}
/* And ready to receive another command. */
UartReset();
+ //UartInit(receivedCmd, receivedCmdPar);
/* And also reset the demod code, which might have been */
/* false-triggered by the commands from the reader. */
DemodReset();
// Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
// 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits
// -> need 273 bytes buffer
-#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 273
+// 44 * 8 data bits, 44 * 1 parity bits, 9 start bits, 9 stop bits, 9 correction bits
+#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 370 //273
bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
// Retrieve and store the current buffer index
uint8_t sak;
+ uint8_t blockzeros[512];
+ memset(blockzeros, 0x00, sizeof(blockzeros));
+
+ // PACK response to PWD AUTH for EV1/NTAG
+ uint8_t response8[4];
+
// The first response contains the ATQA (note: bytes are transmitted in reverse order).
uint8_t response1[2];
} break;
case 2: { // MIFARE Ultralight
// Says: I am a stupid memory tag, no crypto
- response1[0] = 0x04;
+ response1[0] = 0x44;
response1[1] = 0x00;
sak = 0x00;
} break;
response1[1] = 0x00;
sak = 0x09;
} break;
+ case 7: { // NTAG?
+ // Says: I am a NTAG,
+ response1[0] = 0x44;
+ response1[1] = 0x00;
+ sak = 0x00;
+ // PACK
+ response8[0] = 0x80;
+ response8[1] = 0x80;
+ ComputeCrc14443(CRC_14443_A, response8, 2, &response8[2], &response8[3]);
+ } break;
default: {
Dbprintf("Error: unkown tagtype (%d)",tagType);
return;
response3a[0] = sak & 0xFB;
ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
- uint8_t response5[] = { 0x01, 0x02, 0x03, 0x04 }; // Very random tag nonce
+ uint8_t response5[] = { 0x01, 0x01, 0x01, 0x01 }; // Very random tag nonce
uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
// Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
// TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
// TC(1) = 0x02: CID supported, NAD not supported
ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
- #define TAG_RESPONSE_COUNT 7
+ // Prepare GET_VERSION (different for EV-1 / NTAG)
+ //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION.
+ uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
+
+ #define TAG_RESPONSE_COUNT 9
tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
{ .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
{ .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
{ .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
{ .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
{ .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
+ { .response = response7_NTAG, .response_n = sizeof(response7_NTAG) }, // EV1/NTAG GET_VERSION response
+ { .response = response8, .response_n = sizeof(response8) }, // EV1/NTAG PACK response
};
// Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
} else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
p_response = &responses[4]; order = 30;
} else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
- EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
- // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
- // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
- p_response = NULL;
+ uint8_t block = receivedCmd[1];
+ if ( tagType == 7 ) {
+
+ if ( block < 4 ) {
+ //NTAG 215
+ uint8_t start = 4 * block;
+
+ uint8_t blockdata[50] = {
+ data[0],data[1],data[2], 0x88 ^ data[0] ^ data[1] ^ data[2],
+ data[3],data[4],data[5],data[6],
+ data[3] ^ data[4] ^ data[5] ^ data[6],0x48,0x0f,0xe0,
+ 0xe1,0x10,0x12,0x00,
+ 0x03,0x00,0xfe,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,
+ 0x00,0x00};
+ ComputeCrc14443(CRC_14443_A, blockdata+start, 16, blockdata+start+17, blockdata+start+18);
+ EmSendCmdEx( blockdata+start, 18, false);
+ } else {
+ ComputeCrc14443(CRC_14443_A, blockzeros,16, blockzeros+17,blockzeros+18);
+ EmSendCmdEx(blockzeros,18,false);
+ }
+ p_response = NULL;
+
+ } else {
+ EmSendCmdEx(data+(4*block),16,false);
+ // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
+ // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
+ p_response = NULL;
+ }
+ } else if(receivedCmd[0] == 0x3A) { // Received a FAST READ -- just returns all zeros.
+ uint8_t len = (receivedCmd[2]- receivedCmd[1] ) * 4;
+ ComputeCrc14443(CRC_14443_A, blockzeros,len, blockzeros+len+1, blockzeros+len+2);
+ EmSendCmdEx(blockzeros,len+2,false);
+ p_response = NULL;
} else if(receivedCmd[0] == 0x50) { // Received a HALT
if (tracing) {
}
p_response = NULL;
} else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
- p_response = &responses[5]; order = 7;
+
+ if ( tagType == 7 ) { // IF NTAG /EV1 0x60 == GET_VERSION, not a authentication request.
+ p_response = &responses[7];
+ } else {
+ p_response = &responses[5]; order = 7;
+ }
} else if(receivedCmd[0] == 0xE0) { // Received a RATS request
if (tagType == 1 || tagType == 2) { // RATS not supported
EmSend4bit(CARD_NACK_NA);
memset(ar_nr_responses, 0x00, len);
}
}
- } else {
+ } else if (receivedCmd[0] == 0x1a ) // ULC authentication
+ {
+
+ }
+ else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication
+ {
+ if ( tagType == 7 ) {
+ p_response = &responses[8]; // PACK response
+ }
+ }
+ else {
// Check for ISO 14443A-4 compliant commands, look at left nibble
switch (receivedCmd[0]) {
uint8_t rSAK[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
uint8_t rSAK1[] = {0x04, 0xda, 0x17};
- uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
+ uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};
uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
//Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
uint8_t ar_nr_collected = 0;
- Dbprintf("FIRE");
-
// free eventually allocated BigBuf memory but keep Emulator Memory
BigBuf_free_keep_EM();
clear_trace();
set_tracing(TRUE);
- Dbprintf("ICE");
// Authenticate response - nonce
uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
}
}
- Dbprintf("ICE2");
// save uid.
ar_nr_responses[0*5] = bytes_to_num(rUIDBCC1+1, 3);
if ( _7BUID )
}
}
- Dbprintf("ICE3");
bool finished = FALSE;
while (!BUTTON_PRESS() && !finished) {
WDT_HIT();
if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
/* And ready to receive another command. */
- UartInit(receivedCmd, receivedCmdPar);
+ //UartInit(receivedCmd, receivedCmdPar);
+ UartReset();
/* And also reset the demod code */
DemodReset();
projects / proxmark3-svn / blobdiff