X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/db4de4d82f2e4539b2528e604b7d82f79cc92f3a..55eaed8f2ad26b9db249e2259c13444c38906795:/armsrc/iclass.c diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 28bdb3bc..64abc84a 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -433,7 +433,6 @@ static RAMFUNC int ManchesterDecoding(int v) else { modulation = bit & Demod.syncBit; modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; - //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; Demod.samples += 4; @@ -688,7 +687,8 @@ void RAMFUNC SnoopIClass(void) SetAdcMuxFor(GPIO_MUXSEL_HIPKD); uint32_t time_0 = GetCountSspClk(); - + uint32_t time_start = 0; + uint32_t time_stop = 0; int div = 0; //int div2 = 0; @@ -739,6 +739,7 @@ void RAMFUNC SnoopIClass(void) smpl = decbyter; if(OutOfNDecoding((smpl & 0xF0) >> 4)) { rsamples = samples - Uart.samples; + time_stop = (GetCountSspClk()-time_0) << 4; LED_C_ON(); //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break; @@ -746,7 +747,7 @@ void RAMFUNC SnoopIClass(void) if(tracing) { uint8_t parity[MAX_PARITY_SIZE]; GetParity(Uart.output, Uart.byteCnt, parity); - LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, TRUE); + LogTrace(Uart.output,Uart.byteCnt, time_start, time_stop, parity, TRUE); } @@ -757,6 +758,8 @@ void RAMFUNC SnoopIClass(void) Demod.state = DEMOD_UNSYNCD; LED_B_OFF(); Uart.byteCnt = 0; + }else{ + time_start = (GetCountSspClk()-time_0) << 4; } decbyter = 0; } @@ -764,21 +767,24 @@ void RAMFUNC SnoopIClass(void) if(div > 3) { smpl = decbyte; if(ManchesterDecoding(smpl & 0x0F)) { - rsamples = samples - Demod.samples; + time_stop = (GetCountSspClk()-time_0) << 4; + + rsamples = samples - Demod.samples; LED_B_ON(); if(tracing) { uint8_t parity[MAX_PARITY_SIZE]; GetParity(Demod.output, Demod.len, parity); - LogTrace(Demod.output, Demod.len, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, FALSE); + LogTrace(Demod.output, Demod.len, time_start, time_stop, parity, FALSE); } - // And ready to receive another response. memset(&Demod, 0, sizeof(Demod)); Demod.output = tagToReaderResponse; Demod.state = DEMOD_UNSYNCD; LED_C_OFF(); + }else{ + time_start = (GetCountSspClk()-time_0) << 4; } div = 0; @@ -842,10 +848,7 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen) } if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - /*if(OutOfNDecoding((b & 0xf0) >> 4)) { - *len = Uart.byteCnt; - return TRUE; - }*/ + if(OutOfNDecoding(b & 0x0f)) { *len = Uart.byteCnt; return TRUE; @@ -932,6 +935,7 @@ static void CodeIClassTagSOF() // Convert from last byte pos to length ToSendMax++; } + int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf); /** * @brief SimulateIClass simulates an iClass card. @@ -1002,8 +1006,8 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf) { - // CSN followed by two CRC bytes + uint8_t response1[] = { 0x0F} ; uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0}; memcpy(response3,csn,sizeof(response3)); @@ -1026,11 +1030,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader // Reader 81 anticoll. CSN // Tag CSN - uint8_t *resp; - int respLen; - uint8_t* respdata = NULL; - int respsize = 0; - uint8_t sof = 0x0f; + uint8_t *modulated_response; + int modulated_response_size; + uint8_t* trace_data = NULL; + int trace_data_size = 0; + //uint8_t sof = 0x0f; // Respond SOF -- takes 8 bytes uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); @@ -1095,17 +1099,13 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader LED_A_ON(); bool buttonPressed = false; - /** Hack for testing - memcpy(reader_mac_buf,csn,8); - exitLoop = true; - end hack **/ - while(!exitLoop) { LED_B_OFF(); //Signal tracer // Can be used to get a trigger for an oscilloscope.. LED_C_OFF(); + if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) { buttonPressed = true; break; @@ -1117,35 +1117,35 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader // Okay, look at the command now. if(receivedCmd[0] == 0x0a ) { // Reader in anticollission phase - resp = resp1; respLen = resp1Len; //order = 1; - respdata = &sof; - respsize = sizeof(sof); + modulated_response = resp1; modulated_response_size = resp1Len; //order = 1; + trace_data = response1; + trace_data_size = sizeof(response1); } else if(receivedCmd[0] == 0x0c) { // Reader asks for anticollission CSN - resp = resp2; respLen = resp2Len; //order = 2; - respdata = response2; - respsize = sizeof(response2); + modulated_response = resp2; modulated_response_size = resp2Len; //order = 