1 //-----------------------------------------------------------------------------
3 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
8 //-----------------------------------------------------------------------------
9 // High frequency ISO14443A commands
10 //-----------------------------------------------------------------------------
17 #include "iso14443crc.h"
21 #include "cmdparser.h"
25 #include "nonce2key/nonce2key.h"
26 #include "nonce2key/crapto1.h"
28 static int CmdHelp(const char *Cmd
);
30 int CmdHF14AList(const char *Cmd
)
33 GetFromBigBuf(got
, sizeof(got
));
35 PrintAndLog("recorded activity:");
36 PrintAndLog(" ETU :rssi: who bytes");
37 PrintAndLog("---------+----+----+-----------");
48 int timestamp
= *((uint32_t *)(got
+i
));
49 if (timestamp
& 0x80000000) {
50 timestamp
&= 0x7fffffff;
57 int parityBits
= *((uint32_t *)(got
+i
+4));
58 // 4 bytes of additional information...
59 // maximum of 32 additional parity bit information
62 // at each quarter bit period we can send power level (16 levels)
63 // or each half bit period in 256 levels.
71 if (i
+ len
>= 1900) {
75 uint8_t *frame
= (got
+i
+9);
77 // Break and stick with current result if buffer was not completely full
78 if (frame
[0] == 0x44 && frame
[1] == 0x44 && frame
[3] == 0x44) { break; }
82 for (j
= 0; j
< len
; j
++) {
87 oddparity
^= (((frame
[j
] & 0xFF) >> k
) & 0x01);
90 //if((parityBits >> (len - j - 1)) & 0x01) {
91 if (isResponse
&& (oddparity
!= ((parityBits
>> (len
- j
- 1)) & 0x01))) {
92 sprintf(line
+(j
*4), "%02x! ", frame
[j
]);
95 sprintf(line
+(j
*4), "%02x ", frame
[j
]);
103 for (j
= 0; j
< (len
- 1); j
++) {
104 // gives problems... search for the reason..
105 /*if(frame[j] == 0xAA) {
108 crc = "[1] Two drops close after each other";
111 crc = "[2] Potential SOC with a drop in second half of bitperiod";
114 crc = "[3] Segment Z after segment X is not possible";
117 crc = "[4] Parity bit of a fully received byte was wrong";
120 crc = "[?] Unknown error";
127 if (strlen(crc
)==0) {
128 ComputeCrc14443(CRC_14443_A
, frame
, len
-2, &b1
, &b2
);
129 if (b1
!= frame
[len
-2] || b2
!= frame
[len
-1]) {
130 crc
= (isResponse
& (len
< 6)) ? "" : " !crc";
139 char metricString
[100];
141 sprintf(metricString
, "%3d", metric
);
143 strcpy(metricString
, " ");
146 PrintAndLog(" +%7d: %s: %s %s %s",
147 (prev
< 0 ? 0 : (timestamp
- prev
)),
149 (isResponse
? "TAG" : " "), line
, crc
);
157 void iso14a_set_timeout(uint32_t timeout
) {
158 UsbCommand c
= {CMD_READER_ISO_14443a
, {ISO14A_SET_TIMEOUT
, 0, timeout
}};
162 int CmdHF14AMifare(const char *Cmd
)
166 uint64_t par_list
= 0, ks_list
= 0, r_key
= 0;
169 UsbCommand c
= {CMD_READER_MIFARE
, {strtol(Cmd
, NULL
, 0), 0, 0}};
173 while (kbhit()) getchar();
174 while (WaitForResponseTimeout(CMD_ACK
, 500) != NULL
) ;
177 printf("-------------------------------------------------------------------------\n");
178 printf("Executing command. It may take up to 30 min.\n");
179 printf("Press the key on proxmark3 device to abort proxmark3.\n");
180 printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");
181 printf("-------------------------------------------------------------------------\n");
188 printf("\naborted via keyboard!\n");
192 UsbCommand
* resp
= WaitForResponseTimeout(CMD_ACK
, 2000);
194 isOK
= resp
->arg
[0] & 0xff;
196 uid
= (uint32_t)bytes_to_num(resp
->d
.asBytes
+ 0, 4);
197 nt
= (uint32_t)bytes_to_num(resp
->d
.asBytes
+ 4, 4);
198 par_list
= bytes_to_num(resp
->d
.asBytes
+ 8, 8);
199 ks_list
= bytes_to_num(resp
->d
.asBytes
