]> cvs.zerfleddert.de Git - proxmark3-svn/blame - client/cmdlfhitag.c
add: 'hf mf personalize' (personalize UID on Mifare Classic EV1 7byte UID cards)
[proxmark3-svn] / client / cmdlfhitag.c
CommitLineData
db09cb3a 1//-----------------------------------------------------------------------------
2// Copyright (C) 2012 Roel Verdult
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency Hitag support
9//-----------------------------------------------------------------------------
10
ad939de5 11#include "cmdlfhitag.h"
12
db09cb3a 13#include <stdio.h>
14#include <stdlib.h>
15#include <string.h>
ad939de5 16#include "comms.h"
db09cb3a 17#include "ui.h"
18#include "cmdparser.h"
19#include "common.h"
20#include "util.h"
1f065e1d 21#include "parity.h"
5866c187 22#include "hitag.h"
902cb3c0 23#include "cmdmain.h"
db09cb3a 24
25static int CmdHelp(const char *Cmd);
26
47e18126 27size_t nbytes(size_t nbits) {
28 return (nbits/8)+((nbits%8)>0);
29}
30
db09cb3a 31int CmdLFHitagList(const char *Cmd)
32{
f71f4deb 33 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
f71f4deb 34 // Query for the actual size of the trace
35 UsbCommand response;
babca445 36 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
f71f4deb 37 uint16_t traceLen = response.arg[2];
38 if (traceLen > USB_CMD_DATA_SIZE) {
39 uint8_t *p = realloc(got, traceLen);
40 if (p == NULL) {
41 PrintAndLog("Cannot allocate memory for trace");
42 free(got);
43 return 2;
44 }
45 got = p;
babca445 46 GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
f71f4deb 47 }
48
49 PrintAndLog("recorded activity (TraceLen = %d bytes):");
50 PrintAndLog(" ETU :nbits: who bytes");
51 PrintAndLog("---------+-----+----+-----------");
db09cb3a 52
7b6e3205 53 int j;
f71f4deb 54 int i = 0;
55 int prev = -1;
56 int len = strlen(Cmd);
b915fda3 57
f71f4deb 58 char filename[FILE_PATH_SIZE] = { 0x00 };
59 FILE* pf = NULL;
b915fda3 60
f71f4deb 61 if (len > FILE_PATH_SIZE)
62 len = FILE_PATH_SIZE;
63 memcpy(filename, Cmd, len);
b915fda3 64
f71f4deb 65 if (strlen(filename) > 0) {
66 if ((pf = fopen(filename,"wb")) == NULL) {
67 PrintAndLog("Error: Could not open file [%s]",filename);
44964fd1 68 free(got);
f71f4deb 69 return 1;
70 }
b915fda3 71 }
db09cb3a 72
f71f4deb 73 for (;;) {
b915fda3 74
f71f4deb 75 if(i > traceLen) { break; }
76
77 bool isResponse;
78 int timestamp = *((uint32_t *)(got+i));
79 if (timestamp & 0x80000000) {
80 timestamp &= 0x7fffffff;
81 isResponse = 1;
82 } else {
83 isResponse = 0;
84 }
85
86 int parityBits = *((uint32_t *)(got+i+4));
87 // 4 bytes of additional information...
88 // maximum of 32 additional parity bit information
89 //
90 // TODO:
91 // at each quarter bit period we can send power level (16 levels)
92 // or each half bit period in 256 levels.
