]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
CHG: the device-side code for "hf 14a sim x"
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19
20 #include "crc.h"
21
22 //-----------------------------------------------------------------------------
23 // Select, Authenticate, Read a MIFARE tag.
24 // read block
25 //-----------------------------------------------------------------------------
26 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
27 {
28 // params
29 uint8_t blockNo = arg0;
30 uint8_t keyType = arg1;
31 uint64_t ui64Key = 0;
32 ui64Key = bytes_to_num(datain, 6);
33
34 // variables
35 byte_t isOK = 0;
36 byte_t dataoutbuf[16];
37 uint8_t uid[10];
38 uint32_t cuid;
39 struct Crypto1State mpcs = {0, 0};
40 struct Crypto1State *pcs;
41 pcs = &mpcs;
42
43 // clear trace
44 clear_trace();
45 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
46
47 LED_A_ON();
48 LED_B_OFF();
49 LED_C_OFF();
50
51 while (true) {
52 if(!iso14443a_select_card(uid, NULL, &cuid)) {
53 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
54 break;
55 };
56
57 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
58 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
59 break;
60 };
61
62 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
63 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
64 break;
65 };
66
67 if(mifare_classic_halt(pcs, cuid)) {
68 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
69 break;
70 };
71
72 isOK = 1;
73 break;
74 }
75
76 // ----------------------------- crypto1 destroy
77 crypto1_destroy(pcs);
78
79 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
80
81 LED_B_ON();
82 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
83 LED_B_OFF();
84
85 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
86 LEDsoff();
87 }
88
89
90 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
91
92 bool turnOffField = (arg0 == 1);
93
94 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
95 clear_trace();
96 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
97
98 if(!iso14443a_select_card(NULL, NULL, NULL)) {
99 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
100 OnError(0);
101 return;
102 };
103
104 if(!mifare_ultra_auth(keybytes)){
105 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
106 OnError(1);
107 return;
108 }
109
110 if (turnOffField) {
111 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
112 LEDsoff();
113 }
114 cmd_send(CMD_ACK,1,0,0,0,0);
115 }
116
117 // Arg0 = BlockNo,
118 // Arg1 = UsePwd bool
119 // datain = PWD bytes,
120 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
121 {
122 uint8_t blockNo = arg0;
123 byte_t dataout[16] = {0x00};
124 bool useKey = (arg1 == 1); //UL_C
125 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
126
127 LEDsoff();
128 LED_A_ON();
129 clear_trace();
130 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
131
132 int len = iso14443a_select_card(NULL, NULL, NULL);
133 if(!len) {
134 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
135 OnError(1);
136 return;
137 }
138
139 // UL-C authentication
140 if ( useKey ) {
141 uint8_t key[16] = {0x00};
142 memcpy(key, datain, sizeof(key) );
143
144 if ( !mifare_ultra_auth(key) ) {
145 OnError(1);
146 return;
147 }
148 }
149
150 // UL-EV1 / NTAG authentication
151 if (usePwd) {
152 uint8_t pwd[4] = {0x00};
153 memcpy(pwd, datain, 4);
154 uint8_t pack[4] = {0,0,0,0};
155 if (!mifare_ul_ev1_auth(pwd, pack)) {
156 OnError(1);
157 return;
158 }
159 }
160
161 if( mifare_ultra_readblock(blockNo, dataout) ) {
162 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
163 OnError(2);
164 return;
165 }
166
167 if( mifare_ultra_halt() ) {
168 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
169 OnError(3);
170 return;
171 }
172
173 cmd_send(CMD_ACK,1,0,0,dataout,16);
174 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
175 LEDsoff();
176 }
177
178 //-----------------------------------------------------------------------------
179 // Select, Authenticate, Read a MIFARE tag.
