]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #81 from mdp/fixguard
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014,2015,2016
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17
18 //-----------------------------------------------------------------------------
19 // Select, Authenticate, Read a MIFARE tag.
20 // read block
21 //-----------------------------------------------------------------------------
22 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
23 {
24 // params
25 uint8_t blockNo = arg0;
26 uint8_t keyType = arg1;
27 uint64_t ui64Key = 0;
28 ui64Key = bytes_to_num(datain, 6);
29
30 // variables
31 byte_t isOK = 0;
32 byte_t dataoutbuf[16] = {0x00};
33 uint8_t uid[10] = {0x00};
34 uint32_t cuid = 0;
35 struct Crypto1State mpcs = {0, 0};
36 struct Crypto1State *pcs;
37 pcs = &mpcs;
38
39 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
40
41 clear_trace();
42 set_tracing(true);
43
44 LED_A_ON();
45 LED_B_OFF();
46 LED_C_OFF();
47
48 while (true) {
49 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
50 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
51 break;
52 };
53
54 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
55 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
56 break;
57 };
58
59 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
60 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
61 break;
62 };
63
64 if(mifare_classic_halt(pcs, cuid)) {
65 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
66 break;
67 };
68
69 isOK = 1;
70 break;
71 }
72
73 crypto1_destroy(pcs);
74
75 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
76
77 LED_B_ON();
78 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
79 LED_B_OFF();
80
81 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
82 LEDsoff();
83 }
84
85 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
86
87 bool turnOffField = (arg0 == 1);
88
89 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
90
91 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
92
93 clear_trace();
94 set_tracing(true);
95
96 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
97 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
98 OnError(0);
99 return;
100 };
101
102 if(!mifare_ultra_auth(keybytes)){
103 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
104 OnError(1);
105 return;
106 }
107
108 if (turnOffField) {
109 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
110 LEDsoff();
111 }
112 cmd_send(CMD_ACK,1,0,0,0,0);
113 }
114
115 // Arg0 = BlockNo,
116 // Arg1 = UsePwd bool
117 // datain = PWD bytes,
118 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
119 {
120 uint8_t blockNo = arg0;
121 byte_t dataout[16] = {0x00};
122 bool useKey = (arg1 == 1); //UL_C
123 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
124
125 LEDsoff();
126 LED_A_ON();
127 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
128
129 clear_trace();
130 set_tracing(true);
131
132 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0);
133 if(!len) {
134 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
135 OnError(1);
136 return;
137 }
138
139 // UL-C authentication
140 if ( useKey ) {
141 uint8_t key[16] = {0x00};
142 memcpy(key, datain, sizeof(key) );
143
144 if ( !mifare_ultra_auth(key) ) {
145 OnError(1);
146 return;
147 }
148 }
149
150 // UL-EV1 / NTAG authentication
151 if ( usePwd ) {
152 uint8_t pwd[4] = {0x00};
153 memcpy(pwd, datain, 4);
154 uint8_t pack[4] = {0,0,0,0};
155 if (!mifare_ul_ev1_auth(pwd, pack)) {
156 OnError(1);
157 return;
158 }
159 }
160
161 if( mifare_ultra_readblock(blockNo, dataout) ) {
162 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
163 OnError(2);
164 return;
165 }
166
167 if( mifare_ultra_halt() ) {
168 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
169 OnError(3);
170 return;
171 }
172
173 cmd_send(CMD_ACK,1,0,0,dataout,16);
174 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
175 LEDsoff();
176 }
177
178 //-----------------------------------------------------------------------------
179 // Select, Authenticate, Read a MIFARE tag.
