]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf14a.c
CHG: removed unused variable
[proxmark3-svn] / client / cmdhf14a.c
1 //-----------------------------------------------------------------------------
2 // 2011, Merlok
3 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // High frequency ISO14443A commands
10 //-----------------------------------------------------------------------------
11
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <unistd.h>
16 #include "util.h"
17 #include "iso14443crc.h"
18 #include "data.h"
19 #include "proxmark3.h"
20 #include "ui.h"
21 #include "cmdparser.h"
22 #include "cmdhf14a.h"
23 #include "common.h"
24 #include "cmdmain.h"
25 #include "mifare.h"
26 #include "cmdhfmf.h"
27 #include "cmdhfmfu.h"
28 #include "nonce2key/nonce2key.h"
29 #include "cmdhf.h"
30
31 static int CmdHelp(const char *Cmd);
32 static void waitCmd(uint8_t iLen);
33
34 // structure and database for uid -> tagtype lookups
35 typedef struct {
36 uint8_t uid;
37 char* desc;
38 } manufactureName;
39
40 const manufactureName manufactureMapping[] = {
41 // ID, "Vendor Country"
42 { 0x01, "Motorola UK" },
43 { 0x02, "ST Microelectronics SA France" },
44 { 0x03, "Hitachi, Ltd Japan" },
45 { 0x04, "NXP Semiconductors Germany" },
46 { 0x05, "Infineon Technologies AG Germany" },
47 { 0x06, "Cylink USA" },
48 { 0x07, "Texas Instrument France" },
49 { 0x08, "Fujitsu Limited Japan" },
50 { 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
51 { 0x0A, "NEC Japan" },
52 { 0x0B, "Oki Electric Industry Co. Ltd Japan" },
53 { 0x0C, "Toshiba Corp. Japan" },
54 { 0x0D, "Mitsubishi Electric Corp. Japan" },
55 { 0x0E, "Samsung Electronics Co. Ltd Korea" },
56 { 0x0F, "Hynix / Hyundai, Korea" },
57 { 0x10, "LG-Semiconductors Co. Ltd Korea" },
58 { 0x11, "Emosyn-EM Microelectronics USA" },
59 { 0x12, "INSIDE Technology France" },
60 { 0x13, "ORGA Kartensysteme GmbH Germany" },
61 { 0x14, "SHARP Corporation Japan" },
62 { 0x15, "ATMEL France" },
63 { 0x16, "EM Microelectronic-Marin SA Switzerland" },
64 { 0x17, "KSW Microtec GmbH Germany" },
65 { 0x18, "ZMD AG Germany" },
66 { 0x19, "XICOR, Inc. USA" },
67 { 0x1A, "Sony Corporation Japan" },
68 { 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
69 { 0x1C, "Emosyn USA" },
70 { 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
71 { 0x1E, "Magellan Technology Pty Limited Australia" },
72 { 0x1F, "Melexis NV BO Switzerland" },
73 { 0x20, "Renesas Technology Corp. Japan" },
74 { 0x21, "TAGSYS France" },
75 { 0x22, "Transcore USA" },
76 { 0x23, "Shanghai belling corp., ltd. China" },
77 { 0x24, "Masktech Germany Gmbh Germany" },
78 { 0x25, "Innovision Research and Technology Plc UK" },
79 { 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
80 { 0x27, "Cypak AB Sweden" },
81 { 0x28, "Ricoh Japan" },
82 { 0x29, "ASK France" },
83 { 0x2A, "Unicore Microsystems, LLC Russian Federation" },
84 { 0x2B, "Dallas Semiconductor/Maxim USA" },
85 { 0x2C, "Impinj, Inc. USA" },
86 { 0x2D, "RightPlug Alliance USA" },
87 { 0x2E, "Broadcom Corporation USA" },
88 { 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
89 { 0x30, "BeeDar Technology Inc. USA" },
90 { 0x31, "RFIDsec Denmark" },
91 { 0x32, "Schweizer Electronic AG Germany" },
92 { 0x33, "AMIC Technology Corp Taiwan" },
93 { 0x34, "Mikron JSC Russia" },
94 { 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
95 { 0x36, "IDS Microchip AG Switzerland" },
96 { 0x37, "Kovio USA" },
97 { 0x38, "HMT Microelectronic Ltd Switzerland" },
98 { 0x39, "Silicon Craft Technology Thailand" },
99 { 0x3A, "Advanced Film Device Inc. Japan" },
100 { 0x3B, "Nitecrest Ltd UK" },
101 { 0x3C, "Verayo Inc. USA" },
102 { 0x3D, "HID Global USA" },
103 { 0x3E, "Productivity Engineering Gmbh Germany" },
