]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
lf search use new psk, small demod adjustments
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18
19 //-----------------------------------------------------------------------------
20 // Select, Authenticate, Read a MIFARE tag.
21 // read block
22 //-----------------------------------------------------------------------------
23 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
24 {
25 // params
26 uint8_t blockNo = arg0;
27 uint8_t keyType = arg1;
28 uint64_t ui64Key = 0;
29 ui64Key = bytes_to_num(datain, 6);
30
31 // variables
32 byte_t isOK = 0;
33 byte_t dataoutbuf[16];
34 uint8_t uid[10];
35 uint32_t cuid;
36 struct Crypto1State mpcs = {0, 0};
37 struct Crypto1State *pcs;
38 pcs = &mpcs;
39
40 // clear trace
41 iso14a_clear_trace();
42 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
43
44 LED_A_ON();
45 LED_B_OFF();
46 LED_C_OFF();
47
48 while (true) {
49 if(!iso14443a_select_card(uid, NULL, &cuid)) {
50 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
51 break;
52 };
53
54 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
55 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
56 break;
57 };
58
59 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
60 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
61 break;
62 };
63
64 if(mifare_classic_halt(pcs, cuid)) {
65 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
66 break;
67 };
68
69 isOK = 1;
70 break;
71 }
72
73 // ----------------------------- crypto1 destroy
74 crypto1_destroy(pcs);
75
76 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
77
78 LED_B_ON();
79 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
80 LED_B_OFF();
81
82 // Thats it...
83 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
84 LEDsoff();
85 }
86
87 void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
88 {
89 // params
90 uint8_t blockNo = arg0;
91
92 // variables
93 byte_t isOK = 0;
94 byte_t dataoutbuf[16];
95 uint8_t uid[10];
96 uint32_t cuid;
97
98 // clear trace
99 iso14a_clear_trace();
100 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
101
102 LED_A_ON();
103 LED_B_OFF();
104 LED_C_OFF();
105
106 while (true) {
107 if(!iso14443a_select_card(uid, NULL, &cuid)) {
108 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
109 break;
110 };
111
112 if(mifare_ultra_readblock(cuid, blockNo, dataoutbuf)) {
113 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
114 break;
115 };
116
117 if(mifare_ultra_halt(cuid)) {
118 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
119 break;
120 };
121
122 isOK = 1;
123 break;
124 }
125
126 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
127
128 LED_B_ON();
129 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
130 LED_B_OFF();
131 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
132 LEDsoff();
133 }
134
135 //-----------------------------------------------------------------------------
136 // Select, Authenticate, Read a MIFARE tag.
137 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
138 //-----------------------------------------------------------------------------
139 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
140 {
141 // params
142 uint8_t sectorNo = arg0;
143 uint8_t keyType = arg1;
144 uint64_t ui64Key = 0;
145 ui64Key = bytes_to_num(datain, 6);
146
147 // variables
148 byte_t isOK = 0;
149 byte_t dataoutbuf[16 * 16];
150 uint8_t uid[10];
151 uint32_t cuid;
152 struct Crypto1State mpcs = {0, 0};
153 struct Crypto1State *pcs;
154 pcs = &mpcs;
155
156 // clear trace
157 iso14a_clear_trace();
158
159 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
160
161 LED_A_ON();
162 LED_B_OFF();
163 LED_C_OFF();
164
165 isOK = 1;
166 if(!iso14443a_select_card(uid, NULL, &cuid)) {
167 isOK = 0;
168 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
169 }
170
171
172 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
173 isOK = 0;
174 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
175 }
176
177 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
178 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
179 isOK = 0;
180 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
181 break;
182 }
183 }
184
185 if(mifare_classic_halt(pcs, cuid)) {
186 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
187 }
188
189 // ----------------------------- crypto1 destroy
190 crypto1_destroy(pcs);
191
192 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
193
194 LED_B_ON();
195 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
196 LED_B_OFF();
197
198 // Thats it...
