1 //----------------------------------------------------------------------------- 
   2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com> 
   5 // This code is licensed to you under the terms of the GNU GPL, version 2 or, 
   6 // at your option, any later version. See the LICENSE.txt file for the text of 
   8 //----------------------------------------------------------------------------- 
   9 // High frequency commands 
  10 //----------------------------------------------------------------------------- 
  15 #include "proxmark3.h" 
  19 #include "iso14443crc.h" 
  22 #include "cmdparser.h" 
  28 #include "cmdhflegic.h" 
  29 #include "cmdhficlass.h" 
  32 #include "cmdhftopaz.h" 
  33 #include "protocols.h" 
  34 #include "emv/cmdemv.h" 
  35 #include "cmdhflist.h" 
  37 static int CmdHelp(const char *Cmd
); 
  39 int CmdHFTune(const char *Cmd
) 
  41   UsbCommand c
={CMD_MEASURE_ANTENNA_TUNING_HF
}; 
  47  * @brief iso14443B_CRC_check Checks CRC in command or response 
  51  * @return  0 : CRC-command, CRC not ok 
  52  *          1 : CRC-command, CRC ok 
  56 uint8_t iso14443B_CRC_check(bool isResponse
, uint8_t* data
, uint8_t len
) 
  60         if(len 
<= 2) return 2; 
  62         ComputeCrc14443(CRC_14443_B
, data
, len
-2, &b1
, &b2
); 
  63         if(b1 
!= data
[len
-2] || b2 
!= data
[len
-1]) { 
  71  * @brief iclass_CRC_Ok Checks CRC in command or response 
  75  * @return  0 : CRC-command, CRC not ok 
  76  *              1 : CRC-command, CRC ok 
  79 uint8_t iclass_CRC_check(bool isResponse
, uint8_t* data
, uint8_t len
) 
  81         if(len 
< 4) return 2;//CRC commands (and responses) are all at least 4 bytes 
  85         if(!isResponse
)//Commands to tag 
  88                   These commands should have CRC. Total length leftmost 
  91                   12 UPDATE - unsecured, ends with CRC16 
  92                   14 UPDATE - secured, ends with signature instead 
  95                 if(len 
== 4 || len 
== 12)//Covers three of them 
  97                         //Don't include the command byte 
  98                         ComputeCrc14443(CRC_ICLASS
, (data
+1), len
-3, &b1
, &b2
); 
  99                         return b1 
== data
[len 
-2] && b2 
== data
[len
-1]; 
 104                 These tag responses should have CRC. Total length leftmost 
 106                 10  READ                data[8] crc[2] 
 107                 34  READ4               data[32]crc[2] 
 108                 10  UPDATE      data[8] crc[2] 
 109                 10 SELECT       csn[8] crc[2] 
 110                 10  IDENTIFY  asnb[8] crc[2] 
 111                 10  PAGESEL   block1[8] crc[2] 
 112                 10  DETECT    csn[8] crc[2] 
 116                 4  CHECK                chip_response[4] 
 121                 In conclusion, without looking at the command; any response 
 122                 of length 10 or 34 should have CRC 
 124                 if(len 
!= 10 && len 
!= 34) return true; 
 126                 ComputeCrc14443(CRC_ICLASS
, data
, len
-2, &b1
, &b2
); 
 127                 return b1 
== data
[len 
-2] && b2 
== data
[len
-1]; 
 132 bool is_last_record(uint16_t tracepos
, uint8_t *trace
, uint16_t traceLen
) 
 134         return(tracepos 
+ sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) >= traceLen
); 
 138 bool next_record_is_response(uint16_t tracepos
