Merge branch 'RfidResearchGroup:master' into master

CHANGELOG.md

@@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+- Updated atrs list (@iceman1001)
+- Added support for a new KDF (@iceman1001)
 - Added Inner range aid and mad entries (@iceman1001)
 - Changed `mem spiffs` - Use all available space in SPI flash (@ANTodorov)
 - Fixed wrong size check in MifareSim (@iceman1001)
@@ -70,6 +72,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - Fixed arguments for `SimulateIso14443aTag` and `SimulateIso14443aInit` in `hf_young.c`, `hf_aveful.c`, `hf_msdsal.c`, `hf_cardhopper.c`, `hf_reblay.c`, `hf_tcprst.c` and `hf_craftbyte.c` (@archi)
 - Added `mf_backdoor_dump.py` script that dumps FM11RF08S and similar (Mifare Classic 1k) tag data that can be directly read by known backdoor keys. (@Aptimex)
 - Added keys for Metro Q transit cards in Huston, TX. (@Anarchothulhu)
+- Add new Mifare Classic keys from MifareClassicTool and Flipper projects. (@onovy)
 
 ## [Backdoor.4.18994][2024-09-10]
 - Changed flashing messages to be less scary (@iceman1001)

armsrc/Standalone/hf_cardhopper.c

@@ -232,7 +232,7 @@ static void become_card(void) {
     uint32_t counters[3] = { 0 };
     uint8_t tearings[3] = { 0xbd, 0xbd, 0xbd };
     uint8_t pages;
-    SimulateIso14443aInit(tagType, flags, data, NULL, &canned, &cuid, counters, tearings, &pages);
+    SimulateIso14443aInit(tagType, flags, data, NULL, 0, &canned, &cuid, counters, tearings, &pages);
 
     DbpString(_CYAN_("[@]") " Setup done - entering emulation loop");
     int fromReaderLen;

armsrc/Standalone/hf_msdsal.c

@@ -379,7 +379,7 @@ void RunMod(void) {
             BigBuf_free_keep_EM();
 
             // tag type: 11 = ISO/IEC 14443-4 - javacard (JCOP)
-            if (SimulateIso14443aInit(11, flags, data, NULL, &responses, &cuid, NULL, NULL, NULL) == false) {
+            if (SimulateIso14443aInit(11, flags, data, NULL, 0, &responses, &cuid, NULL, NULL, NULL) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_RED_("Error initializing the emulation process!"));

armsrc/Standalone/hf_reblay.c

@@ -268,7 +268,7 @@ void RunMod() {
             BigBuf_free_keep_EM();
 
             // 4 = ISO/IEC 14443-4 - javacard (JCOP)
-            if (SimulateIso14443aInit(4, flags, data, NULL, &responses, &cuid, NULL, NULL, NULL) == false) {
+            if (SimulateIso14443aInit(4, flags, data, NULL, 0, &responses, &cuid, NULL, NULL, NULL) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_RED_("Error initializing the emulation process!"));

armsrc/Standalone/hf_tcprst.c

@@ -193,7 +193,7 @@ void RunMod(void) {
 
             memcpy(data, stuid, sizeof(stuid));
 
-            if (SimulateIso14443aInit(tagType, flags, data, NULL, &responses, &cuid, counters, tearings, &pages) == false) {
+            if (SimulateIso14443aInit(tagType, flags, data, NULL, 0, &responses, &cuid, counters, tearings, &pages) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_YELLOW_("!!") "Error initializing the simulation process!");
@@ -371,7 +371,7 @@ void RunMod(void) {
 
             memcpy(data, stuid, sizeof(stuid));
 
-            if (SimulateIso14443aInit(tagType, flags, data, NULL, &responses, &cuid, counters, tearings, &pages) == false) {
+            if (SimulateIso14443aInit(tagType, flags, data, NULL, 0, &responses, &cuid, counters, tearings, &pages) == false) {
                 BigBuf_free_keep_EM();
                 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
                 DbpString(_YELLOW_("!!") "Error initializing the simulation process!");

armsrc/appmain.c

@@ -2748,11 +2748,11 @@ static void PacketReceived(PacketCommandNG *packet) {
                 break;
             }
 