199 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
200 LEDsoff();
201 }
202
203
204 void MifareUReadCard(uint8_t arg0, uint8_t *datain)
205 {
206 // params
207 uint8_t sectorNo = arg0;
208
209 // variables
210 byte_t isOK = 0;
211 byte_t dataoutbuf[16 * 4];
212 uint8_t uid[10];
213 uint32_t cuid;
214
215 // clear trace
216 iso14a_clear_trace();
217 // iso14a_set_tracing(false);
218
219 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
220
221 LED_A_ON();
222 LED_B_OFF();
223 LED_C_OFF();
224
225 while (true) {
226 if(!iso14443a_select_card(uid, NULL, &cuid)) {
227 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
228 break;
229 };
230 for(int sec=0;sec<16;sec++){
231 if(mifare_ultra_readblock(cuid, sectorNo * 4 + sec, dataoutbuf + 4 * sec)) {
232 if (MF_DBGLEVEL >= 1) Dbprintf("Read block %d error",sec);
233 break;
234 };
235 }
236 if(mifare_ultra_halt(cuid)) {
237 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
238 break;
239 };
240
241 isOK = 1;
242 break;
243 }
244
245 if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED");
246
247 LED_B_ON();
248 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64);
249 LED_B_OFF();
250
251 // Thats it...
252 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
253 LEDsoff();
254
255 }
256
257
258 //-----------------------------------------------------------------------------
259 // Select, Authenticate, Write a MIFARE tag.
260 // read block
261 //-----------------------------------------------------------------------------
262 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
263 {
264 // params
265 uint8_t blockNo = arg0;
266 uint8_t keyType = arg1;
267 uint64_t ui64Key = 0;
268 byte_t blockdata[16];
269
270 ui64Key = bytes_to_num(datain, 6);
271 memcpy(blockdata, datain + 10, 16);
272
273 // variables
274 byte_t isOK = 0;
275 uint8_t uid[10];
276 uint32_t cuid;
277 struct Crypto1State mpcs = {0, 0};
278 struct Crypto1State *pcs;
279 pcs = &mpcs;
280
281 // clear trace
282 iso14a_clear_trace();
283
284 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
285
286 LED_A_ON();
287 LED_B_OFF();
288 LED_C_OFF();
289
290 while (true) {
291 if(!iso14443a_select_card(uid, NULL, &cuid)) {
292 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
293 break;
294 };
295
296 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
297 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
298 break;
299 };
300
301 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
302 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
303 break;
304 };
305
306 if(mifare_classic_halt(pcs, cuid)) {
307 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
308 break;
309 };
310
311 isOK = 1;
312 break;
313 }
314
315 // ----------------------------- crypto1 destroy
316 crypto1_destroy(pcs);
317
318 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
319
320 LED_B_ON();
321 cmd_send(CMD_ACK,isOK,0,0,0,0);
322 LED_B_OFF();
323
324
325 // Thats it...
326 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
327 LEDsoff();
328 }
329
330 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
331 {
332 // params
333 uint8_t blockNo = arg0;
334 byte_t blockdata[16];
335
336 memset(blockdata,'\0',16);
337 memcpy(blockdata, datain,16);
338
339 // variables
340 byte_t isOK = 0;
341 uint8_t uid[10];
342 uint32_t cuid;
343
344 // clear trace
345 iso14a_clear_trace();
346
347 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
348
349 LED_A_ON();
350 LED_B_OFF();
351 LED_C_OFF();
352
353 while (true) {
354 if(!iso14443a_select_card(uid, NULL, &cuid)) {
355 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
356 break;
357 };
358
359 if(mifare_ultra_writeblock(cuid, blockNo, blockdata)) {
360 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
361 break;
362 };
363
364 if(mifare_ultra_halt(cuid)) {
365 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
366 break;
367 };
368
369 isOK = 1;
370 break;
371 }
372
373 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
374
375 LED_B_ON();
376 cmd_send(CMD_ACK,isOK,0,0,0,0);
377 LED_B_OFF();
378
379
380 // Thats it...