104 { 0x3F, "Austriamicrosystems AG (reserved) Austria" },
105 { 0x40, "Gemalto SA France" },
106 { 0x41, "Renesas Electronics Corporation Japan" },
107 { 0x42, "3Alogics Inc Korea" },
108 { 0x43, "Top TroniQ Asia Limited Hong Kong" },
109 { 0x44, "Gentag Inc. USA" },
110 { 0x00, "no tag-info available" } // must be the last entry
111 };
112
113
114 // get a product description based on the UID
115 // uid[8] tag uid
116 // returns description of the best match
117 char* getTagInfo(uint8_t uid) {
118
119 int i;
120 int len = sizeof(manufactureMapping) / sizeof(manufactureName);
121
122 for ( i = 0; i < len; ++i )
123 if ( uid == manufactureMapping[i].uid)
124 return manufactureMapping[i].desc;
125
126 //No match, return default
127 return manufactureMapping[len-1].desc;
128 }
129
130 int usage_hf_14a_sim(void) {
131 // PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 or 10 byte UID\n");
132 PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 byte UID\n");
133 PrintAndLog("Usage: hf 14a sim t <type> u <uid> x");
134 PrintAndLog(" Options : ");
135 PrintAndLog(" h : this help");
136 PrintAndLog(" t : 1 = MIFARE Classic");
137 PrintAndLog(" 2 = MIFARE Ultralight");
138 PrintAndLog(" 3 = MIFARE Desfire");
139 PrintAndLog(" 4 = ISO/IEC 14443-4");
140 PrintAndLog(" 5 = MIFARE Tnp3xxx");
141 PrintAndLog(" 6 = MIFARE Mini");
142 PrintAndLog(" 7 = AMIIBO (NTAG 215), pack 0x8080");
143 // PrintAndLog(" u : 4, 7 or 10 byte UID");
144 PrintAndLog(" u : 4, 7 byte UID");
145 PrintAndLog(" x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader");
146 PrintAndLog(" v : (Optional) show maths used for cracking reader. Useful for debugging.");
147 PrintAndLog("\n sample : hf 14a sim t 1 u 11223344 x");
148 PrintAndLog(" : hf 14a sim t 1 u 11223344");
149 PrintAndLog(" : hf 14a sim t 1 u 11223344556677");
150 // PrintAndLog(" : hf 14a sim t 1 u 11223445566778899AA\n");
151 return 0;
152 }
153 int usage_hf_14a_sniff(void){
154 PrintAndLog("It get data from the field and saves it into command buffer.");
155 PrintAndLog("Buffer accessible from command 'hf list 14a'");
156 PrintAndLog("Usage: hf 14a sniff [c][r]");
157 PrintAndLog("c - triggered by first data from card");
158 PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
159 PrintAndLog("sample: hf 14a sniff c r");
160 return 0;
161 }
162 int usage_hf_14a_raw(void){
163 PrintAndLog("Usage: hf 14a raw [-h] [-r] [-c] [-p] [-a] [-T] [-t] <milliseconds> [-b] <number of bits> <0A 0B 0C ... hex>");
164 PrintAndLog(" -h this help");
165 PrintAndLog(" -r do not read response");
166 PrintAndLog(" -c calculate and append CRC");
167 PrintAndLog(" -p leave the signal field ON after receive");
168 PrintAndLog(" -a active signal field ON without select");
169 PrintAndLog(" -s active signal field ON with select");
170 PrintAndLog(" -b number of bits to send. Useful for send partial byte");
171 PrintAndLog(" -t timeout in ms");
172 PrintAndLog(" -T use Topaz protocol to send command");
173 return 0;
174 }
175
176 int CmdHF14AList(const char *Cmd) {
177 //PrintAndLog("Deprecated command, use 'hf list 14a' instead");
178 CmdHFList("14a");
179 return 0;
180 }
181
182 int CmdHF14AReader(const char *Cmd) {
183 UsbCommand cDisconnect = {CMD_READER_ISO_14443a, {0,0,0}};
184 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
185 clearCommandBuffer();
186 SendCommand(&c);
187 UsbCommand resp;
188 WaitForResponse(CMD_ACK, &resp);
189
190 iso14a_card_select_t card;
191 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
192
193 uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
194
195 if(select_status == 0) {
196 if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
197 SendCommand(&cDisconnect);
198 return 0;
199 }
200
201 if(select_status == 3) {
