- int cmdsRecvd = 0;
-
- int fdt_indicator;
-
- memset(receivedCmd, 0x44, 400);
-
- // Prepare the responses of the anticollision phase
- // there will be not enough time to do this at the moment the reader sends it REQA
-
- // Answer to request
- CodeIso14443aAsTag(response1, sizeof(response1));
- memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
-
- // Send our UID (cascade 1)
- CodeIso14443aAsTag(response2, sizeof(response2));
- memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
-
- // Answer to select (cascade1)
- CodeIso14443aAsTag(response3, sizeof(response3));
- memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
-
- // Send the cascade 2 2nd part of the uid
- CodeIso14443aAsTag(response2a, sizeof(response2a));
- memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
-
- // Answer to select (cascade 2)
- CodeIso14443aAsTag(response3a, sizeof(response3a));
- memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
-
- // Strange answer is an example of rare message size (3 bits)
- CodeStrangeAnswer();
- memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
-
- // Authentication answer (random nonce)
- CodeIso14443aAsTag(response5, sizeof(response5));
- memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
-
- // We need to listen to the high-frequency, peak-detected path.
- SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
- FpgaSetupSsc();
-
- cmdsRecvd = 0;
-
- LED_A_ON();
- for(;;) {
-
- if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
- DbpString("button press");
- break;
- }
- // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
- // Okay, look at the command now.
- lastorder = order;
- i = 1; // first byte transmitted
- if(receivedCmd[0] == 0x26) {
- // Received a REQUEST
- resp = resp1; respLen = resp1Len; order = 1;
- //DbpString("Hello request from reader:");
- } else if(receivedCmd[0] == 0x52) {
- // Received a WAKEUP
- resp = resp1; respLen = resp1Len; order = 6;
-// //DbpString("Wakeup request from reader:");
-
- } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
- // Received request for UID (cascade 1)
- resp = resp2; respLen = resp2Len; order = 2;
-// DbpString("UID (cascade 1) request from reader:");
-// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
- } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
- // Received request for UID (cascade 2)
- resp = resp2a; respLen = resp2aLen; order = 20;
-// DbpString("UID (cascade 2) request from reader:");
-// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
- } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
- // Received a SELECT
- resp = resp3; respLen = resp3Len; order = 3;
-// DbpString("Select (cascade 1) request from reader:");
-// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
- } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
- // Received a SELECT
- resp = resp3a; respLen = resp3aLen; order = 30;
-// DbpString("Select (cascade 2) request from reader:");
-// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
- } else if(receivedCmd[0] == 0x30) {
- // Received a READ
- resp = resp4; respLen = resp4Len; order = 4; // Do nothing
- Dbprintf("Read request from reader: %x %x %x",
- receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
-
- } else if(receivedCmd[0] == 0x50) {
- // Received a HALT
- resp = resp1; respLen = 0; order = 5; // Do nothing
- DbpString("Reader requested we HALT!:");
-
- } else if(receivedCmd[0] == 0x60) {
- // Received an authentication request
- resp = resp5; respLen = resp5Len; order = 7;
- Dbprintf("Authenticate request from reader: %x %x %x",
- receivedCmd[0], receivedCmd[1], receivedCmd[2]);
-
- } else if(receivedCmd[0] == 0xE0) {
- // Received a RATS request
- resp = resp1; respLen = 0;order = 70;
- Dbprintf("RATS request from reader: %x %x %x",
- receivedCmd[0], receivedCmd[1], receivedCmd[2]);
- } else {
- // Never seen this command before
- Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
- receivedCmd[0], receivedCmd[1], receivedCmd[2],
- receivedCmd[3], receivedCmd[3], receivedCmd[4],
- receivedCmd[5], receivedCmd[6], receivedCmd[7]);
- // Do not respond
- resp = resp1; respLen = 0; order = 0;
- }
+ LED_A_ON();
+ for(;;) {
+ WDT_HIT();
+
+ // Clean receive command buffer
+ if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
+ DbpString("Button press");
+ break;
+ }
+
+ // incease nonce at every command recieved
+ nonce++;
+ num_to_bytes(nonce, 4, response5);
+
+ p_response = NULL;
+
+ // Okay, look at the command now.
