diff --git a/client/pyscripts/spi_flash_decode.py b/client/pyscripts/spi_flash_decode.py index 2a89f57af..1e3aab578 100644 --- a/client/pyscripts/spi_flash_decode.py +++ b/client/pyscripts/spi_flash_decode.py @@ -21,7 +21,7 @@ spi = { "size": "16mbits", "sizeB": "2MB", }, - }, + }, }, }, 0x85:{ diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index b701aeb19..42d23d0f1 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -305,7 +305,7 @@ static iclass_config_card_item_t iclass_config_options[33] = { //Sets block 3 of card 0 presented to the reader to 0, sets block 3 of card 1 presented to the reader to the original value of card 0's block 3 //Continues setting block 3 of presented cards to block 3 of the previous card the reader scanned //This renders cards unreadable and hardly recoverable unless the order of the scanned cards is known. - {"(ELITE Bugger) - Renders cards unusable." , {0x0C, 0x00, 0x00, 0x01, 0x00, 0x00, 0xBF, 0x18, 0xBF, 0x02, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}}, + {"(ELITE Bugger) - Renders cards unusable.", {0x0C, 0x00, 0x00, 0x01, 0x00, 0x00, 0xBF, 0x18, 0xBF, 0x02, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}}, //Reset Operations {"(RESET) - Reset READER to defaults", {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, {"(RESET) - Reset ENROLLER to defaults", {0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1C, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF}}, @@ -4181,7 +4181,7 @@ static void generate_single_key_block_inverted_opt(const uint8_t *startingKey, u 0x95, 0x96, 0x99, 0x9A, 0x9C, 0xA3, 0xA5, 0xA6, 0xA9, 0xAA, 0xAC, 0xB1, 0xB2, 0xB4, 0xB8, 0xC3, 0xC5, 0xC6, 0xC9, 0xCA, 0xCC, 0xD1, 0xD2, 0xD4, 0xD8, 0xE1, 0xE2, 0xE4, 0xE8, 0xF0 - }; + }; uint8_t binary_endings[8]; // Array to store binary values for each ending bit // Extract each bit from the ending_bits[k] and store it in binary_endings 
@@ -4226,25 +4226,25 @@ static int CmdHFiClassLegacyRecSim(void) { return PM3_ESOFT; } HFiClassCalcDivKey(csn, iClass_Key_Table[0], new_div_key, false); - memcpy(key,new_div_key,PICOPASS_BLOCK_SIZE); + memcpy(key, new_div_key, PICOPASS_BLOCK_SIZE); memcpy(original_key, key, PICOPASS_BLOCK_SIZE); uint8_t zero_key[PICOPASS_BLOCK_SIZE] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; uint8_t zero_key_two[PICOPASS_BLOCK_SIZE] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; int bits_found = -1; uint32_t index = 0; - #define MAX_UPDATES 16777216 +#define MAX_UPDATES 16777216 while (bits_found == -1 && index < MAX_UPDATES) { uint8_t genkeyblock[PICOPASS_BLOCK_SIZE]; uint8_t xorkeyblock[PICOPASS_BLOCK_SIZE] = {0}; - generate_single_key_block_inverted_opt(zero_key, index, genkeyblock); - memcpy(xorkeyblock, genkeyblock, PICOPASS_BLOCK_SIZE); + generate_single_key_block_inverted_opt(zero_key, index, genkeyblock); + memcpy(xorkeyblock, genkeyblock, PICOPASS_BLOCK_SIZE); - for (int i = 0; i < 8 ; i++) { - key[i] = xorkeyblock[i] ^ original_key[i]; - memcpy(zero_key_two, xorkeyblock, PICOPASS_BLOCK_SIZE); - } + for (int i = 0; i < 8 ; i++) { + key[i] = xorkeyblock[i] ^ original_key[i]; + memcpy(zero_key_two, xorkeyblock, PICOPASS_BLOCK_SIZE); + } // Extract the last 3 bits of the first byte uint8_t last_three_bits = key[0] & 0x07; // 0x07 is 00000111 in binary - bitmask 
