]> cvs.zerfleddert.de Git - proxmark3-svn/blame - client/cmdlfhitag.c
Experimental HitagS support
[proxmark3-svn] / client / cmdlfhitag.c
CommitLineData
db09cb3a 1//-----------------------------------------------------------------------------
2// Copyright (C) 2012 Roel Verdult
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency Hitag support
9//-----------------------------------------------------------------------------
10
11#include <stdio.h>
12#include <stdlib.h>
13#include <string.h>
14#include "data.h"
902cb3c0 15#include "proxmark3.h"
db09cb3a 16#include "ui.h"
17#include "cmdparser.h"
18#include "common.h"
19#include "util.h"
20#include "hitag2.h"
4e12287d 21#include "hitagS.h"
902cb3c0 22#include "sleep.h"
23#include "cmdmain.h"
db09cb3a 24
25static int CmdHelp(const char *Cmd);
26
47e18126 27size_t nbytes(size_t nbits) {
28 return (nbits/8)+((nbits%8)>0);
29}
30
db09cb3a 31int CmdLFHitagList(const char *Cmd)
32{
f71f4deb 33 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
34
35 // Query for the actual size of the trace
36 UsbCommand response;
37 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0);
38 WaitForResponse(CMD_ACK, &response);
39 uint16_t traceLen = response.arg[2];
40 if (traceLen > USB_CMD_DATA_SIZE) {
41 uint8_t *p = realloc(got, traceLen);
42 if (p == NULL) {
43 PrintAndLog("Cannot allocate memory for trace");
44 free(got);
45 return 2;
46 }
47 got = p;
48 GetFromBigBuf(got, traceLen, 0);
49 WaitForResponse(CMD_ACK,NULL);
50 }
51
52 PrintAndLog("recorded activity (TraceLen = %d bytes):");
53 PrintAndLog(" ETU :nbits: who bytes");
54 PrintAndLog("---------+-----+----+-----------");
db09cb3a 55
f71f4deb 56 int i = 0;
57 int prev = -1;
58 int len = strlen(Cmd);
b915fda3 59
f71f4deb 60 char filename[FILE_PATH_SIZE] = { 0x00 };
61 FILE* pf = NULL;
b915fda3 62
f71f4deb 63 if (len > FILE_PATH_SIZE)
64 len = FILE_PATH_SIZE;
65 memcpy(filename, Cmd, len);
b915fda3 66
f71f4deb 67 if (strlen(filename) > 0) {
68 if ((pf = fopen(filename,"wb")) == NULL) {
69 PrintAndLog("Error: Could not open file [%s]",filename);
70 return 1;
71 }
b915fda3 72 }
db09cb3a 73
f71f4deb 74 for (;;) {
b915fda3 75
f71f4deb 76 if(i > traceLen) { break; }
77
78 bool isResponse;
79 int timestamp = *((uint32_t *)(got+i));
80 if (timestamp & 0x80000000) {
81 timestamp &= 0x7fffffff;
82 isResponse = 1;
83 } else {
84 isResponse = 0;
85 }
86
87 int parityBits = *((uint32_t *)(got+i+4));
88 // 4 bytes of additional information...
89 // maximum of 32 additional parity bit information
90 //
91 // TODO:
92 // at each quarter bit period we can send power level (16 levels)
93 // or each half bit period in 256 levels.
