]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
Update default_pwd.dic (#735)
[proxmark3-svn] / armsrc / iso14443a.c
index 9fa08044281bd778adb1ce2f7045f1927ab5a92c..7bf8f5af7d110e4f440b933ebed4f5c1f8138052 100644 (file)
 
 #include "iso14443a.h"
 
+#include <stdio.h>
+#include <string.h>
 #include "proxmark3.h"
 #include "apps.h"
 #include "util.h"
-#include "string.h"
 #include "cmd.h"
 #include "iso14443crc.h"
 #include "crapto1/crapto1.h"
@@ -80,6 +81,8 @@ typedef struct {
 } tUart;
 
 static uint32_t iso14a_timeout;
+#define MAX_ISO14A_TIMEOUT 524288
+
 int rsamples = 0;
 uint8_t trigger = 0;
 // the block number for the ISO14443-4 PCB
@@ -186,33 +189,16 @@ void iso14a_set_trigger(bool enable) {
 
 
 void iso14a_set_timeout(uint32_t timeout) {
-       iso14a_timeout = timeout;
-       if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
+       // adjust timeout by FPGA delays and 2 additional ssp_frames to detect SOF
+       iso14a_timeout = timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) + 2;
+       if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", timeout, timeout / 106);
 }
 
 
-static void iso14a_set_ATS_timeout(uint8_t *ats) {
-
-       uint8_t tb1;
-       uint8_t fwi; 
-       uint32_t fwt;
-       
-       if (ats[0] > 1) {                                                       // there is a format byte T0
-               if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
-                       if ((ats[1] & 0x10) == 0x10) {          // there is an interface byte TA(1) preceding TB(1)
-                               tb1 = ats[3];
-                       } else {
-                               tb1 = ats[2];
-                       }
-                       fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
-                       fwt = 256 * 16 * (1 << fwi);            // frame waiting time (FWT) in 1/fc
-                       
-                       iso14a_set_timeout(fwt/(8*16));
-               }
-       }
+uint32_t iso14a_get_timeout(void) {
+       return iso14a_timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) - 2;
 }
 
-
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
@@ -1274,7 +1260,7 @@ static void PrepareDelayedTransfer(uint16_t delay)
 // Transmit the command (to the tag) that was placed in ToSend[].
 // Parameter timing:
 // if NULL: transfer at next possible time, taking into account
-//                     request guard time and frame delay time
+//                     request guard time, startup frame guard time and frame delay time
 // if == 0:    transfer immediately and return time of transfer
 // if != 0: delay transfer until time specified
 //-------------------------------------------------------------------------------------
@@ -1419,7 +1405,7 @@ int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
                                ADC_MODE_PRESCALE(63) |
                                ADC_MODE_STARTUP_TIME(1) |
                                ADC_MODE_SAMPLE_HOLD_TIME(15);
-       AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
+       AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF_LOW);
        // start ADC
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
        
@@ -1446,12 +1432,12 @@ int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
                if (BUTTON_PRESS()) return 1;
 
                // test if the field exists
-               if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
+               if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF_LOW)) {
                        analogCnt++;
-                       analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
+                       analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF_LOW];
                        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
                        if (analogCnt >= 32) {
-                               if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
+                               if ((MAX_ADC_HF_VOLTAGE_LOW * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
                                        vtime = GetTickCount();
                                        if (!timer) timer = vtime;
                                        // 50ms no field --> card to idle state
@@ -1682,6 +1668,59 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
        return Demod.len;
 }
 
