]>
Commit | Line | Data |
---|---|---|
1 | //----------------------------------------------------------------------------- | |
2 | // Copyright (C) 2012 Roel Verdult | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // Low frequency Hitag support | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include "cmdlfhitag.h" | |
12 | ||
13 | #include <stdio.h> | |
14 | #include <stdlib.h> | |
15 | #include <string.h> | |
16 | #include "comms.h" | |
17 | #include "ui.h" | |
18 | #include "cmdparser.h" | |
19 | #include "common.h" | |
20 | #include "util.h" | |
21 | #include "parity.h" | |
22 | #include "hitag.h" | |
23 | #include "cmdmain.h" | |
24 | ||
25 | static int CmdHelp(const char *Cmd); | |
26 | ||
27 | size_t nbytes(size_t nbits) { | |
28 | return (nbits/8)+((nbits%8)>0); | |
29 | } | |
30 | ||
31 | int CmdLFHitagList(const char *Cmd) | |
32 | { | |
33 | uint8_t *got = malloc(USB_CMD_DATA_SIZE); | |
34 | // Query for the actual size of the trace | |
35 | UsbCommand response; | |
36 | GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false); | |
37 | uint16_t traceLen = response.arg[2]; | |
38 | if (traceLen > USB_CMD_DATA_SIZE) { | |
39 | uint8_t *p = realloc(got, traceLen); | |
40 | if (p == NULL) { | |
41 | PrintAndLog("Cannot allocate memory for trace"); | |
42 | free(got); | |
43 | return 2; | |
44 | } | |
45 | got = p; | |
46 | GetFromBigBuf(got, traceLen, 0, NULL, -1, false); | |
47 | } | |
48 | ||
49 | PrintAndLog("recorded activity (TraceLen = %d bytes):"); | |
50 | PrintAndLog(" ETU :nbits: who bytes"); | |
51 | PrintAndLog("---------+-----+----+-----------"); | |
52 | ||
53 | int j; | |
54 | int i = 0; | |
55 | int prev = -1; | |
56 | int len = strlen(Cmd); | |
57 | ||
58 | char filename[FILE_PATH_SIZE] = { 0x00 }; | |
59 | FILE* pf = NULL; | |
60 | ||
61 | if (len > FILE_PATH_SIZE) | |
62 | len = FILE_PATH_SIZE; | |
63 | memcpy(filename, Cmd, len); | |
64 | ||
65 | if (strlen(filename) > 0) { | |
66 | if ((pf = fopen(filename,"wb")) == NULL) { | |
67 | PrintAndLog("Error: Could not open file [%s]",filename); | |
68 | free(got); | |
69 | return 1; | |
70 | } | |
71 | } | |
72 | ||
73 | for (;;) { | |
74 | ||
75 | if(i > traceLen) { break; } | |
76 | ||
77 | bool isResponse; | |
78 | int timestamp = *((uint32_t *)(got+i)); | |
79 | if (timestamp & 0x80000000) { | |
80 | timestamp &= 0x7fffffff; | |
81 | isResponse = 1; | |
82 | } else { | |
83 | isResponse = 0; | |
84 | } | |
85 | ||
86 | int parityBits = *((uint32_t *)(got+i+4)); | |
87 | // 4 bytes of additional information... | |
88 | // maximum of 32 additional parity bit information | |
89 | // | |
90 | // TODO: | |
91 | // at each quarter bit period we can send power level (16 levels) | |
92 | // or each half bit period in 256 levels. | |
93 | ||
94 | int bits = got[i+8]; | |
95 | int len = nbytes(bits); | |
96 | ||
97 | if (len > 100) { | |
98 | break; | |
99 | } | |
100 | if (i + len > traceLen) { break;} | |
101 | ||
102 | uint8_t *frame = (got+i+9); | |
103 | /* | |
104 | int fillupBits = 8 - (bits % 8); | |
105 | byte_t framefilled[bits+fillupBits]; | |
106 | byte_t* ff = framefilled; | |
107 | ||
108 | int response_bit[200] = {0}; | |
109 | int z = 0; | |
110 | for (int y = 0; y < len; y++) { | |
111 | for (j = 0; j < 8; j++) { | |
112 | response_bit[z] = 0; | |
113 | if ((frame[y] & ((mask << 7) >> j)) != 0) | |
114 | response_bit[z] = 1; | |
115 | z++; | |
116 | } | |
117 | } | |
118 | z = 0; | |
119 | for (int y = 0; y < len; y++) { | |
120 | ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6) | |
121 | | (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4) | |
122 | | (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2) | |
123 | | (response_bit[z + 6] << 1) | response_bit[z + 7]; | |
124 | z += 8; | |
125 | } | |
126 | */ | |
127 | ||
128 | ||
129 | ||
130 | ||
