Merge branch 'master' into master

Signed-off-by: Iceman <[email protected]>

CHANGELOG.md

@@ -3,8 +3,18 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+- Extended area for Mifare keys in SPI flash to hold 4095 keys (@piotrva)
+- Fixed DESFire D40 secure channel crypto (@nvx)
+- Fixed `hf mfp info` fix signature check on 4b UID cards (@doegox)
+- Automatically set maximum read/write block when using predefined types in `hf_mf_ultimatecard` script (@piotrva)
+- Changed SPI flash detection to calculate the size instead of table lookup, updated spi_flash_decode.py script with more ICs (@ANTodorov)
+- Fixed `hf/lf tune` segfault when called from script (@doegox)
+- Added option to set and get maximum read/write block number using `hf_mf_ultimatecard` script (@piotrva)
+- Added JEDEC information for SPI flash W25Q64JV (@ANTodorov)
+- Added special iclass legacy config cards in `hf iclass configcard` (@antiklesys)
 - Added simulation function to `hf iclass legrec` (@antiklesys)
 - Added keys from Momentum firmware projects. (@onovy)
+- Added Dutch Statistics Agency default key (@eagle00789)
 
 ## [Orca.4.19552][2024-11-22]
 - Fixed `hf_legic.lua` - removed bit32 commands from the script (@diorch1968)

armsrc/appmain.c

@@ -1778,7 +1778,7 @@ static void PacketReceived(PacketCommandNG *packet) {
             break;
         }
         case CMD_HF_MIFARE_ACQ_STATIC_ENCRYPTED_NONCES: {
-            MifareAcquireStaticEncryptedNonces(packet->oldarg[0], packet->data.asBytes, true);
+            MifareAcquireStaticEncryptedNonces(packet->oldarg[0], packet->data.asBytes, true, packet->oldarg[1], packet->oldarg[2]);
             break;
         }
         case CMD_HF_MIFARE_ACQ_NONCES: {

armsrc/mifarecmd.h

@@ -37,7 +37,7 @@ void MifareNested(uint8_t blockNo, uint8_t keyType, uint8_t targetBlockNo, uint8
 void MifareStaticNested(uint8_t blockNo, uint8_t keyType, uint8_t targetBlockNo, uint8_t targetKeyType, uint8_t *key);
 
 void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain);
-int MifareAcquireStaticEncryptedNonces(uint32_t flags, const uint8_t *key, bool reply);
+int MifareAcquireStaticEncryptedNonces(uint32_t flags, const uint8_t *key, bool reply, uint8_t first_block_no, uint8_t first_key_type);
 void MifareAcquireNonces(uint32_t arg0, uint32_t flags);
 void MifareChkKeys(uint8_t *datain, uint8_t reserved_mem);
 void MifareChkKeys_fast(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);

armsrc/mifareutil.c

@@ -983,3 +983,12 @@ int nonce_distance(uint32_t from, uint32_t to) {
 int nonce16_index(uint16_t nt) {
     return nonce16_distance(0x0100, nt) + 1;
 }
+
+uint32_t rewind_nonce(uint32_t from, uint16_t dist) {
+    uint16_t x = from >> 16;
+    for (uint16_t i = 0; i < dist; i++) {
+        x = ((x << 1 | x >> 15) & 0xffff) ^ ((x >> 1 ^ x >> 2 ^ x >> 4) & 0x100);
+    }
+    uint32_t nt = x;
+    return nt << 16 | prng_successor(nt, 16);
+}

armsrc/mifareutil.h

@@ -128,4 +128,5 @@ bool validate_parity_nonce(uint32_t ntenc, uint8_t ntparenc, uint32_t nt);
 int nonce_distance(uint32_t from, uint32_t to);
 int nonce16_distance(uint16_t x, uint16_t y);
 int nonce16_index(uint16_t nt);
+uint32_t rewind_nonce(uint32_t from, uint16_t dist);
 #endif

client/dictionaries/mfc_default_keys.dic

@@ -2755,7 +2755,8 @@ D37C8F1793F7
 543071543071
 5F01015F0101
 200510241234
-# Momentum-Firmware
+#
+# Momentum-Firmware  20241201
 AC935925A876
 ADC169F922CB
 AD00EFD353E4
@@ -3022,3 +3023,18 @@ F833E24C3F1C
 93FB38FE585A
 96AECCC0F7EB
 96227EDADBCF
+#
+# BW Kantine
+56cf3acd90ca
+542089792be2
+5420aeada758
+#
+# CSC Laundry
+212223242555
+717273747555
+#
+# Hotel cards, BETECH brand, Vietnam
+AAC34D9A4E65
+#
+# Dutch Statistics Agency (CBS)
+DC7B15AA0938

client/dictionaries/t55xx_default_pwds.dic

@@ -22,6 +22,8 @@ F9DCEBA0
 89A69E60
 # ref lock
 314159E0
+#Zonsin ZX-COPY10
+7B3D5C48
 # ref. http://www.proxmark.org/forum/viewtopic.php?pid=28115#p28115
 AA55BBBB
 # ref. http://www.proxmark.org/forum/viewtopic.php?pid=33376#p33376

