dash/proxmark3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into allin

Browse Source 
update 201110
This commit is contained in:
tharexde
2020-11-10 00:47:13 +01:00
parent 8682d48419 089ae507be
commit 8a1558757c
62 changed files with 2074 additions and 1149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
armsrc/BigBuf.c
View File

@@ -129,6 +129,16 @@ uint8_t *BigBuf_malloc(uint16_t chunksize) {
return (uint8_t *)BigBuf + s_bigbuf_hi;
}
// allocate a chunk of memory from BigBuf, and returns a pointer to it.
// sets the memory to zero
uint8_t *BigBuf_calloc(uint16_t chunksize) {
uint8_t *mem = BigBuf_malloc(chunksize);
if (mem != NULL) {
memset(mem, 0x00, chunksize);
}
return mem;
}
// free ALL allocated chunks. The whole BigBuf is available for traces or samples again.
void BigBuf_free(void) {
s_bigbuf_hi = s_bigbuf_size;

3
armsrc/BigBuf.h
View File

@@ -34,6 +34,7 @@ void BigBuf_Clear_ext(bool verbose);
void BigBuf_Clear_keep_EM(void);
void BigBuf_Clear_EM(void);
uint8_t *BigBuf_malloc(uint16_t);
uint8_t *BigBuf_calloc(uint16_t);
void BigBuf_free(void);
void BigBuf_free_keep_EM(void);
void BigBuf_print_status(void);
@@ -46,10 +47,8 @@ bool get_tracing(void);
bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag);
bool LogTrace_ISO15693(const uint8_t *bytes, uint16_t len, uint32_t ts_start, uint32_t ts_end, uint8_t *parity, bool reader2tag);
uint8_t emlSet(uint8_t *data, uint32_t offset, uint32_t length);
typedef struct {
int max;
int bit;

2
armsrc/Standalone/hf_iceclass.c
View File

@@ -132,7 +132,7 @@ static void download_instructions(uint8_t t) {
DbpString("The collected data was saved to SPIFFS. The file names below may differ");
DbpString("1. " _YELLOW_("mem spiffs tree"));
DbpString("2. " _YELLOW_("mem spiffs dump o " HF_ICLASS_ATTACK_BIN " f " HF_ICLASS_ATTACK_BIN));
DbpString("3. " _YELLOW_("hf iclass loclass f " HF_ICLASS_ATTACK_BIN));
DbpString("3. " _YELLOW_("hf iclass loclass -f " HF_ICLASS_ATTACK_BIN));
break;
}
case ICE_STATE_READER: {

73
armsrc/Standalone/hf_tcprst.c
View File

@@ -26,7 +26,7 @@ void ModInfo(void) {
/* This standalone implements four different modes: reading, simulating, dumping, & emulating.
*
* The initial mode is reading with LEDs A & D.
* The initial mode is reading with LEDs A & D.
* In this mode, the Proxmark is looking for an ST25TA card like those used by the IKEA Rothult,
* it will act as reader, and store the UID for simulation.
*
@@ -37,8 +37,8 @@ void ModInfo(void) {
* Once it gets the key, it will switch to dump mode (LEDs C & D) automatically. During this mode the Proxmark
* will act as a reader once again, but now we know the Read Protection key to authenticate to the card to dump
* it's contents so we can achieve full emulation.
*
* Once it dumps the contents of the card, it will switch to emulation mode (LED C) automatically.
*
* Once it dumps the contents of the card, it will switch to emulation mode (LED C) automatically.
* During this mode the Proxmark should function as the original ST25TA IKEA Rothult Master Key
*
* Keep pressing the button down will quit the standalone cycle.
@@ -68,13 +68,13 @@ void RunMod(void) {
// APDUs necessary to dump NDEF
// ----------------------------
// Select NDEF Application
uint8_t ndef_app[13] = {0x00, 0xa4, 0x04, 0x00, 0x07, 0xd2, 0x76, 0x00, 0x00, 0x85, 0x01, 0x01, 0x00};
uint8_t ndef_app[13] = {0x00, 0xa4, 0x04, 0x00, 0x07, 0xd2, 0x76, 0x00, 0x00, 0x85, 0x01, 0x01, 0x00};
// Select NDEF File
uint8_t ndef_sel[7] = {0x00, 0xa4, 0x00, 0x0c, 0x02, 0x00, 0x01};
uint8_t ndef_sel[7] = {0x00, 0xa4, 0x00, 0x0c, 0x02, 0x00, 0x01};
// Read verification without password
uint8_t verify[5] = {0x00, 0x20, 0x00, 0x01, 0x00};
uint8_t verify[5] = {0x00, 0x20, 0x00, 0x01, 0x00};
// Read verification with password
uint8_t verify_pwd[21] = {0x00, 0x20, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
uint8_t verify_pwd[21] = {0x00, 0x20, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
// Read NDEF file contents
uint8_t ndef_read[5] = {0x00, 0xb0, 0x00, 0x00, 0x1d};
@@ -90,15 +90,6 @@ void RunMod(void) {
// Did we get the NDEF file contents from the card
bool gotndef = false;
//For emulation steps
#define ATQA 0
#define UIDC1 1
#define UIDC2 2
#define SAKC1 3
#define SAKC2 4
#define RATS 5
#define SIGNATURE 7
#define PPS 8
//ST25TA Rothult values
#define SAK 0x20
@@ -173,12 +164,12 @@ void RunMod(void) {
DbpString(_YELLOW_("+") "Found ISO 14443 Type A!");
if (card_a_info.sak == SAK && card_a_info.atqa[0] == ATQA0 && card_a_info.atqa[1] == ATQA1 && card_a_info.uidlen == 7) {
DbpString(_YELLOW_("+") "Found ST25TA with UID: ");
Dbhexdump(card_a_info.uidlen, card_a_info.uid, 0);
memcpy(stuid, card_a_info.uid, card_a_info.uidlen);
state = STATE_SIM;
DbpString(_YELLOW_("+") "Found ST25TA with UID: ");
Dbhexdump(card_a_info.uidlen, card_a_info.uid, 0);
memcpy(stuid, card_a_info.uid, card_a_info.uidlen);
state = STATE_SIM;
} else {
DbpString("Found non-ST25TA card, ignoring.");
DbpString("Found non-ST25TA card, ignoring.");
}
}
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -232,23 +223,23 @@ void RunMod(void) {
if (receivedCmd[0] == ISO14443A_CMD_REQA && len == 1) { // Received a REQUEST
odd_reply = !odd_reply;
if (odd_reply)
p_response = &responses[ATQA];
p_response = &responses[RESP_INDEX_ATQA];
} else if (receivedCmd[0] == ISO14443A_CMD_HALT && len == 4) { // Received a HALT
p_response = NULL;
} else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
p_response = &responses[ATQA];
} else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
p_response = &responses[RESP_INDEX_ATQA];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) { // Received request for UID (cascade 1)
p_response = &responses[UIDC1];
p_response = &responses[RESP_INDEX_UIDC1];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 2) { // Received request for UID (cascade 2)
p_response = &responses[UIDC2];
p_response = &responses[RESP_INDEX_UIDC2];
} else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 9) { // Received a SELECT (cascade 1)
p_response = &responses[SAKC1];
p_response = &responses[RESP_INDEX_SAKC1];
} else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 9) { // Received a SELECT (cascade 2)
p_response = &responses[SAKC2];
p_response = &responses[RESP_INDEX_SAKC2];
} else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) { // Received a RATS request
p_response = &responses[RATS];
p_response = &responses[RESP_INDEX_RATS];
} else if (receivedCmd[0] == ISO14443A_CMD_PPS) {
p_response = &responses[PPS];
p_response = &responses[RESP_INDEX_PPS];
} else {
DbpString(_YELLOW_("[ ") "Card reader command" _YELLOW_(" ]"));
Dbhexdump(len, receivedCmd, false);
@@ -337,7 +328,7 @@ void RunMod(void) {
Dbhexdump(apdulen - 2, apdubuffer, false);
DbpString("----");
if (i == 4) {
if (apdubuffer[1] == 0x1b && apdubuffer[2] == 0xd1 && !gotndef) { //Get NDEF Data
gotndef = true;
@@ -345,7 +336,7 @@ void RunMod(void) {
break;
}
}
} else {
DbpString(_YELLOW_("!!") "Error reading the card");
}
@@ -413,23 +404,23 @@ void RunMod(void) {
if (receivedCmd[0] == ISO14443A_CMD_REQA && len == 1) { // Received a REQUEST
odd_reply = !odd_reply;
if (odd_reply)
p_response = &responses[ATQA];
p_response = &responses[RESP_INDEX_ATQA];
} else if (receivedCmd[0] == ISO14443A_CMD_HALT && len == 4) { // Received a HALT
p_response = NULL;
} else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
p_response = &responses[ATQA];
} else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
p_response = &responses[RESP_INDEX_ATQA];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) { // Received request for UID (cascade 1)
p_response = &responses[UIDC1];
p_response = &responses[RESP_INDEX_UIDC1];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 2) { // Received request for UID (cascade 2)
p_response = &responses[UIDC2];
p_response = &responses[RESP_INDEX_UIDC2];
} else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 9) { // Received a SELECT (cascade 1)
p_response = &responses[SAKC1];
p_response = &responses[RESP_INDEX_SAKC1];
} else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 9) { // Received a SELECT (cascade 2)
p_response = &responses[SAKC2];
p_response = &responses[RESP_INDEX_SAKC2];
} else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) { // Received a RATS request
p_response = &responses[RATS];
p_response = &responses[RESP_INDEX_RATS];
} else if (receivedCmd[0] == ISO14443A_CMD_PPS) {
p_response = &responses[PPS];
p_response = &responses[RESP_INDEX_PPS];
} else {
DbpString(_YELLOW_("[ ") "Card reader command" _YELLOW_(" ]"));
Dbhexdump(len, receivedCmd, false);

