]> cvs.zerfleddert.de Git - proxmark3-svn/commitdiff
1. Mifare read block command
authorMerlokbr@gmail.com <Merlokbr@gmail.com@ef4ab9da-24cd-11de-8aaa-f3a34680c41f>
Thu, 26 May 2011 12:55:15 +0000 (12:55 +0000)
committerMerlokbr@gmail.com <Merlokbr@gmail.com@ef4ab9da-24cd-11de-8aaa-f3a34680c41f>
Thu, 26 May 2011 12:55:15 +0000 (12:55 +0000)
2. Mifare read sector (via 1)
3. Mifare write block
4. fixed several bugs in iso 14443 select
added
Issue 23
Issue 26

16 files changed:
armsrc/Makefile
armsrc/appmain.c
armsrc/apps.h
armsrc/crapto1.c [new file with mode: 0644]
armsrc/crapto1.h [new file with mode: 0644]
armsrc/crypto1.c [new file with mode: 0644]
armsrc/iso14443a.c
armsrc/iso14443a.h
armsrc/mifareutil.c [new file with mode: 0644]
armsrc/mifareutil.h [new file with mode: 0644]
armsrc/util.h
client/cmdhf14a.c
client/util.c
client/util.h
common/iso15693tools.c
include/usb_cmd.h

index 087ddcf8bbbf64c5cbd2c27842c5a42a3053cc24..565de2fe9e225bbea6d4885180db567041f14032 100644 (file)
@@ -16,8 +16,9 @@ APP_CFLAGS    = -O2 -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b
 #SRC_LCD = fonts.c LCD.c
 SRC_LF = lfops.c hitag2.c
 SRC_ISO15693 = iso15693.c iso15693tools.c 
 #SRC_LCD = fonts.c LCD.c
 SRC_LF = lfops.c hitag2.c
 SRC_ISO15693 = iso15693.c iso15693tools.c 
-SRC_ISO14443a = iso14443a.c
+SRC_ISO14443a = iso14443a.c mifareutil.c
 SRC_ISO14443b = iso14443.c
 SRC_ISO14443b = iso14443.c
+SRC_CRAPTO1 = crapto1.c crypto1.c
 
 THUMBSRC = start.c \
        $(SRC_LCD) \
 
 THUMBSRC = start.c \
        $(SRC_LCD) \
@@ -35,6 +36,7 @@ ARMSRC = fpgaloader.c \
        crc16.c \
        $(SRC_ISO14443a) \
        $(SRC_ISO14443b) \
        crc16.c \
        $(SRC_ISO14443a) \
        $(SRC_ISO14443b) \
+       $(SRC_CRAPTO1) \
        legic_prng.c \
        iclass.c \
        crc.c
        legic_prng.c \
        iclass.c \
        crc.c
index 47fa2f99f9fdb7f35832c5a639c82c78b57886fc..8be02778d8809213400a52e8b52bf5933e0aed53 100644 (file)
@@ -694,6 +694,25 @@ void UsbPacketReceived(uint8_t *packet, int len)
                        break;
 #endif
 
                        break;
 #endif
 
+#ifdef WITH_ISO14443a
+               case CMD_MIFARE_READBL:
+                       MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+                       break;
+               case CMD_MIFARE_READSC:
+                       MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+                       break;
+               case CMD_MIFARE_WRITEBL:
+                       MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+                       break;
+               case CMD_MIFARE_NESTED:
+                       MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+                       break;
+               case CMD_SIMULATE_MIFARE_CARD:
+                       Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+                       break;
+                       
+#endif
+
 #ifdef WITH_ISO14443b
                case CMD_SNOOP_ISO_14443:
                        SnoopIso14443();
 #ifdef WITH_ISO14443b
                case CMD_SNOOP_ISO_14443:
                        SnoopIso14443();
index 2d15a907dd701ac5dea3cc3103f37d7fe1d7508b..e60fc924a42f9f6bd10eff31f0d2fd805c28ab08 100644 (file)
@@ -106,6 +106,11 @@ void RAMFUNC SnoopIso14443a(void);
 void SimulateIso14443aTag(int tagType, int TagUid);    // ## simulate iso14443a tag
 void ReaderIso14443a(UsbCommand * c, UsbCommand * ack);
 void ReaderMifare(uint32_t parameter);
 void SimulateIso14443aTag(int tagType, int TagUid);    // ## simulate iso14443a tag
 void ReaderIso14443a(UsbCommand * c, UsbCommand * ack);
 void ReaderMifare(uint32_t parameter);
+void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
+void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+void MifareNested(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 
 /// iso15693.h
 void RecordRawAdcSamplesIso15693(void);
 
