github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 13:53:55 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Supercard UID changing from backdoor command

Browse source
This commit is contained in:
AloneLiberty 2023-03-25 02:00:08 +03:00
commit 2661a2a034
3 changed files with 42 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Changed `hf mf supercard` - Support editing UID (@AloneLiberty)
- Added `hf mf gdmsetblk` - Support Gen4 GDM write block (@iceman1001)
- Changed `hf 14a info` - detect Gen GDM magic tags (@iceman1001)
- Changed CLI max string argument length limit from 512 to 4096 (@iceman1001)

46
client/src/cmdhfmf.c
View file

@ -6572,29 +6572,62 @@ static int CmdHf14AMfSuperCard(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf mf supercard",
"Extract info from a `super card`",
"hf mf supercard");
"hf mf supercard -> recover key\n"
"hf mf supercard -r -> reset card\n"
"hf mf supercard -u 11223344 -> change UID\n");
void *argtable[] = {
arg_param_begin,
arg_lit0("r", "reset", "reset card"),
arg_lit0("r", "reset", "reset card"),
arg_str0("u", "uid", "<hex>", "New UID (4 hex bytes)"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
bool reset_card = arg_get_lit(ctx, 1);
uint8_t uid[4];
int uidlen = 0;
CLIParamHexToBuf(arg_get_str(ctx, 2), uid, sizeof(uid), &uidlen);
CLIParserFree(ctx);
if (uidlen && uidlen != 4) {
PrintAndLogEx(ERR, "UID must include 8 HEX symbols");
return PM3_EINVARG;
}
bool activate_field = true;
bool keep_field_on = true;
int res = 0;
if (reset_card) {
// Commands:
// a0 - set UID
// b0 - read traces
// c0 - clear card
if (uidlen) {
keep_field_on = false;
uint8_t response[6];
int resplen = 0;
// --------------- CHANGE UID ----------------
uint8_t aCHANGE[] = {0x00, 0xa6, 0xa0, 0x00, 0x05, 0xff, 0xff, 0xff, 0xff, 0x00};
memcpy(aCHANGE + 5, uid, uidlen);
res = ExchangeAPDU14a(aCHANGE, sizeof(aCHANGE), activate_field, keep_field_on, response, sizeof(response), &resplen);
if (res != PM3_SUCCESS) {
PrintAndLogEx(FAILED, "Super card UID change [ " _RED_("fail") " ]");
DropField();
return res;
}
PrintAndLogEx(SUCCESS, "Super card UID change ( " _GREEN_("ok") " )");
return PM3_SUCCESS;
}
if (reset_card) {
keep_field_on = false;
uint8_t response[6];
int resplen = 0;
// --------------- RESET CARD ----------------
uint8_t aRESET[] = { 0x00, 0xa6, 0xc0, 0x00 };
uint8_t aRESET[] = { 0x00, 0xa6, 0xc0, 0x00 };
res = ExchangeAPDU14a(aRESET, sizeof(aRESET), activate_field, keep_field_on, response, sizeof(response), &resplen);
if (res != PM3_SUCCESS) {
PrintAndLogEx(FAILED, "Super card reset [ " _RED_("fail") " ]");
@ -6630,9 +6663,6 @@ static int CmdHf14AMfSuperCard(const char *Cmd) {
return res;
}
// uint8_t inA[] = { 0x72, 0xD7, 0xF4, 0x3E, 0xFD, 0xAB, 0xF2, 0x35, 0xFD, 0x49, 0xEE, 0xDC, 0x44, 0x95, 0x43, 0xC4};
// uint8_t inB[] = { 0xF0, 0xA2, 0x67, 0x6A, 0x04, 0x6A, 0x72, 0x12, 0x76, 0xA4, 0x1D, 0x02, 0x1F, 0xEA, 0x20, 0x85};
uint8_t outA[16] = {0};
uint8_t outB[16] = {0};
@ -6670,7 +6700,7 @@ static int CmdHf14AMfSuperCard(const char *Cmd) {
// second
NT0 = (outB[6] << 8) | outB[7];
data.nonce2 = prng_successor(NT0, 31);;
data.nonce2 = prng_successor(NT0, 31);
data.nr2 = bytes_to_num(outB + 8, 4);
data.ar2 = bytes_to_num(outB + 12, 4);
data.sector = mfSectorNum(outA[5]);

5
doc/commands.json
View file

@ -4827,9 +4827,10 @@
"offline": false,
"options": [
"-h, --help This help",
"-r, --reset reset card"
"-r, --reset Reset card",
"-u, --uid <hex> Change UID"
],
"usage": "hf mf supercard [-hr]"
"usage": "hf mf supercard [-hru]"
},
"hf mf value": {
"command": "hf mf value",