github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 22:03:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into loud-nightingale

Browse source 
Signed-off-by: Iceman <iceman@iuse.se>
This commit is contained in:
Iceman 2024-05-15 09:41:50 +02:00 committed by GitHub
commit 184393ee41
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
77 changed files with 1688 additions and 825 deletions
Download patch file Download diff file Expand all files Collapse all files

27
.github/workflows/macos.yml vendored
View file

@ -21,6 +21,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Set Git http.postBuffer to something high
run: git config --global http.postBuffer 524288000
@ -39,10 +43,7 @@ jobs:
continue-on-error: true
- name: Install Python dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install setuptools ansicolors sslcrypto
if [ -f requirements.txt ]; then python3 -m pip install -r requirements.txt; fi
run: pip install -r tools/requirements.txt
- name: make clean
run: make clean
@ -61,6 +62,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Set Git http.postBuffer to something high
run: git config --global http.postBuffer 524288000
@ -79,10 +84,7 @@ jobs:
continue-on-error: true
- name: Install Python dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install setuptools ansicolors sslcrypto
if [ -f requirements.txt ]; then python3 -m pip install -r requirements.txt; fi
run: pip install -r tools/requirements.txt
- name: make clean
run: make clean
@ -102,6 +104,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Set Git http.postBuffer to something high
run: git config --global http.postBuffer 524288000
@ -120,10 +126,7 @@ jobs:
continue-on-error: true
- name: Install Python dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install setuptools ansicolors sslcrypto
if [ -f requirements.txt ]; then python3 -m pip install -r requirements.txt; fi
run: pip install -r tools/requirements.txt
- name: Prepare Build Folders
run: |

30
.github/workflows/ubuntu.yml vendored
View file

@ -22,6 +22,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Update apt repos
run: sudo apt-get update
@ -29,11 +33,7 @@ jobs:
run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.2-dev liblua5.2-0 lua5.2 sed libssl-dev libgd-dev
- name: Install Python dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install setuptools
python3 -m pip install ansicolors sslcrypto
if [ -f requirements.txt ]; then python3 -m pip install -r requirements.txt; fi
run: pip install -r tools/requirements.txt
- name: make clean
run: make clean
@ -52,6 +52,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Update apt repos
run: sudo apt-get update
@ -59,11 +63,7 @@ jobs:
run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.2-dev liblua5.2-0 lua5.2 sed libssl-dev libgd-dev
- name: Install Python dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install setuptools
python3 -m pip install ansicolors sslcrypto
if [ -f requirements.txt ]; then python3 -m pip install -r requirements.txt; fi
run: pip install -r tools/requirements.txt
- name: make clean
run: make clean
@ -83,6 +83,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Update apt repos
run: sudo apt-get update
@ -90,11 +94,7 @@ jobs:
run: sudo apt-get install -yqq make autoconf build-essential ca-certificates pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev python3 python3-dev libpython3-all-dev liblua5.2-dev liblua5.2-0 lua5.2 sed libssl-dev libgd-dev
- name: Install Python dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install setuptools
python3 -m pip install ansicolors sslcrypto
if [ -f requirements.txt ]; then python3 -m pip install -r requirements.txt; fi
run: pip install -r tools/requirements.txt
- name: Prepare Build Folders
run: |

8
CHANGELOG.md
View file

@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Fixed wrong use of free() in desfire crypto on arm src, thanks @jlitewski! (@iceman1001)
- Added `lf em 4x70 calc` - calculate `frn`/`grn` for a given `key` + `rnd`
- Fixed `hf 15 dump` memory leaks (@jlitewski)
- Changed `hf search` - topaz is detect before ISO14443a and commented out WIP ICT code path (@iceman1001)
- Fixed `hf search` - where felica reader now doesnt timeout and give wrong response (@iceman1001)
- Fixed overflow in deps/jansson library (@iceman1001)
- Added `lf hitag crack2` - WIP. Trying to add the second attack vector against Hitag2 (@iceman1001)
- Changed `hf 14b reader --plot` - made the anticollision signal trace download optional (@iceman1001)
- Added `lf_hitag_crypto.trace` - trace file of a complete read out of a Hitag2 in crypto mode (@iceman1001)
- Fix `lf cmdread` - uninitialised memory usage (@iceman1001)
@ -31,6 +38,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Changed `data load` - now shows loaded number as comma printed. (@iceman1001)
- Updated `/tools/hitag2crack/common/OpenCL-Headers/CL` with latest from KhronosGroup github page (@iceman1001)
- Fixed `lf hitag list` - improved HITAG2 protocol annotation (@iceman1001)
- Added AIDs `002000` and `FF30FF` from Metrolinx Presto Card (@RunTheBot)
## [Zenith.4.18340][2024-03-20]
- Changed `hf mf info` - some detections (@iceman1001)

3
armsrc/Standalone/lf_prox2brute.c
View file

@ -48,7 +48,6 @@ void RunMod(void) {
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
const uint32_t high = 0x20; // LF high value is always 0x20 here
uint32_t low = 0;
uint32_t fac = FACILITY_CODE, cardnum = 0;
@ -80,7 +79,7 @@ void RunMod(void) {
if (BUTTON_HELD(1000) == BUTTON_HOLD) break; // long button press (>=1sec) exit
// calculate the new LF low value including Card number, Facility code and checksum
low = (cardnum << 1) | (fac << 17);
uint32_t low = (cardnum << 1) | (fac << 17);
low |= oddparity32((low >> 1) & 0xFFF);
low |= evenparity32((low >> 13) & 0xFFF) << 25;

7
armsrc/appmain.c
View file

@ -1141,7 +1141,12 @@ static void PacketReceived(PacketCommandNG *packet) {
}
case CMD_LF_HITAG2_CRACK: {
lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
ht2_crack(payload->NrAr);
ht2_crack1(payload->NrAr);
break;
}
case CMD_LF_HITAG2_CRACK_2: {
lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
ht2_crack2(payload->NrAr);
break;
}
case CMD_LF_HITAG_READER: { // Reader for Hitag tags, args = type and function

6
armsrc/dbprint.c
View file

@ -101,9 +101,9 @@ void Dbhexdump(int len, const uint8_t *d, bool bAsci) {
d += 16;
}
#endif
}
}void print_result(const char *name, const uint8_t *d, size_t
void print_result(const char *name, const uint8_t *d, size_t n) {
n) {
const uint8_t *p = d;
uint16_t tmp = n & 0xFFF0;
@ -129,7 +129,7 @@ void print_result(const char *name, const uint8_t *d, size_t n) {
}
// Prints message and hexdump
void print_dbg(char *msg, uint8_t *d, uint16_t n) {
void print_dbg(const char *msg, const uint8_t *d, uint16_t n) {
if (g_dbglevel == DBG_DEBUG) {
print_result(msg, d, n);
}

4
armsrc/dbprint.h
View file

@ -27,8 +27,8 @@ void DbpStringEx(uint32_t flags, const char *src, size_t srclen);
void Dbprintf(const char *fmt, ...);
void DbprintfEx(uint32_t flags, const char *fmt, ...);
void Dbhexdump(int len, const uint8_t *d, bool bAsci);
void print_result(const char *name, const uint8_t *buf, size_t len);
void print_dbg(char *msg, uint8_t *d, uint16_t n);
void print_result(const char *name, const uint8_t *d, size_t n);
void print_dbg(const char *msg, const uint8_t *d, uint16_t n);
//void PrintToSendBuffer(void);
#endif

111
armsrc/desfire_crypto.c
View file

@ -543,30 +543,35 @@ void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes,
void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings) {
void *res = data;
void *edata = NULL;
uint8_t first_cmac_byte = 0x00;
desfirekey_t key = DESFIRE(tag)->session_key;
if (!key)
if (!key) {
return data;
}
// Return directly if we just have a status code.
if (1 == *nbytes)
if (1 == *nbytes) {
return res;
}
switch (communication_settings & MDCM_MASK) {
case MDCM_PLAIN:
case MDCM_PLAIN: {
if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
if (AS_LEGACY == DESFIRE(tag)->authentication_scheme) {
break;
}
}
/* pass through */
case MDCM_MACED:
case MDCM_MACED: {
switch (DESFIRE(tag)->authentication_scheme) {
case AS_LEGACY:
if (communication_settings & MAC_VERIFY) {
case AS_LEGACY: {
if ((communication_settings & MAC_VERIFY) == MAC_VERIFY) {
*nbytes -= key_macing_length(key);
if (*nbytes == 0) {
*nbytes = -1;
res = NULL;
@ -577,18 +582,17 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
}
size_t edl = enciphered_data_length(tag, *nbytes - 1, communication_settings);
edata = BigBuf_malloc(edl);
uint8_t edata[edl];
memset(edata, 0, sizeof(edata));
memcpy(edata, data, *nbytes - 1);
memset((uint8_t *)edata + *nbytes - 1, 0, edl - *nbytes + 1);
mifare_cypher_blocks_chained(tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);
if (0 != memcmp((uint8_t *)data + *nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
if (0 != memcmp((uint8_t *)data + *nbytes - 1, edata + edl - 8, 4)) {
#ifdef WITH_DEBUG
Dbprintf("MACing not verified");
hexdump((uint8_t *)data + *nbytes - 1, key_macing_length(key), "Expect ", 0);
hexdump((uint8_t *)edata + edl - 8, key_macing_length(key), "Actual ", 0);
hexdump(edata + edl - 8, key_macing_length(key), "Actual ", 0);
#endif
DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
*nbytes = -1;
@ -596,10 +600,16 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
}
}
break;
case AS_NEW:
if (!(communication_settings & CMAC_COMMAND))
}
case AS_NEW: {
if ((communication_settings & CMAC_COMMAND) != CMAC_COMMAND) {
break;
if (communication_settings & CMAC_VERIFY) {
}
int n = 0;
if ((communication_settings & CMAC_VERIFY) == CMAC_VERIFY) {
if (*nbytes < 9) {
*nbytes = -1;
res = NULL;
@ -607,13 +617,16 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
}
first_cmac_byte = ((uint8_t *)data)[*nbytes - 9];
((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes - 1];
n = 8;
}
int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
cmac(key, DESFIRE(tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE(tag)->cmac);
if (communication_settings & CMAC_VERIFY) {
if ((communication_settings & CMAC_VERIFY) == CMAC_VERIFY) {
((uint8_t *)data)[*nbytes - 9] = first_cmac_byte;
if (0 != memcmp(DESFIRE(tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) {
#ifdef WITH_DEBUG
Dbprintf("CMAC NOT verified :-(");
@ -629,11 +642,10 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
}
break;
}
free(edata);
}
break;
case MDCM_ENCIPHERED:
}
case MDCM_ENCIPHERED: {
(*nbytes)--;
bool verified = false;
int crc_pos = 0x00;
@ -670,48 +682,50 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
* verified, and accumulating 0's in it should not change it.
*/
switch (DESFIRE(tag)->authentication_scheme) {
case AS_LEGACY:
case AS_LEGACY: {
crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
if (crc_pos < 0) {
/* Single block */
crc_pos = 0;
crc_pos = 0; // Single block
}
break;
case AS_NEW:
}
case AS_NEW: {
/* Move status between payload and CRC */
res = DESFIRE(tag)->crypto_buffer;
memcpy(res, data, *nbytes);
crc_pos = (*nbytes) - 16 - 3;
if (crc_pos < 0) {
/* Single block */
crc_pos = 0;
crc_pos = 0; // Single block
}
memcpy((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos);
((uint8_t *)res)[crc_pos] = 0x00;
crc_pos++;
*nbytes += 1;
break;
}
}
do {
uint16_t crc_16 = 0x00;
uint32_t crc = 0x00;
switch (DESFIRE(tag)->authentication_scheme) {
case AS_LEGACY:
case AS_LEGACY: {
AddCrc14A((uint8_t *)res, end_crc_pos);
end_crc_pos = crc_pos + 2;
//
crc = crc_16;
break;
case AS_NEW:
}
case AS_NEW: {
end_crc_pos = crc_pos + 4;
crc32_ex(res, end_crc_pos, (uint8_t *)&crc);
break;
}
if (!crc) {
}
if (crc == 0) {
verified = true;
for (int n = end_crc_pos; n < *nbytes - 1; n++) {
uint8_t byte = ((uint8_t *)res)[n];
@ -719,31 +733,40 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
verified = false;
}
}
if (verified) {
*nbytes = crc_pos;
switch (DESFIRE(tag)->authentication_scheme) {
case AS_LEGACY:
case AS_LEGACY: {
((uint8_t *)data)[(*nbytes)++] = 0x00;
break;
case AS_NEW:
}
case AS_NEW: {
/* The status byte was already before the CRC */
break;
}
}
} else {
switch (DESFIRE(tag)->authentication_scheme) {
case AS_LEGACY:
case AS_LEGACY: {
break;
case AS_NEW:
}
case AS_NEW: {
x = ((uint8_t *)res)[crc_pos - 1];
((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
((uint8_t *)res)[crc_pos] = x;
break;
}
}
crc_pos++;
}
} while (!verified && (end_crc_pos < *nbytes));
if (!verified) {
} while (verified == false && (end_crc_pos < *nbytes));
if (verified == false) {
#ifdef WITH_DEBUG
/* FIXME In some configurations, the file is transmitted PLAIN */
Dbprintf("CRC not verified in decyphered stream");
@ -752,14 +775,14 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes
*nbytes = -1;
res = NULL;
}
break;
default:
}
default: {
Dbprintf("Unknown communication settings");
*nbytes = -1;
res = NULL;
break;
}
}
return res;
}

173
armsrc/em4x70.c
View file

@ -30,6 +30,8 @@ static em4x70_tag_t tag = { 0 };
// EM4170 requires a parity bit on commands, other variants do not.
static bool command_parity = true;
#if 1 // Calculation of ticks for timing functions
// Conversion from Ticks to RF periods
// 1 us = 1.5 ticks
// 1RF Period = 8us = 12 Ticks
@ -55,11 +57,15 @@ static bool command_parity = true;
#define EM4X70_COMMAND_RETRIES 5 // Attempts to send/read command
#define EM4X70_MAX_RECEIVE_LENGTH 96 // Maximum bits to expect from any command
#endif // Calculation of ticks for timing functions
#if 1 // EM4x70 Command IDs
/**
* These IDs are from the EM4170 datasheet
* These IDs are from the EM4170 datasheet.
* Some versions of the chip require a
* (even) parity bit, others do not
* (even) parity bit, others do not.
* The command is thus stored only in the
* three least significant bits (mask 0x07).
*/
#define EM4X70_COMMAND_ID 0x01
#define EM4X70_COMMAND_UM1 0x02
@ -67,6 +73,7 @@ static bool command_parity = true;
#define EM4X70_COMMAND_PIN 0x04
#define EM4X70_COMMAND_WRITE 0x05
#define EM4X70_COMMAND_UM2 0x07
#endif // EM4x70 Command IDs
// Constants used to determine high/low state of signal
#define EM4X70_NOISE_THRESHOLD 13 // May depend on noise in environment
@ -80,9 +87,9 @@ static bool command_parity = true;
#define IS_TIMEOUT(timeout_ticks) (GetTicks() > timeout_ticks)
#define TICKS_ELAPSED(start_ticks) (GetTicks() - start_ticks)
static uint8_t bits2byte(const uint8_t *bits, int length);
static void bits2bytes(const uint8_t *bits, int length, uint8_t *out);
static int em4x70_receive(uint8_t *bits, size_t length);
static uint8_t encoded_bit_array_to_byte(const uint8_t *bits, int count_of_bits);
static void encoded_bit_array_to_bytes(const uint8_t *bits, int count_of_bits, uint8_t *out);
static int em4x70_receive(uint8_t *bits, size_t maximum_bits_to_read);
static bool find_listen_window(bool command);
static void init_tag(void) {
@ -207,9 +214,10 @@ static uint32_t get_pulse_length(edge_detection_t edge) {
return 0;
}
static bool check_pulse_length(uint32_t pl, uint32_t length) {
// check if pulse length <pl> corresponds to given length <length>
return ((pl >= (length - EM4X70_T_TAG_TOLERANCE)) && (pl <= (length + EM4X70_T_TAG_TOLERANCE)));
static bool check_pulse_length(uint32_t pulse_tick_length, uint32_t target_tick_length) {
// check if pulse tick length corresponds to target length (+/- tolerance)
return ((pulse_tick_length >= (target_tick_length - EM4X70_T_TAG_TOLERANCE)) &&
(pulse_tick_length <= (target_tick_length + EM4X70_T_TAG_TOLERANCE)));
}
static void em4x70_send_bit(bool bit) {
@ -344,7 +352,11 @@ static int authenticate(const uint8_t *rnd, const uint8_t *frnd, uint8_t *respon
if (g_dbglevel >= DBG_EXTENDED) Dbprintf("Auth failed");
return PM3_ESOFT;
}
bits2bytes(grnd, 24, response);
// although only received 20 bits
// ask for 24 bits converted because
// this utility function requires
// decoding in multiples of 8 bits
encoded_bit_array_to_bytes(grnd, 24, response);
return PM3_SUCCESS;
}
@ -455,12 +467,12 @@ static int send_pin(const uint32_t pin) {
WaitTicks(EM4X70_T_TAG_WEE);
// <-- Receive header + ID
uint8_t tag_id[EM4X70_MAX_RECEIVE_LENGTH];
int num = em4x70_receive(tag_id, 32);
if (num < 32) {
int count_of_bits_received = em4x70_receive(tag_id, 32);
if (count_of_bits_received < 32) {
Dbprintf("Invalid ID Received");
return PM3_ESOFT;
}
bits2bytes(tag_id, num, &tag.data[4]);
encoded_bit_array_to_bytes(tag_id, count_of_bits_received, &tag.data[4]);
return PM3_SUCCESS;
}
}
@ -537,36 +549,38 @@ static bool find_listen_window(bool command) {
return false;
}
static void bits2bytes(const uint8_t *bits, int length, uint8_t *out) {
// *bits == array of bytes, each byte storing a single bit.
// *out == array of bytes, storing converted bits --> bytes.
//
// [in, bcount(count_of_bits) ] const uint8_t *bits
// [out, bcount(count_of_bits/8)] uint8_t *out
static void encoded_bit_array_to_bytes(const uint8_t *bits, int count_of_bits, uint8_t *out) {
if (length % 8 != 0) {
Dbprintf("Should have a multiple of 8 bits, was sent %d", length);
if (count_of_bits % 8 != 0) {
Dbprintf("Should have a multiple of 8 bits, was sent %d", count_of_bits);
}
int num_bytes = length / 8; // We should have a multiple of 8 here
int num_bytes = count_of_bits / 8; // We should have a multiple of 8 here
for (int i = 1; i <= num_bytes; i++) {
out[num_bytes - i] = bits2byte(bits, 8);
out[num_bytes - i] = encoded_bit_array_to_byte(bits, 8);
bits += 8;
}
}
static uint8_t bits2byte(const uint8_t *bits, int length) {
static uint8_t encoded_bit_array_to_byte(const uint8_t *bits, int count_of_bits) {
// converts <length> separate bits into a single "byte"
// converts <count_of_bits> separate bits into a single "byte"
uint8_t byte = 0;
for (int i = 0; i < length; i++) {
byte |= bits[i];
if (i != length - 1)
for (int i = 0; i < count_of_bits; i++) {
byte <<= 1;
byte |= bits[i];
}
return byte;
}
static bool send_command_and_read(uint8_t command, uint8_t *bytes, size_t length) {
static bool send_command_and_read(uint8_t command, uint8_t *bytes, size_t expected_byte_count) {
int retries = EM4X70_COMMAND_RETRIES;
while (retries) {
@ -574,19 +588,14 @@ static bool send_command_and_read(uint8_t command, uint8_t *bytes, size_t length
if (find_listen_window(true)) {
uint8_t bits[EM4X70_MAX_RECEIVE_LENGTH] = {0};
size_t out_length_bits = length * 8;
size_t out_length_bits = expected_byte_count * 8;
em4x70_send_nibble(command, command_parity);
int len = em4x70_receive(bits, out_length_bits);
if (len < out_length_bits) {
Dbprintf("Invalid data received length: %d, expected %d", len, out_length_bits);
return false;
}
// TODO: Figure out why getting an extra bit (quite often) here
// e.g., write block and info commands both reach here and output:
// [#] Should have a multiple of 8 bits, was sent 33
// [#] Should have a multiple of 8 bits, was sent 65
// Extra bits are currently just dropped, with no ill effect noticed.
bits2bytes(bits, len, bytes);
encoded_bit_array_to_bytes(bits, len, bytes);
return true;
}
}
@ -617,7 +626,6 @@ static bool em4x70_read_um1(void) {
}
/**
* em4x70_read_um2
*
@ -635,7 +643,7 @@ static bool find_em4x70_tag(void) {
return find_listen_window(false);
}
static int em4x70_receive(uint8_t *bits, size_t length) {
static int em4x70_receive(uint8_t *bits, size_t maximum_bits_to_read) {
uint32_t pl;
int bit_pos = 0;
@ -673,7 +681,7 @@ static int em4x70_receive(uint8_t *bits, size_t length) {
// identify remaining bits based on pulse lengths
// between listen windows only pulse lengths of 1, 1.5 and 2 are possible
while (bit_pos < length) {
while (bit_pos < maximum_bits_to_read) {
pl = get_pulse_length(edge);
@ -687,13 +695,13 @@ static int em4x70_receive(uint8_t *bits, size_t length) {
// pulse length 1.5 -> 2 bits + flip edge detection
if (edge == FALLING_EDGE) {
bits[bit_pos++] = 0;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 0;
}
edge = RISING_EDGE;
} else {
bits[bit_pos++] = 1;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 1;
}
edge = FALLING_EDGE;
@ -704,12 +712,12 @@ static int em4x70_receive(uint8_t *bits, size_t length) {
// pulse length of 2 -> two bits
if (edge == FALLING_EDGE) {
bits[bit_pos++] = 0;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 1;
}
} else {
bits[bit_pos++] = 1;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 0;
}
}
@ -725,7 +733,7 @@ static int em4x70_receive(uint8_t *bits, size_t length) {
void em4x70_info(const em4x70_data_t *etd, bool ledcontrol) {
uint8_t status = 0;
bool success = false;
// Support tags with and without command parity bits
command_parity = etd->parity;
@ -736,20 +744,27 @@ void em4x70_info(const em4x70_data_t *etd, bool ledcontrol) {
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Read ID, UM1 and UM2
status = em4x70_read_id() && em4x70_read_um1() && em4x70_read_um2();
success = em4x70_read_id() && em4x70_read_um1() && em4x70_read_um2();
}
StopTicks();
lf_finalize(ledcontrol);
int status = success ? PM3_SUCCESS : PM3_ESOFT;
reply_ng(CMD_LF_EM4X70_INFO, status, tag.data, sizeof(tag.data));
}
void em4x70_write(const em4x70_data_t *etd, bool ledcontrol) {
uint8_t status = 0;
int status = PM3_ESOFT;
command_parity = etd->parity;
// Disable to prevent sending corrupted data to the tag.
if (command_parity) {
Dbprintf("Use of `--par` option with `lf em 4x70 write` is disabled to prevent corrupting tag data");
reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
return;
}
init_tag();
em4x70_setup_read();
@ -757,16 +772,15 @@ void em4x70_write(const em4x70_data_t *etd, bool ledcontrol) {
if (get_signalproperties() && find_em4x70_tag()) {
// Write
status = write(etd->word, etd->address) == PM3_SUCCESS;
status = write(etd->word, etd->address);
if (status) {
if (status == PM3_SUCCESS) {
// Read Tag after writing
if (em4x70_read_id()) {
em4x70_read_um1();
em4x70_read_um2();
}
}
}
StopTicks();
@ -776,7 +790,7 @@ void em4x70_write(const em4x70_data_t *etd, bool ledcontrol) {
void em4x70_unlock(const em4x70_data_t *etd, bool ledcontrol) {
uint8_t status = 0;
int status = PM3_ESOFT;
command_parity = etd->parity;
@ -790,10 +804,10 @@ void em4x70_unlock(const em4x70_data_t *etd, bool ledcontrol) {
if (em4x70_read_id()) {
// Send PIN
status = send_pin(etd->pin) == PM3_SUCCESS;
status = send_pin(etd->pin);
// If the write succeeded, read the rest of the tag
if (status) {
if (status == PM3_SUCCESS) {
// Read Tag
// ID doesn't change
em4x70_read_um1();
@ -809,11 +823,19 @@ void em4x70_unlock(const em4x70_data_t *etd, bool ledcontrol) {
void em4x70_auth(const em4x70_data_t *etd, bool ledcontrol) {
uint8_t status = 0;
int status = PM3_ESOFT;
uint8_t response[3] = {0};
command_parity = etd->parity;
// Disable to prevent sending corrupted data to the tag.
if (command_parity) {
Dbprintf("Use of `--par` option with `lf em 4x70 auth` is disabled to prevent corrupting tag data");
reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
return;
}
init_tag();
em4x70_setup_read();
@ -821,7 +843,7 @@ void em4x70_auth(const em4x70_data_t *etd, bool ledcontrol) {
if (get_signalproperties() && find_em4x70_tag()) {
// Authenticate and get tag response
status = authenticate(etd->rnd, etd->frnd, response) == PM3_SUCCESS;
status = authenticate(etd->rnd, etd->frnd, response);
}
StopTicks();
@ -830,11 +852,18 @@ void em4x70_auth(const em4x70_data_t *etd, bool ledcontrol) {
}
void em4x70_brute(const em4x70_data_t *etd, bool ledcontrol) {
uint8_t status = 0;
int status = PM3_ESOFT;
uint8_t response[2] = {0};
command_parity = etd->parity;
// Disable to prevent sending corrupted data to the tag.
if (command_parity) {
Dbprintf("Use of `--par` option with `lf em 4x70 brute` is disabled to prevent corrupting tag data");
reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
return;
}
init_tag();
em4x70_setup_read();
@ -842,7 +871,7 @@ void em4x70_brute(const em4x70_data_t *etd, bool ledcontrol) {
if (get_signalproperties() && find_em4x70_tag()) {
// Bruteforce partial key
status = bruteforce(etd->address, etd->rnd, etd->frnd, etd->start_key, response) == PM3_SUCCESS;
status = bruteforce(etd->address, etd->rnd, etd->frnd, etd->start_key, response);
}
StopTicks();
@ -852,10 +881,17 @@ void em4x70_brute(const em4x70_data_t *etd, bool ledcontrol) {
void em4x70_write_pin(const em4x70_data_t *etd, bool ledcontrol) {
uint8_t status = 0;
int status = PM3_ESOFT;
command_parity = etd->parity;
// Disable to prevent sending corrupted data to the tag.
if (command_parity) {
Dbprintf("Use of `--par` option with `lf em 4x70 setpin` is disabled to prevent corrupting tag data");
reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
return;
}
init_tag();
em4x70_setup_read();
@ -865,17 +901,19 @@ void em4x70_write_pin(const em4x70_data_t *etd, bool ledcontrol) {
// Read ID (required for send_pin command)
if (em4x70_read_id()) {
// Write new PIN
if ((write((etd->pin) & 0xFFFF, EM4X70_PIN_WORD_UPPER) == PM3_SUCCESS) &&
(write((etd->pin >> 16) & 0xFFFF, EM4X70_PIN_WORD_LOWER) == PM3_SUCCESS)) {
// Write the pin
status = write((etd->pin) & 0xFFFF, EM4X70_PIN_WORD_UPPER);
if (status == PM3_SUCCESS) {
status = write((etd->pin >> 16) & 0xFFFF, EM4X70_PIN_WORD_LOWER);
}
if (status == PM3_SUCCESS) {
// Now Try to authenticate using the new PIN
// Send PIN
status = send_pin(etd->pin) == PM3_SUCCESS;
status = send_pin(etd->pin);
// If the write succeeded, read the rest of the tag
if (status) {
if (status == PM3_SUCCESS) {
// Read Tag
// ID doesn't change
em4x70_read_um1();
@ -892,10 +930,17 @@ void em4x70_write_pin(const em4x70_data_t *etd, bool ledcontrol) {
void em4x70_write_key(const em4x70_data_t *etd, bool ledcontrol) {
uint8_t status = 0;
int status = PM3_ESOFT;
command_parity = etd->parity;
// Disable to prevent sending corrupted data to the tag.
if (command_parity) {
Dbprintf("Use of `--par` option with `lf em 4x70 setkey` is disabled to prevent corrupting tag data");
reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
return;
}
init_tag();
em4x70_setup_read();
@ -904,15 +949,15 @@ void em4x70_write_key(const em4x70_data_t *etd, bool ledcontrol) {
// Read ID to ensure we can write to card
if (em4x70_read_id()) {
status = 1;
status = PM3_SUCCESS;
// Write each crypto block
for (int i = 0; i < 6; i++) {
uint16_t key_word = (etd->crypt_key[(i * 2) + 1] << 8) + etd->crypt_key[i * 2];
// Write each word, abort if any failure occurs
if (write(key_word, 9 - i) != PM3_SUCCESS) {
status = 0;
status = write(key_word, 9 - i);
if (status != PM3_SUCCESS) {
break;
}
}