client/luascripts/hf_mf_ultimatecard.lua

@@ -50,20 +50,20 @@ arguments = [[
     -c      read magic configuration
     -u      UID (8-20 hexsymbols), set UID on tag
     -t      tag type to impersonate
-                 1 = Mifare Mini S20 4-byte
-                 2 = Mifare Mini S20 7-byte 15 = NTAG 210
-                 3 = Mifare Mini S20 10-byte 16 = NTAG 212
-                 4 = Mifare 1k S50 4-byte   17 = NTAG 213
-                 5 = Mifare 1k S50 7-byte   18 = NTAG 215
-                 6 = Mifare 1k S50 10-byte  19 = NTAG 216
-                 7 = Mifare 4k S70 4-byte   20 = NTAG I2C 1K
-                 8 = Mifare 4k S70 7-byte   21 = NTAG I2C 2K
-                 9 = Mifare 4k S70 10-byte  22 = NTAG I2C 1K PLUS
-            ***  10 = UL -   NOT WORKING FULLY   23 = NTAG I2C 2K PLUS
-            ***  11 = UL-C - NOT WORKING FULLY   24 = NTAG 213F
-                 12 = UL EV1 48b                25 = NTAG 216F
-                 13 = UL EV1 128b
-            ***  14 = UL Plus - NOT WORKING YET
+                 1 = Mifare Mini S20 4-byte     |  15 = NTAG 210
+                 2 = Mifare Mini S20 7-byte     |  16 = NTAG 212
+                 3 = Mifare Mini S20 10-byte    |  17 = NTAG 213
+                 4 = Mifare 1k S50 4-byte       |  18 = NTAG 215
+                 5 = Mifare 1k S50 7-byte       |  19 = NTAG 216
+                 6 = Mifare 1k S50 10-byte      |  20 = NTAG I2C 1K
+                 7 = Mifare 4k S70 4-byte       |  21 = NTAG I2C 2K
+                 8 = Mifare 4k S70 7-byte       |  22 = NTAG I2C 1K PLUS
+                 9 = Mifare 4k S70 10-byte      |  23 = NTAG I2C 2K PLUS
+            ***  10 = UL -   NOT WORKING FULLY  |  24 = NTAG 213F
+            ***  11 = UL-C - NOT WORKING FULLY  |  25 = NTAG 216F
+                 12 = UL EV1 48b                |
+                 13 = UL EV1 128b               |
+            ***  14 = UL Plus - NOT WORKING YET |
 
