]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
add reveng compile directory
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "crc.h"
20
21 // the block number for the ISO14443-4 PCB
22 uint8_t pcb_blocknum = 0;
23 // Deselect card by sending a s-block. the crc is precalced for speed
24 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
25
26 //-----------------------------------------------------------------------------
27 // Select, Authenticate, Read a MIFARE tag.
28 // read block
29 //-----------------------------------------------------------------------------
30 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
31 {
32 // params
33 uint8_t blockNo = arg0;
34 uint8_t keyType = arg1;
35 uint64_t ui64Key = 0;
36 ui64Key = bytes_to_num(datain, 6);
37
38 // variables
39 byte_t isOK = 0;
40 byte_t dataoutbuf[16];
41 uint8_t uid[10];
42 uint32_t cuid;
43 struct Crypto1State mpcs = {0, 0};
44 struct Crypto1State *pcs;
45 pcs = &mpcs;
46
47 // clear trace
48 clear_trace();
49 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
50
51 LED_A_ON();
52 LED_B_OFF();
53 LED_C_OFF();
54
55 while (true) {
56 if(!iso14443a_select_card(uid, NULL, &cuid)) {
57 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
58 break;
59 };
60
61 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
62 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
63 break;
64 };
65
66 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
67 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
68 break;
69 };
70
71 if(mifare_classic_halt(pcs, cuid)) {
72 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
73 break;
74 };
75
76 isOK = 1;
77 break;
78 }
79
80 // ----------------------------- crypto1 destroy
81 crypto1_destroy(pcs);
82
83 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
84
85 LED_B_ON();
86 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
87 LED_B_OFF();
88
89 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
90 LEDsoff();
91 }
92
93 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
94
95 bool turnOffField = (arg0 == 1);
96
97 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
98 clear_trace();
99 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
100
101 if(!iso14443a_select_card(NULL, NULL, NULL)) {
102 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
103 OnError(0);
104 return;
105 };
106
107 if(!mifare_ultra_auth(keybytes)){
108 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
109 OnError(1);
110 return;
111 }
112
113 if (turnOffField) {
114 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
115 LEDsoff();
116 }
117 cmd_send(CMD_ACK,1,0,0,0,0);
118 }
119
120 // Arg0 = BlockNo,
121 // Arg1 = UsePwd bool
122 // datain = PWD bytes,
123 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
124 {
125 uint8_t blockNo = arg0;
126 byte_t dataout[16] = {0x00};
127 bool useKey = (arg1 == 1); //UL_C
128 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
129
130 LEDsoff();
131 LED_A_ON();
132 clear_trace();
133 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
134
135 int len = iso14443a_select_card(NULL, NULL, NULL);
136 if(!len) {
137 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
138 OnError(1);
139 return;
140 }
141
142 // UL-C authentication
143 if ( useKey ) {
144 uint8_t key[16] = {0x00};
145 memcpy(key, datain, sizeof(key) );
146
147 if ( !mifare_ultra_auth(key) ) {
148 OnError(1);
149 return;
150 }
151 }
152
153 // UL-EV1 / NTAG authentication
154 if ( usePwd ) {
155 uint8_t pwd[4] = {0x00};
156 memcpy(pwd, datain, 4);
157 uint8_t pack[4] = {0,0,0,0};
158 if (!mifare_ul_ev1_auth(pwd, pack)) {
159 OnError(1);
160 return;
161 }
162 }
163
164 if( mifare_ultra_readblock(blockNo, dataout) ) {
165 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
166 OnError(2);
167 return;
168 }
169
170 if( mifare_ultra_halt() ) {
171 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
172 OnError(3);
173 return;
174 }
175
176 cmd_send(CMD_ACK,1,0,0,dataout,16);
177 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
178 LEDsoff();
179 }
180
181 //-----------------------------------------------------------------------------
182 // Select, Authenticate, Read a MIFARE tag.
