nfc-mfsetuid.c
1 /*-
2  * Free/Libre Near Field Communication (NFC) library
3  *
4  * Libnfc historical contributors:
5  * Copyright (C) 2009 Roel Verdult
6  * Copyright (C) 2009-2013 Romuald Conty
7  * Copyright (C) 2010-2012 Romain Tartière
8  * Copyright (C) 2010-2013 Philippe Teuwen
9  * Copyright (C) 2012-2013 Ludovic Rousseau
10  * Additional contributors of this file:
11  * Copyright (C) 2011 Adam Laurie
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions are met:
15  * 1) Redistributions of source code must retain the above copyright notice,
16  * this list of conditions and the following disclaimer.
17  * 2 )Redistributions in binary form must reproduce the above copyright
18  * notice, this list of conditions and the following disclaimer in the
19  * documentation and/or other materials provided with the distribution.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
22  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
25  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31  * POSSIBILITY OF SUCH DAMAGE.
32  *
33  * Note that this license only applies on the examples, NFC library itself is under LGPL
34  *
35  */
36 
46 #ifdef HAVE_CONFIG_H
47 # include "config.h"
48 #endif // HAVE_CONFIG_H
49 
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
56 
57 #include <nfc/nfc.h>
58 
59 #include "utils/nfc-utils.h"
60 
// SAK bit meaning "ISO14443-4 supported" (an ATS could be requested with RATS)
#define SAK_FLAG_ATS_SUPPORTED 0x20

// Largest frame exchanged with the reader; sizes abtRx and abtAts
#define MAX_FRAME_LEN 264

static uint8_t abtRx[MAX_FRAME_LEN];   // answer buffer shared by transmit_bits() and transmit_bytes()
static int szRxBits;                   // length in bits of the last answer received by transmit_bits()
static uint8_t abtRawUid[12];          // UID parts as received, 4 bytes per cascade level (CT 0x88 included)
static uint8_t abtAtqa[2];             // answer to REQA, copied out of abtRx in main()
static uint8_t abtSak;                 // SAK byte of the last select
static uint8_t abtAts[MAX_FRAME_LEN];  // ATS storage; nothing in this file fills it (no RATS is sent)
static uint8_t szAts = 0;              // ATS length; only compared in main(), never updated here
static size_t szCL = 1;//Always start with Cascade Level 1 (CL1)
static nfc_device *pnd;                // reader handle, opened in main()

bool quiet_output = false;        // -q: suppress the hex dump of every frame sent and received
bool iso_ats_supported = false;   // set from the SAK in main(); not acted upon afterwards

// ISO14443A Anti-Collision Commands
uint8_t abtReqa[1] = { 0x26 };            // REQA, sent as a 7-bit frame
uint8_t abtSelectAll[2] = { 0x93, 0x20 }; // anti-collision; byte 0 is rewritten to 0x95 / 0x97 for CL2 / CL3
uint8_t abtSelectTag[9] = { 0x93, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; // select; bytes 2..6 get UID part + BCC, 7..8 the CRC_A
uint8_t abtRats[4] = { 0xe0, 0x50, 0x00, 0x00 }; // RATS; declared but not sent anywhere in this file
uint8_t abtHalt[4] = { 0x50, 0x00, 0x00, 0x00 }; // HLTA; bytes 2..3 get the CRC_A in main()
#define CASCADE_BIT 0x04   // SAK bit: UID incomplete, another cascade level follows

// special unlock command
// Card-specific sequence of the "Chinese clone" Mifare 1K cards this tool is
// written for (see print_usage); abtUnlock1 is sent as a 7-bit frame, the
// others as byte frames without CRC.
uint8_t abtUnlock1[1] = { 0x40 };
uint8_t abtUnlock2[1] = { 0x43 };
uint8_t abtWipe[1] = { 0x41 };                      // only sent with -f
uint8_t abtWrite[4] = { 0xa0, 0x00, 0x5f, 0xb1 };   // write-block command; byte 1 = block number, bytes 2..3 = CRC_A (presumably precomputed for block 0; -f recomputes it per block)
// Block 0 image (16 bytes + CRC_A): UID, BCC, then SAK/ATQA/manufacturer bytes
// in the Mifare Classic block 0 layout. main() overwrites bytes 0..3 with the
// UID given on the command line and recomputes the BCC and the CRC.
uint8_t abtData[18] = { 0x01, 0x23, 0x45, 0x67, 0x00, 0x08, 0x04, 0x00, 0x46, 0x59, 0x25, 0x58, 0x49, 0x10, 0x23, 0x02, 0x23, 0xeb };
// Sector trailer written to blocks 3, 7, ..., 63 by -f: key A all 0xFF,
// access bytes FF 07 80 69, key B all 0xFF, then the CRC_A (sent as given).
uint8_t abtBlank[18] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x07, 0x80, 0x69, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x36, 0xCC };
93 
94 
/*
 * Send a bit-oriented frame (the 7-bit REQA and unlock commands) and leave the
 * tag's answer in abtRx, with its length in bits in szRxBits.
 * Parity handling is left to the device (NULL parity buffers).
 * Returns false when the transceive reports an error; the contents of abtRx
 * are then not meaningful and callers must not interpret them.
 */
static bool
transmit_bits(const uint8_t *pbtTx, const size_t szTxBits)
{
  if (!quiet_output) {
    printf("Sent bits: ");
    print_hex_bits(pbtTx, szTxBits);
  }

  szRxBits = nfc_initiator_transceive_bits(pnd, pbtTx, szTxBits, NULL, abtRx, sizeof(abtRx), NULL);
  if (szRxBits < 0) {
    return false;
  }

  if (!quiet_output) {
    printf("Received bits: ");
    print_hex_bits(abtRx, szRxBits);
  }
  return true;
}
115 
116 
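/*
 * Send a byte frame to the tag and leave its answer in abtRx.
 * No CRC_A is appended here: main() disables NP_HANDLE_CRC, so callers either
 * pass frames with the CRC already computed (iso14443a_crc_append) or, for the
 * one-byte unlock commands, none at all.
 * Returns false when the transceive reports an error; the contents of abtRx
 * are then not meaningful and callers must not interpret them.
 */
static bool
transmit_bytes(const uint8_t *pbtTx, const size_t szTx)
{
  // Show transmitted command (bytes, not bits — the label must say so)
  if (!quiet_output) {
    printf("Sent bytes: ");
    print_hex(pbtTx, szTx);
  }

  // Transmit the command bytes; the result is the answer length in bytes, negative on error
  int res = nfc_initiator_transceive_bytes(pnd, pbtTx, szTx, abtRx, sizeof(abtRx), 0);
  if (res < 0) {
    return false;
  }

  // Show received answer
  if (!quiet_output) {
    printf("Received bytes: ");
    print_hex(abtRx, (size_t) res);
  }
  return true;
}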
138 
/*
 * Print the command-line help to stdout. argv[0] is used as the program name
 * in the usage line; the remaining lines are fixed text.
 */
static void
print_usage(char *argv[])
{
  static const char *const lines[] = {
    "Options:\n",
    "\t-h\tHelp. Print this message.\n",
    "\t-f\tFormat. Delete all data (set to 0xFF) and reset ACLs to default.\n",
    "\t-q\tQuiet mode. Suppress output of READER and CARD data (improves timing).\n",
    "\n\tSpecify UID (4 HEX bytes) to set UID, or leave blank for default '01234567'.\n",
    "\tThis utility can be used to recover cards that have been damaged by writing bad\n",
    "\tdata (e.g. wrong BCC), thus making them non-selectable by most tools/readers.\n",
    "\n\t*** Note: this utility only works with special Mifare 1K cards (Chinese clones).\n\n",
  };

  printf("Usage: %s [OPTIONS] [UID]\n", argv[0]);
  for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); k++) {
    fputs(lines[k], stdout);
  }
}
152 
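/*
 * Release the reader (when it was opened) and the libnfc context, then
 * terminate the process with the given status. Shared by every exit path
 * after nfc_init() has succeeded.
 */
static void
close_and_exit(nfc_context *context, int status)
{
  if (pnd != NULL) {
    nfc_close(pnd);
  }
  nfc_exit(context);
  exit(status);
}

/*
 * Report a failed libnfc call on pnd via nfc_perror() and terminate with
 * EXIT_FAILURE after releasing the reader and the context.
 */
static void
die_perror(nfc_context *context, const char *what)
{
  nfc_perror(pnd, what);
  close_and_exit(context, EXIT_FAILURE);
}

/*
 * Parse an 8-character hexadecimal UID argument into abtData[0..3], then
 * recompute the BCC (abtData[4], XOR of the four UID bytes) and the CRC_A
 * over the 16-byte block.
 * Returns false, leaving abtData untouched, when any character is not a hex
 * digit; the caller must not send the block in that case.
 */
static bool
parse_uid_arg(const char *arg)
{
  uint8_t uid[4];
  for (int i = 0; i < 4; ++i) {
    // strtoul() would accept leading blanks or a sign, so check both digits strictly
    if (!isxdigit((unsigned char) arg[i * 2]) || !isxdigit((unsigned char) arg[i * 2 + 1])) {
      return false;
    }
    char tmp[3] = { arg[i * 2], arg[i * 2 + 1], '\0' };
    uid[i] = (uint8_t) strtoul(tmp, NULL, 16);
  }
  memcpy(abtData, uid, 4);
  abtData[4] = abtData[0] ^ abtData[1] ^ abtData[2] ^ abtData[3];
  iso14443a_crc_append(abtData, 16);
  return true;
}

/*
 * Run one cascade level of the ISO14443A anti-collision / select sequence.
 * sel is the SEL code of the level (0x93, 0x95 or 0x97); the four UID bytes
 * of the anti-collision answer are stored at uid_out and the SAK byte of the
 * select answer through *sak.
 * Returns false as soon as a transceive fails; uid_out and *sak are then left
 * untouched so that stale abtRx contents are never interpreted.
 */
static bool
select_cascade_level(uint8_t sel, uint8_t *uid_out, uint8_t *sak)
{
  // Anti-collision: SEL + 0x20, answered with 4 UID bytes and the BCC
  abtSelectAll[0] = sel;
  if (!transmit_bytes(abtSelectAll, 2)) {
    return false;
  }
  // The fifth byte is the BCC: XOR of the four UID bytes
  if ((abtRx[0] ^ abtRx[1] ^ abtRx[2] ^ abtRx[3] ^ abtRx[4]) != 0) {
    printf("WARNING: BCC check failed!\n");
  }
  memcpy(uid_out, abtRx, 4);

  // Select: SEL + 0x70 + UID part + BCC, with the CRC_A appended by us
  abtSelectTag[0] = sel;
  memcpy(abtSelectTag + 2, abtRx, 5);
  iso14443a_crc_append(abtSelectTag, 7);
  if (!transmit_bytes(abtSelectTag, 9)) {
    return false;
  }
  *sak = abtRx[0];
  return true;
}

/*
 * Print the UID for the given cascade level count, skipping the cascade tag
 * (first byte) of every level but the last.
 */
static void
print_uid(size_t cl)
{
  switch (cl) {
    case 1:
      printf("%02x%02x%02x%02x", abtRawUid[0], abtRawUid[1], abtRawUid[2], abtRawUid[3]);
      break;
    case 2:
      printf("%02x%02x%02x", abtRawUid[1], abtRawUid[2], abtRawUid[3]);
      printf("%02x%02x%02x%02x", abtRawUid[4], abtRawUid[5], abtRawUid[6], abtRawUid[7]);
      break;
    case 3:
      printf("%02x%02x%02x", abtRawUid[1], abtRawUid[2], abtRawUid[3]);
      printf("%02x%02x%02x", abtRawUid[5], abtRawUid[6], abtRawUid[7]);
      printf("%02x%02x%02x%02x", abtRawUid[8], abtRawUid[9], abtRawUid[10], abtRawUid[11]);
      break;
    default:
      break;
  }
}

/*
 * Entry point: parse options, open the first reader, identify the tag in the
 * field (REQA, anti-collision, select), print its UID/ATQA/SAK, then send the
 * card-specific unlock sequence and rewrite block 0 with abtData (and, with
 * -f, every sector trailer with abtBlank).
 * Returns EXIT_SUCCESS after the write sequence has been sent; exits with
 * EXIT_FAILURE on bad arguments, reader errors or when no tag answers REQA.
 */
int
main(int argc, char *argv[])
{
  bool format = false;

  // Get commandline options
  for (int arg = 1; arg < argc; arg++) {
    if (0 == strcmp(argv[arg], "-h")) {
      print_usage(argv);
      exit(EXIT_SUCCESS);
    } else if (0 == strcmp(argv[arg], "-f")) {
      format = true;
    } else if (0 == strcmp(argv[arg], "-q")) {
      quiet_output = true;
    } else if (strlen(argv[arg]) == 8) {
      // Reject anything that is not 8 hex digits instead of writing garbage into block 0
      if (!parse_uid_arg(argv[arg])) {
        ERR("%s is not a valid UID (8 hexadecimal digits expected).", argv[arg]);
        print_usage(argv);
        exit(EXIT_FAILURE);
      }
    } else {
      ERR("%s is not supported option.", argv[arg]);
      print_usage(argv);
      exit(EXIT_FAILURE);
    }
  }

  nfc_context *context;
  nfc_init(&context);
  if (context == NULL) {
    ERR("Unable to init libnfc (malloc)");
    exit(EXIT_FAILURE);
  }

  // Try to open the NFC reader
  pnd = nfc_open(context, NULL);
  if (pnd == NULL) {
    ERR("Error opening NFC reader");
    close_and_exit(context, EXIT_FAILURE);
  }

  // Initialise NFC device as "initiator"
  if (nfc_initiator_init(pnd) < 0) {
    die_perror(context, "nfc_initiator_init");
  }
  // The CRC_A of every frame is appended by this program, not by the device
  if (nfc_device_set_property_bool(pnd, NP_HANDLE_CRC, false) < 0) {
    die_perror(context, "nfc_device_set_property_bool");
  }
  // Use raw send/receive methods
  if (nfc_device_set_property_bool(pnd, NP_EASY_FRAMING, false) < 0) {
    die_perror(context, "nfc_device_set_property_bool");
  }
  // Disable 14443-4 autoswitching
  if (nfc_device_set_property_bool(pnd, NP_AUTO_ISO14443_4, false) < 0) {
    die_perror(context, "nfc_device_set_property_bool");
  }

  printf("NFC reader: %s opened\n", nfc_device_get_name(pnd));

  // Send the 7 bits request command specified in ISO 14443A (0x26)
  if (!transmit_bits(abtReqa, 7)) {
    printf("Error: No tag available\n");
    close_and_exit(context, EXIT_FAILURE);
  }
  memcpy(abtAtqa, abtRx, 2);

  // Anti-collision and select, one cascade level at a time. A card whose
  // block 0 is corrupt (the case this tool exists for) may not answer the
  // select; the unlock sequence below does not depend on it, so only warn.
  static const uint8_t sel_codes[3] = { 0x93, 0x95, 0x97 };
  szCL = 1;
  for (size_t lvl = 0; lvl < 3; lvl++) {
    szCL = lvl + 1;
    if (!select_cascade_level(sel_codes[lvl], abtRawUid + 4 * lvl, &abtSak)) {
      printf("WARNING: no answer at cascade level %zu, continuing anyway\n", szCL);
      break;
    }
    // Cascade bit clear: the UID is complete. Level 3 is the last one either way.
    if (!(abtSak & CASCADE_BIT) || lvl == 2) {
      break;
    }
    // With the cascade bit set, this level's first byte must be the cascade tag
    if (abtRawUid[4 * lvl] != 0x88) {
      printf("WARNING: Cascade bit set but CT != 0x88!\n");
    }
  }

  // Request ATS, this only applies to tags that support ISO 14443A-4
  if (abtSak & SAK_FLAG_ATS_SUPPORTED) {
    iso_ats_supported = true;
  }

  printf("\nFound tag with\n UID: ");
  print_uid(szCL);
  printf("\n");
  printf("ATQA: %02x%02x\n SAK: %02x\n", abtAtqa[1], abtAtqa[0], abtSak);
  // szAts is not updated anywhere visible in this file (no RATS is sent), so this branch stays inactive
  if (szAts > 1) { // if = 1, it's not actual ATS but error code
    printf(" ATS: ");
    print_hex(abtAts, szAts);
  }
  printf("\n");

  // now reset UID: halt, send the card-specific unlock sequence, then write block 0.
  // Answers are deliberately not checked: a damaged card may not acknowledge.
  iso14443a_crc_append(abtHalt, 2);
  transmit_bytes(abtHalt, 4);
  transmit_bits(abtUnlock1, 7);
  if (format) {
    transmit_bytes(abtWipe, 1);
    transmit_bytes(abtHalt, 4);
    transmit_bits(abtUnlock1, 7);
  }
  transmit_bytes(abtUnlock2, 1);
  transmit_bytes(abtWrite, 4);
  transmit_bytes(abtData, 18);
  if (format) {
    // -f: rewrite every sector trailer (blocks 3, 7, ..., 63) with default keys and ACLs
    for (int i = 3; i < 64; i += 4) {
      abtWrite[1] = (uint8_t) i;
      iso14443a_crc_append(abtWrite, 2);
      transmit_bytes(abtWrite, 4);
      transmit_bytes(abtBlank, 18);
    }
  }

  nfc_close(pnd);
  nfc_exit(context);
  return EXIT_SUCCESS;
}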