X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/3ad48540d4d77f50cc62d16acb78f17019ef431d..eabba3df7e2a09f466e6f5f988d973aff7722cd5:/armsrc/iclass.c diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 017d5eff..73036712 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -994,7 +994,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain { uint8_t mac_responses[64] = { 0 }; - Dbprintf("Going into attack mode"); + Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS); // In this mode, a number of csns are within datain. We'll simulate each one, one at a time // in order to collect MAC's from the reader. This can later be used in an offlne-attack // in order to obtain the keys, as in the "dismantling iclass"-paper. @@ -1169,12 +1169,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader } else if(receivedCmd[0] == 0x05) { // Reader random and reader MAC!!! // Do not respond - // We do not know what to answer, so lets keep quit + // We do not know what to answer, so lets keep quiet resp = resp1; respLen = 0; //order = 5; respdata = NULL; respsize = 0; if (breakAfterMacReceived){ - // TODO, actually return this to the caller instead of just // dbprintf:ing ... Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len, @@ -1296,20 +1295,23 @@ static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int FpgaSetupSsc(); if (wait) - if(*wait < 10) - *wait = 10; + { + if(*wait < 10) *wait = 10; + + for(c = 0; c < *wait;) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { + AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! + c++; + } + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; + (void)r; + } + WDT_HIT(); + } + + } - for(c = 0; c < *wait;) { - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! - c++; - } - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; - (void)r; - } - WDT_HIT(); - } uint8_t sendbyte; bool firstpart = TRUE; @@ -1467,69 +1469,109 @@ int ReaderReceiveIClass(uint8_t* receivedAnswer) return Demod.len; } -// Reader iClass Anticollission -void ReaderIClass(uint8_t arg0) { - uint8_t act_all[] = { 0x0a }; - uint8_t identify[] = { 0x0c }; - uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +void setupIclassReader() +{ + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + // Reset trace buffer + iso14a_set_tracing(TRUE); + iso14a_clear_trace(); - uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes + // Setup SSC + FpgaSetupSsc(); + // Start from off (no field generated) + // Signal field is off with the appropriate LED + LED_D_OFF(); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + SpinDelay(200); - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - // Reset trace buffer - memset(trace, 0x44, RECV_CMD_OFFSET); - traceLen = 0; + // Now give it time to spin up. + // Signal field is on with the appropriate LED + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); + SpinDelay(200); + LED_A_ON(); - // Setup SSC - FpgaSetupSsc(); - // Start from off (no field generated) - // Signal field is off with the appropriate LED - LED_D_OFF(); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); +} - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); +// Reader iClass Anticollission +void ReaderIClass(uint8_t arg0) { + uint8_t act_all[] = { 0x0a }; + uint8_t identify[] = { 0x0c }; + uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + uint8_t readcheck_cc[]= { 0x88, 0x02 }; - // Now give it time to spin up. - // Signal field is on with the appropriate LED - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - SpinDelay(200); + uint8_t card_data[24]={0}; + uint8_t last_csn[8]={0}; - LED_A_ON(); + uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes - for(;;) { - - if(traceLen > TRACE_SIZE) { - DbpString("Trace full"); - break; - } - - if (BUTTON_PRESS()) break; + int read_status= 0; + bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE; - // Send act_all - ReaderTransmitIClass(act_all, 1); - // Card present? - if(ReaderReceiveIClass(resp)) { - ReaderTransmitIClass(identify, 1); - if(ReaderReceiveIClass(resp) == 10) { - // Select card - memcpy(&select[1],resp,8); - ReaderTransmitIClass(select, sizeof(select)); + setupIclassReader(); - if(ReaderReceiveIClass(resp) == 10) { - Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x", - resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); - } - // Card selected, whats next... ;-) - } - } - WDT_HIT(); - } - - LED_A_OFF(); + size_t datasize = 0; + while(!BUTTON_PRESS()) + { + WDT_HIT(); + + // Send act_all + ReaderTransmitIClass(act_all, 1); + // Card present? + if(ReaderReceiveIClass(resp)) { + + ReaderTransmitIClass(identify, 1); + + if(ReaderReceiveIClass(resp) == 10) { + //Copy the Anti-collision CSN to our select-packet + memcpy(&select[1],resp,8); + //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2], + // resp[3], resp[4], resp[5], + // resp[6], resp[7]); + //Select the card + ReaderTransmitIClass(select, sizeof(select)); + + if(ReaderReceiveIClass(resp) == 10) { + //Save