From 9ea6665a244b7ec5e2ab2ad2a110d20dc0ca48fe Mon Sep 17 00:00:00 2001
From: cyberpunk-re
Date: Mon, 7 Dec 2020 12:55:11 +0000
Subject: [PATCH 1/6] Fix issue #844
---
 CHANGELOG.md | 4 +-
 client/luascripts/hf_mf_unbrick_baduid.lua | 125 +++++++++++++++++++++
 client/src/cmdlft55xx.c | 5 +-
 3 files changed, 131 insertions(+), 3 deletions(-)
 create mode 100644 client/luascripts/hf_mf_unbrick_baduid.lua
diff --git a/CHANGELOG.md b/CHANGELOG.md
index de0373163..39c602ad9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,9 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
- - Fix `hf 15 sim` - Added basic response to GET_SYSTEM_INFO and READBLOCK requests in order to fix iso15693 tag sim
+ - Fix issue #844 - `lf t55xx config` => recompute block0 (@cyberpunk-re)
+ - Add script hf_mf_unbrick_baduid.lua to revive mifare cards with bad BCC (@cyberpunk-re)
+ - Fix `hf 15 sim` - Added basic response to GET_SYSTEM_INFO and READBLOCK requests in order to fix iso15693 tag sim (@cyberpunk-re)
 - Added `mf mfu sim t 7 n ` - MFU emulation now supports automatic exit after blocks read. (@cyberpunk-re)
 - Added T55xx Guide to assist in learning how to use the T55xx chip (@mwalker33)
 - Fix 'hf iclass wrbl' - dealing with tags in unsecured vs secured pagemode now is correct (@iceman1001)
diff --git a/client/luascripts/hf_mf_unbrick_baduid.lua b/client/luascripts/hf_mf_unbrick_baduid.lua
new file mode 100644
index 000000000..b96b8828e
--- /dev/null
+++ b/client/luascripts/hf_mf_unbrick_baduid.lua
@@ -0,0 +1,125 @@
+local getopt = require('getopt')
+local ansicolors = require('ansicolors')
+
+copyright = ''
+author = 'cyberpunk-re'
+version = 'v1.0.0'
+desc = [[
+This script brings back to life a mifare UID modifiable card which has bad data written to block 0 or block 1, typically having a bad BCC (Block Check Character). It should workd on Mifare classic 1k/4k and Mifare Ultralight UID Modifiable and Direct write tags.
+]]
+example = [[
+ -- target a Ultralight based card
+ 1. script run hf_mf_unbrick_baduid -u
+
+]]
+usage = [[
+script run hf_mf_unbrick_baduid [-h] [-u]
+]]
+arguments = [[
+ -h this help
+ -u unbrick UID Modifiable/Direct Write Ultralight tag with 7 bytes UID.
+]]
+
+-- Helper functions borrowed from Iceman script hf_mf_magicrevive.lua
+
+---
+-- A debug printout-function
+local function dbg(args)
+ if not DEBUG then return end
+ if type(args) == 'table' then
+ local i = 1
+ while result[i] do
+ dbg(result[i])
+ i = i+1
+ end
+ else
+ print('###', args)
+ end
+end
+---
+-- This is only meant to be used when errors occur
+local function oops(err)
+ print('ERROR:', err)
+ core.clearCommandBuffer()
+ return nil, err
+end
+---
+-- Usage help
+local function help()
+ print(copyright)
+ print(author)
+ print(version)
+ print(desc)
+ print(ansicolors.cyan..'Usage'..ansicolors.reset)
+ print(usage)
+ print(ansicolors.cyan..'Arguments'..ansicolors.reset)
+ print(arguments)
+ print(ansicolors.cyan..'Example usage'..ansicolors.reset)
+ print(example)
+end
+
+local function cmdUltralight()
+ return {
+ [0] = 'hf 14a config b 2',
+ [1] = 'hf 14a raw -k -a 43',
+ [2] = 'hf 14a raw -c -a A2005380712A',
+ [3] = 'hf 14a raw -k -a -b 7 40',
+ [4] = 'hf 14a raw -k -a 43',
+ [5] = 'hf 14a raw -c -a A2010200D980',
+ [6] = 'hf 14a raw -k -a -b 7 40',
+ [7] = 'hf 14a raw -k -a 43',
+ [8] = 'hf 14a raw -c -a A2025B480000',
+ [9] = 'hf 14a config b 0',
+ }
+end
+local function cmdClassic()
+ return {
+ [0] = 'hf 14a raw -k -a -b 7 40',
+ [1] = 'hf 14a raw -k -a 43',
+ [2] = 'hf 14a raw -c -k -a A000',
+ [3] = 'hf 14a raw -c -k -a 01020304049802000000000000001001',
+ [4] = 'hf 14a raw -c -a 5000',
+ }
+end
+local function cmdRestoreST()
+ local arr = {}
+ for i = 0, 15 do
+ local blk = 3 + (4*i)
+ arr[i] = 'hf mf csetbl '..blk..' FFFFFFFFFFFFFF078000FFFFFFFFFFFF'
+ end
+ return arr
+end
+local function sendCmds( cmds )
+ for i = 0, #cmds do
+ if cmds[i] then
+ print ( cmds[i] )
+ core.console( cmds[i] )
+ core.clearCommandBuffer()
+ end
+ end
+end
+---
+-- The main entry point
+function main(args)
+
+ local i
+ local cmds = {}
+ local isUltralight = false
+
+ -- Read the parameters
+ for o, a in getopt.getopt(args, 'hu') do
+ if o == 'h' then return help() end
+ if o == 'u' then isUltralight = true end
+ end
+
+ core.clearCommandBuffer()
+
+ if isUltralight then
+ sendCmds ( cmdUltralight() )
+ else
+ sendCmds( cmdClassic() )
+ sendCmds( cmdRestoreST() )
+ end
+end
+
+main(args)
diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c
index 80c8eda4f..df00da6b1 100644
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
@@ -739,6 +739,7 @@ static int CmdT55xxSetConfig(const char *Cmd) {
 for (; i < 9; i++) {
 if (rates[i] == bitRate) {
 config.bitrate = i;
+ config.block0 = ((config.block0 & ~(0x1c0000)) | (i << 18));
 break;
 }
 }
@@ -789,6 +790,7 @@ static int CmdT55xxSetConfig(const char *Cmd) {
 PrintAndLogEx(WARNING, "Unknown modulation '%s'", modulation);
 errors = true;
 }
+ config.block0 = ((config.block0 & ~(0x1f0000)) | (config.modulation << 12));
 break;
 case 'i':
 if ((param_getchar(Cmd, cmdp + 1) == '0') || (param_getchar(Cmd, cmdp + 1) == '1')) {
@@ -822,6 +824,7 @@ static int CmdT55xxSetConfig(const char *Cmd) {
 config.ST = true;
 cmdp += 1;
 }
+ config.block0 = ((config.block0 & ~(0x8)) | (config.ST << 3));
 break;
 case 'r':
 errors = param_getdec(Cmd, cmdp + 1, &downlink_mode);
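Review bot: `dbg` iterates `result[i]`, but nothing named `result` is defined in this file, so with DEBUG set and a table argument it fails on indexing a nil global; the loop should read `while args[i] do` and `dbg(args[i])`. `sendCmds` ignores whatever `core.console` reports, so `cmdRestoreST` goes on to rewrite the sector trailers even when the block 0 write before it failed, and it covers only blocks 3 to 63 (16 sectors) although `desc` also names 4k cards. The script overwrites block 0 and every one of those trailers with fixed values and no confirmation, so it resets a healthy card's UID and keys as readily as a bricked one; a prompt, or stopping at the first command that fails, would limit that. `oops`, `local i` and `local cmds` are never used.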
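Review bot: In the `-789` hunk the new `config.block0 = …` line sits after the if/else chain, so it also runs on the `Unknown modulation` branch that sets `errors = true`, and `config.block0` is rewritten before the command can bail out. The mask `0x1f0000` clears bits 16 to 20, which overlaps the bit-rate field cleared with `0x1c0000` in the `-739` hunk and leaves bits 12 to 15 alone although the value is shifted to bit 12 (PATCH 4/6 later narrows it to `0x1f000`). The value is not bounded either: if `config.modulation` can ever hold more than five bits, the OR reaches into the neighbouring fields, so I would write `config.block0 = (config.block0 & ~0x1f000U) | ((config.modulation & 0x1fU) << 12);` and skip it when `errors` is set. `CmdT55xxSetConfig` starts and ends outside the hunk, so the type of `config.modulation` should be confirmed there.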
@@ -843,8 +846,6 @@ static int CmdT55xxSetConfig(const char *Cmd) {
 if (gotconf) {
 SetConfigWithBlock0Ex(block0, config.offset, config.Q5);
- } else {
- config.block0 = 0;
 }
 return printConfiguration(config);
From cc324b83ec3b78a959988d1bdd79eeaea549e472 Mon Sep 17 00:00:00 2001
From: cyberpunk-re
Date: Mon, 7 Dec 2020 13:49:35 +0000
Subject: [PATCH 2/6] Correction on CHANGELOG
---
 CHANGELOG.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39c602ad9..a6e8e76b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,6 @@ This project uses the changelog in accordance with [keepac
 ## [unreleased][unreleased]
 - Fix issue #844 - `lf t55xx config` => recompute block0 (@cyberpunk-re)
- - Add script hf_mf_unbrick_baduid.lua to revive mifare cards with bad BCC (@cyberpunk-re)
 - Fix `hf 15 sim` - Added basic response to GET_SYSTEM_INFO and READBLOCK requests in order to fix iso15693 tag sim (@cyberpunk-re)
 - Added `mf mfu sim t 7 n ` - MFU emulation now supports automatic exit after blocks read. (@cyberpunk-re)
 - Added T55xx Guide to assist in learning how to use the T55xx chip (@mwalker33)
From dcf7e52b01f5756b3cf0fc6010b0e8c8403d2c4d Mon Sep 17 00:00:00 2001
From: cyberpunk-re
Date: Mon, 7 Dec 2020 13:51:23 +0000
Subject: [PATCH 3/6] Remove lua script not belonging to this PR
---
 client/luascripts/hf_mf_unbrick_baduid.lua | 125 ---------------------
 1 file changed, 125 deletions(-)
 delete mode 100644 client/luascripts/hf_mf_unbrick_baduid.lua
diff --git a/client/luascripts/hf_mf_unbrick_baduid.lua b/client/luascripts/hf_mf_unbrick_baduid.lua
deleted file mode 100644
index b96b8828e..000000000
--- a/client/luascripts/hf_mf_unbrick_baduid.lua
+++ /dev/null
@@ -1,125 +0,0 @@
-local getopt = require('getopt')
-local ansicolors = require('ansicolors')
-
-copyright = ''
-author = 'cyberpunk-re'
-version = 'v1.0.0'
-desc = [[
-This script brings back to life a mifare UID modifiable card which has bad data written to block 0 or block 1, typically having a bad BCC (Block Check Character). It should workd on Mifare classic 1k/4k and Mifare Ultralight UID Modifiable and Direct write tags.
-]]
-example = [[
- -- target a Ultralight based card
- 1. script run hf_mf_unbrick_baduid -u
-
-]]
-usage = [[
-script run hf_mf_unbrick_baduid [-h] [-u]
-]]
-arguments = [[
- -h this help
- -u unbrick UID Modifiable/Direct Write Ultralight tag with 7 bytes UID.
-]]
-
--- Helper functions borrowed from Iceman script hf_mf_magicrevive.lua
-
----
--- A debug printout-function
-local function dbg(args)
- if not DEBUG then return end
- if type(args) == 'table' then
- local i = 1
- while result[i] do
- dbg(result[i])
- i = i+1
- end
- else
- print('###', args)
- end
-end
----
--- This is only meant to be used when errors occur
-local function oops(err)
- print('ERROR:', err)
- core.clearCommandBuffer()
- return nil, err
-end
----
--- Usage help
-local function help()
- print(copyright)
- print(author)
- print(version)
- print(desc)
- print(ansicolors.cyan..'Usage'..ansicolors.reset)
- print(usage)
- print(ansicolors.cyan..'Arguments'..ansicolors.reset)
- print(arguments)
- print(ansicolors.cyan..'Example usage'..ansicolors.reset)
- print(example)
-end
-
-local function cmdUltralight()
- return {
- [0] = 'hf 14a config b 2',
- [1] = 'hf 14a raw -k -a 43',
- [2] = 'hf 14a raw -c -a A2005380712A',
- [3] = 'hf 14a raw -k -a -b 7 40',
- [4] = 'hf 14a raw -k -a 43',
- [5] = 'hf 14a raw -c -a A2010200D980',
- [6] = 'hf 14a raw -k -a -b 7 40',
- [7] = 'hf 14a raw -k -a 43',
- [8] = 'hf 14a raw -c -a A2025B480000',
- [9] = 'hf 14a config b 0',
- }
-end
-local function cmdClassic()
- return {
- [0] = 'hf 14a raw -k -a -b 7 40',
- [1] = 'hf 14a raw -k -a 43',
- [2] = 'hf 14a raw -c -k -a A000',
- [3] = 'hf 14a raw -c -k -a 01020304049802000000000000001001',
- [4] = 'hf 14a raw -c -a 5000',
- }
-end
-local function cmdRestoreST()
- local arr = {}
- for i = 0, 15 do
- local blk = 3 + (4*i)
- arr[i] = 'hf mf csetbl '..blk..' FFFFFFFFFFFFFF078000FFFFFFFFFFFF'
- end
- return arr
-end
-local function sendCmds( cmds )
- for i = 0, #cmds do
- if cmds[i] then
- print ( cmds[i] )
- core.console( cmds[i] )
- core.clearCommandBuffer()
- end
- end
-end
----
--- The main entry point
-function main(args)
-
- local i
- local cmds = {}
- local isUltralight = false
-
- -- Read the parameters
- for o, a in getopt.getopt(args, 'hu') do
- if o == 'h' then return help() end
- if o == 'u' then isUltralight = true end
- end
-
- core.clearCommandBuffer()
-
- if isUltralight then
- sendCmds ( cmdUltralight() )
- else
- sendCmds( cmdClassic() )
- sendCmds( cmdRestoreST() )
- end
-end
-
-main(args)
From 00cff49f9d985cfe1fa8691ff5ddf10c8c19bdce Mon Sep 17 00:00:00 2001
From: cyberpunk-re
Date: Mon, 7 Dec 2020 23:33:58 +0000
Subject: [PATCH 4/6] fixed incorrect bitmask on modulation
---
 client/src/cmdlft55xx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c
index df00da6b1..9eed344d7 100644
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
@@ -790,7 +790,7 @@ static int CmdT55xxSetConfig(const char *Cmd) {
 PrintAndLogEx(WARNING, "Unknown modulation '%s'", modulation);
 errors = true;
 }
- config.block0 = ((config.block0 & ~(0x1f0000)) | (config.modulation << 12));
+ config.block0 = ((config.block0 & ~(0x1f000)) | (config.modulation << 12));
 break;
 case 'i':
 if ((param_getchar(Cmd, cmdp + 1) == '0') || (param_getchar(Cmd, cmdp + 1) == '1')) {
From b52d50d30a8af37ad46180b54b11456841b83f1c Mon Sep 17 00:00:00 2001
From: cyberpunk-re
Date: Tue, 8 Dec 2020 22:54:29 +0000
Subject: [PATCH 5/6] Block0 source explicit in lf t55xx config and color coded
---
 client/src/cmdlft55xx.c | 28 +++++++++++++++++++++++++++-
 client/src/cmdlft55xx.h | 7 +++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c
index 9eed344d7..40cc0be5a 100644
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
@@ -51,6 +51,7 @@ t55xx_conf_block_t config = {
 .inverted = false,
 .offset = 0x00,
 .block0 = 0x00,
+ .block0Status = notSet,
 .Q5 = false,
 .usepwd = false,
 .downlink_mode = refFixedBit
@@ -844,6 +845,7 @@ static int CmdT55xxSetConfig(const char *Cmd) {
 //Validations
 if (errors) return usage_t55xx_config();
+ config.block0Status = userSet;
 if (gotconf) {
 SetConfigWithBlock0Ex(block0, config.offset, config.Q5);
 }
@@ -1336,6 +1338,7 @@ bool t55xxTryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32
 config.pwd = pwd & 0xffffffff;
 }
+ config.block0Status = autoDetect;
 if (print_config) printConfiguration(config);
@@ -1371,6 +1374,7 @@ bool t55xxTryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32
 PrintAndLogEx(NORMAL, "--[%d]---------------", i + 1);
 }
+ config.block0Status = autoDetect;
 if (print_config) printConfiguration(tests[i]);
 }
@@ -1641,7 +1645,7 @@ int printConfiguration(t55xx_conf_block_t b) {
 PrintAndLogEx(INFO, " Inverted : %s", (b.inverted) ? _GREEN_("Yes") : "No");
 PrintAndLogEx(INFO, " Offset : %d", b.offset);
 PrintAndLogEx(INFO, " Seq. Term. : %s", (b.ST) ? _GREEN_("Yes") : "No");
- PrintAndLogEx(INFO, " Block0 : 0x%08X", b.block0);
+ PrintAndLogEx(INFO, " Block0 : 0x%08X %s", b.block0, GetConfigBlock0Source(b.block0Status));
 PrintAndLogEx(INFO, " Downlink Mode : %s", GetDownlinkModeStr(b.downlink_mode));
 PrintAndLogEx(INFO, " Password Set : %s", (b.usepwd) ? _RED_("Yes") : _GREEN_("No"));
 if (b.usepwd) {
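Review bot: In the `-1371` hunk the status is stored in the global `config`, but the statement that follows prints `tests[i]`; `printConfiguration` takes its argument by value and reads `b.block0Status`, so each candidate is printed with whatever `tests[i].block0Status` already holds rather than `autoDetect`. Setting it on the entry that is printed, `tests[i].block0Status = autoDetect;`, gives the right label. Whether the global `config` should be touched at all at this point is worth confirming, since the surrounding code of `t55xxTryDetectModulationEx` is outside the hunk. The `-1336` hunk is not affected because it prints `config` itself.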
@@ -2801,6 +2805,28 @@ char *GetModelStrFromCID(uint32_t cid) {
 return buf;
 }
+char *GetConfigBlock0Source(uint8_t id) {
+
+ static char buf[20];
+ char *retStr = buf;
+
+ switch (id) {
+ case autoDetect:
+ snprintf(retStr, sizeof(buf), _YELLOW_("(Auto detect)"));
+ break;
+ case userSet:
+ snprintf(retStr, sizeof(buf), _YELLOW_("(User set)"));
+ break;
+ case tagRead:
+ snprintf(retStr, sizeof(buf), _GREEN_("(Tag read)"));
+ break;
+ default:
+ snprintf(retStr, sizeof(buf), _RED_("(Unknown)"));
+ break;
+ }
+ return buf;
+}
+
 char *GetSelectedModulationStr(uint8_t id) {
 static char buf[20];
diff --git a/client/src/cmdlft55xx.h b/client/src/cmdlft55xx.h
index 4352eed64..90fbaa85d 100644
--- a/client/src/cmdlft55xx.h
+++ b/client/src/cmdlft55xx.h
@@ -125,6 +125,12 @@ typedef struct {
 bool inverted;
 uint8_t offset;
 uint32_t block0;
+ enum {
+ notSet = 0x00,
+ autoDetect = 0x01,
+ userSet = 0x02,
+ tagRead = 0x03,
+ } block0Status;
 enum {
 RF_8 = 0x00,
 RF_16 = 0x01,
@@ -166,6 +172,7 @@ char *GetSaferStr(uint32_t id);
 char *GetQ5ModulationStr(uint32_t id);
 char *GetModulationStr(uint32_t id, bool xmode);
 char *GetModelStrFromCID(uint32_t cid);
+char *GetConfigBlock0Source(uint8_t id);
 char *GetSelectedModulationStr(uint8_t id);
 char *GetDownlinkModeStr(uint8_t downlink_mode);
 void printT5xxHeader(uint8_t page);
From 7f4fe79aaa44d6664627cf6f32ff1f1d44b06d6b Mon Sep 17 00:00:00 2001
From: cyberpunk-re
Date: Tue, 8 Dec 2020 23:32:23 +0000
Subject: [PATCH 6/6] Made GetConfigBlock0Source string buf larger to acomodate ASCII color escape expansion
---
 client/src/cmdlft55xx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c
index 40cc0be5a..a3f5ca20b 100644
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
@@ -2807,7 +2807,7 @@ char *GetModelStrFromCID(uint32_t cid) {
 char *GetConfigBlock0Source(uint8_t id) {
- static char buf[20];
+ static char buf[40];
 char *retStr = buf;
 switch (id) {
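Review bot: `GetConfigBlock0Source` in the `-2801` hunk copies a fixed label into `static char buf[20]`, and going by the subject of PATCH 6/6 the colour macros expand to more than the visible text, so `snprintf` truncates the label and can drop the closing colour reset; raising the size to 40 there still relies on a hand-counted length. None of the four labels takes a format argument, so the buffer and `snprintf` can be dropped and the literals returned directly, which also removes the shared static state. That needs the return type here and in the `cmdlft55xx.h` prototype changed to `const char *`. As written, `retStr` is filled but `buf` is returned, which is harmless but reads oddly.
```c
const char *GetConfigBlock0Source(uint8_t id) {
    switch (id) {
        case autoDetect:
            return _YELLOW_("(Auto detect)");
        case userSet:
            return _YELLOW_("(User set)");
        case tagRead:
            return _GREEN_("(Tag read)");
        default:
            return _RED_("(Unknown)");
    }
}
```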
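Review bot: The new `block0Status` enum in the `cmdlft55xx.h` hunk has no comment saying what each state means or which code path sets it, and within this series nothing assigns `tagRead`, while `notSet` has no case in `GetConfigBlock0Source` and is therefore printed as `(Unknown)`. Since this label tells the operator whether the Block0 value shown came from the tag or from local settings, I would add a comment above the enum such as `// origin of config.block0: never filled, detected, set via 'lf t55xx config', or read from the tag` and an explicit `case notSet:`. The struct continues outside the hunk.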