180 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
181 //-----------------------------------------------------------------------------
182 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
183 {
184 // params
185 uint8_t sectorNo = arg0;
186 uint8_t keyType = arg1;
187 uint64_t ui64Key = 0;
188 ui64Key = bytes_to_num(datain, 6);
189
190 // variables
191 byte_t isOK = 0;
192 byte_t dataoutbuf[16 * 16];
193 uint8_t uid[10] = {0x00};
194 uint32_t cuid = 0;
195 struct Crypto1State mpcs = {0, 0};
196 struct Crypto1State *pcs;
197 pcs = &mpcs;
198
199 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
200
201 clear_trace();
202 set_tracing(true);
203
204 LED_A_ON();
205 LED_B_OFF();
206 LED_C_OFF();
207
208 isOK = 1;
209 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
210 isOK = 0;
211 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
212 }
213
214
215 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
216 isOK = 0;
217 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
218 }
219
220 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
221 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
222 isOK = 0;
223 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
224 break;
225 }
226 }
227
228 if(mifare_classic_halt(pcs, cuid)) {
229 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
230 }
231
232 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
233
234 crypto1_destroy(pcs);
235
236 LED_B_ON();
237 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
238 LED_B_OFF();
239
240 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
241 LEDsoff();
242 set_tracing(FALSE);
243 }
244
245 // arg0 = blockNo (start)
246 // arg1 = Pages (number of blocks)
247 // arg2 = useKey
248 // datain = KEY bytes
249 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
250 {
251 LEDsoff();
252 LED_A_ON();
253 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
254
255 // free eventually allocated BigBuf memory
256 BigBuf_free(); BigBuf_Clear_ext(false);
257 clear_trace();
258 set_tracing(true);
259
260 // params
261 uint8_t blockNo = arg0;
262 uint16_t blocks = arg1;
263 bool useKey = (arg2 == 1); //UL_C
264 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
265 uint32_t countblocks = 0;
266 uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);
267 if (dataout == NULL){
268 Dbprintf("out of memory");
269 OnError(1);
270 return;
271 }
272
273 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0);
274 if (!len) {
275 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
276 OnError(1);
277 return;
278 }
279
280 // UL-C authentication
281 if ( useKey ) {
282 uint8_t key[16] = {0x00};
283 memcpy(key, datain, sizeof(key) );
284
285 if ( !mifare_ultra_auth(key) ) {
286 OnError(1);
287 return;
288 }
289 }
290
291 // UL-EV1 / NTAG authentication
292 if (usePwd) {
293 uint8_t pwd[4] = {0x00};
294 memcpy(pwd, datain, sizeof(pwd));
295 uint8_t pack[4] = {0,0,0,0};
296
297 if (!mifare_ul_ev1_auth(pwd, pack)){
298 OnError(1);
299 return;
300 }
301 }
302
303 for (int i = 0; i < blocks; i++){
304 if ((i*4) + 4 >= CARD_MEMORY_SIZE) {
305 Dbprintf("Data exceeds buffer!!");
306 break;
307 }
308
309 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
310
311 if (len) {
312 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
313 // if no blocks read - error out
314 if (i==0){
315 OnError(2);
316 return;
317 } else {
318 //stop at last successful read block and return what we got
319 break;
320 }
321 } else {
322 countblocks++;
323 }
324 }
325
326 len = mifare_ultra_halt();
327 if (len) {
328 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
329 OnError(3);
330 return;
331 }
332
333 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
334
335 countblocks *= 4;
336
337 cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);
338 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
339 LEDsoff();
340 BigBuf_free();
341 set_tracing(FALSE);
342 }
343
344 //-----------------------------------------------------------------------------
345 // Select, Authenticate, Write a MIFARE tag.
346 // read block
347 //-----------------------------------------------------------------------------
348 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
349 {
350 // params
351 uint8_t blockNo = arg0;
352 uint8_t keyType = arg1;
353 uint64_t ui64Key = 0;
354 byte_t blockdata[16] = {0x00};
355
356 ui64Key = bytes_to_num(datain, 6);
357 memcpy(blockdata, datain + 10, 16);
358
359 // variables
360 byte_t isOK = 0;
361 uint8_t uid[10] = {0x00};
362 uint32_t cuid = 0;
363 struct Crypto1State mpcs = {0, 0};
364 struct Crypto1State *pcs;
365 pcs = &mpcs;
366
367 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
368
369 clear_trace();
370 set_tracing(true);
371
372 LED_A_ON();
373 LED_B_OFF();
374 LED_C_OFF();
375
376 while (true) {
377 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
378 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
379 break;
380 };
381
382 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
383 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
384 break;
385 };
386
387 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
388 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
389 break;
390 };
391
392 if(mifare_classic_halt(pcs, cuid)) {
393 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
394 break;
395 };
396
397 isOK = 1;
398 break;
399 }
400
401 crypto1_destroy(pcs);
402
403 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
404
405 cmd_send(CMD_ACK,isOK,0,0,0,0);
406
407 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
408 LEDsoff();
409 set_tracing(FALSE);
410 }
411
412 /* // Command not needed but left for future testing
413 void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
414 {
415 uint8_t blockNo = arg0;
416 byte_t blockdata[16] = {0x00};
417
418 memcpy(blockdata, datain, 16);
419
420 uint8_t uid[10] = {0x00};
421
422 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
423
424 clear_trace();
425 set_tracing(true);
426 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
427
428 if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) {
429 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
430 OnError(0);
431 return;
432 };
433
434 if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {
435 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
436 OnError(0);
437 return; };
438
439 if(mifare_ultra_halt()) {
440 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
441 OnError(0);
442 return;
443 };
444
445 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
446
447 cmd_send(CMD_ACK,1,0,0,0,0);
448 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
449 LEDsoff();
450 }
451 */
452
453 // Arg0 : Block to write to.
