]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf14a.c
projects / proxmark3-svn / blob
? search:


cdaa18cd1ca106960e0f7eb91a875ddea512af6f
[proxmark3-svn] / client / cmdhf14a.c
1 //-----------------------------------------------------------------------------
2 // 2011, Merlok
3 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // High frequency ISO14443A commands
10 //-----------------------------------------------------------------------------
11
12 #include "cmdhf14a.h"
13
14 static int CmdHelp(const char *Cmd);
15 static int waitCmd(uint8_t iLen);
16
17 // structure and database for uid -> tagtype lookups
18 typedef struct {
19 uint8_t uid;
20 char* desc;
21 } manufactureName;
22
23 const manufactureName manufactureMapping[] = {
24 // ID, "Vendor Country"
25 { 0x01, "Motorola UK" },
26 { 0x02, "ST Microelectronics SA France" },
27 { 0x03, "Hitachi, Ltd Japan" },
28 { 0x04, "NXP Semiconductors Germany" },
29 { 0x05, "Infineon Technologies AG Germany" },
30 { 0x06, "Cylink USA" },
31 { 0x07, "Texas Instrument France" },
32 { 0x08, "Fujitsu Limited Japan" },
33 { 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
34 { 0x0A, "NEC Japan" },
35 { 0x0B, "Oki Electric Industry Co. Ltd Japan" },
36 { 0x0C, "Toshiba Corp. Japan" },
37 { 0x0D, "Mitsubishi Electric Corp. Japan" },
38 { 0x0E, "Samsung Electronics Co. Ltd Korea" },
39 { 0x0F, "Hynix / Hyundai, Korea" },
40 { 0x10, "LG-Semiconductors Co. Ltd Korea" },
41 { 0x11, "Emosyn-EM Microelectronics USA" },
42 { 0x12, "INSIDE Technology France" },
43 { 0x13, "ORGA Kartensysteme GmbH Germany" },
44 { 0x14, "SHARP Corporation Japan" },
45 { 0x15, "ATMEL France" },
46 { 0x16, "EM Microelectronic-Marin SA Switzerland" },
47 { 0x17, "KSW Microtec GmbH Germany" },
48 { 0x18, "ZMD AG Germany" },
49 { 0x19, "XICOR, Inc. USA" },
50 { 0x1A, "Sony Corporation Japan Identifier Company Country" },
51 { 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
52 { 0x1C, "Emosyn USA" },
53 { 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
54 { 0x1E, "Magellan Technology Pty Limited Australia" },
55 { 0x1F, "Melexis NV BO Switzerland" },
56 { 0x20, "Renesas Technology Corp. Japan" },
57 { 0x21, "TAGSYS France" },
58 { 0x22, "Transcore USA" },
59 { 0x23, "Shanghai belling corp., ltd. China" },
60 { 0x24, "Masktech Germany Gmbh Germany" },
61 { 0x25, "Innovision Research and Technology Plc UK" },
62 { 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
63 { 0x27, "Cypak AB Sweden" },
64 { 0x28, "Ricoh Japan" },
65 { 0x29, "ASK France" },
66 { 0x2A, "Unicore Microsystems, LLC Russian Federation" },
67 { 0x2B, "Dallas Semiconductor/Maxim USA" },
68 { 0x2C, "Impinj, Inc. USA" },
69 { 0x2D, "RightPlug Alliance USA" },
70 { 0x2E, "Broadcom Corporation USA" },
71 { 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
72 { 0x30, "BeeDar Technology Inc. USA" },
73 { 0x31, "RFIDsec Denmark" },
74 { 0x32, "Schweizer Electronic AG Germany" },
75 { 0x33, "AMIC Technology Corp Taiwan" },
76 { 0x34, "Mikron JSC Russia" },
77 { 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
78 { 0x36, "IDS Microchip AG Switzerland" },
79 { 0x37, "Kovio USA" },
80 { 0x38, "HMT Microelectronic Ltd Switzerland Identifier Company Country" },
81 { 0x39, "Silicon Craft Technology Thailand" },
82 { 0x3A, "Advanced Film Device Inc. Japan" },
83 { 0x3B, "Nitecrest Ltd UK" },
84 { 0x3C, "Verayo Inc. USA" },
85 { 0x3D, "HID Global USA" },
86 { 0x3E, "Productivity Engineering Gmbh Germany" },
87 { 0x3F, "Austriamicrosystems AG (reserved) Austria" },
88 { 0x40, "Gemalto SA France" },
89 { 0x41, "Renesas Electronics Corporation Japan" },
90 { 0x42, "3Alogics Inc Korea" },
91 { 0x43, "Top TroniQ Asia Limited Hong Kong" },
92 { 0x44, "Gentag Inc (USA) USA" },
93 { 0x00, "no tag-info available" } // must be the last entry
94 };
95
96
97 // get a product description based on the UID
98 // uid[8] tag uid
99 // returns description of the best match
100 char* getTagInfo(uint8_t uid) {
101
102 int i;
103 int len = sizeof(manufactureMapping) / sizeof(manufactureName);
104
105 for ( i = 0; i < len; ++i )
106 if ( uid == manufactureMapping[i].uid)
107 return manufactureMapping[i].desc;
108
109 //No match, return default
110 return manufactureMapping[len-1].desc;
111 }
112
113 int CmdHF14AList(const char *Cmd)
114 {
115 PrintAndLog("Deprecated command, use 'hf list 14a' instead");
116 return 0;
117 }
118
119 int CmdHF14AReader(const char *Cmd)
120 {
121 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
122 SendCommand(&c);
123
124 UsbCommand resp;
125 WaitForResponse(CMD_ACK,&resp);
126
127 iso14a_card_select_t card;
128 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
129
130 uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
131
132 if(select_status == 0) {
133 if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
134 // disconnect
135 c.arg[0] = 0;
136 c.arg[1] = 0;
137 c.arg[2] = 0;
138 SendCommand(&c);
139 return 0;
140 }
141
142 if(select_status == 3) {
143 PrintAndLog("Card doesn't support standard iso14443-3 anticollision");
144 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
145 // disconnect
146 c.arg[0] = 0;
147 c.arg[1] = 0;
148 c.arg[2] = 0;
149 SendCommand(&c);
150 return 0;
151 }
152
153 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
154 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
155 PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
156
157 switch (card.sak) {
158 case 0x00:
159
160 //***************************************test****************
161 // disconnect
162 c.arg[0] = 0;
163 c.arg[1] = 0;
164 c.arg[2] = 0;
165 SendCommand(&c);
166
167 uint32_t tagT = GetHF14AMfU_Type();
168 ul_print_type(tagT, 0);
169
170 //reconnect for further tests
171 c.arg[0] = ISO14A_CONNECT | ISO14A_NO_DISCONNECT;
172 c.arg[1] = 0;
173 c.arg[2] = 0;
174
175 SendCommand(&c);
176
177 UsbCommand resp;
178 WaitForResponse(CMD_ACK,&resp);
179
180 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
181
182 select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
183
184 if(select_status == 0) {
185 //PrintAndLog("iso14443a card select failed");
186 // disconnect
187 c.arg[0] = 0;
188 c.arg[1] = 0;
189 c.arg[2] = 0;
190 SendCommand(&c);
191 return 0;
192 }
193
194 /* orig
195 // check if the tag answers to GETVERSION (0x60)
196 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
197 c.arg[1] = 1;
198 c.arg[2] = 0;
199 c.d.asBytes[0] = 0x60;
200 SendCommand(&c);
201 WaitForResponse(CMD_ACK,&resp);
202
203 uint8_t version[10] = {0};
204 memcpy(version, resp.d.asBytes, resp.arg[0] < sizeof(version) ? resp.arg[0] : sizeof(version));
205 uint8_t len = resp.arg[0] & 0xff;
206 switch ( len ){
207 // todo, identify "Magic UL-C tags". // they usually have a static nonce response to 0x1A command.
