]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaresim.c
projects / proxmark3-svn / blob
? search:


91f45efd63461c7a294e583478038243407b040f
[proxmark3-svn] / armsrc / mifaresim.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Mifare Classic Card Simulation
11 //-----------------------------------------------------------------------------
12
13 #include "mifaresim.h"
14 #include "iso14443a.h"
15 #include "iso14443crc.h"
16 #include "crapto1/crapto1.h"
17 #include "BigBuf.h"
18 #include "string.h"
19 #include "mifareutil.h"
20 #include "fpgaloader.h"
21 #include "proxmark3.h"
22 #include "usb_cdc.h"
23 #include "cmd.h"
24 #include "protocols.h"
25 #include "apps.h"
26
27 //mifare emulator states
28 #define MFEMUL_NOFIELD 0
29 #define MFEMUL_IDLE 1
30 #define MFEMUL_SELECT1 2
31 #define MFEMUL_SELECT2 3
32 #define MFEMUL_SELECT3 4
33 #define MFEMUL_AUTH1 5
34 #define MFEMUL_AUTH2 6
35 #define MFEMUL_WORK 7
36 #define MFEMUL_WRITEBL2 8
37 #define MFEMUL_INTREG_INC 9
38 #define MFEMUL_INTREG_DEC 10
39 #define MFEMUL_INTREG_REST 11
40 #define MFEMUL_HALTED 12
41
42 #define cardSTATE_TO_IDLE() { cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF(); }
43
44
45
46 static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len) {
47
48 #define TAG_RESPONSE_COUNT 5 // number of precompiled responses
49 static uint8_t rATQA[] = {0x04, 0x00}; // indicate Mifare classic 1k 4Byte UID
50 static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
51 static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
52 static uint8_t rSAKfinal[]= {0x08, 0xb6, 0xdd}; // mifare 1k indicated
53 static uint8_t rSAK1[] = {0x04, 0xda, 0x17}; // indicate UID not finished
54
55 *uid_len = 4;
56 // UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long
57 if (flags & FLAG_4B_UID_IN_DATA) { // get UID from datain
58 memcpy(rUIDBCC1, datain, 4);
59 } else if (flags & FLAG_7B_UID_IN_DATA) {
60 rUIDBCC1[0] = 0x88;
61 memcpy(rUIDBCC1+1, datain, 3);
62 memcpy(rUIDBCC2, datain+3, 4);
63 *uid_len = 7;
64 } else {
65 uint8_t probable_atqa;
66 emlGetMemBt(&probable_atqa, 7, 1); // get UID from emul memory - weak guess at length
67 if (probable_atqa == 0x00) { // ---------- 4BUID
68 emlGetMemBt(rUIDBCC1, 0, 4);
69 } else { // ---------- 7BUID
70 rUIDBCC1[0] = 0x88;
71 emlGetMemBt(rUIDBCC1+1, 0, 3);
72 emlGetMemBt(rUIDBCC2, 3, 4);
73 *uid_len = 7;
74 }
75 }
76
77 switch (*uid_len) {
78 case 4:
79 *cuid = bytes_to_num(rUIDBCC1, 4);
80 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
81 if (MF_DBGLEVEL >= 2) {
82 Dbprintf("4B UID: %02x%02x%02x%02x",
83 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3] );
84 }
85 break;
86 case 7:
87 rATQA[0] |= 0x40;
88 *cuid = bytes_to_num(rUIDBCC2, 4);
89 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
90 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
91 if (MF_DBGLEVEL >= 2) {
92 Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
93 rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3] );
94 }
95 break;
96 default:
97 break;
98 }
99
100 static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
101 { .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type
102 { .response = rUIDBCC1, .response_n = sizeof(rUIDBCC1) }, // Anticollision cascade1 - respond with first part of uid
103 { .response = rUIDBCC2, .response_n = sizeof(rUIDBCC2) }, // Anticollision cascade2 - respond with 2nd part of uid
104 { .response = rSAKfinal, .response_n = sizeof(rSAKfinal) }, // Acknowledge select - last cascade
105 { .response = rSAK1, .response_n = sizeof(rSAK1) } // Acknowledge select - previous cascades
106 };
107
108 // Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT
109 // There are 7 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
110 // 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits -> need 177 bytes buffer
111 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177 // number of bytes required for precompiled responses
112
113 uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
114 size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
115 for (size_t i = 0; i < TAG_RESPONSE_COUNT; i++) {
116 prepare_allocated_tag_modulation(&responses_init[i], &free_buffer_pointer, &free_buffer_size);
117 }
118
119 *responses = responses_init;
120
121 // indices into responses array:
122 #define ATQA 0
123 #define UIDBCC1 1
124 #define UIDBCC2 2
125 #define SAKfinal 3
126 #define SAK1 4
127
128 }
129
130
131 static bool HasValidCRC(uint8_t *receivedCmd, uint16_t receivedCmd_len) {
132 uint8_t CRC_byte_1, CRC_byte_2;
133 ComputeCrc14443(CRC_14443_A, receivedCmd, receivedCmd_len-2, &CRC_byte_1, &CRC_byte_2);
134 return (receivedCmd[receivedCmd_len-2] == CRC_byte_1 && receivedCmd[receivedCmd_len-1] == CRC_byte_2);
135 }
136
137
138 /**
139 *MIFARE 1K simulate.
