]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
Some work on iclass dump and iclass list, now the dumping is a lot more stable. I...
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "mifarecmd.h"
14 #include "apps.h"
15
16 //-----------------------------------------------------------------------------
17 // Select, Authenticate, Read a MIFARE tag.
18 // read block
19 //-----------------------------------------------------------------------------
20 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
21 {
22 // params
23 uint8_t blockNo = arg0;
24 uint8_t keyType = arg1;
25 uint64_t ui64Key = 0;
26 ui64Key = bytes_to_num(datain, 6);
27
28 // variables
29 byte_t isOK = 0;
30 byte_t dataoutbuf[16];
31 uint8_t uid[10];
32 uint32_t cuid;
33 struct Crypto1State mpcs = {0, 0};
34 struct Crypto1State *pcs;
35 pcs = &mpcs;
36
37 // clear trace
38 iso14a_clear_trace();
39 // iso14a_set_tracing(false);
40
41 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
42
43 LED_A_ON();
44 LED_B_OFF();
45 LED_C_OFF();
46
47 while (true) {
48 if(!iso14443a_select_card(uid, NULL, &cuid)) {
49 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
50 break;
51 };
52
53 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
54 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
55 break;
56 };
57
58 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
60 break;
61 };
62
63 if(mifare_classic_halt(pcs, cuid)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
65 break;
66 };
67
68 isOK = 1;
69 break;
70 }
71
72 // ----------------------------- crypto1 destroy
73 crypto1_destroy(pcs);
74
75 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
76
77 LED_B_ON();
78 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
79 LED_B_OFF();
80
81 // Thats it...
82 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
83 LEDsoff();
84 // iso14a_set_tracing(TRUE);
85
86 }
87
88 void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
89 {
90 // params
91 uint8_t blockNo = arg0;
92
93 // variables
94 byte_t isOK = 0;
95 byte_t dataoutbuf[16];
96 uint8_t uid[10];
97 uint32_t cuid;
98
99 // clear trace
100 iso14a_clear_trace();
101 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
102
103 LED_A_ON();
104 LED_B_OFF();
105 LED_C_OFF();
106
107 while (true) {
108 if(!iso14443a_select_card(uid, NULL, &cuid)) {
109 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
110 break;
111 };
112
113 if(mifare_ultra_readblock(cuid, blockNo, dataoutbuf)) {
114 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
115 break;
116 };
117
118 if(mifare_ultra_halt(cuid)) {
119 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
120 break;
121 };
122
123 isOK = 1;
124 break;
125 }
126
127 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
128
129 LED_B_ON();
130 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
131 LED_B_OFF();
132
133
134 // Thats it...
135 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
136 LEDsoff();
137 }
138
139
140 //-----------------------------------------------------------------------------
141 // Select, Authenticate, Read a MIFARE tag.
142 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
143 //-----------------------------------------------------------------------------
144 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
145 {
146 // params
147 uint8_t sectorNo = arg0;
148 uint8_t keyType = arg1;
149 uint64_t ui64Key = 0;
150 ui64Key = bytes_to_num(datain, 6);
151
152 // variables
153 byte_t isOK;
154 byte_t dataoutbuf[16 * 16];
155 uint8_t uid[10];
156 uint32_t cuid;
157 struct Crypto1State mpcs = {0, 0};
158 struct Crypto1State *pcs;
159 pcs = &mpcs;
160
161 // clear trace
162 iso14a_clear_trace();
163 // iso14a_set_tracing(false);
164
165 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
166
167 LED_A_ON();
168 LED_B_OFF();
169 LED_C_OFF();
170
171 isOK = 1;
172 if(!iso14443a_select_card(uid, NULL, &cuid)) {
173 isOK = 0;
174 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
175 }
176
177
178 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
179 isOK = 0;
180 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
181 }
182
183 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
184 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
185 isOK = 0;
186 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
187 break;
188 }
189 }
190
191 if(mifare_classic_halt(pcs, cuid)) {
192 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
193 }
194
195
196 // ----------------------------- crypto1 destroy
197 crypto1_destroy(pcs);
198
199 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
200
201 LED_B_ON();
202 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
203 LED_B_OFF();
204
205 // Thats it...
