]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf14a.c
projects / proxmark3-svn / blob
? search:


2600d937c75275a8b2a2b26bddce44ff14aac3aa
[proxmark3-svn] / client / cmdhf14a.c
1 //-----------------------------------------------------------------------------
2 // 2011, Merlok
3 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // High frequency ISO14443A commands
10 //-----------------------------------------------------------------------------
11
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <unistd.h>
16 #include "util.h"
17 #include "iso14443crc.h"
18 #include "data.h"
19 #include "proxmark3.h"
20 #include "ui.h"
21 #include "cmdparser.h"
22 #include "cmdhf14a.h"
23 #include "common.h"
24 #include "cmdmain.h"
25 #include "mifare.h"
26 #include "cmdhfmf.h"
27 #include "cmdhfmfu.h"
28 #include "nonce2key/nonce2key.h"
29 #include "cmdhf.h"
30
31 static int CmdHelp(const char *Cmd);
32 static void waitCmd(uint8_t iLen);
33
34 // structure and database for uid -> tagtype lookups
35 typedef struct {
36 uint8_t uid;
37 char* desc;
38 } manufactureName;
39
40 const manufactureName manufactureMapping[] = {
41 // ID, "Vendor Country"
42 { 0x01, "Motorola UK" },
43 { 0x02, "ST Microelectronics SA France" },
44 { 0x03, "Hitachi, Ltd Japan" },
45 { 0x04, "NXP Semiconductors Germany" },
46 { 0x05, "Infineon Technologies AG Germany" },
47 { 0x06, "Cylink USA" },
48 { 0x07, "Texas Instrument France" },
49 { 0x08, "Fujitsu Limited Japan" },
50 { 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
51 { 0x0A, "NEC Japan" },
52 { 0x0B, "Oki Electric Industry Co. Ltd Japan" },
53 { 0x0C, "Toshiba Corp. Japan" },
54 { 0x0D, "Mitsubishi Electric Corp. Japan" },
55 { 0x0E, "Samsung Electronics Co. Ltd Korea" },
56 { 0x0F, "Hynix / Hyundai, Korea" },
57 { 0x10, "LG-Semiconductors Co. Ltd Korea" },
58 { 0x11, "Emosyn-EM Microelectronics USA" },
59 { 0x12, "INSIDE Technology France" },
60 { 0x13, "ORGA Kartensysteme GmbH Germany" },
61 { 0x14, "SHARP Corporation Japan" },
62 { 0x15, "ATMEL France" },
63 { 0x16, "EM Microelectronic-Marin SA Switzerland" },
64 { 0x17, "KSW Microtec GmbH Germany" },
65 { 0x18, "ZMD AG Germany" },
66 { 0x19, "XICOR, Inc. USA" },
67 { 0x1A, "Sony Corporation Japan" },
68 { 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
69 { 0x1C, "Emosyn USA" },
70 { 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
71 { 0x1E, "Magellan Technology Pty Limited Australia" },
72 { 0x1F, "Melexis NV BO Switzerland" },
73 { 0x20, "Renesas Technology Corp. Japan" },
74 { 0x21, "TAGSYS France" },
75 { 0x22, "Transcore USA" },
76 { 0x23, "Shanghai belling corp., ltd. China" },
77 { 0x24, "Masktech Germany Gmbh Germany" },
78 { 0x25, "Innovision Research and Technology Plc UK" },
79 { 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
80 { 0x27, "Cypak AB Sweden" },
81 { 0x28, "Ricoh Japan" },
82 { 0x29, "ASK France" },
83 { 0x2A, "Unicore Microsystems, LLC Russian Federation" },
84 { 0x2B, "Dallas Semiconductor/Maxim USA" },
85 { 0x2C, "Impinj, Inc. USA" },
86 { 0x2D, "RightPlug Alliance USA" },
87 { 0x2E, "Broadcom Corporation USA" },
88 { 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
89 { 0x30, "BeeDar Technology Inc. USA" },
90 { 0x31, "RFIDsec Denmark" },
91 { 0x32, "Schweizer Electronic AG Germany" },
92 { 0x33, "AMIC Technology Corp Taiwan" },
93 { 0x34, "Mikron JSC Russia" },
94 { 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
95 { 0x36, "IDS Microchip AG Switzerland" },
96 { 0x37, "Kovio USA" },
97 { 0x38, "HMT Microelectronic Ltd Switzerland" },
98 { 0x39, "Silicon Craft Technology Thailand" },
99 { 0x3A, "Advanced Film Device Inc. Japan" },
100 { 0x3B, "Nitecrest Ltd UK" },
101 { 0x3C, "Verayo Inc. USA" },
102 { 0x3D, "HID Global USA" },
103 { 0x3E, "Productivity Engineering Gmbh Germany" },