26
armsrc/appmain.c
View File

@@ -65,6 +65,9 @@
#include "spiffs.h"
#endif
int DBGLEVEL = DBG_ERROR;
uint8_t g_trigger = 0;
bool g_hf_field_active = false;
extern uint32_t _stack_start, _stack_end;
struct common_area common_area __attribute__((section(".commonarea")));
static int button_status = BUTTON_NO_CLICK;
@@ -88,6 +91,12 @@ int tearoff_hook(void) {
}
}
void hf_field_off(void) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
g_hf_field_active = false;
}
void send_wtx(uint16_t wtx) {
if (allow_send_wtx) {
reply_ng(CMD_WTX, PM3_SUCCESS, (uint8_t *)&wtx, sizeof(wtx));
@@ -1545,9 +1554,10 @@ static void PacketReceived(PacketCommandNG *packet) {
struct p {
uint8_t counter;
uint32_t tearoff_time;
uint8_t value[4];
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
MifareU_Counter_Tearoff(payload->counter, payload->tearoff_time);
MifareU_Counter_Tearoff(payload->counter, payload->tearoff_time, payload->value);
break;
}
case CMD_HF_MIFARE_STATIC_NONCE: {
@@ -1686,7 +1696,7 @@ static void PacketReceived(PacketCommandNG *packet) {
struct p *payload = (struct p *)packet->data.asBytes;
uint8_t *mem = BigBuf_get_addr();
memcpy(mem + payload->idx, payload->data, payload->bytes_in_packet);
uint8_t a = 0, b = 0;
compute_crc(CRC_14443_A, mem + payload->idx, payload->bytes_in_packet, &a, &b);
int res = PM3_SUCCESS;
@@ -1704,14 +1714,14 @@ static void PacketReceived(PacketCommandNG *packet) {
} PACKED;
struct p *payload = (struct p *)packet->data.asBytes;
uint8_t *fwdata = BigBuf_get_addr();
uint8_t *fwdata = BigBuf_get_addr();
uint8_t a = 0, b = 0;
compute_crc(CRC_14443_A, fwdata, payload->fw_size, &a, &b);
if (payload->crc != (a << 8 | b)) {
Dbprintf("CRC Failed, 0x[%04x] != 0x[%02x%02x]", payload->crc, a, b);
reply_ng(CMD_SMART_UPGRADE, PM3_ESOFT, NULL, 0);
} else {
} else {
SmartCardUpgrade(payload->fw_size);
}
fwdata = NULL;
@@ -2341,14 +2351,6 @@ void __attribute__((noreturn)) AppMain(void) {
*p = 0xdeadbeef;
}
if (common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
/* Initialize common area */
memset(&common_area, 0, sizeof(common_area));
common_area.magic = COMMON_AREA_MAGIC;
common_area.version = 1;
}
common_area.flags.osimage_present = 1;
LEDsoff();
// The FPGA gets its clock from us from PCK0 output, so set that up.

