#SRC_LCD = fonts.c LCD.c
SRC_LF = lfops.c hitag2.c
SRC_ISO15693 = iso15693.c iso15693tools.c
-SRC_ISO14443a = iso14443a.c
+SRC_ISO14443a = iso14443a.c mifareutil.c
SRC_ISO14443b = iso14443.c
+SRC_CRAPTO1 = crapto1.c crypto1.c
THUMBSRC = start.c \
$(SRC_LCD) \
crc16.c \
$(SRC_ISO14443a) \
$(SRC_ISO14443b) \
+ $(SRC_CRAPTO1) \
legic_prng.c \
iclass.c \
crc.c
break;
#endif
+#ifdef WITH_ISO14443a
+ case CMD_MIFARE_READBL:
+ MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+ break;
+ case CMD_MIFARE_READSC:
+ MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+ break;
+ case CMD_MIFARE_WRITEBL:
+ MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+ break;
+ case CMD_MIFARE_NESTED:
+ MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+ break;
+ case CMD_SIMULATE_MIFARE_CARD:
+ Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
+ break;
+
+#endif
+
#ifdef WITH_ISO14443b
case CMD_SNOOP_ISO_14443:
SnoopIso14443();
void SimulateIso14443aTag(int tagType, int TagUid); // ## simulate iso14443a tag
void ReaderIso14443a(UsbCommand * c, UsbCommand * ack);
void ReaderMifare(uint32_t parameter);
+void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
+void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+void MifareNested(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
+void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
/// iso15693.h
void RecordRawAdcSamplesIso15693(void);
--- /dev/null
+/* crapto1.c\r
+\r
+ This program is free software; you can redistribute it and/or\r
+ modify it under the terms of the GNU General Public License\r
+ as published by the Free Software Foundation; either version 2\r
+ of the License, or (at your option) any later version.\r
+\r
+ This program is distributed in the hope that it will be useful,\r
+ but WITHOUT ANY WARRANTY; without even the implied warranty of\r
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r
+ GNU General Public License for more details.\r
+\r
+ You should have received a copy of the GNU General Public License\r
+ along with this program; if not, write to the Free Software\r
+ Foundation, Inc., 51 Franklin Street, Fifth Floor,\r
+ Boston, MA 02110-1301, US$\r
+\r
+ Copyright (C) 2008-2008 bla <blapost@gmail.com>\r
+*/\r
+#include "crapto1.h"\r
+#include <stdlib.h>\r
+\r
+#if !defined LOWMEM && defined __GNUC__\r
+static uint8_t filterlut[1 << 20];\r
+static void __attribute__((constructor)) fill_lut()\r
+{\r
+ uint32_t i;\r
+ for(i = 0; i < 1 << 20; ++i)\r
+ filterlut[i] = filter(i);\r
+}\r
+#define filter(x) (filterlut[(x) & 0xfffff])\r
+#endif\r
+\r
+static void quicksort(uint32_t* const start, uint32_t* const stop)\r
+{\r
+ uint32_t *it = start + 1, *rit = stop;\r
+\r
+ if(it > rit)\r
+ return;\r
+\r
+ while(it < rit)\r
+ if(*it <= *start)\r
+ ++it;\r
+ else if(*rit > *start)\r
+ --rit;\r
+ else\r
+ *it ^= (*it ^= *rit, *rit ^= *it);\r
+\r
+ if(*rit >= *start)\r
+ --rit;\r
+ if(rit != start)\r
+ *rit ^= (*rit ^= *start, *start ^= *rit);\r
+\r
+ quicksort(start, rit - 1);\r
+ quicksort(rit + 1, stop);\r
+}\r
+/** binsearch\r
+ * Binary search for the first occurence of *stop's MSB in sorted [start,stop]\r
+ */\r
+static inline uint32_t* binsearch(uint32_t *start, uint32_t *stop)\r
+{\r
+ uint32_t mid, val = *stop & 0xff000000;\r
+ while(start != stop)\r
+ if(start[mid = (stop - start) >> 1] > val)\r
+ stop = &start[mid];\r
+ else\r
+ start += mid + 1;\r
+\r
+ return start;\r
+}\r
+\r
+/** update_contribution\r
+ * helper, calculates the partial linear feedback contributions and puts in MSB\r
+ */\r
+static inline void\r
+update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2)\r
+{\r
+ uint32_t p = *item >> 25;\r
+\r
+ p = p << 1 | parity(*item & mask1);\r
+ p = p << 1 | parity(*item & mask2);\r
+ *item = p << 24 | (*item & 0xffffff);\r
+}\r
+\r
+/** extend_table\r
+ * using a bit of the keystream extend the table of possible lfsr states\r
+ */\r
+static inline void\r
+extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in)\r
+{\r
+ in <<= 24;\r
+ for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)\r
+ if(filter(*tbl) ^ filter(*tbl | 1)) {\r
+ *tbl |= filter(*tbl) ^ bit;\r
+ update_contribution(tbl, m1, m2);\r
+ *tbl ^= in;\r
+ } else if(filter(*tbl) == bit) {\r
+ *++*end = tbl[1];\r
+ tbl[1] = tbl[0] | 1;\r
+ update_contribution(tbl, m1, m2);\r
+ *tbl++ ^= in;\r
+ update_contribution(tbl, m1, m2);\r
+ *tbl ^= in;\r
+ } else\r
+ *tbl-- = *(*end)--;\r
+}\r
+/** extend_table_simple\r
+ * using a bit of the keystream extend the table of possible lfsr states\r
+ */\r
+static inline void extend_table_simple(uint32_t *tbl, uint32_t **end, int bit)\r
+{\r
+ for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)\r
+ if(filter(*tbl) ^ filter(*tbl | 1))\r
+ *tbl |= filter(*tbl) ^ bit;\r
+ else if(filter(*tbl) == bit) {\r
+ *++*end = *++tbl;\r
+ *tbl = tbl[-1] | 1;\r
+ } else\r
+ *tbl-- = *(*end)--;\r
+}\r
+/** recover\r
+ * recursively narrow down the search space, 4 bits of keystream at a time\r
+ */\r
+static struct Crypto1State*\r
+recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,\r
+ uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem,\r
+ struct Crypto1State *sl, uint32_t in)\r
+{\r
+ uint32_t *o, *e, i;\r
+\r
+ if(rem == -1) {\r
+ for(e = e_head; e <= e_tail; ++e) {\r
+ *e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4);\r
+ for(o = o_head; o <= o_tail; ++o, ++sl) {\r
+ sl->even = *o;\r
+ sl->odd = *e ^ parity(*o & LF_POLY_ODD);\r
+ sl[1].odd = sl[1].even = 0;\r
+ }\r
+ }\r
+ return sl;\r
+ }\r
+\r
+ for(i = 0; i < 4 && rem--; i++) {\r
+ oks >>= 1;\r
+ eks >>= 1;\r
+ in >>= 2;\r
+ extend_table(o_head, &o_tail, oks & 1, LF_POLY_EVEN << 1 | 1,\r
+ LF_POLY_ODD << 1, 0);\r
+ if(o_head > o_tail)\r
+ return sl;\r
+\r
+ extend_table(e_head, &e_tail, eks & 1, LF_POLY_ODD,\r
+ LF_POLY_EVEN << 1 | 1, in & 3);\r
+ if(e_head > e_tail)\r
+ return sl;\r
+ }\r
+\r
+ quicksort(o_head, o_tail);\r
+ quicksort(e_head, e_tail);\r
+\r
+ while(o_tail >= o_head && e_tail >= e_head)\r
