]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfhitag.c
fix hf mf sim (#812)
[proxmark3-svn] / client / cmdlfhitag.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2012 Roel Verdult
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency Hitag support
9 //-----------------------------------------------------------------------------
10
11 #include "cmdlfhitag.h"
12
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include "comms.h"
17 #include "ui.h"
18 #include "cmdparser.h"
19 #include "common.h"
20 #include "util.h"
21 #include "parity.h"
22 #include "hitag.h"
23 #include "cmdmain.h"
24
25 static int CmdHelp(const char *Cmd);
26
27 size_t nbytes(size_t nbits) {
28 return (nbits/8)+((nbits%8)>0);
29 }
30
31 int CmdLFHitagList(const char *Cmd)
32 {
33 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
34 // Query for the actual size of the trace
35 UsbCommand response;
36 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
37 uint16_t traceLen = response.arg[2];
38 if (traceLen > USB_CMD_DATA_SIZE) {
39 uint8_t *p = realloc(got, traceLen);
40 if (p == NULL) {
41 PrintAndLog("Cannot allocate memory for trace");
42 free(got);
43 return 2;
44 }
45 got = p;
46 GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
47 }
48
49 PrintAndLog("recorded activity (TraceLen = %d bytes):");
50 PrintAndLog(" ETU :nbits: who bytes");
51 PrintAndLog("---------+-----+----+-----------");
52
53 int j;
54 int i = 0;
55 int prev = -1;
56 int len = strlen(Cmd);
57
58 char filename[FILE_PATH_SIZE] = { 0x00 };
59 FILE* pf = NULL;
60
61 if (len > FILE_PATH_SIZE)
62 len = FILE_PATH_SIZE;
63 memcpy(filename, Cmd, len);
64
65 if (strlen(filename) > 0) {
66 if ((pf = fopen(filename,"wb")) == NULL) {
67 PrintAndLog("Error: Could not open file [%s]",filename);
68 free(got);
69 return 1;
70 }
71 }
72
73 for (;;) {
74
75 if(i > traceLen) { break; }
76
77 bool isResponse;
78 int timestamp = *((uint32_t *)(got+i));
79 if (timestamp & 0x80000000) {
80 timestamp &= 0x7fffffff;
81 isResponse = 1;
82 } else {
83 isResponse = 0;
84 }
85
86 int parityBits = *((uint32_t *)(got+i+4));
87 // 4 bytes of additional information...
88 // maximum of 32 additional parity bit information
89 //
90 // TODO:
91 // at each quarter bit period we can send power level (16 levels)
92 // or each half bit period in 256 levels.
93
94 int bits = got[i+8];
95 int len = nbytes(bits);
96
97 if (len > 100) {
98 break;
99 }
100 if (i + len > traceLen) { break;}
101
102 uint8_t *frame = (got+i+9);
103 /*
104 int fillupBits = 8 - (bits % 8);
105 byte_t framefilled[bits+fillupBits];
106 byte_t* ff = framefilled;
107
108 int response_bit[200] = {0};
109 int z = 0;
110 for (int y = 0; y < len; y++) {
111 for (j = 0; j < 8; j++) {
112 response_bit[z] = 0;
113 if ((frame[y] & ((mask << 7) >> j)) != 0)
114 response_bit[z] = 1;
115 z++;
116 }
117 }
118 z = 0;
119 for (int y = 0; y < len; y++) {
120 ff[y] = (response_bit[z] << 7) | (response_bit[z + 1] << 6)
121 | (response_bit[z + 2] << 5) | (response_bit[z + 3] << 4)
122 | (response_bit[z + 4] << 3) | (response_bit[z + 5] << 2)
123 | (response_bit[z + 6] << 1) | response_bit[z + 7];
124 z += 8;
125 }
126 */
127
128
129
130
131 // Break and stick with current result if buffer was not completely full
132 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
133
134 char line[1000] = "";
135 for (j = 0; j < len; j++) {
136 //if((parityBits >> (len - j - 1)) & 0x01) {
137 if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
138 sprintf(line+(j*4), "%02x! ", frame[j]);
139 } else {
140 sprintf(line+(j*4), "%02x ", frame[j]);
141 }
142 }
143
144 PrintAndLog(" +%7d: %3d: %s %s",
145 (prev < 0 ? 0 : (timestamp - prev)),
146 bits,
147 (isResponse ? "TAG" : " "),
148 line);
149
150 if (pf) {
151 fprintf(pf," +%7d: %3d: %s %s\n",
152 (prev < 0 ? 0 : (timestamp - prev)),
153 bits,
154 (isResponse ? "TAG" : " "),
155 line);
156 }
157
158 prev = timestamp;
159 i += (len + 9);
160 }
161
162 if (pf) {
163 fclose(pf);
164 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
165 }
166
167 free(got);
168 return 0;
169 }
170
171 int CmdLFHitagSnoop(const char *Cmd) {
172 UsbCommand c = {CMD_SNOOP_HITAG};
173 SendCommand(&c);
174 return 0;
175 }
176
177 int CmdLFHitagSim(const char *Cmd) {
178
179 UsbCommand c = {CMD_SIMULATE_HITAG};