4
armsrc/appmain.h
View File

@@ -13,9 +13,9 @@
#include "common.h"
extern int g_rsamples; // = 0;
extern uint8_t g_trigger;
extern bool g_hf_field_active;
void hf_field_off(void);
int tearoff_hook(void);
// ADC Vref = 3300mV, and an (10M+1M):1M voltage divider on the HF input can measure voltages up to 36300 mV

81
armsrc/epa.c
View File

@@ -22,10 +22,12 @@
#include "commonutil.h"
#include "ticks.h"
#ifdef WITH_ISO14443a
// Protocol and Parameter Selection Request for ISO 14443 type A cards
// use regular (1x) speed in both directions
// CRC is already included
static const uint8_t pps[] = {0xD0, 0x11, 0x00, 0x52, 0xA6};
#endif
// APDUs for communication with German Identification Card
@@ -116,9 +118,25 @@ static char iso_type = 0;
static int EPA_APDU(uint8_t *apdu, size_t length, uint8_t *response, uint16_t respmaxlen) {
switch (iso_type) {
case 'a':
#ifdef WITH_ISO14443a
return iso14_apdu(apdu, (uint16_t) length, false, response, NULL);
#else
(void) apdu;
(void) length;
(void) response;
(void) respmaxlen;
return PM3_ENOTIMPL;
#endif
case 'b':
#ifdef WITH_ISO14443b
return iso14443b_apdu(apdu, length, false, response, respmaxlen, NULL);
#else
(void) apdu;
(void) length;
(void) response;
(void) respmaxlen;
return PM3_ENOTIMPL;
#endif
default:
return 0;
}
@@ -522,39 +540,46 @@ void EPA_PACE_Replay(PacketCommandNG *c) {
//-----------------------------------------------------------------------------
int EPA_Setup(void) {
// first, look for type A cards
// power up the field
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
iso14a_card_select_t card_a_info;
int return_code = iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false);
#ifdef WITH_ISO14443a
{
// first, look for type A cards
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
// power up the field
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
iso14a_card_select_t card_a_info;
int return_code = iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false);
if (return_code == 1) {
uint8_t pps_response[3];
uint8_t pps_response_par[1];
// send the PPS request
ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
return_code = ReaderReceive(pps_response, pps_response_par);
if (return_code != 3 || pps_response[0] != 0xD0) {
return return_code == 0 ? 2 : return_code;
if (return_code == 1) {
uint8_t pps_response[3];
uint8_t pps_response_par[1];
// send the PPS request
ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
return_code = ReaderReceive(pps_response, pps_response_par);
if (return_code != 3 || pps_response[0] != 0xD0) {
return return_code == 0 ? 2 : return_code;
}
Dbprintf("ISO 14443 Type A");
iso_type = 'a';
return 0;
}
Dbprintf("ISO 14443 Type A");
iso_type = 'a';
return 0;
}
#endif
#ifdef WITH_ISO14443b
{
// if we're here, there is no type A card, so we look for type B
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
// power up the field
iso14443b_setup();
iso14b_card_select_t card_b_info;
int return_code = iso14443b_select_card(&card_b_info);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
// if we're here, there is no type A card, so we look for type B
// power up the field
iso14443b_setup();
iso14b_card_select_t card_b_info;
return_code = iso14443b_select_card(&card_b_info);
if (return_code == 0) {
Dbprintf("ISO 14443 Type B");
iso_type = 'b';
return 0;
if (return_code == 0) {
Dbprintf("ISO 14443 Type B");
iso_type = 'b';
return 0;
}
}
#endif
Dbprintf("No card found");
return 1;
}

2
armsrc/hitagS.c
View File

@@ -103,8 +103,6 @@ static bool end = false;
#define HITAG_T_TAG_CAPTURE_THREE_HALF 41
#define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
#define DBGLEVEL 0
/*
* Implementation of the crc8 calculation from Hitag S
* from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf

8
armsrc/i2c.c
View File

@@ -670,7 +670,7 @@ bool GetATR(smart_card_atr_t *card_ptr, bool verbose) {
// 1byte = 1ms , max frame 256bytes. Should wait 256ms atleast just in case.
if (I2C_WaitForSim() == false)
return false;
// read bytes from module
uint8_t len = sizeof(card_ptr->atr);