183 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
184 //-----------------------------------------------------------------------------
185 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
186 {
187 // params
188 uint8_t sectorNo = arg0;
189 uint8_t keyType = arg1;
190 uint64_t ui64Key = 0;
191 ui64Key = bytes_to_num(datain, 6);
192
193 // variables
194 byte_t isOK = 0;
195 byte_t dataoutbuf[16 * 16];
196 uint8_t uid[10];
197 uint32_t cuid;
198 struct Crypto1State mpcs = {0, 0};
199 struct Crypto1State *pcs;
200 pcs = &mpcs;
201
202 // clear trace
203 clear_trace();
204
205 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
206
207 LED_A_ON();
208 LED_B_OFF();
209 LED_C_OFF();
210
211 isOK = 1;
212 if(!iso14443a_select_card(uid, NULL, &cuid)) {
213 isOK = 0;
214 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
215 }
216
217
218 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
219 isOK = 0;
220 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
221 }
222
223 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
224 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
225 isOK = 0;
226 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
227 break;
228 }
229 }
230
231 if(mifare_classic_halt(pcs, cuid)) {
232 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
233 }
234
235 // ----------------------------- crypto1 destroy
236 crypto1_destroy(pcs);
237
238 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
239
240 LED_B_ON();
241 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
242 LED_B_OFF();
243
244 // Thats it...
245 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
246 LEDsoff();
247 }
248
249 // arg0 = blockNo (start)
250 // arg1 = Pages (number of blocks)
251 // arg2 = useKey
252 // datain = KEY bytes
253 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
254 {
255 // free eventually allocated BigBuf memory
256 BigBuf_free();
257 clear_trace();
258
259 // params
260 uint8_t blockNo = arg0;
261 uint16_t blocks = arg1;
262 bool useKey = (arg2 == 1); //UL_C
263 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
264 uint32_t countblocks = 0;
265 uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);
266 if (dataout == NULL){
267 Dbprintf("out of memory");
268 OnError(1);
269 return;
270 }
271
272 LEDsoff();
273 LED_A_ON();
274 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
275
276 int len = iso14443a_select_card(NULL, NULL, NULL);
277 if (!len) {
278 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
279 OnError(1);
280 return;
281 }
282
283 // UL-C authentication
284 if ( useKey ) {
285 uint8_t key[16] = {0x00};
286 memcpy(key, datain, sizeof(key) );
287
288 if ( !mifare_ultra_auth(key) ) {
289 OnError(1);
290 return;
291 }
292 }
293
294 // UL-EV1 / NTAG authentication
295 if (usePwd) {
296 uint8_t pwd[4] = {0x00};
297 memcpy(pwd, datain, sizeof(pwd));
298 uint8_t pack[4] = {0,0,0,0};
299
300 if (!mifare_ul_ev1_auth(pwd, pack)){
301 OnError(1);
302 return;
303 }
304 }
305
306 for (int i = 0; i < blocks; i++){
307 if ((i*4) + 4 >= CARD_MEMORY_SIZE) {
308 Dbprintf("Data exceeds buffer!!");
309 break;
310 }
311
312 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
313
314 if (len) {
315 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
316 // if no blocks read - error out
317 if (i==0){
318 OnError(2);
319 return;
320 } else {
321 //stop at last successful read block and return what we got
322 break;
323 }
324 } else {
325 countblocks++;
326 }
327 }
328
329 len = mifare_ultra_halt();
330 if (len) {
331 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
332 OnError(3);
333 return;
334 }
335
336 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
337
338 countblocks *= 4;
339
340 cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);
341 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
342 LEDsoff();
343 BigBuf_free();
344 }
345
346 //-----------------------------------------------------------------------------
347 // Select, Authenticate, Write a MIFARE tag.
348 // read block
349 //-----------------------------------------------------------------------------
350 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
351 {
352 // params
353 uint8_t blockNo = arg0;
354 uint8_t keyType = arg1;
355 uint64_t ui64Key = 0;
356 byte_t blockdata[16];
357
358 ui64Key = bytes_to_num(datain, 6);
359 memcpy(blockdata, datain + 10, 16);
360
361 // variables
362 byte_t isOK = 0;
363 uint8_t uid[10];
364 uint32_t cuid;
365 struct Crypto1State mpcs = {0, 0};
366 struct Crypto1State *pcs;
367 pcs = &mpcs;
368
369 // clear trace
370 clear_trace();
371
372 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
373
374 LED_A_ON();
375 LED_B_OFF();
376 LED_C_OFF();
377
378 while (true) {
379 if(!iso14443a_select_card(uid, NULL, &cuid)) {
380 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
381 break;
382 };
383
384 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
385 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
386 break;
387 };
388
389 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
390 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
391 break;
392 };
393
394 if(mifare_classic_halt(pcs, cuid)) {
395 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
396 break;
397 };
398
399 isOK = 1;
400 break;
401 }
402
403 // ----------------------------- crypto1 destroy
404 crypto1_destroy(pcs);
405
406 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
407
408 LED_B_ON();
409 cmd_send(CMD_ACK,isOK,0,0,0,0);
410 LED_B_OFF();
411
412
413 // Thats it...
