]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhficlass.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of https://github.com/Proxmark/proxmark3
[proxmark3-svn] / client / cmdhficlass.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
3 // Copyright (C) 2011 Gerhard de Koning Gans
4 // Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // High frequency iClass commands
11 //-----------------------------------------------------------------------------
12
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <sys/stat.h>
17 #include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
18 #include "data.h"
19 //#include "proxusb.h"
20 #include "proxmark3.h"
21 #include "ui.h"
22 #include "cmdparser.h"
23 #include "cmdhficlass.h"
24 #include "common.h"
25 #include "util.h"
26 #include "cmdmain.h"
27 #include "loclass/des.h"
28 #include "loclass/cipherutils.h"
29 #include "loclass/cipher.h"
30 #include "loclass/ikeys.h"
31 #include "loclass/elite_crack.h"
32 #include "loclass/fileutils.h"
33
34 static int CmdHelp(const char *Cmd);
35
36 int xorbits_8(uint8_t val)
37 {
38 uint8_t res = val ^ (val >> 1); //1st pass
39 res = res ^ (res >> 1); // 2nd pass
40 res = res ^ (res >> 2); // 3rd pass
41 res = res ^ (res >> 4); // 4th pass
42 return res & 1;
43 }
44
45 int CmdHFiClassList(const char *Cmd)
46 {
47
48 bool ShowWaitCycles = false;
49 char param = param_getchar(Cmd, 0);
50
51 if (param != 0) {
52 PrintAndLog("List data in trace buffer.");
53 PrintAndLog("Usage: hf iclass list");
54 PrintAndLog("h - help");
55 PrintAndLog("sample: hf iclass list");
56 return 0;
57 }
58
59 uint8_t got[1920];
60 GetFromBigBuf(got,sizeof(got),0);
61 WaitForResponse(CMD_ACK,NULL);
62
63 PrintAndLog("Recorded Activity");
64 PrintAndLog("");
65 PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
66 PrintAndLog("All times are in carrier periods (1/13.56Mhz)");
67 PrintAndLog("");
68 PrintAndLog(" Start | End | Src | Data");
69 PrintAndLog("-----------|-----------|-----|--------");
70
71 int i;
72 uint32_t first_timestamp = 0;
73 uint32_t timestamp;
74 bool tagToReader;
75 uint32_t parityBits;
76 uint8_t len;
77 uint8_t *frame;
78 uint32_t EndOfTransmissionTimestamp = 0;
79
80
81 for( i=0; i < 1900;)
82 {
83 //First 32 bits contain
84 // isResponse (1 bit)
85 // timestamp (remaining)
86 //Then paritybits
87 //Then length
88 timestamp = *((uint32_t *)(got+i));
89 parityBits = *((uint32_t *)(got+i+4));
90 len = got[i+8];
91 frame = (got+i+9);
92 uint32_t next_timestamp = (*((uint32_t *)(got+i+9))) & 0x7fffffff;
93
94 tagToReader = timestamp & 0x80000000;
95 timestamp &= 0x7fffffff;
96
97 if(i==0) {
98 first_timestamp = timestamp;
99 }
100
101 // Break and stick with current result idf buffer was not completely full
102 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break;
103
104 char line[1000] = "";
105
106 if(len)//We have some data to display
107 {
108 int j,oddparity;
109
110 for(j = 0; j < len ; j++)
111 {
112 oddparity = 0x01 ^ xorbits_8(frame[j] & 0xFF);
113
114 if (tagToReader && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
115 sprintf(line+(j*4), "%02x! ", frame[j]);
116 } else {
117 sprintf(line+(j*4), "%02x ", frame[j]);
118 }
119 }
120 }else
121 {
122 if (ShowWaitCycles) {
123 sprintf(line, "fdt (Frame Delay Time): %d", (next_timestamp - timestamp));
124 }
125 }
126
127 char *crc = "";
128
129 if(len > 2)
130 {
131 uint8_t b1, b2;
132 if(!tagToReader && len == 4) {
133 // Rough guess that this is a command from the reader
134 // For iClass the command byte is not part of the CRC
135 ComputeCrc14443(CRC_ICLASS, &frame[1], len-3, &b1, &b2);
136 }
137 else {
138 // For other data.. CRC might not be applicable (UPDATE commands etc.)
