123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655 |
- /**
- * Copyright (C) 2011 Anders Sundman <anders@4zm.org>
- *
- * This file is part of mfterm.
- *
- * mfterm is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * mfterm is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- * You should have received a copy of the GNU General Public License
- * along with mfterm. If not, see <http://www.gnu.org/licenses/>.
- *
- * Parts of code used in this file are based on the Public platform
- * independent Near Field Communication (NFC) library example
- * nfc-mfclassic.c. It is thus covered by that license as well:
- *
- * Copyright (C) 2009, Roel Verdult
- * Copyright (C) 2010, Romuald Conty, Romain Tartière
- * Copyright (C) 2011, Adam Laurie
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 1) Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- * 2 )Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
- #include <stdio.h>
- #include <string.h>
- #include <nfc/nfc.h>
- #include "mifare.h"
- #include "tag.h"
- #include "mifare_ctrl.h"
- // State of the device/tag - should be NULL between high level calls.
- static nfc_device* device = NULL;
- static nfc_target target;
- static mf_size_t size;
- static nfc_context* context;
- static const nfc_modulation mf_nfc_modulation = {
- .nmt = NMT_ISO14443A,
- .nbr = NBR_106,
- };
- // Buffers used for raw bit/byte writes
- #define MAX_FRAME_LEN 264
- static uint8_t abtRx[MAX_FRAME_LEN];
- static int szRxBits;
- int mf_connect();
- int mf_disconnect(int ret_state);
- bool mf_configure_device();
- bool mf_select_target();
- bool mf_authenticate(size_t block,
- const uint8_t* key,
- mf_key_type_t key_type);
- bool mf_unlock();
- bool mf_read_tag_internal(mf_tag_t* tag,
- const mf_tag_t* keys,
- mf_key_type_t key_type);
- bool mf_write_tag_internal(const mf_tag_t* tag,
- const mf_tag_t* keys,
- mf_key_type_t key_type);
- bool mf_dictionary_attack_internal(mf_tag_t* tag);
- bool mf_test_auth_internal(const mf_tag_t* keys,
- mf_size_t size,
- mf_key_type_t key_type);
- bool transmit_bits(const uint8_t *pbtTx, const size_t szTxBits);
- bool transmit_bytes(const uint8_t *pbtTx, const size_t szTx);
- int mf_disconnect(int ret_state) {
- nfc_close(device);
- nfc_exit(context);
- device = NULL;
- memset(&target, 0, sizeof(target));
- return ret_state;
- }
- int mf_connect() {
- // Initialize libnfc and set the nfc_context
- nfc_init(&context);
- // Connect to (any) NFC reader
- device = nfc_open(context, NULL);
- if (device == NULL) {
- printf ("Could not connect to any NFC device\n");
- return -1; // Don't jump here, since we don't need to disconnect
- }
- // Initialize the device as a reader
- if (!mf_configure_device()) {
- printf("Error initializing NFC device\n");
- return mf_disconnect(-1);
- }
- // Try to find a tag
- if (!mf_select_target() || target.nti.nai.btSak == 0) {
- printf("Connected to device, but no tag found.\n");
- return mf_disconnect(-1);
- }
- // Allow SAK & ATQA == 0. Assume 1k pirate card.
