int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKeys) { int i, m, len; uint8_t isEOF; uint32_t uid; fnVector * vector = NULL; countKeys *ck; int lenVector = 0; UsbCommand * resp = NULL; memset(resultKeys, 0x00, 16 * 6); // flush queue while (WaitForResponseTimeout(CMD_ACK, 500) != NULL) ; UsbCommand c = {CMD_MIFARE_NESTED, {blockNo, keyType, trgBlockNo + trgKeyType * 0x100}}; memcpy(c.d.asBytes, key, 6); SendCommand(&c); PrintAndLog("\n"); // wait cycle while (true) { printf("."); if (ukbhit()) { getchar(); printf("\naborted via keyboard!\n"); break; } resp = WaitForResponseTimeout(CMD_ACK, 1500); if (resp != NULL) { isEOF = resp->arg[0] & 0xff; if (isEOF) break; len = resp->arg[1] & 0xff; if (len == 0) continue; memcpy(&uid, resp->d.asBytes, 4); PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%x", uid, len, resp->arg[2] & 0xff, (resp->arg[2] >> 8) & 0xff); vector = (fnVector *) realloc((void *)vector, (lenVector + len) * sizeof(fnVector) + 200); if (vector == NULL) { PrintAndLog("Memory allocation error for fnVector. len: %d bytes: %d", lenVector + len, (lenVector + len) * sizeof(fnVector)); break; } for (i = 0; i < len; i++) { vector[lenVector + i].blockNo = resp->arg[2] & 0xff; vector[lenVector + i].keyType = (resp->arg[2] >> 8) & 0xff; vector[lenVector + i].uid = uid; memcpy(&vector[lenVector + i].nt, (void *)(resp->d.asBytes + 8 + i * 8 + 0), 4); memcpy(&vector[lenVector + i].ks1, (void *)(resp->d.asBytes + 8 + i * 8 + 4), 4); } lenVector += len; } }
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) { uint16_t i, len; uint32_t uid; UsbCommand resp; StateList_t statelists[2]; struct Crypto1State *p1, *p2, *p3, *p4; // flush queue WaitForResponseTimeout(CMD_ACK,NULL,100); UsbCommand c = {CMD_MIFARE_NESTED, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, calibrate}}; memcpy(c.d.asBytes, key, 6); SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { len = resp.arg[1]; if (len == 2) { memcpy(&uid, resp.d.asBytes, 4); PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%x", uid, len, (uint16_t)resp.arg[2] & 0xff, (uint16_t)resp.arg[2] >> 8); for (i = 0; i < 2; i++) { statelists[i].blockNo = resp.arg[2] & 0xff; statelists[i].keyType = (resp.arg[2] >> 8) & 0xff; statelists[i].uid = uid; memcpy(&statelists[i].nt, (void *)(resp.d.asBytes + 4 + i * 8 + 0), 4); memcpy(&statelists[i].ks1, (void *)(resp.d.asBytes + 4 + i * 8 + 4), 4); } }
int CmdHFDES(const char *Cmd) { //flush WaitForResponseTimeout(CMD_ACK,NULL,100); CmdsParse(CommandTable, Cmd); return 0; }
int CmdHF15CmdInquiry(const char *Cmd) { UsbCommand resp; uint8_t *recv; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? uint8_t *req=c.d.asBytes; int reqlen=0; req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1; req[1]=ISO15_CMD_INVENTORY; req[2]=0; // mask length reqlen=AddCrc(req,3); c.arg[0]=reqlen; SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) { if (resp.arg[0]>=12) { recv = resp.d.asBytes; PrintAndLog("UID=%s",sprintUID(NULL,&recv[2])); PrintAndLog("Tag Info: %s",getTagInfo(&recv[2])); } else { PrintAndLog("Response to short, just %i bytes. No tag?\n",resp.arg[0]); } } else { PrintAndLog("timeout."); } return 0; }
// fast method to just read the UID of a tag (collission detection not supported) // *buf should be large enough to fit the 64bit uid // returns 1 if suceeded int getUID(uint8_t *buf) { UsbCommand resp; uint8_t *recv; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? uint8_t *req=c.d.asBytes; int reqlen=0; for (int retry=0;retry<3; retry++) { // don't give up the at the first try req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1; req[1]=ISO15_CMD_INVENTORY; req[2]=0; // mask length reqlen=AddCrc(req,3); c.arg[0]=reqlen; SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) { recv = resp.d.asBytes; if (resp.arg[0]>=12 && ISO15_CRC_CHECK==Crc(recv,12)) { memcpy(buf,&recv[2],8); return 1; } } } // retry return 0; }
// fast method to just read the UID of a tag (collission detection not supported) // *buf should be large enough to fit the 64bit uid // returns 1 if suceeded int getUID(uint8_t *buf) { UsbCommand resp; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? c.d.asBytes[0] = ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1; c.d.asBytes[1] = ISO15_CMD_INVENTORY; c.d.asBytes[2] = 0; // mask length AddCrc(c.d.asBytes, 3); c.arg[0] = 5; // len uint8_t retry; // don't give up the at the first try for (retry = 0; retry < 3; retry++) { clearCommandBuffer(); SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { uint8_t resplen = resp.arg[0]; if (resplen >= 12 && CheckCrc(resp.d.asBytes, 12)) { memcpy(buf, resp.d.asBytes + 2, 8); return 1; } } } // retry if ( retry >= 3 ) PrintAndLogEx(WARNING, "timeout while waiting for reply."); return 0; }
