X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/de15fc5fe3090a95cf100c48af340e93a738576a..db2b81ba11bdb125a7ee22b226729f4c70acb1ad:/client/cmdhftopaz.c diff --git a/client/cmdhftopaz.c b/client/cmdhftopaz.c index 95e988ed..ebe3a571 100644 --- a/client/cmdhftopaz.c +++ b/client/cmdhftopaz.c @@ -22,7 +22,26 @@ #include "iso14443crc.h" #include "protocols.h" +#define TOPAZ_STATIC_MEMORY (0x0f * 8) +typedef struct dynamic_lock_area { + struct dynamic_lock_area *next; + uint16_t byte_offset; + uint16_t size_in_bits; + uint16_t first_locked_byte; + uint16_t bytes_locked_per_bit; +} dynamic_lock_area_t; + + +static struct { + uint8_t HR01[2]; + uint8_t uid[7]; + uint8_t size; + uint8_t data_blocks[TOPAZ_STATIC_MEMORY/8][8]; + dynamic_lock_area_t *dynamic_lock_areas; + uint8_t *dynamic_reserved_areas; + uint8_t *dynamic_memory; +} topaz_tag; static void topaz_switch_on_field(void) @@ -92,12 +111,12 @@ static int topaz_select(uint8_t *atqa, uint8_t *rid_response) } -static int topaz_rall(uint8_t *uid, uint8_t *rall_response) +static int topaz_rall(uint8_t *uid, uint8_t *response) { uint8_t rall_cmd[] = {TOPAZ_RALL, 0, 0, 0, 0, 0, 0, 0, 0}; memcpy(&rall_cmd[3], uid, 4); - if (!topaz_send_cmd(rall_cmd, sizeof(rall_cmd), rall_response)) { + if (!topaz_send_cmd(rall_cmd, sizeof(rall_cmd), response)) { topaz_switch_off_field(); return -1; // RALL failed } @@ -106,8 +125,46 @@ static int topaz_rall(uint8_t *uid, uint8_t *rall_response) } -static bool topaz_block_is_locked(uint8_t blockno, uint8_t *lockbits) +static dynamic_lock_area_t *get_dynamic_lock_area(uint16_t byteno) +{ + dynamic_lock_area_t *lock_area; + + lock_area = topaz_tag.dynamic_lock_areas; + + while (lock_area != NULL) { + if (byteno < lock_area->first_locked_byte) { + lock_area = lock_area->next; + } else { + return lock_area; + } + } + + return NULL; +} + + +// check if a memory block (8 Bytes) is locked. +// TODO: support other sizes of locked_bytes_per_bit (current assumption: each lock bit locks 8 Bytes) +static bool topaz_byte_is_locked(uint16_t byteno) { + uint8_t *lockbits; + uint16_t locked_bytes_per_bit; + dynamic_lock_area_t *lock_area; + + if (byteno < TOPAZ_STATIC_MEMORY) { + lockbits = &topaz_tag.data_blocks[0x0e][0]; + locked_bytes_per_bit = 8; + } else { + lock_area = get_dynamic_lock_area(byteno); + if (lock_area == NULL) { + return false; + } + locked_bytes_per_bit = lock_area->bytes_locked_per_bit; + byteno = byteno - lock_area->first_locked_byte; + lockbits = &topaz_tag.dynamic_memory[lock_area->byte_offset - TOPAZ_STATIC_MEMORY]; + } + + uint16_t blockno = byteno / locked_bytes_per_bit; if(lockbits[blockno/8] >> (blockno % 8) & 0x01) { return true; } else { @@ -125,7 +182,9 @@ static int topaz_print_CC(uint8_t *data) PrintAndLog("Capability Container: %02x %02x %02x %02x", data[0], data[1], data[2], data[3]); PrintAndLog(" %02x: NDEF Magic Number", data[0]); PrintAndLog(" %02x: version %d.