'lf hitag writer': add Hitag2 password auth
[proxmark3-svn] / client / cmdlfhitag.c
CommitLineData
db09cb3a 1//-----------------------------------------------------------------------------
2// Copyright (C) 2012 Roel Verdult
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency Hitag support
9//-----------------------------------------------------------------------------
10
ad939de5 11#include "cmdlfhitag.h"
12
db09cb3a 13#include <stdio.h>
14#include <stdlib.h>
15#include <string.h>
ad939de5 16#include "comms.h"
db09cb3a 17#include "ui.h"
18#include "cmdparser.h"
19#include "common.h"
20#include "util.h"
1f065e1d 21#include "parity.h"
5866c187 22#include "hitag.h"
902cb3c0 23#include "cmdmain.h"
db09cb3a 24
f2dbf3d2 25static size_t nbytes(size_t nbits) {
26 return (nbits/8) + ((nbits%8)>0);
47e18126 27}
28
f2dbf3d2 29
30static int CmdLFHitagList(const char *Cmd) {
31 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
f71f4deb 32 // Query for the actual size of the trace
33 UsbCommand response;
babca445 34 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
f71f4deb 35 uint16_t traceLen = response.arg[2];
36 if (traceLen > USB_CMD_DATA_SIZE) {
37 uint8_t *p = realloc(got, traceLen);
38 if (p == NULL) {
39 PrintAndLog("Cannot allocate memory for trace");
40 free(got);
41 return 2;
42 }
43 got = p;
babca445 44 GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
f71f4deb 45 }
f2dbf3d2 46
f71f4deb 47 PrintAndLog("recorded activity (TraceLen = %d bytes):");
48 PrintAndLog(" ETU :nbits: who bytes");
49 PrintAndLog("---------+-----+----+-----------");
db09cb3a 50
7b6e3205 51 int j;
f71f4deb 52 int i = 0;
53 int prev = -1;
54 int len = strlen(Cmd);
b915fda3 55
f71f4deb 56 char filename[FILE_PATH_SIZE] = { 0x00 };
57 FILE* pf = NULL;
f2dbf3d2 58
59 if (len > FILE_PATH_SIZE)
f71f4deb 60 len = FILE_PATH_SIZE;
61 memcpy(filename, Cmd, len);
f2dbf3d2 62
f71f4deb 63 if (strlen(filename) > 0) {
64 if ((pf = fopen(filename,"wb")) == NULL) {
65 PrintAndLog("Error: Could not open file [%s]",filename);
44964fd1 66 free(got);
f71f4deb 67 return 1;
68 }
b915fda3 69 }
db09cb3a 70
f71f4deb 71 for (;;) {
f2dbf3d2 72
f71f4deb 73 if(i > traceLen) { break; }
74
75 bool isResponse;
76 int timestamp = *((uint32_t *)(got+i));
77 if (timestamp & 0x80000000) {
78 timestamp &= 0x7fffffff;
79 isResponse = 1;
80 } else {
81 isResponse = 0;
82 }
83
84 int parityBits = *((uint32_t *)(got+i+4));
85 // 4 bytes of additional information...
86 // maximum of 32 additional parity bit information
87 //
88 // TODO:
89 // at each quarter bit period we can send power level (16 levels)
90 // or each half bit period in 256 levels.
