//----------------------------------------------------------------------------- // Ultralight Code (c) 2013,2014 Midnitesnake & Andy Davies of Pentura // 2015,2016,2017 Iceman, Marshmellow // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of // the license. //----------------------------------------------------------------------------- // High frequency MIFARE ULTRALIGHT (C) commands //----------------------------------------------------------------------------- #include "cmdhfmfu.h" #include #include "cmdparser.h" #include "commonutil.h" #include "crypto/libpcrypto.h" #include "des.h" #include "cmdhfmf.h" #include "cmdhf14a.h" #include "comms.h" #include "fileutils.h" #include "protocols.h" #include "generator.h" #include "mifare/ndef.h" #include "cliparser.h" #include "cmdmain.h" #define MAX_UL_BLOCKS 0x0F #define MAX_ULC_BLOCKS 0x2F #define MAX_ULEV1a_BLOCKS 0x13 #define MAX_ULEV1b_BLOCKS 0x28 #define MAX_NTAG_203 0x29 #define MAX_NTAG_210 0x13 #define MAX_NTAG_212 0x28 #define MAX_NTAG_213 0x2C #define MAX_NTAG_215 0x86 #define MAX_NTAG_216 0xE6 #define MAX_NTAG_I2C_1K 0xE9 #define MAX_MY_D_NFC 0xFF #define MAX_MY_D_MOVE 0x25 #define MAX_MY_D_MOVE_LEAN 0x0F #define MAX_UL_NANO_40 0x0A static int CmdHelp(const char *Cmd); static int usage_hf_mfu_info(void) { PrintAndLogEx(NORMAL, "It gathers information about the tag and tries to detect what kind it is."); PrintAndLogEx(NORMAL, "Sometimes the tags are locked down, and you may need a key to be able to read the information"); PrintAndLogEx(NORMAL, "The following tags can be identified:\n"); PrintAndLogEx(NORMAL, "Ultralight, Ultralight-C, Ultralight EV1, NTAG 203, NTAG 210,"); PrintAndLogEx(NORMAL, "NTAG 212, NTAG 213, NTAG 215, NTAG 216, NTAG I2C 1K & 2K"); PrintAndLogEx(NORMAL, "my-d, my-d NFC, my-d move, my-d move NFC\n"); PrintAndLogEx(NORMAL, "Usage: hf mfu info k l"); PrintAndLogEx(NORMAL, " Options : "); PrintAndLogEx(NORMAL, " k : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]"); PrintAndLogEx(NORMAL, " l : (optional) swap entered key's endianness"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu info")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu info k 00112233445566778899AABBCCDDEEFF")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu info k AABBCCDD")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_dump(void) { PrintAndLogEx(NORMAL, "Reads all pages from Ultralight, Ultralight-C, Ultralight EV1"); PrintAndLogEx(NORMAL, "NTAG 203, NTAG 210, NTAG 212, NTAG 213, NTAG 215, NTAG 216"); PrintAndLogEx(NORMAL, "and saves binary dump into the file " _YELLOW_("`filename.bin`") " or " _YELLOW_("`cardUID.bin`")); PrintAndLogEx(NORMAL, "It autodetects card type.\n"); PrintAndLogEx(NORMAL, "Usage: hf mfu dump k l f p q <#pages>"); PrintAndLogEx(NORMAL, " Options :"); PrintAndLogEx(NORMAL, " k : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]"); PrintAndLogEx(NORMAL, " l : (optional) swap entered key's endianness"); PrintAndLogEx(NORMAL, " f : " _YELLOW_("filename w/o .bin") " to save the dump as"); PrintAndLogEx(NORMAL, " p : starting Page number to manually set a page to start the dump at"); PrintAndLogEx(NORMAL, " q : number of Pages to manually set how many pages to dump"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu dump")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu dump f myfile")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu dump k 00112233445566778899AABBCCDDEEFF")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu dump k AABBCCDD")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_restore(void) { PrintAndLogEx(NORMAL, "Restore dumpfile onto card."); PrintAndLogEx(NORMAL, "Usage: hf mfu restore [h] [l] [s] k n "); PrintAndLogEx(NORMAL, " Options :"); PrintAndLogEx(NORMAL, " k : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]"); PrintAndLogEx(NORMAL, " l : (optional) swap entered key's endianness"); PrintAndLogEx(NORMAL, " s : (optional) enable special write UID " _BLUE_("-MAGIC TAG ONLY-")); PrintAndLogEx(NORMAL, " e : (optional) enable special write version/signature " _BLUE_("-MAGIC NTAG 21* ONLY-")); PrintAndLogEx(NORMAL, " r : (optional) use the password found in dumpfile to configure tag. requires " _YELLOW_("'e'") " parameter to work"); PrintAndLogEx(NORMAL, " f : " _YELLOW_("filename w .bin") " to restore"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu restore s f myfile")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu restore k AABBCCDD s f myfile")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu restore k AABBCCDD s e r f myfile")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_rdbl(void) { PrintAndLogEx(NORMAL, "Read a block and print. It autodetects card type.\n"); PrintAndLogEx(NORMAL, "Usage: hf mfu rdbl b k l\n"); PrintAndLogEx(NORMAL, "Options:"); PrintAndLogEx(NORMAL, " b : block to read"); PrintAndLogEx(NORMAL, " k : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]"); PrintAndLogEx(NORMAL, " l : (optional) swap entered key's endianness"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu rdbl b 0")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu rdbl b 0 k 00112233445566778899AABBCCDDEEFF")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu rdbl b 0 k AABBCCDD")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_wrbl(void) { PrintAndLogEx(NORMAL, "Write a block. It autodetects card type.