int CmdHFDESReader(const char *Cmd) { UsbCommand c ={CMD_MIFARE_DES_READER, {3, 0x60, 0}}; SendCommand(&c); UsbCommand resp; WaitForResponseTimeout(CMD_ACK,&resp,2000); return 0; }
int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount) { UsbCommand c = {CMD_MIFARE_EML_MEMGET, {blockNum, blocksCount, 0}}; SendCommand(&c); UsbCommand resp; if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) return 1; memcpy(data, resp.d.asBytes, blocksCount * 16); return 0; }
int CmdHFDESReader(const char *Cmd) { UsbCommand c = { CMD_MIFARE_DES_READER, {3, 0x60, 0} }; SendCommand(&c); UsbCommand resp; if (!WaitForResponseTimeout(CMD_ACK,&resp,2000) ){ PrintAndLog("Command time-out"); return 1; } return 0; }
int CmdPyramidClone(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_pyramid_clone(); uint32_t facilitycode=0, cardnumber=0, fc = 0, cn = 0; uint32_t blocks[5]; uint8_t i; uint8_t bs[128]; memset(bs, 0x00, sizeof(bs)); if (sscanf(Cmd, "%u %u", &fc, &cn ) != 2) return usage_lf_pyramid_clone(); facilitycode = (fc & 0x000000FF); cardnumber = (cn & 0x0000FFFF); if ( !GetPyramidBits(facilitycode, cardnumber, bs)) { PrintAndLog("Error with tag bitstream generation."); return 1; } //Pyramid - compat mode, FSK2a, data rate 50, 4 data blocks blocks[0] = T55x7_MODULATION_FSK2a | T55x7_BITRATE_RF_50 | 4<<T55x7_MAXBLOCK_SHIFT; if (param_getchar(Cmd, 3) == 'Q' || param_getchar(Cmd, 3) == 'q') blocks[0] = T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 50<<T5555_BITRATE_SHIFT | 4<<T5555_MAXBLOCK_SHIFT; blocks[1] = bytebits_to_byte(bs,32); blocks[2] = bytebits_to_byte(bs+32,32); blocks[3] = bytebits_to_byte(bs+64,32); blocks[4] = bytebits_to_byte(bs+96,32); PrintAndLog("Preparing to clone Farpointe/Pyramid to T55x7 with Facility Code: %u, Card Number: %u", facilitycode, cardnumber); PrintAndLog("Blk | Data "); PrintAndLog("----+------------"); for ( i = 0; i<5; ++i ) PrintAndLog(" %02d | %08" PRIx32, i, blocks[i]); UsbCommand resp; UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {0,0,0}}; for ( i = 0; i<5; ++i ) { c.arg[0] = blocks[i]; c.arg[1] = i; clearCommandBuffer(); SendCommand(&c); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ PrintAndLog("Error occurred, device did not respond during write operation."); return -1; } } return 0; }
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key){ *key = 0; UsbCommand c = {CMD_MIFARE_CHKKEYS, { (blockNo | (keyType<<8)), clear_trace, keycnt}}; memcpy(c.d.asBytes, keyBlock, 6 * keycnt); clearCommandBuffer(); SendCommand(&c); UsbCommand resp; if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) return 1; if ((resp.arg[0] & 0xff) != 0x01) return 2; *key = bytes_to_num(resp.d.asBytes, 6); return 0; }
int CmdStatus(const char *Cmd) { uint8_t speed_test_buffer[USB_CMD_DATA_SIZE]; sample_buf = speed_test_buffer; clearCommandBuffer(); UsbCommand c = {CMD_STATUS}; SendCommand(&c); if (!WaitForResponseTimeout(CMD_ACK,&c,1900)) { PrintAndLog("Status command failed. USB Speed Test timed out"); } return 0; }
int CmdPing(const char *Cmd) { clearCommandBuffer(); UsbCommand resp; UsbCommand c = {CMD_PING}; SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) { PrintAndLog("Ping successfull"); }else{ PrintAndLog("Ping failed"); } return 0; }
int CmdLegicSave(const char *Cmd) { int requested = 1024; int offset = 0; int delivered = 0; char filename[FILE_PATH_SIZE]; uint8_t got[1024] = {0x00}; sscanf(Cmd, " %s %i %i", filename, &requested, &offset); /* If no length given save entire legic read buffer */ /* round up to nearest 8 bytes so the saved data can be used with legicload */ if (requested == 0) requested = 1024; if (requested % 8 != 0) { int remainder = requested % 8; requested = requested + 8 - remainder; } if (offset + requested > sizeof(got)) { PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024"); return 0; } GetFromBigBuf(got, requested, offset); if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){ PrintAndLog("Command execute timeout"); return 1; } FILE *f = fopen(filename, "w"); if(!f) { PrintAndLog("couldn't open '%s'", Cmd+1); return -1; } for (int j = 0; j < requested; j += 8) { fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n", got[j+0], got[j+1], got[j+2], got[j+3], got[j+4], got[j+5], got[j+6], got[j+7] ); delivered += 8; if (delivered >= requested) break; } fclose(f); PrintAndLog("saved %u samples", delivered); return 0; }
