Terminal for working with Mifare Classic 1-4k Tags, originally by 4ZM

Anders Sundman 374ee954da Version bump to 1.0.3 11 years ago
debian 2c89822e5a Debian packaging. 11 years ago
.gitignore 2c89822e5a Debian packaging. 11 years ago
AUTHORS 44bd4d2b2d Added Magnus to list of authors 11 years ago
COPYING 99083097eb Initial src import 12 years ago
INSTALL 9243990288 Updated documentation 11 years ago
Makefile.am 5d7a4b3306 Created man page 11 years ago
README e6c04022b9 Updated docs 11 years ago
autogen.sh e2e4a3aaa7 Switched to autotools build system 11 years ago
configure.ac 374ee954da Version bump to 1.0.3 11 years ago
dictionary.c 9e85d344ae Refactorization: Extracted parser from dictionary 12 years ago
dictionary.h 9e85d344ae Refactorization: Extracted parser from dictionary 12 years ago
dictionary.txt 203e4e430d Added sample key dictionary 12 years ago
dictionary_parser.l e5dde93859 Added dp_ prefix for the dictionary parser 12 years ago
mac.c 8069517b28 Fixed all compilation warnings 11 years ago
mac.h 8069517b28 Fixed all compilation warnings 11 years ago
mfc-spec.txt 6736c0e485 Doc update for the specification language 12 years ago
mfterm.c 247109b6d7 Added cmd options for loading a tag and dictionary 11 years ago
mfterm.h c5d5c3f4ab Documentation fixup 12 years ago
mfterm.man 5d7a4b3306 Created man page 11 years ago
mifare.c 701015e185 Suppress auth errors 11 years ago
mifare.h 6204899993 Changes to make compilation work under libnfc 1.7.0 11 years ago
mifare_ctrl.c 29fbb80fda Partial key restore on dict attack 11 years ago
mifare_ctrl.h 2f49bc445b Support for unlocked write (block 0) 11 years ago
spec_parser.y b1f671ff1d Handle erronous field decls more gracefully 12 years ago
spec_syntax.c 8069517b28 Fixed all compilation warnings 11 years ago
spec_syntax.h ce49de93c1 Added some functions for parsing a specification path 12 years ago
spec_tokenizer.l e2e4a3aaa7 Switched to autotools build system 11 years ago
tag.c 9ea72ea447 Fixed bug in trailer block computation 11 years ago
tag.h a79408d350 Print command for access bits 11 years ago
term_cmd.c ea4f09e8b9 Implemented unlocked read 11 years ago
term_cmd.h ea4f09e8b9 Implemented unlocked read 11 years ago
util.c 02b65a1eab Added strdup function to util 12 years ago
util.h 02b65a1eab Added strdup function to util 12 years ago

README

mfterm is a terminal interface for working with Mifare Classic tags.

Tab completion on commands is available. Also, commands that have file
name arguments provide tab completion on files. There is also a
command history, like in most normal shells.

Working with the mfterm program there are a few state variables that
are used.

Current Tag
-----------
The "current tag" is populated with the 'load' or 'read' commands. The
'read' command will read data from a physical tag and requires the
"current keys" to be set to the keys of the tag. Clear the "current
tag" by using the 'clear' command.

Display the "current tag" by using the 'print' command. The keys of
the "current tag" are displayed with the 'print keys' command. Note:
the tag keys could be different from the "current keys" displayed by
the 'keys print' command.

The data of the "current tag" can be manipulated with the 'set'
command.

The "current tag" can be persisted by writing it to a file with the
'save' command. It can also be written to a physical tag with the
'write' command. For the 'write' command to succeed, the "current
keys" have to be set to appropriate values. The 'write unlocked'
command can be used to write to block 0 on some 1k pirate cards.

If you are reading or loading a 1k tag, the mfterm program will still
use a full 4k tag to represent it. The last 3k will be all
zeroes. This is in analogy with the other libnfc tools.

Current Keys
------------
The "current keys" are used to authenticate when performing operations
on a physical tag. They can be displayed using the 'keys'
command. Clear the "current keys" by using the 'keys clear' command.

The keys are stored just like a tag in a file using the 'keys save',
but with all the data fields except the sector trailers cleared. The
keys can be loaded from a file, either a real tag dump or a key tag
dump, with the 'keys load' command.

The "current keys" can be set to match the "current tag" by using the
'keys import' command. It is also possible to manually set a key using
the 'keys set' command.

Use the 'keys test' command to test if the "current keys" can be used
to authenticate with a physical tag.

Dictionary
----------
A key dictionary can be imported from a file using the 'dict load'
command. This dictionary can then be used to perform a dictionary
attack on the sectors of a tag by using the 'dict attack' command.

The format of the dictionary file is simple. One key (6 bytes, 12 hex
characters) per line and # is a comment.

Performing 'dict load' on several files will produce a dictionary that
is the union of those files. Duplicates will be removed.

To list all the keys in the dictionary, use the command 'dict'. To
clear the dictionary use 'dict clear'.

Other commands
--------------
Quit the mfterm program by issuing the 'quit' command.

Help is available by writing 'help'


MAC Computation
---------------

The function 'mac compute' is used for computing DES MACs (message
authentication codes). They require a 64 bit key that can be set using
the command 'mac key'. The same command, without arguments, is used to
display the current key.

The input to the DES MAC is UID + 14 left most bytes of the specified
block.

Using the command 'mac update' is shorthand for a MAC computation and
then setting the MAC of the same block.

Specification Files
-------------------
A specification file defines names for parts of the tag data. See the
file mfc-spec.txt for a sample specification.

Specification files are loaded with the command 'spec load'. They can
be cleared with 'spec clear'. To display the data structure loaded use
the command 'spec'.

Once a specification has been loaded, it can be used to access the
data in the tag by using a specification path. In the sample
specification, the path: '.sector_0.block_0.atqa', when entered in the
terminal, will display the two bytes of data starting with byte 6.


Building mfterm
---------------

Standard: ./configure; make; make install

See INSTALL file for details.


WARNING:
--------
The mfterm software is neither thoroughly tested nor widely used. It
likely contains a number of serious bugs that can be exploited to
compromise your computer. Do NOT run the mfterm software as a
privileged user (e.g. root), and ONLY load tag, dictionary and
specification files that you get from people you trust.