github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-14 10:37:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

make style changes

Browse source
This commit is contained in:
Henry Gabryjelski 2024-03-11 17:28:05 -07:00
commit 0a598b254c
5 changed files with 138 additions and 130 deletions
Download patch file Download diff file Expand all files Collapse all files

156
client/src/cmdlfem4x70.c
View file

@ -161,11 +161,11 @@ typedef struct _em4x70_cmd_input_verify_auth_t {
static int CmdHelp(const char *Cmd);
static void fill_buffer_prng_bytes(void* buffer, size_t byte_count) {
static void fill_buffer_prng_bytes(void *buffer, size_t byte_count) {
if (byte_count <= 0) return;
srand((unsigned) time(NULL));
for (size_t i = 0; i < byte_count; i++) {
((uint8_t*)buffer)[i] = (uint8_t)rand();
((uint8_t *)buffer)[i] = (uint8_t)rand();
}
}
static void print_info_result(const em4x70_tag_info_t *data) {
@ -205,7 +205,7 @@ static void print_info_result(const em4x70_tag_info_t *data) {
PrintAndLogEx(NORMAL, "");
}
static int get_em4x70_info(const em4x70_cmd_input_info_t* opts, em4x70_tag_info_t * data_out) {
static int get_em4x70_info(const em4x70_cmd_input_info_t *opts, em4x70_tag_info_t *data_out) {
memset(data_out, 0, sizeof(em4x70_tag_info_t));
@ -224,7 +224,7 @@ static int get_em4x70_info(const em4x70_cmd_input_info_t* opts, em4x70_tag_info_
}
return PM3_ESOFT;
}
static int writeblock_em4x70(const em4x70_cmd_input_writeblock_t* opts, em4x70_tag_info_t* data_out) {
static int writeblock_em4x70(const em4x70_cmd_input_writeblock_t *opts, em4x70_tag_info_t *data_out) {
memset(data_out, 0, sizeof(em4x70_tag_info_t));
@ -248,7 +248,7 @@ static int writeblock_em4x70(const em4x70_cmd_input_writeblock_t* opts, em4x70_t
}
return PM3_ESOFT;
}
static int auth_em4x70(const em4x70_cmd_input_auth_t* opts, em4x70_cmd_output_auth_t* data_out) {
static int auth_em4x70(const em4x70_cmd_input_auth_t *opts, em4x70_cmd_output_auth_t *data_out) {
memset(data_out, 0, sizeof(ID48LIB_GRN));
// TODO: change firmware to use per-cmd structures
@ -256,7 +256,7 @@ static int auth_em4x70(const em4x70_cmd_input_auth_t* opts, em4x70_cmd_output_au
etd.parity = opts->use_parity;
memcpy(&etd.rnd[0], &opts->rn.rn[0], 7);
memcpy(&etd.frnd[0], &opts->frn.frn[0], 4);
clearCommandBuffer();
SendCommandNG(CMD_LF_EM4X70_AUTH, (uint8_t *)&etd, sizeof(etd));
@ -276,7 +276,7 @@ static int auth_em4x70(const em4x70_cmd_input_auth_t* opts, em4x70_cmd_output_au
}
return PM3_ESOFT;
}
static int writekey_em4x70(const em4x70_cmd_input_writekey_t* opts) {
static int writekey_em4x70(const em4x70_cmd_input_writekey_t *opts) {
// TODO: change firmware to use per-cmd structures
em4x70_data_t etd = {0};
@ -295,7 +295,7 @@ static int writekey_em4x70(const em4x70_cmd_input_writekey_t* opts) {
}
return PM3_ESOFT;
}
static int brute_em4x70(const em4x70_cmd_input_brute_t* opts, em4x70_cmd_output_brute_t* data_out) {
static int brute_em4x70(const em4x70_cmd_input_brute_t *opts, em4x70_cmd_output_brute_t *data_out) {
memset(data_out, 0, sizeof(em4x70_cmd_output_brute_t));
// TODO: change firmware to use per-cmd structures
