db09cb3a |
1 | //----------------------------------------------------------------------------- |
2 | // Copyright (C) 2012 Roel Verdult |
3 | // |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, |
5 | // at your option, any later version. See the LICENSE.txt file for the text of |
6 | // the license. |
7 | //----------------------------------------------------------------------------- |
8 | // Low frequency Hitag support |
9 | //----------------------------------------------------------------------------- |
10 | |
11 | #include <stdio.h> |
12 | #include <stdlib.h> |
13 | #include <string.h> |
14 | #include "data.h" |
902cb3c0 |
15 | #include "proxmark3.h" |
db09cb3a |
16 | #include "ui.h" |
17 | #include "cmdparser.h" |
18 | #include "common.h" |
19 | #include "util.h" |
20 | #include "hitag2.h" |
0db11b71 |
21 | #include "hitagS.h" |
902cb3c0 |
22 | #include "sleep.h" |
23 | #include "cmdmain.h" |
db09cb3a |
24 | |
25 | static int CmdHelp(const char *Cmd); |
26 | |
47e18126 |
27 | size_t nbytes(size_t nbits) { |
28 | return (nbits/8)+((nbits%8)>0); |
29 | } |
30 | |
cd777a05 |
31 | int CmdLFHitagList(const char *Cmd) { |
f71f4deb |
32 | uint8_t *got = malloc(USB_CMD_DATA_SIZE); |
33 | |
34 | // Query for the actual size of the trace |
35 | UsbCommand response; |
36 | GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0); |
37 | WaitForResponse(CMD_ACK, &response); |
38 | uint16_t traceLen = response.arg[2]; |
39 | if (traceLen > USB_CMD_DATA_SIZE) { |
40 | uint8_t *p = realloc(got, traceLen); |
41 | if (p == NULL) { |
42 | PrintAndLog("Cannot allocate memory for trace"); |
43 | free(got); |
44 | return 2; |
45 | } |
46 | got = p; |
47 | GetFromBigBuf(got, traceLen, 0); |
48 | WaitForResponse(CMD_ACK,NULL); |
49 | } |
50 | |
51 | PrintAndLog("recorded activity (TraceLen = %d bytes):"); |
52 | PrintAndLog(" ETU :nbits: who bytes"); |
53 | PrintAndLog("---------+-----+----+-----------"); |
db09cb3a |
54 | |
f71f4deb |
55 | int i = 0; |
56 | int prev = -1; |
57 | int len = strlen(Cmd); |
b915fda3 |
58 | |
f71f4deb |
59 | char filename[FILE_PATH_SIZE] = { 0x00 }; |
cd777a05 |
60 | FILE* f = NULL; |
b915fda3 |
61 | |
09181a54 |
62 | if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; |
f71f4deb |
63 | memcpy(filename, Cmd, len); |
b915fda3 |
64 | |
f71f4deb |
65 | if (strlen(filename) > 0) { |
cd777a05 |
66 | f = fopen(filename,"wb"); |
67 | if (!f) { |
f71f4deb |
68 | PrintAndLog("Error: Could not open file [%s]",filename); |
69 | return 1; |
70 | } |
b915fda3 |
71 | } |
db09cb3a |
72 | |
f71f4deb |
73 | for (;;) { |
b915fda3 |
74 | |
ab7bb494 |
75 | if(i >= traceLen) { break; } |
f71f4deb |
76 | |
77 | bool isResponse; |
78 | int timestamp = *((uint32_t *)(got+i)); |
79 | if (timestamp & 0x80000000) { |
80 | timestamp &= 0x7fffffff; |
81 | isResponse = 1; |
82 | } else { |
83 | isResponse = 0; |
84 | } |
85 | |
86 | int parityBits = *((uint32_t *)(got+i+4)); |
87 | // 4 bytes of additional information... |
88 | // maximum of 32 additional parity bit information |
89 | // |
90 | // TODO: |
91 | // at each quarter bit period we can send power level (16 levels) |
92 | // or each half bit period in 256 levels. |
93 | |
94 | int bits = got[i+8]; |
95 | int len = nbytes(got[i+8]); |
96 | |
97 | if (len > 100) { |
98 | break; |
99 | } |
100 | if (i + len > traceLen) { break;} |
101 | |
102 | uint8_t *frame = (got+i+9); |
103 | |
104 | // Break and stick with current result if buffer was not completely full |
105 | if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; } |
106 | |
107 | char line[1000] = ""; |
108 | int j; |
109 | for (j = 0; j < len; j++) { |
