From: Martin Holst Swende Date: Sat, 28 Jun 2014 10:47:40 +0000 (+0200) Subject: Merge remote-tracking branch 'origin/master' into iclass-fixes X-Git-Tag: v1.1.0~1^2^2 X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/6db28145eacac986d481ceadf7ee9fc1061555fd?hp=238c503c3878a5d257051370a3895c166b018a49 Merge remote-tracking branch 'origin/master' into iclass-fixes --- diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 8c224b6a..2061f6b3 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -862,7 +862,7 @@ void UsbPacketReceived(uint8_t *packet, int len) SnoopIClass(); break; case CMD_SIMULATE_TAG_ICLASS: - SimulateIClass(c->arg[0], c->d.asBytes); + SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); break; case CMD_READER_ICLASS: ReaderIClass(c->arg[0]); diff --git a/armsrc/apps.h b/armsrc/apps.h index 364efe4b..1ef0e472 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -157,7 +157,7 @@ void RAMFUNC SnoopIso14443a(uint8_t param); void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data); void ReaderIso14443a(UsbCommand * c); // Also used in iclass.c -bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t iSamples, uint32_t dwParity, bool bReader); +bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t iSamples, uint32_t dwParity, bool readerToTag); uint32_t GetParity(const uint8_t * pbtCmd, int iLen); void iso14a_set_trigger(bool enable); void iso14a_clear_trace(); @@ -199,9 +199,9 @@ void SetDebugIso15693(uint32_t flag); /// iclass.h void RAMFUNC SnoopIClass(void); -void SimulateIClass(uint8_t arg0, uint8_t *datain); +void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); void ReaderIClass(uint8_t arg0); - +//int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived); // hitag2.h void SnoopHitag(uint32_t type); void SimulateHitagTag(bool tag_mem_supplied, byte_t* data); diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 9c5e8b2b..d5cd366d 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -48,17 +48,6 @@ static int timeout = 4096; -// CARD TO READER -// Sequence D: 11110000 modulation with subcarrier during first half -// Sequence E: 00001111 modulation with subcarrier during second half -// Sequence F: 00000000 no modulation with subcarrier -// READER TO CARD -// Sequence X: 00001100 drop after half a period -// Sequence Y: 00000000 no drop -// Sequence Z: 11000000 drop at start -#define SEC_X 0x0c -#define SEC_Y 0x00 -#define SEC_Z 0xc0 static int SendIClassAnswer(uint8_t *resp, int respLen, int delay); @@ -666,12 +655,7 @@ static RAMFUNC int ManchesterDecoding(int v) //----------------------------------------------------------------------------- void RAMFUNC SnoopIClass(void) { -// DEFINED ABOVE -// #define RECV_CMD_OFFSET 3032 -// #define RECV_RES_OFFSET 3096 -// #define DMA_BUFFER_OFFSET 3160 -// #define DMA_BUFFER_SIZE 4096 -// #define TRACE_SIZE 3000 + // We won't start recording the frames that we acquire until we trigger; // a good trigger condition to get started is probably when we see a @@ -681,14 +665,10 @@ void RAMFUNC SnoopIClass(void) // The command (reader -> tag) that we're receiving. // The length of a received command will in most cases be no more than 18 bytes. // So 32 should be enough! - uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); + uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); // The response (tag -> reader) that we're receiving. - uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET); + uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET); - // As we receive stuff, we copy it from receivedCmd or receivedResponse - // into trace, along with its length and other annotations. - //uint8_t *trace = (uint8_t *)BigBuf; - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // reset traceLen to 0 @@ -708,10 +688,8 @@ void RAMFUNC SnoopIClass(void) int samples = 0; rsamples = 0; - memset(trace, 0x44, RECV_CMD_OFFSET); - // Set up the demodulator for tag -> reader