From: pwpiwi Date: Wed, 16 Jan 2019 08:54:19 +0000 (+0100) Subject: Add hf list 15 (#754) X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/0d2624a0cc13dbe34392da1f8495af6c64a84ddb Add hf list 15 (#754) and refactoring: move all of hf list code to cmdhflist.c --- diff --git a/client/cmdhf.c b/client/cmdhf.c index 744a95d2..f11c5b65 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -11,15 +11,9 @@ #include "cmdhf.h" -#include -#include -#include +#include "usb_cmd.h" #include "comms.h" -#include "util.h" #include "ui.h" -#include "iso14443crc.h" -#include "parity.h" -#include "cmdmain.h" #include "cmdparser.h" #include "cmdhf14a.h" #include "cmdhf14b.h" @@ -31,8 +25,6 @@ #include "cmdhfmfp.h" #include "cmdhfmfu.h" #include "cmdhftopaz.h" -#include "protocols.h" -#include "emv/cmdemv.h" #include "cmdhflist.h" #include "cmdhffido.h" @@ -45,509 +37,6 @@ int CmdHFTune(const char *Cmd) return 0; } -/** - * @brief iso14443B_CRC_check Checks CRC in command or response - * @param isResponse - * @param data - * @param len - * @return 0 : CRC-command, CRC not ok - * 1 : CRC-command, CRC ok - * 2 : Not crc-command - */ - -uint8_t iso14443B_CRC_check(bool isResponse, uint8_t* data, uint8_t len) -{ - uint8_t b1,b2; - - if(len <= 2) return 2; - - ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2); - if(b1 != data[len-2] || b2 != data[len-1]) { - return 0; - } else { - return 1; - } -} - -/** - * @brief iclass_CRC_Ok Checks CRC in command or response - * @param isResponse - * @param data - * @param len - * @return 0 : CRC-command, CRC not ok - * 1 : CRC-command, CRC ok - * 2 : Not crc-command - */ -uint8_t iclass_CRC_check(bool isResponse, uint8_t* data, uint8_t len) -{ - if(len < 4) return 2;//CRC commands (and responses) are all at least 4 bytes - - uint8_t b1, b2; - - if(!isResponse)//Commands to tag - { - /** - These commands should have CRC. Total length leftmost - 4 READ - 4 READ4 - 12 UPDATE - unsecured, ends with CRC16 - 14 UPDATE - secured, ends with signature instead - 4 PAGESEL - **/ - if(len == 4 || len == 12)//Covers three of them - { - //Don't include the command byte - ComputeCrc14443(CRC_ICLASS, (data+1), len-3, &b1, &b2); - return b1 == data[len -2] && b2 == data[len-1]; - } - return 2; - }else{ - /** - These tag responses should have CRC. Total length leftmost - - 10 READ data[8] crc[2] - 34 READ4 data[32]crc[2] - 10 UPDATE data[8] crc[2] - 10 SELECT csn[8] crc[2] - 10 IDENTIFY asnb[8] crc[2] - 10 PAGESEL block1[8] crc[2] - 10 DETECT csn[8] crc[2] - - These should not - - 4 CHECK chip_response[4] - 8 READCHECK data[8] - 1 ACTALL sof[1] - 1 ACT sof[1] - - In conclusion, without looking at the command; any response - of length 10 or 34 should have CRC - **/ - if(len != 10 && len != 34) return true; - - ComputeCrc14443(CRC_ICLASS, data, len-2, &b1, &b2); - return b1 == data[len -2] && b2 == data[len-1]; - } -} - - -bool is_last_record(uint16_t tracepos, uint8_t *trace, uint16_t traceLen) -{ - return(tracepos + sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) >= traceLen); -} - - -bool next_record_is_response(uint16_t tracepos, uint8_t *trace) -{ - uint16_t next_records_datalen = *((uint16_t *)(trace + tracepos + sizeof(uint32_t) + sizeof(uint16_t))); - - return(next_records_datalen & 0x8000); -} - - -bool merge_topaz_reader_frames(uint32_t timestamp, uint32_t *duration, uint16_t *tracepos, uint16_t traceLen, uint8_t *trace, uint8_t *frame, uint8_t *topaz_reader_command, uint16_t *data_len) -{ - -#define MAX_TOPAZ_READER_CMD_LEN 16 - - uint32_t last_timestamp = timestamp + *duration; - - if ((*data_len != 1) || (frame[0] == TOPAZ_WUPA) || (frame[0] == TOPAZ_REQA)) return false; - - memcpy(topaz_reader_command, frame, *data_len); - - while (!is_last_record(*tracepos, trace, traceLen) && !next_record_is_response(*tracepos, trace)) { - uint32_t next_timestamp = *((uint32_t *)(trace + *tracepos)); - *tracepos += sizeof(uint32_t); - uint16_t next_duration = *((uint16_t *)(trace + *tracepos)); - *tracepos += sizeof(uint16_t); - uint16_t next_data_len = *((uint16_t *)(trace + *tracepos)) & 0x7FFF; - *tracepos += sizeof(uint16_t); - uint8_t *next_frame = (trace + *tracepos); - *tracepos += next_data_len; - if ((next_data_len == 1) && (*data_len + next_data_len <= MAX_TOPAZ_READER_CMD_LEN)) { - memcpy(topaz_reader_command + *data_len, next_frame, next_data_len); - *data_len += next_data_len; - last_timestamp = next_timestamp + next_duration; - } else { - // rewind and exit - *tracepos = *tracepos - next_data_len - sizeof(uint16_t) - sizeof(uint16_t) - sizeof(uint32_t); - break; - } - uint16_t next_parity_len = (next_data_len-1)/8 + 1; - *tracepos += next_parity_len; - } - - *duration = last_timestamp - timestamp; - - return true; -} - - -uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *trace, uint8_t protocol, bool showWaitCycles, bool markCRCBytes) -{ - bool isResponse; - uint16_t data_len, parity_len; - uint32_t duration; - uint8_t topaz_reader_command[9]; - uint32_t timestamp, first_timestamp, EndOfTransmissionTimestamp; - char explanation[30] = {0}; - uint8_t mfData[32] = {0}; - size_t mfDataLen = 0; - - if (tracepos + sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) > traceLen) return traceLen; - - first_timestamp = *((uint32_t *)(trace)); - timestamp = *((uint32_t *)(trace + tracepos)); - - tracepos += 4; - duration = *((uint16_t *)(trace + tracepos)); - tracepos += 2; - data_len = *((uint16_t *)(trace + tracepos)); - tracepos += 2; - - if (data_len & 0x8000) { - data_len &= 0x7fff; - isResponse = true; - } else { - isResponse = false; - } - parity_len = (data_len-1)/8 + 1; - - if (tracepos + data_len + parity_len > traceLen) { - return traceLen; - } - uint8_t *frame = trace + tracepos; - tracepos += data_len; - uint8_t *parityBytes = trace + tracepos; - tracepos += parity_len; - - if (protocol == TOPAZ && !isResponse) { - // topaz reader commands come in 1 or 9 separate frames with 7 or 8 Bits each. - // merge them: - if (merge_topaz_reader_frames(timestamp, &duration, &tracepos, traceLen, trace, frame, topaz_reader_command, &data_len)) { - frame = topaz_reader_command; - } - } - - //Check the CRC status - uint8_t crcStatus = 2; - - if (data_len > 2) { - switch (protocol) { - case ICLASS: - crcStatus = iclass_CRC_check(isResponse, frame, data_len); - break; - case ISO_14443B: - case TOPAZ: - crcStatus = iso14443B_CRC_check(isResponse, frame, data_len); - break; - case PROTO_MIFARE: - crcStatus = mifare_CRC_check(isResponse, frame, data_len); - break; - case ISO_14443A: - crcStatus = iso14443A_CRC_check(isResponse, frame, data_len); - break; - default: - break; - } - } - //0 CRC-command, CRC not ok - //1 CRC-command, CRC ok - //2 Not crc-command - - //--- Draw the data column - //char line[16][110]; - char line[16][110]; - - for (int j = 0; j < data_len && j/16 < 16; j++) { - - uint8_t parityBits = parityBytes[j>>3]; - if (protocol != ISO_14443B && (isResponse || protocol == ISO_14443A) && (oddparity8(frame[j]) != ((parityBits >> (7-(j&0x0007))) & 0x01))) { - snprintf(line[j/16]+(( j % 16) * 4), 110, " %02x!", frame[j]); - } else { - snprintf(line[j/16]+(( j % 16) * 4), 110, " %02x ", frame[j]); - } - - } - - if (markCRCBytes) { - if(crcStatus == 0 || crcStatus == 1) - {//CRC-command - char *pos1 = line[(data_len-2)/16]+(((data_len-2) % 16) * 4); - (*pos1) = '['; - char *pos2 = line[(data_len)/16]+(((data_len) % 16) * 4); - sprintf(pos2, "%c", ']'); - } - } - - if (data_len == 0) { - sprintf(line[0]," "); - } - - //--- Draw the CRC column - char *crc = (crcStatus == 0 ? "!crc" : (crcStatus == 1 ? " ok " : " ")); - - EndOfTransmissionTimestamp = timestamp + duration; - - if (protocol == PROTO_MIFARE) - annotateMifare(explanation, sizeof(explanation), frame, data_len, parityBytes, parity_len, isResponse); - - if(!isResponse) - { - switch(protocol) { - case ICLASS: annotateIclass(explanation,sizeof(explanation),frame,data_len); break; - case ISO_14443A: annotateIso14443a(explanation,sizeof(explanation),frame,data_len); break; - case ISO_14443B: annotateIso14443b(explanation,sizeof(explanation),frame,data_len); break; - case TOPAZ: annotateTopaz(explanation,sizeof(explanation),frame,data_len); break; - default: break; - } - } - - int num_lines = MIN((data_len - 1)/16 + 1, 16); - for (int j = 0; j < num_lines ; j++) { - if (j == 0) { - PrintAndLog(" %10d | %10d | %s |%-64s | %s| %s", - (timestamp - first_timestamp), - (EndOfTransmissionTimestamp - first_timestamp), - (isResponse ? "Tag" : "Rdr"), - line[j], - (j == num_lines-1) ? crc : " ", - (j == num_lines-1) ? explanation : ""); - } else { - PrintAndLog(" | | |%-64s | %s| %s", - line[j], - (j == num_lines-1) ? crc : " ", - (j == num_lines-1) ? explanation : ""); - } - } - - if (DecodeMifareData(frame, data_len, parityBytes, isResponse, mfData, &mfDataLen)) { - memset(explanation, 0x00, sizeof(explanation)); - if (!isResponse) { - explanation[0] = '>'; - annotateIso14443a(&explanation[1], sizeof(explanation) - 1, mfData, mfDataLen); - } - uint8_t crcc = iso14443A_CRC_check(isResponse, mfData, mfDataLen); - PrintAndLog(" | * | dec |%-64s | %-4s| %s", - sprint_hex(mfData, mfDataLen), - (crcc == 0 ? "!crc" : (crcc == 1 ? " ok " : " ")), - (true) ? explanation : ""); - }; - - if (is_last_record(tracepos, trace, traceLen)) return traceLen; - - if (showWaitCycles && !isResponse && next_record_is_response(tracepos, trace)) { - uint32_t next_timestamp = *((uint32_t *)(trace + tracepos)); - PrintAndLog(" %10d | %10d | %s | fdt (Frame Delay Time): %d", - (EndOfTransmissionTimestamp - first_timestamp), - (next_timestamp - first_timestamp), - " ", - (next_timestamp - EndOfTransmissionTimestamp)); - } - - return tracepos; -} - - -int CmdHFList(const char *Cmd) -{ - #ifdef WITH_SMARTCARD - PrintAndLog("TEST_WITH_SMARTCARD"); - #endif - #ifdef WITH_TEST - PrintAndLog("TEST_WITH_TEST"); - #endif - bool showWaitCycles = false; - bool markCRCBytes = false; - bool loadFromFile = false; - bool saveToFile = false; - char param1 = '\0'; - char param2 = '\0'; - char param3 = '\0'; - char type[40] = {0}; - char filename[FILE_PATH_SIZE] = {0}; - uint8_t protocol = 0; - - // parse command line - int tlen = param_getstr(Cmd, 0, type, sizeof(type)); - if (param_getlength(Cmd, 1) == 1) { - param1 = param_getchar(Cmd, 1); - } else { - param_getstr(Cmd, 1, filename, sizeof(filename)); - } - if (param_getlength(Cmd, 2) == 1) { - param2 = param_getchar(Cmd, 2); - } else if (strlen(filename) == 0) { - param_getstr(Cmd, 2, filename, sizeof(filename)); - } - if (param_getlength(Cmd, 3) == 1) { - param3 = param_getchar(Cmd, 3); - } else if (strlen(filename) == 0) { - param_getstr(Cmd, 3, filename, sizeof(filename)); - } - - // Validate param1 - bool errors = false; - - if(tlen == 0) { - errors = true; - } - - if(param1 == 'h' - || (param1 != 0 && param1 != 'f' && param1 != 'c' && param1 != 'l') - || (param2 != 0 && param2 != 'f' && param2 != 'c' && param2 != 'l') - || (param3 != 0 && param3 != 'f' && param3 != 'c' && param3 != 'l')) { - errors = true; - } - - if(!errors) { - if(strcmp(type, "iclass") == 0) { - protocol = ICLASS; - } else if(strcmp(type, "mf") == 0) { - protocol = PROTO_MIFARE; - } else if(strcmp(type, "14a") == 0) { - protocol = ISO_14443A; - } else if(strcmp(type, "14b") == 