From: marshmellow42 Date: Sun, 18 Jan 2015 23:19:26 +0000 (-0500) Subject: Merge remote-tracking branch 'upstream/master' X-Git-Tag: v2.0.0-rc1~43^2~5 X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/53d85a8fa1c1b98cb79c40712d1668731bdcaf49?hp=1e090a61a149a58a57e9d9acbf5e5532387867a4 Merge remote-tracking branch 'upstream/master' --- diff --git a/armsrc/apps.h b/armsrc/apps.h index ce721525..5a1ab690 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -37,6 +37,25 @@ uint32_t BigBuf[BIGBUF_SIZE / sizeof(uint32_t)]; #define FREE_BUFFER_OFFSET (CARD_MEMORY_OFFSET + CARD_MEMORY_SIZE) #define FREE_BUFFER_SIZE (BIGBUF_SIZE - FREE_BUFFER_OFFSET - 1) +/* +The statements above translates into this : +BIGBUF_SIZE = 40000 +TRACE_OFFSET = 0 +TRACE_SIZE = 3000 +RECV_CMD_OFFSET = 3000 +MAX_FRAME_SIZE = 256 +MAX_PARITY_SIZE = 32 +RECV_CMD_PAR_OFFSET = 3256 +RECV_RESP_OFFSET = 3288 +RECV_RESP_PAR_OFFSET= 3544 +CARD_MEMORY_OFFSET = 3576 +CARD_MEMORY_SIZE = 4096 +DMA_BUFFER_OFFSET = 3576 +DMA_BUFFER_SIZE = 4096 +FREE_BUFFER_OFFSET = 7672 +FREE_BUFFER_SIZE = 32327 + */ + extern const uint8_t OddByteParity[256]; extern uint8_t *trace; // = (uint8_t *) BigBuf; extern int traceLen; // = 0; @@ -115,6 +134,8 @@ void SetAdcMuxFor(uint32_t whichGpio); #define FPGA_HF_SIMULATOR_MODULATE_BPSK (1<<0) #define FPGA_HF_SIMULATOR_MODULATE_212K (2<<0) #define FPGA_HF_SIMULATOR_MODULATE_424K (4<<0) +#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT 0x5//101 + // Options for ISO14443A #define FPGA_HF_ISO14443A_SNIFFER (0<<0) #define FPGA_HF_ISO14443A_TAGSIM_LISTEN (1<<0) diff --git a/armsrc/iclass.c b/armsrc/iclass.c index ea9af7d4..e7dd9535 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -687,7 +687,8 @@ void RAMFUNC SnoopIClass(void) SetAdcMuxFor(GPIO_MUXSEL_HIPKD); uint32_t time_0 = GetCountSspClk(); - + uint32_t time_start = 0; + uint32_t time_stop = 0; int div = 0; //int div2 = 0; @@ -738,6 +739,7 @@ void RAMFUNC SnoopIClass(void) smpl = decbyter; if(OutOfNDecoding((smpl & 0xF0) >> 4)) { rsamples = samples - Uart.samples; + time_stop = (GetCountSspClk()-time_0) << 4; LED_C_ON(); //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break; @@ -745,7 +747,7 @@ void RAMFUNC SnoopIClass(void) if(tracing) { uint8_t parity[MAX_PARITY_SIZE]; GetParity(Uart.output, Uart.byteCnt, parity); - LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, TRUE); + LogTrace(Uart.output,Uart.byteCnt, time_start, time_stop, parity, TRUE); } @@ -756,6 +758,8 @@ void RAMFUNC SnoopIClass(void) Demod.state = DEMOD_UNSYNCD; LED_B_OFF(); Uart.byteCnt = 0; + }else{ + time_start = (GetCountSspClk()-time_0) << 4; } decbyter = 0; } @@ -763,21 +767,24 @@ void RAMFUNC SnoopIClass(void) if(div > 3) { smpl = decbyte; if(ManchesterDecoding(smpl & 0x0F)) { - rsamples = samples - Demod.samples; + time_stop = (GetCountSspClk()-time_0) << 4; + + rsamples = samples - Demod.samples; LED_B_ON(); if(tracing) { uint8_t parity[MAX_PARITY_SIZE]; GetParity(Demod.output, Demod.len, parity); - LogTrace(Demod.output, Demod.len, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, FALSE); + LogTrace(Demod.output, Demod.len, time_start, time_stop, parity, FALSE); } - // And ready to receive another response. memset(&Demod, 0, sizeof(Demod)); Demod.output = tagToReaderResponse; Demod.state = DEMOD_UNSYNCD; LED_C_OFF(); + }else{ + time_start = (GetCountSspClk()-time_0) << 4; } div = 0; @@ -850,57 +857,93 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen) } } +static uint8_t encode4Bits(const uint8_t b) +{ + uint8_t c = b & 0xF; + // OTA, the least significant bits first + // The columns are + // 1 - Bit value to send + // 2 - Reversed (big-endian) + // 3 - Encoded + // 4 - Hex values + + switch(c){ + // 1 2 3 4 + case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55 + case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95 + case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65 + case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5 + case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59 + case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99 + case 9: return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69 + case 8: return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9 + case 7: return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56 + case 6: return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96 + case 5: return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66 + case 4: return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6 + case 3: return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a + case 2: return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a + case 1: return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a + default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa + + } +} //----------------------------------------------------------------------------- // Prepare tag messages //----------------------------------------------------------------------------- static void CodeIClassTagAnswer(const uint8_t *cmd, int len) { - //So far a dummy implementation, not used - //int lastProxToAirDuration =0; + + /* + * SOF comprises 3 parts; + * * An unmodulated time of 56.64 us + * * 24 pulses of 423.75 KHz (fc/32) + * * A logic 1, which starts with an unmodulated time of 18.88us + * followed by 8 pulses of 423.75kHz (fc/32) + * + * + * EOF comprises 3 parts: + * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated + * time of 18.88us. + * - 24 pulses of fc/32 + * - An unmodulated time of 56.64 us + * + * + * A logic 0 starts with 8 pulses of fc/32 + * followed by an unmodulated time of 256/fc (~18,88us). + * + * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by + * 8 pulses of fc/32 (also 18.88us) + * + * The mode FPGA_HF_SIMULATOR_MODULATE_424K_8BIT which we use to simulate tag, + * works like this. + * - A 1-bit input to the FPGA becomes 8 pulses on 423.5kHz (fc/32) (18.88us). + * - A 0-bit inptu to the FPGA becomes an unmodulated time of 18.88us + * + * In this mode the SOF can be written as 00011101 = 0x1D + * The EOF can be written as 10111000 = 0xb8 + * A logic 1 is 01 + * A logic 0 is 10 + * + * */ + int i; ToSendReset(); // Send SOF - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xff; + ToSend[++ToSendMax] = 0x1D; for(i = 0; i < len; i++) { - int j; uint8_t b = cmd[i]; - - // Data bits - for(j = 0; j < 8; j++) { - if(b & 1) { - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xff; - } else { - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0x00; - } - b >>= 1; - } + ToSend[++ToSendMax] = encode4Bits(b & 0xF); //Least significant half + ToSend[++ToSendMax] = encode4Bits((b >>4) & 0xF);//Most significant half } // Send EOF - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x00; - + ToSend[++ToSendMax] = 0xB8; //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end - // Convert from last byte pos to length ToSendMax++; } @@ -913,21 +956,13 @@ static void CodeIClassTagSOF() ToSendReset(); // Send SOF - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0xff; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xff; - + ToSend[++ToSendMax] = 0x1D; // lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning - // Convert from last byte pos to length ToSendMax++; } + int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf); /** * @brief SimulateIClass simulates an iClass card. @@ -963,7 +998,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain else if(simType == 2) { - uint8_t mac_responses[64] = { 0 }; + uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 }; Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS); // In this mode, a number of csns are within datain. We'll simulate each one, one at a time // in order to collect MAC's from the reader. This can later be used in an offlne-attack @@ -976,6 +1011,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain memcpy(csn_crc, datain+(i*8), 8); if(doIClassSimulation(csn_crc,1,mac_responses+i*8)) { + cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8); return; // Button pressed } } @@ -997,7 +1033,9 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain */ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf) { + // CSN followed by two CRC bytes + uint8_t response1[] = { 0x0F} ; uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0}; memcpy(response3,csn,sizeof(response3)); @@ -1020,29 +1058,29 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader // Reader 81 anticoll. CSN // Tag CSN - uint8_t *resp; - int respLen; - uint8_t* respdata = NULL; - int respsize = 0; - uint8_t sof = 0x0f; + uint8_t *modulated_response; + int modulated_response_size; + uint8_t* trace_data = NULL; + int trace_data_size = 0; + //uint8_t sof = 0x0f; - // Respond SOF -- takes 8 bytes + // Respond SOF -- takes 1 bytes uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); int resp1Len; // Anticollision CSN (rotated CSN) - // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit) - uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10); + // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte) + uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 2); int resp2Len; // CSN - // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit) - uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190); + // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte) + uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 30); int resp3Len; // e-Purse - // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit) - uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370); + // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/byte) + uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 60); int resp4Len; // + 1720.. @@ -1089,11 +1127,6 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader LED_A_ON(); bool buttonPressed = false; - /** Hack for testing - memcpy(reader_mac_buf,csn,8); - exitLoop = true; - end hack **/ - while(!exitLoop) { LED_B_OFF(); @@ -1112,35 +1145,35 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader // Okay, look at the command now. if(receivedCmd[0] == 0x0a ) { // Reader in anticollission phase - resp = resp1; respLen = resp1Len; //order = 1; - respdata = &sof; - respsize = sizeof(sof); + modulated_response = resp1; modulated_response_size = resp1Len; //order = 1; + trace_data = response1; + trace_data_size = sizeof(response1); } else if(receivedCmd[0] == 0x0c) { // Reader asks for anticollission CSN - resp = resp2; respLen = resp2Len; //order = 2; - respdata = response2; - respsize = sizeof(response2); + modulated_response = resp2; modulated_response_size = resp2Len; //order = 2; + trace_data = response2; + trace_data_size = sizeof(response2); //DbpString("Reader requests anticollission CSN:"); } else if(receivedCmd[0] == 0x81) { // Reader selects anticollission CSN. // Tag sends the corresponding real CSN - resp = resp3; respLen = resp3Len; //order = 3; - respdata = response3; - respsize = sizeof(response3); + modulated_response = resp3; modulated_response_size = resp3Len; //order = 3; + trace_data = response3; + trace_data_size = sizeof(response3); //DbpString("Reader selects anticollission CSN:"); } else if(receivedCmd[0] == 0x88) { // Read e-purse (88 02) - resp = resp4; respLen = resp4Len; //order = 4; - respdata = response4; - respsize = sizeof(response4); + modulated_response = resp4; modulated_response_size = resp4Len; //order = 4; + trace_data = response4; + trace_data_size = sizeof(response4); LED_B_ON(); } else if(receivedCmd[0] == 0x05) { // Reader random and reader MAC!!! // Do not respond // We do not know what to answer, so lets keep quiet - resp = resp1; respLen = 0; //order = 5; - respdata = NULL; - respsize = 0; + modulated_response = resp1; modulated_response_size = 0; //order = 5; + trace_data = NULL; + trace_data_size = 0; if (breakAfterMacReceived){ // dbprintf:ing ... Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x" @@ -1157,9 +1190,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader } } else if(receivedCmd[0] == 0x00 && len == 1) { // Reader ends the session - resp = resp1; respLen = 0; //order = 0; - respdata = NULL; - respsize = 0; + modulated_response = resp1; modulated_response_size = 0; //order = 0; + trace_data = NULL; + trace_data_size = 0; } else { //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44 // Never seen this command before @@ -1169,9 +1202,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader receivedCmd[3], receivedCmd[4], receivedCmd[5], receivedCmd[6], receivedCmd[7], receivedCmd[8]); // Do not respond - resp = resp1; respLen = 0; //order = 0; - respdata = NULL; - respsize = 0; + modulated_response = resp1; modulated_response_size = 0; //order = 0; + trace_data = NULL; + trace_data_size = 0; } if(cmdsRecvd > 100) { @@ -1181,9 +1214,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader else { cmdsRecvd++; } - - if(respLen > 0) { - SendIClassAnswer(resp, respLen, 21); + /** + A legit tag has about 380us delay between reader EOT and tag SOF. + **/ + if(modulated_response_size > 0) { + SendIClassAnswer(modulated_response, modulated_response_size, 1); t2r_time = GetCountSspClk(); } @@ -1192,9 +1227,9 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader GetParity(receivedCmd, len, parity); LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE); - if (respdata != NULL) { - GetParity(respdata, respsize, parity); - LogTrace(respdata, respsize, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE); + if (trace_data != NULL) { + GetParity(trace_data, trace_data_size, parity); + LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE); } if(!tracing) { DbpString("Trace full"); @@ -1208,6 +1243,8 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader //Dbprintf("%x", cmdsRecvd); LED_A_OFF(); LED_B_OFF(); + LED_C_OFF(); + if(buttonPressed) { DbpString("Button pressed"); @@ -1220,7 +1257,8 @@ static int SendIClassAnswer(uint8_t *resp, int respLen, int delay) int i = 0, d=0;//, u = 0, d = 0; uint8_t b = 0; - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K); + //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K_8BIT); AT91C_BASE_SSC->SSC_THR = 0x00; FpgaSetupSsc(); @@ -1244,7 +1282,8 @@ static int SendIClassAnswer(uint8_t *resp, int respLen, int