]> cvs.zerfleddert.de Git - proxmark3-svn/blame - client/cmdlfhitag.c
fix 'hf iclass replay' (#888)
[proxmark3-svn] / client / cmdlfhitag.c
CommitLineData
db09cb3a 1//-----------------------------------------------------------------------------
2// Copyright (C) 2012 Roel Verdult
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency Hitag support
9//-----------------------------------------------------------------------------
10
ad939de5 11#include "cmdlfhitag.h"
12
db09cb3a 13#include <stdio.h>
14#include <stdlib.h>
15#include <string.h>
ad939de5 16#include "comms.h"
db09cb3a 17#include "ui.h"
18#include "cmdparser.h"
19#include "common.h"
20#include "util.h"
1f065e1d 21#include "parity.h"
5866c187 22#include "hitag.h"
902cb3c0 23#include "cmdmain.h"
db09cb3a 24
f2dbf3d2 25static size_t nbytes(size_t nbits) {
26 return (nbits/8) + ((nbits%8)>0);
47e18126 27}
28
f2dbf3d2 29
30static int CmdLFHitagList(const char *Cmd) {
31 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
f71f4deb 32 // Query for the actual size of the trace
33 UsbCommand response;
babca445 34 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
f71f4deb 35 uint16_t traceLen = response.arg[2];
36 if (traceLen > USB_CMD_DATA_SIZE) {
37 uint8_t *p = realloc(got, traceLen);
38 if (p == NULL) {
39 PrintAndLog("Cannot allocate memory for trace");
40 free(got);
41 return 2;
42 }
43 got = p;
babca445 44 GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
f71f4deb 45 }
f2dbf3d2 46
f71f4deb 47 PrintAndLog("recorded activity (TraceLen = %d bytes):");
48 PrintAndLog(" ETU :nbits: who bytes");
49 PrintAndLog("---------+-----+----+-----------");
db09cb3a 50
7b6e3205 51 int j;
f71f4deb 52 int i = 0;
53 int prev = -1;
54 int len = strlen(Cmd);
b915fda3 55
f71f4deb 56 char filename[FILE_PATH_SIZE] = { 0x00 };
57 FILE* pf = NULL;
f2dbf3d2 58
59 if (len > FILE_PATH_SIZE)
f71f4deb 60 len = FILE_PATH_SIZE;
61 memcpy(filename, Cmd, len);
f2dbf3d2 62
f71f4deb 63 if (strlen(filename) > 0) {
64 if ((pf = fopen(filename,"wb")) == NULL) {
65 PrintAndLog("Error: Could not open file [%s]",filename);
44964fd1 66 free(got);
f71f4deb 67 return 1;
68 }
b915fda3 69 }
db09cb3a 70
f71f4deb 71 for (;;) {
f2dbf3d2 72
00848e09 73 if(i >= traceLen) { break; }
f71f4deb 74
75 bool isResponse;
76 int timestamp = *((uint32_t *)(got+i));
77 if (timestamp & 0x80000000) {
78 timestamp &= 0x7fffffff;
79 isResponse = 1;
80 } else {
81 isResponse = 0;
82 }
83
84 int parityBits = *((uint32_t *)(got+i+4));
85 // 4 bytes of additional information...
86 // maximum of 32 additional parity bit information
87 //
88 // TODO:
89 // at each quarter bit period we can send power level (16 levels)
90 // or each half bit period in 256 levels.