104 { 0x3F, "Austriamicrosystems AG (reserved) Austria" },
105 { 0x40, "Gemalto SA France" },
106 { 0x41, "Renesas Electronics Corporation Japan" },
107 { 0x42, "3Alogics Inc Korea" },
108 { 0x43, "Top TroniQ Asia Limited Hong Kong" },
109 { 0x44, "Gentag Inc. USA" },
110 { 0x00, "no tag-info available" } // must be the last entry
111 };
112
113
114 // get a product description based on the UID
115 // uid[8] tag uid
116 // returns description of the best match
117 char* getTagInfo(uint8_t uid) {
118
119 int i;
120 int len = sizeof(manufactureMapping) / sizeof(manufactureName);
121
122 for ( i = 0; i < len; ++i )
123 if ( uid == manufactureMapping[i].uid)
124 return manufactureMapping[i].desc;
125
126 //No match, return default
127 return manufactureMapping[len-1].desc;
128 }
129
130 int usage_hf_14a_sim(void) {
131 // PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 or 10 byte UID\n");
132 PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 byte UID\n");
133 PrintAndLog("usage: hf 14a sim [h] t <type> u <uid> [x] [e] [v]");
134 PrintAndLog("options: ");
135 PrintAndLog(" h : This help");
136 PrintAndLog(" t : 1 = MIFARE Classic 1k");
137 PrintAndLog(" 2 = MIFARE Ultralight");
138 PrintAndLog(" 3 = MIFARE Desfire");
139 PrintAndLog(" 4 = ISO/IEC 14443-4");
140 PrintAndLog(" 5 = MIFARE Tnp3xxx");
141 PrintAndLog(" 6 = MIFARE Mini");
142 PrintAndLog(" 7 = AMIIBO (NTAG 215), pack 0x8080");
143 PrintAndLog(" 8 = MIFARE Classic 4k");
144 // PrintAndLog(" u : 4, 7 or 10 byte UID");
145 PrintAndLog(" u : 4, 7 byte UID");
146 PrintAndLog(" x : (Optional) Performs the 'reader attack', nr/ar attack against a reader");
147 PrintAndLog(" e : (Optional) Fill simulator keys from found keys");
148 PrintAndLog(" v : (Optional) Verbose");
149 PrintAndLog("samples:");
150 PrintAndLog(" hf 14a sim t 1 u 11223344 x");
151 PrintAndLog(" hf 14a sim t 1 u 11223344");
152 PrintAndLog(" hf 14a sim t 1 u 11223344556677");
153 // PrintAndLog(" hf 14a sim t 1 u 11223445566778899AA\n");
154 return 0;
155 }
156 int usage_hf_14a_sniff(void){
157 PrintAndLog("It get data from the field and saves it into command buffer.");
158 PrintAndLog("Buffer accessible from command 'hf list 14a'");
159 PrintAndLog("Usage: hf 14a sniff [c][r]");
160 PrintAndLog("c - triggered by first data from card");
161 PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
162 PrintAndLog("sample: hf 14a sniff c r");
163 return 0;
164 }
165 int usage_hf_14a_raw(void){
166 PrintAndLog("Usage: hf 14a raw [-h] [-r] [-c] [-p] [-a] [-T] [-t] <milliseconds> [-b] <number of bits> <0A 0B 0C ... hex>");
167 PrintAndLog(" -h this help");
168 PrintAndLog(" -r do not read response");
169 PrintAndLog(" -c calculate and append CRC");
170 PrintAndLog(" -p leave the signal field ON after receive");
171 PrintAndLog(" -a active signal field ON without select");
172 PrintAndLog(" -s active signal field ON with select");
173 PrintAndLog(" -b number of bits to send. Useful for send partial byte");
174 PrintAndLog(" -t timeout in ms");
175 PrintAndLog(" -T use Topaz protocol to send command");
176 return 0;
177 }
178
179 int CmdHF14AList(const char *Cmd) {
180 //PrintAndLog("Deprecated command, use 'hf list 14a' instead");
181 CmdHFList("14a");
182 return 0;
183 }
184
185 int CmdHF14AReader(const char *Cmd) {
186 UsbCommand cDisconnect = {CMD_READER_ISO_14443a, {0,0,0}};
187 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
188 clearCommandBuffer();
189 SendCommand(&c);
190 UsbCommand resp;
191 WaitForResponse(CMD_ACK, &resp);
192
193 iso14a_card_select_t card;
194 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
195
196 uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
197
198 if(select_status == 0) {
199 if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
200 SendCommand(&cDisconnect);
201 return 0;
202 }
203
204 if(select_status == 3) {
