]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
hf mf sniff: small fixes
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17
18 #include "apps.h"
19 #include "util.h"
20 #include "parity.h"
21 #include "crc.h"
22
23 // the block number for the ISO14443-4 PCB
24 static uint8_t pcb_blocknum = 0;
25 // Deselect card by sending a s-block. the crc is precalced for speed
26 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
27
28 //-----------------------------------------------------------------------------
29 // Select, Authenticate, Read a MIFARE tag.
30 // read block
31 //-----------------------------------------------------------------------------
32 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
33 {
34 // params
35 uint8_t blockNo = arg0;
36 uint8_t keyType = arg1;
37 uint64_t ui64Key = 0;
38 ui64Key = bytes_to_num(datain, 6);
39
40 // variables
41 byte_t isOK = 0;
42 byte_t dataoutbuf[16];
43 uint8_t uid[10];
44 uint32_t cuid;
45 struct Crypto1State mpcs = {0, 0};
46 struct Crypto1State *pcs;
47 pcs = &mpcs;
48
49 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
50
51 clear_trace();
52
53 LED_A_ON();
54 LED_B_OFF();
55 LED_C_OFF();
56
57 while (true) {
58 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
60 break;
61 };
62
63 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
65 break;
66 };
67
68 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
69 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
70 break;
71 };
72
73 if(mifare_classic_halt(pcs, cuid)) {
74 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
75 break;
76 };
77
78 isOK = 1;
79 break;
80 }
81
82 // ----------------------------- crypto1 destroy
83 crypto1_destroy(pcs);
84
85 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
86
87 LED_B_ON();
88 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
89 LED_B_OFF();
90
91 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
92 LEDsoff();
93 }
94
95 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
96
97 bool turnOffField = (arg0 == 1);
98
99 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
100
101 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
102
103 clear_trace();
104
105 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
106 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
107 OnError(0);
108 return;
109 };
110
111 if(!mifare_ultra_auth(keybytes)){
112 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
113 OnError(1);
114 return;
115 }
116
117 if (turnOffField) {
118 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
119 LEDsoff();
120 }
121 cmd_send(CMD_ACK,1,0,0,0,0);
122 }
123
124 // Arg0 = BlockNo,
125 // Arg1 = UsePwd bool
126 // datain = PWD bytes,
127 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
128 {
129 uint8_t blockNo = arg0;
130 byte_t dataout[16] = {0x00};
131 bool useKey = (arg1 == 1); //UL_C
132 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
133
134 LEDsoff();
135 LED_A_ON();
136 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
137
138 clear_trace();
139
140 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
141 if(!len) {
142 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
143 OnError(1);
144 return;
145 }
146
147 // UL-C authentication
148 if ( useKey ) {
149 uint8_t key[16] = {0x00};
150 memcpy(key, datain, sizeof(key) );
151
152 if ( !mifare_ultra_auth(key) ) {
153 OnError(1);
154 return;
155 }
156 }
157
158 // UL-EV1 / NTAG authentication
159 if ( usePwd ) {
160 uint8_t pwd[4] = {0x00};
161 memcpy(pwd, datain, 4);
162 uint8_t pack[4] = {0,0,0,0};
163 if (!mifare_ul_ev1_auth(pwd, pack)) {
164 OnError(1);
165 return;
166 }
167 }
168
169 if( mifare_ultra_readblock(blockNo, dataout) ) {
170 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
171 OnError(2);
172 return;
173 }
174
175 if( mifare_ultra_halt() ) {
176 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
177 OnError(3);
178 return;
179 }
180
181 cmd_send(CMD_ACK,1,0,0,dataout,16);
182 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
183 LEDsoff();
184 }
185
186 //-----------------------------------------------------------------------------
187 // Select, Authenticate, Read a MIFARE tag.
188 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
189 //-----------------------------------------------------------------------------
190 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
191 {
192 // params
193 uint8_t sectorNo = arg0;
194 uint8_t keyType = arg1;
195 uint64_t ui64Key = 0;
196 ui64Key = bytes_to_num(datain, 6);
197
198 // variables
199 byte_t isOK = 0;
200 byte_t dataoutbuf[16 * 16];
201 uint8_t uid[10];
202 uint32_t cuid;
203 struct Crypto1State mpcs = {0, 0};
204 struct Crypto1State *pcs;
205 pcs = &mpcs;
206
207 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
208
209 clear_trace();
210
211 LED_A_ON();
212 LED_B_OFF();
213 LED_C_OFF();
214
215 isOK = 1;
216 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
217 isOK = 0;
218 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
219 }
220
221
222 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
223 isOK = 0;
224 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
225 }
226
227 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
228 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
229 isOK = 0;
230 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
231 break;
232 }
233 }
234
235 if(mifare_classic_halt(pcs, cuid)) {
236 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
237 }
238
239 // ----------------------------- crypto1 destroy
240 crypto1_destroy(pcs);
241
242 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
243
244 LED_B_ON();
245 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
246 LED_B_OFF();
247
248 // Thats it...
