add: hf mf personlize - Personalize the UID of a Mifare Classic EV1 card (@pwpiwi) see 0b4efbdef2

2025-08-19 21:03:48 -07:00 · 2020-03-09 11:02:26 +01:00 · 2020-03-09 11:02:26 +01:00 · 074f6c374e
commit 074f6c374e
parent b5aad6759c
6 changed files with 171 additions and 6 deletions
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -42,6 +42,7 @@
 #include "Standalone/standalone.h"
 #include "util.h"
 #include "ticks.h"
+#include "commonutil.h"

 #ifdef WITH_LCD
 #include "LCD.h"
@ -1247,6 +1248,17 @@ static void PacketReceived(PacketCommandNG *packet) {
 //            SniffMifare(packet->oldarg[0]);
 //            break;
 //        }
+		case CMD_HF_MIFARE_PERSONALIZE_UID: {
+            struct p {
+                uint8_t keytype;
+                uint8_t pers_option;
+                uint8_t key[6];
+            } PACKED;
+            struct p *payload = (struct p *) packet->data.asBytes;
+            uint64_t authkey = bytes_to_num(payload->key, 6);
+			MifarePersonalizeUID(payload->keytype, payload->pers_option, authkey);
+			break;
+        }
        case CMD_HF_MIFARE_SETMOD: {
            MifareSetMod(packet->data.asBytes);
            break;
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@ -1805,6 +1805,63 @@ void MifareChkKeys_file(uint8_t *fn) {
 #endif
 }

+//-----------------------------------------------------------------------------
+// MIFARE Personalize UID. Only for Mifare Classic EV1 7Byte UID
+//-----------------------------------------------------------------------------
+void MifarePersonalizeUID(uint8_t keyType, uint8_t perso_option, uint64_t key) {
+
+    uint16_t isOK = PM3_EUNDEF;
+	uint8_t uid[10];
+	uint32_t cuid;
+	struct Crypto1State mpcs = {0, 0};
+	struct Crypto1State *pcs;
+	pcs = &mpcs;
+
+	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+    clear_trace();
+    set_tracing(true);
+    
+	LED_A_ON();
+
+	while (true) {
+		if (!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
+			if (DBGLEVEL >= DBG_ERROR) Dbprintf("Can't select card");
+			break;
+		}
+
+		uint8_t block_number = 0;
+		if (mifare_classic_auth(pcs, cuid, block_number, keyType, key, AUTH_FIRST)) {
+			if (DBGLEVEL >= DBG_ERROR) Dbprintf("Auth error");
+			break;
+		}
+
+		uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
+		uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
+		int len = mifare_sendcmd_short(pcs, true, MIFARE_EV1_PERSONAL_UID, perso_option, receivedAnswer, receivedAnswerPar, NULL);
+		if (len != 1 || receivedAnswer[0] != CARD_ACK) {
+			if (DBGLEVEL >= DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
+			break;;
+		}
+
+        if (mifare_classic_halt(pcs, cuid)) {
+            if (DBGLEVEL >= DBG_ERROR) Dbprintf("Halt error");
+            break;
+        }
+		isOK = PM3_SUCCESS;
+		break;
+	}
+
+	crypto1_deinit(pcs);
+
+    LED_B_ON();
+    reply_ng(CMD_HF_MIFARE_PERSONALIZE_UID, isOK, NULL, 0);
+    LED_B_OFF();
+
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+    LEDsoff();    
+}
+
+
 //-----------------------------------------------------------------------------
 // Work with emulator memory
 //
@ -2276,23 +2333,23 @@ void MifareSetMod(uint8_t *datain) {

    while (true) {
        if (!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
-            if (DBGLEVEL >= 1) Dbprintf("Can't select card");
+            if (DBGLEVEL >= DBG_ERROR) Dbprintf("Can't select card");
            break;
        }

        if (mifare_classic_auth(pcs, cuid, 0, 0, ui64Key, AUTH_FIRST)) {
-            if (DBGLEVEL >= 1) Dbprintf("Auth error");
+            if (DBGLEVEL >= DBG_ERROR) Dbprintf("Auth error");
            break;
        }

