]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
FIX: a solution for the issue "hf mf esave - always saves 4K"
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18
19 //-----------------------------------------------------------------------------
20 // Select, Authenticate, Read a MIFARE tag.
21 // read block
22 //-----------------------------------------------------------------------------
23 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
24 {
25 // params
26 uint8_t blockNo = arg0;
27 uint8_t keyType = arg1;
28 uint64_t ui64Key = 0;
29 ui64Key = bytes_to_num(datain, 6);
30
31 // variables
32 byte_t isOK = 0;
33 byte_t dataoutbuf[16];
34 uint8_t uid[10];
35 uint32_t cuid;
36 struct Crypto1State mpcs = {0, 0};
37 struct Crypto1State *pcs;
38 pcs = &mpcs;
39
40 // clear trace
41 iso14a_clear_trace();
42 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
43
44 LED_A_ON();
45 LED_B_OFF();
46 LED_C_OFF();
47
48 while (true) {
49 if(!iso14443a_select_card(uid, NULL, &cuid)) {
50 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
51 break;
52 };
53
54 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
55 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
56 break;
57 };
58
59 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
60 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
61 break;
62 };
63
64 if(mifare_classic_halt(pcs, cuid)) {
65 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
66 break;
67 };
68
69 isOK = 1;
70 break;
71 }
72
73 // ----------------------------- crypto1 destroy
74 crypto1_destroy(pcs);
75
76 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
77
78 LED_B_ON();
79 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
80 LED_B_OFF();
81
82 // Thats it...
83 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
84 LEDsoff();
85 }
86
87 void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
88 {
89 // params
90 uint8_t blockNo = arg0;
91
92 // variables
93 byte_t isOK = 0;
94 byte_t dataoutbuf[16];
95 uint8_t uid[10];
96 uint32_t cuid;
97
98 // clear trace
99 iso14a_clear_trace();
100 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
101
102 LED_A_ON();
103 LED_B_OFF();
104 LED_C_OFF();
105
106 while (true) {
107 if(!iso14443a_select_card(uid, NULL, &cuid)) {
108 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
109 break;
110 };
111
112 if(mifare_ultra_readblock(cuid, blockNo, dataoutbuf)) {
113 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
114 break;
115 };
116
117 if(mifare_ultra_halt(cuid)) {
118 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
119 break;
120 };
121
122 isOK = 1;
123 break;
124 }
125
126 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
127
128 LED_B_ON();
129 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
130 LED_B_OFF();
131 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
132 LEDsoff();
133 }
134
135 //-----------------------------------------------------------------------------
136 // Select, Authenticate, Read a MIFARE tag.
137 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
138 //-----------------------------------------------------------------------------
139 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
140 {
141 // params
142 uint8_t sectorNo = arg0;
143 uint8_t keyType = arg1;
144 uint64_t ui64Key = 0;
145 ui64Key = bytes_to_num(datain, 6);
146
147 // variables
148 byte_t isOK = 0;
149 byte_t dataoutbuf[16 * 16];
150 uint8_t uid[10];
151 uint32_t cuid;
152 struct Crypto1State mpcs = {0, 0};
153 struct Crypto1State *pcs;
154 pcs = &mpcs;
155
156 // clear trace
157 iso14a_clear_trace();
158
159 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
160
161 LED_A_ON();
162 LED_B_OFF();
163 LED_C_OFF();
164
165 isOK = 1;
166 if(!iso14443a_select_card(uid, NULL, &cuid)) {
167 isOK = 0;
168 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
169 }
170
171
172 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
173 isOK = 0;
174 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
175 }
176
177 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
178 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
179 isOK = 0;
180 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
181 break;
182 }
183 }
184
185 if(mifare_classic_halt(pcs, cuid)) {
186 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
187 }
188
189 // ----------------------------- crypto1 destroy
190 crypto1_destroy(pcs);
191
192 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
193
194 LED_B_ON();
195 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
196 LED_B_OFF();
197
198 // Thats it...