@ -346,7 +346,7 @@ static int brute_em4x70(const em4x70_cmd_input_brute_t* opts, em4x70_cmd_output_
timeout++;
}
}
static int unlock_em4x70(const em4x70_cmd_input_unlock_t* opts, em4x70_tag_info_t* data_out) {
static int unlock_em4x70(const em4x70_cmd_input_unlock_t *opts, em4x70_tag_info_t *data_out) {
memset(data_out, 0, sizeof(em4x70_tag_info_t));
// TODO: change firmware to use per-cmd structures
@ -369,7 +369,7 @@ static int unlock_em4x70(const em4x70_cmd_input_unlock_t* opts, em4x70_tag_info_
return PM3_ESOFT;
}
static int writepin_em4x70(const em4x70_cmd_input_writepin_t* opts, em4x70_tag_info_t* data_out) {
static int writepin_em4x70(const em4x70_cmd_input_writepin_t *opts, em4x70_tag_info_t *data_out) {
memset(data_out, 0, sizeof(em4x70_tag_info_t));
// TODO: change firmware to use per-cmd structures
@ -390,7 +390,7 @@ static int writepin_em4x70(const em4x70_cmd_input_writepin_t* opts, em4x70_tag_i
}
return PM3_ESOFT;
}
static int recover_em4x70(const em4x70_cmd_input_recover_t* opts, em4x70_cmd_output_recover_t* data_out) {
static int recover_em4x70(const em4x70_cmd_input_recover_t *opts, em4x70_cmd_output_recover_t *data_out) {
memset(data_out, 0, sizeof(em4x70_cmd_output_recover_t));
// The library is stateful. First must initialize its internal context.
@ -412,7 +412,7 @@ static int recover_em4x70(const em4x70_cmd_input_recover_t* opts, em4x70_cmd_out
}
return result;
}
static int verify_auth_em4x70(const em4x70_cmd_input_verify_auth_t* opts) {
static int verify_auth_em4x70(const em4x70_cmd_input_verify_auth_t *opts) {
em4x70_cmd_input_auth_t opts_auth = {
.use_parity = opts->use_parity,
.rn = opts->rn,
@ -534,7 +534,7 @@ int CmdEM4x70Write(const char *Cmd) {
}
return result;
}
int CmdEM4x70Brute(const char *Cmd) {
// From paper "Dismantling Megamos Crypto", Roel Verdult, Flavio D. Garcia and Barıs¸ Ege.
@ -820,26 +820,26 @@ int CmdEM4x70WriteKey(const char *Cmd) {
// dump the auth command to the screen, to enable the user to manually check validity
PrintAndLogEx(INFO,
"Verifying auth for new key: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
" --> " _YELLOW_("lf em 4x70 auth --rnd %02X%02X%02X%02X%02X%02X%02X --frn %02X%02X%02X%02X")
" --> %02X%02X%02X",
opts.key.k[ 0], opts.key.k[ 1], opts.key.k[ 2], opts.key.k[ 3], opts.key.k[ 4], opts.key.k[ 5],
opts.key.k[ 6], opts.key.k[ 7], opts.key.k[ 8], opts.key.k[ 9], opts.key.k[10], opts.key.k[11],
opts_v.rn.rn[0],
opts_v.rn.rn[1],
opts_v.rn.rn[2],
opts_v.rn.rn[3],
opts_v.rn.rn[4],
opts_v.rn.rn[5],
opts_v.rn.rn[6],
opts_v.frn.frn[0],
opts_v.frn.frn[1],
opts_v.frn.frn[2],
opts_v.frn.frn[3],
opts_v.grn.grn[0],
opts_v.grn.grn[1],
opts_v.grn.grn[2]
);
"Verifying auth for new key: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
" --> " _YELLOW_("lf em 4x70 auth --rnd %02X%02X%02X%02X%02X%02X%02X --frn %02X%02X%02X%02X")
" --> %02X%02X%02X",
opts.key.k[ 0], opts.key.k[ 1], opts.key.k[ 2], opts.key.k[ 3], opts.key.k[ 4], opts.key.k[ 5],
opts.key.k[ 6], opts.key.k[ 7], opts.key.k[ 8], opts.key.k[ 9], opts.key.k[10], opts.key.k[11],
opts_v.rn.rn[0],
opts_v.rn.rn[1],
opts_v.rn.rn[2],
opts_v.rn.rn[3],
