]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf15.c
projects / proxmark3-svn / blob
? search:


c2a1335468ef817a542935a5c2bef3e64a566009
[proxmark3-svn] / client / cmdhf15.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 // Modified 2010-2012 by <adrian -at- atrox.at>
4 // Modified 2012 by <vsza at vsza.hu>
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // High frequency ISO15693 commands
11 //-----------------------------------------------------------------------------
12 // There are three basic operation modes, depending on which device (proxmark/pc)
13 // the signal processing, (de)modulation, transmission protocol and logic is done.
14 // Mode 1:
15 // All steps are done on the proxmark, the output of the commands is returned via
16 // USB-debug-print commands.
17 // Mode 2:
18 // The protocol is done on the PC, passing only Iso15693 data frames via USB. This
19 // allows direct communication with a tag on command level
20 // Mode 3:
21 // The proxmark just samples the antenna and passes this "analog" data via USB to
22 // the client. Signal Processing & decoding is done on the pc. This is the slowest
23 // variant, but offers the possibility to analyze the waveforms directly.
24
25 #include "cmdhf15.h"
26
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <stdint.h>
31
32 #include "comms.h"
33 #include "graph.h"
34 #include "ui.h"
35 #include "util.h"
36 #include "cmdparser.h"
37 #include "iso15693tools.h"
38 #include "protocols.h"
39 #include "cmdmain.h"
40 #include "taginfo.h"
41
42 #define Crc(data,datalen) Iso15693Crc(data,datalen)
43 #define AddCrc(data,datalen) Iso15693AddCrc(data,datalen)
44 #define sprintUID(target,uid) Iso15693sprintUID(target,uid)
45
46 // SOF defined as
47 // 1) Unmodulated time of 56.64us
48 // 2) 24 pulses of 423.75khz
49 // 3) logic '1' (unmodulated for 18.88us followed by 8 pulses of 423.75khz)
50
51 static const int Iso15693FrameSOF[] = {
52 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
53 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
54 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
55 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
56 -1, -1, -1, -1,
57 -1, -1, -1, -1,
58 1, 1, 1, 1,
59 1, 1, 1, 1
60 };
61 static const int Iso15693Logic0[] = {
62 1, 1, 1, 1,
63 1, 1, 1, 1,
64 -1, -1, -1, -1,
65 -1, -1, -1, -1
66 };
67 static const int Iso15693Logic1[] = {
68 -1, -1, -1, -1,
69 -1, -1, -1, -1,
70 1, 1, 1, 1,
71 1, 1, 1, 1
72 };
73
74 // EOF defined as
75 // 1) logic '0' (8 pulses of 423.75khz followed by unmodulated for 18.88us)
76 // 2) 24 pulses of 423.75khz
77 // 3) Unmodulated time of 56.64us
78
79 static const int Iso15693FrameEOF[] = {
80 1, 1, 1, 1,
81 1, 1, 1, 1,
82 -1, -1, -1, -1,
83 -1, -1, -1, -1,
84 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
85 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
86 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
87 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
88 };
89
90
91 // fast method to just read the UID of a tag (collission detection not supported)
92 // *buf should be large enough to fit the 64bit uid
93 // returns 1 if suceeded
94 int getUID(uint8_t *buf)
95 {
96 UsbCommand resp;
97 uint8_t *recv;
98 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
99 uint8_t *req=c.d.asBytes;
100 int reqlen=0;
101
102 for (int retry=0;retry<3; retry++) { // don't give up the at the first try
103
104 req[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1;
105 req[1] = ISO15693_INVENTORY;
106 req[2] = 0; // mask length
107 reqlen = AddCrc(req,3);
108 c.arg[0] = reqlen;
109
110 SendCommand(&c);
111
112 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
113 recv = resp.d.asBytes;
114 if (resp.arg[0]>=12 && ISO15693_CRC_CHECK==Crc(recv,12)) {
115 memcpy(buf,&recv[2],8);
116 return 1;
117 }
118 }
119 } // retry
120 return 0;
121 }
122
123
