[proxmark3-svn] / client / cmdhficlass.c

//-----------------------------------------------------------------------------
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
// Copyright (C) 2011 Gerhard de Koning Gans
// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency iClass commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
#include "data.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhficlass.h"
#include "common.h"
#include "util.h"
#include "cmdmain.h"
#include "loclass/des.h"
#include "loclass/cipherutils.h"
#include "loclass/cipher.h"
#include "loclass/ikeys.h"
#include "loclass/elite_crack.h"
#include "loclass/fileutils.h"

static int CmdHelp(const char *Cmd);

int xorbits_8(uint8_t val)
{
    uint8_t res = val ^ (val >> 1); //1st pass
    res = res ^ (res >> 1); 		// 2nd pass
    res = res ^ (res >> 2); 		// 3rd pass
    res = res ^ (res >> 4); 			// 4th pass
    return res & 1;
}

#define ICLASS_CMD_ACTALL 0x0A
#define ICLASS_CMD_IDENTIFY 0x0C
#define ICLASS_CMD_READ 0x0C

#define ICLASS_CMD_SELECT 0x81
#define ICLASS_CMD_PAGESEL 0x84
#define ICLASS_CMD_READCHECK 0x88
#define ICLASS_CMD_CHECK 0x05
#define ICLASS_CMD_SOF 0x0F
#define ICLASS_CMD_HALT 0x00


void explain(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
{

	if(cmdsize > 1 && cmd[0] == ICLASS_CMD_READ)
	{
		  snprintf(exp,size,"READ(%d)",cmd[1]);
		  return;
	}

    switch(cmd[0])
    {
	case ICLASS_CMD_ACTALL:            snprintf(exp,size,"ACTALL"); break;
	case ICLASS_CMD_IDENTIFY:    snprintf(exp,size,"IDENTIFY"); break;
	case ICLASS_CMD_SELECT:         snprintf(exp,size,"SELECT"); break;
	case ICLASS_CMD_PAGESEL:         snprintf(exp,size,"PAGESEL"); break;
	case ICLASS_CMD_READCHECK:         snprintf(exp,size,"READCHECK"); break;
	case ICLASS_CMD_CHECK:         snprintf(exp,size,"CHECK"); break;
	case ICLASS_CMD_SOF:            snprintf(exp,size,"SOF"); break;
	case ICLASS_CMD_HALT:            snprintf(exp,size,"HALT"); break;
	default:                        snprintf(exp,size,"?"); break;
    }
    return;
}

int CmdHFiClassList(const char *Cmd)
{
	bool ShowWaitCycles = false;
	char param = param_getchar(Cmd, 0);
	
	if (param != 0) {
		PrintAndLog("List data in trace buffer.");
		PrintAndLog("Usage:  hf iclass list");
		PrintAndLog("h - help");
		PrintAndLog("sample: hf iclass list");
		return 0;
	}

// for the time being. Need better Bigbuf handling.	
#define TRACE_SIZE 3000	

	uint8_t trace[TRACE_SIZE];
	GetFromBigBuf(trace, TRACE_SIZE, 0);
	WaitForResponse(CMD_ACK, NULL);

	PrintAndLog("Recorded Activity");
	PrintAndLog("");
	PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
	PrintAndLog("All times are in carrier periods (1/13.56Mhz)");
	PrintAndLog("");
    PrintAndLog("     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Explanation|");
    PrintAndLog("-----------|-----------|-----|-------------------------------------------------------------------------------------");

	uint16_t tracepos = 0;
	uint16_t duration;
	uint16_t data_len;
	uint16_t parity_len;
	bool isResponse;
	uint32_t timestamp;
	uint32_t first_timestamp;
	uint32_t EndOfTransmissionTimestamp;
    char explanation[20] = {0};
	for (;;) {

		if(tracepos >= TRACE_SIZE) {
			break;
		}

		timestamp = *((uint32_t *)(trace + tracepos));
		if(tracepos == 0) {
			first_timestamp = timestamp;
		}

		// Break and stick with current result if buffer was not completely full
		if (timestamp == 0x44444444) break; 

		tracepos += 4;
		duration = *((uint16_t *)(trace + tracepos));
		tracepos += 2;
		data_len = *((uint16_t *)(trace + tracepos));
		tracepos += 2;
		
		if (data_len & 0x8000) {
		  data_len &= 0x7fff;
		  isResponse = true;
		} else {
		  isResponse = false;
		}

		parity_len = (data_len-1)/8 + 1;

		if (tracepos + data_len + parity_len >= TRACE_SIZE) {
			break;
		}
		
		uint8_t *frame = trace + tracepos;
		tracepos += data_len;
		uint8_t *parityBytes = trace + tracepos;
		tracepos += parity_len;

		char line[16][110];
		for (int j = 0; j < data_len; j++) {
			int oddparity = 0x01;
			int k;
			
			for (k=0;k<8;k++) {
				oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
			}

			uint8_t parityBits = parityBytes[j>>3];
			if (isResponse && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) {
				sprintf(line[j/16]+((j%16)*4), "%02x! ", frame[j]);
			} else {
				sprintf(line[j/16]+((j%16)*4), "%02x  ", frame[j]);
			}

		}

        char *crc = "    ";
		if (data_len > 2) {
			uint8_t b1, b2;
			if(!isResponse && data_len == 4 ) {
				// Rough guess that this is a command from the reader
				// For iClass the command byte is not part of the CRC
				ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2);
				if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
					crc = "!crc";
				}
			}
			else {
				// For other data.. CRC might not be applicable (UPDATE commands etc.)
				ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2);
				if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
					crc = "!crc";
				}
			}
		}