if (sc_rx_bytes(card_ptr->atr, &len) == false)
@@ -713,8 +713,8 @@ void SmartCardAtr(void) {
set_tracing(true);
I2C_Reset_EnterMainProgram();
smart_card_atr_t card;
int res = GetATR(&card, true) ? PM3_SUCCESS : PM3_ETIMEOUT;
reply_ng(CMD_SMART_ATR, res, (uint8_t*)&card, sizeof(smart_card_atr_t));
int res = GetATR(&card, true) ? PM3_SUCCESS : PM3_ETIMEOUT;
reply_ng(CMD_SMART_ATR, res, (uint8_t *)&card, sizeof(smart_card_atr_t));
set_tracing(false);
LEDsoff();
}
@@ -827,7 +827,7 @@ void SmartCardUpgrade(uint64_t arg0) {
length -= size;
pos += size;
}
reply_ng(CMD_SMART_UPGRADE, (isOK) ? PM3_SUCCESS : PM3_ESOFT, NULL, 0);
LED_C_OFF();
BigBuf_free();

74
armsrc/iclass.c
View File

@@ -1776,13 +1776,19 @@ void iClass_Dump(uint8_t *msg) {
BigBuf_free();
}
static bool iclass_writeblock_ext(uint8_t blockno, uint8_t *data, uint8_t *mac) {
static bool iclass_writeblock_ext(uint8_t blockno, uint8_t *data, uint8_t *mac, bool use_mac) {
// write command: cmd, 1 blockno, 8 data, 4 mac
uint8_t write[16] = { 0x80 | ICLASS_CMD_UPDATE, blockno };
uint8_t write[14] = { 0x80 | ICLASS_CMD_UPDATE, blockno };
uint8_t write_len = 14;
memcpy(write + 2, data, 8);
memcpy(write + 10, mac, 4);
AddCrc(write + 1, 13);
if (use_mac) {
memcpy(write + 10, mac, 4);
} else {
AddCrc(write + 1, 9);
write_len -= 2;
}
uint8_t resp[10] = {0};
uint32_t eof_time = 0, start_time = 0;
@@ -1819,7 +1825,8 @@ void iClass_WriteBlock(uint8_t *msg) {
iclass_writeblock_req_t *payload = (iclass_writeblock_req_t *)msg;
uint8_t write[16] = { 0x80 | ICLASS_CMD_UPDATE, payload->req.blockno };
uint8_t write[14] = { 0x80 | ICLASS_CMD_UPDATE, payload->req.blockno };
uint8_t write_len = 14;
Iso15693InitReader();
@@ -1844,23 +1851,30 @@ void iClass_WriteBlock(uint8_t *msg) {
}
}
// calc new mac for write
uint8_t wb[9];
wb[0] = payload->req.blockno;
memcpy(wb + 1, payload->data, 8);
if (payload->req.use_replay) {
doMAC_N(wb, sizeof(wb), payload->req.key + 4, mac);
// new block data
memcpy(write + 2, payload->data, 8);
uint8_t pagemap = get_pagemap(&hdr);
if (pagemap == PICOPASS_NON_SECURE_PAGEMODE) {
// Unsecured tags uses CRC16, but don't include the UPDATE operation code
// byte0 = update op
// byte1 = block no
// byte2..9 = new block data
AddCrc(write + 1, 9);
write_len -= 2;
} else {
// Secure tags uses MAC
uint8_t wb[9];
wb[0] = payload->req.blockno;
memcpy(wb + 1, payload->data, 8);
if (payload->req.use_credit_key)
doMAC_N(wb, sizeof(wb), hdr.key_c, mac);
else
doMAC_N(wb, sizeof(wb), hdr.key_d, mac);
}
memcpy(write + 2, payload->data, 8); // data
memcpy(write + 10, mac, sizeof(mac)); // mac
AddCrc(write + 1, 13);
memcpy(write + 10, mac, sizeof(mac));
}
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
@@ -1869,7 +1883,7 @@ void iClass_WriteBlock(uint8_t *msg) {
uint8_t tries = 3;
while (tries-- > 0) {
iclass_send_as_reader(write, sizeof(write), &start_time, &eof_time);
iclass_send_as_reader(write, write_len, &start_time, &eof_time);
if (tearoff_hook() == PM3_ETEAROFF) { // tearoff occured
res = false;
@@ -1961,22 +1975,30 @@ void iClass_Restore(iclass_restore_req_t *msg) {
}
// main loop
bool use_mac;
for (uint8_t i = 0; i < msg->item_cnt; i++) {
iclass_restore_item_t item = msg->blocks[i];
// calc new mac for data, using 1b blockno, 8b data,
uint8_t wb[9] = {0};
wb[0] = item.blockno;
memcpy(wb + 1, item.data, 8);
uint8_t pagemap = get_pagemap(&hdr);
if (pagemap == PICOPASS_NON_SECURE_PAGEMODE) {
// Unsecured tags uses CRC16
use_mac = false;
} else {
// Secure tags uses MAC
use_mac = true;
uint8_t wb[9] = {0};
wb[0] = item.blockno;
memcpy(wb + 1, item.data, 8);
if (msg->req.use_credit_key)
doMAC_N(wb, sizeof(wb), hdr.key_c, mac);
else
doMAC_N(wb, sizeof(wb), hdr.key_d, mac);
if (msg->req.use_credit_key)
doMAC_N(wb, sizeof(wb), hdr.key_c, mac);
else
doMAC_N(wb, sizeof(wb), hdr.key_d, mac);
}
// data + mac
if (iclass_writeblock_ext(item.blockno, item.data, mac)) {
if (iclass_writeblock_ext(item.blockno, item.data, mac, use_mac)) {
Dbprintf("Write block [%02x] " _GREEN_("successful"), item.blockno);
written++;
} else {