94
armsrc/felica.c
View file

@ -236,9 +236,10 @@ static uint8_t felica_select_card(felica_card_select_t *card) {
// 0x00 = timeslot
// 0x09 0x21 = crc
static uint8_t poll[10] = {0xb2, 0x4d, 0x06, FELICA_POLL_REQ, 0xFF, 0xFF, 0x00, 0x00, 0x09, 0x21};
int len = 10;
// We try 10 times, or if answer was received.
int len = 25;
do {
// end-of-reception response packet data, wait approx. 501μs
// end-of-transmission command packet data, wait approx. 197μs
@ -246,39 +247,34 @@ static uint8_t felica_select_card(felica_card_select_t *card) {
TransmitFor18092_AsReader(poll, sizeof(poll), NULL, 1, 0);
// polling card, break if success
if (WaitForFelicaReply(1024) && FelicaFrame.framebytes[3] == FELICA_POLL_ACK)
if (WaitForFelicaReply(1024) && FelicaFrame.framebytes[3] == FELICA_POLL_ACK) {
break;
}
WDT_HIT();
} while (--len);
// timed-out
// 1. timed-out
if (len == 0) {
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("Error: Time out card selection!");
return 1;
}
// wrong answer
// 2. wrong answer
if (FelicaFrame.framebytes[3] != FELICA_POLL_ACK) {
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("Error: Wrong answer selecting card!");
return 2;
}
// VALIDATE CRC residue is 0, hence if crc is a value it failed.
if (!check_crc(CRC_FELICA, FelicaFrame.framebytes + 2, FelicaFrame.len - 2)) {
// 3. wrong crc. residue is 0, hence if crc is a value it failed.
if (check_crc(CRC_FELICA, FelicaFrame.framebytes + 2, FelicaFrame.len - 2) == false) {
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Error: CRC check failed!");
Dbprintf("CRC check was done on Frame: ");
Dbhexdump(FelicaFrame.len - 2, FelicaFrame.framebytes + 2, 0);
}
return 3;
}
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("Card selection successful!");
// copy UID
// idm 8
if (card) {
@ -294,7 +290,7 @@ static uint8_t felica_select_card(felica_card_select_t *card) {
Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes, 0);
}
}
// more status bytes?
// 0. OK
return 0;
}
@ -311,8 +307,10 @@ static uint8_t felica_select_card(felica_card_select_t *card) {
// 8-byte IDm, number of blocks, blocks numbers
// number of blocks limited to 4 for FelicaLite(S)
static void BuildFliteRdblk(const uint8_t *idm, uint8_t blocknum, const uint16_t *blocks) {
if (blocknum > 4 || blocknum == 0)
if (blocknum > 4 || blocknum == 0) {
Dbprintf("Invalid number of blocks, %d != 4", blocknum);
}
uint8_t c = 0, i = 0;
@ -366,7 +364,7 @@ static void BuildFliteRdblk(const uint8_t *idm, uint8_t blocknum, const uint16_t
static void TransmitFor18092_AsReader(const uint8_t *frame, uint16_t len, const uint32_t *NYI_timing_NYI, uint8_t power, uint8_t highspeed) {
if (NYI_timing_NYI != NULL) {
Dbprintf("Error: TransmitFor18092_AsReader does not check or set parameter NYI_timing_NYI");
DbpString("Error: TransmitFor18092_AsReader does not check or set parameter NYI_timing_NYI");
return;
}
@ -400,10 +398,6 @@ static void TransmitFor18092_AsReader(const uint8_t *frame, uint16_t len, const
}
// sending data with sync bytes
c = 0;
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Sending frame:");
Dbhexdump(len, frame, 0);
}
while (c < len) {
// Put byte into tx holding register as soon as it is ready
@ -438,9 +432,7 @@ static void TransmitFor18092_AsReader(const uint8_t *frame, uint16_t len, const
// or return TRUE when command is captured
bool WaitForFelicaReply(uint16_t maxbytes) {
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("WaitForFelicaReply Start");
}
// if (g_dbglevel >= DBG_DEBUG) { Dbprintf("WaitForFelicaReply Start"); }
uint32_t c = 0;
@ -478,14 +470,11 @@ bool WaitForFelicaReply(uint16_t maxbytes) {
NULL,
false
);
if (g_dbglevel >= DBG_DEBUG) Dbprintf("All bytes received! STATE_FULL");
return true;
} else if (c++ > timeout && (FelicaFrame.state == STATE_UNSYNCD || FelicaFrame.state == STATE_TRYING_SYNC)) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Error: Timeout! STATE_UNSYNCD");
// if (g_dbglevel >= DBG_DEBUG) Dbprintf("Error: Timeout! STATE_UNSYNCD");
return false;
}
@ -496,7 +485,6 @@ bool WaitForFelicaReply(uint16_t maxbytes) {
// Set up FeliCa communication (similar to iso14443a_setup)
// field is setup for "Sending as Reader"
static void iso18092_setup(uint8_t fpga_minor_mode) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Start iso18092_setup");
LEDsoff();
#if defined XC3
@ -510,7 +498,7 @@ static void iso18092_setup(uint8_t fpga_minor_mode) {
// Initialize Demod and Uart structs
// DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
FelicaFrameinit(BigBuf_malloc(FELICA_MAX_FRAME_SIZE));
FelicaFrameinit(BigBuf_calloc(FELICA_MAX_FRAME_SIZE));
felica_nexttransfertime = 2 * DELAY_ARM2AIR_AS_READER; // 418
// iso18092_set_timeout(2120); // 106 * 20ms maximum start-up time of card
@ -553,63 +541,63 @@ static void felica_reset_frame_mode(void) {
// arg1 len of commandbytes
// d.asBytes command bytes to send
void felica_sendraw(const PacketCommandNG *c) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("FeliCa_sendraw Enter");
felica_command_t param = c->oldarg[0];
size_t len = c->oldarg[1] & 0xffff;
const uint8_t *cmd = c->data.asBytes;
uint32_t arg0;
felica_card_select_t card;
if ((param & FELICA_CONNECT))
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Clear trace");
if ((param & FELICA_CONNECT) == FELICA_CONNECT) {
clear_trace();
}
set_tracing(true);
iso18092_setup(FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
if ((param & FELICA_CONNECT)) {
if ((param & FELICA_CONNECT) == FELICA_CONNECT) {
// notify client selecting status.
// if failed selecting, turn off antenna and quite.
if (!(param & FELICA_NO_SELECT)) {
if ((param & FELICA_NO_SELECT) != FELICA_NO_SELECT) {
felica_card_select_t card;
arg0 = felica_select_card(&card);
reply_mix(CMD_ACK, arg0, sizeof(card.uid), 0, &card, sizeof(felica_card_select_t));
if (arg0 > 0) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Error: Failed selecting card! ");
if (arg0) {
felica_reset_frame_mode();
return;
}
}
} else {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("No card selection");
}
if ((param & FELICA_RAW)) {
if ((param & FELICA_RAW) == FELICA_RAW) {
// 2 sync, 1 len, 2crc == 5
uint8_t *buf = BigBuf_malloc(len + 5);
uint8_t *buf = BigBuf_calloc(len + 5);
// add sync bits
buf[0] = 0xb2;
buf[1] = 0x4d;
buf[2] = len;
// copy command
memcpy(buf + 2, cmd, len);
memcpy(buf + 2, c->data.asBytes, len);
if ((param & FELICA_APPEND_CRC)) {
if ((param & FELICA_APPEND_CRC) == FELICA_APPEND_CRC) {
// Don't append crc on empty bytearray...
if (len > 0) {
AddCrc(buf + 2, len);
}
}
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Transmit Frame (no CRC shown):");
Dbhexdump(len, buf, 0);
Dbprintf("Buffer Length: %i", buf[2] + 4);
};
TransmitFor18092_AsReader(buf, buf[2] + 4, NULL, 1, 0);
arg0 = WaitForFelicaReply(1024);
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Received Frame Code: %d", arg0);
Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes, 0);
@ -620,11 +608,11 @@ void felica_sendraw(const PacketCommandNG *c) {
Dbprintf("Reply to Client Error Code: %i", result);
}
}
if ((param & FELICA_NO_DISCONNECT)) {
Dbprintf("Disconnect");
if ((param & FELICA_NO_DISCONNECT) == FELICA_NO_DISCONNECT) {
return;
}
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("FeliCa_sendraw Exit");
felica_reset_frame_mode();
return;
}
@ -641,7 +629,7 @@ void felica_sniff(uint32_t samplesToSkip, uint32_t triggersToSkip) {
int remFrames = (samplesToSkip) ? samplesToSkip : 0;
int trigger_cnt = 0;
uint32_t timeout = iso18092_get_timeout();
bool isReaderFrame = true;
bool isReaderFrame;
uint8_t flip = 0;
uint16_t checker = 0;
@ -744,7 +732,7 @@ void felica_sim_lite(const uint8_t *uid) {
int retval = PM3_SUCCESS;
int curlen = 0;
uint8_t *curresp = NULL;
const uint8_t *curresp = NULL;
bool listenmode = true;
// uint32_t frtm = GetCountSspClk();
@ -894,7 +882,7 @@ void felica_dump_lite_s(void) {
dest[cnt++] = liteblks[blknum];
uint8_t *fb = FelicaFrame.framebytes;
const uint8_t *fb = FelicaFrame.framebytes;
dest[cnt++] = fb[12];
dest[cnt++] = fb[13];

27
armsrc/hitag2.c
View file

@ -17,7 +17,7 @@
#define DBG if (g_dbglevel >= DBG_EXTENDED)
#include "hitag2.h"
#include "hitag2_crypto.h"
#include "hitag2/hitag2_crypto.h"
#include "string.h"
#include "proxmark3_arm.h"
#include "cmd.h"
@ -380,13 +380,17 @@ static uint32_t hitag_reader_send_frame(const uint8_t *frame, size_t frame_len)
// frame_len is in number of bits?
static uint32_t hitag_reader_send_framebits(const uint8_t *frame, size_t frame_len) {
WDT_HIT();
uint32_t wait = 0;
// Send the content of the frame
for (size_t i = 0; i < frame_len; i++) {
wait += hitag_reader_send_bit(frame[i]);
}
// EOF
// Enable modulation, which means, drop the field
// set GPIO_SSC_DOUT to HIGH
lf_modulation(true);
// Wait for 4-10 times the carrier period
@ -394,12 +398,15 @@ static uint32_t hitag_reader_send_framebits(const uint8_t *frame, size_t frame_l
wait += HITAG_T_LOW;
// Disable modulation, just activates the field again
// set GPIO_SSC_DOUT to LOW
lf_modulation(false);
// t_stop, high field for stop condition (> 36)
lf_wait_periods(HITAG_T_STOP);
wait += HITAG_T_STOP;
WDT_HIT();
return wait;
}
@ -768,6 +775,8 @@ static bool hitag2_crypto(uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *
}
if (bCrypto && (bAuthenticating == false) && write) {
SpinDelay(2);
if (hitag2_write_page(rx, rxlen, tx, txlen) == false) {
return false;
}
@ -2583,8 +2592,7 @@ bool ht2_packbits(uint8_t *nrz_samples, size_t nrzs, uint8_t *rx, size_t *rxlen)
int ht2_read_uid(uint8_t *uid, bool ledcontrol, bool send_answer, bool keep_field_up) {
// Clean up trace and prepare it for storing frames
set_tracing(true);
g_logging = false;
// keep field up indicates there are more traffic to be done.
if (keep_field_up == false) {
@ -2685,12 +2693,7 @@ int ht2_tx_rx(uint8_t *tx, size_t txlen, uint8_t *rx, size_t *rxlen, bool ledcon
int res = PM3_EFAILED;
size_t nrzs = 0;
uint8_t samples[HT2_MAX_NRSZ];
// waith between sending commands
lf_wait_periods(HITAG_T_WAIT_2_MIN);
WDT_HIT();
uint8_t samples[HT2_MAX_NRSZ] = {0};
uint32_t command_start = 0, command_duration = 0;
uint32_t response_start = 0, response_duration = 0;
@ -2709,19 +2712,15 @@ int ht2_tx_rx(uint8_t *tx, size_t txlen, uint8_t *rx, size_t *rxlen, bool ledcon
}
// pack bits to bytes
if (ht2_packbits(samples, nrzs, rx, rxlen) == false) {
if (rx && (ht2_packbits(samples, nrzs, rx, rxlen) == false)) {
goto out;
}
// log Receive data
LogTraceBits(rx, *rxlen, response_start, response_start + response_duration, false);
res = PM3_SUCCESS;
out:
if (keep_field_up == false) {
lf_finalize(false);
BigBuf_free_keep_EM();
}
return res;
}

