From 116ac0c66b5cbae473b129126866dc5f847ab035 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Fri, 16 Aug 2024 12:09:20 +0200
Subject: [PATCH] Added more fingerprinting to hf mf info
---
 CHANGELOG.md | 1 +
 client/src/cmdhfmf.c | 46 ++++++++++++++++++++++++++++++++++++++------
 include/mifare.h | 2 ++
 3 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3163be38..b409ff060 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
+- Added more fingerprinting in `hf mf info` (@doegox)
 - Added --issue and (--emu)lator support to `hf iclass encode` command (@micsen)
 - Added custom CTF Wiegand format from Defcon32 with comments (@micsen)
 - Added native output grabbing for Python and Lua: less hacky than `output_grabber.py`, should work on ProxSpace as well (@doegox)
diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c
index 513f3ef7c..49b67517c 100644
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@@ -9540,20 +9540,54 @@ static int CmdHF14AMfInfo(const char *Cmd) {
 PrintAndLogEx(SUCCESS, "Sector 1 key A... " _GREEN_("%012" PRIX64), e_sector[1].Key[MF_KEY_A]);
 }
+ uint8_t k08s[6] = {0xA3, 0x96, 0xEF, 0xA4, 0xE2, 0x4F};
+ if (mfReadBlock(0, 4, k08s, blockdata) == PM3_SUCCESS) {
+ PrintAndLogEx(SUCCESS, "Backdoor key..... " _RED_("%02X%02X%02X%02X%02X%02X"), k08s[0], k08s[1], k08s[2], k08s[3], k08s[4], k08s[5]);
+ fKeyType = MF_KEY_BD08S;
+ }
+ uint8_t k08[6] = {0xA3, 0x16, 0x67, 0xA8, 0xCE, 0xC1};
+ if (mfReadBlock(0, 4, k08, blockdata) == PM3_SUCCESS) {
+ PrintAndLogEx(SUCCESS, "Backdoor key..... " _RED_("%02X%02X%02X%02X%02X%02X"), k08[0], k08[1], k08[2], k08[3], k08[4], k08[5]);
+ fKeyType = MF_KEY_BD08;
+ }
+
 if (fKeyType != 0xFF) {
 PrintAndLogEx(SUCCESS, "Block 0.......... %s", sprint_hex(blockdata, MFBLOCK_SIZE));
 }
 PrintAndLogEx(NORMAL, "");
 PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint"));
- if (
- (blockdata[8] == 0x03 && blockdata[15] == 0x90) ||
- (blockdata[9] == 0x02 && blockdata[14] == 0x1D) ||
- (blockdata[8] == 0x04 && blockdata[15] == 0x90) ||
- (memcmp(blockdata + 8, "\x62\x63\x64\x65\x66\x67\x68\x69", 8) == 0)
- ) {
+ if (memcmp(blockdata + 8, "\x62\x63\x64\x65\x66\x67\x68\x69", 8) == 0) {
 PrintAndLogEx(SUCCESS, "FUDAN based card");
 }
+ if (card.sak == 0x08 && memcmp(blockdata + 5, "\x08\x04\x00", 3) == 0
+ && (blockdata[8] == 0x03 || blockdata[8] == 0x04) && blockdata[15] == 0x90) {
+ PrintAndLogEx(SUCCESS, "Fudan FM11RF08S");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x00\x03\x00\x10", 4) == 0
+ && blockdata[15] == 0x90) {
+ PrintAndLogEx(SUCCESS, "Fudan FM11RF08S-7B");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x08\x04\x00", 3) == 0
+ && (blockdata[8] >= 0x01 || blockdata[8] <= 0x03) && blockdata[15] == 0x1D) {
+ PrintAndLogEx(SUCCESS, "Fudan FM11RF08");
+ } else if (card.sak == 0x88 && memcmp(blockdata + 5, "\x88\x04\x00\x43", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "Infineon SLE66R35");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x44", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "NXP MF1ICS5003");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x45", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "NXP MF1ICS5004");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x46", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "NXP MF1ICS5005");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x47", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "NXP MF1ICS5006");
+ } else if (card.sak == 0x09 && memcmp(blockdata + 5, "\x89\x04\x00\x47", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "NXP MF1ICS2006");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x48", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "NXP MF1ICS5007");
+ } else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\xc0", 4) == 0) {
+ PrintAndLogEx(SUCCESS, "NXP MF1ICS5035");
+ } else if (fKeyType == MF_KEY_BD08 || fKeyType == MF_KEY_BD08S) {
+ PrintAndLogEx(SUCCESS, _RED_("Unknown card with backdoor, please report details!"));
+ }
 if (e_sector[1].foundKey[MF_KEY_A] && (e_sector[1].Key[MF_KEY_A] == 0x2A2C13CC242A)) {
 PrintAndLogEx(SUCCESS, "Dorma Kaba SAFLOK detected");
diff --git a/include/mifare.h b/include/mifare.h
index 5dc04e0c7..ac09ae40c 100644
--- a/include/mifare.h
+++ b/include/mifare.h
@@ -23,6 +23,8 @@
 #define MF_KEY_A 0
 #define MF_KEY_B 1
+#define MF_KEY_BD08S 2
+#define MF_KEY_BD08 3
 #define MF_MAD1_SECTOR 0x00
 #define MF_MAD2_SECTOR 0x10
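Review bot: In the client/src/cmdhfmf.c hunk, the "Fudan FM11RF08" branch tests `(blockdata[8] >= 0x01 || blockdata[8] <= 0x03)`, which is true for every byte value, so byte 8 never takes part in the match. Any SAK 0x08 card whose block 0 has `08 04 00` at offset 5 and 0x1D at offset 15 is therefore labelled FM11RF08; the range check needs `&&`: `&& (blockdata[8] >= 0x01 && blockdata[8] <= 0x03) && blockdata[15] == 0x1D) {`. Users read this output to judge whether a card answers to a known backdoor key, so a wrong label distorts that assessment. The fingerprint chain also inspects `blockdata` when no read succeeded (`fKeyType == 0xFF`); how the buffer is initialised is not visible in the hunk, so guarding the chain with `if (fKeyType != 0xFF)` may be worth considering. CmdHF14AMfInfo starts and ends outside the hunk.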
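Review bot: In include/mifare.h, `MF_KEY_BD08S` and `MF_KEY_BD08` continue the `MF_KEY_A`/`MF_KEY_B` numbering without any comment, although in the visible cmdhfmf.c hunk they are only stored in `fKeyType` and compared, while the backdoor reads pass a literal `4` in what appears to be the key-type argument of `mfReadBlock`. If they are meant purely as detection markers, a comment on the defines would stop later code from passing 2 or 3 as an authentication key type, for example `// set by hf mf info when a backdoor key read succeeds; not auth key types`. The literal `4` would likewise benefit from a named constant or a comment at both call sites. Whether `fKeyType` is later used as a key type outside the hunk cannot be seen from here.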