mfu info / dump attempt at missing auths

NOT TESTED. will test soon. probably has bugs!
2025-01-31 04:20:28 +08:00 · 2015-05-16 01:00:31 -04:00 · 2015-05-16 01:00:31 -04:00 · cceabb79e6
commit cceabb79e6
parent ae8303c13c
6 changed files with 129 additions and 91 deletions
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -167,7 +167,7 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2);
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
 void MifareUC_Auth1(uint8_t arg0, uint8_t *datain);
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain);
+void MifareUC_Auth2(uint8_t arg0, uint8_t *datain);
 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@ -121,7 +121,7 @@ void MifareUC_Auth1(uint8_t arg0, uint8_t *datain){
    cmd_send(CMD_ACK,1,cuid,0,dataoutbuf,11);
 	LEDsoff();
 }
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){
+void MifareUC_Auth2(uint8_t arg0, uint8_t *datain){

 	uint8_t key[16] = {0x00};
 	byte_t dataoutbuf[16] = {0x00};
@ -139,8 +139,10 @@ void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){
 	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
    
 	cmd_send(CMD_ACK,1,0,0,dataoutbuf,11);
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LEDsoff();
+	if (arg0) {
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		LEDsoff();
+	}
 }

 // Arg0 = BlockNo,
@ -346,7 +348,8 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 	// params
 	uint8_t blockNo = arg0;
 	uint16_t blocks = arg1;
-	bool useKey = (arg2 == 1);
+	bool useKey = (arg2 == 1); //UL_C
+	bool usePwd = (arg2 == 2); //UL_EV1/NTAG
 	int countblocks = 0;
 	uint8_t dataout[176] = {0x00};

@ -373,12 +376,12 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 		uint8_t rnd_ab[16] = {0x00};
 		uint8_t IV[8] = {0x00};

-		uint16_t len;
+		uint16_t len2;
 		uint8_t receivedAnswer[MAX_FRAME_SIZE];
 		uint8_t receivedAnswerPar[MAX_PARITY_SIZE];

-		len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
-		if (len != 11) {
+		len2 = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
+		if (len2 != 11) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
 			OnError(1);
 			return;
@ -396,8 +399,8 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 		// encrypt    out, in, length, key, iv
 		tdes_2key_enc(rnd_ab, rnd_ab, sizeof(rnd_ab), key, enc_random_b);

-		len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, receivedAnswer, receivedAnswerPar, NULL);
-		if (len != 11) {
+		len2 = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, receivedAnswer, receivedAnswerPar, NULL);
+		if (len2 != 11) {
 			OnError(1);
 			return;
 		}
@ -412,6 +415,18 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 			Dbprintf("failed authentication");	
 	}

+	if (usePwd) { //ev1 or ntag auth
+		uint8_t Pwd[4] = {0x00};
+		memcpy(Pwd, datain, 4);
+		uint8_t pack[4] = {0,0,0,0};
+
+		if (mifare_ul_ev1_auth(Pwd, pack)){
+			OnError(1);
+			Dbprintf("failed authentication");
+			return;			
+		}
+	}
+
 	for (int i = 0; i < blocks; i++){
 		len = mifare_ultra_readblock(blockNo * 4 + i, dataout + 4 * i);

--- a/armsrc/mifareutil.c
+++ b/armsrc/mifareutil.c
@ -288,6 +288,26 @@ int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blo
 }

 // mifare ultralight commands
+int mifare_ul_ev1_auth(uint8_t *key, uint8_t *pack){
+
+	uint16_t len;
+	uint8_t receivedAnswer[MAX_FRAME_SIZE];
+	uint8_t receivedAnswerPar[MAX_PARITY_SIZE];
+	
+	len = mifare_sendcmd_short_mfucauth(NULL, 0, 0x1B, key, receivedAnswer, receivedAnswerPar, NULL);
+	if (len != 4) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x %u", receivedAnswer[0], len);
+		return 1;
+	}
+	
+	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+		Dbprintf("Auth Resp: %02x%02x%02x%02x",
+			receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3]);
+	}
+	memcpy(pack, receivedAnswer, 4);
+	return 0;
+}
+
 int mifare_ultra_auth1(uint8_t *blockData){