454 // Arg1 : 0 = use no authentication.
455 // 1 = use 0x1A authentication.
456 // 2 = use 0x1B authentication.
457 // datain : 4 first bytes is data to be written.
458 // : 4/16 next bytes is authentication key.
459 void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
460 {
461 uint8_t blockNo = arg0;
462 bool useKey = (arg1 == 1); //UL_C
463 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
464 byte_t blockdata[4] = {0x00};
465
466 memcpy(blockdata, datain,4);
467
468 LEDsoff();
469 LED_A_ON();
470 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
471
472 clear_trace();
473 set_tracing(true);
474
475 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
476 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
477 OnError(0);
478 return;
479 };
480
481 // UL-C authentication
482 if ( useKey ) {
483 uint8_t key[16] = {0x00};
484 memcpy(key, datain+4, sizeof(key) );
485
486 if ( !mifare_ultra_auth(key) ) {
487 OnError(1);
488 return;
489 }
490 }
491
492 // UL-EV1 / NTAG authentication
493 if (usePwd) {
494 uint8_t pwd[4] = {0x00};
495 memcpy(pwd, datain+4, 4);
496 uint8_t pack[4] = {0,0,0,0};
497 if (!mifare_ul_ev1_auth(pwd, pack)) {
498 OnError(1);
499 return;
500 }
501 }
502
503 if(mifare_ultra_writeblock(blockNo, blockdata)) {
504 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
505 OnError(0);
506 return;
507 };
508
509 if(mifare_ultra_halt()) {
510 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
511 OnError(0);
512 return;
513 };
514
515 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
516
517 cmd_send(CMD_ACK,1,0,0,0,0);
518 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
519 LEDsoff();
520 set_tracing(FALSE);
521 }
522
523 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
524
525 uint8_t pwd[16] = {0x00};
526 byte_t blockdata[4] = {0x00};
527
528 memcpy(pwd, datain, 16);
529
530 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
531 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
532
533 clear_trace();
534 set_tracing(true);
535
536 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
537 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
538 OnError(0);
539 return;
540 };
541
542 blockdata[0] = pwd[7];
543 blockdata[1] = pwd[6];
544 blockdata[2] = pwd[5];
545 blockdata[3] = pwd[4];
546 if(mifare_ultra_writeblock( 44, blockdata)) {
547 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
548 OnError(44);
549 return;
550 };
551
552 blockdata[0] = pwd[3];
553 blockdata[1] = pwd[2];
554 blockdata[2] = pwd[1];
555 blockdata[3] = pwd[0];
556 if(mifare_ultra_writeblock( 45, blockdata)) {
557 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
558 OnError(45);
559 return;
560 };
561
562 blockdata[0] = pwd[15];
563 blockdata[1] = pwd[14];
564 blockdata[2] = pwd[13];
565 blockdata[3] = pwd[12];
566 if(mifare_ultra_writeblock( 46, blockdata)) {
567 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
568 OnError(46);
569 return;
570 };
571
572 blockdata[0] = pwd[11];
573 blockdata[1] = pwd[10];
574 blockdata[2] = pwd[9];
575 blockdata[3] = pwd[8];
576 if(mifare_ultra_writeblock( 47, blockdata)) {
577 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
578 OnError(47);
579 return;
580 };
581
582 if(mifare_ultra_halt()) {
583 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
584 OnError(0);
585 return;
586 };
587
588 cmd_send(CMD_ACK,1,0,0,0,0);
589 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
590 LEDsoff();
591 set_tracing(FALSE);
592 }
593
594 // Return 1 if the nonce is invalid else return 0
595 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
596 return ((oddparity8((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity8((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
597 (oddparity8((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity8((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
598 (oddparity8((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity8((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
599 }
600
601
602 //-----------------------------------------------------------------------------
603 // acquire encrypted nonces in order to perform the attack described in
