]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhf14a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
CHG: the new NTAG_i2c_1K enums, broke the uint16_t size.. Had to go up one level.
[proxmark3-svn] / client / cmdhf14a.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
f89c7050 2// 2011, Merlok
534983d7 3// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
a553f267 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// High frequency ISO14443A commands
10//-----------------------------------------------------------------------------
11
7fe9b0b7 12#include <stdio.h>
590f8ff9 13#include <stdlib.h>
7fe9b0b7 14#include <string.h>
f397b5cc 15#include <unistd.h>
20f9a2a1 16#include "util.h"
7fe9b0b7 17#include "iso14443crc.h"
18#include "data.h"
902cb3c0 19#include "proxmark3.h"
7fe9b0b7 20#include "ui.h"
21#include "cmdparser.h"
22#include "cmdhf14a.h"
534983d7 23#include "common.h"
20f9a2a1 24#include "cmdmain.h"
902cb3c0 25#include "mifare.h"
9cdd47c2 26#include "cmdhfmfu.h"
27#include "nonce2key/crapto1.h"
28
29#define llx PRIx64
7fe9b0b7 30
31static int CmdHelp(const char *Cmd);
5f6d6c90 32static void waitCmd(uint8_t iLen);
7fe9b0b7 33
52ab55ab 34// structure and database for uid -> tagtype lookups
35typedef struct {
36 uint8_t uid;
37 char* desc;
38} manufactureName;
39
40const manufactureName manufactureMapping[] = {
41 // ID, "Vendor Country"
42 { 0x01, "Motorola UK" },
43 { 0x02, "ST Microelectronics SA France" },
44 { 0x03, "Hitachi, Ltd Japan" },
45 { 0x04, "NXP Semiconductors Germany" },
46 { 0x05, "Infineon Technologies AG Germany" },
47 { 0x06, "Cylink USA" },
48 { 0x07, "Texas Instrument France" },
49 { 0x08, "Fujitsu Limited Japan" },
50 { 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
51 { 0x0A, "NEC Japan" },
52 { 0x0B, "Oki Electric Industry Co. Ltd Japan" },
53 { 0x0C, "Toshiba Corp. Japan" },
54 { 0x0D, "Mitsubishi Electric Corp. Japan" },
55 { 0x0E, "Samsung Electronics Co. Ltd Korea" },
56 { 0x0F, "Hynix / Hyundai, Korea" },
57 { 0x10, "LG-Semiconductors Co. Ltd Korea" },
58 { 0x11, "Emosyn-EM Microelectronics USA" },
59 { 0x12, "INSIDE Technology France" },
60 { 0x13, "ORGA Kartensysteme GmbH Germany" },
61 { 0x14, "SHARP Corporation Japan" },
62 { 0x15, "ATMEL France" },
63 { 0x16, "EM Microelectronic-Marin SA Switzerland" },
64 { 0x17, "KSW Microtec GmbH Germany" },
65 { 0x18, "ZMD AG Germany" },
66 { 0x19, "XICOR, Inc. USA" },
67 { 0x1A, "Sony Corporation Japan Identifier Company Country" },
68 { 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
69 { 0x1C, "Emosyn USA" },
70 { 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
71 { 0x1E, "Magellan Technology Pty Limited Australia" },
72 { 0x1F, "Melexis NV BO Switzerland" },
73 { 0x20, "Renesas Technology Corp. Japan" },
74 { 0x21, "TAGSYS France" },
75 { 0x22, "Transcore USA" },
76 { 0x23, "Shanghai belling corp., ltd. China" },
77 { 0x24, "Masktech Germany Gmbh Germany" },
78 { 0x25, "Innovision Research and Technology Plc UK" },
79 { 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
80 { 0x27, "Cypak AB Sweden" },
81 { 0x28, "Ricoh Japan" },
82 { 0x29, "ASK France" },
83 { 0x2A, "Unicore Microsystems, LLC Russian Federation" },
84 { 0x2B, "Dallas Semiconductor/Maxim USA" },
85 { 0x2C, "Impinj, Inc. USA" },
86 { 0x2D, "RightPlug Alliance USA" },
87 { 0x2E, "Broadcom Corporation USA" },
88 { 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
89 { 0x30, "BeeDar Technology Inc. USA" },
90 { 0x31, "RFIDsec Denmark" },
91 { 0x32, "Schweizer Electronic AG Germany" },
92 { 0x33, "AMIC Technology Corp Taiwan" },
93 { 0x34, "Mikron JSC Russia" },
94 { 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
95 { 0x36, "IDS Microchip AG Switzerland" },
96 { 0x37, "Kovio USA" },