180 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
181 //-----------------------------------------------------------------------------
182 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
183 {
184 // params
185 uint8_t sectorNo = arg0;
186 uint8_t keyType = arg1;
187 uint64_t ui64Key = 0;
188 ui64Key = bytes_to_num(datain, 6);
189
190 // variables
191 byte_t isOK = 0;
192 byte_t dataoutbuf[16 * 16];
193 uint8_t uid[10];
194 uint32_t cuid;
195 struct Crypto1State mpcs = {0, 0};
196 struct Crypto1State *pcs;
197 pcs = &mpcs;
198
199 // clear trace
200 clear_trace();
201
202 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
203
204 LED_A_ON();
205 LED_B_OFF();
206 LED_C_OFF();
207
208 isOK = 1;
209 if(!iso14443a_select_card(uid, NULL, &cuid)) {
210 isOK = 0;
211 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
212 }
213
214
215 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
216 isOK = 0;
217 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
218 }
219
220 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
221 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
222 isOK = 0;
223 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
224 break;
225 }
226 }
227
228 if(mifare_classic_halt(pcs, cuid)) {
229 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
230 }
231
232 // ----------------------------- crypto1 destroy
233 crypto1_destroy(pcs);
234
235 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
236
237 LED_B_ON();
238 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
239 LED_B_OFF();
240
241 // Thats it...
242 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
243 LEDsoff();
244 }
245
246 // arg0 = blockNo (start)
247 // arg1 = Pages (number of blocks)
248 // arg2 = useKey
249 // datain = KEY bytes
250 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
251 {
252 // params
253 uint8_t blockNo = arg0;
254 uint16_t blocks = arg1;
255 bool useKey = (arg2 == 1); //UL_C
256 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
257 uint32_t countblocks = 0;
258 uint8_t *dataout = BigBuf_get_addr();
259
260 LEDsoff();
261 LED_A_ON();
262 clear_trace();
263 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
264
265 int len = iso14443a_select_card(NULL, NULL, NULL);
266 if (!len) {
267 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
268 OnError(1);
269 return;
270 }
271
272 // UL-C authentication
273 if ( useKey ) {
274 uint8_t key[16] = {0x00};
275 memcpy(key, datain, sizeof(key) );
276
277 if ( !mifare_ultra_auth(key) ) {
278 OnError(1);
279 return;
280 }
281 }
282
283 // UL-EV1 / NTAG authentication
284 if (usePwd) {
285 uint8_t pwd[4] = {0x00};
286 memcpy(pwd, datain, sizeof(pwd));
287 uint8_t pack[4] = {0,0,0,0};
288
289 if (!mifare_ul_ev1_auth(pwd, pack)){
290 OnError(1);
291 return;
292 }
293 }
294
295 for (int i = 0; i < blocks; i++){
296 if ((i*4) + 4 > BigBuf_get_traceLen()) {
297 Dbprintf("Data exceeds buffer!!");
298 break;
299 }
300
301 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
302
303 if (len) {
304 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
305 // if no blocks read - error out
306 if (i==0){
307 OnError(2);
308 return;
309 } else {
310 //stop at last successful read block and return what we got
311 break;
312 }
313 } else {
314 countblocks++;
315 }
316 }
317
318 len = mifare_ultra_halt();
319 if (len) {
320 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
321 OnError(3);
322 return;
323 }
324
325 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
326
327 countblocks *= 4;
328 cmd_send(CMD_ACK, 1, countblocks, countblocks, 0, 0);
329 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
330 LEDsoff();
331 }
332
333 //-----------------------------------------------------------------------------
334 // Select, Authenticate, Write a MIFARE tag.
335 // read block
336 //-----------------------------------------------------------------------------
337 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
338 {
339 // params
340 uint8_t blockNo = arg0;
341 uint8_t keyType = arg1;
342 uint64_t ui64Key = 0;
343 byte_t blockdata[16];
344
345 ui64Key = bytes_to_num(datain, 6);
346 memcpy(blockdata, datain + 10, 16);
347
348 // variables
349 byte_t isOK = 0;
350 uint8_t uid[10];
351 uint32_t cuid;
352 struct Crypto1State mpcs = {0, 0};
353 struct Crypto1State *pcs;
354 pcs = &mpcs;
355
356 // clear trace
357 clear_trace();
358
359 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
360
361 LED_A_ON();
362 LED_B_OFF();
363 LED_C_OFF();
364
365 while (true) {
366 if(!iso14443a_select_card(uid, NULL, &cuid)) {
367 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
368 break;
369 };
370
371 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
372 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
373 break;
374 };
375
376 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
377 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
378 break;
379 };
380
381 if(mifare_classic_halt(pcs, cuid)) {
382 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
383 break;
384 };
385
386 isOK = 1;
387 break;
388 }
389
390 // ----------------------------- crypto1 destroy
391 crypto1_destroy(pcs);
392
393 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
394
395 LED_B_ON();
396 cmd_send(CMD_ACK,isOK,0,0,0,0);
397 LED_B_OFF();
398
399
400 // Thats it...