381 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
382 LEDsoff();
383 // iso14a_set_tracing(TRUE);
384 }
385
386 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
387 {
388 // params
389 uint8_t blockNo = arg0;
390 byte_t blockdata[4];
391
392 memcpy(blockdata, datain,4);
393
394 // variables
395 byte_t isOK = 0;
396 uint8_t uid[10];
397 uint32_t cuid;
398
399 // clear trace
400 iso14a_clear_trace();
401
402 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
403
404 LED_A_ON();
405 LED_B_OFF();
406 LED_C_OFF();
407
408 while (true) {
409 if(!iso14443a_select_card(uid, NULL, &cuid)) {
410 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
411 break;
412 };
413
414 if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) {
415 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
416 break;
417 };
418
419 if(mifare_ultra_halt(cuid)) {
420 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
421 break;
422 };
423
424 isOK = 1;
425 break;
426 }
427
428 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
429
430 LED_B_ON();
431 cmd_send(CMD_ACK,isOK,0,0,0,0);
432 LED_B_OFF();
433
434 // Thats it...
435 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
436 LEDsoff();
437 }
438
439 // Return 1 if the nonce is invalid else return 0
440 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
441 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
442 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
443 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
444 }
445
446
447 //-----------------------------------------------------------------------------
448 // MIFARE nested authentication.
449 //
450 //-----------------------------------------------------------------------------
451 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
452 {
453 // params
454 uint8_t blockNo = arg0 & 0xff;
455 uint8_t keyType = (arg0 >> 8) & 0xff;
456 uint8_t targetBlockNo = arg1 & 0xff;
457 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
458 uint64_t ui64Key = 0;
459
460 ui64Key = bytes_to_num(datain, 6);
461
462 // variables
463 uint16_t rtr, i, j, len;
464 uint16_t davg;
465 static uint16_t dmin, dmax;
466 uint8_t uid[10];
467 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
468 uint8_t par[1];
469 uint32_t target_nt[2], target_ks[2];
470
471 uint8_t par_array[4];
472 uint16_t ncount = 0;
473 struct Crypto1State mpcs = {0, 0};
474 struct Crypto1State *pcs;
475 pcs = &mpcs;
476 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
477
478 uint32_t auth1_time, auth2_time;
479 static uint16_t delta_time;
480
481 // clear trace
482 iso14a_clear_trace();
483 iso14a_set_tracing(false);
484
485 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
486
487 LED_A_ON();
488 LED_C_OFF();
489
490
491 // statistics on nonce distance
492 if (calibrate) { // for first call only. Otherwise reuse previous calibration
493 LED_B_ON();
494 WDT_HIT();
495
496 davg = dmax = 0;
497 dmin = 2000;
498 delta_time = 0;
499
500 for (rtr = 0; rtr < 17; rtr++) {
501
502 // prepare next select. No need to power down the card.
503 if(mifare_classic_halt(pcs, cuid)) {
504 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
505 rtr--;
506 continue;
507 }
508
509 if(!iso14443a_select_card(uid, NULL, &cuid)) {
510 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
511 rtr--;
512 continue;
513 };
514
515 auth1_time = 0;
516 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
517 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
518 rtr--;
519 continue;
520 };
521
522 if (delta_time) {
523 auth2_time = auth1_time + delta_time;
524 } else {
525 auth2_time = 0;
526 }
527 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
528 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
529 rtr--;
530 continue;
531 };
532
533 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
534 for (i = 101; i < 1200; i++) {
535 nttmp = prng_successor(nttmp, 1);
536 if (nttmp == nt2) break;
537 }
538
539 if (i != 1200) {
540 if (rtr != 0) {
541 davg += i;
542 dmin = MIN(dmin, i);
543 dmax = MAX(dmax, i);
544 }
545 else {
546 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
547 }
548 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
549 }
550 }
551
552 if (rtr <= 1) return;
553
554 davg = (davg + (rtr - 1)/2) / (rtr - 1);
555
556 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
557
558 dmin = davg - 2;
559 dmax = davg + 2;
560
561 LED_B_OFF();
562
563 }
564 // -------------------------------------------------------------------------------------------------
565
566 LED_C_ON();
567
568 // get crypted nonces for target sector
569 for(i=0; i < 2; i++) { // look for exactly two different nonces
570
571 target_nt[i] = 0;
572 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
573
574 // prepare next select. No need to power down the card.