responses. - Demod.output = receivedResponse; + Demod.output = tagToReaderResponse; Demod.len = 0; Demod.state = DEMOD_UNSYNCD; @@ -723,7 +701,7 @@ void RAMFUNC SnoopIClass(void) // And the reader -> tag commands memset(&Uart, 0, sizeof(Uart)); - Uart.output = receivedCmd; + Uart.output = readerToTagCmd; Uart.byteCntMax = 32; // was 100 (greg)//////////////////////////////////////////////////////////////////////// Uart.state = STATE_UNSYNCD; @@ -733,6 +711,9 @@ void RAMFUNC SnoopIClass(void) FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + uint32_t time_0 = GetCountSspClk(); + + int div = 0; //int div2 = 0; int decbyte = 0; @@ -766,20 +747,13 @@ void RAMFUNC SnoopIClass(void) //samples += 4; samples += 1; - //div2++; - //if(div2 > 3) { - //div2 = 0; - //decbyte ^= ((smpl & 0x01) << (3 - div)); - //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already... - //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better... if(smpl & 0xF) { decbyte ^= (1 << (3 - div)); } - //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div)); // FOR READER SIDE COMMUMICATION... - //decbyte ^= ((smpl & 0x10) << (3 - div)); + decbyter <<= 2; decbyter ^= (smpl & 0x30); @@ -790,21 +764,17 @@ void RAMFUNC SnoopIClass(void) if(OutOfNDecoding((smpl & 0xF0) >> 4)) { rsamples = samples - Uart.samples; LED_C_ON(); - //if(triggered) { - trace[traceLen++] = ((rsamples >> 0) & 0xff); - trace[traceLen++] = ((rsamples >> 8) & 0xff); - trace[traceLen++] = ((rsamples >> 16) & 0xff); - trace[traceLen++] = ((rsamples >> 24) & 0xff); - trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); - trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); - trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); - trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); - trace[traceLen++] = Uart.byteCnt; - memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); - traceLen += Uart.byteCnt; - if(traceLen > TRACE_SIZE) break; - //} - /* And ready to receive another command. */ + + //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break; + //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break; + if(tracing) + { + LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE); + LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE); + } + + + /* And ready to receive another command. */ Uart.state = STATE_UNSYNCD; /* And also reset the demod code, which might have been */ /* false-triggered by the commands from the reader. */ @@ -821,26 +791,16 @@ void RAMFUNC SnoopIClass(void) rsamples = samples - Demod.samples; LED_B_ON(); - // timestamp, as a count of samples - trace[traceLen++] = ((rsamples >> 0) & 0xff); - trace[traceLen++] = ((rsamples >> 8) & 0xff); - trace[traceLen++] = ((rsamples >> 16) & 0xff); - trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff); - trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff); - trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff); - trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff); - trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff); - // length - trace[traceLen++] = Demod.len; - memcpy(trace+traceLen, receivedResponse, Demod.len); - traceLen += Demod.len; - if(traceLen > TRACE_SIZE) break; - - //triggered = TRUE; + if(tracing) + { + LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE); + LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE); + } + // And ready to receive another response. memset(&Demod, 0, sizeof(Demod)); - Demod.output = receivedResponse; + Demod.output = tagToReaderResponse; Demod.state = DEMOD_UNSYNCD; LED_C_OFF(); } @@ -924,6 +884,8 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen) //----------------------------------------------------------------------------- static void CodeIClassTagAnswer(const uint8_t *cmd, int len) { + //So far a dummy implementation, not used + //int lastProxToAirDuration =0; int i; ToSendReset(); @@ -932,7 +894,7 @@ static void CodeIClassTagAnswer(const