diff --git a/CHANGELOG.md b/CHANGELOG.md
index 537b0a721..3fb4060b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,8 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
-- Changed `hf mfp info` to identify Ev2 (@iceman1001)
+- Changed `hf 15 csetuid` - now supports gen2 command (@iceman1001)
+- Changed `hf mfp info` - to identify Ev2 (@iceman1001)
 - Updated Graph Markers implementation to include temporary markers and marker labels (@HACKhalo2)
 - Updated to SWIG 4.2.1 (@iceman1001)
 - Removed `data bin2hex` - replaced by `data num` (@iceman1001)
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index fa1e9cd58..22bdc0ca1 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1364,6 +1364,14 @@ static void PacketReceived(PacketCommandNG *packet) {
 SetTag15693Uid(payload->uid);
 break;
 }
+ case CMD_HF_ISO15693_CSETUID_V2: {
+ struct p {
+ uint8_t uid[8];
+ } PACKED;
+ struct p *payload = (struct p *) packet->data.asBytes;
+ SetTag15693Uid_v2(payload->uid);
+ break;
+ }
 case CMD_HF_ISO15693_SLIX_DISABLE_EAS: {
 struct p {
 uint8_t pwd[4];
diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c
index f9cc574ba..460bc9749 100644
--- a/armsrc/iso15693.c
+++ b/armsrc/iso15693.c
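Review bot: `SetTag15693Uid_v2` is called from the new `CMD_HF_ISO15693_CSETUID_V2` case, but no header change declaring it appears in this diff, so unless the prototype is added elsewhere appmain.c compiles against an implicit declaration, which current compilers reject. Add `void SetTag15693Uid_v2(const uint8_t *uid);` next to the existing `SetTag15693Uid` declaration in the header that declares it. Like the neighbouring CSETUID case, the handler casts `packet->data.asBytes` to an 8-byte struct without comparing against the received length; if `packet->length` is available here, a guard such as `if (packet->length < sizeof(struct p)) { reply_ng(CMD_HF_ISO15693_CSETUID_V2, PM3_EINVARG, NULL, 0); break; }` keeps a short frame from being read past its end. The enclosing switch in PacketReceived continues outside the hunk.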
@@ -2890,21 +2890,14 @@ void SetTag15693Uid(const uint8_t *uid) {
 uint8_t cmd[4][9] = {
 {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x3e, 0x00, 0x00, 0x00, 0x00, 0xE9, 0x8F},
 {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x3f, 0x69, 0x96, 0x00, 0x00, 0x8A, 0xBB},
- {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x38},
- {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x39}
+
+ // Command 3 : 02 21 38 u8u7u6u5 (where uX = uid byte X)
+ {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x38, uid[7], uid[6], uid[5], uid[4]},
+
+ // Command 4 : 02 21 39 u4u3u2u1 (where uX = uid byte X)
+ {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x39, uid[3], uid[2], uid[1], uid[0]}
 };
 
- // Command 3 : 02 21 38 u8u7u6u5 (where uX = uid byte X)
- cmd[2][3] = uid[7];
- cmd[2][4] = uid[6];
- cmd[2][5] = uid[5];
- cmd[2][6] = uid[4];
-
- // Command 4 : 02 21 39 u4u3u2u1 (where uX = uid byte X)
- cmd[3][3] = uid[3];
- cmd[3][4] = uid[2];
- cmd[3][5] = uid[1];
- cmd[3][6] = uid[0];
 
 AddCrc15(cmd[2], 7);
 AddCrc15(cmd[3], 7);
@@ -2938,6 +2931,54 @@ void SetTag15693Uid(const uint8_t *uid) {
 switch_off();
 }
 
+// Set the UID on Magic ISO15693 tag ( Gen2 ?)
+// E0 00 09 - seem to be command
+// 0x41, 0x40 - seem to be block referens
+void SetTag15693Uid_v2(const uint8_t *uid) {
+
+ LED_A_ON();
+ uint8_t cmd[2][11] = {
+
+ // hf 15 raw -wac -d 02e00941 + uid first four bytes
+ {ISO15_REQ_DATARATE_HIGH, ISO15693_MAGIC_WRITE, 0x00, 0x09, 0x41, uid[7], uid[6], uid[5], uid[4], 0x00, 0x00},
+
+ // hf 15 raw -wac -d 02e00940 + uid last four bytes
+ {ISO15_REQ_DATARATE_HIGH, ISO15693_MAGIC_WRITE, 0x00, 0x09, 0x40, uid[3], uid[2], uid[1], uid[0], 0x00, 0x00}
+ };
+
+ AddCrc15(cmd[0], 9);
+ AddCrc15(cmd[1], 9);
+
+ uint8_t buf[ISO15693_MAX_RESPONSE_LENGTH] = {0x00};
+
+ uint32_t start_time = 0;
+ uint32_t eof_time = 0;
+ uint16_t recvlen = 0;
+
+ int res = PM3_SUCCESS;
+
+ for (int i = 0; i < 2; i++) {
+ res = SendDataTag(
+ cmd[i],
+ sizeof(cmd[i]),
+ (i == 0) ? true : false,
+ true,
+ buf,
+ sizeof(buf),
+ start_time,
+ ISO15693_READER_TIMEOUT_WRITE,
+ &eof_time,
+ &recvlen
+ );
+
+ start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
+ }
+
+ reply_ng(CMD_HF_ISO15693_CSETUID_V2, res, NULL, 0);
+ switch_off();
+}
+
+
 static void init_password_15693_Slix(uint8_t *buffer, const uint8_t *pwd, const uint8_t *rnd) {
 memcpy(buffer, pwd, 4);
 if (rnd) {
diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c
index 11831dd5e..0144f7fcf 100644
--- a/client/src/cmdhf15.c
+++ b/client/src/cmdhf15.c
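Review bot: In the write loop of `SetTag15693Uid_v2`, `res` is overwritten on the second iteration, so a failed first `SendDataTag` is masked, the second write is still attempted, and the status sent with `reply_ng` reflects only the last write. Add `if (res != PM3_SUCCESS) { break; }` after the `start_time` update so the client learns about the first failure; `SetTag15693Uid`, whose loop is outside this hunk, may share the same pattern and would deserve the same treatment. `(i == 0) ? true : false` can simply be `i == 0`. In the header comment, `block referens` should read `block reference`, and since the comment already says the bytes only `seem to be` the command and block, it would help to state explicitly that the sequence is vendor-specific and was determined empirically for these magic tags.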
@@ -2735,11 +2735,14 @@ static int CmdHF15CSetUID(const char *Cmd) {
 CLIParserContext *ctx;
 CLIParserInit(&ctx, "hf 15 csetuid",
 "Set UID for magic Chinese card (only works with such cards)\n",
- "hf 15 csetuid -u E011223344556677");
+ "hf 15 csetuid -u E011223344556677 -> use gen1 command\n"
+ "hf 15 csetuid -u E011223344556677 --v2 -> use gen2 command"
+ );
 
 void *argtable[] = {
 arg_param_begin,
 arg_str1("u", "uid", "", "UID, 8 hex bytes"),
+ arg_lit0("2", "v2", "Use gen2 magic command"),
 arg_param_end
 };
 CLIExecWithReturn(ctx, Cmd, argtable, false);
@@ -2750,6 +2753,7 @@ static int CmdHF15CSetUID(const char *Cmd) {
 
 int uidlen = 0;
 CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen);
+ bool use_v2 = arg_get_lit(ctx, 2);
 CLIParserFree(ctx);
 
 if (uidlen != HF15_UID_LENGTH) {
@@ -2775,8 +2779,14 @@ static int CmdHF15CSetUID(const char *Cmd) {
 PrintAndLogEx(INFO, "Writing...");
 PacketResponseNG resp;
 clearCommandBuffer();
- SendCommandNG(CMD_HF_ISO15693_CSETUID, (uint8_t *)&payload, sizeof(payload));
- if (WaitForResponseTimeout(CMD_HF_ISO15693_CSETUID, &resp, 2000) == false) {
+
+ uint16_t cmd = CMD_HF_ISO15693_CSETUID;
+ if (use_v2) {
+ cmd = CMD_HF_ISO15693_CSETUID_V2;
+ }
+
+ SendCommandNG(cmd, (uint8_t *)&payload, sizeof(payload));
+ if (WaitForResponseTimeout(cmd, &resp, 2000) == false) {
 PrintAndLogEx(WARNING, "timeout while waiting for reply");
 DropField();
 return PM3_ESOFT;
diff --git a/client/src/cmdhflist.c b/client/src/cmdhflist.c
index be429561c..d76119482 100644
--- a/client/src/cmdhflist.c
+++ b/client/src/cmdhflist.c
@@ -704,6 +704,9 @@ void annotateIso15693(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
 case ISO15693_READ_SIGNATURE:
 snprintf(exp, size, "READ_SIGNATURE");
 return;
+ case ISO15693_MAGIC_WRITE:
+ snprintf(exp, size, "MAGIC_WRITEBLOCK");
+ return;
 default:
 break;
 }
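Review bot: The new `case ISO15693_MAGIC_WRITE:` in `annotateIso15693` labels every frame whose command byte is 0xE0 as `MAGIC_WRITEBLOCK`, but 0xE0-0xFF is the ISO/IEC 15693-3 proprietary command range, so the trace annotator will now tag any vendor's proprietary 0xE0 command as a magic-card write. A wrong label in a trace is worse for analysis than falling through to `default`, so the case should either also check the bytes that follow the command (the firmware's `SetTag15693Uid_v2` in armsrc/iso15693.c always sends `0x00, 0x09` next) before printing the label, or mark the annotation as tentative. Consider a comment on the case such as `// 0xE0 is in the proprietary range; only known as a write on magic gen2 tags`. The rest of annotateIso15693's switch is outside the hunk.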
@@ -2223,7 +2226,7 @@ bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isRes
 char sat[5] = {0, 0, 0, 0, 0};
 mf_get_paritybinstr(sat, AuthData.at_enc, AuthData.at_enc_par);
 
- PrintAndLogEx(NORMAL, "Nested authentication detected. ");
+ PrintAndLogEx(NORMAL, "Nested authentication detected!");
 PrintAndLogEx(NORMAL, "tools/mf_nonce_brute/mf_nonce_brute %x %x %s %x %x %s %x %s %s\n"
 , AuthData.uid
 , AuthData.nt_enc
diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h
index f82a31d69..5cc15946b 100644
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@@ -564,7 +564,6 @@ typedef struct {
 #define CMD_HF_ISO15693_SNIFF 0x0312
 #define CMD_HF_ISO15693_COMMAND 0x0313
 #define CMD_HF_ISO15693_FINDAFI 0x0315
-#define CMD_HF_ISO15693_CSETUID 0x0316
 #define CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY 0x0867
 #define CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY 0x0317
 #define CMD_HF_ISO15693_SLIX_DISABLE_EAS 0x0318
@@ -578,12 +577,17 @@ typedef struct {
 #define CMD_HF_ISO15693_EML_SETMEM 0x0331
 #define CMD_HF_ISO15693_EML_GETMEM 0x0332
 
+#define CMD_HF_ISO15693_CSETUID 0x0316
+#define CMD_HF_ISO15693_CSETUID_V2 0x0333
+
 #define CMD_LF_SNIFF_RAW_ADC 0x0360
 
 // For Hitag2 transponders
 #define CMD_LF_HITAG_SNIFF 0x0370
 #define CMD_LF_HITAG_SIMULATE 0x0371
 #define CMD_LF_HITAG_READER 0x0372
+#define CMD_LF_HITAG2_WRITE 0x0377
+#define CMD_LF_HITAG2_CRACK 0x0378
 
 // For HitagS
 #define CMD_LF_HITAGS_TEST_TRACES 0x0367
diff --git a/include/protocols.h b/include/protocols.h
index 68fa344eb..6cf5c5c2d 100644
--- a/include/protocols.h
+++ b/include/protocols.h
@@ -369,10 +369,10 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 #define CRYPTORF_ERR_MEMORY_ACCESS 0xEE
 #define CRYPTORF_ERR_MEMORY_ACCESS_SEC 0xF9
 
-//First byte is 26
+// First byte is 26
 #define ISO15693_INVENTORY 0x01
 #define ISO15693_STAYQUIET 0x02
-//First byte is 02
+// First byte is 02
 #define ISO15693_READBLOCK 0x20
 #define ISO15693_WRITEBLOCK 0x21
 #define ISO15693_LOCKBLOCK 0x22
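Review bot: `CMD_LF_HITAG2_WRITE` and `CMD_LF_HITAG2_CRACK` are added in the second pm3_cmd.h hunk but are unrelated to the csetuid change and have no handler or client use anywhere in this diff; if they belong to another branch they should land with it, otherwise a `// reserved for <follow-up change>` comment on the two lines would keep the numbers from being reused by accident. `CMD_HF_ISO15693_CSETUID` is moved out of the 0x031x block to sit beside the new `_V2` value, which reads well, but a one-line comment such as `// magic ISO15693 UID write, gen1 / gen2` above the pair would make the grouping intentional. The value 0x0333 does not collide with anything visible in the hunk; the rest of the command table is outside it.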
@@ -412,6 +412,9 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 #define ISO15693_STAYQUIET_PERSISTENT 0xBC
 #define ISO15693_READ_SIGNATURE 0xBD
 
+//
+#define ISO15693_MAGIC_WRITE 0xE0
+
 // Topaz command set:
 #define TOPAZ_REQA 0x26 // Request
 #define TOPAZ_WUPA 0x52 // WakeUp
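Review bot: The `//` line added above `ISO15693_MAGIC_WRITE` is an empty comment; it should say what the value is, e.g. `// Magic (gen2) ISO15693 tag: vendor-specific write command; 0xE0-0xFF is the ISO/IEC 15693-3 proprietary range`. The name alone suggests a standard command code, and the firmware comment in armsrc/iso15693.c says the bytes only `seem to be` the command, so the header is the place to record that this is tag-specific and not part of the standard command set.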