91
92 int bits = got[i+8];
7b6e3205 93 int len = nbytes(bits);
f71f4deb 94
95 if (len > 100) {
f2dbf3d2 96 break;
f71f4deb 97 }
98 if (i + len > traceLen) { break;}
99
100 uint8_t *frame = (got+i+9);
7b6e3205 101/*
102 int fillupBits = 8 - (bits % 8);
103 byte_t framefilled[bits+fillupBits];
104 byte_t* ff = framefilled;
f2dbf3d2 105
7b6e3205 106 int response_bit[200] = {0};
107 int z = 0;
108 for (int y = 0; y < len; y++) {
109 for (j = 0; j < 8; j++) {
110 response_bit[z] = 0;
111 if ((frame[y] & ((mask << 7) >> j)) != 0)
112 response_bit[z] = 1;
113 z++;
114 }
115 }
116 z = 0;
117 for (int y = 0; y < len; y++) {
118 ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6)
119 | (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4)
120 | (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2)
121 | (response_bit[z + 6] << 1) | response_bit[z + 7];
122 z += 8;
123 }
124*/
125
126
127
f71f4deb 128
129 // Break and stick with current result if buffer was not completely full
130 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
131
132 char line[1000] = "";
f71f4deb 133 for (j = 0; j < len; j++) {
f2dbf3d2 134 //if((parityBits >> (len - j - 1)) & 0x01) {
135 if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
136 sprintf(line+(j*4), "%02x! ", frame[j]);
137 } else {
138 sprintf(line+(j*4), "%02x ", frame[j]);
139 }
f71f4deb 140 }
141
142 PrintAndLog(" +%7d: %3d: %s %s",
143 (prev < 0 ? 0 : (timestamp - prev)),
144 bits,
145 (isResponse ? "TAG" : " "),
146 line);
147
148 if (pf) {
149 fprintf(pf," +%7d: %3d: %s %s\n",
150 (prev < 0 ? 0 : (timestamp - prev)),
151 bits,
152 (isResponse ? "TAG" : " "),
153 line);
154 }
f2dbf3d2 155
f71f4deb 156 prev = timestamp;
157 i += (len + 9);
158 }
f2dbf3d2 159
f71f4deb 160 if (pf) {
161 fclose(pf);
162 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
163 }
97d582a6 164
f71f4deb 165 free(got);
166 return 0;
db09cb3a 167}
168
f2dbf3d2 169
170static int CmdLFHitagSnoop(const char *Cmd) {
171 UsbCommand c = {CMD_SNOOP_HITAG};
172 SendCommand(&c);
173 return 0;
db09cb3a 174}
175
f2dbf3d2 176
177static int CmdLFHitagSim(const char *Cmd) {
178
179 UsbCommand c = {CMD_SIMULATE_HITAG};
b915fda3 180 char filename[FILE_PATH_SIZE] = { 0x00 };
db09cb3a 181 FILE* pf;
182 bool tag_mem_supplied;
b915fda3 183 int len = strlen(Cmd);
184 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
185 memcpy(filename, Cmd, len);
f2dbf3d2 186
db09cb3a 187 if (strlen(filename) > 0) {
188 if ((pf = fopen(filename,"rb+")) == NULL) {
189 PrintAndLog("Error: Could not open file [%s]",filename);
190 return 1;
191 }
192 tag_mem_supplied = true;
44964fd1 193 if (fread(c.d.asBytes,1,48,pf) != 48) {
194 PrintAndLog("Error: File reading error");
195 fclose(pf);
759c16b3 196 return 1;
44964fd1 197 }
db09cb3a 198 fclose(pf);
199 } else {
200 tag_mem_supplied = false;
201 }
f2dbf3d2 202
db09cb3a 203 // Does the tag comes with memory
204 c.arg[0] = (uint32_t)tag_mem_supplied;
205
f2dbf3d2 206 SendCommand(&c);
207 return 0;
208}
209
210
00848e09 211bool getHitagUid(uint32_t *uid, bool quiet) {
f2dbf3d2 212 // ToDo: this is for Hitag2 only (??)