205 PrintAndLog("Card doesn't support standard iso14443-3 anticollision");
206 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
207 SendCommand(&cDisconnect);
208 return 0;
209 }
210
211 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
212 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
213 PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
214
215 switch (card.sak) {
216 case 0x00:
217
218 // ******** is card of the MFU type (UL/ULC/NTAG/ etc etc)
219 ul_switch_off_field();
220
221 uint32_t tagT = GetHF14AMfU_Type();
222 if (tagT != UL_ERROR)
223 ul_print_type(tagT, 0);
224 else
225 PrintAndLog("TYPE: Possible AZTEK (iso14443a compliant)");
226
227 // reconnect for further tests
228 c.arg[0] = ISO14A_CONNECT | ISO14A_NO_DISCONNECT;
229 c.arg[1] = 0;
230 c.arg[2] = 0;
231 clearCommandBuffer();
232 SendCommand(&c);
233 UsbCommand resp;
234 WaitForResponse(CMD_ACK, &resp);
235
236 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
237
238 select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
239
240 if(select_status == 0) {
241 ul_switch_off_field();
242 return 0;
243 }
244 break;
245 case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
246 case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
247 case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
248 case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
249 case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break;
250 case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break;
251 case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break;
252 case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break;
253 case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break;
254 case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break;
255 case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break;
256 case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break;
257 case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
258 default: ;
259 }
260
261 // Double & triple sized UID, can be mapped to a manufacturer.
262 if ( card.uidlen > 4 ) {
263 PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
264 }
265
266 // try to request ATS even if tag claims not to support it
267 if (select_status == 2) {
268 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
269 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
270 c.arg[1] = 2;
271 c.arg[2] = 0;
272 memcpy(c.d.asBytes, rats, 2);
273 clearCommandBuffer();
274 SendCommand(&c);
275 WaitForResponse(CMD_ACK,&resp);
276
277 memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
278 card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
279 }
280
281 if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
282 bool ta1 = 0, tb1 = 0, tc1 = 0;
283 int pos;
284
285 if (select_status == 2) {
286 PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
287 }
288 PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
289 PrintAndLog(" - TL : length is %d bytes", card.ats[0]);
290 if (card.ats[0] != card.ats_len - 2) {
291 PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
292 }
293
294 if (card.ats[0] > 1) { // there is a format byte (T0)
295 ta1 = (card.ats[1] & 0x10) == 0x10;
296 tb1 = (card.ats[1] & 0x20) == 0x20;
297 tc1 = (card.ats[1] & 0x40) == 0x40;
298 int16_t fsci = card.ats[1] & 0x0f;
299 PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, "
300 "TC1 is%s present, FSCI is %d (FSC = %ld)",
301 (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
302 fsci,
303 fsci < 5 ? (fsci - 2) * 8 :
304 fsci < 8 ? (fsci - 3) * 32 :
305 fsci == 8 ? 256 :
306 -1
307 );
308 }
309 pos = 2;
310 if (ta1) {
311 char dr[16], ds[16];
312 dr[0] = ds[0] = '\0';
313 if (card.ats[pos] & 0x10) strcat(ds, "2, ");
314 if (card.ats[pos] & 0x20) strcat(ds, "4, ");
315 if (card.ats[pos] & 0x40) strcat(ds, "8, ");