 	uint16_t len;
--- a/armsrc/mifareutil.h
+++ b/armsrc/mifareutil.h
@ -62,6 +62,7 @@ int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cm
 int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested);
 int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing);
 int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
+int mifare_ul_ev1_auth(uint8_t *key, uint8_t *pack);
 int mifare_ultra_auth1(uint8_t *blockData);
 int mifare_ultra_auth2(uint8_t *key, uint8_t *blockData);
 int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData);
--- a/client/cmdhfmfu.c
+++ b/client/cmdhfmfu.c
@ -586,6 +586,7 @@ int CmdHF14AMfUInfo(const char *Cmd){
 	uint8_t datalen = 0;
 	uint8_t authenticationkey[16] = {0x00};
 	uint8_t pack[4] = {0,0,0,0};
+	int len=0;

 	while(param_getchar(Cmd, cmdp) != 0x00)
 	{
@ -640,12 +641,25 @@ int CmdHF14AMfUInfo(const char *Cmd){
 	}

 	if ( hasAuthKey ) {
-		if ((tagtype & UL_C)) 
-			try3DesAuthentication(authenticationkey);
-		else
-			ulev1_requestAuthentication(authenticationkey, pack, sizeof(pack));
+		if ((tagtype & UL_C)) {
+			ul_switch_off_field();
+			//will select card automatically
+			if (try3DesAuthentication(authenticationkey, false) != 1) {
+				ul_switch_off_field();
+				PrintAndLog("Error: Authentication Failed UL-C");
+				return 0;
+			}
+		} else {
+			len = ulev1_requestAuthentication(authenticationkey, pack, sizeof(pack));
+			if (len < 1) {
+				if (!len) ul_switch_off_field();
+				PrintAndLog("Error: Authentication Failed UL-EV1/NTAG");
+				return 0;
+			}
+		}
 	}

+
 	// read pages 0,1,2,4 (should read 4pages)
 	status = ul_read(0, data, sizeof(data));
 	if ( status == -1 ){
@ -681,10 +695,10 @@ int CmdHF14AMfUInfo(const char *Cmd){
 			if ( hasAuthKey ) return 1;

 			PrintAndLog("Trying some default 3des keys");
-			ul_switch_off_field();
+			ul_switch_off_field(); //will select again in try3DesAuth...
 			for (uint8_t i = 0; i < KEYS_3DES_COUNT; ++i ){
 				key = default_3des_keys[i];
-				if (try3DesAuthentication(key) == 1){
+				if (try3DesAuthentication(key, true) == 1){
 					PrintAndLog("Found default 3des key: "); //%s", sprint_hex(key,16));
 					uint8_t keySwap[16];
 					memcpy(keySwap, SwapEndian64(key,16,8), 16);
@ -692,6 +706,7 @@ int CmdHF14AMfUInfo(const char *Cmd){
 					return 1;
 				} 
 			}
+			return 1; //return even if key not found (UL_C is done)
 		}
 	}

@ -743,13 +758,14 @@ int CmdHF14AMfUInfo(const char *Cmd){
 		if ( authlim == 0 ){
 			PrintAndLog("\n--- Known EV1/NTAG passwords.");

