// is the order in which they go out on the wire.
//=============================================================================
-uint8_t ToSend[512];
+#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
+uint8_t ToSend[TOSEND_BUFFER_SIZE];
int ToSendMax;
static int ToSendBit;
struct common_area common_area __attribute__((section(".commonarea")));
ToSendBit++;
- if(ToSendBit >= sizeof(ToSend)) {
+ if(ToSendMax >= sizeof(ToSend)) {
ToSendBit = 0;
DbpString("ToSendStuffBit overflowed!");
}
void MeasureAntennaTuning(void)
{
- uint8_t *dest = (uint8_t *)BigBuf+FREE_BUFFER_OFFSET;
+ uint8_t LF_Results[256];
int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
LED_B_ON();
- DbpString("Measuring antenna characteristics, please wait...");
- memset(dest,0,sizeof(FREE_BUFFER_SIZE));
/*
* Sweeps the useful LF range of the proxmark from
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
- for (i=255; i>19; i--) {
+ for (i=255; i>=19; i--) {
WDT_HIT();
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
SpinDelay(20);
if (i==95) vLf125 = adcval; // voltage at 125Khz
if (i==89) vLf134 = adcval; // voltage at 134Khz
- dest[i] = adcval>>8; // scale int to fit in byte for graphing purposes
- if(dest[i] > peak) {
+ LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
+ if(LF_Results[i] > peak) {
peakv = adcval;
- peak = dest[i];
+ peak = LF_Results[i];
peakf = i;
//ptr = i;
}
}
+ for (i=18; i >= 0; i--) LF_Results[i] = 0;
+
LED_A_ON();
// Let the FPGA drive the high-frequency antenna around 13.56 MHz.
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
// can measure voltages up to 33000 mV
vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
-// c.cmd = CMD_MEASURED_ANTENNA_TUNING;
-// c.arg[0] = (vLf125 << 0) | (vLf134 << 16);
-// c.arg[1] = vHf;
-// c.arg[2] = peakf | (peakv << 16);
-
- DbpString("Measuring complete, sending report back to host");
- cmd_send(CMD_MEASURED_ANTENNA_TUNING,vLf125|(vLf134<<16),vHf,peakf|(peakv<<16),0,0);
-// UsbSendPacket((uint8_t *)&c, sizeof(c));
+ cmd_send(CMD_MEASURED_ANTENNA_TUNING,vLf125|(vLf134<<16),vHf,peakf|(peakv<<16),LF_Results,256);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LED_A_OFF();
LED_B_OFF();
extern char *_bootphase1_version_pointer, _flash_start, _flash_end;
void SendVersion(void)
{
- char temp[256]; /* Limited data payload in USB packets */
+ char temp[512]; /* Limited data payload in USB packets */
DbpString("Prox/RFID mark3 RFID instrument");
/* Try to find the bootrom version information. Expect to find a pointer at
for (;;)
{
-// UsbPoll(FALSE);
usb_poll();
- WDT_HIT();
+ WDT_HIT();
// Was our button held down or pressed?
int button_pressed = BUTTON_HELD(1000);
cmd_send(CMD_ACK,0,0,0,0,0);
break;
case CMD_HID_DEMOD_FSK:
- CmdHIDdemodFSK(0, 0, 0, 1); // Demodulate HID tag
+ CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
break;
case CMD_HID_SIM_TAG:
- CmdHIDsimTAG(c->arg[0], c->arg[1], 1); // Simulate HID tag by ID
+ CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
break;
- case CMD_HID_CLONE_TAG: // Clone HID tag by ID to T55x7
+ case CMD_HID_CLONE_TAG:
CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
break;
case CMD_IO_DEMOD_FSK:
- CmdIOdemodFSK(1, 0, 0, 1); // Demodulate IO tag
+ CmdIOdemodFSK(c->arg[0], 0, 0, 1);
break;
- case CMD_IO_CLONE_TAG: // Clone IO tag by ID to T55x7
+ case CMD_IO_CLONE_TAG:
CopyIOtoT55x7(c->arg[0], c->arg[1], c->d.asBytes[0]);
break;
case CMD_EM410X_WRITE_TAG:
WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
break;
case CMD_SIMULATE_TAG_125K:
- LED_A_ON();
SimulateTagLowFrequency(c->arg[0], c->arg[1], 0);
- LED_A_OFF();
+ //SimulateTagLowFrequencyA(c->arg[0], c->arg[1]);
break;
case CMD_LF_SIMULATE_BIDIR:
SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
break;
- case CMD_INDALA_CLONE_TAG: // Clone Indala 64-bit tag by UID to T55x7
+ case CMD_INDALA_CLONE_TAG:
CopyIndala64toT55x7(c->arg[0], c->arg[1]);
break;
- case CMD_INDALA_CLONE_TAG_L: // Clone Indala 224-bit tag by UID to T55x7
+ case CMD_INDALA_CLONE_TAG_L:
CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
break;
case CMD_T55XX_READ_BLOCK:
case CMD_T55XX_WRITE_BLOCK:
T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
break;
- case CMD_T55XX_READ_TRACE: // Clone HID tag by ID to T55x7
+ case CMD_T55XX_READ_TRACE:
T55xxReadTrace();
break;
- case CMD_PCF7931_READ: // Read PCF7931 tag
+ case CMD_PCF7931_READ:
ReadPCF7931();
cmd_send(CMD_ACK,0,0,0,0,0);
break;
case CMD_SIMULATE_TAG_ISO_14443a:
SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
break;
+
case CMD_EPA_PACE_COLLECT_NONCE:
EPA_PACE_Collect_Nonce(c);
break;
+ // case CMD_EPA_:
+ // EpaFoo(c);
+ // break;
+
case CMD_READER_MIFARE:
ReaderMifare(c->arg[0]);
break;
// The large multi-purpose buffer, typically used to hold A/D samples,
// maybe processed in some way.
-uint32_t BigBuf[10000];
-// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
-#define TRACE_OFFSET 0
-#define TRACE_SIZE 3000
-#define RECV_CMD_OFFSET 3032
-#define RECV_CMD_SIZE 64
-#define RECV_RES_OFFSET 3096
-#define RECV_RES_SIZE 64
-#define DMA_BUFFER_OFFSET 3160
-#define DMA_BUFFER_SIZE 4096
-#define FREE_BUFFER_OFFSET 7256
-#define FREE_BUFFER_SIZE 2744
+#define BIGBUF_SIZE 40000
+uint32_t BigBuf[BIGBUF_SIZE / sizeof(uint32_t)];
+#define TRACE_OFFSET 0
+#define TRACE_SIZE 3000
+#define RECV_CMD_OFFSET (TRACE_OFFSET + TRACE_SIZE)
+#define MAX_FRAME_SIZE 256
+#define MAX_PARITY_SIZE ((MAX_FRAME_SIZE + 1)/ 8)
+#define RECV_CMD_PAR_OFFSET (RECV_CMD_OFFSET + MAX_FRAME_SIZE)
+#define RECV_RESP_OFFSET (RECV_CMD_PAR_OFFSET + MAX_PARITY_SIZE)
+#define RECV_RESP_PAR_OFFSET (RECV_RESP_OFFSET + MAX_FRAME_SIZE)
+#define CARD_MEMORY_OFFSET (RECV_RESP_PAR_OFFSET + MAX_PARITY_SIZE)
+#define CARD_MEMORY_SIZE 4096
+#define DMA_BUFFER_OFFSET CARD_MEMORY_OFFSET
+#define DMA_BUFFER_SIZE CARD_MEMORY_SIZE
+#define FREE_BUFFER_OFFSET (CARD_MEMORY_OFFSET + CARD_MEMORY_SIZE)
+#define FREE_BUFFER_SIZE (BIGBUF_SIZE - FREE_BUFFER_OFFSET - 1)
extern const uint8_t OddByteParity[256];
extern uint8_t *trace; // = (uint8_t *) BigBuf;
void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc);
void AcquireTiType(void);
void AcquireRawBitsTI(void);
-void SimulateTagLowFrequency(int period, int gap, int ledcontrol);
-void CmdHIDsimTAG(int hi, int lo, int ledcontrol);
+void SimulateTagLowFrequency( uint16_t period, uint32_t gap, uint8_t ledcontrol);
+void SimulateTagLowFrequencyA(int period, int gap);
+
+void CmdHIDsimTAG(int hi, int lo, uint8_t ledcontrol);
void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol);
void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an ioProx card to T5557/T5567
void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data);
void ReaderIso14443a(UsbCommand * c);
// Also used in iclass.c
-bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t iSamples, uint32_t dwParity, bool readerToTag);
-uint32_t GetParity(const uint8_t * pbtCmd, int iLen);
+bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t len, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag);
+void GetParity(const uint8_t * pbtCmd, uint16_t len, uint8_t *parity);
void iso14a_set_trigger(bool enable);
void iso14a_clear_trace();
void iso14a_set_tracing(bool enable);
void MifareUReadBlock(uint8_t arg0,uint8_t *datain);
void MifareUC_Auth1(uint8_t arg0, uint8_t *datain);
void MifareUC_Auth2(uint32_t arg0, uint8_t *datain);
-void MifareUReadCard(uint8_t arg0,int Pages,uint8_t *datain);
+void MifareUReadCard(uint8_t arg0, int Pages, uint8_t *datain);
void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
void MifareUWriteBlock(uint8_t arg0,uint8_t *datain);
if (data[index] == 0x31 || data[index] == 0x30) {
// enter the set (skip tag + length)
index += 2;
- // extended length
+ // check for extended length
if ((data[index - 1] & 0x80) != 0) {
- index += (data[index] & 0x7F);
+ index += (data[index-1] & 0x7F);
}
}
// OID
|| response_apdu[rapdu_length - 4] != 0x90
|| response_apdu[rapdu_length - 3] != 0x00)
{
+ Dbprintf("epa - no select cardaccess");
return -1;
}
|| response_apdu[rapdu_length - 4] != 0x90
|| response_apdu[rapdu_length - 3] != 0x00)
{
+ Dbprintf("epa - no read cardaccess");
return -1;
}
EPA_Finish();
// send the USB packet
- cmd_send(CMD_ACK,step,func_return,0,0,0);
-//UsbSendPacket((void *)ack, sizeof(UsbCommand));
+ cmd_send(CMD_ACK,step,func_return,0,0,0);
}
//-----------------------------------------------------------------------------
*/
// return value of a function
- int func_return;
+ int func_return = 0;
// // initialize ack with 0s
// memset(ack->arg, 0, 12);
// set up communication
func_return = EPA_Setup();
- if (func_return != 0) {
+ if (func_return != 0) {
EPA_PACE_Collect_Nonce_Abort(1, func_return);
+ Dbprintf("epa: setup fucked up! %d", func_return);
return;
}
// increase the timeout (at least some cards really do need this!)
iso14a_set_timeout(0x0002FFFF);
+ Dbprintf("epa: Epic!");
// read the CardAccess file
// this array will hold the CardAccess file
int card_access_length = EPA_Read_CardAccess(card_access, 256);
// the response has to be at least this big to hold the OID
if (card_access_length < 18) {
+ Dbprintf("epa: Too small!");
EPA_PACE_Collect_Nonce_Abort(2, card_access_length);
return;
}
+ Dbprintf("epa: foo!");
+
// this will hold the PACE info of the card
pace_version_info_t pace_version_info;
// search for the PACE OID
return;
}
+ Dbprintf("epa: bar!");
+
// initiate the PACE protocol
// use the CAN for the password since that doesn't change
func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2);
// save received information
// ack->arg[1] = func_return;
// memcpy(ack->d.asBytes, nonce, func_return);
-// UsbSendPacket((void *)ack, sizeof(UsbCommand));
- cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
+ cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
}
//-----------------------------------------------------------------------------
//-----------------------------------------------------------------------------
int EPA_Setup()
{
- // return code
+
int return_code = 0;
- // card UID
uint8_t uid[10];
- // card select information
+ uint8_t pps_response[3];
+ uint8_t pps_response_par[1];
iso14a_card_select_t card_select_info;
+
// power up the field
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-
+
+ iso14a_set_timeout(10500);
+
// select the card
return_code = iso14443a_select_card(uid, &card_select_info, NULL);
if (return_code != 1) {
+ Dbprintf("Epa: Can't select card");
return 1;
}
// send the PPS request
ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
- uint8_t pps_response[3];
- return_code = ReaderReceive(pps_response);
+ return_code = ReaderReceive(pps_response, pps_response_par);
if (return_code != 3 || pps_response[0] != 0xD0) {
return return_code == 0 ? 2 : return_code;
}
// Set up eavesdropping mode, frequency divisor which will drive the FPGA
// and analog mux selection.
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
- FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
RELAY_OFF();
// Set up simulator mode, frequency divisor which will drive the FPGA
// and analog mux selection.
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
- FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
RELAY_OFF();
AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
- // Disable timer during configuration
+ // Disable timer during configuration
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
- // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
+ // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
// external trigger rising edge, load RA on rising edge of TIOA.
AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
- // Enable and reset counter
- AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
-
// Reset the received frame, frame count and timing info
memset(rx,0x00,sizeof(rx));
frame_count = 0;
response = 0;
overflow = 0;
+
+ // Enable and reset counter
+ AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
while(!BUTTON_PRESS()) {
// Watchdog hit
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-// Dbprintf("frame received: %d",frame_count);
-// Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
-// DbpString("All done");
+
+ DbpString("Sim Stopped");
+
}
void ReaderHitag(hitag_function htf, hitag_data* htd) {
case RHT2F_CRYPTO: {
DbpString("Authenticating using key:");
- memcpy(key,htd->crypto.key,6);
+ memcpy(key,htd->crypto.key,6); // 4 or 6 ??
Dbhexdump(6,key,false);
blocknr = 0;
bQuiet = false;
int nOutOfCnt;
int OutOfCnt;
int syncBit;
- int parityBits;
int samples;
int highCnt;
int swapper;
int counter;
int bitBuffer;
int dropPosition;
- uint8_t *output;
+ uint8_t *output;
} Uart;
static RAMFUNC int OutOfNDecoding(int bit)
if(Uart.byteCnt == 0) {
// Its not straightforward to show single EOFs
// So just leave it and do not return TRUE
- Uart.output[Uart.byteCnt] = 0xf0;
+ Uart.output[0] = 0xf0;
Uart.byteCnt++;
-
- // Calculate the parity bit for the client...
- Uart.parityBits = 1;
}
else {
return TRUE;
if(Uart.bitCnt == 8) {
Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
Uart.byteCnt++;
-
- // Calculate the parity bit for the client...
- Uart.parityBits <<= 1;
- Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
-
Uart.bitCnt = 0;
Uart.shiftReg = 0;
}
Uart.dropPosition--;
Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
Uart.byteCnt++;
-
- // Calculate the parity bit for the client...
- Uart.parityBits <<= 1;
- Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
-
Uart.bitCnt = 0;
Uart.shiftReg = 0;
Uart.nOutOfCnt = 0;
Uart.state = STATE_START_OF_COMMUNICATION;
Uart.bitCnt = 0;
Uart.byteCnt = 0;
- Uart.parityBits = 0;
Uart.nOutOfCnt = 0;
Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
Uart.dropPosition = 0;
int bitCount;
int posCount;
int syncBit;
- int parityBits;
uint16_t shiftReg;
int buffer;
int buffer2;
Demod.sub = SUB_FIRST_HALF;
Demod.bitCount = 0;
Demod.shiftReg = 0;
- Demod.parityBits = 0;
Demod.samples = 0;
if(Demod.posCount) {
//if(trigger) LED_A_OFF(); // Not useful in this case...
else {
modulation = bit & Demod.syncBit;
modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
- //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
-
+
Demod.samples += 4;
if(Demod.posCount==0) {
if(Demod.state == DEMOD_SOF_COMPLETE) {
Demod.output[Demod.len] = 0x0f;
Demod.len++;
- Demod.parityBits <<= 1;
- Demod.parityBits ^= OddByteParity[0x0f];
Demod.state = DEMOD_UNSYNCD;
// error = 0x0f;
return TRUE;
// Tag response does not need to be a complete byte!
if(Demod.len > 0 || Demod.bitCount > 0) {
if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
- Demod.shiftReg >>= (9 - Demod.bitCount);
+ Demod.shiftReg >>= (9 - Demod.bitCount); // right align data
Demod.output[Demod.len] = Demod.shiftReg & 0xff;
Demod.len++;
- // No parity bit, so just shift a 0
- Demod.parityBits <<= 1;
}
Demod.state = DEMOD_UNSYNCD;
Demod.shiftReg >>= 1;
Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
Demod.len++;
-
- // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
- Demod.parityBits <<= 1;
- Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
-
Demod.bitCount = 0;
Demod.shiftReg = 0;
}
// So 32 should be enough!
uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
// The response (tag -> reader) that we're receiving.
- uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
+ uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
//if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
//if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
- if(tracing)
- {
- LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE);
- LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE);
+ if(tracing) {
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(Uart.output, Uart.byteCnt, parity);
+ LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, TRUE);
}
rsamples = samples - Demod.samples;
LED_B_ON();
- if(tracing)
- {
- LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE);
- LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE);
+ if(tracing) {
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(Demod.output, Demod.len, parity);
+ LogTrace(Demod.output, Demod.len, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, FALSE);
}
}
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
- /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
- *len = Uart.byteCnt;
- return TRUE;
- }*/
+
if(OutOfNDecoding(b & 0x0f)) {
*len = Uart.byteCnt;
return TRUE;
{
uint8_t mac_responses[64] = { 0 };
- Dbprintf("Going into attack mode");
+ Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
// In this mode, a number of csns are within datain. We'll simulate each one, one at a time
// in order to collect MAC's from the reader. This can later be used in an offlne-attack
// in order to obtain the keys, as in the "dismantling iclass"-paper.
// The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
memcpy(csn_crc, datain+(i*8), 8);
- if(doIClassSimulation(csn_crc,1,mac_responses))
+ if(doIClassSimulation(csn_crc,1,mac_responses+i*8))
{
return; // Button pressed
}
*/
int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
{
-
-
// CSN followed by two CRC bytes
uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
// + 1720..
uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
- memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+ memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
int len;
// Prepare card messages
respsize = 0;
if (breakAfterMacReceived){
// dbprintf:ing ...
- Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
+ Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
+ ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
- receivedCmd[0], receivedCmd[1], receivedCmd[2],
+ receivedCmd[0], receivedCmd[1], receivedCmd[2],
receivedCmd[3], receivedCmd[4], receivedCmd[5],
receivedCmd[6], receivedCmd[7], receivedCmd[8]);
if (reader_mac_buf != NULL)
}
if (tracing) {
- LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
- LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(receivedCmd, len, parity);
+ LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE);
if (respdata != NULL) {
- LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
- LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
-
-
+ GetParity(respdata, respsize, parity);
+ LogTrace(respdata, respsize, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
}
if(!tracing) {
DbpString("Trace full");
}
}
- memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+ memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
}
//Dbprintf("%x", cmdsRecvd);
FpgaSetupSsc();
if (wait)
- if(*wait < 10)
- *wait = 10;
+ {
+ if(*wait < 10) *wait = 10;
for(c = 0; c < *wait;) {
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
WDT_HIT();
}
+ }
+
+
uint8_t sendbyte;
bool firstpart = TRUE;
c = 0;
{
int wait = 0;
int samples = 0;
- int par = 0;
// This is tied to other size changes
- // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
CodeIClassCommand(frame,len);
// Select the card
LED_A_ON();
// Store reader command in buffer
- if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
+ if (tracing) {
+ uint8_t par[MAX_PARITY_SIZE];
+ GetParity(frame, len, par);
+ LogTrace(frame, len, rsamples, rsamples, par, TRUE);
+ }
}
//-----------------------------------------------------------------------------
for(;;) {
WDT_HIT();
- if(BUTTON_PRESS()) return FALSE;
+ if(BUTTON_PRESS()) return FALSE;
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
skip = !skip;
if(skip) continue;
- /*if(ManchesterDecoding((b>>4) & 0xf)) {
- *samples = ((c - 1) << 3) + 4;
- return TRUE;
- }*/
+
if(ManchesterDecoding(b & 0x0f)) {
*samples = c << 3;
return TRUE;
int samples = 0;
if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
rsamples += samples;
- if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
+ if (tracing){
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(receivedAnswer, Demod.len, parity);
+ LogTrace(receivedAnswer,Demod.len,rsamples,rsamples,parity,FALSE);
+ }
if(samples == 0) return FALSE;
return Demod.len;
}
uint8_t card_data[24]={0};
uint8_t last_csn[8]={0};
- uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
+ uint8_t *resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
int read_status= 0;
bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
int keyaccess;
} memory;
- uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
+ uint8_t* resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
setupIclassReader();
uint16_t crc = 0;
- uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
+ uint8_t* resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
// Reset trace buffer
memset(trace, 0x44, RECV_CMD_OFFSET);
// only, since we are receiving, not transmitting).
// Signal field is off with the appropriate LED
LED_D_OFF();
- FpgaWriteConfWord(
- FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
// Now run a `software UART' on the stream of incoming samples.
// Modulate BPSK
// Signal field is off with the appropriate LED
LED_D_OFF();
- FpgaWriteConfWord(
- FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
AT91C_BASE_SSC->SSC_THR = 0xff;
FpgaSetupSsc();
//variables used for timing purposes:
//these are in ssp_clk cycles:
-uint32_t NextTransferTime;
-uint32_t LastTimeProxToAirStart;
-uint32_t LastProxToAirDuration;
+static uint32_t NextTransferTime;
+static uint32_t LastTimeProxToAirStart;
+static uint32_t LastProxToAirDuration;
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
};
-
void iso14a_set_trigger(bool enable) {
trigger = enable;
}
return OddByteParity[bt];
}
-uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
+void GetParity(const uint8_t * pbtCmd, uint16_t iLen, uint8_t *par)
{
- int i;
- uint32_t dwPar = 0;
-
- // Generate the parity bits
- for (i = 0; i < iLen; i++) {
- // and save them to a 32Bit word
- dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
+ uint16_t paritybit_cnt = 0;
+ uint16_t paritybyte_cnt = 0;
+ uint8_t parityBits = 0;
+
+ for (uint16_t i = 0; i < iLen; i++) {
+ // Generate the parity bits
+ parityBits |= ((OddByteParity[pbtCmd[i]]) << (7-paritybit_cnt));
+ if (paritybit_cnt == 7) {
+ par[paritybyte_cnt] = parityBits; // save 8 Bits parity
+ parityBits = 0; // and advance to next Parity Byte
+ paritybyte_cnt++;
+ paritybit_cnt = 0;
+ } else {
+ paritybit_cnt++;
+ }
}
- return dwPar;
+
+ // save remaining parity bits
+ par[paritybyte_cnt] = parityBits;
+
}
void AppendCrc14443a(uint8_t* data, int len)
}
// The function LogTrace() is also used by the iClass implementation in iClass.c
-bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t timestamp, uint32_t dwParity, bool readerToTag)
+bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag)
{
if (!tracing) return FALSE;
+
+ uint16_t num_paritybytes = (iLen-1)/8 + 1; // number of valid paritybytes in *parity
+ uint16_t duration = timestamp_end - timestamp_start;
+
// Return when trace is full
- if (traceLen + sizeof(timestamp) + sizeof(dwParity) + iLen >= TRACE_SIZE) {
+ if (traceLen + sizeof(iLen) + sizeof(timestamp_start) + sizeof(duration) + num_paritybytes + iLen >= TRACE_SIZE) {
tracing = FALSE; // don't trace any more
return FALSE;
}
- // Trace the random, i'm curious
- trace[traceLen++] = ((timestamp >> 0) & 0xff);
- trace[traceLen++] = ((timestamp >> 8) & 0xff);
- trace[traceLen++] = ((timestamp >> 16) & 0xff);
- trace[traceLen++] = ((timestamp >> 24) & 0xff);
-
+ // Traceformat:
+ // 32 bits timestamp (little endian)
+ // 16 bits duration (little endian)
+ // 16 bits data length (little endian, Highest Bit used as readerToTag flag)
+ // y Bytes data
+ // x Bytes parity (one byte per 8 bytes data)
+
+ // timestamp (start)
+ trace[traceLen++] = ((timestamp_start >> 0) & 0xff);
+ trace[traceLen++] = ((timestamp_start >> 8) & 0xff);
+ trace[traceLen++] = ((timestamp_start >> 16) & 0xff);
+ trace[traceLen++] = ((timestamp_start >> 24) & 0xff);
+
+ // duration
+ trace[traceLen++] = ((duration >> 0) & 0xff);
+ trace[traceLen++] = ((duration >> 8) & 0xff);
+
+ // data length
+ trace[traceLen++] = ((iLen >> 0) & 0xff);
+ trace[traceLen++] = ((iLen >> 8) & 0xff);
+
+ // readerToTag flag
if (!readerToTag) {
trace[traceLen - 1] |= 0x80;
- }
- trace[traceLen++] = ((dwParity >> 0) & 0xff);
- trace[traceLen++] = ((dwParity >> 8) & 0xff);
- trace[traceLen++] = ((dwParity >> 16) & 0xff);
- trace[traceLen++] = ((dwParity >> 24) & 0xff);
- trace[traceLen++] = iLen;
+ }
+
+ // data bytes
if (btBytes != NULL && iLen != 0) {
memcpy(trace + traceLen, btBytes, iLen);
}
- traceLen += iLen;
+ traceLen += iLen;
+
+ // parity bytes
+ if (parity != NULL && iLen != 0) {
+ memcpy(trace + traceLen, parity, num_paritybytes);
+ }
+ traceLen += num_paritybytes;
+
return TRUE;
}
Uart.state = STATE_UNSYNCD;
Uart.bitCount = 0;
Uart.len = 0; // number of decoded data bytes
+ Uart.parityLen = 0; // number of decoded parity bytes
Uart.shiftReg = 0; // shiftreg to hold decoded data bits
- Uart.parityBits = 0; //
+ Uart.parityBits = 0; // holds 8 parity bits
Uart.twoBits = 0x0000; // buffer for 2 Bits
Uart.highCnt = 0;
Uart.startTime = 0;
Uart.endTime = 0;
}
+void UartInit(uint8_t *data, uint8_t *parity)
+{
+ Uart.output = data;
+ Uart.parity = parity;
+ UartReset();
+}
// use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
Uart.twoBits = (Uart.twoBits << 8) | bit;
- if (Uart.state == STATE_UNSYNCD) { // not yet synced
+ if (Uart.state == STATE_UNSYNCD) { // not yet synced
+
if (Uart.highCnt < 7) { // wait for a stable unmodulated signal
if (Uart.twoBits == 0xffff) {
Uart.highCnt++;
} else {
Uart.highCnt = 0;
}
- } else {
+ } else {
Uart.syncBit = 0xFFFF; // not set
// look for 00xx1111 (the start bit)
if ((Uart.twoBits & 0x6780) == 0x0780) Uart.syncBit = 7;
Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
Uart.bitCount = 0;
Uart.shiftReg = 0;
+ if((Uart.len & 0x0007) == 0) { // every 8 data bytes
+ Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
+ Uart.parityBits = 0;
+ }
}
}
}
Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
Uart.bitCount = 0;
Uart.shiftReg = 0;
+ if ((Uart.len & 0x0007) == 0) { // every 8 data bytes
+ Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
+ Uart.parityBits = 0;
+ }
}
} else { // no modulation in both halves - Sequence Y
if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) { // Y after logic "0" - End of Communication
Uart.state = STATE_UNSYNCD;
- if(Uart.len == 0 && Uart.bitCount > 0) { // if we decoded some bits
- Uart.shiftReg >>= (9 - Uart.bitCount); // add them to the output
- Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
- Uart.parityBits <<= 1; // no parity bit - add "0"
- Uart.bitCount--; // last "0" was part of the EOC sequence
- }
+ Uart.bitCount--; // last "0" was part of EOC sequence
+ Uart.shiftReg <<= 1; // drop it
+ if(Uart.bitCount > 0) { // if we decoded some bits
+ Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
+ Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
+ Uart.parityBits <<= 1; // add a (void) parity bit
+ Uart.parityBits <<= (8 - (Uart.len & 0x0007)); // left align parity bits
+ Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
return TRUE;
+ } else if (Uart.len & 0x0007) { // there are some parity bits to store
+ Uart.parityBits <<= (8 - (Uart.len & 0x0007)); // left align remaining parity bits
+ Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
+ return TRUE; // we are finished with decoding the raw data sequence
+ }
}
if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
UartReset();
Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
Uart.bitCount = 0;
Uart.shiftReg = 0;
+ if ((Uart.len & 0x0007) == 0) { // every 8 data bytes
+ Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
+ Uart.parityBits = 0;
+ }
}
}
}
}
- }
+ }
return FALSE; // not finished yet, need more data
}
{
Demod.state = DEMOD_UNSYNCD;
Demod.len = 0; // number of decoded data bytes
+ Demod.parityLen = 0;
Demod.shiftReg = 0; // shiftreg to hold decoded data bits
Demod.parityBits = 0; //
Demod.collisionPos = 0; // Position of collision bit
Demod.endTime = 0;
}
+void DemodInit(uint8_t *data, uint8_t *parity)
+{
+ Demod.output = data;
+ Demod.parity = parity;
+ DemodReset();
+}
+
// use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
{
Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
Demod.bitCount = 0;
Demod.shiftReg = 0;
+ if((Demod.len & 0x0007) == 0) { // every 8 data bytes
+ Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits
+ Demod.parityBits = 0;
+ }
}
Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
} else { // no modulation in first half
Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
Demod.bitCount = 0;
Demod.shiftReg = 0;
+ if ((Demod.len & 0x0007) == 0) { // every 8 data bytes
+ Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits1
+ Demod.parityBits = 0;
+ }
}
Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
} else { // no modulation in both halves - End of communication
- if (Demod.len > 0 || Demod.bitCount > 0) { // received something
- if(Demod.bitCount > 0) { // if we decoded bits
- Demod.shiftReg >>= (9 - Demod.bitCount); // add the remaining decoded bits to the output
- Demod.output[Demod.len++] = Demod.shiftReg & 0xff;
- // No parity bit, so just shift a 0
- Demod.parityBits <<= 1;
- }
- return TRUE; // we are finished with decoding the raw data sequence
+ if(Demod.bitCount > 0) { // there are some remaining data bits
+ Demod.shiftReg >>= (9 - Demod.bitCount); // right align the decoded bits
+ Demod.output[Demod.len++] = Demod.shiftReg & 0xff; // and add them to the output
+ Demod.parityBits <<= 1; // add a (void) parity bit
+ Demod.parityBits <<= (8 - (Demod.len & 0x0007)); // left align remaining parity bits
+ Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
+ return TRUE;
+ } else if (Demod.len & 0x0007) { // there are some parity bits to store
+ Demod.parityBits <<= (8 - (Demod.len & 0x0007)); // left align remaining parity bits
+ Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
+ return TRUE; // we are finished with decoding the raw data sequence
} else { // nothing received. Start over
DemodReset();
}
// The command (reader -> tag) that we're receiving.
// The length of a received command will in most cases be no more than 18 bytes.
// So 32 should be enough!
- uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
+ uint8_t *receivedCmd = ((uint8_t *)BigBuf) + RECV_CMD_OFFSET;
+ uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
+
// The response (tag -> reader) that we're receiving.
- uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
-
+ uint8_t *receivedResponse = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
+ uint8_t *receivedResponsePar = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
+
// As we receive stuff, we copy it from receivedCmd or receivedResponse
// into trace, along with its length and other annotations.
//uint8_t *trace = (uint8_t *)BigBuf;
iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
// Set up the demodulator for tag -> reader responses.
- Demod.output = receivedResponse;
+ DemodInit(receivedResponse, receivedResponsePar);
// Set up the demodulator for the reader -> tag commands
- Uart.output = receivedCmd;
+ UartInit(receivedCmd, receivedCmdPar);
// Setup and start DMA.
FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = TRUE;
if(triggered) {
- if (!LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, Uart.parityBits, TRUE)) break;
- if (!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
+ if (!LogTrace(receivedCmd,
+ Uart.len,
+ Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
+ Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
+ Uart.parity,
+ TRUE)) break;
}
/* And ready to receive another command. */
UartReset();
if(ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
LED_B_ON();
- if (!LogTrace(receivedResponse, Demod.len, Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, Demod.parityBits, FALSE)) break;
- if (!LogTrace(NULL, 0, Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, 0, FALSE)) break;
+ if (!LogTrace(receivedResponse,
+ Demod.len,
+ Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
+ Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
+ Demod.parity,
+ FALSE)) break;
if ((!triggered) && (param & 0x01)) triggered = TRUE;
//-----------------------------------------------------------------------------
// Prepare tag messages
//-----------------------------------------------------------------------------
-static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
+static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
{
- int i;
-
ToSendReset();
// Correction bit, might be removed when not needed
ToSend[++ToSendMax] = SEC_D;
LastProxToAirDuration = 8 * ToSendMax - 4;
- for(i = 0; i < len; i++) {
- int j;
+ for( uint16_t i = 0; i < len; i++) {
uint8_t b = cmd[i];
// Data bits
- for(j = 0; j < 8; j++) {
+ for(uint16_t j = 0; j < 8; j++) {
if(b & 1) {
ToSend[++ToSendMax] = SEC_D;
} else {
}
// Get the parity bit
- if ((dwParity >> i) & 0x01) {
+ if (parity[i>>3] & (0x80>>(i&0x0007))) {
ToSend[++ToSendMax] = SEC_D;
LastProxToAirDuration = 8 * ToSendMax - 4;
} else {
ToSendMax++;
}
-static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
- CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
+static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len)
+{
+ uint8_t par[MAX_PARITY_SIZE];
+
+ GetParity(cmd, len, par);
+ CodeIso14443aAsTagPar(cmd, len, par);
}
// Stop when button is pressed
// Or return TRUE when command is captured
//-----------------------------------------------------------------------------
-static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
+static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
{
// Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
// only, since we are receiving, not transmitting).