-            if (payload->startidx == DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_p64k)) {
+            if (payload->startidx == DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_pages64k)) {
                 Flash_CheckBusy(BUSY_TIMEOUT);
                 Flash_WriteEnable();
                 Flash_Erase4k(3, 0xC);
-            } else if (payload->startidx ==  DEFAULT_MF_KEYS_OFFSET_P(spi_flash_p64k)) {
+            } else if (payload->startidx ==  DEFAULT_MF_KEYS_OFFSET_P(spi_flash_pages64k)) {
                 Flash_CheckBusy(BUSY_TIMEOUT);
                 Flash_WriteEnable();
                 Flash_Erase4k(3, 0x8);
@@ -2762,11 +2762,11 @@ static void PacketReceived(PacketCommandNG *packet) {
                 Flash_CheckBusy(BUSY_TIMEOUT);
                 Flash_WriteEnable();
                 Flash_Erase4k(3, 0xA);
-            } else if (payload->startidx == DEFAULT_ICLASS_KEYS_OFFSET_P(spi_flash_p64k)) {
+            } else if (payload->startidx == DEFAULT_ICLASS_KEYS_OFFSET_P(spi_flash_pages64k)) {
                 Flash_CheckBusy(BUSY_TIMEOUT);
                 Flash_WriteEnable();
                 Flash_Erase4k(3, 0xB);
-            } else if (payload->startidx == FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_p64k)) {
+            } else if (payload->startidx == FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k)) {
                 Flash_CheckBusy(BUSY_TIMEOUT);
                 Flash_WriteEnable();
                 Flash_Erase4k(3, 0xF);
@@ -2789,7 +2789,7 @@ static void PacketReceived(PacketCommandNG *packet) {
                 LED_B_OFF();
                 break;
             }
-            if (page < spi_flash_p64k-1) {
+            if (page < spi_flash_pages64k - 1) {
                 isok = Flash_WipeMemoryPage(page);
                 // let spiffs check and update its info post flash erase
                 rdv40_spiffs_check();
@@ -2836,7 +2836,7 @@ static void PacketReceived(PacketCommandNG *packet) {
             LED_B_ON();
             rdv40_validation_t *info = (rdv40_validation_t *)BigBuf_malloc(sizeof(rdv40_validation_t));
 
-            bool isok = Flash_ReadData(FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_p64k), info->signature, FLASH_MEM_SIGNATURE_LEN);
+            bool isok = Flash_ReadData(FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k), info->signature, FLASH_MEM_SIGNATURE_LEN);
 
             if (FlashInit()) {
                 Flash_UniqueID(info->flashid);
@@ -2856,11 +2856,11 @@ static void PacketReceived(PacketCommandNG *packet) {
             if (FlashInit()) {
                 isok = true;
                 if (g_dbglevel >= DBG_DEBUG) {
-                    Dbprintf("  CMD_FLASHMEM_PAGE64K 0x%02x (%d 64k pages)", spi_flash_p64k, spi_flash_p64k);
+                    Dbprintf("  CMD_FLASHMEM_PAGE64K 0x%02x (%d 64k pages)", spi_flash_pages64k, spi_flash_pages64k);
                 }
                 FlashStop();
             }
-            reply_mix(CMD_ACK, isok, 0, 0, &spi_flash_p64k, sizeof(uint8_t));
+            reply_mix(CMD_ACK, isok, 0, 0, &spi_flash_pages64k, sizeof(uint8_t));
 
             LED_B_OFF();
             break;

armsrc/lfops.c

@@ -2148,7 +2148,7 @@ void T55xx_ChkPwds(uint8_t flags, bool ledcontrol) {
     BigBuf_Clear_EM();
     uint16_t isok = 0;
     uint8_t counter[2] = {0x00, 0x00};
-    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_p64k), counter, sizeof(counter));
+    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_pages64k), counter, sizeof(counter));
     if (isok != sizeof(counter))
         goto OUT;
 
@@ -2164,7 +2164,7 @@ void T55xx_ChkPwds(uint8_t flags, bool ledcontrol) {
     // adjust available pwd_count
     pwd_count = pwd_size_available / 4;
 
-    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_p64k) + 2, pwds, pwd_size_available);
+    isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_pages64k) + 2, pwds, pwd_size_available);
     if (isok != pwd_size_available)
         goto OUT;
 

armsrc/mifarecmd.c

@@ -1789,7 +1789,7 @@ void MifareChkKeys_fast(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *da
         BigBuf_free();
         uint16_t isok = 0;
         uint8_t size[2] = {0x00, 0x00};
-        isok = Flash_ReadData(DEFAULT_MF_KEYS_OFFSET_P(spi_flash_p64k), size, 2);
+        isok = Flash_ReadData(DEFAULT_MF_KEYS_OFFSET_P(spi_flash_pages64k), size, 2);
         if (isok != 2)
             goto OUT;
 