+
+static void iso14a_set_ATS_times(uint8_t *ats) {
+
+       uint8_t tb1;
+       uint8_t fwi, sfgi; 
+       uint32_t fwt, sfgt;
+       
+       if (ats[0] > 1) {                                                       // there is a format byte T0
+               if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
+                       if ((ats[1] & 0x10) == 0x10) {          // there is an interface byte TA(1) preceding TB(1)
+                               tb1 = ats[3];
+                       } else {
+                               tb1 = ats[2];
+                       }
+                       fwi = (tb1 & 0xf0) >> 4;                        // frame waiting time integer (FWI)
+                       if (fwi != 15) {
+                               fwt = 256 * 16 * (1 << fwi);    // frame waiting time (FWT) in 1/fc
+                               iso14a_set_timeout(fwt/(8*16));
+                       }
+                       sfgi = tb1 & 0x0f;                                      // startup frame guard time integer (SFGI)
+                       if (sfgi != 0 && sfgi != 15) {
+                               sfgt = 256 * 16 * (1 << sfgi);  // startup frame guard time (SFGT) in 1/fc
+                               NextTransferTime = MAX(NextTransferTime, Demod.endTime + (sfgt - DELAY_AIR2ARM_AS_READER - DELAY_ARM2AIR_AS_READER)/16);
+                       }
+               }
+       }
+}
+
+
+static int GetATQA(uint8_t *resp, uint8_t *resp_par) {
+
+#define WUPA_RETRY_TIMEOUT     10      // 10ms
+       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
+
+       uint32_t save_iso14a_timeout = iso14a_get_timeout();
+       iso14a_set_timeout(1236/(16*8)+1);              // response to WUPA is expected at exactly 1236/fc. No need to wait longer.
+       
+       uint32_t start_time = GetTickCount();
+       int len;
+       
+       // we may need several tries if we did send an unknown command or a wrong authentication before...
+       do {
+               // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
+               ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
+               // Receive the ATQA
+               len = ReaderReceive(resp, resp_par);
+       } while (len == 0 && GetTickCount() <= start_time + WUPA_RETRY_TIMEOUT);
+                       
+       iso14a_set_timeout(save_iso14a_timeout);
+       return len;
+}
+
+
 // performs iso14443a anticollision (optional) and card select procedure
 // fills the uid and cuid pointer unless NULL
 // fills the card info record unless NULL
@@ -1689,7 +1728,6 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
 // requests ATS unless no_rats is true
 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats) {
-       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
        uint8_t sel_all[]    = { 0x93,0x20 };
        uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
@@ -1709,11 +1747,9 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                p_hi14a_card->ats_len = 0;
        }
 
-       // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
-    ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
-       
-       // Receive the ATQA
-       if(!ReaderReceive(resp, resp_par)) return 0;
+       if (!GetATQA(resp, resp_par)) {
+               return 0;
+       }
 
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->atqa, resp, 2);
@@ -1842,8 +1878,9 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                // reset the PCB block number
                iso14_pcb_blocknum = 0;
 
-               // set default timeout based on ATS
-               iso14a_set_ATS_timeout(resp);
+               // set default timeout and delay next transfer based on ATS
+               iso14a_set_ATS_times(resp);
+               
        }
        return 1;       
 }
@@ -1852,7 +1889,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 void iso14443a_setup(uint8_t fpga_minor_mode) {
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
        // Set up the synchronous serial port
-       FpgaSetupSsc();
+       FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO14443A);
        // connect Demodulated Signal to ADC:
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
@@ -1874,32 +1911,101 @@ void iso14443a_setup(uint8_t fpga_minor_mode) {
        iso14a_set_timeout(1060); // 10ms default
 }
 
-
-int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
+/* Peter Fillmore 2015
+Added card id field to the function
+ info from ISO14443A standard
+b1 = Block Number
+b2 = RFU (always 1)
+b3 = depends on block
+b4 = Card ID following if set to 1
+b5 = depends on block type
+b6 = depends on block type
+b7,b8 = block type.
+Coding of I-BLOCK:
+b8 b7 b6 b5 b4 b3 b2 b1
+0  0  0  x  x  x  1  x
+b5 = chaining bit
+Coding of R-block:
+b8 b7 b6 b5 b4 b3 b2 b1
+1  0  1  x  x  0  1  x
+b5 = ACK/NACK
+Coding of S-block:
+b8 b7 b6 b5 b4 b3 b2 b1
+1  1  x  x  x  0  1  0 
+b5,b6 = 00 - DESELECT
+        11 - WTX 
+*/    
+int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data, uint8_t *res) {
        uint8_t parity[MAX_PARITY_SIZE];
-       uint8_t real_cmd[cmd_len+4];
-       real_cmd[0] = 0x0a; //I-Block
-       // put block number into the PCB
-       real_cmd[0] |= iso14_pcb_blocknum;
-       real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
-       memcpy(real_cmd+2, cmd, cmd_len);
-       AppendCrc14443a(real_cmd,cmd_len+2);
+       uint8_t real_cmd[cmd_len + 4];
+       
+       if (cmd_len) {
+               // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
+               real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00) 
+               // put block number into the PCB
+               real_cmd[0] |= iso14_pcb_blocknum;
+               memcpy(real_cmd + 1, cmd, cmd_len);
+       } else {
+               // R-block. ACK
+               real_cmd[0] = 0xA2; // r-block + ACK    
+               real_cmd[0] |= iso14_pcb_blocknum;
+       }
+       AppendCrc14443a(real_cmd, cmd_len + 1);
  
