#define FREE_BUFFER_OFFSET (CARD_MEMORY_OFFSET + CARD_MEMORY_SIZE)
#define FREE_BUFFER_SIZE (BIGBUF_SIZE - FREE_BUFFER_OFFSET - 1)
+/*
+The statements above translates into this :
+BIGBUF_SIZE = 40000
+TRACE_OFFSET = 0
+TRACE_SIZE = 3000
+RECV_CMD_OFFSET = 3000
+MAX_FRAME_SIZE = 256
+MAX_PARITY_SIZE = 32
+RECV_CMD_PAR_OFFSET = 3256
+RECV_RESP_OFFSET = 3288
+RECV_RESP_PAR_OFFSET= 3544
+CARD_MEMORY_OFFSET = 3576
+CARD_MEMORY_SIZE = 4096
+DMA_BUFFER_OFFSET = 3576
+DMA_BUFFER_SIZE = 4096
+FREE_BUFFER_OFFSET = 7672
+FREE_BUFFER_SIZE = 32327
+ */
+
extern const uint8_t OddByteParity[256];
extern uint8_t *trace; // = (uint8_t *) BigBuf;
extern int traceLen; // = 0;
#define FPGA_HF_SIMULATOR_MODULATE_BPSK (1<<0)
#define FPGA_HF_SIMULATOR_MODULATE_212K (2<<0)
#define FPGA_HF_SIMULATOR_MODULATE_424K (4<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT 0x5//101
+
// Options for ISO14443A
#define FPGA_HF_ISO14443A_SNIFFER (0<<0)
#define FPGA_HF_ISO14443A_TAGSIM_LISTEN (1<<0)
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
uint32_t time_0 = GetCountSspClk();
-
+ uint32_t time_start = 0;
+ uint32_t time_stop = 0;
int div = 0;
//int div2 = 0;
smpl = decbyter;
if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
rsamples = samples - Uart.samples;
+ time_stop = (GetCountSspClk()-time_0) << 4;
LED_C_ON();
//if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
if(tracing) {
uint8_t parity[MAX_PARITY_SIZE];
GetParity(Uart.output, Uart.byteCnt, parity);
- LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, TRUE);
+ LogTrace(Uart.output,Uart.byteCnt, time_start, time_stop, parity, TRUE);
}
Demod.state = DEMOD_UNSYNCD;
LED_B_OFF();
Uart.byteCnt = 0;
+ }else{
+ time_start = (GetCountSspClk()-time_0) << 4;
}
decbyter = 0;
}
if(div > 3) {
smpl = decbyte;
if(ManchesterDecoding(smpl & 0x0F)) {
- rsamples = samples - Demod.samples;
+ time_stop = (GetCountSspClk()-time_0) << 4;
+
+ rsamples = samples - Demod.samples;
LED_B_ON();
if(tracing) {
uint8_t parity[MAX_PARITY_SIZE];
GetParity(Demod.output, Demod.len, parity);
- LogTrace(Demod.output, Demod.len, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, FALSE);
+ LogTrace(Demod.output, Demod.len, time_start, time_stop, parity, FALSE);
}
-
// And ready to receive another response.
memset(&Demod, 0, sizeof(Demod));
Demod.output = tagToReaderResponse;
Demod.state = DEMOD_UNSYNCD;
LED_C_OFF();
+ }else{
+ time_start = (GetCountSspClk()-time_0) << 4;
}
div = 0;
}
}
+static uint8_t encode4Bits(const uint8_t b)
+{
+ uint8_t c = b & 0xF;
+ // OTA, the least significant bits first
+ // The columns are
+ // 1 - Bit value to send
+ // 2 - Reversed (big-endian)
+ // 3 - Encoded
+ // 4 - Hex values
+
+ switch(c){
+ // 1 2 3 4
+ case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55
+ case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95
+ case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65
+ case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5
+ case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59
+ case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99
+ case 9: return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69
+ case 8: return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9
+ case 7: return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56
+ case 6: return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96
+ case 5: return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66
+ case 4: return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6
+ case 3: return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a
+ case 2: return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a
+ case 1: return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a
+ default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa
+
+ }
+}
//-----------------------------------------------------------------------------
// Prepare tag messages
//-----------------------------------------------------------------------------
static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
{
- //So far a dummy implementation, not used
- //int lastProxToAirDuration =0;
+
+ /*
+ * SOF comprises 3 parts;
+ * * An unmodulated time of 56.64 us
+ * * 24 pulses of 423.75 KHz (fc/32)
+ * * A logic 1, which starts with an unmodulated time of 18.88us
+ * followed by 8 pulses of 423.75kHz (fc/32)
+ *
+ *
+ * EOF comprises 3 parts:
+ * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated
+ * time of 18.88us.
+ * - 24 pulses of fc/32
+ * - An unmodulated time of 56.64 us
+ *
+ *
+ * A logic 0 starts with 8 pulses of fc/32
+ * followed by an unmodulated time of 256/fc (~18,88us).
+ *
+ * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by
+ * 8 pulses of fc/32 (also 18.88us)
+ *
+ * The mode FPGA_HF_SIMULATOR_MODULATE_424K_8BIT which we use to simulate tag,
+ * works like this.
+ * - A 1-bit input to the FPGA becomes 8 pulses on 423.5kHz (fc/32) (18.88us).
+ * - A 0-bit inptu to the FPGA becomes an unmodulated time of 18.88us
+ *
+ * In this mode the SOF can be written as 00011101 = 0x1D
+ * The EOF can be written as 10111000 = 0xb8
+ * A logic 1 is 01
+ * A logic 0 is 10
+ *
+ * */
+
int i;
ToSendReset();
// Send SOF
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0xff;
+ ToSend[++ToSendMax] = 0x1D;
for(i = 0; i < len; i++) {
- int j;
uint8_t b = cmd[i];
-
- // Data bits
- for(j = 0; j < 8; j++) {
- if(b & 1) {
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0xff;
- } else {
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0x00;
- }
- b >>= 1;
- }
+ ToSend[++ToSendMax] = encode4Bits(b & 0xF); //Least significant half
+ ToSend[++ToSendMax] = encode4Bits((b >>4) & 0xF);//Most significant half
}
// Send EOF
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0x00;
-
+ ToSend[++ToSendMax] = 0xB8;
//lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
-
// Convert from last byte pos to length
ToSendMax++;
}
ToSendReset();
// Send SOF
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0xff;
- ToSend[++ToSendMax] = 0x00;
- ToSend[++ToSendMax] = 0xff;
-
+ ToSend[++ToSendMax] = 0x1D;
// lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
-
// Convert from last byte pos to length
ToSendMax++;
}
+
int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
/**
* @brief SimulateIClass simulates an iClass card.
else if(simType == 2)
{
- uint8_t mac_responses[64] = { 0 };
+ uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
// In this mode, a number of csns are within datain. We'll simulate each one, one at a time
// in order to collect MAC's from the reader. This can later be used in an offlne-attack
memcpy(csn_crc, datain+(i*8), 8);
if(doIClassSimulation(csn_crc,1,mac_responses+i*8))
{
+ cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
return; // Button pressed
}
}
*/
int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
{
+
// CSN followed by two CRC bytes
+ uint8_t response1[] = { 0x0F} ;
uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
memcpy(response3,csn,sizeof(response3));
// Reader 81 anticoll. CSN
// Tag CSN
- uint8_t *resp;
- int respLen;
- uint8_t* respdata = NULL;
- int respsize = 0;
- uint8_t sof = 0x0f;
+ uint8_t *modulated_response;
+ int modulated_response_size;
+ uint8_t* trace_data = NULL;
+ int trace_data_size = 0;
+ //uint8_t sof = 0x0f;
- // Respond SOF -- takes 8 bytes
+ // Respond SOF -- takes 1 bytes
uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
int resp1Len;
// Anticollision CSN (rotated CSN)
- // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
- uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
+ // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+ uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 2);
int resp2Len;
// CSN
- // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
- uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
+ // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+ uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 30);
int resp3Len;
// e-Purse
- // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
- uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
+ // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/byte)
+ uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 60);
int resp4Len;
// + 1720..
