]> cvs.zerfleddert.de Git - proxmark3-svn/blame - client/cmdlfhitag.c
CHG: "hf 14a sim" now uses mfkey32 and mfkey32_moebius as methods to retrive the...
[proxmark3-svn] / client / cmdlfhitag.c
CommitLineData
db09cb3a 1//-----------------------------------------------------------------------------
2// Copyright (C) 2012 Roel Verdult
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency Hitag support
9//-----------------------------------------------------------------------------
10
11#include <stdio.h>
12#include <stdlib.h>
13#include <string.h>
14#include "data.h"
902cb3c0 15#include "proxmark3.h"
db09cb3a 16#include "ui.h"
17#include "cmdparser.h"
18#include "common.h"
19#include "util.h"
20#include "hitag2.h"
0db11b71 21#include "hitagS.h"
902cb3c0 22#include "sleep.h"
23#include "cmdmain.h"
db09cb3a 24
25static int CmdHelp(const char *Cmd);
26
47e18126 27size_t nbytes(size_t nbits) {
28 return (nbits/8)+((nbits%8)>0);
29}
30
db09cb3a 31int CmdLFHitagList(const char *Cmd)
32{
f71f4deb 33 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
34
35 // Query for the actual size of the trace
36 UsbCommand response;
37 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0);
38 WaitForResponse(CMD_ACK, &response);
39 uint16_t traceLen = response.arg[2];
40 if (traceLen > USB_CMD_DATA_SIZE) {
41 uint8_t *p = realloc(got, traceLen);
42 if (p == NULL) {
43 PrintAndLog("Cannot allocate memory for trace");
44 free(got);
45 return 2;
46 }
47 got = p;
48 GetFromBigBuf(got, traceLen, 0);
49 WaitForResponse(CMD_ACK,NULL);
50 }
51
52 PrintAndLog("recorded activity (TraceLen = %d bytes):");
53 PrintAndLog(" ETU :nbits: who bytes");
54 PrintAndLog("---------+-----+----+-----------");
db09cb3a 55
f71f4deb 56 int i = 0;
57 int prev = -1;
58 int len = strlen(Cmd);
b915fda3 59
f71f4deb 60 char filename[FILE_PATH_SIZE] = { 0x00 };
61 FILE* pf = NULL;
b915fda3 62
09181a54 63 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
f71f4deb 64 memcpy(filename, Cmd, len);
b915fda3 65
f71f4deb 66 if (strlen(filename) > 0) {
67 if ((pf = fopen(filename,"wb")) == NULL) {
68 PrintAndLog("Error: Could not open file [%s]",filename);
69 return 1;
70 }
b915fda3 71 }
db09cb3a 72
f71f4deb 73 for (;;) {
b915fda3 74
ab7bb494 75 if(i >= traceLen) { break; }
f71f4deb 76
77 bool isResponse;
78 int timestamp = *((uint32_t *)(got+i));
79 if (timestamp & 0x80000000) {
80 timestamp &= 0x7fffffff;
81 isResponse = 1;
82 } else {
83 isResponse = 0;
84 }
85
86 int parityBits = *((uint32_t *)(got+i+4));
87 // 4 bytes of additional information...
88 // maximum of 32 additional parity bit information
89 //
90 // TODO:
91 // at each quarter bit period we can send power level (16 levels)
92 // or each half bit period in 256 levels.