91
92 int bits = got[i+8];
7b6e3205 93 int len = nbytes(bits);
f71f4deb 94
95 if (len > 100) {
f2dbf3d2 96 break;
f71f4deb 97 }
98 if (i + len > traceLen) { break;}
99
100 uint8_t *frame = (got+i+9);
7b6e3205 101/*
102 int fillupBits = 8 - (bits % 8);
103 byte_t framefilled[bits+fillupBits];
104 byte_t* ff = framefilled;
f2dbf3d2 105
7b6e3205 106 int response_bit[200] = {0};
107 int z = 0;
108 for (int y = 0; y < len; y++) {
109 for (j = 0; j < 8; j++) {
110 response_bit[z] = 0;
111 if ((frame[y] & ((mask << 7) >> j)) != 0)
112 response_bit[z] = 1;
113 z++;
114 }
115 }
116 z = 0;
117 for (int y = 0; y < len; y++) {
118 ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6)
119 | (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4)
120 | (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2)
121 | (response_bit[z + 6] << 1) | response_bit[z + 7];
122 z += 8;
123 }
124*/
125
126
127
f71f4deb 128
129 // Break and stick with current result if buffer was not completely full
130 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
131
132 char line[1000] = "";
f71f4deb 133 for (j = 0; j < len; j++) {
f2dbf3d2 134 //if((parityBits >> (len - j - 1)) & 0x01) {
135 if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
136 sprintf(line+(j*4), "%02x! ", frame[j]);
137 } else {
138 sprintf(line+(j*4), "%02x ", frame[j]);
139 }
f71f4deb 140 }
141
142 PrintAndLog(" +%7d: %3d: %s %s",
143 (prev < 0 ? 0 : (timestamp - prev)),
144 bits,
145 (isResponse ? "TAG" : " "),
146 line);
147
148 if (pf) {
149 fprintf(pf," +%7d: %3d: %s %s\n",
150 (prev < 0 ? 0 : (timestamp - prev)),
151 bits,
152 (isResponse ? "TAG" : " "),
153 line);
154 }
f2dbf3d2 155
f71f4deb 156 prev = timestamp;
157 i += (len + 9);
158 }
f2dbf3d2 159
f71f4deb 160 if (pf) {
161 fclose(pf);
162 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
163 }
97d582a6 164
f71f4deb 165 free(got);
166 return 0;
db09cb3a 167}
168
f2dbf3d2 169
170static int CmdLFHitagSnoop(const char *Cmd) {
171 UsbCommand c = {CMD_SNOOP_HITAG};
172 SendCommand(&c);
173 return 0;
db09cb3a 174}
175
f2dbf3d2 176
177static int CmdLFHitagSim(const char *Cmd) {
178
179 UsbCommand c = {CMD_SIMULATE_HITAG};
b915fda3 180 char filename[FILE_PATH_SIZE] = { 0x00 };
db09cb3a 181 FILE* pf;
182 bool tag_mem_supplied;
b915fda3 183 int len = strlen(Cmd);
184 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
185 memcpy(filename, Cmd, len);
f2dbf3d2 186
db09cb3a 187 if (strlen(filename) > 0) {
188 if ((pf = fopen(filename,"rb+")) == NULL) {
189 PrintAndLog("Error: Could not open file [%s]",filename);
190 return 1;
191 }
192 tag_mem_supplied = true;
44964fd1 193 if (fread(c.d.asBytes,1,48,pf) != 48) {
194 PrintAndLog("Error: File reading error");
195 fclose(pf);
759c16b3 196 return 1;
44964fd1 197 }
db09cb3a 198 fclose(pf);
199 } else {
200 tag_mem_supplied = false;
201 }
f2dbf3d2 202
db09cb3a 203 // Does the tag comes with memory
204 c.arg[0] = (uint32_t)tag_mem_supplied;
205
f2dbf3d2 206 SendCommand(&c);
207 return 0;
208}
209
210
211static bool getHitagUid(uint32_t *uid) {
212 // ToDo: this is for Hitag2 only (??)
213
214 UsbCommand c = {CMD_READER_HITAG, {RHT2F_UID_ONLY}};
215
216 SendCommand(&c);
217
218 UsbCommand resp;
219 if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
220 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
221 return false;
222 }
223
224 if (resp.arg[0] == false) {
225 PrintAndLogEx(DEBUG, "DEBUG: Error - failed getting UID");
226 return false;
227 }
228
229 if (uid)
230 *uid = bytes_to_num(resp.d.asBytes, 4);
231
232 return true;
db09cb3a 233}
234
f2dbf3d2 235
236static int CmdLFHitagInfo(const char *Cmd) {
237 char ctmp = param_getchar(Cmd, 0);
238 if (ctmp != '\0') {
239 PrintAndLog("Usage: lf hitag info [h]");
240 PrintAndLog("Options:");
241 PrintAndLog(" h This help");
242 PrintAndLog("Examples:");
243 PrintAndLog(" lf hitag info");
244 return 0;
245 }
246
247 // read UID
248 uint32_t uid = 0;
249 if (getHitagUid(&uid) == false)
250 return 1;
251
252 PrintAndLogEx(SUCCESS, "UID: %08X", uid);
253
254 // how to detemine Hitag types?