0) { - protocol = ISO_14443B; - } else if(strcmp(type,"topaz") == 0) { - protocol = TOPAZ; - } else if(strcmp(type, "7816") == 0) { - protocol = ISO_7816_4; - } else if(strcmp(type,"raw") == 0) { - protocol = -1; //No crc, no annotations - } else if (strcmp(type, "save") == 0) { - saveToFile = true; - } else { - errors = true; - } - } - - if (param1 == 'f' || param2 == 'f' || param3 == 'f') { - showWaitCycles = true; - } - - if (param1 == 'c' || param2 == 'c' || param3 == 'c') { - markCRCBytes = true; - } - - if (param1 == 'l' || param2 == 'l' || param3 == 'l') { - loadFromFile = true; - } - - if ((loadFromFile || saveToFile) && strlen(filename) == 0) { - errors = true; - } - - if (loadFromFile && saveToFile) { - errors = true; - } - - if (errors) { - PrintAndLog("List or save protocol data."); - PrintAndLog("Usage: hf list [f] [c] [l ]"); - PrintAndLog(" hf list save "); - PrintAndLog(" f - show frame delay times as well"); - PrintAndLog(" c - mark CRC bytes"); - PrintAndLog(" l - load data from file instead of trace buffer"); - PrintAndLog(" save - save data to file"); - PrintAndLog("Supported values:"); - PrintAndLog(" raw - just show raw data without annotations"); - PrintAndLog(" 14a - interpret data as iso14443a communications"); - PrintAndLog(" mf - interpret data as iso14443a communications and decrypt crypto1 stream"); - PrintAndLog(" 14b - interpret data as iso14443b communications"); - PrintAndLog(" iclass - interpret data as iclass communications"); - PrintAndLog(" topaz - interpret data as topaz communications"); - PrintAndLog(""); - PrintAndLog("example: hf list 14a f"); - PrintAndLog("example: hf list iclass"); - PrintAndLog("example: hf list save myCardTrace.trc"); - PrintAndLog("example: hf list 14a l myCardTrace.trc"); - return 0; - } - - - uint8_t *trace; - uint32_t tracepos = 0; - uint32_t traceLen = 0; - - if (loadFromFile) { - #define TRACE_CHUNK_SIZE (1<<16) // 64K to start with. Will be enough for BigBuf and some room for future extensions - FILE *tracefile = NULL; - size_t bytes_read; - trace = malloc(TRACE_CHUNK_SIZE); - if (trace == NULL) { - PrintAndLog("Cannot allocate memory for trace"); - return 2; - } - if ((tracefile = fopen(filename,"rb")) == NULL) { - PrintAndLog("Could not open file %s", filename); - free(trace); - return 0; - } - while (!feof(tracefile)) { - bytes_read = fread(trace+traceLen, 1, TRACE_CHUNK_SIZE, tracefile); - traceLen += bytes_read; - if (!feof(tracefile)) { - uint8_t *p = realloc(trace, traceLen + TRACE_CHUNK_SIZE); - if (p == NULL) { - PrintAndLog("Cannot allocate memory for trace"); - free(trace); - fclose(tracefile); - return 2; - } - trace = p; - } - } - fclose(tracefile); - } else { - trace = malloc(USB_CMD_DATA_SIZE); - // Query for the size of the trace - UsbCommand response; - GetFromBigBuf(trace, USB_CMD_DATA_SIZE, 0, &response, -1, false); - traceLen = response.arg[2]; - if (traceLen > USB_CMD_DATA_SIZE) { - uint8_t *p = realloc(trace, traceLen); - if (p == NULL) { - PrintAndLog("Cannot allocate memory for trace"); - free(trace); - return 2; - } - trace = p; - GetFromBigBuf(trace, traceLen, 0, NULL, -1, false); - } - } - - if (saveToFile) { - FILE *tracefile = NULL; - if ((tracefile = fopen(filename,"wb")) == NULL) { - PrintAndLog("Could not create file %s", filename); - return 1; - } - fwrite(trace, 1, traceLen, tracefile); - PrintAndLog("Recorded Activity (TraceLen = %d bytes) written to file %s", traceLen, filename); - fclose(tracefile); - } else { - PrintAndLog("Recorded Activity (TraceLen = %d bytes)", traceLen); - PrintAndLog(""); - PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer"); - PrintAndLog("iso14443a - All times are in carrier periods (1/13.56Mhz)"); - PrintAndLog("iClass - Timings are not as accurate"); - PrintAndLog(""); - PrintAndLog(" Start | End | Src | Data (! denotes parity error) | CRC | Annotation |"); - PrintAndLog("------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|"); - - ClearAuthData(); - while(tracepos < traceLen) - { - tracepos = printTraceLine(tracepos, traceLen, trace, protocol, showWaitCycles, markCRCBytes); - } - } - - free(trace); - return 0; -} - int CmdHFSearch(const char *Cmd){ int ans = 0; PrintAndLog(""); diff --git a/client/cmdhf.h b/client/cmdhf.h index 026357b5..ff20a950 100644 --- a/client/cmdhf.h +++ b/client/cmdhf.h @@ -13,5 +13,5 @@ int CmdHF(const char *Cmd); int CmdHFTune(const char *Cmd); -int CmdHFList(const char *Cmd); + #endif diff --git a/client/cmdhflist.c b/client/cmdhflist.c index 5538b6fb..67326c98 100644 --- a/client/cmdhflist.c +++ b/client/cmdhflist.c @@ -1,11 +1,12 @@ //----------------------------------------------------------------------------- +// Copyright (C) 2010 iZsh // Copyright (C) Merlok - 2017 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of // the license. //----------------------------------------------------------------------------- -// Command: hf mf list. It shows data from arm buffer. +// Command: hf list. It shows data from arm buffer. //----------------------------------------------------------------------------- #include "cmdhflist.h" @@ -17,13 +18,30 @@ #include #include "util.h" #include "ui.h" +#include "comms.h" #include "iso14443crc.h" +#include "iso15693tools.h" #include "parity.h" #include "protocols.h" #include "crapto1/crapto1.h" #include "mifarehost.h" #include "mifaredefault.h" +#include "usb_cmd.h" +typedef struct { + uint32_t uid; // UID + uint32_t nt; // tag challenge + uint32_t nt_enc; // encrypted tag challenge + uint8_t nt_enc_par; // encrypted tag challenge parity + uint32_t nr_enc; // encrypted reader challenge + uint32_t