]>
Commit | Line | Data |
---|---|---|
1 | //----------------------------------------------------------------------------- | |
2 | // Merlok - June 2011, 2012 | |
3 | // Gerhard de Koning Gans - May 2008 | |
4 | // Hagen Fritsch - June 2010 | |
5 | // | |
6 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
7 | // at your option, any later version. See the LICENSE.txt file for the text of | |
8 | // the license. | |
9 | //----------------------------------------------------------------------------- | |
10 | // Mifare Classic Card Simulation | |
11 | //----------------------------------------------------------------------------- | |
12 | ||
13 | #include "mifaresim.h" | |
14 | #include "iso14443a.h" | |
15 | #include "iso14443crc.h" | |
16 | #include "crapto1/crapto1.h" | |
17 | #include "BigBuf.h" | |
18 | #include "string.h" | |
19 | #include "mifareutil.h" | |
20 | #include "fpgaloader.h" | |
21 | #include "proxmark3.h" | |
22 | #include "usb_cdc.h" | |
23 | #include "cmd.h" | |
24 | #include "protocols.h" | |
25 | #include "apps.h" | |
26 | ||
27 | //mifare emulator states | |
28 | #define MFEMUL_NOFIELD 0 | |
29 | #define MFEMUL_IDLE 1 | |
30 | #define MFEMUL_SELECT1 2 | |
31 | #define MFEMUL_SELECT2 3 | |
32 | #define MFEMUL_SELECT3 4 | |
33 | #define MFEMUL_AUTH1 5 | |
34 | #define MFEMUL_AUTH2 6 | |
35 | #define MFEMUL_WORK 7 | |
36 | #define MFEMUL_WRITEBL2 8 | |
37 | #define MFEMUL_INTREG_INC 9 | |
38 | #define MFEMUL_INTREG_DEC 10 | |
39 | #define MFEMUL_INTREG_REST 11 | |
40 | #define MFEMUL_HALTED 12 | |
41 | ||
42 | #define cardSTATE_TO_IDLE() { cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF(); } | |
43 | ||
44 | ||
45 | ||
46 | static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len) { | |
47 | ||
48 | #define TAG_RESPONSE_COUNT 5 // number of precompiled responses | |
49 | static uint8_t rATQA[] = {0x04, 0x00}; // indicate Mifare classic 1k 4Byte UID | |
50 | static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level | |
51 | static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level | |
52 | static uint8_t rSAKfinal[]= {0x08, 0xb6, 0xdd}; // mifare 1k indicated | |
53 | static uint8_t rSAK1[] = {0x04, 0xda, 0x17}; // indicate UID not finished | |
54 | ||
55 | *uid_len = 4; | |
56 | // UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long | |
57 | if (flags & FLAG_4B_UID_IN_DATA) { // get UID from datain | |
58 | memcpy(rUIDBCC1, datain, 4); | |
59 | } else if (flags & FLAG_7B_UID_IN_DATA) { | |
60 | rUIDBCC1[0] = 0x88; | |
61 | memcpy(rUIDBCC1+1, datain, 3); | |
62 | memcpy(rUIDBCC2, datain+3, 4); | |
63 | *uid_len = 7; | |
64 | } else { | |
65 | uint8_t probable_atqa; | |
66 | emlGetMemBt(&probable_atqa, 7, 1); // get UID from emul memory - weak guess at length | |
67 | if (probable_atqa == 0x00) { // ---------- 4BUID | |
68 | emlGetMemBt(rUIDBCC1, 0, 4); | |
69 | } else { // ---------- 7BUID | |
70 | rUIDBCC1[0] = 0x88; | |
71 | emlGetMemBt(rUIDBCC1+1, 0, 3); | |
72 | emlGetMemBt(rUIDBCC2, 3, 4); | |
73 | *uid_len = 7; | |
74 | } | |
75 | } | |
76 | ||
77 | switch (*uid_len) { | |
78 | case 4: | |
79 | *cuid = bytes_to_num(rUIDBCC1, 4); | |
80 | rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; | |
81 | if (MF_DBGLEVEL >= 2) { | |
82 | Dbprintf("4B UID: %02x%02x%02x%02x", | |
83 | rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3] ); | |
84 | } | |
85 | break; | |
86 | case 7: | |
87 | rATQA[0] |= 0x40; | |
88 | *cuid = bytes_to_num(rUIDBCC2, 4); | |
89 | rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; | |
90 | rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; | |