255 // read block3, get configuration byte.
256 // PrintAndLogEx(FAILED, _RED_("TODO: This is a hardcoded example!"));
257
258 // common configurations.
259 // printHitagConfiguration(0x06);
260 //printHitagConfiguration( 0x0E );
261 //printHitagConfiguration( 0x02 );
262 //printHitagConfiguration( 0x00 );
263 //printHitagConfiguration( 0x04 );
264 return 0;
265}
266
267
db09cb3a 268int CmdLFHitagReader(const char *Cmd) {
f2dbf3d2 269 UsbCommand c = {CMD_READER_HITAG};
db09cb3a 270 hitag_data* htd = (hitag_data*)c.d.asBytes;
f2dbf3d2 271 hitag_function htf = param_get32ex(Cmd, 0, 0, 10);
272
db09cb3a 273 switch (htf) {
4e12287d
RS
274 case 01: { //RHTSF_CHALLENGE
275 c = (UsbCommand){ CMD_READ_HITAG_S };
f2dbf3d2 276 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
277 num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
278 c.arg[1] = param_get64ex(Cmd, 3, 0, 0); //firstpage
279 c.arg[2] = param_get64ex(Cmd, 4, 0, 0); //tag mode
4e12287d
RS
280 } break;
281 case 02: { //RHTSF_KEY
282 c = (UsbCommand){ CMD_READ_HITAG_S };
f2dbf3d2 283 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
284 c.arg[1] = param_get64ex(Cmd, 2, 0, 0); //firstpage
285 c.arg[2] = param_get64ex(Cmd, 3, 0, 0); //tag mode
7b6e3205 286 } break;
287 case 03: { //RHTSF_CHALLENGE BLOCK
288 c = (UsbCommand){ CMD_READ_HITAG_S_BLK };
f2dbf3d2 289 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
290 num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
291 c.arg[1] = param_get64ex(Cmd, 3, 0, 0); //firstpage
292 c.arg[2] = param_get64ex(Cmd, 4, 0, 0); //tag mode
7b6e3205 293 } break;
294 case 04: { //RHTSF_KEY BLOCK
295 c = (UsbCommand){ CMD_READ_HITAG_S_BLK };
f2dbf3d2 296 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
297 c.arg[1] = param_get64ex(Cmd, 2, 0, 0); //firstpage
298 c.arg[2] = param_get64ex(Cmd, 3, 0, 0); //tag mode
4e12287d 299 } break;
db09cb3a 300 case RHT2F_PASSWORD: {
f2dbf3d2 301 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
db09cb3a 302 } break;
303 case RHT2F_AUTHENTICATE: {
f2dbf3d2 304 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
305 num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
db09cb3a 306 } break;
bde10a50 307 case RHT2F_CRYPTO: {
f2dbf3d2 308 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
309 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
bde10a50 310 } break;
db09cb3a 311 case RHT2F_TEST_AUTH_ATTEMPTS: {
312 // No additional parameters needed
313 } break;
f86d6b55 314 case RHT2F_UID_ONLY: {
315 // No additional parameters needed
316 } break;
db09cb3a 317 default: {
f86d6b55 318 PrintAndLog("\nError: unkown reader function %d",htf);
319 PrintAndLog("");
320 PrintAndLog("Usage: hitag reader <Reader Function #>");
321 PrintAndLog("Reader Functions:");
f2dbf3d2 322 PrintAndLog(" HitagS (0*):");
323 PrintAndLog(" 01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
324 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
325 PrintAndLog(" 03 <nr> <ar> (Challenge) <firstPage> <tagmode> read all blocks from a Hitag S tag");
326 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all blocks from a Hitag S tag");
327 PrintAndLog(" Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
328 PrintAndLog(" Hitag1 (1*):");
329 PrintAndLog(" (not yet implemented)");