- if (target.nti.nai.btSak == 0 && target.nti.nai.abtAtqa[1] == 0) {
- size = MF_1K;
- return 0;
- }
- // Test if we are dealing with a Mifare Classic compatible tag
- if ((target.nti.nai.btSak & 0x08) == 0) {
- printf("Incompatible tag type: 0x%02x (i.e. not Mifare Classic).\n",
- target.nti.nai.btSak);
- return mf_disconnect(-1);
- }
- // Guessing tag size
- if ((target.nti.nai.abtAtqa[1] & 0x02)) { // 4K
- size = MF_4K;
- }
- else if ((target.nti.nai.abtAtqa[1] & 0x04)) { // 1K
- size = MF_1K;
- }
- else {
- printf("Unsupported tag size. ATQA 0x%02x 0x%02x (i.e. not [1|4]K.)\n",
- target.nti.nai.abtAtqa[0], target.nti.nai.abtAtqa[1]);
- return mf_disconnect(-1);
- }
- return 0; // Indicate success - we are now connected
- }
- int mf_read_tag(mf_tag_t* tag, mf_key_type_t key_type) {
- if (mf_connect())
- return -1; // No need to disconnect here
- if (key_type == MF_KEY_UNLOCKED) {
- if (!mf_unlock()) {
- printf("Unlocked read requested, but unlock failed!\n");
- return false;
- }
- }
- if (!mf_read_tag_internal(tag, ¤t_auth, key_type)) {
- printf("Read failed!\n");
- return mf_disconnect(-1);
- }
- // Print the type of card
- if (target.nti.nai.btSak == 0x08 &&
- target.nti.nai.abtAtqa[0] == 0x00 && target.nti.nai.abtAtqa[1] == 0x04) {
- printf("Read MIFARE Classic 1k (SAK: 08, ATQA: 00 04)\n");
- }
- else if (target.nti.nai.btSak == 0x18 &&
- target.nti.nai.abtAtqa[0] == 0x00 && target.nti.nai.abtAtqa[1] == 0x02) {
- printf("Read MIFARE Classic 4k (SAK: 18, ATQA: 00 02)\n");
- }
- else {
- printf("Read unknown tag.\n");
- }
- return mf_disconnect(0);
- }
- int mf_write_tag(const mf_tag_t* tag, mf_key_type_t key_type) {
- if (mf_connect())
- return -1; // No need to disconnect here
- if (key_type == MF_KEY_UNLOCKED) {
- if (!mf_unlock()) {
- printf("Unlocked write requested, but unlock failed!\n");
- return false;
- }
- }
- if (!mf_write_tag_internal(tag, ¤t_auth, key_type)) {
- printf("Write failed!\n");
- return mf_disconnect(-1);
- }
- return mf_disconnect(0);
- }
- int mf_dictionary_attack(mf_tag_t* tag) {
- if (mf_connect()) {
- return -1; // No need to disconnect here
- }
- if (!mf_dictionary_attack_internal(tag)) {
- printf("Dictionary attack failed!\n");
- return mf_disconnect(-1);
- }
- return mf_disconnect(0);
- }
- int mf_test_auth(const mf_tag_t* keys,
- mf_size_t size,
- mf_key_type_t key_type) {
- if (mf_connect()) {
- return -1; // No need to disconnect here
- }
- if (!mf_test_auth_internal(keys, size, key_type)) {
- printf("Test authentication failed!\n");
- return mf_disconnect(-1);
- }
- return mf_disconnect(0);
- }
- bool mf_configure_device() {
- // Disallow invalid frame
- if (nfc_device_set_property_bool(device, NP_ACCEPT_INVALID_FRAMES, false) < 0)
- return false;
- // Disallow multiple frames
- if (nfc_device_set_property_bool(device, NP_ACCEPT_MULTIPLE_FRAMES, false) < 0)
- return false;
- // Make sure we reset the CRC and parity to chip handling.
- if (nfc_device_set_property_bool(device, NP_HANDLE_CRC, true) < 0)
- return false;
- if (nfc_device_set_property_bool(device, NP_HANDLE_PARITY, true) < 0)
- return false;
- // Disable ISO14443-4 switching in order to read devices that emulate
- // Mifare Classic with ISO14443-4 compliance.
- if (nfc_device_set_property_bool(device, NP_AUTO_ISO14443_4, false) < 0)
- return false;
- // Activate "easy framing" feature by default
- if (nfc_device_set_property_bool(device, NP_EASY_FRAMING, true) < 0)
- return false;
- // Deactivate the CRYPTO1 cipher, it may could cause problems when
- // still active
- if (nfc_device_set_property_bool(device, NP_ACTIVATE_CRYPTO1, false) < 0)
- return false;
- // Drop explicitely the field
- if (nfc_device_set_property_bool(device, NP_ACTIVATE_FIELD, false) < 0)
- return false;
- // Override default initialization option, only try to select a tag once.
