From 0014cb46da1bb7e0dfaa1d2cc8a291c6ab4ac1b3 Mon Sep 17 00:00:00 2001 From: "Merlokbr@gmail.com" Date: Sat, 25 Jun 2011 13:03:01 +0000 Subject: [PATCH 1/1] 1. emulator works. tested on ARC1302, NXP pegoda, touchtag, my firm's readers. 2. added increment, decrement, restore, transfer commands 3. fixed several small bugs and small code cleaning 4. there is strange behavier in the emulator: for 7BUID is seems that there is must be a feature that cam make work card withouth 2nd anticollision loop. NXP reader authenticates, but cant read card contents. all the rest readers works, BUT.... my 7BUID mifare card dont work AT ALL .... I dont know what i should do ) --- armsrc/iso14443a.c | 152 ++++++++++++++++++++++++++++++-------------- armsrc/mifareutil.c | 46 ++++++++++++++ armsrc/mifareutil.h | 26 +++++--- client/cmdhfmf.c | 6 +- 4 files changed, 169 insertions(+), 61 deletions(-) diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index e66a64f5..6c219f30 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -787,7 +787,6 @@ done: static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity) { int i; -// int oddparity; ToSendReset(); @@ -809,9 +808,7 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity uint8_t b = cmd[i]; // Data bits -// oddparity = 0x01; for(j = 0; j < 8; j++) { -// oddparity ^= (b & 1); if(b & 1) { ToSend[++ToSendMax] = SEC_D; } else { @@ -820,38 +817,19 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity b >>= 1; } - // Get the parity bit + // Get the parity bit if ((dwParity >> i) & 0x01) { ToSend[++ToSendMax] = SEC_D; } else { ToSend[++ToSendMax] = SEC_E; } - - // Parity bit -// if(oddparity) { -// ToSend[++ToSendMax] = SEC_D; -// } else { -// ToSend[++ToSendMax] = SEC_E; -// } - -// if (oddparity != ((dwParity >> i) & 0x01)) -// Dbprintf("par error. i=%d", i); } // Send stopbit ToSend[++ToSendMax] = SEC_F; - // Flush the buffer in FPGA!! - for(i = 0; i < 5; i++) { -// ToSend[++ToSendMax] = SEC_F; - } - // Convert from last byte pos to length ToSendMax++; - - // Add a few more for slop -// ToSend[ToSendMax++] = 0x00; -// ToSend[ToSendMax++] = 0x00; } static void CodeIso14443aAsTag(const uint8_t *cmd, int len){ @@ -2021,6 +1999,8 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) uint32_t cuid = 0; uint32_t rn_enc = 0; uint32_t ans = 0; + uint32_t cardINTREG = 0; + uint8_t cardINTBLOCK = 0; struct Crypto1State mpcs = {0, 0}; struct Crypto1State *pcs; pcs = &mpcs; @@ -2036,9 +2016,10 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) static uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; static uint8_t rSAK1[] = {0x04, 0xda, 0x17}; - static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f}; + static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04}; +// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f}; static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; - + // clear trace traceLen = 0; tracing = true; @@ -2077,7 +2058,7 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); SpinDelay(200); - Dbprintf("--> start. 7buid=%d", _7BUID); + if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID); // calibrate mkseconds counter GetDeltaCountUS(); while (true) { @@ -2093,7 +2074,7 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) if (cardSTATE == MFEMUL_NOFIELD) { vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10; if (vHf > MF_MINFIELDV) { - cardSTATE = MFEMUL_IDLE; + cardSTATE_TO_IDLE(); LED_A_ON(); } } @@ -2141,6 +2122,7 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // select all if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) { EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1)); + break; } // select card @@ -2154,17 +2136,20 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) cuid = bytes_to_num(rUIDBCC1, 4); if (!