Merge pull request #3021 from Foxushka/hf-mf-keygen

iceman1001 · web-flow · commit 7b65dfb3b590 · 2025-11-10T20:11:24.000+01:00
Replaced hf mf bambukeys with hf mf keygen with multiple KDFs support + Snapmaker U1 filament spool KDF
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+- Added Snapmaker U1 filament spool KDF in `hf mf keygen` (@Foxushka)
+- Replaced `hf mf bambukeys` with `hf mf keygen` with multiple KDFs support (@Foxushka)
 - Fix `hf seos adf/pacs` handling of cards with different diversifier lengths and different ADF OIDs (@nvx)
 - Added `data qrcode` - to generate QR codes from inside the pm3 client (@iceman1001)
 - Fix unicode on mingw/proxspace (@nvx)
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ The Proxmark3 is the swiss-army tool of RFID, allowing for interactions with the
   - [Generic Proxmark3 platforms](#generic-proxmark3-platforms)
 - [What has changed?](#what-has-changed)
 - [Development](#development)
-  - [Supported operative systems](#supported-operative-systems)
+  - [Supported operating systems](#supported-operating-systems)
   - [Precompiled binaries](#precompiled-binaries)
   - [Proxmark3 GUI](#proxmark3-gui)
   - [Official channels](#official-channels)
@@ -183,7 +183,7 @@ We usually merge your contributions fast since we do like the idea of getting a
 The [public roadmap](https://github.com/RfidResearchGroup/proxmark3/wiki/Public-Roadmap) is an excellent start to read if you are interesting in contributing.
 
 
-## Supported operating systems 
+## Supported operating systems
 
 This repo compiles nicely on 
    - WSL1 on Windows 10
diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c
@@ -5008,7 +5008,7 @@ void printKeyTableEx(size_t sectorscnt, sector_t *e_sector, uint8_t start_sector
                       _YELLOW_("H") ":Hardnested / "
                       _YELLOW_("C") ":statiCnested / "
                       _YELLOW_("A") ":keyA "
-                      " )"
+                            " )"
                      );
         if (sectorscnt == 18) {
             PrintAndLogEx(INFO, "( " _MAGENTA_("*") " ) These sectors used for signature. Lays outside of user memory");
@@ -10880,20 +10880,39 @@ static int CmdHF14AMfISEN(const char *Cmd) {
     return PM3_SUCCESS;
 }
 
-static int CmdHF14AMfBambuKeys(const char *Cmd) {
+static int CmdHF14AMfKeyGen(const char *Cmd) {
     CLIParserContext *ctx;
-    CLIParserInit(&ctx, "hf mf bambukeys",
-                  "Generate keys for a Bambu Lab filament tag",
-                  "hf mf bambukeys -r\n"
-                  "hf mf bambukeys -r -d\n"
-                  "hf mf bambukeys -u 11223344\n"
+
+    char kdf_list[256] = {0};
+    snprintf(kdf_list, sizeof(kdf_list), "Available KDFs:");
+
+    const kdf_t *kdf_table = get_kdf_table();
+    size_t kdf_table_size = get_kdf_table_size();
+
+    for (size_t i = 0; i < kdf_table_size; i++) {
+        char tmp[128];
+        snprintf(tmp, sizeof(tmp), "\n    %zu - %s", i, kdf_table[i].name);
+        strncat(kdf_list, tmp, sizeof(kdf_list) - strlen(kdf_list) - 1);
+    }
+
+    char help_text[512] = {0};
+    snprintf(help_text, sizeof(help_text),
+             "Generate key table for some known KDFs\n%s", kdf_list);
+
+    CLIParserInit(&ctx, "hf mf keygen",
+                  help_text,
+                  "hf mf keygen -r -k 0\n"
+                  "hf mf keygen -r -d -k 0\n"
+                  "hf mf keygen -u 11223344 -k 0\n"
+                  "hf mf keygen -u 11223344 -k 1\n"
                  );
 