 /// iso15693.h
 void RecordRawAdcSamplesIso15693(void);
diff --git a/armsrc/crapto1.c b/armsrc/crapto1.c
new file mode 100644 (file)
index 0000000..9d491d1
--- /dev/null
@@ -0,0 +1,478 @@
+/*  crapto1.c\r
+\r
+    This program is free software; you can redistribute it and/or\r
+    modify it under the terms of the GNU General Public License\r
+    as published by the Free Software Foundation; either version 2\r
+    of the License, or (at your option) any later version.\r
+\r
+    This program is distributed in the hope that it will be useful,\r
+    but WITHOUT ANY WARRANTY; without even the implied warranty of\r
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\r
+    GNU General Public License for more details.\r
+\r
+    You should have received a copy of the GNU General Public License\r
+    along with this program; if not, write to the Free Software\r
+    Foundation, Inc., 51 Franklin Street, Fifth Floor,\r
+    Boston, MA  02110-1301, US$\r
+\r
+    Copyright (C) 2008-2008 bla <blapost@gmail.com>\r
+*/\r
+#include "crapto1.h"\r
+#include <stdlib.h>\r
+\r
+#if !defined LOWMEM && defined __GNUC__\r
+static uint8_t filterlut[1 << 20];\r
+static void __attribute__((constructor)) fill_lut()\r
+{\r
+        uint32_t i;\r
+        for(i = 0; i < 1 << 20; ++i)\r
+                filterlut[i] = filter(i);\r
+}\r
+#define filter(x) (filterlut[(x) & 0xfffff])\r
+#endif\r
+\r
+static void quicksort(uint32_t* const start, uint32_t* const stop)\r
+{\r
+       uint32_t *it = start + 1, *rit = stop;\r
+\r
+       if(it > rit)\r
+               return;\r
+\r
+       while(it < rit)\r
+               if(*it <= *start)\r
+                       ++it;\r
+               else if(*rit > *start)\r
+                       --rit;\r
+               else\r
+                       *it ^= (*it ^= *rit, *rit ^= *it);\r
+\r
+       if(*rit >= *start)\r
+               --rit;\r
+       if(rit != start)\r
+               *rit ^= (*rit ^= *start, *start ^= *rit);\r
+\r
+       quicksort(start, rit - 1);\r
+       quicksort(rit + 1, stop);\r
+}\r
+/** binsearch\r
+ * Binary search for the first occurence of *stop's MSB in sorted [start,stop]\r
+ */\r
+static inline uint32_t* binsearch(uint32_t *start, uint32_t *stop)\r
+{\r
+       uint32_t mid, val = *stop & 0xff000000;\r
+       while(start != stop)\r
+               if(start[mid = (stop - start) >> 1] > val)\r
+                       stop = &start[mid];\r
+               else\r
+                       start += mid + 1;\r
+\r
+       return start;\r
+}\r
+\r
+/** update_contribution\r
+ * helper, calculates the partial linear feedback contributions and puts in MSB\r
+ */\r
+static inline void\r
+update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2)\r
+{\r
+       uint32_t p = *item >> 25;\r
+\r
+       p = p << 1 | parity(*item & mask1);\r
+       p = p << 1 | parity(*item & mask2);\r
+       *item = p << 24 | (*item & 0xffffff);\r
+}\r
+\r
+/** extend_table\r
+ * using a bit of the keystream extend the table of possible lfsr states\r
+ */\r
+static inline void\r
+extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in)\r
+{\r
+       in <<= 24;\r
+       for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)\r
+               if(filter(*tbl) ^ filter(*tbl | 1)) {\r
+                       *tbl |= filter(*tbl) ^ bit;\r
+                       update_contribution(tbl, m1, m2);\r
+                       *tbl ^= in;\r
+               } else if(filter(*tbl) == bit) {\r
+                       *++*end = tbl[1];\r
+                       tbl[1] = tbl[0] | 1;\r
+                       update_contribution(tbl, m1, m2);\r
+                       *tbl++ ^= in;\r
+                       update_contribution(tbl, m1, m2);\r
+                       *tbl ^= in;\r
+               } else\r
+                       *tbl-- = *(*end)--;\r
+}\r
+/** extend_table_simple\r
+ * using a bit of the keystream extend the table of possible lfsr states\r
+ */\r
+static inline void extend_table_simple(uint32_t *tbl, uint32_t **end, int bit)\r
+{\r
+       for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)\r
+               if(filter(*tbl) ^ filter(*tbl | 1))\r
+                       *tbl |= filter(*tbl) ^ bit;\r
+               else if(filter(*tbl) == bit) {\r
+                       *++*end = *++tbl;\r
+                       *tbl = tbl[-1] | 1;\r
+               } else\r
+                       *tbl-- = *(*end)--;\r
+}\r
+/** recover\r
+ * recursively narrow down the search space, 4 bits of keystream at a time\r
+ */\r
+static struct Crypto1State*\r
+recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,\r
+       uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem,\r
+       struct Crypto1State *sl, uint32_t in)\r
+{\r
+       uint32_t *o, *e, i;\r
+\r
+       if(rem == -1) {\r
+               for(e = e_head; e <= e_tail; ++e) {\r
+                       *e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4);\r
+                       for(o = o_head; o <= o_tail; ++o, ++sl) {\r
+                               sl->even = *o;\r
+                               sl->odd = *e ^ parity(*o & LF_POLY_ODD);\r
+                               sl[1].odd = sl[1].even = 0;\r
+                       }\r
+               }\r
+               return sl;\r
+       }\r
+\r
+       for(i = 0; i < 4 && rem--; i++) {\r
+               oks >>= 1;\r
+               eks >>= 1;\r
+               in >>= 2;\r
+               extend_table(o_head, &o_tail, oks & 1, LF_POLY_EVEN << 1 | 1,\r
+                            LF_POLY_ODD << 1, 0);\r
+               if(o_head > o_tail)\r
+                       return sl;\r
+\r
+               extend_table(e_head, &e_tail, eks & 1, LF_POLY_ODD,\r
+                            LF_POLY_EVEN << 1 | 1, in & 3);\r
+               if(e_head > e_tail)\r
+                       return sl;\r
+       }\r
+\r
+       quicksort(o_head, o_tail);\r
+       quicksort(e_head, e_tail);\r
+\r
+       while(o_tail >= o_head && e_tail >= e_head)\r
+               if(((*o_tail ^ *e_tail) >> 24) == 0) {\r
+                       o_tail = binsearch(o_head, o = o_tail);\r
+                       e_tail = binsearch(e_head, e = e_tail);\r
+                       sl = recover(o_tail--, o, oks,\r
+                                    e_tail--, e, eks, rem, sl, in);\r
+               }\r
+               else if(*o_tail > *e_tail)\r
+                       o_tail = binsearch(o_head, o_tail) - 1;\r
+               else\r
+                       e_tail = binsearch(e_head, e_tail) - 1;\r
+\r
+       return sl;\r
+}\r
+/** lfsr_recovery\r
+ * recover the state of the lfsr given 32 bits of the keystream\r
+ * additionally you can use the in parameter to specify the value\r
+ * that was fed into the lfsr at the time the keystream was generated\r
+ */\r
+struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)\r
+{\r
+       struct Crypto1State *statelist;\r
+       uint32_t *odd_head = 0, *odd_tail = 0, oks = 0;\r
+       uint32_t *even_head = 0, *even_tail = 0, eks = 0;\r
+       int i;\r
+\r
+       for(i = 31; i >= 0; i -= 2)\r
+               oks = oks << 1 | BEBIT(ks2, i);\r
+       for(i = 30; i >= 0; i -= 2)\r
+               eks = eks << 1 | BEBIT(ks2, i);\r
+\r
+       odd_head = odd_tail = malloc(sizeof(uint32_t) << 21);\r
+       even_head = even_tail = malloc(sizeof(uint32_t) << 21);\r
+       statelist =  malloc(sizeof(struct Crypto1State) << 18);\r
+       if(!odd_tail-- || !even_tail-- || !statelist) {\r
+               free(statelist);\r
+               statelist = 0;\r
+               goto out;\r
+       }\r
+\r
+       statelist->odd = statelist->even = 0;\r
+\r
+       for(i = 1 << 20; i >= 0; --i) {\r
+               if(filter(i) == (oks & 1))\r
+                       *++odd_tail = i;\r
+               if(filter(i) == (eks & 1))\r
+                       *++even_tail = i;\r
+       }\r
+\r
+       for(i = 0; i < 4; i++) {\r
+               extend_table_simple(odd_head,  &odd_tail, (oks >>= 1) & 1);\r
+               extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1);\r
+       }\r
+\r
+       in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);\r
+       recover(odd_head, odd_tail, oks,\r
+               even_head, even_tail, eks, 11, statelist, in << 1);\r
+\r
+out:\r
+       free(odd_head);\r
+       free(even_head);\r
+       return statelist;\r
+}\r
+\r
+static const uint32_t S1[] = {     0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214,\r
+       0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83,\r
+       0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA};\r
+static const uint32_t S2[] = {  0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60,\r
+       0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8,\r
+       0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20,\r
+       0x7EC7EE90, 0x7F63F748, 0x79117020};\r
+static const uint32_t T1[] = {\r
+       0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66,\r
+       0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B,\r
+       0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615,\r
+       0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C};\r
+static const uint32_t T2[] = {  0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0,\r
+       0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268,\r
+       0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0,\r
+       0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0,\r
+       0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950,\r
+       0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0};\r
+static const uint32_t C1[] = { 0x846B5, 0x4235A, 0x211AD};\r
+static const uint32_t C2[] = { 0x1A822E0, 0x21A822E0, 0x21A822E0};\r
+/** Reverse 64 bits of keystream into possible cipher states\r
+ * Variation mentioned in the paper. Somewhat optimized version\r
+ */\r
+struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3)\r
+{\r
+       struct Crypto1State *statelist, *sl;\r
+       uint8_t oks[32], eks[32], hi[32];\r
+       uint32_t low = 0,  win = 0;\r
+       uint32_t *tail, table[1 << 16];\r
+       int i, j;\r
+\r
+       sl = statelist = malloc(sizeof(struct Crypto1State) << 4);\r
+       if(!sl)\r
+               return 0;\r
+       sl->odd = sl->even = 0;\r
+\r
+       for(i = 30; i >= 0; i -= 2) {\r
+               oks[i >> 1] = BEBIT(ks2, i);\r
+               oks[16 + (i >> 1)] = BEBIT(ks3, i);\r
+       }\r
+       for(i = 31; i >= 0; i -= 2) {\r
+               eks[i >> 1] = BEBIT(ks2, i);\r
+               eks[16 + (i >> 1)] = BEBIT(ks3, i);\r
+       }\r
+\r
+       for(i = 0xfffff; i >= 0; --i) {\r
+               if (filter(i) != oks[0])\r
+                       continue;\r
+\r
+               *(tail = table) = i;\r
+               for(j = 1; tail >= table && j < 29; ++j)\r
+                       extend_table_simple(table, &tail, oks[j]);\r
+\r
+               if(tail < table)\r
+                       continue;\r
+\r
+               for(j = 0; j < 19; ++j)\r
+                       low = low << 1 | parity(i & S1[j]);\r
+               for(j = 0; j < 32; ++j)\r
+                       hi[j] = parity(i & T1[j]);\r
+\r
+               for(; tail >= table; --tail) {\r
+                       for(j = 0; j < 3; ++j) {\r
+                               *tail = *tail << 1;\r
+                               *tail |= parity((i & C1[j]) ^ (*tail & C2[j]));\r
+                               if(filter(*tail) != oks[29 + j])\r
+                                       goto continue2;\r
+                       }\r
+\r
+                       for(j = 0; j < 19; ++j)\r
+                               win = win << 1 | parity(*tail & S2[j]);\r
+\r
+                       win ^= low;\r
+                       for(j = 0; j < 32; ++j) {\r
+                               win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]);\r
