]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhf14a.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Adjustments after the big merge from PM3 master.
[proxmark3-svn] / client / cmdhf14a.c
diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c
index 61d337d47c9fc2b52b12d2cb7fd77fa3e48806d7..0527ad4d7bcee4eaa846d8961f08492d273f430c 100644 (file)
--- a/client/cmdhf14a.c
+++ b/client/cmdhf14a.c
@@ -1,197 +1,882 @@
+//-----------------------------------------------------------------------------
+// 2011, Merlok
+// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// High frequency ISO14443A commands
+//-----------------------------------------------------------------------------
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
+#include "util.h"
 #include "iso14443crc.h"
 #include "data.h"
 #include "iso14443crc.h"
 #include "data.h"
-#include "proxusb.h"
+#include "proxmark3.h"
 #include "ui.h"
 #include "cmdparser.h"
 #include "cmdhf14a.h"
 #include "ui.h"
 #include "cmdparser.h"
 #include "cmdhf14a.h"
+#include "common.h"
+#include "cmdmain.h"
+#include "mifare.h"
+#include "cmdhfmfu.h"
+#include "nonce2key/crapto1.h"
+
+#define llx PRIx64
 
 static int CmdHelp(const char *Cmd);
 
 static int CmdHelp(const char *Cmd);
+static void waitCmd(uint8_t iLen);
+
+// structure and database for uid -> tagtype lookups 
+typedef struct { 
+       uint8_t uid;
+       char* desc;
+} manufactureName; 
+
+const manufactureName manufactureMapping[] = {
+       // ID,  "Vendor Country"
+       { 0x01, "Motorola UK" },
+       { 0x02, "ST Microelectronics SA France" },
+       { 0x03, "Hitachi, Ltd Japan" }, 
+       { 0x04, "NXP Semiconductors Germany" }, 
+       { 0x05, "Infineon Technologies AG Germany" }, 
+       { 0x06, "Cylink USA" }, 
+       { 0x07, "Texas Instrument France" },
+       { 0x08, "Fujitsu Limited Japan" }, 
+       { 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" }, 
+       { 0x0A, "NEC Japan" }, 
+       { 0x0B, "Oki Electric Industry Co. Ltd Japan" },
+       { 0x0C, "Toshiba Corp. Japan" },
+       { 0x0D, "Mitsubishi Electric Corp. Japan" },
+       { 0x0E, "Samsung Electronics Co. Ltd Korea" },
+       { 0x0F, "Hynix / Hyundai, Korea" },
+       { 0x10, "LG-Semiconductors Co. Ltd Korea" },
+       { 0x11, "Emosyn-EM Microelectronics USA" },
+       { 0x12, "INSIDE Technology France" },
+       { 0x13, "ORGA Kartensysteme GmbH Germany" },
+       { 0x14, "SHARP Corporation Japan" },
+       { 0x15, "ATMEL France" },
+       { 0x16, "EM Microelectronic-Marin SA Switzerland" },
+       { 0x17, "KSW Microtec GmbH Germany" },
+       { 0x18, "ZMD AG Germany" },
+       { 0x19, "XICOR, Inc. USA" },
+       { 0x1A, "Sony Corporation Japan Identifier Company Country" },
+       { 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
+       { 0x1C, "Emosyn USA" },
+       { 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
+       { 0x1E, "Magellan Technology Pty Limited Australia" },
+       { 0x1F, "Melexis NV BO Switzerland" },
+       { 0x20, "Renesas Technology Corp. Japan" },
+       { 0x21, "TAGSYS France" },
+       { 0x22, "Transcore USA" },
+       { 0x23, "Shanghai belling corp., ltd. China" },
+       { 0x24, "Masktech Germany Gmbh Germany" },
+       { 0x25, "Innovision Research and Technology Plc UK" },
+       { 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
+       { 0x27, "Cypak AB Sweden" },
+       { 0x28, "Ricoh Japan" },
+       { 0x29, "ASK France" },
+       { 0x2A, "Unicore Microsystems, LLC Russian Federation" },
+       { 0x2B, "Dallas Semiconductor/Maxim USA" },
+       { 0x2C, "Impinj, Inc. USA" },
+       { 0x2D, "RightPlug Alliance USA" },
+       { 0x2E, "Broadcom Corporation USA" },
+       { 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
+       { 0x30, "BeeDar Technology Inc. USA" },
+       { 0x31, "RFIDsec Denmark" },
+       { 0x32, "Schweizer Electronic AG Germany" },
+       { 0x33, "AMIC Technology Corp Taiwan" }, 
+       { 0x34, "Mikron JSC Russia" },
+       { 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
+       { 0x36, "IDS Microchip AG Switzerland" },
+       { 0x37, "Kovio USA" },
+       { 0x38, "HMT Microelectronic Ltd Switzerland Identifier Company Country" },
+       { 0x39, "Silicon Craft Technology Thailand" },
+       { 0x3A, "Advanced Film Device Inc. Japan" },
+       { 0x3B, "Nitecrest Ltd UK" },
+       { 0x3C, "Verayo Inc. USA" },
+       { 0x3D, "HID Global USA" },
+       { 0x3E, "Productivity Engineering Gmbh Germany" },
+       { 0x3F, "Austriamicrosystems AG (reserved) Austria" }, 
+       { 0x40, "Gemalto SA France" },
+       { 0x41, "Renesas Electronics Corporation Japan" },
+       { 0x42, "3Alogics Inc Korea" },
+       { 0x43, "Top TroniQ Asia Limited Hong Kong" },
+       { 0x44, "Gentag Inc (USA) USA" },
+       { 0x00, "no tag-info available" } // must be the last entry
+};
+
+
+// get a product description based on the UID
+//             uid[8]  tag uid
+// returns description of the best match       
+char* getTagInfo(uint8_t uid) {
+
+       int i;
+       int len = sizeof(manufactureMapping) / sizeof(manufactureName);
+       
+       for ( i = 0; i < len; ++i ) 
+               if ( uid == manufactureMapping[i].uid) 
+                       return manufactureMapping[i].desc;
+
+       //No match, return default
+       return manufactureMapping[len-1].desc; 
+}
 