97 { 0x38, "HMT Microelectronic Ltd Switzerland Identifier Company Country" },
98 { 0x39, "Silicon Craft Technology Thailand" },
99 { 0x3A, "Advanced Film Device Inc. Japan" },
100 { 0x3B, "Nitecrest Ltd UK" },
101 { 0x3C, "Verayo Inc. USA" },
102 { 0x3D, "HID Global USA" },
103 { 0x3E, "Productivity Engineering Gmbh Germany" },
104 { 0x3F, "Austriamicrosystems AG (reserved) Austria" },
105 { 0x40, "Gemalto SA France" },
106 { 0x41, "Renesas Electronics Corporation Japan" },
107 { 0x42, "3Alogics Inc Korea" },
108 { 0x43, "Top TroniQ Asia Limited Hong Kong" },
109 { 0x44, "Gentag Inc (USA) USA" },
110 { 0x00, "no tag-info available" } // must be the last entry
111};
112
113
114// get a product description based on the UID
115// uid[8] tag uid
116// returns description of the best match
b915fda3 117char* getTagInfo(uint8_t uid) {
52ab55ab 118
68033ed7 119 int i;
52ab55ab 120 int len = sizeof(manufactureMapping) / sizeof(manufactureName);
121
68033ed7
MHS		 122 for ( i = 0; i < len; ++i )
123 if ( uid == manufactureMapping[i].uid)
124 return manufactureMapping[i].desc;
52ab55ab 125
68033ed7
MHS		 126 //No match, return default
127 return manufactureMapping[len-1].desc;
52ab55ab 128}
129
7fe9b0b7 130int CmdHF14AList(const char *Cmd)
131{
4c3de57a 132 PrintAndLog("Deprecated command, use 'hf list 14a' instead");
f89c7050 133 return 0;
7fe9b0b7 134}
135
7fe9b0b7 136int CmdHF14AReader(const char *Cmd)
137{
19d6d91f 138 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
534983d7 139 SendCommand(&c);
902cb3c0 140
141 UsbCommand resp;
7bc95e2e 142 WaitForResponse(CMD_ACK,&resp);
902cb3c0 143
19d6d91f 144 iso14a_card_select_t card;
145 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
534983d7 146
0ec548dc 147 uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
19d6d91f 148
149 if(select_status == 0) {
9cdd47c2 150 if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
52bfb955 151 // disconnect
152 c.arg[0] = 0;
153 c.arg[1] = 0;
154 c.arg[2] = 0;
155 SendCommand(&c);
534983d7 156 return 0;
157 }
158
0ec548dc 159 if(select_status == 3) {
160 PrintAndLog("Card doesn't support standard iso14443-3 anticollision");
abcb166f 161 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
0ec548dc 162 // disconnect
163 c.arg[0] = 0;
164 c.arg[1] = 0;
165 c.arg[2] = 0;
166 SendCommand(&c);
167 return 0;
168 }
169
19d6d91f 170 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
466bc459 171 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
19d6d91f 172 PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
713e7ffb 173
19d6d91f 174 switch (card.sak) {
abcb166f 175 case 0x00:
9cdd47c2 176
177 //***************************************test****************
178 ul_switch_off_field();
179
623db355 180 uint32_t tagT = GetHF14AMfU_Type();
9cdd47c2 181 ul_print_type(tagT, 0);
182
183 //reconnect for further tests
184 c.arg[0] = ISO14A_CONNECT | ISO14A_NO_DISCONNECT;
185 c.arg[1] = 0;
186 c.arg[2] = 0;
187
188 SendCommand(&c);
189
190 UsbCommand resp;
191 WaitForResponse(CMD_ACK,&resp);
192
193 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
194
195 select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
196
197 if(select_status == 0) {
198 ul_switch_off_field();
199 return 0;
200 }
201
202 /* orig
abcb166f 203 // check if the tag answers to GETVERSION (0x60)
204 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
205 c.arg[1] = 1;
206 c.arg[2] = 0;
207 c.d.asBytes[0] = 0x60;
208 SendCommand(&c);
209 WaitForResponse(CMD_ACK,&resp);
210
09c2a802 211 uint8_t version[10] = {0};
212 memcpy(version, resp.d.asBytes, resp.arg[0] < sizeof(version) ? resp.arg[0] : sizeof(version));
466bc459 213 uint8_t len = resp.arg[0] & 0xff;
214 switch ( len){
215 // todo, identify "Magic UL-C tags". // they usually have a static nonce response to 0x1A command.
