diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5711c10902f692de580aabc19bf3d38a0a7d5f69..292bd4c12fdccc68377b3023015b2eeaeec2b4b0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
+ - Added `hf mfp list` - interprets MIFARE Plus commands in traces (@DidierA)
- Changed `hf legic sim` - loop and return codes on deviceside updated to DEFINES (@iceman1001)
- Changed `hf legic einfo` - now accepts the three different cardsizes as params (@iceman1001)
- Fix `lf cotag reader -1` - now doesn't fail (@iceman1001)
diff --git a/client/src/cmdhflist.c b/client/src/cmdhflist.c
index 5ddd3f1fa7c34f28c5d15e46b18f3020117322bc..64f88571373ceed1e338cff313e8502d9906cd32 100644
--- a/client/src/cmdhflist.c
+++ b/client/src/cmdhflist.c
@@ -1197,6 +1197,230 @@ }
}
}
//-----------------------------------------------------------------------------
+ case MAGSAFE_CMD_WUPA_4:
+const char *mfpGetAnnotationForCode(uint8_t code) {
+ struct mfp_code_msg {
+ uint8_t code;
+ const char *annotation;
+ } messages[] = {
+ { MFP_GETVERSION, "GET VERSION"},
+ { MFP_ADDITIONALFRAME, "NEXT FRAME"},
+ { MFP_AUTHENTICATENONFIRST, "FOLLOWING AUTH"},
+ { MFP_AUTHENTICATECONTINUE, "SECOND AUTH STEP"},
+ { MFP_RESETAUTH, "RESET AUTH"},
+ { MFP_COMMITPERSO, "COMMIT PERSO"},
+ { MFP_VCSUPPORTLASTISOL3, "CHECK VIRTUAL CARD"},
+ { MFP_ISOSELECT, "SELECT VIRTUAL CARD"},
+ { MFP_SETCONFIGSL1, "SET CONFIG SL1"},
+ { MFP_MF_PERSONALIZEUIDUSAGE, "PERSONALIZE UID USAGE"},
+ { MFP_READ_SIG, "READ SIGNATURE"},
+ { MFDES_PREPARE_PC, "PREPARE PROXIMITY CHECK"},
+ { MFDES_PROXIMITY_CHECK, "PROXIMITY CHECK"},
+ { MFDES_VERIFY_PC, "VERIFY PROXIMITY CHECK"},
+ { 0, NULL}
+ } ;
+
+ for (struct mfp_code_msg *p=messages ; p->annotation != NULL ; p++) {
+ if (p->code == code) {
+ return p->annotation ;
+ }
+ }
+ return NULL ;
+}
+
+// MIFARE Plus
+void annotateMfPlus(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
+
+ // If we are in Mifare Classic Authenticated mode, all the work has already be done elsewhere
+ if ((MifareAuthState != masNone) && (MifareAuthState != masError)) {
+ return ;
+ }
+
+ // it's basically a ISO14443a tag, so try annotation from there
+ if (applyIso14443a(exp, size, cmd, cmdsize, false) == PM3_SUCCESS) {
+ return ;
+ }
+
+ // ok this part is copy paste from annotateMfDesfire, it seems to work for MIFARE Plus also
+ if (((cmd[0] & 0xC0) == 0x00) && (cmdsize > 2)) {
+
+ // PCB [CID] [NAD] [INF] CRC CRC
+ int pos = 1;
+ if ((cmd[0] & 0x08) == 0x08) // cid byte following
+ pos++;
+
+ if ((cmd[0] & 0x04) == 0x04) // nad byte following
+ pos++;
+
+ for (uint8_t i = 0; i < 2; i++, pos++) {
+ bool found_annotation = true;
+
+ uint8_t *data = cmd + pos + 1;
+ // if the byte prior to the command is 90 the command is wrapped, so data starts 3 bytes later
+ if (i > 0 && cmd[pos - 1] == 0x90) {
+ data += 3;
+ }
+ uint8_t data_size = 0;
+ if (cmdsize > (data - cmd)) {
+ data_size = cmdsize - (data - cmd);
+ }
+
+ switch (cmd[pos]) {
+ case MFP_AUTHENTICATEFIRST:
+ case MFP_AUTHENTICATEFIRST_VARIANT:
+ if (data_size > 1) {
+ // key : uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0);
+ uint16_t uKeyNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "FIRST AUTH (Keynr 0x%04X: %c sector %d)", uKeyNum, uKeyNum & 0x0001 ? 'B' : 'A', (uKeyNum - 0x4000)/2 );
+ } else {
+ snprintf(exp, size, "FIRST AUTH") ;
+ }
+ break;
+
+ case MFP_WRITEPERSO:
+ if (data_size > 1) {
