45 #endif // HAVE_CONFIG_H
64 static mifare_param mp;
65 static mifare_classic_tag mtKeys;
66 static mifare_classic_tag mtDump;
68 static bool bUseKeyFile;
69 static bool bForceKeyFile;
70 static bool bTolerateFailures;
71 static bool bFormatCard;
72 static bool magic2 =
false;
73 static uint8_t uiBlocks;
74 static uint8_t keys[] = {
75 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
76 0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7,
77 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
78 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
79 0x4d, 0x3a, 0x99, 0xc3, 0x51, 0xdd,
80 0x1a, 0x98, 0x2c, 0x7e, 0x45, 0x9a,
81 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
82 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
83 0xab, 0xcd, 0xef, 0x12, 0x34, 0x56
85 static uint8_t default_key[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
86 static uint8_t default_acl[] = {0xff, 0x07, 0x80, 0x69};
93 static size_t num_keys =
sizeof(keys) / 6;
95 #define MAX_FRAME_LEN 264
97 static uint8_t abtRx[MAX_FRAME_LEN];
100 uint8_t abtHalt[4] = { 0x50, 0x00, 0x00, 0x00 };
103 uint8_t abtUnlock1[1] = { 0x40 };
104 uint8_t abtUnlock2[1] = { 0x43 };
107 transmit_bits(
const uint8_t *pbtTx,
const size_t szTxBits)
110 printf(
"Sent bits: ");
111 print_hex_bits(pbtTx, szTxBits);
117 printf(
"Received bits: ");
118 print_hex_bits(abtRx, szRxBits);
125 transmit_bytes(
const uint8_t *pbtTx,
const size_t szTx)
128 printf(
"Sent bits: ");
129 print_hex(pbtTx, szTx);
136 printf(
"Received bits: ");
137 print_hex(abtRx, res);
143 print_success_or_failure(
bool bFailure, uint32_t *uiBlockCounter)
145 printf(
"%c", (bFailure) ?
'x' :
'.');
146 if (uiBlockCounter && !bFailure)
147 *uiBlockCounter += 1;
151 is_first_block(uint32_t uiBlock)
155 return ((uiBlock) % 4 == 0);
157 return ((uiBlock) % 16 == 0);
161 is_trailer_block(uint32_t uiBlock)
165 return ((uiBlock + 1) % 4 == 0);
167 return ((uiBlock + 1) % 16 == 0);
171 get_trailer_block(uint32_t uiFirstBlock)
174 uint32_t trailer_block = 0;
175 if (uiFirstBlock < 128) {
176 trailer_block = uiFirstBlock + (3 - (uiFirstBlock % 4));
178 trailer_block = uiFirstBlock + (15 - (uiFirstBlock % 16));
180 return trailer_block;
184 authenticate(uint32_t uiBlock)
187 uint32_t uiTrailerBlock;
190 memcpy(mp.mpa.abtAuthUid, nt.nti.nai.abtUid + nt.nti.nai.szUidLen - 4, 4);
193 mc = (bUseKeyA) ? MC_AUTH_A : MC_AUTH_B;
199 uiTrailerBlock = get_trailer_block(uiBlock);
203 memcpy(mp.mpa.abtKey, mtKeys.amb[uiTrailerBlock].mbt.abtKeyA, 6);
205 memcpy(mp.mpa.abtKey, mtKeys.amb[uiTrailerBlock].mbt.abtKeyB, 6);
213 if (bFormatCard || !bUseKeyFile) {
214 for (
size_t key_index = 0; key_index < num_keys; key_index++) {
215 memcpy(mp.mpa.abtKey, keys + (key_index * 6), 6);
218 memcpy(mtKeys.amb[uiBlock].mbt.abtKeyA, &mp.mpa.abtKey, 6);
220 memcpy(mtKeys.amb[uiBlock].mbt.abtKeyB, &mp.mpa.abtKey, 6);