249 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
250 LEDsoff();
251 }
252
253 // arg0 = blockNo (start)
254 // arg1 = Pages (number of blocks)
255 // arg2 = useKey
256 // datain = KEY bytes
257 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
258 {
259 LEDsoff();
260 LED_A_ON();
261 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
262
263 // free eventually allocated BigBuf memory
264 BigBuf_free();
265 clear_trace();
266
267 // params
268 uint8_t blockNo = arg0;
269 uint16_t blocks = arg1;
270 bool useKey = (arg2 == 1); //UL_C
271 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
272 uint32_t countblocks = 0;
273 uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);
274 if (dataout == NULL){
275 Dbprintf("out of memory");
276 OnError(1);
277 return;
278 }
279
280 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
281 if (!len) {
282 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
283 OnError(1);
284 return;
285 }
286
287 // UL-C authentication
288 if ( useKey ) {
289 uint8_t key[16] = {0x00};
290 memcpy(key, datain, sizeof(key) );
291
292 if ( !mifare_ultra_auth(key) ) {
293 OnError(1);
294 return;
295 }
296 }
297
298 // UL-EV1 / NTAG authentication
299 if (usePwd) {
300 uint8_t pwd[4] = {0x00};
301 memcpy(pwd, datain, sizeof(pwd));
302 uint8_t pack[4] = {0,0,0,0};
303
304 if (!mifare_ul_ev1_auth(pwd, pack)){
305 OnError(1);
306 return;
307 }
308 }
309
310 for (int i = 0; i < blocks; i++){
311 if ((i*4) + 4 >= CARD_MEMORY_SIZE) {
312 Dbprintf("Data exceeds buffer!!");
313 break;
314 }
315
316 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
317
318 if (len) {
319 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
320 // if no blocks read - error out
321 if (i==0){
322 OnError(2);
323 return;
324 } else {
325 //stop at last successful read block and return what we got
326 break;
327 }
328 } else {
329 countblocks++;
330 }
331 }
332
333 len = mifare_ultra_halt();
334 if (len) {
335 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
336 OnError(3);
337 return;
338 }
339
340 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
341
342 countblocks *= 4;
343
344 cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);
345 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
346 LEDsoff();
347 BigBuf_free();
348 }
349
350 //-----------------------------------------------------------------------------
351 // Select, Authenticate, Write a MIFARE tag.
352 // read block
353 //-----------------------------------------------------------------------------
354 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
355 {
356 // params
357 uint8_t blockNo = arg0;
358 uint8_t keyType = arg1;
359 uint64_t ui64Key = 0;
360 byte_t blockdata[16];
361
362 ui64Key = bytes_to_num(datain, 6);
363 memcpy(blockdata, datain + 10, 16);
364
365 // variables
366 byte_t isOK = 0;
367 uint8_t uid[10];
368 uint32_t cuid;
369 struct Crypto1State mpcs = {0, 0};
370 struct Crypto1State *pcs;
371 pcs = &mpcs;
372
373 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
374
375 clear_trace();
376
377 LED_A_ON();
378 LED_B_OFF();
379 LED_C_OFF();
380
381 while (true) {
382 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
383 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
384 break;
385 };
386
387 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
388 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
389 break;
390 };
391
392 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
393 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
394 break;
395 };
396
397 if(mifare_classic_halt(pcs, cuid)) {
398 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
399 break;
400 };
401
402 isOK = 1;
403 break;
404 }
405
406 // ----------------------------- crypto1 destroy
407 crypto1_destroy(pcs);
408
409 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
410
411 LED_B_ON();
412 cmd_send(CMD_ACK,isOK,0,0,0,0);
413 LED_B_OFF();
414
415
416 // Thats it...
417 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
418 LEDsoff();
419 }
420
421 /* // Command not needed but left for future testing
422 void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
423 {
424 uint8_t blockNo = arg0;
425 byte_t blockdata[16] = {0x00};
426
427 memcpy(blockdata, datain, 16);
428
429 uint8_t uid[10] = {0x00};
430
431 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
432
433 clear_trace();
434 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
435
436 if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) {
437 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
438 OnError(0);
439 return;
440 };
441
442 if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {
443 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
444 OnError(0);
445 return; };
446
447 if(mifare_ultra_halt()) {
448 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
449 OnError(0);
450 return;
451 };
452
453 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
454
455 cmd_send(CMD_ACK,1,0,0,0,0);
456 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
457 LEDsoff();
458 }
459 */
460
461 // Arg0 : Block to write to.
462 // Arg1 : 0 = use no authentication.
463 // 1 = use 0x1A authentication.
464 // 2 = use 0x1B authentication.
465 // datain : 4 first bytes is data to be written.
466 // : 4/16 next bytes is authentication key.