414 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
415 LEDsoff();
416 }
417
418 /* // Command not needed but left for future testing
419 void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
420 {
421 uint8_t blockNo = arg0;
422 byte_t blockdata[16] = {0x00};
423
424 memcpy(blockdata, datain, 16);
425
426 uint8_t uid[10] = {0x00};
427
428 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
429
430 clear_trace();
431 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
432
433 if(!iso14443a_select_card(uid, NULL, NULL)) {
434 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
435 OnError(0);
436 return;
437 };
438
439 if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {
440 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
441 OnError(0);
442 return; };
443
444 if(mifare_ultra_halt()) {
445 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
446 OnError(0);
447 return;
448 };
449
450 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
451
452 cmd_send(CMD_ACK,1,0,0,0,0);
453 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
454 LEDsoff();
455 }
456 */
457
458 // Arg0 : Block to write to.
459 // Arg1 : 0 = use no authentication.
460 // 1 = use 0x1A authentication.
461 // 2 = use 0x1B authentication.
462 // datain : 4 first bytes is data to be written.
463 // : 4/16 next bytes is authentication key.
464 void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
465 {
466 uint8_t blockNo = arg0;
467 bool useKey = (arg1 == 1); //UL_C
468 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
469 byte_t blockdata[4] = {0x00};
470
471 memcpy(blockdata, datain,4);
472
473 LEDsoff();
474 LED_A_ON();
475 clear_trace();
476 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
477
478 if(!iso14443a_select_card(NULL, NULL, NULL)) {
479 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
480 OnError(0);
481 return;
482 };
483
484 // UL-C authentication
485 if ( useKey ) {
486 uint8_t key[16] = {0x00};
487 memcpy(key, datain+4, sizeof(key) );
488
489 if ( !mifare_ultra_auth(key) ) {
490 OnError(1);
491 return;
492 }
493 }
494
495 // UL-EV1 / NTAG authentication
496 if (usePwd) {
497 uint8_t pwd[4] = {0x00};
498 memcpy(pwd, datain+4, 4);
499 uint8_t pack[4] = {0,0,0,0};
500 if (!mifare_ul_ev1_auth(pwd, pack)) {
501 OnError(1);
502 return;
503 }
504 }
505
506 if(mifare_ultra_writeblock(blockNo, blockdata)) {
507 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
508 OnError(0);
509 return;
510 };
511
512 if(mifare_ultra_halt()) {
513 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
514 OnError(0);
515 return;
516 };
517
518 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
519
520 cmd_send(CMD_ACK,1,0,0,0,0);
521 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
522 LEDsoff();
523 }
524
525 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
526
527 uint8_t pwd[16] = {0x00};
528 byte_t blockdata[4] = {0x00};
529
530 memcpy(pwd, datain, 16);
531
532 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
533 clear_trace();
534 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
535
536 if(!iso14443a_select_card(NULL, NULL, NULL)) {
537 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
538 OnError(0);
539 return;
540 };
541
542 blockdata[0] = pwd[7];
543 blockdata[1] = pwd[6];
544 blockdata[2] = pwd[5];
545 blockdata[3] = pwd[4];
546 if(mifare_ultra_writeblock( 44, blockdata)) {
547 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
548 OnError(44);
549 return;
550 };
551
552 blockdata[0] = pwd[3];
553 blockdata[1] = pwd[2];
554 blockdata[2] = pwd[1];
555 blockdata[3] = pwd[0];
556 if(mifare_ultra_writeblock( 45, blockdata)) {
557 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
558 OnError(45);
559 return;
560 };
561
562 blockdata[0] = pwd[15];
563 blockdata[1] = pwd[14];
564 blockdata[2] = pwd[13];
565 blockdata[3] = pwd[12];
566 if(mifare_ultra_writeblock( 46, blockdata)) {
567 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
568 OnError(46);
569 return;
570 };
571
572 blockdata[0] = pwd[11];
573 blockdata[1] = pwd[10];
574 blockdata[2] = pwd[9];
575 blockdata[3] = pwd[8];
576 if(mifare_ultra_writeblock( 47, blockdata)) {
577 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
578 OnError(47);
579 return;
580 };
581
582 if(mifare_ultra_halt()) {
583 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
584 OnError(0);
585 return;
586 };
587
588 cmd_send(CMD_ACK,1,0,0,0,0);
589 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
590 LEDsoff();
591 }
592
593 // Return 1 if the nonce is invalid else return 0
594 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
595 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
596 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
597 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
598 }
599
600
601 //-----------------------------------------------------------------------------
602 // MIFARE nested authentication.