206 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
207 LEDsoff();
208 // iso14a_set_tracing(TRUE);
209 }
210
211
212 void MifareUReadCard(uint8_t arg0, uint8_t *datain)
213 {
214 // params
215 uint8_t sectorNo = arg0;
216
217 // variables
218 byte_t isOK = 0;
219 byte_t dataoutbuf[16 * 4];
220 uint8_t uid[10];
221 uint32_t cuid;
222
223 // clear trace
224 iso14a_clear_trace();
225 // iso14a_set_tracing(false);
226
227 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
228
229 LED_A_ON();
230 LED_B_OFF();
231 LED_C_OFF();
232
233 while (true) {
234 if(!iso14443a_select_card(uid, NULL, &cuid)) {
235 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
236 break;
237 };
238 for(int sec=0;sec<16;sec++){
239 if(mifare_ultra_readblock(cuid, sectorNo * 4 + sec, dataoutbuf + 4 * sec)) {
240 if (MF_DBGLEVEL >= 1) Dbprintf("Read block %d error",sec);
241 break;
242 };
243 }
244 if(mifare_ultra_halt(cuid)) {
245 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
246 break;
247 };
248
249 isOK = 1;
250 break;
251 }
252
253 if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED");
254
255 LED_B_ON();
256 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64);
257 LED_B_OFF();
258
259 // Thats it...
260 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
261 LEDsoff();
262
263 }
264
265
266 //-----------------------------------------------------------------------------
267 // Select, Authenticate, Write a MIFARE tag.
268 // read block
269 //-----------------------------------------------------------------------------
270 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
271 {
272 // params
273 uint8_t blockNo = arg0;
274 uint8_t keyType = arg1;
275 uint64_t ui64Key = 0;
276 byte_t blockdata[16];
277
278 ui64Key = bytes_to_num(datain, 6);
279 memcpy(blockdata, datain + 10, 16);
280
281 // variables
282 byte_t isOK = 0;
283 uint8_t uid[10];
284 uint32_t cuid;
285 struct Crypto1State mpcs = {0, 0};
286 struct Crypto1State *pcs;
287 pcs = &mpcs;
288
289 // clear trace
290 iso14a_clear_trace();
291 // iso14a_set_tracing(false);
292
293 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
294
295 LED_A_ON();
296 LED_B_OFF();
297 LED_C_OFF();
298
299 while (true) {
300 if(!iso14443a_select_card(uid, NULL, &cuid)) {
301 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
302 break;
303 };
304
305 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
306 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
307 break;
308 };
309
310 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
311 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
312 break;
313 };
314
315 if(mifare_classic_halt(pcs, cuid)) {
316 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
317 break;
318 };
319
320 isOK = 1;
321 break;
322 }
323
324 // ----------------------------- crypto1 destroy
325 crypto1_destroy(pcs);
326
327 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
328
329 LED_B_ON();
330 cmd_send(CMD_ACK,isOK,0,0,0,0);
331 LED_B_OFF();
332
333
334 // Thats it...
335 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
336 LEDsoff();
337 // iso14a_set_tracing(TRUE);
338
339 }
340
341
342 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
343 {
344 // params
345 uint8_t blockNo = arg0;
346 byte_t blockdata[16];
347
348 memset(blockdata,'\0',16);
349 memcpy(blockdata, datain,16);
350
351 // variables
352 byte_t isOK = 0;
353 uint8_t uid[10];
354 uint32_t cuid;
355
356 // clear trace
357 iso14a_clear_trace();
358 // iso14a_set_tracing(false);
359
360 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
361
362 LED_A_ON();
363 LED_B_OFF();
364 LED_C_OFF();
365
366 while (true) {
367 if(!iso14443a_select_card(uid, NULL, &cuid)) {
368 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
369 break;
370 };
371
372 if(mifare_ultra_writeblock(cuid, blockNo, blockdata)) {
373 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
374 break;
375 };
376
377 if(mifare_ultra_halt(cuid)) {
378 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
379 break;
380 };
381
382 isOK = 1;
383 break;
384 }
385
386 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
387
388 LED_B_ON();
389 cmd_send(CMD_ACK,isOK,0,0,0,0);
390 LED_B_OFF();
391
392
393 // Thats it...