297
armsrc/hitag2_crack.c
View file

@ -19,7 +19,7 @@
#include "hitag2_crack.h"
#include "hitag2_crypto.h"
#include "hitag2/hitag2_crypto.h"
#include "hitag2.h"
#include "proxmark3_arm.h"
#include "commonutil.h"
@ -28,6 +28,7 @@
#include "string.h"
#include "BigBuf.h"
#include "cmd.h"
#include "lfadc.h"
const static uint8_t ERROR_RESPONSE[] = { 0xF4, 0x02, 0x88, 0x9C };
@ -48,20 +49,18 @@ static void hitag2crack_xor(uint8_t *target, const uint8_t *source, const uint8_
// nrar is the 64 bit binarray of the nR aR pair;
// cmd is the binarray of the encrypted command to send;
// len is the length of the encrypted command.
static bool hitag2crack_send_e_cmd(uint8_t *resp, uint8_t *nrar, uint8_t *cmd, int len) {
static bool hitag2crack_send_e_cmd(uint8_t *resp, uint8_t *nrar, uint8_t *cmd, size_t len) {
memset(resp, 0, 4);
// Get UID
uint8_t uid[4];
if (ht2_read_uid(uid, false, false, true) != PM3_SUCCESS) {
if (ht2_read_uid(NULL, true, false, true) != PM3_SUCCESS) {
return false;
}
// send nrar and receive (useless) encrypted page 3 value
uint8_t e_page3[4];
size_t n = 0;
if (ht2_tx_rx(nrar, 64, e_page3, &n, true, true) != PM3_SUCCESS) {
if (ht2_tx_rx(nrar, 64, NULL, &n, true, true) != PM3_SUCCESS) {
return false;
}
@ -146,12 +145,12 @@ static bool hitag2crack_read_page(uint8_t *resp, uint8_t pagenum, uint8_t *nrar,
// e_uid is the binarray of the encrypted version of the UID.
static bool hitag2crack_test_e_p0cmd(uint8_t *keybits, uint8_t *nrar, uint8_t *e_cmd, uint8_t *uid, uint8_t *e_uid) {
uint8_t cipherbits[42];
uint8_t cipherbits[42] = {0};
memcpy(cipherbits, e_cmd, 10); // copy encrypted cmd to cipherbits
memcpy(cipherbits + 10, e_uid, 32); // copy encrypted uid to cipherbits
uint8_t plainbits[42];
uint8_t plainbits[42] = {0};
memcpy(plainbits, read_p0_cmd, sizeof(read_p0_cmd)); // copy cmd to plainbits
memcpy(plainbits + 10, uid, 32); // copy uid to plainbits
@ -159,23 +158,23 @@ static bool hitag2crack_test_e_p0cmd(uint8_t *keybits, uint8_t *nrar, uint8_t *e
hitag2crack_xor(keybits, plainbits, cipherbits, 42);
// create extended cmd -> 4 * READP0CMD = 40 bits
uint8_t ext_cmd[40];
memcpy(ext_cmd, read_p0_cmd, sizeof(read_p0_cmd));
memcpy(ext_cmd + 10, read_p0_cmd, sizeof(read_p0_cmd));
memcpy(ext_cmd + 20, read_p0_cmd, sizeof(read_p0_cmd));
memcpy(ext_cmd + 30, read_p0_cmd, sizeof(read_p0_cmd));
// xor extended cmd with keybits
uint8_t e_ext_cmd[40];
hitag2crack_xor(e_ext_cmd, ext_cmd, keybits, 40);
uint8_t e_ext_cmd[40] = {0};
hitag2crack_xor(e_ext_cmd, read_p0_cmd, keybits, 10);
hitag2crack_xor(e_ext_cmd + 10, read_p0_cmd, keybits + 10, 10);
hitag2crack_xor(e_ext_cmd + 20, read_p0_cmd, keybits + 20, 10);
hitag2crack_xor(e_ext_cmd + 30, read_p0_cmd, keybits + 30, 10);
// send extended encrypted cmd
uint8_t resp[4];
uint8_t resp[4] = {0};
if (hitag2crack_send_e_cmd(resp, nrar, e_ext_cmd, 40)) {
// test if it was valid
if (memcmp(resp, ERROR_RESPONSE, 4)) {
return true;
} else {
DbpString("test enc-page0 cmd. got error-response");
Dbhexdump(4, resp, false);
}
}
return false;
@ -230,6 +229,7 @@ static bool hitag2crack_find_e_page0_cmd(uint8_t *keybits, uint8_t *e_firstcmd,
if (memcmp(resp, ERROR_RESPONSE, 4)) {
// convert response to binarray
// response should been encrypted UID
uint8_t e_uid[32];
hex2binarray((char *)e_uid, (char *)resp);
@ -296,11 +296,119 @@ static bool hitag2crack_find_valid_e_cmd(uint8_t *e_cmd, uint8_t *nrar) {
return false;
}
typedef struct {
uint8_t keybits[2080];
uint8_t uid[32];
uint8_t nrar[64];
uint8_t e_ext_cmd[2080];
uint8_t ext_cmd[2080];
} PACKED lf_hitag_crack2_t;
// hitag2crack_consume_keystream sends an extended command (up to 510 bits in
// length) to consume keystream.
// keybits is the binarray of keystream bits;
// kslen is the length of keystream;
// ksoffset is a pointer to the current keystream offset (updated by this fn);
// nrar is the 64 bit binarray of the nR aR pair.
//static bool ht2crack_consume_keystream(uint8_t *keybits, int kslen, int *ksoffset) {
/*
static bool ht2crack_consume_keystream(lf_hitag_crack2_t *c2, int kslen, int *ksoffset) {
// calculate the length of keybits to consume with the extended command.
// 42 = 32 bit response + 10 bit command reserved for next command. conlen
// cannot be longer than 510 bits to fit into the small RWD buffer.
int conlen = kslen - *ksoffset - 42;
if (conlen < 10) {
DbpString("ht2crack_consume_keystream: conlen < 10");
return false;
}
// calculate how many repeated commands to send in this extended command.
int numcmds = conlen / 10;
// xor extended cmd with keybits
hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits + *ksoffset, (numcmds * 10));
// send encrypted command
size_t n = 0;
uint8_t resp[4];
if (ht2_tx_rx(c2->e_ext_cmd, numcmds * 10, resp, &n, true, true) != PM3_SUCCESS) {
Dbprintf("ht2crack_consume_keystream: tx/rx cmd failed, got %zu", n);
return false;
}
// test response
if (memcmp(resp, ERROR_RESPONSE, 4) == 0) {
DbpString("ht2crack_consume_keystream: got error response from card");
return false;
}
// dont bother decrypting the response - we already know the keybits
// update ksoffset with command length and response
*ksoffset += (numcmds * 10) + 32;
return true;
}
*/
// hitag2crack_extend_keystream sends an extended command to retrieve more keybits.
// keybits is the binarray of the keystream bits;
// kslen is a pointer to the current keybits length;
// ksoffset is the offset into the keybits array;
// nrar is the 64 bit binarray of the nR aR pair;
// uid is the 32 bit binarray of the UID.
//static bool ht2crack_extend_keystream(uint8_t *keybits, int *kslen, int ksoffset, uint8_t *nrar, uint8_t *uid) {
/*
static bool ht2crack_extend_keystream(lf_hitag_crack2_t *c2, int *kslen, int ksoffset) {
// calc number of command iterations to send
int cmdlen = *kslen - ksoffset;
if (cmdlen < 10) {
DbpString("extend_keystream: cmdlen < 10");
return false;
}
int numcmds = cmdlen / 10;
// xor extended cmd with keybits
hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits + ksoffset, numcmds * 10);
// send extended encrypted cmd
size_t n = 0;
uint8_t resp[4];
if (ht2_tx_rx(c2->e_ext_cmd, numcmds * 10, resp, &n, true, true) != PM3_SUCCESS) {
DbpString("extend_keystream: tx/rx cmd failed");
Dbhexdump(numcmds * 10, c2->e_ext_cmd, false);
return false;
}
// test response
if (memcmp(resp, ERROR_RESPONSE, 4) == 0) {
return false;
}
// convert response to binarray
uint8_t e_response[32];
hex2binarray((char*)e_response, (char*)resp);
// recover keystream from encrypted response
hitag2crack_xor(c2->keybits + ksoffset + (numcmds * 10), e_response, c2->uid, 32);
// update kslen
*kslen = ksoffset + (numcmds * 10) + 32;
return true;
}
*/
// hitag2_crack implements the first crack algorithm described in the paper,
// Gone In 360 Seconds by Verdult, Garcia and Balasch.
// response is a multi-line text response containing the 8 pages of the cracked tag
// nrarhex is a string containing hex representations of the 32 bit nR and aR values
void ht2_crack(uint8_t *nrar_hex) {
void ht2_crack1(uint8_t *nrar_hex) {
clear_trace();
@ -340,7 +448,6 @@ void ht2_crack(uint8_t *nrar_hex) {
res = PM3_EFAILED;
goto out;
}
// read all pages using key stream
for (uint8_t i = 1; i < 8; i++) {
hitag2crack_read_page(packet.data + (i * 4), i, nrar, keybits);
@ -354,3 +461,155 @@ void ht2_crack(uint8_t *nrar_hex) {
out:
reply_ng(CMD_LF_HITAG2_CRACK, res, (uint8_t *)&packet, sizeof(lf_hitag_crack_response_t));
}
// hitag2_keystream uses the first crack algorithm described in the paper,
// Gone In 360 Seconds by Verdult, Garcia and Balasch, to retrieve 2048 bits of keystream.
// response is a multi-line text response containing the hex of the keystream;
// nrar_hex is the 32 bit nR and aR in hex
void ht2_crack2(uint8_t *nrar_hex) {
lf_hitag_crack2_t *c2 = (lf_hitag_crack2_t *)BigBuf_calloc(sizeof(lf_hitag_crack2_t));
lf_hitag_crack_response_t *packet = (lf_hitag_crack_response_t *)BigBuf_calloc(sizeof(lf_hitag_crack_response_t));
g_logging = false;
LEDsoff();
set_tracing(false);
clear_trace();
int res = PM3_SUCCESS;
// find the 'read page 0' command and recover key stream
// get uid as hexstring
uint8_t uid_hex[4];
if (ht2_read_uid(uid_hex, false, false, false) != PM3_SUCCESS) {
res = PM3_EFAILED;
goto out;
}
hex2binarray_n((char *)c2->uid, (char *)uid_hex, 4);
hex2binarray_n((char *)c2->nrar, (char *)nrar_hex, 8);
// find a valid encrypted command
uint8_t e_firstcmd[10];
if (hitag2crack_find_valid_e_cmd(e_firstcmd, c2->nrar) == false) {
res = PM3_EFAILED;
goto out;
}
if (hitag2crack_find_e_page0_cmd(c2->keybits, e_firstcmd, c2->nrar, c2->uid) == false) {
res = PM3_EFAILED;
goto out;
}
// Now we got 40 bits of keystream in c2->keybits.
// using the 40 bits of keystream in keybits, sending commands with ever
// increasing lengths to acquire 2048 bits of key stream.
int kslen = 40;
// build extended command
for (int i = 0; i < 208 ; i++) {
memcpy(c2->ext_cmd + (i * 10), read_p0_cmd, 10);
}
DbpString("enter main keystream rec");
Dbhexdump(160, c2->ext_cmd, false);
DbpString("enter main keystream recover loop");
while (kslen < 2048) {
//int ksoffset = 0;
// Get UID
if (ht2_read_uid(NULL, true, false, true) != PM3_SUCCESS) {
res = PM3_EFAILED;
goto out;
}
// send nrar and receive (useless) encrypted page 3 value
size_t n = 0;
if (ht2_tx_rx(c2->nrar, 64, NULL, &n, true, true) != PM3_SUCCESS) {
res = PM3_EFAILED;
goto out;
}
// while we have at least 52 bits of keystream, consume it with
// extended read page 0 commands.
// 52 = 10 (min command len) + 32 (response) + 10 (min command len we'll send)
/*
while ((kslen - ksoffset) >= 52) {
// consume the keystream, updating ksoffset as we go
//if (ht2crack_consume_keystream(c2->keybits, kslen, &ksoffset, c2->nrar) == false) {
if (ht2crack_consume_keystream(c2, kslen, &ksoffset) == false) {
DbpString("ht2crack_consume_keystream failed");
res = PM3_EFAILED;
goto out;
}
}
// send an extended command to retrieve more keystream,
// updating kslen as we go
if (ht2crack_extend_keystream(c2, &kslen, ksoffset) == false) {
DbpString("ht2crack_extend_keystream failed");
res = PM3_EFAILED;
goto out;
}
*/
// xor extended cmd with keybits
hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits, kslen);
// send extended encrypted cmd
uint8_t resp[4];
if (ht2_tx_rx(c2->e_ext_cmd, kslen, resp, &n, true, false) != PM3_SUCCESS) {
DbpString("extend_keystream: tx/rx cmd failed");
break;
}
// test response
if (memcmp(resp, ERROR_RESPONSE, 4) == 0) {
break;
}
// convert response to binarray
uint8_t e_response[32];
hex2binarray((char *)e_response, (char *)resp);
// recover keystream from encrypted response
hitag2crack_xor(c2->keybits + kslen + 40, e_response, c2->uid, 32);
// update kslen
kslen += (40 + 32);
Dbprintf("Recovered " _YELLOW_("%i") " bits of keystream", kslen);
}
/*
uint8_t *keybitshex = BigBuf_calloc(64);
for (int i = 0; i < 2048; i += 256) {
binarray2hex(c2->keybits + i, 256, keybitshex);
Dbhexdump(256, keybitshex, false);
}
*/
BigBuf_free();
// copy UID since we already have it...
memcpy(packet->data, uid_hex, 4);
packet->status = 1;
out:
/*
DbpString("keybits:");
Dbhexdump(2080, c2->keybits, false);
DbpString("uid:");
Dbhexdump(32, c2->uid, false);
DbpString("nrar:");
Dbhexdump(64, c2->nrar, false);
*/
reply_ng(CMD_LF_HITAG2_CRACK_2, res, (uint8_t *)packet, sizeof(lf_hitag_crack_response_t));
}

4
armsrc/hitag2_crack.h
View file

@ -22,6 +22,6 @@
#include <stdbool.h>
#include "common.h"
void ht2_crack(uint8_t *nrar_hex);
void ht2_crack1(uint8_t *nrar_hex);
void ht2_crack2(uint8_t *nrar_hex);
#endif

6
armsrc/hitagS.c
View file

@ -29,7 +29,7 @@
#include "util.h"
#include "string.h"
#include "commonutil.h"
#include "hitag2_crypto.h"
#include "hitag2/hitag2_crypto.h"
#include "lfadc.h"
#include "crc.h"
@ -1090,7 +1090,7 @@ static void hitagS_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, ui
// Dbprintf("RX0 %i:%02X.. err:%i resptime:%i", *rxlen, rx[0], errorCount, *resptime);
}
static void sendReceiveHitagS(uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) {
static void sendReceiveHitagS( const uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) {
LogTraceBits(tx, txlen, HITAG_T_WAIT_2, HITAG_T_WAIT_2, true);
@ -1557,7 +1557,7 @@ void WritePageHitagS(const lf_hitag_data_t *payload, bool ledcontrol) {
break;
default: {
res = PM3_EINVARG;
return;
goto write_end;
}
}

4
armsrc/i2c.c
View file

@ -764,7 +764,7 @@ bool sc_rx_bytes(uint8_t *dest, uint16_t *destlen, uint32_t wait) {
break;
} else if (len == 1) {
continue;
} else if (len <= 0) {
} else {
return false;
}
}
@ -937,7 +937,7 @@ void SmartCardUpgrade(uint64_t arg0) {
bool isOK = true;
uint16_t length = arg0, pos = 0;
uint8_t *fwdata = BigBuf_get_addr();
const uint8_t *fwdata = BigBuf_get_addr();
uint8_t *verfiydata = BigBuf_malloc(I2C_BLOCK_SIZE);
while (length) {

2
armsrc/i2c.h
View file

@ -68,6 +68,6 @@ void SmartCardUpgrade(uint64_t arg0);
void SmartCardSetBaud(uint64_t arg0);
void SmartCardSetClock(uint64_t arg0);
void I2C_print_status(void);
int I2C_get_version(uint8_t *maj, uint8_t *min);
int I2C_get_version(uint8_t *major, uint8_t *minor);
#endif

10
armsrc/iso14443b.c
View file

@ -774,7 +774,7 @@ void SimulateIso14443bTag(const uint8_t *pupi) {
int cardSTATE = SIM_NOFIELD;
int vHf = 0; // in mV
tosend_t *ts = get_tosend();
const tosend_t *ts = get_tosend();
uint8_t *receivedCmd = BigBuf_calloc(MAX_FRAME_SIZE);
@ -1566,7 +1566,7 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len, bool framing) {
* Convenience function to encode, transmit and trace iso 14443b comms
*/
static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing) {
tosend_t *ts = get_tosend();
const tosend_t *ts = get_tosend();
CodeIso14443bAsReader(cmd, len, framing);
TransmitFor14443b_AsReader(start_time);
if (g_trigger) LED_A_ON();
@ -1582,7 +1582,7 @@ static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t
/* Sends an APDU to the tag
* TODO: check CRC and preamble
*/
int iso14443b_apdu(uint8_t const *msg, size_t msg_len, bool send_chaining, void *rxdata, uint16_t rxmaxlen, uint8_t *response_byte, uint16_t *reponselen) {
int iso14443b_apdu(uint8_t const *msg, size_t msg_len, bool send_chaining, void *rxdata, uint16_t rxmaxlen, uint8_t *response_byte, uint16_t *responselen) {
uint8_t real_cmd[msg_len + 4];
@ -1693,8 +1693,8 @@ int iso14443b_apdu(uint8_t const *msg, size_t msg_len, bool send_chaining, void
}
}
if (reponselen) {
*reponselen = len;
if (responselen) {
*responselen = len;
}
return PM3_SUCCESS;
}

2
armsrc/iso14443b.h
View file

@ -39,7 +39,7 @@
#endif
void iso14443b_setup(void);
int iso14443b_apdu(uint8_t const *msg, size_t msg_len, bool send_chaining, void *rxdata, uint16_t rxmaxlen, uint8_t *res, uint16_t *responselen);
int iso14443b_apdu(uint8_t const *msg, size_t msg_len, bool send_chaining, void *rxdata, uint16_t rxmaxlen, uint8_t *response_byte, uint16_t *responselen);
int iso14443b_select_card(iso14b_card_select_t *card);

28
armsrc/iso15693.c
View file

@ -1009,7 +1009,7 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
}
uint32_t dma_start_time = 0;
uint16_t *upTo = dma->buf;
const uint16_t *upTo = dma->buf;
for (;;) {
@ -1502,7 +1502,7 @@ int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eo
if (g_dbglevel > DBG_ERROR) Dbprintf("FpgaSetupSscDma failed. Exiting");
return -4;
}
uint8_t *upTo = dma->buf;
const uint8_t *upTo = dma->buf;
uint32_t dma_start_time = GetCountSspClk() & 0xfffffff8;
@ -1603,7 +1603,7 @@ void AcquireRawAdcSamplesIso15693(void) {
SpinDelay(250);
// Now send the command
tosend_t *ts = get_tosend();
const tosend_t *ts = get_tosend();
uint32_t start_time = 0;
TransmitTo15693Tag(ts->buf, ts->max, &start_time, false);
@ -1681,7 +1681,7 @@ void SniffIso15693(uint8_t jam_search_len, uint8_t *jam_search_string, bool icla
// Count of samples received so far, so that we can include timing
int samples = 0;
uint16_t *upTo = dma->buf;
const uint16_t *upTo = dma->buf;
for (;;) {
@ -1902,7 +1902,7 @@ static void BuildIdentifyRequest(uint8_t *cmd) {
// If you do not need the answer use NULL for *recv[]
// return: length of received data
// logging enabled
int SendDataTag(uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t *recv,
int SendDataTag(const uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t *recv,
uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time, uint16_t *resp_len) {
if (init) {
@ -1918,7 +1918,7 @@ int SendDataTag(uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t
CodeIso15693AsReader256(send, sendlen);
}
tosend_t *ts = get_tosend();
const tosend_t *ts = get_tosend();
TransmitTo15693Tag(ts->buf, ts->max, &start_time, false);
if (tearoff_hook() == PM3_ETEAROFF) { // tearoff occurred
@ -1941,7 +1941,7 @@ int SendDataTag(uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t
int SendDataTagEOF(uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time, bool fsk, bool recv_speed, uint16_t *resp_len) {
CodeIso15693AsReaderEOF();
tosend_t *ts = get_tosend();
const tosend_t *ts = get_tosend();
TransmitTo15693Tag(ts->buf, ts->max, &start_time, false);
uint32_t end_time = start_time + 32 * (8 * ts->max - 4); // subtract the 4 padding bits after EOF
LogTrace_ISO15693(NULL, 0, (start_time * 4), (end_time * 4), NULL, true);
@ -1959,9 +1959,9 @@ int SendDataTagEOF(uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, ui
// Decodes a message from a tag and displays its metadata and content
#define DBD15STATLEN 48
static void DbdecodeIso15693Answer(int len, uint8_t *d) {
static void DbdecodeIso15693Answer(int n, const uint8_t *d) {
if (len > 3) {
if (n > 3) {
char status[DBD15STATLEN + 1] = {0};
@ -2007,7 +2007,7 @@ static void DbdecodeIso15693Answer(int len, uint8_t *d) {
strncat(status, "No error ", DBD15STATLEN - strlen(status));
}
if (CheckCrc15(d, len))
if (CheckCrc15(d, n))
strncat(status, "[+] crc ( " _GREEN_("ok") " )", DBD15STATLEN - strlen(status));
else
strncat(status, "[!] crc ( " _RED_("fail") " )", DBD15STATLEN - strlen(status));
@ -2127,7 +2127,7 @@ void EmlClearIso15693(void) {
// Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands
// all demodulation performed in arm rather than host. - greg
void SimTagIso15693(uint8_t *uid, uint8_t block_size) {
void SimTagIso15693(const uint8_t *uid, uint8_t block_size) {
// free eventually allocated BigBuf memory
BigBuf_free_keep_EM();
@ -2581,7 +2581,7 @@ void SimTagIso15693(uint8_t *uid, uint8_t block_size) {
AddCrc15(recv, recvLen);
recvLen += 2;
CodeIso15693AsTag(recv, recvLen);
tosend_t *ts = get_tosend();
const tosend_t *ts = get_tosend();
uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM;
if (tag->expectFsk) { // Not suppoted yet
@ -3028,7 +3028,7 @@ static uint32_t disable_privacy_15693_Slix(uint32_t start_time, uint32_t *eof_ti
return PM3_SUCCESS;
}
static uint32_t set_pass_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t pass_id, const uint8_t *password, uint8_t *uid) {
static uint32_t set_pass_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t pass_id, const uint8_t *password, const uint8_t *uid) {
uint8_t rnd[2];
@ -3141,7 +3141,7 @@ static uint32_t enable_eas_15693_Slix(uint32_t start_time, uint32_t *eof_time, c
return PM3_SUCCESS;
}
static uint32_t write_password_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t pwd_id, const uint8_t *password, uint8_t *uid) {
static uint32_t write_password_15693_Slix(uint32_t start_time, uint32_t *eof_time, uint8_t pwd_id, const uint8_t *password, const uint8_t *uid) {
uint8_t new_pwd_cmd[] = { (ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS), ISO15693_WRITE_PASSWORD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, pwd_id, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

6
armsrc/iso15693.h
View file

@ -47,13 +47,13 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
void AcquireRawAdcSamplesIso15693(void);
void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader
void EmlClearIso15693(void);
void SimTagIso15693(uint8_t *uid, uint8_t block_size); // simulate an ISO15693 tag
void SimTagIso15693(const uint8_t *uid, uint8_t block_size); // simulate an ISO15693 tag
void BruteforceIso15693Afi(uint32_t flags); // find an AFI of a tag
void SendRawCommand15693(iso15_raw_cmd_t *packet); // send arbitrary commands from CLI
void SniffIso15693(uint8_t jam_search_len, uint8_t *jam_search_string, bool iclass);
int SendDataTag(uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t *recv,
int SendDataTag(const uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t *recv,
uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time, uint16_t *resp_len);
int SendDataTagEOF(uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time, bool fsk, bool recv_speed, uint16_t *resp_len);
@ -68,5 +68,5 @@ void DisableEAS_AFISlixIso15693(const uint8_t *password, bool usepwd);
void EnableEAS_AFISlixIso15693(const uint8_t *password, bool usepwd);
void PassProtextEASSlixIso15693(const uint8_t *password);
void PassProtectAFISlixIso15693(const uint8_t *password);
void WriteAFIIso15693(const uint8_t *password, bool usepwd, uint8_t *uid, bool use_uid, uint8_t afi);
void WriteAFIIso15693(const uint8_t *password, bool use_pwd, uint8_t *uid, bool use_uid, uint8_t afi);
#endif

8
armsrc/lfsampling.c
View file

@ -518,7 +518,7 @@ int ReadLF_realtime(bool reader_field) {
// Request USB transmission and change FIFO bank
if (async_usb_write_requestWrite() == false) {
return_value = PM3_EIO;
break;
goto out;
}
// Reset sample
@ -535,10 +535,14 @@ int ReadLF_realtime(bool reader_field) {
}
}
}
LED_D_OFF();
return_value = async_usb_write_stop();
out:
LED_D_OFF();
// DoAcquisition() end
StopTicks();
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
return return_value;

2
armsrc/optimized_elite.c
View file

@ -153,7 +153,7 @@ Definition 14. Define the rotate key function rk : (F 82 ) 8 × N → (F 82 ) 8
rk(x [0] . . . x [7] , 0) = x [0] . . . x [7]
rk(x [0] . . . x [7] , n + 1) = rk(rl(x [0] ) . . . rl(x [7] ), n)
**/
static void rk(uint8_t *key, uint8_t n, uint8_t *outp_key) {
static void rk(const uint8_t *key, uint8_t n, uint8_t *outp_key) {
memcpy(outp_key, key, 8);
uint8_t j;
while (n-- > 0) {