- if (nfc_device_set_property_bool(device, NP_INFINITE_SELECT, false) < 0)
- return false;
- return true;
- }
- bool mf_select_target() {
- if (nfc_initiator_select_passive_target(device,
- mf_nfc_modulation,
- NULL, // init data
- 0, // init data len
- &target) < 0) {
- return false;
- }
- return true;
- }
- /**
- * Unlocking the card allows writing to block 0 of some pirate cards.
- */
- bool mf_unlock() {
- static uint8_t abtHalt[4] = { 0x50, 0x00, 0x00, 0x00 };
- // Special unlock command
- static const uint8_t abtUnlock1[1] = { 0x40 };
- static const uint8_t abtUnlock2[1] = { 0x43 };
- // Disable CRC and parity checking
- if (nfc_device_set_property_bool(device, NP_HANDLE_CRC, false) < 0)
- return false;
- // Disable easy framing. Use raw send/receive methods
- if (nfc_device_set_property_bool (device, NP_EASY_FRAMING, false) < 0)
- return false;
- // Initialize transmision
- iso14443a_crc_append(abtHalt, 2);
- transmit_bytes(abtHalt, 4);
- // Send unlock
- if (!transmit_bits (abtUnlock1, 7))
- return false;
- if (!transmit_bytes (abtUnlock2, 1))
- return false;
- // Reset reader configuration. CRC and easy framing.
- if (nfc_device_set_property_bool (device, NP_HANDLE_CRC, true) < 0)
- return false;
- if (nfc_device_set_property_bool (device, NP_EASY_FRAMING, true) < 0)
- return false;
- return true;
- }
- bool mf_read_tag_internal(mf_tag_t* tag,
- const mf_tag_t* keys, mf_key_type_t key_type) {
- mifare_param mp;
- static mf_tag_t buffer_tag;
- clear_tag(&buffer_tag);
- int error = 0;
- printf("Reading: ["); fflush(stdout);
- // Read the card from end to begin
- for (int block_it = (int)block_count(size) - 1; block_it >= 0; --block_it) {
- size_t block = (size_t)block_it;
- // Print progress for the unlocked read
- if (key_type == MF_KEY_UNLOCKED && is_trailer_block(block))
- printf("."); fflush(stdout);
- // Authenticate everytime we reach a trailer block
- // unless we are doing an unlocked read
- if (key_type != MF_KEY_UNLOCKED && is_trailer_block(block)) {
- // Try to authenticate for the current sector
- uint8_t* key = key_from_tag(keys, key_type, block);
- if (!mf_authenticate(block, key, key_type)) {
- // Progress indication and error report
- printf("0x%02zx", block_to_sector(block));
- if (block != 3) printf(".");
- fflush(stdout);
- block_it -= (int)sector_size(block) - 1; // Skip the rest of the sector blocks
- error = 1;
- }
- else {
- // Try to read the trailer (only to *read* the access bits)
- if (nfc_initiator_mifare_cmd(device, MC_READ, (uint8_t)block, &mp)) {
- // Copy the keys over to our tag buffer
- key_to_tag(&buffer_tag, keys->amb[block].mbt.abtKeyA, MF_KEY_A, block);
- key_to_tag(&buffer_tag, keys->amb[block].mbt.abtKeyB, MF_KEY_B, block);
- // Store the retrieved access bits in the tag buffer
- memcpy(buffer_tag.amb[block].mbt.abtAccessBits,
- mp.mpd.abtData + 6, 4);
- } else {
- printf ("\nUnable to read trailer block: 0x%02zx.\n", block);
- return false;
- }
- printf("."); fflush(stdout); // Progress indicator
- }
- }
- else { // I.e. not a sector trailer
- // Try to read out the block
- if (!nfc_initiator_mifare_cmd(device, MC_READ, (uint8_t)block, &mp)) {
- printf("\nUnable to read block: 0x%02zx.\n", block);
- return false;
- }
- memcpy(buffer_tag.amb[block].mbd.abtData, mp.mpd.abtData, 0x10);
- }
- }
- // Terminate progress indicator
- if (error)
- printf("] Auth errors in indicated sectors.\n");
- else
- printf("] Success!\n");
- // Success! Copy the data
- // todo: Or return static ptr?