-			int len=0; //if len goes to -1 the connection will be turned off.
 			for (uint8_t i = 0; i < 3; ++i ){
 				key = default_pwd_pack[i];
 				if ( len > -1 ){
 					len = ulev1_requestAuthentication(key, pack, sizeof(pack));
-					PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]);
-					break;
+					if (len == 1) {
+						PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]);
+						break;
+					}
 				}
 			}
 			if (len > -1) ul_switch_off_field();
@ -907,9 +923,12 @@ int usage_hf_mfu_dump(void)
 	PrintAndLog("It autodetects card type.\n");	
 	PrintAndLog("Usage:  hf mfu dump s k <key> n <filename w/o .bin>");
 	PrintAndLog("  Options : ");
-	PrintAndLog("  k <key> : Enter key for authentication");
-	PrintAndLog("  n <FN > : Enter filename w/o .bin to save the dump as");	
-	PrintAndLog("        s : Swap entered key's endianness for auth");
+	PrintAndLog("  k <key> : key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]");
+	PrintAndLog("  l       : swap entered key's endianness for auth");
+	PrintAndLog("  n <FN > : filename w/o .bin to save the dump as");	
+	PrintAndLog("  p <Pg > : starting Page number to manually set a page to start the dump at");	
+	PrintAndLog("  q <qty> : number of Pages to manually set how many pages to dump");	
+
 	PrintAndLog("");
 	PrintAndLog("   sample : hf mfu dump");
 	PrintAndLog("          : hf mfu dump n myfile");
@ -948,6 +967,8 @@ int CmdHF14AMfUDump(const char *Cmd){
 	bool swapEndian = false;
 	bool manualPages = false;
 	uint8_t startPage = 0;
+	char tempStr[50];
+
 	while(param_getchar(Cmd, cmdp) != 0x00)
 	{
 		switch(param_getchar(Cmd, cmdp))
@ -957,15 +978,25 @@ int CmdHF14AMfUDump(const char *Cmd){
 			return usage_hf_mfu_dump();
 		case 'k':
 		case 'K':
-			dataLen = param_gethex(Cmd, cmdp+1, data, 32);
-			if (dataLen) {
+			dataLen = param_getstr(Cmd, cmdp+1, tempStr);
+			if (dataLen == 32) //ul-c
+				errors = param_gethex(tempStr, 0, key, dataLen);
+			else if (dataLen == 8) //ev1/ntag
+				errors = param_gethex(tempStr, 0, key, dataLen);
+			else
 				errors = true;
-			} else {
-				memcpy(key, data, 16);
-			}   
+
+			if (!errors) 
+				memcpy(key, data, dataLen/2);
+				
 			cmdp += 2;
 			hasPwd = true;
 			break;
+		case 'l':
+		case 'L':
+			swapEndian = true;
+			cmdp++;
+			break;
 		case 'n':
 		case 'N':
 			fileNlen = param_getstr(Cmd, cmdp+1, filename);
@ -985,17 +1016,6 @@ int CmdHF14AMfUDump(const char *Cmd){
 			cmdp += 2;
 			manualPages = true;
 			break;
-		case 's':
-		case 'S':
-			swapEndian = true;
-			cmdp++;
-			break;
-		case 't':
-		case 'T':
-			//key type  - ul-c or ev1/ntag
-			//TODO
-			cmdp += 2;
-			break;
 		default:
 			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 			errors = true;
@ -1007,7 +1027,7 @@ int CmdHF14AMfUDump(const char *Cmd){
 	//Validations
 	if(errors) return usage_hf_mfu_dump();

-	if (swapEndian)
+	if (swapEndian && dataLen == 32)
 		keyPtr = SwapEndian64(data, 16, 8);

 	TagTypeUL_t tagtype = GetHF14AMfU_Type();
@ -1020,50 +1040,29 @@ int CmdHF14AMfUDump(const char *Cmd){

 	ul_print_type(tagtype, 0);
 	PrintAndLog("Reading tag memory...");
-	/*
-	if ( tagtype & UL ) {
-		Pages = 16;
-		PrintAndLog(str,"", (tagtype & MAGIC)?" (magic)":"" );
+
+	UsbCommand c = {CMD_MIFAREUC_READCARD, {startPage,Pages}};
+	if ( hasPwd ) {
+		if (tagtype & UL_C)
+			c.arg[2] = 1; //UL_C auth
+		else
+			c.arg[2] = 2; //UL_EV1/NTAG auth
+
+		memcpy(c.d.asBytes, key, dataLen/2);
 	}
-	else if ( tagtype & UL_C ) {
-		Pages = 44;
-		PrintAndLog(str,"-C", (tagtype & MAGIC)?" (magic)":"" );
+	SendCommand(&c);
+	UsbCommand resp;
+	if (!WaitForResponseTimeout(CMD_ACK, &resp,1500)) {
+		PrintAndLog("Command execute time-out");
+		return 1;
 	}
-	else if ( tagtype & UL_EV1_48 ) {
-		Pages = 18; 
-		PrintAndLog(str," EV1_48","");
-	}
-	else if ( tagtype & UL_EV1_128 ) {
-		Pages = 32; 
-		PrintAndLog(str," EV1_128","");
+	PrintAndLog	("%u,%u",resp.arg[0],resp.arg[1]);
+	uint8_t isOK = resp.arg[0] & 0xff;
+	if (isOK) {
+		memcpy(data, resp.d.asBytes, resp.arg[1]);
 	} else {
-		Pages = 16;
-		PrintAndLog("Dumping unknown Ultralight, using default values.");
-	}
-	*/
-	if (!hasPwd || (tagtype & UL_C)){
-		UsbCommand c = {CMD_MIFAREUC_READCARD, {startPage,Pages}};
-		if ( hasPwd ) {
-			c.arg[2] = 1;
-			memcpy(c.d.asBytes, key, 16);
-		}
-		SendCommand(&c);
-		UsbCommand resp;
-		if (!WaitForResponseTimeout(CMD_ACK, &resp,1500)) {
-			PrintAndLog("Command execute time-out");
-			return 1;
-		}
-		PrintAndLog	("%u,%u",resp.arg[0],resp.arg[1]);
-		uint8_t isOK = resp.arg[0] & 0xff;
-		if (isOK) {
-			memcpy(data, resp.d.asBytes, resp.arg[1]);
-		} else {
-			PrintAndLog("Failed reading block: (%02x)", i);
-			return 1;
-		}	
-	} else {
-		PrintAndLog("EV1 and NTAG pwd mode not ready yet");
-		return 0;
+		PrintAndLog("Failed reading block: (%02x)", i);
+		return 1;
 	}