394 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
395 LEDsoff();
396 // iso14a_set_tracing(TRUE);
397 }
398
399
400 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
401 {
402 // params
403 uint8_t blockNo = arg0;
404 byte_t blockdata[4];
405
406 memcpy(blockdata, datain,4);
407
408 // variables
409 byte_t isOK = 0;
410 uint8_t uid[10];
411 uint32_t cuid;
412
413 // clear trace
414 iso14a_clear_trace();
415 // iso14a_set_tracing(false);
416
417 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
418
419 LED_A_ON();
420 LED_B_OFF();
421 LED_C_OFF();
422
423 while (true) {
424 if(!iso14443a_select_card(uid, NULL, &cuid)) {
425 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
426 break;
427 };
428
429 if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) {
430 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
431 break;
432 };
433
434 if(mifare_ultra_halt(cuid)) {
435 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
436 break;
437 };
438
439 isOK = 1;
440 break;
441 }
442
443 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
444
445 LED_B_ON();
446 cmd_send(CMD_ACK,isOK,0,0,0,0);
447 LED_B_OFF();
448
449
450 // Thats it...
451 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
452 LEDsoff();
453 // iso14a_set_tracing(TRUE);
454
455 }
456
457
458 // Return 1 if the nonce is invalid else return 0
459 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
460 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
461 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
462 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
463 }
464
465
466 //-----------------------------------------------------------------------------
467 // MIFARE nested authentication.
468 //
469 //-----------------------------------------------------------------------------
470 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
471 {
472 // params
473 uint8_t blockNo = arg0 & 0xff;
474 uint8_t keyType = (arg0 >> 8) & 0xff;
475 uint8_t targetBlockNo = arg1 & 0xff;
476 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
477 uint64_t ui64Key = 0;
478
479 ui64Key = bytes_to_num(datain, 6);
480
481 // variables
482 uint16_t rtr, i, j, len;
483 uint16_t davg;
484 static uint16_t dmin, dmax;
485 uint8_t uid[10];
486 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
487 uint8_t par[1];
488 uint32_t target_nt[2], target_ks[2];
489
490 uint8_t par_array[4];
491 uint16_t ncount = 0;
492 struct Crypto1State mpcs = {0, 0};
493 struct Crypto1State *pcs;
494 pcs = &mpcs;
495 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
496
497 uint32_t auth1_time, auth2_time;
498 static uint16_t delta_time;
499
500 // clear trace
501 iso14a_clear_trace();
502 iso14a_set_tracing(false);
503
504 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
505
506 LED_A_ON();
507 LED_C_OFF();
508
509
510 // statistics on nonce distance
511 if (calibrate) { // for first call only. Otherwise reuse previous calibration
512 LED_B_ON();
513
514 davg = dmax = 0;
515 dmin = 2000;
516 delta_time = 0;
517
518 for (rtr = 0; rtr < 17; rtr++) {
519
520 // prepare next select. No need to power down the card.
