added a --override MAD crc check parameter to NDEF read commands

2025-09-04 19:54:39 +08:00 · 2025-08-29 13:55:00 +02:00 · 2025-08-29 13:55:00 +02:00 · c3e29789a9
commit c3e29789a9
parent 35f144dac0
7 changed files with 43 additions and 23 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

 ## [unreleased][unreleased]
+- Added `--override` parameter to NDEF read for overriding MAD CRC check (@iceman1001)
 - Added `hf saflok` commands (@stiebeljoshua)
 - Added `ntag_clean.lua` script for easier NTAG memory wipe (@trigat)
 - Changed from Bigbuf malloc to Bigbuf calloc calls on device side (@iceman1001)
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@ -6787,6 +6787,7 @@ static int CmdHF14AMfMAD(const char *Cmd) {
    bool swapmad = arg_get_lit(ctx, 5);
    bool decodeholder = arg_get_lit(ctx, 6);
    bool force = arg_get_lit(ctx, 8);
+    bool override = arg_get_lit(ctx, 9);

    int fnlen = 0;
    char filename[FILE_PATH_SIZE] = {0};
@ -6874,7 +6875,7 @@ static int CmdHF14AMfMAD(const char *Cmd) {
        if (aidlen == 2 || decodeholder) {
            uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
            size_t madlen = 0;
-            if (MADDecode(dump, dump + (0x10 * MIFARE_1K_MAXBLOCK), mad, &madlen, swapmad)) {
+            if (MADDecode(dump, dump + (0x10 * MIFARE_1K_MAXBLOCK), mad, &madlen, swapmad, override)) {
                PrintAndLogEx(ERR, "can't decode MAD");
                free(dump);
                return PM3_ESOFT;
@ -6959,7 +6960,7 @@ static int CmdHF14AMfMAD(const char *Cmd) {
    if (aidlen == 2 || decodeholder) {
        uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
        size_t madlen = 0;
-        if (MADDecode(sector0, sector10, mad, &madlen, swapmad)) {
+        if (MADDecode(sector0, sector10, mad, &madlen, swapmad, override)) {
            PrintAndLogEx(ERR, "can't decode MAD");
            return PM3_ESOFT;
        }
@ -7052,8 +7053,8 @@ int CmdHFMFNDEFRead(const char *Cmd) {
                  "Prints NFC Data Exchange Format (NDEF)",
                  "hf mf ndefread -> shows NDEF parsed data\n"
                  "hf mf ndefread -vv -> shows NDEF parsed and raw data\n"
+                  "hf mf ndefread -f myfilename                   -> save raw NDEF to file\n"
                  "hf mf ndefread --aid e103 -k ffffffffffff -b -> shows NDEF data with custom AID, key and with key B\n"
-                  "hf mf ndefread -f myfilename -> save raw NDEF to file"
                 );

    void *argtable[] = {
@ -7063,6 +7064,7 @@ int CmdHFMFNDEFRead(const char *Cmd) {
        arg_str0("k",  "key",      "<key>", "replace default key for NDEF"),
        arg_lit0("b",  "keyb",     "use key B for access sectors (by default: key A)"),
        arg_str0("f", "file", "<fn>", "save raw NDEF to file"),
+        arg_lit0(NULL, "override", "override failed crc check"),
        arg_param_end
    };
    CLIExecWithReturn(ctx, Cmd, argtable, true);
@ -7083,6 +7085,7 @@ int CmdHFMFNDEFRead(const char *Cmd) {
    char filename[FILE_PATH_SIZE] = {0};
    CLIParamStrToBuf(arg_get_str(ctx, 5), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);

