]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:


1f8f4ee8e429bee017e3e9a1c57a9374ad8ac92b
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19
20 #include "crc.h"
21
22 // the block number for the ISO14443-4 PCB
23 uint8_t pcb_blocknum = 0;
24 // Deselect card by sending a s-block. the crc is precalced for speed
25 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
26
27
28 //-----------------------------------------------------------------------------
29 // Select, Authenticate, Read a MIFARE tag.
30 // read block
31 //-----------------------------------------------------------------------------
32 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
33 {
34 // params
35 uint8_t blockNo = arg0;
36 uint8_t keyType = arg1;
37 uint64_t ui64Key = 0;
38 ui64Key = bytes_to_num(datain, 6);
39
40 // variables
41 byte_t isOK = 0;
42 byte_t dataoutbuf[16];
43 uint8_t uid[10];
44 uint32_t cuid;
45 struct Crypto1State mpcs = {0, 0};
46 struct Crypto1State *pcs;
47 pcs = &mpcs;
48
49 // clear trace
50 clear_trace();
51 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
52
53 LED_A_ON();
54 LED_B_OFF();
55 LED_C_OFF();
56
57 while (true) {
58 if(!iso14443a_select_card(uid, NULL, &cuid)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
60 break;
61 };
62
63 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
65 break;
66 };
67
68 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
69 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
70 break;
71 };
72
73 if(mifare_classic_halt(pcs, cuid)) {
74 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
75 break;
76 };
77
78 isOK = 1;
79 break;
80 }
81
82 // ----------------------------- crypto1 destroy
83 crypto1_destroy(pcs);
84
85 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
86
87 LED_B_ON();
88 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
89 LED_B_OFF();
90
91 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
92 LEDsoff();
93 }
94
95 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
96
97 bool turnOffField = (arg0 == 1);
98
99 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
100 clear_trace();
101 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
102
103 if(!iso14443a_select_card(NULL, NULL, NULL)) {
104 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
105 OnError(0);
106 return;
107 };
108
109 if(mifare_ultra_auth(keybytes) == 1){
110 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
111 OnError(1);
112 return;
113 }
114 cmd_send(CMD_ACK,1,0,0,0,0);
115
116 if (turnOffField) {
117 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
118 LEDsoff();
119 }
120 }
121
122 // Arg0 = BlockNo,
123 // Arg1 = UsePwd bool
124 // datain = PWD bytes,
125 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
126 {
127 uint8_t blockNo = arg0;
128 byte_t dataout[16] = {0x00};
129 bool useKey = (arg1 == 1); //UL_C
130 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
131
132 LEDsoff();
133 LED_A_ON();
134 clear_trace();
135 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
136
137 int len = iso14443a_select_card(NULL, NULL, NULL);
138 if(!len) {
139 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
140 OnError(1);
141 return;
142 }
143
144 // UL-C authentication
145 if ( useKey ) {
146 uint8_t key[16] = {0x00};
147 memcpy(key, datain, sizeof(key) );
148
149 if ( mifare_ultra_auth(key) == 1 ) {
150 OnError(1);
151 return;
152 }
153 }
154
155 // UL-EV1 / NTAG authentication
156 if ( usePwd ) {
157 uint8_t pwd[4] = {0x00};
158 memcpy(pwd, datain, 4);
159 uint8_t pack[4] = {0,0,0,0};
160 if (mifare_ul_ev1_auth(pwd, pack) == 1) {
161 OnError(1);
162 return;
163 }
164 }
165
166 if( mifare_ultra_readblock(blockNo, dataout) ) {
167 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
168 OnError(2);
169 return;
170 }
171
172 if( mifare_ultra_halt() ) {
173 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
174 OnError(3);
175 return;
176 }
177
178 cmd_send(CMD_ACK,1,0,0,dataout,16);
179 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
180 LEDsoff();
181 }
182
183 //-----------------------------------------------------------------------------
184 // Select, Authenticate, Read a MIFARE tag.
