From: iceman1001 Date: Wed, 7 Jan 2015 21:55:26 +0000 (+0100) Subject: Merge branch 'master' of https://github.com/Proxmark/proxmark3 X-Git-Tag: v2.0.0-rc1~44^2~22 X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/024b97c5076d1c644fe84b250882569923b67c0c?hp=b915fda392487a876ccc7b0c8b79a1b31ca5e398 Merge branch 'master' of https://github.com/Proxmark/proxmark3 Conflicts: client/cmdhf.c --- diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c index 27a5d508..da77cc8a 100644 --- a/armsrc/hitag2.c +++ b/armsrc/hitag2.c @@ -744,7 +744,7 @@ void SnoopHitag(uint32_t type) { // Set up eavesdropping mode, frequency divisor which will drive the FPGA // and analog mux selection. FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz SetAdcMuxFor(GPIO_MUXSEL_LOPKD); RELAY_OFF(); @@ -968,7 +968,7 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) { // Set up simulator mode, frequency divisor which will drive the FPGA // and analog mux selection. FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz SetAdcMuxFor(GPIO_MUXSEL_LOPKD); RELAY_OFF(); diff --git a/armsrc/mifaresniff.c b/armsrc/mifaresniff.c index 910ea74d..fed12772 100644 --- a/armsrc/mifaresniff.c +++ b/armsrc/mifaresniff.c @@ -11,7 +11,6 @@ #include "mifaresniff.h" #include "apps.h" - static int sniffState = SNF_INIT; static uint8_t sniffUIDType; static uint8_t sniffUID[8]; diff --git a/bootrom/bootrom.c b/bootrom/bootrom.c index 0c4831c8..c2c81a9d 100644 --- a/bootrom/bootrom.c +++ b/bootrom/bootrom.c @@ -103,13 +103,11 @@ void UsbPacketReceived(uint8_t *packet, int len) { switch(c->cmd) { case CMD_DEVICE_INFO: { dont_ack = 1; -// c->cmd = CMD_DEVICE_INFO; arg0 = DEVICE_INFO_FLAG_BOOTROM_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM | DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH; if(common_area.flags.osimage_present) { arg0 |= DEVICE_INFO_FLAG_OSIMAGE_PRESENT; } -// UsbSendPacket(packet, len); cmd_send(CMD_DEVICE_INFO,arg0,1,2,0,0); } break; @@ -125,10 +123,8 @@ void UsbPacketReceived(uint8_t *packet, int len) { case CMD_FINISH_WRITE: { uint32_t* flash_mem = (uint32_t*)(&_flash_start); -// p = (volatile uint32_t *)&_flash_start; for (size_t j=0; j<2; j++) { for(i = 0+(64*j); i < 64+(64*j); i++) { - //p[i+60] = c->d.asDwords[i]; flash_mem[i] = c->d.asDwords[i]; } @@ -138,8 +134,6 @@ void UsbPacketReceived(uint8_t *packet, int len) { if( ((flash_address+AT91C_IFLASH_PAGE_SIZE-1) >= end_addr) || (flash_address < start_addr) ) { /* Disallow write */ dont_ack = 1; - // c->cmd = CMD_NACK; - // UsbSendPacket(packet, len); cmd_send(CMD_NACK,0,0,0,0,0); } else { uint32_t page_n = (flash_address - ((uint32_t)flash_mem)) / AT91C_IFLASH_PAGE_SIZE; @@ -147,7 +141,6 @@ void UsbPacketReceived(uint8_t *packet, int len) { AT91C_BASE_EFC0->EFC_FCR = MC_FLASH_COMMAND_KEY | MC_FLASH_COMMAND_PAGEN(page_n) | AT91C_MC_FCMD_START_PROG; - // arg0 = (address - ((uint32_t)flash_s)); } // Wait until flashing of page finishes @@ -155,15 +148,12 @@ void UsbPacketReceived(uint8_t *packet, int len) { while(!