Merge branch 'master' of github.com:RfidResearchGroup/proxmark3 into fpga

iceman1001 2020-08-03 21:22:13 +02:00
commit 62d9b403b4
14 changed files with 368 additions and 240 deletions


@ -57,7 +57,7 @@ On the software side: quite a lot, see the [Changelog file](CHANGELOG.md).
This repo compiles nicely on
- Proxspace v3.x
- [latest release v3.4](https://github.com/Gator96100/ProxSpace/releases)
- [latest release v3.5](https://github.com/Gator96100/ProxSpace/releases)
- Windows/mingw environment with Qt5.6.1 & GCC 4.9
- Ubuntu 1604 -> 2004
- ParrotOS, Gentoo, Pentoo, Kali, Nethunter, Archlinux, Fedora, Debian
@ -109,8 +109,9 @@ Offical channels
- [Proxmark3 IRC channel](http://webchat.freenode.net/?channels=#proxmark3)
- [Proxmark3 sub reddit](https://www.reddit.com/r/proxmark3/)
- [Twitter](https://twitter.com/proxmark3/)
_no discord or slack channel_
- [Proxmark3 community discord server](https://discord.gg/zjxc8ZB)
_no slack channel_
Iceman has quite a few videos on his [youtube channel](https://www.youtube.com/c/ChrisHerrmann1001)


@ -20,7 +20,7 @@ endif
#in the next section to remove that particular feature from compilation.
# NO space,TABs after the "\" sign.
APP_CFLAGS = $(PLATFORM_DEFS) \
-ffunction-sections -fdata-sections -fno-common
-ffunction-sections -fdata-sections
SRC_LF = lfops.c lfsampling.c pcf7931.c lfdemod.c lfadc.c
SRC_ISO15693 = iso15693.c iso15693tools.c
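Review bot: The direction of the `-fno-common` change on the `APP_CFLAGS` continuation line cannot be read with certainty from this rendering, but if the flag is being dropped the firmware build becomes toolchain-dependent: GCC 10 and later default to `-fno-common`, while older arm-none-eabi toolchains still default to `-fcommon`, so a duplicate uninitialised global across armsrc objects would link silently on one and fail on the other. Keeping it explicit, `APP_CFLAGS = $(PLATFORM_DEFS) \` followed by `-ffunction-sections -fdata-sections -fno-common`, gives the same behaviour everywhere. The `APP_CFLAGS` assignment may continue past the hunk if further continuation lines follow.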


@ -11,7 +11,7 @@ show_usage()
{
echo
echo "Usage:"
echo "${0##/} input_eml_without_extension output.pm3scr"
echo "${0##/} input_eml_without_extension output.cmd"
exit
}
@ -32,4 +32,4 @@ rm $2
echo "hf mf eclr" >> $2
echo "hf mf eload" $1 >> $2
echo "hf mf ekeyprn" >> $2
echo "hf mf sim" `cat $1.eml | (read -n 8 uid; echo $uid)` >> $2
echo "hf mf sim u" `cat $1.eml | (read -n 8 uid; echo $uid)` >> $2
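Review bot: `$1` and `$2` are unquoted throughout, including in the new `hf mf sim u` line and in `rm $2` above it, so an argument containing spaces or glob characters is word-split or expanded before it reaches `rm`, `cat` and the `>>` redirections; quote them as `"$1.eml"` and `>> "$2"`. The UID extraction `cat $1.eml | (read -n 8 uid; echo $uid)` can be written as `head -c 8 "$1.eml"` without the subshell, and since `read -n` is bash-specific either way, the shebang should be `#!/bin/bash` if it is not already (the file header is outside the hunk). Separately, `${0##/}` in `show_usage` strips only a single leading slash; the basename idiom is `${0##*/}`.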


@ -32,7 +32,7 @@ static int usage_lto_info(void) {
PrintAndLogEx(NORMAL, " h this help");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " hf lto info");
PrintAndLogEx(NORMAL, _YELLOW_(" hf lto info"));
return PM3_SUCCESS;
}
@ -44,7 +44,7 @@ static int usage_lto_rdbl(void) {
PrintAndLogEx(NORMAL, " e end block in decimal <= 254");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " hf lto rdbl s 0 e 254 - Read data block from 0 to 254");
PrintAndLogEx(NORMAL, _YELLOW_(" hf lto rdbl s 0 e 254") " - Read data block from 0 to 254");
return PM3_SUCCESS;
}
@ -56,8 +56,7 @@ static int usage_lto_wrbl(void) {
PrintAndLogEx(NORMAL, " d 32 bytes of data to write (64 hex characters, no space)");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " hf lto wrbl b 128 d 0001020304050607080910111213141516171819202122232425262728293031 - write 00..31 to block address 128");
PrintAndLogEx(NORMAL, " Use 'hf lto rdbl' for verification");
PrintAndLogEx(NORMAL, _YELLOW_(" hf lto wrbl b 128 d 0001020304050607080910111213141516171819202122232425262728293031") " - write 00..31 to block address 128");
return PM3_SUCCESS;
}
@ -68,7 +67,7 @@ static int usage_lto_dump(void) {
PrintAndLogEx(NORMAL, " f file name");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " hf lto dump f myfile");
PrintAndLogEx(NORMAL, _YELLOW_(" hf lto dump f myfile"));
return PM3_SUCCESS;
}
@ -79,7 +78,7 @@ static int usage_lto_restore(void) {
PrintAndLogEx(NORMAL, " f file name [.bin|.eml]");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " hf lto restore f hf_lto_92C7842CFF.bin|.eml");
PrintAndLogEx(NORMAL, _YELLOW_(" hf lto restore f hf_lto_92C7842CFF.bin|.eml"));
return PM3_SUCCESS;
}
@ -180,8 +179,7 @@ static int CmdHfLTOInfo(const char *Cmd) {
//Validations
if (errors) {
usage_lto_info();
return PM3_EINVARG;
return usage_lto_info();
}
return infoLTO(true);
@ -384,7 +382,7 @@ static int CmdHfLTOWriteBlock(const char *Cmd) {
bool b_opt_selected = false;
bool d_opt_selected = false;
uint8_t blk = 128;
uint8_t blkData[32] = {0};
uint8_t block_data[32] = {0};
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (tolower(param_getchar(Cmd, cmdp))) {
@ -396,7 +394,7 @@ static int CmdHfLTOWriteBlock(const char *Cmd) {
cmdp += 2;
break;
case 'd':
if (param_gethex(Cmd, cmdp + 1, blkData, 64)) {
if (param_gethex(Cmd, cmdp + 1, block_data, 64)) {
PrintAndLogEx(WARNING, "block data must include 64 HEX symbols");
errors = true;
break;
@ -413,14 +411,17 @@ static int CmdHfLTOWriteBlock(const char *Cmd) {
//Validations
if (errors) {
usage_lto_wrbl();
return PM3_EINVARG;
return usage_lto_wrbl();
} else if (b_opt_selected == false || d_opt_selected == false) {
PrintAndLogEx(WARNING, "Need to specify block address and data. See usage, h option");
return PM3_EINVARG;
PrintAndLogEx(WARNING, "Need to specify block address and data.");
return usage_lto_wrbl();
}
return wrblLTO(blk, blkData, true);
int res = wrblLTO(blk, block_data, true);
if (res == PM3_SUCCESS)
PrintAndLogEx(HINT, "Try use 'hf lto rdbl' for verification");
return res;
}
int dumpLTO(uint8_t *dump, bool verbose) {
@ -446,11 +447,9 @@ int dumpLTO(uint8_t *dump, bool verbose) {
ret_val = lto_rdbl(i, block_data_d00_d15, block_data_d16_d31, verbose);
if (ret_val == PM3_SUCCESS) {
//Remove CRCs
for (int t = 0; t < 16; t++) {
dump[t + i * 32] = block_data_d00_d15[t];
dump[t + i * 32 + 16] = block_data_d16_d31[t];
}
// remove CRCs
memcpy(dump + i * 32, block_data_d00_d15, 16);
memcpy(dump + (i * 32) + 16, block_data_d16_d31, 16);
} else {
lto_switch_off_field();
return ret_val;
@ -467,7 +466,6 @@ static int CmdHfLTODump(const char *Cmd) {
bool errors = false;
uint32_t dump_len = CM_MEM_MAX_SIZE;
char filename[FILE_PATH_SIZE] = {0};
char serial_number[10] = {0};
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (tolower(param_getchar(Cmd, cmdp))) {
@ -488,39 +486,32 @@ static int CmdHfLTODump(const char *Cmd) {
}
}
//Validations
if (errors) {
usage_lto_dump();
return PM3_EINVARG;
}
// alloc memory
uint8_t *dump = calloc(dump_len, sizeof(uint8_t));
if (!dump) {
PrintAndLogEx(ERR, "error, cannot allocate memory");
return PM3_EMALLOC;
}
// loop all blocks
int ret_val = dumpLTO(dump, true);
if (ret_val != PM3_SUCCESS) {
free(dump);
return ret_val;
}
// save to file
if (filename[0] == '\0') {
memcpy(serial_number, sprint_hex_inrow(dump, sizeof(serial_number)), sizeof(serial_number));
char tmp_name[17] = "hf_lto_";
strcat(tmp_name, serial_number);
memcpy(filename, tmp_name, sizeof(tmp_name));
char *fptr = filename;
fptr += sprintf(fptr, "hf-lto-");
FillFileNameByUID(fptr, dump, "-dump", 5);
}
saveFile(filename, ".bin", dump, dump_len);
saveFileEML(filename, dump, dump_len, 32);
// free memory
free(dump);
return PM3_SUCCESS;
}
@ -539,16 +530,14 @@ int restoreLTO(uint8_t *dump, bool verbose) {
return ret_val;
}
uint8_t blkData[32] = {0};
uint8_t block_data[32] = {0};
//Block address 0 and 1 are read-only
for (uint8_t blk = 2; blk < 255; blk++) {
for (int i = 0; i < 32; i++) {
blkData[i] = dump[i + blk * 32];
}
memcpy(block_data, dump + (blk * 32), 32);
ret_val = lto_wrbl(blk, blkData, verbose);
ret_val = lto_wrbl(blk, block_data, verbose);
if (ret_val == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "Block %03d - " _YELLOW_("write success"), blk);
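Review bot: In the `CmdHfLTODump` hunk the return values of `saveFile` and `saveFileEML` are discarded, so the command reports `PM3_SUCCESS` even when neither file could be written; capture the status, e.g. `int res = saveFile(filename, ".bin", dump, dump_len);` followed by `saveFileEML(filename, dump, dump_len, 32);` and `return res;` after `free(dump)` in place of `return PM3_SUCCESS;` (this assumes `saveFile` returns a PM3 status like the other file helpers — worth confirming). The new name construction `fptr += sprintf(fptr, "hf-lto-");` writes into `filename[FILE_PATH_SIZE]` unchecked; `snprintf(fptr, sizeof(filename), "hf-lto-")` is the bounded form, and `FillFileNameByUID` is then trusted to stay within the remaining `FILE_PATH_SIZE - 7` bytes, which is not visible here. `CmdHfLTODump` starts before the hunk, and the `restoreLTO` loop that reads `dump + (blk * 32)` up to block 254 continues past the last hunk.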


@ -27,7 +27,7 @@
static int CmdHelp(const char *Cmd);
static int usage_sm_raw(void) {
PrintAndLogEx(NORMAL, "Usage: sc raw [h|r|c] d <0A 0B 0C ... hex>");
PrintAndLogEx(NORMAL, "Usage: smart raw [h|r|c] d <0A 0B 0C ... hex>");
PrintAndLogEx(NORMAL, " h : this help");
PrintAndLogEx(NORMAL, " r : do not read response");
PrintAndLogEx(NORMAL, " a : active smartcard without select (reset sc module)");
@ -37,58 +37,58 @@ static int usage_sm_raw(void) {
PrintAndLogEx(NORMAL, " d <bytes> : bytes to send");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " sc raw s 0 d 00a404000e315041592e5359532e4444463031 - `1PAY.SYS.DDF01` PPSE directory with get ATR");
PrintAndLogEx(NORMAL, " sc raw 0 d 00a404000e325041592e5359532e4444463031 - `2PAY.SYS.DDF01` PPSE directory");
PrintAndLogEx(NORMAL, " sc raw 0 t d 00a4040007a0000000041010 - Mastercard");
PrintAndLogEx(NORMAL, " sc raw 0 t d 00a4040007a0000000031010 - Visa");
PrintAndLogEx(NORMAL, " smart raw s 0 d 00a404000e315041592e5359532e4444463031 - `1PAY.SYS.DDF01` PPSE directory with get ATR");
PrintAndLogEx(NORMAL, " smart raw 0 d 00a404000e325041592e5359532e4444463031 - `2PAY.SYS.DDF01` PPSE directory");
PrintAndLogEx(NORMAL, " smart raw 0 t d 00a4040007a0000000041010 - Mastercard");
PrintAndLogEx(NORMAL, " smart raw 0 t d 00a4040007a0000000031010 - Visa");
return PM3_SUCCESS;
}
static int usage_sm_reader(void) {
PrintAndLogEx(NORMAL, "Usage: sc reader [h|s]");
PrintAndLogEx(NORMAL, "Usage: smart reader [h|s]");
PrintAndLogEx(NORMAL, " h : this help");
PrintAndLogEx(NORMAL, " s : silent (no messages)");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " sc reader");
PrintAndLogEx(NORMAL, " smart reader");
return PM3_SUCCESS;
}
static int usage_sm_info(void) {
PrintAndLogEx(NORMAL, "Usage: sc info [h|s]");
PrintAndLogEx(NORMAL, "Usage: smart info [h|s]");
PrintAndLogEx(NORMAL, " h : this help");
PrintAndLogEx(NORMAL, " s : silent (no messages)");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " sc info");
PrintAndLogEx(NORMAL, " smart info");
return PM3_SUCCESS;
}
static int usage_sm_upgrade(void) {
PrintAndLogEx(NORMAL, "Upgrade RDV4.0 Sim module firmware");
PrintAndLogEx(NORMAL, "Usage: sc upgrade f <file name>");
PrintAndLogEx(NORMAL, "Usage: smart upgrade f <file name>");
PrintAndLogEx(NORMAL, " h : this help");
PrintAndLogEx(NORMAL, " f <filename> : firmware file name");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " sc upgrade f ../tools/simmodule/sim011.bin");
PrintAndLogEx(NORMAL, " smart upgrade f ../tools/simmodule/sim011.bin");
return PM3_SUCCESS;
}
static int usage_sm_setclock(void) {
PrintAndLogEx(NORMAL, "Usage: sc setclock [h] c <clockspeed>");
PrintAndLogEx(NORMAL, "Usage: smart setclock [h] c <clockspeed>");
PrintAndLogEx(NORMAL, " h : this help");
PrintAndLogEx(NORMAL, " c <> : clockspeed (0 = 16MHz, 1=8MHz, 2=4MHz) ");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " sc setclock c 2");
PrintAndLogEx(NORMAL, " smart setclock c 2");
return PM3_SUCCESS;
}
static int usage_sm_brute(void) {
PrintAndLogEx(NORMAL, "Tries to bruteforce SFI, using a known list of AID's ");
PrintAndLogEx(NORMAL, "Usage: sc brute [h]");
PrintAndLogEx(NORMAL, "Usage: smart brute [h]");
PrintAndLogEx(NORMAL, " h : this help");
PrintAndLogEx(NORMAL, " t : executes TLV decoder if it possible");
// PrintAndLogEx(NORMAL, " 0 : use protocol T=0");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " sc brute t");
PrintAndLogEx(NORMAL, " smart brute t");
return PM3_SUCCESS;
}
@ -1203,3 +1203,4 @@ bool smart_select(bool silent, smart_card_atr_t *atr) {
return true;
}


@ -36,7 +36,7 @@ static int usage_usart_bt_pin(void) {
PrintAndLogEx(NORMAL, " d NNNN Desired PIN");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Example:");
PrintAndLogEx(NORMAL, " usart btpin 1234");
PrintAndLogEx(NORMAL, " usart btpin d 1234");
PrintAndLogEx(NORMAL, "expected output: nothing");
return PM3_SUCCESS;
}


@ -332,41 +332,43 @@ uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb) {
uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb) {
uint32_t ret = 0;
ret |= lfsr_rollback_bit(s, BEBIT(in, 31), fb) << (31 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 30), fb) << (30 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 29), fb) << (29 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 28), fb) << (28 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 27), fb) << (27 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 26), fb) << (26 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 25), fb) << (25 ^ 24);
// note: xor args have been swapped because some compilers emit a warning
// for 10^x and 2^x as possible misuses for exponentiation. No comment.
ret |= lfsr_rollback_bit(s, BEBIT(in, 31), fb) << (24 ^ 31);
ret |= lfsr_rollback_bit(s, BEBIT(in, 30), fb) << (24 ^ 30);
ret |= lfsr_rollback_bit(s, BEBIT(in, 29), fb) << (24 ^ 29);
ret |= lfsr_rollback_bit(s, BEBIT(in, 28), fb) << (24 ^ 28);
ret |= lfsr_rollback_bit(s, BEBIT(in, 27), fb) << (24 ^ 27);
ret |= lfsr_rollback_bit(s, BEBIT(in, 26), fb) << (24 ^ 26);
ret |= lfsr_rollback_bit(s, BEBIT(in, 25), fb) << (24 ^ 25);
ret |= lfsr_rollback_bit(s, BEBIT(in, 24), fb) << (24 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 23), fb) << (23 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 22), fb) << (22 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 21), fb) << (21 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 20), fb) << (20 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 19), fb) << (19 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 18), fb) << (18 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 17), fb) << (17 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 16), fb) << (16 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 23), fb) << (24 ^ 23);
ret |= lfsr_rollback_bit(s, BEBIT(in, 22), fb) << (24 ^ 22);
ret |= lfsr_rollback_bit(s, BEBIT(in, 21), fb) << (24 ^ 21);
ret |= lfsr_rollback_bit(s, BEBIT(in, 20), fb) << (24 ^ 20);
ret |= lfsr_rollback_bit(s, BEBIT(in, 19), fb) << (24 ^ 19);
ret |= lfsr_rollback_bit(s, BEBIT(in, 18), fb) << (24 ^ 18);
ret |= lfsr_rollback_bit(s, BEBIT(in, 17), fb) << (24 ^ 17);
ret |= lfsr_rollback_bit(s, BEBIT(in, 16), fb) << (24 ^ 16);
ret |= lfsr_rollback_bit(s, BEBIT(in, 15), fb) << (15 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 14), fb) << (14 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 13), fb) << (13 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 12), fb) << (12 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 11), fb) << (11 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 10), fb) << (10 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 9), fb) << (9 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 8), fb) << (8 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 15), fb) << (24 ^ 15);
ret |= lfsr_rollback_bit(s, BEBIT(in, 14), fb) << (24 ^ 14);
ret |= lfsr_rollback_bit(s, BEBIT(in, 13), fb) << (24 ^ 13);
ret |= lfsr_rollback_bit(s, BEBIT(in, 12), fb) << (24 ^ 12);
ret |= lfsr_rollback_bit(s, BEBIT(in, 11), fb) << (24 ^ 11);
ret |= lfsr_rollback_bit(s, BEBIT(in, 10), fb) << (24 ^ 10);
ret |= lfsr_rollback_bit(s, BEBIT(in, 9), fb) << (24 ^ 9);
ret |= lfsr_rollback_bit(s, BEBIT(in, 8), fb) << (24 ^ 8);
ret |= lfsr_rollback_bit(s, BEBIT(in, 7), fb) << (7 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 6), fb) << (6 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 5), fb) << (5 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 4), fb) << (4 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 3), fb) << (3 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 2), fb) << (2 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 1), fb) << (1 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 0), fb) << (0 ^ 24);
ret |= lfsr_rollback_bit(s, BEBIT(in, 7), fb) << (24 ^ 7);
ret |= lfsr_rollback_bit(s, BEBIT(in, 6), fb) << (24 ^ 6);
ret |= lfsr_rollback_bit(s, BEBIT(in, 5), fb) << (24 ^ 5);
ret |= lfsr_rollback_bit(s, BEBIT(in, 4), fb) << (24 ^ 4);
ret |= lfsr_rollback_bit(s, BEBIT(in, 3), fb) << (24 ^ 3);
ret |= lfsr_rollback_bit(s, BEBIT(in, 2), fb) << (24 ^ 2);
ret |= lfsr_rollback_bit(s, BEBIT(in, 1), fb) << (24 ^ 1);
ret |= lfsr_rollback_bit(s, BEBIT(in, 0), fb) << (24 ^ 0);
return ret;
}
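Review bot: The new comment on the `lfsr_rollback_word` shift lines explains why the operands were swapped but not what `24 ^ i` does, which is the non-obvious part: `24 ^ i` inverts bits 3 and 4 of the bit index, so bit i is placed in the mirrored byte (0–7 → 24–31, 8–15 → 16–23, 16–23 → 8–15, 24–31 → 0–7), i.e. the word is assembled with its byte order reversed relative to the `BEBIT` reads. A comment such as `// 24 ^ i swaps the byte position of bit i (byte 0 <-> 3, 1 <-> 2)` would say this, and the trailing "No comment." adds nothing. The same remark applies to the `crypto1_word` hunk in the next file section, which carries the identical comment. If performance allows, the 32 statements collapse to a single loop over i (keeping the 31-down-to-0 order, since each `lfsr_rollback_bit` call advances the state), but the unrolling may be deliberate.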


@ -103,41 +103,43 @@ uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted) {
}
uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted) {
uint32_t ret = 0;
ret |= crypto1_bit(s, BEBIT(in, 0), is_encrypted) << (0 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 1), is_encrypted) << (1 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 2), is_encrypted) << (2 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 3), is_encrypted) << (3 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 4), is_encrypted) << (4 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 5), is_encrypted) << (5 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 6), is_encrypted) << (6 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 7), is_encrypted) << (7 ^ 24);
// note: xor args have been swapped because some compilers emit a warning
// for 10^x and 2^x as possible misuses for exponentiation. No comment.
ret |= crypto1_bit(s, BEBIT(in, 0), is_encrypted) << (24 ^ 0);
ret |= crypto1_bit(s, BEBIT(in, 1), is_encrypted) << (24 ^ 1);
ret |= crypto1_bit(s, BEBIT(in, 2), is_encrypted) << (24 ^ 2);
ret |= crypto1_bit(s, BEBIT(in, 3), is_encrypted) << (24 ^ 3);
ret |= crypto1_bit(s, BEBIT(in, 4), is_encrypted) << (24 ^ 4);
ret |= crypto1_bit(s, BEBIT(in, 5), is_encrypted) << (24 ^ 5);
ret |= crypto1_bit(s, BEBIT(in, 6), is_encrypted) << (24 ^ 6);
ret |= crypto1_bit(s, BEBIT(in, 7), is_encrypted) << (24 ^ 7);
ret |= crypto1_bit(s, BEBIT(in, 8), is_encrypted) << (8 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 9), is_encrypted) << (9 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 10), is_encrypted) << (10 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 11), is_encrypted) << (11 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 12), is_encrypted) << (12 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 13), is_encrypted) << (13 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 14), is_encrypted) << (14 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 15), is_encrypted) << (15 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 8), is_encrypted) << (24 ^ 8);
ret |= crypto1_bit(s, BEBIT(in, 9), is_encrypted) << (24 ^ 9);
ret |= crypto1_bit(s, BEBIT(in, 10), is_encrypted) << (24 ^ 10);
ret |= crypto1_bit(s, BEBIT(in, 11), is_encrypted) << (24 ^ 11);
ret |= crypto1_bit(s, BEBIT(in, 12), is_encrypted) << (24 ^ 12);
ret |= crypto1_bit(s, BEBIT(in, 13), is_encrypted) << (24 ^ 13);
ret |= crypto1_bit(s, BEBIT(in, 14), is_encrypted) << (24 ^ 14);
ret |= crypto1_bit(s, BEBIT(in, 15), is_encrypted) << (24 ^ 15);
ret |= crypto1_bit(s, BEBIT(in, 16), is_encrypted) << (16 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 17), is_encrypted) << (17 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 18), is_encrypted) << (18 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 19), is_encrypted) << (19 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 20), is_encrypted) << (20 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 21), is_encrypted) << (21 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 22), is_encrypted) << (22 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 23), is_encrypted) << (23 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 16), is_encrypted) << (24 ^ 16);
ret |= crypto1_bit(s, BEBIT(in, 17), is_encrypted) << (24 ^ 17);
ret |= crypto1_bit(s, BEBIT(in, 18), is_encrypted) << (24 ^ 18);
ret |= crypto1_bit(s, BEBIT(in, 19), is_encrypted) << (24 ^ 19);
ret |= crypto1_bit(s, BEBIT(in, 20), is_encrypted) << (24 ^ 20);
ret |= crypto1_bit(s, BEBIT(in, 21), is_encrypted) << (24 ^ 21);
ret |= crypto1_bit(s, BEBIT(in, 22), is_encrypted) << (24 ^ 22);
ret |= crypto1_bit(s, BEBIT(in, 23), is_encrypted) << (24 ^ 23);
ret |= crypto1_bit(s, BEBIT(in, 24), is_encrypted) << (24 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 25), is_encrypted) << (25 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 26), is_encrypted) << (26 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 27), is_encrypted) << (27 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 28), is_encrypted) << (28 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 29), is_encrypted) << (29 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 30), is_encrypted) << (30 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 31), is_encrypted) << (31 ^ 24);
ret |= crypto1_bit(s, BEBIT(in, 25), is_encrypted) << (24 ^ 25);
ret |= crypto1_bit(s, BEBIT(in, 26), is_encrypted) << (24 ^ 26);
ret |= crypto1_bit(s, BEBIT(in, 27), is_encrypted) << (24 ^ 27);
ret |= crypto1_bit(s, BEBIT(in, 28), is_encrypted) << (24 ^ 28);
ret |= crypto1_bit(s, BEBIT(in, 29), is_encrypted) << (24 ^ 29);
ret |= crypto1_bit(s, BEBIT(in, 30), is_encrypted) << (24 ^ 30);
ret |= crypto1_bit(s, BEBIT(in, 31), is_encrypted) << (24 ^ 31);
return ret;
}


@ -3,8 +3,8 @@
|Generic|Low Frequence 125 kHz|High Frequence 13.56 MHz|
|---|---|---|
|[Generic](#Generic)|[T55XX](#T55XX)|[Mifare](#Mifare)|
|[Data](#Data)|[HID Prox](#HID-Prox)|[iClass](#iClass)|
|[Generic](#Generic)|[T55XX](#T55XX)|[MIFARE](#MIFARE)|
|[Data](#Data)|[HID Prox](#HID-Prox)|[iCLASS](#iCLASS)|
|[Memory](#Memory)|[Indala](#Indala)||
|[Sim Module](#Sim-Module)|[Hitag](#Hitag)||
|[Lua Scripts](#Lua-Scripts)|||
@ -39,10 +39,10 @@ Check overall status
pm3 --> hw status
```
## iClass
## iCLASS
^[Top](#top)
Reverse permute iClass master key
Reverse permute iCLASS master key
```
Options
---
@ -51,12 +51,13 @@ r reverse permuted key
pm3 --> hf iclass permute r 3F90EBF0910F7B6F
```
iClass Reader
iCLASS Reader
```
pm3 --> hf iclass reader
```
Dump iClass card contents
Dump iCLASS card contents
```
Options
---
@ -65,7 +66,7 @@ k <key> : *Access Key as 16 hex symbols or 1 hex to select key from memory
m3 --> hf iclass dump k 0
```
Read iClass Block
Read iCLASS Block
```
Options
---
@ -75,7 +76,7 @@ k <key> : Access Key as 16 hex symbols or 1 hex to select key from memory
pm3 --> hf iclass rdbl b 7 k 0
```
Write to iClass Block
Write to iCLASS Block
```
Options
---
@ -105,21 +106,44 @@ k <key> : set a key in memory
pm3 --> hf iclass managekeys n 3 k AFA785A7DAB33378
```
Encrypt iClass Block
```
pm3 --> hf iclass encrypt 0000000f2aa3dba8
```
Load iClass dump into memory for simulation
Encrypt iCLASS Block
```
Options
---
f <filename> : load iclass tag-dump filename
d <block data> : 16 bytes hex
k <transport key> : 16 bytes hex
pm3 --> hf iclass encrypt d 0000000f2aa3dba8
```
Decrypt iCLASS Block / file
```
Options
---
d <encrypted blk> : 16 bytes hex
f <filename> : filename of dump
k <transport key> : 16 bytes hex
pm3 --> hf iclass decrypt d 2AD4C8211F996871
pm3 --> hf iclass decrypt f hf-iclass-db883702f8ff12e0.bin
```
Load iCLASS dump into memory for simulation
```
Options
---
f <filename> : load iCLASS tag-dump filename
pm3 --> hf iclass eload f hf-iclass-db883702f8ff12e0.bin
```
Simulate iClass
Clone iCLASS Legacy Sequence
```
pm3 --> hf iclass rdbl b 7 k 0
pm3 --> hf iclass wrbl b 7 d 6ce099fe7e614fd0 k 0
```
Simulate iCLASS
```
Options
---
@ -132,20 +156,14 @@ Options
pm3 --> hf iclass sim 3
```
Clone iClass Legacy Sequence
```
pm3 --> hf iclass rdbl b 7 k 0
pm3 --> hf iclass wrbl b 7 d 6ce099fe7e614fd0 k 0
```
Simulate iClass Sequence
Simulate iCLASS Sequence
```
pm3 --> hf iclass dump k 0
pm3 --> hf iclass eload f hf-iclass-db883702f8ff12e0.bin
pm3 --> hf iclass sim 3
```
Extract custom iClass key (loclass attack)
Extract custom iCLASS key (loclass attack)
```
Options
---
@ -155,14 +173,15 @@ e : If 'e' is specified, elite computations applied to key
pm3 --> hf iclass sim 2
pm3 --> hf iclass loclass f iclass_mac_attack.bin
pm3 --> hf iclass dump k <Kcus> e
pm3 --> hf iclass managekeys n 7 k <Kcus>
pm3 --> hf iclass dump k 7 e
```
Verify custom iClass key
Verify custom iCLASS key
```
Options
---
f <filename> : Dictionary file with default iclass keys
f <filename> : Dictionary file with default iCLASS keys
u : CSN
p : EPURSE
m : macs
@ -171,7 +190,7 @@ e : elite
pm3 --> hf iclass lookup u 010a0ffff7ff12e0 p feffffffffffffff m 66348979153c41b9 f iclass_default_keys e
```
## Mifare
## MIFARE
^[Top](#top)
Check for default keys
@ -196,11 +215,11 @@ m : use dictionary from flashmemory
pm3 --> hf mf fchk 1 m
```
Dump Mifare card contents
Dump MIFARE card contents
```
Options
---
<card memory> : 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K
<card memory> : 0 = 320 bytes (MIFARE Mini), 1 = 1K (default), 2 = 2K, 4 = 4K
k <name> : key filename, if no <name> given, UID will be used as filename"
f <name> : data filename, if no <name> given, UID will be used as filename
@ -217,7 +236,7 @@ i <file> : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is us
pm3 --> script run dumptoemul -i dumpdata.bin
```
Write to Mifare block
Write to MIFARE block
```
Options
---
@ -226,7 +245,7 @@ Options
pm3 --> hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016
```
Run autopwn
Run autopwn, to backup a MIFARE tag
```
Options
---
@ -234,7 +253,7 @@ Options
pm3 --> hf mf autopwn
```
Run Hardnested attack
Run hardnested attack
```
Options
---
@ -244,25 +263,25 @@ w : Acquire nonces and write them to binary file nonces.bin
pm3 --> hf mf hardnested 0 A 8829da9daf76 0 A w
```
Load Mifare emul dump file into memory for simulation
Load MIFARE emul dump file into memory for simulation
```
Options
---
<card memory> <file name w/o `.eml`>
[card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL
[card memory]: 0 = 320 bytes (MIFARE Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL
pm3 --> hf mf eload hf-mf-353C2AA6
pm3 --> hf mf eload 1 hf-mf-353C2AA6
```
Simulate Mifare
Simulate MIFARE
```
u : (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used
pm3 --> hf mf sim u 353c2aa6
```
Simulate Mifare Sequence
Simulate MIFARE Sequence
```
pm3 --> hf mf chk *1 ? d mfc_default_keys
pm3 --> hf mf dump 1
@ -271,19 +290,19 @@ pm3 --> hf mf eload 353C2AA6
pm3 --> hf mf sim u 353c2aa6
```
Clone Mifare 1K Sequence
Clone MIFARE 1K Sequence
```
pm3 --> hf mf chk *1 ? d mfc_default_keys
pm3 --> hf mf dump
pm3 --> hf mf restore 1 u 4A6CE843 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-dump.bin
```
Read Mifare Ultralight EV1
Read MIFARE Ultralight EV1
```
pm3 --> hf mfu info
```
Clone Mifare Ultralight EV1 Sequence
Clone MIFARE Ultralight EV1 Sequence
```
pm3 --> hf mfu dump k FFFFFFFF
pm3 --> script run dumptoemul-mfu -i hf-mfu-XXXX-dump.bin -o hf-mfu-XXXX-dump.eml
@ -291,12 +310,12 @@ pm3 --> hf mfu eload u hf-mfu-XXXX-dump.eml
pm3 --> hf mfu sim t 7 u hf-mfu-XXXX-dump.eml
```
Bruteforce Mifare Classic card numbers from 11223344 to 11223346
Bruteforce MIFARE Classic card numbers from 11223344 to 11223346
```
pm3 --> script run hf_bruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc
```
Bruteforce Mifare Ultralight EV1 card numbers from 11223344556677 to 11223344556679
Bruteforce MIFARE Ultralight EV1 card numbers from 11223344556677 to 11223344556679
```
pm3 --> script run hf_bruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu
```
@ -524,29 +543,47 @@ pm3 --> data load <filename>
## Lua Scripts
^[Top](#top)
List Lua Scripts
List lua Scripts
```
pm3 --> script list
```
View lua helptext
```
pm3 --> script run <nameofscript> -h
```
Convert .bin to .eml
```
Options
---
i <file> : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used
-i <file> Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used
-o <filename> Specifies the output file. If omitted, <uid>.eml is used
pm3 --> script run dumptoemul -i xxxxxxxxxxxxxx.bin
```
Convert .eml to .bin
```
Options
---
-i <filename> Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used
-o <filename> Specifies the output file. If omitted, <currdate>.bin is used
pm3 --> script run emul2dump -i myfile.eml -o myfile.bin
```
Format Mifare card
```
Options
---
k <key> : the current six byte key with write access
n <key> : the new key that will be written to the card
a <access> : the new access bytes that will be written to the card
x : execute the commands aswell.
-k <key> The current six byte key with write access
-n <key> The new key that will be written to the card
-a <access> The new access bytes that will be written to the card
-x Execute the commands aswell
pm3 --> script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
```
@ -554,7 +591,7 @@ pm3 --> script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
## Memory
^[Top](#top)
Load default keys into memory
Load default keys into flash memory (RDV4 only)
```
Options
---
@ -574,7 +611,7 @@ pm3 --> mem load f iclass_default_keys i
Upgrade Sim Module firmware
```
pm3 --> sc upgrade f ../tools/simmodule/sim011.bin
pm3 --> smart upgrade f ../tools/simmodule/sim011.bin
```
## Smart Card
@ -582,12 +619,12 @@ pm3 --> sc upgrade f ../tools/simmodule/sim011.bin
Get Smart Card Information
```
pm3 --> sc info
pm3 --> smart info
```
Act like an IS07816 reader
```
pm3 --> sc reader
pm3 --> smart reader
```
Set clock speed
@ -596,7 +633,7 @@ Options
---
c <speed> : clockspeed (0 = 16MHz, 1=8MHz, 2=4MHz)
pm3 --> sc setclock c 2
pm3 --> smart setclock c 2
```
Send raw hex data
@ -604,16 +641,16 @@ Send raw hex data
Options
---
r : do not read response
a : active smartcard without select (reset sc module)
a : active smartcard without select (reset smart module)
s : active smartcard with select (get ATR)
t : executes TLV decoder if it possible
0 : use protocol T=0
d <bytes> : bytes to send
pm3 --> sc raw s 0 d 00a404000e315041592e5359532e4444463031 : 1PAY.SYS.DDF01 PPSE directory with get ATR
pm3 --> sc raw 0 d 00a404000e325041592e5359532e4444463031 : 2PAY.SYS.DDF01 PPSE directory
pm3 --> sc raw 0 t d 00a4040007a0000000041010 : Mastercard
pm3 --> sc raw 0 t d 00a4040007a0000000031010 : Visa
pm3 --> smart raw s 0 d 00a404000e315041592e5359532e4444463031 : 1PAY.SYS.DDF01 PPSE directory with get ATR
pm3 --> smart raw 0 d 00a404000e325041592e5359532e4444463031 : 2PAY.SYS.DDF01 PPSE directory
pm3 --> smart raw 0 t d 00a4040007a0000000041010 : Mastercard
pm3 --> smart raw 0 t d 00a4040007a0000000031010 : Visa
````
Bruteforce SPI
@ -622,6 +659,6 @@ Options
---
t : executes TLV decoder if it possible
pm3 --> sc brute
pm3 --> sc brute t
pm3 --> smart brute
pm3 --> smart brute t
```


@ -845,14 +845,14 @@ Check column "offline" for their availability.
|command |offline |description
|------- |------- |-----------
|`sc help `|Y |`This help`
|`sc list `|N |`List ISO 7816 history`
|`sc info `|N |`Tag information`
|`sc reader `|N |`Act like an IS07816 reader`
|`sc raw `|N |`Send raw hex data to tag`
|`sc upgrade `|Y |`Upgrade sim module firmware`
|`sc setclock `|N |`Set clock speed`
|`sc brute `|N |`Bruteforce SFI`
|`smart help `|Y |`This help`
|`smart list `|N |`List ISO 7816 history`
|`smart info `|N |`Tag information`
|`smart reader `|N |`Act like an IS07816 reader`
|`smart raw `|N |`Send raw hex data to tag`
|`smart upgrade `|Y |`Upgrade sim module firmware`
|`smart setclock `|N |`Set clock speed`
|`smart brute `|N |`Bruteforce SFI`
### script


@ -127,9 +127,9 @@ proxmark3 <YOUR_PORT_HERE> --flash --image /usr/local/share/proxmark3/firmware/f
<>
proxmark3 <YOUR_PORT_HERE> --flash --image /usr/share/proxmark3/firmware/fullimage.elf
pm3 --> sc upgrade f /usr/local/share/proxmark3/firmware/sim011.bin
pm3 --> smart upgrade f /usr/local/share/proxmark3/firmware/sim011.bin
<>
pm3 --> sc upgrade f /usr/share/proxmark3/firmware/sim011.bin
pm3 --> smart upgrade f /usr/share/proxmark3/firmware/sim011.bin
```
If you didn't install the PRoxmark but you're working from the sources directory and depending how you launch the client, your working directory might be the root of the repository:
@ -152,9 +152,9 @@ client/proxmark3 <YOUR_PORT_HERE> --flash --image armsrc/obj/fullimage.elf
<>
./proxmark3 <YOUR_PORT_HERE> --flash --image ../armsrc/obj/fullimage.elf
pm3 --> sc upgrade f tools/simmodule/sim011.bin
pm3 --> smart upgrade f tools/simmodule/sim011.bin
<>
pm3 --> sc upgrade f ../tools/simmodule/sim011.bin
pm3 --> smart upgrade f ../tools/simmodule/sim011.bin
```
etc.


@ -46,9 +46,9 @@ Don't not turn off your device during the execution of this command!!
Even its a quite fast command you should be warned. You may brick it if you interrupt it.
```
[usb] pm3 --> sc upgrade f /usr/local/share/proxmark3/firmware/sim011.bin
[usb] pm3 --> smart upgrade f /usr/local/share/proxmark3/firmware/sim011.bin
# or if from local repo
[usb] pm3 --> sc upgrade f tools/simmodule/sim011.bin
[usb] pm3 --> smart upgrade f tools/simmodule/sim011.bin
```
You get the following output if the execution was successful:


@ -12,22 +12,27 @@
* [ Setup ](#setup)
* [ Setting up Termux ](#setting-up-termux)
* [ Install Proxmark3 package ](#install-proxmark3-package)
* [ PC-like method ](#pc-like-method)
* [ Specific requirements ](#specific-requirements)
* [ USB_ACM ](#usb_acm)
* [ Enable the driver ](#enable-the-driver)
* [ Building the kernel ](#building-the-kernel)
* [ Flashing the kernel ](#flashing-the-kernel)
* [ Testing ](#testing)
* [ Troubleshooting ](#troubleshooting)
* [ Testing ](#testing)
* [ Troubleshooting ](#troubleshooting)
* [ TCP bridge method ](#tcp-bridge-method)
* [ USB connection ](#usb-connection)
* [ USB-UART bridge application ](#usb-uart-bridge-application)
* [ Setting up usb socket ](#setting-up-usb-socket)
* [ Bluetooth connection ](#bluetooth-connection)
* [ BT-UART bridge application ](#bt-uart-bridge-application)
* [ Setting up bt socket ](#setting-up-bt-socket)
* [ Termux connection ](#termux-connection)
## Requirements
^[Top](#top)
- Android phone
- Kernel with one of:
- USB_ACM driver
- module loading enabled
- published sources
- Root
- [Termux](https://play.google.com/store/apps/details?id=com.termux)
## Notes
@ -81,16 +86,33 @@ Install [Termux](https://play.google.com/store/apps/details?id=com.termux) and s
Run the following commands:
```
pkg install proxmark3 tsu
pkg install proxmark3
```
### Optional: Building Proxmark3 client from source
```
pkg install make clang clang++ readline libc++ git tsu
pkg install make clang clang++ readline libc++ git
git clone https://github.com/RfidResearchGroup/proxmark3.git
cd proxmark
make clean && make client
```
## PC-like method
^[Top](#top)
### Specific requirements
^[Top](#top)
- Kernel with one of:
- USB_ACM driver
- module loading enabled
- published sources
- Root
termux shell:
```
pkg install tsu
```
### USB_ACM
^[Top](#top)
@ -125,3 +147,53 @@ Everything should work just like if it was your PC!
- `dmesg | grep usb` - useful debug info
- `/proc/config.gz` - contains your kernel's build configuration. Look for `CONFIG_USB_ACM`, which should be enabled
## TCP bridge method
^[Top](#top)
Termux doesn't come with usb serial neither bluetooth serial drivers.
However, it is fully integrated with phone's network, so we need to talk to the proxmark using serial to tcp sockets (carried out by android apps).
### USB connection
^[Top](#top)
### USB-UART Bridge Application
^[Top](#top)
Install [this free app](https://play.google.com/store/apps/details?id=com.hardcodedjoy.tcpuart) on the Play Store
### Setting up usb socket
^[Top](#top)
The app lets you choose the baudrate. Default value (115 200 baud) is fine.
Plug the PM3 in and click connect.
Set the toggle in server mode and choose a random port not used by system (e.g. 4321) and start the server.
### Bluetooth connection
^[Top](#top)
### BT-UART Bridge Application
^[Top](#top)
Install [this free app](https://play.google.com/store/apps/details?id=masar.bb) or [the paid version](https://play.google.com/store/apps/details?id=masar.bluetoothbridge.pro) (which includes usb bridge)
### Setting up bt socket
^[Top](#top)
You need to pair the proxmark3 in the Android settings.
In the app choose your registred PM3 device as 'device A'.
Select TCP server as 'Device B' and choose an unused port (e.g. 4321).
Ensure 'Retransmission' is set to 'both ways'.
### Termux connection
^[Top](#top)
Start a new session, then:
```
proxmark3 tcp:localhost:<chosenPort>
```
Alternatively, if you have made the client in the git repo:
```
./client/proxmark3 tcp:localhost:<chosenPort>
```
ENJOY !


@ -12,12 +12,13 @@
# perl -lne 'chomp; s/\s+(\S+)$//;$f=$1;if($f=~s/-(\S+)//){$g=hex($1);}else{$g=hex($f)}$f=hex($f); for$m($f..$g){print "0x" . substr(unpack("H4",pack("n",$m)),1) ." => \"$_\","}' /tmp/game >> game2
# perl -lne 'if(/^(\S.*?)\s+\w?\w\w\w\w(\s*-\s*\w?\w\w\w\w)?\s*$/){$l=$1} s/(\w{4,5}\s*-\s*)?(\w{4,5})$//; $a=$1;$b=$2; $b=hex($b); $a=$a?hex($a):$b; for$m($a..$b){print "0x" . substr(unpack("H4",pack("n",$m)),0) ." => \"$l\","}' /tmp/g2
my $BLOCKS = 255;
my $UIDLOC = -540; # UID is 540 bytes from the end
my $BLOCKSIZE = 4; # in bytes
my $AMIITOOL = '../client/amiitool/amiitool'; # path to amiitool (unless in $PATH)
my $KEYFILE = '../client/amiitool/key_retail.bin'; # path to retail key file
my $ADDHDR = 1; # add 48 byte header?
my $ADDHDR = 1; # add 56 byte header?
my $FIXPWD = 1; # recalculate PWD if dump value is 0
my $FIXACK = 1; # set ACK if dump value is 0
my $DECRYPT = 0; # auto-decrypt
my %game = (
@ -605,59 +606,80 @@ elsif (!$dec_check && !$enc_check)
die "Does not look like proper file format! Exiting.\n";
}
my $lines = $BLOCKS;
my @blocks = ();
my $uid = unpack("H14",
substr($file, length($file) + $UIDLOC, 3) .
substr($file, (length($file) + $UIDLOC) + 4, 4));
my $pwd = unpack("H8", substr($file, length($file) - 8, 4));
my $ack = unpack("H8", substr($file, length($file) - 4, 4));
# file does not contain our 48 byte header, let's add it
my $fixedpwd = 0;
if ($FIXPWD && hex($pwd) == 0) {
# calculate correct amiibo password according to UID
err "PWD is blank, recalculating";
my $uid_a = hex(substr $uid, 2, 8);
my $uid_b = hex(substr $uid, 6, 8);
$pwd = sprintf("%08x", $uid_a ^ $uid_b ^ 0xaa55aa55);
$fixedpwd = 1;
}
my $fixedack = 0;
if ($FIXACK && hex($ack) == 0) {
# this is the command to be sent back to the Switch if
# the Switch sends the correct PWD
err "ACK is blank, fixing";
$ack = "80808080";
$fixedack = 1;
}
# file does not contain our 56 byte header, let's add it
my $addedhdr = 0;
if ($ADDHDR && length($file) == -1 * $UIDLOC)
{
err "Does not contain header, adding";
while (<DATA>)
{
$lines--;
chomp; # there may not be a newline so chomp and add below
print "$_\n";
push @blocks, $_;
}
$addedhdr = 1;
}
my $pages = 0;
while (length($file))
{
my $out = substr($file, 0, $BLOCKSIZE, ""); # was 16
$out = unpack("H*", $out);
print "$out\n";
push @blocks, $out;
# grab UID
=cut
if ($BLOCKS - $lines == 12)
{
$uid = substr($out, 0, 6);
}
elsif ($BLOCKS - $lines == 13)
{
$uid .= substr($out, 0, 8);
}
=cut
$lines--;
$pages++;
}
# still need to pad to 255 4-byte (8 hex char) blocks
if ($lines > 0)
{
while ($lines--)
{
print "00000000\n";
}
if ($fixedpwd) {
@blocks[-2] = $pwd;
}
if ($fixedack) {
@blocks[-1] = $ack;
}
if ($addedhdr) {
@blocks[2] .= sprintf "%02X", ($pages - 1);
}
# finally, output the data
foreach(@blocks) {
print "$_\n";
}
print STDERR "\n";
print STDERR "$_\n" for @err;
print STDERR "UID: $uid\n";
print STDERR "PWD: $pwd\n";
print STDERR "ACK: $ack\n";
print STDERR "\n";
$uid = uc $uid;
#print STDERR "amiitool -d -k ../client/amiitool/key_retail.bin -i $input -o $input.decrypted\n";
@ -669,13 +691,15 @@ print STDERR "hf 14a sim t 7 u $uid\n";
__DATA__
00040402
01001103
01000000
00808000
92580b4c
45a9c42f
a90145ce
5e5f9c43
09a43d47
d232a3d1
68cbade6
7f8185c6
010000
92580B4C
45A9C42F
A90145CE
5E5F9C43
09A43D47
D232A3D1
68CBADE6
7F8185C6
00000000
00000000
00000000
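Review bot: In the second hunk (`@ -605,59 +606,80`) the zero-padding loop still ends in `print "00000000\n";` (shown only once, so presumably unchanged on the new side) while every page is now buffered in `@blocks` and only emitted by the final `foreach(@blocks)`, so if that loop survived the refactor the padding is written before the page data instead of after it; it should be `push @blocks, "00000000";`, with the `$fixedpwd`/`$fixedack` fix-ups applied before the padding is appended (or indexed from `$pages` rather than from the end of `@blocks`, since `-2`/`-1` only hit the PWD/PACK pages while nothing follows them). If the padding block was in fact dropped on the new side, the leftover comment `# still need to pad to 255 4-byte (8 hex char) blocks` and the now-unused countdown of `$lines` should go with it. Separately, `@blocks[-2] = $pwd;`, `@blocks[-1] = $ack;` and `@blocks[2] .= sprintf ...` are one-element slices used as scalar lvalues and will raise "Scalar value @blocks[...] better written as $blocks[...]" under `use warnings`; write them as `$blocks[-2]`, `$blocks[-1]` and `$blocks[2]`. The script's preamble and the `err`/`@err` helpers it relies on are outside the hunk.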