1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2012 Roel Verdult
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
7 //-----------------------------------------------------------------------------
8 // Low frequency Hitag support
9 //-----------------------------------------------------------------------------
15 #include "proxmark3.h"
17 #include "cmdparser.h"
25 static int CmdHelp(const char *Cmd
);
27 size_t nbytes(size_t nbits
) {
28 return (nbits
/8)+((nbits
%8)>0);
31 int CmdLFHitagList(const char *Cmd
)
33 uint8_t *got
= malloc(USB_CMD_DATA_SIZE
);
35 // Query for the actual size of the trace
37 GetFromBigBuf(got
, USB_CMD_DATA_SIZE
, 0);
38 WaitForResponse(CMD_ACK
, &response
);
39 uint16_t traceLen
= response
.arg
[2];
40 if (traceLen
> USB_CMD_DATA_SIZE
) {
41 uint8_t *p
= realloc(got
, traceLen
);
43 PrintAndLog("Cannot allocate memory for trace");
48 GetFromBigBuf(got
, traceLen
, 0);
49 WaitForResponse(CMD_ACK
,NULL
);
52 PrintAndLog("recorded activity (TraceLen = %d bytes):");
53 PrintAndLog(" ETU :nbits: who bytes");
54 PrintAndLog("---------+-----+----+-----------");
58 int len
= strlen(Cmd
);
60 char filename
[FILE_PATH_SIZE
] = { 0x00 };
63 if (len
> FILE_PATH_SIZE
)
65 memcpy(filename
, Cmd
, len
);
67 if (strlen(filename
) > 0) {
68 if ((pf
= fopen(filename
,"wb")) == NULL
) {
69 PrintAndLog("Error: Could not open file [%s]",filename
);
76 if(i
> traceLen
) { break; }
79 int timestamp
= *((uint32_t *)(got
+i
));
80 if (timestamp
& 0x80000000) {
81 timestamp
&= 0x7fffffff;
87 int parityBits
= *((uint32_t *)(got
+i
+4));
88 // 4 bytes of additional information...
89 // maximum of 32 additional parity bit information
92 // at each quarter bit period we can send power level (16 levels)
93 // or each half bit period in 256 levels.
96 int len
= nbytes(got
[i
+8]);
101 if (i
+ len
> traceLen
) { break;}
103 uint8_t *frame
= (got
+i
+9);
105 // Break and stick with current result if buffer was not completely full
106 if (frame
[0] == 0x44 && frame
[1] == 0x44 && frame
[3] == 0x44) { break; }
108 char line
[1000] = "";
110 for (j
= 0; j
< len
; j
++) {
112 //if((parityBits >> (len - j - 1)) & 0x01) {
113 if (isResponse
&& (oddparity8(frame
[j
]) != ((parityBits
>> (len
- j
- 1)) & 0x01))) {
114 sprintf(line
+(j
*4), "%02x! ", frame
[j
]);
117 sprintf(line
+(j
*4), "%02x ", frame
[j
]);
121 PrintAndLog(" +%7d: %3d: %s %s",
122 (prev
< 0 ? 0 : (timestamp
- prev
)),
124 (isResponse
? "TAG" : " "),
128 fprintf(pf
," +%7d: %3d: %s %s\n",
129 (prev
< 0 ? 0 : (timestamp
- prev
)),
131 (isResponse
? "TAG" : " "),
141 PrintAndLog("Recorded activity succesfully written to file: %s", filename
);
148 int CmdLFHitagSnoop(const char *Cmd
) {
149 UsbCommand c
= {CMD_SNOOP_HITAG
};
154 int CmdLFHitagSim(const char *Cmd
) {
156 UsbCommand c
= {CMD_SIMULATE_HITAG
};
157 char filename
[FILE_PATH_SIZE
] = { 0x00 };
159 bool tag_mem_supplied
;
160 int len
= strlen(Cmd
);
161 if (len
> FILE_PATH_SIZE
) len
= FILE_PATH_SIZE
;
162 memcpy(filename
, Cmd
, len
);
164 if (strlen(filename