199 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
200 LEDsoff();
201 }
202
203
204 void MifareUReadCard(uint8_t arg0, uint8_t *datain)
205 {
206 // params
207 uint8_t sectorNo = arg0;
208
209 // variables
210 byte_t isOK = 0;
211 byte_t dataoutbuf[16 * 4];
212 uint8_t uid[10];
213 uint32_t cuid;
214
215 // clear trace
216 iso14a_clear_trace();
217
218 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
219
220 LED_A_ON();
221 LED_B_OFF();
222 LED_C_OFF();
223
224 while (true) {
225 if(!iso14443a_select_card(uid, NULL, &cuid)) {
226 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
227 break;
228 };
229 for(int sec=0;sec<16;sec++){
230 if(mifare_ultra_readblock(cuid, sectorNo * 4 + sec, dataoutbuf + 4 * sec)) {
231 if (MF_DBGLEVEL >= 1) Dbprintf("Read block %d error",sec);
232 break;
233 };
234 }
235 if(mifare_ultra_halt(cuid)) {
236 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
237 break;
238 };
239
240 isOK = 1;
241 break;
242 }
243
244 if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED");
245
246 LED_B_ON();
247 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64);
248 LED_B_OFF();
249
250 // Thats it...
251 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
252 LEDsoff();
253
254 }
255
256
257 //-----------------------------------------------------------------------------
258 // Select, Authenticate, Write a MIFARE tag.
259 // read block
260 //-----------------------------------------------------------------------------
261 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
262 {
263 // params
264 uint8_t blockNo = arg0;
265 uint8_t keyType = arg1;
266 uint64_t ui64Key = 0;
267 byte_t blockdata[16];
268
269 ui64Key = bytes_to_num(datain, 6);
270 memcpy(blockdata, datain + 10, 16);
271
272 // variables
273 byte_t isOK = 0;
274 uint8_t uid[10];
275 uint32_t cuid;
276 struct Crypto1State mpcs = {0, 0};
277 struct Crypto1State *pcs;
278 pcs = &mpcs;
279
280 // clear trace
281 iso14a_clear_trace();
282
283 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
284
285 LED_A_ON();
286 LED_B_OFF();
287 LED_C_OFF();
288
289 while (true) {
290 if(!iso14443a_select_card(uid, NULL, &cuid)) {
291 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
292 break;
293 };
294
295 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
296 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
297 break;
298 };
299
300 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
301 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
302 break;
303 };
304
305 if(mifare_classic_halt(pcs, cuid)) {
306 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
307 break;
308 };
309
310 isOK = 1;
311 break;
312 }
313
314 // ----------------------------- crypto1 destroy
315 crypto1_destroy(pcs);
316
317 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
318
319 LED_B_ON();
320 cmd_send(CMD_ACK,isOK,0,0,0,0);
321 LED_B_OFF();
322
323
324 // Thats it...
325 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
326 LEDsoff();
327 }
328
329 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
330 {
331 // params
332 uint8_t blockNo = arg0;
333 byte_t blockdata[16];
334
335 memset(blockdata,'\0',16);
336 memcpy(blockdata, datain,16);
337
338 // variables
339 byte_t isOK = 0;
340 uint8_t uid[10];
341 uint32_t cuid;
342
343 // clear trace
344 iso14a_clear_trace();
345
346 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
347
348 LED_A_ON();
349 LED_B_OFF();
350 LED_C_OFF();
351
352 while (true) {
353 if(!iso14443a_select_card(uid, NULL, &cuid)) {
354 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
355 break;
356 };
357
358 if(mifare_ultra_writeblock(cuid, blockNo, blockdata)) {
359 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
360 break;
361 };
362
363 if(mifare_ultra_halt(cuid)) {
364 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
365 break;
366 };
367
368 isOK = 1;
369 break;
370 }
371
372 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
373
374 LED_B_ON();
375 cmd_send(CMD_ACK,isOK,0,0,0,0);
376 LED_B_OFF();
377
378
379 // Thats it...