401 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
402 LEDsoff();
403 }
404
405 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
406 {
407 uint8_t blockNo = arg0;
408 byte_t blockdata[16] = {0x00};
409
410 memcpy(blockdata, datain, 16);
411
412 uint8_t uid[10] = {0x00};
413
414 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
415
416 clear_trace();
417 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
418
419 if(!iso14443a_select_card(uid, NULL, NULL)) {
420 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
421 OnError(0);
422 return;
423 };
424
425 if(mifare_ultra_writeblock(blockNo, blockdata)) {
426 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
427 OnError(0);
428 return; };
429
430 if(mifare_ultra_halt()) {
431 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
432 OnError(0);
433 return;
434 };
435
436 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
437
438 cmd_send(CMD_ACK,1,0,0,0,0);
439 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
440 LEDsoff();
441 }
442
443 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
444 {
445 uint8_t blockNo = arg0;
446 byte_t blockdata[4] = {0x00};
447
448 memcpy(blockdata, datain,4);
449
450 LEDsoff();
451 LED_A_ON();
452 clear_trace();
453 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
454
455 if(!iso14443a_select_card(NULL, NULL, NULL)) {
456 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
457 OnError(0);
458 return;
459 };
460
461 if(mifare_ultra_special_writeblock(blockNo, blockdata)) {
462 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
463 OnError(0);
464 return;
465 };
466
467 if(mifare_ultra_halt()) {
468 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
469 OnError(0);
470 return;
471 };
472
473 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
474
475 cmd_send(CMD_ACK,1,0,0,0,0);
476 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
477 LEDsoff();
478 }
479
480 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
481
482 uint8_t pwd[16] = {0x00};
483 byte_t blockdata[4] = {0x00};
484
485 memcpy(pwd, datain, 16);
486
487 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
488 clear_trace();
489 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
490
491 if(!iso14443a_select_card(NULL, NULL, NULL)) {
492 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
493 OnError(0);
494 return;
495 };
496
497 blockdata[0] = pwd[7];
498 blockdata[1] = pwd[6];
499 blockdata[2] = pwd[5];
500 blockdata[3] = pwd[4];
501 if(mifare_ultra_special_writeblock( 44, blockdata)) {
502 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
503 OnError(44);
504 return;
505 };
506
507 blockdata[0] = pwd[3];
508 blockdata[1] = pwd[2];
509 blockdata[2] = pwd[1];
510 blockdata[3] = pwd[0];
511 if(mifare_ultra_special_writeblock( 45, blockdata)) {
512 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
513 OnError(45);
514 return;
515 };
516
517 blockdata[0] = pwd[15];
518 blockdata[1] = pwd[14];
519 blockdata[2] = pwd[13];
520 blockdata[3] = pwd[12];
521 if(mifare_ultra_special_writeblock( 46, blockdata)) {
522 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
523 OnError(46);
524 return;
525 };
526
527 blockdata[0] = pwd[11];
528 blockdata[1] = pwd[10];
529 blockdata[2] = pwd[9];
530 blockdata[3] = pwd[8];
531 if(mifare_ultra_special_writeblock( 47, blockdata)) {
532 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
533 OnError(47);
534 return;
535 };
536
537 if(mifare_ultra_halt()) {
538 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
539 OnError(0);
540 return;
541 };
542
543 cmd_send(CMD_ACK,1,0,0,0,0);
544 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
545 LEDsoff();
546 }
547
548 // Return 1 if the nonce is invalid else return 0
549 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
550 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
551 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
552 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
553 }
554
555
556 //-----------------------------------------------------------------------------
557 // MIFARE nested authentication.