-       ReaderTransmit(real_cmd, cmd_len+4, NULL);
+       ReaderTransmit(real_cmd, cmd_len + 3, NULL);
+
        size_t len = ReaderReceive(data, parity);
        uint8_t *data_bytes = (uint8_t *) data;
-       if (!len)
+
+       if (!len) {
                return 0; //DATA LINK ERROR
-       // if we received an I- or R(ACK)-Block with a block number equal to the
-       // current block number, toggle the current block number
-       else if (len >= 4 // PCB+CID+CRC = 4 bytes
+       } else{
+               // S-Block WTX 
+               while((data_bytes[0] & 0xF2) == 0xF2) {
+                       uint32_t save_iso14a_timeout = iso14a_get_timeout();
+                       // temporarily increase timeout
+                       iso14a_set_timeout(MAX((data_bytes[1] & 0x3f) * save_iso14a_timeout, MAX_ISO14A_TIMEOUT));
+                       // Transmit WTX back 
+                       // byte1 - WTXM [1..59]. command FWT=FWT*WTXM
+                       data_bytes[1] = data_bytes[1] & 0x3f; // 2 high bits mandatory set to 0b
+                       // now need to fix CRC.
+                       AppendCrc14443a(data_bytes, len - 2);
+                       // transmit S-Block
+                       ReaderTransmit(data_bytes, len, NULL);
+                       // retrieve the result again (with increased timeout) 
+                       len = ReaderReceive(data, parity);
+                       data_bytes = data;
+                       // restore timeout
+                       iso14a_set_timeout(save_iso14a_timeout);
+               }
+
+               // if we received an I- or R(ACK)-Block with a block number equal to the
+               // current block number, toggle the current block number
+               if (len >= 3 // PCB+CRC = 3 bytes
                 && ((data_bytes[0] & 0xC0) == 0 // I-Block
                     || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
                 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
-       {
-               iso14_pcb_blocknum ^= 1;
-       }
+               {
+                       iso14_pcb_blocknum ^= 1;
+               }
+               
+               // if we received I-block with chaining we need to send ACK and receive another block of data
+               if (res)
+                       *res = data_bytes[0];
 
+               // crc check
+               if (len >= 3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
+                       return -1;
+               }
+               
+       }
+       
+       // cut frame byte
+       len -= 1;
+       // memmove(data_bytes, data_bytes + 1, len);
+       for (int i = 0; i < len; i++)
+               data_bytes[i] = data_bytes[i + 1];
+       
        return len;
 }
 
@@ -1918,23 +2024,34 @@ void ReaderIso14443a(UsbCommand *c)
        uint32_t arg0 = 0;
        byte_t buf[USB_CMD_DATA_SIZE] = {0};
        uint8_t par[MAX_PARITY_SIZE];
+       bool cantSELECT = false;
   
-       if(param & ISO14A_CONNECT) {
+       set_tracing(true);
+       
+       if(param & ISO14A_CLEAR_TRACE) {
                clear_trace();
        }
 
-       set_tracing(true);
-
        if(param & ISO14A_REQUEST_TRIGGER) {
                iso14a_set_trigger(true);
        }
 
        if(param & ISO14A_CONNECT) {
+               LED_A_ON();
                iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
                if(!(param & ISO14A_NO_SELECT)) {
                        iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
                        arg0 = iso14443a_select_card(NULL, card, NULL, true, 0, param & ISO14A_NO_RATS);
+
+                       // if we cant select then we cant send data
+                       if (arg0 != 1 && arg0 != 2) {
+                               // 1 - all is OK with ATS, 2 - without ATS
+                               cantSELECT = true;
+                       }
+                       
+                       LED_B_ON();
                        cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
+                       LED_B_OFF();
                }
        }
 
@@ -1942,12 +2059,15 @@ void ReaderIso14443a(UsbCommand *c)
                iso14a_set_timeout(timeout);
        }
 
-       if(param & ISO14A_APDU) {
-               arg0 = iso14_apdu(cmd, len, buf);
-               cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
+       if(param & ISO14A_APDU && !cantSELECT) {
+               uint8_t res;
+               arg0 = iso14_apdu(cmd, len, buf, &res);
+               LED_B_ON();
+               cmd_send(CMD_ACK, arg0, res, 0, buf, sizeof(buf));
+               LED_B_OFF();
        }
 
-       if(param & ISO14A_RAW) {
+       if(param & ISO14A_RAW && !cantSELECT) {
                if(param & ISO14A_APPEND_CRC) {
                        if(param & ISO14A_TOPAZMODE) {
                                AppendCrc14443b(cmd,len);
@@ -1983,7 +2103,10 @@ void ReaderIso14443a(UsbCommand *c)
                        }
                }
                arg0 = ReaderReceive(buf, par);
+
+               LED_B_ON();
                cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
+               LED_B_OFF();
        }
 
        if(param & ISO14A_REQUEST_TRIGGER) {
@@ -2039,9 +2162,7 @@ void ReaderMifare(bool first_try)
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
 