208 // UL-EV1, size, check version[6] == 0x0b (smaller) 0x0b * 4 == 48
209 case 0x0A:PrintAndLog("TYPE : NXP MIFARE Ultralight EV1 %d bytes", (version[6] == 0xB) ? 48 : 128);break;
210 case 0x01:PrintAndLog("TYPE : NXP MIFARE Ultralight C");break;
211 case 0x00:PrintAndLog("TYPE : NXP MIFARE Ultralight");break;
212 }
213 */
214 break;
215 case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
216 case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
217 case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
218 case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
219 case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break;
220 case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break;
221 case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break;
222 case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break;
223 case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break;
224 case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break;
225 case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break;
226 case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break;
227 case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
228 default: ;
229 }
230
231 // Double & triple sized UID, can be mapped to a manufacturer.
232 // HACK: does this apply for Ultralight cards?
233 if ( card.uidlen > 4 ) {
234 PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
235 }
236
237 // try to request ATS even if tag claims not to support it
238 if (select_status == 2) {
239 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
240 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
241 c.arg[1] = 2;
242 c.arg[2] = 0;
243 memcpy(c.d.asBytes, rats, 2);
244 SendCommand(&c);
245 WaitForResponse(CMD_ACK,&resp);
246
247 memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
248 card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
249 }
250
251 if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
252 bool ta1 = 0, tb1 = 0, tc1 = 0;
253 int pos;
254
255 if (select_status == 2) {
256 PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
257 }
258 PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
259 PrintAndLog(" - TL : length is %d bytes", card.ats[0]);
260 if (card.ats[0] != card.ats_len - 2) {
261 PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
262 }
263
264 if (card.ats[0] > 1) { // there is a format byte (T0)
265 ta1 = (card.ats[1] & 0x10) == 0x10;
266 tb1 = (card.ats[1] & 0x20) == 0x20;
267 tc1 = (card.ats[1] & 0x40) == 0x40;
268 int16_t fsci = card.ats[1] & 0x0f;
269 PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, "
270 "TC1 is%s present, FSCI is %d (FSC = %ld)",
271 (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
272 fsci,
273 fsci < 5 ? (fsci - 2) * 8 :
274 fsci < 8 ? (fsci - 3) * 32 :
275 fsci == 8 ? 256 :
276 -1
277 );
278 }
279 pos = 2;
280 if (ta1) {
281 char dr[16], ds[16];
282 dr[0] = ds[0] = '\0';
283 if (card.ats[pos] & 0x10) strcat(ds, "2, ");
284 if (card.ats[pos] & 0x20) strcat(ds, "4, ");
285 if (card.ats[pos] & 0x40) strcat(ds, "8, ");
286 if (card.ats[pos] & 0x01) strcat(dr, "2, ");
287 if (card.ats[pos] & 0x02) strcat(dr, "4, ");
288 if (card.ats[pos] & 0x04) strcat(dr, "8, ");
289 if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
290 if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
291 PrintAndLog(" - TA1 : different divisors are%s supported, "
292 "DR: [%s], DS: [%s]",
293 (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
294 pos++;
295 }
296 if (tb1) {
297 uint32_t sfgi = card.ats[pos] & 0x0F;
298 uint32_t fwi = card.ats[pos] >> 4;
299 PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
300 (sfgi),
301 sfgi ? "" : "(not needed) ",
302 sfgi ? (1 << 12) << sfgi : 0,
303 fwi,
304 (1 << 12) << fwi
305 );
306 pos++;
307 }
308 if (tc1) {
309 PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported",
310 (card.ats[pos] & 0x01) ? "" : " NOT",
311 (card.ats[pos] & 0x02) ? "" : " NOT");
312 pos++;
313 }