opts_v.rn.rn[4],
opts_v.rn.rn[5],
opts_v.rn.rn[6],
opts_v.frn.frn[0],
opts_v.frn.frn[1],
opts_v.frn.frn[2],
opts_v.frn.frn[3],
opts_v.grn.grn[0],
opts_v.grn.grn[1],
opts_v.grn.grn[2]
);
result = verify_auth_em4x70(&opts_v);
if (PM3_ETIMEOUT == result) {
PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
@ -865,11 +865,11 @@ typedef struct _em4x70_recovery_data_t {
bool potential_keys_validated[MAXIMUM_ID48_RECOVERED_KEY_COUNT];
} em4x70_recovery_data_t;
static int CmdEM4x70Recover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_t* out_results) {
static int CmdEM4x70Recover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_t *out_results) {
memset(out_results, 0, sizeof(em4x70_recovery_data_t));
int result = PM3_SUCCESS;
CLIParserContext *ctx;
CLIParserInit(
&ctx,
@ -888,7 +888,7 @@ static int CmdEM4x70Recover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_
,
"lf em 4x70 recover --key F32AA98CF5BE --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)\n"
"lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)\n"
);
);
void *argtable[] = {
arg_param_begin,
@ -926,7 +926,7 @@ static int CmdEM4x70Recover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_
if (CLIParamHexToBuf(arg_get_str(ctx, 5), &(out_results->grn.grn[0]), 3, &grn_len)) {
result = PM3_ESOFT;
}
//out_results->verify = arg_get_lit(ctx, 6);
//out_results->verify = arg_get_lit(ctx, 6);
}
// if all OK so far, do additional parameter validation
if (PM3_SUCCESS == result) {
@ -961,7 +961,7 @@ int CmdEM4x70Recover(const char *Cmd) {
// Partial Key-Update Attack -- final 48 bits (after optimized version gets k95..k48)
em4x70_recovery_data_t recover_ctx = {0};
int result = PM3_SUCCESS;
result = CmdEM4x70Recover_ParseArgs(Cmd, &recover_ctx.opts);
// recover the potential keys -- no more than a few seconds
if (PM3_SUCCESS == result) {
@ -992,27 +992,27 @@ int CmdEM4x70Recover(const char *Cmd) {
// dump the results to screen, to enable the user to manually check validity
PrintAndLogEx(INFO,
"Potential Key #%d: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
" --> " _YELLOW_("lf em 4x70 auth --rnd %02X%02X%02X%02X%02X%02X%02X --frn %02X%02X%02X%02X")
" --> %02X%02X%02X",
i,
q.k[ 0], q.k[ 1], q.k[ 2], q.k[ 3], q.k[ 4], q.k[ 5],
q.k[ 6], q.k[ 7], q.k[ 8], q.k[ 9], q.k[10], q.k[11],
recover_ctx.alt_nonce.rn[0],
recover_ctx.alt_nonce.rn[1],
recover_ctx.alt_nonce.rn[2],
recover_ctx.alt_nonce.rn[3],
recover_ctx.alt_nonce.rn[4],
recover_ctx.alt_nonce.rn[5],
recover_ctx.alt_nonce.rn[6],
alt_frn.frn[0],
alt_frn.frn[1],
alt_frn.frn[2],
alt_frn.frn[3],
alt_grn.grn[0],
alt_grn.grn[1],
alt_grn.grn[2]
);
"Potential Key #%d: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
" --> " _YELLOW_("lf em 4x70 auth --rnd %02X%02X%02X%02X%02X%02X%02X --frn %02X%02X%02X%02X")
" --> %02X%02X%02X",
i,
q.k[ 0], q.k[ 1], q.k[ 2], q.k[ 3], q.k[ 4], q.k[ 5],
q.k[ 6], q.k[ 7], q.k[ 8], q.k[ 9], q.k[10], q.k[11],
recover_ctx.alt_nonce.rn[0],
recover_ctx.alt_nonce.rn[1],
recover_ctx.alt_nonce.rn[2],
recover_ctx.alt_nonce.rn[3],
recover_ctx.alt_nonce.rn[4],
recover_ctx.alt_nonce.rn[5],
recover_ctx.alt_nonce.rn[6],