213
214 UsbCommand c = {CMD_READER_HITAG, {RHT2F_UID_ONLY}};
215
216 SendCommand(&c);
217
218 UsbCommand resp;
219 if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
00848e09 220 if (!quiet) PrintAndLogEx(WARNING, "timeout while waiting for reply.");
f2dbf3d2 221 return false;
222 }
223
224 if (resp.arg[0] == false) {
00848e09 225 if (!quiet) PrintAndLogEx(DEBUG, "DEBUG: Error - failed getting UID");
f2dbf3d2 226 return false;
227 }
228
229 if (uid)
230 *uid = bytes_to_num(resp.d.asBytes, 4);
231
232 return true;
db09cb3a 233}
234
f2dbf3d2 235
236static int CmdLFHitagInfo(const char *Cmd) {
237 char ctmp = param_getchar(Cmd, 0);
238 if (ctmp != '\0') {
239 PrintAndLog("Usage: lf hitag info [h]");
240 PrintAndLog("Options:");
241 PrintAndLog(" h This help");
242 PrintAndLog("Examples:");
243 PrintAndLog(" lf hitag info");
244 return 0;
245 }
246
247 // read UID
248 uint32_t uid = 0;
00848e09 249 if (getHitagUid(&uid, false) == false)
f2dbf3d2 250 return 1;
251
252 PrintAndLogEx(SUCCESS, "UID: %08X", uid);
253
254 // how to detemine Hitag types?
255 // read block3, get configuration byte.
256 // PrintAndLogEx(FAILED, _RED_("TODO: This is a hardcoded example!"));
257
258 // common configurations.
259 // printHitagConfiguration(0x06);
260 //printHitagConfiguration( 0x0E );
261 //printHitagConfiguration( 0x02 );
262 //printHitagConfiguration( 0x00 );
263 //printHitagConfiguration( 0x04 );
264 return 0;
265}
266
267
db09cb3a 268int CmdLFHitagReader(const char *Cmd) {
f2dbf3d2 269 UsbCommand c = {CMD_READER_HITAG};
db09cb3a 270 hitag_data* htd = (hitag_data*)c.d.asBytes;
f2dbf3d2 271 hitag_function htf = param_get32ex(Cmd, 0, 0, 10);
272
db09cb3a 273 switch (htf) {
00848e09 274 case RHTSF_CHALLENGE: {
4e12287d 275 c = (UsbCommand){ CMD_READ_HITAG_S };
f2dbf3d2 276 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
277 num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
278 c.arg[1] = param_get64ex(Cmd, 3, 0, 0); //firstpage
279 c.arg[2] = param_get64ex(Cmd, 4, 0, 0); //tag mode
4e12287d 280 } break;
00848e09 281 case RHTSF_KEY: {
4e12287d 282 c = (UsbCommand){ CMD_READ_HITAG_S };
f2dbf3d2 283 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
284 c.arg[1] = param_get64ex(Cmd, 2, 0, 0); //firstpage
285 c.arg[2] = param_get64ex(Cmd, 3, 0, 0); //tag mode
7b6e3205 286 } break;
db09cb3a 287 case RHT2F_PASSWORD: {
f2dbf3d2 288 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
db09cb3a 289 } break;
290 case RHT2F_AUTHENTICATE: {
f2dbf3d2 291 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
292 num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
db09cb3a 293 } break;
bde10a50 294 case RHT2F_CRYPTO: {
f2dbf3d2 295 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
296 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
bde10a50 297 } break;
db09cb3a 298 case RHT2F_TEST_AUTH_ATTEMPTS: {
299 // No additional parameters needed
300 } break;
f86d6b55 301 case RHT2F_UID_ONLY: {
302 // No additional parameters needed
303 } break;
db09cb3a 304 default: {
f86d6b55 305 PrintAndLog("\nError: unkown reader function %d",htf);
306 PrintAndLog("");
307 PrintAndLog("Usage: hitag reader <Reader Function #>");
308 PrintAndLog("Reader Functions:");
f2dbf3d2 309 PrintAndLog(" HitagS (0*):");
310 PrintAndLog(" 01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
311 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