LED_A_ON();
bool buttonPressed = false;
- /** Hack for testing
- memcpy(reader_mac_buf,csn,8);
- exitLoop = true;
- end hack **/
-
while(!exitLoop) {
LED_B_OFF();
// Okay, look at the command now.
if(receivedCmd[0] == 0x0a ) {
// Reader in anticollission phase
- resp = resp1; respLen = resp1Len; //order = 1;
- respdata = &sof;
- respsize = sizeof(sof);
+ modulated_response = resp1; modulated_response_size = resp1Len; //order = 1;
+ trace_data = response1;
+ trace_data_size = sizeof(response1);
} else if(receivedCmd[0] == 0x0c) {
// Reader asks for anticollission CSN
- resp = resp2; respLen = resp2Len; //order = 2;
- respdata = response2;
- respsize = sizeof(response2);
+ modulated_response = resp2; modulated_response_size = resp2Len; //order = 2;
+ trace_data = response2;
+ trace_data_size = sizeof(response2);
//DbpString("Reader requests anticollission CSN:");
} else if(receivedCmd[0] == 0x81) {
// Reader selects anticollission CSN.
// Tag sends the corresponding real CSN
- resp = resp3; respLen = resp3Len; //order = 3;
- respdata = response3;
- respsize = sizeof(response3);
+ modulated_response = resp3; modulated_response_size = resp3Len; //order = 3;
+ trace_data = response3;
+ trace_data_size = sizeof(response3);
//DbpString("Reader selects anticollission CSN:");
} else if(receivedCmd[0] == 0x88) {
// Read e-purse (88 02)
- resp = resp4; respLen = resp4Len; //order = 4;
- respdata = response4;
- respsize = sizeof(response4);
+ modulated_response = resp4; modulated_response_size = resp4Len; //order = 4;
+ trace_data = response4;
+ trace_data_size = sizeof(response4);
LED_B_ON();
} else if(receivedCmd[0] == 0x05) {
// Reader random and reader MAC!!!
// Do not respond
// We do not know what to answer, so lets keep quiet
- resp = resp1; respLen = 0; //order = 5;
- respdata = NULL;
- respsize = 0;
+ modulated_response = resp1; modulated_response_size = 0; //order = 5;
+ trace_data = NULL;
+ trace_data_size = 0;
if (breakAfterMacReceived){
// dbprintf:ing ...
Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
}
} else if(receivedCmd[0] == 0x00 && len == 1) {
// Reader ends the session
- resp = resp1; respLen = 0; //order = 0;
- respdata = NULL;
- respsize = 0;
+ modulated_response = resp1; modulated_response_size = 0; //order = 0;
+ trace_data = NULL;
+ trace_data_size = 0;
} else {
//#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
// Never seen this command before
receivedCmd[3], receivedCmd[4], receivedCmd[5],
receivedCmd[6], receivedCmd[7], receivedCmd[8]);
// Do not respond
- resp = resp1; respLen = 0; //order = 0;
- respdata = NULL;
- respsize = 0;
+ modulated_response = resp1; modulated_response_size = 0; //order = 0;
+ trace_data = NULL;
+ trace_data_size = 0;
}
if(cmdsRecvd > 100) {
else {
cmdsRecvd++;
}
-
- if(respLen > 0) {
- SendIClassAnswer(resp, respLen, 21);
+ /**
+ A legit tag has about 380us delay between reader EOT and tag SOF.
+ **/
+ if(modulated_response_size > 0) {
+ SendIClassAnswer(modulated_response, modulated_response_size, 1);
t2r_time = GetCountSspClk();
}
GetParity(receivedCmd, len, parity);
LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE);
- if (respdata != NULL) {
- GetParity(respdata, respsize, parity);
- LogTrace(respdata, respsize, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
+ if (trace_data != NULL) {
+ GetParity(trace_data, trace_data_size, parity);
+ LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
}
if(!tracing) {
DbpString("Trace full");
//Dbprintf("%x", cmdsRecvd);
LED_A_OFF();
LED_B_OFF();
+ LED_C_OFF();
+
if(buttonPressed)
{
DbpString("Button pressed");
int i = 0, d=0;//, u = 0, d = 0;
uint8_t b = 0;
- FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
+ //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K_8BIT);
AT91C_BASE_SSC->SSC_THR = 0x00;
FpgaSetupSsc();
AT91C_BASE_SSC->SSC_THR = b;
}
- if (i > respLen +4) break;
+// if (i > respLen +4) break;
+ if (i > respLen +1) break;
}
return 0;
}
// The second response contains the (mandatory) first 24 bits of the UID
- uint8_t response2[5];
+ uint8_t response2[5] = {0x00};
// Check if the uid uses the (optional) part
- uint8_t response2a[5];
+ uint8_t response2a[5] = {0x00};
+
if (uid_2nd) {
response2[0] = 0x88;
num_to_bytes(uid_1st,3,response2+1);
response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
// Prepare the mandatory SAK (for 4 and 7 byte UID)
- uint8_t response3[3];
+ uint8_t response3[3] = {0x00};
response3[0] = sak;
ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
// Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
- uint8_t response3a[3];
+ uint8_t response3a[3] = {0x00};
response3a[0] = sak & 0xFB;
ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point
uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
- uid_resp[uid_resp_bits & 0xf8] |= UIDbit << (uid_resp_bits % 8);
+ uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
}
uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position
uid_resp_bits++;
if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
Dbprintf("Can't select card");\r
- OnError(0);\r
+ //OnError(0);\r
return;\r
};\r
\r
if(mifare_ultra_auth1(cuid, dataoutbuf)){\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) \r
Dbprintf("Authentication part1: Fail.");\r
- OnError(1);\r
+ //OnError(1);\r
return;\r
}\r
\r
if(mifare_ultra_auth2(cuid, key, dataoutbuf)){\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) \r
Dbprintf("Authentication part2: Fail...");\r
- OnError(1);\r
+ //OnError(1);\r
return; \r
}\r
\r
if(!len) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) \r
Dbprintf("Can't select card");\r
- OnError(1);\r
+ //OnError(1);\r
return;\r
};\r
\r
if(mifare_desfire_des_auth1(cuid, dataout)){\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) \r
Dbprintf("Authentication part1: Fail.");\r
- OnError(4);\r
+ //OnError(4);\r
return;\r
}\r
\r
if( isOK) {\r
if (MF_DBGLEVEL >= MF_DBG_EXTENDED) \r
Dbprintf("Authentication part2: Failed"); \r
- OnError(4);\r
