[proxmark3-svn] / client / cmdlfhitag.c

//-----------------------------------------------------------------------------
// Copyright (C) 2012 Roel Verdult
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Low frequency Hitag support
//-----------------------------------------------------------------------------

#include "cmdlfhitag.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "comms.h"
#include "ui.h"
#include "cmdparser.h"
#include "common.h"
#include "util.h"
#include "parity.h"
#include "hitag.h"
#include "cmdmain.h"

static size_t nbytes(size_t nbits) {
	return (nbits/8) + ((nbits%8)>0);
}


static int CmdLFHitagList(const char *Cmd) {
	uint8_t *got = malloc(USB_CMD_DATA_SIZE);
	// Query for the actual size of the trace
	UsbCommand response;
	GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
	uint16_t traceLen = response.arg[2];
	if (traceLen > USB_CMD_DATA_SIZE) {
		uint8_t *p = realloc(got, traceLen);
		if (p == NULL) {
			PrintAndLog("Cannot allocate memory for trace");
			free(got);
			return 2;
		}
		got = p;
		GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
	}

	PrintAndLog("recorded activity (TraceLen = %d bytes):");
	PrintAndLog(" ETU     :nbits: who bytes");
	PrintAndLog("---------+-----+----+-----------");

	int j;
	int i = 0;
	int prev = -1;
	int len = strlen(Cmd);

	char filename[FILE_PATH_SIZE]  = { 0x00 };
	FILE* pf = NULL;

	if (len > FILE_PATH_SIZE)
		len = FILE_PATH_SIZE;
	memcpy(filename, Cmd, len);

	if (strlen(filename) > 0) {
		if ((pf = fopen(filename,"wb")) == NULL) {
			PrintAndLog("Error: Could not open file [%s]",filename);
			free(got);
			return 1;
		}
	}

	for (;;) {

		if(i >= traceLen) { break; }

		bool isResponse;
		int timestamp = *((uint32_t *)(got+i));
		if (timestamp & 0x80000000) {
			timestamp &= 0x7fffffff;
			isResponse = 1;
		} else {
			isResponse = 0;
		}

		int parityBits = *((uint32_t *)(got+i+4));
		// 4 bytes of additional information...
		// maximum of 32 additional parity bit information
		//
		// TODO:
		// at each quarter bit period we can send power level (16 levels)
		// or each half bit period in 256 levels.

		int bits = got[i+8];
		int len = nbytes(bits);

		if (len > 100) {
			break;
		}
		if (i + len > traceLen) { break;}

		uint8_t *frame = (got+i+9);
/*
		int fillupBits = 8 - (bits % 8);
		byte_t framefilled[bits+fillupBits];
		byte_t* ff = framefilled;

		int response_bit[200] = {0};
		int z = 0;
		for (int y = 0; y < len; y++) {
			for (j = 0; j < 8; j++) {
				response_bit[z] = 0;
				if ((frame[y] & ((mask << 7) >> j)) != 0)
					response_bit[z] = 1;
				z++;
			}
		}
		z = 0;
		for (int y = 0; y < len; y++) {
			ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6)
					| (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4)
					| (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2)
					| (response_bit[z + 6] << 1) | response_bit[z + 7];
			z += 8;
		}
*/


		// Break and stick with current result if buffer was not completely full
		if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }

		char line[1000] = "";
		for (j = 0; j < len; j++) {
			//if((parityBits >> (len - j - 1)) & 0x01) {
			if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
				sprintf(line+(j*4), "%02x!  ", frame[j]);
			} else {
				sprintf(line+(j*4), "%02x   ", frame[j]);
			}
		}

		PrintAndLog(" +%7d:  %3d: %s %s",
			(prev < 0 ? 0 : (timestamp - prev)),
			bits,
			(isResponse ? "TAG" : "   "),
			line);

		if (pf) {
			fprintf(pf," +%7d:  %3d: %s %s\n",
				(prev < 0 ? 0 : (timestamp - prev)),
				bits,
				(isResponse ? "TAG" : "   "),
				line);
		}

		prev = timestamp;
		i += (len + 9);
	}

	if (pf) {
		fclose(pf);
		PrintAndLog("Recorded activity succesfully written to file: %s", filename);
	}

	free(got);
	return 0;
}


static int CmdLFHitagSnoop(const char *Cmd) {
	UsbCommand c = {CMD_SNOOP_HITAG};
	SendCommand(&c);
	return 0;
}


static int CmdLFHitagSim(const char *Cmd) {

	UsbCommand c = {CMD_SIMULATE_HITAG};
	char filename[FILE_PATH_SIZE] = { 0x00 };
	FILE* pf;
	bool tag_mem_supplied;
	int len = strlen(Cmd);
	if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
	memcpy(filename, Cmd, len);

	if (strlen(filename) > 0) {
		if ((pf = fopen(filename,"rb+")) == NULL) {
			PrintAndLog("Error: Could not open file [%s]",filename);
			return 1;
		}
		tag_mem_supplied = true;
		if (fread(c.d.asBytes,1,48,pf) != 48) {
			PrintAndLog("Error: File reading error");
			fclose(pf);
			return 1;
		}
		fclose(pf);
	} else {
		tag_mem_supplied = false;
	}