93
94 int bits = got[i+8];
7b6e3205 95 int len = nbytes(bits);
f71f4deb 96
97 if (len > 100) {
98 break;
99 }
100 if (i + len > traceLen) { break;}
101
102 uint8_t *frame = (got+i+9);
7b6e3205 103/*
104 int fillupBits = 8 - (bits % 8);
105 byte_t framefilled[bits+fillupBits];
106 byte_t* ff = framefilled;
107
108 int response_bit[200] = {0};
109 int z = 0;
110 for (int y = 0; y < len; y++) {
111 for (j = 0; j < 8; j++) {
112 response_bit[z] = 0;
113 if ((frame[y] & ((mask << 7) >> j)) != 0)
114 response_bit[z] = 1;
115 z++;
116 }
117 }
118 z = 0;
119 for (int y = 0; y < len; y++) {
120 ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6)
121 | (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4)
122 | (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2)
123 | (response_bit[z + 6] << 1) | response_bit[z + 7];
124 z += 8;
125 }
126*/
127
128
129
f71f4deb 130
131 // Break and stick with current result if buffer was not completely full
132 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
133
134 char line[1000] = "";
f71f4deb 135 for (j = 0; j < len; j++) {
f71f4deb 136 //if((parityBits >> (len - j - 1)) & 0x01) {
1f065e1d 137 if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
f71f4deb 138 sprintf(line+(j*4), "%02x! ", frame[j]);
7b6e3205 139 } else {
f71f4deb 140 sprintf(line+(j*4), "%02x ", frame[j]);
141 }
142 }
143
144 PrintAndLog(" +%7d: %3d: %s %s",
145 (prev < 0 ? 0 : (timestamp - prev)),
146 bits,
147 (isResponse ? "TAG" : " "),
148 line);
149
150 if (pf) {
151 fprintf(pf," +%7d: %3d: %s %s\n",
152 (prev < 0 ? 0 : (timestamp - prev)),
153 bits,
154 (isResponse ? "TAG" : " "),
155 line);
156 }
157
158 prev = timestamp;
159 i += (len + 9);
160 }
2d495a81 161
f71f4deb 162 if (pf) {
163 fclose(pf);
164 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
165 }
97d582a6 166
f71f4deb 167 free(got);
168 return 0;
db09cb3a 169}
170
171int CmdLFHitagSnoop(const char *Cmd) {
172 UsbCommand c = {CMD_SNOOP_HITAG};
173 SendCommand(&c);
174 return 0;
175}
176
177int CmdLFHitagSim(const char *Cmd) {
b915fda3 178
db09cb3a 179 UsbCommand c = {CMD_SIMULATE_HITAG};
b915fda3 180 char filename[FILE_PATH_SIZE] = { 0x00 };
db09cb3a 181 FILE* pf;
182 bool tag_mem_supplied;
b915fda3 183 int len = strlen(Cmd);
184 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
185 memcpy(filename, Cmd, len);
db09cb3a 186
187 if (strlen(filename) > 0) {
188 if ((pf = fopen(filename,"rb+")) == NULL) {
189 PrintAndLog("Error: Could not open file [%s]",filename);
190 return 1;
191 }
192 tag_mem_supplied = true;
44964fd1 193 if (fread(c.d.asBytes,1,48,pf) != 48) {
194 PrintAndLog("Error: File reading error");
195 fclose(pf);
759c16b3 196 return 1;
44964fd1 197 }
db09cb3a 198 fclose(pf);
199 } else {
200 tag_mem_supplied = false;
201 }
202
203 // Does the tag comes with memory
204 c.arg[0] = (uint32_t)tag_mem_supplied;
205
206 SendCommand(&c);
207 return 0;
208}
209
210int CmdLFHitagReader(const char *Cmd) {
db09cb3a 211 UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
212 hitag_data* htd = (hitag_data*)c.d.asBytes;
213 hitag_function htf = param_get32ex(Cmd,0,0,10);
214
215 switch (htf) {
4e12287d
RS
216 case 01: { //RHTSF_CHALLENGE
217 c = (UsbCommand){ CMD_READ_HITAG_S };
218 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
219 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
7b6e3205 220 c.arg[1] = param_get64ex(Cmd,3,0,0); //firstpage
221 c.arg[2] = param_get64ex(Cmd,4,0,0); //tag mode
4e12287d
RS
222 } break;
223 case 02: { //RHTSF_KEY
224 c = (UsbCommand){ CMD_READ_HITAG_S };
225 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
7b6e3205 226 c.arg[1] = param_get64ex(Cmd,2,0,0); //firstpage
227 c.arg[2] = param_get64ex(Cmd,3,0,0); //tag mode