alt_frn.frn[0],
alt_frn.frn[1],
alt_frn.frn[2],
alt_frn.frn[3],
alt_grn.grn[0],
alt_grn.grn[1],
alt_grn.grn[2]
);
}
printf("\n");
}
@ -1040,7 +1040,7 @@ int CmdEM4x70Recover(const char *Cmd) {
return result;
}
static int CmdEM4x70AutoRecover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_t* out_results) {
static int CmdEM4x70AutoRecover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_t *out_results) {
memset(out_results, 0, sizeof(em4x70_cmd_input_recover_t));
int result = PM3_SUCCESS;
@ -1085,7 +1085,7 @@ static int CmdEM4x70AutoRecover_ParseArgs(const char *Cmd, em4x70_cmd_input_reco
,
"lf em 4x70 autorecover --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)\n"
"lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)\n"
);
);
void *argtable[] = {
arg_param_begin,
@ -1096,7 +1096,7 @@ static int CmdEM4x70AutoRecover_ParseArgs(const char *Cmd, em4x70_cmd_input_reco
//arg_lit0(NULL, "verify", "automatically use tag for validation"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
int rnd_len = 0; // must be 7 bytes hex data
@ -1138,7 +1138,7 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
// of summarizing the failure (and providing options for recovery in case of failures)
// at a single point at the end of the function. It will also undoubtedly reduce
// code coverage numbers, when those are tracked.
//
//
// As to clarity, if failures occurred in steps 2-4, it was expected that the cleanup
// code would, in a single location, verify if the original authentication worked.
// If so, then the tag was left in a good state (even if an error occurred).
@ -1150,9 +1150,9 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
// perform that additional cleanup? Not a great solution. Pity, as the
// cleanup code was much more helpful than the below print statements.
int last_successful_step = 0;
char rnd_string[14+1] = {0};
char frn_string[8+1] = {0};
char grn_string[6+1] = {0};
char rnd_string[14 + 1] = {0};
char frn_string[ 8 + 1] = {0};
char grn_string[ 6 + 1] = {0};
// These strings will be re-used often, are safe to pre-allocate, and make later PrintAndLogEx() calls cleaner.
snprintf(rnd_string, 15, "%02X%02X%02X%02X%02X%02X%02X", opts.nonce.rn[0], opts.nonce.rn[1], opts.nonce.rn[2], opts.nonce.rn[3], opts.nonce.rn[4], opts.nonce.rn[5], opts.nonce.rn[6]);
snprintf(frn_string, 9, "%02X%02X%02X%02X", opts.frn.frn[0], opts.frn.frn[1], opts.frn.frn[2], opts.frn.frn[3]);
@ -1178,9 +1178,9 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
return result;
} else if (memcmp(&opts.grn, &tag_grn, sizeof(ID48LIB_GRN)) != 0) {
PrintAndLogEx(FAILED, "Authenticating with new key returned %02x %02x %02x, expected %s (maybe 5 lsb of key wrong?): " _RED_("failed"),
tag_grn.grn.grn[0], tag_grn.grn.grn[1], tag_grn.grn.grn[2],
grn_string
);
tag_grn.grn.grn[0], tag_grn.grn.grn[1], tag_grn.grn.grn[2],
grn_string
);
result = PM3_EWRONGANSWER;
return result;
}
@ -1279,7 +1279,7 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
}
// The good news is that, if the above succeeded, then from this point forward, the tag remains in a known-good state.