+ if(((*o_tail ^ *e_tail) >> 24) == 0) {\r
+ o_tail = binsearch(o_head, o = o_tail);\r
+ e_tail = binsearch(e_head, e = e_tail);\r
+ sl = recover(o_tail--, o, oks,\r
+ e_tail--, e, eks, rem, sl, in);\r
+ }\r
+ else if(*o_tail > *e_tail)\r
+ o_tail = binsearch(o_head, o_tail) - 1;\r
+ else\r
+ e_tail = binsearch(e_head, e_tail) - 1;\r
+\r
+ return sl;\r
+}\r
+/** lfsr_recovery\r
+ * recover the state of the lfsr given 32 bits of the keystream\r
+ * additionally you can use the in parameter to specify the value\r
+ * that was fed into the lfsr at the time the keystream was generated\r
+ */\r
+struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)\r
+{\r
+ struct Crypto1State *statelist;\r
+ uint32_t *odd_head = 0, *odd_tail = 0, oks = 0;\r
+ uint32_t *even_head = 0, *even_tail = 0, eks = 0;\r
+ int i;\r
+\r
+ for(i = 31; i >= 0; i -= 2)\r
+ oks = oks << 1 | BEBIT(ks2, i);\r
+ for(i = 30; i >= 0; i -= 2)\r
+ eks = eks << 1 | BEBIT(ks2, i);\r
+\r
+ odd_head = odd_tail = malloc(sizeof(uint32_t) << 21);\r
+ even_head = even_tail = malloc(sizeof(uint32_t) << 21);\r
+ statelist = malloc(sizeof(struct Crypto1State) << 18);\r
+ if(!odd_tail-- || !even_tail-- || !statelist) {\r
+ free(statelist);\r
+ statelist = 0;\r
+ goto out;\r
+ }\r
+\r
+ statelist->odd = statelist->even = 0;\r
+\r
+ for(i = 1 << 20; i >= 0; --i) {\r
+ if(filter(i) == (oks & 1))\r
+ *++odd_tail = i;\r
+ if(filter(i) == (eks & 1))\r
+ *++even_tail = i;\r
+ }\r
+\r
+ for(i = 0; i < 4; i++) {\r
+ extend_table_simple(odd_head, &odd_tail, (oks >>= 1) & 1);\r
+ extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1);\r
+ }\r
+\r
+ in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);\r
+ recover(odd_head, odd_tail, oks,\r
+ even_head, even_tail, eks, 11, statelist, in << 1);\r
+\r
+out:\r
+ free(odd_head);\r
+ free(even_head);\r
+ return statelist;\r
+}\r
+\r
+static const uint32_t S1[] = { 0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214,\r
+ 0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83,\r
+ 0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA};\r
+static const uint32_t S2[] = { 0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60,\r
+ 0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8,\r
+ 0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20,\r
+ 0x7EC7EE90, 0x7F63F748, 0x79117020};\r
+static const uint32_t T1[] = {\r
+ 0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66,\r
+ 0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B,\r
+ 0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615,\r
+ 0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C};\r
+static const uint32_t T2[] = { 0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0,\r
+ 0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268,\r
+ 0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0,\r
+ 0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0,\r
+ 0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950,\r
+ 0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0};\r
+static const uint32_t C1[] = { 0x846B5, 0x4235A, 0x211AD};\r
+static const uint32_t C2[] = { 0x1A822E0, 0x21A822E0, 0x21A822E0};\r
+/** Reverse 64 bits of keystream into possible cipher states\r
+ * Variation mentioned in the paper. Somewhat optimized version\r
+ */\r
+struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3)\r
+{\r
+ struct Crypto1State *statelist, *sl;\r
+ uint8_t oks[32], eks[32], hi[32];\r
+ uint32_t low = 0, win = 0;\r
+ uint32_t *tail, table[1 << 16];\r
+ int i, j;\r
+\r
+ sl = statelist = malloc(sizeof(struct Crypto1State) << 4);\r
+ if(!sl)\r
+ return 0;\r
+ sl->odd = sl->even = 0;\r
+\r
+ for(i = 30; i >= 0; i -= 2) {\r
+ oks[i >> 1] = BEBIT(ks2, i);\r
+ oks[16 + (i >> 1)] = BEBIT(ks3, i);\r
+ }\r
+ for(i = 31; i >= 0; i -= 2) {\r
+ eks[i >> 1] = BEBIT(ks2, i);\r
+ eks[16 + (i >> 1)] = BEBIT(ks3, i);\r
+ }\r
+\r
+ for(i = 0xfffff; i >= 0; --i) {\r
+ if (filter(i) != oks[0])\r
+ continue;\r
+\r
+ *(tail = table) = i;\r
+ for(j = 1; tail >= table && j < 29; ++j)\r
+ extend_table_simple(table, &tail, oks[j]);\r
+\r
+ if(tail < table)\r
+ continue;\r
+\r
+ for(j = 0; j < 19; ++j)\r
+ low = low << 1 | parity(i & S1[j]);\r
+ for(j = 0; j < 32; ++j)\r
+ hi[j] = parity(i & T1[j]);\r
+\r
+ for(; tail >= table; --tail) {\r
+ for(j = 0; j < 3; ++j) {\r
+ *tail = *tail << 1;\r
+ *tail |= parity((i & C1[j]) ^ (*tail & C2[j]));\r
+ if(filter(*tail) != oks[29 + j])\r
+ goto continue2;\r
+ }\r
+\r
+ for(j = 0; j < 19; ++j)\r
+ win = win << 1 | parity(*tail & S2[j]);\r
+\r
+ win ^= low;\r
+ for(j = 0; j < 32; ++j) {\r
+ win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]);\r
+ if(filter(win) != eks[j])\r
+ goto continue2;\r
+ }\r
+\r
+ *tail = *tail << 1 | parity(LF_POLY_EVEN & *tail);\r
+ sl->odd = *tail ^ parity(LF_POLY_ODD & win);\r
+ sl->even = win;\r
+ ++sl;\r
+ sl->odd = sl->even = 0;\r
+ continue2:;\r
+ }\r
+ }\r
+ return statelist;\r
+}\r
+\r
+/** lfsr_rollback_bit\r
+ * Rollback the shift register in order to get previous states\r
+ */\r
+uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb)\r
+{\r
+ int out;\r
+ uint8_t ret;\r
+\r
+ s->odd &= 0xffffff;\r
+ s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);\r
+\r
+ out = s->even & 1;\r
+ out ^= LF_POLY_EVEN & (s->even >>= 1);\r
+ out ^= LF_POLY_ODD & s->odd;\r
+ out ^= !!in;\r
+ out ^= (ret = filter(s->odd)) & !!fb;\r
+\r
+ s->even |= parity(out) << 23;\r
+ return ret;\r
+}\r
+/** lfsr_rollback_byte\r
+ * Rollback the shift register in order to get previous states\r
+ */\r
+uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb)\r
+{\r
+ int i, ret = 0;\r
+ for (i = 7; i >= 0; --i)\r
+ ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i;\r
+ return ret;\r
+}\r
+/** lfsr_rollback_word\r
+ * Rollback the shift register in order to get previous states\r
+ */\r
+uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb)\r
+{\r
+ int i;\r
+ uint32_t ret = 0;\r
+ for (i = 31; i >= 0; --i)\r