((sr = AT91C_BASE_EFC0->EFC_FSR) & AT91C_MC_FRDY)); if(sr & (AT91C_MC_LOCKE | AT91C_MC_PROGE)) { dont_ack = 1; - // c->cmd = CMD_NACK; cmd_send(CMD_NACK,0,0,0,0,0); - // UsbSendPacket(packet, len); } } } break; case CMD_HARDWARE_RESET: { -// USB_D_PLUS_PULLUP_OFF(); usb_disable(); AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST; } break; @@ -189,8 +179,6 @@ void UsbPacketReceived(uint8_t *packet, int len) { } else { start_addr = end_addr = 0; dont_ack = 1; -// c->cmd = CMD_NACK; -// UsbSendPacket(packet, len); cmd_send(CMD_NACK,0,0,0,0,0); } } @@ -202,8 +190,6 @@ void UsbPacketReceived(uint8_t *packet, int len) { } if(!dont_ack) { -// c->cmd = CMD_ACK; -// UsbSendPacket(packet, len); cmd_send(CMD_ACK,arg0,0,0,0,0); } } @@ -219,23 +205,18 @@ static void flash_mode(int externally_entered) usb_enable(); for (volatile size_t i=0; i<0x100000; i++); -// UsbStart(); for(;;) { WDT_HIT(); if (usb_poll()) { rx_len = usb_read(rx,sizeof(UsbCommand)); if (rx_len) { -// DbpString("starting to flash"); UsbPacketReceived(rx,rx_len); } } -// UsbPoll(TRUE); - if(!externally_entered && !BUTTON_PRESS()) { /* Perform a reset to leave flash mode */ -// USB_D_PLUS_PULLUP_OFF(); usb_disable(); LED_B_ON(); AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST; diff --git a/client/cmdhf.c b/client/cmdhf.c index b53742e4..2da4c2d9 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -34,9 +34,97 @@ int CmdHFTune(const char *Cmd) // for the time being. Need better Bigbuf handling. #define TRACE_SIZE 3000 +//The following data is taken from http://www.proxmark.org/forum/viewtopic.php?pid=13501#p13501 +/* +ISO14443A (usually NFC tags) + 26 (7bits) = REQA + 30 = Read (usage: 30+1byte block number+2bytes ISO14443A-CRC - answer: 16bytes) + A2 = Write (usage: A2+1byte block number+4bytes data+2bytes ISO14443A-CRC - answer: 0A [ACK] or 00 [NAK]) + 52 (7bits) = WUPA (usage: 52(7bits) - answer: 2bytes ATQA) + 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) + 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) + 95 20 = Anticollision of cascade level2 + 95 70 = Select of cascade level2 + 50 00 = Halt (usage: 5000+2bytes ISO14443A-CRC - no answer from card) +Mifare + 60 = Authenticate with KeyA + 61 = Authenticate with KeyB + 40 (7bits) = Used to put Chinese Changeable UID cards in special mode (must be followed by 43 (8bits) - answer: 0A) + C0 = Decrement + C1 = Increment + C2 = Restore + B0 = Transfer +Ultralight C + A0 = Compatibility Write (to accomodate MIFARE commands) + 1A = Step1 Authenticate + AF = Step2 Authenticate + + +ISO14443B + 05 = REQB + 1D = ATTRIB + 50 = HALT +SRIX4K (tag does not respond to 05) + 06 00 = INITIATE + 0E xx = SELECT ID (xx = Chip-ID) + 0B = Get UID + 08 yy = Read Block (yy = block number) + 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written) + 0C = Reset to Inventory + 0F = Completion + 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate) + + +ISO15693 + MANDATORY COMMANDS (all ISO15693 tags must support those) + 01 = Inventory (usage: 260100+2bytes ISO15693-CRC - answer: 12bytes) + 02 = Stay Quiet + OPTIONAL COMMANDS (not all tags support them) + 20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes) + 21 = Write Block (usage: 0221+1byte block number+4bytes data+2bytes ISO15693-CRC - answer: 4bytes) + 22 = Lock Block + 23 = Read Multiple Blocks (usage: 0223+1byte 1st block to read+1byte last block to read+2bytes