316 if (card.ats[pos] & 0x01) strcat(dr, "2, ");
317 if (card.ats[pos] & 0x02) strcat(dr, "4, ");
318 if (card.ats[pos] & 0x04) strcat(dr, "8, ");
319 if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
320 if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
321 PrintAndLog(" - TA1 : different divisors are%s supported, "
322 "DR: [%s], DS: [%s]",
323 (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
324 pos++;
325 }
326 if (tb1) {
327 uint32_t sfgi = card.ats[pos] & 0x0F;
328 uint32_t fwi = card.ats[pos] >> 4;
329 PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
330 (sfgi),
331 sfgi ? "" : "(not needed) ",
332 sfgi ? (1 << 12) << sfgi : 0,
333 fwi,
334 (1 << 12) << fwi
335 );
336 pos++;
337 }
338 if (tc1) {
339 PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported",
340 (card.ats[pos] & 0x01) ? "" : " NOT",
341 (card.ats[pos] & 0x02) ? "" : " NOT");
342 pos++;
343 }
344 if (card.ats[0] > pos) {
345 char *tip = "";
346 if (card.ats[0] - pos >= 7) {
347 if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
348 tip = "-> MIFARE Plus X 2K or 4K";
349 } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
350 tip = "-> MIFARE Plus S 2K or 4K";
351 }
352 }
353 PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
354 if (card.ats[pos] == 0xC1) {
355 PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type");
356 PrintAndLog(" %02x -> Length is %d bytes",
357 card.ats[pos + 1], card.ats[pos + 1]);
358 switch (card.ats[pos + 2] & 0xf0) {
359 case 0x10: PrintAndLog(" 1x -> MIFARE DESFire"); break;
360 case 0x20: PrintAndLog(" 2x -> MIFARE Plus"); break;
361 }
362 switch (card.ats[pos + 2] & 0x0f) {
363 case 0x00: PrintAndLog(" x0 -> <1 kByte"); break;
364 case 0x01: PrintAndLog(" x1 -> 1 kByte"); break;
365 case 0x02: PrintAndLog(" x2 -> 2 kByte"); break;
366 case 0x03: PrintAndLog(" x3 -> 4 kByte"); break;
367 case 0x04: PrintAndLog(" x4 -> 8 kByte"); break;
368 }
369 switch (card.ats[pos + 3] & 0xf0) {
370 case 0x00: PrintAndLog(" 0x -> Engineering sample"); break;
371 case 0x20: PrintAndLog(" 2x -> Released"); break;
372 }
373 switch (card.ats[pos + 3] & 0x0f) {
374 case 0x00: PrintAndLog(" x0 -> Generation 1"); break;
375 case 0x01: PrintAndLog(" x1 -> Generation 2"); break;
376 case 0x02: PrintAndLog(" x2 -> Generation 3"); break;
377 }
378 switch (card.ats[pos + 4] & 0x0f) {
379 case 0x00: PrintAndLog(" x0 -> Only VCSL supported"); break;
380 case 0x01: PrintAndLog(" x1 -> VCS, VCSL, and SVC supported"); break;
381 case 0x0E: PrintAndLog(" xE -> no VCS command supported"); break;
382 }
383 }
384 }
385 } else {
386 PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
387 }
388
389
390 // try to see if card responses to "chinese magic backdoor" commands.
391 uint8_t isOK = 0;
392 clearCommandBuffer();
393 c.cmd = CMD_MIFARE_CIDENT;
394 c.arg[0] = 0;
395 c.arg[1] = 0;
396 c.arg[2] = 0;
397 SendCommand(&c);
398 if (WaitForResponseTimeout(CMD_ACK, &resp, 1500))
399 isOK = resp.arg[0] & 0xff;
400
401 PrintAndLog("Answers to magic commands (GEN1): %s", (isOK ? "YES" : "NO") );
402
403 // disconnect
404 SendCommand(&cDisconnect);
405
406 return select_status;
407 }
408
409 // Collect ISO14443 Type A UIDs
410 int CmdHF14ACUIDs(const char *Cmd) {
411 // requested number of UIDs
412 int n = atoi(Cmd);
413 // collect at least 1 (e.g. if no parameter was given)
414 n = n > 0 ? n : 1;
415
416 PrintAndLog("Collecting %d UIDs", n);
417 PrintAndLog("Start: %u", time(NULL));
418 // repeat n times
419 for (int i = 0; i < n; i++) {
420 // execute anticollision procedure
421 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
422 SendCommand(&c);
423
424 UsbCommand resp;
425 WaitForResponse(CMD_ACK,&resp);
426
427 iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
428
429 // check if command failed
430 if (resp.arg[0] == 0) {