228 } break;
229 case 03: { //RHTSF_CHALLENGE BLOCK
230 c = (UsbCommand){ CMD_READ_HITAG_S_BLK };
231 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
232 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
233 c.arg[1] = param_get64ex(Cmd,3,0,0); //firstpage
234 c.arg[2] = param_get64ex(Cmd,4,0,0); //tag mode
235 } break;
236 case 04: { //RHTSF_KEY BLOCK
237 c = (UsbCommand){ CMD_READ_HITAG_S_BLK };
238 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
239 c.arg[1] = param_get64ex(Cmd,2,0,0); //firstpage
240 c.arg[2] = param_get64ex(Cmd,3,0,0); //tag mode
4e12287d 241 } break;
db09cb3a 242 case RHT2F_PASSWORD: {
243 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password);
244 } break;
245 case RHT2F_AUTHENTICATE: {
246 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
247 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
248 } break;
bde10a50 249 case RHT2F_CRYPTO: {
250 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
f86d6b55 251 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
bde10a50 252 } break;
db09cb3a 253 case RHT2F_TEST_AUTH_ATTEMPTS: {
254 // No additional parameters needed
255 } break;
f86d6b55 256 case RHT2F_UID_ONLY: {
257 // No additional parameters needed
258 } break;
db09cb3a 259 default: {
f86d6b55 260 PrintAndLog("\nError: unkown reader function %d",htf);
261 PrintAndLog("");
262 PrintAndLog("Usage: hitag reader <Reader Function #>");
263 PrintAndLog("Reader Functions:");
ab4da50d 264 PrintAndLog(" HitagS (0*)");
7b6e3205 265 PrintAndLog(" 01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
266 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
267 PrintAndLog(" 03 <nr> <ar> (Challenge) <firstPage> <tagmode> read all blocks from a Hitag S tag");
268 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all blocks from a Hitag S tag");
269 PrintAndLog(" Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
ab4da50d 270 PrintAndLog(" Hitag1 (1*)");
271 PrintAndLog(" Hitag2 (2*)");
272 PrintAndLog(" 21 <password> (password mode)");
273 PrintAndLog(" 22 <nr> <ar> (authentication)");
274 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
275 PrintAndLog(" 25 (test recorded authentications)");
f86d6b55 276 PrintAndLog(" 26 just read UID");
db09cb3a 277 return 1;
278 } break;
279 }
280
281 // Copy the hitag2 function into the first argument
282 c.arg[0] = htf;
283
f86d6b55 284 // Send the command to the proxmark
217cfb6b 285 clearCommandBuffer();
f86d6b55 286 SendCommand(&c);
ab4da50d 287
f86d6b55 288 UsbCommand resp;
289 WaitForResponse(CMD_ACK,&resp);
290
291 // Check the return status, stored in the first argument
292 if (resp.arg[0] == false) return 1;
293
294 uint32_t id = bytes_to_num(resp.d.asBytes,4);
295
296 if (htf == RHT2F_UID_ONLY){
297 PrintAndLog("Valid Hitag2 tag found - UID: %08x",id);
298 } else {
299 char filename[256];
300 FILE* pf = NULL;
301
302 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
303 if ((pf = fopen(filename,"wb")) == NULL) {
304 PrintAndLog("Error: Could not open file [%s]",filename);
305 return 1;
306 }
307
308 // Write the 48 tag memory bytes to file and finalize
309 fwrite(resp.d.asBytes,1,48,pf);
310 fclose(pf);
311
312 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
313 }
314
315
316 return 0;
db09cb3a 317}
318
4e12287d
RS
319
320int CmdLFHitagSimS(const char *Cmd) {
321 UsbCommand c = { CMD_SIMULATE_HITAG_S };
322 char filename[FILE_PATH_SIZE] = { 0x00 };
323 FILE* pf;
324 bool tag_mem_supplied;
325 int len = strlen(Cmd);
326 if (len > FILE_PATH_SIZE)
327 len = FILE_PATH_SIZE;
328 memcpy(filename, Cmd, len);
329
330 if (strlen(filename) > 0) {
331 if ((pf = fopen(filename, "rb+")) == NULL) {