224 ERR(
"tag was removed");
237 printf(
"Don't use R/W with this card, this is not required!\n");
252 iso14443a_crc_append(abtHalt, 2);
253 transmit_bytes(abtHalt, 4);
255 if (!transmit_bits(abtUnlock1, 7)) {
256 printf(
"unlock failure!\n");
259 if (!transmit_bytes(abtUnlock2, 1)) {
260 printf(
"unlock failure!\n");
267 nfc_perror(pnd,
"nfc_device_set_property_bool");
272 nfc_perror(pnd,
"nfc_device_set_property_bool");
282 uint8_t abtRats[2] = { 0xe0, 0x50};
302 printf(
"Error: tag disappeared\n");
311 read_card(
int read_unlocked)
314 bool bFailure =
false;
315 uint32_t uiReadBlocks = 0;
321 printf(
"Reading out %d blocks |", uiBlocks + 1);
323 for (iBlock = uiBlocks; iBlock >= 0; iBlock--) {
325 if (is_trailer_block(iBlock)) {
329 printf(
"!\nError: tag was removed\n");
338 if (!read_unlocked && !authenticate(iBlock)) {
339 printf(
"!\nError: authentication failed for block 0x%02x\n", iBlock);
345 memcpy(mtDump.amb[iBlock].mbd.abtData, mp.mpd.abtData, 16);
348 memcpy(mtDump.amb[iBlock].mbt.abtKeyA, mtKeys.amb[iBlock].mbt.abtKeyA, 6);
349 memcpy(mtDump.amb[iBlock].mbt.abtAccessBits, mp.mpd.abtData + 6, 4);
350 memcpy(mtDump.amb[iBlock].mbt.abtKeyB, mtKeys.amb[iBlock].mbt.abtKeyB, 6);
353 printf(
"!\nfailed to read trailer block 0x%02x\n", iBlock);
361 memcpy(mtDump.amb[iBlock].mbd.abtData, mp.mpd.abtData, 16);
363 printf(
"!\nError: unable to read block 0x%02x\n", iBlock);
369 print_success_or_failure(bFailure, &uiReadBlocks);
370 if ((! bTolerateFailures) && bFailure)
374 printf(
"Done, %d of %d blocks read.\n", uiReadBlocks, uiBlocks + 1);
381 write_card(
int write_block_zero)
384 bool bFailure =
false;
385 uint32_t uiWriteBlocks = 0;
387 if (write_block_zero)
391 printf(
"Writing %d blocks |", uiBlocks + 1);
393 for (uiBlock = 0; uiBlock <= uiBlocks; uiBlock++) {
395 if (is_first_block(uiBlock)) {
399 printf(
"!\nError: tag was removed\n");
408 if (!write_block_zero && !authenticate(uiBlock)) {
409 printf(
"!\nError: authentication failed for block %02x\n", uiBlock);
414 if (is_trailer_block(uiBlock)) {
417 memcpy(mp.mpd.abtData, default_key, 6);
418 memcpy(mp.mpd.abtData + 6, default_acl, 4);
419 memcpy(mp.mpd.abtData + 10, default_key, 6);
422 memcpy(mp.mpd.abtData, mtDump.amb[uiBlock].mbt.abtKeyA, 6);
423 memcpy(mp.mpd.abtData + 6, mtDump.amb[uiBlock].mbt.abtAccessBits, 4);
424 memcpy(mp.mpd.abtData + 10, mtDump.amb[uiBlock].mbt.abtKeyB, 6);
429 printf(
"failed to write trailer block %d \n", uiBlock);
434 if (uiBlock == 0 && ! write_block_zero && ! magic2)
441 if (bFormatCard && uiBlock)
442 memset(mp.mpd.abtData, 0x00, 16);
444 memcpy(mp.mpd.abtData, mtDump.amb[uiBlock].mbd.abtData, 16);
447 if ((mp.mpd.abtData[0] ^ mp.mpd.abtData[1] ^ mp.mpd.abtData[2] ^ mp.mpd.abtData[3] ^ mp.mpd.abtData[4]) != 0x00 && !magic2) {
448 printf(
"!\nError: incorrect BCC in MFD file!\n");
449 printf(
