From 810f53792ea438c1b70eaa1f934db1e5c96220cb Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 20 Jan 2016 22:26:01 +0100 Subject: [PATCH 1/1] ADD: added the possibility to choose which block num to attack with "hf mf mifare" Before it only worked on block 0. --- armsrc/BigBuf.c | 2 +- armsrc/Makefile | 2 + armsrc/appmain.c | 20 +++++-- armsrc/apps.h | 8 ++- armsrc/hitag2.c | 10 ++-- armsrc/iclass.c | 16 ++--- armsrc/iso14443a.c | 131 ++++++++++++++++++----------------------- armsrc/iso14443b.c | 100 +++++++++++++++---------------- armsrc/mifarecmd.c | 24 ++++++-- armsrc/mifaredesfire.c | 9 +-- armsrc/mifaresniff.c | 1 - client/cmdhflegic.c | 2 +- client/cmdhfmf.c | 17 +++++- client/cmdhfmfhard.c | 2 +- 14 files changed, 183 insertions(+), 161 deletions(-) diff --git a/armsrc/BigBuf.c b/armsrc/BigBuf.c index f3f23ddc..da86e9d3 100644 --- a/armsrc/BigBuf.c +++ b/armsrc/BigBuf.c @@ -58,7 +58,7 @@ void BigBuf_Clear_ext(bool verbose) { memset(BigBuf,0,BIGBUF_SIZE); if (verbose) - Dbprintf("Buffer cleared (%i bytes)",BIGBUF_SIZE); + Dbprintf("Buffer cleared (%i bytes)",BIGBUF_SIZE); } diff --git a/armsrc/Makefile b/armsrc/Makefile index f4e7495d..36113ebe 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -21,6 +21,7 @@ SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c SRC_ISO14443b = iso14443b.c SRC_CRAPTO1 = crapto1.c crypto1.c des.c aes.c desfire_key.c desfire_crypto.c mifaredesfire.c SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c +SRC_EMV = tlv.c emvdataels.c emvutil.c emvcmd.c #the FPGA bitstream files. Note: order matters! FPGA_BITSTREAMS = fpga_lf.bit fpga_hf.bit @@ -62,6 +63,7 @@ ARMSRC = fpgaloader.c \ optimized_cipher.c \ hfsnoop.c \ parity.c +# $(SRC_EMV) # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC include ../common/Makefile.common diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 22657815..10db4a39 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -405,8 +405,8 @@ void StandAloneMode14a() /* need this delay to prevent catching some weird data */ SpinDelay(500); /* Code for reading from 14a tag */ - uint8_t uid[10] ={0}; - uint32_t cuid; + uint8_t uid[10] = {0}; + uint32_t cuid = 0; iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); for ( ; ; ) @@ -1089,7 +1089,7 @@ void UsbPacketReceived(uint8_t *packet, int len) break; case CMD_READER_MIFARE: - ReaderMifare(c->arg[0]); + ReaderMifare(c->arg[0], c->arg[1]); break; case CMD_MIFARE_READBL: MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); @@ -1186,7 +1186,19 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_MIFARE_COLLECT_NONCES: break; #endif - +#ifdef WITH_EMV + case CMD_EMV_TRANSACTION: + EMVTransaction(); + break; + case CMD_EMV_GET_RANDOM_NUM: + //EMVgetUDOL(); + break; + case CMD_EMV_LOAD_VALUE: + EMVloadvalue(c->arg[0], c->d.asBytes); + break; + case CMD_EMV_DUMP_CARD: + EMVdumpcard(); +#endif #ifdef WITH_ICLASS // Makes use of ISO14443a FPGA Firmware case CMD_SNOOP_ICLASS: diff --git a/armsrc/apps.h b/armsrc/apps.h index 83cd94ec..1d23caa4 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -121,7 +121,8 @@ void EPA_PACE_Collect_Nonce(UsbCommand * c); void EPA_PACE_Replay(UsbCommand *c); // mifarecmd.h -void ReaderMifare(bool first_try); +//void ReaderMifare(bool first_try); +void ReaderMifare(bool first_try, uint8_t block ); int32_t dist_nt(uint32_t nt1, uint32_t nt2); void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data); void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain); @@ -211,5 +212,10 @@ bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* d /// util.h void HfSnoop(int , int); +//EMV functions emvcmd.h +void EMVTransaction(void); +void EMVgetUDOL(void); +void EMVloadvalue(uint32_t tag, uint8_t* datain); +void EMVdumpcard(void); #endif diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c index d1005f3c..1147cb8d 100644 --- a/armsrc/hitag2.c +++ b/armsrc/hitag2.c @@ -714,8 +714,8 @@ void SnoopHitag(uint32_t type) { FpgaDownloadAndGo(FPGA_BITSTREAM_LF); // Clean up trace and prepare it for storing frames - set_tracing(TRUE); clear_trace(); + set_tracing(TRUE); auth_table_len = 0; auth_table_pos = 0; @@ -928,9 +928,9 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) { FpgaDownloadAndGo(FPGA_BITSTREAM_LF); // Clean up trace and prepare it for storing frames - set_tracing(TRUE); clear_trace(); - + set_tracing(TRUE); + auth_table_len = 0; auth_table_pos = 0; byte_t* auth_table; @@ -1121,9 +1121,9 @@ void ReaderHitag(hitag_function htf, hitag_data* htd) { bSuccessful = false; // Clean up trace and prepare it