// File-scope state and the raw ISO14443-A frames this tool sends.
// NOTE(review): the number at the start of each line is the line number of the
// original file; lines missing from the sequence are not part of this listing.
63 #define SAK_FLAG_ATS_SUPPORTED 0x20
65 #define MAX_FRAME_LEN 264
// Shared receive buffer: main reads every card response out of abtRx.
67 static uint8_t abtRx[MAX_FRAME_LEN];
// Up to three cascade levels of 4 bytes each (main copies to offsets 0, 4 and 8).
69 static uint8_t abtRawUid[12];
70 static uint8_t abtAtqa[2];
71 static uint8_t abtSak;
72 static uint8_t abtAts[MAX_FRAME_LEN];
// NOTE(review): szAts is a uint8_t while abtAts holds MAX_FRAME_LEN (264) bytes, so a
// length above 255 cannot be represented; the assignment to szAts is not shown here.
73 static uint8_t szAts = 0;
74 static size_t szCL = 1;
77 bool quiet_output =
false;
78 bool iso_ats_supported =
false;
// REQA; main sends it as a 7-bit frame.
81 uint8_t abtReqa[1] = { 0x26 };
// Anticollision request; main patches byte 0 to 0x95 and 0x97 for the further cascade levels.
82 uint8_t abtSelectAll[2] = { 0x93, 0x20 };
// Select frame: main copies 5 response bytes to offset 2 and appends the CRC over the first 7 bytes.
83 uint8_t abtSelectTag[9] = { 0x93, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
84 uint8_t abtRats[4] = { 0xe0, 0x50, 0x00, 0x00 };
// Halt frame; main appends the CRC over the first 2 bytes before sending all 4.
85 uint8_t abtHalt[4] = { 0x50, 0x00, 0x00, 0x00 };
86 #define CASCADE_BIT 0x04
// Unlock sequence: main sends abtUnlock1 as a 7-bit frame and abtUnlock2 as one byte, and
// prints "Card unlocked" when the second is acknowledged. The usage text states that this
// only works with special Mifare 1K cards (Chinese clones).
// NOTE(review): since such cards accept a new block 0, a matching UID read from a card is
// not by itself evidence of which card it is.
89 uint8_t abtUnlock1[1] = { 0x40 };
90 uint8_t abtUnlock2[1] = { 0x43 };
91 uint8_t abtWipe[1] = { 0x41 };
// Write command for block 0; the last two bytes are presumably the precomputed CRC of the
// first two (main recomputes them with iso14443a_crc_append when it changes the block number).
92 uint8_t abtWrite[4] = { 0xa0, 0x00, 0x5f, 0xb1 };
// Default block 0 payload: 16 data bytes plus 2 CRC bytes. Bytes 0..3 are the default UID
// named in the usage text ('01234567') and byte 4 is their XOR.
93 uint8_t abtData[18] = { 0x01, 0x23, 0x45, 0x67, 0x00, 0x08, 0x04, 0x00, 0x46, 0x59, 0x25, 0x58, 0x49, 0x10, 0x23, 0x02, 0x23, 0xeb };
// Payload main writes to blocks 3, 7, ..., 63; presumably the default trailer contents
// behind the -f option ("reset ACLs to default") — confirm against the full file.
94 uint8_t abtBlank[18] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x07, 0x80, 0x69, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x36, 0xCC };
// Sends szTxBits bits from pbtTx as a raw bit frame and echoes both directions with
// print_hex_bits. The response is printed from the shared abtRx buffer; main treats a
// false result as "no answer" (see the REQA and unlock steps).
// NOTE(review): the return type, the transceive call and the error path fall on lines
// that are not part of this listing — presumably nfc_initiator_transceive_bits; confirm.
98 transmit_bits(
const uint8_t *pbtTx,
const size_t szTxBits)
102 printf(
"Sent bits: ");
103 print_hex_bits(pbtTx, szTxBits);
111 printf(
"Received bits: ");
112 print_hex_bits(abtRx, szRxBits);
// Sends szTx whole bytes from pbtTx and echoes both directions with print_hex. The
// response is printed from the shared abtRx buffer, with res as its length.