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
// Now run a `software UART' on the stream of incoming samples.
- UartReset();
- Uart.output = received;
+ UartInit(received, parity);
// clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
}
}
-static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, bool correctionNeeded);
+static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
int EmSend4bitEx(uint8_t resp, bool correctionNeeded);
int EmSend4bit(uint8_t resp);
-int EmSendCmdExPar(uint8_t *resp, int respLen, bool correctionNeeded, uint32_t par);
-int EmSendCmdExPar(uint8_t *resp, int respLen, bool correctionNeeded, uint32_t par);
-int EmSendCmdEx(uint8_t *resp, int respLen, bool correctionNeeded);
-int EmSendCmd(uint8_t *resp, int respLen);
-int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par);
-bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint32_t reader_Parity,
- uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint32_t tag_Parity);
+int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par);
+int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
+int EmSendCmd(uint8_t *resp, uint16_t respLen);
+int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
+bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
+ uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
static uint8_t* free_buffer_pointer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
response_info->modulation = free_buffer_pointer;
// Determine the maximum size we can use from our buffer
- size_t max_buffer_size = (((uint8_t *)BigBuf)+FREE_BUFFER_OFFSET+FREE_BUFFER_SIZE)-free_buffer_pointer;
+ size_t max_buffer_size = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + FREE_BUFFER_SIZE) - free_buffer_pointer;
// Forward the prepare tag modulation function to the inner function
if (prepare_tag_modulation(response_info,max_buffer_size)) {
response1[1] = 0x00;
sak = 0x28;
} break;
+ case 5: { // MIFARE TNP3XXX
+ // Says: I am a toy
+ response1[0] = 0x01;
+ response1[1] = 0x0f;
+ sak = 0x01;
+ } break;
default: {
Dbprintf("Error: unkown tagtype (%d)",tagType);
return;
ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
- uint8_t response6[] = { 0x04, 0x58, 0x00, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS
+ uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
+ // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
+ // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
+ // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
+ // TC(1) = 0x02: CID supported, NAD not supported
ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
#define TAG_RESPONSE_COUNT 7
prepare_allocated_tag_modulation(&responses[i]);
}
- uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
int len = 0;
// To control where we are in the protocol
// We need to listen to the high-frequency, peak-detected path.
iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+ // buffers used on software Uart:
+ uint8_t *receivedCmd = ((uint8_t *)BigBuf) + RECV_CMD_OFFSET;
+ uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
+
cmdsRecvd = 0;
tag_response_info_t* p_response;
for(;;) {
// Clean receive command buffer
- if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
+ if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
DbpString("Button press");
- break;
+ break;
}
p_response = NULL;
- // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
// Okay, look at the command now.
lastorder = order;
if(receivedCmd[0] == 0x26) { // Received a REQUEST
p_response = &responses[0]; order = 6;
} else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
p_response = &responses[1]; order = 2;
- } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
+ } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
p_response = &responses[2]; order = 20;
} else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
p_response = &responses[3]; order = 3;
} else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
p_response = &responses[4]; order = 30;
} else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
- EmSendCmdEx(data+(4*receivedCmd[0]),16,false);
+ EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
// Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
p_response = NULL;
} else if(receivedCmd[0] == 0x50) { // Received a HALT
-// DbpString("Reader requested we HALT!:");
+
if (tracing) {
- LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
}
p_response = NULL;
} else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
} else {
p_response = &responses[6]; order = 70;
}
- } else if (order == 7 && len == 8) { // Received authentication request
+ } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
if (tracing) {
- LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
}
uint32_t nr = bytes_to_num(receivedCmd,4);
uint32_t ar = bytes_to_num(receivedCmd+4,4);
default: {
// Never seen this command before
if (tracing) {
- LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
}
Dbprintf("Received unknown command (len=%d):",len);
Dbhexdump(len,receivedCmd,false);
if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
Dbprintf("Error preparing tag response");
if (tracing) {
- LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
}
break;
}
if (p_response != NULL) {
EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52);
// do the tracing for the previous reader request and this tag answer:
+ uint8_t par[MAX_PARITY_SIZE];
+ GetParity(p_response->response, p_response->response_n, par);
+
EmLogTrace(Uart.output,
Uart.len,
Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
- Uart.parityBits,
+ Uart.parity,
p_response->response,
p_response->response_n,
LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
(LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
- SwapBits(GetParity(p_response->response, p_response->response_n), p_response->response_n));
+ par);
}
if (!tracing) {
// if == 0: transfer immediately and return time of transfer
// if != 0: delay transfer until time specified
//-------------------------------------------------------------------------------------
-static void TransmitFor14443a(const uint8_t *cmd, int len, uint32_t *timing)
+static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
{
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
//-----------------------------------------------------------------------------
// Prepare reader command (in bits, support short frames) to send to FPGA
//-----------------------------------------------------------------------------
-void CodeIso14443aBitsAsReaderPar(const uint8_t * cmd, int bits, uint32_t dwParity)
+void CodeIso14443aBitsAsReaderPar(const uint8_t * cmd, uint16_t bits, const uint8_t *parity)
{
int i, j;
int last;
b >>= 1;
}
- // Only transmit (last) parity bit if we transmitted a complete byte
+ // Only transmit parity bit if we transmitted a complete byte
if (j == 8) {
// Get the parity bit
- if ((dwParity >> i) & 0x01) {
+ if (parity[i>>3] & (0x80 >> (i&0x0007))) {
// Sequence X
ToSend[++ToSendMax] = SEC_X;
LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
//-----------------------------------------------------------------------------
// Prepare reader command to send to FPGA
//-----------------------------------------------------------------------------
-void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
+void CodeIso14443aAsReaderPar(const uint8_t * cmd, uint16_t len, const uint8_t *parity)
{
- CodeIso14443aBitsAsReaderPar(cmd,len*8,dwParity);
+ CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
}
//-----------------------------------------------------------------------------
// Stop when button is pressed (return 1) or field was gone (return 2)
// Or return 0 when command is captured
//-----------------------------------------------------------------------------
-static int EmGetCmd(uint8_t *received, int *len)
+static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
{
*len = 0;
AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
// Now run a 'software UART' on the stream of incoming samples.
- UartReset();
- Uart.output = received;
+ UartInit(received, parity);
// Clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
}
-static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, bool correctionNeeded)
+static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded)
{
uint8_t b;
uint16_t i = 0;
Code4bitAnswerAsTag(resp);
int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
// do the tracing for the previous reader request and this tag answer:
+ uint8_t par[1];
+ GetParity(&resp, 1, par);
EmLogTrace(Uart.output,
Uart.len,
Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
- Uart.parityBits,
+ Uart.parity,
&resp,
1,
LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
(LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
- SwapBits(GetParity(&resp, 1), 1));
+ par);
return res;
}
return EmSend4bitEx(resp, false);
}
-int EmSendCmdExPar(uint8_t *resp, int respLen, bool correctionNeeded, uint32_t par){
+int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par){
CodeIso14443aAsTagPar(resp, respLen, par);
int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
// do the tracing for the previous reader request and this tag answer:
Uart.len,
Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
- Uart.parityBits,
+ Uart.parity,
resp,
respLen,
LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
(LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
- SwapBits(GetParity(resp, respLen), respLen));
+ par);
return res;
}
-int EmSendCmdEx(uint8_t *resp, int respLen, bool correctionNeeded){
- return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
+int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){
+ uint8_t par[MAX_PARITY_SIZE];
+ GetParity(resp, respLen, par);
+ return EmSendCmdExPar(resp, respLen, correctionNeeded, par);
}
-
-int EmSendCmd(uint8_t *resp, int respLen){
- return EmSendCmdExPar(resp, respLen, false, GetParity(resp, respLen));
+
+int EmSendCmd(uint8_t *resp, uint16_t respLen){
+ uint8_t par[MAX_PARITY_SIZE];
+ GetParity(resp, respLen, par);
+ return EmSendCmdExPar(resp, respLen, false, par);
}
-int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
+int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
return EmSendCmdExPar(resp, respLen, false, par);
}
-bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint32_t reader_Parity,
- uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint32_t tag_Parity)
+bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
+ uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity)
{
if (tracing) {
- // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
- // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
- // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
- uint16_t reader_modlen = reader_EndTime - reader_StartTime;
- uint16_t approx_fdt = tag_StartTime - reader_EndTime;
- uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
- reader_EndTime = tag_StartTime - exact_fdt;
- reader_StartTime = reader_EndTime - reader_modlen;
- if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_Parity, TRUE)) {
- return FALSE;
- } else if (!LogTrace(NULL, 0, reader_EndTime, 0, TRUE)) {
- return FALSE;
- } else if (!LogTrace(tag_data, tag_len, tag_StartTime, tag_Parity, FALSE)) {
- return FALSE;
- } else {
- return (!LogTrace(NULL, 0, tag_EndTime, 0, FALSE));
- }
+ // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
+ // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
+ // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
+ uint16_t reader_modlen = reader_EndTime - reader_StartTime;
+ uint16_t approx_fdt = tag_StartTime - reader_EndTime;
+ uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
+ reader_EndTime = tag_StartTime - exact_fdt;
+ reader_StartTime = reader_EndTime - reader_modlen;
+ if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE)) {
+ return FALSE;
+ } else return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE));
} else {
return TRUE;
}
// If a response is captured return TRUE
// If it takes too long return FALSE
//-----------------------------------------------------------------------------
-static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint16_t offset, int maxLen)
+static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
{
uint16_t c;
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
// Now get the answer from the card
- DemodReset();
- Demod.output = receivedResponse;
-
+ DemodInit(receivedResponse, receivedResponsePar);
+
// clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
if(ManchesterDecoding(b, offset, 0)) {
NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
return TRUE;
- } else if(c++ > iso14a_timeout) {
+ } else if (c++ > iso14a_timeout) {
return FALSE;
}
}
}
}
-void ReaderTransmitBitsPar(uint8_t* frame, int bits, uint32_t par, uint32_t *timing)
+void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
{
-
- CodeIso14443aBitsAsReaderPar(frame,bits,par);
+ CodeIso14443aBitsAsReaderPar(frame, bits, par);
// Send command to tag
TransmitFor14443a(ToSend, ToSendMax, timing);
// Log reader command in trace buffer
if (tracing) {
- LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
- LogTrace(NULL, 0, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, 0, TRUE);
+ LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
}
}
-void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par, uint32_t *timing)
+void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
{
- ReaderTransmitBitsPar(frame,len*8,par, timing);
+ ReaderTransmitBitsPar(frame, len*8, par, timing);
}
-void ReaderTransmitBits(uint8_t* frame, int len, uint32_t *timing)
+void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
{
- // Generate parity and redirect
- ReaderTransmitBitsPar(frame,len,GetParity(frame,len/8), timing);
+ // Generate parity and redirect
+ uint8_t par[MAX_PARITY_SIZE];
+ GetParity(frame, len/8, par);
+ ReaderTransmitBitsPar(frame, len, par, timing);
}
-void ReaderTransmit(uint8_t* frame, int len, uint32_t *timing)
+void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
{
- // Generate parity and redirect
- ReaderTransmitBitsPar(frame,len*8,GetParity(frame,len), timing);
+ // Generate parity and redirect
+ uint8_t par[MAX_PARITY_SIZE];
+ GetParity(frame, len, par);
+ ReaderTransmitBitsPar(frame, len*8, par, timing);
}
-int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset)
+int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
{
- if (!GetIso14443aAnswerFromTag(receivedAnswer,offset,160)) return FALSE;
+ if (!GetIso14443aAnswerFromTag(receivedAnswer,parity,offset)) return FALSE;
if (tracing) {
- LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.parityBits, FALSE);
- LogTrace(NULL, 0, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, 0, FALSE);
+ LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
}
return Demod.len;
}
-int ReaderReceive(uint8_t* receivedAnswer)
+int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
{
- return ReaderReceiveOffset(receivedAnswer, 0);
-}
-
-int ReaderReceivePar(uint8_t *receivedAnswer, uint32_t *parptr)
-{
- if (!GetIso14443aAnswerFromTag(receivedAnswer,0,160)) return FALSE;
+ if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return FALSE;
if (tracing) {
- LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.parityBits, FALSE);
- LogTrace(NULL, 0, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, 0, FALSE);
+ LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
}
- *parptr = Demod.parityBits;
return Demod.len;
}
* fills the uid pointer unless NULL
* fills resp_data unless NULL */
int iso14443a_select_card(byte_t* uid_ptr, iso14a_card_select_t* p_hi14a_card, uint32_t* cuid_ptr) {
- uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
- uint8_t sel_all[] = { 0x93,0x20 };
- uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
- uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
- uint8_t* resp = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); // was 3560 - tied to other size changes
- byte_t uid_resp[4];
- size_t uid_resp_len;
-
- uint8_t sak = 0x04; // cascade uid
- int cascade_level = 0;
- int len;
-
- // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
- ReaderTransmitBitsPar(wupa,7,0, NULL);
+ //uint8_t halt[] = { 0x50, 0x00, 0x57, 0xCD }; // HALT
+ uint8_t wupa[] = { 0x52 }; // WAKE-UP
+ //uint8_t reqa[] = { 0x26 }; // REQUEST A
+ uint8_t sel_all[] = { 0x93,0x20 };
+ uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
+ uint8_t *resp = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
+ uint8_t *resp_par = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
+
+ byte_t uid_resp[4];
+ size_t uid_resp_len;
+ uint8_t sak = 0x04; // cascade uid
+ int cascade_level = 0;
+ int len;
- // Receive the ATQA
- if(!ReaderReceive(resp)) return 0;
- // Dbprintf("atqa: %02x %02x",resp[0],resp[1]);
-
- if(p_hi14a_card) {
- memcpy(p_hi14a_card->atqa, resp, 2);
- p_hi14a_card->uidlen = 0;
- memset(p_hi14a_card->uid,0,10);
- }
+ // test for the SKYLANDERS TOY.
+ //ReaderTransmit(halt,sizeof(halt), NULL);
+ //len = ReaderReceive(resp, resp_par);
+
+ // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
+ ReaderTransmitBitsPar(wupa,7,0, NULL);
+
+ // Receive the ATQA
+ if(!ReaderReceive(resp, resp_par)) return 0;
+
+ if(p_hi14a_card) {
+ memcpy(p_hi14a_card->atqa, resp, 2);
+ p_hi14a_card->uidlen = 0;
+ memset(p_hi14a_card->uid,0,10);
+ }
- // clear uid
- if (uid_ptr) {
- memset(uid_ptr,0,10);
- }
+ // clear uid
+ if (uid_ptr) {
+ memset(uid_ptr,0,10);
+ }
// OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
// which case we need to make a cascade 2 request and select - this is a long UID
// SELECT_ALL
ReaderTransmit(sel_all,sizeof(sel_all), NULL);
- if (!ReaderReceive(resp)) return 0;
+ if (!ReaderReceive(resp, resp_par)) return 0;
if (Demod.collisionPos) { // we had a collision and need to construct the UID bit by bit
memset(uid_resp, 0, 4);
}
collision_answer_offset = uid_resp_bits%8;
ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
- if (!ReaderReceiveOffset(resp, collision_answer_offset)) return 0;
+ if (!ReaderReceiveOffset(resp, collision_answer_offset,resp_par)) return 0;
}
// finally, add the last bits and BCC of the UID
for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
memcpy(uid_resp,resp,4);
}
uid_resp_len = 4;
- // Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]);
// calculate crypto UID. Always use last 4 Bytes.
if(cuid_ptr) {
ReaderTransmit(sel_uid,sizeof(sel_uid), NULL);
// Receive the SAK
- if (!ReaderReceive(resp)) return 0;
+ if (!ReaderReceive(resp, resp_par)) return 0;
sak = resp[0];
-
- // Test if more parts of the uid are comming
+
+ // Test if more parts of the uid are coming
if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
- // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
- // http://www.nxp.com/documents/application_note/AN10927.pdf
- // This was earlier:
- //memcpy(uid_resp, uid_resp + 1, 3);
- // But memcpy should not be used for overlapping arrays,
- // and memmove appears to not be available in the arm build.
- // So this has been replaced with a for-loop:
- for(int xx = 0; xx < 3; xx++)
- uid_resp[xx] = uid_resp[xx+1];
- uid_resp_len = 3;
+ // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
+ // http://www.nxp.com/documents/application_note/AN10927.pdf
+ uid_resp[0] = uid_resp[1];
+ uid_resp[1] = uid_resp[2];
+ uid_resp[2] = uid_resp[3];
+
+ uid_resp_len = 3;
}
if(uid_ptr) {
p_hi14a_card->ats_len = 0;
}
- if( (sak & 0x20) == 0) {
- return 2; // non iso14443a compliant tag
- }
+ if( (sak & 0x20) == 0) {
+ return 2; // non iso14443a compliant tag
+ }
- // Request for answer to select
- AppendCrc14443a(rats, 2);
- ReaderTransmit(rats, sizeof(rats), NULL);
+ // Request for answer to select
+ AppendCrc14443a(rats, 2);
+ ReaderTransmit(rats, sizeof(rats), NULL);
- if (!(len = ReaderReceive(resp))) return 0;
+ len = ReaderReceive(resp, resp_par);
+ if(!len) return 0;
- if(p_hi14a_card) {
- memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
- p_hi14a_card->ats_len = len;
- }
+ if(p_hi14a_card) {
+ memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
+ p_hi14a_card->ats_len = len;
+ }
- // reset the PCB block number
- iso14_pcb_blocknum = 0;
- return 1;
+ // reset the PCB block number
+ iso14_pcb_blocknum = 0;
+ return 1;
}
void iso14443a_setup(uint8_t fpga_minor_mode) {
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
// Signal field is on with the appropriate LED
- if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
- || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
+ if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
LED_D_ON();
} else {
LED_D_OFF();
iso14a_set_timeout(1050); // 10ms default 10*105 =
}
-int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
+int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
+ uint8_t parity[MAX_PARITY_SIZE];
uint8_t real_cmd[cmd_len+4];
real_cmd[0] = 0x0a; //I-Block
// put block number into the PCB
AppendCrc14443a(real_cmd,cmd_len+2);
ReaderTransmit(real_cmd, cmd_len+4, NULL);
- size_t len = ReaderReceive(data);
+ size_t len = ReaderReceive(data, parity);
uint8_t * data_bytes = (uint8_t *) data;
if (!len)
return 0; //DATA LINK ERROR
{
iso14a_command_t param = c->arg[0];
uint8_t *cmd = c->d.asBytes;
- size_t len = c->arg[1] & 0xFFFF;
- size_t lenbits = c->arg[1] >> 16;
+ size_t len = c->arg[1];
+ size_t lenbits = c->arg[2];
uint32_t arg0 = 0;
byte_t buf[USB_CMD_DATA_SIZE];
+ uint8_t par[MAX_PARITY_SIZE];
if(param & ISO14A_CONNECT) {
iso14a_clear_trace();
if(param & ISO14A_APPEND_CRC) {
AppendCrc14443a(cmd,len);
len += 2;
- lenbits += 16;
+ if (lenbits) lenbits += 16;
}
- if(lenbits>0) {
-
- ReaderTransmitBitsPar(cmd,lenbits,GetParity(cmd,lenbits/8), NULL);
+ if(lenbits>0) {
+ GetParity(cmd, lenbits/8, par);
+ ReaderTransmitBitsPar(cmd, lenbits, par, NULL);
} else {
ReaderTransmit(cmd,len, NULL);
}
- arg0 = ReaderReceive(buf);
+ arg0 = ReaderReceive(buf, par);
cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
}
uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
static uint8_t mf_nr_ar3;
- uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
+ uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
+ uint8_t* receivedAnswerPar = (((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET);
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
byte_t nt_diff = 0;
- byte_t par = 0;
- //byte_t par_mask = 0xff;
+ uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
static byte_t par_low = 0;
bool led_on = TRUE;
- uint8_t uid[10];
+ uint8_t uid[10] ={0};
uint32_t cuid;
uint32_t nt = 0;
uint32_t previous_nt = 0;
static uint32_t nt_attacked = 0;
- byte_t par_list[8] = {0,0,0,0,0,0,0,0};
- byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
+ byte_t par_list[8] = {0x00};
+ byte_t ks_list[8] = {0x00};
static uint32_t sync_time;
static uint32_t sync_cycles;
uint16_t consecutive_resyncs = 0;
int isOK = 0;
-
-
if (first_try) {
mf_nr_ar3 = 0;
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
sync_cycles = 65536; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
nt_attacked = 0;
nt = 0;
- par = 0;
+ par[0] = 0;
}
else {
// we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
- // nt_attacked = prng_successor(nt_attacked, 1);
mf_nr_ar3++;
mf_nr_ar[3] = mf_nr_ar3;
- par = par_low;
+ par[0] = par_low;
}
LED_A_ON();
ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
// Receive the (4 Byte) "random" nonce
- if (!ReaderReceive(receivedAnswer)) {
+ if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
continue;
}
consecutive_resyncs = 0;
// Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
- if (ReaderReceive(receivedAnswer))
+ if (ReaderReceive(receivedAnswer, receivedAnswerPar))
{
catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
if (nt_diff == 0)
{
- par_low = par & 0x07; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
+ par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
}
led_on = !led_on;
if(led_on) LED_B_ON(); else LED_B_OFF();
- par_list[nt_diff] = par;
+ par_list[nt_diff] = SwapBits(par[0], 8);
ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
// Test if the information is complete
nt_diff = (nt_diff + 1) & 0x07;
mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
- par = par_low;
+ par[0] = par_low;
} else {
if (nt_diff == 0 && first_try)
{
- par++;
+ par[0]++;
} else {
- par = (((par >> 3) + 1) << 3) | par_low;
+ par[0] = ((par[0] & 0x1F) + 1) | par_low;
}
}
}
int res;
uint32_t selTimer = 0;
uint32_t authTimer = 0;
- uint32_t par = 0;
- int len = 0;
+ uint16_t len = 0;
uint8_t cardWRBL = 0;
uint8_t cardAUTHSC = 0;
uint8_t cardAUTHKEY = 0xff; // no authentication
struct Crypto1State *pcs;
pcs = &mpcs;
uint32_t numReads = 0;//Counts numer of times reader read a block
- uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
- uint8_t *response = eml_get_bigbufptr_sendbuf();
+ uint8_t* receivedCmd = get_bigbufptr_recvcmdbuf();
+ uint8_t* receivedCmd_par = receivedCmd + MAX_FRAME_SIZE;
+ uint8_t* response = get_bigbufptr_recvrespbuf();
+ uint8_t* response_par = response + MAX_FRAME_SIZE;
uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
if (MF_DBGLEVEL >= 1) {
if (!_7BUID) {
- Dbprintf("4B UID: %02x%02x%02x%02x",rUIDBCC1[0] , rUIDBCC1[1] , rUIDBCC1[2] , rUIDBCC1[3]);
+ Dbprintf("4B UID: %02x%02x%02x%02x",
+ rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
} else {
- Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",rUIDBCC1[0] , rUIDBCC1[1] , rUIDBCC1[2] , rUIDBCC1[3],rUIDBCC2[0],rUIDBCC2[1] ,rUIDBCC2[2] , rUIDBCC2[3]);
+ Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
+ rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
+ rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
}
}
//Now, get data
- res = EmGetCmd(receivedCmd, &len);
+ res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
if (res == 2) { //Field is off!
cardSTATE = MFEMUL_NOFIELD;
LEDsoff();
case MFEMUL_NOFIELD:
case MFEMUL_HALTED:
case MFEMUL_IDLE:{
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
case MFEMUL_SELECT1:{
if( len != 8)
{
cardSTATE_TO_IDLE();
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
uint32_t ar = bytes_to_num(receivedCmd, 4);
- uint32_t nr= bytes_to_num(&receivedCmd[4], 4);
+ uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
//Collect AR/NR
if(ar_nr_collected < 2){
// test if auth OK
if (cardRr != prng_successor(nonce, 64)){
- if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x",cardRr, prng_successor(nonce, 64));
+ if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
+ cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
+ cardRr, prng_successor(nonce, 64));
// Shouldn't we respond anything here?
// Right now, we don't nack or anything, which causes the
// reader to do a WUPA after a while. /Martin
// -- which is the correct response. /piwi
cardSTATE_TO_IDLE();
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
}
case MFEMUL_SELECT2:{
if (!len) {
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
// i guess there is a command). go into the work state.
if (len != 4) {
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
cardSTATE = MFEMUL_WORK;
case MFEMUL_WORK:{
if (len == 0) {
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
}
if(len != 4) {
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
}
emlGetMem(response, receivedCmd[1], 1);
AppendCrc14443a(response, 16);
- mf_crypto1_encrypt(pcs, response, 18, &par);
- EmSendCmdPar(response, 18, par);
+ mf_crypto1_encrypt(pcs, response, 18, response_par);
+ EmSendCmdPar(response, 18, response_par);
numReads++;
if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
Dbprintf("%d reads done, exiting", numReads);
LED_C_OFF();
cardSTATE = MFEMUL_HALTED;
if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
// RATS
cardSTATE = MFEMUL_WORK;
} else {
cardSTATE_TO_IDLE();
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
}
break;
}
cardSTATE_TO_IDLE();
break;
}
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
cardINTREG = cardINTREG + ans;
cardSTATE = MFEMUL_WORK;
break;
cardSTATE_TO_IDLE();
break;
}
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
cardINTREG = cardINTREG - ans;
cardSTATE = MFEMUL_WORK;
break;
cardSTATE_TO_IDLE();
break;
}
- LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parityBits, TRUE);
- LogTrace(NULL, 0, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 0, TRUE);
+ LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
cardSTATE = MFEMUL_WORK;
break;
}
// The length of a received command will in most cases be no more than 18 bytes.
// So 32 should be enough!
uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
+ uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
// The response (tag -> reader) that we're receiving.
- uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
-
+ uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
+ uint8_t *receivedResponsePar = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
+
// As we receive stuff, we copy it from receivedCmd or receivedResponse
// into trace, along with its length and other annotations.
//uint8_t *trace = (uint8_t *)BigBuf;
iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
// Set up the demodulator for tag -> reader responses.
- Demod.output = receivedResponse;
+ DemodInit(receivedResponse, receivedResponsePar);
// Set up the demodulator for the reader -> tag commands
- Uart.output = receivedCmd;
+ UartInit(receivedCmd, receivedCmdPar);
// Setup for the DMA.
FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
LED_C_INV();
- if (MfSniffLogic(receivedCmd, Uart.len, Uart.parityBits, Uart.bitCount, TRUE)) break;
+ if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
/* And ready to receive another command. */
UartReset();
if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
LED_C_INV();
- if (MfSniffLogic(receivedResponse, Demod.len, Demod.parityBits, Demod.bitCount, FALSE)) break;
+ if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
// And ready to receive another response.
DemodReset();
#include "../include/common.h"
#include "mifaresniff.h"
-// mifare reader over DMA buffer (SnoopIso14443a())!!!
-#define MIFARE_BUFF_OFFSET 3560 // \/ \/ \/
-// card emulator memory
-#define EML_RESPONSES 4000
-#define CARD_MEMORY 6000
-#define CARD_MEMORY_LEN 4096
-
typedef struct {
enum {
DEMOD_UNSYNCD,
uint16_t bitCount;
uint16_t collisionPos;
uint16_t syncBit;
- uint32_t parityBits;
+ uint8_t parityBits;
+ uint8_t parityLen;
uint16_t shiftReg;
uint16_t samples;
uint16_t len;
uint32_t startTime, endTime;
uint8_t *output;
+ uint8_t *parity;
} tDemod;
typedef enum {
uint16_t byteCntMax;
uint16_t posCnt;
uint16_t syncBit;
- uint32_t parityBits;
+ uint8_t parityBits;
+ uint8_t parityLen;
uint16_t highCnt;
uint16_t twoBits;
uint32_t startTime, endTime;
uint8_t *output;
+ uint8_t *parity;
} tUart;
extern byte_t oddparity (const byte_t bt);
-extern uint32_t GetParity(const uint8_t *pbtCmd, int iLen);
+extern void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *par);
extern void AppendCrc14443a(uint8_t *data, int len);
-extern void ReaderTransmit(uint8_t *frame, int len, uint32_t *timing);
-extern void ReaderTransmitBitsPar(uint8_t *frame, int bits, uint32_t par, uint32_t *timing);
-extern void ReaderTransmitPar(uint8_t *frame, int len, uint32_t par, uint32_t *timing);
-extern int ReaderReceive(uint8_t *receivedAnswer);
-extern int ReaderReceivePar(uint8_t *receivedAnswer, uint32_t *parptr);
+extern void ReaderTransmit(uint8_t *frame, uint16_t len, uint32_t *timing);
+extern void ReaderTransmitBitsPar(uint8_t *frame, uint16_t bits, uint8_t *par, uint32_t *timing);
+extern void ReaderTransmitPar(uint8_t *frame, uint16_t len, uint8_t *par, uint32_t *timing);
+extern int ReaderReceive(uint8_t *receivedAnswer, uint8_t *par);
extern void iso14443a_setup(uint8_t fpga_minor_mode);
-extern int iso14_apdu(uint8_t *cmd, size_t cmd_len, void *data);
+extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data);
extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr);
extern void iso14a_set_trigger(bool enable);
extern void iso14a_set_timeout(uint32_t timeout);
-extern void iso14a_clear_tracelen();
+extern void iso14a_clear_trace();
extern void iso14a_set_tracing(bool enable);
#endif /* __ISO14443A_H */
AT91C_BASE_SSC->SSC_THR = 0x43;
}
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
- int8_t b;
- b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
+ int8_t b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
// The samples are correlations against I and Q versions of the
// tone that the tag AM-modulates, so every other sample is I,
// every other is Q. We just want power, so abs(I) + abs(Q) is
// close to what we want.
- if(getNext) {
- int8_t r;
-
- if(b < 0) {
- r = -b;
- } else {
- r = b;
- }
- if(prev < 0) {
- r -= prev;
- } else {
- r += prev;
- }
+ if (getNext) {
- dest[c++] = (uint8_t)r;
+ dest[c++] = abs(b) + abs(prev);
if(c >= 20000) {
break;
//-----------------------------------------------------------------------------
void AcquireRawAdcSamplesIso15693(void)
{
- uint8_t *dest = mifare_get_bigbufptr();
+ uint8_t *dest = get_bigbufptr_recvrespbuf();
int c = 0;
int getNext = 0;
void RecordRawAdcSamplesIso15693(void)
{
- uint8_t *dest = mifare_get_bigbufptr();
+ uint8_t *dest = get_bigbufptr_recvrespbuf();
int c = 0;
int getNext = 0;
uint16_t crc;
// one sub-carrier, inventory, 1 slot, fast rate
// AFI is at bit 5 (1<<4) when doing an INVENTORY
- cmd[0] = 0; //(1 << 2) | (1 << 5) | (1 << 1);
- cmd[1] = 0;
+ //(1 << 2) | (1 << 5) | (1 << 1);
+ cmd[0] = 0; //
+ cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported
// 64-bit UID
cmd[2] = uid[7]; //0x32;
cmd[3] = uid[6]; //0x4b;
memset(buf, 0x00, 100);
- // Inventory response
- BuildInventoryResponse(uid);
-
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
{
// Build a suitable reponse to the reader INVENTORY cocmmand
// not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below.
+
+ BuildInventoryResponse(uid);
+
TransmitTo15693Reader(ToSend, ToSendMax, &tsamples, &wait);
}
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7], buf[8]);
+ Dbprintf("Simulationg uid: %x %x %x %x %x %x %x %x",
+ uid[0], uid[1], uid[2], uid[3],
+ uid[4], uid[5], uid[6], uid[7]);
+
LED_A_OFF();
LED_B_OFF();
LED_C_OFF();
#include "crapto1.h"
#include "mifareutil.h"
+// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
+// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
+// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
+// T0 = TIMER_CLOCK1 / 125000 = 192
+#define T0 192
+
#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
// split into two routines so we can avoid timing issues after sending commands //
void DoAcquisition125k_internal(int trigger_threshold, bool silent)
{
- uint8_t *dest = mifare_get_bigbufptr();
- int n = 24000;
- int i = 0;
- memset(dest, 0x00, n);
+ uint8_t *dest = get_bigbufptr_recvrespbuf();
+ uint16_t i = 0;
+ memset(dest, 0x00, FREE_BUFFER_SIZE);
for(;;) {
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
continue;
else
trigger_threshold = -1;
- if (++i >= n) break;
+ if (++i >= FREE_BUFFER_SIZE) break;
}
}
if (!silent){
void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, uint8_t *command)
{
-
- /* Make sure the tag is reset */
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+ /* Make sure the tag is reset */
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(2500);
- int divisor_used = 95; // 125 KHz
+ int divisor = 95; // 125 KHz
// see if 'h' was specified
-
if (command[strlen((char *) command) - 1] == 'h')
- divisor_used = 88; // 134.8 KHz
+ divisor = 88; // 134.8 KHz
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor_used);
+ FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// Give it a bit of time for the resonant antenna to settle.
- SpinDelay(50);
-
-
- // And a little more time for the tag to fully power up
SpinDelay(2000);
// Now set up the SSC to get the ADC samples that are now streaming at us.
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LED_D_OFF();
SpinDelayUs(delay_off);
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor_used);
+ FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
LED_D_ON();
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LED_D_OFF();
SpinDelayUs(delay_off);
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor_used);
-
+ FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// now do the read
DbpString("Now use tiread to check");
}
-void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
+
+
+// PIO_CODR = Clear Output Data Register
+// PIO_SODR = Set Output Data Register
+//#define LOW(x) AT91C_BASE_PIOA->PIO_CODR = (x)
+//#define HIGH(x) AT91C_BASE_PIOA->PIO_SODR = (x)
+void SimulateTagLowFrequency( uint16_t period, uint32_t gap, uint8_t ledcontrol)
{
- int i = 0;
- uint8_t *buff = (uint8_t *)BigBuf;
+ LED_D_ON();
+
+ uint16_t i = 0;
+ uint8_t send = 0;
+
+ //int overflow = 0;
+ uint8_t *buf = (uint8_t *)BigBuf;
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
- FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
-
- // Configure output and enable pin that is connected to the FPGA (for modulating)
- AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
- AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+ RELAY_OFF();
- AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
+ // Configure output pin that is connected to the FPGA (for modulating)
+ AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+ AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
- // Give it a bit of time for the resonant antenna to settle.
