X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/9ca155ba443e8f2a9feb7640f4b461842cce9e35..713e7ffbc791bc34250e145b88db44786f22e81e:/armsrc/iso14443a.c diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index fb50cc82..6c219f30 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -26,11 +26,11 @@ static int rsamples = 0; static int tracing = TRUE; static uint32_t iso14a_timeout; -// CARD TO READER +// CARD TO READER - manchester // Sequence D: 11110000 modulation with subcarrier during first half // Sequence E: 00001111 modulation with subcarrier during second half // Sequence F: 00000000 no modulation with subcarrier -// READER TO CARD +// READER TO CARD - miller // Sequence X: 00001100 drop after half a period // Sequence Y: 00000000 no drop // Sequence Z: 11000000 drop at start @@ -60,18 +60,18 @@ static const uint8_t OddByteParity[256] = { 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1 }; -// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT -#define RECV_CMD_OFFSET 3032 -#define RECV_RES_OFFSET 3096 -#define DMA_BUFFER_OFFSET 3160 -#define DMA_BUFFER_SIZE 4096 -#define TRACE_LENGTH 3000 - uint8_t trigger = 0; void iso14a_set_trigger(int enable) { trigger = enable; } +void iso14a_clear_tracelen(void) { + traceLen = 0; +} +void iso14a_set_tracing(int enable) { + tracing = enable; +} + //----------------------------------------------------------------------------- // Generate the parity value for a byte sequence // @@ -784,12 +784,11 @@ done: //----------------------------------------------------------------------------- // Prepare tag messages //----------------------------------------------------------------------------- -static void CodeIso14443aAsTag(const uint8_t *cmd, int len) +static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity) { - int i; - int oddparity; + int i; - ToSendReset(); + ToSendReset(); // Correction bit, might be removed when not needed ToSendStuffBit(0); @@ -800,55 +799,47 @@ static void CodeIso14443aAsTag(const uint8_t *cmd, int len) ToSendStuffBit(0); ToSendStuffBit(0); ToSendStuffBit(0); - + // Send startbit ToSend[++ToSendMax] = SEC_D; - for(i = 0; i < len; i++) { - int j; - uint8_t b = cmd[i]; + for(i = 0; i < len; i++) { + int j; + uint8_t b = cmd[i]; // Data bits - oddparity = 0x01; for(j = 0; j < 8; j++) { - oddparity ^= (b & 1); if(b & 1) { ToSend[++ToSendMax] = SEC_D; } else { ToSend[++ToSendMax] = SEC_E; - } - b >>= 1; - } + } + b >>= 1; + } - // Parity bit - if(oddparity) { - ToSend[++ToSendMax] = SEC_D; + // Get the parity bit + if ((dwParity >> i) & 0x01) { + ToSend[++ToSendMax] = SEC_D; } else { ToSend[++ToSendMax] = SEC_E; } - } - - // Send stopbit - ToSend[++ToSendMax] = SEC_F; - - // Flush the buffer in FPGA!! - for(i = 0; i < 5; i++) { - ToSend[++ToSendMax] = SEC_F; } - // Convert from last byte pos to length - ToSendMax++; + // Send stopbit + ToSend[++ToSendMax] = SEC_F; + + // Convert from last byte pos to length + ToSendMax++; +} - // Add a few more for slop - ToSend[ToSendMax++] = 0x00; - ToSend[ToSendMax++] = 0x00; - //ToSendMax += 2; +static void CodeIso14443aAsTag(const uint8_t *cmd, int len){ + CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len)); } //----------------------------------------------------------------------------- // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4 //----------------------------------------------------------------------------- -static void CodeStrangeAnswer() +static void CodeStrangeAnswerAsTag() { int i; @@ -886,11 +877,47 @@ static void CodeStrangeAnswer() // Convert from last byte pos to length ToSendMax++; +} + +static void Code4bitAnswerAsTag(uint8_t cmd) +{ + int i; + + ToSendReset(); + + // Correction bit, might be removed when not needed + ToSendStuffBit(0); + ToSendStuffBit(0); + ToSendStuffBit(0); + ToSendStuffBit(0); + ToSendStuffBit(1); // 1 + ToSendStuffBit(0); + ToSendStuffBit(0); + ToSendStuffBit(0); + + // Send startbit + ToSend[++ToSendMax] = SEC_D; + + uint8_t b = cmd; + for(i = 0; i < 4; i++) { + if(b & 