521 if(mifare_classic_halt(pcs, cuid)) {
522 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
523 rtr--;
524 continue;
525 }
526
527 if(!iso14443a_select_card(uid, NULL, &cuid)) {
528 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
529 rtr--;
530 continue;
531 };
532
533 auth1_time = 0;
534 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
535 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
536 rtr--;
537 continue;
538 };
539
540 if (delta_time) {
541 auth2_time = auth1_time + delta_time;
542 } else {
543 auth2_time = 0;
544 }
545 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
546 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
547 rtr--;
548 continue;
549 };
550
551 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
552 for (i = 101; i < 1200; i++) {
553 nttmp = prng_successor(nttmp, 1);
554 if (nttmp == nt2) break;
555 }
556
557 if (i != 1200) {
558 if (rtr != 0) {
559 davg += i;
560 dmin = MIN(dmin, i);
561 dmax = MAX(dmax, i);
562 }
563 else {
564 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
565 }
566 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
567 }
568 }
569
570 if (rtr <= 1) return;
571
572 davg = (davg + (rtr - 1)/2) / (rtr - 1);
573
574 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
575
576 dmin = davg - 2;
577 dmax = davg + 2;
578
579 LED_B_OFF();
580
581 }
582 // -------------------------------------------------------------------------------------------------
583
584 LED_C_ON();
585
586 // get crypted nonces for target sector
587 for(i=0; i < 2; i++) { // look for exactly two different nonces
588
589 target_nt[i] = 0;
590 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
591
592 // prepare next select. No need to power down the card.
593 if(mifare_classic_halt(pcs, cuid)) {
594 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
595 continue;
596 }
597
598 if(!iso14443a_select_card(uid, NULL, &cuid)) {
599 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
600 continue;
601 };
602
603 auth1_time = 0;
604 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
605 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
606 continue;
607 };
608
609 // nested authentication
610 auth2_time = auth1_time + delta_time;
611 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
612 if (len != 4) {
613 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
614 continue;
615 };
616
617 nt2 = bytes_to_num(receivedAnswer, 4);
618 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
619
620 // Parity validity check
621 for (j = 0; j < 4; j++) {
622 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
623 }
624
625 ncount = 0;
626 nttest = prng_successor(nt1, dmin - 1);
627 for (j = dmin; j < dmax + 1; j++) {
628 nttest = prng_successor(nttest, 1);
629 ks1 = nt2 ^ nttest;
630
631 if (valid_nonce(nttest, nt2, ks1, par_array)){
632 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
633 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
634 target_nt[i] = 0;
635 break;
636 }
637 target_nt[i] = nttest;
638 target_ks[i] = ks1;
639 ncount++;
640 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
641 target_nt[i] = 0;
642 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
643 break;
644 }
645 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
646 }
647 }
648 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
649 }
650 }
651
652 LED_C_OFF();
653
654 // ----------------------------- crypto1 destroy
655 crypto1_destroy(pcs);
656
657 byte_t buf[4 + 4 * 4];
658 memcpy(buf, &cuid, 4);
659 memcpy(buf+4, &target_nt[0], 4);
660 memcpy(buf+8, &target_ks[0], 4);
661 memcpy(buf+12, &target_nt[1], 4);
662 memcpy(buf+16, &target_ks[1], 4);
663
664 LED_B_ON();
665 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
666 LED_B_OFF();
667
668 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
669
670 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
671 LEDsoff();
672 iso14a_set_tracing(TRUE);
673 }
674
675 //-----------------------------------------------------------------------------
676 // MIFARE check keys. key count up to 85.
677 //
678 //-----------------------------------------------------------------------------
679 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
680 {
681 // params
682 uint8_t blockNo = arg0;
683 uint8_t keyType = arg1;
684 uint8_t keyCount = arg2;
685 uint64_t ui64Key = 0;
686
687 // variables
688 int i;
689 byte_t isOK = 0;
690 uint8_t uid[10];
691 uint32_t cuid;
692 struct Crypto1State mpcs = {0, 0};
693 struct Crypto1State *pcs;
694 pcs = &mpcs;
695
696 // clear debug level
697 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
698 MF_DBGLEVEL = MF_DBG_NONE;
699
700 // clear trace
701 iso14a_clear_trace();
702 iso14a_set_tracing(TRUE);
703
704 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
705
706 LED_A_ON();
707 LED_B_OFF();
708 LED_C_OFF();
709
710 for (i = 0; i < keyCount; i++) {
711 if(mifare_classic_halt(pcs, cuid)) {
712 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
713 }
714
715 if(!iso14443a_select_card(uid, NULL, &cuid)) {
716 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
717 break;
718 };
719
720 ui64Key = bytes_to_num(datain + i * 6, 6);
721 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
722 continue;
723 };
724
725 isOK = 1;
726 break;
727 }
728
729 // ----------------------------- crypto1 destroy
730 crypto1_destroy(pcs);
731
732 LED_B_ON();
733 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
734 LED_B_OFF();
735
736 // Thats it...