314 if (card.ats[0] > pos) {
315 char *tip = "";
316 if (card.ats[0] - pos >= 7) {
317 if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
318 tip = "-> MIFARE Plus X 2K or 4K";
319 } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
320 tip = "-> MIFARE Plus S 2K or 4K";
321 }
322 }
323 PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
324 if (card.ats[pos] == 0xC1) {
325 PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type");
326 PrintAndLog(" %02x -> Length is %d bytes",
327 card.ats[pos + 1], card.ats[pos + 1]);
328 switch (card.ats[pos + 2] & 0xf0) {
329 case 0x10:
330 PrintAndLog(" 1x -> MIFARE DESFire");
331 break;
332 case 0x20:
333 PrintAndLog(" 2x -> MIFARE Plus");
334 break;
335 }
336 switch (card.ats[pos + 2] & 0x0f) {
337 case 0x00:
338 PrintAndLog(" x0 -> <1 kByte");
339 break;
340 case 0x01:
341 PrintAndLog(" x1 -> 1 kByte");
342 break;
343 case 0x02:
344 PrintAndLog(" x2 -> 2 kByte");
345 break;
346 case 0x03:
347 PrintAndLog(" x3 -> 4 kByte");
348 break;
349 case 0x04:
350 PrintAndLog(" x4 -> 8 kByte");
351 break;
352 }
353 switch (card.ats[pos + 3] & 0xf0) {
354 case 0x00:
355 PrintAndLog(" 0x -> Engineering sample");
356 break;
357 case 0x20:
358 PrintAndLog(" 2x -> Released");
359 break;
360 }
361 switch (card.ats[pos + 3] & 0x0f) {
362 case 0x00:
363 PrintAndLog(" x0 -> Generation 1");
364 break;
365 case 0x01:
366 PrintAndLog(" x1 -> Generation 2");
367 break;
368 case 0x02:
369 PrintAndLog(" x2 -> Generation 3");
370 break;
371 }
372 switch (card.ats[pos + 4] & 0x0f) {
373 case 0x00:
374 PrintAndLog(" x0 -> Only VCSL supported");
375 break;
376 case 0x01:
377 PrintAndLog(" x1 -> VCS, VCSL, and SVC supported");
378 break;
379 case 0x0E:
380 PrintAndLog(" xE -> no VCS command supported");
381 break;
382 }
383 }
384 }
385 } else {
386 PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
387 }
388
389
390 // try to see if card responses to "chinese magic backdoor" commands.
391 mfCIdentify();
392
393 return select_status;
394 }
395
396 // Collect ISO14443 Type A UIDs
397 int CmdHF14ACUIDs(const char *Cmd)
398 {
399 // requested number of UIDs
400 int n = atoi(Cmd);
401 // collect at least 1 (e.g. if no parameter was given)
402 n = n > 0 ? n : 1;
403
404 PrintAndLog("Collecting %d UIDs", n);
405 PrintAndLog("Start: %" PRIu64, msclock()/1000);
406 // repeat n times
407 for (int i = 0; i < n; i++) {
408 // execute anticollision procedure
409 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_RATS, 0, 0}};
410 SendCommand(&c);
411
412 UsbCommand resp;
413 WaitForResponse(CMD_ACK,&resp);
414
415 iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
416
417 // check if command failed
418 if (resp.arg[0] == 0) {
419 PrintAndLog("Card select failed.");
420 } else {
421 char uid_string[20];
422 for (uint16_t i = 0; i < card->uidlen; i++) {
423 sprintf(&uid_string[2*i], "%02X", card->uid[i]);
424 }
425 PrintAndLog("%s", uid_string);
426 }
427 }
428 PrintAndLog("End: %" PRIu64, msclock()/1000);
429
430 return 1;
431 }
432
433 // ## simulate iso14443a tag
434 // ## greg - added ability to specify tag UID
435 int CmdHF14ASim(const char *Cmd)
436 {
437 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{0,0,0}};
438
439 // Retrieve the tag type
440 uint8_t tagtype = param_get8ex(Cmd,0,0,10);
441
442 // When no argument was given, just print help message
443 if (tagtype == 0) {
444 PrintAndLog("");
445 PrintAndLog(" Emulating ISO/IEC 14443 type A tag with 4 or 7 byte UID");
446 PrintAndLog("");
447 PrintAndLog(" syntax: hf 14a sim <type> <uid>");
448 PrintAndLog(" types: 1 = MIFARE Classic");
449 PrintAndLog(" 2 = MIFARE Ultralight");
450 PrintAndLog(" 3 = MIFARE Desfire");
451 PrintAndLog(" 4 = ISO/IEC 14443-4");
452 PrintAndLog(" 5 = MIFARE Tnp3xxx");
453 PrintAndLog("");
454 return 1;
455 }
456
457 // Store the tag type
458 c.arg[0] = tagtype;
459
460 // Retrieve the full 4 or 7 byte long uid
461 uint64_t long_uid = param_get64ex(Cmd,1,0,16);
462
463 // Are we handling the (optional) second part uid?
