Merge branch 'master' into cherry_pick_emv

Signed-off-by: Iceman <[email protected]>

.github/workflows/codeql-analysis.yml

@@ -12,6 +12,7 @@
 name: "CodeQL"
 
 on:
+  workflow_dispatch:
   push:
     branches: [ master ]
   pull_request:

.github/workflows/rebase.yml

@@ -2,6 +2,7 @@ on: pull_request_target
 name: Changelog Reminder
 jobs:
   remind:
+    if: github.repository_owner = 'RfidResearchGroup'
     name: Changelog Reminder
     runs-on: ubuntu-latest
     steps:

.github/workflows/uniq.yaml

@@ -18,5 +18,5 @@ jobs:
       - name: check unique keys in dic files
         shell: bash
         run: |
-          find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sort | uniq -i -d -c | sort -n -r "
-          if [[ $(find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sort | uniq -i -d -c | sort -n -r " | grep -v '^\./' | wc -l) -gt 0 ]]; then exit 1; fi
+          find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sed 's/\(.*\)/\U\1/' | sort | uniq -i -d -c | sort -n -r "
+          if [[ $(find . -type f -name "*.dic" | xargs -I {} sh -c "echo {} && cat {} | sed 's/ *#.*//;/^$/d' | sed 's/\(.*\)/\U\1/' | sort | uniq -i -d -c | sort -n -r " | grep -v '^\./' | wc -l) -gt 0 ]]; then exit 1; fi

