]> cvs.zerfleddert.de Git - proxmark3-svn/blame_incremental - armsrc/emvcmd.c
projects / proxmark3-svn / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
removed some duplicates.
[proxmark3-svn] / armsrc / emvcmd.c
... / ...
CommitLineData
1//Peter Fillmore - 2014
2//
3//--------------------------------------------------------------------------------
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//--------------------------------------------------------------------------------
8//--------------------------------------------------------------------------------
9//Routines to support EMV transactions
10//--------------------------------------------------------------------------------
11#include "emvcmd.h"
12
13static emvcard currentcard; //use to hold emv tags for the reader/card during communications
14
15void EMVTest()
16{
17 uint8_t rats[0x0b] = {0x0b,0x78,0x80,0x81,0x02,0x4b,0x4f,0x4e,0x41, 0x14, 0x11};
18 EMVFuzz_RATS(0xb, rats);
19 //grab card
20 //EMVClone(1,1);
21 /*
22 uint8_t tagvalbuffer[256];
23 uint8_t tagvallen;
24 uint8_t template6F[] = {0x6F,0x00};
25 uint8_t templateA5[] = {0xA5,0x00};
26 uint8_t tag1[] = {0x50,0x00,0x00};
27 uint8_t tag2[] = {0x87,0x00,0x00};
28 uint8_t tag3[] = {0x9f,0x38,0x00};
29 uint8_t tag4[] = {0x5F,0x2D,0x00};
30 uint8_t tag5[] = {0x9F,0x11,0x00};
31 uint8_t tag6[] = {0x9F,0x12,0x00};
32
33 uint8_t tag7[] = {0x84, 0x00};
34 uint8_t tag8[] = {0xA5, 0x00};
35 emv_generatetemplate(templateA5,&currentcard,tagvalbuffer,&tagvallen, 6, tag1, tag2, tag3, tag4, tag5, tag6);
36 memcpy(currentcard.tag_A5, tagvalbuffer+2, tagvallen-2);
37 currentcard.tag_A5_len = tagvallen-2;
38 emv_generatetemplate(template6F,&currentcard,currentcard.tag_6F ,&currentcard.tag_6F_len, 2, tag7, tag8);
39 Dbprintf("TAG A5=");
40 Dbhexdump(currentcard.tag_A5_len,currentcard.tag_A5 , false);
41 */
42 //EMVSim();
43}
44
45
46//load individual tag into current card
47void EMVloadvalue(uint32_t tag, uint8_t *datain){
48 //Dbprintf("TAG=%i\n", tag);
49 //Dbprintf("DATA=%s\n", datain);
50 emv_settag(tag, datain, &currentcard);
51}
52
53void EMVReadRecord(uint8_t arg0, uint8_t arg1,emvcard *currentcard)
54{
55 uint8_t record = arg0;
56 uint8_t sfi = arg1 & 0x0F; // convert arg1 to number
57 uint8_t *resp = BigBuf_malloc(256);
58 // variables
59 tlvtag inputtag; // create the tag structure
60 LED_A_ON();
61 LED_B_OFF();
62 LED_C_OFF();
63
64 // perform read
65 // write the result to the provided card
66 while(true) {
67 if(!emv_readrecord(record, sfi, resp)) {
68 if(MF_DBGLEVEL >= 1) Dbprintf("readrecord failed");
69 }
70 if(*(resp+1) == 0x70){
71 decode_ber_tlv_item(resp+1, &inputtag);
72 emv_decode_field(inputtag.value, inputtag.valuelength, currentcard);
73 }
74 else
75 {
76 if(MF_DBGLEVEL >= 1)
77 Dbprintf("Record not found SFI=%i RECORD=%i", sfi, record);
78 }
79 LED_B_ON();
80 LED_B_OFF();
81 break;
82 }
83 LEDsoff();
84}
85
86void EMVSelectAID(uint8_t *AID, uint8_t AIDlen, emvcard* inputcard)
87{
88 uint8_t* resp = BigBuf_malloc(256);
89 // variables
90 tlvtag inputtag; // create the tag structure
91 LED_A_ON();
92 LED_B_OFF();
93 LED_C_OFF();
94
95 while(true) {
96
97 if(!emv_select(AID, AIDlen, resp)){
98 if(MF_DBGLEVEL == 1) DbpString("AID Select failed");
99 break;
100 }
101
102 // write the result to the provided card
103 if(*(resp+1) == 0x6F){
104 // decode the 6F template
105 decode_ber_tlv_item(resp+1, &inputtag);
106
107 // store 84 and A5 tags
108 emv_decode_field(inputtag.value, inputtag.valuelength, &currentcard);
109
110 // decode the A5 tag
111 if(currentcard.tag_A5_len > 0)
112 emv_decode_field(currentcard.tag_A5, currentcard.tag_A5_len, &currentcard);
113
114 // copy this result to the DFName
115 if(currentcard.tag_84_len == 0)
116 memcpy(currentcard.tag_DFName, currentcard.tag_84, currentcard.tag_84_len);
117
118 // decode the BF0C result, assuming 1 directory entry for now
119 if(currentcard.tag_BF0C_len !=0){
120 emv_decode_field(currentcard.tag_BF0C, currentcard.tag_BF0C_len, &currentcard);}
121
122 // retrieve the AID, use the AID to decide what transaction flow to use
123 if(currentcard.tag_61_len !=0)
124 emv_decode_field(currentcard.tag_61, currentcard.tag_61_len, &currentcard);
125 }
126 LED_B_ON();
127 LED_B_OFF();
128 break;
129 }
130
131 if(MF_DBGLEVEL >= 2) DbpString("SELECT AID COMPLETED");
132 LEDsoff();
133}
134
135void EMVSelectPPSE()
136{
137 while(true) {
138 if(!emv_selectPPSE()) {
