static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len)
{
-- uint8_t par[MAX_PARITY_SIZE];
++ uint8_t par[MAX_PARITY_SIZE] = {0};
GetParity(cmd, len, par);
CodeIso14443aAsTagPar(cmd, len, par);
// of bits specified in the delay parameter.
void PrepareDelayedTransfer(uint16_t delay)
{
++ delay &= 0x07;
++ if (!delay) return;
++
uint8_t bitmask = 0;
uint8_t bits_to_shift = 0;
uint8_t bits_shifted = 0;
++ uint16_t i = 0;
++
++ for (i = 0; i < delay; ++i)
++ bitmask |= (0x01 << i);
-- delay &= 0x07;
-- if (delay) {
-- for (uint16_t i = 0; i < delay; i++) {
-- bitmask |= (1 << i);
-- }
ToSend[++ToSendMax] = 0x00;
-- for (uint16_t i = 0; i < ToSendMax; i++) {
++
++ for (i = 0; i < ToSendMax; ++i) {
bits_to_shift = ToSend[i] & bitmask;
ToSend[i] = ToSend[i] >> delay;
ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
bits_shifted = bits_to_shift;
}
}
--}
//-------------------------------------------------------------------------------------
uint32_t ThisTransferTime = 0;
if (timing) {
-- if(*timing == 0) { // Measure time
++
++ if (*timing != 0)
++ // Delay transfer (fine tuning - up to 7 MF clock ticks)
++ PrepareDelayedTransfer(*timing & 0x00000007);
++ else
++ // Measure time
*timing = (GetCountSspClk() + 8) & 0xfffffff8;
-- } else {
-- PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
-- }
-- if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
++
-- while(GetCountSspClk() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
++ if (MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8))
++ Dbprintf("TransmitFor14443a: Missed timing");
++
++ // Delay transfer (multiple of 8 MF clock ticks)
++ while (GetCountSspClk() < (*timing & 0xfffffff8));
++
LastTimeProxToAirStart = *timing;
} else {
ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
++
while(GetCountSspClk() < ThisTransferTime);
++
LastTimeProxToAirStart = ThisTransferTime;
}
if (nt1 == nt2) return 0;
++ uint16_t i;
uint32_t nttmp1 = nt1;
uint32_t nttmp2 = nt2;
-- for (uint16_t i = 1; i < 0xFFFF; i += 8) {
-- nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i;
-- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -i;
--
-- nttmp1 = prng_successor(nttmp1, 2); if (nttmp1 == nt2) return i+1;
-- nttmp2 = prng_successor(nttmp2, 2); if (nttmp2 == nt1) return -i-1;
--
-- nttmp1 = prng_successor(nttmp1, 3); if (nttmp1 == nt2) return i+2;
-- nttmp2 = prng_successor(nttmp2, 3); if (nttmp2 == nt1) return -i-2;
--
-- nttmp1 = prng_successor(nttmp1, 4); if (nttmp1 == nt2) return i+3;
-- nttmp2 = prng_successor(nttmp2, 4); if (nttmp2 == nt1) return -i-3;
++ for (i = 1; i < 0xFFFF; i += 8) {
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i;
-- nttmp1 = prng_successor(nttmp1, 5); if (nttmp1 == nt2) return i+4;
-- nttmp2 = prng_successor(nttmp2, 5); if (nttmp2 == nt1) return -i-4;
--
-- nttmp1 = prng_successor(nttmp1, 6); if (nttmp1 == nt2) return i+5;
-- nttmp2 = prng_successor(nttmp2, 6); if (nttmp2 == nt1) return -i-5;
--
-- nttmp1 = prng_successor(nttmp1, 7); if (nttmp1 == nt2) return i+6;
-- nttmp2 = prng_successor(nttmp2, 7); if (nttmp2 == nt1) return -i-6;
--
-- nttmp1 = prng_successor(nttmp1, 8); if (nttmp1 == nt2) return i+7;
-- nttmp2 = prng_successor(nttmp2, 8); if (nttmp2 == nt1) return -i-7;
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+1;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+1;
++
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+2;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+2;
++
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+3;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+3;
++
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+4;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+4;
++
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+5;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+5;
++