180 char filename[FILE_PATH_SIZE] = { 0x00 };
181 FILE* pf;
182 bool tag_mem_supplied;
183 int len = strlen(Cmd);
184 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
185 memcpy(filename, Cmd, len);
186
187 if (strlen(filename) > 0) {
188 if ((pf = fopen(filename,"rb+")) == NULL) {
189 PrintAndLog("Error: Could not open file [%s]",filename);
190 return 1;
191 }
192 tag_mem_supplied = true;
193 if (fread(c.d.asBytes,1,48,pf) != 48) {
194 PrintAndLog("Error: File reading error");
195 fclose(pf);
196 return 1;
197 }
198 fclose(pf);
199 } else {
200 tag_mem_supplied = false;
201 }
202
203 // Does the tag comes with memory
204 c.arg[0] = (uint32_t)tag_mem_supplied;
205
206 SendCommand(&c);
207 return 0;
208 }
209
210 int CmdLFHitagReader(const char *Cmd) {
211 UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
212 hitag_data* htd = (hitag_data*)c.d.asBytes;
213 hitag_function htf = param_get32ex(Cmd,0,0,10);
214
215 switch (htf) {
216 case 01: { //RHTSF_CHALLENGE
217 c = (UsbCommand){ CMD_READ_HITAG_S };
218 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
219 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
220 c.arg[1] = param_get64ex(Cmd,3,0,0); //firstpage
221 c.arg[2] = param_get64ex(Cmd,4,0,0); //tag mode
222 } break;
223 case 02: { //RHTSF_KEY
224 c = (UsbCommand){ CMD_READ_HITAG_S };
225 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
226 c.arg[1] = param_get64ex(Cmd,2,0,0); //firstpage
227 c.arg[2] = param_get64ex(Cmd,3,0,0); //tag mode
228 } break;
229 case 03: { //RHTSF_CHALLENGE BLOCK
230 c = (UsbCommand){ CMD_READ_HITAG_S_BLK };
231 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
232 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
233 c.arg[1] = param_get64ex(Cmd,3,0,0); //firstpage
234 c.arg[2] = param_get64ex(Cmd,4,0,0); //tag mode
235 } break;
236 case 04: { //RHTSF_KEY BLOCK
237 c = (UsbCommand){ CMD_READ_HITAG_S_BLK };
238 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
239 c.arg[1] = param_get64ex(Cmd,2,0,0); //firstpage
240 c.arg[2] = param_get64ex(Cmd,3,0,0); //tag mode
241 } break;
242 case RHT2F_PASSWORD: {
243 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password);
244 } break;
245 case RHT2F_AUTHENTICATE: {
246 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
247 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
248 } break;
249 case RHT2F_CRYPTO: {
250 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
251 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
252 } break;
253 case RHT2F_TEST_AUTH_ATTEMPTS: {
254 // No additional parameters needed
255 } break;
256 case RHT2F_UID_ONLY: {
257 // No additional parameters needed
258 } break;
259 default: {
260 PrintAndLog("\nError: unkown reader function %d",htf);
261 PrintAndLog("");
262 PrintAndLog("Usage: hitag reader <Reader Function #>");
263 PrintAndLog("Reader Functions:");
264 PrintAndLog(" HitagS (0*)");
265 PrintAndLog(" 01 <nr> <ar> (Challenge) <firstPage> <tagmode> read all pages from a Hitag S tag");
266 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all pages from a Hitag S tag");
267 PrintAndLog(" 03 <nr> <ar> (Challenge) <firstPage> <tagmode> read all blocks from a Hitag S tag");
268 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <firstPage> <tagmode> read all blocks from a Hitag S tag");
269 PrintAndLog(" Valid tagmodes are 0=STANDARD, 1=ADVANCED, 2=FAST_ADVANCED (default is ADVANCED)");
270 PrintAndLog(" Hitag1 (1*)");
271 PrintAndLog(" Hitag2 (2*)");
272 PrintAndLog(" 21 <password> (password mode)");
273 PrintAndLog(" 22 <nr> <ar> (authentication)");
274 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
275 PrintAndLog(" 25 (test recorded authentications)");
276 PrintAndLog(" 26 just read UID");
277 return 1;
278 } break;
279 }
280
281 // Copy the hitag2 function into the first argument
282 c.arg[0] = htf;
283
284 // Send the command to the proxmark
285 clearCommandBuffer();
286 SendCommand(&c);
287
288 UsbCommand resp;
289 WaitForResponse(CMD_ACK,&resp);
290
291 // Check the return status, stored in the first argument
292 if (resp.arg[0] == false) return 1;
293
294 uint32_t id = bytes_to_num(resp.d.asBytes,4);
295
296 if (htf == RHT2F_UID_ONLY){
297 PrintAndLog("Valid Hitag2 tag found - UID: %08x",id);
298 } else {
299 char filename[256];
300 FILE* pf = NULL;
301
