Hitag fixes (#887)
[proxmark3-svn] / client / cmdlfhitag.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2012 Roel Verdult
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency Hitag support
9 //-----------------------------------------------------------------------------
10
11 #include "cmdlfhitag.h"
12
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include "comms.h"
17 #include "ui.h"
18 #include "cmdparser.h"
19 #include "common.h"
20 #include "util.h"
21 #include "parity.h"
22 #include "hitag.h"
23 #include "cmdmain.h"
24
25 static size_t nbytes(size_t nbits) {
26 return (nbits/8) + ((nbits%8)>0);
27 }
28
29
30 static int CmdLFHitagList(const char *Cmd) {
31 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
32 // Query for the actual size of the trace
33 UsbCommand response;
34 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
35 uint16_t traceLen = response.arg[2];
36 if (traceLen > USB_CMD_DATA_SIZE) {
37 uint8_t *p = realloc(got, traceLen);
38 if (p == NULL) {
39 PrintAndLog("Cannot allocate memory for trace");
40 free(got);
41 return 2;
42 }
43 got = p;
44 GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
45 }
46
47 PrintAndLog("recorded activity (TraceLen = %d bytes):");
48 PrintAndLog(" ETU :nbits: who bytes");
49 PrintAndLog("---------+-----+----+-----------");
50
51 int j;
52 int i = 0;
53 int prev = -1;
54 int len = strlen(Cmd);
55
56 char filename[FILE_PATH_SIZE] = { 0x00 };
57 FILE* pf = NULL;
58
59 if (len > FILE_PATH_SIZE)
60 len = FILE_PATH_SIZE;
61 memcpy(filename, Cmd, len);
62
63 if (strlen(filename) > 0) {
64 if ((pf = fopen(filename,"wb")) == NULL) {
65 PrintAndLog("Error: Could not open file [%s]",filename);
66 free(got);
67 return 1;
68 }
69 }
70
71 for (;;) {
72
73 if(i >= traceLen) { break; }
74
75 bool isResponse;
76 int timestamp = *((uint32_t *)(got+i));
77 if (timestamp & 0x80000000) {
78 timestamp &= 0x7fffffff;
79 isResponse = 1;
80 } else {
81 isResponse = 0;
82 }
83
84 int parityBits = *((uint32_t *)(got+i+4));
85 // 4 bytes of additional information...
86 // maximum of 32 additional parity bit information
87 //
88 // TODO:
89 // at each quarter bit period we can send power level (16 levels)
90 // or each half bit period in 256 levels.
91
92 int bits = got[i+8];
93 int len = nbytes(bits);
94
95 if (len > 100) {
96 break;
97 }
98 if (i + len > traceLen) { break;}
99
100 uint8_t *frame = (got+i+9);
101 /*
102 int fillupBits = 8 - (bits % 8);
103 byte_t framefilled[bits+fillupBits];
104 byte_t* ff = framefilled;
105
106 int response_bit[200] = {0};
107 int z = 0;
108 for (int y = 0; y < len; y++) {
109 for (j = 0; j < 8; j++) {
110 response_bit[z] = 0;
111 if ((frame[y] & ((mask << 7) >> j)) != 0)
112 response_bit[z] = 1;
113 z++;
114 }
115 }
116 z = 0;
117 for (int y = 0; y < len; y++) {
118 ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6)
119 | (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4)
120 | (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2)
121 | (response_bit[z + 6] << 1) | response_bit[z + 7];
122 z += 8;
123 }
124 */
125
126
127
128