604 // Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
605 // Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
606 // Computer and Communications Security, 2015
607 //-----------------------------------------------------------------------------
608 #define AUTHENTICATION_TIMEOUT 848 //848 // card times out 1ms after wrong authentication (according to NXP documentation)
609 #define PRE_AUTHENTICATION_LEADTIME 400 // some (non standard) cards need a pause after select before they are ready for first authentication
610
611 void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)
612 {
613 uint64_t ui64Key = 0;
614 uint8_t uid[10] = {0x00};
615 uint32_t cuid = 0;
616 uint8_t cascade_levels = 0;
617 struct Crypto1State mpcs = {0, 0};
618 struct Crypto1State *pcs;
619 pcs = &mpcs;
620 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
621 int16_t isOK = 0;
622 uint8_t par_enc[1] = {0x00};
623 uint8_t nt_par_enc = 0;
624 uint8_t buf[USB_CMD_DATA_SIZE] = {0x00};
625 uint32_t timeout = 0;
626
627 uint8_t blockNo = arg0 & 0xff;
628 uint8_t keyType = (arg0 >> 8) & 0xff;
629 uint8_t targetBlockNo = arg1 & 0xff;
630 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
631 ui64Key = bytes_to_num(datain, 6);
632 bool initialize = flags & 0x0001;
633 bool slow = flags & 0x0002;
634 bool field_off = flags & 0x0004;
635
636 LED_A_ON();
637 LED_C_OFF();
638
639 BigBuf_free(); BigBuf_Clear_ext(false);
640 clear_trace();
641 set_tracing(FALSE);
642
643 if (initialize) {
644 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
645 }
646
647 LED_C_ON();
648
649 uint8_t dummy_answer = 0;
650 uint16_t num_nonces = 0;
651 bool have_uid = false;
652 for (uint16_t i = 0; i <= USB_CMD_DATA_SIZE - 9; ) {
653
654 // Test if the action was cancelled
655 if(BUTTON_PRESS()) {
656 isOK = 2;
657 field_off = true;
658 break;
659 }
660
661 if (!have_uid) { // need a full select cycle to get the uid first
662 iso14a_card_select_t card_info;
663 if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {
664 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (ALL)");
665 continue;
666 }
667 switch (card_info.uidlen) {
668 case 4 : cascade_levels = 1; break;
669 case 7 : cascade_levels = 2; break;
670 case 10: cascade_levels = 3; break;
671 default: break;
672 }
673 have_uid = true;
674 } else { // no need for anticollision. We can directly select the card
675 if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels)) {
676 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (UID)");
677 continue;
678 }
679 }
680
681 if (slow) {
682 timeout = GetCountSspClk() + PRE_AUTHENTICATION_LEADTIME;
683 while(GetCountSspClk() < timeout);
684 }
685
686 uint32_t nt1;
687 if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, NULL)) {
688 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth1 error");
689 continue;
690 }
691
692 // nested authentication
693 uint16_t len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par_enc, NULL);
694 if (len != 4) {
695 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth2 error len=%d", len);
696 continue;
697 }
698
699 // send a dummy byte as reader response in order to trigger the cards authentication timeout
700 ReaderTransmit(&dummy_answer, 1, NULL);
701 timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;
702
703 num_nonces++;
704 if (num_nonces % 2) {
705 memcpy(buf+i, receivedAnswer, 4);
706 nt_par_enc = par_enc[0] & 0xf0;
707 } else {
708 nt_par_enc |= par_enc[0] >> 4;
709 memcpy(buf+i+4, receivedAnswer, 4);
710 memcpy(buf+i+8, &nt_par_enc, 1);
711 i += 9;
712 }
713 // wait for the card to become ready again
714 while(GetCountSspClk() < timeout);
715 }
716
717 LED_C_OFF();
718 crypto1_destroy(pcs);
719 LED_B_ON();
720 cmd_send(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));
721 LED_B_OFF();
722
723 if (MF_DBGLEVEL >= 3) DbpString("AcquireEncryptedNonces finished");
724
725 if (field_off) {
726 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
727 LEDsoff();
728 set_tracing(FALSE);
729 }
730 }
731
732
733 //-----------------------------------------------------------------------------
734 // MIFARE nested authentication.