ar_enc; // encrypted reader response + uint8_t ar_enc_par; // encrypted reader response parity + uint32_t at_enc; // encrypted tag response + uint8_t at_enc_par; // encrypted tag response parity + bool first_auth; // is first authentication + uint32_t ks2; // ar ^ ar_enc + uint32_t ks3; // at ^ at_enc +} TAuthData; enum MifareAuthSeq { masNone, @@ -35,10 +53,11 @@ enum MifareAuthSeq { masData, masError, }; + static enum MifareAuthSeq MifareAuthState; static TAuthData AuthData; -void ClearAuthData() { +static void ClearAuthData() { AuthData.uid = 0; AuthData.nt = 0; AuthData.first_auth = true; @@ -55,7 +74,7 @@ void ClearAuthData() { * 1 : CRC-command, CRC ok * 2 : Not crc-command */ -uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len) +static uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len) { uint8_t b1,b2; @@ -71,7 +90,8 @@ uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len) } } -uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len) + +static uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len) { switch(MifareAuthState) { case masNone: @@ -82,6 +102,101 @@ uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len) } } + +/** + * @brief iso14443B_CRC_check Checks CRC in command or response + * @param isResponse + * @param data + * @param len + * @return 0 : CRC-command, CRC not ok + * 1 : CRC-command, CRC ok + * 2 : Not crc-command + */ +static uint8_t iso14443B_CRC_check(bool isResponse, uint8_t* data, uint8_t len) +{ + uint8_t b1,b2; + + if(len <= 2) return 2; + + ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2); + if(b1 != data[len-2] || b2 != data[len-1]) { + return 0; + } else { + return 1; + } +} + + +static uint8_t iso15693_CRC_check(uint8_t* d, uint16_t n) +{ + if (n <= 2) return 2; + + return (Iso15693Crc(d, n) == ISO15693_CRC_CHECK ? 1 : 0); +} + + +/** + * @brief iclass_CRC_Ok Checks CRC in command or response + * @param isResponse + * @param data + * @param len + * @return 0 : CRC-command, CRC not ok + * 1 : CRC-command, CRC ok + * 2 : Not crc-command + */ +uint8_t iclass_CRC_check(bool isResponse, uint8_t* data, uint8_t len) +{ + if(len < 4) return 2;//CRC commands (and responses) are all at least 4 bytes + + uint8_t b1, b2; + + if(!isResponse)//Commands to tag + { + /** + These commands should have CRC. Total length leftmost + 4 READ + 4 READ4 + 12 UPDATE - unsecured, ends with CRC16 + 14 UPDATE - secured, ends with signature instead + 4 PAGESEL + **/ + if(len == 4 || len == 12)//Covers three of them + { + //Don't include the command byte + ComputeCrc14443(CRC_ICLASS, (data+1), len-3, &b1, &b2); + return b1 == data[len -2] && b2 == data[len-1]; + } + return 2; + }else{ + /** + These tag responses should have CRC. Total length leftmost + + 10 READ data[8] crc[2] + 34 READ4 data[32]crc[2] + 10 UPDATE data[8] crc[2] + 10 SELECT csn[8] crc[2] + 10 IDENTIFY asnb[8] crc[2] + 10 PAGESEL block1[8] crc[2] + 10 DETECT csn[8] crc[2] + + These should not + + 4 CHECK chip_response[4] + 8 READCHECK data[8] + 1 ACTALL sof[1] + 1 ACT sof[1] + + In conclusion, without looking at the command; any response + of length 10 or 34 should have CRC + **/ + if(len != 10 && len != 34) return true; + + ComputeCrc14443(CRC_ICLASS, data, len-2, &b1, &b2); + return b1 == data[len -2] && b2 == data[len-1]; + } +} + + void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { switch(cmd[0]) @@ -110,36 +225,33 @@ void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) return; } + void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { - - if(cmd[0] == 0x26) - { - switch(cmd[1]){ - case ISO15693_INVENTORY :snprintf(exp, size, "INVENTORY");break; - case ISO15693_STAYQUIET :snprintf(exp, size, "STAY_QUIET");break; - default: snprintf(exp,size,"?"); break; - - } - }else if(cmd[0] == 0x02) - { - switch(cmd[1]) - { - case ISO15693_READBLOCK :snprintf(exp, size, "READBLOCK");break; - case ISO15693_WRITEBLOCK :snprintf(exp, size, "WRITEBLOCK");break; - case ISO15693_LOCKBLOCK :snprintf(exp, size, "LOCKBLOCK");break; - case ISO15693_READ_MULTI_BLOCK :snprintf(exp, size, "READ_MULTI_BLOCK");break; - case ISO15693_SELECT :snprintf(exp, size, "SELECT");break; - case ISO15693_RESET_TO_READY :snprintf(exp, size, "RESET_TO_READY");break; - case ISO15693_WRITE_AFI :snprintf(exp, size, "WRITE_AFI");break; - case ISO15693_LOCK_AFI :snprintf(exp, size, "LOCK_AFI");break; - case ISO15693_WRITE_DSFID :snprintf(exp, size, "WRITE_DSFID");break; - case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break; - case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break; - case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break; - default: snprintf(exp,size,"?"); break; - } + switch(cmd[1]){ + // Mandatory Commands, all Tags must support them: + case ISO15693_INVENTORY :snprintf(exp, size, "INVENTORY");return; + case ISO15693_STAYQUIET :snprintf(exp, size, "STAY_QUIET");return; + // Optional Commands, Tags may support them: + case ISO15693_READBLOCK :snprintf(exp, size, "READBLOCK");return; + case ISO15693_WRITEBLOCK :snprintf(exp, size, "WRITEBLOCK");return; + case ISO15693_LOCKBLOCK :snprintf(exp, size, "LOCKBLOCK");return; + case ISO15693_READ_MULTI_BLOCK :snprintf(exp, size, "READ_MULTI_BLOCK");return; + case ISO15693_SELECT :snprintf(exp, size, "SELECT");return; + case ISO15693_RESET_TO_READY :snprintf(exp, size, "RESET_TO_READY");return; + case ISO15693_WRITE_AFI :snprintf(exp, size, "WRITE_AFI");return; + case ISO15693_LOCK_AFI :snprintf(exp, size, "LOCK_AFI");return; + case ISO15693_WRITE_DSFID :snprintf(exp, size, "WRITE_DSFID");return; + case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");return; + case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");return; + case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");return; + default: break; } + + if (cmd[1] > ISO15693_STAYQUIET && cmd[1] < ISO15693_READBLOCK) snprintf(exp, size, "Mandatory RFU"); + else if (cmd[1] > ISO15693_READ_MULTI_SECSTATUS && cmd[1] <= 0x9F) snprintf(exp, size, "Optional RFU"); + else if ( cmd[1] >= 0xA0 && cmd[1] <= 0xDF ) snprintf(exp, size, "Custom command"); + else if ( cmd[1] >= 0xE0 && cmd[1] <= 0xFF ) snprintf(exp, size, "Proprietary command"); } @@ -367,7 +479,103 @@ void annotateMifare(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize, uint8 } -bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen) { + +static uint64_t GetCrypto1ProbableKey(TAuthData *ad) { + struct Crypto1State *revstate = lfsr_recovery64(ad->ks2, ad->ks3); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, ad->nr_enc, 1); + lfsr_rollback_word(revstate, ad->uid ^ ad->nt, 0); + + uint64_t lfsr = 0; + crypto1_get_lfsr(revstate, &lfsr); + crypto1_destroy(revstate); + + return lfsr; +} + + +static bool NTParityChk(TAuthData *ad, uint32_t ntx) { + if ( + (oddparity8(ntx >> 8 & 0xff) ^ (ntx & 0x01) ^ ((ad->nt_enc_par >> 5) & 0x01) ^ (ad->nt_enc & 0x01)) || + (oddparity8(ntx >> 16 & 0xff) ^ (ntx >> 8 & 0x01) ^ ((ad->nt_enc_par >> 6) & 0x01) ^ (ad->nt_enc >> 8 & 0x01)) || + (oddparity8(ntx >> 24 & 0xff) ^ (ntx >> 16 & 0x01) ^ ((ad->nt_enc_par >> 7) & 0x01) ^ (ad->nt_enc >> 16 & 0x01)) + ) + return false; + + uint32_t ar = prng_successor(ntx, 64); + if ( + (oddparity8(ar >> 8 & 0xff) ^ (ar & 0x01) ^ ((ad->ar_enc_par >> 5) & 0x01) ^ (ad->ar_enc & 0x01)) || + (oddparity8(ar >> 16 & 0xff) ^ (ar >> 8 & 0x01) ^ ((ad->ar_enc_par >> 6) & 0x01) ^ (ad->ar_enc >> 8 & 0x01)) || + (oddparity8(ar >> 24 & 0xff) ^ (ar >> 16 & 0x01) ^ ((ad->ar_enc_par >> 7) & 0x01) ^ (ad->ar_enc >> 16 & 0x01)) + ) + return false; + + uint32_t at = prng_successor(ntx, 96); + if ( + (oddparity8(ar & 0xff) ^ (at >> 24 & 0x01) ^ ((ad->ar_enc_par >> 4) & 0x01) ^ (ad->at_enc >> 24 & 0x01)) || + (oddparity8(at >> 8 & 0xff) ^ (at & 0x01) ^ ((ad->at_enc_par >> 5) & 0x01) ^ (ad->at_enc & 0x01)) || + (oddparity8(at >> 16 & 0xff) ^ (at >> 8 & 0x01) ^ ((ad->at_enc_par >> 6) & 0x01) ^ (ad->at_enc >> 8 & 0x01)) || + (oddparity8(at >> 24 & 0xff) ^ (at >> 16 & 0x01) ^ ((ad->at_enc_par >> 7) & 0x01) ^ (ad->at_enc >> 16 & 0x01)) + ) + return false; + + return true; +} + + +static bool CheckCrypto1Parity(uint8_t *cmd_enc, uint8_t cmdsize, uint8_t *cmd, uint8_t *parity_enc) { + for (int i = 0; i < cmdsize - 1; i++) { + if (oddparity8(cmd[i]) ^ (cmd[i + 1] & 0x01) ^ ((parity_enc[i / 8] >> (7 - i % 8)) & 0x01) ^ (cmd_enc[i + 1] & 0x01)) + return false; + } + + return true; +} + + +static bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity) { + uint8_t buf[32] = {0}; + struct Crypto1State *pcs; + + AuthData.ks2 = 0; + AuthData.ks3 = 0; + + pcs = crypto1_create(key); + uint32_t nt1 = crypto1_word(pcs, ad->nt_enc ^ ad->uid, 1) ^ ad->nt_enc; + uint32_t ar = prng_successor(nt1, 64); + uint32_t at = prng_successor(nt1, 96); + + crypto1_word(pcs, ad->nr_enc, 1); +// uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; // if needs deciphered nr + uint32_t ar1 = crypto1_word(pcs, 0, 0) ^ ad->ar_enc; + uint32_t at1 = crypto1_word(pcs, 0, 0) ^ ad->at_enc; + + if (!(ar == ar1 && at == at1 && NTParityChk(ad, nt1))) { + crypto1_destroy(pcs); + return false; + } + + memcpy(buf, cmd, cmdsize); + mf_crypto1_decrypt(pcs, buf, cmdsize, 0); + + crypto1_destroy(pcs); + + if (!CheckCrypto1Parity(cmd, cmdsize, buf, parity)) + return false; + + if(!CheckCrc14443(CRC_14443_A, buf, cmdsize)) + return false; + + AuthData.nt = nt1; + AuthData.ks2 = AuthData.ar_enc ^ ar; + AuthData.ks3 = AuthData.at_enc ^ at; + + return true; +} + + +static bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen) { static struct Crypto1State *traceCrypto1; static uint64_t mfLastKey; @@ -514,93 +722,415 @@ bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isRes return *mfDataLen > 0; } -bool NTParityChk(TAuthData *ad, uint32_t ntx) { - if ( - (oddparity8(ntx >> 8 & 0xff) ^ (ntx & 0x01) ^ ((ad->nt_enc_par >> 5) & 0x01) ^ (ad->nt_enc & 0x01)) || - (oddparity8(ntx >> 16 & 0xff) ^ (ntx >> 8 & 0x01) ^ ((ad->nt_enc_par >> 6) & 0x01) ^ (ad->nt_enc >> 8 & 0x01)) || - (oddparity8(ntx >> 24 & 0xff) ^ (ntx >> 16 & 0x01) ^ ((ad->nt_enc_par >> 7) & 0x01) ^ (ad->nt_enc >> 16 & 0x01)) - ) - return false; + +bool is_last_record(uint16_t tracepos, uint8_t *trace, uint16_t traceLen) +{ + return(tracepos + sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) >= traceLen); +} + + +bool next_record_is_response(uint16_t tracepos, uint8_t *trace) +{ + uint16_t next_records_datalen = *((uint16_t *)(trace + tracepos + sizeof(uint32_t) + sizeof(uint16_t))); - uint32_t ar = prng_successor(ntx, 64); - if ( - (oddparity8(ar >> 8 & 0xff) ^ (ar & 0x01) ^ ((ad->ar_enc_par >> 5) & 0x01) ^ (ad->ar_enc & 0x01)) || - (oddparity8(ar >> 16 & 0xff) ^ (ar >> 8 & 0x01) ^ ((ad->ar_enc_par >> 6) & 0x01) ^ (ad->ar_enc >> 8 & 0x01)) || - (oddparity8(ar >> 24 & 0xff) ^ (ar >> 16 & 0x01) ^ ((ad->ar_enc_par >> 7) & 0x01) ^ (ad->ar_enc >> 16 & 0x01)) - ) - return false; + return(next_records_datalen & 0x8000); +} - uint32_t at = prng_successor(ntx, 96); - if ( - (oddparity8(ar & 0xff) ^ (at >> 24 & 0x01) ^ ((ad->ar_enc_par >> 4) & 0x01) ^ (ad->at_enc >> 24 & 0x01)) || - (oddparity8(at >> 8 & 0xff) ^ (at & 0x01) ^ ((ad->at_enc_par >> 5) & 0x01) ^ (ad->at_enc & 0x01)) || - (oddparity8(at >> 16 & 0xff) ^ (at >> 8 & 0x01) ^ ((ad->at_enc_par >> 6) & 0x01) ^ (ad->at_enc >> 8 & 