		EndOfTransmissionTimestamp = timestamp + duration;
        explain(explanation,sizeof(explanation),frame,data_len);
		int num_lines = (data_len - 1)/16 + 1;
		for (int j = 0; j < num_lines; j++) {
			if (j == 0) {
                PrintAndLog(" %9d | %9d | %s | %-64s| %s| %s",
					(timestamp - first_timestamp),
					(EndOfTransmissionTimestamp - first_timestamp),
					(isResponse ? "Tag" : "Rdr"),
					line[j], 
                    (j == num_lines-1)?crc:"    ",
                        explanation);
			} else {
				PrintAndLog("           |           |     | %-64s| %s",
					line[j], 
                    (j == num_lines-1)?crc:"    ");
			}
		}				

		bool next_isResponse = *((uint16_t *)(trace + tracepos + 6)) & 0x8000;
		
		if (ShowWaitCycles && !isResponse && next_isResponse) {
			uint32_t next_timestamp = *((uint32_t *)(trace + tracepos));
			if (next_timestamp != 0x44444444) {
				PrintAndLog(" %9d | %9d | %s | fdt (Frame Delay Time): %d",
					(EndOfTransmissionTimestamp - first_timestamp),
					(next_timestamp - first_timestamp),
					"   ",
					(next_timestamp - EndOfTransmissionTimestamp));
			}
		}
			
	}
	
	return 0;
}

int CmdHFiClassSnoop(const char *Cmd)
{
  UsbCommand c = {CMD_SNOOP_ICLASS};
  SendCommand(&c);
  return 0;
}
#define NUM_CSNS 15
int CmdHFiClassSim(const char *Cmd)
{
  uint8_t simType = 0;
  uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  if (strlen(Cmd)<1) {
	PrintAndLog("Usage:  hf iclass sim [0 <CSN>] | x");
	PrintAndLog("        options");
	PrintAndLog("                0 <CSN> simulate the given CSN");
	PrintAndLog("                1       simulate default CSN");
	PrintAndLog("                2       iterate CSNs, gather MACs");
	PrintAndLog("        sample: hf iclass sim 0 031FEC8AF7FF12E0");
	PrintAndLog("        sample: hf iclass sim 2");
	return 0;
  }	

  simType = param_get8(Cmd, 0);

  if(simType == 0)
  {
	  if (param_gethex(Cmd, 1, CSN, 16)) {
		  PrintAndLog("A CSN should consist of 16 HEX symbols");
		  return 1;
	  }
	  PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));

  }
  if(simType > 2)
  {
	  PrintAndLog("Undefined simptype %d", simType);
	  return 1;
  }
  uint8_t numberOfCSNs=0;

	if(simType == 2)
	{
		UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
		UsbCommand resp = {0};

		/*uint8_t csns[8 * NUM_CSNS] = {
			 0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
			 0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
			 0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
			 0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 ,
			 0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 ,
			 0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
			 0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
			 0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
*/
      
       uint8_t csns[8*NUM_CSNS] = {
        0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
        0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };

		memcpy(c.d.asBytes, csns, 8*NUM_CSNS);

		SendCommand(&c);
		if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
			PrintAndLog("Command timed out");
			return 0;
		}

		uint8_t num_mac_responses  = resp.arg[1];
		PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);

		size_t datalen = NUM_CSNS*24;
		/*
		 * Now, time to dump to file. We'll use this format:
		 * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
		 * So, it should wind up as
		 * 8 * 24 bytes.
		 *
		 * The returndata from the pm3 is on the following format
		 * <4 byte NR><4 byte MAC>
		 * CC are all zeroes, CSN is the same as was sent in
		 **/
		void* dump = malloc(datalen);
		memset(dump,0,datalen);//<-- Need zeroes for the CC-field
		uint8_t i = 0;
		for(i = 0 ; i < NUM_CSNS ; i++)
		{
			memcpy(dump+i*24, csns+i*8,8); //CSN
			//8 zero bytes here...
			//Then comes NR_MAC (eight bytes from the response)
			memcpy(dump+i*24+16,resp.d.asBytes+i*8,8);

		}
		/** Now, save to dumpfile **/
		saveFile("iclass_mac_attack", "bin", dump,datalen);
		free(dump);
	}else
	{
		UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
		memcpy(c.d.asBytes, CSN, 8);
		SendCommand(&c);
	}

  return 0;
}

int CmdHFiClassReader(const char *Cmd)
{
  UsbCommand c = {CMD_READER_ICLASS, {0}};
  SendCommand(&c);
    UsbCommand resp;
  while(!ukbhit()){
      if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
            uint8_t isOK    = resp.arg[0] & 0xff;
            uint8_t * data  = resp.d.asBytes;

            PrintAndLog("isOk:%02x", isOK);
            if( isOK == 0){
                //Aborted
                PrintAndLog("Quitting...");
                return 0;
            }
            if(isOK > 0)
            {
                PrintAndLog("CSN: %s",sprint_hex(data,8));
            }
            if(isOK >= 1)
            {
                PrintAndLog("CC: %s",sprint_hex(data+8,8));
            }else{
                PrintAndLog("No CC obtained");
            }
        } else {
            PrintAndLog("Command execute timeout");
        }
    }

  return 0;
}

int CmdHFiClassReader_Replay(const char *Cmd)
{
  uint8_t readerType = 0;
  uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};

  if (strlen(Cmd)<1) {
    PrintAndLog("Usage:  hf iclass replay <MAC>");
    PrintAndLog("        sample: hf iclass replay 00112233");
    return 0;
  }

  if (param_gethex(Cmd, 0, MAC, 8)) {
    PrintAndLog("MAC must include 8 HEX symbols");
    return 1;
  }

  UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
  memcpy(c.d.asBytes, MAC, 4);
  SendCommand(&c);

  return 0;
}

int CmdHFiClassReader_Dump(const char *Cmd)
{
  uint8_t readerType = 0;
  uint8_t MAC[4]={0x00,0x00,0x00,0x00};
  uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  //uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t keytable[128] = {0};
  int elite = 0;
  uint8_t *used_key;
  int i;
  if (strlen(Cmd)<1) 
  {
    PrintAndLog("Usage:  hf iclass dump <Key> [e]");
    PrintAndLog("        Key    - A 16 byte master key");
    PrintAndLog("        e      - If 'e' is specified, the key is interpreted as the 16 byte");
    PrintAndLog("                 Custom Key (KCus), which can be obtained via reader-attack");
    PrintAndLog("                 See 'hf iclass sim 2'. This key should be on iclass-format");
    PrintAndLog("        sample: hf iclass dump 0011223344556677");


    return 0;
  }

  if (param_gethex(Cmd, 0, KEY, 16)) 
  {
    PrintAndLog("KEY must include 16 HEX symbols");
    return 1;
  }

  if (param_getchar(Cmd, 1) == 'e')
  {
    PrintAndLog("Elite switch on");
    elite = 1;

    //calc h2
    hash2(KEY, keytable);
    printarr_human_readable("keytable", keytable, 128);

  }

  UsbCommand resp;
  uint8_t key_sel[8] = {0};
  uint8_t key_sel_p[8] = { 0 };

  //HACK -- Below is for testing without access to a tag
  uint8_t fake_dummy_test = false;
  if(fake_dummy_test)
  {
    uint8_t xdata[16] = {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0, //CSN from http://www.proxmark.org/forum/viewtopic.php?pid=11230#p11230
                        0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Just a random CC. Would be good to add a real testcase here
    memcpy(resp.d.asBytes,xdata, 16);
    resp.arg[0] = 2;    
  }
  
  //End hack


  UsbCommand c = {CMD_READER_ICLASS, {0}};
  c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE| FLAG_ICLASS_READER_GET_CC;
  if(!fake_dummy_test)   
    SendCommand(&c);
  

  if (fake_dummy_test || WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
        uint8_t isOK    = resp.arg[0] & 0xff;
        uint8_t * data  = resp.d.asBytes;

        memcpy(CSN,data,8);
        memcpy(CCNR,data+8,8);

        PrintAndLog("isOk:%02x", isOK);

        if(isOK > 0)
        {
            PrintAndLog("CSN: %s",sprint_hex(CSN,8));
        }
        if(isOK > 1)
        {
            if(elite)
            {
                //Get the key index (hash1)
                uint8_t key_index[8] = {0};

                hash1(CSN, key_index);
                printvar("hash1", key_index,8);
                for(i = 0; i < 8 ; i++)
                    key_sel[i] = keytable[key_index[i]] & 0xFF;
                PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
                printvar("k_sel", key_sel,8);
                //Permute from iclass format to standard format
                permutekey_rev(key_sel,key_sel_p);
                used_key = key_sel_p;
            }else{
                //Perhaps this should also be permuted to std format?
                // Something like the code below? I have no std system
                // to test this with /Martin

                //uint8_t key_sel_p[8] = { 0 };
                //permutekey_rev(KEY,key_sel_p);
                //used_key = key_sel_p;

                used_key = KEY;

            }

            PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
            printvar("Used key",used_key,8);
            diversifyKey(CSN,used_key, div_key);
            PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
            printvar("Div key", div_key, 8);
            printvar("CC_NR:",CCNR,12);
            doMAC(CCNR,12,div_key, MAC);
            printvar("MAC", MAC, 4);

            UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
            memcpy(d.d.asBytes, MAC, 4);
            if(!fake_dummy_test) SendCommand(&d);

        }else{
            PrintAndLog("Failed to obtain CC! Aborting");
        }
    } else {
        PrintAndLog("Command execute timeout");
    }

  return 0;
}

int CmdHFiClass_iso14443A_write(const char *Cmd)
{
  uint8_t readerType = 0;
  uint8_t MAC[4]={0x00,0x00,0x00,0x00};
  uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

  uint8_t blockNo=0;
  uint8_t bldata[8]={0};

  if (strlen(Cmd)<3) 
  {
    PrintAndLog("Usage:  hf iclass write <Key> <Block> <Data>");
    PrintAndLog("        sample: hf iclass write 0011223344556677 10 AAAAAAAAAAAAAAAA");
    return 0;
  }

  if (param_gethex(Cmd, 0, KEY, 16)) 
  {
    PrintAndLog("KEY must include 16 HEX symbols");
    return 1;
  }
  
  blockNo = param_get8(Cmd, 1);
  if (blockNo>32)
  {
        PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!");
        return 1;
  }
  if (param_gethex(Cmd, 2, bldata, 8)) 
  {
        PrintAndLog("Block data must include 8 HEX symbols");
        return 1;
  }
  
  UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}};
  SendCommand(&c);
  UsbCommand resp;

  if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
    uint8_t isOK    = resp.arg[0] & 0xff;
    uint8_t * data  = resp.d.asBytes;
    
    memcpy(CSN,data,8);
    memcpy(CCNR,data+8,8);
    PrintAndLog("DEBUG: %s",sprint_hex(CSN,8));
    PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8));
	PrintAndLog("isOk:%02x", isOK);
  } else {
	PrintAndLog("Command execute timeout");
  }

  diversifyKey(CSN,KEY, div_key);