216 // UL-EV1, size, check version[6] == 0x0b (smaller) 0x0b * 4 == 48
217 case 0x0A:PrintAndLog("TYPE : NXP MIFARE Ultralight EV1 %d bytes", (version[6] == 0xB) ? 48 : 128); break;
218 case 0x01:PrintAndLog("TYPE : NXP MIFARE Ultralight C");break;
219 case 0x00:PrintAndLog("TYPE : NXP MIFARE Ultralight");break;
abcb166f 220 }
9cdd47c2 221 */
abcb166f 222 break;
3fe4ff4f 223 case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
79a73ab2 224 case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
e691fc45 225 case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
79a73ab2 226 case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
e691fc45 227 case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break;
228 case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break;
229 case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break;
230 case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break;
79a73ab2 231 case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break;
232 case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break;
233 case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break;
234 case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break;
235 case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
9ca155ba
M		 236 default: ;
237 }
19d6d91f 238
466bc459 239 // Double & triple sized UID, can be mapped to a manufacturer.
466bc459 240 if ( card.uidlen > 4 ) {
241 PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
242 }
243
19d6d91f 244 // try to request ATS even if tag claims not to support it
245 if (select_status == 2) {
246 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
247 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
248 c.arg[1] = 2;
249 c.arg[2] = 0;
250 memcpy(c.d.asBytes, rats, 2);
251 SendCommand(&c);
252 WaitForResponse(CMD_ACK,&resp);
253
09c2a802 254 memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
9a573554 255 card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
19d6d91f 256 }
257
9a573554 258 if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
561f7c11 259 bool ta1 = 0, tb1 = 0, tc1 = 0;
260 int pos;
261
9a573554 262 if (select_status == 2) {
19d6d91f 263 PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
264 }
265 PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
9a573554 266 PrintAndLog(" - TL : length is %d bytes", card.ats[0]);
267 if (card.ats[0] != card.ats_len - 2) {
268 PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
561f7c11 269 }
9a573554 270
271 if (card.ats[0] > 1) { // there is a format byte (T0)
19d6d91f 272 ta1 = (card.ats[1] & 0x10) == 0x10;
273 tb1 = (card.ats[1] & 0x20) == 0x20;
274 tc1 = (card.ats[1] & 0x40) == 0x40;
9a573554 275 int16_t fsci = card.ats[1] & 0x0f;
561f7c11 276 PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, "
9a573554 277 "TC1 is%s present, FSCI is %d (FSC = %ld)",
561f7c11 278 (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
9a573554 279 fsci,
280 fsci < 5 ? (fsci - 2) * 8 :
281 fsci < 8 ? (fsci - 3) * 32 :
282 fsci == 8 ? 256 :
283 -1
284 );
561f7c11 285 }
286 pos = 2;
9a573554 287 if (ta1) {
561f7c11 288 char dr[16], ds[16];
289 dr[0] = ds[0] = '\0';
19d6d91f 290 if (card.ats[pos] & 0x10) strcat(ds, "2, ");
291 if (card.ats[pos] & 0x20) strcat(ds, "4, ");
292 if (card.ats[pos] & 0x40) strcat(ds, "8, ");
293 if (card.ats[pos] & 0x01) strcat(dr, "2, ");
294 if (card.ats[pos] & 0x02) strcat(dr, "4, ");
295 if (card.ats[pos] & 0x04) strcat(dr, "8, ");