for storing frames - set_tracing(TRUE); clear_trace(); - + set_tracing(TRUE); + DbpString("Starting Hitag reader family"); // Check configuration diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 7a68ea6b..101ca060 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -653,8 +653,9 @@ void RAMFUNC SnoopIClass(void) // The DMA buffer, used to stream samples from the FPGA uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); - set_tracing(TRUE); clear_trace(); + set_tracing(TRUE); + iso14a_set_trigger(FALSE); int lastRxCounter; @@ -985,8 +986,9 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Enable and clear the trace - set_tracing(TRUE); clear_trace(); + set_tracing(TRUE); + //Use the emulator memory for SIM uint8_t *emulator = BigBuf_get_EM_addr(); @@ -1323,10 +1325,8 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) GetParity(trace_data, trace_data_size, parity); LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE); } - if(!tracing) { + if(!tracing) DbpString("Trace full"); - //break; - } } } @@ -1570,9 +1570,9 @@ void setupIclassReader() { FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Reset trace buffer - set_tracing(TRUE); clear_trace(); - + set_tracing(TRUE); + // Setup SSC FpgaSetupSsc(); // Start from off (no field generated) @@ -1693,7 +1693,9 @@ void ReaderIClass(uint8_t arg0) { while(!BUTTON_PRESS()) { if (try_once && tryCnt > 5) break; + tryCnt++; + if(!tracing) { DbpString("Trace full"); break; diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 8a925475..1c4d0f05 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1211,10 +1211,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) //p_response = &responses[9]; } else if(receivedCmd[0] == 0x50) { // Received a HALT - - if (tracing) { - LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); - } + LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); p_response = NULL; } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request @@ -1236,9 +1233,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) p_response = &responses[6]; order = 70; } } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication) - if (tracing) { - LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); - } + LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); uint32_t nonce = bytes_to_num(response5,4); uint32_t nr = bytes_to_num(receivedCmd,4); uint32_t ar = bytes_to_num(receivedCmd+4,4); @@ -1352,9 +1347,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) default: { // Never seen this command before - if (tracing) { - LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); - } + LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); Dbprintf("Received unknown command (len=%d):",len); Dbhexdump(len,receivedCmd,false); // Do not respond @@ -1372,9 +1365,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) { Dbprintf("Error preparing tag response"); - if (tracing) { - LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); - } + LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); break; } p_response = &dynamic_response_info; @@ -1396,7 +1387,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) if (p_response != NULL) { EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52); // do the tracing for the previous reader request and this tag answer: - uint8_t par[MAX_PARITY_SIZE]; + uint8_t par[MAX_PARITY_SIZE] = {0x00}; GetParity(p_response->response, p_response->response_n, par); EmLogTrace(Uart.output, @@ -1781,24 +1772,20 @@ int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){ bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity, uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity) { - if (tracing) { - // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from - // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp. - // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated: - uint16_t reader_modlen = reader_EndTime - reader_StartTime; - uint16_t approx_fdt = tag_StartTime - reader_EndTime; - uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20; - reader_EndTime = tag_StartTime - exact_fdt; - reader_StartTime = reader_EndTime - reader_modlen; + // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from + // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp. + // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated: + uint16_t reader_modlen = reader_EndTime - reader_StartTime; + uint16_t approx_fdt = tag_StartTime - reader_EndTime; + uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20; + reader_EndTime = tag_StartTime - exact_fdt; + reader_StartTime = reader_EndTime - reader_modlen; - if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE)) - return FALSE; - else - return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE)); - - } else { - return TRUE; - } + if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE)) + return FALSE; + else + return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE)); + } //----------------------------------------------------------------------------- @@ -1847,8 +1834,7 @@ void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t LED_A_ON(); // Log reader command in trace buffer - if (tracing) - LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE); + LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE); } void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing) @@ -1877,9 +1863,7 @@ int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parit if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return FALSE; - if (tracing) - LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE); - + LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE); return Demod.len; } @@ -1888,9 +1872,7 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return FALSE; - if (tracing) - LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE); - + LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE); return Demod.len; } @@ -2006,7 +1988,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u if (!ReaderReceive(resp, resp_par)) return 0; sak = resp[0]; - // Test if more parts of the uid are coming + // Test if more parts of the uid are coming if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) { // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of: // http://www.nxp.com/documents/application_note/AN10927.pdf @@ -2081,7 +2063,7 @@ void iso14443a_setup(uint8_t fpga_minor_mode) { } int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) { - uint8_t parity[MAX_PARITY_SIZE]; + uint8_t parity[MAX_PARITY_SIZE] = {0x00}; uint8_t real_cmd[cmd_len+4]; real_cmd[0] = 0x0a; //I-Block // put block number into the PCB @@ -2120,20 +2102,19 @@ void ReaderIso14443a(UsbCommand *c) size_t lenbits = c->arg[1] >> 16; uint32_t timeout = c->arg[2]; uint32_t arg0 = 0; - byte_t buf[USB_CMD_DATA_SIZE]; - uint8_t par[MAX_PARITY_SIZE]; + byte_t buf[USB_CMD_DATA_SIZE] = {0x00}; + uint8_t par[MAX_PARITY_SIZE] = {0x00}; - if(param & ISO14A_CONNECT) { + if (param & ISO14A_CONNECT) clear_trace(); - } set_tracing(TRUE); - if(param & ISO14A_REQUEST_TRIGGER) { + if (param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(TRUE); - } - if(param & ISO14A_CONNECT) { + + if (param & ISO14A_CONNECT) { iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); if(!(param & ISO14A_NO_SELECT)) { iso14a_card_select_t *card = (iso14a_card_select_t*)buf; @@ -2142,16 +2123,15 @@ void ReaderIso14443a(UsbCommand *c) } } - if(param & ISO14A_SET_TIMEOUT) { + if (param & ISO14A_SET_TIMEOUT) iso14a_set_timeout(timeout); - } - if(param & ISO14A_APDU) { + if (param & ISO14A_APDU) { arg0 = iso14_apdu(cmd, len, buf); cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf)); } - if(param & ISO14A_RAW) { + if (param & ISO14A_RAW) { if(param & ISO14A_APPEND_CRC) { if(param & ISO14A_TOPAZMODE) { AppendCrc14443b(cmd,len); @@ -2190,13 +2170,12 @@ void ReaderIso14443a(UsbCommand *c) cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf)); } - if(param & ISO14A_REQUEST_TRIGGER) { + if (param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(FALSE); - } - if(param & ISO14A_NO_DISCONNECT) { + + if (param & ISO14A_NO_DISCONNECT) return; - } FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); set_tracing(FALSE); @@ -2209,20 +2188,19 @@ void ReaderIso14443a(UsbCommand *c) // Therefore try in alternating directions. int32_t dist_nt(uint32_t nt1, uint32_t nt2) { - uint16_t i; - uint32_t nttmp1, nttmp2; - if (nt1 == nt2) return 0; - - nttmp1 = nt1; - nttmp2 = nt2; - for (i = 1; i < 0xFFFF; i++) { + uint16_t i; + uint32_t nttmp1 = nt1; + uint32_t nttmp2 = nt2; + + for (i = 1; i < 0xFFFF; ++i) { nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i; + nttmp2 = prng_successor(nttmp2, 1); - if (nttmp2 == nt1) return -i; - } + if (nttmp2 == nt1) return -i; + } return(-99999); // either nt1 or nt2 are invalid nonces } @@ -2234,13 +2212,18 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) { // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime" // (article by Nicolas T. Courtois, 2009) //----------------------------------------------------------------------------- -void ReaderMifare(bool