github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 21:03:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Updated hf iclass sim -t 6

Browse source 
Updates to the functionality of iclass sim -t 6 to specifically target the last SIO block and to do it automatically.
It now checks the AIA to determine if the card is SR or SE and adjust the block to jam based on the SIO length declared in block 6 (if SE) or fixed length if SR.
This commit is contained in:
Antiklesys 2025-06-07 13:46:19 +08:00
commit b4edcb9510
2 changed files with 30 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

33
armsrc/iclass.c
View file

@ -608,11 +608,18 @@ int do_iclass_simulation(int simulationMode, uint8_t *reader_mac_buf) {
trace_data_size = sizeof(ff_data);
} else { // use data from emulator memory
if (simulationMode == ICLASS_SIM_MODE_FULL_GLITCH){
uint8_t block_check[8] ={0};
memcpy(block_check, emulator + (current_page * page_size) + (31 * 8), 8);
if (block == block_check[7]){
//Jam the read based on the last SIO block
if (memcmp(emulator + (current_page * page_size) + (5 * 8), ff_data, PICOPASS_BLOCK_SIZE) == 0){ //SR card
if (block == 16){ //SR cards use a standard legth SIO
goto send;
}
}else{ //For SE cards we have to account for different SIO lengths depending if a standard or custom key is used
uint8_t sio_size[8] = {0};
memcpy(sio_size,emulator + (current_page * page_size) + (6 * 8), PICOPASS_BLOCK_SIZE);
if (block == 5 + ((sio_size[1]+12)/8)){
goto send;
}
}
}
memcpy(data_generic_trace, emulator + (current_page * page_size) + (block * 8), 8);
@ -798,11 +805,25 @@ int do_iclass_simulation(int simulationMode, uint8_t *reader_mac_buf) {
}
if (simulationMode == ICLASS_SIM_MODE_FULL_GLITCH){
uint8_t block_check[8] ={0};
memcpy(block_check, emulator + (current_page * page_size) + (31 * 8), 8);
if (block == block_check[7]){
//Jam the read based on the last SIO block
if (memcmp(emulator + (current_page * page_size) + (5 * 8), ff_data, PICOPASS_BLOCK_SIZE) == 0){ //SR card
if (block == 16){ //SR cards use a standard legth SIO
//update block 6 byte 1 from 03 to A3
uint8_t sr_update[8] = {0};
memcpy(sr_update,emulator + (current_page * page_size) + (6 * 8), PICOPASS_BLOCK_SIZE);
if(sr_update[0] == 0x03){
sr_update[0] = 0xA3;
}
memcpy(emulator + (current_page * page_size) + (6 * 8), sr_update, PICOPASS_BLOCK_SIZE);
goto send;
}
}else{ //For SE cards we have to account for different SIO lengths depending if a standard or custom key is used
uint8_t sio_size[8] = {0};
memcpy(sio_size,emulator + (current_page * page_size) + (6 * 8), PICOPASS_BLOCK_SIZE);
if (block == 5 + ((sio_size[1]+12)/8)){
goto send;
}
}
}
memcpy(data_generic_trace, receivedCmd + 2, 8);

2
client/src/cmdhficlass.c
View file

@ -845,7 +845,7 @@ static int CmdHFiClassSim(const char *Cmd) {
"hf iclass sim -t 2 --> execute loclass attack online part\n"
"hf iclass sim -t 3 --> simulate full iCLASS 2k tag\n"
"hf iclass sim -t 4 --> Reader-attack, adapted for KeyRoll mode, gather reader responses to extract elite key\n"
"hf iclass sim -t 6 --> same as -t 3, but doesn't respond to r/w for the block specified in last byte of blk 31");
"hf iclass sim -t 6 --> simulate full iCLASS 2k tag that doesn't respond to r/w requests to the last SIO block");
void *argtable[] = {
arg_param_begin,