127
armsrc/printf.c
View file

@ -113,11 +113,14 @@ kvsprintf(char const *fmt, void *arg, int radix, va_list ap) {
for (;;) {
padc = ' ';
width = 0;
while ((ch = (u_char) * fmt++) != '%' || stop) {
PCHAR(ch);
if (ch == '\0')
if (ch == '\0') {
return (retval);
}
}
percent = fmt - 1;
qflag = 0;
lflag = 0;
@ -178,36 +181,43 @@ reswitch:
for (n = 0;; ++fmt) {
n = n * 10 + ch - '0';
ch = *fmt;
if (ch < '0' || ch > '9')
if (ch < '0' || ch > '9') {
break;
}
if (dot)
}
if (dot) {
dwidth = n;
else
} else {
width = n;
}
goto reswitch;
case 'b':
num = (u_int)va_arg(ap, int);
p = va_arg(ap, char *);
for (q = ksprintn(nbuf, num, *p++, NULL, 0); *q;)
for (q = ksprintn(nbuf, num, *p++, NULL, 0); *q;) {
PCHAR(*q--);
}
if (num == 0)
if (num == 0) {
break;
}
for (tmp = 0; *p;) {
n = *p++;
if (num & (1 << (n - 1))) {
PCHAR(tmp ? ',' : '<');
for (; (n = *p) > ' '; ++p)
for (; (n = *p) > ' '; ++p) {
PCHAR(n);
tmp = 1;
} else
for (; *p > ' '; ++p)
continue;
}
if (tmp)
tmp = 1;
} else {
for (; *p > ' '; ++p) {};
}
}
if (tmp) {
PCHAR('>');
}
break;
case 'c':
PCHAR(va_arg(ap, int));
@ -215,16 +225,20 @@ reswitch:
case 'D':
up = va_arg(ap, u_char *);
p = va_arg(ap, char *);
if (!width)
if (!width) {
width = 16;
}
while (width--) {
PCHAR(hex2ascii(*up >> 4));
PCHAR(hex2ascii(*up & 0x0f));
up++;
if (width)
for (q = p; *q; q++)
if (width) {
for (q = p; *q; q++) {
PCHAR(*q);
}
}
}
break;
case 'd':
case 'i':
@ -235,8 +249,9 @@ reswitch:
if (hflag) {
hflag = 0;
cflag = 1;
} else
} else {
hflag = 1;
}
goto reswitch;
case 'j':
jflag = 1;
@ -245,8 +260,9 @@ reswitch:
if (lflag) {
lflag = 0;
qflag = 1;
} else
} else {
lflag = 1;
}
goto reswitch;
case 'n':
if (jflag)
@ -278,29 +294,38 @@ reswitch:
goto reswitch;
case 'r':
base = radix;
if (sign)
if (sign) {
goto handle_sign;
}
goto handle_nosign;
case 's':
p = va_arg(ap, char *);
if (p == NULL)
if (p == NULL) {
p = "(null)";
if (!dot)
}
if (!dot) {
n = strlen(p);
else
for (n = 0; n < dwidth && p[n]; n++)
continue;
} else {
for (n = 0; n < dwidth && p[n]; n++) {};
}
width -= n;
if (!ladjust && width > 0)
while (width--)
if (!ladjust && width > 0) {
while (width--) {
PCHAR(padc);
while (n--)
}
}
while (n--) {
PCHAR(*p++);
if (ladjust && width > 0)
while (width--)
}
if (ladjust && width > 0) {
while (width--) {
PCHAR(padc);
}
}
break;
case 't':
tflag = 1;
@ -361,22 +386,31 @@ number:
neg = 1;
num = -(intmax_t)num;
}
p = ksprintn(nbuf, num, base, &tmp, upper);
if (sharpflag && num != 0) {
if (base == 8)
if (base == 8) {
tmp++;
else if (base == 16)
} else if (base == 16) {
tmp += 2;
}
if (neg)
tmp++;
}
if (!ladjust && padc != '0' && width
&& (width -= tmp) > 0)
while (width--)
if (neg) {
tmp++;
}
if (!ladjust && padc != '0' && width && (width -= tmp) > 0) {
while (width--) {
PCHAR(padc);
if (neg)
}
}
if (neg) {
PCHAR('-');
}
if (sharpflag && num != 0) {
if (base == 8) {
PCHAR('0');
@ -385,21 +419,28 @@ number:
PCHAR('x');
}
}
if (!ladjust && width && (width -= tmp) > 0)
while (width--)
PCHAR(padc);
while (*p)
if (!ladjust && width && (width -= tmp) > 0) {
while (width--) {
PCHAR(padc);
}
}
while (*p) {
PCHAR(*p--);
}
if (ladjust && width && (width -= tmp) > 0)
while (width--)
if (ladjust && width && (width -= tmp) > 0) {
while (width--) {
PCHAR(padc);
}
}
break;
default:
while (percent < fmt)
while (percent < fmt) {
PCHAR(*percent++);
}
/*
* Since we ignore an formatting argument it is no
* longer safe to obey the remaining formatting

2
armsrc/usart.c
View file

@ -85,7 +85,7 @@ static size_t us_rxfifo_high = 0;
static void usart_fill_rxfifo(void) {
uint16_t rxfifo_free = 0;
uint16_t rxfifo_free;
if (pUS1->US_RNCR == 0) { // One buffer got filled, backup buffer being used

2
armsrc/util.c
View file

@ -86,7 +86,7 @@ int hex2binarray(char *target, char *source) {
return hex2binarray_n(target, source, strlen(source));
}
int hex2binarray_n(char *target, char *source, int sourcelen) {
int hex2binarray_n(char *target, const char *source, int sourcelen) {
int count = 0;
// process 4 bits (1 hex digit) at a time

4
armsrc/util.h
View file

@ -82,10 +82,10 @@
#endif
size_t nbytes(size_t nbits);
uint8_t hex2int(char hexchar);
uint8_t hex2int(char x);
int hex2binarray(char *target, char *source);
int hex2binarray_n(char *target, char *source, int sourcelen);
int hex2binarray_n(char *target, const char *source, int sourcelen);
int binarray2hex(const uint8_t *bs, int bs_len, uint8_t *hex);
void LED(int led, int ms);

4
bootrom/bootrom.c
View file

@ -296,9 +296,9 @@ static void UsbPacketReceived(uint8_t *packet) {
}
// delay_loop(1) = 3.07us
static volatile uint32_t c;
static volatile uint32_t ccc;
static void __attribute__((optimize("O0"))) delay_loop(uint32_t delay) {
for (c = delay * 2; c; c--) {};
for (ccc = delay * 2; ccc; ccc--) {};
}
static void flash_mode(void) {

9
client/deps/jansson/load.c
View file

@ -54,7 +54,7 @@ typedef int (*get_func)(void *data);
typedef struct {
get_func get;
void *data;
char buffer[5];
char buffer[7];
size_t buffer_pos;
int state;
int line;
@ -179,11 +179,16 @@ static int stream_get(stream_t *stream, json_error_t *error) {
size_t i, count;
count = utf8_check_first(c);
if (!count)
if (count == 0) {
goto out;
}
// whatif count == 1 ?!?
assert(count >= 2);
assert(count <= 4);
// if count == 4 , i will become 5 and overflow.
for (i = 1; i < count; i++)
stream->buffer[i] = stream->get(stream->data);

16
client/resources/aid_desfire.json
View file

@ -567,5 +567,21 @@
"Name": "Prima FlexAir Access Control",
"Description": "FIDs: 00 - DRM, 01 - Access Event Log, 04 - Access Permissions",
"Type": "pacs"
},
{
"AID": "FF30FF",
"Vendor": "Metrolinx",
"Country": "CA",
"Name": "Presto Card",
"Description": "",
"Type": "transport"
},
{
"AID": "002000",
"Vendor": "Metrolinx",
"Country": "CA",
"Name": "Presto Card",
"Description": "",
"Type": "transport"
}
]

11
client/src/cmdflashmemspiffs.c
View file

@ -26,7 +26,7 @@
static int CmdHelp(const char *Cmd);
int flashmem_spiffs_load(char *destfn, uint8_t *data, size_t datalen) {
int flashmem_spiffs_load(const char *destfn, const uint8_t *data, size_t datalen) {
int ret_val = PM3_SUCCESS;
@ -429,9 +429,14 @@ static int CmdFlashMemSpiFFSDump(const char *Cmd) {
PrintAndLogEx(HINT, "Use 'trace list -1 -t ...' to view, 'trace save -f ...' to save");
}
if (dlen) {
if (dlen || slen) {
// save to file
char fn[FILE_PATH_SIZE] = {0};
// prefer dest name
// else source name
if (dlen) {
strncpy(fn, dest, dlen);
} else {
@ -439,7 +444,7 @@ static int CmdFlashMemSpiFFSDump(const char *Cmd) {
}
// set file extension
char *suffix = strchr(fn, '.');
const char *suffix = strchr(fn, '.');
if (suffix) {
saveFile(fn, suffix, dump, len);
} else {

2
client/src/cmdflashmemspiffs.h
View file

@ -22,7 +22,7 @@
#include "common.h"
int CmdFlashMemSpiFFS(const char *Cmd);
int flashmem_spiffs_load(char *destfn, uint8_t *data, size_t datalen);
int flashmem_spiffs_load(const char *destfn, const uint8_t *data, size_t datalen);
int flashmem_spiffs_download(char *fn, uint8_t fnlen, void **pdest, size_t *destlen);
#endif

22
client/src/cmdhf.c
View file

@ -95,6 +95,16 @@ int CmdHFSearch(const char *Cmd) {
}
}
PROMPT_CLEARLINE;
PrintAndLogEx(INPLACE, " Searching for Topaz tag...");
if (IfPm3Iso14443a()) {
if (readTopazUid(false, false) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("Topaz tag") " found\n");
success[TOPAZ] = true;
res = PM3_SUCCESS;
}
}
PROMPT_CLEARLINE;
PrintAndLogEx(INPLACE, " Searching for LTO-CM tag...");
if (IfPm3Iso14443a()) {
@ -119,6 +129,7 @@ int CmdHFSearch(const char *Cmd) {
}
}
/*
// ICT
if (IfPm3Iso14443a()) {
int sel_state = infoHF14A(false, false, false);
@ -131,6 +142,7 @@ int CmdHFSearch(const char *Cmd) {
infoHF14A4Applications(verbose);
}
}
*/
PROMPT_CLEARLINE;
PrintAndLogEx(INPLACE, " Searching for LEGIC tag...");
@ -142,16 +154,6 @@ int CmdHFSearch(const char *Cmd) {
}
}
PROMPT_CLEARLINE;
PrintAndLogEx(INPLACE, " Searching for Topaz tag...");
if (IfPm3Iso14443a()) {
if (readTopazUid(false, false) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("Topaz tag") " found\n");
success[TOPAZ] = true;
res = PM3_SUCCESS;
}
}
// texkom
PROMPT_CLEARLINE;
PrintAndLogEx(INPLACE, " Searching for TEXKOM tag...");

10
client/src/cmdhf14a.c
View file

@ -863,7 +863,7 @@ int CmdHF14ASim(const char *Cmd) {
if ((flags & FLAG_NR_AR_ATTACK) != FLAG_NR_AR_ATTACK)
break;
nonces_t *data = (nonces_t *)resp.data.asBytes;
const nonces_t *data = (nonces_t *)resp.data.asBytes;
readerAttack(k_sector, k_sectors_cnt, data[0], setEmulatorMem, verbose);
keypress = kbd_enter_pressed();
@ -1099,7 +1099,7 @@ int SelectCard14443A_4(bool disconnect, bool verbose, iso14a_card_select_t *card
return SelectCard14443A_4_WithParameters(disconnect, verbose, card, NULL);
}
static int CmdExchangeAPDU(bool chainingin, uint8_t *datain, int datainlen, bool activateField, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, bool *chainingout) {
static int CmdExchangeAPDU(bool chainingin, const uint8_t *datain, int datainlen, bool activateField, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, bool *chainingout) {
*chainingout = false;
size_t timeout = 1500;
@ -1158,7 +1158,7 @@ static int CmdExchangeAPDU(bool chainingin, uint8_t *datain, int datainlen, bool
PacketResponseNG resp;
if (WaitForResponseTimeout(CMD_ACK, &resp, timeout)) {
uint8_t *recv = resp.data.asBytes;
const uint8_t *recv = resp.data.asBytes;
int iLen = resp.oldarg[0];
uint8_t res = resp.oldarg[1];
@ -1216,7 +1216,7 @@ static int CmdExchangeAPDU(bool chainingin, uint8_t *datain, int datainlen, bool
return PM3_SUCCESS;
}
int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
int ExchangeAPDU14a(const uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
*dataoutlen = 0;
bool chaining = false;
int res;
@ -1519,7 +1519,7 @@ static int CmdHF14ACmdRaw(const char *Cmd) {
}
// TODO: allow to use reader command with both data and polling configuration
if (use_ecp | use_magsafe) {
if (use_ecp || use_magsafe) {
PrintAndLogEx(WARNING, "ECP and Magsafe not supported with this command at this moment. Instead use 'hf 14a reader -sk --ecp/--mag'");
// flags |= ISO14A_USE_MAGSAFE;
// flags |= ISO14A_USE_ECP;

2
client/src/cmdhf14a.h
View file

@ -66,7 +66,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search);
int infoHF14A4Applications(bool verbose);
const char *getTagInfo(uint8_t uid);
int Hf14443_4aGetCardData(iso14a_card_select_t *card);
int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
int ExchangeAPDU14a(const uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, bool silentMode);
iso14a_polling_parameters_t iso14a_get_polling_parameters(bool use_ecp, bool use_magsafe);

74
client/src/cmdhf15.c
View file

@ -416,7 +416,7 @@ static int nxp_15693_print_signature(uint8_t *uid, uint8_t *signature) {
// get a product description based on the UID
// uid[8] tag uid
// returns description of the best match
static const char *getTagInfo_15(uint8_t *uid) {
static const char *getTagInfo_15(const uint8_t *uid) {
if (uid == NULL) {
return "";
}
@ -473,6 +473,26 @@ static const char *TagErrorStr(uint8_t error) {
}
}
static int iso15_error_handling_card_response(uint8_t *d, uint16_t n) {
if (check_crc(CRC_15693, d, n) == false) {
PrintAndLogEx(FAILED, "crc ( " _RED_("fail") " )");
return PM3_ECRC;
}
if ((d[0] & ISO15_RES_ERROR) == ISO15_RES_ERROR) {
if (d[1] == 0x0F || d[1] == 0x10) {
return PM3_EOUTOFBOUND;
}
PrintAndLogEx(ERR, "iso15693 card returned error %i: %s", d[0], TagErrorStr(d[0]));
return PM3_EWRONGANSWER;
}
return PM3_SUCCESS;
}
// fast method to just read the UID of a tag (collision detection not supported)
// *buf should be large enough to fit the 64bit uid
// returns 1 if succeeded
@ -714,7 +734,7 @@ static int CmdHF15Samples(const char *Cmd) {
return PM3_SUCCESS;
}
static int NxpTestEAS(uint8_t *uid) {
static int NxpTestEAS(const uint8_t *uid) {
if (uid == NULL) {
return PM3_EINVARG;
@ -1162,7 +1182,7 @@ static void hf15EmlClear(void) {
WaitForResponse(CMD_HF_ISO15693_EML_CLEAR, &resp);
}
static int hf15EmlSetMem(uint8_t *data, uint16_t count, size_t offset) {
static int hf15EmlSetMem(const uint8_t *data, uint16_t count, size_t offset) {
struct p {
uint32_t offset;
uint16_t count;
@ -1212,13 +1232,14 @@ static int CmdHF15ELoad(const char *Cmd) {
return res;
}
if (bytes_read != sizeof(iso15_tag_t)) {
PrintAndLogEx(FAILED, "Memory image is not matching tag structure.");
if (bytes_read == 0) {
PrintAndLogEx(FAILED, "Memory image empty.");
free(tag);
return PM3_EINVARG;
}
if (bytes_read == 0) {
PrintAndLogEx(FAILED, "Memory image empty.");
if (bytes_read != sizeof(iso15_tag_t)) {
PrintAndLogEx(FAILED, "Memory image is not matching tag structure.");
free(tag);
return PM3_EINVARG;
}
@ -1335,7 +1356,7 @@ static void print_blocks_15693(iso15_tag_t *tag, bool dense_output) {
for (int i = 0; i < tag->pagesCount; i++) {
uint8_t *blk = d + (i * blocksize);
const uint8_t *blk = d + (i * blocksize);
// suppress repeating blocks, truncate as such that the first and last block with the same data is shown
// but the blocks in between are replaced with a single line of "......" if dense_output is enabled
@ -1830,6 +1851,7 @@ static int CmdHF15Dump(const char *Cmd) {
iso15_tag_t *tag = (iso15_tag_t *)calloc(1, sizeof(iso15_tag_t));
if (tag == NULL) {
PrintAndLogEx(FAILED, "failed to allocate memory");
free(packet);
return PM3_EMALLOC;
};
@ -1844,6 +1866,7 @@ static int CmdHF15Dump(const char *Cmd) {
PrintAndLogEx(INFO, "Using scan mode");
if (getUID(verbose, false, uid) != PM3_SUCCESS) {
free(packet);
free(tag);
PrintAndLogEx(WARNING, "no tag found");
return PM3_EINVARG;
}
@ -1873,18 +1896,27 @@ static int CmdHF15Dump(const char *Cmd) {
PacketResponseNG resp;
if (WaitForResponseTimeout(CMD_HF_ISO15693_COMMAND, &resp, 2000) == false) {
PrintAndLogEx(DEBUG, "iso15693 timeout");
free(packet);
free(tag);
return PM3_ETIMEOUT;
}
if (resp.length < 2) {
PrintAndLogEx(WARNING, "iso15693 card doesn't answer to systeminfo command (%d)", resp.length);
free(packet);
free(tag);
return PM3_EWRONGANSWER;
}
uint8_t *d = resp.data.asBytes;
uint8_t dCpt = 10;
ISO15_ERROR_HANDLING_CARD_RESPONSE(d, resp.length);
int res = iso15_error_handling_card_response(d, resp.length);
if (res != PM3_SUCCESS) {
free(tag);
free(packet);
return res;
}
memcpy(tag->uid, &d[2], 8);
@ -1991,6 +2023,7 @@ static int CmdHF15Dump(const char *Cmd) {
if (no_save) {
PrintAndLogEx(INFO, "Called with no save option");
PrintAndLogEx(NORMAL, "");
free(tag);
return PM3_SUCCESS;
}
@ -2004,6 +2037,7 @@ static int CmdHF15Dump(const char *Cmd) {
pm3_save_dump(filename, (uint8_t *)tag, sizeof(iso15_tag_t), jsf15_v4);
free(tag);
return PM3_SUCCESS;
}
@ -2436,7 +2470,7 @@ static int CmdHF15Readblock(const char *Cmd) {
return PM3_SUCCESS;
}
static int hf_15_write_blk(uint8_t *pm3flags, uint16_t flags, uint8_t *uid, bool fast, uint8_t blockno, uint8_t *data, uint8_t dlen) {
static int hf_15_write_blk(const uint8_t *pm3flags, uint16_t flags, const uint8_t *uid, bool fast, uint8_t blockno, const uint8_t *data, uint8_t dlen) {
// request to be sent to device/card
// 2 + 8 + 1 + (4|8) + 2
@ -2660,13 +2694,14 @@ static int CmdHF15Restore(const char *Cmd) {
return res;
}
if (bytes_read != sizeof(iso15_tag_t)) {
PrintAndLogEx(FAILED, "Memory image is not matching tag structure.");
if (bytes_read == 0) {
PrintAndLogEx(FAILED, "Memory image empty.");
free(tag);
return PM3_EINVARG;
}
if (bytes_read == 0) {
PrintAndLogEx(FAILED, "Memory image empty.");
if (bytes_read != sizeof(iso15_tag_t)) {
PrintAndLogEx(FAILED, "Memory image is not matching tag structure.");
free(tag);
return PM3_EINVARG;
}
@ -2694,7 +2729,7 @@ static int CmdHF15Restore(const char *Cmd) {
size_t bytes = 0;
uint16_t i = 0;
uint8_t *data = calloc(tag->bytesPerPage, sizeof(uint8_t));
uint32_t tried = 0;
uint32_t tried;
while (bytes < (tag->pagesCount * tag->bytesPerPage)) {
// copy over the data to the request
@ -3324,13 +3359,14 @@ static int CmdHF15View(const char *Cmd) {
return res;
}
if (bytes_read != sizeof(iso15_tag_t)) {
PrintAndLogEx(FAILED, "Memory image is not matching tag structure.");
if (bytes_read == 0) {
PrintAndLogEx(FAILED, "Memory image empty.");
free(tag);
return PM3_EINVARG;
}
if (bytes_read == 0) {
PrintAndLogEx(FAILED, "Memory image empty.");
if (bytes_read != sizeof(iso15_tag_t)) {
PrintAndLogEx(FAILED, "Memory image is not matching tag structure.");
free(tag);
return PM3_EINVARG;
}

7
client/src/cmdhffelica.c
View file

@ -312,13 +312,13 @@ static int CmdHFFelicaList(const char *Cmd) {
int read_felica_uid(bool loop, bool verbose) {
int res = PM3_SUCCESS;
int res = PM3_ETIMEOUT;
do {
clearCommandBuffer();
SendCommandMIX(CMD_HF_FELICA_COMMAND, FELICA_CONNECT, 0, 0, NULL, 0);
PacketResponseNG resp;
if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) {
if (WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
uint8_t status = resp.oldarg[0] & 0xFF;
@ -342,7 +342,10 @@ int read_felica_uid(bool loop, bool verbose) {
}
PrintAndLogEx(SUCCESS, "IDm: " _GREEN_("%s"), sprint_hex_inrow(card.IDm, sizeof(card.IDm)));
set_last_known_card(card);
res = PM3_SUCCESS;
}
} while (loop && kbd_enter_pressed() == false);
DropField();

