45 #endif // HAVE_CONFIG_H
64 static mifare_param mp;
65 static mifare_classic_tag mtKeys;
66 static mifare_classic_tag mtDump;
68 static bool bUseKeyFile;
69 static bool bForceKeyFile;
70 static bool bTolerateFailures;
71 static bool magic2 =
false;
72 static uint8_t uiBlocks;
73 static uint8_t keys[] = {
74 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
75 0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7,
76 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
77 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
78 0x4d, 0x3a, 0x99, 0xc3, 0x51, 0xdd,
79 0x1a, 0x98, 0x2c, 0x7e, 0x45, 0x9a,
80 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
81 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
82 0xab, 0xcd, 0xef, 0x12, 0x34, 0x56
90 static size_t num_keys =
sizeof(keys) / 6;
92 #define MAX_FRAME_LEN 264
94 static uint8_t abtRx[MAX_FRAME_LEN];
97 uint8_t abtHalt[4] = { 0x50, 0x00, 0x00, 0x00 };
100 uint8_t abtUnlock1[1] = { 0x40 };
101 uint8_t abtUnlock2[1] = { 0x43 };
104 transmit_bits(
const uint8_t *pbtTx,
const size_t szTxBits)
107 printf(
"Sent bits: ");
108 print_hex_bits(pbtTx, szTxBits);
114 printf(
"Received bits: ");
115 print_hex_bits(abtRx, szRxBits);
122 transmit_bytes(
const uint8_t *pbtTx,
const size_t szTx)
125 printf(
"Sent bits: ");
126 print_hex(pbtTx, szTx);
133 printf(
"Received bits: ");
134 print_hex(abtRx, res);
140 print_success_or_failure(
bool bFailure, uint32_t *uiBlockCounter)
142 printf(
"%c", (bFailure) ?
'x' :
'.');
143 if (uiBlockCounter && !bFailure)
144 *uiBlockCounter += 1;
148 is_first_block(uint32_t uiBlock)
152 return ((uiBlock) % 4 == 0);
154 return ((uiBlock) % 16 == 0);
158 is_trailer_block(uint32_t uiBlock)
162 return ((uiBlock + 1) % 4 == 0);
164 return ((uiBlock + 1) % 16 == 0);
168 get_trailer_block(uint32_t uiFirstBlock)
171 uint32_t trailer_block = 0;
172 if (uiFirstBlock < 128) {
173 trailer_block = uiFirstBlock + (3 - (uiFirstBlock % 4));
175 trailer_block = uiFirstBlock + (15 - (uiFirstBlock % 16));
177 return trailer_block;
181 authenticate(uint32_t uiBlock)
184 uint32_t uiTrailerBlock;
187 memcpy(mp.mpa.abtAuthUid, nt.nti.nai.abtUid + nt.nti.nai.szUidLen - 4, 4);
190 mc = (bUseKeyA) ? MC_AUTH_A : MC_AUTH_B;
196 uiTrailerBlock = get_trailer_block(uiBlock);
200 memcpy(mp.mpa.abtKey, mtKeys.amb[uiTrailerBlock].mbt.abtKeyA, 6);
202 memcpy(mp.mpa.abtKey, mtKeys.amb[uiTrailerBlock].mbt.abtKeyB, 6);
209 for (
size_t key_index = 0; key_index < num_keys; key_index++) {
210 memcpy(mp.mpa.abtKey, keys + (key_index * 6), 6);
213 memcpy(mtKeys.amb[uiBlock].mbt.abtKeyA, &mp.mpa.abtKey, 6);
215 memcpy(mtKeys.amb[uiBlock].mbt.abtKeyB, &mp.mpa.abtKey, 6);
229 printf(
"Don't use R/W with this card, this is not required!\n");
244 iso14443a_crc_append(abtHalt, 2);
245 transmit_bytes(abtHalt, 4);
247 if (!transmit_bits(abtUnlock1, 7)) {
248 printf(
"unlock failure!\n");
251 if (!transmit_bytes(abtUnlock2, 1)) {
252 printf(
"unlock failure!\n");
259 nfc_perror(pnd,
"nfc_device_set_property_bool");
264 nfc_perror(pnd,
"nfc_device_set_property_bool");
274 uint8_t abtRats[2] = { 0xe0, 0x50};
288 printf(
"Error: tag disappeared\n");
297 read_card(
int read_unlocked)
300 bool bFailure =
false;
301 uint32_t uiReadBlocks = 0;
307 printf(
"Reading out %d blocks |", uiBlocks + 1);
309 for (iBlock = uiBlocks; iBlock >= 0; iBlock--) {
311 if (is_trailer_block(iBlock)) {
315 printf(
