]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
@iceman1001 s lua script fix
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "crc.h"
20
21 // the block number for the ISO14443-4 PCB
22 uint8_t pcb_blocknum = 0;
23 // Deselect card by sending a s-block. the crc is precalced for speed
24 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
25
26 //-----------------------------------------------------------------------------
27 // Select, Authenticate, Read a MIFARE tag.
28 // read block
29 //-----------------------------------------------------------------------------
30 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
31 {
32 // params
33 uint8_t blockNo = arg0;
34 uint8_t keyType = arg1;
35 uint64_t ui64Key = 0;
36 ui64Key = bytes_to_num(datain, 6);
37
38 // variables
39 byte_t isOK = 0;
40 byte_t dataoutbuf[16];
41 uint8_t uid[10];
42 uint32_t cuid;
43 struct Crypto1State mpcs = {0, 0};
44 struct Crypto1State *pcs;
45 pcs = &mpcs;
46
47 // clear trace
48 clear_trace();
49 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
50
51 LED_A_ON();
52 LED_B_OFF();
53 LED_C_OFF();
54
55 while (true) {
56 if(!iso14443a_select_card(uid, NULL, &cuid)) {
57 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
58 break;
59 };
60
61 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
62 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
63 break;
64 };
65
66 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
67 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
68 break;
69 };
70
71 if(mifare_classic_halt(pcs, cuid)) {
72 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
73 break;
74 };
75
76 isOK = 1;
77 break;
78 }
79
80 // ----------------------------- crypto1 destroy
81 crypto1_destroy(pcs);
82
83 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
84
85 LED_B_ON();
86 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
87 LED_B_OFF();
88
89 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
90 LEDsoff();
91 }
92
93 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
94
95 bool turnOffField = (arg0 == 1);
96
97 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
98 clear_trace();
99 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
100
101 if(!iso14443a_select_card(NULL, NULL, NULL)) {
102 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
103 OnError(0);
104 return;
105 };
106
107 if(!mifare_ultra_auth(keybytes)){
108 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
109 OnError(1);
110 return;
111 }
112
113 if (turnOffField) {
114 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
115 LEDsoff();
116 }
117 cmd_send(CMD_ACK,1,0,0,0,0);
118 }
119
120 // Arg0 = BlockNo,
121 // Arg1 = UsePwd bool
122 // datain = PWD bytes,
123 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
124 {
125 uint8_t blockNo = arg0;
126 byte_t dataout[16] = {0x00};
127 bool useKey = (arg1 == 1); //UL_C
128 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
129
130 LEDsoff();
131 LED_A_ON();
132 clear_trace();
133 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
134
135 int len = iso14443a_select_card(NULL, NULL, NULL);
136 if(!len) {
137 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
138 OnError(1);
139 return;
140 }
141
142 // UL-C authentication
143 if ( useKey ) {
144 uint8_t key[16] = {0x00};
145 memcpy(key, datain, sizeof(key) );
146
147 if ( !mifare_ultra_auth(key) ) {
148 OnError(1);
149 return;
150 }
151 }
152
153 // UL-EV1 / NTAG authentication
154 if ( usePwd ) {
155 uint8_t pwd[4] = {0x00};
156 memcpy(pwd, datain, 4);
157 uint8_t pack[4] = {0,0,0,0};
158 if (!mifare_ul_ev1_auth(pwd, pack)) {
159 OnError(1);
160 return;
161 }
162 }
163
164 if( mifare_ultra_readblock(blockNo, dataout) ) {
165 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
166 OnError(2);
167 return;
168 }
169
170 if( mifare_ultra_halt() ) {
171 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
172 OnError(3);
173 return;
174 }
175
176 cmd_send(CMD_ACK,1,0,0,dataout,16);
177 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
178 LEDsoff();
179 }
180
181 //-----------------------------------------------------------------------------
182 // Select, Authenticate, Read a MIFARE tag.