14
client/src/cmdhfict.c
View file

@ -120,7 +120,7 @@ static int derive_app_key(uint8_t *uid, uint8_t *app_key) {
}
// Might miss payload..
static int diversify_mifare_key(uint8_t *uid, uint8_t *app_key) {
static int diversify_mifare_key(const uint8_t *uid, uint8_t *app_key) {
if (uid == NULL || app_key == NULL) {
return PM3_EINVARG;
}
@ -152,7 +152,7 @@ static int diversify_mifare_key(uint8_t *uid, uint8_t *app_key) {
return PM3_SUCCESS;
}
static int decrypt_card_sector(uint8_t *uid, uint8_t *sector_data, uint8_t len, uint8_t *plain) {
static int decrypt_card_sector(uint8_t *uid, const uint8_t *sector_data, uint8_t len, uint8_t *plain) {
if (uid == NULL || sector_data == NULL || plain == NULL) {
return PM3_EINVARG;
}
@ -203,7 +203,7 @@ static int derive_mifare_key_b(uint8_t *uid, uint8_t *app_key) {
return derive_mifare_key(uid, ICT_MIFARE_B_KEY, app_key);
}
static int decrypt_card_file(uint8_t *card_file, uint8_t len, uint8_t *plain) {
static int decrypt_card_file(const uint8_t *card_file, uint8_t len, uint8_t *plain) {
if (card_file == NULL || plain == NULL) {
return PM3_EINVARG;
}
@ -211,7 +211,7 @@ static int decrypt_card_file(uint8_t *card_file, uint8_t len, uint8_t *plain) {
uint8_t input[ICT_FILE_SIZE];
memcpy(input, card_file, len);
uint8_t key[AES_KEY_LEN];
uint8_t key[AES_KEY_LEN] = {0};
// memcpy(key, ICT_DESFIRE_FILEKEY, AES_KEY_LEN);
uint8_t iv[16] = {0};
@ -230,7 +230,7 @@ static int decrypt_card_file(uint8_t *card_file, uint8_t len, uint8_t *plain) {
return PM3_SUCCESS;
}
static int encrypt_card_file(uint8_t *card_file, uint8_t len, bool padding, uint8_t *enc) {
static int encrypt_card_file(const uint8_t *card_file, uint8_t len, bool padding, uint8_t *enc) {
if (len > ICT_FILE_SIZE) {
return PM3_EINVARG;
@ -243,7 +243,7 @@ static int encrypt_card_file(uint8_t *card_file, uint8_t len, bool padding, uint
memset(input + len, 0x4C, 128 - len);
}
uint8_t key[AES_KEY_LEN];
uint8_t key[AES_KEY_LEN] = {0};
// memcpy(key, ICT_DESFIRE_FILEKEY, AES_KEY_LEN);
uint8_t iv[16] = {0};
@ -262,7 +262,7 @@ static int encrypt_card_file(uint8_t *card_file, uint8_t len, bool padding, uint
return PM3_SUCCESS;
}
static void itc_decode_card_blob(uint8_t *data, uint8_t card_type) {
static void itc_decode_card_blob(const uint8_t *data, uint8_t card_type) {
if (data == NULL) {
return;
}

2
client/src/cmdhfmfu.c
View file

@ -3253,7 +3253,7 @@ int CmdHF14MfUTamper(const char *Cmd) {
}
}
if (enable | disable | lock_msg) {
if (enable || disable || lock_msg) {
if (ul_select(&card) == false) {
PrintAndLogEx(ERR, "Unable to select tag");

13
client/src/cmdhfntag424.c
View file

@ -38,6 +38,7 @@
// NTAG424 commands currently implemented
// icenam: should be able to use 14a / msdes to annotate NTAG424 communications
#define NTAG424_CMD_GET_FILE_SETTINGS 0xF5
#define NTAG424_CMD_CHANGE_FILE_SETTINGS 0x5F
#define NTAG424_CMD_CHANGE_KEY 0xC4
@ -280,7 +281,7 @@ static void ntag424_calc_receive_iv(ntag424_session_keys_t *session_keys, uint8_
aes_encode(zero_iv, session_keys->encryption, iv_clear, out_ivc, 16);
}
static void ntag424_calc_mac(ntag424_session_keys_t *session_keys, uint8_t command, uint8_t *data, uint8_t datalen, uint8_t *out_mac) {
static void ntag424_calc_mac(const ntag424_session_keys_t *session_keys, uint8_t command, const uint8_t *data, uint8_t datalen, uint8_t *out_mac) {
uint8_t mac_input_header[] = { command,
(uint8_t)session_keys->command_counter, (uint8_t)(session_keys->command_counter >> 8),
session_keys->ti[0], session_keys->ti[1], session_keys->ti[2], session_keys->ti[3]
@ -445,7 +446,7 @@ static int ntag424_get_file_settings(uint8_t fileno, ntag424_file_settings_t *se
return PM3_SUCCESS;
}
static int ntag424_write_file_settings(uint8_t fileno, ntag424_file_settings_t *settings, ntag424_session_keys_t *session_keys) {
static int ntag424_write_file_settings(uint8_t fileno, const ntag424_file_settings_t *settings, ntag424_session_keys_t *session_keys) {
// ------- Convert file settings to the format for writing
file_settings_write_t write_settings = {
@ -807,7 +808,7 @@ static int ntag424_get_signature(uint8_t *signature_out) {
return PM3_SUCCESS;
}
static int ntag424_change_key(uint8_t keyno, uint8_t *new_key, uint8_t *old_key, uint8_t version, ntag424_session_keys_t *session_keys) {
static int ntag424_change_key(uint8_t keyno, const uint8_t *new_key, const uint8_t *old_key, uint8_t version, ntag424_session_keys_t *session_keys) {
// -------- Calculate xor and crc
uint8_t key[16] = {0};
uint8_t crc[4] = {0};
@ -965,7 +966,7 @@ static int CmdHF_ntag424_auth(const char *Cmd) {
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
int keyno;
int keyno = 0;
uint8_t key[16] = {0};
if (ntag424_cli_get_auth_information(ctx, 1, 2, &keyno, key) != PM3_SUCCESS) {
CLIParserFree(ctx);
@ -1019,7 +1020,7 @@ static int CmdHF_ntag424_read(const char *Cmd) {
int fileno = arg_get_int(ctx, 1);
int keyno;
int keyno = 0;
uint8_t key[16] = {0};
bool auth = (ntag424_cli_get_auth_information(ctx, 2, 3, &keyno, key) == PM3_SUCCESS);
@ -1248,7 +1249,7 @@ static int CmdHF_ntag424_changefilesettings(const char *Cmd) {
CLIExecWithReturn(ctx, Cmd, argtable, false);
int fileno = arg_get_int(ctx, 1);
int keyno;
int keyno = 0;
uint8_t key[16] = {0};
uint8_t has_options = 0;

221
client/src/cmdlfem4x70.c
View file

@ -164,10 +164,18 @@ typedef struct _em4x70_cmd_input_verify_auth_t {
ID48LIB_GRN grn;
} em4x70_cmd_input_verify_auth_t;
static int CmdHelp(const char *Cmd);
typedef struct _em4x70_cmd_input_calculate_t {
ID48LIB_KEY key;
ID48LIB_NONCE rn;
} em4x70_cmd_input_calculate_t;
typedef struct _em4x70_cmd_output_calculate_t {
ID48LIB_FRN frn;
ID48LIB_GRN grn;
} em4x70_cmd_output_calculate_t;
static void fill_buffer_prng_bytes(void *buffer, size_t byte_count) {
if (byte_count <= 0) {
if (byte_count == 0) {
return;
}
@ -225,14 +233,10 @@ static int get_em4x70_info(const em4x70_cmd_input_info_t *opts, em4x70_tag_info_
if (WaitForResponseTimeout(CMD_LF_EM4X70_INFO, &resp, TIMEOUT) == false) {
return PM3_ETIMEOUT;
}
//iceman: prefer to have specific return code check.
// like resp.status != PM3_SUCCESS if looking for failure
if (resp.status) {
if (resp.status == PM3_SUCCESS) {
memcpy(data_out, resp.data.asBytes, sizeof(em4x70_tag_info_t));
return PM3_SUCCESS;
}
return PM3_ESOFT;
return resp.status;
}
static int writeblock_em4x70(const em4x70_cmd_input_writeblock_t *opts, em4x70_tag_info_t *data_out) {
@ -251,14 +255,10 @@ static int writeblock_em4x70(const em4x70_cmd_input_writeblock_t *opts, em4x70_t
if (WaitForResponseTimeout(CMD_LF_EM4X70_WRITE, &resp, TIMEOUT) == false) {
return PM3_ETIMEOUT;
}
//iceman: prefer to have specific return code check.
// like resp.status != PM3_SUCCESS if looking for failure
if (resp.status) {
if (resp.status == PM3_SUCCESS) {
memcpy(data_out, resp.data.asBytes, sizeof(em4x70_tag_info_t));
return PM3_SUCCESS;
}
return PM3_ESOFT;
return resp.status;
}
static int auth_em4x70(const em4x70_cmd_input_auth_t *opts, em4x70_cmd_output_auth_t *data_out) {
@ -276,20 +276,15 @@ static int auth_em4x70(const em4x70_cmd_input_auth_t *opts, em4x70_cmd_output_au
if (WaitForResponseTimeout(CMD_LF_EM4X70_AUTH, &resp, TIMEOUT) == false) {
return PM3_ETIMEOUT;
}
//iceman: prefer to have specific return code check.
// like resp.status != PM3_SUCCESS if looking for failure
if (resp.status) {
if (resp.status == PM3_SUCCESS) {
// Response is 20-bit from tag
// HACKHACK -- It appears the byte order differs from what is expected?
data_out->grn.grn[0] = resp.data.asBytes[2];
data_out->grn.grn[1] = resp.data.asBytes[1];
data_out->grn.grn[2] = resp.data.asBytes[0];
//memcpy(data_out, &resp.data.asBytes[0], sizeof(ID48LIB_GRN));
return PM3_SUCCESS;
}
return PM3_ESOFT;
return resp.status;
}
static int setkey_em4x70(const em4x70_cmd_input_setkey_t *opts) {
@ -305,13 +300,7 @@ static int setkey_em4x70(const em4x70_cmd_input_setkey_t *opts) {
if (WaitForResponseTimeout(CMD_LF_EM4X70_SETKEY, &resp, TIMEOUT) == false) {
return PM3_ETIMEOUT;
}
//iceman: prefer to have specific return code check.
// like resp.status != PM3_SUCCESS if looking for failure
if (resp.status) {
return PM3_SUCCESS;
}
return PM3_ESOFT;
return resp.status;
}
static int brute_em4x70(const em4x70_cmd_input_brute_t *opts, em4x70_cmd_output_brute_t *data_out) {
@ -346,14 +335,10 @@ static int brute_em4x70(const em4x70_cmd_input_brute_t *opts, em4x70_cmd_output_
}
if (WaitForResponseTimeout(CMD_LF_EM4X70_BRUTE, &resp, TIMEOUT)) {
//iceman: prefer to have specific return code check.
// like resp.status != PM3_SUCCESS if looking for failure
if (resp.status) {
if (resp.status == PM3_SUCCESS) {
memcpy(data_out, resp.data.asBytes, sizeof(em4x70_cmd_output_brute_t));
return PM3_SUCCESS;
}
return PM3_ESOFT;
return resp.status;
}
// NOTE: It takes about 11 seconds per 0x0100 authentication attempts.
@ -383,15 +368,10 @@ static int unlock_em4x70(const em4x70_cmd_input_unlock_t *opts, em4x70_tag_info_
if (WaitForResponseTimeout(CMD_LF_EM4X70_UNLOCK, &resp, TIMEOUT) == false) {
return PM3_ETIMEOUT;
}
//iceman: prefer to have specific return code check.
// like resp.status != PM3_SUCCESS if looking for failure
if (resp.status) {
if (resp.status == PM3_SUCCESS) {
memcpy(data_out, resp.data.asBytes, sizeof(em4x70_tag_info_t));
return PM3_SUCCESS;
}
return PM3_ESOFT;
return resp.status;
}
static int setpin_em4x70(const em4x70_cmd_input_setpin_t *opts, em4x70_tag_info_t *data_out) {
@ -408,14 +388,10 @@ static int setpin_em4x70(const em4x70_cmd_input_setpin_t *opts, em4x70_tag_info_
if (WaitForResponseTimeout(CMD_LF_EM4X70_SETPIN, &resp, TIMEOUT) == false) {
return PM3_ETIMEOUT;
}
//iceman: prefer to have specific return code check.
// like resp.status != PM3_SUCCESS if looking for failure
if (resp.status) {
if (resp.status == PM3_SUCCESS) {
memcpy(data_out, resp.data.asBytes, sizeof(em4x70_tag_info_t));
return PM3_SUCCESS;
}
return PM3_ESOFT;
return resp.status;
}
static int recover_em4x70(const em4x70_cmd_input_recover_t *opts, em4x70_cmd_output_recover_t *data_out) {
@ -463,23 +439,8 @@ static int verify_auth_em4x70(const em4x70_cmd_input_verify_auth_t *opts) {
return result;
}
// used by `lf search` and `search`, this is a quick test for EM4x70 tag
// In alignment with other tags implementations, this also dumps basic information
// about the tag, if one is found.
// Use helper function `get_em4x70_info()` if wanting to limit / avoid output.
bool detect_4x70_block(void) {
em4x70_tag_info_t info;
em4x70_cmd_input_info_t opts = { 0 };
int result = get_em4x70_info(&opts, &info);
if (result == PM3_ETIMEOUT) { // consider removing this output?
PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
}
return result == PM3_SUCCESS;
}
int CmdEM4x70Info(const char *Cmd) {
static int CmdEM4x70Info(const char *Cmd) {
// invoke reading of a EM4x70 tag which has to be on the antenna because
// decoding is done by the device (not on client side)
@ -519,7 +480,7 @@ int CmdEM4x70Info(const char *Cmd) {
return result;
}
int CmdEM4x70Write(const char *Cmd) {
static int CmdEM4x70Write(const char *Cmd) {
// write one block/word (16 bits) to the tag at given block address (0-15)
CLIParserContext *ctx;
@ -571,7 +532,7 @@ int CmdEM4x70Write(const char *Cmd) {
return result;
}
int CmdEM4x70Brute(const char *Cmd) {
static int CmdEM4x70Brute(const char *Cmd) {
// From paper "Dismantling Megamos Crypto", Roel Verdult, Flavio D. Garcia and Barıs¸ Ege.
// Partial Key-Update Attack (optimized version)
@ -581,7 +542,9 @@ int CmdEM4x70Brute(const char *Cmd) {
"This attack does NOT write anything to the tag.\n"
"Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'.\n"
"After success, the 16-bit key block have to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'\n",
"lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 --> bruteforcing key bits k95...k80\n"
"lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 --> bruteforcing key bits k95...k80 (pm3 test key)\n"
"lf em 4x70 brute -b 8 --rnd 3FFE1FB6CC513F --frn F355F1A0 --> bruteforcing key bits k79...k64 (research paper key)\n"
"lf em 4x70 brute -b 7 --rnd 7D5167003571F8 --frn 982DBCC0 --> bruteforcing key bits k63...k48 (autorecovery test key)\n"
);
void *argtable[] = {
arg_param_begin,
@ -655,7 +618,7 @@ int CmdEM4x70Brute(const char *Cmd) {
return result;
}
int CmdEM4x70Unlock(const char *Cmd) {
static int CmdEM4x70Unlock(const char *Cmd) {
// send pin code to device, unlocking it for writing
CLIParserContext *ctx;
@ -703,7 +666,7 @@ int CmdEM4x70Unlock(const char *Cmd) {
return result;
}
int CmdEM4x70Auth(const char *Cmd) {
static int CmdEM4x70Auth(const char *Cmd) {
// Authenticate transponder
// Send 56-bit random number + pre-computed f(rnd, k) to transponder.
@ -716,6 +679,7 @@ int CmdEM4x70Auth(const char *Cmd) {
" If F(RN) is correct based on the tag key, the tag will give a 20-bit response\n",
"lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 --> (using pm3 test key)\n"
"lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 --> (using research paper key)\n"
"lf em 4x70 auth --rnd 7D5167003571F8 --frn 982DBCC0 --> (autorecovery test key)\n"
);
void *argtable[] = {
@ -762,7 +726,7 @@ int CmdEM4x70Auth(const char *Cmd) {
return result;
}
int CmdEM4x70SetPIN(const char *Cmd) {
static int CmdEM4x70SetPIN(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "lf em 4x70 setpin",
"Write new PIN\n",
@ -807,12 +771,13 @@ int CmdEM4x70SetPIN(const char *Cmd) {
return result;
}
int CmdEM4x70SetKey(const char *Cmd) {
static int CmdEM4x70SetKey(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "lf em 4x70 setkey",
"Write new 96-bit key to tag\n",
"lf em 4x70 setkey -k F32AA98CF5BE4ADFA6D3480B (pm3 test key)\n"
"lf em 4x70 setkey -k A090A0A02080000000000000 (research paper key)\n"
"lf em 4x70 setkey -k 022A028C02BE000102030405 (autorecovery test key)\n"
);
void *argtable[] = {
@ -932,6 +897,7 @@ static int CmdEM4x70Recover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_
,
"lf em 4x70 recover --key F32AA98CF5BE --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)\n"
"lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)\n"
"lf em 4x70 recover --key 022A028C02BE --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key)\n"
);
void *argtable[] = {
@ -1003,7 +969,7 @@ static int CmdEM4x70Recover_ParseArgs(const char *Cmd, em4x70_cmd_input_recover_
return result;
}
int CmdEM4x70Recover(const char *Cmd) {
static int CmdEM4x70Recover(const char *Cmd) {
// From paper "Dismantling Megamos Crypto", Roel Verdult, Flavio D. Garcia and Barıs¸ Ege.
// Partial Key-Update Attack -- final 48 bits (after optimized version gets k95..k48)
em4x70_recovery_data_t recover_ctx = {0};
@ -1137,6 +1103,7 @@ static int CmdEM4x70AutoRecover_ParseArgs(const char *Cmd, em4x70_cmd_input_reco
,
"lf em 4x70 autorecover --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)\n"
"lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)\n"
"lf em 4x70 autorecover --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key)\n"
);
void *argtable[] = {
@ -1471,6 +1438,97 @@ static int CmdEM4x70AutoRecover(const char *Cmd) {
return result;
}
static int CmdEM4x70Calc_ParseArgs(const char *Cmd, em4x70_cmd_input_calculate_t *out_results) {
memset(out_results, 0, sizeof(em4x70_cmd_input_calculate_t));
int result = PM3_SUCCESS;
CLIParserContext *ctx;
CLIParserInit(
&ctx,
"lf em 4x70 calc",
"Calculates both the reader and tag challenge for a user-provided key and rnd.\n"
,
"lf em 4x70 calc --key F32AA98CF5BE4ADFA6D3480B --rnd 45F54ADA252AAC (pm3 test key)\n" // --frn 4866BB70 --grn 9BD180
"lf em 4x70 calc --key A090A0A02080000000000000 --rnd 3FFE1FB6CC513F (research paper key)\n" // --frn F355F1A0 --grn 609D60
"lf em 4x70 calc --key 022A028C02BE000102030405 --rnd 7D5167003571F8 (autorecovery test key)\n" // --frn 982DBCC0 --grn 36C0E0
);
void *argtable[] = {
arg_param_begin,
arg_str1(NULL, "key", "<hex>", "Key 96-bit as 12 hex bytes"),
arg_str1(NULL, "rnd", "<hex>", "56-bit random value sent to tag for authentication"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
int key_len = 0; // must be 12 bytes hex data
int rnd_len = 0; // must be 7 bytes hex data
// These macros hide early function return on error ... including free'ing ctx.
CLIGetHexWithReturn(ctx, 1, out_results->key.k, &key_len);
CLIGetHexWithReturn(ctx, 2, out_results->rn.rn, &rnd_len);
CLIParserFree(ctx);
if (key_len != 12) {
PrintAndLogEx(FAILED, "Key length must be 12 bytes, got %d", key_len);
result = PM3_EINVARG;
}
if (rnd_len != 7) {
PrintAndLogEx(FAILED, "Random number length must be 7 bytes, got %d", rnd_len);
result = PM3_EINVARG;
}
return result;
}
static int CmdEM4x70Calc(const char *Cmd) {
em4x70_cmd_input_calculate_t opts = {0};
em4x70_cmd_output_calculate_t data = {0};
// 0. Parse the command line
int result = CmdEM4x70Calc_ParseArgs(Cmd, &opts);
if (PM3_SUCCESS != result) {
return result;
}
// There are no failure paths. All inputs are valid, and ID48LIB doesn't add any failure paths.
id48lib_generator(&opts.key, &opts.rn, &data.frn, &data.grn);
char key_string[24 + 1] = {0};
char rnd_string[14 + 1] = {0};
char frn_string[ 8 + 1] = {0};
char grn_string[ 6 + 1] = {0};
if (true) {
snprintf(
key_string, 25,
"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
opts.key.k[ 0], opts.key.k[ 1], opts.key.k[ 2], opts.key.k[ 3],
opts.key.k[ 4], opts.key.k[ 5], opts.key.k[ 6], opts.key.k[ 7],
opts.key.k[ 8], opts.key.k[ 9], opts.key.k[10], opts.key.k[11]
);
snprintf(
rnd_string, 15,
"%02X%02X%02X%02X%02X%02X%02X",
opts.rn.rn[0], opts.rn.rn[1], opts.rn.rn[2], opts.rn.rn[3], opts.rn.rn[4], opts.rn.rn[5], opts.rn.rn[6]
);
snprintf(
frn_string, 9,
"%02X%02X%02X%02X",
data.frn.frn[0], data.frn.frn[1], data.frn.frn[2], data.frn.frn[3]
);
snprintf(
grn_string, 7,
"%02X%02X%02X",
data.grn.grn[0], data.grn.grn[1], data.grn.grn[2]
);
}
PrintAndLogEx(SUCCESS, "KEY: %s RND: %s FRN: " _GREEN_("%s") " GRN: " _GREEN_("%s"), key_string, rnd_string, frn_string, grn_string);
return PM3_SUCCESS;
}
// Must be declared to be used in the table,
// but cannot be defined yet because it uses the table.
static int CmdHelp(const char *Cmd);
static command_t CommandTable[] = {
{"help", CmdHelp, AlwaysAvailable, "This help"},
@ -1481,6 +1539,7 @@ static command_t CommandTable[] = {
{"auth", CmdEM4x70Auth, IfPm3EM4x70, "Authenticate EM4x70"},
{"setpin", CmdEM4x70SetPIN, IfPm3EM4x70, "Write PIN"},
{"setkey", CmdEM4x70SetKey, IfPm3EM4x70, "Write key"},
{"calc", CmdEM4x70Calc, AlwaysAvailable, "Calculate EM4x70 challenge and response"},
{"recover", CmdEM4x70Recover, AlwaysAvailable, "Recover remaining key from partial key"},
{"autorecover", CmdEM4x70AutoRecover, IfPm3EM4x70, "Recover entire key from writable tag"},
{NULL, NULL, NULL, NULL}
@ -1492,7 +1551,27 @@ static int CmdHelp(const char *Cmd) {
return PM3_SUCCESS;
}
///////////////////////////////////////////////////////////////////////////////
// Only two functions need to be non-static:
// * CmdLFEM4X70()
// * detect_4x70_block()
int CmdLFEM4X70(const char *Cmd) {
clearCommandBuffer();
return CmdsParse(CommandTable, Cmd);
}
// used by `lf search` and `search`, this is a quick test for EM4x70 tag
// In alignment with other tags implementations, this also dumps basic information
// about the tag, if one is found.
// Use helper function `get_em4x70_info()` if wanting to limit / avoid output.
bool detect_4x70_block(void) {
em4x70_tag_info_t info;
em4x70_cmd_input_info_t opts = { 0 };
int result = get_em4x70_info(&opts, &info);
if (result == PM3_ETIMEOUT) { // consider removing this output?
PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
}
return result == PM3_SUCCESS;
}

