Merge pull request #2888 from Antiklesys/master

Updated hf iclass sim -t 6
2025-08-21 05:43:48 -07:00 · 2025-06-07 11:01:59 +02:00 · 2025-06-07 11:01:59 +02:00 · 9a2395d40f
commit 9a2395d40f
parent 32e29d9340 f49bc8ebaa
2 changed files with 23 additions and 9 deletions
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@ -608,10 +608,16 @@ int do_iclass_simulation(int simulationMode, uint8_t *reader_mac_buf) {
                    trace_data_size = sizeof(ff_data);
                } else { // use data from emulator memory
                    if (simulationMode == ICLASS_SIM_MODE_FULL_GLITCH){
-                        uint8_t block_check[8] ={0};
-                        memcpy(block_check, emulator + (current_page * page_size) + (31 * 8), 8);
-                        if (block == block_check[7]){
-                            goto send;
+                        //Jam the read based on the last SIO block
+                        if (memcmp(emulator + (current_page * page_size) + (5 * 8), ff_data, PICOPASS_BLOCK_SIZE) == 0){ //SR card
+                            if (block == 16){ //SR cards use a standard legth SIO
+                                goto send;
+                            }
+                        }else{ //For SE cards we have to account for different SIO lengths depending if a standard or custom key is used
+                            uint8_t *sio = emulator + (current_page * page_size) + (6 * 8);
+                            if (block == (5 + ((sio[1] + 12) / 8))) {
+                                goto send;
+                            }
                        }
                    }

@ -798,10 +804,18 @@ int do_iclass_simulation(int simulationMode, uint8_t *reader_mac_buf) {
            }

            if (simulationMode == ICLASS_SIM_MODE_FULL_GLITCH){
-                uint8_t block_check[8] ={0};
-                memcpy(block_check, emulator + (current_page * page_size) + (31 * 8), 8);
-                if (block == block_check[7]){
-                    goto send;
+                //Jam the read based on the last SIO block
+                uint8_t *sr_or_sio = emulator + (current_page * page_size) + (6 * 8);
+                if (memcmp(emulator + (current_page * page_size) + (5 * 8), ff_data, PICOPASS_BLOCK_SIZE) == 0){ //SR card
+                    if (block == 16){ //SR cards use a standard legth SIO
+                        //update block 6 byte 1 from 03 to A3
+                        sr_or_sio[0] |= 0xA0;
+                        goto send;
+                    }
+                }else{ //For SE cards we have to account for different SIO lengths depending if a standard or custom key is used
+                    if (block == (5 + ((sr_or_sio[1] + 12) / 8))) {
+                        goto send;
+                    }
                }
            }

--- a/client/src/cmdhficlass.c
+++ b/client/src/cmdhficlass.c
@ -845,7 +845,7 @@ static int CmdHFiClassSim(const char *Cmd) {
                  "hf iclass sim -t 2                          --> execute loclass attack online part\n"
                  "hf iclass sim -t 3                          --> simulate full iCLASS 2k tag\n"
                  "hf iclass sim -t 4                          --> Reader-attack, adapted for KeyRoll mode, gather reader responses to extract elite key\n"
-                  "hf iclass sim -t 6                          --> same as -t 3, but doesn't respond to r/w for the block specified in last byte of blk 31");
+                  "hf iclass sim -t 6                          --> simulate full iCLASS 2k tag that doesn't respond to r/w requests to the last SIO block");

    void *argtable[] = {
        arg_param_begin,