558 //
559 //-----------------------------------------------------------------------------
560 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
561 {
562 // params
563 uint8_t blockNo = arg0 & 0xff;
564 uint8_t keyType = (arg0 >> 8) & 0xff;
565 uint8_t targetBlockNo = arg1 & 0xff;
566 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
567 uint64_t ui64Key = 0;
568
569 ui64Key = bytes_to_num(datain, 6);
570
571 // variables
572 uint16_t rtr, i, j, len;
573 uint16_t davg;
574 static uint16_t dmin, dmax;
575 uint8_t uid[10];
576 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
577 uint8_t par[1];
578 uint32_t target_nt[2], target_ks[2];
579
580 uint8_t par_array[4];
581 uint16_t ncount = 0;
582 struct Crypto1State mpcs = {0, 0};
583 struct Crypto1State *pcs;
584 pcs = &mpcs;
585 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
586
587 uint32_t auth1_time, auth2_time;
588 static uint16_t delta_time;
589
590 // free eventually allocated BigBuf memory
591 BigBuf_free();
592 // clear trace
593 clear_trace();
594 set_tracing(false);
595
596 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
597
598 LED_A_ON();
599 LED_C_OFF();
600
601
602 // statistics on nonce distance
603 if (calibrate) { // for first call only. Otherwise reuse previous calibration
604 LED_B_ON();
605 WDT_HIT();
606
607 davg = dmax = 0;
608 dmin = 2000;
609 delta_time = 0;
610
611 for (rtr = 0; rtr < 17; rtr++) {
612
613 // prepare next select. No need to power down the card.
614 if(mifare_classic_halt(pcs, cuid)) {
615 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
616 rtr--;
617 continue;
618 }
619
620 if(!iso14443a_select_card(uid, NULL, &cuid)) {
621 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
622 rtr--;
623 continue;
624 };
625
626 auth1_time = 0;
627 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
628 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
629 rtr--;
630 continue;
631 };
632
633 if (delta_time) {
634 auth2_time = auth1_time + delta_time;
635 } else {
636 auth2_time = 0;
637 }
638 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
639 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
640 rtr--;
641 continue;
642 };
643
644 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
645 for (i = 101; i < 1200; i++) {
646 nttmp = prng_successor(nttmp, 1);
647 if (nttmp == nt2) break;
648 }
649
650 if (i != 1200) {
651 if (rtr != 0) {
652 davg += i;
653 dmin = MIN(dmin, i);
654 dmax = MAX(dmax, i);
655 }
656 else {
657 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
658 }
659 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
660 }
661 }
662
663 if (rtr <= 1) return;
664
665 davg = (davg + (rtr - 1)/2) / (rtr - 1);
666
667 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
668
669 dmin = davg - 2;
670 dmax = davg + 2;
671
672 LED_B_OFF();
673
674 }
675 // -------------------------------------------------------------------------------------------------
676
677 LED_C_ON();
678
679 // get crypted nonces for target sector
680 for(i=0; i < 2; i++) { // look for exactly two different nonces
681
682 target_nt[i] = 0;
683 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
684
685 // prepare next select. No need to power down the card.
686 if(mifare_classic_halt(pcs, cuid)) {
687 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
688 continue;
689 }
690
691 if(!iso14443a_select_card(uid, NULL, &cuid)) {
692 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
693 continue;
694 };
695
696 auth1_time = 0;
697 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
698 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
699 continue;
700 };
701
702 // nested authentication
703 auth2_time = auth1_time + delta_time;
704 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
705 if (len != 4) {
706 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
707 continue;
708 };
709
710 nt2 = bytes_to_num(receivedAnswer, 4);
711 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
712
713 // Parity validity check
714 for (j = 0; j < 4; j++) {
715 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
716 }
717
718 ncount = 0;
719 nttest = prng_successor(nt1, dmin - 1);
720 for (j = dmin; j < dmax + 1; j++) {
721 nttest = prng_successor(nttest, 1);
722 ks1 = nt2 ^ nttest;
723
724 if (valid_nonce(nttest, nt2, ks1, par_array)){
725 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
726 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
727 target_nt[i] = 0;
728 break;
729 }
730 target_nt[i] = nttest;
731 target_ks[i] = ks1;
732 ncount++;
733 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
734 target_nt[i] = 0;
735 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
736 break;
737 }
738 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
739 }
740 }
741 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
742 }
743 }
744
745 LED_C_OFF();
746
747 // ----------------------------- crypto1 destroy
748 crypto1_destroy(pcs);
749
750 byte_t buf[4 + 4 * 4];
751 memcpy(buf, &cuid, 4);
752 memcpy(buf+4, &target_nt[0], 4);
753 memcpy(buf+8, &target_ks[0], 4);
754 memcpy(buf+12, &target_nt[1], 4);
755 memcpy(buf+16, &target_ks[1], 4);
756
757 LED_B_ON();
758 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
759 LED_B_OFF();
760
761 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
762
763 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
764 LEDsoff();
765 set_tracing(TRUE);
766 }
767
768 //-----------------------------------------------------------------------------
769 // MIFARE check keys. key count up to 85.