CHANGELOG.md

@@ -3,20 +3,51 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
-- Fixed symlink name in `mem spiffs tree` (@ANTodorov)
-- Fixed reported file/link names when `mem spiffs wipe` (ANTodorov)
+- Changed `hf mf info` - now differentiates between full USCUID and cut down ZUID chips (@nvx)
+- Changed `lf hitag chk` - added key counter, client side abort and minor delay (@iceman1001) 
+- Added `hf seos sam` - Added support for HID SAM SEOS communications (@jkramarz)
+- Changed (extended) area accessible by spiffs into last page of FLASH (@piotrva)
+- Changed flash-stored key dictionaries (Mifare, iClass, T55XX) and T55XX configurations to SPIFFS files (@piotrva)
+- Changed `lf em 410x sim` to use default gap value of 0 and extended help (@piotrva)
+- Changed `hf 14a info` - now identifies MIAFRE Duox (@iceman1001)
+- Added `hf iclass trbl` to perform tear-off attacks on iClass (@antiklesys)
+- Added support for connection to host device in all Docker envs (@doegox)
+- Changed `hf 15 info` to show all type matches and check ST25TVxC signature (@doegox)
+- Added initial support for ST25TN and its signature verification (@doegox)
+- Changed originality checks handling to refactor code and pk data (@doegox)
+- Changed `uniq.yaml` workflow to be case-insensitive (@iceman1001)
+- Fixed `mem load --mfc` not erasing all SPI flash blocks after extending to 4095 keys (@piotrva)
+- Changed extended area for Mifare keys in SPI flash to hold 4095 keys (@piotrva)
+- Fixed DESFire D40 secure channel crypto (@nvx)
+- Fixed `hf mfp info` fix signature check on 4b UID cards (@doegox)
+- Automatically set maximum read/write block when using predefined types in `hf_mf_ultimatecard` script (@piotrva)
+- Changed SPI flash detection to calculate the size instead of table lookup, updated spi_flash_decode.py script with more ICs (@ANTodorov)
+- Fixed `hf/lf tune` segfault when called from script (@doegox)
+- Added option to set and get maximum read/write block number using `hf_mf_ultimatecard` script (@piotrva)
+- Added JEDEC information for SPI flash W25Q64JV (@ANTodorov)
+- Added special iclass legacy config cards in `hf iclass configcard` (@antiklesys)
+- Added simulation function to `hf iclass legrec` (@antiklesys)
+- Added keys from Momentum firmware projects. (@onovy)
+- Added Dutch Statistics Agency default key (@eagle00789)
+- Fixed Wiegand decode with hex input dropping the first bit (@emilyastranova)
+- Changed `hf mf autopwn` - now allows for custom suffix (@zxkmm)
+
+## [Orca.4.19552][2024-11-22]
+- Fixed `hf_legic.lua` - removed bit32 commands from the script (@diorch1968)
+- Fixed `mem spiffs tree` - now show correct symlink name (@ANTodorov)
+- Fixed `mem spiffs wipe` - reported file/link names is now correct  (@ANTodorov)
 - Updated atrs list (@iceman1001)
 - Added support for a new KDF (@iceman1001)
 - Added Inner range aid and mad entries (@iceman1001)
 - Changed `mem spiffs` - Use all available space in SPI flash (@ANTodorov)
-- Fixed wrong size check in MifareSim (@iceman1001)
+- Fixed `hf mf sim` - wrong size check in MifareSim (@iceman1001)
 - Fixed `hf mf sim` not to respond to authentication attempts for sectors out of bound for selected Mifare type (@piotrva)
 - Added option to build against non-default python3 with CMake as well (@doegox)
 - Added option to build against non-default python3 with Makefile (@ANTodorov)
 - Changed `hf 14a info` `hf mf info` - now detects FM1216-137 CPU cards (@iceman1001)
-- Changed `hf iclass configcard` expanding the list of available options and functionalities (@antiklesys)
+- Changed `hf iclass configcard` - expanding the list of available options and functionalities (@antiklesys)
 - Fixed `intertic.py` - missing comma in array (@iceman1001)
-- Added improved algorithm for `hf iclass legrec` leveraging reduced entropy from hash0 constraints (@antiklesys)
+- Changed `hf iclass legrec` - improved algorithm leveraging reduced entropy from hash0 constraints (@antiklesys)
 - Fixed `hf iclass configcard` when generating elite or keyroll elite configcards for Rev.C legacy readers (@antiklesys)
 - Changed `hf mf c*` - now accepts a --gdm flag to write using uscuid/gdm 20/23 alt magic wakeup (@nvx)
 - Changed `pm3_console()` - Python/Lua/C: replace `passthru` by `capture` and `quiet` (@doegox)
@@ -26,12 +57,12 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - Changed `hf iclass legrec` - updated script implementation to ensure functionality (@antiklesys)
 - Added recovered iclass custom key to dictionary (@antiklesys)
 - Added support for all Hitag S response protocol mode (@douniwan5788)
-- Fixed 'hf_young.c' - flags declaration was missing a semicolon (@jakkpotts)
+- Fixed `hf_young` - flags declaration was missing a semicolon (@jakkpotts)
 - Changed `hf mf sim` - add option to allow key b to be used even if readable (@doegox)
 - Changed `data num` - outputed binary strings are now properly zero padded (@iceman1001)
 - Changed `hf iclass info` - now tries default keys and decode if legacy (@iceman1001)
 - Changed `hf iclass chk` - now loads dictionary file by default (@iceman1001)
-- Added an Makefile variable `DONT_BUILD_NATIVE` in mfd_aes_brute Makefile to easify downstream package
+- Added Makefile variable `DONT_BUILD_NATIVE` in mfd_aes_brute Makefile to easify downstream package (@Cryolitia)
 - Auto detect whether compile option `march=native` is supported for mfd_aes_brute Makefile
 - Changed `hf mf sim` - support data-first and nested reader attacks (@doegox)
 - Fixed `lf search` and `lf em 4x50 rdbl -b <blk>` does not coredump reading EM4450 tag (@ANTodorov)
@@ -45,14 +76,14 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - Added `hf 14b setuid` - set uid on magic 14b tag (@iceman1001)
 - Changed `hf 14b info` - now detect Tiananxin (@iceman1001)
 - Fixed `lf em 410x brute` - better filehandling and memory handling (@iceman1001)
-- Changed split PacketResponseNG status into status and reason(@douniwan5788)
-- add a helper script to decode JEDEC data `script run spi_flash_decode` (@ANTodorov)
-- show SPI flash JEDEC Manufacturer ID and Device ID in `hw status` output (@ANTodorov)
-- Improved `hf iclass configcards` to support generating config cards using a different key than the default k0 as the card's key (@antiklesys)
+- Changed split PacketResponseNG status into status and reason (@douniwan5788)
+- Added `spi_flash_decode.py` - helper script to decode JEDEC data (@ANTodorov)
+- Changed `hw status` - now show SPI flash JEDEC Manufacturer ID and Device ID in output (@ANTodorov)
+- Changed `hf iclass configcards` to support generating config cards using a different key than the default k0 as the card's key (@antiklesys)
 - Added maur keys (@iceman1001)
 - Fixed `hf mfu pwdgen` for the 7 byte UID (@ANTodorov)
 - Added `hf iclass unhash` command to reverse an iclass diversified key to hash0 pre-images (@antiklesys)
-- Added crypto1 support to `hf 14a raw` (@doegox)
+- Changed `hf 14a raw` - now supports crypto  (@doegox)
 - Changed `hw version` command to print LUA and Python versions (@jmichelp)
 - Updated LUA to v5.4.7 which adds utf-8 support (@jmichelp)
 - Moved `lf hitag sim --hts` -> `lf hitag hts sim` (@douniwan5788)
@@ -70,11 +101,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - Added detection for FM11NT021 (@iceman1001)
 - Added detection of a magic NTAG 215 (@iceman1001)
 - Fixed hardnested on AVX512F #2410 (@xianglin1998)
-- Added `hf 14a aidsim` - simulates a PICC (like `14a sim`), and allows you to respond to specific AIDs and getData responses (@evildaemond)
+- Added `hf 14a aidsim` - simulates a PICC and allows you to respond to specific AIDs and getData responses (@evildaemond)
 - Fixed arguments for `SimulateIso14443aTag` and `SimulateIso14443aInit` in `hf_young.c`, `hf_aveful.c`, `hf_msdsal.c`, `hf_cardhopper.c`, `hf_reblay.c`, `hf_tcprst.c` and `hf_craftbyte.c` (@archi)
 - Added `mf_backdoor_dump.py` script that dumps FM11RF08S and similar (Mifare Classic 1k) tag data that can be directly read by known backdoor keys. (@Aptimex)
 - Added keys for Metro Q transit cards in Huston, TX. (@Anarchothulhu)
-- Add new Mifare Classic keys from MifareClassicTool and Flipper projects. (@onovy)
+- Added keys from MifareClassicTool and Flipper projects. (@onovy)
 