@@ -1808,7 +1808,7 @@ void MifareChkKeys_fast(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *da
         if (datain == NULL)
             goto OUT;
 
-        isok = Flash_ReadData(DEFAULT_MF_KEYS_OFFSET_P(spi_flash_p64k) + 2, datain, key_mem_available);
+        isok = Flash_ReadData(DEFAULT_MF_KEYS_OFFSET_P(spi_flash_pages64k) + 2, datain, key_mem_available);
         if (isok != key_mem_available)
             goto OUT;
 

armsrc/spiffs_config.h

@@ -236,7 +236,7 @@ typedef uint8_t u8_t;
 // Instead of giving parameters in config struct, singleton build must
 // give parameters in defines below.
 #ifndef SPIFFS_CFG_PHYS_SZ
-#define SPIFFS_CFG_PHYS_SZ(ignore)        (1024 * 64 * (spi_flash_p64k - 1))
+#define SPIFFS_CFG_PHYS_SZ(ignore)        (1024 * 64 * (spi_flash_pages64k - 1))
 #endif
 #ifndef SPIFFS_CFG_PHYS_ERASE_SZ
 #define SPIFFS_CFG_PHYS_ERASE_SZ(ignore)  (4*1024)

client/deps/mbedtls.cmake

@@ -22,7 +22,8 @@ add_library(pm3rrg_rdv4_mbedtls STATIC
         ../../common/mbedtls/des.c
         ../../common/mbedtls/ecdsa.c
         ../../common/mbedtls/md.c
-        ../../common/mbedtls/md5.c
+        ../../common/mbedtls/hkdf.c
+        ../../common/mbedtls/md5.c        
         ../../common/mbedtls/oid.c
         ../../common/mbedtls/pem.c
         ../../common/mbedtls/arc4.c

client/dictionaries/mfc_default_keys.dic

@@ -2726,4 +2726,32 @@ D9D1C447E427
 93B43D689F85
 525A869053F1
 69B25667E0B4
-6AACA2D97645
+6AACA2D97645
+# UK London Office
+435DF6296EC4
+2338B4913222
+# Acces card of students, and more in Occitanie, France
+E9A553102EA5
+F982E971CFED
+1F42AB9159EE
+BBFB836A48B8
+B5D170B2E8F5
+E76978A05F10
+0B1A995DD007
+650DB9CEDB6B
+13E54B4448B7
+3E3540C2C273
+A76152840117
+066CCC7666BC
+3C0B3AC3AFA3
+CCB541598D72
+1988B5D48EC3
+892EEF0D30FB
+0FE5CE5CC640
+# Volgograd (Russia) Volna transport cards keys
+2B787A063D5D
+D37C8F1793F7
+# H World Hotel Chain Room Keys
+543071543071
+5F01015F0101
+200510241234

client/resources/aid_desfire.json

@@ -415,6 +415,14 @@
         "Description": "Digital Keys Sent To The dormakaba mobile access App",
         "Type": "pacs"
     },
+    {
+        "AID": "F534F1",
+        "Vendor": "MOBOTIX AG",
+        "Country": "DE",
+        "Name": "MOBOTIX AG Access Credential",
+        "Description": "T26 Outdoor Station and Access Module Credential",
+        "Type": "pacs"
+    },
     {
         "AID": "F518F0",
         "Vendor": "Telenot Electronic GmbH",
@@ -817,10 +825,10 @@
     },
     {
         "AID": "0000F0",
-        "Vendor": "Metropolitan Transportation Authority (MTA)",
-        "Country": "US",
-        "Name": "OMNY (One Metro New York) (JFK)",
-        "Description": "JFK OMNY (One Metro New York) Card",
+        "Vendor": "Metropolitan Transportation Authority (MTA) / Bayerische Motoren Werke (BMW) AG",
+        "Country": "US / DE",
+        "Name": "OMNY (One Metro New York) (JFK) / BMW Digital Key",
+        "Description": "JFK OMNY (One Metro New York) Card / BMW Digital Key 5B3611-01",
         "Type": "transport"
     },
     {