8
client/src/cmdlfem4x70.h
View file

@ -24,14 +24,6 @@
#define TIMEOUT 2000
int CmdLFEM4X70(const char *Cmd);
int CmdEM4x70Info(const char *Cmd);
int CmdEM4x70Write(const char *Cmd);
int CmdEM4x70Brute(const char *Cmd);
int CmdEM4x70Unlock(const char *Cmd);
int CmdEM4x70Auth(const char *Cmd);
int CmdEM4x70SetPIN(const char *Cmd);
int CmdEM4x70SetKey(const char *Cmd);
int CmdEM4x70Recover(const char *Cmd);
// for `lf search`:
bool detect_4x70_block(void);

80
client/src/cmdlfhitag.c
View file

@ -2167,6 +2167,77 @@ static int CmdLFHitag2Lookup(const char *Cmd) {
return PM3_SUCCESS;
}
static int CmdLFHitag2Crack2(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "lf hitag lookup",
"This command tries to recover 2048 bits of Hitag2 crypto stream data.\n",
"lf hitag crack2 --nrar 73AA5A62EAB8529C"
);
void *argtable[] = {
arg_param_begin,
arg_str0(NULL, "nrar", "<hex>", "specify nonce / answer as 8 hex bytes"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
int nalen = 0;
uint8_t nrar[8] = {0};
CLIGetHexWithReturn(ctx, 1, nrar, &nalen);
CLIParserFree(ctx);
// sanity checks
if (nalen && nalen != 8) {
PrintAndLogEx(INFO, "NrAr wrong length. expected 8, got %i", nalen);
return PM3_EINVARG;
}
lf_hitag_data_t packet;
memset(&packet, 0, sizeof(packet));
memcpy(packet.NrAr, nrar, sizeof(packet.NrAr));
PrintAndLogEx(INFO, _YELLOW_("Hitag 2") " - Crack2 (NrAR)");
uint64_t t1 = msclock();
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_LF_HITAG2_CRACK_2, (uint8_t *) &packet, sizeof(packet));
// loop
uint8_t attempt = 30;
do {
PrintAndLogEx(INPLACE, "Attack 2 running...");
fflush(stdout);
if (WaitForResponseTimeout(CMD_LF_HITAG2_CRACK_2, &resp, 1000) == false) {
attempt--;
continue;
}
// lf_hitag_crack_response_t *payload = (lf_hitag_crack_response_t *)resp.data.asBytes;
if (resp.status == PM3_SUCCESS) {
PrintAndLogEx(NORMAL, " ( %s )", _GREEN_("ok"));
break;
} else {
PrintAndLogEx(NORMAL, " ( %s )", _RED_("fail"));
break;
}
} while (attempt);
if (attempt == 0) {
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(WARNING, "timeout while waiting for reply.");
return PM3_ESOFT;
}
t1 = msclock() - t1;
PrintAndLogEx(SUCCESS, "\ntime " _YELLOW_("%.0f") " seconds\n", (float)t1 / 1000.0);
return PM3_SUCCESS;
}
/* Test code
Test data and below information about it comes from
@ -2285,9 +2356,9 @@ static uint64_t hitag2_verify_crypto_test_round(void) {
static int CmdLFHitag2Selftest(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "lf hitag selftest",
"Perform selftest of Hitag crypto engine",
"lf hitag selftest\n"
CLIParserInit(&ctx, "lf hitag test",
"Perform self tests of Hitag crypto engine",
"lf hitag test\n"
);
void *argtable[] = {
@ -2324,7 +2395,7 @@ static command_t CommandTable[] = {
{"list", CmdLFHitagList, AlwaysAvailable, "List Hitag trace history"},
{"-----------", CmdHelp, IfPm3Hitag, "------------------------ " _CYAN_("General") " ------------------------"},
{"info", CmdLFHitagInfo, IfPm3Hitag, "Hitag 2 tag information"},
{"selftest", CmdLFHitag2Selftest, AlwaysAvailable, "Perform self test"},
{"test", CmdLFHitag2Selftest, AlwaysAvailable, "Perform self tests"},
{"-----------", CmdHelp, IfPm3Hitag, "----------------------- " _CYAN_("Operations") " -----------------------"},
// {"demod", CmdLFHitag2PWMDemod, IfPm3Hitag, "PWM Hitag 2 reader message demodulation"},
{"dump", CmdLFHitag2Dump, IfPm3Hitag, "Dump Hitag 2 tag"},
@ -2339,6 +2410,7 @@ static command_t CommandTable[] = {
{"sim", CmdLFHitagSim, IfPm3Hitag, "Simulate Hitag transponder"},
{"-----------", CmdHelp, IfPm3Hitag, "----------------------- " _CYAN_("Recovery") " -----------------------"},
{"cc", CmdLFHitagSCheckChallenges, IfPm3Hitag, "Hitag S: test all provided challenges"},
{"crack2", CmdLFHitag2Crack2, IfPm3Hitag, "Recover 2048bits of crypto stream"},
{"chk", CmdLFHitag2Chk, IfPm3Hitag, "Check keys"},
{"lookup", CmdLFHitag2Lookup, AlwaysAvailable, "Uses authentication trace to check for key in dictionary file"},
{"ta", CmdLFHitag2CheckChallenges, IfPm3Hitag, "Hitag 2: test all recorded authentications"},

2
client/src/cmdlfnedap.c
View file

@ -530,7 +530,7 @@ static int CmdLFNedapSim(const char *Cmd) {
uint8_t data[16];
NedapGen(sub_type, customer_code, id, is_long, data);
uint8_t bs[16 * 8];
uint8_t bs[16 * 8] = {0};
for (uint8_t i = 0; i < max; i++) {
num_to_bytebits(data[i], 8, bs + i * 8);
}

38
client/src/cmdtrace.c
View file

@ -42,12 +42,12 @@ static bool is_last_record(uint16_t tracepos, uint16_t traceLen) {
}
static bool next_record_is_response(uint16_t tracepos, uint8_t *trace) {
tracelog_hdr_t *hdr = (tracelog_hdr_t *)(trace + tracepos);
const tracelog_hdr_t *hdr = (tracelog_hdr_t *)(trace + tracepos);
return (hdr->isResponse);
}
static bool merge_topaz_reader_frames(uint32_t timestamp, uint32_t *duration, uint16_t *tracepos, uint16_t traceLen,
uint8_t *trace, uint8_t *frame, uint8_t *topaz_reader_command, uint16_t *data_len) {
uint8_t *trace, const uint8_t *frame, uint8_t *topaz_reader_command, uint16_t *data_len) {
#define MAX_TOPAZ_READER_CMD_LEN 16
@ -59,7 +59,7 @@ static bool merge_topaz_reader_frames(uint32_t timestamp, uint32_t *duration, ui
while (!is_last_record(*tracepos, traceLen) && !next_record_is_response(*tracepos, trace)) {
tracelog_hdr_t *hdr = (tracelog_hdr_t *)(trace + *tracepos);
const tracelog_hdr_t *hdr = (tracelog_hdr_t *)(trace + *tracepos);
*tracepos += TRACELOG_HDR_LEN + hdr->data_len;
@ -93,7 +93,7 @@ static uint8_t calc_pos(const uint8_t *d) {
// Copy an existing buffer into client trace buffer
// I think this is cleaner than further globalizing gs_trace, and may lend itself to more modularity later?
bool ImportTraceBuffer(uint8_t *trace_src, uint16_t trace_len) {
bool ImportTraceBuffer(const uint8_t *trace_src, uint16_t trace_len) {
if (trace_len == 0 || trace_src == NULL) return (false);
if (gs_trace) {
free(gs_trace);
@ -218,7 +218,7 @@ static uint16_t extractChallenges(uint16_t tracepos, uint16_t traceLen, uint8_t
switch (c) {
case ICLASS_CMD_SELECT: {
tracelog_hdr_t *next_hdr = (tracelog_hdr_t *)(trace + tracepos);
const tracelog_hdr_t *next_hdr = (tracelog_hdr_t *)(trace + tracepos);
tracepos += SKIP_TO_NEXT(next_hdr);
if (next_hdr->data_len != 10) {
break;
@ -231,7 +231,7 @@ static uint16_t extractChallenges(uint16_t tracepos, uint16_t traceLen, uint8_t
// get epurse
if (frame[1] == 2 && data_len == 2) {
tracelog_hdr_t *next_hdr = (tracelog_hdr_t *)(trace + tracepos);
const tracelog_hdr_t *next_hdr = (tracelog_hdr_t *)(trace + tracepos);
tracepos += SKIP_TO_NEXT(next_hdr);
if (next_hdr->data_len < 8) {
break;
@ -641,25 +641,22 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr
} else if (((protocol == PROTO_HITAG1) || (protocol == PROTO_HITAG2) || (protocol == PROTO_HITAGS))) {
if (j == 0) {
// handle partial bytes. The parity array[0] is used to store number of left over bits from NBYTES
// This part prints the number of bits in the trace entry for hitag.
uint8_t nbits = parityBytes[0];
if (j == 0) {
// only apply this to lesser than one byte
if (data_len == 1) {
if (nbits == 5) {
snprintf(line[0], 120, "%2u: %02X ", nbits, frame[0] >> (8 - nbits));
} else {
snprintf(line[0], 120, "%2u: %02X ", nbits, frame[0] >> (8 - nbits));
}
} else {
if (nbits == 0) {
snprintf(line[0], 120, "%2u: %02X ", (data_len * 8), frame[0]);
snprintf(line[0], 120, "%2u: %02X ", (uint16_t)(data_len * 8), frame[0]);
} else {
snprintf(line[0], 120, "%2u: %02X ", ((data_len - 1) * 8) + nbits, frame[0]);
snprintf(line[0], 120, "%2u: %02X ", (uint16_t)(((data_len - 1) * 8) + nbits), frame[0]);
}
}
offset = 4;
@ -676,7 +673,7 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr
if (markCRCBytes && data_len > 2) {
// CRC-command
if (((protocol == PROTO_HITAG1) || (protocol == PROTO_HITAGS)) && (data_len > 1)) {
if (((protocol == PROTO_HITAG1) || (protocol == PROTO_HITAGS))) {
// Note that UID REQUEST response has no CRC, but we don't know
// if the response we see is a UID
char *pos1 = line[(data_len - 1) / 18] + (((data_len - 1) % 18) * 4) + offset - 1;
@ -989,7 +986,6 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr
// handle partial bytes. The parity array[0] is used to store number of left over bits from NBYTES
// This part prints the number of bits in the trace entry for hitag.
uint8_t nbits = parityBytes[0];
annotateHitag2(explanation, sizeof(explanation), ht2plain, n, nbits, hdr->isResponse, NULL, 0, true);
// iceman: colorise crc bytes here will need a refactor of code from above.
@ -1000,19 +996,13 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr
// only apply this to lesser than one byte
if (n == 1) {
if (nbits == 5) {
snprintf(line[0], 120, "%2u: %02X ", nbits, ht2plain[0] >> (8 - nbits));
} else {
snprintf(line[0], 120, "%2u: %02X ", nbits, ht2plain[0] >> (8 - nbits));
}
} else {
if (nbits == 0) {
snprintf(line[0], 120, "%2u: %02X ", (n * 8), ht2plain[0]);
snprintf(line[0], 120, "%2u: %02X ", (uint16_t)(n * 8), ht2plain[0]);
} else {
snprintf(line[0], 120, "%2u: %02X ", ((n - 1) * 8) + nbits, ht2plain[0]);
snprintf(line[0], 120, "%2u: %02X ", (uint16_t)(((n - 1) * 8) + nbits), ht2plain[0]);
}
}
offset = 4;
@ -1049,7 +1039,7 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr
if (showWaitCycles && hdr->isResponse == false && next_record_is_response(tracepos, trace)) {
tracelog_hdr_t *next_hdr = (tracelog_hdr_t *)(trace + tracepos);
const tracelog_hdr_t *next_hdr = (tracelog_hdr_t *)(trace + tracepos);
uint32_t time1 = end_of_transmission_timestamp - first_hdr->timestamp;
uint32_t time2 = next_hdr->timestamp - first_hdr->timestamp;

2
client/src/cmdtrace.h
View file

@ -24,6 +24,6 @@
int CmdTrace(const char *Cmd);
int CmdTraceList(const char *Cmd);
int CmdTraceListAlias(const char *Cmd, const char *alias, const char *protocol);
bool ImportTraceBuffer(uint8_t *trace_src, uint16_t trace_len);
bool ImportTraceBuffer(const uint8_t *trace_src, uint16_t trace_len);
#endif

16
client/src/comms.c
View file

@ -87,7 +87,7 @@ void SendCommandBL(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, vo
SendCommandOLD(cmd, arg0, arg1, arg2, data, len);
}
void SendCommandOLD(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, void *data, size_t len) {
void SendCommandOLD(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const void *data, size_t len) {
PacketCommandOLD c = {CMD_UNKNOWN, {0, 0, 0}, {{0}}};
c.cmd = cmd;
c.arg[0] = arg0;
@ -198,7 +198,7 @@ void SendCommandNG(uint16_t cmd, uint8_t *data, size_t len) {
SendCommandNG_internal(cmd, data, len, true);
}
void SendCommandMIX(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, void *data, size_t len) {
void SendCommandMIX(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const void *data, size_t len) {
uint64_t arg[3] = {arg0, arg1, arg2};
if (len > PM3_CMD_DATA_SIZE_MIX) {
PrintAndLogEx(WARNING, "Sending %zu bytes of payload is too much for MIX frames, abort", len);
@ -228,7 +228,7 @@ void clearCommandBuffer(void) {
* @brief storeCommand stores a USB command in a circular buffer
* @param UC
*/
static void storeReply(PacketResponseNG *packet) {
static void storeReply(const PacketResponseNG *packet) {
pthread_mutex_lock(&rxBufferMutex);
if ((cmd_head + 1) % CMD_BUFFER_SIZE == cmd_tail) {
//If these two are equal, we're about to overwrite in the
@ -296,7 +296,7 @@ static void PacketResponseReceived(PacketResponseNG *packet) {
uint16_t flag;
uint8_t buf[PM3_CMD_DATA_SIZE - sizeof(uint16_t)];
} PACKED;
struct d *data = (struct d *)&packet->data.asBytes;
const struct d *data = (struct d *)&packet->data.asBytes;
len = packet->length - sizeof(data->flag);
flag = data->flag;
memcpy(s, data->buf, len);
@ -350,7 +350,7 @@ static void PacketResponseReceived(PacketResponseNG *packet) {
// When communication thread is dead, start up and try to start it again
void *uart_reconnect(void *targ) {
communication_arg_t *connection = (communication_arg_t *)targ;
const communication_arg_t *connection = (communication_arg_t *)targ;
#if defined(__MACH__) && defined(__APPLE__)
disableAppNap("Proxmark3 polling UART");
@ -405,7 +405,7 @@ __attribute__((force_align_arg_pointer))
#endif
#endif
*uart_communication(void *targ) {
communication_arg_t *connection = (communication_arg_t *)targ;
const communication_arg_t *connection = (communication_arg_t *)targ;
uint32_t rxlen;
bool commfailed = false;
PacketResponseNG rx;
@ -686,7 +686,7 @@ bool IsCommunicationThreadDead(void) {
bool SetCommunicationReceiveMode(bool isRawMode) {
if (isRawMode) {
uint8_t *buffer = __atomic_load_n(&comm_raw_data, __ATOMIC_SEQ_CST);
const uint8_t *buffer = __atomic_load_n(&comm_raw_data, __ATOMIC_SEQ_CST);
if (buffer == NULL) {
PrintAndLogEx(ERR, "Buffer for raw data is not set");
return false;
@ -850,7 +850,7 @@ int TestProxmark(pm3_device_t *dev) {
return PM3_EDEVNOTSUPP;
}
memcpy(&g_pm3_capabilities, resp.data.asBytes, MIN(sizeof(capabilities_t), resp.length));
memcpy(&g_pm3_capabilities, resp.data.asBytes, sizeof(capabilities_t));
g_conn.send_via_fpc_usart = g_pm3_capabilities.via_fpc;
g_conn.uart_speed = g_pm3_capabilities.baudrate;

4
client/src/comms.h
View file

@ -96,9 +96,9 @@ void *uart_reconnect(void *targ);
void *uart_receiver(void *targ);
void SendCommandBL(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, void *data, size_t len);
void SendCommandOLD(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, void *data, size_t len);
void SendCommandOLD(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const void *data, size_t len);
void SendCommandNG(uint16_t cmd, uint8_t *data, size_t len);
void SendCommandMIX(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, void *data, size_t len);
void SendCommandMIX(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, const void *data, size_t len);
void clearCommandBuffer(void);
#define FLASHMODE_SPEED 460800

2
client/src/emv/cmdemv.c
View file

@ -292,7 +292,7 @@ static int emv_parse_track1(const uint8_t *d, size_t n, bool verbose) {
// decoder
char *tmp = str_ndup((const char *)d, n);
uint8_t i = 0;
char delim[2] = "^";
const char delim[2] = "^";
char *token = strtok(tmp, delim);
while (token != NULL) {

10
client/src/fileutils.c
View file

@ -747,7 +747,7 @@ out:
int saveFileJSONroot(const char *preferredName, void *root, size_t flags, bool verbose) {
return saveFileJSONrootEx(preferredName, root, flags, verbose, false);
}
int saveFileJSONrootEx(const char *preferredName, void *root, size_t flags, bool verbose, bool overwrite) {
int saveFileJSONrootEx(const char *preferredName, const void *root, size_t flags, bool verbose, bool overwrite) {
if (root == NULL)
return PM3_EINVARG;
@ -863,7 +863,7 @@ out:
}
// key file dump
int createMfcKeyDump(const char *preferredName, uint8_t sectorsCnt, sector_t *e_sector) {
int createMfcKeyDump(const char *preferredName, uint8_t sectorsCnt, const sector_t *e_sector) {
if (e_sector == NULL) return PM3_EINVARG;
@ -1743,7 +1743,7 @@ int loadFileJSONex(const char *preferredName, void *data, size_t maxdatalen, siz
goto out;
}
snprintf(blocks, sizeof(blocks), "$.blocks.%d", i);
snprintf(blocks, sizeof(blocks), "$.blocks.%u", i);
JsonLoadBufAsHex(root, blocks, &tag->data[sptr], 4, &len);
if (load_file_sanity(ctype, tag->bytesPerPage, i, len) == false) {
break;
@ -1790,7 +1790,7 @@ int loadFileJSONex(const char *preferredName, void *data, size_t maxdatalen, siz
goto out;
}
snprintf(blocks, sizeof(blocks), "$.blocks.%d", i);
snprintf(blocks, sizeof(blocks), "$.blocks.%u", i);
JsonLoadBufAsHex(root, blocks, &tag->data[sptr], 8, &len);
if (load_file_sanity(ctype, tag->bytesPerPage, i, len) == false) {
break;
@ -2426,7 +2426,7 @@ mfu_df_e detect_mfu_dump_format(uint8_t **dump, bool verbose) {
// detect plain
if (retval == MFU_DF_UNKNOWN) {
uint8_t *plain = *dump;
const uint8_t *plain = *dump;
bcc0 = ct ^ plain[0] ^ plain[1] ^ plain[2];
bcc1 = plain[4] ^ plain[5] ^ plain[6] ^ plain[7];
if ((bcc0 == plain[3]) && (bcc1 == plain[8])) {

8
client/src/fileutils.h
View file

@ -107,8 +107,8 @@ int fileExists(const char *filename);
bool setDefaultPath(savePaths_t pathIndex, const char *path);
char *newfilenamemcopy(const char *preferredName, const char *suffix);
char *newfilenamemcopyEx(const char *preferredName, const char *suffix, savePaths_t save_path);
void truncate_filename(char *fn, uint16_t len);
char *newfilenamemcopyEx(const char *preferredName, const char *suffix, savePaths_t e_save_path);
void truncate_filename(char *fn, uint16_t maxlen);
/**
@ -138,7 +138,7 @@ int saveFile(const char *preferredName, const char *suffix, const void *data, si
int saveFileJSON(const char *preferredName, JSONFileType ftype, uint8_t *data, size_t datalen, void (*callback)(json_t *));
int saveFileJSONex(const char *preferredName, JSONFileType ftype, uint8_t *data, size_t datalen, bool verbose, void (*callback)(json_t *), savePaths_t e_save_path);
int saveFileJSONroot(const char *preferredName, void *root, size_t flags, bool verbose);
int saveFileJSONrootEx(const char *preferredName, void *root, size_t flags, bool verbose, bool overwrite);
int saveFileJSONrootEx(const char *preferredName, const void *root, size_t flags, bool verbose, bool overwrite);
/** STUB
* @brief Utility function to save WAVE data to a file. This method takes a preferred name, but if that
* file already exists, it tries with another name until it finds something suitable.
@ -171,7 +171,7 @@ int saveFilePM3(const char *preferredName, int *data, size_t datalen);
* @param e_sector the keys in question
* @return 0 for ok, 1 for failz
*/
int createMfcKeyDump(const char *preferredName, uint8_t sectorsCnt, sector_t *e_sector);
int createMfcKeyDump(const char *preferredName, uint8_t sectorsCnt, const sector_t *e_sector);
/**
* @brief Utility function to load data from a binary file. This method takes a preferred name.

