Adds random nonce (r) option to `hf mf sim`.
db09cb3a 1//-----------------------------------------------------------------------------
2// Copyright (C) 2012 Roel Verdult
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency Hitag support
9//-----------------------------------------------------------------------------
10
11#include <stdio.h>
12#include <stdlib.h>
13#include <string.h>
14#include "data.h"
902cb3c0 15#include "proxmark3.h"
db09cb3a 16#include "ui.h"
17#include "cmdparser.h"
18#include "common.h"
19#include "util.h"
20#include "hitag2.h"
4e12287d 21#include "hitagS.h"
902cb3c0 22#include "sleep.h"
23#include "cmdmain.h"
db09cb3a 24
25static int CmdHelp(const char *Cmd);
26
/* Number of whole bytes needed to hold nbits bits (rounds up). */
size_t nbytes(size_t nbits) {
    size_t whole = nbits / 8;
    size_t partial = (nbits % 8 != 0) ? 1 : 0;
    return whole + partial;
}
30
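/*
 * Fetch the Hitag trace from the device buffer, print it frame by frame and,
 * when Cmd names a file, also write the same listing to that file.
 *
 * Each trace record is parsed as: 4 bytes timestamp (top bit set marks a tag
 * response), 4 bytes parity information, 1 byte bit count, then the frame bytes.
 *
 * Returns 0 on success, 1 if the output file cannot be opened, 2 if memory for
 * the trace cannot be allocated.
 */
int CmdLFHitagList(const char *Cmd)
{
    enum { RECORD_HEADER_LEN = 9 };

    /* Size of the allocation behind `got`; grows if a longer trace is reported. */
    size_t gotSize = USB_CMD_DATA_SIZE;
    uint8_t *got = malloc(gotSize);
    if (got == NULL) {
        PrintAndLog("Cannot allocate memory for trace");
        return 2;
    }

    // Query for the actual size of the trace
    UsbCommand response;
    GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0);
    WaitForResponse(CMD_ACK, &response);
    uint16_t traceLen = response.arg[2];
    if (traceLen > USB_CMD_DATA_SIZE) {
        uint8_t *p = realloc(got, traceLen);
        if (p == NULL) {
            PrintAndLog("Cannot allocate memory for trace");
            free(got);
            return 2;
        }
        got = p;
        gotSize = traceLen;
        GetFromBigBuf(got, traceLen, 0);
        WaitForResponse(CMD_ACK, NULL);
    }

    // The format string consumes one argument; pass the trace length explicitly.
    PrintAndLog("recorded activity (TraceLen = %d bytes):", traceLen);
    PrintAndLog(" ETU :nbits: who bytes");
    PrintAndLog("---------+-----+----+-----------");

    // Copy at most sizeof(filename)-1 bytes so the zero-initialised buffer
    // always keeps its terminator, even for an over-long argument.
    char filename[FILE_PATH_SIZE] = { 0x00 };
    size_t nameLen = strlen(Cmd);
    if (nameLen > sizeof filename - 1) {
        nameLen = sizeof filename - 1;
    }
    memcpy(filename, Cmd, nameLen);

    FILE *pf = NULL;
    if (filename[0] != '\0') {
        pf = fopen(filename, "wb");
        if (pf == NULL) {
            PrintAndLog("Error: Could not open file [%s]", filename);
            free(got);
            return 1;
        }
    }

    size_t i = 0;
    int prev = -1;

    for (;;) {
        // The record lengths come from the received trace, so every read is
        // bounds-checked against traceLen before it happens.
        if (i + RECORD_HEADER_LEN > traceLen) {
            break;
        }

        // memcpy instead of a pointer cast: the records are not guaranteed to
        // be 4-byte aligned inside the buffer.
        uint32_t rawTimestamp;
        memcpy(&rawTimestamp, got + i, sizeof rawTimestamp);
        bool isResponse = (rawTimestamp & 0x80000000u) != 0;
        int timestamp = (int)(rawTimestamp & 0x7fffffffu);

        // 4 bytes of additional information...
        // maximum of 32 additional parity bit information
        //
        // TODO:
        // at each quarter bit period we can send power level (16 levels)
        // or each half bit period in 256 levels.
        uint32_t parityBits;
        memcpy(&parityBits, got + i + 4, sizeof parityBits);

        int bits = got[i + 8];
        size_t frameLen = nbytes(got[i + 8]);

        if (frameLen > 100) {
            break;
        }
        if (i + RECORD_HEADER_LEN + frameLen > traceLen) {
            break;
        }

        const uint8_t *frame = got + i + RECORD_HEADER_LEN;

        // Break and stick with current result if buffer was not completely full.
        // The marker test reads up to frame[3], so it only runs when those bytes
        // lie inside the allocation.
        // NOTE(review): index 2 is skipped, as in the original - confirm whether
        // frame[2] was meant to be checked as well.
        if (i + RECORD_HEADER_LEN + 4 <= gotSize &&
            frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) {
            break;
        }

        char line[1000] = "";
        for (size_t j = 0; j < frameLen; j++) {
            int oddparity = 0x01;
            for (int k = 0; k < 8; k++) {
                oddparity ^= (frame[j] >> k) & 0x01;
            }

            // frameLen is at most 32 (nbytes of an 8-bit count), so the shift
            // amount stays below the width of parityBits.
            bool parityError = isResponse &&
                (oddparity != (int)((parityBits >> (frameLen - j - 1)) & 0x01));

            // Every cell is exactly four characters ("xx! " or "xx  "), which
            // matches the j*4 stride and never leaves a terminator mid-line.
            snprintf(line + (j * 4), sizeof line - (j * 4), "%02x%c ",
                     frame[j], parityError ? '!' : ' ');
        }

        int delta = (prev < 0) ? 0 : (timestamp - prev);
        const char *who = isResponse ? "TAG" : " ";

        PrintAndLog(" +%7d: %3d: %s %s", delta, bits, who, line);

        if (pf) {
            fprintf(pf, " +%7d: %3d: %s %s\n", delta, bits, who, line);
        }

        prev = timestamp;
        i += frameLen + RECORD_HEADER_LEN;
    }

    if (pf) {
        fclose(pf);
        PrintAndLog("Recorded activity succesfully written to file: %s", filename);
    }

    free(got);
    return 0;
}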
153
/* Send CMD_SNOOP_HITAG to the device. Cmd is not used. Always returns 0. */
int CmdLFHitagSnoop(const char *Cmd) {
    (void)Cmd;

    UsbCommand snoop = {CMD_SNOOP_HITAG};
    SendCommand(&snoop);

    return 0;
}
159
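/*
 * Send CMD_SIMULATE_HITAG to the device. When Cmd names a file, its first
 * 48 bytes are loaded into the command payload and arg[0] is set to 1;
 * otherwise arg[0] is 0 and the payload stays zeroed.
 *
 * Returns 0 after the command is sent, 1 if the file cannot be opened or read.
 */
int CmdLFHitagSim(const char *Cmd) {
    UsbCommand c = {CMD_SIMULATE_HITAG};
    char filename[FILE_PATH_SIZE] = { 0x00 };
    bool tag_mem_supplied = false;

    // Copy at most sizeof(filename)-1 bytes so the zero-initialised buffer
    // always keeps its terminator, even for an over-long argument.
    size_t len = strlen(Cmd);
    if (len > sizeof filename - 1) {
        len = sizeof filename - 1;
    }
    memcpy(filename, Cmd, len);

    if (filename[0] != '\0') {
        // The file is only read here, so it is opened read-only; write access
        // to the dump is not required.
        FILE *pf = fopen(filename, "rb");
        if (pf == NULL) {
            PrintAndLog("Error: Could not open file [%s]", filename);
            return 1;
        }
        if (fread(c.d.asBytes, 48, 1, pf) == 0) {
            PrintAndLog("Error: File reading error");
            fclose(pf);
            return 1;
        }
        fclose(pf);
        tag_mem_supplied = true;
    }

    // Does the tag comes with memory
    c.arg[0] = (uint32_t)tag_mem_supplied;

    SendCommand(&c);
    return 0;
}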
192
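/*
 * Run one of the Hitag reader functions. The first word of Cmd selects the
 * function (decimal); the following words are its hex parameters (challenge,
 * key or password, depending on the function). On success the UID is printed
 * for RHT2F_UID_ONLY; for every other function the 48 bytes returned by the
 * device are saved to "<uid>_<suffix>.ht2" in the current directory.
 *
 * Returns 0 on success, 1 on an unknown function, a failed read, or a file
 * error.
 */
int CmdLFHitagReader(const char *Cmd) {
    UsbCommand c = {CMD_READER_HITAG};
    // htd aliases the payload of c; the assignments to c below replace the
    // contents but not the object, so the pointer stays valid.
    hitag_data *htd = (hitag_data *)c.d.asBytes;
    hitag_function htf = param_get32ex(Cmd, 0, 0, 10);

    switch (htf) {
        case 01: { //RHTSF_CHALLENGE
            c = (UsbCommand){ CMD_READ_HITAG_S };
            num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
            num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr + 4);
        } break;
        case 02: { //RHTSF_KEY
            c = (UsbCommand){ CMD_READ_HITAG_S };
            num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
        } break;
        case RHT2F_PASSWORD: {
            num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
        } break;
        case RHT2F_AUTHENTICATE: {
            num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
            num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr + 4);
        } break;
        case RHT2F_CRYPTO: {
            num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
        } break;
        case RHT2F_TEST_AUTH_ATTEMPTS: {
            // No additional parameters needed
        } break;
        case RHT2F_UID_ONLY: {
            // No additional parameters needed
        } break;
        default: {
            PrintAndLog("\nError: unkown reader function %d", htf);
            PrintAndLog("");
            PrintAndLog("Usage: hitag reader <Reader Function #>");
            PrintAndLog("Reader Functions:");
            PrintAndLog(" HitagS (0*)");
            PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag");
            PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag");
            PrintAndLog(" Hitag1 (1*)");
            PrintAndLog(" Hitag2 (2*)");
            PrintAndLog(" 21 <password> (password mode)");
            PrintAndLog(" 22 <nr> <ar> (authentication)");
            PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
            PrintAndLog(" 25 (test recorded authentications)");
            PrintAndLog(" 26 just read UID");
            return 1;
        } break;
    }

    // Copy the hitag2 function into the first argument
    c.arg[0] = htf;

    // Send the command to the proxmark
    SendCommand(&c);

    UsbCommand resp;
    WaitForResponse(CMD_ACK, &resp);

    // Check the return status, stored in the first argument
    if (resp.arg[0] == false) return 1;

    uint32_t id = bytes_to_num(resp.d.asBytes, 4);

    if (htf == RHT2F_UID_ONLY) {
        PrintAndLog("Valid Hitag2 tag found - UID: %08x", id);
    } else {
        char filename[256];

        // NOTE(review): rand() is not seeded in this function; if it is not
        // seeded elsewhere the suffix repeats between runs, and "wb" then
        // replaces an earlier dump of the same tag - confirm this is intended.
        snprintf(filename, sizeof filename, "%08x_%04x.ht2", id, (rand() & 0xffff));

        FILE *pf = fopen(filename, "wb");
        if (pf == NULL) {
            PrintAndLog("Error: Could not open file [%s]", filename);
            return 1;
        }

        // Write the 48 tag memory bytes to file and finalize. A short write or
        // a failed close is reported instead of claiming the dump was saved.
        // NOTE(review): the dump is written with default file permissions;
        // presumably it can hold tag secrets - handle the file accordingly.
        size_t written = fwrite(resp.d.asBytes, 1, 48, pf);
        int closeStatus = fclose(pf);
        if (written != 48 || closeStatus != 0) {
            PrintAndLog("Error: Could not write tag memory to [%s]", filename);
            return 1;
        }

        PrintAndLog("Succesfully saved tag memory to [%s]", filename);
    }

    return 0;
}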
280
281
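/*
 * Send CMD_SIMULATE_HITAG_S to the device. When Cmd names a file, its first
 * 4*64 bytes are loaded into the command payload and arg[0] is set to 1;
 * otherwise arg[0] is 0 and the payload stays zeroed.
 *
 * Returns 0 after the command is sent, 1 if the file cannot be opened or read.
 */
int CmdLFHitagSimS(const char *Cmd) {
    UsbCommand c = { CMD_SIMULATE_HITAG_S };
    char filename[FILE_PATH_SIZE] = { 0x00 };
    bool tag_mem_supplied = false;

    // Copy at most sizeof(filename)-1 bytes so the zero-initialised buffer
    // always keeps its terminator, even for an over-long argument.
    size_t len = strlen(Cmd);
    if (len > sizeof filename - 1) {
        len = sizeof filename - 1;
    }
    memcpy(filename, Cmd, len);

    if (filename[0] != '\0') {
        // The file is only read here, so it is opened read-only; write access
        // to the dump is not required.
        FILE *pf = fopen(filename, "rb");
        if (pf == NULL) {
            PrintAndLog("Error: Could not open file [%s]", filename);
            return 1;
        }
        if (fread(c.d.asBytes, 4*64, 1, pf) == 0) {
            PrintAndLog("Error: File reading error");
            fclose(pf);
            return 1;
        }
        fclose(pf);
        tag_mem_supplied = true;
    }

    // Does the tag comes with memory
    c.arg[0] = (uint32_t)tag_mem_supplied;

    SendCommand(&c);
    return 0;
}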
314
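/*
 * Send CMD_TEST_HITAGS_TRACES to the device. When Cmd names a file, its first
 * 8*60 bytes are loaded into the command payload and arg[0] is set to 1;
 * otherwise arg[0] is 0 and the payload stays zeroed.
 *
 * Returns 0 after the command is sent, 1 if the file cannot be opened or read.
 */
int CmdLFHitagCheckChallenges(const char *Cmd) {
    UsbCommand c = { CMD_TEST_HITAGS_TRACES };
    char filename[FILE_PATH_SIZE] = { 0x00 };
    bool file_given = false;

    // Copy at most sizeof(filename)-1 bytes so the zero-initialised buffer
    // always keeps its terminator, even for an over-long argument.
    size_t len = strlen(Cmd);
    if (len > sizeof filename - 1) {
        len = sizeof filename - 1;
    }
    memcpy(filename, Cmd, len);

    if (filename[0] != '\0') {
        // The file is only read here, so it is opened read-only; write access
        // to the challenge file is not required.
        FILE *pf = fopen(filename, "rb");
        if (pf == NULL) {
            PrintAndLog("Error: Could not open file [%s]", filename);
            return 1;
        }
        if (fread(c.d.asBytes, 8*60, 1, pf) == 0) {
            PrintAndLog("Error: File reading error");
            fclose(pf);
            return 1;
        }
        fclose(pf);
        file_given = true;
    }

    //file with all the challenges to try
    c.arg[0] = (uint32_t)file_given;

    SendCommand(&c);
    return 0;
}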
346
347
/*
 * Run one of the Hitag S writer functions. The first word of Cmd selects the
 * function (decimal): 03 takes <nr,ar> <page> <data>, 04 takes <key> <page>
 * <data>. The page number is passed in arg[2], the function number in arg[0].
 *
 * Returns 0 when the device reports success in arg[0] of its reply, 1 on an
 * unknown function or a reported failure.
 */
int CmdLFHitagWP(const char *Cmd) {
    UsbCommand cmd = { CMD_WR_HITAG_S };
    hitag_data *payload = (hitag_data *)cmd.d.asBytes;
    hitag_function function = param_get32ex(Cmd, 0, 0, 10);

    switch (function) {
        case 03: //WHTSF_CHALLENGE
            num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 8, payload->auth.NrAr);
            cmd.arg[2] = param_get32ex(Cmd, 2, 0, 10);
            num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, payload->auth.data);
            break;

        case 04: //WHTSF_KEY
            num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, payload->crypto.key);
            cmd.arg[2] = param_get32ex(Cmd, 2, 0, 10);
            num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, payload->crypto.data);
            break;

        default:
            PrintAndLog("Error: unkown writer function %d", function);
            PrintAndLog("Hitag writer functions");
            PrintAndLog(" HitagS (0*)");
            PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
            PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
            PrintAndLog(" Hitag1 (1*)");
            PrintAndLog(" Hitag2 (2*)");
            return 1;
    }

    // The selected function travels in the first argument.
    cmd.arg[0] = function;

    // Hand the command to the proxmark and wait for its acknowledgement.
    SendCommand(&cmd);

    UsbCommand reply;
    WaitForResponse(CMD_ACK, &reply);

    // The first argument of the reply carries the status.
    return (reply.arg[0] == false) ? 1 : 0;
}
388
389
/* Sub-command table for the Hitag commands; terminated by an all-NULL entry. */
static command_t CommandTable[] = {
    { "help",            CmdHelp,                   1, "This help" },
    { "list",            CmdLFHitagList,            1, "<outfile> List Hitag trace history" },
    { "reader",          CmdLFHitagReader,          1, "Act like a Hitag Reader" },
    { "sim",             CmdLFHitagSim,             1, "<infile> Simulate Hitag transponder" },
    { "snoop",           CmdLFHitagSnoop,           1, "Eavesdrop Hitag communication" },
    { "writer",          CmdLFHitagWP,              1, "Act like a Hitag Writer" },
    { "simS",            CmdLFHitagSimS,            1, "<hitagS.hts> Simulate HitagS transponder" },
    { "checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> test all challenges" },
    { NULL,              NULL,                      0, NULL }
};
402
/* Entry point for the Hitag commands: dispatch Cmd through CommandTable. Always returns 0. */
int CmdLFHitag(const char *Cmd) {
    CmdsParse(CommandTable, Cmd);

    return 0;
}
408
/* Print the help text for every entry in CommandTable. Cmd is not used. Always returns 0. */
int CmdHelp(const char *Cmd) {
    (void)Cmd;

    CmdsHelp(CommandTable);

    return 0;
}