diff --git a/CHANGELOG.md b/CHANGELOG.md index f34b78f0..da0e30ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac ### Changed - Improved backdoor detection missbehaving magic s50/1k tag (Fl0-0) +- Deleted wipe functionality from `hf mf csetuid` (Merlok) ### Fixed @@ -17,6 +18,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added backdoor detection for gen1b magic s70/4k tag (Fl0-0) - Added data fsktonrz, a fsk cleaning/demodulating routine for weak fsk signal. Note: follow this up with a `data rawdemod nr` to finish demoding your signal. (marshmellow) - Added lf em 410xbrute, LF EM410x reader bruteforce attack by simulating UIDs from a file (Fl0-0) +- Added `hf mf cwipe` command. It wipes "magic Chinese" card. For 1a generation it uses card's "wipe" command. For gen1a and gen1b it uses a write command. (Merlok) ## [3.0.1][2017-06-08] diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 4411a0c5..b375c3ce 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -1199,6 +1199,9 @@ void UsbPacketReceived(uint8_t *packet, int len) break; // Work with "magic Chinese" card + case CMD_MIFARE_CWIPE: + MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); + break; case CMD_MIFARE_CSETBLOCK: MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); break; @@ -1294,6 +1297,15 @@ void UsbPacketReceived(uint8_t *packet, int len) break; case CMD_DOWNLOADED_SIM_SAMPLES_125K: { + // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before. + // to be able to use this one for uploading data to device + // arg1 = 0 upload for LF usage + // 1 upload for HF usage + if (c->arg[1] == 0) + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); + else + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + uint8_t *b = BigBuf_get_addr(); memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE); cmd_send(CMD_ACK,0,0,0,0,0); @@ -1304,7 +1316,7 @@ void UsbPacketReceived(uint8_t *packet, int len) break; case CMD_SET_LF_DIVISOR: - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]); break; diff --git a/armsrc/apps.h b/armsrc/apps.h index aa5b47fb..1ce3215f 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -134,7 +134,8 @@ void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); -void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); // Work with "magic Chinese" card +void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); // Work with "magic Chinese" card +void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); void MifareCIdent(); // is "magic chinese" card? void MifareUSetPwd(uint8_t arg0, uint8_t *datain); diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 393d05a9..641c02e8 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -387,8 +387,8 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol) int i; uint8_t *tab = BigBuf_get_addr(); - //note this may destroy the bigbuf so be sure this is called before now... - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); + //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now... + //FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT); AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK; @@ -1417,10 +1417,10 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t //Program the 7 data blocks for supplied 224bit UID uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7}; // and the block 0 for Indala224 format - //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7) - data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT); + //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7) + data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT); //TODO add selection of chip for Q5 or T55x7 - // data[0] = (((32-2)>>1)<>1)<= 0 && blockN < 128) { + return ((blockN & 0x03) == 0x03); + } + if (blockN >= 128 && blockN <= 256) { + return ((blockN & 0x0F) == 0x0F); + } + return FALSE; +} + +void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ + // var + byte_t isOK = 0; + uint32_t numBlocks = arg0; + // cmdParams: + // bit 0 - wipe gen1a + // bit 1 - fill card with default data + // bit 2 - gen1a = 0, gen1b = 1 + uint8_t cmdParams = arg1; + bool needWipe = cmdParams & 0x01; + bool needFill = cmdParams & 0x02; + bool gen1b = cmdParams & 0x04; + + uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE]; + uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE]; + + uint8_t block0[16] = {0x01, 0x02, 0x03, 0x04, 0x04, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBE, 0xAF}; + uint8_t block1[16] = {0x00}; + uint8_t blockK[16] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x08, 0x77, 0x8F, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; + uint8_t d_block[18] = {0x00}; + + // card commands + uint8_t wupC1[] = { 0x40 }; + uint8_t wupC2[] = { 0x43 }; + uint8_t wipeC[] = { 0x41 }; + + // iso14443 setup + LED_A_ON(); + LED_B_OFF(); + LED_C_OFF(); + iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); + + // tracing + clear_trace(); + set_tracing(true); + + while (true){ + // wipe + if (needWipe){ + ReaderTransmitBitsPar(wupC1,7,0, NULL); + if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error"); + break; + }; + + ReaderTransmit(wipeC, sizeof(wipeC), NULL); + if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error"); + break; + }; + + if(mifare_classic_halt(NULL, 0)) { + if (MF_DBGLEVEL > 2) Dbprintf("Halt error"); + }; + }; + + // put default data + if (needFill){ + // select commands + ReaderTransmitBitsPar(wupC1, 7, 0, NULL); + + // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command) + if (!gen1b) { + + if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error"); + break; + }; + + ReaderTransmit(wupC2, sizeof(wupC2), NULL); + if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error"); + break; + }; + } + + // send blocks command + for (int blockNo = 0; blockNo < numBlocks; blockNo++) { + if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error"); + break; + }; + + // check type of block and add crc + if (!isBlockTrailer(blockNo)){ + memcpy(d_block, block1, 16); + } else { + memcpy(d_block, blockK, 16); + } + if (blockNo == 0) { + memcpy(d_block, block0, 16); + } + AppendCrc14443a(d_block, 16); + + // send write command + ReaderTransmit(d_block, sizeof(d_block), NULL); + if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error"); + break; + }; + } + + // halt + // do no issue halt command for gen1b + if (!gen1b) { + if (mifare_classic_halt(NULL, 0)) { + if (MF_DBGLEVEL > 2) Dbprintf("Halt error"); + break; + } + } + } + break; + } + + // send USB response + LED_B_ON(); + cmd_send(CMD_ACK,isOK,0,0,NULL,0); + LED_B_OFF(); + + // reset fpga + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); + + return; +} + void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ // params @@ -1214,13 +1351,14 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai if (workFlags & 0x01) { if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) { if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; + // Continue, if we set wrong UID or wrong UID checksum or some ATQA or SAK we will can't select card. But we need to write block 0 to make card work. + //break; }; if(mifare_classic_halt(NULL, cuid)) { if (MF_DBGLEVEL > 2) Dbprintf("Halt error"); // Continue, some magic tags misbehavies and send an answer to it. - // break; + // break; }; }; @@ -1239,7 +1377,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai break; }; - if(mifare_classic_halt(NULL, cuid)) { + if(mifare_classic_halt(NULL, 0)) { if (MF_DBGLEVEL > 2) Dbprintf("Halt error"); // Continue, some magic tags misbehavies and send an answer to it. // break; @@ -1283,7 +1421,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai if (workFlags & 0x04) { // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1) if (!(workFlags & 0x40)) { - if (mifare_classic_halt(NULL, cuid)) { + if (mifare_classic_halt(NULL, 0)) { if (MF_DBGLEVEL > 2) Dbprintf("Halt error"); // Continue, some magic tags misbehavies and send an answer to it. // break; diff --git a/client/Makefile b/client/Makefile index 5cdaebb0..fd2ae290 100644 --- a/client/Makefile +++ b/client/Makefile @@ -184,14 +184,21 @@ MULTIARCHOBJS = $(MULTIARCHSRCS:%.c=$(OBJDIR)/%_NOSIMD.o) \ $(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX.o) \ $(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX2.o) -GCC_GTEQ_490 := $(shell expr `gcc --version | awk '/gcc/{print $$NF;}' | sed -e 's/\.\([0-9][0-9]\)/\1/g' -e 's/\.\([0-9]\)/0\1/g' -e 's/^[0-9]\{3,4\}$$/&00/'` \>= 40900) +GCC_VERSION := $(shell gcc --version | awk '/gcc/{print $$NF;}' | sed -e 's/\.\([0-9][0-9]\)/\1/g' -e 's/\.\([0-9]\)/0\1/g' -e 's/^[0-9]\{3,4\}$$/&00/') +CLANG_VERSION := $(shell gcc --version | awk '/Apple LLVM version/{print $$4;}' | sed -e 's/\.\([0-9][0-9]\)/\1/g' -e 's/\.\([0-9]\)/0\1/g' -e 's/^[0-9]\{3,4\}$$/&00/') +ifneq ($(CLANG_VERSION), ) + SUPPORTS_AVX512 := $(shell [ $(CLANG_VERSION) -ge 80000 ] && echo "True" ) +endif +ifneq ($(GCC_VERSION), ) + SUPPORTS_AVX512 := $(shell [ $(GCC_VERSION) -ge 40900 ] && echo "True" ) +endif HARD_SWITCH_NOSIMD = -mno-mmx -mno-sse2 -mno-avx -mno-avx2 HARD_SWITCH_MMX = -mmmx -mno-sse2 -mno-avx -mno-avx2 HARD_SWITCH_SSE2 = -mmmx -msse2 -mno-avx -mno-avx2 HARD_SWITCH_AVX = -mmmx -msse2 -mavx -mno-avx2 HARD_SWITCH_AVX2 = -mmmx -msse2 -mavx -mavx2 HARD_SWITCH_AVX512 = -mmmx -msse2 -mavx -mavx2 -mavx512f -ifeq "$(GCC_GTEQ_490)" "1" +ifeq "$(SUPPORTS_AVX512)" "True" HARD_SWITCH_NOSIMD += -mno-avx512f HARD_SWITCH_MMX += -mno-avx512f HARD_SWITCH_SSE2 += -mno-avx512f diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 493256a9..c9f3485e 