+ 16, 8);
202 PrintAndLog("isOk:%02x", isOK
);
203 if (!isOK
) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");
210 if (isOK
!= 1) return 1;
212 // execute original function from util nonce2key
213 if (nonce2key(uid
, nt
, par_list
, ks_list
, &r_key
)) return 2;
214 printf("-------------------------------------------------------------------------\n");
215 PrintAndLog("Key found:%012llx \n", r_key
);
220 int CmdHF14AMfWrBl(const char *Cmd
)
225 uint8_t key
[6] = {0, 0, 0, 0, 0, 0};
226 uint8_t bldata
[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
228 const char *cmdp
= Cmd
;
229 const char *cmdpe
= Cmd
;
232 PrintAndLog("Usage: hf 14 mfwrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
233 PrintAndLog(" sample: hf 14a mfwrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
236 PrintAndLog("l: %s", Cmd
);
239 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
240 blockNo
= strtol(cmdp
, NULL
, 0) & 0xff;
243 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
244 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
245 if (*cmdp
!= 'A' && *cmdp
!= 'a') {
250 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
251 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
253 // next value here:cmdpe
255 while (*cmdpe
!=' ' && *cmdpe
!='\t') cmdpe
++;
256 while (*cmdpe
==' ' || *cmdpe
=='\t') cmdpe
++;
258 if ((int)cmdpe
- (int)cmdp
!= 13) {
259 PrintAndLog("Length of key must be 12 hex symbols");
263 for(i
= 0; i
< 6; i
++) {
264 sscanf((char[]){cmdp
[0],cmdp
[1],0},"%X",&temp
);
265 key
[i
] = temp
& 0xff;
271 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
272 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
274 if (strlen(cmdp
) != 32) {
275 PrintAndLog("Length of block data must be 32 hex symbols");
279 for(i
= 0; i
< 16; i
++) {
280 sscanf((char[]){cmdp
[0],cmdp
[1],0},"%X",&temp
);
281 bldata
[i
] = temp
& 0xff;
285 PrintAndLog(" block no:%02x key type:%02x key:%s", blockNo
, keyType
, sprint_hex(key
, 6));
286 PrintAndLog(" data: %s", sprint_hex(bldata
, 16));
288 UsbCommand c
= {CMD_MIFARE_WRITEBL
, {blockNo
, keyType
, 0}};
289 memcpy(c
.d
.asBytes
, key
, 6);
290 memcpy(c
.d
.asBytes
+ 10, bldata
, 16);
292 UsbCommand
* resp
= WaitForResponseTimeout(CMD_ACK
, 1500);
295 uint8_t isOK
= resp
->arg
[0] & 0xff;
297 PrintAndLog("isOk:%02x", isOK
);
299 PrintAndLog("Command execute timeout");
305 int CmdHF14AMfRdBl(const char *Cmd
)
310 uint8_t key
[6] = {0, 0, 0, 0, 0, 0};
312 const char *cmdp
= Cmd
;
316 PrintAndLog("Usage: hf 14 mfrdbl <block number> <key A/B> <key (12 hex symbols)>");
317 PrintAndLog(" sample: hf 14a mfrdbl 0 A FFFFFFFFFFFF ");
322 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
323 blockNo
= strtol(cmdp
, NULL
, 0) & 0xff;
326 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
327 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
328 if (*cmdp
!= 'A' && *cmdp
!= 'a') {
333 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
334 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
336 if (strlen(cmdp
) != 12) {
337 PrintAndLog("Length of key must be 12 hex symbols");
341 for(i
= 0; i
< 6; i
++) {
342 sscanf((char[]){cmdp
[0],cmdp
[1],0},"%X",&temp
);
343 key
[i
] = temp
& 0xff;
347 PrintAndLog(" block no:%02x key type:%02x key:%s ", blockNo
, keyType
, sprint_hex(key
, 6));
349 UsbCommand c
= {CMD_MIFARE_READBL
, {blockNo
, keyType
, 0}};
350 memcpy(c
.d
.asBytes
, key
, 6);
352 UsbCommand
* resp
= WaitForResponseTimeout(CMD_ACK
, 1500);
355 uint8_t isOK
= resp
->arg
[0] & 0xff;
356 uint8_t * data
= resp
->d
.asBytes