+ ret |= lfsr_rollback_bit(s, BEBIT(in, i), fb) << (i ^ 24);\r
+ return ret;\r
+}\r
+\r
+/** nonce_distance\r
+ * x,y valid tag nonces, then prng_successor(x, nonce_distance(x, y)) = y\r
+ */\r
+static uint16_t *dist = 0;\r
+int nonce_distance(uint32_t from, uint32_t to)\r
+{\r
+ uint16_t x, i;\r
+ if(!dist) {\r
+ dist = malloc(2 << 16);\r
+ if(!dist)\r
+ return -1;\r
+ for (x = i = 1; i; ++i) {\r
+ dist[(x & 0xff) << 8 | x >> 8] = i;\r
+ x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15;\r
+ }\r
+ }\r
+ return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535;\r
+}\r
+\r
+\r
+static uint32_t fastfwd[2][8] = {\r
+ { 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB},\r
+ { 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}};\r
+/** lfsr_prefix_ks\r
+ *\r
+ * Is an exported helper function from the common prefix attack\r
+ * Described in the "dark side" paper. It returns an -1 terminated array\r
+ * of possible partial(21 bit) secret state.\r
+ * The required keystream(ks) needs to contain the keystream that was used to\r
+ * encrypt the NACK which is observed when varying only the 3 last bits of Nr\r
+ * only correct iff [NR_3] ^ NR_3 does not depend on Nr_3\r
+ */\r
+uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd)\r
+{\r
+ uint32_t c, entry, *candidates = malloc(4 << 10);\r
+ int i, size = 0, good;\r
+\r
+ if(!candidates)\r
+ return 0;\r
+\r
+ for(i = 0; i < 1 << 21; ++i) {\r
+ for(c = 0, good = 1; good && c < 8; ++c) {\r
+ entry = i ^ fastfwd[isodd][c];\r
+ good &= (BIT(ks[c], isodd) == filter(entry >> 1));\r
+ good &= (BIT(ks[c], isodd + 2) == filter(entry));\r
+ }\r
+ if(good)\r
+ candidates[size++] = i;\r
+ }\r
+\r
+ candidates[size] = -1;\r
+\r
+ return candidates;\r
+}\r
+\r
+/** check_pfx_parity\r
+ * helper function which eliminates possible secret states using parity bits\r
+ */\r
+static struct Crypto1State*\r
+check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8],\r
+ uint32_t odd, uint32_t even, struct Crypto1State* sl)\r
+{\r
+ uint32_t ks1, nr, ks2, rr, ks3, c, good = 1;\r
+\r
+ for(c = 0; good && c < 8; ++c) {\r
+ sl->odd = odd ^ fastfwd[1][c];\r
+ sl->even = even ^ fastfwd[0][c];\r
+\r
+ lfsr_rollback_bit(sl, 0, 0);\r
+ lfsr_rollback_bit(sl, 0, 0);\r
+\r
+ ks3 = lfsr_rollback_bit(sl, 0, 0);\r
+ ks2 = lfsr_rollback_word(sl, 0, 0);\r
+ ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1);\r
+\r
+ nr = ks1 ^ (prefix | c << 5);\r
+ rr = ks2 ^ rresp;\r
+\r
+ good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24);\r
+ good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16);\r
+ good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2, 8);\r
+ good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2, 0);\r
+ good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3;\r
+ }\r
+\r
+ return sl + good;\r
+} \r
+\r
+\r
+/** lfsr_common_prefix\r
+ * Implentation of the common prefix attack.\r
+ */\r
+struct Crypto1State*\r
+lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8])\r
+{\r
+ struct Crypto1State *statelist, *s;\r
+ uint32_t *odd, *even, *o, *e, top;\r
+\r
+ odd = lfsr_prefix_ks(ks, 1);\r
+ even = lfsr_prefix_ks(ks, 0);\r
+\r
+ s = statelist = malloc((sizeof *statelist) << 20);\r
+ if(!s || !odd || !even) {\r
+ free(statelist);\r
+ statelist = 0;\r
+ goto out;\r
+ }\r
+\r
+ for(o = odd; *o + 1; ++o)\r
+ for(e = even; *e + 1; ++e)\r
+ for(top = 0; top < 64; ++top) {\r
+ *o += 1 << 21;\r
+ *e += (!(top & 7) + 1) << 21;\r
+ s = check_pfx_parity(pfx, rr, par, *o, *e, s);\r
+ }\r
+\r
+ s->odd = s->even = 0;\r
+out:\r
+ free(odd);\r
+ free(even);\r
+ return statelist;\r
+}\r
--- /dev/null
+/* crapto1.h
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version 2
+ of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ MA 02110-1301, US$
+
+ Copyright (C) 2008-2008 bla <blapost@gmail.com>
+*/
+#ifndef CRAPTO1_INCLUDED
+#define CRAPTO1_INCLUDED
+#include <stdint.h>
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct Crypto1State {uint32_t odd, even;};
+void crypto1_create(struct Crypto1State *s, uint64_t key);
+void crypto1_destroy(struct Crypto1State*);
+void crypto1_get_lfsr(struct Crypto1State*, uint64_t*);
+uint8_t crypto1_bit(struct Crypto1State*, uint8_t, int);
+uint8_t crypto1_byte(struct Crypto1State*, uint8_t, int);
+uint32_t crypto1_word(struct Crypto1State*, uint32_t, int);
+uint32_t prng_successor(uint32_t x, uint32_t n);
+
+struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in);
+struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3);
+uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd);
+struct Crypto1State*
+lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]);
+
+uint8_t lfsr_rollback_bit(struct Crypto1State* s, uint32_t in, int fb);
+uint8_t lfsr_rollback_byte(struct Crypto1State* s, uint32_t in, int fb);
+uint32_t lfsr_rollback_word(struct Crypto1State* s, uint32_t in, int fb);
+int nonce_distance(uint32_t from, uint32_t to);
+#define FOREACH_VALID_NONCE(N, FILTER, FSIZE)\
+ uint32_t __n = 0,__M = 0, N = 0;\
+ int __i;\
+ for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\
+ for(__i = FSIZE - 1; __i >= 0; __i--)\
+ if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\
+ break;\
+ else if(__i)\
+ __M = prng_successor(__M, (__i == 7) ? 48 : 8);\
+ else
+
+#define LF_POLY_ODD (0x29CE5C)
+#define LF_POLY_EVEN (0x870804)
+#define BIT(x, n) ((x) >> (n) & 1)
+#define BEBIT(x, n) BIT(x, (n) ^ 24)
+static inline int parity(uint32_t x)
+{
+#if !defined __i386__ || !defined __GNUC__
+ x ^= x >> 16;
+ x ^= x >> 8;
+ x ^= x >> 4;
+ return BIT(0x6996, x & 0xf);
+#else
+ asm( "movl %1, %%eax\n"
+ "mov %%ax, %%cx\n"
+ "shrl $0x10, %%eax\n"
+ "xor %%ax, %%cx\n"
+ "xor %%ch, %%cl\n"
+ "setpo %%al\n"
+ "movzx %%al, %0\n": "=r"(x) : "r"(x): "eax","ecx");
+ return x;
+#endif
+}
+static inline int filter(uint32_t const x)
+{
+ uint32_t f;
+
+ f = 0xf22c0 >> (x & 0xf) & 16;
+ f |= 0x6c9c0 >> (x >> 4 & 0xf) & 8;
+ f |= 0x3c8b0 >> (x >> 8 & 0xf) & 4;
+ f |= 0x1e458 >> (x >> 12 & 0xf) & 2;
