RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-21 07:46:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

FIX: 'mfu authentication' bug where the pack-length was wrong

Browse source 
ADD: 'hf mfu restore'  - added a restore from file command, see helptext for instructions
CHG: some help-text updates and refactored to functions
CHG: 'hf mfu gen'  - added the possibility to read uid from card as input
CHG: 'hf mfu dump' - refactored out the dump-printing
This commit is contained in:
iceman1001 2017-07-13 13:10:46 +02:00
parent de97a6f1b0
commit 7cf0bf19e5
4 changed files with 407 additions and 201 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
client/cmdhfmf.c
View file

@ -143,6 +143,14 @@ int usage_hf14_keybrute(void){
PrintAndLog(" hf mf keybrute 1 A 000011223344");
return 0;
}
int usage_hf14_restore(void){
PrintAndLog("Usage: hf mf restore [card memory]");
PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
PrintAndLog("");
PrintAndLog("Samples: hf mf restore");
PrintAndLog(" hf mf restore 4");
return 0;
}
int usage_hf14_eget(void){
PrintAndLog("Usage: hf mf eget <block number>");
@ -188,7 +196,7 @@ int usage_hf14_ecfill(void){
PrintAndLog(" hf mf ecfill A 4");
return 0;
}
int usage_hf14a_ekeyprn(void){
int usage_hf14_ekeyprn(void){
PrintAndLog("It prints the keys loaded in the emulator memory");
PrintAndLog("Usage: hf mf ekeyprn [card memory]");
PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
@ -772,14 +780,8 @@ int CmdHF14AMfRestore(const char *Cmd) {
char cmdp = param_getchar(Cmd, 0);
numSectors = NumOfSectors(cmdp);
if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf mf restore [card memory]");
PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
PrintAndLog("");
PrintAndLog("Samples: hf mf restore");
PrintAndLog(" hf mf restore 4");
return 0;
}
if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H')
return usage_hf14_restore();
if ((fkeys = fopen("dumpkeys.bin","rb")) == NULL) {
PrintAndLog("Could not find file dumpkeys.bin");
@ -2116,7 +2118,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) {
char c = param_getchar(Cmd, 0);
if ( c == 'h' || c == 'H' )
return usage_hf14a_ekeyprn();
return usage_hf14_ekeyprn();
numSectors = NumOfSectors(c);

64
client/cmdhfmf.h
View file

@ -26,39 +26,39 @@
#include "cmdhfmfhard.h"
#include "nonce2key/nonce2key.h"
int CmdHFMF(const char *Cmd);
extern int CmdHFMF(const char *Cmd);
int CmdHF14AMfDbg(const char* cmd);
int CmdHF14AMfRdBl(const char* cmd);
int CmdHF14AMfURdBl(const char* cmd);
int CmdHF14AMfRdSc(const char* cmd);
int CmdHF14SMfURdCard(const char* cmd);
int CmdHF14AMfDump(const char* cmd);
int CmdHF14AMfRestore(const char* cmd);
int CmdHF14AMfWrBl(const char* cmd);
int CmdHF14AMfUWrBl(const char* cmd);
int CmdHF14AMfChk(const char* cmd);
int CmdHF14AMifare(const char* cmd);
int CmdHF14AMfNested(const char* cmd);
int CmdHF14AMfNestedHard(const char *Cmd);
int CmdHF14AMfSniff(const char* cmd);
int CmdHF14AMf1kSim(const char* cmd);
int CmdHF14AMfKeyBrute(const char *Cmd);
int CmdHF14AMfEClear(const char* cmd);
int CmdHF14AMfEGet(const char* cmd);
int CmdHF14AMfESet(const char* cmd);
int CmdHF14AMfELoad(const char* cmd);