124 // return a clear-text message to an errorcode
125 static char* TagErrorStr(uint8_t error) {
126 switch (error) {
127 case 0x01: return "The command is not supported";
128 case 0x02: return "The command is not recognised";
129 case 0x03: return "The option is not supported.";
130 case 0x0f: return "Unknown error.";
131 case 0x10: return "The specified block is not available (doesn't exist).";
132 case 0x11: return "The specified block is already -locked and thus cannot be locked again";
133 case 0x12: return "The specified block is locked and its content cannot be changed.";
134 case 0x13: return "The specified block was not successfully programmed.";
135 case 0x14: return "The specified block was not successfully locked.";
136 default: return "Reserved for Future Use or Custom command error.";
137 }
138 }
139
140
141 // Mode 3
142 int CmdHF15Demod(const char *Cmd)
143 {
144 // The sampling rate is 106.353 ksps/s, for T = 18.8 us
145
146 int i, j;
147 int max = 0, maxPos = 0;
148
149 int skip = 2;
150
151 if (GraphTraceLen < 2000) return 0;
152
153 // First, correlate for SOF
154 for (i = 0; i < 200; i++) {
155 int corr = 0;
156 for (j = 0; j < arraylen(Iso15693FrameSOF); j += skip) {
157 corr += Iso15693FrameSOF[j] * GraphBuffer[i + (j / skip)];
158 }
159 if (corr > max) {
160 max = corr;
161 maxPos = i;
162 }
163 }
164 PrintAndLog("SOF at %d, correlation %d", maxPos,
165 max / (arraylen(Iso15693FrameSOF) / skip));
166
167 i = maxPos + arraylen(Iso15693FrameSOF) / skip;
168 int k = 0;
169 uint8_t outBuf[20];
170 memset(outBuf, 0, sizeof(outBuf));
171 uint8_t mask = 0x01;
172 for (;;) {
173 int corr0 = 0, corr00 = 0, corr01 = 0, corr1 = 0, corrEOF = 0;
174 for(j = 0; j < arraylen(Iso15693Logic0); j += skip) {
175 corr0 += Iso15693Logic0[j]*GraphBuffer[i+(j/skip)];
176 }
177 corr01 = corr00 = corr0;
178 for(j = 0; j < arraylen(Iso15693Logic0); j += skip) {
179 corr00 += Iso15693Logic0[j]*GraphBuffer[i+arraylen(Iso15693Logic0)/skip+(j/skip)];
180 corr01 += Iso15693Logic1[j]*GraphBuffer[i+arraylen(Iso15693Logic0)/skip+(j/skip)];
181 }
182 for(j = 0; j < arraylen(Iso15693Logic1); j += skip) {
183 corr1 += Iso15693Logic1[j]*GraphBuffer[i+(j/skip)];
184 }
185 for(j = 0; j < arraylen(Iso15693FrameEOF); j += skip) {
186 corrEOF += Iso15693FrameEOF[j]*GraphBuffer[i+(j/skip)];
187 }
188 // Even things out by the length of the target waveform.
189 corr00 *= 2;
190 corr01 *= 2;
191 corr0 *= 4;
192 corr1 *= 4;
193
194 if(corrEOF > corr1 && corrEOF > corr00 && corrEOF > corr01) {
195 PrintAndLog("EOF at %d", i);
196 break;
197 } else if (corr1 > corr0) {
198 i += arraylen(Iso15693Logic1) / skip;
199 outBuf[k] |= mask;
200 } else {
201 i += arraylen(Iso15693Logic0) / skip;
202 }
203 mask <<= 1;
204 if (mask == 0) {
205 k++;
206 mask = 0x01;
207 }
208 if ((i + (int)arraylen(Iso15693FrameEOF)) >= GraphTraceLen) {
209 PrintAndLog("ran off end!");
210 break;
211 }
212 }
213 if (mask != 0x01) {
214 PrintAndLog("error, uneven octet! (discard extra bits!)");
215 PrintAndLog(" mask=%02x", mask);
216 }
217 PrintAndLog("%d octets", k);
218
219 for (i = 0; i < k; i++) {
220 PrintAndLog("# %2d: %02x ", i, outBuf[i]);
221 }
222 PrintAndLog("CRC=%04x", Iso15693Crc(outBuf, k - 2));
223 return 0;
224 }
225
226
227
228 // * Acquire Samples as Reader (enables carrier, sends inquiry)
229 int CmdHF15Read(const char *Cmd)
230 {
231 UsbCommand c = {CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693};
232 SendCommand(&c);
233 return 0;
234 }
235
236 // Record Activity without enabling carrier
237 int CmdHF15Snoop(const char *Cmd)
238 {
239 UsbCommand c = {CMD_SNOOP_ISO_15693};
240 SendCommand(&c);
241 return 0;
242 }
243
244 int HF15Reader(const char *Cmd, bool verbose)
245 {
246 uint8_t uid[8];
247
248 if (!getUID(uid)) {
249 if (verbose) PrintAndLog("No Tag found.");
250 return 0;
251 }
252
253 PrintAndLog("UID: %s", sprintUID(NULL,uid));