- SpinDelay(30);
+ SHORT_COIL();
+
+ // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
+ AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
+
+ // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
+ AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
+ AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
+
+ // Disable timer during configuration
+ AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+
+ // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
+ // external trigger rising edge, load RA on rising edge of TIOA.
+ AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
+
+ // Enable and reset counter
+ //AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+ AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
- for(;;) {
+ while(!BUTTON_PRESS()) {
+ WDT_HIT();
- while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
- if(BUTTON_PRESS()) {
- DbpString("Stopped at 0");
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
- return;
- }
- WDT_HIT();
+ // Receive frame, watch for at most T0*EOF periods
+ while (AT91C_BASE_TC1->TC_CV < T0 * 55) {
+
+ // Check if rising edge in modulation is detected
+ if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
+ // Retrieve the new timing values
+ //int ra = (AT91C_BASE_TC1->TC_RA/T0) + overflow;
+ //Dbprintf("Timing value - %d %d", ra, overflow);
+ //overflow = 0;
+
+ // Reset timer every frame, we have to capture the last edge for timing
+ AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+ send = 1;
+
+ LED_B_ON();
+ }
+ }
+
+ if ( send ) {
+ // Disable timer 1 with external trigger to avoid triggers during our own modulation
+ AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+
+ // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
+ // not that since the clock counts since the rising edge, but T_Wait1 is
+ // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
+ // periods. The gap time T_Low varies (4..10). All timer values are in
+ // terms of T0 units
+ while(AT91C_BASE_TC0->TC_CV < T0 * 16 );
+
+ // datat kommer in som 1 bit för varje position i arrayn
+ for(i = 0; i < period; ++i) {
+
+ // Reset clock for the next bit
+ AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
+
+ if ( buf[i] > 0 )
+ HIGH(GPIO_SSC_DOUT);
+ else
+ LOW(GPIO_SSC_DOUT);
+
+ while(AT91C_BASE_TC0->TC_CV < T0 * 1 );
+ }
+ // Drop modulation
+ LOW(GPIO_SSC_DOUT);
+
+ // Enable and reset external trigger in timer for capturing future frames
+ AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+ LED_B_OFF();
}
-
- if ( buff[i] )
- OPEN_COIL();
- else
- SHORT_COIL();
-
- while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
- if(BUTTON_PRESS()) {
- DbpString("Stopped at 1");
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
- return;
+
+ send = 0;
+
+ // Save the timer overflow, will be 0 when frame was received
+ //overflow += (AT91C_BASE_TC1->TC_CV/T0);
+
+ // Reset the timer to restart while-loop that receives frames
+ AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
+ }
+
+ LED_B_OFF();
+ LED_D_OFF();
+ AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
+ AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+
+ DbpString("Sim Stopped");
+}
+
+
+void SimulateTagLowFrequencyA(int len, int gap)
+{
+ //Dbprintf("LEN %d || Gap %d",len, gap);
+
+ uint8_t *buf = (uint8_t *)BigBuf;
+
+ FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+ FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE); // new izsh toggle mode!
+
+ // Connect the A/D to the peak-detected low-frequency path.
+ SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+
+ // Now set up the SSC to get the ADC samples that are now streaming at us.
+ FpgaSetupSsc();
+ SpinDelay(5);
+
+ AT91C_BASE_SSC->SSC_THR = 0x00;
+
+ int i = 0;
+ while(!BUTTON_PRESS()) {
+ WDT_HIT();
+ if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
+
+ if ( buf[i] > 0 )
+ AT91C_BASE_SSC->SSC_THR = 0x43;
+ else
+ AT91C_BASE_SSC->SSC_THR = 0x00;
+
+ ++i;
+ LED_A_ON();
+ if (i >= len){
+ i = 0;
}
- WDT_HIT();
- }
-
- ++i;
- if(i == period) {
- i = 0;
- if (gap) {
- // turn of modulation
- SHORT_COIL();
- // wait
- SpinDelay(gap);
- }
+ }
+
+ if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
+ volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
+ (void)r;
+ LED_A_OFF();
}
}
+ DbpString("lf simulate stopped");
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}
#define DEBUG_FRAME_CONTENTS 1
}
// compose fc/8 fc/10 waveform
-static void fc(int c, int *n) {
+static void fc(int c, uint16_t *n) {
uint8_t *dest = (uint8_t *)BigBuf;
int idx;
// prepare a waveform pattern in the buffer based on the ID given then
// simulate a HID tag until the button is pressed
-void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
+void CmdHIDsimTAG(int hi, int lo, uint8_t ledcontrol)
{
- int n=0, i=0;
+ uint16_t n=0, i=0;
/*
HID tag bitstream format
The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
}
-size_t aggregate_bits(uint8_t *dest,size_t size, uint8_t h2l_crossing_value,uint8_t l2h_crossing_value, uint8_t maxConsequtiveBits )
+size_t aggregate_bits(uint8_t *dest,size_t size, uint8_t h2l_crossing_value,uint8_t l2h_crossing_value, uint8_t maxConsequtiveBits, uint8_t invert )
{
uint8_t lastval=dest[0];
uint32_t idx=0;
if(n < maxConsequtiveBits)
{
- memset(dest+numBits, dest[idx-1] , n);
+ if ( invert==0)
+ memset(dest+numBits, dest[idx-1] , n);
+ else
+ memset(dest+numBits, dest[idx-1]^1 , n);
+
numBits += n;
}
n=0;
// loop to capture raw HID waveform then FSK demodulate the TAG ID from it
void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
{
- uint8_t *dest = (uint8_t *)BigBuf;
+ uint8_t *dest = get_bigbufptr_recvrespbuf();
size_t size=0,idx=0; //, found=0;
- uint32_t hi2=0, hi=0, lo=0;
+ uint32_t hi2=0, hi=0, lo=0;
// Configure to go in 125Khz listen mode
LFSetupFPGAForADC(0, true);
if (ledcontrol) LED_A_ON();
DoAcquisition125k_internal(-1,true);
- size = sizeof(BigBuf);
// FSK demodulator
- size = fsk_demod(dest, size);
+ size = fsk_demod(dest, FREE_BUFFER_SIZE);
// we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns
- // 1->0 : fc/8 in sets of 6
- // 0->1 : fc/10 in sets of 5
- size = aggregate_bits(dest,size, 6,5,5);
+ // 1->0 : fc/8 in sets of 6 (RF/50 / 8 = 6.25)
+ // 0->1 : fc/10 in sets of 5 (RF/50 / 10= 5)
+ // do not invert
+ size = aggregate_bits(dest,size, 6,5,5,0);
WDT_HIT();
{
// Keep going until next frame marker (or error)
// Shift in a bit. Start by shifting high registers
- hi2=(hi2<<1)|(hi>>31);
+ hi2=(hi2<<1)|(hi>>31);
hi=(hi<<1)|(lo>>31);
//Then, shift in a 0 or one into low
if (dest[idx] && !dest[idx+1]) // 1 0
// Hopefully, we read a tag and hit upon the next frame marker
if(idx + sizeof(frame_marker_mask) < size)
{
- if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0)
- {
- if (hi2 != 0){
- Dbprintf("TAG ID: %x%08x%08x (%d)",
- (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
+ if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0)
+ {
+ if (hi2 != 0){ //extra large HID tags
+ Dbprintf("TAG ID: %x%08x%08x (%d)",
+ (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
+ }
+ else { //standard HID tags <38 bits
+ //Dbprintf("TAG ID: %x%08x (%d)",(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); //old print cmd
+ uint8_t bitlen = 0;
+ uint32_t fc = 0;
+ uint32_t cardnum = 0;
+ if (((hi>>5)&1)==1){//if bit 38 is set then < 37 bit format is used
+ uint32_t lo2=0;
+ lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
+ uint8_t idx3 = 1;
+ while(lo2>1){ //find last bit set to 1 (format len bit)
+ lo2=lo2>>1;
+ idx3++;
+ }
+ bitlen =idx3+19;
+ fc =0;
+ cardnum=0;
+ if(bitlen==26){
+ cardnum = (lo>>1)&0xFFFF;
+ fc = (lo>>17)&0xFF;
+ }
+ if(bitlen==37){
+ cardnum = (lo>>1)&0x7FFFF;
+ fc = ((hi&0xF)<<12)|(lo>>20);
+ }
+ if(bitlen==34){
+ cardnum = (lo>>1)&0xFFFF;
+ fc= ((hi&1)<<15)|(lo>>17);
+ }
+ if(bitlen==35){
+ cardnum = (lo>>1)&0xFFFFF;
+ fc = ((hi&1)<<11)|(lo>>21);
+ }
+ }
+ else { //if bit 38 is not set then 37 bit format is used
+ bitlen= 37;
+ fc =0;
+ cardnum=0;
+ if(bitlen==37){
+ cardnum = (lo>>1)&0x7FFFF;
+ fc = ((hi&0xF)<<12)|(lo>>20);
+ }
+ }
+ //Dbprintf("TAG ID: %x%08x (%d)",
+ // (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
+ Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
+ (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF,
+ (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
+ }
+ if (findone){
+ if (ledcontrol) LED_A_OFF();
+ return;
+ }
}
- else {
- Dbprintf("TAG ID: %x%08x (%d)",
- (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
- }
- }
-
}
-
// reset
hi2 = hi = lo = 0;
numshifts = 0;
- }else
- {
+ } else {
idx++;
}
}
void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
{
uint8_t *dest = (uint8_t *)BigBuf;
-
size_t size=0, idx=0;
uint32_t code=0, code2=0;
-
+ uint8_t isFinish = 0;
+
// Configure to go in 125Khz listen mode
LFSetupFPGAForADC(0, true);
- while(!BUTTON_PRESS()) {
+ while(!BUTTON_PRESS() & !isFinish) {
+
WDT_HIT();
+
if (ledcontrol) LED_A_ON();
DoAcquisition125k_internal(-1,true);
// FSK demodulator
size = fsk_demod(dest, size);
-
// we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns
- // 1->0 : fc/8 in sets of 7
- // 0->1 : fc/10 in sets of 6
- size = aggregate_bits(dest, size, 7,6,13);
-
- WDT_HIT();
-
+ // 1->0 : fc/8 in sets of 7 (RF/64 / 8 = 8)
+ // 0->1 : fc/10 in sets of 6 (RF/64 / 10 = 6.4)
+ size = aggregate_bits(dest, size, 7,6,13,1); //13 max Consecutive should be ok as most 0s in row should be 10 for init seq - invert bits
+
+ //Index map
+ //0 10 20 30 40 50 60
+ //| | | | | | |
+ //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
+ //-----------------------------------------------------------------------------
+ //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
+ //
+ //XSF(version)facility:codeone+codetwo
//Handle the data
+
uint8_t mask[] = {0,0,0,0,0,0,0,0,0,1};
- for( idx=0; idx < size - 64; idx++) {
-
- if ( memcmp(dest + idx, mask, sizeof(mask)) ) continue;
-
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7]);
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+8], dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15]);
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+16],dest[idx+17],dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23]);
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+24],dest[idx+25],dest[idx+26],dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31]);
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35],dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39]);
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44],dest[idx+45],dest[idx+46],dest[idx+47]);
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53],dest[idx+54],dest[idx+55]);
- Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
- code = bytebits_to_byte(dest+idx,32);
- code2 = bytebits_to_byte(dest+idx+32,32);
+ for( idx=0; idx < (size - 64); idx++) {
+ if ( memcmp(dest + idx, mask, sizeof(mask))==0) {
+ //frame marker found
+ if(findone){ //only print binary if we are doing one
+ Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
+ Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
+ Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
+ Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
+ Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
+ Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
+ Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
+ }
+ code = bytebits_to_byte(dest+idx,32);
+ code2 = bytebits_to_byte(dest+idx+32,32);
+ short version = bytebits_to_byte(dest+idx+28,8); //14,4
+ char facilitycode = bytebits_to_byte(dest+idx+19,8) ;
+ uint16_t number = (bytebits_to_byte(dest+idx+37,8)<<8)|(bytebits_to_byte(dest+idx+46,8)); //36,9
+
+ Dbprintf("XSF(%02d)%02x:%d (%08x%08x)",version,facilitycode,number,code,code2);
- short version = bytebits_to_byte(dest+idx+14,4);
- char unknown = bytebits_to_byte(dest+idx+19,8) ;
- uint16_t number = bytebits_to_byte(dest+idx+36,9);
-
- Dbprintf("XSF(%02d)%02x:%d (%08x%08x)",version,unknown,number,code,code2);
- if (ledcontrol) LED_D_OFF();
-
- // if we're only looking for one tag
- if (findone){
- LED_A_OFF();
- return;
+ // if we're only looking for one tag
+ if (findone){
+ if (ledcontrol) LED_A_OFF();
+ isFinish = 1;
+ break;
+ }
+ }
}
- }
- WDT_HIT();
+ WDT_HIT();
}
DbpString("Stopped");
if (ledcontrol) LED_A_OFF();
// Read one card block in page 0
void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
{
- uint8_t *dest = mifare_get_bigbufptr();
+ uint8_t *dest = get_bigbufptr_recvrespbuf();
uint16_t bufferlength = T55xx_SAMPLES_SIZE;
uint32_t i = 0;
for(;;) {
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
AT91C_BASE_SSC->SSC_THR = 0x43;
+ //AT91C_BASE_SSC->SSC_THR = 0xff;
LED_D_ON();
}
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
// Read card traceability data (page 1)
void T55xxReadTrace(void){
- uint8_t *dest = mifare_get_bigbufptr();
+ uint8_t *dest = get_bigbufptr_recvrespbuf();
uint16_t bufferlength = T55xx_SAMPLES_SIZE;
- int i=0;
+ uint32_t i = 0;
// Clear destination buffer before sending the command 0x80 = average
memset(dest, 0x80, bufferlength);
block_done = 0;
half_switch = 0;
}
+ if(i < GraphTraceLen)
+ {
if (GraphBuffer[i-1] > GraphBuffer[i]) dir=0;
else dir = 1;
}
+ }
if(bitidx==255)
bitidx=0;
warnings = 0;
void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
- uint8_t *dest = mifare_get_bigbufptr();
+ uint8_t *dest = get_bigbufptr_recvrespbuf();
uint16_t bufferlength = 12000;
uint32_t i = 0;
#include "../common/crc.h"\r
\r
//-----------------------------------------------------------------------------\r
-// Select, Authenticaate, Read an MIFARE tag. \r
+// Select, Authenticate, Read a MIFARE tag. \r
// read block\r
//-----------------------------------------------------------------------------\r
void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
// ----------------------------- crypto1 destroy\r
crypto1_destroy(pcs);\r
\r
- if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");\r
+ if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");\r
\r
LED_B_ON();\r
cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);\r
\r
void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)\r
{\r
- // params\r
- uint8_t sectorNo = arg0;\r
- int Pages=arg1;\r
+ // params\r
+ uint8_t sectorNo = arg0;\r
+ int Pages=arg1;\r
int count_Pages=0;\r
- // variables\r
- byte_t isOK = 0;\r
- byte_t dataoutbuf[44 * 4];\r
- uint8_t uid[10];\r
- uint32_t cuid;\r
+ // variables\r
+ byte_t isOK = 0;\r
+ byte_t dataoutbuf[176];\r
+ uint8_t uid[10];\r
+ uint32_t cuid;\r
\r
- // clear trace\r
- iso14a_clear_trace();\r
+ // clear trace\r
+ iso14a_clear_trace();\r
\r
- iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
- LED_A_ON();\r
- LED_B_OFF();\r
- LED_C_OFF();\r
- Dbprintf("Pages %d",Pages);\r
+ LED_A_ON();\r
+ LED_B_OFF();\r
+ LED_C_OFF();\r
+ Dbprintf("Pages %d",Pages);\r
while (true) {\r
if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");\r
isOK = 1;\r
break;\r
}\r
- Dbprintf("Pages read %d",count_Pages);\r
- if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED");\r
+ Dbprintf("Pages read %d",count_Pages);\r
+ if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED");\r
\r
LED_B_ON();\r
if (Pages==16) cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64);\r
if (Pages==44 && count_Pages>16) cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,176);\r
LED_B_OFF();\r
\r
- // Thats it...\r
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
- LEDsoff();\r
+ // Thats it...\r
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+ LEDsoff();\r
\r
}\r
\r
}\r
\r
// Return 1 if the nonce is invalid else return 0\r
-int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {\r
+int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t * parity) {\r
return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \\r
(oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \\r
(oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;\r
uint16_t davg;\r
static uint16_t dmin, dmax;\r
uint8_t uid[10];\r
- uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;\r
+ uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;\r
+ uint8_t par[1];\r
uint32_t target_nt[2], target_ks[2];\r
\r
uint8_t par_array[4];\r
struct Crypto1State mpcs = {0, 0};\r
struct Crypto1State *pcs;\r
pcs = &mpcs;\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
\r
uint32_t auth1_time, auth2_time;\r
static uint16_t delta_time;\r
// statistics on nonce distance\r
if (calibrate) { // for first call only. Otherwise reuse previous calibration\r
LED_B_ON();\r
+ WDT_HIT();\r
\r
davg = dmax = 0;\r
- dmin = 2000;\r
+ dmin = 2000; \r
delta_time = 0;\r
\r
for (rtr = 0; rtr < 17; rtr++) {\r
};\r
\r
nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160\r
- for (i = 101; i < 1200; i++) {\r
+ for (i = 141; i < 1200; i++) {\r
nttmp = prng_successor(nttmp, 1);\r
- if (nttmp == nt2) break;\r
+ if (nttmp == nt2) {break;}\r
}\r
\r
if (i != 1200) {\r
}\r
}\r
\r
- if (rtr <= 1) return;\r
+ if (rtr <= 1) return;\r
\r
davg = (davg + (rtr - 1)/2) / (rtr - 1);\r
\r
// get crypted nonces for target sector\r
for(i=0; i < 2; i++) { // look for exactly two different nonces\r
\r
+ WDT_HIT(); \r
+ if(BUTTON_PRESS()) {\r
+ DbpString("Nested: cancelled");\r
+ crypto1_destroy(pcs);\r
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+ LEDsoff();\r
+ return;\r
+ }\r
+\r
target_nt[i] = 0;\r
while(target_nt[i] == 0) { // continue until we have an unambiguous nonce\r
- \r
+ \r
// prepare next select. No need to power down the card.\r
if(mifare_classic_halt(pcs, cuid)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");\r
\r
// nested authentication\r
auth2_time = auth1_time + delta_time;\r
- len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par, &auth2_time);\r
+ len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);\r
if (len != 4) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);\r
continue;\r
};\r
\r
nt2 = bytes_to_num(receivedAnswer, 4); \r
- if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par);\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);\r
\r
// Parity validity check\r
for (j = 0; j < 4; j++) {\r
- par_array[j] = (oddparity(receivedAnswer[j]) != ((par & 0x08) >> 3));\r
- par = par << 1;\r
+ par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));\r
}\r
\r
ncount = 0;\r
if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);\r
}\r
}\r
-\r
+ \r
LED_C_OFF();\r
\r
// ----------------------------- crypto1 destroy\r
crypto1_destroy(pcs);\r
\r
- // add trace trailer\r
- memset(uid, 0x44, 4);\r
- LogTrace(uid, 4, 0, 0, TRUE);\r
-\r
byte_t buf[4 + 4 * 4];\r
memcpy(buf, &cuid, 4);\r
memcpy(buf+4, &target_nt[0], 4);\r
cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);\r
LED_B_OFF();\r
\r
- // Thats it...\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
\r
}\r
\r
void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
- byte_t buf[48];\r
+ byte_t buf[USB_CMD_DATA_SIZE];\r
emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)\r
\r
LED_B_ON();\r
- cmd_send(CMD_ACK,arg0,arg1,0,buf,48);\r
+ cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);\r
LED_B_OFF();\r
}\r
\r
uint32_t cuid;\r
\r
memset(uid, 0x00, 10);\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
if (workFlags & 0x08) {\r
// clear trace\r
\r
// reset chip\r
if (needWipe){\r
- ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
- if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+ ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+ if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");\r
break;\r
};\r
\r
ReaderTransmit(wipeC, sizeof(wipeC), NULL);\r
- if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+ if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");\r
break;\r
};\r
\r
// write block\r
if (workFlags & 0x02) {\r
- ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
- if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+ ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+ if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");\r
break;\r
};\r
\r
ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
- if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+ if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");\r
break;\r
};\r
}\r
\r
- if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+ if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");\r
break;\r
};\r
AppendCrc14443a(d_block, 16);\r
\r
ReaderTransmit(d_block, sizeof(d_block), NULL);\r
- if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {\r
+ if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");\r
break;\r
}; \r
uint32_t cuid = 0;\r
\r
memset(data, 0x00, 18);\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
if (workFlags & 0x08) {\r
// clear trace\r
while (true) {\r
if (workFlags & 0x02) {\r
ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
- if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+ if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");\r
break;\r
};\r
\r
ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
- if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
+ if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");\r
break;\r
};\r
}\r
\r
// read block\r
- if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, NULL) != 18)) {\r
+ if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");\r
break;\r
};\r
LED_B_OFF();\r
\r
if ((workFlags & 0x10) || (!isOK)) {\r
- // Thats it...\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
}\r
#define MAX_APPLICATION_COUNT 28
#define MAX_FILE_COUNT 16
-#define MAX_FRAME_SIZE 60
+#define MAX_DESFIRE_FRAME_SIZE 60
#define NOT_YET_AUTHENTICATED 255
-#define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5)
+#define FRAME_PAYLOAD_SIZE (MAX_DESFIRE_FRAME_SIZE - 5)
+#define RECEIVE_SIZE 64
// the block number for the ISO14443-4 PCB
uint8_t pcb_blocknum = 0;
*/
uint8_t flags = arg0;
size_t datalen = arg1;
- uint8_t resp[RECV_RES_SIZE];
+ uint8_t resp[RECEIVE_SIZE];
memset(resp,0,sizeof(resp));
if (MF_DBGLEVEL >= 4) {
}
int len = DesfireAPDU(datain, datalen, resp);
- if (MF_DBGLEVEL >= 4) {
- print_result("ERR <--: ", resp, len);
- }
+ if (MF_DBGLEVEL >= 4) {
+ print_result("ERR <--: ", resp, len);
+ }
if ( !len ) {
OnError();
// card select - information
iso14a_card_select_t *card = (iso14a_card_select_t*)cardbuf;
byte_t isOK = iso14443a_select_card(NULL, card, NULL);
- if (isOK != 1) {
+ if ( isOK == 0) {
if (MF_DBGLEVEL >= 1) {
Dbprintf("Can't select card");
}
//uint8_t new_key_data8[8] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77};
//uint8_t new_key_data16[16] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF};
- //uint8_t* bigbuffer = mifare_get_bigbufptr();
+ //uint8_t* bigbuffer = get_bigbufptr_recvrespbuf();
uint8_t resp[256] = {0x00};
uint8_t IV[16] = {0x00};
// dataout = pointer to response data array
int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout){
- uint32_t status = 0;
+ size_t len = 0;
size_t wrappedLen = 0;
uint8_t wCmd[USB_CMD_DATA_SIZE] = {0};
+ uint8_t *resp = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
+ uint8_t *resp_par = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
+
wrappedLen = CreateAPDU( cmd, cmd_len, wCmd);
if (MF_DBGLEVEL >= 4) {
}
ReaderTransmit( wCmd, wrappedLen, NULL);
- status = ReaderReceive(dataout);
+ len = ReaderReceive(resp, resp_par);
- if( status == 0x00){
+ if( len == 0x00 ){
if (MF_DBGLEVEL >= 4) {
Dbprintf("fukked");
}
}
// if we received an I- or R(ACK)-Block with a block number equal to the
// current block number, toggle the current block number
- else if (status >= 4 // PCB+CID+CRC = 4 bytes
- && ((dataout[0] & 0xC0) == 0 // I-Block
- || (dataout[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
- && (dataout[0] & 0x01) == pcb_blocknum) // equal block numbers
+ else if (len >= 4 // PCB+CID+CRC = 4 bytes
+ && ((resp[0] & 0xC0) == 0 // I-Block
+ || (resp[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
+ && (resp[0] & 0x01) == pcb_blocknum) // equal block numbers
{
pcb_blocknum ^= 1; //toggle next block
}
- return status;
+
+ memcpy(dataout, resp, len);
+ return len;
}
// CreateAPDU
return FALSE;\r
}\r
\r
-bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader) {\r
+bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {\r
\r
if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader\r
sniffState = SNF_INIT;\r
sniffBuf[11] = sniffSAK;\r
sniffBuf[12] = 0xFF;\r
sniffBuf[13] = 0xFF;\r
- LogTrace(sniffBuf, 14, 0, parity, true);\r
+ LogTrace(sniffBuf, 14, 0, 0, NULL, TRUE);\r
} // intentionally no break;\r
case SNF_CARD_CMD:{ \r
- LogTrace(data, len, 0, parity, true);\r
+ LogTrace(data, len, 0, 0, NULL, TRUE);\r
sniffState = SNF_CARD_RESP;\r
timerData = GetTickCount();\r
break;\r
}\r
case SNF_CARD_RESP:{\r
- LogTrace(data, len, 0, parity, false);\r
+ LogTrace(data, len, 0, 0, NULL, FALSE);\r
sniffState = SNF_CARD_CMD;\r
timerData = GetTickCount();\r
break;\r
#define SNF_UID_7 0\r
\r
bool MfSniffInit(void);\r
-bool RAMFUNC MfSniffLogic(const uint8_t * data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader);\r
+bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader);\r
bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs);\r
bool intMfSniffSend();\r
bool MfSniffEnd(void);\r
int MF_DBGLEVEL = MF_DBG_ALL;\r
\r
// memory management\r
-uint8_t* mifare_get_bigbufptr(void) {\r
- return (((uint8_t *)BigBuf) + MIFARE_BUFF_OFFSET); // was 3560 - tied to other size changes\r
+uint8_t* get_bigbufptr_recvrespbuf(void) {\r
+ return (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);\r
}\r
-uint8_t* eml_get_bigbufptr_sendbuf(void) {\r
+uint8_t* get_bigbufptr_recvcmdbuf(void) {\r
return (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); \r
}\r
-uint8_t* eml_get_bigbufptr_recbuf(void) {\r
- return (((uint8_t *)BigBuf) + MIFARE_BUFF_OFFSET);\r
-}\r
-uint8_t* eml_get_bigbufptr_cardmem(void) {\r
- return (((uint8_t *)BigBuf) + CARD_MEMORY);\r
+uint8_t* get_bigbufptr_emlcardmem(void) {\r
+ return (((uint8_t *)BigBuf) + CARD_MEMORY_OFFSET);\r
}\r
\r
// crypto1 helpers\r
return;\r
}\r
\r
-void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, int len, uint32_t *par) {\r
+void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, uint8_t *par) {\r
uint8_t bt = 0;\r
int i;\r
- uint32_t mltpl = 1 << (len - 1); // for len=18 it=0x20000\r
- *par = 0;\r
+ par[0] = 0;\r
+ \r
for (i = 0; i < len; i++) {\r
bt = data[i];\r
data[i] = crypto1_byte(pcs, 0x00, 0) ^ data[i];\r
- *par = (*par >> 1) | ( ((filter(pcs->odd) ^ oddparity(bt)) & 0x01) * mltpl );\r
+ if((i&0x0007) == 0) \r
+ par[i>>3] = 0;\r
+ par[i>>3] |= (((filter(pcs->odd) ^ oddparity(bt)) & 0x01)<<(7-(i&0x0007)));\r
} \r
return;\r
}\r
}\r
\r
// send commands\r
-int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint32_t *timing)\r
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)\r
{\r
- return mifare_sendcmd_shortex(pcs, crypted, cmd, data, answer, NULL, timing);
+ return mifare_sendcmd_shortex(pcs, crypted, cmd, data, answer, answer_parity, timing);
}
-int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *timing)
+int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)
{
- uint8_t dcmd[8];
- dcmd[0] = cmd;
- memcpy(dcmd+1,data,5);
+ uint8_t dcmd[8];
+ dcmd[0] = cmd;
+ dcmd[1] = data[0];\r
+ dcmd[2] = data[1];
+ dcmd[3] = data[2];\r
+ dcmd[4] = data[3];\r
+ dcmd[5] = data[4];\r
AppendCrc14443a(dcmd, 6);
ReaderTransmit(dcmd, sizeof(dcmd), NULL);
- int len = ReaderReceive(answer);
+ int len = ReaderReceive(answer, answer_parity);
if(!len) {
if (MF_DBGLEVEL >= 1) Dbprintf("Authentication failed. Card timeout.");
return 2;
return len;\r
}\r
\r
-int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint32_t *timing)\r
+int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)\r
{\r
uint8_t dcmd[19];\r
int len; \r
AppendCrc14443a(dcmd, 17);\r
\r
ReaderTransmit(dcmd, sizeof(dcmd), timing);\r
- len = ReaderReceive(answer);\r
+ len = ReaderReceive(answer, answer_parity);\r
if(!len) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Authentication failed. Card timeout.");\r
- len = ReaderReceive(answer);\r
+ len = ReaderReceive(answer,answer_parity);\r
}\r
if(len==1) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("NAK - Authentication failed.");\r
return len;
}
-int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint32_t * parptr, uint32_t *timing)
+int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)
{
uint8_t dcmd[4], ecmd[4];
- uint32_t pos, par, res;\r
-\r
+ uint16_t pos, res;\r
+ uint8_t par[1]; // 1 Byte parity is enough here\r
dcmd[0] = cmd;\r
dcmd[1] = data;\r
AppendCrc14443a(dcmd, 2);\r
memcpy(ecmd, dcmd, sizeof(dcmd));\r
\r
if (crypted) {\r
- par = 0;\r
+ par[0] = 0;\r
for (pos = 0; pos < 4; pos++)\r
{\r
ecmd[pos] = crypto1_byte(pcs, 0x00, 0) ^ dcmd[pos];\r
- par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(dcmd[pos])) & 0x01) * 0x08 );\r
+ par[0] |= (((filter(pcs->odd) ^ oddparity(dcmd[pos])) & 0x01) << (7-pos));\r
} \r
\r
ReaderTransmitPar(ecmd, sizeof(ecmd), par, timing);\r
ReaderTransmit(dcmd, sizeof(dcmd), timing);\r
}\r
\r
- int len = ReaderReceivePar(answer, &par);\r
+ int len = ReaderReceive(answer, par);\r
\r
- if (parptr) *parptr = par;\r
+ if (answer_parity) *answer_parity = par[0];\r
\r
if (crypted == CRYPT_ALL) {\r
if (len == 1) {\r
}\r
\r
// mifare commands\r
-int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested) \r
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested) \r
{\r
return mifare_classic_authex(pcs, uid, blockNo, keyType, ui64Key, isNested, NULL, NULL);\r
}\r
\r
-int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested, uint32_t * ntptr, uint32_t *timing) \r
+int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing) \r
{\r
// variables\r
int len; \r
uint32_t pos;\r
uint8_t tmp4[4];\r
- byte_t par = 0;\r
- byte_t ar[4];\r
+ uint8_t par[1] = {0x00};\r
+ byte_t nr[4];\r
uint32_t nt, ntpp; // Supplied tag nonce\r
\r
uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
// Transmit MIFARE_CLASSIC_AUTH\r
- len = mifare_sendcmd_short(pcs, isNested, 0x60 + (keyType & 0x01), blockNo, receivedAnswer, timing);\r
- if (MF_DBGLEVEL >= 4) Dbprintf("rand nonce len: %x", len); \r
+ len = mifare_sendcmd_short(pcs, isNested, 0x60 + (keyType & 0x01), blockNo, receivedAnswer, receivedAnswerPar, timing);\r
+ if (MF_DBGLEVEL >= 4) Dbprintf("rand tag nonce len: %x", len); \r
if (len != 4) return 1;\r
\r
- ar[0] = 0x55;\r
- ar[1] = 0x41;\r
- ar[2] = 0x49;\r
- ar[3] = 0x92; \r
+ // "random" reader nonce:\r
+ nr[0] = 0x55;\r
+ nr[1] = 0x41;\r
+ nr[2] = 0x49;\r
+ nr[3] = 0x92; \r
\r
// Save the tag nonce (nt)\r
nt = bytes_to_num(receivedAnswer, 4);\r
if (ntptr)\r
*ntptr = nt;\r
\r
- par = 0;\r
// Generate (encrypted) nr+parity by loading it into the cipher (Nr)\r
+ par[0] = 0;\r
for (pos = 0; pos < 4; pos++)\r
{\r
- mf_nr_ar[pos] = crypto1_byte(pcs, ar[pos], 0) ^ ar[pos];\r
- par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(ar[pos])) & 0x01) * 0x80 );\r
+ mf_nr_ar[pos] = crypto1_byte(pcs, nr[pos], 0) ^ nr[pos];\r
+ par[0] |= (((filter(pcs->odd) ^ oddparity(nr[pos])) & 0x01) << (7-pos));\r
} \r
\r
// Skip 32 bits in pseudo random generator\r
{\r
nt = prng_successor(nt,8);\r
mf_nr_ar[pos] = crypto1_byte(pcs,0x00,0) ^ (nt & 0xff);\r
- par = (par >> 1)| ( ((filter(pcs->odd) ^ oddparity(nt & 0xff)) & 0x01) * 0x80 );\r
+ par[0] |= (((filter(pcs->odd) ^ oddparity(nt & 0xff)) & 0x01) << (7-pos));\r
} \r
\r
// Transmit reader nonce and reader answer\r
ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);\r
\r
- // Receive 4 bit answer\r
- len = ReaderReceive(receivedAnswer);\r
+ // Receive 4 byte tag answer\r
+ len = ReaderReceive(receivedAnswer, receivedAnswerPar);\r
if (!len)\r
{\r
if (MF_DBGLEVEL >= 1) Dbprintf("Authentication failed. Card timeout.");\r
int len; \r
uint8_t bt[2];\r
\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
// command MIFARE_CLASSIC_READBLOCK\r
- len = mifare_sendcmd_short(pcs, 1, 0x30, blockNo, receivedAnswer, NULL);\r
+ len = mifare_sendcmd_short(pcs, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);\r
if (len == 1) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Error: %02x", receivedAnswer[0]); \r
return 1;\r
\r
int mifare_ultra_auth1(uint32_t uid, uint8_t *blockData){\r
// variables\r
- int len;\r
+ uint16_t len;\r
\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
// command MIFARE_CLASSIC_READBLOCK\r
- len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,NULL);\r
+ len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);\r
if (len == 1) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);\r
return 1;\r
receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],\r
receivedAnswer[10]);\r
memcpy(blockData, receivedAnswer, 11);\r
- return 0;\r
+ return 0;\r
}\r
//else something went wrong???\r
return 1;\r
\r
int mifare_ultra_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){\r
// variables\r
- int len;\r
- \r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint16_t len;\r