185 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
186 //-----------------------------------------------------------------------------
187 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
188 {
189 // params
190 uint8_t sectorNo = arg0;
191 uint8_t keyType = arg1;
192 uint64_t ui64Key = 0;
193 ui64Key = bytes_to_num(datain, 6);
194
195 // variables
196 byte_t isOK = 0;
197 byte_t dataoutbuf[16 * 16];
198 uint8_t uid[10];
199 uint32_t cuid;
200 struct Crypto1State mpcs = {0, 0};
201 struct Crypto1State *pcs;
202 pcs = &mpcs;
203
204 // clear trace
205 clear_trace();
206
207 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
208
209 LED_A_ON();
210 LED_B_OFF();
211 LED_C_OFF();
212
213 isOK = 1;
214 if(!iso14443a_select_card(uid, NULL, &cuid)) {
215 isOK = 0;
216 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
217 }
218
219
220 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
221 isOK = 0;
222 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
223 }
224
225 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
226 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
227 isOK = 0;
228 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
229 break;
230 }
231 }
232
233 if(mifare_classic_halt(pcs, cuid)) {
234 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
235 }
236
237 // ----------------------------- crypto1 destroy
238 crypto1_destroy(pcs);
239
240 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
241
242 LED_B_ON();
243 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
244 LED_B_OFF();
245
246 // Thats it...
247 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
248 LEDsoff();
249 }
250
251 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
252 {
253 // params
254 uint8_t blockNo = arg0;
255 uint16_t blocks = arg1;
256 bool useKey = (arg2 == 1); //UL_C
257 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
258 int countblocks = 0;
259 uint8_t dataout[176] = {0x00};
260
261 LEDsoff();
262 LED_A_ON();
263 clear_trace();
264 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
265
266 int len = iso14443a_select_card(NULL, NULL, NULL);
267 if (!len) {
268 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
269 OnError(1);
270 return;
271 }
272
273 // UL-C authentication
274 if ( useKey ) {
275 uint8_t key[16] = {0x00};
276 memcpy(key, datain, sizeof(key) );
277
278 if ( mifare_ultra_auth(key) == 1 ) {
279 OnError(1);
280 return;
281 }
282 }
283
284 // UL-EV1 / NTAG authentication
285 if (usePwd) {
286 uint8_t pwd[4] = {0x00};
287 memcpy(pwd, datain, sizeof(pwd));
288 uint8_t pack[4] = {0,0,0,0};
289
290 if (mifare_ul_ev1_auth(pwd, pack) == 1){
291 OnError(1);
292 return;
293 }
294 }
295
296 for (int i = 0; i < blocks; i++){
297 len = mifare_ultra_readblock(blockNo * 4 + i, dataout + 4 * i);
298
299 if (len) {
300 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
301 OnError(2);
302 return;
303 } else {
304 countblocks++;
305 }
306 }
307
308 len = mifare_ultra_halt();
309 if (len) {
310 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
311 OnError(3);
312 return;
313 }
314
315 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
316
317 len = blocks * 4;
318
319 cmd_send(CMD_ACK, 1, len, 0, dataout, len);
320 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
321 LEDsoff();
322 }
323
324 //-----------------------------------------------------------------------------
325 // Select, Authenticate, Write a MIFARE tag.
326 // read block
327 //-----------------------------------------------------------------------------
328 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
329 {
330 // params
331 uint8_t blockNo = arg0;
332 uint8_t keyType = arg1;
333 uint64_t ui64Key = 0;
334 byte_t blockdata[16];
335
336 ui64Key = bytes_to_num(datain, 6);
337 memcpy(blockdata, datain + 10, 16);
338
339 // variables
340 byte_t isOK = 0;
341 uint8_t uid[10];
342 uint32_t cuid;
343 struct Crypto1State mpcs = {0, 0};
344 struct Crypto1State *pcs;
345 pcs = &mpcs;
346
347 // clear trace
348 clear_trace();
349
350 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
351
352 LED_A_ON();
353 LED_B_OFF();
354 LED_C_OFF();
355
356 while (true) {
357 if(!iso14443a_select_card(uid, NULL, &cuid)) {
358 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
359 break;
360 };
361
362 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
363 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
364 break;
365 };
366
367 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
368 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
369 break;
370 };
371
372 if(mifare_classic_halt(pcs, cuid)) {
373 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
374 break;
375 };
376
377 isOK = 1;
378 break;
379 }
380
381 // ----------------------------- crypto1 destroy
382 crypto1_destroy(pcs);
383
384 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
385
386 LED_B_ON();
387 cmd_send(CMD_ACK,isOK,0,0,0,0);
388 LED_B_OFF();
389
390
391 // Thats it...