+ lastorder = order;
+ if(receivedCmd[0] == ISO14443A_CMD_REQA) { // Received a REQUEST
+ p_response = &responses[0]; order = 1;
+ } else if(receivedCmd[0] == ISO14443A_CMD_WUPA) { // Received a WAKEUP
+ p_response = &responses[0]; order = 6;
+ } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) { // Received request for UID (cascade 1)
+ p_response = &responses[1]; order = 2;
+ } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) { // Received request for UID (cascade 2)
+ p_response = &responses[2]; order = 20;
+ } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) { // Received a SELECT (cascade 1)
+ p_response = &responses[3]; order = 3;
+ } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) { // Received a SELECT (cascade 2)
+ p_response = &responses[4]; order = 30;
+ } else if(receivedCmd[0] == ISO14443A_CMD_READBLOCK) { // Received a (plain) READ
+ uint8_t block = receivedCmd[1];
+ // if Ultralight or NTAG (4 byte blocks)
+ if ( tagType == 7 || tagType == 2 ) {
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ uint16_t start = 4 * (block+12);
+ uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+ emlGetMemBt( emdata, start, 16);
+ AppendCrc14443a(emdata, 16);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
+ // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
+ p_response = NULL;
+ } else { // all other tags (16 byte block tags)
+ uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+ emlGetMemBt( emdata, block, 16);
+ AppendCrc14443a(emdata, 16);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
+ // EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
+ // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
+ // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
+ p_response = NULL;
+ }
+ } else if(receivedCmd[0] == MIFARE_ULEV1_FASTREAD) { // Received a FAST READ (ranged read)
+ uint8_t emdata[MAX_FRAME_SIZE];
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ int start = (receivedCmd[1]+12) * 4;
+ int len = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
+ emlGetMemBt( emdata, start, len);
+ AppendCrc14443a(emdata, len);
+ EmSendCmdEx(emdata, len+2, false);
+ p_response = NULL;
+ } else if(receivedCmd[0] == MIFARE_ULEV1_READSIG && tagType == 7) { // Received a READ SIGNATURE --
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ uint16_t start = 4 * 4;
+ uint8_t emdata[34];
+ emlGetMemBt( emdata, start, 32);
+ AppendCrc14443a(emdata, 32);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
+ p_response = NULL;
+ } else if (receivedCmd[0] == MIFARE_ULEV1_READ_CNT && tagType == 7) { // Received a READ COUNTER --
+ uint8_t index = receivedCmd[1];
+ uint8_t data[] = {0x00,0x00,0x00,0x14,0xa5};
+ if ( counters[index] > 0) {
+ num_to_bytes(counters[index], 3, data);
+ AppendCrc14443a(data, sizeof(data)-2);
+ }
+ EmSendCmdEx(data,sizeof(data),false);
+ p_response = NULL;
+ } else if (receivedCmd[0] == MIFARE_ULEV1_INCR_CNT && tagType == 7) { // Received a INC COUNTER --
+ // number of counter
+ uint8_t counter = receivedCmd[1];
+ uint32_t val = bytes_to_num(receivedCmd+2,4);
+ counters[counter] = val;
+
+ // send ACK
+ uint8_t ack[] = {0x0a};
+ EmSendCmdEx(ack,sizeof(ack),false);
+ p_response = NULL;
+ } else if(receivedCmd[0] == MIFARE_ULEV1_CHECKTEAR && tagType == 7) { // Received a CHECK_TEARING_EVENT --
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ uint8_t emdata[3];
+ uint8_t counter=0;
+ if (receivedCmd[1]<3) counter = receivedCmd[1];
+ emlGetMemBt( emdata, 10+counter, 1);
+ AppendCrc14443a(emdata, sizeof(emdata)-2);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
+ p_response = NULL;
+ } else if(receivedCmd[0] == ISO14443A_CMD_HALT) { // Received a HALT
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ p_response = NULL;
+ } else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) { // Received an authentication request
+ if ( tagType == 7 ) { // IF NTAG /EV1 0x60 == GET_VERSION, not a authentication request.
+ uint8_t emdata[10];
+ emlGetMemBt( emdata, 0, 8 );
+ AppendCrc14443a(emdata, sizeof(emdata)-2);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
+ p_response = NULL;
+ } else {
+ cardAUTHSC = receivedCmd[1] / 4; // received block num
+ cardAUTHKEY = receivedCmd[0] - 0x60;
+ p_response = &responses[5]; order = 7;
+ }
+ } else if(receivedCmd[0] == ISO14443A_CMD_RATS) { // Received a RATS request
+ if (tagType == 1 || tagType == 2) { // RATS not supported
+ EmSend4bit(CARD_NACK_NA);
+ p_response = NULL;
+ } else {
+ p_response = &responses[6]; order = 70;
+ }
+ } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ uint32_t nr = bytes_to_num(receivedCmd,4);
+ uint32_t ar = bytes_to_num(receivedCmd+4,4);
+
+ // Collect AR/NR per keytype & sector
+ if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
+ for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+ if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
+ // if first auth for sector, or matches sector and keytype of previous auth
+ if (ar_nr_collected[i+mM] < 2) {
+ // if we haven't already collected 2 nonces for this sector
+ if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+ // Avoid duplicates... probably not necessary, ar should vary.