575 if(mifare_classic_halt(pcs, cuid)) {
576 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
577 continue;
578 }
579
580 if(!iso14443a_select_card(uid, NULL, &cuid)) {
581 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
582 continue;
583 };
584
585 auth1_time = 0;
586 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
587 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
588 continue;
589 };
590
591 // nested authentication
592 auth2_time = auth1_time + delta_time;
593 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
594 if (len != 4) {
595 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
596 continue;
597 };
598
599 nt2 = bytes_to_num(receivedAnswer, 4);
600 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
601
602 // Parity validity check
603 for (j = 0; j < 4; j++) {
604 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
605 }
606
607 ncount = 0;
608 nttest = prng_successor(nt1, dmin - 1);
609 for (j = dmin; j < dmax + 1; j++) {
610 nttest = prng_successor(nttest, 1);
611 ks1 = nt2 ^ nttest;
612
613 if (valid_nonce(nttest, nt2, ks1, par_array)){
614 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
615 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
616 target_nt[i] = 0;
617 break;
618 }
619 target_nt[i] = nttest;
620 target_ks[i] = ks1;
621 ncount++;
622 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
623 target_nt[i] = 0;
624 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
625 break;
626 }
627 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
628 }
629 }
630 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
631 }
632 }
633
634 LED_C_OFF();
635
636 // ----------------------------- crypto1 destroy
637 crypto1_destroy(pcs);
638
639 byte_t buf[4 + 4 * 4];
640 memcpy(buf, &cuid, 4);
641 memcpy(buf+4, &target_nt[0], 4);
642 memcpy(buf+8, &target_ks[0], 4);
643 memcpy(buf+12, &target_nt[1], 4);
644 memcpy(buf+16, &target_ks[1], 4);
645
646 LED_B_ON();
647 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
648 LED_B_OFF();
649
650 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
651
652 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
653 LEDsoff();
654 iso14a_set_tracing(TRUE);
655 }
656
657 //-----------------------------------------------------------------------------
658 // MIFARE check keys. key count up to 85.
659 //
660 //-----------------------------------------------------------------------------
661 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
662 {
663 // params
664 uint8_t blockNo = arg0;
665 uint8_t keyType = arg1;
666 uint8_t keyCount = arg2;
667 uint64_t ui64Key = 0;
668
669 // variables
670 int i;
671 byte_t isOK = 0;
672 uint8_t uid[10];
673 uint32_t cuid;
674 struct Crypto1State mpcs = {0, 0};
675 struct Crypto1State *pcs;
676 pcs = &mpcs;
677
678 // clear debug level
679 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
680 MF_DBGLEVEL = MF_DBG_NONE;
681
682 // clear trace
683 iso14a_clear_trace();
684 iso14a_set_tracing(TRUE);
685
686 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
687
688 LED_A_ON();
689 LED_B_OFF();
690 LED_C_OFF();
691
692 for (i = 0; i < keyCount; i++) {
693 if(mifare_classic_halt(pcs, cuid)) {
694 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
695 }
696
697 if(!iso14443a_select_card(uid, NULL, &cuid)) {
698 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
699 break;
700 };
701
702 ui64Key = bytes_to_num(datain + i * 6, 6);
703 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
704 continue;
705 };
706
707 isOK = 1;
708 break;
709 }
710
711 // ----------------------------- crypto1 destroy
712 crypto1_destroy(pcs);
713
714 LED_B_ON();
715 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
716 LED_B_OFF();
717
718 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
719 LEDsoff();
720
721 // restore debug level
722 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
723 }
724
725 //-----------------------------------------------------------------------------
726 // MIFARE commands set debug level
727 //
728 //-----------------------------------------------------------------------------
729 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
730 MF_DBGLEVEL = arg0;
731 Dbprintf("Debug level: %d", MF_DBGLEVEL);
732 }
733
734 //-----------------------------------------------------------------------------
735 // Work with emulator memory
736 //