380 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
381 LEDsoff();
382 // iso14a_set_tracing(TRUE);
383 }
384
385 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
386 {
387 // params
388 uint8_t blockNo = arg0;
389 byte_t blockdata[4];
390
391 memcpy(blockdata, datain,4);
392
393 // variables
394 byte_t isOK = 0;
395 uint8_t uid[10];
396 uint32_t cuid;
397
398 // clear trace
399 iso14a_clear_trace();
400
401 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
402
403 LED_A_ON();
404 LED_B_OFF();
405 LED_C_OFF();
406
407 while (true) {
408 if(!iso14443a_select_card(uid, NULL, &cuid)) {
409 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
410 break;
411 };
412
413 if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) {
414 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
415 break;
416 };
417
418 if(mifare_ultra_halt(cuid)) {
419 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
420 break;
421 };
422
423 isOK = 1;
424 break;
425 }
426
427 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
428
429 LED_B_ON();
430 cmd_send(CMD_ACK,isOK,0,0,0,0);
431 LED_B_OFF();
432
433 // Thats it...
434 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
435 LEDsoff();
436 }
437
438 // Return 1 if the nonce is invalid else return 0
439 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
440 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
441 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
442 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
443 }
444
445
446 //-----------------------------------------------------------------------------
447 // MIFARE nested authentication.
448 //
449 //-----------------------------------------------------------------------------
450 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
451 {
452 // params
453 uint8_t blockNo = arg0 & 0xff;
454 uint8_t keyType = (arg0 >> 8) & 0xff;
455 uint8_t targetBlockNo = arg1 & 0xff;
456 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
457 uint64_t ui64Key = 0;
458
459 ui64Key = bytes_to_num(datain, 6);
460
461 // variables
462 uint16_t rtr, i, j, len;
463 uint16_t davg;
464 static uint16_t dmin, dmax;
465 uint8_t uid[10];
466 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
467 uint8_t par[1];
468 uint32_t target_nt[2], target_ks[2];
469
470 uint8_t par_array[4];
471 uint16_t ncount = 0;
472 struct Crypto1State mpcs = {0, 0};
473 struct Crypto1State *pcs;
474 pcs = &mpcs;
475 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
476
477 uint32_t auth1_time, auth2_time;
478 static uint16_t delta_time;
479
480 // clear trace
481 iso14a_clear_trace();
482 iso14a_set_tracing(false);
483
484 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
485
486 LED_A_ON();
487 LED_C_OFF();
488
489
490 // statistics on nonce distance
491 if (calibrate) { // for first call only. Otherwise reuse previous calibration
492 LED_B_ON();
493 WDT_HIT();
494
495 davg = dmax = 0;
496 dmin = 2000;
497 delta_time = 0;
498
499 for (rtr = 0; rtr < 17; rtr++) {
500
501 // prepare next select. No need to power down the card.
502 if(mifare_classic_halt(pcs, cuid)) {
503 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
504 rtr--;
505 continue;
506 }
507
508 if(!iso14443a_select_card(uid, NULL, &cuid)) {
509 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
510 rtr--;
511 continue;
512 };
513
514 auth1_time = 0;
515 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
516 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
517 rtr--;
518 continue;
519 };
520
521 if (delta_time) {
522 auth2_time = auth1_time + delta_time;
523 } else {
524 auth2_time = 0;
525 }
526 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
527 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
528 rtr--;
529 continue;
530 };
531
532 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
533 for (i = 101; i < 1200; i++) {
534 nttmp = prng_successor(nttmp, 1);
535 if (nttmp == nt2) break;
536 }
537
538 if (i != 1200) {
539 if (rtr != 0) {
540 davg += i;
541 dmin = MIN(dmin, i);
542 dmax = MAX(dmax, i);
543 }
544 else {
545 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
546 }
547 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
548 }
549 }
550
551 if (rtr <= 1) return;
552
553 davg = (davg + (rtr - 1)/2) / (rtr - 1);
554
555 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
556
557 dmin = davg - 2;
558 dmax = davg + 2;
559
560 LED_B_OFF();
561
562 }
563 // -------------------------------------------------------------------------------------------------
564
565 LED_C_ON();
566
567 // get crypted nonces for target sector
568 for(i=0; i < 2; i++) { // look for exactly two different nonces
569
570 target_nt[i] = 0;
571 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
572
573 // prepare next select. No need to power down the card.