) > 0) {
165 if ((pf
= fopen(filename
,"rb+")) == NULL
) {
166 PrintAndLog("Error: Could not open file [%s]",filename
);
169 tag_mem_supplied
= true;
170 if (fread(c
.d
.asBytes
,48,1,pf
) == 0) {
171 PrintAndLog("Error: File reading error");
177 tag_mem_supplied
= false;
180 // Does the tag comes with memory
181 c
.arg
[0] = (uint32_t)tag_mem_supplied
;
187 int CmdLFHitagReader(const char *Cmd
) {
188 UsbCommand c
= {CMD_READER_HITAG
};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
189 hitag_data
* htd
= (hitag_data
*)c
.d
.asBytes
;
190 hitag_function htf
= param_get32ex(Cmd
,0,0,10);
193 case 01: { //RHTSF_CHALLENGE
194 c
= (UsbCommand
){ CMD_READ_HITAG_S
};
195 num_to_bytes(param_get32ex(Cmd
,1,0,16),4,htd
->auth
.NrAr
);
196 num_to_bytes(param_get32ex(Cmd
,2,0,16),4,htd
->auth
.NrAr
+4);
198 case 02: { //RHTSF_KEY
199 c
= (UsbCommand
){ CMD_READ_HITAG_S
};
200 num_to_bytes(param_get64ex(Cmd
,1,0,16),6,htd
->crypto
.key
);
202 case RHT2F_PASSWORD
: {
203 num_to_bytes(param_get32ex(Cmd
,1,0,16),4,htd
->pwd
.password
);
205 case RHT2F_AUTHENTICATE
: {
206 num_to_bytes(param_get32ex(Cmd
,1,0,16),4,htd
->auth
.NrAr
);
207 num_to_bytes(param_get32ex(Cmd
,2,0,16),4,htd
->auth
.NrAr
+4);
210 num_to_bytes(param_get64ex(Cmd
,1,0,16),6,htd
->crypto
.key
);
211 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
213 case RHT2F_TEST_AUTH_ATTEMPTS
: {
214 // No additional parameters needed
216 case RHT2F_UID_ONLY
: {
217 // No additional parameters needed
220 PrintAndLog("\nError: unkown reader function %d",htf
);
222 PrintAndLog("Usage: hitag reader <Reader Function #>");
223 PrintAndLog("Reader Functions:");
224 PrintAndLog(" HitagS (0*)");
225 PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag");
226 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag");
227 PrintAndLog(" Hitag1 (1*)");
228 PrintAndLog(" Hitag2 (2*)");
229 PrintAndLog(" 21 <password> (password mode)");
230 PrintAndLog(" 22 <nr> <ar> (authentication)");
231 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
232 PrintAndLog(" 25 (test recorded authentications)");
233 PrintAndLog(" 26 just read UID");
238 // Copy the hitag2 function into the first argument
241 // Send the command to the proxmark
242 clearCommandBuffer();
246 WaitForResponse(CMD_ACK
,&resp
);
248 // Check the return status, stored in the first argument
249 if (resp
.arg
[0] == false) return 1;
251 uint32_t id
= bytes_to_num(resp
.d
.asBytes
,4);
253 if (htf
== RHT2F_UID_ONLY
){
254 PrintAndLog("Valid Hitag2 tag found - UID: %08x",id
);
259 sprintf(filename
,"%08x_%04x.ht2",id
,(rand() & 0xffff));
260 if ((pf
= fopen(filename
,"wb")) == NULL
) {
261 PrintAndLog("Error: Could not open file [%s]",filename
);
265 // Write the 48 tag memory bytes to file and finalize
266 fwrite(resp
.d
.asBytes
,1,48,pf
);
269 PrintAndLog("Succesfully saved tag memory to [%s]",filename
);
277 int CmdLFHitagSimS(const char *Cmd
) {
278 UsbCommand c
= { CMD_SIMULATE_HITAG_S
};
279 char filename
[FILE_PATH_SIZE
] = { 0x00 };
281 bool tag_mem_supplied
