diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0960aac9..57e0f2e90 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - EM4x50: switched to cliparser for all functions (@tharexde)
 - EM4x50: stabilized and accelerated tag detection (@tharexde)
 - EM4x50: removed global tag structure on device side (@tharexde)
+ - Added `mf mfu sim t 7 n ` - MFU emulation now supports automatic exit after blocks read. (@cyberpunk-re)
 - Added T55xx Guide to assist in learning how to use the T55xx chip (@mwalker33)
 - Fix 'hf iclass wrbl' - dealing with tags in unsecured vs secured pagemode now is correct (@iceman1001)
 - Change many commands to cliparser (@iceman1001, @tcprst, @mwalker33,...)
diff --git a/armsrc/Standalone/hf_aveful.c b/armsrc/Standalone/hf_aveful.c
index 97ef78745..c9464e3d1 100644
--- a/armsrc/Standalone/hf_aveful.c
+++ b/armsrc/Standalone/hf_aveful.c
@@ -243,7 +243,7 @@ void RunMod(void) {
 uint8_t flags = FLAG_7B_UID_IN_DATA;
 Dbprintf("Starting simulation, press pm3-button to stop and go back to search state.");
- SimulateIso14443aTag(7, flags, card.uid);
+ SimulateIso14443aTag(7, flags, card.uid, 0);
 // Go back to search state if user presses pm3-button
 state = STATE_SEARCH;
diff --git a/armsrc/Standalone/hf_young.c b/armsrc/Standalone/hf_young.c
index 1673b8975..e7b69d550 100644
--- a/armsrc/Standalone/hf_young.c
+++ b/armsrc/Standalone/hf_young.c
@@ -244,22 +244,22 @@ void RunMod(void) {
 if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0) {
 DbpString("Mifare Classic 1k");
- SimulateIso14443aTag(1, flags, data);
+ SimulateIso14443aTag(1, flags, data, 0);
 } else if (uids[selected].sak == 0x18 && uids[selected].atqa[0] == 0x02 && uids[selected].atqa[1] == 0) {
 DbpString("Mifare Classic 4k (4b uid)");
- SimulateIso14443aTag(8, flags, data);
+ SimulateIso14443aTag(8, flags, data, 0);
 } else if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
 DbpString("Mifare Classic 4k (7b uid)");
- SimulateIso14443aTag(8, flags, data);
+ SimulateIso14443aTag(8, flags, data, 0);
 } else if (uids[selected].sak == 0x00 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
 DbpString("Mifare Ultralight");
- SimulateIso14443aTag(2, flags, data);
+ SimulateIso14443aTag(2, flags, data, 0);
 } else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0x03) {
 DbpString("Mifare DESFire");
- SimulateIso14443aTag(3, flags, data);
+ SimulateIso14443aTag(3, flags, data, 0);
 } else {
 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
- SimulateIso14443aTag(1, flags, data);
+ SimulateIso14443aTag(1, flags, data, 0);
 }
 } else if (button_pressed == BUTTON_SINGLE_CLICK) {
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 243f01b81..822b4beab 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1308,9 +1308,10 @@ static void PacketReceived(PacketCommandNG *packet) {
 uint8_t tagtype;
 uint8_t flags;
 uint8_t uid[10];
+ uint8_t exitAfter;
 } PACKED;
 struct p *payload = (struct p *) packet->data.asBytes;
- SimulateIso14443aTag(payload->tagtype, payload->flags, payload->uid); // ## Simulate iso14443a tag - pass tag type & UID
+ SimulateIso14443aTag(payload->tagtype, payload->flags, payload->uid, payload->exitAfter); // ## Simulate iso14443a tag - pass tag type & UID
 break;
 }
 case CMD_HF_ISO14443A_ANTIFUZZ: {
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 9852b15d5..db00f5494 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -1252,7 +1252,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
 // response to send, and send it.
 // 'hf 14a sim'
 //-----------------------------------------------------------------------------
-void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
+void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data, uint8_t exitAfterNReads) {
 #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
@@ -1328,6 +1328,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
 int happened = 0;
 int happened2 = 0;
 int cmdsRecvd = 0;
+ uint32_t numReads = 0; //Counts numer of times reader reads a block
 // compatible write block number
 uint8_t wrblock = 0;
@@ -1339,7 +1340,10 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
 LED_A_ON();
 // main loop
- for (;;) {
+ //for (;;) {
+ bool finished = false;
+ bool button_pushed = BUTTON_PRESS();
+ while (!button_pushed && !finished) {
 WDT_HIT();
 tag_response_info_t *p_response = NULL;
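Review bot: `payload->exitAfter` is read from `packet->data.asBytes` without checking that the sender actually supplied the extra byte; the payload struct grew by one byte, so a client built before this change (or any sender of the old 12-byte layout) leaves `exitAfter` as whatever byte happens to follow the UID in the receive buffer, silently turning an open-ended simulation into one that stops after an arbitrary number of reads. Treat a short payload as the old behaviour, e.g. `uint8_t exit_after = (packet->length >= sizeof(struct p)) ? payload->exitAfter : 0;` (assuming the NG packet length is populated here as for the other NG commands) and pass `exit_after` to `SimulateIso14443aTag`. The `struct p` definition and the enclosing `case` begin outside the hunk.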
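Review bot: The new `exitAfterNReads` parameter is not described in the function's header comment, which still only says what the loop does for 'hf 14a sim'. Add a line to that comment block such as `// exitAfterNReads: stop the emulation once this many block reads have been answered; 0 means no limit.` The header comment continues above the hunk and the function body below it.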
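Review bot: `button_pushed` is sampled once with `BUTTON_PRESS()` before the loop and, within this hunk, never reassigned, so `while (!button_pushed && !finished)` only reflects the button state at start-up; unless the loop body (outside the hunk) updates `button_pushed`, the button cannot end the loop through this condition and whatever exit path the old `for (;;)` body had is what still stops it. Either poll inside the loop, `button_pushed = BUTTON_PRESS();` at the end of each iteration, or drop the variable and loop on `!finished` alone. The commented-out `//for (;;) {` line should be deleted rather than kept as a reminder of the old form. The loop body runs past the end of the hunk.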
@@ -1468,6 +1472,12 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
 emlGetMemBt(emdata, start, 16);
 AddCrc14A(emdata, 16);
 EmSendCmd(emdata, sizeof(emdata));
+ numReads++; // Increment number of times reader requested a block
+
+ if (exitAfterNReads > 0 && numReads == exitAfterNReads) {
+ Dbprintf("[MFUEMUL_WORK] %d reads done, exiting", numReads);
+ finished = true;
+ }
 }
 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
 p_response = NULL;
diff --git a/armsrc/iso14443a.h b/armsrc/iso14443a.h
index 49317628b..325eed056 100644
--- a/armsrc/iso14443a.h
+++ b/armsrc/iso14443a.h
@@ -129,7 +129,7 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time);
 RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time);
 void RAMFUNC SniffIso14443a(uint8_t param);
-void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data);
+void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data, uint8_t numReads);
 bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
 bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len);
 void iso14443a_antifuzz(uint32_t flags);
diff --git a/client/src/cmdhf14a.c b/client/src/cmdhf14a.c
index c8d0a57eb..e5d5042f8 100644
--- a/client/src/cmdhf14a.c
+++ b/client/src/cmdhf14a.c
@@ -211,7 +211,7 @@ static int usage_hf_14a_config(void) {
 static int usage_hf_14a_sim(void) {
 PrintAndLogEx(NORMAL, "\n Emulating ISO/IEC 14443 type A tag with 4,7 or 10 byte UID\n");
- PrintAndLogEx(NORMAL, "Usage: hf 14a sim [h] t u [x] [e] [v]");
+ PrintAndLogEx(NORMAL, "Usage: hf 14a sim [h] t u [n ] [x] [e] [v]");
 PrintAndLogEx(NORMAL, "Options:");
 PrintAndLogEx(NORMAL, " h : This help");
 PrintAndLogEx(NORMAL, " t : 1 = MIFARE Classic 1k");
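Review bot: `numReads` is declared `uint32_t` but the new `Dbprintf` prints it with `%d`; the specifier should match the unsigned type, `Dbprintf("[MFUEMUL_WORK] %u reads done, exiting", numReads);`. As far as the hunk shows the counter only advances on this read path and is checked right after each increment, so `==` against `exitAfterNReads` is reached exactly and `>=` is not needed. The enclosing `switch` arm and the rest of `SimulateIso14443aTag` lie outside the hunk.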
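Review bot: The prototype names the new parameter `numReads` while the definition in armsrc/iso14443a.c calls it `exitAfterNReads`, and `numReads` is also the name of the device-side counter that this parameter is compared against, so the header reads as if the caller passes a count rather than a limit. Use the same name in both places: `void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data, uint8_t exitAfterNReads);`.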
@@ -225,6 +225,7 @@ static int usage_hf_14a_sim(void) {
 PrintAndLogEx(NORMAL, " 9 = FM11RF005SH Shanghai Metro");
 PrintAndLogEx(NORMAL, " 10 = JCOP 31/41 Rothult");
 PrintAndLogEx(NORMAL, " u : 4, 7 or 10 byte UID");
+ PrintAndLogEx(NORMAL, " n : (Optional) Exit simulation after blocks have been read by reader. 0 = infinite");
 PrintAndLogEx(NORMAL, " x : (Optional) Performs the 'reader attack', nr/ar attack against a reader");
 PrintAndLogEx(NORMAL, " e : (Optional) Fill simulator keys from found keys");
 PrintAndLogEx(NORMAL, " v : (Optional) Verbose");
@@ -657,6 +658,7 @@ int CmdHF14ASim(const char *Cmd) {
 bool errors = false;
 sector_t *k_sector = NULL;
 uint8_t k_sectorsCount = 40;
+ uint8_t exitAfterNReads = 0;
 while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 switch (tolower(param_getchar(Cmd, cmdp))) {
@@ -693,6 +695,10 @@ int CmdHF14ASim(const char *Cmd) {
 }
 cmdp += 2;
 break;
+ case 'n':
+ exitAfterNReads = param_get8(Cmd, cmdp + 1);
+ cmdp += 2;
+ break;
 case 'v':
 verbose = true;
 cmdp++;
@@ -722,10 +728,12 @@ int CmdHF14ASim(const char *Cmd) {
 uint8_t tagtype;
 uint8_t flags;
 uint8_t uid[10];
+ uint8_t exitAfter;
 } PACKED payload;
 payload.tagtype = tagtype;
 payload.flags = flags;
+ payload.exitAfter = exitAfterNReads;
 memcpy(payload.uid, uid, uidlen);
 clearCommandBuffer();
diff --git a/client/src/cmdhfmfu.c b/client/src/cmdhfmfu.c
index 55e03a848..c69de053b 100644
--- a/client/src/cmdhfmfu.c
+++ b/client/src/cmdhfmfu.c
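Review bot: The `case 'n'` arm stores the user's value straight from `param_get8`, which (as its name suggests) yields a single byte, so a request such as `n 300` would be narrowed to a value the user did not ask for, possibly 0, which the usage text defines as infinite, with no warning. Parse into a wider type and reject out-of-range input, e.g. `uint32_t n = param_get32ex(Cmd, cmdp + 1, 0, 10);` followed by `if (n > UINT8_MAX) { PrintAndLogEx(WARNING, "n must be 0..255"); errors = true; break; }` and then `exitAfterNReads = (uint8_t)n;`. The `n` line added to the usage text in the first hunk of this file should state the 0..255 range as well. The option `switch` and its `while` loop begin and end outside the hunk.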
@@ -155,15 +155,17 @@ static int usage_hf_mfu_eload(void) {
 static int usage_hf_mfu_sim(void) {
 PrintAndLogEx(NORMAL, "\nEmulating Ultralight tag from emulator memory\n");
 PrintAndLogEx(NORMAL, "\nBe sure to load the emulator memory first!\n");
- PrintAndLogEx(NORMAL, "Usage: hf mfu sim t 7 u ");
+ PrintAndLogEx(NORMAL, "Usage: hf mfu sim t 7 u [n ]");
 PrintAndLogEx(NORMAL, "Options:");
 PrintAndLogEx(NORMAL, " h : this help");
 PrintAndLogEx(NORMAL, " t 7 : 7 = NTAG or Ultralight sim (required)");
+ PrintAndLogEx(NORMAL, " n : exit simulation after blocks have been read by reader. 0 = infinite (optional)");
 PrintAndLogEx(NORMAL, " u : 4 or 7 byte UID (optional)");
 PrintAndLogEx(NORMAL, "");
 PrintAndLogEx(NORMAL, "Examples:");
 PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu sim t 7"));
 PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu sim t 7 u 1122344556677"));
+ PrintAndLogEx(NORMAL, _YELLOW_(" hf mfu sim t 7 u 1122344556677 n 5"));
 PrintAndLogEx(NORMAL, "");
 return PM3_SUCCESS;
 }
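Review bot: The new example `hf mfu sim t 7 u 1122344556677 n 5` carries a 13-hex-digit UID, which is neither the 4-byte (8 digits) nor the 7-byte (14 digits) form that the `u` option line documents; it copies the same slip from the existing example on the line above. Use a well-formed value, for instance `hf mfu sim t 7 u 11223344556677 n 5` (a constructed 7-byte UID), and correct the older example in the same way. The help text now advertises `n`, but nothing in this hunk shows `hf mfu sim` forwarding its arguments to the option loop that parses `n`; worth confirming the command really reaches `CmdHF14ASim` so the documented option is honoured.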