From: iceman1001 Date: Mon, 30 Mar 2015 19:11:37 +0000 (+0200) Subject: Merge branch 'master' of https://github.com/Proxmark/proxmark3 X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/02d352fea75385d80b49a7ab8703692ae307f073?ds=inline;hp=-c Merge branch 'master' of https://github.com/Proxmark/proxmark3 Conflicts: armsrc/iclass.c armsrc/lfops.c client/cmdlf.c common/lfdemod.c include/usb_cmd.h --- 02d352fea75385d80b49a7ab8703692ae307f073 diff --combined armsrc/iclass.c index f62d45de,7b4daa36..e5bd4f42 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@@ -36,7 -36,7 +36,7 @@@ // //----------------------------------------------------------------------------- -#include "proxmark3.h" +#include "../include/proxmark3.h" #include "apps.h" #include "util.h" #include "string.h" @@@ -45,9 -45,8 +45,9 @@@ // Needed for CRC in emulation mode; // same construction as in ISO 14443; // different initial value (CRC_ICLASS) -#include "iso14443crc.h" -#include "iso15693tools.h" +#include "../common/iso14443crc.h" +#include "../common/iso15693tools.h" +//#include "iso15693tools.h" #include "protocols.h" #include "optimized_cipher.h" @@@ -354,7 -353,7 +354,7 @@@ static struct SUB_SECOND_HALF, SUB_BOTH } sub; - uint8_t *output; + uint8_t *output; } Demod; static RAMFUNC int ManchesterDecoding(int v) @@@ -659,7 -658,7 +659,7 @@@ void RAMFUNC SnoopIClass(void clear_trace(); iso14a_set_trigger(FALSE); - int lastRxCounter; + int lastRxCounter; uint8_t *upTo; int smpl; int maxBehindBy = 0; @@@ -775,7 -774,7 +775,7 @@@ if(ManchesterDecoding(smpl & 0x0F)) { time_stop = (GetCountSspClk()-time_0) << 4; - rsamples = samples - Demod.samples; + rsamples = samples - Demod.samples; LED_B_ON(); if(tracing) { @@@ -945,7 -944,7 +945,7 @@@ static void CodeIClassTagAnswer(const u uint8_t b = cmd[i]; ToSend[++ToSendMax] = encode4Bits(b & 0xF); //Least significant half ToSend[++ToSendMax] = encode4Bits((b >>4) & 0xF);//Most significant half - } + } // Send EOF ToSend[++ToSendMax] = 0xB8; @@@ -1231,24 -1230,24 +1231,24 @@@ int doIClassSimulation( int simulationM //exitLoop = true; }else { //Not fullsim, we don't respond - // We do not know what to answer, so lets keep quiet + // We do not know what to answer, so lets keep quiet modulated_response = resp_sof; modulated_response_size = 0; - trace_data = NULL; - trace_data_size = 0; + trace_data = NULL; + trace_data_size = 0; if (simulationMode == MODE_EXIT_AFTER_MAC){ - // dbprintf:ing ... - Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x" - ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); - Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len, - receivedCmd[0], receivedCmd[1], receivedCmd[2], - receivedCmd[3], receivedCmd[4], receivedCmd[5], - receivedCmd[6], receivedCmd[7], receivedCmd[8]); - if (reader_mac_buf != NULL) - { - memcpy(reader_mac_buf,receivedCmd+1,8); - } - exitLoop = true; + // dbprintf:ing ... + Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x" + ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); + Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len, + receivedCmd[0], receivedCmd[1], receivedCmd[2], + receivedCmd[3], receivedCmd[4], receivedCmd[5], + receivedCmd[6], receivedCmd[7], receivedCmd[8]); + if (reader_mac_buf != NULL) + { + memcpy(reader_mac_buf,receivedCmd+1,8); } + exitLoop = true; + } } } else if(receivedCmd[0] == ICLASS_CMD_HALT && len == 1) { @@@ -1405,17 -1404,17 +1405,17 @@@ static void TransmitIClassCommand(cons { if(*wait < 10) *wait = 10; - for(c = 0; c < *wait;) { - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! - c++; - } - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; - (void)r; - } - WDT_HIT(); - } + for(c = 0; c < *wait;) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { + AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! + c++; + } + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; + (void)r; + } + WDT_HIT(); + } } @@@ -1498,18 -1497,18 +1498,18 @@@ void CodeIClassCommand(const uint8_t * void ReaderTransmitIClass(uint8_t* frame, int len) { - int wait = 0; - int samples = 0; + int wait = 0; + int samples = 0; - // This is tied to other size changes - CodeIClassCommand(frame,len); + // This is tied to other size changes + CodeIClassCommand(frame,len); - // Select the card - TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait); - if(trigger) - LED_A_ON(); + // Select the card + TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait); + if(trigger) + LED_A_ON(); - // Store reader command in buffer + // Store reader command in buffer if (tracing) { uint8_t par[MAX_PARITY_SIZE]; GetParity(frame, len, par); @@@ -1545,7 -1544,7 +1545,7 @@@ static int GetIClassAnswer(uint8_t *rec for(;;) { WDT_HIT(); - if(BUTTON_PRESS()) return FALSE; + if(BUTTON_PRESS()) return FALSE; if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!! @@@ -1628,7 -1627,10 +1628,10 @@@ uint8_t handshakeIclassTag(uint8_t *car static uint8_t act_all[] = { 0x0a }; static uint8_t identify[] = { 0x0c }; static uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - static uint8_t readcheck_cc[]= { 0x88, 0x02 }; + + + static uint8_t readcheck_cc[]= { 0x88, 0x02,}; + uint8_t resp[ICLASS_BUFFER_SIZE]; uint8_t read_status = 0; @@@ -1663,28 -1665,33 +1666,33 @@@ if(ReaderReceiveIClass(resp) == 8) { //Save CC (e-purse) in response data memcpy(card_data+8,resp,8); - - //Got both - read_status = 2; + read_status++; } return read_status; } + // Reader iClass Anticollission void ReaderIClass(uint8_t arg0) { - uint8_t card_data[24]={0}; + uint8_t card_data[6 * 8]={0xFF}; uint8_t last_csn[8]={0}; + //Read conf block CRC(0x01) => 0xfa 0x22 + uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x01, 0xfa, 0x22}; + //Read conf block CRC(0x05) => 0xde 0x64 + uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x05, 0xde, 0x64}; + + int read_status= 0; + uint8_t result_status = 0; bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE; - bool get_cc = arg0 & FLAG_ICLASS_READER_GET_CC; + set_tracing(TRUE); setupIclassReader(); - size_t datasize = 0; - while(!BUTTON_PRESS()) + while(!BUTTON_PRESS()) { if(!tracing) { @@@ -1696,36 -1703,61 +1704,61 @@@ read_status = handshakeIclassTag(card_data); if(read_status == 0) continue; - if(read_status == 1) datasize = 8; - if(read_status == 2) datasize = 16; + if(read_status == 1) result_status = FLAG_ICLASS_READER_CSN; + if(read_status == 