467 void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
468 {
469 uint8_t blockNo = arg0;
470 bool useKey = (arg1 == 1); //UL_C
471 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
472 byte_t blockdata[4] = {0x00};
473
474 memcpy(blockdata, datain,4);
475
476 LEDsoff();
477 LED_A_ON();
478 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
479
480 clear_trace();
481
482 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
483 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
484 OnError(0);
485 return;
486 };
487
488 // UL-C authentication
489 if ( useKey ) {
490 uint8_t key[16] = {0x00};
491 memcpy(key, datain+4, sizeof(key) );
492
493 if ( !mifare_ultra_auth(key) ) {
494 OnError(1);
495 return;
496 }
497 }
498
499 // UL-EV1 / NTAG authentication
500 if (usePwd) {
501 uint8_t pwd[4] = {0x00};
502 memcpy(pwd, datain+4, 4);
503 uint8_t pack[4] = {0,0,0,0};
504 if (!mifare_ul_ev1_auth(pwd, pack)) {
505 OnError(1);
506 return;
507 }
508 }
509
510 if(mifare_ultra_writeblock(blockNo, blockdata)) {
511 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
512 OnError(0);
513 return;
514 };
515
516 if(mifare_ultra_halt()) {
517 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
518 OnError(0);
519 return;
520 };
521
522 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
523
524 cmd_send(CMD_ACK,1,0,0,0,0);
525 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
526 LEDsoff();
527 }
528
529 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
530
531 uint8_t pwd[16] = {0x00};
532 byte_t blockdata[4] = {0x00};
533
534 memcpy(pwd, datain, 16);
535
536 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
537 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
538
539 clear_trace();
540
541 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
542 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
543 OnError(0);
544 return;
545 };
546
547 blockdata[0] = pwd[7];
548 blockdata[1] = pwd[6];
549 blockdata[2] = pwd[5];
550 blockdata[3] = pwd[4];
551 if(mifare_ultra_writeblock( 44, blockdata)) {
552 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
553 OnError(44);
554 return;
555 };
556
557 blockdata[0] = pwd[3];
558 blockdata[1] = pwd[2];
559 blockdata[2] = pwd[1];
560 blockdata[3] = pwd[0];
561 if(mifare_ultra_writeblock( 45, blockdata)) {
562 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
563 OnError(45);
564 return;
565 };
566
567 blockdata[0] = pwd[15];
568 blockdata[1] = pwd[14];
569 blockdata[2] = pwd[13];
570 blockdata[3] = pwd[12];
571 if(mifare_ultra_writeblock( 46, blockdata)) {
572 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
573 OnError(46);
574 return;
575 };
576
577 blockdata[0] = pwd[11];
578 blockdata[1] = pwd[10];
579 blockdata[2] = pwd[9];
580 blockdata[3] = pwd[8];
581 if(mifare_ultra_writeblock( 47, blockdata)) {
582 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
583 OnError(47);
584 return;
585 };
586
587 if(mifare_ultra_halt()) {
588 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
589 OnError(0);
590 return;
591 };
592
593 cmd_send(CMD_ACK,1,0,0,0,0);
594 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
595 LEDsoff();
596 }
597
598 // Return 1 if the nonce is invalid else return 0
599 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
600 return ((oddparity8((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity8((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
601 (oddparity8((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity8((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
602 (oddparity8((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity8((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
603 }
604
605
606 //-----------------------------------------------------------------------------
607 // acquire encrypted nonces in order to perform the attack described in
608 // Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
609 // Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
610 // Computer and Communications Security, 2015
611 //-----------------------------------------------------------------------------
612 void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)
613 {
614 uint64_t ui64Key = 0;
615 uint8_t uid[10];
616 uint32_t cuid;
617 uint8_t cascade_levels = 0;
618 struct Crypto1State mpcs = {0, 0};
619 struct Crypto1State *pcs;
620 pcs = &mpcs;
621 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
622 int16_t isOK = 0;
623 uint8_t par_enc[1];
624 uint8_t nt_par_enc = 0;
625 uint8_t buf[USB_CMD_DATA_SIZE];
626 uint32_t timeout;
627
628 uint8_t blockNo = arg0 & 0xff;
