+ nt_diff = (nt_diff + 1) & 0x07;
+ mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
+ par[0] = par_low;
+ } else {
+ if (nt_diff == 0 && first_try)
+ {
+ par[0]++;
+ if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
+ isOK = -2;
+ break;
+ }
+ } else {
+ par[0] = ((par[0] & 0x1F) + 1) | par_low;
+ }
+ }
+ }
+
+
+ mf_nr_ar[3] &= 0x1F;
+
+ if (isOK == -4) {
+ if (MF_DBGLEVEL >= 3) {
+ for(uint16_t i = 0; i < MAX_SYNC_TRIES; i++) {
+ Dbprintf("collected debug info[%d] = %d\n", i, debug_info[i]);
+ }
+ }
+ }
+
+ byte_t buf[28];
+ memcpy(buf + 0, uid, 4);
+ num_to_bytes(nt, 4, buf + 4);
+ memcpy(buf + 8, par_list, 8);
+ memcpy(buf + 16, ks_list, 8);
+ memcpy(buf + 24, mf_nr_ar, 4);
+
+ cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+
+ set_tracing(FALSE);
+}
+
+/**
+ *MIFARE 1K simulate.
+ *
+ *@param flags :
+ * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
+ * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
+ * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
+ * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
+ *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
+ */
+void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
+{
+ int cardSTATE = MFEMUL_NOFIELD;
+ int _7BUID = 0;
+ int vHf = 0; // in mV
+ int res;
+ uint32_t selTimer = 0;
+ uint32_t authTimer = 0;
+ uint16_t len = 0;
+ uint8_t cardWRBL = 0;
+ uint8_t cardAUTHSC = 0;
+ uint8_t cardAUTHKEY = 0xff; // no authentication
+ uint32_t cardRr = 0;
+ uint32_t cuid = 0;
+ //uint32_t rn_enc = 0;
+ uint32_t ans = 0;
+ uint32_t cardINTREG = 0;
+ uint8_t cardINTBLOCK = 0;
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+ uint32_t numReads = 0;//Counts numer of times reader read a block
+ uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
+ uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
+ uint8_t response[MAX_MIFARE_FRAME_SIZE];
+ uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
+
+ uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
+ uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
+ uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
+ uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
+ uint8_t rSAK1[] = {0x04, 0xda, 0x17};
+
+ uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
+ uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
+
+ //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
+ // This can be used in a reader-only attack.
+ // (it can also be retrieved via 'hf 14a list', but hey...
+ uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0};
+ uint8_t ar_nr_collected = 0;
+
+ // Authenticate response - nonce
+ uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
+
+ //-- Determine the UID
+ // Can be set from emulator memory, incoming data
+ // and can be 7 or 4 bytes long
+ if (flags & FLAG_4B_UID_IN_DATA)
+ {
+ // 4B uid comes from data-portion of packet
+ memcpy(rUIDBCC1,datain,4);
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+
+ } else if (flags & FLAG_7B_UID_IN_DATA) {
+ // 7B uid comes from data-portion of packet
+ memcpy(&rUIDBCC1[1],datain,3);
+ memcpy(rUIDBCC2, datain+3, 4);
+ _7BUID = true;
+ } else {
+ // get UID from emul memory
+ emlGetMemBt(receivedCmd, 7, 1);
+ _7BUID = !(receivedCmd[0] == 0x00);
+ if (!_7BUID) { // ---------- 4BUID
+ emlGetMemBt(rUIDBCC1, 0, 4);
+ } else { // ---------- 7BUID
+ emlGetMemBt(&rUIDBCC1[1], 0, 3);
+ emlGetMemBt(rUIDBCC2, 3, 4);
+ }
+ }
+
+ /*
+ * Regardless of what method was used to set the UID, set fifth byte and modify
+ * the ATQA for 4 or 7-byte UID
+ */
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ if (_7BUID) {
+ rATQA[0] = 0x44;
+ rUIDBCC1[0] = 0x88;
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+ }
+
+ if (MF_DBGLEVEL >= 1) {
+ if (!_7BUID) {
+ Dbprintf("4B UID: %02x%02x%02x%02x",
+ rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
+ } else {
+ Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
+ rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
+ rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
+ }
+ }
+
+ // We need to listen to the high-frequency, peak-detected path.
+ iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
+ // free eventually allocated BigBuf memory but keep Emulator Memory
+ BigBuf_free_keep_EM();
+
+ // clear trace
+ clear_trace();
+ set_tracing(TRUE);
+
+
+ bool finished = FALSE;
+ while (!BUTTON_PRESS() && !finished) {
+ WDT_HIT();
+
+ // find reader field
+ if (cardSTATE == MFEMUL_NOFIELD) {
+ vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
+ if (vHf > MF_MINFIELDV) {
+ cardSTATE_TO_IDLE();
+ LED_A_ON();
+ }
+ }
+ if(cardSTATE == MFEMUL_NOFIELD) continue;
+
+ //Now, get data
+
+ res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
+ if (res == 2) { //Field is off!
+ cardSTATE = MFEMUL_NOFIELD;
+ LEDsoff();
+ continue;
+ } else if (res == 1) {
+ break; //return value 1 means button press
+ }
+
+ // REQ or WUP request in ANY state and WUP in HALTED state
+ if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
+ selTimer = GetTickCount();
+ EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
+ cardSTATE = MFEMUL_SELECT1;
+
+ // init crypto block
+ LED_B_OFF();
+ LED_C_OFF();
+ crypto1_destroy(pcs);
+ cardAUTHKEY = 0xff;
+ continue;