139 ComputeCrc14443(CRC_ICLASS, frame, len-2, &b1, &b2);
140 }
141
142 if (b1 != frame[len-2] || b2 != frame[len-1]) {
143 crc = (tagToReader & (len < 8)) ? "" : " !crc";
144 }
145 }
146
147 i += (len + 9);
148 EndOfTransmissionTimestamp = (*((uint32_t *)(got+i))) & 0x7fffffff;
149
150 // Not implemented for iclass on the ARM-side
151 //if (!ShowWaitCycles) i += 9;
152
153 PrintAndLog(" %9d | %9d | %s | %s %s",
154 (timestamp - first_timestamp),
155 (EndOfTransmissionTimestamp - first_timestamp),
156 (len?(tagToReader ? "Tag" : "Rdr"):" "),
157 line, crc);
158 }
159 return 0;
160 }
161
162 int CmdHFiClassListOld(const char *Cmd)
163 {
164 uint8_t got[1920];
165 GetFromBigBuf(got,sizeof(got),0);
166
167 PrintAndLog("recorded activity:");
168 PrintAndLog(" ETU :rssi: who bytes");
169 PrintAndLog("---------+----+----+-----------");
170
171 int i = 0;
172 int prev = -1;
173
174 for (;;) {
175 if(i >= 1900) {
176 break;
177 }
178
179 bool isResponse;
180 int timestamp = *((uint32_t *)(got+i));
181 if (timestamp & 0x80000000) {
182 timestamp &= 0x7fffffff;
183 isResponse = 1;
184 } else {
185 isResponse = 0;
186 }
187
188
189 int metric = 0;
190
191 int parityBits = *((uint32_t *)(got+i+4));
192 // 4 bytes of additional information...
193 // maximum of 32 additional parity bit information
194 //
195 // TODO:
196 // at each quarter bit period we can send power level (16 levels)
197 // or each half bit period in 256 levels.
198
199
200 int len = got[i+8];
201
202 if (len > 100) {
203 break;
204 }
205 if (i + len >= 1900) {
206 break;
207 }
208
209 uint8_t *frame = (got+i+9);
210
211 // Break and stick with current result if buffer was not completely full
212 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
213
214 char line[1000] = "";
215 int j;
216 for (j = 0; j < len; j++) {
217 int oddparity = 0x01;
218 int k;
219
220 for (k=0;k<8;k++) {
221 oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
222 }
223
224 //if((parityBits >> (len - j - 1)) & 0x01) {
225 if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
226 sprintf(line+(j*4), "%02x! ", frame[j]);
227 }
228 else {
229 sprintf(line+(j*4), "%02x ", frame[j]);
230 }
231 }
232
233 char *crc;
234 crc = "";
235 if (len > 2) {
236 uint8_t b1, b2;
237 for (j = 0; j < (len - 1); j++) {
238 // gives problems... search for the reason..
239 /*if(frame[j] == 0xAA) {
240 switch(frame[j+1]) {
241 case 0x01:
242 crc = "[1] Two drops close after each other";
243 break;
244 case 0x02:
245 crc = "[2] Potential SOC with a drop in second half of bitperiod";
246 break;
247 case 0x03:
248 crc = "[3] Segment Z after segment X is not possible";
249 break;
250 case 0x04:
251 crc = "[4] Parity bit of a fully received byte was wrong";
252 break;
253 default:
254 crc = "[?] Unknown error";
255 break;
256 }
257 break;
258 }*/
259 }
260
261 if (strlen(crc)==0) {
262 if(!isResponse && len == 4) {
263 // Rough guess that this is a command from the reader
264 // For iClass the command byte is not part of the CRC
265 ComputeCrc14443(CRC_ICLASS, &frame[1], len-3, &b1, &b2);
266 }
267 else {
268 // For other data.. CRC might not be applicable (UPDATE commands etc.)
