CHG: FeliCa implemenation by @satsuoni

This commit is contained in:
iceman1001
2017-10-20 20:27:44 +02:00
parent 530c046060
commit 4b63f940f1
20 changed files with 705 additions and 232 deletions


@@ -745,6 +745,114 @@ uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *trace, ui
return tracepos;
}
void printFelica(uint16_t traceLen, uint8_t *trace)
{
PrintAndLog(" Gap | Src | Data | CRC | Annotation |");
PrintAndLog("--------|-----|---------------------------------|----------|-------------------|");
uint16_t tracepos=0;
//I am stripping SYNC
while(tracepos<traceLen)
{
if(tracepos+3>=traceLen) break;
uint16_t gap= (uint16_t)trace[tracepos+1]+((uint16_t)trace[tracepos]>>8);
uint16_t crc_ok=trace[tracepos+2];
tracepos+=3;
if(tracepos+3>=traceLen) break;
uint16_t len=trace[tracepos+2];
//printf("!!! %02x %02x %02x %02x %02x %02x %d",trace[tracepos+0],trace[tracepos+1],trace[tracepos+2],trace[tracepos+3],trace[tracepos+4],trace[tracepos+5],len);
tracepos+=3; //skip SYNC
if(tracepos+len+1>=traceLen) break;
uint8_t cmd=trace[tracepos];
uint8_t isResponse=cmd&1;
char line[32][110];
for (int j = 0; j < len+1 && j/8 < 32; j++)
{
snprintf(line[j/8]+(( j % 8) * 4), 110, " %02x ", trace[tracepos+j]);
}
char expbuf[50];
switch(cmd)
{
case FELICA_POLL_REQ:snprintf(expbuf,49,"Poll Req");break;
case FELICA_POLL_ACK :snprintf(expbuf,49,"Poll Resp");break;
case FELICA_REQSRV_REQ :snprintf(expbuf,49,"Request Srvc Req");break;
case FELICA_REQSRV_ACK :snprintf(expbuf,49,"Request Srv Resp");break;
case FELICA_RDBLK_REQ :snprintf(expbuf,49,"Read block(s) Req");break;
case FELICA_RDBLK_ACK :snprintf(expbuf,49,"Read block(s) Resp");break;
case FELICA_WRTBLK_REQ :snprintf(expbuf,49,"Write block(s) Req");break;
case FELICA_WRTBLK_ACK :snprintf(expbuf,49,"Write block(s) Resp");break;
case FELICA_SRCHSYSCODE_REQ :snprintf(expbuf,49,"Search syscode Req");break;
case FELICA_SRCHSYSCODE_ACK :snprintf(expbuf,49,"Search syscode Resp");break;
case FELICA_REQSYSCODE_REQ :snprintf(expbuf,49,"Request syscode Req");break;
case FELICA_REQSYSCODE_ACK :snprintf(expbuf,49,"Request syscode Resp");break;
case FELICA_AUTH1_REQ :snprintf(expbuf,49,"Auth1 Req");break;
case FELICA_AUTH1_ACK :snprintf(expbuf,49,"Auth1 Resp");break;
case FELICA_AUTH2_REQ :snprintf(expbuf,49,"Auth2 Req");break;
case FELICA_AUTH2_ACK :snprintf(expbuf,49,"Auth2 Resp");break;
case FELICA_RDSEC_REQ :snprintf(expbuf,49,"Secure read Req");break;
case FELICA_RDSEC_ACK :snprintf(expbuf,49,"Secure read Resp");break;
case FELICA_WRTSEC_REQ :snprintf(expbuf,49,"Secure write Req");break;
case FELICA_WRTSEC_ACK :snprintf(expbuf,49,"Secure write Resp");break;
case FELICA_REQSRV2_REQ :snprintf(expbuf,49,"Request Srvc v2 Req");break;
case FELICA_REQSRV2_ACK :snprintf(expbuf,49,"Request Srvc v2 Resp");break;
case FELICA_GETSTATUS_REQ :snprintf(expbuf,49,"Get status Req");break;
case FELICA_GETSTATUS_ACK :snprintf(expbuf,49,"Get status Resp");break;
case FELICA_OSVER_REQ :snprintf(expbuf,49,"Get OS Version Req");break;
case FELICA_OSVER_ACK :snprintf(expbuf,49,"Get OS Version Resp");break;
case FELICA_RESET_MODE_REQ :snprintf(expbuf,49,"Reset mode Req");break;
case FELICA_RESET_MODE_ACK :snprintf(expbuf,49,"Reset mode Resp");break;
case FELICA_AUTH1V2_REQ :snprintf(expbuf,49,"Auth1 v2 Req");break;
case FELICA_AUTH1V2_ACK :snprintf(expbuf,49,"Auth1 v2 Resp");break;
case FELICA_AUTH2V2_REQ :snprintf(expbuf,49,"Auth2 v2 Req");break;
case FELICA_AUTH2V2_ACK :snprintf(expbuf,49,"Auth2 v2 Resp");break;
case FELICA_RDSECV2_REQ :snprintf(expbuf,49,"Secure read v2 Req");break;
case FELICA_RDSECV2_ACK :snprintf(expbuf,49,"Secure read v2 Resp");break;
case FELICA_WRTSECV2_REQ :snprintf(expbuf,49,"Secure write v2 Req");break;
case FELICA_WRTSECV2_ACK :snprintf(expbuf,49,"Secure write v2 Resp");break;
case FELICA_UPDATE_RNDID_REQ :snprintf(expbuf,49,"Update IDr Req");break;
case FELICA_UPDATE_RNDID_ACK :snprintf(expbuf,49,"Update IDr Resp");break;
default: snprintf(expbuf,49,"Unknown");break;
}
int num_lines = MIN((len )/16 + 1, 16);
for (int j = 0; j < num_lines ; j++)
{
if (j == 0) {
PrintAndLog("%7d | %s |%-32s |%02x %02x %s| %s",
gap,
(isResponse ? "Tag" : "Rdr"),
line[j],
trace[tracepos+len],
trace[tracepos+len+1],
(crc_ok) ? "OK" : "NG",
expbuf);
} else {
PrintAndLog(" | |%-32s | | ",
line[j]);
}
}
tracepos+=len+1;
}
PrintAndLog("");
}
int usage_hf_list(){
PrintAndLog("List protocol data in trace buffer.");
PrintAndLog("Usage: hf list <protocol> [f][c]");
@@ -863,6 +971,12 @@ int CmdHFList(const char *Cmd) {
PrintAndLog("Recorded Activity (TraceLen = %d bytes)", traceLen);
PrintAndLog("");
if(protocol==FELICA)
{
printFelica(traceLen,trace);
}
else
{
PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
if ( protocol == ISO_14443A )
PrintAndLog("iso14443a - All times are in carrier periods (1/13.56Mhz)");
@@ -882,7 +996,7 @@ int CmdHFList(const char *Cmd) {
while(tracepos < traceLen) {
tracepos = printTraceLine(tracepos, traceLen, trace, protocol, showWaitCycles, markCRCBytes);
}
}
free(trace);
return 0;
}
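Review bot: The gap computation `uint16_t gap= (uint16_t)trace[tracepos+1]+((uint16_t)trace[tracepos]>>8);` in printFelica always contributes 0 from trace[tracepos], because a byte-sized value shifted right by 8 is cleared; a 16-bit combine looks intended, i.e. `uint16_t gap = (uint16_t)trace[tracepos+1] + ((uint16_t)trace[tracepos] << 8);` (assuming trace[tracepos] is the high byte — confirm against the firmware's trace layout). The same `>>8`/`>>16`/`>>24` pattern recurs in PrintFliteBlock's regA/regB assembly in cmdhffelica.c. Separately, the hex rows are filled 8 bytes per row (`j/8`, `(j % 8) * 4`) while `num_lines` is derived from `(len )/16 + 1`, so a frame longer than 16 bytes loses its trailing rows; deriving the row count from the same stride, `int num_lines = MIN((len + 1 + 7) / 8, 32);`, keeps the two loops consistent.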


@@ -13,23 +13,44 @@ static int CmdHelp(const char *Cmd);
int usage_hf_felica_sim(void) {
PrintAndLog("\n Emulating ISO/18092 FeliCa tag \n");
PrintAndLog("usage: hf felica sim [h] t <type> u <uid> [v]");
PrintAndLog("usage: hf felica sim [h] t <type> [v]");
PrintAndLog("options: ");
PrintAndLog(" h : This help");
PrintAndLog(" t : 1 = FeliCa");
PrintAndLog(" : 2 = FeliCaS");
PrintAndLog(" : 2 = FeliCaLiteS");
PrintAndLog(" v : (Optional) Verbose");
PrintAndLog("samples:");
PrintAndLog(" hf felica sim t 1 u 11223344556677");
PrintAndLog(" hf felica sim t 1 ");
return 0;
}
int usage_hf_felica_sniff(void){
PrintAndLog("It get data from the field and saves it into command buffer.");
PrintAndLog("Buffer accessible from command 'hf list felica'");
PrintAndLog("Usage: hf felica sniff [c][r]");
PrintAndLog("c - triggered by first data from card");
PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
PrintAndLog("sample: hf felica sniff c r");
PrintAndLog("Usage: hf felica sniff <s > <t>");
PrintAndLog(" s samples to skip (decimal)");
PrintAndLog(" t triggers to skip (decimal)");
PrintAndLog("samples:");
PrintAndLog(" hf felica sniff s 1000");
return 0;
}
int usage_hf_felica_simlite(void) {
PrintAndLog("\n Emulating ISO/18092 FeliCa Lite tag \n");
PrintAndLog("usage: hf felica litesim [h] u <uid>");
PrintAndLog("options: ");
PrintAndLog(" h : This help");
PrintAndLog(" uid : UID in hexsymbol");
PrintAndLog("samples:");
PrintAndLog(" hf felica litesim 11223344556677");
return 0;
}
int usage_hf_felica_dumplite(void) {
PrintAndLog("\n Dump ISO/18092 FeliCa Lite tag \n");
PrintAndLog("usage: hf felica litedump [h]");
PrintAndLog("options: ");
PrintAndLog(" h : This help");
PrintAndLog("samples:");
PrintAndLog(" hf felica litedump");
return 0;
}
int usage_hf_felica_raw(void){
@@ -66,13 +87,6 @@ int CmdHFFelicaReader(const char *Cmd) {
iso14a_card_select_t card;
memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
/*
0: couldn't read
1: OK, with ATS
2: OK, no ATS
3: proprietary Anticollision
*/
uint64_t select_status = resp.arg[0];
if (select_status == 0) {
@@ -81,10 +95,6 @@ int CmdHFFelicaReader(const char *Cmd) {
return 0;
}
PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
return select_status;
}
@@ -98,8 +108,8 @@ int CmdHFFelicaSim(const char *Cmd) {
int uidlen = 0;
bool verbose = false;
while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch(param_getchar(Cmd, cmdp)) {
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
return usage_hf_felica_sim();
@@ -155,22 +165,211 @@ int CmdHFFelicaSim(const char *Cmd) {
return 0;
}
int CmdHFFelicaSniff(const char *Cmd) {
int param = 0;
uint8_t ctmp;
for (int i = 0; i < 2; i++) {
ctmp = param_getchar(Cmd, i);
if (ctmp == 'h' || ctmp == 'H') return usage_hf_felica_sniff();
if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
}
int CmdHFFelicaSniff(const char *Cmd) {
UsbCommand c = {CMD_FELICA_SNOOP, {param, 0, 0}};
uint8_t cmdp = 0;
uint64_t samples2skip = 0;
uint64_t triggers2skip = 0;
bool errors = false;
while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch(param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
return usage_hf_felica_sniff();
case 's':
case 'S':
samples2skip = param_get32ex(Cmd, cmdp+1, 0, 10);
cmdp += 2;
break;
case 't':
case 'T':
triggers2skip = param_get32ex(Cmd, cmdp+1, 0, 10);
cmdp += 2;
break;
default:
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = true;
break;
}
}
//Validations
if (errors || cmdp == 0) return usage_hf_felica_sniff();
UsbCommand c = {CMD_FELICA_SNOOP, {samples2skip, triggers2skip, 0}};
clearCommandBuffer();
SendCommand(&c);
return 0;
}
// uid hex
int CmdHFFelicaSimLite(const char *Cmd) {
uint64_t uid = param_get64ex(Cmd, 0, 0, 16);
if (!uid)
return usage_hf_felica_simlite();
UsbCommand c = {CMD_FELICA_LITE_SIM, {uid, 0, 0} };
clearCommandBuffer();
SendCommand(&c);
return 0;
}
uint16_t PrintFliteBlock(uint16_t tracepos, uint8_t *trace,uint16_t tracelen) {
if (tracepos+19 >= tracelen)
return tracelen;
trace += tracepos;
uint8_t blocknum = trace[0];
uint8_t status1 = trace[1];
uint8_t status2 = trace[2];
char line[110] = {0};
for (int j = 0; j < 16; j++) {
snprintf(line+( j * 4),110, "%02x ", trace[j+3]);
}
PrintAndLog( "Block number %02x, status: %02x %02x",blocknum,status1, status2);
switch (blocknum) {
case 0x00: PrintAndLog( "S_PAD0: %s",line);break;
case 0x01: PrintAndLog( "S_PAD1: %s",line);break;
case 0x02: PrintAndLog( "S_PAD2: %s",line);break;
case 0x03: PrintAndLog( "S_PAD3: %s",line);break;
case 0x04: PrintAndLog( "S_PAD4: %s",line);break;
case 0x05: PrintAndLog( "S_PAD5: %s",line);break;
case 0x06: PrintAndLog( "S_PAD6: %s",line);break;
case 0x07: PrintAndLog( "S_PAD7: %s",line);break;
case 0x08: PrintAndLog( "S_PAD8: %s",line);break;
case 0x09: PrintAndLog( "S_PAD9: %s",line);break;
case 0x0a: PrintAndLog( "S_PAD10: %s",line);break;
case 0x0b: PrintAndLog( "S_PAD11: %s",line);break;
case 0x0c: PrintAndLog( "S_PAD12: %s",line);break;
case 0x0d: PrintAndLog( "S_PAD13: %s",line);break;
case 0x0E: {
uint32_t regA = trace[3] + (trace[4]>>8) + (trace[5]>>16) + (trace[6]>>24);
uint32_t regB = trace[7] + (trace[8]>>8) + (trace[9]>>16) + (trace[10]>>24);
line[0] = 0;
for (int j = 0; j < 8; j++)
snprintf(line+( j * 2),110, "%02x", trace[j+11]);
PrintAndLog( "REG: regA: %d regB: %d regC: %s ", regA, regB, line);
}
break;
case 0x80: PrintAndLog( "Random Challenge, WO: %s ", line); break;
case 0x81: PrintAndLog( "MAC, only set on dual read: %s ", line); break;
case 0x82: {
char idd[20];
char idm[20];
for (int j = 0; j < 8; j++)
snprintf(idd+( j * 2),20, "%02x", trace[j+3]);
for (int j = 0; j < 6; j++)
snprintf(idm+( j * 2),20, "%02x", trace[j+13]);
PrintAndLog( "ID Block, IDd: 0x%s DFC: 0x%02x%02x Arb: %s ", idd, trace[11], trace [12], idm);
}
break;
case 0x83: {
char idm[20];
char pmm[20];
for (int j = 0; j < 8; j++)
snprintf(idm+( j * 2),20, "%02x", trace[j+3]);
for (int j = 0; j < 8; j++)
snprintf(pmm+( j * 2),20, "%02x", trace[j+11]);
PrintAndLog( "DeviceId: IDm: 0x%s PMm: 0x%s ", idm, pmm);
}
break;
case 0x84: PrintAndLog( "SER_C: 0x%02x%02x ", trace[3], trace[4]); break;
case 0x85: PrintAndLog( "SYS_Cl 0x%02x%02x ", trace[3], trace[4]); break;
case 0x86: PrintAndLog( "CKV (key version): 0x%02x%02x ", trace[3], trace[4]); break;
case 0x87: PrintAndLog( "CK (card key), WO: %s ", line); break;
case 0x88: {
PrintAndLog( "Memory Configuration (MC):");
PrintAndLog( "MAC needed to write state: %s", trace[3+12]? "on" : "off");
//order might be off here...
PrintAndLog("Write with MAC for S_PAD : %s ", sprint_bin(trace+3+10, 2) );
PrintAndLog("Write with AUTH for S_PAD : %s ", sprint_bin(trace+3+8, 2) );
PrintAndLog("Read after AUTH for S_PAD : %s ", sprint_bin(trace+3+6, 2) );
PrintAndLog( "MAC needed to write CK and CKV: %s", trace[3+5] ? "on" : "off");
PrintAndLog( "RF parameter: %02x", (trace[3+4] & 0x7) );
PrintAndLog( "Compatible with NDEF: %s", trace[3+3] ? "yes" : "no");
PrintAndLog( "Memory config writable : %s", (trace[3+2] == 0xff) ? "yes" : "no");
PrintAndLog("RW access for S_PAD : %s ", sprint_bin(trace+3, 2) );
}
break;
case 0x90: {
PrintAndLog( "Write count, RO: %02x %02x %02x ", trace[3], trace[4], trace[5]);
}
break;
case 0x91: {
PrintAndLog( "MAC_A, RW (auth): %s ", line);
}
break;
case 0x92: {
PrintAndLog( "State:");
PrintAndLog( "Polling disabled: %s", trace[3+8] ? "yes" : "no");
PrintAndLog( "Authenticated: %s", trace[3] ? "yes" : "no");
}
break;
case 0xa0: {
PrintAndLog( "CRC of all bloacks match : %s", (trace[3+2]==0xff) ? "no" : "yes");
}
break;
default:
PrintAndLog( "INVALID %d: %s", blocknum, line);
break;
}
return tracepos+19;
}
int CmdHFFelicaDumpLite(const char *Cmd) {
//usage_hf_felica_dumplite();
UsbCommand c = {CMD_FELICA_LITE_DUMP, {0,0,0}};
clearCommandBuffer();
SendCommand(&c);
uint16_t tracepos = 0;
uint8_t *trace;
trace = malloc(USB_CMD_DATA_SIZE);
if ( trace == NULL ) {
PrintAndLog("Cannot allocate memory for trace");
return 1;
}
// Query for the size of the trace
UsbCommand response;
GetFromBigBuf(trace, USB_CMD_DATA_SIZE, 0);
if ( !WaitForResponseTimeout(CMD_ACK, &response, 4000) ) {
PrintAndLog("timeout while waiting for reply.");
return 1;
}
uint16_t traceLen = response.arg[2];
if (traceLen > USB_CMD_DATA_SIZE) {
uint8_t *p = realloc(trace, traceLen);
if (p == NULL) {
PrintAndLog("Cannot allocate memory for trace");
free(trace);
return 2;
}
trace = p;
GetFromBigBuf(trace, traceLen, 0);
WaitForResponse(CMD_ACK, NULL);
}
PrintAndLog("Recorded Activity (TraceLen = %d bytes)", traceLen);
while (tracepos < traceLen) {
tracepos = PrintFliteBlock(tracepos, trace, traceLen);
}
free(trace);
return 0;
}
int CmdHFFelicaCmdRaw(const char *cmd) {
UsbCommand c = {CMD_FELICA_COMMAND, {0, 0, 0}};
bool reply = 1;
@@ -323,12 +522,15 @@ void waitCmdFelica(uint8_t iSelect) {
}
static command_t CommandTable[] = {
{"help", CmdHelp, 1, "This help"},
{"list", CmdHFFelicaList, 0, "[Deprecated] List ISO 18092/FeliCa history"},
{"reader", CmdHFFelicaReader, 0, "Act like an ISO18092/FeliCa reader"},
{"sim", CmdHFFelicaSim, 0, "<UID> -- Simulate ISO 18092/FeliCa tag"},
{"sniff", CmdHFFelicaSniff, 0, "sniff ISO 18092/Felica traffic"},
{"raw", CmdHFFelicaCmdRaw, 0, "Send raw hex data to tag"},
{"help", CmdHelp, 1, "This help"},
{"list", CmdHFFelicaList, 0, "[Deprecated] List ISO 18092/FeliCa history"},
{"reader", CmdHFFelicaReader, 0, "Act like an ISO18092/FeliCa reader"},
{"sim", CmdHFFelicaSim, 0, "<UID> -- Simulate ISO 18092/FeliCa tag"},
{"sniff", CmdHFFelicaSniff, 0, "sniff ISO 18092/Felica traffic"},
{"raw", CmdHFFelicaCmdRaw, 0, "Send raw hex data to tag"},
{"litesim", CmdHFFelicaSimLite, 0, "<NDEF2> - only reply to poll request"},
{"litedump", CmdHFFelicaDumpLite, 0, "Wait for and try dumping FelicaLite"},
{NULL, NULL, 0, NULL}
};
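Review bot: CmdHFFelicaDumpLite leaks `trace` on the timeout path: after `trace = malloc(USB_CMD_DATA_SIZE)` the `if ( !WaitForResponseTimeout(CMD_ACK, &response, 4000) )` branch returns 1 without freeing it, unlike the realloc-failure branch just below that does free; change it to `PrintAndLog("timeout while waiting for reply."); free(trace); return 1;`. In PrintFliteBlock, `regA` and `regB` are assembled with `trace[4]>>8`, `trace[5]>>16`, `trace[6]>>24` (and likewise for trace[8..10]), which evaluate to 0 for byte-sized values, so only trace[3] and trace[7] survive; left shifts look intended, with the byte order to be confirmed against the FeliCa Lite register layout. The guard `if (tracepos+19 >= tracelen)` is one byte stricter than the 19 bytes the function actually reads (indices 0..18 of the shifted pointer), so a block that ends exactly at tracelen is silently skipped; `if (tracepos + 19 > tracelen)` matches the reads.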


@@ -38,4 +38,9 @@ extern int usage_hf_felica_sniff(void);
extern int usage_hf_fFelica_raw(void);
void waitCmdFelica(uint8_t iSelect);
//temp
extern int CmdHFFelicaSimLite(const char *Cmd);
extern int CmdHFFelicaDumpLite(const char *Cmd);
#endif