+    bool override = arg_get_lit(ctx, 6);
    CLIParserFree(ctx);

    uint16_t ndef_aid = NDEF_MFC_AID;
@ -7131,7 +7134,7 @@ int CmdHFMFNDEFRead(const char *Cmd) {

    uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
    size_t madlen = 0;
-    res = MADDecode(sector0, sector10, mad, &madlen, false);
+    res = MADDecode(sector0, sector10, mad, &madlen, false, override);
    if (res != PM3_SUCCESS) {
        PrintAndLogEx(ERR, "can't decode MAD");
        return res;
@ -7561,7 +7564,7 @@ int CmdHFMFNDEFWrite(const char *Cmd) {
    // decode MAD v1
    uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
    size_t madlen = 0;
-    res = MADDecode(sector0, sector10, mad, &madlen, false);
+    res = MADDecode(sector0, sector10, mad, &madlen, false, false);
    if (res != PM3_SUCCESS) {
        PrintAndLogEx(ERR, "can't decode MAD");
        return res;
@ -8441,7 +8444,7 @@ static int CmdHF14AMfView(const char *Cmd) {
        // decode MAD v1
        uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
        size_t madlen = 0;
-        res = MADDecode(dump, NULL, mad, &madlen, false);
+        res = MADDecode(dump, NULL, mad, &madlen, false, true);
        if (res != PM3_SUCCESS) {
            PrintAndLogEx(ERR, "can't decode MAD");
            return res;
--- a/client/src/cmdhfmfp.c
+++ b/client/src/cmdhfmfp.c
@ -1981,6 +1981,7 @@ static int CmdHFMFPMAD(const char *Cmd) {
        arg_lit0("b",  "keyb",     "Use key B for access printing sectors (def: key A)"),
        arg_lit0(NULL, "be",       "(optional: BigEndian)"),
        arg_lit0(NULL, "dch",      "Decode Card Holder information"),
+        arg_lit0(NULL, "override", "override failed crc check"),
        arg_param_end
    };
    CLIExecWithReturn(ctx, Cmd, argtable, true);
@ -1995,6 +1996,7 @@ static int CmdHFMFPMAD(const char *Cmd) {
    bool keyB = arg_get_lit(ctx, 4);
    bool swapmad = arg_get_lit(ctx, 5);
    bool decodeholder = arg_get_lit(ctx, 6);
+    bool override = arg_get_lit(ctx, 7);

    CLIParserFree(ctx);

@ -2035,7 +2037,7 @@ static int CmdHFMFPMAD(const char *Cmd) {
    if (aidlen == 2 || decodeholder) {
        uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
        size_t madlen = 0;
-        if (MADDecode(sector0, sector16, mad, &madlen, swapmad)) {
+        if (MADDecode(sector0, sector16, mad, &madlen, swapmad, override)) {
            PrintAndLogEx(ERR, "can't decode MAD");
            return PM3_EWRONGANSWER;
        }
@ -2140,8 +2142,8 @@ int CmdHFMFPNDEFRead(const char *Cmd) {
                  "Prints NFC Data Exchange Format (NDEF)",
                  "hf mfp ndefread \n"
                  "hf mfp ndefread -vv                                            -> shows NDEF parsed and raw data\n"
+                  "hf mfp ndefread -f myfilename                                  -> save raw NDEF to file\n"
                  "hf mfp ndefread --aid e103 -k d3f7d3f7d3f7d3f7d3f7d3f7d3f7d3f7 -> shows NDEF data with custom AID and key\n"
-                  "hf mfp ndefread -f myfilename -> save raw NDEF to file"
                 );

    void *argtable[] = {
@ -2151,6 +2153,7 @@ int CmdHFMFPNDEFRead(const char *Cmd) {
        arg_str0("k",  "key",      "<key>", "replace default key for NDEF"),
        arg_lit0("b",  "keyb",     "use key B for access sectors (by default: key A)"),
        arg_str0("f",  "file", "<fn>", "save raw NDEF to file"),
+        arg_lit0(NULL, "override", "override failed crc check"),
        arg_param_end
    };
    CLIExecWithReturn(ctx, Cmd, argtable, true);
@ -2168,6 +2171,8 @@ int CmdHFMFPNDEFRead(const char *Cmd) {
    int fnlen = 0;
    char filename[FILE_PATH_SIZE] = {0};
    CLIParamStrToBuf(arg_get_str(ctx, 5), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
+
+    bool override = arg_get_lit(ctx, 6);
    CLIParserFree(ctx);