464 if (long_uid > 0xffffffff) {
465 PrintAndLog("Emulating ISO/IEC 14443 type A tag with 7 byte UID (%014" PRIx64 ")",long_uid);
466 // Store the second part
467 c.arg[2] = (long_uid & 0xffffffff);
468 long_uid >>= 32;
469 // Store the first part, ignore the first byte, it is replaced by cascade byte (0x88)
470 c.arg[1] = (long_uid & 0xffffff);
471 } else {
472 PrintAndLog("Emulating ISO/IEC 14443 type A tag with 4 byte UID (%08x)",long_uid);
473 // Only store the first part
474 c.arg[1] = long_uid & 0xffffffff;
475 }
476 /*
477 // At lease save the mandatory first part of the UID
478 c.arg[0] = long_uid & 0xffffffff;
479
480 if (c.arg[1] == 0) {
481 PrintAndLog("Emulating ISO/IEC 14443 type A tag with UID %01d %08x %08x",c.arg[0],c.arg[1],c.arg[2]);
482 }
483
484 switch (c.arg[0]) {
485 case 1: {
486 PrintAndLog("Emulating ISO/IEC 14443-3 type A tag with 4 byte UID");
487 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16)};
488 } break;
489 case 2: {
490 PrintAndLog("Emulating ISO/IEC 14443-4 type A tag with 7 byte UID");
491 } break;
492 default: {
493 PrintAndLog("Error: unkown tag type (%d)",c.arg[0]);
494 PrintAndLog("syntax: hf 14a sim <uid>",c.arg[0]);
495 PrintAndLog(" type1: 4 ",c.arg[0]);
496
497 return 1;
498 } break;
499 }
500 */
501 /*
502 unsigned int hi = 0, lo = 0;
503 int n = 0, i = 0;
504 while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
505 hi= (hi << 4) | (lo >> 28);
506 lo= (lo << 4) | (n & 0xf);
507 }
508 */
509 // UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16)};
510 // PrintAndLog("Emulating ISO/IEC 14443 type A tag with UID %01d %08x %08x",c.arg[0],c.arg[1],c.arg[2]);
511 SendCommand(&c);
512 return 0;
513 }
514
515 int CmdHF14ASnoop(const char *Cmd) {
516 int param = 0;
517
518 uint8_t ctmp = param_getchar(Cmd, 0) ;
519 if (ctmp == 'h' || ctmp == 'H') {
520 PrintAndLog("It get data from the field and saves it into command buffer.");
521 PrintAndLog("Buffer accessible from command hf list 14a.");
522 PrintAndLog("Usage: hf 14a snoop [c][r]");
523 PrintAndLog("c - triggered by first data from card");
524 PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
525 PrintAndLog("sample: hf 14a snoop c r");
526 return 0;
527 }
528
529 for (int i = 0; i < 2; i++) {
530 ctmp = param_getchar(Cmd, i);
531 if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
532 if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
533 }
534
535 UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
536 SendCommand(&c);
537 return 0;
538 }
539
540 int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int *dataoutlen) {
541 uint8_t data[USB_CMD_DATA_SIZE];
542 int datalen;
543 uint8_t cmdc = 0;
544 uint8_t first, second;
545
546 if (activateField)
547 cmdc |= ISO14A_CONNECT;
548 if (leaveSignalON)
549 cmdc |= ISO14A_NO_DISCONNECT;
550
551 // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
552 memcpy(data + 1, datain, datainlen);
553 data[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00)
554 datalen = datainlen + 1;
555
556 ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
557 data[datalen++] = first;
558 data[datalen++] = second;
559
560 // "Command APDU" length should be 5+255+1, but javacard's APDU buffer might be smaller - 133 bytes
561 // https://stackoverflow.com/questions/32994936/safe-max-java-card-apdu-data-command-and-respond-size
562 // here length USB_CMD_DATA_SIZE=512