603 //
604 //-----------------------------------------------------------------------------
605 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
606 {
607 // params
608 uint8_t blockNo = arg0 & 0xff;
609 uint8_t keyType = (arg0 >> 8) & 0xff;
610 uint8_t targetBlockNo = arg1 & 0xff;
611 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
612 uint64_t ui64Key = 0;
613
614 ui64Key = bytes_to_num(datain, 6);
615
616 // variables
617 uint16_t rtr, i, j, len;
618 uint16_t davg;
619 static uint16_t dmin, dmax;
620 uint8_t uid[10];
621 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
622 uint8_t par[1];
623 uint32_t target_nt[2], target_ks[2];
624
625 uint8_t par_array[4];
626 uint16_t ncount = 0;
627 struct Crypto1State mpcs = {0, 0};
628 struct Crypto1State *pcs;
629 pcs = &mpcs;
630 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
631
632 uint32_t auth1_time, auth2_time;
633 static uint16_t delta_time;
634
635 // free eventually allocated BigBuf memory
636 BigBuf_free();
637 // clear trace
638 clear_trace();
639 set_tracing(false);
640
641 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
642
643 LED_A_ON();
644 LED_C_OFF();
645
646
647 // statistics on nonce distance
648 if (calibrate) { // for first call only. Otherwise reuse previous calibration
649 LED_B_ON();
650 WDT_HIT();
651
652 davg = dmax = 0;
653 dmin = 2000;
654 delta_time = 0;
655
656 for (rtr = 0; rtr < 17; rtr++) {
657
658 // prepare next select. No need to power down the card.
659 if(mifare_classic_halt(pcs, cuid)) {
660 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
661 rtr--;
662 continue;
663 }
664
665 if(!iso14443a_select_card(uid, NULL, &cuid)) {
666 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
667 rtr--;
668 continue;
669 };
670
671 auth1_time = 0;
672 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
673 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
674 rtr--;
675 continue;
676 };
677
678 if (delta_time) {
679 auth2_time = auth1_time + delta_time;
680 } else {
681 auth2_time = 0;
682 }
683 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
684 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
685 rtr--;
686 continue;
687 };
688
689 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
690 for (i = 101; i < 1200; i++) {
691 nttmp = prng_successor(nttmp, 1);
692 if (nttmp == nt2) break;
693 }
694
695 if (i != 1200) {
696 if (rtr != 0) {
697 davg += i;
698 dmin = MIN(dmin, i);
699 dmax = MAX(dmax, i);
700 }
701 else {
702 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
703 }
704 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
705 }
706 }
707
708 if (rtr <= 1) return;
709
710 davg = (davg + (rtr - 1)/2) / (rtr - 1);
711
712 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
713
714 dmin = davg - 2;
715 dmax = davg + 2;
716
717 LED_B_OFF();
718
719 }
720 // -------------------------------------------------------------------------------------------------
721
722 LED_C_ON();
723
724 // get crypted nonces for target sector
725 for(i=0; i < 2; i++) { // look for exactly two different nonces
726
727 target_nt[i] = 0;
728 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
729
730 // prepare next select. No need to power down the card.