2) result_status = FLAG_ICLASS_READER_CSN|FLAG_ICLASS_READER_CC; + + // handshakeIclass returns CSN|CC, but the actual block + // layout is CSN|CONFIG|CC, so here we reorder the data, + // moving CC forward 8 bytes + memcpy(card_data+16,card_data+8, 8); + //Read block 1, config + if(arg0 & FLAG_ICLASS_READER_CONF) + { + if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf),card_data+8, 10, 10)) + { + Dbprintf("Failed to dump config block"); + }else + { + result_status |= FLAG_ICLASS_READER_CONF; + } + } - //Todo, read the public blocks 1,5 aswell: - // - // 0 : CSN (we already have) + //Read block 5, AA + if(arg0 & FLAG_ICLASS_READER_AA){ + if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA),card_data+(8*4), 10, 10)) + { + // Dbprintf("Failed to dump AA block"); + }else + { + result_status |= FLAG_ICLASS_READER_AA; + } + } + + // 0 : CSN // 1 : Configuration - // 2 : e-purse (we already have) - // (3,4 write-only) + // 2 : e-purse + // (3,4 write-only, kc and kd) // 5 Application issuer area // //Then we can 'ship' back the 8 * 5 bytes of data, // with 0xFF:s in block 3 and 4. - LED_B_ON(); - //Send back to client, but don't bother if we already sent this - if(memcmp(last_csn, card_data, 8) != 0) + LED_B_ON(); + //Send back to client, but don't bother if we already sent this + if(memcmp(last_csn, card_data, 8) != 0) { - - if(!get_cc || (get_cc && read_status == 2)) + // If caller requires that we get CC, continue until we got it + if( (arg0 & read_status & FLAG_ICLASS_READER_CC) || !(arg0 & FLAG_ICLASS_READER_CC)) { - cmd_send(CMD_ACK,read_status,0,0,card_data,datasize); + cmd_send(CMD_ACK,result_status,0,0,card_data,sizeof(card_data)); if(abort_after_read) { LED_A_OFF(); return; } - //Save that we already sent this.... - memcpy(last_csn, card_data, 8); + //Save that we already sent this.... + memcpy(last_csn, card_data, 8); } - //If 'get_cc' was specified and we didn't get a CC, we'll just keep trying... + } LED_B_OFF(); } @@@ -1778,20 -1810,20 +1811,20 @@@ void ReaderIClass_Replay(uint8_t arg0, uint8_t read_status = handshakeIclassTag(card_data); if(read_status < 2) continue; - //for now replay captured auth (as cc not updated) - memcpy(check+5,MAC,4); + //for now replay captured auth (as cc not updated) + memcpy(check+5,MAC,4); if(sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5)) { - Dbprintf("Error: Authentication Fail!"); + Dbprintf("Error: Authentication Fail!"); continue; - } + } //first get configuration block (block 1) crc = block_crc_LUT[1]; - read[1]=1; - read[2] = crc >> 8; - read[3] = crc & 0xff; + read[1]=1; + read[2] = crc >> 8; + read[3] = crc & 0xff; if(sendCmdGetResponseWithRetries(read, sizeof(read),resp, 10, 10)) { @@@ -1799,12 -1831,12 +1832,12 @@@ continue; } - mem=resp[5]; - memory.k16= (mem & 0x80); - memory.book= (mem & 0x20); - memory.k2= (mem & 0x8); - memory.lockauth= (mem & 0x2); - memory.keyaccess= (mem & 0x1); + mem=resp[5]; + memory.k16= (mem & 0x80); + memory.book= (mem & 0x20); + memory.k2= (mem & 0x8); + memory.lockauth= (mem & 0x2); + memory.keyaccess= (mem & 0x1); cardsize = memory.k16 ? 