X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/94ad01bfba1c29747f9c42942bbec6b834695ef2..9f6e9d15755fdaefa4fee7a660cac988721268cd:/armsrc/iclass.c diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 7289abbc..be27aa3a 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -954,7 +954,7 @@ static void CodeIClassTagSOF() // Convert from last byte pos to length ToSendMax++; } - +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf); /** * @brief SimulateIClass simulates an iClass card. * @param arg0 type of simulation @@ -977,37 +977,42 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain iso14a_clear_trace(); uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 }; - if(simType == 0) { // Use the CSN from commandline memcpy(csn_crc, datain, 8); - doIClassSimulation(csn_crc,0); + doIClassSimulation(csn_crc,0,NULL); }else if(simType == 1) { - doIClassSimulation(csn_crc,0); + doIClassSimulation(csn_crc,0,NULL); } else if(simType == 2) { + + uint8_t mac_responses[64] = { 0 }; Dbprintf("Going into attack mode"); // In this mode, a number of csns are within datain. We'll simulate each one, one at a time // in order to collect MAC's from the reader. This can later be used in an offlne-attack // in order to obtain the keys, as in the "dismantling iclass"-paper. - for(int i = 0 ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++) + int i = 0; + for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++) { // The usb data is 512 bytes, fitting 65 8-byte CSNs in there. memcpy(csn_crc, datain+(i*8), 8); - if(doIClassSimulation(csn_crc,1)) + if(doIClassSimulation(csn_crc,1,mac_responses)) { return; // Button pressed } } + cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8); + } else{ // We may want a mode here where we hardcode the csns to use (from proxclone). // That will speed things up a little, but not required just yet. Dbprintf("The mode is not implemented, reserved for future use"); } + Dbprintf("Done..."); } /** @@ -1015,7 +1020,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain * @param csn - csn to use * @param breakAfterMacReceived if true, returns after reader MAC has been received. */ -int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf) { // CSN followed by two CRC bytes @@ -1092,10 +1097,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) // Start from off (no field generated) - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); - - + //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + //SpinDelay(200); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); + SpinDelay(100); + StartCountSspClk(); // We need to listen to the high-frequency, peak-detected path. SetAdcMuxFor(GPIO_MUXSEL_HIPKD); FpgaSetupSsc(); @@ -1107,10 +1113,14 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) uint32_t r2t_time =0; LED_A_ON(); - bool displayDebug = true; bool buttonPressed = false; + + /** Hack for testing + memcpy(reader_mac_buf,csn,8); + exitLoop = true; + end hack **/ + while(!exitLoop) { - displayDebug = true; LED_B_OFF(); //Signal tracer @@ -1131,13 +1141,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) resp = resp1; respLen = resp1Len; //order = 1; respdata = &sof; respsize = sizeof(sof); - displayDebug = false; } else if(receivedCmd[0] == 0x0c) { // Reader asks for anticollission CSN resp = resp2; respLen = resp2Len; //order = 2; respdata = response2; respsize = sizeof(response2); - //displayDebug = false; //DbpString("Reader requests anticollission CSN:"); } else if(receivedCmd[0] == 0x81) { // Reader selects anticollission CSN. @@ -1162,11 +1170,15 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) if (breakAfterMacReceived){ // TODO, actually return this to the caller instead of just // dbprintf:ing ... - Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"); + Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3], receivedCmd[4], receivedCmd[5], receivedCmd[6], receivedCmd[7], receivedCmd[8]); + if (reader_mac_buf != NULL) + { + memcpy(reader_mac_buf,receivedCmd+1,8); + } exitLoop = true; } } else if(receivedCmd[0] == 0x00 && len == 1) { @@ -1190,7 +1202,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) if(cmdsRecvd > 100) { //DbpString("100 commands later..."); - break; + //break; } else { cmdsRecvd++; @@ -1199,29 +1211,13 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) if(respLen > 0) { SendIClassAnswer(resp, respLen, 21); t2r_time = GetCountSspClk(); - -// } - if(displayDebug) Dbprintf("R2T:(len=%d): %x %x %x %x %x %x %x %x %x\nT2R: (total/data =%d/%d): %x %x %x %x %x %x %x %x %x", - len, - receivedCmd[0], receivedCmd[1], receivedCmd[2], - receivedCmd[3], receivedCmd[4], receivedCmd[5], - receivedCmd[6], receivedCmd[7], receivedCmd[8], - respLen,respsize, - resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7], resp[8]); - } if (tracing) { - //LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE); - LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE); LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE); if (respdata != NULL) { - //LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE); - //if(!LogTrace(resp,respLen, rsamples,SwapBits(GetParity(respdata,respsize),respsize),FALSE)) LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE); LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE); @@ -1236,7 +1232,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived) memset(receivedCmd, 0x44, RECV_CMD_SIZE); } - Dbprintf("%x", cmdsRecvd); + //Dbprintf("%x", cmdsRecvd); LED_A_OFF(); LED_B_OFF(); if(buttonPressed)