     void *argtable[] = {
         arg_param_begin,
-        arg_str0("u", "uid", "<hex>", "UID (4 hex bytes)"),
+        arg_str0("u", "uid", "<hex>", "UID 4/7 hex bytes"),
         arg_lit0("r", NULL, "Read UID from tag"),
         arg_lit0("d", NULL, "Dump keys to file"),
+        arg_int0("k", "kdf", "<dec>", "KDF algorithm"),
         arg_param_end
     };
     CLIExecWithReturn(ctx, Cmd, argtable, true);
@@ -10903,8 +10922,16 @@ static int CmdHF14AMfBambuKeys(const char *Cmd) {
     CLIGetHexWithReturn(ctx, 1, uid, &u_len);
     bool use_tag = arg_get_lit(ctx, 2);
     bool dump_keys = arg_get_lit(ctx, 3);
+    int kdf_idx = arg_get_int_def(ctx, 4, -1);
     CLIParserFree(ctx);
 
+    if (kdf_idx < 0 || kdf_idx >= kdf_table_size) {
+        PrintAndLogEx(WARNING, "Invalid KDF algorithm index. Must be 0-%zu", kdf_table_size - 1);
+        return PM3_EINVARG;
+    }
+
+    kdf_t kdf = kdf_table[kdf_idx];
+
     if (use_tag) {
         // read uid from tag
         int res = mf_read_uid(uid, &u_len, NULL);
@@ -10913,28 +10940,51 @@ static int CmdHF14AMfBambuKeys(const char *Cmd) {
         }
     }
 
-    if (u_len != 4) {
-        PrintAndLogEx(WARNING, "Key must be 4 hex bytes");
+    if (u_len != kdf.uid_length) {
+        PrintAndLogEx(WARNING, "UID with length %d is required for %s",
+                      kdf.uid_length,
+                      kdf.name);
         return PM3_EINVARG;
     }
 
     PrintAndLogEx(INFO, "-----------------------------------");
-    PrintAndLogEx(INFO, " UID 4b... " _YELLOW_("%s"), sprint_hex(uid, 4));
+    PrintAndLogEx(INFO, " KDF...... " _YELLOW_("%s"), kdf.name);
+    PrintAndLogEx(INFO, " UID %db... " _YELLOW_("%s"), u_len, sprint_hex(uid, u_len));
     PrintAndLogEx(INFO, "-----------------------------------");
 
-    uint8_t keys[32 * 6];
-    mfc_algo_bambu_all(uid, (void *)keys);
+    int sector_count = kdf.sector_count;
+    uint8_t *keys = calloc(sector_count * 2 * 6, sizeof(uint8_t));
+    if (keys == NULL) {
+        PrintAndLogEx(WARNING, "Failed to allocate memory");
+        return PM3_EMALLOC;
+    }
 
-    for (int block = 0; block < 32; block++) {
-        PrintAndLogEx(INFO, "%d: %012" PRIX64, block, bytes_to_num(keys + (block * 6), 6));
+    kdf.kdf_function(uid, keys);
+
+    sector_t *e_sector = NULL;
+    if (initSectorTable(&e_sector, sector_count) != PM3_SUCCESS) {
+        free(keys);
+        return PM3_EMALLOC;
     }
 
+    // write required info for table
+    for (int i = 0; i < sector_count; i++) {
+        e_sector[i].foundKey[0] = true;
+        e_sector[i].foundKey[1] = true;
+        e_sector[i].Key[0] = bytes_to_num(keys + (i * 6), 6);
+        e_sector[i].Key[1] = bytes_to_num(keys + ((sector_count + i) * 6), 6);
+    }
+
+    printKeyTable(sector_count, e_sector);
+
     if (dump_keys) {
         char fn[FILE_PATH_SIZE] = {0};
-        snprintf(fn, sizeof(fn), "hf-mf-%s-key", sprint_hex_inrow(uid, 4));
-        saveFileEx(fn, ".bin", keys, 32 * 6, spDump);
+        snprintf(fn, sizeof(fn), "hf-mf-%s-key", sprint_hex_inrow(uid, u_len));
+        saveFileEx(fn, ".bin", keys, sector_count * 2 * 6, spDump);
     }
 