44
client/src/graph.c
View file

@ -32,6 +32,9 @@ int32_t g_OverlayBuffer[MAX_GRAPH_TRACE_LEN];
bool g_useOverlays = false;
size_t g_GraphTraceLen;
buffer_savestate_t g_saveState_gb;
marker_t g_MarkerA, g_MarkerB, g_MarkerC, g_MarkerD;
marker_t *g_TempMarkers;
uint8_t g_TempMarkerSize = 0;
/* write a manchester bit to the graph
*/
@ -465,6 +468,47 @@ bool fskClocks(uint8_t *fc1, uint8_t *fc2, uint8_t *rf1, int *firstClockEdge) {
return true;
}
void add_temporary_marker(uint32_t position, const char *label) {
if (g_TempMarkerSize == 0) { //Initialize the marker array
g_TempMarkers = (marker_t *)calloc(1, sizeof(marker_t));
} else { //add more space to the marker array using realloc()
marker_t *temp = (marker_t *)realloc(g_TempMarkers, ((g_TempMarkerSize + 1) * sizeof(marker_t)));
if (temp == NULL) { //Unable to reallocate memory for a new marker
PrintAndLogEx(FAILED, "Unable to allocate memory for a new temporary marker!");
free(temp);
return;
} else {
//Set g_TempMarkers to the new pointer
g_TempMarkers = temp;
}
}
g_TempMarkers[g_TempMarkerSize].pos = position;
char *markerLabel = (char *)calloc(1, strlen(label) + 1);
strcpy(markerLabel, label);
if (strlen(markerLabel) > 30) {
PrintAndLogEx(WARNING, "Label for temporary marker too long! Trunicating...");
markerLabel[30] = '\0';
}
strncpy(g_TempMarkers[g_TempMarkerSize].label, markerLabel, 30);
g_TempMarkerSize++;
memset(markerLabel, 0x00, strlen(label));
free(markerLabel);
}
void remove_temporary_markers(void) {
if (g_TempMarkerSize == 0) return;
memset(g_TempMarkers, 0x00, (g_TempMarkerSize * sizeof(marker_t)));
free(g_TempMarkers);
g_TempMarkerSize = 0;
}
buffer_savestate_t save_buffer32(uint32_t *src, size_t length) {
//calloc the memory needed
uint32_t *savedBuffer = (uint32_t *)calloc(length, sizeof(uint32_t));

12
client/src/graph.h
View file

@ -34,6 +34,11 @@ typedef struct {
uint32_t clock; // (optional) Clock data for the buffer
} buffer_savestate_t;
typedef struct {
uint32_t pos;
char label[30];
} marker_t;
void AppendGraph(bool redraw, uint16_t clock, int bit);
size_t ClearGraph(bool redraw);
bool HasGraphData(void);
@ -52,6 +57,9 @@ int GetNrzClock(const char *str, bool verbose);
int GetFskClock(const char *str, bool verbose);
bool fskClocks(uint8_t *fc1, uint8_t *fc2, uint8_t *rf1, int *firstClockEdge);
extern void add_temporary_marker(uint32_t position, const char *label);
extern void remove_temporary_markers(void);
buffer_savestate_t save_buffer32(uint32_t *src, size_t length);
buffer_savestate_t save_bufferS32(int32_t *src, size_t length);
buffer_savestate_t save_buffer8(uint8_t *src, size_t length);
@ -69,6 +77,10 @@ extern int32_t g_OverlayBuffer[MAX_GRAPH_TRACE_LEN];
extern bool g_useOverlays;
extern size_t g_GraphTraceLen;
extern marker_t g_MarkerA, g_MarkerB, g_MarkerC, g_MarkerD;
extern marker_t *g_TempMarkers;
extern uint8_t g_TempMarkerSize;
extern double g_GridOffset;
extern buffer_savestate_t g_saveState_gb;

2
client/src/loclass/elite_crack.c
View file

@ -158,7 +158,7 @@ Definition 14. Define the rotate key function rk : (F 82 ) 8 × N → (F 82 ) 8
rk(x [0] . . . x [7] , 0) = x [0] . . . x [7]
rk(x [0] . . . x [7] , n + 1) = rk(rl(x [0] ) . . . rl(x [7] ), n)
**/
static void rk(uint8_t *key, uint8_t n, uint8_t *outp_key) {
static void rk(const uint8_t *key, uint8_t n, uint8_t *outp_key) {
memcpy(outp_key, key, 8);
while (n-- > 0) {
outp_key[0] = rl(outp_key[0]);

6
client/src/mifare/mifare4.c
View file

@ -203,7 +203,7 @@ int CalculateMAC(mf4Session_t *mf4session, MACType_t mtype, uint8_t blockNum, ui
return aes_cmac8(NULL, mf4session->Kmac, macdata, mac, macdatalen);
}
int MifareAuth4(mf4Session_t *mf4session, uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool dropFieldIfError, bool verbose, bool silentMode) {
int MifareAuth4(mf4Session_t *mf4session, const uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool dropFieldIfError, bool verbose, bool silentMode) {
uint8_t data[257] = {0};
int datalen = 0;
@ -375,7 +375,7 @@ static int intExchangeRAW14aPlus(uint8_t *datain, int datainlen, bool activateFi
return res;
}
int MFPWritePerso(uint8_t *keyNum, uint8_t *key, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
int MFPWritePerso(const uint8_t *keyNum, const uint8_t *key, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
uint8_t rcmd[3 + 16] = {0xa8, keyNum[1], keyNum[0], 0x00};
memmove(&rcmd[3], key, 16);
@ -432,7 +432,7 @@ int MFPReadBlock(mf4Session_t *mf4session, bool plain, bool nomaccmd, bool nomac
return PM3_SUCCESS;
}
int MFPWriteBlock(mf4Session_t *mf4session, bool plain, bool nomacres, uint8_t blockNum, uint8_t blockHdr, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac) {
int MFPWriteBlock(mf4Session_t *mf4session, bool plain, bool nomacres, uint8_t blockNum, uint8_t blockHdr, const uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac) {
int cmdb = 0xA1;
if (nomacres) {
cmdb = cmdb ^ 0x01; // If we do not want MAC in reply, remove 0x01

9
client/src/mifare/mifare4.h
View file

@ -20,6 +20,7 @@
#define MIFARE4_H
#include "common.h"
#include <stdbool.h>
typedef struct {
bool Authenticated;
@ -59,12 +60,12 @@ void mfpSetVerboseMode(bool verbose);
const char *mfpGetErrorDescription(uint8_t errorCode);
int CalculateMAC(mf4Session_t *mf4session, MACType_t mtype, uint8_t blockNum, uint8_t blockCount, uint8_t *data, int datalen, uint8_t *mac, bool verbose);
int MifareAuth4(mf4Session_t *mf4session, uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool dropFieldIfError, bool verbose, bool silentMode);
int MifareAuth4(mf4Session_t *mf4session, const uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool dropFieldIfError, bool verbose, bool silentMode);
int MFPWritePerso(uint8_t *keyNum, uint8_t *key, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
int MFPWritePerso(const uint8_t *keyNum, const uint8_t *key, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
int MFPCommitPerso(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
int MFPReadBlock(mf4Session_t *mf4session, bool plain, bool maccmd, bool macres, uint8_t blockNum, uint8_t blockCount, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac);
int MFPWriteBlock(mf4Session_t *mf4session, bool plain, bool nomacres, uint8_t blockNum, uint8_t blockHdr, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac);
int MFPReadBlock(mf4Session_t *mf4session, bool plain, bool nomaccmd, bool nomacres, uint8_t blockNum, uint8_t blockCount, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac);
int MFPWriteBlock(mf4Session_t *mf4session, bool plain, bool nomacres, uint8_t blockNum, uint8_t blockHdr, const uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac);
int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *dataout, bool verbose);
int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);

8
client/src/pm3line_vocabulary.h
View file

@ -118,6 +118,9 @@ const static vocabulary_t vocabulary[] = {
{ 1, "data diff" },
{ 0, "data hexsamples" },
{ 0, "data samples" },
{ 0, "data test_ss8" },
{ 0, "data test_ss32" },
{ 0, "data test_ss32s" },
{ 1, "emv help" },
{ 1, "emv list" },
{ 1, "emv test" },
@ -170,6 +173,8 @@ const static vocabulary_t vocabulary[] = {
{ 0, "hf 14b wrbl" },
{ 1, "hf 14b view" },
{ 1, "hf 14b valid" },
{ 0, "hf 14b calypso" },
{ 0, "hf 14b mobib" },
{ 1, "hf 15 help" },
{ 1, "hf 15 list" },
{ 1, "hf 15 demod" },
@ -645,7 +650,7 @@ const static vocabulary_t vocabulary[] = {
{ 1, "lf hitag help" },
{ 1, "lf hitag list" },
{ 0, "lf hitag info" },
{ 1, "lf hitag selftest" },
{ 1, "lf hitag test" },
{ 0, "lf hitag dump" },
{ 0, "lf hitag read" },
{ 0, "lf hitag sniff" },
@ -655,6 +660,7 @@ const static vocabulary_t vocabulary[] = {
{ 0, "lf hitag eview" },
{ 0, "lf hitag sim" },
{ 0, "lf hitag cc" },
{ 0, "lf hitag crack2" },
{ 0, "lf hitag chk" },
{ 1, "lf hitag lookup" },
{ 0, "lf hitag ta" },

44
client/src/proxgui.cpp
View file

@ -24,9 +24,6 @@
#include "ui.h" // for prints
static ProxGuiQT *gui = NULL;
marker_t g_MarkerA, g_MarkerB, g_MarkerC, g_MarkerD;
marker_t *g_TempMarkers;
uint8_t g_TempMarkerSize = 0;
static WorkerThread *main_loop_thread = NULL;
WorkerThread::WorkerThread(char *script_cmds_file, char *script_cmd, bool stayInCommandLoop) : script_cmds_file(script_cmds_file), script_cmd(script_cmd), stayInCommandLoop(stayInCommandLoop) {
@ -137,47 +134,6 @@ extern "C" void InitGraphics(int argc, char **argv, char *script_cmds_file, char
gui = new ProxGuiQT(argc, argv, main_loop_thread);
}
void add_temporary_marker(uint32_t position, const char *label) {
if (g_TempMarkerSize == 0) { //Initialize the marker array
g_TempMarkers = (marker_t *)calloc(1, sizeof(marker_t));
} else { //add more space to the marker array using realloc()
marker_t *temp = (marker_t *)realloc(g_TempMarkers, ((g_TempMarkerSize + 1) * sizeof(marker_t)));
if (temp == NULL) { //Unable to reallocate memory for a new marker
PrintAndLogEx(FAILED, "Unable to allocate memory for a new temporary marker!");
free(temp);
return;
} else {
//Set g_TempMarkers to the new pointer
g_TempMarkers = temp;
}
}
g_TempMarkers[g_TempMarkerSize].pos = position;
char *markerLabel = (char *)calloc(1, strlen(label) + 1);
strcpy(markerLabel, label);
if (strlen(markerLabel) > 30) {
PrintAndLogEx(WARNING, "Label for temporary marker too long! Trunicating...");
markerLabel[30] = '\0';
}
strncpy(g_TempMarkers[g_TempMarkerSize].label, markerLabel, 30);
g_TempMarkerSize++;
memset(markerLabel, 0x00, strlen(label));
free(markerLabel);
}
void remove_temporary_markers(void) {
if (g_TempMarkerSize == 0) return;
memset(g_TempMarkers, 0x00, (g_TempMarkerSize * sizeof(marker_t)));
free(g_TempMarkers);
g_TempMarkerSize = 0;
}
extern "C" void ExitGraphics(void) {
if (!gui)
return;

12
client/src/proxgui.h
View file

@ -27,11 +27,6 @@ extern "C" {
#include <stddef.h>
#include <stdbool.h>
typedef struct {
uint32_t pos;
char label[30];
} marker_t;
void ShowGraphWindow(void);
void HideGraphWindow(void);
void RepaintGraphWindow(void);
@ -46,16 +41,9 @@ void MainGraphics(void);
void InitGraphics(int argc, char **argv, char *script_cmds_file, char *script_cmd, bool stayInCommandLoop);
void ExitGraphics(void);
//Temporary Marker Functions
extern void add_temporary_marker(uint32_t position, const char *label);
extern void remove_temporary_markers(void);
extern double g_CursorScaleFactor;
extern char g_CursorScaleFactorUnit[11];
extern double g_PlotGridX, g_PlotGridY, g_DefaultGridX, g_DefaultGridY;
extern marker_t g_MarkerA, g_MarkerB, g_MarkerC, g_MarkerD;
extern marker_t *g_TempMarkers;
extern uint8_t g_TempMarkerSize;
extern uint32_t g_GraphStart, g_GraphStart_old, g_GraphStop;
extern int CommandFinished;
extern int offline;

12
client/src/proxguiqt.cpp
View file

@ -1268,15 +1268,23 @@ void Plot::wheelEvent(QWheelEvent *event) {
void Plot::mouseMoveEvent(QMouseEvent *event) {
int x = event->x();
//Only run the marker place code if a mouse button is pressed
if ((event->buttons() & Qt::LeftButton) || (event->buttons() & Qt::RightButton)) {
x -= WIDTH_AXES;
x = (int)(x / g_GraphPixelsPerPoint);
x += g_GraphStart;
if ((event->buttons() & Qt::LeftButton)) {
if (x > (int)g_GraphTraceLen) x = 0; // Set to 0 if the number is stupidly big
else if (x < (int)g_GraphStart) x = (int)g_GraphStart; // Bounds checking for the start of the Graph Window
else if (x > (int)g_GraphStop) x = (int)g_GraphStop; // Bounds checking for the end of the Graph Window
if ((event->buttons() & Qt::LeftButton)) { // True for left click, false otherwise
g_MarkerA.pos = x;
} else if (event->buttons() & Qt::RightButton) {
} else {
g_MarkerB.pos = x;
}
}
this->update();
}

1
client/src/proxguiqt.h
View file

@ -30,6 +30,7 @@
#include <QtGui>
#include "proxgui.h"
#include "graph.h"
#include "ui/ui_overlays.h"
#include "ui/ui_image.h"

20
client/src/proxmark3.c
View file

@ -385,7 +385,7 @@ void
__attribute__((force_align_arg_pointer))
#endif
#endif
main_loop(char *script_cmds_file, char *script_cmd, bool stayInCommandLoop) {
main_loop(const char *script_cmds_file, char *script_cmd, bool stayInCommandLoop) {
char *cmd = NULL;
bool execCommand = (script_cmd != NULL);
@ -777,31 +777,29 @@ static void show_help(bool showFullHelp, char *exec_name) {
}
static int dumpmem_to_file(const char *filename, uint32_t addr, uint32_t len, bool raw, bool in_bootloader) {
int res = PM3_EUNDEF;
uint8_t *buffer = calloc(len, sizeof(uint8_t));
if (!buffer) {
if (buffer == NULL) {
PrintAndLogEx(ERR, "error, cannot allocate memory ");
res = PM3_EMALLOC;
goto fail;
return PM3_EMALLOC;
}
size_t read = 0;
int res = PM3_EUNDEF;
size_t readlen = 0;
DeviceMemType_t type = raw ? MCU_MEM : MCU_FLASH;
if (GetFromDevice(type, buffer, len, addr, NULL, 0, NULL, 1000, true)) {
res = PM3_SUCCESS;
read = len; // GetFromDevice does not report the actual number of bytes received.
readlen = len; // GetFromDevice does not report the actual number of bytes received.
}
if (res == PM3_SUCCESS) {
if (saveFile(filename, ".bin", buffer, read) != 0) {
res = saveFile(filename, ".bin", buffer, readlen);
if (res != PM3_SUCCESS) {
PrintAndLogEx(ERR, "error writing to file "_YELLOW_("%s"), filename);
res = PM3_EFILE;
}
}
free(buffer);
fail:
return res;
}
@ -1441,7 +1439,7 @@ int main(int argc, char *argv[]) {
MainGraphics();
# else
// for *nix distro's, check environment variable to verify a display
char *display = getenv("DISPLAY");
const char *display = getenv("DISPLAY");
if (display && strlen(display) > 1) {
InitGraphics(argc, argv, script_cmds_file, script_cmd, stayInCommandLoop);
MainGraphics();

2
client/src/proxmark3.h
View file

@ -64,7 +64,7 @@ const char *get_my_executable_path(void);
const char *get_my_executable_directory(void);
const char *get_my_user_directory(void);
void pm3_init(void);
void main_loop(char *script_cmds_file, char *script_cmd, bool stayInCommandLoop);
void main_loop(const char *script_cmds_file, char *script_cmd, bool stayInCommandLoop);
#ifdef __cplusplus
}

65
common/bruteforce.c
View file

@ -63,14 +63,16 @@ int bf_generator_set_charset(generator_context_t *ctx, uint8_t charsets) {
int bf_generate(generator_context_t *ctx) {
switch (ctx->mode) {
case BF_MODE_RANGE:
case BF_MODE_RANGE: {
return _bf_generate_mode_range(ctx);
case BF_MODE_CHARSET:
}
case BF_MODE_CHARSET: {
return _bf_generate_mode_charset(ctx);
case BF_MODE_SMART:
}
case BF_MODE_SMART: {
return _bf_generate_mode_smart(ctx);
}
}
return BF_GENERATOR_ERROR;
}
@ -81,23 +83,27 @@ int bf_generate(generator_context_t *ctx) {
// returns -1 if incrementing reaches its end
int bf_array_increment(uint8_t *data, uint8_t data_len, uint8_t modulo) {
uint8_t prev_value;
// check if we reached max value already
uint8_t i;
for (i = 0; i < data_len; i++)
if (data[i] < modulo - 1)
for (i = 0; i < data_len; i++) {
if (data[i] < modulo - 1) {
break;
}
}
if (i == data_len)
if (i == data_len) {
return -1;
}
for (uint8_t pos = data_len - 1;; pos--) {
prev_value = ++data[pos];
uint8_t prev_value = ++data[pos];
data[pos] = data[pos] % modulo;
if (prev_value == data[pos])
if (prev_value == data[pos]) {
return 0;
else if (pos == 0) {
} else if (pos == 0) {
// we cannot carryover to next byte
// with the max value check in place before, we should not reach this place
return -1;
@ -108,12 +114,12 @@ int bf_array_increment(uint8_t *data, uint8_t data_len, uint8_t modulo) {
}
// get current key casted to 32 bit
uint32_t bf_get_key32(generator_context_t *ctx) {
uint32_t bf_get_key32(const generator_context_t *ctx) {
return ctx->current_key & 0xFFFFFFFF;
}
// get current key casted to 48 bit
uint64_t bf_get_key48(generator_context_t *ctx) {
uint64_t bf_get_key48(const generator_context_t *ctx) {
return ctx->current_key & 0xFFFFFFFFFFFF;
}
@ -127,8 +133,9 @@ void bf_generator_clear(generator_context_t *ctx) {
int _bf_generate_mode_range(generator_context_t *ctx) {
if (ctx->key_length != BF_KEY_SIZE_32 && ctx->key_length != BF_KEY_SIZE_48)
if (ctx->key_length != BF_KEY_SIZE_32 && ctx->key_length != BF_KEY_SIZE_48) {
return BF_GENERATOR_ERROR;
}
if (ctx->current_key >= ctx->range_high) {
return BF_GENERATOR_END;
@ -152,8 +159,9 @@ int _bf_generate_mode_charset(generator_context_t *ctx) {
return BF_GENERATOR_ERROR;
}
if (ctx->flag1)
if (ctx->flag1) {
return BF_GENERATOR_END;
}
uint8_t key_byte = 0;
ctx->current_key = 0;
@ -162,43 +170,47 @@ int _bf_generate_mode_charset(generator_context_t *ctx) {
ctx->current_key |= (uint64_t) ctx->charset[ctx->pos[key_byte]] << ((ctx->key_length - key_byte - 1) * 8);
}
if (bf_array_increment(ctx->pos, ctx->key_length, ctx->charset_length) == -1)
if (bf_array_increment(ctx->pos, ctx->key_length, ctx->charset_length) == -1) {
// set flag1 to emit value last time and end generation on next call
ctx->flag1 = true;
}
return BF_GENERATOR_NEXT;
}
int _bf_generate_mode_smart(generator_context_t *ctx) {
int ret;
while (1) {
if (smart_generators[ctx->smart_mode_stage] == NULL)
if (smart_generators[ctx->smart_mode_stage] == NULL) {
return BF_GENERATOR_END;
}
ret = smart_generators[ctx->smart_mode_stage](ctx);
int ret = smart_generators[ctx->smart_mode_stage](ctx);
switch (ret) {
case BF_GENERATOR_NEXT:
case BF_GENERATOR_NEXT: {
return ret;
case BF_GENERATOR_ERROR:
}
case BF_GENERATOR_ERROR: {
return ret;
case BF_GENERATOR_END:
}
case BF_GENERATOR_END: {
ctx->smart_mode_stage++;
bf_generator_clear(ctx);
continue;
}
}
}
}
int smart_generator_byte_repeat(generator_context_t *ctx) {
// key consists of repeated single byte
uint32_t current_byte = ctx->counter1;
if (current_byte > 0xFF)
if (current_byte > 0xFF) {
return BF_GENERATOR_END;
}
ctx->current_key = 0;
@ -213,8 +225,9 @@ int smart_generator_msb_byte_only(generator_context_t *ctx) {
// key of one byte (most significant one) and all others being zero
uint32_t current_byte = ctx->counter1;
if (current_byte > 0xFF)
if (current_byte > 0xFF) {
return BF_GENERATOR_END;
}
ctx->current_key = (uint64_t)current_byte << ((ctx->key_length - 1) * 8);

6
common/bruteforce.h
View file

@ -79,7 +79,7 @@ typedef struct {
} generator_context_t;
void bf_generator_init(generator_context_t *ctx, uint8_t mode, uint8_t key_size);
void bf_generator_init(generator_context_t *ctx, uint8_t mode, uint8_t key_length);
void bf_generator_clear(generator_context_t *ctx); // clear flags and counters used by generators
int bf_generator_set_charset(generator_context_t *ctx, uint8_t charsets);
int bf_generate(generator_context_t *ctx);
@ -87,8 +87,8 @@ int _bf_generate_mode_range(generator_context_t *ctx);
int _bf_generate_mode_charset(generator_context_t *ctx);
int _bf_generate_mode_smart(generator_context_t *ctx);
int bf_array_increment(uint8_t *data, uint8_t data_len, uint8_t modulo);
uint32_t bf_get_key32(generator_context_t *ctx);
uint64_t bf_get_key48(generator_context_t *ctx);
uint32_t bf_get_key32(const generator_context_t *ctx);
uint64_t bf_get_key48(const generator_context_t *ctx);
// smart mode
typedef int (smart_generator_t)(generator_context_t *ctx);