129 // Break and stick with current result if buffer was not completely full
130 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
131
132 char line[1000] = "";
133 for (j = 0; j < len; j++) {
134 //if((parityBits >> (len - j - 1)) & 0x01) {
135 if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
136 sprintf(line+(j*4), "%02x! ", frame[j]);
137 } else {
138 sprintf(line+(j*4), "%02x ", frame[j]);
139 }
140 }
141
142 PrintAndLog(" +%7d: %3d: %s %s",
143 (prev < 0 ? 0 : (timestamp - prev)),
144 bits,
145 (isResponse ? "TAG" : " "),
146 line);
147
148 if (pf) {
149 fprintf(pf," +%7d: %3d: %s %s\n",
150 (prev < 0 ? 0 : (timestamp - prev)),
151 bits,
152 (isResponse ? "TAG" : " "),
153 line);
154 }
155
156 prev = timestamp;
157 i += (len + 9);
158 }
159
160 if (pf) {
161 fclose(pf);
162 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
163 }
164
165 free(got);
166 return 0;
167 }
168
169
170 static int CmdLFHitagSnoop(const char *Cmd) {
171 UsbCommand c = {CMD_SNOOP_HITAG};
172 SendCommand(&c);
173 return 0;
174 }
175
176
177 static int CmdLFHitagSim(const char *Cmd) {
178
179 UsbCommand c = {CMD_SIMULATE_HITAG};
180 char filename[FILE_PATH_SIZE] = { 0x00 };
181 FILE* pf;
182 bool tag_mem_supplied;
183 int len = strlen(Cmd);
184 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
185 memcpy(filename, Cmd, len);
186
187 if (strlen(filename) > 0) {
188 if ((pf = fopen(filename,"rb+")) == NULL) {
189 PrintAndLog("Error: Could not open file [%s]",filename);
190 return 1;
191 }
192 tag_mem_supplied = true;
193 if (fread(c.d.asBytes,1,48,pf) != 48) {
194 PrintAndLog("Error: File reading error");
195 fclose(pf);
196 return 1;
197 }
198 fclose(pf);
199 } else {
200 tag_mem_supplied = false;
201 }
202
203 // Does the tag comes with memory
204 c.arg[0] = (uint32_t)tag_mem_supplied;
205
206 SendCommand(&c);
207 return 0;
208 }
209
210
211 bool getHitagUid(uint32_t *uid, bool quiet) {
212 // ToDo: this is for Hitag2 only (??)
213
214 UsbCommand c = {CMD_READER_HITAG, {RHT2F_UID_ONLY}};
215
216 SendCommand(&c);
217
218 UsbCommand resp;
219 if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
220 if (!quiet) PrintAndLogEx(WARNING, "timeout while waiting for reply.");
221 return false;
222 }
223
224 if (resp.arg[0] == false) {
225 if (!quiet) PrintAndLogEx(DEBUG, "DEBUG: Error - failed getting UID");
226 return false;
227 }
228
229 if (uid)
230 *uid = bytes_to_num(resp.d.asBytes, 4);
231
232 return true;
233 }
234
235
236 static int CmdLFHitagInfo(const char *Cmd) {
237 char ctmp = param_getchar(Cmd, 0);
238 if (ctmp != '\0') {
239 PrintAndLog("Usage: lf hitag info [h]");
240 PrintAndLog("Options:");
241 PrintAndLog(" h This help");
242 PrintAndLog("Examples:");
243 PrintAndLog(" lf hitag info");
244 return 0;
245 }
246
247 // read UID
248 uint32_t uid = 0;
249 if (getHitagUid(&uid, false) == false)
250 return 1;
251
252 PrintAndLogEx(SUCCESS, "UID: %08X", uid);
253
254 // how to detemine Hitag types?
255 // read block3, get configuration byte.
256 // PrintAndLogEx(FAILED, _RED_("TODO: This is a hardcoded example!"));
257
258 // common configurations.