	// Does the tag comes with memory
	c.arg[0] = (uint32_t)tag_mem_supplied;

	SendCommand(&c);
	return 0;
}


bool getHitagUid(uint32_t *uid, bool quiet) {
	// ToDo: this is for Hitag2 only (??)
	
	UsbCommand c = {CMD_READER_HITAG, {RHT2F_UID_ONLY}};

	SendCommand(&c);

	UsbCommand resp;
	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
		if (!quiet) PrintAndLogEx(WARNING, "timeout while waiting for reply.");
		return false;
	}

	if (resp.arg[0] == false) {
		if (!quiet) PrintAndLogEx(DEBUG, "DEBUG: Error - failed getting UID");
		return false;
	}

	if (uid)
		*uid = bytes_to_num(resp.d.asBytes, 4);

	return true;
}


static int CmdLFHitagInfo(const char *Cmd) {
	char ctmp = param_getchar(Cmd, 0);
	if (ctmp != '\0') {
		PrintAndLog("Usage:   lf hitag info [h]");
		PrintAndLog("Options:");
		PrintAndLog("       h          This help");
		PrintAndLog("Examples:");
		PrintAndLog("         lf hitag info");
		return 0;
	}

	// read UID
	uint32_t uid = 0;
	if (getHitagUid(&uid, false) == false)
		return 1;

	PrintAndLogEx(SUCCESS, "UID: %08X", uid);

	// how to detemine Hitag types?
	// read block3,  get configuration byte.
	// PrintAndLogEx(FAILED, _RED_("TODO: This is a hardcoded example!"));

	// common configurations.
	// printHitagConfiguration(0x06);
	//printHitagConfiguration( 0x0E );
	//printHitagConfiguration( 0x02 );
	//printHitagConfiguration( 0x00 );
	//printHitagConfiguration( 0x04 );
	return 0;
}


int CmdLFHitagReader(const char *Cmd) {
	UsbCommand c = {CMD_READER_HITAG};
	hitag_data* htd = (hitag_data*)c.d.asBytes;
	hitag_function htf = param_get32ex(Cmd, 0, 0, 10);

	switch (htf) {
		case RHTSF_CHALLENGE: {
			c = (UsbCommand){ CMD_READ_HITAG_S };
			num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
			num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
			c.arg[1] = param_get64ex(Cmd, 3, 0, 0); //firstpage
			c.arg[2] = param_get64ex(Cmd, 4, 0, 0); //tag mode
		} break;
		case RHTSF_KEY: {
			c = (UsbCommand){ CMD_READ_HITAG_S };
			num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
			c.arg[1] = param_get64ex(Cmd, 2, 0, 0); //firstpage
			c.arg[2] = param_get64ex(Cmd, 3, 0, 0); //tag mode
		} break;
		case RHT2F_PASSWORD: {
			num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
		} break;
		case RHT2F_AUTHENTICATE: {
			num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
			num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
		} break;
		case RHT2F_CRYPTO: {
			num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
			//          num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
		} break;
		case RHT2F_TEST_AUTH_ATTEMPTS: {
			// No additional parameters needed
		} break;
		case RHT2F_UID_ONLY: {
			// No additional parameters needed
		} break;
		default: {
			PrintAndLog("\nError: unkown reader function %d",htf);
			PrintAndLog("");
			PrintAndLog("Usage: hitag reader <Reader Function #>");
			PrintAndLog("Reader Functions:");
			PrintAndLog("  HitagS (0*):");
			PrintAndLog("    01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
			PrintAndLog("    02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
			PrintAndLog("    Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
			PrintAndLog("  Hitag1 (1*):");
			PrintAndLog("    (not yet implemented)");
			PrintAndLog("  Hitag2 (2*):");
			PrintAndLog("    21 <password> (password mode)");
			PrintAndLog("    22 <nr> <ar> (authentication)");
			PrintAndLog("    23 <key> (authentication) key is in format: ISK high + ISK low");
			PrintAndLog("    25 (test recorded authentications)");
			PrintAndLog("    26 just read UID");
			return 1;
		} break;
	}