int CmdHF14AMfESave(const char* cmd);
int CmdHF14AMfECFill(const char* cmd);
int CmdHF14AMfEKeyPrn(const char* cmd);
int CmdHF14AMfCSetUID(const char* cmd);
int CmdHF14AMfCSetBlk(const char* cmd);
int CmdHF14AMfCGetBlk(const char* cmd);
int CmdHF14AMfCGetSc(const char* cmd);
int CmdHF14AMfCLoad(const char* cmd);
int CmdHF14AMfCSave(const char* cmd);
int CmdHf14MfDecryptBytes(const char *Cmd);
int CmdHf14AMfSetMod(const char *Cmd);
extern int CmdHF14AMfDbg(const char* cmd);
extern int CmdHF14AMfRdBl(const char* cmd);
extern int CmdHF14AMfURdBl(const char* cmd);
extern int CmdHF14AMfRdSc(const char* cmd);
extern int CmdHF14SMfURdCard(const char* cmd);
extern int CmdHF14AMfDump(const char* cmd);
extern int CmdHF14AMfRestore(const char* cmd);
extern int CmdHF14AMfWrBl(const char* cmd);
extern int CmdHF14AMfUWrBl(const char* cmd);
extern int CmdHF14AMfChk(const char* cmd);
extern int CmdHF14AMifare(const char* cmd);
extern int CmdHF14AMfNested(const char* cmd);
extern int CmdHF14AMfNestedHard(const char *Cmd);
extern int CmdHF14AMfSniff(const char* cmd);
extern int CmdHF14AMf1kSim(const char* cmd);
extern int CmdHF14AMfKeyBrute(const char *Cmd);
extern int CmdHF14AMfEClear(const char* cmd);
extern int CmdHF14AMfEGet(const char* cmd);
extern int CmdHF14AMfESet(const char* cmd);
extern int CmdHF14AMfELoad(const char* cmd);
extern int CmdHF14AMfESave(const char* cmd);
extern int CmdHF14AMfECFill(const char* cmd);
extern int CmdHF14AMfEKeyPrn(const char* cmd);
extern int CmdHF14AMfCSetUID(const char* cmd);
extern int CmdHF14AMfCSetBlk(const char* cmd);
extern int CmdHF14AMfCGetBlk(const char* cmd);
extern int CmdHF14AMfCGetSc(const char* cmd);
extern int CmdHF14AMfCLoad(const char* cmd);
extern int CmdHF14AMfCSave(const char* cmd);
extern int CmdHf14MfDecryptBytes(const char *Cmd);
extern int CmdHf14AMfSetMod(const char *Cmd);
void showSectorTable(void);
void readerAttack(nonces_t data, bool setEmulatorMem, bool verbose);

506
client/cmdhfmfu.c
View file

@ -285,10 +285,10 @@ static int ulev1_requestAuthentication( uint8_t *pwd, uint8_t *pack, uint16_t pa
return len;
}
static int ul_auth_select( iso14a_card_select_t *card, TagTypeUL_t tagtype, bool hasAuthKey, uint8_t *authenticationkey, uint8_t *pack, uint8_t packSize){
static int ul_auth_select( iso14a_card_select_t *card, TagTypeUL_t tagtype, bool hasAuthKey, uint8_t *authkey, uint8_t *pack, uint8_t packSize){
if ( hasAuthKey && (tagtype & UL_C)) {
//will select card automatically and close connection on error
if (!ulc_authentication(authenticationkey, false)) {
if (!ulc_authentication(authkey, false)) {
PrintAndLog("Error: Authentication Failed UL-C");
return 0;
}
@ -296,7 +296,7 @@ static int ul_auth_select( iso14a_card_select_t *card, TagTypeUL_t tagtype, bool
if ( !ul_select(card) ) return 0;
if (hasAuthKey) {
if ( ulev1_requestAuthentication(authenticationkey, pack, packSize > -1 )) {
if ( ulev1_requestAuthentication(authkey, pack, packSize) == -1 ) {
ul_switch_off_field();
PrintAndLog("Error: Authentication Failed UL-EV1/NTAG");
return 0;
@ -1272,6 +1272,21 @@ int usage_hf_mfu_dump(void) {
return 0;
}
int usage_hf_mfu_restore(void){
PrintAndLog("Restore dumpfile onto card.");