CSN in response data + memcpy(card_data,resp,8); + datasize += 8; + //Flag that we got to at least stage 1, read CSN + read_status = 1; + + // Card selected + //Dbprintf("Readcheck on Sector 2"); + ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); + if(ReaderReceiveIClass(resp) == 8) { + //Save CC (e-purse) in response data + memcpy(card_data+8,resp,8); + datasize += 8; + //Got both + read_status = 2; + } + + LED_B_ON(); + //Send back to client, but don't bother if we already sent this + if(memcmp(last_csn, card_data, 8) != 0) + cmd_send(CMD_ACK,read_status,0,0,card_data,datasize); + + //Save that we already sent this.... + if(read_status == 2) + memcpy(last_csn, card_data, 8); + + LED_B_OFF(); + + if(abort_after_read) break; + } + } + } + + if(traceLen > TRACE_SIZE) { + DbpString("Trace full"); + break; + } + } + LED_A_OFF(); } void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { @@ -1555,26 +1597,8 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes - // Reset trace buffer - memset(trace, 0x44, RECV_CMD_OFFSET); - traceLen = 0; - - // Setup SSC - FpgaSetupSsc(); - // Start from off (no field generated) - // Signal field is off with the appropriate LED - LED_D_OFF(); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); - - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + setupIclassReader(); - // Now give it time to spin up. - // Signal field is on with the appropriate LED - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - SpinDelay(200); - - LED_A_ON(); for(int i=0;i<1;i++) { @@ -1613,8 +1637,8 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { Dbprintf("Authenticate"); //for now replay captured auth (as cc not updated) memcpy(check+5,MAC,4); - Dbprintf(" AA: %02x %02x %02x %02x", - check[5], check[6], check[7],check[8]); + //Dbprintf(" AA: %02x %02x %02x %02x", + // check[5], check[6], check[7],check[8]); ReaderTransmitIClass(check, sizeof(check)); if(ReaderReceiveIClass(resp) == 4) { Dbprintf(" AR: %02x %02x %02x %02x", @@ -1675,103 +1699,6 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { LED_A_OFF(); } -//1. Create Method to Read sectors/blocks 0,1,2 and Send to client -void IClass_iso14443A_GetPublic(uint8_t arg0) { - uint8_t act_all[] = { 0x0a }; - uint8_t identify[] = { 0x0c }; - uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t readcheck_cc[]= { 0x88, 0x02 }; - //uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 }; - uint8_t card_data[24]={0}; - - //bool read_success=false; - uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes - - // Reset trace buffer - memset(trace, 0x44, RECV_CMD_OFFSET); - traceLen = 0; - - // Setup SSC - FpgaSetupSsc(); - // Start from off (no field generated) - // Signal field is off with the appropriate LED - LED_D_OFF(); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); - - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - - // Now give it time to spin up. - // Signal field is on with the appropriate LED - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - SpinDelay(200); - - LED_A_ON(); - - for(int i=0;i<1;i++) { - - if(traceLen > TRACE_SIZE) { - DbpString("Trace full"); - break; - } - - if (BUTTON_PRESS()) break; - - // Send act_all - ReaderTransmitIClass(act_all, 1); - // Card present? - if(ReaderReceiveIClass(resp)) { - ReaderTransmitIClass(identify, 1); - if(ReaderReceiveIClass(resp) == 10) { - // Select card - memcpy(&select[1],resp,8); - ReaderTransmitIClass(select, sizeof(select)); - - if(ReaderReceiveIClass(resp) == 10) { - Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x", - resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); - } - memcpy(card_data,resp,8); - // Card selected - Dbprintf("Readcheck on Sector 2"); - ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); - if(ReaderReceiveIClass(resp) == 8) { - Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x", - resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); - } - memcpy(card_data+8,resp,8); - //prep to read config block - /* read card configuration block - while(!read_success){ - uint8_t sector_config=0x01; - memcpy(read+1,§or_config,1); - ReaderTransmitIClass(read, sizeof(read)); - if(ReaderReceiveIClass(resp) == 8) { - Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x", - resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); - read_success=true; - memcpy(card_data+16,resp,8); - } - }*/ - } - } - WDT_HIT(); - } - //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[0],card_data[1],card_data[2],card_data[3],card_data[4],card_data[5],card_data[6],card_data[7]); - //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[8],card_data[9],card_data[10],card_data[11],card_data[12],card_data[13],card_data[14],card_data[15]); - LED_A_OFF(); - LED_B_ON(); - //send data back to the client - cmd_send(CMD_ACK,0,0,0,card_data,16); - LED_B_OFF(); -} - //2. Create Read method (cut-down from above) based off responses from 1. // Since we have the MAC could continue to use replay function. //3. Create Write method