    uint16_t ndefAID = 0xe103;
@ -2215,7 +2220,7 @@ int CmdHFMFPNDEFRead(const char *Cmd) {

    uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
    size_t madlen = 0;
-    res = MADDecode(sector0, (haveMAD2 ? sector16 : NULL), mad, &madlen, false);
+    res = MADDecode(sector0, (haveMAD2 ? sector16 : NULL), mad, &madlen, false, override);
    if (res != PM3_SUCCESS) {
        PrintAndLogEx(ERR, "can't decode MAD");
        return res;
--- a/client/src/cmdnfc.c
+++ b/client/src/cmdnfc.c
@ -83,6 +83,7 @@ static int CmdNfcDecode(const char *Cmd) {
        arg_param_begin,
        arg_str0("d",  "data", "<hex>", "NDEF data to decode"),
        arg_str0("f", "file", "<fn>", "file to load"),
+        arg_lit0(NULL, "override", "override failed crc check"),
        arg_lit0("v",  "verbose", "verbose output"),
        arg_param_end
    };
@ -96,7 +97,8 @@ static int CmdNfcDecode(const char *Cmd) {
    char filename[FILE_PATH_SIZE] = {0};
    CLIParamStrToBuf(arg_get_str(ctx, 2), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);

-    bool verbose = arg_get_lit(ctx, 3);
+    bool override = arg_get_lit(ctx, 3);
+    bool verbose = arg_get_lit(ctx, 4);
    CLIParserFree(ctx);
    if (((datalen != 0) && (fnlen != 0)) || ((datalen == 0) && (fnlen == 0))) {
        PrintAndLogEx(ERR, "You must provide either data in hex or a filename");
@ -141,7 +143,7 @@ static int CmdNfcDecode(const char *Cmd) {
                uint8_t ndef[4096] = {0};
                uint16_t ndeflen = 0;

-                if (convert_mad_to_arr(tmp, bytes_read, ndef, &ndeflen) != PM3_SUCCESS) {
+                if (convert_mad_to_arr(tmp, bytes_read, ndef, &ndeflen, override) != PM3_SUCCESS) {
                    PrintAndLogEx(FAILED, "Failed converting, aborting...");
                    free(dump);
                    return PM3_ESOFT;
--- a/client/src/mifare/mad.c
+++ b/client/src/mifare/mad.c
@ -198,16 +198,17 @@ int MADCheck(uint8_t *sector0, uint8_t *sector16, bool verbose, bool *haveMAD2)
        return PM3_EINVARG;

    uint8_t GPB = sector0[(3 * 16) + 9];
-    if (verbose)
+    if (verbose) {
        PrintAndLogEx(SUCCESS, "GPB....... " _GREEN_("0x%02X"), GPB);
+    }

    // DA (MAD available)
-    if (!(GPB & 0x80)) {
+    if ((GPB & 0x80) == 0x00) {
        PrintAndLogEx(ERR, "DA = 0! MAD not available");
        return PM3_ESOFT;
    }

-    uint8_t mad_ver = GPB & 0x03;
+    uint8_t mad_ver = (GPB & 0x03);
    if (verbose)
        PrintAndLogEx(SUCCESS, "Version... " _GREEN_("%d"), mad_ver);

@ -228,12 +229,14 @@ int MADCheck(uint8_t *sector0, uint8_t *sector16, bool verbose, bool *haveMAD2)

    if (mad_ver == 2 && sector16) {
        int res2 = madCRCCheck(sector16, true, 2);
-        if (res == PM3_SUCCESS)
+        if (res == PM3_SUCCESS) {
            res = res2;
+        }

-        if (verbose && !res2)
+        if (verbose && !res2) {
            PrintAndLogEx(SUCCESS, "CRC8...... 0x%02X ( %s )", sector16[0], _GREEN_("ok"));
    }
+    }