302 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
303 if ((pf = fopen(filename,"wb")) == NULL) {
304 PrintAndLog("Error: Could not open file [%s]",filename);
305 return 1;
306 }
307
308 // Write the 48 tag memory bytes to file and finalize
309 fwrite(resp.d.asBytes,1,48,pf);
310 fclose(pf);
311
312 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
313 }
314
315
316 return 0;
317 }
318
319
320 int CmdLFHitagSimS(const char *Cmd) {
321 UsbCommand c = { CMD_SIMULATE_HITAG_S };
322 char filename[FILE_PATH_SIZE] = { 0x00 };
323 FILE* pf;
324 bool tag_mem_supplied;
325 int len = strlen(Cmd);
326 if (len > FILE_PATH_SIZE)
327 len = FILE_PATH_SIZE;
328 memcpy(filename, Cmd, len);
329
330 if (strlen(filename) > 0) {
331 if ((pf = fopen(filename, "rb+")) == NULL) {
332 PrintAndLog("Error: Could not open file [%s]", filename);
333 return 1;
334 }
335 tag_mem_supplied = true;
336 if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) {
337 PrintAndLog("Error: File reading error");
338 fclose(pf);
339 return 1;
340 }
341 fclose(pf);
342 } else {
343 tag_mem_supplied = false;
344 }
345
346 // Does the tag comes with memory
347 c.arg[0] = (uint32_t) tag_mem_supplied;
348
349 SendCommand(&c);
350 return 0;
351 }
352
353 int CmdLFHitagCheckChallenges(const char *Cmd) {
354 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
355 char filename[FILE_PATH_SIZE] = { 0x00 };
356 FILE* pf;
357 bool file_given;
358 int len = strlen(Cmd);
359 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
360 memcpy(filename, Cmd, len);
361
362 if (strlen(filename) > 0) {
363 if ((pf = fopen(filename,"rb+")) == NULL) {
364 PrintAndLog("Error: Could not open file [%s]",filename);
365 return 1;
366 }
367 file_given = true;
368 if (fread(c.d.asBytes,1,8*60,pf) != 8*60) {
369 PrintAndLog("Error: File reading error");
370 fclose(pf);
371 return 1;
372 }
373 fclose(pf);
374 } else {
375 file_given = false;
376 }
377
378 //file with all the challenges to try
379 c.arg[0] = (uint32_t)file_given;
380 c.arg[1] = param_get64ex(Cmd,2,0,0); //get mode
381
382 SendCommand(&c);
383 return 0;
384 }
385
386
387 int CmdLFHitagWP(const char *Cmd) {
388 UsbCommand c = { CMD_WR_HITAG_S };
389 hitag_data* htd = (hitag_data*)c.d.asBytes;
390 hitag_function htf = param_get32ex(Cmd,0,0,10);
391 switch (htf) {
392 case 03: { //WHTSF_CHALLENGE
393 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
394 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
395 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
396 } break;
397 case 04:
398 case 24:
399 { //WHTSF_KEY
400 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
401 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
402 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
403
404 } break;
405 default: {
406 PrintAndLog("Error: unkown writer function %d",htf);
407 PrintAndLog("Hitag writer functions");
408 PrintAndLog(" HitagS (0*)");
409 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
410 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
411 PrintAndLog(" Hitag1 (1*)");
412 PrintAndLog(" Hitag2 (2*)");
413 PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
414 return 1;
415 } break;
416 }
417 // Copy the hitag function into the first argument
418 c.arg[0] = htf;
419
420 // Send the command to the proxmark
421 SendCommand(&c);
422
423 UsbCommand resp;
424 WaitForResponse(CMD_ACK,&resp);
425
426 // Check the return status, stored in the first argument
427 if (resp.arg[0] == false) return 1;
428 return 0;
429 }
430
431
432 static command_t CommandTable[] =
433 {
434 {"help", CmdHelp, 1, "This help"},
435 {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"},
436 {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"},
437 {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"},
438 {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"},
439 {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" },
440 {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" },
441 {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> <tagmode> test all challenges" }, {
442 NULL,NULL, 0, NULL }
443 };
444
445 int CmdLFHitag(const char *Cmd)
446 {
447 CmdsParse(CommandTable, Cmd);
448 return 0;
449 }
450
451 int CmdHelp(const char *Cmd)
452 {
453 CmdsHelp(CommandTable);
454 return 0;
455 }
Impressum, Datenschutz