183 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
184 //-----------------------------------------------------------------------------
185 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
186 {
187 // params
188 uint8_t sectorNo = arg0;
189 uint8_t keyType = arg1;
190 uint64_t ui64Key = 0;
191 ui64Key = bytes_to_num(datain, 6);
192
193 // variables
194 byte_t isOK = 0;
195 byte_t dataoutbuf[16 * 16];
196 uint8_t uid[10];
197 uint32_t cuid;
198 struct Crypto1State mpcs = {0, 0};
199 struct Crypto1State *pcs;
200 pcs = &mpcs;
201
202 // clear trace
203 clear_trace();
204
205 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
206
207 LED_A_ON();
208 LED_B_OFF();
209 LED_C_OFF();
210
211 isOK = 1;
212 if(!iso14443a_select_card(uid, NULL, &cuid)) {
213 isOK = 0;
214 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
215 }
216
217
218 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
219 isOK = 0;
220 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
221 }
222
223 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
224 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
225 isOK = 0;
226 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
227 break;
228 }
229 }
230
231 if(mifare_classic_halt(pcs, cuid)) {
232 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
233 }
234
235 // ----------------------------- crypto1 destroy
236 crypto1_destroy(pcs);
237
238 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
239
240 LED_B_ON();
241 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
242 LED_B_OFF();
243
244 // Thats it...
245 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
246 LEDsoff();
247 }
248
249 // arg0 = blockNo (start)
250 // arg1 = Pages (number of blocks)
251 // arg2 = useKey
252 // datain = KEY bytes
253 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
254 {
255 // free eventually allocated BigBuf memory
256 BigBuf_free();
257 // clear trace
258 clear_trace();
259
260 // params
261 uint8_t blockNo = arg0;
262 uint16_t blocks = arg1;
263 bool useKey = (arg2 == 1); //UL_C
264 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
265 uint32_t countblocks = 0;
266 uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);
267 if (dataout == NULL){
268 Dbprintf("out of memory");
269 OnError(1);
270 return;
271 }
272
273 LEDsoff();
274 LED_A_ON();
275 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
276
277 int len = iso14443a_select_card(NULL, NULL, NULL);
278 if (!len) {
279 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
280 OnError(1);
281 return;
282 }
283
284 // UL-C authentication
285 if ( useKey ) {
286 uint8_t key[16] = {0x00};
287 memcpy(key, datain, sizeof(key) );
288
289 if ( !mifare_ultra_auth(key) ) {
290 OnError(1);
291 return;
292 }
293 }
294
295 // UL-EV1 / NTAG authentication
296 if (usePwd) {
297 uint8_t pwd[4] = {0x00};
298 memcpy(pwd, datain, sizeof(pwd));
299 uint8_t pack[4] = {0,0,0,0};
300
301 if (!mifare_ul_ev1_auth(pwd, pack)){
302 OnError(1);
303 return;
304 }
305 }
306
307 for (int i = 0; i < blocks; i++){
308 if ((i*4) + 4 >= CARD_MEMORY_SIZE) {
309 Dbprintf("Data exceeds buffer!!");
310 break;
311 }
312
313 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
314
315 if (len) {
316 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
317 // if no blocks read - error out
318 if (i==0){
319 OnError(2);
320 return;
321 } else {
322 //stop at last successful read block and return what we got
323 break;
324 }
325 } else {
326 countblocks++;
327 }
328 }
329
330 len = mifare_ultra_halt();
331 if (len) {
332 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
333 OnError(3);
334 return;
335 }
336
337 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
338
339 countblocks *= 4;
340
341 cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);
342 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
343 LEDsoff();
344 BigBuf_free();
345 }
346
347 //-----------------------------------------------------------------------------
348 // Select, Authenticate, Write a MIFARE tag.
349 // read block
350 //-----------------------------------------------------------------------------
351 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
352 {
353 // params
354 uint8_t blockNo = arg0;
355 uint8_t keyType = arg1;
356 uint64_t ui64Key = 0;
357 byte_t blockdata[16];
358
359 ui64Key = bytes_to_num(datain, 6);
360 memcpy(blockdata, datain + 10, 16);
361
362 // variables
363 byte_t isOK = 0;
364 uint8_t uid[10];
365 uint32_t cuid;
366 struct Crypto1State mpcs = {0, 0};
367 struct Crypto1State *pcs;
368 pcs = &mpcs;
369
370 // clear trace
371 clear_trace();
372
373 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
374
375 LED_A_ON();
376 LED_B_OFF();
377 LED_C_OFF();
378
379 while (true) {
380 if(!iso14443a_select_card(uid, NULL, &cuid)) {
381 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
382 break;
383 };
384
385 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
386 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
387 break;
388 };
389
390 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
391 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
392 break;
393 };
394
395 if(mifare_classic_halt(pcs, cuid)) {
396 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
397 break;
398 };
399
400 isOK = 1;
401 break;
402 }
403
404 // ----------------------------- crypto1 destroy
405 crypto1_destroy(pcs);
406
407 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
408
409 LED_B_ON();
410 cmd_send(CMD_ACK,isOK,0,0,0,0);
411 LED_B_OFF();
412
413
414 // Thats it...