int CmdLFPCF7931Read(const char *Cmd) { uint8_t ctmp = param_getchar(Cmd, 0); if ( ctmp == 'H' || ctmp == 'h' ) return usage_pcf7931_read(); UsbCommand resp; UsbCommand c = {CMD_PCF7931_READ, {0, 0, 0}}; clearCommandBuffer(); SendCommand(&c); if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) { PrintAndLog("command execution time out"); return 1; } return 0; }
int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params) { uint8_t isOK = 0; UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}}; clearCommandBuffer(); SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { isOK = resp.arg[0] & 0xff; memcpy(data, resp.d.asBytes, 16); if (!isOK) return 2; } else { PrintAndLog("Command execute timeout"); return 1; } return 0; }
int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uint8_t params) { uint8_t isOK = 0; UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}}; memcpy(c.d.asBytes, data, 16); SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { isOK = resp.arg[0] & 0xff; if (uid != NULL) memcpy(uid, resp.d.asBytes, 4); if (!isOK) return 2; } else { PrintAndLog("Command execute timeout"); return 1; } return 0; }
/** * @brief The following params expected: * uint32_t cmd * size_t ms_timeout * @param L * @return */ static int l_WaitForResponseTimeout(lua_State *L) { uint32_t cmd = 0; size_t ms_timeout = -1; //Check number of arguments int n = lua_gettop(L); if(n == 0) { //signal error by returning Nil, errorstring lua_pushnil(L); lua_pushstring(L,"You need to supply at least command to wait for"); return 2; // two return values } if(n >= 1) { //pop cmd cmd = luaL_checkunsigned(L,1); } if(n >= 2) { //Did the user send a timeout ? //Check if the current top of stack is an integer ms_timeout = luaL_checkunsigned(L,2); //printf("Timeout set to %dms\n" , (int) ms_timeout); } UsbCommand response; if(WaitForResponseTimeout(cmd, &response, ms_timeout)) { //Push it as a string lua_pushlstring(L,(const char *)&response, sizeof(UsbCommand)); return 1;// return 1 to signal one return value } else { //Push a Nil instead lua_pushnil(L); return 1;// one return value } }
int CmdVersion(const char *Cmd) { clearCommandBuffer(); UsbCommand c = {CMD_VERSION}; static UsbCommand resp = {0, {0, 0, 0}}; if (resp.arg[0] == 0 && resp.arg[1] == 0) { // no cached information available SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) { PrintAndLog("Prox/RFID mark3 RFID instrument"); PrintAndLog((char*)resp.d.asBytes); lookupChipID(resp.arg[0], resp.arg[1]); } } else { PrintAndLog("[[[ Cached information ]]]\n"); PrintAndLog("Prox/RFID mark3 RFID instrument"); PrintAndLog((char*)resp.d.asBytes); lookupChipID(resp.arg[0], resp.arg[1]); PrintAndLog(""); } return 0; }
int CmdHF14AMfDESAuth(const char *Cmd){ uint8_t blockNo = 0; //keyNo=0; uint32_t cuid=0; uint8_t reply[16]; //DES_cblock r1_b1; uint8_t b1[8]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t b2[8]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; DES_cblock nr, b0, r1, r0; uint8_t key[8]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; //DES_cblock iv={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; DES_key_schedule ks1; DES_cblock key1; if (strlen(Cmd)<1) { PrintAndLog("Usage: hf desfire des-auth k <key number>"); PrintAndLog(" sample: hf desfire des-auth k 0"); return 0; } //Change key to user defined one memcpy(key1,key,8); //memcpy(key2,key+8,8); DES_set_key((DES_cblock *)key1,&ks1); //DES_set_key((DES_cblock *)key2,&ks2); //Auth1 UsbCommand c = {CMD_MIFARE_DES_AUTH1, {blockNo}}; SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { uint8_t isOK = resp.arg[0] & 0xff; cuid = resp.arg[1]; uint8_t * data= resp.d.asBytes; if (isOK){ PrintAndLog("enc(nc)/b0:%s", sprint_hex(data+2,8)); memcpy(b0,data+2,8); } } else { PrintAndLog("Command execute timeout"); } //Do crypto magic DES_random_key(&nr); //b1=dec(nr) //r0=dec(b0) DES_ecb_encrypt(&nr,&b1,&ks1,0); DES_ecb_encrypt(&b0,&r0,&ks1,0); //PrintAndLog("b1:%s",sprint_hex(b1, 