// NOTE(review): the labels say "bits" although this path prints whole bytes.
// NOTE(review): where res comes from is not shown here — presumably the return value of
// nfc_initiator_transceive_bytes; confirm that a negative result never reaches print_hex.
120 transmit_bytes(
const uint8_t *pbtTx,
const size_t szTx)
124 printf(
"Sent bits: ");
125 print_hex(pbtTx, szTx);
134 printf(
"Received bits: ");
135 print_hex(abtRx, res);
// Prints the command-line help, using argv[0] as the program name.
142 print_usage(
char *argv[])
144 printf(
"Usage: %s [OPTIONS] [UID|BLOCK0]\n", argv[0]);
145 printf(
"Options:\n");
146 printf(
"\t-h\tHelp. Print this message.\n");
147 printf(
"\t-f\tFormat. Delete all data (set to 0xFF) and reset ACLs to default.\n");
148 printf(
"\t-q\tQuiet mode. Suppress output of READER and CARD data (improves timing).\n");
149 printf(
"\n\tSpecify UID (4 HEX bytes) to set UID, or leave blank for default '01234567'.\n");
// NOTE(review): this message calls byte 4 the "CRC", but main recomputes it as the XOR of
// bytes 0..3, which the next message calls the BCC. The text also reads "an overwritten'"
// (typo and stray quote). Both are runtime strings and are left as they are here.
150 printf(
"\n\tSpecify BLOCK0 (16 HEX bytes) to set content of Block0. CRC (Byte 4) is recalculated an overwritten'.\n");
151 printf(
"\tThis utility can be used to recover cards that have been damaged by writing bad\n");
152 printf(
"\tdata (e.g. wrong BCC), thus making them non-selectable by most tools/readers.\n");
153 printf(
"\n\t*** Note: this utility only works with special Mifare 1K cards (Chinese clones).\n\n");
// Entry point: parses the options, initialises libnfc and opens a reader, walks the
// anticollision/select sequence with raw frames, then sends the unlock and write frames.
// NOTE(review): only some of main's lines are part of this listing (the leading numbers
// are the original file's line numbers); declarations, braces and several branches fall
// in the gaps, so the notes below cover the visible statements only.
157 main(
int argc,
char *argv[])
// Two hex digits plus a terminating NUL: the sscanf input for one byte.
162 char tmp[3] = { 0x00, 0x00, 0x00 };
// Option parsing: -h, -f, -q, or a positional argument of 8 or 32 characters.
166 for (arg = 1; arg < argc; arg++) {
167 if (0 == strcmp(argv[arg],
"-h")) {
170 }
else if (0 == strcmp(argv[arg],
"-f")) {
172 }
else if (0 == strcmp(argv[arg],
"-q")) {
174 }
else if (strlen(argv[arg]) == 8) {
// 8 characters: a 4-byte UID, stored in abtData[0..3].
175 for (i = 0 ; i < 4 ; ++i) {
176 memcpy(tmp, argv[arg] + i * 2, 2);
// NOTE(review): the sscanf result is discarded, so a pair that is not valid hex leaves c
// at its previous value and that value is stored. Only the argument length is validated;
// checking for a return of 1 would reject malformed input.
177 sscanf(tmp,
"%02x", &c);
178 abtData[i] = (char) c;
// Byte 4 becomes the XOR of the four UID bytes (the same relation the BCC checks below
// test), then the CRC is appended over the 16 data bytes.
180 abtData[4] = abtData[0] ^ abtData[1] ^ abtData[2] ^ abtData[3];
181 iso14443a_crc_append(abtData, 16);
182 }
else if (strlen(argv[arg]) == 32) {
// 32 characters: a full 16-byte block 0. The same unchecked sscanf applies here.
183 for (i = 0 ; i < 16 ; ++i) {
184 memcpy(tmp, argv[arg] + i * 2, 2);
185 sscanf(tmp,
"%02x", &c);
186 abtData[i] = (char) c;
// The byte 4 given on the command line is overwritten with the recomputed XOR.