PrintAndLog("Usage: hf mfu restore [h] [l] [s] k <key> n <filename w/o .bin> ");
PrintAndLog(" Options :");
PrintAndLog(" k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
PrintAndLog(" l : (optional) swap entered key's endianness");
PrintAndLog(" s : (optional) enable special write -MAGIC TAG ONLY-");
PrintAndLog(" f <FN> : filename w/o .bin to restore");
PrintAndLog("");
PrintAndLog(" samples:");
PrintAndLog(" : hf mfu restore s f myfile");
PrintAndLog(" : hf mfu restore k AABBCCDDD s f myfile\n");
return 0;
}
int usage_hf_mfu_rdbl(void) {
PrintAndLog("Read a block and print. It autodetects card type.\n");
PrintAndLog("Usage: hf mfu rdbl b <block number> k <key> l\n");
@ -1362,17 +1377,22 @@ int usage_hf_mfu_ucsetuid(void) {
return 0;
}
int usage_hf_mfu_gendiverse(void){
PrintAndLog("Usage: hf mfu gen <uid (8 hex symbols)>");
PrintAndLog("");
PrintAndLog("sample: hf mfu gen 11223344");
int usage_hf_mfu_gendiverse(void){
PrintAndLog("Usage: hf mfu gen [h] [r] <uid (8 hex symbols)>");
PrintAndLog("options:");
PrintAndLog(" h : this help");
PrintAndLog(" r : read uid from tag");
PrintAndLog(" <uid> : 4 byte UID (optional)");
PrintAndLog("samples:");
PrintAndLog(" hf mfu gen r");
PrintAndLog(" hf mfu gen 11223344");
PrintAndLog("");
return 0;
}
int usage_hf_mfu_pwdgen(void){
int usage_hf_mfu_pwdgen(void){
PrintAndLog("Usage: hf mfu pwdgen [h] [r] <uid (14 hex symbols)>");
PrintAndLog(" Options:");
PrintAndLog("options:");
PrintAndLog(" h : this help");
PrintAndLog(" r : read uid from tag");
PrintAndLog(" <uid> : 7 byte UID (optional)");
@ -1384,6 +1404,105 @@ int usage_hf_mfu_pwdgen(void){
}
#define DUMP_PREFIX_LENGTH 48
void printMFUdump(mfu_dump_t* card) {
printMFUdumpEx(card, 255, 0);
}
void printMFUdumpEx(mfu_dump_t* card, uint16_t pages, uint8_t startpage) {
PrintAndLog("\n*special* data\n");
PrintAndLog("\nDataType | Data | Ascii");
PrintAndLog("----------+-------------------------+---------");
PrintAndLog("Version | %s| %s", sprint_hex(card->version, sizeof(card->version)), sprint_ascii(card->version, sizeof(card->version)) );
PrintAndLog("TBD | %-24s| %s", sprint_hex(card->tbo, sizeof(card->tbo)), sprint_ascii(card->tbo, sizeof(card->tbo)));
PrintAndLog("Tearing | %-24s| %s", sprint_hex(card->tearing, sizeof(card->tearing)), sprint_ascii(card->tearing, sizeof(card->tearing)));
PrintAndLog("Pack | %-24s| %s", sprint_hex(card->pack, sizeof(card->pack)), sprint_ascii(card->pack, sizeof(card->pack)));
PrintAndLog("TBD | %-24s| %s", sprint_hex(card->tbo1, sizeof(card->tbo1)), sprint_ascii(card->tbo1, sizeof(card->tbo1)));
PrintAndLog("Signature1| %s| %s", sprint_hex(card->signature, 16), sprint_ascii(card->signature, 16));
PrintAndLog("Signature2| %s| %s", sprint_hex(card->signature+16, 16), sprint_ascii(card->signature+16, 16));
PrintAndLog("-------------------------------------------------------------");
PrintAndLog("\nBlock# | Data |lck| Ascii");
PrintAndLog("---------+-------------+---+------");
uint8_t j = 0;
bool lckbit = false;
uint8_t *data = card->data;
uint8_t lockbytes_sta[] = {0,0};
uint8_t lockbytes_dyn[] = {0,0};
bool bit_stat[16] = {0};
bool bit_dyn[16] = {0};
// Load static lock bytes.
