From d793c41aa56a6f30ea33dea09124056ed2b5b139 Mon Sep 17 00:00:00 2001 From: wh201906 Date: Sat, 25 Apr 2020 00:57:28 +0800 Subject: [PATCH] Support backdoor command for Chinese Magic Card(GEN 1a) --- Proxmark3GUI.pro | 3 + module/mifare.cpp | 96 +++++++++++++++++++++++++++ module/mifare.h | 6 ++ ui/mainwindow.cpp | 41 ++++++++---- ui/mainwindow.h | 12 +++- ui/mainwindow.ui | 12 ++-- ui/mf_uid_parameterdialog.cpp | 14 ++++ ui/mf_uid_parameterdialog.h | 22 +++++++ ui/mf_uid_parameterdialog.ui | 121 ++++++++++++++++++++++++++++++++++ 9 files changed, 308 insertions(+), 19 deletions(-) create mode 100644 ui/mf_uid_parameterdialog.cpp create mode 100644 ui/mf_uid_parameterdialog.h create mode 100644 ui/mf_uid_parameterdialog.ui diff --git a/Proxmark3GUI.pro b/Proxmark3GUI.pro index c450bfa..8fc53e0 100644 --- a/Proxmark3GUI.pro +++ b/Proxmark3GUI.pro @@ -20,6 +20,7 @@ SOURCES += \ common/pm3process.cpp \ common/util.cpp \ module/mifare.cpp \ + ui/mf_uid_parameterdialog.cpp \ ui/mainwindow.cpp \ ui/mf_attack_hardnesteddialog.cpp \ @@ -27,10 +28,12 @@ HEADERS += \ common/pm3process.h \ common/util.h \ module/mifare.h \ + ui/mf_uid_parameterdialog.h \ ui/mainwindow.h \ ui/mf_attack_hardnesteddialog.h \ FORMS += \ + ui/mf_uid_parameterdialog.ui \ ui/mainwindow.ui \ ui/mf_attack_hardnesteddialog.ui diff --git a/module/mifare.cpp b/module/mifare.cpp index 76c63c5..5d127a1 100644 --- a/module/mifare.cpp +++ b/module/mifare.cpp 
@@ -308,6 +308,102 @@ void Mifare::writeAll() } } +void Mifare::readC() +{ + int waitTime = 300; + int currblk = ui->MF_RW_blockBox->currentText().toInt(); + QString result = util->execCMDWithOutput("hf mf cgetblk " + + QString::number(currblk), waitTime); + if(result.indexOf("No chinese") == -1) + { + result = result.mid(result.indexOf(*dataPattern, 0), 47).toUpper(); + ui->MF_RW_dataEdit->setText(result); + } +} + +void Mifare::readAllC() +{ + QString result; + const int waitTime = 150; + + QString tmp; + int offset = 0; + for(int i = 0; i < cardType.sectors; i++) + { + result = util->execCMDWithOutput("hf mf cgetsc " + + QString::number(i), waitTime); + qDebug() << result; + if(result.indexOf("No chinese") == -1) + { + offset = 0; + for(int j = 0; j < cardType.blk[i]; j++) + { + offset = result.indexOf(*dataPattern, offset); + tmp = result.mid(offset, 47).toUpper(); + offset += 47; + qDebug() << tmp; + tmp.replace(" ", ""); + dataList->replace(cardType.blks[i] + j, tmp); + data_syncWithDataWidget(false, cardType.blks[i] + j); + } + keyAList->replace(i, dataList->at(cardType.blks[i] + cardType.blk[i] - 1).left(12)); + keyBList->replace(i, dataList->at(cardType.blks[i] + cardType.blk[i] - 1).right(12)); + data_syncWithKeyWidget(false, i, true); + data_syncWithKeyWidget(false, i, false); + } + } +} + +void Mifare::writeC() +{ + int waitTime = 150; + QString result = util->execCMDWithOutput("hf mf csetblk " + + ui->MF_RW_blockBox->currentText() + + " " + + ui->MF_RW_dataEdit->text().replace(" ", ""), waitTime); + if(result.indexOf("No chinese") == -1) + { + QMessageBox::information(parent, tr("info"), tr("Success!")); + } + else + { + QMessageBox::information(parent, tr("info"), tr("Failed!")); + } +} + +void Mifare::writeAllC() +{ + const int waitTime = 150; + QString result; + for(int i = 0; i < cardType.sectors; i++) + { + for(int j = 0; j < cardType.blk[i]; j++) + { + result = ""; // if the KeyA is invalid and the result is not empty, the KeyB will not be 
tested. + if(data_isDataValid(dataList->at(cardType.blks[i] + j)) != DATA_NOSPACE || dataList->at(cardType.blks[i] + j).contains('?')) + continue; + result = util->execCMDWithOutput("hf mf csetblk " + + QString::number(cardType.blks[i] + j) + + " " + + dataList->at(cardType.blks[i] + j), waitTime); + } + } +} + +void Mifare::wipeC() +{ + util->execCMD("hf mf cwipe " + + QString::number(cardType.type) + + " f"); + ui->funcTab->setCurrentIndex(1); +} + +void Mifare::setParameterC() +{ + +} + + void Mifare::dump() { util->execCMD("hf mf dump"); diff --git a/module/mifare.h b/module/mifare.h index 6afa996..3057c43 100644 --- a/module/mifare.h +++ b/module/mifare.h @@ -82,6 +82,12 @@ public: CardType cardType; Mifare::CardType getCardType(); void setCardType(int type); + void writeAllC(); + void writeC(); + void readAllC(); + void readC(); + void wipeC(); + void setParameterC(); public slots: signals: diff --git a/ui/mainwindow.cpp b/ui/mainwindow.cpp index 3b3dc5e..54c7190 100644 --- a/ui/mainwindow.cpp +++ b/ui/mainwindow.cpp @@ -198,16 +198,6 @@ void MainWindow::on_MF_Attack_hardnestedButton_clicked() mifare->hardnested(); } -void MainWindow::on_MF_Attack_sniffButton_clicked() -{ - mifare->sniff(); -} - -void MainWindow::on_MF_Attack_listButton_clicked() -{ - mifare->list(); -} - void MainWindow::on_MF_RW_readAllButton_clicked() { mifare->readAll(); 
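Review bot: writeC() shows "Success!" whenever the reply lacks the text "No chinese", so an empty reply after the 150 ms wait, or any other client error, is reported as a completed write. It also concatenates the raw text of MF_RW_blockBox and MF_RW_dataEdit into the command without the data_isDataValid() check that writeAllC() applies a few lines below. Validate both fields before building the command and treat an empty reply as failure, as sketched below. The same absence-of-"No chinese" test guards readC() and readAllC(): when the reply does not match dataPattern, indexOf() returns -1 and the result of `result.mid(-1, 47)` is shown or stored as block data and split into key A/B, so check the offset before calling mid(). writeAllC() discards every result and its KeyA/KeyB comment looks copied from another function, so a partly failed write goes unreported.

```cpp
void Mifare::writeC()
{
    int waitTime = 150;
    bool blockOk = false;
    int block = ui->MF_RW_blockBox->currentText().toInt(&blockOk);
    QString data = ui->MF_RW_dataEdit->text().replace(" ", "");
    // reject anything that is not a block number plus one well-formed block of data
    if(!blockOk || block < 0 || data_isDataValid(data) != DATA_NOSPACE || data.contains('?'))
    {
        QMessageBox::information(parent, tr("info"), tr("Failed!"));
        return;
    }
    QString result = util->execCMDWithOutput("hf mf csetblk "
                     + QString::number(block)
                     + " "
                     + data, waitTime);
    // no reply within waitTime is not a success
    if(!result.isEmpty() && result.indexOf("No chinese") == -1)
    // … unchanged: "Success!" / "Failed!" message boxes …
```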
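Review bot: The six methods added to the public section of Mifare in module/mifare.h carry no comment, and two of them need one: `wipeC()` sends `hf mf cwipe` to the card, and `setParameterC()` has an empty body in module/mifare.cpp in this commit. I would add `// Gen1a backdoor commands: they take no key and only work on magic cards` above the group, `// erases the card; callers should confirm with the user first` on wipeC(), and `// TODO: not implemented yet` on setParameterC(). The class body starts and ends outside the hunk.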
@@ -238,6 +228,36 @@ void MainWindow::on_MF_RW_restoreButton_clicked() mifare->restore(); } +void MainWindow::on_MF_UID_readAllButton_clicked() +{ + mifare->readAllC(); +} + +void MainWindow::on_MF_UID_readBlockButton_clicked() +{ + mifare->readC(); +} + +void MainWindow::on_MF_UID_writeAllButton_clicked() +{ + mifare->writeAllC(); +} + +void MainWindow::on_MF_UID_writeBlockButton_clicked() +{ + mifare->writeC(); +} + +void MainWindow::on_MF_Sniff_sniffButton_clicked() +{ + mifare->sniff(); +} + +void MainWindow::on_MF_Sniff_listButton_clicked() +{ + mifare->list(); +} + void MainWindow::MF_widgetReset() { int secs = mifare->cardType.sectors; @@ -352,4 +372,3 @@ void MainWindow::setTableItem(QTableWidget* widget, int row, int column, const Q widget->item(row, column)->setText(text); } // *********************************************** - diff --git a/ui/mainwindow.h b/ui/mainwindow.h index efa5e33..45a39f7 100644 --- a/ui/mainwindow.h +++ b/ui/mainwindow.h @@ -61,9 +61,9 @@ private slots: void on_MF_Attack_hardnestedButton_clicked(); - void on_MF_Attack_sniffButton_clicked(); + void on_MF_Sniff_sniffButton_clicked(); - void on_MF_Attack_listButton_clicked(); + void on_MF_Sniff_listButton_clicked(); void on_MF_RW_readAllButton_clicked(); @@ -80,6 +80,14 @@ private slots: void on_MF_RW_restoreButton_clicked(); + void on_MF_UID_readAllButton_clicked(); + + void on_MF_UID_readBlockButton_clicked(); + + void on_MF_UID_writeAllButton_clicked(); + + void on_MF_UID_writeBlockButton_clicked(); + private: Ui::MainWindow *ui; QButtonGroup* typeBtnGroup; diff --git a/ui/mainwindow.ui b/ui/mainwindow.ui index 82ed96d..399b511 100644 --- a/ui/mainwindow.ui +++ b/ui/mainwindow.ui @@ -670,7 +670,7 @@ - + 0 @@ -678,7 +678,7 @@ - Write UID + Set Parameter @@ -824,7 +824,7 @@ - + 40 @@ -837,14 +837,14 @@ - + List Sniff Data - + 40 @@ -857,7 +857,7 @@ - + 40 diff --git a/ui/mf_uid_parameterdialog.cpp b/ui/mf_uid_parameterdialog.cpp new file mode 100644 index 0000000..6f22472 
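Review bot: `on_MF_UID_writeAllButton_clicked()` and `on_MF_UID_writeBlockButton_clicked()` in the second ui/mainwindow.cpp hunk start a backdoor write on a single click. writeAllC(), as added in module/mifare.cpp, loops over every sector from 0, which appears to include block 0 and the sector trailers. A confirmation step before the call would stop an accidental overwrite, for example `if(QMessageBox::question(this, tr("info"), tr("Overwrite all blocks on the card?")) != QMessageBox::Yes) return;` at the top of the write-all slot (ui/mainwindow.cpp may need to include QMessageBox). No slot in this hunk calls wipeC() or setParameterC(), so those two stay unreachable from the UI unless they are wired elsewhere.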
--- /dev/null +++ b/ui/mf_uid_parameterdialog.cpp @@ -0,0 +1,14 @@ +#include "mf_uid_parameterdialog.h" +#include "ui_mf_uid_parameterdialog.h" + +MF_UID_parameterDialog::MF_UID_parameterDialog(QWidget *parent) : + QDialog(parent), + ui(new Ui::MF_UID_parameterDialog) +{ + ui->setupUi(this); +} + +MF_UID_parameterDialog::~MF_UID_parameterDialog() +{ + delete ui; +} diff --git a/ui/mf_uid_parameterdialog.h b/ui/mf_uid_parameterdialog.h new file mode 100644 index 0000000..047b647 --- /dev/null +++ b/ui/mf_uid_parameterdialog.h @@ -0,0 +1,22 @@ +#ifndef MF_UID_PARAMETERDIALOG_H +#define MF_UID_PARAMETERDIALOG_H + +#include + +namespace Ui { +class MF_UID_parameterDialog; +} + +class MF_UID_parameterDialog : public QDialog +{ + Q_OBJECT + +public: + explicit MF_UID_parameterDialog(QWidget *parent = nullptr); + ~MF_UID_parameterDialog(); + +private: + Ui::MF_UID_parameterDialog *ui; +}; + +#endif // MF_UID_PARAMETERDIALOG_H diff --git a/ui/mf_uid_parameterdialog.ui b/ui/mf_uid_parameterdialog.ui new file mode 100644 index 0000000..6cee732 --- /dev/null +++ b/ui/mf_uid_parameterdialog.ui @@ -0,0 +1,121 @@ + + + MF_UID_parameterDialog + + + + 0 + 0 + 205 + 186 + + + + Dialog + + + + + + + + UID: + + + + + + + + + + ATQA: + + + + + + + + + + SAK: + + + + + + + + + + + + The parameter will not change if you leave it empty. + + + true + + + + + + + Qt::Vertical + + + + 20 + 40 + + + + + + + + Qt::Horizontal + + + QDialogButtonBox::Cancel|QDialogButtonBox::Ok + + + + + + + + + buttonBox + accepted() + MF_UID_parameterDialog + accept() + + + 248 + 254 + + + 157 + 274 + + + + + buttonBox + rejected() + MF_UID_parameterDialog + reject() + + + 316 + 260 + + + 286 + 274 + + + + +