563 // timeout timeout14a * 1.06 / 100, true, size, &keyBlock[6 * c], e_sector); // timeout is (ms * 106)/10 or us*0.0106
564 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_SET_TIMEOUT | cmdc, (datalen & 0xFFFF), 1000 * 1000 * 1.06 / 100}};
565 memcpy(c.d.asBytes, data, datalen);
566 SendCommand(&c);
567
568 uint8_t *recv;
569 UsbCommand resp;
570
571 if (activateField) {
572 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500))
573 return 1;
574 if (resp.arg[0] != 1)
575 return 1;
576 }
577
578 if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
579 recv = resp.d.asBytes;
580 uint8_t iLen = resp.arg[0];
581
582 *dataoutlen = iLen - 1 - 2;
583 if (*dataoutlen < 0)
584 *dataoutlen = 0;
585 memcpy(dataout, recv + 1, *dataoutlen);
586
587 if(!iLen)
588 return 1;
589
590 // check apdu length
591 if (iLen < 5) {
592 PrintAndLog("APDU ERROR: Small APDU response.");
593 return 2;
594 }
595
596 // check block
597 if (data[0] != recv[0]) {
598 PrintAndLog("APDU ERROR: Block type mismatch: %02x-%02x", data[0], recv[0]);
599 return 2;
600 }
601
602 // CRC Check
603 ComputeCrc14443(CRC_14443_A, recv, iLen, &first, &second);
604 if (first || second) {
605 PrintAndLog("APDU ERROR: ISO 14443A CRC error.");
606 return 3;
607 }
608
609 } else {
610 PrintAndLog("APDU ERROR: Reply timeout.");
611 return 4;
612 }
613
614 return 0;
615 }
616
617 int CmdHF14AAPDU(const char *cmd) {
618 uint8_t data[USB_CMD_DATA_SIZE];
619 int datalen = 0;
620 bool activateField = false;
621 bool leaveSignalON = false;
622 bool decodeTLV = false;
623
624 if (strlen(cmd) < 2) {
625 PrintAndLog("Usage: hf 14a apdu [-s] [-k] [-t] <APDU (hex)>");
626 PrintAndLog(" -s activate field and select card");
627 PrintAndLog(" -k leave the signal field ON after receive response");
628 PrintAndLog(" -t executes TLV decoder if it possible");
629 return 0;
630 }
631
632 int cmdp = 0;
633 while(param_getchar(cmd, cmdp) != 0x00) {
634 char c = param_getchar(cmd, cmdp);
635 if ((c == '-') && (param_getlength(cmd, cmdp) == 2))
636 switch (param_getchar_indx(cmd, 1, cmdp)) {
637 case 's':
638 case 'S':
639 activateField = true;
640 break;
641 case 'k':
642 case 'K':
643 leaveSignalON = true;
644 break;
645 case 't':
646 case 'T':
647 decodeTLV = true;
648 break;
649 default:
650 PrintAndLog("Unknown parameter '%c'", param_getchar_indx(cmd, 1, cmdp));
651 return 1;
652 }
653
654 if (isxdigit(c)) {
655 // len = data + PCB(1b) + CRC(2b)
656 switch(param_gethex_to_eol(cmd, cmdp, data, sizeof(data) - 1 - 2, &datalen)) {
657 case 1:
658 PrintAndLog("Invalid HEX value.");
659 return 1;
660 case 2:
661 PrintAndLog("APDU too large.");
662 return 1;
663 case 3:
664 PrintAndLog("Hex must have even number of digits.");
665 return 1;
666 }
667
668 // we get all the hex to end of line with spaces
669 break;
670 }
671
672 cmdp++;
673 }
674
675 PrintAndLog("--%s %s %s >>>> %s", activateField ? "sel": "", leaveSignalON ? "keep": "", decodeTLV ? "TLV": "", sprint_hex(data, datalen));
676
677 switch(ExchangeAPDU14a(data, datalen, activateField, leaveSignalON, data, &datalen)) {
678 case 0:
679 break;
680 case 1:
681 PrintAndLog("APDU ERROR: Send APDU error.");
682 return 1;
683 case 2:
684 return 2;
685 case 3:
686 return 3;
687 case 4:
688 return 4;
689 default:
690 return 5;
691 }
692
693 PrintAndLog("<<<< %s", sprint_hex(data, datalen));
694
695 PrintAndLog("APDU response: %02x %02x", data[datalen - 2], data[datalen - 1]); // TODO add APDU descriptions
696
697 // here TLV decoder...