139 if(MF_DBGLEVEL >= 1) DbpString("PPSE failed");
140 break;
141 }
142
143 LED_B_ON();
144 LED_B_OFF();
145 break;
146 }
147 if(MF_DBGLEVEL >= 2) DbpString("SELECT PPSE COMPLETED");
148 LEDsoff();
149}
150
151int EMVGetProcessingOptions(uint8_t *PDOL, uint8_t PDOLlen, emvcard* inputcard)
152{
153 uint8_t receivedAnswer[MAX_FRAME_SIZE];
154
155 // variables
156 tlvtag inputtag; //create the tag structure
157 // perform pdol
158 if(!emv_getprocessingoptions(PDOL, PDOLlen, receivedAnswer)){
159 if(MF_DBGLEVEL >= 1) Dbprintf("get processing options failed");
160 return 0;
161 }
162 // write the result to the provided card
163 // FORMAT 1 received
164 if(receivedAnswer[1] == 0x80){
165 // store AIP
166 // decode tag 80
167 decode_ber_tlv_item(receivedAnswer+1, &inputtag);
168 memcpy(currentcard.tag_82, &inputtag.value, sizeof(currentcard.tag_82));
169 memcpy(currentcard.tag_94, &inputtag.value[2], inputtag.valuelength - sizeof(currentcard.tag_82));
170 currentcard.tag_94_len = inputtag.valuelength - sizeof(currentcard.tag_82);
171 }
172 else if(receivedAnswer[1] == 0x77){
173 // decode the 77 template
174 decode_ber_tlv_item(receivedAnswer+1, &inputtag);
175 // store 82 and 94 tags (AIP, AFL)
176 emv_decode_field(inputtag.value, inputtag.valuelength, &currentcard);
177 }
178 if(MF_DBGLEVEL >= 2)
179 DbpString("GET PROCESSING OPTIONS COMPLETE");
180 return 1;
181}
182
183int EMVGetChallenge(emvcard* inputcard)
184{
185 uint8_t receivedAnswer[MAX_FRAME_SIZE];
186 // variables
187 // tlvtag inputtag; //create the tag structure
188 // perform select
189 if(!emv_getchallenge(receivedAnswer)){
190 if(MF_DBGLEVEL >= 1) Dbprintf("get processing options failed");
191 return 1;
192 }
193 return 0;
194}
195
196int EMVGenerateAC(uint8_t refcontrol, emvcard* inputcard)
197{
198 uint8_t receivedAnswer[MAX_FRAME_SIZE];
199 uint8_t cdolcommand[MAX_FRAME_SIZE];
200 uint8_t cdolcommandlen = 0;
201 tlvtag temptag;
202
203 if(currentcard.tag_8C_len > 0) {
204 emv_generateDOL(currentcard.tag_8C, currentcard.tag_8C_len, &currentcard, cdolcommand, &cdolcommandlen); }
205 else{
206 // cdolcommand = NULL; //cdol val is null
207 cdolcommandlen = 0;
208 }
209 // variables
210 // tlvtag inputtag; //create the tag structure
211 // perform select
212 if(!emv_generateAC(refcontrol, cdolcommand, cdolcommandlen,receivedAnswer)){
213 if(MF_DBGLEVEL >= 1) Dbprintf("get processing options failed");
214 return 1;
215 }
216 if(receivedAnswer[2] == 0x77) //format 2 data field returned
217 {
218 decode_ber_tlv_item(&receivedAnswer[2], &temptag);
219 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
220 }
221
222 return 0;
223}
224
225//function to perform paywave transaction
226//takes in TTQ, amount authorised, unpredicable number and transaction currency code
227int EMV_PaywaveTransaction()
228{
229 uint8_t *resp = BigBuf_malloc(256);
230 tlvtag temptag;
231 //get the current block counter
232 //select the AID (Mastercard
233 EMVSelectAID(currentcard.tag_4F,currentcard.tag_4F_len, &currentcard);
234
235 if(resp[1] == 0x6F){ //decode template
236 decode_ber_tlv_item(&resp[1], &temptag);
237 //decode 84 and A5 tags
238 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
239 //decode the A5 tag
240 emv_decode_field(currentcard.tag_A5, currentcard.tag_A5_len, &currentcard);
241 //decode the BF0C result, assuming 1 directory entry for now
242 //retrieve the AID
243 }
244 // get PDOL
245 uint8_t pdolcommand[20]; //20 byte buffer for pdol data
246 uint8_t pdolcommandlen = 0;
247 if(currentcard.tag_9F38_len > 0) {
248 emv_generateDOL(currentcard.tag_9F38, currentcard.tag_9F38_len, &currentcard, pdolcommand, &pdolcommandlen);
249 } else {
250 pdolcommandlen = 0;
251 }
252
253 if(!EMVGetProcessingOptions(pdolcommand, pdolcommandlen, &currentcard)) {
254 if(MF_DBGLEVEL >= 1) Dbprintf("PDOL failed");
255 return 1;
256 }
257 if(resp[1] == 0x80) //format 1 data field returned
258 {
259 memcpy(currentcard.tag_82, &resp[3],2); //copy AIP
260 currentcard.tag_94_len = resp[2]-2; //AFL len
261 memcpy(currentcard.tag_94, &resp[5], currentcard.tag_94_len); //copy AFL
262 }
263 else if(resp[1] == 0x77) //format 2 data field returned
264 {
265 decode_ber_tlv_item(&resp[1], &temptag);
266 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
267 }
268 else
269 {
270 //throw an error
271 }
272 Dbprintf("AFL=");
273 Dbhexdump(currentcard.tag_94_len, currentcard.tag_94,false);
274 Dbprintf("AIP=");
