Home Explore Help
Register Sign In
mmn
/
mfterm
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
mfterm
/
README

README 4.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 
  1. mfterm is a terminal interface for working with Mifare Classic tags.
    2. 

  2. 

  3. Tab completion on commands is available. Also, commands that have file
    4. 

  4. name arguments provide tab completion on files. There is also a
    5. 

  5. command history, like in most normal shells.
    6. 

  6. 

  7. Working with the mfterm program there are a few state variables that
    8. 

  8. are used.
    9. 

  9. 

  10. Current Tag
    11. 

  11. -----------
    12. 

  12. The "current tag" is populated with the 'load' or 'read' commands. The
    13. 

  13. 'read' command will read data from a physical tag and requires the
    14. 

  14. "current keys" to be set to the keys of the tag. Clear the "current
    15. 

  15. tag" by using the 'clear' command.
    16. 

  16. 

  17. Display the "current tag" by using the 'print' command. The keys of
    18. 

  18. the "current tag" are displayed with the 'print keys' command. Note:
    19. 

  19. the tag keys could be different from the "current keys" displayed by
    20. 

  20. the 'keys print' command.
    21. 

  21. 

  22. The data of the "current tag" can be manipulated with the 'set'
    23. 

  23. command.
    24. 

  24. 

  25. The "current tag" can be persisted by writing it to a file with the
    26. 

  26. 'save' command. It can also be written to a physical tag with the
    27. 

  27. 'write' command. For the 'write' command to succeed, the "current
    28. 

  28. keys" have to be set to appropriate values. The 'write unlocked'
    29. 

  29. command can be used to write to block 0 on some 1k pirate cards.
    30. 

  30. 

  31. If you are reading or loading a 1k tag, the mfterm program will still
    32. 

  32. use a full 4k tag to represent it. The last 3k will be all
    33. 

  33. zeroes. This is in analogy with the other libnfc tools.
    34. 

  34. 

  35. Current Keys
    36. 

  36. ------------
    37. 

  37. The "current keys" are used to authenticate when performing operations
    38. 

  38. on a physical tag. They can be displayed using the 'keys'
    39. 

  39. command. Clear the "current keys" by using the 'keys clear' command.
    40. 

  40. 

  41. The keys are stored just like a tag in a file using the 'keys save',
    42. 

  42. but with all the data fields except the sector trailers cleared. The
    43. 

  43. keys can be loaded from a file, either a real tag dump or a key tag
    44. 

  44. dump, with the 'keys load' command.
    45. 

  45. 

  46. The "current keys" can be set to match the "current tag" by using the
    47. 

  47. 'keys import' command. It is also possible to manually set a key using
    48. 

  48. the 'keys set' command.
    49. 

  49. 

  50. Use the 'keys test' command to test if the "current keys" can be used
    51. 

  51. to authenticate with a physical tag.
    52. 

  52. 

  53. Dictionary
    54. 

  54. ----------
    55. 

  55. A key dictionary can be imported from a file using the 'dict load'
    56. 

  56. command. This dictionary can then be used to perform a dictionary
    57. 

  57. attack on the sectors of a tag by using the 'dict attack' command.
    58. 

  58. 

  59. The format of the dictionary file is simple. One key (6 bytes, 12 hex
    60. 

  60. characters) per line and # is a comment. 
    61. 

  61. 

  62. Performing 'dict load' on several files will produce a dictionary that
    63. 

  63. is the union of those files. Duplicates will be removed.
    64. 

  64. 

  65. To list all the keys in the dictionary, use the command 'dict'. To
    66. 

  66. clear the dictionary use 'dict clear'.
    67. 

  67. 

  68. Other commands
    69. 

  69. --------------
    70. 

  70. Quit the mfterm program by issuing the 'quit' command.
    71. 

  71. 

  72. Help is available by writing 'help'
    73. 

  73. 

  74. 

  75. MAC Computation
    76. 

  76. ---------------
    77. 

  77. 

  78. The function 'mac compute' is used for computing DES MACs (message
    79. 

  79. authentication codes). They require a 64 bit key that can be set using
    80. 

  80. the command 'mac key'. The same command, without arguments, is used to
    81. 

  81. display the current key.
    82. 

  82. 

  83. The input to the DES MAC is UID + 14 left most bytes of the specified
    84. 

  84. block.
    85. 

  85. 

  86. Using the command 'mac update' is shorthand for a MAC computation and
    87. 

  87. then setting the MAC of the same block.
    88. 

  88. 

  89. Specification Files
    90. 

  90. -------------------
    91. 

  91. A specification file defines names for parts of the tag data. See the
    92. 

  92. file mfc-spec.txt for a sample specification.
    93. 

  93. 

  94. Specification files are loaded with the command 'spec load'. They can
    95. 

  95. be cleared with 'spec clear'. To display the data structure loaded use
    96. 

  96. the command 'spec'.
    97. 

  97. 

  98. Once a specification has been loaded, it can be used to access the
    99. 

  99. data in the tag by using a specification path. In the sample
    100. 

  100. specification, the path: '.sector_0.block_0.atqa', when entered in the
    101. 

  101. terminal, will display the two bytes of data starting with byte 6.
    102. 

  102. 

  103. 

  104. Building mfterm
    105. 

  105. ---------------
    106. 

  106. 

  107. Standard: ./configure; make; make install
    108. 

  108. 

  109. See INSTALL file for details.
    110. 

  110. 

  111. 

  112. WARNING:
    113. 

  113. --------
    114. 

  114. The mfterm software is neither thoroughly tested nor widely used. It
    115. 

  115. likely contains a number of serious bugs that can be exploited to
    116. 

  116. compromise your computer. Do NOT run the mfterm software as a
    117. 

  117. privileged user (e.g. root), and ONLY load tag, dictionary and
    118. 

  118. specification files that you get from people you trust.
    119. 

  119.