f2dbf3d2 312 PrintAndLog(" Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
313 PrintAndLog(" Hitag1 (1*):");
314 PrintAndLog(" (not yet implemented)");
315 PrintAndLog(" Hitag2 (2*):");
316 PrintAndLog(" 21 <password> (password mode)");
317 PrintAndLog(" 22 <nr> <ar> (authentication)");
318 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
319 PrintAndLog(" 25 (test recorded authentications)");
320 PrintAndLog(" 26 just read UID");
db09cb3a 321 return 1;
322 } break;
323 }
324
325 // Copy the hitag2 function into the first argument
326 c.arg[0] = htf;
327
f86d6b55 328 // Send the command to the proxmark
217cfb6b 329 clearCommandBuffer();
f86d6b55 330 SendCommand(&c);
ab4da50d 331
f86d6b55 332 UsbCommand resp;
f2dbf3d2 333 if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
334 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
335 return 1;
336 }
f86d6b55 337
338 // Check the return status, stored in the first argument
f2dbf3d2 339 if (resp.arg[0] == false) {
340 PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
341 return 1;
342 }
343
00848e09 344 uint32_t id = bytes_to_num(resp.d.asBytes, 4);
f2dbf3d2 345
00848e09 346 PrintAndLog("Valid Hitag2 tag found - UID: %08x", id);
347 if (htf != RHT2F_UID_ONLY) {
348 PrintAndLogEx(SUCCESS, "Dumping tag memory...");
f86d6b55 349 char filename[256];
350 FILE* pf = NULL;
351
352 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
353 if ((pf = fopen(filename,"wb")) == NULL) {
354 PrintAndLog("Error: Could not open file [%s]",filename);
355 return 1;
356 }
357
358 // Write the 48 tag memory bytes to file and finalize
359 fwrite(resp.d.asBytes,1,48,pf);
360 fclose(pf);
361
362 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
363 }
364
f86d6b55 365 return 0;
db09cb3a 366}
367
4e12287d 368
f2dbf3d2 369static int CmdLFHitagSimS(const char *Cmd) {
4e12287d
RS
370 UsbCommand c = { CMD_SIMULATE_HITAG_S };
371 char filename[FILE_PATH_SIZE] = { 0x00 };
372 FILE* pf;
373 bool tag_mem_supplied;
374 int len = strlen(Cmd);
375 if (len > FILE_PATH_SIZE)
376 len = FILE_PATH_SIZE;
377 memcpy(filename, Cmd, len);
378
379 if (strlen(filename) > 0) {
380 if ((pf = fopen(filename, "rb+")) == NULL) {
381 PrintAndLog("Error: Could not open file [%s]", filename);
382 return 1;
383 }
384 tag_mem_supplied = true;
44964fd1 385 if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) {
4e12287d
RS
386 PrintAndLog("Error: File reading error");
387 fclose(pf);
388 return 1;
389 }
390 fclose(pf);
391 } else {
392 tag_mem_supplied = false;
393 }
394
395 // Does the tag comes with memory
396 c.arg[0] = (uint32_t) tag_mem_supplied;
397
398 SendCommand(&c);
399 return 0;
400}
401
f2dbf3d2 402
403static int CmdLFHitagCheckChallenges(const char *Cmd) {
4e12287d
RS
404 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
405 char filename[FILE_PATH_SIZE] = { 0x00 };
406 FILE* pf;
407 bool file_given;
408 int len = strlen(Cmd);
409 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
410 memcpy(filename, Cmd, len);
f2dbf3d2 411
4e12287d
RS
412 if (strlen(filename) > 0) {
413 if ((pf = fopen(filename,"rb+")) == NULL) {
414 PrintAndLog("Error: Could not open file [%s]",filename);
415 return 1;
416 }
417 file_given = true;
44964fd1 418 if (fread(c.d.asBytes,1,8*60,pf) != 8*60) {
419 PrintAndLog("Error: File reading error");
420 fclose(pf);
4e12287d 421 return 1;
f2dbf3d2 422 }
