X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/165e0775b1660a4dfc1f95338585bcb663b6b5e7..fe346768b35409677b6c7f40a6f2a6768cf54ac3:/client/cmdhficlass.c diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index 4cf9d3ea..d02eff8d 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -23,7 +23,7 @@ #include "common.h" #include "util.h" #include "cmdmain.h" -#include "loclass/des.h" +#include "polarssl/des.h" #include "loclass/cipherutils.h" #include "loclass/cipher.h" #include "loclass/ikeys.h" @@ -33,8 +33,6 @@ #include "usb_cmd.h" #include "cmdhfmfu.h" -#define llX PRIx64 - static int CmdHelp(const char *Cmd); #define ICLASS_KEYS_MAX 8 @@ -182,10 +180,10 @@ int CmdHFiClassSim(const char *Cmd) { int HFiClassReader(const char *Cmd, bool loop, bool verbose) { bool tagFound = false; - UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN| - FLAG_ICLASS_READER_CONF|FLAG_ICLASS_READER_AA}}; + UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN | + FLAG_ICLASS_READER_CC | FLAG_ICLASS_READER_CONF | FLAG_ICLASS_READER_AA | + FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY } }; // loop in client not device - else on windows have a communication error - c.arg[0] |= FLAG_ICLASS_READER_ONLY_ONCE | FLAG_ICLASS_READER_ONE_TRY; UsbCommand resp; while(!ukbhit()){ SendCommand(&c); @@ -193,21 +191,34 @@ int HFiClassReader(const char *Cmd, bool loop, bool verbose) { uint8_t readStatus = resp.arg[0] & 0xff; uint8_t *data = resp.d.asBytes; - if (verbose) - PrintAndLog("Readstatus:%02x", readStatus); - if( readStatus == 0){ - //Aborted + // no tag found or button pressed + if( (readStatus == 0 && !loop) || readStatus == 0xFF) { + // abort if (verbose) PrintAndLog("Quitting..."); return 0; } - if( readStatus & FLAG_ICLASS_READER_CSN){ - PrintAndLog("CSN: %s",sprint_hex(data,8)); + + if( readStatus & FLAG_ICLASS_READER_CSN) { + PrintAndLog(" CSN: %s",sprint_hex(data,8)); tagFound = true; } - if( readStatus & FLAG_ICLASS_READER_CC) PrintAndLog("CC: %s",sprint_hex(data+16,8)); - if( readStatus & FLAG_ICLASS_READER_CONF){ + if( readStatus & FLAG_ICLASS_READER_CC) { + PrintAndLog(" CC: %s",sprint_hex(data+16,8)); + } + if( readStatus & FLAG_ICLASS_READER_CONF) { printIclassDumpInfo(data); } + if (readStatus & FLAG_ICLASS_READER_AA) { + bool legacy = true; + PrintAndLog(" AppIA: %s",sprint_hex(data+8*5,8)); + for (int i = 0; i<8; i++) { + if (data[8*5+i] != 0xFF) { + legacy = false; + } + } + PrintAndLog(" : Possible iClass %s",(legacy) ? "(legacy tag)" : "(NOT legacy tag)"); + } + if (tagFound && !loop) return 1; } else { if (verbose) PrintAndLog("Command execute timeout"); @@ -779,10 +790,10 @@ int CmdHFiClassReader_Dump(const char *Cmd) { if (have_debit_key) memcpy(tag_data+(3*8),div_key,8); if (have_credit_key) memcpy(tag_data+(4*8),c_div_key,8); // print the dump - printf("CSN |00| %02X %02X %02X %02X %02X %02X %02X %02X |\n",tag_data[0],tag_data[1],tag_data[2] - ,tag_data[3],tag_data[4],tag_data[5],tag_data[6],tag_data[7]); - printIclassDumpContents(tag_data, 1, (gotBytes/8)-1, gotBytes-8); - + printf("------+--+-------------------------+\n"); + printf("CSN |00| %s|\n",sprint_hex(tag_data, 8)); + printIclassDumpContents(tag_data, 1, (gotBytes/8), gotBytes); + if (filename[0] == 0){ snprintf(filename, FILE_PATH_SIZE,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x", tag_data[0],tag_data[1],tag_data[2],tag_data[3], @@ -1097,12 +1108,19 @@ int CmdHFiClassCloneTag(const char *Cmd) { return 1; } -static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose) { +static int ReadBlock(uint8_t *KEY, uint8_t blockno, uint8_t keyType, bool elite, bool rawkey, bool verbose, bool auth) { uint8_t MAC[4]={0x00,0x00,0x00,0x00}; uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; - if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose)) - return 0; + if (auth) { + if (!select_and_auth(KEY, MAC, div_key, (keyType==0x18), elite, rawkey, verbose)) + return 0; + } else { + uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; + uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; + if (!select_only(CSN, CCNR, (keyType==0x18), verbose)) + return 0; + } UsbCommand resp; UsbCommand