731 if(mifare_classic_halt(pcs, cuid)) {
732 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
733 continue;
734 }
735
736 if(!iso14443a_select_card(uid, NULL, &cuid)) {
737 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
738 continue;
739 };
740
741 auth1_time = 0;
742 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
743 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
744 continue;
745 };
746
747 // nested authentication
748 auth2_time = auth1_time + delta_time;
749 len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
750 if (len != 4) {
751 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
752 continue;
753 };
754
755 nt2 = bytes_to_num(receivedAnswer, 4);
756 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
757
758 // Parity validity check
759 for (j = 0; j < 4; j++) {
760 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
761 }
762
763 ncount = 0;
764 nttest = prng_successor(nt1, dmin - 1);
765 for (j = dmin; j < dmax + 1; j++) {
766 nttest = prng_successor(nttest, 1);
767 ks1 = nt2 ^ nttest;
768
769 if (valid_nonce(nttest, nt2, ks1, par_array)){
770 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
771 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
772 target_nt[i] = 0;
773 break;
774 }
775 target_nt[i] = nttest;
776 target_ks[i] = ks1;
777 ncount++;
778 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
779 target_nt[i] = 0;
780 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
781 break;
782 }
783 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
784 }
785 }
786 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
787 }
788 }
789
790 LED_C_OFF();
791
792 // ----------------------------- crypto1 destroy
793 crypto1_destroy(pcs);
794
795 byte_t buf[4 + 4 * 4];
796 memcpy(buf, &cuid, 4);
797 memcpy(buf+4, &target_nt[0], 4);
798 memcpy(buf+8, &target_ks[0], 4);
799 memcpy(buf+12, &target_nt[1], 4);
800 memcpy(buf+16, &target_ks[1], 4);
801
802 LED_B_ON();
803 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
804 LED_B_OFF();
805
806 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
807
808 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
809 LEDsoff();
810 set_tracing(TRUE);
811 }
812
813 //-----------------------------------------------------------------------------
814 // MIFARE check keys. key count up to 85.
815 //
816 //-----------------------------------------------------------------------------
817 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
818 {
819 // params
820 uint8_t blockNo = arg0;
821 uint8_t keyType = arg1;
822 uint8_t keyCount = arg2;
823 uint64_t ui64Key = 0;
824
825 // variables
826 int i;
827 byte_t isOK = 0;
828 uint8_t uid[10];
829 uint32_t cuid;
830 struct Crypto1State mpcs = {0, 0};
831 struct Crypto1State *pcs;
832 pcs = &mpcs;
833
834 // clear debug level
835 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
836 MF_DBGLEVEL = MF_DBG_NONE;
837
838 // clear trace
839 clear_trace();
840 set_tracing(TRUE);
841
842 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
843
844 LED_A_ON();
845 LED_B_OFF();
846 LED_C_OFF();
847
848 for (i = 0; i < keyCount; i++) {
849 if(mifare_classic_halt(pcs, cuid)) {
850 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
851 }
852
853 if(!iso14443a_select_card(uid, NULL, &cuid)) {
854 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
855 break;
856 };
857
858 ui64Key = bytes_to_num(datain + i * 6, 6);
859 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
860 continue;
861 };
862
863 isOK = 1;
864 break;
865 }
866
867 // ----------------------------- crypto1 destroy
868 crypto1_destroy(pcs);
869
870 LED_B_ON();
871 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
872 LED_B_OFF();
873
874 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
875 LEDsoff();
876
877 // restore debug level
878 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
879 }
880
881 //-----------------------------------------------------------------------------
882 // MIFARE commands set debug level
883 //
884 //-----------------------------------------------------------------------------
885 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
886 MF_DBGLEVEL = arg0;
887 Dbprintf("Debug level: %d", MF_DBGLEVEL);
888 }
889
890 //-----------------------------------------------------------------------------
891 // Work with emulator memory
892 //
893 //-----------------------------------------------------------------------------
894 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
895 emlClearMem();
896 }
897
898 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
899 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
900 }
901
902 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
903 byte_t buf[USB_CMD_DATA_SIZE];
904 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
905
906 LED_B_ON();
907 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
908 LED_B_OFF();
909 }
910
911 //-----------------------------------------------------------------------------