, uint8_t *trace
) 
 140         uint16_t next_records_datalen 
= *((uint16_t *)(trace 
+ tracepos 
+ sizeof(uint32_t) + sizeof(uint16_t))); 
 142         return(next_records_datalen 
& 0x8000); 
 146 bool merge_topaz_reader_frames(uint32_t timestamp
, uint32_t *duration
, uint16_t *tracepos
, uint16_t traceLen
, uint8_t *trace
, uint8_t *frame
, uint8_t *topaz_reader_command
, uint16_t *data_len
) 
 149 #define MAX_TOPAZ_READER_CMD_LEN        16 
 151         uint32_t last_timestamp 
= timestamp 
+ *duration
; 
 153         if ((*data_len 
!= 1) || (frame
[0] == TOPAZ_WUPA
) || (frame
[0] == TOPAZ_REQA
)) return false; 
 155         memcpy(topaz_reader_command
, frame
, *data_len
); 
 157         while (!is_last_record(*tracepos
, trace
, traceLen
) && !next_record_is_response(*tracepos
, trace
)) { 
 158                 uint32_t next_timestamp 
= *((uint32_t *)(trace 
+ *tracepos
)); 
 159                 *tracepos 
+= sizeof(uint32_t); 
 160                 uint16_t next_duration 
= *((uint16_t *)(trace 
+ *tracepos
)); 
 161                 *tracepos 
+= sizeof(uint16_t); 
 162                 uint16_t next_data_len 
= *((uint16_t *)(trace 
+ *tracepos
)) & 0x7FFF; 
 163                 *tracepos 
+= sizeof(uint16_t); 
 164                 uint8_t *next_frame 
= (trace 
+ *tracepos
); 
 165                 *tracepos 
+= next_data_len
; 
 166                 if ((next_data_len 
== 1) && (*data_len 
+ next_data_len 
<= MAX_TOPAZ_READER_CMD_LEN
)) { 
 167                         memcpy(topaz_reader_command 
+ *data_len
, next_frame
, next_data_len
); 
 168                         *data_len 
+= next_data_len
; 
 169                         last_timestamp 
= next_timestamp 
+ next_duration
; 
 172                         *tracepos 
= *tracepos 
- next_data_len 
- sizeof(uint16_t) - sizeof(uint16_t) - sizeof(uint32_t); 
 175                 uint16_t next_parity_len 
= (next_data_len
-1)/8 + 1; 
 176                 *tracepos 
+= next_parity_len
; 
 179         *duration 
= last_timestamp 
- timestamp
; 
 185 uint16_t printTraceLine(uint16_t tracepos
, uint16_t traceLen
, uint8_t *trace
, uint8_t protocol
, bool showWaitCycles
, bool markCRCBytes
) 
 188         uint16_t data_len
, parity_len
; 
 190         uint8_t topaz_reader_command
[9]; 
 191         uint32_t timestamp
, first_timestamp
, EndOfTransmissionTimestamp
; 
 192         char explanation
[30] = {0}; 
 193         uint8_t mfData
[32] = {0}; 
 194         size_t mfDataLen 
= 0; 
 196         if (tracepos 
+ sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) > traceLen
) return traceLen
; 
 198         first_timestamp 
= *((uint32_t *)(trace
)); 
 199         timestamp 
= *((uint32_t *)(trace 
+ tracepos
)); 
 202         duration 
= *((uint16_t *)(trace 
+ tracepos
)); 
 204         data_len 
= *((uint16_t *)(trace 
+ tracepos
)); 
 207         if (data_len 
& 0x8000) { 
 213         parity_len 
= (data_len
-1)/8 + 1; 
 215         if (tracepos 
+ data_len 
+ parity_len 
> traceLen
) { 
 218         uint8_t *frame 
= trace 
+ tracepos
; 
 219         tracepos 
+= data_len
; 
 220         uint8_t *parityBytes 
= trace 
+ tracepos
; 
 221         tracepos 
+= parity_len
; 
 223         if (protocol 
== TOPAZ 
&& !isResponse
) { 
 224                 // topaz reader commands come in 1 or 9 separate frames with 7 or 8 Bits each. 
