]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf.c
ADD: scripts/tracetest.lua is a simple script that tries to load from traces folder...
[proxmark3-svn] / client / cmdhf.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include "proxmark3.h"
14 #include "graph.h"
15 #include "ui.h"
16 #include "cmdparser.h"
17 #include "cmdhf.h"
18 #include "cmdhf14a.h"
19 #include "cmdhf14b.h"
20 #include "cmdhf15.h"
21 #include "cmdhfepa.h"
22 #include "cmdhflegic.h"
23 #include "cmdhficlass.h"
24 #include "cmdhfmf.h"
25 #include "cmdhfmfu.h"
26 #include "cmdhfmfdes.h"
27 #include "cmdhfdes.h"
28
29 static int CmdHelp(const char *Cmd);
30
31 int CmdHFTune(const char *Cmd)
32 {
33 UsbCommand c={CMD_MEASURE_ANTENNA_TUNING_HF};
34 SendCommand(&c);
35 return 0;
36 }
37 // for the time being. Need better Bigbuf handling.
38 #define TRACE_SIZE 3000
39
40 //The following data is taken from http://www.proxmark.org/forum/viewtopic.php?pid=13501#p13501
41 /*
42 ISO14443A (usually NFC tags)
43 26 (7bits) = REQA
44 30 = Read (usage: 30+1byte block number+2bytes ISO14443A-CRC - answer: 16bytes)
45 A2 = Write (usage: A2+1byte block number+4bytes data+2bytes ISO14443A-CRC - answer: 0A [ACK] or 00 [NAK])
46 52 (7bits) = WUPA (usage: 52(7bits) - answer: 2bytes ATQA)
47 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
48 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK)
49 95 20 = Anticollision of cascade level2
50 95 70 = Select of cascade level2
51 50 00 = Halt (usage: 5000+2bytes ISO14443A-CRC - no answer from card)
52 Mifare
53 60 = Authenticate with KeyA
54 61 = Authenticate with KeyB
55 40 (7bits) = Used to put Chinese Changeable UID cards in special mode (must be followed by 43 (8bits) - answer: 0A)
56 C0 = Decrement
57 C1 = Increment
58 C2 = Restore
59 B0 = Transfer
60 Ultralight C
61 A0 = Compatibility Write (to accomodate MIFARE commands)
62 1A = Step1 Authenticate
63 AF = Step2 Authenticate
64
65
66 ISO14443B
67 05 = REQB
68 1D = ATTRIB
69 50 = HALT
70 SRIX4K (tag does not respond to 05)
71 06 00 = INITIATE
72 0E xx = SELECT ID (xx = Chip-ID)
73 0B = Get UID
74 08 yy = Read Block (yy = block number)
75 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written)
76 0C = Reset to Inventory
77 0F = Completion
78 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate)
79
80
81 ISO15693
82 MANDATORY COMMANDS (all ISO15693 tags must support those)
83 01 = Inventory (usage: 260100+2bytes ISO15693-CRC - answer: 12bytes)
84 02 = Stay Quiet
85 OPTIONAL COMMANDS (not all tags support them)
86 20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes)
87 21 = Write Block (usage: 0221+1byte block number+4bytes data+2bytes ISO15693-CRC - answer: 4bytes)
88 22 = Lock Block
89 23 = Read Multiple Blocks (usage: 0223+1byte 1st block to read+1byte last block to read+2bytes ISO15693-CRC)
90 25 = Select
91 26 = Reset to Ready
92 27 = Write AFI
93 28 = Lock AFI
94 29 = Write DSFID
95 2A = Lock DSFID
96 2B = Get_System_Info (usage: 022B+2bytes ISO15693-CRC - answer: 14 or more bytes)
97 2C = Read Multiple Block Security Status (usage: 022C+1byte 1st block security to read+1byte last block security to read+2bytes ISO15693-CRC)
98
99 EM Microelectronic CUSTOM COMMANDS
