44 #endif // HAVE_CONFIG_H
// Parameter block handed to the MIFARE commands: authenticate() fills
// mp.mpa (auth UID + key), read_card()/write_card() go through mp.mpd.abtData.
static mifare_param mp;
// In-memory image of the key file: sector trailers' key A / key B are taken
// from mtKeys.amb[trailer].mbt; a default key that authenticates is stored back here.
static mifare_classic_tag mtKeys;
// In-memory image of the dump file that is read from / written to the card.
static mifare_classic_tag mtDump;
// True when a <keys.mfd> argument was supplied (argc > 4).
static bool bUseKeyFile;
// True when the optional "f" argument was given: a UID mismatch between the
// key file and the card is reported but no longer aborts.
static bool bForceKeyFile;
// True when the key selector was given in upper case (A|B): a failing block
// is reported but the read/write loop carries on instead of stopping.
static bool bTolerateFailures;
// When set, write_card() skips its block-0 guard and the BCC check.
// NOTE(review): where this flag gets set is not shown here — confirm against the card detection code.
static bool magic2 = false;
// Index of the highest block on the card; the block count is uiBlocks + 1.
static uint8_t uiBlocks;
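// Default keys tried by authenticate() in the loop over num_keys.
// Each row is one 6-byte MIFARE Classic key.
// The table is only ever a memcpy source, so it is const.
static const uint8_t keys[] = {
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7,
  0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
  0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
  0x4d, 0x3a, 0x99, 0xc3, 0x51, 0xdd,
  0x1a, 0x98, 0x2c, 0x7e, 0x45, 0x9a,
  0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xab, 0xcd, 0xef, 0x12, 0x34, 0x56
};
// Number of 6-byte keys in the table above (derived, so it cannot drift).
static const size_t num_keys = sizeof(keys) / 6;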
#define MAX_FRAME_LEN 264
// Receive buffer filled by transmit_bits()/transmit_bytes(); its contents are
// also inspected after get_rats() to recognise particular card types.
static uint8_t abtRx[MAX_FRAME_LEN];
// 2-byte HALT command; iso14443a_crc_append(abtHalt, 2) fills bytes 2-3 with
// the CRC before the 4 bytes are sent. Note: external linkage, unlike the
// static tables above.
uint8_t abtHalt[4] = { 0x50, 0x00, 0x00, 0x00 };
// First frame of the unlock sequence, sent as a 7-bit frame.
uint8_t abtUnlock1[1] = { 0x40 };
// Second frame of the unlock sequence, sent as one full byte.
uint8_t abtUnlock2[1] = { 0x43 };
103 transmit_bits(
const uint8_t *pbtTx,
const size_t szTxBits)
106 printf(
"Sent bits: ");
107 print_hex_bits(pbtTx, szTxBits);
113 printf(
"Received bits: ");
114 print_hex_bits(abtRx, szRxBits);
121 transmit_bytes(
const uint8_t *pbtTx,
const size_t szTx)
124 printf(
"Sent bits: ");
125 print_hex(pbtTx, szTx);
132 printf(
"Received bits: ");
133 print_hex(abtRx, res);
// Prints one progress character per block ('x' on failure, '.' on success)
// and, when a counter is supplied, bumps it for each successful block.
static void
print_success_or_failure(bool bFailure, uint32_t *uiBlockCounter)
{
  const char mark = bFailure ? 'x' : '.';
  printf("%c", mark);
  if (bFailure || uiBlockCounter == NULL) {
    return;
  }
  (*uiBlockCounter)++;
}
// True when uiBlock is the first block of its sector. Blocks below 128 live
// in 4-block sectors, the remaining ones in 16-block sectors (same split as
// get_trailer_block()).
static bool
is_first_block(uint32_t uiBlock)
{
  const uint32_t blocks_per_sector = (uiBlock < 128) ? 4 : 16;
  return (uiBlock % blocks_per_sector) == 0;
}
// True when uiBlock is the last (trailer) block of its sector. Blocks below
// 128 live in 4-block sectors, the remaining ones in 16-block sectors (same
// split as get_trailer_block()).
static bool
is_trailer_block(uint32_t uiBlock)
{
  const uint32_t blocks_per_sector = (uiBlock < 128) ? 4 : 16;
  return ((uiBlock + 1) % blocks_per_sector) == 0;
}
// Returns the trailer block number of the sector containing uiFirstBlock.
// Blocks below 128 live in 4-block sectors, the remaining ones in 16-block
// sectors; the trailer is the last block of the sector.
static uint32_t
get_trailer_block(uint32_t uiFirstBlock)
{
  const uint32_t blocks_per_sector = (uiFirstBlock < 128) ? 4 : 16;
  const uint32_t sector_start = uiFirstBlock - (uiFirstBlock % blocks_per_sector);
  return sector_start + blocks_per_sector - 1;
}
180 authenticate(uint32_t uiBlock)
183 uint32_t uiTrailerBlock;
186 memcpy(mp.mpa.abtAuthUid, nt.nti.nai.abtUid + nt.nti.nai.szUidLen - 4, 4);
189 mc = (bUseKeyA) ? MC_AUTH_A : MC_AUTH_B;
195 uiTrailerBlock = get_trailer_block(uiBlock);
199 memcpy(mp.mpa.abtKey, mtKeys.amb[uiTrailerBlock].mbt.abtKeyA, 6);
201 memcpy(mp.mpa.abtKey, mtKeys.amb[uiTrailerBlock].mbt.abtKeyB, 6);
208 for (
size_t key_index = 0; key_index < num_keys; key_index++) {
209 memcpy(mp.mpa.abtKey, keys + (key_index * 6), 6);
212 memcpy(mtKeys.amb[uiBlock].mbt.abtKeyA, &mp.mpa.abtKey, 6);
214 memcpy(mtKeys.amb[uiBlock].mbt.abtKeyB, &mp.mpa.abtKey, 6);
228 printf(
"Don't use R/W with this card, this is not required!\n");
243 iso14443a_crc_append(abtHalt, 2);
244 transmit_bytes(abtHalt, 4);
246 if (!transmit_bits(abtUnlock1, 7)) {
247 printf(
"unlock failure!\n");
250 if (!transmit_bytes(abtUnlock2, 1)) {
251 printf(
"unlock failure!\n");
258 nfc_perror(pnd,
"nfc_device_set_property_bool");
263 nfc_perror(pnd,
"nfc_device_set_property_bool");
273 uint8_t abtRats[2] = { 0xe0, 0x50};
287 printf(
"Error: tag disappeared\n");
296 read_card(
int read_unlocked)
299 bool bFailure =
false;
300 uint32_t uiReadBlocks = 0;
306 printf(
"Reading out %d blocks |", uiBlocks + 1);
308 for (iBlock = uiBlocks; iBlock >= 0; iBlock--) {
310 if (is_trailer_block(iBlock)) {
314 printf(
"!\nError: tag was removed\n");
323 if (!read_unlocked && !authenticate(iBlock)) {
324 printf(
"!\nError: authentication failed for block 0x%02x\n", iBlock);
330 memcpy(mtDump.amb[iBlock].mbd.abtData, mp.mpd.abtData, 16);
333 memcpy(mtDump.amb[iBlock].mbt.abtKeyA, mtKeys.amb[iBlock].mbt.abtKeyA, 6);
334 memcpy(mtDump.amb[iBlock].mbt.abtAccessBits, mp.mpd.abtData + 6, 4);
335 memcpy(mtDump.amb[iBlock].mbt.abtKeyB, mtKeys.amb[iBlock].mbt.abtKeyB, 6);
338 printf(
"!\nfailed to read trailer block 0x%02x\n", iBlock);
346 memcpy(mtDump.amb[iBlock].mbd.abtData, mp.mpd.abtData, 16);
348 printf(
"!\nError: unable to read block 0x%02x\n", iBlock);
354 print_success_or_failure(bFailure, &uiReadBlocks);
355 if ((! bTolerateFailures) && bFailure)
359 printf(
"Done, %d of %d blocks read.\n", uiReadBlocks, uiBlocks + 1);
366 write_card(
int write_block_zero)
369 bool bFailure =
false;
370 uint32_t uiWriteBlocks = 0;
372 if (write_block_zero)
376 printf(
"Writing %d blocks |", uiBlocks + 1);
378 for (uiBlock = 0; uiBlock <= uiBlocks; uiBlock++) {
380 if (is_first_block(uiBlock)) {
384 printf(
"!\nError: tag was removed\n");
393 if (!write_block_zero && !authenticate(uiBlock)) {
394 printf(
"!\nError: authentication failed for block %02x\n", uiBlock);
399 if (is_trailer_block(uiBlock)) {
401 memcpy(mp.mpd.abtData, mtDump.amb[uiBlock].mbt.abtKeyA, 6);
402 memcpy(mp.mpd.abtData + 6, mtDump.amb[uiBlock].mbt.abtAccessBits, 4);
403 memcpy(mp.mpd.abtData + 10, mtDump.amb[uiBlock].mbt.abtKeyB, 6);
407 printf(
"failed to write trailer block %d \n", uiBlock);
412 if (uiBlock == 0 && ! write_block_zero && ! magic2)
419 memcpy(mp.mpd.abtData, mtDump.amb[uiBlock].mbd.abtData, 16);
422 if ((mp.mpd.abtData[0] ^ mp.mpd.abtData[1] ^ mp.mpd.abtData[2] ^ mp.mpd.abtData[3] ^ mp.mpd.abtData[4]) != 0x00 && !magic2) {
423 printf(
"!\nError: incorrect BCC in MFD file!\n");
424 printf(
"Expecting BCC=%02X\n", mp.mpd.abtData[0] ^ mp.mpd.abtData[1] ^ mp.mpd.abtData[2] ^ mp.mpd.abtData[3]);
433 print_success_or_failure(bFailure, &uiWriteBlocks);
434 if ((! bTolerateFailures) && bFailure)
438 printf(
"Done, %d of %d blocks written.\n", uiWriteBlocks, uiBlocks + 1);
451 print_usage(
const char *pcProgramName)
454 printf(
"%s r|R|w|W a|b <dump.mfd> [<keys.mfd> [f]]\n", pcProgramName);
455 printf(
" r|R|w|W - Perform read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card\n");
456 printf(
" *** note that unlocked write will attempt to overwrite block 0 including UID\n");
457 printf(
" *** unlocked read does not require authentication and will reveal A and B keys\n");
458 printf(
" *** unlocking only works with special Mifare 1K cards (Chinese clones)\n");
459 printf(
" a|A|b|B - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)\n");
460 printf(
" <dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)\n");
461 printf(
" <keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)\n");
462 printf(
" f - Force using the keyfile even if UID does not match (optional)\n");
466 main(
int argc,
const char *argv[])
468 action_t atAction = ACTION_USAGE;
473 print_usage(argv[0]);
476 const char *command = argv[1];
478 if (strcmp(command,
"r") == 0 || strcmp(command,
"R") == 0) {
480 print_usage(argv[0]);
483 atAction = ACTION_READ;
484 if (strcmp(command,
"R") == 0)
486 bUseKeyA = tolower((
int)((
unsigned char) * (argv[2]))) ==
'a';
487 bTolerateFailures = tolower((
int)((
unsigned char) * (argv[2]))) != (int)((
unsigned char) * (argv[2]));
488 bUseKeyFile = (argc > 4);
489 }
else if (strcmp(command,
"w") == 0 || strcmp(command,
"W") == 0) {
491 print_usage(argv[0]);
494 atAction = ACTION_WRITE;
495 if (strcmp(command,
"W") == 0)
497 bUseKeyA = tolower((
int)((
unsigned char) * (argv[2]))) ==
'a';
498 bTolerateFailures = tolower((
int)((
unsigned char) * (argv[2]))) != (int)((
unsigned char) * (argv[2]));
499 bUseKeyFile = (argc > 4);
500 bForceKeyFile = ((argc > 5) && (strcmp((
char *)argv[5],
"f") == 0));
503 if (atAction == ACTION_USAGE) {
504 print_usage(argv[0]);
509 FILE *pfKeys = fopen(argv[4],
"rb");
510 if (pfKeys == NULL) {
511 printf(
"Could not open keys file: %s\n", argv[4]);
514 if (fread(&mtKeys, 1, 4, pfKeys) != 4) {
515 printf(
"Could not read UID from key file: %s\n", argv[4]);
522 if (context == NULL) {
523 ERR(
"Unable to init libnfc (malloc)");
530 ERR(
"Error opening NFC reader");
544 nfc_perror(pnd,
"nfc_device_set_property_bool");
556 printf(
"Error: no tag was found\n");
562 if ((nt.nti.nai.btSak & 0x08) == 0) {
563 printf(
"Warning: tag is probably not a MFC!\n");
567 pbtUID = nt.nti.nai.abtUid;
571 memcpy(fileUid, mtKeys.amb[0].mbm.abtUID, 4);
573 if (memcmp(pbtUID, fileUid, 4) != 0) {
574 printf(
"Expected MIFARE Classic card with UID starting as: %02x%02x%02x%02x\n",
575 fileUid[0], fileUid[1], fileUid[2], fileUid[3]);
576 printf(
"Got card with UID starting as: %02x%02x%02x%02x\n",
577 pbtUID[0], pbtUID[1], pbtUID[2], pbtUID[3]);
578 if (! bForceKeyFile) {
579 printf(
"Aborting!\n");
586 printf(
"Found MIFARE Classic card:\n");
587 print_nfc_target(&nt,
false);
590 if ((nt.nti.nai.abtAtqa[1] & 0x02) == 0x02)
593 else if ((nt.nti.nai.btSak & 0x01) == 0x01)
601 if ((res = get_rats()) > 0) {
602 if ((res >= 10) && (abtRx[5] == 0xc1) && (abtRx[6] == 0x05)
603 && (abtRx[7] == 0x2f) && (abtRx[8] == 0x2f)
604 && ((nt.nti.nai.abtAtqa[1] & 0x02) == 0x00)) {
609 if ((res == 9) && (abtRx[5] == 0xda) && (abtRx[6] == 0xbc)
610 && (abtRx[7] == 0x19) && (abtRx[8] == 0x10)) {
614 printf(
"Guessing size: seems to be a %i-byte card\n", (uiBlocks + 1) * 16);
617 FILE *pfKeys = fopen(argv[4],
"rb");
618 if (pfKeys == NULL) {
619 printf(
"Could not open keys file: %s\n", argv[4]);
622 if (fread(&mtKeys, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfKeys) != (uiBlocks + 1) *
sizeof(mifare_classic_block)) {
623 printf(
"Could not read keys file: %s\n", argv[4]);
630 if (atAction == ACTION_READ) {
631 memset(&mtDump, 0x00,
sizeof(mtDump));
633 FILE *pfDump = fopen(argv[3],
"rb");
635 if (pfDump == NULL) {
636 printf(
"Could not open dump file: %s\n", argv[3]);
641 if (fread(&mtDump, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfDump) != (uiBlocks + 1) *
sizeof(mifare_classic_block)) {
642 printf(
"Could not read dump file: %s\n", argv[3]);
650 if (atAction == ACTION_READ) {
651 if (read_card(unlock)) {
652 printf(
"Writing data to file: %s ...", argv[3]);
654 FILE *pfDump = fopen(argv[3],
"wb");
655 if (pfDump == NULL) {
656 printf(
"Could not open dump file: %s\n", argv[3]);
661 if (fwrite(&mtDump, 1, (uiBlocks + 1) *
sizeof(mifare_classic_block), pfDump) != ((uiBlocks + 1) *
sizeof(mifare_classic_block))) {
662 printf(
"\nCould not write to file: %s\n", argv[3]);
671 }
else if (atAction == ACTION_WRITE) {