110 | int oddparity = 0x01; |
111 | int k; |
112 | |
113 | for (k=0;k<8;k++) { |
114 | oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01); |
115 | } |
116 | |
117 | //if((parityBits >> (len - j - 1)) & 0x01) { |
118 | if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) { |
119 | sprintf(line+(j*4), "%02x! ", frame[j]); |
120 | } |
121 | else { |
122 | sprintf(line+(j*4), "%02x ", frame[j]); |
123 | } |
124 | } |
125 | |
126 | PrintAndLog(" +%7d: %3d: %s %s", |
127 | (prev < 0 ? 0 : (timestamp - prev)), |
128 | bits, |
129 | (isResponse ? "TAG" : " "), |
130 | line); |
131 | |
cd777a05 |
132 | if (f) { |
133 | fprintf(f," +%7d: %3d: %s %s\n", |
f71f4deb |
134 | (prev < 0 ? 0 : (timestamp - prev)), |
135 | bits, |
136 | (isResponse ? "TAG" : " "), |
137 | line); |
138 | } |
139 | |
140 | prev = timestamp; |
141 | i += (len + 9); |
142 | } |
2d495a81 |
143 | |
cd777a05 |
144 | if (f) { |
145 | fclose(f); |
f71f4deb |
146 | PrintAndLog("Recorded activity succesfully written to file: %s", filename); |
147 | } |
97d582a6 |
148 | |
f71f4deb |
149 | free(got); |
150 | return 0; |
db09cb3a |
151 | } |
152 | |
153 | int CmdLFHitagSnoop(const char *Cmd) { |
09181a54 |
154 | UsbCommand c = {CMD_SNOOP_HITAG}; |
155 | clearCommandBuffer(); |
156 | SendCommand(&c); |
157 | return 0; |
db09cb3a |
158 | } |
159 | |
160 | int CmdLFHitagSim(const char *Cmd) { |
b915fda3 |
161 | |
09181a54 |
162 | UsbCommand c = {CMD_SIMULATE_HITAG}; |
b915fda3 |
163 | char filename[FILE_PATH_SIZE] = { 0x00 }; |
cd777a05 |
164 | FILE* f; |
db09cb3a |
165 | bool tag_mem_supplied; |
09181a54 |
166 | |
b915fda3 |
167 | int len = strlen(Cmd); |
168 | if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; |
169 | memcpy(filename, Cmd, len); |
09181a54 |
170 | |
db09cb3a |
171 | if (strlen(filename) > 0) { |
cd777a05 |
172 | f = fopen(filename,"rb+"); |
173 | if (!f) { |
db09cb3a |
174 | PrintAndLog("Error: Could not open file [%s]",filename); |
175 | return 1; |
176 | } |
177 | tag_mem_supplied = true; |
cd777a05 |
178 | size_t bytes_read = fread(c.d.asBytes, 48, 1, f); |
841d7af0 |
179 | if ( bytes_read == 0) { |
09181a54 |
180 | PrintAndLog("Error: File reading error"); |
cd777a05 |
181 | fclose(f); |
759c16b3 |
182 | return 1; |
09181a54 |
183 | } |
cd777a05 |
184 | fclose(f); |
db09cb3a |
185 | } else { |
186 | tag_mem_supplied = false; |
187 | } |
09181a54 |
188 | |
db09cb3a |
189 | // Does the tag comes with memory |
190 | c.arg[0] = (uint32_t)tag_mem_supplied; |
09181a54 |
191 | clearCommandBuffer(); |
192 | SendCommand(&c); |
193 | return 0; |
db09cb3a |
194 | } |
195 | |
196 | int CmdLFHitagReader(const char *Cmd) { |
db09cb3a |
197 | |
bdf387c7 |
198 | UsbCommand c = {CMD_READER_HITAG, {0,0,0} };//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}}; |
db09cb3a |
199 | hitag_data* htd = (hitag_data*)c.d.asBytes; |
bdf387c7 |
200 | hitag_function htf = param_get32ex(Cmd, 0, 0, 10); |
db09cb3a |
201 | |
202 | switch (htf) { |
0db11b71 |
203 | case 01: { //RHTSF_CHALLENGE |
204 | c = (UsbCommand){ CMD_READ_HITAG_S }; |
205 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr); |
206 | num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); |
207 | } break; |
208 | case 02: { //RHTSF_KEY |
209 | c = (UsbCommand){ CMD_READ_HITAG_S }; |
210 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); |
211 | } break; |
db09cb3a |
212 | case RHT2F_PASSWORD: { |
213 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password); |
214 | } break; |
215 | case RHT2F_AUTHENTICATE: { |
216 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr); |