202 PrintAndLog("Card doesn't support standard iso14443-3 anticollision");
203 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
204 SendCommand(&cDisconnect);
205 return 0;
206 }
207
208 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
209 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
210 PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
211
212 switch (card.sak) {
213 case 0x00:
214
215 // ******** is card of the MFU type (UL/ULC/NTAG/ etc etc)
216 ul_switch_off_field();
217
218 uint32_t tagT = GetHF14AMfU_Type();
219 ul_print_type(tagT, 0);
220
221 // reconnect for further tests
222 c.arg[0] = ISO14A_CONNECT | ISO14A_NO_DISCONNECT;
223 c.arg[1] = 0;
224 c.arg[2] = 0;
225
226 clearCommandBuffer();
227 SendCommand(&c);
228
229 UsbCommand resp;
230 WaitForResponse(CMD_ACK, &resp);
231
232 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
233
234 select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
235
236 if(select_status == 0) {
237 ul_switch_off_field();
238 return 0;
239 }
240 break;
241 case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
242 case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
243 case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
244 case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
245 case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break;
246 case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break;
247 case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break;
248 case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break;
249 case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break;
250 case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break;
251 case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break;
252 case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break;
253 case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
254 default: ;
255 }
256
257 // Double & triple sized UID, can be mapped to a manufacturer.
258 if ( card.uidlen > 4 ) {
259 PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
260 }
261
262 // try to request ATS even if tag claims not to support it
263 if (select_status == 2) {
264 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
265 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
266 c.arg[1] = 2;
267 c.arg[2] = 0;
268 memcpy(c.d.asBytes, rats, 2);
269 clearCommandBuffer();
270 SendCommand(&c);
271 WaitForResponse(CMD_ACK,&resp);
272
273 memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
274 card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
275 }
276
277 if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
278 bool ta1 = 0, tb1 = 0, tc1 = 0;
279 int pos;
280
281 if (select_status == 2) {
282 PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
283 }
284 PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
285 PrintAndLog(" - TL : length is %d bytes", card.ats[0]);
286 if (card.ats[0] != card.ats_len - 2) {
287 PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
288 }
289
290 if (card.ats[0] > 1) { // there is a format byte (T0)
291 ta1 = (card.ats[1] & 0x10) == 0x10;
292 tb1 = (card.ats[1] & 0x20) == 0x20;
293 tc1 = (card.ats[1] & 0x40) == 0x40;
294 int16_t fsci = card.ats[1] & 0x0f;
295 PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, "
296 "TC1 is%s present, FSCI is %d (FSC = %ld)",
297 (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
298 fsci,
299 fsci < 5 ? (fsci - 2) * 8 :
300 fsci < 8 ? (fsci - 3) * 32 :
301 fsci == 8 ? 256 :
302 -1
303 );
304 }
305 pos = 2;
306 if (ta1) {
307 char dr[16], ds[16];
308 dr[0] = ds[0] = '\0';
309 if (card.ats[pos] & 0x10) strcat(ds, "2, ");
310 if (card.ats[pos] & 0x20) strcat(ds, "4, ");
311 if (card.ats[pos] & 0x40) strcat(ds, "8, ");
312 if (card.ats[pos] & 0x01) strcat(dr, "2, ");