91 | if (MF_DBGLEVEL >= 2) { | |
92 | Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x", | |
93 | rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3] ); | |
94 | } | |
95 | break; | |
96 | default: | |
97 | break; | |
98 | } | |
99 | ||
100 | static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = { | |
101 | { .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type | |
102 | { .response = rUIDBCC1, .response_n = sizeof(rUIDBCC1) }, // Anticollision cascade1 - respond with first part of uid | |
103 | { .response = rUIDBCC2, .response_n = sizeof(rUIDBCC2) }, // Anticollision cascade2 - respond with 2nd part of uid | |
104 | { .response = rSAKfinal, .response_n = sizeof(rSAKfinal) }, // Acknowledge select - last cascade | |
105 | { .response = rSAK1, .response_n = sizeof(rSAK1) } // Acknowledge select - previous cascades | |
106 | }; | |
107 | ||
108 | // Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT | |
109 | // There are 7 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) | |
110 | // 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits -> need 177 bytes buffer | |
111 | #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177 // number of bytes required for precompiled responses | |
112 | ||
113 | uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE); | |
114 | size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE; | |
115 | for (size_t i = 0; i < TAG_RESPONSE_COUNT; i++) { | |
116 | prepare_allocated_tag_modulation(&responses_init[i], &free_buffer_pointer, &free_buffer_size); | |
117 | } | |
118 | ||
119 | *responses = responses_init; | |
120 | ||
121 | // indices into responses array: | |
122 | #define ATQA 0 | |
123 | #define UIDBCC1 1 | |
124 | #define UIDBCC2 2 | |
125 | #define SAKfinal 3 | |
126 | #define SAK1 4 | |
127 | ||
128 | } | |
129 | ||
130 | ||
131 | static bool HasValidCRC(uint8_t *receivedCmd, uint16_t receivedCmd_len) { | |
132 | uint8_t CRC_byte_1, CRC_byte_2; | |
133 | ComputeCrc14443(CRC_14443_A, receivedCmd, receivedCmd_len-2, &CRC_byte_1, &CRC_byte_2); | |
134 | return (receivedCmd[receivedCmd_len-2] == CRC_byte_1 && receivedCmd[receivedCmd_len-1] == CRC_byte_2); | |
135 | } | |
136 | ||
137 | ||
138 | /** | |
139 | *MIFARE 1K simulate. | |
140 | * | |
141 | *@param flags : | |
142 | * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK | |
143 | * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that | |
144 | * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that | |
145 | * FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished | |
146 | * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later | |
147 | * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack) | |
148 | *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ... | |
149 | * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted) | |
150 | */ | |
151 | void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) | |
152 | { | |
153 | tag_response_info_t *responses; | |
154 | uint8_t uid_len = 4; | |
155 | uint32_t cuid = 0; | |
156 | uint8_t cardWRBL = 0; | |
157 | uint8_t cardAUTHSC = 0; | |
158 | uint8_t cardAUTHKEY = 0xff; // no authentication | |
159 | uint32_t cardRr = 0; | |
160 | //uint32_t rn_enc = 0; | |
161 | uint32_t ans = 0; | |
162 | uint32_t cardINTREG = 0; | |
163 | uint8_t cardINTBLOCK = 0; | |
164 | struct Crypto1State mpcs = {0, 0}; | |
165 | struct Crypto1State *pcs; | |
166 | pcs = &mpcs; | |
167 | uint32_t numReads = 0;//Counts numer of times reader reads a block | |
168 | uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE]; | |