737 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
738 LEDsoff();
739
740 // restore debug level
741 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
742 }
743
744 //-----------------------------------------------------------------------------
745 // MIFARE commands set debug level
746 //
747 //-----------------------------------------------------------------------------
748 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
749 MF_DBGLEVEL = arg0;
750 Dbprintf("Debug level: %d", MF_DBGLEVEL);
751 }
752
753
754 //-----------------------------------------------------------------------------
755 // Work with emulator memory
756 //
757 //-----------------------------------------------------------------------------
758 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
759 emlClearMem();
760 }
761
762
763 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
764 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
765 }
766
767
768 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
769
770 byte_t buf[48];
771 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
772
773 LED_B_ON();
774 cmd_send(CMD_ACK,arg0,arg1,0,buf,48);
775 LED_B_OFF();
776 }
777
778
779 //-----------------------------------------------------------------------------
780 // Load a card into the emulator memory
781 //
782 //-----------------------------------------------------------------------------
783 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
784 uint8_t numSectors = arg0;
785 uint8_t keyType = arg1;
786 uint64_t ui64Key = 0;
787 uint32_t cuid;
788 struct Crypto1State mpcs = {0, 0};
789 struct Crypto1State *pcs;
790 pcs = &mpcs;
791
792 // variables
793 byte_t dataoutbuf[16];
794 byte_t dataoutbuf2[16];
795 uint8_t uid[10];
796
797 // clear trace
798 iso14a_clear_trace();
799 iso14a_set_tracing(false);
800
801 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
802
803 LED_A_ON();
804 LED_B_OFF();
805 LED_C_OFF();
806
807 bool isOK = true;
808
809 if(!iso14443a_select_card(uid, NULL, &cuid)) {
810 isOK = false;
811 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
812 }
813
814 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
815 ui64Key = emlGetKey(sectorNo, keyType);
816 if (sectorNo == 0){
817 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
818 isOK = false;
819 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
820 break;
821 }
822 } else {
823 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
824 isOK = false;
825 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
826 break;
827 }
828 }
829
830 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
831 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
832 isOK = false;
833 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
834 break;
835 };
836 if (isOK) {
837 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
838 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
839 } else { // sector trailer, keep the keys, set only the AC
840 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
841 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
842 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
843 }
844 }
845 }
846
847 }
848
849 if(mifare_classic_halt(pcs, cuid)) {
850 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
851 };
852
853 // ----------------------------- crypto1 destroy
854 crypto1_destroy(pcs);
855
856 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
857 LEDsoff();
858
859 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
860
861 }
862
863
864 //-----------------------------------------------------------------------------
865 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
866 //
867 //-----------------------------------------------------------------------------
868 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
869
870 // params
871 uint8_t needWipe = arg0;
872 // bit 0 - need get UID
873 // bit 1 - need wupC
874 // bit 2 - need HALT after sequence
875 // bit 3 - need init FPGA and field before sequence
876 // bit 4 - need reset FPGA and LED
877 uint8_t workFlags = arg1;
878 uint8_t blockNo = arg2;
879
880 // card commands
881 uint8_t wupC1[] = { 0x40 };
882 uint8_t wupC2[] = { 0x43 };
883 uint8_t wipeC[] = { 0x41 };
884
885 // variables
886 byte_t isOK = 0;
887 uint8_t uid[10];
888 uint8_t d_block[18];
889 uint32_t cuid;
890
891 memset(uid, 0x00, 10);
892 uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
893 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
894
895 if (workFlags & 0x08) {
896 // clear trace
897 iso14a_clear_trace();
898 iso14a_set_tracing(TRUE);