uint8_t *cmd, int len) ToSend[++ToSendMax] = 0x00; ToSend[++ToSendMax] = 0x00; ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xff; + ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here ToSend[++ToSendMax] = 0xff; ToSend[++ToSendMax] = 0xff; ToSend[++ToSendMax] = 0x00; @@ -960,11 +922,13 @@ static void CodeIClassTagAnswer(const uint8_t *cmd, int len) ToSend[++ToSendMax] = 0x00; ToSend[++ToSendMax] = 0xff; ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0xff; + ToSend[++ToSendMax] = 0xff; ToSend[++ToSendMax] = 0x00; ToSend[++ToSendMax] = 0x00; ToSend[++ToSendMax] = 0x00; + //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end + // Convert from last byte pos to length ToSendMax++; } @@ -972,8 +936,10 @@ static void CodeIClassTagAnswer(const uint8_t *cmd, int len) // Only SOF static void CodeIClassTagSOF() { - ToSendReset(); + //So far a dummy implementation, not used + //int lastProxToAirDuration =0; + ToSendReset(); // Send SOF ToSend[++ToSendMax] = 0x00; ToSend[++ToSendMax] = 0x00; @@ -983,39 +949,92 @@ static void CodeIClassTagSOF() ToSend[++ToSendMax] = 0xff; ToSend[++ToSendMax] = 0x00; ToSend[++ToSendMax] = 0xff; + +// lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning + // Convert from last byte pos to length ToSendMax++; } - -//----------------------------------------------------------------------------- -// Simulate iClass Card -// Only CSN (Card Serial Number) -// -//----------------------------------------------------------------------------- -void SimulateIClass(uint8_t arg0, uint8_t *datain) +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf); +/** + * @brief SimulateIClass simulates an iClass card. + * @param arg0 type of simulation + * - 0 uses the first 8 bytes in usb data as CSN + * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified + * in the usb data. This mode collects MAC from the reader, in order to do an offline + * attack on the keys. For more info, see "dismantling iclass" and proxclone.com. + * - Other : Uses the default CSN (031fec8af7ff12e0) + * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only) + * @param arg2 + * @param datain + */ +void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) { - uint8_t simType = arg0; - + uint32_t simType = arg0; + uint32_t numberOfCSNS = arg1; FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - // Enable and clear the trace - tracing = TRUE; - traceLen = 0; - memset(trace, 0x44, TRACE_SIZE); + // Enable and clear the trace + iso14a_set_tracing(TRUE); + iso14a_clear_trace(); + + uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 }; + if(simType == 0) { + // Use the CSN from commandline + memcpy(csn_crc, datain, 8); + doIClassSimulation(csn_crc,0,NULL); + }else if(simType == 1) + { + doIClassSimulation(csn_crc,0,NULL); + } + else if(simType == 2) + { + + uint8_t mac_responses[64] = { 0 }; + Dbprintf("Going into attack mode"); + // In this mode, a number of csns are within datain. We'll simulate each one, one at a time + // in order to collect MAC's from the reader. This can later be used in an offlne-attack + // in order to obtain the keys, as in the "dismantling iclass"-paper. + int i = 0; + for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++) + { + // The usb data is 512 bytes, fitting 65 8-byte CSNs in there. + + memcpy(csn_crc, datain+(i*8), 8); + if(doIClassSimulation(csn_crc,1,mac_responses)) + { + return; // Button pressed + } + } + cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8); + + } + else{ + // We may want a mode here where we hardcode the csns to use (from proxclone). + // That will speed things up a little, but not required just yet. + Dbprintf("The mode is not implemented, reserved for future use"); + } + Dbprintf("Done..."); + +} +/** + * @brief Does the actual simulation + * @param csn - csn to use + * @param breakAfterMacReceived if true, returns after reader MAC has been received. + */ +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf) +{ + // CSN followed by two CRC bytes uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t response3[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 }; - + uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0}; + memcpy(response3,csn,sizeof(response3)); + Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); // e-Purse uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - if(simType == 0) { - // Use the CSN from commandline - memcpy(response3, datain, 8); - } - // Construct anticollision-CSN rotateCSN(response3,response2); @@ -1023,6 +1042,7 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain) ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]); ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]); + int exitLoop = 0; // Reader 0a // Tag 0f // Reader 0c @@ -1056,7 +1076,7 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain) int resp4Len; // + 1720.. - uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); + uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); memset(receivedCmd, 0x44, RECV_CMD_SIZE); int len; @@ -1081,40 +1101,50 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain) // Start from off (no field generated) - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); - - + //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + //SpinDelay(200); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); + SpinDelay(100); + StartCountSspClk(); // We need to listen to the high-frequency, peak-detected path. SetAdcMuxFor(GPIO_MUXSEL_HIPKD); FpgaSetupSsc(); // To control where we are in the protocol int cmdsRecvd = 0; + uint32_t time_0 = GetCountSspClk(); + uint32_t t2r_time =0; + uint32_t r2t_time =0; LED_A_ON(); - for(;;) { + bool buttonPressed = false; + + /** Hack for testing + memcpy(reader_mac_buf,csn,8); + exitLoop = true; + end hack **/ + + while(!exitLoop) { + LED_B_OFF(); //Signal tracer // Can be used to get a trigger for an oscilloscope.. LED_C_OFF(); if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) { - DbpString("button press"); + buttonPressed = true; break; } + r2t_time = GetCountSspClk(); //Signal tracer LED_C_ON(); - // Okay, look at the command now. - if(receivedCmd[0] == 0x0a) { + if(receivedCmd[0] == 0x0a ) { // Reader in anticollission phase resp = resp1; respLen = resp1Len; //order = 1; respdata = &sof; respsize = sizeof(sof); - //resp = resp2; respLen = resp2Len; order = 2; - //DbpString("Hello request from reader:"); } else if(receivedCmd[0] == 0x0c) { // Reader asks for anticollission CSN resp = resp2; respLen = resp2Len; //order = 2; @@ -1136,30 +1166,32 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain) LED_B_ON(); } else if(receivedCmd[0] == 0x05) { // Reader random and reader MAC!!! - // Lets store this ;-) -/* - Dbprintf(" CSN: %02x %02x %02x %02x %02x %02x %02x %02x", - response3[0], response3[1], response3[2], - response3[3], response3[4], response3[5], - response3[6], response3[7]); -*/ - Dbprintf("READER AUTH (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x", - len, - receivedCmd[0], receivedCmd[1], receivedCmd[2], - receivedCmd[3], receivedCmd[4], receivedCmd[5], - receivedCmd[6], receivedCmd[7], receivedCmd[8]); - // Do not respond // We do not know what to answer, so lets keep quit resp = resp1; respLen = 0; //order = 5; respdata = NULL; respsize = 0; + if (breakAfterMacReceived){ + // TODO, actually return this to the caller instead of just + // dbprintf:ing ... + Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); + Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len, + receivedCmd[0], receivedCmd[1], receivedCmd[2], + receivedCmd[3], receivedCmd[4], receivedCmd[5], + receivedCmd[6], receivedCmd[7], receivedCmd[8]); + if (reader_mac_buf != NULL) + { + memcpy(reader_mac_buf,receivedCmd+1,8); + } + exitLoop = true; + } } else if(receivedCmd[0] == 0x00 && len == 1) { // Reader ends the session resp = resp1; respLen = 