+ //OnError(4);\r
return;\r
}\r
\r
cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
-}
+}
\ No newline at end of file
\r
static int sniffState = SNF_INIT;\r
static uint8_t sniffUIDType;\r
-static uint8_t sniffUID[8];\r
-static uint8_t sniffATQA[2];\r
+static uint8_t sniffUID[8] = {0x00};\r
+static uint8_t sniffATQA[2] = {0x00};\r
static uint8_t sniffSAK;\r
-static uint8_t sniffBuf[16];\r
+static uint8_t sniffBuf[16] = {0x00};\r
static uint32_t timerData = 0;\r
\r
\r
emlSetMem((uint8_t *)uid, 0, 1);\r
return;\r
}\r
+\r
+\r
+// Mifare desfire commands\r
+int mifare_sendcmd_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)\r
+{\r
+ uint8_t dcmd[5] = {0x00};\r
+ dcmd[0] = cmd;\r
+ memcpy(dcmd+1,data,2);\r
+ AppendCrc14443a(dcmd, 3);\r
+ \r
+ ReaderTransmit(dcmd, sizeof(dcmd), NULL);\r
+ int len = ReaderReceive(answer, answer_parity);\r
+ if(!len) {\r
+ if (MF_DBGLEVEL >= MF_DBG_ERROR) \r
+ Dbprintf("Authentication failed. Card timeout.");\r
+ return 1;\r
+ }\r
+ return len;\r
+}\r
+\r
+int mifare_sendcmd_special2(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer,uint8_t *answer_parity, uint32_t *timing)\r
+{\r
+ uint8_t dcmd[20] = {0x00};\r
+ dcmd[0] = cmd;\r
+ memcpy(dcmd+1,data,17);\r
+ AppendCrc14443a(dcmd, 18);\r
+\r
+ ReaderTransmit(dcmd, sizeof(dcmd), NULL);\r
+ int len = ReaderReceive(answer, answer_parity);\r
+ if(!len){\r
+ if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
+ Dbprintf("Authentication failed. Card timeout.");\r
+ return 1;\r
+ }\r
+ return len;\r
+}\r
+\r
+int mifare_desfire_des_auth1(uint32_t uid, uint8_t *blockData){\r
+\r
+ int len;\r
+ // load key, keynumber\r
+ uint8_t data[2]={0x0a, 0x00};\r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
+ \r
+ len = mifare_sendcmd_special(NULL, 1, 0x02, data, receivedAnswer,receivedAnswerPar,NULL);\r
+ if (len == 1) {\r
+ if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
+ Dbprintf("Cmd Error: %02x", receivedAnswer[0]);\r
+ return 1;\r
+ }\r
+ \r
+ if (len == 12) {\r
+ if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {\r
+ Dbprintf("Auth1 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",\r
+ receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3],receivedAnswer[4],\r
+ receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],\r
+ receivedAnswer[10],receivedAnswer[11]);\r
+ }\r
+ memcpy(blockData, receivedAnswer, 12);\r
+ return 0;\r
+ }\r
+ return 1;\r
+}\r
+\r
+int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){\r
+\r
+ int len;\r
+ uint8_t data[17] = {0x00};\r
+ data[0] = 0xAF;\r
+ memcpy(data+1,key,16);\r
+ \r
+ uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();\r
+ uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;\r
+ \r
+ len = mifare_sendcmd_special2(NULL, 1, 0x03, data, receivedAnswer, receivedAnswerPar ,NULL);\r
+ \r
+ if ((receivedAnswer[0] == 0x03) && (receivedAnswer[1] == 0xae)) {\r
+ if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
+ Dbprintf("Auth Error: %02x %02x", receivedAnswer[0], receivedAnswer[1]);\r
+ return 1;\r
+ }\r
+ \r
+ if (len == 12){\r
+ if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {\r
+ Dbprintf("Auth2 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",\r
+ receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3],receivedAnswer[4],\r
+ receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],\r
+ receivedAnswer[10],receivedAnswer[11]);\r
+ }\r
+ memcpy(blockData, receivedAnswer, 12);\r
+ return 0;\r
+ }\r
+ return 1;\r
+}
\ No newline at end of file
int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid);
int mifare_ultra_halt(uint32_t uid);
\r
+// desfire\r
+int mifare_sendcmd_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);\r
+int mifare_sendcmd_special2(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer,uint8_t *answer_parity, uint32_t *timing);\r
+int mifare_desfire_des_auth1(uint32_t uid, uint8_t *blockData);\r
+int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData);\r
// crypto functions
void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *receivedCmd, int len);
VPATH = ../common
OBJDIR = obj
-LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm
+LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm -lcrypto
LDFLAGS = $(COMMON_FLAGS)
-CFLAGS = -std=c99 -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4
+CFLAGS = -std=c99 -lcrypto -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4
LUAPLATFORM = generic
-
ifneq (,$(findstring MINGW,$(platform)))
CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui
QTLDLIBS = -L$(QTDIR)/lib -lQtCore4 -lQtGui4
uint32_t cardnum = 0;
if (((hi>>5)&1)==1){//if bit 38 is set then < 37 bit format is used
uint32_t lo2=0;
- lo2=(((hi & 15) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
+ lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
uint8_t idx3 = 1;
while(lo2>1){ //find last bit set to 1 (format len bit)
lo2=lo2>>1;
cardnum = (lo>>1)&0xFFFF;
fc = (lo>>17)&0xFF;
}
- if(fmtLen==37){
- cardnum = (lo>>1)&0x7FFFF;
- fc = ((hi&0xF)<<12)|(lo>>20);
- }
if(fmtLen==34){
cardnum = (lo>>1)&0xFFFF;
fc= ((hi&1)<<15)|(lo>>17);
}
}
else { //if bit 38 is not set then 37 bit format is used
- fmtLen= 37;
- fc =0;
- cardnum=0;
- if(fmtLen==37){
+ fmtLen = 37;
+ fc = 0;
+ cardnum = 0;
+ if(fmtLen == 37){
cardnum = (lo>>1)&0x7FFFF;
fc = ((hi&0xF)<<12)|(lo>>20);
}
// optional arguments - same as CmdpskNRZrawDemod (clock & invert)
int CmdIndalaDecode(const char *Cmd)
{
+ uint8_t verbose = 1;
+ int ans;
+ if (strlen(Cmd)>0){
+ if (Cmd[0]=='0'){
+ verbose=0;
+ ans = PSKnrzDemod("32");
+ }else{
+ ans = PSKnrzDemod(Cmd);
+ }
+ } else{ //default to RF/32
+ ans = PSKnrzDemod("32");
+ }
- int ans=PSKnrzDemod(Cmd);
if (ans < 0){
- PrintAndLog("Error1: %d",ans);
+ if (verbose)
+ PrintAndLog("Error1: %d",ans);
return 0;
}
uint8_t invert=0;
ans = indala26decode(DemodBuffer,(size_t *) &DemodBufferLen, &invert);
if (ans < 1) {
- PrintAndLog("Error2: %d",ans);
+ if (verbose)
+ PrintAndLog("Error2: %d",ans);
