT_RED_(s) "\x1b[31;1m" s AEND
#define _BRIGHT_GREEN_(s) "\x1b[32;1m" s AEND
#define _BRIGHT_YELLOW_(s) "\x1b[33;1m" s AEND
#define _BRIGHT_BLUE_(s) "\x1b[34;1m" s AEND
#define _BRIGHT_MAGENTA_(s) "\x1b[35;1m" s AEND
#define _BRIGHT_CYAN_(s) "\x1b[36;1m" s AEND
#define _BRIGHT_WHITE_(s) "\x1b[37;1m" s AEND
#define _BACK_BLACK_(s) "\x1b[40m" s AEND
#define _BACK_RED_(s) "\x1b[41m" s AEND
#define _BACK_GREEN_(s) "\x1b[42m" s AEND
#define _BACK_YELLOW_(s) "\x1b[43m" s AEND
#define _BACK_BLUE_(s) "\x1b[44m" s AEND
#define _BACK_MAGENTA_(s) "\x1b[45m" s AEND
#define _BACK_CYAN_(s) "\x1b[46m" s AEND
#define _BACK_WHITE_(s) "\x1b[47m" s AEND
#define _BACK_BRIGHT_BLACK_(s) "\x1b[40;1m" s AEND
#define _BACK_BRIGHT_RED_(s) "\x1b[41;1m" s AEND
#define _BACK_BRIGHT_GREEN_(s) "\x1b[42;1m" s AEND
#define _BACK_BRIGHT_YELLOW_(s) "\x1b[43;1m" s AEND
#define _BACK_BRIGHT_BLUE_(s) "\x1b[44;1m" s AEND
#define _BACK_BRIGHT_MAGENTA_(s) "\x1b[45;1m" s AEND
#define _BACK_BRIGHT_CYAN_(s) "\x1b[46;1m" s AEND
#define _BACK_BRIGHT_WHITE_(s) "\x1b[47;1m" s AEND
#define _CLEAR_ "\x1b[2J"
#define _TOP_ "\x1b[1;1f"
#if defined(HAVE_READLINE)
// https://wiki.hackzine.org/development/misc/readline-color-prompt.html
// Applications may indicate that the prompt contains

11
include/pm3_cmd.h
View file

@ -205,6 +205,7 @@ typedef struct {
// rdv4
bool hw_available_flash : 1;
bool hw_available_smartcard : 1;
bool is_rdv4 : 1;
} PACKED capabilities_t;
#define CAPABILITIES_VERSION 6
extern capabilities_t g_pm3_capabilities;
@ -519,8 +520,14 @@ typedef struct {
#define CMD_HF_ISO15693_COMMAND 0x0313
#define CMD_HF_ISO15693_FINDAFI 0x0315
#define CMD_HF_ISO15693_CSETUID 0x0316
#define CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY 0x0317
#define CMD_HF_ISO15693_SLIX_L_DISABLE_AESAFI 0x0318
#define CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY 0x0867
#define CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY 0x0317
#define CMD_HF_ISO15693_SLIX_DISABLE_EAS 0x0318
#define CMD_HF_ISO15693_SLIX_ENABLE_EAS 0x0862
#define CMD_HF_ISO15693_SLIX_PASS_PROTECT_AFI 0x0863
#define CMD_HF_ISO15693_SLIX_PASS_PROTECT_EAS 0x0864
#define CMD_HF_ISO15693_SLIX_WRITE_PWD 0x0865
#define CMD_HF_ISO15693_WRITE_AFI 0x0866
#define CMD_HF_TEXKOM_SIMULATE 0x0320
#define CMD_HF_ISO15693_EML_CLEAR 0x0330
#define CMD_HF_ISO15693_EML_SETMEM 0x0331

6
tools/build_all_firmwares.sh
View file

@ -30,8 +30,10 @@ mkdir -p "$DEST"
mv bootrom/obj/bootrom.elf "$DEST/PM3BOOTROM.elf"
# cf armsrc/Standalone/Makefile.hal
STANDALONE_MODES=(LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN LF_THAREXDE LF_NEXID LF_NEDAP_SIM)
STANDALONE_MODES+=(HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_AVEFUL HF_BOG HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_TCPRST HF_TMUDFORD HF_YOUNG HF_REBLAY DANKARMULTI)
STANDALONE_MODES=(LF_SKELETON)
STANDALONE_MODES+=(LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_NEDAP_SIM LF_NEXID LF_PROXBRUTE LF_PROX2BRUTE LF_SAMYRUN LF_THAREXDE)
STANDALONE_MODES+=(HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_AVEFUL HF_BOG HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_REBLAY HF_TCPRST HF_TMUDFORD HF_YOUNG)
STANDALONE_MODES+=(DANKARMULTI)
STANDALONE_MODES_REQ_BT=(HF_REBLAY)
STANDALONE_MODES_REQ_SMARTCARD=()
STANDALONE_MODES_REQ_FLASH=(LF_HIDFCBRUTE LF_ICEHID LF_NEXID LF_THAREXDE HF_BOG HF_COLIN HF_ICECLASS HF_LEGICSIM HF_MFCSIM)