330 PrintAndLog(" Hitag2 (2*):");
331 PrintAndLog(" 21 <password> (password mode)");
332 PrintAndLog(" 22 <nr> <ar> (authentication)");
333 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
334 PrintAndLog(" 25 (test recorded authentications)");
335 PrintAndLog(" 26 just read UID");
db09cb3a 336 return 1;
337 } break;
338 }
339
340 // Copy the hitag2 function into the first argument
341 c.arg[0] = htf;
342
f86d6b55 343 // Send the command to the proxmark
217cfb6b 344 clearCommandBuffer();
f86d6b55 345 SendCommand(&c);
ab4da50d 346
f86d6b55 347 UsbCommand resp;
f2dbf3d2 348 if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
349 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
350 return 1;
351 }
f86d6b55 352
353 // Check the return status, stored in the first argument
f2dbf3d2 354 if (resp.arg[0] == false) {
355 PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
356 return 1;
357 }
358
f86d6b55 359 uint32_t id = bytes_to_num(resp.d.asBytes,4);
f2dbf3d2 360
f86d6b55 361 if (htf == RHT2F_UID_ONLY){
362 PrintAndLog("Valid Hitag2 tag found - UID: %08x",id);
363 } else {
364 char filename[256];
365 FILE* pf = NULL;
366
367 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
368 if ((pf = fopen(filename,"wb")) == NULL) {
369 PrintAndLog("Error: Could not open file [%s]",filename);
370 return 1;
371 }
372
373 // Write the 48 tag memory bytes to file and finalize
374 fwrite(resp.d.asBytes,1,48,pf);
375 fclose(pf);
376
377 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
378 }
379
f86d6b55 380 return 0;
db09cb3a 381}
382
4e12287d 383
f2dbf3d2 384static int CmdLFHitagSimS(const char *Cmd) {
4e12287d
RS
385 UsbCommand c = { CMD_SIMULATE_HITAG_S };
386 char filename[FILE_PATH_SIZE] = { 0x00 };
387 FILE* pf;
388 bool tag_mem_supplied;
389 int len = strlen(Cmd);
390 if (len > FILE_PATH_SIZE)
391 len = FILE_PATH_SIZE;
392 memcpy(filename, Cmd, len);
393
394 if (strlen(filename) > 0) {
395 if ((pf = fopen(filename, "rb+")) == NULL) {
396 PrintAndLog("Error: Could not open file [%s]", filename);
397 return 1;
398 }
399 tag_mem_supplied = true;
44964fd1 400 if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) {
4e12287d
RS
401 PrintAndLog("Error: File reading error");
402 fclose(pf);
403 return 1;
404 }
405 fclose(pf);
406 } else {
407 tag_mem_supplied = false;
408 }
409
410 // Does the tag comes with memory
411 c.arg[0] = (uint32_t) tag_mem_supplied;
412
413 SendCommand(&c);
414 return 0;
415}
416
f2dbf3d2 417
418static int CmdLFHitagCheckChallenges(const char *Cmd) {
4e12287d
RS
419 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
420 char filename[FILE_PATH_SIZE] = { 0x00 };
421 FILE* pf;
422 bool file_given;
423 int len = strlen(Cmd);
424 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
425 memcpy(filename, Cmd, len);
f2dbf3d2 426
4e12287d
RS
427 if (strlen(filename) > 0) {
428 if ((pf = fopen(filename,"rb+")) == NULL) {
429 PrintAndLog("Error: Could not open file [%s]",filename);
430 return 1;
431 }
432 file_given = true;
44964fd1 433 if (fread(c.d.asBytes,1,8*60,pf) != 8*60) {
434 PrintAndLog("Error: File reading error");
435 fclose(pf);
4e12287d 436 return 1;
f2dbf3d2 437 }
4e12287d
RS
438 fclose(pf);
439 } else {
440 file_given = false;
441 }
f2dbf3d2 442
4e12287d
RS