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -251,7 +251,7 @@ int CmdLegicLoad(const char *Cmd) fclose(f); return -1; } - UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}}; + UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}}; int j; for(j = 0; j < 8; j++) { c.d.asBytes[j] = data[j]; } @@ -351,7 +351,7 @@ int CmdLegicRfFill(const char *Cmd) } int i; - UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}}; + UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}}; for(i = 0; i < 48; i++) { c.d.asBytes[i] = cmd.arg[2]; } diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 90ebc27b..5999d20e 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1783,65 +1783,69 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) int CmdHF14AMfCSetUID(const char *Cmd) { - uint8_t wipeCard = 0; uint8_t uid[8] = {0x00}; uint8_t oldUid[8] = {0x00}; uint8_t atqa[2] = {0x00}; uint8_t sak[1] = {0x00}; - uint8_t atqaPresent = 1; + uint8_t atqaPresent = 0; int res; - char ctmp; - int argi=0; - if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') { - PrintAndLog("Usage: hf mf csetuid [ATQA 4 hex symbols SAK 2 hex symbols] [w]"); - PrintAndLog("sample: hf mf csetuid 01020304"); - PrintAndLog("sample: hf mf csetuid 01020304 0004 08 w"); - PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)"); - PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line."); - return 0; - } - - if (param_getchar(Cmd, argi) && param_gethex(Cmd, argi, uid, 8)) { + uint8_t needHelp = 0; + char cmdp = 1; + + if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) { PrintAndLog("UID must include 8 HEX symbols"); return 1; } - argi++; - ctmp = param_getchar(Cmd, argi); - if (ctmp == 'w' || ctmp == 'W') { - wipeCard = 1; - atqaPresent = 0; - } - - if (atqaPresent) { - if (param_getchar(Cmd, argi)) { - if (param_gethex(Cmd, argi, atqa, 4)) { - PrintAndLog("ATQA must include 4 HEX symbols"); - return 1; - } - argi++; - if (!param_getchar(Cmd, argi) || param_gethex(Cmd, argi, sak, 2)) { - PrintAndLog("SAK must include 2 HEX symbols"); - return 1; - } - argi++; - } else - atqaPresent = 0; - } - - if(!wipeCard) { - ctmp = param_getchar(Cmd, argi); - if (ctmp == 'w' || ctmp == 'W') { - wipeCard = 1; + if (param_getlength(Cmd, 1) > 1 && param_getlength(Cmd, 2) > 1) { + atqaPresent = 1; + cmdp = 3; + + if (param_gethex(Cmd, 1, atqa, 4)) { + PrintAndLog("ATQA must include 4 HEX symbols"); + return 1; + } + + if (param_gethex(Cmd, 2, sak, 2)) { + PrintAndLog("SAK must include 2 HEX symbols"); + return 1; } } - PrintAndLog("--wipe card:%s uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4)); + while(param_getchar(Cmd, cmdp) != 0x00) + { + switch(param_getchar(Cmd, cmdp)) + { + case 'h': + case 'H': + needHelp = 1; + break; + default: + PrintAndLog("ERROR: Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + needHelp = 1; + break; + } + cmdp++; + } - res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard); + if (strlen(Cmd) < 1 || needHelp) { + PrintAndLog(""); + PrintAndLog("Usage: hf mf csetuid [ATQA 4 hex symbols SAK 2 hex symbols]"); + PrintAndLog("sample: hf mf csetuid 01020304"); + PrintAndLog("sample: hf mf csetuid 01020304 0004 08"); + PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)"); + return 0; + } + + PrintAndLog("uid:%s", sprint_hex(uid, 4)); + if (atqaPresent) { + PrintAndLog("--atqa:%s sak:%02x", sprint_hex(atqa, 2), sak[0]); + } + + res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid); if (res) { - PrintAndLog("Can't set UID. error=%d", res); + PrintAndLog("Can't set UID. Error=%d", res); return 1; } @@ -1850,6 +1854,80 @@ int CmdHF14AMfCSetUID(const char *Cmd) return 0; } +static int ParamGetCardSize(const char c) { + int numBlocks = 16 * 4; + switch (c) { + case '0' : numBlocks = 5 * 4; break; + case '2' : numBlocks = 32 * 4; break; + case '4' : numBlocks = 32 * 4 + 8 * 16; break; + default: numBlocks = 16 * 4; + } + return numBlocks; +} + +int CmdHF14AMfCWipe(const char *Cmd) +{ + int res, gen = 0; + int numBlocks = 16 * 4; + bool wipeCard = false; + bool fillCard = false; + + if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { + PrintAndLog("Usage: hf mf cwipe [card size] [w] [p]"); + PrintAndLog("sample: hf mf cwipe 1 w s"); + PrintAndLog("[card size]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K"); + PrintAndLog("w - Wipe magic Chinese card (only works with gen:1a cards)"); + PrintAndLog("f - Fill the card with default data and keys (works with gen:1a and gen:1b cards only)"); + return 0; + } + + gen = mfCIdentify(); + if ((gen != 1) && (gen != 2)) + return 1; + + numBlocks = ParamGetCardSize(param_getchar(Cmd, 0)); + + char cmdp = 0; + while(param_getchar(Cmd, cmdp) != 0x00){ + switch(param_getchar(Cmd, cmdp)) { + case 'w': + case 'W': + wipeCard = 1; + break; + case 'f': + case 