269 ComputeCrc14443(CRC_ICLASS, frame, len-2, &b1, &b2);
270 }
271 //printf("%1x %1x",(unsigned)b1,(unsigned)b2);
272 if (b1 != frame[len-2] || b2 != frame[len-1]) {
273 crc = (isResponse & (len < 8)) ? "" : " !crc";
274 } else {
275 crc = "";
276 }
277 }
278 } else {
279 crc = ""; // SHORT
280 }
281
282 char metricString[100];
283 if (isResponse) {
284 sprintf(metricString, "%3d", metric);
285 } else {
286 strcpy(metricString, " ");
287 }
288
289 PrintAndLog(" +%7d: %s: %s %s %s",
290 (prev < 0 ? 0 : (timestamp - prev)),
291 metricString,
292 (isResponse ? "TAG" : " "), line, crc);
293
294 prev = timestamp;
295 i += (len + 9);
296 }
297 return 0;
298 }
299
300 int CmdHFiClassSnoop(const char *Cmd)
301 {
302 UsbCommand c = {CMD_SNOOP_ICLASS};
303 SendCommand(&c);
304 return 0;
305 }
306 #define NUM_CSNS 15
307 int CmdHFiClassSim(const char *Cmd)
308 {
309 uint8_t simType = 0;
310 uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
311
312 if (strlen(Cmd)<1) {
313 PrintAndLog("Usage: hf iclass sim [0 <CSN>] | x");
314 PrintAndLog(" options");
315 PrintAndLog(" 0 <CSN> simulate the given CSN");
316 PrintAndLog(" 1 simulate default CSN");
317 PrintAndLog(" 2 iterate CSNs, gather MACs");
318 PrintAndLog(" sample: hf iclass sim 0 031FEC8AF7FF12E0");
319 PrintAndLog(" sample: hf iclass sim 2");
320 return 0;
321 }
322
323 simType = param_get8(Cmd, 0);
324
325 if(simType == 0)
326 {
327 if (param_gethex(Cmd, 1, CSN, 16)) {
328 PrintAndLog("A CSN should consist of 16 HEX symbols");
329 return 1;
330 }
331 PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));
332
333 }
334 if(simType > 2)
335 {
336 PrintAndLog("Undefined simptype %d", simType);
337 return 1;
338 }
339 uint8_t numberOfCSNs=0;
340
341 if(simType == 2)
342 {
343 UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
344 UsbCommand resp = {0};
345
346 /*uint8_t csns[8 * NUM_CSNS] = {
347 0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
348 0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
349 0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
350 0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 ,
351 0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 ,
352 0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
353 0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
354 0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
355 */
356
357 uint8_t csns[8*NUM_CSNS] = {
358 0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
359 0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
360 0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
361 0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
362 0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
363 0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
364 0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
365 0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
366 0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
367 0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
368 0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
369 0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
370 0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
371 0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
372 0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
373
374 memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
375
376 SendCommand(&c);
377 if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
378 PrintAndLog("Command timed out");
379 return 0;
380 }
381
382 uint8_t num_mac_responses = resp.arg[1];
383 PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);
384
385 size_t datalen = NUM_CSNS*24;
386 /*
387 * Now, time to dump to file. We'll use this format:
388 * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
389 * So, it should wind up as
390 * 8 * 24 bytes.
391 *
392 * The returndata from the pm3 is on the following format
393 * <4 byte NR><4 byte MAC>
394 * CC are all zeroes, CSN is the same as was sent in
395 **/
396 void* dump = malloc(datalen);
397 memset(dump,0,datalen);//<-- Need zeroes for the CC-field
398 uint8_t i = 0;
399 for(i = 0 ; i < NUM_CSNS ; i++)
400 {
401 memcpy(dump+i*24, csns+i*8,8); //CSN
402 //8 zero bytes here...