	// Copy the hitag2 function into the first argument
	c.arg[0] = htf;

	// Send the command to the proxmark
	clearCommandBuffer();
	SendCommand(&c);

	UsbCommand resp;
	if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
		PrintAndLogEx(WARNING, "timeout while waiting for reply.");
		return 1;
	}

	// Check the return status, stored in the first argument
	if (resp.arg[0] == false)  {
		PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
		return 1;
	}

	uint32_t id = bytes_to_num(resp.d.asBytes, 4);

	PrintAndLog("Valid Hitag2 tag found - UID: %08x", id);
	if (htf != RHT2F_UID_ONLY) {
        PrintAndLogEx(SUCCESS, "Dumping tag memory...");
		char filename[256];
		FILE* pf = NULL;

		sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
		if ((pf = fopen(filename,"wb")) == NULL) {
		  PrintAndLog("Error: Could not open file [%s]",filename);
		  return 1;
		}

		// Write the 48 tag memory bytes to file and finalize
		fwrite(resp.d.asBytes,1,48,pf);
		fclose(pf);

		PrintAndLog("Succesfully saved tag memory to [%s]",filename);
	}

	return 0;
}


static int CmdLFHitagSimS(const char *Cmd) {
	UsbCommand c = { CMD_SIMULATE_HITAG_S };
	char filename[FILE_PATH_SIZE] = { 0x00 };
	FILE* pf;
	bool tag_mem_supplied;
	int len = strlen(Cmd);
	if (len > FILE_PATH_SIZE)
		len = FILE_PATH_SIZE;
	memcpy(filename, Cmd, len);

	if (strlen(filename) > 0) {
		if ((pf = fopen(filename, "rb+")) == NULL) {
			PrintAndLog("Error: Could not open file [%s]", filename);
			return 1;
		}
		tag_mem_supplied = true;
		if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) {
			PrintAndLog("Error: File reading error");
			fclose(pf);
			return 1;
		}
		fclose(pf);
	} else {
		tag_mem_supplied = false;
	}

	// Does the tag comes with memory
	c.arg[0] = (uint32_t) tag_mem_supplied;

	SendCommand(&c);
	return 0;
}


static int CmdLFHitagCheckChallenges(const char *Cmd) {
	UsbCommand c = { CMD_TEST_HITAGS_TRACES };
	char filename[FILE_PATH_SIZE] = { 0x00 };
	FILE* pf;
	bool file_given;
	int len = strlen(Cmd);
	if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
	memcpy(filename, Cmd, len);

	if (strlen(filename) > 0) {
		if ((pf = fopen(filename,"rb+")) == NULL) {
			PrintAndLog("Error: Could not open file [%s]",filename);
			return 1;
		}
		file_given = true;
		if (fread(c.d.asBytes,1,8*60,pf) != 8*60) {
			PrintAndLog("Error: File reading error");
			fclose(pf);
			return 1;
		}
		fclose(pf);
	} else {
		file_given = false;
	}

	//file with all the challenges to try
	c.arg[0] = (uint32_t)file_given;
	c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode

	SendCommand(&c);
	return 0;
}


static int CmdLFHitagWriter(const char *Cmd) {
	UsbCommand c = { CMD_WR_HITAG_S };
	hitag_data* htd = (hitag_data*)c.d.asBytes;
	hitag_function htf = param_get32ex(Cmd,0,0,10);
	switch (htf) {
		case WHTSF_CHALLENGE: {
			num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
			c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
			num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
		} break;
		case WHTSF_KEY:
		case WHT2F_CRYPTO: {
			num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
			c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
			num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
		} break;
		case WHT2F_PASSWORD: {
			num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
			c.arg[2] = param_get32ex(Cmd, 2, 0, 10);
			num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, htd->crypto.data);
		} break;
		default: {
			PrintAndLog("Error: unkown writer function %d",htf);
			PrintAndLog("Hitag writer functions");
			PrintAndLog("  HitagS (0*):");
			PrintAndLog("    03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
			PrintAndLog("    04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
			PrintAndLog("  Hitag1 (1*)");
			PrintAndLog("    (not yet implemented)");
			PrintAndLog("  Hitag2 (2*):");
			PrintAndLog("    24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
			PrintAndLog("    27 <password> <page> <byte0...byte3> write page on a Hitag2 tag");
			return 1;
		} break;
	}
	// Copy the hitag function into the first argument
	c.arg[0] = htf;