first_try) +void ReaderMifare(bool first_try, uint8_t block ) { // Mifare AUTH - uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b }; + //uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b }; + //uint8_t mf_auth[] = { 0x60,0x05, 0x58, 0x2c }; + uint8_t mf_auth[] = { 0x60,0x00, 0x00, 0x00 }; uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; static uint8_t mf_nr_ar3; + mf_auth[1] = block; + AppendCrc14443a(mf_auth, 2); + uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00}; uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00}; @@ -3006,15 +2989,14 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); - if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK - { + // Interactive mode flag, means we need to send ACK + if(flags & FLAG_INTERACTIVE) { //May just aswell send the collected ar_nr in the response aswell uint8_t len = ar_nr_collected*5*4; cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len); } - if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 ) - { + if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 ) { if(ar_nr_collected > 1 ) { Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:"); Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x", @@ -3063,9 +3045,8 @@ void RAMFUNC SniffMifare(uint8_t param) { // param: // bit 0 - trigger from first card answer // bit 1 - trigger from first reader 7-bit request - - // C(red) A(yellow) B(green) LEDsoff(); + // init trace buffer clear_trace(); set_tracing(TRUE); @@ -3073,8 +3054,9 @@ void RAMFUNC SniffMifare(uint8_t param) { // The command (reader -> tag) that we're receiving. // The length of a received command will in most cases be no more than 18 bytes. // So 32 should be enough! - uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00}; + uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00}; uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00}; + // The response (tag -> reader) that we're receiving. uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE] = {0x00}; uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE] = {0x00}; @@ -3083,6 +3065,7 @@ void RAMFUNC SniffMifare(uint8_t param) { // free eventually allocated BigBuf memory BigBuf_free(); + // allocate the DMA buffer, used to stream samples from the FPGA uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); uint8_t *data = dmaBuf; diff --git a/armsrc/iso14443b.c b/armsrc/iso14443b.c index 0b9962e1..9d033f61 100644 --- a/armsrc/iso14443b.c +++ b/armsrc/iso14443b.c @@ -345,7 +345,7 @@ void SimulateIso14443bTag(void) // response to HLTB and ATTRIB static const uint8_t response2[] = {0x00, 0x78, 0xF0}; - uint8_t parity[MAX_PARITY_SIZE]; + uint8_t parity[MAX_PARITY_SIZE] = {0x00}; FpgaDownloadAndGo(FPGA_BITSTREAM_HF); @@ -383,14 +383,12 @@ void SimulateIso14443bTag(void) for(;;) { - if(!GetIso14443bCommandFromReader(receivedCmd, &len)) { - Dbprintf("button pressed, received %d commands", cmdsRecvd); - break; + if (!GetIso14443bCommandFromReader(receivedCmd, &len)) { + Dbprintf("button pressed, received %d commands", cmdsRecvd); + break; } - if (tracing) { - LogTrace(receivedCmd, len, 0, 0, parity, TRUE); - } + LogTrace(receivedCmd, len, 0, 0, parity, TRUE); // Good, look at the command now. if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0) @@ -410,14 +408,14 @@ void SimulateIso14443bTag(void) // And print whether the CRC fails, just for good measure uint8_t b1, b2; if (len >= 3){ // if crc exists - ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2); - if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) { - // Not so good, try again. - DbpString("+++CRC fail"); - - } else { - DbpString("CRC passes"); - } + ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2); + if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) { + // Not so good, try again. + DbpString("+++CRC fail"); + + } else { + DbpString("CRC passes"); + } } //get rid of compiler warning respCodeLen = 0; @@ -462,7 +460,7 @@ void SimulateIso14443bTag(void) AT91C_BASE_SSC->SSC_THR = respCode[i++]; FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR; } - if(BUTTON_PRESS()) break; + if(BUTTON_PRESS()) break; } // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again: @@ -475,8 +473,7 @@ void SimulateIso14443bTag(void) } } - // trace the response: - if (tracing) LogTrace(resp, respLen, 0, 0, parity, FALSE); + LogTrace(resp, respLen, 0, 0, parity, FALSE); } FpgaDisableSscDma(); set_tracing(FALSE); @@ -793,8 +790,8 @@ static void GetSamplesFor14443bDemod(int n, bool quiet) } //Tracing - if (tracing && Demod.len > 