 int CmdHF14AList(const char *Cmd)
 {
 
 int CmdHF14AList(const char *Cmd)
 {
-  uint8_t got[1920];
-  GetFromBigBuf(got, sizeof(got));
+       PrintAndLog("Deprecated command, use 'hf list 14a' instead");
+       return 0;
+}
 
 
-  PrintAndLog("recorded activity:");
-  PrintAndLog(" ETU     :rssi: who bytes");
-  PrintAndLog("---------+----+----+-----------");
+int CmdHF14AReader(const char *Cmd)
+{
+       UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
+       SendCommand(&c);
 
 
-  int i = 0;
-  int prev = -1;
+       UsbCommand resp;
+       WaitForResponse(CMD_ACK,&resp);
+       
+       iso14a_card_select_t card;
+       memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
 
 
-  for (;;) {
-    if(i >= 1900) {
-      break;
-    }
+       uint64_t select_status = resp.arg[0];           // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
+       
+       if(select_status == 0) {
+               if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
+               // disconnect
+               c.arg[0] = 0;
+               c.arg[1] = 0;
+               c.arg[2] = 0;
+               SendCommand(&c);
+               return 0;
+       }
 
 
-    bool isResponse;
-    int timestamp = *((uint32_t *)(got+i));
-    if (timestamp & 0x80000000) {
-      timestamp &= 0x7fffffff;
-      isResponse = 1;
-    } else {
-      isResponse = 0;
-    }
+       if(select_status == 3) {
+               PrintAndLog("Card doesn't support standard iso14443-3 anticollision");
+               PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
+               // disconnect
+               c.arg[0] = 0;
+               c.arg[1] = 0;
+               c.arg[2] = 0;
+               SendCommand(&c);
+               return 0;
+       }
 
 
-    int metric = 0;
-    int parityBits = *((uint32_t *)(got+i+4));
-    // 4 bytes of additional information...
-    // maximum of 32 additional parity bit information
-    //
-    // TODO:
-    // at each quarter bit period we can send power level (16 levels)
-    // or each half bit period in 256 levels.
+       PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
+       PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
+       PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
 
 
+       switch (card.sak) {
+               case 0x00: 
 
 
-    int len = got[i+8];
+                       //***************************************test****************
+                       ul_switch_off_field();
+                       
+                       uint32_t tagT = GetHF14AMfU_Type();
+                       ul_print_type(tagT, 0);
 
 
-    if (len > 100) {
-      break;
-    }
-    if (i + len >= 1900) {
-      break;
-    }
+                       //reconnect for further tests
+                       c.arg[0] = ISO14A_CONNECT | ISO14A_NO_DISCONNECT;
+                       c.arg[1] = 0;
+                       c.arg[2] = 0;
 
 
-    uint8_t *frame = (got+i+9);
+                       SendCommand(&c);
 
 
-    // Break and stick with current result if buffer was not completely full
-    if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
+                       UsbCommand resp;
+                       WaitForResponse(CMD_ACK,&resp);
+                       
+                       memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
 
 
-    char line[1000] = "";
-    int j;
-    for (j = 0; j < len; j++) {
-      int oddparity = 0x01;
-      int k;
+                       select_status = resp.arg[0];            // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
+                       
+                       if(select_status == 0) {
+                               ul_switch_off_field();
+                               return 0;
+                       }
 