93
94 int bits = got[i+8];
95 int len = nbytes(got[i+8]);
96
97 if (len > 100) {
98 break;
99 }
100 if (i + len > traceLen) { break;}
101
102 uint8_t *frame = (got+i+9);
103
104 // Break and stick with current result if buffer was not completely full
105 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
106
107 char line[1000] = "";
108 int j;
109 for (j = 0; j < len; j++) {
110 int oddparity = 0x01;
111 int k;
112
113 for (k=0;k<8;k++) {
114 oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
115 }
116
117 //if((parityBits >> (len - j - 1)) & 0x01) {
118 if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
119 sprintf(line+(j*4), "%02x! ", frame[j]);
120 }
121 else {
122 sprintf(line+(j*4), "%02x ", frame[j]);
123 }
124 }
125
126 PrintAndLog(" +%7d: %3d: %s %s",
127 (prev < 0 ? 0 : (timestamp - prev)),
128 bits,
129 (isResponse ? "TAG" : " "),
130 line);
131
132 if (pf) {
133 fprintf(pf," +%7d: %3d: %s %s\n",
134 (prev < 0 ? 0 : (timestamp - prev)),
135 bits,
136 (isResponse ? "TAG" : " "),
137 line);
138 }
139
140 prev = timestamp;
141 i += (len + 9);
142 }
2d495a81 143
f71f4deb 144 if (pf) {
145 fclose(pf);
146 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
147 }
97d582a6 148
f71f4deb 149 free(got);
150 return 0;
db09cb3a 151}
152
153int CmdLFHitagSnoop(const char *Cmd) {
09181a54 154 UsbCommand c = {CMD_SNOOP_HITAG};
155 clearCommandBuffer();
156 SendCommand(&c);
157 return 0;
db09cb3a 158}
159
160int CmdLFHitagSim(const char *Cmd) {
b915fda3 161
09181a54 162 UsbCommand c = {CMD_SIMULATE_HITAG};
b915fda3 163 char filename[FILE_PATH_SIZE] = { 0x00 };
db09cb3a 164 FILE* pf;
165 bool tag_mem_supplied;
09181a54 166
b915fda3 167 int len = strlen(Cmd);
168 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
169 memcpy(filename, Cmd, len);
09181a54 170
db09cb3a 171 if (strlen(filename) > 0) {
172 if ((pf = fopen(filename,"rb+")) == NULL) {
173 PrintAndLog("Error: Could not open file [%s]",filename);
174 return 1;
175 }
176 tag_mem_supplied = true;
841d7af0 177 size_t bytes_read = fread(c.d.asBytes, 48, 1, pf);
178 if ( bytes_read == 0) {
09181a54 179 PrintAndLog("Error: File reading error");
180 fclose(pf);
759c16b3 181 return 1;
09181a54 182 }
db09cb3a 183 fclose(pf);
184 } else {
185 tag_mem_supplied = false;
186 }
09181a54 187
db09cb3a 188 // Does the tag comes with memory
189 c.arg[0] = (uint32_t)tag_mem_supplied;
190
09181a54 191 clearCommandBuffer();
192 SendCommand(&c);
193 return 0;
db09cb3a 194}
195
196int CmdLFHitagReader(const char *Cmd) {
db09cb3a 197
09181a54 198
db09cb3a 199 UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
200 hitag_data* htd = (hitag_data*)c.d.asBytes;
201 hitag_function htf = param_get32ex(Cmd,0,0,10);
202
203 switch (htf) {
0db11b71 204 case 01: { //RHTSF_CHALLENGE
205 c = (UsbCommand){ CMD_READ_HITAG_S };
206 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
207 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
208 } break;
209 case 02: { //RHTSF_KEY
210 c = (UsbCommand){ CMD_READ_HITAG_S };
211 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
212 } break;
db09cb3a 213 case RHT2F_PASSWORD: {
214 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password);
215 } break;
216 case RHT2F_AUTHENTICATE: {
217 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
218 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
219 } break;
bde10a50 220 case RHT2F_CRYPTO: {
221 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
bde10a50 222 } break;
db09cb3a 223 case RHT2F_TEST_AUTH_ATTEMPTS: {
224 // No additional parameters needed
225 } break;
226 default: {
227 PrintAndLog("Error: unkown reader function %d",htf);
ab4da50d 228 PrintAndLog("Hitag reader functions");
229 PrintAndLog(" HitagS (0*)");
0db11b71 230 PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag");
231 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag");
ab4da50d 232 PrintAndLog(" Hitag1 (1*)");
233 PrintAndLog(" Hitag2 (2*)");
234 PrintAndLog(" 21 <password> (password mode)");
235 PrintAndLog(" 22 <nr> <ar> (authentication)");
236 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
237 PrintAndLog(" 25 (test recorded authentications)");
db09cb3a 238 return 1;
239 } break;
240 }
241
242 // Copy the hitag2 function into the first argument
243 c.arg[0] = htf;
244
09181a54 245 clearCommandBuffer();
246 // Send the command to the proxmark
247 SendCommand(&c);
ab4da50d 248
09181a54 249 UsbCommand resp;
250 WaitForResponse(CMD_ACK,&resp);
251
