1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "mifarecmd.h"
14 #include "apps.h"
15
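//-----------------------------------------------------------------------------
// Select, authenticate and read one block of a MIFARE Classic tag.
//
// arg0   block number
// arg1   key type, handed straight to mifare_classic_auth
// arg2   unused
// datain the 6-byte key in datain[0..5]
//
// Replies with one CMD_ACK packet: arg[0] = isOK (1 on success, 0 on any
// failure) and the 16 block bytes in d.asBytes[0..15]. The data buffer is
// zero-initialised so a failed read never ships stale stack bytes to the host.
//-----------------------------------------------------------------------------
void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
{
	// params
	uint8_t blockNo = arg0;
	uint8_t keyType = arg1;
	uint64_t ui64Key = bytes_to_num(datain, 6);
	(void)arg2;

	// variables
	byte_t isOK = 0;
	byte_t dataoutbuf[16] = {0};   // zeroed: copied into the reply even on failure
	uint8_t uid[8];
	uint32_t cuid;
	struct Crypto1State mpcs = {0, 0};
	struct Crypto1State *pcs = &mpcs;

	// clear trace
	iso14a_clear_tracelen();

	iso14443a_setup();

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	// single pass: any failure breaks out with isOK still 0
	do {
		if (!iso14443a_select_card(uid, NULL, &cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
			break;
		}

		if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
			break;
		}

		if (mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
			break;
		}

		if (mifare_classic_halt(pcs, cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
			break;
		}

		isOK = 1;
	} while (0);

	// ----------------------------- crypto1 destroy
	crypto1_destroy(pcs);

	if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");

	// add trace trailer
	memset(uid, 0x44, 4);
	LogTrace(uid, 4, 0, 0, TRUE);

	UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
	memcpy(ack.d.asBytes, dataoutbuf, 16);

	LED_B_ON();
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();

	// Thats it...
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();
}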
95
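//-----------------------------------------------------------------------------
// Select, authenticate and read one whole sector of a MIFARE Classic tag
// (4 blocks x 16 bytes = 64 bytes).
//
// arg0   sector number; the sector is taken to start at block sectorNo * 4
//        and to be 4 blocks long (NOTE(review): only true for 4-block sectors)
// arg1   key type, handed straight to mifare_classic_auth
// arg2   unused
// datain the 6-byte key in datain[0..5]
//
// A single authentication is used for all four reads. The reply is two
// CMD_ACK packets, both with arg[0] = isOK: the first carries blocks 0-1
// (32 bytes), the second, after a 100 ms pause, blocks 2-3. The buffer is
// zero-initialised so a failed read never ships stale stack bytes to the host.
//-----------------------------------------------------------------------------
void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
{
	// params
	uint8_t sectorNo = arg0;
	uint8_t keyType = arg1;
	uint64_t ui64Key = bytes_to_num(datain, 6);
	(void)arg2;

	// variables
	byte_t isOK = 0;
	byte_t dataoutbuf[16 * 4] = {0};   // zeroed: sent to the host even on failure
	uint8_t uid[8];
	uint32_t cuid;
	struct Crypto1State mpcs = {0, 0};
	struct Crypto1State *pcs = &mpcs;

	// clear trace
	iso14a_clear_tracelen();

	iso14443a_setup();

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	// single pass: any failure breaks out with isOK still 0
	do {
		if (!iso14443a_select_card(uid, NULL, &cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
			break;
		}

		if (mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
			break;
		}

		if (mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error");
			break;
		}
		if (mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error");
			break;
		}
		if (mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error");
			break;
		}
		if (mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error");
			break;
		}

		if (mifare_classic_halt(pcs, cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
			break;
		}

		isOK = 1;
	} while (0);

	// ----------------------------- crypto1 destroy
	crypto1_destroy(pcs);

	if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");

	// add trace trailer
	memset(uid, 0x44, 4);
	LogTrace(uid, 4, 0, 0, TRUE);

	// the 64 bytes are sent as two 32-byte packets (blocks 0-1, then 2-3)
	UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
	memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);

	LED_B_ON();
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));

	SpinDelay(100);

	memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();

	// Thats it...
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();
}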
191
//-----------------------------------------------------------------------------
// Select, authenticate and write one block of a MIFARE Classic tag.
//
// arg0   block number
// arg1   key type, handed straight to mifare_classic_auth
// arg2   unused
// datain datain[0..5] = the 6-byte key, datain[10..25] = the 16 bytes to write
//
// Replies with one CMD_ACK packet, arg[0] = isOK; no data is returned.
//-----------------------------------------------------------------------------
void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
{
	// params
	uint8_t blockNo = arg0;
	uint8_t keyType = arg1;
	uint64_t ui64Key = bytes_to_num(datain, 6);
	byte_t blockdata[16];
	memcpy(blockdata, datain + 10, 16);
	(void)arg2;

	// variables
	byte_t isOK = 0;
	uint8_t uid[8];
	uint32_t cuid;
	struct Crypto1State mpcs = {0, 0};
	struct Crypto1State *pcs = &mpcs;

	// clear trace
	iso14a_clear_tracelen();

	iso14443a_setup();

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	// single pass: any failure breaks out with isOK still 0
	do {
		if (!iso14443a_select_card(uid, NULL, &cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
			break;
		}

		if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
			break;
		}

		if (mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
			break;
		}

		if (mifare_classic_halt(pcs, cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
			break;
		}

		isOK = 1;
	} while (0);

	// ----------------------------- crypto1 destroy
	crypto1_destroy(pcs);

	if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");

	// add trace trailer
	memset(uid, 0x44, 4);
	LogTrace(uid, 4, 0, 0, TRUE);

	UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};

	LED_B_ON();
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();

	// Thats it...
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();
}
272
// Return 1 when the candidate nonce Nt is consistent with the parity bits that
// accompanied the encrypted nonce NtEnc under keystream Ks1, else return 0.
// Only the top three bytes are checked, one parity bit each; parity[i] is the
// per-byte parity mismatch flag computed by the caller.
int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t *parity) {
	int ok0 = oddparity((Nt >> 24) & 0xFF) == (parity[0] ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1, 16));
	int ok1 = oddparity((Nt >> 16) & 0xFF) == (parity[1] ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1, 8));
	int ok2 = oddparity((Nt >> 8) & 0xFF) == (parity[2] ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1, 0));
	return (ok0 && ok1 && ok2) ? 1 : 0;
}
279
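//-----------------------------------------------------------------------------
// MIFARE nested authentication.
//
// arg0   block number authenticated with the known key
// arg1   key type for that block
// arg2   bits 0-7: target block number, bits 8-15: target key type
// datain the known 6-byte key in datain[0..5]
//
// Phase 1 (up to 10 rounds) measures how many PRNG steps separate the nonce
// of a first authentication from the nonce of the following nested one
// (dmin/dmax/davg). Phase 2 (NS_RETRIES_GETNONCE rounds) performs the nested
// authentication against the target block and keeps every candidate
// {nt, ks1} inside the measured window that passes valid_nonce().
//
// Results go to the host as CMD_ACK packets with arg[0] = 0, arg[1] = number
// of pairs in the packet (<= 5), arg[2] = targetBlockNo | targetKeyType << 8,
// d.asBytes[0..3] = cuid and the pairs at offset 8 (4 bytes nt, 4 bytes ks1
// each). A final packet with arg[0] = 1 marks the end of the list and is sent
// on every exit path, including when no round could be measured.
//-----------------------------------------------------------------------------
void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	// params
	uint8_t blockNo = arg0;
	uint8_t keyType = arg1;
	uint8_t targetBlockNo = arg2 & 0xff;
	uint8_t targetKeyType = (arg2 >> 8) & 0xff;
	uint64_t ui64Key = bytes_to_num(datain, 6);

	// variables
	int rtr, i, j, m, len;
	int davg, dmin, dmax;
	uint8_t uid[8];
	uint32_t cuid = 0;
	uint32_t nt1, nt2, nttmp, nttest, par, ks1;
	uint8_t par_array[4];
	nestedVector nvector[NES_MAX_INFO + 1][11];
	int nvectorcount[NES_MAX_INFO + 1];
	int ncount = 0;
	UsbCommand ack = {CMD_ACK, {0, 0, 0}};
	struct Crypto1State mpcs = {0, 0};
	struct Crypto1State *pcs = &mpcs;
	uint8_t *receivedAnswer = mifare_get_bigbufptr();

	// init: a count of 11 marks a result slot as empty; slot NES_MAX_INFO is
	// the scratch slot each round is collected into before it is filed
	for (i = 0; i < NES_MAX_INFO + 1; i++) nvectorcount[i] = 11;

	// clear trace
	iso14a_clear_tracelen();
	iso14a_set_tracing(false);

	iso14443a_setup();

	LED_A_ON();
	LED_B_ON();
	LED_C_OFF();

	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	SpinDelay(200);

	davg = dmax = 0;
	dmin = 2000;

	// test nonce distance
	for (rtr = 0; rtr < 10; rtr++) {
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
		SpinDelay(100);
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);

		// Test if the action was cancelled
		if (BUTTON_PRESS()) {
			break;
		}

		if (!iso14443a_select_card(uid, NULL, &cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
			break;
		}

		if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error");
			break;
		}

		if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error");
			break;
		}

		// walk the PRNG from nt1 over distances 501..1999; i == 2000 means
		// nt2 was not reached inside that window
		nttmp = prng_successor(nt1, 500);
		for (i = 501; i < 2000; i++) {
			nttmp = prng_successor(nttmp, 1);
			if (nttmp == nt2) break;
		}

		if (i != 2000) {
			davg += i;
			if (dmin > i) dmin = i;
			if (dmax < i) dmax = i;
			if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2=%08x distance=%d", rtr, nt1, nt2, i);
		}
	}

	// Not a single round ran (button pressed or card error on the first try).
	// Skip the collection phase but go through the common tear-down instead of
	// returning early: the host still gets its end-of-list packet, the cipher
	// state is destroyed, the field is switched off and tracing is re-enabled.
	if (rtr == 0) goto finish;

	davg = davg / rtr;
	if (MF_DBGLEVEL >= 3) Dbprintf("distance: min=%d max=%d avg=%d", dmin, dmax, davg);

	LED_B_OFF();

	// -------------------------------------------------------------------------------------------------

	LED_C_ON();

	// get crypted nonces for target sector
	for (rtr = 0; rtr < NS_RETRIES_GETNONCE; rtr++) {
		if (MF_DBGLEVEL >= 4) Dbprintf("------------------------------");

		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
		SpinDelay(100);
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);

		// Test if the action was cancelled
		if (BUTTON_PRESS()) {
			break;
		}

		if (!iso14443a_select_card(uid, NULL, &cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
			break;
		}

		if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error");
			break;
		}

		// nested authentication: expect a 4-byte answer plus its parity bits
		len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par);
		if (len != 4) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error len=%d", len);
			break;
		}

		nt2 = bytes_to_num(receivedAnswer, 4);
		if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2enc=%08x nt2par=%08x", rtr, nt1, nt2, par);

		// Parity validity check: par_array[i] is 1 where the received parity
		// bit disagrees with the odd parity of the received byte
		for (i = 0; i < 4; i++) {
			par_array[i] = (oddparity(receivedAnswer[i]) != ((par & 0x08) >> 3));
			par = par << 1;
		}

		// try every distance in the measured window; keep the candidates
		// whose parity matches, at most 11 per round
		ncount = 0;
		nttest = prng_successor(nt1, dmin - NS_TOLERANCE);
		for (m = dmin - NS_TOLERANCE + 1; m < dmax + NS_TOLERANCE; m++) {
			nttest = prng_successor(nttest, 1);
			ks1 = nt2 ^ nttest;

			if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)) {
				nvector[NES_MAX_INFO][ncount].nt = nttest;
				nvector[NES_MAX_INFO][ncount].ks1 = ks1;
				ncount++;
				nvectorcount[NES_MAX_INFO] = ncount;
				if (MF_DBGLEVEL >= 4) Dbprintf("valid m=%d ks1=%08x nttest=%08x", m, ks1, nttest);
			}
		}

		// file this round's list: first empty slot if there is one, otherwise
		// the first slot holding a longer (less useful) list
		if (nvectorcount[NES_MAX_INFO] != 0) {
			m = NES_MAX_INFO;

			for (i = 0; i < NES_MAX_INFO; i++) {
				if (nvectorcount[i] > 10) {
					m = i;
					break;
				}
			}

			if (m == NES_MAX_INFO) {
				for (i = 0; i < NES_MAX_INFO; i++) {
					if (nvectorcount[NES_MAX_INFO] < nvectorcount[i]) {
						m = i;
						break;
					}
				}
			}

			if (m != NES_MAX_INFO) {
				for (i = 0; i < nvectorcount[m]; i++) {
					nvector[m][i] = nvector[NES_MAX_INFO][i];
				}
				nvectorcount[m] = nvectorcount[NES_MAX_INFO];
			}
		}
	}

	LED_C_OFF();

finish:
	// ----------------------------- crypto1 destroy
	crypto1_destroy(pcs);

	// add trace trailer
	memset(uid, 0x44, 4);
	LogTrace(uid, 4, 0, 0, TRUE);

	// ship every filled slot, 5 pairs per packet
	for (i = 0; i < NES_MAX_INFO; i++) {
		if (nvectorcount[i] > 10) continue;

		for (j = 0; j < nvectorcount[i]; j += 5) {
			ncount = nvectorcount[i] - j;
			if (ncount > 5) ncount = 5;

			ack.arg[0] = 0; // isEOF = 0
			ack.arg[1] = ncount;
			ack.arg[2] = targetBlockNo + (targetKeyType * 0x100);
			memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));

			memcpy(ack.d.asBytes, &cuid, 4);
			for (m = 0; m < ncount; m++) {
				memcpy(ack.d.asBytes + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4);
				memcpy(ack.d.asBytes + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4);
			}

			LED_B_ON();
			SpinDelay(100);
			UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
			LED_B_OFF();
		}
	}

	// finalize list
	ack.arg[0] = 1; // isEOF = 1
	ack.arg[1] = 0;
	ack.arg[2] = 0;
	memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));

	LED_B_ON();
	SpinDelay(300);
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();

	if (MF_DBGLEVEL >= 4) DbpString("NESTED FINISHED");

	// Thats it...
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();

	iso14a_set_tracing(TRUE);
}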
515
//-----------------------------------------------------------------------------
// MIFARE check keys. key count up to 8.
//
// Tries the candidate keys in datain one after another against one block and
// stops at the first that authenticates.
//
// arg0   block number
// arg1   key type, handed straight to mifare_classic_auth
// arg2   number of 6-byte keys packed back to back in datain
//        (NOTE(review): not bounded here; the header says up to 8 — confirm
//        against the size of the buffer datain points into)
//
// Replies with one CMD_ACK packet, arg[0] = isOK; on success d.asBytes[0..5]
// holds the key that worked. MF_DBGLEVEL is muted for the duration and
// restored before returning; "Can't select card" still uses the saved level.
//-----------------------------------------------------------------------------
void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
{
	// params
	uint8_t blockNo = arg0;
	uint8_t keyType = arg1;
	uint8_t keyCount = arg2;
	uint64_t ui64Key = 0;

	// variables
	int keyIdx;
	byte_t isOK = 0;
	uint8_t uid[8];
	uint32_t cuid;
	struct Crypto1State mpcs = {0, 0};
	struct Crypto1State *pcs = &mpcs;

	// mute per-attempt chatter; the saved level is still consulted for errors
	int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
	MF_DBGLEVEL = MF_DBG_NONE;

	// clear trace
	iso14a_clear_tracelen();
	iso14a_set_tracing(TRUE);

	iso14443a_setup();

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	SpinDelay(300);
	for (keyIdx = 0; keyIdx < keyCount; keyIdx++) {
		// field off, then back on in reader mode before each attempt
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
		SpinDelay(100);
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);

		if (!iso14443a_select_card(uid, NULL, &cuid)) {
			if (OLD_MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
			break;
		}

		ui64Key = bytes_to_num(datain + keyIdx * 6, 6);
		if (!mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
			// this key authenticated; keyIdx now points at it
			isOK = 1;
			break;
		}
	}

	// ----------------------------- crypto1 destroy
	crypto1_destroy(pcs);

	// add trace trailer
	memset(uid, 0x44, 4);
	LogTrace(uid, 4, 0, 0, TRUE);

	UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
	if (isOK) memcpy(ack.d.asBytes, datain + keyIdx * 6, 6);

	LED_B_ON();
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();

	// Thats it...
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();

	// restore debug level
	MF_DBGLEVEL = OLD_MF_DBGLEVEL;
}
592
//-----------------------------------------------------------------------------
// MIFARE commands set debug level
//
// Sets MF_DBGLEVEL from arg0 and echoes the new value. arg1, arg2 and datain
// are unused.
//-----------------------------------------------------------------------------
void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	(void)arg1;
	(void)arg2;
	(void)datain;

	MF_DBGLEVEL = arg0;
	Dbprintf("Debug level: %d", MF_DBGLEVEL);
}
601
//-----------------------------------------------------------------------------
// Work with emulator memory
//
//-----------------------------------------------------------------------------
// Wipe the whole emulator memory. All arguments are unused.
void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	(void)arg0;
	(void)arg1;
	(void)arg2;
	(void)datain;

	emlClearMem();
}
609
// Copy arg1 blocks from datain into emulator memory, starting at block arg0.
// arg2 is unused. No bounds check is done here; emlSetMem is trusted with the
// block range.
void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	(void)arg2;

	uint32_t blockNum = arg0;
	uint32_t blockCount = arg1;
	emlSetMem(datain, blockNum, blockCount);   // data, block num, blocks count
}
613
// Read arg1 blocks starting at block arg0 out of emulator memory and send them
// to the host. arg2 and datain are unused.
//
// Reply: CMD_ACK with arg[0] = block number and arg[1] = block count echoed
// back, the blocks in d.asBytes. NOTE(review): arg1 blocks must fit into
// d.asBytes; nothing here checks that — confirm emlGetMem bounds it.
void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	(void)arg2;
	(void)datain;

	uint32_t blockNum = arg0;
	uint32_t blockCount = arg1;

	UsbCommand ack = {CMD_ACK, {blockNum, blockCount, 0}};
	emlGetMem(ack.d.asBytes, blockNum, blockCount);   // data, block num, blocks count

	LED_B_ON();
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();
}
623
//-----------------------------------------------------------------------------
// Load a card into the emulator memory
//
// Walks sectors 0..15 of the selected card. Each sector is authenticated with
// the key of the requested type that the emulator memory already holds for it
// (emlGetKey); blocks 0-2 are copied into emulator memory as read, and for
// block 3 only bytes 6-9 are taken from the card while the rest of the
// emulator's copy is kept.
//
// arg0   unused
// arg1   key type, handed to emlGetKey and mifare_classic_auth
// arg2   unused
// datain unused
//
// Sends no reply; progress and errors go to the debug output only.
//-----------------------------------------------------------------------------
void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	uint8_t keyType = arg1;
	uint64_t ui64Key = 0;
	uint32_t cuid;
	struct Crypto1State mpcs = {0, 0};
	struct Crypto1State *pcs = &mpcs;
	(void)arg0;
	(void)arg2;
	(void)datain;

	// variables
	byte_t blockBuf[16];   // block as read from the card
	byte_t emlBuf[16];     // emulator's current copy of the sector trailer
	uint8_t uid[8];

	// clear trace
	iso14a_clear_tracelen();
	iso14a_set_tracing(false);

	iso14443a_setup();

	LED_A_ON();
	LED_B_OFF();
	LED_C_OFF();

	// single pass: a failure breaks out, the halt is still attempted where possible
	do {
		if (!iso14443a_select_card(uid, NULL, &cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
			break;
		}

		for (int sector = 0; sector < 16; sector++) {
			int firstBlock = sector * 4;
			ui64Key = emlGetKey(sector, keyType);

			// sector 0 authenticates from scratch, every later sector
			// re-authenticates within the existing session (AUTH_NESTED)
			if (sector == 0) {
				if (mifare_classic_auth(pcs, cuid, firstBlock, keyType, ui64Key, AUTH_FIRST)) {
					if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%d]. Auth error", sector);
					break;
				}
			} else {
				if (mifare_classic_auth(pcs, cuid, firstBlock, keyType, ui64Key, AUTH_NESTED)) {
					if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%d]. Auth nested error", sector);
					break;
				}
			}

			if (mifare_classic_readblock(pcs, cuid, firstBlock + 0, blockBuf)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error");
				break;
			}
			emlSetMem(blockBuf, firstBlock + 0, 1);

			if (mifare_classic_readblock(pcs, cuid, firstBlock + 1, blockBuf)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error");
				break;
			}
			emlSetMem(blockBuf, firstBlock + 1, 1);

			if (mifare_classic_readblock(pcs, cuid, firstBlock + 2, blockBuf)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error");
				break;
			}
			emlSetMem(blockBuf, firstBlock + 2, 1);

			// block 3: only bytes 6-9 come from the card, the rest stays as
			// the emulator already has it
			if (mifare_classic_readblock(pcs, cuid, firstBlock + 3, blockBuf)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error");
				break;
			}
			emlGetMem(emlBuf, firstBlock + 3, 1);
			memcpy(&emlBuf[6], &blockBuf[6], 4);
			emlSetMem(emlBuf, firstBlock + 3, 1);
		}

		if (mifare_classic_halt(pcs, cuid)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
			break;
		}
	} while (0);

	// ----------------------------- crypto1 destroy
	crypto1_destroy(pcs);

	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();

	if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");

	// add trace trailer
	memset(uid, 0x44, 4);
	LogTrace(uid, 4, 0, 0, TRUE);
}
723
724 //-----------------------------------------------------------------------------
725 // MIFARE 1k emulator
726 //
727 //-----------------------------------------------------------------------------
728
729
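//-----------------------------------------------------------------------------
// Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
//
// Write one block using the card's wake-up command sequence instead of a
// MIFARE authentication.
//
// arg0   needWipe: non-zero sends the wipe command (wipeC) before the write
// arg1   workFlags
//          bit 0 - need get UID (select the card first; its UID is returned)
//          bit 1 - need wupC (send the wake-up sequence wupC1 / wupC2)
//          bit 2 - need HALT after sequence
//          bit 3 - need init FPGA and field before sequence
//          bit 4 - need reset FPGA and LED afterwards
// arg2   block number
// datain the 16 bytes to write; the CRC is appended here
//
// Replies with CMD_ACK, arg[0] = isOK and, on success, the first 4 bytes of
// the UID in d.asBytes[0..3] (all zero unless bit 0 selected the card).
// FPGA and LEDs are switched off when bit 4 is set or on any failure.
//-----------------------------------------------------------------------------
void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	// params
	uint8_t needWipe = arg0;
	uint8_t workFlags = arg1;
	uint8_t blockNo = arg2;

	// card commands
	uint8_t wupC1[] = { 0x40 };
	uint8_t wupC2[] = { 0x43 };
	uint8_t wipeC[] = { 0x41 };

	// variables
	byte_t isOK = 0;
	uint8_t uid[8] = {0};
	uint8_t d_block[18];
	// cuid is only filled in when bit 0 selects the card, but the halt paths
	// below read it regardless, so it must not be left uninitialised
	uint32_t cuid = 0;

	uint8_t *receivedAnswer = mifare_get_bigbufptr();

	if (workFlags & 0x08) {
		// clear trace
		iso14a_clear_tracelen();
		iso14a_set_tracing(TRUE);

		iso14443a_setup();

		LED_A_ON();
		LED_B_OFF();
		LED_C_OFF();

		SpinDelay(300);
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
		SpinDelay(100);
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
	}

	// single pass: any failure breaks out with isOK still 0
	do {
		// get UID from chip
		if (workFlags & 0x01) {
			if (!iso14443a_select_card(uid, NULL, &cuid)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
				break;
			}

			if (mifare_classic_halt(NULL, cuid)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
				break;
			}
		}

		// reset chip
		if (needWipe) {
			ReaderTransmitShort(wupC1);
			if (!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
				break;
			}

			ReaderTransmit(wipeC, sizeof(wipeC));
			if (!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
				break;
			}

			if (mifare_classic_halt(NULL, cuid)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
				break;
			}
		}

		// write block
		if (workFlags & 0x02) {
			ReaderTransmitShort(wupC1);
			if (!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
				break;
			}

			ReaderTransmit(wupC2, sizeof(wupC2));
			if (!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
				break;
			}
		}

		// the card must ACK (0x0a) the write command before the data goes out
		if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
			break;
		}

		memcpy(d_block, datain, 16);
		AppendCrc14443a(d_block, 16);

		ReaderTransmit(d_block, sizeof(d_block));
		if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {
			if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
			break;
		}

		if (workFlags & 0x04) {
			if (mifare_classic_halt(NULL, cuid)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
				break;
			}
		}

		isOK = 1;
	} while (0);

	UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
	if (isOK) memcpy(ack.d.asBytes, uid, 4);

	// add trace trailer
	memset(uid, 0x44, 4);
	LogTrace(uid, 4, 0, 0, TRUE);

	LED_B_ON();
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();

	if ((workFlags & 0x10) || (!isOK)) {
		// Thats it...
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
		LEDsoff();
	}
}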
868
//-----------------------------------------------------------------------------
// Read one block from a "magic Chinese" card (see MifareCSetBlock) using the
// card's wake-up command sequence instead of a MIFARE authentication.
//
// arg0   workFlags
//          bit 1 - need wupC (send the wake-up sequence wupC1 / wupC2)
//          bit 2 - need HALT after sequence
//          bit 3 - need init FPGA and field before sequence
//          bit 4 - need reset FPGA and LED afterwards
// arg1   unused
// arg2   block number
// datain unused
//
// Replies with CMD_ACK, arg[0] = isOK and, on success, the 18 bytes the card
// answered with in d.asBytes[0..17] (presumably 16 data bytes plus CRC —
// confirm against mifare_sendcmd_short). FPGA and LEDs are switched off when
// bit 4 is set or on any failure.
//-----------------------------------------------------------------------------
void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
{
	// params
	uint8_t workFlags = arg0;
	uint8_t blockNo = arg2;
	(void)arg1;
	(void)datain;

	// card commands
	uint8_t wupC1[] = { 0x40 };
	uint8_t wupC2[] = { 0x43 };

	// variables
	byte_t isOK = 0;
	uint8_t blockData[18] = {0};
	uint32_t cuid = 0;
	uint8_t *receivedAnswer = mifare_get_bigbufptr();

	if (workFlags & 0x08) {
		// clear trace
		iso14a_clear_tracelen();
		iso14a_set_tracing(TRUE);

		iso14443a_setup();

		LED_A_ON();
		LED_B_OFF();
		LED_C_OFF();

		SpinDelay(300);
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
		SpinDelay(100);
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
	}

	// single pass: any failure breaks out with isOK still 0
	do {
		if (workFlags & 0x02) {
			ReaderTransmitShort(wupC1);
			if (!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
				break;
			}

			ReaderTransmit(wupC2, sizeof(wupC2));
			if (!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
				break;
			}
		}

		// read block: anything but an 18-byte answer is treated as failure
		if (mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer) != 18) {
			if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
			break;
		}
		memcpy(blockData, receivedAnswer, 18);

		if (workFlags & 0x04) {
			if (mifare_classic_halt(NULL, cuid)) {
				if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
				break;
			}
		}

		isOK = 1;
	} while (0);

	UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
	if (isOK) memcpy(ack.d.asBytes, blockData, 18);

	// add trace trailer (blockData is reused as scratch, it is already copied out)
	memset(blockData, 0x44, 4);
	LogTrace(blockData, 4, 0, 0, TRUE);

	LED_B_ON();
	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
	LED_B_OFF();

	if ((workFlags & 0x10) || (!isOK)) {
		// Thats it...
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
		LEDsoff();
	}
}
958