735 //
736 //-----------------------------------------------------------------------------
737 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
738 {
739 // params
740 uint8_t blockNo = arg0 & 0xff;
741 uint8_t keyType = (arg0 >> 8) & 0xff;
742 uint8_t targetBlockNo = arg1 & 0xff;
743 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
744 uint64_t ui64Key = 0;
745
746 ui64Key = bytes_to_num(datain, 6);
747
748 // variables
749 uint16_t rtr, i, j, len;
750 uint16_t davg = 0;
751 static uint16_t dmin, dmax;
752 uint8_t uid[10] = {0x00};
753 uint32_t cuid = 0, nt1, nt2, nttmp, nttest, ks1;
754 uint8_t par[1] = {0x00};
755 uint32_t target_nt[2] = {0x00}, target_ks[2] = {0x00};
756
757 uint8_t par_array[4] = {0x00};
758 uint16_t ncount = 0;
759 struct Crypto1State mpcs = {0, 0};
760 struct Crypto1State *pcs;
761 pcs = &mpcs;
762 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
763
764 uint32_t auth1_time, auth2_time;
765 static uint16_t delta_time = 0;
766
767 LED_A_ON();
768 LED_C_OFF();
769 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
770
771 // free eventually allocated BigBuf memory
772 BigBuf_free(); BigBuf_Clear_ext(false);
773
774 if (calibrate) clear_trace();
775 set_tracing(true);
776
777 // statistics on nonce distance
778 int16_t isOK = 0;
779 #define NESTED_MAX_TRIES 12
780 uint16_t unsuccessfull_tries = 0;
781 if (calibrate) { // for first call only. Otherwise reuse previous calibration
782 LED_B_ON();
783 WDT_HIT();
784
785 davg = dmax = 0;
786 dmin = 2000;
787 delta_time = 0;
788
789 for (rtr = 0; rtr < 17; rtr++) {
790
791 // Test if the action was cancelled
792 if(BUTTON_PRESS()) {
793 isOK = -2;
794 break;
795 }
796
797 // prepare next select. No need to power down the card.
798 if(mifare_classic_halt(pcs, cuid)) {
799 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
800 rtr--;
801 continue;
802 }
803
804 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
805 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
806 rtr--;
807 continue;
808 };
809
810 auth1_time = 0;
811 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
812 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
813 rtr--;
814 continue;
815 };
816 auth2_time = (delta_time) ? auth1_time + delta_time : 0;
817
818 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
819 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
820 rtr--;
821 continue;
822 };
823
824 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
825 for (i = 101; i < 1200; i++) {
826 nttmp = prng_successor(nttmp, 1);
827 if (nttmp == nt2) break;
828 }
829
830 if (i != 1200) {
831 if (rtr != 0) {
832 davg += i;
833 dmin = MIN(dmin, i);
834 dmax = MAX(dmax, i);
835 }
836 else {
837 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
838 }
839 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
840 } else {
841 unsuccessfull_tries++;
842 if (unsuccessfull_tries > NESTED_MAX_TRIES) { // card isn't vulnerable to nested attack (random numbers are not predictable)
843 isOK = -3;
844 }
845 }
846 }
847
848 davg = (davg + (rtr - 1)/2) / (rtr - 1);
849
850 if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);
851
852 dmin = davg - 2;
853 dmax = davg + 2;
854
855 LED_B_OFF();
856 }
857 // -------------------------------------------------------------------------------------------------
858
859 LED_C_ON();
860
861 // get crypted nonces for target sector
862 for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces
863
864 target_nt[i] = 0;
865 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
866
867 // prepare next select. No need to power down the card.
868 if(mifare_classic_halt(pcs, cuid)) {
869 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
870 continue;
871 }
872
873 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
874 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
875 continue;
876 };
877
878 auth1_time = 0;
879 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
880 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
881 continue;
882 };
883
884 // nested authentication
885 auth2_time = auth1_time + delta_time;
886
887 len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
888 if (len != 4) {
889 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
890 continue;
891 };
892
893 nt2 = bytes_to_num(receivedAnswer, 4);
894 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
895
896 // Parity validity check
897 // for (j = 0; j < 4; j++) {
898 // par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
899 // }
900 par_array[0] = (oddparity8(receivedAnswer[0]) != ((par[0] >> (7-0)) & 0x01));
901 par_array[1] = (oddparity8(receivedAnswer[1]) != ((par[0] >> (7-1)) & 0x01));
902 par_array[2] = (oddparity8(receivedAnswer[2]) != ((par[0] >> (7-2)) & 0x01));
903 par_array[3] = (oddparity8(receivedAnswer[3]) != ((par[0] >> (7-3)) & 0x01));
904
905 ncount = 0;
906 nttest = prng_successor(nt1, dmin - 1);
907 for (j = dmin; j < dmax + 1; j++) {
908 nttest = prng_successor(nttest, 1);
909 ks1 = nt2 ^ nttest;
910
911 if (valid_nonce(nttest, nt2, ks1, par_array)){
912 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
913 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
914 target_nt[i] = 0;
915 break;
916 }
917 target_nt[i] = nttest;
918 target_ks[i] = ks1;
919 ncount++;
920 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
921 target_nt[i] = 0;
922 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
923 break;
924 }
925 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
926 }
927 }
928 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
929 }
930 }
931
932 LED_C_OFF();
933
934 crypto1_destroy(pcs);
935
936 byte_t buf[4 + 4 * 4] = {0};
937 memcpy(buf, &cuid, 4);
938 memcpy(buf+4, &target_nt[0], 4);
939 memcpy(buf+8, &target_ks[0], 4);
940 memcpy(buf+12, &target_nt[1], 4);
941 memcpy(buf+16, &target_ks[1], 4);
942
943 LED_B_ON();
944 cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
945 LED_B_OFF();
946
947 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
948
949 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
950 LEDsoff();
951 set_tracing(FALSE);
952 }
953
954 //-----------------------------------------------------------------------------
955 // MIFARE check keys. key count up to 85.