lockbytes_sta[0] = *data + 10;
lockbytes_sta[1] = *data + 11;
for(j = 0; j < 16; j++){
bit_stat[j] = lockbytes_sta[j/8] & ( 1 <<(7-j%8));
}
// Load dynamic lockbytes if available
// TODO -- FIGURE OUT LOCK BYTES FOR TO EV1 and/or NTAG
if ( pages == 44 ) {
lockbytes_dyn[0] = *data + (40*4) + 3;
lockbytes_dyn[1] = *data + (40*4) + 4;
for (j = 0; j < 16; j++) {
bit_dyn[j] = lockbytes_dyn[j/8] & ( 1 <<(7-j%8));
}
}
for (uint8_t i = 0; i < pages; ++i) {
if ( i < 3 ) {
PrintAndLog("%3d/0x%02X | %s| | %s", i+startpage, i+startpage, sprint_hex(data + i * 4, 4), sprint_ascii(data + i * 4,4) );
continue;
}
switch(i){
case 3: lckbit = bit_stat[4]; break;
case 4: lckbit = bit_stat[3]; break;
case 5: lckbit = bit_stat[2]; break;
case 6: lckbit = bit_stat[1]; break;
case 7: lckbit = bit_stat[0]; break;
case 8: lckbit = bit_stat[15]; break;
case 9: lckbit = bit_stat[14]; break;
case 10: lckbit = bit_stat[13]; break;
case 11: lckbit = bit_stat[12]; break;
case 12: lckbit = bit_stat[11]; break;
case 13: lckbit = bit_stat[10]; break;
case 14: lckbit = bit_stat[9]; break;
case 15: lckbit = bit_stat[8]; break;
case 16:
case 17:
case 18:
case 19: lckbit = bit_dyn[6]; break;
case 20:
case 21:
case 22:
case 23: lckbit = bit_dyn[5]; break;
case 24:
case 25:
case 26:
case 27: lckbit = bit_dyn[4]; break;
case 28:
case 29:
case 30:
case 31: lckbit = bit_dyn[2]; break;
case 32:
case 33:
case 34:
case 35: lckbit = bit_dyn[1]; break;
case 36:
case 37:
case 38:
case 39: lckbit = bit_dyn[0]; break;
case 40: lckbit = bit_dyn[12]; break;
case 41: lckbit = bit_dyn[11]; break;
case 42: lckbit = bit_dyn[10]; break; //auth0
case 43: lckbit = bit_dyn[9]; break; //auth1
default: break;
}
PrintAndLog("%3d/0x%02X | %s| %d | %s", i+startpage, i+startpage, sprint_hex(data + i * 4, 4), lckbit, sprint_ascii(data + i * 4,4));
}
PrintAndLog("---------------------------------");
}
//
// Mifare Ultralight / Ultralight-C / Ultralight-EV1
// Read and Dump Card Contents, using auto detection of tag size.
@ -1392,17 +1511,11 @@ int CmdHF14AMfUDump(const char *Cmd){
FILE *fout;
char filename[FILE_PATH_SIZE] = {0x00};
char *fnameptr = filename;
uint8_t *lockbytes_t = NULL;
uint8_t lockbytes[2] = {0x00};
uint8_t *lockbytes_t2 = NULL;
uint8_t lockbytes2[2] = {0x00};
bool bit[16] = {0x00};
bool bit2[16] = {0x00};
uint8_t data[1024] = {0x00};
bool hasAuthKey = false;
int i = 0;
int Pages = 16;
bool tmplockbit = false;
uint8_t dataLen = 0;
uint8_t cmdp = 0;
uint8_t authenticationkey[16] = {0x00};
@ -1497,7 +1610,7 @@ int CmdHF14AMfUDump(const char *Cmd){
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
if (!WaitForResponseTimeout(CMD_ACK, &resp,1500)) {
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
PrintAndLog("Command execute time-out");
return 1;
}
@ -1516,31 +1629,11 @@ int CmdHF14AMfUDump(const char *Cmd){
WaitForResponse(CMD_ACK,NULL);
Pages = bufferSize/4;
// Load lock bytes.