140 *
141 *@param flags :
142 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
143 * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
144 * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
145 * FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished
146 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
147 * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
148 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
149 * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
150 */
151 void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
152 {
153 tag_response_info_t *responses;
154 uint8_t uid_len = 4;
155 uint32_t cuid = 0;
156 uint8_t cardWRBL = 0;
157 uint8_t cardAUTHSC = 0;
158 uint8_t cardAUTHKEY = 0xff; // no authentication
159 uint32_t cardRr = 0;
160 //uint32_t rn_enc = 0;
161 uint32_t ans = 0;
162 uint32_t cardINTREG = 0;
163 uint8_t cardINTBLOCK = 0;
164 struct Crypto1State mpcs = {0, 0};
165 struct Crypto1State *pcs;
166 pcs = &mpcs;
167 uint32_t numReads = 0;//Counts numer of times reader reads a block
168 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
169 uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE];
170 uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
171 uint16_t receivedCmd_len;
172 uint8_t response[MAX_MIFARE_FRAME_SIZE];
173 uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
174
175 uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
176 uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
177
178 //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
179 // This will be used in the reader-only attack.
180
181 //allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
182 #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
183 nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
184 memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
185
186 uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; //*2 for 2nd attack type (moebius)
187 memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
188 uint8_t nonce1_count = 0;
189 uint8_t nonce2_count = 0;
190 uint8_t moebius_n_count = 0;
191 bool gettingMoebius = false;
192 uint8_t mM = 0; //moebius_modifier for collection storage
193
194 // Authenticate response - nonce
195 uint32_t nonce;
196 if (flags & FLAG_RANDOM_NONCE) {
197 nonce = prand();
198 } else {
199 nonce = bytes_to_num(rAUTH_NT, 4);
200 }
201
202 // free eventually allocated BigBuf memory but keep Emulator Memory
203 BigBuf_free_keep_EM();
204
205 MifareSimInit(flags, datain, &responses, &cuid, &uid_len);
206
207 // We need to listen to the high-frequency, peak-detected path.
208 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
209
210 // clear trace
211 clear_trace();
212 set_tracing(true);
213 ResetSspClk();
214
215 bool finished = false;
216 bool button_pushed = BUTTON_PRESS();
217 int cardSTATE = MFEMUL_NOFIELD;
218
219 while (!button_pushed && !finished && !usb_poll_validate_length()) {
220 WDT_HIT();
221
222 // find reader field
223 if (cardSTATE == MFEMUL_NOFIELD) {
224 int vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
225 if (vHf > MF_MINFIELDV) {
226 LED_A_ON();
227 cardSTATE_TO_IDLE();
228 }
229 button_pushed = BUTTON_PRESS();
230 continue;
231 }
232
233 //Now, get data
234 int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);
235
236 if (res == 2) { //Field is off!