4e12287d
RS
423 fclose(pf);
424 } else {
425 file_given = false;
426 }
f2dbf3d2 427
4e12287d
RS
428 //file with all the challenges to try
429 c.arg[0] = (uint32_t)file_given;
7b6e3205 430 c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode
4e12287d 431
f2dbf3d2 432 SendCommand(&c);
433 return 0;
4e12287d
RS
434}
435
436
f2dbf3d2 437static int CmdLFHitagWriter(const char *Cmd) {
4e12287d
RS
438 UsbCommand c = { CMD_WR_HITAG_S };
439 hitag_data* htd = (hitag_data*)c.d.asBytes;
440 hitag_function htf = param_get32ex(Cmd,0,0,10);
441 switch (htf) {
f2dbf3d2 442 case WHTSF_CHALLENGE: {
4e12287d
RS
443 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
444 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
445 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
446 } break;
f2dbf3d2 447 case WHTSF_KEY:
448 case WHT2F_CRYPTO: {
4e12287d
RS
449 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
450 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
451 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
f2dbf3d2 452 } break;
453 case WHT2F_PASSWORD: {
454 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
455 c.arg[2] = param_get32ex(Cmd, 2, 0, 10);
456 num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, htd->crypto.data);
4e12287d
RS
457 } break;
458 default: {
459 PrintAndLog("Error: unkown writer function %d",htf);
460 PrintAndLog("Hitag writer functions");
f2dbf3d2 461 PrintAndLog(" HitagS (0*):");
462 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
463 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
464 PrintAndLog(" Hitag1 (1*)");
465 PrintAndLog(" (not yet implemented)");
466 PrintAndLog(" Hitag2 (2*):");
467 PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
468 PrintAndLog(" 27 <password> <page> <byte0...byte3> write page on a Hitag2 tag");
4e12287d
RS
469 return 1;
470 } break;
471 }
472 // Copy the hitag function into the first argument
473 c.arg[0] = htf;
474
f2dbf3d2 475 // Send the command to the proxmark
476 SendCommand(&c);
477
478 UsbCommand resp;
479 if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
480 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
481 return 1;
482 }
483
484 // Check the return status, stored in the first argument
485 if (resp.arg[0] == false) {
486 PrintAndLogEx(DEBUG, "DEBUG: Error - hitag write failed");
487 return 1;
488 }
489 return 0;
4e12287d
RS
490}
491
492
f2dbf3d2 493static int CmdHelp(const char *Cmd);
494
495static command_t CommandTable[] =
db09cb3a 496{
f2dbf3d2 497 {"help", CmdHelp, 1, "This help"},
498 {"list", CmdLFHitagList, 0, "<outfile> List Hitag trace history"},
499 {"info", CmdLFHitagInfo, 0, "Tag information" },
500 {"reader", CmdLFHitagReader, 0, "Act like a Hitag Reader"},
501 {"sim", CmdLFHitagSim, 0, "Simulate Hitag transponder"},
502 {"snoop", CmdLFHitagSnoop, 0, "Eavesdrop Hitag communication"},
503 {"writer", CmdLFHitagWriter, 0, "Act like a Hitag Writer" },
504 {"simS", CmdLFHitagSimS, 0, "Simulate HitagS transponder" },
505 {"checkChallenges", CmdLFHitagCheckChallenges, 0, "Test challenges from a file" },
506 { NULL, NULL, 0, NULL }
db09cb3a 507};
508
f2dbf3d2 509
510static int CmdHelp(const char *Cmd) {
511 CmdsHelp(CommandTable);
512 return 0;
db09cb3a 513}
514
f2dbf3d2 515
516int CmdLFHitag(const char *Cmd) {
517 CmdsParse(CommandTable, Cmd);
518 return 0;
db09cb3a 519}
Impressum, Datenschutz