\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
// command MIFARE_CLASSIC_READBLOCK\r
- len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, key, receivedAnswer,NULL);\r
+ len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, key, receivedAnswer, receivedAnswerPar, NULL);\r
if (len == 1) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);\r
return 1;\r
int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
// variables
- int len;
+ uint16_t len;
uint8_t bt[2];
- uint8_t* receivedAnswer = mifare_get_bigbufptr();
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
+ uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
+ \r
// command MIFARE_CLASSIC_READBLOCK
- len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer,NULL);
+ len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);
if (len == 1) {
if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
return 1;
int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
// variables
- int len, i; \r
+ uint16_t len, i; \r
uint32_t pos;\r
- uint32_t par = 0;\r
+ uint8_t par[3] = {0}; // enough for 18 Bytes to send\r
byte_t res;\r
\r
uint8_t d_block[18], d_block_enc[18];\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
// command MIFARE_CLASSIC_WRITEBLOCK\r
- len = mifare_sendcmd_short(pcs, 1, 0xA0, blockNo, receivedAnswer, NULL);\r
+ len = mifare_sendcmd_short(pcs, 1, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL);\r
\r
if ((len != 1) || (receivedAnswer[0] != 0x0A)) { // 0x0a - ACK\r
if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Error: %02x", receivedAnswer[0]); \r
AppendCrc14443a(d_block, 16);\r
\r
// crypto\r
- par = 0;\r
for (pos = 0; pos < 18; pos++)\r
{\r
d_block_enc[pos] = crypto1_byte(pcs, 0x00, 0) ^ d_block[pos];\r
- par = (par >> 1) | ( ((filter(pcs->odd) ^ oddparity(d_block[pos])) & 0x01) * 0x20000 );\r
+ par[pos>>3] |= (((filter(pcs->odd) ^ oddparity(d_block[pos])) & 0x01) << (7 - (pos&0x0007)));\r
} \r
\r
ReaderTransmitPar(d_block_enc, sizeof(d_block_enc), par, NULL);\r
\r
// Receive the response\r
- len = ReaderReceive(receivedAnswer); \r
+ len = ReaderReceive(receivedAnswer, receivedAnswerPar); \r
\r
res = 0;\r
for (i = 0; i < 4; i++)\r
int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
- // variables
- int len;
- uint32_t par = 0;
-
- uint8_t d_block[18];
- uint8_t* receivedAnswer = mifare_get_bigbufptr();
-
- // command MIFARE_CLASSIC_WRITEBLOCK
- len = mifare_sendcmd_short(NULL, 1, 0xA0, blockNo, receivedAnswer,NULL);
+ // variables
+ uint16_t len;
+ uint8_t par[3] = {0}; // enough for 18 parity bits
+
+ uint8_t d_block[18];
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
+
+ // command MIFARE_CLASSIC_WRITEBLOCK
+ len = mifare_sendcmd_short(NULL, true, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL);
- if ((len != 1) || (receivedAnswer[0] != 0x0A)) { // 0x0a - ACK
- if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Addr Error: %02x", receivedAnswer[0]);
- return 1;
- }
+ if ((len != 1) || (receivedAnswer[0] != 0x0A)) { // 0x0a - ACK
+ if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Addr Error: %02x", receivedAnswer[0]);
+ return 1;
+ }
memset(d_block,'\0',18);
memcpy(d_block, blockData, 16);
- AppendCrc14443a(d_block, 16);
+ AppendCrc14443a(d_block, 16);
ReaderTransmitPar(d_block, sizeof(d_block), par, NULL);
-
- // Receive the response
- len = ReaderReceive(receivedAnswer);
+\r
+ // Receive the response
+ len = ReaderReceive(receivedAnswer, receivedAnswerPar);
if ((len != 1) || (receivedAnswer[0] != 0x0A)) { // 0x0a - ACK
- if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Data Error: %02x %d", receivedAnswer[0],len);
- return 2;
- }
+ if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Data Error: %02x %d", receivedAnswer[0],len);
+ return 2;
+ }
- return 0;
+ return 0;
}
int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
- // variables
- int len;
- //uint32_t par = 0;
-
- uint8_t d_block[8];
- uint8_t* receivedAnswer = mifare_get_bigbufptr();
+ uint16_t len;
+\r
+ uint8_t d_block[8];
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
- // command MIFARE_CLASSIC_WRITEBLOCK
+ // command MIFARE_CLASSIC_WRITEBLOCK
memset(d_block,'\0',8);
d_block[0]= blockNo;
memcpy(d_block+1,blockData,4);
AppendCrc14443a(d_block, 6);
//i know the data send here is correct
- len = mifare_sendcmd_short_special(NULL, 1, 0xA2, d_block, receivedAnswer,NULL);
+ len = mifare_sendcmd_short_special(NULL, 1, 0xA2, d_block, receivedAnswer, receivedAnswerPar, NULL);
- if (receivedAnswer[0] != 0x0A) { // 0x0a - ACK
- if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Send Error: %02x %d", receivedAnswer[0],len);
- return 1;
- }
- return 0;
+ if (receivedAnswer[0] != 0x0A) { // 0x0a - ACK
+ if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Send Error: %02x %d", receivedAnswer[0],len);
+ return 1;
+ }
+ return 0;
}
int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
{
- // variables
- int len; \r
- \r
- // Mifare HALT\r
- uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
+ uint16_t len; \r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
\r
- len = mifare_sendcmd_short(pcs, pcs == NULL ? 0:1, 0x50, 0x00, receivedAnswer, NULL);\r
+ len = mifare_sendcmd_short(pcs, pcs == NULL ? false:true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);\r
if (len != 0) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("halt error. response len: %x", len); \r
return 1;\r
int mifare_ultra_halt(uint32_t uid)
{
- // variables
- int len;
-
- // Mifare HALT
- uint8_t* receivedAnswer = mifare_get_bigbufptr();
+ uint16_t len; \r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
- len = mifare_sendcmd_short(NULL, 1, 0x50, 0x00, receivedAnswer, NULL);
+ len = mifare_sendcmd_short(NULL, true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);
if (len != 0) {
if (MF_DBGLEVEL >= 1) Dbprintf("halt error. response len: %x", len);
return 1;
\r
// work with emulator memory
void emlSetMem(uint8_t *data, int blockNum, int blocksCount) {
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();
- \r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
memcpy(emCARD + blockNum * 16, data, blocksCount * 16);\r
}\r
\r
void emlGetMem(uint8_t *data, int blockNum, int blocksCount) {\r
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();\r
- \r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
memcpy(data, emCARD + blockNum * 16, blocksCount * 16);\r
}\r
\r
void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount) {\r
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();\r
- \r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
memcpy(data, emCARD + bytePtr, byteCount);\r
}\r
\r
int emlCheckValBl(int blockNum) {\r
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();\r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
uint8_t* data = emCARD + blockNum * 16;\r
\r
if ((data[0] != (data[4] ^ 0xff)) || (data[0] != data[8]) ||\r
}\r
\r
int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum) {\r
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();\r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
uint8_t* data = emCARD + blockNum * 16;\r
\r
if (emlCheckValBl(blockNum)) {\r
}\r
\r
memcpy(blReg, data, 4);\r
- *blBlock = data[12];\r
- \r
+ *blBlock = data[12]; \r
return 0;\r
}\r
\r
int emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum) {\r
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();\r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
uint8_t* data = emCARD + blockNum * 16;\r
\r
memcpy(data + 0, &blReg, 4);\r
\r
uint64_t emlGetKey(int sectorNum, int keyType) {\r
uint8_t key[6];\r
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();\r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
\r
memcpy(key, emCARD + 16 * (FirstBlockOfSector(sectorNum) + NumBlocksPerSector(sectorNum) - 1) + keyType * 10, 6);\r
return bytes_to_num(key, 6);\r
\r
const uint8_t trailer[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0x80, 0x69, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};\r
const uint8_t uid[] = {0xe6, 0x84, 0x87, 0xf3, 0x16, 0x88, 0x04, 0x00, 0x46, 0x8e, 0x45, 0x55, 0x4d, 0x70, 0x41, 0x04};\r
- uint8_t* emCARD = eml_get_bigbufptr_cardmem();\r
+ uint8_t* emCARD = get_bigbufptr_emlcardmem();\r
\r
- memset(emCARD, 0, CARD_MEMORY_LEN);\r
+ memset(emCARD, 0, CARD_MEMORY_SIZE);\r
\r
// fill sectors trailer data\r
for(b = 3; b < 256; b<127?(b+=4):(b+=16)) {\r
\r
//functions
uint8_t* mifare_get_bigbufptr(void);
-int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint32_t *timing);
-int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t* amswer, uint8_t *timing);
-int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t* amswer, uint32_t *timing);\r
-int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint32_t * parptr, uint32_t *timing);
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
+int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing);
+\r
+int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing);\r
+int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
-int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, \
- uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested);\r
-int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, \
- uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested, uint32_t * ntptr, uint32_t *timing);
+int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested);\r
+int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing);
int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
int mifare_ultra_auth1(uint32_t cuid, uint8_t *blockData);\r
int mifare_ultra_auth2(uint32_t cuid, uint8_t *key, uint8_t *blockData);\r
// crypto functions
void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *receivedCmd, int len);
-void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, int len, uint32_t *par);\r
+void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, uint8_t *par);\r
uint8_t mf_crypto1_encrypt4bit(struct Crypto1State *pcs, uint8_t data);\r
\r
// memory management\r
-uint8_t* mifare_get_bigbufptr(void);\r
-uint8_t* eml_get_bigbufptr_sendbuf(void);\r
-uint8_t* eml_get_bigbufptr_recbuf(void);\r
+uint8_t* get_bigbufptr_recvrespbuf(void);\r
+uint8_t* get_bigbufptr_recvcmdbuf(void);\r
+uint8_t* get_bigbufptr_emlcardmem(void);\r
\r
// Mifare memory structure\r
uint8_t NumBlocksPerSector(uint8_t sectorNo);\r
#include <util.h>
int strlen(const char *str);
-void *memcpy(void *dest, const void *src, int len);
+RAMFUNC void *memcpy(void *dest, const void *src, int len);
void *memset(void *dest, int c, int len);
-int memcmp(const void *av, const void *bv, int len);
+RAMFUNC int memcmp(const void *av, const void *bv, int len);
void memxor(uint8_t * dest, uint8_t * src, size_t len);
char *strncat(char *dest, const char *src, unsigned int n);
char *strcat(char *dest, const char *src);
lf em4x 410xsim 124s
lf em4x 410xsim 0F0368568B
da pl
+scr run sky
+script list
+scr run mifare_autopwn
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3 -n
+scr run tnp3
+scr run tnp3 -n
+hf mf nested 0 a 4b0b20107ccb d
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3 -n
+scr run tnp3
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run tnp3
VPATH = ../common
OBJDIR = obj
-LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lm -lreadline -lpthread -lcrypto
+LDLIBS = -L/mingw/lib -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lm -lreadline -lpthread -lcrypto -lgdi32
LDFLAGS = $(COMMON_FLAGS)
CFLAGS = -std=c99 -I. -I../include -I../common -I/mingw/include -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4 $(ICE_FLAGS)
LUAPLATFORM = generic
ifneq (,$(findstring MINGW,$(platform)))
-CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui -I$(QTDIR)/include/QtWidgets
+CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui -I$(QTDIR)/include/QtWidgets -I/mingw/include
QTLDLIBS = -L$(QTDIR)/lib -lQt5Core -lQt5Gui -lQt5Widgets
MOC = $(QTDIR)/bin/moc
LUAPLATFORM = mingw
cmdhfdes.c \
cmdhw.c \
cmdlf.c \
+ cmdlfawid26.c \
cmdlfio.c \
cmdlfhid.c \
cmdlfem4x.c \
#include "cmdmain.h"
#include "cmddata.h"
+
static int CmdHelp(const char *Cmd);
int CmdAmp(const char *Cmd)
int n = strtol(Cmd, NULL, 0);
if (n == 0)
- n = 512;
+ n = 16000;
if (n > sizeof(got))
n = sizeof(got);
RepaintGraphWindow();
return 0;
}
+int CmdTuneSamples(const char *Cmd)
+{
+ int timeout = 0;
+ printf("\nMeasuring antenna characteristics, please wait...");
+
+ UsbCommand c = {CMD_MEASURE_ANTENNA_TUNING};
+ SendCommand(&c);
+
+ UsbCommand resp;
+ while(!WaitForResponseTimeout(CMD_MEASURED_ANTENNA_TUNING,&resp,1000)) {
+ timeout++;
+ printf(".");
+ if (timeout > 7) {
+ PrintAndLog("\nNo response from Proxmark. Aborting...");
+ return 1;
+ }
+ }
+
+ int peakv, peakf;
+ int vLf125, vLf134, vHf;
+ vLf125 = resp.arg[0] & 0xffff;
+ vLf134 = resp.arg[0] >> 16;
+ vHf = resp.arg[1] & 0xffff;;
+ peakf = resp.arg[2] & 0xffff;
+ peakv = resp.arg[2] >> 16;
+ PrintAndLog("");
+ PrintAndLog("# LF antenna: %5.2f V @ 125.00 kHz", vLf125/1000.0);
+ PrintAndLog("# LF antenna: %5.2f V @ 134.00 kHz", vLf134/1000.0);
+ PrintAndLog("# LF optimal: %5.2f V @%9.2f kHz", peakv/1000.0, 12000.0/(peakf+1));
+ PrintAndLog("# HF antenna: %5.2f V @ 13.56 MHz", vHf/1000.0);
+ if (peakv<2000)
+ PrintAndLog("# Your LF antenna is unusable.");
+ else if (peakv<10000)
+ PrintAndLog("# Your LF antenna is marginal.");
+ if (vHf<2000)
+ PrintAndLog("# Your HF antenna is unusable.");
+ else if (vHf<5000)
+ PrintAndLog("# Your HF antenna is marginal.");
+
+ for (int i = 0; i < 256; i++) {
+ GraphBuffer[i] = resp.d.asBytes[i] - 128;
+ }
+
+ PrintAndLog("Done! Divisor 89 is 134khz, 95 is 125khz.\n");
+ PrintAndLog("\n");
+ GraphTraceLen = 256;
+ ShowGraphWindow();
+
+ return 0;
+}
+
int CmdLoad(const char *Cmd)
{
- FILE *f = fopen(Cmd, "r");
- if (!f) {
- PrintAndLog("couldn't open '%s'", Cmd);
- return 0;
- }
+ char filename[FILE_PATH_SIZE] = {0x00};
+ int len = 0;
+
+ len = strlen(Cmd);
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+ memcpy(filename, Cmd, len);
+
+ FILE *f = fopen(filename, "r");
+ if (!f) {
+ PrintAndLog("couldn't open '%s'", filename);
+ return 0;
+ }
GraphTraceLen = 0;
char line[80];
// At this stage, we now have a bitstream of "01" ("1") or "10" ("0"), parse it into final decoded bitstream
// Actually, we overwrite BitStream with the new decoded bitstream, we just need to be careful
// to stop output at the final bitidx2 value, not bitidx
- for (i = 0; i < bitidx; i += 2) {
+
+ //http://www.proxmark.org/forum/viewtopic.php?id=403
+ for (i = 1; i < bitidx; i += 2) {
if ((BitStream[i] == 0) && (BitStream[i+1] == 1)) {
BitStream[bit2idx++] = 1 ^ invert;
} else if ((BitStream[i] == 1) && (BitStream[i+1] == 0)) {
BitStream[i+14],
BitStream[i+15]);
}
- return 0;
+ return bit2idx;
}
/* Modulate our data into manchester */
int CmdSave(const char *Cmd)
{
- FILE *f = fopen(Cmd, "w");
+ char filename[FILE_PATH_SIZE] = {0x00};
+ int len = 0;
+
+ len = strlen(Cmd);
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+ memcpy(filename, Cmd, len);
+
+
+ FILE *f = fopen(filename, "w");
if(!f) {
- PrintAndLog("couldn't open '%s'", Cmd);
+ PrintAndLog("couldn't open '%s'", filename);
return 0;
}
int i;
{
{"help", CmdHelp, 1, "This help"},
{"amp", CmdAmp, 1, "Amplify peaks"},
- {"askdemod", Cmdaskdemod, 1, "<0 or 1> -- Attempt to demodulate simple ASK tags"},
+ {"askdemod", Cmdaskdemod, 1, "<0|1> -- Attempt to demodulate simple ASK tags"},
{"autocorr", CmdAutoCorr, 1, "<window length> -- Autocorrelation over window"},
{"bitsamples", CmdBitsamples, 0, "Get raw samples as bitstring"},
{"bitstream", CmdBitstream, 1, "[clock rate] -- Convert waveform into a bitstream"},
{"buffclear", CmdBuffClear, 1, "Clear sample buffer and graph window"},
{"dec", CmdDec, 1, "Decimate samples"},
{"detectclock", CmdDetectClockRate, 1, "Detect clock rate"},
+ {"dirthreshold", CmdDirectionalThreshold, 1, "<thres up> <thres down> -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev."},
{"fskdemod", CmdFSKdemod, 1, "Demodulate graph window as a HID FSK"},
{"grid", CmdGrid, 1, "<x> <y> -- overlay grid on graph window, use zero value to turn off either"},
{"hexsamples", CmdHexsamples, 0, "<bytes> [<offset>] -- Dump big buffer as hex bytes"},
{"save", CmdSave, 1, "<filename> -- Save trace (from graph window)"},
{"scale", CmdScale, 1, "<int> -- Set cursor display scale"},
{"threshold", CmdThreshold, 1, "<threshold> -- Maximize/minimize every value in the graph window depending on threshold"},
+ {"tune", CmdTuneSamples, 0, "Get hw tune samples for graph window"},
{"zerocrossings", CmdZerocrossings, 1, "Count time between zero-crossings"},
- {"dirthreshold", CmdDirectionalThreshold, 1, "<thres up> <thres down> -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev."},
{NULL, NULL, 0, NULL}
};
int CmdThreshold(const char *Cmd);
int CmdDirectionalThreshold(const char *Cmd);
int CmdZerocrossings(const char *Cmd);
-
+int CmdTuneSamples(const char *Cmd);
#endif
return 0;
}
- if (param == 'f') {
- ShowWaitCycles = true;
- }
+ ShowWaitCycles = (param == 'f');
- uint8_t got[1920];
- GetFromBigBuf(got,sizeof(got),0);
+// for the time being. Need better Bigbuf handling.
+#define TRACE_SIZE 3000
+
+ uint8_t trace[TRACE_SIZE];
+ GetFromBigBuf(trace, TRACE_SIZE, 0);
WaitForResponse(CMD_ACK,NULL);
PrintAndLog("Recorded Activity");
PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
PrintAndLog("All times are in carrier periods (1/13.56Mhz)");
PrintAndLog("");
- PrintAndLog(" Start | End | Src | Data");
- PrintAndLog("-----------|-----------|-----|--------");
-
- int i = 0;
- uint32_t first_timestamp = 0;
+ PrintAndLog(" Start | End | Src | Data (! denotes parity error) | CRC ");
+ PrintAndLog("-----------|-----------|-----|-----------------------------------------------------------------------");
+
+ uint16_t tracepos = 0;
+ uint16_t duration;
+ uint16_t data_len;
+ uint16_t parity_len;
+ bool isResponse;
uint32_t timestamp;
- uint32_t EndOfTransmissionTimestamp = 0;
+ uint32_t first_timestamp;
+ uint32_t EndOfTransmissionTimestamp;
for (;;) {
- if(i >= 1900) {
- break;
- }
-
- bool isResponse;
- timestamp = *((uint32_t *)(got+i));
- if (timestamp & 0x80000000) {
- timestamp &= 0x7fffffff;
- isResponse = true;
- } else {
- isResponse = false;
- }
+
+ if(tracepos >= TRACE_SIZE) break;
+
+ timestamp = *((uint32_t *)(trace + tracepos));
+
+ // Break and stick with current result if buffer was not completely full
+ if (timestamp == 0x44444444) break;
- if(i==0) {
+ if(tracepos == 0) {
first_timestamp = timestamp;
}
- int parityBits = *((uint32_t *)(got+i+4));
-
- int len = got[i+8];
-
- if (len > 100) {
- break;
- }
- if (i + len >= 1900) {
- break;
+ tracepos += 4;
+ duration = *((uint16_t *)(trace + tracepos));
+ tracepos += 2;
+ data_len = *((uint16_t *)(trace + tracepos));
+ tracepos += 2;
+
+ isResponse = false;
+ if (data_len & 0x8000) {
+ data_len &= 0x7fff;
+ isResponse = true;
}
+
+ parity_len = (data_len-1)/8 + 1;
+
+ if (tracepos + data_len + parity_len >= TRACE_SIZE) break;
- uint8_t *frame = (got+i+9);
-
- // Break and stick with current result if buffer was not completely full
- if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break;
-
- char line[1000] = "";
- int j;
- if (len) {
- for (j = 0; j < len; j++) {
- int oddparity = 0x01;
- int k;
-
- for (k=0;k<8;k++) {
- oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
- }
+ uint8_t *frame = trace + tracepos;
+ tracepos += data_len;
+ uint8_t *parityBytes = trace + tracepos;
+ tracepos += parity_len;
+
+ char line[16][110];
+ for (int j = 0; j < data_len; j++) {
+ int oddparity = 0x01;
+ int k;
- //if((parityBits >> (len - j - 1)) & 0x01) {
- if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
- sprintf(line+(j*4), "%02x! ", frame[j]);
- } else {
- sprintf(line+(j*4), "%02x ", frame[j]);
- }
+ for (k=0;k<8;k++) {
+ oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
}
- } else {
- if (ShowWaitCycles) {
- uint32_t next_timestamp = (*((uint32_t *)(got+i+9))) & 0x7fffffff;
- sprintf(line, "fdt (Frame Delay Time): %d", (next_timestamp - timestamp));
+
+ uint8_t parityBits = parityBytes[j>>3];
+ if (isResponse && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) {
+ sprintf(line[j/16]+((j%16)*4), "%02x! ", frame[j]);
+ } else {
+ sprintf(line[j/16]+((j%16)*4), "%02x ", frame[j]);
}
}
-
- char *crc;
- crc = "";
- if (len > 2) {
+
+ char crc[5] = {0x00};
+ if (data_len > 2) {
uint8_t b1, b2;
- for (j = 0; j < (len - 1); j++) {
- // gives problems... search for the reason..
- /*if(frame[j] == 0xAA) {
- switch(frame[j+1]) {
- case 0x01:
- crc = "[1] Two drops close after each other";
- break;
- case 0x02:
- crc = "[2] Potential SOC with a drop in second half of bitperiod";
- break;
- case 0x03:
- crc = "[3] Segment Z after segment X is not possible";
- break;
- case 0x04:
- crc = "[4] Parity bit of a fully received byte was wrong";
- break;
- default:
- crc = "[?] Unknown error";
- break;
- }
- break;
- }*/
- }
-
- if (strlen(crc)==0) {
- ComputeCrc14443(CRC_14443_A, frame, len-2, &b1, &b2);
- if (b1 != frame[len-2] || b2 != frame[len-1]) {
- crc = (isResponse & (len < 6)) ? "" : " !crc";
- } else {
- crc = "";
- }
- }
- } else {
- crc = ""; // SHORT
+ ComputeCrc14443(CRC_14443_A, frame, data_len-2, &b1, &b2);
+ if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
+ sprintf(crc, (isResponse & (data_len < 6)) ? "" : "!crc");
+ }
}
-
- i += (len + 9);
-
- EndOfTransmissionTimestamp = (*((uint32_t *)(got+i))) & 0x7fffffff;
- if (!ShowWaitCycles) i += 9;
+ EndOfTransmissionTimestamp = timestamp + duration;
+ int num_lines = (data_len - 1)/16 + 1;
+
+ for (int j = 0; j < num_lines; j++) {
+ if (j == 0) {
+ PrintAndLog(" %9d | %9d | %s | %-64s| %s",
+ (timestamp - first_timestamp),
+ (EndOfTransmissionTimestamp - first_timestamp),
+ (isResponse ? "Tag" : "Rdr"),
+ line[j],
+ (j == num_lines-1)?crc:""
+ );
+ } else {
+ PrintAndLog(" | | | %-64s| %s",
+ line[j],
+ (j == num_lines-1)?crc:"");
+ }
+ }
+
+ bool next_isResponse = *((uint16_t *)(trace + tracepos + 6)) & 0x8000;
- PrintAndLog(" %9d | %9d | %s | %s %s",
- (timestamp - first_timestamp),
- (EndOfTransmissionTimestamp - first_timestamp),
- (len?(isResponse ? "Tag" : "Rdr"):" "),
- line, crc);
-
+ if (ShowWaitCycles && !isResponse && next_isResponse) {
+ uint32_t next_timestamp = *((uint32_t *)(trace + tracepos));
+ if (next_timestamp != 0x44444444) {
+ PrintAndLog(" %9d | %9d | %s | fdt (Frame Delay Time): %d",
+ (EndOfTransmissionTimestamp - first_timestamp),
+ (next_timestamp - first_timestamp),
+ " ",
+ (next_timestamp - EndOfTransmissionTimestamp));
+ }
+ }
}
return 0;
}
int CmdHF14AReader(const char *Cmd)
{
- UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
+ UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
SendCommand(&c);
UsbCommand resp;
WaitForResponse(CMD_ACK,&resp);
- iso14a_card_select_t *card = (iso14a_card_select_t *)resp.d.asBytes;
+ iso14a_card_select_t card;
+ memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
- if(resp.arg[0] == 0) {
+ uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
+
+ if(select_status == 0) {
PrintAndLog("iso14443a card select failed");
return 0;
}
- PrintAndLog("ATQA : %02x %02x", card->atqa[0], card->atqa[1]);
- PrintAndLog(" UID : %s", sprint_hex(card->uid, card->uidlen));
- PrintAndLog(" SAK : %02x [%d]", card->sak, resp.arg[0]);
+ PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
+ PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
+ PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
- switch (card->sak) {
+ switch (card.sak) {
case 0x00: PrintAndLog("TYPE : NXP MIFARE Ultralight | Ultralight C"); break;
+ case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
default: ;
}
- if(resp.arg[0] == 1) {
+
+
+ // try to request ATS even if tag claims not to support it
+ if (select_status == 2) {
+ uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
+ c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
+ c.arg[1] = 2;
+ c.arg[2] = 0;
+ memcpy(c.d.asBytes, rats, 2);
+ SendCommand(&c);
+ WaitForResponse(CMD_ACK,&resp);
+
+ memcpy(&card.ats, resp.d.asBytes, resp.arg[0]);
+ card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
+ }
+
+ // disconnect
+ c.arg[0] = 0;
+ c.arg[1] = 0;
+ c.arg[2] = 0;
+ SendCommand(&c);
+
+
+ if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
bool ta1 = 0, tb1 = 0, tc1 = 0;
int pos;
- PrintAndLog(" ATS : %s", sprint_hex(card->ats, card->ats_len));
- if (card->ats_len > 0) {
- PrintAndLog(" - TL : length is %d bytes", card->ats[0]);
+ if (select_status == 2) {
+ PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
}
- if (card->ats_len > 1) {
- ta1 = (card->ats[1] & 0x10) == 0x10;
- tb1 = (card->ats[1] & 0x20) == 0x20;
- tc1 = (card->ats[1] & 0x40) == 0x40;
+ PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
+ PrintAndLog(" - TL : length is %d bytes", card.ats[0]);
+ if (card.ats[0] != card.ats_len - 2) {
+ PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
+ }
+
+ if (card.ats[0] > 1) { // there is a format byte (T0)
+ ta1 = (card.ats[1] & 0x10) == 0x10;
+ tb1 = (card.ats[1] & 0x20) == 0x20;
+ tc1 = (card.ats[1] & 0x40) == 0x40;
+ int16_t fsci = card.ats[1] & 0x0f;
PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, "
- "TC1 is%s present, FSCI is %d",
+ "TC1 is%s present, FSCI is %d (FSC = %ld)",
(ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
- (card->ats[1] & 0x0f));
+ fsci,
+ fsci < 5 ? (fsci - 2) * 8 :
+ fsci < 8 ? (fsci - 3) * 32 :
+ fsci == 8 ? 256 :
+ -1
+ );
}
pos = 2;
- if (ta1 && card->ats_len > pos) {
+ if (ta1) {
char dr[16], ds[16];
dr[0] = ds[0] = '\0';
- if (card->ats[pos] & 0x10) strcat(ds, "2, ");
- if (card->ats[pos] & 0x20) strcat(ds, "4, ");
- if (card->ats[pos] & 0x40) strcat(ds, "8, ");
- if (card->ats[pos] & 0x01) strcat(dr, "2, ");
- if (card->ats[pos] & 0x02) strcat(dr, "4, ");
- if (card->ats[pos] & 0x04) strcat(dr, "8, ");
+ if (card.ats[pos] & 0x10) strcat(ds, "2, ");
+ if (card.ats[pos] & 0x20) strcat(ds, "4, ");
+ if (card.ats[pos] & 0x40) strcat(ds, "8, ");
+ if (card.ats[pos] & 0x01) strcat(dr, "2, ");
+ if (card.ats[pos] & 0x02) strcat(dr, "4, ");
+ if (card.ats[pos] & 0x04) strcat(dr, "8, ");
if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
PrintAndLog(" - TA1 : different divisors are%s supported, "
"DR: [%s], DS: [%s]",
- (card->ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
+ (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
pos++;
}
- if (tb1 && card->ats_len > pos) {
- PrintAndLog(" - TB1 : SFGI = %d, FWI = %d",
- (card->ats[pos] & 0x08),
- (card->ats[pos] & 0x80) >> 4);
+ if (tb1) {
+ uint32_t sfgi = card.ats[pos] & 0x0F;
+ uint32_t fwi = card.ats[pos] >> 4;
+ PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
+ (sfgi),
+ sfgi ? "" : "(not needed) ",
+ sfgi ? (1 << 12) << sfgi : 0,
+ fwi,
+ (1 << 12) << fwi
+ );
pos++;
}
- if (tc1 && card->ats_len > pos) {
+ if (tc1) {
PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported",
- (card->ats[pos] & 0x01) ? "" : " NOT",
- (card->ats[pos] & 0x02) ? "" : " NOT");
+ (card.ats[pos] & 0x01) ? "" : " NOT",
+ (card.ats[pos] & 0x02) ? "" : " NOT");
pos++;
}
- if (card->ats_len > pos) {
+ if (card.ats[0] > pos) {
char *tip = "";
- if (card->ats_len - pos > 7) {
- if (memcmp(card->ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
+ if (card.ats[0] - pos >= 7) {
+ if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
tip = "-> MIFARE Plus X 2K or 4K";
- } else if (memcmp(card->ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
+ } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
tip = "-> MIFARE Plus S 2K or 4K";
}
}
- PrintAndLog(" - HB : %s%s", sprint_hex(card->ats + pos, card->ats_len - pos - 2), tip);
- if (card->ats[pos] == 0xC1) {
+ PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
+ if (card.ats[pos] == 0xC1) {
PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type");
PrintAndLog(" %02x -> Length is %d bytes",
- card->ats[pos + 1], card->ats[pos + 1]);
- switch (card->ats[pos + 2] & 0xf0) {
+ card.ats[pos + 1], card.ats[pos + 1]);
+ switch (card.ats[pos + 2] & 0xf0) {
case 0x10:
PrintAndLog(" 1x -> MIFARE DESFire");
break;
PrintAndLog(" 2x -> MIFARE Plus");
break;
}
- switch (card->ats[pos + 2] & 0x0f) {
+ switch (card.ats[pos + 2] & 0x0f) {
case 0x00:
PrintAndLog(" x0 -> <1 kByte");
break;
PrintAndLog(" x0 -> 8 kByte");
break;
}
- switch (card->ats[pos + 3] & 0xf0) {
+ switch (card.ats[pos + 3] & 0xf0) {
case 0x00:
PrintAndLog(" 0x -> Engineering sample");
break;
PrintAndLog(" 2x -> Released");
break;
}
- switch (card->ats[pos + 3] & 0x0f) {
+ switch (card.ats[pos + 3] & 0x0f) {
case 0x00:
PrintAndLog(" x0 -> Generation 1");
break;
PrintAndLog(" x2 -> Generation 3");
break;
}
- switch (card->ats[pos + 4] & 0x0f) {
+ switch (card.ats[pos + 4] & 0x0f) {
case 0x00:
PrintAndLog(" x0 -> Only VCSL supported");
break;
}
}
} else {
- PrintAndLog("proprietary non iso14443a-4 card found, RATS not supported");
+ PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
}
- return resp.arg[0];
+ return select_status;
}
// Collect ISO14443 Type A UIDs
UsbCommand resp;
WaitForResponse(CMD_ACK,&resp);
- uint8_t *uid = resp.d.asBytes;
- iso14a_card_select_t *card = (iso14a_card_select_t *)(uid + 12);
+ iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
// check if command failed
if (resp.arg[0] == 0) {
PrintAndLog("Card select failed.");
} else {
- // check if UID is 4 bytes
- if ((card->atqa[1] & 0xC0) == 0) {
- PrintAndLog("%02X%02X%02X%02X",
- *uid, *(uid + 1), *(uid + 2), *(uid + 3));
- } else {
- PrintAndLog("UID longer than 4 bytes");
+ char uid_string[20];
+ for (uint16_t i = 0; i < card->uidlen; i++) {
+ sprintf(&uid_string[2*i], "%02X", card->uid[i]);
}
+ PrintAndLog("%s", uid_string);
}
}
PrintAndLog("End: %u", time(NULL));
PrintAndLog(" 2 = MIFARE Ultralight");
PrintAndLog(" 3 = MIFARE DESFIRE");
PrintAndLog(" 4 = ISO/IEC 14443-4");
+ PrintAndLog(" 5 = MIFARE TNP3XXX");
PrintAndLog("");
return 1;
}
UsbCommand resp;
char *hexout;
- if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
+ if (WaitForResponseTimeout(CMD_ACK,&resp,10000)) {
recv = resp.d.asBytes;
uint8_t iLen = iSelect ? resp.arg[1] : resp.arg[0];
PrintAndLog("received %i octets",iLen);
int CmdHF14BList(const char *Cmd)
{
- uint8_t got[960];
+ uint8_t got[TRACE_BUFFER_SIZE];
GetFromBigBuf(got,sizeof(got),0);
WaitForResponse(CMD_ACK,NULL);
int prev = -1;
for(;;) {
- if(i >= 900) {
- break;
- }
+
+ if(i >= TRACE_BUFFER_SIZE) { break; }
bool isResponse;
int timestamp = *((uint32_t *)(got+i));
if(len > 100) {
break;
}
- if(i + len >= 900) {
+ if(i + len >= TRACE_BUFFER_SIZE) {
break;
}
SendCommand(&c);
if (reply) {
- if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
+ if (WaitForResponseTimeout(CMD_ACK,&resp,10000)) {
recv = resp.d.asBytes;
PrintAndLog("received %i octets",resp.arg[0]);
if(!resp.arg[0])
SendCommand(&c);
UsbCommand resp;
- WaitForResponse(CMD_ACK,&resp);
+ WaitForResponse(CMD_ACK,&resp);
// check if command failed
if (resp.arg[0] != 0) {
size_t nonce_length = resp.arg[1];
char *nonce = (char *) malloc(2 * nonce_length + 1);
for(int j = 0; j < nonce_length; j++) {
- snprintf(nonce + (2 * j), 3, "%02X", resp.d.asBytes[j]);
+ snprintf(nonce + (2 * j), "%02X", resp.d.asBytes[j]);
}
// print nonce
- PrintAndLog("Length: %d, Nonce: %s",resp.arg[1], nonce);
+ PrintAndLog("Length: %d, Nonce: %s", nonce_length, nonce);
}
if (i < n - 1) {
sleep(d);
return 0;
}
- uint8_t got[1920];
+ uint8_t got[TRACE_BUFFER_SIZE];
GetFromBigBuf(got,sizeof(got),0);
WaitForResponse(CMD_ACK,NULL);
uint32_t EndOfTransmissionTimestamp = 0;
- for( i=0; i < 1900;)
+ for( i=0; i < TRACE_BUFFER_SIZE;)
{
//First 32 bits contain
// isResponse (1 bit)
SendCommand(&c);
return 0;
}
-
+#define NUM_CSNS 15
int CmdHFiClassSim(const char *Cmd)
{
uint8_t simType = 0;
if(simType == 2)
{
- UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,63}};
+ UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
UsbCommand resp = {0};
- uint8_t csns[64] = {
+ /*uint8_t csns[8 * NUM_CSNS] = {
0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
-
- memcpy(c.d.asBytes, csns, 64);
+*/
+
+ uint8_t csns[8*NUM_CSNS] = {
+ 0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
+ 0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
+
+ memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
SendCommand(&c);
if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
}
uint8_t num_mac_responses = resp.arg[1];
- PrintAndLog("Mac responses: %d MACs obtained (should be 8)", num_mac_responses);
+ PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses, NUM_CSNS);
- size_t datalen = 8*24;
+ size_t datalen = NUM_CSNS*24;
/*
* Now, time to dump to file. We'll use this format:
* <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
void* dump = malloc(datalen);
memset(dump,0,datalen);//<-- Need zeroes for the CC-field
uint8_t i = 0;
- for(i = 0 ; i < 8 ; i++)
+ for(i = 0 ; i < NUM_CSNS ; i++)
{
memcpy(dump+i*24, csns+i*8,8); //CSN
//8 zero bytes here...