char key_string[24+1] = {0}; // holds partial key initially, full key later
char key_string[24 + 1] = {0}; // holds partial key initially, full key later
snprintf(key_string, 25, "%02X%02X%02X%02X%02X%02X", opts.key.k[0], opts.key.k[1], opts.key.k[2], opts.key.k[3], opts.key.k[4], opts.key.k[5]);
// 5. Recover potential values of the lower 48 bits of the key
@ -1299,10 +1299,10 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
for (uint8_t idx = 0; idx < data.potential_key_count; ++idx) {
ID48LIB_KEY q = data.potential_keys[idx];
PrintAndLogEx(DEBUG, " Potential Key %d: %s %02X%02X%02X%02X%02X%02X",
idx,
key_string,
q.k[ 6], q.k[ 7], q.k[ 8], q.k[ 9], q.k[10], q.k[11]
);
idx,
key_string,
q.k[ 6], q.k[ 7], q.k[ 8], q.k[ 9], q.k[10], q.k[11]
);
}
last_successful_step = 5;
}
@ -1325,7 +1325,7 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
bool found_more_than_one_key = false;
uint8_t first_validated_key_idx = 0xFF;
for (uint8_t attempt = 0; continue_loop && (attempt < 10); ++attempt ) {
for (uint8_t attempt = 0; continue_loop && (attempt < 10); ++attempt) {
continue_loop = false;
found_one_key = false;
found_more_than_one_key = false;
@ -1364,9 +1364,9 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
// print the validated key to the string buffer (for step 7)
ID48LIB_KEY q = data.potential_keys[first_validated_key_idx];
snprintf(key_string, 25, "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
q.k[ 0], q.k[ 1], q.k[ 2], q.k[ 3], q.k[ 4], q.k[ 5],
q.k[ 6], q.k[ 7], q.k[ 8], q.k[ 9], q.k[10], q.k[11]
);
q.k[ 0], q.k[ 1], q.k[ 2], q.k[ 3], q.k[ 4], q.k[ 5],
q.k[ 6], q.k[ 7], q.k[ 8], q.k[ 9], q.k[10], q.k[11]
);
}
}
// 7. Print the validated key

8
client/src/pm3line_vocabulary.h
View file

@ -415,19 +415,19 @@ const static vocabulary_t vocabulary[] = {
{ 1, "hf mfu pwdgen" },
{ 0, "hf mfu otptear" },
{ 0, "hf mfu cauth" },
{ 0, "hf mfu setpwd" },
{ 0, "hf mfu dump" },
{ 0, "hf mfu info" },
{ 0, "hf mfu ndefread" },
{ 0, "hf mfu rdbl" },
{ 0, "hf mfu restore" },
{ 0, "hf mfu tamper" },
{ 1, "hf mfu view" },
{ 0, "hf mfu wrbl" },
{ 0, "hf mfu tamper" },
{ 0, "hf mfu eload" },
{ 0, "hf mfu esave" },
{ 0, "hf mfu eview" },
{ 0, "hf mfu sim" },
{ 0, "hf mfu setpwd" },
{ 0, "hf mfu setuid" },
{ 0, "hf mfu amiibo" },
{ 1, "hf mfdes help" },
@ -512,8 +512,6 @@ const static vocabulary_t vocabulary[] = {
{ 1, "hf vas help" },
{ 0, "hf vas reader" },
{ 1, "hf vas decrypt" },
{ 1, "hf waveshare help" },
{ 1, "hf waveshare load" },
{ 1, "hf xerox help" },
{ 1, "hf xerox list" },
{ 0, "hf xerox info" },
@ -617,6 +615,8 @@ const static vocabulary_t vocabulary[] = {
{ 0, "lf em 4x70 auth" },
{ 0, "lf em 4x70 writepin" },
{ 0, "lf em 4x70 writekey" },
{ 0, "lf em 4x70 recover" },
{ 0, "lf em 4x70 autorecover" },
{ 1, "lf fdxb help" },
{ 1, "lf fdxb demod" },
{ 0, "lf fdxb reader" },

78
doc/commands.json
View file

@ -3061,7 +3061,7 @@
},
"hf help": {
"command": "hf help",
"description": "-------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... } 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } iclass { ICLASS RFIDs... } ict { ICT MFC/DESfire RFIDs... } jooki { Jooki RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } tesla { TESLA Cards... } texkom { Texkom RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } vas { Apple Value Added Service } waveshare { Waveshare NFC ePaper... } xerox { Fuji/Xerox cartridge RFIDs... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer search Search for known HF tags --------------------------------------------------------------------------------------- hf list available offline: yes Alias of `trace list -t raw` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"description": "-------- ----------------------- High Frequency ----------------------- 14a { ISO14443A RFIDs... } 14b { ISO14443B RFIDs... } 15 { ISO15693 RFIDs... } cipurse { Cipurse transport Cards... } epa { German Identification Card... } emrtd { Machine Readable Travel Document... } felica { ISO18092 / FeliCa RFIDs... } fido { FIDO and FIDO2 authenticators... } fudan { Fudan RFIDs... } gallagher { Gallagher