+                               if(filter(win) != eks[j])\r
+                                       goto continue2;\r
+                       }\r
+\r
+                       *tail = *tail << 1 | parity(LF_POLY_EVEN & *tail);\r
+                       sl->odd = *tail ^ parity(LF_POLY_ODD & win);\r
+                       sl->even = win;\r
+                       ++sl;\r
+                       sl->odd = sl->even = 0;\r
+                       continue2:;\r
+               }\r
+       }\r
+       return statelist;\r
+}\r
+\r
+/** lfsr_rollback_bit\r
+ * Rollback the shift register in order to get previous states\r
+ */\r
+uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb)\r
+{\r
+       int out;\r
+       uint8_t ret;\r
+\r
+       s->odd &= 0xffffff;\r
+       s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);\r
+\r
+       out = s->even & 1;\r
+       out ^= LF_POLY_EVEN & (s->even >>= 1);\r
+       out ^= LF_POLY_ODD & s->odd;\r
+       out ^= !!in;\r
+       out ^= (ret = filter(s->odd)) & !!fb;\r
+\r
+       s->even |= parity(out) << 23;\r
+       return ret;\r
+}\r
+/** lfsr_rollback_byte\r
+ * Rollback the shift register in order to get previous states\r
+ */\r
+uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb)\r
+{\r
+       int i, ret = 0;\r
+       for (i = 7; i >= 0; --i)\r
+               ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i;\r
+       return ret;\r
+}\r
+/** lfsr_rollback_word\r
+ * Rollback the shift register in order to get previous states\r
+ */\r
+uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb)\r
+{\r
+       int i;\r
+       uint32_t ret = 0;\r
+       for (i = 31; i >= 0; --i)\r
+               ret |= lfsr_rollback_bit(s, BEBIT(in, i), fb) << (i ^ 24);\r
+       return ret;\r
+}\r
+\r
+/** nonce_distance\r
+ * x,y valid tag nonces, then prng_successor(x, nonce_distance(x, y)) = y\r
+ */\r
+static uint16_t *dist = 0;\r
+int nonce_distance(uint32_t from, uint32_t to)\r
+{\r
+       uint16_t x, i;\r
+       if(!dist) {\r
+               dist = malloc(2 << 16);\r
+               if(!dist)\r
+                       return -1;\r
+               for (x = i = 1; i; ++i) {\r
+                       dist[(x & 0xff) << 8 | x >> 8] = i;\r
+                       x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15;\r
+               }\r
+       }\r
+       return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535;\r
+}\r
+\r
+\r
+static uint32_t fastfwd[2][8] = {\r
+       { 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB},\r
+       { 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}};\r
+/** lfsr_prefix_ks\r
+ *\r
+ * Is an exported helper function from the common prefix attack\r
+ * Described in the "dark side" paper. It returns an -1 terminated array\r
+ * of possible partial(21 bit) secret state.\r
+ * The required keystream(ks) needs to contain the keystream that was used to\r
+ * encrypt the NACK which is observed when varying only the 3 last bits of Nr\r
+ * only correct iff [NR_3] ^ NR_3 does not depend on Nr_3\r
+ */\r
+uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd)\r
+{\r
+       uint32_t c, entry, *candidates = malloc(4 << 10);\r
+       int i, size = 0, good;\r
+\r
+       if(!candidates)\r
+               return 0;\r
+\r
+       for(i = 0; i < 1 << 21; ++i) {\r
+               for(c = 0, good = 1; good && c < 8; ++c) {\r
+                       entry = i ^ fastfwd[isodd][c];\r
+                       good &= (BIT(ks[c], isodd) == filter(entry >> 1));\r
+                       good &= (BIT(ks[c], isodd + 2) == filter(entry));\r
+               }\r
+               if(good)\r
+                       candidates[size++] = i;\r
+       }\r
+\r
+       candidates[size] = -1;\r
+\r
+       return candidates;\r
+}\r
+\r
+/** check_pfx_parity\r
+ * helper function which eliminates possible secret states using parity bits\r
+ */\r
+static struct Crypto1State*\r
+check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8],\r
+               uint32_t odd, uint32_t even, struct Crypto1State* sl)\r
+{\r
+       uint32_t ks1, nr, ks2, rr, ks3, c, good = 1;\r
+\r
+       for(c = 0; good && c < 8; ++c) {\r
+               sl->odd = odd ^ fastfwd[1][c];\r
+               sl->even = even ^ fastfwd[0][c];\r
+\r
+               lfsr_rollback_bit(sl, 0, 0);\r
+               lfsr_rollback_bit(sl, 0, 0);\r
+\r
+               ks3 = lfsr_rollback_bit(sl, 0, 0);\r
+               ks2 = lfsr_rollback_word(sl, 0, 0);\r
+               ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1);\r
+\r
+               nr = ks1 ^ (prefix | c << 5);\r
+               rr = ks2 ^ rresp;\r
+\r
+               good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24);\r
+               good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16);\r
+               good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2,  8);\r
+               good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2,  0);\r
+               good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3;\r
+       }\r
+\r
+       return sl + good;\r
+} \r
+\r
+\r
+/** lfsr_common_prefix\r
+ * Implentation of the common prefix attack.\r
+ */\r
+struct Crypto1State*\r
+lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8])\r
+{\r
+       struct Crypto1State *statelist, *s;\r
+       uint32_t *odd, *even, *o, *e, top;\r
+\r
+       odd = lfsr_prefix_ks(ks, 1);\r
+       even = lfsr_prefix_ks(ks, 0);\r
+\r
+       s = statelist = malloc((sizeof *statelist) << 20);\r
+       if(!s || !odd || !even) {\r
+               free(statelist);\r
+               statelist = 0;\r
+                goto out;\r
+       }\r
+\r
+       for(o = odd; *o + 1; ++o)\r
+               for(e = even; *e + 1; ++e)\r
+                       for(top = 0; top < 64; ++top) {\r
+                               *o += 1 << 21;\r
+                               *e += (!(top & 7) + 1) << 21;\r
+                               s = check_pfx_parity(pfx, rr, par, *o, *e, s);\r
+                       }\r
+\r
+       s->odd = s->even = 0;\r
+out:\r
+       free(odd);\r
+       free(even);\r
+       return statelist;\r
+}\r
diff --git a/armsrc/crapto1.h b/armsrc/crapto1.h
new file mode 100644 (file)
index 0000000..b144853
--- /dev/null
@@ -0,0 +1,93 @@
+/*  crapto1.h
+
+    This program is free software; you can redistribute it and/or
+    modify it under the terms of the GNU General Public License
+    as published by the Free Software Foundation; either version 2
+    of the License, or (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+    MA  02110-1301, US$
+
+    Copyright (C) 2008-2008 bla <blapost@gmail.com>
+*/
+#ifndef CRAPTO1_INCLUDED
+#define CRAPTO1_INCLUDED
+#include <stdint.h>
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct Crypto1State {uint32_t odd, even;};
+void crypto1_create(struct Crypto1State *s, uint64_t key);
+void crypto1_destroy(struct Crypto1State*);
+void crypto1_get_lfsr(struct Crypto1State*, uint64_t*);
+uint8_t crypto1_bit(struct Crypto1State*, uint8_t, int);
+uint8_t crypto1_byte(struct Crypto1State*, uint8_t, int);
+uint32_t crypto1_word(struct Crypto1State*, uint32_t, int);
+uint32_t prng_successor(uint32_t x, uint32_t n);
+
+struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in);
+struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3);
+uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd);
+struct Crypto1State*
+lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]);
+
+uint8_t lfsr_rollback_bit(struct Crypto1State* s, uint32_t in, int fb);
+uint8_t lfsr_rollback_byte(struct Crypto1State* s, uint32_t in, int fb);
+uint32_t lfsr_rollback_word(struct Crypto1State* s, uint32_t in, int fb);
+int nonce_distance(uint32_t from, uint32_t to);
+#define FOREACH_VALID_NONCE(N, FILTER, FSIZE)\
+       uint32_t __n = 0,__M = 0, N = 0;\
+       int __i;\
+       for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\
+               for(__i = FSIZE - 1; __i >= 0; __i--)\
+                       if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\
+                               break;\
+                       else if(__i)\
+                               __M = prng_successor(__M, (__i == 7) ? 48 : 8);\
+                       else 
+
+#define LF_POLY_ODD (0x29CE5C)
+#define LF_POLY_EVEN (0x870804)
+#define BIT(x, n) ((x) >> (n) & 1)
+#define BEBIT(x, n) BIT(x, (n) ^ 24)
+static inline int parity(uint32_t x)
+{
+#if !defined __i386__ || !defined __GNUC__
+       x ^= x >> 16;
+       x ^= x >> 8;
+       x ^= x >> 4;
+       return BIT(0x6996, x & 0xf);
+#else
+        asm(    "movl %1, %%eax\n"
+               "mov %%ax, %%cx\n"
+               "shrl $0x10, %%eax\n"
+               "xor %%ax, %%cx\n"
+                "xor %%ch, %%cl\n"
+                "setpo %%al\n"
+                "movzx %%al, %0\n": "=r"(x) : "r"(x): "eax","ecx");
+       return x;
+#endif
+}
+static inline int filter(uint32_t const x)
+{
+       uint32_t f;
+
+       f  = 0xf22c0 >> (x       & 0xf) & 16;
+       f |= 0x6c9c0 >> (x >>  4 & 0xf) &  8;
+       f |= 0x3c8b0 >> (x >>  8 & 0xf) &  4;
+       f |= 0x1e458 >> (x >> 12 & 0xf) &  2;
+       f |= 0x0d938 >> (x >> 16 & 0xf) &  1;
+       return BIT(0xEC57E80A, f);
+}
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/armsrc/crypto1.c b/armsrc/crypto1.c
new file mode 100644 (file)
index 0000000..9d103c7
--- /dev/null
@@ -0,0 +1,95 @@
+/*  crypto1.c
+
+    This program is free software; you can redistribute it and/or
+    modify it under the terms of the GNU General Public License
+    as published by the Free Software Foundation; either version 2
+    of the License, or (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+    MA  02110-1301, US
+
+    Copyright (C) 2008-2008 bla <blapost@gmail.com>
+*/
+#include "crapto1.h"
+#include <stdlib.h>
+
+#define SWAPENDIAN(x)\
+       (x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16)
+
+void crypto1_create(struct Crypto1State *s, uint64_t key)
+{
+//     struct Crypto1State *s = malloc(sizeof(*s));
+       int i;
+
+       for(i = 47;s && i > 0; i -= 2) {
+               s->odd  = s->odd  << 1 | BIT(key, (i - 1) ^ 7);
+               s->even = s->even << 1 | BIT(key, i ^ 7);
+       }
+       return;
+}
+void crypto1_destroy(struct Crypto1State *state)
+{
+//     free(state);
+  state->odd = 0;
+  state->even = 0;
+}
+void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr)
+{
+       int i;
+       for(*lfsr = 0, i = 23; i >= 0; --i) {
+               *lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3);
+               *lfsr = *lfsr << 1 | BIT(state->even, i ^ 3);
+       }
+}
+uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted)
+{
+       uint32_t feedin;
+       uint8_t ret = filter(s->odd);
+
+       feedin  = ret & !!is_encrypted;
+       feedin ^= !!in;
+       feedin ^= LF_POLY_ODD & s->odd;
+       feedin ^= LF_POLY_EVEN & s->even;
+       s->even = s->even << 1 | parity(feedin);
+
+       s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
+
+       return ret;
+}
+uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted)
+{
+       uint8_t i, ret = 0;
+
+       for (i = 0; i < 8; ++i)
+               ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i;
+
+       return ret;
+}
+uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted)
+{
+       uint32_t i, ret = 0;
+
+       for (i = 0; i < 32; ++i)
+               ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24);
+
+       return ret;
+}
+
+/* prng_successor
+ * helper used to obscure the keystream during authentication
+ */
+uint32_t prng_successor(uint32_t x, uint32_t n)
+{
+       SWAPENDIAN(x);
+       while(n--)
+               x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;
+
+       return SWAPENDIAN(x);
+}
index 1c5e9265d3224df0ca088e7c04f3a6eca889a71f..bb280807b30efb3d264d110faf6c9fcae8165694 100644 (file)
@@ -16,6 +16,8 @@
 