217 | num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); |
218 | } break; |
bde10a50 |
219 | case RHT2F_CRYPTO: { |
220 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); |
bde10a50 |
221 | } break; |
db09cb3a |
222 | case RHT2F_TEST_AUTH_ATTEMPTS: { |
223 | // No additional parameters needed |
224 | } break; |
1b75698c |
225 | case RHT2F_UID_ONLY: { |
226 | // No additional parameters needed |
227 | } break; |
db09cb3a |
228 | default: { |
1b75698c |
229 | PrintAndLog("\nError: unkown reader function %d",htf); |
230 | PrintAndLog(""); |
231 | PrintAndLog("Usage: hitag reader <Reader Function #>"); |
232 | PrintAndLog("Reader Functions:"); |
ab4da50d |
233 | PrintAndLog(" HitagS (0*)"); |
0db11b71 |
234 | PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag"); |
235 | PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag"); |
ab4da50d |
236 | PrintAndLog(" Hitag1 (1*)"); |
237 | PrintAndLog(" Hitag2 (2*)"); |
238 | PrintAndLog(" 21 <password> (password mode)"); |
239 | PrintAndLog(" 22 <nr> <ar> (authentication)"); |
240 | PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low"); |
241 | PrintAndLog(" 25 (test recorded authentications)"); |
1b75698c |
242 | PrintAndLog(" 26 just read UID"); |
db09cb3a |
243 | return 1; |
244 | } break; |
245 | } |
246 | |
247 | // Copy the hitag2 function into the first argument |
248 | c.arg[0] = htf; |
09181a54 |
249 | clearCommandBuffer(); |
09181a54 |
250 | SendCommand(&c); |
09181a54 |
251 | UsbCommand resp; |
bdf387c7 |
252 | WaitForResponse(CMD_ACK, &resp); |
09181a54 |
253 | |
254 | // Check the return status, stored in the first argument |
255 | if (resp.arg[0] == false) return 1; |
256 | |
257 | uint32_t id = bytes_to_num(resp.d.asBytes,4); |
09181a54 |
258 | |
1b75698c |
259 | if (htf == RHT2F_UID_ONLY){ |
260 | PrintAndLog("Valid Hitag2 tag found - UID: %08x",id); |
261 | } else { |
bdf387c7 |
262 | char filename[FILE_PATH_SIZE]; |
263 | FILE* f = NULL; |
264 | sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff)); |
265 | f = fopen(filename,"wb"); |
266 | if (!f) { |
267 | PrintAndLog("Error: Could not open file [%s]",filename); |
268 | return 1; |
269 | } |
09181a54 |
270 | |
bdf387c7 |
271 | // Write the 48 tag memory bytes to file and finalize |
272 | fwrite(resp.d.asBytes, 1, 48, f); |
273 | fclose(f); |
274 | PrintAndLog("Succesfully saved tag memory to [%s]",filename); |
1b75698c |
275 | } |
09181a54 |
276 | return 0; |
db09cb3a |
277 | } |
278 | |
0db11b71 |
279 | int CmdLFHitagSimS(const char *Cmd) { |
280 | UsbCommand c = { CMD_SIMULATE_HITAG_S }; |
281 | char filename[FILE_PATH_SIZE] = { 0x00 }; |
cd777a05 |
282 | FILE* f; |
0db11b71 |
283 | bool tag_mem_supplied; |
284 | int len = strlen(Cmd); |
285 | if (len > FILE_PATH_SIZE) |
286 | len = FILE_PATH_SIZE; |
287 | memcpy(filename, Cmd, len); |
288 | |
289 | if (strlen(filename) > 0) { |
cd777a05 |
290 | f = fopen(filename, "rb+"); |
291 | if (!f) { |
0db11b71 |
292 | PrintAndLog("Error: Could not open file [%s]", filename); |
293 | return 1; |
294 | } |
295 | tag_mem_supplied = true; |
cd777a05 |
296 | size_t bytes_read = fread(c.d.asBytes, 4*64, 1, f); |
297 | if ( bytes_read == 0) { |
0db11b71 |
298 | PrintAndLog("Error: File reading error"); |
cd777a05 |
299 | fclose(f); |
0db11b71 |
300 | return 1; |
301 | } |
cd777a05 |
302 | fclose(f); |
0db11b71 |
303 | } else { |
304 | tag_mem_supplied = false; |
305 | } |
306 | |
307 | // Does the tag comes with memory |
308 | c.arg[0] = (uint32_t) tag_mem_supplied; |
cd777a05 |
309 | clearCommandBuffer(); |
0db11b71 |
310 | SendCommand(&c); |
311 | return 0; |
312 | } |
313 | |