  PrintAndLog("Div Key: %s",sprint_hex(div_key,8));
  doMAC(CCNR, 12,div_key, MAC);

  UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}};
  memcpy(c2.d.asBytes, bldata, 8);
  memcpy(c2.d.asBytes+8, MAC, 4);
  SendCommand(&c2);

  if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
    uint8_t isOK    = resp.arg[0] & 0xff;
    uint8_t * data  = resp.d.asBytes;

    if (isOK)
      PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
    else
      PrintAndLog("isOk:%02x", isOK);
  } else {
      PrintAndLog("Command execute timeout");
  }
  return 0;
}


static command_t CommandTable[] = 
{
  {"help",	CmdHelp,			1,	"This help"},
  {"list",	CmdHFiClassList,	0,	"List iClass history"},
  {"snoop",	CmdHFiClassSnoop,	0,	"Eavesdrop iClass communication"},
  {"sim",	CmdHFiClassSim,		0,	"Simulate iClass tag"},
  {"reader",CmdHFiClassReader,	0,	"Read an iClass tag"},
  {"replay",CmdHFiClassReader_Replay,	0,	"Read an iClass tag via Reply Attack"},
  {"dump",	CmdHFiClassReader_Dump,	0,		"Authenticate and Dump iClass tag"},
  {"write",	CmdHFiClass_iso14443A_write,	0,	"Authenticate and Write iClass block"},
  {NULL, NULL, 0, NULL}
};