8)); PrintAndLog("r0:%s",sprint_hex(r0, 8)); //r1=rol(r0) memcpy(r1,r0,8); rol(r1,8); PrintAndLog("r1:%s",sprint_hex(r1, 8)); for(int i=0;i<8;i++){ b2[i]=(r1[i] ^ b1[i]); } DES_ecb_encrypt(&b2,&b2,&ks1,0); //PrintAndLog("b1:%s",sprint_hex(b1, 8)); PrintAndLog("b2:%s",sprint_hex(b2, 8)); //Auth2 UsbCommand d = {CMD_MIFARE_DES_AUTH2, {cuid}}; memcpy(reply,b1,8); memcpy(reply+8,b2,8); memcpy(d.d.asBytes,reply, 16); SendCommand(&d); UsbCommand respb; if (WaitForResponseTimeout(CMD_ACK,&respb,1500)) { uint8_t isOK = respb.arg[0] & 0xff; uint8_t * data2= respb.d.asBytes; if (isOK){ PrintAndLog("b3:%s", sprint_hex(data2+2, 8)); } } else { PrintAndLog("Command execute timeout"); } return 1; }
UsbCommand * WaitForResponse(uint32_t response_type) { return WaitForResponseTimeout(response_type, -1); }
int CmdHF15Raw(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd)<3 || cmdp == 'h' || cmdp == 'H') return usage_15_raw(); UsbCommand resp; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? int reply = 1, fast = 1, i = 0; bool crc = false; char buf[5] = ""; uint8_t data[100]; uint32_t datalen = 0, temp; // strip while (*Cmd==' ' || *Cmd=='\t') Cmd++; while (Cmd[i]!='\0') { if (Cmd[i]==' ' || Cmd[i]=='\t') { i++; continue; } if (Cmd[i]=='-') { switch (Cmd[i+1]) { case 'r': case 'R': reply = 0; break; case '2': fast = 0; break; case 'c': case 'C': crc = true; break; default: PrintAndLogEx(WARNING, "Invalid option"); return 0; } i+=2; continue; } if ((Cmd[i]>='0' && Cmd[i]<='9') || (Cmd[i]>='a' && Cmd[i]<='f') || (Cmd[i]>='A' && Cmd[i]<='F') ) { buf[strlen(buf)+1] = 0; buf[strlen(buf)] = Cmd[i]; i++; if (strlen(buf) >= 2) { sscanf(buf, "%x", &temp); data[datalen] = (uint8_t)(temp & 0xff); datalen++; *buf = 0; } continue; } PrintAndLogEx(WARNING, "Invalid char on input"); return 0; } if (crc) { AddCrc(data, datalen); datalen += 2; } c.arg[0] = datalen; c.arg[1] = fast; c.arg[2] = reply; memcpy(c.d.asBytes, data, datalen); clearCommandBuffer(); SendCommand(&c); if (reply) { if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { uint8_t len = resp.arg[0]; PrintAndLogEx(NORMAL, "received %i octets", len); PrintAndLogEx(NORMAL, "%s", sprint_hex(resp.d.asBytes, len) ); } else { PrintAndLogEx(WARNING, "timeout while waiting for reply."); } } return 0; }
//EV1 // Reader 2 Card : 02AA, key (1 byte), CRC1 CRC2 ; auth // Card 2 Reader : 02AF, 16 Bytes(b0), CRC1 CRC2 // Reader 2 Card : 03AF, 16 Bytes(b1),16Bytes(b2) CRC1 CRC2 // Card 2 Reader : 0300, 16 bytes(b3), CRC1 CRC2 ; success int CmdHF14AMfAESAuth(const char *Cmd){ uint8_t blockNo = 0; //keyNo=0; uint32_t cuid=0; uint8_t reply[32]; //DES_cblock r1_b1; //unsigned char * b1, b2, nr, b0, r0, r1; uint8_t b1[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t b2[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t nr[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t b0[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t r0[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t r1[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; // uint8_t key[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t iv[16]={ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; AES_KEY key_e; AES_KEY key_d; if (strlen(Cmd)<1) { PrintAndLog("Usage: hf desfire aes-auth k <key number>"); PrintAndLog(" sample: hf desfire aes-auth k 0"); return 0; } //Change key to user defined one // // int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,AES_KEY *key); //int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,AES_KEY *key); // //memcpy(key1,key,16); //memcpy(key2,key+8,8); AES_set_encrypt_key(key,128,&key_e); AES_set_decrypt_key(key,128,&key_d); //Auth1 UsbCommand c = {CMD_MIFARE_DES_AUTH1, {blockNo}}; SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { uint8_t isOK = resp.arg[0] & 0xff; cuid = resp.arg[1]; uint8_t * data= resp.d.asBytes; if (isOK){ PrintAndLog("enc(nc)/b0:%s", sprint_hex(data+2,16)); memcpy(b0,data+2,16); } } else { PrintAndLog("Command execute timeout"); } // // void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, //size_t length, const AES_KEY *key, //unsigned char *ivec, const int enc); //Do crypto magic //DES_random_key(&nr); //b1=dec(nr) //r0=dec(b0) //AES_cbc_encrypt(&nr,&b1,16,&key,0); AES_cbc_encrypt(&b0,&r0,16,&key_d,iv,0); //PrintAndLog("b1:%s",sprint_hex(b1, 