574 if(mifare_classic_halt(pcs, cuid)) {
575 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
576 continue;
577 }
578
579 if(!iso14443a_select_card(uid, NULL, &cuid)) {
580 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
581 continue;
582 };
583
584 auth1_time = 0;
585 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
586 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
587 continue;
588 };
589
590 // nested authentication
591 auth2_time = auth1_time + delta_time;
592 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
593 if (len != 4) {
594 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
595 continue;
596 };
597
598 nt2 = bytes_to_num(receivedAnswer, 4);
599 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
600
601 // Parity validity check
602 for (j = 0; j < 4; j++) {
603 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
604 }
605
606 ncount = 0;
607 nttest = prng_successor(nt1, dmin - 1);
608 for (j = dmin; j < dmax + 1; j++) {
609 nttest = prng_successor(nttest, 1);
610 ks1 = nt2 ^ nttest;
611
612 if (valid_nonce(nttest, nt2, ks1, par_array)){
613 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
614 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
615 target_nt[i] = 0;
616 break;
617 }
618 target_nt[i] = nttest;
619 target_ks[i] = ks1;
620 ncount++;
621 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
622 target_nt[i] = 0;
623 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
624 break;
625 }
626 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
627 }
628 }
629 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
630 }
631 }
632
633 LED_C_OFF();
634
635 // ----------------------------- crypto1 destroy
636 crypto1_destroy(pcs);
637
638 byte_t buf[4 + 4 * 4];
639 memcpy(buf, &cuid, 4);
640 memcpy(buf+4, &target_nt[0], 4);
641 memcpy(buf+8, &target_ks[0], 4);
642 memcpy(buf+12, &target_nt[1], 4);
643 memcpy(buf+16, &target_ks[1], 4);
644
645 LED_B_ON();
646 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
647 LED_B_OFF();
648
649 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
650
651 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
652 LEDsoff();
653 iso14a_set_tracing(TRUE);
654 }
655
656 //-----------------------------------------------------------------------------
657 // MIFARE check keys. key count up to 85.
658 //
659 //-----------------------------------------------------------------------------
660 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
661 {
662 // params
663 uint8_t blockNo = arg0;
664 uint8_t keyType = arg1;
665 uint8_t keyCount = arg2;
666 uint64_t ui64Key = 0;
667
668 // variables
669 int i;
670 byte_t isOK = 0;
671 uint8_t uid[10];
672 uint32_t cuid;
673 struct Crypto1State mpcs = {0, 0};
674 struct Crypto1State *pcs;
675 pcs = &mpcs;
676
677 // clear debug level
678 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
679 MF_DBGLEVEL = MF_DBG_NONE;
680
681 // clear trace
682 iso14a_clear_trace();
683 iso14a_set_tracing(TRUE);
684
685 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
686
687 LED_A_ON();
688 LED_B_OFF();
689 LED_C_OFF();
690
691 for (i = 0; i < keyCount; i++) {
692 if(mifare_classic_halt(pcs, cuid)) {
693 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
694 }
695
696 if(!iso14443a_select_card(uid, NULL, &cuid)) {
697 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
698 break;
699 };
700
701 ui64Key = bytes_to_num(datain + i * 6, 6);
702 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
703 continue;
704 };
705
706 isOK = 1;
707 break;
708 }
709
710 // ----------------------------- crypto1 destroy
711 crypto1_destroy(pcs);
712
713 LED_B_ON();
714 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
715 LED_B_OFF();
716
717 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
718 LEDsoff();
719
720 // restore debug level
721 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
722 }
723
724 //-----------------------------------------------------------------------------
725 // MIFARE commands set debug level
726 //
727 //-----------------------------------------------------------------------------
728 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
729 MF_DBGLEVEL = arg0;
730 Dbprintf("Debug level: %d", MF_DBGLEVEL);
731 }
732
733 //-----------------------------------------------------------------------------
734 // Work with emulator memory
735 //