	// Send the command to the proxmark
	SendCommand(&c);

	UsbCommand resp;
	if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
		PrintAndLogEx(WARNING, "timeout while waiting for reply.");
		return 1;
	}

	// Check the return status, stored in the first argument
	if (resp.arg[0] == false) {
		PrintAndLogEx(DEBUG, "DEBUG: Error - hitag write failed");
		return 1;
	}
	return 0;
}


static int CmdHelp(const char *Cmd);

static command_t CommandTable[] =
{
	{"help",             CmdHelp,                   1, "This help"},
	{"list",             CmdLFHitagList,            0, "<outfile> List Hitag trace history"},
	{"info",             CmdLFHitagInfo,            0, "Tag information" },
	{"reader",           CmdLFHitagReader,          0, "Act like a Hitag Reader"},
	{"sim",              CmdLFHitagSim,             0, "Simulate Hitag transponder"},
	{"snoop",            CmdLFHitagSnoop,           0, "Eavesdrop Hitag communication"},
	{"writer",           CmdLFHitagWriter,          0, "Act like a Hitag Writer" },
	{"simS",             CmdLFHitagSimS,            0, "Simulate HitagS transponder" },
	{"checkChallenges",  CmdLFHitagCheckChallenges, 0, "Test challenges from a file" },
	{ NULL,              NULL,                      0, NULL }
};