+    free(keys);
+    free(e_sector);
     return PM3_SUCCESS;
 }
 
@@ -10954,7 +11004,7 @@ static command_t CommandTable[] = {
     {"fchk",        CmdHF14AMfChk_fast,     IfPm3Iso14443a,  "Check keys fast, targets all keys on card"},
     {"decrypt",     CmdHf14AMfDecryptBytes, AlwaysAvailable, "Decrypt Crypto1 data from sniff or trace"},
     {"supercard",   CmdHf14AMfSuperCard,    IfPm3Iso14443a,  "Extract info from a `super card`"},
-    {"bambukeys",   CmdHF14AMfBambuKeys,    AlwaysAvailable, "Generate key table for Bambu Lab filament tag"},
+    {"keygen",      CmdHF14AMfKeyGen,       AlwaysAvailable, "Generate key table for some known KDFs"},
     {"-----------", CmdHelp,                IfPm3Iso14443a,  "----------------------- " _CYAN_("operations") " -----------------------"},
     {"auth4",       CmdHF14AMfAuth4,        IfPm3Iso14443a,  "ISO14443-4 AES authentication"},
     {"acl",         CmdHF14AMfAcl,          AlwaysAvailable, "Decode and print MIFARE Classic access rights bytes"},
diff --git a/common/generator.c b/common/generator.c
@@ -280,6 +280,7 @@ uint32_t ul_c_otpgenA(const uint8_t *uid) {
 // Each algo implementation should offer two key generation functions.
 // 1. function that returns all keys
 // 2. function that returns one key, target sector | block
+// Then add function to KDFTable with allowed UID sizes
 //------------------------------------
 
 //------------------------------------
@@ -576,6 +577,68 @@ int mfc_algo_bambu_all(uint8_t *uid, uint8_t *keys) {
     return PM3_SUCCESS;
 }
 
+const uint8_t snapmaker_salt_a[] = "Snapmaker_qwertyuiop[,.;]";
+const uint8_t snapmaker_salt_b[] = "Snapmaker_qwertyuiop[,.;]_1q2w3e";
+
+int mfc_algo_snapmaker_one(uint8_t *uid, uint8_t sector, uint8_t keytype, uint64_t *key) {
+    if (uid == NULL) return PM3_EINVARG;
+    if (key == NULL) return PM3_EINVARG;
+    if (sector >= 16) return PM3_EINVARG;
+
+    const uint8_t *salt = (keytype == 0) ? snapmaker_salt_a : snapmaker_salt_b;
+    size_t salt_len = (keytype == 0) ? sizeof(snapmaker_salt_a) - 1 : sizeof(snapmaker_salt_b) - 1;
+    char key_char = (keytype == 0) ? 'a' : 'b';
+
+    // "key_a_0", "key_b_15"
+    char info[16];
+    snprintf(info, sizeof(info), "key_%c_%d", key_char, sector);
+
+    uint8_t output[6];
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
+    mbedtls_hkdf(md_info, salt, salt_len, uid, 4, (const uint8_t *)info, strlen(info), output, 6);
+
+    *key = bytes_to_num(output, 6);
+    return PM3_SUCCESS;
+}
+
+int mfc_algo_snapmaker_all(uint8_t *uid, uint8_t *keys) {
+    if (uid == NULL) return PM3_EINVARG;
+    if (keys == NULL) return PM3_EINVARG;
+
+    for (int i = 0; i < 16; i++) {
+        uint64_t key = 0;
+        mfc_algo_snapmaker_one(uid, i, 0, &key);
+        num_to_bytes(key, 6, keys + (i * 6));
+    }
+
+    for (int i = 0; i < 16; i++) {
+        uint64_t key = 0;
+        mfc_algo_snapmaker_one(uid, i, 1, &key);
+        num_to_bytes(key, 6, keys + ((16 + i) * 6));
+    }
+
+    return PM3_SUCCESS;
+}
+
+static kdf_t KDFTable[] = {
+    {"Saflok / Maid", 16, mfc_algo_saflok_all, 4},
+    {"MIZIP", 5, mfc_algo_mizip_all, 4},
+    {"Disney Infinity", 5, mfc_algo_di_all, 7},
+    {"Skylanders", 16, mfc_algo_sky_all, 4},
+    {"Bambu Lab Filament Spool", 16, mfc_algo_bambu_all, 4},
+    {"Snapmaker Filament Spool", 16, mfc_algo_snapmaker_all, 4},
+    // {"Vinglock", 16, mfc_algo_ving_all, 4}, // not implemented
+    // {"Yale Doorman", 16, mfc_algo_yale_all, 4}, // not implemented
+};
+
+const kdf_t *get_kdf_table(void) {
+    return KDFTable;
+}
+
+size_t get_kdf_table_size(void) {
+    return ARRAYLEN(KDFTable);
+}
+
 // LF T55x7 White gun cloner algo
 uint32_t lf_t55xx_white_pwdgen(uint32_t id) {
     uint32_t r1 = rotl(id & 0x000000ec, 8);
diff --git a/common/generator.h b/common/generator.h
@@ -40,6 +40,17 @@ uint16_t ul_ev1_packgenG(const uint8_t *uid, const uint8_t *mfg);
 