956 //
957 //-----------------------------------------------------------------------------
958 void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) {
959 uint8_t blockNo = arg0 & 0xff;
960 uint8_t keyType = (arg0 >> 8) & 0xff;
961 bool clearTrace = arg1;
962 uint8_t keyCount = arg2;
963 uint64_t ui64Key = 0;
964
965 bool have_uid = FALSE;
966 uint8_t cascade_levels = 0;
967 uint32_t timeout = 0;
968
969 int i;
970 byte_t isOK = 0;
971 uint8_t uid[10] = {0x00};
972 uint32_t cuid = 0;
973 struct Crypto1State mpcs = {0, 0};
974 struct Crypto1State *pcs;
975 pcs = &mpcs;
976
977 // save old debuglevel, and tempory turn off dbg printing. speedissues.
978 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
979 MF_DBGLEVEL = MF_DBG_NONE;
980
981 LEDsoff();
982 LED_A_ON();
983
984 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
985
986 if (clearTrace)
987 clear_trace();
988
989 set_tracing(TRUE);
990
991 for (i = 0; i < keyCount; ++i) {
992
993 //mifare_classic_halt(pcs, cuid);
994
995 // this part is from Piwi's faster nonce collecting part in Hardnested.
996 if (!have_uid) { // need a full select cycle to get the uid first
997 iso14a_card_select_t card_info;
998 if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {
999 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card (ALL)");
1000 break;
1001 }
1002 switch (card_info.uidlen) {
1003 case 4 : cascade_levels = 1; break;
1004 case 7 : cascade_levels = 2; break;
1005 case 10: cascade_levels = 3; break;
1006 default: break;
1007 }
1008 have_uid = TRUE;
1009 } else { // no need for anticollision. We can directly select the card
1010 if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels)) {
1011 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card (UID)");
1012 continue;
1013 }
1014 }
1015
1016 ui64Key = bytes_to_num(datain + i * 6, 6);
1017
1018 if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
1019
1020 uint8_t dummy_answer = 0;
1021 ReaderTransmit(&dummy_answer, 1, NULL);
1022 timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;
1023
1024 // wait for the card to become ready again
1025 while(GetCountSspClk() < timeout);
1026
1027 continue;
1028 }
1029 isOK = 1;
1030 break;
1031 }
1032
1033 LED_B_ON();
1034 cmd_send(CMD_ACK, isOK, 0, 0, datain + i * 6, 6);
1035
1036 // restore debug level
1037 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
1038
1039 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1040 LEDsoff();
1041 set_tracing(FALSE);
1042 crypto1_destroy(pcs);
1043 }
1044
1045 //-----------------------------------------------------------------------------
1046 // MIFARE commands set debug level
1047 //
1048 //-----------------------------------------------------------------------------
1049 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1050 MF_DBGLEVEL = arg0;
1051 Dbprintf("Debug level: %d", MF_DBGLEVEL);
1052 }
1053
1054 //-----------------------------------------------------------------------------
1055 // Work with emulator memory
1056 //
1057 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
1058 // involved in dealing with emulator memory. But if it is called later, it might
1059 // destroy the Emulator Memory.