0) { - uint8_t parity[MAX_PARITY_SIZE]; + if (Demod.len > 0) { + uint8_t parity[MAX_PARITY_SIZE] = {0x00}; LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE); } } @@ -1216,7 +1213,7 @@ void RAMFUNC SnoopIso14443b(void) upTo = dmaBuf; lastRxCounter = ISO14443B_DMA_BUFFER_SIZE; FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE); - uint8_t parity[MAX_PARITY_SIZE]; + uint8_t parity[MAX_PARITY_SIZE] = {0x00}; bool TagIsActive = FALSE; bool ReaderIsActive = FALSE; @@ -1245,10 +1242,12 @@ void RAMFUNC SnoopIso14443b(void) Dbprintf("blew circular buffer! behindBy=%d", behindBy); break; } + if(!tracing) { - DbpString("Reached trace limit"); + DbpString("Trace full"); break; } + if(BUTTON_PRESS()) { DbpString("cancelled"); break; @@ -1258,26 +1257,26 @@ void RAMFUNC SnoopIso14443b(void) samples += 2; if (!TagIsActive) { // no need to try decoding reader data if the tag is sending - if(Handle14443bUartBit(ci & 0x01)) { - if(triggered && tracing) { + if (Handle14443bUartBit(ci & 0x01)) { + if ( triggered) LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE); + + /* And ready to receive another command. */ + UartReset(); + /* And also reset the demod code, which might have been */ + /* false-triggered by the commands from the reader. */ + DemodReset(); } - /* And ready to receive another command. */ - UartReset(); - /* And also reset the demod code, which might have been */ - /* false-triggered by the commands from the reader. */ - DemodReset(); - } - if(Handle14443bUartBit(cq & 0x01)) { - if(triggered && tracing) { + if (Handle14443bUartBit(cq & 0x01)) { + if (triggered) LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE); - } - /* And ready to receive another command. */ - UartReset(); - /* And also reset the demod code, which might have been */ - /* false-triggered by the commands from the reader. */ - DemodReset(); - } + + /* And ready to receive another command. */ + UartReset(); + /* And also reset the demod code, which might have been */ + /* false-triggered by the commands from the reader. */ + DemodReset(); + } ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF); } @@ -1285,25 +1284,21 @@ void RAMFUNC SnoopIso14443b(void) // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103 if(Handle14443bSamplesDemod(ci & 0xfe, cq & 0xfe)) { - //Use samples as a time measurement - if(tracing) - { - //uint8_t parity[MAX_PARITY_SIZE]; + //Use samples as a time measurement LogTrace(Demod.output, Demod.len, samples, samples, parity, FALSE); - } - triggered = TRUE; - // And ready to receive another response. - DemodReset(); - } + triggered = TRUE; + + // And ready to receive another response. + DemodReset(); + } TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF); } } FpgaDisableSscDma(); LEDsoff(); - set_tracing(FALSE); - + AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; DbpString("Snoop statistics:"); Dbprintf(" Max behind by: %i", maxBehindBy); @@ -1311,6 +1306,7 @@ void RAMFUNC SnoopIso14443b(void) Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt); Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax); Dbprintf(" Trace length: %i", BigBuf_get_traceLen()); + set_tracing(FALSE); } @@ -1337,13 +1333,13 @@ void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, u CodeAndTransmit14443bAsReader(data, datalen); } - if(recv) { + if (recv) { GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, FALSE); uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE); cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen); } - if(!powerfield) { + if (!powerfield) { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); FpgaDisableSscDma(); set_tracing(FALSE); diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c index 0443c1f1..a3ce6acf 100644 --- a/armsrc/mifarecmd.c +++ b/armsrc/mifarecmd.c @@ -44,6 +44,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); + set_tracing(true); LED_A_ON(); LED_B_OFF(); @@ -96,6 +97,7 @@ void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); + set_tracing(true); if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) { if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card"); @@ -131,6 +133,7 @@ void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain) iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); + set_tracing(true); int len = iso14443a_select_card(NULL, NULL, NULL, true, 0); if(!len) { @@ -202,7 +205,8 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); - + set_tracing(true); + LED_A_ON(); LED_B_OFF(); LED_C_OFF(); @@ -258,7 +262,8 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain) // free