392 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
393 LEDsoff();
394 }
395
396 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
397 {
398 uint8_t blockNo = arg0;
399 byte_t blockdata[16] = {0x00};
400
401 memcpy(blockdata, datain, 16);
402
403 uint8_t uid[10] = {0x00};
404
405 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
406
407 clear_trace();
408 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
409
410 if(!iso14443a_select_card(uid, NULL, NULL)) {
411 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
412 OnError(0);
413 return;
414 };
415
416 if(mifare_ultra_writeblock(blockNo, blockdata)) {
417 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
418 OnError(0);
419 return; };
420
421 if(mifare_ultra_halt()) {
422 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
423 OnError(0);
424 return;
425 };
426
427 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
428
429 cmd_send(CMD_ACK,1,0,0,0,0);
430 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
431 LEDsoff();
432 }
433
434 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
435 {
436 uint8_t blockNo = arg0;
437 byte_t blockdata[4] = {0x00};
438
439 memcpy(blockdata, datain,4);
440
441 LEDsoff();
442 LED_A_ON();
443 clear_trace();
444 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
445
446 if(!iso14443a_select_card(NULL, NULL, NULL)) {
447 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
448 OnError(0);
449 return;
450 };
451
452 if(mifare_ultra_special_writeblock(blockNo, blockdata)) {
453 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
454 OnError(0);
455 return;
456 };
457
458 if(mifare_ultra_halt()) {
459 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
460 OnError(0);
461 return;
462 };
463
464 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
465
466 cmd_send(CMD_ACK,1,0,0,0,0);
467 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
468 LEDsoff();
469 }
470
471 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
472
473 uint8_t pwd[16] = {0x00};
474 byte_t blockdata[4] = {0x00};
475
476 memcpy(pwd, datain, 16);
477
478 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
479 clear_trace();
480 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
481
482 if(!iso14443a_select_card(NULL, NULL, NULL)) {
483 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
484 OnError(0);
485 return;
486 };
487
488 blockdata[0] = pwd[7];
489 blockdata[1] = pwd[6];
490 blockdata[2] = pwd[5];
491 blockdata[3] = pwd[4];
492 if(mifare_ultra_special_writeblock( 44, blockdata)) {
493 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
494 OnError(44);
495 return;
496 };
497
498 blockdata[0] = pwd[3];
499 blockdata[1] = pwd[2];
500 blockdata[2] = pwd[1];
501 blockdata[3] = pwd[0];
502 if(mifare_ultra_special_writeblock( 45, blockdata)) {
503 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
504 OnError(45);
505 return;
506 };
507
508 blockdata[0] = pwd[15];
509 blockdata[1] = pwd[14];
510 blockdata[2] = pwd[13];
511 blockdata[3] = pwd[12];
512 if(mifare_ultra_special_writeblock( 46, blockdata)) {
513 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
514 OnError(46);
515 return;
516 };
517
518 blockdata[0] = pwd[11];
519 blockdata[1] = pwd[10];
520 blockdata[2] = pwd[9];
521 blockdata[3] = pwd[8];
522 if(mifare_ultra_special_writeblock( 47, blockdata)) {
523 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
524 OnError(47);
525 return;
526 };
527
528 if(mifare_ultra_halt()) {
529 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
530 OnError(0);
531 return;
532 };
533
534 cmd_send(CMD_ACK,1,0,0,0,0);
535 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
536 LEDsoff();
537 }
538
539 // Return 1 if the nonce is invalid else return 0
540 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
541 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
542 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
543 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
544 }
545
546
547 //-----------------------------------------------------------------------------
548 // MIFARE nested authentication.