DESFire RFIDs... } iclass { ICLASS RFIDs... } ict { ICT MFC/DESfire RFIDs... } jooki { Jooki RFIDs... } ksx6924 { KS X 6924 (T-Money, Snapper+) RFIDs } legic { LEGIC RFIDs... } lto { LTO Cartridge Memory RFIDs... } mf { MIFARE RFIDs... } mfp { MIFARE Plus RFIDs... } mfu { MIFARE Ultralight RFIDs... } mfdes { MIFARE Desfire RFIDs... } ntag424 { NXP NTAG 4242 DNA RFIDs... } seos { SEOS RFIDs... } st25ta { ST25TA RFIDs... } tesla { TESLA Cards... } texkom { Texkom RFIDs... } thinfilm { Thinfilm RFIDs... } topaz { TOPAZ (NFC Type 1) RFIDs... } vas { Apple Value Added Service } xerox { Fuji/Xerox cartridge RFIDs... } ----------- --------------------- General --------------------- help This help list List protocol data in trace buffer search Search for known HF tags --------------------------------------------------------------------------------------- hf list available offline: yes Alias of `trace list -t raw` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"notes": [
"hf list --frame -> show frame delay times",
"hf list -1 -> use trace buffer"
@ -4411,9 +4411,10 @@
"--1k MIFARE Classic 1k / S50 (def)",
"--2k MIFARE Classic/Plus 2k",
"--4k MIFARE Classic 4k / S70",
"--ns no save to file"
"--ns no save to file",
"-v, --verbose verbose output"
],
"usage": "hf mf dump [-h] [-f <fn>] [-k <fn>] [--mini] [--1k] [--2k] [--4k] [--ns]"
"usage": "hf mf dump [-hv] [-f <fn>] [-k <fn>] [--mini] [--1k] [--2k] [--4k] [--ns]"
},
"hf mf ecfill": {
"command": "hf mf ecfill",
@ -7721,28 +7722,6 @@
],
"usage": "hf vas reader [-h@v] [--pid <str>] [-f <fn>] [--url <str>]"
},
"hf waveshare help": {
"command": "hf waveshare help",
"description": "help This help load Load image file to Waveshare NFC ePaper --------------------------------------------------------------------------------------- hf waveshare load available offline: yes Load image file to Waveshare NFC ePaper",
"notes": [
"hf waveshare load -f myfile -m 0 -> 2.13 inch e-paper ( 122, 250 )",
"hf waveshare load -f myfile -m 1 -> 2.9 inch e-paper ( 296, 128 )",
"hf waveshare load -f myfile -m 2 -> 4.2 inch e-paper ( 400, 300 )",
"hf waveshare load -f myfile -m 3 -> 7.5 inch e-paper ( 800, 480 )",
"hf waveshare load -f myfile -m 4 -> 2.7 inch e-paper ( 176, 276 )",
"hf waveshare load -f myfile -m 5 -> 2.13 inch e-paper B (with red) ( 104, 212 )",
"hf waveshare load -f myfile -m 6 -> 1.54 inch e-paper B (with red) ( 200, 200 )",
"hf waveshare load -f myfile -m 7 -> 7.5 inch e-paper HD ( 880, 528 )"
],
"offline": true,
"options": [
"-h, --help This help",
"-m <nr> model number [0 - 7] of your tag",
"-f, --file <fn> specify image to upload to tag",
"-s, --save <fn> save paletized version in file"
],
"usage": "hf waveshare load [-h] -m <nr> -f <fn> [-s <fn>]"
},
"hf xerox dump": {
"command": "hf xerox dump",
"description": "Dump all memory from a Fuji/Xerox tag ISO/IEC 14443 type B based communications",
@ -8877,9 +8856,10 @@
},
"lf em 4x70 auth": {
"command": "lf em 4x70 auth",
"description": "Authenticate against an EM4x70 by sending random number (RN) and F(RN) If F(RN) is incorrect based on the tag crypt key, the tag will not respond",
"description": "Authenticate against an EM4x70 by sending random number (RN) and F(RN) If F(RN) is incorrect based on the tag key, the tag will not respond If F(RN) is correct based on the tag key, the tag will give a 20-bit response",
"notes": [
"lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 -> Test authentication, tag will respond if successful"
"lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 -> (using pm3 test key)",
"lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 -> (using research paper key)"
],
"offline": false,
"options": [
@ -8890,6 +8870,23 @@
],
"usage": "lf em 4x70 auth [-h] [--par] --rnd <hex> --frn <hex>"
},
"lf em 4x70 autorecover": {
"command": "lf em 4x70 autorecover",