415 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
416 LEDsoff();
417 }
418
419 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
420 {
421 uint8_t blockNo = arg0;
422 byte_t blockdata[16] = {0x00};
423
424 memcpy(blockdata, datain, 16);
425
426 uint8_t uid[10] = {0x00};
427
428 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
429
430 clear_trace();
431 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
432
433 if(!iso14443a_select_card(uid, NULL, NULL)) {
434 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
435 OnError(0);
436 return;
437 };
438
439 if(mifare_ultra_writeblock(blockNo, blockdata)) {
440 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
441 OnError(0);
442 return; };
443
444 if(mifare_ultra_halt()) {
445 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
446 OnError(0);
447 return;
448 };
449
450 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
451
452 cmd_send(CMD_ACK,1,0,0,0,0);
453 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
454 LEDsoff();
455 }
456
457 // Arg0 : Block to write to.
458 // Arg1 : 0 = use no authentication.
459 // 1 = use 0x1A authentication.
460 // 2 = use 0x1B authentication.
461 // datain : 4 first bytes is data to be written.
462 // : 4/16 next bytes is authentication key.
463 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t arg1, uint8_t *datain)
464 {
465 uint8_t blockNo = arg0;
466 bool useKey = (arg1 == 1); //UL_C
467 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
468 byte_t blockdata[4] = {0x00};
469
470 memcpy(blockdata, datain,4);
471
472 LEDsoff();
473 LED_A_ON();
474 clear_trace();
475 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
476
477 if(!iso14443a_select_card(NULL, NULL, NULL)) {
478 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
479 OnError(0);
480 return;
481 };
482
483 // UL-C authentication
484 if ( useKey ) {
485 uint8_t key[16] = {0x00};
486 memcpy(key, datain+4, sizeof(key) );
487
488 if ( !mifare_ultra_auth(key) ) {
489 OnError(1);
490 return;
491 }
492 }
493
494 // UL-EV1 / NTAG authentication
495 if (usePwd) {
496 uint8_t pwd[4] = {0x00};
497 memcpy(pwd, datain+4, 4);
498 uint8_t pack[4] = {0,0,0,0};
499 if (!mifare_ul_ev1_auth(pwd, pack)) {
500 OnError(1);
501 return;
502 }
503 }
504
505 if(mifare_ultra_special_writeblock(blockNo, blockdata)) {
506 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
507 OnError(0);
508 return;
509 };
510
511 if(mifare_ultra_halt()) {
512 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
513 OnError(0);
514 return;
515 };
516
517 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
518
519 cmd_send(CMD_ACK,1,0,0,0,0);
520 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
521 LEDsoff();
522 }
523
524 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
525
526 uint8_t pwd[16] = {0x00};
527 byte_t blockdata[4] = {0x00};
528
529 memcpy(pwd, datain, 16);
530
531 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
532 clear_trace();
533 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
534
535 if(!iso14443a_select_card(NULL, NULL, NULL)) {
536 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
537 OnError(0);
538 return;
539 };
540
541 blockdata[0] = pwd[7];
542 blockdata[1] = pwd[6];
543 blockdata[2] = pwd[5];
544 blockdata[3] = pwd[4];
545 if(mifare_ultra_special_writeblock( 44, blockdata)) {
546 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
547 OnError(44);
548 return;
549 };
550
551 blockdata[0] = pwd[3];
552 blockdata[1] = pwd[2];
553 blockdata[2] = pwd[1];
554 blockdata[3] = pwd[0];
555 if(mifare_ultra_special_writeblock( 45, blockdata)) {
556 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
557 OnError(45);
558 return;
559 };
560
561 blockdata[0] = pwd[15];
562 blockdata[1] = pwd[14];
563 blockdata[2] = pwd[13];
564 blockdata[3] = pwd[12];
565 if(mifare_ultra_special_writeblock( 46, blockdata)) {
566 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
567 OnError(46);
568 return;
569 };
570
571 blockdata[0] = pwd[11];
572 blockdata[1] = pwd[10];
573 blockdata[2] = pwd[9];
574 blockdata[3] = pwd[8];
575 if(mifare_ultra_special_writeblock( 47, blockdata)) {
576 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
577 OnError(47);
578 return;
579 };
580
581 if(mifare_ultra_halt()) {
582 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
583 OnError(0);
584 return;
585 };
586
587 cmd_send(CMD_ACK,1,0,0,0,0);
588 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
589 LEDsoff();
590 }
591
592 // Return 1 if the nonce is invalid else return 0
593 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
594 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
595 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
596 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
597 }
598
599
600 //-----------------------------------------------------------------------------
601 // MIFARE nested authentication.