1) { + ToSend[++ToSendMax] = SEC_D; + } else { + ToSend[++ToSendMax] = SEC_E; + } + b >>= 1; + } + + // Send stopbit + ToSend[++ToSendMax] = SEC_F; + + // Flush the buffer in FPGA!! + for(i = 0; i < 5; i++) { + ToSend[++ToSendMax] = SEC_F; + } - // Add a few more for slop - ToSend[ToSendMax++] = 0x00; - ToSend[ToSendMax++] = 0x00; - //ToSendMax += 2; + // Convert from last byte pos to length + ToSendMax++; } //----------------------------------------------------------------------------- @@ -1063,7 +1090,7 @@ ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]); memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax; // Strange answer is an example of rare message size (3 bits) - CodeStrangeAnswer(); + CodeStrangeAnswerAsTag(); memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax; // Authentication answer (random nonce) @@ -1469,10 +1496,12 @@ static int EmGetCmd(uint8_t *received, int *len, int maxLen) volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; if(MillerDecoding((b & 0xf0) >> 4)) { *len = Uart.byteCnt; + if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE); return 0; } if(MillerDecoding(b & 0x0f)) { *len = Uart.byteCnt; + if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE); return 0; } } @@ -1504,7 +1533,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded) } if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { if(i > respLen) { - b = 0x00; + b = 0xff; // was 0x00 u++; } else { b = resp[i]; @@ -1522,13 +1551,34 @@ static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded) return 0; } -static int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){ - CodeIso14443aAsTag(resp, respLen); - return EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded); +int EmSend4bitEx(uint8_t resp, int correctionNeeded){ + Code4bitAnswerAsTag(resp); + int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded); + if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE); + return res; +} + +int EmSend4bit(uint8_t resp){ + return EmSend4bitEx(resp, 0); +} + +int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){ + CodeIso14443aAsTagPar(resp, respLen, par); + int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded); + if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE); + return res; +} + +int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){ + return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen)); } -static int EmSendCmd(uint8_t *resp, int respLen){ - return EmSendCmdEx(resp, respLen, 0); +int EmSendCmd(uint8_t *resp, int respLen){ + return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen)); +} + +int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){ + return EmSendCmdExPar(resp, respLen, 0, par); } //----------------------------------------------------------------------------- @@ -1924,597 +1974,6 @@ void ReaderMifare(uint32_t parameter) if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED"); } -//----------------------------------------------------------------------------- -// Select, Authenticaate, Read an MIFARE tag. -// read block -//----------------------------------------------------------------------------- -void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) -{ - // params - uint8_t blockNo = arg0; - uint8_t keyType = arg1; - uint64_t ui64Key = 0; - ui64Key = bytes_to_num(datain, 6); - - // variables - byte_t isOK = 0; - byte_t dataoutbuf[16]; - uint8_t uid[8]; - uint32_t cuid; - struct Crypto1State mpcs = {0, 0}; - struct Crypto1State *pcs; - pcs = &mpcs; - - // clear trace - traceLen = 0; -// tracing = false; - - iso14443a_setup(); - - LED_A_ON(); - LED_B_OFF(); - LED_C_OFF(); - - while (true) { - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; - - if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth error"); - break; - }; - - if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block error"); - break; - }; - - if(mifare_classic_halt(pcs, cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); - break; - }; - - isOK = 1; - break; - } - - // ----------------------------- crypto1 