549 //
550 //-----------------------------------------------------------------------------
551 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
552 {
553 // params
554 uint8_t blockNo = arg0 & 0xff;
555 uint8_t keyType = (arg0 >> 8) & 0xff;
556 uint8_t targetBlockNo = arg1 & 0xff;
557 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
558 uint64_t ui64Key = 0;
559
560 ui64Key = bytes_to_num(datain, 6);
561
562 // variables
563 uint16_t rtr, i, j, len;
564 uint16_t davg;
565 static uint16_t dmin, dmax;
566 uint8_t uid[10];
567 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
568 uint8_t par[1];
569 uint32_t target_nt[2], target_ks[2];
570
571 uint8_t par_array[4];
572 uint16_t ncount = 0;
573 struct Crypto1State mpcs = {0, 0};
574 struct Crypto1State *pcs;
575 pcs = &mpcs;
576 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
577
578 uint32_t auth1_time, auth2_time;
579 static uint16_t delta_time;
580
581 // free eventually allocated BigBuf memory
582 BigBuf_free();
583 // clear trace
584 clear_trace();
585 set_tracing(false);
586
587 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
588
589 LED_A_ON();
590 LED_C_OFF();
591
592
593 // statistics on nonce distance
594 if (calibrate) { // for first call only. Otherwise reuse previous calibration
595 LED_B_ON();
596 WDT_HIT();
597
598 davg = dmax = 0;
599 dmin = 2000;
600 delta_time = 0;
601
602 for (rtr = 0; rtr < 17; rtr++) {
603
604 // prepare next select. No need to power down the card.
605 if(mifare_classic_halt(pcs, cuid)) {
606 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
607 rtr--;
608 continue;
609 }
610
611 if(!iso14443a_select_card(uid, NULL, &cuid)) {
612 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
613 rtr--;
614 continue;
615 };
616
617 auth1_time = 0;
618 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
619 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
620 rtr--;
621 continue;
622 };
623
624 if (delta_time) {
625 auth2_time = auth1_time + delta_time;
626 } else {
627 auth2_time = 0;
628 }
629 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
630 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
631 rtr--;
632 continue;
633 };
634
635 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
636 for (i = 101; i < 1200; i++) {
637 nttmp = prng_successor(nttmp, 1);
638 if (nttmp == nt2) break;
639 }
640
641 if (i != 1200) {
642 if (rtr != 0) {
643 davg += i;
644 dmin = MIN(dmin, i);
645 dmax = MAX(dmax, i);
646 }
647 else {
648 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
649 }
650 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
651 }
652 }
653
654 if (rtr <= 1) return;
655
656 davg = (davg + (rtr - 1)/2) / (rtr - 1);
657
658 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
659
660 dmin = davg - 2;
661 dmax = davg + 2;
662
663 LED_B_OFF();
664
665 }
666 // -------------------------------------------------------------------------------------------------
667
668 LED_C_ON();
669
670 // get crypted nonces for target sector
671 for(i=0; i < 2; i++) { // look for exactly two different nonces
672
673 target_nt[i] = 0;
674 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
675
676 // prepare next select. No need to power down the card.