698 if (decodeTLV) {
699 PrintAndLog("--- TLV decoded:");
700 }
701
702 return 0;
703 }
704
705 int CmdHF14ACmdRaw(const char *cmd) {
706 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
707 bool reply=1;
708 bool crc = false;
709 bool power = false;
710 bool active = false;
711 bool active_select = false;
712 bool no_rats = false;
713 uint16_t numbits = 0;
714 bool bTimeout = false;
715 uint32_t timeout = 0;
716 bool topazmode = false;
717 char buf[5]="";
718 int i = 0;
719 uint8_t data[USB_CMD_DATA_SIZE];
720 uint16_t datalen = 0;
721 uint32_t temp;
722
723 if (strlen(cmd)<2) {
724 PrintAndLog("Usage: hf 14a raw [-r] [-c] [-p] [-f] [-b] [-t] <number of bits> <0A 0B 0C ... hex>");
725 PrintAndLog(" -r do not read response");
726 PrintAndLog(" -c calculate and append CRC");
727 PrintAndLog(" -p leave the signal field ON after receive");
728 PrintAndLog(" -a active signal field ON without select");
729 PrintAndLog(" -s active signal field ON with select");
730 PrintAndLog(" -b number of bits to send. Useful for send partial byte");
731 PrintAndLog(" -t timeout in ms");
732 PrintAndLog(" -T use Topaz protocol to send command");
733 PrintAndLog(" -3 ISO14443-3 select only (skip RATS)");
734 return 0;
735 }
736
737
738 // strip
739 while (*cmd==' ' || *cmd=='\t') cmd++;
740
741 while (cmd[i]!='\0') {
742 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
743 if (cmd[i]=='-') {
744 switch (cmd[i+1]) {
745 case 'r':
746 reply = false;
747 break;
748 case 'c':
749 crc = true;
750 break;
751 case 'p':
752 power = true;
753 break;
754 case 'a':
755 active = true;
756 break;
757 case 's':
758 active_select = true;
759 break;
760 case 'b':
761 sscanf(cmd+i+2,"%d",&temp);
762 numbits = temp & 0xFFFF;
763 i+=3;
764 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
765 i-=2;
766 break;
767 case 't':
768 bTimeout = true;
769 sscanf(cmd+i+2,"%d",&temp);
770 timeout = temp;
771 i+=3;
772 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
773 i-=2;
774 break;
775 case 'T':
776 topazmode = true;
777 break;
778 case '3':
779 no_rats = true;
780 break;
781 default:
782 PrintAndLog("Invalid option");
783 return 0;
784 }
785 i+=2;
786 continue;
787 }
788 if ((cmd[i]>='0' && cmd[i]<='9') ||
789 (cmd[i]>='a' && cmd[i]<='f') ||
790 (cmd[i]>='A' && cmd[i]<='F') ) {
791 buf[strlen(buf)+1]=0;
792 buf[strlen(buf)]=cmd[i];
793 i++;
794
795 if (strlen(buf)>=2) {
796 sscanf(buf,"%x",&temp);
797 data[datalen]=(uint8_t)(temp & 0xff);
798 *buf=0;
799 if (datalen > sizeof(data)-1) {
800 if (crc)
801 PrintAndLog("Buffer is full, we can't add CRC to your data");
802 break;
803 } else {
804 datalen++;
805 }
806 }
807 continue;
808 }
809 PrintAndLog("Invalid char on input");
810 return 0;
811 }
812
813 if(crc && datalen>0 && datalen<sizeof(data)-2)
814 {
815 uint8_t first, second;
816 if (topazmode) {
