1 /*-
2  * Free/Libre Near Field Communication (NFC) library
3  *
4  * Libnfc historical contributors:
5  * Copyright (C) 2009 Roel Verdult
6  * Copyright (C) 2009-2013 Romuald Conty
7  * Copyright (C) 2010-2012 Romain Tartière
8  * Copyright (C) 2010-2013 Philippe Teuwen
9  * Copyright (C) 2012-2013 Ludovic Rousseau
10  * See AUTHORS file for a more comprehensive list of contributors.
11  * Additional contributors of this file:
12  * Copyright (C) 2011 Adam Laurie
13  * Copyright (C) 2014 Dario Carluccio
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions are met:
17  * 1) Redistributions of source code must retain the above copyright notice,
18  * this list of conditions and the following disclaimer.
19  * 2) Redistributions in binary form must reproduce the above copyright
20  * notice, this list of conditions and the following disclaimer in the
21  * documentation and/or other materials provided with the distribution.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
24  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
27  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  *
35  * Note that this license only applies on the examples, NFC library itself is under LGPL
36  *
37  */
38 
48 #ifdef HAVE_CONFIG_H
49 # include "config.h"
50 #endif // HAVE_CONFIG_H
51 
52 #include <stdio.h>
53 #include <stdlib.h>
54 #include <stddef.h>
55 #include <stdint.h>
56 #include <stdbool.h>
57 #include <string.h>
58 
59 #include <nfc/nfc.h>
60 
61 #include "utils/nfc-utils.h"
62 
// SAK mask tested after the final select; it only sets iso_ats_supported, no RATS is ever sent by this tool
#define SAK_FLAG_ATS_SUPPORTED 0x20

// Size of the raw receive buffer (one frame)
#define MAX_FRAME_LEN 264

static uint8_t abtRx[MAX_FRAME_LEN];   // last answer received by transmit_bits()/transmit_bytes(); stale on a failed exchange
static int szRxBits;                   // bit count of the last transmit_bits() answer (negative when the exchange failed)
static uint8_t abtRawUid[12];          // UID as answered per cascade level, 4 bytes per level, cascade tag (0x88) included
static uint8_t abtAtqa[2];             // answer to REQA
static uint8_t abtSak;                 // SAK answered to the most recent select
static uint8_t abtAts[MAX_FRAME_LEN];  // never written in this file
static uint8_t szAts = 0;              // never written in this file, so the " ATS:" printout in main() cannot trigger
static size_t szCL = 1;//Always start with Cascade Level 1 (CL1)
static nfc_device *pnd;                // the reader, opened in main() and used by the transmit_* helpers

bool quiet_output = false;        // -q: suppress the "Sent"/"Received" frame dumps
bool iso_ats_supported = false;   // set from the SAK in main(), never read afterwards
// NOTE(review): the non-static globals below have external linkage although only this file uses them

// ISO14443A Anti-Collision Commands
uint8_t abtReqa[1] = { 0x26 };                    // sent as a 7-bit short frame
uint8_t abtSelectAll[2] = { 0x93, 0x20 };         // byte 0 is overwritten with 0x95 / 0x97 for CL2 / CL3
uint8_t abtSelectTag[9] = { 0x93, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };   // byte 0 = CL code, bytes 2-6 = UID+BCC echoed as received, bytes 7-8 = CRC
uint8_t abtRats[4] = { 0xe0, 0x50, 0x00, 0x00 };  // unused in this file
uint8_t abtHalt[4] = { 0x50, 0x00, 0x00, 0x00 };  // bytes 2-3 are filled with the CRC by main() before use
#define CASCADE_BIT 0x04                          // SAK bit announcing a further cascade level

// special unlock command
uint8_t abtUnlock1[1] = { 0x40 };   // sent as a 7-bit frame
uint8_t abtUnlock2[1] = { 0x43 };   // sent as one byte
uint8_t abtWipe[1] = { 0x41 };      // only sent with -f, between the two unlock commands
uint8_t abtWrite[4] = { 0xa0, 0x00, 0x5f, 0xb1 };   // write command for block 0 with precomputed CRC; byte 1 and the CRC are rewritten for the -f trailer blocks
uint8_t abtData[18] = { 0x01, 0x23, 0x45, 0x67, 0x00, 0x08, 0x04, 0x00, 0x46, 0x59, 0x25, 0x58, 0x49, 0x10, 0x23, 0x02, 0x23, 0xeb };   // block 0 (16 bytes) + CRC; default UID 01234567, byte 4 = BCC (XOR of bytes 0-3), recomputed by main() when a UID/BLOCK0 argument is given
uint8_t abtBlank[18] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x07, 0x80, 0x69, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x36, 0xCC };   // written to blocks 3, 7, ..., 63 with -f; presumably the default sector trailer (keys FF*6, access bits FF 07 80 69) followed by its CRC -- confirm, the CRC is never recomputed here
95 
96 
/*
 * Send a raw bit frame (szTxBits bits of pbtTx) and keep the answer in abtRx.
 * The answer length in bits is stored in szRxBits (negative on failure).
 * Frames are dumped to stdout unless quiet_output is set.
 * Returns true when the exchange succeeded, false otherwise.
 */
static bool
transmit_bits(const uint8_t *pbtTx, const size_t szTxBits)
{
  if (!quiet_output) {
    printf("Sent bits: ");
    print_hex_bits(pbtTx, szTxBits);
  }

  // No custom parity: both parity pointers stay NULL
  const int received = nfc_initiator_transceive_bits(pnd, pbtTx, szTxBits, NULL, abtRx, sizeof(abtRx), NULL);
  szRxBits = received;
  if (received < 0) {
    return false;
  }

  if (!quiet_output) {
    printf("Received bits: ");
    print_hex_bits(abtRx, szRxBits);
  }
  return true;
}
117 
118 
/*
 * Send szTx bytes of pbtTx and keep the answer in abtRx (its length is not
 * exported; callers read abtRx positionally).
 * Frames are dumped to stdout unless quiet_output is set; note the labels say
 * "bits" although whole bytes are printed here.
 * Returns true when the exchange succeeded, false otherwise.
 */
static bool
transmit_bytes(const uint8_t *pbtTx, const size_t szTx)
{
  if (!quiet_output) {
    printf("Sent bits: ");
    print_hex(pbtTx, szTx);
  }

  // Timeout 0: use the device default
  const int szRx = nfc_initiator_transceive_bytes(pnd, pbtTx, szTx, abtRx, sizeof(abtRx), 0);
  if (szRx < 0) {
    return false;
  }

  if (!quiet_output) {
    printf("Received bits: ");
    print_hex(abtRx, (size_t) szRx);
  }
  return true;
}
140 
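/*
 * Print the command-line help to stdout.
 *
 * argv: the program's argument vector; only argv[0] (the program name) is read.
 * The BLOCK0 line describes what main() actually does with the argument: byte 4
 * is replaced by the BCC (XOR of bytes 0-3) and the CRC is appended.
 */
static void
print_usage(char *argv[])
{
  printf("Usage: %s [OPTIONS] [UID|BLOCK0]\n", argv[0]);
  printf("Options:\n");
  printf("\t-h\tHelp. Print this message.\n");
  printf("\t-f\tFormat. Delete all data (set to 0xFF) and reset ACLs to default.\n");
  printf("\t-q\tQuiet mode. Suppress output of READER and CARD data (improves timing).\n");
  printf("\n\tSpecify UID (4 HEX bytes) to set UID, or leave blank for default '01234567'.\n");
  printf("\n\tSpecify BLOCK0 (16 HEX bytes) to set content of Block0. BCC (Byte 4) and CRC are recalculated and overwritten.\n");
  printf("\tThis utility can be used to recover cards that have been damaged by writing bad\n");
  printf("\tdata (e.g. wrong BCC), thus making them non-selectable by most tools/readers.\n");
  printf("\n\t*** Note: this utility only works with special Mifare 1K cards (Chinese clones).\n\n");
}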
155 
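/* Value of one hexadecimal digit, or -1 when ch is not a hex digit. */
static int
hex_nibble(char ch)
{
  if (ch >= '0' && ch <= '9') {
    return ch - '0';
  }
  if (ch >= 'a' && ch <= 'f') {
    return ch - 'a' + 10;
  }
  if (ch >= 'A' && ch <= 'F') {
    return ch - 'A' + 10;
  }
  return -1;
}

/*
 * Decode exactly 2*count hex digits of text into out.
 * Returns false as soon as a non-hex character is met (out may then be
 * partially written). The caller has already checked the string length.
 * This replaces the former sscanf("%02x") loop, whose result was never
 * checked, so a non-hex argument stored an uninitialised value in abtData.
 */
static bool
parse_hex_bytes(const char *text, uint8_t *out, size_t count)
{
  for (size_t i = 0; i < count; i++) {
    const int hi = hex_nibble(text[2 * i]);
    const int lo = hex_nibble(text[2 * i + 1]);
    if (hi < 0 || lo < 0) {
      return false;
    }
    out[i] = (uint8_t)((hi << 4) | lo);
  }
  return true;
}

/* Recompute the BCC (byte 4 = XOR of UID bytes 0-3) and append the CRC to the 16-byte block 0 in abtData. */
static void
finalize_block0(void)
{
  abtData[4] = abtData[0] ^ abtData[1] ^ abtData[2] ^ abtData[3];
  iso14443a_crc_append(abtData, 16);
}

/* Release the reader (global pnd) and the libnfc context, then terminate with status. */
static void
close_and_exit(nfc_context *context, int status)
{
  nfc_close(pnd);
  nfc_exit(context);
  exit(status);
}

/* Clear one boolean device property, terminating with EXIT_FAILURE if the device refuses. */
static void
disable_property_or_exit(nfc_context *context, nfc_property property)
{
  if (nfc_device_set_property_bool(pnd, property, false) < 0) {
    nfc_perror(pnd, "nfc_device_set_property_bool");
    close_and_exit(context, EXIT_FAILURE);
  }
}

/*
 * One anti-collision + select round for the cascade level code cl_code
 * (0x93, 0x95 or 0x97). The four answer bytes are stored at
 * abtRawUid + uid_offset and the SAK answered to the select is left in abtSak.
 *
 * A failed exchange only warns: abtRx then still holds the previous answer,
 * and the unlock/write sequence in main() does not depend on a successful
 * selection (this tool exists to recover cards whose block 0 is damaged).
 */
static void
anticollision_level(uint8_t cl_code, size_t uid_offset)
{
  abtSelectAll[0] = cl_code;
  if (!transmit_bytes(abtSelectAll, 2)) {
    printf("WARNING: Anti-collision exchange failed, answer may be stale!\n");
  }

  // BCC is the XOR of the four UID bytes; a wrong BCC is the typical damage this tool repairs
  if ((abtRx[0] ^ abtRx[1] ^ abtRx[2] ^ abtRx[3] ^ abtRx[4]) != 0) {
    printf("WARNING: BCC check failed!\n");
  }
  memcpy(abtRawUid + uid_offset, abtRx, 4);

  // Echo UID + BCC exactly as received so a damaged card still accepts the select
  abtSelectTag[0] = cl_code;
  memcpy(abtSelectTag + 2, abtRx, 5);
  iso14443a_crc_append(abtSelectTag, 7);
  if (!transmit_bytes(abtSelectTag, 9)) {
    printf("WARNING: Select exchange failed, SAK may be stale!\n");
  }
  abtSak = abtRx[0];
}

/*
 * Entry point: parse the options, select the card through up to three cascade
 * levels, print its identity, then send the vendor unlock sequence and rewrite
 * block 0 (with -f, also every sector trailer).
 *
 * Accepted arguments: -h, -f, -q, an 8-hex-digit UID or a 32-hex-digit block 0
 * (see print_usage). Anything else, including a non-hex string of the right
 * length, terminates with EXIT_FAILURE; so does a missing reader or tag.
 */
int
main(int argc, char *argv[])
{
  bool format = false;

  // Get commandline options
  for (int arg = 1; arg < argc; arg++) {
    const size_t len = strlen(argv[arg]);
    if (0 == strcmp(argv[arg], "-h")) {
      print_usage(argv);
      exit(EXIT_SUCCESS);
    } else if (0 == strcmp(argv[arg], "-f")) {
      format = true;
    } else if (0 == strcmp(argv[arg], "-q")) {
      quiet_output = true;
    } else if (len == 8 || len == 32) {
      // 4-byte UID or whole 16-byte block 0; either way the BCC and CRC are recomputed
      if (!parse_hex_bytes(argv[arg], abtData, len / 2)) {
        ERR("%s is not a valid hexadecimal string.", argv[arg]);
        print_usage(argv);
        exit(EXIT_FAILURE);
      }
      finalize_block0();
    } else {
      ERR("%s is not supported option.", argv[arg]);
      print_usage(argv);
      exit(EXIT_FAILURE);
    }
  }

  nfc_context *context;
  nfc_init(&context);
  if (context == NULL) {
    ERR("Unable to init libnfc (malloc)");
    exit(EXIT_FAILURE);
  }

  // Try to open the NFC reader
  pnd = nfc_open(context, NULL);
  if (pnd == NULL) {
    ERR("Error opening NFC reader");
    nfc_exit(context);
    exit(EXIT_FAILURE);
  }

  // Initialise NFC device as "initiator"
  if (nfc_initiator_init(pnd) < 0) {
    nfc_perror(pnd, "nfc_initiator_init");
    close_and_exit(context, EXIT_FAILURE);
  }

  // Raw framing: this tool appends CRCs itself and must not be switched to ISO14443-4
  disable_property_or_exit(context, NP_HANDLE_CRC);
  disable_property_or_exit(context, NP_EASY_FRAMING);
  disable_property_or_exit(context, NP_AUTO_ISO14443_4);

  printf("NFC reader: %s opened\n", nfc_device_get_name(pnd));

  // REQA (0x26) is a 7-bit short frame
  if (!transmit_bits(abtReqa, 7)) {
    printf("Error: No tag available\n");
    close_and_exit(context, EXIT_FAILURE);
  }
  memcpy(abtAtqa, abtRx, 2);

  // Walk the cascade levels; the cascade bit of the SAK announces another level (three at most)
  static const uint8_t cascade_codes[3] = { 0x93, 0x95, 0x97 };
  szCL = 1;
  for (;;) {
    anticollision_level(cascade_codes[szCL - 1], (szCL - 1) * 4);
    if (szCL == 3 || !(abtSak & CASCADE_BIT)) {
      break;
    }
    // The first byte answered at a non-final level must be the cascade tag 0x88.
    // Checked at the level just completed (the former code re-tested byte 0 before CL3).
    if (abtRawUid[(szCL - 1) * 4] != 0x88) {
      printf("WARNING: Cascade bit set but CT != 0x88!\n");
    }
    szCL++;
  }

  // Only recorded; no RATS is sent by this tool
  if (abtSak & SAK_FLAG_ATS_SUPPORTED) {
    iso_ats_supported = true;
  }

  // Print the UID without the cascade tags (bytes 0 and 4 of multi-level UIDs)
  printf("\nFound tag with\n UID: ");
  switch (szCL) {
    case 1:
      printf("%02x%02x%02x%02x", abtRawUid[0], abtRawUid[1], abtRawUid[2], abtRawUid[3]);
      break;
    case 2:
      printf("%02x%02x%02x", abtRawUid[1], abtRawUid[2], abtRawUid[3]);
      printf("%02x%02x%02x%02x", abtRawUid[4], abtRawUid[5], abtRawUid[6], abtRawUid[7]);
      break;
    case 3:
      printf("%02x%02x%02x", abtRawUid[1], abtRawUid[2], abtRawUid[3]);
      printf("%02x%02x%02x", abtRawUid[5], abtRawUid[6], abtRawUid[7]);
      printf("%02x%02x%02x%02x", abtRawUid[8], abtRawUid[9], abtRawUid[10], abtRawUid[11]);
      break;
    default:
      break;
  }
  printf("\n");
  printf("ATQA: %02x%02x\n SAK: %02x\n", abtAtqa[1], abtAtqa[0], abtSak);
  if (szAts > 1) { // if = 1, it's not actual ATS but error code (szAts is never set in this file)
    printf(" ATS: ");
    print_hex(abtAts, szAts);
  }
  printf("\n");

  // now reset UID: HALT first, the vendor unlock sequence starts from the halted state
  iso14443a_crc_append(abtHalt, 2);
  transmit_bytes(abtHalt, 4);

  if (!transmit_bits(abtUnlock1, 7)) {
    printf("Warning: Unlock command [1/2]: failed / not acknowledged.\n");
  } else {
    if (format) {
      transmit_bytes(abtWipe, 1);
      transmit_bytes(abtHalt, 4);
      transmit_bits(abtUnlock1, 7);
    }

    if (transmit_bytes(abtUnlock2, 1)) {
      printf("Card unlocked\n");
    } else {
      printf("Warning: Unlock command [2/2]: failed / not acknowledged.\n");
    }
  }

  // Write block 0; both frames are always sent, the warning covers either one failing
  bool written = transmit_bytes(abtWrite, 4);
  written = transmit_bytes(abtData, 18) && written;
  if (!written) {
    printf("Warning: Block 0 write: failed / not acknowledged.\n");
  }
  if (format) {
    // Rewrite every sector trailer (blocks 3, 7, ..., 63) with abtBlank
    for (int i = 3; i < 64; i += 4) {
      abtWrite[1] = (uint8_t) i;
      iso14443a_crc_append(abtWrite, 2);
      transmit_bytes(abtWrite, 4);
      transmit_bytes(abtBlank, 18);
    }
  }

  nfc_close(pnd);
  nfc_exit(context);
  return EXIT_SUCCESS;
}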