275 Dbhexdump(2, currentcard.tag_82, false);
276 emv_decodeAIP(currentcard.tag_82);
277//
278// decode the AFL list and read records
279
280 //record, sfi
281 EMVReadRecord(1,1,&currentcard);
282 Dbhexdump(200, resp, false);
283 EMVReadRecord(2,1,&currentcard);
284 Dbhexdump(200, resp,false);
285 EMVReadRecord( 1,2, &currentcard);
286 Dbhexdump(200, resp,false);
287 EMVReadRecord(2,2,&currentcard);
288 Dbhexdump(200, resp,false);
289 EMVReadRecord( 3,2, &currentcard);
290 Dbhexdump(200, resp,false);
291 EMVReadRecord( 4,2, &currentcard);
292 Dbhexdump(200, resp,false);
293 EMVReadRecord( 1,3, &currentcard);
294 Dbhexdump(200, resp,false);
295 EMVReadRecord(2,3,&currentcard);
296 Dbhexdump(200, resp,false);
297 EMVReadRecord(4,2,&currentcard);
298 EMVReadRecord( 1,3, &currentcard);
299 Dbhexdump(200, resp,false);
300
301 //DDA supported, so read more records
302 if((currentcard.tag_82[0] & AIP_CDA_SUPPORTED) == AIP_CDA_SUPPORTED){
303 EMVReadRecord( 1,4, &currentcard);
304 EMVReadRecord( 2,4, &currentcard);
305 }
306
307
308 emv_decodeCVM(currentcard.tag_8E, currentcard.tag_8E_len);
309 /* get ICC dynamic data */
310 //if((currentcard.tag_82[0] & AIP_CDA_SUPPORTED) == AIP_CDA_SUPPORTED)
311 {
312 //DDA supported, so perform GENERATE AC
313 uint8_t cdolcommand[40]; //20 byte buffer for pdol data
314 uint8_t cdolcommandlen;
315 //generate the iCC UN
316 EMVGetChallenge(&currentcard);
317
318 memcpy(currentcard.tag_9F37,&resp[1],8); // ICC UN
319 memcpy(currentcard.tag_9F4C,&resp[1],8); // ICC UN
320 if(currentcard.tag_8C_len > 0) {
321 emv_generateDOL(currentcard.tag_8C, currentcard.tag_8C_len, &currentcard, cdolcommand, &cdolcommandlen);
322 } else {
323 cdolcommandlen = 0;
324 }
325 Dbhexdump(currentcard.tag_8C_len, currentcard.tag_8C,false);
326 Dbhexdump(cdolcommandlen, cdolcommand,false);
327
328 EMVGenerateAC(0x41, &currentcard);
329
330 Dbhexdump(100, resp,false);
331 }
332 return 0;
333}
334
335int EMV_PaypassTransaction()
336{
337 uint8_t *resp = BigBuf_malloc(256);
338 tlvtag temptag; //buffer for decoded tags
339 // get the current block counter
340 // select the AID (Mastercard
341 EMVSelectAID(currentcard.tag_4F,currentcard.tag_4F_len, &currentcard);
342
343 if(resp[1] == 0x6F){ //decode template
344 decode_ber_tlv_item(&resp[1], &temptag);
345 //decode 84 and A5 tags
346 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
347 //decode the A5 tag
348 emv_decode_field(currentcard.tag_A5, currentcard.tag_A5_len, &currentcard);
349 //decode the BF0C result, assuming 1 directory entry for now
350 //retrieve the AID
351 }
352 // get PDOL
353 uint8_t pdolcommand[20]; // 20 byte buffer for pdol data
354 uint8_t pdolcommandlen = 0;
355 if(currentcard.tag_9F38_len > 0) {
356 emv_generateDOL(currentcard.tag_9F38, currentcard.tag_9F38_len, &currentcard, pdolcommand, &pdolcommandlen);
357 } else {
358 pdolcommandlen = 0;
359 }
360 if(EMVGetProcessingOptions(pdolcommand,pdolcommandlen, &currentcard)) {
361 if(MF_DBGLEVEL >= 1) Dbprintf("PDOL failed");
362 return 1;
363 }
364 if(resp[1] == 0x80) //format 1 data field returned
365 {
366 memcpy(currentcard.tag_82, &resp[3],2); //copy AIP
367 currentcard.tag_94_len = resp[2]-2; //AFL len
368 memcpy(currentcard.tag_94, &resp[5],currentcard.tag_94_len); //copy AFL
369 }
370 else if(resp[1] == 0x77) //format 2 data field returned
371 {
372 decode_ber_tlv_item(&resp[1], &temptag);
373 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
374 }
375 else
376 {
377 //throw an error
378 }
379 Dbprintf("AFL=");
380 Dbhexdump(currentcard.tag_94_len, currentcard.tag_94,false);
381 Dbprintf("AIP=");
382 Dbhexdump(2, currentcard.tag_82, false);
383 emv_decodeAIP(currentcard.tag_82);
384
385 // decode the AFL list and read records
386
387 //record, sfi
388 EMVReadRecord( 1,1, &currentcard);
389 EMVReadRecord( 1,2, &currentcard);
390 EMVReadRecord( 1,3, &currentcard);
391 EMVReadRecord( 2,3, &currentcard);
392
393 //DDA supported, so read more records
394 if((currentcard.tag_82[0] & AIP_CDA_SUPPORTED) == AIP_CDA_SUPPORTED){
395 EMVReadRecord( 1,4, &currentcard);
396 EMVReadRecord( 2,4, &currentcard);
397 }
398
399
400 /* get ICC dynamic data */
401 if((currentcard.tag_82[0] & AIP_CDA_SUPPORTED) == AIP_CDA_SUPPORTED)
402 {
403 // DDA supported, so perform GENERATE AC
404 uint8_t cdolcommand[40]; //20 byte buffer for pdol data
405 uint8_t cdolcommandlen;
406 // generate the iCC UN
407 EMVGetChallenge(&currentcard);