736 //-----------------------------------------------------------------------------
737 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
738 emlClearMem();
739 }
740
741 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
742 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
743 }
744
745 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
746 byte_t buf[USB_CMD_DATA_SIZE];
747 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
748
749 LED_B_ON();
750 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
751 LED_B_OFF();
752 }
753
754 //-----------------------------------------------------------------------------
755 // Load a card into the emulator memory
756 //
757 //-----------------------------------------------------------------------------
758 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
759 uint8_t numSectors = arg0;
760 uint8_t keyType = arg1;
761 uint64_t ui64Key = 0;
762 uint32_t cuid;
763 struct Crypto1State mpcs = {0, 0};
764 struct Crypto1State *pcs;
765 pcs = &mpcs;
766
767 // variables
768 byte_t dataoutbuf[16];
769 byte_t dataoutbuf2[16];
770 uint8_t uid[10];
771
772 // clear trace
773 iso14a_clear_trace();
774 iso14a_set_tracing(false);
775
776 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
777
778 LED_A_ON();
779 LED_B_OFF();
780 LED_C_OFF();
781
782 bool isOK = true;
783
784 if(!iso14443a_select_card(uid, NULL, &cuid)) {
785 isOK = false;
786 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
787 }
788
789 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
790 ui64Key = emlGetKey(sectorNo, keyType);
791 if (sectorNo == 0){
792 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
793 isOK = false;
794 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
795 break;
796 }
797 } else {
798 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
799 isOK = false;
800 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
801 break;
802 }
803 }
804
805 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
806 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
807 isOK = false;
808 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
809 break;
810 };
811 if (isOK) {
812 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
813 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
814 } else { // sector trailer, keep the keys, set only the AC
815 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
816 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
817 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
818 }
819 }
820 }
821
822 }
823
824 if(mifare_classic_halt(pcs, cuid)) {
825 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
826 };
827
828 // ----------------------------- crypto1 destroy
829 crypto1_destroy(pcs);
830
831 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
832 LEDsoff();
833
834 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
835
836 }
837
838
839 //-----------------------------------------------------------------------------
840 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
841 //
842 //-----------------------------------------------------------------------------
843 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
844
845 // params
846 uint8_t needWipe = arg0;
847 // bit 0 - need get UID
848 // bit 1 - need wupC
849 // bit 2 - need HALT after sequence
850 // bit 3 - need init FPGA and field before sequence
851 // bit 4 - need reset FPGA and LED
852 uint8_t workFlags = arg1;
853 uint8_t blockNo = arg2;
854
855 // card commands
856 uint8_t wupC1[] = { 0x40 };
857 uint8_t wupC2[] = { 0x43 };
858 uint8_t wipeC[] = { 0x41 };
859
860 // variables
861 byte_t isOK = 0;
862 uint8_t uid[10] = {0x00};
863 uint8_t d_block[18] = {0x00};
864 uint32_t cuid;
865
866 uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
867 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
868
869 // reset FPGA and LED
870 if (workFlags & 0x08) {
871 LED_A_ON();
872 LED_B_OFF();
873 LED_C_OFF();
874
875 iso14a_clear_trace();
876 iso14a_set_tracing(TRUE);
877 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
878 }
879
880 while (true) {
881
882 // get UID from chip
883 if (workFlags & 0x01) {
884 if(!iso14443a_select_card(uid, NULL, &cuid)) {
885 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
886 break;
887 };
888
889 if(mifare_classic_halt(NULL, cuid)) {
890 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
891 break;
892 };
893 };
894
895 // reset chip