    // MA (multi-application card)
    if (verbose) {
@ -245,15 +248,20 @@ int MADCheck(uint8_t *sector0, uint8_t *sector16, bool verbose, bool *haveMAD2)
    return res;
 }

-int MADDecode(uint8_t *sector0, uint8_t *sector16, uint16_t *mad, size_t *madlen, bool swapmad) {
+int MADDecode(uint8_t *sector0, uint8_t *sector16, uint16_t *mad, size_t *madlen, bool swapmad, bool override) {
    *madlen = 0;
    bool haveMAD2 = false;
    int res = MADCheck(sector0, sector16, false, &haveMAD2);
-    if (res != PM3_SUCCESS) {
+
+    if (res != PM3_SUCCESS && override == false) {
        PrintAndLogEx(WARNING, "Not a valid MAD");
        return res;
    }

+    if (override) {
+        PrintAndLogEx(INFO, "overriding crc check");
+    }
+
    // 7 + 8 == 15
    for (int i = 1; i <= 16; i++) {
        mad[*madlen] = madGetAID(sector0, swapmad, 1, i);
@ -472,7 +480,7 @@ int DetectHID(uint8_t *d, uint16_t manufacture) {
    return -1;
 }

-int convert_mad_to_arr(uint8_t *in, uint16_t ilen, uint8_t *out, uint16_t *olen) {
+int convert_mad_to_arr(uint8_t *in, uint16_t ilen, uint8_t *out, uint16_t *olen, bool override) {

    if (in == NULL || out == NULL || ilen == 0) {
        return PM3_EINVARG;
@ -494,7 +502,7 @@ int convert_mad_to_arr(uint8_t *in, uint16_t ilen, uint8_t *out, uint16_t *olen)

    uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
    size_t madlen = 0;
-    if (MADDecode(sector0, sector16, mad, &madlen, false)) {
+    if (MADDecode(sector0, sector16, mad, &madlen, false, override)) {
        PrintAndLogEx(ERR, "can't decode MAD");
        return PM3_ESOFT;
    }
--- a/client/src/mifare/mad.h
+++ b/client/src/mifare/mad.h
@ -22,7 +22,7 @@
 #include "common.h"

 int MADCheck(uint8_t *sector0, uint8_t *sector16, bool verbose, bool *haveMAD2);
-int MADDecode(uint8_t *sector0, uint8_t *sector16, uint16_t *mad, size_t *madlen, bool swapmad);
+int MADDecode(uint8_t *sector0, uint8_t *sector16, uint16_t *mad, size_t *madlen, bool swapmad, bool override);
 int MAD1DecodeAndPrint(uint8_t *sector, bool swapmad, bool verbose, bool *haveMAD2);
 int MAD2DecodeAndPrint(uint8_t *sector, bool swapmad, bool verbose);
 int MADDFDecodeAndPrint(uint32_t short_aid, bool verbose);
@ -30,5 +30,5 @@ int MADCardHolderInfoDecode(uint8_t *data, size_t datalen, bool verbose);
 void MADPrintHeader(void);
 bool HasMADKey(uint8_t *d);
 int DetectHID(uint8_t *d, uint16_t manufacture);
-int convert_mad_to_arr(uint8_t *in, uint16_t ilen, uint8_t *out, uint16_t *olen);
+int convert_mad_to_arr(uint8_t *in, uint16_t ilen, uint8_t *out, uint16_t *olen, bool override);
 #endif // _MAD_H_
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@ -767,7 +767,8 @@ typedef struct {
 #define CMD_HF_MFU_OTP_TEAROFF                                            0x0740
 // MFU_Ev1 Counter TearOff
 #define CMD_HF_MFU_COUNTER_TEAROFF                                        0x0741
-
+#define CMD_HF_MFU_ULC_CHKKEYS                                            0x0742
+#define CMD_HF_MFU_ULAES_CHKKEYS                                          0x0743


 #define CMD_HF_SNIFF                                                      0x0800