254 PrintAndLog("Manufacturer byte: %02X, %s", uid[6], getManufacturerName(uid[6]));
255 PrintAndLog("Chip ID: %02X, %s", uid[5], getChipInfo(uid[6], uid[5]));
256 return 1;
257 }
258
259 int CmdHF15Reader(const char *Cmd)
260 {
261 UsbCommand c = {CMD_READER_ISO_15693, {strtol(Cmd, NULL, 0), 0, 0}};
262 SendCommand(&c);
263 return 0;
264 }
265
266 // Simulation is still not working very good
267 int CmdHF15Sim(const char *Cmd)
268 {
269 char cmdp = param_getchar(Cmd, 0);
270 uint8_t uid[8] = {0x00};
271
272 //E0 16 24 00 00 00 00 00
273 if (cmdp == 'h' || cmdp == 'H') {
274 PrintAndLog("Usage: hf 15 sim <UID>");
275 PrintAndLog("");
276 PrintAndLog(" sample: hf 15 sim E016240000000000");
277 return 0;
278 }
279
280 if (param_gethex(Cmd, 0, uid, 16)) {
281 PrintAndLog("UID must include 16 HEX symbols");
282 return 0;
283 }
284
285 PrintAndLog("Starting simulating UID %02X %02X %02X %02X %02X %02X %02X %02X",
286 uid[0],uid[1],uid[2],uid[3],uid[4], uid[5], uid[6], uid[7]);
287 PrintAndLog("Press the button to stop simulation");
288
289 UsbCommand c = {CMD_SIMTAG_ISO_15693, {0, 0, 0}};
290 memcpy(c.d.asBytes,uid,8);
291
292 SendCommand(&c);
293 return 0;
294 }
295
296 // finds the AFI (Application Family Idendifier) of a card, by trying all values
297 // (There is no standard way of reading the AFI, allthough some tags support this)
298 int CmdHF15Afi(const char *Cmd)
299 {
300 UsbCommand c = {CMD_ISO_15693_FIND_AFI, {strtol(Cmd, NULL, 0), 0, 0}};
301 SendCommand(&c);
302 return 0;
303 }
304
305 // Reads all memory pages
306 int CmdHF15DumpMem(const char*Cmd) {
307 UsbCommand resp;
308 uint8_t uid[8];
309 uint8_t *recv=NULL;
310 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
311 uint8_t *req=c.d.asBytes;
312 int reqlen=0;
313 int blocknum=0;
314 char output[80];
315
316 if (!getUID(uid)) {
317 PrintAndLog("No Tag found.");
318 return 0;
319 }
320
321 PrintAndLog("Reading memory from tag");
322 PrintAndLog("UID: %s", sprintUID(NULL,uid));
323 PrintAndLog("Manufacturer byte: %02X, %s", uid[6], getManufacturerName(uid[6]));
324 PrintAndLog("Chip ID: %02X, %s", uid[5], getChipInfo(uid[6], uid[5]));
325
326 for (int retry=0; retry<5; retry++) {
327
328 req[0]= ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS;
329 req[1] = ISO15693_READBLOCK;
330 memcpy(&req[2],uid,8);
331 req[10] = blocknum;
332 reqlen = AddCrc(req,11);
333 c.arg[0] = reqlen;
334
335 SendCommand(&c);
336
337 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
338 recv = resp.d.asBytes;
339 if (ISO15693_CRC_CHECK==Crc(recv,resp.arg[0])) {
340 if (!(recv[0] & ISO15693_RES_ERROR)) {
341 retry=0;
342 *output=0; // reset outputstring
343 sprintf(output, "Block %02x ",blocknum);
344 for ( int i=1; i<resp.arg[0]-2; i++) { // data in hex
345 sprintf(output+strlen(output),"%02X ",recv[i]);
346 }
347 strcat(output," ");
348 for ( int i=1; i<resp.arg[0]-2; i++) { // data in cleaned ascii
349 sprintf(output+strlen(output),"%c",(recv[i]>31 && recv[i]<127)?recv[i]:'.');
350 }
351 PrintAndLog("%s",output);
352 blocknum++;
353 // PrintAndLog("bn=%i",blocknum);
354 } else {
355 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
356 return 1;
357 }
358 } // else PrintAndLog("crc");
359 } // else PrintAndLog("r null");
360 } // retry
361 // TODO: need fix
362 // if (resp.arg[0]<3)
363 // PrintAndLog("Lost Connection");
364 // else if (ISO15693_CRC_CHECK!=Crc(resp.d.asBytes,resp.arg[0]))
365 // PrintAndLog("CRC Failed");
366 // else
367 // PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
368 return 1;
369 }
370
371
372 // "HF 15" interface
373
374 static command_t CommandTable15[] =
375 {
376 {"help", CmdHF15Help, 1, "This help"},
377 {"demod", CmdHF15Demod, 1, "Demodulate ISO15693 from tag"},
378 {"read", CmdHF15Read, 0, "Read HF tag (ISO 15693)"},
379 {"snoop", CmdHF15Snoop, 0, "Eavesdrop ISO 15693 communications"},