602 //
603 //-----------------------------------------------------------------------------
604 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
605 {
606 // params
607 uint8_t blockNo = arg0 & 0xff;
608 uint8_t keyType = (arg0 >> 8) & 0xff;
609 uint8_t targetBlockNo = arg1 & 0xff;
610 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
611 uint64_t ui64Key = 0;
612
613 ui64Key = bytes_to_num(datain, 6);
614
615 // variables
616 uint16_t rtr, i, j, len;
617 uint16_t davg;
618 static uint16_t dmin, dmax;
619 uint8_t uid[10];
620 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
621 uint8_t par[1];
622 uint32_t target_nt[2], target_ks[2];
623
624 uint8_t par_array[4];
625 uint16_t ncount = 0;
626 struct Crypto1State mpcs = {0, 0};
627 struct Crypto1State *pcs;
628 pcs = &mpcs;
629 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
630
631 uint32_t auth1_time, auth2_time;
632 static uint16_t delta_time;
633
634 // free eventually allocated BigBuf memory
635 BigBuf_free();
636 // clear trace
637 clear_trace();
638 set_tracing(false);
639
640 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
641
642 LED_A_ON();
643 LED_C_OFF();
644
645
646 // statistics on nonce distance
647 if (calibrate) { // for first call only. Otherwise reuse previous calibration
648 LED_B_ON();
649 WDT_HIT();
650
651 davg = dmax = 0;
652 dmin = 2000;
653 delta_time = 0;
654
655 for (rtr = 0; rtr < 17; rtr++) {
656
657 // prepare next select. No need to power down the card.
658 if(mifare_classic_halt(pcs, cuid)) {
659 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
660 rtr--;
661 continue;
662 }
663
664 if(!iso14443a_select_card(uid, NULL, &cuid)) {
665 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
666 rtr--;
667 continue;
668 };
669
670 auth1_time = 0;
671 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
672 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
673 rtr--;
674 continue;
675 };
676
677 if (delta_time) {
678 auth2_time = auth1_time + delta_time;
679 } else {
680 auth2_time = 0;
681 }
682 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
683 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
684 rtr--;
685 continue;
686 };
687
688 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
689 for (i = 101; i < 1200; i++) {
690 nttmp = prng_successor(nttmp, 1);
691 if (nttmp == nt2) break;
692 }
693
694 if (i != 1200) {
695 if (rtr != 0) {
696 davg += i;
697 dmin = MIN(dmin, i);
698 dmax = MAX(dmax, i);
699 }
700 else {
701 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
702 }
703 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
704 }
705 }
706
707 if (rtr <= 1) return;
708
709 davg = (davg + (rtr - 1)/2) / (rtr - 1);
710
711 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
712
713 dmin = davg - 2;
714 dmax = davg + 2;
715
716 LED_B_OFF();
717
718 }
719 // -------------------------------------------------------------------------------------------------
720
721 LED_C_ON();
722
723 // get crypted nonces for target sector
724 for(i=0; i < 2; i++) { // look for exactly two different nonces
725
726 target_nt[i] = 0;
727 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
728
729 // prepare next select. No need to power down the card.