172
armsrc/iso14443a.c
View File

@@ -28,12 +28,9 @@
#define MAX_ISO14A_TIMEOUT 524288
static uint32_t iso14a_timeout;
// if iso14443a not active - transmit/receive dont try to execute
static bool hf_field_active = false;
static uint8_t colpos = 0;
int g_rsamples = 0;
uint8_t g_trigger = 0;
// the block number for the ISO14443-4 PCB
static uint8_t iso14_pcb_blocknum = 0;
@@ -161,7 +158,7 @@ void printHf14aConfig(void) {
);
Dbprintf(" [r] RATS override.......%i %s%s%s",
hf14aconfig.forcerats,
(hf14aconfig.forcerats == 0) ? "( " _GREEN_("No") " q follow standard " : "",
(hf14aconfig.forcerats == 0) ? "( " _GREEN_("No") " ) follow standard " : "",
(hf14aconfig.forcerats == 1) ? "( " _RED_("Yes") " ) always do RATS" : "",
(hf14aconfig.forcerats == 2) ? "( " _RED_("Yes") " ) always skip RATS" : ""
);
@@ -1005,10 +1002,14 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
static uint8_t rUIDc1[5] = { 0x00 };
// For UID size 7,
static uint8_t rUIDc2[5] = { 0x00 };
// Prepare the mandatory SAK (for 4 and 7 byte UID)
// For UID size 10,
static uint8_t rUIDc3[5] = { 0x00 };
// Prepare the mandatory SAK (for 4, 7 and 10 byte UID)
static uint8_t rSAKc1[3] = { 0x00 };
// Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
// Prepare the optional second SAK (for 7 and 10 byte UID), drop the cascade bit for 7b
static uint8_t rSAKc2[3] = { 0x00 };
// Prepare the optional third SAK (for 10 byte UID), drop the cascade bit
static uint8_t rSAKc3[3] = { 0x00 };
// dummy ATS (pseudo-ATR), answer to RATS
// static uint8_t rRATS[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 };
static uint8_t rRATS[] = { 0x05, 0x75, 0x80, 0x60, 0x02, 0x00, 0x00 };
@@ -1017,7 +1018,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
static uint8_t rVERSION[10] = { 0x00 };
// READ_SIG response for EV1/NTAG
static uint8_t rSIGN[34] = { 0x00 };
// PPS respoonse
// PPS response
static uint8_t rPPS[3] = { 0xD0 };
switch (tagType) {
@@ -1101,7 +1102,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
case 10: { // ST25TA IKEA Rothult
rATQA[0] = 0x42;
rATQA[1] = 0x00;
sak = 0x00;
sak = 0x20;
}
break;
@@ -1127,11 +1128,25 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
}
}
if ((flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA) {
if ((flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) {
rUIDc1[0] = data[0];
rUIDc1[1] = data[1];
rUIDc1[2] = data[2];
rUIDc1[3] = data[3];
rUIDc1[4] = rUIDc1[0] ^ rUIDc1[1] ^ rUIDc1[2] ^ rUIDc1[3];
// Configure the ATQA and SAK accordingly
rATQA[0] &= 0xBF;
rSAKc1[0] = sak & 0xFB;
AddCrc14A(rSAKc1, sizeof(rSAKc1) - 2);
*cuid = bytes_to_num(data, 4);
} else if ((flags & FLAG_7B_UID_IN_DATA) == FLAG_7B_UID_IN_DATA) {
rUIDc1[0] = 0x88; // Cascade Tag marker
rUIDc1[1] = data[0];
rUIDc1[2] = data[1];
rUIDc1[3] = data[2];
rUIDc1[4] = rUIDc1[0] ^ rUIDc1[1] ^ rUIDc1[2] ^ rUIDc1[3];
rUIDc2[0] = data[3];
rUIDc2[1] = data[4];
@@ -1140,37 +1155,49 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
rUIDc2[4] = rUIDc2[0] ^ rUIDc2[1] ^ rUIDc2[2] ^ rUIDc2[3];
// Configure the ATQA and SAK accordingly
rATQA[0] &= 0xBF;
rATQA[0] |= 0x40;
sak |= 0x04;
rSAKc1[0] = 0x04;
rSAKc2[0] = sak & 0xFB;
AddCrc14A(rSAKc1, sizeof(rSAKc1) - 2);
AddCrc14A(rSAKc2, sizeof(rSAKc2) - 2);
*cuid = bytes_to_num(data + 3, 4);
} else if ((flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) {
memcpy(rUIDc1, data, 4);
} else if ((flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) {
rUIDc1[0] = 0x88; // Cascade Tag marker
rUIDc1[1] = data[0];
rUIDc1[2] = data[1];
rUIDc1[3] = data[2];
rUIDc1[4] = rUIDc1[0] ^ rUIDc1[1] ^ rUIDc1[2] ^ rUIDc1[3];
rUIDc2[0] = 0x88; // Cascade Tag marker
rUIDc2[1] = data[3];
rUIDc2[2] = data[4];
rUIDc2[3] = data[5];
rUIDc2[4] = rUIDc2[0] ^ rUIDc2[1] ^ rUIDc2[2] ^ rUIDc2[3];
rUIDc3[0] = data[6];
rUIDc3[1] = data[7];
rUIDc3[2] = data[8];
rUIDc3[3] = data[9];
rUIDc3[4] = rUIDc3[0] ^ rUIDc3[1] ^ rUIDc3[2] ^ rUIDc3[3];
// Configure the ATQA and SAK accordingly
rATQA[0] &= 0xBF;
sak &= 0xFB;
*cuid = bytes_to_num(data, 4);
rATQA[0] |= 0x80;
rSAKc1[0] = 0x04;
rSAKc2[0] = 0x04;
rSAKc3[0] = sak & 0xFB;
AddCrc14A(rSAKc1, sizeof(rSAKc1) - 2);
AddCrc14A(rSAKc2, sizeof(rSAKc2) - 2);
AddCrc14A(rSAKc3, sizeof(rSAKc3) - 2);
*cuid = bytes_to_num(data + 3 + 3, 4);
} else {
if (DBGLEVEL >= DBG_ERROR) Dbprintf("[-] ERROR: UID size not defined");
return false;
}
// Calculate BCC for the first 4 bytes of the UID.
rUIDc1[4] = rUIDc1[0] ^ rUIDc1[1] ^ rUIDc1[2] ^ rUIDc1[3];
if (tagType == 10) {
rSAKc1[0] = 0x04;
rSAKc2[0] = 0x20;
} else {
rSAKc1[0] = sak;
rSAKc2[0] = sak & 0xFB;
}
// crc
AddCrc14A(rSAKc1, sizeof(rSAKc1) - 2);
AddCrc14A(rSAKc2, sizeof(rSAKc2) - 2);
// Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
// TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
// TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
@@ -1179,24 +1206,25 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
AddCrc14A(rPPS, sizeof(rPPS) - 2);
#define TAG_RESPONSE_COUNT 9
static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
static tag_response_info_t responses_init[] = {
{ .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type
{ .response = rUIDc1, .response_n = sizeof(rUIDc1) }, // Anticollision cascade1 - respond with uid
{ .response = rUIDc2, .response_n = sizeof(rUIDc2) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
{ .response = rUIDc3, .response_n = sizeof(rUIDc3) }, // Anticollision cascade3 - respond with 3rd half of uid if asked
{ .response = rSAKc1, .response_n = sizeof(rSAKc1) }, // Acknowledge select - cascade 1
{ .response = rSAKc2, .response_n = sizeof(rSAKc2) }, // Acknowledge select - cascade 2
{ .response = rSAKc3, .response_n = sizeof(rSAKc3) }, // Acknowledge select - cascade 3
{ .response = rRATS, .response_n = sizeof(rRATS) }, // dummy ATS (pseudo-ATR), answer to RATS
{ .response = rVERSION, .response_n = sizeof(rVERSION) }, // EV1/NTAG GET_VERSION response
{ .response = rSIGN, .response_n = sizeof(rSIGN) }, // EV1/NTAG READ_SIG response
{ .response = rPPS, .response_n = sizeof(rPPS) } // PPS response
};
// "precompile" responses. There are 9 predefined responses with a total of 72 bytes data to transmit.
// "precompile" responses. There are 11 predefined responses with a total of 80 bytes data to transmit.
// Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
// 72 * 8 data bits, 72 * 1 parity bits, 9 start bits, 9 stop bits, 9 correction bits -- 677 bytes buffer
#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 675
// 576 + 72 + 9 + 9 + 9 == 675
// 80 * 8 data bits, 80 * 1 parity bits, 11 start bits, 11 stop bits, 11 correction bits
// 80 * 8 + 80 + 11 + 11 + 11 == 753
#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 753
uint8_t *free_buffer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
// modulation buffer pointer and current buffer free space size
@@ -1205,7 +1233,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
// Prepare the responses of the anticollision phase
// there will be not enough time to do this at the moment the reader sends it REQA
