X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/72e6d4621a74c3c5448dc7223d509f23df02d3a8..517f8f84e427888dc0d6bcebeb16595ba1ad642e:/armsrc/iso14443a.c

diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index ca6fd960..21f70c3e 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -551,7 +551,10 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 	UartInit(receivedCmd, receivedCmdPar);
 	
 	// Setup and start DMA.
-	FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+	if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+		if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+		return;
+	}
 	
 	// We won't start recording the frames that we acquire until we trigger;
 	// a good trigger condition to get started is probably when we see a
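Review bot: The new early `return` on FpgaSetupSscDma() failure leaves SniffIso14443a without whatever teardown its normal exit path performs; the function's body continues outside this hunk, so I cannot see whether it ends with FPGA/LED cleanup, but the sniff loop is entered after this point and a failure exit here bypasses everything that follows. If the tail does reset the FPGA mode and LEDs, the failure path should jump there rather than returning, e.g. `goto done;` with that cleanup under a `done:` label. The same applies to the two identical blocks added in SniffMifare (hunks at -2976 and -3004), the second of which returns from inside the sniff loop after a DMA restart. The trailing whitespace after the `Dbprintf(...)` statement and the `( !Fpga...(...) ){` spacing also differ from the surrounding file.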
@@ -854,10 +857,12 @@ bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
 //-----------------------------------------------------------------------------
 // Main loop of simulated tag: receive commands from reader, decide what
 // response to send, and send it.
+// 'hf 14a sim'
 //-----------------------------------------------------------------------------
 void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 
-	//Here, we collect CUID, NT, NR, AR, CUID, NT2, NR2, AR2
+	// Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, CUID, block2, keytyp2, NT2, NR2, AR2
+	// it should also collect block, keytype.
 	// This can be used in a reader-only attack.
 	uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
 	uint8_t ar_nr_collected = 0;
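Review bot: The rewritten comment lists twelve fields (CUID, block, keytype, NT, NR, AR per pair) but `ar_nr_responses` still has ten slots and the collection code later in this function stores only four values per pair (cuid, nonce, nr, ar), so the comment describes a layout the array does not have. Since the second sentence admits block and keytype are not yet recorded, I would describe the current layout and leave the intent as a TODO: `// Here we collect CUID, NT, NR, AR for two authentications (4 slots per pair); TODO: also record block and keytype`. `keytyp2` is a typo as well. SimulateIso14443aTag continues outside the hunk.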
@@ -1137,8 +1142,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 		} else if(receivedCmd[0] == ISO14443A_CMD_HALT) {	// Received a HALT
 			LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
 			p_response = NULL;
-		} else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) {	// Received an authentication request
-					
+		} else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) {	// Received an authentication request				
 			if ( tagType == 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request.
 				uint8_t emdata[10];
 				emlGetMemBt( emdata, 0, 8 );
@@ -1162,27 +1166,23 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 
 			if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
 				if(ar_nr_collected < 2){
-					// Avoid duplicates... probably not necessary, nr should vary. 
-					// nr doesn't change in pm3's reading etc.  its fixed.
-					//if(ar_nr_responses[3] != nr){						
-						ar_nr_responses[ar_nr_collected*4]   = cuid;
-						ar_nr_responses[ar_nr_collected*4+1] = nonce;
-						ar_nr_responses[ar_nr_collected*4+2] = nr;
-						ar_nr_responses[ar_nr_collected*4+3] = ar;
-						ar_nr_collected++;
-					//}
+					ar_nr_responses[ar_nr_collected*4]   = cuid;
+					ar_nr_responses[ar_nr_collected*4+1] = nonce;
+					ar_nr_responses[ar_nr_collected*4+2] = nr;
+					ar_nr_responses[ar_nr_collected*4+3] = ar;
+					ar_nr_collected++;
 				}			
-
 				if(ar_nr_collected > 1 ) {		
 					if (MF_DBGLEVEL >= 2 && !(flags & FLAG_INTERACTIVE)) {
 							Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
-							Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
+							Dbprintf("../tools/mfkey/mfkey32v2.exe %08x %08x %08x %08x %08x %08x %08x",
 								ar_nr_responses[0], // CUID
-								ar_nr_responses[1], // NT
-								ar_nr_responses[2], // AR1
-								ar_nr_responses[3], // NR1
-								ar_nr_responses[6], // AR2
-								ar_nr_responses[7]  // NR2
+								ar_nr_responses[1], // NT_1
+								ar_nr_responses[2], // AR_1
+								ar_nr_responses[3], // NR_1
+								ar_nr_responses[5], // NT_2
+								ar_nr_responses[6], // AR_2
+								ar_nr_responses[7]  // NR_2
 							);
 					}
 					uint8_t len = ar_nr_collected*4*4;
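Review bot: The index labels on the new mfkey32v2 call contradict the storage order in the same hunk: the collection code writes `nr` into slot `[2]` and `ar` into slot `[3]` (and `[6]`/`[7]` for the second pair), yet the arguments are annotated `AR_1`/`NR_1` and `AR_2`/`NR_2`. Either the comments are wrong or the values are handed to the tool in swapped order; I would make the labels match the stores, `ar_nr_responses[2], // NR_1` and `ar_nr_responses[3], // AR_1` (likewise for `[6]`/`[7]`), after confirming the argument order mfkey32v2 expects, which is not visible here. Hard-coding `.exe` into a hint printed by the firmware is also platform-specific; `../tools/mfkey/mfkey32v2` without the suffix matches the previous wording. The enclosing function continues outside the hunk.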
@@ -1191,6 +1191,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 					memset(ar_nr_responses, 0x00, len);
 				}
 			}
+			
 		} else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
 		} else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
 			if ( tagType == 7 ) {
@@ -1572,7 +1573,7 @@ int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded) {
 	b = AT91C_BASE_SSC->SSC_RHR; (void) b;
 	
 	// wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
-	for (uint16_t j = 0; j < 5; j++) {	// allow timeout - better late than never
+	for (uint8_t j = 0; j < 5; j++) {	// allow timeout - better late than never
 		while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
 		if (AT91C_BASE_SSC->SSC_RHR) break;
 	}
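Review bot: The `allow timeout - better late than never` comment on the changed loop does not match its body: the inner `while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));` spins unbounded, so the outer counter only limits how many words are consumed, not how long the wait can take. If RXRDY never asserts the simulator hangs here; a bounded inner spin with a `break` on expiry, or at least a comment stating that the inner wait is unbounded, would make the intent honest. The uint16_t to uint8_t change itself is harmless for a bound of 5. EmSendCmd14443aRaw continues outside the hunk.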
@@ -2535,6 +2536,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 		}
 			
 		// REQ or WUP request in ANY state and WUP in HALTED state
+		// this if-statement doesn't match the specification above. (iceman)
 		if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
 			selTimer = GetTickCount();
 			EmSendCmdEx(atqa, sizeof(atqa), (receivedCmd[0] == ISO14443A_CMD_WUPA));
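Review bot: The added comment `this if-statement doesn't match the specification above. (iceman)` does not say what the mismatch is, and as far as the visible lines show the condition does implement the line above it: REQA is accepted only when cardSTATE is not MFEMUL_HALTED and WUPA in any state. If a discrepancy is known, the comment should state which state/command combination is handled wrongly, or be replaced by a precise description such as `// REQA in any state except HALTED; WUPA in any state (incl. HALTED)`; an open-ended signed doubt tends to stay in the code indefinitely. Mifare1ksim continues outside the hunk.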
@@ -2976,8 +2978,12 @@ void RAMFUNC SniffMifare(uint8_t param) {
 	// Set up the demodulator for the reader -> tag commands
 	UartInit(receivedCmd, receivedCmdPar);
 
-	 // set transfer address and number of bytes. Start transfer.
-	FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+	// Setup and start DMA.
+	// set transfer address and number of bytes. Start transfer.
+	if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+		if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+		return;
+	}
 
 	LED_D_OFF();
 
@@ -3004,7 +3010,11 @@ void RAMFUNC SniffMifare(uint8_t param) {
 				maxDataLen = 0;
 				ReaderIsActive = FALSE;
 				TagIsActive = FALSE;
-				FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
+				// Setup and start DMA. set transfer address and number of bytes. Start transfer.
+				if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+					if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); 
+					return;
+				}				
 			}
 		}