188 abtData[4] = abtData[0] ^ abtData[1] ^ abtData[2] ^ abtData[3];
189 iso14443a_crc_append(abtData, 16);
191 ERR(
"%s is not supported option.", argv[arg]);
199 if (context == NULL) {
200 ERR(
"Unable to init libnfc (malloc)");
208 ERR(
"Error opening NFC reader");
// Three property changes are reported through nfc_perror on failure; which properties
// they set is not shown in this listing.
223 nfc_perror(pnd,
"nfc_device_set_property_bool");
230 nfc_perror(pnd,
"nfc_device_set_property_bool");
237 nfc_perror(pnd,
"nfc_device_set_property_bool");
// REQA goes out as a 7-bit frame; no answer is reported as "No tag available".
246 if (!transmit_bits(abtReqa, 7)) {
247 printf(
"Error: No tag available\n");
// The first two response bytes are kept as the ATQA.
252 memcpy(abtAtqa, abtRx, 2);
// Cascade level 1 anticollision.
// NOTE(review): the result of transmit_bytes is discarded here and at the other
// anticollision/select calls below, so abtRx is read whether or not the exchange
// succeeded.
255 transmit_bytes(abtSelectAll, 2);
// BCC check: the XOR of the four UID bytes and the check byte must be zero. Only a
// warning is visible for a mismatch.
258 if ((abtRx[0] ^ abtRx[1] ^ abtRx[2] ^ abtRx[3] ^ abtRx[4]) != 0) {
259 printf(
"WARNING: BCC check failed!\n");
263 memcpy(abtRawUid, abtRx, 4);
// Build the select frame: 4 UID bytes plus BCC at offset 2, CRC over the first 7 bytes.
266 memcpy(abtSelectTag + 2, abtRx, 5);
267 iso14443a_crc_append(abtSelectTag, 7);
268 transmit_bytes(abtSelectTag, 9);
// Cascade bit set in the SAK: the UID continues at the next cascade level.
272 if (abtSak & CASCADE_BIT) {
275 if (abtRawUid[0] != 0x88) {
276 printf(
"WARNING: Cascade bit set but CT != 0x88!\n");
// Cascade level 2 uses select code 0x95.
284 abtSelectAll[0] = 0x95;
287 transmit_bytes(abtSelectAll, 2);
290 if ((abtRx[0] ^ abtRx[1] ^ abtRx[2] ^ abtRx[3] ^ abtRx[4]) != 0) {
291 printf(
"WARNING: BCC check failed!\n");
295 memcpy(abtRawUid + 4, abtRx, 4);
298 abtSelectTag[0] = 0x95;
299 memcpy(abtSelectTag + 2, abtRx, 5);
300 iso14443a_crc_append(abtSelectTag, 7);
301 transmit_bytes(abtSelectTag, 9);
305 if (abtSak & CASCADE_BIT) {
// NOTE(review): this second-level check tests abtRawUid[0] again. The first byte received
// at this level was copied to abtRawUid[4] — confirm which index is intended.
308 if (abtRawUid[0] != 0x88) {
309 printf(
"WARNING: Cascade bit set but CT != 0x88!\n");
// Cascade level 3 uses select code 0x97.
317 abtSelectAll[0] = 0x97;
318 transmit_bytes(abtSelectAll, 2);
321 if ((abtRx[0] ^ abtRx[1] ^ abtRx[2] ^ abtRx[3] ^ abtRx[4]) != 0) {
322 printf(
"WARNING: BCC check failed!\n");
326 memcpy(abtRawUid + 8, abtRx, 4);
329 abtSelectTag[0] = 0x97;
330 memcpy(abtSelectTag + 2, abtRx, 5);
331 iso14443a_crc_append(abtSelectTag, 7);
332 transmit_bytes(abtSelectTag, 9);
339 iso_ats_supported =
true;
// UID report. The printf groups below print 4, 7 or 10 UID bytes; the longer forms skip
// index 0 (and index 4 in the 10-byte form). The condition selecting a group is not
// shown — presumably szCL; confirm.