403 //Then comes NR_MAC (eight bytes from the response)
404 memcpy(dump+i*24+16,resp.d.asBytes+i*8,8);
405
406 }
407 /** Now, save to dumpfile **/
408 saveFile("iclass_mac_attack", "bin", dump,datalen);
409 free(dump);
410 }else
411 {
412 UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
413 memcpy(c.d.asBytes, CSN, 8);
414 SendCommand(&c);
415 }
416
417 return 0;
418 }
419
420 int CmdHFiClassReader(const char *Cmd)
421 {
422 UsbCommand c = {CMD_READER_ICLASS, {0}};
423 SendCommand(&c);
424 UsbCommand resp;
425 while(!ukbhit()){
426 if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
427 uint8_t isOK = resp.arg[0] & 0xff;
428 uint8_t * data = resp.d.asBytes;
429
430 PrintAndLog("isOk:%02x", isOK);
431
432 if(isOK > 0)
433 {
434 PrintAndLog("CSN: %s",sprint_hex(data,8));
435 }
436 if(isOK >= 1)
437 {
438 PrintAndLog("CC: %s",sprint_hex(data+8,8));
439 }else{
440 PrintAndLog("No CC obtained");
441 }
442 } else {
443 PrintAndLog("Command execute timeout");
444 }
445 }
446
447 return 0;
448 }
449
450 int CmdHFiClassReader_Replay(const char *Cmd)
451 {
452 uint8_t readerType = 0;
453 uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
454
455 if (strlen(Cmd)<1) {
456 PrintAndLog("Usage: hf iclass replay <MAC>");
457 PrintAndLog(" sample: hf iclass replay 00112233");
458 return 0;
459 }
460
461 if (param_gethex(Cmd, 0, MAC, 8)) {
462 PrintAndLog("MAC must include 8 HEX symbols");
463 return 1;
464 }
465
466 UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
467 memcpy(c.d.asBytes, MAC, 4);
468 SendCommand(&c);
469
470 return 0;
471 }
472
473 int CmdHFiClassReader_Dump(const char *Cmd)
474 {
475 uint8_t readerType = 0;
476 uint8_t MAC[4]={0x00,0x00,0x00,0x00};
477 uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
478 uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
479 uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
480 //uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
481 uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
482 uint8_t keytable[128] = {0};
483 int elite = 0;
484 uint8_t *used_key;
485 int i;
486 if (strlen(Cmd)<1)
487 {
488 PrintAndLog("Usage: hf iclass dump <Key> [e]");
489 PrintAndLog(" Key - A 16 byte master key");
490 PrintAndLog(" e - If 'e' is specified, the key is interpreted as the 16 byte");
491 PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack");
492 PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format");
493 PrintAndLog(" sample: hf iclass dump 0011223344556677");
494
495
496 return 0;
497 }
498
499 if (param_gethex(Cmd, 0, KEY, 16))
500 {
501 PrintAndLog("KEY must include 16 HEX symbols");
502 return 1;
503 }
504
505 if (param_getchar(Cmd, 1) == 'e')
506 {
507 PrintAndLog("Elite switch on");
508 elite = 1;
509
510 //calc h2
511 hash2(KEY, keytable);
512 printarr_human_readable("keytable", keytable, 128);
513
514 }
515
516 UsbCommand resp;
517 uint8_t key_sel[8] = {0};
518 uint8_t key_sel_p[8] = { 0 };
519
520 //HACK -- Below is for testing without access to a tag
521 uint8_t fake_dummy_test = false;
522 if(fake_dummy_test)
523 {
524 uint8_t xdata[16] = {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0, //CSN from http://www.proxmark.org/forum/viewtopic.php?pid=11230#p11230
525 0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Just a random CC. Would be good to add a real testcase here
526 memcpy(resp.d.asBytes,xdata, 16);
527 resp.arg[0] = 2;
528 }
529
530 //End hack
531
532
533 UsbCommand c = {CMD_READER_ICLASS, {0}};
534 c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE;
535 if(!fake_dummy_test)
536 SendCommand(&c);
537
538
539
540 if (fake_dummy_test || WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
541 uint8_t isOK = resp.arg[0] & 0xff;
542 uint8_t * data = resp.d.asBytes;
543
544 memcpy(CSN,data,8);
545 memcpy(CCNR,data+8,8);
546
547 PrintAndLog("isOk:%02x", isOK);
548
549 if(isOK > 0)
550 {
551 PrintAndLog("CSN: %s",sprint_hex(CSN,8));
552 }
553 if(isOK > 1)
554 {
555 if(elite)
556 {
557 //Get the key index (hash1)
558 uint8_t key_index[8] = {0};
559
560 hash1(CSN, key_index);
561 printvar("hash1", key_index,8);
562 for(i = 0; i < 8 ; i++)
563 key_sel[i] = keytable[key_index[i]] & 0xFF;
564 PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
565 printvar("k_sel", key_sel,8);
566 //Permute from iclass format to standard format
567 permutekey_rev(key_sel,key_sel_p);
568 used_key = key_sel_p;
569 }else{
570 //Perhaps this should also be permuted to std format?