 
-      for (k=0;k<8;k++) {
-        oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
-      }
+                       /*  orig
+                       // check if the tag answers to GETVERSION (0x60)
+                       c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
+                       c.arg[1] = 1;
+                       c.arg[2] = 0;
+                       c.d.asBytes[0] = 0x60;
+                       SendCommand(&c);
+                       WaitForResponse(CMD_ACK,&resp);
+               
+                       uint8_t version[10] = {0};
+                       memcpy(version, resp.d.asBytes, resp.arg[0] < sizeof(version) ? resp.arg[0] : sizeof(version));
+                       uint8_t len  = resp.arg[0] & 0xff;
+                       switch ( len){
+                               // todo, identify "Magic UL-C tags".  // they usually have a static nonce response to 0x1A command.
+                               // UL-EV1, size, check version[6] == 0x0b (smaller)  0x0b * 4 == 48
+                               case 0x0A:PrintAndLog("TYPE : NXP MIFARE Ultralight EV1 %d bytes", (version[6] == 0xB) ? 48 : 128);     break;                          
+                               case 0x01:PrintAndLog("TYPE : NXP MIFARE Ultralight C");break;
+                               case 0x00:PrintAndLog("TYPE : NXP MIFARE Ultralight");break;
+                       }
+                       */
+                       break;
+               case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
+               case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
+               case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
+               case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
+               case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break;
+               case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break;
+               case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break;
+               case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break;
+               case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break;
+               case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break;
+               case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break;
+               case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break;
+               case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
+               default: ;
+       }
 
 
-      //if((parityBits >> (len - j - 1)) & 0x01) {
-      if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
-        sprintf(line+(j*4), "%02x!  ", frame[j]);
-      }
-      else {
-        sprintf(line+(j*4), "%02x   ", frame[j]);
-      }
-    }
+       // Double & triple sized UID, can be mapped to a manufacturer.
+       if ( card.uidlen > 4 ) {
+               PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
+       }
+       
+       // try to request ATS even if tag claims not to support it
+       if (select_status == 2) {
+               uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
+               c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
+               c.arg[1] = 2;
+               c.arg[2] = 0;
+               memcpy(c.d.asBytes, rats, 2);
+               SendCommand(&c);
+               WaitForResponse(CMD_ACK,&resp);
+               
+           memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
+               card.ats_len = resp.arg[0];                             // note: ats_len includes CRC Bytes
+       } 
 
 
-    char *crc;
-    crc = "";
-    if (len > 2) {
-      uint8_t b1, b2;
-      for (j = 0; j < (len - 1); j++) {
-        // gives problems... search for the reason..
-        /*if(frame[j] == 0xAA) {
-          switch(frame[j+1]) {
-            case 0x01:
-              crc = "[1] Two drops close after each other";
-            break;
-            case 0x02:
-              crc = "[2] Potential SOC with a drop in second half of bitperiod";
-              break;
-            case 0x03:
-              crc = "[3] Segment Z after segment X is not possible";
-              break;
-            case 0x04:
-              crc = "[4] Parity bit of a fully received byte was wrong";
-              break;
-            default:
-              crc = "[?] Unknown error";
-              break;
-          }
-          break;
-        }*/
-      }
-
-      if (strlen(crc)==0) {
-        ComputeCrc14443(CRC_14443_A, frame, len-2, &b1, &b2);
-        if (b1 != frame[len-2] || b2 != frame[len-1]) {
-          crc = (isResponse & (len < 6)) ? "" : " !crc";
-        } else {
-          crc = "";
-        }
-      }
-    } else {
-      crc = ""; // SHORT
-    }
+       if(card.ats_len >= 3) {                 // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
+               bool ta1 = 0, tb1 = 0, tc1 = 0;
+               int pos;
 
