From 328e5461f8896f1a26295dc5fe573cbdc5e81549 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 27 May 2023 10:46:42 +0200 Subject: [PATCH] added "--sk" param to hf mf eview and view commands. This param extracts and saves keys to binary key file --- CHANGELOG.md | 10 +++++--- client/src/cmdhfmf.c | 59 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85593f3b2..0906e8800 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Changed `hf mf eview --sk` - now can extract keys and save to file (@iceman1001) + - Changed `hf mf view --sk` - now can extract keys and save to file (@iceman1001) - Changed `hf mf sim` - reduce 6ms threshold to 4ms for reset to idle #1974 (@net147) - Rebuilt the Spartan-2 `fpga_*.bit` files to include the `hi_iso14443a.v` update (@d18c7db) - Added minor orphaned change from `hi_iso14443a.v` in `fpga-xc3s100e` to `hi_iso14443a.v` in `fpga-xc2s30` (@d18c7db) 
@@ -22,7 +24,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Changed `hf mf supercard` - Support editing UID and recovery of keys from second generation card (@AloneLiberty) - Added iClass credit key to default iClass key table and reorganized key order (@GuruSteve) - Changed `hf mf value` - ability to use transfer on different block (@AloneLiberty) - - Change `hf mf dump --ns` - dump command now supports `no save` of MFC card memory (@iceman1001) + - Changed `hf mf dump --ns` - dump command now supports `no save` of MFC card memory (@iceman1001) - Added `hf mf gdmsetcfg` - Supprt Gen4 GDM write configuration block (@iceman1001) - Added `hf mf gdmcfg` - Support Gen4 GDM read configuration block (@iceman1001) - Changed magic note to include a section about GDM tags (@iceman1001) 
@@ -62,11 +64,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added `hf legic info` command for other sources (@0xdeb) - Added `hf legic einfo` - views emulator menory (@0xdeb) - Changed `hf legic view` - now also print the decoded info of the dump file (@0xdeb) - - Now `script run hf_mf_ultimatecard.lua -u` supports 10bytes UID (@alejandro12120) - - Update documentation for installation on macOS with MacPorts (@linuxgemini) + - Changed `script run hf_mf_ultimatecard.lua -u` to support 10bytes UID (@alejandro12120) + - Updated documentation for installation on macOS with MacPorts (@linuxgemini) - Added possible Paxton id to hitag2 tag info output - Changed `hf mf sim` - reduce 50ms threshold to 6ms for reset to idle #1974 (@net147) - - Update `amiibo_tools.lua` with new identifiers and create a python script `update_amiibo_tools_lua.py` to automate the process in the future. (@CorySolovewicz) + - Updated `amiibo_tools.lua` with new identifiers and create a python script `update_amiibo_tools_lua.py` to automate the process in the future. (@CorySolovewicz) ## [Nitride.4.16191][2023-01-29] - Changed `build_all_firmwares.sh` to fit GENERIC 256kb firmware images (@doegox) diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c index aebce5737..7487088dd 100644 --- a/client/src/cmdhfmf.c +++ b/client/src/cmdhfmf.c 
@@ -320,6 +320,52 @@ static int mf_print_keys(uint16_t n, uint8_t *d) { return PM3_SUCCESS; } +// MFC dump , extract and save the keys to key file +static int mf_save_keys_from_arr(uint16_t n, uint8_t *d) { + uint8_t sectors = 0; + switch (n) { + case MIFARE_MINI_MAXBLOCK: + sectors = MIFARE_MINI_MAXSECTOR; + break; + case MIFARE_2K_MAXBLOCK: + sectors = MIFARE_2K_MAXSECTOR; + break; + case MIFARE_4K_MAXBLOCK: + sectors = MIFARE_4K_MAXSECTOR; + break; + case MIFARE_1K_MAXBLOCK: + default: + sectors = MIFARE_1K_MAXSECTOR; + break; + } + + uint16_t keysize = 2 * MIFARE_KEY_SIZE * sectors; + + uint8_t *keys = calloc(keysize, sizeof(uint8_t)); + if (keys == NULL) { + return PM3_EMALLOC; + } + + uint8_t sector = 0; + for (uint16_t i = 0; i < n; i++) { + if (mfIsSectorTrailer(i)) { + // key A offset in ST block + memcpy(keys + (MIFARE_KEY_SIZE * sector), d + (i * MFBLOCK_SIZE), MIFARE_KEY_SIZE); + + // key B offset in ST block + memcpy(keys + (MIFARE_KEY_SIZE * sectors) + (MIFARE_KEY_SIZE * sector), d + (i * MFBLOCK_SIZE) + 10, MIFARE_KEY_SIZE); + + sector++; + } + } + + char fn[FILE_PATH_SIZE] = {0}; + snprintf(fn, sizeof(fn), "hf-mf-%s-keys", sprint_hex_inrow(d, 4)); + saveFile(fn, ".bin", keys, keysize); + free(keys); + return PM3_SUCCESS; +} + /* static void mf_print_values(uint16_t n, uint8_t *d) { @@ -4396,6 +4442,7 @@ static int CmdHF14AMfEView(const char *Cmd) { arg_lit0(NULL, "2k", "MIFARE Classic/Plus 2k"), arg_lit0(NULL, "4k", "MIFARE Classic 4k / S70"), arg_lit0("v", "verbose", "verbose output"), + arg_lit0(NULL, "sk", "Save extracted keys to file"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, true); @@ -4404,6 +4451,7 @@ static int CmdHF14AMfEView(const char *Cmd) { bool m2 = arg_get_lit(ctx, 3); bool m4 = arg_get_lit(ctx, 4); bool verbose = arg_get_lit(ctx, 5); + bool save_keys = arg_get_lit(ctx, 6); CLIParserFree(ctx); // validations 
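Review bot: In mf_save_keys_from_arr the `default:` arm sizes `keys` for MIFARE_1K_MAXSECTOR, but the copy loop still runs to `n` and increments `sector` on every sector trailer. A block count that matches none of the four constants and is larger than the 1K layout therefore lets the key B `memcpy` write past the `calloc`'d buffer, while the key A copy spills into the key B half. The count comes from the callers, and in CmdHF14AMfView it presumably follows the size of a user-supplied dump file (how block_cnt is derived is outside these hunks), so an odd-sized or malformed dump should not be able to reach the copy. Bound the loop with `if (mfIsSectorTrailer(i) && sector < sectors) {`, or reject an unrecognised `n` with PM3_EINVARG instead of defaulting to 1K. The result of `saveFile` is also dropped, so the helper returns PM3_SUCCESS even when nothing was written; `int res = saveFile(fn, ".bin", keys, keysize); free(keys); return res;` would pass it on.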
@@ -4449,6 +4497,11 @@ static int CmdHF14AMfEView(const char *Cmd) { if (verbose) { mf_print_keys(block_cnt, dump); } + + if (save_keys) { + mf_save_keys_from_arr(block_cnt, dump); + } + free(dump); return PM3_SUCCESS; } @@ -7028,6 +7081,7 @@ static int CmdHF14AMfView(const char *Cmd) { arg_param_begin, arg_str1("f", "file", "", "filename of dump"), arg_lit0("v", "verbose", "verbose output"), + arg_lit0(NULL, "sk", "Save extracted keys to file"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); @@ -7035,6 +7089,7 @@ static int CmdHF14AMfView(const char *Cmd) { char filename[FILE_PATH_SIZE]; CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); bool verbose = arg_get_lit(ctx, 2); + bool save_keys = arg_get_lit(ctx, 3); CLIParserFree(ctx); // read dump file @@ -7065,6 +7120,10 @@ static int CmdHF14AMfView(const char *Cmd) { mf_analyse_acl(block_cnt, dump); } + if (save_keys) { + mf_save_keys_from_arr(block_cnt, dump); + } + int sector = DetectHID(dump, 0x4910); if (sector > -1) { // decode it
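Review bot: The call added in CmdHF14AMfEView discards the result of mf_save_keys_from_arr, so a PM3_EMALLOC from the helper is lost and the command still returns PM3_SUCCESS with no key file written; the call added in CmdHF14AMfView (last hunk) does the same. Capturing it with `int res = mf_save_keys_from_arr(block_cnt, dump);` and then logging the failure or returning `res` after `free(dump)` would make a failed save visible. The "sk" help string in both argtables could also state that the sector keys are written in clear to a file named from the first four dump bytes (`hf-mf-<hex>-keys` plus `.bin`), so users know key material lands on disk. Both command bodies continue outside the hunks.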