;
358 PrintAndLog("isOk:%02x data:%s", isOK
, sprint_hex(data
, 16));
360 PrintAndLog("Command execute timeout");
366 int CmdHF14AMfRdSc(const char *Cmd
)
369 uint8_t sectorNo
= 0;
371 uint8_t key
[6] = {0, 0, 0, 0, 0, 0};
373 const char *cmdp
= Cmd
;
377 PrintAndLog("Usage: hf 14 mfrdsc <sector number> <key A/B> <key (12 hex symbols)>");
378 PrintAndLog(" sample: hf 14a mfrdsc 0 A FFFFFFFFFFFF ");
383 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
384 sectorNo
= strtol(cmdp
, NULL
, 0) & 0xff;
387 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
388 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
389 if (*cmdp
!= 'A' && *cmdp
!= 'a') {
394 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
395 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
397 if (strlen(cmdp
) != 12) {
398 PrintAndLog("Length of key must be 12 hex symbols");
402 for(i
= 0; i
< 6; i
++) {
403 sscanf((char[]){cmdp
[0],cmdp
[1],0},"%X",&temp
);
404 key
[i
] = temp
& 0xff;
408 PrintAndLog(" sector no:%02x key type:%02x key:%s ", sectorNo
, keyType
, sprint_hex(key
, 6));
410 UsbCommand c
= {CMD_MIFARE_READSC
, {sectorNo
, keyType
, 0}};
411 memcpy(c
.d
.asBytes
, key
, 6);
413 UsbCommand
* resp
= WaitForResponseTimeout(CMD_ACK
, 1500);
417 uint8_t isOK
= resp
->arg
[0] & 0xff;
418 uint8_t * data
= resp
->d
.asBytes
;
420 PrintAndLog("isOk:%02x", isOK
);
421 for (i
= 0; i
< 2; i
++) {
422 PrintAndLog("data:%s", sprint_hex(data
+ i
* 16, 16));
425 PrintAndLog("Command1 execute timeout");
429 resp
= WaitForResponseTimeout(CMD_ACK
, 500);
433 uint8_t * data
= resp
->d
.asBytes
;
435 for (i
= 0; i
< 2; i
++) {
436 PrintAndLog("data:%s", sprint_hex(data
+ i
* 16, 16));
439 PrintAndLog("Command2 execute timeout");
445 int CmdHF14AMfNested(const char *Cmd
)
448 uint8_t sectorNo
= 0;
450 uint8_t key
[6] = {0, 0, 0, 0, 0, 0};
454 fnVector
* vector
= NULL
;
456 UsbCommand
* resp
= NULL
;
458 const char *cmdp
= Cmd
;
461 PrintAndLog("Usage: hf 14a nested <sector number> <key A/B> <key (12 hex symbols)>");
462 PrintAndLog(" sample: hf 14a nested 0 A FFFFFFFFFFFF ");
467 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
468 sectorNo
= strtol(cmdp
, NULL
, 0) & 0xff;
471 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
472 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
473 if (*cmdp
!= 'A' && *cmdp
!= 'a') {
478 while (*cmdp
!=' ' && *cmdp
!='\t') cmdp
++;
479 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
481 if (strlen(cmdp
) != 12) {
482 PrintAndLog("Length of key must be 12 hex symbols");
486 for(i
= 0; i
< 6; i
++) {
487 sscanf((char[]){cmdp
[0],cmdp
[1],0},"%X",&temp
);
488 key
[i
] = temp
& 0xff;
492 PrintAndLog(" sector no:%02x key type:%02x key:%s ", sectorNo
, keyType
, sprint_hex(key
, 6));
495 while (WaitForResponseTimeout(CMD_ACK
, 500) != NULL
) ;
497 UsbCommand c
= {CMD_MIFARE_NESTED
, {sectorNo
, keyType
, 0}};
498 memcpy(c
.d
.asBytes
, key
, 6);
502 printf("-------------------------------------------------------------------------\n");
509 printf("\naborted via keyboard!\n");
513 resp
= WaitForResponseTimeout(CMD_ACK
, 1500);
516 isEOF
= resp
->arg
[0] & 0xff;
517 data
= resp
->d
.asBytes
;
519 PrintAndLog("isEOF:%02x", isEOF
);
520 for (i
= 0; i
< 2; i
++) {
521 PrintAndLog("data:%s", sprint_hex(data
+ i
* 16, 16));
525 len
= resp
->arg
[1] & 0xff;
526 if (len
== 0) continue;
528 memcpy(&uid
, resp
->d
.asBytes
, 4);
529 PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%d", uid
, len
, resp
->arg
[2] & 0xff, (resp
->arg
[2] >> 8) & 0xff);
531 vector
= (fnVector