2; + trace_data = response2; + trace_data_size = sizeof(response2); //DbpString("Reader requests anticollission CSN:"); } else if(receivedCmd[0] == 0x81) { // Reader selects anticollission CSN. // Tag sends the corresponding real CSN - resp = resp3; respLen = resp3Len; //order = 3; - respdata = response3; - respsize = sizeof(response3); + modulated_response = resp3; modulated_response_size = resp3Len; //order = 3; + trace_data = response3; + trace_data_size = sizeof(response3); //DbpString("Reader selects anticollission CSN:"); } else if(receivedCmd[0] == 0x88) { // Read e-purse (88 02) - resp = resp4; respLen = resp4Len; //order = 4; - respdata = response4; - respsize = sizeof(response4); + modulated_response = resp4; modulated_response_size = resp4Len; //order = 4; + trace_data = response4; + trace_data_size = sizeof(response4); LED_B_ON(); } else if(receivedCmd[0] == 0x05) { // Reader random and reader MAC!!! // Do not respond // We do not know what to answer, so lets keep quiet - resp = resp1; respLen = 0; //order = 5; - respdata = NULL; - respsize = 0; + modulated_response = resp1; modulated_response_size = 0; //order = 5; + trace_data = NULL; + trace_data_size = 0; if (breakAfterMacReceived){ // dbprintf:ing ... Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x" @@ -1162,9 +1162,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader } } else if(receivedCmd[0] == 0x00 && len == 1) { // Reader ends the session - resp = resp1; respLen = 0; //order = 0; - respdata = NULL; - respsize = 0; + modulated_response = resp1; modulated_response_size = 0; //order = 0; + trace_data = NULL; + trace_data_size = 0; } else { //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44 // Never seen this command before @@ -1174,9 +1174,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader receivedCmd[3], receivedCmd[4], receivedCmd[5], receivedCmd[6], receivedCmd[7], receivedCmd[8]); // Do not respond - resp = resp1; respLen = 0; //order = 0; - respdata = NULL; - respsize = 0; + modulated_response = resp1; modulated_response_size = 0; //order = 0; + trace_data = NULL; + trace_data_size = 0; } if(cmdsRecvd > 100) { @@ -1186,9 +1186,16 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader else { cmdsRecvd++; } - - if(respLen > 0) { - SendIClassAnswer(resp, respLen, 21); + /** + After changes to parity calculation + Time between reader EOT and pm3 SOF + delay 21 -> 480uS + delay 10 -> 220us + delay 16 -> 388us + A legit tag has about 380us. + **/ + if(modulated_response_size > 0) { + SendIClassAnswer(modulated_response, modulated_response_size, timeout); t2r_time = GetCountSspClk(); } @@ -1197,9 +1204,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader GetParity(receivedCmd, len, parity); LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE); - if (respdata != NULL) { - GetParity(respdata, respsize, parity); - LogTrace(respdata, respsize, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE); + if (trace_data != NULL) { + GetParity(trace_data, trace_data_size, parity); + LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE); } if(!tracing) { DbpString("Trace full"); @@ -1368,7 +1375,6 @@ void ReaderTransmitIClass(uint8_t* frame, int len) int samples = 0; // This is tied to other size changes - // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024; CodeIClassCommand(frame,len); // Select the card @@ -1423,10 +1429,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; skip = !skip; if(skip) continue; - /*if(ManchesterDecoding((b>>4) & 0xf)) { - *samples = ((c - 1) << 3) + 4; - return TRUE; - }*/ + if(ManchesterDecoding(b & 0x0f)) { *samples = c << 3; return TRUE; @@ -1474,97 +1477,142 @@ void setupIclassReader() } +size_t sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, uint8_t expected_size, uint8_t retries) +{ + while(retries-- > 0) + { + ReaderTransmitIClass(command, cmdsize); + if(expected_size == ReaderReceiveIClass(resp)){ + return 0; + } + } + return 1;//Error +} + +/** + * @brief Talks to an iclass tag, sends the commands to get CSN and CC. + * @param card_data where the CSN and CC are stored for return + * @return 0 = fail + * 1 = Got CSN + * 2 = Got CSN and CC + */ +uint8_t handshakeIclassTag(uint8_t *card_data) +{ + static uint8_t act_all[] = { 0x0a }; + static uint8_t identify[] = { 0x0c }; + static uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + static uint8_t readcheck_cc[]= { 0x88, 0x02 }; + uint8_t *resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET); + + uint8_t