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+6;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+6;
++
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+7;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+7;
++
++ nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+8;
++ nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+8;
++/*
++ if ( prng_successor(nttmp1, i) == nt2) return i;
++ if ( prng_successor(nttmp2, i) == nt1) return -i;
++
++ if ( prng_successor(nttmp1, i+2) == nt2) return i+2;
++ if ( prng_successor(nttmp2, i+2) == nt1) return -(i+2);
++
++ if ( prng_successor(nttmp1, i+3) == nt2) return i+3;
++ if ( prng_successor(nttmp2, i+3) == nt1) return -(i+3);
++
++ if ( prng_successor(nttmp1, i+4) == nt2) return i+4;
++ if ( prng_successor(nttmp2, i+4) == nt1) return -(i+4);
++
++ if ( prng_successor(nttmp1, i+5) == nt2) return i+5;
++ if ( prng_successor(nttmp2, i+5) == nt1) return -(i+5);
++
++ if ( prng_successor(nttmp1, i+6) == nt2) return i+6;
++ if ( prng_successor(nttmp2, i+6) == nt1) return -(i+6);
++
++ if ( prng_successor(nttmp1, i+7) == nt2) return i+7;
++ if ( prng_successor(nttmp2, i+7) == nt1) return -(i+7);
++
++ if ( prng_successor(nttmp1, i+8) == nt2) return i+8;
++ if ( prng_successor(nttmp2, i+8) == nt1) return -(i+8);
++*/
}
return(-99999); // either nt1 or nt2 are invalid nonces
// if we missed the sync time already, advance to the next nonce repeat
while(GetCountSspClk() > sync_time) {
++elapsed_prng_sequences;
-- sync_time = (sync_time & 0xfffffff8) + sync_cycles;
++ sync_time += sync_cycles;
}
// Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};\r
\r
uint32_t auth1_time, auth2_time;\r
-- static uint16_t delta_time;\r
++ static uint16_t delta_time = 0;\r
\r
LED_A_ON();\r
LED_C_OFF();\r
rtr--;\r
continue;\r
};\r
++ auth2_time = (delta_time) ? auth1_time + delta_time : 0;\r
\r
-- if (delta_time) {\r
-- auth2_time = auth1_time + delta_time;\r
-- } else {\r
-- auth2_time = 0;\r
-- }\r
if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");\r
rtr--;\r
\r
nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160\r
for (i = 101; i < 1200; i++) {\r
-- nttmp = prng_successor(nttmp, 1);\r
++ nttmp = prng_successor_one(nttmp);\r
if (nttmp == nt2) break;\r
}\r
\r
\r
// nested authentication\r
auth2_time = auth1_time + delta_time;\r
++\r
len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);\r
if (len != 4) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);\r
if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);\r
\r
// Parity validity check\r
-- for (j = 0; j < 4; j++) {\r
-- par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));\r
-- }\r
++// for (j = 0; j < 4; j++) {\r
++// par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));\r
++// }\r
++ par_array[0] = (oddparity8(receivedAnswer[0]) != ((par[0] >> (7-0)) & 0x01));\r
++ par_array[1] = (oddparity8(receivedAnswer[1]) != ((par[0] >> (7-1)) & 0x01));\r
++ par_array[2] = (oddparity8(receivedAnswer[2]) != ((par[0] >> (7-2)) & 0x01));\r
++ par_array[3] = (oddparity8(receivedAnswer[3]) != ((par[0] >> (7-3)) & 0x01));\r
\r
ncount = 0;\r
nttest = prng_successor(nt1, dmin - 1);\r
for (j = dmin; j < dmax + 1; j++) {\r
-- nttest = prng_successor(nttest, 1);\r
++ nttest = prng_successor_one(nttest);\r
ks1 = nt2 ^ nttest;\r
\r
if (valid_nonce(nttest, nt2, ks1, par_array)){\r
// ----------------------------- crypto1 destroy\r
crypto1_destroy(pcs);\r
\r
-- byte_t buf[4 + 4 * 4];\r
-- memcpy(buf, &cuid, 4);\r
++ byte_t buf[4 + 4 * 4] = {0};\r
++ num_to_bytes(cuid, 4, buf);\r
memcpy(buf+4, &target_nt[0], 4);\r
memcpy(buf+8, &target_ks[0], 4);\r
memcpy(buf+12, &target_nt[1], 4);\r
int OLD_MF_DBGLEVEL = MF_DBGLEVEL; \r
MF_DBGLEVEL = MF_DBG_NONE;\r
\r
++ LEDsoff();\r
LED_A_ON();\r
-- LED_B_OFF();\r
-- LED_C_OFF();\r
++ \r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
if (clearTrace) \r