[proxmark3-svn] / armsrc / mifaresniff.c

//-----------------------------------------------------------------------------
// Merlok - 2012
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Routines to support mifare classic sniffer.
//-----------------------------------------------------------------------------

#include "mifaresniff.h"
#include "apps.h"
#include "proxmark3.h"
#include "util.h"
#include "string.h"
#include "iso14443crc.h"
#include "iso14443a.h"
#include "crapto1/crapto1.h"
#include "mifareutil.h"
#include "common.h"


static int sniffState = SNF_INIT;
static uint8_t sniffUIDType;
static uint8_t sniffUID[8] = {0x00};
static uint8_t sniffATQA[2] = {0x00};
static uint8_t sniffSAK;
static uint8_t sniffBuf[16] = {0x00};
static uint32_t timerData = 0;


bool MfSniffInit(void){
	memset(sniffUID, 0x00, 8);
	memset(sniffATQA, 0x00, 2);
	sniffSAK = 0;
	sniffUIDType = SNF_UID_4;

	return FALSE;
}

bool MfSniffEnd(void){
	LED_B_ON();
	cmd_send(CMD_ACK,0,0,0,0,0);
	LED_B_OFF();

	return FALSE;
}

bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {

	if (reader && (len == 1) && (bitCnt == 7)) { 		// reset on 7-Bit commands from reader
		sniffState = SNF_INIT;
	}

	switch (sniffState) {
		case SNF_INIT:{
			if ((len == 1) && (reader) && (bitCnt == 7) ) {  // REQA or WUPA from reader
				sniffUIDType = SNF_UID_4;
				memset(sniffUID, 0x00, 8);
				memset(sniffATQA, 0x00, 2);
				sniffSAK = 0;
				sniffState = SNF_ATQA;
				if (data[0] == 0x40) 
					sniffState = SNF_MAGIC_WUPC2;
			}
			break;
		}
		case SNF_MAGIC_WUPC2:
			if ((len == 1) && (reader) && (data[0] == 0x43) ) {  
				sniffState = SNF_CARD_IDLE;
			}
			break;
		case SNF_ATQA:{
			if ((!reader) && (len == 2)) { 		// ATQA from tag
				memcpy(sniffATQA, data, 2);
				sniffState = SNF_UID1;
			}
			break;
		}
		case SNF_UID1:{\r
			if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {   // Select 4 Byte UID from reader\r
				memcpy(sniffUID + 3, &data[2], 4);\r
				sniffState = SNF_SAK;\r
			}\r
			break;
		}\r
		case SNF_SAK:{
			if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
				sniffSAK = data[0];
				if ((sniffUID[3] == 0x88) && (sniffUIDType == SNF_UID_4)) {			// CL2 UID part to be expected
					sniffUIDType = SNF_UID_7;\r
					memcpy(sniffUID, sniffUID + 4, 3);\r
					sniffState = SNF_UID2;
				} else {															// select completed
					sniffState = SNF_CARD_IDLE;
				}
			}
			break;
		}
		case SNF_UID2:{\r
			if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {\r
				memcpy(sniffUID + 3, &data[2], 4);\r
				sniffState = SNF_SAK;\r
			}\r
			break;\r
		}\r
		case SNF_CARD_IDLE:{	// trace the card select sequence
			sniffBuf[0] = 0xFF;
			sniffBuf[1] = 0xFF;
			memcpy(sniffBuf + 2, sniffUID, 7);
			memcpy(sniffBuf + 9, sniffATQA, 2);
			sniffBuf[11] = sniffSAK;
			sniffBuf[12] = 0xFF;
			sniffBuf[13] = 0xFF;
			LogTrace(sniffBuf, 14, 0, 0, NULL, TRUE);
			sniffState = SNF_CARD_CMD;
		}	// intentionally no break;
		case SNF_CARD_CMD:{	
			LogTrace(data, len, 0, 0, parity, reader);
			timerData = GetTickCount();
			break;
		}
	
		default:
			sniffState = SNF_INIT;
		break;
	}


	return FALSE;
}

bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
	if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {
		return intMfSniffSend();
	}
	return FALSE;
}

// internal sending function. not a RAMFUNC.
bool intMfSniffSend() {

	int pckSize = 0;
	int pckLen = BigBuf_get_traceLen();
	int pckNum = 0;
	uint8_t *trace = BigBuf_get_addr();
	
	FpgaDisableSscDma();
	while (pckLen > 0) {
		pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
		LED_B_ON();
		cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);
		LED_B_OFF();

		pckLen -= pckSize;
		pckNum++;
	}

	LED_B_ON();
	cmd_send(CMD_ACK,2,0,0,0,0);
	LED_B_OFF();

	clear_trace();
	