"!\nError: tag was removed\n");
324 if (!read_unlocked && !authenticate(iBlock)) {
325 printf(
"!\nError: authentication failed for block 0x%02x\n", iBlock);
331 memcpy(mtDump.amb[iBlock].mbd.abtData, mp.mpd.abtData, 16);
334 memcpy(mtDump.amb[iBlock].mbt.abtKeyA, mtKeys.amb[iBlock].mbt.abtKeyA, 6);
335 memcpy(mtDump.amb[iBlock].mbt.abtAccessBits, mp.mpd.abtData + 6, 4);
336 memcpy(mtDump.amb[iBlock].mbt.abtKeyB, mtKeys.amb[iBlock].mbt.abtKeyB, 6);
339 printf(
"!\nfailed to read trailer block 0x%02x\n", iBlock);
347 memcpy(mtDump.amb[iBlock].mbd.abtData, mp.mpd.abtData, 16);
349 printf(
"!\nError: unable to read block 0x%02x\n", iBlock);
355 print_success_or_failure(bFailure, &uiReadBlocks);
356 if ((! bTolerateFailures) && bFailure)
360 printf(
"Done, %d of %d blocks read.\n", uiReadBlocks, uiBlocks + 1);
367 write_card(
int write_block_zero)
370 bool bFailure =
false;
371 uint32_t uiWriteBlocks = 0;
373 if (write_block_zero)
377 printf(
"Writing %d blocks |", uiBlocks + 1);
379 for (uiBlock = 0; uiBlock <= uiBlocks; uiBlock++) {
381 if (is_first_block(uiBlock)) {
385 printf(
"!\nError: tag was removed\n");
394 if (!write_block_zero && !authenticate(uiBlock)) {
395 printf(
"!\nError: authentication failed for block %02x\n", uiBlock);
400 if (is_trailer_block(uiBlock)) {
402 memcpy(mp.mpd.abtData, mtDump.amb[uiBlock].mbt.abtKeyA, 6);
403 memcpy(mp.mpd.abtData + 6, mtDump.amb[uiBlock].mbt.abtAccessBits, 4);
404 memcpy(mp.mpd.abtData + 10, mtDump.amb[uiBlock].mbt.abtKeyB, 6);
408 printf(
"failed to write trailer block %d \n", uiBlock);
413 if (uiBlock == 0 && ! write_block_zero && ! magic2)
420 memcpy(mp.mpd.abtData, mtDump.amb[uiBlock].mbd.abtData, 16);
423 if ((mp.mpd.abtData[0] ^ mp.mpd.abtData[1] ^ mp.mpd.abtData[2] ^ mp.mpd.abtData[3] ^ mp.mpd.abtData[4]) != 0x00 && !magic2) {
424 printf(
"!\nError: incorrect BCC in MFD file!\n");
425 printf(
"Expecting BCC=%02X\n", mp.mpd.abtData[0] ^ mp.mpd.abtData[1] ^ mp.mpd.abtData[2] ^ mp.mpd.abtData[3]);
434 print_success_or_failure(bFailure, &uiWriteBlocks);
435 if ((! bTolerateFailures) && bFailure)
439 printf(
"Done, %d of %d blocks written.\n", uiWriteBlocks, uiBlocks + 1);
452 print_usage(
const char *pcProgramName)
455 printf(
"%s r|R|w|W a|b <dump.mfd> [<keys.mfd> [f]]\n", pcProgramName);
456 printf(
" r|R|w|W - Perform read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card\n");
457 printf(
" *** note that unlocked write will attempt to overwrite block 0 including UID\n");
458 printf(
" *** unlocked read does not require authentication and will reveal A and B keys\n");
459 printf(
" *** unlocking only works with special Mifare 1K cards (Chinese clones)\n");
460 printf(
" a|A|b|B - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)\n");
461 printf(
" <dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)\n");
462 printf(
" <keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)\n");
463 printf(
" f - Force using the keyfile even if UID does not match (optional)\n");
467 main(
int argc,
const char *argv[])
469 action_t atAction = ACTION_USAGE;
474 print_usage(argv[0]);
477 const char *command = argv[1];
479 if (strcmp(command,
"r") == 0 || strcmp(command,
"R") == 0) {
481 print_usage(argv[0]);
484 atAction = ACTION_READ;
485 if (strcmp(command,
"R") == 0)
487 bUseKeyA = tolower((
int)((
unsigned char) * (argv[2]))) ==
'a';
488 bTolerateFailures = tolower((
int)((