169 | uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE]; | |
170 | uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE]; | |
171 | uint16_t receivedCmd_len; | |
172 | uint8_t response[MAX_MIFARE_FRAME_SIZE]; | |
173 | uint8_t response_par[MAX_MIFARE_PARITY_SIZE]; | |
174 | ||
175 | uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04}; | |
176 | uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; | |
177 | ||
178 | //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2 | |
179 | // This will be used in the reader-only attack. | |
180 | ||
181 | //allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys | |
182 | #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7) | |
183 | nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes | |
184 | memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); | |
185 | ||
186 | uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; //*2 for 2nd attack type (moebius) | |
187 | memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected)); | |
188 | uint8_t nonce1_count = 0; | |
189 | uint8_t nonce2_count = 0; | |
190 | uint8_t moebius_n_count = 0; | |
191 | bool gettingMoebius = false; | |
192 | uint8_t mM = 0; //moebius_modifier for collection storage | |
193 | ||
194 | // Authenticate response - nonce | |
195 | uint32_t nonce; | |
196 | if (flags & FLAG_RANDOM_NONCE) { | |
197 | nonce = prand(); | |
198 | } else { | |
199 | nonce = bytes_to_num(rAUTH_NT, 4); | |
200 | } | |
201 | ||
202 | // free eventually allocated BigBuf memory but keep Emulator Memory | |
203 | BigBuf_free_keep_EM(); | |
204 | ||
205 | MifareSimInit(flags, datain, &responses, &cuid, &uid_len); | |
206 | ||
207 | // We need to listen to the high-frequency, peak-detected path. | |
208 | iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN); | |
209 | ||
210 | // clear trace | |
211 | clear_trace(); | |
212 | set_tracing(true); | |
213 | ResetSspClk(); | |
214 | ||
215 | bool finished = false; | |
216 | bool button_pushed = BUTTON_PRESS(); | |
217 | int cardSTATE = MFEMUL_NOFIELD; | |
218 | ||
219 | while (!button_pushed && !finished && !usb_poll_validate_length()) { | |
220 | WDT_HIT(); | |
221 | ||
222 | // find reader field | |
223 | if (cardSTATE == MFEMUL_NOFIELD) { | |
224 | int vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10; | |
225 | if (vHf > MF_MINFIELDV) { | |
226 | LED_A_ON(); | |
227 | cardSTATE_TO_IDLE(); | |
228 | } | |
229 | button_pushed = BUTTON_PRESS(); | |
230 | continue; | |
231 | } | |
232 | ||
233 | //Now, get data | |
234 | int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par); | |
235 | ||
236 | if (res == 2) { //Field is off! | |
237 | LEDsoff(); | |
238 | cardSTATE = MFEMUL_NOFIELD; | |
239 | continue; | |
240 | } else if (res == 1) { // button pressed | |
241 | button_pushed = true; | |
242 | break; | |
243 | } | |
244 | ||
245 | // WUPA in HALTED state or REQA or WUPA in any other state | |
246 | if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) { | |
247 | EmSendPrecompiledCmd(&responses[ATQA], (receivedCmd[0] == ISO14443A_CMD_WUPA)); | |
248 | ||
249 | // init crypto block | |
250 | crypto1_destroy(pcs); | |
251 | cardAUTHKEY = 0xff; | |
252 | if (flags & FLAG_RANDOM_NONCE) { | |
253 | nonce = prand(); | |
254 | } | |
255 | LED_B_OFF(); | |
256 | LED_C_OFF(); | |
257 | cardSTATE = MFEMUL_SELECT1; | |
258 | continue; | |
259 | } | |
260 | ||
261 | switch (cardSTATE) { | |
262 | case MFEMUL_NOFIELD: | |
263 | case MFEMUL_HALTED: | |
264 | case MFEMUL_IDLE:{ | |
265 | break; | |
266 | } | |
267 | case MFEMUL_SELECT1:{ | |
268 | // select all - 0x93 0x20 | |