 ## [Backdoor.4.18994][2024-09-10]
 - Changed flashing messages to be less scary (@iceman1001)

armsrc/Makefile

@@ -37,7 +37,8 @@ APP_CFLAGS = $(PLATFORM_DEFS) \
 SRC_LF = lfops.c lfsampling.c pcf7931.c lfdemod.c lfadc.c
 SRC_HF = hfops.c
 SRC_ISO15693 = iso15693.c iso15693tools.c
-SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c mifaresim.c sam_mfc.c sam_seos.c emvsim.c
+SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c mifaresim.c sam_common.c sam_mfc.c sam_seos.c emvsim.c
+
 #UNUSED: mifaresniff.c
 SRC_ISO14443b = iso14443b.c
 SRC_FELICA = felica.c

armsrc/appmain.c

@@ -441,7 +441,41 @@ static void SendStatus(uint32_t wait) {
     ModInfo();
 
 #ifdef WITH_FLASH
-    Flashmem_print_info();
+    DbpString(_CYAN_("Flash memory dictionary loaded"));
+    uint32_t num = 0;
+
+    if (exists_in_spiffs(MF_KEYS_FILE)) {
+        num = size_in_spiffs(MF_KEYS_FILE) / MF_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+    if (num > 0) {
+        Dbprintf("  Mifare.................. "_YELLOW_("%u")" keys (spiffs: "_GREEN_("%s")")", num, MF_KEYS_FILE);
+    } else {
+        Dbprintf("  Mifare.................. "_RED_("%u")" keys (spiffs: "_RED_("%s")")", num, MF_KEYS_FILE);
+    }
+
+    if (exists_in_spiffs(T55XX_KEYS_FILE)) {
+        num = size_in_spiffs(T55XX_KEYS_FILE) / T55XX_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+    if (num > 0) {
+        Dbprintf("  T55xx................... "_YELLOW_("%u")" keys (spiffs: "_GREEN_("%s")")", num, T55XX_KEYS_FILE);
+    } else {
+        Dbprintf("  T55xx................... "_RED_("%u")" keys (spiffs: "_RED_("%s")")", num, T55XX_KEYS_FILE);
+    }
+
+    if (exists_in_spiffs(ICLASS_KEYS_FILE)) {
+        num = size_in_spiffs(ICLASS_KEYS_FILE) / ICLASS_KEY_LENGTH;
+    } else {
+        num = 0;
+    }
+    if (num > 0) {
+        Dbprintf("  iClass.................. "_YELLOW_("%u")" keys (spiffs: "_GREEN_("%s")")", num, ICLASS_KEYS_FILE);
+    } else {
+        Dbprintf("  iClass.................. "_RED_("%u")" keys (spiffs: "_RED_("%s")")", num, ICLASS_KEYS_FILE);
+    }
 #endif
     DbpString("");
     reply_ng(CMD_STATUS, PM3_SUCCESS, NULL, 0);
@@ -1792,7 +1826,7 @@ static void PacketReceived(PacketCommandNG *packet) {
             break;
         }
         case CMD_HF_MIFARE_ACQ_STATIC_ENCRYPTED_NONCES: {
-            MifareAcquireStaticEncryptedNonces(packet->oldarg[0], packet->data.asBytes, true);
+            MifareAcquireStaticEncryptedNonces(packet->oldarg[0], packet->data.asBytes, true, packet->oldarg[1], packet->oldarg[2]);
             break;
         }
         case CMD_HF_MIFARE_ACQ_NONCES: {
@@ -2226,7 +2260,7 @@ static void PacketReceived(PacketCommandNG *packet) {
             break;
         }
         case CMD_HF_SAM_SEOS: {
-//            sam_seos_get_pacs();
+            sam_seos_get_pacs(packet);
             break;
         }
 