770 //
771 //-----------------------------------------------------------------------------
772 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
773 {
774 // params
775 uint8_t blockNo = arg0;
776 uint8_t keyType = arg1;
777 uint8_t keyCount = arg2;
778 uint64_t ui64Key = 0;
779
780 // variables
781 int i;
782 byte_t isOK = 0;
783 uint8_t uid[10];
784 uint32_t cuid;
785 struct Crypto1State mpcs = {0, 0};
786 struct Crypto1State *pcs;
787 pcs = &mpcs;
788
789 // clear debug level
790 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
791 MF_DBGLEVEL = MF_DBG_NONE;
792
793 // clear trace
794 clear_trace();
795 set_tracing(TRUE);
796
797 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
798
799 LED_A_ON();
800 LED_B_OFF();
801 LED_C_OFF();
802
803 for (i = 0; i < keyCount; i++) {
804 if(mifare_classic_halt(pcs, cuid)) {
805 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
806 }
807
808 if(!iso14443a_select_card(uid, NULL, &cuid)) {
809 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
810 break;
811 };
812
813 ui64Key = bytes_to_num(datain + i * 6, 6);
814 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
815 continue;
816 };
817
818 isOK = 1;
819 break;
820 }
821
822 // ----------------------------- crypto1 destroy
823 crypto1_destroy(pcs);
824
825 LED_B_ON();
826 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
827 LED_B_OFF();
828
829 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
830 LEDsoff();
831
832 // restore debug level
833 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
834 }
835
836 //-----------------------------------------------------------------------------
837 // MIFARE commands set debug level
838 //
839 //-----------------------------------------------------------------------------
840 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
841 MF_DBGLEVEL = arg0;
842 Dbprintf("Debug level: %d", MF_DBGLEVEL);
843 }
844
845 //-----------------------------------------------------------------------------
846 // Work with emulator memory
847 //
848 //-----------------------------------------------------------------------------
849 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
850 emlClearMem();
851 }
852
853 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
854 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
855 }
856
857 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
858 byte_t buf[USB_CMD_DATA_SIZE];
859 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
860
861 LED_B_ON();
862 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
863 LED_B_OFF();
864 }
865
866 //-----------------------------------------------------------------------------
867 // Load a card into the emulator memory
868 //
869 //-----------------------------------------------------------------------------
870 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
871 uint8_t numSectors = arg0;
872 uint8_t keyType = arg1;
873 uint64_t ui64Key = 0;
874 uint32_t cuid;
875 struct Crypto1State mpcs = {0, 0};
876 struct Crypto1State *pcs;
877 pcs = &mpcs;
878
879 // variables
880 byte_t dataoutbuf[16];
881 byte_t dataoutbuf2[16];
882 uint8_t uid[10];
883
884 // clear trace
885 clear_trace();
886 set_tracing(false);
887
888 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
889
890 LED_A_ON();
891 LED_B_OFF();
892 LED_C_OFF();
893
894 bool isOK = true;
895
896 if(!iso14443a_select_card(uid, NULL, &cuid)) {
897 isOK = false;
898 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
899 }
900
901 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
902 ui64Key = emlGetKey(sectorNo, keyType);
903 if (sectorNo == 0){
904 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
905 isOK = false;
906 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
907 break;
908 }
909 } else {
910 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
911 isOK = false;
912 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
913 break;
914 }
915 }
916
917 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
918 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
919 isOK = false;
920 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
921 break;
922 };
923 if (isOK) {
924 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
925 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
926 } else { // sector trailer, keep the keys, set only the AC
927 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
928 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
929 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
930 }
931 }
932 }
933
934 }
935
936 if(mifare_classic_halt(pcs, cuid)) {
937 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
938 };
939
