Merge branch 'RfidResearchGroup:master' into pm3generic-flash

This commit is contained in:
Alejandro 2023-01-27 15:02:19 +01:00 committed by GitHub
commit 63e54e94a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 225 additions and 107 deletions


@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Added new magic gen4 cards command in docs (@McEloff)
- Added `hf tesla info` - intital information command to read TESLA cards (@iceman1001)
- Changed `hf emrtd info` - looking for lower case .bin extensions (@iceman1001)
- Changed `hf emrtd dump` - looking for lower case .bin extensions (@iceman1001)


@ -57,19 +57,19 @@ void RunMod(void) {
WDT_HIT();
// exit from SamyRun, send a usbcommand.
if (data_available()) { // early exit
DbpString("[=] You can take the shell back :) ...");
DbpString("[=] You can take the shell back :) ...");
LEDsoff();
return;
}
}
LED_C_ON();
WAIT_BUTTON_RELEASED(); // We are now ready to start brutforcing card numbers
LEDsoff();
Dbprintf("[=] Starting HID ProxII Bruteforce from card %08x to %08x",
CARDNUM_START, MIN(CARDNUM_END, 0xFFFF));
for (cardnum = CARDNUM_START ; cardnum <= MIN(CARDNUM_END, 0xFFFF) ; cardnum++) {
WDT_HIT();
@ -92,14 +92,14 @@ void RunMod(void) {
// switch leds to be able to know (aproximatly) which card number worked (64 tries loop)
LED_A_INV(); // switch led A every try
if ((cardnum-CARDNUM_START) % 8 == 7) // switch led B every 8 tries
if ((cardnum - CARDNUM_START) % 8 == 7) // switch led B every 8 tries
LED_B_INV();
if ((cardnum-CARDNUM_START) % 16 == 15) // switch led C every 16 tries
if ((cardnum - CARDNUM_START) % 16 == 15) // switch led C every 16 tries
LED_C_INV();
if ((cardnum-CARDNUM_START) % 32 == 31) // switch led D every 32 tries
if ((cardnum - CARDNUM_START) % 32 == 31) // switch led D every 32 tries
LED_D_INV();
}
SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5); // Xmax tree
Dbprintf("[=] Ending HID ProxII Bruteforce from card %08x to %08x",
CARDNUM_START, cardnum - 1);


@ -1229,6 +1229,17 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_r
AddCrc14A(rPPS, sizeof(rPPS) - 2);
if (tagType == 7) {
uint8_t pwd[4];
uint8_t gen_pwd[4];
uint16_t start = (*pages - 1) * 4 + MFU_DUMP_PREFIX_LENGTH;
emlGetMemBt(pwd, start, sizeof(pwd));
Uint4byteToMemBe(gen_pwd, ul_ev1_pwdgenB(data));
if (memcmp(pwd, gen_pwd, sizeof(pwd)) == 0) {
rPACK[0] = 0x80;
rPACK[1] = 0x80;
}
}
AddCrc14A(rPACK, sizeof(rPACK) - 2);
static tag_response_info_t responses_init[] = {
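Review bot: The new tagType 7 block at `uint16_t start = (*pages - 1) * 4 + MFU_DUMP_PREFIX_LENGTH;` gives no hint of what is being compared or why the reply becomes 0x80 0x80, and it assumes `*pages >= 1` (with 0 the offset no longer points at a page). A comment such as `// tagType 7: if the dump's stored PWD equals pwdgen algo B of the UID, answer the matching fixed PACK 0x80 0x80` would record the intent; also confirm that `*pages - 1` is the PWD page of the dump layout and not the trailing PACK page. What `rPACK` holds when the comparison fails is not visible in this hunk. SimulateIso14443aInit continues outside the hunk.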


@ -139,14 +139,10 @@ local function main(args)
-- force lock bytes, otherwise the Amiibo won't be recognized
blocks[16] = blocks[16]:sub(1, 4)..'0FE0'
-- add PWD and PACK if necessary
-- add PWD and PACK
local uid = blocks[14]:sub(1, 6)..blocks[15]:sub(1, 8)
if blocks[147] == nil or blocks[147] == '00000000' then
blocks[147] = ("%08x"):format(bxor(bxor(tonumber(sub(uid, 2, 10), 16), tonumber(sub(uid, 6, 14), 16)), 0xaa55aa55))
end
if blocks[148] == nil or blocks[148] == '00000000' then
blocks[148] = "80800000"
end
blocks[147] = ("%08x"):format(bxor(bxor(tonumber(sub(uid, 2, 10), 16), tonumber(sub(uid, 6, 14), 16)), 0xaa55aa55))
blocks[148] = "80800000"
err = LoadEmulator(uid, blocks)
if err then return oops(err) end
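Review bot: The unconditional `blocks[147] = ...` and `blocks[148] = "80800000"` now discard any PWD and PACK already present in the dump, which the removed `nil or '00000000'` guard used to keep; if overwriting is the intent, the comment should say so rather than just `-- add PWD and PACK`, e.g. `-- always regenerate PWD (algo B from UID) and force PACK 8080; values in the dump are ignored`. The UID-derived formula is unchanged, so this is a policy change rather than a computation change. main continues outside the hunk.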


@ -1230,7 +1230,7 @@ int FSKrawDemod(uint8_t rfLen, uint8_t invert, uint8_t fchigh, uint8_t fclow, bo
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(SUCCESS, _YELLOW_("%s") " decoded bitstream", GetFSKType(fchigh, fclow, invert));
PrintAndLogEx(INFO, "-----------------------");
printDemodBuff(0, false, invert, false);
printDemodBuff(0, false, false, false);
}
goto out;
} else {


@ -652,14 +652,13 @@ static int CmdHF15Samples(const char *Cmd) {
return PM3_SUCCESS;
}
static int NxpTestEAS(uint8_t *uid)
{
uint8_t fast = 1;
static int NxpTestEAS(uint8_t *uid) {
uint8_t fast = 1;
uint8_t reply = 1;
PacketResponseNG resp;
uint16_t reqlen = 0;
uint8_t req[PM3_CMD_DATA_SIZE] = {0};
req[reqlen++] |= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
req[reqlen++] = ISO15693_EAS_ALARM;
req[reqlen++] = 0x04; // IC manufacturer code
@ -681,7 +680,7 @@ static int NxpTestEAS(uint8_t *uid)
if (resp.length < 2) {
PrintAndLogEx(INFO, " EAS (Electronic Article Surveillance) is not active");
} else {
uint8_t * recv = resp.data.asBytes;
uint8_t *recv = resp.data.asBytes;
if (!(recv[0] & ISO15_RES_ERROR)) {
PrintAndLogEx(INFO, " EAS (Electronic Article Surveillance) is active.");
@ -689,56 +688,56 @@ static int NxpTestEAS(uint8_t *uid)
}
}
}
return PM3_SUCCESS;
}
}
static int NxpCheckSig(uint8_t *uid) {
uint8_t fast = 1;
uint8_t fast = 1;
uint8_t reply = 1;
PacketResponseNG resp;
uint16_t reqlen = 0;
uint8_t req[PM3_CMD_DATA_SIZE] = {0};
// Check if we can also read the signature
req[reqlen++] |= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
req[reqlen++] = ISO15693_READ_SIGNATURE;
req[reqlen++] = 0x04; // IC manufacturer code
memcpy(req + 3, uid, 8); // add UID
reqlen += 8;
AddCrc15(req, reqlen);
reqlen += 2;
// Check if we can also read the signature
req[reqlen++] |= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
req[reqlen++] = ISO15693_READ_SIGNATURE;
req[reqlen++] = 0x04; // IC manufacturer code
memcpy(req + 3, uid, 8); // add UID
reqlen += 8;
clearCommandBuffer();
SendCommandMIX(CMD_HF_ISO15693_COMMAND, reqlen, fast, reply, req, reqlen);
AddCrc15(req, reqlen);
reqlen += 2;
if (WaitForResponseTimeout(CMD_HF_ISO15693_COMMAND, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "iso15693 timeout");
DropField();
return PM3_ETIMEOUT;
}
clearCommandBuffer();
SendCommandMIX(CMD_HF_ISO15693_COMMAND, reqlen, fast, reply, req, reqlen);
DropField();
if (WaitForResponseTimeout(CMD_HF_ISO15693_COMMAND, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "iso15693 timeout");
DropField();
return PM3_ETIMEOUT;
}
if (resp.length < 2) {
PrintAndLogEx(WARNING, "iso15693 card doesn't answer to READ SIGNATURE command");
return PM3_EWRONGANSWER;
}
DropField();
uint8_t *recv = resp.data.asBytes;
if (resp.length < 2) {
PrintAndLogEx(WARNING, "iso15693 card doesn't answer to READ SIGNATURE command");
return PM3_EWRONGANSWER;
}
if ((recv[0] & ISO15_RES_ERROR) == ISO15_RES_ERROR) {
PrintAndLogEx(ERR, "iso15693 card returned error %i: %s", recv[0], TagErrorStr(recv[0]));
return PM3_EWRONGANSWER;
}
uint8_t *recv = resp.data.asBytes;
uint8_t signature[32] = {0x00};
memcpy(signature, recv + 1, 32);
if ((recv[0] & ISO15_RES_ERROR) == ISO15_RES_ERROR) {
PrintAndLogEx(ERR, "iso15693 card returned error %i: %s", recv[0], TagErrorStr(recv[0]));
return PM3_EWRONGANSWER;
}
nxp_15693_print_signature(uid, signature);
return PM3_SUCCESS;
uint8_t signature[32] = {0x00};
memcpy(signature, recv + 1, 32);
nxp_15693_print_signature(uid, signature);
return PM3_SUCCESS;
}
// Get NXP system information from SLIX2 tag/VICC
@ -822,11 +821,11 @@ static int NxpSysInfo(uint8_t *uid) {
PrintAndLogEx(INFO, " * Additional 32 bits feature flags are%s transmitted", ((recv[5] & 0x80) ? "" : " not"));
if (support_easmode) {
NxpTestEAS(uid);
NxpTestEAS(uid);
}
if (support_signature) {
NxpCheckSig(uid);
NxpCheckSig(uid);
}
return PM3_SUCCESS;
@ -968,16 +967,12 @@ static int CmdHF15Info(const char *Cmd) {
if (data[8] == 0x04 && data[7] == 0x01 && nxp_version == 0x08) {
PrintAndLogEx(DEBUG, "SLIX2 Detected, getting NXP System Info");
return NxpSysInfo(uid);
}
else if(data[8] == 0x04 && data[7] == 0x01 && nxp_version == 0x18) //If it is an NTAG 5
{
PrintAndLogEx(DEBUG, "NTAG 5 Detected, getting NXP System Info");
} else if (data[8] == 0x04 && data[7] == 0x01 && nxp_version == 0x18) { //If it is an NTAG 5
PrintAndLogEx(DEBUG, "NTAG 5 Detected, getting NXP System Info");
return NxpSysInfo(uid);
}
else if(data[8] == 0x04 && (data[7] == 0x01 || data[7] == 0x02 || data[7] == 0x03)) //If SLI, SLIX, SLIX-l, or SLIX-S check EAS status
{
PrintAndLogEx(DEBUG, "SLI, SLIX, SLIX-L, or SLIX-S Detected checking EAS status");
return NxpTestEAS(uid);
} else if (data[8] == 0x04 && (data[7] == 0x01 || data[7] == 0x02 || data[7] == 0x03)) { //If SLI, SLIX, SLIX-l, or SLIX-S check EAS status
PrintAndLogEx(DEBUG, "SLI, SLIX, SLIX-L, or SLIX-S Detected checking EAS status");
return NxpTestEAS(uid);
}
PrintAndLogEx(NORMAL, "");
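Review bot: In NxpCheckSig the only length guard is `if (resp.length < 2)`, yet `memcpy(signature, recv + 1, 32);` reads 33 bytes of the reply, so a short non-error answer prints whatever trails in the response buffer as a signature (presumably not an out-of-bounds read, since `resp.data.asBytes` looks like a fixed-size buffer, but the printed value is meaningless). Before the memcpy add `if (resp.length < 1 + sizeof(signature)) { PrintAndLogEx(WARNING, "iso15693 READ SIGNATURE reply too short"); return PM3_EWRONGANSWER; }`, keeping the existing `< 2` check so two-byte error replies are still reported via TagErrorStr. NxpSysInfo also discards the return values of `NxpTestEAS(uid)` and `NxpCheckSig(uid)` and returns PM3_SUCCESS after a timeout; if that is deliberate, a one-line comment would save the next reader the question. These hunks only reindent; the function bodies are otherwise unchanged.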


@ -318,7 +318,7 @@ int applyIso14443a(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, bool i
snprintf(exp, size, "AUTH-B(%d)", cmd[1]);
break;
}
case MIFARE_MAGIC_GDM_AUTH_KEYA:{
case MIFARE_MAGIC_GDM_AUTH_KEYA: {
if (cmdsize > 3) {
snprintf(exp, size, "MAGIC AUTH-A(%d)", cmd[1]);
MifareAuthState = masNt;


@ -29,7 +29,7 @@
#include "commonutil.h" // get_sw
#include "protocols.h" // ISO7816 APDU return co-des
#include "ui.h"
#include "cmdhf14a.h" // apdu chaining
#include "cmdhf14a.h" // apdu chaining
#define TIMEOUT 2000
@ -160,10 +160,10 @@ static int info_hf_tesla(void) {
sw = get_sw(response, resplen);
if (sw == ISO7816_OK) {
// save CETT for later
// save CETT for later
uint8_t cert[515] = {0};
memcpy(cert, response, resplen - 2);
PrintAndLogEx(INFO, "CERT # %i", i);
PrintAndLogEx(INFO, "%s", sprint_hex_inrow(cert, resplen - 2));
}
@ -198,12 +198,12 @@ static int info_hf_tesla(void) {
PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") " ---------------------------");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "PUBLIC KEY");
for (int i=0; i < 3; i++) {
for (int i = 0; i < 3; i++) {
PrintAndLogEx(INFO, "%d - %s", i, sprint_hex_inrow(pk[i], 65));
}
if (form_factor[1] == 1) {
PrintAndLogEx(INFO, "Form factor... %s (card)", sprint_hex_inrow(form_factor, sizeof(form_factor)));
} else if (form_factor[1] == 2){
} else if (form_factor[1] == 2) {
PrintAndLogEx(INFO, "Form factor... %s (phone app)", sprint_hex_inrow(form_factor, sizeof(form_factor)));
}
@ -217,7 +217,7 @@ static int info_hf_tesla(void) {
if ((memcmp(pk[0], pk[1], 65) == 0)) {
PrintAndLogEx(INFO, " GaussKey detected");
}
//
//
return PM3_SUCCESS;
}
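Review bot: `memcpy(cert, response, resplen - 2);` in info_hf_tesla copies into the 515-byte `cert` with no bound on `resplen`; if `response` can hold more than 517 bytes this overflows the stack buffer, and if `get_sw` accepts `resplen < 2` the length wraps — neither the size of `response` nor get_sw's own check is visible here. Clamping is two lines: `size_t clen = resplen - 2; if (clen > sizeof(cert)) clen = sizeof(cert);` followed by `memcpy(cert, response, clen);`. The help JSON in this same commit renders the usage as `hf telsa info`, which presumably originates from this file's usage string and is worth checking outside the hunk. info_hf_tesla starts outside the hunk.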


@ -433,7 +433,7 @@ static int CmdScriptRun(const char *Cmd) {
#else
// The following line will implicitly pre-initialize Python
PyConfig_SetBytesArgv(&py_conf, argc + 1, argv);
// We disallowed in py_conf environment variables interfering with python interpreter's behavior.
// Let's manually enable the ones we truly need.
// This is required by Proxspace to work with an isolated Python configuration


@ -438,6 +438,12 @@ const static vocabulory_t vocabulory[] = {
{ 0, "hf st25ta protect" },
{ 0, "hf st25ta pwd" },
{ 0, "hf st25ta sim" },
{ 1, "hf tesla help" },
{ 0, "hf tesla info" },
{ 1, "hf tesla list" },
{ 1, "hf texkom help" },
{ 0, "hf texkom reader" },
{ 0, "hf texkom sim" },
{ 1, "hf thinfilm help" },
{ 0, "hf thinfilm info" },
{ 1, "hf thinfilm list" },
@ -453,9 +459,6 @@ const static vocabulory_t vocabulory[] = {
{ 0, "hf topaz rdbl" },
{ 1, "hf topaz view" },
{ 0, "hf topaz wrbl" },
{ 1, "hf texkom help" },
{ 0, "hf texkom reader" },
{ 0, "hf texkom sim" },
{ 1, "hf xerox help" },
{ 0, "hf xerox info" },
{ 0, "hf xerox reader" },


@ -266,7 +266,7 @@ void print_hex_break(const uint8_t *data, const size_t len, uint8_t breaks) {
uint8_t mod = len % breaks;
if (mod) {
char buf[UTIL_BUFFER_SIZE_SPRINT + 3];
char buf[UTIL_BUFFER_SIZE_SPRINT + 3] = {0};
hex_to_buffer((uint8_t *)buf, data + i, mod, (sizeof(buf) - 1), 0, 1, true);
// add the spaces...
@ -291,7 +291,7 @@ void print_hex_noascii_break(const uint8_t *data, const size_t len, uint8_t brea
uint8_t mod = len % breaks;
if (mod) {
char buf[UTIL_BUFFER_SIZE_SPRINT + 3];
char buf[UTIL_BUFFER_SIZE_SPRINT + 3] = {0};
hex_to_buffer((uint8_t *)buf, data + i, mod, (sizeof(buf) - 1), 0, 0, true);
// add the spaces...
@ -307,7 +307,7 @@ static void print_buffer_ex(const uint8_t *data, const size_t len, int level, ui
if ((data == NULL) || (len < 1))
return;
char buf[UTIL_BUFFER_SIZE_SPRINT + 3];
char buf[UTIL_BUFFER_SIZE_SPRINT + 3] = {0};
int i;
for (i = 0; i < len; i += breaks) {
@ -614,7 +614,7 @@ void bytes_to_bytebits(const void *src, const size_t srclen, void *dest) {
// hh,gg,ff,ee,dd,cc,bb,aa, pp,oo,nn,mm,ll,kk,jj,ii
// up to 64 bytes or 512 bits
uint8_t *SwapEndian64(const uint8_t *src, const size_t len, const uint8_t blockSize) {
static uint8_t buf[64];
static uint8_t buf[64] = {0};
memset(buf, 0x00, 64);
uint8_t *tmp = buf;
for (uint8_t block = 0; block < (uint8_t)(len / blockSize); block++) {
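Review bot: The `= {0}` added to `static uint8_t buf[64]` in SwapEndian64 is redundant: a static array is zero-initialized by the language, and `memset(buf, 0x00, 64);` on the next line clears it on every call anyway, so the initializer changes nothing; either drop it or note the reason with `// static: zero by default, memset below resets it between calls`. For the three automatic `char buf[UTIL_BUFFER_SIZE_SPRINT + 3] = {0};` buffers the initializer does matter, since it guarantees the string is NUL-terminated however much hex_to_buffer writes — a comment `// zeroed so buf is always terminated` would record that intent. The enclosing functions continue outside their hunks.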


@ -1101,14 +1101,16 @@
"command": "hf 14a chaining",
"description": "Enable/Disable ISO14443a input chaining. Maximum input length goes from ATS.",
"notes": [
"hf 14a chaining disable -> disable chaining",
"hf 14a chaining --off -> disable chaining",
"hf 14a chaining -> show chaining enable/disable state"
],
"offline": false,
"options": [
"-h, --help This help"
"-h, --help This help",
"-1, --on enabled chaining",
"-0, --off disable chaining"
],
"usage": "hf 14a chaining [-h] [<enable/disable or 0/1>]"
"usage": "hf 14a chaining [-h10]"
},
"hf 14a config": {
"command": "hf 14a config",
@ -2881,7 +2883,7 @@
},
"hf help": {
"command": "hf help",
"description": "-------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... } 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } jooki { Jooki RFIDs... } iclass { ICLASS RFIDs... } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } texkom { Texkom RFIDs... } xerox { Fuji/Xerox cartridge RFIDs... } waveshare { Waveshare NFC ePaper... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer search Search for known HF tags",
"description": "-------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... } 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } jooki { Jooki RFIDs... } iclass { ICLASS RFIDs... } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } tesla { TESLA Cards... } texkom { Texkom RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } xerox { Fuji/Xerox cartridge RFIDs... } waveshare { Waveshare NFC ePaper... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer search Search for known HF tags",
"notes": [],
"offline": true,
"options": [],
@ -6684,6 +6686,47 @@
],
"usage": "hf st25ta sim [-h] -u <hex>"
},
"hf tesla help": {
"command": "hf tesla help",
"description": "help This help list List ISO 14443A/7816 history",
"notes": [],
"offline": true,
"options": [],
"usage": ""
},
"hf tesla info": {
"command": "hf tesla info",
"description": "Get info about TESLA Key tag",
"notes": [
"hf tesla info"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "hf telsa info [-h]"
},
"hf tesla list": {
"command": "hf tesla list",
"description": "Alias of `trace list -t 7816` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"notes": [
"hf tesla list --frame -> show frame delay times",
"hf tesla list -1 -> use trace buffer"
],
"offline": true,
"options": [
"-h, --help This help",
"-1, --buffer use data from trace buffer",
"--frame show frame delay times",
"-c mark CRC bytes",
"-r show relative times (gap and duration)",
"-u display times in microseconds instead of clock cycles",
"-x show hexdump to convert to pcap(ng)",
"or to import into Wireshark using encapsulation type \"ISO 14443\"",
"-f, --file <fn> filename of dictionary"
],
"usage": "hf tesla list [-h1crux] [--frame] [-f <fn>]"
},
"hf texkom help": {
"command": "hf texkom help",
"description": "help This help",
@ -11760,8 +11803,8 @@
}
},
"metadata": {
"commands_extracted": 739,
"commands_extracted": 742,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2023-01-15T01:24:39"
"extracted_on": "2023-01-27T01:57:37"
}
}


@ -651,6 +651,28 @@ Check column "offline" for their availability.
|`hf st25ta sim `|N |`Fake ISO 14443A/ST tag`
### hf tesla
{ TESLA Cards... }
|command |offline |description
|------- |------- |-----------
|`hf tesla help `|Y |`This help`
|`hf tesla info `|N |`Tag information`
|`hf tesla list `|Y |`List ISO 14443A/7816 history`
### hf texkom
{ Texkom RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf texkom help `|Y |`This help`
|`hf texkom reader `|N |`Act like a Texkom reader`
|`hf texkom sim `|N |`Simulate a Texkom tag`
### hf thinfilm
{ Thinfilm RFIDs... }
@ -682,17 +704,6 @@ Check column "offline" for their availability.
|`hf topaz wrbl `|N |`Write block`
### hf texkom
{ Texkom RFIDs... }
|command |offline |description
|------- |------- |-----------
|`hf texkom help `|Y |`This help`
|`hf texkom reader `|N |`Act like a Texkom reader`
|`hf texkom sim `|N |`Simulate a Texkom tag`
### hf xerox
{ Fuji/Xerox cartridge RFIDs... }


@ -1086,10 +1086,12 @@ CF <passwd> 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQ
CF <passwd> 68 <00-02> // Configure UID length
CF <passwd> 69 <00-01> // (De)Activate Ultralight mode
CF <passwd> 6A <00-03> // Select Ultralight mode
CF <passwd> 6B <1b> // Set Ultralight and M1 maximum read/write sectors
CF <passwd> C6 // Dump configuration
CF <passwd> CC // Factory test, returns 6666
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
CF <passwd> CE <1b block number> // Backdoor read 16b block
CF <passwd> CF <1b param> // Unknown
CF <passwd> F0 <30b configuration data> // Configure all params in one cmd
CF <passwd> F1 <30b configuration data> // Configure all params in one cmd and fuse the configuration permanently
CF <passwd> FE <4b new_password> // change password
@ -1304,6 +1306,19 @@ script run hf_mf_ultimatecard -m 02
```
Now the card supports the 3DES UL-C authentication.
### Set Ultralight and M1 maximum read/write sectors
^[Top](#top) ^^[Gen4](#g4top)
```
hf 14a raw -s -c -t 1000 CF<passwd>6B<1b blocks>
```
Hexadecimal, maximum sector data, default 0xFF, range 0x00-0xFF
Example: set maximum 63 blocks read/write for Mifare Classic 1K
```
hf 14a raw -s -c -t 1000 CF000000006B3F
```
### Set shadow mode (GTU)
^[Top](#top) ^^[Gen4](#g4top)
@ -1365,6 +1380,20 @@ Example: write block0 with factory data, default pwd
hf 14a raw -s -c -t 1000 CF00000000CD00112233441C000011778185BA18000000
```
### Unknown command
^[Top](#top) ^^[Gen4](#g4top)
This command modifies one byte in configuration dump, but purpose one is unknown.
```
hf 14a raw -s -c -t 1000 CF<passwd>CF<1b param>
```
* `<param>`
* `??`: ???
Example:
hf 14a raw -s -c -t 1000 CF00000000CF02
### Change backdoor password
^[Top](#top) ^^[Gen4](#g4top)
@ -1391,8 +1420,10 @@ hf 14a raw -s -c -t 1000 CF<passwd>C6
```
Default configuration:
```
00000000000002000978009102DABC191010111213141516040008004F6B
^^^^ ??
00000000000002000978009102DABC191010111213141516040008006B024F6B
^^^^ ??
^^ cf cmd cf: ?? this byte set by cmd cf<pwd>cf<param>, factory value 0x02
^^ cf cmd 6b: maximum read/write sectors, factory value 0x6b
^^ cf cmd 6a: UL mode
^^^^^^ cf cmd 35: ATQA/SAK
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cf cmd 34: ATS length & content


@ -21,18 +21,45 @@
#define AEND "\x1b[0m"
#define _BLUE_(s) "\x1b[34m" s AEND
#define _RED_(s) "\x1b[31m" s AEND
#define _GREEN_(s) "\x1b[32m" s AEND
#define _YELLOW_(s) "\x1b[33m" s AEND
#define _MAGENTA_(s) "\x1b[35m" s AEND
#define _CYAN_(s) "\x1b[36m" s AEND
#define _WHITE_(s) "\x1b[37m" s AEND
#define _BLACK_(s) "\x1b[30m" s AEND
#define _RED_(s) "\x1b[31m" s AEND
#define _GREEN_(s) "\x1b[32m" s AEND
#define _YELLOW_(s) "\x1b[33m" s AEND
#define _BLUE_(s) "\x1b[34m" s AEND
#define _MAGENTA_(s) "\x1b[35m" s AEND
#define _CYAN_(s) "\x1b[36m" s AEND
#define _WHITE_(s) "\x1b[37m" s AEND
#define _BRIGHT_BLACK_(s) "\x1b[30;1m" s AEND
#define _BRIGHT_RED_(s) "\x1b[31;1m" s AEND
#define _BRIGHT_GREEN_(s) "\x1b[32;1m" s AEND
#define _BRIGHT_YELLOW_(s) "\x1b[33;1m" s AEND
#define _BRIGHT_BLUE_(s) "\x1b[34;1m" s AEND
#define _BRIGHT_MAGENTA_(s) "\x1b[35;1m" s AEND
#define _BRIGHT_CYAN_(s) "\x1b[36;1m" s AEND
#define _BRIGHT_WHITE_(s) "\x1b[37;1m" s AEND
#define _BACK_BLACK_(s) "\x1b[40m" s AEND
#define _BACK_RED_(s) "\x1b[41m" s AEND
#define _BACK_GREEN_(s) "\x1b[42m" s AEND
#define _BACK_YELLOW_(s) "\x1b[43m" s AEND
#define _BACK_BLUE_(s) "\x1b[44m" s AEND
#define _BACK_MAGENTA_(s) "\x1b[45m" s AEND
#define _BACK_CYAN_(s) "\x1b[46m" s AEND
#define _BACK_WHITE_(s) "\x1b[47m" s AEND
#define _BACK_BRIGHT_BLACK_(s) "\x1b[40;1m" s AEND
#define _BACK_BRIGHT_RED_(s) "\x1b[41;1m" s AEND
#define _BACK_BRIGHT_GREEN_(s) "\x1b[42;1m" s AEND
#define _BACK_BRIGHT_YELLOW_(s) "\x1b[43;1m" s AEND
#define _BACK_BRIGHT_BLUE_(s) "\x1b[44;1m" s AEND
#define _BACK_BRIGHT_MAGENTA_(s) "\x1b[45;1m" s AEND
#define _BACK_BRIGHT_CYAN_(s) "\x1b[46;1m" s AEND
#define _BACK_BRIGHT_WHITE_(s) "\x1b[47;1m" s AEND
#define _CLEAR_ "\x1b[2J"
#define _TOP_ "\x1b[1;1f"
#if defined(HAVE_READLINE)
// https://wiki.hackzine.org/development/misc/readline-color-prompt.html
// Applications may indicate that the prompt contains