443 //file with all the challenges to try
444 c.arg[0] = (uint32_t)file_given;
7b6e3205 445 c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode
4e12287d 446
f2dbf3d2 447 SendCommand(&c);
448 return 0;
4e12287d
RS
449}
450
451
f2dbf3d2 452static int CmdLFHitagWriter(const char *Cmd) {
4e12287d
RS
453 UsbCommand c = { CMD_WR_HITAG_S };
454 hitag_data* htd = (hitag_data*)c.d.asBytes;
455 hitag_function htf = param_get32ex(Cmd,0,0,10);
456 switch (htf) {
f2dbf3d2 457 case WHTSF_CHALLENGE: {
4e12287d
RS
458 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
459 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
460 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
461 } break;
f2dbf3d2 462 case WHTSF_KEY:
463 case WHT2F_CRYPTO: {
4e12287d
RS
464 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
465 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
466 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
f2dbf3d2 467 } break;
468 case WHT2F_PASSWORD: {
469 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
470 c.arg[2] = param_get32ex(Cmd, 2, 0, 10);
471 num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, htd->crypto.data);
4e12287d
RS
472 } break;
473 default: {
474 PrintAndLog("Error: unkown writer function %d",htf);
475 PrintAndLog("Hitag writer functions");
f2dbf3d2 476 PrintAndLog(" HitagS (0*):");
477 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
478 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
479 PrintAndLog(" Hitag1 (1*)");
480 PrintAndLog(" (not yet implemented)");
481 PrintAndLog(" Hitag2 (2*):");
482 PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
483 PrintAndLog(" 27 <password> <page> <byte0...byte3> write page on a Hitag2 tag");
4e12287d
RS
484 return 1;
485 } break;
486 }
487 // Copy the hitag function into the first argument
488 c.arg[0] = htf;
489
f2dbf3d2 490 // Send the command to the proxmark
491 SendCommand(&c);
492
493 UsbCommand resp;
494 if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
495 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
496 return 1;
497 }
498
499 // Check the return status, stored in the first argument
500 if (resp.arg[0] == false) {
501 PrintAndLogEx(DEBUG, "DEBUG: Error - hitag write failed");
502 return 1;
503 }
504 return 0;
4e12287d
RS
505}
506
507
f2dbf3d2 508static int CmdHelp(const char *Cmd);
509
510static command_t CommandTable[] =
db09cb3a 511{
f2dbf3d2 512 {"help", CmdHelp, 1, "This help"},
513 {"list", CmdLFHitagList, 0, "<outfile> List Hitag trace history"},
514 {"info", CmdLFHitagInfo, 0, "Tag information" },
515 {"reader", CmdLFHitagReader, 0, "Act like a Hitag Reader"},
516 {"sim", CmdLFHitagSim, 0, "Simulate Hitag transponder"},
517 {"snoop", CmdLFHitagSnoop, 0, "Eavesdrop Hitag communication"},
518 {"writer", CmdLFHitagWriter, 0, "Act like a Hitag Writer" },
519 {"simS", CmdLFHitagSimS, 0, "Simulate HitagS transponder" },
520 {"checkChallenges", CmdLFHitagCheckChallenges, 0, "Test challenges from a file" },
521 { NULL, NULL, 0, NULL }
db09cb3a 522};
523
f2dbf3d2 524
525static int CmdHelp(const char *Cmd) {
526 CmdsHelp(CommandTable);
527 return 0;
db09cb3a 528}
529
f2dbf3d2 530
531int CmdLFHitag(const char *Cmd) {
532 CmdsParse(CommandTable, Cmd);
533 return 0;
db09cb3a 534}
Impressum, Datenschutz