100 A5 = Active EAS (followed by 1byte IC Manufacturer code+1byte EAS type)
101 A7 = Write EAS ID (followed by 1byte IC Manufacturer code+2bytes EAS value)
102 B8 = Get Protection Status for a specific block (followed by 1byte IC Manufacturer code+1byte block number+1byte of how many blocks after the previous is needed the info)
103 E4 = Login (followed by 1byte IC Manufacturer code+4bytes password)
104 NXP/Philips CUSTOM COMMANDS
105 A0 = Inventory Read
106 A1 = Fast Inventory Read
107 A2 = Set EAS
108 A3 = Reset EAS
109 A4 = Lock EAS
110 A5 = EAS Alarm
111 A6 = Password Protect EAS
112 A7 = Write EAS ID
113 A8 = Read EPC
114 B0 = Inventory Page Read
115 B1 = Fast Inventory Page Read
116 B2 = Get Random Number
117 B3 = Set Password
118 B4 = Write Password
119 B5 = Lock Password
120 B6 = Bit Password Protection
121 B7 = Lock Page Protection Condition
122 B8 = Get Multiple Block Protection Status
123 B9 = Destroy SLI
124 BA = Enable Privacy
125 BB = 64bit Password Protection
126 40 = Long Range CMD (Standard ISO/TR7003:1990)
127 */
128
129 #define ICLASS_CMD_ACTALL 0x0A
130 #define ICLASS_CMD_READ_OR_IDENTIFY 0x0C
131 #define ICLASS_CMD_SELECT 0x81
132 #define ICLASS_CMD_PAGESEL 0x84
133 #define ICLASS_CMD_READCHECK 0x88
134 #define ICLASS_CMD_CHECK 0x05
135 #define ICLASS_CMD_SOF 0x0F
136 #define ICLASS_CMD_HALT 0x00
137
138 #define ISO14443_CMD_REQA 0x26
139 #define ISO14443_CMD_READBLOCK 0x30
140 #define ISO14443_CMD_WUPA 0x52
141 #define ISO14443_CMD_ANTICOLL_OR_SELECT 0x93
142 #define ISO14443_CMD_ANTICOLL_OR_SELECT_2 0x95
143 #define ISO14443_CMD_WRITEBLOCK 0xA0 // or 0xA2 ?
144 #define ISO14443_CMD_HALT 0x50
145 #define ISO14443_CMD_RATS 0xE0
146
147 #define MIFARE_AUTH_KEYA 0x60
148 #define MIFARE_AUTH_KEYB 0x61
149 #define MIFARE_MAGICMODE 0x40
150 #define MIFARE_CMD_INC 0xC0
151 #define MIFARE_CMD_DEC 0xC1
152 #define MIFARE_CMD_RESTORE 0xC2
153 #define MIFARE_CMD_TRANSFER 0xB0
154
155 #define MIFARE_ULC_WRITE 0xA0
156 #define MIFARE_ULC_AUTH_1 0x1A
157 #define MIFARE_ULC_AUTH_2 0xAF
158
159 #define ISO14443B_REQB 0x05
160 #define ISO14443B_ATTRIB 0x1D
161 #define ISO14443B_HALT 0x50
162
163 //First byte is 26
164 #define ISO15693_INVENTORY 0x01
165 #define ISO15693_STAYQUIET 0x02
166 //First byte is 02
167 #define ISO15693_READBLOCK 0x20
168 #define ISO15693_WRITEBLOCK 0x21
169 #define ISO15693_LOCKBLOCK 0x22
170 #define ISO15693_READ_MULTI_BLOCK 0x23
171 #define ISO15693_SELECT 0x25
172 #define ISO15693_RESET_TO_READY 0x26
173 #define ISO15693_WRITE_AFI 0x27
174 #define ISO15693_LOCK_AFI 0x28
175 #define ISO15693_WRITE_DSFID 0x29
176 #define ISO15693_LOCK_DSFID 0x2A
177 #define ISO15693_GET_SYSTEM_INFO 0x2B
178 #define ISO15693_READ_MULTI_SECSTATUS 0x2C
179
180
181
182
183 void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
184 {
185 switch(cmd[0])
186 {
187 case ISO14443_CMD_WUPA: snprintf(exp,size,"WUPA"); break;
188 case ISO14443_CMD_ANTICOLL_OR_SELECT:{
189 // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
190 // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK)
191 if(cmd[2] == 0x70)
192 {
193 snprintf(exp,size,"SELECT_UID"); break;
194 }else
195 {
196 snprintf(exp,size,"ANTICOLL"); break;
197 }
198 }
199 case ISO14443_CMD_ANTICOLL_OR_SELECT_2:{