677 if(mifare_classic_halt(pcs, cuid)) {
678 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
679 continue;
680 }
681
682 if(!iso14443a_select_card(uid, NULL, &cuid)) {
683 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
684 continue;
685 };
686
687 auth1_time = 0;
688 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
689 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
690 continue;
691 };
692
693 // nested authentication
694 auth2_time = auth1_time + delta_time;
695 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
696 if (len != 4) {
697 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
698 continue;
699 };
700
701 nt2 = bytes_to_num(receivedAnswer, 4);
702 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
703
704 // Parity validity check
705 for (j = 0; j < 4; j++) {
706 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
707 }
708
709 ncount = 0;
710 nttest = prng_successor(nt1, dmin - 1);
711 for (j = dmin; j < dmax + 1; j++) {
712 nttest = prng_successor(nttest, 1);
713 ks1 = nt2 ^ nttest;
714
715 if (valid_nonce(nttest, nt2, ks1, par_array)){
716 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
717 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
718 target_nt[i] = 0;
719 break;
720 }
721 target_nt[i] = nttest;
722 target_ks[i] = ks1;
723 ncount++;
724 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
725 target_nt[i] = 0;
726 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
727 break;
728 }
729 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
730 }
731 }
732 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
733 }
734 }
735
736 LED_C_OFF();
737
738 // ----------------------------- crypto1 destroy
739 crypto1_destroy(pcs);
740
741 byte_t buf[4 + 4 * 4];
742 memcpy(buf, &cuid, 4);
743 memcpy(buf+4, &target_nt[0], 4);
744 memcpy(buf+8, &target_ks[0], 4);
745 memcpy(buf+12, &target_nt[1], 4);
746 memcpy(buf+16, &target_ks[1], 4);
747
748 LED_B_ON();
749 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
750 LED_B_OFF();
751
752 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
753
754 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
755 LEDsoff();
756 set_tracing(TRUE);
757 }
758
759 //-----------------------------------------------------------------------------
760 // MIFARE check keys. key count up to 85.
761 //
762 //-----------------------------------------------------------------------------
763 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
764 {
765 // params
766 uint8_t blockNo = arg0;
767 uint8_t keyType = arg1;
768 uint8_t keyCount = arg2;
769 uint64_t ui64Key = 0;
770
771 // variables
772 int i;
773 byte_t isOK = 0;
774 uint8_t uid[10];
775 uint32_t cuid;
776 struct Crypto1State mpcs = {0, 0};
777 struct Crypto1State *pcs;
778 pcs = &mpcs;
779
780 // clear debug level
781 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
782 MF_DBGLEVEL = MF_DBG_NONE;
783
784 // clear trace
785 clear_trace();
786 set_tracing(TRUE);
787
788 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
789
790 LED_A_ON();
791 LED_B_OFF();
792 LED_C_OFF();
793
794 for (i = 0; i < keyCount; i++) {
795 if(mifare_classic_halt(pcs, cuid)) {
796 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
797 }
798
799 if(!iso14443a_select_card(uid, NULL, &cuid)) {
800 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
801 break;
802 };
803
804 ui64Key = bytes_to_num(datain + i * 6, 6);
805 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
806 continue;
807 };
808
809 isOK = 1;
810 break;
811 }
812
813 // ----------------------------- crypto1 destroy
814 crypto1_destroy(pcs);
815
816 LED_B_ON();
817 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
818 LED_B_OFF();
819
820 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
821 LEDsoff();
822
823 // restore debug level
824 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
825 }
826
827 //-----------------------------------------------------------------------------
828 // MIFARE commands set debug level
829 //
830 //-----------------------------------------------------------------------------
831 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
832 MF_DBGLEVEL = arg0;
833 Dbprintf("Debug level: %d", MF_DBGLEVEL);
834 }
835
836 //-----------------------------------------------------------------------------
837 // Work with emulator memory
838 //
839 //-----------------------------------------------------------------------------
840 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
841 emlClearMem();
842 }
843
844 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
845 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
846 }
847
848 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
849 byte_t buf[USB_CMD_DATA_SIZE];
850 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
851
852 LED_B_ON();
853 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
854 LED_B_OFF();
855 }
856
857 //-----------------------------------------------------------------------------
858 // Load a card into the emulator memory