for (size_t i = 0; i < TAG_RESPONSE_COUNT; i++) {
for (size_t i = 0; i < ARRAYLEN(responses_init); i++) {
if (prepare_allocated_tag_modulation(&responses_init[i], &free_buffer_pointer, &free_buffer_size) == false) {
BigBuf_free_keep_EM();
if (DBGLEVEL >= DBG_ERROR) Dbprintf("Not enough modulation buffer size, exit after %d elements", i);
@@ -1215,16 +1243,6 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
*responses = responses_init;
// indices into responses array:
#define ATQA 0
#define UIDC1 1
#define UIDC2 2
#define SAKC1 3
#define SAKC2 4
#define RATS 5
#define VERSION 6
#define SIGNATURE 7
#define PPS 8
return true;
}
@@ -1289,16 +1307,18 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
// To control where we are in the protocol
#define ORDER_NONE 0
#define ORDER_REQA 1
#define ORDER_SELECT_ALL_CL1 2
#define ORDER_SELECT_CL1 3
//#define ORDER_REQA 1
//#define ORDER_SELECT_ALL_CL1 2
//#define ORDER_SELECT_CL1 3
#define ORDER_HALTED 5
#define ORDER_WUPA 6
#define ORDER_AUTH 7
#define ORDER_SELECT_ALL_CL2 20
#define ORDER_SELECT_CL2 30
//#define ORDER_SELECT_ALL_CL2 20
//#define ORDER_SELECT_CL2 25
//#define ORDER_SELECT_ALL_CL3 30
//#define ORDER_SELECT_CL3 35
#define ORDER_EV1_COMP_WRITE 40
#define ORDER_RATS 70
//#define ORDER_RATS 70
uint8_t order = ORDER_NONE;
int retval = PM3_SUCCESS;
@@ -1416,19 +1436,23 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
} else if (receivedCmd[0] == ISO14443A_CMD_REQA && len == 1) { // Received a REQUEST, but in HALTED, skip
odd_reply = !odd_reply;
if (odd_reply)
p_response = &responses[ATQA];
p_response = &responses[RESP_INDEX_ATQA];
} else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
p_response = &responses[ATQA];
p_response = &responses[RESP_INDEX_ATQA];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) { // Received request for UID (cascade 1)
p_response = &responses[UIDC1];
p_response = &responses[RESP_INDEX_UIDC1];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 2) { // Received request for UID (cascade 2)
p_response = &responses[UIDC2];
p_response = &responses[RESP_INDEX_UIDC2];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && len == 2) { // Received request for UID (cascade 3)
p_response = &responses[RESP_INDEX_UIDC3];
} else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 9) { // Received a SELECT (cascade 1)
p_response = &responses[SAKC1];
p_response = &responses[RESP_INDEX_SAKC1];
} else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 9) { // Received a SELECT (cascade 2)
p_response = &responses[SAKC2];
p_response = &responses[RESP_INDEX_SAKC2];
} else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && len == 9) { // Received a SELECT (cascade 3)
p_response = &responses[RESP_INDEX_SAKC3];
} else if (receivedCmd[0] == ISO14443A_CMD_PPS) {
p_response = &responses[PPS];
p_response = &responses[RESP_INDEX_PPS];
} else if (receivedCmd[0] == ISO14443A_CMD_READBLOCK && len == 4) { // Received a (plain) READ
uint8_t block = receivedCmd[1];
// if Ultralight or NTAG (4 byte blocks)
@@ -1450,7 +1474,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
// FM11005SH. 16blocks, 4bytes / block.
// block0 = 2byte Customer ID (CID), 2byte Manufacture ID (MID)
// block1 = 4byte UID.
p_response = &responses[UIDC1];
p_response = &responses[RESP_INDEX_UIDC1];
} else { // all other tags (16 byte block tags)
uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
emlGetMemBt(emdata, block, 16);
@@ -1512,7 +1536,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
}
p_response = NULL;
} else if (receivedCmd[0] == MIFARE_ULEV1_READSIG && len == 4 && tagType == 7) { // Received a READ SIGNATURE --
p_response = &responses[SIGNATURE];
p_response = &responses[RESP_INDEX_SIGNATURE];
} else if (receivedCmd[0] == MIFARE_ULEV1_READ_CNT && len == 4 && tagType == 7) { // Received a READ COUNTER --
uint8_t index = receivedCmd[1];
if (index > 2) {
@@ -1561,7 +1585,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
p_response = NULL;
order = ORDER_HALTED;
} else if (receivedCmd[0] == MIFARE_ULEV1_VERSION && len == 3 && (tagType == 2 || tagType == 7)) {
p_response = &responses[VERSION];
p_response = &responses[RESP_INDEX_VERSION];
} else if ((receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) && len == 4 && tagType != 2 && tagType != 7) { // Received an authentication request
cardAUTHKEY = receivedCmd[0] - 0x60;
cardAUTHSC = receivedCmd[1] / 4; // received block num
@@ -1579,7 +1603,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
EmSend4bit(CARD_NACK_NA);
p_response = NULL;
} else {
p_response = &responses[RATS];
p_response = &responses[RESP_INDEX_RATS];
}
} else if (receivedCmd[0] == MIFARE_ULC_AUTH_1) { // ULC authentication, or Desfire Authentication
LogTrace(receivedCmd, Uart.len, Uart.startTime * 16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime * 16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, true);
@@ -1633,7 +1657,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) {
dynamic_response_info.response[0] = receivedCmd[0];
dynamic_response_info.response[1] = 0x90;
dynamic_response_info.response[2] = 0x00;
dynamic_response_info.response_n = 3;
dynamic_response_info.response_n = 3;
} else {
dynamic_response_info.response[0] = receivedCmd[0];
dynamic_response_info.response[1] = 0x90;
@@ -1787,7 +1811,7 @@ static void PrepareDelayedTransfer(uint16_t delay) {
//-------------------------------------------------------------------------------------
static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing) {
if (!hf_field_active) {
if (!g_hf_field_active) {
Dbprintf("Warning: HF field is off, ignoring TransmitFor14443a command");
return;
}
@@ -2187,7 +2211,7 @@ bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_Start
//-----------------------------------------------------------------------------
bool GetIso14443aAnswerFromTag_Thinfilm(uint8_t *receivedResponse, uint8_t *received_len) {
if (!hf_field_active) {
if (!g_hf_field_active) {
Dbprintf("Warning: HF field is off, ignoring GetIso14443aAnswerFromTag_Thinfilm command");
return false;
}
@@ -2237,7 +2261,7 @@ bool GetIso14443aAnswerFromTag_Thinfilm(uint8_t *receivedResponse, uint8_t *rec
static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset) {
uint32_t c = 0;
if (!hf_field_active)
if (!g_hf_field_active)
return false;
// Set FPGA mode to "reader listen mode", no modulation (listen
@@ -2337,7 +2361,7 @@ void iso14443a_antifuzz(uint32_t flags) {
uint8_t *received = BigBuf_malloc(MAX_FRAME_SIZE);
uint8_t *receivedPar = BigBuf_malloc(MAX_PARITY_SIZE);
uint8_t *resp = BigBuf_malloc(20);
memset(received, 0x00, MAX_FRAME_SIZE);
memset(received, 0x00, MAX_PARITY_SIZE);
memset(resp, 0xFF, 20);
@@ -2731,13 +2755,7 @@ void iso14443a_setup(uint8_t fpga_minor_mode) {
NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER;
iso14a_set_timeout(1060); // 106 * 10ms default
hf_field_active = true;
}
void hf_field_off(void) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
hf_field_active = false;
g_hf_field_active = true;
}
/* Peter Fillmore 2015