"Expecting BCC=%02X\n", mp.mpd.abtData[0] ^ mp.mpd.abtData[1] ^ mp.mpd.abtData[2] ^ mp.mpd.abtData[3]);
458 print_success_or_failure(bFailure, &uiWriteBlocks);
459 if ((! bTolerateFailures) && bFailure)
463 printf(
"Done, %d of %d blocks written.\n", uiWriteBlocks, uiBlocks + 1);
476 print_usage(
const char *pcProgramName)
479 printf(
"%s f|r|R|w|W a|b <dump.mfd> [<keys.mfd> [f]]\n", pcProgramName);
480 printf(
" f|r|R|w|W - Perform format (f) or read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card\n");
481 printf(
" *** format will reset all keys to FFFFFFFFFFFF and all data to 00 and all ACLs to default\n");
482 printf(
" *** unlocked read does not require authentication and will reveal A and B keys\n");
483 printf(
" *** note that unlocked write will attempt to overwrite block 0 including UID\n");
484 printf(
" *** unlocking only works with special Mifare 1K cards (Chinese clones)\n");
485 printf(
" a|A|b|B - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)\n");
486 printf(
" <dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)\n");
487 printf(
" <keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)\n");
488 printf(
" f - Force using the keyfile even if UID does not match (optional)\n");
489 printf(
"Examples: \n\n");
490 printf(
" Read card to file, using key A:\n\n");
491 printf(
" %s r a mycard.mfd\n\n", pcProgramName);
492 printf(
" Write file to blank card, using key A:\n\n");
493 printf(
" %s w a mycard.mfd\n\n", pcProgramName);
494 printf(
" Write new data and/or keys to previously written card, using key A:\n\n");
495 printf(
" %s w a newdata.mfd mycard.mfd\n\n", pcProgramName);
496 printf(
" Format/wipe card (note two passes required to ensure writes for all ACL cases):\n\n");
497 printf(
" %s f A dummy.mfd keyfile.mfd f\n", pcProgramName);
498 printf(
" %s f B dummy.mfd keyfile.mfd f\n\n", pcProgramName);
502 main(
int argc,
const char *argv[])
504 action_t atAction = ACTION_USAGE;
509 print_usage(argv[0]);
512 const char *command = argv[1];
514 if (strcmp(command,
"r") == 0 || strcmp(command,
"R") == 0) {
516 print_usage(argv[0]);
519 atAction = ACTION_READ;
520 if (strcmp(command,
"R") == 0)
522 bUseKeyA = tolower((
int)((
unsigned char) * (argv[2]))) ==
'a';
523 bTolerateFailures = tolower((
int)((
unsigned char) * (argv[2]))) != (int)((
unsigned char) * (argv[2]));
524 bUseKeyFile = (argc > 4);
525 bForceKeyFile = ((argc > 5) && (strcmp((
char *)argv[5],
"f") == 0));
526 }
else if (strcmp(command,
"w") == 0 || strcmp(command,
"W") == 0 || strcmp(command,
"f") == 0) {
528 print_usage(argv[0]);
531 atAction = ACTION_WRITE;
532 if (strcmp(command,
"W") == 0)
534 bFormatCard = (strcmp(command,
"f") == 0);
535 bUseKeyA = tolower((
int)((
unsigned char) * (argv[2]))) ==
'a';
536 bTolerateFailures = tolower((
int)((
unsigned char) * (argv[2]))) != (int)((
unsigned char) * (argv[2]));
537 bUseKeyFile = (argc > 4);