629 uint8_t keyType = (arg0 >> 8) & 0xff;
630 uint8_t targetBlockNo = arg1 & 0xff;
631 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
632 ui64Key = bytes_to_num(datain, 6);
633 bool initialize = flags & 0x0001;
634 bool slow = flags & 0x0002;
635 bool field_off = flags & 0x0004;
636
637 LED_A_ON();
638 LED_C_OFF();
639
640 if (initialize) {
641 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
642 clear_trace();
643 set_tracing(true);
644 }
645
646 LED_C_ON();
647
648 uint16_t num_nonces = 0;
649 bool have_uid = false;
650 for (uint16_t i = 0; i <= USB_CMD_DATA_SIZE - 9; ) {
651
652 // Test if the action was cancelled
653 if(BUTTON_PRESS()) {
654 isOK = 2;
655 field_off = true;
656 break;
657 }
658
659 if (!have_uid) { // need a full select cycle to get the uid first
660 iso14a_card_select_t card_info;
661 if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0, true)) {
662 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (ALL)");
663 continue;
664 }
665 switch (card_info.uidlen) {
666 case 4 : cascade_levels = 1; break;
667 case 7 : cascade_levels = 2; break;
668 case 10: cascade_levels = 3; break;
669 default: break;
670 }
671 have_uid = true;
672 } else { // no need for anticollision. We can directly select the card
673 if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels, true)) {
674 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (UID)");
675 continue;
676 }
677 }
678
679 if (slow) {
680 timeout = GetCountSspClk() + PRE_AUTHENTICATION_LEADTIME;
681 while(GetCountSspClk() < timeout);
682 }
683
684 uint32_t nt1;
685 if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, NULL)) {
686 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth1 error");
687 continue;
688 }
689
690 // nested authentication
691 uint16_t len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par_enc, NULL);
692 if (len != 4) {
693 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth2 error len=%d", len);
694 continue;
695 }
696
697 // send a dummy response in order to trigger the cards authentication failure timeout
698 uint8_t dummy_answer[8] = {0};
699 ReaderTransmit(dummy_answer, 8, NULL);
700
701 num_nonces++;
702 if (num_nonces % 2) {
703 memcpy(buf+i, receivedAnswer, 4);
704 nt_par_enc = par_enc[0] & 0xf0;
705 } else {
706 nt_par_enc |= par_enc[0] >> 4;
707 memcpy(buf+i+4, receivedAnswer, 4);
708 memcpy(buf+i+8, &nt_par_enc, 1);
709 i += 9;
710 }
711
712 }
713
714 LED_C_OFF();
715
716 crypto1_destroy(pcs);
717
718 LED_B_ON();
719 cmd_send(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));
720 LED_B_OFF();
721
722 if (MF_DBGLEVEL >= 3) DbpString("AcquireEncryptedNonces finished");
723
724 if (field_off) {
725 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
726 LEDsoff();
727 }
728 }
729
730
731 //-----------------------------------------------------------------------------
732 // MIFARE nested authentication.
733 //
734 //-----------------------------------------------------------------------------
735 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
736 {
737 // params
738 uint8_t blockNo = arg0 & 0xff;
739 uint8_t keyType = (arg0 >> 8) & 0xff;
740 uint8_t targetBlockNo = arg1 & 0xff;
741 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
742 uint64_t ui64Key = 0;
743
744 ui64Key = bytes_to_num(datain, 6);
745
746 // variables
747 uint16_t rtr, i, j, len;
748 uint16_t davg;
749 static uint16_t dmin, dmax;
750 uint8_t uid[10];
751 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
752 uint8_t par[1];
753 uint32_t target_nt[2], target_ks[2];
754
755 uint8_t par_array[4];
756 uint16_t ncount = 0;
757 struct Crypto1State mpcs = {0, 0};
758 struct Crypto1State *pcs;
759 pcs = &mpcs;
760 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
761
762 uint32_t auth1_time, auth2_time;
763 static uint16_t delta_time;
764
765 LED_A_ON();
766 LED_C_OFF();
767 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
768
769 // free eventually allocated BigBuf memory
770 BigBuf_free();
771
772 if (calibrate) clear_trace();
773 set_tracing(true);
774
775 // statistics on nonce distance
776 int16_t isOK = 0;
777 #define NESTED_MAX_TRIES 12
778 uint16_t unsuccessfull_tries = 0;
779 if (calibrate) { // for first call only. Otherwise reuse previous calibration
780 LED_B_ON();
781 WDT_HIT();
782
783 davg = dmax = 0;
784 dmin = 2000;
785 delta_time = 0;
786
787 for (rtr = 0; rtr < 17; rtr++) {
788
789 // Test if the action was cancelled
790 if(BUTTON_PRESS()) {
791 isOK = -2;
792 break;
793 }
794
795 // prepare next select. No need to power down the card.