0x01)) || - (oddparity8(at >> 24 & 0xff) ^ (at >> 16 & 0x01) ^ ((ad->at_enc_par >> 7) & 0x01) ^ (ad->at_enc >> 16 & 0x01)) - ) - return false; - + +bool merge_topaz_reader_frames(uint32_t timestamp, uint32_t *duration, uint16_t *tracepos, uint16_t traceLen, uint8_t *trace, uint8_t *frame, uint8_t *topaz_reader_command, uint16_t *data_len) +{ + +#define MAX_TOPAZ_READER_CMD_LEN 16 + + uint32_t last_timestamp = timestamp + *duration; + + if ((*data_len != 1) || (frame[0] == TOPAZ_WUPA) || (frame[0] == TOPAZ_REQA)) return false; + + memcpy(topaz_reader_command, frame, *data_len); + + while (!is_last_record(*tracepos, trace, traceLen) && !next_record_is_response(*tracepos, trace)) { + uint32_t next_timestamp = *((uint32_t *)(trace + *tracepos)); + *tracepos += sizeof(uint32_t); + uint16_t next_duration = *((uint16_t *)(trace + *tracepos)); + *tracepos += sizeof(uint16_t); + uint16_t next_data_len = *((uint16_t *)(trace + *tracepos)) & 0x7FFF; + *tracepos += sizeof(uint16_t); + uint8_t *next_frame = (trace + *tracepos); + *tracepos += next_data_len; + if ((next_data_len == 1) && (*data_len + next_data_len <= MAX_TOPAZ_READER_CMD_LEN)) { + memcpy(topaz_reader_command + *data_len, next_frame, next_data_len); + *data_len += next_data_len; + last_timestamp = next_timestamp + next_duration; + } else { + // rewind and exit + *tracepos = *tracepos - next_data_len - sizeof(uint16_t) - sizeof(uint16_t) - sizeof(uint32_t); + break; + } + uint16_t next_parity_len = (next_data_len-1)/8 + 1; + *tracepos += next_parity_len; + } + + *duration = last_timestamp - timestamp; + return true; } -bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity) { - uint8_t buf[32] = {0}; - struct Crypto1State *pcs; + +uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *trace, uint8_t protocol, bool showWaitCycles, bool markCRCBytes) +{ + bool isResponse; + uint16_t data_len, parity_len; + uint32_t duration; + uint8_t topaz_reader_command[9]; + uint32_t timestamp, first_timestamp, EndOfTransmissionTimestamp; + char explanation[30] = {0}; + uint8_t mfData[32] = {0}; + size_t mfDataLen = 0; + + if (tracepos + sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) > traceLen) return traceLen; - AuthData.ks2 = 0; - AuthData.ks3 = 0; + first_timestamp = *((uint32_t *)(trace)); + timestamp = *((uint32_t *)(trace + tracepos)); - pcs = crypto1_create(key); - uint32_t nt1 = crypto1_word(pcs, ad->nt_enc ^ ad->uid, 1) ^ ad->nt_enc; - uint32_t ar = prng_successor(nt1, 64); - uint32_t at = prng_successor(nt1, 96); + tracepos += 4; + duration = *((uint16_t *)(trace + tracepos)); + tracepos += 2; + data_len = *((uint16_t *)(trace + tracepos)); + tracepos += 2; - crypto1_word(pcs, ad->nr_enc, 1); -// uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; // if needs deciphered nr - uint32_t ar1 = crypto1_word(pcs, 0, 0) ^ ad->ar_enc; - uint32_t at1 = crypto1_word(pcs, 0, 0) ^ ad->at_enc; + if (data_len & 0x8000) { + data_len &= 0x7fff; + isResponse = true; + } else { + isResponse = false; + } + parity_len = (data_len-1)/8 + 1; - if (!(ar == ar1 && at == at1 && NTParityChk(ad, nt1))) { - crypto1_destroy(pcs); - return false; + if (tracepos + data_len + parity_len > traceLen) { + return traceLen; } + uint8_t *frame = trace + tracepos; + tracepos += data_len; + uint8_t *parityBytes = trace + tracepos; + tracepos += parity_len; - memcpy(buf, cmd, cmdsize); - mf_crypto1_decrypt(pcs, buf, cmdsize, 0); + if (protocol == TOPAZ && !isResponse) { + // topaz reader commands come in 1 or 9 separate frames with 7 or 8 Bits each. + // merge them: + if (merge_topaz_reader_frames(timestamp, &duration, &tracepos, traceLen, trace, frame, topaz_reader_command, &data_len)) { + frame = topaz_reader_command; + } + } - crypto1_destroy(pcs); + //Check the CRC status + uint8_t crcStatus = 2; + + if (data_len > 2) { + switch (protocol) { + case ICLASS: + crcStatus = iclass_CRC_check(isResponse, frame, data_len); + break; + case ISO_14443B: + case TOPAZ: + crcStatus = iso14443B_CRC_check(isResponse, frame, data_len); + break; + case PROTO_MIFARE: + crcStatus = mifare_CRC_check(isResponse, frame, data_len); + break; + case ISO_14443A: + crcStatus = iso14443A_CRC_check(isResponse, frame, data_len); + break; + case ISO_15693: + crcStatus = iso15693_CRC_check(frame, data_len); + break; + default: + break; + } + } + //0 CRC-command, CRC not ok + //1 CRC-command, CRC ok + //2 Not crc-command + + //--- Draw the data column + //char line[16][110]; + char line[16][110]; + + for (int j = 0; j < data_len && j/16 < 16; j++) { + + uint8_t parityBits = parityBytes[j>>3]; + if (protocol != ISO_14443B + && protocol != ISO_15693 + && protocol != ISO_7816_4 + && (isResponse || protocol == ISO_14443A) + && (oddparity8(frame[j]) != ((parityBits >> (7-(j&0x0007))) & 0x01))) { + snprintf(line[j/16]+(( j % 16) * 4), 110, " %02x!", frame[j]); + } else { + snprintf(line[j/16]+(( j % 16) * 4), 110, " %02x ", frame[j]); + } + + } + + if (markCRCBytes) { + if(crcStatus == 0 || crcStatus == 1) + {//CRC-command + char *pos1 = line[(data_len-2)/16]+(((data_len-2) % 16) * 4); + (*pos1) = '['; + char *pos2 = line[(data_len)/16]+(((data_len) % 16) * 4); + sprintf(pos2, "%c", ']'); + } + } + + if (data_len == 0) { + sprintf(line[0]," "); + } + + //--- Draw the CRC column + char *crc = (crcStatus == 0 ? "!crc" : (crcStatus == 1 ? " ok " : " ")); + + EndOfTransmissionTimestamp = timestamp + duration; + + if (protocol == PROTO_MIFARE) + annotateMifare(explanation, sizeof(explanation), frame, data_len, parityBytes, parity_len, isResponse); - if (!CheckCrypto1Parity(cmd, cmdsize, buf, parity)) - return false; + if(!isResponse) + { + switch(protocol) { + case