w = {CMD_ICLASS_READBLOCK, {blockno}}; @@ -1148,6 +1166,7 @@ int CmdHFiClass_ReadBlock(const char *Cmd) { bool elite = false; bool rawkey = false; bool errors = false; + bool auth = false; uint8_t cmdp = 0; while(param_getchar(Cmd, cmdp) != 0x00) { @@ -1176,6 +1195,7 @@ int CmdHFiClass_ReadBlock(const char *Cmd) { break; case 'k': case 'K': + auth = true; dataLen = param_getstr(Cmd, cmdp+1, tempStr); if (dataLen == 16) { errors = param_gethex(tempStr, 0, KEY, dataLen); @@ -1206,9 +1226,10 @@ int CmdHFiClass_ReadBlock(const char *Cmd) { if(errors) return usage_hf_iclass_readblock(); } - if (cmdp < 4) return usage_hf_iclass_readblock(); - - return ReadBlock(KEY, blockno, keyType, elite, rawkey, true); + if (cmdp < 2) return usage_hf_iclass_readblock(); + if (!auth) + PrintAndLog("warning: no authentication used with read, only a few specific blocks can be read accurately without authentication."); + return ReadBlock(KEY, blockno, keyType, elite, rawkey, true, auth); } int CmdHFiClass_loclass(const char *Cmd) { @@ -1222,7 +1243,7 @@ int CmdHFiClass_loclass(const char *Cmd) { PrintAndLog("f Bruteforce iclass dumpfile"); PrintAndLog(" An iclass dumpfile is assumed to consist of an arbitrary number of"); PrintAndLog(" malicious CSNs, and their protocol responses"); - PrintAndLog(" The the binary format of the file is expected to be as follows: "); + PrintAndLog(" The binary format of the file is expected to be as follows: "); PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>"); PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>"); PrintAndLog(" <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>"); @@ -1257,7 +1278,6 @@ int CmdHFiClass_loclass(const char *Cmd) { } void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize) { - uint8_t blockdata[8]; uint8_t mem_config; memcpy(&mem_config, iclass_dump + 13,1); uint8_t maxmemcount; @@ -1272,18 +1292,19 @@ void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t e startblock = 6; if ((endblock > maxmemcount) || (endblock == 0)) endblock = maxmemcount; - if (endblock > filemaxblock) + + // remember endblock need to relate to zero-index arrays. + if (endblock > filemaxblock-1) endblock = filemaxblock; + int i = startblock; - int j; - while (i <= endblock){ - printf("Block |%02X| ",i); - memcpy(blockdata,iclass_dump + (i * 8),8); - for (j = 0;j < 8;j++) - printf("%02X ",blockdata[j]); - printf("|\n"); + printf("------+--+-------------------------+\n"); + while (i <= endblock) { + uint8_t *blk = iclass_dump + (i * 8); + printf("Block |%02X| %s|\n", i, sprint_hex(blk, 8) ); i++; } + printf("------+--+-------------------------+\n"); } int usage_hf_iclass_readtagfile() { @@ -1329,7 +1350,8 @@ int CmdHFiClassReadTagFile(const char *Cmd) { size_t bytes_read = fread(dump, 1, fsize, f); fclose(f); uint8_t *csn = dump; - printf("CSN [00] | %02X %02X %02X %02X %02X %02X %02X %02X |\n",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); + printf("------+--+-------------------------+\n"); + printf("CSN |00| %s|\n", sprint_hex(csn, 8) ); // printIclassDumpInfo(dump); printIclassDumpContents(dump,startblock,endblock,bytes_read); free(dump); @@ -1350,7 +1372,7 @@ uint64_t hexarray_to_uint64(uint8_t *key) { for (int i = 0;i < 8;i++) sprintf(&temp[(i *2)],"%02X",key[i]); temp[16] = '\0'; - if (sscanf(temp,"%016"llX,&uint_key) < 1) + if (sscanf(temp,"%016" SCNx64,&uint_key) < 1) return 0; return uint_key; } @@ -1690,7 +1712,7 @@ static command_t CommandTable[] = {"loclass", CmdHFiClass_loclass, 1, "[options..] Use loclass to perform bruteforce of reader attack dump"}, {"managekeys", CmdHFiClassManageKeys, 1, "[options..] Manage the keys to use with iClass"}, {"readblk", CmdHFiClass_ReadBlock, 0, "[options..] Authenticate and Read iClass block"}, - {"reader", CmdHFiClassReader, 0, " Read an iClass tag"}, + {"reader", CmdHFiClassReader, 0, " Look for iClass tags until a key or the pm3 button is pressed"}, {"readtagfile", CmdHFiClassReadTagFile, 1, "[options..] Display Content from tagfile"}, {"replay", CmdHFiClassReader_Replay, 0, " Read an iClass tag via Reply Attack"}, {"sim", CmdHFiClassSim, 0, "[options..] Simulate iClass tag"},