 
-    char metricString[100];
-    if (isResponse) {
-      sprintf(metricString, "%3d", metric);
-    } else {
-      strcpy(metricString, "   ");
-    }
+               if (select_status == 2) {
+                       PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
+               }
+               PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
+               PrintAndLog("       -  TL : length is %d bytes", card.ats[0]);
+               if (card.ats[0] != card.ats_len - 2) {
+                       PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
+               }
+               
+               if (card.ats[0] > 1) {          // there is a format byte (T0)
+                       ta1 = (card.ats[1] & 0x10) == 0x10;
+                       tb1 = (card.ats[1] & 0x20) == 0x20;
+                       tc1 = (card.ats[1] & 0x40) == 0x40;
+                       int16_t fsci = card.ats[1] & 0x0f;
+                       PrintAndLog("       -  T0 : TA1 is%s present, TB1 is%s present, "
+                                       "TC1 is%s present, FSCI is %d (FSC = %ld)",
+                               (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
+                               fsci,
+                               fsci < 5 ? (fsci - 2) * 8 : 
+                                       fsci < 8 ? (fsci - 3) * 32 :
+                                       fsci == 8 ? 256 :
+                                       -1
+                               );
+               }
+               pos = 2;
+               if (ta1) {
+                       char dr[16], ds[16];
+                       dr[0] = ds[0] = '\0';
+                       if (card.ats[pos] & 0x10) strcat(ds, "2, ");
+                       if (card.ats[pos] & 0x20) strcat(ds, "4, ");
+                       if (card.ats[pos] & 0x40) strcat(ds, "8, ");
+                       if (card.ats[pos] & 0x01) strcat(dr, "2, ");
+                       if (card.ats[pos] & 0x02) strcat(dr, "4, ");
+                       if (card.ats[pos] & 0x04) strcat(dr, "8, ");
+                       if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
+                       if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
+                       PrintAndLog("       - TA1 : different divisors are%s supported, "
+                                       "DR: [%s], DS: [%s]",
+                                       (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
+                       pos++;
+               }
+               if (tb1) {
+                       uint32_t sfgi = card.ats[pos] & 0x0F;
+                       uint32_t fwi = card.ats[pos] >> 4;
+                       PrintAndLog("       - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
+                                       (sfgi),
+                                       sfgi ? "" : "(not needed) ",
+                                       sfgi ? (1 << 12) << sfgi : 0,
+                                       fwi,
+                                       (1 << 12) << fwi
+                                       );
+                       pos++;
+               }
+               if (tc1) {
+                       PrintAndLog("       - TC1 : NAD is%s supported, CID is%s supported",
+                                       (card.ats[pos] & 0x01) ? "" : " NOT",
+                                       (card.ats[pos] & 0x02) ? "" : " NOT");
+                       pos++;
+               }
+               if (card.ats[0] > pos) {
+                       char *tip = "";
+                       if (card.ats[0] - pos >= 7) {
+                               if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
+                                       tip = "-> MIFARE Plus X 2K or 4K";
+                               } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
+                                       tip = "-> MIFARE Plus S 2K or 4K";
+                               }
+                       } 
+                       PrintAndLog("       -  HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
+                       if (card.ats[pos] == 0xC1) {
+                               PrintAndLog("               c1 -> Mifare or (multiple) virtual cards of various type");
+                               PrintAndLog("                  %02x -> Length is %d bytes",
+                                               card.ats[pos + 1], card.ats[pos + 1]);
+                               switch (card.ats[pos + 2] & 0xf0) {
+                                       case 0x10:
+                                               PrintAndLog("                     1x -> MIFARE DESFire");
+                                               break;
+                                       case 0x20:
+                                               PrintAndLog("                     2x -> MIFARE Plus");
+                                               break;
+                               }
+                               switch (card.ats[pos + 2] & 0x0f) {
+                                       case 0x00:
+                                               PrintAndLog("                     x0 -> <1 kByte");
+                                               break;
+                                       case 0x01:
+                                               PrintAndLog("                     x0 -> 1 kByte");
+                                               break;
+                                       case 0x02:
+                                               PrintAndLog("                     x0 -> 2 kByte");
+                                               break;
+                                       case 0x03:
+                                               PrintAndLog("                     x0 -> 4 kByte");
+                                               break;
+                                       case 0x04:
+                                               PrintAndLog("                     x0 -> 8 kByte");
+                                               break;
+                               }
+                               switch (card.ats[pos + 3] & 0xf0) {
+                                       case 0x00:
+                                               PrintAndLog("                        0x -> Engineering sample");
+                                               break;
+                                       case 0x20:
+                                               PrintAndLog("                        2x -> Released");
+                                               break;
+                               }
+                               switch (card.ats[pos + 3] & 0x0f) {
+                                       case 0x00:
+                                               PrintAndLog("                        x0 -> Generation 1");
+                                               break;
+                                       case 0x01:
+                                               PrintAndLog("                        x1 -> Generation 2");
+                                               break;
+                                       case 0x02:
+                                               PrintAndLog("                        x2 -> Generation 3");
+                                               break;
+                               }
+                               switch (card.ats[pos + 4] & 0x0f) {
+                                       case 0x00:
+                                               PrintAndLog("                           x0 -> Only VCSL supported");
+                                               break;
+                                       case 0x01:
+                                               PrintAndLog("                           x1 -> VCS, VCSL, and SVC supported");
+                                               break;
+                                       case 0x0E:
+                                               PrintAndLog("                           xE -> no VCS command supported");
+                                               break;
+                               }
+                       }
+               }
+       } else {
+               PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
+       }
 