@@ -4255,15 +4255,15 @@ static int CmdHFiClassLegacyRecSim(void) { same_bits = false; } } - if (same_bits){ + if (same_bits) { bits_found = index; PrintAndLogEx(SUCCESS, "Original Key: " _GREEN_("%s"), sprint_hex(original_key, sizeof(original_key))); PrintAndLogEx(SUCCESS, "Weak Key: " _GREEN_("%s"), sprint_hex(key, sizeof(key))); PrintAndLogEx(SUCCESS, "Key Updates Required to Weak Key: " _GREEN_("%d"), index); - PrintAndLogEx(SUCCESS, "Estimated Time: ~" _GREEN_("%d")" hours", index/6545); + PrintAndLogEx(SUCCESS, "Estimated Time: ~" _GREEN_("%d")" hours", index / 6545); } - index++; + index++; }//end while PrintAndLogEx(NORMAL, ""); @@ -4305,7 +4305,7 @@ static int CmdHFiClassLegacyRecover(const char *Cmd) { bool allnight = arg_get_lit(ctx, 6); bool sim = arg_get_lit(ctx, 7); - if (sim){ + if (sim) { CmdHFiClassLegacyRecSim(); return PM3_SUCCESS; } diff --git a/client/src/cmdhfmfu.c b/client/src/cmdhfmfu.c index 68869a6fb..8e0259e2f 100644 --- a/client/src/cmdhfmfu.c +++ b/client/src/cmdhfmfu.c @@ -5828,10 +5828,10 @@ out: static int CmdHF14AMfUIncr(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfu incr", - "Increment a MIFARE Ultralight Ev1 counter\n" - "Will read but not increment counter if NTAG is detected", - "hf mfu incr -c 0 -v 1337\n" - "hf mfu incr -c 2 -v 0 -p FFFFFFFF"); + "Increment a MIFARE Ultralight Ev1 counter\n" + "Will read but not increment counter if NTAG is detected", + "hf mfu incr -c 0 -v 1337\n" + "hf mfu incr -c 2 -v 0 -p FFFFFFFF"); void *argtable[] = { arg_param_begin, arg_int1("c", "cnt", "", "Counter index from 0"), @@ -5840,10 +5840,10 @@ static int CmdHF14AMfUIncr(const char *Cmd) { arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, true); - + uint8_t counter = arg_get_int_def(ctx, 1, 3); uint32_t value = arg_get_u32_def(ctx, 2, 16777216); - + int pwd_len; uint8_t pwd[4] = { 0x00 }; CLIGetHexWithReturn(ctx, 3, pwd, &pwd_len); 
@@ -5855,9 +5855,9 @@ static int CmdHF14AMfUIncr(const char *Cmd) { return PM3_EINVARG; } } - + CLIParserFree(ctx); - + if (counter > 2) { PrintAndLogEx(WARNING, "Counter index must be in range 0-2"); return PM3_EINVARG; @@ -5866,19 +5866,19 @@ static int CmdHF14AMfUIncr(const char *Cmd) { PrintAndLogEx(WARNING, "Value to increment must be in range 0-16777215"); return PM3_EINVARG; } - + uint8_t increment_cmd[6] = { MIFARE_ULEV1_INCR_CNT, counter, 0x00, 0x00, 0x00, 0x00 }; - + for (uint8_t i = 0; i < 3; i++) { increment_cmd[i + 2] = (value >> (8 * i)) & 0xff; } - + iso14a_card_select_t card; if (ul_select(&card) == false) { PrintAndLogEx(FAILED, "failed to select card, exiting..."); return PM3_ESOFT; } - + uint64_t tagtype = GetHF14AMfU_Type(); uint64_t tags_with_counter_ul = MFU_TT_UL_EV1_48 | MFU_TT_UL_EV1_128 | MFU_TT_UL_EV1; uint64_t tags_with_counter_ntag = MFU_TT_NTAG_213 | MFU_TT_NTAG_213_F | MFU_TT_NTAG_213_C | MFU_TT_NTAG_213_TT | MFU_TT_NTAG_215 | MFU_TT_NTAG_216; @@ -5887,14 +5887,14 @@ static int CmdHF14AMfUIncr(const