380 {"reader", CmdHF15Reader, 0, "Act like an ISO15693 reader"},
381 {"sim", CmdHF15Sim, 0, "Fake an ISO15693 tag"},
382 {"cmd", CmdHF15Cmd, 0, "Send direct commands to ISO15693 tag"},
383 {"findafi", CmdHF15Afi, 0, "Brute force AFI of an ISO15693 tag"},
384 {"dumpmemory", CmdHF15DumpMem, 0, "Read all memory pages of an ISO15693 tag"},
385 {"csetuid", CmdHF15CSetUID, 0, "Set UID for magic Chinese card"},
386 {NULL, NULL, 0, NULL}
387 };
388
389 int CmdHF15(const char *Cmd)
390 {
391 CmdsParse(CommandTable15, Cmd);
392 return 0;
393 }
394
395 int CmdHF15Help(const char *Cmd)
396 {
397 CmdsHelp(CommandTable15);
398 return 0;
399 }
400
401
402 // "HF 15 Cmd" Interface
403 // Allows direct communication with the tag on command level
404
405 int CmdHF15CmdInquiry(const char *Cmd)
406 {
407 UsbCommand resp;
408 uint8_t *recv;
409 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
410 uint8_t *req=c.d.asBytes;
411 int reqlen=0;
412
413 req[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1;
414 req[1] = ISO15693_INVENTORY;
415 req[2] = 0; // mask length
416 reqlen=AddCrc(req,3);
417 c.arg[0] = reqlen;
418
419 SendCommand(&c);
420
421 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
422 if (resp.arg[0]>=12) {
423 recv = resp.d.asBytes;
424 PrintAndLog("UID: %s", sprintUID(NULL,recv+2));
425 PrintAndLog("Manufacturer byte: %02X, %s", recv[8], getManufacturerName(recv[8]));
426 PrintAndLog("Chip ID: %02X, %s", recv[7], getChipInfo(recv[8], recv[7]));
427 } else {
428 PrintAndLog("Response to short, just %i bytes. No tag?\n",resp.arg[0]);
429 }
430 } else {
431 PrintAndLog("timeout.");
432 }
433 return 0;
434 }
435
436
437 // Turns debugging on(1)/off(0)
438 int CmdHF15CmdDebug( const char *cmd) {
439 int debug = atoi(cmd);
440 if (strlen(cmd) < 1) {
441 PrintAndLog("Usage: hf 15 debug <0|1>");
442 PrintAndLog(" 0 no debugging");
443 PrintAndLog(" 1 turn debugging on");
444 return 0;
445 }
446
447 UsbCommand c = {CMD_ISO_15693_DEBUG, {debug, 0, 0}};
448 SendCommand(&c);
449 return 0;
450 }
451
452
453 int CmdHF15CmdRaw (const char *cmd) {
454 UsbCommand resp;
455 uint8_t *recv;
456 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
457 int reply=1;
458 int fast=1;
459 int crc=0;
460 char buf[5]="";
461 int i=0;
462 uint8_t data[100];
463 unsigned int datalen=0, temp;
464 char *hexout;
465
466
467 if (strlen(cmd)<3) {
468 PrintAndLog("Usage: hf 15 cmd raw [-r] [-2] [-c] <0A 0B 0C ... hex>");
469 PrintAndLog(" -r do not read response");
470 PrintAndLog(" -2 use slower '1 out of 256' mode");
471 PrintAndLog(" -c calculate and append CRC");
472 PrintAndLog(" Tip: turn on debugging for verbose output");
473 return 0;
474 }
475
476 // strip
477 while (*cmd==' ' || *cmd=='\t') cmd++;
478
479 while (cmd[i]!='\0') {
480 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
481 if (cmd[i]=='-') {
482 switch (cmd[i+1]) {
483 case 'r':
484 case 'R':
485 reply=0;
486 break;
487 case '2':
488 fast=0;
489 break;
490 case 'c':
491 case 'C':
492 crc=1;
493 break;
494 default:
495 PrintAndLog("Invalid option");
496 return 0;
497 }
498 i+=2;
499 continue;
500 }
501 if ((cmd[i]>='0' && cmd[i]<='9') ||
502 (cmd[i]>='a' && cmd[i]<='f') ||
503 (cmd[i]>='A' && cmd[i]<='F') ) {
504 buf[strlen(buf)+1]=0;
505 buf[strlen(buf)]=cmd[i];
506 i++;
507
508 if (strlen(buf)>=2) {
509 sscanf(buf,"%x",&temp);
510 data[datalen]=(uint8_t)(temp & 0xff);
511 datalen++;
512 *buf=0;
513 }
514 continue;
515 }
516 PrintAndLog("Invalid char on input");
517 return 0;
518 }
519 if (crc) datalen=AddCrc(data,datalen);
520
521 c.arg[0]=datalen;
522 c.arg[1]=fast;
523 c.arg[2]=reply;
524 memcpy(c.d.asBytes,data,datalen);
525
526 SendCommand(&c);
527
528 if (reply) {
529 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
530 recv = resp.d.asBytes;
531 PrintAndLog("received %i octets",resp.arg[0]);
532 hexout = (char *)malloc(resp.arg[0] * 3 + 1);