313 if (card.ats[pos] & 0x02) strcat(dr, "4, ");
314 if (card.ats[pos] & 0x04) strcat(dr, "8, ");
315 if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
316 if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
317 PrintAndLog(" - TA1 : different divisors are%s supported, "
318 "DR: [%s], DS: [%s]",
319 (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
320 pos++;
321 }
322 if (tb1) {
323 uint32_t sfgi = card.ats[pos] & 0x0F;
324 uint32_t fwi = card.ats[pos] >> 4;
325 PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
326 (sfgi),
327 sfgi ? "" : "(not needed) ",
328 sfgi ? (1 << 12) << sfgi : 0,
329 fwi,
330 (1 << 12) << fwi
331 );
332 pos++;
333 }
334 if (tc1) {
335 PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported",
336 (card.ats[pos] & 0x01) ? "" : " NOT",
337 (card.ats[pos] & 0x02) ? "" : " NOT");
338 pos++;
339 }
340 if (card.ats[0] > pos) {
341 char *tip = "";
342 if (card.ats[0] - pos >= 7) {
343 if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
344 tip = "-> MIFARE Plus X 2K or 4K";
345 } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
346 tip = "-> MIFARE Plus S 2K or 4K";
347 }
348 }
349 PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
350 if (card.ats[pos] == 0xC1) {
351 PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type");
352 PrintAndLog(" %02x -> Length is %d bytes",
353 card.ats[pos + 1], card.ats[pos + 1]);
354 switch (card.ats[pos + 2] & 0xf0) {
355 case 0x10: PrintAndLog(" 1x -> MIFARE DESFire"); break;
356 case 0x20: PrintAndLog(" 2x -> MIFARE Plus"); break;
357 }
358 switch (card.ats[pos + 2] & 0x0f) {
359 case 0x00: PrintAndLog(" x0 -> <1 kByte"); break;
360 case 0x01: PrintAndLog(" x1 -> 1 kByte"); break;
361 case 0x02: PrintAndLog(" x2 -> 2 kByte"); break;
362 case 0x03: PrintAndLog(" x3 -> 4 kByte"); break;
363 case 0x04: PrintAndLog(" x4 -> 8 kByte"); break;
364 }
365 switch (card.ats[pos + 3] & 0xf0) {
366 case 0x00: PrintAndLog(" 0x -> Engineering sample"); break;
367 case 0x20: PrintAndLog(" 2x -> Released"); break;
368 }
369 switch (card.ats[pos + 3] & 0x0f) {
370 case 0x00: PrintAndLog(" x0 -> Generation 1"); break;
371 case 0x01: PrintAndLog(" x1 -> Generation 2"); break;
372 case 0x02: PrintAndLog(" x2 -> Generation 3"); break;
373 }
374 switch (card.ats[pos + 4] & 0x0f) {
375 case 0x00: PrintAndLog(" x0 -> Only VCSL supported"); break;
376 case 0x01: PrintAndLog(" x1 -> VCS, VCSL, and SVC supported"); break;
377 case 0x0E: PrintAndLog(" xE -> no VCS command supported"); break;
378 }
379 }
380 }
381 } else {
382 PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
383 }
384
385
386 // try to see if card responses to "chinese magic backdoor" commands.
387 uint8_t isOK = 0;
388 clearCommandBuffer();
389 c.cmd = CMD_MIFARE_CIDENT;
390 c.arg[0] = 0;
391 c.arg[1] = 0;
392 c.arg[2] = 0;
393 SendCommand(&c);
394 if (WaitForResponseTimeout(CMD_ACK, &resp, 1500))
395 isOK = resp.arg[0] & 0xff;
396
397 PrintAndLog("Answers to magic commands (GEN1): %s", (isOK ? "YES" : "NO") );
398
399 // disconnect
400 SendCommand(&cDisconnect);
401
402 return select_status;
403 }
404
405 // Collect ISO14443 Type A UIDs
406 int CmdHF14ACUIDs(const char *Cmd) {
407 // requested number of UIDs
408 int n = atoi(Cmd);
409 // collect at least 1 (e.g. if no parameter was given)
410 n = n > 0 ? n : 1;
411
412 PrintAndLog("Collecting %d UIDs", n);
413 PrintAndLog("Start: %u", time(NULL));
414 // repeat n times
415 for (int i = 0; i < n; i++) {
416 // execute anticollision procedure
417 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
418 SendCommand(&c);
419
420 UsbCommand resp;
421 WaitForResponse(CMD_ACK,&resp);
422
423 iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
424
425 // check if command failed
426 if (resp.arg[0] == 0) {