ICLASS: annotateIclass(explanation,sizeof(explanation),frame,data_len); break; + case ISO_14443A: annotateIso14443a(explanation,sizeof(explanation),frame,data_len); break; + case ISO_14443B: annotateIso14443b(explanation,sizeof(explanation),frame,data_len); break; + case TOPAZ: annotateTopaz(explanation,sizeof(explanation),frame,data_len); break; + case ISO_15693: annotateIso15693(explanation,sizeof(explanation),frame,data_len); break; + default: break; + } + } - if(!CheckCrc14443(CRC_14443_A, buf, cmdsize)) - return false; + int num_lines = MIN((data_len - 1)/16 + 1, 16); + for (int j = 0; j < num_lines ; j++) { + if (j == 0) { + PrintAndLog(" %10d | %10d | %s |%-64s | %s| %s", + (timestamp - first_timestamp), + (EndOfTransmissionTimestamp - first_timestamp), + (isResponse ? "Tag" : "Rdr"), + line[j], + (j == num_lines-1) ? crc : " ", + (j == num_lines-1) ? explanation : ""); + } else { + PrintAndLog(" | | |%-64s | %s| %s", + line[j], + (j == num_lines-1) ? crc : " ", + (j == num_lines-1) ? explanation : ""); + } + } - AuthData.nt = nt1; - AuthData.ks2 = AuthData.ar_enc ^ ar; - AuthData.ks3 = AuthData.at_enc ^ at; + if (DecodeMifareData(frame, data_len, parityBytes, isResponse, mfData, &mfDataLen)) { + memset(explanation, 0x00, sizeof(explanation)); + if (!isResponse) { + explanation[0] = '>'; + annotateIso14443a(&explanation[1], sizeof(explanation) - 1, mfData, mfDataLen); + } + uint8_t crcc = iso14443A_CRC_check(isResponse, mfData, mfDataLen); + PrintAndLog(" | * | dec |%-64s | %-4s| %s", + sprint_hex(mfData, mfDataLen), + (crcc == 0 ? "!crc" : (crcc == 1 ? " ok " : " ")), + (true) ? explanation : ""); + }; - return true; + if (is_last_record(tracepos, trace, traceLen)) return traceLen; + + if (showWaitCycles && !isResponse && next_record_is_response(tracepos, trace)) { + uint32_t next_timestamp = *((uint32_t *)(trace + tracepos)); + PrintAndLog(" %10d | %10d | %s | fdt (Frame Delay Time): %d", + (EndOfTransmissionTimestamp - first_timestamp), + (next_timestamp - first_timestamp), + " ", + (next_timestamp - EndOfTransmissionTimestamp)); + } + + return tracepos; } -bool CheckCrypto1Parity(uint8_t *cmd_enc, uint8_t cmdsize, uint8_t *cmd, uint8_t *parity_enc) { - for (int i = 0; i < cmdsize - 1; i++) { - if (oddparity8(cmd[i]) ^ (cmd[i + 1] & 0x01) ^ ((parity_enc[i / 8] >> (7 - i % 8)) & 0x01) ^ (cmd_enc[i + 1] & 0x01)) - return false; + +int CmdHFList(const char *Cmd) +{ + bool showWaitCycles = false; + bool markCRCBytes = false; + bool loadFromFile = false; + bool saveToFile = false; + char param1 = '\0'; + char param2 = '\0'; + char param3 = '\0'; + char type[40] = {0}; + char filename[FILE_PATH_SIZE] = {0}; + uint8_t protocol = 0; + + // parse command line + int tlen = param_getstr(Cmd, 0, type, sizeof(type)); + if (param_getlength(Cmd, 1) == 1) { + param1 = param_getchar(Cmd, 1); + } else { + param_getstr(Cmd, 1, filename, sizeof(filename)); + } + if (param_getlength(Cmd, 2) == 1) { + param2 = param_getchar(Cmd, 2); + } else if (strlen(filename) == 0) { + param_getstr(Cmd, 2, filename, sizeof(filename)); + } + if (param_getlength(Cmd, 3) == 1) { + param3 = param_getchar(Cmd, 3); + } else if (strlen(filename) == 0) { + param_getstr(Cmd, 3, filename, sizeof(filename)); + } + + // Validate param1 + bool errors = false; + + if(tlen == 0) { + errors = true; + } + + if(param1 == 'h' + || (param1 != 0 && param1 != 'f' && param1 != 'c' && param1 != 'l') + || (param2 != 0 && param2 != 'f' && param2 != 'c' && param2 != 'l') + || (param3 != 0 && param3 != 'f' && param3 != 'c' && param3 != 'l')) { + errors = true; + } + + if(!errors) { + if (strcmp(type, "iclass") == 0) protocol = ICLASS; + else if(strcmp(type, "14a") == 0) protocol = ISO_14443A; + else if(strcmp(type, "mf") == 0) protocol = PROTO_MIFARE; + else if(strcmp(type, "14b") == 0) protocol = ISO_14443B; + else if(strcmp(type, "topaz") == 0) protocol = TOPAZ; + else if(strcmp(type, "7816") == 0) protocol = ISO_7816_4; + else if(strcmp(type, "15") == 0) protocol = ISO_15693; + else if(strcmp(type, "raw") == 0) protocol = -1;//No crc, no annotations + else if (strcmp(type, "save") == 0) saveToFile = true; + else errors = true; } - return true; -} + if (param1 == 'f' || param2 == 'f' || param3 == 'f') { + showWaitCycles = true; + } -uint64_t GetCrypto1ProbableKey(TAuthData *ad) { - struct Crypto1State *revstate = lfsr_recovery64(ad->ks2, ad->ks3); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, ad->nr_enc, 1); - lfsr_rollback_word(revstate, ad->uid ^ ad->nt, 0); + if (param1 == 'c' || param2 == 'c' || param3 == 'c') { + markCRCBytes = true; + } - uint64_t lfsr = 0; - crypto1_get_lfsr(revstate, &lfsr); - crypto1_destroy(revstate); + if (param1 == 'l' || param2 == 'l' || param3 == 'l') { + loadFromFile = true; + } + + if ((loadFromFile || saveToFile) && strlen(filename) == 0) { + errors = true; + } + + if (loadFromFile && saveToFile) { + errors = true; + } - return lfsr; + if (errors) { + PrintAndLog("List or save protocol data."); + PrintAndLog("Usage: hf list [f] [c] [l ]"); + PrintAndLog(" hf list save "); + PrintAndLog(" f - show frame delay times as well"); + PrintAndLog(" c - mark CRC bytes"); + PrintAndLog(" l - load data from file instead of trace buffer"); + PrintAndLog(" save - save data to file"); + PrintAndLog("Supported values:"); + PrintAndLog(" raw - just show raw data without annotations"); + PrintAndLog(" 14a - interpret data as iso14443a communications"); + PrintAndLog(" mf - interpret data as iso14443a communications and decrypt crypto1 stream"); + PrintAndLog(" 14b - interpret data as iso14443b communications"); + PrintAndLog(" 