533 if (hexout != NULL) {
534 for (int i = 0; i < resp.arg[0]; i++) { // data in hex
535 sprintf(&hexout[i * 3], "%02X ", recv[i]);
536 }
537 PrintAndLog("%s", hexout);
538 free(hexout);
539 }
540 } else {
541 PrintAndLog("timeout while waiting for reply.");
542 }
543
544 } // if reply
545 return 0;
546 }
547
548
549 /**
550 * parses common HF 15 CMD parameters and prepares some data structures
551 * Parameters:
552 * **cmd command line
553 */
554 int prepareHF15Cmd(char **cmd, UsbCommand *c, uint8_t iso15cmd[], int iso15cmdlen) {
555 int temp;
556 uint8_t *req=c->d.asBytes;
557 uint8_t uid[8] = {0x00};
558 uint32_t reqlen=0;
559
560 // strip
561 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
562
563 if (strstr(*cmd,"-2")==*cmd) {
564 c->arg[1]=0; // use 1of256
565 (*cmd)+=2;
566 }
567
568 // strip
569 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
570
571 if (strstr(*cmd,"-o")==*cmd) {
572 req[reqlen]=ISO15693_REQ_OPTION;
573 (*cmd)+=2;
574 }
575
576 // strip
577 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
578
579 switch (**cmd) {
580 case 0:
581 PrintAndLog("missing addr");
582 return 0;
583 break;
584 case 's':
585 case 'S':
586 // you must have selected the tag earlier
587 req[reqlen++] |= ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_SELECT;
588 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
589 reqlen += iso15cmdlen;
590 break;
591 case 'u':
592 case 'U':
593 // unaddressed mode may not be supported by all vendors
594 req[reqlen++] |= ISO15693_REQ_DATARATE_HIGH;
595 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
596 reqlen += iso15cmdlen;
597 break;
598 case '*':
599 // we scan for the UID ourself
600 req[reqlen++] |= ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS;
601 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
602 reqlen+=iso15cmdlen;
603 if (!getUID(uid)) {
604 PrintAndLog("No Tag found");
605 return 0;
606 }
607 memcpy(req+reqlen,uid,8);
608 PrintAndLog("Detected UID %s",sprintUID(NULL,uid));
609 reqlen+=8;
610 break;
611 default:
612 req[reqlen++] |= ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS;
613 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
614 reqlen+=iso15cmdlen;
615
616 /* sscanf(cmd,"%hX%hX%hX%hX%hX%hX%hX%hX",
617 (short unsigned int *)&uid[7],(short unsigned int *)&uid[6],
618 (short unsigned int *)&uid[5],(short unsigned int *)&uid[4],
619 (short unsigned int *)&uid[3],(short unsigned int *)&uid[2],
620 (short unsigned int *)&uid[1],(short unsigned int *)&uid[0]); */
621 for (int i=0;i<8 && (*cmd)[i*2] && (*cmd)[i*2+1];i++) { // parse UID
622 sscanf((char[]){(*cmd)[i*2],(*cmd)[i*2+1],0},"%X",&temp);
623 uid[7-i]=temp&0xff;
624 }
625
626 PrintAndLog("Using UID %s",sprintUID(NULL,uid));
627 memcpy(&req[reqlen],&uid[0],8);
628 reqlen+=8;
629 }
630 // skip to next space
631 while (**cmd!=' ' && **cmd!='\t') (*cmd)++;
632 // skip over the space
633 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
634
635 c->arg[0]=reqlen;
636 return 1;
637 }
638
639 /**
640 * Commandline handling: HF15 CMD SYSINFO
641 * get system information from tag/VICC
642 */
643 int CmdHF15CmdSysinfo(const char *Cmd) {
644 UsbCommand resp;
645 uint8_t *recv;
646 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
647 uint8_t *req=c.d.asBytes;
648 int reqlen=0;
649 char cmdbuf[100];
650 char *cmd=cmdbuf;
651 char output[2048]="";
652 int i;
653
654 strncpy(cmd,Cmd,99);
655
656 // usage:
657 if (strlen(cmd)<1) {
658 PrintAndLog("Usage: hf 15 cmd sysinfo [options] <uid|s|u|*>");
659 PrintAndLog(" options:");
660 PrintAndLog(" -2 use slower '1 out of 256' mode");
661 PrintAndLog(" uid (either): ");
662 PrintAndLog(" <8B hex> full UID eg E011223344556677");
663 PrintAndLog(" s selected tag");
664 PrintAndLog(" u unaddressed mode");
665 PrintAndLog(" * scan for tag");
666 PrintAndLog(" start#: page number to start 0-255");