200 //95 20 = Anticollision of cascade level2
201 //95 70 = Select of cascade level2
202 if(cmd[2] == 0x70)
203 {
204 snprintf(exp,size,"SELECT_UID-2"); break;
205 }else
206 {
207 snprintf(exp,size,"ANTICOLL-2"); break;
208 }
209 }
210 case ISO14443_CMD_REQA: snprintf(exp,size,"REQA"); break;
211 case ISO14443_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break;
212 case ISO14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break;
213 case ISO14443_CMD_HALT: snprintf(exp,size,"HALT"); break;
214 case ISO14443_CMD_RATS: snprintf(exp,size,"RATS"); break;
215 case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break;
216 case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break;
217 case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break;
218 case MIFARE_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break;
219 case MIFARE_AUTH_KEYA: snprintf(exp,size,"AUTH-A"); break;
220 case MIFARE_AUTH_KEYB: snprintf(exp,size,"AUTH-B"); break;
221 case MIFARE_MAGICMODE: snprintf(exp,size,"MAGIC"); break;
222 default: snprintf(exp,size,"?"); break;
223 }
224 return;
225 }
226
227 void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
228 {
229 switch(cmd[0])
230 {
231 case ICLASS_CMD_ACTALL: snprintf(exp,size,"ACTALL"); break;
232 case ICLASS_CMD_READ_OR_IDENTIFY:{
233 if(cmdsize > 1){
234 snprintf(exp,size,"READ(%d)",cmd[1]);
235 }else{
236 snprintf(exp,size,"IDENTIFY");
237 }
238 break;
239 }
240 case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break;
241 case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL"); break;
242 case ICLASS_CMD_READCHECK: snprintf(exp,size,"READCHECK"); break;
243 case ICLASS_CMD_CHECK: snprintf(exp,size,"CHECK"); break;
244 case ICLASS_CMD_SOF: snprintf(exp,size,"SOF"); break;
245 case ICLASS_CMD_HALT: snprintf(exp,size,"HALT"); break;
246 default: snprintf(exp,size,"?"); break;
247 }
248 return;
249 }
250
251 void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
252 {
253
254 if(cmd[0] == 0x26)
255 {
256 switch(cmd[1]){
257 case ISO15693_INVENTORY :snprintf(exp, size, "INVENTORY");break;
258 case ISO15693_STAYQUIET :snprintf(exp, size, "STAY_QUIET");break;
259 default: snprintf(exp,size,"?"); break;
260
261 }
262 }else if(cmd[0] == 0x02)
263 {
264 switch(cmd[1])
265 {
266 case ISO15693_READBLOCK :snprintf(exp, size, "READBLOCK");break;
267 case ISO15693_WRITEBLOCK :snprintf(exp, size, "WRITEBLOCK");break;
268 case ISO15693_LOCKBLOCK :snprintf(exp, size, "LOCKBLOCK");break;
269 case ISO15693_READ_MULTI_BLOCK :snprintf(exp, size, "READ_MULTI_BLOCK");break;
270 case ISO15693_SELECT :snprintf(exp, size, "SELECT");break;
271 case ISO15693_RESET_TO_READY :snprintf(exp, size, "RESET_TO_READY");break;
272 case ISO15693_WRITE_AFI :snprintf(exp, size, "WRITE_AFI");break;
273 case ISO15693_LOCK_AFI :snprintf(exp, size, "LOCK_AFI");break;
274 case ISO15693_WRITE_DSFID :snprintf(exp, size, "WRITE_DSFID");break;
275 case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break;
276 case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break;
277 case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break;
278 default: snprintf(exp,size,"?"); break;
279 }
280 }
281 }
282