+ if (ar_nr_collected[i+mM]==0) {
+ // first nonce collect
+ ar_nr_resp[i+mM].cuid = cuid;
+ ar_nr_resp[i+mM].sector = cardAUTHSC;
+ ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+ ar_nr_resp[i+mM].nonce = nonce;
+ ar_nr_resp[i+mM].nr = nr;
+ ar_nr_resp[i+mM].ar = ar;
+ nonce1_count++;
+ // add this nonce to first moebius nonce
+ ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+ ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+ } else { // second nonce collect (std and moebius)
+ ar_nr_resp[i+mM].nonce2 = nonce;
+ ar_nr_resp[i+mM].nr2 = nr;
+ ar_nr_resp[i+mM].ar2 = ar;
+ if (!gettingMoebius) {
+ nonce2_count++;
+ // check if this was the last second nonce we need for std attack
+ if ( nonce2_count == nonce1_count ) {
+ // done collecting std test switch to moebius
+ // first finish incrementing last sample
+ ar_nr_collected[i+mM]++;
+ // switch to moebius collection
+ gettingMoebius = true;
+ mM = ATTACK_KEY_COUNT;
+ break;
+ }
+ } else {
+ moebius_n_count++;
+ // if we've collected all the nonces we need - finish.
+ if (nonce1_count == moebius_n_count) {
+ cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
+ nonce1_count = 0;
+ nonce2_count = 0;
+ moebius_n_count = 0;
+ gettingMoebius = false;
+ }
+ }
+ }
+ ar_nr_collected[i+mM]++;
+ }
+ }
+ // we found right spot for this nonce stop looking
+ break;
+ }
+ }
+ }
+
+ } else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
+ } else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
+ if ( tagType == 7 ) {
+ uint16_t start = 13; // first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
+ uint8_t emdata[4];
+ emlGetMemBt( emdata, start, 2);
+ AppendCrc14443a(emdata, 2);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
+ p_response = NULL;
+ uint32_t pwd = bytes_to_num(receivedCmd+1,4);
+
+ if ( MF_DBGLEVEL >= 3) Dbprintf("Auth attempt: %08x", pwd);
+ }
+ } else {
+ // Check for ISO 14443A-4 compliant commands, look at left nibble
+ switch (receivedCmd[0]) {
+ case 0x02:
+ case 0x03: { // IBlock (command no CID)
+ dynamic_response_info.response[0] = receivedCmd[0];
+ dynamic_response_info.response[1] = 0x90;
+ dynamic_response_info.response[2] = 0x00;
+ dynamic_response_info.response_n = 3;
+ } break;
+ case 0x0B:
+ case 0x0A: { // IBlock (command CID)
+ dynamic_response_info.response[0] = receivedCmd[0];
+ dynamic_response_info.response[1] = 0x00;
+ dynamic_response_info.response[2] = 0x90;
+ dynamic_response_info.response[3] = 0x00;
+ dynamic_response_info.response_n = 4;
+ } break;
+
+ case 0x1A:
+ case 0x1B: { // Chaining command
+ dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ case 0xaa:
+ case 0xbb: {
+ dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ case 0xBA: { // ping / pong
+ dynamic_response_info.response[0] = 0xAB;
+ dynamic_response_info.response[1] = 0x00;
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ case 0xCA:
+ case 0xC2: { // Readers sends deselect command
+ dynamic_response_info.response[0] = 0xCA;
+ dynamic_response_info.response[1] = 0x00;
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ default: {
+ // Never seen this command before
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ Dbprintf("Received unknown command (len=%d):",len);
+ Dbhexdump(len,receivedCmd,false);
+ // Do not respond
+ dynamic_response_info.response_n = 0;
+ } break;
+ }
+
+ if (dynamic_response_info.response_n > 0) {
+ // Copy the CID from the reader query
+ dynamic_response_info.response[1] = receivedCmd[1];
+
+ // Add CRC bytes, always used in ISO 14443A-4 compliant cards
+ AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
+ dynamic_response_info.response_n += 2;
+
+ if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
+ Dbprintf("Error preparing tag response");
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ break;
+ }
+ p_response = &dynamic_response_info;
+ }
+ }