737 //-----------------------------------------------------------------------------
738 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
739 emlClearMem();
740 }
741
742 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
743 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
744 }
745
746 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
747 byte_t buf[USB_CMD_DATA_SIZE];
748 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
749
750 LED_B_ON();
751 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
752 LED_B_OFF();
753 }
754
755 //-----------------------------------------------------------------------------
756 // Load a card into the emulator memory
757 //
758 //-----------------------------------------------------------------------------
759 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
760 uint8_t numSectors = arg0;
761 uint8_t keyType = arg1;
762 uint64_t ui64Key = 0;
763 uint32_t cuid;
764 struct Crypto1State mpcs = {0, 0};
765 struct Crypto1State *pcs;
766 pcs = &mpcs;
767
768 // variables
769 byte_t dataoutbuf[16];
770 byte_t dataoutbuf2[16];
771 uint8_t uid[10];
772
773 // clear trace
774 iso14a_clear_trace();
775 iso14a_set_tracing(false);
776
777 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
778
779 LED_A_ON();
780 LED_B_OFF();
781 LED_C_OFF();
782
783 bool isOK = true;
784
785 if(!iso14443a_select_card(uid, NULL, &cuid)) {
786 isOK = false;
787 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
788 }
789
790 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
791 ui64Key = emlGetKey(sectorNo, keyType);
792 if (sectorNo == 0){
793 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
794 isOK = false;
795 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
796 break;
797 }
798 } else {
799 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
800 isOK = false;
801 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
802 break;
803 }
804 }
805
806 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
807 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
808 isOK = false;
809 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
810 break;
811 };
812 if (isOK) {
813 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
814 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
815 } else { // sector trailer, keep the keys, set only the AC
816 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
817 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
818 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
819 }
820 }
821 }
822
823 }
824
825 if(mifare_classic_halt(pcs, cuid)) {
826 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
827 };
828
829 // ----------------------------- crypto1 destroy
830 crypto1_destroy(pcs);
831
832 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
833 LEDsoff();
834
835 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
836
837 }
838
839
840 //-----------------------------------------------------------------------------
841 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
842 //
843 //-----------------------------------------------------------------------------
844 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
845
846 // params
847 uint8_t needWipe = arg0;
848 // bit 0 - need get UID
849 // bit 1 - need wupC
850 // bit 2 - need HALT after sequence
851 // bit 3 - need init FPGA and field before sequence
852 // bit 4 - need reset FPGA and LED
853 uint8_t workFlags = arg1;
854 uint8_t blockNo = arg2;
855
856 // card commands
857 uint8_t wupC1[] = { 0x40 };
858 uint8_t wupC2[] = { 0x43 };
859 uint8_t wipeC[] = { 0x41 };
860
861 // variables
862 byte_t isOK = 0;
863 uint8_t uid[10] = {0x00};
864 uint8_t d_block[18] = {0x00};
865 uint32_t cuid;
866
867 uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
868 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
869
870 // reset FPGA and LED
871 if (workFlags & 0x08) {
872 LED_A_ON();
873 LED_B_OFF();
874 LED_C_OFF();
875
876 iso14a_clear_trace();
877 iso14a_set_tracing(TRUE);
878 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
879 }
880
881 while (true) {
882
883 // get UID from chip
884 if (workFlags & 0x01) {
885 if(!iso14443a_select_card(uid, NULL, &cuid)) {
886 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
887 break;
888 };
889
890 if(mifare_classic_halt(NULL, cuid)) {
891 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
892 break;
893 };
894 };
895
896 // reset chip