408 memcpy(currentcard.tag_9F4C, &resp[1],8); // ICC UN
409
410 if(currentcard.tag_8C_len > 0) {
411 emv_generateDOL(currentcard.tag_8C, currentcard.tag_8C_len, &currentcard, cdolcommand, &cdolcommandlen);
412 } else {
413 cdolcommandlen = 0;
414 }
415 EMVGenerateAC(0x80, &currentcard);
416
417 if(resp[1] == 0x77) //format 2 data field returned
418 {
419 decode_ber_tlv_item(&resp[1], &temptag);
420 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
421 }
422
423 // generate AC2
424 if(currentcard.tag_8D_len > 0) {
425 emv_generateDOL(currentcard.tag_8D, currentcard.tag_8D_len, &currentcard, cdolcommand, &cdolcommandlen); }
426 else{
427 //cdolcommand = NULL; //cdol val is null
428 cdolcommandlen = 0;
429 }
430
431 EMVGenerateAC(0x80, &currentcard);
432
433 if(resp[1] == 0x77) //format 2 data field returned
434 {
435 decode_ber_tlv_item(&resp[1], &temptag);
436 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
437 }
438 }
439 // generate cryptographic checksum
440 uint8_t udol[4] = {0x00,0x00,0x00,0x00};
441
442 emv_computecryptogram(udol, sizeof(udol), resp);
443
444 if(resp[1] == 0x77) //format 2 data field returned
445 {
446 decode_ber_tlv_item(&resp[1], &temptag);
447 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
448 }
449 return 0;
450}
451
452void EMVTransaction()
453{
454 //params
455 uint8_t uid[10] = {0x00};
456 uint32_t cuid = 0;
457
458 //setup stuff
459 BigBuf_free(); BigBuf_Clear_ext(false);
460 clear_trace();
461 set_tracing(TRUE);
462
463
464 uint8_t *resp = BigBuf_malloc(256);
465 //variables
466 tlvtag temptag; //used to buffer decoded tag valuesd
467 //initialize the emv card structure
468 //extern emvcard currentcard;
469
470 memset(&currentcard, 0x00, sizeof(currentcard)); //set all to zeros
471 memcpy(currentcard.tag_9F66,"\xD7\x20\xC0\x00",4);
472 memcpy(currentcard.tag_9F02,"\x00\x00\x00\x00\x00\x20",6); //20 dollars
473 memcpy(currentcard.tag_9F37, "\x01\x02\x03\x04", 4); //UN
474 memcpy(currentcard.tag_5F2A, "\x00\x36",2); //currency code
475 //CDOL stuff
476 memcpy(currentcard.tag_9F03,"\x00\x00\x00\x00\x00\x00",6);
477 memcpy(currentcard.tag_9F1A,"\x00\x36",2); //country code
478 memcpy(currentcard.tag_95,"\x00\x00\x00\x00\x00",5); //TVR
479 memcpy(currentcard.tag_9A,"\x14\x04\x01",3); //date
480 memcpy(currentcard.tag_9C,"\x00",1); //processingcode;
481 memcpy(currentcard.tag_9F45, "\x00\x00", 2); //Data Authentication Code
482 memset(currentcard.tag_9F4C,0x00,8); // ICC UN
483 memcpy(currentcard.tag_9F35,"\x12",1);
484 memcpy(currentcard.tag_9F34,"\x3F\x00\x00", 3); //CVM
485
486
487 LED_A_ON();
488 LED_B_OFF();
489 LED_C_OFF();
490
491 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
492
493 while(true) {
494 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
495 if(MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
496 break;
497 }
498 EMVSelectPPSE();
499 //get response
500 if (resp[1] == 0x6F){ //decode template
501 decode_ber_tlv_item(&resp[1], &temptag);
502 //decode 84 and A5 tags
503 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
504 //decode the A5 tag
505 emv_decode_field(currentcard.tag_A5, currentcard.tag_A5_len, &currentcard);
506 //decode the BF0C result, assuming 1 directory entry for now
507 if(currentcard.tag_BF0C_len !=0){
508 emv_decode_field(currentcard.tag_BF0C, currentcard.tag_BF0C_len, &currentcard);}
509 //retrieve the AID, use the AID to decide what transaction flow to use
510 if(currentcard.tag_61_len !=0){
511 emv_decode_field(currentcard.tag_61, currentcard.tag_61_len, &currentcard);}
512 }
513 if (!memcmp(currentcard.tag_4F, AID_MASTERCARD, sizeof(AID_MASTERCARD))){
514 Dbprintf("Mastercard Paypass Card Detected");
515 EMV_PaypassTransaction();
516 }
517 else if (!memcmp(currentcard.tag_4F, AID_VISA, sizeof(AID_VISA))){
518 Dbprintf("VISA Paywave Card Detected");
519 EMV_PaywaveTransaction();
520 }
521 //TODO: add other card schemes like AMEX, JCB, China Unionpay etc
522 LED_B_ON();
523 //output the sensitive data
524 cmd_send(CMD_ACK, 0, 0,0,resp,100);
525 LED_B_OFF();
526 break;
527 }
528 if (MF_DBGLEVEL >= 2) DbpString("EMV TRANSACTION FINISHED");
529 //finish up
530 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
531 LEDsoff();
532}
533
534void EMVdumpcard(void){
535 dumpCard(&currentcard);
536}
537
538//EMV clone a card - read up to the max SFI and max records for that SFI
539void EMVClone(uint8_t maxsfi, uint8_t maxrecord)
540{
541 //params