 226                 if (merge_topaz_reader_frames(timestamp
, &duration
, &tracepos
, traceLen
, trace
, frame
, topaz_reader_command
, &data_len
)) { 
 227                         frame 
= topaz_reader_command
; 
 231         //Check the CRC status 
 232         uint8_t crcStatus 
= 2; 
 237                                 crcStatus 
= iclass_CRC_check(isResponse
, frame
, data_len
); 
 241                                 crcStatus 
= iso14443B_CRC_check(isResponse
, frame
, data_len
);  
 244                                 crcStatus 
= mifare_CRC_check(isResponse
, frame
, data_len
); 
 247                                 crcStatus 
= iso14443A_CRC_check(isResponse
, frame
, data_len
); 
 253         //0 CRC-command, CRC not ok 
 254         //1 CRC-command, CRC ok 
 257         //--- Draw the data column 
 258         //char line[16][110]; 
 261         for (int j 
= 0; j 
< data_len 
&& j
/16 < 16; j
++) { 
 263                 uint8_t parityBits 
= parityBytes
[j
>>3]; 
 264                 if (protocol 
!= ISO_14443B 
&& (isResponse 
|| protocol 
== ISO_14443A
) && (oddparity8(frame
[j
]) != ((parityBits 
>> (7-(j
&0x0007))) & 0x01))) { 
 265                         snprintf(line
[j
/16]+(( j 
% 16) * 4),110, "%02x! ", frame
[j
]); 
 267                         snprintf(line
[j
/16]+(( j 
% 16) * 4), 110, " %02x ", frame
[j
]); 
 273                 if(crcStatus 
== 0 || crcStatus 
== 1) 
 275                         char *pos1 
= line
[(data_len
-2)/16]+(((data_len
-2) % 16) * 4); 
 277                         char *pos2 
= line
[(data_len
)/16]+(((data_len
) % 16) * 4); 
 278                         sprintf(pos2
, "%c", ']'); 
 285                         sprintf(line
[0],"<empty trace - possible error>"); 
 288         //--- Draw the CRC column 
 290         char *crc 
= (crcStatus 
== 0 ? "!crc" : (crcStatus 
== 1 ? " ok " : "    ")); 
 292         EndOfTransmissionTimestamp 
= timestamp 
+ duration
; 
 294         if (protocol 
== PROTO_MIFARE
) 
 295                 annotateMifare(explanation
, sizeof(explanation
), frame
, data_len
, parityBytes
, parity_len
, isResponse
); 
 300                         case ICLASS
:            annotateIclass(explanation
,sizeof(explanation
),frame
,data_len
); break; 
 301                         case ISO_14443A
:        annotateIso14443a(explanation
,sizeof(explanation
),frame
,data_len
); break; 
 302                         case ISO_14443B
:        annotateIso14443b(explanation
,sizeof(explanation
),frame
,data_len
); break; 
 303                         case TOPAZ
:                     annotateTopaz(explanation
,sizeof(explanation
),frame
,data_len
); break; 
 308         int num_lines 
= MIN((data_len 
- 1)/16 + 1, 16); 
 309         for (int j 
= 0; j 
< num_lines 
; j
++) { 
 311                         PrintAndLog(" %10d | %10d | %s |%-64s | %s| %s", 
 312                                 (timestamp 
- first_timestamp
), 
 313                                 (EndOfTransmissionTimestamp 
- first_timestamp
), 
 314                                 (isResponse 
? "Tag" : "Rdr"), 
 316                                 (j 
== num_lines
-1) ? crc 
: "    ", 
 317                                 (j 
== num_lines
-1) ? explanation 
: ""); 
 319                         PrintAndLog("            |            |     |%-64s | %s| %s", 
 321                                 (j 
== num_lines
-1) ? crc 
: "    ", 
 322                                 (j 
== num_lines
-1) ? explanation 
: ""); 
 326         if (DecodeMifareData(frame
, data_len
, parityBytes
, isResponse
, mfData
, &mfDataLen
)) { 