 
-    PrintAndLog(" +%7d: %s: %s %s %s",
-      (prev < 0 ? 0 : (timestamp - prev)),
-      metricString,
-      (isResponse ? "TAG" : "   "), line, crc);
+       
+       // try to see if card responses to "chinese magic backdoor" commands.
+       c.cmd = CMD_MIFARE_CIDENT;
+       c.arg[0] = 0;
+       c.arg[1] = 0;
+       c.arg[2] = 0;   
+       SendCommand(&c);
+       WaitForResponse(CMD_ACK,&resp);
+       uint8_t isOK  = resp.arg[0] & 0xff;
+       PrintAndLog("Answers to chinese magic backdoor commands: %s", (isOK ? "YES" : "NO") );
+       
+       // disconnect
+       c.cmd = CMD_READER_ISO_14443a;
+       c.arg[0] = 0;
+       c.arg[1] = 0;
+       c.arg[2] = 0;
+       SendCommand(&c);
 
 
-    prev = timestamp;
-    i += (len + 9);
-  }
-  return 0;
+       return select_status;
 }
 
 }
 
-int CmdHF14AMifare(const char *Cmd)
+// Collect ISO14443 Type A UIDs
+int CmdHF14ACUIDs(const char *Cmd)
 {
 {
-  UsbCommand c = {CMD_READER_MIFARE, {strtol(Cmd, NULL, 0), 0, 0}};
-  SendCommand(&c);
-  return 0;
+       // requested number of UIDs
+       int n = atoi(Cmd);
+       // collect at least 1 (e.g. if no parameter was given)
+       n = n > 0 ? n : 1;
+
+       PrintAndLog("Collecting %d UIDs", n);
+       PrintAndLog("Start: %u", time(NULL));
+       // repeat n times
+       for (int i = 0; i < n; i++) {
+               // execute anticollision procedure
+               UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
+               SendCommand(&c);
+    
+               UsbCommand resp;
+               WaitForResponse(CMD_ACK,&resp);
+
+               iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
+
+               // check if command failed
+               if (resp.arg[0] == 0) {
+                       PrintAndLog("Card select failed.");
+               } else {
+                       char uid_string[20];
+                       for (uint16_t i = 0; i < card->uidlen; i++) {
+                               sprintf(&uid_string[2*i], "%02X", card->uid[i]);
+                       }
+                       PrintAndLog("%s", uid_string);
+               }
+       }
+       PrintAndLog("End: %u", time(NULL));
+
+       return 1;
 }
 
 }
 
-int CmdHF14AReader(const char *Cmd)
+
+static int usage_hf_14a_sim(void)
 {
 {
-  UsbCommand c = {CMD_READER_ISO_14443a, {strtol(Cmd, NULL, 0), 0, 0}};
-  SendCommand(&c);
-  return 0;
+       PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4 or 7 byte UID\n");
+       PrintAndLog("Usage: hf 14a sim t <type> u <uid> x");
+       PrintAndLog("  Options : ");
+       PrintAndLog("    h     : this help");
+       PrintAndLog("    t     : 1 = MIFARE Classic");
+       PrintAndLog("            2 = MIFARE Ultralight");
+       PrintAndLog("            3 = MIFARE Desfire");
+       PrintAndLog("            4 = ISO/IEC 14443-4");
+       PrintAndLog("            5 = MIFARE Tnp3xxx");
+       PrintAndLog("            6 = MIFARE Mini");
+       PrintAndLog("    u     : 4 or 7 byte UID");
+       PrintAndLog("    x     : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader");
+       PrintAndLog("\n   sample : hf 14a sim t 1 u 1122344");
+       PrintAndLog("          : hf 14a sim t 1 u 1122344 x\n");
+       return 0;
 }
 
 // ## simulate iso14443a tag
 // ## greg - added ability to specify tag UID
 int CmdHF14ASim(const char *Cmd)
 }
 