561f7c11 296 if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
297 if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
298 PrintAndLog(" - TA1 : different divisors are%s supported, "
299 "DR: [%s], DS: [%s]",
19d6d91f 300 (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
561f7c11 301 pos++;
302 }
9a573554 303 if (tb1) {
304 uint32_t sfgi = card.ats[pos] & 0x0F;
305 uint32_t fwi = card.ats[pos] >> 4;
306 PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
307 (sfgi),
308 sfgi ? "" : "(not needed) ",
309 sfgi ? (1 << 12) << sfgi : 0,
310 fwi,
311 (1 << 12) << fwi
312 );
561f7c11 313 pos++;
314 }
9a573554 315 if (tc1) {
561f7c11 316 PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported",
19d6d91f 317 (card.ats[pos] & 0x01) ? "" : " NOT",
318 (card.ats[pos] & 0x02) ? "" : " NOT");
561f7c11 319 pos++;
320 }
9a573554 321 if (card.ats[0] > pos) {
561f7c11 322 char *tip = "";
9a573554 323 if (card.ats[0] - pos >= 7) {
19d6d91f 324 if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
561f7c11 325 tip = "-> MIFARE Plus X 2K or 4K";
19d6d91f 326 } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
561f7c11 327 tip = "-> MIFARE Plus S 2K or 4K";
328 }
329 }
9a573554 330 PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
19d6d91f 331 if (card.ats[pos] == 0xC1) {
561f7c11 332 PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type");
333 PrintAndLog(" %02x -> Length is %d bytes",
19d6d91f 334 card.ats[pos + 1], card.ats[pos + 1]);
335 switch (card.ats[pos + 2] & 0xf0) {
561f7c11 336 case 0x10:
337 PrintAndLog(" 1x -> MIFARE DESFire");
338 break;
339 case 0x20:
340 PrintAndLog(" 2x -> MIFARE Plus");
341 break;
342 }
19d6d91f 343 switch (card.ats[pos + 2] & 0x0f) {
561f7c11 344 case 0x00:
345 PrintAndLog(" x0 -> <1 kByte");
346 break;
347 case 0x01:
348 PrintAndLog(" x0 -> 1 kByte");
349 break;
350 case 0x02:
351 PrintAndLog(" x0 -> 2 kByte");
352 break;
353 case 0x03:
354 PrintAndLog(" x0 -> 4 kByte");
355 break;
356 case 0x04:
357 PrintAndLog(" x0 -> 8 kByte");
358 break;
359 }
19d6d91f 360 switch (card.ats[pos + 3] & 0xf0) {
561f7c11 361 case 0x00:
362 PrintAndLog(" 0x -> Engineering sample");
363 break;
364 case 0x20:
365 PrintAndLog(" 2x -> Released");
366 break;
367 }
19d6d91f 368 switch (card.ats[pos + 3] & 0x0f) {
561f7c11 369 case 0x00:
370 PrintAndLog(" x0 -> Generation 1");
371 break;
372 case 0x01:
373 PrintAndLog(" x1 -> Generation 2");
374 break;
375 case 0x02:
376 PrintAndLog(" x2 -> Generation 3");
377 break;
378 }
19d6d91f 379 switch (card.ats[pos + 4] & 0x0f) {
561f7c11 380 case 0x00:
381 PrintAndLog(" x0 -> Only VCSL supported");
382 break;
383 case 0x01:
384 PrintAndLog(" x1 -> VCS, VCSL, and SVC supported");
385 break;
386 case 0x0E:
387 PrintAndLog(" xE -> no VCS command supported");
388 break;
389 }
390 }
391 }
79a73ab2 392 } else {
19d6d91f 393 PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
394 }
534983d7 395
52ab55ab 396
397 // try to see if card responses to "chinese magic backdoor" commands.
398 c.cmd = CMD_MIFARE_CIDENT;
399 c.arg[0] = 0;
400 c.arg[1] = 0;
401 c.arg[2] = 0;
402 SendCommand(&c);
403 WaitForResponse(CMD_ACK,&resp);
404 uint8_t isOK = resp.arg[0] & 0xff;
19a700a8 405 PrintAndLog("Answers to chinese magic backdoor commands: %s", (isOK ? "YES" : "NO") );
52ab55ab 406
407 // disconnect
408 c.cmd = CMD_READER_ISO_14443a;
409 c.arg[0] = 0;
410 c.arg[1] = 0;
411 c.arg[2] = 0;
412 SendCommand(&c);
413
19d6d91f 414 return select_status;
7fe9b0b7 415}
416
db22dfe6 417// Collect ISO14443 Type A UIDs