\n"); PrintAndLogEx(NORMAL, "Usage: hf mfu wrbl b d k l\n"); PrintAndLogEx(NORMAL, "Options:"); PrintAndLogEx(NORMAL, " b : block to write"); PrintAndLogEx(NORMAL, " d : block data - (8 or 32 hex symbols, 32 hex symbols will do a compatibility write)"); PrintAndLogEx(NORMAL, " k : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]"); PrintAndLogEx(NORMAL, " l : (optional) swap entered key's endianness"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu wrbl b 0 d 01234567")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu wrbl b 0 d 01234567 k AABBCCDD")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_eload(void) { PrintAndLogEx(NORMAL, "It loads emul dump from the file " _YELLOW_("`filename.eml`")); PrintAndLogEx(NORMAL, "Hint: See " _YELLOW_("`script run hf_mfu_dumptoemulator`") " to convert the .bin to the eml"); PrintAndLogEx(NORMAL, "Usage: hf mfu eload u [numblocks]"); PrintAndLogEx(NORMAL, " Options:"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " u : UL (required)"); PrintAndLogEx(NORMAL, " [filename] : without `.eml` (required)"); PrintAndLogEx(NORMAL, " numblocks : number of blocks to load from eml file (optional)"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu eload u filename")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu eload u filename 57")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_sim(void) { PrintAndLogEx(NORMAL, "\nEmulating Ultralight tag from emulator memory\n"); PrintAndLogEx(NORMAL, "\nBe sure to load the emulator memory first!\n"); PrintAndLogEx(NORMAL, "Usage: hf mfu sim t 7 u [n ]"); PrintAndLogEx(NORMAL, "Options:"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " t 7 : 7 = NTAG or Ultralight sim (required)"); PrintAndLogEx(NORMAL, " n : exit simulation after blocks have been read by reader. 0 = infinite (optional)"); PrintAndLogEx(NORMAL, " u : 4 or 7 byte UID (optional)"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu sim t 7")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu sim t 7 u 1122344556677")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu sim t 7 u 1122344556677 n 5")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_ucauth(void) { PrintAndLogEx(NORMAL, "Tests 3DES password on Mifare Ultralight-C tag."); PrintAndLogEx(NORMAL, "If password is not specified, a set of known defaults will be tested."); PrintAndLogEx(NORMAL, "Usage: hf mfu cauth [k] "); PrintAndLogEx(NORMAL, " k - keep field on (only if a password is provided too)"); PrintAndLogEx(NORMAL, " [password] - (32 hex symbols)"); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu cauth")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu cauth 000102030405060708090a0b0c0d0e0f")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_ucsetpwd(void) { PrintAndLogEx(NORMAL, "Set 3DES password on Mifare Ultralight-C tag."); PrintAndLogEx(NORMAL, "Usage: hf mfu setpwd "); PrintAndLogEx(NORMAL, " [password] - (32 hex symbols)"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu setpwd 000102030405060708090a0b0c0d0e0f")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_ucsetuid(void) { PrintAndLogEx(NORMAL, "Usage: hf mfu setuid "); PrintAndLogEx(NORMAL, " [uid] - (14 hex symbols)"); PrintAndLogEx(NORMAL, "\n"); PrintAndLogEx(NORMAL, "This only works for " _BLUE_("Magic Ultralight") " tags."); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu setuid 11223344556677")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_gendiverse(void) { PrintAndLogEx(NORMAL, "Usage: hf mfu gen [h] [r] "); PrintAndLogEx(NORMAL, "Options:"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " r : read uid from tag"); PrintAndLogEx(NORMAL, " : 4 byte UID (optional)"); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu gen r")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu gen 11223344")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_pwdgen(void) { PrintAndLogEx(NORMAL, "Usage: hf mfu pwdgen [h|t] [r] "); PrintAndLogEx(NORMAL, "Options:"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " t : selftest"); PrintAndLogEx(NORMAL, " r : read uid from tag"); PrintAndLogEx(NORMAL, " : 7 byte UID (optional)"); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu pwdgen r")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu pwdgen 11223344556677")); PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu pwdgen t")); PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } static int usage_hf_mfu_otp_tearoff(void) { PrintAndLogEx(NORMAL, "Tear-off test against OTP block (no 3) on MFU tags - More help sooner or later\n"); PrintAndLogEx(NORMAL, "Usage: hf mfu otptear b i l s d t \n"); PrintAndLogEx(NORMAL, "Options:"); PrintAndLogEx(NORMAL, " b : (optional) block to run the test - default block: 8 (not OTP for safety)"); PrintAndLogEx(NORMAL, " i