431 PrintAndLog("Card select failed.");
432 } else {
433 char uid_string[20];
434 for (uint16_t i = 0; i < card->uidlen; i++) {
435 sprintf(&uid_string[2*i], "%02X", card->uid[i]);
436 }
437 PrintAndLog("%s", uid_string);
438 }
439 }
440 PrintAndLog("End: %u", time(NULL));
441 return 1;
442 }
443
444 // ## simulate iso14443a tag
445 // ## greg - added ability to specify tag UID
446 int CmdHF14ASim(const char *Cmd) {
447 bool errors = FALSE;
448 uint8_t flags = 0;
449 uint8_t tagtype = 1;
450 uint8_t cmdp = 0;
451 uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
452 int uidlen = 0;
453 bool useUIDfromEML = TRUE;
454 bool setEmulatorMem = FALSE;
455 bool verbose = FALSE;
456 nonces_t data[1];
457
458 while(param_getchar(Cmd, cmdp) != 0x00) {
459 switch(param_getchar(Cmd, cmdp)) {
460 case 'h':
461 case 'H':
462 return usage_hf_14a_sim();
463 case 't':
464 case 'T':
465 // Retrieve the tag type
466 tagtype = param_get8ex(Cmd, cmdp+1, 0, 10);
467 if (tagtype == 0)
468 errors = TRUE;
469 cmdp += 2;
470 break;
471 case 'u':
472 case 'U':
473 // Retrieve the full 4,7,10 byte long uid
474 param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
475 switch(uidlen) {
476 //case 20: flags |= FLAG_10B_UID_IN_DATA; break;
477 case 14: flags |= FLAG_7B_UID_IN_DATA; break;
478 case 8: flags |= FLAG_4B_UID_IN_DATA; break;
479 default: errors = TRUE; break;
480 }
481 if (!errors) {
482 PrintAndLog("Emulating ISO/IEC 14443 type A tag with %d byte UID (%s)", uidlen>>1, sprint_hex(uid, uidlen>>1));
483 useUIDfromEML = FALSE;
484 }
485 cmdp += 2;
486 break;
487 case 'v':
488 case 'V':
489 verbose = TRUE;
490 cmdp++;
491 break;
492 case 'x':
493 case 'X':
494 flags |= FLAG_NR_AR_ATTACK;
495 cmdp++;
496 break;
497 case 'e':
498 case 'E':
499 setEmulatorMem = TRUE;
500 cmdp++;
501 break;
502 default:
503 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
504 errors = TRUE;
505 break;
506 }
507 if(errors) break;
508 }
509
510 //Validations
511 if (errors) return usage_hf_14a_sim();
512
513 if ( useUIDfromEML )
514 flags |= FLAG_UID_IN_EMUL;
515
516 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
517 memcpy(c.d.asBytes, uid, uidlen>>1);
518 clearCommandBuffer();
519 SendCommand(&c);
520 UsbCommand resp;
521
522 PrintAndLog("Press pm3-button to abort simulation");
523
524 while( !ukbhit() ){
525 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
526 if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
527 if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
528
529 memcpy(data, resp.d.asBytes, sizeof(data) );
530 readerAttack(data[0], setEmulatorMem, verbose);
531 }
532 showSectorTable();
533 return 0;
534 }
535
536 int CmdHF14ASniff(const char *Cmd) {
537 int param = 0;
538 uint8_t ctmp = param_getchar(Cmd, 0) ;
539 if (ctmp == 'h' || ctmp == 'H') return usage_hf_14a_sniff();
540
541 for (int i = 0; i < 2; i++) {
542 ctmp = param_getchar(Cmd, i);
543 if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
544 if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
545 }
546
547 UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
548 clearCommandBuffer();
549 SendCommand(&c);
550 return 0;
551 }
552
553 int CmdHF14ACmdRaw(const char *cmd) {
554 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
555 bool reply=1;
556 bool crc = FALSE;
557 bool power = FALSE;
558 bool active = FALSE;
559 bool active_select = FALSE;
560 uint16_t numbits=0;
561 bool bTimeout = FALSE;
562 uint32_t timeout=0;
563 bool topazmode = FALSE;
564 char buf[5]="";
565 int i=0;
566 uint8_t data[USB_CMD_DATA_SIZE];
567 uint16_t datalen=0;
568 uint32_t temp;
569
570 if (strlen(cmd)<2) return usage_hf_14a_raw();
571
572 // strip
573 while (*cmd==' ' || *cmd=='\t') cmd++;
574
575 while (cmd[i]!='\0') {
576 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
577 if (cmd[i]=='-') {