ISO15693-CRC) + 25 = Select + 26 = Reset to Ready + 27 = Write AFI + 28 = Lock AFI + 29 = Write DSFID + 2A = Lock DSFID + 2B = Get_System_Info (usage: 022B+2bytes ISO15693-CRC - answer: 14 or more bytes) + 2C = Read Multiple Block Security Status (usage: 022C+1byte 1st block security to read+1byte last block security to read+2bytes ISO15693-CRC) + +EM Microelectronic CUSTOM COMMANDS + A5 = Active EAS (followed by 1byte IC Manufacturer code+1byte EAS type) + A7 = Write EAS ID (followed by 1byte IC Manufacturer code+2bytes EAS value) + B8 = Get Protection Status for a specific block (followed by 1byte IC Manufacturer code+1byte block number+1byte of how many blocks after the previous is needed the info) + E4 = Login (followed by 1byte IC Manufacturer code+4bytes password) +NXP/Philips CUSTOM COMMANDS + A0 = Inventory Read + A1 = Fast Inventory Read + A2 = Set EAS + A3 = Reset EAS + A4 = Lock EAS + A5 = EAS Alarm + A6 = Password Protect EAS + A7 = Write EAS ID + A8 = Read EPC + B0 = Inventory Page Read + B1 = Fast Inventory Page Read + B2 = Get Random Number + B3 = Set Password + B4 = Write Password + B5 = Lock Password + B6 = Bit Password Protection + B7 = Lock Page Protection Condition + B8 = Get Multiple Block Protection Status + B9 = Destroy SLI + BA = Enable Privacy + BB = 64bit Password Protection + 40 = Long Range CMD (Standard ISO/TR7003:1990) + */ + #define ICLASS_CMD_ACTALL 0x0A -#define ICLASS_CMD_IDENTIFY 0x0C -#define ICLASS_CMD_READ 0x0C +#define ICLASS_CMD_READ_OR_IDENTIFY 0x0C #define ICLASS_CMD_SELECT 0x81 #define ICLASS_CMD_PAGESEL 0x84 #define ICLASS_CMD_READCHECK 0x88 @@ -44,82 +132,108 @@ int CmdHFTune(const char *Cmd) #define ICLASS_CMD_SOF 0x0F #define ICLASS_CMD_HALT 0x00 -#define iso14443_CMD_WUPA 0x52 -#define iso14443_CMD_SELECT 0x93 -#define iso14443_CMD_SELECT_2 0x95 -#define iso14443_CMD_SELECT_3 0x97 -#define iso14443_CMD_REQ 0x26 -#define iso14443_CMD_READBLOCK 0x30 -#define iso14443_CMD_WRITEBLOCK 0xA0 -#define iso14443_CMD_WRITE 0xA2 -#define iso14443_CMD_INC 0xC0 -#define iso14443_CMD_DEC 0xC1 -#define iso14443_CMD_RESTORE 0xC2 -#define iso14443_CMD_TRANSFER 0xB0 -#define iso14443_CMD_HALT 0x50 -#define iso14443_CMD_RATS 0xE0 - -#define iso14443_CMD_AUTH_KEYA 0x60 -#define iso14443_CMD_AUTH_KEYB 0x61 - -#define iso14443_CMD_AUTH_STEP1 0x1A -#define iso14443_CMD_AUTH_STEP2 0xAA -#define iso14443_CMD_AUTH_RESPONSE 0xAF - -#define CHINESE_BACKDOOR_INIT 0x40 -#define CHINESE_BACKDOOR_STEP2 0x43 +#define ISO14443_CMD_REQA 0x26 +#define ISO14443_CMD_READBLOCK 0x30 +#define ISO14443_CMD_WUPA 0x52 +#define ISO14443_CMD_ANTICOLL_OR_SELECT 0x93 +#define ISO14443_CMD_ANTICOLL_OR_SELECT_2 0x95 +#define ISO14443_CMD_WRITEBLOCK 0xA0 // or 0xA2 ? +#define ISO14443_CMD_HALT 0x50 +#define ISO14443_CMD_RATS 0xE0 + +#define MIFARE_AUTH_KEYA 0x60 +#define MIFARE_AUTH_KEYB 0x61 +#define MIFARE_MAGICMODE 0x40 +#define MIFARE_CMD_INC 0xC0 +#define MIFARE_CMD_DEC 0xC1 +#define MIFARE_CMD_RESTORE 0xC2 +#define MIFARE_CMD_TRANSFER 0xB0 + +#define MIFARE_ULC_WRITE 0xA0 +#define MIFARE_ULC_AUTH_1 0x1A +#define MIFARE_ULC_AUTH_2 0xAF + +#define ISO14443B_REQB 0x05 +#define ISO14443B_ATTRIB 0x1D +#define ISO14443B_HALT 0x50 + +//First byte is 26 +#define