418int CmdHF14ACUIDs(const char *Cmd)
419{
420 // requested number of UIDs
421 int n = atoi(Cmd);
422 // collect at least 1 (e.g. if no parameter was given)
423 n = n > 0 ? n : 1;
424
425 PrintAndLog("Collecting %d UIDs", n);
426 PrintAndLog("Start: %u", time(NULL));
427 // repeat n times
428 for (int i = 0; i < n; i++) {
429 // execute anticollision procedure
430 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
431 SendCommand(&c);
902cb3c0 432
72b1090a 433 UsbCommand resp;
434 WaitForResponse(CMD_ACK,&resp);
902cb3c0 435
72b1090a 436 iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
db22dfe6 437
438 // check if command failed
902cb3c0 439 if (resp.arg[0] == 0) {
db22dfe6 440 PrintAndLog("Card select failed.");
441 } else {
72b1090a 442 char uid_string[20];
443 for (uint16_t i = 0; i < card->uidlen; i++) {
444 sprintf(&uid_string[2*i], "%02X", card->uid[i]);
db22dfe6 445 }
72b1090a 446 PrintAndLog("%s", uid_string);
db22dfe6 447 }
448 }
449 PrintAndLog("End: %u", time(NULL));
450
451 return 1;
452}
453
9cdd47c2 454
455static int usage_hf_14a_sim(void)
456{
457 PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4 or 7 byte UID\n");
458 PrintAndLog("Usage: hf 14a sim t <type> u <uid> x");
459 PrintAndLog(" Options : ");
460 PrintAndLog(" h : this help");
461 PrintAndLog(" t : 1 = MIFARE Classic");
462 PrintAndLog(" 2 = MIFARE Ultralight");
463 PrintAndLog(" 3 = MIFARE Desfire");
464 PrintAndLog(" 4 = ISO/IEC 14443-4");
465 PrintAndLog(" 5 = MIFARE Tnp3xxx");
466 PrintAndLog(" 6 = MIFARE Mini");
467 PrintAndLog(" u : 4 or 7 byte UID");
468 PrintAndLog(" x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader");
469 PrintAndLog("\n sample : hf 14a sim t 1 u 1122344");
470 PrintAndLog(" : hf 14a sim t 1 u 1122344 x\n");
471 return 0;
472}
473
7fe9b0b7 474// ## simulate iso14443a tag
475// ## greg - added ability to specify tag UID
476int CmdHF14ASim(const char *Cmd)
81cd0474 477{
9cdd47c2 478 bool errors = FALSE;
479 uint8_t flags = 0;
480 uint8_t tagtype = 1;
481 uint64_t uid = 0;
482 uint8_t cmdp = 0;
81cd0474 483
9cdd47c2 484 while(param_getchar(Cmd, cmdp) != 0x00)
485 {
486 switch(param_getchar(Cmd, cmdp))
487 {
488 case 'h':
489 case 'H':
490 return usage_hf_14a_sim();
491 case 't':
492 case 'T':
493 // Retrieve the tag type
494 tagtype = param_get8ex(Cmd, cmdp+1, 0, 10);
495 if (tagtype == 0)
496 errors = true;
497 cmdp += 2;
498 break;
499 case 'u':
500 case 'U':
501 // Retrieve the full 4 or 7 byte long uid
502 uid = param_get64ex(Cmd, cmdp+1, 0, 16);
503 if (uid == 0 )
504 errors = TRUE;
505
506 if (uid > 0xffffffff) {
507 PrintAndLog("Emulating ISO/IEC 14443 type A tag with 7 byte UID (%014"llx")",uid);
508 flags |= FLAG_7B_UID_IN_DATA;
509 } else {
510 PrintAndLog("Emulating ISO/IEC 14443 type A tag with 4 byte UID (%08x)",uid);
511 flags |= FLAG_4B_UID_IN_DATA;
512 }
513 cmdp += 2;
514 break;
515 case 'x':
516 case 'X':
517 flags |= FLAG_NR_AR_ATTACK;
518 cmdp++;
519 break;
520 default:
521 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
522 errors = true;
523 break;
524 }
525 if(errors) break;
81cd0474 526 }
9cdd47c2 527
528 //Validations
529 if (errors) return usage_hf_14a_sim();
530
531 PrintAndLog("Press pm3-button to abort simulation");
81cd0474 532
9cdd47c2 533 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
534 num_to_bytes(uid, 7, c.d.asBytes);
535 SendCommand(&c);
536
537 while(!ukbhit()){
538 UsbCommand resp;
539 WaitForResponseTimeout(CMD_ACK,&resp,1500);
540 PrintAndLog("Got %04X %02X", resp.arg[0], resp.arg[0]);