int CmdHFiClass(const char *Cmd)
{
  CmdsParse(CommandTable, Cmd);
  return 0;
}

int CmdHelp(const char *Cmd)
{
  CmdsHelp(CommandTable);
  return 0;
}
Commit	Line	Data
cee5a30d	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
	3	// Copyright (C) 2011 Gerhard de Koning Gans
26c0d833	4	// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
cee5a30d	5	//
	6	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	7	// at your option, any later version. See the LICENSE.txt file for the text of
	8	// the license.
	9	//-----------------------------------------------------------------------------
	10	// High frequency iClass commands
	11	//-----------------------------------------------------------------------------
	12
	13	#include <stdio.h>
	14	#include <stdlib.h>
	15	#include <string.h>
9f6e9d15	16	#include <sys/stat.h>
cee5a30d	17	#include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
cee5a30d	18	#include "data.h"
28fdb04f	19	//#include "proxusb.h"
902cb3c0	20	#include "proxmark3.h"
cee5a30d	21	#include "ui.h"
	22	#include "cmdparser.h"
	23	#include "cmdhficlass.h"
	24	#include "common.h"
14006804	25	#include "util.h"
17cba269	26	#include "cmdmain.h"
a66fca86 AD	27	#include "loclass/des.h"
	28	#include "loclass/cipherutils.h"
	29	#include "loclass/cipher.h"
	30	#include "loclass/ikeys.h"
3ad48540 MHS	31	#include "loclass/elite_crack.h"
3ad48540 MHS	32	#include "loclass/fileutils.h"
cee5a30d	33
	34	static int CmdHelp(const char *Cmd);
	35
17cba269 MHS	36	int xorbits_8(uint8_t val)
17cba269 MHS	37	{
3ad48540 MHS	38	uint8_t res = val ^ (val >> 1); //1st pass
	39	res = res ^ (res >> 1); // 2nd pass
	40	res = res ^ (res >> 2); // 3rd pass
	41	res = res ^ (res >> 4); // 4th pass
	42	return res & 1;
17cba269 MHS	43	}
17cba269 MHS	44
c8dd9b09 MHS	45	#define ICLASS_CMD_ACTALL 0x0A
	46	#define ICLASS_CMD_IDENTIFY 0x0C
	47	#define ICLASS_CMD_READ 0x0C
	48
	49	#define ICLASS_CMD_SELECT 0x81
	50	#define ICLASS_CMD_PAGESEL 0x84
	51	#define ICLASS_CMD_READCHECK 0x88
	52	#define ICLASS_CMD_CHECK 0x05
	53	#define ICLASS_CMD_SOF 0x0F
	54	#define ICLASS_CMD_HALT 0x00
	55
	56
2e9d4b3f MHS	57	void explain(char exp, size_t size, uint8_t cmd, uint8_t cmdsize)
	58	{
	59
c8dd9b09 MHS	60	if(cmdsize > 1 && cmd[0] == ICLASS_CMD_READ)
	61	{
	62	snprintf(exp,size,"READ(%d)",cmd[1]);
	63	return;
	64	}
	65
2e9d4b3f MHS	66	switch(cmd[0])
2e9d4b3f MHS	67	{
c8dd9b09 MHS	68	case ICLASS_CMD_ACTALL: snprintf(exp,size,"ACTALL"); break;
	69	case ICLASS_CMD_IDENTIFY: snprintf(exp,size,"IDENTIFY"); break;
	70	case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break;
	71	case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL"); break;
	72	case ICLASS_CMD_READCHECK: snprintf(exp,size,"READCHECK"); break;
	73	case ICLASS_CMD_CHECK: snprintf(exp,size,"CHECK"); break;
	74	case ICLASS_CMD_SOF: snprintf(exp,size,"SOF"); break;
	75	case ICLASS_CMD_HALT: snprintf(exp,size,"HALT"); break;
	76	default: snprintf(exp,size,"?"); break;
2e9d4b3f MHS	77	}
	78	return;
	79	}
	80
cee5a30d	81	int CmdHFiClassList(const char *Cmd)
17cba269	82	{
17cba269 MHS	83	bool ShowWaitCycles = false;
17cba269 MHS	84	char param = param_getchar(Cmd, 0);
545f2038	85
17cba269 MHS	86	if (param != 0) {
	87	PrintAndLog("List data in trace buffer.");
	88	PrintAndLog("Usage: hf iclass list");
	89	PrintAndLog("h - help");
	90	PrintAndLog("sample: hf iclass list");
	91	return 0;
	92	}
	93
545f2038	94	// for the time being. Need better Bigbuf handling.
	95	#define TRACE_SIZE 3000
	96
	97	uint8_t trace[TRACE_SIZE];
	98	GetFromBigBuf(trace, TRACE_SIZE, 0);
	99	WaitForResponse(CMD_ACK, NULL);
17cba269 MHS	100
	101	PrintAndLog("Recorded Activity");
	102	PrintAndLog("");
	103	PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
	104	PrintAndLog("All times are in carrier periods (1/13.56Mhz)");
	105	PrintAndLog("");
2e9d4b3f MHS	106	PrintAndLog(" Start \| End \| Src \| Data (! denotes parity error) \| CRC \| Explanation\|");
2e9d4b3f MHS	107	PrintAndLog("-----------\|-----------\|-----\|-------------------------------------------------------------------------------------");
545f2038	108
	109	uint16_t tracepos = 0;
	110	uint16_t duration;
	111	uint16_t data_len;
	112	uint16_t parity_len;
	113	bool isResponse;
17cba269	114	uint32_t timestamp;
545f2038	115	uint32_t first_timestamp;
545f2038	116	uint32_t EndOfTransmissionTimestamp;
2e9d4b3f	117	char explanation[20] = {0};
545f2038	118	for (;;) {
17cba269	119
545f2038	120	if(tracepos >= TRACE_SIZE) {
	121	break;
	122	}
17cba269	123
545f2038	124	timestamp = ((uint32_t )(trace + tracepos));
545f2038	125	if(tracepos == 0) {
17cba269 MHS	126	first_timestamp = timestamp;
	127	}
	128
545f2038	129	// Break and stick with current result if buffer was not completely full
	130	if (timestamp == 0x44444444) break;
	131
	132	tracepos += 4;
	133	duration = ((uint16_t )(trace + tracepos));
	134	tracepos += 2;
	135	data_len = ((uint16_t )(trace + tracepos));
	136	tracepos += 2;
	137
	138	if (data_len & 0x8000) {
	139	data_len &= 0x7fff;
	140	isResponse = true;
	141	} else {
	142	isResponse = false;
	143	}
17cba269	144
545f2038	145	parity_len = (data_len-1)/8 + 1;
17cba269	146
545f2038	147	if (tracepos + data_len + parity_len >= TRACE_SIZE) {
	148	break;
	149	}
	150
	151	uint8_t *frame = trace + tracepos;
	152	tracepos += data_len;
	153	uint8_t *parityBytes = trace + tracepos;
	154	tracepos += parity_len;
	155
	156	char line[16][110];