897 if (needWipe){
898 ReaderTransmitBitsPar(wupC1,7,0, NULL);
899 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
900 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
901 break;
902 };
903
904 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
905 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
906 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
907 break;
908 };
909
910 if(mifare_classic_halt(NULL, cuid)) {
911 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
912 break;
913 };
914 };
915
916 // write block
917 if (workFlags & 0x02) {
918 ReaderTransmitBitsPar(wupC1,7,0, NULL);
919 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
920 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
921 break;
922 };
923
924 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
925 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
926 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
927 break;
928 };
929 }
930
931 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
932 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
933 break;
934 };
935
936 memcpy(d_block, datain, 16);
937 AppendCrc14443a(d_block, 16);
938
939 ReaderTransmit(d_block, sizeof(d_block), NULL);
940 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
941 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
942 break;
943 };
944
945 if (workFlags & 0x04) {
946 if (mifare_classic_halt(NULL, cuid)) {
947 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
948 break;
949 };
950 }
951
952 isOK = 1;
953 break;
954 }
955
956 LED_B_ON();
957 cmd_send(CMD_ACK,isOK,0,0,uid,4);
958 LED_B_OFF();
959
960 if ((workFlags & 0x10) || (!isOK)) {
961 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
962 LEDsoff();
963 }
964 }
965
966
967 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
968
969 // params
970 // bit 1 - need wupC
971 // bit 2 - need HALT after sequence
972 // bit 3 - need init FPGA and field before sequence
973 // bit 4 - need reset FPGA and LED
974 uint8_t workFlags = arg0;
975 uint8_t blockNo = arg2;
976
977 // card commands
978 uint8_t wupC1[] = { 0x40 };
979 uint8_t wupC2[] = { 0x43 };
980
981 // variables
982 byte_t isOK = 0;
983 uint8_t data[18] = {0x00};
984 uint32_t cuid = 0;
985
986 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
987 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
988
989 if (workFlags & 0x08) {
990 LED_A_ON();
991 LED_B_OFF();
992 LED_C_OFF();
993
994 iso14a_clear_trace();
995 iso14a_set_tracing(TRUE);
996 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
997 }
998
999 while (true) {
1000 if (workFlags & 0x02) {
1001 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1002 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1003 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1004 break;
1005 };
1006
1007 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1008 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1009 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1010 break;
1011 };
1012 }
1013
1014 // read block
1015 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1016 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1017 break;
1018 };
1019 memcpy(data, receivedAnswer, 18);
1020
1021 if (workFlags & 0x04) {
1022 if (mifare_classic_halt(NULL, cuid)) {
1023 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1024 break;
1025 };
1026 }
1027
1028 isOK = 1;
1029 break;
1030 }
1031
1032 LED_B_ON();
1033 cmd_send(CMD_ACK,isOK,0,0,data,18);
1034 LED_B_OFF();
1035
1036 if ((workFlags & 0x10) || (!isOK)) {
1037 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1038 LEDsoff();
1039 }
1040 }
1041
1042 void MifareCIdent(){
1043
1044 // card commands
1045 uint8_t wupC1[] = { 0x40 };
1046 uint8_t wupC2[] = { 0x43 };
1047
1048 // variables
1049 byte_t isOK = 1;
1050
1051 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
1052 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
1053
1054 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1055 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1056 isOK = 0;
1057 };
1058
1059 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1060 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1061 isOK = 0;
1062 };
1063
1064 if (mifare_classic_halt(NULL, 0)) {
1065 isOK = 0;
1066 };
1067
1068 cmd_send(CMD_ACK,isOK,0,0,0,0);
1069 }
1070
1071 //
1072 // DESFIRE
1073 //
Proxmark3 GIT tracking
Impressum, Datenschutz