730 if(mifare_classic_halt(pcs, cuid)) {
731 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
732 continue;
733 }
734
735 if(!iso14443a_select_card(uid, NULL, &cuid)) {
736 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
737 continue;
738 };
739
740 auth1_time = 0;
741 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
742 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
743 continue;
744 };
745
746 // nested authentication
747 auth2_time = auth1_time + delta_time;
748 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
749 if (len != 4) {
750 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
751 continue;
752 };
753
754 nt2 = bytes_to_num(receivedAnswer, 4);
755 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
756
757 // Parity validity check
758 for (j = 0; j < 4; j++) {
759 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
760 }
761
762 ncount = 0;
763 nttest = prng_successor(nt1, dmin - 1);
764 for (j = dmin; j < dmax + 1; j++) {
765 nttest = prng_successor(nttest, 1);
766 ks1 = nt2 ^ nttest;
767
768 if (valid_nonce(nttest, nt2, ks1, par_array)){
769 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
770 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
771 target_nt[i] = 0;
772 break;
773 }
774 target_nt[i] = nttest;
775 target_ks[i] = ks1;
776 ncount++;
777 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
778 target_nt[i] = 0;
779 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
780 break;
781 }
782 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
783 }
784 }
785 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
786 }
787 }
788
789 LED_C_OFF();
790
791 // ----------------------------- crypto1 destroy
792 crypto1_destroy(pcs);
793
794 byte_t buf[4 + 4 * 4];
795 memcpy(buf, &cuid, 4);
796 memcpy(buf+4, &target_nt[0], 4);
797 memcpy(buf+8, &target_ks[0], 4);
798 memcpy(buf+12, &target_nt[1], 4);
799 memcpy(buf+16, &target_ks[1], 4);
800
801 LED_B_ON();
802 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
803 LED_B_OFF();
804
805 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
806
807 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
808 LEDsoff();
809 set_tracing(TRUE);
810 }
811
812 //-----------------------------------------------------------------------------
813 // MIFARE check keys. key count up to 85.
814 //
815 //-----------------------------------------------------------------------------
816 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
817 {
818 // params
819 uint8_t blockNo = arg0;
820 uint8_t keyType = arg1;
821 uint8_t keyCount = arg2;
822 uint64_t ui64Key = 0;
823
824 // variables
825 int i;
826 byte_t isOK = 0;
827 uint8_t uid[10];
828 uint32_t cuid;
829 struct Crypto1State mpcs = {0, 0};
830 struct Crypto1State *pcs;
831 pcs = &mpcs;
832
833 // clear debug level
834 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
835 MF_DBGLEVEL = MF_DBG_NONE;
836
837 // clear trace
838 clear_trace();
839 set_tracing(TRUE);
840
841 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
842
843 LED_A_ON();
844 LED_B_OFF();
845 LED_C_OFF();
846
847 for (i = 0; i < keyCount; i++) {
848 if(mifare_classic_halt(pcs, cuid)) {
849 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
850 }
851
852 if(!iso14443a_select_card(uid, NULL, &cuid)) {
853 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
854 break;
855 };
856
857 ui64Key = bytes_to_num(datain + i * 6, 6);
858 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
859 continue;
860 };
861
862 isOK = 1;
863 break;
864 }
865
866 // ----------------------------- crypto1 destroy
867 crypto1_destroy(pcs);
868
869 LED_B_ON();
870 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
871 LED_B_OFF();
872
873 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
874 LEDsoff();
875
876 // restore debug level
877 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
878 }
879
880 //-----------------------------------------------------------------------------
881 // MIFARE commands set debug level
882 //
883 //-----------------------------------------------------------------------------
884 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
885 MF_DBGLEVEL = arg0;
886 Dbprintf("Debug level: %d", MF_DBGLEVEL);
887 }
888
889 //-----------------------------------------------------------------------------
890 // Work with emulator memory
891 //
892 //-----------------------------------------------------------------------------
893 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
894 emlClearMem();
895 }
896
897 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
898 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
899 }
900
901 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
902 byte_t buf[USB_CMD_DATA_SIZE];
903 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
904
905 LED_B_ON();
906 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
907 LED_B_OFF();
908 }
909
910 //-----------------------------------------------------------------------------
911 // Load a card into the emulator memory