817 ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
818 } else {
819 ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
820 }
821 data[datalen++] = first;
822 data[datalen++] = second;
823 }
824
825 if(active || active_select)
826 {
827 c.arg[0] |= ISO14A_CONNECT;
828 if(active)
829 c.arg[0] |= ISO14A_NO_SELECT;
830 }
831
832 if(bTimeout){
833 #define MAX_TIMEOUT 40542464 // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
834 c.arg[0] |= ISO14A_SET_TIMEOUT;
835 if(timeout > MAX_TIMEOUT) {
836 timeout = MAX_TIMEOUT;
837 PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
838 }
839 c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
840 }
841
842 if(power) {
843 c.arg[0] |= ISO14A_NO_DISCONNECT;
844 }
845
846 if(datalen > 0) {
847 c.arg[0] |= ISO14A_RAW;
848 }
849
850 if(topazmode) {
851 c.arg[0] |= ISO14A_TOPAZMODE;
852 }
853
854 if(no_rats) {
855 c.arg[0] |= ISO14A_NO_RATS;
856 }
857
858 // Max buffer is USB_CMD_DATA_SIZE (512)
859 c.arg[1] = (datalen & 0xFFFF) | ((uint32_t)numbits << 16);
860 memcpy(c.d.asBytes,data,datalen);
861
862 SendCommand(&c);
863
864 if (reply) {
865 int res = 0;
866 if (active_select)
867 res = waitCmd(1);
868 if (!res && datalen > 0)
869 waitCmd(0);
870 } // if reply
871 return 0;
872 }
873
874
875 static int waitCmd(uint8_t iSelect) {
876 uint8_t *recv;
877 UsbCommand resp;
878 char *hexout;
879
880 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
881 recv = resp.d.asBytes;
882 uint8_t iLen = iSelect ? resp.arg[1] : resp.arg[0];
883 PrintAndLog("received %i octets", iLen);
884 if(!iLen)
885 return 1;
886 hexout = (char *)malloc(iLen * 3 + 1);
887 if (hexout != NULL) {
888 for (int i = 0; i < iLen; i++) { // data in hex
889 sprintf(&hexout[i * 3], "%02X ", recv[i]);
890 }
891 PrintAndLog("%s", hexout);
892 free(hexout);
893 } else {
894 PrintAndLog("malloc failed your client has low memory?");
895 return 2;
896 }
897 } else {
898 PrintAndLog("timeout while waiting for reply.");
899 return 3;
900 }
901 return 0;
902 }
903
904 static command_t CommandTable[] =
905 {
906 {"help", CmdHelp, 1, "This help"},
907 {"list", CmdHF14AList, 0, "[Deprecated] List ISO 14443a history"},
908 {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
909 {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
910 {"sim", CmdHF14ASim, 0, "<UID> -- Simulate ISO 14443a tag"},
911 {"snoop", CmdHF14ASnoop, 0, "Eavesdrop ISO 14443 Type A"},
912 {"apdu", CmdHF14AAPDU, 0, "Send ISO 1443-4 APDU to tag"},
913 {"raw", CmdHF14ACmdRaw, 0, "Send raw hex data to tag"},
914 {NULL, NULL, 0, NULL}
915 };
916
917 int CmdHF14A(const char *Cmd) {
918 // flush
919 WaitForResponseTimeout(CMD_ACK,NULL,100);
920
921 // parse
922 CmdsParse(CommandTable, Cmd);
923 return 0;
924 }
925
926 int CmdHelp(const char *Cmd)
927 {
928 CmdsHelp(CommandTable);
929 return 0;
930 }
Proxmark3 GIT tracking
Impressum, Datenschutz