538 bForceKeyFile = ((argc > 5) && (strcmp((
char *)argv[5],
"f") == 0));
541 if (atAction == ACTION_USAGE) {
542 print_usage(argv[0]);
547 FILE *pfKeys = fopen(argv[4],
"rb");
548 if (pfKeys == NULL) {
549 printf(
"Could not open keys file: %s\n", argv[4]);
552 if (fread(&mtKeys, 1, 4, pfKeys) != 4) {
553 printf(
"Could not read UID from key file: %s\n", argv[4]);
560 if (context == NULL) {
561 ERR(
"Unable to init libnfc (malloc)");
568 ERR(
"Error opening NFC reader");
582 nfc_perror(pnd,
"nfc_device_set_property_bool");
589 nfc_perror(pnd,
"nfc_device_set_property_bool");
599 printf(
"Error: no tag was found\n");
605 if ((nt.nti.nai.btSak & 0x08) == 0) {
606 printf(
"Warning: tag is probably not a MFC!\n");
610 pbtUID = nt.nti.nai.abtUid;
614 memcpy(fileUid, mtKeys.amb[0].mbm.abtUID, 4);
616 if (memcmp(pbtUID, fileUid, 4) != 0) {
617 printf(
"Expected MIFARE Classic card with UID starting as: %02x%02x%02x%02x\n",
618 fileUid[0], fileUid[1], fileUid[2], fileUid[3]);
619 printf(
"Got card with UID starting as: %02x%02x%02x%02x\n",
620 pbtUID[0], pbtUID[1], pbtUID[2], pbtUID[3]);
621 if (! bForceKeyFile) {
622 printf(
"Aborting!\n");
629 printf(
"Found MIFARE Classic card:\n");
630 print_nfc_target(&nt,
false);
633 if ((nt.nti.nai.abtAtqa[1] & 0x02) == 0x02)
636 else if ((nt.nti.nai.btSak & 0x01) == 0x01)
644 if ((res = get_rats()) > 0) {
645 if ((res >= 10) && (abtRx[5] == 0xc1) && (abtRx[6] == 0x05)
646 && (abtRx[7] == 0x2f) && (abtRx[8] == 0x2f)
647 && ((nt.nti.nai.abtAtqa[1] & 0x02) == 0x00)) {
652 if ((res == 9) && (abtRx[5] == 0xda) && (abtRx[6] == 0xbc)
653 && (abtRx[7] == 0x19) && (abtRx[8] == 0x10)) {
657 printf(
"Guessing size: seems to be a %i-byte card\n", (uiBlocks + 1) * 16);
660 FILE *pfKeys = fopen(argv[4],
"rb");
661 if (pfKeys == NULL) {
662 printf(
"Could not open keys file: %s\n", argv[4]);
665 if (fread(&mtKeys, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfKeys) != (uiBlocks + 1) *
sizeof(mifare_classic_block)) {
666 printf(
"Could not read keys file: %s\n", argv[4]);
673 if (atAction == ACTION_READ) {
674 memset(&mtDump, 0x00,
sizeof(mtDump));
676 FILE *pfDump = fopen(argv[3],
"rb");
678 if (pfDump == NULL) {
679 printf(
"Could not open dump file: %s\n", argv[3]);
684 if (fread(&mtDump, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfDump) != (uiBlocks + 1) *
sizeof(mifare_classic_block)) {
685 printf(
"Could not read dump file: %s\n", argv[3]);
693 if (atAction == ACTION_READ) {
694 if (read_card(unlock)) {
695 printf(
"Writing data to file: %s ...", argv[3]);
697 FILE *pfDump = fopen(argv[3],
"wb");
698 if (pfDump == NULL) {
699 printf(
"Could not open dump file: %s\n", argv[3]);
704 if (fwrite(&mtDump, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfDump) != ((uiBlocks + 1) *
sizeof(mifare_classic_block))) {
705 printf(
"\nCould not write to file: %s\n", argv[3]);
714 }
else if (atAction == ACTION_WRITE) {