427 PrintAndLog("Card select failed.");
428 } else {
429 char uid_string[20];
430 for (uint16_t i = 0; i < card->uidlen; i++) {
431 sprintf(&uid_string[2*i], "%02X", card->uid[i]);
432 }
433 PrintAndLog("%s", uid_string);
434 }
435 }
436 PrintAndLog("End: %u", time(NULL));
437 return 1;
438 }
439
440 // ## simulate iso14443a tag
441 // ## greg - added ability to specify tag UID
442 int CmdHF14ASim(const char *Cmd) {
443 #define ATTACK_KEY_COUNT 8
444 bool errors = FALSE;
445 uint8_t flags = 0;
446 uint8_t tagtype = 1;
447 uint8_t cmdp = 0;
448 uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
449 int uidlen = 0;
450 bool useUIDfromEML = TRUE;
451 bool verbose = false;
452
453 while(param_getchar(Cmd, cmdp) != 0x00) {
454 switch(param_getchar(Cmd, cmdp)) {
455 case 'h':
456 case 'H':
457 return usage_hf_14a_sim();
458 case 't':
459 case 'T':
460 // Retrieve the tag type
461 tagtype = param_get8ex(Cmd, cmdp+1, 0, 10);
462 if (tagtype == 0)
463 errors = true;
464 cmdp += 2;
465 break;
466 case 'u':
467 case 'U':
468 // Retrieve the full 4,7,10 byte long uid
469 param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
470 switch(uidlen) {
471 //case 20: flags |= FLAG_10B_UID_IN_DATA; break;
472 case 14: flags |= FLAG_7B_UID_IN_DATA; break;
473 case 8: flags |= FLAG_4B_UID_IN_DATA; break;
474 default: errors = TRUE; break;
475 }
476 if (!errors) {
477 PrintAndLog("Emulating ISO/IEC 14443 type A tag with %d byte UID (%s)", uidlen>>1, sprint_hex(uid, uidlen>>1));
478 useUIDfromEML = FALSE;
479 }
480 cmdp += 2;
481 break;
482 case 'v':
483 case 'V':
484 verbose = true;
485 cmdp++;
486 break;
487 case 'x':
488 case 'X':
489 flags |= FLAG_NR_AR_ATTACK;
490 cmdp++;
491 break;
492 default:
493 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
494 errors = true;
495 break;
496 }
497 if(errors) break;
498 }
499
500 //Validations
501 if (errors) return usage_hf_14a_sim();
502
503 if ( useUIDfromEML )
504 flags |= FLAG_UID_IN_EMUL;
505
506 PrintAndLog("Press pm3-button to abort simulation");
507
508 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
509 memcpy(c.d.asBytes, uid, uidlen>>1);
510 clearCommandBuffer();
511 SendCommand(&c);
512
513 nonces_t data[ATTACK_KEY_COUNT*2];
514 UsbCommand resp;
515
516 while( !ukbhit() ){
517 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
518
519 if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
520 if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
521
522 memcpy( data, resp.d.asBytes, sizeof(data) );
523 readerAttack(data, TRUE, verbose);
524 }
525 return 0;
526 }
527
528 int CmdHF14ASniff(const char *Cmd) {
529 int param = 0;
530 uint8_t ctmp = param_getchar(Cmd, 0) ;
531 if (ctmp == 'h' || ctmp == 'H') return usage_hf_14a_sniff();
532
533 for (int i = 0; i < 2; i++) {
534 ctmp = param_getchar(Cmd, i);
535 if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
536 if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
537 }
538
539 UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
540 clearCommandBuffer();
541 SendCommand(&c);
542 return 0;
543 }
544
545 int CmdHF14ACmdRaw(const char *cmd) {
546 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
547 bool reply=1;
548 bool crc = FALSE;
549 bool power = FALSE;
550 bool active = FALSE;
551 bool active_select = FALSE;
552 uint16_t numbits=0;
553 bool bTimeout = FALSE;
554 uint32_t timeout=0;
555 bool topazmode = FALSE;
556 char buf[5]="";
557 int i=0;
558 uint8_t data[USB_CMD_DATA_SIZE];
559 uint16_t datalen=0;
560 uint32_t temp;
561
562 if (strlen(cmd)<2) return usage_hf_14a_raw();
563
564 // strip
565 while (*cmd==' ' || *cmd=='\t') cmd++;
566
567 while (cmd[i]!='\0') {
568 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
569 if (cmd[i]=='-') {
570 switch (cmd[i+1]) {
571 case 'H':