+ f |= 0x0d938 >> (x >> 16 & 0xf) & 1;
+ return BIT(0xEC57E80A, f);
+}
+#ifdef __cplusplus
+}
+#endif
+#endif
--- /dev/null
+/* crypto1.c
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version 2
+ of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ MA 02110-1301, US
+
+ Copyright (C) 2008-2008 bla <blapost@gmail.com>
+*/
+#include "crapto1.h"
+#include <stdlib.h>
+
+#define SWAPENDIAN(x)\
+ (x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16)
+
+void crypto1_create(struct Crypto1State *s, uint64_t key)
+{
+// struct Crypto1State *s = malloc(sizeof(*s));
+ int i;
+
+ for(i = 47;s && i > 0; i -= 2) {
+ s->odd = s->odd << 1 | BIT(key, (i - 1) ^ 7);
+ s->even = s->even << 1 | BIT(key, i ^ 7);
+ }
+ return;
+}
+void crypto1_destroy(struct Crypto1State *state)
+{
+// free(state);
+ state->odd = 0;
+ state->even = 0;
+}
+void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr)
+{
+ int i;
+ for(*lfsr = 0, i = 23; i >= 0; --i) {
+ *lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3);
+ *lfsr = *lfsr << 1 | BIT(state->even, i ^ 3);
+ }
+}
+uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted)
+{
+ uint32_t feedin;
+ uint8_t ret = filter(s->odd);
+
+ feedin = ret & !!is_encrypted;
+ feedin ^= !!in;
+ feedin ^= LF_POLY_ODD & s->odd;
+ feedin ^= LF_POLY_EVEN & s->even;
+ s->even = s->even << 1 | parity(feedin);
+
+ s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
+
+ return ret;
+}
+uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted)
+{
+ uint8_t i, ret = 0;
+
+ for (i = 0; i < 8; ++i)
+ ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i;
+
+ return ret;
+}
+uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted)
+{
+ uint32_t i, ret = 0;
+
+ for (i = 0; i < 32; ++i)
+ ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24);
+
+ return ret;
+}
+
+/* prng_successor
+ * helper used to obscure the keystream during authentication
+ */
+uint32_t prng_successor(uint32_t x, uint32_t n)
+{
+ SWAPENDIAN(x);
+ while(n--)
+ x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;
+
+ return SWAPENDIAN(x);
+}
#include "iso14443crc.h"
#include "iso14443a.h"
+#include "crapto1.h"
+#include "mifareutil.h"
static uint8_t *trace = (uint8_t *) BigBuf;
static int traceLen = 0;
// Generate the parity value for a byte sequence
//
//-----------------------------------------------------------------------------
+byte_t oddparity (const byte_t bt)
+{
+ return OddByteParity[bt];
+}
+
uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
{
int i;
receivedCmd[0], receivedCmd[1], receivedCmd[2]);
} else {
// Never seen this command before
- Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
+ Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
+ len,
receivedCmd[0], receivedCmd[1], receivedCmd[2],
- receivedCmd[3], receivedCmd[3], receivedCmd[4],
- receivedCmd[5], receivedCmd[6], receivedCmd[7]);
+ receivedCmd[3], receivedCmd[4], receivedCmd[5],
+ receivedCmd[6], receivedCmd[7], receivedCmd[8]);
// Do not respond
resp = resp1; respLen = 0; order = 0;
}
int ReaderReceive(uint8_t* receivedAnswer)
{
int samples = 0;
- if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
+ if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
if(samples == 0) return FALSE;
return Demod.len;
/* performs iso14443a anticolision procedure
* fills the uid pointer unless NULL
* fills resp_data unless NULL */
-int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
- uint8_t wupa[] = { 0x52 };
+int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
+ uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
uint8_t sel_all[] = { 0x93,0x20 };
uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
- uint8_t* uid = resp + 7;
+ //uint8_t* uid = resp + 7;
uint8_t sak = 0x04; // cascade uid
int cascade_level = 0;
int len;
+
+ // clear uid
+ memset(uid_ptr, 0, 8);
// Broadcast for a card, WUPA (0x52) will force response from all cards in the field
ReaderTransmitShort(wupa);
if(resp_data)
memcpy(resp_data->atqa, resp, 2);
- ReaderTransmit(sel_all,sizeof(sel_all));
- if(!ReaderReceive(uid)) return 0;
+ //ReaderTransmit(sel_all,sizeof(sel_all)); --- avoid duplicate SELECT request
+ //if(!ReaderReceive(uid)) return 0;
// OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
// which case we need to make a cascade 2 request and select - this is a long UID
ReaderTransmit(sel_all,sizeof(sel_all));
if (!ReaderReceive(resp)) return 0;
if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
+
+ // calculate crypto UID
+ if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
// Construct SELECT UID command
memcpy(sel_uid+2,resp,5);
resp_data->sak = sak;
resp_data->ats_len = 0;
}
+ //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
+ if (uid_ptr[0] == 0x88) {
+ memcpy(uid_ptr, uid_ptr + 1, 7);
+ uid_ptr[7] = 0;
+ }
if( (sak & 0x20) == 0)
return 2; // non iso14443a compliant tag
// Request for answer to select
- AppendCrc14443a(rats, 2);
- ReaderTransmit(rats, sizeof(rats));
- if (!(len = ReaderReceive(resp))) return 0;
- if(resp_data) {
+ if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
+ AppendCrc14443a(rats, 2);
+ ReaderTransmit(rats, sizeof(rats));
+
+ if (!(len = ReaderReceive(resp))) return 0;
+
memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
resp_data->ats_len = len;
}
-
+
return 1;
}
if(param & ISO14A_CONNECT) {
iso14443a_setup();
- ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12));
+ ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
UsbSendPacket((void *)ack, sizeof(UsbCommand));
}
break;
}
- if(!iso14443a_select_card(NULL, NULL)) continue;
+ if(!iso14443a_select_card(NULL, NULL, NULL)) continue;
// Transmit MIFARE_CLASSIC_AUTH
ReaderTransmit(mf_auth,sizeof(mf_auth));
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
tracing = TRUE;
+
+ DbpString("COMMAND FINISHED");
+
+ Dbprintf("nt=%x", (int)nt[0]);
+}
+
+//-----------------------------------------------------------------------------
+// Select, Authenticaate, Read an MIFARE tag.
