Merge pull request #2505 from douniwan5788/8268
Added support for 8268/8310
iceman1001 authored Sep 13, 2024
2 parents edb74d0 + 0c79640 commit 3e4f157
Showing 5 changed files with 132 additions and 45 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

## [unreleased][unreleased]
- Added support for 8268/8310 (@douniwan5788)
- Changed scripting string params to accept 1024 chars, Thanks @evildaemond! (@iceman1001)
- Added detection for FM11NT021 (@iceman1001)
- Added detection of a magic NTAG 215 (@iceman1001)
66 changes: 55 additions & 11 deletions armsrc/hitagS.c
@@ -37,7 +37,19 @@
#define CRC_PRESET 0xFF
#define CRC_POLYNOM 0x1D

static struct hitagS_tag tag;
static struct hitagS_tag tag = {
.pages =
{
// Plain mode: | Authentication mode:
[0] = {0x88, 0xcd, 0x6d, 0xf3}, // UID | UID
[1] = {0xca, 0x24, 0x00, 0x00}, // CON0 CON1 CON2 Reserved | CON0 CON1 CON2 PWDH0
[2] = {0xaa, 0xaa, 0xaa, 0xaa}, // Data | PWDL0 PWDL1 KEYH0 KEYH1
[3] = {0x55, 0x55, 0x55, 0x55}, // Data | KEYL0 KEYL1 KEYL2 KEYL3
[4] = {0xff, 0x80, 0x00, 0x00}, // Data
[5] = {0x00, 0x00, 0x00, 0x00}, // Data
// up to index 63 for HITAG S2048 public data
},
};
static uint8_t page_to_be_written = 0;
static int block_data_left = 0;

@@ -1360,6 +1372,40 @@ static int selectHitagS(const lf_hitag_data_t *packet, uint8_t *tx, size_t sizeo
tx[i] = ((NrAr >> (56 - (i * 8))) & 0xFF);
}

} else if (packet->cmd == RHTSF_82xx || packet->cmd == WHTSF_82xx) {
// 8268/8310 Authentication by writing password to block 64

//send write page request
txlen = 0;
cmd = HITAGS_WRITE_PAGE;
txlen = concatbits(tx, txlen, &cmd, 0, 4);

uint8_t addr = 64;
txlen = concatbits(tx, txlen, &addr, 0, 8);

crc = CRC8Hitag1Bits(tx, txlen);
txlen = concatbits(tx, txlen, &crc, 0, 8);

sendReceiveHitagS(tx, txlen, rx, sizeofrx, &rxlen, HITAG_T_WAIT_SC, ledcontrol, false);

if ((rxlen != 2) || (rx[0] >> (8 - 2) != 0x01)) {
Dbprintf("no write access on page " _YELLOW_("64") ". not 82xx?");
return -1;
}

txlen = 0;
txlen = concatbits(tx, txlen, packet->pwd, 0, 32);
crc = CRC8Hitag1Bits(tx, txlen);
txlen = concatbits(tx, txlen, &crc, 0, 8);

sendReceiveHitagS(tx, txlen, rx, sizeofrx, &rxlen, HITAG_T_WAIT_SC, ledcontrol, false);

if ((rxlen != 2) || (rx[0] >> (8 - 2) != 0x01)) {
Dbprintf("write to page " _YELLOW_("64") " failed! wrong password?");
return -1;
}

return 0;
} else if (packet->cmd == RHTSF_PLAIN || packet->cmd == WHTSF_PLAIN) {
Dbprintf("Error, " _YELLOW_("AUT=1") " This tag is configured in Authentication Mode");
return -1;
@@ -1413,19 +1459,15 @@ static int selectHitagS(const lf_hitag_data_t *packet, uint8_t *tx, size_t sizeo
* Reads every page of a hitag S transpoder.
*/
void ReadHitagS(const lf_hitag_data_t *payload, bool ledcontrol) {

int status = PM3_SUCCESS;
uint8_t rx[HITAG_FRAME_LEN];
size_t rxlen = 0;

uint8_t tx[HITAG_FRAME_LEN];

if (selectHitagS(payload, tx, ARRAYLEN(tx), rx, ARRAYLEN(rx), HITAG_T_WAIT_FIRST, ledcontrol) == -1) {

hitagS_stop_clock();
set_tracing(false);
lf_finalize(ledcontrol);
reply_ng(CMD_LF_HITAGS_READ, PM3_ERFTRANS, NULL, 0);
return;
status = PM3_ERFTRANS;
goto read_end;
}

int pageNum = 0;
@@ -1445,9 +1487,10 @@ void ReadHitagS(const lf_hitag_data_t *payload, bool ledcontrol) {

sendReceiveHitagS(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, false);

if (rxlen == 0) {
if (rxlen != 40) {
Dbprintf("Read page failed!");
break;
status = PM3_ERFTRANS;
goto read_end;
}

//save received data - 40 bits
@@ -1499,10 +1542,11 @@ void ReadHitagS(const lf_hitag_data_t *payload, bool ledcontrol) {
}
}

read_end:
hitagS_stop_clock();
set_tracing(false);
lf_finalize(ledcontrol);
reply_ng(CMD_LF_HITAGS_READ, PM3_SUCCESS, (uint8_t *)tag.pages, sizeof(tag.pages));
reply_ng(CMD_LF_HITAGS_READ, status, (uint8_t *)tag.pages, sizeof(tag.pages));
}

/*
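Review bot: In ReadHitagS, the select-failure path now jumps to `read_end`, where `reply_ng(CMD_LF_HITAGS_READ, status, (uint8_t *)tag.pages, sizeof(tag.pages))` sends the whole page buffer together with `PM3_ERFTRANS`, whereas the removed code replied with `NULL, 0`. Nothing has been read from the tag at that point, so the payload is whatever `tag.pages` already holds: the new static defaults from the first hunk or, presumably, pages left over from an earlier read, which per the authentication-mode layout in that initializer can include PWD/KEY bytes of a different tag. Unless the client is known to discard the payload on a non-success status (not visible here), I would keep error replies empty, e.g. `reply_ng(CMD_LF_HITAGS_READ, status, (status == PM3_SUCCESS) ? (uint8_t *)tag.pages : NULL, (status == PM3_SUCCESS) ? sizeof(tag.pages) : 0);`, or clear `tag.pages` before the select if partial reads are meant to be returned. The body of ReadHitagS continues between the hunks shown, so this rests on the visible lines only.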
19 changes: 10 additions & 9 deletions client/src/cmdlfem410x.c
@@ -676,11 +676,11 @@ static size_t concatbits(uint8_t *dst, size_t dstskip, const uint8_t *src, size_
static int CmdEM410xClone(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "lf em 410x clone",
"clone a EM410x ID to a T55x7, Q5/T5555, EM4305/4469 or Hitag S/8211 tag.",
"clone a EM410x ID to a T55x7, Q5/T5555, EM4305/4469 or Hitag S/8211/8268/8310 tag.",
"lf em 410x clone --id 0F0368568B -> encode for T55x7 tag\n"
"lf em 410x clone --id 0F0368568B --q5 -> encode for Q5/T5555 tag\n"
"lf em 410x clone --id 0F0368568B --em -> encode for EM4305/4469\n"
"lf em 410x clone --id 0F0368568B --hs -> encode for Hitag S/8211"
"lf em 410x clone --id 0F0368568B --hts -> encode for Hitag S/8211/8268/8310"
);

void *argtable[] = {
@@ -689,7 +689,7 @@ static int CmdEM410xClone(const char *Cmd) {
arg_str1(NULL, "id", "<hex>", "EM Tag ID number (5 hex bytes)"),
arg_lit0(NULL, "q5", "optional - specify writing to Q5/T5555 tag"),
arg_lit0(NULL, "em", "optional - specify writing to EM4305/4469 tag"),
arg_lit0(NULL, "hs", "optional - specify writing to Hitag S/8211 tag"),
arg_lit0(NULL, "hts", "optional - specify writing to Hitag S/8211/8268/8310 tag"),
arg_lit0(NULL, "electra", "optional - add Electra blocks to tag"),
arg_param_end
};
@@ -702,16 +702,16 @@ static int CmdEM410xClone(const char *Cmd) {
CLIGetHexWithReturn(ctx, 2, uid, &uid_len);
bool q5 = arg_get_lit(ctx, 3);
bool em = arg_get_lit(ctx, 4);
bool hs = arg_get_lit(ctx, 5);
bool hts = arg_get_lit(ctx, 5);
bool add_electra = arg_get_lit(ctx, 6);
CLIParserFree(ctx);

if (q5 + em + hs > 1) {
if (q5 + em + hts > 1) {
PrintAndLogEx(FAILED, "Only specify one tag Type");
return PM3_EINVARG;
}

if (hs) {
if (hts) {
if (IfPm3Hitag() == false) {
PrintAndLogEx(FAILED, "Device not compiled to support Hitag");
return PM3_EINVARG;
@@ -730,7 +730,7 @@ static int CmdEM410xClone(const char *Cmd) {

uint64_t id = bytes_to_num(uid, uid_len);
PrintAndLogEx(SUCCESS, "Preparing to clone EM4102 to " _YELLOW_("%s") " tag with EM Tag ID " _GREEN_("%010" PRIX64) " (RF/%d)",
q5 ? "Q5/T5555" : (em ? "EM4305/4469" : (hs ? "Hitag S/8211" : "T55x7")), id, clk);
q5 ? "Q5/T5555" : (em ? "EM4305/4469" : (hts ? "Hitag S/82xx" : "T55x7")), id, clk);

uint8_t data[HITAG_BLOCK_SIZE * 2] = {0xFF, 0x80}; // EM410X_HEADER 9 bits of one
uint32_t databits = 9;
@@ -754,7 +754,7 @@ static int CmdEM410xClone(const char *Cmd) {
clearCommandBuffer();
PacketResponseNG resp;

if (hs) {
if (hts) {
lf_hitag_data_t packet;
memset(&packet, 0, sizeof(packet));

@@ -791,7 +791,8 @@ static int CmdEM410xClone(const char *Cmd) {
break;
}

packet.cmd = WHTSF_PLAIN;
packet.cmd = WHTSF_82xx;
memcpy(packet.pwd, (uint8_t[]){0xBB, 0xDD, 0x33, 0x99}, 4);
SendCommandNG(CMD_LF_HITAGS_WRITE, (uint8_t *)&packet, sizeof(packet));
if (WaitForResponseTimeout(CMD_LF_HITAGS_WRITE, &resp, 4000) == false) {
PrintAndLogEx(WARNING, "timeout while waiting for reply.");
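Review bot: The password in `memcpy(packet.pwd, (uint8_t[]){0xBB, 0xDD, 0x33, 0x99}, 4);` is an unexplained literal with a bare length, and because `packet.cmd` is now always `WHTSF_82xx` on the `--hts` path, every clone attempt sends it. If these bytes are the default password of 8268/8310 tags (the commit does not say), give them a named constant with a comment stating that, and copy by the constant's size, e.g. `static const uint8_t hts_82xx_pwd[] = {0xBB, 0xDD, 0x33, 0x99};` and `memcpy(packet.pwd, hts_82xx_pwd, sizeof(hts_82xx_pwd));` (the name is only a suggestion). As far as the visible lines show, a tag whose password has been changed can only end in the firmware's "wrong password?" branch, so the help text should say that the default password is assumed. CmdEM410xClone continues outside the hunks shown.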