542 uint8_t uid[10];
543 uint32_t cuid;
544 uint8_t *resp = BigBuf_malloc(256);
545 iso14a_card_select_t hi14a_card; //card select values
546 //variables
547 tlvtag temptag; //used to buffer decoded tag valuesd
548
549 memset(&currentcard, 0x00, sizeof(currentcard)); //set all to zeros
550 //memcpy(currentcard.tag_9F66,"\x20\x00\x00\x00",4);
551 memcpy(currentcard.tag_9F66,"\xD7\x20\xC0\x00",4);
552 //memcpy(currentcard.tag_9F66,"\xC0\x00\x00\x00",2);
553 memcpy(currentcard.tag_9F02,"\x00\x00\x00\x00\x00\x20",6); //20 dollars
554 memcpy(currentcard.tag_9F37, "\x01\x02\x03\x04", 4); //UN
555 memcpy(currentcard.tag_5F2A, "\x00\x36",2); //currency code
556 //CDOL stuff
557 //memcpy(currentcard.tag_9F02,"\x00\x00\x00\x00\x00\x20",6);
558 memcpy(currentcard.tag_9F03,"\x00\x00\x00\x00\x00\x00",6);
559 memcpy(currentcard.tag_9F1A,"\x00\x36",2); //country code
560 memcpy(currentcard.tag_95,"\x00\x00\x00\x00\x00",5); //TVR
561 //memcpy(currentcard.tag_5F2A,"\x00\x36",2);
562 memcpy(currentcard.tag_9A,"\x14\x04x01",3); //date
563 memcpy(currentcard.tag_9C,"\x00",1); //processingcode;
564 memcpy(currentcard.tag_9F45, "\x00\x00", 2); //Data Authentication Code
565 memset(currentcard.tag_9F4C,0x00,8); // ICC UN
566 memcpy(currentcard.tag_9F35,"\x12",1);
567 memcpy(currentcard.tag_9F34,"\x3F\x00\x00", 3); //CVM
568
569 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
570 LED_A_ON();
571 LED_B_OFF();
572 LED_C_OFF();
573
574 while(true) {
575 if(!iso14443a_select_card(uid, &hi14a_card, &cuid, true, 0)) {
576 if(MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
577 break;
578 }
579 //copy UID and ATQA SAK and ATS values
580 memcpy(currentcard.UID, hi14a_card.uid, hi14a_card.uidlen);
581 currentcard.UID_len = hi14a_card.uidlen;
582 memcpy(currentcard.ATQA, hi14a_card.atqa, 2);
583 currentcard.SAK = (uint8_t)hi14a_card.sak;
584 memcpy(currentcard.ATS, hi14a_card.ats, hi14a_card.ats_len);
585 currentcard.ATS_len = hi14a_card.ats_len;
586
587 if(MF_DBGLEVEL >= 1){
588 Dbprintf("UID=");
589 Dbhexdump(currentcard.UID_len, currentcard.UID, false);
590 Dbprintf("ATQA=");
591 Dbhexdump(2, currentcard.ATQA,false);
592 Dbprintf("SAK=");
593 Dbhexdump(1, &currentcard.SAK,false);
594 Dbprintf("ATS=");
595 Dbhexdump(currentcard.ATS_len, currentcard.ATS,false);
596 }
597 EMVSelectPPSE();
598 //get response
599 if(resp[1] == 0x6F){ //decode template
600 decode_ber_tlv_item(&resp[1], &temptag);
601 //decode 84 and A5 tags
602 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
603 //decode the A5 tag
604 emv_decode_field(currentcard.tag_A5, currentcard.tag_A5_len, &currentcard);
605 //decode the BF0C result, assuming 1 directory entry for now
606 if(currentcard.tag_BF0C_len !=0){
607 emv_decode_field(currentcard.tag_BF0C, currentcard.tag_BF0C_len, &currentcard);}
608 //retrieve the AID, use the AID to decide what transaction flow to use
609 if(currentcard.tag_61_len !=0){
610 emv_decode_field(currentcard.tag_61, currentcard.tag_61_len, &currentcard);}
611 }
612 //perform AID selection
613 EMVSelectAID(currentcard.tag_4F,currentcard.tag_4F_len, &currentcard);
614 if(resp[1] == 0x6F){ //decode template
615 decode_ber_tlv_item(&resp[1], &temptag);
616 //decode 84 and A5 tags
617 emv_decode_field(temptag.value, temptag.valuelength, &currentcard);
618 //decode the A5 tag
619 emv_decode_field(currentcard.tag_A5, currentcard.tag_A5_len, &currentcard);
620 //decode the BF0C result, assuming 1 directory entry for now
621 }
622 //decode the AFL list and read records
623
624 //scan all card records
625 Dbprintf("Reading %u SFIs and %u records...", maxsfi, maxrecord);
626 for(uint8_t sfi = 1; sfi < maxsfi; sfi++){ //all possible SFI values
627 for(uint8_t record = 1; record < maxrecord; record++){
628 EMVReadRecord(record,sfi, &currentcard);
629 if(resp[1] == 0x70){
630 Dbprintf("Record Found! SFI=%u RECORD=%u", sfi, record);
631 }
632 }
633 }
634 Dbprintf("Reading finished");
635
636 LED_B_ON();
637 //output the sensitive data
638 cmd_send(CMD_ACK, 0, 0,0,resp,100);
639 LED_B_OFF();
640 break;
641 }
642
643 if(MF_DBGLEVEL >= 2) DbpString("EMV TRANSACTION FINISHED");
644 //finish up
645 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
646 LEDsoff();
647}
648
649//SIMULATOR CODE
650//-----------------------------------------------------------------------------
651// Main loop of simulated tag: receive commands from reader, decide what
652// response to send, and send it.