252 // Check the return status, stored in the first argument
253 if (resp.arg[0] == false) return 1;
254
255 uint32_t id = bytes_to_num(resp.d.asBytes,4);
256 char filename[FILE_PATH_SIZE];
257 FILE* pf = NULL;
258
259 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
260 if ((pf = fopen(filename,"wb")) == NULL) {
261 PrintAndLog("Error: Could not open file [%s]",filename);
262 return 1;
263 }
264
265 // Write the 48 tag memory bytes to file and finalize
266 fwrite(resp.d.asBytes,1,48,pf);
267 fclose(pf);
268
269 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
270 return 0;
db09cb3a 271}
272
0db11b71 273
274int CmdLFHitagSimS(const char *Cmd) {
275 UsbCommand c = { CMD_SIMULATE_HITAG_S };
276 char filename[FILE_PATH_SIZE] = { 0x00 };
277 FILE* pf;
278 bool tag_mem_supplied;
279 int len = strlen(Cmd);
280 if (len > FILE_PATH_SIZE)
281 len = FILE_PATH_SIZE;
282 memcpy(filename, Cmd, len);
283
284 if (strlen(filename) > 0) {
285 if ((pf = fopen(filename, "rb+")) == NULL) {
286 PrintAndLog("Error: Could not open file [%s]", filename);
287 return 1;
288 }
289 tag_mem_supplied = true;
290 if (fread(c.d.asBytes, 4*64, 1, pf) == 0) {
291 PrintAndLog("Error: File reading error");
292 fclose(pf);
293 return 1;
294 }
295 fclose(pf);
296 } else {
297 tag_mem_supplied = false;
298 }
299
300 // Does the tag comes with memory
301 c.arg[0] = (uint32_t) tag_mem_supplied;
302
303 SendCommand(&c);
304 return 0;
305}
306
307int CmdLFHitagCheckChallenges(const char *Cmd) {
308 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
309 char filename[FILE_PATH_SIZE] = { 0x00 };
310 FILE* pf;
311 bool file_given;
312 int len = strlen(Cmd);
313 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
314 memcpy(filename, Cmd, len);
315
316 if (strlen(filename) > 0) {
317 if ((pf = fopen(filename,"rb+")) == NULL) {
318 PrintAndLog("Error: Could not open file [%s]",filename);
319 return 1;
320 }
321 file_given = true;
322 if (fread(c.d.asBytes,8*60,1,pf) == 0) {
323 PrintAndLog("Error: File reading error");
324 fclose(pf);
325 return 1;
326 }
327 fclose(pf);
328 } else {
329 file_given = false;
330 }
331
332 //file with all the challenges to try
333 c.arg[0] = (uint32_t)file_given;
334
335 SendCommand(&c);
336 return 0;
337}
338
339
340int CmdLFHitagWP(const char *Cmd) {
341 UsbCommand c = { CMD_WR_HITAG_S };
342 hitag_data* htd = (hitag_data*)c.d.asBytes;
343 hitag_function htf = param_get32ex(Cmd,0,0,10);
344 switch (htf) {
345 case 03: { //WHTSF_CHALLENGE
346 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
347 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
348 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
349 } break;
350 case 04: { //WHTSF_KEY
351 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
352 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
353 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
354
355 } break;
356 default: {
357 PrintAndLog("Error: unkown writer function %d",htf);
358 PrintAndLog("Hitag writer functions");
359 PrintAndLog(" HitagS (0*)");
360 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
361 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
362 PrintAndLog(" Hitag1 (1*)");
363 PrintAndLog(" Hitag2 (2*)");
364 return 1;
365 } break;
366 }
367 // Copy the hitag function into the first argument
368 c.arg[0] = htf;
369
370 // Send the command to the proxmark
371 SendCommand(&c);
372
373 UsbCommand resp;
374 WaitForResponse(CMD_ACK,&resp);
375
376 // Check the return status, stored in the first argument
377 if (resp.arg[0] == false) return 1;
378 return 0;
379}
380
381
382static command_t CommandTable[] =
383{
09181a54 384 {"help", CmdHelp, 1, "This help"},
385 {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"},
386 {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"},
387 {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"},
388 {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"},
0db11b71 389 {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" },
390 {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" },
391 {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> test all challenges" }, {
392 NULL,NULL, 0, NULL }
db09cb3a 393};
394
4c36581b 395int CmdLFHitag(const char *Cmd) {
396 clearCommandBuffer();
09181a54 397 CmdsParse(CommandTable, Cmd);
398 return 0;
db09cb3a 399}
400
4c36581b 401int CmdHelp(const char *Cmd) {
09181a54 402 CmdsHelp(CommandTable);
403 return 0;
db09cb3a 404}
Impressum, Datenschutz