%d supported by tag", data[1], (data[1] & 0xF0) >> 4, data[1] & 0x0f); - PrintAndLog(" %02x: Physical Memory Size of this tag: %d bytes", data[2], (data[2] + 1) * 8); + uint16_t memsize = (data[2] + 1) * 8; + topaz_tag.dynamic_memory = malloc(memsize - TOPAZ_STATIC_MEMORY); + PrintAndLog(" %02x: Physical Memory Size of this tag: %d bytes", data[2], memsize); PrintAndLog(" %02x: %s / %s", data[3], (data[3] & 0xF0) ? "(RFU)" : "Read access granted without any security", (data[3] & 0x0F)==0 ? "Write access granted without any security" : (data[3] & 0x0F)==0x0F ? "No write access granted at all" : "(RFU)"); @@ -172,6 +231,7 @@ static bool topaz_print_lock_control_TLVs(uint8_t *memory) uint16_t length; uint8_t *value; bool lock_TLV_present = false; + uint16_t first_locked_byte = 0x0f * 8; while(*TLV_ptr != 0x03 && *TLV_ptr != 0xFD && *TLV_ptr != 0xFE) { // all Lock Control TLVs shall be present before the NDEF message TLV, the proprietary TLV (and the Terminator TLV) @@ -179,14 +239,30 @@ static bool topaz_print_lock_control_TLVs(uint8_t *memory) if (tag == 0x01) { // the Lock Control TLV uint8_t pages_addr = value[0] >> 4; uint8_t byte_offset = value[0] & 0x0f; - uint8_t size_in_bits = value[1] ? value[1] : 256; - uint8_t bytes_per_page = 1 << (value[2] & 0x0f); - uint8_t bytes_locked_per_bit = 1 << (value[2] >> 4); - PrintAndLog("Lock Area of %d bits at byte offset 0x%02x. Each Lock Bit locks %d bytes.", + uint16_t size_in_bits = value[1] ? value[1] : 256; + uint16_t bytes_per_page = 1 << (value[2] & 0x0f); + uint16_t bytes_locked_per_bit = 1 << (value[2] >> 4); + PrintAndLog("Lock Area of %d bits at byte offset 0x%04x. Each Lock Bit locks %d bytes.", size_in_bits, pages_addr * bytes_per_page + byte_offset, bytes_locked_per_bit); lock_TLV_present = true; + dynamic_lock_area_t *old = topaz_tag.dynamic_lock_areas; + dynamic_lock_area_t *new = topaz_tag.dynamic_lock_areas; + if (old == NULL) { + new = topaz_tag.dynamic_lock_areas = (dynamic_lock_area_t *)malloc(sizeof(dynamic_lock_area_t)); + } else { + while(old->next != NULL) { + old = old->next; + } + new = old->next = (dynamic_lock_area_t *)malloc(sizeof(dynamic_lock_area_t)); + } + new->next = NULL; + new->first_locked_byte = first_locked_byte; + new->byte_offset = pages_addr * bytes_per_page + byte_offset; + new->size_in_bits = size_in_bits; + new->bytes_locked_per_bit = bytes_locked_per_bit; + first_locked_byte = first_locked_byte + size_in_bits*bytes_locked_per_bit; } } @@ -249,15 +325,7 @@ int CmdHFTopazReader(const char *Cmd) uint8_t atqa[2]; uint8_t rid_response[8]; uint8_t *uid_echo = &rid_response[2]; - union { - uint8_t raw_content[124]; - struct { - uint8_t HR[2]; - uint8_t data_block[15][8]; - uint8_t CRC[2]; - } static_memory; - } rall_response; - uint8_t *static_lock_bytes = rall_response.static_memory.data_block[0x0e]; + uint8_t rall_response[124]; status = topaz_select(atqa, rid_response); @@ -279,6 +347,9 @@ int CmdHFTopazReader(const char *Cmd) return -1; } + topaz_tag.HR01[0] = rid_response[0]; + topaz_tag.HR01[1] = rid_response[1]; + // ToDo: CRC check PrintAndLog("HR0 : %02x (%sa Topaz tag (%scapable of carrying a NDEF message), %s memory map)", rid_response[0], (rid_response[0] & 0xF0) == 0x10 ? "" : "not ", @@ -286,7 +357,7 @@ int CmdHFTopazReader(const char *Cmd) (rid_response[0] & 0x0F) == 0x10 ? "static" : "dynamic"); PrintAndLog("HR1 : %02x", rid_response[1]); - status = topaz_rall(uid_echo, rall_response.raw_content); + status = topaz_rall(uid_echo, rall_response); if(status == -1) { PrintAndLog("Error: tag didn't answer to RALL"); @@ -294,46 +365,48 @@ int CmdHFTopazReader(const char *Cmd) return -1; } + memcpy(topaz_tag.uid, rall_response+2, 7); PrintAndLog("UID : %02x %02x %02x %02x %02x %02x %02x", - rall_response.static_memory.data_block[0][6], - rall_response.static_memory.data_block[0][5], - rall_response.static_memory.data_block[0][4], - rall_response.static_memory.data_block[0][3], - rall_response.static_memory.data_block[0][2], - rall_response.static_memory.data_block[0][1], - rall_response.static_memory.data_block[0][0]); + topaz_tag.uid[6], + topaz_tag.uid[5], + topaz_tag.uid[4], + topaz_tag.uid[3], + topaz_tag.uid[2], + topaz_tag.uid[1], + topaz_tag.uid[0]); PrintAndLog(" UID[6] (Manufacturer Byte) = %02x, Manufacturer: %s", - rall_response.static_memory.data_block[0][6], - getTagInfo(rall_response.static_memory.data_block[0][6])); - + topaz_tag.uid[6], + getTagInfo(topaz_tag.uid[6])); + + memcpy(topaz_tag.data_blocks, rall_response+2, 0x10*8); PrintAndLog(""); PrintAndLog("Static Data blocks 00 to 0c:"); - PrintAndLog("block# | offset | Data | Locked?"); + PrintAndLog("block# | offset | Data | Locked(y/n)"); char line[80]; for (uint16_t i = 0; i <= 0x0c; i++) { for (uint16_t j = 0; j < 8; j++) { - sprintf(&line[3*j], "%02x ", rall_response.static_memory.data_block[i][j] /*rall_response[2 + 8*i + j]*/); + sprintf(&line[3*j], "%02x ", topaz_tag.data_blocks[i][j] /*rall_response[2 + 8*i + j]*/); } - PrintAndLog(" 0x%02x | 0x%02x | %s| %-3s", i, i*8, line, topaz_block_is_locked(i, static_lock_bytes) ? "yes" : "no"); + PrintAndLog(" 0x%02x | 0x%04x | %s| %-3s", i, i*8, line, topaz_byte_is_locked(i*8) ? "yyyyyyyy" : "nnnnnnnn"); } PrintAndLog(""); PrintAndLog("Static Reserved block 0d:"); for (uint16_t j = 0; j < 8; j++) { - sprintf(&line[3*j], "%02x ", rall_response.static_memory.data_block[0x0d][j]); + sprintf(&line[3*j], "%02x ", topaz_tag.data_blocks[0x0d][j]); } - PrintAndLog(" 0x%02x | 0x%02x | %s| %-3s", 0x0d, 0x0d*8, line, "n/a"); + PrintAndLog(" 0x%02x | 0x%04x | %s| %-3s", 0x0d, 0x0d*8, line, "n/a"); PrintAndLog(""); - PrintAndLog("Static Lockbits / OTP block 0e:"); + PrintAndLog("Static Lockbits and OTP Bytes:"); for (uint16_t j = 0; j < 8; j++) { - sprintf(&line[3*j], "%02x ", static_lock_bytes[j]); + sprintf(&line[3*j], "%02x ", topaz_tag.data_blocks[0x0e][j]); } - PrintAndLog(" 0x%02x | 0x%02x | %s| %-3s", 0x0e, 0x0e*8, line, "n/a"); + PrintAndLog(" 0x%02x | 0x%04x | %s| %-3s", 0x0e, 0x0e*8, line, "n/a"); PrintAndLog(""); - status = topaz_print_CC(&rall_response.static_memory.data_block[1][0]); + status = topaz_print_CC(&topaz_tag.data_blocks[1][0]); if (status == -1) { PrintAndLog("No NDEF message present"); @@ -342,14 +415,14 @@ int CmdHFTopazReader(const char *Cmd) } PrintAndLog(""); - bool lock_TLV_present = topaz_print_lock_control_TLVs(&rall_response.static_memory.data_block[1][4]); + bool lock_TLV_present = topaz_print_lock_control_TLVs(&topaz_tag.data_blocks[1][4]); PrintAndLog(""); - bool reserved_mem_present = topaz_print_reserved_memory_control_TLVs(&rall_response.static_memory.data_block[1][4]); + bool reserved_mem_present = topaz_print_reserved_memory_control_TLVs(&topaz_tag.data_blocks[1][4]); - topaz_print_lifecycle_state(&rall_response.static_memory.data_block[1][0]); + topaz_print_lifecycle_state(&topaz_tag.data_blocks[1][0]); - topaz_print_NDEF(&rall_response.static_memory.data_block[1][0]); + topaz_print_NDEF(&topaz_tag.data_blocks[1][0]); topaz_switch_off_field(); return 0;