1060 //-----------------------------------------------------------------------------
1061
1062 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1063 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1064 emlClearMem();
1065 }
1066
1067 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1068 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1069 if (arg2==0) arg2 = 16; // backwards compat... default bytewidth
1070 emlSetMem_xt(datain, arg0, arg1, arg2); // data, block num, blocks count, block byte width
1071 }
1072
1073 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1074 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1075 byte_t buf[USB_CMD_DATA_SIZE] = {0x00};
1076 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
1077
1078 LED_B_ON();
1079 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
1080 LED_B_OFF();
1081 }
1082
1083 //-----------------------------------------------------------------------------
1084 // Load a card into the emulator memory
1085 //
1086 //-----------------------------------------------------------------------------
1087 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1088 uint8_t numSectors = arg0;
1089 uint8_t keyType = arg1;
1090 uint64_t ui64Key = 0;
1091 uint32_t cuid = 0;
1092 struct Crypto1State mpcs = {0, 0};
1093 struct Crypto1State *pcs;
1094 pcs = &mpcs;
1095
1096 // variables
1097 byte_t dataoutbuf[16] = {0x00};
1098 byte_t dataoutbuf2[16] = {0x00};
1099 uint8_t uid[10] = {0x00};
1100
1101 LED_A_ON();
1102 LED_B_OFF();
1103 LED_C_OFF();
1104 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1105
1106 clear_trace();
1107 set_tracing(TRUE);
1108
1109 bool isOK = true;
1110
1111 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
1112 isOK = false;
1113 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1114 }
1115
1116 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
1117 ui64Key = emlGetKey(sectorNo, keyType);
1118 if (sectorNo == 0){
1119 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
1120 isOK = false;
1121 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
1122 break;
1123 }
1124 } else {
1125 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
1126 isOK = false;
1127 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
1128 break;
1129 }
1130 }
1131
1132 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
1133 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
1134 isOK = false;
1135 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
1136 break;
1137 }
1138 if (isOK) {
1139 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
1140 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
1141 } else { // sector trailer, keep the keys, set only the AC
1142 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1143 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
1144 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1145 }
1146 }
1147 }
1148
1149 }
1150
1151 if(mifare_classic_halt(pcs, cuid))
1152 if (MF_DBGLEVEL >= 1)
1153 Dbprintf("Halt error");
1154
1155 // ----------------------------- crypto1 destroy
1156 crypto1_destroy(pcs);
1157
1158 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1159 LEDsoff();
1160
1161 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
1162
1163 set_tracing(FALSE);
1164 }
1165
1166
1167 //-----------------------------------------------------------------------------
1168 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
1169 //
1170 // PARAMS - workFlags
1171 // bit 0 - need get UID
1172 // bit 1 - need wupC
1173 // bit 2 - need HALT after sequence
1174 // bit 3 - need turn on FPGA before sequence
1175 // bit 4 - need turn off FPGA
1176 // bit 5 - need to set datain instead of issuing USB reply (called via ARM for StandAloneMode14a)
1177 // bit 6 - wipe tag.
1178 //-----------------------------------------------------------------------------
1179 // magic uid card generation 1 commands
1180 uint8_t wupC1[] = { MIFARE_MAGICWUPC1 };
1181 uint8_t wupC2[] = { MIFARE_MAGICWUPC2 };
1182 uint8_t wipeC[] = { MIFARE_MAGICWIPEC };
1183
1184 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
1185
1186 // params
1187 uint8_t workFlags = arg0;
1188 uint8_t blockNo = arg1;
1189
1190 // variables
1191 bool isOK = false; //assume we will get an error
1192 uint8_t errormsg = 0x00;
1193 uint8_t uid[10] = {0x00};
1194 uint8_t data[18] = {0x00};
1195 uint32_t cuid = 0;
1196
1197 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
1198 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
1199
1200 if (workFlags & MAGIC_INIT) {
1201 LED_A_ON();
1202 LED_B_OFF();
1203 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1204 clear_trace();
1205 set_tracing(TRUE);
1206 }
1207
1208 //loop doesn't loop just breaks out if error
1209 while (true) {
1210 // read UID and return to client with write
1211 if (workFlags & MAGIC_UID) {
1212 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
1213 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1214 errormsg = MAGIC_UID;
1215 }
1216 mifare_classic_halt_ex(NULL);
1217 break;
1218 }
1219
1220 // wipe tag, fill it with zeros
1221 if (workFlags & MAGIC_WIPE){
1222 ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);
1223 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1224 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
1225 errormsg = MAGIC_WIPE;
1226 break;
1227 }
1228
1229 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1230 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1231 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wipeC error");
1232 errormsg = MAGIC_WIPE;
1233 break;
1234 }
1235
1236 mifare_classic_halt_ex(NULL);
1237 }
1238
1239 // write block
1240 if (workFlags & MAGIC_WUPC) {