static int CmdHelp(const char *Cmd) {
	CmdsHelp(CommandTable);
	return 0;
}


int CmdLFHitag(const char *Cmd) {
	CmdsParse(CommandTable, Cmd);
	return 0;
}
Commit	Line	Data
db09cb3a	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2012 Roel Verdult
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// Low frequency Hitag support
	9	//-----------------------------------------------------------------------------
	10
ad939de5	11	#include "cmdlfhitag.h"
ad939de5	12
db09cb3a	13	#include <stdio.h>
	14	#include <stdlib.h>
	15	#include <string.h>
ad939de5	16	#include "comms.h"
db09cb3a	17	#include "ui.h"
	18	#include "cmdparser.h"
	19	#include "common.h"
	20	#include "util.h"
1f065e1d	21	#include "parity.h"
5866c187	22	#include "hitag.h"
902cb3c0	23	#include "cmdmain.h"
db09cb3a	24
f2dbf3d2	25	static size_t nbytes(size_t nbits) {
f2dbf3d2	26	return (nbits/8) + ((nbits%8)>0);
47e18126	27	}
47e18126	28
f2dbf3d2	29
	30	static int CmdLFHitagList(const char *Cmd) {
	31	uint8_t *got = malloc(USB_CMD_DATA_SIZE);
f71f4deb	32	// Query for the actual size of the trace
f71f4deb	33	UsbCommand response;
babca445	34	GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
f71f4deb	35	uint16_t traceLen = response.arg[2];
	36	if (traceLen > USB_CMD_DATA_SIZE) {
	37	uint8_t *p = realloc(got, traceLen);
	38	if (p == NULL) {
	39	PrintAndLog("Cannot allocate memory for trace");
	40	free(got);
	41	return 2;
	42	}
	43	got = p;
babca445	44	GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
f71f4deb	45	}
f2dbf3d2	46
f71f4deb	47	PrintAndLog("recorded activity (TraceLen = %d bytes):");
	48	PrintAndLog(" ETU :nbits: who bytes");
	49	PrintAndLog("---------+-----+----+-----------");
db09cb3a	50
7b6e3205	51	int j;
f71f4deb	52	int i = 0;
	53	int prev = -1;
	54	int len = strlen(Cmd);
b915fda3	55
f71f4deb	56	char filename[FILE_PATH_SIZE] = { 0x00 };
f71f4deb	57	FILE* pf = NULL;
f2dbf3d2	58
f2dbf3d2	59	if (len > FILE_PATH_SIZE)
f71f4deb	60	len = FILE_PATH_SIZE;
f71f4deb	61	memcpy(filename, Cmd, len);
f2dbf3d2	62
f71f4deb	63	if (strlen(filename) > 0) {
	64	if ((pf = fopen(filename,"wb")) == NULL) {
	65	PrintAndLog("Error: Could not open file [%s]",filename);
44964fd1	66	free(got);
f71f4deb	67	return 1;
f71f4deb	68	}
b915fda3	69	}
db09cb3a	70
f71f4deb	71	for (;;) {
f2dbf3d2	72
00848e09	73	if(i >= traceLen) { break; }
f71f4deb	74
	75	bool isResponse;
	76	int timestamp = ((uint32_t )(got+i));
	77	if (timestamp & 0x80000000) {
	78	timestamp &= 0x7fffffff;
	79	isResponse = 1;
	80	} else {
	81	isResponse = 0;
	82	}
	83
	84	int parityBits = ((uint32_t )(got+i+4));
	85	// 4 bytes of additional information...
	86	// maximum of 32 additional parity bit information
	87	//
	88	// TODO:
	89	// at each quarter bit period we can send power level (16 levels)
	90	// or each half bit period in 256 levels.
	91
	92	int bits = got[i+8];
7b6e3205	93	int len = nbytes(bits);
f71f4deb	94
f71f4deb	95	if (len > 100) {
f2dbf3d2	96	break;
f71f4deb	97	}
	98	if (i + len > traceLen) { break;}
	99
	100	uint8_t *frame = (got+i+9);
7b6e3205	101	/*
	102	int fillupBits = 8 - (bits % 8);
	103	byte_t framefilled[bits+fillupBits];
	104	byte_t* ff = framefilled;
f2dbf3d2	105
7b6e3205	106	int response_bit[200] = {0};
	107	int z = 0;
	108	for (int y = 0; y < len; y++) {
	109	for (j = 0; j < 8; j++) {
	110	response_bit[z] = 0;
	111	if ((frame[y] & ((mask << 7) >> j)) != 0)
	112	response_bit[z] = 1;
	113	z++;
	114	}
	115	}
	116	z = 0;
	117	for (int y = 0; y < len; y++) {
	118	ff[y] = (response_bit[z] << 7) \| (response_bit[z + 1] << 6)
	119	\| (response_bit[z + 2] << 5) \| (response_bit[z + 3] << 4)
	120	\| (response_bit[z + 4] << 3) \| (response_bit[z + 5] << 2)
	121	\| (response_bit[z + 6] << 1) \| response_bit[z + 7];
	122	z += 8;
	123	}
	124	*/
	125
	126
	127
f71f4deb	128
	129	// Break and stick with current result if buffer was not completely full
	130	if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
	131
	132	char line[1000] = "";
f71f4deb	133	for (j = 0; j < len; j++) {
f2dbf3d2	134	//if((parityBits >> (len - j - 1)) & 0x01) {
	135	if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
	136	sprintf(line+(j*4), "%02x! ", frame[j]);