'F': + fillCard = 1; + break; + default: + break; + } + cmdp++; + } + + if (!wipeCard && !fillCard) + wipeCard = true; + + PrintAndLog("--blocks count:%2d wipe:%c fill:%c", numBlocks, (wipeCard)?'y':'n', (fillCard)?'y':'n'); + + if (gen == 2) { + /* generation 1b magic card */ + if (wipeCard) { + PrintAndLog("WARNING: can't wipe magic card 1b generation"); + } + res = mfCWipe(numBlocks, true, false, fillCard); + } else { + /* generation 1a magic card by default */ + res = mfCWipe(numBlocks, false, wipeCard, fillCard); + } + + if (res) { + PrintAndLog("Can't wipe. error=%d", res); + return 1; + } + PrintAndLog("OK"); + return 0; +} + int CmdHF14AMfCSetBlk(const char *Cmd) { uint8_t memBlock[16] = {0x00}; @@ -1866,6 +1944,8 @@ int CmdHF14AMfCSetBlk(const char *Cmd) } gen = mfCIdentify(); + if ((gen != 1) && (gen != 2)) + return 1; blockNo = param_get8(Cmd, 0); @@ -2398,6 +2478,7 @@ static command_t CommandTable[] = {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"}, {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"}, {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"}, + {"cwipe", CmdHF14AMfCWipe, 0, "Wipe magic Chinese card"}, {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"}, {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"}, {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"}, diff --git a/client/cmdhfmf.h b/client/cmdhfmf.h index fc87b228..235fd86d 100644 --- a/client/cmdhfmf.h +++ b/client/cmdhfmf.h @@ -34,6 +34,7 @@ extern int CmdHF14AMfELoad(const char* cmd); extern int CmdHF14AMfESave(const char* cmd); extern int CmdHF14AMfECFill(const char* cmd); extern int CmdHF14AMfEKeyPrn(const char* cmd); +extern int CmdHF14AMfCWipe(const char* cmd); extern int CmdHF14AMfCSetUID(const char* cmd); extern int CmdHF14AMfCSetBlk(const char* cmd); extern int CmdHF14AMfCGetBlk(const char* cmd); diff --git a/client/cmdhfmfhard.c b/client/cmdhfmfhard.c index fd5fbbf9..0153541e 100644 --- a/client/cmdhfmfhard.c +++ b/client/cmdhfmfhard.c @@ -72,7 +72,7 @@ static float brute_force_per_second; static void get_SIMD_instruction_set(char* instruction_set) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) strcpy(instruction_set, "AVX512F"); else if (__builtin_cpu_supports("avx2")) strcpy(instruction_set, "AVX2"); diff --git a/client/cmdlf.c b/client/cmdlf.c index 6a5a2fbe..eb664a11 100644 --- a/client/cmdlf.c +++ b/client/cmdlf.c @@ -410,14 +410,13 @@ int CmdLFSim(const char *Cmd) sscanf(Cmd, "%i", &gap); - // convert to bitstream if necessary - + // convert to bitstream if necessary ChkBitstream(Cmd); //can send only 512 bits at a time (1 byte sent per bit...) printf("Sending [%d bytes]", GraphTraceLen); for (i = 0; i < GraphTraceLen; i += USB_CMD_DATA_SIZE) { - UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {i, 0, 0}}; + UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {i, 0, 0}}; for (j = 0; j < USB_CMD_DATA_SIZE; j++) { c.d.asBytes[j] = GraphBuffer[i+j]; diff --git a/client/cmdlfindala.c b/client/cmdlfindala.c index 8ec04cbb..0a4f7834 100644 --- a/client/cmdlfindala.c +++ b/client/cmdlfindala.c @@ -40,10 +40,16 @@ int CmdIndalaDecode(const char *Cmd) { } uint8_t invert=0; size_t size = DemodBufferLen; - int startIdx = indala26decode(DemodBuffer, &size, &invert); - if (startIdx < 0 || size > 224) { - if (g_debugMode) PrintAndLog("Error2: %i",startIdx); - return -1; + int startIdx = indala64decode(DemodBuffer, &size, &invert); + if (startIdx < 0 || size != 64) { + // try 224 indala + invert = 0; + size = DemodBufferLen; + startIdx = indala224decode(DemodBuffer, &size, &invert); + if (startIdx < 0 || size != 224) { + if (g_debugMode) PrintAndLog("Error2: %i",startIdx); + return -1; + } } setDemodBuf(DemodBuffer, size, (size_t)startIdx); setClockGrid(g_DemodClock, g_DemodStartIdx + (startIdx*g_DemodClock)); diff --git a/client/hardnested/hardnested_bf_core.c b/client/hardnested/hardnested_bf_core.c index 2388f6f5..5e81c2ba 100644 --- a/client/hardnested/hardnested_bf_core.c +++ b/client/hardnested/hardnested_bf_core.c @@ -551,7 +551,7 @@ bitslice_test_nonces_t *bitslice_test_nonces_function_p = &bitslice_test_nonces_ // determine the available instruction set at runtime and call the correct function const uint64_t crack_states_bitsliced_dispatch(uint32_t cuid, uint8_t *best_first_bytes, statelist_t *p, uint32_t *keys_found, uint64_t *num_keys_tested, uint32_t nonces_to_bruteforce, uint8_t *bf_test_nonce_2nd_byte, noncelist_t *nonces) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) crack_states_bitsliced_function_p = &crack_states_bitsliced_AVX512; else if (__builtin_cpu_supports("avx2")) crack_states_bitsliced_function_p = &crack_states_bitsliced_AVX2; @@ -572,7 +572,7 @@ const uint64_t crack_states_bitsliced_dispatch(uint32_t cuid, uint8_t *best_firs void