+// read block
+//-----------------------------------------------------------------------------
+void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+ // params
+ uint8_t blockNo = arg0;
+ uint8_t keyType = arg1;
+ uint64_t ui64Key = 0;
+ ui64Key = bytes_to_num(datain, 6);
+
+ // variables
+ byte_t isOK = 0;
+ byte_t dataoutbuf[16];
+ uint8_t uid[7];
+ uint32_t cuid;
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ // clear trace
+ traceLen = 0;
+// tracing = false;
+
+ iso14443a_setup();
+
+ LED_A_ON();
+ LED_B_OFF();
+ LED_C_OFF();
+
+ while (true) {
+ if(!iso14443a_select_card(uid, NULL, &cuid)) {
+ Dbprintf("Can't select card");
+ break;
+ };
+
+ if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+ Dbprintf("Auth error");
+ break;
+ };
+
+ if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
+ Dbprintf("Read block error");
+ break;
+ };
+
+ if(mifare_classic_halt(pcs, cuid)) {
+ Dbprintf("Halt error");
+ break;
+ };
+
+ isOK = 1;
+ break;
+ }
+
+ // ----------------------------- crypto1 destroy
+ crypto1_destroy(pcs);
+
+// DbpString("READ BLOCK FINISHED");
+
+ // add trace trailer
+ uid[0] = 0xff;
+ uid[1] = 0xff;
+ uid[2] = 0xff;
+ uid[3] = 0xff;
+ LogTrace(uid, 4, 0, 0, TRUE);
+
+ UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+ memcpy(ack.d.asBytes, dataoutbuf, 16);
+
+ LED_B_ON();
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+ LED_B_OFF();
+
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+// tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// Select, Authenticaate, Read an MIFARE tag.
+// read sector (data = 4 x 16 bytes = 64 bytes)
+//-----------------------------------------------------------------------------
+void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+ // params
+ uint8_t sectorNo = arg0;
+ uint8_t keyType = arg1;
+ uint64_t ui64Key = 0;
+ ui64Key = bytes_to_num(datain, 6);
+
+ // variables
+ byte_t isOK = 0;
+ byte_t dataoutbuf[16 * 4];
+ uint8_t uid[8];
+ uint32_t cuid;
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ // clear trace
+ traceLen = 0;
+// tracing = false;
+
+ iso14443a_setup();
+
+ LED_A_ON();
+ LED_B_OFF();
+ LED_C_OFF();
+
+ while (true) {
+ if(!iso14443a_select_card(uid, NULL, &cuid)) {
+ Dbprintf("Can't select card");
+ break;
+ };
+
+ if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, 0)) {
+ Dbprintf("Auth error");
+ break;
+ };
+
+ if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
+ Dbprintf("Read block 0 error");
+ break;
+ };
+ if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
+ Dbprintf("Read block 1 error");
+ break;
+ };
+ if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
+ Dbprintf("Read block 2 error");
+ break;
+ };
+ if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
+ Dbprintf("Read block 3 error");
+ break;
+ };
+
+ if(mifare_classic_halt(pcs, cuid)) {
+ Dbprintf("Halt error");
+ break;
+ };
+
+ isOK = 1;
+ break;
+ }
+
+ // ----------------------------- crypto1 destroy
+ crypto1_destroy(pcs);
+
+// DbpString("READ BLOCK FINISHED");
+
+ // add trace trailer
+ uid[0] = 0xff;
+ uid[1] = 0xff;
+ uid[2] = 0xff;
+ uid[3] = 0xff;
+ LogTrace(uid, 4, 0, 0, TRUE);
+
+ UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+ memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);
+
+ LED_B_ON();
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+
+ SpinDelay(100);
+
+ memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+ LED_B_OFF();
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+// tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// Select, Authenticaate, Read an MIFARE tag.
+// read block
+//-----------------------------------------------------------------------------
+void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+ // params
+ uint8_t blockNo = arg0;
+ uint8_t keyType = arg1;
+ uint64_t ui64Key = 0;
+ byte_t blockdata[16];
+
+ ui64Key = bytes_to_num(datain, 6);
+ memcpy(blockdata, datain + 10, 16);
+
+ // variables
+ byte_t isOK = 0;
+ uint8_t uid[8];
+ uint32_t cuid;
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ // clear trace
+ traceLen = 0;
+// tracing = false;
+
+ iso14443a_setup();
+
+ LED_A_ON();
+ LED_B_OFF();
+ LED_C_OFF();
+
+ while (true) {
+ if(!iso14443a_select_card(uid, NULL, &cuid)) {
+ Dbprintf("Can't select card");
+ break;
+ };
+
+ if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+ Dbprintf("Auth error");
+ break;
+ };
+
+ if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
+ Dbprintf("Write block error");
+ break;
+ };
+
+ if(mifare_classic_halt(pcs, cuid)) {
+ Dbprintf("Halt error");
+ break;
+ };
+
+ isOK = 1;
+ break;
+ }
+
+ // ----------------------------- crypto1 destroy
+ crypto1_destroy(pcs);
+
+// DbpString("WRITE BLOCK FINISHED");
+
+ // add trace trailer
+ uid[0] = 0xff;
+ uid[1] = 0xff;
+ uid[2] = 0xff;
+ uid[3] = 0xff;
+ LogTrace(uid, 4, 0, 0, TRUE);
+
+ UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+
+ LED_B_ON();
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+ LED_B_OFF();
+
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+// tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// MIFARE nested authentication.
+//
+//-----------------------------------------------------------------------------
+void MifareNested(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+ // params
+ uint8_t blockNo = arg0;
+ uint8_t keyType = arg1;
+ uint64_t ui64Key = 0;
+
+ ui64Key = bytes_to_num(datain, 6);
+
+ // variables
+ byte_t isOK = 0;
+ uint8_t uid[8];
+ uint32_t cuid;
+ uint8_t dataoutbuf[16];
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ // clear trace
+ traceLen = 0;
+// tracing = false;
+
+ iso14443a_setup();
+
+ LED_A_ON();
+ LED_B_OFF();
+ LED_C_OFF();
+
+ while (true) {
+ if(!iso14443a_select_card(uid, NULL, &cuid)) {
+ Dbprintf("Can't select card");
+ break;
+ };
+
+ if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+ Dbprintf("Auth error");
+ break;
+ };
+
+ // nested authenticate block = (blockNo + 1)
+ if(mifare_classic_auth(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, keyType, ui64Key, 1)) {
+ Dbprintf("Auth error");
+ break;
+ };
+
+ if(mifare_classic_readblock(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, dataoutbuf)) {
+ Dbprintf("Read block error");
+ break;
+ };
+
+ if(mifare_classic_halt(pcs, (uint32_t)bytes_to_num(uid, 4))) {
+ Dbprintf("Halt error");
+ break;
+ };
+
+ isOK = 1;
+ break;
+ }
+
+ // ----------------------------- crypto1 destroy
+ crypto1_destroy(pcs);
+
+ DbpString("NESTED FINISHED");
+
+ // add trace trailer
+ uid[0] = 0xff;
+ uid[1] = 0xff;
+ uid[2] = 0xff;
+ uid[3] = 0xff;
+ LogTrace(uid, 4, 0, 0, TRUE);
+
+ UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+ memcpy(ack.d.asBytes, dataoutbuf, 16);
+
+ LED_B_ON();
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+ LED_B_OFF();
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+// tracing = TRUE;
+
+}
+
+//-----------------------------------------------------------------------------
+// MIFARE 1K simulate.