return -1;
}
char showbits[251];
- if(invert==1) PrintAndLog("Had to invert bits");
+ if (invert)
+ if (verbose)
+ PrintAndLog("Had to invert bits");
//convert UID to HEX
uint32_t uid1, uid2, uid3, uid4, uid5, uid6, uid7;
int idx;
//prints binary found and saves in graphbuffer for further commands
int CmdpskNRZrawDemod(const char *Cmd)
{
- int errCnt= PSKnrzDemod(Cmd);
+ uint8_t verbose = 1;
+ int errCnt;
+ if (strlen(Cmd)>0){
+ if (Cmd[0]=='0')
+ verbose=0;
+ }
+
+ errCnt = PSKnrzDemod(Cmd);
//output
if (errCnt<0) return 0;
if (errCnt>0){
- PrintAndLog("# Errors during Demoding (shown as 77 in bit stream): %d",errCnt);
+ if (verbose)
+ PrintAndLog("# Errors during Demoding (shown as 77 in bit stream): %d",errCnt);
}
PrintAndLog("PSK or NRZ demoded bitstream:");
// Now output the bitstream to the scrollback by line of 16 bits
40 = Long Range CMD (Standard ISO/TR7003:1990)
*/
-#define ICLASS_CMD_ACTALL 0x0A
+#define ICLASS_CMD_ACTALL 0x0A
#define ICLASS_CMD_READ_OR_IDENTIFY 0x0C
-#define ICLASS_CMD_SELECT 0x81
-#define ICLASS_CMD_PAGESEL 0x84
-#define ICLASS_CMD_READCHECK 0x88
-#define ICLASS_CMD_CHECK 0x05
-#define ICLASS_CMD_SOF 0x0F
-#define ICLASS_CMD_HALT 0x00
-
-#define ISO14443_CMD_REQA 0x26
-#define ISO14443_CMD_READBLOCK 0x30
-#define ISO14443_CMD_WUPA 0x52
-#define ISO14443_CMD_ANTICOLL_OR_SELECT 0x93
-#define ISO14443_CMD_ANTICOLL_OR_SELECT_2 0x95
-#define ISO14443_CMD_WRITEBLOCK 0xA0 // or 0xA2 ?
-#define ISO14443_CMD_HALT 0x50
-#define ISO14443_CMD_RATS 0xE0
+#define ICLASS_CMD_SELECT 0x81
+#define ICLASS_CMD_PAGESEL 0x84
+#define ICLASS_CMD_READCHECK_KD 0x88
+#define ICLASS_CMD_READCHECK_KC 0x18
+#define ICLASS_CMD_CHECK 0x05
+#define ICLASS_CMD_DETECT 0x0F
+#define ICLASS_CMD_HALT 0x00
+#define ICLASS_CMD_UPDATE 0x87
+#define ICLASS_CMD_ACT 0x8E
+#define ICLASS_CMD_READ4 0x06
+
+
+#define ISO14443A_CMD_REQA 0x26
+#define ISO14443A_CMD_READBLOCK 0x30
+#define ISO14443A_CMD_WUPA 0x52
+#define ISO14443A_CMD_ANTICOLL_OR_SELECT 0x93
+#define ISO14443A_CMD_ANTICOLL_OR_SELECT_2 0x95
+#define ISO14443A_CMD_WRITEBLOCK 0xA0 // or 0xA2 ?
+#define ISO14443A_CMD_HALT 0x50
+#define ISO14443A_CMD_RATS 0xE0
#define MIFARE_AUTH_KEYA 0x60
#define MIFARE_AUTH_KEYB 0x61
#define ISO15693_READ_MULTI_SECSTATUS 0x2C
+#define ISO_14443A 0
+#define ICLASS 1
+#define ISO_14443B 2
void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
{
switch(cmd[0])
{
- case ISO14443_CMD_WUPA: snprintf(exp,size,"WUPA"); break;
- case ISO14443_CMD_ANTICOLL_OR_SELECT:{
+ case ISO14443A_CMD_WUPA: snprintf(exp,size,"WUPA"); break;
+ case ISO14443A_CMD_ANTICOLL_OR_SELECT:{
// 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
// 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK)
if(cmd[2] == 0x70)
snprintf(exp,size,"ANTICOLL"); break;
}
}
- case ISO14443_CMD_ANTICOLL_OR_SELECT_2:{
+ case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:{
//95 20 = Anticollision of cascade level2
//95 70 = Select of cascade level2
if(cmd[2] == 0x70)
snprintf(exp,size,"ANTICOLL-2"); break;
}
}
- case ISO14443_CMD_REQA: snprintf(exp,size,"REQA"); break;
- case ISO14443_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break;
- case ISO14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break;
- case ISO14443_CMD_HALT: snprintf(exp,size,"HALT"); break;
- case ISO14443_CMD_RATS: snprintf(exp,size,"RATS"); break;
+ case ISO14443A_CMD_REQA: snprintf(exp,size,"REQA"); break;
+ case ISO14443A_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break;
+ case ISO14443A_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break;
+ case ISO14443A_CMD_HALT: snprintf(exp,size,"HALT"); break;
+ case ISO14443A_CMD_RATS: snprintf(exp,size,"RATS"); break;
case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break;
case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break;
case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break;
break;
}
case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break;
- case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL"); break;
- case ICLASS_CMD_READCHECK: snprintf(exp,size,"READCHECK"); break;
+ case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL(%d)", cmd[1]); break;
+ case ICLASS_CMD_READCHECK_KC:snprintf(exp,size,"READCHECK[Kc](%d)", cmd[1]); break;
+ case ICLASS_CMD_READCHECK_KD:snprintf(exp,size,"READCHECK[Kd](%d)", cmd[1]); break;
case ICLASS_CMD_CHECK: snprintf(exp,size,"CHECK"); break;
- case ICLASS_CMD_SOF: snprintf(exp,size,"SOF"); break;
+ case ICLASS_CMD_DETECT: snprintf(exp,size,"DETECT"); break;
case ICLASS_CMD_HALT: snprintf(exp,size,"HALT"); break;
+ case ICLASS_CMD_UPDATE: snprintf(exp,size,"UPDATE(%d)",cmd[1]); break;
+ case ICLASS_CMD_ACT: snprintf(exp,size,"ACT"); break;
+ case ICLASS_CMD_READ4: snprintf(exp,size,"READ4(%d)",cmd[1]); break;
default: snprintf(exp,size,"?"); break;
}
return;
case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break;
case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break;
case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break;
- default: snprintf(exp,size,"?"); break;
+ default: snprintf(exp,size,"?"); break;
+ }
+ }
+}
+void annotateIso14443b(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize)
+{
+ switch(cmd[0]){
+ case ISO14443B_REQB : snprintf(exp,size,"REQB");break;
+ case ISO14443B_ATTRIB : snprintf(exp,size,"ATTRIB");break;
+ case ISO14443B_HALT : snprintf(exp,size,"HALT");break;
+ default: snprintf(exp,size ,"?");break;
+ }
+
+}
+
+/**
+ * @brief iso14443B_CRC_Ok Checks CRC in command or response
+ * @param isResponse
+ * @param data
+ * @param len
+ * @return 0 : CRC-command, CRC not ok
+ * 1 : CRC-command, CRC ok
+ * 2 : Not crc-command
+ */
+
+uint8_t iso14443B_CRC_check(bool isResponse, uint8_t* data, uint8_t len)
+{
+ uint8_t b1,b2;
+
+ if(len <= 2) return 2;
+
+ ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2);
+ if(b1 != data[len-2] || b2 != data[len-1]) {
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * @brief iclass_CRC_Ok Checks CRC in command or response