541 if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
542 uint8_t data[40];
543 uint8_t key[6];
544 int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
545 memcpy(data, resp.d.asBytes, len);
546 tryMfk32(uid, data, key);
547 //tryMfk64(uid, data, key);
548 PrintAndLog("--");
549 memset(data,0x00, 40);
550 }
81cd0474 551 }
9cdd47c2 552 return 0;
553}
81cd0474 554
9cdd47c2 555int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
556
557 struct Crypto1State *s,*t;
558 uint64_t key; // recovered key
559 uint32_t uid; // serial number
560 uint32_t nt; // tag challenge
561 uint32_t nr0_enc; // first encrypted reader challenge
562 uint32_t ar0_enc; // first encrypted reader response
563 uint32_t nr1_enc; // second encrypted reader challenge
564 uint32_t ar1_enc; // second encrypted reader response
565 bool isSuccess = FALSE;
566 int counter = 0;
567
568 uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
569 nt = *(uint32_t*)(data+8);
570 nr0_enc = *(uint32_t*)(data+12);
571 ar0_enc = *(uint32_t*)(data+16);
572 nr1_enc = *(uint32_t*)(data+32);
573 ar1_enc = *(uint32_t*)(data+36);
574
575 // PrintAndLog("Recovering key for:");
576 // PrintAndLog(" uid: %08x",uid);
577 // PrintAndLog(" nt: %08x",nt);
578 // PrintAndLog(" {nr_0}: %08x",nr0_enc);
579 // PrintAndLog(" {ar_0}: %08x",ar0_enc);
580 // PrintAndLog(" {nr_1}: %08x",nr1_enc);
581 // PrintAndLog(" {ar_1}: %08x",ar1_enc);
582
583 s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
584
585 for(t = s; t->odd | t->even; ++t) {
586 lfsr_rollback_word(t, 0, 0);
587 lfsr_rollback_word(t, nr0_enc, 1);
588 lfsr_rollback_word(t, uid ^ nt, 0);
589 crypto1_get_lfsr(t, &key);
590 crypto1_word(t, uid ^ nt, 0);
591 crypto1_word(t, nr1_enc, 1);
592 if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
593 PrintAndLog("Found Key: [%012"llx"]",key);
594 isSuccess = TRUE;
595 ++counter;
596 if (counter==10)
597 break;
598 }
81cd0474 599 }
9cdd47c2 600 free(s);
601 return isSuccess;
602}
603
604int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
605
606 struct Crypto1State *revstate;
607 uint64_t key; // recovered key
608 uint32_t uid; // serial number
609 uint32_t nt; // tag challenge
610 uint32_t nr_enc; // encrypted reader challenge
611 uint32_t ar_enc; // encrypted reader response
612 uint32_t at_enc; // encrypted tag response
613 uint32_t ks2; // keystream used to encrypt reader response
614 uint32_t ks3; // keystream used to encrypt tag response
615
616 struct Crypto1State mpcs = {0, 0};
617 struct Crypto1State *pcs;
618 pcs = &mpcs;
81cd0474 619
9cdd47c2 620
621
622 uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
623 nt = *(uint32_t*)(data+8);
624 nr_enc = *(uint32_t*)(data+12);
625 ar_enc = *(uint32_t*)(data+16);
626
627 crypto1_word(pcs, nr_enc , 1);
628 at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
629
630 // printf("Recovering key for:\n");
631 // printf(" uid: %08x\n",uid);
632 // printf(" nt: %08x\n",nt);
633 // printf(" {nr}: %08x\n",nr_enc);
634 // printf(" {ar}: %08x\n",ar_enc);
635 // printf(" {at}: %08x\n",at_enc);
636
637 // Extract the keystream from the messages
638 ks2 = ar_enc ^ prng_successor(nt, 64);
639 ks3 = at_enc ^ prng_successor(nt, 96);
640
641 revstate = lfsr_recovery64(ks2, ks3);
642 lfsr_rollback_word(revstate, 0, 0);
643 lfsr_rollback_word(revstate, 0, 0);
644 lfsr_rollback_word(revstate, nr_enc, 1);
645 lfsr_rollback_word(revstate, uid ^ nt, 0);
646 crypto1_get_lfsr(revstate, &key);
647 PrintAndLog("Found Key: [%012"llx"]",key);