"description": "This command will perform automatic recovery of the key from a writable tag. All steps are possible to do manually. The corresponding sequence, if done manually, is as follows: 1. Verify passed parameters authenticate with the tag (safety check) lf em 4x70 auth --rnd <rnd_1> --frn <frn_1> 2. Brute force the key bits in block 9 lf em 4x70 write -b 9 -d 0000 lf em 4x70 recover -b 9 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 9 -d <key_block_9> 3. Brute force the key bits in block 8 lf em 4x70 write -b 8 -d 0000 lf em 4x70 recover -b 8 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 8 -d <key_block_8> 4. Brute force the key bits in block 7 lf em 4x70 write -b 7 -d 0000) lf em 4x70 recover -b 7 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 7 -d <key_block_7> 5. Recover potential values of the lower 48 bits of the key lf em 4x70 recover --key <key_block_9><key_block_8><key_block_7> --rnd <rnd_1> --frn <frn_1> 6. Verify which potential key is actually on the tag (using a different rnd/frn combination) lf em 4x70 auth --rnd <rnd_2> --frn <frn_N> 7. Print the validated key This command simply requires the rnd/frn/grn from a single known-good authentication.",
"notes": [
"lf em 4x70 autorecover --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)",
"lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)"
],
"offline": false,
"options": [
"-h, --help This help",
"--par Add parity bit when sending commands",
"--rnd <hex> Random 56-bit from known-good authentication",
"--frn <hex> F(RN) 28-bit as 4 hex bytes from known-good authentication",
"--grn <hex> G(RN) 20-bit as 3 hex bytes from known-good authentication"
],
"usage": "lf em 4x70 autorecover [-h] [--par] --rnd <hex> --frn <hex> --grn <hex>"
},
"lf em 4x70 help": {
"command": "lf em 4x70 help",
"description": "help This help --------------------------------------------------------------------------------------- lf em 4x70 brute available offline: no Optimized partial key-update attack of 16-bit key block 7, 8 or 9 of an EM4x70 This attack does NOT write anything to the tag. Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'. After success, the 16-bit key block have to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'",
@ -8921,6 +8918,24 @@
],
"usage": "lf em 4x70 info [-h] [--par]"
},
"lf em 4x70 recover": {
"command": "lf em 4x70 recover",
"description": "After obtaining key bits 95..48 (such as via 'lf em 4x70 brute'), this command will recover key bits 47..00. By default, this process does NOT require a tag to be present. By default, the potential keys are shown (typically 1-6) along with a corresponding 'lf em 4x70 auth' command that will authenticate, if that potential key is correct. The user can copy/paste these commands when the tag is present to manually check which of the potential keys is correct.",
"notes": [
"lf em 4x70 recover --key F32AA98CF5BE --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)",
"lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)"
],
"offline": false,
"options": [
"-h, --help This help",
"--par Add parity bit when sending commands",
"-k, --key <hex> Key as 6 hex bytes",
"--rnd <hex> Random 56-bit",
"--frn <hex> F(RN) 28-bit as 4 hex bytes",
"--grn <hex> G(RN) 20-bit as 3 hex bytes"
],
"usage": "lf em 4x70 recover [-h] [--par] -k <hex> --rnd <hex> --frn <hex> --grn <hex>"
},
"lf em 4x70 unlock": {
"command": "lf em 4x70 unlock",
"description": "Unlock EM4x70 by sending PIN Default pin may be: AAAAAAAA 00000000",
@ -8956,13 +8971,14 @@
"command": "lf em 4x70 writekey",
"description": "Write new 96-bit key to tag",
"notes": [
"lf em 4x70 writekey -k F32AA98CF5BE4ADFA6D3480B"
"lf em 4x70 writekey -k F32AA98CF5BE4ADFA6D3480B (pm3 test key)",
"lf em 4x70 writekey -k A090A0A02080000000000000 (research paper key)"
],
"offline": false,
"options": [
"-h, --help This help",
"--par Add parity bit when sending commands",
"-k, --key <hex> Crypt Key as 12 hex bytes"
"-k, --key <hex> Key as 12 hex bytes"
],
"usage": "lf em 4x70 writekey [-h] [--par] -k <hex>"
},
@ -12513,8 +12529,8 @@
}
},
"metadata": {
"commands_extracted": 722,
"commands_extracted": 723,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2024-02-21T21:49:16"
"extracted_on": "2024-03-12T00:21:47"
}
}

24
doc/commands.md
View file

@ -601,20 +601,20 @@ Check column "offline" for their availability.