255 : 32; WDT_HIT(); @@@ -1812,20 -1844,20 +1845,20 @@@ memset(card_data,0x0,USB_CMD_DATA_SIZE); uint8_t failedRead =0; uint32_t stored_data_length =0; - //then loop around remaining blocks + //then loop around remaining blocks for(int block=0; block < cardsize; block++){ read[1]= block; crc = block_crc_LUT[block]; - read[2] = crc >> 8; - read[3] = crc & 0xff; + read[2] = crc >> 8; + read[3] = crc & 0xff; if(!sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 10)) { - Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x", + Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x", block, resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7]); + resp[3], resp[4], resp[5], + resp[6], resp[7]); //Fill up the buffer memcpy(card_data+stored_data_length,resp,8); @@@ -1889,7 -1921,7 +1922,7 @@@ void IClass_iso14443A_write(uint8_t arg uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // Reset trace buffer - memset(trace, 0x44, RECV_CMD_OFFSET); + memset(trace, 0x44, RECV_CMD_OFFSET); traceLen = 0; // Setup SSC diff --combined client/graph.c index 190dfe8f,190dfe8f..f4acc579 --- a/client/graph.c +++ b/client/graph.c @@@ -146,7 -146,7 +146,7 @@@ uint8_t GetPskCarrier(const char str[] } //uint8_t countPSK_FC(uint8_t *BitStream, size_t size) -- carrier = countPSK_FC(grph,size); ++ carrier = countFC(grph,size,0); // Only print this message if we're not looping something if (printAns){ PrintAndLog("Auto-detected PSK carrier rate: %d", carrier); @@@ -232,8 -232,8 +232,7 @@@ uint8_t fskClocks(uint8_t *fc1, uint8_ uint8_t BitStream[MAX_GRAPH_TRACE_LEN]={0}; size_t size = getFromGraphBuf(BitStream); if (size==0) return 0; -- uint8_t dummy = 0; -- uint16_t ans = countFC(BitStream, size, &dummy); ++ uint16_t ans = countFC(BitStream, size, 1); if (ans==0) { if (verbose) PrintAndLog("DEBUG: No data found"); return 0; diff --combined common/ldscript.common index f1b63550,f1b63550..c1a48dfc --- a/common/ldscript.common +++ b/common/ldscript.common @@@ -14,6 -14,6 +14,7 @@@ MEMOR bootphase1 : ORIGIN = 0x00100000, LENGTH = 0x200 /* Phase 1 bootloader: Copies real bootloader to RAM */ bootphase2 : ORIGIN = 0x00100200, LENGTH = 0x2000 - 0x200 /* Main bootloader code, stored in Flash, executed from RAM */ fpgaimage : ORIGIN = 0x00102000, LENGTH = 96k - 0x2000 /* Place where the FPGA image will end up */ ++ //osimage : ORIGIN = 0x00118000, LENGTH = 256K - 96k /* Place where the main OS will end up */ osimage : ORIGIN = 0x00118000, LENGTH = 256K - 96k /* Place where the main OS will end up */ ram : ORIGIN = 0x00200000, LENGTH = 64K - 0x20 /* RAM, minus small common area */ commonarea : ORIGIN = 0x00200000 + 64K - 0x20, LENGTH = 0x20 /* Communication between bootloader and main OS */ diff --combined common/lfdemod.h index 46e2bdd5,46e2bdd5..15121cbf --- a/common/lfdemod.h +++ b/common/lfdemod.h @@@ -19,7 -19,7 +19,6 @@@ int DetectASKClock(uint8_t dest[], size uint8_t DetectCleanAskWave(uint8_t dest[], size_t size, int high, int low); int askmandemod(uint8_t *BinStream, size_t *size, int *clk, int *invert, int maxErr); uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo); --//uint64_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx); int ManchesterEncode(uint8_t *BitStream, size_t size); int manrawdecode(uint8_t *BitStream, size_t *size); int