 327                 memset(explanation
, 0x00, sizeof(explanation
)); 
 329                         explanation
[0] = '>'; 
 330                         annotateIso14443a(&explanation
[1], sizeof(explanation
) - 1, mfData
, mfDataLen
); 
 332                 uint8_t crcc 
= iso14443A_CRC_check(isResponse
, mfData
, mfDataLen
); 
 333                 PrintAndLog("            |          * | dec |%-64s | %-4s| %s", 
 334                         sprint_hex(mfData
, mfDataLen
), 
 335                         (crcc 
== 0 ? "!crc" : (crcc 
== 1 ? " ok " : "    ")), 
 336                         (true) ? explanation 
: ""); 
 339         if (is_last_record(tracepos
, trace
, traceLen
)) return traceLen
; 
 341         if (showWaitCycles 
&& !isResponse 
&& next_record_is_response(tracepos
, trace
)) { 
 342                 uint32_t next_timestamp 
= *((uint32_t *)(trace 
+ tracepos
)); 
 343                 PrintAndLog(" %10d | %10d | %s | fdt (Frame Delay Time): %d", 
 344                         (EndOfTransmissionTimestamp 
- first_timestamp
), 
 345                         (next_timestamp 
- first_timestamp
), 
 347                         (next_timestamp 
- EndOfTransmissionTimestamp
)); 
 354 int CmdHFList(const char *Cmd
) 
 356         bool showWaitCycles 
= false; 
 357         bool markCRCBytes 
= false; 
 359         int tlen 
= param_getstr(Cmd
,0,type
, sizeof(type
)); 
 360         char param1 
= param_getchar(Cmd
, 1); 
 361         char param2 
= param_getchar(Cmd
, 2); 
 363         uint8_t protocol 
= 0; 
 371                         || (param1 
!= 0 && param1 
!= 'f' && param1 
!= 'c') 
 372                         || (param2 
!= 0 && param2 
!= 'f' && param2 
!= 'c')) { 
 377                 if(strcmp(type
, "iclass") == 0) { 
 379                 } else if(strcmp(type
, "mf") == 0) { 
 380                         protocol 
= PROTO_MIFARE
; 
 381                 } else if(strcmp(type
, "14a") == 0) { 
 382                         protocol 
= ISO_14443A
; 
 383                 } else if(strcmp(type
, "14b") == 0)     { 
 384                         protocol 
= ISO_14443B
; 
 385                 } else if(strcmp(type
,"topaz")== 0) { 
 387                 } else if(strcmp(type
,"raw")== 0) { 
 388                         protocol 
= -1;//No crc, no annotations 
 395                 PrintAndLog("List protocol data in trace buffer."); 
 396                 PrintAndLog("Usage:  hf list <protocol> [f][c]"); 
 397                 PrintAndLog("    f      - show frame delay times as well"); 
 398                 PrintAndLog("    c      - mark CRC bytes"); 
 399                 PrintAndLog("Supported <protocol> values:"); 
 400                 PrintAndLog("    raw    - just show raw data without annotations"); 
 401                 PrintAndLog("    14a    - interpret data as iso14443a communications"); 
 402                 PrintAndLog("    mf     - interpret data as iso14443a communications and decrypt crypto1 stream"); 
 403                 PrintAndLog("    14b    - interpret data as iso14443b communications"); 
 404                 PrintAndLog("    iclass - interpret data as iclass communications"); 
 405                 PrintAndLog("    topaz  - interpret data as topaz communications"); 
 407                 PrintAndLog("example: hf list 14a f"); 
 408                 PrintAndLog("example: hf list iclass"); 
 413         if (param1 
== 'f' || param2 
== 'f') { 
 414                 showWaitCycles 
= true; 
 417         if (param1 
== 'c' || param2 
== 'c') { 
 422         uint16_t tracepos 
= 0; 
 423         trace 
= malloc(USB_CMD_DATA_SIZE
); 