912 // Load a card into the emulator memory
913 //
914 //-----------------------------------------------------------------------------
915 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
916 uint8_t numSectors = arg0;
917 uint8_t keyType = arg1;
918 uint64_t ui64Key = 0;
919 uint32_t cuid;
920 struct Crypto1State mpcs = {0, 0};
921 struct Crypto1State *pcs;
922 pcs = &mpcs;
923
924 // variables
925 byte_t dataoutbuf[16];
926 byte_t dataoutbuf2[16];
927 uint8_t uid[10];
928
929 // clear trace
930 clear_trace();
931 set_tracing(false);
932
933 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
934
935 LED_A_ON();
936 LED_B_OFF();
937 LED_C_OFF();
938
939 bool isOK = true;
940
941 if(!iso14443a_select_card(uid, NULL, &cuid)) {
942 isOK = false;
943 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
944 }
945
946 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
947 ui64Key = emlGetKey(sectorNo, keyType);
948 if (sectorNo == 0){
949 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
950 isOK = false;
951 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
952 break;
953 }
954 } else {
955 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
956 isOK = false;
957 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
958 break;
959 }
960 }
961
962 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
963 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
964 isOK = false;
965 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
966 break;
967 };
968 if (isOK) {
969 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
970 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
971 } else { // sector trailer, keep the keys, set only the AC
972 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
973 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
974 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
975 }
976 }
977 }
978
979 }
980
981 if(mifare_classic_halt(pcs, cuid)) {
982 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
983 };
984
985 // ----------------------------- crypto1 destroy
986 crypto1_destroy(pcs);
987
988 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
989 LEDsoff();
990
991 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
992
993 }
994
995
996 //-----------------------------------------------------------------------------
997 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
998 //
999 //-----------------------------------------------------------------------------
1000 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1001
1002 // params
1003 uint8_t needWipe = arg0;
1004 // bit 0 - need get UID
1005 // bit 1 - need wupC
1006 // bit 2 - need HALT after sequence
1007 // bit 3 - need init FPGA and field before sequence
1008 // bit 4 - need reset FPGA and LED
1009 uint8_t workFlags = arg1;
1010 uint8_t blockNo = arg2;
1011
1012 // card commands
1013 uint8_t wupC1[] = { 0x40 };
1014 uint8_t wupC2[] = { 0x43 };
1015 uint8_t wipeC[] = { 0x41 };
1016
1017 // variables
1018 byte_t isOK = 0;
1019 uint8_t uid[10] = {0x00};
1020 uint8_t d_block[18] = {0x00};
1021 uint32_t cuid;
1022
1023 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1024 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1025
1026 // reset FPGA and LED
1027 if (workFlags & 0x08) {
1028 LED_A_ON();
1029 LED_B_OFF();
1030 LED_C_OFF();
1031
1032 clear_trace();
1033 set_tracing(TRUE);
1034 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1035 }
1036
1037 while (true) {
1038
1039 // get UID from chip
1040 if (workFlags & 0x01) {
1041 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1042 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1043 break;
1044 };
1045
1046 if(mifare_classic_halt(NULL, cuid)) {
1047 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1048 break;
1049 };
1050 };
1051
1052 // reset chip
1053 if (needWipe){
1054 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1055 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1056 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1057 break;
1058 };
1059
1060 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1061 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1062 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1063 break;
1064 };
1065
1066 if(mifare_classic_halt(NULL, cuid)) {
1067 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1068 break;
1069 };
1070 };
1071
1072 // write block
1073 if (workFlags & 0x02) {
1074 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1075 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1076 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1077 break;
1078 };
1079
1080 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1081 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1082 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1083 break;
1084 };
1085 }
1086
1087 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1088 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1089 break;
1090 };
1091
1092 memcpy(d_block, datain, 16);