940 // ----------------------------- crypto1 destroy
941 crypto1_destroy(pcs);
942
943 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
944 LEDsoff();
945
946 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
947
948 }
949
950
951 //-----------------------------------------------------------------------------
952 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
953 //
954 //-----------------------------------------------------------------------------
955 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
956
957 // params
958 uint8_t needWipe = arg0;
959 // bit 0 - need get UID
960 // bit 1 - need wupC
961 // bit 2 - need HALT after sequence
962 // bit 3 - need init FPGA and field before sequence
963 // bit 4 - need reset FPGA and LED
964 uint8_t workFlags = arg1;
965 uint8_t blockNo = arg2;
966
967 // card commands
968 uint8_t wupC1[] = { 0x40 };
969 uint8_t wupC2[] = { 0x43 };
970 uint8_t wipeC[] = { 0x41 };
971
972 // variables
973 byte_t isOK = 0;
974 uint8_t uid[10] = {0x00};
975 uint8_t d_block[18] = {0x00};
976 uint32_t cuid;
977
978 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
979 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
980
981 // reset FPGA and LED
982 if (workFlags & 0x08) {
983 LED_A_ON();
984 LED_B_OFF();
985 LED_C_OFF();
986
987 clear_trace();
988 set_tracing(TRUE);
989 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
990 }
991
992 while (true) {
993
994 // get UID from chip
995 if (workFlags & 0x01) {
996 if(!iso14443a_select_card(uid, NULL, &cuid)) {
997 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
998 //break;
999 };
1000
1001 if(mifare_classic_halt(NULL, cuid)) {
1002 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1003 //break;
1004 };
1005 };
1006
1007 // reset chip
1008 if (needWipe){
1009 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1010 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1011 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1012 break;
1013 };
1014
1015 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1016 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1017 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1018 break;
1019 };
1020
1021 if(mifare_classic_halt(NULL, cuid)) {
1022 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1023 break;
1024 };
1025 };
1026
1027 // write block
1028 if (workFlags & 0x02) {
1029 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1030 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1031 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1032 break;
1033 };
1034
1035 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1036 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1037 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1038 break;
1039 };
1040 }
1041
1042 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1043 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1044 break;
1045 };
1046
1047 memcpy(d_block, datain, 16);
1048 AppendCrc14443a(d_block, 16);
1049
1050 ReaderTransmit(d_block, sizeof(d_block), NULL);
1051 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1052 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1053 break;
1054 };
1055
1056 if (workFlags & 0x04) {
1057 if (mifare_classic_halt(NULL, cuid)) {
1058 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1059 break;
1060 };
1061 }
1062
1063 isOK = 1;
1064 break;
1065 }
1066
1067 LED_B_ON();
1068 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1069 LED_B_OFF();
1070
1071 if ((workFlags & 0x10) || (!isOK)) {
1072 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1073 LEDsoff();
1074 }
1075 }
1076
1077
1078 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1079
1080 // params
1081 // bit 1 - need wupC
1082 // bit 2 - need HALT after sequence
1083 // bit 3 - need init FPGA and field before sequence
1084 // bit 4 - need reset FPGA and LED
1085 uint8_t workFlags = arg0;
1086 uint8_t blockNo = arg2;
1087
1088 // card commands
1089 uint8_t wupC1[] = { 0x40 };
1090 uint8_t wupC2[] = { 0x43 };
1091
1092 // variables
1093 byte_t isOK = 0;
1094 uint8_t data[18] = {0x00};
1095 uint32_t cuid = 0;
1096
1097 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1098 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1099
1100 if (workFlags & 0x08) {
1101 LED_A_ON();
1102 LED_B_OFF();
1103 LED_C_OFF();
1104
1105 clear_trace();
1106 set_tracing(TRUE);
1107 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1108 }
1109
1110 while (true) {
1111 if (workFlags & 0x02) {
1112 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1113 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1114 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1115 break;