859 //
860 //-----------------------------------------------------------------------------
861 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
862 uint8_t numSectors = arg0;
863 uint8_t keyType = arg1;
864 uint64_t ui64Key = 0;
865 uint32_t cuid;
866 struct Crypto1State mpcs = {0, 0};
867 struct Crypto1State *pcs;
868 pcs = &mpcs;
869
870 // variables
871 byte_t dataoutbuf[16];
872 byte_t dataoutbuf2[16];
873 uint8_t uid[10];
874
875 // clear trace
876 clear_trace();
877 set_tracing(false);
878
879 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
880
881 LED_A_ON();
882 LED_B_OFF();
883 LED_C_OFF();
884
885 bool isOK = true;
886
887 if(!iso14443a_select_card(uid, NULL, &cuid)) {
888 isOK = false;
889 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
890 }
891
892 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
893 ui64Key = emlGetKey(sectorNo, keyType);
894 if (sectorNo == 0){
895 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
896 isOK = false;
897 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
898 break;
899 }
900 } else {
901 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
902 isOK = false;
903 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
904 break;
905 }
906 }
907
908 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
909 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
910 isOK = false;
911 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
912 break;
913 };
914 if (isOK) {
915 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
916 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
917 } else { // sector trailer, keep the keys, set only the AC
918 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
919 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
920 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
921 }
922 }
923 }
924
925 }
926
927 if(mifare_classic_halt(pcs, cuid)) {
928 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
929 };
930
931 // ----------------------------- crypto1 destroy
932 crypto1_destroy(pcs);
933
934 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
935 LEDsoff();
936
937 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
938
939 }
940
941
942 //-----------------------------------------------------------------------------
943 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
944 //
945 //-----------------------------------------------------------------------------
946 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
947
948 // params
949 uint8_t needWipe = arg0;
950 // bit 0 - need get UID
951 // bit 1 - need wupC
952 // bit 2 - need HALT after sequence
953 // bit 3 - need init FPGA and field before sequence
954 // bit 4 - need reset FPGA and LED
955 uint8_t workFlags = arg1;
956 uint8_t blockNo = arg2;
957
958 // card commands
959 uint8_t wupC1[] = { 0x40 };
960 uint8_t wupC2[] = { 0x43 };
961 uint8_t wipeC[] = { 0x41 };
962
963 // variables
964 byte_t isOK = 0;
965 uint8_t uid[10] = {0x00};
966 uint8_t d_block[18] = {0x00};
967 uint32_t cuid;
968
969 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
970 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
971
972 // reset FPGA and LED
973 if (workFlags & 0x08) {
974 LED_A_ON();
975 LED_B_OFF();
976 LED_C_OFF();
977
978 clear_trace();
979 set_tracing(TRUE);
980 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
981 }
982
983 while (true) {
984
985 // get UID from chip
986 if (workFlags & 0x01) {
987 if(!iso14443a_select_card(uid, NULL, &cuid)) {
988 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
989 break;
990 };
991
992 if(mifare_classic_halt(NULL, cuid)) {
993 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
994 break;
995 };
996 };
997
998 // reset chip
999 if (needWipe){
1000 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1001 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1002 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1003 break;
1004 };
1005
1006 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1007 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1008 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1009 break;
1010 };
1011
1012 if(mifare_classic_halt(NULL, cuid)) {
1013 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1014 break;
1015 };
1016 };
1017
1018 // write block
1019 if (workFlags & 0x02) {
1020 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1021 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1022 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1023 break;
1024 };
1025
1026 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1027 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1028 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1029 break;
1030 };
1031 }
1032
1033 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1034 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1035 break;
1036 };
1037
1038 memcpy(d_block, datain, 16);
1039 AppendCrc14443a(d_block, 16);
1040
1041 ReaderTransmit(d_block, sizeof(d_block), NULL);