+//
+//-----------------------------------------------------------------------------
+void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
}
#define __ISO14443A_H
#include "common.h"
+extern byte_t oddparity (const byte_t bt);
+extern uint32_t GetParity(const uint8_t * pbtCmd, int iLen);
extern void AppendCrc14443a(uint8_t* data, int len);
+
extern void ReaderTransmitShort(const uint8_t* bt);
extern void ReaderTransmit(uint8_t* frame, int len);
+extern void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par);
extern int ReaderReceive(uint8_t* receivedAnswer);
+
extern void iso14443a_setup();
-extern int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * card_info);
+extern int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr);
extern void iso14a_set_trigger(int enable);
#endif /* __ISO14443A_H */
--- /dev/null
+//-----------------------------------------------------------------------------\r
+// Merlok, May 2011\r
+// Many authors, that makes it possible\r
+//\r
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
+// at your option, any later version. See the LICENSE.txt file for the text of\r
+// the license.\r
+//-----------------------------------------------------------------------------\r
+// code for work with mifare cards.\r
+//-----------------------------------------------------------------------------\r
+\r
+#include "proxmark3.h"\r
+#include "apps.h"\r
+#include "util.h"\r
+#include "string.h"\r
+\r
+#include "iso14443crc.h"\r
+#include "iso14443a.h"\r
+#include "crapto1.h"\r
+#include "mifareutil.h"\r
+\r
+uint8_t* mifare_get_bigbufptr(void) {\r
+ return (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes\r
+}\r
+\r
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer)\r
+{\r
+ uint8_t dcmd[4], ecmd[4];\r
+ uint32_t pos, par, res;\r
+\r
+ dcmd[0] = cmd;\r
+ dcmd[1] = data;\r
+ AppendCrc14443a(dcmd, 2);\r
+ \r
+ memcpy(ecmd, dcmd, sizeof(dcmd));\r
+ \r
+ if (crypted) {\r
+ par = 0;\r
+ for (pos = 0; pos < 4; pos++)\r
+ {\r
+ ecmd[pos] = crypto1_byte(pcs, 0x00, 0) ^ dcmd[pos];\r
+ par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(dcmd[pos])) & 0x01) * 0x08 );\r
+ } \r
+\r
+ ReaderTransmitPar(ecmd, sizeof(ecmd), par);\r
+\r
+ } else {\r
+ ReaderTransmit(dcmd, sizeof(dcmd));\r
+ }\r
+\r
+ int len = ReaderReceive(answer);\r
+\r
+ if (crypted) {\r
+ if (len == 1) {\r
+ res = 0;\r
+ for (pos = 0; pos < 4; pos++)\r
+ res |= (crypto1_bit(pcs, 0, 0) ^ BIT(answer[0], pos)) << pos;\r
+ \r
+ answer[0] = res;\r
+ \r
+ } else {\r
+ for (pos = 0; pos < len; pos++)\r
+ {\r
+ answer[pos] = crypto1_byte(pcs, 0x00, 0) ^ answer[pos];\r
+ }\r
+ }\r
+ }\r
+ \r
+ return len;\r
+}\r
+\r
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested) \r
+{\r
+ // variables\r
+ int len; \r
+ uint32_t pos;\r
+ uint8_t tmp4[4];\r
+ byte_t par = 0;\r
+ byte_t ar[4];\r
+ uint32_t nt, ntpp; // Supplied tag nonce\r
+ \r
+ uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };\r
+ uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+\r
+ // Transmit MIFARE_CLASSIC_AUTH\r
+ len = mifare_sendcmd_short(pcs, isNested, 0x60 + (keyType & 0x01), blockNo, receivedAnswer);\r
+// Dbprintf("rand nonce len: %x", len); \r
+ if (len != 4) return 1;\r
+ \r
+ ar[0] = 0x55;\r
+ ar[1] = 0x41;\r
+ ar[2] = 0x49;\r
+ ar[3] = 0x92; \r
+ \r
+ // Save the tag nonce (nt)\r
+ nt = bytes_to_num(receivedAnswer, 4);\r
+ Dbprintf("uid: %x nt: %x", uid, nt); \r
+\r
+ // ----------------------------- crypto1 create\r
+ // Init cipher with key\r
+ crypto1_create(pcs, ui64Key);\r
+\r
+ // Load (plain) uid^nt into the cipher\r
+ crypto1_word(pcs, nt ^ uid, 0);\r
+\r
+ par = 0;\r
+ // Generate (encrypted) nr+parity by loading it into the cipher (Nr)\r
+ for (pos = 0; pos < 4; pos++)\r
+ {\r
+ mf_nr_ar[pos] = crypto1_byte(pcs, ar[pos], 0) ^ ar[pos];\r
+ par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(ar[pos])) & 0x01) * 0x80 );\r
+ } \r
+ \r
+ // Skip 32 bits in pseudo random generator\r
+ nt = prng_successor(nt,32);\r
+\r
+ // ar+parity\r
+ for (pos = 4; pos < 8; pos++)\r
+ {\r
+ nt = prng_successor(nt,8);\r
+ mf_nr_ar[pos] = crypto1_byte(pcs,0x00,0) ^ (nt & 0xff);\r
+ par = (par >> 1)| ( ((filter(pcs->odd) ^ oddparity(nt & 0xff)) & 0x01) * 0x80 );\r
+ } \r
+ \r
+ // Transmit reader nonce and reader answer\r
+ ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par);\r
+\r
+ // Receive 4 bit answer\r
+ len = ReaderReceive(receivedAnswer);\r
+ if (!len)\r
+ {\r
+ Dbprintf("Authentication failed. Card timeout.");\r
+ return 2;\r
+ }\r
+ \r
+ memcpy(tmp4, receivedAnswer, 4);\r
+ ntpp = prng_successor(nt, 32) ^ crypto1_word(pcs, 0,0);\r
+ \r
+ if (ntpp != bytes_to_num(tmp4, 4)) {\r
+ Dbprintf("Authentication failed. Error card response.");\r
+ return 3;\r
+ }\r
+\r
+ return 0;\r
+}\r
+\r
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) \r
+{\r
+ // variables\r
+ int len; \r
+ uint8_t bt[2];\r
+ \r
+ uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ \r
+ // command MIFARE_CLASSIC_READBLOCK\r
+ len = mifare_sendcmd_short(pcs, 1, 0x30, blockNo, receivedAnswer);\r
+ if (len == 1) {\r
+ Dbprintf("Cmd Error: %02x", receivedAnswer[0]); \r
+ return 1;\r
+ }\r
+ if (len != 18) {\r
+ Dbprintf("Cmd Error: card timeout. len: %x", len); \r
+ return 2;\r
+ }\r
+\r
+ memcpy(bt, receivedAnswer + 16, 2);\r
+ AppendCrc14443a(receivedAnswer, 16);\r
+ if (bt[0] != receivedAnswer[16] || bt[1] != receivedAnswer[17]) {\r
+ Dbprintf("Cmd CRC response error."); \r
+ return 3;\r
+ }\r
+ \r
+ memcpy(blockData, receivedAnswer, 16);\r
+ return 0;\r
+}\r
+\r
+int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) \r
+{\r
+ // variables\r
+ int len, i; \r
+ uint32_t pos;\r
+ uint32_t par = 0;\r
+ byte_t res;\r
+ \r
+ uint8_t d_block[18], d_block_enc[18];\r
+ uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ \r
+ // command MIFARE_CLASSIC_WRITEBLOCK\r
+ len = mifare_sendcmd_short(pcs, 1, 0xA0, blockNo, receivedAnswer);\r
+\r
+ if ((len != 1) || (receivedAnswer[0] != 0x0A)) { // 0x0a - ACK\r
+ Dbprintf("Cmd Error: %02x", receivedAnswer[0]); \r
+ return 1;\r
+ }\r
+ \r
+ memcpy(d_block, blockData, 16);\r
+ AppendCrc14443a(d_block, 16);\r
+ \r
+ // crypto\r
+ par = 0;\r
+ for (pos = 0; pos < 18; pos++)\r
+ {\r
+ d_block_enc[pos] = crypto1_byte(pcs, 0x00, 0) ^ d_block[pos];\r
