mfu info / dump attempt at missing auths

NOT TESTED. will test soon. probably has bugs!
2025-08-21 05:43:23 -07:00 · 2015-05-16 01:00:31 -04:00 · 2015-05-16 01:00:31 -04:00 · cceabb79e6
commit cceabb79e6
parent ae8303c13c
6 changed files with 129 additions and 91 deletions
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -167,7 +167,7 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2);
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
 void MifareUC_Auth1(uint8_t arg0, uint8_t *datain);
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain);
+void MifareUC_Auth2(uint8_t arg0, uint8_t *datain);
 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@ -121,7 +121,7 @@ void MifareUC_Auth1(uint8_t arg0, uint8_t *datain){
    cmd_send(CMD_ACK,1,cuid,0,dataoutbuf,11);
 	LEDsoff();
 }
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){
+void MifareUC_Auth2(uint8_t arg0, uint8_t *datain){

 	uint8_t key[16] = {0x00};
 	byte_t dataoutbuf[16] = {0x00};
@ -139,8 +139,10 @@ void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){
 	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
    
 	cmd_send(CMD_ACK,1,0,0,dataoutbuf,11);
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LEDsoff();
+	if (arg0) {
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		LEDsoff();
+	}
 }

 // Arg0 = BlockNo,
@ -346,7 +348,8 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 	// params
 	uint8_t blockNo = arg0;
 	uint16_t blocks = arg1;
-	bool useKey = (arg2 == 1);
+	bool useKey = (arg2 == 1); //UL_C
+	bool usePwd = (arg2 == 2); //UL_EV1/NTAG
 	int countblocks = 0;
 	uint8_t dataout[176] = {0x00};

@ -373,12 +376,12 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 		uint8_t rnd_ab[16] = {0x00};
 		uint8_t IV[8] = {0x00};

-		uint16_t len;
+		uint16_t len2;
 		uint8_t receivedAnswer[MAX_FRAME_SIZE];
 		uint8_t receivedAnswerPar[MAX_PARITY_SIZE];

-		len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
-		if (len != 11) {
+		len2 = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
+		if (len2 != 11) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
 			OnError(1);
 			return;
@ -396,8 +399,8 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 		// encrypt    out, in, length, key, iv
 		tdes_2key_enc(rnd_ab, rnd_ab, sizeof(rnd_ab), key, enc_random_b);

-		len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, receivedAnswer, receivedAnswerPar, NULL);
-		if (len != 11) {
+		len2 = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, receivedAnswer, receivedAnswerPar, NULL);
+		if (len2 != 11) {
 			OnError(1);
 			return;
 		}
@ -412,6 +415,18 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 			Dbprintf("failed authentication");	
 	}

+	if (usePwd) { //ev1 or ntag auth
+		uint8_t Pwd[4] = {0x00};
+		memcpy(Pwd, datain, 4);
+		uint8_t pack[4] = {0,0,0,0};
+
+		if (mifare_ul_ev1_auth(Pwd, pack)){
+			OnError(1);
+			Dbprintf("failed authentication");
+			return;			
+		}
+	}
+
 	for (int i = 0; i < blocks; i++){
 		len = mifare_ultra_readblock(blockNo * 4 + i, dataout + 4 * i);

--- a/armsrc/mifareutil.c
+++ b/armsrc/mifareutil.c
@ -288,6 +288,26 @@ int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blo
 }

 // mifare ultralight commands
+int mifare_ul_ev1_auth(uint8_t *key, uint8_t *pack){
+
+	uint16_t len;
+	uint8_t receivedAnswer[MAX_FRAME_SIZE];
+	uint8_t receivedAnswerPar[MAX_PARITY_SIZE];
+	
+	len = mifare_sendcmd_short_mfucauth(NULL, 0, 0x1B, key, receivedAnswer, receivedAnswerPar, NULL);
+	if (len != 4) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x %u", receivedAnswer[0], len);
+		return 1;
+	}
+	
+	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+		Dbprintf("Auth Resp: %02x%02x%02x%02x",
+			receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3]);
+	}
+	memcpy(pack, receivedAnswer, 4);
+	return 0;
+}
+
 int mifare_ultra_auth1(uint8_t *blockData){

 	uint16_t len;
--- a/armsrc/mifareutil.h
+++ b/armsrc/mifareutil.h
@ -61,7 +61,8 @@ int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cm

 int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested);
 int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing);
-int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData); 
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
+int mifare_ul_ev1_auth(uint8_t *key, uint8_t *pack);
 int mifare_ultra_auth1(uint8_t *blockData);
 int mifare_ultra_auth2(uint8_t *key, uint8_t *blockData);
 int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData);