]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/mifaresniff.c
fix memory overflow in hf mf nested (issue #479)
[proxmark3-svn] / armsrc / mifaresniff.c
CommitLineData
b62a5a84
M
1//-----------------------------------------------------------------------------\r
2// Merlok - 2012\r
3//\r
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
5// at your option, any later version. See the LICENSE.txt file for the text of\r
6// the license.\r
7//-----------------------------------------------------------------------------\r
8// Routines to support mifare classic sniffer.\r
9//-----------------------------------------------------------------------------\r
10\r
11#include "mifaresniff.h"\r
12#include "apps.h"\r
33443e7c 13#include "proxmark3.h"\r
14#include "util.h"\r
15#include "string.h"\r
16#include "iso14443crc.h"\r
17#include "iso14443a.h"\r
18#include "crapto1/crapto1.h"\r
19#include "mifareutil.h"\r
20#include "common.h"\r
21\r
b62a5a84 22\r
39864b0b
M
23static int sniffState = SNF_INIT;\r
24static uint8_t sniffUIDType;\r
c8b6da22 25static uint8_t sniffUID[8] = {0x00};\r
26static uint8_t sniffATQA[2] = {0x00};\r
39864b0b 27static uint8_t sniffSAK;\r
c8b6da22 28static uint8_t sniffBuf[16] = {0x00};\r
7bc95e2e 29static uint32_t timerData = 0;\r
b62a5a84
M
30\r
31\r
7bc95e2e 32bool MfSniffInit(void){\r
39864b0b
M
33 memset(sniffUID, 0x00, 8);\r
34 memset(sniffATQA, 0x00, 2);\r
35 sniffSAK = 0;\r
36 sniffUIDType = SNF_UID_4;\r
37\r
7bc95e2e 38 return FALSE;\r
39864b0b
M
39}\r
40\r
7bc95e2e 41bool MfSniffEnd(void){\r
39864b0b 42 LED_B_ON();\r
7bc95e2e 43 cmd_send(CMD_ACK,0,0,0,0,0);\r
39864b0b
M
44 LED_B_OFF();\r
45\r
7bc95e2e 46 return FALSE;\r
39864b0b
M
47}\r
48\r
6a1f2d82 49bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {\r
39864b0b 50\r
7bc95e2e 51 if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader\r
39864b0b
M
52 sniffState = SNF_INIT;\r
53 }\r
54\r
55 switch (sniffState) {\r
56 case SNF_INIT:{\r
7bc95e2e 57 if ((len == 1) && (reader) && (bitCnt == 7) ) { // REQA or WUPA from reader\r
39864b0b
M
58 sniffUIDType = SNF_UID_4;\r
59 memset(sniffUID, 0x00, 8);\r
60 memset(sniffATQA, 0x00, 2);\r
61 sniffSAK = 0;\r
39864b0b
M
62 sniffState = SNF_WUPREQ;\r
63 }\r
64 break;\r
65 }\r
66 case SNF_WUPREQ:{\r
7bc95e2e 67 if ((!reader) && (len == 2)) { // ATQA from tag\r
39864b0b 68 memcpy(sniffATQA, data, 2);\r
39864b0b
M
69 sniffState = SNF_ATQA;\r
70 }\r
71 break;\r
72 }\r
73 case SNF_ATQA:{\r
7bc95e2e 74 if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { // Select ALL from reader\r
39864b0b
M
75 sniffState = SNF_ANTICOL1;\r
76 }\r
77 break;\r
78 }\r
79 case SNF_ANTICOL1:{\r
7bc95e2e 80 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // UID from tag (CL1) \r
39864b0b 81 memcpy(sniffUID + 3, data, 4);\r
39864b0b
M
82 sniffState = SNF_UID1;\r
83 }\r
84 break;\r
85 }\r
86 case SNF_UID1:{\r
7bc95e2e 87 if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 4 Byte UID from reader\r
39864b0b
M
88 sniffState = SNF_SAK;\r
89 }\r
90 break;\r
91 }\r
92 case SNF_SAK:{\r
7bc95e2e 93 if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?\r
39864b0b 94 sniffSAK = data[0];\r
7bc95e2e 95 if (sniffUID[3] == 0x88) { // CL2 UID part to be expected\r
39864b0b 96 sniffState = SNF_ANTICOL2;\r
7bc95e2e 97 } else { // select completed\r
39864b0b
M
98 sniffState = SNF_CARD_IDLE;\r
99 }\r
100 }\r
101 break;\r
102 }\r
103 case SNF_ANTICOL2:{\r
7bc95e2e 104 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // CL2 UID \r
d714d3ef 105 memcpy(sniffUID, sniffUID+4, 3);\r
106 memcpy(sniffUID+3, data, 4);\r
39864b0b 107 sniffUIDType = SNF_UID_7;\r
39864b0b 108 sniffState = SNF_UID2;\r
7bc95e2e 109 }\r
39864b0b
M
110 break;\r
111 }\r
112 case SNF_UID2:{\r
7bc95e2e 113 if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 2nd part of 7 Byte UID\r
39864b0b 114 sniffState = SNF_SAK;\r
39864b0b
M
115 }\r
116 break;\r
117 }\r
7bc95e2e 118 case SNF_CARD_IDLE:{ // trace the card select sequence\r
39864b0b
M
119 sniffBuf[0] = 0xFF;\r
120 sniffBuf[1] = 0xFF;\r
121 memcpy(sniffBuf + 2, sniffUID, 7);\r
122 memcpy(sniffBuf + 9, sniffATQA, 2);\r
123 sniffBuf[11] = sniffSAK;\r
124 sniffBuf[12] = 0xFF;\r
125 sniffBuf[13] = 0xFF;\r
6a1f2d82 126 LogTrace(sniffBuf, 14, 0, 0, NULL, TRUE);\r
7bc95e2e 127 } // intentionally no break;\r
128 case SNF_CARD_CMD:{ \r
6a1f2d82 129 LogTrace(data, len, 0, 0, NULL, TRUE);\r
39864b0b
M
130 sniffState = SNF_CARD_RESP;\r
131 timerData = GetTickCount();\r
132 break;\r
133 }\r
134 case SNF_CARD_RESP:{\r
6a1f2d82 135 LogTrace(data, len, 0, 0, NULL, FALSE);\r
39864b0b
M
136 sniffState = SNF_CARD_CMD;\r
137 timerData = GetTickCount();\r
138 break;\r
139 }\r
140 \r
141 default:\r
142 sniffState = SNF_INIT;\r
143 break;\r
144 }\r
145\r
7bc95e2e 146\r
147 return FALSE;\r
39864b0b
M
148}\r
149\r
7bc95e2e 150bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {\r
3000dc4e 151 if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {\r
39864b0b
M
152 return intMfSniffSend();\r
153 }\r
7bc95e2e 154 return FALSE;\r
39864b0b
M
155}\r
156\r
7bc95e2e 157// internal sending function. not a RAMFUNC.\r
158bool intMfSniffSend() {\r
159\r
39864b0b 160 int pckSize = 0;\r
3000dc4e 161 int pckLen = BigBuf_get_traceLen();\r
39864b0b 162 int pckNum = 0;\r
117d9ec2 163 uint8_t *trace = BigBuf_get_addr();\r
164 \r
55acbb2a 165 FpgaDisableSscDma();\r
39864b0b 166 while (pckLen > 0) {\r
7bc95e2e 167 pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);\r
39864b0b 168 LED_B_ON();\r
3000dc4e 169 cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, trace + BigBuf_get_traceLen() - pckLen, pckSize);\r
39864b0b
M
170 LED_B_OFF();\r
171\r
172 pckLen -= pckSize;\r
173 pckNum++;\r
174 }\r
175\r
39864b0b 176 LED_B_ON();\r
7bc95e2e 177 cmd_send(CMD_ACK,2,0,0,0,0);\r
39864b0b
M
178 LED_B_OFF();\r
179\r
3000dc4e 180 clear_trace();\r
39864b0b 181 \r
7bc95e2e 182 return TRUE;\r
39864b0b 183}\r
Impressum, Datenschutz