int j = 0;
lockbytes_t = data + 8;
lockbytes[0] = lockbytes_t[2];
lockbytes[1] = lockbytes_t[3];
for(j = 0; j < 16; j++){
bit[j] = lockbytes[j/8] & ( 1 <<(7-j%8));
}
// Load bottom lockbytes if available
// TODO -- FIGURE OUT LOCK BYTES FOR TO EV1 and/or NTAG
if ( Pages == 44 ) {
lockbytes_t2 = data + (40*4);
lockbytes2[0] = lockbytes_t2[2];
lockbytes2[1] = lockbytes_t2[3];
for (j = 0; j < 16; j++) {
bit2[j] = lockbytes2[j/8] & ( 1 <<(7-j%8));
}
}
uint8_t get_pack[] = {0,0};
iso14a_card_select_t card;
uint8_t dump_file_data[1024+DUMP_PREFIX_LENGTH] = {0x00};
uint8_t get_version[] = {0,0,0,0,0,0,0,0,0};
mfu_dump_t dump_file_data;
uint8_t get_version[] = {0,0,0,0,0,0,0,0};
uint8_t get_tearing[] = {0,0,0};
uint8_t get_counter[] = {0,0,0};
uint8_t dummy_pack[] = {0,0};
@ -1558,23 +1651,25 @@ int CmdHF14AMfUDump(const char *Cmd){
ul_switch_off_field();
// add pack to block read
memcpy(data + (Pages*4) - 4, get_pack, sizeof(get_pack));
if ( hasAuthKey )
ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, dummy_pack, sizeof(dummy_pack));
else
ul_select(&card);
if ( hasAuthKey )
ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, dummy_pack, sizeof(dummy_pack));
else
ul_select(&card);
ulev1_getVersion( get_version, sizeof(get_version) );
for ( uint8_t i = 0; i<3; ++i) {
ulev1_readTearing(i, get_tearing+i, 1);
ulev1_readCounter(i, get_counter, sizeof(get_counter) );
}
ul_switch_off_field();
if ( hasAuthKey )
ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, dummy_pack, sizeof(dummy_pack));
else
ul_select(&card);
ulev1_readSignature( get_signature, sizeof(get_signature));
ul_switch_off_field();
ulev1_getVersion( get_version, sizeof(get_version) );
for ( uint8_t i = 0; i<3; ++i) {
ulev1_readTearing(i, get_tearing+i, 1);
ulev1_readCounter(i, get_counter, sizeof(get_counter) );
}
ul_switch_off_field();
if ( hasAuthKey )
ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, dummy_pack, sizeof(dummy_pack));
else
ul_select(&card);
ulev1_readSignature( get_signature, sizeof(get_signature));
ul_switch_off_field();
}
// format and add keys to block dump output
@ -1597,89 +1692,15 @@ int CmdHF14AMfUDump(const char *Cmd){
}
//add *special* blocks to dump
//get version
memcpy(dump_file_data, get_version, sizeof(get_version));
//tearing
memcpy(dump_file_data+10, get_tearing, sizeof(get_tearing));
//pack
memcpy(dump_file_data+13, get_pack, sizeof(get_pack));
//signature
memcpy(dump_file_data+16, get_signature, sizeof(get_signature));
//add regular block read data to dump
memcpy(dump_file_data+DUMP_PREFIX_LENGTH, data, Pages*4);
PrintAndLog("\n*Special* block data:");
PrintAndLog("\nDataType| Data | | Ascii");
PrintAndLog("---------------------------------");
PrintAndLog("GetVer-1| %s| | %s", sprint_hex(dump_file_data, 4), sprint_ascii(dump_file_data, 4));
PrintAndLog("GetVer-2| %s| | %s", sprint_hex(dump_file_data+4, 4), sprint_ascii(dump_file_data+4,4));
PrintAndLog("TBD | 00 00 | | ");
PrintAndLog("Tearing | %s| | %s", sprint_hex(dump_file_data+10, 3), sprint_ascii(dump_file_data+10,3) );