1241 ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);
1242 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1243 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
1244 errormsg = MAGIC_WUPC;
1245 break;
1246 }
1247
1248 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1249 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1250 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC2 error");
1251 errormsg = MAGIC_WUPC;
1252 break;
1253 }
1254 }
1255
1256 if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_WRITEBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1257 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("write block send command error");
1258 errormsg = 4;
1259 break;
1260 }
1261
1262 memcpy(data, datain, 16);
1263 AppendCrc14443a(data, 16);
1264
1265 ReaderTransmit(data, sizeof(data), NULL);
1266 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1267 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("write block send data error");
1268 errormsg = 0;
1269 break;
1270 }
1271
1272 if (workFlags & MAGIC_OFF)
1273 mifare_classic_halt_ex(NULL);
1274
1275 isOK = true;
1276 break;
1277
1278 } // end while
1279
1280 if (isOK )
1281 cmd_send(CMD_ACK,1,0,0,uid,sizeof(uid));
1282 else
1283 OnErrorMagic(errormsg);
1284
1285 if (workFlags & MAGIC_OFF)
1286 OnSuccessMagic();
1287 }
1288
1289 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
1290
1291 uint8_t workFlags = arg0;
1292 uint8_t blockNo = arg1;
1293 uint8_t errormsg = 0x00;
1294 bool isOK = false; //assume we will get an error
1295
1296 // variables
1297 uint8_t data[MAX_MIFARE_FRAME_SIZE];
1298 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
1299 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
1300
1301 memset(data, 0x00, sizeof(data));
1302
1303 if (workFlags & MAGIC_INIT) {
1304 LED_A_ON();
1305 LED_B_OFF();
1306 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1307 clear_trace();
1308 set_tracing(TRUE);
1309 }
1310
1311 //loop doesn't loop just breaks out if error or done
1312 while (true) {
1313 if (workFlags & MAGIC_WUPC) {
1314 ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);
1315 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1316 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
1317 errormsg = MAGIC_WUPC;
1318 break;
1319 }
1320
1321 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1322 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1323 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC2 error");
1324 errormsg = MAGIC_WUPC;
1325 break;
1326 }
1327 }
1328
1329 // read block
1330 if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_READBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1331 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("read block send command error");
1332 errormsg = 0;
1333 break;
1334 }
1335
1336 memcpy(data, receivedAnswer, sizeof(data));
1337
1338 // send HALT
1339 if (workFlags & MAGIC_HALT)
1340 mifare_classic_halt_ex(NULL);
1341
1342 isOK = true;
1343 break;
1344 }
1345 // if MAGIC_DATAIN, the data stays on device side.
1346 if (workFlags & MAGIC_DATAIN) {
1347 if (isOK)
1348 memcpy(datain, data, sizeof(data));
1349 } else {
1350 if (isOK)
1351 cmd_send(CMD_ACK,1,0,0,data,sizeof(data));
1352 else
1353 OnErrorMagic(errormsg);
1354 }
1355
1356 if (workFlags & MAGIC_OFF)
1357 OnSuccessMagic();
1358 }
1359
1360 void MifareCIdent(){
1361
1362 // variables
1363 bool isOK = true;
1364 uint8_t receivedAnswer[1] = {0x00};
1365 uint8_t receivedAnswerPar[1] = {0x00};
1366
1367 ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);
1368 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1369 isOK = false;
1370 }
1371
1372 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1373 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1374 isOK = false;
1375 }
1376
1377 // removed the if, since some magic tags misbehavies and send an answer to it.
1378 mifare_classic_halt(NULL, 0);
1379 cmd_send(CMD_ACK,isOK,0,0,0,0);
1380 }
1381
1382 void OnSuccessMagic(){
1383 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1384 LEDsoff();
1385 set_tracing(FALSE);
1386 }
1387 void OnErrorMagic(uint8_t reason){
1388 // ACK, ISOK, reason,0,0,0
1389 cmd_send(CMD_ACK,0,reason,0,0,0);
1390 OnSuccessMagic();
1391 }
1392 //
1393 // DESFIRE
1394 //
1395 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1396 byte_t dataout[12] = {0x00};
1397 uint8_t uid[10] = {0x00};
1398 uint32_t cuid = 0;
1399
1400 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1401 clear_trace();
1402 set_tracing(true);
1403
1404 int len = iso14443a_select_card(uid, NULL, &cuid, true, 0);
1405 if(!len) {
1406 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1407 OnError(1);
1408 return;
1409 };
1410
1411 if(mifare_desfire_des_auth1(cuid, dataout)){
1412 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1413 OnError(4);
1414 return;
1415 }
1416
1417 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1418 cmd_send(CMD_ACK, 1, cuid, 0, dataout, sizeof(dataout));
1419 }
1420
1421 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1422 uint32_t cuid = arg0;
1423 uint8_t key[16] = {0x00};
1424 byte_t dataout[12] = {0x00};
1425 byte_t isOK = 0;
1426
1427 memcpy(key, datain, 16);
1428
1429 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1430
1431 if( isOK) {
1432 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");
1433 OnError(4);
1434 return;
1435 }
1436
1437 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
1438
1439 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1440 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1441 LEDsoff();
1442 set_tracing(FALSE);
1443 }
Proxmark3 GIT tracking
Impressum, Datenschutz