269 | if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) { | |
270 | if (MF_DBGLEVEL >= 4) Dbprintf("SELECT ALL CL1 received"); | |
271 | EmSendPrecompiledCmd(&responses[UIDBCC1], false); | |
272 | break; | |
273 | } | |
274 | // select card - 0x93 0x70 ... | |
275 | if (receivedCmd_len == 9 && | |
276 | (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC1].response, 4) == 0)) { | |
277 | if (MF_DBGLEVEL >= 4) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]); | |
278 | if (uid_len == 4) { | |
279 | EmSendPrecompiledCmd(&responses[SAKfinal], false); | |
280 | LED_B_ON(); | |
281 | cardSTATE = MFEMUL_WORK; | |
282 | break; | |
283 | } else if (uid_len == 7) { | |
284 | EmSendPrecompiledCmd(&responses[SAK1], false); | |
285 | cardSTATE = MFEMUL_SELECT2; | |
286 | break; | |
287 | } | |
288 | } | |
289 | cardSTATE_TO_IDLE(); | |
290 | break; | |
291 | } | |
292 | case MFEMUL_SELECT2:{ | |
293 | // select all cl2 - 0x95 0x20 | |
294 | if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) { | |
295 | if (MF_DBGLEVEL >= 4) Dbprintf("SELECT ALL CL2 received"); | |
296 | EmSendPrecompiledCmd(&responses[UIDBCC2], false); | |
297 | break; | |
298 | } | |
299 | // select cl2 card - 0x95 0x70 xxxxxxxxxxxx | |
300 | if (receivedCmd_len == 9 && | |
301 | (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC2].response, 4) == 0)) { | |
302 | if (uid_len == 7) { | |
303 | if (MF_DBGLEVEL >= 4) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]); | |
304 | EmSendPrecompiledCmd(&responses[SAKfinal], false); | |
305 | LED_B_ON(); | |
306 | cardSTATE = MFEMUL_WORK; | |
307 | break; | |
308 | } | |
309 | } | |
310 | cardSTATE_TO_IDLE(); | |
311 | break; | |
312 | } | |
313 | case MFEMUL_WORK:{ | |
314 | if (receivedCmd_len != 4) { // all commands must have exactly 4 bytes | |
315 | break; | |
316 | } | |
317 | bool encrypted_data = (cardAUTHKEY != 0xFF) ; | |
318 | if (encrypted_data) { | |
319 | // decrypt seqence | |
320 | mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec); | |
321 | } else { | |
322 | memcpy(receivedCmd_dec, receivedCmd, receivedCmd_len); | |
323 | } | |
324 | if (!HasValidCRC(receivedCmd_dec, receivedCmd_len)) { // all commands must have a valid CRC | |
325 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
326 | break; | |
327 | } | |
328 | if (receivedCmd_dec[0] == MIFARE_AUTH_KEYA || receivedCmd_dec[0] == MIFARE_AUTH_KEYB) { | |
329 | // if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack | |
330 | if (receivedCmd_dec[1] >= 16 * 4 && !(flags & FLAG_NR_AR_ATTACK)) { | |
331 | //is this the correct response to an auth on a out of range block? marshmellow | |
332 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
333 | if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]); | |
334 | break; | |
335 | } | |
336 | cardAUTHSC = receivedCmd_dec[1] / 4; // received block num | |
337 | cardAUTHKEY = receivedCmd_dec[0] & 0x01; | |
338 | crypto1_destroy(pcs);//Added by martin | |
339 | crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); | |
340 | if (!encrypted_data) { // first authentication | |
341 | if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY); | |
342 | crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state | |
343 | num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce | |
344 | } else { // nested authentication | |
345 | if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY); | |
346 | ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); | |
347 | num_to_bytes(ans, 4, rAUTH_AT); | |
348 | } | |
349 | EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); | |