0; //order = 0; respdata = NULL; respsize = 0; } else { + //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44 // Never seen this command before Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x", len, @@ -1172,9 +1204,9 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain) respsize = 0; } - if(cmdsRecvd > 999) { - DbpString("1000 commands later..."); - break; + if(cmdsRecvd > 100) { + //DbpString("100 commands later..."); + //break; } else { cmdsRecvd++; @@ -1182,25 +1214,36 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain) if(respLen > 0) { SendIClassAnswer(resp, respLen, 21); + t2r_time = GetCountSspClk(); } - + if (tracing) { - LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE); + LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE); + LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE); + if (respdata != NULL) { - LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE); + LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE); + LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE); + + } - if(traceLen > TRACE_SIZE) { + if(!tracing) { DbpString("Trace full"); - break; + //break; } - } + } memset(receivedCmd, 0x44, RECV_CMD_SIZE); } - Dbprintf("%x", cmdsRecvd); + //Dbprintf("%x", cmdsRecvd); LED_A_OFF(); LED_B_OFF(); + if(buttonPressed) + { + DbpString("Button pressed"); + } + return buttonPressed; } static int SendIClassAnswer(uint8_t *resp, int respLen, int delay) @@ -1433,7 +1476,7 @@ void ReaderIClass(uint8_t arg0) { FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Reset trace buffer - memset(trace, 0x44, RECV_CMD_OFFSET); + memset(trace, 0x44, RECV_CMD_OFFSET); traceLen = 0; // Setup SSC diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 099e1d68..d5dd05ca 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -190,8 +190,9 @@ void AppendCrc14443a(uint8_t* data, int len) } // The function LogTrace() is also used by the iClass implementation in iClass.c -bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t timestamp, uint32_t dwParity, bool bReader) +bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t timestamp, uint32_t dwParity, bool readerToTag) { + if (!tracing) return FALSE; // Return when trace is full if (traceLen + sizeof(timestamp) + sizeof(dwParity) + iLen >= TRACE_SIZE) { tracing = FALSE; // don't trace any more @@ -203,7 +204,8 @@ bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t timestamp, trace[traceLen++] = ((timestamp >> 8) & 0xff); trace[traceLen++] = ((timestamp >> 16) & 0xff); trace[traceLen++] = ((timestamp >> 24) & 0xff); - if (!bReader) { + + if (!readerToTag) { trace[traceLen - 1] |= 0x80; } trace[traceLen++] = ((dwParity >> 0) & 0xff); @@ -1859,8 +1861,10 @@ void ReaderIso14443a(UsbCommand *c) if(param & ISO14A_APPEND_CRC) { AppendCrc14443a(cmd,len); len += 2; + lenbits += 16; } if(lenbits>0) { + ReaderTransmitBitsPar(cmd,lenbits,GetParity(cmd,lenbits/8), NULL); } else { ReaderTransmit(cmd,len, NULL); diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index f807e972..b8e1e098 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type #include "data.h" //#include "proxusb.h" @@ -21,10 +22,137 @@ #include "cmdhficlass.h" #include "common.h" #include "util.h" +#include "cmdmain.h" static int CmdHelp(const char *Cmd); +int xorbits_8(uint8_t val) +{ + uint8_t res = val ^ (val >> 1); //1st pass + res = res ^ (res >> 1); // 2nd pass + res = res ^ (res >> 2); // 3rd pass + res = res ^ (res >> 4); // 4th pass + return res & 1; +} + int CmdHFiClassList(const char *Cmd) +{ + + bool ShowWaitCycles = false; + char param = param_getchar(Cmd, 0); + + if (param != 0) { + PrintAndLog("List data in trace buffer."); + PrintAndLog("Usage: hf iclass list"); + PrintAndLog("h - help"); + PrintAndLog("sample: hf iclass list"); + return 0; + } + + uint8_t got[1920]; + GetFromBigBuf(got,sizeof(got),0); + WaitForResponse(CMD_ACK,NULL); + + PrintAndLog("Recorded