912 //
913 //-----------------------------------------------------------------------------
914 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
915 uint8_t numSectors = arg0;
916 uint8_t keyType = arg1;
917 uint64_t ui64Key = 0;
918 uint32_t cuid;
919 struct Crypto1State mpcs = {0, 0};
920 struct Crypto1State *pcs;
921 pcs = &mpcs;
922
923 // variables
924 byte_t dataoutbuf[16];
925 byte_t dataoutbuf2[16];
926 uint8_t uid[10];
927
928 // clear trace
929 clear_trace();
930 set_tracing(false);
931
932 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
933
934 LED_A_ON();
935 LED_B_OFF();
936 LED_C_OFF();
937
938 bool isOK = true;
939
940 if(!iso14443a_select_card(uid, NULL, &cuid)) {
941 isOK = false;
942 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
943 }
944
945 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
946 ui64Key = emlGetKey(sectorNo, keyType);
947 if (sectorNo == 0){
948 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
949 isOK = false;
950 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
951 break;
952 }
953 } else {
954 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
955 isOK = false;
956 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
957 break;
958 }
959 }
960
961 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
962 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
963 isOK = false;
964 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
965 break;
966 };
967 if (isOK) {
968 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
969 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
970 } else { // sector trailer, keep the keys, set only the AC
971 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
972 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
973 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
974 }
975 }
976 }
977
978 }
979
980 if(mifare_classic_halt(pcs, cuid)) {
981 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
982 };
983
984 // ----------------------------- crypto1 destroy
985 crypto1_destroy(pcs);
986
987 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
988 LEDsoff();
989
990 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
991
992 }
993
994
995 //-----------------------------------------------------------------------------
996 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
997 //
998 //-----------------------------------------------------------------------------
999 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1000
1001 // params
1002 uint8_t needWipe = arg0;
1003 // bit 0 - need get UID
1004 // bit 1 - need wupC
1005 // bit 2 - need HALT after sequence
1006 // bit 3 - need init FPGA and field before sequence
1007 // bit 4 - need reset FPGA and LED
1008 uint8_t workFlags = arg1;
1009 uint8_t blockNo = arg2;
1010
1011 // card commands
1012 uint8_t wupC1[] = { 0x40 };
1013 uint8_t wupC2[] = { 0x43 };
1014 uint8_t wipeC[] = { 0x41 };
1015
1016 // variables
1017 byte_t isOK = 0;
1018 uint8_t uid[10] = {0x00};
1019 uint8_t d_block[18] = {0x00};
1020 uint32_t cuid;
1021
1022 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1023 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1024
1025 // reset FPGA and LED
1026 if (workFlags & 0x08) {
1027 LED_A_ON();
1028 LED_B_OFF();
1029 LED_C_OFF();
1030
1031 clear_trace();
1032 set_tracing(TRUE);
1033 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1034 }
1035
1036 while (true) {
1037
1038 // get UID from chip
1039 if (workFlags & 0x01) {
1040 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1041 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1042 break;
1043 };
1044
1045 if(mifare_classic_halt(NULL, cuid)) {
1046 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1047 break;
1048 };
1049 };
1050
1051 // reset chip
1052 if (needWipe){
1053 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1054 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1055 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1056 break;
1057 };
1058
1059 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1060 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1061 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1062 break;
1063 };
1064
1065 if(mifare_classic_halt(NULL, cuid)) {
1066 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1067 break;
1068 };
1069 };
1070
1071 // write block
1072 if (workFlags & 0x02) {
1073 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1074 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1075 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1076 break;
1077 };
1078
1079 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1080 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1081 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1082 break;
1083 };
1084 }
1085
1086 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1087 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1088 break;
1089 };
1090
1091 memcpy(d_block, datain, 16);
1092 AppendCrc14443a(d_block, 16);
1093
1094 ReaderTransmit(d_block, sizeof(d_block), NULL);