667 PrintAndLog(" count#: number of pages");
668 return 0;
669 }
670
671 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15693_GET_SYSTEM_INFO},1);
672 reqlen=c.arg[0];
673
674 reqlen=AddCrc(req,reqlen);
675 c.arg[0]=reqlen;
676
677 SendCommand(&c);
678
679 if (WaitForResponseTimeout(CMD_ACK,&resp,1000) && resp.arg[0]>2) {
680 recv = resp.d.asBytes;
681 if (ISO15693_CRC_CHECK==Crc(recv,resp.arg[0])) {
682 if (!(recv[0] & ISO15693_RES_ERROR)) {
683 *output=0; // reset outputstring
684 PrintAndLog("UID: %s", sprintUID(NULL,recv+2));
685 PrintAndLog("Manufacturer byte: %02X, %s", recv[8], getManufacturerName(recv[8]));
686 PrintAndLog("Chip ID: %02X, %s", recv[7], getChipInfo(recv[8], recv[7]));
687 i=10;
688 if (recv[1] & 0x01)
689 sprintf(output+strlen(output),"DSFID supported, set to %02X\n\r",recv[i++]);
690 else
691 strcat(output,"DSFID not supported\n\r");
692 if (recv[1] & 0x02)
693 sprintf(output+strlen(output),"AFI supported, set to %03X\n\r",recv[i++]);
694 else
695 strcat(output,"AFI not supported\n\r");
696 if (recv[1] & 0x04) {
697 strcat(output,"Tag provides info on memory layout (vendor dependent)\n\r");
698 sprintf(output+strlen(output)," %i (or %i) bytes/page x %i pages \n\r",
699 (recv[i+1]&0x1F)+1, (recv[i+1]&0x1F), recv[i]+1);
700 i+=2;
701 } else
702 strcat(output,"Tag does not provide information on memory layout\n\r");
703 if (recv[1] & 0x08) sprintf(output+strlen(output),"IC reference given: %02X\n\r",recv[i++]);
704 else strcat(output,"IC reference not given\n\r");
705
706
707 PrintAndLog("%s",output);
708 } else {
709 PrintAndLog("Tag returned Error %i: %s",recv[0],TagErrorStr(recv[0]));
710 }
711 } else {
712 PrintAndLog("CRC failed");
713 }
714 } else {
715 PrintAndLog("timeout: no answer");
716 }
717
718 return 0;
719 }
720
721 /**
722 * Commandline handling: HF15 CMD READMULTI
723 * Read multiple blocks at once (not all tags support this)
724 */
725 int CmdHF15CmdReadmulti(const char *Cmd) {
726 UsbCommand resp;
727 uint8_t *recv;
728 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
729 uint8_t *req=c.d.asBytes;
730 int reqlen=0, pagenum,pagecount;
731 char cmdbuf[100];
732 char *cmd=cmdbuf;
733 char output[2048]="";
734
735 strncpy(cmd,Cmd,99);
736
737 // usage:
738 if (strlen(cmd)<3) {
739 PrintAndLog("Usage: hf 15 cmd readmulti [options] <uid|s|u|*> <start#> <count#>");
740 PrintAndLog(" options:");
741 PrintAndLog(" -2 use slower '1 out of 256' mode");
742 PrintAndLog(" uid (either): ");
743 PrintAndLog(" <8B hex> full UID eg E011223344556677");
744 PrintAndLog(" s selected tag");
745 PrintAndLog(" u unaddressed mode");
746 PrintAndLog(" * scan for tag");
747 PrintAndLog(" start#: page number to start 0-255");
748 PrintAndLog(" count#: number of pages");
749 return 0;
750 }
751
752 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15693_READ_MULTI_BLOCK},1);
753 reqlen=c.arg[0];
754
755 pagenum=strtol(cmd,NULL,0);
756
757 // skip to next space
758 while (*cmd!=' ' && *cmd!='\t') cmd++;
759 // skip over the space
760 while (*cmd==' ' || *cmd=='\t') cmd++;
761
762 pagecount=strtol(cmd,NULL,0);
763 if (pagecount>0) pagecount--; // 0 means 1 page, 1 means 2 pages, ...
764
765 req[reqlen++]=(uint8_t)pagenum;
766 req[reqlen++]=(uint8_t)pagecount;
767
768 reqlen=AddCrc(req,reqlen);
769
770 c.arg[0]=reqlen;
771
772 SendCommand(&c);
773
774 if (WaitForResponseTimeout(CMD_ACK,&resp,1000) && resp.arg[0]>2) {
775 recv = resp.d.asBytes;
776 if (ISO15693_CRC_CHECK==Crc(recv,resp.arg[0])) {
777 if (!(recv[0] & ISO15693_RES_ERROR)) {
778 *output=0; // reset outputstring
779 for ( int i=1; i<resp.arg[0]-2; i++) {
780 sprintf(output+strlen(output),"%02X ",recv[i]);
781 }
782 strcat(output," ");
783 for ( int i=1; i<resp.arg[0]-2; i++) {
784 sprintf(output+strlen(output),"%c",recv[i]>31 && recv[i]<127?recv[i]:'.');
785 }
786 PrintAndLog("%s",output);
787 } else {