}
+ UsbCommand resp;
+ uint8_t key_sel[8] = {0};
+ uint8_t key_sel_p[8] = { 0 };
+
+ //HACK -- Below is for testing without access to a tag
+ uint8_t fake_dummy_test = false;
+ if(fake_dummy_test)
+ {
+ uint8_t xdata[16] = {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0, //CSN from http://www.proxmark.org/forum/viewtopic.php?pid=11230#p11230
+ 0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Just a random CC. Would be good to add a real testcase here
+ memcpy(resp.d.asBytes,xdata, 16);
+ resp.arg[0] = 2;
+ }
+
+ //End hack
+
UsbCommand c = {CMD_READER_ICLASS, {0}};
c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE;
-
+ if(!fake_dummy_test)
SendCommand(&c);
- UsbCommand resp;
- uint8_t key_sel[8] = {0x00};
- uint8_t key_sel_p[8] = {0x00};
-
- if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
+
+
+ if (fake_dummy_test || WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
uint8_t isOK = resp.arg[0] & 0xff;
uint8_t * data = resp.d.asBytes;
{
if(elite)
{
-
//Get the key index (hash1)
uint8_t key_index[8] = {0};
printvar("hash1", key_index,8);
for(i = 0; i < 8 ; i++)
key_sel[i] = keytable[key_index[i]] & 0xFF;
+ PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
printvar("k_sel", key_sel,8);
//Permute from iclass format to standard format
permutekey_rev(key_sel,key_sel_p);
used_key = KEY;
}
+
+ PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
printvar("Used key",used_key,8);
diversifyKey(CSN,used_key, div_key);
+ PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
printvar("Div key", div_key, 8);
printvar("CC_NR:",CCNR,12);
doMAC(CCNR,12,div_key, MAC);
UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
memcpy(d.d.asBytes, MAC, 4);
- SendCommand(&d);
+ if(!fake_dummy_test) SendCommand(&d);
}else{
PrintAndLog("Failed to obtain CC! Aborting");
int CmdLegicLoad(const char *Cmd)
{
- FILE *f = fopen(Cmd, "r");
+ char filename[FILE_PATH_SIZE] = {0x00};
+ int len = 0;
+
+ if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
+ PrintAndLog("It loads datasamples from the file `filename`");
+ PrintAndLog("Usage: hf legic load <file name>");
+ PrintAndLog(" sample: hf legic load filename");
+ return 0;
+ }
+
+ len = strlen(Cmd);
+ if (len > FILE_PATH_SIZE) {
+ PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
+ return 0;
+ }
+ memcpy(filename, Cmd, len);
+
+ FILE *f = fopen(filename, "r");
if(!f) {
PrintAndLog("couldn't open '%s'", Cmd);
return -1;
int requested = 1024;
int offset = 0;
int delivered = 0;
- char filename[1024];
+ char filename[FILE_PATH_SIZE];
uint8_t got[1024];
sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
int remainder = requested % 8;
requested = requested + 8 - remainder;
}
-
if (offset + requested > sizeof(got)) {
PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
return 0;
SendCommand(&c);\r
\r
//flush queue\r
- while (ukbhit()) getchar();\r
+ while (ukbhit()) getchar();\r
\r
- \r
// wait cycle\r
while (true) {\r
printf(".");\r
if (isOK != 1) return 1;\r
\r
// execute original function from util nonce2key\r
- if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key))\r
- {\r
+ if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
isOK = 2;\r
PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt); \r
} else {\r
printf("------------------------------------------------------------------\n");\r
- PrintAndLog("Key found:%012"llx" \n", r_key);\r
+ PrintAndLog("Key found :%012"llx" \n", r_key);\r
\r
num_to_bytes(r_key, 6, keyBlock);\r
isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);\r
}\r
+ \r
if (!isOK) \r
- PrintAndLog("Found valid key:%012"llx, r_key);\r
+ PrintAndLog("Found valid key :%012"llx, r_key);\r
else\r
{\r
if (isOK != 2) PrintAndLog("Found invalid key. "); \r
goto start;\r
}\r
\r
+ PrintAndLog("");\r
return 0;\r
}\r
\r
return 0;\r
}\r
\r
-/* dublett finns i CMDHFMFU.C \r
-int CmdHF14AMfUWrBl(const char *Cmd)\r
-{\r
- uint8_t blockNo = 0;\r
- bool chinese_card=0;\r
- uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
- UsbCommand resp;\r
- \r
- if (strlen(Cmd)<3) {\r
- PrintAndLog("Usage: hf mf uwrbl <block number> <block data (8 hex symbols)> <w>");\r
- PrintAndLog(" sample: hf mf uwrbl 0 01020304");\r
- return 0;\r
- } \r
-\r
- blockNo = param_get8(Cmd, 0);\r
- if (param_gethex(Cmd, 1, bldata, 8)) {\r
- PrintAndLog("Block data must include 8 HEX symbols");\r
- return 1;\r
- }\r
- \r
- if (strchr(Cmd,'w') != 0) {\r
- chinese_card=1;\r
- }\r
- \r
- switch(blockNo){\r
- case 0:\r
- if (!chinese_card){\r
- PrintAndLog("Access Denied");\r
- }else{\r
- PrintAndLog("--specialblock no:%d", blockNo);\r
- PrintAndLog("--data: %s", sprint_hex(bldata, 4));\r
- UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}};\r
- memcpy(d.d.asBytes,bldata, 4);\r
- SendCommand(&d);\r
-\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- uint8_t isOK = resp.arg[0] & 0xff;\r
- PrintAndLog("isOk:%02x", isOK);\r
- } else {\r
- PrintAndLog("Command execute timeout");\r
- }\r
- }\r
- break;\r
- case 1:\r
- if (!chinese_card){\r
- PrintAndLog("Access Denied");\r
- }else{\r
- PrintAndLog("--specialblock no:%d", blockNo);\r
- PrintAndLog("--data: %s", sprint_hex(bldata, 4));\r
- UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}};\r
- memcpy(d.d.asBytes,bldata, 4);\r
- SendCommand(&d);\r
-\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- uint8_t isOK = resp.arg[0] & 0xff;\r
- PrintAndLog("isOk:%02x", isOK);\r
- } else {\r
- PrintAndLog("Command execute timeout");\r
- }\r
- }\r
- break;\r
- case 2:\r
- if (!chinese_card){\r
- PrintAndLog("Access Denied");\r
- }else{\r
- PrintAndLog("--specialblock no:%d", blockNo);\r
- PrintAndLog("--data: %s", sprint_hex(bldata, 4));\r
- UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}};\r
- memcpy(c.d.asBytes, bldata, 4);\r
- SendCommand(&c);\r
-\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- uint8_t isOK = resp.arg[0] & 0xff;\r
- PrintAndLog("isOk:%02x", isOK);\r
- } else {\r
- PrintAndLog("Command execute timeout");\r
- }\r
- }\r
- break;\r
- case 3:\r
- PrintAndLog("--specialblock no:%d", blockNo);\r
- PrintAndLog("--data: %s", sprint_hex(bldata, 4));\r
- UsbCommand d = {CMD_MIFAREU_WRITEBL, {blockNo}};\r
- memcpy(d.d.asBytes,bldata, 4);\r
- SendCommand(&d);\r
-\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- uint8_t isOK = resp.arg[0] & 0xff;\r
- PrintAndLog("isOk:%02x", isOK);\r
- } else {\r
- PrintAndLog("Command execute timeout");\r
- }\r
- break;\r
- default: \r
- PrintAndLog("--block no:%d", blockNo);\r
- PrintAndLog("--data: %s", sprint_hex(bldata, 4)); \r
- UsbCommand e = {CMD_MIFAREU_WRITEBL, {blockNo}};\r
- memcpy(e.d.asBytes,bldata, 4);\r
- SendCommand(&e);\r
-\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- uint8_t isOK = resp.arg[0] & 0xff;\r
- PrintAndLog("isOk:%02x", isOK);\r
- } else {\r
- PrintAndLog("Command execute timeout");\r
- }\r
- break;\r
- }\r
- return 0;\r
-}\r
-*/\r
int CmdHF14AMfRdBl(const char *Cmd)\r
{\r
uint8_t blockNo = 0;\r
return 0;\r
}\r
\r
-/* dublett finns i CMDHFMFU.C \r
-int CmdHF14AMfURdBl(const char *Cmd)\r
-{\r
- uint8_t blockNo = 0;\r
-\r
- if (strlen(Cmd)<1) {\r
- PrintAndLog("Usage: hf mf urdbl <block number>");\r
- PrintAndLog(" sample: hf mf urdbl 0");\r
- return 0;\r
- } \r
- \r
- blockNo = param_get8(Cmd, 0);\r
- PrintAndLog("--block no:%d", blockNo);\r
- \r
- UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};\r
- SendCommand(&c);\r
-\r
- UsbCommand resp;\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- uint8_t isOK = resp.arg[0] & 0xff;\r
- uint8_t *data = resp.d.asBytes;\r
-\r
- if (isOK)\r
- PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));\r
- else\r
- PrintAndLog("isOk:%02x", isOK);\r
- } else {\r
- PrintAndLog("Command execute timeout");\r
- }\r
-\r
- return 0;\r
-}\r
-*/\r
-\r
-/* dublett finns i CMDHFMFU.C \r
-int CmdHF14AMfURdCard(const char *Cmd)\r
-{\r
- int i;\r
- uint8_t sectorNo = 0;\r
- uint8_t *lockbytes_t=NULL;\r
- uint8_t lockbytes[2]={0,0};\r
- bool bit[16]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};\r
- \r
- uint8_t isOK = 0;\r
- uint8_t * data = NULL;\r
-\r
- if (sectorNo > 15) {\r
- PrintAndLog("Sector number must be less than 16");\r
- return 1;\r
- }\r
- PrintAndLog("Attempting to Read Ultralight... ");\r
- \r
- UsbCommand c = {CMD_MIFAREU_READCARD, {sectorNo}};\r
- SendCommand(&c);\r
-\r
- UsbCommand resp;\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- isOK = resp.arg[0] & 0xff;\r
- data = resp.d.asBytes;\r
-\r
- PrintAndLog("isOk:%02x", isOK);\r
- if (isOK) \r
- for (i = 0; i < 16; i++) {\r
- switch(i){\r
- case 2:\r
- //process lock bytes\r
- lockbytes_t=data+(i*4);\r
- lockbytes[0]=lockbytes_t[2];\r
- lockbytes[1]=lockbytes_t[3];\r
- for(int j=0; j<16; j++){\r
- bit[j]=lockbytes[j/8] & ( 1 <<(7-j%8));\r
- }\r
- //PrintAndLog("LB %02x %02x", lockbytes[0],lockbytes[1]);\r
- //PrintAndLog("LB2b %02x %02x %02x %02x %02x %02x %02x %02x",bit[8],bit[9],bit[10],bit[11],bit[12],bit[13],bit[14],bit[15]); \r
- PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4));\r
- break;\r
- case 3: \r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[4]);\r
- break;\r
- case 4:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[3]);\r
- break;\r
- case 5:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[2]);\r
- break;\r
- case 6:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[1]);\r
- break;\r
- case 7:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[0]);\r
- break;\r
- case 8:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[15]);\r
- break;\r
- case 9:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[14]);\r
- break;\r
- case 10:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[13]);\r
- break;\r
- case 11:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[12]);\r
- break;\r
- case 12:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[11]);\r
- break;\r
- case 13:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[10]);\r
- break;\r
- case 14:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[9]);\r
- break;\r
- case 15:\r
- PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[8]);\r
- break;\r
- default:\r
- PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4));\r
- break;\r
- }\r
- }\r
- } else {\r
- PrintAndLog("Command execute timeout");\r
- }\r
- return 0;\r
-}\r
-*/\r
-\r
int CmdHF14AMfRdSc(const char *Cmd)\r
{\r
int i;\r
return 0;\r
}\r
\r
-\r
uint8_t FirstBlockOfSector(uint8_t sectorNo)\r
{\r
if (sectorNo < 32) {\r
}\r
}\r
\r
-\r
uint8_t NumBlocksPerSector(uint8_t sectorNo)\r
{\r
if (sectorNo < 32) {\r
}\r
}\r
\r
-\r
int CmdHF14AMfDump(const char *Cmd)\r
{\r
uint8_t sectorNo, blockNo;\r
return 0;\r
}\r
\r
-\r
int CmdHF14AMfRestore(const char *Cmd)\r
{\r
-\r
uint8_t sectorNo,blockNo;\r
uint8_t keyType = 0;\r
- uint8_t key[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r
- uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
+ uint8_t key[6] = {0xFF};\r
+ uint8_t bldata[16] = {0x00};\r
uint8_t keyA[40][6];\r
uint8_t keyB[40][6];\r
uint8_t numSectors;\r
default: numSectors = 16;\r
} \r
\r
- if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') {\r
+ if (cmdp == 'h' || cmdp == 'H') {\r
PrintAndLog("Usage: hf mf restore [card memory]");\r
PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
PrintAndLog("");\r
PrintAndLog(" hf mf restore 4");\r
return 0;\r
}\r
-\r
- if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {\r
- PrintAndLog("Could not find file dumpdata.bin");\r
- return 1;\r
- }\r
+ \r
if ((fkeys = fopen("dumpkeys.bin","rb")) == NULL) {\r
PrintAndLog("Could not find file dumpkeys.bin");\r
return 1;\r
}\r
}\r
\r
+ fclose(fkeys);\r
+ \r
+ if ((fdump = fopen("dumpdata.bin","rb")) == NULL) {\r
+ PrintAndLog("Could not find file dumpdata.bin");\r
+ return 1;\r
+ } \r
PrintAndLog("Restoring dumpdata.bin to card");\r
\r
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
\r
if (fread(bldata, 1, 16, fdump) == 0) {\r
PrintAndLog("File reading error (dumpdata.bin).");\r
+ fclose(fdump);\r
return 2;\r
}\r
\r
}\r
\r
fclose(fdump);\r
- fclose(fkeys);\r
return 0;\r
}\r
\r
-\r
int CmdHF14AMfNested(const char *Cmd)\r
{\r
int i, j, res, iterations;\r
if (ctmp != 'A' && ctmp != 'a') \r
trgKeyType = 1;\r
} else {\r
- \r
- \r
- \r
+ \r
switch (cmdp) {\r
case '0': SectorsCnt = 05; break;\r
case '1': SectorsCnt = 16; break;\r
}\r
}\r
\r
- \r
// nested sectors\r
iterations = 0;\r
PrintAndLog("nested...");\r
bool calibrate = true;\r
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
+\r
+ if (ukbhit()) {\r
+ printf("\naborted via keyboard!\n");\r
+ free(e_sector);\r
+ return 2;\r
+ } \r
+ \r
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
PrintAndLog("-----------------------------------------------");\r
if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {\r
PrintAndLog("Nested error.\n");\r
- return 2;\r
- }\r
+ free(e_sector);\r
+ return 2; }\r
else {\r
calibrate = false;\r
}\r
}\r
fclose(fkeys);\r
}\r
- \r
+\r
free(e_sector);\r
}\r
-\r
return 0;\r
}\r
\r
-\r
int CmdHF14AMfChk(const char *Cmd)\r
{\r
if (strlen(Cmd)<3) {\r
}\r
\r
FILE * f;\r
- char filename[256]={0};\r
+ char filename[FILE_PATH_SIZE]={0};\r
char buf[13];\r
uint8_t *keyBlock = NULL, *p;\r
uint8_t stKeyBlock = 20;\r
keycnt++;\r
} else {\r
// May be a dic file\r
- if ( param_getstr(Cmd, 2 + i,filename) > 255 ) {\r
+ if ( param_getstr(Cmd, 2 + i,filename) >= FILE_PATH_SIZE ) {\r
PrintAndLog("File name too long");\r
free(keyBlock);\r
return 2;\r
}\r
\r
free(keyBlock);\r
-\r
+ PrintAndLog("");\r
return 0;\r
}\r
\r
-\r
int CmdHF14AMf1kSim(const char *Cmd)\r
{\r
uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
return 0;\r
}\r
\r
-\r
int CmdHF14AMfDbg(const char *Cmd)\r
{\r
int dbgMode = param_get32ex(Cmd, 0, 0, 10);\r
return 0;\r
}\r
\r
-\r
int CmdHF14AMfEClear(const char *Cmd)\r
{\r
if (param_getchar(Cmd, 0) == 'h') {\r
int CmdHF14AMfELoad(const char *Cmd)\r
{\r
FILE * f;\r
- char filename[20];\r
+ char filename[FILE_PATH_SIZE];\r
char *fnameptr = filename;\r
char buf[64];\r
uint8_t buf8[64];\r
- int i, len, blockNum;\r
+ int i, len, blockNum, numBlocks;\r
+ int nameParamNo = 1;\r
\r
memset(filename, 0, sizeof(filename));\r
memset(buf, 0, sizeof(buf));\r
\r
- if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
+ char ctmp = param_getchar(Cmd, 0);\r
+ \r
+ if ( ctmp == 'h' || ctmp == 0x00) {\r
PrintAndLog("It loads emul dump from the file `filename.eml`");\r
- PrintAndLog("Usage: hf mf eload <file name w/o `.eml`>");\r
+ PrintAndLog("Usage: hf mf eload [card memory] <file name w/o `.eml`>");\r
+ PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+ PrintAndLog("");\r
PrintAndLog(" sample: hf mf eload filename");\r
+ PrintAndLog(" hf mf eload 4 filename");\r
return 0;\r
} \r
\r
- len = strlen(Cmd);\r
- if (len > 14) len = 14;\r
+ switch (ctmp) {\r
+ case '0' : numBlocks = 5*4; break;\r
+ case '1' : \r
+ case '\0': numBlocks = 16*4; break;\r
+ case '2' : numBlocks = 32*4; break;\r
+ case '4' : numBlocks = 256; break;\r
+ default: {\r
+ numBlocks = 16*4;\r
+ nameParamNo = 0;\r
+ }\r
+ }\r
+\r
+ len = param_getstr(Cmd,nameParamNo,filename);\r
+ \r
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
\r
- memcpy(filename, Cmd, len);\r
fnameptr += len;\r
\r
sprintf(fnameptr, ".eml"); \r
// open file\r
f = fopen(filename, "r");\r
if (f == NULL) {\r
- PrintAndLog("File not found or locked.");\r
+ PrintAndLog("File %s not found or locked", filename);\r
return 1;\r
}\r
\r
+// for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
+// for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
+ \r
blockNum = 0;\r
while(!feof(f)){\r
memset(buf, 0, sizeof(buf));\r
+ \r
if (fgets(buf, sizeof(buf), f) == NULL) {\r
- if((blockNum == 16*4) || (blockNum == 32*4 + 8*16)) { // supports both old (1K) and new (4K) .eml files)\r
- break;\r
- }\r
+ \r
+ if (blockNum >= numBlocks) break;\r
+ \r
PrintAndLog("File reading error.");\r
fclose(f);\r
return 2;\r
}\r
+ \r
if (strlen(buf) < 32){\r
if(strlen(buf) && feof(f))\r
break;\r
PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
return 2;\r
}\r
+ \r
for (i = 0; i < 32; i += 2) {\r
sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
-// PrintAndLog("data[%02d]:%s", blockNum, sprint_hex(buf8, 16));\r
}\r
+ \r
if (mfEmlSetMem(buf8, blockNum, 1)) {\r
PrintAndLog("Cant set emul block: %3d", blockNum);\r
return 3;\r
}\r
blockNum++;\r
\r
- if (blockNum >= 32*4 + 8*16) break;\r
+ if (blockNum >= numBlocks) break;\r
}\r
fclose(f);\r
\r
- if ((blockNum != 16*4) && (blockNum != 32*4 + 8*16)) {\r
- PrintAndLog("File content error. There must be 64 or 256 blocks.");\r
+ if ((blockNum != numBlocks)) {\r
+ PrintAndLog("File content error. Got %d must be %d blocks.",blockNum, numBlocks);\r
fclose(f);\r
return 4;\r
}\r
int CmdHF14AMfESave(const char *Cmd)\r
{\r
FILE * f;\r
- char filename[20];\r
+ char filename[FILE_PATH_SIZE];\r
char * fnameptr = filename;\r
uint8_t buf[64];\r
- int i, j, len;\r
+ int i, j, len, numBlocks;\r
+ int nameParamNo = 1;\r
\r
memset(filename, 0, sizeof(filename));\r
memset(buf, 0, sizeof(buf));\r
\r
- if (param_getchar(Cmd, 0) == 'h') {\r
- PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`");\r
- PrintAndLog("Usage: hf mf esave [file name w/o `.eml`]");\r
+ char ctmp = param_getchar(Cmd, 0);\r
+ \r
+ if ( ctmp == 'h') {\r
+ PrintAndLog("It saves emul dump into the file `filename.eml` or `cardID.eml`"); \r
+ PrintAndLog(" Usage: hf mf esave [card memory] [file name w/o `.eml`]");\r
+ PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+ PrintAndLog("");\r
PrintAndLog(" sample: hf mf esave ");\r
- PrintAndLog(" hf mf esave filename");\r
+ PrintAndLog(" hf mf esave 4");\r
+ PrintAndLog(" hf mf esave 4 filename");\r
return 0;\r
} \r
+ \r
+ switch (ctmp) {\r
+ case '0' : numBlocks = 5*4; break;\r
+ case '1' : \r
+ case '\0': numBlocks = 16*4; break;\r
+ case '2' : numBlocks = 32*4; break;\r
+ case '4' : numBlocks = 256; break;\r
+ default: {\r
+ numBlocks = 16*4;\r
+ nameParamNo = 0;\r
+ }\r
+ }\r
\r
- len = strlen(Cmd);\r
- if (len > 14) len = 14;\r
+ len = param_getstr(Cmd,nameParamNo,filename);\r
+ \r
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
\r
+ // user supplied filename?\r
if (len < 1) {\r
- // get filename\r
+ // get filename (UID from memory)\r
if (mfEmlGetMem(buf, 0, 1)) {\r
- PrintAndLog("Cant get block: %d", 0);\r
- return 1;\r
+ PrintAndLog("Can\'t get UID from block: %d", 0);\r
+ sprintf(filename, "dump.eml"); \r
}\r
for (j = 0; j < 7; j++, fnameptr += 2)\r
- sprintf(fnameptr, "%02x", buf[j]); \r
+ sprintf(fnameptr, "%02X", buf[j]); \r
} else {\r
- memcpy(filename, Cmd, len);\r
fnameptr += len;\r
}\r
\r
+ // add file extension\r
sprintf(fnameptr, ".eml"); \r
\r
// open file\r
f = fopen(filename, "w+");\r
\r
// put hex\r
- for (i = 0; i < 32*4 + 8*16; i++) {\r
+ for (i = 0; i < numBlocks; i++) {\r
if (mfEmlGetMem(buf, i, 1)) {\r
PrintAndLog("Cant get block: %d", i);\r
break;\r
}\r
for (j = 0; j < 16; j++)\r
- fprintf(f, "%02x", buf[j]); \r
+ fprintf(f, "%02X", buf[j]); \r
fprintf(f,"\n");\r
}\r
fclose(f);\r
\r
- PrintAndLog("Saved to file: %s", filename);\r
+ PrintAndLog("Saved %d blocks to file: %s", numBlocks, filename);\r
\r
return 0;\r
}\r
int CmdHF14AMfEKeyPrn(const char *Cmd)\r
{\r
int i;\r
+ uint8_t numSectors;\r
uint8_t data[16];\r
uint64_t keyA, keyB;\r
\r
+ if (param_getchar(Cmd, 0) == 'h') {\r
+ PrintAndLog("It prints the keys loaded in the emulator memory");\r
+ PrintAndLog("Usage: hf mf ekeyprn [card memory]");\r
+ PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+ PrintAndLog("");\r
+ PrintAndLog(" sample: hf mf ekeyprn 1");\r
+ return 0;\r
+ } \r
+\r
+ char cmdp = param_getchar(Cmd, 0);\r
+ \r
+ switch (cmdp) {\r
+ case '0' : numSectors = 5; break;\r
+ case '1' : \r
+ case '\0': numSectors = 16; break;\r
+ case '2' : numSectors = 32; break;\r
+ case '4' : numSectors = 40; break;\r
+ default: numSectors = 16;\r
+ } \r
+ \r
PrintAndLog("|---|----------------|----------------|");\r
PrintAndLog("|sec|key A |key B |");\r
PrintAndLog("|---|----------------|----------------|");\r
- for (i = 0; i < 40; i++) {\r
+ for (i = 0; i < numSectors; i++) {\r
if (mfEmlGetMem(data, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1)) {\r
PrintAndLog("error get block %d", FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);\r
break;\r
int CmdHF14AMfCLoad(const char *Cmd)\r
{\r
FILE * f;\r
- char filename[20];\r
+ char filename[FILE_PATH_SIZE];\r
char * fnameptr = filename;\r
char buf[64];\r
uint8_t buf8[64];\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > 14) len = 14;\r
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
\r
memcpy(filename, Cmd, len);\r
fnameptr += len;\r
int CmdHF14AMfCSave(const char *Cmd) {\r
\r
FILE * f;\r
- char filename[20];\r
+ char filename[FILE_PATH_SIZE];\r
char * fnameptr = filename;\r
uint8_t fillFromEmulator = 0;\r
uint8_t buf[64];\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > 14) len = 14;\r
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
\r
if (len < 1) {\r
// get filename\r
\r
\r
int CmdHF14AMfSniff(const char *Cmd){\r
- // params\r
+\r
bool wantLogToFile = 0;\r
bool wantDecrypt = 0;\r
//bool wantSaveToEml = 0; TODO\r
uint8_t atqa[2];\r
uint8_t sak;\r
bool isTag;\r
- uint32_t parity;\r
uint8_t buf[3000];\r
uint8_t * bufPtr = buf;\r
memset(buf, 0x00, 3000);\r
PrintAndLog(" l - save encrypted sequence to logfile `uid.log`");\r
PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`");\r
PrintAndLog(" n/a e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory");\r
- PrintAndLog(" r - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");\r
- PrintAndLog("Usage: hf mf sniff [l][d][e][r]");\r
+ PrintAndLog(" f - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");\r
+ PrintAndLog("Usage: hf mf sniff [l][d][e][f]");\r
PrintAndLog(" sample: hf mf sniff l d e");\r
return 0;\r
} \r
printf(">\n");\r
PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);\r
num = 0;\r
- while (bufPtr - buf + 9 < blockLen) {\r
- isTag = bufPtr[3] & 0x80 ? true:false;\r
- bufPtr += 4;\r
- parity = *((uint32_t *)(bufPtr));\r
- bufPtr += 4;\r
- len = bufPtr[0];\r
- bufPtr++;\r
- if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff)) {\r
+ while (bufPtr - buf < blockLen) {\r
+ bufPtr += 6;\r
+ len = *((uint16_t *)bufPtr);\r
+\r
+ if(len & 0x8000) {\r
+ isTag = true;\r
+ len &= 0x7fff;\r
+ } else {\r
+ isTag = false;\r
+ }\r
+ bufPtr += 2;\r
+ if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {\r
+ \r
memcpy(uid, bufPtr + 2, 7);\r
memcpy(atqa, bufPtr + 2 + 7, 2);\r
uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;\r
if (wantLogToFile) \r
AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
if (wantDecrypt) \r
- mfTraceDecode(bufPtr, len, parity, wantSaveToEmlFile);\r
+ mfTraceDecode(bufPtr, len, wantSaveToEmlFile);\r
}\r
bufPtr += len;\r
+ bufPtr += ((len-1)/8+1); // ignore parity\r
num++;\r
}\r
}\r
return -1;\r
}\r
\r
-\r
-\r
-\r
static command_t CommandTable[] =\r
{\r
{"help", CmdHelp, 1, "This help"},\r
uint8_t CMDPOS = 0;
uint8_t LENPOS = 1;
-uint8_t key_zero_data[16] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
+uint8_t key_zero_data[16] = { 0x00 };
+uint8_t key_ones_data[16] = { 0x01 };
uint8_t key_defa_data[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f };
-uint8_t key_ones_data[16] = { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 };
uint8_t key_picc_data[16] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f };
static int CmdHelp(const char *Cmd);
return 1;
}
-int CmdHF14ADesNonces(const char *Cmd){
- return 1;
-}
-
-//
// MIAFRE DesFire Authentication
//
#define BUFSIZE 256
{"wb", CmdHF14ADesWb, 0, "write MIFARE DesFire block"},
{"info", CmdHF14ADesInfo, 0, "Get MIFARE DesFire information"},
{"enum", CmdHF14ADesEnumApplications,0, "Tries enumerate all applications"},
- {"nonce", CmdHF14ADesNonces, 0, "<n> Collect n>0 nonces"},
{NULL, NULL, 0, NULL}
};
int CmdHF14ADesWb(const char* cmd);
int CmdHF14ADesInfo(const char *Cmd);
int CmdHF14ADesEnumApplications(const char *Cmd);
-int CmdHF14ADesNonces(const char *Cmd);
+
char * GetCardSizeStr( uint8_t fsize );
char * GetVendorStr( uint8_t id);
char * GetProtocolStr(uint8_t id);
if (isOK)
PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
else
- PrintAndLog("isOk:%02x", isOK);
- } else {
- PrintAndLog("Command execute timeout");
+ PrintAndLog("isOk:%02x", isOK);
}
+ else {
+ PrintAndLog("Command execute timeout");
+ }
return 0;
}
int CmdHF14AMfURdCard(const char *Cmd){
int i;
uint8_t BlockNo = 0;
- int Pages=16;
+ int pages=16;
uint8_t *lockbytes_t=NULL;
uint8_t lockbytes[2]={0x00};
bool bit[16]={0x00};
PrintAndLog("Dumping Ultralight Card Data...");
}
PrintAndLog("Attempting to Read Ultralight... ");
- UsbCommand c = {CMD_MIFAREU_READCARD, {BlockNo, Pages}};
+ UsbCommand c = {CMD_MIFAREU_READCARD, {BlockNo, pages}};
SendCommand(&c);
UsbCommand resp;
PrintAndLog(" OneTimePad :%s ", sprint_hex(data + 3*4, 4));
PrintAndLog("");
- for (i = 0; i < Pages; i++) {
+ for (i = 0; i < pages; i++) {
switch(i){
case 2:
//process lock bytes
if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
isOK = resp.arg[0] & 0xff;
data = resp.d.asBytes;
- //Pages=sizeof(data)/sizeof(data[0]);
+
PrintAndLog("isOk:%02x", isOK);
if (isOK)
for (i = 0; i < Pages; i++) {
return 1;
}
PrintAndLog("Dumping Ultralight C Card Data...");
- PrintAndLog("Attempting to Read Ultralight C... ");
+ PrintAndLog("Attempting to Read Ultralight C... ");
UsbCommand c = {CMD_MIFAREU_READCARD, {BlockNo,Pages}};
SendCommand(&c);
UsbCommand resp;
//------------------------------------
static command_t CommandTable[] =
{
- {"help", CmdHelp, 1,"This help"},
+ {"help", CmdHelp, 1,"This help"},
{"dbg", CmdHF14AMfDbg, 0,"Set default debug mode"},
- {"urdbl", CmdHF14AMfURdBl, 0,"Read MIFARE Ultralight block"},
- {"urdcard", CmdHF14AMfURdCard, 0,"Read MIFARE Ultralight Card"},
+ {"urdbl", CmdHF14AMfURdBl, 0,"Read MIFARE Ultralight block"},
+ {"urdcard", CmdHF14AMfURdCard, 0,"Read MIFARE Ultralight Card"},
{"udump", CmdHF14AMfUDump, 0,"Dump MIFARE Ultralight tag to binary file"},
{"uwrbl", CmdHF14AMfUWrBl, 0,"Write MIFARE Ultralight block"},
- {"ucrdbl", CmdHF14AMfUCRdBl, 0,"Read MIFARE Ultralight C block"},
