From 28449aa580eecf4154f5531fd721bb7995804b49 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 21 Aug 2022 09:40:06 +0200 Subject: [PATCH] hf mf mad - detect and decode of HID PACS --- client/src/cmdhfmf.c | 37 +++++++++++++++++++++++++++++++++++++ client/src/mifare/mad.c | 15 +++++++++++++++ client/src/mifare/mad.h | 1 + 3 files changed, 53 insertions(+) diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c index b79fc3b14..3cdd94bf2 100644 --- a/client/src/cmdhfmf.c +++ b/client/src/cmdhfmf.c @@ -35,6 +35,8 @@ #include "crapto1/crapto1.h" // prng_successor #include "cmdhf14a.h" // exchange APDU #include "crypto/libpcrypto.h" +#include "wiegand_formats.h" +#include "wiegand_formatutils.h" #define MIFARE_4K_MAXBLOCK 256 #define MIFARE_2K_MAXBLOCK 128 
@@ -5388,6 +5390,41 @@ static int CmdHF14AMfMAD(const char *Cmd) { MADPrintHeader(); bool haveMAD2 = false; MAD1DecodeAndPrint(dump, swapmad, verbose, &haveMAD2); + + int sector = DetectHID(dump, 0x484d); + if (sector > -1) { + + // decode it + PrintAndLogEx(INFO, ""); + PrintAndLogEx(INFO, _CYAN_("HID PACS detected")); + + uint8_t pacs_sector[MFBLOCK_SIZE * 3] = {0}; + memcpy(pacs_sector, dump + (sector * 4 * 16), sizeof(pacs_sector)); + + if (pacs_sector[16] == 0x02) { + + PrintAndLogEx(SUCCESS, "Raw...... " _GREEN_("%s"), sprint_hex_inrow(pacs_sector + 24, 8)); + + //todo: remove preamble/sentinel + uint32_t top = 0, mid = 0, bot = 0; + char hexstr[16 + 1] = {0}; + hex_to_buffer((uint8_t *)hexstr, pacs_sector + 24, 8, sizeof(hexstr) - 1, 0, 0, true); + hexstring_to_u96(&top, &mid, &bot, hexstr); + + PrintAndLogEx(INFO, "top %x %x %x", top, mid, bot); + + char binstr[64 + 1]; + hextobinstring(binstr, hexstr); + char *pbin = binstr; + while (strlen(pbin) && *(++pbin) == '0'); + + PrintAndLogEx(SUCCESS, "Binary... " _GREEN_("%s"), pbin); + + PrintAndLogEx(INFO, "Wiegand decode"); + wiegand_message_t packed = initialize_message_object(top, mid, bot, 0); + HIDTryUnpack(&packed); + } + } free(dump); return PM3_SUCCESS; } diff --git a/client/src/mifare/mad.c b/client/src/mifare/mad.c index 807d0c287..62a77d988 100644 --- a/client/src/mifare/mad.c +++ b/client/src/mifare/mad.c @@ -406,3 +406,18 @@ bool HasMADKey(uint8_t *d) { return (memcmp(d + (3 * MFBLOCK_SIZE), g_mifare_mad_key, sizeof(g_mifare_mad_key)) == 0); } + +int DetectHID(uint8_t *d, uint16_t manufacture) { + if (d == NULL) + return -1; + + // find HID + for (int i = 1; i < 16; i++) { + uint16_t aid = madGetAID(d, false, 1, i); + if (aid == manufacture) { + return i; + } + } + + return -1; +} \ No newline at end of file diff --git a/client/src/mifare/mad.h b/client/src/mifare/mad.h index 14eae9b54..e1ebec62c 100644 --- a/client/src/mifare/mad.h +++ b/client/src/mifare/mad.h 
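Review bot: The `memcpy` of `sizeof(pacs_sector)` bytes from `dump + (sector * 4 * 16)` is not checked against the size of `dump`, and `sector` (1..15) is chosen by MAD bytes that come from the card or a loaded dump file. The allocation and its length are outside this hunk, so this may already be safe. If `dump` can hold fewer than 16 sectors (a partial read, a smaller card image, a truncated file), this is an out-of-bounds heap read steered by untrusted data. Guard the copy with something like `if ((size_t)sector * 4 * MFBLOCK_SIZE + sizeof(pacs_sector) > dump_len) { /* skip PACS decode */ }`, where `dump_len` is a placeholder for whatever length the function tracks. Separately, `*(++pbin)` advances before testing, so `binstr[0]` is never examined and a leading '1' bit is dropped from the printed value; unless that is an intended sentinel strip, `while (*pbin == '0') pbin++;` tests every character.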
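Review bot: `DetectHID` has no comment stating its contract, and its name overstates what it does: it returns the first sector index in 1..15 whose AID equals `manufacture`, for any AID value, and -1 otherwise. A header comment such as `// Return the first MAD v1 sector (1..15) whose AID equals 'manufacture', or -1 if none matches or d is NULL; d must hold the full MAD sector.` would make that explicit, and `d` could be `const uint8_t *`. The second argument to `madGetAID` is hard-coded `false`, while the caller in cmdhfmf.c passes its `swapmad` flag to `MAD1DecodeAndPrint`; if that argument is the same byte-swap switch, detection will disagree with the printed MAD on swapped cards. The function takes no length, so it cannot bound the index it returns, and the caller has to validate it before using it as an offset into the dump.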
@@ -29,4 +29,5 @@ int MADDFDecodeAndPrint(uint32_t short_aid, bool verbose);
 int MADCardHolderInfoDecode(uint8_t *data, size_t datalen, bool verbose);
 void MADPrintHeader(void);
 bool HasMADKey(uint8_t *d);
+int DetectHID(uint8_t *d, uint16_t manufacture);
 #endif // _MAD_H_