+ par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(d_block[pos])) & 0x01) * 0x20000 );\r
+ } \r
+\r
+ ReaderTransmitPar(d_block_enc, sizeof(d_block_enc), par);\r
+\r
+ // Receive the response\r
+ len = ReaderReceive(receivedAnswer); \r
+\r
+ res = 0;\r
+ for (i = 0; i < 4; i++)\r
+ res |= (crypto1_bit(pcs, 0, 0) ^ BIT(receivedAnswer[0], i)) << i;\r
+\r
+ if ((len != 1) || (res != 0x0A)) {\r
+ Dbprintf("Cmd send data2 Error: %02x", res); \r
+ return 2;\r
+ }\r
+ \r
+ return 0;\r
+}\r
+\r
+int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid) \r
+{\r
+ // variables\r
+ int len; \r
+ \r
+ // Mifare HALT\r
+ uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+\r
+ len = mifare_sendcmd_short(pcs, 1, 0x50, 0x00, receivedAnswer);\r
+ if (len != 0) {\r
+ Dbprintf("halt error. response len: %x", len); \r
+ return 1;\r
+ }\r
+\r
+ return 0;\r
+}\r
--- /dev/null
+//-----------------------------------------------------------------------------\r
+// Merlok, May 2011\r
+// Many authors, that makes it possible\r
+//\r
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
+// at your option, any later version. See the LICENSE.txt file for the text of\r
+// the license.\r
+//-----------------------------------------------------------------------------\r
+// code for work with mifare cards.\r
+//-----------------------------------------------------------------------------\r
+\r
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, \\r
+ uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested);\r
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData); \r
+int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);\r
+int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid); \r
+\r
#include <stddef.h>
#include <stdint.h>
+#define BYTEx(x, n) (((x) >> (n * 8)) & 0xff )
+
#define LED_RED 1
#define LED_ORANGE 2
#define LED_GREEN 4
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include "util.h"
#include "iso14443crc.h"
#include "data.h"
#include "proxusb.h"
#include "cmdparser.h"
#include "cmdhf14a.h"
#include "common.h"
+#include "cmdmain.h"
static int CmdHelp(const char *Cmd);
return 0;
}
+int CmdHF14AMfWrBl(const char *Cmd)
+{
+ int i, temp;
+ uint8_t blockNo = 0;
+ uint8_t keyType = 0;
+ uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+ uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+
+ const char *cmdp = Cmd;
+ const char *cmdpe = Cmd;
+
+ if (strlen(Cmd)<3) {
+ PrintAndLog("Usage: hf 14 mfwrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
+ PrintAndLog(" sample: hf 14a mfwrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
+ return 0;
+ }
+ PrintAndLog("l: %s", Cmd);
+
+ // skip spaces
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+ blockNo = strtol(cmdp, NULL, 0) & 0xff;
+
+ // next value
+ while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+ if (*cmdp != 'A' && *cmdp != 'a') {
+ keyType = 1;
+ }
+
+ // next value
+ while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+ // next value here:cmdpe
+ cmdpe = cmdp;
+ while (*cmdpe!=' ' && *cmdpe!='\t') cmdpe++;
+ while (*cmdpe==' ' || *cmdpe=='\t') cmdpe++;
+
+ if ((int)cmdpe - (int)cmdp != 13) {
+ PrintAndLog("Length of key must be 12 hex symbols");
+ return 0;
+ }
+
+ for(i = 0; i < 6; i++) {
+ sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+ key[i] = temp & 0xff;
+ cmdp++;
+ cmdp++;
+ }
+
+ // next value
+ while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+ if (strlen(cmdp) != 32) {
+ PrintAndLog("Length of block data must be 32 hex symbols");
+ return 0;
+ }
+
+ for(i = 0; i < 16; i++) {
+ sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+ bldata[i] = temp & 0xff;
+ cmdp++;
+ cmdp++;
+ }
+ PrintAndLog(" block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));
+ PrintAndLog(" data: %s", sprint_hex(bldata, 16));
+
+ UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
+ memcpy(c.d.asBytes, key, 6);
+ memcpy(c.d.asBytes + 10, bldata, 16);
+ SendCommand(&c);
+ UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
+
+ if (resp != NULL) {
+ uint8_t isOK = resp->arg[0] & 0xff;
+
+ PrintAndLog("isOk:%02x", isOK);
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+
+ return 0;
+}
+
+int CmdHF14AMfRdBl(const char *Cmd)
+{
+ int i, temp;
+ uint8_t blockNo = 0;
+ uint8_t keyType = 0;
+ uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+
+ const char *cmdp = Cmd;
+
+
+ if (strlen(Cmd)<3) {
+ PrintAndLog("Usage: hf 14 mfrdbl <block number> <key A/B> <key (12 hex symbols)>");
+ PrintAndLog(" sample: hf 14a mfrdbl 0 A FFFFFFFFFFFF ");
+ return 0;
+ }
+
+ // skip spaces
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+ blockNo = strtol(cmdp, NULL, 0) & 0xff;
+
+ // next value
+ while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+ if (*cmdp != 'A' && *cmdp != 'a') {
+ keyType = 1;
+ }
+
+ // next value
+ while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+ if (strlen(cmdp) != 12) {
+ PrintAndLog("Length of key must be 12 hex symbols");
+ return 0;
+ }
+
+ for(i = 0; i < 6; i++) {
+ sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+ key[i] = temp & 0xff;
+ cmdp++;
+ cmdp++;
+ }
+ PrintAndLog(" block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
+
+ UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
+ memcpy(c.d.asBytes, key, 6);
+ SendCommand(&c);
+ UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
+
+ if (resp != NULL) {
+ uint8_t isOK = resp->arg[0] & 0xff;
+ uint8_t * data = resp->d.asBytes;
+
+ PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
+ } else {
+ PrintAndLog("Command execute timeout");
+ }
+
+ return 0;
+}
+
+int CmdHF14AMfRdSc(const char *Cmd)
+{
+ int i, temp;
+ uint8_t sectorNo = 0;
+ uint8_t keyType = 0;
+ uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+
+ const char *cmdp = Cmd;
+
+
+ if (strlen(Cmd)<3) {
+ PrintAndLog("Usage: hf 14 mfrdsc <sector number> <key A/B> <key (12 hex symbols)>");
+ PrintAndLog(" sample: hf 14a mfrdsc 0 A FFFFFFFFFFFF ");
+ return 0;
+ }
+
+ // skip spaces
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+ sectorNo = strtol(cmdp, NULL, 0) & 0xff;
+
+ // next value
+ while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+ if (*cmdp != 'A' && *cmdp != 'a') {
+ keyType = 1;
+ }
+
+ // next value
+ while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+ while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+ if (strlen(cmdp) != 12) {
