diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal index bd66d538c..eef4ecf6f 100644 --- a/armsrc/Standalone/Makefile.hal +++ b/armsrc/Standalone/Makefile.hal @@ -38,6 +38,9 @@ define KNOWN_STANDALONE_DEFINITIONS | HF_14ASNIFF | 14a sniff to flashmem | | (RDV4 only) | | +----------------------------------------------------------+ +| HF_AVEFUL | Mifare ultralight read/simulation | +| | - Ave Ozkal | ++----------------------------------------------------------+ | HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth | | (RDV4 only) | storing in flashmem - Bogito | +----------------------------------------------------------+ @@ -62,7 +65,7 @@ define KNOWN_STANDALONE_DEFINITIONS endef STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN -STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG +STANDALONE_MODES += HF_14ASNIFF HF_AVEFUL HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG STANDALONE_MODES_REQ_SMARTCARD := STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),) diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc index 131e26e79..c5730965b 100644 --- a/armsrc/Standalone/Makefile.inc +++ b/armsrc/Standalone/Makefile.inc @@ -37,6 +37,10 @@ endif ifneq (,$(findstring WITH_STANDALONE_HF_14ASNIFF,$(APP_CFLAGS))) SRC_STANDALONE = hf_14asniff.c endif +# WITH_STANDALONE_HF_AVEFUL +ifneq (,$(findstring WITH_STANDALONE_HF_AVEFUL,$(APP_CFLAGS))) + SRC_STANDALONE = hf_aveful.c +endif # WITH_STANDALONE_LF_ICEHID ifneq (,$(findstring WITH_STANDALONE_LF_ICEHID,$(APP_CFLAGS))) SRC_STANDALONE = lf_icehid.c diff --git a/armsrc/Standalone/hf_aveful.c b/armsrc/Standalone/hf_aveful.c new file mode 100644 index 000000000..a619459f5 --- /dev/null +++ b/armsrc/Standalone/hf_aveful.c 
@@ -0,0 +1,127 @@
+//-----------------------------------------------------------------------------
+// A. Ozkal, 2020
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// main code for HF Mifare Ultralight read/simulation by Ave Ozkal
+//-----------------------------------------------------------------------------
+
+// Several parts of this code is based on code by Craig Young from HF_YOUNG
+
+// This code does not:
+// - Account for cards with authentication (MFU EV1 etc)
+// - Determine if cards have block count that's not the same as the BLOCKS def
+
+#include "standalone.h" // standalone definitions
+#include "proxmark3_arm.h"
+#include "appmain.h"
+#include "fpgaloader.h"
+#include "util.h"
+#include "dbprint.h"
+
+#include "ticks.h" // SpinDelay
+#include "mifareutil.h"
+#include "iso14443a.h"
+
+#define BLOCKS 16
+#define SAK 0x00
+#define ATQA0 0x44
+#define ATQA1 0x00
+
+#define STATE_SEARCH 0
+#define STATE_READ 1
+#define STATE_EMUL 2
+
+typedef struct {
+ uint8_t uid[10];
+ uint8_t uidlen;
+ uint8_t atqa[2];
+ uint8_t sak;
+} PACKED card_clone_t;
+
+void ModInfo(void) {
+ DbpString(" HF Mifare Ultralight read/simulation by Ave Ozkal");
+}
+
+void RunMod(void) {
+ StandAloneMode();
+ Dbprintf("AveFUL (MF Ultralight read/emul) started");
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+
+ // the main loop for your standalone mode
+ for (;;) {
+ WDT_HIT();
+
+ // exit from RunMod, send a usbcommand.
+ if (data_available()) break;
+
+ iso14a_card_select_t card;
+
+ SpinDelay(500);
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+
+ // 0 = search, 1 = read, 2 = emul
+ int state = STATE_SEARCH;
+
+ DbpString("Scanning...");
+ for (;;) {
+ // Was our button held down or pressed?
+ int button_pressed = BUTTON_HELD(1000);
+
+ if (button_pressed != BUTTON_NO_CLICK || data_available())
+ break;
+ else if (state == STATE_SEARCH) {
+ if (!iso14443a_select_card(NULL, &card, NULL, true, 0, true)) {
+ continue;
+ } else {
+ if (card.sak == SAK && card.atqa[0] == ATQA0 && card.atqa[1] == ATQA1 && card.uidlen == 7) {
+ DbpString("Found ultralight with UID: ");
+ Dbhexdump(card.uidlen, card.uid, 0);
+ state = STATE_READ;
+ } else {
+ DbpString("Found non-ultralight card, ignoring.");
+ }
+ }
+ } else if (state == STATE_READ) {
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+ iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
+ bool read_successful = true;
+ Dbprintf("Contents:");
+
+ for (int i = 0; i < BLOCKS; i++) {
+ uint8_t dataout[4] = {0x00};
+ if (mifare_ultra_readblock(i, dataout)) {
+ // If there's an error reading, go back to search state
+ read_successful = false;
+ break;
+ }
+ // We're skipping 14 blocks (56 bytes) here, as that "[...] has version/signature/counter data here" according to comments on dumptoemul-mfu
+ // When converting a bin, it's almost all 0 other than one 0x0F byte, and functionality seems to be unaffected if that byte is set to 0x00.
+ emlSetMem_xt(dataout, 14 + i, 1, 4);
+ Dbhexdump(4, dataout, 0);
+ }
+
+ if (read_successful) {
+ Dbprintf("Successfully loaded into emulator memory...");
+ state = STATE_EMUL;
+ } else {
+ Dbprintf("Read failure, going back to search state.");
+ state = STATE_SEARCH;
+ }
+ } else if (state == 2) {
+ uint8_t flags = FLAG_7B_UID_IN_DATA;
+
+ Dbprintf("Starting simulation, press pm3-button to stop and go back to search state.");
+ SimulateIso14443aTag(2, flags, card.uid);
+
+ // Go back to search state if user presses pm3-button
+ state = STATE_SEARCH;
+ }
+ }
+ }
+
+ DbpString("exiting");
+ LEDsoff();
+}
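Review bot: The emulation branch of RunMod tests `state == 2` although the file defines `STATE_EMUL` for exactly that value; it should read `} else if (state == STATE_EMUL) {` so all three states are compared the same way. After `SimulateIso14443aTag` returns, the inner loop goes straight back to `iso14443a_select_card` while the only `iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD)` call sits in the outer loop before the inner one, so unless the simulation routine restores reader mode on return (not visible here) the next search runs with the FPGA still configured for tag emulation; re-issuing that setup call next to the `state = STATE_SEARCH` assignment after simulation would make the transition explicit. The return value of `iso14443a_select_card(NULL, NULL, NULL, true, 0, true)` in the read branch is discarded, so a card that has left the field is only noticed when `mifare_ultra_readblock` fails; checking it and switching to `STATE_SEARCH` directly gives a clearer failure path. `card_clone_t` is declared but never used in this file.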