350 | cardSTATE = MFEMUL_AUTH1; | |
351 | break; | |
352 | } | |
353 | if (!encrypted_data) { // all other commands must be encrypted (authenticated) | |
354 | break; | |
355 | } | |
356 | if(receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK | |
357 | || receivedCmd_dec[0] == ISO14443A_CMD_WRITEBLOCK | |
358 | || receivedCmd_dec[0] == MIFARE_CMD_INC | |
359 | || receivedCmd_dec[0] == MIFARE_CMD_DEC | |
360 | || receivedCmd_dec[0] == MIFARE_CMD_RESTORE | |
361 | || receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) { | |
362 | if (receivedCmd_dec[1] >= 16 * 4) { | |
363 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
364 | if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]); | |
365 | break; | |
366 | } | |
367 | if (receivedCmd_dec[1] / 4 != cardAUTHSC) { | |
368 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
369 | if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC); | |
370 | break; | |
371 | } | |
372 | } | |
373 | if (receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK) { | |
374 | if (MF_DBGLEVEL >= 4) { | |
375 | Dbprintf("Reader reading block %d (0x%02x)",receivedCmd_dec[1],receivedCmd_dec[1]); | |
376 | } | |
377 | emlGetMem(response, receivedCmd_dec[1], 1); | |
378 | AppendCrc14443a(response, 16); | |
379 | mf_crypto1_encrypt(pcs, response, 18, response_par); | |
380 | EmSendCmdPar(response, 18, response_par); | |
381 | numReads++; | |
382 | if(exitAfterNReads > 0 && numReads == exitAfterNReads) { | |
383 | Dbprintf("%d reads done, exiting", numReads); | |
384 | finished = true; | |
385 | } | |
386 | break; | |
387 | } | |
388 | if (receivedCmd_dec[0] == ISO14443A_CMD_WRITEBLOCK) { | |
389 | if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd_dec[1],receivedCmd_dec[1]); | |
390 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
391 | cardWRBL = receivedCmd_dec[1]; | |
392 | cardSTATE = MFEMUL_WRITEBL2; | |
393 | break; | |
394 | } | |
395 | if (receivedCmd_dec[0] == MIFARE_CMD_INC || receivedCmd_dec[0] == MIFARE_CMD_DEC || receivedCmd_dec[0] == MIFARE_CMD_RESTORE) { | |
396 | if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]); | |
397 | if (emlCheckValBl(receivedCmd_dec[1])) { | |
398 | if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking"); | |
399 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
400 | break; | |
401 | } | |
402 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
403 | cardWRBL = receivedCmd_dec[1]; | |
404 | if (receivedCmd_dec[0] == MIFARE_CMD_INC) | |
405 | cardSTATE = MFEMUL_INTREG_INC; | |
406 | if (receivedCmd_dec[0] == MIFARE_CMD_DEC) | |
407 | cardSTATE = MFEMUL_INTREG_DEC; | |
408 | if (receivedCmd_dec[0] == MIFARE_CMD_RESTORE) | |
409 | cardSTATE = MFEMUL_INTREG_REST; | |
410 | break; | |
411 | } | |
412 | if (receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) { | |
413 | if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]); | |
414 | if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd_dec[1])) | |
415 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
416 | else | |
417 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
418 | break; | |
419 | } | |
420 | // halt | |
421 | if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) { | |
422 | if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED."); | |
423 | LED_B_OFF(); | |
424 | LED_C_OFF(); | |
425 | cardSTATE = MFEMUL_HALTED; | |
426 | break; | |
427 | } | |
428 | // command not allowed | |
429 | if (MF_DBGLEVEL >= 4) Dbprintf("Received command not allowed, nacking"); | |
430 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