1116 };
1117
1118 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1119 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1120 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1121 break;
1122 };
1123 }
1124
1125 // read block
1126 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1127 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1128 break;
1129 };
1130 memcpy(data, receivedAnswer, 18);
1131
1132 if (workFlags & 0x04) {
1133 if (mifare_classic_halt(NULL, cuid)) {
1134 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1135 break;
1136 };
1137 }
1138
1139 isOK = 1;
1140 break;
1141 }
1142
1143 LED_B_ON();
1144 cmd_send(CMD_ACK,isOK,0,0,data,18);
1145 LED_B_OFF();
1146
1147 if ((workFlags & 0x10) || (!isOK)) {
1148 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1149 LEDsoff();
1150 }
1151 }
1152
1153 void MifareCIdent(){
1154
1155 // card commands
1156 uint8_t wupC1[] = { 0x40 };
1157 uint8_t wupC2[] = { 0x43 };
1158
1159 // variables
1160 byte_t isOK = 1;
1161
1162 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1163 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1164
1165 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1166 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1167 isOK = 0;
1168 };
1169
1170 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1171 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1172 isOK = 0;
1173 };
1174
1175 if (mifare_classic_halt(NULL, 0)) {
1176 isOK = 0;
1177 };
1178
1179 cmd_send(CMD_ACK,isOK,0,0,0,0);
1180 }
1181
1182 void MifareCollectNonces(uint32_t arg0, uint32_t arg1){
1183
1184 BigBuf_free();
1185
1186 uint32_t iterations = arg0;
1187 uint8_t uid[10] = {0x00};
1188
1189 uint8_t *response = BigBuf_malloc(MAX_MIFARE_FRAME_SIZE);
1190 uint8_t *responsePar = BigBuf_malloc(MAX_MIFARE_PARITY_SIZE);
1191
1192 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1193
1194 // get memory from BigBuf.
1195 uint8_t *nonces = BigBuf_malloc(iterations * 4);
1196
1197 LED_A_ON();
1198 LED_B_OFF();
1199 LED_C_OFF();
1200
1201 clear_trace();
1202 set_tracing(TRUE);
1203 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1204
1205 for (int i = 0; i < iterations; i++) {
1206
1207 WDT_HIT();
1208
1209 // Test if the action was cancelled
1210 if(BUTTON_PRESS()) break;
1211
1212 // if(mifare_classic_halt(pcs, cuid)) {
1213 // if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1214 //}
1215
1216 if(!iso14443a_select_card(uid, NULL, NULL)) {
1217 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1218 continue;
1219 };
1220
1221 // Transmit MIFARE_CLASSIC_AUTH.
1222 ReaderTransmit(mf_auth, sizeof(mf_auth), NULL);
1223
1224 // Receive the (4 Byte) "random" nonce
1225 if (!ReaderReceive(response, responsePar)) {
1226 if (MF_DBGLEVEL >= 1) Dbprintf("Couldn't receive tag nonce");
1227 continue;
1228 }
1229
1230 nonces[i*4] = bytes_to_num(response, 4);
1231 }
1232
1233 int packLen = iterations * 4;
1234 int packSize = 0;
1235 int packNum = 0;
1236 while (packLen > 0) {
1237 packSize = MIN(USB_CMD_DATA_SIZE, packLen);
1238 LED_B_ON();
1239 cmd_send(CMD_ACK, 77, 0, packSize, nonces - packLen, packSize);
1240 LED_B_OFF();
1241
1242 packLen -= packSize;
1243 packNum++;
1244 }
1245 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1246 LEDsoff();
1247 }
1248
1249 //
1250 // DESFIRE
1251 //
1252
1253 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1254
1255 byte_t dataout[11] = {0x00};
1256 uint8_t uid[10] = {0x00};
1257 uint32_t cuid = 0x00;
1258
1259 clear_trace();
1260 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1261
1262 int len = iso14443a_select_card(uid, NULL, &cuid);
1263 if(!len) {
1264 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1265 OnError(1);
1266 return;
1267 };
1268
1269 if(mifare_desfire_des_auth1(cuid, dataout)){
1270 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1271 OnError(4);
1272 return;
1273 }
1274
1275 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1276 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1277 }
1278
1279 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1280
1281 uint32_t cuid = arg0;
1282 uint8_t key[16] = {0x00};
1283 byte_t dataout[12] = {0x00};
1284 byte_t isOK = 0;
1285
1286 memcpy(key, datain, 16);
1287
1288 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1289
1290 if( isOK) {
1291 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");
1292 OnError(4);
1293 return;
1294 }
1295
1296 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
1297
1298 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1299 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1300 LEDsoff();
1301 }
Impressum, Datenschutz