bitslice_test_nonces_dispatch(uint32_t nonces_to_bruteforce, uint32_t *bf_test_nonce, uint8_t *bf_test_nonce_par) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) bitslice_test_nonces_function_p = &bitslice_test_nonces_AVX512; else if (__builtin_cpu_supports("avx2")) bitslice_test_nonces_function_p = &bitslice_test_nonces_AVX2; diff --git a/client/hardnested/hardnested_bitarray_core.c b/client/hardnested/hardnested_bitarray_core.c index 5615d006..aca4f149 100644 --- a/client/hardnested/hardnested_bitarray_core.c +++ b/client/hardnested/hardnested_bitarray_core.c @@ -319,7 +319,7 @@ count_bitarray_AND4_t *count_bitarray_AND4_function_p = &count_bitarray_AND4_dis // determine the available instruction set at runtime and call the correct function uint32_t *malloc_bitarray_dispatch(uint32_t x) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) malloc_bitarray_function_p = &malloc_bitarray_AVX512; else if (__builtin_cpu_supports("avx2")) malloc_bitarray_function_p = &malloc_bitarray_AVX2; @@ -340,7 +340,7 @@ uint32_t *malloc_bitarray_dispatch(uint32_t x) { void free_bitarray_dispatch(uint32_t *x) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) free_bitarray_function_p = &free_bitarray_AVX512; else if (__builtin_cpu_supports("avx2")) free_bitarray_function_p = &free_bitarray_AVX2; @@ -361,7 +361,7 @@ void free_bitarray_dispatch(uint32_t *x) { uint32_t bitcount_dispatch(uint32_t a) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) bitcount_function_p = &bitcount_AVX512; else if (__builtin_cpu_supports("avx2")) bitcount_function_p = &bitcount_AVX2; @@ -382,7 +382,7 @@ uint32_t bitcount_dispatch(uint32_t a) { uint32_t count_states_dispatch(uint32_t *bitarray) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) count_states_function_p = &count_states_AVX512; else if (__builtin_cpu_supports("avx2")) count_states_function_p = &count_states_AVX2; @@ -403,7 +403,7 @@ uint32_t count_states_dispatch(uint32_t *bitarray) { void bitarray_AND_dispatch(uint32_t *A, uint32_t *B) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) bitarray_AND_function_p = &bitarray_AND_AVX512; else if (__builtin_cpu_supports("avx2")) bitarray_AND_function_p = &bitarray_AND_AVX2; @@ -424,7 +424,7 @@ void bitarray_AND_dispatch(uint32_t *A, uint32_t *B) { void bitarray_low20_AND_dispatch(uint32_t *A, uint32_t *B) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) bitarray_low20_AND_function_p = &bitarray_low20_AND_AVX512; else if (__builtin_cpu_supports("avx2")) bitarray_low20_AND_function_p = &bitarray_low20_AND_AVX2; @@ -445,7 +445,7 @@ void bitarray_low20_AND_dispatch(uint32_t *A, uint32_t *B) { uint32_t count_bitarray_AND_dispatch(uint32_t *A, uint32_t *B) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) count_bitarray_AND_function_p = &count_bitarray_AND_AVX512; else if (__builtin_cpu_supports("avx2")) count_bitarray_AND_function_p = &count_bitarray_AND_AVX2; @@ -466,7 +466,7 @@ uint32_t count_bitarray_AND_dispatch(uint32_t *A, uint32_t *B) { uint32_t count_bitarray_low20_AND_dispatch(uint32_t *A, uint32_t *B) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_AVX512; else if (__builtin_cpu_supports("avx2")) count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_AVX2; @@ -487,7 +487,7 @@ uint32_t count_bitarray_low20_AND_dispatch(uint32_t *A, uint32_t *B) { void bitarray_AND4_dispatch(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) bitarray_AND4_function_p = &bitarray_AND4_AVX512; else if (__builtin_cpu_supports("avx2")) bitarray_AND4_function_p = &bitarray_AND4_AVX2; @@ -508,7 +508,7 @@ void bitarray_AND4_dispatch(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D) void bitarray_OR_dispatch(uint32_t *A, uint32_t *B) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) bitarray_OR_function_p = &bitarray_OR_AVX512; else if (__builtin_cpu_supports("avx2")) bitarray_OR_function_p = &bitarray_OR_AVX2; @@ -529,7 +529,7 @@ void bitarray_OR_dispatch(uint32_t *A, uint32_t *B) { uint32_t count_bitarray_AND2_dispatch(uint32_t *A, uint32_t *B) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) count_bitarray_AND2_function_p = &count_bitarray_AND2_AVX512; else if (__builtin_cpu_supports("avx2")) count_bitarray_AND2_function_p = &count_bitarray_AND2_AVX2; @@ -550,7 +550,7 @@ uint32_t count_bitarray_AND2_dispatch(uint32_t *A, uint32_t *B) { uint32_t count_bitarray_AND3_dispatch(uint32_t *A, uint32_t *B, uint32_t *C) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) count_bitarray_AND3_function_p = &count_bitarray_AND3_AVX512; else if (__builtin_cpu_supports("avx2")) count_bitarray_AND3_function_p = &count_bitarray_AND3_AVX2; @@ -571,7 +571,7 @@ uint32_t count_bitarray_AND3_dispatch(uint32_t *A, uint32_t *B, uint32_t *C) { uint32_t count_bitarray_AND4_dispatch(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D) { #if