94
95 int bits = got[i+8];
96 int len = nbytes(got[i+8]);
97
98 if (len > 100) {
99 break;
100 }
101 if (i + len > traceLen) { break;}
102
103 uint8_t *frame = (got+i+9);
104
105 // Break and stick with current result if buffer was not completely full
106 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
107
108 char line[1000] = "";
109 int j;
110 for (j = 0; j < len; j++) {
111 int oddparity = 0x01;
112 int k;
113
114 for (k=0;k<8;k++) {
115 oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
116 }
117
118 //if((parityBits >> (len - j - 1)) & 0x01) {
119 if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
120 sprintf(line+(j*4), "%02x! ", frame[j]);
121 }
122 else {
123 sprintf(line+(j*4), "%02x ", frame[j]);
124 }
125 }
126
127 PrintAndLog(" +%7d: %3d: %s %s",
128 (prev < 0 ? 0 : (timestamp - prev)),
129 bits,
130 (isResponse ? "TAG" : " "),
131 line);
132
133 if (pf) {
134 fprintf(pf," +%7d: %3d: %s %s\n",
135 (prev < 0 ? 0 : (timestamp - prev)),
136 bits,
137 (isResponse ? "TAG" : " "),
138 line);
139 }
140
141 prev = timestamp;
142 i += (len + 9);
143 }
2d495a81 144
f71f4deb 145 if (pf) {
146 fclose(pf);
147 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
148 }
97d582a6 149
f71f4deb 150 free(got);
151 return 0;
db09cb3a 152}
153
154int CmdLFHitagSnoop(const char *Cmd) {
155 UsbCommand c = {CMD_SNOOP_HITAG};
156 SendCommand(&c);
157 return 0;
158}
159
160int CmdLFHitagSim(const char *Cmd) {
b915fda3 161
db09cb3a 162 UsbCommand c = {CMD_SIMULATE_HITAG};
b915fda3 163 char filename[FILE_PATH_SIZE] = { 0x00 };
db09cb3a 164 FILE* pf;
165 bool tag_mem_supplied;
b915fda3 166 int len = strlen(Cmd);
167 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
168 memcpy(filename, Cmd, len);
db09cb3a 169
170 if (strlen(filename) > 0) {
171 if ((pf = fopen(filename,"rb+")) == NULL) {
172 PrintAndLog("Error: Could not open file [%s]",filename);
173 return 1;
174 }
175 tag_mem_supplied = true;
759c16b3 176 if (fread(c.d.asBytes,48,1,pf) == 0) {
177 PrintAndLog("Error: File reading error");
90e278d3 178 fclose(pf);
759c16b3 179 return 1;
180 }
db09cb3a 181 fclose(pf);
182 } else {
183 tag_mem_supplied = false;
184 }
185
186 // Does the tag comes with memory
187 c.arg[0] = (uint32_t)tag_mem_supplied;
188
189 SendCommand(&c);
190 return 0;
191}
192
193int CmdLFHitagReader(const char *Cmd) {
db09cb3a 194 UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
195 hitag_data* htd = (hitag_data*)c.d.asBytes;
196 hitag_function htf = param_get32ex(Cmd,0,0,10);
197
198 switch (htf) {
4e12287d
RS
199 case 01: { //RHTSF_CHALLENGE
200 c = (UsbCommand){ CMD_READ_HITAG_S };
201 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
202 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
203 } break;
204 case 02: { //RHTSF_KEY
205 c = (UsbCommand){ CMD_READ_HITAG_S };
206 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
207 } break;
db09cb3a 208 case RHT2F_PASSWORD: {
209 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password);
210 } break;
211 case RHT2F_AUTHENTICATE: {
212 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
213 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
214 } break;
bde10a50 215 case RHT2F_CRYPTO: {
216 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
217// num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
218 } break;
db09cb3a 219 case RHT2F_TEST_AUTH_ATTEMPTS: {
220 // No additional parameters needed
221 } break;
222 default: {
223 PrintAndLog("Error: unkown reader function %d",htf);
ab4da50d 224 PrintAndLog("Hitag reader functions");
225 PrintAndLog(" HitagS (0*)");
4e12287d
RS
226 PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag");
227 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag");
ab4da50d 228 PrintAndLog(" Hitag1 (1*)");
229 PrintAndLog(" Hitag2 (2*)");
230 PrintAndLog(" 21 <password> (password mode)");
231 PrintAndLog(" 22 <nr> <ar> (authentication)");
232 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
233 PrintAndLog(" 25 (test recorded authentications)");
db09cb3a 234 return 1;
235 } break;
236 }
237
238 // Copy the hitag2 function into the first argument
239 c.arg[0] = htf;
240
ab4da50d 241 // Send the command to the proxmark
db09cb3a 242 SendCommand(&c);
ab4da50d 243
244 UsbCommand resp;
245 WaitForResponse(CMD_ACK,&resp);
246
247 // Check the return status, stored in the first argument
