-//-----------------------------------------------------------------------------
+ //-----------------------------------------------------------------------------
// Merlok - June 2011, 2012
// Gerhard de Koning Gans - May 2008
// Hagen Fritsch - June 2010
//-----------------------------------------------------------------------------
void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
{
+ uint32_t counters[] = {0,0,0};
//Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
// This can be used in a reader-only attack.
// (it can also be retrieved via 'hf 14a list', but hey...
// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
p_response = NULL;
}
- } else if(receivedCmd[0] == 0x3A) { // Received a FAST READ (ranged read) -- just returns all zeros.
+ } else if(receivedCmd[0] == 0x3A) { // Received a FAST READ (ranged read)
uint8_t emdata[MAX_FRAME_SIZE];
int start = receivedCmd[1] * 4;
AppendCrc14443a(data, sizeof(data)-2);
EmSendCmdEx(data,sizeof(data),false);
p_response = NULL;
- } else if(receivedCmd[0] == 0x39 && tagType == 7) { // Received a READ COUNTER --
- uint8_t data[] = {0x00,0x00,0x00,0x14,0xa5};
- EmSendCmdEx(data,sizeof(data),false);
- p_response = NULL;
- } else if(receivedCmd[0] == 0xA5 && tagType == 7) { // Received a INC COUNTER --
+ } else if (receivedCmd[0] == 0x39 && tagType == 7) { // Received a READ COUNTER --
+ uint8_t index = receivedCmd[1];
+ uint8_t data[] = {0x00,0x00,0x00,0x14,0xa5};
+ if ( counters[index] > 0) {
+ num_to_bytes(counters[index], 3, data);
+ AppendCrc14443a(data, sizeof(data)-2);
+ }
+ EmSendCmdEx(data,sizeof(data),false);
+ p_response = NULL;
+ } else if (receivedCmd[0] == 0xA5 && tagType == 7) { // Received a INC COUNTER --
// number of counter
- //uint8_t counter = receivedCmd[1];
- //uint32_t val = bytes_to_num(receivedCmd+2,4);
-
+ uint8_t counter = receivedCmd[1];
+ uint32_t val = bytes_to_num(receivedCmd+2,4);
+ counters[counter] = val;
+
// send ACK
uint8_t ack[] = {0x0a};
EmSendCmdEx(ack,sizeof(ack),false);
return Demod.len;
}
-/* performs iso14443a anticollision procedure
- * fills the uid pointer unless NULL
- * fills resp_data unless NULL */
-int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr) {
+// performs iso14443a anticollision (optional) and card select procedure
+// fills the uid and cuid pointer unless NULL
+// fills the card info record unless NULL
+// if anticollision is false, then the UID must be provided in uid_ptr[]
+// and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
+int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
uint8_t sel_all[] = { 0x93,0x20 };
uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
int len;
// Broadcast for a card, WUPA (0x52) will force response from all cards in the field
- ReaderTransmitBitsPar(wupa,7,0, NULL);
+ ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
// Receive the ATQA
if(!ReaderReceive(resp, resp_par)) return 0;
memset(p_hi14a_card->uid,0,10);
}
+ if (anticollision) {
// clear uid
if (uid_ptr) {
memset(uid_ptr,0,10);
}
+ }
// check for proprietary anticollision:
if ((resp[0] & 0x1F) == 0) {
// SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
+ if (anticollision) {
// SELECT_ALL
ReaderTransmit(sel_all, sizeof(sel_all), NULL);
if (!ReaderReceive(resp, resp_par)) return 0;
} else { // no collision, use the response to SELECT_ALL as current uid
memcpy(uid_resp, resp, 4);
}
+ } else {
+ if (cascade_level < num_cascades - 1) {
+ uid_resp[0] = 0x88;
+ memcpy(uid_resp+1, uid_ptr+cascade_level*3, 3);
+ } else {
+ memcpy(uid_resp, uid_ptr+cascade_level*3, 4);
+ }
+ }
uid_resp_len = 4;
// calculate crypto UID. Always use last 4 Bytes.
// Construct SELECT UID command
sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
- memcpy(sel_uid+2, uid_resp, 4); // the UID
+ memcpy(sel_uid+2, uid_resp, 4); // the UID received during anticollision, or the provided UID
sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC
AppendCrc14443a(sel_uid, 7); // calculate and add CRC
ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
uid_resp[0] = uid_resp[1];
uid_resp[1] = uid_resp[2];
uid_resp[2] = uid_resp[3];
-
uid_resp_len = 3;
}
- if(uid_ptr) {
+ if(uid_ptr && anticollision) {
memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
}
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
if(!(param & ISO14A_NO_SELECT)) {
iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
- arg0 = iso14443a_select_card(NULL,card,NULL);
+ arg0 = iso14443a_select_card(NULL,card,NULL, true, 0);
cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
}
}
SpinDelay(100);
}
- if(!iso14443a_select_card(uid, NULL, &cuid)) {
+ if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
continue;
}
projects / proxmark3-svn / blobdiff