237 LEDsoff();
238 cardSTATE = MFEMUL_NOFIELD;
239 continue;
240 } else if (res == 1) { // button pressed
241 button_pushed = true;
242 break;
243 }
244
245 // WUPA in HALTED state or REQA or WUPA in any other state
246 if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
247 EmSendPrecompiledCmd(&responses[ATQA], (receivedCmd[0] == ISO14443A_CMD_WUPA));
248
249 // init crypto block
250 crypto1_destroy(pcs);
251 cardAUTHKEY = 0xff;
252 if (flags & FLAG_RANDOM_NONCE) {
253 nonce = prand();
254 }
255 LED_B_OFF();
256 LED_C_OFF();
257 cardSTATE = MFEMUL_SELECT1;
258 continue;
259 }
260
261 switch (cardSTATE) {
262 case MFEMUL_NOFIELD:
263 case MFEMUL_HALTED:
264 case MFEMUL_IDLE:{
265 break;
266 }
267 case MFEMUL_SELECT1:{
268 // select all - 0x93 0x20
269 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
270 if (MF_DBGLEVEL >= 4) Dbprintf("SELECT ALL CL1 received");
271 EmSendPrecompiledCmd(&responses[UIDBCC1], false);
272 break;
273 }
274 // select card - 0x93 0x70 ...
275 if (receivedCmd_len == 9 &&
276 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC1].response, 4) == 0)) {
277 if (MF_DBGLEVEL >= 4) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
278 if (uid_len == 4) {
279 EmSendPrecompiledCmd(&responses[SAKfinal], false);
280 LED_B_ON();
281 cardSTATE = MFEMUL_WORK;
282 break;
283 } else if (uid_len == 7) {
284 EmSendPrecompiledCmd(&responses[SAK1], false);
285 cardSTATE = MFEMUL_SELECT2;
286 break;
287 }
288 }
289 cardSTATE_TO_IDLE();
290 break;
291 }
292 case MFEMUL_SELECT2:{
293 // select all cl2 - 0x95 0x20
294 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
295 if (MF_DBGLEVEL >= 4) Dbprintf("SELECT ALL CL2 received");
296 EmSendPrecompiledCmd(&responses[UIDBCC2], false);
297 break;
298 }
299 // select cl2 card - 0x95 0x70 xxxxxxxxxxxx
300 if (receivedCmd_len == 9 &&
301 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC2].response, 4) == 0)) {
302 if (uid_len == 7) {
303 if (MF_DBGLEVEL >= 4) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
304 EmSendPrecompiledCmd(&responses[SAKfinal], false);
305 LED_B_ON();
306 cardSTATE = MFEMUL_WORK;
307 break;
308 }
309 }
310 cardSTATE_TO_IDLE();
311 break;
312 }
313 case MFEMUL_WORK:{
314 if (receivedCmd_len != 4) { // all commands must have exactly 4 bytes
315 break;
316 }
317 bool encrypted_data = (cardAUTHKEY != 0xFF) ;
318 if (encrypted_data) {
319 // decrypt seqence
320 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
321 } else {
322 memcpy(receivedCmd_dec, receivedCmd, receivedCmd_len);
323 }
324 if (!HasValidCRC(receivedCmd_dec, receivedCmd_len)) { // all commands must have a valid CRC
325 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
326 break;
327 }
328 if (receivedCmd_dec[0] == MIFARE_AUTH_KEYA || receivedCmd_dec[0] == MIFARE_AUTH_KEYB) {
329 // if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
330 if (receivedCmd_dec[1] >= 16 * 4 && !(flags & FLAG_NR_AR_ATTACK)) {
331 //is this the correct response to an auth on a out of range block? marshmellow
332 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
333 if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
334 break;
335 }
336 cardAUTHSC = receivedCmd_dec[1] / 4; // received block num
337 cardAUTHKEY = receivedCmd_dec[0] & 0x01;
338 crypto1_destroy(pcs);//Added by martin
339 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
340 if (!encrypted_data) { // first authentication
341 if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
342 crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
343 num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
344 } else { // nested authentication
345 if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
346 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
347 num_to_bytes(ans, 4, rAUTH_AT);
348 }
349 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
350 cardSTATE = MFEMUL_AUTH1;
351 break;
352 }
353 if (!encrypted_data) { // all other commands must be encrypted (authenticated)
354 break;
355 }
356 if(receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK
357 || receivedCmd_dec[0] == ISO14443A_CMD_WRITEBLOCK
358 || receivedCmd_dec[0] == MIFARE_CMD_INC
359 || receivedCmd_dec[0] == MIFARE_CMD_DEC
360 || receivedCmd_dec[0] == MIFARE_CMD_RESTORE
361 || receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
362 if (receivedCmd_dec[1] >= 16 * 4) {
363 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
364 if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
365 break;
366 }
367 if (receivedCmd_dec[1] / 4 != cardAUTHSC) {
368 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