431 | break; | |
432 | } | |
433 | case MFEMUL_AUTH1:{ | |
434 | if (receivedCmd_len != 8) { | |
435 | cardSTATE_TO_IDLE(); | |
436 | break; | |
437 | } | |
438 | ||
439 | uint32_t nr = bytes_to_num(receivedCmd, 4); | |
440 | uint32_t ar = bytes_to_num(&receivedCmd[4], 4); | |
441 | ||
442 | // Collect AR/NR per keytype & sector | |
443 | if(flags & FLAG_NR_AR_ATTACK) { | |
444 | for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { | |
445 | if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) { | |
446 | // if first auth for sector, or matches sector and keytype of previous auth | |
447 | if (ar_nr_collected[i+mM] < 2) { | |
448 | // if we haven't already collected 2 nonces for this sector | |
449 | if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) { | |
450 | // Avoid duplicates... probably not necessary, ar should vary. | |
451 | if (ar_nr_collected[i+mM]==0) { | |
452 | // first nonce collect | |
453 | ar_nr_resp[i+mM].cuid = cuid; | |
454 | ar_nr_resp[i+mM].sector = cardAUTHSC; | |
455 | ar_nr_resp[i+mM].keytype = cardAUTHKEY; | |
456 | ar_nr_resp[i+mM].nonce = nonce; | |
457 | ar_nr_resp[i+mM].nr = nr; | |
458 | ar_nr_resp[i+mM].ar = ar; | |
459 | nonce1_count++; | |
460 | // add this nonce to first moebius nonce | |
461 | ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid; | |
462 | ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC; | |
463 | ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY; | |
464 | ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce; | |
465 | ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr; | |
466 | ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar; | |
467 | ar_nr_collected[i+ATTACK_KEY_COUNT]++; | |
468 | } else { // second nonce collect (std and moebius) | |
469 | ar_nr_resp[i+mM].nonce2 = nonce; | |
470 | ar_nr_resp[i+mM].nr2 = nr; | |
471 | ar_nr_resp[i+mM].ar2 = ar; | |
472 | if (!gettingMoebius) { | |
473 | nonce2_count++; | |
474 | // check if this was the last second nonce we need for std attack | |
475 | if ( nonce2_count == nonce1_count ) { | |
476 | // done collecting std test switch to moebius | |
477 | // first finish incrementing last sample | |
478 | ar_nr_collected[i+mM]++; | |
479 | // switch to moebius collection | |
480 | gettingMoebius = true; | |
481 | mM = ATTACK_KEY_COUNT; | |
482 | if (flags & FLAG_RANDOM_NONCE) { | |
483 | nonce = prand(); | |
484 | } else { | |
485 | nonce = nonce*7; | |
486 | } | |
487 | break; | |
488 | } | |
489 | } else { | |
490 | moebius_n_count++; | |
491 | // if we've collected all the nonces we need - finish. | |
492 | if (nonce1_count == moebius_n_count) finished = true; | |
493 | } | |
494 | } | |
495 | ar_nr_collected[i+mM]++; | |
496 | } | |
497 | } | |
498 | // we found right spot for this nonce stop looking | |
499 | break; | |
500 | } | |
501 | } | |
502 | } | |
503 | ||
504 | // --- crypto | |
505 | crypto1_word(pcs, nr , 1); | |
506 | cardRr = ar ^ crypto1_word(pcs, 0, 0); | |
507 | ||
508 | // test if auth OK | |
509 | if (cardRr != prng_successor(nonce, 64)){ | |
510 | if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x", | |
511 | cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B', | |
512 | cardRr, prng_successor(nonce, 64)); | |
513 | // Shouldn't we respond anything here? | |
514 | // Right now, we don't nack or anything, which causes the | |
515 | // reader to do a WUPA after a while. /Martin | |
516 | // -- which is the correct response. /piwi | |
517 | cardAUTHKEY = 0xff; // not authenticated | |
518 | cardSTATE_TO_IDLE(); | |
519 | break; | |
520 | } | |