 425         // Query for the size of the trace 
 427         GetFromBigBuf(trace
, USB_CMD_DATA_SIZE
, 0); 
 428         WaitForResponse(CMD_ACK
, &response
); 
 429         uint16_t traceLen 
= response
.arg
[2]; 
 430         if (traceLen 
> USB_CMD_DATA_SIZE
) { 
 431                 uint8_t *p 
= realloc(trace
, traceLen
); 
 433                         PrintAndLog("Cannot allocate memory for trace"); 
 438                 GetFromBigBuf(trace
, traceLen
, 0); 
 439                 WaitForResponse(CMD_ACK
, NULL
); 
 442         PrintAndLog("Recorded Activity (TraceLen = %d bytes)", traceLen
); 
 444         PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer"); 
 445         PrintAndLog("iso14443a - All times are in carrier periods (1/13.56Mhz)"); 
 446         PrintAndLog("iClass    - Timings are not as accurate"); 
 448         PrintAndLog("      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |"); 
 449         PrintAndLog("------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|"); 
 452         while(tracepos 
< traceLen
) 
 454                 tracepos 
= printTraceLine(tracepos
, traceLen
, trace
, protocol
, showWaitCycles
, markCRCBytes
); 
 461 int CmdHFSearch(const char *Cmd
){ 
 464         ans 
= CmdHF14AInfo("s"); 
 466                 PrintAndLog("\nValid ISO14443A Tag Found - Quiting Search\n"); 
 469         ans 
= HFiClassReader("", false, false); 
 471                 PrintAndLog("\nValid iClass Tag (or PicoPass Tag) Found - Quiting Search\n"); 
 474         ans 
= HF15Reader("", false); 
 476                 PrintAndLog("\nValid ISO15693 Tag Found - Quiting Search\n"); 
 479         //14b is longest test currently (and rarest chip type) ... put last 
 480         ans 
= HF14BInfo(false); 
 482                 PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n"); 
 485         PrintAndLog("\nno known/supported 13.56 MHz tags found\n"); 
 489 int CmdHFSnoop(const char *Cmd
) 
 492         UsbCommand c 
= {CMD_HF_SNIFFER
, {strtol(Cmd
, &pEnd
,0),strtol(pEnd
, &pEnd
,0),0}}; 
 497 static command_t CommandTable
[] =  
 499         {"help",        CmdHelp
,                1, "This help"}, 
 500         {"14a",         CmdHF14A
,               1, "{ ISO14443A RFIDs... }"}, 
 501         {"14b",         CmdHF14B
,               1, "{ ISO14443B RFIDs... }"}, 
 502         {"15",          CmdHF15
,                1, "{ ISO15693 RFIDs... }"}, 
 503         {"epa",         CmdHFEPA
,               1, "{ German Identification Card... }"}, 
 504         {"emv",         CmdHFEMV
,               1, "{ EMV cards... }"}, 
 505         {"legic",       CmdHFLegic
,             0, "{ LEGIC RFIDs... }"}, 
 506         {"iclass",      CmdHFiClass
,    1, "{ ICLASS RFIDs... }"}, 
 507         {"mf",          CmdHFMF
,                1, "{ MIFARE RFIDs... }"}, 
 508         {"mfu",         CmdHFMFUltra
,   1, "{ MIFARE Ultralight RFIDs... }"}, 
 509         {"topaz",       CmdHFTopaz
,             1, "{ TOPAZ (NFC Type 1) RFIDs... }"}, 
 510         {"tune",        CmdHFTune
,              0, "Continuously measure HF antenna tuning"}, 
 511         {"list",        CmdHFList
,              1, "List protocol data in trace buffer"}, 
 512         {"search",      CmdHFSearch
,    1, "Search for known HF tags [preliminary]"}, 
 513         {"snoop",   CmdHFSnoop
,     0, "<samples to skip (10000)> <triggers to skip (1)> Generic HF Snoop"}, 
 514         {NULL
,          NULL
,                   0, NULL
} 
 517 int CmdHF(const char *Cmd
) 
 519   CmdsParse(CommandTable
, Cmd
); 
 523 int CmdHelp(const char *Cmd
) 
 525   CmdsHelp(CommandTable
);