Skip to content

grodanboll/mfterm

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

119 Commits

debian

debian

 
 

.gitignore

.gitignore

 
 

AUTHORS

AUTHORS

 
 

COPYING

COPYING

 
 

INSTALL

INSTALL

 
 

Makefile.am

Makefile.am

 
 

README

README

 
 

autogen.sh

autogen.sh

 
 

configure.ac

configure.ac

 
 

dictionary.c

dictionary.c

 
 

dictionary.h

dictionary.h

 
 

dictionary.txt

dictionary.txt

 
 

dictionary_parser.l

dictionary_parser.l

 
 

mac.c

mac.c

 
 

mac.h

mac.h

 
 

mfc-spec.txt

mfc-spec.txt

 
 

mfterm.c

mfterm.c

 
 

mfterm.h

mfterm.h

 
 

mifare.c

mifare.c

 
 

mifare.h

mifare.h

 
 

mifare_ctrl.c

mifare_ctrl.c

 
 

mifare_ctrl.h

mifare_ctrl.h

 
 

spec_parser.y

spec_parser.y

 
 

spec_syntax.c

spec_syntax.c

 
 

spec_syntax.h

spec_syntax.h

 
 

spec_tokenizer.l

spec_tokenizer.l

 
 

tag.c

tag.c

 
 

tag.h

tag.h

 
 

term_cmd.c

term_cmd.c

 
 

term_cmd.h

term_cmd.h

 
 

util.c

util.c

 
 

util.h

util.h

 
 

Repository files navigation

mfterm is a terminal interface for working with Mifare Classic tags.

Tab completion on commands is available. Also, commands that have file
name arguments provide tab completion on files. There is also a
command history, like in most normal shells.

Working with the mfterm program there are a few state variables that
are used.

Current Tag
-----------
The "current tag" is populated with the 'load' or 'read' commands. The
'read' command will read data from a physical tag and requires the
"current keys" to be set to the keys of the tag. Clear the "current
tag" by using the 'clear' command.

Display the "current tag" by using the 'print' command. The keys of
the "current tag" are displayed with the 'print keys' command. Note:
the tag keys could be different from the "current keys" displayed by
the 'keys print' command.

The data of the "current tag" can be manipulated with the 'set'
command.

The "current tag" can be persisted by writing it to a file with the
'save' command. It can also be written to a physical tag with the
'write' command. For the 'write' command to succeed, the "current
keys" have to be set to appropriate values. The 'write unlocked'
command can be used to write to block 0 on some 1k pirate cards.

If you are reading or loading a 1k tag, the mfterm program will still
use a full 4k tag to represent it. The last 3k will be all
zeroes. This is in analogy with the other libnfc tools.

Current Keys
------------
The "current keys" are used to authenticate when performing operations
on a physical tag. They can be displayed using the 'keys'
command. Clear the "current keys" by using the 'keys clear' command.

The keys are stored just like a tag in a file using the 'keys save',
but with all the data fields except the sector trailers cleared. The
keys can be loaded from a file, either a real tag dump or a key tag
dump, with the 'keys load' command.

The "current keys" can be set to match the "current tag" by using the
'keys import' command. It is also possible to manually set a key using
the 'keys set' command.

Use the 'keys test' command to test if the "current keys" can be used
to authenticate with a physical tag.

Dictionary
----------
A key dictionary can be imported from a file using the 'dict load'
command. This dictionary can then be used to perform a dictionary
attack on the sectors of a tag by using the 'dict attack' command.

The format of the dictionary file is simple. One key (6 bytes, 12 hex
characters) per line and # is a comment. 

Performing 'dict load' on several files will produce a dictionary that
is the union of those files. Duplicates will be removed.

To list all the keys in the dictionary, use the command 'dict'. To
clear the dictionary use 'dict clear'.

Other commands
--------------
Quit the mfterm program by issuing the 'quit' command.

Help is available by writing 'help'


MAC Computation
---------------

The function 'mac compute' is used for computing DES MACs (message
authentication codes). They require a 64 bit key that can be set using
the command 'mac key'. The same command, without arguments, is used to
display the current key.

The input to the DES MAC is UID + 14 left most bytes of the specified
block.

Using the command 'mac update' is shorthand for a MAC computation and
then setting the MAC of the same block.

Specification Files
-------------------
A specification file defines names for parts of the tag data. See the
file mfc-spec.txt for a sample specification.

Specification files are loaded with the command 'spec load'. They can
be cleared with 'spec clear'. To display the data structure loaded use
the command 'spec'.

Once a specification has been loaded, it can be used to access the
data in the tag by using a specification path. In the sample
specification, the path: '.sector_0.block_0.atqa', when entered in the
terminal, will display the two bytes of data starting with byte 6.


Building mfterm
---------------

Standard: ./configure; make; make install

See INSTALL file for details.


WARNING:
--------
The mfterm software is neither thoroughly tested nor widely used. It
likely contains a number of serious bugs that can be exploited to
compromise your computer. Do NOT run the mfterm software as a
privileged user (e.g. root), and ONLY load tag, dictionary and
specification files that you get from people you trust.

About

Terminal for working with Mifare Classic 1-4k Tags

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

No packages published

Languages

  • C 99.9%
  • Shell 0.1%