	137	} else {
	138	sprintf(line+(j*4), "%02x ", frame[j]);
	139	}
f71f4deb	140	}
	141
	142	PrintAndLog(" +%7d: %3d: %s %s",
	143	(prev < 0 ? 0 : (timestamp - prev)),
	144	bits,
	145	(isResponse ? "TAG" : " "),
	146	line);
	147
	148	if (pf) {
	149	fprintf(pf," +%7d: %3d: %s %s\n",
	150	(prev < 0 ? 0 : (timestamp - prev)),
	151	bits,
	152	(isResponse ? "TAG" : " "),
	153	line);
	154	}
f2dbf3d2	155
f71f4deb	156	prev = timestamp;
	157	i += (len + 9);
	158	}
f2dbf3d2	159
f71f4deb	160	if (pf) {
	161	fclose(pf);
	162	PrintAndLog("Recorded activity succesfully written to file: %s", filename);
	163	}
97d582a6	164
f71f4deb	165	free(got);
f71f4deb	166	return 0;
db09cb3a	167	}
db09cb3a	168
f2dbf3d2	169
	170	static int CmdLFHitagSnoop(const char *Cmd) {
	171	UsbCommand c = {CMD_SNOOP_HITAG};
	172	SendCommand(&c);
	173	return 0;
db09cb3a	174	}
db09cb3a	175
f2dbf3d2	176
	177	static int CmdLFHitagSim(const char *Cmd) {
	178
	179	UsbCommand c = {CMD_SIMULATE_HITAG};
b915fda3	180	char filename[FILE_PATH_SIZE] = { 0x00 };
db09cb3a	181	FILE* pf;
db09cb3a	182	bool tag_mem_supplied;
b915fda3	183	int len = strlen(Cmd);
	184	if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
	185	memcpy(filename, Cmd, len);
f2dbf3d2	186
db09cb3a	187	if (strlen(filename) > 0) {
	188	if ((pf = fopen(filename,"rb+")) == NULL) {
	189	PrintAndLog("Error: Could not open file [%s]",filename);
	190	return 1;
	191	}
	192	tag_mem_supplied = true;
44964fd1	193	if (fread(c.d.asBytes,1,48,pf) != 48) {
	194	PrintAndLog("Error: File reading error");
	195	fclose(pf);
759c16b3	196	return 1;
44964fd1	197	}
db09cb3a	198	fclose(pf);
	199	} else {
	200	tag_mem_supplied = false;
	201	}
f2dbf3d2	202
db09cb3a	203	// Does the tag comes with memory
	204	c.arg[0] = (uint32_t)tag_mem_supplied;
	205
f2dbf3d2	206	SendCommand(&c);
	207	return 0;
	208	}
	209
	210
00848e09	211	bool getHitagUid(uint32_t *uid, bool quiet) {
f2dbf3d2	212	// ToDo: this is for Hitag2 only (??)
	213
	214	UsbCommand c = {CMD_READER_HITAG, {RHT2F_UID_ONLY}};
	215
	216	SendCommand(&c);
	217
	218	UsbCommand resp;
	219	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
00848e09	220	if (!quiet) PrintAndLogEx(WARNING, "timeout while waiting for reply.");
f2dbf3d2	221	return false;
	222	}
	223
	224	if (resp.arg[0] == false) {
00848e09	225	if (!quiet) PrintAndLogEx(DEBUG, "DEBUG: Error - failed getting UID");
f2dbf3d2	226	return false;
	227	}
	228
	229	if (uid)
	230	*uid = bytes_to_num(resp.d.asBytes, 4);
	231
	232	return true;
db09cb3a	233	}
db09cb3a	234
f2dbf3d2	235
	236	static int CmdLFHitagInfo(const char *Cmd) {
	237	char ctmp = param_getchar(Cmd, 0);
	238	if (ctmp != '\0') {
	239	PrintAndLog("Usage: lf hitag info [h]");
	240	PrintAndLog("Options:");
	241	PrintAndLog(" h This help");
	242	PrintAndLog("Examples:");
	243	PrintAndLog(" lf hitag info");
	244	return 0;
	245	}
	246
	247	// read UID
	248	uint32_t uid = 0;
00848e09	249	if (getHitagUid(&uid, false) == false)
f2dbf3d2	250	return 1;
	251
	252	PrintAndLogEx(SUCCESS, "UID: %08X", uid);
	253
	254	// how to detemine Hitag types?
	255	// read block3, get configuration byte.
	256	// PrintAndLogEx(FAILED, _RED_("TODO: This is a hardcoded example!"));
	257
	258	// common configurations.
	259	// printHitagConfiguration(0x06);
	260	//printHitagConfiguration( 0x0E );
	261	//printHitagConfiguration( 0x02 );
	262	//printHitagConfiguration( 0x00 );
	263	//printHitagConfiguration( 0x04 );
	264	return 0;
	265	}
	266
	267
db09cb3a	268	int CmdLFHitagReader(const char *Cmd) {
f2dbf3d2	269	UsbCommand c = {CMD_READER_HITAG};
db09cb3a	270	hitag_data* htd = (hitag_data*)c.d.asBytes;
f2dbf3d2	271	hitag_function htf = param_get32ex(Cmd, 0, 0, 10);
f2dbf3d2	272
db09cb3a	273	switch (htf) {
00848e09	274	case RHTSF_CHALLENGE: {
4e12287d	275	c = (UsbCommand){ CMD_READ_HITAG_S };
f2dbf3d2	276	num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
	277	num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
	278	c.arg[1] = param_get64ex(Cmd, 3, 0, 0); //firstpage
	279	c.arg[2] = param_get64ex(Cmd, 4, 0, 0); //tag mode
4e12287d	280	} break;
00848e09	281	case RHTSF_KEY: {
4e12287d	282	c = (UsbCommand){ CMD_READ_HITAG_S };