|`hf mfu keygen `|Y |`Generate DES/3DES/AES MIFARE diversified keys`
|`hf mfu pwdgen `|Y |`Generate pwd from known algos`
|`hf mfu otptear `|N |`Tear-off test on OTP bits`
|`hf mfu cauth `|N |`Authentication - Ultralight-C`
|`hf mfu cauth `|N |`Ultralight-C - Authentication`
|`hf mfu setpwd `|N |`Ultralight-C - Set 3DES key`
|`hf mfu dump `|N |`Dump MIFARE Ultralight family tag to binary file`
|`hf mfu info `|N |`Tag information`
|`hf mfu ndefread `|N |`Prints NDEF records from card`
|`hf mfu rdbl `|N |`Read block`
|`hf mfu restore `|N |`Restore a dump onto a MFU MAGIC tag`
|`hf mfu restore `|N |`Restore a dump file onto a tag`
|`hf mfu tamper `|N |`NTAG 213TT - Configure the tamper feature`
|`hf mfu view `|Y |`Display content from tag dump file`
|`hf mfu wrbl `|N |`Write block`
|`hf mfu tamper `|N |`Configure the tamper feature on an NTAG 213TT`
|`hf mfu eload `|N |`Upload file into emulator memory`
|`hf mfu esave `|N |`Save emulator memory to file`
|`hf mfu eview `|N |`View emulator memory`
|`hf mfu sim `|N |`Simulate MIFARE Ultralight from emulator memory`
|`hf mfu setpwd `|N |`Set 3DES key - Ultralight-C`
|`hf mfu setuid `|N |`Set UID - MAGIC tags only`
|`hf mfu amiibo `|N |`Amiibo tag operations`
@ -773,16 +773,6 @@ Check column "offline" for their availability.
|`hf vas decrypt `|Y |`Decrypt a previously captured VAS cryptogram`
### hf waveshare
{ Waveshare NFC ePaper... }
|command |offline |description
|------- |------- |-----------
|`hf waveshare help `|Y |`This help`
|`hf waveshare load `|Y |`Load image file to Waveshare NFC ePaper`
### hf xerox
{ Fuji/Xerox cartridge RFIDs... }
@ -965,13 +955,15 @@ Check column "offline" for their availability.
|command |offline |description
|------- |------- |-----------
|`lf em 4x70 help `|Y |`This help`
|`lf em 4x70 brute `|N |`Bruteforce EM4X70 to find partial Crypt Key`
|`lf em 4x70 brute `|N |`Bruteforce EM4X70 to find partial key`
|`lf em 4x70 info `|N |`Tag information EM4x70`
|`lf em 4x70 write `|N |`Write EM4x70`
|`lf em 4x70 unlock `|N |`Unlock EM4x70 for writing`
|`lf em 4x70 auth `|N |`Authenticate EM4x70`
|`lf em 4x70 writepin `|N |`Write PIN`
|`lf em 4x70 writekey `|N |`Write Crypt Key`
|`lf em 4x70 writekey `|N |`Write key`
|`lf em 4x70 recover `|N |`Recover remaining key from partial key`
|`lf em 4x70 autorecover `|N |`Recover entire key from writable tag`
### lf fdxb

2
include/em4x70.h
View file

@ -30,7 +30,7 @@
typedef struct {
// ISSUE: `bool` type does not have a standard-defined size.
// therefore, compatibility between architectures /
// therefore, compatibility between architectures /
// compilers is not guaranteed.
// ISSUE: C99 has no _Static_assert() ... was added in C11
// TODO: add _Static_assert(sizeof(bool)==1);