 #include "iso14443crc.h"
 #include "iso14443a.h"
 
 #include "iso14443crc.h"
 #include "iso14443a.h"
+#include "crapto1.h"
+#include "mifareutil.h"
 
 static uint8_t *trace = (uint8_t *) BigBuf;
 static int traceLen = 0;
 
 static uint8_t *trace = (uint8_t *) BigBuf;
 static int traceLen = 0;
@@ -73,6 +75,11 @@ void iso14a_set_trigger(int enable) {
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
+byte_t oddparity (const byte_t bt)
+{
+  return OddByteParity[bt];
+}
+
 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
 {
   int i;
 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
 {
   int i;
@@ -1140,10 +1147,11 @@ ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
                                receivedCmd[0], receivedCmd[1], receivedCmd[2]);
         } else {
             // Never seen this command before
                                receivedCmd[0], receivedCmd[1], receivedCmd[2]);
         } else {
             // Never seen this command before
-               Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
+               Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
+                       len,
                        receivedCmd[0], receivedCmd[1], receivedCmd[2],
                        receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                       receivedCmd[3], receivedCmd[3], receivedCmd[4],
-                       receivedCmd[5], receivedCmd[6], receivedCmd[7]);
+                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
+                       receivedCmd[6], receivedCmd[7], receivedCmd[8]);
                        // Do not respond
                        resp = resp1; respLen = 0; order = 0;
         }
                        // Do not respond
                        resp = resp1; respLen = 0; order = 0;
         }
@@ -1478,7 +1486,7 @@ void ReaderTransmit(uint8_t* frame, int len)
 int ReaderReceive(uint8_t* receivedAnswer)
 {
   int samples = 0;
 int ReaderReceive(uint8_t* receivedAnswer)
 {
   int samples = 0;
-  if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
+  if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
   if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
   if(samples == 0) return FALSE;
   return Demod.len;
   if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
   if(samples == 0) return FALSE;
   return Demod.len;
@@ -1487,19 +1495,22 @@ int ReaderReceive(uint8_t* receivedAnswer)
 /* performs iso14443a anticolision procedure
  * fills the uid pointer unless NULL
  * fills resp_data unless NULL */
 /* performs iso14443a anticolision procedure
  * fills the uid pointer unless NULL
  * fills resp_data unless NULL */
-int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
-       uint8_t wupa[]       = { 0x52 };
+int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
+       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
        uint8_t sel_all[]    = { 0x93,0x20 };
        uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
        uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
 
        uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
        uint8_t sel_all[]    = { 0x93,0x20 };
        uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
        uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
 
        uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
-       uint8_t* uid  = resp + 7;
+       //uint8_t* uid  = resp + 7;
 
        uint8_t sak = 0x04; // cascade uid
        int cascade_level = 0;
 
        int len;
 
        uint8_t sak = 0x04; // cascade uid
        int cascade_level = 0;
 
        int len;
+       
+       // clear uid
+       memset(uid_ptr, 0, 8);
 
        // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
        ReaderTransmitShort(wupa);
 
        // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
        ReaderTransmitShort(wupa);
@@ -1509,8 +1520,8 @@ int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
        if(resp_data)
                memcpy(resp_data->atqa, resp, 2);
        
        if(resp_data)
                memcpy(resp_data->atqa, resp, 2);
        
-       ReaderTransmit(sel_all,sizeof(sel_all)); 
-       if(!ReaderReceive(uid)) return 0;
+       //ReaderTransmit(sel_all,sizeof(sel_all)); --- avoid duplicate SELECT request
+       //if(!ReaderReceive(uid)) return 0;
 
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
 
        // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
        // which case we need to make a cascade 2 request and select - this is a long UID
@@ -1524,6 +1535,9 @@ int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
                ReaderTransmit(sel_all,sizeof(sel_all));
                if (!ReaderReceive(resp)) return 0;
                if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
                ReaderTransmit(sel_all,sizeof(sel_all));
                if (!ReaderReceive(resp)) return 0;
                if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
+               
+               // calculate crypto UID
+               if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
 
                // Construct SELECT UID command
                memcpy(sel_uid+2,resp,5);
 
                // Construct SELECT UID command
                memcpy(sel_uid+2,resp,5);
@@ -1538,19 +1552,26 @@ int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
                resp_data->sak = sak;
                resp_data->ats_len = 0;
        }
                resp_data->sak = sak;
                resp_data->ats_len = 0;
        }
+       //--  this byte not UID, it CT.  http://www.nxp.com/documents/application_note/AN10927.pdf  page 3
+       if (uid_ptr[0] == 0x88) {  
+               memcpy(uid_ptr, uid_ptr + 1, 7);
+               uid_ptr[7] = 0;
+       }
 
        if( (sak & 0x20) == 0)
                return 2; // non iso14443a compliant tag
 
        // Request for answer to select
 
        if( (sak & 0x20) == 0)
                return 2; // non iso14443a compliant tag
 
        // Request for answer to select
-       AppendCrc14443a(rats, 2);
-       ReaderTransmit(rats, sizeof(rats));
-       if (!(len = ReaderReceive(resp))) return 0;
-       if(resp_data) {
+       if(resp_data) {  // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
+               AppendCrc14443a(rats, 2);
+               ReaderTransmit(rats, sizeof(rats));
+               
+               if (!(len = ReaderReceive(resp))) return 0;
+               
                memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
                resp_data->ats_len = len;
        }
                memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
                resp_data->ats_len = len;
        }
-
+       
        return 1;
 }
 
        return 1;
 }
 
@@ -1604,7 +1625,7 @@ void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
 
        if(param & ISO14A_CONNECT) {
                iso14443a_setup();
 
        if(param & ISO14A_CONNECT) {
                iso14443a_setup();
-               ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12));
+               ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
                UsbSendPacket((void *)ack, sizeof(UsbCommand));
        }
 
                UsbSendPacket((void *)ack, sizeof(UsbCommand));
        }
 
@@ -1684,7 +1705,7 @@ void ReaderMifare(uint32_t parameter)
       break;
     }
 
       break;
     }
 
-    if(!iso14443a_select_card(NULL, NULL)) continue;
+    if(!iso14443a_select_card(NULL, NULL, NULL)) continue;
 
     // Transmit MIFARE_CLASSIC_AUTH
     ReaderTransmit(mf_auth,sizeof(mf_auth));
 