369 if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC);
370 break;
371 }
372 }
373 if (receivedCmd_dec[0] == ISO14443A_CMD_READBLOCK) {
374 if (MF_DBGLEVEL >= 4) {
375 Dbprintf("Reader reading block %d (0x%02x)",receivedCmd_dec[1],receivedCmd_dec[1]);
376 }
377 emlGetMem(response, receivedCmd_dec[1], 1);
378 AppendCrc14443a(response, 16);
379 mf_crypto1_encrypt(pcs, response, 18, response_par);
380 EmSendCmdPar(response, 18, response_par);
381 numReads++;
382 if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
383 Dbprintf("%d reads done, exiting", numReads);
384 finished = true;
385 }
386 break;
387 }
388 if (receivedCmd_dec[0] == ISO14443A_CMD_WRITEBLOCK) {
389 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd_dec[1],receivedCmd_dec[1]);
390 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
391 cardWRBL = receivedCmd_dec[1];
392 cardSTATE = MFEMUL_WRITEBL2;
393 break;
394 }
395 if (receivedCmd_dec[0] == MIFARE_CMD_INC || receivedCmd_dec[0] == MIFARE_CMD_DEC || receivedCmd_dec[0] == MIFARE_CMD_RESTORE) {
396 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
397 if (emlCheckValBl(receivedCmd_dec[1])) {
398 if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
399 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
400 break;
401 }
402 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
403 cardWRBL = receivedCmd_dec[1];
404 if (receivedCmd_dec[0] == MIFARE_CMD_INC)
405 cardSTATE = MFEMUL_INTREG_INC;
406 if (receivedCmd_dec[0] == MIFARE_CMD_DEC)
407 cardSTATE = MFEMUL_INTREG_DEC;
408 if (receivedCmd_dec[0] == MIFARE_CMD_RESTORE)
409 cardSTATE = MFEMUL_INTREG_REST;
410 break;
411 }
412 if (receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
413 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
414 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd_dec[1]))
415 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
416 else
417 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
418 break;
419 }
420 // halt
421 if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) {
422 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED.");
423 LED_B_OFF();
424 LED_C_OFF();
425 cardSTATE = MFEMUL_HALTED;
426 break;
427 }
428 // command not allowed
429 if (MF_DBGLEVEL >= 4) Dbprintf("Received command not allowed, nacking");
430 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
431 break;
432 }
433 case MFEMUL_AUTH1:{
434 if (receivedCmd_len != 8) {
435 cardSTATE_TO_IDLE();
436 break;
437 }
438
439 uint32_t nr = bytes_to_num(receivedCmd, 4);
440 uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
441
442 // Collect AR/NR per keytype & sector
443 if(flags & FLAG_NR_AR_ATTACK) {
444 for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
445 if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
446 // if first auth for sector, or matches sector and keytype of previous auth
447 if (ar_nr_collected[i+mM] < 2) {
448 // if we haven't already collected 2 nonces for this sector
449 if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
450 // Avoid duplicates... probably not necessary, ar should vary.
451 if (ar_nr_collected[i+mM]==0) {
452 // first nonce collect
453 ar_nr_resp[i+mM].cuid = cuid;
454 ar_nr_resp[i+mM].sector = cardAUTHSC;
455 ar_nr_resp[i+mM].keytype = cardAUTHKEY;
456 ar_nr_resp[i+mM].nonce = nonce;
457 ar_nr_resp[i+mM].nr = nr;
458 ar_nr_resp[i+mM].ar = ar;
459 nonce1_count++;
460 // add this nonce to first moebius nonce
461 ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
462 ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
463 ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
464 ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
465 ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
466 ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
467 ar_nr_collected[i+ATTACK_KEY_COUNT]++;
468 } else { // second nonce collect (std and moebius)
469 ar_nr_resp[i+mM].nonce2 = nonce;
470 ar_nr_resp[i+mM].nr2 = nr;
471 ar_nr_resp[i+mM].ar2 = ar;
472 if (!gettingMoebius) {
473 nonce2_count++;
474 // check if this was the last second nonce we need for std attack
475 if ( nonce2_count == nonce1_count ) {
476 // done collecting std test switch to moebius
477 // first finish incrementing last sample
478 ar_nr_collected[i+mM]++;
479 // switch to moebius collection
480 gettingMoebius = true;
481 mM = ATTACK_KEY_COUNT;
482 if (flags & FLAG_RANDOM_NONCE) {
483 nonce = prand();
484 } else {
485 nonce = nonce*7;
486 }
487 break;
488 }
489 } else {
490 moebius_n_count++;
491 // if we've collected all the nonces we need - finish.