+ * @param isResponse
+ * @param data
+ * @param len
+ * @return 0 : CRC-command, CRC not ok
+ * 1 : CRC-command, CRC ok
+ * 2 : Not crc-command
+ */
+uint8_t iclass_CRC_check(bool isResponse, uint8_t* data, uint8_t len)
+{
+ if(len < 4) return 2;//CRC commands (and responses) are all at least 4 bytes
+
+ uint8_t b1, b2;
+
+ if(!isResponse)//Commands to tag
+ {
+ /**
+ These commands should have CRC. Total length leftmost
+ 4 READ
+ 4 READ4
+ 12 UPDATE - unsecured, ends with CRC16
+ 14 UPDATE - secured, ends with signature instead
+ 4 PAGESEL
+ **/
+ if(len == 4 || len == 12)//Covers three of them
+ {
+ //Don't include the command byte
+ ComputeCrc14443(CRC_ICLASS, (data+1), len-3, &b1, &b2);
+ return b1 == data[len -2] && b2 == data[len-1];
}
+ return 2;
+ }else{
+ /**
+ These tag responses should have CRC. Total length leftmost
+
+ 10 READ data[8] crc[2]
+ 34 READ4 data[32]crc[2]
+ 10 UPDATE data[8] crc[2]
+ 10 SELECT csn[8] crc[2]
+ 10 IDENTIFY asnb[8] crc[2]
+ 10 PAGESEL block1[8] crc[2]
+ 10 DETECT csn[8] crc[2]
+
+ These should not
+
+ 4 CHECK chip_response[4]
+ 8 READCHECK data[8]
+ 1 ACTALL sof[1]
+ 1 ACT sof[1]
+
+ In conclusion, without looking at the command; any response
+ of length 10 or 34 should have CRC
+ **/
+ if(len != 10 && len != 34) return true;
+
+ ComputeCrc14443(CRC_ICLASS, data, len-2, &b1, &b2);
+ return b1 == data[len -2] && b2 == data[len-1];
}
}
-uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool showWaitCycles)
+uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, uint8_t protocol, bool showWaitCycles)
{
bool isResponse;
uint16_t duration, data_len,parity_len;
}
}
//--- Draw the CRC column
- bool crcError = false;
+ uint8_t crcStatus = 2;
if (data_len > 2) {
uint8_t b1, b2;
- if(iclass)
+ if(protocol == ICLASS)
{
- if(!isResponse && data_len == 4 ) {
- // Rough guess that this is a command from the reader
- // For iClass the command byte is not part of the CRC
- ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2);
- } else {
- // For other data.. CRC might not be applicable (UPDATE commands etc.)
- ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2);
- }
-
- if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
- crcError = true;
- }
+ crcStatus = iclass_CRC_check(isResponse, frame, data_len);
- }else{//Iso 14443a
+ }else if (protocol == ISO_14443B)
+ {
+ crcStatus = iso14443B_CRC_check(isResponse, frame, data_len);
+ }
+ else if (protocol == ISO_14443A){//Iso 14443a
ComputeCrc14443(CRC_14443_A, frame, data_len-2, &b1, &b2);
if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
if(!(isResponse & (data_len < 6)))
{
- crcError = true;
+ crcStatus = 0;
}
}
}
}
- char *crc = crcError ? "!crc" :" ";
+ //0 CRC-command, CRC not ok
+ //1 CRC-command, CRC ok
+ //2 Not crc-command
+ char *crc = (crcStatus == 0 ? "!crc" : (crcStatus == 1 ? " ok " : " "));
EndOfTransmissionTimestamp = timestamp + duration;
if(!isResponse)
{
- if(iclass)
+ if(protocol == ICLASS)
annotateIclass(explanation,sizeof(explanation),frame,data_len);
- else
+ else if (protocol == ISO_14443A)
annotateIso14443a(explanation,sizeof(explanation),frame,data_len);
+ else if(protocol == ISO_14443B)
+ annotateIso14443b(explanation,sizeof(explanation),frame,data_len);
}
int num_lines = (data_len - 1)/16 + 1;
int tlen = param_getstr(Cmd,0,type);
char param = param_getchar(Cmd, 1);
bool errors = false;
- bool iclass = false;
+ uint8_t protocol = 0;
//Validate params
- if(tlen == 0 || (strcmp(type, "iclass") != 0 && strcmp(type,"14a") != 0))
+ if(tlen == 0)
{
errors = true;
}
{
errors = true;
}
+ if(!errors)
+ {
+ if(strcmp(type, "iclass") == 0)
+ {
+ protocol = ICLASS;
+ }else if(strcmp(type, "14a") == 0)
+ {
+ protocol = ISO_14443A;
+ }
+ else if(strcmp(type, "14b") == 0)
+ {
+ protocol = ISO_14443B;
+ }else if(strcmp(type,"raw")== 0)
+ {
+ protocol = -1;//No crc, no annotations
+ }else{
+ errors = true;
+ }
+ }
if (errors) {
PrintAndLog("List protocol data in trace buffer.");
- PrintAndLog("Usage: hf list [14a|iclass] [f]");
+ PrintAndLog("Usage: hf list [14a|14b|iclass] [f]");
PrintAndLog(" 14a - interpret data as iso14443a communications");
+ PrintAndLog(" 14b - interpret data as iso14443b communications");
PrintAndLog(" iclass - interpret data as iclass communications");
+ PrintAndLog(" raw - just show raw data");
PrintAndLog(" f - show frame delay times as well");
PrintAndLog("");
PrintAndLog("example: hf list 14a f");
PrintAndLog("example: hf list iclass");
return 0;
}
- if(strcmp(type, "iclass") == 0)
- {
- iclass = true;
- }
+
if (param == 'f') {
showWaitCycles = true;
while(tracepos < TRACE_SIZE)
{
- tracepos = printTraceLine(tracepos, trace, iclass, showWaitCycles);
+ tracepos = printTraceLine(tracepos, trace, protocol, showWaitCycles);
}
return 0;
}
return 0;
}
- if (!offline || (cmdp != '1') ){
+ if (!offline && (cmdp != '1')){
ans=CmdLFRead("");
- ans=CmdSamples("20000");
+ ans=CmdSamples("20000");
} else if (GraphTraceLen < 1000) {
PrintAndLog("Data in Graphbuffer was too small.");
return 0;
}
+ PrintAndLog("NOTE: some demods output possible binary\n if it finds something that looks like a tag");
PrintAndLog("Checking for known tags:");
- ans=Cmdaskmandemod("");
- if (ans>0) return 1;
- ans=CmdFSKdemodHID("");
- if (ans>0) return 1;
ans=CmdFSKdemodIO("");
- if (ans>0) return 1;
+ if (ans>0) {
+ PrintAndLog("Valid IO Prox ID Found!");
+ return 1;
+ }
+ ans=CmdFSKdemodHID("");
+ if (ans>0) {
+ PrintAndLog("Valid HID Prox ID Found!");
+ return 1;
+ }
//add psk and indala
- ans=CmdIndalaDemod("");
- if (ans>0) return 1;
- ans=CmdIndalaDemod("224");
- if (ans>0) return 1;
+ ans=CmdIndalaDecode("0");
+ if (ans>0) {
+ PrintAndLog("Valid Indala ID Found!");
+ return 1;
+ }
+ ans=Cmdaskmandemod("");
+ if (ans>0) {
+ PrintAndLog("Valid EM410x ID Found!");
+ return 1;
+ }
PrintAndLog("No Known Tags Found!\n");
return 0;
}
/*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
* used in iClass, and RFID techology.