131 | // Break and stick with current result if buffer was not completely full | |
132 | if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; } | |
133 | ||
134 | char line[1000] = ""; | |
135 | for (j = 0; j < len; j++) { | |
136 | //if((parityBits >> (len - j - 1)) & 0x01) { | |
137 | if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) { | |
138 | sprintf(line+(j*4), "%02x! ", frame[j]); | |
139 | } else { | |
140 | sprintf(line+(j*4), "%02x ", frame[j]); | |
141 | } | |
142 | } | |
143 | ||
144 | PrintAndLog(" +%7d: %3d: %s %s", | |
145 | (prev < 0 ? 0 : (timestamp - prev)), | |
146 | bits, | |
147 | (isResponse ? "TAG" : " "), | |
148 | line); | |
149 | ||
150 | if (pf) { | |
151 | fprintf(pf," +%7d: %3d: %s %s\n", | |
152 | (prev < 0 ? 0 : (timestamp - prev)), | |
153 | bits, | |
154 | (isResponse ? "TAG" : " "), | |
155 | line); | |
156 | } | |
157 | ||
158 | prev = timestamp; | |
159 | i += (len + 9); | |
160 | } | |
161 | ||
162 | if (pf) { | |
163 | fclose(pf); | |
164 | PrintAndLog("Recorded activity succesfully written to file: %s", filename); | |
165 | } | |
166 | ||
167 | free(got); | |
168 | return 0; | |
169 | } | |
170 | ||
171 | int CmdLFHitagSnoop(const char *Cmd) { | |
172 | UsbCommand c = {CMD_SNOOP_HITAG}; | |
173 | SendCommand(&c); | |
174 | return 0; | |
175 | } | |
176 | ||
177 | int CmdLFHitagSim(const char *Cmd) { | |
178 | ||
179 | UsbCommand c = {CMD_SIMULATE_HITAG}; | |
180 | char filename[FILE_PATH_SIZE] = { 0x00 }; | |
181 | FILE* pf; | |
182 | bool tag_mem_supplied; | |
183 | int len = strlen(Cmd); | |
184 | if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; | |
185 | memcpy(filename, Cmd, len); | |
186 | ||
187 | if (strlen(filename) > 0) { | |
188 | if ((pf = fopen(filename,"rb+")) == NULL) { | |
189 | PrintAndLog("Error: Could not open file [%s]",filename); | |
190 | return 1; | |
191 | } | |
192 | tag_mem_supplied = true; | |
193 | if (fread(c.d.asBytes,1,48,pf) != 48) { | |
194 | PrintAndLog("Error: File reading error"); | |
195 | fclose(pf); | |
196 | return 1; | |
197 | } | |
198 | fclose(pf); | |
199 | } else { | |
200 | tag_mem_supplied = false; | |
201 | } | |
202 | ||
203 | // Does the tag comes with memory | |
204 | c.arg[0] = (uint32_t)tag_mem_supplied; | |
205 | ||
206 | SendCommand(&c); | |
207 | return 0; | |
208 | } | |
209 | ||
210 | int CmdLFHitagReader(const char *Cmd) { | |
211 | UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}}; | |
212 | hitag_data* htd = (hitag_data*)c.d.asBytes; | |
213 | hitag_function htf = param_get32ex(Cmd,0,0,10); | |
214 | ||
215 | switch (htf) { | |
216 | case 01: { //RHTSF_CHALLENGE | |
217 | c = (UsbCommand){ CMD_READ_HITAG_S }; | |
218 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr); | |
219 | num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); | |
220 | c.arg[1] = param_get64ex(Cmd,3,0,0); //firstpage | |
221 | c.arg[2] = param_get64ex(Cmd,4,0,0); //tag mode | |
222 | } break; | |
223 | case 02: { //RHTSF_KEY | |
224 | c = (UsbCommand){ CMD_READ_HITAG_S }; | |
225 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); | |
226 | c.arg[1] = param_get64ex(Cmd,2,0,0); //firstpage | |
227 | c.arg[2] = param_get64ex(Cmd,3,0,0); //tag mode | |
228 | } break; | |
229 | case 03: { //RHTSF_CHALLENGE BLOCK | |
230 | c = (UsbCommand){ CMD_READ_HITAG_S_BLK }; | |
231 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr); | |
232 | num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); | |
233 | c.arg[1] = param_get64ex(Cmd,3,0,0); //firstpage | |
234 | c.arg[2] = param_get64ex(Cmd,4,0,0); //tag mode | |
235 | } break; | |
236 | case 04: { //RHTSF_KEY BLOCK | |
237 | c = (UsbCommand){ CMD_READ_HITAG_S_BLK }; | |
238 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); | |
239 | c.arg[1] = param_get64ex(Cmd,2,0,0); //firstpage | |
240 | c.arg[2] = param_get64ex(Cmd,3,0,0); //tag mode | |
241 | } break; | |