283 uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool showWaitCycles)
284 {
285 bool isResponse;
286 uint16_t duration, data_len,parity_len;
287
288 uint32_t timestamp, first_timestamp, EndOfTransmissionTimestamp;
289 char explanation[30] = {0};
290
291 first_timestamp = *((uint32_t *)(trace));
292 timestamp = *((uint32_t *)(trace + tracepos));
293 // Break and stick with current result if buffer was not completely full
294 if (timestamp == 0x44444444) return TRACE_SIZE;
295
296 tracepos += 4;
297 duration = *((uint16_t *)(trace + tracepos));
298 tracepos += 2;
299 data_len = *((uint16_t *)(trace + tracepos));
300 tracepos += 2;
301
302 if (data_len & 0x8000) {
303 data_len &= 0x7fff;
304 isResponse = true;
305 } else {
306 isResponse = false;
307 }
308 parity_len = (data_len-1)/8 + 1;
309
310 if (tracepos + data_len + parity_len >= TRACE_SIZE) {
311 return TRACE_SIZE;
312 }
313
314 uint8_t *frame = trace + tracepos;
315 tracepos += data_len;
316 uint8_t *parityBytes = trace + tracepos;
317 tracepos += parity_len;
318
319 //--- Draw the data column
320 char line[16][110];
321 for (int j = 0; j < data_len; j++) {
322 int oddparity = 0x01;
323 int k;
324
325 for (k=0 ; k<8 ; k++) {
326 oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
327 }
328
329 uint8_t parityBits = parityBytes[j>>3];
330
331 if (isResponse && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) {
332 sprintf(line[j/16]+((j%16)*4), "%02x! ", frame[j]);
333 } else {
334 sprintf(line[j/16]+((j%16)*4), "%02x ", frame[j]);
335 }
336 }
337 //--- Draw the CRC column
338 bool crcError = false;
339
340 if (data_len > 2) {
341 uint8_t b1, b2;
342 if(iclass)
343 {
344 if(!isResponse && data_len == 4 ) {
345 // Rough guess that this is a command from the reader
346 // For iClass the command byte is not part of the CRC
347 ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2);
348 } else {
349 // For other data.. CRC might not be applicable (UPDATE commands etc.)
350 ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2);
351 }
352
353 if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
354 crcError = true;
355 }
356
357 } else {//Iso 14443a
358
359 ComputeCrc14443(CRC_14443_A, frame, data_len-2, &b1, &b2);
360
361 if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
362 if(!(isResponse & (data_len < 6)))
363 {
364 crcError = true;
365 }
366 }
367 }
368 }
369 char *crc = crcError ? "!crc" :" ";
370
371 EndOfTransmissionTimestamp = timestamp + duration;
372
373 if(!isResponse)
374 {
375 if(iclass)
376 annotateIclass(explanation,sizeof(explanation),frame,data_len);
377 else
378 annotateIso14443a(explanation,sizeof(explanation),frame,data_len);
379 }
380
381 int num_lines = (data_len - 1)/16 + 1;
382 for (int j = 0; j < num_lines; j++) {
383 if (j == 0) {
384 PrintAndLog(" %9d | %9d | %s | %-64s| %s| %s",
385 (timestamp - first_timestamp),
386 (EndOfTransmissionTimestamp - first_timestamp),
387 (isResponse ? "Tag" : "Rdr"),
388 line[j],
389 (j == num_lines-1) ? crc : " ",
390 (j == num_lines-1) ? explanation : "");
391 } else {
392 PrintAndLog(" | | | %-64s| %s| %s",
393 line[j],
394 (j == num_lines-1) ? crc : " ",
395 (j == num_lines-1) ? explanation : "");
396 }
397 }
398
399 bool next_isResponse = *((uint16_t *)(trace + tracepos + 6)) & 0x8000;