delay) AT91C_BASE_SSC->SSC_THR = b; } - if (i > respLen +4) break; +// if (i > respLen +4) break; + if (i > respLen +1) break; } return 0; diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index cf55e606..d326be2c 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1772,7 +1772,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos); for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01; - uid_resp[uid_resp_bits & 0xf8] |= UIDbit << (uid_resp_bits % 8); + uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8); } uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position uid_resp_bits++; diff --git a/client/cmdhf.c b/client/cmdhf.c index 762fada4..9acc9825 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -123,23 +123,28 @@ NXP/Philips CUSTOM COMMANDS 40 = Long Range CMD (Standard ISO/TR7003:1990) */ -#define ICLASS_CMD_ACTALL 0x0A +#define ICLASS_CMD_ACTALL 0x0A #define ICLASS_CMD_READ_OR_IDENTIFY 0x0C -#define ICLASS_CMD_SELECT 0x81 -#define ICLASS_CMD_PAGESEL 0x84 -#define ICLASS_CMD_READCHECK 0x88 -#define ICLASS_CMD_CHECK 0x05 -#define ICLASS_CMD_SOF 0x0F -#define ICLASS_CMD_HALT 0x00 - -#define ISO14443_CMD_REQA 0x26 -#define ISO14443_CMD_READBLOCK 0x30 -#define ISO14443_CMD_WUPA 0x52 -#define ISO14443_CMD_ANTICOLL_OR_SELECT 0x93 -#define ISO14443_CMD_ANTICOLL_OR_SELECT_2 0x95 -#define ISO14443_CMD_WRITEBLOCK 0xA0 // or 0xA2 ? -#define ISO14443_CMD_HALT 0x50 -#define ISO14443_CMD_RATS 0xE0 +#define ICLASS_CMD_SELECT 0x81 +#define ICLASS_CMD_PAGESEL 0x84 +#define ICLASS_CMD_READCHECK_KD 0x88 +#define ICLASS_CMD_READCHECK_KC 0x18 +#define ICLASS_CMD_CHECK 0x05 +#define ICLASS_CMD_DETECT 0x0F +#define ICLASS_CMD_HALT 0x00 +#define ICLASS_CMD_UPDATE 0x87 +#define ICLASS_CMD_ACT 0x8E +#define ICLASS_CMD_READ4 0x06 + + +#define ISO14443A_CMD_REQA 0x26 +#define ISO14443A_CMD_READBLOCK 0x30 +#define ISO14443A_CMD_WUPA 0x52 +#define ISO14443A_CMD_ANTICOLL_OR_SELECT 0x93 +#define ISO14443A_CMD_ANTICOLL_OR_SELECT_2 0x95 +#define ISO14443A_CMD_WRITEBLOCK 0xA0 // or 0xA2 ? +#define ISO14443A_CMD_HALT 0x50 +#define ISO14443A_CMD_RATS 0xE0 #define MIFARE_AUTH_KEYA 0x60 #define MIFARE_AUTH_KEYB 0x61 @@ -175,14 +180,17 @@ NXP/Philips CUSTOM COMMANDS #define ISO15693_READ_MULTI_SECSTATUS 0x2C +#define ISO_14443A 0 +#define ICLASS 1 +#define ISO_14443B 2 void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { switch(cmd[0]) { - case ISO14443_CMD_WUPA: snprintf(exp,size,"WUPA"); break; - case ISO14443_CMD_ANTICOLL_OR_SELECT:{ + case ISO14443A_CMD_WUPA: snprintf(exp,size,"WUPA"); break; + case ISO14443A_CMD_ANTICOLL_OR_SELECT:{ // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) if(cmd[2] == 0x70) @@ -193,7 +201,7 @@ void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) snprintf(exp,size,"ANTICOLL"); break; } } - case ISO14443_CMD_ANTICOLL_OR_SELECT_2:{ + case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:{ //95 20 = Anticollision of cascade level2 //95 70 = Select of cascade level2 if(cmd[2] == 0x70) @@ -204,11 +212,11 @@ void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) snprintf(exp,size,"ANTICOLL-2"); break; } } - case ISO14443_CMD_REQA: snprintf(exp,size,"REQA"); break; - case ISO14443_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; - case ISO14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; - case ISO14443_CMD_HALT: snprintf(exp,size,"HALT"); break; - case ISO14443_CMD_RATS: snprintf(exp,size,"RATS"); break; + case ISO14443A_CMD_REQA: snprintf(exp,size,"REQA"); break; + case ISO14443A_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; + case ISO14443A_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; + case ISO14443A_CMD_HALT: snprintf(exp,size,"HALT"); break; + case ISO14443A_CMD_RATS: snprintf(exp,size,"RATS"); break; case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; @@ -235,11 +243,15 @@ void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) break; } case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break; - case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL"); break; - case ICLASS_CMD_READCHECK: snprintf(exp,size,"READCHECK"); break; + case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL(%d)", cmd[1]); break; + case ICLASS_CMD_READCHECK_KC:snprintf(exp,size,"READCHECK[Kc](%d)", cmd[1]); break; + case ICLASS_CMD_READCHECK_KD:snprintf(exp,size,"READCHECK[Kd](%d)", cmd[1]); break; case ICLASS_CMD_CHECK: snprintf(exp,size,"CHECK"); break; - case ICLASS_CMD_SOF: snprintf(exp,size,"SOF"); break; + case ICLASS_CMD_DETECT: snprintf(exp,size,"DETECT"); break; case ICLASS_CMD_HALT: snprintf(exp,size,"HALT"); break; + case ICLASS_CMD_UPDATE: snprintf(exp,size,"UPDATE(%d)",cmd[1]); break; + case ICLASS_CMD_ACT: snprintf(exp,size,"ACT"); break; + case ICLASS_CMD_READ4: snprintf(exp,size,"READ4(%d)",cmd[1]); break; default: snprintf(exp,size,"?"); break; } return; @@ -272,12 +284,106 @@ void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break; case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break; case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break; - default: snprintf(exp,size,"?"); break; + default: snprintf(exp,size,"?"); break; + } + } +} +void annotateIso14443b(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) +{ + switch(cmd[0]){ + case ISO14443B_REQB : snprintf(exp,size,"REQB");break; + case ISO14443B_ATTRIB : snprintf(exp,size,"ATTRIB");break; + case ISO14443B_HALT : snprintf(exp,size,"HALT");break; + default: snprintf(exp,size ,"?");break; + } + +} + +/** + * @brief iso14443B_CRC_Ok Checks CRC in command or response + * @param isResponse + * @param data + * @param len + * @return 0 : CRC-command, CRC not ok + * 1 : CRC-command, CRC ok + * 2 : Not crc-command + */ + +uint8_t iso14443B_CRC_check(bool isResponse, uint8_t* data, uint8_t len) +{ + uint8_t b1,b2; + + if(len <= 2) return 2; + + ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2); + if(b1 != data[len-2] || b2 != data[len-1]) { + return 0; + } + return 1; +} + +/** + * @brief iclass_CRC_Ok Checks CRC in command or response + * @param isResponse + * @param data + * @param len + * @return 0 : CRC-command, CRC not ok + * 1 : CRC-command, CRC ok + * 2 : Not crc-command + */ +uint8_t iclass_CRC_check(bool isResponse, uint8_t* data, uint8_t len) +{ + if(len < 4) return 2;//CRC commands (and responses) are all at least 4 bytes + + uint8_t b1, b2; + + if(!isResponse)//Commands to tag + { + /** + These commands should have CRC. Total length leftmost + 4 READ + 4 READ4 + 12 UPDATE - unsecured, ends with CRC16 + 14 UPDATE - secured, ends with signature instead + 4 PAGESEL + **/ + if(len == 4 || len == 12)//Covers three of them + { + //Don't include the command byte + ComputeCrc14443(CRC_ICLASS, (data+1), len-3, &b1, &b2); + return b1 == data[len -2] && b2 == data[len-1]; } + return 2; + }else{ + /** + These tag responses should have CRC. Total length leftmost + + 10 READ data[8] crc[2] + 34 READ4 data[32]crc[2] + 10 UPDATE data[8] crc[2] + 10 SELECT csn[8] crc[2] + 10 IDENTIFY asnb[8] crc[2] + 10 PAGESEL block1[8] crc[2] + 10 DETECT csn[8] crc[2] + + These should not + + 4 CHECK chip_response[4] + 8 READCHECK data[8] + 1 ACTALL sof[1] + 1 ACT sof[1] + + In conclusion, without looking at the command; any response + of length 10 or 34 should have CRC + **/ + if(len != 10 && len != 34) return true; + + ComputeCrc14443(CRC_ICLASS, data, len-2, &b1, &b2); + return b1 == data[len -2] && b2 == data[len-1]; } } -uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool showWaitCycles) +uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, uint8_t protocol, bool showWaitCycles) { bool isResponse; uint16_t duration, data_len,parity_len; @@ -332,47 +438,45 @@ uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool sho } } //--- Draw the CRC column - bool crcError = false; + uint8_t crcStatus = 2; if (data_len > 2) { uint8_t b1, b2; - if(iclass) + if(protocol == ICLASS) { - if(!isResponse && data_len == 4 ) { - // Rough guess that this is a command from the reader - // For iClass the command byte is not part of the CRC - ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2); - } else { - // For other data.. CRC might not be applicable (UPDATE commands etc.) - ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2); - } - - if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) { - crcError = true; - } + crcStatus = iclass_CRC_check(isResponse, frame, data_len); - }else{//Iso 14443a + }else if (protocol == ISO_14443B) + { + crcStatus = iso14443B_CRC_check(isResponse, frame, data_len); + } + else if (protocol == ISO_14443A){//Iso 14443a ComputeCrc14443(CRC_14443_A, frame, data_len-2, &b1, &b2); if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) { if(!(isResponse & (data_len < 6))) { - crcError = true; + crcStatus = 0; } } } } - char *crc = crcError ? "!crc" :" "; + //0 CRC-command, CRC not ok + //1 CRC-command, CRC ok + //2 Not crc-command + char *crc = (crcStatus == 0 ? "!crc" : (crcStatus == 1 ? " ok " : " ")); EndOfTransmissionTimestamp = timestamp + duration; if(!isResponse) { - if(iclass) + if(protocol == ICLASS) annotateIclass(explanation,sizeof(explanation),frame,data_len); - else + else if (protocol == ISO_14443A) annotateIso14443a(explanation,sizeof(explanation),frame,data_len); + else if(protocol == ISO_14443B) + annotateIso14443b(explanation,sizeof(explanation),frame,data_len); } int num_lines = (data_len - 1)/16 + 1; @@ -415,9 +519,9 @@ int CmdHFList(const char *Cmd) int tlen = param_getstr(Cmd,0,type); char param = param_getchar(Cmd, 