@maxieds
Forked from ceres-c/CR95HF_ICODE_psw_dump.py
Created August 25, 2020 15:51
CR95HF Python script to read NXP ICODE tags in privacy mode
#!/usr/bin/python3
# Author: ceres-c 2019-12-29
# Authenticate to ICODE SLI tags

import sys

import hid

# Global defines & commands
password = [0x00, 0x00, 0x00, 0x00] # You have to find it yourself, try to search online in german ;-)
cmd_get_random = [0x02, 0xB2, 0x04]
cmd_set_pswd = [0x02, 0xB3, 0x04, 0x04] # The password must be appended
cmd_read_data = [0x02, 0x20] # The sector you want to read must be appended


def CR95HF_ISO15_configure(h, append_crc=True, dual_subcarrier=False, modulation_10=False, wait_for_SOF=False, speed=0):
    '''
    Allows to configure ISO15693 reader parameters
    Args:
        h (hid device object)
        append_crc (bool): If True ISO15 CRC is added after the data APDU.
        dual_subcarrier (bool): If True data is sent in dual subcarrier mode, else single sub
        modulation_10 (bool): If True 10% modulation, else 100% mod
        wait_for_SOF (bool): If True the reader will wait for tag's SOF, else it'll respect ISO's standard 312-μs delay
        speed (int): Can assume the following values
            0: 26 Kbps (H)
            1: 52 Kbps
            2: 6 Kbps (L)
            3: RFU
    '''
    payload = []
    payload.append(0x01) # HID related, not relevant
    payload.append(0x02) # CR95HF ProtocolSelect command
    payload.append(0x02) # Length of following data
    payload.append(0x01) # ISO15693 protocol selection

    # Pack the options into the single ProtocolSelect parameter byte
    parameters = 0
    parameters |= (append_crc << 0)
    parameters |= (dual_subcarrier << 1)
    parameters |= (modulation_10 << 2)
    parameters |= (wait_for_SOF << 3)
    parameters |= (speed << 4)
    payload.append(parameters)

    h.write(payload)
    h.read(64) # This is used only to empty the buffer


def CR95HF_ISO15_send_recv(h, data):
    '''
    Allows to send and receive data from an NFC ISO15693 tag
    Args:
        h (hid device object)
        data (byte list)
    Return:
        (int, byte list) A tuple with the error code and the data from the tag.
        Successful read has a 0x80 error code
        Other errors can be found in the CR95HF datasheet
    '''
    payload = []
    payload.append(0x01) # HID related, not relevant
    payload.append(0x04) # SendRecv command
    payload.append(len(data))
    payload.extend(data)

    h.write(payload)
    d = h.read(64)
    ret_code = d[1]
    ret_data = d[3:d[2]+2] # Data length is in response byte 2
    return (ret_code, ret_data)


# connect to reader
h = hid.device()
h.open(0x0483, 0xd0d0)

CR95HF_ISO15_configure(h, wait_for_SOF=True)

# Ask the tag for a random number; byte 0 of the response is the flags byte
ret_code, random = CR95HF_ISO15_send_recv(h, cmd_get_random)
if ret_code != 0x80:
    print("Error code 0x{:02X} reading random from the tag!".format(ret_code))
    h.close()
    sys.exit(1)

# The 4-byte password is XORed with the 2 random bytes, repeated twice
password_xor = []
password_xor.append(password[0] ^ random[1])
password_xor.append(password[1] ^ random[2])
password_xor.append(password[2] ^ random[1])
password_xor.append(password[3] ^ random[2])

cmd_set_pswd.extend(password_xor)
print("Auth command payload:", [hex(i) for i in cmd_set_pswd])

ret_code, auth_res = CR95HF_ISO15_send_recv(h, cmd_set_pswd)
if ret_code != 0x80:
    print("Error code 0x{:02X} authenticating to the tag!".format(ret_code))
    h.close()
    sys.exit(1)
else:
    print("Successfully authenticated to the tag")

# Read the first 8 blocks now that the tag answers read commands
for i in range(0, 8):
    cmd_read_data_updated = cmd_read_data + [i]
    ret_code, read_data = CR95HF_ISO15_send_recv(h, cmd_read_data_updated)
    if ret_code != 0x80:
        print("Error code 0x{:02X} reading block {}".format(ret_code, i))
        continue
    print("Block:", i, "data:", [hex(b) for b in read_data])

h.close()
sys.exit(0) # Normal termination
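
An offline harness for the exchange above, added here as an example and not part of ceres-c's gist: `FakeReader` is a constructed stand-in for the `hid` device that plays both the CR95HF and a tag in privacy mode, so the GET RANDOM / SET PASSWORD / READ sequence can be exercised without hardware. The 0x87 "no tag" result code, the placeholder CRC and status bytes, the tag staying silent on a wrong password, and the helper names are assumptions.

```python
import os

OK, NO_TAG = 0x80, 0x87  # 0x80 is checked by the script; 0x87 is an assumed timeout code

class FakeReader:
    """Constructed stand-in for hid.device(): a CR95HF plus one tag in privacy mode."""
    def __init__(self, password, blocks):
        self.password, self.blocks = password, blocks
        self.rnd, self.unlocked, self.reply = None, False, []

    def _tag(self, data):
        """Tag side: return the response bytes, or None when the tag stays silent."""
        cmd, args = data[1], data[2:]
        if cmd == 0xB2:                        # GET RANDOM NUMBER: flags + 2 random bytes
            self.rnd = list(os.urandom(2))
            return [0x00] + self.rnd
        if cmd == 0xB3 and self.rnd:           # SET PASSWORD: needs a fresh random
            expect = [p ^ r for p, r in zip(self.password, self.rnd * 2)]
            self.unlocked, self.rnd = args[2:6] == expect, None  # random is single-use
            return [0x00] if self.unlocked else None
        if cmd == 0x20 and self.unlocked:      # READ SINGLE BLOCK, only once unlocked
            return [0x00] + self.blocks[args[0]]
        return None

    def write(self, payload):
        """Reader side: only SendRecv frames (0x01, 0x04, len, data...) are modelled."""
        resp = self._tag(payload[3:3 + payload[2]])
        if resp is None:
            self.reply = [0x00, NO_TAG, 0x00]
        else:  # tag bytes + 2 placeholder CRC bytes + 1 reader status byte
            self.reply = [0x00, OK, len(resp) + 3] + resp + [0x00, 0x00, 0x00]

    def read(self, size):
        return self.reply

def send_recv(h, data):
    """Same framing and slicing as CR95HF_ISO15_send_recv in the script above."""
    h.write([0x01, 0x04, len(data)] + data)
    d = h.read(64)
    return d[1], d[3:d[2] + 2]

def unlock_and_read(h, password, block):
    """GET RANDOM -> SET PASSWORD (XOR-masked) -> READ; returns (code, 4 block bytes)."""
    _, rnd = send_recv(h, [0x02, 0xB2, 0x04])
    masked = [password[i] ^ rnd[1 + i % 2] for i in range(4)]
    send_recv(h, [0x02, 0xB3, 0x04, 0x04] + masked)
    code, data = send_recv(h, [0x02, 0x20, block])
    return code, data[1:5]  # skip the flags byte, drop the trailing CRC bytes
```

Calling `unlock_and_read(FakeReader(pw, blocks), pw, 0)` with a constructed password and block list returns the block, while a read sent before unlocking comes back with the timeout code and no data.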
maxieds commented Aug 25, 2020

@ceres-c
I just ordered the device you suggested here (emsec #218). It will be here in a few days. In the meantime, do you want to collaborate on a more detailed set of controller Python scripts for the device? I can already tell that I'm going to want to modify your code to make some extensive tests for the DESFire project. Probably better to break some of this up into multiple Python scripts.


ceres-c commented Aug 25, 2020

I'm in.
Fire me an email when you can to exchange contacts, so we can coordinate.


maxieds commented Aug 25, 2020

@ceres-c
It might be a moot point after this success today. I will still have the device at my door next week to look at. I might not have as much time to swing writing good code with it if my good luck persists with the KAOS device. Let's still plan on working on a repo together. Do you want to create the repo so I can fork it? Then I can submit a PR or two with my piece if that's good with you.


ceres-c commented Aug 26, 2020

Well, if you solved your issue we can mark this up as low priority.
I can still create a repo and generalize this code, of course, but it'd probably be smarter on my end to finally polish and get merged an old branch of my chameleon fork with a new application. If this is not needed for you ATM we can delay this a bit? If you want to create your own repo in the meantime with the code you already have, I'll work on it in the coming days (weeks?)

Nice you got the code to work smoothly, btw :)


maxieds commented Aug 26, 2020

Yeah, let's put it on the back burner for now. Unless my current NFC USB stick starts acting up again, then I will create the repo and send you a collaborator invite. At some point I will get to that device.