	157	for (int j = 0; j < data_len; j++) {
	158	int oddparity = 0x01;
	159	int k;
	160
	161	for (k=0;k<8;k++) {
	162	oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
17cba269	163	}
545f2038	164
	165	uint8_t parityBits = parityBytes[j>>3];
	166	if (isResponse && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) {
	167	sprintf(line[j/16]+((j%16)*4), "%02x! ", frame[j]);
	168	} else {
	169	sprintf(line[j/16]+((j%16)*4), "%02x ", frame[j]);
17cba269	170	}
17cba269	171
545f2038	172	}
17cba269	173
2e9d4b3f	174	char *crc = " ";
545f2038	175	if (data_len > 2) {
17cba269	176	uint8_t b1, b2;
545f2038	177	if(!isResponse && data_len == 4 ) {
17cba269 MHS	178	// Rough guess that this is a command from the reader
17cba269 MHS	179	// For iClass the command byte is not part of the CRC
545f2038	180	ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2);
	181	if (b1 != frame[data_len-2] \|\| b2 != frame[data_len-1]) {
	182	crc = "!crc";
	183	}
17cba269 MHS	184	}
17cba269 MHS	185	else {
545f2038	186	// For other data.. CRC might not be applicable (UPDATE commands etc.)
	187	ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2);
	188	if (b1 != frame[data_len-2] \|\| b2 != frame[data_len-1]) {
	189	crc = "!crc";
	190	}
17cba269	191	}
545f2038	192	}
17cba269	193
545f2038	194	EndOfTransmissionTimestamp = timestamp + duration;
2e9d4b3f	195	explain(explanation,sizeof(explanation),frame,data_len);
545f2038	196	int num_lines = (data_len - 1)/16 + 1;
	197	for (int j = 0; j < num_lines; j++) {
	198	if (j == 0) {
2e9d4b3f	199	PrintAndLog(" %9d \| %9d \| %s \| %-64s\| %s\| %s",
545f2038	200	(timestamp - first_timestamp),
	201	(EndOfTransmissionTimestamp - first_timestamp),
	202	(isResponse ? "Tag" : "Rdr"),
	203	line[j],
2e9d4b3f MHS	204	(j == num_lines-1)?crc:" ",
2e9d4b3f MHS	205	explanation);
545f2038	206	} else {
	207	PrintAndLog(" \| \| \| %-64s\| %s",
	208	line[j],
2e9d4b3f	209	(j == num_lines-1)?crc:" ");
545f2038	210	}
	211	}
	212
	213	bool next_isResponse = ((uint16_t )(trace + tracepos + 6)) & 0x8000;
	214
	215	if (ShowWaitCycles && !isResponse && next_isResponse) {
	216	uint32_t next_timestamp = ((uint32_t )(trace + tracepos));
	217	if (next_timestamp != 0x44444444) {
	218	PrintAndLog(" %9d \| %9d \| %s \| fdt (Frame Delay Time): %d",
	219	(EndOfTransmissionTimestamp - first_timestamp),
	220	(next_timestamp - first_timestamp),
	221	" ",
	222	(next_timestamp - EndOfTransmissionTimestamp));
17cba269 MHS	223	}
17cba269 MHS	224	}
545f2038	225
17cba269	226	}
545f2038	227
17cba269 MHS	228	return 0;
	229	}
	230
cee5a30d	231	int CmdHFiClassSnoop(const char *Cmd)
	232	{
	233	UsbCommand c = {CMD_SNOOP_ICLASS};
	234	SendCommand(&c);
	235	return 0;
	236	}
6116c796	237	#define NUM_CSNS 15
1e262141	238	int CmdHFiClassSim(const char *Cmd)
	239	{
	240	uint8_t simType = 0;
	241	uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
	242
17cba269 MHS	243	if (strlen(Cmd)<1) {
	244	PrintAndLog("Usage: hf iclass sim [0 <CSN>] \| x");
	245	PrintAndLog(" options");
	246	PrintAndLog(" 0 <CSN> simulate the given CSN");
	247	PrintAndLog(" 1 simulate default CSN");
	248	PrintAndLog(" 2 iterate CSNs, gather MACs");
1e262141	249	PrintAndLog(" sample: hf iclass sim 0 031FEC8AF7FF12E0");
17cba269	250	PrintAndLog(" sample: hf iclass sim 2");
1e262141	251	return 0;
	252	}
	253
	254	simType = param_get8(Cmd, 0);
17cba269 MHS	255
	256	if(simType == 0)
	257	{
	258	if (param_gethex(Cmd, 1, CSN, 16)) {
	259	PrintAndLog("A CSN should consist of 16 HEX symbols");
	260	return 1;
	261	}
	262	PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));
	263
	264	}
77abe781	265	if(simType > 2)
17cba269 MHS	266	{
	267	PrintAndLog("Undefined simptype %d", simType);
	268	return 1;
1e262141	269	}
17cba269	270	uint8_t numberOfCSNs=0;
1e262141	271
9f6e9d15 MHS	272	if(simType == 2)
9f6e9d15 MHS	273	{
6116c796	274	UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
9f6e9d15	275	UsbCommand resp = {0};
17cba269	276
6116c796	277	/uint8_t csns[8 NUM_CSNS] = {
77abe781 MHS	278	0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
	279	0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
	280	0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
	281	0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 ,
	282	0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 ,
	283	0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
	284	0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
	285	0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
6116c796 MHS	286	*/
	287
	288	uint8_t csns[8*NUM_CSNS] = {
	289	0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
	290	0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
	291	0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
	292	0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
	293	0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
	294	0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
	295	0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
	296	0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
	297	0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
	298	0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
	299	0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
	300	0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
	301	0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
	302	0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
	303	0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
	304
	305	memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
9f6e9d15 MHS	306
	307	SendCommand(&c);
	308	if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
	309	PrintAndLog("Command timed out");
	310	return 0;
	311	}
1e262141	312
77abe781	313	uint8_t num_mac_responses = resp.arg[1];
6116c796	314	PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);
9f6e9d15	315
6116c796	316	size_t datalen = NUM_CSNS*24;
9f6e9d15 MHS	317	/*
9f6e9d15 MHS	318	* Now, time to dump to file. We'll use this format:
77abe781	319	* <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
9f6e9d15	320	* So, it should wind up as
77abe781 MHS	321	* 8 * 24 bytes.
	322	*
	323	* The returndata from the pm3 is on the following format
	324	* <4 byte NR><4 byte MAC>
	325	* CC are all zeroes, CSN is the same as was sent in
9f6e9d15	326	**/
77abe781 MHS	327	void* dump = malloc(datalen);
77abe781 MHS	328	memset(dump,0,datalen);//<-- Need zeroes for the CC-field
9f6e9d15	329	uint8_t i = 0;
6116c796	330	for(i = 0 ; i < NUM_CSNS ; i++)
9f6e9d15	331	{
77abe781 MHS	332	memcpy(dump+i24, csns+i8,8); //CSN
	333	//8 zero bytes here...
	334	//Then comes NR_MAC (eight bytes from the response)
	335	memcpy(dump+i24+16,resp.d.asBytes+i8,8);
1e262141	336
9f6e9d15 MHS	337	}
9f6e9d15 MHS	338	/ Now, save to dumpfile /
77abe781 MHS	339	saveFile("iclass_mac_attack", "bin", dump,datalen);
77abe781 MHS	340	free(dump);
9f6e9d15 MHS	341	}else
	342	{
	343	UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
	344	memcpy(c.d.asBytes, CSN, 8);
	345	SendCommand(&c);
	346	}
1e262141	347
1e262141	348	return 0;
	349	}
	350
	351	int CmdHFiClassReader(const char *Cmd)
	352	{
aa41c605	353	UsbCommand c = {CMD_READER_ICLASS, {0}};
1e262141	354	SendCommand(&c);
aa41c605 MHS	355	UsbCommand resp;
	356	while(!ukbhit()){
	357	if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
	358	uint8_t isOK = resp.arg[0] & 0xff;
	359	uint8_t * data = resp.d.asBytes;
	360
	361	PrintAndLog("isOk:%02x", isOK);
2e9d4b3f MHS	362	if( isOK == 0){
	363	//Aborted
	364	PrintAndLog("Quitting...");
	365	return 0;
	366	}
aa41c605 MHS	367	if(isOK > 0)
	368	{
	369	PrintAndLog("CSN: %s",sprint_hex(data,8));
	370	}
	371	if(isOK >= 1)
	372	{
	373	PrintAndLog("CC: %s",sprint_hex(data+8,8));
	374	}else{
	375	PrintAndLog("No CC obtained");
	376	}
	377	} else {
	378	PrintAndLog("Command execute timeout");
	379	}
	380	}
1e262141	381
c3963755	382	return 0;
	383	}
	384
	385	int CmdHFiClassReader_Replay(const char *Cmd)
	386	{
	387	uint8_t readerType = 0;
	388	uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
	389
	390	if (strlen(Cmd)<1) {
	391	PrintAndLog("Usage: hf iclass replay <MAC>");
	392	PrintAndLog(" sample: hf iclass replay 00112233");
	393	return 0;
	394	}
	395
	396	if (param_gethex(Cmd, 0, MAC, 8)) {
	397	PrintAndLog("MAC must include 8 HEX symbols");
	398	return 1;
	399	}
	400
	401	UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
	402	memcpy(c.d.asBytes, MAC, 4);
	403	SendCommand(&c);
1e262141	404
	405	return 0;
	406	}
	407
a66fca86 AD	408	int CmdHFiClassReader_Dump(const char *Cmd)
	409	{
	410	uint8_t readerType = 0;
	411	uint8_t MAC[4]={0x00,0x00,0x00,0x00};
	412	uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	413	uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	414	uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
fecd8202	415	//uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
a66fca86	416	uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
9b82de75 MHS	417	uint8_t keytable[128] = {0};
	418	int elite = 0;
	419	uint8_t *used_key;
	420	int i;
fecd8202	421	if (strlen(Cmd)<1)
fecd8202	422	{
9b82de75 MHS	423	PrintAndLog("Usage: hf iclass dump <Key> [e]");
	424	PrintAndLog(" Key - A 16 byte master key");
	425	PrintAndLog(" e - If 'e' is specified, the key is interpreted as the 16 byte");
	426	PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack");
	427	PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format");
fecd8202	428	PrintAndLog(" sample: hf iclass dump 0011223344556677");
9b82de75 MHS	429
9b82de75 MHS	430
a66fca86 AD	431	return 0;
	432	}
	433
fecd8202	434	if (param_gethex(Cmd, 0, KEY, 16))
fecd8202	435	{
a66fca86 AD	436	PrintAndLog("KEY must include 16 HEX symbols");
	437	return 1;
	438	}
9b82de75 MHS	439
	440	if (param_getchar(Cmd, 1) == 'e')
	441	{
	442	PrintAndLog("Elite switch on");
	443	elite = 1;
	444
	445	//calc h2
	446	hash2(KEY, keytable);
9e28ee9f	447	printarr_human_readable("keytable", keytable, 128);
9b82de75 MHS	448
	449	}
	450
0eea34a2 MHS	451	UsbCommand resp;
	452	uint8_t key_sel[8] = {0};
	453	uint8_t key_sel_p[8] = { 0 };
	454
	455	//HACK -- Below is for testing without access to a tag
0eea34a2	456	uint8_t fake_dummy_test = false;
8e976839 MHS	457	if(fake_dummy_test)
	458	{
	459	uint8_t xdata[16] = {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0, //CSN from http://www.proxmark.org/forum/viewtopic.php?pid=11230#p11230
	460	0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Just a random CC. Would be good to add a real testcase here
	461	memcpy(resp.d.asBytes,xdata, 16);
	462	resp.arg[0] = 2;
	463	}
	464
0eea34a2 MHS	465	//End hack
0eea34a2 MHS	466
9b82de75	467
aa41c605	468	UsbCommand c = {CMD_READER_ICLASS, {0}};
c8dd9b09	469	c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE\| FLAG_ICLASS_READER_GET_CC;
0eea34a2 MHS	470	if(!fake_dummy_test)
0eea34a2 MHS	471	SendCommand(&c);
fecd8202	472
26c0d833	473