1); bool errors = false; - bool iclass = false; + uint8_t protocol = 0; //Validate params - if(tlen == 0 || (strcmp(type, "iclass") != 0 && strcmp(type,"14a") != 0)) + if(tlen == 0) { errors = true; } @@ -425,22 +529,40 @@ int CmdHFList(const char *Cmd) { errors = true; } + if(!errors) + { + if(strcmp(type, "iclass") == 0) + { + protocol = ICLASS; + }else if(strcmp(type, "14a") == 0) + { + protocol = ISO_14443A; + } + else if(strcmp(type, "14b") == 0) + { + protocol = ISO_14443B; + }else if(strcmp(type,"raw")== 0) + { + protocol = -1;//No crc, no annotations + }else{ + errors = true; + } + } if (errors) { PrintAndLog("List protocol data in trace buffer."); - PrintAndLog("Usage: hf list [14a|iclass] [f]"); + PrintAndLog("Usage: hf list [14a|14b|iclass] [f]"); PrintAndLog(" 14a - interpret data as iso14443a communications"); + PrintAndLog(" 14b - interpret data as iso14443b communications"); PrintAndLog(" iclass - interpret data as iclass communications"); + PrintAndLog(" raw - just show raw data"); PrintAndLog(" f - show frame delay times as well"); PrintAndLog(""); PrintAndLog("example: hf list 14a f"); PrintAndLog("example: hf list iclass"); return 0; } - if(strcmp(type, "iclass") == 0) - { - iclass = true; - } + if (param == 'f') { showWaitCycles = true; @@ -463,7 +585,7 @@ int CmdHFList(const char *Cmd) while(tracepos < TRACE_SIZE) { - tracepos = printTraceLine(tracepos, trace, iclass, showWaitCycles); + tracepos = printTraceLine(tracepos, trace, protocol, showWaitCycles); } return 0; } diff --git a/client/loclass/cipher.c b/client/loclass/cipher.c index 463ba9be..d3b1e799 100644 --- a/client/loclass/cipher.c +++ b/client/loclass/cipher.c @@ -1,5 +1,17 @@ /***************************************************************************** - * This file is part of iClassCipher. It is a reconstructon of the cipher engine + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine * used in iClass, and RFID techology. * * The implementation is based on the work performed by @@ -18,9 +30,13 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with IClassCipher. If not, see . + * along with loclass. If not, see . + * + * + * ****************************************************************************/ + #include "cipher.h" #include "cipherutils.h" #include diff --git a/client/loclass/cipher.h b/client/loclass/cipher.h index 4bfbe0b7..176a2976 100644 --- a/client/loclass/cipher.h +++ b/client/loclass/cipher.h @@ -1,5 +1,17 @@ /***************************************************************************** - * This file is part of iClassCipher. It is a reconstructon of the cipher engine + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine * used in iClass, and RFID techology. * * The implementation is based on the work performed by @@ -18,9 +30,13 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with IClassCipher. If not, see . + * along with loclass. If not, see . + * + * + * ****************************************************************************/ + #ifndef CIPHER_H #define CIPHER_H #include diff --git a/client/loclass/cipherutils.c b/client/loclass/cipherutils.c index e11e8d22..f9c62273 100644 --- a/client/loclass/cipherutils.c +++ b/client/loclass/cipherutils.c @@ -1,5 +1,17 @@ /***************************************************************************** - * This file is part of iClassCipher. It is a reconstructon of the cipher engine + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine * used in iClass, and RFID techology. * * The implementation is based on the work performed by @@ -18,7 +30,10 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with IClassCipher. If not, see . + * along with loclass. If not, see . + * + * + * ****************************************************************************/ #include diff --git a/client/loclass/cipherutils.h b/client/loclass/cipherutils.h index acf96115..cb090f69 100644 --- a/client/loclass/cipherutils.h +++ b/client/loclass/cipherutils.h @@ -1,5 +1,17 @@ /***************************************************************************** - * This file is part of iClassCipher. It is a reconstructon of the cipher engine + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine * used in iClass, and RFID techology. * * The implementation is based on the work performed by @@ -18,9 +30,13 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with IClassCipher. If not, see . + * along with loclass. If not, see . + * + * + * ****************************************************************************/ + #ifndef CIPHERUTILS_H #define CIPHERUTILS_H #include diff --git a/client/loclass/elite_crack.c b/client/loclass/elite_crack.c index adedba85..a8ab869e 100644 --- a/client/loclass/elite_crack.c +++ b/client/loclass/elite_crack.c @@ -1,3 +1,41 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + * + ****************************************************************************/ + #include #include #include @@ -514,6 +552,7 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[]) */ int bruteforceFile(const char *filename, uint16_t keytable[]) { + FILE *f = fopen(filename, "rb"); if(!f) { prnlog("Failed to read from file '%s'", filename); @@ -621,6 +660,21 @@ int _test_iclass_key_permutation() prnlog("[+] Iclass key permutation OK!"); return 0; } +int _testHash1() +{ + uint8_t csn[8]= {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0}; + uint8_t k[8] = {0}; + hash1(csn, k); + uint8_t expected[8] = {0x7E,0x72,0x2F,0x40,0x2D,0x02,0x51,0x42}; + if(memcmp(k,expected,8) != 0) + { + prnlog("Error with hash1!"); + printarr("calculated", k, 8); + printarr("expected", expected, 8); + return 1; + } + return 0; +} int testElite() { @@ -653,11 +707,13 @@ int testElite() prnlog("[+] Hash2 looks fine..."); } - prnlog("[+] Testing key diversification ..."); - int errors = 0 ; - errors +=_test_iclass_key_permutation(); + prnlog("[+] Testing hash1..."); + errors += _testHash1(); + prnlog("[+] Testing key diversification ..."); + errors +=_test_iclass_key_permutation(); errors += _testBruteforce(); + return errors; } diff --git a/client/loclass/elite_crack.h b/client/loclass/elite_crack.h index 21004e59..fb27355f 100644 --- a/client/loclass/elite_crack.h +++ b/client/loclass/elite_crack.h @@ -1,3 +1,42 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + * + ****************************************************************************/ + + #ifndef ELITE_CRACK_H #define ELITE_CRACK_H void permutekey(uint8_t key[8], uint8_t dest[8]); diff --git a/client/loclass/fileutils.c b/client/loclass/fileutils.c index 206d9695..4079dccf 100644 --- a/client/loclass/fileutils.c +++ b/client/loclass/fileutils.c @@ -1,3 +1,41 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + * + ****************************************************************************/ + #include #include #include @@ -40,14 +78,13 @@ int saveFile(const char *preferredName, const char *suffix, const void* data, si /*Opening file for writing in binary mode*/ FILE *fileHandle=fopen(fileName,"wb"); if(!fileHandle) { - PrintAndLog("Failed to write to file '%s'", fileName); + prnlog("Failed to write to file '%s'", fileName); free(fileName); return 1; } fwrite(data, 1, datalen, fileHandle); fclose(fileHandle); - PrintAndLog("Saved data to '%s'", fileName); - + prnlog("Saved data to '%s'", fileName); free(fileName); return 0; diff --git a/client/loclass/fileutils.h b/client/loclass/fileutils.h index e02079d5..623190a6 100644 --- a/client/loclass/fileutils.h +++ b/client/loclass/fileutils.h @@ -1,3 +1,41 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + * + ****************************************************************************/ + #ifndef FILEUTILS_H #define FILEUTILS_H /** diff --git a/client/loclass/ikeys.c b/client/loclass/ikeys.c index f7115b19..b21ecdbc 100644 --- a/client/loclass/ikeys.c +++ b/client/loclass/ikeys.c @@ -1,15 +1,23 @@ /***************************************************************************** - * This file is part of iClassCipher. It is a reconstructon of the cipher engine + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine * used in iClass, and RFID techology. * * The implementation is based on the work performed by * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and * Milosch Meriac in the paper "Dismantling IClass". * - * This is a reference implementation of iclass key diversification. I'm sure it can be - * optimized heavily. It is written for ease of understanding and correctness, please take it - * and tweak it and make a super fast version instead, using this for testing and verification. - * Copyright (C) 2014 Martin Holst Swende * * This is free software: you can redistribute it and/or modify @@ -22,8 +30,12 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with IClassCipher. If not, see . + * along with loclass. If not, see . + * + * + * ****************************************************************************/ + /** diff --git a/client/loclass/ikeys.h b/client/loclass/ikeys.h index 1de46b62..13096194 100644 --- a/client/loclass/ikeys.h +++ b/client/loclass/ikeys.h @@ -1,3 +1,41 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + * + ****************************************************************************/ + #ifndef IKEYS_H #define IKEYS_H diff --git a/client/loclass/loclass_main.h b/client/loclass/loclass_main.h new file mode 100644 index 00000000..b6d58a8b --- /dev/null +++ b/client/loclass/loclass_main.h @@ -0,0 +1,4 @@ +#ifndef LOCLASS_MAIN_H +#define