*
* The implementation is based on the work performed by
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
****************************************************************************/
+
#include "cipher.h"
#include "cipherutils.h"
#include <stdio.h>
/*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
* used in iClass, and RFID techology.
*
* The implementation is based on the work performed by
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
****************************************************************************/
+
#ifndef CIPHER_H
#define CIPHER_H
#include <stdint.h>
/*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
* used in iClass, and RFID techology.
*
* The implementation is based on the work performed by
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
****************************************************************************/
#include <stdint.h>
/*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
* used in iClass, and RFID techology.
*
* The implementation is based on the work performed by
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
****************************************************************************/
+
#ifndef CIPHERUTILS_H
#define CIPHERUTILS_H
#include <stdint.h>
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
+ ****************************************************************************/
+
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
*/
int bruteforceFile(const char *filename, uint16_t keytable[])
{
+
FILE *f = fopen(filename, "rb");
if(!f) {
prnlog("Failed to read from file '%s'", filename);
prnlog("[+] Iclass key permutation OK!");
return 0;
}
+int _testHash1()
+{
+ uint8_t csn[8]= {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0};
+ uint8_t k[8] = {0};
+ hash1(csn, k);
+ uint8_t expected[8] = {0x7E,0x72,0x2F,0x40,0x2D,0x02,0x51,0x42};
+ if(memcmp(k,expected,8) != 0)
+ {
+ prnlog("Error with hash1!");
+ printarr("calculated", k, 8);
+ printarr("expected", expected, 8);
+ return 1;
+ }
+ return 0;
+}
int testElite()
{
prnlog("[+] Hash2 looks fine...");
}
- prnlog("[+] Testing key diversification ...");
-
int errors = 0 ;
- errors +=_test_iclass_key_permutation();
+ prnlog("[+] Testing hash1...");
+ errors += _testHash1();
+ prnlog("[+] Testing key diversification ...");
+ errors +=_test_iclass_key_permutation();
errors += _testBruteforce();
+
return errors;
}
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
+ ****************************************************************************/
+
+
#ifndef ELITE_CRACK_H
#define ELITE_CRACK_H
void permutekey(uint8_t key[8], uint8_t dest[8]);
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
+ ****************************************************************************/
+
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*Opening file for writing in binary mode*/
FILE *fileHandle=fopen(fileName,"wb");
if(!fileHandle) {
- PrintAndLog("Failed to write to file '%s'", fileName);
+ prnlog("Failed to write to file '%s'", fileName);
free(fileName);
return 1;
}
fwrite(data, 1, datalen, fileHandle);
fclose(fileHandle);
- PrintAndLog("Saved data to '%s'", fileName);
-
+ prnlog("Saved data to '%s'", fileName);
free(fileName);
return 0;
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
+ ****************************************************************************/
+
#ifndef FILEUTILS_H
#define FILEUTILS_H
/**
/*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
* used in iClass, and RFID techology.
*
* The implementation is based on the work performed by
* Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
* Milosch Meriac in the paper "Dismantling IClass".
*
- * This is a reference implementation of iclass key diversification. I'm sure it can be
- * optimized heavily. It is written for ease of understanding and correctness, please take it
- * and tweak it and make a super fast version instead, using this for testing and verification.
-
* Copyright (C) 2014 Martin Holst Swende
*
* This is free software: you can redistribute it and/or modify
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
****************************************************************************/
+
/**
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
+ ****************************************************************************/
+
#ifndef IKEYS_H
#define IKEYS_H
--- /dev/null
+#ifndef LOCLASS_MAIN_H
+#define LOCLASS_MAIN_H
+
+#endif // LOCLASS_MAIN_H
/*****************************************************************************
- * This file is part of iClassCipher. It is a reconstructon of the cipher engine
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
* used in iClass, and RFID techology.