        int respLen;
        if (((respLen = mifare_sendcmd_short(pcs, CRYPT_ALL, 0x43, mod, receivedAnswer, receivedAnswerPar, NULL)) != 1) || (receivedAnswer[0] != 0x0a)) {
-            if (DBGLEVEL >= 1) Dbprintf("SetMod error; response[0]: %hhX, len: %d", receivedAnswer[0], respLen);
+            if (DBGLEVEL >= DBG_ERROR) Dbprintf("SetMod error; response[0]: %hhX, len: %d", receivedAnswer[0], respLen);
            break;
        }

        if (mifare_classic_halt(pcs, cuid)) {
-            if (DBGLEVEL >= 1) Dbprintf("Halt error");
+            if (DBGLEVEL >= DBG_ERROR) Dbprintf("Halt error");
            break;
        }

@ -2304,7 +2361,6 @@ void MifareSetMod(uint8_t *datain) {

    LED_B_ON();
    reply_ng(CMD_HF_MIFARE_SETMOD, isOK, NULL, 0);
-
    LED_B_OFF();

    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
--- a/armsrc/mifarecmd.h
+++ b/armsrc/mifarecmd.h
@ -45,6 +45,8 @@ void MifareCIdent();  // is "magic chinese" card?
 void MifareHasStaticNonce();  // Has the tag a static nonce?

 void MifareSetMod(uint8_t *datain);
+void MifarePersonalizeUID(uint8_t keyType, uint8_t perso_option, uint64_t key);
+
 void MifareUSetPwd(uint8_t arg0, uint8_t *datain);
 void OnSuccessMagic();
 void OnErrorMagic(uint8_t reason);
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -4798,6 +4798,95 @@ static int CmdHFMFNDEF(const char *Cmd) {
    return PM3_SUCCESS;
 }