PrintAndLog("Pack | %s | | %s", sprint_hex(dump_file_data+13, 2), sprint_ascii(dump_file_data+13,2) );
PrintAndLog("TBD | 00 | | ");
PrintAndLog("Sig-1 | %s| | %s", sprint_hex(dump_file_data+16, 4), sprint_ascii(dump_file_data+16,4));
PrintAndLog("Sig-2 | %s| | %s", sprint_hex(dump_file_data+20, 4), sprint_ascii(dump_file_data+20,4));
PrintAndLog("Sig-3 | %s| | %s", sprint_hex(dump_file_data+24, 4), sprint_ascii(dump_file_data+24,4));
PrintAndLog("Sig-4 | %s| | %s", sprint_hex(dump_file_data+28, 4), sprint_ascii(dump_file_data+28,4));
PrintAndLog("Sig-5 | %s| | %s", sprint_hex(dump_file_data+32, 4), sprint_ascii(dump_file_data+32,4));
PrintAndLog("Sig-6 | %s| | %s", sprint_hex(dump_file_data+36, 4), sprint_ascii(dump_file_data+36,4));
PrintAndLog("Sig-7 | %s| | %s", sprint_hex(dump_file_data+40, 4), sprint_ascii(dump_file_data+40,4));
PrintAndLog("Sig-8 | %s| | %s", sprint_hex(dump_file_data+44, 4), sprint_ascii(dump_file_data+44,4));
PrintAndLog("\nBlock# | Data |lck| Ascii");
PrintAndLog("---------------------------------");
for (i = 0; i < Pages; ++i) {
if ( i < 3 ) {
PrintAndLog("%02d/0x%02X | %s| | %s", i+startPage, i+startPage, sprint_hex(data + i * 4, 4), sprint_ascii(data + i * 4,4) );
continue;
}
switch(i){
case 3: tmplockbit = bit[4]; break;
case 4: tmplockbit = bit[3]; break;
case 5: tmplockbit = bit[2]; break;
case 6: tmplockbit = bit[1]; break;
case 7: tmplockbit = bit[0]; break;
case 8: tmplockbit = bit[15]; break;
case 9: tmplockbit = bit[14]; break;
case 10: tmplockbit = bit[13]; break;
case 11: tmplockbit = bit[12]; break;
case 12: tmplockbit = bit[11]; break;
case 13: tmplockbit = bit[10]; break;
case 14: tmplockbit = bit[9]; break;
case 15: tmplockbit = bit[8]; break;
case 16:
case 17:
case 18:
case 19: tmplockbit = bit2[6]; break;
case 20:
case 21:
case 22:
case 23: tmplockbit = bit2[5]; break;
case 24:
case 25:
case 26:
case 27: tmplockbit = bit2[4]; break;
case 28:
case 29:
case 30:
case 31: tmplockbit = bit2[2]; break;
case 32:
case 33:
case 34:
case 35: tmplockbit = bit2[1]; break;
case 36:
case 37:
case 38:
case 39: tmplockbit = bit2[0]; break;
case 40: tmplockbit = bit2[12]; break;
case 41: tmplockbit = bit2[11]; break;
case 42: tmplockbit = bit2[10]; break; //auth0
case 43: tmplockbit = bit2[9]; break; //auth1
default: break;
}
PrintAndLog("%02d/0x%02X | %s| %d | %s", i+startPage, i+startPage, sprint_hex(data + i * 4, 4), tmplockbit, sprint_ascii(data + i * 4,4));
}
PrintAndLog("---------------------------------");
//iceman: need to add counters and pwd values to the dump format
memcpy(dump_file_data.version, get_version, sizeof(dump_file_data.version));
memcpy(dump_file_data.tearing, get_tearing, sizeof(dump_file_data.tearing));
memcpy(dump_file_data.pack, get_pack, sizeof(dump_file_data.pack));
memcpy(dump_file_data.signature, get_signature, sizeof(dump_file_data.signature));
memcpy(dump_file_data.data, data, Pages*4);
printMFUdumpEx(&dump_file_data, Pages, startPage);
// user supplied filename?