*) realloc((void *)vector
, (lenVector
+ len
) * sizeof(fnVector
) + 200);
532 if (vector
== NULL
) {
533 PrintAndLog("Memory allocation error for fnVector. len: %d bytes: %d", lenVector
+ len
, (lenVector
+ len
) * sizeof(fnVector
));
537 for (i
= 0; i
< len
; i
++) {
538 vector
[lenVector
+ i
].blockNo
= resp
->arg
[2] & 0xff;
539 vector
[lenVector
+ i
].keyType
= (resp
->arg
[2] >> 8) & 0xff;
540 vector
[lenVector
+ i
].uid
= uid
;
542 memcpy(&vector
[lenVector
+ i
].nt
, (void *)(resp
->d
.asBytes
+ 8 + i
* 8 + 0), 4);
543 memcpy(&vector
[lenVector
+ i
].ks1
, (void *)(resp
->d
.asBytes
+ 8 + i
* 8 + 4), 4);
545 PrintAndLog("i=%d nt:%08x ks1:%08x", i
, vector
[lenVector
+ i
].nt
, vector
[lenVector
+ i
].ks1
);
560 int CmdHF14AMf1kSim(const char *Cmd
)
563 uint8_t uid
[4] = {0, 0, 0, 0};
565 const char *cmdp
= Cmd
;
569 PrintAndLog("Usage: hf 14a mfsim <uid (8 hex symbols)>");
570 PrintAndLog(" sample: hf 14a mfsim 0a0a0a0a ");
575 while (*cmdp
==' ' || *cmdp
=='\t') cmdp
++;
577 if (strlen(cmdp
) != 8) {
578 PrintAndLog("Length of UID must be 8 hex symbols");
582 for(i
= 0; i
< 4; i
++) {
583 sscanf((char[]){cmdp
[0],cmdp
[1],0},"%X",&temp
);
584 uid
[i
] = temp
& 0xff;
588 PrintAndLog(" uid:%s ", sprint_hex(uid
, 4));
590 UsbCommand c
= {CMD_SIMULATE_MIFARE_CARD
, {0, 0, 0}};
591 memcpy(c
.d
.asBytes
, uid
, 6);
598 int CmdHF14AReader(const char *Cmd
)
600 UsbCommand c
= {CMD_READER_ISO_14443a
, {ISO14A_CONNECT
, 0, 0}};
602 UsbCommand
* resp
= WaitForResponse(CMD_ACK
);
603 uint8_t * uid
= resp
->d
.asBytes
;
604 iso14a_card_select_t
* card
= uid
+ 12;
606 if(resp
->arg
[0] == 0) {
607 PrintAndLog("iso14443a card select failed");
611 PrintAndLog("ATQA : %02x %02x", card
->atqa
[0], card
->atqa
[1]);
612 PrintAndLog(" UID : %s", sprint_hex(uid
, 12));
613 PrintAndLog(" SAK : %02x [%d]", card
->sak
, resp
->arg
[0]);
614 if(resp
->arg
[0] == 1)
615 PrintAndLog(" ATS : %s", sprint_hex(card
->ats
, card
->ats_len
));
617 PrintAndLog("proprietary non-iso14443a card found, RATS not supported");
622 // ## simulate iso14443a tag
623 // ## greg - added ability to specify tag UID
624 int CmdHF14ASim(const char *Cmd
)
627 unsigned int hi
= 0, lo
= 0;
629 while (sscanf(&Cmd
[i
++], "%1x", &n
) == 1) {
630 hi
= (hi
<< 4) | (lo
>> 28);
631 lo
= (lo
<< 4) | (n
& 0xf);
634 // c.arg should be set to *Cmd or convert *Cmd to the correct format for a uid
635 UsbCommand c
= {CMD_SIMULATE_TAG_ISO_14443a
, {hi
, lo
, 0}};
636 PrintAndLog("Emulating 14443A TAG with UID %x%16x", hi
, lo
);
641 int CmdHF14ASnoop(const char *Cmd
)
643 UsbCommand c
= {CMD_SNOOP_ISO_14443a
};
648 static command_t CommandTable
[] =
650 {"help", CmdHelp
, 1, "This help"},
651 {"list", CmdHF14AList
, 0, "List ISO 14443a history"},
652 {"mifare", CmdHF14AMifare
, 0, "Read out sector 0 parity error messages. param - <used card nonce>"},
653 {"mfrdbl", CmdHF14AMfRdBl
, 0, "Read MIFARE classic block"},
654 {"mfrdsc", CmdHF14AMfRdSc
, 0, "Read MIFARE classic sector"},
655 {"mfwrbl", CmdHF14AMfWrBl
, 0, "Write MIFARE classic block"},
656 {"nested", CmdHF14AMfNested
, 0, "Test nested authentication"},
657 {"mfsim", CmdHF14AMf1kSim
, 0, "Simulate MIFARE 1k card - NOT WORKING!!!"},
658 {"reader", CmdHF14AReader
, 0, "Act like an ISO14443 Type A reader"},
659 {"sim", CmdHF14ASim
, 0, "<UID> -- Fake ISO 14443a tag"},
660 {"snoop", CmdHF14ASnoop
, 0, "Eavesdrop ISO 14443 Type A"},
661 {NULL
, NULL
, 0, NULL
}
664 int CmdHF14A(const char *Cmd
)
666 CmdsParse(CommandTable
, Cmd
);
670 int CmdHelp(const char *Cmd
)
672 CmdsHelp(CommandTable
);