- {"ucrdcard",CmdHF14AMfUCRdCard, 0,"Read MIFARE Ultralight C Card"},
+ {"ucrdbl", CmdHF14AMfUCRdBl, 0,"Read MIFARE Ultralight C block"},
+ {"ucrdcard",CmdHF14AMfUCRdCard, 0,"Read MIFARE Ultralight C Card"},
{"ucdump", CmdHF14AMfUCDump, 0,"Dump MIFARE Ultralight C tag to binary file"},
{"ucwrbl", CmdHF14AMfUCWrBl, 0,"Write MIFARE Ultralight C block"},
{"auth", CmdHF14AMfucAuth, 0,"Ultralight C Authentication"},
};
int CmdHFMFUltra(const char *Cmd){
- // flush
WaitForResponseTimeout(CMD_ACK,NULL,100);
CmdsParse(CommandTable, Cmd);
return 0;
#include "ui.h"
#include "proxmark3.h"
#include "cmdparser.h"
+#include "cmddata.h"
#include "cmdhw.h"
#include "cmdmain.h"
int CmdTune(const char *Cmd)
{
- UsbCommand c = {CMD_MEASURE_ANTENNA_TUNING};
- SendCommand(&c);
- return 0;
+ return CmdTuneSamples(Cmd);
}
int CmdVersion(const char *Cmd)
#include "cmdmain.h"
#include "cmddata.h"
#include "cmdlf.h"
+#include "cmdlfawid26.h"
#include "cmdlfhid.h"
#include "cmdlfti.h"
#include "cmdlfem4x.h"
PrintAndLog("UID=%s (%x%08x%08x%08x%08x%08x%08x)", showbits, uid1, uid2, uid3, uid4, uid5, uid6, uid7);
}
- // Checking UID against next occurences
+ // Checking UID against next occurrences
for (; i + uidlen <= rawbit;) {
int failed = 0;
for (bit = 0; bit < uidlen; bit++) {
}
times += 1;
}
- PrintAndLog("Occurences: %d (expected %d)", times, (rawbit - start) / uidlen);
+ PrintAndLog("Occurrences: %d (expected %d)", times, (rawbit - start) / uidlen);
// Remodulating for tag cloning
GraphTraceLen = 32*uidlen;
int CmdLFSim(const char *Cmd)
{
- int i;
+ int i,j;
+
static int gap;
sscanf(Cmd, "%i", &gap);
/* convert to bitstream if necessary */
ChkBitstream(Cmd);
- PrintAndLog("Sending [%d bytes]", GraphTraceLen);
+ printf("Sending [%d bytes]", GraphTraceLen);
for (i = 0; i < GraphTraceLen; i += USB_CMD_DATA_SIZE) {
UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {i, 0, 0}};
- int j;
+
for (j = 0; j < USB_CMD_DATA_SIZE; j++) {
c.d.asBytes[j] = GraphBuffer[i+j];
}
{"flexdemod", CmdFlexdemod, 1, "Demodulate samples for FlexPass"},
{"indalademod", CmdIndalaDemod, 1, "['224'] -- Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)"},
- {"indalaclone", CmdIndalaClone, 1, "<UID> ['l']-- Clone Indala to T55x7 (UID in HEX)(option 'l' for 224 UID"},
+ {"indalaclone", CmdIndalaClone, 0, "<UID> ['l']-- Clone Indala to T55x7 (UID in HEX)(option 'l' for 224 UID"},
{"vchdemod", CmdVchDemod, 1, "['clone'] -- Demodulate samples for VeriChip"},
{"simman", CmdLFSimManchester, 0, "<Clock> <Bitstream> [GAP] Simulate arbitrary Manchester LF tag"},
{"snoop", CmdLFSnoop, 0, "['l'|'h'|<divisor>] [trigger threshold]-- Snoop LF (l:125khz, h:134khz)"},
+ {"avid", CmdLFAWID26, 1, "{ AWID26 tags }"},
{"em4x", CmdLFEM4X, 1, "{ EM4X tags }"},
{"hid", CmdLFHID, 1, "{ HID tags }"},
{"hitag", CmdLFHitag, 1, "{ Hitag tags and transponders }"},
--- /dev/null
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency AWID26 commands
+//-----------------------------------------------------------------------------
+
+#include <stdio.h>
+#include <string.h>
+#include <inttypes.h>
+#include "proxmark3.h"
+#include "ui.h"
+#include "graph.h"
+#include "cmdmain.h"
+#include "cmdparser.h"
+#include "cmddata.h"
+#include "cmdlf.h"
+#include "cmdlfawid26.h"
+#include "util.h"
+#include "data.h"
+
+
+static int CmdHelp(const char *Cmd);
+
+int CmdClone(const char *Cmd)
+{
+ char cmdp = param_getchar(Cmd, 0);
+
+ if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') {
+ PrintAndLog("Usage: lf awid26 write []");
+ PrintAndLog(" [], ");
+ PrintAndLog("");
+ PrintAndLog(" sample: lf awid26 write 26 2233");
+ PrintAndLog(" : lf awid26 write 26 15 2233");
+ return 0;
+ }
+
+ //sscanf(Cmd, "%d %d", &facilitycode, &cardno);
+
+ // char block0 = "00107060";
+ // char block1 = "00107060";
+ // char block2 = "00107060";
+ // char block3 = "00107060";
+
+
+
+ // PrintAndLog("Writing block %d with data %08X", Block, Data);
+ return 0;
+}
+
+// int CmdReadTrace(const char *Cmd)
+// {
+
+ // uint8_t bits[LF_BITSSTREAM_LEN] = {0x00};
+ // uint8_t * bitstream = bits;
+
+ // uint8_t si = 5;
+ // uint32_t bl0 = PackBits(si, 32, bitstream);
+ // uint32_t bl1 = PackBits(si+32, 32, bitstream);
+
+ // uint32_t acl = PackBits(si, 8, bitstream); si += 8;
+ // uint32_t mfc = PackBits(si, 8, bitstream); si += 8;
+ // uint32_t cid = PackBits(si, 5, bitstream); si += 5;
+ // uint32_t icr = PackBits(si, 3, bitstream); si += 3;
+ // uint32_t year = PackBits(si, 4, bitstream); si += 4;
+ // uint32_t quarter = PackBits(si, 2, bitstream); si += 2;
+ // uint32_t lotid = PackBits(si, 12, bitstream); si += 12;
+ // uint32_t wafer = PackBits(si, 5, bitstream); si += 5;
+ // uint32_t dw = PackBits(si, 15, bitstream);
+
+ // PrintAndLog("");
+ // PrintAndLog("-- T55xx Trace Information ----------------------------------");
+ // PrintAndLog("-------------------------------------------------------------");
+ // PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", acl, acl);
+ // PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d)", mfc, mfc);
+ // PrintAndLog(" CID : 0x%02X (%d)", cid, cid);
+ // PrintAndLog(" ICR IC Revision : %d",icr );
+
+
+ // return 0;
+// }
+
+static command_t CommandTable[] =
+{
+ {"help", CmdHelp, 1, "This help"},
+ {"clone", CmdClone, 0, "<facility> <id> -- clone to a t55xx tag"},
+ {NULL, NULL, 0, NULL}
+};
+
+int CmdLFAWID26(const char *Cmd)
+{
+ CmdsParse(CommandTable, Cmd);
+ return 0;
+}
+
+int CmdHelp(const char *Cmd)
+{
+ CmdsHelp(CommandTable);
+ return 0;
+}
--- /dev/null
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency AWID 26 commands
+//-----------------------------------------------------------------------------
+
+#ifndef CMDLFAWID26_H__
+#define CMDLFAWID26_H__
+
+int CmdLFAWID26(const char *Cmd);
+
+int CmdClone(const char *Cmd);
+#endif
PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i);
/* Start back rows * 5 + 9 header bits, -1 to not start at same place */
- i -= 9 + (5 * rows) -2;
+ i -= 9 + (5 * rows) -5;
rows = header = 0;
}
*/
int CmdEM410xSim(const char *Cmd)
{
- int i, n, j, h, binary[4], parity[4];
+ int i, n, j, binary[4], parity[4];
char cmdp = param_getchar(Cmd, 0);
uint8_t uid[5] = {0x00};
if (cmdp == 'h' || cmdp == 'H') {
- PrintAndLog("Usage: lf em4x sim <UID>");
+ PrintAndLog("Usage: lf em4x 410xsim <UID>");
PrintAndLog("");
- PrintAndLog(" sample: lf em4x sim 0F0368568B");
+ PrintAndLog(" sample: lf em4x 410xsim 0F0368568B");
return 0;
}
int clock = 64;
/* clear our graph */
- ClearGraph(1);
+ ClearGraph(0);
- /* write it out a few times */
- for (h = 0; h < 4; h++)
- {
/* write 9 start bits */
for (i = 0; i < 9; i++)
AppendGraph(0, clock, 1);
AppendGraph(0, clock, parity[2]);
AppendGraph(0, clock, parity[3]);
- /* stop bit */
- AppendGraph(0, clock, 0);
- }
-
- /* modulate that biatch */
- CmdManchesterMod("64");
-
- /* booyah! */
- RepaintGraphWindow();
-
- CmdLFSim("");
+ /* stop bit */
+ AppendGraph(1, clock, 0);
+
+ CmdLFSim("240"); //240 start_gap.
return 0;
}
}
CmdLFRead(read_h ? "h" : "");
- CmdSamples("16000");
+ CmdSamples("6000");
} while (
!CmdEM410xRead("")
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
+
{"410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"},
{"410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
+ {"replay", MWRem4xReplay, 0, "Watches for tag and simulates manchester encoded em4x tag"},
{"410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
{"410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
{"410xwrite", CmdEM410xWrite, 1, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
{NULL, NULL, 0, NULL}
};
+
+//Confirms the parity of a bitstream as well as obtaining the data (TagID) from within the appropriate memory space.
+//Arguments:
+// Pointer to a string containing the desired bitsream
+// Pointer to a string that will receive the decoded tag ID
+// Length of the bitsream pointed at in the first argument, char* _strBitStream
+//Retuns:
+//1 Parity confirmed
+//0 Parity not confirmed
+int ConfirmEm410xTagParity( char* _strBitStream, char* pID, int LengthOfBitstream )
+{
+ int i = 0;
+ int rows = 0;
+ int Parity[4] = {0x00};
+ char ID[11] = {0x00};
+ int k = 0;
+ int BitStream[70] = {0x00};
+ int counter = 0;
+ //prepare variables
+ for ( i = 0; i <= LengthOfBitstream; i++)
+ {
+ if (_strBitStream[i] == '1')
+ {
+ k =1;
+ memcpy(&BitStream[i], &k,4);
+ }
+ else if (_strBitStream[i] == '0')
+ {
+ k = 0;
+ memcpy(&BitStream[i], &k,4);
+ }
+ }
+ while ( counter < 2 )
+ {
+ //set/reset variables and counters
+ memset(ID,0x00,sizeof(ID));
+ memset(Parity,0x00,sizeof(Parity));
+ rows = 0;
+ for ( i = 9; i <= LengthOfBitstream; i++)
+ {
+ if ( rows < 10 )
+ {
+ if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4])
+ {
+ sprintf(ID+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3]));
+ rows++;
+ /* Keep parity info and move four bits ahead*/
+ Parity[0] ^= BitStream[i];
+ Parity[1] ^= BitStream[i+1];
+ Parity[2] ^= BitStream[i+2];
+ Parity[3] ^= BitStream[i+3];
+ i += 4;
+ }
+ }
+ if ( rows == 10 )
+ {
+ if ( BitStream[i] == Parity[0] && BitStream[i+1] == Parity[1] &&
+ BitStream[i+2] == Parity[2] && BitStream[i+3] == Parity[3] &&
+ BitStream[i+4] == 0)
+ {
+ memcpy(pID,ID,strlen(ID));
+ return 1;
+ }
+ }
+ }
+ printf("[PARITY ->]Failed. Flipping Bits, and rechecking parity for bitstream:\n[PARITY ->]");
+ for (k = 0; k < LengthOfBitstream; k++)
+ {
+ BitStream[k] ^= 1;
+ printf("%i", BitStream[k]);
+ }
+ puts(" ");
+ counter++;
+ }
+ return 0;
+}
+//Reads and demodulates an em410x RFID tag. It further allows slight modification to the decoded bitstream
+//Once a suitable bitstream has been identified, and if needed, modified, it is replayed. Allowing emulation of the
+//"stolen" rfid tag.
+//No meaningful returns or arguments.
+int MWRem4xReplay(const char* Cmd)
+{
+ // //header traces
+ // static char ArrayTraceZero[] = { '0','0','0','0','0','0','0','0','0' };
+ // static char ArrayTraceOne[] = { '1','1','1','1','1','1','1','1','1' };
+ // //local string variables
+ // char strClockRate[10] = {0x00};
+ // char strAnswer[4] = {0x00};
+ // char strTempBufferMini[2] = {0x00};
+ // //our outbound bit-stream
+ // char strSimulateBitStream[65] = {0x00};
+ // //integers
+ // int iClockRate = 0;
+ // int needle = 0;
+ // int j = 0;
+ // int iFirstHeaderOffset = 0x00000000;
+ // int numManchesterDemodBits=0;
+ // //boolean values
+ // bool bInverted = false;
+ // //pointers to strings. memory will be allocated.
+ // char* pstrInvertBitStream = 0x00000000;
+ // char* pTempBuffer = 0x00000000;
+ // char* pID = 0x00000000;
+ // char* strBitStreamBuffer = 0x00000000;
+
+
+ // puts("###################################");
+ // puts("#### Em4x Replay ##");
+ // puts("#### R.A.M. June 2013 ##");
+ // puts("###################################");
+ // //initialize
+ // CmdLFRead("");
+ // //Collect ourselves 10,000 samples
+ // CmdSamples("10000");
+ // puts("[->]preforming ASK demodulation\n");
+ // //demodulate ask
+ // Cmdaskdemod("0");
+ // iClockRate = DetectClock(0);
+ // sprintf(strClockRate, "%i\n",iClockRate);
+ // printf("[->]Detected ClockRate: %s\n", strClockRate);
+
+ // //If detected clock rate is something completely unreasonable, dont go ahead
+ // if ( iClockRate < 0xFFFE )
+ // {
+ // pTempBuffer = (char*)malloc(MAX_GRAPH_TRACE_LEN);
+ // if (pTempBuffer == 0x00000000)
+ // return 0;
+ // memset(pTempBuffer,0x00,MAX_GRAPH_TRACE_LEN);
+ // //Preform manchester de-modulation and display in a single line.
+ // numManchesterDemodBits = CmdManchesterDemod( strClockRate );
+ // //note: numManchesterDemodBits is set above in CmdManchesterDemod()
+ // if ( numManchesterDemodBits == 0 )
+ // return 0;
+ // strBitStreamBuffer = malloc(numManchesterDemodBits+1);
+ // if ( strBitStreamBuffer == 0x00000000 )
+ // return 0;
+ // memset(strBitStreamBuffer, 0x00, (numManchesterDemodBits+1));
+ // //fill strBitStreamBuffer with demodulated, string formatted bits.
+ // for ( j = 0; j <= numManchesterDemodBits; j++ )
+ // {
+ // sprintf(strTempBufferMini, "%i",BitStream[j]);
+ // strcat(strBitStreamBuffer,strTempBufferMini);
+ // }
+ // printf("[->]Demodulated Bitstream: \n%s\n", strBitStreamBuffer);
+ // //Reset counter and select most probable bit stream
+ // j = 0;
+ // while ( j < numManchesterDemodBits )
+ // {
+ // memset(strSimulateBitStream,0x00,64);
+ // //search for header of nine (9) 0's : 000000000 or nine (9) 1's : 1111 1111 1
+ // if ( ( strncmp(strBitStreamBuffer+j, ArrayTraceZero, sizeof(ArrayTraceZero)) == 0 ) ||
+ // ( strncmp(strBitStreamBuffer+j, ArrayTraceOne, sizeof(ArrayTraceOne)) == 0 ) )
+ // {
+ // iFirstHeaderOffset = j;
+ // memcpy(strSimulateBitStream, strBitStreamBuffer+j,64);
+ // printf("[->]Offset of Header");
+ // if ( strncmp(strBitStreamBuffer+iFirstHeaderOffset, "0", 1) == 0 )
+ // printf("'%s'", ArrayTraceZero );
+ // else
+ // printf("'%s'", ArrayTraceOne );
+ // printf(": %i\nHighlighted string : %s\n",iFirstHeaderOffset,strSimulateBitStream);
+ // //allow us to escape loop or choose another frame
+ // puts("[<-]Are we happy with this sample? [Y]es/[N]o");
+ // gets(strAnswer);
+ // if ( ( strncmp(strAnswer,"y",1) == 0 ) || ( strncmp(strAnswer,"Y",1) == 0 ) )
+ // {
+ // j = numManchesterDemodBits+1;
+ // break;
+ // }
+ // }
+ // j++;
+ // }
+ // }
+ // else return 0;
+
+ // //Do we want the buffer inverted?
+ // memset(strAnswer, 0x00, sizeof(strAnswer));
+ // printf("[<-]Do you wish to invert the highlighted bitstream? [Y]es/[N]o\n");
+ // gets(strAnswer);
+ // if ( ( strncmp("y", strAnswer,1) == 0 ) || ( strncmp("Y", strAnswer, 1 ) == 0 ) )
+ // {
+ // //allocate heap memory
+ // pstrInvertBitStream = (char*)malloc(numManchesterDemodBits);
+ // if ( pstrInvertBitStream != 0x00000000 )
+ // {
+ // memset(pstrInvertBitStream,0x00,numManchesterDemodBits);
+ // bInverted = true;
+ // //Invert Bitstream
+ // for ( needle = 0; needle <= numManchesterDemodBits; needle++ )
+ // {
+ // if (strSimulateBitStream[needle] == '0')
+ // strcat(pstrInvertBitStream,"1");
+ // else if (strSimulateBitStream[needle] == '1')
+ // strcat(pstrInvertBitStream,"0");
+ // }
+ // printf("[->]Inverted bitstream: %s\n", pstrInvertBitStream);
+ // }
+ // }
+ // //Confirm parity of selected string
+ // pID = (char*)malloc(11);
+ // if (pID != 0x00000000)
+ // {
+ // memset(pID, 0x00, 11);
+ // if (ConfirmEm410xTagParity(strSimulateBitStream,pID, 64) == 1)
+ // {
+ // printf("[->]Parity confirmed for selected bitstream!\n");
+ // printf("[->]Tag ID was detected as: [hex]:%s\n",pID );
+ // }
+ // else
+ // printf("[->]Parity check failed for the selected bitstream!\n");
+ // }
+
+ // //Spoof
+ // memset(strAnswer, 0x00, sizeof(strAnswer));
+ // printf("[<-]Do you wish to continue with the EM4x simulation? [Y]es/[N]o\n");
+ // gets(strAnswer);
+ // if ( ( strncmp(strAnswer,"y",1) == 0 ) || ( strncmp(strAnswer,"Y",1) == 0 ) )
+ // {
+ // strcat(pTempBuffer, strClockRate);
+ // strcat(pTempBuffer, " ");
+ // if (bInverted == true)
+ // strcat(pTempBuffer,pstrInvertBitStream);
+ // if (bInverted == false)
+ // strcat(pTempBuffer,strSimulateBitStream);
+ // //inform the user
+ // puts("[->]Starting simulation now: \n");
+ // //Simulate tag with prepared buffer.
+ // CmdLFSimManchester(pTempBuffer);
+ // }
+ // else if ( ( strcmp("n", strAnswer) == 0 ) || ( strcmp("N", strAnswer ) == 0 ) )
+ // printf("[->]Exiting procedure now...\n");
+ // else
+ // printf("[->]Erroneous selection\nExiting procedure now....\n");
+
+ // //Clean up -- Exit function
+ // //clear memory, then release pointer.
+ // if ( pstrInvertBitStream != 0x00000000 )
+ // {
+ // memset(pstrInvertBitStream,0x00,numManchesterDemodBits);
+ // free(pstrInvertBitStream);
+ // }
+ // if ( pTempBuffer != 0x00000000 )
+ // {
+ // memset(pTempBuffer,0x00,MAX_GRAPH_TRACE_LEN);
+ // free(pTempBuffer);
+ // }
+ // if ( pID != 0x00000000 )
+ // {
+ // memset(pID,0x00,11);
+ // free(pID);
+ // }
+ // if ( strBitStreamBuffer != 0x00000000 )
+ // {
+ // memset(strBitStreamBuffer,0x00,numManchesterDemodBits);
+ // free(strBitStreamBuffer);
+ // }
+ return 0;
+}
+
int CmdLFEM4X(const char *Cmd)
{
CmdsParse(CommandTable, Cmd);
int CmdReadWordPWD(const char *Cmd);
int CmdWriteWord(const char *Cmd);
int CmdWriteWordPWD(const char *Cmd);
+int MWRem4xReplay(const char* Cmd);
#endif
int CmdHIDDemodFSK(const char *Cmd)
{
- UsbCommand c={CMD_HID_DEMOD_FSK};
- SendCommand(&c);
- return 0;
+ int findone = 0;
+ if(Cmd[0]=='1') findone=1;
+ UsbCommand c = {CMD_HID_DEMOD_FSK};
+ c.arg[0]=findone;
+ SendCommand(&c);
+ return 0;
}
int CmdHIDSim(const char *Cmd)
{
{"help", CmdHelp, 1, "This help"},
{"demod", CmdHIDDemod, 1, "Demodulate HID Prox Card II (not optimal)"},
- {"fskdemod", CmdHIDDemodFSK, 1, "Realtime HID FSK demodulator"},
- {"sim", CmdHIDSim, 1, "<ID> -- HID tag simulator"},
- {"clone", CmdHIDClone, 1, "<ID> ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)"},
+ {"fskdemod", CmdHIDDemodFSK, 0, "['1'] Realtime HID FSK demodulator (option '1' for one tag only)"},
+ {"sim", CmdHIDSim, 0, "<ID> -- HID tag simulator"},
+ {"clone", CmdHIDClone, 0, "<ID> ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)"},
{NULL, NULL, 0, NULL}
};
int CmdLFHitagList(const char *Cmd)
{
- uint8_t got[3000];
+ uint8_t got[TRACE_BUFFER_SIZE];
GetFromBigBuf(got,sizeof(got),0);
WaitForResponse(CMD_ACK,NULL);
int i = 0;
int prev = -1;
+ int len = strlen(Cmd);
- char filename[256];
+ char filename[FILE_PATH_SIZE] = { 0x00 };
FILE* pf = NULL;
+
+ if (len > FILE_PATH_SIZE)
+ len = FILE_PATH_SIZE;
+ memcpy(filename, Cmd, len);
+
+ if (strlen(filename) > 0) {
+ if ((pf = fopen(filename,"wb")) == NULL) {
+ PrintAndLog("Error: Could not open file [%s]",filename);
+ return 1;
+ }
+ }
for (;;) {
- if(i >= 1900) {
- break;
- }
+
+ if(i >= TRACE_BUFFER_SIZE) { break; }
bool isResponse;
int timestamp = *((uint32_t *)(got+i));
if (len > 100) {
break;
}
- if (i + len >= 1900) {
- break;
- }
+ if (i + len >= TRACE_BUFFER_SIZE) { break;}
uint8_t *frame = (got+i+9);
}
if (pf) {
- PrintAndLog("Recorded activity succesfully written to file: %s", filename);
fclose(pf);
+ PrintAndLog("Recorded activity succesfully written to file: %s", filename);
}
return 0;
}
int CmdLFHitagSim(const char *Cmd) {
- UsbCommand c = {CMD_SIMULATE_HITAG};
- char filename[256] = { 0x00 };
+
+ UsbCommand c = {CMD_SIMULATE_HITAG};
+ char filename[FILE_PATH_SIZE] = { 0x00 };
FILE* pf;
bool tag_mem_supplied;
-
- param_getstr(Cmd,0,filename);
-
+ int len = strlen(Cmd);
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+ memcpy(filename, Cmd, len);
+
if (strlen(filename) > 0) {
if ((pf = fopen(filename,"rb+")) == NULL) {
PrintAndLog("Error: Could not open file [%s]",filename);
}
tag_mem_supplied = true;
if (fread(c.d.asBytes,48,1,pf) == 0) {
- PrintAndLog("Error: File reading error");
+ PrintAndLog("Error: File reading error");
return 1;
- }
+ }
fclose(pf);
} else {
tag_mem_supplied = false;
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
- {"list", CmdLFHitagList, 1, "List Hitag trace history"},
+ {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"},
{"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"},
- {"sim", CmdLFHitagSim, 1, "Simulate Hitag transponder"},
+ {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"},
{"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"},
- {NULL, NULL, 0, NULL}
+ {NULL, NULL, 0, NULL}
};
int CmdLFHitag(const char *Cmd)
int CmdIODemodFSK(const char *Cmd)
{
- UsbCommand c={CMD_IO_DEMOD_FSK};
- SendCommand(&c);
- return 0;
+ int findone = 0;
+ if (Cmd[0] =='1') findone = 1;
+
+ UsbCommand c={CMD_IO_DEMOD_FSK};
+ c.arg[0] = findone;
+ SendCommand(&c);
+ return 0;
}
int CmdIOProxDemod(const char *Cmd){
{
{"help", CmdHelp, 1, "This help"},
{"demod", CmdIOProxDemod, 1, "Demodulate Stream"},
- {"fskdemod", CmdIODemodFSK, 1, "Demodulate ioProx Tag"},
- {"clone", CmdIOClone, 1, "Clone ioProx Tag"},
+ {"fskdemod", CmdIODemodFSK, 0, "['1'] Realtime IO FSK demodulator (option '1' for one tag only)"},
+ {"clone", CmdIOClone, 0, "Clone ioProx Tag"},
{NULL, NULL, 0, NULL}
};
SendCommand(&c);\r
WaitForResponse(CMD_ACK, NULL);\r
\r
-// uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};\r
+ uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};\r
\r
- // GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..\r
- // WaitForResponseTimeout(CMD_ACK,NULL, 1500);\r
-\r
- // for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {\r
- // GraphBuffer[j] = (int)data[j];\r
- // }\r
- // GraphTraceLen = LF_TRACE_BUFF_SIZE;\r
- CmdSamples("12000");\r
+ GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..\r
+ WaitForResponseTimeout(CMD_ACK,NULL, 1500);\r
+\r
+ for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {\r
+ GraphBuffer[j] = (int)data[j];\r
+ }\r
+ GraphTraceLen = LF_TRACE_BUFF_SIZE;\r
ManchesterDemod(block);\r
- // RepaintGraphWindow();\r
+ RepaintGraphWindow();\r
return 0;\r
}\r
\r
return 0;\r
}\r
}\r
-\r
+ \r
for ( int i = 0; i <8; ++i){\r
memset(s,0,sizeof(s));\r
if ( hasPwd ) {\r
if (!HasGraphData()) return 0;\r
\r
uint8_t sizebyte = 32;\r
+ // the value 5 was selected during empirical studies of the decoded data. Some signal noise to skip.\r
uint8_t offset = 5;\r
uint32_t blockData;\r
uint8_t bits[LF_BITSSTREAM_LEN] = {0x00};\r
#include "util.h"
#include "cmdscript.h"
-int delta125[2];
-int delta134[2];
-int deltahf[2];
-int deltaReset = 0;
unsigned int current_command = CMD_UNKNOWN;
-//unsigned int received_command = CMD_UNKNOWN;
-//UsbCommand current_response;
-//UsbCommand current_response_user;
static int CmdHelp(const char *Cmd);
static int CmdQuit(const char *Cmd);
static command_t CommandTable[] =
{
- {"help", CmdHelp, 1, "This help. Use '<command> help' for details of a particular command."},
- {"data", CmdData, 1, "{ Plot window / data buffer manipulation... }"},
- {"hf", CmdHF, 1, "{ High Frequency commands... }"},
- {"hw", CmdHW, 1, "{ Hardware commands... }"},
- {"lf", CmdLF, 1, "{ Low Frequency commands... }"},
- {"script", CmdScript, 1,"{ Scripting commands }"},
- {"quit", CmdQuit, 1, "Exit program"},
- {"exit", CmdQuit, 1, "Exit program"},
+ {"help", CmdHelp, 1, "This help. Use '<command> help' for details of a particular command."},
+ {"data", CmdData, 1, "{ Plot window / data buffer manipulation... }"},
+ {"hf", CmdHF, 1, "{ High Frequency commands... }"},
+ {"hw", CmdHW, 1, "{ Hardware commands... }"},
+ {"lf", CmdLF, 1, "{ Low Frequency commands... }"},
+ {"script", CmdScript, 1,"{ Scripting commands }"},
+ {"quit", CmdQuit, 1, "Exit program"},
+ {"exit", CmdQuit, 1, "Exit program"},
{NULL, NULL, 0, NULL}
};
*/
bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeout) {
- UsbCommand resp;
+ UsbCommand resp;
- if (response == NULL) {
-
- response = &resp;
- }
-
- // Wait until the command is received
- for(size_t dm_seconds=0; dm_seconds < ms_timeout/10; dm_seconds++) {
-
- while(getCommand(response))
- {
- if(response->cmd == cmd){
- //We got what we expected
- return true;
- }
-
- }
- msleep(10); // XXX ugh
- if (dm_seconds == 200) { // Two seconds elapsed
- PrintAndLog("Waiting for a response from the proxmark...");
- PrintAndLog("Don't forget to cancel its operation first by pressing on the button");
- }
+ if (response == NULL)
+ response = &resp;
+
+
+ // Wait until the command is received
+ for(size_t dm_seconds=0; dm_seconds < ms_timeout/10; dm_seconds++) {
+
+ while(getCommand(response)) {
+ if(response->cmd == cmd){
+ return true;
+ }
+ }
+ msleep(10); // XXX ugh
+ if (dm_seconds == 200) { // Two seconds elapsed
+ PrintAndLog("Waiting for a response from the proxmark...");
+ PrintAndLog("Don't forget to cancel its operation first by pressing on the button");
+ }
}
return false;
}
//-----------------------------------------------------------------------------
void UsbCommandReceived(UsbCommand *UC)
{
- /*
- // Debug
- printf("UsbCommand length[len=%zd]\n",sizeof(UsbCommand));
- printf(" cmd[len=%zd]: %"llx"\n",sizeof(UC->cmd),UC->cmd);
- printf(" arg0[len=%zd]: %"llx"\n",sizeof(UC->arg[0]),UC->arg[0]);
- printf(" arg1[len=%zd]: %"llx"\n",sizeof(UC->arg[1]),UC->arg[1]);
- printf(" arg2[len=%zd]: %"llx"\n",sizeof(UC->arg[2]),UC->arg[2]);
- printf(" data[len=%zd]: %02x%02x%02x...\n",sizeof(UC->d.asBytes),UC->d.asBytes[0],UC->d.asBytes[1],UC->d.asBytes[2]);
- */
-
- // printf("%s(%x) current cmd = %x\n", __FUNCTION__, c->cmd, current_command);
- // If we recognize a response, return to avoid further processing
- switch(UC->cmd) {
- // First check if we are handling a debug message
- case CMD_DEBUG_PRINT_STRING: {
- char s[USB_CMD_DATA_SIZE+1];
- size_t len = MIN(UC->arg[0],USB_CMD_DATA_SIZE);
- memcpy(s,UC->d.asBytes,len);
- s[len] = 0x00;
- PrintAndLog("#db# %s ", s);
- return;
- } break;
-
- case CMD_DEBUG_PRINT_INTEGERS: {
- PrintAndLog("#db# %08x, %08x, %08x \r\n", UC->arg[0], UC->arg[1], UC->arg[2]);
- return;
- } break;
-
- case CMD_MEASURED_ANTENNA_TUNING: {
- int peakv, peakf;
- int vLf125, vLf134, vHf;
- vLf125 = UC->arg[0] & 0xffff;
- vLf134 = UC->arg[0] >> 16;
- vHf = UC->arg[1] & 0xffff;;
- peakf = UC->arg[2] & 0xffff;
- peakv = UC->arg[2] >> 16;
-
- //Reset delta trigger every 3:d time
-
- if ( deltaReset == 4){
- delta125[0] = vLf125;
- delta134[0] = vLf134;
- deltahf[0] = vHf;
- } else if ( deltaReset == 2){
- delta125[1] = vLf125;
- delta134[1] = vLf134;
- deltahf[1] = vHf;
- }
-
- if ( deltaReset == 0){
-
+ switch(UC->cmd) {
+ // First check if we are handling a debug message
+ case CMD_DEBUG_PRINT_STRING: {
+ char s[USB_CMD_DATA_SIZE+1] = {0x00};
+ size_t len = MIN(UC->arg[0],USB_CMD_DATA_SIZE);
+ memcpy(s,UC->d.asBytes,len);
+ PrintAndLog("#db# %s ", s);
+ return;
+ } break;
+
+ case CMD_DEBUG_PRINT_INTEGERS: {
+ PrintAndLog("#db# %08x, %08x, %08x \r\n", UC->arg[0], UC->arg[1], UC->arg[2]);
+ return;
+ } break;
+
+ case CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K: {
+ sample_buf_len += UC->arg[1];
+ memcpy(sample_buf+(UC->arg[0]),UC->d.asBytes,UC->arg[1]);
+ } break;
+
+ default:
+ break;
}
-
- PrintAndLog("");
- PrintAndLog("# LF antenna: %5.2f V @ 125.00 kHz", vLf125/1000.0);