if (fileNlen < 1) {
// UID = data 0-1-2 4-5-6-7 (skips a beat)
@ -1693,15 +1714,173 @@ int CmdHF14AMfUDump(const char *Cmd){
PrintAndLog("Could not create file name %s", filename);
return 1;
}
fwrite( dump_file_data, 1, Pages*4 + DUMP_PREFIX_LENGTH, fout );
if (fout) {
fwrite( &dump_file_data, 1, Pages*4 + DUMP_PREFIX_LENGTH, fout );
if (fout)
fclose(fout);
fout = NULL;
}
PrintAndLog("Dumped %d pages, wrote %d bytes to %s", Pages+(DUMP_PREFIX_LENGTH/4), Pages*4 + DUMP_PREFIX_LENGTH, filename);
return 0;
}
int CmdHF14AMfURestore(const char *Cmd){
char tempStr[50] = {0};
char filename[FILE_PATH_SIZE] = {0};
uint8_t authkey[16] = {0};
uint8_t *p_authkey = authkey;
uint8_t cmdp = 0, keylen = 0;
//uint8_t bldata[16] = {0x00};
bool hasKey = false;
bool swapEndian = false;
bool errors = false;
bool write_special = false;
size_t filelen = 0;
FILE *f;
UsbCommand c = {CMD_MIFAREU_WRITEBL, {0,0,0}};
memset(authkey, 0x00, sizeof(authkey));
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
{
case 'h':
case 'H':
return usage_hf_mfu_restore();
case 'k':
case 'K':
keylen = param_getstr(Cmd, cmdp+1, tempStr);
if (keylen == 32 || keylen == 8) { //ul-c or ev1/ntag key length
errors = param_gethex(tempStr, 0, authkey, keylen);
keylen /= 2;
} else {
PrintAndLog("\nERROR: Key is incorrect length\n");
errors = true;
}
cmdp += 2;
hasKey = true;
break;
case 'l':
case 'L':
swapEndian = true;
cmdp++;
break;
case 'f':
case 'F':
filelen = param_getstr(Cmd, cmdp+1, filename);
if (filelen > FILE_PATH_SIZE-5) filelen = FILE_PATH_SIZE-5;
if ( filelen < 0) {
sprintf(filename, "dumpdata.bin");
}
cmdp += 2;
break;
case 's':
case 'S':
cmdp++;
write_special = true;
break;
default:
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = true;
break;
}
if(errors) break;
}
//Validations
if(errors) return usage_hf_mfu_restore();
if ((f = fopen(filename,"rb")) == NULL) {
PrintAndLog("Could not find file %s", filename);
return 1;
}
// get filesize to know how memory to allocate
fseek(f, 0, SEEK_END);
long fsize = ftell(f);
fseek(f, 0, SEEK_SET);
if (fsize < 0) {
PrintAndLog("Error, when getting filesize");
fclose(f);
return 1;
}
uint8_t *dump = malloc(fsize);
// read all data
size_t bytes_read = fread(dump, 1, fsize, f);
fclose(f);
if ( bytes_read < 48 ) {
PrintAndLog("Error, dump file is too small");
return 1;
}
PrintAndLog("Restoring %s to card", filename);
mfu_dump_t *mem = (mfu_dump_t*)dump;
uint8_t pages = (bytes_read-48)/4;
// print dump
printMFUdumpEx(mem, pages, 0);
// Swap endianness
if (swapEndian && hasKey) {
if ( keylen == 16 )
p_authkey = SwapEndian64(authkey, keylen, 8);
else
p_authkey = SwapEndian64(authkey, len, 4);
}
for (uint8_t b = 0; b < pages; b++) {
// only magic tags can write to block 0,1,2,3
if ( b < 4 && !write_special )
continue;
//Send write Block
c.arg[0] = b;
memcpy(c.d.asBytes, mem->data + (b*4), 4);
if ( hasKey ){
c.arg[1] = (keylen == 16) ? 1 : 2;
memcpy(c.d.asBytes+4, p_authkey, keylen);
}
if ( b < 4)
printf("data written block %u - %s\n", b, sprint_hex(c.d.asBytes, 8) );
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
uint8_t isOK = resp.arg[0] & 0xff;
PrintAndLog("isOk:%02x", isOK);
} else {
PrintAndLog("Command execute timeout");
}
}
if ( write_special ) {
// write version, signature, pack
}
ul_switch_off_field();
free(dump);
return 0;
}
int CmdHF14AMfUeLoad(const char *Cmd){
char c = param_getchar(Cmd, 0);
if ( c == 'h' || c == 'H' || c == 0x00) return usage_hf_mfu_eload();
return CmdHF14AMfELoad(Cmd);
}
int CmdHF14AMfUSim(const char *Cmd){