 uint32_t ul_c_otpgenA(const uint8_t *uid);
 
+// Stucture for KDF function list
+typedef struct {
+    const char *name;
+    int sector_count;
+    int (*kdf_function)(uint8_t *, uint8_t *);
+    int uid_length;
+} kdf_t;
+
+const kdf_t *get_kdf_table(void);
+size_t get_kdf_table_size(void);
+
 int mfc_algo_ving_one(uint8_t *uid, uint8_t sector, uint8_t keytype, uint64_t *key);
 int mfc_algo_ving_all(uint8_t *uid, uint8_t *keys);
 
@@ -64,6 +75,10 @@ int mfc_algo_touch_one(uint8_t *uid, uint8_t sector, uint8_t keytype, uint64_t *
 
 int mfc_algo_bambu_one(uint8_t *uid, uint8_t sector, uint8_t keytype, uint64_t *key);
 int mfc_algo_bambu_all(uint8_t *uid, uint8_t *keys);
+
+int mfc_algo_snapmaker_one(uint8_t *uid, uint8_t sector, uint8_t keytype, uint64_t *key);
+int mfc_algo_snapmaker_all(uint8_t *uid, uint8_t *keys);
+
 uint32_t lf_t55xx_white_pwdgen(uint32_t id);
 
 int mfdes_kdf_input_gallagher(uint8_t *uid, uint8_t uidLen, uint8_t keyNo, uint32_t aid, uint8_t *kdfInputOut, uint8_t *kdfInputLen);
diff --git a/doc/commands.json b/doc/commands.json
@@ -4474,23 +4474,6 @@
             ],
             "usage": "hf mf autopwn [-hablv] [-k <hex>]... [-s <dec>] [-f <fn>] [--suffix <txt>] [--slow] [--mem] [--ns] [--mini] [--1k] [--2k] [--4k] [--in] [--im] [--is] [--ia] [--i2] [--i5]"
         },
-        "hf mf bambukeys": {
-            "command": "hf mf bambukeys",
-            "description": "Generate keys for a Bambu Lab filament tag",
-            "notes": [
-                "hf mf bambukeys -r",
-                "hf mf bambukeys -r -d",
-                "hf mf bambukeys -u 11223344"
-            ],
-            "offline": true,
-            "options": [
-                "-h, --help This help",
-                "-u, --uid <hex> UID (4 hex bytes)",
-                "-r Read UID from tag",
-                "-d Dump keys to file"
-            ],
-            "usage": "hf mf bambukeys [-hrd] [-u <hex>]"
-        },
         "hf mf brute": {
             "command": "hf mf brute",
             "description": "This is a smart bruteforce, exploiting common patterns, bugs and bad designs in key generators.",
@@ -5225,7 +5208,7 @@
         },
         "hf mf help": {
             "command": "hf mf help",
-            "description": "help This help list List MIFARE history hardnested Nested attack for hardened MIFARE Classic cards decrypt Decrypt Crypto1 data from sniff or trace bambukeys Generate key table for Bambu Lab filament tag acl Decode and print MIFARE Classic access rights bytes mad Checks and prints MAD value Value blocks view Display content from tag dump file ginfo Info about configuration of the card gdmparsecfg Parse config block to card --------------------------------------------------------------------------------------- hf mf list available offline: yes Alias of `trace list -t mf -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
+            "description": "help This help list List MIFARE history hardnested Nested attack for hardened MIFARE Classic cards decrypt Decrypt Crypto1 data from sniff or trace keygen Generate key table for some known KDFs acl Decode and print MIFARE Classic access rights bytes mad Checks and prints MAD value Value blocks view Display content from tag dump file ginfo Info about configuration of the card gdmparsecfg Parse config block to card --------------------------------------------------------------------------------------- hf mf list available offline: yes Alias of `trace list -t mf -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
             "notes": [
                 "hf mf list --frame -> show frame delay times",
                 "hf mf list -1 -> use trace buffer"
@@ -5303,6 +5286,25 @@
             ],
             "usage": "hf mf isen [-hab] [--blk <dec>] [-c <dec>] [-k <hex>] [--blk2 <dec>] [--a2] [--b2] [--c2 <dec>] [--key2 <hex>] [-n <dec>] [--reset] [--hardreset] [--addread] [--addauth] [--incblk2] [--corruptnrar] [--corruptnrarparity] FM11RF08S specific options: [--collect_fm11rf08s] [--collect_fm11rf08s_with_data] [--collect_fm11rf08s_without_backdoor] [-f <fn>]"
         },
+        "hf mf keygen": {
+            "command": "hf mf keygen",
+            "description": "Generate key table for some known KDFs Available KDFs: 0 - Saflok / Maid 1 - MIZIP 2 - Disney Infinity 3 - Skylanders 4 - Bambu Lab Filament Spool 5 - Snapmaker Filament Spool",
+            "notes": [
+                "hf mf keygen -r -k 0",
+                "hf mf keygen -r -d -k 0",
+                "hf mf keygen -u 11223344 -k 0",
+                "hf mf keygen -u 11223344 -k 1"
+            ],
+            "offline": true,
+            "options": [
+                "-h, --help This help",
+                "-u, --uid <hex> UID 4/7 hex bytes",
+                "-r Read UID from tag",
+                "-d Dump keys to file",
+                "-k, --kdf <dec> KDF algorithm"
+            ],
+            "usage": "hf mf keygen [-hrd] [-u <hex>] [-k <dec>]"
+        },
         "hf mf mad": {
             "command": "hf mf mad",
             "description": "Checks and prints MIFARE Application Directory (MAD)",
@@ -13699,6 +13701,6 @@
     "metadata": {
         "commands_extracted": 785,
         "extracted_by": "PM3Help2JSON v1.00",
-        "extracted_on": "2025-11-10T15:12:49"
+        "extracted_on": "2025-11-10T17:48:24"
     }
 }
diff --git a/doc/commands.md b/doc/commands.md
@@ -530,7 +530,7 @@ Check column "offline" for their availability.
 |`hf mf fchk             `|N       |`Check keys fast, targets all keys on card`
 |`hf mf decrypt          `|Y       |`Decrypt Crypto1 data from sniff or trace`
 |`hf mf supercard        `|N       |`Extract info from a `super card``
-|`hf mf bambukeys        `|Y       |`Generate key table for Bambu Lab filament tag`
+|`hf mf keygen           `|Y       |`Generate key table for some known KDFs`
 |`hf mf auth4            `|N       |`ISO14443-4 AES authentication`
 |`hf mf acl              `|Y       |`Decode and print MIFARE Classic access rights bytes`
 |`hf mf dump             `|N       |`Dump MIFARE Classic tag to binary file`