- memcpy(tag, &buffer_tag, MF_4K);
- return true;
- }
- bool mf_write_tag_internal(const mf_tag_t* tag,
- const mf_tag_t* keys,
- mf_key_type_t key_type) {
- mifare_param mp;
- int error = 0;
- printf("Writing %s tag [", sprint_size(size)); fflush(stdout);
- // Process each sector in turn
- for (int header_block_it = sector_header_iterator(0);
- header_block_it != -1;
- header_block_it = sector_header_iterator(size)) {
- size_t header_block = (size_t)header_block_it;
- // Authenticate
- uint8_t* key = key_from_tag(keys, key_type, header_block);
- if (key_type != MF_KEY_UNLOCKED) {
- if (!mf_authenticate(header_block, key, key_type)) {
- // Progress indication and error report
- if (header_block != 0) printf(".");
- printf("0x%02zx", block_to_sector(header_block));
- fflush(stdout);
- error = 1;
- continue; // Skip the rest of the sector blocks
- }
- }
- // Write the sectors blocks
- for (size_t block = header_block, trailer = block_to_trailer(header_block);
- block < trailer; ++block) {
- // First block on tag is read only - skip it unless unlocked
- if (block == 0 && key_type != MF_KEY_UNLOCKED)
- continue;
- // Try to write the data block
- memcpy (mp.mpd.abtData, tag->amb[block].mbd.abtData, 0x10);
- // do not write a block 0 with incorrect BCC - card will be made invalid!
- if (block == 0) {
- if((mp.mpd.abtData[0] ^ mp.mpd.abtData[1] ^ mp.mpd.abtData[2] ^
- mp.mpd.abtData[3] ^ mp.mpd.abtData[4]) != 0x00) {
- printf ("\nError: incorrect BCC in MFD file!\n"); // ADD DATA
- return false;
- }
- }
- // Write the data block
- if (!nfc_initiator_mifare_cmd(device, MC_WRITE, (uint8_t)block, &mp)) {
- printf("\nUnable to write block: 0x%02zx.\n", block);
- return false;
- }
- }
- // Auth ok and sector read ok, finish up by reading trailer
- size_t trailer_block = block_to_trailer(header_block);
- memcpy (mp.mpd.abtData, tag->amb[trailer_block].mbt.abtKeyA, 6);
- memcpy (mp.mpd.abtData + 6, tag->amb[trailer_block].mbt.abtAccessBits, 4);
- memcpy (mp.mpd.abtData + 10, tag->amb[trailer_block].mbt.abtKeyB, 6);
- // Try to write the trailer
- if (!nfc_initiator_mifare_cmd(device, MC_WRITE, (uint8_t)trailer_block, &mp)) {
- printf("\nUnable to write block: 0x%02zx.\n", trailer_block);
- return false;
- }
- printf("."); fflush(stdout); // Progress indicator
- }
- // Terminate progress indicator
- if (error)
- printf("] Auth errors in indicated sectors.\n");
- else
- printf("] Success!\n");
- return true;
- }
- bool mf_dictionary_attack_internal(mf_tag_t* tag) {
- // Tag buffer to swap in if we find all keys
- int all_keys_found = 1;
- static mf_tag_t buffer_tag;
- clear_tag(&buffer_tag);
- // Iterate over the start blocks in all sectors
- for (int block_it = sector_header_iterator(0);
- block_it != -1;
- block_it = sector_header_iterator(size)) {
- size_t block = (size_t)block_it;
- printf("Working on sector: %02zx [", block_to_sector(block));
- const uint8_t* key_a = NULL;
- const uint8_t* key_b = NULL;
- // Iterate we run out of dictionary keys or the sector is cracked