578 switch (cmd[i+1]) {
579 case 'H':
580 case 'h':
581 return usage_hf_14a_raw();
582 case 'r':
583 reply = FALSE;
584 break;
585 case 'c':
586 crc = TRUE;
587 break;
588 case 'p':
589 power = TRUE;
590 break;
591 case 'a':
592 active = TRUE;
593 break;
594 case 's':
595 active_select = TRUE;
596 break;
597 case 'b':
598 sscanf(cmd+i+2,"%d",&temp);
599 numbits = temp & 0xFFFF;
600 i+=3;
601 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
602 i-=2;
603 break;
604 case 't':
605 bTimeout = TRUE;
606 sscanf(cmd+i+2,"%d",&temp);
607 timeout = temp;
608 i+=3;
609 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
610 i-=2;
611 break;
612 case 'T':
613 topazmode = TRUE;
614 break;
615 default:
616 return usage_hf_14a_raw();
617 }
618 i+=2;
619 continue;
620 }
621 if ((cmd[i]>='0' && cmd[i]<='9') ||
622 (cmd[i]>='a' && cmd[i]<='f') ||
623 (cmd[i]>='A' && cmd[i]<='F') ) {
624 buf[strlen(buf)+1]=0;
625 buf[strlen(buf)]=cmd[i];
626 i++;
627
628 if (strlen(buf)>=2) {
629 sscanf(buf,"%x",&temp);
630 data[datalen]=(uint8_t)(temp & 0xff);
631 *buf=0;
632 if (++datalen >= sizeof(data)){
633 if (crc)
634 PrintAndLog("Buffer is full, we can't add CRC to your data");
635 break;
636 }
637 }
638 continue;
639 }
640 PrintAndLog("Invalid char on input");
641 return 0;
642 }
643
644 if(crc && datalen>0 && datalen<sizeof(data)-2)
645 {
646 uint8_t first, second;
647 if (topazmode) {
648 ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
649 } else {
650 ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
651 }
652 data[datalen++] = first;
653 data[datalen++] = second;
654 }
655
656 if(active || active_select)
657 {
658 c.arg[0] |= ISO14A_CONNECT;
659 if(active)
660 c.arg[0] |= ISO14A_NO_SELECT;
661 }
662
663 if(bTimeout){
664 #define MAX_TIMEOUT 40542464 // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
665 c.arg[0] |= ISO14A_SET_TIMEOUT;
666 if(timeout > MAX_TIMEOUT) {
667 timeout = MAX_TIMEOUT;
668 PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
669 }
670 c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
671 }
672
673 if(power) {
674 c.arg[0] |= ISO14A_NO_DISCONNECT;
675 }
676
677 if(datalen>0) {
678 c.arg[0] |= ISO14A_RAW;
679 }
680
681 if(topazmode) {
682 c.arg[0] |= ISO14A_TOPAZMODE;
683 }
684
685 // Max buffer is USB_CMD_DATA_SIZE
686 datalen = (datalen > USB_CMD_DATA_SIZE) ? USB_CMD_DATA_SIZE : datalen;
687
688 c.arg[1] = (datalen & 0xFFFF) | (uint32_t)(numbits << 16);
689 memcpy(c.d.asBytes, data, datalen);
690
691 clearCommandBuffer();
692 SendCommand(&c);
693
694 if (reply) {
695 if(active_select)
696 waitCmd(1);
697 if(datalen>0)
698 waitCmd(0);
699 } // if reply
700 return 0;
701 }
702
703 static void waitCmd(uint8_t iSelect) {
704 UsbCommand resp;
705 uint16_t len = 0;
706
707 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
708 len = iSelect ? (resp.arg[1] & 0xffff) : (resp.arg[0] & 0xffff);
709 PrintAndLog("received %i octets", len);
710 if(!len)
711 return;
712 PrintAndLog("%s", sprint_hex(resp.d.asBytes, len) );
713 } else {
714 PrintAndLog("timeout while waiting for reply.");
715 }
716 }
717
718 static command_t CommandTable[] = {
719 {"help", CmdHelp, 1, "This help"},
720 {"list", CmdHF14AList, 0, "[Deprecated] List ISO 14443a history"},
721 {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
722 {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
723 {"sim", CmdHF14ASim, 0, "<UID> -- Simulate ISO 14443a tag"},
724 {"sniff", CmdHF14ASniff, 0, "sniff ISO 14443 Type A traffic"},
725 {"raw", CmdHF14ACmdRaw, 0, "Send raw hex data to tag"},
726 {NULL, NULL, 0, NULL}
727 };
728
729 int CmdHF14A(const char *Cmd) {
730 clearCommandBuffer();
731 CmdsParse(CommandTable, Cmd);
732 return 0;
733 }
734
735 int CmdHelp(const char *Cmd) {
736 CmdsHelp(CommandTable);
737 return 0;
738 }
Proxmark3 GIT tracking
Impressum, Datenschutz