+ uint16_t uKeyNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "WRITE PERSO (Keynr 0x%04X)", uKeyNum);
+ } else {
+ snprintf(exp, size, "WRITE PERSO");
+ }
+ break;
+
+ case MFP_READENCRYPTEDNOMAC_MACED:
+ case MFP_READENCRYPTEDMAC_MACED:
+ case MFP_READENCRYPTEDNOMAC_UNMACED:
+ case MFP_READENCRYPTEDMAC_UNMACED:
+ if (data_size > 2) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ uint8_t uQty = data[2] ;
+ if (uQty != 1) {
+ snprintf(exp, size, "READ ENCRYPTED(%u-%u)", uBlockNum, uBlockNum+uQty-1);
+ } else {
+ snprintf(exp, size, "READ ENCRYPTED(%u)", uBlockNum);
+ }
+ } else {
+ snprintf(exp, size, "READ ENCRYPTED ?");
+ }
+ break;
+
+ case MFP_READPLAINNOMAC_MACED:
+ case MFP_READPLAINMAC_MACED:
+ case MFP_READPLAINNOMAC_UNMACED:
+ case MFP_READPLAINMAC_UNMACED:
+ if (data_size > 2) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ uint8_t uQty = data[2] ;
+ if (uQty != 1) {
+ snprintf(exp, size, "READ PLAIN(%u-%u)", uBlockNum, uBlockNum+uQty-1);
+ } else {
+ snprintf(exp, size, "READ PLAIN(%u)", uBlockNum);
+ }
+ } else {
+ snprintf(exp, size, "READ PLAIN ?");
+ }
+ break;
+
+ case MFP_WRITEPLAINNOMAC :
+ case MFP_WRITEPLAINMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "WRITE PLAIN(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "WRITE PLAIN ?");
+ }
+ break;
+
+ case MFP_WRITEENCRYPTEDNOMAC:
+ case MFP_WRITEENCRYPTEDMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "WRITE ENCRYPTED(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "WRITE ENCRYPTED ?");
+ }
+ break;
+
+ case MFP_INCREMENTNOMAC :
+ case MFP_INCREMENTMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "INCREMENT(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "INCREMENT ?");
+ }
+ break;
+
+ case MFP_DECREMENTNOMAC :
+ case MFP_DECREMENTMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "DECREMENT(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "DECREMENT ?");
+ }
+ break;
+
+ case MFP_TRANSFERNOMAC :
+ case MFP_TRANSFERMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "TRANSFER(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "TRANSFER ?");
+ }
+ break;
+
+ case MFP_INCREMENTTRANSFERNOMAC:
+ case MFP_INCREMENTTRANSFERMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "INCREMENT, TRANSFER(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "INCREMENT, TRANSFER ?");
+ }
+ break;
+
+ case MFP_DECREMENTTRANSFERNOMAC:
+ case MFP_DECREMENTTRANSFERMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "DECREMENT, TRANSFER(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "DECREMENT, TRANSFER ?");
+ }
+ break;
+
+ case MFP_RESTORENOMAC :
+ case MFP_RESTOREMAC :
+ if (data_size > 1) {
+ uint16_t uBlockNum = MemLeToUint2byte(data) ;
+ snprintf(exp, size, "RESTORE(%u)", uBlockNum);
+ } else {
+ snprintf(exp, size, "RESTORE ?");
+ }
+ break;
+
+ default:
+ // Messages for commands that do not need args are treated here
+ const char *annotation = mfpGetAnnotationForCode(cmd[pos]) ;
+ if (annotation != NULL) {
+ snprintf(exp, size, "%s", annotation) ;
+ } else {
+ found_annotation = false;
+ }
+ break;
+ }
+ if (found_annotation) {
+ break;
+ }
+ }
+ } else {
+ // anything else
+ snprintf(exp, size, "?");
+ }
+}
+
+//-----------------------------------------------------------------------------
// This program is free software: you can redistribute it and/or modify
/**
06 00 = INITIATE