read_status = 0; + + // Send act_all + ReaderTransmitIClass(act_all, 1); + // Card present? + if(!ReaderReceiveIClass(resp)) return read_status;//Fail + //Send Identify + ReaderTransmitIClass(identify, 1); + //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC + uint8_t len = ReaderReceiveIClass(resp); + if(len != 10) return read_status;//Fail + + //Copy the Anti-collision CSN to our select-packet + memcpy(&select[1],resp,8); + //Select the card + ReaderTransmitIClass(select, sizeof(select)); + //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC + len = ReaderReceiveIClass(resp); + if(len != 10) return read_status;//Fail + + //Success - level 1, we got CSN + //Save CSN in response data + memcpy(card_data,resp,8); + + //Flag that we got to at least stage 1, read CSN + read_status = 1; + + // Card selected, now read e-purse (cc) + ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); + if(ReaderReceiveIClass(resp) == 8) { + //Save CC (e-purse) in response data + memcpy(card_data+8,resp,8); + + //Got both + read_status = 2; + } + + return read_status; +} + // Reader iClass Anticollission void ReaderIClass(uint8_t arg0) { - uint8_t act_all[] = { 0x0a }; - uint8_t identify[] = { 0x0c }; - uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t readcheck_cc[]= { 0x88, 0x02 }; uint8_t card_data[24]={0}; uint8_t last_csn[8]={0}; - - uint8_t *resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET); int read_status= 0; bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE; + bool get_cc = arg0 & FLAG_ICLASS_READER_GET_CC; setupIclassReader(); size_t datasize = 0; while(!BUTTON_PRESS()) { - WDT_HIT(); - // Send act_all - ReaderTransmitIClass(act_all, 1); - // Card present? - if(ReaderReceiveIClass(resp)) { - - ReaderTransmitIClass(identify, 1); - - if(ReaderReceiveIClass(resp) == 10) { - //Copy the Anti-collision CSN to our select-packet - memcpy(&select[1],resp,8); - //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2], - // resp[3], resp[4], resp[5], - // resp[6], resp[7]); - //Select the card - ReaderTransmitIClass(select, sizeof(select)); - - if(ReaderReceiveIClass(resp) == 10) { - //Save CSN in response data - memcpy(card_data,resp,8); - datasize += 8; - //Flag that we got to at least stage 1, read CSN - read_status = 1; - - // Card selected - //Dbprintf("Readcheck on Sector 2"); - ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); - if(ReaderReceiveIClass(resp) == 8) { - //Save CC (e-purse) in response data - memcpy(card_data+8,resp,8); - datasize += 8; - //Got both - read_status = 2; - } - - LED_B_ON(); - //Send back to client, but don't bother if we already sent this - if(memcmp(last_csn, card_data, 8) != 0) - cmd_send(CMD_ACK,read_status,0,0,card_data,datasize); - - //Save that we already sent this.... - if(read_status == 2) - memcpy(last_csn, card_data, 8); - - LED_B_OFF(); - - if(abort_after_read) break; - } - } - } + if(traceLen > TRACE_SIZE) { + DbpString("Trace full"); + break; + } + WDT_HIT(); - if(traceLen > TRACE_SIZE) { - DbpString("Trace full"); - break; - } + read_status = handshakeIclassTag(card_data); + + if(read_status == 0) continue; + if(read_status == 1) datasize = 8; + if(read_status == 2) datasize = 16; + + LED_B_ON(); + //Send back to client, but don't bother if we already sent this + if(memcmp(last_csn, card_data, 8) != 0) + { + + if(!get_cc || (get_cc && read_status == 2)) + { + cmd_send(CMD_ACK,read_status,0,0,card_data,datasize); + if(abort_after_read) { + LED_A_OFF(); + return; + } + //Save that we already sent this.... + memcpy(last_csn, card_data, 8); + } + //If 'get_cc' was specified and we didn't get a CC, we'll just keep trying... + } + LED_B_OFF(); } + cmd_send(CMD_ACK,0,0,0,card_data, 0); LED_A_OFF(); } void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { - uint8_t act_all[] = { 0x0a }; - uint8_t identify[] = { 0x0c }; - uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t readcheck_cc[]= { 0x88, 0x02 }; + + uint8_t card_data[USB_CMD_DATA_SIZE]={0}; + uint16_t block_crc_LUT[255] = {0}; + + {//Generate a lookup table for block crc + for(int block = 0; block < 255; block++){ + char bl = block; + block_crc_LUT[block] = iclass_crc16(&bl ,1); + } + } + //Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]); + uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 }; uint16_t crc = 0; uint8_t cardsize=0; - bool read_success=false; uint8_t mem=0; static struct memory_t{ @@ -1580,102 +1628,108 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { setupIclassReader(); - for(int i=0;i<1;i++) { + while(!BUTTON_PRESS()) { + WDT_HIT(); + if(traceLen > TRACE_SIZE) { DbpString("Trace full"); break; } - if (BUTTON_PRESS()) break; + uint8_t read_status = handshakeIclassTag(card_data); + if(read_status < 2) continue; - // Send act_all - ReaderTransmitIClass(act_all, 1); - // Card present? - if(ReaderReceiveIClass(resp)) { - ReaderTransmitIClass(identify, 1); - if(ReaderReceiveIClass(resp) == 10) { - // Select card - memcpy(&select[1],resp,8); - ReaderTransmitIClass(select, sizeof(select)); + //for now replay captured auth (as cc not updated) + memcpy(check+5,MAC,4); - if(ReaderReceiveIClass(resp) == 10) { - Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x", - resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); - } - // Card selected - Dbprintf("Readcheck on Sector 2"); - ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); - if(ReaderReceiveIClass(resp) == 8) { - Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x", - resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); - }else return; - Dbprintf("Authenticate"); - //for now replay captured auth (as cc not updated) - memcpy(check+5,MAC,4); - //Dbprintf(" AA: %02x %02x %02x %02x", - // check[5], check[6], check[7],check[8]); - ReaderTransmitIClass(check, sizeof(check)); - if(ReaderReceiveIClass(resp) == 4) { - Dbprintf(" AR: %02x %02x %02x %02x", - resp[0], resp[1], resp[2],resp[3]); - }else { - Dbprintf("Error: Authentication Fail!"); - return; - } - Dbprintf("Dump Contents"); - //first get configuration block - read_success=false; - read[1]=1; - uint8_t *blockno=&read[1]; - crc = iclass_crc16((char *)blockno,1); - read[2] = crc >> 8; - read[3] = crc & 0xff; - while(!read_success){ - ReaderTransmitIClass(read, sizeof(read)); - if(ReaderReceiveIClass(resp) == 10) { - read_success=true; - mem=resp[5]; - memory.k16= (mem & 0x80); - memory.book= (mem & 0x20); - memory.k2= (mem & 0x8); - memory.lockauth= (mem & 0x2); - memory.keyaccess= (mem & 0x1); + if(sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5)) + { + Dbprintf("Error: Authentication Fail!"); + continue; + } - } - } - if (memory.k16){ - cardsize=255; - }else cardsize=32; - //then loop around remaining blocks - for(uint8_t j=0; j> 8; - read[3] = crc & 0xff; - while(!read_success){ - ReaderTransmitIClass(read, sizeof(read)); - if(ReaderReceiveIClass(resp) == 10) { - read_success=true; - Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x", - j, resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); - } - } + //first get configuration block (block 1) + crc = block_crc_LUT[1]; + read[1]=1; + read[2] = crc >> 8; + read[3] = crc & 0xff; + + if(sendCmdGetResponseWithRetries(read, sizeof(read),resp, 10, 10)) + { + Dbprintf("Dump config (block 1) failed"); + continue; + } + + mem=resp[5]; + memory.k16= (mem & 0x80); + memory.book= (mem & 0x20); + memory.k2= (mem & 0x8); + memory.lockauth= (mem & 0x2); + memory.keyaccess= (mem & 0x1); + + cardsize = memory.k16 ? 255 : 32; + WDT_HIT(); + //Set card_data to all zeroes, we'll fill it with data + memset(card_data,0x0,USB_CMD_DATA_SIZE); + uint8_t failedRead =0; + uint8_t stored_data_length =0; + //then loop around remaining blocks + for(int block=0; block < cardsize; block++){ + + read[1]= block; + crc = block_crc_LUT[block]; + read[2] = crc >> 8; + read[3] = crc & 0xff; + + if(!sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 10)) + { + Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x", + block, resp[0], resp[1], resp[2], + resp[3], resp[4], resp[5], + resp[6], resp[7]); + + //Fill up the buffer + memcpy(card_data+stored_data_length,resp,8); + stored_data_length += 8; + + if(stored_data_length +8 > USB_CMD_DATA_SIZE) + {//Time to send this off and start afresh + cmd_send(CMD_ACK, + stored_data_length,//data length + failedRead,//Failed blocks? + 0,//Not used ATM + card_data, stored_data_length); + //reset + stored_data_length = 0; + failedRead = 0; } + + }else{ + failedRead = 1; + stored_data_length +=8;//Otherwise, data becomes misaligned + Dbprintf("Failed to dump block %d", block); } } - WDT_HIT(); + //Send off any remaining data + if(stored_data_length > 0) + { + cmd_send(CMD_ACK, + stored_data_length,//data length + failedRead,//Failed blocks? + 0,//Not used ATM + card_data, stored_data_length); + } + //If we got here, let's break + break; } - + //Signal end of transmission + cmd_send(CMD_ACK, + 0,//data length + 0,//Failed blocks? + 0,//Not used ATM + card_data, 0); + LED_A_OFF(); }