	return TRUE;
}
Commit	Line	Data
3544b997	1	//-----------------------------------------------------------------------------
	2	// Merlok - 2012
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// Routines to support mifare classic sniffer.
	9	//-----------------------------------------------------------------------------
	10
	11	#include "mifaresniff.h"
	12	#include "apps.h"
	13	#include "proxmark3.h"
	14	#include "util.h"
	15	#include "string.h"
	16	#include "iso14443crc.h"
	17	#include "iso14443a.h"
	18	#include "crapto1/crapto1.h"
	19	#include "mifareutil.h"
	20	#include "common.h"
	21
	22
	23	static int sniffState = SNF_INIT;
	24	static uint8_t sniffUIDType;
	25	static uint8_t sniffUID[8] = {0x00};
	26	static uint8_t sniffATQA[2] = {0x00};
	27	static uint8_t sniffSAK;
	28	static uint8_t sniffBuf[16] = {0x00};
	29	static uint32_t timerData = 0;
	30
	31
	32	bool MfSniffInit(void){
	33	memset(sniffUID, 0x00, 8);
	34	memset(sniffATQA, 0x00, 2);
	35	sniffSAK = 0;
	36	sniffUIDType = SNF_UID_4;
	37
	38	return FALSE;
	39	}
	40
	41	bool MfSniffEnd(void){
	42	LED_B_ON();
	43	cmd_send(CMD_ACK,0,0,0,0,0);
	44	LED_B_OFF();
	45
	46	return FALSE;
	47	}
	48
	49	bool RAMFUNC MfSniffLogic(const uint8_t data, uint16_t len, uint8_t parity, uint16_t bitCnt, bool reader) {
	50
	51	if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader
	52	sniffState = SNF_INIT;
	53	}
	54
	55	switch (sniffState) {
	56	case SNF_INIT:{
	57	if ((len == 1) && (reader) && (bitCnt == 7) ) { // REQA or WUPA from reader
	58	sniffUIDType = SNF_UID_4;
	59	memset(sniffUID, 0x00, 8);
	60	memset(sniffATQA, 0x00, 2);
	61	sniffSAK = 0;
543a6ed3	62	sniffState = SNF_ATQA;
f7887fa8	63	if (data[0] == 0x40)
f7887fa8	64	sniffState = SNF_MAGIC_WUPC2;
3544b997	65	}
	66	break;
	67	}
f7887fa8	68	case SNF_MAGIC_WUPC2:
	69	if ((len == 1) && (reader) && (data[0] == 0x43) ) {
	70	sniffState = SNF_CARD_IDLE;
	71	}
	72	break;
543a6ed3	73	case SNF_ATQA:{
3544b997	74	if ((!reader) && (len == 2)) { // ATQA from tag
3544b997	75	memcpy(sniffATQA, data, 2);
543a6ed3	76	sniffState = SNF_UID1;
3544b997	77	}
	78	break;
	79	}
39864b0b	80	case SNF_UID1:{\r
7bc95e2e	81	if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 4 Byte UID from reader\r
3544b997	82	memcpy(sniffUID + 3, &data[2], 4);\r
39864b0b M	83	sniffState = SNF_SAK;\r
39864b0b M	84	}\r
3544b997	85	break;
39864b0b	86	}\r
3544b997	87	case SNF_SAK:{
	88	if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
	89	sniffSAK = data[0];
	90	if ((sniffUID[3] == 0x88) && (sniffUIDType == SNF_UID_4)) { // CL2 UID part to be expected
	91	sniffUIDType = SNF_UID_7;\r
	92	memcpy(sniffUID, sniffUID + 4, 3);\r
	93	sniffState = SNF_UID2;
	94	} else { // select completed
	95	sniffState = SNF_CARD_IDLE;
	96	}
	97	}
	98	break;
	99	}
39864b0b	100	case SNF_UID2:{\r
3544b997	101	if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {\r
3544b997	102	memcpy(sniffUID + 3, &data[2], 4);\r
39864b0b	103	sniffState = SNF_SAK;\r
39864b0b M	104	}\r
	105	break;\r
	106	}\r
3544b997	107	case SNF_CARD_IDLE:{ // trace the card select sequence
	108	sniffBuf[0] = 0xFF;
	109	sniffBuf[1] = 0xFF;
	110	memcpy(sniffBuf + 2, sniffUID, 7);
	111	memcpy(sniffBuf + 9, sniffATQA, 2);
	112	sniffBuf[11] = sniffSAK;
	113	sniffBuf[12] = 0xFF;
	114	sniffBuf[13] = 0xFF;
	115	LogTrace(sniffBuf, 14, 0, 0, NULL, TRUE);
	116	sniffState = SNF_CARD_CMD;
	117	} // intentionally no break;
	118	case SNF_CARD_CMD:{
a37725fa	119	LogTrace(data, len, 0, 0, parity, reader);
3544b997	120	timerData = GetTickCount();
	121	break;
	122	}
	123
	124	default:
	125	sniffState = SNF_INIT;
	126	break;
	127	}
	128
	129
	130	return FALSE;
	131	}
	132
	133	bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
	134	if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {
	135	return intMfSniffSend();
	136	}
	137	return FALSE;
	138	}
	139
	140	// internal sending function. not a RAMFUNC.
	141	bool intMfSniffSend() {
	142
	143	int pckSize = 0;
	144	int pckLen = BigBuf_get_traceLen();
	145	int pckNum = 0;
	146	uint8_t *trace = BigBuf_get_addr();
	147
	148	FpgaDisableSscDma();
	149	while (pckLen > 0) {
	150	pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
	151	LED_B_ON();
	152	cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);
	153	LED_B_OFF();
	154
	155	pckLen -= pckSize;
	156	pckNum++;
	157	}
	158
	159	LED_B_ON();
	160	cmd_send(CMD_ACK,2,0,0,0,0);
	161	LED_B_OFF();
	162
	163	clear_trace();
	164
	165	return TRUE;
	166	}