- PrintAndLog("# LF antenna: %5.2f V @ 134.00 kHz", vLf134/1000.0);
- PrintAndLog("# LF optimal: %5.2f V @ %9.2f kHz", peakv/1000.0, 12000.0/(peakf+1));
- PrintAndLog("# HF antenna: %5.2f V @ 13.56 MHz", vHf/1000.0);
- if (peakv<2000)
- PrintAndLog("# Your LF antenna is unusable.");
- else if (peakv<10000)
- PrintAndLog("# Your LF antenna is marginal.");
- if (vHf<2000)
- PrintAndLog("# Your HF antenna is unusable.");
- else if (vHf<5000)
- PrintAndLog("# Your HF antenna is marginal.");
- }
-
- deltaReset = (deltaReset == 0) ? 4 : deltaReset>>1;
- break;
-
- case CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K: {
-// printf("received samples: ");
-// print_hex(UC->d.asBytes,512);
- sample_buf_len += UC->arg[1];
-// printf("samples: %zd offset: %d\n",sample_buf_len,UC->arg[0]);
- memcpy(sample_buf+(UC->arg[0]),UC->d.asBytes,UC->arg[1]);
- } break;
-
-
-// case CMD_ACK: {
-// PrintAndLog("Receive ACK\n");
-// } break;
-
- default: {
- // Maybe it's a response
- /*
- switch(current_command) {
- case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: {
- if (UC->cmd != CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K) {
- PrintAndLog("unrecognized command %08x\n", UC->cmd);
- break;
- }
-// int i;
- PrintAndLog("received samples %d\n",UC->arg[0]);
- memcpy(sample_buf+UC->arg[0],UC->d.asBytes,48);
- sample_buf_len += 48;
-// for(i=0; i<48; i++) sample_buf[i] = UC->d.asBytes[i];
- //received_command = UC->cmd;
- } break;
-
- default: {
- } break;
- }*/
- }
- break;
- }
storeCommand(UC);
-
}
#include <stdint.h>
+//trace buffer size as defined in armsrc/apps.h TRACE_SIZE
+#define TRACE_BUFFER_SIZE 4096
+#define FILE_PATH_SIZE 1000
#define SAMPLE_BUFFER_SIZE 64
extern uint8_t* sample_buf;
{
UsbCommand c;
c.cmd = CMD_DEVICE_INFO;
-// SendCommand_(&c);
- SendCommand(&c);
+ SendCommand(&c);
UsbCommand resp;
ReceiveCommand(&resp);
c.arg[2] = 0;
}
SendCommand(&c);
-// SendCommand_(&c);
return wait_for_ack();
} else {
fprintf(stderr, "Note: Your bootloader does not understand the new START_FLASH command\n");
memset(block_buf, 0xFF, BLOCK_SIZE);
memcpy(block_buf, data, length);
- UsbCommand c;
-/*
- c.cmd = {CMD_SETUP_WRITE};
- for (int i = 0; i < 240; i += 48) {
- memcpy(c.d.asBytes, block_buf + i, 48);
- c.arg[0] = i / 4;
- SendCommand(&c);
-// SendCommand_(&c);
- if (wait_for_ack() < 0) {
- return -1;
- }
- }
-*/
+ UsbCommand c;
c.cmd = CMD_FINISH_WRITE;
c.arg[0] = address;
-// memcpy(c.d.asBytes, block_buf+240, 16);
-// SendCommand_(&c);
memcpy(c.d.asBytes, block_buf, length);
- SendCommand(&c);
+ SendCommand(&c);
return wait_for_ack();
}
// just reset the unit
int flash_stop_flashing(void) {
UsbCommand c = {CMD_HARDWARE_RESET};
-// SendCommand_(&c);
- SendCommand(&c);
- msleep(100);
- return 0;
+ SendCommand(&c);
+ msleep(100);
+ return 0;
}
case 1: clock--; break;
case 2: clock -= 2; break;
}
+ if ( clock < 32)
+ clock = 32;
+
printf("- adjusted it to %d \n", clock);
return clock;
}
k[0] = csn[0]^csn[1]^csn[2]^csn[3]^csn[4]^csn[5]^csn[6]^csn[7];
k[1] = csn[0]+csn[1]+csn[2]+csn[3]+csn[4]+csn[5]+csn[6]+csn[7];
k[2] = rr(swap( csn[2]+k[1] ));
- k[3] = rr(swap( csn[3]+k[0] ));
- k[4] = ~rr(swap( csn[4]+k[2] ))+1;
- k[5] = ~rr(swap( csn[5]+k[3] ))+1;
+ k[3] = rl(swap( csn[3]+k[0] ));
+ k[4] = ~rr( csn[4]+k[2] )+1;
+ k[5] = ~rl( csn[5]+k[3] )+1;
k[6] = rr( csn[6]+(k[4]^0x3c) );
k[7] = rl( csn[7]+(k[5]^0xc3) );
int i;
*/
int bruteforceFile(const char *filename, uint16_t keytable[])
{
-
FILE *f = fopen(filename, "rb");
if(!f) {
prnlog("Failed to read from file '%s'", filename);
fseek(f, 0, SEEK_SET);
uint8_t *dump = malloc(fsize);
- fread(dump, fsize, 1, f);
- fclose(f);
+ size_t bytes_read = fread(dump, fsize, 1, f);
+ fclose(f);
+ if (bytes_read < fsize)
+ {
+ prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
+ }
return bruteforceDump(dump,fsize,keytable);
}
/**
* @return
*/
int fileExists(const char *filename) {
- struct stat st;
- int result = stat(filename, &st);
+ struct _stat fileStat;
+ int result = _stat(filename, &fileStat);
return result == 0;
}
int saveFile(const char *preferredName, const char *suffix, const void* data, size_t datalen)
{
- int size = sizeof(char) * (strlen(preferredName)+strlen(suffix)+5);
+ int size = sizeof(char) * (strlen(preferredName)+strlen(suffix)+10);
char * fileName = malloc(size);
memset(fileName,0,size);
/* We should have a valid filename now, e.g. dumpdata-3.bin */
/*Opening file for writing in binary mode*/
- FILE *fileHandle=fopen(fileName,"wb");
- if(!fileHandle) {
- prnlog("Failed to write to file '%s'", fileName);
+ FILE *fh=fopen(fileName,"wb");
+ if(!fh) {
+ PrintAndLog("Failed to write to file '%s'", fileName);
return 1;
}
- fwrite(data, 1, datalen, fileHandle);
- fclose(fileHandle);
- prnlog("Saved data to '%s'", fileName);
+ fwrite(data, 1, datalen, fh);
+ fclose(fh);
+ PrintAndLog("Saved data to '%s'", fileName);
free(fileName);
return 0;
{
FILE *filehandle = fopen(fileName, "rb");
if(!filehandle) {
- prnlog("Failed to read from file '%s'", fileName);
+ PrintAndLog("Failed to read from file '%s'", fileName);
return 1;
}
fread(data,datalen,1,filehandle);
int main (int argc, char **argv)
{
-
-
prnlog("IClass Cipher version 1.2, Copyright (C) 2014 Martin Holst Swende\n");
prnlog("Comes with ABSOLUTELY NO WARRANTY");
prnlog("Released as GPLv2\n");
local _reverse_lookup,k,v = {}
-for k, v in pairs(_commands) do
- _reverse_lookup[v] = k
-end
-_commands.tostring = function(command)
+ for k, v in pairs(_commands) do
+ _reverse_lookup[v] = k
+ end
+ _commands.tostring = function(command)
if(type(command) == 'number') then
return ("%s (%d)"):format(_reverse_lookup[command]or "ERROR UNDEFINED!", command)
end
local cmd = self.cmd
local arg1, arg2, arg3 = self.arg1, self.arg2, self.arg3
-
return bin.pack("LLLLH",cmd, arg1, arg2, arg3,data);
end
return _commands
\ No newline at end of file
--- /dev/null
+local _names = {
+ --[[
+ --]]
+ ["0400"]="BASH",
+ ["1600"]="BOOMER" ,
+ ["1800"]="CAMO",
+ ["3000"]="CHOPCHOP" ,
+ ["2000"]="CYNDER",
+ ["6400"]="JET-VAC",
+ ["6700"]="FLASHWING",
+ ["7000"]="TREE REX",
+ ["7100"]="LIGHTCORE SHROOMBOOM",
+ ["1C00"]="DARK SPYRO",
+ ["0600"]="DINORANG" ,
+ ["1200"]="DOUBLE TROUBLE" ,
+ ["1500"]="DRILLSERGEANT" ,
+ ["1400"]="DROBOT",
+ ["0900"]="LIGHTCORE ERUPTOR" ,
+ ["0B00"]="FLAMESLINGER" ,
+ ["1F00"]="GHOST ROASTER",
+ ["0E00"]="GILL GRUNT" ,
+ ["1D00"]="HEX",
+ ["0A00"]="IGNITOR",
+ ["0300"]="LIGHTNINGROD",
+ ["0700"]="LIGHTCORE PRISM BREAK",
+ ["1500"]="SLAMBAM",
+ ["0100"]="SONIC BOOM",
+ ["1000"]="SPYRO",
+ ["1A00"]="STEALTH ELF",
+ ["1B00"]="STUMP SMASH",
+ ["0800"]="SUNBURN",
+ ["0500"]="TERRAFIN",
+ ["1300"]="TRIGGER HAPPY",
+ ["1100"]="VOODOOD",
+ ["0200"]="WARNADO",
+ ["0D00"]="WHAM SHELL",
+ ["0000"]="WHIRLWIND",
+ ["1700"]="WRECKING BALL",
+ ["0C00"]="ZAP",
+ ["1900"]="ZOOK",
+ ["0300"]="DRAGON",
+ ["012D"]="ICE",
+ ["012E"]="PIRATE",
+ ["0130"]="PVPUNLOCK",
+ ["012F"]="UNDEAD",
+ ["0200"]="ANVIL" ,
+ ["CB00"]="CROSSED SWORDS",
+ ["CC00"]="HOURGLASS",
+ ["CA00"]="REGENERATION",
+ ["C900"]="SECRET STASH",
+ ["CD00"]="SHIELD",
+ ["CF00"]="SPARX",
+ ["CE00"]="SPEED BOOTS",
+ ["0194"]="LEGENDARY BASH",
+ ["0430"]="LEGENDARY CHOPCHOP",
+ ["01A0"]="LEGENDARY SPYRO",
+ ["01A3"]="LEGENDARY TRIGGER HAPPY",
+ ["0202"]="PET GILL GRUNT",
+ ["020E"]="PET STEALTH ELF",
+ ["01F9"]="PET TERRAFIN",
+ ["0207"]="PET TRIGGER HAPPY",
+}
+return _names
end
+local function save_TEXT(data,filename)
+ -- Open the output file
+ local outfile = io.open(filename, "wb")
+ if outfile == nil then
+ return oops(string.format("Could not write to file %s",tostring(filename)))
+ end
+
+ outfile:write(data)
+ io.close(outfile)
+ return filename
+end
+
local function save_BIN(data, filename)
-- Open the output file
return {
convert_bin_to_html = convert_bin_to_html,
convert_eml_to_html = convert_eml_to_html,
- convert_eml_to_bin = convert_eml_to_bin,
+ convert_eml_to_bin = convert_eml_to_bin,
+ SaveAsBinary = save_BIN,
+ SaveAsText = save_TEXT,
}
return "UNKNOWN"
}
+ add("04,,,Mifare TNP3xxx Activision 1K,0f01,01");
add("04,,,Mifare Mini,0004,09");
add("04,,,Mifare Classic 1k/Mifare Plus(4 byte UID) 2K SL1,0004,08");
add("04,,,Mifare Plus (4 byte UID) 2K SL2,0004,10");
--- /dev/null
+local md5 = {
+ _VERSION = "md5.lua 0.5.0",
+ _DESCRIPTION = "MD5 computation in Lua (5.1)",
+ _URL = "https://github.com/kikito/md5.lua",
+ _LICENSE = [[
+ MIT LICENSE
+
+ Copyright (c) 2013 Enrique GarcÃa Cota + Adam Baldwin + hanzao + Equi 4 Software
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ ]]
+}
+
+-- bit lib implementions
+
+local floor, abs, max = math.floor, math.abs, math.max
+local char, byte, format, rep, sub =
+ string.char, string.byte, string.format, string.rep, string.sub
+
+local function check_int(n)
+ -- checking not float
+ if(n - floor(n) > 0) then
+ error("trying to use bitwise operation on non-integer!")
+ end
+end
+
+local function tbl2number(tbl)
+ local n = #tbl
+
+ local rslt = 0
+ local power = 1
+ for i = 1, n do
+ rslt = rslt + tbl[i]*power
+ power = power*2
+ end
+
+ return rslt
+end
+
+local function expand(tbl_m, tbl_n)
+ local big = {}
+ local small = {}
+ if(#tbl_m > #tbl_n) then
+ big = tbl_m
+ small = tbl_n
+ else
+ big = tbl_n
+ small = tbl_m
+ end
+ -- expand small
+ for i = #small + 1, #big do
+ small[i] = 0
+ end
+
+end
+
+local to_bits -- needs to be declared before bit_not
+
+local function bit_not(n)
+ local tbl = to_bits(n)
+ local size = max(#tbl, 32)
+ for i = 1, size do
+ if(tbl[i] == 1) then
+ tbl[i] = 0
+ else
+ tbl[i] = 1
+ end
+ end
+ return tbl2number(tbl)
+end
+
+-- defined as local above
+to_bits = function (n)
+ check_int(n)
+ if(n < 0) then
+ -- negative
+ return to_bits(bit_not(abs(n)) + 1)
+ end
+ -- to bits table
+ local tbl = {}
+ local cnt = 1
+ while (n > 0) do
+ local last = math.fmod(n,2)
+ if(last == 1) then
+ tbl[cnt] = 1
+ else
+ tbl[cnt] = 0
+ end
+ n = (n-last)/2
+ cnt = cnt + 1
+ end
+
+ return tbl
+end
+
+local function bit_or(m, n)
+ local tbl_m = to_bits(m)
+ local tbl_n = to_bits(n)
+ expand(tbl_m, tbl_n)
+
+ local tbl = {}
+ local rslt = max(#tbl_m, #tbl_n)
+ for i = 1, rslt do
+ if(tbl_m[i]== 0 and tbl_n[i] == 0) then
+ tbl[i] = 0
+ else
+ tbl[i] = 1
+ end
+ end
+
+ return tbl2number(tbl)
+end
+
+local function bit_and(m, n)
+ local tbl_m = to_bits(m)
+ local tbl_n = to_bits(n)
+ expand(tbl_m, tbl_n)
+
+ local tbl = {}
+ local rslt = max(#tbl_m, #tbl_n)
+ for i = 1, rslt do
+ if(tbl_m[i]== 0 or tbl_n[i] == 0) then
+ tbl[i] = 0
+ else
+ tbl[i] = 1
+ end
+ end
+
+ return tbl2number(tbl)
+end
+
+local function bit_xor(m, n)
+ local tbl_m = to_bits(m)
+ local tbl_n = to_bits(n)
+ expand(tbl_m, tbl_n)
+
+ local tbl = {}
+ local rslt = max(#tbl_m, #tbl_n)
+ for i = 1, rslt do
+ if(tbl_m[i] ~= tbl_n[i]) then
+ tbl[i] = 1
+ else
+ tbl[i] = 0
+ end
+ end
+
+ return tbl2number(tbl)
+end
+
+local function bit_rshift(n, bits)
+ check_int(n)
+
+ local high_bit = 0
+ if(n < 0) then
+ -- negative
+ n = bit_not(abs(n)) + 1
+ high_bit = 2147483648 -- 0x80000000
+ end
+
+ for i=1, bits do
+ n = n/2
+ n = bit_or(floor(n), high_bit)
+ end
+ return floor(n)
+end
+
+local function bit_lshift(n, bits)
+ check_int(n)
+
+ if(n < 0) then
+ -- negative
+ n = bit_not(abs(n)) + 1
+ end
+
+ for i=1, bits do
+ n = n*2
+ end
+ return bit_and(n, 4294967295) -- 0xFFFFFFFF
+end
+
+-- convert little-endian 32-bit int to a 4-char string
+local function lei2str(i)
+ local f=function (s) return char( bit_and( bit_rshift(i, s), 255)) end
+ return f(0)..f(8)..f(16)..f(24)
+end
+
+-- convert raw string to big-endian int
+local function str2bei(s)
+ local v=0
+ for i=1, #s do
+ v = v * 256 + byte(s, i)
+ end
+ return v
+end
+
+-- convert raw string to little-endian int
+local function str2lei(s)
+ local v=0
+ for i = #s,1,-1 do
+ v = v*256 + byte(s, i)
+ end
+ return v
+end
+
+-- cut up a string in little-endian ints of given size
+local function cut_le_str(s,...)
+ local o, r = 1, {}
+ local args = {...}
+ for i=1, #args do
+ table.insert(r, str2lei(sub(s, o, o + args[i] - 1)))
+ o = o + args[i]
+ end
+ return r
+end
+
+local swap = function (w) return str2bei(lei2str(w)) end
+
+local function hex2binaryaux(hexval)
+ return char(tonumber(hexval, 16))
+end
+
+local function hex2binary(hex)
+ local result, _ = hex:gsub('..', hex2binaryaux)
+ return result
+end
+
+-- An MD5 mplementation in Lua, requires bitlib (hacked to use LuaBit from above, ugh)
+-- 10/02/2001 jcw@equi4.com
+
+local FF = 0xffffffff
+local CONSTS = {
+ 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
+ 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
+ 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
+ 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
+ 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
+ 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
+ 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
+ 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
+ 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
+ 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
+ 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
+ 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
+ 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
+ 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
+ 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
+ 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391,
+ 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
+}
+
+local f=function (x,y,z) return bit_or(bit_and(x,y),bit_and(-x-1,z)) end
+local g=function (x,y,z) return bit_or(bit_and(x,z),bit_and(y,-z-1)) end
+local h=function (x,y,z) return bit_xor(x,bit_xor(y,z)) end
+local i=function (x,y,z) return bit_xor(y,bit_or(x,-z-1)) end
+local z=function (f,a,b,c,d,x,s,ac)
+ a=bit_and(a+f(b,c,d)+x+ac,FF)
+ -- be *very* careful that left shift does not cause rounding!
+ return bit_or(bit_lshift(bit_and(a,bit_rshift(FF,s)),s),bit_rshift(a,32-s))+b
+end
+
+local function transform(A,B,C,D,X)
+ local a,b,c,d=A,B,C,D
+ local t=CONSTS
+
+ a=z(f,a,b,c,d,X[ 0], 7,t[ 1])
+ d=z(f,d,a,b,c,X[ 1],12,t[ 2])
+ c=z(f,c,d,a,b,X[ 2],17,t[ 3])
+ b=z(f,b,c,d,a,X[ 3],22,t[ 4])
+ a=z(f,a,b,c,d,X[ 4], 7,t[ 5])
+ d=z(f,d,a,b,c,X[ 5],12,t[ 6])
+ c=z(f,c,d,a,b,X[ 6],17,t[ 7])
+ b=z(f,b,c,d,a,X[ 7],22,t[ 8])
+ a=z(f,a,b,c,d,X[ 8], 7,t[ 9])
+ d=z(f,d,a,b,c,X[ 9],12,t[10])
+ c=z(f,c,d,a,b,X[10],17,t[11])
+ b=z(f,b,c,d,a,X[11],22,t[12])
+ a=z(f,a,b,c,d,X[12], 7,t[13])
+ d=z(f,d,a,b,c,X[13],12,t[14])
+ c=z(f,c,d,a,b,X[14],17,t[15])
+ b=z(f,b,c,d,a,X[15],22,t[16])
+
+ a=z(g,a,b,c,d,X[ 1], 5,t[17])
+ d=z(g,d,a,b,c,X[ 6], 9,t[18])
+ c=z(g,c,d,a,b,X[11],14,t[19])
+ b=z(g,b,c,d,a,X[ 0],20,t[20])
+ a=z(g,a,b,c,d,X[ 5], 5,t[21])
+ d=z(g,d,a,b,c,X[10], 9,t[22])
+ c=z(g,c,d,a,b,X[15],14,t[23])
+ b=z(g,b,c,d,a,X[ 4],20,t[24])
+ a=z(g,a,b,c,d,X[ 9], 5,t[25])
+ d=z(g,d,a,b,c,X[14], 9,t[26])
+ c=z(g,c,d,a,b,X[ 3],14,t[27])
+ b=z(g,b,c,d,a,X[ 8],20,t[28])
+ a=z(g,a,b,c,d,X[13], 5,t[29])
+ d=z(g,d,a,b,c,X[ 2], 9,t[30])
+ c=z(g,c,d,a,b,X[ 7],14,t[31])
+ b=z(g,b,c,d,a,X[12],20,t[32])
+
+ a=z(h,a,b,c,d,X[ 5], 4,t[33])
+ d=z(h,d,a,b,c,X[ 8],11,t[34])
+ c=z(h,c,d,a,b,X[11],16,t[35])
+ b=z(h,b,c,d,a,X[14],23,t[36])
+ a=z(h,a,b,c,d,X[ 1], 4,t[37])
+ d=z(h,d,a,b,c,X[ 4],11,t[38])
+ c=z(h,c,d,a,b,X[ 7],16,t[39])
+ b=z(h,b,c,d,a,X[10],23,t[40])
+ a=z(h,a,b,c,d,X[13], 4,t[41])
+ d=z(h,d,a,b,c,X[ 0],11,t[42])
+ c=z(h,c,d,a,b,X[ 3],16,t[43])
+ b=z(h,b,c,d,a,X[ 6],23,t[44])
+ a=z(h,a,b,c,d,X[ 9], 4,t[45])
+ d=z(h,d,a,b,c,X[12],11,t[46])
+ c=z(h,c,d,a,b,X[15],16,t[47])
+ b=z(h,b,c,d,a,X[ 2],23,t[48])
+
+ a=z(i,a,b,c,d,X[ 0], 6,t[49])
+ d=z(i,d,a,b,c,X[ 7],10,t[50])
+ c=z(i,c,d,a,b,X[14],15,t[51])
+ b=z(i,b,c,d,a,X[ 5],21,t[52])
+ a=z(i,a,b,c,d,X[12], 6,t[53])
+ d=z(i,d,a,b,c,X[ 3],10,t[54])
+ c=z(i,c,d,a,b,X[10],15,t[55])
+ b=z(i,b,c,d,a,X[ 1],21,t[56])
+ a=z(i,a,b,c,d,X[ 8], 6,t[57])
+ d=z(i,d,a,b,c,X[15],10,t[58])
+ c=z(i,c,d,a,b,X[ 6],15,t[59])
+ b=z(i,b,c,d,a,X[13],21,t[60])
+ a=z(i,a,b,c,d,X[ 4], 6,t[61])
+ d=z(i,d,a,b,c,X[11],10,t[62])
+ c=z(i,c,d,a,b,X[ 2],15,t[63])
+ b=z(i,b,c,d,a,X[ 9],21,t[64])
+
+ return A+a,B+b,C+c,D+d
+end
+
+----------------------------------------------------------------
+
+function md5.sumhexa(s)
+ local msgLen = #s
+ local padLen = 56 - msgLen % 64
+
+ if msgLen % 64 > 56 then padLen = padLen + 64 end
+
+ if padLen == 0 then padLen = 64 end
+
+ s = s .. char(128) .. rep(char(0),padLen-1) .. lei2str(8*msgLen) .. lei2str(0)
+
+ assert(#s % 64 == 0)
+
+ local t = CONSTS
+ local a,b,c,d = t[65],t[66],t[67],t[68]
+
+ for i=1,#s,64 do
+ local X = cut_le_str(sub(s,i,i+63),4,4,4,4,4,4,4,4,4,4,4,4,4,4,4,4)
+ assert(#X == 16)
+ X[0] = table.remove(X,1) -- zero based!
+ a,b,c,d = transform(a,b,c,d,X)
+ end
+
+ return format("%08x%08x%08x%08x",swap(a),swap(b),swap(c),swap(d))
+end
+
+function md5.sum(s)
+ return hex2binary(md5.sumhexa(s))
+end
+
+return md5
'200000000000',
'a00000000000',
'b00000000000',
- }
+
+ --[[
+ Should be for Mifare TNP3xxx tags A KEY.
+ --]]
+ '4b0b20107ccb',
+
+ --[[
+ Kiev metro cards
+ --]]
+ '8fe644038790',
+ 'f14ee7cae863',
+ '632193be1c3c',
+ '569369c5a0e5',
+ '9de89e070277',
+ 'eff603e1efe9',
+ '644672bd4afe',
+
+ 'b5ff67cba951',
+}
---
-- The keys above have just been pasted in, for completeness sake. They contain duplicates.
local ISO14443a_TYPES = {}
ISO14443a_TYPES[0x00] = "NXP MIFARE Ultralight | Ultralight C"
+ISO14443a_TYPES[0x01] = "NXP MIFARE TNP3xxx Activision Game Appliance"
ISO14443a_TYPES[0x04] = "NXP MIFARE (various !DESFire !DESFire EV1)"
ISO14443a_TYPES[0x08] = "NXP MIFARE CLASSIC 1k | Plus 2k"
ISO14443a_TYPES[0x09] = "NXP MIFARE Mini 0.3k"
\r
return answer\r
end,\r
+ \r
+ ------------ FILE READING\r
+ ReadDumpFile = function (filename)\r
+ \r
+ if filename == nil then \r
+ return nil, 'Filename is empty'\r
+ end\r
+ if #filename == 0 then\r
+ return nil, 'Filename length is zero'\r
+ end\r
+\r
+ infile = io.open(filename, "rb")\r
+ if infile == nil then \r
+ return nil, string.format("Could not read file %s",filename)\r
+ end\r
+ local t = infile:read("*all")\r
+ len = string.len(t)\r
+ local _,hex = bin.unpack(("H%d"):format(len),t)\r
+ io.close(infile)\r
+ return hex\r
+ end,\r
+ \r
+ ------------ string split function\r
+ Split = function( inSplitPattern, outResults )\r
+ if not outResults then\r
+ outResults = {}\r
+ end\r
+ local start = 1\r
+ local splitStart, splitEnd = string.find( self, inSplitPattern, start )\r
+ while splitStart do\r
+ table.insert( outResults, string.sub( self, start, splitStart-1 ) )\r
+ start = splitEnd + 1\r
+ splitStart, splitEnd = string.find( self, inSplitPattern, start )\r
+ end\r
+ table.insert( outResults, string.sub( self, start ) )\r
+ return outResults\r
+ end,\r
+ \r
+ ------------ CRC-16 ccitt checksums\r
+ \r
+ -- Takes a hex string and calculates a crc16\r
+ Crc16 = function(s)\r
+ if s == nil then return nil end\r
+ if #s == 0 then return nil end\r
+ if type(s) == 'string' then\r
+ local utils = require('utils')\r
+ local asc = utils.ConvertHexToAscii(s)\r
+ local hash = core.crc16(asc)\r
+ return hash\r
+ end\r
+ return nil\r
+ end,\r
+\r
+ -- input parameter is a string\r
+ -- Swaps the endianess and returns a number, \r
+ -- IE: 'cd7a' -> '7acd' -> 0x7acd\r
+ SwapEndianness = function(s, len)\r
+ if s == nil then return nil end\r
+ if #s == 0 then return '' end\r
+ if type(s) ~= 'string' then return nil end\r
+ \r
+ local retval = 0\r
+ if len == 16 then\r
+ local t = s:sub(3,4)..s:sub(1,2)\r
+ retval = tonumber(t,16)\r
+ elseif len == 24 then\r
+ local t = s:sub(5,6)..s:sub(3,4)..s:sub(1,2)\r
+ retval = tonumber(t,16)\r
+ elseif len == 32 then\r
+ local t = s:sub(7,8)..s:sub(5,6)..s:sub(3,4)..s:sub(1,2)\r
+ retval = tonumber(t,16)\r
+ end\r
+ return retval\r
+ end,\r
+ \r
+ ------------ CONVERSIONS\r
+ \r
--\r
-- Converts DECIMAL to HEX\r
- ConvertDec2Hex = function(IN)\r
+ ConvertDecToHex = function(IN)\r
local B,K,OUT,I,D=16,"0123456789ABCDEF","",0\r
while IN>0 do\r
I=I+1\r
end,\r
---\r
-- Convert Byte array to string of hex\r
- ConvertBytes2String = function(bytes)\r
- s = {}\r
+ ConvertBytesToHex = function(bytes)\r
+ if #bytes == 0 then\r
+ return ''\r
+ end\r
+ local s={}\r
for i = 1, #(bytes) do\r
- s[i] = string.format("%02X",bytes[i]) \r
+ s[i] = string.format("%02X",bytes[i]) \r
end\r
return table.concat(s)\r
end, \r
+ -- Convert byte array to string with ascii\r
+ ConvertBytesToAscii = function(bytes)\r
+ if #bytes == 0 then\r
+ return ''\r
+ end\r
+ local s={}\r
+ for i = 1, #(bytes) do\r
+ s[i] = string.char(bytes[i]) \r
+ end\r
+ return table.concat(s) \r
+ end, \r
+ ConvertHexToBytes = function(s)\r
+ local t={}\r
+ if s == nil then return t end\r
+ if #s == 0 then return t end\r
+ for k in s:gmatch"(%x%x)" do\r
+ table.insert(t,tonumber(k,16))\r
+ end\r
+ return t\r
+ end,\r
+ ConvertAsciiToBytes = function(s)\r
+ local t={}\r
+ if s == nil then return t end\r
+ if #s == 0 then return t end\r
+ \r
+ for k in s:gmatch"(.)" do\r
+ table.insert(t, string.byte(k))\r
+ end\r
+ return t\r
+ end,\r
+ ConvertHexToAscii = function(s)\r
+ local t={}\r
+ if s == nil then return t end\r
+ if #s == 0 then return t end\r
+ for k in s:gmatch"(%x%x)" do\r
+ table.insert(t, string.char(tonumber(k,16)))\r
+ end\r
+ return table.concat(t) \r
+ end,\r
+ \r
+ -- function convertStringToBytes(str)\r
+ -- local bytes = {}\r
+ -- local strLength = string.len(str)\r
+ -- for i=1,strLength do\r
+ -- table.insert(bytes, string.byte(str, i))\r
+ -- end\r
+\r
+ -- return bytes\r
+-- end\r
+\r
+-- function convertBytesToString(bytes)\r
+ -- local bytesLength = table.getn(bytes)\r
+ -- local str = ""\r
+ -- for i=1,bytesLength do\r
+ -- str = str .. string.char(bytes[i])\r
+ -- end\r
+\r
+ -- return str\r
+-- end\r
+\r
+-- function convertHexStringToBytes(str)\r
+ -- local bytes = {}\r
+ -- local strLength = string.len(str)\r
+ -- for k=2,strLength,2 do\r
+ -- local hexString = "0x" .. string.sub(str, (k - 1), k)\r
+ -- table.insert(bytes, hex.to_dec(hexString))\r
+ -- end\r
+\r
+ -- return bytes\r
+-- end\r
+\r
+-- function convertBytesToHexString(bytes)\r
+ -- local str = ""\r
+ -- local bytesLength = table.getn(bytes)\r
+ -- for i=1,bytesLength do\r
+ -- local hexString = string.sub(hex.to_hex(bytes[i]), 3)\r
+ -- if string.len(hexString) == 1 then\r
+ -- hexString = "0" .. hexString\r
+ -- end\r
+ -- str = str .. hexString\r
+ -- end\r
+\r
+ -- return str\r
+-- end\r
+\r
}\r
return Utils
\ No newline at end of file
else return -1;\r
}\r
\r
-\r
-\r
// Compare 16 Bits out of cryptostate\r
int Compare16Bits(const void * a, const void * b) {\r
if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;\r
else return -1;\r
}\r
\r
-\r
typedef \r
struct {\r
union {\r
return statelist->head.slhead;\r
}\r
\r
-\r
-\r
-\r
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) \r
{\r
uint16_t i, len;\r
uint32_t uid;\r
UsbCommand resp;\r
-\r
\r
StateList_t statelists[2];\r
struct Crypto1State *p1, *p2, *p3, *p4;\r
UsbCommand c = {CMD_MIFARE_EML_MEMGET, {blockNum, blocksCount, 0}};\r
SendCommand(&c);\r
\r
- UsbCommand resp;\r
+ UsbCommand resp;\r
if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) return 1;\r
memcpy(data, resp.d.asBytes, blocksCount * 16);\r
return 0;\r
\r
// "MAGIC" CARD\r
\r
-int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe) {\r
+int mfCSetUID(uint8_t *uid, uint8_t *oldUID, bool wantWipe) {\r
uint8_t block0[16];\r
memset(block0, 0, 16);\r
memcpy(block0, uid, 4); \r
return mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER);\r
}\r
\r
-int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, int wantWipe, uint8_t params) {\r
+int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uint8_t params) {\r
uint8_t isOK = 0;\r
\r
UsbCommand c = {CMD_MIFARE_EML_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};\r
\r
uint32_t uid; // serial number\r
uint32_t nt; // tag challenge\r
-uint32_t nt_par; \r
uint32_t nr_enc; // encrypted reader challenge\r
uint32_t ar_enc; // encrypted reader response\r
-uint32_t nr_ar_par; \r
uint32_t at_enc; // encrypted tag response\r
-uint32_t at_par; \r
\r
int isTraceCardEmpty(void) {\r
return ((traceCard[0] == 0) && (traceCard[1] == 0) && (traceCard[2] == 0) && (traceCard[3] == 0));\r
}\r
\r
\r
-int mfTraceDecode(uint8_t *data_src, int len, uint32_t parity, bool wantSaveToEmlFile) {\r
+int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {\r
uint8_t data[64];\r
\r
if (traceState == TRACE_ERROR) return 1;\r
case TRACE_AUTH1: \r
if (len == 4) {\r
traceState = TRACE_AUTH2;\r
-\r
nt = bytes_to_num(data, 4);\r
- nt_par = parity;\r
return 0;\r
} else {\r
traceState = TRACE_ERROR;\r
\r
nr_enc = bytes_to_num(data, 4);\r
ar_enc = bytes_to_num(data + 4, 4);\r
- nr_ar_par = parity;\r
return 0;\r
} else {\r
traceState = TRACE_ERROR;\r
traceState = TRACE_IDLE;\r
\r
at_enc = bytes_to_num(data, 4);\r
- at_par = parity;\r
\r
// decode key here)\r
ks2 = ar_enc ^ prng_successor(nt, 64);\r
int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount);\r
int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount);\r
\r
-int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe);\r
-int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, int wantWipe, uint8_t params);\r
+int mfCSetUID(uint8_t *uid, uint8_t *oldUID, bool wantWipe);\r
+int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uint8_t params);\r
int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params);\r
\r
int mfTraceInit(uint8_t *tuid, uint8_t *atqa, uint8_t sak, bool wantSaveToEmlFile);\r
-int mfTraceDecode(uint8_t *data_src, int len, uint32_t parity, bool wantSaveToEmlFile);\r
+int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile);\r
\r
int isTraceCardEmpty(void);\r
int isBlockEmpty(int blockN);\r
}
FILE *script_file = NULL;
- char script_cmd_buf[256];
+ char script_cmd_buf[256]; // iceman, needs lua script the same file_path_buffer as the rest
if (arg->script_cmds_file)
{
#include "util.h"
#include "nonce2key/nonce2key.h"
#include "../common/iso15693tools.h"
+#include <openssl/aes.h>
+#include "../common/crc16.h"
/**
* The following params expected:
* UsbCommand c
return 1;
}
+/*
+ Simple AES 128 cbc hook up to OpenSSL.