572 case 'h':
573 return usage_hf_14a_raw();
574 case 'r':
575 reply = FALSE;
576 break;
577 case 'c':
578 crc = TRUE;
579 break;
580 case 'p':
581 power = TRUE;
582 break;
583 case 'a':
584 active = TRUE;
585 break;
586 case 's':
587 active_select = TRUE;
588 break;
589 case 'b':
590 sscanf(cmd+i+2,"%d",&temp);
591 numbits = temp & 0xFFFF;
592 i+=3;
593 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
594 i-=2;
595 break;
596 case 't':
597 bTimeout = TRUE;
598 sscanf(cmd+i+2,"%d",&temp);
599 timeout = temp;
600 i+=3;
601 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
602 i-=2;
603 break;
604 case 'T':
605 topazmode = TRUE;
606 break;
607 default:
608 return usage_hf_14a_raw();
609 }
610 i+=2;
611 continue;
612 }
613 if ((cmd[i]>='0' && cmd[i]<='9') ||
614 (cmd[i]>='a' && cmd[i]<='f') ||
615 (cmd[i]>='A' && cmd[i]<='F') ) {
616 buf[strlen(buf)+1]=0;
617 buf[strlen(buf)]=cmd[i];
618 i++;
619
620 if (strlen(buf)>=2) {
621 sscanf(buf,"%x",&temp);
622 data[datalen]=(uint8_t)(temp & 0xff);
623 *buf=0;
624 if (++datalen >= sizeof(data)){
625 if (crc)
626 PrintAndLog("Buffer is full, we can't add CRC to your data");
627 break;
628 }
629 }
630 continue;
631 }
632 PrintAndLog("Invalid char on input");
633 return 0;
634 }
635
636 if(crc && datalen>0 && datalen<sizeof(data)-2)
637 {
638 uint8_t first, second;
639 if (topazmode) {
640 ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
641 } else {
642 ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
643 }
644 data[datalen++] = first;
645 data[datalen++] = second;
646 }
647
648 if(active || active_select)
649 {
650 c.arg[0] |= ISO14A_CONNECT;
651 if(active)
652 c.arg[0] |= ISO14A_NO_SELECT;
653 }
654
655 if(bTimeout){
656 #define MAX_TIMEOUT 40542464 // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
657 c.arg[0] |= ISO14A_SET_TIMEOUT;
658 if(timeout > MAX_TIMEOUT) {
659 timeout = MAX_TIMEOUT;
660 PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
661 }
662 c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
663 }
664
665 if(power) {
666 c.arg[0] |= ISO14A_NO_DISCONNECT;
667 }
668
669 if(datalen>0) {
670 c.arg[0] |= ISO14A_RAW;
671 }
672
673 if(topazmode) {
674 c.arg[0] |= ISO14A_TOPAZMODE;
675 }
676
677 // Max buffer is USB_CMD_DATA_SIZE
678 datalen = (datalen > USB_CMD_DATA_SIZE) ? USB_CMD_DATA_SIZE : datalen;
679
680 c.arg[1] = (datalen & 0xFFFF) | (uint32_t)(numbits << 16);
681 memcpy(c.d.asBytes, data, datalen);
682
683 clearCommandBuffer();
684 SendCommand(&c);
685
686 if (reply) {
687 if(active_select)
688 waitCmd(1);
689 if(datalen>0)
690 waitCmd(0);
691 } // if reply
692 return 0;
693 }
694
695 static void waitCmd(uint8_t iSelect) {
696 UsbCommand resp;
697 uint16_t len = 0;
698
699 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
700 len = iSelect ? (resp.arg[1] & 0xffff) : (resp.arg[0] & 0xffff);
701 PrintAndLog("received %i octets", len);
702 if(!len)
703 return;
704 PrintAndLog("%s", sprint_hex(resp.d.asBytes, len) );
705 } else {
706 PrintAndLog("timeout while waiting for reply.");
707 }
708 }
709
710 static command_t CommandTable[] = {
711 {"help", CmdHelp, 1, "This help"},
712 {"list", CmdHF14AList, 0, "[Deprecated] List ISO 14443a history"},
713 {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
714 {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
715 {"sim", CmdHF14ASim, 0, "<UID> -- Simulate ISO 14443a tag"},
716 {"sniff", CmdHF14ASniff, 0, "sniff ISO 14443 Type A traffic"},
717 {"raw", CmdHF14ACmdRaw, 0, "Send raw hex data to tag"},
718 {NULL, NULL, 0, NULL}
719 };
720
721 int CmdHF14A(const char *Cmd) {
722 clearCommandBuffer();
723 CmdsParse(CommandTable, Cmd);
724 return 0;
725 }
726
727 int CmdHelp(const char *Cmd) {
728 CmdsHelp(CommandTable);
729 return 0;
730 }
Impressum, Datenschutz