571 // Something like the code below? I have no std system
572 // to test this with /Martin
573
574 //uint8_t key_sel_p[8] = { 0 };
575 //permutekey_rev(KEY,key_sel_p);
576 //used_key = key_sel_p;
577
578 used_key = KEY;
579
580 }
581
582 PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
583 printvar("Used key",used_key,8);
584 diversifyKey(CSN,used_key, div_key);
585 PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
586 printvar("Div key", div_key, 8);
587 printvar("CC_NR:",CCNR,12);
588 doMAC(CCNR,12,div_key, MAC);
589 printvar("MAC", MAC, 4);
590
591 UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
592 memcpy(d.d.asBytes, MAC, 4);
593 if(!fake_dummy_test) SendCommand(&d);
594
595 }else{
596 PrintAndLog("Failed to obtain CC! Aborting");
597 }
598 } else {
599 PrintAndLog("Command execute timeout");
600 }
601
602 return 0;
603 }
604
605 int CmdHFiClass_iso14443A_write(const char *Cmd)
606 {
607 uint8_t readerType = 0;
608 uint8_t MAC[4]={0x00,0x00,0x00,0x00};
609 uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
610 uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
611 uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
612 uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
613
614 uint8_t blockNo=0;
615 uint8_t bldata[8]={0};
616
617 if (strlen(Cmd)<3)
618 {
619 PrintAndLog("Usage: hf iclass write <Key> <Block> <Data>");
620 PrintAndLog(" sample: hf iclass write 0011223344556677 10 AAAAAAAAAAAAAAAA");
621 return 0;
622 }
623
624 if (param_gethex(Cmd, 0, KEY, 16))
625 {
626 PrintAndLog("KEY must include 16 HEX symbols");
627 return 1;
628 }
629
630 blockNo = param_get8(Cmd, 1);
631 if (blockNo>32)
632 {
633 PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!");
634 return 1;
635 }
636 if (param_gethex(Cmd, 2, bldata, 8))
637 {
638 PrintAndLog("Block data must include 8 HEX symbols");
639 return 1;
640 }
641
642 UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}};
643 SendCommand(&c);
644 UsbCommand resp;
645
646 if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
647 uint8_t isOK = resp.arg[0] & 0xff;
648 uint8_t * data = resp.d.asBytes;
649
650 memcpy(CSN,data,8);
651 memcpy(CCNR,data+8,8);
652 PrintAndLog("DEBUG: %s",sprint_hex(CSN,8));
653 PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8));
654 PrintAndLog("isOk:%02x", isOK);
655 } else {
656 PrintAndLog("Command execute timeout");
657 }
658
659 diversifyKey(CSN,KEY, div_key);
660
661 PrintAndLog("Div Key: %s",sprint_hex(div_key,8));
662 doMAC(CCNR, 12,div_key, MAC);
663
664 UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}};
665 memcpy(c2.d.asBytes, bldata, 8);
666 memcpy(c2.d.asBytes+8, MAC, 4);
667 SendCommand(&c2);
668
669 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
670 uint8_t isOK = resp.arg[0] & 0xff;
671 uint8_t * data = resp.d.asBytes;
672
673 if (isOK)
674 PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
675 else
676 PrintAndLog("isOk:%02x", isOK);
677 } else {
678 PrintAndLog("Command execute timeout");
679 }
680 return 0;
681 }
682
683
684 static command_t CommandTable[] =
685 {
686 {"help", CmdHelp, 1, "This help"},
687 {"list", CmdHFiClassList, 0, "List iClass history"},
688 {"snoop", CmdHFiClassSnoop, 0, "Eavesdrop iClass communication"},
689 {"sim", CmdHFiClassSim, 0, "Simulate iClass tag"},
690 {"reader",CmdHFiClassReader, 0, "Read an iClass tag"},
691 {"replay",CmdHFiClassReader_Replay, 0, "Read an iClass tag via Reply Attack"},
692 {"dump", CmdHFiClassReader_Dump, 0, "Authenticate and Dump iClass tag"},
693 {"write", CmdHFiClass_iso14443A_write, 0, "Authenticate and Write iClass block"},
694 {NULL, NULL, 0, NULL}
695 };
696
697 int CmdHFiClass(const char *Cmd)
698 {
699 CmdsParse(CommandTable, Cmd);
700 return 0;
701 }
702
703 int CmdHelp(const char *Cmd)
704 {
705 CmdsHelp(CommandTable);
706 return 0;
707 }
Proxmark3 GIT tracking
Impressum, Datenschutz