796 if(mifare_classic_halt(pcs, cuid)) {
797 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
798 rtr--;
799 continue;
800 }
801
802 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
803 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
804 rtr--;
805 continue;
806 };
807
808 auth1_time = 0;
809 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
810 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
811 rtr--;
812 continue;
813 };
814
815 if (delta_time) {
816 auth2_time = auth1_time + delta_time;
817 } else {
818 auth2_time = 0;
819 }
820 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
821 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
822 rtr--;
823 continue;
824 };
825
826 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
827 for (i = 101; i < 1200; i++) {
828 nttmp = prng_successor(nttmp, 1);
829 if (nttmp == nt2) break;
830 }
831
832 if (i != 1200) {
833 if (rtr != 0) {
834 davg += i;
835 dmin = MIN(dmin, i);
836 dmax = MAX(dmax, i);
837 }
838 else {
839 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
840 }
841 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
842 } else {
843 unsuccessfull_tries++;
844 if (unsuccessfull_tries > NESTED_MAX_TRIES) { // card isn't vulnerable to nested attack (random numbers are not predictable)
845 isOK = -3;
846 }
847 }
848 }
849
850 davg = (davg + (rtr - 1)/2) / (rtr - 1);
851
852 if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);
853
854 dmin = davg - 2;
855 dmax = davg + 2;
856
857 LED_B_OFF();
858
859 }
860 // -------------------------------------------------------------------------------------------------
861
862 LED_C_ON();
863
864 // get crypted nonces for target sector
865 for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces
866
867 target_nt[i] = 0;
868 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
869
870 // prepare next select. No need to power down the card.
871 if(mifare_classic_halt(pcs, cuid)) {
872 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
873 continue;
874 }
875
876 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
877 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
878 continue;
879 };
880
881 auth1_time = 0;
882 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
883 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
884 continue;
885 };
886
887 // nested authentication
888 auth2_time = auth1_time + delta_time;
889 len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
890 if (len != 4) {
891 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
892 continue;
893 };
894
895 nt2 = bytes_to_num(receivedAnswer, 4);
896 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
897
898 // Parity validity check
899 for (j = 0; j < 4; j++) {
900 par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
901 }
902
903 ncount = 0;
904 nttest = prng_successor(nt1, dmin - 1);
905 for (j = dmin; j < dmax + 1; j++) {
906 nttest = prng_successor(nttest, 1);
907 ks1 = nt2 ^ nttest;
908
909 if (valid_nonce(nttest, nt2, ks1, par_array)){
910 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
911 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
912 target_nt[i] = 0;
913 break;
914 }
915 target_nt[i] = nttest;
916 target_ks[i] = ks1;
917 ncount++;
918 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
919 target_nt[i] = 0;
920 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
921 break;
922 }
923 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
924 }
925 }
926 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
927 }
928 }
929
930 LED_C_OFF();
931
932 // ----------------------------- crypto1 destroy
933 crypto1_destroy(pcs);
934
935 byte_t buf[4 + 4 * 4];
936 memcpy(buf, &cuid, 4);
937 memcpy(buf+4, &target_nt[0], 4);
938 memcpy(buf+8, &target_ks[0], 4);
939 memcpy(buf+12, &target_nt[1], 4);
940 memcpy(buf+16, &target_ks[1], 4);
941
942 LED_B_ON();
943 cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
944 LED_B_OFF();
945
946 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
947
948 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
949 LEDsoff();
950 }
951
952 //-----------------------------------------------------------------------------
953 // MIFARE check keys. key count up to 85.
954 //
955 //-----------------------------------------------------------------------------
956 void MifareChkKeys(uint16_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
957 {
958 uint8_t blockNo = arg0 & 0xff;
959 uint8_t keyType = (arg0 >> 8) & 0xff;
960 bool clearTrace = arg1 & 0x01;
961 bool multisectorCheck = arg1 & 0x02;
962 uint8_t set14aTimeout = (arg1 >> 8) & 0xff;
963 uint8_t keyCount = arg2;
964
965 // clear debug level
966 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
967 MF_DBGLEVEL = MF_DBG_NONE;
968
969 LED_A_ON();
970 LED_B_OFF();
971 LED_C_OFF();
972 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
973
974 if (clearTrace) clear_trace();
975 set_tracing(true);
976
977 if (set14aTimeout){
978 iso14a_set_timeout(set14aTimeout * 10); // timeout: ms = x/106 35-minimum, 50-OK 106-recommended 500-safe
979 }
980
981 if (multisectorCheck) {
982 TKeyIndex keyIndex = {{0}};
983 uint8_t sectorCnt = blockNo;
984 int res = MifareMultisectorChk(datain, keyCount, sectorCnt, keyType, OLD_MF_DBGLEVEL, &keyIndex);
985
986 LED_B_ON();
987 if (res >= 0) {
988 cmd_send(CMD_ACK, 1, 0, 0, keyIndex, 80);
989 } else {
990 cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
991 }
992 LED_B_OFF();
993 } else {
994 int res = MifareChkBlockKeys(datain, keyCount, blockNo, keyType, OLD_MF_DBGLEVEL);
995
996 LED_B_ON();
997 if (res > 0) {
998 cmd_send(CMD_ACK, 1, 0, 0, datain + (res - 1) * 6, 6);
999 } else {
1000 cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
1001 }
1002 LED_B_OFF();
1003 }
1004
1005 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1006 LEDsoff();
1007
1008 // restore debug level
1009 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
1010 }
1011
1012 //-----------------------------------------------------------------------------
1013 // MIFARE commands set debug level
1014 //
1015 //-----------------------------------------------------------------------------
1016 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1017 MF_DBGLEVEL = arg0;
1018 Dbprintf("Debug level: %d", MF_DBGLEVEL);
1019 }
1020
1021 //-----------------------------------------------------------------------------
1022 // Work with emulator memory
1023 //
1024 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
1025 // involved in dealing with emulator memory. But if it is called later, it might
1026 // destroy the Emulator Memory.