400
401 if (showWaitCycles && !isResponse && next_isResponse) {
402 uint32_t next_timestamp = *((uint32_t *)(trace + tracepos));
403 if (next_timestamp != 0x44444444) {
404 PrintAndLog(" %9d | %9d | %s | fdt (Frame Delay Time): %d",
405 (EndOfTransmissionTimestamp - first_timestamp),
406 (next_timestamp - first_timestamp),
407 " ",
408 (next_timestamp - EndOfTransmissionTimestamp));
409 }
410 }
411 return tracepos;
412 }
413
414 int CmdHFList(const char *Cmd)
415 {
416 bool showWaitCycles = false;
417 char type[40] = {0};
418 int tlen = param_getstr(Cmd,0,type);
419 char param = param_getchar(Cmd, 1);
420 bool errors = false;
421 bool iclass = false;
422 //Validate params
423 if(tlen == 0 || (strcmp(type, "iclass") != 0 && strcmp(type,"14a") != 0))
424 {
425 errors = true;
426 }
427 if(param == 'h' || (param !=0 && param != 'f'))
428 {
429 errors = true;
430 }
431
432 if (errors) {
433 PrintAndLog("List protocol data in trace buffer.");
434 PrintAndLog("Usage: hf list [14a|iclass] [f]");
435 PrintAndLog(" 14a - interpret data as iso14443a communications");
436 PrintAndLog(" iclass - interpret data as iclass communications");
437 PrintAndLog(" f - show frame delay times as well");
438 PrintAndLog("");
439 PrintAndLog("example: hf list 14a f");
440 PrintAndLog("example: hf list iclass");
441 return 0;
442 }
443 if(strcmp(type, "iclass") == 0)
444 {
445 iclass = true;
446 }
447
448 if (param == 'f') {
449 showWaitCycles = true;
450 }
451
452
453 uint8_t trace[TRACE_SIZE];
454 uint16_t tracepos = 0;
455 GetFromBigBuf(trace, TRACE_SIZE, 0);
456 WaitForResponse(CMD_ACK, NULL);
457
458 PrintAndLog("Recorded Activity");
459 PrintAndLog("");
460 PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
461 PrintAndLog("iso14443a - All times are in carrier periods (1/13.56Mhz)");
462 PrintAndLog("iClass - Timings are not as accurate");
463 PrintAndLog("");
464 PrintAndLog(" Start | End | Src | Data (! denotes parity error) | CRC | Annotation |");
465 PrintAndLog("-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|");
466
467 while(tracepos < TRACE_SIZE)
468 {
469 tracepos = printTraceLine(tracepos, trace, iclass, showWaitCycles);
470 }
471 return 0;
472 }
473
474
475 static command_t CommandTable[] =
476 {
477 {"help", CmdHelp, 1, "This help"},
478 {"14a", CmdHF14A, 1, "{ ISO14443A RFIDs... }"},
479 {"14b", CmdHF14B, 1, "{ ISO14443B RFIDs... }"},
480 {"15", CmdHF15, 1, "{ ISO15693 RFIDs... }"},
481 {"epa", CmdHFEPA, 1, "{ German Identification Card... }"},
482 {"legic", CmdHFLegic, 0, "{ LEGIC RFIDs... }"},
483 {"iclass", CmdHFiClass, 1, "{ ICLASS RFIDs... }"},
484 {"mf", CmdHFMF, 1, "{ MIFARE RFIDs... }"},
485 {"mfu", CmdHFMFUltra, 1, "{ MIFARE Ultralight RFIDs... }"},
486 {"mfdes", CmdHFMFDes, 1, "{ MIFARE Desfire RFIDs... }"},
487 {"des", CmdHFDES, 0, "{ MIFARE DESfire}"},
488 {"tune", CmdHFTune, 0, "Continuously measure HF antenna tuning"},
489 {"list", CmdHFList, 1, "List protocol data in trace buffer"},
490 {NULL, NULL, 0, NULL}
491 };
492
493 int CmdHF(const char *Cmd)
494 {
495 CmdsParse(CommandTable, Cmd);
496 return 0;
497 }
498
499 int CmdHelp(const char *Cmd)
500 {
501 CmdsHelp(CommandTable);
502 return 0;
503 }
Impressum, Datenschutz