destroy - crypto1_destroy(pcs); - - if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED"); - - // add trace trailer - uid[0] = 0xff; - uid[1] = 0xff; - uid[2] = 0xff; - uid[3] = 0xff; - LogTrace(uid, 4, 0, 0, TRUE); - - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - memcpy(ack.d.asBytes, dataoutbuf, 16); - - LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); - - - // Thats it... - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - LEDsoff(); -// tracing = TRUE; - -} - -//----------------------------------------------------------------------------- -// Select, Authenticaate, Read an MIFARE tag. -// read sector (data = 4 x 16 bytes = 64 bytes) -//----------------------------------------------------------------------------- -void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) -{ - // params - uint8_t sectorNo = arg0; - uint8_t keyType = arg1; - uint64_t ui64Key = 0; - ui64Key = bytes_to_num(datain, 6); - - // variables - byte_t isOK = 0; - byte_t dataoutbuf[16 * 4]; - uint8_t uid[8]; - uint32_t cuid; - struct Crypto1State mpcs = {0, 0}; - struct Crypto1State *pcs; - pcs = &mpcs; - - // clear trace - traceLen = 0; -// tracing = false; - - iso14443a_setup(); - - LED_A_ON(); - LED_B_OFF(); - LED_C_OFF(); - - while (true) { - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; - - if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth error"); - break; - }; - - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error"); - break; - }; - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error"); - break; - }; - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error"); - break; - }; - if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error"); - break; - }; - - if(mifare_classic_halt(pcs, cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); - break; - }; - - isOK = 1; - break; - } - - // ----------------------------- crypto1 destroy - crypto1_destroy(pcs); - - if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED"); - - // add trace trailer - uid[0] = 0xff; - uid[1] = 0xff; - uid[2] = 0xff; - uid[3] = 0xff; - LogTrace(uid, 4, 0, 0, TRUE); - - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - memcpy(ack.d.asBytes, dataoutbuf, 16 * 2); - - LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - - SpinDelay(100); - - memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); - - // Thats it... - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - LEDsoff(); -// tracing = TRUE; - -} - -//----------------------------------------------------------------------------- -// Select, Authenticaate, Read an MIFARE tag. -// read block -//----------------------------------------------------------------------------- -void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) -{ - // params - uint8_t blockNo = arg0; - uint8_t keyType = arg1; - uint64_t ui64Key = 0; - byte_t blockdata[16]; - - ui64Key = bytes_to_num(datain, 6); - memcpy(blockdata, datain + 10, 16); - - // variables - byte_t isOK = 0; - uint8_t uid[8]; - uint32_t cuid; - struct Crypto1State mpcs = {0, 0}; - struct Crypto1State *pcs; - pcs = &mpcs; - - // clear trace - traceLen = 0; -// tracing = false; - - iso14443a_setup(); - - LED_A_ON(); - LED_B_OFF(); - LED_C_OFF(); - - while (true) { - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; - - if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth error"); - break; - }; - - if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Write block error"); - break; - }; - - if(mifare_classic_halt(pcs, cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); - break; - }; - - isOK = 1; - break; - } - - // ----------------------------- crypto1 destroy - crypto1_destroy(pcs); - - if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED"); - - // add trace trailer - uid[0] = 0xff; - uid[1] = 0xff; - uid[2] = 0xff; - uid[3] = 0xff; - LogTrace(uid, 4, 0, 0, TRUE); - - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - - LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); - - - // Thats it... - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - LEDsoff(); -// tracing = TRUE; - -} - -// Return 1 if the nonce is invalid else return 0 -int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) { - return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \ - (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \ - (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0; -} - - -//----------------------------------------------------------------------------- -// MIFARE nested authentication. -// -//----------------------------------------------------------------------------- -void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) -{ - // params - uint8_t blockNo = arg0; - uint8_t keyType = arg1; - uint8_t targetBlockNo = arg2 & 0xff; - uint8_t targetKeyType = (arg2 >> 8) & 0xff; - uint64_t ui64Key = 0; - - ui64Key = bytes_to_num(datain, 6); - - // variables - int rtr, i, j, m, len; - int davg, dmin, dmax; - uint8_t uid[8]; - uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1; - uint8_t par_array[4]; - nestedVector nvector[NES_MAX_INFO + 1][10]; - int nvectorcount[NES_MAX_INFO + 1]; - int ncount = 0; - UsbCommand ack = {CMD_ACK, {0, 0, 0}}; - struct Crypto1State mpcs = {0, 0}; - struct Crypto1State *pcs; - pcs = &mpcs; - uint8_t* receivedAnswer = mifare_get_bigbufptr(); - - //init - for (i = 0; i < NES_MAX_INFO + 1; i++) nvectorcount[i] = 11; // 11 - empty block; - - // clear trace - traceLen = 0; - tracing = false; - - iso14443a_setup(); - - LED_A_ON(); - LED_B_ON(); - LED_C_OFF(); - - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); - - davg = dmax = 0; - dmin = 2000; - - // test nonce distance - for (rtr = 0; rtr < 10; rtr++) { - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(100); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - - // Test if the action was cancelled - if(BUTTON_PRESS()) { - break; - } - - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; - - if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error"); - break; - }; - - if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error"); - break; - }; - - nttmp = prng_successor(nt1, 500); - for (i = 501; i < 2000; i++) { - nttmp = prng_successor(nttmp, 1); - if (nttmp == nt2) break; - } - - if (i != 2000) { - davg += i; - if (dmin > i) dmin = i; - if (dmax < i) dmax = i; - if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2=%08x distance=%d", rtr, nt1, nt2, i); - } - } - - if (rtr == 0) return; - - davg = davg / rtr; - if (MF_DBGLEVEL >= 3) Dbprintf("distance: min=%d max=%d avg=%d", dmin, dmax, davg); - - LED_B_OFF(); - -// ------------------------------------------------------------------------------------------------- - - LED_C_ON(); - - // get crypted nonces for target sector - for (rtr = 0; rtr < NS_RETRIES_GETNONCE; rtr++) { - if (MF_DBGLEVEL >= 4) Dbprintf("------------------------------"); - - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(100); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - - // Test if the action was cancelled - if(BUTTON_PRESS()) { - break; - } - - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; - - if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error"); - break; - }; - - // nested authentication - len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par); - if (len != 4) { - if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error len=%d", len); - break; - }; - - nt2 = bytes_to_num(receivedAnswer, 4); - if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2enc=%08x nt2par=%08x", rtr, nt1, nt2, par); - - // Parity validity check - for (i = 0; i < 4; i++) { - par_array[i] = (oddparity(receivedAnswer[i]) != ((par & 0x08) >> 3)); - par = par << 1; - } - - ncount = 0; - for (m = dmin - NS_TOLERANCE; m < dmax + NS_TOLERANCE; m++) { - nttest = prng_successor(nt1, m); - ks1 = nt2 ^ nttest; - - if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)){ - - nvector[NES_MAX_INFO][ncount].nt = nttest; - nvector[NES_MAX_INFO][ncount].ks1 = ks1; - ncount++; - nvectorcount[NES_MAX_INFO] = ncount; - if (MF_DBGLEVEL >= 