 	// Load lock bytes.
@ -1077,6 +1076,7 @@ int CmdHF14AMfUDump(const char *Cmd){
 	}

 	// Load bottom lockbytes if available
+	// HOW DOES THIS APPLY TO EV1 and/or NTAG???
 	if ( Pages == 44 ) {
 		lockbytes_t2 = data + (40*4);
 		lockbytes2[0] = lockbytes_t2[2];
@ -1087,10 +1087,12 @@ int CmdHF14AMfUDump(const char *Cmd){
 	}

 	// add keys
-	if (hasPwd){
+	if (hasPwd && dataLen == 32){ //UL_C
 		memcpy(data + Pages*4, key, 16);
 		Pages += 4;
 	} 
+	//TODO add key MEM location for other tags
+
 	for (i = 0; i < Pages; ++i) {
 		if ( i < 3 ) {
 			PrintAndLog("Block %02x:%s ", i,sprint_hex(data + i * 4, 4));
@ -1211,7 +1213,7 @@ int CmdHF14AMfucAuth(const char *Cmd){
 	} 

 	uint8_t *key = default_3des_keys[keyNo];
-	if (try3DesAuthentication(key)>0)
+	if (try3DesAuthentication(key, true) > 0)
 		PrintAndLog("Authentication successful. 3des key: %s",sprint_hex(key, 16));
 	else
 		PrintAndLog("Authentication failed");
@ -1219,9 +1221,9 @@ int CmdHF14AMfucAuth(const char *Cmd){
 	return 0;
 }

-int try3DesAuthentication( uint8_t *key){
+int try3DesAuthentication( uint8_t *key, bool switch_off_field ){
 	
-	uint32_t cuid = 0;
+	//uint32_t cuid = 0;

 	des3_context ctx = { 0 };
 	
@ -1237,7 +1239,7 @@ int try3DesAuthentication( uint8_t *key){
 	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) 	return -1;
 	if ( !(resp.arg[0] & 0xff) ) return -2;
 	
-	cuid  = resp.arg[1];	
+	//cuid  = resp.arg[1];	
 	memcpy(enc_random_b,resp.d.asBytes+1,8);

 	des3_set2key_dec(&ctx, key);
@ -1254,7 +1256,7 @@ int try3DesAuthentication( uint8_t *key){

 	//Auth2
 	c.cmd = CMD_MIFAREUC_AUTH2;
-	c.arg[0] = cuid;
+	c.arg[0] = switch_off_field;
 	memcpy(c.d.asBytes, rnd_ab, 16);
 	SendCommand(&c);

--- a/client/cmdhfmfu.h
+++ b/client/cmdhfmfu.h
@ -14,7 +14,7 @@ int CmdHF14AMfUCRdCard(const char *Cmd);
 int CmdHF14AMfucAuth(const char *Cmd);

 uint8_t requestAuthentication( uint8_t *nonce);
-int try3DesAuthentication( uint8_t *key);
+int try3DesAuthentication( uint8_t *key, bool switch_off_field);

 //general stuff
 int CmdHF14AMfUDump(const char *Cmd);