521 | ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0); | |
522 | num_to_bytes(ans, 4, rAUTH_AT); | |
523 | EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); | |
524 | if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B'); | |
525 | LED_C_ON(); | |
526 | cardSTATE = MFEMUL_WORK; | |
527 | break; | |
528 | } | |
529 | case MFEMUL_WRITEBL2:{ | |
530 | if (receivedCmd_len == 18) { | |
531 | mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec); | |
532 | if (HasValidCRC(receivedCmd_dec, receivedCmd_len)) { | |
533 | emlSetMem(receivedCmd_dec, cardWRBL, 1); | |
534 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
535 | cardSTATE = MFEMUL_WORK; | |
536 | break; | |
537 | } | |
538 | } | |
539 | cardSTATE_TO_IDLE(); | |
540 | break; | |
541 | } | |
542 | case MFEMUL_INTREG_INC:{ | |
543 | if (receivedCmd_len == 6) { | |
544 | mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans); | |
545 | if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { | |
546 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
547 | cardSTATE_TO_IDLE(); | |
548 | break; | |
549 | } | |
550 | cardINTREG = cardINTREG + ans; | |
551 | } | |
552 | cardSTATE = MFEMUL_WORK; | |
553 | break; | |
554 | } | |
555 | case MFEMUL_INTREG_DEC:{ | |
556 | if (receivedCmd_len == 6) { | |
557 | mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans); | |
558 | if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { | |
559 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
560 | cardSTATE_TO_IDLE(); | |
561 | break; | |
562 | } | |
563 | } | |
564 | cardINTREG = cardINTREG - ans; | |
565 | cardSTATE = MFEMUL_WORK; | |
566 | break; | |
567 | } | |
568 | case MFEMUL_INTREG_REST:{ | |
569 | mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans); | |
570 | if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { | |
571 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
572 | cardSTATE_TO_IDLE(); | |
573 | break; | |
574 | } | |
575 | cardSTATE = MFEMUL_WORK; | |
576 | break; | |
577 | } | |
578 | } | |
579 | button_pushed = BUTTON_PRESS(); | |
580 | } | |
581 | ||
582 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
583 | LEDsoff(); | |
584 | ||
585 | if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) { | |
586 | for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { | |
587 | if (ar_nr_collected[i] == 2) { | |
588 | Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector); | |
589 | Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x", | |
590 | ar_nr_resp[i].cuid, //UID | |
591 | ar_nr_resp[i].nonce, //NT | |
592 | ar_nr_resp[i].nr, //NR1 | |
593 | ar_nr_resp[i].ar, //AR1 | |
594 | ar_nr_resp[i].nr2, //NR2 | |
595 | ar_nr_resp[i].ar2 //AR2 | |
596 | ); | |
597 | } | |
598 | } | |
599 | for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) { | |
600 | if (ar_nr_collected[i] == 2) { | |
601 | Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector); | |
602 | Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x", | |
603 | ar_nr_resp[i].cuid, //UID | |
604 | ar_nr_resp[i].nonce, //NT | |
605 | ar_nr_resp[i].nr, //NR1 | |
606 | ar_nr_resp[i].ar, //AR1 | |
607 | ar_nr_resp[i].nonce2,//NT2 | |
608 | ar_nr_resp[i].nr2, //NR2 | |
609 | ar_nr_resp[i].ar2 //AR2 | |
610 | ); | |
611 | } | |
612 | } | |
613 | } | |
614 | if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen()); | |
615 | ||
616 | if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK | |
617 | //Send the collected ar_nr in the response | |
618 | cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,button_pushed,0,&ar_nr_resp,sizeof(ar_nr_resp)); | |
619 | } | |
620 | } |