 // ## simulate iso14443a tag
 // ## greg - added ability to specify tag UID
 int CmdHF14ASim(const char *Cmd)
-{                                 
-
-  unsigned int hi = 0, lo = 0;
-  int n = 0, i = 0;
-  while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
-    hi= (hi << 4) | (lo >> 28);
-    lo= (lo << 4) | (n & 0xf);
-  }
-
-  // c.arg should be set to *Cmd or convert *Cmd to the correct format for a uid
-  UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a, {hi, lo, 0}};
-  PrintAndLog("Emulating 14443A TAG with UID %x%16x", hi, lo);
+{
+       bool errors = FALSE;
+       uint8_t flags = 0;
+       uint8_t tagtype = 1;
+       uint64_t uid = 0;
+       uint8_t cmdp = 0;
+       
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+                       case 'h':
+                       case 'H':
+                               return usage_hf_14a_sim();
+                       case 't':
+                       case 'T':
+                               // Retrieve the tag type
+                               tagtype = param_get8ex(Cmd, cmdp+1, 0, 10);
+                               if (tagtype == 0)
+                                       errors = true; 
+                               cmdp += 2;
+                               break;
+                       case 'u':
+                       case 'U':
+                               // Retrieve the full 4 or 7 byte long uid 
+                               uid = param_get64ex(Cmd, cmdp+1, 0, 16);
+                               if (uid == 0 )
+                                       errors = TRUE;
+                                
+                               if (uid > 0xffffffff) {
+                                       PrintAndLog("Emulating ISO/IEC 14443 type A tag with 7 byte UID (%014"llx")",uid);
+                                       flags |= FLAG_7B_UID_IN_DATA;
+                               } else {
+                                       PrintAndLog("Emulating ISO/IEC 14443 type A tag with 4 byte UID (%08x)",uid);
+                                       flags |= FLAG_4B_UID_IN_DATA;
+                               }
+                               cmdp += 2;
+                               break;
+                       case 'x':
+                       case 'X':
+                               flags |= FLAG_NR_AR_ATTACK;
+                               cmdp++;
+                               break;
+                       default:
+                               PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+                               errors = true;
+                               break;
+                       }
+               if(errors) break;
+       }
+
+       //Validations
+       if (errors) return usage_hf_14a_sim();
+
+       PrintAndLog("Press pm3-button to abort simulation");
+       
+       UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
+       num_to_bytes(uid, 7, c.d.asBytes);
+       SendCommand(&c);        
+
+       while(!ukbhit()){
+               UsbCommand resp;
+               WaitForResponseTimeout(CMD_ACK,&resp,1500);
+               PrintAndLog("Got %04X %02X", resp.arg[0], resp.arg[0]);
+               if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
+                       uint8_t data[40];
+                       uint8_t key[6];
+                       int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
+                       memcpy(data, resp.d.asBytes, len);
+                       tryMfk32(uid, data, key);
+                       //tryMfk64(uid, data, key);
+                       PrintAndLog("--");
+                       memset(data,0x00, 40);
+               }
+       }
+       return 0;
+}
+
+int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
+
+       struct Crypto1State *s,*t;
+       uint64_t key;     // recovered key
+       uint32_t uid;     // serial number
+       uint32_t nt;      // tag challenge
+       uint32_t nr0_enc; // first encrypted reader challenge
+       uint32_t ar0_enc; // first encrypted reader response
+       uint32_t nr1_enc; // second encrypted reader challenge
+       uint32_t ar1_enc; // second encrypted reader response   
+       bool isSuccess = FALSE;
+       int counter = 0;
+       
+       uid     = myuid;//(uint32_t)bytes_to_num(data +  0, 4);
+       nt              = *(uint32_t*)(data+8);
+       nr0_enc = *(uint32_t*)(data+12);
+       ar0_enc = *(uint32_t*)(data+16);
+       nr1_enc = *(uint32_t*)(data+32);
+       ar1_enc = *(uint32_t*)(data+36);
+
+       // PrintAndLog("Recovering key for:");
+       // PrintAndLog("    uid: %08x",uid);
+       // PrintAndLog("     nt: %08x",nt);
+       // PrintAndLog(" {nr_0}: %08x",nr0_enc);
+       // PrintAndLog(" {ar_0}: %08x",ar0_enc);
+       // PrintAndLog(" {nr_1}: %08x",nr1_enc);
+       // PrintAndLog(" {ar_1}: %08x",ar1_enc);
+
+       s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
+  
+       for(t = s; t->odd | t->even; ++t) {
+               lfsr_rollback_word(t, 0, 0);
+               lfsr_rollback_word(t, nr0_enc, 1);
+               lfsr_rollback_word(t, uid ^ nt, 0);
+               crypto1_get_lfsr(t, &key);
+               crypto1_word(t, uid ^ nt, 0);
+               crypto1_word(t, nr1_enc, 1);
+               if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
+                       PrintAndLog("Found Key: [%012"llx"]",key);
+                       isSuccess = TRUE;
+                       ++counter;
+                       if (counter==10)
+                               break;
+               }
+       }
+       free(s);
+       return isSuccess;
+}
+
+int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
+
+       struct Crypto1State *revstate;
+       uint64_t key;     // recovered key
+       uint32_t uid;     // serial number
+       uint32_t nt;      // tag challenge
+       uint32_t nr_enc;  // encrypted reader challenge
+       uint32_t ar_enc;  // encrypted reader response
+       uint32_t at_enc;  // encrypted tag response
+       uint32_t ks2;     // keystream used to encrypt reader response
+       uint32_t ks3;     // keystream used to encrypt tag response
+
+       struct Crypto1State mpcs = {0, 0};
+       struct Crypto1State *pcs;
+       pcs = &mpcs;
+       
+
+
+       uid     = myuid;//(uint32_t)bytes_to_num(data +  0, 4);
+       nt              = *(uint32_t*)(data+8);
+       nr_enc = *(uint32_t*)(data+12);
+       ar_enc = *(uint32_t*)(data+16);
+       
+       crypto1_word(pcs, nr_enc , 1);
+       at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
+
+       // printf("Recovering key for:\n");
+       // printf("  uid: %08x\n",uid);
+       // printf("   nt: %08x\n",nt);
+       // printf(" {nr}: %08x\n",nr_enc);
+       // printf(" {ar}: %08x\n",ar_enc);
+       // printf(" {at}: %08x\n",at_enc);
+
+       // Extract the keystream from the messages
+       ks2 = ar_enc ^ prng_successor(nt, 64);
+       ks3 = at_enc ^ prng_successor(nt, 96);
+
+       revstate = lfsr_recovery64(ks2, ks3);
+       lfsr_rollback_word(revstate, 0, 0);
+       lfsr_rollback_word(revstate, 0, 0);
+       lfsr_rollback_word(revstate, nr_enc, 1);
+       lfsr_rollback_word(revstate, uid ^ nt, 0);
+       crypto1_get_lfsr(revstate, &key);
+       PrintAndLog("Found Key: [%012"llx"]",key);
+       crypto1_destroy(revstate);
+       crypto1_destroy(pcs);
+       return 0;
+}
+
+int CmdHF14ASniff(const char *Cmd) {
+       int param = 0;
+       
+       uint8_t ctmp = param_getchar(Cmd, 0) ;
+       if (ctmp == 'h' || ctmp == 'H') {
+               PrintAndLog("It get data from the field and saves it into command buffer.");
+               PrintAndLog("Buffer accessible from command 'hf list 14a'");
+               PrintAndLog("Usage:  hf 14a sniff [c][r]");
+               PrintAndLog("c - triggered by first data from card");
+               PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
+               PrintAndLog("sample: hf 14a sniff c r");
+               return 0;
+       }       
+       
+       for (int i = 0; i < 2; i++) {
+               ctmp = param_getchar(Cmd, i);
+               if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
+               if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
+       }
+
+  UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
   SendCommand(&c);
   return 0;
 }
 
