]> cvs.zerfleddert.de Git - proxmark3-svn/blame - armsrc/mifaresniff.c
fix 'hf iclass snoop'
[proxmark3-svn] / armsrc / mifaresniff.c
CommitLineData
3544b997 1//-----------------------------------------------------------------------------
2// Merlok - 2012
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Routines to support mifare classic sniffer.
9//-----------------------------------------------------------------------------
10
11#include "mifaresniff.h"
fc52fbd4 12
3544b997 13#include "proxmark3.h"
14#include "util.h"
15#include "string.h"
16#include "iso14443crc.h"
17#include "iso14443a.h"
18#include "crapto1/crapto1.h"
19#include "mifareutil.h"
20#include "common.h"
fc52fbd4 21#include "cmd.h"
22#include "BigBuf.h"
23#include "fpgaloader.h"
3544b997 24
25
26static int sniffState = SNF_INIT;
27static uint8_t sniffUIDType;
28static uint8_t sniffUID[8] = {0x00};
29static uint8_t sniffATQA[2] = {0x00};
30static uint8_t sniffSAK;
31static uint8_t sniffBuf[16] = {0x00};
32static uint32_t timerData = 0;
33
34
35bool MfSniffInit(void){
36 memset(sniffUID, 0x00, 8);
37 memset(sniffATQA, 0x00, 2);
38 sniffSAK = 0;
39 sniffUIDType = SNF_UID_4;
40
44964fd1 41 return false;
3544b997 42}
43
44bool MfSniffEnd(void){
45 LED_B_ON();
46 cmd_send(CMD_ACK,0,0,0,0,0);
47 LED_B_OFF();
48
44964fd1 49 return false;
3544b997 50}
51
52bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {
53
54 if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader
55 sniffState = SNF_INIT;
56 }
57
58 switch (sniffState) {
59 case SNF_INIT:{
60 if ((len == 1) && (reader) && (bitCnt == 7) ) { // REQA or WUPA from reader
61 sniffUIDType = SNF_UID_4;
62 memset(sniffUID, 0x00, 8);
63 memset(sniffATQA, 0x00, 2);
64 sniffSAK = 0;
543a6ed3 65 sniffState = SNF_ATQA;
f7887fa8 66 if (data[0] == 0x40)
67 sniffState = SNF_MAGIC_WUPC2;
3544b997 68 }
69 break;
70 }
f7887fa8 71 case SNF_MAGIC_WUPC2:
72 if ((len == 1) && (reader) && (data[0] == 0x43) ) {
73 sniffState = SNF_CARD_IDLE;
74 }
75 break;
543a6ed3 76 case SNF_ATQA:{
3544b997 77 if ((!reader) && (len == 2)) { // ATQA from tag
78 memcpy(sniffATQA, data, 2);
543a6ed3 79 sniffState = SNF_UID1;
3544b997 80 }
81 break;
82 }
39864b0b 83 case SNF_UID1:{\r
7bc95e2e 84 if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 4 Byte UID from reader\r
3544b997 85 memcpy(sniffUID + 3, &data[2], 4);\r
39864b0b
M
86 sniffState = SNF_SAK;\r
87 }\r
3544b997 88 break;
39864b0b 89 }\r
3544b997 90 case SNF_SAK:{
91 if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
92 sniffSAK = data[0];
93 if ((sniffUID[3] == 0x88) && (sniffUIDType == SNF_UID_4)) { // CL2 UID part to be expected
94 sniffUIDType = SNF_UID_7;\r
95 memcpy(sniffUID, sniffUID + 4, 3);\r
96 sniffState = SNF_UID2;
97 } else { // select completed
98 sniffState = SNF_CARD_IDLE;
99 }
100 }
101 break;
102 }
39864b0b 103 case SNF_UID2:{\r
3544b997 104 if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {\r
105 memcpy(sniffUID + 3, &data[2], 4);\r
39864b0b 106 sniffState = SNF_SAK;\r
39864b0b
M
107 }\r
108 break;\r
109 }\r
3544b997 110 case SNF_CARD_IDLE:{ // trace the card select sequence
111 sniffBuf[0] = 0xFF;
112 sniffBuf[1] = 0xFF;
113 memcpy(sniffBuf + 2, sniffUID, 7);
114 memcpy(sniffBuf + 9, sniffATQA, 2);
115 sniffBuf[11] = sniffSAK;
116 sniffBuf[12] = 0xFF;
117 sniffBuf[13] = 0xFF;
44964fd1 118 LogTrace(sniffBuf, 14, 0, 0, NULL, true);
3544b997 119 sniffState = SNF_CARD_CMD;
120 } // intentionally no break;
121 case SNF_CARD_CMD:{
a37725fa 122 LogTrace(data, len, 0, 0, parity, reader);
3544b997 123 timerData = GetTickCount();
124 break;
125 }
126
127 default:
128 sniffState = SNF_INIT;
129 break;
130 }
131
132
44964fd1 133 return false;
3544b997 134}
135
136bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
137 if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {
138 return intMfSniffSend();
139 }
44964fd1 140 return false;
3544b997 141}
142
143// internal sending function. not a RAMFUNC.
144bool intMfSniffSend() {
145
146 int pckSize = 0;
147 int pckLen = BigBuf_get_traceLen();
148 int pckNum = 0;
149 uint8_t *trace = BigBuf_get_addr();
150
151 FpgaDisableSscDma();
152 while (pckLen > 0) {
153 pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
154 LED_B_ON();
155 cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);
156 LED_B_OFF();
157
158 pckLen -= pckSize;
159 pckNum++;
160 }
161
162 LED_B_ON();
163 cmd_send(CMD_ACK,2,0,0,0,0);
164 LED_B_OFF();
165
166 clear_trace();
167
44964fd1 168 return true;
3544b997 169}
Impressum, Datenschutz