0eea34a2 MHS	474
0eea34a2 MHS	475	if (fake_dummy_test \|\| WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
26c0d833 MHS	476	uint8_t isOK = resp.arg[0] & 0xff;
	477	uint8_t * data = resp.d.asBytes;
	478
26c0d833 MHS	479	memcpy(CSN,data,8);
26c0d833 MHS	480	memcpy(CCNR,data+8,8);
3ad48540	481
26c0d833	482	PrintAndLog("isOk:%02x", isOK);
a66fca86	483
aa41c605	484	if(isOK > 0)
26c0d833 MHS	485	{
	486	PrintAndLog("CSN: %s",sprint_hex(CSN,8));
	487	}
9b82de75	488	if(isOK > 1)
26c0d833	489	{
9b82de75 MHS	490	if(elite)
9b82de75 MHS	491	{
9b82de75 MHS	492	//Get the key index (hash1)
	493	uint8_t key_index[8] = {0};
	494
	495	hash1(CSN, key_index);
	496	printvar("hash1", key_index,8);
	497	for(i = 0; i < 8 ; i++)
	498	key_sel[i] = keytable[key_index[i]] & 0xFF;
0eea34a2	499	PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
9b82de75 MHS	500	printvar("k_sel", key_sel,8);
	501	//Permute from iclass format to standard format
	502	permutekey_rev(key_sel,key_sel_p);
	503	used_key = key_sel_p;
	504	}else{
9e28ee9f MHS	505	//Perhaps this should also be permuted to std format?
	506	// Something like the code below? I have no std system
	507	// to test this with /Martin
	508
	509	//uint8_t key_sel_p[8] = { 0 };
	510	//permutekey_rev(KEY,key_sel_p);
	511	//used_key = key_sel_p;
	512
9b82de75 MHS	513	used_key = KEY;
	514
	515	}
0eea34a2 MHS	516
0eea34a2 MHS	517	PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
9b82de75 MHS	518	printvar("Used key",used_key,8);
9b82de75 MHS	519	diversifyKey(CSN,used_key, div_key);
0eea34a2	520	PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
9b82de75	521	printvar("Div key", div_key, 8);
9e28ee9f	522	printvar("CC_NR:",CCNR,12);
74a38802	523	doMAC(CCNR,12,div_key, MAC);
9b82de75 MHS	524	printvar("MAC", MAC, 4);
9b82de75 MHS	525
26c0d833 MHS	526	UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
26c0d833 MHS	527	memcpy(d.d.asBytes, MAC, 4);
0eea34a2	528	if(!fake_dummy_test) SendCommand(&d);
26c0d833 MHS	529
	530	}else{
	531	PrintAndLog("Failed to obtain CC! Aborting");
	532	}
	533	} else {
	534	PrintAndLog("Command execute timeout");
	535	}
1e262141	536
	537	return 0;
	538	}
	539
fecd8202	540	int CmdHFiClass_iso14443A_write(const char *Cmd)
	541	{
	542	uint8_t readerType = 0;
	543	uint8_t MAC[4]={0x00,0x00,0x00,0x00};
	544	uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	545	uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
	546	uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
fecd8202	547	uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
3ad48540	548
fecd8202	549	uint8_t blockNo=0;
	550	uint8_t bldata[8]={0};
	551
	552	if (strlen(Cmd)<3)
	553	{
	554	PrintAndLog("Usage: hf iclass write <Key> <Block> <Data>");
	555	PrintAndLog(" sample: hf iclass write 0011223344556677 10 AAAAAAAAAAAAAAAA");
	556	return 0;
	557	}
	558
	559	if (param_gethex(Cmd, 0, KEY, 16))
	560	{
	561	PrintAndLog("KEY must include 16 HEX symbols");
	562	return 1;
	563	}
	564
	565	blockNo = param_get8(Cmd, 1);
	566	if (blockNo>32)
	567	{
	568	PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!");
	569	return 1;
	570	}
	571	if (param_gethex(Cmd, 2, bldata, 8))
	572	{
	573	PrintAndLog("Block data must include 8 HEX symbols");
	574	return 1;
	575	}
	576
aa41c605	577	UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}};
fecd8202	578	SendCommand(&c);
fecd8202	579	UsbCommand resp;
3ad48540	580
fecd8202	581	if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
	582	uint8_t isOK = resp.arg[0] & 0xff;
	583	uint8_t * data = resp.d.asBytes;
	584
	585	memcpy(CSN,data,8);
	586	memcpy(CCNR,data+8,8);
	587	PrintAndLog("DEBUG: %s",sprint_hex(CSN,8));
	588	PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8));
	589	PrintAndLog("isOk:%02x", isOK);
	590	} else {
	591	PrintAndLog("Command execute timeout");
	592	}
3ad48540 MHS	593
	594	diversifyKey(CSN,KEY, div_key);
	595
fecd8202	596	PrintAndLog("Div Key: %s",sprint_hex(div_key,8));
74a38802	597	doMAC(CCNR, 12,div_key, MAC);
fecd8202	598
3ad48540 MHS	599	UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}};
	600	memcpy(c2.d.asBytes, bldata, 8);
	601	memcpy(c2.d.asBytes+8, MAC, 4);
	602	SendCommand(&c2);
a66fca86	603
fecd8202	604	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
	605	uint8_t isOK = resp.arg[0] & 0xff;
	606	uint8_t * data = resp.d.asBytes;
	607
	608	if (isOK)
	609	PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
	610	else
	611	PrintAndLog("isOk:%02x", isOK);
	612	} else {
	613	PrintAndLog("Command execute timeout");
	614	}
a66fca86 AD	615	return 0;
	616	}
	617
c3963755	618
cee5a30d	619	static command_t CommandTable[] =
cee5a30d	620	{
fecd8202	621	{"help", CmdHelp, 1, "This help"},
	622	{"list", CmdHFiClassList, 0, "List iClass history"},
	623	{"snoop", CmdHFiClassSnoop, 0, "Eavesdrop iClass communication"},
	624	{"sim", CmdHFiClassSim, 0, "Simulate iClass tag"},
	625	{"reader",CmdHFiClassReader, 0, "Read an iClass tag"},
	626	{"replay",CmdHFiClassReader_Replay, 0, "Read an iClass tag via Reply Attack"},
	627	{"dump", CmdHFiClassReader_Dump, 0, "Authenticate and Dump iClass tag"},
	628	{"write", CmdHFiClass_iso14443A_write, 0, "Authenticate and Write iClass block"},
cee5a30d	629	{NULL, NULL, 0, NULL}
	630	};
	631
	632	int CmdHFiClass(const char *Cmd)
	633	{
	634	CmdsParse(CommandTable, Cmd);
	635	return 0;
	636	}
	637
	638	int CmdHelp(const char *Cmd)
	639	{
	640	CmdsHelp(CommandTable);
	641	return 0;
	642	}