788 PrintAndLog("Tag returned Error %i: %s",recv[0],TagErrorStr(recv[0]));
789 }
790 } else {
791 PrintAndLog("CRC failed");
792 }
793 } else {
794 PrintAndLog("no answer");
795 }
796
797 return 0;
798 }
799
800 /**
801 * Commandline handling: HF15 CMD READ
802 * Reads a single Block
803 */
804 int CmdHF15CmdRead(const char *Cmd) {
805 UsbCommand resp;
806 uint8_t *recv;
807 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
808 uint8_t *req=c.d.asBytes;
809 int reqlen=0, pagenum;
810 char cmdbuf[100];
811 char *cmd=cmdbuf;
812 char output[100]="";
813
814 strncpy(cmd,Cmd,99);
815
816 // usage:
817 if (strlen(cmd)<3) {
818 PrintAndLog("Usage: hf 15 cmd read [options] <uid|s|u|*> <page#>");
819 PrintAndLog(" options:");
820 PrintAndLog(" -2 use slower '1 out of 256' mode");
821 PrintAndLog(" uid (either): ");
822 PrintAndLog(" <8B hex> full UID eg E011223344556677");
823 PrintAndLog(" s selected tag");
824 PrintAndLog(" u unaddressed mode");
825 PrintAndLog(" * scan for tag");
826 PrintAndLog(" page#: page number 0-255");
827 return 0;
828 }
829
830 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15693_READBLOCK},1);
831 reqlen=c.arg[0];
832
833 pagenum=strtol(cmd,NULL,0);
834 /*if (pagenum<0) {
835 PrintAndLog("invalid pagenum");
836 return 0;
837 } */
838
839 req[reqlen++]=(uint8_t)pagenum;
840
841 reqlen=AddCrc(req,reqlen);
842
843 c.arg[0]=reqlen;
844
845 SendCommand(&c);
846
847 if (WaitForResponseTimeout(CMD_ACK,&resp,1000) && resp.arg[0]>2) {
848 recv = resp.d.asBytes;
849 if (ISO15693_CRC_CHECK==Crc(recv,resp.arg[0])) {
850 if (!(recv[0] & ISO15693_RES_ERROR)) {
851 *output=0; // reset outputstring
852 //sprintf(output, "Block %2i ",blocknum);
853 for ( int i=1; i<resp.arg[0]-2; i++) {
854 sprintf(output+strlen(output),"%02X ",recv[i]);
855 }
856 strcat(output," ");
857 for ( int i=1; i<resp.arg[0]-2; i++) {
858 sprintf(output+strlen(output),"%c",recv[i]>31 && recv[i]<127?recv[i]:'.');
859 }
860 PrintAndLog("%s",output);
861 } else {
862 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
863 }
864 } else {
865 PrintAndLog("CRC failed");
866 }
867 } else {
868 PrintAndLog("no answer");
869 }
870
871 return 0;
872 }
873
874
875 /**
876 * Commandline handling: HF15 CMD WRITE
877 * Writes a single Block - might run into timeout, even when successful
878 */
879 int CmdHF15CmdWrite(const char *Cmd) {
880 UsbCommand resp;
881 uint8_t *recv;
882 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
883 uint8_t *req=c.d.asBytes;
884 int reqlen=0, pagenum, temp;
885 char cmdbuf[100];
886 char *cmd=cmdbuf;
887 char *cmd2;
888
889 strncpy(cmd,Cmd,99);
890
891 // usage:
892 if (strlen(cmd)<3) {
893 PrintAndLog("Usage: hf 15 cmd write [options] <uid|s|u|*> <page#> <hexdata>");
894 PrintAndLog(" options:");
895 PrintAndLog(" -2 use slower '1 out of 256' mode");
896 PrintAndLog(" -o set OPTION Flag (needed for TI)");
897 PrintAndLog(" uid (either): ");
898 PrintAndLog(" <8B hex> full UID eg E011223344556677");
899 PrintAndLog(" s selected tag");
900 PrintAndLog(" u unaddressed mode");
901 PrintAndLog(" * scan for tag");
902 PrintAndLog(" page#: page number 0-255");
903 PrintAndLog(" hexdata: data to be written eg AA BB CC DD");
904 return 0;
905 }
906
907 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15693_WRITEBLOCK},1);
908 reqlen=c.arg[0];
909
910 // *cmd -> page num ; *cmd2 -> data
911 cmd2=cmd;
912 while (*cmd2!=' ' && *cmd2!='\t' && *cmd2) cmd2++;
913 *cmd2=0;
914 cmd2++;
915
916 pagenum=strtol(cmd,NULL,0);
917 /*if (pagenum<0) {
918 PrintAndLog("invalid pagenum");
919 return 0;
920 } */
921 req[reqlen++]=(uint8_t)pagenum;
922
923
924 while (cmd2[0] && cmd2[1]) { // hexdata, read by 2 hexchars
925 if (*cmd2==' ') {
926 cmd2++;
927 continue;
928 }
929 sscanf((char[]){cmd2[0],cmd2[1],0},"%X",&temp);
930 req[reqlen++]=temp & 0xff;
931 cmd2+=2;
932 }
933
934 reqlen=AddCrc(req,reqlen);
935
936 c.arg[0]=reqlen;
937