     // Transmit MIFARE_CLASSIC_AUTH
     ReaderTransmit(mf_auth,sizeof(mf_auth));
@@ -1738,4 +1759,371 @@ void ReaderMifare(uint32_t parameter)
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
   tracing = TRUE;
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
   tracing = TRUE;
+  
+    DbpString("COMMAND FINISHED");
+
+    Dbprintf("nt=%x", (int)nt[0]);  
+}
+
+//-----------------------------------------------------------------------------
+// Select, Authenticaate, Read an MIFARE tag. 
+// read block
+//-----------------------------------------------------------------------------
+void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+  // params
+       uint8_t blockNo = arg0;
+       uint8_t keyType = arg1;
+       uint64_t ui64Key = 0;
+       ui64Key = bytes_to_num(datain, 6);
+       
+       // variables
+  byte_t isOK = 0;
+  byte_t dataoutbuf[16];
+       uint8_t uid[7];
+       uint32_t cuid;
+  struct Crypto1State mpcs = {0, 0};
+       struct Crypto1State *pcs;
+       pcs = &mpcs;
+
+       // clear trace
+  traceLen = 0;
+//  tracing = false;
+
+       iso14443a_setup();
+
+       LED_A_ON();
+       LED_B_OFF();
+       LED_C_OFF();
+
+       while (true) {
+               if(!iso14443a_select_card(uid, NULL, &cuid)) {
+                       Dbprintf("Can't select card");
+                       break;
+               };
+
+               if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+                       Dbprintf("Auth error");
+                       break;
+               };
+               
+               if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
+                       Dbprintf("Read block error");
+                       break;
+               };
+
+               if(mifare_classic_halt(pcs, cuid)) {
+                       Dbprintf("Halt error");
+                       break;
+               };
+               
+               isOK = 1;
+               break;
+       }
+       
+       //  ----------------------------- crypto1 destroy
+       crypto1_destroy(pcs);
+       
+//    DbpString("READ BLOCK FINISHED");
+
+       // add trace trailer
+       uid[0] = 0xff;
+       uid[1] = 0xff;
+       uid[2] = 0xff;
+       uid[3] = 0xff;
+  LogTrace(uid, 4, 0, 0, TRUE);
+
+       UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+       memcpy(ack.d.asBytes, dataoutbuf, 16);
+       
+       LED_B_ON();
+       UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+       LED_B_OFF();    
+
+
+  // Thats it...
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+//  tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// Select, Authenticaate, Read an MIFARE tag. 
+// read sector (data = 4 x 16 bytes = 64 bytes)
+//-----------------------------------------------------------------------------
+void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+  // params
+       uint8_t sectorNo = arg0;
+       uint8_t keyType = arg1;
+       uint64_t ui64Key = 0;
+       ui64Key = bytes_to_num(datain, 6);
+       
+       // variables
+  byte_t isOK = 0;
+  byte_t dataoutbuf[16 * 4];
+       uint8_t uid[8];
+       uint32_t cuid;
+  struct Crypto1State mpcs = {0, 0};
+       struct Crypto1State *pcs;
+       pcs = &mpcs;
+
+       // clear trace
+  traceLen = 0;
+//  tracing = false;
+
+       iso14443a_setup();
+
+       LED_A_ON();
+       LED_B_OFF();
+       LED_C_OFF();
+
+       while (true) {
+               if(!iso14443a_select_card(uid, NULL, &cuid)) {
+                       Dbprintf("Can't select card");
+                       break;
+               };
+
+               if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, 0)) {
+                       Dbprintf("Auth error");
+                       break;
+               };
+               
+               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
+                       Dbprintf("Read block 0 error");
+                       break;
+               };
+               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
+                       Dbprintf("Read block 1 error");
+                       break;
+               };
+               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
+                       Dbprintf("Read block 2 error");
+                       break;
+               };
+               if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
+                       Dbprintf("Read block 3 error");
+                       break;
+               };
+               
+               if(mifare_classic_halt(pcs, cuid)) {
+                       Dbprintf("Halt error");
+                       break;
+               };
+
+               isOK = 1;
+               break;
+       }
+       
+       //  ----------------------------- crypto1 destroy
+       crypto1_destroy(pcs);
+       
+//    DbpString("READ BLOCK FINISHED");
+
+       // add trace trailer
+       uid[0] = 0xff;
+       uid[1] = 0xff;
+       uid[2] = 0xff;
+       uid[3] = 0xff;
+  LogTrace(uid, 4, 0, 0, TRUE);
+
+       UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+       memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);
+       
+       LED_B_ON();
+       UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+
+       SpinDelay(100);
+       
+       memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
+       UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+       LED_B_OFF();    
+
+  // Thats it...
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+//  tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// Select, Authenticaate, Read an MIFARE tag. 
+// read block
+//-----------------------------------------------------------------------------
+void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+  // params
+       uint8_t blockNo = arg0;
+       uint8_t keyType = arg1;
+       uint64_t ui64Key = 0;
+  byte_t blockdata[16];
+
+       ui64Key = bytes_to_num(datain, 6);
+       memcpy(blockdata, datain + 10, 16);
+       
+       // variables
+  byte_t isOK = 0;
+       uint8_t uid[8];
+       uint32_t cuid;
+  struct Crypto1State mpcs = {0, 0};
+       struct Crypto1State *pcs;
+       pcs = &mpcs;
+
+       // clear trace
+  traceLen = 0;
+//  tracing = false;
+
+       iso14443a_setup();
+
+       LED_A_ON();
+       LED_B_OFF();
+       LED_C_OFF();
+
+       while (true) {
+               if(!iso14443a_select_card(uid, NULL, &cuid)) {
+                       Dbprintf("Can't select card");
+                       break;
+               };
+
+               if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+                       Dbprintf("Auth error");
+                       break;
+               };
+               
+               if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
+                       Dbprintf("Write block error");
+                       break;
+               };
+
+               if(mifare_classic_halt(pcs, cuid)) {
+                       Dbprintf("Halt error");
+                       break;
+               };
+               
+               isOK = 1;
+               break;
+       }
+       
+       //  ----------------------------- crypto1 destroy
+       crypto1_destroy(pcs);
+       
+//  DbpString("WRITE BLOCK FINISHED");
+
+       // add trace trailer
+       uid[0] = 0xff;
+       uid[1] = 0xff;
+       uid[2] = 0xff;
+       uid[3] = 0xff;
+  LogTrace(uid, 4, 0, 0, TRUE);
+
+       UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+       
+       LED_B_ON();
+       UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+       LED_B_OFF();    
+
+
+  // Thats it...
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+//  tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// MIFARE nested authentication. 
+// 
+//-----------------------------------------------------------------------------
+void MifareNested(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+  // params
+       uint8_t blockNo = arg0;
+       uint8_t keyType = arg1;
+       uint64_t ui64Key = 0;
+
+       ui64Key = bytes_to_num(datain, 6);
+       
+       // variables
+  byte_t isOK = 0;
+       uint8_t uid[8];
+       uint32_t cuid;
+       uint8_t dataoutbuf[16];
+  struct Crypto1State mpcs = {0, 0};
+       struct Crypto1State *pcs;
+       pcs = &mpcs;
+
+       // clear trace
+  traceLen = 0;
+//  tracing = false;
+
+       iso14443a_setup();
+
+       LED_A_ON();
+       LED_B_OFF();
+       LED_C_OFF();
+
+       while (true) {
+               if(!iso14443a_select_card(uid, NULL, &cuid)) {
+                       Dbprintf("Can't select card");
+                       break;
+               };
+               
+               if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+                       Dbprintf("Auth error");
+                       break;
+               };
+
+               // nested authenticate block = (blockNo + 1)
+               if(mifare_classic_auth(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, keyType, ui64Key, 1)) {
+                       Dbprintf("Auth error");
+                       break;
+               };
+               
+               if(mifare_classic_readblock(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, dataoutbuf)) {
+                       Dbprintf("Read block error");
+                       break;
+               };
+
+               if(mifare_classic_halt(pcs, (uint32_t)bytes_to_num(uid, 4))) {
+                       Dbprintf("Halt error");
+                       break;
+               };
+               
+               isOK = 1;
+               break;
+       }
+       
+       //  ----------------------------- crypto1 destroy
+       crypto1_destroy(pcs);
+       
+  DbpString("NESTED FINISHED");
+
+       // add trace trailer
+       uid[0] = 0xff;
+       uid[1] = 0xff;
+       uid[2] = 0xff;
+       uid[3] = 0xff;
+  LogTrace(uid, 4, 0, 0, TRUE);
+
+       UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+       memcpy(ack.d.asBytes, dataoutbuf, 16);
+       
+       LED_B_ON();
+       UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+       LED_B_OFF();    
+
+  // Thats it...
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       LEDsoff();
+//  tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// MIFARE 1K simulate. 
+// 
+//-----------------------------------------------------------------------------
+void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
 }
 }
index c7e023d46db5cbc320bfbfc405b48d8eef4ec0c6..f848c6e9558c4d3f6522b91ae43a226e0ea54bad 100644 (file)
@@ -2,12 +2,17 @@
 #define __ISO14443A_H
 #include "common.h"
 
 #define __ISO14443A_H
 #include "common.h"
 
+extern byte_t oddparity (const byte_t bt);
+extern uint32_t GetParity(const uint8_t * pbtCmd, int iLen);
 extern void AppendCrc14443a(uint8_t* data, int len);
 extern void AppendCrc14443a(uint8_t* data, int len);
+
 extern void ReaderTransmitShort(const uint8_t* bt);
 extern void ReaderTransmit(uint8_t* frame, int len);
 extern void ReaderTransmitShort(const uint8_t* bt);
 extern void ReaderTransmit(uint8_t* frame, int len);
+extern void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par);
 extern int ReaderReceive(uint8_t* receivedAnswer);
 extern int ReaderReceive(uint8_t* receivedAnswer);
+
 extern void iso14443a_setup();
 extern void iso14443a_setup();
-extern int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * card_info);
+extern int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr);
 extern void iso14a_set_trigger(int enable);
 
 #endif /* __ISO14443A_H */
 extern void iso14a_set_trigger(int enable);
 