1027 //-----------------------------------------------------------------------------
1028
1029 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1030 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1031 emlClearMem();
1032 }
1033
1034 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1035 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1036 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
1037 }
1038
1039 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1040 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1041 byte_t buf[USB_CMD_DATA_SIZE];
1042 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
1043
1044 LED_B_ON();
1045 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
1046 LED_B_OFF();
1047 }
1048
1049 //-----------------------------------------------------------------------------
1050 // Load a card into the emulator memory
1051 //
1052 //-----------------------------------------------------------------------------
1053 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1054 uint8_t numSectors = arg0;
1055 uint8_t keyType = arg1;
1056 uint64_t ui64Key = 0;
1057 uint32_t cuid;
1058 struct Crypto1State mpcs = {0, 0};
1059 struct Crypto1State *pcs;
1060 pcs = &mpcs;
1061
1062 // variables
1063 byte_t dataoutbuf[16];
1064 byte_t dataoutbuf2[16];
1065 uint8_t uid[10];
1066
1067 LED_A_ON();
1068 LED_B_OFF();
1069 LED_C_OFF();
1070 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1071
1072 clear_trace();
1073 set_tracing(false);
1074
1075 bool isOK = true;
1076
1077 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
1078 isOK = false;
1079 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1080 }
1081
1082 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
1083 ui64Key = emlGetKey(sectorNo, keyType);
1084 if (sectorNo == 0){
1085 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
1086 isOK = false;
1087 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
1088 break;
1089 }
1090 } else {
1091 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
1092 isOK = false;
1093 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
1094 break;
1095 }
1096 }
1097
1098 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
1099 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
1100 isOK = false;
1101 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
1102 break;
1103 };
1104 if (isOK) {
1105 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
1106 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
1107 } else { // sector trailer, keep the keys, set only the AC
1108 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1109 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
1110 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1111 }
1112 }
1113 }
1114
1115 }
1116
1117 if(mifare_classic_halt(pcs, cuid)) {
1118 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1119 };
1120
1121 // ----------------------------- crypto1 destroy
1122 crypto1_destroy(pcs);
1123
1124 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1125 LEDsoff();
1126
1127 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
1128
1129 }
1130
1131
1132 //-----------------------------------------------------------------------------
1133 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
1134 //
1135 //-----------------------------------------------------------------------------
1136
1137 static bool isBlockTrailer(int blockN) {
1138 if (blockN >= 0 && blockN < 128) {
1139 return ((blockN & 0x03) == 0x03);
1140 }
1141 if (blockN >= 128 && blockN <= 256) {
1142 return ((blockN & 0x0F) == 0x0F);
1143 }
1144 return FALSE;
1145 }
1146
1147 void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1148 // var
1149 byte_t isOK = 0;
1150 uint32_t numBlocks = arg0;
1151 // cmdParams:
1152 // bit 0 - wipe gen1a
1153 // bit 1 - fill card with default data
1154 // bit 2 - gen1a = 0, gen1b = 1
1155 uint8_t cmdParams = arg1;
1156 bool needWipe = cmdParams & 0x01;
1157 bool needFill = cmdParams & 0x02;
1158 bool gen1b = cmdParams & 0x04;
1159
1160 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1161 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1162
1163 uint8_t block0[16] = {0x01, 0x02, 0x03, 0x04, 0x04, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBE, 0xAF};
1164 uint8_t block1[16] = {0x00};
1165 uint8_t blockK[16] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x08, 0x77, 0x8F, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
1166 uint8_t d_block[18] = {0x00};
1167
1168 // card commands
1169 uint8_t wupC1[] = { 0x40 };
1170 uint8_t wupC2[] = { 0x43 };
1171 uint8_t wipeC[] = { 0x41 };
1172
1173 // iso14443 setup
1174 LED_A_ON();
1175 LED_B_OFF();
1176 LED_C_OFF();
1177 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1178
1179 // tracing
1180 clear_trace();
1181 set_tracing(true);
1182
1183 while (true){
1184 // wipe
1185 if (needWipe){
1186 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1187 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1188 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1189 break;
1190 };
1191
1192 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1193 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1194 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1195 break;
1196 };
1197
1198 if(mifare_classic_halt(NULL, 0)) {
1199 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1200 };