char *Cmd) { DropField(); return PM3_ESOFT; } - + bool is_ntag = (tagtype & tags_with_counter_ntag) != 0; if (is_ntag && (counter != 2)) { PrintAndLogEx(WARNING, "NTAG only has one counter at index 2"); DropField(); return PM3_EINVARG; } - + uint8_t pack[4] = { 0, 0, 0, 0 }; if (has_key) { if (ulev1_requestAuthentication(pwd, pack, sizeof(pack)) == PM3_EWRONGANSWER) { @@ -5903,7 +5903,7 @@ static int CmdHF14AMfUIncr(const char *Cmd) { return PM3_ESOFT; } } - + uint8_t current_counter[3] = { 0, 0, 0 }; int len = ulev1_readCounter(counter, current_counter, sizeof(current_counter)); if (len != sizeof(current_counter)) { 
@@ -5914,7 +5914,7 @@ static int CmdHF14AMfUIncr(const char *Cmd) { DropField(); return PM3_ESOFT; } - + uint32_t current_counter_num = current_counter[0] | (current_counter[1] << 8) | (current_counter[2] << 16); PrintAndLogEx(INFO, "Current counter... " _GREEN_("%8d") " - " _GREEN_("%s"), current_counter_num, sprint_hex(current_counter, 3)); @@ -5930,7 +5930,7 @@ static int CmdHF14AMfUIncr(const char *Cmd) { DropField(); return PM3_ESOFT; } - + uint8_t new_counter[3] = { 0, 0, 0 }; int new_len = ulev1_readCounter(counter, new_counter, sizeof(new_counter)); if (new_len != sizeof(current_counter)) { @@ -5938,10 +5938,10 @@ static int CmdHF14AMfUIncr(const char *Cmd) { DropField(); return PM3_ESOFT; } - + uint32_t new_counter_num = new_counter[0] | (new_counter[1] << 8) | (new_counter[2] << 16); PrintAndLogEx(INFO, "New counter....... " _GREEN_("%8d") " - " _GREEN_("%s"), new_counter_num, sprint_hex(new_counter, 3)); - + DropField(); return PM3_SUCCESS; } diff --git a/client/src/cmdlfhitaghts.c b/client/src/cmdlfhitaghts.c index 933427ec8..d3a8932a5 100644 --- a/client/src/cmdlfhitaghts.c +++ b/client/src/cmdlfhitaghts.c @@ -490,7 +490,7 @@ static int CmdLFHitagSDump(const char *Cmd) { // read all pages packet.page = 0; - packet.page_count = 0; + packet.page_count = 0; clearCommandBuffer(); SendCommandNG(CMD_LF_HITAGS_READ, (uint8_t *) &packet, sizeof(packet)); diff --git a/client/src/pm3line_vocabulary.h b/client/src/pm3line_vocabulary.h index bd7fdbc45..14c69c97c 100644 --- a/client/src/pm3line_vocabulary.h +++ b/client/src/pm3line_vocabulary.h @@ -428,6 +428,7 @@ const static vocabulary_t vocabulary[] = { { 0, "hf mfu cauth" }, { 0, "hf mfu setpwd" }, { 0, "hf mfu dump" }, + { 0, "hf mfu incr" }, { 0, "hf mfu info" }, { 0, "hf mfu ndefread" }, { 0, "hf mfu rdbl" }, 
@@ -677,6 +678,7 @@ const static vocabulary_t vocabulary[] = {
 { 1, "lf hitag hts list" },
 { 0, "lf hitag hts reader" },
 { 0, "lf hitag hts rdbl" },
+ { 0, "lf hitag hts dump" },
 { 0, "lf hitag hts wrbl" },
 { 0, "lf hitag hts sim" },
 { 1, "lf idteck help" },
diff --git a/doc/commands.json b/doc/commands.json
index 2b38642f6..d5f9ca438 100644
--- a/doc/commands.json
+++ b/doc/commands.json
@@ -3500,9 +3500,10 @@
 "--loop The number of key retrieval cycles to perform, max 10000, default 100",
 "--debug Re-enables tracing for debugging. Limits cycles to 1.",
 "--notest Perform real writes on the card!",
- "--allnight Loops the loop for 10 times, recommended loop value of 5000."