248 if (resp.arg[0] == false) return 1;
249
250 uint32_t id = bytes_to_num(resp.d.asBytes,4);
251 char filename[256];
252 FILE* pf = NULL;
253
254 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
255 if ((pf = fopen(filename,"wb")) == NULL) {
256 PrintAndLog("Error: Could not open file [%s]",filename);
257 return 1;
258 }
259
260 // Write the 48 tag memory bytes to file and finalize
261 fwrite(resp.d.asBytes,1,48,pf);
262 fclose(pf);
263
264 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
265
db09cb3a 266 return 0;
267}
268
4e12287d
RS
269
270int CmdLFHitagSimS(const char *Cmd) {
271 UsbCommand c = { CMD_SIMULATE_HITAG_S };
272 char filename[FILE_PATH_SIZE] = { 0x00 };
273 FILE* pf;
274 bool tag_mem_supplied;
275 int len = strlen(Cmd);
276 if (len > FILE_PATH_SIZE)
277 len = FILE_PATH_SIZE;
278 memcpy(filename, Cmd, len);
279
280 if (strlen(filename) > 0) {
281 if ((pf = fopen(filename, "rb+")) == NULL) {
282 PrintAndLog("Error: Could not open file [%s]", filename);
283 return 1;
284 }
285 tag_mem_supplied = true;
286 if (fread(c.d.asBytes, 4*64, 1, pf) == 0) {
287 PrintAndLog("Error: File reading error");
288 fclose(pf);
289 return 1;
290 }
291 fclose(pf);
292 } else {
293 tag_mem_supplied = false;
294 }
295
296 // Does the tag comes with memory
297 c.arg[0] = (uint32_t) tag_mem_supplied;
298
299 SendCommand(&c);
300 return 0;
301}
302
303int CmdLFHitagCheckChallenges(const char *Cmd) {
304 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
305 char filename[FILE_PATH_SIZE] = { 0x00 };
306 FILE* pf;
307 bool file_given;
308 int len = strlen(Cmd);
309 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
310 memcpy(filename, Cmd, len);
311
312 if (strlen(filename) > 0) {
313 if ((pf = fopen(filename,"rb+")) == NULL) {
314 PrintAndLog("Error: Could not open file [%s]",filename);
315 return 1;
316 }
317 file_given = true;
318 if (fread(c.d.asBytes,8*60,1,pf) == 0) {
319 PrintAndLog("Error: File reading error");
320 fclose(pf);
321 return 1;
322 }
323 fclose(pf);
324 } else {
325 file_given = false;
326 }
327
328 //file with all the challenges to try
329 c.arg[0] = (uint32_t)file_given;
330
331 SendCommand(&c);
332 return 0;
333}
334
335
336int CmdLFHitagWP(const char *Cmd) {
337 UsbCommand c = { CMD_WR_HITAG_S };
338 hitag_data* htd = (hitag_data*)c.d.asBytes;
339 hitag_function htf = param_get32ex(Cmd,0,0,10);
340 switch (htf) {
341 case 03: { //WHTSF_CHALLENGE
342 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
343 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
344 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
345 } break;
346 case 04: { //WHTSF_KEY
347 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
348 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
349 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
350
351 } break;
352 default: {
353 PrintAndLog("Error: unkown writer function %d",htf);
354 PrintAndLog("Hitag writer functions");
355 PrintAndLog(" HitagS (0*)");
356 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
357 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
358 PrintAndLog(" Hitag1 (1*)");
359 PrintAndLog(" Hitag2 (2*)");
360 return 1;
361 } break;
362 }
363 // Copy the hitag function into the first argument
364 c.arg[0] = htf;
365
366 // Send the command to the proxmark
367 SendCommand(&c);
368
369 UsbCommand resp;
370 WaitForResponse(CMD_ACK,&resp);
371
372 // Check the return status, stored in the first argument
373 if (resp.arg[0] == false) return 1;
374 return 0;
375}
376
377
3fe4ff4f 378static command_t CommandTable[] =
db09cb3a 379{
4e12287d
RS
380 {"help", CmdHelp, 1, "This help"},
381 {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"},
382 {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"},
383 {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"},
384 {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"},
385 {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" },
386 {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" },
387 {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> test all challenges" }, {
388 NULL,NULL, 0, NULL }
db09cb3a 389};
390
391int CmdLFHitag(const char *Cmd)
392{
3fe4ff4f 393 CmdsParse(CommandTable, Cmd);
db09cb3a 394 return 0;
395}
396
397int CmdHelp(const char *Cmd)
398{
3fe4ff4f 399 CmdsHelp(CommandTable);
db09cb3a 400 return 0;
401}
Impressum, Datenschutz