BiphaseRawDecode(uint8_t * BitStream, size_t *size, int offset, int invert); @@@ -34,20 -34,20 +33,16 @@@ void psk1TOpsk2(uint8_t *BitStream, siz void psk2TOpsk1(uint8_t *BitStream, size_t size); int DetectNRZClock(uint8_t dest[], size_t size, int clock); int indala26decode(uint8_t *bitStream, size_t *size, uint8_t *invert); --void pskCleanWave(uint8_t *bitStream, size_t size); int PyramiddemodFSK(uint8_t *dest, size_t *size); int AWIDdemodFSK(uint8_t *dest, size_t *size); size_t removeParity(uint8_t *BitStream, size_t startIdx, uint8_t pLen, uint8_t pType, size_t bLen); --uint16_t countFC(uint8_t *BitStream, size_t size, uint8_t *mostFC); ++uint16_t countFC(uint8_t *BitStream, size_t size, uint8_t fskAdj); uint8_t detectFSKClk(uint8_t *BitStream, size_t size, uint8_t fcHigh, uint8_t fcLow); int getHiLo(uint8_t *BitStream, size_t size, int *high, int *low, uint8_t fuzzHi, uint8_t fuzzLo); int ParadoxdemodFSK(uint8_t *dest, size_t *size, uint32_t *hi2, uint32_t *hi, uint32_t *lo); uint8_t preambleSearch(uint8_t *BitStream, uint8_t *preamble, size_t pLen, size_t *size, size_t *startIdx); uint8_t parityTest(uint32_t bits, uint8_t bitLen, uint8_t pType); --uint8_t justNoise(uint8_t *BitStream, size_t size); --uint8_t countPSK_FC(uint8_t *BitStream, size_t size); int pskRawDemod(uint8_t dest[], size_t *size, int *clock, int *invert); int DetectPSKClock(uint8_t dest[], size_t size, int clock); --void askAmp(uint8_t *BitStream, size_t size); #endif diff --combined include/usb_cmd.h index b6caf94f,62c3d949..74d494c2 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@@ -128,12 -128,11 +128,12 @@@ typedef struct #define CMD_READER_LEGIC_RF 0x0388 #define CMD_WRITER_LEGIC_RF 0x0389 #define CMD_EPA_PACE_COLLECT_NONCE 0x038A +//#define CMD_EPA_ 0x038B #define CMD_SNOOP_ICLASS 0x0392 #define CMD_SIMULATE_TAG_ICLASS 0x0393 #define CMD_READER_ICLASS 0x0394 -#define CMD_READER_ICLASS_REPLAY 0x0395 +#define CMD_READER_ICLASS_REPLAY 0x0395 #define CMD_ICLASS_ISO14443A_WRITE 0x0397 #define CMD_ICLASS_EML_MEMSET 0x0398 @@@ -164,11 -163,9 +164,11 @@@ #define CMD_MIFARE_NESTED 0x0612 #define CMD_MIFARE_READBL 0x0620 -#define CMD_MIFAREU_READBL 0x0720 +#define CMD_MIFAREU_READBL 0x0720 + #define CMD_MIFARE_READSC 0x0621 -#define CMD_MIFAREU_READCARD 0x0721 +#define CMD_MIFAREU_READCARD 0x0721 + #define CMD_MIFARE_WRITEBL 0x0622 #define CMD_MIFAREU_WRITEBL 0x0722 #define CMD_MIFAREU_WRITEBL_COMPAT 0x0723 @@@ -176,13 -173,10 +176,13 @@@ #define CMD_MIFARE_CHKKEYS 0x0623 #define CMD_MIFARE_SNIFFER 0x0630 + //ultralightC #define CMD_MIFAREUC_AUTH1 0x0724 #define CMD_MIFAREUC_AUTH2 0x0725 #define CMD_MIFAREUC_READCARD 0x0726 +#define CMD_MIFAREUC_SETPWD 0x0727 +#define CMD_MIFAREU_SETUID 0x0728 // mifare desfire #define CMD_MIFARE_DESFIRE_READBL 0x0728 @@@ -204,8 -198,12 +204,12 @@@ //Iclass reader flags -#define FLAG_ICLASS_READER_ONLY_ONCE 0x01 +#define FLAG_ICLASS_READER_ONLY_ONCE 0x01 - #define FLAG_ICLASS_READER_GET_CC 0x02 + #define FLAG_ICLASS_READER_CC 0x02 + #define FLAG_ICLASS_READER_CSN 0x04 + #define FLAG_ICLASS_READER_CONF 0x08 + #define FLAG_ICLASS_READER_AA 0x10 + // CMD_DEVICE_INFO response packet has flags in arg[0], flag definitions: