From ec877e04ea930ceed65b020b20c32db0e7117fde Mon Sep 17 00:00:00 2001 From: Ave Date: Thu, 3 Sep 2020 17:33:36 +0300 Subject: [PATCH 1/9] Add hf_aveul standalone mode --- armsrc/Standalone/Makefile.hal | 5 +- armsrc/Standalone/Makefile.inc | 4 ++ armsrc/Standalone/hf_aveul.c | 119 +++++++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 armsrc/Standalone/hf_aveul.c diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal index bd66d538c9..bab78be83e 100644 --- a/armsrc/Standalone/Makefile.hal +++ b/armsrc/Standalone/Makefile.hal @@ -59,10 +59,13 @@ define KNOWN_STANDALONE_DEFINITIONS | HF_YOUNG | Mifare sniff/simulation | | | - Craig Young | +----------------------------------------------------------+ +| HF_AVEUL | Mifare ultralight read/simulation | +| | - Ave Ozkal | ++----------------------------------------------------------+ endef STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN -STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG +STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG HF_AVEUL STANDALONE_MODES_REQ_SMARTCARD := STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),) diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc index 131e26e790..d903b02f89 100644 --- a/armsrc/Standalone/Makefile.inc +++ b/armsrc/Standalone/Makefile.inc @@ -37,6 +37,10 @@ endif ifneq (,$(findstring WITH_STANDALONE_HF_14ASNIFF,$(APP_CFLAGS))) SRC_STANDALONE = hf_14asniff.c endif +# WITH_STANDALONE_HF_AVEUL +ifneq (,$(findstring WITH_STANDALONE_HF_AVEUL,$(APP_CFLAGS))) + SRC_STANDALONE = hf_aveul.c +endif # WITH_STANDALONE_LF_ICEHID ifneq (,$(findstring WITH_STANDALONE_LF_ICEHID,$(APP_CFLAGS))) SRC_STANDALONE = lf_icehid.c 
diff --git a/armsrc/Standalone/hf_aveul.c b/armsrc/Standalone/hf_aveul.c new file mode 100644 index 0000000000..64d2b9f22e --- /dev/null +++ b/armsrc/Standalone/hf_aveul.c 
@@ -0,0 +1,119 @@ +//----------------------------------------------------------------------------- +// A. Ozkal, 2020 +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// main code for HF Mifare Ultralight read/simulation by Ave Ozkal +//----------------------------------------------------------------------------- + +/* Several parts of this code is based on code by Craig Young from HF_YOUNG */ + +#include "standalone.h" // standalone definitions +#include "proxmark3_arm.h" +#include "appmain.h" +#include "fpgaloader.h" +#include "util.h" +#include "dbprint.h" + +#include "ticks.h" // SpinDelay +#include "mifareutil.h" +#include "iso14443a.h" + +typedef struct { + uint8_t uid[10]; + uint8_t uidlen; + uint8_t atqa[2]; + uint8_t sak; +} PACKED card_clone_t; + +void ModInfo(void) { + DbpString(" HF Mifare Ultralight read/simulation by Ave Ozkal"); +} + +void RunMod(void) { + StandAloneMode(); + Dbprintf("[=] AveUL (MF Ultralight read/emul) started"); + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + + // the main loop for your standalone mode + for (;;) { + WDT_HIT(); + + // exit from RunMod, send a usbcommand. + if (data_available()) break; + + iso14a_card_select_t card; + + SpinDelay(500); + iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); + + // 0 = search, 1 = read, 2 = emul + int stage = 0; + + DbpString("Scanning..."); + for (;;) { + // Was our button held down or pressed? 
+ int button_pressed = BUTTON_HELD(1000); + + if (button_pressed != BUTTON_NO_CLICK || data_available()) + break; + else if (stage == 0) { + if (!iso14443a_select_card(NULL, &card, NULL, true, 0, true)) { + continue; + } else { + if (card.sak == 0x00 && card.atqa[0] == 0x44 && card.atqa[1] == 0 && card.uidlen == 7) { + DbpString("Found ultralight with UID: "); + Dbhexdump(7, card.uid, 0); + stage = 1; + } + else { + DbpString("Found non-ultralight card, ignoring"); + } + } + } + else if (stage == 1) { + iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); + iso14443a_select_card(NULL, NULL, NULL, true, 0, true); + int i; + bool read_successful = true; + Dbprintf("Contents:"); + + for (i = 0; i < 16; ++i) + { + uint8_t dataout[4] = {0x00}; + if (mifare_ultra_readblock(i, dataout)) { + // If there's an error reading, go back to stage 0 + read_successful = false; + break; + } + // TODO: I'm not 100% on why I need to do + 14. The bin->eml results have 14 blocks of almost all 0 at start. + // and the bins just don't, so I'll admit that I am a little confused, but it works, so I won't question it much. + emlSetMem_xt(dataout, 14 + i, 1, 4); + Dbhexdump(4, dataout, 0); + } + + if (read_successful) { + Dbprintf("Successfully loaded into emulator memory"); + stage = 2; + } else { + Dbprintf("Read failure, going back to stage 0."); + stage = 0; + } + } + else if (stage == 2) { + uint8_t flags = FLAG_7B_UID_IN_DATA; + + Dbprintf("Starting simulation, press pm3-button to stop and go back to scan"); + SimulateIso14443aTag(2, flags, card.uid); + + // Go back to stage 0 if user presses pm3-button + stage = 0; + } + } + } + + DbpString("[=] exiting"); + LEDsoff(); +} From 51360c4d1a3bc6676ebbed187bc8b5999d3df164 Mon Sep 17 00:00:00 2001 From: Ave Date: Thu, 3 Sep 2020 17:43:47 +0300 Subject: [PATCH 2/9] hf_aveul: Extend comments --- armsrc/Standalone/hf_aveul.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
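Review bot: The inner `for (;;)` scanning loop in RunMod never calls `WDT_HIT()`; the only watchdog kick is at the top of the outer loop, which is not reached again until the inner loop breaks on a button press or USB data, so a long search/read/emulate session appears to rely on the called helpers to service the watchdog — worth confirming, and cheap to make explicit with `WDT_HIT();` as the first statement of the inner loop. In the `stage == 1` branch the return value of `iso14443a_select_card(NULL, NULL, NULL, true, 0, true)` is ignored, so a failed re-select is only discovered indirectly when `mifare_ultra_readblock` fails; checking it directly, e.g. `if (!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) { stage = 0; continue; }`, gives a clearer failure path. The assumptions about the tag (7-byte UID in the SAK/ATQA check, 16 blocks in the loop bound, `FLAG_7B_UID_IN_DATA` in the emulation branch, no authentication) are spread across the function; a short comment above RunMod listing them would help the next reader keep them in sync.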
diff --git a/armsrc/Standalone/hf_aveul.c b/armsrc/Standalone/hf_aveul.c index 64d2b9f22e..49f9c6f6f9 100644 --- a/armsrc/Standalone/hf_aveul.c +++ b/armsrc/Standalone/hf_aveul.c @@ -10,6 +10,10 @@ /* Several parts of this code is based on code by Craig Young from HF_YOUNG */ +/* This code does not account for: +- Cards with block counts other than 16 +- Cards with authentication (MFU EV1 etc) */ + #include "standalone.h" // standalone definitions #include "proxmark3_arm.h" #include "appmain.h" @@ -34,7 +38,7 @@ void ModInfo(void) { void RunMod(void) { StandAloneMode(); - Dbprintf("[=] AveUL (MF Ultralight read/emul) started"); + Dbprintf("AveUL (MF Ultralight read/emul) started"); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // the main loop for your standalone mode @@ -88,8 +92,8 @@ void RunMod(void) { read_successful = false; break; } - // TODO: I'm not 100% on why I need to do + 14. The bin->eml results have 14 blocks of almost all 0 at start. - // and the bins just don't, so I'll admit that I am a little confused, but it works, so I won't question it much. + // We're skipping 14 blocks (56 bytes) here, as that "[...] has version/signature/counter data here" according to comments on dumptoemul-mfu + // When converting a bin, it's almost all 0 other than one 0x0F byte, and functionality seems to be unaffected if that byte is set to 0x00. emlSetMem_xt(dataout, 14 + i, 1, 4); Dbhexdump(4, dataout, 0); } @@ -114,6 +118,6 @@ void RunMod(void) { } } - DbpString("[=] exiting"); + DbpString("exiting"); LEDsoff(); } From c4e01ce81ebc28fa39c99efd0a193e46b35c6715 Mon Sep 17 00:00:00 2001 From: Ave Date: Thu, 3 Sep 2020 18:29:18 +0300 Subject: [PATCH 3/9] hf_aveul: Use defines to make the code easier to configure for other card types --- armsrc/Standalone/hf_aveul.c | 50 +++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/armsrc/Standalone/hf_aveul.c b/armsrc/Standalone/hf_aveul.c index 49f9c6f6f9..3c3388fb27 100644 
--- a/armsrc/Standalone/hf_aveul.c +++ b/armsrc/Standalone/hf_aveul.c @@ -10,9 +10,9 @@ /* Several parts of this code is based on code by Craig Young from HF_YOUNG */ -/* This code does not account for: -- Cards with block counts other than 16 -- Cards with authentication (MFU EV1 etc) */ +/* This code does not: +- Account for cards with authentication (MFU EV1 etc) +- Determine if cards have block count that's not the same as the BLOCKS def */ #include "standalone.h" // standalone definitions #include "proxmark3_arm.h" @@ -25,6 +25,15 @@ #include "mifareutil.h" #include "iso14443a.h" +#define BLOCKS 16 +#define SAK 0x00 +#define ATQA0 0x44 +#define ATQA1 0x00 + +#define STATE_SEARCH 0 +#define STATE_READ 1 +#define STATE_EMUL 2 + typedef struct { uint8_t uid[10]; uint8_t uidlen; @@ -54,7 +63,7 @@ void RunMod(void) { iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); // 0 = search, 1 = read, 2 = emul - int stage = 0; + int state = STATE_SEARCH; DbpString("Scanning..."); for (;;) { 
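Review bot: The comment `// 0 = search, 1 = read, 2 = emul` above `int state = STATE_SEARCH;` in the third hunk is now stale, since the numeric meanings moved to the `STATE_*` defines; drop it or change it to `// see STATE_SEARCH / STATE_READ / STATE_EMUL`. The new macros `SAK`, `ATQA0`, `ATQA1` and `BLOCKS` in the second hunk are very generic file-scope names; a prefix such as `MFU_SAK` / `MFU_BLOCKS` would reduce the chance of a clash with a token from the included headers (not verified against them here) and make the card-type knobs the commit message describes easier to find. The `7` in `card.uidlen == 7` later in the file is the same kind of card-type knob and is not a define, so changing the card type via the defines alone is not enough. RunMod continues past this hunk.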
@@ -63,32 +72,31 @@ void RunMod(void) { if (button_pressed != BUTTON_NO_CLICK || data_available()) break; - else if (stage == 0) { + else if (state == STATE_SEARCH) { if (!iso14443a_select_card(NULL, &card, NULL, true, 0, true)) { continue; } else { - if (card.sak == 0x00 && card.atqa[0] == 0x44 && card.atqa[1] == 0 && card.uidlen == 7) { + if (card.sak == SAK && card.atqa[0] == ATQA0 && card.atqa[1] == ATQA1 && card.uidlen == 7) { DbpString("Found ultralight with UID: "); - Dbhexdump(7, card.uid, 0); - stage = 1; + Dbhexdump(card.uidlen, card.uid, 0); + state = STATE_READ; } else { - DbpString("Found non-ultralight card, ignoring"); + DbpString("Found non-ultralight card, ignoring."); } } } - else if (stage == 1) { + else if (state == STATE_READ) { iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); iso14443a_select_card(NULL, NULL, NULL, true, 0, true); - int i; bool read_successful = true; Dbprintf("Contents:"); - for (i = 0; i < 16; ++i) + for (int i = 0; i < BLOCKS; i++) { uint8_t dataout[4] = {0x00}; if (mifare_ultra_readblock(i, dataout)) { - // If there's an error reading, go back to stage 0 + // If there's an error reading, go back to search state read_successful = false; break; } 
@@ -99,21 +107,21 @@ void RunMod(void) { } if (read_successful) { - Dbprintf("Successfully loaded into emulator memory"); - stage = 2; + Dbprintf("Successfully loaded into emulator memory..."); + state = STATE_EMUL; } else { - Dbprintf("Read failure, going back to stage 0."); - stage = 0; + Dbprintf("Read failure, going back to search state."); + state = STATE_SEARCH; } } - else if (stage == 2) { + else if (state == 2) { uint8_t flags = FLAG_7B_UID_IN_DATA; - Dbprintf("Starting simulation, press pm3-button to stop and go back to scan"); + Dbprintf("Starting simulation, press pm3-button to stop and go back to search state."); SimulateIso14443aTag(2, flags, card.uid); - // Go back to stage 0 if user presses pm3-button - stage = 0; + // Go back to search state if user presses pm3-button + state = STATE_SEARCH; } } } From 6c92b9d1ed2d332ab56f4d2b6a28b0f205cab0c2 Mon Sep 17 00:00:00 2001 From: Ave Date: Thu, 3 Sep 2020 18:38:58 +0300 Subject: [PATCH 4/9] hf_aveful: rename from hf_aveul to hf_aveful --- armsrc/Standalone/Makefile.hal | 4 ++-- armsrc/Standalone/Makefile.inc | 6 +++--- armsrc/Standalone/{hf_aveul.c => hf_aveful.c} | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) rename armsrc/Standalone/{hf_aveul.c => hf_aveful.c} (98%) diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal index bab78be83e..1c3bfb02ac 100644 --- a/armsrc/Standalone/Makefile.hal +++ b/armsrc/Standalone/Makefile.hal 
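Review bot: `} else if (state == 2) {` in this hunk still compares against the literal 2 although the commit introduces `STATE_EMUL` for exactly this value; it should read `} else if (state == STATE_EMUL) {`, otherwise renumbering the states later silently disables the emulation branch. The same literal survives the formatting pass in patch 5 of this series. RunMod starts before this hunk.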
@@ -59,13 +59,13 @@ define KNOWN_STANDALONE_DEFINITIONS | HF_YOUNG | Mifare sniff/simulation | | | - Craig Young | +----------------------------------------------------------+ -| HF_AVEUL | Mifare ultralight read/simulation | +| HF_AVEFUL | Mifare ultralight read/simulation | | | - Ave Ozkal | +----------------------------------------------------------+ endef STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN -STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG HF_AVEUL +STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG HF_AVEFUL STANDALONE_MODES_REQ_SMARTCARD := STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),) diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc index d903b02f89..c5730965b3 100644 --- a/armsrc/Standalone/Makefile.inc +++ b/armsrc/Standalone/Makefile.inc @@ -37,9 +37,9 @@ endif ifneq (,$(findstring WITH_STANDALONE_HF_14ASNIFF,$(APP_CFLAGS))) SRC_STANDALONE = hf_14asniff.c endif -# WITH_STANDALONE_HF_AVEUL -ifneq (,$(findstring WITH_STANDALONE_HF_AVEUL,$(APP_CFLAGS))) - SRC_STANDALONE = hf_aveul.c +# WITH_STANDALONE_HF_AVEFUL +ifneq (,$(findstring WITH_STANDALONE_HF_AVEFUL,$(APP_CFLAGS))) + SRC_STANDALONE = hf_aveful.c endif # WITH_STANDALONE_LF_ICEHID ifneq (,$(findstring WITH_STANDALONE_LF_ICEHID,$(APP_CFLAGS))) diff --git a/armsrc/Standalone/hf_aveul.c b/armsrc/Standalone/hf_aveful.c similarity index 98% rename from armsrc/Standalone/hf_aveul.c rename to armsrc/Standalone/hf_aveful.c index 3c3388fb27..cc2cffbf6d 100644 --- a/armsrc/Standalone/hf_aveul.c +++ b/armsrc/Standalone/hf_aveful.c 
@@ -47,7 +47,7 @@ void ModInfo(void) { void RunMod(void) { StandAloneMode(); - Dbprintf("AveUL (MF Ultralight read/emul) started"); + Dbprintf("AveFUL (MF Ultralight read/emul) started"); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // the main loop for your standalone mode From 2687d9f3ecbff0e7683a410c2ab7b1abece93af3 Mon Sep 17 00:00:00 2001 From: Ave Date: Thu, 3 Sep 2020 18:44:30 +0300 Subject: [PATCH 5/9] hf_aveful: last minute code formatting --- armsrc/Standalone/hf_aveful.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/armsrc/Standalone/hf_aveful.c b/armsrc/Standalone/hf_aveful.c index cc2cffbf6d..a619459f5c 100644 --- a/armsrc/Standalone/hf_aveful.c +++ b/armsrc/Standalone/hf_aveful.c @@ -8,11 +8,11 @@ // main code for HF Mifare Ultralight read/simulation by Ave Ozkal //----------------------------------------------------------------------------- -/* Several parts of this code is based on code by Craig Young from HF_YOUNG */ +// Several parts of this code is based on code by Craig Young from HF_YOUNG -/* This code does not: -- Account for cards with authentication (MFU EV1 etc) -- Determine if cards have block count that's not the same as the BLOCKS def */ +// This code does not: +// - Account for cards with authentication (MFU EV1 etc) +// - Determine if cards have block count that's not the same as the BLOCKS def #include "standalone.h" // standalone definitions #include "proxmark3_arm.h" 
@@ -80,20 +80,17 @@ void RunMod(void) { DbpString("Found ultralight with UID: "); Dbhexdump(card.uidlen, card.uid, 0); state = STATE_READ; - } - else { + } else { DbpString("Found non-ultralight card, ignoring."); } } - } - else if (state == STATE_READ) { + } else if (state == STATE_READ) { iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); iso14443a_select_card(NULL, NULL, NULL, true, 0, true); bool read_successful = true; Dbprintf("Contents:"); - for (int i = 0; i < BLOCKS; i++) - { + for (int i = 0; i < BLOCKS; i++) { uint8_t dataout[4] = {0x00}; if (mifare_ultra_readblock(i, dataout)) { // If there's an error reading, go back to search state @@ -113,8 +110,7 @@ void RunMod(void) { Dbprintf("Read failure, going back to search state."); state = STATE_SEARCH; } - } - else if (state == 2) { + } else if (state == 2) { uint8_t flags = FLAG_7B_UID_IN_DATA; Dbprintf("Starting simulation, press pm3-button to stop and go back to search state."); From befb5f1c01feae7f7e0cd8b2f1468f5cab4e37cd Mon Sep 17 00:00:00 2001 From: Ave Date: Fri, 4 Sep 2020 00:13:41 +0300 Subject: [PATCH 6/9] hf_aveful: Move Makefile.hal entry to be alphabetic --- armsrc/Standalone/Makefile.hal | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal index 1c3bfb02ac..eef4ecf6f9 100644 --- a/armsrc/Standalone/Makefile.hal +++ b/armsrc/Standalone/Makefile.hal @@ -38,6 +38,9 @@ define KNOWN_STANDALONE_DEFINITIONS | HF_14ASNIFF | 14a sniff to flashmem | | (RDV4 only) | | +----------------------------------------------------------+ +| HF_AVEFUL | Mifare ultralight read/simulation | +| | - Ave Ozkal | ++----------------------------------------------------------+ | HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth | | (RDV4 only) | storing in flashmem - Bogito | +----------------------------------------------------------+ 
@@ -59,13 +62,10 @@ define KNOWN_STANDALONE_DEFINITIONS | HF_YOUNG | Mifare sniff/simulation | | | - Craig Young | +----------------------------------------------------------+ -| HF_AVEFUL | Mifare ultralight read/simulation | -| | - Ave Ozkal | -+----------------------------------------------------------+ endef STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN -STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG HF_AVEFUL +STANDALONE_MODES += HF_14ASNIFF HF_AVEFUL HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG STANDALONE_MODES_REQ_SMARTCARD := STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),) From c46d22d38fad7c036a89acdb79cf0111596ae592 Mon Sep 17 00:00:00 2001 From: Winds Date: Thu, 23 Apr 2020 20:26:28 +0200 Subject: [PATCH 7/9] Moving mfc_gen3_writer.lua to a branch till it becomes useable --- client/luascripts/mfc_gen3_writer.lua | 390 ++++++++++++++++++++++++++ 1 file changed, 390 insertions(+) create mode 100644 client/luascripts/mfc_gen3_writer.lua diff --git a/client/luascripts/mfc_gen3_writer.lua b/client/luascripts/mfc_gen3_writer.lua new file mode 100644 index 0000000000..5222c0d39f --- /dev/null +++ b/client/luascripts/mfc_gen3_writer.lua 
@@ -0,0 +1,390 @@ +local utils = require('utils') +local getopt = require('getopt') +local cmds = require('commands') +local read14a = require('read14a') +-- +--- +------------------------------- +-- Notes +------------------------------- +--- +-- +--[[ +---Suggestions of improvement: +--- Add support another types of dumps: BIN, JSON +--- Maybe it will be not only as `mfc_gen3_writer`, like a universal dump manager. +--- Add undependence from the operation system. At the moment code not working in Linux. +--- Add more chinesse backdoors RAW commands for UID changing (find RAW for the 4 byte familiar chinese card, from native it soft: http://bit.ly/39VIDsU) +--- Hide system messages when you writing a dumps, replace it to some of like [#####----------] 40% + +-- iceman notes: +-- doesn't take consideration filepaths for dump files. +-- doesn't allow A keys for authenticating when writing +-- doesn't verify that card is magic gen3. +-- doesn't take several versions of same dump ( -1, -2, -3 ) styles. +--]] +-- +--- +------------------------------- +-- Script hat +------------------------------- +--- +-- +copyright = '' +author = 'Winds' +version = 'v1.0.0' +desc = [[ + The script gives you a easy way to write your *.eml dumps onto normal MFC and magic Gen3 cards. + + Works with both 4 and 7 bytes NXP MIFARE Classic 1K cards. + The script also has the possibility to change UID and permanent lock uid on magic Gen3 cards. + + It supports the following functionality. + + 1. Write it to the same of current card UID. + 2. Write it to magic Gen3 card. + 3. Change uid to match dump on magic Gen3 card. + 4. Permanent lock UID on magic Gen3 card. + 5. Erase all data at the card and set the FF FF FF FF FF FF keys, and Access Conditions to 78778800. + + Script works in a wizard styled way. +]] +example = [[ + 1. script run mfc_gen3_writer +]] +usage = [[ + Select your *.eml dump from list to write to the card. 
+]] +-- +--- +------------------------------- +-- Global variables +------------------------------- +--- +-- +local DEBUG = false -- the debug flag +local files = {} -- Array for eml files +local b_keys = {} -- Array for B keys +local eml = {} -- Array for data in block 32 +local num_dumps = 0 -- num of found eml dump files +local tab = string.rep('-', 64) +local empty = string.rep('0', 32) -- Writing blocks +local default_key = 'FFFFFFFFFFFF' -- Writing blocks +local default_key_type = '01' --KeyA: 00, KeyB: 01 +local default_key_blk = 'FFFFFFFFFFFF78778800FFFFFFFFFFFF' -- Writing blocks +local piswords_uid_lock = 'hf 14a raw -s -c -t 2000 90fd111100' +local piswords_uid_change = 'hf 14a raw -s -c -t 2000 90f0cccc10' +local cmd_wrbl = 'hf mf wrbl %d B %s %s' -- Writing blocks +-- +--- +------------------------------- +-- A debug printout-function +------------------------------- +--- +-- +local function dbg(args) + if not DEBUG then return end + if type(args) == 'table' then + local i = 1 + while args[i] do + dbg(args[i]) + i = i+1 + end + else + print('###', args) + end +end +-- +--- +------------------------------- +-- This is only meant to be used when errors occur +------------------------------- +--- +-- +local function oops(err) + print('ERROR:', err) + core.clearCommandBuffer() + return nil, err +end +-- +--- +------------------------------- +-- Usage help +------------------------------- +--- +-- +local function help() + print(copyright) + print(author) + print(version) + print(desc) + print('Example usage') + print(example) + print(usage) +end +-- +--- +------------------------------- +-- GetUID +------------------------------- +--- +-- +local function GetUID() + return read14a.read(true, true).uid +end +-- +local function dropfield() + read14a.disconnect() + core.clearCommandBuffer() +end +-- +--- +------------------------------- +-- Wait for tag (MFC) +------------------------------- +--- +-- +local function wait() + read14a.waitFor14443a() +end +-- 
+--- +------------------------------- +-- Return key code 00/01 to string +------------------------------- +--- +-- +local function KeyAB() + if default_key_type == '00' then + return 'KeyA' + else + return 'KeyB' + end +end +-- +--- +------------------------------- +-- Check response from Proxmark +------------------------------- +--- +-- +local function getblockdata(response) + if response.Status == 0 then + return true + else + return false + end +end +-- +--- +------------------------------- +-- Check 0xFFFFFFFFFFFF key for tag (MFC) +------------------------------- +--- +-- +local function checkkey() + local status = 0 + for i = 1, #eml do + cmd = Command:newNG{cmd = cmds.CMD_HF_MIFARE_READBL, data = ('%02x%02x%s'):format((i-1), default_key_type, default_key)} + if (getblockdata(cmd:sendNG(false)) == true) then + status = status + 1 + print(('%s %02s %s %s %s'):format(' ', (i-1), KeyAB(), default_key, 'OK')) + else + break + end + end + if status == #eml then + return true + end +end +-- +--- +------------------------------- +-- Check Pissword backdor +------------------------------- +--- +-- +local function checkmagic() + --Have no RAW ISO14443A command in appmain.c + cmd = Command:newNG{cmd = cmds.CMD_HF_ISO14443A_READER, data = piswords_uid_change .. 
GetUID()} -- sample check to pull the same UID to card and check response + if (getblockdata(cmd:sendNG(false)) == true) then + print('Magic') + else + print('Not magic') + end +end +-- +--- +------------------------------- +-- Main function +------------------------------- +--- +-- +local function main(args) + -- + --- + ------------------------------- + -- Arguments for script + ------------------------------- + --- + -- + for o, a in getopt.getopt(args, 'hd') do + if o == 'h' then return help() end + if o == 'd' then DEBUG = true end + end + -- + wait() + print(tab) + -- + --- + ------------------------------- + -- Detect 7/4 byte card + ------------------------------- + --- + -- + if string.len(GetUID()) == 14 then + eml_file_uid_start = 18 -- For windows with '---------- ' prefix + eml_file_uid_end = 31 + eml_file_lengt = 40 + else + eml_file_uid_start = 18 -- For windows with '---------- ' prefix + eml_file_uid_end = 25 + eml_file_lengt = 34 + end + dropfield() + -- + --- + ------------------------------- + -- List all EML files in /client + ------------------------------- + --- + -- + local dumpEML = 'find "." "*dump.eml"' -- Fixed for windows + local p = assert(io.popen(dumpEML)) + for _ in p:lines() do + -- The length of eml file + if string.len(_) == eml_file_lengt then + num_dumps = num_dumps + 1 + -- cut UID from eml file + files[num_dumps] = string.sub(_, eml_file_uid_start, eml_file_uid_end) -- cut numeretic UID + print(' '..num_dumps..' | '..files[num_dumps]) + end + end + -- + p.close() + -- + if num_dumps == 0 then return oops("Didn't find any dump files") end + -- + print(tab) + print(' Your card has UID '..GetUID()) + print('') + print(' Select which dump to write (1 until '..num_dumps..')') + print(tab) + io.write(' --> ') + -- + local uid_no = tonumber(io.read()) + print(tab) + print(' You have been selected card dump No ' .. uid_no .. ', with UID: ' .. files[uid_no] .. '. Your card UID: ' .. 
GetUID()) + -- + -- + --- + ------------------------------- + -- Load eml file + ------------------------------- + --- + -- + local dumpfile = assert(io.open('./hf-mf-' .. files[uid_no] .. '-dump.eml', 'r')) + for _ in dumpfile:lines() do table.insert(eml, _); end + dumpfile.close() + -- + --- + ------------------------------- + -- Extract B key from EML file + ------------------------------- + --- + -- + local b = 0 + for i = 1, #eml do + if (i % 4 == 0) then + repeat + b = b + 1 + -- Cut key from block + b_keys[b] = string.sub(eml[i], (#eml[i] - 11), #eml[i]) + until b % 4 == 0 + end + end + print(tab) + dbg(b_keys) + dbg(eml) + -- + --- + ------------------------------- + -- Change UID on certain version of magic Gen3 card. + ------------------------------- + --- + -- + if (utils.confirm(' Change UID ?') == true) then + wait() + core.console(piswords_uid_change .. tostring(eml[1])) + print(tab) + print(' The new card UID : ' .. GetUID()) + end + print(tab) + --checkmagic() + -- + --- + ------------------------------- + -- Lock UID + ------------------------------- + --- + -- + if (utils.confirm(' Permanent lock UID ? (card can never change uid again) ') == true) then + wait() + core.console(piswords_uid_lock) + end + -- + print(tab) + print(' Going to check the all ' .. KeyAB() .. ' by ' .. default_key) + print(tab) + -- + if checkkey() == true then + print(tab) + if (utils.confirm(' Card is Empty. Write selected dump to card ?') == true) then + for i = 1, #eml do + core.console(string.format(cmd_wrbl, (i-1), default_key, eml[i])) + end + end + else + print(tab) + if (utils.confirm(' Delete ALL data and write all keys to 0x' .. default_key .. 
' ?') == true) then + wait() + for i = 1, #eml do + if (i % 4 == 0) then + core.console(string.format(cmd_wrbl, (i-1), b_keys[i], default_key_blk)) + else + core.console(string.format(cmd_wrbl, (i-1), b_keys[i], empty)) + end + end + else + print(tab) + if (utils.confirm(' Write selected dump to card ?') == true) then + print(tab) + wait() + for i = 1, #eml do + core.console(string.format(cmd_wrbl, (i-1), b_keys[i], eml[i])) + end + end + end + end + dropfield() + print(tab) + print('You are welcome') +end +-- +--- +------------------------------- +-- Start Main function +------------------------------- +--- +-- +main(args) From ea6dbec7502d15d4975e1a8d0233104ba923beb0 Mon Sep 17 00:00:00 2001 From: Winds Date: Thu, 3 Sep 2020 22:55:35 +0200 Subject: [PATCH 8/9] Now it's working both with WIN and UNX --- client/luascripts/mfc_gen3_writer.lua | 105 ++++++++++++++++++-------- 1 file changed, 73 insertions(+), 32 deletions(-) diff --git a/client/luascripts/mfc_gen3_writer.lua b/client/luascripts/mfc_gen3_writer.lua index 5222c0d39f..22eae4387b 100644 --- a/client/luascripts/mfc_gen3_writer.lua +++ b/client/luascripts/mfc_gen3_writer.lua @@ -14,7 +14,6 @@ local read14a = require('read14a') --- Add support another types of dumps: BIN, JSON --- Maybe it will be not only as `mfc_gen3_writer`, like a universal dump manager. --- Add undependence from the operation system. At the moment code not working in Linux. ---- Add more chinesse backdoors RAW commands for UID changing (find RAW for the 4 byte familiar chinese card, from native it soft: http://bit.ly/39VIDsU) --- Hide system messages when you writing a dumps, replace it to some of like [#####----------] 40% -- iceman notes: 
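Review bot: The dump number read with `local uid_no = tonumber(io.read())` is used as an index without validation, so a non-numeric or out-of-range answer makes `files[uid_no]` nil and the following string concatenation raises instead of printing a message; add `if uid_no == nil or uid_no < 1 or uid_no > num_dumps then return oops('Invalid dump number') end` right after reading it. `p.close()` and `dumpfile.close()` use the dot call form, which passes no file handle to `close`; they should be `p:close()` and `dumpfile:close()`. `cmd`, `eml_file_uid_start`, `eml_file_uid_end` and `eml_file_lengt` are assigned without `local` and so become globals; declaring them local keeps the script's state contained, and `eml_file_lengt` looks like a typo for `eml_file_length`.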
@@ -30,13 +29,13 @@ local read14a = require('read14a') ------------------------------- --- -- -copyright = '' +copyright = 'RRG Team' author = 'Winds' version = 'v1.0.0' desc = [[ - The script gives you a easy way to write your *.eml dumps onto normal MFC and magic Gen3 cards. + This script gives you an easy way to write your *.eml dumps into normal MIFARE Classic and Magic Gen3 cards. - Works with both 4 and 7 bytes NXP MIFARE Classic 1K cards. + Works with both 4 and 7 bytes NXP MIFARE Classic 1K cards. The script also has the possibility to change UID and permanent lock uid on magic Gen3 cards. It supports the following functionality. @@ -48,12 +47,19 @@ desc = [[ 5. Erase all data at the card and set the FF FF FF FF FF FF keys, and Access Conditions to 78778800. Script works in a wizard styled way. + + Author Youtube channel: https://yev.ooo/ + + Many Thanks, + Best Regards ]] example = [[ 1. script run mfc_gen3_writer ]] usage = [[ + Give script to know if you uses an Windows OS Select your *.eml dump from list to write to the card. + Follow the wizard. ]] -- --- @@ -63,6 +69,7 @@ usage = [[ --- -- local DEBUG = false -- the debug flag +local dumpEML -- Find all *.EML files local files = {} -- Array for eml files local b_keys = {} -- Array for B keys local eml = {} -- Array for data in block 32 
@@ -71,10 +78,11 @@ local tab = string.rep('-', 64) local empty = string.rep('0', 32) -- Writing blocks local default_key = 'FFFFFFFFFFFF' -- Writing blocks local default_key_type = '01' --KeyA: 00, KeyB: 01 -local default_key_blk = 'FFFFFFFFFFFF78778800FFFFFFFFFFFF' -- Writing blocks +local default_key_blk = 'FFFFFFFFFFFF7C378800FFFFFFFFFFFF' -- Writing blocks local piswords_uid_lock = 'hf 14a raw -s -c -t 2000 90fd111100' local piswords_uid_change = 'hf 14a raw -s -c -t 2000 90f0cccc10' -local cmd_wrbl = 'hf mf wrbl %d B %s %s' -- Writing blocks +local cmd_wrbl_a = 'hf mf wrbl %d A %s %s' -- Writing blocks by A key +local cmd_wrbl_b = 'hf mf wrbl %d B %s %s' -- Writing blocks by B key -- --- ------------------------------- @@ -155,11 +163,11 @@ end --- -- local function KeyAB() - if default_key_type == '00' then + if default_key_type == '00' then return 'KeyA' - else + else return 'KeyB' - end + end end -- --- @@ -200,17 +208,15 @@ end -- --- ------------------------------- --- Check Pissword backdor +-- Check user input A or B for blank tag (MFC) ------------------------------- --- -- -local function checkmagic() - --Have no RAW ISO14443A command in appmain.c - cmd = Command:newNG{cmd = cmds.CMD_HF_ISO14443A_READER, data = piswords_uid_change .. GetUID()} -- sample check to pull the same UID to card and check response - if (getblockdata(cmd:sendNG(false)) == true) then - print('Magic') - else - print('Not magic') +local function check_user_key(user_key_type) + if user_key_type == 'A' then + return cmd_wrbl_a + elseif user_key_type == 'B' then + return cmd_wrbl_b end end -- 
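Review bot: `default_key_blk` now writes access conditions `7C378800`, but the description text in the `@@ -48,12 +47,19 @@` hunk above still tells the user "Access Conditions to 78778800", so the help and the behaviour disagree; update the description to match, or add a comment on `default_key_blk` explaining why the bytes changed. `check_user_key` returns nil for anything other than an upper-case 'A' or 'B', and main then calls `string.format(nil, ...)` which raises with an unhelpful message; normalising with `user_key_type = string.upper(user_key_type)` at the prompt and rejecting other values there would be clearer. The callers of these values are in main, outside this hunk.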
@@ -242,15 +248,30 @@ local function main(args) ------------------------------- --- -- - if string.len(GetUID()) == 14 then - eml_file_uid_start = 18 -- For windows with '---------- ' prefix - eml_file_uid_end = 31 - eml_file_lengt = 40 + if (utils.confirm(' Are you use a Windwos OS ?') == true) then + dumpEML = 'find "." "*dump.eml"' + if string.len(GetUID()) == 14 then + eml_file_uid_start = 18 + eml_file_uid_end = 31 + eml_file_lengt = 40 + else + eml_file_uid_start = 18 + eml_file_uid_end = 25 + eml_file_lengt = 34 + end else - eml_file_uid_start = 18 -- For windows with '---------- ' prefix - eml_file_uid_end = 25 - eml_file_lengt = 34 + dumpEML = "find '.' -iname '*dump.eml' -type f" + if string.len(GetUID()) == 14 then + eml_file_uid_start = 9 + eml_file_uid_end = 22 + eml_file_lengt = 31 + else + eml_file_uid_start = 9 + eml_file_uid_end = 16 + eml_file_lengt = 25 + end end + print(tab) dropfield() -- --- @@ -259,7 +280,6 @@ local function main(args) ------------------------------- --- -- - local dumpEML = 'find "." "*dump.eml"' -- Fixed for windows local p = assert(io.popen(dumpEML)) for _ in p:lines() do -- The length of eml file @@ -293,7 +313,7 @@ local function main(args) ------------------------------- --- -- - local dumpfile = assert(io.open('./hf-mf-' .. files[uid_no] .. '-dump.eml', 'r')) + local dumpfile = assert(io.open('hf-mf-' .. files[uid_no] .. '-dump.eml', 'r')) for _ in dumpfile:lines() do table.insert(eml, _); end dumpfile.close() -- @@ -330,7 +350,6 @@ local function main(args) print(' The new card UID : ' .. GetUID()) end print(tab) - --checkmagic() -- --- ------------------------------- 
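Review bot: The two new OS branches in the first hunk select the dump file by fixed character offsets into the output of `find`, so any dump whose path is not exactly the expected length (a subdirectory, a file with a different prefix, `find` output formatted differently by another shell) is silently skipped or mis-sliced, and the user has to answer an OS prompt for what is really a path-parsing problem. Matching the file name with a Lua pattern removes both the offsets and the per-OS lengths; the `find` command itself still differs per OS and can stay behind the prompt. Only the replaced computation and the listing loop are shown below; main starts and ends outside this hunk.
```lua
    -- the UID length on the card (8 hex chars for 4-byte, 14 for 7-byte UIDs) decides which dumps are candidates
    local uid_len = string.len(GetUID())
    if (utils.confirm(' Are you use a Windwos OS ?') == true) then
        dumpEML = 'find "." "*dump.eml"'
    else
        dumpEML = "find '.' -iname '*dump.eml' -type f"
    end
    print(tab)
    dropfield()
    -- … unchanged: section banner …
    local p = assert(io.popen(dumpEML))
    for line in p:lines() do
        -- locate 'hf-mf-<UID>-dump.eml' wherever it sits in the line, case-insensitively
        local s, e = string.find(string.lower(line), 'hf%-mf%-%x+%-dump%.eml')
        if s ~= nil then
            local uid = string.sub(line, s + 6, e - 9) -- strip 'hf-mf-' and '-dump.eml', keeping the original case
            if string.len(uid) == uid_len then
                num_dumps = num_dumps + 1
                files[num_dumps] = uid
                print(' '..num_dumps..' | '..files[num_dumps])
            end
        end
    end
    p:close()
```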
@@ -351,18 +370,28 @@ local function main(args)
 print(tab)
 if (utils.confirm(' Card is Empty. Write selected dump to card ?') == true) then
 for i = 1, #eml do
- core.console(string.format(cmd_wrbl, (i-1), default_key, eml[i]))
+ core.console(string.format(cmd_wrbl_b, (i-1), default_key, eml[i]))
 end
 end
 else
 print(tab)
- if (utils.confirm(' Delete ALL data and write all keys to 0x' .. default_key .. ' ?') == true) then
+ if (utils.confirm(' It this is a new blank card ? Do you wishing to change Access Conditions to using B key ' .. default_key .. ' as main ?') == true) then
+ print(tab)
+ print(' With one key type we will use, A or B ?')
+ print(tab)
+ io.write(' --> ')
+ local user_key_type = tostring(io.read())
+ print(tab)
+ print(' Enter 12 HEX chars of the key for access to card. By default ' .. default_key .. '.')
+ print(tab)
+ io.write(' --> ')
+ local user_key_input = tostring(io.read())
 wait()
 for i = 1, #eml do
 if (i % 4 == 0) then
- core.console(string.format(cmd_wrbl, (i-1), b_keys[i], default_key_blk))
+ core.console(string.format(check_user_key(user_key_type), (i-1), user_key_input, default_key_blk))
 else
- core.console(string.format(cmd_wrbl, (i-1), b_keys[i], empty))
+ core.console(string.format(check_user_key(user_key_type), (i-1), user_key_input, empty))
 end
 end
 else
@@ -371,7 +400,19 @@ local function main(args)
 print(tab)
 wait()
 for i = 1, #eml do
- core.console(string.format(cmd_wrbl, (i-1), b_keys[i], eml[i]))
+ core.console(string.format(cmd_wrbl_b, (i-1), b_keys[i], eml[i]))
+ end
+ else
+ print(tab)
+ if (utils.confirm(' Delete ALL data and write all keys to 0x' .. default_key .. ' ?') == true) then
+ wait()
+ for i = 1, #eml do
+ if (i % 4 == 0) then
+ core.console(string.format(cmd_wrbl_b, (i-1), b_keys[i], default_key_blk))
+ else
+ core.console(string.format(cmd_wrbl_b, (i-1), b_keys[i], empty))
+ end
+ end
 end
 end
 end
From 9814aa56e115a66e6a1a7b640f75569bf13ded62 Mon Sep 17 00:00:00 2001
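Review bot: `user_key_input` comes straight from `io.read()` and is spliced unchecked into the `hf mf wrbl` command line as the authentication key for every block, and although the prompt advertises a default, an empty answer is never mapped to it. Normalise and validate it before `wait()`: `if user_key_input == '' then user_key_input = default_key end` followed by `assert(user_key_input:match('^' .. string.rep('%x', 12) .. '$'), 'key must be 12 hex chars')`, so a bad key is caught before the first block rather than failing authentication block by block. The confirm string also reads awkwardly; something like `' Is this a new blank card? Change its access conditions to use key B ' .. default_key .. ' as the main key?'` is clearer. `main` starts and continues outside the hunk.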
From: Philippe Teuwen
Date: Sat, 5 Sep 2020 00:12:38 +0200
Subject: [PATCH 9/9] Switch to 134kHz for
---
 client/src/cmdlffdx.c | 33 +++++++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/client/src/cmdlffdx.c b/client/src/cmdlffdx.c
index 868a567c51..496dad6919
--- a/client/src/cmdlffdx.c
+++ b/client/src/cmdlffdx.c
@@ -292,7 +292,36 @@ static int CmdFdxDemod(const char *Cmd) {
 }
 
 static int CmdFdxRead(const char *Cmd) {
- lf_read(false, 10000);
+ sample_config config;
+ memset(&config, 0, sizeof(sample_config));
+ int retval = lf_getconfig(&config);
+ if (retval != PM3_SUCCESS) {
+ PrintAndLogEx(ERR, "failed to get current device LF config");
+ return retval;
+ }
+ int16_t tmp_div = config.divisor;
+ if (tmp_div != LF_DIVISOR_134) {
+ config.divisor = LF_DIVISOR_134;
+ config.verbose = false;
+ retval = lf_config(&config);
+ if (retval != PM3_SUCCESS) {
+ PrintAndLogEx(ERR, "failed to change LF configuration");
+ return retval;
+ }
+ }
+ retval = lf_read(false, 10000);
+ if (retval != PM3_SUCCESS) {
+ PrintAndLogEx(ERR, "failed to get LF read from device");
+ return retval;
+ }
+ if (tmp_div != LF_DIVISOR_134) {
+ config.divisor = tmp_div;
+ retval = lf_config(&config);
+ if (retval != PM3_SUCCESS) {
+ PrintAndLogEx(ERR, "failed to restore LF configuration");
+ return retval;
+ }
+ }
 return CmdFdxDemod(Cmd);
 }
 
@@ -393,7 +422,7 @@ static int CmdFdxSim(const char *Cmd) {
 static command_t CommandTable[] = {
 {"help", CmdHelp, AlwaysAvailable, "this help"},
 {"demod", CmdFdxDemod, AlwaysAvailable, "demodulate a FDX-B ISO11784/85 tag from the GraphBuffer"},
- {"read", CmdFdxRead, IfPm3Lf, "attempt to read and extract tag data"},
+ {"read", CmdFdxRead, IfPm3Lf, "attempt to read at 134kHz and extract tag data"},
 {"clone", CmdFdxClone, IfPm3Lf, "clone animal ID tag to T55x7 or Q5/T5555"},
 {"sim", CmdFdxSim, IfPm3Lf, "simulate Animal ID tag"},
 {NULL, NULL, NULL, NULL}
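Review bot: When `lf_read` fails, `CmdFdxRead` returns before the divisor is put back, so a timed-out read leaves the device configured with `LF_DIVISOR_134` for every later LF command until the user resets it; the two earlier returns happen before anything was changed and are fine. Restore `tmp_div` on every exit after the switch and only then propagate the read error, as below. A small nit on the same hunk: `sizeof(sample_config)` could be `sizeof config` so the memset tracks the variable's type. The second hunk only changes the help text.
```c
    // … unchanged: fetch config, switch to LF_DIVISOR_134 …
    retval = lf_read(false, 10000);
    if (retval != PM3_SUCCESS) {
        PrintAndLogEx(ERR, "failed to get LF read from device");
    }
    // put the user's divisor back whether or not the read succeeded
    if (tmp_div != LF_DIVISOR_134) {
        config.divisor = tmp_div;
        int rc = lf_config(&config);
        if (rc != PM3_SUCCESS) {
            PrintAndLogEx(ERR, "failed to restore LF configuration");
            return rc;
        }
    }
    if (retval != PM3_SUCCESS) {
        return retval;
    }
    return CmdFdxDemod(Cmd);
```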