+int CmdHFMFPersonalize(const char *cmd) {
+
+	CLIParserInit("hf mf personalize",
+				  "Personalize the UID of a Mifare Classic EV1 card. This is only possible if it is a 7Byte UID card and if it is not already personalized.",
+				  "Usage:\n\thf mf personalize UIDF0                        -> double size UID according to ISO/IEC14443-3\n"
+				  "\thf mf personalize UIDF1                        -> double size UID according to ISO/IEC14443-3, optional usage of selection process shortcut\n"
+				  "\thf mf personalize UIDF2                        -> single size random ID according to ISO/IEC14443-3\n"
+				  "\thf mf personalize UIDF3                        -> single size NUID according to ISO/IEC14443-3\n"
+				  "\thf mf personalize -t B -k B0B1B2B3B4B5 UIDF3   -> use key B = 0xB0B1B2B3B4B5 instead of default key A\n");
+
+	void *argtable[] = {
+		arg_param_begin,
+		arg_str0("tT",  "keytype", "<A|B>",                     "key type (A or B) to authenticate sector 0 (default: A)"),
+		arg_str0("kK",  "key",     "<key (hex 6 Bytes)>",       "key to authenticate sector 0 (default: FFFFFFFFFFFF)"),
+		arg_str1(NULL,  NULL,      "<UIDF0|UIDF1|UIDF2|UIDF3>", "Personalization Option"),
+		arg_param_end
+	};
+	CLIExecWithReturn(cmd, argtable, true);
+
+	char keytypestr[2] = "a";
+	uint8_t keytype = 0x00;
+	int keytypestr_len;
+	int res = CLIParamStrToBuf(arg_get_str(1), (uint8_t*)keytypestr, 1, &keytypestr_len);
+    str_lower(keytypestr);
+    
+	if (res || (keytypestr[0] != 'a' && keytypestr[0] != 'b')) {
+		PrintAndLogEx(ERR, "ERROR: not a valid key type. Key type must be A or B");
+		CLIParserFree();
+		return PM3_EINVARG;
+	}
+	if (keytypestr[0] == 'b') {
+		keytype = 0x01;
+	}
+
+	uint8_t key[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+	int key_len;
+	res = CLIParamHexToBuf(arg_get_str(2), key, 6, &key_len);
+	if (res || (!res && key_len > 0 && key_len != 6)) {
+		PrintAndLogEx(ERR, "ERROR: not a valid key. Key must be 12 hex digits");
+		CLIParserFree();
+		return PM3_EINVARG;
+	}
+
+	char pers_optionstr[6];
+	int opt_len;
+	uint8_t pers_option;
+	res = CLIParamStrToBuf(arg_get_str(3), (uint8_t*)pers_optionstr, 5, &opt_len);
+    str_lower(pers_optionstr);
+
+	if (res || (!res && opt_len > 0 && opt_len != 5)
+			|| (strncmp(pers_optionstr, "uidf0", 5) && strncmp(pers_optionstr, "uidf1", 5) && strncmp(pers_optionstr, "uidf2", 5) && strncmp(pers_optionstr, "uidf3", 5))) {
+		PrintAndLogEx(ERR, "ERROR: invalid personalization option. Must be one of UIDF0, UIDF1, UIDF2, or UIDF3");
+		CLIParserFree();
+		return PM3_EINVARG;
+	}
+	if (!strncmp(pers_optionstr, "uidf0", 5)) {
+		pers_option = MIFARE_EV1_UIDF0;
+	} else if (!strncmp(pers_optionstr, "uidf1", 5)) {
+		pers_option = MIFARE_EV1_UIDF1;
+	} else if (!strncmp(pers_optionstr, "uidf2", 5)) {
+		pers_option = MIFARE_EV1_UIDF2;
+	} else {
+		pers_option = MIFARE_EV1_UIDF3;
+	}
+
+	CLIParserFree();
+
+    clearCommandBuffer();    
+
+    struct {
+        uint8_t keytype;
+        uint8_t pers_option;
+        uint8_t key[6];
+    } PACKED payload;
+    payload.keytype = keytype;
+    payload.pers_option = pers_option;
+
+	memcpy(payload.key, key, 6);
+
+    SendCommandNG(CMD_HF_MIFARE_PERSONALIZE_UID, (uint8_t *)&payload, sizeof(payload));
+
+	PacketResponseNG resp;
+    if (!WaitForResponseTimeout(CMD_HF_MIFARE_PERSONALIZE_UID, &resp, 2500)) return PM3_ETIMEOUT;
+
+    PrintAndLogEx(SUCCESS, "Personalization %s", resp.status == PM3_SUCCESS ? "SUCCEEDED" : "FAILED");
+
+	return PM3_SUCCESS;
+}
+
 static int CmdHF14AMfList(const char *Cmd) {
    (void)Cmd; // Cmd is not used so far
    return CmdTraceList("mf");
@ -4845,7 +4934,7 @@ static command_t CommandTable[] = {
    {"-----------", CmdHelp,                IfPm3Iso14443a,  ""},
    {"mad",         CmdHF14AMfMAD,          IfPm3Iso14443a,  "Checks and prints MAD"},
    {"ndef",        CmdHFMFNDEF,            IfPm3Iso14443a,  "Prints NDEF records from card"},
-
+	{"personalize", CmdHFMFPersonalize,     IfPm3Iso14443a,  "Personalize UID (Mifare Classic EV1 only)"},
    {"ice",         CmdHF14AMfice,          IfPm3Iso14443a,  "collect MIFARE Classic nonces to file"},
    {NULL, NULL, NULL, NULL}
 };
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@ -505,6 +505,8 @@ typedef struct {

 #define CMD_HF_MIFARE_SNIFF                                               0x0630
 #define CMD_HF_MIFARE_MFKEY                                               0x0631
+#define CMD_HF_MIFARE_PERSONALIZE_UID                                     0x0632
+
 //ultralightC
 #define CMD_HF_MIFAREUC_AUTH                                              0x0724
 //0x0725 and 0x0726 no longer used
--- a/include/protocols.h
+++ b/include/protocols.h
@ -163,6 +163,10 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.

 #define MIFARE_EV1_PERSONAL_UID     0x40
 #define MIFARE_EV1_SETMODE          0x43
+#define MIFARE_EV1_UIDF0            0x00
+#define MIFARE_EV1_UIDF1            0x40
+#define MIFARE_EV1_UIDF2            0x20
+#define MIFARE_EV1_UIDF3            0x60

 #define MIFARE_ULC_WRITE            0xA2
 #define MIFARE_ULC_COMP_WRITE       0xA0