4) Dbprintf("valid m=%d ks1=%08x nttest=%08x", m, ks1, nttest); - } - - } - - // select vector with length less than got - if (nvectorcount[NES_MAX_INFO] != 0) { - m = NES_MAX_INFO; - - for (i = 0; i < NES_MAX_INFO; i++) - if (nvectorcount[i] > 10) { - m = i; - break; - } - - if (m == NES_MAX_INFO) - for (i = 0; i < NES_MAX_INFO; i++) - if (nvectorcount[NES_MAX_INFO] < nvectorcount[i]) { - m = i; - break; - } - - if (m != NES_MAX_INFO) { - for (i = 0; i < nvectorcount[m]; i++) { - nvector[m][i] = nvector[NES_MAX_INFO][i]; - } - nvectorcount[m] = nvectorcount[NES_MAX_INFO]; - } - } - } - - LED_C_OFF(); - - // ----------------------------- crypto1 destroy - crypto1_destroy(pcs); - - // add trace trailer - uid[0] = 0xff; - uid[1] = 0xff; - uid[2] = 0xff; - uid[3] = 0xff; - LogTrace(uid, 4, 0, 0, TRUE); - - for (i = 0; i < NES_MAX_INFO; i++) { - if (nvectorcount[i] > 10) continue; - - for (j = 0; j < nvectorcount[i]; j += 5) { - ncount = nvectorcount[i] - j; - if (ncount > 5) ncount = 5; - - ack.arg[0] = 0; // isEOF = 0 - ack.arg[1] = ncount; - ack.arg[2] = targetBlockNo + (targetKeyType * 0x100); - memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes)); - - memcpy(ack.d.asBytes, &cuid, 4); - for (m = 0; m < ncount; m++) { - memcpy(ack.d.asBytes + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4); - memcpy(ack.d.asBytes + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4); - } - - LED_B_ON(); - SpinDelay(100); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); - } - } - - // finalize list - ack.arg[0] = 1; // isEOF = 1 - ack.arg[1] = 0; - ack.arg[2] = 0; - memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes)); - - LED_B_ON(); - SpinDelay(300); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); - - if (MF_DBGLEVEL >= 4) DbpString("NESTED FINISHED"); - - // Thats it... - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - LEDsoff(); - - tracing = TRUE; -} - -//----------------------------------------------------------------------------- -// MIFARE check keys. key count up to 8. -// -//----------------------------------------------------------------------------- -void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) -{ - // params - uint8_t blockNo = arg0; - uint8_t keyType = arg1; - uint8_t keyCount = arg2; - uint64_t ui64Key = 0; - - // variables - int i; - byte_t isOK = 0; - uint8_t uid[8]; - uint32_t cuid; - struct Crypto1State mpcs = {0, 0}; - struct Crypto1State *pcs; - pcs = &mpcs; - - // clear debug level - int OLD_MF_DBGLEVEL = MF_DBGLEVEL; - MF_DBGLEVEL = MF_DBG_NONE; - - // clear trace - traceLen = 0; - tracing = TRUE; - - iso14443a_setup(); - - LED_A_ON(); - LED_B_OFF(); - LED_C_OFF(); - - SpinDelay(300); - for (i = 0; i < keyCount; i++) { - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(100); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - - if(!iso14443a_select_card(uid, NULL, &cuid)) { - if (OLD_MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); - break; - }; - - ui64Key = bytes_to_num(datain + i * 6, 6); - if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) { - continue; - }; - - isOK = 1; - break; - } - - // ----------------------------- crypto1 destroy - crypto1_destroy(pcs); - - // add trace trailer - uid[0] = 0xff; - uid[1] = 0xff; - uid[2] = 0xff; - uid[3] = 0xff; - LogTrace(uid, 4, 0, 0, TRUE); - - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - if (isOK) memcpy(ack.d.asBytes, datain + i * 6, 6); - - LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); - - // Thats it... - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - LEDsoff(); - - // restore debug level - MF_DBGLEVEL = OLD_MF_DBGLEVEL; -} //----------------------------------------------------------------------------- // MIFARE 1K simulate. @@ -2523,34 +1982,74 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) { int cardSTATE = MFEMUL_NOFIELD; + int _7BUID = 0; int vHf = 0; // in mV + int nextCycleTimeout = 0; int res; - uint32_t timer = 0; +// uint32_t timer = 0; + uint32_t selTimer = 0; + uint32_t authTimer = 0; + uint32_t