314 | int CmdLFHitagCheckChallenges(const char *Cmd) { |
315 | UsbCommand c = { CMD_TEST_HITAGS_TRACES }; |
316 | char filename[FILE_PATH_SIZE] = { 0x00 }; |
cd777a05 |
317 | FILE* f; |
0db11b71 |
318 | bool file_given; |
319 | int len = strlen(Cmd); |
320 | if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; |
321 | memcpy(filename, Cmd, len); |
322 | |
323 | if (strlen(filename) > 0) { |
cd777a05 |
324 | f = fopen(filename,"rb+"); |
325 | if( !f ) { |
326 | PrintAndLog("Error: Could not open file [%s]", filename); |
0db11b71 |
327 | return 1; |
328 | } |
329 | file_given = true; |
cd777a05 |
330 | size_t bytes_read = fread(c.d.asBytes, 8*60, 1, f); |
331 | if ( bytes_read == 0) { |
332 | PrintAndLog("Error: File reading error"); |
333 | fclose(f); |
0db11b71 |
334 | return 1; |
335 | } |
cd777a05 |
336 | fclose(f); |
0db11b71 |
337 | } else { |
338 | file_given = false; |
339 | } |
340 | |
341 | //file with all the challenges to try |
342 | c.arg[0] = (uint32_t)file_given; |
cd777a05 |
343 | clearCommandBuffer(); |
344 | SendCommand(&c); |
345 | return 0; |
0db11b71 |
346 | } |
347 | |
0db11b71 |
348 | int CmdLFHitagWP(const char *Cmd) { |
349 | UsbCommand c = { CMD_WR_HITAG_S }; |
350 | hitag_data* htd = (hitag_data*)c.d.asBytes; |
351 | hitag_function htf = param_get32ex(Cmd,0,0,10); |
352 | switch (htf) { |
353 | case 03: { //WHTSF_CHALLENGE |
354 | num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr); |
355 | c.arg[2]= param_get32ex(Cmd, 2, 0, 10); |
356 | num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data); |
357 | } break; |
358 | case 04: { //WHTSF_KEY |
359 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); |
360 | c.arg[2]= param_get32ex(Cmd, 2, 0, 10); |
361 | num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data); |
362 | |
363 | } break; |
364 | default: { |
365 | PrintAndLog("Error: unkown writer function %d",htf); |
366 | PrintAndLog("Hitag writer functions"); |
367 | PrintAndLog(" HitagS (0*)"); |
368 | PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag"); |
369 | PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag"); |
370 | PrintAndLog(" Hitag1 (1*)"); |
371 | PrintAndLog(" Hitag2 (2*)"); |
372 | return 1; |
373 | } break; |
374 | } |
375 | // Copy the hitag function into the first argument |
376 | c.arg[0] = htf; |
377 | |
cd777a05 |
378 | clearCommandBuffer(); |
379 | SendCommand(&c); |
380 | UsbCommand resp; |
381 | WaitForResponse(CMD_ACK,&resp); |
0db11b71 |
382 | |
cd777a05 |
383 | // Check the return status, stored in the first argument |
384 | if (resp.arg[0] == false) return 1; |
385 | return 0; |
386 | } |
0db11b71 |
387 | |
388 | static command_t CommandTable[] = |
389 | { |
09181a54 |
390 | {"help", CmdHelp, 1, "This help"}, |
391 | {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"}, |
392 | {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"}, |
393 | {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"}, |
394 | {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"}, |
0db11b71 |
395 | {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" }, |
396 | {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" }, |
397 | {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> test all challenges" }, { |
398 | NULL,NULL, 0, NULL } |
db09cb3a |
399 | }; |
400 | |
4c36581b |
401 | int CmdLFHitag(const char *Cmd) { |
402 | clearCommandBuffer(); |
09181a54 |
403 | CmdsParse(CommandTable, Cmd); |
404 | return 0; |
db09cb3a |
405 | } |
406 | |
4c36581b |
407 | int CmdHelp(const char *Cmd) { |
09181a54 |
408 | CmdsHelp(CommandTable); |
409 | return 0; |
db09cb3a |
410 | } |