diff --git a/client/src/cmdhflist.h b/client/src/cmdhflist.h
index 6499938ebf9c90afc754bade1c9bc6681719f1fa..7c7e09ffb072c2770a118db322b52b9ea08da72f 100644
--- a/client/src/cmdhflist.h
+++ b/client/src/cmdhflist.h
@@ -56,6 +56,8 @@ void annotateIso7816(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize);
void annotateIso14443b(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize);
void annotateIso14443a(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, bool is_response);
void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize);
+const char *mfpGetAnnotationForCode(uint8_t code);
+void annotateMfPlus(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize);
void annotateMifare(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize,
const uint8_t *parity, uint8_t paritysize, bool isResponse);
void annotateLTO(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize);
diff --git a/client/src/cmdhfmfp.c b/client/src/cmdhfmfp.c
index 52f3da57eea07061d93a007f6d36eb9b3a3f9518..e8e2c722665b9cc5991b78a00cf97935bf62963c 100644
--- a/client/src/cmdhfmfp.c
+++ b/client/src/cmdhfmfp.c
@@ -1812,7 +1812,7 @@ }
static int CmdHFMFPList(const char *Cmd) {
// but WITHOUT ANY WARRANTY; without even the implied warranty of
- } else {
+static nxp_cardtype_t getCardType(uint8_t major, uint8_t minor) {
}
static command_t CommandTable[] = {
diff --git a/client/src/cmdtrace.c b/client/src/cmdtrace.c
index 326a646b9103a13caf7b01019f35cd23d15a7e7a..0d47d2d7c584ad5cfb36f6593f56546b2ca618ea 100644
--- a/client/src/cmdtrace.c
+++ b/client/src/cmdtrace.c
@@ -533,6 +533,7 @@ case FELICA:
crcStatus = !felica_CRC_check(frame + 2, data_len - 4);
break;
case PROTO_MIFARE:
+ case PROTO_MFPLUS:
crcStatus = mifare_CRC_check(hdr->isResponse, frame, data_len);
break;
case ISO_14443A:
@@ -603,7 +604,7 @@ && protocol != THINFILM
&& protocol != FELICA
&& protocol != LTO
&& protocol != PROTO_CRYPTORF
- && (hdr->isResponse || protocol == ISO_14443A || protocol == PROTO_MIFARE || protocol == SEOS)
+ && (hdr->isResponse || protocol == ISO_14443A || protocol == PROTO_MIFARE || protocol == PROTO_MFPLUS || protocol == SEOS)
&& (oddparity8(frame[j]) != ((parityBits >> (7 - (j & 0x0007))) & 0x01))) {
snprintf(line[j / 18] + ((j % 18) * 4), 120, "%02x! ", frame[j]);
@@ -701,6 +702,7 @@
// mark short bytes (less than 8 Bit + Parity)
if (protocol == ISO_14443A ||
protocol == PROTO_MIFARE ||
+ protocol == PROTO_MFPLUS ||
protocol == THINFILM) {
// approximated with 128 * (9 * data_len);
@@ -747,6 +749,7 @@ case ISO_7816_4:
annotateIso14443a(explanation, sizeof(explanation), frame, data_len, hdr->isResponse);
break;
case PROTO_MIFARE:
+ case PROTO_MFPLUS:
annotateMifare(explanation, sizeof(explanation), frame, data_len, parityBytes, TRACELOG_PARITY_LEN(hdr), hdr->isResponse);
break;
case PROTO_HITAG1:
@@ -766,7 +769,6 @@ break;
}
if (hdr->isResponse == false) {
-
switch (protocol) {
case LEGIC:
annotateLegic(explanation, sizeof(explanation), frame, data_len);
@@ -774,6 +776,9 @@ break;
case MFDES:
annotateMfDesfire(explanation, sizeof(explanation), frame, data_len);
break;
+ case PROTO_MFPLUS:
+ annotateMfPlus(explanation, sizeof(explanation), frame, data_len);
+ break;
case ISO_14443B:
annotateIso14443b(explanation, sizeof(explanation), frame, data_len);
break;
@@ -901,9 +906,9 @@
}
}
-// This program is free software: you can redistribute it and/or modify
+// (at your option) any later version.
// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
uint8_t mfData[32] = {0};
size_t mfDataLen = 0;
if (DecodeMifareData(frame, data_len, parityBytes, hdr->isResponse, mfData, &mfDataLen, mfDicKeys, mfDicKeysCount)) {
@@ -1202,6 +1207,7 @@ "trace list -t mf -> interpret as " _YELLOW_("MIFARE Classic") " and decrypt crypto1 stream\n"
"trace list -t seos -> interpret as " _YELLOW_("SEOS") "\n"
"trace list -t thinfilm -> interpret as " _YELLOW_("Thinfilm") "\n"
"trace list -t topaz -> interpret as " _YELLOW_("Topaz") "\n"
+ "trace list -t mfp -> interpret as " _YELLOW_("MIFARE Plus") "\n"
"\n"
"trace list -t mf -f mfc_default_keys.dic -> use default dictionary file\n"
"trace list -t 14a --frame -> show frame delay times\n"
@@ -1269,6 +1275,8 @@ else if (strcmp(type, "seos") == 0) protocol = SEOS;
else if (strcmp(type, "thinfilm") == 0) protocol = THINFILM;
else if (strcmp(type, "topaz") == 0) protocol = TOPAZ;
// (at your option) any later version.
+ // set trace position
+// (at your option) any later version.
// This program is free software: you can redistribute it and/or modify
else {
PrintAndLogEx(FAILED, "Unknown protocol \"%s\"", type);
@@ -1308,7 +1316,7 @@ PrintAndLogEx(INFO, _YELLOW_("start") " = start of start frame " _YELLOW_("end") " = end of frame. " _YELLOW_("src") " = source of transfer");
}
// (at your option) any later version.
-#include "cmdparser.h" // command_t
+ tracepos += SKIP_TO_NEXT(hdr);
if (use_us)
PrintAndLogEx(INFO, _YELLOW_("ISO14443A") " - all times are in microseconds");
else
@@ -1359,7 +1367,7 @@ uint32_t dicKeysCount = 0;
bool dictionaryLoad = false;
// (at your option) any later version.
- while (!is_last_record(*tracepos, traceLen) && !next_record_is_response(*tracepos, trace)) {
+ // sanity check data frame length
if (diclen > 0) {
uint8_t *keyBlock = NULL;
int res = loadFileDICTIONARY_safe(dictionary, (void **) &keyBlock, 6, &dicKeysCount);
@@ -1393,7 +1401,7 @@ PrintAndLogEx(NORMAL, "------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------");
// clean authentication data used with the mifare classic decrypt fct
// (at your option) any later version.
- pos++;
+ if (data_len == 0) {
ClearAuthData();
uint32_t previous_EOT = 0;
diff --git a/doc/commands.json b/doc/commands.json
index 5686c75422cd3cf09b5b128f01f899923a62afe2..0618f51526092dbe7cd790021d6e87b04d4a6ff0 100644
--- a/doc/commands.json
+++ b/doc/commands.json
@@ -6159,13 +6159,12 @@ "usage": "hf mfp initp [-hv] [-k ]"
},
"hf mfp list": {
"command": "hf mfp list",
- "-v, --verbose verbose"
+ "description": "Sends an ISO 7816-4 APDU via ISO 14443-4 block transmission protocol (T=CL). works with all apdu types from ISO 7816-4:2013",
- "command": "analyse a",
"notes": [
- "-b, --breaks <dec> row break, def 16",
"description": "Iceman's personal garbage test command",
+ "description": "Executes EMV contactless transaction",
- "-v, --verbose verbose"
+ "-C, --ind <int> inductance in micro henries (H)"
- "notes": [
+ "commands": {
],
"offline": true,
"options": [
@@ -6179,8 +6178,8 @@ "-x show hexdump to convert to pcap(ng)",
"or to import into Wireshark using encapsulation type \"ISO 14443\"",