121
doc/commands.json
View file

@ -720,7 +720,7 @@
"-h, --help This help",
"--keep keep the current values of the markers",
"-a <dec> yellow marker",
"-b <dec> pink marker",
"-b <dec> purple marker",
"-c <dec> orange marker",
"-d <dec> blue marker"
],
@ -740,6 +740,42 @@
],
"usage": "data shiftgraphzero [-h] -n <dec>"
},
"data test_ss32": {
"command": "data test_ss32",
"description": "Tests the implementation of Buffer Save States (32-bit buffer)",
"notes": [
"data test_ss32"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "data test_ss32 [-h]"
},
"data test_ss32s": {
"command": "data test_ss32s",
"description": "Tests the implementation of Buffer Save States (32-bit signed buffer)",
"notes": [
"data test_ss32s"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "data test_ss32s [-h]"
},
"data test_ss8": {
"command": "data test_ss8",
"description": "Tests the implementation of Buffer Save States (8-bit buffer)",
"notes": [
"data test_ss8"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "data test_ss8 [-h]"
},
"data timescale": {
"command": "data timescale",
"description": "Set cursor display timescale. Setting the timescale makes the differential `dt` reading between the yellow and purple markers meaningful. once the timescale is set, the differential reading between brackets can become a time duration.",
@ -1386,6 +1422,18 @@
],
"usage": "hf 14b apdu [-hskte] [--decode] [-m <hex>] [-l <int>] -d <hex> [--timeout <dec>]"
},
"hf 14b calypso": {
"command": "hf 14b calypso",
"description": "Reads out the contents of a ISO14443B Calypso card",
"notes": [
"hf 14b calypso"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "hf 14b calypso [-h]"
},
"hf 14b dump": {
"command": "hf 14b dump",
"description": "This command dumps the contents of a ISO-14443-B tag and save it to file Tries to autodetect cardtype, memory size defaults to SRI4K",
@ -1404,7 +1452,7 @@
},
"hf 14b help": {
"command": "hf 14b help",
"description": "--------- ----------------------- General ----------------------- help This help list List ISO-14443-B history --------- ----------------------- Operations ----------------------- view Display content from tag dump file valid SRIX4 checksum test --------------------------------------------------------------------------------------- hf 14b list available offline: yes Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"description": "--------- ----------------------- General ----------------------- help This help list List ISO-14443-B history --------- ----------------------- Operations ----------------------- view Display content from tag dump file valid SRIX4 checksum test --------- ------------------ Calypso / Mobib ------------------ --------------------------------------------------------------------------------------- hf 14b list available offline: yes Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"notes": [
"hf 14b list --frame -> show frame delay times",
"hf 14b list -1 -> use trace buffer"
@ -1437,6 +1485,18 @@
],
"usage": "hf 14b info [-hsv]"
},
"hf 14b mobib": {
"command": "hf 14b mobib",
"description": "Reads out the contents of a ISO14443B Mobib card",
"notes": [
"hf 14b mobib"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "hf 14b mobib [-h]"
},
"hf 14b ndefread": {
"command": "hf 14b ndefread",
"description": "Print NFC Data Exchange Format (NDEF)",
@ -1501,10 +1561,11 @@
"offline": false,
"options": [
"-h, --help This help",
"--plot show anticollision signal trace in plot window",
"-v, --verbose verbose output",
"-@ optional - continuous reader mode"
],
"usage": "hf 14b reader [-hv@]"
"usage": "hf 14b reader [-hv@] [--plot]"
},
"hf 14b restore": {
"command": "hf 14b restore",
@ -3102,7 +3163,7 @@
"description": "Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag",
"notes": [
"hf iclass chk -f iclass_default_keys.dic",
"hf iclass chk -f iclass_default_keys.dic --elite"
"hf iclass chk -f iclass_elite_keys.dic --elite"
],
"offline": false,
"options": [
@ -8925,7 +8986,8 @@
"description": "Authenticate against an EM4x70 by sending random number (RN) and F(RN) If F(RN) is incorrect based on the tag key, the tag will not respond If F(RN) is correct based on the tag key, the tag will give a 20-bit response",
"notes": [
"lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 -> (using pm3 test key)",
"lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 -> (using research paper key)"
"lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 -> (using research paper key)",
"lf em 4x70 auth --rnd 7D5167003571F8 --frn 982DBCC0 -> (autorecovery test key)"
],
"offline": false,
"options": [
@ -8941,7 +9003,8 @@
"description": "This command will perform automatic recovery of the key from a writable tag. All steps are possible to do manually. The corresponding sequence, if done manually, is as follows: 1. Verify passed parameters authenticate with the tag (safety check) lf em 4x70 auth --rnd <rnd_1> --frn <frn_1> 2. Brute force the key bits in block 9 lf em 4x70 write -b 9 -d 0000 lf em 4x70 recover -b 9 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 9 -d <key_block_9> 3. Brute force the key bits in block 8 lf em 4x70 write -b 8 -d 0000 lf em 4x70 recover -b 8 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 8 -d <key_block_8> 4. Brute force the key bits in block 7 lf em 4x70 write -b 7 -d 0000) lf em 4x70 recover -b 7 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 7 -d <key_block_7> 5. Recover potential values of the lower 48 bits of the key lf em 4x70 recover --key <key_block_9><key_block_8><key_block_7> --rnd <rnd_1> --frn <frn_1> 6. Verify which potential key is actually on the tag (using a different rnd/frn combination) lf em 4x70 auth --rnd <rnd_2> --frn <frn_N> 7. Print the validated key This command simply requires the rnd/frn/grn from a single known-good authentication.",
"notes": [
"lf em 4x70 autorecover --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)",
"lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)"
"lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)",
"lf em 4x70 autorecover --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key)"
],
"offline": false,
"options": [
@ -9007,7 +9070,8 @@
"description": "Write new 96-bit key to tag",
"notes": [
"lf em 4x70 setkey -k F32AA98CF5BE4ADFA6D3480B (pm3 test key)",
"lf em 4x70 setkey -k A090A0A02080000000000000 (research paper key)"
"lf em 4x70 setkey -k A090A0A02080000000000000 (research paper key)",
"lf em 4x70 setkey -k 022A028C02BE000102030405 (autorecovery test key)"
],
"offline": false,
"options": [
@ -9443,6 +9507,19 @@
],
"usage": "lf hitag chk [-h] [-f <fn>] [--pwd] [--crypto]"
},
"lf hitag crack2": {
"command": "lf hitag crack2",
"description": "This command tries to recover 2048 bits of Hitag2 crypto stream data.",
"notes": [
"lf hitag crack2 --nrar 73AA5A62EAB8529C"
],
"offline": false,
"options": [
"-h, --help This help",
"--nrar <hex> specify nonce / answer as 8 hex bytes"
],
"usage": "lf hitag lookup [-h] [--nrar <hex>]"
},
"lf hitag dump": {
"command": "lf hitag dump",
"description": "Read all Hitag 2 card memory and save to file Crypto mode key format: ISK high + ISK low, 4F4E4D494B52 (ONMIKR) Password mode, default key 4D494B52 (MIKR)",
@ -9497,7 +9574,7 @@
},
"lf hitag help": {
"command": "lf hitag help",
"description": "help This help list List Hitag trace history selftest Perform self test view Display content from tag dump file lookup Uses authentication trace to check for key in dictionary file --------------------------------------------------------------------------------------- lf hitag list available offline: yes Alias of `trace list -t hitag2` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"description": "help This help list List Hitag trace history test Perform self tests view Display content from tag dump file lookup Uses authentication trace to check for key in dictionary file --------------------------------------------------------------------------------------- lf hitag list available offline: yes Alias of `trace list -t hitag2` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"notes": [
"lf hitag list --frame -> show frame delay times",
"lf hitag list -1 -> use trace buffer"
@ -9576,18 +9653,6 @@
],
"usage": "lf hitag read [-hs2] [--pwd] [--nrar <hex>] [--crypto] [-k <hex>]"
},
"lf hitag selftest": {
"command": "lf hitag selftest",
"description": "Perform selftest of Hitag crypto engine",
"notes": [
"lf hitag selftest"
],
"offline": true,
"options": [
"-h, --help This help"
],
"usage": "lf hitag selftest [-h]"
},
"lf hitag sim": {
"command": "lf hitag sim",
"description": "Simulate Hitag transponder You need to `lf hitag eload` first",
@ -9615,6 +9680,18 @@
],
"usage": "lf hitag sniff [-h]"
},
"lf hitag test": {
"command": "lf hitag test",
"description": "Perform self tests of Hitag crypto engine",
"notes": [
"lf hitag test"
],
"offline": true,
"options": [
"-h, --help This help"
],
"usage": "lf hitag test [-h]"
},
"lf hitag view": {
"command": "lf hitag view",
"description": "Print a HITAG dump file (bin/eml/json)",
@ -12622,8 +12699,8 @@
}
},
"metadata": {
"commands_extracted": 729,
"commands_extracted": 735,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2024-04-22T14:35:02"
"extracted_on": "2024-05-14T08:02:41"
}
}

8
doc/commands.md
View file

@ -137,6 +137,9 @@ Check column "offline" for their availability.
|`data diff `|Y |`Diff of input files`
|`data hexsamples `|N |`Dump big buffer as hex bytes`
|`data samples `|N |`Get raw samples for graph window ( GraphBuffer )`
|`data test_ss8 `|N |`Test the implementation of Buffer Save States (8-bit buffer)`
|`data test_ss32 `|N |`Test the implementation of Buffer Save States (32-bit buffer)`
|`data test_ss32s `|N |`Test the implementation of Buffer Save States (32-bit signed buffer)`
### emv
@ -221,6 +224,8 @@ Check column "offline" for their availability.
|`hf 14b wrbl `|N |`Write data to a SRI512/SRIX4 tag`
|`hf 14b view `|Y |`Display content from tag dump file`
|`hf 14b valid `|Y |`SRIX4 checksum test`
|`hf 14b calypso `|N |`Read contents of a Calypso card`
|`hf 14b mobib `|N |`Read contents of a Mobib card`
### hf 15
@ -1041,7 +1046,7 @@ Check column "offline" for their availability.
|`lf hitag help `|Y |`This help`
|`lf hitag list `|Y |`List Hitag trace history`
|`lf hitag info `|N |`Hitag 2 tag information`
|`lf hitag selftest `|Y |`Perform self test`
|`lf hitag test `|Y |`Perform self tests`
|`lf hitag dump `|N |`Dump Hitag 2 tag`
|`lf hitag read `|N |`Read Hitag memory`
|`lf hitag sniff `|N |`Eavesdrop Hitag communication`
@ -1051,6 +1056,7 @@ Check column "offline" for their availability.
|`lf hitag eview `|N |`View emulator memory`
|`lf hitag sim `|N |`Simulate Hitag transponder`
|`lf hitag cc `|N |`Hitag S: test all provided challenges`
|`lf hitag crack2 `|N |`Recover 2048bits of crypto stream`
|`lf hitag chk `|N |`Check keys`
|`lf hitag lookup `|Y |`Uses authentication trace to check for key in dictionary file`
|`lf hitag ta `|N |`Hitag 2: test all recorded authentications`

195
doc/magic_cards_notes.md
View file

@ -51,6 +51,7 @@ Useful docs:
* [ULtra](#ultra)
* [UL-5](#ul-5)
* [UL, other chips](#ul-other-chips)
* [MIFARE Ultralight USCUID-UL](#mifare-ultralight-uscuid-ul)
* [NTAG](#ntag)
* [NTAG213 DirectWrite](#ntag213-directwrite)
* [NTAG21x](#ntag21x)
@ -823,7 +824,7 @@ hf 14a raw -s -c 90FD111100
^[Top](#top)
TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85.
All of the known tags using this, except for Ultralight tags, are listed here.
All of the known tags are using this, except for Ultralight tags, are listed here.
You cannot turn a Classic tag into an Ultralight and vice-versa!
@ -1142,8 +1143,6 @@ All commands are available before sealing. After the sealing acts as a Mifare Cl
* Magic wakeup: `40(7)`, `43`
* Backdoor read main block: `30xx+crc`
* Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc`
* Read hidden block: `38xx+crc`
* Write hidden block: `A8xx+crc`, `[16 bytes data]+crc`
* Read configuration: `E000+crc`
* Write configuration: `E100+crc`
* Example of the sealing, performed by Chinese copiers in raw commands:
@ -1607,7 +1606,7 @@ hf 14a info
[+] Magic capabilities : Gen 2 / CUID
```
It seems so far that all MFUL DW have an ATS.
It seems so far that all MFUL DW have an ATS response in factory configuration.
### Magic commands
@ -1638,14 +1637,6 @@ Issue three regular MFU write commands in a row to write first three blocks.
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails
#### MIFARE Ultralight DirectWrite flavour 2
^[Top](#top)
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AB00000000000000000184D
* Anticol shortcut (CL1/3000): succeeds
### Proxmark3 commands
^[Top](#top)
@ -1977,6 +1968,186 @@ The manufacturer confirmed unpersonalized tags could be identified by first 3 by
UL-X, UL-Z - ?
## MIFARE Ultralight USCUID-UL
^[Top](#top)
TLDR: These magic cards, like the MFC USCUIDs have a 16 byte long configuration page, comprised of 4 blocks of 4 bytes each. This usually starts with 0x85. All of the known tags use the same format config page.
The cards will respond to a RATS with the config page in the factory configuration.
As with the MFC USCUIDs, one cannot turn a Classic tag into an Ultralight and vice-versa!
### Characteristics
^[Top](#top)
* UID: 7 bytes
* ATQA: always read from hidden block `F6`
* SAK: always read from hidden block `F6`
* BCC: read from blocks 0-1 per Ultralight specification
* ATS: These respond to an ATS request with the config page in factory mode.
### Identify
^[Top](#top)
In factory config state:
```
hf 14a info
...
[=] -------------------------- ATS --------------------------
[!] ATS may be corrupted. Length of ATS (18 bytes incl. 2 Bytes CRC) doesn't match TL
[+] ATS: 85 00 85 A0 00 00 0A A5 00 04 04 02 01 00 0F 03 [ 07 00 ]
```
If config has been modified to not display config block as ATS response:
```
hf 14a raw -akb 7 40; hf 14a raw -k 43
OR (depending on the magic wakeup method set)
hf 14a raw -akb 7 20; hf 14a raw -k 23
THEN
hf 14a raw -c e100
[+] 85 00 85 A0 00 00 0A A5 00 04 04 02 01 00 0F 03 [ 07 00 ]
```
Possible tag wakeup mechanisms are:
* Gen1 Magic Wakeup
* Alt Magic Wakeup
### Magic commands
^[Top](#top)
* Magic wakeup (A: 00): `40(7)`, `43`
* Magic wakeup (B: 85): `20(7)`, `23`
* Backdoor read main and hidden block: `30xx+crc`
* Backdoor write main and hidden block: `A2xx[4 bytes data]+crc`
* Read configuration: `E050+crc`
* Write configuration: `E2[offset*4, 1b][data, 4b]+crc`
* **DANGER**
* Set memory and config to 00 `F000+crc`
* Set memory and config to FF `F100+crc`
* Set memory and config to 55 (no 0A response) `F600+crc`
### USCUID-UL configuration guide
^[Top](#top)
1. Configuration
```
0 1 2 3
850000A0 00000AC3 00040301 01000B03
^^ >> ??? Mystery ???
^^^^ >> Gen1a mode (works with bitflip)
^^ >> Magic wakeup command (00 for 40-43; 85 for 20-23)
^^ >> Config available using regular mode (ON: A0)
^^ >> Do not reply to 1B, making auth impossible
^^ >> Do not enforce OTP properties (ON: A0)
^^ >> Maximum memory configuration*
^^^^^^^^ ^^^^^^^^ >> Version info
* This isn't a customizable value - it's a preset. So far:
C3 = UL11
3C = UL21
00 = UL-C
A5 = NTAG 213
5A = NTAG 215
AA = NTAG 216
55 = Unknown IC w/ 238 pgs.
```
* Gen1a mode: Allow using custom wakeup commands, like real gen1a chip, to run backdoor commands, as well as some extras.
* Magic wakeup command: Use different wakeup commands for entering Gen1a mode. A) 00 - 40(7), 43; B) 85 - 20(7), 23.
* Config available using regular mode: If this option is turned on via A0, the tag will reply to RATS with the config block and the config block can be modified without doing a magic wakeup.
To write config:
You must send config info in E2 packets of 4 bytes each (format: `E2[offset*4, 1b][data, 4b]`), eg for a UL-11 tag:
```
hf 14a raw -sck E200850000A0; hf 14a raw -ck E20100000AC3; hf 14a raw -ck E20200040301; hf 14a raw -c E20301000B03
```
2. Hidden blocks
```
F0: 00000000
^^^^^^^^ >> Unknown, usually always 00
F1: 00000000
^^^^^^^^ >> Unknown, usually always 00
F2: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F3: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F4: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F5: 00000000
^^^^^^^^ >> Unknown, usually always 00
F6: 44000400
^^^^ >> ATQA in byte reverse order. 4400 = ATQA of 0044
^^ >> Unknown, usually always set to 04. Changing this value also has something to do with the SAK value in the next byte
^^ >> SAK, if previous byte set to 04
F7: 88AF0000
^^ >> First byte of UID BCC calculation, for Ultralight family is always 88 per the datasheet
^^ >> Unknown, usually always AF.
^^^^ >> Unknown, usually always 00
F8 - FF: xxxxxxxx >> signature
```
To read / write hidden blocks:
A config block beginning with `7AFF` must be set to enable a `40:43` / `20:23` magic wakeup. From limited testing, the `20:23` magic wakeup is not guaranteed to work, however the `40:43` wakeup works 100% of the time.
You must send config info in A2 packets of 4 bytes each (format: `A2[offset*4, 1b][data, 4b]`), eg for a UL-11 tag:
```
hf 14a raw -akb 7 40; hf 14a raw -k 43; hf 14a raw -ck A2F2000000BD; hf 14a raw -ck A2F3000000BD; hf 14a raw -ck A2F4000000BD; hf 14a raw -ck A2F644000400; hf 14a raw -c A2F888AF0000
```
### Proxmark3 commands
^[Top](#top)
No implemented commands at time of writing
### libnfc commands
^[Top](#top)
No implemented commands at time of writing
### Variations
^[Top](#top)
| Factory configuration | Name |
| --- | --- |
| 850000A0 00000AC3 00040301 01000B03 | UL-11 |
| 850000A0 00000A3C 00040301 01000E03 | UL-21 |
| 850000A0 0A000A00 00000000 00000000 | UL-C |
| 850085A0 00000AA5 00040402 01000F03 | NTAG213 |
| 850000A0 00000A5A 00040402 01001103 | NTAG215 |
| 850000A0 00000AAA 00040402 01001303 | NTAG216 |
# DESFire
^[Top](#top)

1
include/pm3_cmd.h
View file

@ -588,6 +588,7 @@ typedef struct {
#define CMD_LF_HITAG_READER 0x0372
#define CMD_LF_HITAG2_WRITE 0x0377
#define CMD_LF_HITAG2_CRACK 0x0378
#define CMD_LF_HITAG2_CRACK_2 0x0379
// For HitagS
#define CMD_LF_HITAGS_TEST_TRACES 0x0367

2
tools/mfd_aes_brute/mfd_multi_brute.c
View file

@ -222,6 +222,8 @@ static void *brute_thread(void *arguments) {
//make_key_borland_n(i, key, keylen);
uint8_t iv[keylen << 1];
memset(iv, 0, sizeof(iv));
uint8_t dec_tag[16] = {0x00};
uint8_t dec_rdr[32] = {0x00};

4
tools/mfkey/staticnested.c
View file

@ -166,7 +166,7 @@ static void pm3_staticnested(uint32_t uid, uint32_t nt1, uint32_t ks1, uint32_t
for (uint32_t k = 0; k < keycnt; k++) {
uint64_t key64 = 0;
crypto1_get_lfsr(statelists[0].head.slhead + k, &key64);
printf("[ %d ] " _GREEN_("%012" PRIx64) "\n", k + 1, key64);
printf("[ %u ] " _GREEN_("%012" PRIx64) "\n", k + 1, key64);
}
}
}
@ -222,7 +222,7 @@ int main(int argc, char *const argv[]) {
if (key_count) {
printf("Ultra Static nested --> Found " _YELLOW_("%u") " key candidates\n", key_count);
for (uint32_t k = 0; k < key_count; k++) {
printf("[ %d ] " _GREEN_("%012" PRIx64) "\n", k + 1, keys[k]);
printf("[ %u ] " _GREEN_("%012" PRIx64) "\n", k + 1, keys[k]);
}
}

6
tools/pm3_tests.sh
View file

@ -414,12 +414,16 @@ while true; do
if ! CheckExecute "nfc decode test - signature" "$CLIENTBIN -c 'nfc decode -d 03FF010194113870696C65742E65653A656B616172743A3266195F26063132303832325904202020205F28033233335F2701316E1B5A13333038363439303039303030323636343030355304EBF2CE704103000000AC536967010200803A2448FCA7D354A654A81BD021150D1A152D1DF4D7A55D2B771F12F094EAB6E5E10F2617A2F8DAD4FD38AFF8EA39B71C19BD42618CDA86EE7E144636C8E0E7CFC4096E19C3680E09C78A0CDBC05DA2D698E551D5D709717655E56FE3676880B897D2C70DF5F06ECE07C71435255144F8EE41AF110E7B180DA0E6C22FB8FDEF61800025687474703A2F2F70696C65742E65652F6372742F33303836343930302D303030312E637274FE'" "30864900-0001.crt"; then break; fi
echo -e "\n${C_BLUE}Testing LF:${C_NC}"
if ! CheckExecute "lf hitag2 test" "$CLIENTBIN -c 'lf hitag selftest'" "Tests \( ok"; then break; fi
if ! CheckExecute "lf hitag2 test" "$CLIENTBIN -c 'lf hitag test'" "Tests \( ok"; then break; fi
if ! CheckExecute "lf cotag demod test" "$CLIENTBIN -c 'data load -f traces/lf_cotag_220_8331.pm3; data norm; data cthreshold -u 50 -d -20; data envelope; data raw --ar -c 272; lf cotag demod'" \
"COTAG Found: FC 220, CN: 8331 Raw: FFB841170363FFFE00001E7F00000000"; then break; fi
if ! CheckExecute "lf AWID test" "$CLIENTBIN -c 'data load -f traces/lf_AWID-15-259.pm3;lf search -1'" "AWID ID found"; then break; fi
if ! CheckExecute "lf EM410x test" "$CLIENTBIN -c 'data load -f traces/lf_EM4102-1.pm3;lf search -1'" "EM410x ID found"; then break; fi
if ! CheckExecute "lf EM4x05 test" "$CLIENTBIN -c 'data load -f traces/lf_EM4x05.pm3;lf search -1'" "FDX-B ID found"; then break; fi
if ! CheckExecute "lf EM4x70 calc test" "$CLIENTBIN -c 'lf em 4x70 calc --key F32AA98CF5BE4ADFA6D3480B --rnd 45F54ADA252AAC'" "FRN: 4866BB70 GRN: 9BD180"; then break; fi
if ! CheckExecute "lf EM4x70 recover test 1/3" "$CLIENTBIN -c 'lf em 4x70 recover --key 022A028C02BE --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0'" "022a028c02be000102030405"; then break; fi
if ! CheckExecute "lf EM4x70 recover test 2/3" "$CLIENTBIN -c 'lf em 4x70 recover --key 022A028C02BE --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0'" "022a028c02be366866191b60"; then break; fi
if ! CheckExecute "lf EM4x70 recover test 3/3" "$CLIENTBIN -c 'lf em 4x70 recover --key 022A028C02BE --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0'" "022a028c02bef1e352c2718d"; then break; fi
if ! CheckExecute "lf FDX-A FECAVA test" "$CLIENTBIN -c 'data load -f traces/lf_EM4305_fdxa_destron.pm3;lf search -1'" "FDX-A FECAVA Destron ID found"; then break; fi
if ! CheckExecute "lf FDX-B test" "$CLIENTBIN -c 'data load -f traces/lf_HomeAgain1600.pm3;lf search -1'" "FDX-B ID found"; then break; fi
if ! CheckExecute "lf FDX/BioThermo test" "$CLIENTBIN -c 'data load -f traces/lf_FDXB_Bio-Thermo.pm3; lf fdxb demod'" "95.2 F / 35.1 C"; then break; fi