653//-----------------------------------------------------------------------------
654void SimulateEMVcard()
655{
656 /*
657
658 //uint8_t sak; //select ACKnowledge
659 uint16_t readerPacketLen = 64; //reader packet length - provided by RATS, default to 64 bytes if RATS not supported
660
661 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
662 //uint8_t atqapacket[2];
663
664 // The second response contains the (mandatory) first 24 bits of the UID
665 uint8_t uid0packet[5] = {0x00};
666 memcpy(uid0packet, currentcard.UID, sizeof(uid0packet));
667 // Check if the uid uses the (optional) part
668 uint8_t uid1packet[5] = {0x00};
669 memcpy(uid1packet, currentcard.UID, sizeof(uid1packet));
670
671 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
672 uid0packet[4] = uid0packet[0] ^ uid0packet[1] ^ uid0packet[2] ^ uid0packet[3];
673
674 // Prepare the mandatory SAK (for 4 and 7 byte UID)
675 uint8_t sak0packet[3] = {0x00};
676 memcpy(sak0packet,&currentcard.SAK1,1);
677 ComputeCrc14443(CRC_14443_A, sak0packet, 1, &sak0packet[1], &sak0packet[2]);
678 uint8_t sak1packet[3] = {0x00};
679 memcpy(sak1packet,&currentcard.SAK2,1);
680 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
681 ComputeCrc14443(CRC_14443_A, sak1packet, 1, &sak1packet[1], &sak1packet[2]);
682
683 uint8_t authanspacket[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
684 //setup response to ATS
685 uint8_t ratspacket[currentcard.ATS_len];
686 memcpy(ratspacket,currentcard.ATS, currentcard.ATS_len);
687 AppendCrc14443a(ratspacket,sizeof(ratspacket)-2);
688
689 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
690 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
691 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
692 // TC(1) = 0x02: CID supported, NAD not supported
693 //ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
694
695 //Receive Acknowledge responses differ by PCB byte
696 uint8_t rack0packet[] = {0xa2,0x00,0x00};
697 AppendCrc14443a(rack0packet,1);
698 uint8_t rack1packet[] = {0xa3,0x00,0x00};
699 AppendCrc14443a(rack1packet,1);
700 //Negative Acknowledge
701 uint8_t rnak0packet[] = {0xb2,0x00,0x00};
702 uint8_t rnak1packet[] = {0xb3,0x00,0x00};
703 AppendCrc14443a(rnak0packet,1);
704 AppendCrc14443a(rnak1packet,1);
705
706 //Protocol and parameter selection response, just say yes
707 uint8_t ppspacket[] = {0xd0,0x00,0x00};
708 AppendCrc14443a(ppspacket,1);
709
710 //hardcoded WTX packet - set to max time (49)
711 uint8_t wtxpacket[] ={0xf2,0x31,0x00,0x00};
712 AppendCrc14443a(wtxpacket,2);
713
714 //added additional responses for different readers, namely protocol parameter select and Receive acknowledments. - peter fillmore.
715 //added defininitions for predone responses to aid readability
716 #define ATR 0
717 #define UID1 1
718 #define UID2 2
719 #define SELACK1 3
720 #define SELACK2 4
721 #define AUTH_ANS 5
722 #define ATS 6
723 #define RACK0 7
724 #define RACK1 8
725 #define RNAK0 9
726 #define RNAK1 10
727 #define PPSresponse 11
728 #define WTX 12
729
730 #define TAG_RESPONSE_COUNT 13
731 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
732 { .response = currentcard.ATQA, .response_n = sizeof(currentcard.ATQA) }, // Answer to request - respond with card type
733 { .response = uid0packet, .response_n = sizeof(uid0packet) }, // Anticollision cascade1 - respond with uid
734 { .response = uid1packet, .response_n = sizeof(uid1packet) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
735 { .response = sak0packet, .response_n = sizeof(sak0packet) }, // Acknowledge select - cascade 1
736 { .response = sak1packet, .response_n = sizeof(sak1packet) }, // Acknowledge select - cascade 2
737 { .response = authanspacket, .response_n = sizeof(authanspacket) }, // Authentication answer (random nonce)
738 { .response = ratspacket, .response_n = sizeof(ratspacket) }, // dummy ATS (pseudo-ATR), answer to RATS
739 { .response = rack0packet, .response_n = sizeof(rack0packet) }, //R(ACK)0
740 { .response = rack1packet, .response_n = sizeof(rack1packet) }, //R(ACK)0
741 { .response = rnak0packet, .response_n = sizeof(rnak0packet) }, //R(NAK)0
742 { .response = rnak1packet, .response_n = sizeof(rnak1packet) }, //R(NAK)1
743 { .response = ppspacket, .response_n = sizeof(ppspacket)}, //PPS packet
744 { .response = wtxpacket, .response_n = sizeof(wtxpacket)}, //WTX packet
745};
746
747 //calculated length of predone responses
748 uint16_t allocatedtaglen = 0;
749 for(int i=0;i<TAG_RESPONSE_COUNT;i++){
750 allocatedtaglen += responses[i].response_n;
751 }
752 //uint8_t selectOrder = 0;
753
754 BigBuf_free_keep_EM();
755 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
756 // Such a response is less time critical, so we can prepare them on the fly
757
758 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
759 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
760
761 //uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
762 //uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
763 uint8_t *dynamic_response_buffer = BigBuf_malloc(DYNAMIC_RESPONSE_BUFFER_SIZE);
764 uint8_t *dynamic_modulation_buffer = BigBuf_malloc(DYNAMIC_MODULATION_BUFFER_SIZE);
765
766 tag_response_info_t dynamic_response_info = {
767 .response = dynamic_response_buffer,
768 .response_n = 0,
769 .modulation = dynamic_modulation_buffer,
770 .modulation_n = 0
771 };
772 // allocate buffers from BigBuf (so we're not in the stack)
773 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
774 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
775 //uint8_t* free_buffer_pointer;
776 //free_buffer_pointer = BigBuf_malloc((allocatedtaglen*8) +(allocatedtaglen) + (TAG_RESPONSE_COUNT * 3));
777 BigBuf_malloc((allocatedtaglen*8) +(allocatedtaglen) + (TAG_RESPONSE_COUNT * 3));
778 // clear trace
779 clear_trace();
780 set_tracing(TRUE);
781
782 // Prepare the responses of the anticollision phase
783 // there will be not enough time to do this at the moment the reader sends it REQA
784 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++)
785 prepare_allocated_tag_modulation(&responses[i]);
786
787 int len = 0;
788
789 // To control where we are in the protocol
790 int order = 0;
791 int lastorder;
792 int currentblock = 1; //init to 1
793 int previousblock = 0; //used to store previous block counter
794
795 // Just to allow some checks
796 int happened = 0;
797 int happened2 = 0;
798 int cmdsRecvd = 0;
799
800 // We need to listen to the high-frequency, peak-detected path.