8)); PrintAndLog("r0:%s",sprint_hex(r0, 16)); //r1=rol(r0) memcpy(r1,r0,16); rol(r1,8); PrintAndLog("r1:%s",sprint_hex(r1, 16)); for(int i=0;i<16;i++){ b1[i]=(nr[i] ^ b0[i]); b2[i]=(r1[i] ^ b1[i]); } PrintAndLog("nr:%s",sprint_hex(nr, 16)); AES_cbc_encrypt(&b1,&b1,16,&key_e,iv,1); AES_cbc_encrypt(&b2,&b2,16,&key_e,iv,1); PrintAndLog("b1:%s",sprint_hex(b1, 16)); PrintAndLog("b2:%s",sprint_hex(b2, 16)); //Auth2 UsbCommand d = {CMD_MIFARE_DES_AUTH2, {cuid}}; memcpy(reply,b1,16); memcpy(reply+16,b2,16); memcpy(d.d.asBytes,reply, 32); SendCommand(&d); UsbCommand respb; if (WaitForResponseTimeout(CMD_ACK,&respb,1500)) { uint8_t isOK = respb.arg[0] & 0xff; uint8_t * data2= respb.d.asBytes; if (isOK){ PrintAndLog("b3:%s", sprint_hex(data2+2, 16)); } } else { PrintAndLog("Command execute timeout"); } return 1; }
/** * Commandline handling: HF15 CMD SYSINFO * get system information from tag/VICC */ int CmdHF15Info(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd)<1 || cmdp == 'h' || cmdp == 'H') return usage_15_info(); UsbCommand resp; uint8_t *recv; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? uint8_t *req = c.d.asBytes; char cmdbuf[100]; char *cmd = cmdbuf; memset(cmdbuf, 0, sizeof(cmdbuf)); strncpy(cmd, Cmd, 99); if ( !prepareHF15Cmd(&cmd, &c, ISO15_CMD_SYSINFO) ) return 0; AddCrc(req, c.arg[0]); c.arg[0] += 2; //PrintAndLogEx(NORMAL, "cmd %s", sprint_hex(c.d.asBytes, reqlen) ); clearCommandBuffer(); SendCommand(&c); if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2000) ) { PrintAndLogEx(NORMAL, "iso15693 card select failed"); return 1; } uint32_t status = resp.arg[0]; if ( status < 2 ) { PrintAndLogEx(NORMAL, "iso15693 card doesn't answer to systeminfo command"); return 1; } recv = resp.d.asBytes; if ( recv[0] & ISO15_RES_ERROR ) { PrintAndLogEx(NORMAL, "iso15693 card returned error %i: %s", recv[0], TagErrorStr(recv[0])); return 3; } PrintAndLogEx(NORMAL, " UID : %s", sprintUID(NULL, recv+2)); PrintAndLogEx(NORMAL, " TYPE : %s", getTagInfo_15(recv+2)); PrintAndLogEx(NORMAL, " SYSINFO : %s", sprint_hex(recv, status-2)); // DSFID if (recv[1] & 0x01) PrintAndLogEx(NORMAL, " - DSFID supported [0x%02X]", recv[10]); else PrintAndLogEx(NORMAL, " - DSFID not supported"); // AFI if (recv[1] & 0x02) PrintAndLogEx(NORMAL, " - AFI supported [0x%02X]", recv[11]); else PrintAndLogEx(NORMAL, " - AFI not supported"); // IC reference if (recv[1] & 0x08) PrintAndLogEx(NORMAL, " - IC reference supported [0x%02X]", recv[14]); else PrintAndLogEx(NORMAL, " - IC reference not supported"); // memory if (recv[1] & 0x04) { PrintAndLogEx(NORMAL, " - Tag provides info on memory layout (vendor dependent)"); uint8_t blocks = recv[12]+1; uint8_t size = (recv[13] & 0x1F); PrintAndLogEx(NORMAL, " %u (or %u) bytes/blocks x %u blocks", size+1, size, blocks ); } else { PrintAndLogEx(NORMAL, " - Tag does not provide information on memory layout"); } PrintAndLogEx(NORMAL, "\n"); return 0; }
// Reads all memory pages // need to write to file int CmdHF15Dump(const char*Cmd) { uint8_t fileNameLen = 0; char filename[FILE_PATH_SIZE] = {0}; char * fptr = filename; bool errors = false; uint8_t cmdp = 0; uint8_t uid[8] = {0,0,0,0,0,0,0,0}; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { switch(param_getchar(Cmd, cmdp)) { case 'h': case 'H': return usage_15_dump(); case 'f': case 'F': fileNameLen = param_getstr(Cmd, cmdp+1, filename, FILE_PATH_SIZE); cmdp += 2; break; default: PrintAndLogEx(WARNING, "Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); errors = true; break; } } //Validations if (errors) return usage_15_dump(); if (fileNameLen < 1) { PrintAndLogEx(INFO, "Using UID as filename"); if (!getUID(uid)) { PrintAndLogEx(WARNING, "No tag found."); return 1; } fptr += sprintf(fptr, "hf-15-"); FillFileNameByUID(fptr,uid,"-dump",sizeof(uid)); } // detect blocksize from card :) PrintAndLogEx(NORMAL, "Reading memory from tag UID %s", sprintUID(NULL, uid)); int blocknum = 0; uint8_t *recv = NULL; // memory. t15memory mem[256]; uint8_t data[256*4] = {0}; memset(data, 0, sizeof(data)); UsbCommand resp; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? uint8_t *req = c.d.asBytes; req[0] = ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS; req[1] = ISO15_CMD_READ; // copy uid to read command memcpy(req+2, uid, sizeof(uid)); for (int retry = 0; retry < 