github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 21:03:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

chg: 'hf 14a sim' - possibility to simulate FM11RF005SH (@maozhenyu123)

Browse source 
chg: 'hf 14a info' - tag identification for FM11RF005SH (@maozhenyu123)

Fudan FM11RF005SH , has 512bit mem,  16blocks w 4bytes / block.
Support REQA, READ, WRITE, AUTH.   Unknown how the auth is done.

The ATQA/SAK ,  or a trace from one of these tags would be intersting to look at.
This commit is contained in:
iceman1001 2018-05-06 09:24:28 +02:00
commit 110a7b28cb
3 changed files with 50 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

11
armsrc/iso14443a.c
View file

@ -898,6 +898,11 @@ void SimulateIso14443aTag(int tagType, int flags, uint8_t* data) {
response1[0] = 0x02; response1[0] = 0x02;
sak = 0x18; sak = 0x18;
} break; } break;
case 9 : { // FM11RF005SH (Shanghai Metro)
response1[0] = 0x03;
response1[1] = 0x00;
sak = 0x0A;
}
default: { default: {
Dbprintf("Error: unkown tagtype (%d)",tagType); Dbprintf("Error: unkown tagtype (%d)",tagType);
return; return;
@ -951,6 +956,7 @@ void SimulateIso14443aTag(int tagType, int flags, uint8_t* data) {
uint8_t response5[4]; uint8_t response5[4];
uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
// Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
// TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
// TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us) // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
@ -1058,6 +1064,11 @@ void SimulateIso14443aTag(int tagType, int flags, uint8_t* data) {
EmSendCmd(emdata, sizeof(emdata)); EmSendCmd(emdata, sizeof(emdata));
// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
p_response = NULL; p_response = NULL;
} else if ( tagType == 9 && block == 1 ) {
// FM11005SH. 16blocks, 4bytes / block.
// block0 = 2byte Customer ID (CID), 2byte Manufacture ID (MID)
// block1 = 4byte UID.
p_response = &responses[1];
} else { // all other tags (16 byte block tags) } else { // all other tags (16 byte block tags)
uint8_t emdata[MAX_MIFARE_FRAME_SIZE]; uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
emlGetMemBt( emdata, block, 16); emlGetMemBt( emdata, block, 16);

4
client/cmdhf14a.c
View file

@ -119,6 +119,7 @@ int usage_hf_14a_sim(void) {
PrintAndLogEx(NORMAL, " 6 = MIFARE Mini"); PrintAndLogEx(NORMAL, " 6 = MIFARE Mini");
PrintAndLogEx(NORMAL, " 7 = AMIIBO (NTAG 215), pack 0x8080"); PrintAndLogEx(NORMAL, " 7 = AMIIBO (NTAG 215), pack 0x8080");
PrintAndLogEx(NORMAL, " 8 = MIFARE Classic 4k"); PrintAndLogEx(NORMAL, " 8 = MIFARE Classic 4k");
PrintAndLogEx(NORMAL, " 9 = FM11RF005SH Shanghai Metro");
// PrintAndLogEx(NORMAL, " u : 4, 7 or 10 byte UID"); // PrintAndLogEx(NORMAL, " u : 4, 7 or 10 byte UID");
PrintAndLogEx(NORMAL, " u : 4, 7 byte UID"); PrintAndLogEx(NORMAL, " u : 4, 7 byte UID");
PrintAndLogEx(NORMAL, " x : (Optional) Performs the 'reader attack', nr/ar attack against a reader"); PrintAndLogEx(NORMAL, " x : (Optional) Performs the 'reader attack', nr/ar attack against a reader");
@ -271,6 +272,7 @@ int CmdHF14AReader(const char *Cmd) {
if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
PrintAndLogEx(NORMAL, " ATS : %s", sprint_hex(card.ats, card.ats_len)); PrintAndLogEx(NORMAL, " ATS : %s", sprint_hex(card.ats, card.ats_len));
} }
if (!disconnectAfter) { if (!disconnectAfter) {
if (!silent) PrintAndLogEx(SUCCESS, "Card is selected. You can now start sending commands"); if (!silent) PrintAndLogEx(SUCCESS, "Card is selected. You can now start sending commands");
} }
@ -364,6 +366,7 @@ int CmdHF14AInfo(const char *Cmd) {
case 0x04: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); isMifareClassic = false; break; case 0x04: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); isMifareClassic = false; break;
case 0x08: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1"); break; case 0x08: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1"); break;
case 0x09: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Mini 0.3k"); break; case 0x09: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Mini 0.3k"); break;
case 0x0A: PrintAndLogEx(NORMAL, "TYPE : FM11RF005SH (Shanghai Metro)"); break;
case 0x10: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Plus 2k SL2"); break; case 0x10: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Plus 2k SL2"); break;
case 0x11: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Plus 4k SL2"); break; case 0x11: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Plus 4k SL2"); break;
case 0x18: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Classic 4k | Plus 4k SL1 | 4k Ev1"); break; case 0x18: PrintAndLogEx(NORMAL, "TYPE : NXP MIFARE Classic 4k | Plus 4k SL1 | 4k Ev1"); break;
@ -568,7 +571,6 @@ int CmdHF14ACUIDs(const char *Cmd) {
} }
// ## simulate iso14443a tag // ## simulate iso14443a tag
// ## greg - added ability to specify tag UID
int CmdHF14ASim(const char *Cmd) { int CmdHF14ASim(const char *Cmd) {
bool errors = false; bool errors = false;
uint8_t flags = 0; uint8_t flags = 0;

1
client/lualibs/read14a.lua
View file

@ -32,6 +32,7 @@ ISO14443a_TYPES[0x01] = "NXP MIFARE TNP3xxx Activision Game Appliance"
ISO14443a_TYPES[0x04] = "NXP MIFARE (various !DESFire !DESFire EV1)" ISO14443a_TYPES[0x04] = "NXP MIFARE (various !DESFire !DESFire EV1)"
ISO14443a_TYPES[0x08] = "NXP MIFARE CLASSIC 1k | Plus 2k" ISO14443a_TYPES[0x08] = "NXP MIFARE CLASSIC 1k | Plus 2k"
ISO14443a_TYPES[0x09] = "NXP MIFARE Mini 0.3k" ISO14443a_TYPES[0x09] = "NXP MIFARE Mini 0.3k"
ISO14443a_TYPES[0x0A} = "FM11RF005SH (Shanghai Metro)")
ISO14443a_TYPES[0x10] = "NXP MIFARE Plus 2k" ISO14443a_TYPES[0x10] = "NXP MIFARE Plus 2k"
ISO14443a_TYPES[0x11] = "NXP MIFARE Plus 4k" ISO14443a_TYPES[0x11] = "NXP MIFARE Plus 4k"
ISO14443a_TYPES[0x18] = "NXP MIFARE Classic 4k | Plus 4k" ISO14443a_TYPES[0x18] = "NXP MIFARE Classic 4k | Plus 4k"