648 crypto1_destroy(revstate);
649 crypto1_destroy(pcs);
650 return 0;
7fe9b0b7 651}
652
9cdd47c2 653int CmdHF14ASniff(const char *Cmd) {
5cd9ec01
M		 654 int param = 0;
655
df3e429d 656 uint8_t ctmp = param_getchar(Cmd, 0) ;
657 if (ctmp == 'h' || ctmp == 'H') {
5cd9ec01 658 PrintAndLog("It get data from the field and saves it into command buffer.");
9cdd47c2 659 PrintAndLog("Buffer accessible from command 'hf list 14a'");
660 PrintAndLog("Usage: hf 14a sniff [c][r]");
5cd9ec01
M		 661 PrintAndLog("c - triggered by first data from card");
662 PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
9cdd47c2 663 PrintAndLog("sample: hf 14a sniff c r");
5cd9ec01
M		 664 return 0;
665 }
666
667 for (int i = 0; i < 2; i++) {
df3e429d 668 ctmp = param_getchar(Cmd, i);
5cd9ec01
M		 669 if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
670 if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
671 }
672
673 UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
7fe9b0b7 674 SendCommand(&c);
675 return 0;
676}
677
0ec548dc 678
5f6d6c90 679int CmdHF14ACmdRaw(const char *cmd) {
680 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
0ec548dc 681 bool reply=1;
682 bool crc = FALSE;
683 bool power = FALSE;
684 bool active = FALSE;
685 bool active_select = FALSE;
5f6d6c90 686 uint16_t numbits=0;
0ec548dc 687 bool bTimeout = FALSE;
19a700a8 688 uint32_t timeout=0;
0ec548dc 689 bool topazmode = FALSE;
5f6d6c90 690 char buf[5]="";
691 int i=0;
79bf1ad2 692 uint8_t data[USB_CMD_DATA_SIZE];
19a700a8 693 uint16_t datalen=0;
694 uint32_t temp;
5f6d6c90 695
696 if (strlen(cmd)<2) {
963fa1c2 697 PrintAndLog("Usage: hf 14a raw [-r] [-c] [-p] [-a] [-t] <milliseconds> [-b] <number of bits> <0A 0B 0C ... hex>");
5f6d6c90 698 PrintAndLog(" -r do not read response");
699 PrintAndLog(" -c calculate and append CRC");
700 PrintAndLog(" -p leave the signal field ON after receive");
701 PrintAndLog(" -a active signal field ON without select");
702 PrintAndLog(" -s active signal field ON with select");
703 PrintAndLog(" -b number of bits to send. Useful for send partial byte");
19a700a8 704 PrintAndLog(" -t timeout in ms");
0ec548dc 705 PrintAndLog(" -T use Topaz protocol to send command");
5f6d6c90 706 return 0;
707 }
708
0ec548dc 709
5f6d6c90 710 // strip
711 while (*cmd==' ' || *cmd=='\t') cmd++;
712
713 while (cmd[i]!='\0') {
714 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
715 if (cmd[i]=='-') {
716 switch (cmd[i+1]) {
717 case 'r':
0ec548dc 718 reply = FALSE;
5f6d6c90 719 break;
720 case 'c':
0ec548dc 721 crc = TRUE;
5f6d6c90 722 break;
723 case 'p':
0ec548dc 724 power = TRUE;
5f6d6c90 725 break;
726 case 'a':
0ec548dc 727 active = TRUE;
5f6d6c90 728 break;
729 case 's':
0ec548dc 730 active_select = TRUE;
5f6d6c90 731 break;
732 case 'b':
733 sscanf(cmd+i+2,"%d",&temp);
734 numbits = temp & 0xFFFF;
735 i+=3;
736 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
737 i-=2;
738 break;
79bf1ad2 739 case 't':
0ec548dc 740 bTimeout = TRUE;
79bf1ad2 741 sscanf(cmd+i+2,"%d",&temp);
19a700a8 742 timeout = temp;
79bf1ad2 743 i+=3;
744 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
04bc1c66 745 i-=2;
79bf1ad2 746 break;
0ec548dc 747 case 'T':
748 topazmode = TRUE;
749 break;
5f6d6c90 750 default:
751 PrintAndLog("Invalid option");
752 return 0;
753 }
754 i+=2;
755 continue;
756 }
757 if ((cmd[i]>='0' && cmd[i]<='9') ||
758 (cmd[i]>='a' && cmd[i]<='f') ||
759 (cmd[i]>='A' && cmd[i]<='F') ) {
760 buf[strlen(buf)+1]=0;
761 buf[strlen(buf)]=cmd[i];