char c = param_getchar(Cmd, 0);
if ( c == 'h' || c == 'H' || c == 0x00) return usage_hf_mfu_sim();
return CmdHF14ASim(Cmd);
}
//-------------------------------------------------------------------------------
// Ultralight C Methods
//-------------------------------------------------------------------------------
@ -1937,8 +2116,7 @@ int CmdHF14AMfucSetUid(const char *Cmd){
if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
PrintAndLog("Command execute timeout");
return 5;
}
}
return 0;
}
@ -1948,10 +2126,31 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
char cmdp = param_getchar(Cmd, 0);
if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_gendiverse();
if (param_gethex(Cmd, 0, uid, 8)) {
PrintAndLog("UID must include 8 HEX symbols");
return 1;
if ( cmdp == 'r' || cmdp == 'R') {
// read uid from tag
UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
WaitForResponse(CMD_ACK, &resp);
iso14a_card_select_t card;
memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
if(select_status == 0) {
PrintAndLog("iso14443a card select failed");
return 1;
}
if ( card.uidlen != 4 ) {
PrintAndLog("Wrong sized UID, expected 4bytes got %d", card.uidlen);
return 1;
}
memcpy(uid, card.uid, sizeof(uid));
}
else {
if (param_gethex(Cmd, 0, uid, 8)) return usage_hf_mfu_gendiverse();
}
uint8_t iv[8] = { 0x00 };
uint8_t block = 0x01;
@ -2030,18 +2229,6 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
return 0;
}
int CmdHF14AMfUeLoad(const char *Cmd) {
char ctmp = param_getchar(Cmd, 0);
if ( ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) return usage_hf_mfu_eload();
return CmdHF14AMfELoad(Cmd);
}
int CmdHF14AMfUSim(const char *Cmd) {
char ctmp = param_getchar(Cmd, 0);
if ( ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) return usage_hf_mfu_sim();
return CmdHF14ASim(Cmd);
}
int CmdHF14AMfuPwdGen(const char *Cmd){
uint8_t uid[7] = {0x00};
@ -2092,6 +2279,7 @@ static command_t CommandTable[] =
{"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
{"info", CmdHF14AMfUInfo, 0, "Tag information"},
{"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C / NTAG tag to binary file"},
{"restore", CmdHF14AMfURestore, 0, "Restore a dump onto a MFU MAGIC tag"},
{"eload", CmdHF14AMfUeLoad, 0, "load Ultralight .eml dump file into emulator memory"},
{"rdbl", CmdHF14AMfURdBl, 0, "Read block"},
{"wrbl", CmdHF14AMfUWrBl, 0, "Write block"},

16
client/cmdhfmfu.h
View file

@ -4,6 +4,17 @@
#ifndef CMDHFMFU_H__
#define CMDHFMFU_H__
typedef struct {
uint8_t version[8];
uint8_t tbo[2];
uint8_t tearing[3];
uint8_t pack[2];
uint8_t tbo1[1];
uint8_t signature[32];
//uint8_t counter[3];
uint8_t data[1024];
} mfu_dump_t;
extern int CmdHF14AMfUWrBl(const char *Cmd);
extern int CmdHF14AMfURdBl(const char *Cmd);
@ -16,6 +27,7 @@ extern int CmdHF14AMfuPwdGen(const char *Cmd);
//general stuff
extern int CmdHF14AMfUDump(const char *Cmd);
extern int CmdHF14AMfURestore(const char *Cmd);
extern int CmdHF14AMfUInfo(const char *Cmd);
extern int CmdHF14AMfUeLoad(const char *Cmd);
extern int CmdHF14AMfUSim(const char *Cmd);
@ -24,6 +36,9 @@ extern uint32_t GetHF14AMfU_Type(void);
extern int ul_print_type(uint32_t tagtype, uint8_t spacer);
extern void ul_switch_off_field(void);
void printMFUdump(mfu_dump_t* card);
void printMFUdumpEx(mfu_dump_t* card, uint16_t pages, uint8_t startpage);
extern int usage_hf_mfu_info(void);
extern int usage_hf_mfu_dump(void);
extern int usage_hf_mfu_rdbl(void);
@ -77,4 +92,5 @@ typedef enum TAGTYPE_UL {
UL_ERROR = 0xFFFFFF,
} TagTypeUL_t;
#endif