X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/3ad48540d4d77f50cc62d16acb78f17019ef431d..e6ee6c4cd135c29fcd3812e0ceea8fe17497700d:/client/cmdhficlass.c diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index 91b5d898..7156b118 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -1,7 +1,7 @@ //----------------------------------------------------------------------------- // Copyright (C) 2010 iZsh , Hagen Fritsch // Copyright (C) 2011 Gerhard de Koning Gans -// Copyright (C) 2014 Midnitesnake & Andy Davies +// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -88,7 +88,7 @@ int CmdHFiClassList(const char *Cmd) timestamp = *((uint32_t *)(got+i)); parityBits = *((uint32_t *)(got+i+4)); len = got[i+8]; - frame = (got+i+9); + frame = (got+i+9); uint32_t next_timestamp = (*((uint32_t *)(got+i+9))) & 0x7fffffff; tagToReader = timestamp & 0x80000000; @@ -98,7 +98,7 @@ int CmdHFiClassList(const char *Cmd) first_timestamp = timestamp; } - // Break and stick with current result if buffer was not completely full + // Break and stick with current result idf buffer was not completely full if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break; char line[1000] = ""; 
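Review bot: The rewritten comment in the `-98,7 +98,7` hunk of CmdHFiClassList introduces a typo, `idf buffer was not completely full`, where the removed line had `if buffer`; the new line should read `// Break and stick with current result if buffer was not completely full`. The break condition on the following line is unchanged, so this is wording only. CmdHFiClassList begins and continues outside the hunk.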
@@ -401,19 +401,30 @@ int CmdHFiClassSim(const char *Cmd) int CmdHFiClassReader(const char *Cmd) { - uint8_t readerType = 0; - - if (strlen(Cmd)<1) { - PrintAndLog("Usage: hf iclass reader "); - PrintAndLog(" sample: hf iclass reader 0"); - return 0; - } - - readerType = param_get8(Cmd, 0); - PrintAndLog("--readertype:%02x", readerType); - - UsbCommand c = {CMD_READER_ICLASS, {readerType}}; + UsbCommand c = {CMD_READER_ICLASS, {0}}; SendCommand(&c); + UsbCommand resp; + while(!ukbhit()){ + if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) { + uint8_t isOK = resp.arg[0] & 0xff; + uint8_t * data = resp.d.asBytes; + + PrintAndLog("isOk:%02x", isOK); + + if(isOK > 0) + { + PrintAndLog("CSN: %s",sprint_hex(data,8)); + } + if(isOK >= 1) + { + PrintAndLog("CC: %s",sprint_hex(data+8,8)); + }else{ + PrintAndLog("No CC obtained"); + } + } else { + PrintAndLog("Command execute timeout"); + } + } return 0; } @@ -450,13 +461,20 @@ int CmdHFiClassReader_Dump(const char *Cmd) uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; //uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; - + uint8_t keytable[128] = {0}; + int elite = 0; + uint8_t *used_key; + int i; if (strlen(Cmd)<1) { - //PrintAndLog("Usage: hf iclass dump "); - //PrintAndLog(" sample: hf iclass dump 0011223344556677 aabbccddeeffgghh FFFFFFFFFFFFFFFF"); - PrintAndLog("Usage: hf iclass dump "); + PrintAndLog("Usage: hf iclass dump [e]"); + PrintAndLog(" Key - A 16 byte master key"); + PrintAndLog(" e - If 'e' is specified, the key is interpreted as the 16 byte"); + PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack"); + PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format"); PrintAndLog(" sample: hf iclass dump 0011223344556677"); + + return 0; } 
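Review bot: In CmdHFiClassReader's new response loop the CC block is guarded by `if(isOK >= 1)`, which is the same condition as the `if(isOK > 0)` guarding the CSN print, so `No CC obtained` can only appear when no CSN was shown either, and an isOK of exactly 1 prints whatever sits at `data+8` as a CC. The dump path in this same commit treats the CC as present only for `isOK > 1`; the reader should match it: `if(isOK > 1)`. Since `WaitForResponseTimeout` blocks for up to 4500 ms inside `while(!ukbhit())`, a keypress is only noticed between replies, which deserves a comment such as `// keypress is checked once per reply (up to 4500 ms apart)` if that latency is intended.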
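Review bot: The new declarations `uint8_t *used_key;` and `int i;` at the top of CmdHFiClassReader_Dump are uninitialized and far from their only use, although the file already relies on C99 mid-block declarations (`uint32_t next_timestamp` in CmdHFiClassList). Initialising the pointer, `uint8_t *used_key = NULL;`, and declaring the loop index in the `for` that uses it in the next hunk would keep the two later assignments the only way the pointer gets a value. The usage text `This key should be on iclass-format` would read better as `in iclass format`. The rest of the function's body is in the following hunk.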
@@ -465,43 +483,85 @@ int CmdHFiClassReader_Dump(const char *Cmd) PrintAndLog("KEY must include 16 HEX symbols"); return 1; } - - /*if (param_gethex(Cmd, 1, CSN, 16)) + + if (param_getchar(Cmd, 1) == 'e') { - PrintAndLog("CSN must include 16 HEX symbols"); - return 1; + PrintAndLog("Elite switch on"); + elite = 1; + + //calc h2 + hash2(KEY, keytable); + printarr_human_readable("keytable", keytable, 128); + } - if (param_gethex(Cmd, 2, CC_temp, 16)) - { - PrintAndLog("CC must include 16 HEX symbols"); - return 1; - }*/ - - UsbCommand c = {CMD_ICLASS_ISO14443A_GETPUBLIC, {0}}; - //memcpy(c.d.asBytes, MAC, 4); + + + UsbCommand c = {CMD_READER_ICLASS, {0}}; + c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE; + SendCommand(&c); UsbCommand resp; + if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) { - uint8_t isOK = resp.arg[0] & 0xff; - uint8_t * data = resp.d.asBytes; - - memcpy(CSN,data,8); - memcpy(CCNR,data+8,8); - PrintAndLog("DEBUG: %s",sprint_hex(CSN,8)); - PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8)); - PrintAndLog("isOk:%02x", isOK); - } else { - PrintAndLog("Command execute timeout"); - } + uint8_t isOK = resp.arg[0] & 0xff; + uint8_t * data = resp.d.asBytes; - diversifyKey(CSN,KEY, div_key); + memcpy(CSN,data,8); + memcpy(CCNR,data+8,8); - doMAC(CCNR,div_key, MAC); + PrintAndLog("isOk:%02x", isOK); - UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}}; - memcpy(d.d.asBytes, MAC, 4); - SendCommand(&d); + if(isOK > 0) + { + PrintAndLog("CSN: %s",sprint_hex(CSN,8)); + } + if(isOK > 1) + { + if(elite) + { + uint8_t key_sel[8] = {0}; + uint8_t key_sel_p[8] = { 0 }; + //Get the key index (hash1) + uint8_t key_index[8] = {0}; + + hash1(CSN, key_index); + printvar("hash1", key_index,8); + for(i = 0; i < 8 ; i++) + key_sel[i] = keytable[key_index[i]] & 0xFF; + printvar("k_sel", key_sel,8); + //Permute from iclass format to standard format + permutekey_rev(key_sel,key_sel_p); + used_key = key_sel_p; + }else{ + //Perhaps this should also be permuted to std format? 
+ // Something like the code below? I have no std system + // to test this with /Martin + + //uint8_t key_sel_p[8] = { 0 }; + //permutekey_rev(KEY,key_sel_p); + //used_key = key_sel_p; + + used_key = KEY; + + } + printvar("Used key",used_key,8); + diversifyKey(CSN,used_key, div_key); + printvar("Div key", div_key, 8); + printvar("CC_NR:",CCNR,12); + doMAC(CCNR,12,div_key, MAC); + printvar("MAC", MAC, 4); + + UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}}; + memcpy(d.d.asBytes, MAC, 4); + SendCommand(&d); + + }else{ + PrintAndLog("Failed to obtain CC! Aborting"); + } + } else { + PrintAndLog("Command execute timeout"); + } return 0; } @@ -543,7 +603,7 @@ int CmdHFiClass_iso14443A_write(const char *Cmd) return 1; } - UsbCommand c = {CMD_ICLASS_ISO14443A_GETPUBLIC, {0}}; + UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}}; SendCommand(&c); UsbCommand resp; @@ -563,7 +623,7 @@ int CmdHFiClass_iso14443A_write(const char *Cmd) diversifyKey(CSN,KEY, div_key); PrintAndLog("Div Key: %s",sprint_hex(div_key,8)); - doMAC(CCNR, div_key, MAC); + doMAC(CCNR, 12,div_key, MAC); UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}}; memcpy(c2.d.asBytes, bldata, 8);
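Review bot: In the elite branch of CmdHFiClassReader_Dump, `key_sel[i] = keytable[key_index[i]] & 0xFF;` indexes the 128-entry `keytable` with a `uint8_t` that can hold 0..255, so the read stays in bounds only if `hash1` guarantees values below 128; nothing in this hunk establishes that, and the `& 0xFF` on a `uint8_t` element is a no-op rather than a guard. If `hash1` is known to mask its output to 7 bits, a comment stating so (`// hash1 yields indices < 128 (keytable size)`) is enough; otherwise bound the index explicitly, `key_sel[i] = keytable[key_index[i] & 0x7F];`. The `else` branch's commented-out permutation block is left as dead code and should either be resolved or reduced to the one-line question it asks. CmdHFiClassReader_Dump starts in the previous hunk; its closing brace is inside this one.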
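Review bot: In CmdHFiClass_iso14443A_write (`-543,7 +603,7` hunk) the first command, followed directly by `UsbCommand resp;`, is changed from `CMD_ICLASS_ISO14443A_GETPUBLIC` to `CMD_ICLASS_ISO14443A_WRITE` with an all-zero argument, while the dump function in this same commit replaced the identical GETPUBLIC call with `CMD_READER_ICLASS` plus `FLAG_ICLASS_READER_ONLY_ONCE`. Unless the device answers a bare WRITE with the CSN/CC, this now issues an empty write before the real one (`c2`, also `CMD_ICLASS_ISO14443A_WRITE`, in the `-563,7` hunk). Making it consistent with the dump path, `UsbCommand c = {CMD_READER_ICLASS, {0}}; c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE;`, would restore the CSN/CC fetch that `diversifyKey(CSN,...)` and `doMAC(CCNR, 12,...)` below depend on. The function starts and ends outside both hunks.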