242 | case RHT2F_PASSWORD: { | |
243 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password); | |
244 | } break; | |
245 | case RHT2F_AUTHENTICATE: { | |
246 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr); | |
247 | num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); | |
248 | } break; | |
249 | case RHT2F_CRYPTO: { | |
250 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); | |
251 | // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); | |
252 | } break; | |
253 | case RHT2F_TEST_AUTH_ATTEMPTS: { | |
254 | // No additional parameters needed | |
255 | } break; | |
256 | case RHT2F_UID_ONLY: { | |
257 | // No additional parameters needed | |
258 | } break; | |
259 | default: { | |
260 | PrintAndLog("\nError: unkown reader function %d",htf); | |
261 | PrintAndLog(""); | |
262 | PrintAndLog("Usage: hitag reader <Reader Function #>"); | |
263 | PrintAndLog("Reader Functions:"); | |
264 | PrintAndLog(" HitagS (0*)"); | |
265 | PrintAndLog(" 01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag"); | |
266 | PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag"); | |
267 | PrintAndLog(" 03 <nr> <ar> (Challenge) <firstPage> <tagmode> read all blocks from a Hitag S tag"); | |
268 | PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all blocks from a Hitag S tag"); | |
269 | PrintAndLog(" Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)"); | |
270 | PrintAndLog(" Hitag1 (1*)"); | |
271 | PrintAndLog(" Hitag2 (2*)"); | |
272 | PrintAndLog(" 21 <password> (password mode)"); | |
273 | PrintAndLog(" 22 <nr> <ar> (authentication)"); | |
274 | PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low"); | |
275 | PrintAndLog(" 25 (test recorded authentications)"); | |
276 | PrintAndLog(" 26 just read UID"); | |
277 | return 1; | |
278 | } break; | |
279 | } | |
280 | ||
281 | // Copy the hitag2 function into the first argument | |
282 | c.arg[0] = htf; | |
283 | ||
284 | // Send the command to the proxmark | |
285 | clearCommandBuffer(); | |
286 | SendCommand(&c); | |
287 | ||
288 | UsbCommand resp; | |
289 | WaitForResponse(CMD_ACK,&resp); | |
290 | ||
291 | // Check the return status, stored in the first argument | |
292 | if (resp.arg[0] == false) return 1; | |
293 | ||
294 | uint32_t id = bytes_to_num(resp.d.asBytes,4); | |
295 | ||
296 | if (htf == RHT2F_UID_ONLY){ | |
297 | PrintAndLog("Valid Hitag2 tag found - UID: %08x",id); | |
298 | } else { | |
299 | char filename[256]; | |
300 | FILE* pf = NULL; | |
301 | ||
302 | sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff)); | |
303 | if ((pf = fopen(filename,"wb")) == NULL) { | |
304 | PrintAndLog("Error: Could not open file [%s]",filename); | |
305 | return 1; | |
306 | } | |
307 | ||
308 | // Write the 48 tag memory bytes to file and finalize | |
309 | fwrite(resp.d.asBytes,1,48,pf); | |
310 | fclose(pf); | |
311 | ||
312 | PrintAndLog("Succesfully saved tag memory to [%s]",filename); | |
313 | } | |
314 | ||
315 | ||
316 | return 0; | |
317 | } | |
318 | ||
319 | ||
320 | int CmdLFHitagSimS(const char *Cmd) { | |
321 | UsbCommand c = { CMD_SIMULATE_HITAG_S }; | |
322 | char filename[FILE_PATH_SIZE] = { 0x00 }; | |
323 | FILE* pf; | |
324 | bool tag_mem_supplied; | |
325 | int len = strlen(Cmd); | |
326 | if (len > FILE_PATH_SIZE) | |
327 | len = FILE_PATH_SIZE; | |
328 | memcpy(filename, Cmd, len); | |
329 | ||
330 | if (strlen(filename) > 0) { | |
331 | if ((pf = fopen(filename, "rb+")) == NULL) { | |
332 | PrintAndLog("Error: Could not open file [%s]", filename); | |
333 | return 1; | |
334 | } | |
335 | tag_mem_supplied = true; | |
336 | if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) { | |
337 | PrintAndLog("Error: File reading error"); | |
338 | fclose(pf); | |
339 | return 1; | |
340 | } | |
341 | fclose(pf); | |
342 | } else { | |
343 | tag_mem_supplied = false; | |
344 | } | |