 #endif /* __ISO14443A_H */
diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c
new file mode 100644 (file)
index 0000000..ede1cbc
--- /dev/null
@@ -0,0 +1,239 @@
+//-----------------------------------------------------------------------------\r
+// Merlok, May 2011\r
+// Many authors, that makes it possible\r
+//\r
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
+// at your option, any later version. See the LICENSE.txt file for the text of\r
+// the license.\r
+//-----------------------------------------------------------------------------\r
+// code for work with mifare cards.\r
+//-----------------------------------------------------------------------------\r
+\r
+#include "proxmark3.h"\r
+#include "apps.h"\r
+#include "util.h"\r
+#include "string.h"\r
+\r
+#include "iso14443crc.h"\r
+#include "iso14443a.h"\r
+#include "crapto1.h"\r
+#include "mifareutil.h"\r
+\r
+uint8_t* mifare_get_bigbufptr(void) {\r
+       return (((uint8_t *)BigBuf) + 3560);    // was 3560 - tied to other size changes\r
+}\r
+\r
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer)\r
+{\r
+       uint8_t dcmd[4], ecmd[4];\r
+       uint32_t pos, par, res;\r
+\r
+       dcmd[0] = cmd;\r
+       dcmd[1] = data;\r
+       AppendCrc14443a(dcmd, 2);\r
+       \r
+       memcpy(ecmd, dcmd, sizeof(dcmd));\r
+       \r
+       if (crypted) {\r
+               par = 0;\r
+               for (pos = 0; pos < 4; pos++)\r
+               {\r
+                       ecmd[pos] = crypto1_byte(pcs, 0x00, 0) ^ dcmd[pos];\r
+                       par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(dcmd[pos])) & 0x01) * 0x08 );\r
+               }       \r
+\r
+               ReaderTransmitPar(ecmd, sizeof(ecmd), par);\r
+\r
+       } else {\r
+               ReaderTransmit(dcmd, sizeof(dcmd));\r
+       }\r
+\r
+       int len = ReaderReceive(answer);\r
+\r
+       if (crypted) {\r
+               if (len == 1) {\r
+                       res = 0;\r
+                       for (pos = 0; pos < 4; pos++)\r
+                               res |= (crypto1_bit(pcs, 0, 0) ^ BIT(answer[0], pos)) << pos;\r
+                               \r
+                       answer[0] = res;\r
+                       \r
+               } else {\r
+                       for (pos = 0; pos < len; pos++)\r
+                       {\r
+                               answer[pos] = crypto1_byte(pcs, 0x00, 0) ^ answer[pos];\r
+                       }\r
+               }\r
+       }\r
+       \r
+       return len;\r
+}\r
+\r
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested) \r
+{\r
+       // variables\r
+  int len;     \r
+       uint32_t pos;\r
+       uint8_t tmp4[4];\r
+  byte_t par = 0;\r
+  byte_t ar[4];\r
+       uint32_t nt, ntpp; // Supplied tag nonce\r
+       \r
+       uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };\r
+  uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+\r
+  // Transmit MIFARE_CLASSIC_AUTH\r
+       len = mifare_sendcmd_short(pcs, isNested, 0x60 + (keyType & 0x01), blockNo, receivedAnswer);\r
+//     Dbprintf("rand nonce len: %x", len);  \r
+  if (len != 4) return 1;\r
+       \r
+       ar[0] = 0x55;\r
+       ar[1] = 0x41;\r
+       ar[2] = 0x49;\r
+       ar[3] = 0x92; \r
+       \r
+       // Save the tag nonce (nt)\r
+       nt = bytes_to_num(receivedAnswer, 4);\r
+       Dbprintf("uid: %x nt: %x", uid, nt);  \r
+\r
+       //  ----------------------------- crypto1 create\r
+  // Init cipher with key\r
+       crypto1_create(pcs, ui64Key);\r
+\r
+  // Load (plain) uid^nt into the cipher\r
+       crypto1_word(pcs, nt ^ uid, 0);\r
+\r
+       par = 0;\r
+  // Generate (encrypted) nr+parity by loading it into the cipher (Nr)\r
+  for (pos = 0; pos < 4; pos++)\r
+  {\r
+    mf_nr_ar[pos] = crypto1_byte(pcs, ar[pos], 0) ^ ar[pos];\r
+               par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(ar[pos])) & 0x01) * 0x80 );\r
+  }    \r
+               \r
+  // Skip 32 bits in pseudo random generator\r
+  nt = prng_successor(nt,32);\r
+\r
+       //  ar+parity\r
+  for (pos = 4; pos < 8; pos++)\r
+  {\r
+               nt = prng_successor(nt,8);\r
+    mf_nr_ar[pos] = crypto1_byte(pcs,0x00,0) ^ (nt & 0xff);\r
+               par = (par >> 1)| ( ((filter(pcs->odd) ^ oddparity(nt & 0xff)) & 0x01) * 0x80 );\r
+  }    \r
+               \r
+  // Transmit reader nonce and reader answer\r
+  ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par);\r
+\r
+  // Receive 4 bit answer\r
+       len = ReaderReceive(receivedAnswer);\r
+  if (!len)\r
+  {\r
+    Dbprintf("Authentication failed. Card timeout.");\r
+               return 2;\r
+  }\r
+       \r
+  memcpy(tmp4, receivedAnswer, 4);\r
+       ntpp = prng_successor(nt, 32) ^ crypto1_word(pcs, 0,0);\r
+       \r
+       if (ntpp != bytes_to_num(tmp4, 4)) {\r
+    Dbprintf("Authentication failed. Error card response.");\r
+               return 3;\r
+       }\r
+\r
+       return 0;\r
+}\r
+\r
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) \r
+{\r
+       // variables\r
+  int len;     \r
+       uint8_t bt[2];\r
+       \r
+  uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+       \r
+  // command MIFARE_CLASSIC_READBLOCK\r
+       len = mifare_sendcmd_short(pcs, 1, 0x30, blockNo, receivedAnswer);\r
+       if (len == 1) {\r
+               Dbprintf("Cmd Error: %02x", receivedAnswer[0]);  \r
+               return 1;\r
+       }\r
+       if (len != 18) {\r
+               Dbprintf("Cmd Error: card timeout. len: %x", len);  \r
+               return 2;\r
+       }\r
+\r
+       memcpy(bt, receivedAnswer + 16, 2);\r
+  AppendCrc14443a(receivedAnswer, 16);\r
+       if (bt[0] != receivedAnswer[16] || bt[1] != receivedAnswer[17]) {\r
+               Dbprintf("Cmd CRC response error.");  \r
+               return 3;\r
+       }\r
+       \r
+       memcpy(blockData, receivedAnswer, 16);\r
+       return 0;\r
+}\r
+\r
+int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) \r
+{\r
+       // variables\r
+  int len, i;  \r
+       uint32_t pos;\r
+  uint32_t par = 0;\r
+  byte_t res;\r
+       \r
+       uint8_t d_block[18], d_block_enc[18];\r
+  uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+       \r
+  // command MIFARE_CLASSIC_WRITEBLOCK\r
+       len = mifare_sendcmd_short(pcs, 1, 0xA0, blockNo, receivedAnswer);\r
+\r
+       if ((len != 1) || (receivedAnswer[0] != 0x0A)) {   //  0x0a - ACK\r
+               Dbprintf("Cmd Error: %02x", receivedAnswer[0]);  \r
+               return 1;\r
+       }\r
+       \r
+       memcpy(d_block, blockData, 16);\r
+       AppendCrc14443a(d_block, 16);\r
+       \r
+       // crypto\r
+       par = 0;\r
+  for (pos = 0; pos < 18; pos++)\r
+  {\r
+    d_block_enc[pos] = crypto1_byte(pcs, 0x00, 0) ^ d_block[pos];\r
+               par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(d_block[pos])) & 0x01) * 0x20000 );\r
+  }    \r
+\r
+  ReaderTransmitPar(d_block_enc, sizeof(d_block_enc), par);\r
+\r
+  // Receive the response\r
+       len = ReaderReceive(receivedAnswer);    \r
+\r
+       res = 0;\r
+       for (i = 0; i < 4; i++)\r
+               res |= (crypto1_bit(pcs, 0, 0) ^ BIT(receivedAnswer[0], i)) << i;\r
+\r
+       if ((len != 1) || (res != 0x0A)) {\r
+               Dbprintf("Cmd send data2 Error: %02x", res);  \r
+               return 2;\r
+       }\r
+       \r
+       return 0;\r
+}\r
+\r
+int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid) \r
+{\r
+       // variables\r
+  int len;     \r
+       \r
+       // Mifare HALT\r
+  uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+\r
+       len = mifare_sendcmd_short(pcs, 1, 0x50, 0x00, receivedAnswer);\r
+  if (len != 0) {\r
+               Dbprintf("halt error. response len: %x", len);  \r
+               return 1;\r
+       }\r
+\r
+       return 0;\r
+}\r
diff --git a/armsrc/mifareutil.h b/armsrc/mifareutil.h
new file mode 100644 (file)
index 0000000..ed2779f
--- /dev/null
@@ -0,0 +1,17 @@
+//-----------------------------------------------------------------------------\r
+// Merlok, May 2011\r
+// Many authors, that makes it possible\r
+//\r
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
+// at your option, any later version. See the LICENSE.txt file for the text of\r
+// the license.\r
+//-----------------------------------------------------------------------------\r
+// code for work with mifare cards.\r
+//-----------------------------------------------------------------------------\r
+\r
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, \\r
+                        uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested);\r
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData); \r
+int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);\r
+int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid); \r
+\r
index 6f69fba8b8b3c120e70cde4519115b9aeb9a6c2e..34760ab1dedd4eb83e4df3c0ee60a26e44c3ad64 100644 (file)
@@ -14,6 +14,8 @@
 #include <stddef.h>
 #include <stdint.h>
 