f2dbf3d2	283	num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
	284	c.arg[1] = param_get64ex(Cmd, 2, 0, 0); //firstpage
	285	c.arg[2] = param_get64ex(Cmd, 3, 0, 0); //tag mode
7b6e3205	286	} break;
db09cb3a	287	case RHT2F_PASSWORD: {
f2dbf3d2	288	num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
db09cb3a	289	} break;
db09cb3a	290	case RHT2F_AUTHENTICATE: {
f2dbf3d2	291	num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
f2dbf3d2	292	num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
db09cb3a	293	} break;
bde10a50	294	case RHT2F_CRYPTO: {
f2dbf3d2	295	num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
f2dbf3d2	296	// num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
bde10a50	297	} break;
db09cb3a	298	case RHT2F_TEST_AUTH_ATTEMPTS: {
	299	// No additional parameters needed
	300	} break;
f86d6b55	301	case RHT2F_UID_ONLY: {
	302	// No additional parameters needed
	303	} break;
db09cb3a	304	default: {
f86d6b55	305	PrintAndLog("\nError: unkown reader function %d",htf);
	306	PrintAndLog("");
	307	PrintAndLog("Usage: hitag reader <Reader Function #>");
	308	PrintAndLog("Reader Functions:");
f2dbf3d2	309	PrintAndLog(" HitagS (0*):");
	310	PrintAndLog(" 01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
	311	PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
f2dbf3d2	312	PrintAndLog(" Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
	313	PrintAndLog(" Hitag1 (1*):");
	314	PrintAndLog(" (not yet implemented)");
	315	PrintAndLog(" Hitag2 (2*):");
	316	PrintAndLog(" 21 <password> (password mode)");
	317	PrintAndLog(" 22 <nr> <ar> (authentication)");
	318	PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
	319	PrintAndLog(" 25 (test recorded authentications)");
	320	PrintAndLog(" 26 just read UID");
db09cb3a	321	return 1;
	322	} break;
	323	}
	324
	325	// Copy the hitag2 function into the first argument
	326	c.arg[0] = htf;
	327
f86d6b55	328	// Send the command to the proxmark
217cfb6b	329	clearCommandBuffer();
f86d6b55	330	SendCommand(&c);
ab4da50d	331
f86d6b55	332	UsbCommand resp;
f2dbf3d2	333	if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
	334	PrintAndLogEx(WARNING, "timeout while waiting for reply.");
	335	return 1;
	336	}
f86d6b55	337
f86d6b55	338	// Check the return status, stored in the first argument
f2dbf3d2	339	if (resp.arg[0] == false) {
	340	PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
	341	return 1;
	342	}
	343
00848e09	344	uint32_t id = bytes_to_num(resp.d.asBytes, 4);
f2dbf3d2	345
00848e09	346	PrintAndLog("Valid Hitag2 tag found - UID: %08x", id);
	347	if (htf != RHT2F_UID_ONLY) {
	348	PrintAndLogEx(SUCCESS, "Dumping tag memory...");
f86d6b55	349	char filename[256];
	350	FILE* pf = NULL;
	351
	352	sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
	353	if ((pf = fopen(filename,"wb")) == NULL) {
	354	PrintAndLog("Error: Could not open file [%s]",filename);
	355	return 1;
	356	}
	357
	358	// Write the 48 tag memory bytes to file and finalize
	359	fwrite(resp.d.asBytes,1,48,pf);
	360	fclose(pf);
	361
	362	PrintAndLog("Succesfully saved tag memory to [%s]",filename);
	363	}
	364
f86d6b55	365	return 0;
db09cb3a	366	}
db09cb3a	367
4e12287d	368
f2dbf3d2	369	static int CmdLFHitagSimS(const char *Cmd) {
4e12287d RS	370	UsbCommand c = { CMD_SIMULATE_HITAG_S };
	371	char filename[FILE_PATH_SIZE] = { 0x00 };
	372	FILE* pf;
	373	bool tag_mem_supplied;
	374	int len = strlen(Cmd);
	375	if (len > FILE_PATH_SIZE)
	376	len = FILE_PATH_SIZE;
	377	memcpy(filename, Cmd, len);
	378
	379	if (strlen(filename) > 0) {
	380	if ((pf = fopen(filename, "rb+")) == NULL) {
	381	PrintAndLog("Error: Could not open file [%s]", filename);
	382	return 1;
	383	}
	384	tag_mem_supplied = true;
44964fd1	385	if (fread(c.d.asBytes, 1, 464, pf) != 464) {
4e12287d RS	386	PrintAndLog("Error: File reading error");
	387	fclose(pf);
	388	return 1;
	389	}
	390	fclose(pf);
	391	} else {
	392	tag_mem_supplied = false;
	393	}
	394
	395	// Does the tag comes with memory
	396	c.arg[0] = (uint32_t) tag_mem_supplied;
	397
	398	SendCommand(&c);
	399	return 0;
	400	}
	401
f2dbf3d2	402
f2dbf3d2	403	static int CmdLFHitagCheckChallenges(const char *Cmd) {
