]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaresniff.c
f4879329d5f3e194a03f6f0cce0d5744f9d4a6d4
[proxmark3-svn] / armsrc / mifaresniff.c
1 //-----------------------------------------------------------------------------
2 // Merlok - 2012
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support mifare classic sniffer.
9 //-----------------------------------------------------------------------------
10
11 #include "mifaresniff.h"
12 #include "apps.h"
13 #include "proxmark3.h"
14 #include "util.h"
15 #include "string.h"
16 #include "iso14443crc.h"
17 #include "iso14443a.h"
18 #include "crapto1/crapto1.h"
19 #include "mifareutil.h"
20 #include "common.h"
21
22
23 static int sniffState = SNF_INIT;
24 static uint8_t sniffUIDType;
25 static uint8_t sniffUID[8] = {0x00};
26 static uint8_t sniffATQA[2] = {0x00};
27 static uint8_t sniffSAK;
28 static uint8_t sniffBuf[16] = {0x00};
29 static uint32_t timerData = 0;
30
31
32 bool MfSniffInit(void){
33 memset(sniffUID, 0x00, 8);
34 memset(sniffATQA, 0x00, 2);
35 sniffSAK = 0;
36 sniffUIDType = SNF_UID_4;
37
38 return FALSE;
39 }
40
41 bool MfSniffEnd(void){
42 LED_B_ON();
43 cmd_send(CMD_ACK,0,0,0,0,0);
44 LED_B_OFF();
45
46 return FALSE;
47 }
48
49 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {
50
51 if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader
52 sniffState = SNF_INIT;
53 }
54
55 switch (sniffState) {
56 case SNF_INIT:{
57 if ((len == 1) && (reader) && (bitCnt == 7) ) { // REQA or WUPA from reader
58 sniffUIDType = SNF_UID_4;
59 memset(sniffUID, 0x00, 8);
60 memset(sniffATQA, 0x00, 2);
61 sniffSAK = 0;
62 sniffState = SNF_WUPREQ;
63 }
64 break;
65 }
66 case SNF_WUPREQ:{
67 if ((!reader) && (len == 2)) { // ATQA from tag
68 memcpy(sniffATQA, data, 2);
69 sniffState = SNF_ATQA;
70 }
71 break;
72 }
73 case SNF_ATQA:
74 case SNF_UID1:{
75 // SNF_ATQA
76 if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { // Select ALL from reader
77 sniffState = SNF_ANTICOL1;
78 }
79
80 // SNF_UID1
81 if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 4 Byte UID from reader
82 memcpy(sniffUID + 3, &data[2], 4);
83 sniffState = SNF_SAK;
84 }
85 break;
86 }
87 case SNF_ANTICOL1:{
88 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // UID from tag (CL1)
89 sniffState = SNF_UID1;
90 }
91 break;
92 }
93 case SNF_SAK:{
94 if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
95 sniffSAK = data[0];
96 if ((sniffUID[3] == 0x88) && (sniffUIDType == SNF_UID_4)) { // CL2 UID part to be expected
97 sniffUIDType = SNF_UID_7;
98 memcpy(sniffUID, sniffUID + 4, 3);
99 sniffState = SNF_UID2;
100 } else { // select completed
101 sniffState = SNF_CARD_IDLE;
102 }
103 }
104 break;
105 }
106 case SNF_ANTICOL2:{
107 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // CL2 UID
108 sniffState = SNF_UID2;
109 }
110 break;
111 }
112 case SNF_UID2:{
113 if ((reader) && (len == 2) && (data[0] == 0x95) && (data[1] == 0x20)) {
114 sniffState = SNF_ANTICOL2;
115 }
116
117 if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {
118 memcpy(sniffUID + 3, &data[2], 4);
119 sniffState = SNF_SAK;
120 }
121 break;
122 }
123 case SNF_CARD_IDLE:{ // trace the card select sequence
124 sniffBuf[0] = 0xFF;
125 sniffBuf[1] = 0xFF;
126 memcpy(sniffBuf + 2, sniffUID, 7);
127 memcpy(sniffBuf + 9, sniffATQA, 2);
128 sniffBuf[11] = sniffSAK;
129 sniffBuf[12] = 0xFF;
130 sniffBuf[13] = 0xFF;
131 LogTrace(sniffBuf, 14, 0, 0, NULL, TRUE);
132 sniffState = SNF_CARD_CMD;
133 } // intentionally no break;
134 case SNF_CARD_CMD:{
135 LogTrace(data, len, 0, 0, NULL, reader);
136 timerData = GetTickCount();
137 break;
138 }
139
140 default:
141 sniffState = SNF_INIT;
142 break;
143 }
144
145
146 return FALSE;
147 }
148
149 bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
150 if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {
151 return intMfSniffSend();
152 }
153 return FALSE;
154 }
155
156 // internal sending function. not a RAMFUNC.
157 bool intMfSniffSend() {
158
159 int pckSize = 0;
160 int pckLen = BigBuf_get_traceLen();
161 int pckNum = 0;
162 uint8_t *trace = BigBuf_get_addr();
163
164 FpgaDisableSscDma();
165 while (pckLen > 0) {
166 pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
167 LED_B_ON();
168 cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);
169 LED_B_OFF();
170
171 pckLen -= pckSize;
172 pckNum++;
173 }
174
175 LED_B_ON();
176 cmd_send(CMD_ACK,2,0,0,0,0);
177 LED_B_OFF();
178
179 clear_trace();
180
181 return TRUE;
182 }
Impressum, Datenschutz