]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/mifaresniff.c
Adding a 'recoverpw' command for T55xx to try to recover corrupt password written...
[proxmark3-svn] / armsrc / mifaresniff.c
index 25c7780d49fda4a7539c7c8ea79a8f8d76acad5e..2dcd6d1a4276332ba2908a565d707e8eba922b8f 100644 (file)
@@ -9,7 +9,179 @@
 //-----------------------------------------------------------------------------\r
 \r
 #include "mifaresniff.h"\r
-#include "apps.h"\r
 \r
+static int sniffState = SNF_INIT;\r
+static uint8_t sniffUIDType = 0;\r
+static uint8_t sniffUID[10] = {0,0,0,0,0,0,0,0,0,0};\r
+static uint8_t sniffATQA[2] = {0,0};\r
+static uint8_t sniffSAK = 0;\r
+static uint8_t sniffBuf[17];\r
+static uint32_t timerData = 0;\r
 \r
+void MfSniffInit(void){\r
+       memset(sniffUID, 0x00, sizeof(sniffUID));\r
+       memset(sniffATQA, 0x00, sizeof(sniffATQA));\r
+       memset(sniffBuf, 0x00, sizeof(sniffBuf));\r
+       sniffSAK = 0;\r
+       sniffUIDType = SNF_UID_4;\r
+}\r
 \r
+void MfSniffEnd(void){\r
+       LED_B_ON();\r
+       cmd_send(CMD_ACK,0,0,0,0,0);\r
+       LED_B_OFF();\r
+}\r
+\r
+bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {\r
+\r
+       // reset on 7-Bit commands from reader\r
+       if (reader && (len == 1) && (bitCnt == 7)) {            \r
+               sniffState = SNF_INIT;\r
+       }\r
+\r
+       switch (sniffState) {\r
+               case SNF_INIT:{\r
+                       // REQA or WUPA from reader\r
+                       if ((len == 1) && (reader) && (bitCnt == 7) ) {\r
+                               MfSniffInit();\r
+                               sniffState = SNF_WUPREQ;\r
+                       }\r
+                       break;\r
+               }\r
+               case SNF_WUPREQ:{\r
+                       // ATQA from tag\r
+                       if ((!reader) && (len == 2)) {\r
+                               sniffATQA[0] = data[0];\r
+                               sniffATQA[1] = data[1];\r
+                               sniffState = SNF_ATQA;\r
+                       }\r
+                       break;\r
+               }\r
+               case SNF_ATQA:{\r
+                       // Select ALL from reader\r
+                       if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20))\r
+                               sniffState = SNF_ANTICOL1;\r
+                       break;\r
+               }\r
+               case SNF_ANTICOL1:{\r
+                       // UID from tag (CL1) \r
+                       if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {\r
+                               memcpy(sniffUID, data, 4);\r
+                               sniffState = SNF_UID1;\r
+                       }\r
+                       break;\r
+               }\r
+               case SNF_UID1:{\r
+                       // Select 4 Byte UID from reader\r
+                       if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))\r
+                               sniffState = SNF_SAK;\r
+                       break;\r
+               }\r
+               case SNF_SAK:{\r
+                       if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?\r
+                               sniffSAK = data[0];\r
+                               if (sniffUID[0] == 0x88)                        // CL2/3 UID part to be expected                                        \r
+                                       sniffState = (sniffState == SNF_ANTICOL2 ) ? SNF_ANTICOL3 : SNF_ANTICOL2;\r
+                               else                                                            // select completed\r
+                                       sniffState = SNF_CARD_IDLE;\r
+                       }\r
+                       break;\r
+               }\r
+               case SNF_ANTICOL2:{\r
+                        // CL2 UID \r
+                       if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {\r
+                               sniffUID[0] = sniffUID[1];\r
+                               sniffUID[1] = sniffUID[2];\r
+                               sniffUID[2] = sniffUID[3];\r
+                               memcpy(sniffUID+3, data, 4);\r
+                               sniffUIDType = SNF_UID_7;\r
+                               sniffState = SNF_UID2;\r
+                       }\r
+                       break;\r
+               }\r
+               case SNF_UID2:{\r
+                       // Select 2nd part of 7 Byte UID\r
+                       if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))\r
+                               sniffState = SNF_SAK;\r
+                       break;\r
+               }\r
+               case SNF_ANTICOL3:{\r
+                       // CL3 UID \r
+                       if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { \r
+                               // 3+3+4 = 10.\r
+                               sniffUID[3] = sniffUID[4];\r
+                               sniffUID[4] = sniffUID[5];\r
+                               sniffUID[5] = sniffUID[6];\r
+                               memcpy(sniffUID+6, data, 4);\r
+                               sniffUIDType = SNF_UID_10;\r
+                               sniffState = SNF_UID3;\r
+                       }\r
+                       break;\r
+               }\r
+               case SNF_UID3:{\r
+                       // Select 3nd part of 10 Byte UID\r
+                       if ((reader) && (len == 9) && (data[0] == 0x97) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))\r
+                               sniffState = SNF_SAK;\r
+                       break;\r
+               }\r
+               case SNF_CARD_IDLE:{    // trace the card select sequence\r
+                       sniffBuf[0] = 0xFF;\r
+                       sniffBuf[1] = 0xFF;\r
+                       memcpy(sniffBuf + 2, sniffUID, sizeof(sniffUID));\r
+                       memcpy(sniffBuf + 12, sniffATQA, sizeof(sniffATQA));\r
+                       sniffBuf[14] = sniffSAK;\r
+                       sniffBuf[15] = 0xFF;\r
+                       sniffBuf[16] = 0xFF;\r
+                       LogTrace(sniffBuf, sizeof(sniffBuf), 0, 0, NULL, TRUE);\r
+               }       // intentionally no break;\r
+               case SNF_CARD_CMD:{             \r
+                       LogTrace(data, len, 0, 0, NULL, TRUE);\r
+                       sniffState = SNF_CARD_RESP;\r
+                       timerData = GetTickCount();\r
+                       break;\r
+               }\r
+               case SNF_CARD_RESP:{\r
+                       LogTrace(data, len, 0, 0, NULL, FALSE);\r
+                       sniffState = SNF_CARD_CMD;\r
+                       timerData = GetTickCount();\r
+                       break;\r
+               }\r
+               default:\r
+                       sniffState = SNF_INIT;\r
+               break;\r
+       }\r
+       return FALSE;\r
+}\r
+\r
+bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {\r
+       if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {\r
+               return intMfSniffSend();\r
+       }\r
+       return FALSE;\r
+}\r
+\r
+// internal sending function. not a RAMFUNC.\r
+bool intMfSniffSend() {\r
+\r
+       int pckSize = 0;\r
+       int pckLen = BigBuf_get_traceLen();\r
+       int pckNum = 0;\r
+       uint8_t *data = BigBuf_get_addr();\r
+       \r
+       FpgaDisableSscDma();\r
+       while (pckLen > 0) {\r
+               pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);\r
+               LED_B_ON();\r
+               cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, data + BigBuf_get_traceLen() - pckLen, pckSize);\r
+               LED_B_OFF();\r
+               pckLen -= pckSize;\r
+               pckNum++;\r
+       }\r
+\r
+       LED_B_ON();\r
+       cmd_send(CMD_ACK,2,0,0,0,0);  // 2 == data transfer is finished.\r
+       LED_B_OFF();\r
+\r
+       clear_trace();\r
+       return TRUE;\r
+}\r
Impressum, Datenschutz