259 // printHitagConfiguration(0x06);
260 //printHitagConfiguration( 0x0E );
261 //printHitagConfiguration( 0x02 );
262 //printHitagConfiguration( 0x00 );
263 //printHitagConfiguration( 0x04 );
264 return 0;
265 }
266
267
268 int CmdLFHitagReader(const char *Cmd) {
269 UsbCommand c = {CMD_READER_HITAG};
270 hitag_data* htd = (hitag_data*)c.d.asBytes;
271 hitag_function htf = param_get32ex(Cmd, 0, 0, 10);
272
273 switch (htf) {
274 case RHTSF_CHALLENGE: {
275 c = (UsbCommand){ CMD_READ_HITAG_S };
276 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
277 num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
278 c.arg[1] = param_get64ex(Cmd, 3, 0, 0); //firstpage
279 c.arg[2] = param_get64ex(Cmd, 4, 0, 0); //tag mode
280 } break;
281 case RHTSF_KEY: {
282 c = (UsbCommand){ CMD_READ_HITAG_S };
283 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
284 c.arg[1] = param_get64ex(Cmd, 2, 0, 0); //firstpage
285 c.arg[2] = param_get64ex(Cmd, 3, 0, 0); //tag mode
286 } break;
287 case RHT2F_PASSWORD: {
288 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
289 } break;
290 case RHT2F_AUTHENTICATE: {
291 num_to_bytes(param_get32ex(Cmd, 1, 0, 16), 4, htd->auth.NrAr);
292 num_to_bytes(param_get32ex(Cmd, 2, 0, 16), 4, htd->auth.NrAr+4);
293 } break;
294 case RHT2F_CRYPTO: {
295 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 6, htd->crypto.key);
296 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
297 } break;
298 case RHT2F_TEST_AUTH_ATTEMPTS: {
299 // No additional parameters needed
300 } break;
301 case RHT2F_UID_ONLY: {
302 // No additional parameters needed
303 } break;
304 default: {
305 PrintAndLog("\nError: unkown reader function %d",htf);
306 PrintAndLog("");
307 PrintAndLog("Usage: hitag reader <Reader Function #>");
308 PrintAndLog("Reader Functions:");
309 PrintAndLog(" HitagS (0*):");
310 PrintAndLog(" 01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
311 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
312 PrintAndLog(" Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
313 PrintAndLog(" Hitag1 (1*):");
314 PrintAndLog(" (not yet implemented)");
315 PrintAndLog(" Hitag2 (2*):");
316 PrintAndLog(" 21 <password> (password mode)");
317 PrintAndLog(" 22 <nr> <ar> (authentication)");
318 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
319 PrintAndLog(" 25 (test recorded authentications)");
320 PrintAndLog(" 26 just read UID");
321 return 1;
322 } break;
323 }
324
325 // Copy the hitag2 function into the first argument
326 c.arg[0] = htf;
327
328 // Send the command to the proxmark
329 clearCommandBuffer();
330 SendCommand(&c);
331
332 UsbCommand resp;
333 if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
334 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
335 return 1;
336 }
337
338 // Check the return status, stored in the first argument
339 if (resp.arg[0] == false) {
340 PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
341 return 1;
342 }
343
344 uint32_t id = bytes_to_num(resp.d.asBytes, 4);
345
346 PrintAndLog("Valid Hitag2 tag found - UID: %08x", id);
347 if (htf != RHT2F_UID_ONLY) {
348 PrintAndLogEx(SUCCESS, "Dumping tag memory...");
349 char filename[256];
350 FILE* pf = NULL;
351
352 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
353 if ((pf = fopen(filename,"wb")) == NULL) {
354 PrintAndLog("Error: Could not open file [%s]",filename);
355 return 1;
356 }
357
358 // Write the 48 tag memory bytes to file and finalize
359 fwrite(resp.d.asBytes,1,48,pf);
360 fclose(pf);
361
362 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
363 }
364
365 return 0;
366 }
367
368
369 static int CmdLFHitagSimS(const char *Cmd) {
370 UsbCommand c = { CMD_SIMULATE_HITAG_S };
371 char filename[FILE_PATH_SIZE] = { 0x00 };
372 FILE* pf;
373 bool tag_mem_supplied;
374 int len = strlen(Cmd);
375 if (len > FILE_PATH_SIZE)
376 len = FILE_PATH_SIZE;
377 memcpy(filename, Cmd, len);
378
379 if (strlen(filename) > 0) {
380 if ((pf = fopen(filename, "rb+")) == NULL) {
381 PrintAndLog("Error: Could not open file [%s]", filename);
382 return 1;
383 }
384 tag_mem_supplied = true;