345 | ||
346 | // Does the tag comes with memory | |
347 | c.arg[0] = (uint32_t) tag_mem_supplied; | |
348 | ||
349 | SendCommand(&c); | |
350 | return 0; | |
351 | } | |
352 | ||
353 | int CmdLFHitagCheckChallenges(const char *Cmd) { | |
354 | UsbCommand c = { CMD_TEST_HITAGS_TRACES }; | |
355 | char filename[FILE_PATH_SIZE] = { 0x00 }; | |
356 | FILE* pf; | |
357 | bool file_given; | |
358 | int len = strlen(Cmd); | |
359 | if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; | |
360 | memcpy(filename, Cmd, len); | |
361 | ||
362 | if (strlen(filename) > 0) { | |
363 | if ((pf = fopen(filename,"rb+")) == NULL) { | |
364 | PrintAndLog("Error: Could not open file [%s]",filename); | |
365 | return 1; | |
366 | } | |
367 | file_given = true; | |
368 | if (fread(c.d.asBytes,1,8*60,pf) != 8*60) { | |
369 | PrintAndLog("Error: File reading error"); | |
370 | fclose(pf); | |
371 | return 1; | |
372 | } | |
373 | fclose(pf); | |
374 | } else { | |
375 | file_given = false; | |
376 | } | |
377 | ||
378 | //file with all the challenges to try | |
379 | c.arg[0] = (uint32_t)file_given; | |
380 | c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode | |
381 | ||
382 | SendCommand(&c); | |
383 | return 0; | |
384 | } | |
385 | ||
386 | ||
387 | int CmdLFHitagWP(const char *Cmd) { | |
388 | UsbCommand c = { CMD_WR_HITAG_S }; | |
389 | hitag_data* htd = (hitag_data*)c.d.asBytes; | |
390 | hitag_function htf = param_get32ex(Cmd,0,0,10); | |
391 | switch (htf) { | |
392 | case 03: { //WHTSF_CHALLENGE | |
393 | num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr); | |
394 | c.arg[2]= param_get32ex(Cmd, 2, 0, 10); | |
395 | num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data); | |
396 | } break; | |
397 | case 04: | |
398 | case 24: | |
399 | { //WHTSF_KEY | |
400 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); | |
401 | c.arg[2]= param_get32ex(Cmd, 2, 0, 10); | |
402 | num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data); | |
403 | ||
404 | } break; | |
405 | default: { | |
406 | PrintAndLog("Error: unkown writer function %d",htf); | |
407 | PrintAndLog("Hitag writer functions"); | |
408 | PrintAndLog(" HitagS (0*)"); | |
409 | PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag"); | |
410 | PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag"); | |
411 | PrintAndLog(" Hitag1 (1*)"); | |
412 | PrintAndLog(" Hitag2 (2*)"); | |
413 | PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag"); | |
414 | return 1; | |
415 | } break; | |
416 | } | |
417 | // Copy the hitag function into the first argument | |
418 | c.arg[0] = htf; | |
419 | ||
420 | // Send the command to the proxmark | |
421 | SendCommand(&c); | |
422 | ||
423 | UsbCommand resp; | |
424 | WaitForResponse(CMD_ACK,&resp); | |
425 | ||
426 | // Check the return status, stored in the first argument | |
427 | if (resp.arg[0] == false) return 1; | |
428 | return 0; | |
429 | } | |
430 | ||
431 | ||
432 | static command_t CommandTable[] = | |
433 | { | |
434 | {"help", CmdHelp, 1, "This help"}, | |
435 | {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"}, | |
436 | {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"}, | |
437 | {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"}, | |
438 | {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"}, | |
439 | {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" }, | |
440 | {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" }, | |
441 | {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> <tagmode> test all challenges" }, { | |
442 | NULL,NULL, 0, NULL } | |
443 | }; | |
444 | ||
445 | int CmdLFHitag(const char *Cmd) | |
446 | { | |
447 | CmdsParse(CommandTable, Cmd); | |
448 | return 0; | |
449 | } | |
450 | ||
451 | int CmdHelp(const char *Cmd) | |
452 | { | |
453 | CmdsHelp(CommandTable); | |
454 | return 0; | |
455 | } |