4e12287d RS	404	UsbCommand c = { CMD_TEST_HITAGS_TRACES };
	405	char filename[FILE_PATH_SIZE] = { 0x00 };
	406	FILE* pf;
	407	bool file_given;
	408	int len = strlen(Cmd);
	409	if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
	410	memcpy(filename, Cmd, len);
f2dbf3d2	411
4e12287d RS	412	if (strlen(filename) > 0) {
	413	if ((pf = fopen(filename,"rb+")) == NULL) {
	414	PrintAndLog("Error: Could not open file [%s]",filename);
	415	return 1;
	416	}
	417	file_given = true;
44964fd1	418	if (fread(c.d.asBytes,1,860,pf) != 860) {
	419	PrintAndLog("Error: File reading error");
	420	fclose(pf);
4e12287d	421	return 1;
f2dbf3d2	422	}
4e12287d RS	423	fclose(pf);
	424	} else {
	425	file_given = false;
	426	}
f2dbf3d2	427
4e12287d RS	428	//file with all the challenges to try
4e12287d RS	429	c.arg[0] = (uint32_t)file_given;
7b6e3205	430	c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode
4e12287d	431
f2dbf3d2	432	SendCommand(&c);
f2dbf3d2	433	return 0;
4e12287d RS	434	}
	435
	436
f2dbf3d2	437	static int CmdLFHitagWriter(const char *Cmd) {
4e12287d RS	438	UsbCommand c = { CMD_WR_HITAG_S };
	439	hitag_data* htd = (hitag_data*)c.d.asBytes;
	440	hitag_function htf = param_get32ex(Cmd,0,0,10);
	441	switch (htf) {
f2dbf3d2	442	case WHTSF_CHALLENGE: {
4e12287d RS	443	num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
	444	c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
	445	num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
	446	} break;
f2dbf3d2	447	case WHTSF_KEY:
f2dbf3d2	448	case WHT2F_CRYPTO: {
4e12287d RS	449	num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
	450	c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
	451	num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
f2dbf3d2	452	} break;
	453	case WHT2F_PASSWORD: {
	454	num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
	455	c.arg[2] = param_get32ex(Cmd, 2, 0, 10);
	456	num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, htd->crypto.data);
4e12287d RS	457	} break;
	458	default: {
	459	PrintAndLog("Error: unkown writer function %d",htf);
	460	PrintAndLog("Hitag writer functions");
f2dbf3d2	461	PrintAndLog(" HitagS (0*):");
	462	PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
	463	PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
	464	PrintAndLog(" Hitag1 (1*)");
	465	PrintAndLog(" (not yet implemented)");
	466	PrintAndLog(" Hitag2 (2*):");
	467	PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
	468	PrintAndLog(" 27 <password> <page> <byte0...byte3> write page on a Hitag2 tag");
4e12287d RS	469	return 1;
	470	} break;
	471	}
	472	// Copy the hitag function into the first argument
	473	c.arg[0] = htf;
	474
f2dbf3d2	475	// Send the command to the proxmark
	476	SendCommand(&c);
	477
	478	UsbCommand resp;
	479	if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
	480	PrintAndLogEx(WARNING, "timeout while waiting for reply.");
	481	return 1;
	482	}
	483
	484	// Check the return status, stored in the first argument
	485	if (resp.arg[0] == false) {
	486	PrintAndLogEx(DEBUG, "DEBUG: Error - hitag write failed");
	487	return 1;
	488	}
	489	return 0;
4e12287d RS	490	}
	491
	492
f2dbf3d2	493	static int CmdHelp(const char *Cmd);
	494
	495	static command_t CommandTable[] =
db09cb3a	496	{
f2dbf3d2	497	{"help", CmdHelp, 1, "This help"},
	498	{"list", CmdLFHitagList, 0, "<outfile> List Hitag trace history"},
	499	{"info", CmdLFHitagInfo, 0, "Tag information" },
	500	{"reader", CmdLFHitagReader, 0, "Act like a Hitag Reader"},
	501	{"sim", CmdLFHitagSim, 0, "Simulate Hitag transponder"},
	502	{"snoop", CmdLFHitagSnoop, 0, "Eavesdrop Hitag communication"},
	503	{"writer", CmdLFHitagWriter, 0, "Act like a Hitag Writer" },
	504	{"simS", CmdLFHitagSimS, 0, "Simulate HitagS transponder" },
	505	{"checkChallenges", CmdLFHitagCheckChallenges, 0, "Test challenges from a file" },
	506	{ NULL, NULL, 0, NULL }
db09cb3a	507	};
db09cb3a	508
f2dbf3d2	509
	510	static int CmdHelp(const char *Cmd) {
	511	CmdsHelp(CommandTable);
	512	return 0;
db09cb3a	513	}
db09cb3a	514
f2dbf3d2	515
	516	int CmdLFHitag(const char *Cmd) {
	517	CmdsParse(CommandTable, Cmd);
	518	return 0;
db09cb3a	519	}