385 if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) {
386 PrintAndLog("Error: File reading error");
387 fclose(pf);
388 return 1;
389 }
390 fclose(pf);
391 } else {
392 tag_mem_supplied = false;
393 }
394
395 // Does the tag comes with memory
396 c.arg[0] = (uint32_t) tag_mem_supplied;
397
398 SendCommand(&c);
399 return 0;
400 }
401
402
403 static int CmdLFHitagCheckChallenges(const char *Cmd) {
404 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
405 char filename[FILE_PATH_SIZE] = { 0x00 };
406 FILE* pf;
407 bool file_given;
408 int len = strlen(Cmd);
409 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
410 memcpy(filename, Cmd, len);
411
412 if (strlen(filename) > 0) {
413 if ((pf = fopen(filename,"rb+")) == NULL) {
414 PrintAndLog("Error: Could not open file [%s]",filename);
415 return 1;
416 }
417 file_given = true;
418 if (fread(c.d.asBytes,1,8*60,pf) != 8*60) {
419 PrintAndLog("Error: File reading error");
420 fclose(pf);
421 return 1;
422 }
423 fclose(pf);
424 } else {
425 file_given = false;
426 }
427
428 //file with all the challenges to try
429 c.arg[0] = (uint32_t)file_given;
430 c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode
431
432 SendCommand(&c);
433 return 0;
434 }
435
436
437 static int CmdLFHitagWriter(const char *Cmd) {
438 UsbCommand c = { CMD_WR_HITAG_S };
439 hitag_data* htd = (hitag_data*)c.d.asBytes;
440 hitag_function htf = param_get32ex(Cmd,0,0,10);
441 switch (htf) {
442 case WHTSF_CHALLENGE: {
443 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
444 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
445 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
446 } break;
447 case WHTSF_KEY:
448 case WHT2F_CRYPTO: {
449 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
450 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
451 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
452 } break;
453 case WHT2F_PASSWORD: {
454 num_to_bytes(param_get64ex(Cmd, 1, 0, 16), 4, htd->pwd.password);
455 c.arg[2] = param_get32ex(Cmd, 2, 0, 10);
456 num_to_bytes(param_get32ex(Cmd, 3, 0, 16), 4, htd->crypto.data);
457 } break;
458 default: {
459 PrintAndLog("Error: unkown writer function %d",htf);
460 PrintAndLog("Hitag writer functions");
461 PrintAndLog(" HitagS (0*):");
462 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
463 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
464 PrintAndLog(" Hitag1 (1*)");
465 PrintAndLog(" (not yet implemented)");
466 PrintAndLog(" Hitag2 (2*):");
467 PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
468 PrintAndLog(" 27 <password> <page> <byte0...byte3> write page on a Hitag2 tag");
469 return 1;
470 } break;
471 }
472 // Copy the hitag function into the first argument
473 c.arg[0] = htf;
474
475 // Send the command to the proxmark
476 SendCommand(&c);
477
478 UsbCommand resp;
479 if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
480 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
481 return 1;
482 }
483
484 // Check the return status, stored in the first argument
485 if (resp.arg[0] == false) {
486 PrintAndLogEx(DEBUG, "DEBUG: Error - hitag write failed");
487 return 1;
488 }
489 return 0;
490 }
491
492
493 static int CmdHelp(const char *Cmd);
494
495 static command_t CommandTable[] =
496 {
497 {"help", CmdHelp, 1, "This help"},
498 {"list", CmdLFHitagList, 0, "<outfile> List Hitag trace history"},
499 {"info", CmdLFHitagInfo, 0, "Tag information" },
500 {"reader", CmdLFHitagReader, 0, "Act like a Hitag Reader"},
501 {"sim", CmdLFHitagSim, 0, "Simulate Hitag transponder"},
502 {"snoop", CmdLFHitagSnoop, 0, "Eavesdrop Hitag communication"},
503 {"writer", CmdLFHitagWriter, 0, "Act like a Hitag Writer" },
504 {"simS", CmdLFHitagSimS, 0, "Simulate HitagS transponder" },
505 {"checkChallenges", CmdLFHitagCheckChallenges, 0, "Test challenges from a file" },
506 { NULL, NULL, 0, NULL }
507 };
508
509
510 static int CmdHelp(const char *Cmd) {
511 CmdsHelp(CommandTable);
512 return 0;
513 }
514
515
516 int CmdLFHitag(const char *Cmd) {
517 CmdsParse(CommandTable, Cmd);
518 return 0;
519 }
Impressum, Datenschutz