   SendCommand(&c);
   return 0;
 }
 
-int CmdHF14ASnoop(const char *Cmd)
+
+int CmdHF14ACmdRaw(const char *cmd) {
+    UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
+    bool reply=1;
+    bool crc = FALSE;
+    bool power = FALSE;
+    bool active = FALSE;
+    bool active_select = FALSE;
+    uint16_t numbits=0;
+       bool bTimeout = FALSE;
+       uint32_t timeout=0;
+       bool topazmode = FALSE;
+    char buf[5]="";
+    int i=0;
+    uint8_t data[USB_CMD_DATA_SIZE];
+       uint16_t datalen=0;
+       uint32_t temp;
+
+    if (strlen(cmd)<2) {
+        PrintAndLog("Usage: hf 14a raw [-r] [-c] [-p] [-a] [-t] <milliseconds> [-b] <number of bits>  <0A 0B 0C ... hex>");
+        PrintAndLog("       -r    do not read response");
+        PrintAndLog("       -c    calculate and append CRC");
+        PrintAndLog("       -p    leave the signal field ON after receive");
+        PrintAndLog("       -a    active signal field ON without select");
+        PrintAndLog("       -s    active signal field ON with select");
+        PrintAndLog("       -b    number of bits to send. Useful for send partial byte");
+               PrintAndLog("       -t    timeout in ms");
+               PrintAndLog("       -T    use Topaz protocol to send command");
+        return 0;
+    }
+
+
+    // strip
+    while (*cmd==' ' || *cmd=='\t') cmd++;
+
+    while (cmd[i]!='\0') {
+        if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
+        if (cmd[i]=='-') {
+            switch (cmd[i+1]) {
+                case 'r': 
+                    reply = FALSE;
+                    break;
+                case 'c':
+                    crc = TRUE;
+                    break;
+                case 'p':
+                    power = TRUE;
+                    break;
+                case 'a':
+                    active = TRUE;
+                    break;
+                case 's':
+                    active_select = TRUE;
+                    break;
+                case 'b': 
+                    sscanf(cmd+i+2,"%d",&temp);
+                    numbits = temp & 0xFFFF;
+                    i+=3;
+                    while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
+                    i-=2;
+                    break;
+                               case 't':
+                                       bTimeout = TRUE;
+                                       sscanf(cmd+i+2,"%d",&temp);
+                                       timeout = temp;
+                                       i+=3;
+                                       while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
+                                       i-=2;
+                                       break;
+                case 'T':
+                                       topazmode = TRUE;
+                                       break;
+                default:
+                    PrintAndLog("Invalid option");
+                    return 0;
+            }
+            i+=2;
+            continue;
+        }
+        if ((cmd[i]>='0' && cmd[i]<='9') ||
+            (cmd[i]>='a' && cmd[i]<='f') ||
+            (cmd[i]>='A' && cmd[i]<='F') ) {
+            buf[strlen(buf)+1]=0;
+            buf[strlen(buf)]=cmd[i];
+            i++;
+
+            if (strlen(buf)>=2) {
+                sscanf(buf,"%x",&temp);
+                data[datalen]=(uint8_t)(temp & 0xff);
+                *buf=0;
+                               if (++datalen >= sizeof(data)){
+                                       if (crc)
+                                               PrintAndLog("Buffer is full, we can't add CRC to your data");
+                                       break;
+                               }
+            }
+            continue;
+        }
+        PrintAndLog("Invalid char on input");
+        return 0;
+    }
+
+    if(crc && datalen>0 && datalen<sizeof(data)-2)
+    {
+        uint8_t first, second;
+               if (topazmode) {
+                       ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
+               } else {
+                       ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
+               }
+        data[datalen++] = first;
+        data[datalen++] = second;
+    }
+
+    if(active || active_select)
+    {
+        c.arg[0] |= ISO14A_CONNECT;
+        if(active)
+            c.arg[0] |= ISO14A_NO_SELECT;
+    }
+
+       if(bTimeout){
+           #define MAX_TIMEOUT 40542464        // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
+        c.arg[0] |= ISO14A_SET_TIMEOUT;
+        if(timeout > MAX_TIMEOUT) {
+            timeout = MAX_TIMEOUT;
+            PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
+        }
+               c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
+       }
+
+    if(power)
+        c.arg[0] |= ISO14A_NO_DISCONNECT;
+
+    if(datalen>0)
+        c.arg[0] |= ISO14A_RAW;
+
+       if(topazmode)
+               c.arg[0] |= ISO14A_TOPAZMODE;
+               
+       // Max buffer is USB_CMD_DATA_SIZE
+    c.arg[1] = (datalen & 0xFFFF) | (numbits << 16);
+    memcpy(c.d.asBytes,data,datalen);
+
+    SendCommand(&c);
+
+    if (reply) {
+        if(active_select)
+            waitCmd(1);
+        if(datalen>0)
+            waitCmd(0);
+    } // if reply
+    return 0;
+}
+
+
+static void waitCmd(uint8_t iSelect)
 {
 {
-  UsbCommand c = {CMD_SNOOP_ISO_14443a};
-  SendCommand(&c);
-  return 0;
+    uint8_t *recv;
+    UsbCommand resp;
+    char *hexout;
+
+    if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+        recv = resp.d.asBytes;
+        uint8_t iLen = iSelect ? resp.arg[1] : resp.arg[0];
+        PrintAndLog("received %i octets",iLen);
+        if(!iLen)
+            return;
+        hexout = (char *)malloc(iLen * 3 + 1);
+        if (hexout != NULL) {
+            for (int i = 0; i < iLen; i++) { // data in hex
+                sprintf(&hexout[i * 3], "%02X ", recv[i]);
+            }
+            PrintAndLog("%s", hexout);
+            free(hexout);
+        } else {
+            PrintAndLog("malloc failed your client has low memory?");
+        }
+    } else {
+        PrintAndLog("timeout while waiting for reply.");
+    }
 }
 