@@ -2762,28 +2796,10 @@ static void PacketReceived(PacketCommandNG *packet) {
                 break;
             }
 
-            if (payload->startidx == DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_pages64k)) {
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0xC);
-            } else if (payload->startidx ==  DEFAULT_MF_KEYS_OFFSET_P(spi_flash_pages64k)) {
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0x8);
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0x9);
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0xA);
-            } else if (payload->startidx == DEFAULT_ICLASS_KEYS_OFFSET_P(spi_flash_pages64k)) {
-                Flash_CheckBusy(BUSY_TIMEOUT);
-                Flash_WriteEnable();
-                Flash_Erase4k(3, 0xB);
-            } else if (payload->startidx == FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k)) {
+            if (payload->startidx == FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k)) {
                 Flash_CheckBusy(BUSY_TIMEOUT);
                 Flash_WriteEnable();
-                Flash_Erase4k(3, 0xF);
+                Flash_Erase4k(spi_flash_pages64k - 1, 0xF);
             }
 
             uint16_t res = Flash_Write(payload->startidx, payload->data, payload->len);

armsrc/lfops.c

@@ -37,7 +37,8 @@
 #include "protocols.h"
 #include "pmflash.h"
 #include "flashmem.h" // persistence on flash
-#include "appmain.h" // print stack
+#include "spiffs.h"   // spiffs
+#include "appmain.h"  // print stack
 
 /*
 Notes about EM4xxx timings.
@@ -324,31 +325,7 @@ void setT55xxConfig(uint8_t arg0, const t55xx_configurations_t *c) {
         return;
     }
 
-    if (!FlashInit()) {
-        BigBuf_free();
-        return;
-    }
-
-    uint8_t *buf = BigBuf_malloc(T55XX_CONFIG_LEN);
-    Flash_CheckBusy(BUSY_TIMEOUT);
-    uint16_t res = Flash_ReadDataCont(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
-    if (res == 0) {
-        FlashStop();
-        BigBuf_free();
-        return;
-    }
-
-    memcpy(buf, &T55xx_Timing, T55XX_CONFIG_LEN);
-
-    // delete old configuration
-    Flash_CheckBusy(BUSY_TIMEOUT);
-    Flash_WriteEnable();
-    Flash_Erase4k(3, 0xD);
-
-    // write new
-    res = Flash_Write(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
-
-    if (res == T55XX_CONFIG_LEN && g_dbglevel > 1) {
+    if (SPIFFS_OK == rdv40_spiffs_write(T55XX_CONFIG_FILE, (uint8_t *)&T55xx_Timing, T55XX_CONFIG_LEN, RDV40_SPIFFS_SAFETY_SAFE)) {
         DbpString("T55XX Config save " _GREEN_("success"));
     }
 
@@ -363,15 +340,23 @@ t55xx_configurations_t *getT55xxConfig(void) {
 void loadT55xxConfig(void) {
 #ifdef WITH_FLASH
 