1201 };
1202
1203 // put default data
1204 if (needFill){
1205 // select commands
1206 ReaderTransmitBitsPar(wupC1, 7, 0, NULL);
1207
1208 // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)
1209 if (!gen1b) {
1210
1211 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1212 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1213 break;
1214 };
1215
1216 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1217 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1218 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1219 break;
1220 };
1221 }
1222
1223 // send blocks command
1224 for (int blockNo = 0; blockNo < numBlocks; blockNo++) {
1225 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1226 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1227 break;
1228 };
1229
1230 // check type of block and add crc
1231 if (!isBlockTrailer(blockNo)){
1232 memcpy(d_block, block1, 16);
1233 } else {
1234 memcpy(d_block, blockK, 16);
1235 }
1236 if (blockNo == 0) {
1237 memcpy(d_block, block0, 16);
1238 }
1239 AppendCrc14443a(d_block, 16);
1240
1241 // send write command
1242 ReaderTransmit(d_block, sizeof(d_block), NULL);
1243 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1244 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1245 break;
1246 };
1247 }
1248
1249 // halt
1250 // do no issue halt command for gen1b
1251 if (!gen1b) {
1252 if (mifare_classic_halt(NULL, 0)) {
1253 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1254 break;
1255 }
1256 }
1257 }
1258 break;
1259 }
1260
1261 // send USB response
1262 LED_B_ON();
1263 cmd_send(CMD_ACK,isOK,0,0,NULL,0);
1264 LED_B_OFF();
1265
1266 // reset fpga
1267 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1268 LEDsoff();
1269
1270 return;
1271 }
1272
1273 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1274
1275 // params
1276 uint8_t needWipe = arg0;
1277 // bit 0 - need get UID
1278 // bit 1 - need wupC
1279 // bit 2 - need HALT after sequence
1280 // bit 3 - need init FPGA and field before sequence
1281 // bit 4 - need reset FPGA and LED
1282 // bit 6 - gen1b backdoor type
1283 uint8_t workFlags = arg1;
1284 uint8_t blockNo = arg2;
1285
1286 // card commands
1287 uint8_t wupC1[] = { 0x40 };
1288 uint8_t wupC2[] = { 0x43 };
1289 uint8_t wipeC[] = { 0x41 };
1290
1291 // variables
1292 byte_t isOK = 0;
1293 uint8_t uid[10] = {0x00};
1294 uint8_t d_block[18] = {0x00};
1295 uint32_t cuid;
1296
1297 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1298 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1299
1300 // reset FPGA and LED
1301 if (workFlags & 0x08) {
1302 LED_A_ON();
1303 LED_B_OFF();
1304 LED_C_OFF();
1305 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1306
1307 clear_trace();
1308 set_tracing(true);
1309 }
1310
1311 while (true) {
1312
1313 // get UID from chip
1314 if (workFlags & 0x01) {
1315 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
1316 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1317 // Continue, if we set wrong UID or wrong UID checksum or some ATQA or SAK we will can't select card. But we need to write block 0 to make card work.
1318 //break;
1319 };
1320
1321 if(mifare_classic_halt(NULL, cuid)) {
1322 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1323 // Continue, some magic tags misbehavies and send an answer to it.
1324 // break;
1325 };
1326 };
1327
1328 // reset chip
1329 // Wipe command don't work with gen1b
1330 if (needWipe && !(workFlags & 0x40)){
1331 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1332 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1333 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1334 break;
1335 };
1336
1337 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1338 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1339 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1340 break;
1341 };
1342
1343 if(mifare_classic_halt(NULL, 0)) {
1344 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1345 // Continue, some magic tags misbehavies and send an answer to it.
1346 // break;
1347 };
1348 };
1349
1350 // write block
1351 if (workFlags & 0x02) {
1352 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1353
1354 // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)
1355 if (!(workFlags & 0x40)) {
1356
1357 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1358 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1359 break;
1360 };
1361
1362 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1363 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1364 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1365 break;
1366 };
1367 }
1368 }
1369
1370 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1371 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1372 break;
1373 };
1374
1375 memcpy(d_block, datain, 16);
1376 AppendCrc14443a(d_block, 16);
1377
1378 ReaderTransmit(d_block, sizeof(d_block), NULL);
1379 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1380 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1381 break;
1382 };
1383
1384 if (workFlags & 0x04) {
1385 // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1)
1386 if (!(workFlags & 0x40)) {
1387 if (mifare_classic_halt(NULL, 0)) {
1388 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1389 // Continue, some magic tags misbehavies and send an answer to it.