par = 0; int len = 0; + uint8_t cardWRBL = 0; uint8_t cardAUTHSC = 0; uint8_t cardAUTHKEY = 0xff; // no authentication + uint32_t cardRn = 0; + uint32_t cardRr = 0; uint32_t cuid = 0; + uint32_t rn_enc = 0; + uint32_t ans = 0; + uint32_t cardINTREG = 0; + uint8_t cardINTBLOCK = 0; struct Crypto1State mpcs = {0, 0}; struct Crypto1State *pcs; pcs = &mpcs; - uint64_t key64 = 0xffffffffffffULL; - - uint8_t* receivedCmd = mifare_get_bigbufptr(); + uint8_t* receivedCmd = eml_get_bigbufptr_recbuf(); + uint8_t *response = eml_get_bigbufptr_sendbuf(); - static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k + static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID - static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; - static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!! + static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; + static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!! - static uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; + static uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; + static uint8_t rSAK1[] = {0x04, 0xda, 0x17}; static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04}; +// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f}; + static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; + + // clear trace + traceLen = 0; + tracing = true; + + // Authenticate response - nonce + uint32_t nonce = bytes_to_num(rAUTH_NT, 4); -// -------------------------------------- test area + // get UID from emul memory + emlGetMemBt(receivedCmd, 7, 1); + _7BUID = !(receivedCmd[0] == 0x00); + if (!_7BUID) { // ---------- 4BUID + rATQA[0] = 0x04; + + emlGetMemBt(rUIDBCC1, 0, 4); + rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; + } else { // ---------- 7BUID + rATQA[0] = 0x44; + + rUIDBCC1[0] = 0x88; + emlGetMemBt(&rUIDBCC1[1], 0, 3); + rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; + emlGetMemBt(rUIDBCC2, 3, 4); + rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; + } +// -------------------------------------- test area // -------------------------------------- END test area + // start mkseconds counter + StartCountUS(); // We need to listen to the high-frequency, peak-detected path. SetAdcMuxFor(GPIO_MUXSEL_HIPKD); @@ -2559,11 +2058,15 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); SpinDelay(200); -Dbprintf("--> start"); + if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID); + // calibrate mkseconds counter + GetDeltaCountUS(); while (true) { WDT_HIT(); -// timer = GetTickCount(); -// Dbprintf("time: %d", GetTickCount() - timer); + + if(BUTTON_PRESS()) { + break; + } // find reader field // Vref = 3300mV, and an 10:1 voltage divider on the input @@ -2571,13 +2074,13 @@ Dbprintf("--> start"); if (cardSTATE == MFEMUL_NOFIELD) { vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10; if (vHf > MF_MINFIELDV) { - cardSTATE = MFEMUL_IDLE; + cardSTATE_TO_IDLE(); LED_A_ON(); } } if (cardSTATE != MFEMUL_NOFIELD) { - res = EmGetCmd(receivedCmd, &len, 100); + res = EmGetCmd(receivedCmd, &len, 100); // (+ nextCycleTimeout) if (res == 2) { cardSTATE = MFEMUL_NOFIELD; LEDsoff(); @@ -2586,98 +2089,309 @@ Dbprintf("--> start"); if(res) break; } - if(BUTTON_PRESS()) { - break; - } - + nextCycleTimeout = 0; + // if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]); + + if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication + // REQ or WUP request in ANY state and WUP in HALTED state + if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) { + selTimer = GetTickCount(); + EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52)); + cardSTATE = MFEMUL_SELECT1; + + // init crypto block + LED_B_OFF(); + LED_C_OFF(); + crypto1_destroy(pcs); + cardAUTHKEY = 0xff; + } + } switch (cardSTATE) { case MFEMUL_NOFIELD:{ break; } case MFEMUL_HALTED:{ - // WUP request - if (!