defined (__i386__) || defined (__x86_64__) - #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8)) + #if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1)) #if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2) if (__builtin_cpu_supports("avx512f")) count_bitarray_AND4_function_p = &count_bitarray_AND4_AVX512; else if (__builtin_cpu_supports("avx2")) count_bitarray_AND4_function_p = &count_bitarray_AND4_AVX2; diff --git a/client/mifarehost.c b/client/mifarehost.c index 92ffbd4e..8a840d47 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -396,7 +396,8 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount) { UsbCommand c = {CMD_MIFARE_EML_MEMGET, {blockNum, blocksCount, 0}}; SendCommand(&c); - UsbCommand resp; + + UsbCommand resp; if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) return 1; memcpy(data, resp.d.asBytes, blocksCount * 16); return 0; @@ -416,6 +417,7 @@ int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params) { UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}}; SendCommand(&c); + UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { isOK = resp.arg[0] & 0xff; @@ -434,8 +436,9 @@ int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uin UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}}; memcpy(c.d.asBytes, data, 16); SendCommand(&c); + UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { isOK = resp.arg[0] & 0xff; if (uid != NULL) memcpy(uid, resp.d.asBytes, 4); @@ -445,25 +448,40 @@ int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uin PrintAndLog("Command execute timeout"); return 1; } + return 0; } -int mfCSetUID(uint8_t *uid, uint8_t *atqa, uint8_t *sak, uint8_t *oldUID, bool wantWipe) { +int mfCWipe(uint32_t numSectors, bool gen1b, bool wantWipe, bool wantFill) { + uint8_t isOK = 0; + uint8_t cmdParams = wantWipe + wantFill * 0x02 + gen1b * 0x04; + UsbCommand c = {CMD_MIFARE_CWIPE, {numSectors, cmdParams, 0}}; + SendCommand(&c); + + UsbCommand resp; + WaitForResponse(CMD_ACK,&resp); + isOK = resp.arg[0] & 0xff; + + return isOK; +} + +int mfCSetUID(uint8_t *uid, uint8_t *atqa, uint8_t *sak, uint8_t *oldUID) { uint8_t oldblock0[16] = {0x00}; uint8_t block0[16] = {0x00}; - int old, gen = 0; + int gen = 0, res; gen = mfCIdentify(); + /* generation 1a magic card by default */ + uint8_t cmdParams = CSETBLOCK_SINGLE_OPER; if (gen == 2) { /* generation 1b magic card */ - old = mfCGetBlock(0, oldblock0, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B); - } else { - /* generation 1a magic card by default */ - old = mfCGetBlock(0, oldblock0, CSETBLOCK_SINGLE_OPER); + cmdParams = CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B; } + + res = mfCGetBlock(0, oldblock0, cmdParams); - if (old == 0) { + if (res == 0) { memcpy(block0, oldblock0, 16); PrintAndLog("old block 0: %s", sprint_hex(block0,16)); } else { @@ -474,25 +492,73 @@ int mfCSetUID(uint8_t *uid, uint8_t *atqa, uint8_t *sak, uint8_t *oldUID, bool w // UID memcpy(block0, uid, 4); // Mifare UID BCC - block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; + block0[4] = block0[0] ^ block0[1] ^ block0[2] ^ block0[3]; // mifare classic SAK(byte 5) and ATQA(byte 6 and 7, reversed) - if (sak!=NULL) - block0[5]=sak[0]; - if (atqa!=NULL) { - block0[6]=atqa[1]; - block0[7]=atqa[0]; + if (sak != NULL) + block0[5] = sak[0]; + if (atqa != NULL) { + block0[6] = atqa[1]; + block0[7] = atqa[0]; } - PrintAndLog("new block 0: %s", sprint_hex(block0,16)); + PrintAndLog("new block 0: %s", sprint_hex(block0, 16)); - if (gen == 2) { - /* generation 1b magic card */ - return mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER | CSETBLOCK_MAGIC_1B); - } else { - /* generation 1a magic card by default */ - return mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER); + res = mfCSetBlock(0, block0, oldUID, false, cmdParams); + if (res) { + PrintAndLog("Can't set block 0. Error: %d", res); + return res; } + + return 0; } +int mfCIdentify() +{ + UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}}; + SendCommand(&c); + + UsbCommand resp; + WaitForResponse(CMD_ACK,&resp); + + iso14a_card_select_t card; + memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t)); + + uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision + + if(select_status != 0) { + uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 + c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT; + c.arg[1] = 2; + c.arg[2] = 0; + memcpy(c.d.asBytes, rats, 2); + SendCommand(&c); + WaitForResponse(CMD_ACK,&resp); + } + + c.cmd = CMD_MIFARE_CIDENT; + c.arg[0] = 0; + c.arg[1] = 0; + c.arg[2] = 0; + SendCommand(&c); + WaitForResponse(CMD_ACK,&resp); + + uint8_t isGeneration = resp.arg[0] & 0xff; + switch( isGeneration ){ + case 1: PrintAndLog("Chinese magic backdoor commands (GEN 