+ "--allnight Loops the loop for 10 times, recommended loop value of 5000.",
+ "--est Estimates the key updates based on the card's CSN assuming standard key."
 ],
- "usage": "hf iclass legrec [-h] --macs [--index ] [--loop ] [--debug] [--notest] [--allnight]"
+ "usage": "hf iclass legrec [-h] --macs [--index ] [--loop ] [--debug] [--notest] [--allnight] [--est]"
 },
 "hf iclass loclass": {
 "command": "hf iclass loclass",
@@ -4881,7 +4882,7 @@
 },
 "hf mf gen3blk": {
 "command": "hf mf gen3blk",
- "description": "Overwrite full manufacturer block for magic Gen3 card - You can specify part of manufacturer block as 4/7-bytes for UID change only NOTE: BCC, SAK, ATQA will be calculated automatically",
+ "description": "Overwrite full manufacturer block for magic Gen3 card - You can specify part of manufacturer block as 4/7-bytes for UID change only NOTE: BCC and ATQA will be calculated automatically SAK will be automatically set to default values if not specified",
 "notes": [
 "hf mf gen3blk -> print current data",
 "hf mf gen3blk -d 01020304 -> set 4 byte uid",
@@ -5151,9 +5152,10 @@
 "FM11RF08S specific options: Incompatible with above options, except -k; output in JSON",
 "--collect_fm11rf08s collect all nT/{nT}/par_err.",
 "--collect_fm11rf08s_with_data collect all nT/{nT}/par_err and data blocks.",
+ "--collect_fm11rf08s_without_backdoor collect all nT/{nT}/par_err without backdoor. Requires first auth keytype and block",
 "-f, --file Specify a filename for collected data"
 ],
- "usage": "hf mf isen [-hab] [--blk ] [-c ] [-k ] [--blk2 ] [--a2] [--b2] [--c2 ] [--key2 ] [-n ] [--reset] [--hardreset] [--addread] [--addauth] [--incblk2] [--corruptnrar] [--corruptnrarparity] FM11RF08S specific options: [--collect_fm11rf08s] [--collect_fm11rf08s_with_data] [-f ]"
+ "usage": "hf mf isen [-hab] [--blk ] [-c ] [-k ] [--blk2 ] [--a2] [--b2] [--c2 ] [--key2 ] [-n ] [--reset] [--hardreset] [--addread] [--addauth] [--incblk2] [--corruptnrar] [--corruptnrarparity] FM11RF08S specific options: [--collect_fm11rf08s] [--collect_fm11rf08s_with_data] [--collect_fm11rf08s_without_backdoor] [-f ]"
 },
 "hf mf mad": {
 "command": "hf mf mad",
@@ -7116,6 +7118,22 @@
 ],
 "usage": "hf 14a list [-h1crux] [--frame] [-f ]"
 },
+ "hf mfu incr": {
+ "command": "hf mfu incr",
+ "description": "Increment a MIFARE Ultralight Ev1 counter Will read but not increment counter if NTAG is detected",
+ "notes": [
+ "hf mfu incr -c 0 -v 1337",
+ "hf mfu incr -c 2 -v 0 -p FFFFFFFF"
+ ],
+ "offline": false,
+ "options": [
+ "-h, --help This help",
+ "-c, --cnt Counter index from 0",
+ "-v, --val Value to increment by (0-16777215)",
+ "-p, --pwd PWD to authenticate with"
+ ],