801 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
802
803 cmdsRecvd = 0;
804 tag_response_info_t* p_response;
805
806 LED_A_ON();
807 for(;;) {
808 // Clean receive command buffer
809
810 if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
811 DbpString("Button press");
812 break;
813 }
814
815 p_response = NULL;
816
817 // Okay, look at the command now.
818 previousblock = currentblock; //get previous block
819 lastorder = order;
820 currentblock = receivedCmd[0] & 0x01;
821
822 if(receivedCmd[0] == 0x26) { // Received a REQUEST
823 p_response = &responses[ATR]; order = ISO14443A_CMD_REQA;
824 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
825 p_response = &responses[ATR]; order = ISO14443A_CMD_WUPA;
826 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
827 p_response = &responses[UID1]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT;
828 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
829 p_response = &responses[UID2]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT_2;
830 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
831 p_response = &responses[SELACK1]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT;
832 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
833 p_response = &responses[SELACK2]; order = ISO14443A_CMD_ANTICOLL_OR_SELECT_2;
834 } else if((receivedCmd[0] & 0xA2) == 0xA2){ //R-Block received
835 if(previousblock == currentblock){ //rule 11, retransmit last block
836 p_response = &dynamic_response_info;
837 } else {
838 if((receivedCmd[0] & 0xB2) == 0xB2){ //RNAK, rule 12
839 if(currentblock == 0)
840 p_response = &responses[RACK0];
841 else
842 p_response = &responses[RACK1];
843 } else {
844 //rule 13
845 //TODO: implement chaining
846 }
847 }
848 }
849 else if(receivedCmd[0] == 0xD0){ //Protocol and parameter selection response
850 p_response = &responses[PPSresponse];
851 order = PPS;
852 }
853 else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
854 //we're an EMV card - so no read commands
855 p_response = NULL;
856 } else if(receivedCmd[0] == 0x50) { // Received a HALT
857 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
858 p_response = NULL;
859 order = HLTA;
860 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
861 p_response = &responses[AUTH_ANS];
862 order = AUTH;
863 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
864 readerPacketLen = GetReaderLength(receivedCmd); //get length of supported packet
865 p_response = &responses[ATS];
866 order = RATS;
867 } else if (order == AUTH && len == 8) { // Received {nr] and {ar} (part of authentication)
868 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
869 uint32_t nr = bytes_to_num(receivedCmd,4);
870 uint32_t ar = bytes_to_num(receivedCmd+4,4);
871 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
872 } else {
873 // Check for ISO 14443A-4 compliant commands, look at left nibble
874 switch (receivedCmd[0]) {
875 case 0x0B:
876 case 0x0A: // IBlock (command)
877 case 0x02:
878 case 0x03: {
879 dynamic_response_info.response_n = 0;
880 dynamic_response_info.response[0] = receivedCmd[0]; // copy PCB
881 //dynamic_response_info.response[1] = receivedCmd[1]; // copy PCB
882 dynamic_response_info.response_n++ ;
883 switch(receivedCmd[1]) {
884 case 0x00:
885 switch(receivedCmd[2]){
886 case 0xA4: //select
887 if(receivedCmd[5] == 0x0E){
888 }
889 else if(receivedCmd[5] == 0x07){
890 //selectOrder = 0;
891 }
892 else{ //send not supported msg
893 memcpy(dynamic_response_info.response+1, "\x6a\x82", 2);
894 dynamic_response_info.response_n += 2;
895 }
896 break;
897 case 0xB2: //read record
898 if(receivedCmd[3] == 0x01 && receivedCmd[4] == 0x0C){
899 dynamic_response_info.response_n += 2;
900 Dbprintf("READ RECORD 1 1");
901 }
902 break;
903 }
904 break;
905 case 0x80:
906 switch(receivedCmd[2]){
907 case 0xA8: //get processing options
908 break;
909 }
910 }
911 }break;
912 case 0x1A:
913 case 0x1B: { // Chaining command
914 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
915 dynamic_response_info.response_n = 2;
916 } break;
917
918 case 0xaa:
919 case 0xbb: {
920 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
921 dynamic_response_info.response_n = 2;
922 } break;
923
924 case 0xBA: { //
925 memcpy(dynamic_response_info.response,"\xAB\x00",2);
926 dynamic_response_info.response_n = 2;
927 } break;
928
929 case 0xCA:
930 case 0xC2: { // Readers sends deselect command
931 //we send the command back - this is what tags do in android implemenation i believe - peterfillmore
932 memcpy(dynamic_response_info.response,receivedCmd,1);
933 dynamic_response_info.response_n = 1;
934 } break;
935
936 default: {
937 // Never seen this command before
938 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
939 Dbprintf("Received unknown command (len=%d):",len);
940 Dbhexdump(len,receivedCmd,false);
941 // Do not respond
942 dynamic_response_info.response_n = 0;
943 } break;
944 }
945
946 if (dynamic_response_info.response_n > 0) {
947 // Copy the CID from the reader query
948 //dynamic_response_info.response[1] = receivedCmd[1];
949
950 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
951 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
952 dynamic_response_info.response_n += 2;
953 if(dynamic_response_info.response_n > readerPacketLen){ //throw error if our reader doesn't support the send packet length
954 Dbprintf("Error: tag response is longer then what the reader supports, TODO:implement command chaining");
955 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
956 break;
957 }
958 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
959 Dbprintf("Error preparing tag response");
960 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
961 break;
962 }
963 p_response = &dynamic_response_info;
964 }
965 }
966
967 // Count number of wakeups received after a halt
968 if(order == HLTA && lastorder == PPS) { happened++; }
969
970 // Count number of other messages after a halt
971 if(order != HLTA && lastorder == PPS) { happened2++; }
972
973 if(cmdsRecvd > 999) {
974 DbpString("1000 commands later...");
975 break;
976 }
977 cmdsRecvd++;
978
979 if (p_response != NULL) {
980 EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n);
981 // do the tracing for the previous reader request and this tag answer:
982
983
984 // EmLogTrace(Uart.output,
985 // Uart.len,
986 // Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
987 // Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
988 // Uart.parity,
989 // p_response->response,
990 // p_response->response_n,
991 // LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
992 // (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
993 // par);
994
995 }
996
997// if (!tracing) {
998// Dbprintf("Trace Full. Simulation stopped.");
999// break;
1000// }
1001
1002 }
1003
1004 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1005 LED_A_OFF();
1006 BigBuf_free_keep_EM();
1007
1008 */
1009}
1010//-----------------------------------------------------------------------------
1011// Main loop of simulated tag: receive commands from reader, decide what
1012// response to send, and send it.
