//Peter Fillmore - 2014
//
//--------------------------------------------------------------------------------
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//--------------------------------------------------------------------------------
//--------------------------------------------------------------------------------
// Routines to support EMV transactions from the reader side: PPSE/AID selection,
// GET PROCESSING OPTIONS, READ RECORD, GET CHALLENGE, GENERATE AC, the
// PayPass/payWave flows built on them, and a record-scanning "clone" helper.
//--------------------------------------------------------------------------------
9206d3b0 | 11 | #include "emvcmd.h" |
9206d3b0 | 12 | |
static emvcard currentcard; // shared reader/card state: the command helpers below decode card responses into it, the transaction flows read their terminal-side data elements from it, and EMVdumpcard() prints it
9206d3b0 | 14 | |
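// Bench entry point: pushes one hand-built ATS through the RATS fuzzing helper.
// The commented-out template-building experiment that used to live here has
// been removed; EMVClone()/EMVTransaction() are the working entry points.
void EMVTest()
{
	// ATS under test. The first byte is TL (0x0b = 11 = total length including
	// TL itself), so the length handed to the fuzzer must equal the array size;
	// using sizeof keeps the two from drifting apart.
	uint8_t rats[] = {0x0b, 0x78, 0x80, 0x81, 0x02, 0x4b, 0x4f, 0x4e, 0x41, 0x14, 0x11};
	EMVFuzz_RATS(sizeof(rats), rats);
}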
d627a2fd | 44 | |
9206d3b0 | 45 | |
// Store one EMV data element into the shared card state.
// tag:    EMV tag number in the form emv_settag expects (e.g. 0x9F37)
// datain: the element's value. No length is passed, so emv_settag presumably
//         derives it from the tag definition - NOTE(review): confirm in emvutil.
void EMVloadvalue(uint32_t tag, uint8_t *datain){
	emvcard *target = &currentcard;
	emv_settag(tag, datain, target);
}
52 | ||
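// READ RECORD for one (record, SFI) pair and decode the 0x70 response
// template into *currentcard.
// arg0:        record number
// arg1:        SFI; only the low nibble is used (see note below)
// currentcard: destination for the decoded tags. The parameter deliberately
//              shadows the file-scope currentcard - callers pick the target.
void EMVReadRecord(uint8_t arg0, uint8_t arg1,emvcard *currentcard)
{
	uint8_t record = arg0;
	// NOTE(review): EMV SFIs are 1..30 (5 bits); "& 0x0F" folds SFIs 16..30
	// onto 0..14. Left as-is because emv_readrecord's P2 encoding is not
	// visible here - widen to 0x1F once that is checked.
	uint8_t sfi = arg1 & 0x0F;
	// Function-scope static instead of BigBuf_malloc(256) on every call: that
	// allocation was never released (BigBuf_free() is the only way), so a
	// record scan such as EMVClone() consumed 256 bytes of BigBuf per record,
	// and the returned pointer was used without a NULL check. Not on the stack
	// either, following the "so we're not in the stack" note used elsewhere in
	// this file. Fine for this single-threaded firmware loop; not reentrant.
	static uint8_t resp[256];
	tlvtag inputtag;

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	// never parse bytes left over from a previous record
	memset(resp, 0, sizeof(resp));
	if (!emv_readrecord(record, sfi, resp)) {
		// The old code fell through and parsed the stale buffer after a failure.
		if (MF_DBGLEVEL >= 1) Dbprintf("readrecord failed");
		LEDsoff();
		return;
	}

	// resp[0] is taken as the ISO 14443-4 PCB byte and the data is assumed to
	// start at resp[1] - the convention every handler in this file uses.
	if (resp[1] == 0x70) {
		// NOTE(review): decode_ber_tlv_item gets no length bound and the TLV
		// length bytes come from the card; pass one once the helper takes it.
		decode_ber_tlv_item(resp + 1, &inputtag);
		emv_decode_field(inputtag.value, inputtag.valuelength, currentcard);
	} else if (MF_DBGLEVEL >= 1) {
		Dbprintf("Record not found SFI=%i RECORD=%i", sfi, record);
	}
	LED_B_ON();
	LED_B_OFF();
	LEDsoff();
}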
85 | ||
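// SELECT by AID (DF name) and decode the FCI that comes back.
// AID/AIDlen: the application identifier to select
// inputcard:  receives the decoded tags; NULL falls back to the file-scope
//             currentcard. (The old code ignored this parameter and always
//             wrote the global - which is what every caller in this file
//             passes, so behaviour for them is unchanged.)
void EMVSelectAID(uint8_t *AID, uint8_t AIDlen, emvcard* inputcard)
{
	emvcard *card = inputcard ? inputcard : &currentcard;
	// Static buffer instead of an unreleased, unchecked BigBuf_malloc(256) per
	// call - see EMVReadRecord for the reasoning. Not reentrant.
	static uint8_t resp[256];
	tlvtag inputtag;

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	memset(resp, 0, sizeof(resp));
	if (!emv_select(AID, AIDlen, resp)) {
		// was "== 1", which hid the message at every other debug level
		if (MF_DBGLEVEL >= 1) DbpString("AID Select failed");
		LEDsoff();
		return;
	}

	// data is taken to start at resp[1] (resp[0] = PCB), as elsewhere in this file
	if (resp[1] == 0x6F) {
		// FCI template: yields tag 84 (DF name) and A5 (FCI proprietary template)
		decode_ber_tlv_item(resp + 1, &inputtag);
		emv_decode_field(inputtag.value, inputtag.valuelength, card);

		// unpack the A5 template
		if (card->tag_A5_len > 0)
			emv_decode_field(card->tag_A5, card->tag_A5_len, card);

		// Keep the DF name the card returned. The old test was inverted
		// ("== 0"), so the copy only ever ran with a length of zero. The copy
		// is bounded by the destination; this assumes tag_DFName is an array
		// member like the other tag_* fields (EMVGetProcessingOptions relies
		// on sizeof(currentcard.tag_82) the same way).
		if (card->tag_84_len > 0) {
			unsigned int n = card->tag_84_len;
			if (n > sizeof(card->tag_DFName))
				n = sizeof(card->tag_DFName);
			memcpy(card->tag_DFName, card->tag_84, n);
		}

		// BF0C (FCI issuer discretionary data) - one directory entry assumed
		if (card->tag_BF0C_len != 0)
			emv_decode_field(card->tag_BF0C, card->tag_BF0C_len, card);

		// 61 (application template) carries the AID the transaction flows branch on
		if (card->tag_61_len != 0)
			emv_decode_field(card->tag_61, card->tag_61_len, card);
	}
	LED_B_ON();
	LED_B_OFF();

	if (MF_DBGLEVEL >= 2) DbpString("SELECT AID COMPLETED");
	LEDsoff();
}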
134 | ||
// SELECT the PPSE (the contactless payment directory).
// emv_selectPPSE() takes no response buffer, so the card's answer is not
// available to callers of this function: any resp[] a caller inspects
// afterwards is its own, separate buffer.
void EMVSelectPPSE()
{
	int selected = emv_selectPPSE();
	if (selected) {
		LED_B_ON();
		LED_B_OFF();
	} else if (MF_DBGLEVEL >= 1) {
		DbpString("PPSE failed");
	}
	if (MF_DBGLEVEL >= 2) DbpString("SELECT PPSE COMPLETED");
	LEDsoff();
}
150 | ||
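// GET PROCESSING OPTIONS with the PDOL data the caller built.
// PDOL/PDOLlen: PDOL-related data to send (may be empty)
// inputcard:    receives AIP (tag 82) and AFL (tag 94); NULL falls back to the
//               file-scope currentcard (the old code wrote the global regardless)
// Returns 1 on success, 0 on failure.
// NOTE(review): this is the reverse of EMVGetChallenge()/EMVGenerateAC(),
// which return 0 on success; callers must test `!EMVGetProcessingOptions(...)`.
int EMVGetProcessingOptions(uint8_t *PDOL, uint8_t PDOLlen, emvcard* inputcard)
{
	emvcard *card = inputcard ? inputcard : &currentcard;
	uint8_t receivedAnswer[MAX_FRAME_SIZE];
	tlvtag inputtag;

	if (!emv_getprocessingoptions(PDOL, PDOLlen, receivedAnswer)) {
		if (MF_DBGLEVEL >= 1) Dbprintf("get processing options failed");
		return 0;
	}

	// receivedAnswer[0] is taken as the PCB byte; response data starts at [1]
	if (receivedAnswer[1] == 0x80) {
		// Format 1: tag 80 holds the AIP (sizeof tag_82 bytes) followed by the AFL.
		decode_ber_tlv_item(receivedAnswer + 1, &inputtag);
		if (inputtag.valuelength < sizeof(card->tag_82)) {
			// Shorter than the AIP alone. The old unsigned subtraction below
			// wrapped to a huge size_t here and memcpy'd it into tag_94.
			if (MF_DBGLEVEL >= 1) Dbprintf("GPO format 1 response too short");
			return 0;
		}
		// `inputtag.value`, not `&inputtag.value`: the old spelling only worked
		// because value is an array member; this form works either way.
		memcpy(card->tag_82, inputtag.value, sizeof(card->tag_82));
		unsigned int afllen = inputtag.valuelength - sizeof(card->tag_82);
		if (afllen > sizeof(card->tag_94)) {
			// the AFL length is card-controlled; clamp it to the destination
			if (MF_DBGLEVEL >= 1) Dbprintf("AFL truncated to %u bytes", (unsigned int)sizeof(card->tag_94));
			afllen = sizeof(card->tag_94);
		}
		memcpy(card->tag_94, inputtag.value + sizeof(card->tag_82), afllen);
		card->tag_94_len = afllen;
	} else if (receivedAnswer[1] == 0x77) {
		// Format 2: a 77 template carrying tags 82 and 94 as separate TLVs
		decode_ber_tlv_item(receivedAnswer + 1, &inputtag);
		emv_decode_field(inputtag.value, inputtag.valuelength, card);
	}
	if (MF_DBGLEVEL >= 2)
		DbpString("GET PROCESSING OPTIONS COMPLETE");
	return 1;
}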
182 | ||
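// GET CHALLENGE: ask the card for an 8-byte random number.
// inputcard: receives the challenge in tag 9F4C (ICC Dynamic Number); NULL
//            falls back to the file-scope currentcard. The old version threw
//            the response away, and its callers then copied "the ICC UN" out
//            of a buffer this function had never written.
// Returns 0 on success, 1 on failure (note: opposite of EMVGetProcessingOptions).
int EMVGetChallenge(emvcard* inputcard)
{
	emvcard *card = inputcard ? inputcard : &currentcard;
	uint8_t receivedAnswer[MAX_FRAME_SIZE];

	if (!emv_getchallenge(receivedAnswer)) {
		// used to be a copy/pasted "get processing options failed"
		if (MF_DBGLEVEL >= 1) Dbprintf("get challenge failed");
		return 1;
	}
	// Data taken to start at [1] (byte 0 = PCB), the convention the rest of
	// this file uses; the 8-byte length matches the memset(tag_9F4C, 0, 8)
	// done by EMVTransaction()/EMVClone(). NOTE(review): confirm
	// emv_getchallenge leaves the frame in that layout.
	memcpy(card->tag_9F4C, &receivedAnswer[1], 8);
	return 0;
}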
195 | ||
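// GENERATE AC with the CDOL1 (tag 8C) data built from *inputcard.
// refcontrol: P1 reference-control byte (cryptogram type / CDA request bits)
// inputcard:  card whose tags fill the DOL and which receives the decoded
//             response; NULL falls back to the file-scope currentcard
// Returns 0 on success, 1 if the APDU exchange failed.
// NOTE(review): the data is always built from CDOL1 (8C). A second GENERATE
// AC should carry CDOL2 (8D) data; EMV_PaypassTransaction() cannot pass that
// through this interface, so its AC2 goes out with CDOL1 data again.
int EMVGenerateAC(uint8_t refcontrol, emvcard* inputcard)
{
	emvcard *card = inputcard ? inputcard : &currentcard;
	uint8_t receivedAnswer[MAX_FRAME_SIZE];
	uint8_t cdolcommand[MAX_FRAME_SIZE] = {0};
	uint8_t cdolcommandlen = 0;
	tlvtag temptag;

	// no CDOL1 on the card: send GENERATE AC without data (cdolcommandlen stays 0)
	if (card->tag_8C_len > 0)
		emv_generateDOL(card->tag_8C, card->tag_8C_len, card, cdolcommand, &cdolcommandlen);

	if (!emv_generateAC(refcontrol, cdolcommand, cdolcommandlen, receivedAnswer)) {
		// used to be a copy/pasted "get processing options failed"
		if (MF_DBGLEVEL >= 1) Dbprintf("generate AC failed");
		return 1;
	}
	// Format 2 response: a 77 template with the cryptogram-related tags.
	// NOTE(review): this inspects receivedAnswer[2], whereas every other
	// handler in this file treats [1] as the first data byte. Left unchanged
	// because emv_generateAC's frame layout is not visible here - verify
	// against a trace. A format 1 (tag 80) response is not handled at all.
	if (receivedAnswer[2] == 0x77) {
		decode_ber_tlv_item(&receivedAnswer[2], &temptag);
		emv_decode_field(temptag.value, temptag.valuelength, card);
	}
	return 0;
}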
224 | ||
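// Visa payWave flow against the card already selected on the field.
// Takes no arguments: the terminal-side data elements (TTQ 9F66, amount 9F02,
// UN 9F37, currency 5F2A, ...) are read from the file-scope currentcard, which
// the caller must have initialised (see EMVTransaction()); tag 4F must hold
// the AID found in the PPSE.
// Returns 0 on completion, 1 if GET PROCESSING OPTIONS failed.
int EMV_PaywaveTransaction()
{
	// The former BigBuf_malloc(256) `resp` here was never written by anything:
	// EMVSelectAID/EMVGetProcessingOptions/EMVReadRecord/EMVGetChallenge each
	// use their own buffer and decode straight into currentcard. Every
	// resp[1] check, the 200-byte hexdumps and the two "ICC UN" copies taken
	// from it were reading unwritten memory, so they are gone.

	// select the application by the AID found in the PPSE (tag 4F)
	EMVSelectAID(currentcard.tag_4F, currentcard.tag_4F_len, &currentcard);

	// Build the PDOL data (tag 9F38 lists what the card wants). The PDOL is
	// card-supplied and emv_generateDOL takes no output bound, so the buffer
	// is sized like the other response buffers rather than the old 20 bytes.
	uint8_t pdolcommand[256] = {0};
	uint8_t pdolcommandlen = 0;
	if (currentcard.tag_9F38_len > 0)
		emv_generateDOL(currentcard.tag_9F38, currentcard.tag_9F38_len, &currentcard, pdolcommand, &pdolcommandlen);

	// EMVGetProcessingOptions returns 1 on success
	if (!EMVGetProcessingOptions(pdolcommand, pdolcommandlen, &currentcard)) {
		if (MF_DBGLEVEL >= 1) Dbprintf("PDOL failed");
		return 1;
	}

	Dbprintf("AFL=");
	Dbhexdump(currentcard.tag_94_len, currentcard.tag_94, false);
	Dbprintf("AIP=");
	Dbhexdump(2, currentcard.tag_82, false);
	emv_decodeAIP(currentcard.tag_82);

	// TODO: walk the AFL (tag 94) instead of this fixed (record, sfi) list.
	// The duplicated reads of (4,2) and (1,3) at the end of the old list are gone.
	EMVReadRecord(1, 1, &currentcard);
	EMVReadRecord(2, 1, &currentcard);
	EMVReadRecord(1, 2, &currentcard);
	EMVReadRecord(2, 2, &currentcard);
	EMVReadRecord(3, 2, &currentcard);
	EMVReadRecord(4, 2, &currentcard);
	EMVReadRecord(1, 3, &currentcard);
	EMVReadRecord(2, 3, &currentcard);

	// CDA bit set in the AIP: read the extra records the original flow ties to it
	if ((currentcard.tag_82[0] & AIP_CDA_SUPPORTED) == AIP_CDA_SUPPORTED) {
		EMVReadRecord(1, 4, &currentcard);
		EMVReadRecord(2, 4, &currentcard);
	}

	emv_decodeCVM(currentcard.tag_8E, currentcard.tag_8E_len);

	// ICC dynamic data: GET CHALLENGE then GENERATE AC, unconditionally (the
	// CDA gate on this step was already commented out in the original flow).
	EMVGetChallenge(&currentcard);
	// NOTE(review): the terminal UN (9F37) is the fixed "\x01\x02\x03\x04" set
	// by the caller. Fine for reading a card on the bench; anything beyond
	// that needs a random UN, or every cryptogram obtained here is replayable.
	Dbhexdump(currentcard.tag_8C_len, currentcard.tag_8C, false);
	// EMVGenerateAC builds the CDOL1 data from tag 8C itself and decodes the
	// response into currentcard, so the local DOL build that used to sit here
	// (into an unbounded 40-byte stack buffer) was redundant.
	EMVGenerateAC(0x41, &currentcard);
	return 0;
}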
334 | ||
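// MasterCard PayPass flow against the card already selected on the field.
// Takes no arguments: terminal-side data elements come from the file-scope
// currentcard (initialised by the caller, see EMVTransaction()); tag 4F must
// hold the AID found in the PPSE.
// Returns 0 on completion, 1 if GET PROCESSING OPTIONS failed.
int EMV_PaypassTransaction()
{
	// Only the COMPUTE CRYPTOGRAPHIC CHECKSUM step at the end writes this
	// buffer. The old code also inspected resp[1] after EMVSelectAID,
	// EMVGetProcessingOptions and both EMVGenerateAC calls, but those helpers
	// use their own buffers and decode straight into currentcard, so those
	// checks read unwritten memory and have been dropped. Static rather than
	// an unreleased BigBuf_malloc(256); zeroed so a failed exchange below
	// cannot be mistaken for a 77 template. Not reentrant.
	static uint8_t resp[256];
	tlvtag temptag;
	memset(resp, 0, sizeof(resp));

	EMVSelectAID(currentcard.tag_4F, currentcard.tag_4F_len, &currentcard);

	// PDOL data; the PDOL (9F38) is card-supplied and emv_generateDOL has no
	// output bound, so size the buffer like the other response buffers, not 20 bytes.
	uint8_t pdolcommand[256] = {0};
	uint8_t pdolcommandlen = 0;
	if (currentcard.tag_9F38_len > 0)
		emv_generateDOL(currentcard.tag_9F38, currentcard.tag_9F38_len, &currentcard, pdolcommand, &pdolcommandlen);

	// EMVGetProcessingOptions returns 1 on success. The old test was
	// `if (EMVGetProcessingOptions(...))`, which aborted the flow with
	// "PDOL failed" on every *successful* GPO.
	if (!EMVGetProcessingOptions(pdolcommand, pdolcommandlen, &currentcard)) {
		if (MF_DBGLEVEL >= 1) Dbprintf("PDOL failed");
		return 1;
	}

	Dbprintf("AFL=");
	Dbhexdump(currentcard.tag_94_len, currentcard.tag_94, false);
	Dbprintf("AIP=");
	Dbhexdump(2, currentcard.tag_82, false);
	emv_decodeAIP(currentcard.tag_82);

	// TODO: walk the AFL (tag 94) instead of this fixed (record, sfi) list
	EMVReadRecord(1, 1, &currentcard);
	EMVReadRecord(1, 2, &currentcard);
	EMVReadRecord(1, 3, &currentcard);
	EMVReadRecord(2, 3, &currentcard);

	// CDA bit set in the AIP: read the extra records the original flow ties to it
	if ((currentcard.tag_82[0] & AIP_CDA_SUPPORTED) == AIP_CDA_SUPPORTED) {
		EMVReadRecord(1, 4, &currentcard);
		EMVReadRecord(2, 4, &currentcard);
	}

	// ICC dynamic data, only when the AIP advertises CDA
	if ((currentcard.tag_82[0] & AIP_CDA_SUPPORTED) == AIP_CDA_SUPPORTED) {
		EMVGetChallenge(&currentcard);
		// First GENERATE AC (P1 = 0x80). EMVGenerateAC builds the CDOL1 data
		// from tag 8C and decodes the 77 response into currentcard itself, so
		// the local DOL build and resp handling that used to sit here are gone.
		EMVGenerateAC(0x80, &currentcard);
		// Second GENERATE AC. NOTE(review): this should carry CDOL2 (tag 8D)
		// data. The old code built 8D data into a local buffer that
		// EMVGenerateAC never looked at (it rebuilds from 8C), so the AC2 has
		// always gone out with CDOL1 data; that is unchanged until
		// EMVGenerateAC, or a direct emv_generateAC call, accepts a DOL.
		EMVGenerateAC(0x80, &currentcard);
	}

	// COMPUTE CRYPTOGRAPHIC CHECKSUM with an all-zero UDOL value, as before
	uint8_t udol[4] = {0x00, 0x00, 0x00, 0x00};
	emv_computecryptogram(udol, sizeof(udol), resp);
	// data assumed to start at resp[1] (resp[0] = PCB), as elsewhere in this file
	if (resp[1] == 0x77) {
		decode_ber_tlv_item(&resp[1], &temptag);
		emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
	}
	return 0;
}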
451 | ||
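// Drive one contactless transaction: select the card, SELECT PPSE, run the
// PayPass or payWave flow depending on the AID in tag 4F, then ACK the host.
// The terminal-side data elements (TTQ, amount, UN, currency, TVR, date, ...)
// are fixed test values loaded into the file-scope currentcard here.
void EMVTransaction()
{
	uint8_t uid[10] = {0x00};
	uint32_t cuid = 0;
	// Payload returned to the host. Nothing in this function writes it - the
	// helpers decode into currentcard - so it is zeroed here instead of being
	// 100 bytes of whatever a BigBuf_malloc(256) (never NULL-checked) held.
	static uint8_t resp[256];
	memset(resp, 0, sizeof(resp));

	BigBuf_free(); BigBuf_Clear_ext(false);
	clear_trace();
	set_tracing(TRUE);

	// fixed terminal data; EMVClone() loads the same set
	memset(&currentcard, 0x00, sizeof(currentcard));
	memcpy(currentcard.tag_9F66, "\xD7\x20\xC0\x00", 4);             // TTQ
	memcpy(currentcard.tag_9F02, "\x00\x00\x00\x00\x00\x20", 6);     // amount authorised, BCD 20 ("20 dollars" per the original comment)
	memcpy(currentcard.tag_9F37, "\x01\x02\x03\x04", 4);             // terminal UN - constant, see note below
	memcpy(currentcard.tag_5F2A, "\x00\x36", 2);                     // transaction currency code (036 - presumably AUD)
	// CDOL inputs
	memcpy(currentcard.tag_9F03, "\x00\x00\x00\x00\x00\x00", 6);     // amount, other
	memcpy(currentcard.tag_9F1A, "\x00\x36", 2);                     // terminal country code
	memcpy(currentcard.tag_95, "\x00\x00\x00\x00\x00", 5);           // TVR
	memcpy(currentcard.tag_9A, "\x14\x04\x01", 3);                   // transaction date
	memcpy(currentcard.tag_9C, "\x00", 1);                           // transaction type ("processing code" in the original)
	memcpy(currentcard.tag_9F45, "\x00\x00", 2);                     // data authentication code
	memset(currentcard.tag_9F4C, 0x00, 8);                           // ICC dynamic number, zero until obtained from the card
	memcpy(currentcard.tag_9F35, "\x12", 1);                         // terminal type
	memcpy(currentcard.tag_9F34, "\x3F\x00\x00", 3);                 // CVM results
	// NOTE(review): 9F37 is the terminal's Unpredictable Number. A constant is
	// fine for a bench read, but it makes every cryptogram obtained by this
	// "terminal" replayable; anything beyond card reading needs a random UN.

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);

	if (!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
		// NOTE(review): no CMD_ACK goes back to the host on this path (as
		// before); check that the client times out rather than blocks.
		if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
	} else {
		EMVSelectPPSE();
		// NOTE(review): the old code then decoded a 6F template out of `resp`,
		// but EMVSelectPPSE() takes no buffer and nothing here ever wrote
		// resp, so that branch could never run. As far as this file shows,
		// nothing populates tag_4F after the PPSE select, so neither AID
		// check below can match - confirm against emv_selectPPSE() and a trace.
		if (!memcmp(currentcard.tag_4F, AID_MASTERCARD, sizeof(AID_MASTERCARD))) {
			Dbprintf("Mastercard Paypass Card Detected");
			EMV_PaypassTransaction();
		} else if (!memcmp(currentcard.tag_4F, AID_VISA, sizeof(AID_VISA))) {
			Dbprintf("VISA Paywave Card Detected");
			EMV_PaywaveTransaction();
		}
		// TODO: add other card schemes like AMEX, JCB, China Unionpay etc
		LED_B_ON();
		// 100-byte payload the client expects; see the note on `resp` above
		cmd_send(CMD_ACK, 0, 0, 0, resp, 100);
		LED_B_OFF();
	}
	if (MF_DBGLEVEL >= 2) DbpString("EMV TRANSACTION FINISHED");
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();
}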
533 | ||
// Print the tags collected in the file-scope card state. Exists so code
// outside this file can reach the static currentcard.
void EMVdumpcard(void){
	emvcard *card = &currentcard;
	dumpCard(card);
}
99136c6e | 537 | |
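// Read a card for cloning: ISO 14443-A select, SELECT PPSE, SELECT AID, then
// brute-force READ RECORD over SFIs 1..maxsfi and records 1..maxrecord,
// decoding everything into the file-scope currentcard (see EMVdumpcard()).
// maxsfi/maxrecord: inclusive upper bounds. The loops used to stop one short
// ("EMVClone(1,1)" read nothing) while the banner promised "Reading N SFIs";
// the banner is now what happens.
void EMVClone(uint8_t maxsfi, uint8_t maxrecord)
{
	uint8_t uid[10] = {0x00};
	uint32_t cuid = 0;
	iso14a_card_select_t hi14a_card;
	// Payload for the host. Nothing in this function writes it (the helpers
	// decode into currentcard), so it is zeroed on every call. It used to be
	// a fresh BigBuf_malloc(256) that was never freed and - this function
	// never clears BigBuf - carried stale buffer contents to the host under
	// the "output the sensitive data" banner. Not reentrant.
	static uint8_t resp[256];
	memset(resp, 0, sizeof(resp));

	// fixed terminal data - same set as EMVTransaction()
	memset(&currentcard, 0x00, sizeof(currentcard));
	memcpy(currentcard.tag_9F66, "\xD7\x20\xC0\x00", 4);             // TTQ
	memcpy(currentcard.tag_9F02, "\x00\x00\x00\x00\x00\x20", 6);     // amount authorised, BCD 20 ("20 dollars" per the original comment)
	memcpy(currentcard.tag_9F37, "\x01\x02\x03\x04", 4);             // terminal UN - constant; see the note in EMVTransaction()
	memcpy(currentcard.tag_5F2A, "\x00\x36", 2);                     // transaction currency code (036 - presumably AUD)
	// CDOL inputs
	memcpy(currentcard.tag_9F03, "\x00\x00\x00\x00\x00\x00", 6);     // amount, other
	memcpy(currentcard.tag_9F1A, "\x00\x36", 2);                     // terminal country code
	memcpy(currentcard.tag_95, "\x00\x00\x00\x00\x00", 5);           // TVR
	// transaction date; was "\x14\x04x01" (missing backslash -> bytes 14 04 'x')
	memcpy(currentcard.tag_9A, "\x14\x04\x01", 3);
	memcpy(currentcard.tag_9C, "\x00", 1);                           // transaction type ("processing code" in the original)
	memcpy(currentcard.tag_9F45, "\x00\x00", 2);                     // data authentication code
	memset(currentcard.tag_9F4C, 0x00, 8);                           // ICC dynamic number, zero until obtained from the card
	memcpy(currentcard.tag_9F35, "\x12", 1);                         // terminal type
	memcpy(currentcard.tag_9F34, "\x3F\x00\x00", 3);                 // CVM results

	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	if (!iso14443a_select_card(uid, &hi14a_card, &cuid, true, 0)) {
		// NOTE(review): no CMD_ACK goes back to the host on this path (as before)
		if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
	} else {
		// Anticollision results. The copies are bounded by the destination
		// arrays (assumed to be arrays like the other emvcard members).
		unsigned int uidlen = hi14a_card.uidlen;
		if (uidlen > sizeof(currentcard.UID)) uidlen = sizeof(currentcard.UID);
		memcpy(currentcard.UID, hi14a_card.uid, uidlen);
		currentcard.UID_len = uidlen;
		memcpy(currentcard.ATQA, hi14a_card.atqa, 2);
		currentcard.SAK = (uint8_t)hi14a_card.sak;
		unsigned int atslen = hi14a_card.ats_len;
		if (atslen > sizeof(currentcard.ATS)) atslen = sizeof(currentcard.ATS);
		memcpy(currentcard.ATS, hi14a_card.ats, atslen);
		currentcard.ATS_len = atslen;

		if (MF_DBGLEVEL >= 1) {
			Dbprintf("UID=");
			Dbhexdump(currentcard.UID_len, currentcard.UID, false);
			Dbprintf("ATQA=");
			Dbhexdump(2, currentcard.ATQA, false);
			Dbprintf("SAK=");
			Dbhexdump(1, &currentcard.SAK, false);
			Dbprintf("ATS=");
			Dbhexdump(currentcard.ATS_len, currentcard.ATS, false);
		}

		EMVSelectPPSE();
		// NOTE(review): the old 6F-template decode that followed read `resp`,
		// which EMVSelectPPSE() never writes (it takes no buffer). As far as
		// this file shows nothing fills tag_4F before the SELECT below -
		// confirm against emv_selectPPSE() and a trace.
		EMVSelectAID(currentcard.tag_4F, currentcard.tag_4F_len, &currentcard);
		// EMVSelectAID decodes the FCI into currentcard itself; the second
		// resp-based decode that used to follow it was equally dead.

		Dbprintf("Reading %u SFIs and %u records...", maxsfi, maxrecord);
		// unsigned int loop variables: with uint8_t and an inclusive bound of
		// 255 the loop would never terminate.
		// NOTE(review): EMVReadRecord masks the SFI with 0x0F, so maxsfi > 15
		// re-reads SFIs 0..14 rather than reaching 16..30.
		for (unsigned int sfi = 1; sfi <= maxsfi; sfi++) {
			for (unsigned int record = 1; record <= maxrecord; record++) {
				// EMVReadRecord reports misses itself at MF_DBGLEVEL >= 1. The
				// old "Record Found!" test looked at resp[1], which no read
				// ever wrote, so it was noise.
				EMVReadRecord((uint8_t)record, (uint8_t)sfi, &currentcard);
			}
		}
		Dbprintf("Reading finished");

		LED_B_ON();
		// 100-byte payload the client expects; see the note on `resp` above
		cmd_send(CMD_ACK, 0, 0, 0, resp, 100);
		LED_B_OFF();
	}

	if (MF_DBGLEVEL >= 2) DbpString("EMV TRANSACTION FINISHED");
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();
}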
9206d3b0 | 648 | |
649 | //SIMULATOR CODE | |
650 | //----------------------------------------------------------------------------- | |
651 | // Main loop of simulated tag: receive commands from reader, decide what | |
652 | // response to send, and send it. | |
653 | //----------------------------------------------------------------------------- | |
654 | void SimulateEMVcard() | |
655 | { | |
3e83ff21 | 656 | /* |
657 | ||
9206d3b0 | 658 | //uint8_t sak; //select ACKnowledge |
659 | uint16_t readerPacketLen = 64; //reader packet length - provided by RATS, default to 64 bytes if RATS not supported | |
660 | ||
661 | // The first response contains the ATQA (note: bytes are transmitted in reverse order). | |
662 | //uint8_t atqapacket[2]; | |
663 | ||
664 | // The second response contains the (mandatory) first 24 bits of the UID | |
665 | uint8_t uid0packet[5] = {0x00}; | |
666 | memcpy(uid0packet, currentcard.UID, sizeof(uid0packet)); | |
667 | // Check if the uid uses the (optional) part | |
668 | uint8_t uid1packet[5] = {0x00}; | |
669 | memcpy(uid1packet, currentcard.UID, sizeof(uid1packet)); | |
670 | ||
671 | // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID. | |
672 | uid0packet[4] = uid0packet[0] ^ uid0packet[1] ^ uid0packet[2] ^ uid0packet[3]; | |
673 | ||
674 | // Prepare the mandatory SAK (for 4 and 7 byte UID) | |
675 | uint8_t sak0packet[3] = {0x00}; | |
676 | memcpy(sak0packet,¤tcard.SAK1,1); | |
677 | ComputeCrc14443(CRC_14443_A, sak0packet, 1, &sak0packet[1], &sak0packet[2]); | |
678 | uint8_t sak1packet[3] = {0x00}; | |
679 | memcpy(sak1packet,¤tcard.SAK2,1); | |
680 | // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit | |
681 | ComputeCrc14443(CRC_14443_A, sak1packet, 1, &sak1packet[1], &sak1packet[2]); | |
682 | ||
683 | uint8_t authanspacket[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce | |
684 | //setup response to ATS | |
685 | uint8_t ratspacket[currentcard.ATS_len]; | |
686 | memcpy(ratspacket,currentcard.ATS, currentcard.ATS_len); | |
687 | AppendCrc14443a(ratspacket,sizeof(ratspacket)-2); | |
688 | ||
689 | // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, | |
690 | // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1 | |
691 | // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us) | |
692 | // TC(1) = 0x02: CID supported, NAD not supported | |
693 | //ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]); | |
694 | ||
695 | //Receive Acknowledge responses differ by PCB byte | |
696 | uint8_t rack0packet[] = {0xa2,0x00,0x00}; | |
697 | AppendCrc14443a(rack0packet,1); | |
698 | uint8_t rack1packet[] = {0xa3,0x00,0x00}; | |
699 | AppendCrc14443a(rack1packet,1); | |
700 | //Negative Acknowledge | |
701 | uint8_t rnak0packet[] = {0xb2,0x00,0x00}; | |
702 | uint8_t rnak1packet[] = {0xb3,0x00,0x00}; | |
703 | AppendCrc14443a(rnak0packet,1); | |
704 | AppendCrc14443a(rnak1packet,1); | |
705 | ||
706 | //Protocol and parameter selection response, just say yes | |
707 | uint8_t ppspacket[] = {0xd0,0x00,0x00}; | |
708 | AppendCrc14443a(ppspacket,1); | |
709 | ||
710 | //hardcoded WTX packet - set to max time (49) | |
711 | uint8_t wtxpacket[] ={0xf2,0x31,0x00,0x00}; | |
712 | AppendCrc14443a(wtxpacket,2); | |
713 | ||
714 | //added additional responses for different readers, namely protocol parameter select and Receive acknowledments. - peter fillmore. | |
715 | //added defininitions for predone responses to aid readability | |
716 | #define ATR 0 | |
717 | #define UID1 1 | |
718 | #define UID2 2 | |
719 | #define SELACK1 3 | |
720 | #define SELACK2 4 | |
721 | #define AUTH_ANS 5 | |
722 | #define ATS 6 | |
723 | #define RACK0 7 | |
724 | #define RACK1 8 | |
725 | #define RNAK0 9 | |
726 | #define RNAK1 10 | |
727 | #define PPSresponse 11 | |
728 | #define WTX 12 | |
729 | ||
730 | #define TAG_RESPONSE_COUNT 13 | |
731 | tag_response_info_t responses[TAG_RESPONSE_COUNT] = { | |
732 | { .response = currentcard.ATQA, .response_n = sizeof(currentcard.ATQA) }, // Answer to request - respond with card type | |
733 | { .response = uid0packet, .response_n = sizeof(uid0packet) }, // Anticollision cascade1 - respond with uid | |
734 | { .response = uid1packet, .response_n = sizeof(uid1packet) }, // Anticollision cascade2 - respond with 2nd half of uid if asked | |
735 | { .response = sak0packet, .response_n = sizeof(sak0packet) }, // Acknowledge select - cascade 1 | |
736 | { .response = sak1packet, .response_n = sizeof(sak1packet) }, // Acknowledge select - cascade 2 | |
737 | { .response = authanspacket, .response_n = sizeof(authanspacket) }, // Authentication answer (random nonce) | |
738 | { .response = ratspacket, .response_n = sizeof(ratspacket) }, // dummy ATS (pseudo-ATR), answer to RATS | |
739 | { .response = rack0packet, .response_n = sizeof(rack0packet) }, //R(ACK)0 | |
740 | { .response = rack1packet, .response_n = sizeof(rack1packet) }, //R(ACK)0 | |
741 | { .response = rnak0packet, .response_n = sizeof(rnak0packet) }, //R(NAK)0 | |
742 | { .response = rnak1packet, .response_n = sizeof(rnak1packet) }, //R(NAK)1 | |
743 | { .response = ppspacket, .response_n = sizeof(ppspacket)}, //PPS packet | |
744 | { .response = wtxpacket, .response_n = sizeof(wtxpacket)}, //WTX packet | |
745 | }; | |
746 | ||
747 | //calculated length of predone responses | |
748 | uint16_t allocatedtaglen = 0; | |
749 | for(int i=0;i<TAG_RESPONSE_COUNT;i++){ | |
750 | allocatedtaglen += responses[i].response_n; | |
751 | } | |
752 | //uint8_t selectOrder = 0; | |
753 | ||
754 | BigBuf_free_keep_EM(); | |
755 | // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it | |
756 | // Such a response is less time critical, so we can prepare them on the fly | |
757 | ||
99136c6e | 758 | #define DYNAMIC_RESPONSE_BUFFER_SIZE 64 |
759 | #define DYNAMIC_MODULATION_BUFFER_SIZE 512 | |
9206d3b0 | 760 | |
761 | //uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE]; | |
762 | //uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE]; | |
763 | uint8_t *dynamic_response_buffer = BigBuf_malloc(DYNAMIC_RESPONSE_BUFFER_SIZE); | |
764 | uint8_t *dynamic_modulation_buffer = BigBuf_malloc(DYNAMIC_MODULATION_BUFFER_SIZE); | |
765 | ||
766 | tag_response_info_t dynamic_response_info = { | |
767 | .response = dynamic_response_buffer, | |
768 | .response_n = 0, | |
769 | .modulation = dynamic_modulation_buffer, | |
770 | .modulation_n = 0 | |
771 | }; | |
772 | // allocate buffers from BigBuf (so we're not in the stack) | |
773 | uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE); | |
774 | uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE); | |
775 | //uint8_t* free_buffer_pointer; | |
776 | //free_buffer_pointer = BigBuf_malloc((allocatedtaglen*8) +(allocatedtaglen) + (TAG_RESPONSE_COUNT * 3)); | |
777 | BigBuf_malloc((allocatedtaglen*8) +(allocatedtaglen) + (TAG_RESPONSE_COUNT * 3)); | |
778 | // clear trace | |
779 | clear_trace(); | |
780 | set_tracing(TRUE); | |
781 | ||
782 | // Prepare the responses of the anticollision phase | |
783 | // there will be not enough time to do this at the moment the reader sends it REQA | |
784 | for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) | |
785 | prepare_allocated_tag_modulation(&responses[i]); | |
786 | ||
787 | int len = 0; | |
788 | ||
789 | // To control where we are in the protocol | |
790 | int order = 0; | |
791 | int lastorder; | |
792 | int currentblock = 1; //init to 1 | |
793 | int previousblock = 0; //used to store previous block counter | |
794 | ||
795 | // Just to allow some checks | |
796 | int happened = 0; | |
797 | int happened2 = 0; | |
798 | int cmdsRecvd = 0; | |
799 | ||
800 | // We need to listen to the high-frequency, peak-detected path. | |
801 | iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN); | |
802 | ||
803 | cmdsRecvd = 0; | |
804 | tag_response_info_t* p_response; | |
805 | ||
806 | LED_A_ON(); | |
807 | for(;;) { | |
808 | // Clean receive command buffer | |
809 | ||
810 | if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) { | |
811 | DbpString("Button press"); | |
812 | break; | |
813 | } | |
814 | ||
815 | p_response = NULL; | |
816 | ||
817 | // Okay, look at the command now. | |
818 | previousblock = currentblock; //get previous block | |
819 | lastorder = order; | |
820 | currentblock = receivedCmd[0] & 0x01; | |
821 | ||
822 | if(receivedCmd[0] == 0x26) { // Received a REQUEST | |
3e83ff21 | 823 | p_response = &responses[ATR]; order = ISO14443A_CMD_REQA; |
9206d3b0 | 824 | } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP |
3e83ff21 | 825 | p_response = &responses[ATR]; order = ISO14443A_CMD_WUPA; |
9206d3b0 | 826 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1) |
3e83ff21 | 827 | p_response = &responses[UID1]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT; |
9206d3b0 | 828 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2) |
3e83ff21 | 829 | p_response = &responses[UID2]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT_2; |
9206d3b0 | 830 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1) |
3e83ff21 | 831 | p_response = &responses[SELACK1]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT; |
9206d3b0 | 832 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2) |
3e83ff21 | 833 | p_response = &responses[SELACK2]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT_2; |
9206d3b0 | 834 | } else if((receivedCmd[0] & 0xA2) == 0xA2){ //R-Block received |
835 | if(previousblock == currentblock){ //rule 11, retransmit last block | |
836 | p_response = &dynamic_response_info; | |
837 | } else { | |
838 | if((receivedCmd[0] & 0xB2) == 0xB2){ //RNAK, rule 12 | |
839 | if(currentblock == 0) | |
840 | p_response = &responses[RACK0]; | |
841 | else | |
842 | p_response = &responses[RACK1]; | |
843 | } else { | |
844 | //rule 13 | |
845 | //TODO: implement chaining | |
846 | } | |
847 | } | |
848 | } | |
849 | else if(receivedCmd[0] == 0xD0){ //Protocol and parameter selection response | |
850 | p_response = &responses[PPSresponse]; | |
851 | order = PPS; | |
852 | } | |
853 | else if(receivedCmd[0] == 0x30) { // Received a (plain) READ | |
854 | //we're an EMV card - so no read commands | |
855 | p_response = NULL; | |
856 | } else if(receivedCmd[0] == 0x50) { // Received a HALT | |
857 | LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); | |
858 | p_response = NULL; | |
859 | order = HLTA; | |
860 | } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request | |
861 | p_response = &responses[AUTH_ANS]; | |
862 | order = AUTH; | |
863 | } else if(receivedCmd[0] == 0xE0) { // Received a RATS request | |
864 | readerPacketLen = GetReaderLength(receivedCmd); //get length of supported packet | |
865 | p_response = &responses[ATS]; | |
866 | order = RATS; | |
867 | } else if (order == AUTH && len == 8) { // Received {nr] and {ar} (part of authentication) | |
868 | LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); | |
869 | uint32_t nr = bytes_to_num(receivedCmd,4); | |
870 | uint32_t ar = bytes_to_num(receivedCmd+4,4); | |
871 | Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar); | |
872 | } else { | |
873 | // Check for ISO 14443A-4 compliant commands, look at left nibble | |
874 | switch (receivedCmd[0]) { | |
875 | case 0x0B: | |
876 | case 0x0A: // IBlock (command) | |
877 | case 0x02: | |
878 | case 0x03: { | |
879 | dynamic_response_info.response_n = 0; | |
880 | dynamic_response_info.response[0] = receivedCmd[0]; // copy PCB | |
881 | //dynamic_response_info.response[1] = receivedCmd[1]; // copy PCB | |
882 | dynamic_response_info.response_n++ ; | |
883 | switch(receivedCmd[1]) { | |
884 | case 0x00: | |
885 | switch(receivedCmd[2]){ | |
886 | case 0xA4: //select | |
887 | if(receivedCmd[5] == 0x0E){ | |
888 | } | |
889 | else if(receivedCmd[5] == 0x07){ | |
890 | //selectOrder = 0; | |
891 | } | |
892 | else{ //send not supported msg | |
893 | memcpy(dynamic_response_info.response+1, "\x6a\x82", 2); | |
894 | dynamic_response_info.response_n += 2; | |
895 | } | |
896 | break; | |
897 | case 0xB2: //read record | |
898 | if(receivedCmd[3] == 0x01 && receivedCmd[4] == 0x0C){ | |
899 | dynamic_response_info.response_n += 2; | |
900 | Dbprintf("READ RECORD 1 1"); | |
901 | } | |
902 | break; | |
903 | } | |
904 | break; | |
905 | case 0x80: | |
906 | switch(receivedCmd[2]){ | |
907 | case 0xA8: //get processing options | |
908 | break; | |
909 | } | |
910 | } | |
911 | }break; | |
912 | case 0x1A: | |
913 | case 0x1B: { // Chaining command | |
914 | dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1); | |
915 | dynamic_response_info.response_n = 2; | |
916 | } break; | |
917 | ||
918 | case 0xaa: | |
919 | case 0xbb: { | |
920 | dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11; | |
921 | dynamic_response_info.response_n = 2; | |
922 | } break; | |
923 | ||
924 | case 0xBA: { // | |
925 | memcpy(dynamic_response_info.response,"\xAB\x00",2); | |
926 | dynamic_response_info.response_n = 2; | |
927 | } break; | |
928 | ||
929 | case 0xCA: | |
930 | case 0xC2: { // Readers sends deselect command | |
931 | //we send the command back - this is what tags do in android implemenation i believe - peterfillmore | |
932 | memcpy(dynamic_response_info.response,receivedCmd,1); | |
933 | dynamic_response_info.response_n = 1; | |
934 | } break; | |
935 | ||
936 | default: { | |
937 | // Never seen this command before | |
938 | LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); | |
939 | Dbprintf("Received unknown command (len=%d):",len); | |
940 | Dbhexdump(len,receivedCmd,false); | |
941 | // Do not respond | |
942 | dynamic_response_info.response_n = 0; | |
943 | } break; | |
944 | } | |
945 | ||
946 | if (dynamic_response_info.response_n > 0) { | |
947 | // Copy the CID from the reader query | |
948 | //dynamic_response_info.response[1] = receivedCmd[1]; | |
949 | ||
950 | // Add CRC bytes, always used in ISO 14443A-4 compliant cards | |
951 | AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n); | |
952 | dynamic_response_info.response_n += 2; | |
953 | if(dynamic_response_info.response_n > readerPacketLen){ //throw error if our reader doesn't support the send packet length | |
954 | Dbprintf("Error: tag response is longer then what the reader supports, TODO:implement command chaining"); | |
955 | LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); | |
956 | break; | |
957 | } | |
958 | if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) { | |
959 | Dbprintf("Error preparing tag response"); | |
960 | LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); | |
961 | break; | |
962 | } | |
963 | p_response = &dynamic_response_info; | |
964 | } | |
965 | } | |
966 | ||
967 | // Count number of wakeups received after a halt | |
968 | if(order == HLTA && lastorder == PPS) { happened++; } | |
969 | ||
970 | // Count number of other messages after a halt | |
971 | if(order != HLTA && lastorder == PPS) { happened2++; } | |
972 | ||
973 | if(cmdsRecvd > 999) { | |
974 | DbpString("1000 commands later..."); | |
975 | break; | |
976 | } | |
977 | cmdsRecvd++; | |
978 | ||
979 | if (p_response != NULL) { | |
980 | EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52); | |
981 | // do the tracing for the previous reader request and this tag answer: | |
99136c6e | 982 | |
9206d3b0 | 983 | |
99136c6e | 984 | // EmLogTrace(Uart.output, |
985 | // Uart.len, | |
986 | // Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, | |
987 | // Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, | |
988 | // Uart.parity, | |
989 | // p_response->response, | |
990 | // p_response->response_n, | |
991 | // LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG, | |
992 | // (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, | |
993 | // par); | |
994 | ||
9206d3b0 | 995 | } |
99136c6e | 996 | |
997 | // if (!tracing) { | |
998 | // Dbprintf("Trace Full. Simulation stopped."); | |
999 | // break; | |
1000 | // } | |
1001 | ||
9206d3b0 | 1002 | } |
1003 | ||
1004 | Dbprintf("%x %x %x", happened, happened2, cmdsRecvd); | |
1005 | LED_A_OFF(); | |
1006 | BigBuf_free_keep_EM(); | |
3e83ff21 | 1007 | |
1008 | */ | |
9206d3b0 | 1009 | } |
99136c6e | 1010 | //----------------------------------------------------------------------------- |
1011 | // Main loop of the simulated tag: receive commands from the reader, decide what | |
1012 | // response to send, and send it. | |
1013 | //----------------------------------------------------------------------------- | |
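/**
 * Replay a caller-supplied ATS to a contactless reader.
 *
 * Walks a reader through the ISO 14443-A activation of a single card
 * (REQA/WUPA, anticollision cascade 1, SELECT, optional PPS) using fixed
 * ATQA/UID/SAK values, then answers the reader's RATS with the ratslen bytes
 * in RATS (CRC-A appended here) and stops. Any frame this loop has no canned
 * answer for, or a failed read from GetIso14443aCommandFromReader(), also
 * ends the run.
 *
 * @param ratslen number of ATS bytes in RATS; pass the bare ATS, the two CRC
 *                bytes are added by this function
 * @param RATS    ATS bytes to send; must be non-NULL when ratslen > 0
 *
 * The two receive buffers are taken from BigBuf and are not released here.
 */
void EMVFuzz_RATS(uint8_t ratslen, uint8_t* RATS)
{
    // Indices into responses[]; keep in step with the initializer below.
    enum {
        RESP_ATQA = 0,   // answer to REQA / WUPA
        RESP_UID0,       // anticollision, cascade level 1
        RESP_SAK,        // answer to SELECT, cascade level 1
        RESP_ATS,        // answer to RATS: the caller's payload
        RESP_ACK1,       // prepared but never sent by this loop
        RESP_ACK2,       // prepared but never sent by this loop
        RESP_PPS,        // answer to a PPS request
        RESP_COUNT
    };

    // A missing payload with a non-zero length would be read through NULL below.
    if (ratslen > 0 && RATS == NULL) {
        return;
    }

    int len = 0;   // byte count of the most recent reader frame

    // Copy the caller's ATS into a local buffer with room for the CRC-A.
    uint8_t ratscmd[ratslen + 2];
    if (ratslen > 0) {
        memcpy(ratscmd, RATS, ratslen);
    }
    AppendCrc14443a(ratscmd, ratslen);

    // ATQA (note: bytes are transmitted in reverse order).
    uint8_t atqa[2] = {0x04, 0x00};

    // Cascade-level-1 UID bytes followed by their BCC (XOR of the four bytes).
    uint8_t uid0[5] = {0x12, 0x34, 0x56, 0x78, 0x00};
    uid0[4] = uid0[0] ^ uid0[1] ^ uid0[2] ^ uid0[3];

    // SAK (0x28) followed by its CRC-A.
    uint8_t sakresponse[3] = {0x28, 0x00, 0x00};
    ComputeCrc14443(CRC_14443_A, sakresponse, 1, &sakresponse[1], &sakresponse[2]);

    // R(ACK) frames: ACK1 carries hard-coded trailing bytes (not recomputed
    // here), ACK2 gets its CRC-A appended.
    uint8_t ACK1[] = {0xa3, 0x6f, 0xc6};
    uint8_t ACK2[] = {0xa2, 0x00, 0x00};
    AppendCrc14443a(ACK2, 1);

    // PPS response (0xD0) followed by its CRC-A.
    uint8_t PPSR[3] = {0xD0, 0x00, 0x00};
    AppendCrc14443a(PPSR, 1);

    tag_response_info_t responses[RESP_COUNT] = {
        [RESP_ATQA] = { .response = atqa,        .response_n = sizeof(atqa) },
        [RESP_UID0] = { .response = uid0,        .response_n = sizeof(uid0) },
        [RESP_SAK]  = { .response = sakresponse, .response_n = sizeof(sakresponse) },
        [RESP_ATS]  = { .response = ratscmd,     .response_n = sizeof(ratscmd) },
        [RESP_ACK1] = { .response = ACK1,        .response_n = sizeof(ACK1) },
        [RESP_ACK2] = { .response = ACK2,        .response_n = sizeof(ACK2) },
        [RESP_PPS]  = { .response = PPSR,        .response_n = sizeof(PPSR) },
    };

    // Pre-modulate every canned response: there is no time to do it once the
    // reader's REQA is on the air.
    for (size_t i = 0; i < RESP_COUNT; i++) {
        prepare_allocated_tag_modulation(&responses[i]);
    }

    // Receive buffers live in BigBuf rather than on the stack.
    // NOTE(review): nothing in this function releases them - confirm whether
    // the caller reclaims BigBuf afterwards.
    uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
    uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);

    // Where we are in the activation sequence; only consulted for debug output.
    int order = 0;

    // Listen on the high-frequency, peak-detected path as a tag.
    iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
    tag_response_info_t *p_response;

    LED_C_ON();
    for (;;) {
        if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
            break;
        }
        p_response = NULL;

        // The cascade-level-1 commands are distinguished by their second byte;
        // only look at it when the reader actually sent one, never at stale
        // buffer contents.
        const int two_byte_cmd = (len >= 2);
        const uint8_t cmd = receivedCmd[0];

        switch (cmd) {
        case 0x26:   // REQA
        case 0x52:   // WUPA
            p_response = &responses[RESP_ATQA];
            order = 1;
            break;
        case 0x93:   // cascade level 1
            if (two_byte_cmd && receivedCmd[1] == 0x20) {          // anticollision: send the UID
                p_response = &responses[RESP_UID0];
                order = 2;
            } else if (two_byte_cmd && receivedCmd[1] == 0x70) {   // SELECT: send the SAK
                p_response = &responses[RESP_SAK];
                order = 3;
            }
            break;
        case 0xD0:   // PPS request
            p_response = &responses[RESP_PPS];
            order = 70;
            break;
        case 0xE0:   // RATS: the fuzz payload goes out, then we are done
            p_response = &responses[RESP_ATS];
            order = 70;
            break;
        default:
            break;
        }

        // Anything we have no canned answer for ends the run.
        if (p_response == NULL) {
            break;
        }
        EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n,
                           (cmd == 0x52) || (cmd == 0x26));
        if (cmd == 0xE0) {
            break;
        }
    }

    if (order && (MF_DBGLEVEL >= 2)) DbpString("just using order vars");

    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
    LED_C_OFF();
}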