+ "usage": "hf mfu incr [-h] -c -v [-p ]"
+ },
 "hf mfu info": {
 "command": "hf mfu info",
 "description": "Get info about MIFARE Ultralight Family styled tag. Sometimes the tags are locked down, and you may need a key to be able to read the information",
@@ -9798,6 +9816,28 @@
 ],
 "usage": "lf hitag list [-h1crux] [--frame] [-f ]"
 },
+ "lf hitag hts dump": {
+ "command": "lf hitag hts dump",
+ "description": "Read all Hitag S memory and save to file Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
+ "notes": [
+ "lf hitag hts dump --82xx -k BBDD3399 -> pwd mode",
+ "lf hitag hts dump --crypto -> use def crypto",
+ "lf hitag hts dump -k 4F4E4D494B52 -> crypto mode",
+ "lf hitag hts dump --nrar 0102030411223344"
+ ],
+ "offline": false,
+ "options": [
+ "-h, --help This help",
+ "-8, --82xx 8268/8310 mode",
+ "--nrar nonce / answer writer, 8 hex bytes",
+ "--crypto crypto mode",
+ "-k, --key pwd or key, 4 or 6 hex bytes",
+ "-m, --mode response protocol mode. 0 (Standard 00110), 1 (Advanced 11000), 2 (Advanced 11001), 3 (Fast Advanced 11010) (def: 3)",
+ "-f, --file specify file name",
+ "--ns no save to file"
+ ],
+ "usage": "lf hitag hts dump [-h8] [--nrar ] [--crypto] [-k ] [-m ] [-f ] [--ns]"
+ },
 "lf hitag hts help": {
 "command": "lf hitag hts help",
 "description": "help This help list List Hitag S trace history --------------------------------------------------------------------------------------- lf hitag hts list available offline: yes Alias of `trace list -t hitags` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
@@ -13001,8 +13041,8 @@
 }
 },
 "metadata": {
- "commands_extracted": 749,
+ "commands_extracted": 751,
 "extracted_by": "PM3Help2JSON v1.00",
- "extracted_on": "2024-11-22T02:17:04"
+ "extracted_on": "2024-12-09T14:16:07"
 }
 }
diff --git a/doc/commands.md b/doc/commands.md
index bf9b82edc..9cd60a66a 100644
--- a/doc/commands.md
+++ b/doc/commands.md
@@ -615,6 +615,7 @@ Check column "offline" for their availability.
 |`hf mfu cauth `|N |`Ultralight-C - Authentication`
 |`hf mfu setpwd `|N |`Ultralight-C - Set 3DES key`
 |`hf mfu dump `|N |`Dump MIFARE Ultralight family tag to binary file`
+|`hf mfu incr `|N |`Increments Ev1/NTAG counter`
 |`hf mfu info `|N |`Tag information`
 |`hf mfu ndefread `|N |`Prints NDEF records from card`
 |`hf mfu rdbl `|N |`Read block`
@@ -1081,6 +1082,7 @@ Check column "offline" for their availability.
 |`lf hitag hts list `|Y |`List Hitag S trace history`
 |`lf hitag hts reader `|N |`Act like a Hitag S reader`
 |`lf hitag hts rdbl `|N |`Read Hitag S page`
+|`lf hitag hts dump `|N |`Dump Hitag S pages to a file`
 |`lf hitag hts wrbl `|N |`Write Hitag S page`
 |`lf hitag hts sim `|N |`Simulate Hitag S transponder`