add support for generation 2 magic command when setting UID on ISO15693 cards. ref: https://github.com/RfidResearchGroup/proxmark3/issues/1604#issuecomment-2068444071

This commit is contained in:
iceman1001 2024-04-22 09:04:01 +02:00
parent 508a4ed064
commit 87c6633de1
7 changed files with 91 additions and 21 deletions


@ -3,7 +3,8 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Changed `hf mfp info` to identify Ev2 (@iceman1001)
- Changed `hf 15 csetuid` - now supports gen2 command (@iceman1001)
- Changed `hf mfp info` - to identify Ev2 (@iceman1001)
- Updated Graph Markers implementation to include temporary markers and marker labels (@HACKhalo2)
- Updated to SWIG 4.2.1 (@iceman1001)
- Removed `data bin2hex` - replaced by `data num` (@iceman1001)


@ -1364,6 +1364,14 @@ static void PacketReceived(PacketCommandNG *packet) {
SetTag15693Uid(payload->uid);
break;
}
case CMD_HF_ISO15693_CSETUID_V2: {
struct p {
uint8_t uid[8];
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
SetTag15693Uid_v2(payload->uid);
break;
}
case CMD_HF_ISO15693_SLIX_DISABLE_EAS: {
struct p {
uint8_t pwd[4];
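Review bot: The new CMD_HF_ISO15693_CSETUID_V2 case casts packet->data to an 8-byte struct without checking packet->length, so a shorter payload is accepted and the missing UID bytes are taken from whatever else sits in the packet buffer; the gen1 case just above has the same shape, but the new code is the place to add the guard, `if (packet->length < sizeof(struct p)) { reply_ng(CMD_HF_ISO15693_CSETUID_V2, PM3_EINVARG, NULL, 0); break; }` before the cast. Whether other handlers in PacketReceived already validate length this way cannot be seen from the hunk; if a shared pattern exists, follow it. PacketReceived starts and ends outside the hunk.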


@ -2890,21 +2890,14 @@ void SetTag15693Uid(const uint8_t *uid) {
uint8_t cmd[4][9] = {
{ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x3e, 0x00, 0x00, 0x00, 0x00, 0xE9, 0x8F},
{ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x3f, 0x69, 0x96, 0x00, 0x00, 0x8A, 0xBB},
{ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x38},
{ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x39}
// Command 3 : 02 21 38 u8u7u6u5 (where uX = uid byte X)
{ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x38, uid[7], uid[6], uid[5], uid[4]},
// Command 4 : 02 21 39 u4u3u2u1 (where uX = uid byte X)
{ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x39, uid[3], uid[2], uid[1], uid[0]}
};
// Command 3 : 02 21 38 u8u7u6u5 (where uX = uid byte X)
cmd[2][3] = uid[7];
cmd[2][4] = uid[6];
cmd[2][5] = uid[5];
cmd[2][6] = uid[4];
// Command 4 : 02 21 39 u4u3u2u1 (where uX = uid byte X)
cmd[3][3] = uid[3];
cmd[3][4] = uid[2];
cmd[3][5] = uid[1];
cmd[3][6] = uid[0];
AddCrc15(cmd[2], 7);
AddCrc15(cmd[3], 7);
@ -2938,6 +2931,54 @@ void SetTag15693Uid(const uint8_t *uid) {
switch_off();
}
// Set the UID on Magic ISO15693 tag ( Gen2 ?)
// E0 00 09 - seem to be command
// 0x41, 0x40 - seem to be block referens
void SetTag15693Uid_v2(const uint8_t *uid) {
LED_A_ON();
uint8_t cmd[2][11] = {
// hf 15 raw -wac -d 02e00941 + uid first four bytes
{ISO15_REQ_DATARATE_HIGH, ISO15693_MAGIC_WRITE, 0x00, 0x09, 0x41, uid[7], uid[6], uid[5], uid[4], 0x00, 0x00},
// hf 15 raw -wac -d 02e00940 + uid last four bytes
{ISO15_REQ_DATARATE_HIGH, ISO15693_MAGIC_WRITE, 0x00, 0x09, 0x40, uid[3], uid[2], uid[1], uid[0], 0x00, 0x00}
};
AddCrc15(cmd[0], 9);
AddCrc15(cmd[1], 9);
uint8_t buf[ISO15693_MAX_RESPONSE_LENGTH] = {0x00};
uint32_t start_time = 0;
uint32_t eof_time = 0;
uint16_t recvlen = 0;
int res = PM3_SUCCESS;
for (int i = 0; i < 2; i++) {
res = SendDataTag(
cmd[i],
sizeof(cmd[i]),
(i == 0) ? true : false,
true,
buf,
sizeof(buf),
start_time,
ISO15693_READER_TIMEOUT_WRITE,
&eof_time,
&recvlen
);
start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
}
reply_ng(CMD_HF_ISO15693_CSETUID_V2, res, NULL, 0);
switch_off();
}
static void init_password_15693_Slix(uint8_t *buffer, const uint8_t *pwd, const uint8_t *rnd) {
memcpy(buffer, pwd, 4);
if (rnd) {
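Review bot: In SetTag15693Uid_v2 the loop overwrites `res` on every iteration, so a failure of the first write is masked when the second one succeeds and the client is told PM3_SUCCESS, and the second write is sent regardless of the first result. Add `if (res != PM3_SUCCESS) { break; }` after the start_time update so the first error is the one reported and a half-written UID is not reported as success. The ternary `(i == 0) ? true : false` reads more simply as `i == 0`. The header comment is tentative ("seem to be command", "block referens"); consider stating what the linked issue established, that the two writes go to blocks 0x41 and 0x40 through command 0xE0 (ISO15693_MAGIC_WRITE), and fix the typo to "reference". The gen1 SetTag15693Uid loop body is not visible in this hunk; if it has the same shape, the same masking applies there.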


@ -2735,11 +2735,14 @@ static int CmdHF15CSetUID(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 csetuid",
"Set UID for magic Chinese card (only works with such cards)\n",
"hf 15 csetuid -u E011223344556677");
"hf 15 csetuid -u E011223344556677 -> use gen1 command\n"
"hf 15 csetuid -u E011223344556677 --v2 -> use gen2 command"
);
void *argtable[] = {
arg_param_begin,
arg_str1("u", "uid", "<hex>", "UID, 8 hex bytes"),
arg_lit0("2", "v2", "Use gen2 magic command"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
@ -2750,6 +2753,7 @@ static int CmdHF15CSetUID(const char *Cmd) {
int uidlen = 0;
CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen);
bool use_v2 = arg_get_lit(ctx, 2);
CLIParserFree(ctx);
if (uidlen != HF15_UID_LENGTH) {
@ -2775,8 +2779,14 @@ static int CmdHF15CSetUID(const char *Cmd) {
PrintAndLogEx(INFO, "Writing...");
PacketResponseNG resp;
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_CSETUID, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(CMD_HF_ISO15693_CSETUID, &resp, 2000) == false) {
uint16_t cmd = CMD_HF_ISO15693_CSETUID;
if (use_v2) {
cmd = CMD_HF_ISO15693_CSETUID_V2;
}
SendCommandNG(cmd, (uint8_t *)&payload, sizeof(payload));
if (WaitForResponseTimeout(cmd, &resp, 2000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply");
DropField();
return PM3_ESOFT;
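Review bot: The new local `cmd` in CmdHF15CSetUID sits next to the function's `Cmd` parameter and differs from it only in case, which is easy to misread while both are in scope; a name such as `cmd_id` avoids that, and the selection collapses to one line, `uint16_t cmd_id = use_v2 ? CMD_HF_ISO15693_CSETUID_V2 : CMD_HF_ISO15693_CSETUID;`. The help text now documents two modes but gives the user no way to tell which generation their card is; a sentence in the description such as "try --v2 if the gen1 command leaves the UID unchanged" would save a guess. The function starts before the first hunk and continues past the last one.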


@ -704,6 +704,9 @@ void annotateIso15693(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
case ISO15693_READ_SIGNATURE:
snprintf(exp, size, "READ_SIGNATURE");
return;
case ISO15693_MAGIC_WRITE:
snprintf(exp, size, "MAGIC_WRITEBLOCK");
return;
default:
break;
}
@ -2223,7 +2226,7 @@ bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isRes
char sat[5] = {0, 0, 0, 0, 0};
mf_get_paritybinstr(sat, AuthData.at_enc, AuthData.at_enc_par);
PrintAndLogEx(NORMAL, "Nested authentication detected. ");
PrintAndLogEx(NORMAL, "Nested authentication detected!");
PrintAndLogEx(NORMAL, "tools/mf_nonce_brute/mf_nonce_brute %x %x %s %x %x %s %x %s %s\n"
, AuthData.uid
, AuthData.nt_enc
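Review bot: The new annotateIso15693 case labels every 0xE0 command as MAGIC_WRITEBLOCK, but 0xE0 lies in the ISO 15693 proprietary command range, so traces from other tags whose vendor uses that code would be mislabelled; the label text also differs from the define name ISO15693_MAGIC_WRITE. Consider a comment at the case, `// 0xE0 is a proprietary-range code; only known as the gen2 magic write`, and a label that matches the constant, `snprintf(exp, size, "MAGIC_WRITE");`. The second hunk in this section only changes log punctuation. annotateIso15693 starts outside the hunk.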


@ -564,7 +564,6 @@ typedef struct {
#define CMD_HF_ISO15693_SNIFF 0x0312
#define CMD_HF_ISO15693_COMMAND 0x0313
#define CMD_HF_ISO15693_FINDAFI 0x0315
#define CMD_HF_ISO15693_CSETUID 0x0316
#define CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY 0x0867
#define CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY 0x0317
#define CMD_HF_ISO15693_SLIX_DISABLE_EAS 0x0318
@ -578,12 +577,17 @@ typedef struct {
#define CMD_HF_ISO15693_EML_SETMEM 0x0331
#define CMD_HF_ISO15693_EML_GETMEM 0x0332
#define CMD_HF_ISO15693_CSETUID 0x0316
#define CMD_HF_ISO15693_CSETUID_V2 0x0333
#define CMD_LF_SNIFF_RAW_ADC 0x0360
// For Hitag2 transponders
#define CMD_LF_HITAG_SNIFF 0x0370
#define CMD_LF_HITAG_SIMULATE 0x0371
#define CMD_LF_HITAG_READER 0x0372
#define CMD_LF_HITAG2_WRITE 0x0377
#define CMD_LF_HITAG2_CRACK 0x0378
// For HitagS
#define CMD_LF_HITAGS_TEST_TRACES 0x0367


@ -369,10 +369,10 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
#define CRYPTORF_ERR_MEMORY_ACCESS 0xEE
#define CRYPTORF_ERR_MEMORY_ACCESS_SEC 0xF9
//First byte is 26
// First byte is 26
#define ISO15693_INVENTORY 0x01
#define ISO15693_STAYQUIET 0x02
//First byte is 02
// First byte is 02
#define ISO15693_READBLOCK 0x20
#define ISO15693_WRITEBLOCK 0x21
#define ISO15693_LOCKBLOCK 0x22
@ -412,6 +412,9 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
#define ISO15693_STAYQUIET_PERSISTENT 0xBC
#define ISO15693_READ_SIGNATURE 0xBD
//
#define ISO15693_MAGIC_WRITE 0xE0
// Topaz command set:
#define TOPAZ_REQA 0x26 // Request
#define TOPAZ_WUPA 0x52 // WakeUp