option --force to hf mfu rdb/wrbl and document how to set version & s…

…ig on ultimate card
wintrmvte · Dec 30, 2021 · 02f2318 · 02f2318
1 parent 85def31
commit 02f2318
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,9 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+ - Added option `--force` to `hf mfu rdb/wrbl` to force operation even if address is out of range (@doegox)
+ - Added documentation for detailed usage of the Ultimate Magic Card (@doegox)
+ - Changed HitagS trace record and parsing to deal with partial bytes and to check CRC8 (@doegox)
  - Added support for KS X 6924 (South Korea's T-money card) (@toucan12)
  - Fixed `hf 15 dump` - now correctly dumps 256 blocks w/o crashing the client (@iceman1001)
  - Changed `hf 14a sim -t 3` - anticollision for DESFire simulation now uses different RATS (@mosci)

diff --git a/client/src/cmdhfmfu.c b/client/src/cmdhfmfu.c
@@ -1772,6 +1772,7 @@ static int CmdHF14AMfUWrBl(const char *Cmd) {
         arg_lit0("l", NULL, "swap entered key's endianness"),
         arg_int1("b", "block", "<dec>", "block number to write"),
         arg_str1("d", "data", "<hex>", "block data (4 or 16 hex bytes, 16 hex bytes will do a compatibility write)"),
+        arg_lit0(NULL, "force", "force operation even if address is out of range"),
         arg_param_end
     };
     CLIExecWithReturn(ctx, Cmd, argtable, false);
@@ -1786,6 +1787,7 @@ static int CmdHF14AMfUWrBl(const char *Cmd) {
     int datalen = 0;
     uint8_t data[16] = {0x00};
     CLIGetHexWithReturn(ctx, 4, data, &datalen);
+    bool force = arg_get_lit(ctx, 5);
     CLIParserFree(ctx);
 
     bool has_auth_key = false;
@@ -1823,7 +1825,7 @@ static int CmdHF14AMfUWrBl(const char *Cmd) {
             break;
         }
     }
-    if (blockno > maxblockno) {
+    if ((blockno > maxblockno) && (!force)) {
         PrintAndLogEx(WARNING, "block number too large. Max block is %u/0x%02X \n", maxblockno, maxblockno);
         return PM3_EINVARG;
     }
@@ -1901,6 +1903,7 @@ static int CmdHF14AMfURdBl(const char *Cmd) {
         arg_str0("k", "key", "<hex>", "key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes)"),
         arg_lit0("l", NULL, "swap entered key's endianness"),
         arg_int1("b", "block", "<dec>", "block number to read"),
+        arg_lit0(NULL, "force", "force operation even if address is out of range"),
         arg_param_end
     };
     CLIExecWithReturn(ctx, Cmd, argtable, false);
@@ -1910,6 +1913,7 @@ static int CmdHF14AMfURdBl(const char *Cmd) {
     CLIGetHexWithReturn(ctx, 1, authenticationkey, &ak_len);
     bool swap_endian = arg_get_lit(ctx, 2);
     int blockno = arg_get_int_def(ctx, 3, -1);
+    bool force = arg_get_lit(ctx, 4);
     CLIParserFree(ctx);
 
     bool has_auth_key = false;
@@ -1942,7 +1946,7 @@ static int CmdHF14AMfURdBl(const char *Cmd) {
             break;
         }
     }
-    if (blockno > maxblockno) {
+    if ((blockno > maxblockno) && (!force)) {
         PrintAndLogEx(WARNING, "block number to large. Max block is %u/0x%02X \n", maxblockno, maxblockno);
         return PM3_EINVARG;
     }

diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md
@@ -793,6 +793,46 @@ hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC1910101112131
 hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001
 ```
 
+### Version and Signature
+
+Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249.
+
+Example for an Ultralight EV1 128b with the signature sample from tools/recover_pk.py
+```
+hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000
+hf mfu wrbl -b 0 -d 04C12865
+hf mfu wrbl -b 1 -d 5A373080
+hf mfu wrbl -b 242 -d CEA2EB0B --force
+hf mfu wrbl -b 243 -d 3C95D084 --force
+hf mfu wrbl -b 244 -d 4A95B824 --force
+hf mfu wrbl -b 245 -d A7553703 --force
+hf mfu wrbl -b 246 -d B3702378 --force
+hf mfu wrbl -b 247 -d 033BF098 --force
+hf mfu wrbl -b 248 -d 7899DB70 --force
+hf mfu wrbl -b 249 -d 151A19E7 --force
+hf mfu wrbl -b 250 -d 00040301 --force
+hf mfu wrbl -b 251 -d 01000E03 --force
+hf mfu info
+```
+
+Example for an NTAG216 with the signature sample from tools/recover_pk.py
+```
+hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001
+hf mfu wrbl -b 0 -d 04E10C61
+hf mfu wrbl -b 1 -d DA993C80
+hf mfu wrbl -b 242 -d 8B76052E --force
+hf mfu wrbl -b 243 -d E42F5567 --force
+hf mfu wrbl -b 244 -d BEB53238 --force
+hf mfu wrbl -b 245 -d B3E3F995 --force
+hf mfu wrbl -b 246 -d 0707C0DC --force
+hf mfu wrbl -b 247 -d C956B5C5 --force
+hf mfu wrbl -b 248 -d EFCFDB70 --force
+hf mfu wrbl -b 249 -d 9B2D82B3 --force
+hf mfu wrbl -b 250 -d 00040402 --force
+hf mfu wrbl -b 251 -d 01001303 --force
+hf mfu info
+```
+
 ## MIFARE Classic Super
 
 It behaves like DirectWrite but records reader auth attempts.