1042 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1043 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1044 break;
1045 };
1046
1047 if (workFlags & 0x04) {
1048 if (mifare_classic_halt(NULL, cuid)) {
1049 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1050 break;
1051 };
1052 }
1053
1054 isOK = 1;
1055 break;
1056 }
1057
1058 LED_B_ON();
1059 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1060 LED_B_OFF();
1061
1062 if ((workFlags & 0x10) || (!isOK)) {
1063 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1064 LEDsoff();
1065 }
1066 }
1067
1068
1069 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1070
1071 // params
1072 // bit 1 - need wupC
1073 // bit 2 - need HALT after sequence
1074 // bit 3 - need init FPGA and field before sequence
1075 // bit 4 - need reset FPGA and LED
1076 uint8_t workFlags = arg0;
1077 uint8_t blockNo = arg2;
1078
1079 // card commands
1080 uint8_t wupC1[] = { 0x40 };
1081 uint8_t wupC2[] = { 0x43 };
1082
1083 // variables
1084 byte_t isOK = 0;
1085 uint8_t data[18] = {0x00};
1086 uint32_t cuid = 0;
1087
1088 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1089 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1090
1091 if (workFlags & 0x08) {
1092 LED_A_ON();
1093 LED_B_OFF();
1094 LED_C_OFF();
1095
1096 clear_trace();
1097 set_tracing(TRUE);
1098 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1099 }
1100
1101 while (true) {
1102 if (workFlags & 0x02) {
1103 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1104 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1105 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1106 break;
1107 };
1108
1109 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1110 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1111 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1112 break;
1113 };
1114 }
1115
1116 // read block
1117 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1118 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1119 break;
1120 };
1121 memcpy(data, receivedAnswer, 18);
1122
1123 if (workFlags & 0x04) {
1124 if (mifare_classic_halt(NULL, cuid)) {
1125 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1126 break;
1127 };
1128 }
1129
1130 isOK = 1;
1131 break;
1132 }
1133
1134 LED_B_ON();
1135 cmd_send(CMD_ACK,isOK,0,0,data,18);
1136 LED_B_OFF();
1137
1138 if ((workFlags & 0x10) || (!isOK)) {
1139 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1140 LEDsoff();
1141 }
1142 }
1143
1144 void MifareCIdent(){
1145
1146 // card commands
1147 uint8_t wupC1[] = { 0x40 };
1148 uint8_t wupC2[] = { 0x43 };
1149
1150 // variables
1151 byte_t isOK = 1;
1152
1153 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1154 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1155
1156 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1157 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1158 isOK = 0;
1159 };
1160
1161 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1162 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1163 isOK = 0;
1164 };
1165
1166 if (mifare_classic_halt(NULL, 0)) {
1167 isOK = 0;
1168 };
1169
1170 cmd_send(CMD_ACK,isOK,0,0,0,0);
1171 }
1172
1173 //
1174 // DESFIRE
1175 //
1176
1177 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1178
1179 byte_t dataout[11] = {0x00};
1180 uint8_t uid[10] = {0x00};
1181 uint32_t cuid;
1182
1183 clear_trace();
1184 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1185
1186 int len = iso14443a_select_card(uid, NULL, &cuid);
1187 if(!len) {
1188 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1189 OnError(1);
1190 return;
1191 };
1192
1193 if(mifare_desfire_des_auth1(cuid, dataout)){
1194 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1195 OnError(4);
1196 return;
1197 }
1198
1199 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1200 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1201 }
1202
1203 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1204
1205 uint32_t cuid = arg0;
1206 uint8_t key[16] = {0x00};
1207 byte_t isOK = 0;
1208 byte_t dataout[12] = {0x00};
1209
1210 memcpy(key, datain, 16);
1211
1212 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1213
1214 if( isOK) {
1215 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1216 Dbprintf("Authentication part2: Failed");
1217 //OnError(4);
1218 return;
1219 }
1220
1221 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1222 DbpString("AUTH 2 FINISHED");
1223
1224 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1225 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1226 LEDsoff();
1227 }
1228
1229 void OnSuccess(){
1230 pcb_blocknum = 0;
1231 ReaderTransmit(deselect_cmd, 3 , NULL);
1232 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1233 LEDsoff();
1234 }
1235
1236 void OnError(uint8_t reason){
1237 pcb_blocknum = 0;
1238 ReaderTransmit(deselect_cmd, 3 , NULL);
1239 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1240 cmd_send(CMD_ACK,0,reason,0,0,0);
1241 LEDsoff();
1242 }
Proxmark3 GIT tracking
Impressum, Datenschutz