unsigned char) * (argv[2]))) != (int)((
unsigned char) * (argv[2]));
489 bUseKeyFile = (argc > 4);
490 bForceKeyFile = ((argc > 5) && (strcmp((
char *)argv[5],
"f") == 0));
491 }
else if (strcmp(command,
"w") == 0 || strcmp(command,
"W") == 0) {
493 print_usage(argv[0]);
496 atAction = ACTION_WRITE;
497 if (strcmp(command,
"W") == 0)
499 bUseKeyA = tolower((
int)((
unsigned char) * (argv[2]))) ==
'a';
500 bTolerateFailures = tolower((
int)((
unsigned char) * (argv[2]))) != (int)((
unsigned char) * (argv[2]));
501 bUseKeyFile = (argc > 4);
502 bForceKeyFile = ((argc > 5) && (strcmp((
char *)argv[5],
"f") == 0));
505 if (atAction == ACTION_USAGE) {
506 print_usage(argv[0]);
511 FILE *pfKeys = fopen(argv[4],
"rb");
512 if (pfKeys == NULL) {
513 printf(
"Could not open keys file: %s\n", argv[4]);
516 if (fread(&mtKeys, 1, 4, pfKeys) != 4) {
517 printf(
"Could not read UID from key file: %s\n", argv[4]);
524 if (context == NULL) {
525 ERR(
"Unable to init libnfc (malloc)");
532 ERR(
"Error opening NFC reader");
546 nfc_perror(pnd,
"nfc_device_set_property_bool");
558 printf(
"Error: no tag was found\n");
564 if ((nt.nti.nai.btSak & 0x08) == 0) {
565 printf(
"Warning: tag is probably not a MFC!\n");
569 pbtUID = nt.nti.nai.abtUid;
573 memcpy(fileUid, mtKeys.amb[0].mbm.abtUID, 4);
575 if (memcmp(pbtUID, fileUid, 4) != 0) {
576 printf(
"Expected MIFARE Classic card with UID starting as: %02x%02x%02x%02x\n",
577 fileUid[0], fileUid[1], fileUid[2], fileUid[3]);
578 printf(
"Got card with UID starting as: %02x%02x%02x%02x\n",
579 pbtUID[0], pbtUID[1], pbtUID[2], pbtUID[3]);
580 if (! bForceKeyFile) {
581 printf(
"Aborting!\n");
588 printf(
"Found MIFARE Classic card:\n");
589 print_nfc_target(&nt,
false);
592 if ((nt.nti.nai.abtAtqa[1] & 0x02) == 0x02)
595 else if ((nt.nti.nai.btSak & 0x01) == 0x01)
603 if ((res = get_rats()) > 0) {
604 if ((res >= 10) && (abtRx[5] == 0xc1) && (abtRx[6] == 0x05)
605 && (abtRx[7] == 0x2f) && (abtRx[8] == 0x2f)
606 && ((nt.nti.nai.abtAtqa[1] & 0x02) == 0x00)) {
611 if ((res == 9) && (abtRx[5] == 0xda) && (abtRx[6] == 0xbc)
612 && (abtRx[7] == 0x19) && (abtRx[8] == 0x10)) {
616 printf(
"Guessing size: seems to be a %i-byte card\n", (uiBlocks + 1) * 16);
619 FILE *pfKeys = fopen(argv[4],
"rb");
620 if (pfKeys == NULL) {
621 printf(
"Could not open keys file: %s\n", argv[4]);
624 if (fread(&mtKeys, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfKeys) != (uiBlocks + 1) *
sizeof(mifare_classic_block)) {
625 printf(
"Could not read keys file: %s\n", argv[4]);
632 if (atAction == ACTION_READ) {
633 memset(&mtDump, 0x00,
sizeof(mtDump));
635 FILE *pfDump = fopen(argv[3],
"rb");
637 if (pfDump == NULL) {
638 printf(
"Could not open dump file: %s\n", argv[3]);
643 if (fread(&mtDump, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfDump) != (uiBlocks + 1) *
sizeof(mifare_classic_block)) {
644 printf(
"Could not read dump file: %s\n", argv[3]);
652 if (atAction == ACTION_READ) {
653 if (read_card(unlock)) {
654 printf(
"Writing data to file: %s ...", argv[3]);
656 FILE *pfDump = fopen(argv[3],
"wb");
657 if (pfDump == NULL) {
658 printf(
"Could not open dump file: %s\n", argv[3]);
663 if (fwrite(&mtDump, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfDump) != ((uiBlocks + 1) *
sizeof(mifare_classic_block))) {
664 printf(
"\nCould not write to file: %s\n", argv[3]);
673 }
else if (atAction == ACTION_WRITE) {