(len == 1 && receivedCmd[0] == 0x52)) break; + break; } case MFEMUL_IDLE:{ - // REQ or WUP request - if (len == 1 && (receivedCmd[0] == 0x26 || receivedCmd[0] == 0x52)) { -timer = GetTickCount(); - EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52)); - cardSTATE = MFEMUL_SELECT1; - - // init crypto block - crypto1_destroy(pcs); - cardAUTHKEY = 0xff; - } break; } case MFEMUL_SELECT1:{ // select all if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) { EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1)); - - if (rUIDBCC1[0] == 0x88) { - cardSTATE = MFEMUL_SELECT2; - } + break; } // select card - if (len == 9 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70)) { - EmSendCmd(rSAK, sizeof(rSAK)); + if (len == 9 && + (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) { + if (!_7BUID) + EmSendCmd(rSAK, sizeof(rSAK)); + else + EmSendCmd(rSAK1, sizeof(rSAK1)); cuid = bytes_to_num(rUIDBCC1, 4); - cardSTATE = MFEMUL_WORK; - LED_B_ON(); -Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - timer); + if (!_7BUID) { + cardSTATE = MFEMUL_WORK; + LED_B_ON(); + if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer); + break; + } else { + cardSTATE = MFEMUL_SELECT2; + break; + } } break; } case MFEMUL_SELECT2:{ + if (!len) break; + + if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) { EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2)); + break; + } + + // select 2 card + if (len == 9 && + (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) { + EmSendCmd(rSAK, sizeof(rSAK)); - cuid = bytes_to_num(rUIDBCC2, 4); + cuid = bytes_to_num(rUIDBCC2, 4); + cardSTATE = MFEMUL_WORK; + LED_B_ON(); + if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer); + break; + } + + // i guess there is a command). go into the work state. + if (len != 4) break; cardSTATE = MFEMUL_WORK; - LED_B_ON(); -Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - timer); - break; + goto lbWORK; } case MFEMUL_AUTH1:{ -if (len) Dbprintf("au1 len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]); if (len == 8) { - + // --- crypto + rn_enc = bytes_to_num(receivedCmd, 4); + cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1); + cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0); + // test if auth OK + if (cardRr != prng_successor(nonce, 64)){ + if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64)); + cardSTATE_TO_IDLE(); + break; + } + ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0); + num_to_bytes(ans, 4, rAUTH_AT); + // --- crypto + EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); + cardSTATE = MFEMUL_AUTH2; + } else { + cardSTATE_TO_IDLE(); } - break; + if (cardSTATE != MFEMUL_AUTH2) break; } case MFEMUL_AUTH2:{ - LED_C_ON(); -Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - timer); + cardSTATE = MFEMUL_WORK; + if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer); break; } case MFEMUL_WORK:{ - // auth - if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) { -timer = GetTickCount(); - crypto1_create(pcs, key64); -// if (cardAUTHKEY == 0xff) { // first auth - crypto1_word(pcs, cuid ^ bytes_to_num(rAUTH_NT, 4), 0); // uid ^ nonce -// } else { // nested auth -// } - - EmSendCmd(rAUTH_NT, sizeof(rAUTH_NT)); - cardAUTHSC = receivedCmd[1]; - cardAUTHKEY = receivedCmd[0] - 0x60; - cardSTATE = MFEMUL_AUTH1; +lbWORK: if (len == 0) break; + + if (cardAUTHKEY == 0xff) { + // first authentication + if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) { + authTimer = GetTickCount(); + + cardAUTHSC = receivedCmd[1] / 4; // received block num + cardAUTHKEY = receivedCmd[0] - 0x60; + + // --- crypto + crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); + ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); + num_to_bytes(nonce, 4, rAUTH_AT); + EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); + // --- crypto + +// last working revision +// EmSendCmd14443aRaw(resp1, resp1Len, 0); +// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true); + + cardSTATE = MFEMUL_AUTH1; + nextCycleTimeout = 10; + break; + } + } else { + // decrypt seqence + mf_crypto1_decrypt(pcs, receivedCmd, len); + + // nested authentication + if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) { + authTimer = GetTickCount(); + + cardAUTHSC = receivedCmd[1] / 4; // received block num + cardAUTHKEY = receivedCmd[0] - 0x60; + + // --- crypto + crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); + ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); + num_to_bytes(ans, 4, rAUTH_AT); + EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); + // --- crypto + + cardSTATE = MFEMUL_AUTH1; + nextCycleTimeout = 10; + break; + } + } + + // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued + // BUT... ACK --> NACK + if (len == 1 && receivedCmd[0] == CARD_ACK) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; } + // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK) + if (len == 1 && receivedCmd[0] == CARD_NACK_NA) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); + break; + } + + // read block + if (len == 4 && receivedCmd[0] == 0x30) { + if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; + } + emlGetMem(response, receivedCmd[1], 1); + AppendCrc14443a(response, 16); + mf_crypto1_encrypt(pcs, response, 18, &par); + EmSendCmdPar(response, 18, par); + break; + } + + // write block + if (len == 4 && receivedCmd[0] == 0xA0) { + if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; + } + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); + nextCycleTimeout = 50; + cardSTATE = MFEMUL_WRITEBL2; + cardWRBL = receivedCmd[1]; + break; + } + + // works with cardINTREG + + // increment, decrement, restore + if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) { + if (receivedCmd[1] >= 16 * 4 || + receivedCmd[1] / 4 != cardAUTHSC || + emlCheckValBl(receivedCmd[1])) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; + } + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); + if (receivedCmd[0] == 0xC1) + cardSTATE = MFEMUL_INTREG_INC; + if (receivedCmd[0] == 0xC0) + cardSTATE = MFEMUL_INTREG_DEC; + if (receivedCmd[0] == 0xC2) + cardSTATE = MFEMUL_INTREG_REST; + cardWRBL = receivedCmd[1]; + + break; + } + + + // transfer + if (len == 4 && receivedCmd[0] == 0xB0) { + if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; + } + + if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1])) + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + else + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); + + break; + } + // halt - if (len == 4 && (receivedCmd[0] == 0x50 || receivedCmd[0] == 0x00)) { - cardSTATE = MFEMUL_HALTED; + if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) { LED_B_OFF(); + LED_C_OFF(); + cardSTATE = MFEMUL_HALTED; + if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer); + break; } + + // command not allowed + if (len == 4) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; + } + + // case break + break; + } + case MFEMUL_WRITEBL2:{ + if (len == 18){ + mf_crypto1_decrypt(pcs, receivedCmd, len); + emlSetMem(receivedCmd, cardWRBL, 1); + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); + cardSTATE = MFEMUL_WORK; + break; + } else { + cardSTATE_TO_IDLE(); + break; + } + break; + } + + case MFEMUL_INTREG_INC:{ + mf_crypto1_decrypt(pcs, receivedCmd, len); + memcpy(&ans, receivedCmd, 4); + if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + cardSTATE_TO_IDLE(); + break; + } + cardINTREG = cardINTREG + ans; + cardSTATE = MFEMUL_WORK; + break; + } + case MFEMUL_INTREG_DEC:{ + mf_crypto1_decrypt(pcs, receivedCmd, len); + memcpy(&ans, receivedCmd, 4); + if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + cardSTATE_TO_IDLE(); + break; + } + cardINTREG = cardINTREG - ans; + cardSTATE = MFEMUL_WORK; + break; + } + case MFEMUL_INTREG_REST:{ + mf_crypto1_decrypt(pcs, receivedCmd, len); + memcpy(&ans, receivedCmd, 4); + if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + cardSTATE_TO_IDLE(); + break; + } + cardSTATE = MFEMUL_WORK; break; } @@ -2688,5 +2402,9 @@ timer = GetTickCount(); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); - DbpString("Emulator stopped."); + // add trace trailer + memset(rAUTH_NT, 0x44, 4); + LogTrace(rAUTH_NT, 4, 0, 0, TRUE); + + if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen); }