 static command_t CommandTable[] = 
 {
 }
 
 static command_t CommandTable[] = 
 {
-  {"help",    CmdHelp,        1, "This help"},
-  {"list",    CmdHF14AList,   0, "List ISO 14443a history"},
-  {"mifare",  CmdHF14AMifare, 0, "Read out sector 0 parity error messages"},
-  {"reader",  CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
-  {"sim",     CmdHF14ASim,    0, "<UID> -- Fake ISO 14443a tag"},
-  {"snoop",   CmdHF14ASnoop,  0, "Eavesdrop ISO 14443 Type A"},
+  {"help",   CmdHelp,              1, "This help"},
+  {"list",   CmdHF14AList,         0, "[Deprecated] List ISO 14443a history"},
+  {"reader", CmdHF14AReader,       0, "Act like an ISO14443 Type A reader"},
+  {"cuids",  CmdHF14ACUIDs,        0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
+  {"sim",    CmdHF14ASim,          0, "<UID> -- Simulate ISO 14443a tag"},
+  {"sniff",  CmdHF14ASniff,        0, "sniff ISO 14443 Type A traffic"},
+  {"raw",    CmdHF14ACmdRaw,       0, "Send raw hex data to tag"},
   {NULL, NULL, 0, NULL}
 };
 
   {NULL, NULL, 0, NULL}
 };
 
-int CmdHF14A(const char *Cmd)
-{
-  CmdsParse(CommandTable, Cmd);
-  return 0;
+int CmdHF14A(const char *Cmd) {
+       // flush
+       WaitForResponseTimeout(CMD_ACK,NULL,100);
+
+       // parse
+       CmdsParse(CommandTable, Cmd);
+       return 0;
 }
 
 int CmdHelp(const char *Cmd)
 }
 
 int CmdHelp(const char *Cmd)
Proxmark3 GIT tracking
Impressum, Datenschutz