 #include <stddef.h>
 #include <stdint.h>
 
+#define BYTEx(x, n) (((x) >> (n * 8)) & 0xff )
+
 #define LED_RED 1
 #define LED_ORANGE 2
 #define LED_GREEN 4
 #define LED_RED 1
 #define LED_ORANGE 2
 #define LED_GREEN 4
index 145f6a678dbfbf6f2cdd3ddc131ec1f38b77b500..922d1b7f923163737d21ae5cb3111fe53c6a9a71 100644 (file)
@@ -11,6 +11,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include "util.h"
 #include "iso14443crc.h"
 #include "data.h"
 #include "proxusb.h"
 #include "iso14443crc.h"
 #include "data.h"
 #include "proxusb.h"
@@ -18,6 +19,7 @@
 #include "cmdparser.h"
 #include "cmdhf14a.h"
 #include "common.h"
 #include "cmdparser.h"
 #include "cmdhf14a.h"
 #include "common.h"
+#include "cmdmain.h"
 
 static int CmdHelp(const char *Cmd);
 
 
 static int CmdHelp(const char *Cmd);
 
@@ -160,6 +162,231 @@ int CmdHF14AMifare(const char *Cmd)
   return 0;
 }
 
   return 0;
 }
 
+int CmdHF14AMfWrBl(const char *Cmd)
+{
+       int i, temp;
+       uint8_t blockNo = 0;
+       uint8_t keyType = 0;
+       uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+       uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+       
+       const char *cmdp        = Cmd;
+       const char *cmdpe       = Cmd;
+
+       if (strlen(Cmd)<3) {
+               PrintAndLog("Usage:  hf 14 mfwrbl    <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
+               PrintAndLog("           sample: hf 14a mfwrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
+               return 0;
+       }       
+       PrintAndLog("l: %s", Cmd);
+       
+  // skip spaces
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+       blockNo = strtol(cmdp, NULL, 0) & 0xff;
+       
+       // next value
+       while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+       if (*cmdp != 'A' && *cmdp != 'a')  {
+               keyType = 1;
+       }
+
+       // next value
+       while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+       // next value here:cmdpe
+       cmdpe = cmdp;
+       while (*cmdpe!=' ' && *cmdpe!='\t') cmdpe++;
+       while (*cmdpe==' ' || *cmdpe=='\t') cmdpe++;
+
+       if ((int)cmdpe - (int)cmdp != 13) {
+               PrintAndLog("Length of key must be 12 hex symbols");
+               return 0;
+       }
+       
+       for(i = 0; i < 6; i++) {
+               sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+               key[i] = temp & 0xff;
+               cmdp++;
+               cmdp++;
+       }       
+
+       // next value
+       while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+       if (strlen(cmdp) != 32) {
+               PrintAndLog("Length of block data must be 32 hex symbols");
+               return 0;
+       }
+
+       for(i = 0; i < 16; i++) {
+               sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+               bldata[i] = temp & 0xff;
+               cmdp++;
+               cmdp++;
+       }       
+       PrintAndLog(" block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));
+       PrintAndLog(" data: %s", sprint_hex(bldata, 16));
+       
+  UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
+       memcpy(c.d.asBytes, key, 6);
+       memcpy(c.d.asBytes + 10, bldata, 16);
+  SendCommand(&c);
+       UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
+
+       if (resp != NULL) {
+               uint8_t                isOK  = resp->arg[0] & 0xff;
+
+               PrintAndLog("isOk:%02x", isOK);
+       } else {
+               PrintAndLog("Command execute timeout");
+       }
+
+       return 0;
+}
+
+int CmdHF14AMfRdBl(const char *Cmd)
+{
+       int i, temp;
+       uint8_t blockNo = 0;
+       uint8_t keyType = 0;
+       uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+       
+       const char *cmdp        = Cmd;
+
+
+       if (strlen(Cmd)<3) {
+               PrintAndLog("Usage:  hf 14 mfrdbl    <block number> <key A/B> <key (12 hex symbols)>");
+               PrintAndLog("           sample: hf 14a mfrdbl 0 A FFFFFFFFFFFF ");
+               return 0;
+       }       
+       
+  // skip spaces
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+       blockNo = strtol(cmdp, NULL, 0) & 0xff;
+       
+       // next value
+       while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+       if (*cmdp != 'A' && *cmdp != 'a')  {
+               keyType = 1;
+       }
+
+       // next value
+       while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+       if (strlen(cmdp) != 12) {
+               PrintAndLog("Length of key must be 12 hex symbols");
+               return 0;
+       }
+       
+       for(i = 0; i < 6; i++) {
+               sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+               key[i] = temp & 0xff;
+               cmdp++;
+               cmdp++;
+       }       
+       PrintAndLog(" block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
+       
+  UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
+       memcpy(c.d.asBytes, key, 6);
+  SendCommand(&c);
+       UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
+
+       if (resp != NULL) {
+               uint8_t                isOK  = resp->arg[0] & 0xff;
+               uint8_t              * data  = resp->d.asBytes;
+
+               PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
+       } else {
+               PrintAndLog("Command execute timeout");
+       }
+
+  return 0;
+}
+
+int CmdHF14AMfRdSc(const char *Cmd)
+{
+       int i, temp;
+       uint8_t sectorNo = 0;
+       uint8_t keyType = 0;
+       uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+       
+       const char *cmdp        = Cmd;
+
+
+       if (strlen(Cmd)<3) {
+               PrintAndLog("Usage:  hf 14 mfrdsc    <sector number> <key A/B> <key (12 hex symbols)>");
+               PrintAndLog("           sample: hf 14a mfrdsc 0 A FFFFFFFFFFFF ");
+               return 0;
+       }       
+       
+  // skip spaces
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+       sectorNo = strtol(cmdp, NULL, 0) & 0xff;
+       
+       // next value
+       while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+       if (*cmdp != 'A' && *cmdp != 'a')  {
+               keyType = 1;
+       }
+
+       // next value
+       while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+       while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+       if (strlen(cmdp) != 12) {
+               PrintAndLog("Length of key must be 12 hex symbols");
+               return 0;
+       }
+       
+       for(i = 0; i < 6; i++) {
+               sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+               key[i] = temp & 0xff;
+               cmdp++;
+               cmdp++;
+       }       
+       PrintAndLog(" sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6));
+       
+  UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};
+       memcpy(c.d.asBytes, key, 6);
+  SendCommand(&c);
+       UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
+       PrintAndLog(" ");
+
+       if (resp != NULL) {
+               uint8_t                isOK  = resp->arg[0] & 0xff;
+               uint8_t              * data  = resp->d.asBytes;
+
+               PrintAndLog("isOk:%02x", isOK);
+               for (i = 0; i < 2; i++) {
+                       PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
+               }
+       } else {
+               PrintAndLog("Command1 execute timeout");
+       }
+
+               // response2
+       resp = WaitForResponseTimeout(CMD_ACK, 500);
+       PrintAndLog(" ");
+
+       if (resp != NULL) {
+               uint8_t              * data  = resp->d.asBytes;
+
+               for (i = 0; i < 2; i++) {
+                       PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
+               }
+       } else {
+               PrintAndLog("Command2 execute timeout");
+       }
+       
+  return 0;
+}
+
 int CmdHF14AReader(const char *Cmd)
 {
        UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
 int CmdHF14AReader(const char *Cmd)
 {
        UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
@@ -215,6 +442,9 @@ static command_t CommandTable[] =
   {"help",    CmdHelp,        1, "This help"},
   {"list",    CmdHF14AList,   0, "List ISO 14443a history"},
   {"mifare",  CmdHF14AMifare, 0, "Read out sector 0 parity error messages"},
   {"help",    CmdHelp,        1, "This help"},
   {"list",    CmdHF14AList,   0, "List ISO 14443a history"},
   {"mifare",  CmdHF14AMifare, 0, "Read out sector 0 parity error messages"},
+  {"mfrdbl",  CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
+  {"mfrdsc",  CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
+  {"mfwrbl",  CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
   {"reader",  CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
   {"sim",     CmdHF14ASim,    0, "<UID> -- Fake ISO 14443a tag"},
   {"snoop",   CmdHF14ASnoop,  0, "Eavesdrop ISO 14443 Type A"},
   {"reader",  CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
   {"sim",     CmdHF14ASim,    0, "<UID> -- Fake ISO 14443a tag"},
   {"snoop",   CmdHF14ASnoop,  0, "Eavesdrop ISO 14443 Type A"},
index 2c02d119449667a95f9aebb7744784ae86840284..fe89626fe04b940058288963cc69dba830d249ec 100644 (file)
@@ -1,5 +1,14 @@
-#include <stdio.h>
-#include <stdint.h>
+//-----------------------------------------------------------------------------
+// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// utilities
+//-----------------------------------------------------------------------------
+
+#include "util.h"
 