938 SendCommand(&c);
939
940 if (WaitForResponseTimeout(CMD_ACK,&resp,2000) && resp.arg[0]>2) {
941 recv = resp.d.asBytes;
942 if (ISO15693_CRC_CHECK==Crc(recv,resp.arg[0])) {
943 if (!(recv[0] & ISO15693_RES_ERROR)) {
944 PrintAndLog("OK");
945 } else {
946 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
947 }
948 } else {
949 PrintAndLog("CRC failed");
950 }
951 } else {
952 PrintAndLog("timeout: no answer - data may be written anyway");
953 }
954
955 return 0;
956 }
957
958 int CmdHF15CSetUID(const char *Cmd)
959 {
960 uint8_t uid[8] = {0x00};
961 uint8_t oldUid[8], newUid[8] = {0x00};
962
963 uint8_t needHelp = 0;
964 char cmdp = 1;
965
966 if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 16)) {
967 PrintAndLog("UID must include 16 HEX symbols");
968 return 1;
969 }
970
971 if (uid[0] != 0xe0) {
972 PrintAndLog("UID must begin with the byte 'E0'");
973 return 1;
974 }
975
976 while(param_getchar(Cmd, cmdp) != 0x00)
977 {
978 switch(param_getchar(Cmd, cmdp))
979 {
980 case 'h':
981 case 'H':
982 needHelp = 1;
983 break;
984 default:
985 PrintAndLog("ERROR: Unknown parameter '%c'", param_getchar(Cmd, cmdp));
986 needHelp = 1;
987 break;
988 }
989 cmdp++;
990 }
991
992 if (strlen(Cmd) < 1 || needHelp) {
993 PrintAndLog("");
994 PrintAndLog("Usage: hf 15 csetuid <UID 16 hex symbols>");
995 PrintAndLog("sample: hf 15 csetuid E004013344556677");
996 PrintAndLog("Set UID for magic Chinese card (only works with such cards)");
997 return 0;
998 }
999
1000 PrintAndLog("");
1001 PrintAndLog("new UID | %s", sprint_hex(uid, 8));
1002 PrintAndLog("Using backdoor Magic tag function");
1003
1004 if (!getUID(oldUid)) {
1005 PrintAndLog("Can't get old UID.");
1006 return 1;
1007 }
1008
1009 UsbCommand resp;
1010 uint8_t *recv;
1011 char *hexout;
1012 UsbCommand c = {CMD_CSETUID_ISO_15693, {0, 0, 0}};
1013 memcpy(c.d.asBytes, uid, 8);
1014
1015 SendCommand(&c);
1016
1017 for (int i=0; i<4; i++) {
1018 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
1019 recv = resp.d.asBytes;
1020 PrintAndLog("received %i octets",resp.arg[0]);
1021 hexout = (char *)malloc(resp.arg[0] * 3 + 1);
1022 if (hexout != NULL) {
1023 for (int i = 0; i < resp.arg[0]; i++) { // data in hex
1024 sprintf(&hexout[i * 3], "%02X ", recv[i]);
1025 }
1026 PrintAndLog("%s", hexout);
1027 free(hexout);
1028 }
1029 } else {
1030 PrintAndLog("timeout while waiting for reply.");
1031 }
1032 }
1033
1034 if (!getUID(newUid)) {
1035 PrintAndLog("Can't get new UID.");
1036 return 1;
1037 }
1038
1039 PrintAndLog("");
1040 PrintAndLog("old UID : %02X %02X %02X %02X %02X %02X %02X %02X", oldUid[7], oldUid[6], oldUid[5], oldUid[4], oldUid[3], oldUid[2], oldUid[1], oldUid[0]);
1041 PrintAndLog("new UID : %02X %02X %02X %02X %02X %02X %02X %02X", newUid[7], newUid[6], newUid[5], newUid[4], newUid[3], newUid[2], newUid[1], newUid[0]);
1042 return 0;
1043 }
1044
1045
1046 static command_t CommandTable15Cmd[] =
1047 {
1048 {"help", CmdHF15CmdHelp, 1, "This Help"},
1049 {"inquiry", CmdHF15CmdInquiry, 0, "Search for tags in range"},
1050 /*
1051 {"select", CmdHF15CmdSelect, 0, "Select an tag with a specific UID for further commands"},
1052 */
1053 {"read", CmdHF15CmdRead, 0, "Read a block"},
1054 {"write", CmdHF15CmdWrite, 0, "Write a block"},
1055 {"readmulti",CmdHF15CmdReadmulti, 0, "Reads multiple Blocks"},
1056 {"sysinfo",CmdHF15CmdSysinfo, 0, "Get Card Information"},
1057 {"raw", CmdHF15CmdRaw, 0, "Send raw hex data to tag"},
1058 {"csetuid", CmdHF15CSetUID, 0, "Set UID for magic Chinese card"},
1059 {"debug", CmdHF15CmdDebug, 0, "Turn debugging on/off"},
1060 {NULL, NULL, 0, NULL}
1061 };
1062
1063 int CmdHF15Cmd(const char *Cmd)
1064 {
1065 CmdsParse(CommandTable15Cmd, Cmd);
1066 return 0;
1067 }
1068
1069 int CmdHF15CmdHelp(const char *Cmd)
1070 {
1071 CmdsHelp(CommandTable15Cmd);
1072 return 0;
1073 }
1074
Proxmark3 GIT tracking
Impressum, Datenschutz