332 PrintAndLog("Error: Could not open file [%s]", filename);
333 return 1;
334 }
335 tag_mem_supplied = true;
44964fd1 336 if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) {
4e12287d
RS
337 PrintAndLog("Error: File reading error");
338 fclose(pf);
339 return 1;
340 }
341 fclose(pf);
342 } else {
343 tag_mem_supplied = false;
344 }
345
346 // Does the tag comes with memory
347 c.arg[0] = (uint32_t) tag_mem_supplied;
348
349 SendCommand(&c);
350 return 0;
351}
352
353int CmdLFHitagCheckChallenges(const char *Cmd) {
354 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
355 char filename[FILE_PATH_SIZE] = { 0x00 };
356 FILE* pf;
357 bool file_given;
358 int len = strlen(Cmd);
359 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
360 memcpy(filename, Cmd, len);
361
362 if (strlen(filename) > 0) {
363 if ((pf = fopen(filename,"rb+")) == NULL) {
364 PrintAndLog("Error: Could not open file [%s]",filename);
365 return 1;
366 }
367 file_given = true;
44964fd1 368 if (fread(c.d.asBytes,1,8*60,pf) != 8*60) {
369 PrintAndLog("Error: File reading error");
370 fclose(pf);
4e12287d
RS
371 return 1;
372 }
373 fclose(pf);
374 } else {
375 file_given = false;
376 }
377
378 //file with all the challenges to try
379 c.arg[0] = (uint32_t)file_given;
7b6e3205 380 c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode
4e12287d
RS
381
382 SendCommand(&c);
383 return 0;
384}
385
386
387int CmdLFHitagWP(const char *Cmd) {
388 UsbCommand c = { CMD_WR_HITAG_S };
389 hitag_data* htd = (hitag_data*)c.d.asBytes;
390 hitag_function htf = param_get32ex(Cmd,0,0,10);
391 switch (htf) {
392 case 03: { //WHTSF_CHALLENGE
393 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
394 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
395 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
396 } break;
52244230
HJ
397 case 04:
398 case 24:
399 { //WHTSF_KEY
4e12287d
RS
400 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
401 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
402 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
403
404 } break;
405 default: {
406 PrintAndLog("Error: unkown writer function %d",htf);
407 PrintAndLog("Hitag writer functions");
408 PrintAndLog(" HitagS (0*)");
409 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
410 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
411 PrintAndLog(" Hitag1 (1*)");
412 PrintAndLog(" Hitag2 (2*)");
52244230 413 PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
4e12287d
RS
414 return 1;
415 } break;
416 }
417 // Copy the hitag function into the first argument
418 c.arg[0] = htf;
419
420 // Send the command to the proxmark
421 SendCommand(&c);
422
423 UsbCommand resp;
424 WaitForResponse(CMD_ACK,&resp);
425
426 // Check the return status, stored in the first argument
427 if (resp.arg[0] == false) return 1;
428 return 0;
429}
430
431
3fe4ff4f 432static command_t CommandTable[] =
db09cb3a 433{
4e12287d
RS
434 {"help", CmdHelp, 1, "This help"},
435 {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"},
436 {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"},
437 {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"},
438 {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"},
439 {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" },
440 {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" },
7b6e3205 441 {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> <tagmode> test all challenges" }, {
4e12287d 442 NULL,NULL, 0, NULL }
db09cb3a 443};
444
445int CmdLFHitag(const char *Cmd)
446{
3fe4ff4f 447 CmdsParse(CommandTable, Cmd);
db09cb3a 448 return 0;
449}
450
451int CmdHelp(const char *Cmd)
452{
3fe4ff4f 453 CmdsHelp(CommandTable);
db09cb3a 454 return 0;
455}
Impressum, Datenschutz