     -p      NTAG password (8 hexsymbols),  set NTAG password on tag.
     -a      NTAG pack ( 4 hexsymbols), set NTAG pack on tag.
@@ -75,7 +75,11 @@ arguments = [[
     -z      ATS (<1b length><0-16 ATS> hexsymbols), Configure ATS. Length set to 00 will disable ATS.
     -w      Wipe tag. 0 for Mifare or 1 for UL. Fills tag with zeros and put default values for type selected.
     -m      Ultralight mode (00 UL EV1, 01 NTAG, 02 UL-C, 03 UL) Set type of UL.
-    -n      Ultralight protocol (00 MFC, 01 UL), switches between UL and MFC mode
+    -n      Ultralight protocol (00 MFC, 01 UL), switches between UL and MFC mode]]
+-- Need to split because reached maximum string length processed by lua
+arguments2 = [[
+    -b      Set maximum read/write blocks (2 hexsymbols)
+            NOTE: Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249
     -k      Ultimate Magic Card Key (IF DIFFERENT THAN DEFAULT 00000000)
 ]]
 ---
@@ -110,6 +114,7 @@ local function help()
     print(usage)
     print(ansicolors.cyan..'Arguments'..ansicolors.reset)
     print(arguments)
+    print(arguments2)
     print(ansicolors.cyan..'Example usage'..ansicolors.reset)
     print(example)
 end
@@ -186,6 +191,7 @@ local function read_config()
     end
     -- extract data from CONFIG - based on CONFIG in https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#gen-4-gtu
     ulprotocol, uidlength, readpass, gtumode, ats, atqa1, atqa2, sak, ulmode = magicconfig:sub(1,2), magicconfig:sub(3,4), magicconfig:sub(5,12), magicconfig:sub(13,14), magicconfig:sub(15,48), magicconfig:sub(51,52), magicconfig:sub(49,50), magicconfig:sub(53,54), magicconfig:sub(55,56)
+    maxRWblk = magicconfig:sub(57, 58)
     atqaf = atqa1..' '..atqa2
     cardtype, cardprotocol, gtustr, atsstr = 'unknown', 'unknown', 'unknown', 'unknown'
     if magicconfig == nil then lib14a.disconnect(); return nil, "can't read configuration, "..err_lock end
@@ -291,6 +297,7 @@ local function read_config()
         print(' - Version      ', cversion)
         print(' - Signature    ', signature1..signature2)
     end
+    print(' - Max R/W Block  ', maxRWblk)
     end
 lib14a.disconnect()
 return true, 'Ok'
@@ -637,6 +644,26 @@ local function write_ulm(ulm)
     return true, 'Ok'
 end
 ---
+-- Write maximum read/write block number,
+local function write_maxRWblk(data)
+    -- input number check
+    if data == nil then return nil, 'empty block number' end
+    if #data == 0 then return nil, 'empty block number' end
+    if #data ~= 2 then return nil, 'block number wrong length. Should be 1 hex byte' end
+
+    print('Set max R/W block', data)
+    local info = connect()
+    if not info then return false, "Can't select card" end
+    local resp
+    -- set maximum read/write block
+    resp = send("CF".._key.."6B"..data)
+    lib14a.disconnect()
+    if resp ~= '9000FD07' then return nil, 'Failed to write maximum read/write block'
+    else
+        return true, 'Ok'
+    end
+end
+---
 --  Set type for magic card presets.
 local function set_type(tagtype)
     -- tagtype checks
@@ -649,62 +676,71 @@ local function set_type(tagtype)
     send("CF".._key.."F000000000000002000978009102DABC19101011121314151604000900")
     lib14a.disconnect()
         write_uid('04112233')
+        write_maxRWblk('13')
     -- Setting Mifare mini S20 7-byte
     elseif tagtype == 2 then
         print('Setting: Ultimate Magic card to Mifare mini S20 7-byte')
         connect()
     send("CF".._key.."F000010000000002000978009102DABC19101011121314151644000900")
     lib14a.disconnect()
         write_uid('04112233445566')
+        write_maxRWblk('13')
     -- Setting Mifare mini S20 10-byte
     elseif tagtype == 3 then
         print('Setting: Ultimate Magic card to Mifare mini S20 10-byte')
         connect()
     send("CF".._key.."F000020000000002000978009102DABC19101011121314151684000900")
     lib14a.disconnect()
         write_uid('04112233445566778899')
+        write_maxRWblk('13')
     -- Setting Mifare 1k S50 4--byte
     elseif tagtype == 4 then
         print('Setting: Ultimate Magic card to Mifare 1k S50 4-byte')
         connect()
     send("CF".._key.."F000000000000002000978009102DABC19101011121314151604000800")
     lib14a.disconnect()
         write_uid('04112233')
+        write_maxRWblk('3F')
     -- Setting Mifare 1k S50 7-byte
     elseif tagtype == 5 then
         print('Setting: Ultimate Magic card to Mifare 1k S50 7-byte')
         connect()
     send("CF".._key.."F000010000000002000978009102DABC19101011121314151644000800")
     lib14a.disconnect()
         write_uid('04112233445566')
+        write_maxRWblk('3F')
     -- Setting Mifare 1k S50 10-byte
     elseif tagtype == 6 then
         print('Setting: Ultimate Magic card to Mifare 1k S50 10-byte')
         connect()
     send("CF".._key.."F000020000000002000978009102DABC19101011121314151684000800")
     lib14a.disconnect()
         write_uid('04112233445566778899')
+        write_maxRWblk('3F')
     -- Setting Mifare 4k S70 4-byte
     elseif tagtype == 7 then
         print('Setting: Ultimate Magic card to Mifare 4k S70 4-byte')
         connect()
     send("CF".._key.."F000000000000002000978009102DABC19101011121314151602001800")
     lib14a.disconnect()
         write_uid('04112233')
+        write_maxRWblk('FF')
     -- Setting Mifare 4k S70 7-byte
     elseif tagtype == 8 then
         print('Setting: Ultimate Magic card to Mifare 4k S70 7-byte')
         connect()
     send("CF".._key.."F000010000000002000978009102DABC19101011121314151642001800")
     lib14a.disconnect()
         write_uid('04112233445566')
+        write_maxRWblk('FF')
     -- Setting Mifare 4k S70 10-byte
     elseif tagtype == 9 then
         print('Setting: Ultimate Magic card to Mifare 4k S70 10-byte')
         connect()
     send("CF".._key.."F000020000000002000978009102DABC19101011121314151682001800")
     lib14a.disconnect()
         write_uid('04112233445566778899')
+        write_maxRWblk('FF')
     -- Setting UL
     elseif tagtype == 10 then
         print('Setting: Ultimate Magic card to UL')
@@ -1016,7 +1052,7 @@ function main(args)
     local err, msg
     if #args == 0 then return help() end
     -- Read the parameters
-    for o, a in getopt.getopt(args, 'hck:u:t:p:a:s:o:v:q:g:z:n:m:w:') do
+    for o, a in getopt.getopt(args, 'hck:u:t:p:a:s:o:v:q:g:z:n:m:w:b:') do
         -- help
         if o == "h" then return help() end
         -- set Ultimate Magic Card Key for read write
@@ -1049,6 +1085,8 @@ function main(args)
         if o == "m" then err, msg = write_ulm(a) end
         -- write UL protocol
         if o == "n" then err, msg = write_ulp(a) end
+        -- write max r/w block
+        if o == "b" then err, msg = write_maxRWblk(a) end
         if err == nil then return oops(msg) end
     end
 end