1093 AppendCrc14443a(d_block, 16);
1094
1095 ReaderTransmit(d_block, sizeof(d_block), NULL);
1096 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1097 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1098 break;
1099 };
1100
1101 if (workFlags & 0x04) {
1102 if (mifare_classic_halt(NULL, cuid)) {
1103 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1104 break;
1105 };
1106 }
1107
1108 isOK = 1;
1109 break;
1110 }
1111
1112 LED_B_ON();
1113 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1114 LED_B_OFF();
1115
1116 if ((workFlags & 0x10) || (!isOK)) {
1117 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1118 LEDsoff();
1119 }
1120 }
1121
1122
1123 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1124
1125 // params
1126 // bit 1 - need wupC
1127 // bit 2 - need HALT after sequence
1128 // bit 3 - need init FPGA and field before sequence
1129 // bit 4 - need reset FPGA and LED
1130 uint8_t workFlags = arg0;
1131 uint8_t blockNo = arg2;
1132
1133 // card commands
1134 uint8_t wupC1[] = { 0x40 };
1135 uint8_t wupC2[] = { 0x43 };
1136
1137 // variables
1138 byte_t isOK = 0;
1139 uint8_t data[18] = {0x00};
1140 uint32_t cuid = 0;
1141
1142 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1143 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1144
1145 if (workFlags & 0x08) {
1146 LED_A_ON();
1147 LED_B_OFF();
1148 LED_C_OFF();
1149
1150 clear_trace();
1151 set_tracing(TRUE);
1152 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1153 }
1154
1155 while (true) {
1156 if (workFlags & 0x02) {
1157 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1158 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1159 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1160 break;
1161 };
1162
1163 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1164 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1165 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1166 break;
1167 };
1168 }
1169
1170 // read block
1171 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1172 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1173 break;
1174 };
1175 memcpy(data, receivedAnswer, 18);
1176
1177 if (workFlags & 0x04) {
1178 if (mifare_classic_halt(NULL, cuid)) {
1179 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1180 break;
1181 };
1182 }
1183
1184 isOK = 1;
1185 break;
1186 }
1187
1188 LED_B_ON();
1189 cmd_send(CMD_ACK,isOK,0,0,data,18);
1190 LED_B_OFF();
1191
1192 if ((workFlags & 0x10) || (!isOK)) {
1193 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1194 LEDsoff();
1195 }
1196 }
1197
1198 void MifareCIdent(){
1199
1200 // card commands
1201 uint8_t wupC1[] = { 0x40 };
1202 uint8_t wupC2[] = { 0x43 };
1203
1204 // variables
1205 byte_t isOK = 1;
1206
1207 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1208 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1209
1210 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1211 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1212 isOK = 0;
1213 };
1214
1215 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1216 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1217 isOK = 0;
1218 };
1219
1220 if (mifare_classic_halt(NULL, 0)) {
1221 isOK = 0;
1222 };
1223
1224 cmd_send(CMD_ACK,isOK,0,0,0,0);
1225 }
1226
1227 //
1228 // DESFIRE
1229 //
1230
1231 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1232
1233 byte_t dataout[11] = {0x00};
1234 uint8_t uid[10] = {0x00};
1235 uint32_t cuid;
1236
1237 clear_trace();
1238 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1239
1240 int len = iso14443a_select_card(uid, NULL, &cuid);
1241 if(!len) {
1242 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1243 OnError(1);
1244 return;
1245 };
1246
1247 if(mifare_desfire_des_auth1(cuid, dataout)){
1248 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1249 OnError(4);
1250 return;
1251 }
1252
1253 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1254 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1255 }
1256
1257 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1258
1259 uint32_t cuid = arg0;
1260 uint8_t key[16] = {0x00};
1261 byte_t isOK = 0;
1262 byte_t dataout[12] = {0x00};
1263
1264 memcpy(key, datain, 16);
1265
1266 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1267
1268 if( isOK) {
1269 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");
1270 OnError(4);
1271 return;
1272 }
1273
1274 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
1275
1276 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1277 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1278 LEDsoff();
1279 }
1280
1281 void OnSuccess(){
1282 pcb_blocknum = 0;
1283 ReaderTransmit(deselect_cmd, 3 , NULL);
1284 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1285 LEDsoff();
1286 }
1287
1288 void OnError(uint8_t reason){
1289 pcb_blocknum = 0;
1290 ReaderTransmit(deselect_cmd, 3 , NULL);
1291 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1292 cmd_send(CMD_ACK,0,reason,0,0,0);
1293 LEDsoff();
1294 }
Impressum, Datenschutz