-       if (first_try) { 
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-       }
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
        
        // free eventually allocated BigBuf memory. We want all for tracing.
        BigBuf_free();
@@ -2049,9 +2170,9 @@ void ReaderMifare(bool first_try)
        clear_trace();
        set_tracing(true);
 
-       byte_t nt_diff = 0;
+       uint8_t nt_diff = 0;
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
-       static byte_t par_low = 0;
+       static uint8_t par_low = 0;
        bool led_on = true;
        uint8_t uid[10]  ={0};
        uint32_t cuid;
@@ -2059,11 +2180,11 @@ void ReaderMifare(bool first_try)
        uint32_t nt = 0;
        uint32_t previous_nt = 0;
        static uint32_t nt_attacked = 0;
-       byte_t par_list[8] = {0x00};
-       byte_t ks_list[8] = {0x00};
+       uint8_t par_list[8] = {0x00};
+       uint8_t ks_list[8] = {0x00};
 
        #define PRNG_SEQUENCE_LENGTH  (1 << 16);
-       static uint32_t sync_time;
+       uint32_t sync_time = GetCountSspClk() & 0xfffffff8;
        static int32_t sync_cycles;
        int catch_up_cycles = 0;
        int last_catch_up = 0;
@@ -2073,10 +2194,9 @@ void ReaderMifare(bool first_try)
 
        if (first_try) { 
                mf_nr_ar3 = 0;
-               sync_time = GetCountSspClk() & 0xfffffff8;
+               par[0] = par_low = 0;
                sync_cycles = PRNG_SEQUENCE_LENGTH;                                                     // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the tag nonces).
                nt_attacked = 0;
-               par[0] = 0;
        }
        else {
                // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
@@ -2092,6 +2212,7 @@ void ReaderMifare(bool first_try)
 
        #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
        #define MAX_SYNC_TRIES                  32
+       #define SYNC_TIME_BUFFER                16              // if there is only SYNC_TIME_BUFFER left before next planned sync, wait for next PRNG cycle
        #define NUM_DEBUG_INFOS                 8               // per strategy
        #define MAX_STRATEGY                    3
        uint16_t unexpected_random = 0;
@@ -2141,8 +2262,8 @@ void ReaderMifare(bool first_try)
                        sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
                        catch_up_cycles = 0;
 
-                       // if we missed the sync time already, advance to the next nonce repeat
-                       while(GetCountSspClk() > sync_time) {
+                       // if we missed the sync time already or are about to miss it, advance to the next nonce repeat
+                       while(sync_time < GetCountSspClk() + SYNC_TIME_BUFFER) {
                                elapsed_prng_sequences++;
                                sync_time = (sync_time & 0xfffffff8) + sync_cycles;
                        }
@@ -2298,14 +2419,14 @@ void ReaderMifare(bool first_try)
                }
        }
        
-       byte_t buf[28];
+       uint8_t buf[32];
        memcpy(buf + 0,  uid, 4);
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
        memcpy(buf + 16, ks_list, 8);
-       memcpy(buf + 24, mf_nr_ar, 4);
+       memcpy(buf + 24, mf_nr_ar, 8);
                
-       cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
+       cmd_send(CMD_ACK, isOK, 0, 0, buf, 32);
 
        // Thats it...
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -2370,7 +2491,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
        for(uint32_t sniffCounter = 0; true; ) {
        
                if(BUTTON_PRESS()) {
-                       DbpString("cancelled by button");
+                       DbpString("Canceled by button.");
                        break;
                }
 
@@ -2427,7 +2548,9 @@ void RAMFUNC SniffMifare(uint8_t param) {
                        if(!TagIsActive) {              // no need to try decoding tag data if the reader is sending
                                uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
                                if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
-                                       LED_C_INV();
+                                       LED_B_ON();
+                                       LED_C_OFF();
+
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true)) break;
 
                                        /* And ready to receive another command. */
@@ -2442,7 +2565,8 @@ void RAMFUNC SniffMifare(uint8_t param) {
                        if(!ReaderIsActive) {           // no need to try decoding tag data if the reader is sending
                                uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
                                if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
-                                       LED_C_INV();
+                                       LED_B_OFF();
+                                       LED_C_ON();
 
                                        if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false)) break;
 
@@ -2464,7 +2588,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
 
        } // main cycle
 
-       DbpString("COMMAND FINISHED");
+       DbpString("COMMAND FINISHED.");
 
        FpgaDisableSscDma();
        MfSniffEnd();
Impressum, Datenschutz