_7BUID) { cardSTATE = MFEMUL_WORK; + LED_B_ON(); + if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer); + break; } else { cardSTATE = MFEMUL_SELECT2; break; } - LED_B_ON(); - if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer); } break; } case MFEMUL_SELECT2:{ + if (!len) break; + if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) { EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2)); break; @@ -2178,11 +2163,14 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) cuid = bytes_to_num(rUIDBCC2, 4); cardSTATE = MFEMUL_WORK; LED_B_ON(); - Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer); + if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer); break; } - // TODO: goto work state - i guess there is a command - break; + + // i guess there is a command). go into the work state. + if (len != 4) break; + cardSTATE = MFEMUL_WORK; + goto lbWORK; } case MFEMUL_AUTH1:{ if (len == 8) { @@ -2192,10 +2180,8 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0); // test if auth OK if (cardRr != prng_successor(nonce, 64)){ - Dbprintf("AUTH FAILED. cardRr=%08x, suc=%08x", cardRr, prng_successor(nonce, 64)); - cardSTATE = MFEMUL_IDLE; - LED_B_OFF(); - LED_C_OFF(); + if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64)); + cardSTATE_TO_IDLE(); break; } ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0); @@ -2204,22 +2190,18 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); cardSTATE = MFEMUL_AUTH2; } else { - cardSTATE = MFEMUL_IDLE; - LED_B_OFF(); - LED_C_OFF(); + cardSTATE_TO_IDLE(); } if (cardSTATE != MFEMUL_AUTH2) break; } case MFEMUL_AUTH2:{ - // test auth info here... - LED_C_ON(); cardSTATE = MFEMUL_WORK; - Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer); + if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer); break; } case MFEMUL_WORK:{ - if (len == 0) break; +lbWORK: if (len == 0) break; if (cardAUTHKEY == 0xff) { // first authentication @@ -2307,12 +2289,50 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) break; } + // works with cardINTREG + + // increment, decrement, restore + if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) { + if (receivedCmd[1] >= 16 * 4 || + receivedCmd[1] / 4 != cardAUTHSC || + emlCheckValBl(receivedCmd[1])) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; + } + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); + if (receivedCmd[0] == 0xC1) + cardSTATE = MFEMUL_INTREG_INC; + if (receivedCmd[0] == 0xC0) + cardSTATE = MFEMUL_INTREG_DEC; + if (receivedCmd[0] == 0xC2) + cardSTATE = MFEMUL_INTREG_REST; + cardWRBL = receivedCmd[1]; + + break; + } + + + // transfer + if (len == 4 && receivedCmd[0] == 0xB0) { + if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + break; + } + + if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1])) + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + else + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); + + break; + } + // halt if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) { - cardSTATE = MFEMUL_HALTED; LED_B_OFF(); LED_C_OFF(); - Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer); + cardSTATE = MFEMUL_HALTED; + if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer); break; } @@ -2333,13 +2353,47 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) cardSTATE = MFEMUL_WORK; break; } else { - cardSTATE = MFEMUL_IDLE; - LED_B_OFF(); - LED_C_OFF(); + cardSTATE_TO_IDLE(); break; } break; } + + case MFEMUL_INTREG_INC:{ + mf_crypto1_decrypt(pcs, receivedCmd, len); + memcpy(&ans, receivedCmd, 4); + if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + cardSTATE_TO_IDLE(); + break; + } + cardINTREG = cardINTREG + ans; + cardSTATE = MFEMUL_WORK; + break; + } + case MFEMUL_INTREG_DEC:{ + mf_crypto1_decrypt(pcs, receivedCmd, len); + memcpy(&ans, receivedCmd, 4); + if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + cardSTATE_TO_IDLE(); + break; + } + cardINTREG = cardINTREG - ans; + cardSTATE = MFEMUL_WORK; + break; + } + case MFEMUL_INTREG_REST:{ + mf_crypto1_decrypt(pcs, receivedCmd, len); + memcpy(&ans, receivedCmd, 4); + if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + cardSTATE_TO_IDLE(); + break; + } + cardSTATE = MFEMUL_WORK; + break; + } } @@ -2352,5 +2406,5 @@ void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) memset(rAUTH_NT, 0x44, 4); LogTrace(rAUTH_NT, 4, 0, 0, TRUE); - DbpString("Emulator stopped."); + if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen); } diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c index be36e9db..c5843fd7 100644 --- a/armsrc/mifareutil.c +++ b/armsrc/mifareutil.c @@ -339,6 +339,52 @@ void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount) { memcpy(data, emCARD + bytePtr, byteCount); } +int emlCheckValBl(int blockNum) { + uint8_t* emCARD = eml_get_bigbufptr_cardmem(); + uint8_t* data = emCARD + blockNum * 16; + + if ((data[0] != (data[4] ^ 0xff)) || (data[0] != data[8]) || + (data[1] != (data[5] ^ 0xff)) || (data[1] != data[9]) || + (data[2] != (data[6] ^ 0xff)) || (data[2] != data[10]) || + (data[3] != (data[7] ^ 0xff)) || (data[3] != data[11]) || + (data[12] != (data[13] ^ 0xff)) || (data[12] != data[14]) || + (data[12] != (data[15] ^ 0xff)) + ) + return 1; + return 0; +} + +int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum) { + uint8_t* emCARD = eml_get_bigbufptr_cardmem(); + uint8_t* data = emCARD + blockNum * 16; + + if (emlCheckValBl(blockNum)) { + return 1; + } + + memcpy(blReg, data, 4); + *blBlock = data[12]; + + return 0; +} + +int emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum) { + uint8_t* emCARD = eml_get_bigbufptr_cardmem(); + uint8_t* data = emCARD + blockNum * 16; + + memcpy(data + 0, &blReg, 4); + memcpy(data + 8, &blReg, 4); + blReg = blReg ^ 0xffffffff; + memcpy(data + 4, &blReg, 4); + + data[12] = blBlock; + data[13] = blBlock ^ 0xff; + data[14] = blBlock; + data[15] = blBlock ^ 0xff; + + return 0; +} + uint64_t emlGetKey(int sectorNum, int keyType) { uint8_t key[6]; uint8_t* emCARD = eml_get_bigbufptr_cardmem(); diff --git a/armsrc/mifareutil.h b/armsrc/mifareutil.h index 59e3cc5b..8539a7de 100644 --- a/armsrc/mifareutil.h +++ b/armsrc/mifareutil.h @@ -44,15 +44,20 @@ extern int MF_DBGLEVEL; #define NES_MAX_INFO 5 //mifare emulator states -#define MFEMUL_NOFIELD 0 -#define MFEMUL_IDLE 1 -#define MFEMUL_SELECT1 2 -#define MFEMUL_SELECT2 3 -#define MFEMUL_AUTH1 4 -#define MFEMUL_AUTH2 5 -#define MFEMUL_WORK 6 -#define MFEMUL_WRITEBL2 7 -#define MFEMUL_HALTED 8 +#define MFEMUL_NOFIELD 0 +#define MFEMUL_IDLE 1 +#define MFEMUL_SELECT1 2 +#define MFEMUL_SELECT2 3 +#define MFEMUL_AUTH1 4 +#define MFEMUL_AUTH2 5 +#define MFEMUL_WORK 6 +#define MFEMUL_WRITEBL2 7 +#define MFEMUL_INTREG_INC 8 +#define MFEMUL_INTREG_DEC 9 +#define MFEMUL_INTREG_REST 10 +#define MFEMUL_HALTED 11 + +#define cardSTATE_TO_IDLE() cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF(); //functions uint8_t* mifare_get_bigbufptr(void); @@ -83,5 +88,8 @@ void emlSetMem(uint8_t *data, int blockNum, int blocksCount); void emlGetMem(uint8_t *data, int blockNum, int blocksCount); void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount); uint64_t emlGetKey(int sectorNum, int keyType); +int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum); +int emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum); +int emlCheckValBl(int blockNum); #endif \ No newline at end of file diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 130e2802..d8bc8f1d 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -276,8 +276,8 @@ int CmdHF14AMfNested(const char *Cmd) if (strlen(Cmd)<3) { PrintAndLog("Usage:"); PrintAndLog(" all sectors: hf mf nested [t]"); - PrintAndLog(" one sector: hf mf nested o [t]"); - PrintAndLog(" "); + PrintAndLog(" one sector: hf mf nested o "); + PrintAndLog(" [t]"); PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); PrintAndLog("t - transfer keys into emulator memory"); PrintAndLog(" "); @@ -454,7 +454,7 @@ int CmdHF14AMfChk(const char *Cmd) if (strlen(Cmd)<3) { PrintAndLog("Usage: hf mf chk []"); - PrintAndLog(" sample: hf mf chk 0 A FFFFFFFFFFFF a0a1a2a3a4a5 b01b2b3b4b5 "); + PrintAndLog(" sample: hf mf chk 0 A FFFFFFFFFFFF a0a1a2a3a4a5 b0b1b2b3b4b5 "); return 0; } -- 2.39.5