5; retry++) { req[10] = blocknum; AddCrc(req, 11); c.arg[0] = 13; clearCommandBuffer(); SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { uint8_t len = resp.arg[0]; if ( len < 2 ) { PrintAndLogEx(FAILED, "iso15693 card select failed"); continue; } recv = resp.d.asBytes; if ( !CheckCrc(recv, len) ) { PrintAndLogEx(FAILED, "crc fail"); continue; } if (recv[0] & ISO15_RES_ERROR) { PrintAndLogEx(FAILED, "Tag returned Error %i: %s", recv[1], TagErrorStr(recv[1]) ); break; } mem[blocknum].lock = resp.d.asBytes[0]; memcpy(mem[blocknum].block, resp.d.asBytes + 1, 4); memcpy(data + (blocknum * 4), resp.d.asBytes + 1, 4); retry = 0; blocknum++; printf("."); fflush(stdout); } } PrintAndLogEx(NORMAL, "\n"); PrintAndLogEx(NORMAL, "block# | data |lck| ascii"); PrintAndLogEx(NORMAL, "---------+--------------+---+----------"); for (int i = 0; i < blocknum; i++) { PrintAndLogEx(NORMAL, "%3d/0x%02X | %s | %d | %s", i, i, sprint_hex(mem[i].block, 4 ), mem[i].lock, sprint_ascii(mem[i].block, 4) ); } PrintAndLogEx(NORMAL, "\n"); size_t datalen = blocknum * 4; saveFileEML(filename, "eml", data, datalen, 4); saveFile(filename, "bin", data, datalen); return 0; }
/* * Output BigBuf and deobfuscate LEGIC RF tag data. * This is based on information given in the talk held * by Henryk Ploetz and Karsten Nohl at 26c3 */ int CmdLegicDecode(const char *Cmd) { // Index for the bytearray. int i = 0; int k = 0, segmentNum; int segment_len = 0; int segment_flag = 0; uint8_t stamp_len = 0; int crc = 0; int wrp = 0; int wrc = 0; uint8_t data_buf[1024]; // receiver buffer, should be 1024.. char token_type[4]; // download EML memory, where the "legic read" command puts the data. GetEMLFromBigBuf(data_buf, sizeof(data_buf), 0); if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){ PrintAndLog("Command execute timeout"); return 1; } // Output CDF System area (9 bytes) plus remaining header area (12 bytes) crc = data_buf[4]; uint32_t calc_crc = CRC8Legic(data_buf, 4); PrintAndLog("\nCDF: System Area"); PrintAndLog("------------------------------------------------------"); PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s", data_buf[0], data_buf[1], data_buf[2], data_buf[3], data_buf[4], (calc_crc == crc) ? "OK":"Fail" ); switch (data_buf[5] & 0x7f) { case 0x00 ... 0x2f: strncpy(token_type, "IAM",sizeof(token_type)); break; case 0x30 ... 0x6f: strncpy(token_type, "SAM",sizeof(token_type)); break; case 0x70 ... 0x7f: strncpy(token_type, "GAM",sizeof(token_type)); break; default: strncpy(token_type, "???",sizeof(token_type)); break; } stamp_len = 0xfc - data_buf[6]; PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u", data_buf[5], data_buf[6], token_type, (data_buf[5]&0x80)>>7, stamp_len ); PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x", data_buf[7]&0x0f, (data_buf[7]&0x70)>>4, (data_buf[7]&0x80)>>7, data_buf[7], data_buf[8] ); PrintAndLog("Remaining Header Area"); PrintAndLog("%s", sprint_hex(data_buf+9, 13)); uint8_t segCrcBytes[8] = {0x00}; uint32_t segCalcCRC = 0; uint32_t segCRC = 0; // see if user area is xored or just zeros. int numOfZeros = 0; for (int index=22; index < 256; ++index){ if ( data_buf[index] == 0x00 ) ++numOfZeros; } // if possible zeros is less then 60%, lets assume data is xored // 256 - 22 (header) = 234 // 1024 - 22 (header) = 1002 int isXored = (numOfZeros*100/stamp_len) < 50; PrintAndLog("is data xored? %d ( %d %)", isXored, (numOfZeros*100/stamp_len)); print_hex_break( data_buf, 33, 16); return 0; PrintAndLog("\nADF: User Area"); PrintAndLog("------------------------------------------------------"); i = 22; // 64 potential segements // how to detect there is no segments?!? for ( segmentNum=0; segmentNum<64; segmentNum++ ) { segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc); segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4; wrp = (data_buf[i+2]^crc); wrc = ((data_buf[i+3]^crc)&0x70)>>4; bool hasWRC = (wrc > 0); bool hasWRP = (wrp > wrc); int wrp_len = (wrp - wrc); int remain_seg_payload_len = (segment_len - wrp - 5); // validate segment-crc segCrcBytes[0]=data_buf[0]; //uid0 segCrcBytes[1]=data_buf[1]; //uid1 segCrcBytes[2]=data_buf[2]; //uid2 segCrcBytes[3]=data_buf[3]; //uid3 segCrcBytes[4]=(data_buf[i]^crc); //hdr0 segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1 segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2 segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3 