899
900 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
901
902 LED_A_ON();
903 LED_B_OFF();
904 LED_C_OFF();
905
906 SpinDelay(300);
907 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
908 SpinDelay(100);
909 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
910 }
911
912 while (true) {
913 // get UID from chip
914 if (workFlags & 0x01) {
915 if(!iso14443a_select_card(uid, NULL, &cuid)) {
916 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
917 break;
918 };
919
920 if(mifare_classic_halt(NULL, cuid)) {
921 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
922 break;
923 };
924 };
925
926 // reset chip
927 if (needWipe){
928 ReaderTransmitBitsPar(wupC1,7,0, NULL);
929 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
930 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
931 break;
932 };
933
934 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
935 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
936 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
937 break;
938 };
939
940 if(mifare_classic_halt(NULL, cuid)) {
941 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
942 break;
943 };
944 };
945
946 // write block
947 if (workFlags & 0x02) {
948 ReaderTransmitBitsPar(wupC1,7,0, NULL);
949 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
950 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
951 break;
952 };
953
954 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
955 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
956 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
957 break;
958 };
959 }
960
961 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
962 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
963 break;
964 };
965
966 memcpy(d_block, datain, 16);
967 AppendCrc14443a(d_block, 16);
968
969 ReaderTransmit(d_block, sizeof(d_block), NULL);
970 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
971 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
972 break;
973 };
974
975 if (workFlags & 0x04) {
976 if (mifare_classic_halt(NULL, cuid)) {
977 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
978 break;
979 };
980 }
981
982 isOK = 1;
983 break;
984 }
985
986 LED_B_ON();
987 cmd_send(CMD_ACK,isOK,0,0,uid,4);
988 LED_B_OFF();
989
990 if ((workFlags & 0x10) || (!isOK)) {
991 // Thats it...
992 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
993 LEDsoff();
994 }
995 }
996
997
998 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
999
1000 // params
1001 // bit 1 - need wupC
1002 // bit 2 - need HALT after sequence
1003 // bit 3 - need init FPGA and field before sequence
1004 // bit 4 - need reset FPGA and LED
1005 uint8_t workFlags = arg0;
1006 uint8_t blockNo = arg2;
1007
1008 // card commands
1009 uint8_t wupC1[] = { 0x40 };
1010 uint8_t wupC2[] = { 0x43 };
1011
1012 // variables
1013 byte_t isOK = 0;
1014 uint8_t data[18];
1015 uint32_t cuid = 0;
1016
1017 memset(data, 0x00, 18);
1018 uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
1019 uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
1020
1021 if (workFlags & 0x08) {
1022 // clear trace
1023 iso14a_clear_trace();
1024 iso14a_set_tracing(TRUE);
1025
1026 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1027
1028 LED_A_ON();
1029 LED_B_OFF();
1030 LED_C_OFF();
1031
1032 SpinDelay(300);
1033 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1034 SpinDelay(100);
1035 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1036 }
1037
1038 while (true) {
1039 if (workFlags & 0x02) {
1040 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1041 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1042 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1043 break;
1044 };
1045
1046 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1047 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1048 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1049 break;
1050 };
1051 }
1052
1053 // read block
1054 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1055 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1056 break;
1057 };
1058 memcpy(data, receivedAnswer, 18);
1059
1060 if (workFlags & 0x04) {
1061 if (mifare_classic_halt(NULL, cuid)) {
1062 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1063 break;
1064 };
1065 }
1066
1067 isOK = 1;
1068 break;
1069 }
1070
1071 LED_B_ON();
1072 cmd_send(CMD_ACK,isOK,0,0,data,18);
1073 LED_B_OFF();
1074
1075 if ((workFlags & 0x10) || (!isOK)) {
1076 // Thats it...
1077 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1078 LEDsoff();
1079 }
1080 }
1081
Impressum, Datenschutz