 void print_hex(const uint8_t * data, const size_t len)
 {
 
 void print_hex(const uint8_t * data, const size_t len)
 {
index 483307997042e92167751c021e6e86f616b3d95a..8b65bc651823f9c28b08cdfab2bd3141bf88f079 100644 (file)
@@ -1 +1,15 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// utilities
+//-----------------------------------------------------------------------------
+
+#include <stdio.h>
+#include <stdint.h>
+
 void print_hex(const uint8_t * data, const size_t len);
 void print_hex(const uint8_t * data, const size_t len);
+char * sprint_hex(const uint8_t * data, const size_t len);
index 6d8ae5b135c9c7390359741ae84666cb0de8eb99..ec9c4a5e50d7eb92f8af9ca1d1f47d0ecd64c17f 100644 (file)
@@ -56,7 +56,7 @@ int sprintf(char *str, const char *format, ...);
 //             uid[]           the UID in transmission order
 //     return: ptr to string
 char* Iso15693sprintUID(char *target,uint8_t *uid) {
 //             uid[]           the UID in transmission order
 //     return: ptr to string
 char* Iso15693sprintUID(char *target,uint8_t *uid) {
-  static char tempbuf[9]="";
+  static char tempbuf[2*8+1]="";
   if (target==NULL) target=tempbuf;
   sprintf(target,"%02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
                                uid[7],uid[6],uid[5],uid[4],uid[3],uid[2],uid[1],uid[0]);
   if (target==NULL) target=tempbuf;
   sprintf(target,"%02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
                                uid[7],uid[6],uid[5],uid[4],uid[3],uid[2],uid[1],uid[0]);
index 20a2b7eafab574b88b54cb83912cf7ad21befbb3..b36ea5dd9afcdfb01fb7666a5c82626f13ba1b98 100644 (file)
@@ -36,24 +36,24 @@ typedef struct {
 #define CMD_DEVICE_INFO                                        0x0000
 #define CMD_SETUP_WRITE                                        0x0001
 #define CMD_FINISH_WRITE                               0x0003
 #define CMD_DEVICE_INFO                                        0x0000
 #define CMD_SETUP_WRITE                                        0x0001
 #define CMD_FINISH_WRITE                               0x0003
-#define CMD_HARDWARE_RESET                             0x0004
+#define CMD_HARDWARE_RESET                     0x0004
 #define CMD_START_FLASH                                        0x0005
 #define CMD_START_FLASH                                        0x0005
-#define CMD_NACK                                       0x00fe
-#define CMD_ACK                                                0x00ff
+#define CMD_NACK                                                               0x00fe
+#define CMD_ACK                                                                        0x00ff
 
 // For general mucking around
 #define CMD_DEBUG_PRINT_STRING                         0x0100
 #define CMD_DEBUG_PRINT_INTEGERS                       0x0101
 
 // For general mucking around
 #define CMD_DEBUG_PRINT_STRING                         0x0100
 #define CMD_DEBUG_PRINT_INTEGERS                       0x0101
-#define CMD_DEBUG_PRINT_BYTES                          0x0102
-#define CMD_LCD_RESET                                  0x0103
-#define CMD_LCD                                                0x0104
-#define CMD_BUFF_CLEAR                                 0x0105
-#define CMD_READ_MEM                                   0x0106
-#define CMD_VERSION                                    0x0107
+#define CMD_DEBUG_PRINT_BYTES                                  0x0102
+#define CMD_LCD_RESET                                                                  0x0103
+#define CMD_LCD                                                                                                0x0104
+#define CMD_BUFF_CLEAR                                                         0x0105
+#define CMD_READ_MEM                                                                   0x0106
+#define CMD_VERSION                                                                            0x0107
 
 // For low-frequency tags
 
 // For low-frequency tags
-#define CMD_READ_TI_TYPE                               0x0202
-#define CMD_WRITE_TI_TYPE                              0x0203
+#define CMD_READ_TI_TYPE                                                                               0x0202
+#define CMD_WRITE_TI_TYPE                                                                              0x0203
 #define CMD_DOWNLOADED_RAW_BITS_TI_TYPE                        0x0204
 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_125K               0x0205
 #define CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K      0x0206
 #define CMD_DOWNLOADED_RAW_BITS_TI_TYPE                        0x0204
 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_125K               0x0205
 #define CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K      0x0206
@@ -71,38 +71,42 @@ typedef struct {
 // For the 13.56 MHz tags
 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693          0x0300
 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443          0x0301
 // For the 13.56 MHz tags
 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693          0x0300
 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443          0x0301
-#define CMD_READ_SRI512_TAG                            0x0303
-#define CMD_READ_SRIX4K_TAG                            0x0304
-#define CMD_READER_ISO_15693                           0x0310
-#define CMD_SIMTAG_ISO_15693                           0x0311
+#define CMD_READ_SRI512_TAG                                                    0x0303
+#define CMD_READ_SRIX4K_TAG                                                    0x0304
+#define CMD_READER_ISO_15693                                           0x0310
+#define CMD_SIMTAG_ISO_15693                                           0x0311
 #define CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693           0x0312
 #define CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693           0x0312
-#define CMD_ISO_15693_COMMAND                          0x0313
-#define CMD_ISO_15693_COMMAND_DONE             0x0314
-#define CMD_ISO_15693_FIND_AFI                 0x0315
-#define CMD_ISO_15693_DEBUG                            0x0316
+#define CMD_ISO_15693_COMMAND                                          0x0313
+#define CMD_ISO_15693_COMMAND_DONE                     0x0314
+#define CMD_ISO_15693_FIND_AFI                                 0x0315
+#define CMD_ISO_15693_DEBUG                                                    0x0316
 #define CMD_SIMULATE_TAG_HF_LISTEN                     0x0380
 #define CMD_SIMULATE_TAG_ISO_14443                     0x0381
 #define CMD_SIMULATE_TAG_HF_LISTEN                     0x0380
 #define CMD_SIMULATE_TAG_ISO_14443                     0x0381
-#define CMD_SNOOP_ISO_14443                            0x0382
-#define CMD_SNOOP_ISO_14443a                           0x0383
+#define CMD_SNOOP_ISO_14443                                                    0x0382
+#define CMD_SNOOP_ISO_14443a                                           0x0383
 #define CMD_SIMULATE_TAG_ISO_14443a                    0x0384
 #define CMD_SIMULATE_TAG_ISO_14443a                    0x0384
-#define CMD_READER_ISO_14443a                          0x0385
-#define CMD_SIMULATE_MIFARE_CARD                       0x0386
-#define CMD_SIMULATE_TAG_LEGIC_RF                      0x0387
-#define CMD_READER_LEGIC_RF                            0x0388
-#define CMD_WRITER_LEGIC_RF                            0x0399
-#define CMD_READER_MIFARE                              0x0389
-#define CMD_SNOOP_ICLASS                               0x0392
+#define CMD_READER_ISO_14443a                                          0x0385
+#define CMD_SIMULATE_MIFARE_CARD                               0x0386
+#define CMD_SIMULATE_TAG_LEGIC_RF                              0x0387
+#define CMD_READER_LEGIC_RF                                                    0x0388
+#define CMD_WRITER_LEGIC_RF                                                    0x0399
+#define CMD_READER_MIFARE                                                              0x0389
+#define CMD_MIFARE_NESTED                                                              0x0390
+#define CMD_MIFARE_READBL                                                              0x0391
+#define CMD_MIFARE_READSC                                                              0x0393
+#define CMD_MIFARE_WRITEBL                                                     0x0394
+#define CMD_SNOOP_ICLASS                                                               0x0392
 
 // For measurements of the antenna tuning
 
 // For measurements of the antenna tuning
-#define CMD_MEASURE_ANTENNA_TUNING                     0x0400
+#define CMD_MEASURE_ANTENNA_TUNING                             0x0400
 #define CMD_MEASURE_ANTENNA_TUNING_HF                  0x0401
 #define CMD_MEASURE_ANTENNA_TUNING_HF                  0x0401
-#define CMD_MEASURED_ANTENNA_TUNING                    0x0410
-#define CMD_LISTEN_READER_FIELD                                0x0420
+#define CMD_MEASURED_ANTENNA_TUNING                            0x0410
+#define CMD_LISTEN_READER_FIELD                                                0x0420
 
 // For direct FPGA control
 
 // For direct FPGA control
-#define CMD_FPGA_MAJOR_MODE_OFF                                0x0500
+#define CMD_FPGA_MAJOR_MODE_OFF                                                0x0500
 
 
-#define CMD_UNKNOWN                                    0xFFFF
+#define CMD_UNKNOWN                                                                                            0xFFFF
 
 // CMD_DEVICE_INFO response packet has flags in arg[0], flag definitions:
 /* Whether a bootloader that understands the common_area is present */
 
 // CMD_DEVICE_INFO response packet has flags in arg[0], flag definitions:
 /* Whether a bootloader that understands the common_area is present */
Impressum, Datenschutz