1390 // break;
1391 }
1392 }
1393 }
1394
1395 isOK = 1;
1396 break;
1397 }
1398
1399 LED_B_ON();
1400 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1401 LED_B_OFF();
1402
1403 if ((workFlags & 0x10) || (!isOK)) {
1404 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1405 LEDsoff();
1406 }
1407 }
1408
1409
1410 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1411
1412 // params
1413 // bit 1 - need wupC
1414 // bit 2 - need HALT after sequence
1415 // bit 3 - need init FPGA and field before sequence
1416 // bit 4 - need reset FPGA and LED
1417 // bit 5 - need to set datain instead of issuing USB reply (called via ARM for StandAloneMode14a)
1418 // bit 6 - gen1b backdoor type
1419 uint8_t workFlags = arg0;
1420 uint8_t blockNo = arg2;
1421
1422 // card commands
1423 uint8_t wupC1[] = { 0x40 };
1424 uint8_t wupC2[] = { 0x43 };
1425
1426 // variables
1427 byte_t isOK = 0;
1428 uint8_t data[18] = {0x00};
1429 uint32_t cuid = 0;
1430
1431 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1432 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1433
1434 if (workFlags & 0x08) {
1435 LED_A_ON();
1436 LED_B_OFF();
1437 LED_C_OFF();
1438 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1439
1440 clear_trace();
1441 set_tracing(true);
1442 }
1443
1444 while (true) {
1445 if (workFlags & 0x02) {
1446 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1447 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1448 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1449 break;
1450 };
1451 // do no issue for gen1b magic tag
1452 if (!(workFlags & 0x40)) {
1453 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1454 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1455 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1456 break;
1457 };
1458 }
1459 }
1460
1461 // read block
1462 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1463 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1464 break;
1465 };
1466 memcpy(data, receivedAnswer, 18);
1467
1468 if (workFlags & 0x04) {
1469 // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1)
1470 if (!(workFlags & 0x40)) {
1471 if (mifare_classic_halt(NULL, cuid)) {
1472 if (MF_DBGLEVEL > 1) Dbprintf("Halt error");
1473 // Continue, some magic tags misbehavies and send an answer to it.
1474 // break;
1475 }
1476 }
1477 }
1478
1479 isOK = 1;
1480 break;
1481 }
1482
1483 LED_B_ON();
1484 if (workFlags & 0x20) {
1485 if (isOK)
1486 memcpy(datain, data, 18);
1487 }
1488 else
1489 cmd_send(CMD_ACK,isOK,0,0,data,18);
1490 LED_B_OFF();
1491
1492 if ((workFlags & 0x10) || (!isOK)) {
1493 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1494 LEDsoff();
1495 }
1496 }
1497
1498 void MifareCIdent(){
1499
1500 // card commands
1501 uint8_t wupC1[] = { 0x40 };
1502 uint8_t wupC2[] = { 0x43 };
1503
1504 // variables
1505 byte_t isOK = 0;
1506
1507 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1508 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1509
1510 LED_A_ON();
1511 LED_B_OFF();
1512 LED_C_OFF();
1513 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1514
1515 clear_trace();
1516 set_tracing(true);
1517
1518 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1519 if(ReaderReceive(receivedAnswer, receivedAnswerPar) && (receivedAnswer[0] == 0x0a)) {
1520 isOK = 2;
1521
1522 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1523 if(ReaderReceive(receivedAnswer, receivedAnswerPar) && (receivedAnswer[0] == 0x0a)) {
1524 isOK = 1;
1525 };
1526 };
1527
1528 // From iceman1001: removed the if, since some magic tags misbehavies and send an answer to it.
1529 mifare_classic_halt(NULL, 0);
1530
1531 LED_B_ON();
1532 cmd_send(CMD_ACK,isOK,0,0,0,0);
1533 LED_B_OFF();
1534
1535 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1536 LEDsoff();
1537 }
1538
1539 //
1540 // DESFIRE
1541 //
1542
1543 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1544
1545 byte_t dataout[11] = {0x00};
1546 uint8_t uid[10] = {0x00};
1547 uint32_t cuid;
1548
1549 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1550 clear_trace();
1551
1552 int len = iso14443a_select_card(uid, NULL, &cuid, true, 0, true);
1553 if(!len) {
1554 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1555 OnError(1);
1556 return;
1557 };
1558
1559 if(mifare_desfire_des_auth1(cuid, dataout)){
1560 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1561 OnError(4);
1562 return;
1563 }
1564
1565 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1566 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1567 }
1568
1569 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1570
1571 uint32_t cuid = arg0;
1572 uint8_t key[16] = {0x00};
1573 byte_t isOK = 0;
1574 byte_t dataout[12] = {0x00};
1575
1576 memcpy(key, datain, 16);
1577
1578 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1579
1580 if( isOK) {
1581 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");
1582 OnError(4);
1583 return;
1584 }
1585
1586 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
1587
1588 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1589 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1590 LEDsoff();
1591 }
1592
1593 void OnSuccess(){
1594 pcb_blocknum = 0;
1595 ReaderTransmit(deselect_cmd, 3 , NULL);
1596 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1597 LEDsoff();
1598 }
1599
1600 void OnError(uint8_t reason){
1601 pcb_blocknum = 0;
1602 ReaderTransmit(deselect_cmd, 3 , NULL);
1603 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1604 cmd_send(CMD_ACK,0,reason,0,0,0);
1605 LEDsoff();
1606 }
Impressum, Datenschutz