896 if (needWipe){
897 ReaderTransmitBitsPar(wupC1,7,0, NULL);
898 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
899 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
900 break;
901 };
902
903 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
904 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
905 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
906 break;
907 };
908
909 if(mifare_classic_halt(NULL, cuid)) {
910 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
911 break;
912 };
913 };
914
915 // write block
916 if (workFlags & 0x02) {
917 ReaderTransmitBitsPar(wupC1,7,0, NULL);
918 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
919 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
920 break;
921 };
922
923 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
924 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
925 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
926 break;
927 };
928 }
929
930 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
931 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
932 break;
933 };
934
935 memcpy(d_block, datain, 16);
936 AppendCrc14443a(d_block, 16);
937
938 ReaderTransmit(d_block, sizeof(d_block), NULL);
939 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
940 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
941 break;
942 };
943
944 if (workFlags & 0x04) {
945 if (mifare_classic_halt(NULL, cuid)) {
946 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
947 break;
948 };
949 }
950
951 isOK = 1;
952 break;
953 }
954
955 LED_B_ON();
956 cmd_send(CMD_ACK,isOK,0,0,uid,4);
957 LED_B_OFF();
958
959 if ((workFlags & 0x10) || (!isOK)) {
960 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
961 LEDsoff();
962 }
963 }
964
965
966 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
967
968 // params
969 // bit 1 - need wupC
970 // bit 2 - need HALT after sequence
971 // bit 3 - need init FPGA and field before sequence
972 // bit 4 - need reset FPGA and LED
973 uint8_t workFlags = arg0;
974 uint8_t blockNo = arg2;
975
976 // card commands
977 uint8_t wupC1[] = { 0x40 };
978 uint8_t wupC2[] = { 0x43 };
979
980 // variables
981 byte_t isOK = 0;
982 uint8_t data[18] = {0x00};
983 uint32_t cuid = 0;
984
985 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
986 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
987
988 if (workFlags & 0x08) {
989 LED_A_ON();
990 LED_B_OFF();
991 LED_C_OFF();
992
993 iso14a_clear_trace();
994 iso14a_set_tracing(TRUE);
995 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
996 }
997
998 while (true) {
999 if (workFlags & 0x02) {
1000 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1001 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1002 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1003 break;
1004 };
1005
1006 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1007 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1008 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1009 break;
1010 };
1011 }
1012
1013 // read block
1014 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1015 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1016 break;
1017 };
1018 memcpy(data, receivedAnswer, 18);
1019
1020 if (workFlags & 0x04) {
1021 if (mifare_classic_halt(NULL, cuid)) {
1022 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1023 break;
1024 };
1025 }
1026
1027 isOK = 1;
1028 break;
1029 }
1030
1031 LED_B_ON();
1032 cmd_send(CMD_ACK,isOK,0,0,data,18);
1033 LED_B_OFF();
1034
1035 if ((workFlags & 0x10) || (!isOK)) {
1036 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1037 LEDsoff();
1038 }
1039 }
1040
1041 void MifareCIdent(){
1042
1043 // card commands
1044 uint8_t wupC1[] = { 0x40 };
1045 uint8_t wupC2[] = { 0x43 };
1046
1047 // variables
1048 byte_t isOK = 1;
1049
1050 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
1051 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
1052
1053 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1054 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1055 isOK = 0;
1056 };
1057
1058 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1059 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1060 isOK = 0;
1061 };
1062
1063 if (mifare_classic_halt(NULL, 0)) {
1064 isOK = 0;
1065 };
1066
1067 cmd_send(CMD_ACK,isOK,0,0,0,0);
1068 }
1069
1070 //
1071 // DESFIRE
1072 //
Proxmark3 GIT tracking
Impressum, Datenschutz