15 - interpret data as iso15693 communications"); + PrintAndLog(" iclass - interpret data as iclass communications"); + PrintAndLog(" topaz - interpret data as topaz communications"); + PrintAndLog(""); + PrintAndLog("example: hf list 14a f"); + PrintAndLog("example: hf list iclass"); + PrintAndLog("example: hf list save myCardTrace.trc"); + PrintAndLog("example: hf list 14a l myCardTrace.trc"); + return 0; + } + + + uint8_t *trace; + uint32_t tracepos = 0; + uint32_t traceLen = 0; + + if (loadFromFile) { + #define TRACE_CHUNK_SIZE (1<<16) // 64K to start with. Will be enough for BigBuf and some room for future extensions + FILE *tracefile = NULL; + size_t bytes_read; + trace = malloc(TRACE_CHUNK_SIZE); + if (trace == NULL) { + PrintAndLog("Cannot allocate memory for trace"); + return 2; + } + if ((tracefile = fopen(filename,"rb")) == NULL) { + PrintAndLog("Could not open file %s", filename); + free(trace); + return 0; + } + while (!feof(tracefile)) { + bytes_read = fread(trace+traceLen, 1, TRACE_CHUNK_SIZE, tracefile); + traceLen += bytes_read; + if (!feof(tracefile)) { + uint8_t *p = realloc(trace, traceLen + TRACE_CHUNK_SIZE); + if (p == NULL) { + PrintAndLog("Cannot allocate memory for trace"); + free(trace); + fclose(tracefile); + return 2; + } + trace = p; + } + } + fclose(tracefile); + } else { + trace = malloc(USB_CMD_DATA_SIZE); + // Query for the size of the trace + UsbCommand response; + GetFromBigBuf(trace, USB_CMD_DATA_SIZE, 0, &response, -1, false); + traceLen = response.arg[2]; + if (traceLen > USB_CMD_DATA_SIZE) { + uint8_t *p = realloc(trace, traceLen); + if (p == NULL) { + PrintAndLog("Cannot allocate memory for trace"); + free(trace); + return 2; + } + trace = p; + GetFromBigBuf(trace, traceLen, 0, NULL, -1, false); + } + } + + if (saveToFile) { + FILE *tracefile = NULL; + if ((tracefile = fopen(filename,"wb")) == NULL) { + PrintAndLog("Could not create file %s", filename); + return 1; + } + fwrite(trace, 1, traceLen, tracefile); + PrintAndLog("Recorded Activity (TraceLen = %d bytes) written to file %s", traceLen, filename); + fclose(tracefile); + } else { + PrintAndLog("Recorded Activity (TraceLen = %d bytes)", traceLen); + PrintAndLog(""); + PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer"); + PrintAndLog("iso14443a - All times are in carrier periods (1/13.56Mhz)"); + PrintAndLog("iClass - Timings are not as accurate"); + PrintAndLog(""); + PrintAndLog(" Start | End | Src | Data (! denotes parity error) | CRC | Annotation |"); + PrintAndLog("------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|"); + + ClearAuthData(); + while(tracepos < traceLen) + { + tracepos = printTraceLine(tracepos, traceLen, trace, protocol, showWaitCycles, markCRCBytes); + } + } + + free(trace); + return 0; } + diff --git a/client/cmdhflist.h b/client/cmdhflist.h index 8f289b48..3187440f 100644 --- a/client/cmdhflist.h +++ b/client/cmdhflist.h @@ -1,4 +1,5 @@ //----------------------------------------------------------------------------- +// Copyright (C) 2010 iZsh // Copyright (C) Merlok - 2017 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, @@ -10,38 +11,6 @@ #ifndef CMDHFLIST_H #define CMDHFLIST_H -#include -#include -#include +extern int CmdHFList(const char *Cmd); -typedef struct { - uint32_t uid; // UID - uint32_t nt; // tag challenge - uint32_t nt_enc; // encrypted tag challenge - uint8_t nt_enc_par; // encrypted tag challenge parity - uint32_t nr_enc; // encrypted reader challenge - uint32_t ar_enc; // encrypted reader response - uint8_t ar_enc_par; // encrypted reader response parity - uint32_t at_enc; // encrypted tag response - uint8_t at_enc_par; // encrypted tag response parity - bool first_auth; // is first authentication - uint32_t ks2; // ar ^ ar_enc - uint32_t ks3; // at ^ at_enc -} TAuthData; -extern void ClearAuthData(); - -extern uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len); -extern uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len); -extern void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize); -extern void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize); -extern void annotateTopaz(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize); -extern void annotateIso14443b(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize); -extern void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize); -extern void annotateMifare(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize, uint8_t* parity, uint8_t paritysize, bool isResponse); -extern bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen); -extern bool NTParityChk(TAuthData *ad, uint32_t ntx); -extern bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity); -extern bool CheckCrypto1Parity(uint8_t *cmd_enc, uint8_t cmdsize, uint8_t *cmd, uint8_t *parity_enc); -extern uint64_t GetCrypto1ProbableKey(TAuthData *ad); - -#endif // CMDHFLIST +#endif // CMDHFLIST_H diff --git a/client/cmdsmartcard.c b/client/cmdsmartcard.c index 8f3d8d2e..d5b9c287 100644 --- a/client/cmdsmartcard.c +++ b/client/cmdsmartcard.c @@ -18,7 +18,7 @@ #include "smartcard.h" #include "comms.h" #include "protocols.h" -#include "cmdhf.h" // CmdHFlist +#include "cmdhflist.h" #include "emv/apduinfo.h" // APDUcode description #include "emv/emvcore.h" // decodeTVL #include "crypto/libpcrypto.h" // sha512hash diff --git a/common/protocols.h b/common/protocols.h index 79d8e083..82b69f9d 100644 --- a/common/protocols.h +++ b/common/protocols.h @@ -234,6 +234,8 @@ NXP/Philips CUSTOM COMMANDS #define TOPAZ 3 #define PROTO_MIFARE 4 #define ISO_7816_4 5 +#define ISO_15693 6 + //-- Picopass fuses #define FUSE_FPERS 0x80