1a) detected"); break; + case 2: PrintAndLog("Chinese magic backdoor command (GEN 1b) detected"); break; + default: PrintAndLog("No chinese magic backdoor command detected"); break; + } + + // disconnect + c.cmd = CMD_READER_ISO_14443a; + c.arg[0] = 0; + c.arg[1] = 0; + c.arg[2] = 0; + SendCommand(&c); + + return (int) isGeneration; +} + + // SNIFFER // constants @@ -531,7 +597,7 @@ int isBlockEmpty(int blockN) { } int isBlockTrailer(int blockN) { - return ((blockN & 0x03) == 0x03); + return ((blockN & 0x03) == 0x03); } int saveTraceCard(void) { @@ -593,6 +659,7 @@ int loadTraceCard(uint8_t *tuid) { blockNum++; } fclose(f); + return 0; } @@ -613,6 +680,7 @@ int mfTraceInit(uint8_t *tuid, uint8_t *atqa, uint8_t sak, bool wantSaveToEmlFil uid = bytes_to_num(tuid + 3, 4); traceState = TRACE_IDLE; + return 0; } @@ -815,6 +883,8 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) { return 0; } +// DECODING + int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len){ /* uint32_t nt; // tag challenge @@ -835,48 +905,3 @@ int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, return 0; } -int mfCIdentify() -{ - UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}}; - SendCommand(&c); - UsbCommand resp; - WaitForResponse(CMD_ACK,&resp); - - iso14a_card_select_t card; - memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t)); - - uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision - - if(select_status != 0) { - uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 - c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT; - c.arg[1] = 2; - c.arg[2] = 0; - memcpy(c.d.asBytes, rats, 2); - SendCommand(&c); - WaitForResponse(CMD_ACK,&resp); - } - - c.cmd = CMD_MIFARE_CIDENT; - c.arg[0] = 0; - c.arg[1] = 0; - c.arg[2] = 0; - SendCommand(&c); - WaitForResponse(CMD_ACK,&resp); - - uint8_t isGeneration = resp.arg[0] & 0xff; - switch( isGeneration ){ - case 1: PrintAndLog("Chinese magic backdoor commands (GEN 1a) detected"); break; - case 2: PrintAndLog("Chinese magic backdoor command (GEN 1b) detected"); break; - default: PrintAndLog("No chinese magic backdoor command detected"); break; - } - - // disconnect - c.cmd = CMD_READER_ISO_14443a; - c.arg[0] = 0; - c.arg[1] = 0; - c.arg[2] = 0; - SendCommand(&c); - - return (int) isGeneration; -} diff --git a/client/mifarehost.h b/client/mifarehost.h index 7f9a2b45..34793a29 100644 --- a/client/mifarehost.h +++ b/client/mifarehost.h @@ -33,7 +33,8 @@ extern int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint extern int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount); extern int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount); -extern int mfCSetUID(uint8_t *uid, uint8_t *atqa, uint8_t *sak, uint8_t *oldUID, bool wantWipe); +extern int mfCWipe(uint32_t numSectors, bool gen1b, bool wantWipe, bool wantFill); +extern int mfCSetUID(uint8_t *uid, uint8_t *atqa, uint8_t *sak, uint8_t *oldUID); extern int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uint8_t params); extern int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params); diff --git a/client/proxmark3.c b/client/proxmark3.c index fa389dd1..956eb6a8 100644 --- a/client/proxmark3.c +++ b/client/proxmark3.c @@ -274,8 +274,22 @@ int main(int argc, char* argv[]) { pthread_mutex_init(&print_lock, NULL); #ifdef HAVE_GUI +#ifdef _WIN32 InitGraphics(argc, argv, script_cmds_file, usb_present); MainGraphics(); +#else + char* display = getenv("DISPLAY"); + + if (display && strlen(display) > 1) + { + InitGraphics(argc, argv, script_cmds_file, usb_present); + MainGraphics(); + } + else + { + main_loop(script_cmds_file, usb_present); + } +#endif #else main_loop(script_cmds_file, usb_present); #endif diff --git a/client/util.c b/client/util.c index 38dd3a12..86e8c502 100644 --- a/client/util.c +++ b/client/util.c @@ -322,7 +322,7 @@ char * printBits(size_t const size, void const * const ptr) // ------------------------------------------------------------------------- // line - param line -// bg, en - symbol numbers in param line of beginning an ending parameter +// bg, en - symbol numbers in param line of beginning and ending parameter // paramnum - param number (from 0) // ------------------------------------------------------------------------- int param_getptr(const char *line, int *bg, int *en, int paramnum) @@ -355,6 +355,15 @@ int param_getptr(const char *line, int *bg, int *en, int paramnum) } +int param_getlength(const char *line, int paramnum) +{ + int bg, en; + + if (param_getptr(line, &bg, &en, paramnum)) return 0; + + return en - bg + 1; +} + char param_getchar(const char *line, int paramnum) { int bg, en; diff --git a/client/util.h b/client/util.h index 640ef434..6177dd93 100644 --- a/client/util.h +++ b/client/util.h @@ -51,6 +51,7 @@ extern uint32_t