1095 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1096 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1097 break;
1098 };
1099
1100 if (workFlags & 0x04) {
1101 if (mifare_classic_halt(NULL, cuid)) {
1102 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1103 break;
1104 };
1105 }
1106
1107 isOK = 1;
1108 break;
1109 }
1110
1111 LED_B_ON();
1112 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1113 LED_B_OFF();
1114
1115 if ((workFlags & 0x10) || (!isOK)) {
1116 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1117 LEDsoff();
1118 }
1119 }
1120
1121
1122 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1123
1124 // params
1125 // bit 1 - need wupC
1126 // bit 2 - need HALT after sequence
1127 // bit 3 - need init FPGA and field before sequence
1128 // bit 4 - need reset FPGA and LED
1129 uint8_t workFlags = arg0;
1130 uint8_t blockNo = arg2;
1131
1132 // card commands
1133 uint8_t wupC1[] = { 0x40 };
1134 uint8_t wupC2[] = { 0x43 };
1135
1136 // variables
1137 byte_t isOK = 0;
1138 uint8_t data[18] = {0x00};
1139 uint32_t cuid = 0;
1140
1141 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1142 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1143
1144 if (workFlags & 0x08) {
1145 LED_A_ON();
1146 LED_B_OFF();
1147 LED_C_OFF();
1148
1149 clear_trace();
1150 set_tracing(TRUE);
1151 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1152 }
1153
1154 while (true) {
1155 if (workFlags & 0x02) {
1156 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1157 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1158 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1159 break;
1160 };
1161
1162 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1163 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1164 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1165 break;
1166 };
1167 }
1168
1169 // read block
1170 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1171 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1172 break;
1173 };
1174 memcpy(data, receivedAnswer, 18);
1175
1176 if (workFlags & 0x04) {
1177 if (mifare_classic_halt(NULL, cuid)) {
1178 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1179 break;
1180 };
1181 }
1182
1183 isOK = 1;
1184 break;
1185 }
1186
1187 LED_B_ON();
1188 cmd_send(CMD_ACK,isOK,0,0,data,18);
1189 LED_B_OFF();
1190
1191 if ((workFlags & 0x10) || (!isOK)) {
1192 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1193 LEDsoff();
1194 }
1195 }
1196
1197 void MifareCIdent(){
1198
1199 // card commands
1200 uint8_t wupC1[] = { 0x40 };
1201 uint8_t wupC2[] = { 0x43 };
1202
1203 // variables
1204 byte_t isOK = 1;
1205
1206 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1207 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1208
1209 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1210 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1211 isOK = 0;
1212 };
1213
1214 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1215 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1216 isOK = 0;
1217 };
1218
1219 if (mifare_classic_halt(NULL, 0)) {
1220 isOK = 0;
1221 };
1222
1223 cmd_send(CMD_ACK,isOK,0,0,0,0);
1224 }
1225
1226 //
1227 // DESFIRE
1228 //
1229
1230 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1231
1232 byte_t dataout[11] = {0x00};
1233 uint8_t uid[10] = {0x00};
1234 uint32_t cuid;
1235
1236 clear_trace();
1237 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1238
1239 int len = iso14443a_select_card(uid, NULL, &cuid);
1240 if(!len) {
1241 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1242 OnError(1);
1243 return;
1244 };
1245
1246 if(mifare_desfire_des_auth1(cuid, dataout)){
1247 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1248 OnError(4);
1249 return;
1250 }
1251
1252 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1253 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1254 }
1255
1256 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1257
1258 uint32_t cuid = arg0;
1259 uint8_t key[16] = {0x00};
1260 byte_t isOK = 0;
1261 byte_t dataout[12] = {0x00};
1262
1263 memcpy(key, datain, 16);
1264
1265 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1266
1267 if( isOK) {
1268 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1269 Dbprintf("Authentication part2: Failed");
1270 //OnError(4);
1271 return;
1272 }
1273
1274 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1275 DbpString("AUTH 2 FINISHED");
1276
1277 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1278 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1279 LEDsoff();
1280 }
1281
1282 void OnSuccess(){
1283 pcb_blocknum = 0;
1284 ReaderTransmit(deselect_cmd, 3 , NULL);
1285 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1286 LEDsoff();
1287 }
1288
1289 void OnError(uint8_t reason){
1290 pcb_blocknum = 0;
1291 ReaderTransmit(deselect_cmd, 3 , NULL);
1292 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1293 cmd_send(CMD_ACK,0,reason,0,0,0);
1294 LEDsoff();
1295 }
Proxmark3 GIT tracking
Impressum, Datenschutz