- const key_list_t* key_it = dictionary_get();
- while(key_it && (key_a == NULL || key_b == NULL)) {
- // Try to authenticate for the current sector
- if (key_a == NULL &&
- mf_authenticate(block, key_it->key, MF_KEY_A)) {
- key_a = key_it->key;
- }
- // Try to authenticate for the current sector
- if (key_b == NULL &&
- mf_authenticate(block, key_it->key, MF_KEY_B)) {
- key_b = key_it->key;
- }
- key_it = key_it->next;
- printf("."); fflush(stdout); // Progress indicator
- }
- printf("]\n");
- printf(" A Key: ");
- if (key_a) {
- printf("%s\n", sprint_key(key_a));
- // Optimize dictionary by moving key to the front
- dictionary_add(key_a);
- // Save key in the buffer
- key_to_tag(&buffer_tag, key_a, MF_KEY_A, block);
- }
- else {
- all_keys_found = 0;
- printf("Not found\n");
- }
- printf(" B Key: ");
- if (key_b) {
- printf("%s\n", sprint_key(key_b));
- // Optimize dictionary by moving key to the front
- dictionary_add(key_b);
- // Save key in the buffer
- key_to_tag(&buffer_tag, key_b, MF_KEY_B, block);
- }
- else {
- all_keys_found = 0;
- printf("Not found\n");
- }
- }
- if (all_keys_found)
- printf("All keys were found\n");
- // Use the found keys
- memcpy(tag, &buffer_tag, MF_4K);
- return true;
- }
- bool mf_test_auth_internal(const mf_tag_t* keys,
- mf_size_t size,
- mf_key_type_t key_type) {
- printf("xS T Key Status\n");
- printf("----------------------------\n");
- for (int block_it = sector_header_iterator(0);
- block_it != -1;
- block_it = sector_header_iterator(size)) {
- size_t block = (size_t)block_it;
- uint8_t* key = key_from_tag(keys, key_type, block);
- printf("%02zx %c %s ",
- block_to_sector(block),
- key_type,
- sprint_key(key));
- if (!mf_authenticate(block, key, key_type)) {
- printf("Failure");
- }
- else {
- printf("Success");
- }
- printf("\n");
- }
- return true;
- }
- bool mf_authenticate(size_t block, const uint8_t* key, mf_key_type_t key_type) {
- mifare_param mp;
- // Set the authentication information (uid)
- memcpy(mp.mpa.abtAuthUid, target.nti.nai.abtUid + target.nti.nai.szUidLen - 4, 4);
- // Select key for authentication
- mifare_cmd mc = (key_type == MF_KEY_A) ? MC_AUTH_A : MC_AUTH_B;
- // Set the key
- memcpy(mp.mpa.abtKey, key, 6);
- // Try to authenticate for the current sector
- if (nfc_initiator_mifare_cmd(device, mc, (uint8_t)block, &mp))
- return true;
- // Do the hand shaking again if auth failed
- nfc_initiator_select_passive_target(device, mf_nfc_modulation,
- NULL, 0, &target);
- return false;
- }
- bool transmit_bits(const uint8_t *pbtTx, const size_t szTxBits)
- {
- // Transmit the bit frame command, we don't use the arbitrary parity feature
- if ((szRxBits = nfc_initiator_transceive_bits(device, pbtTx, szTxBits, NULL, abtRx, sizeof(abtRx), NULL)) < 0)
- return false;
- return true;
- }
- bool transmit_bytes(const uint8_t *pbtTx, const size_t szTx)
- {
- // Transmit the command bytes
- if (nfc_initiator_transceive_bytes(device, pbtTx, szTx, abtRx, sizeof(abtRx), 0) < 0)
- return false;
- return true;
- }
|