LOCLASS_MAIN_H + +#endif // LOCLASS_MAIN_H diff --git a/client/loclass/main.c b/client/loclass/main.c index 42019072..d1b0359b 100644 --- a/client/loclass/main.c +++ b/client/loclass/main.c @@ -1,5 +1,17 @@ /***************************************************************************** - * This file is part of iClassCipher. It is a reconstructon of the cipher engine + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine * used in iClass, and RFID techology. * * The implementation is based on the work performed by @@ -18,11 +30,14 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with IClassCipher. If not, see . + * along with loclass. If not, see . + * + * + * ****************************************************************************/ + #include -#include #include #include #include @@ -40,11 +55,15 @@ int unitTests() errors += testMAC(); errors += doKeyTests(0); errors += testElite(); + if(errors) + { + prnlog("OBS! There were errors!!!"); + } return errors; } int showHelp() { - prnlog("Usage: iclazz [options]"); + prnlog("Usage: loclass [options]"); prnlog("Options:"); prnlog("-t Perform self-test"); prnlog("-h Show this help"); @@ -64,7 +83,18 @@ int main (int argc, char **argv) { prnlog("IClass Cipher version 1.2, Copyright (C) 2014 Martin Holst Swende\n"); prnlog("Comes with ABSOLUTELY NO WARRANTY"); - prnlog("This is free software, and you are welcome to use, abuse and repackage, please keep the credits\n"); + prnlog("Released as GPLv2\n"); + prnlog("WARNING"); + prnlog(""); + prnlog("THIS TOOL IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. "); + prnlog(""); + prnlog("USAGE OF THIS TOOL IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL "); + prnlog("PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, "); + prnlog("AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. "); + prnlog(""); + prnlog("THIS TOOL SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. "); + + char *fileName = NULL; int c; while ((c = getopt (argc, argv, "thf:")) != -1) diff --git a/fpga/fpga_hf.bit b/fpga/fpga_hf.bit index 5389428c..8b0c7a37 100644 Binary files a/fpga/fpga_hf.bit and b/fpga/fpga_hf.bit differ diff --git a/fpga/fpga_lf.bit b/fpga/fpga_lf.bit index e942921a..51b0681c 100644 Binary files a/fpga/fpga_lf.bit and b/fpga/fpga_lf.bit differ diff --git a/fpga/hi_simulate.v b/fpga/hi_simulate.v index c04ade80..0768c29d 100644 --- a/fpga/hi_simulate.v +++ b/fpga/hi_simulate.v @@ -50,12 +50,38 @@ begin else if(~(| adc_d[7:5])) after_hysteresis = 1'b0; end + // Divide 13.56 MHz by 32 to produce the SSP_CLK // The register is bigger to allow higher division factors of up to /128 -reg [6:0] ssp_clk_divider; +reg [10:0] ssp_clk_divider; + always @(posedge adc_clk) ssp_clk_divider <= (ssp_clk_divider + 1); -assign ssp_clk = ssp_clk_divider[4]; + +reg ssp_clk; +reg ssp_frame; +always @(negedge adc_clk) +begin + //If we're in 101, we only need a new bit every 8th carrier bit (53Hz). Otherwise, get next bit at 424Khz + if(mod_type == 3'b101) + begin + if(ssp_clk_divider[7:0] == 8'b00000000) + ssp_clk <= 1'b0; + if(ssp_clk_divider[7:0] == 8'b10000000) + ssp_clk <= 1'b1; + + end + else + begin + if(ssp_clk_divider[4:0] == 5'd0)//[4:0] == 5'b00000) + ssp_clk <= 1'b1; + if(ssp_clk_divider[4:0] == 5'd16) //[4:0] == 5'b10000) + ssp_clk <= 1'b0; + end +end + + +//assign ssp_clk = ssp_clk_divider[4]; // Divide SSP_CLK by 8 to produce the byte framing signal; the phase of // this is arbitrary, because it's just a bitstream. @@ -69,12 +95,13 @@ reg [2:0] ssp_frame_divider_from_arm; always @(negedge ssp_clk) ssp_frame_divider_from_arm <= (ssp_frame_divider_from_arm + 1); -reg ssp_frame; + + always @(ssp_frame_divider_to_arm or ssp_frame_divider_from_arm or mod_type) if(mod_type == 3'b000) // not modulating, so listening, to ARM ssp_frame = (ssp_frame_divider_to_arm == 3'b000); else - ssp_frame = (ssp_frame_divider_from_arm == 3'b000); + ssp_frame = (ssp_frame_divider_from_arm == 3'b000); // Synchronize up the after-hysteresis signal, to produce DIN. reg ssp_din; @@ -90,7 +117,7 @@ always @(mod_type or ssp_clk or ssp_dout) modulating_carrier <= ssp_dout ^ ssp_clk_divider[3]; // XOR means BPSK else if(mod_type == 3'b010) modulating_carrier <= ssp_dout & ssp_clk_divider[5]; // switch 212kHz subcarrier on/off - else if(mod_type == 3'b100) + else if(mod_type == 3'b100 || mod_type == 3'b101) modulating_carrier <= ssp_dout & ssp_clk_divider[4]; // switch 424kHz modulation on/off else modulating_carrier <= 1'b0; // yet unused @@ -106,7 +133,7 @@ assign pwr_oe4 = modulating_carrier; // This one is always on, so that we can watch the carrier. assign pwr_oe3 = 1'b0; -assign dbg = after_hysteresis; +assign dbg = modulating_carrier; //reg dbg; //always @(ssp_dout) // dbg <= ssp_dout;