16
armsrc/iso14443a.h
View File

@@ -84,6 +84,21 @@ typedef struct {
uint8_t *parity;
} tUart14a;
// indices into responses array:
typedef enum {
RESP_INDEX_ATQA,
RESP_INDEX_UIDC1,
RESP_INDEX_UIDC2,
RESP_INDEX_UIDC3,
RESP_INDEX_SAKC1,
RESP_INDEX_SAKC2,
RESP_INDEX_SAKC3,
RESP_INDEX_RATS,
RESP_INDEX_VERSION,
RESP_INDEX_SIGNATURE,
RESP_INDEX_PPS
} resp_index_t;
#ifndef AddCrc14A
# define AddCrc14A(data, len) compute_crc(CRC_14443_A, (data), (len), (data)+(len), (data)+(len)+1)
#endif
@@ -129,7 +144,6 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, bool send_chaining, void *data, u
int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *p_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats);
int iso14443a_fast_select_card(uint8_t *uid_ptr, uint8_t num_cascades);
void iso14a_set_trigger(bool enable);
void hf_field_off(void);
int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen);
int EmSend4bit(uint8_t resp);

218
armsrc/iso14443b.c
View File

@@ -717,6 +717,211 @@ void SimulateIso14443bTag(uint8_t *pupi) {
switch_off(); //simulate
}
/*
void Simulate_iso14443b_srx_tag(uint8_t *uid) {
LED_A_ON();
/ SRI512
> initiate 06 00 ISO14443B_INITIATE
< xx crc crc
> select 0e xx ISO14443B_SELECT
< xx nn nn
> readblock 08 blck_no ISO14443B_READ_BLK
< d0 d1 d2 d3 2byte crc
> get uid ISO14443B_GET_UID
< 81 93 99 20 92 11 02 (8byte UID in MSB D002 199220 999381)
#define ISO14443B_REQB 0x05
#define ISO14443B_ATTRIB 0x1D
#define ISO14443B_HALT 0x50
#define ISO14443B_INITIATE 0x06
#define ISO14443B_SELECT 0x0E
#define ISO14443B_GET_UID 0x0B
#define ISO14443B_READ_BLK 0x08
#define ISO14443B_WRITE_BLK 0x09
#define ISO14443B_RESET 0x0C
#define ISO14443B_COMPLETION 0x0F
#define ISO14443B_AUTHENTICATE 0x0A
#define ISO14443B_PING 0xBA
#define ISO14443B_PONG 0xAB
static const uint8_t resp_init_srx[] = { 0x73, 0x64, 0xb1 };
uint8_t resp_select_srx[] = { 0x73, 0x64, 0xb1 };
// a default uid, or user supplied
uint8_t resp_getuid_srx[10] = {
0x81, 0x93, 0x99, 0x20, 0x92, 0x11, 0x02, 0xD0, 0x00, 0x00
};
// ...UID supplied from user. Adjust ATQB response accordingly
if (memcmp("\x00\x00\x00\x00\x00\x00\x00\x00", uid, 8) != 0) {
memcpy(resp_getuid_srx, uid, 8);
AddCrc14B(resp_getuid_srx, 8);
}
// response to HLTB and ATTRIB
static const uint8_t respOK[] = {0x00, 0x78, 0xF0};
// setup device.
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
// connect Demodulated Signal to ADC:
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
// Set up the synchronous serial port
FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
// allocate command receive buffer
BigBuf_free();
BigBuf_Clear_ext(false);
clear_trace();
set_tracing(true);
uint16_t len, cmdsReceived = 0;
int cardSTATE = SIM_NOFIELD;
int vHf = 0; // in mV
tosend_t *ts = get_tosend();
uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
// prepare "ATQB" tag answer (encoded):
CodeIso14443bAsTag(respATQB, sizeof(respATQB));
uint8_t *encodedATQB = BigBuf_malloc(ts->max);
uint16_t encodedATQBLen = ts->max;
memcpy(encodedATQB, ts->buf, ts->max);
// prepare "OK" tag answer (encoded):
CodeIso14443bAsTag(respOK, sizeof(respOK));
uint8_t *encodedOK = BigBuf_malloc(ts->max);
uint16_t encodedOKLen = ts->max;
memcpy(encodedOK, ts->buf, ts->max);
// Simulation loop
while (BUTTON_PRESS() == false) {
WDT_HIT();
//iceman: limit with 2000 times..
if (data_available()) {
break;
}
// find reader field
if (cardSTATE == SIM_NOFIELD) {
#if defined RDV4
vHf = (MAX_ADC_HF_VOLTAGE_RDV40 * SumAdc(ADC_CHAN_HF_RDV40, 32)) >> 15;
#else
vHf = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15;
#endif
if (vHf > MF_MINFIELDV) {
cardSTATE = SIM_IDLE;
LED_A_ON();
}
}
if (cardSTATE == SIM_NOFIELD) continue;
// Get reader command
if (!GetIso14443bCommandFromReader(receivedCmd, &len)) {
Dbprintf("button pressed, received %d commands", cmdsReceived);
break;
}
// ISO14443-B protocol states:
// REQ or WUP request in ANY state
// WUP in HALTED state
if (len == 5) {
if ((receivedCmd[0] == ISO14443B_REQB && (receivedCmd[2] & 0x8) == 0x8 && cardSTATE == SIM_HALTED) ||
receivedCmd[0] == ISO14443B_REQB) {
LogTrace(receivedCmd, len, 0, 0, NULL, true);
cardSTATE = SIM_SELECTING;
}
}
/
* How should this flow go?
* REQB or WUPB
* send response ( waiting for Attrib)
* ATTRIB
* send response ( waiting for commands 7816)
* HALT
send halt response ( waiting for wupb )
/
switch (cardSTATE) {
//case SIM_NOFIELD:
case SIM_HALTED:
case SIM_IDLE: {
LogTrace(receivedCmd, len, 0, 0, NULL, true);
break;
}
case SIM_SELECTING: {
TransmitFor14443b_AsTag(encodedATQB, encodedATQBLen);
LogTrace(respATQB, sizeof(respATQB), 0, 0, NULL, false);
cardSTATE = SIM_WORK;
break;
}
case SIM_HALTING: {
TransmitFor14443b_AsTag(encodedOK, encodedOKLen);
LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false);
cardSTATE = SIM_HALTED;
break;
}
case SIM_ACKNOWLEDGE: {
TransmitFor14443b_AsTag(encodedOK, encodedOKLen);
LogTrace(respOK, sizeof(respOK), 0, 0, NULL, false);
cardSTATE = SIM_IDLE;
break;
}
case SIM_WORK: {
if (len == 7 && receivedCmd[0] == ISO14443B_HALT) {
cardSTATE = SIM_HALTED;
} else if (len == 11 && receivedCmd[0] == ISO14443B_ATTRIB) {
cardSTATE = SIM_ACKNOWLEDGE;
} else {
// Todo:
// - SLOT MARKER
// - ISO7816
// - emulate with a memory dump
if (DBGLEVEL >= DBG_DEBUG)
Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsReceived);
// CRC Check
if (len >= 3) { // if crc exists
if (!check_crc(CRC_14443_B, receivedCmd, len)) {
if (DBGLEVEL >= DBG_DEBUG) {
DbpString("CRC fail");
}
}
} else {
if (DBGLEVEL >= DBG_DEBUG) {
DbpString("CRC passed");
}
}
cardSTATE = SIM_IDLE;
}
break;
}
default:
break;
}
++cmdsReceived;
}
if (DBGLEVEL >= DBG_DEBUG)
Dbprintf("Emulator stopped. Trace length: %d ", BigBuf_get_traceLen());
switch_off(); //simulate
}
*/
//=============================================================================
// An ISO 14443 Type B reader. We take layer two commands, code them
// appropriately, and then send them to the tag. We then listen for the
@@ -1160,6 +1365,7 @@ static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t
tosend_t *ts = get_tosend();
CodeIso14443bAsReader(cmd, len);
TransmitFor14443b_AsReader(start_time);
if (g_trigger) LED_A_ON();
*eof_time = *start_time + (10 * ts->max) + 10 + 2 + 10;
LogTrace(cmd, len, *start_time, *eof_time, NULL, true);
}
@@ -1541,7 +1747,7 @@ void iso14443b_setup(void) {
// I tried to be systematic and check every answer of the tag, every CRC, etc...
//-----------------------------------------------------------------------------
static int read_srx_block(uint8_t blocknr, uint8_t *block) {
uint8_t cmd[] = {ISO14443B_READ_BLK, blocknr, 0x00, 0x00};
AddCrc14B(cmd, 2);
@@ -1572,10 +1778,10 @@ static int read_srx_block(uint8_t blocknr, uint8_t *block) {
if (DBGLEVEL >= DBG_DEBUG) {
Dbprintf("Address=%02x, Contents=%08x, CRC=%04x",
blocknr,
(r_block[3] << 24) + (r_block[2] << 16) + (r_block[1] << 8) + r_block[0],
(r_block[4] << 8) + r_block[5]
);
blocknr,
(r_block[3] << 24) + (r_block[2] << 16) + (r_block[1] << 8) + r_block[0],
(r_block[4] << 8) + r_block[5]
);
}
return PM3_SUCCESS;
@@ -1586,7 +1792,7 @@ void ReadSTBlock(uint8_t blocknr) {
iso14b_card_select_t card;
int res = iso14443b_select_srx_card(&card);
// 0: OK -1 wrong len, -2: attrib fail, -3:crc fail,
switch(res) {
switch (res) {
case -1:
case -3: {
reply_ng(CMD_HF_SRI_READ, PM3_EWRONGANSWER, NULL, 0);