"-f, --file <fn> filename of dictionary"
],
- "-v, --verbose verbose"
+ "-C, --ind <int> inductance in micro henries (H)"
- "analyse a -d 137AF00A0A0D"
+ "analyse a": {
},
"hf mfp mad": {
"command": "hf mfp mad",
@@ -11492,6 +11491,7 @@ "trace list -t mf -> interpret as MIFARE Classic and decrypt crypto1 stream",
"trace list -t seos -> interpret as SEOS",
"trace list -t thinfilm -> interpret as Thinfilm",
"trace list -t topaz -> interpret as Topaz",
+ "trace list -t mfp -> interpret as MIFARE Plus",
"",
"trace list -t mf -f mfc_default_keys.dic -> use default dictionary file",
"trace list -t 14a --frame -> show frame delay times",
@@ -11699,6 +11699,6 @@ "metadata": {
"commands_extracted": 679,
"extracted_by": "PM3Help2JSON v1.00",
"description": "Iceman's personal garbage test command",
- "-w, --wired Send data via contact (iso7816) interface. (def: Contactless interface)"
+ "-t, --tlv TLV decode results",
}
}
\ No newline at end of file
diff --git a/include/protocols.h b/include/protocols.h
index 721dccaf587125b6326887db52c0d0b554917540..772105c9df76180b62e5a2838b4eff78cc05951d 100644
--- a/include/protocols.h
+++ b/include/protocols.h
@@ -428,6 +428,7 @@ #define PROTO_HITAG2 13
#define PROTO_HITAGS 14
#define PROTO_CRYPTORF 15
#define SEOS 16
+#define PROTO_MFPLUS 17
// Picopass fuses
#define FUSE_FPERS 0x80
@@ -619,6 +620,58 @@ #define MFDES_E_DUPLICATE 0xDE
#define MFDES_E_EEPROM 0xEE
#define MFDES_E_FILE_NOT_FOUND 0xF0
#define MFDES_E_FILE_INTEGRITY 0xF1
+
+// MIFARE PLus EV2 Command set
+// source: https://www.nxp.com/docs/en/data-sheet/MF1P(H)x2.pdf in Look-Up Tables
+
+#define MFP_READ_SIG 0x3C // same as DESFIRE
+#define MFP_WRITEPERSO 0xA8
+#define MFP_COMMITPERSO 0xAA
+
+#define MFP_AUTHENTICATEFIRST 0x70
+#define MFP_AUTHENTICATEFIRST_VARIANT 0x73
+#define MFP_AUTHENTICATENONFIRST 0x76
+#define MFP_AUTHENTICATECONTINUE 0x72
+#define MFP_AUTHENTICATESECTORSWITCH 0x7A
+#define MFP_RESETAUTH 0x78
+
+#define MFP_VCSUPPORTLASTISOL3 0x4B
+#define MFP_ISOSELECT 0xA4
+
+#define MFP_GETVERSION 0x60 // same as DESFIRE
+#define MFP_ADDITIONALFRAME 0xAF
+#define MFP_SETCONFIGSL1 0x44
+#define MFP_MF_PERSONALIZEUIDUSAGE 0x40
+
+// read commands
+#define MFP_READENCRYPTEDNOMAC_MACED 0X30
+#define MFP_READENCRYPTEDMAC_MACED 0x31
+#define MFP_READPLAINNOMAC_MACED 0x32
+#define MFP_READPLAINMAC_MACED 0x33
+#define MFP_READENCRYPTEDNOMAC_UNMACED 0x34
+#define MFP_READENCRYPTEDMAC_UNMACED 0X35
+#define MFP_READPLAINNOMAC_UNMACED 0x36
+#define MFP_READPLAINMAC_UNMACED 0x37
+
+// write commands
+#define MFP_WRITEENCRYPTEDNOMAC 0xA0
+#define MFP_WRITEENCRYPTEDMAC 0xA1
+#define MFP_WRITEPLAINNOMAC 0xA2
+#define MFP_WRITEPLAINMAC 0xA3
+
+// value commands
+#define MFP_INCREMENTNOMAC 0xB0
+#define MFP_INCREMENTMAC 0xB1
+#define MFP_DECREMENTNOMAC 0xB2
+#define MFP_DECREMENTMAC 0xB3
+#define MFP_TRANSFERNOMAC 0xB4
+#define MFP_TRANSFERMAC 0xB5
+#define MFP_INCREMENTTRANSFERNOMAC 0xB6
+#define MFP_INCREMENTTRANSFERMAC 0xB7
+#define MFP_DECREMENTTRANSFERNOMAC 0xB8
+#define MFP_DECREMENTTRANSFERMAC 0xB9
+#define MFP_RESTORENOMAC 0xC2
+#define MFP_RESTOREMAC 0xC3
// LEGIC Commands