Activity"); + PrintAndLog(""); + PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer"); + PrintAndLog("All times are in carrier periods (1/13.56Mhz)"); + PrintAndLog(""); + PrintAndLog(" Start | End | Src | Data"); + PrintAndLog("-----------|-----------|-----|--------"); + + int i; + uint32_t first_timestamp = 0; + uint32_t timestamp; + bool tagToReader; + uint32_t parityBits; + uint8_t len; + uint8_t *frame; + uint32_t EndOfTransmissionTimestamp = 0; + + + for( i=0; i < 1900;) + { + //First 32 bits contain + // isResponse (1 bit) + // timestamp (remaining) + //Then paritybits + //Then length + timestamp = *((uint32_t *)(got+i)); + parityBits = *((uint32_t *)(got+i+4)); + len = got[i+8]; + frame = (got+i+9); + uint32_t next_timestamp = (*((uint32_t *)(got+i+9))) & 0x7fffffff; + + tagToReader = timestamp & 0x80000000; + timestamp &= 0x7fffffff; + + if(i==0) { + first_timestamp = timestamp; + } + + // Break and stick with current result if buffer was not completely full + if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break; + + char line[1000] = ""; + + if(len)//We have some data to display + { + int j,oddparity; + + for(j = 0; j < len ; j++) + { + oddparity = 0x01 ^ xorbits_8(frame[j] & 0xFF); + + if (tagToReader && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) { + sprintf(line+(j*4), "%02x! ", frame[j]); + } else { + sprintf(line+(j*4), "%02x ", frame[j]); + } + } + }else + { + if (ShowWaitCycles) { + sprintf(line, "fdt (Frame Delay Time): %d", (next_timestamp - timestamp)); + } + } + + char *crc = ""; + + if(len > 2) + { + uint8_t b1, b2; + if(!tagToReader && len == 4) { + // Rough guess that this is a command from the reader + // For iClass the command byte is not part of the CRC + ComputeCrc14443(CRC_ICLASS, &frame[1], len-3, &b1, &b2); + } + else { + // For other data.. CRC might not be applicable (UPDATE commands etc.) + ComputeCrc14443(CRC_ICLASS, frame, len-2, &b1, &b2); + } + + if (b1 != frame[len-2] || b2 != frame[len-1]) { + crc = (tagToReader & (len < 8)) ? "" : " !crc"; + } + } + + i += (len + 9); + EndOfTransmissionTimestamp = (*((uint32_t *)(got+i))) & 0x7fffffff; + + // Not implemented for iclass on the ARM-side + //if (!ShowWaitCycles) i += 9; + + PrintAndLog(" %9d | %9d | %s | %s %s", + (timestamp - first_timestamp), + (EndOfTransmissionTimestamp - first_timestamp), + (len?(tagToReader ? "Tag" : "Rdr"):" "), + line, crc); + } + return 0; +} + +int CmdHFiClassListOld(const char *Cmd) { uint8_t got[1920]; GetFromBigBuf(got,sizeof(got),0); @@ -50,7 +178,9 @@ int CmdHFiClassList(const char *Cmd) isResponse = 0; } + int metric = 0; + int parityBits = *((uint32_t *)(got+i+4)); // 4 bytes of additional information... // maximum of 32 additional parity bit information @@ -177,31 +307,92 @@ int CmdHFiClassSim(const char *Cmd) uint8_t simType = 0; uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0}; - if (strlen(Cmd)<2) { - PrintAndLog("Usage: hf iclass sim "); + if (strlen(Cmd)<1) { + PrintAndLog("Usage: hf iclass sim [0 ] | x"); + PrintAndLog(" options"); + PrintAndLog(" 0 simulate the given CSN"); + PrintAndLog(" 1 simulate default CSN"); + PrintAndLog(" 2 iterate CSNs, gather MACs"); PrintAndLog(" sample: hf iclass sim 0 031FEC8AF7FF12E0"); + PrintAndLog(" sample: hf iclass sim 2"); return 0; } simType = param_get8(Cmd, 0); - if (param_gethex(Cmd, 1, CSN, 16)) { - PrintAndLog("A CSN should consist of 16 HEX symbols"); - return 1; - } - PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8)); - UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType}}; - memcpy(c.d.asBytes, CSN, 8); - SendCommand(&c); - - /*UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500); - if (resp != NULL) { - uint8_t isOK = resp->arg[0] & 0xff; - PrintAndLog("isOk:%02x", isOK); - } else { - PrintAndLog("Command execute timeout"); - }*/ + if(simType == 0) + { + if (param_gethex(Cmd, 1, CSN, 16)) { + PrintAndLog("A CSN should consist of 16 HEX symbols"); + return 1; + } + PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8)); + } + if(simType > 2) + { + PrintAndLog("Undefined simptype %d", simType); + return 1; + } + uint8_t numberOfCSNs=0; + + if(simType == 2) + { + UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,63}}; + UsbCommand resp = {0}; + + uint8_t csns[64] = { + 0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 , + 0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 , + 0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 , + 0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 , + 0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 , + 0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 , + 0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 , + 0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 }; + + memcpy(c.d.asBytes, csns, 64); + + SendCommand(&c); + if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) { + PrintAndLog("Command timed out"); + return 0; + } + + uint8_t num_mac_responses = resp.arg[1]; + PrintAndLog("Mac responses: %d MACs obtained (should be 8)", num_mac_responses); + + size_t datalen = 8*24; + /* + * Now, time to dump to file. We'll use this format: + * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>.... + * So, it should wind up as + * 8 * 24 bytes. + * + * The returndata from the pm3 is on the following format + * <4 byte NR><4 byte MAC> + * CC are all zeroes, CSN is the same as was sent in + **/ + void* dump = malloc(datalen); + memset(dump,0,datalen);//<-- Need zeroes for the CC-field + uint8_t i = 0; + for(i = 0 ; i < 8 ; i++) + { + memcpy(dump+i*24, csns+i*8,8); //CSN + //8 zero bytes here... + //Then comes NR_MAC (eight bytes from the response) + memcpy(dump+i*24+16,resp.d.asBytes+i*8,8); + + } + /** Now, save to dumpfile **/ + saveFile("iclass_mac_attack", "bin", dump,datalen); + free(dump); + }else + { + UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}}; + memcpy(c.d.asBytes, CSN, 8); + SendCommand(&c); + } return 0; } @@ -254,3 +445,53 @@ int CmdHelp(const char *Cmd) CmdsHelp(CommandTable); return 0; } + +/** + * @brief checks if a file exists + * @param filename + * @return + */ +int fileExists(const char *filename) { + struct stat st; + int result = stat(filename, &st); + return result == 0; +} +/** + * @brief Utility function to save data to a file. This method takes a preferred name, but if that + * file already exists, it tries with another name until it finds something suitable. + * E.g. dumpdata-15.txt + * @param preferredName + * @param suffix the file suffix. Leave out the ".". + * @param data The binary data to write to the file + * @param datalen the length of the data + * @return 0 for ok, 1 for failz + */ +int saveFile(const char *preferredName, const char *suffix, const void* data, size_t datalen) +{ + FILE *f = fopen(preferredName, "wb"); + int size = sizeof(char) * (strlen(preferredName)+strlen(suffix)+5); + char * fileName = malloc(size); + + memset(fileName,0,size); + int num = 1; + sprintf(fileName,"%s.%s", preferredName, suffix); + while(fileExists(fileName)) + { + sprintf(fileName,"%s-%d.%s", preferredName, num, suffix); + num++; + } + /* We should have a valid filename now, e.g. dumpdata-3.bin */ + + /*Opening file for writing in binary mode*/ + FILE *fileHandle=fopen(fileName,"wb"); + if(!f) { + PrintAndLog("Failed to write to file '%s'", fileName); + return 0; + } + fwrite(data, 1, datalen, fileHandle); + fclose(fileHandle); + PrintAndLog("Saved data to '%s'", fileName); + + free(fileName); + return 0; +} diff --git a/client/cmdhficlass.h b/client/cmdhficlass.h index c1bf60c7..98c79e4b 100644 --- a/client/cmdhficlass.h +++ b/client/cmdhficlass.h @@ -18,5 +18,6 @@ int CmdHFiClassSnoop(const char *Cmd); int CmdHFiClassSim(const char *Cmd); int CmdHFiClassList(const char *Cmd); int CmdHFiClassReader(const char *Cmd); +int saveFile(const char *preferredName, const char *suffix, const void* data, size_t datalen); #endif