segCalcCRC = CRC8Legic(segCrcBytes, 8); segCRC = data_buf[i+4]^crc; PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)", segmentNum, data_buf[i]^crc, data_buf[i+1]^crc, data_buf[i+2]^crc, data_buf[i+3]^crc, segment_len, segment_flag, (segment_flag & 0x4) >> 2, (segment_flag & 0x8) >> 3, wrp, wrc, ((data_buf[i+3]^crc) & 0x80) >> 7, segCRC, ( segCRC == segCalcCRC ) ? "OK" : "fail" ); i += 5; if ( hasWRC ) { PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc); PrintAndLog("\nrow | data"); PrintAndLog("-----+------------------------------------------------"); // de-xor? if not zero, assume it needs xoring. if ( isXored) { for ( k=i; k < wrc; ++k) data_buf[k] ^= crc; } print_hex_break( data_buf+i, wrc, 16); i += wrc; } if ( hasWRP ) { PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len); PrintAndLog("\nrow | data"); PrintAndLog("-----+------------------------------------------------"); if (isXored) { for (k=i; k < wrp_len; ++k) data_buf[k] ^= crc; } print_hex_break( data_buf+i, wrp_len, 16); i += wrp_len; // does this one work? if( wrp_len == 8 ) PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc); } PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len); PrintAndLog("\nrow | data"); PrintAndLog("-----+------------------------------------------------"); if ( isXored ) { for ( k=i; k < remain_seg_payload_len; ++k) data_buf[k] ^= crc; } print_hex_break( data_buf+i, remain_seg_payload_len, 16); i += remain_seg_payload_len; PrintAndLog("-----+------------------------------------------------\n"); // end with last segment if (segment_flag & 0x8) return 0; } // end for loop return 0; }
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) { uint16_t i; uint32_t uid; UsbCommand resp; StateList_t statelists[2]; struct Crypto1State *p1, *p2, *p3, *p4; // flush queue WaitForResponseTimeout(CMD_ACK,NULL,100); UsbCommand c = {CMD_MIFARE_NESTED, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, calibrate}}; memcpy(c.d.asBytes, key, 6); SendCommand(&c); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { return -1; } if (resp.arg[0]) { return resp.arg[0]; // error during nested } memcpy(&uid, resp.d.asBytes, 4); PrintAndLog("uid:%08x trgbl=%d trgkey=%x", uid, (uint16_t)resp.arg[2] & 0xff, (uint16_t)resp.arg[2] >> 8); for (i = 0; i < 2; i++) { statelists[i].blockNo = resp.arg[2] & 0xff; statelists[i].keyType = (resp.arg[2] >> 8) & 0xff; statelists[i].uid = uid; memcpy(&statelists[i].nt, (void *)(resp.d.asBytes + 4 + i * 8 + 0), 4); memcpy(&statelists[i].ks1, (void *)(resp.d.asBytes + 4 + i * 8 + 4), 4); } // calc keys pthread_t thread_id[2]; // create and run worker threads for (i = 0; i < 2; i++) { pthread_create(thread_id + i, NULL, nested_worker_thread, &statelists[i]); } // wait for threads to terminate: for (i = 0; i < 2; i++) { pthread_join(thread_id[i], (void*)&statelists[i].head.slhead); } // the first 16 Bits of the cryptostate already contain part of our key. // Create the intersection of the two lists based on these 16 Bits and // roll back the cryptostate p1 = p3 = statelists[0].head.slhead; p2 = p4 = statelists[1].head.slhead; while (p1 <= statelists[0].tail.sltail && p2 <= statelists[1].tail.sltail) { if (Compare16Bits(p1, p2) == 0) { struct Crypto1State savestate, *savep = &savestate; savestate = *p1; while(Compare16Bits(p1, savep) == 0 && p1 <= statelists[0].tail.sltail) { *p3 = *p1; lfsr_rollback_word(p3, statelists[0].nt ^ statelists[0].uid, 0); p3++; p1++; } savestate = *p2; while(Compare16Bits(p2, savep) == 0 && p2 <= statelists[1].tail.sltail) { *p4 = *p2; lfsr_rollback_word(p4, statelists[1].nt ^ statelists[1].uid, 0); p4++; p2++; } } else { while (Compare16Bits(p1, p2) == -1) p1++; while (Compare16Bits(p1, p2) == 1) p2++; } } p3->even = 0; p3->odd = 0; p4->even = 0; p4->odd = 0; statelists[0].len = p3 - statelists[0].head.slhead; statelists[1].len = p4 - statelists[1].head.slhead; statelists[0].tail.sltail=--p3; statelists[1].tail.sltail=--p4; // the statelists now contain possible keys. The key we are searching for must be in the // intersection of both lists. Create the intersection: qsort(statelists[0].head.keyhead, statelists[0].len, sizeof(uint64_t), compar_int); qsort(statelists[1].head.keyhead, statelists[1].len, sizeof(uint64_t), compar_int); uint64_t *p5, *p6, *p7; p5 = p7 = statelists[0].head.keyhead; p6 = statelists[1].head.keyhead; while (p5 <= statelists[0].tail.keytail && p6 <= statelists[1].tail.keytail) { if (compar_int(p5, p6) == 0) { *p7++ = *p5++; p6++; } else { while (compar_int(p5, p6) == -1) p5++; while (compar_int(p5, p6) == 1) p6++; } } statelists[0].len = p7 - statelists[0].head.keyhead; statelists[0].tail.keytail=--p7; memset(resultKey, 0, 6); // The list may still contain several key candidates. Test each of them with mfCheckKeys for (i = 0; i < statelists[0].len; i++) { uint8_t keyBlock[6]; uint64_t key64; crypto1_get_lfsr(statelists[0].head.slhead + i, &key64); num_to_bytes(key64, 6, keyBlock); key64 = 0; if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, 1, keyBlock, &key64)) { num_to_bytes(key64, 6, resultKey); break; } } free(statelists[0].head.slhead); free(statelists[1].head.slhead); return 0; }
// Reads all memory pages int CmdHF15DumpMem(const char*Cmd) { UsbCommand resp; uint8_t uid[8]; uint8_t *recv=NULL; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? uint8_t *req=c.d.asBytes; int reqlen=0; int blocknum=0; char output[80]; if (!getUID(uid)) { PrintAndLog("No Tag found."); return 0; } PrintAndLog("Reading memory from tag UID=%s",sprintUID(NULL,uid)); PrintAndLog("Tag Info: %s",getTagInfo(uid)); for (int retry=0; retry<5; retry++) { req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS; req[1]=ISO15_CMD_READ; memcpy(&req[2],uid,8); req[10]=blocknum; reqlen=AddCrc(req,11); c.arg[0]=reqlen; SendCommand(&c); if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) { recv = resp.d.asBytes; if (ISO15_CRC_CHECK==Crc(recv,resp.arg[0])) { if (!(recv[0] & ISO15_RES_ERROR)) { retry=0; *output=0; // reset outputstring sprintf(output, "Block %02x ",blocknum); for ( int i=1; i<resp.arg[0]-2; i++) { // data in hex sprintf(output+strlen(output),"%02X ",recv[i]); } strcat(output," "); for ( int i=1; i<resp.arg[0]-2; i++) { // data in cleaned ascii sprintf(output+strlen(output),"%c",(recv[i]>31 && recv[i]<127)?recv[i]:'.'); } PrintAndLog("%s",output); blocknum++; // PrintAndLog("bn=%i",blocknum); } else { PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1])); return 0; } } // else PrintAndLog("crc"); } // else PrintAndLog("r null"); } // retry // TODO: need fix // if (resp.arg[0]<3) // PrintAndLog("Lost Connection"); // else if (ISO15_CRC_CHECK!=Crc(resp.d.asBytes,resp.arg[0])) // PrintAndLog("CRC Failed"); // else // PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1])); return 0; }
int CmdHF15CmdRaw (const char *cmd) { UsbCommand resp; uint8_t *recv; UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv? int reply=1; int fast=1; int crc=0; char buf[5]=""; int i=0; uint8_t data[100]; unsigned int datalen=0, temp; char *hexout; if (strlen(cmd)<3) { PrintAndLog("Usage: hf 15 cmd raw [-r] [-2] [-c] <0A 0B 0C ... hex>"); PrintAndLog(" -r do not read response"); PrintAndLog(" -2 use slower '1 out of 256' mode"); PrintAndLog(" -c calculate and append CRC"); PrintAndLog(" Tip: turn on debugging for verbose output"); return 0; } // strip while (*cmd==' ' || *cmd=='\t') cmd++; while (cmd[i]!='\0') { if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; } if (cmd[i]=='-') { switch (cmd[i+1]) { case 'r': case 'R': reply=0; break; case '2': fast=0; break; case 'c': case 'C': crc=1; break; default: PrintAndLog("Invalid option"); return 0; } i+=2; continue; } if ((cmd[i]>='0' && cmd[i]<='9') || (cmd[i]>='a' && cmd[i]<='f') || (cmd[i]>='A' && cmd[i]<='F') ) { buf[strlen(buf)+1]=0; buf[strlen(buf)]=cmd[i]; i++; if (strlen(buf)>=2) { sscanf(buf,"%x",&temp); data[datalen]=(uint8_t)(temp & 0xff); datalen++; *buf=0; } continue; } PrintAndLog("Invalid char on input"); return 0; } if (crc) datalen=AddCrc(data,datalen); c.arg[0]=datalen; c.arg[1]=fast; c.arg[2]=reply; memcpy(c.d.asBytes,data,datalen); SendCommand(&c); if (reply) { if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) { recv = resp.d.asBytes; PrintAndLog("received %i octets",resp.arg[0]); hexout = (char *)malloc(resp.arg[0] * 3 + 1); if (hexout != NULL) { for (int i = 0; i < resp.arg[0]; i++) { // data in hex sprintf(&hexout[i * 3], "%02X ", recv[i]); } PrintAndLog("%s", hexout); free(hexout); } } else { PrintAndLog("timeout while waiting for reply."); } } // if reply return 0; }
bool WaitForResponse(uint32_t cmd, UsbCommand* response) { return WaitForResponseTimeout(cmd,response,-1); }