eventually allocated BigBuf memory BigBuf_free(); clear_trace(); - + set_tracing(true); + // params uint8_t blockNo = arg0; uint16_t blocks = arg1; @@ -368,7 +373,8 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); - + set_tracing(true); + LED_A_ON(); LED_B_OFF(); LED_C_OFF(); @@ -426,6 +432,7 @@ void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain) LED_A_ON(); LED_B_OFF(); LED_C_OFF(); clear_trace(); + set_tracing(true); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) { @@ -473,7 +480,8 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain) iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); - + set_tracing(true); + if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) { if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); OnError(0); @@ -532,7 +540,8 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); - + set_tracing(true); + if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) { if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); OnError(0); @@ -982,7 +991,9 @@ void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) LED_C_OFF(); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); - if (clearTrace) clear_trace(); + if (clearTrace) + clear_trace(); + set_tracing(TRUE); for (i = 0; i < keyCount; i++) { @@ -1354,6 +1365,7 @@ void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); clear_trace(); + set_tracing(true); int len = iso14443a_select_card(uid, NULL, &cuid, true, 0); if(!len) { diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 8336d793..75cb9e73 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -63,9 +63,8 @@ void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){ print_result(" RX : ", datain, datalen); } - if ( flags & CLEARTRACE ){ + if ( flags & CLEARTRACE ) clear_trace(); - } if ( flags & INIT ){ if ( !InitDesfireCard() ) @@ -73,9 +72,8 @@ void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){ } int len = DesfireAPDU(datain, datalen, resp); - if (MF_DBGLEVEL >= 4) { + if (MF_DBGLEVEL >= 4) print_result("ERR <--: ", resp, len); - } if ( !len ) { OnError(2); @@ -85,9 +83,8 @@ void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){ // reset the pcb_blocknum, pcb_blocknum = 0; - if ( flags & DISCONNECT ){ + if ( flags & DISCONNECT ) OnSuccess(); - } cmd_send(CMD_ACK,1,len,0,resp,len); } diff --git a/armsrc/mifaresniff.c b/armsrc/mifaresniff.c index 0cc2963b..3194f8d8 100644 --- a/armsrc/mifaresniff.c +++ b/armsrc/mifaresniff.c @@ -169,6 +169,5 @@ bool intMfSniffSend() { LED_B_OFF(); clear_trace(); - return TRUE; } diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 0971e306..2d198820 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -202,7 +202,7 @@ int CmdLegicLoad(const char *Cmd) { } char line[80]; - int offset = 0, j; + int offset = 0; uint32_t data[8] = {0x00}; while ( fgets(line, sizeof(line), f) ) { diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index e10a88f3..bd27ba0c 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -21,8 +21,17 @@ int CmdHF14AMifare(const char *Cmd) uint64_t par_list = 0, ks_list = 0, r_key = 0; int16_t isOK = 0; int tmpchar; + uint8_t blockNo = 0; + + char cmdp = param_getchar(Cmd, 0); + if ( cmdp == 'H' || cmdp == 'h') { + PrintAndLog("Usage: hf mf mifare "); + PrintAndLog(" sample: hf mf mifare 0"); + return 0; + } - UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}}; + blockNo = param_get8(Cmd, 0); + UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}}; // message printf("-------------------------------------------------------------------------\n"); @@ -754,6 +763,8 @@ int CmdHF14AMfNested(const char *Cmd) uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); + PrintAndLog("Reading block %d", sectrail); + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A clearCommandBuffer(); @@ -1159,9 +1170,11 @@ int CmdHF14AMfChk(const char *Cmd) for (i = 0; i < SectorsCnt; i++) { // KEY A but not KEY B if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { - + uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); + PrintAndLog("Reading block %d", sectrail); + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A clearCommandBuffer(); diff --git a/client/cmdhfmfhard.c b/client/cmdhfmfhard.c index e2d6da74..07421ea1 100644 --- a/client/cmdhfmfhard.c +++ b/client/cmdhfmfhard.c @@ -88,7 +88,7 @@ typedef struct noncelist { } noncelist_t; -static uint32_t cuid; +static uint32_t cuid = 0; static noncelist_t nonces[256]; static uint8_t best_first_bytes[256]; static uint16_t first_byte_Sum = 0; -- 2.39.5