492 if (nonce1_count == moebius_n_count) finished = true;
493 }
494 }
495 ar_nr_collected[i+mM]++;
496 }
497 }
498 // we found right spot for this nonce stop looking
499 break;
500 }
501 }
502 }
503
504 // --- crypto
505 crypto1_word(pcs, nr , 1);
506 cardRr = ar ^ crypto1_word(pcs, 0, 0);
507
508 // test if auth OK
509 if (cardRr != prng_successor(nonce, 64)){
510 if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
511 cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
512 cardRr, prng_successor(nonce, 64));
513 // Shouldn't we respond anything here?
514 // Right now, we don't nack or anything, which causes the
515 // reader to do a WUPA after a while. /Martin
516 // -- which is the correct response. /piwi
517 cardAUTHKEY = 0xff; // not authenticated
518 cardSTATE_TO_IDLE();
519 break;
520 }
521 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
522 num_to_bytes(ans, 4, rAUTH_AT);
523 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
524 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B');
525 LED_C_ON();
526 cardSTATE = MFEMUL_WORK;
527 break;
528 }
529 case MFEMUL_WRITEBL2:{
530 if (receivedCmd_len == 18) {
531 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
532 if (HasValidCRC(receivedCmd_dec, receivedCmd_len)) {
533 emlSetMem(receivedCmd_dec, cardWRBL, 1);
534 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
535 cardSTATE = MFEMUL_WORK;
536 break;
537 }
538 }
539 cardSTATE_TO_IDLE();
540 break;
541 }
542 case MFEMUL_INTREG_INC:{
543 if (receivedCmd_len == 6) {
544 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
545 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
546 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
547 cardSTATE_TO_IDLE();
548 break;
549 }
550 cardINTREG = cardINTREG + ans;
551 }
552 cardSTATE = MFEMUL_WORK;
553 break;
554 }
555 case MFEMUL_INTREG_DEC:{
556 if (receivedCmd_len == 6) {
557 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
558 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
559 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
560 cardSTATE_TO_IDLE();
561 break;
562 }
563 }
564 cardINTREG = cardINTREG - ans;
565 cardSTATE = MFEMUL_WORK;
566 break;
567 }
568 case MFEMUL_INTREG_REST:{
569 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
570 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
571 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
572 cardSTATE_TO_IDLE();
573 break;
574 }
575 cardSTATE = MFEMUL_WORK;
576 break;
577 }
578 }
579 button_pushed = BUTTON_PRESS();
580 }
581
582 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
583 LEDsoff();
584
585 if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
586 for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
587 if (ar_nr_collected[i] == 2) {
588 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
589 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
590 ar_nr_resp[i].cuid, //UID
591 ar_nr_resp[i].nonce, //NT
592 ar_nr_resp[i].nr, //NR1
593 ar_nr_resp[i].ar, //AR1
594 ar_nr_resp[i].nr2, //NR2
595 ar_nr_resp[i].ar2 //AR2
596 );
597 }
598 }
599 for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
600 if (ar_nr_collected[i] == 2) {
601 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
602 Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
603 ar_nr_resp[i].cuid, //UID
604 ar_nr_resp[i].nonce, //NT
605 ar_nr_resp[i].nr, //NR1
606 ar_nr_resp[i].ar, //AR1
607 ar_nr_resp[i].nonce2,//NT2
608 ar_nr_resp[i].nr2, //NR2
609 ar_nr_resp[i].ar2 //AR2
610 );
611 }
612 }
613 }
614 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
615
616 if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK
617 //Send the collected ar_nr in the response
618 cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,button_pushed,0,&ar_nr_resp,sizeof(ar_nr_resp));
619 }
620 }
Proxmark3 GIT tracking
Impressum, Datenschutz