;
282 int len
= strlen(Cmd
);
283 if (len
> FILE_PATH_SIZE
)
284 len
= FILE_PATH_SIZE
;
285 memcpy(filename
, Cmd
, len
);
287 if (strlen(filename
) > 0) {
288 if ((pf
= fopen(filename
, "rb+")) == NULL
) {
289 PrintAndLog("Error: Could not open file [%s]", filename
);
292 tag_mem_supplied
= true;
293 if (fread(c
.d
.asBytes
, 4*64, 1, pf
) == 0) {
294 PrintAndLog("Error: File reading error");
300 tag_mem_supplied
= false;
303 // Does the tag comes with memory
304 c
.arg
[0] = (uint32_t) tag_mem_supplied
;
310 int CmdLFHitagCheckChallenges(const char *Cmd
) {
311 UsbCommand c
= { CMD_TEST_HITAGS_TRACES
};
312 char filename
[FILE_PATH_SIZE
] = { 0x00 };
315 int len
= strlen(Cmd
);
316 if (len
> FILE_PATH_SIZE
) len
= FILE_PATH_SIZE
;
317 memcpy(filename
, Cmd
, len
);
319 if (strlen(filename
) > 0) {
320 if ((pf
= fopen(filename
,"rb+")) == NULL
) {
321 PrintAndLog("Error: Could not open file [%s]",filename
);
325 if (fread(c
.d
.asBytes
,8*60,1,pf
) == 0) {
326 PrintAndLog("Error: File reading error");
335 //file with all the challenges to try
336 c
.arg
[0] = (uint32_t)file_given
;
343 int CmdLFHitagWP(const char *Cmd
) {
344 UsbCommand c
= { CMD_WR_HITAG_S
};
345 hitag_data
* htd
= (hitag_data
*)c
.d
.asBytes
;
346 hitag_function htf
= param_get32ex(Cmd
,0,0,10);
348 case 03: { //WHTSF_CHALLENGE
349 num_to_bytes(param_get64ex(Cmd
,1,0,16),8,htd
->auth
.NrAr
);
350 c
.arg
[2]= param_get32ex(Cmd
, 2, 0, 10);
351 num_to_bytes(param_get32ex(Cmd
,3,0,16),4,htd
->auth
.data
);
356 num_to_bytes(param_get64ex(Cmd
,1,0,16),6,htd
->crypto
.key
);
357 c
.arg
[2]= param_get32ex(Cmd
, 2, 0, 10);
358 num_to_bytes(param_get32ex(Cmd
,3,0,16),4,htd
->crypto
.data
);
362 PrintAndLog("Error: unkown writer function %d",htf
);
363 PrintAndLog("Hitag writer functions");
364 PrintAndLog(" HitagS (0*)");
365 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
366 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
367 PrintAndLog(" Hitag1 (1*)");
368 PrintAndLog(" Hitag2 (2*)");
369 PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
373 // Copy the hitag function into the first argument
376 // Send the command to the proxmark
380 WaitForResponse(CMD_ACK
,&resp
);
382 // Check the return status, stored in the first argument
383 if (resp
.arg
[0] == false) return 1;
388 static command_t CommandTable
[] =
390 {"help", CmdHelp
, 1, "This help"},
391 {"list", CmdLFHitagList
, 1, "<outfile> List Hitag trace history"},
392 {"reader", CmdLFHitagReader
, 1, "Act like a Hitag Reader"},
393 {"sim", CmdLFHitagSim
, 1, "<infile> Simulate Hitag transponder"},
394 {"snoop", CmdLFHitagSnoop
, 1, "Eavesdrop Hitag communication"},
395 {"writer", CmdLFHitagWP
, 1, "Act like a Hitag Writer" },
396 {"simS", CmdLFHitagSimS
, 1, "<hitagS.hts> Simulate HitagS transponder" },
397 {"checkChallenges", CmdLFHitagCheckChallenges
, 1, "<challenges.cc> test all challenges" }, {
401 int CmdLFHitag(const char *Cmd
)
403 CmdsParse(CommandTable
, Cmd
);
407 int CmdHelp(const char *Cmd
)
409 CmdsHelp(CommandTable
);