*
* The implementation is based on the work performed by
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
+ * along with loclass. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ *
****************************************************************************/
+
#include <stdio.h>
-#include <cipherutils.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
errors += testMAC();
errors += doKeyTests(0);
errors += testElite();
+ if(errors)
+ {
+ prnlog("OBS! There were errors!!!");
+ }
return errors;
}
int showHelp()
{
- prnlog("Usage: iclazz [options]");
+ prnlog("Usage: loclass [options]");
prnlog("Options:");
prnlog("-t Perform self-test");
prnlog("-h Show this help");
{
prnlog("IClass Cipher version 1.2, Copyright (C) 2014 Martin Holst Swende\n");
prnlog("Comes with ABSOLUTELY NO WARRANTY");
- prnlog("This is free software, and you are welcome to use, abuse and repackage, please keep the credits\n");
+ prnlog("Released as GPLv2\n");
+ prnlog("WARNING");
+ prnlog("");
+ prnlog("THIS TOOL IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. ");
+ prnlog("");
+ prnlog("USAGE OF THIS TOOL IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL ");
+ prnlog("PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, ");
+ prnlog("AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. ");
+ prnlog("");
+ prnlog("THIS TOOL SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. ");
+
+
char *fileName = NULL;
int c;
while ((c = getopt (argc, argv, "thf:")) != -1)
CMD_EM4X_WRITE_WORD = 0x0219,
CMD_IO_DEMOD_FSK = 0x021A,
CMD_IO_CLONE_TAG = 0x021B,
- CMD_EM410X_DEMOD = 0x021C,
+ CMD_EM410X_DEMOD = 0x021c,
--/* CMD_SET_ADC_MUX: ext1 is 0 for lopkd, 1 for loraw, 2 for hipkd, 3 for hiraw */
--// For the 13.56 MHz tags
return retval\r
end,\r
\r
+ -- input parameter is a string\r
+ -- Swaps the endianess and returns a string, \r
+ -- IE: 'cd7a' -> '7acd' -> 0x7acd\r
+ SwapEndiannessStr = function(s, len)\r
+ if s == nil then return nil end\r
+ if #s == 0 then return '' end\r
+ if type(s) ~= 'string' then return nil end\r
+ \r
+ local retval\r
+ if len == 16 then\r
+ retval = s:sub(3,4)..s:sub(1,2)\r
+ elseif len == 24 then\r
+ retval = s:sub(5,6)..s:sub(3,4)..s:sub(1,2)\r
+ elseif len == 32 then\r
+ retval = s:sub(7,8)..s:sub(5,6)..s:sub(3,4)..s:sub(1,2)\r
+ end\r
+ return retval\r
+ end, \r
------------ CONVERSIONS\r
\r
--\r
local B,K,OUT,I,D=16,"0123456789ABCDEF","",0\r
while IN>0 do\r
I=I+1\r
- IN,D=math.floor(IN/B),math.mod(IN,B)+1\r
+ IN , D = math.floor(IN/B), math.modf(IN,B)+1\r
OUT=string.sub(K,D,D)..OUT\r
end\r
return OUT\r
end
end
+
+ local uid = block0:sub(1,8)
+ local itemtype = block1:sub(1,4)
+ local cardid = block1:sub(9,24)
+
-- Write dump to files
if not DEBUG then
- local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'.bin')
+ local foo = dumplib.SaveAsBinary(bindata, outputTemplate..'_uid_'..uid..'.bin')
print(("Wrote a BIN dump to the file %s"):format(foo))
- local bar = dumplib.SaveAsText(emldata, outputTemplate..'.eml')
+ local bar = dumplib.SaveAsText(emldata, outputTemplate..'_uid_'..uid..'.eml')
print(("Wrote a EML dump to the file %s"):format(bar))
end
- local uid = block0:sub(1,8)
- local itemtype = block1:sub(1,4)
- local cardid = block1:sub(9,24)
-
-- Show info
print( string.rep('--',20) )
print( (' ITEM TYPE : 0x%s - %s'):format(itemtype, toyNames[itemtype]) )
local cmdSetDbgOff = "hf mf dbg 0"
core.console( cmdSetDbgOff)
- -- Look for tag present on reader,
- result, err = lib14a.read1443a(false)
- if not result then return oops(err) end
+ -- if not loadFromDump then
+ -- -- Look for tag present on reader,
+ -- result, err = lib14a.read1443a(false)
+ -- if not result then return oops(err) end
- core.clearCommandBuffer()
+ -- core.clearCommandBuffer()
- if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
- return oops('This is not a TNP3xxx tag. aborting.')
- end
+ -- if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
+ -- return oops('This is not a TNP3xxx tag. aborting.')
+ -- end
- -- Show tag info
- print((' Found tag : %s'):format(result.name))
+ -- -- Show tag info
+ -- print((' Found tag : %s'):format(result.name))
+ -- end
-- Load dump.bin file
print( (' Load data from %s'):format(inputTemplate))
err = LoadEmulator(blocks)
if err then return oops(err) end
core.clearCommandBuffer()
- print('The simulation is now prepared.\n --> run \"hf mf sim 5 '..uid..'\" <--')
+ print('The simulation is now prepared.\n --> run \"hf mf sim u '..uid..' x\" <--')
end
end
main(args)
\ No newline at end of file
#ifndef _PROXMARK_CMD_H_\r
#define _PROXMARK_CMD_H_\r
\r
-#include <common.h>\r
-#include <usb_cmd.h>\r
+#include "common.h"\r
+#include "usb_cmd.h"\r
#include "usb_cdc.h"\r
\r
bool cmd_receive(UsbCommand* cmd);\r
//no arguments needed - built this way in case we want this to be a direct call from "data " cmds in the future
// otherwise could be a void with no arguments
//set defaults
- int high=0, low=128;
uint64_t lo=0;
-
uint32_t i = 0;
- uint32_t initLoopMax = 65;
- if (initLoopMax>size) initLoopMax=size;
-
- for (;i < initLoopMax; ++i) //65 samples should be plenty to find high and low values
- {
- if (BitStream[i] > high)
- high = BitStream[i];
- else if (BitStream[i] < low)
- low = BitStream[i];
- }
- if (((high !=1)||(low !=0))){ //allow only 1s and 0s
+ if (BitStream[10]>1){ //allow only 1s and 0s
// PrintAndLog("no data found");
return 0;
}
idx+=9;
for (i=0; i<10;i++){
for(ii=0; ii<5; ++ii){
- parityTest += BitStream[(i*5)+ii+idx];
+ parityTest ^= BitStream[(i*5)+ii+idx];
}
- if (parityTest== ((parityTest>>1)<<1)){
+ if (!parityTest){
parityTest=0;
for (ii=0; ii<4;++ii){
lo=(lo<<1LL)|(BitStream[(i*5)+ii+idx]);
//PrintAndLog("DEBUG: EM parity failed parity val: %d, i:%d, ii:%d,idx:%d, Buffer: %d%d%d%d%d",parityTest,i,ii,idx,BitStream[idx+ii+(i*5)-5],BitStream[idx+ii+(i*5)-4],BitStream[idx+ii+(i*5)-3],BitStream[idx+ii+(i*5)-2],BitStream[idx+ii+(i*5)-1]);
parityTest=0;
idx-=8;
- if (resetCnt>5)return 0;
+ if (resetCnt>5)return 0; //try 5 times
resetCnt++;
goto restart;//continue;
}
int askmandemod(uint8_t *BinStream, size_t *size, int *clk, int *invert)
{
int i;
- int high = 0, low = 128;
+ int high = 0, low = 255;
*clk=DetectASKClock(BinStream, *size, *clk); //clock default
if (*clk<8) *clk =64;
else if (BinStream[i] < low)
low = BinStream[i];
}
- if ((high < 158) ){ //throw away static
+ if ((high < 129) ){ //throw away static (anything < 1 graph)
//PrintAndLog("no data found");
return -2;
}
{
uint32_t i;
// int invert=0; //invert default
- int high = 0, low = 128;
+ int high = 0, low = 255;
*clk=DetectASKClock(BinStream, *size, *clk); //clock default
uint8_t BitStream[502] = {0};
else if (BinStream[i] < low)
low = BinStream[i];
}
- if ((high < 158)){ //throw away static
+ if ((high < 129)){ //throw away static high has to be more than 0 on graph.
+ //noise <= -10 here
// PrintAndLog("no data found");
return -2;
}
{
uint32_t last_transition = 0;
uint32_t idx = 1;
- uint32_t maxVal=0;
+ //uint32_t maxVal=0;
if (fchigh==0) fchigh=10;
if (fclow==0) fclow=8;
- // we do care about the actual theshold value as sometimes near the center of the
- // wave we may get static that changes direction of wave for one value
- // if our value is too low it might affect the read. and if our tag or
- // antenna is weak a setting too high might not see anything. [marshmellow]
- if (size<100) return 0;
- for(idx=1; idx<100; idx++){
- if(maxVal<dest[idx]) maxVal = dest[idx];
- }
- // set close to the top of the wave threshold with 25% margin for error
- // less likely to get a false transition up there.