1013//-----------------------------------------------------------------------------
1014void EMVFuzz_RATS(uint8_t ratslen, uint8_t* RATS)
1015{
1016 int len;
1017 uint8_t sak = 0x28;
1018 //copy input rats into a buffer
1019 uint8_t ratscmd[ratslen+2];
1020 memcpy(ratscmd, RATS, ratslen);
1021
1022 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
1023 uint8_t atqa[2] = {0x04, 0x00};
1024
1025 // The second response contains the (mandatory) first 24 bits of the UID
1026 uint8_t uid0[5] = {0x12,0x34,0x56,0x78,0x9A};
1027
1028 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1029 uid0[4] = uid0[0] ^ uid0[1] ^ uid0[2] ^ uid0[3];
1030
1031 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1032 uint8_t sakresponse[3];
1033 sakresponse[0] = sak;
1034 ComputeCrc14443(CRC_14443_A, sakresponse, 1, &sakresponse[1], &sakresponse[2]);
1035
1036 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1037
1038 uint8_t ACK1[] = {0xa3,0x6f,0xc6}; //ACK packets
1039 uint8_t ACK2[] = {0xa2,0x00,0x00};
1040 AppendCrc14443a(ACK2, 1);
1041
1042 AppendCrc14443a(ratscmd, sizeof(ratscmd)-2);
1043
1044 //handle the PPS selection
1045 uint8_t PPSR[3] = {0xD0,0x00,0x00};
1046 AppendCrc14443a(PPSR, 1);
1047
1048 //#define TAG_RESPONSE_COUNT 9
1049 tag_response_info_t responses[7] = {
1050 { .response = atqa, .response_n = sizeof(atqa) }, // Answer to request - respond with card type
1051 { .response = uid0, .response_n = sizeof(uid0) }, // Anticollision cascade1 - respond with uid
1052 { .response = sakresponse, .response_n = sizeof(sakresponse) }, // Acknowledge select - cascade 1
1053 { .response = ratscmd, .response_n = sizeof(ratscmd) }, // dummy ATS (pseudo-ATR), answer to RATS
1054 { .response = ACK1, .response_n = sizeof(ACK1) }, // dummy ATS (pseudo-ATR), answer to RATS
1055 { .response = ACK2, .response_n = sizeof(ACK2) }, // dummy ATS (pseudo-ATR), answer to RATS
1056 { .response = PPSR, .response_n = sizeof(PPSR) }, // dummy ATS (pseudo-ATR), answer to RATS
1057 };
1058
1059 // Reset the offset pointer of the free buffer
1060 //reset_free_buffer();
1061
1062 // Prepare the responses of the anticollision phase
1063 // there will be not enough time to do this at the moment the reader sends it REQA
1064 for (size_t i=0; i<7; i++) {
1065 prepare_allocated_tag_modulation(&responses[i]);
1066 }
1067 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
1068 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
1069
1070 // To control where we are in the protocol
1071 int order = 0;
1072
1073 // We need to listen to the high-frequency, peak-detected path.
1074 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1075 tag_response_info_t* p_response;
1076
1077 LED_C_ON();
1078 // Clean receive command buffer
1079 for(;;){
1080 if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)){
1081 break;
1082 }
1083 p_response = NULL;
1084
1085 if ((receivedCmd[0] == 0x26) || (receivedCmd[0] == 0x52)) { // Received a REQUEST
1086 p_response = &responses[0]; order = 1;
1087 }
1088 if (receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
1089 p_response = &responses[1]; order = 2; //send the UID
1090 }
1091 if (receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
1092 p_response = &responses[2]; order = 3; //send the SAK
1093 }
1094 if (receivedCmd[0] == 0xD0) { // Received a PPS request
1095 p_response = &responses[6]; order = 70;
1096 }
1097 if (receivedCmd[0] == 0xE0) { // Received a RATS request
1098 p_response = &responses[3]; order = 70;
1099 EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n);
1100 break;
1101 }
1102 if (p_response != NULL){
1103 EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n);
1104 } else {
1105 break;
1106 }
1107 }
1108
1109 if (order && (MF_DBGLEVEL >= 2)) DbpString("just using order vars");
1110
1111 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1112 LED_C_OFF();
1113 return;
1114}
Proxmark3 GIT tracking
Impressum, Datenschutz