SwapBits(uint32_t value, int nrbits); extern uint8_t *SwapEndian64(const uint8_t *src, const size_t len, const uint8_t blockSize); extern void SwapEndian64ex(const uint8_t *src, const size_t len, const uint8_t blockSize, uint8_t *dest); +extern int param_getlength(const char *line, int paramnum); extern char param_getchar(const char *line, int paramnum); extern int param_getptr(const char *line, int *bg, int *en, int paramnum); extern uint8_t param_get8(const char *line, int paramnum); diff --git a/common/lfdemod.c b/common/lfdemod.c index 880e2c2b..f470371a 100644 --- a/common/lfdemod.c +++ b/common/lfdemod.c @@ -1777,22 +1777,53 @@ int IOdemodFSK(uint8_t *dest, size_t size, int *waveStartIdx) { } // redesigned by marshmellow adjusted from existing decode functions -// indala id decoding - only tested on 26 bit tags, but attempted to make it work for more -int indala26decode(uint8_t *bitStream, size_t *size, uint8_t *invert) { - //26 bit 40134 format (don't know other formats) - uint8_t preamble[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1}; - uint8_t preamble_i[] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0}; - size_t startidx = 0; - if (!preambleSearch(bitStream, preamble, sizeof(preamble), size, &startidx)){ - // if didn't find preamble try again inverting - if (!preambleSearch(bitStream, preamble_i, sizeof(preamble_i), size, &startidx)) return -1; +// indala id decoding +int indala64decode(uint8_t *bitStream, size_t *size, uint8_t *invert) { + //standard 64 bit indala formats including 26 bit 40134 format + uint8_t preamble64[] = {1,0,1,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 1}; + uint8_t preamble64_i[] = {0,1,0,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 0}; + size_t startidx = 0; + size_t found_size = *size; + bool found = preambleSearch(bitStream, preamble64, sizeof(preamble64), &found_size, &startidx); + if (!found) { + found = preambleSearch(bitStream, preamble64_i, sizeof(preamble64_i), &found_size, &startidx); + if (!found) return -1; *invert ^= 1; - } - if (*size != 64 && *size != 224) return -2; + } + if (found_size != 64) return -2; if (*invert==1) - for (size_t i = startidx; i < *size + startidx; i++) + for (size_t i = startidx; i < found_size + startidx; i++) bitStream[i] ^= 1; + // note: don't change *size until we are sure we got it... + *size = found_size; + return (int) startidx; +} + +int indala224decode(uint8_t *bitStream, size_t *size, uint8_t *invert) { + //large 224 bit indala formats (different preamble too...) + uint8_t preamble224[] = {1,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1}; + uint8_t preamble224_i[] = {0,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,0}; + size_t startidx = 0; + size_t found_size = *size; + bool found = preambleSearch(bitStream, preamble224, sizeof(preamble224), &found_size, &startidx); + if (!found) { + found = preambleSearch(bitStream, preamble224_i, sizeof(preamble224_i), &found_size, &startidx); + if (!found) return -1; + *invert ^= 1; + } + if (found_size != 224) return -2; + if (*invert==1 && startidx > 0) + for (size_t i = startidx-1; i < found_size + startidx + 2; i++) + bitStream[i] ^= 1; + + // 224 formats are typically PSK2 (afaik 2017 Marshmellow) + // note loses 1 bit at beginning of transformation... + // don't need to verify array is big enough as to get here there has to be a full preamble after all of our data + psk1TOpsk2(bitStream + (startidx-1), found_size+2); + startidx++; + + *size = found_size; return (int) startidx; } diff --git a/common/lfdemod.h b/common/lfdemod.h index c926a8a4..f18c2784 100644 --- a/common/lfdemod.h +++ b/common/lfdemod.h @@ -54,7 +54,8 @@ extern int FDXBdemodBI(uint8_t *dest, size_t *size); extern int gProxII_Demod(uint8_t BitStream[], size_t *size); extern int HIDdemodFSK(uint8_t *dest, size_t *size, uint32_t *hi2, uint32_t *hi, uint32_t *lo, int *waveStartIdx); extern int IOdemodFSK(uint8_t *dest, size_t size, int *waveStartIdx); -extern int indala26decode(uint8_t *bitStream, size_t *size, uint8_t *invert); +extern int indala64decode(uint8_t *bitStream, size_t *size, uint8_t *invert); +extern int indala224decode(uint8_t *bitStream, size_t *size, uint8_t *invert); extern int ParadoxdemodFSK(uint8_t *dest, size_t *size, uint32_t *hi2, uint32_t *hi, uint32_t *lo, int *waveStartIdx); extern int PrescoDemod(uint8_t *dest, size_t *size); extern int PyramiddemodFSK(uint8_t *dest, size_t *size, int *waveStartIdx); diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 0ab9730e..194a9d53 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -175,6 +175,7 @@ typedef struct{ #define CMD_MIFARE_CSETBLOCK 0x0605 #define CMD_MIFARE_CGETBLOCK 0x0606 #define CMD_MIFARE_CIDENT 0x0607 +#define CMD_MIFARE_CWIPE 0x0608 #define CMD_SIMULATE_MIFARE_CARD 0x0610