38
armsrc/mifarecmd.c
View File

@@ -450,7 +450,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain) {
// 2 = use 0x1B authentication.
// datain : 4 first bytes is data to be written.
// : 4/16 next bytes is authentication key.
void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain) {
static void MifareUWriteBlockEx(uint8_t arg0, uint8_t arg1, uint8_t *datain, bool reply) {
uint8_t blockNo = arg0;
bool useKey = (arg1 == 1); //UL_C
bool usePwd = (arg1 == 2); //UL_EV1/NTAG
@@ -507,12 +507,17 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain) {
if (DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
reply_mix(CMD_ACK, 1, 0, 0, 0, 0);
if (reply)
reply_mix(CMD_ACK, 1, 0, 0, 0, 0);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
set_tracing(false);
}
void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain) {
MifareUWriteBlockEx(arg0, arg1, datain, true);
}
// Arg0 : Block to write to.
// Arg1 : 0 = use no authentication.
// 1 = use 0x1A authentication.
@@ -2283,7 +2288,7 @@ void MifareCIdent(bool is_mfc) {
ReaderTransmit(rats, sizeof(rats), NULL);
res = ReaderReceive(buf, par);
if (res ) {
if (res) {
// test for some MFC gen2
if (memcmp(buf, "\x09\x78\x00\x91\x02\xDA\xBC\x19\x10\xF0\x05", 11) == 0) {
@@ -2376,6 +2381,9 @@ void MifareHasStaticNonce(void) {
int retval = PM3_SUCCESS;
uint32_t nt = 0;
uint8_t *uid = BigBuf_malloc(10);
memset(uid, 0x00, 10);
uint8_t data[1] = { NONCE_FAIL };
struct Crypto1State mpcs = {0, 0};
struct Crypto1State *pcs;
@@ -2392,7 +2400,7 @@ void MifareHasStaticNonce(void) {
goto OUT;
}
uint8_t rec[1] = {0x00};
uint8_t rec[4] = {0x00};
uint8_t recpar[1] = {0x00};
// Transmit MIFARE_CLASSIC_AUTH 0x60, block 0
int len = mifare_sendcmd_short(pcs, false, MIFARE_AUTH_KEYA, 0, rec, recpar, NULL);
@@ -2412,6 +2420,8 @@ void MifareHasStaticNonce(void) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
CHK_TIMEOUT();
memset(rec, 0x00, sizeof(rec));
}
if (counter) {
@@ -2715,7 +2725,8 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t tearoff_time, uint8_t *datain) {
if (tearoff_time > 43000)
tearoff_time = 43000;
MifareUWriteBlock(blockNo, 0, data_fullwrite);
MifareUWriteBlockEx(blockNo, 0, data_fullwrite, false);
LEDsoff();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@@ -2724,13 +2735,18 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t tearoff_time, uint8_t *datain) {
// write cmd to send, include CRC
// 1b write, 1b block, 4b data, 2 crc
uint8_t cmd[] = {MIFARE_ULC_WRITE, blockNo, data_testwrite[0], data_testwrite[1], data_testwrite[2], data_testwrite[3], 0, 0};
uint8_t cmd[] = {
MIFARE_ULC_WRITE, blockNo,
data_testwrite[0], data_testwrite[1], data_testwrite[2], data_testwrite[3],
0, 0
};
AddCrc14A(cmd, sizeof(cmd) - 2);
// anticollision / select card
if (!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
if (DBGLEVEL >= DBG_ERROR) Dbprintf("Can't select card");
OnError(1);
reply_ng(CMD_HF_MFU_OTP_TEAROFF, PM3_EFAILED, NULL, 0);
return;
};
// send
@@ -2748,7 +2764,7 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t tearoff_time, uint8_t *datain) {
//
// Tear-off attack against MFU counter
void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time) {
void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time, uint8_t *datain) {
if (tearoff_time > 43000)
tearoff_time = 43000;
@@ -2762,10 +2778,10 @@ void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time) {
uint8_t cmd[] = {
MIFARE_ULEV1_INCR_CNT,
counter,
0, // lsb
0,
0, // msb
0, // rfu
datain[0], // lsb
datain[1],
datain[2], // msb
datain[3], // rfu
0,
0,
};

2
armsrc/mifarecmd.h
View File

@@ -64,5 +64,5 @@ void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain);
// Tear-off test for MFU
void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain);
void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time);
void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time, uint8_t *datain);
#endif

2
armsrc/mifareutil.c
View File

@@ -20,8 +20,6 @@
#include "protocols.h"
#include "desfire_crypto.h"
int DBGLEVEL = DBG_ERROR;
// crypto1 helpers
void mf_crypto1_decryptEx(struct Crypto1State *pcs, uint8_t *data_in, int len, uint8_t *data_out) {
if (len != 1) {

15
armsrc/start.c
View File

@@ -18,14 +18,13 @@
#include "BigBuf.h"
#include "string.h"
static uint8_t *next_free_memory;
extern struct common_area common_area;
extern char __data_src_start__, __data_start__, __data_end__, __bss_start__, __bss_end__;
static void uncompress_data_section(void) {
next_free_memory = BigBuf_get_addr();
int avail_in;
memcpy(&avail_in, &__data_start__, sizeof(int));
memcpy(&avail_in, &__data_src_start__, sizeof(int));
int avail_out = &__data_end__ - &__data_start__; // uncompressed size. Correct.
// uncompress data segment to RAM
uintptr_t p = (uintptr_t)&__data_src_start__;
@@ -34,13 +33,21 @@ static void uncompress_data_section(void) {
if (res < 0)
return;
// save the size of the compressed data section
common_area.arg1 = res;
common_area.arg1 = avail_in;
}
void __attribute__((section(".startos"))) Vector(void);
void Vector(void) {
/* Stack should have been set up by the bootloader */
if (common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
/* Initialize common area */
memset(&common_area, 0, sizeof(common_area));
common_area.magic = COMMON_AREA_MAGIC;
common_area.version = 1;
}
common_area.flags.osimage_present = 1;
uncompress_data_section();
/* Set up (that is: clear) BSS. */