ISO15693_INVENTORY 0x01 +#define ISO15693_STAYQUIET 0x02 +//First byte is 02 +#define ISO15693_READBLOCK 0x20 +#define ISO15693_WRITEBLOCK 0x21 +#define ISO15693_LOCKBLOCK 0x22 +#define ISO15693_READ_MULTI_BLOCK 0x23 +#define ISO15693_SELECT 0x25 +#define ISO15693_RESET_TO_READY 0x26 +#define ISO15693_WRITE_AFI 0x27 +#define ISO15693_LOCK_AFI 0x28 +#define ISO15693_WRITE_DSFID 0x29 +#define ISO15693_LOCK_DSFID 0x2A +#define ISO15693_GET_SYSTEM_INFO 0x2B +#define ISO15693_READ_MULTI_SECSTATUS 0x2C + + + void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { switch(cmd[0]) { - case iso14443_CMD_WUPA: snprintf(exp,size,"WUPA"); break; - case iso14443_CMD_SELECT:{ - if(cmdsize > 2) + case ISO14443_CMD_WUPA: snprintf(exp,size,"WUPA"); break; + case ISO14443_CMD_ANTICOLL_OR_SELECT:{ + // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) + // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) + if(cmd[2] == 0x70) { snprintf(exp,size,"SELECT_UID"); break; }else { - snprintf(exp,size,"SELECT_ALL"); break; + snprintf(exp,size,"ANTICOLL"); break; + } + } + case ISO14443_CMD_ANTICOLL_OR_SELECT_2:{ + //95 20 = Anticollision of cascade level2 + //95 70 = Select of cascade level2 + if(cmd[2] == 0x70) + { + snprintf(exp,size,"SELECT_UID-2"); break; + }else + { + snprintf(exp,size,"ANTICOLL-2"); break; } } - case iso14443_CMD_SELECT_2: snprintf(exp,size,"SELECT_2"); break; - case iso14443_CMD_REQ: snprintf(exp,size,"REW"); break; - case iso14443_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; - case iso14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; - case iso14443_CMD_WRITE: snprintf(exp,size,"WRITE"); break; - case iso14443_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; - case iso14443_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; - case iso14443_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; - case iso14443_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; - case iso14443_CMD_HALT: snprintf(exp,size,"HALT"); break; - case iso14443_CMD_RATS: snprintf(exp,size,"RATS"); break; - - case iso14443_CMD_AUTH_KEYA: snprintf(exp,size,"AUTH KEY A"); break; - case iso14443_CMD_AUTH_KEYB: snprintf(exp,size,"AUTH KEY B"); break; - case iso14443_CMD_AUTH_STEP1: snprintf(exp,size,"AUTH REQ NONCE"); break; - case iso14443_CMD_AUTH_STEP2: snprintf(exp,size,"AUTH STEP 2"); break; - case iso14443_CMD_AUTH_RESPONSE: snprintf(exp,size,"AUTH RESPONSE"); break; - - case CHINESE_BACKDOOR_INIT: snprintf(exp,size,"BACKDOOR INIT");break; - case CHINESE_BACKDOOR_STEP2: snprintf(exp,size,"BACKDOOR STEP2");break; - default: snprintf(exp,size,"?"); break; + case ISO14443_CMD_REQA: snprintf(exp,size,"REQA"); break; + case ISO14443_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; + case ISO14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; + case ISO14443_CMD_HALT: snprintf(exp,size,"HALT"); break; + case ISO14443_CMD_RATS: snprintf(exp,size,"RATS"); break; + case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; + case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; + case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; + case MIFARE_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; + case MIFARE_AUTH_KEYA: snprintf(exp,size,"AUTH-A"); break; + case MIFARE_AUTH_KEYB: snprintf(exp,size,"AUTH-B"); break; + case MIFARE_MAGICMODE: snprintf(exp,size,"MAGIC"); break; + default: snprintf(exp,size,"?"); break; } return; } void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { - if(cmdsize > 1 && cmd[0] == ICLASS_CMD_READ) - { - snprintf(exp,size,"READ(%d)",cmd[1]); - return; - } - switch(cmd[0]) { case ICLASS_CMD_ACTALL: snprintf(exp,size,"ACTALL"); break; - case ICLASS_CMD_IDENTIFY: snprintf(exp,size,"IDENTIFY"); break; + case ICLASS_CMD_READ_OR_IDENTIFY:{ + if(cmdsize > 1){ + snprintf(exp,size,"READ(%d)",cmd[1]); + }else{ + snprintf(exp,size,"IDENTIFY"); + } + break; + } case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break; case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL"); break; case ICLASS_CMD_READCHECK: snprintf(exp,size,"READCHECK"); break; @@ -131,6 +245,37 @@ void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) return; } +void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) +{ + + if(cmd[0] == 0x26) + { + switch(cmd[1]){ + case ISO15693_INVENTORY :snprintf(exp, size, "INVENTORY");break; + case ISO15693_STAYQUIET :snprintf(exp, size, "STAY_QUIET");break; + default: snprintf(exp,size,"?"); break; + + } + }else if(cmd[0] == 0x02) + { + switch(cmd[1]) + { + case ISO15693_READBLOCK :snprintf(exp, size, "READBLOCK");break; + case ISO15693_WRITEBLOCK :snprintf(exp, size, "WRITEBLOCK");break; + case ISO15693_LOCKBLOCK :snprintf(exp, size, "LOCKBLOCK");break; + case ISO15693_READ_MULTI_BLOCK :snprintf(exp, size, "READ_MULTI_BLOCK");break; + case ISO15693_SELECT :snprintf(exp, size, "SELECT");break; + case ISO15693_RESET_TO_READY :snprintf(exp, size, "RESET_TO_READY");break; + case ISO15693_WRITE_AFI :snprintf(exp, size, "WRITE_AFI");break; + case ISO15693_LOCK_AFI :snprintf(exp, size, "LOCK_AFI");break; + case ISO15693_WRITE_DSFID :snprintf(exp, size, "WRITE_DSFID");break; + case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break; + case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break; + case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break; + default: snprintf(exp,size,"?"); break; + } + } +} uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool showWaitCycles) { @@ -197,7 +342,8 @@ uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool sho // Rough guess that this is a command from the reader // For iClass the command byte is not part of the CRC ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2); - } else { + } + else { // For other data.. CRC might not be applicable (UPDATE commands etc.) ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2); } @@ -217,6 +363,7 @@ uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool sho } } } + } char *crc = crcError ? "!crc" :" "; @@ -224,10 +371,8 @@ uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool sho if(!isResponse) { - if(iclass) - annotateIclass(explanation,sizeof(explanation),frame,data_len); - else - annotateIso14443a(explanation,sizeof(explanation),frame,data_len); + if(iclass) annotateIclass(explanation,sizeof(explanation),frame,data_len); + else annotateIso14443a(explanation,sizeof(explanation),frame,data_len); } int num_lines = (data_len - 1)/16 + 1;