+ PrintAndLog("Length of key must be 12 hex symbols");
+ return 0;
+ }
+
+ for(i = 0; i < 6; i++) {
+ sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+ key[i] = temp & 0xff;
+ cmdp++;
+ cmdp++;
+ }
+ PrintAndLog(" sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6));
+
+ UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};
+ memcpy(c.d.asBytes, key, 6);
+ SendCommand(&c);
+ UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
+ PrintAndLog(" ");
+
+ if (resp != NULL) {
+ uint8_t isOK = resp->arg[0] & 0xff;
+ uint8_t * data = resp->d.asBytes;
+
+ PrintAndLog("isOk:%02x", isOK);
+ for (i = 0; i < 2; i++) {
+ PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
+ }
+ } else {
+ PrintAndLog("Command1 execute timeout");
+ }
+
+ // response2
+ resp = WaitForResponseTimeout(CMD_ACK, 500);
+ PrintAndLog(" ");
+
+ if (resp != NULL) {
+ uint8_t * data = resp->d.asBytes;
+
+ for (i = 0; i < 2; i++) {
+ PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
+ }
+ } else {
+ PrintAndLog("Command2 execute timeout");
+ }
+
+ return 0;
+}
+
int CmdHF14AReader(const char *Cmd)
{
UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
{"help", CmdHelp, 1, "This help"},
{"list", CmdHF14AList, 0, "List ISO 14443a history"},
{"mifare", CmdHF14AMifare, 0, "Read out sector 0 parity error messages"},
+ {"mfrdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
+ {"mfrdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
+ {"mfwrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
{"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
{"sim", CmdHF14ASim, 0, "<UID> -- Fake ISO 14443a tag"},
{"snoop", CmdHF14ASnoop, 0, "Eavesdrop ISO 14443 Type A"},
-#include <stdio.h>
-#include <stdint.h>
+//-----------------------------------------------------------------------------
+// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// utilities
+//-----------------------------------------------------------------------------
+
+#include "util.h"
void print_hex(const uint8_t * data, const size_t len)
{
+//-----------------------------------------------------------------------------
+// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// utilities
+//-----------------------------------------------------------------------------
+
+#include <stdio.h>
+#include <stdint.h>
+
void print_hex(const uint8_t * data, const size_t len);
+char * sprint_hex(const uint8_t * data, const size_t len);
// uid[] the UID in transmission order
// return: ptr to string
char* Iso15693sprintUID(char *target,uint8_t *uid) {
- static char tempbuf[9]="";
+ static char tempbuf[2*8+1]="";
if (target==NULL) target=tempbuf;
sprintf(target,"%02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
uid[7],uid[6],uid[5],uid[4],uid[3],uid[2],uid[1],uid[0]);
#define CMD_DEVICE_INFO 0x0000
#define CMD_SETUP_WRITE 0x0001
#define CMD_FINISH_WRITE 0x0003
-#define CMD_HARDWARE_RESET 0x0004
+#define CMD_HARDWARE_RESET 0x0004
#define CMD_START_FLASH 0x0005
-#define CMD_NACK 0x00fe
-#define CMD_ACK 0x00ff
+#define CMD_NACK 0x00fe
+#define CMD_ACK 0x00ff
// For general mucking around
#define CMD_DEBUG_PRINT_STRING 0x0100
#define CMD_DEBUG_PRINT_INTEGERS 0x0101
-#define CMD_DEBUG_PRINT_BYTES 0x0102
-#define CMD_LCD_RESET 0x0103
-#define CMD_LCD 0x0104
-#define CMD_BUFF_CLEAR 0x0105
-#define CMD_READ_MEM 0x0106
-#define CMD_VERSION 0x0107
+#define CMD_DEBUG_PRINT_BYTES 0x0102
+#define CMD_LCD_RESET 0x0103
+#define CMD_LCD 0x0104
+#define CMD_BUFF_CLEAR 0x0105
+#define CMD_READ_MEM 0x0106
+#define CMD_VERSION 0x0107
// For low-frequency tags
-#define CMD_READ_TI_TYPE 0x0202
-#define CMD_WRITE_TI_TYPE 0x0203
+#define CMD_READ_TI_TYPE 0x0202
+#define CMD_WRITE_TI_TYPE 0x0203
#define CMD_DOWNLOADED_RAW_BITS_TI_TYPE 0x0204
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_125K 0x0205
#define CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K 0x0206
// For the 13.56 MHz tags
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 0x0300
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443 0x0301
-#define CMD_READ_SRI512_TAG 0x0303
-#define CMD_READ_SRIX4K_TAG 0x0304
-#define CMD_READER_ISO_15693 0x0310
-#define CMD_SIMTAG_ISO_15693 0x0311
+#define CMD_READ_SRI512_TAG 0x0303
+#define CMD_READ_SRIX4K_TAG 0x0304
+#define CMD_READER_ISO_15693 0x0310
+#define CMD_SIMTAG_ISO_15693 0x0311
#define CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693 0x0312
-#define CMD_ISO_15693_COMMAND 0x0313
-#define CMD_ISO_15693_COMMAND_DONE 0x0314
-#define CMD_ISO_15693_FIND_AFI 0x0315
-#define CMD_ISO_15693_DEBUG 0x0316
+#define CMD_ISO_15693_COMMAND 0x0313
+#define CMD_ISO_15693_COMMAND_DONE 0x0314
+#define CMD_ISO_15693_FIND_AFI 0x0315
+#define CMD_ISO_15693_DEBUG 0x0316
#define CMD_SIMULATE_TAG_HF_LISTEN 0x0380
#define CMD_SIMULATE_TAG_ISO_14443 0x0381
-#define CMD_SNOOP_ISO_14443 0x0382
-#define CMD_SNOOP_ISO_14443a 0x0383
+#define CMD_SNOOP_ISO_14443 0x0382
+#define CMD_SNOOP_ISO_14443a 0x0383
#define CMD_SIMULATE_TAG_ISO_14443a 0x0384
-#define CMD_READER_ISO_14443a 0x0385
-#define CMD_SIMULATE_MIFARE_CARD 0x0386
-#define CMD_SIMULATE_TAG_LEGIC_RF 0x0387
-#define CMD_READER_LEGIC_RF 0x0388
-#define CMD_WRITER_LEGIC_RF 0x0399
-#define CMD_READER_MIFARE 0x0389
-#define CMD_SNOOP_ICLASS 0x0392
+#define CMD_READER_ISO_14443a 0x0385
+#define CMD_SIMULATE_MIFARE_CARD 0x0386
+#define CMD_SIMULATE_TAG_LEGIC_RF 0x0387
+#define CMD_READER_LEGIC_RF 0x0388
+#define CMD_WRITER_LEGIC_RF 0x0399
+#define CMD_READER_MIFARE 0x0389
+#define CMD_MIFARE_NESTED 0x0390
+#define CMD_MIFARE_READBL 0x0391
+#define CMD_MIFARE_READSC 0x0393
+#define CMD_MIFARE_WRITEBL 0x0394
+#define CMD_SNOOP_ICLASS 0x0392
// For measurements of the antenna tuning
-#define CMD_MEASURE_ANTENNA_TUNING 0x0400
+#define CMD_MEASURE_ANTENNA_TUNING 0x0400
#define CMD_MEASURE_ANTENNA_TUNING_HF 0x0401
-#define CMD_MEASURED_ANTENNA_TUNING 0x0410
-#define CMD_LISTEN_READER_FIELD 0x0420
+#define CMD_MEASURED_ANTENNA_TUNING 0x0410
+#define CMD_LISTEN_READER_FIELD 0x0420
// For direct FPGA control
-#define CMD_FPGA_MAJOR_MODE_OFF 0x0500
+#define CMD_FPGA_MAJOR_MODE_OFF 0x0500
-#define CMD_UNKNOWN 0xFFFF
+#define CMD_UNKNOWN 0xFFFF
// CMD_DEVICE_INFO response packet has flags in arg[0], flag definitions:
/* Whether a bootloader that understands the common_area is present */