-    if (!FlashInit()) {
+    uint8_t *buf = BigBuf_malloc(T55XX_CONFIG_LEN);
+
+    uint32_t size = 0;
+    if (exists_in_spiffs(T55XX_CONFIG_FILE)) {
+        size = size_in_spiffs(T55XX_CONFIG_FILE);
+    }
+    if (size == 0) {
+        Dbprintf("Spiffs file: %s does not exists or empty.", T55XX_CONFIG_FILE);
+        BigBuf_free();
         return;
     }
 
-    uint8_t *buf = BigBuf_malloc(T55XX_CONFIG_LEN);
-
-    Flash_CheckBusy(BUSY_TIMEOUT);
-    uint16_t isok = Flash_ReadDataCont(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
-    FlashStop();
+    if (SPIFFS_OK != rdv40_spiffs_read(T55XX_CONFIG_FILE, buf, T55XX_CONFIG_LEN, RDV40_SPIFFS_SAFETY_SAFE)) {
+        Dbprintf("Spiffs file: %s cannot be read.", T55XX_CONFIG_FILE);
+        BigBuf_free();
+        return;
+    }
 
     // verify read mem is actual data.
     uint8_t cntA = T55XX_CONFIG_LEN, cntB = T55XX_CONFIG_LEN;
@@ -380,14 +365,15 @@ void loadT55xxConfig(void) {
         if (buf[i] == 0x00) cntB--;
     }
     if (!cntA || !cntB) {
+        Dbprintf("Spiffs file: %s does not malformed or empty.", T55XX_CONFIG_FILE);
         BigBuf_free();
         return;
     }
 
     if (buf[0] != 0xFF) // if not set for clear
         memcpy((uint8_t *)&T55xx_Timing, buf, T55XX_CONFIG_LEN);
 
-    if (isok == T55XX_CONFIG_LEN) {
+    if (size == T55XX_CONFIG_LEN) {
         if (g_dbglevel > 1) DbpString("T55XX Config load success");
     }
 
@@ -2146,29 +2132,34 @@ void T55xx_ChkPwds(uint8_t flags, bool ledcontrol) {
 #ifdef WITH_FLASH
 
     BigBuf_Clear_EM();
-    uint16_t isok = 0;
-    uint8_t counter[2] = {0x00, 0x00};
-    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_pages64k), counter, sizeof(counter));
-    if (isok != sizeof(counter))
+    uint32_t size = 0;
+
+    if (exists_in_spiffs(T55XX_KEYS_FILE)) {
+        size = size_in_spiffs(T55XX_KEYS_FILE);
+    }
+    if (size == 0) {
+        Dbprintf("Spiffs file: %s does not exists or empty.", T55XX_KEYS_FILE);
         goto OUT;
+    }
 
-    pwd_count = (uint16_t)(counter[1] << 8 | counter[0]);
+    pwd_count = size / T55XX_KEY_LENGTH;
     if (pwd_count == 0)
         goto OUT;
 
     // since flash can report way too many pwds, we need to limit it.
     // bigbuff EM size is determined by CARD_MEMORY_SIZE
     // a password is 4bytes.
-    uint16_t pwd_size_available = MIN(CARD_MEMORY_SIZE, pwd_count * 4);
+    uint16_t pwd_size_available = MIN(CARD_MEMORY_SIZE, pwd_count * T55XX_KEY_LENGTH);
 
     // adjust available pwd_count
-    pwd_count = pwd_size_available / 4;
+    pwd_count = pwd_size_available / T55XX_KEY_LENGTH;
 
-    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_pages64k) + 2, pwds, pwd_size_available);
-    if (isok != pwd_size_available)
+    if (SPIFFS_OK == rdv40_spiffs_read_as_filetype(T55XX_KEYS_FILE, pwds, pwd_size_available, RDV40_SPIFFS_SAFETY_SAFE)) {
+        if (g_dbglevel >= DBG_ERROR) Dbprintf("Loaded %u passwords from spiffs file: %s", pwd_count, T55XX_KEYS_FILE);
+    } else {
+        Dbprintf("Spiffs file: %s cannot be read.", T55XX_KEYS_FILE);
         goto OUT;
-
-    Dbprintf("Password dictionary count " _YELLOW_("%d"), pwd_count);
+    }
 
 #endif