- // (but have to be careful not to go too high and miss some short waves)
- uint8_t threshold_value = (uint8_t)(((maxVal-128)*.75)+128);
+ //set the threshold close to 0 (graph) or 128 std to avoid static
+ uint8_t threshold_value = 123;
// sync to first lo-hi transition, and threshold
if ( dest[idx-1]==1 ) {
n=myround2((float)(n+1)/((float)(rfLen)/(float)fclow));
} else {// 0->1 crossing
- n=myround2((float)(n+1)/((float)(rfLen-2)/(float)fchigh)); //-2 for fudge factor
+ n=myround2((float)(n+1)/((float)(rfLen-1)/(float)fchigh)); //-1 for fudge factor
}
if (n == 0) n = 1;
int IOdemodFSK(uint8_t *dest, size_t size)
{
- static const uint8_t THRESHOLD = 140;
+ static const uint8_t THRESHOLD = 129;
uint32_t idx=0;
//make sure buffer has data
if (size < 66) return -1;
{
int i=0;
int peak=0;
- int low=128;
+ int low=255;
int clk[]={16,32,40,50,64,100,128,256};
int loopCnt = 256; //don't need to loop through entire array...
if (size<loopCnt) loopCnt = size;
{
int i=0;
int peak=0;
- int low=128;
+ int low=255;
int clk[]={16,32,40,50,64,100,128,256};
int loopCnt = 2048; //don't need to loop through entire array...
if (size<loopCnt) loopCnt = size;
low = dest[i];
}
}
- peak=(int)(((peak-128)*.90)+128);
- low= (int)(((low-128)*.90)+128);
+ peak=(int)(((peak-128)*.75)+128);
+ low= (int)(((low-128)*.75)+128);
//PrintAndLog("DEBUG: peak: %d, low: %d",peak,low);
int ii;
uint8_t clkCnt;
//test each valid clock from smallest to greatest to see which lines up
for(clkCnt=0; clkCnt < 6; ++clkCnt){
if (clk[clkCnt] == 32){
- tol=0;
+ tol=1;
}else{
tol=0;
}
void pskCleanWave(uint8_t *bitStream, size_t size)
{
int i;
- int low=128;
+ int low=255;
int high=0;
int gap = 4;
// int loopMax = 2048;
{
//26 bit 40134 format (don't know other formats)
int i;
- int long_wait;
- long_wait = 29;//29 leading zeros in format
+ int long_wait=29;//29 leading zeros in format
int start;
int first = 0;
int first2 = 0;
// did not find start sequence
return -1;
}
- //found start once now test length by finding next one
// Inverting signal if needed
if (first == 1) {
for (i = start; i < *size; i++) {
}else *invert=0;
int iii;
+ //found start once now test length by finding next one
for (ii=start+29; ii <= *size - 250; ii++) {
first2 = bitStream[ii];
for (iii = ii; iii < ii + long_wait; iii++) {
int clk2 = DetectpskNRZClock(dest, *size, *clk);
*clk=clk2;
uint32_t i;
- uint8_t high=0, low=128;
+ uint8_t high=0, low=255;
uint32_t gLen = *size;
if (gLen > 1280) gLen=1280;
// get high
int lastBit = 0; //set first clock check
uint32_t bitnum = 0; //output counter
uint8_t tol = 0; //clock tolerance adjust - waves will be accepted as within the clock if they fall + or - this value + clock from last valid wave
- if (*clk==32)tol=2; //clock tolerance may not be needed anymore currently set to + or - 1 but could be increased for poor waves or removed entirely
+ if (*clk==32) tol = 2; //clock tolerance may not be needed anymore currently set to + or - 1 but could be increased for poor waves or removed entirely
uint32_t iii = 0;
uint8_t errCnt =0;
uint32_t bestStart = *size;
#ifndef _USB_CDC_H_\r
#define _USB_CDC_H_\r
\r
-#include <common.h>\r
+#include "common.h"\r
\r
void usb_disable();\r
void usb_enable();\r
else if(~(| adc_d[7:5])) after_hysteresis = 1'b0;
end
+
// Divide 13.56 MHz by 32 to produce the SSP_CLK
// The register is bigger to allow higher division factors of up to /128
-reg [6:0] ssp_clk_divider;
+reg [10:0] ssp_clk_divider;
+
always @(posedge adc_clk)
ssp_clk_divider <= (ssp_clk_divider + 1);
-assign ssp_clk = ssp_clk_divider[4];
+
+reg ssp_clk;
+reg ssp_frame;
+always @(negedge adc_clk)
+begin
+ //If we're in 101, we only need a new bit every 8th carrier bit (53Hz). Otherwise, get next bit at 424Khz
+ if(mod_type == 3'b101)
+ begin
+ if(ssp_clk_divider[7:0] == 8'b00000000)
+ ssp_clk <= 1'b0;
+ if(ssp_clk_divider[7:0] == 8'b10000000)
+ ssp_clk <= 1'b1;
+
+ end
+ else
+ begin
+ if(ssp_clk_divider[4:0] == 5'd0)//[4:0] == 5'b00000)
+ ssp_clk <= 1'b1;
+ if(ssp_clk_divider[4:0] == 5'd16) //[4:0] == 5'b10000)
+ ssp_clk <= 1'b0;
+ end
+end
+
+
+//assign ssp_clk = ssp_clk_divider[4];
// Divide SSP_CLK by 8 to produce the byte framing signal; the phase of
// this is arbitrary, because it's just a bitstream.
always @(negedge ssp_clk)
ssp_frame_divider_from_arm <= (ssp_frame_divider_from_arm + 1);
-reg ssp_frame;
+
+
always @(ssp_frame_divider_to_arm or ssp_frame_divider_from_arm or mod_type)
if(mod_type == 3'b000) // not modulating, so listening, to ARM
ssp_frame = (ssp_frame_divider_to_arm == 3'b000);
else
- ssp_frame = (ssp_frame_divider_from_arm == 3'b000);
+ ssp_frame = (ssp_frame_divider_from_arm == 3'b000);
// Synchronize up the after-hysteresis signal, to produce DIN.
reg ssp_din;
modulating_carrier <= ssp_dout ^ ssp_clk_divider[3]; // XOR means BPSK
else if(mod_type == 3'b010)
modulating_carrier <= ssp_dout & ssp_clk_divider[5]; // switch 212kHz subcarrier on/off
- else if(mod_type == 3'b100)
+ else if(mod_type == 3'b100 || mod_type == 3'b101)
modulating_carrier <= ssp_dout & ssp_clk_divider[4]; // switch 424kHz modulation on/off
else
modulating_carrier <= 1'b0; // yet unused
// This one is always on, so that we can watch the carrier.
assign pwr_oe3 = 1'b0;
-assign dbg = after_hysteresis;
+assign dbg = modulating_carrier;
//reg dbg;
//always @(ssp_dout)
// dbg <= ssp_dout;
projects / proxmark3-svn / commitdiff