+ params: key, input
+*/
+static int l_aes(lua_State *L)
+{
+ //Check number of arguments
+ int i;
+ size_t size;
+ const char *p_key = luaL_checklstring(L, 1, &size);
+ if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size);
+
+ const char *p_encTxt = luaL_checklstring(L, 2, &size);
+
+ unsigned char indata[AES_BLOCK_SIZE] = {0x00};
+ unsigned char outdata[AES_BLOCK_SIZE] = {0x00};
+ unsigned char aes_key[AES_BLOCK_SIZE] = {0x00};
+ unsigned char iv[AES_BLOCK_SIZE] = {0x00};
+
+ // convert key to bytearray
+ for (i = 0; i < 32; i += 2) {
+ sscanf(&p_encTxt[i], "%02x", (unsigned int *)&indata[i / 2]);
+ }
+
+ // convert input to bytearray
+ for (i = 0; i < 32; i += 2) {
+ sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]);
+ }
+
+ AES_KEY key;
+ AES_set_decrypt_key(aes_key, 128, &key);
+ AES_cbc_encrypt(indata, outdata, sizeof(indata), &key, iv, AES_DECRYPT);
+
+ //Push decrypted array as a string
+ lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
+ return 1;// return 1 to signal one return value
+}
+
+static int l_crc16(lua_State *L)
+{
+ size_t size;
+ const char *p_str = luaL_checklstring(L, 1, &size);
+
+ uint16_t retval = crc16_ccitt( (uint8_t*) p_str, size);
+ lua_pushinteger(L, (int) retval);
+ return 1;
+}
+
/**
* @brief Sets the lua path to include "./lualibs/?.lua", in order for a script to be
* able to do "require('foobar')" if foobar.lua is within lualibs folder.
{"foobar", l_foobar},
{"ukbhit", l_ukbhit},
{"clearCommandBuffer", l_clearCommandBuffer},
- {"console", l_CmdConsole},
- {"iso15693_crc", l_iso15693_crc},
+ {"console", l_CmdConsole},
+ {"iso15693_crc", l_iso15693_crc},
+ {"aes", l_aes},
+ {"crc16", l_crc16},
{NULL, NULL}
};
\r
core.clearCommandBuffer()\r
\r
- if 0x18 == result.sak then --NXP MIFARE Classic 4k | Plus 4k\r
+ if 0x18 == result.sak then -- NXP MIFARE Classic 4k | Plus 4k\r
-- IFARE Classic 4K offers 4096 bytes split into forty sectors, \r
-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors. \r
numSectors = 40\r
- elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k\r
+ elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k\r
-- 1K offers 1024 bytes of data storage, split into 16 sector\r
numSectors = 16\r
- elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k\r
+ elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k\r
-- MIFARE Classic mini offers 320 bytes split into five sectors.\r
numSectors = 5\r
- elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k"\r
+ elseif 0x10 == result.sak then -- NXP MIFARE Plus 2k\r
numSectors = 32\r
+ elseif 0x01 == sak then -- NXP MIFARE TNP3xxx 1K\r
+ numSectors = 16\r
else\r
print("I don't know how many sectors there are on this type of card, defaulting to 16")\r
end \r
typ = 0
elseif 0x10 == sak then-- "NXP MIFARE Plus 2k"
typ = 2
+ elseif 0x01 == sak then-- "NXP MIFARE TNP3xxx 1K"
+ typ = 1
else
print("I don't know how many sectors there are on this type of card, defaulting to 16")
end
+++ /dev/null
-local foo = "This shows how to use some standard libraries"
-print(foo)
-local answer
-repeat
- io.write("Continue with this operation (y/n)? ")
- io.flush()
- answer=io.read()
-until answer=="y" or answer=="n"
-local x = "Ok then, %s"
-print (x:format("whatever"))
\ No newline at end of file
--- /dev/null
+local cmds = require('commands')
+local getopt = require('getopt')
+local bin = require('bin')
+local lib14a = require('read14a')
+local utils = require('utils')
+local md5 = require('md5')
+local dumplib = require('html_dumplib')
+local toyNames = require('default_toys')
+
+example =[[
+ 1. script run tnp3dump
+ 2. script run tnp3dump -n
+ 3. script run tnp3dump -k aabbccddeeff
+ 4. script run tnp3dump -k aabbccddeeff -n
+ 5. script run tnp3dump -o myfile
+ 6. script run tnp3dump -n -o myfile
+ 7. script run tnp3dump -k aabbccddeeff -n -o myfile
+]]
+author = "Iceman"
+usage = "script run tnp3dump -k <key> -n -o <filename>"
+desc =[[
+This script will try to dump the contents of a Mifare TNP3xxx card.
+It will need a valid KeyA in order to find the other keys and decode the card.
+Arguments:
+ -h : this help
+ -k <key> : Sector 0 Key A.
+ -n : Use the nested cmd to find all keys
+ -o : filename for the saved dumps
+]]
+
+local HASHCONSTANT = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20'
+
+local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds
+local DEBUG = false -- the debug flag
+local numBlocks = 64
+local numSectors = 16
+---
+-- A debug printout-function
+function dbg(args)
+ if not DEBUG then
+ return
+ end
+
+ if type(args) == "table" then
+ local i = 1
+ while result[i] do
+ dbg(result[i])
+ i = i+1
+ end
+ else
+ print("###", args)
+ end
+end
+---
+-- This is only meant to be used when errors occur
+function oops(err)
+ print("ERROR: ",err)
+end
+---
+-- Usage help
+function help()
+ print(desc)
+ print("Example usage")
+ print(example)
+end
+--
+-- Exit message
+function ExitMsg(msg)
+ print( string.rep('--',20) )
+ print( string.rep('--',20) )
+ print(msg)
+ print()
+end
+
+local function readdumpkeys(infile)
+ t = infile:read("*all")
+ len = string.len(t)
+ local len,hex = bin.unpack(("H%d"):format(len),t)
+ return hex
+end
+
+local function waitCmd()
+ local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT)
+ if response then
+ local count,cmd,arg0 = bin.unpack('LL',response)
+ if(arg0==1) then
+ local count,arg1,arg2,data = bin.unpack('LLH511',response,count)
+ return data:sub(1,32)
+ else
+ return nil, "Couldn't read block.."
+ end
+ end
+ return nil, "No response from device"
+end
+
+local function computeCrc16(s)
+ local hash = core.crc16(utils.ConvertHexToAscii(s))
+ return hash
+end
+
+local function reverseCrcBytes(crc)
+ crc2 = crc:sub(3,4)..crc:sub(1,2)
+ return tonumber(crc2,16)
+end
+
+local function main(args)
+
+ print( string.rep('--',20) )
+ print( string.rep('--',20) )
+
+ local keyA
+ local cmd
+ local err
+ local useNested = false
+ local cmdReadBlockString = 'hf mf rdbl %d A %s'
+ local input = "dumpkeys.bin"
+ local outputTemplate = os.date("toydump_%Y-%m-%d_%H%M%S");
+
+ -- Arguments for the script
+ for o, a in getopt.getopt(args, 'hk:no:') do
+ if o == "h" then return help() end
+ if o == "k" then keyA = a end
+ if o == "n" then useNested = true end
+ if o == "o" then outputTemplate = a end
+ end
+
+ -- validate input args.
+ keyA = keyA or '4b0b20107ccb'
+ if #(keyA) ~= 12 then
+ return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA))
+ end
+
+ -- Turn off Debug
+ local cmdSetDbgOff = "hf mf dbg 0"
+ core.console( cmdSetDbgOff)
+
+ result, err = lib14a.read1443a(false)
+ if not result then
+ return oops(err)
+ end
+
+ core.clearCommandBuffer()
+
+ if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
+ return oops('This is not a TNP3xxx tag. aborting.')
+ end
+
+ -- Show tag info
+ print((' Found tag : %s'):format(result.name))
+ print(('Using keyA : %s'):format(keyA))
+
+ --Trying to find the other keys
+ if useNested then
+ core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
+ end
+
+ core.clearCommandBuffer()
+
+ -- Loading keyfile
+ print('Loading dumpkeys.bin')
+ local hex, err = utils.ReadDumpFile(input)
+ if not hex then
+ return oops(err)
+ end
+
+ local akeys = hex:sub(0,12*16)
+
+ -- Read block 0
+ cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA}
+ err = core.SendCommand(cmd:getBytes())
+ if err then return oops(err) end
+ local block0, err = waitCmd()
+ if err then return oops(err) end
+
+ -- Read block 1
+ cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 1,arg2 = 0,arg3 = 0, data = keyA}
+ err = core.SendCommand(cmd:getBytes())
+ if err then return oops(err) end
+ local block1, err = waitCmd()
+ if err then return oops(err) end
+
+ local key
+ local pos = 0
+ local blockNo
+ local blocks = {}
+
+ print('Reading card data')
+ core.clearCommandBuffer()
+
+ -- main loop
+ io.write('Decrypting blocks > ')
+ for blockNo = 0, numBlocks-1, 1 do
+
+ if core.ukbhit() then
+ print("aborted by user")
+ break
+ end
+
+ pos = (math.floor( blockNo / 4 ) * 12)+1
+ key = akeys:sub(pos, pos + 11 )
+ cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blockNo ,arg2 = 0,arg3 = 0, data = key}
+ local err = core.SendCommand(cmd:getBytes())
+ if err then return oops(err) end
+ local blockdata, err = waitCmd()
+ if err then return oops(err) end
+
+ if blockNo%4 ~= 3 then
+ if blockNo < 8 then
+ -- Block 0-7 not encrypted
+ blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata)
+ else
+ local base = ('%s%s%02x%s'):format(block0, block1, blockNo, HASHCONSTANT)
+ local baseStr = utils.ConvertHexToAscii(base)
+ local md5hash = md5.sumhexa(baseStr)
+ local aestest = core.aes(md5hash, blockdata)
+
+ local hex = utils.ConvertAsciiToBytes(aestest)
+ hex = utils.ConvertBytesToHex(hex)
+
+ -- blocks with zero not encrypted.
+ if string.find(blockdata, '^0+$') then
+ blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata)
+ else
+ blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,hex)
+ io.write( blockNo..',')
+ end
+ end
+ else
+ -- Sectorblocks, not encrypted
+ blocks[blockNo+1] = ('%02d :: %s%s'):format(blockNo,key,blockdata:sub(13,32))
+ end
+ end
+ io.write('\n')
+
+ core.clearCommandBuffer()
+
+ -- Print results
+ local bindata = {}
+ local emldata = ''
+
+ for _,s in pairs(blocks) do
+ local slice = s:sub(8,#s)
+ local str = utils.ConvertBytesToAscii(
+ utils.ConvertHexToBytes(slice)
+ )
+ emldata = emldata..slice..'\n'
+ for c in (str):gmatch('.') do
+ bindata[#bindata+1] = c
+ end
+ end
+
+ -- Write dump to files
+ if not DEBUG then
+ local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'.bin')
+ print(("Wrote a BIN dump to the file %s"):format(foo))
+ local bar = dumplib.SaveAsText(emldata, outputTemplate..'.eml')
+ print(("Wrote a EML dump to the file %s"):format(bar))
+ end
+
+ local uid = block0:sub(1,8)
+ local itemtype = block1:sub(1,4)
+ local cardid = block1:sub(9,24)
+
+ -- Show info
+ print( string.rep('--',20) )
+ print( (' ITEM TYPE : 0x%s - %s'):format(itemtype, toyNames[itemtype]) )
+ print( (' UID : 0x%s'):format(uid) )
+ print( (' CARDID : 0x%s'):format(cardid ) )
+ print( string.rep('--',20) )
+
+end
+main(args)
\ No newline at end of file
--- /dev/null
+local cmds = require('commands')
+local getopt = require('getopt')
+local bin = require('bin')
+local lib14a = require('read14a')
+local utils = require('utils')
+local md5 = require('md5')
+local toyNames = require('default_toys')
+
+example =[[
+ 1. script run tnp3sim
+ 2. script run tnp3sim -m
+ 3. script run tnp3sim -m -i myfile
+]]
+author = "Iceman"
+usage = "script run tnp3sim -h -m -i <filename>"
+desc =[[
+This script will try to load a binary datadump of a Mifare TNP3xxx card.
+It vill try to validate all checksums and view some information stored in the dump
+For an experimental mode, it tries to manipulate some data.
+At last it sends all data to the PM3 device memory where it can be used in the command "hf mf sim"
+
+Arguments:
+ -h : this help
+ -m : Maxed out items (experimental)
+ -i : filename for the datadump to read (bin)
+]]
+
+local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds
+local DEBUG = true -- the debug flag
+---
+-- A debug printout-function
+function dbg(args)
+ if not DEBUG then
+ return
+ end
+
+ if type(args) == "table" then
+ local i = 1
+ while result[i] do
+ dbg(result[i])
+ i = i+1
+ end
+ else
+ print("###", args)
+ end
+end
+---
+-- This is only meant to be used when errors occur
+function oops(err)
+ print("ERROR: ",err)
+end
+---
+-- Usage help
+function help()
+ print(desc)
+ print("Example usage")
+ print(example)
+end
+--
+-- Exit message
+function ExitMsg(msg)
+ print( string.rep('--',20) )
+ print( string.rep('--',20) )
+ print(msg)
+ print()
+end
+
+
+local function writedumpfile(infile)
+ t = infile:read("*all")
+ len = string.len(t)
+ local len,hex = bin.unpack(("H%d"):format(len),t)
+ return hex
+end
+-- blocks with data
+-- there are two dataareas, in block 8 or block 36, ( 1==8 ,
+-- checksum type = 0, 1, 2, 3
+local function GetCheckSum(blocks, dataarea, chksumtype)
+
+ local crc
+ local area = 36
+ if dataarea == 1 then
+ area = 8
+ end
+
+ if chksumtype == 0 then
+ crc = blocks[1]:sub(29,32)
+ elseif chksumtype == 1 then
+ crc = blocks[area]:sub(29,32)
+ elseif chksumtype == 2 then
+ crc = blocks[area]:sub(25,28)
+ elseif chksumtype == 3 then
+ crc = blocks[area]:sub(21,24)
+ end
+ return utils.SwapEndianness(crc,16)
+end
+
+local function SetCheckSum(blocks, chksumtype)
+
+ if blocks == nil then return nil, 'Argument \"blocks\" nil' end
+ local newcrc
+ local area1 = 8
+ local area2 = 36
+
+ if chksumtype == 0 then
+ newcrc = ('%04X'):format(CalcCheckSum(blocks,1,0))
+ blocks[1] = blocks[1]:sub(1,28)..newcrc:sub(3,4)..newcrc:sub(1,2)
+ elseif chksumtype == 1 then
+ newcrc = ('%04X'):format(CalcCheckSum(blocks,1,1))
+ blocks[area1] = blocks[area1]:sub(1,28)..newcrc:sub(3,4)..newcrc:sub(1,2)
+ newcrc = ('%04X'):format(CalcCheckSum(blocks,2,1))
+ blocks[area2] = blocks[area2]:sub(1,28)..newcrc:sub(3,4)..newcrc:sub(1,2)
+ elseif chksumtype == 2 then
+ newcrc = ('%04X'):format(CalcCheckSum(blocks,1,2))
+ blocks[area1] = blocks[area1]:sub(1,24)..newcrc:sub(3,4)..newcrc:sub(1,2)..blocks[area1]:sub(29,32)
+ newcrc = ('%04X'):format(CalcCheckSum(blocks,2,2))
+ blocks[area2] = blocks[area2]:sub(1,24)..newcrc:sub(3,4)..newcrc:sub(1,2)..blocks[area2]:sub(29,32)
+ elseif chksumtype == 3 then
+ newcrc = ('%04X'):format(CalcCheckSum(blocks,1,3))
+ blocks[area1] = blocks[area1]:sub(1,20)..newcrc:sub(3,4)..newcrc:sub(1,2)..blocks[area1]:sub(25,32)
+ newcrc = ('%04X'):format(CalcCheckSum(blocks,2,3))
+ blocks[area2] = blocks[area2]:sub(1,20)..newcrc:sub(3,4)..newcrc:sub(1,2)..blocks[area2]:sub(25,32)
+ end
+end
+
+function CalcCheckSum(blocks, dataarea, chksumtype)
+ local area = 36
+ if dataarea == 1 then
+ area = 8
+ end
+
+ if chksumtype == 0 then
+ data = blocks[0]..blocks[1]:sub(1,28)
+ elseif chksumtype == 1 then
+ data = blocks[area]:sub(1,28)..'0500'
+ elseif chksumtype == 2 then
+ data = blocks[area+1]..blocks[area+2]..blocks[area+4]
+ elseif chksumtype == 3 then
+ data = blocks[area+5]..blocks[area+6]..blocks[area+8]..string.rep('00',0xe0)
+ end
+ return utils.Crc16(data)
+end
+
+local function ValidateCheckSums(blocks)
+
+ local isOk, crc, calc
+ -- Checksum Type 0
+ crc = GetCheckSum(blocks,1,0)
+ calc = CalcCheckSum(blocks, 1, 0)
+ if crc == calc then isOk='Ok' else isOk = 'Error' end
+ io.write( ('TYPE 0 : %04x = %04x -- %s\n'):format(crc,calc,isOk))
+
+ -- Checksum Type 1 (DATAAREAHEADER 1)
+ crc = GetCheckSum(blocks,1,1)
+ calc = CalcCheckSum(blocks,1,1)
+ if crc == calc then isOk='Ok' else isOk = 'Error' end
+ io.write( ('TYPE 1 area 1: %04x = %04x -- %s\n'):format(crc,calc,isOk))
+
+ -- Checksum Type 1 (DATAAREAHEADER 2)
+ crc = GetCheckSum(blocks,2,1)
+ calc = CalcCheckSum(blocks,2,1)
+ if crc == calc then isOk='Ok' else isOk = 'Error' end
+ io.write( ('TYPE 1 area 2: %04x = %04x -- %s\n'):format(crc,calc,isOk))
+
+ -- Checksum Type 2 (DATAAREA 1)
+ crc = GetCheckSum(blocks,1,2)
+ calc = CalcCheckSum(blocks,1,2)
+ if crc == calc then isOk='Ok' else isOk = 'Error' end
+ io.write( ('TYPE 2 area 1: %04x = %04x -- %s\n'):format(crc,calc,isOk))
+
+ -- Checksum Type 2 (DATAAREA 2)
+ crc = GetCheckSum(blocks,2,2)
+ calc = CalcCheckSum(blocks,2,2)
+ if crc == calc then isOk='Ok' else isOk = 'Error' end
+ io.write( ('TYPE 2 area 2: %04x = %04x -- %s\n'):format(crc,calc,isOk))
+
+ -- Checksum Type 3 (DATAAREA 1)
+ crc = GetCheckSum(blocks,1,3)
+ calc = CalcCheckSum(blocks,1,3)
+ if crc == calc then isOk='Ok' else isOk = 'Error' end
+ io.write( ('TYPE 3 area 1: %04x = %04x -- %s\n'):format(crc,calc,isOk))
+
+ -- Checksum Type 3 (DATAAREA 2)
+ crc = GetCheckSum(blocks,2,3)
+ calc = CalcCheckSum(blocks,2,3)
+ if crc == calc then isOk='Ok' else isOk = 'Error' end
+ io.write( ('TYPE 3 area 2: %04x = %04x -- %s\n'):format(crc,calc,isOk))
+end
+
+
+local function LoadEmulator(blocks)
+ local HASHCONSTANT = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20'
+ local cmd
+ local blockdata
+ for _,b in pairs(blocks) do
+
+ blockdata = b
+
+ if _%4 ~= 3 then
+ if (_ >= 8 and _<=21) or (_ >= 36 and _<=49) then
+ local base = ('%s%s%02x%s'):format(blocks[0], blocks[1], _ , HASHCONSTANT)
+ local baseStr = utils.ConvertHexToAscii(base)
+ local key = md5.sumhexa(baseStr)
+ local enc = core.aes(key, blockdata)
+ local hex = utils.ConvertAsciiToBytes(enc)
+ hex = utils.ConvertBytesToHex(hex)
+
+ blockdata = hex
+ io.write( _..',')
+ end
+ end
+
+ cmd = Command:new{cmd = cmds.CMD_MIFARE_EML_MEMSET, arg1 = _ ,arg2 = 1,arg3 = 0, data = blockdata}
+ local err = core.SendCommand(cmd:getBytes())
+ if err then
+ return err
+ end
+ end
+ io.write('\n')
+end
+
+local function main(args)
+
+ print( string.rep('--',20) )
+ print( string.rep('--',20) )
+
+ local result, err, hex
+ local maxed = false
+ local inputTemplate = "dumpdata.bin"
+ local outputTemplate = os.date("toydump_%Y-%m-%d_%H%M");
+
+ -- Arguments for the script
+ for o, a in getopt.getopt(args, 'hmi:o:') do
+ if o == "h" then return help() end
+ if o == "m" then maxed = true end
+ if o == "o" then outputTemplate = a end
+ if o == "i" then inputTemplate = a end
+ end
+
+ -- Turn off Debug
+ local cmdSetDbgOff = "hf mf dbg 0"
+ core.console( cmdSetDbgOff)
+
+ -- Look for tag present on reader,
+ result, err = lib14a.read1443a(false)
+ if not result then return oops(err) end
+
+ core.clearCommandBuffer()
+
+ if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
+ return oops('This is not a TNP3xxx tag. aborting.')
+ end
+
+ -- Show tag info
+ print((' Found tag : %s'):format(result.name))
+
+ -- Load dump.bin file
+ print( (' Load data from %s'):format(inputTemplate))
+ hex, err = utils.ReadDumpFile(inputTemplate)
+ if not hex then return oops(err) end
+
+ local blocks = {}
+ local blockindex = 0
+ for i = 1, #hex, 32 do
+ blocks[blockindex] = hex:sub(i,i+31)
+ blockindex = blockindex + 1
+ end
+
+ if DEBUG then
+ print('Validating checksums in the loaded datadump')
+ ValidateCheckSums(blocks)
+ end
+
+ --
+ print( string.rep('--',20) )
+ print(' Gathering info')
+ local uid = blocks[0]:sub(1,8)
+ local itemtype = blocks[1]:sub(1,4)
+ local cardid = blocks[1]:sub(9,24)
+
+ -- Show info
+ print( string.rep('--',20) )
+ print( (' ITEM TYPE : 0x%s - %s'):format(itemtype, toyNames[itemtype]) )
+ print( (' UID : 0x%s'):format(uid) )
+ print( (' CARDID : 0x%s'):format(cardid ) )
+ print( string.rep('--',20) )
+
+ -- lets do something.
+ --
+ local experience = blocks[8]:sub(1,6)
+ print(('Experience : %d'):format(utils.SwapEndianness(experience,24)))
+ local money = blocks[8]:sub(7,10)
+ print(('Money : %d'):format(utils.SwapEndianness(money,16)))
+ local fairy = blocks[9]:sub(1,8)
+ --FD0F = Left, FF0F = Right
+ local path = 'not choosen'
+ if fairy:sub(2,2) == 'D' then
+ path = 'Left'
+ elseif fairy:sub(2,2) == 'F' then
+ path = 'Right'
+ end
+ print(('Fairy : %d [Path: %s] '):format(utils.SwapEndianness(fairy,24),path))
+
+ local hat = blocks[9]:sub(8,11)
+ print(('Hat : %d'):format(utils.SwapEndianness(hat,16)))
+
+ --0x0D 0x29 0x0A 0x02 16-bit hero points value. Maximum 100.
+ local heropoints = blocks[13]:sub(20,23)
+ print(('Hero points : %d'):format(utils.SwapEndianness(heropoints,16)))
+
+ --0x10 0x2C 0x0C 0x04 32 bit flag value indicating heroic challenges completed.
+ local challenges = blocks[16]:sub(25,32)
+ print(('Finished hero challenges : %d'):format(utils.SwapEndianness(challenges,32)))
+
+ if maxed then
+ print('Lets try to max out some values')
+ -- max out money, experience
+ --print (blocks[8])
+ blocks[8] = 'FFFFFF'..'FFFF'..blocks[8]:sub(11,32)
+ blocks[36] = 'FFFFFF'..'FFFF'..blocks[36]:sub(11,32)
+ --print (blocks[8])
+
+ -- max out hero challenges
+ --print (blocks[16])
+ blocks[16] = blocks[16]:sub(1,24)..'FFFFFFFF'
+ blocks[44] = blocks[44]:sub(1,24)..'FFFFFFFF'
+ --print (blocks[16])
+
+ -- max out heropoints
+ --print (blocks[13])
+ blocks[13] = blocks[13]:sub(1,19)..'0064'..blocks[13]:sub(24,32)
+ blocks[41] = blocks[41]:sub(1,19)..'0064'..blocks[41]:sub(24,32)
+ --print (blocks[13])
+
+ -- Update Checksums
+ print('Updating all checksums')
+ SetCheckSum(blocks, 3)
+ SetCheckSum(blocks, 2)
+ SetCheckSum(blocks, 1)
+ SetCheckSum(blocks, 0)
+
+ print('Validating all checksums')
+ ValidateCheckSums(blocks)
+ end
+
+ --Load dumpdata to emulator memory
+ if DEBUG then
+ print('Sending dumpdata to emulator memory')
+ err = LoadEmulator(blocks)
+ if err then return oops(err) end
+ core.clearCommandBuffer()
+ print('The simulation is now prepared.\n --> run \"hf mf sim 5 '..uid..'\" <--')
+ end
+end
+main(args)
\ No newline at end of file
#endif
// log files functions
-void AddLogLine(char *fileName, char *extData, char *c) {
+void AddLogLine(char *file, char *extData, char *c) {
FILE *fLog = NULL;
-
- fLog = fopen(fileName, "a");
+ char filename[FILE_PATH_SIZE] = {0x00};
+ int len = 0;
+
+ len = strlen(file);
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+ memcpy(filename, file, len);
+
+ fLog = fopen(filename, "a");
if (!fLog) {
- printf("Could not append log file %s", fileName);
+ printf("Could not append log file %s", filename);
return;
}
#include <string.h>
#include <ctype.h>
#include <time.h>
+#include "data.h"
#ifndef MIN
# define MIN(a, b) (((a) < (b)) ? (a) : (b))
#include "crc16.h"
+
unsigned short update_crc16( unsigned short crc, unsigned char c )
{
unsigned short i, v, tcrc = 0;
return ((crc >> 8) ^ tcrc)&0xffff;
}
+
+uint16_t crc16(uint8_t const *message, int length, uint16_t remainder, uint16_t polynomial) {
+
+ if (length == 0)
+ return (~remainder);
+
+ for (int byte = 0; byte < length; ++byte) {
+ remainder ^= (message[byte] << 8);
+ for (uint8_t bit = 8; bit > 0; --bit) {
+ if (remainder & 0x8000) {
+ remainder = (remainder << 1) ^ polynomial;
+ } else {
+ remainder = (remainder << 1);
+ }
+ }
+ }
+ return remainder;
+}
+
+uint16_t crc16_ccitt(uint8_t const *message, int length) {
+ return crc16(message, length, 0xffff, 0x1021);
+}
//-----------------------------------------------------------------------------
// CRC16
//-----------------------------------------------------------------------------
+#include <stdint.h>
#ifndef __CRC16_H
#define __CRC16_H
-
unsigned short update_crc16(unsigned short crc, unsigned char c);
-
+uint16_t crc16(uint8_t const *message, int length, uint16_t remainder, uint16_t polynomial);
+uint16_t crc16_ccitt(uint8_t const *message, int length);
#endif
#define PIO_PDR (AT91_CAST(AT91_REG *) 0x00000004) // (PIO_PDR) PIO Disable Register
#define PIO_PSR (AT91_CAST(AT91_REG *) 0x00000008) // (PIO_PSR) PIO Status Register
#define PIO_OER (AT91_CAST(AT91_REG *) 0x00000010) // (PIO_OER) Output Enable Register
-#define PIO_ODR (AT91_CAST(AT91_REG *) 0x00000014) // (PIO_ODR) Output Disable Registerr
+#define PIO_ODR (AT91_CAST(AT91_REG *) 0x00000014) // (PIO_ODR) Output Disable Register
#define PIO_OSR (AT91_CAST(AT91_REG *) 0x00000018) // (PIO_OSR) Output Status Register
#define PIO_IFER (AT91_CAST(AT91_REG *) 0x00000020) // (PIO_IFER) Input Filter Enable Register
#define PIO_IFDR (AT91_CAST(AT91_REG *) 0x00000024) // (PIO_IFDR) Input Filter Disable Register
#define CMD_SIMULATE_TAG_LEGIC_RF 0x0387
#define CMD_READER_LEGIC_RF 0x0388
#define CMD_WRITER_LEGIC_RF 0x0389
+
#define CMD_EPA_PACE_COLLECT_NONCE 0x038A
+//#define CMD_EPA_ 0x038B
#define CMD_SNOOP_ICLASS 0x0392
#define CMD_SIMULATE_TAG_ICLASS 0x0393
projects / proxmark3-svn / commitdiff