342 printf(
"\nFound tag with\n UID: ");
345 printf(
"%02x%02x%02x%02x", abtRawUid[0], abtRawUid[1], abtRawUid[2], abtRawUid[3]);
348 printf(
"%02x%02x%02x", abtRawUid[1], abtRawUid[2], abtRawUid[3]);
349 printf(
"%02x%02x%02x%02x", abtRawUid[4], abtRawUid[5], abtRawUid[6], abtRawUid[7]);
352 printf(
"%02x%02x%02x", abtRawUid[1], abtRawUid[2], abtRawUid[3]);
353 printf(
"%02x%02x%02x", abtRawUid[5], abtRawUid[6], abtRawUid[7]);
354 printf(
"%02x%02x%02x%02x", abtRawUid[8], abtRawUid[9], abtRawUid[10], abtRawUid[11]);
// The ATQA bytes are printed in swapped order (index 1, then index 0).
358 printf(
"ATQA: %02x%02x\n SAK: %02x\n", abtAtqa[1], abtAtqa[0], abtSak);
361 print_hex(abtAts, szAts);
// Halt the card (CRC over the 2 command bytes) before the unlock sequence.
366 iso14443a_crc_append(abtHalt, 2);
367 transmit_bytes(abtHalt, 4);
// Unlock step 1 of 2 goes out as a 7-bit frame. The branch structure around the wipe and
// the second unlock step falls in the gaps of this listing.
369 if (!transmit_bits(abtUnlock1, 7)) {
370 printf(
"Warning: Unlock command [1/2]: failed / not acknowledged.\n");
373 transmit_bytes(abtWipe, 1);
374 transmit_bytes(abtHalt, 4);
375 transmit_bits(abtUnlock1, 7);
378 if (transmit_bytes(abtUnlock2, 1)) {
379 printf(
"Card unlocked\n");
381 printf(
"Warning: Unlock command [2/2]: failed / not acknowledged.\n");
// Write block 0: the command frame first, then the 16 data bytes plus CRC.
// NOTE(review): both results are discarded and no read-back of block 0 is visible, so a
// failed write is not reported by these lines.
385 transmit_bytes(abtWrite, 4);
386 transmit_bytes(abtData, 18);
// Every fourth block starting at block 3 gets abtBlank; the write command's block number
// is patched and its CRC recomputed on each pass. Whether this loop is guarded by the -f
// option is not shown here.
388 for (i = 3 ; i < 64 ; i += 4) {
389 abtWrite[1] = (char) i;
390 iso14443a_crc_append(abtWrite, 2);
391 transmit_bytes(abtWrite, 4);
392 transmit_bytes(abtBlank, 18);
const char * nfc_device_get_name(nfc_device *pnd)
Returns the device name.
void nfc_close(nfc_device *pnd)
Close an NFC device.
nfc_device * nfc_open(nfc_context *context, const nfc_connstring connstring)
Open an NFC device.
void nfc_perror(const nfc_device *pnd, const char *pcString)
Display the last error that occurred on an nfc_device.
int nfc_initiator_transceive_bytes(nfc_device *pnd, const uint8_t *pbtTx, const size_t szTx, uint8_t *pbtRx, const size_t szRx, int timeout)
Send data to target then retrieve data from target.
int nfc_initiator_transceive_bits(nfc_device *pnd, const uint8_t *pbtTx, const size_t szTxBits, const uint8_t *pbtTxPar, uint8_t *pbtRx, const size_t szRx, uint8_t *pbtRxPar)
Transceive raw bit-frames to a target.
int nfc_initiator_init(nfc_device *pnd)
Initialize NFC device as initiator (reader)
void nfc_exit(nfc_context *context)
Deinitialize libnfc. Should be called after closing all open devices and before your application term...
void nfc_init(nfc_context **context)
Initialize libnfc. This function must be called before calling any other libnfc function.
int nfc_device_set_property_bool(nfc_device *pnd, const nfc_property property, const bool bEnable)
Set a device's boolean-property value.
#define SAK_FLAG_ATS_SUPPORTED
Provides functions shared by the examples, such as printing, parity calculation and option parsing.
#define ERR(...)
Print an error message.
NFC library context Struct which contains internal options, references, pointers, etc....