762 i++;
763
764 if (strlen(buf)>=2) {
765 sscanf(buf,"%x",&temp);
766 data[datalen]=(uint8_t)(temp & 0xff);
5f6d6c90 767 *buf=0;
9cdd47c2 768 if (++datalen >= sizeof(data)){
79bf1ad2 769 if (crc)
770 PrintAndLog("Buffer is full, we can't add CRC to your data");
771 break;
772 }
5f6d6c90 773 }
774 continue;
775 }
776 PrintAndLog("Invalid char on input");
777 return 0;
778 }
0ec548dc 779
79bf1ad2 780 if(crc && datalen>0 && datalen<sizeof(data)-2)
5f6d6c90 781 {
782 uint8_t first, second;
0ec548dc 783 if (topazmode) {
784 ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
785 } else {
9cdd47c2 786 ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
0ec548dc 787 }
5f6d6c90 788 data[datalen++] = first;
789 data[datalen++] = second;
790 }
791
792 if(active || active_select)
793 {
794 c.arg[0] |= ISO14A_CONNECT;
795 if(active)
796 c.arg[0] |= ISO14A_NO_SELECT;
797 }
04bc1c66 798
79bf1ad2 799 if(bTimeout){
0ec548dc 800 #define MAX_TIMEOUT 40542464 // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
79bf1ad2 801 c.arg[0] |= ISO14A_SET_TIMEOUT;
19a700a8 802 if(timeout > MAX_TIMEOUT) {
803 timeout = MAX_TIMEOUT;
804 PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
79bf1ad2 805 }
04bc1c66 806 c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
79bf1ad2 807 }
0ec548dc 808
5f6d6c90 809 if(power)
810 c.arg[0] |= ISO14A_NO_DISCONNECT;
0ec548dc 811
5f6d6c90 812 if(datalen>0)
813 c.arg[0] |= ISO14A_RAW;
814
0ec548dc 815 if(topazmode)
816 c.arg[0] |= ISO14A_TOPAZMODE;
817
79bf1ad2 818 // Max buffer is USB_CMD_DATA_SIZE
819 c.arg[1] = (datalen & 0xFFFF) | (numbits << 16);
5f6d6c90 820 memcpy(c.d.asBytes,data,datalen);
821
822 SendCommand(&c);
823
824 if (reply) {
825 if(active_select)
826 waitCmd(1);
827 if(datalen>0)
828 waitCmd(0);
829 } // if reply
830 return 0;
831}
832
0ec548dc 833
5f6d6c90 834static void waitCmd(uint8_t iSelect)
835{
836 uint8_t *recv;
837 UsbCommand resp;
838 char *hexout;
839
b915fda3 840 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
5f6d6c90 841 recv = resp.d.asBytes;
842 uint8_t iLen = iSelect ? resp.arg[1] : resp.arg[0];
843 PrintAndLog("received %i octets",iLen);
844 if(!iLen)
845 return;
846 hexout = (char *)malloc(iLen * 3 + 1);
847 if (hexout != NULL) {
5f6d6c90 848 for (int i = 0; i < iLen; i++) { // data in hex
f66021cf 849 sprintf(&hexout[i * 3], "%02X ", recv[i]);
5f6d6c90 850 }
851 PrintAndLog("%s", hexout);
852 free(hexout);
853 } else {
854 PrintAndLog("malloc failed your client has low memory?");
855 }
856 } else {
857 PrintAndLog("timeout while waiting for reply.");
858 }
859}
860
7fe9b0b7 861static command_t CommandTable[] =
862{
5acd09bd 863 {"help", CmdHelp, 1, "This help"},
4c3de57a 864 {"list", CmdHF14AList, 0, "[Deprecated] List ISO 14443a history"},
5acd09bd 865 {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
866 {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
df3e429d 867 {"sim", CmdHF14ASim, 0, "<UID> -- Simulate ISO 14443a tag"},
9cdd47c2 868 {"sniff", CmdHF14ASniff, 0, "sniff ISO 14443 Type A traffic"},
5f6d6c90 869 {"raw", CmdHF14ACmdRaw, 0, "Send raw hex data to tag"},
7fe9b0b7 870 {NULL, NULL, 0, NULL}
871};
872
902cb3c0 873int CmdHF14A(const char *Cmd) {
f397b5cc 874 // flush
902cb3c0 875 WaitForResponseTimeout(CMD_ACK,NULL,100);
f397b5cc
M		 876
877 // parse
9cdd47c2 878 CmdsParse(CommandTable, Cmd);
879 return 0;
7fe9b0b7 880}
881
882int CmdHelp(const char *Cmd)
883{
884 CmdsHelp(CommandTable);
885 return 0;
886}
Proxmark3 GIT tracking
Impressum, Datenschutz