Commit | Line | Data |
---|---|---|
b67f7ec3 MHS |
1 | #ifndef PROTOCOLS_H |
2 | #define PROTOCOLS_H | |
3 | ||
4 | //The following data is taken from http://www.proxmark.org/forum/viewtopic.php?pid=13501#p13501 | |
5 | /* | |
6 | ISO14443A (usually NFC tags) | |
7 | 26 (7bits) = REQA | |
8 | 30 = Read (usage: 30+1byte block number+2bytes ISO14443A-CRC - answer: 16bytes) | |
9 | A2 = Write (usage: A2+1byte block number+4bytes data+2bytes ISO14443A-CRC - answer: 0A [ACK] or 00 [NAK]) | |
10 | 52 (7bits) = WUPA (usage: 52(7bits) - answer: 2bytes ATQA) | |
11 | 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) | |
12 | 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) | |
13 | 95 20 = Anticollision of cascade level2 | |
14 | 95 70 = Select of cascade level2 | |
15 | 50 00 = Halt (usage: 5000+2bytes ISO14443A-CRC - no answer from card) | |
16 | Mifare | |
17 | 60 = Authenticate with KeyA | |
18 | 61 = Authenticate with KeyB | |
19 | 40 (7bits) = Used to put Chinese Changeable UID cards in special mode (must be followed by 43 (8bits) - answer: 0A) | |
20 | C0 = Decrement | |
21 | C1 = Increment | |
22 | C2 = Restore | |
23 | B0 = Transfer | |
24 | Ultralight C | |
25 | A0 = Compatibility Write (to accommodate MIFARE commands) | |
26 | 1A = Step1 Authenticate | |
27 | AF = Step2 Authenticate | |
28 | ||
29 | ||
30 | ISO14443B | |
31 | 05 = REQB | |
32 | 1D = ATTRIB | |
33 | 50 = HALT | |
c5f8c67a | 34 | |
35 | BA = PING (reader -> tag) | |
36 | AB = PONG (tag -> reader) | |
b67f7ec3 MHS |
37 | SRIX4K (tag does not respond to 05) |
38 | 06 00 = INITIATE | |
39 | 0E xx = SELECT ID (xx = Chip-ID) | |
40 | 0B = Get UID | |
41 | 08 yy = Read Block (yy = block number) | |
42 | 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written) | |
43 | 0C = Reset to Inventory | |
44 | 0F = Completion | |
45 | 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate) | |
46 | ||
47 | ||
48 | ISO15693 | |
49 | MANDATORY COMMANDS (all ISO15693 tags must support those) | |
50 | 01 = Inventory (usage: 260100+2bytes ISO15693-CRC - answer: 12bytes) | |
51 | 02 = Stay Quiet | |
52 | OPTIONAL COMMANDS (not all tags support them) | |
53 | 20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes) | |
54 | 21 = Write Block (usage: 0221+1byte block number+4bytes data+2bytes ISO15693-CRC - answer: 4bytes) | |
55 | 22 = Lock Block | |
56 | 23 = Read Multiple Blocks (usage: 0223+1byte 1st block to read+1byte last block to read+2bytes ISO15693-CRC) | |
57 | 25 = Select | |
58 | 26 = Reset to Ready | |
59 | 27 = Write AFI | |
60 | 28 = Lock AFI | |
61 | 29 = Write DSFID | |
62 | 2A = Lock DSFID | |
63 | 2B = Get_System_Info (usage: 022B+2bytes ISO15693-CRC - answer: 14 or more bytes) | |
64 | 2C = Read Multiple Block Security Status (usage: 022C+1byte 1st block security to read+1byte last block security to read+2bytes ISO15693-CRC) | |
65 | ||
66 | EM Microelectronic CUSTOM COMMANDS | |
67 | A5 = Active EAS (followed by 1byte IC Manufacturer code+1byte EAS type) | |
68 | A7 = Write EAS ID (followed by 1byte IC Manufacturer code+2bytes EAS value) | |
69 | B8 = Get Protection Status for a specific block (followed by 1byte IC Manufacturer code+1byte block number+1byte of how many blocks after the previous is needed the info) | |
70 | E4 = Login (followed by 1byte IC Manufacturer code+4bytes password) | |
71 | NXP/Philips CUSTOM COMMANDS | |
72 | A0 = Inventory Read | |
73 | A1 = Fast Inventory Read | |
74 | A2 = Set EAS | |
75 | A3 = Reset EAS | |
76 | A4 = Lock EAS | |
77 | A5 = EAS Alarm | |
78 | A6 = Password Protect EAS | |
79 | A7 = Write EAS ID | |
80 | A8 = Read EPC | |
81 | B0 = Inventory Page Read | |
82 | B1 = Fast Inventory Page Read | |
83 | B2 = Get Random Number | |
84 | B3 = Set Password | |
85 | B4 = Write Password | |
86 | B5 = Lock Password | |
87 | B6 = Bit Password Protection | |
88 | B7 = Lock Page Protection Condition | |
89 | B8 = Get Multiple Block Protection Status | |
90 | B9 = Destroy SLI | |
91 | BA = Enable Privacy | |
92 | BB = 64bit Password Protection | |
93 | 40 = Long Range CMD (Standard ISO/TR7003:1990) | |
c5f8c67a | 94 | |
95 | ISO 7816-4 Basic interindustry commands. For command APDU's. | |
96 | B0 = READ BINARY | |
97 | D0 = WRITE BINARY | |
98 | D6 = UPDATE BINARY | |
99 | 0E = ERASE BINARY | |
100 | B2 = READ RECORDS | |
101 | D2 = WRITE RECORDS | |
102 | E2 = APPEND RECORD | |
103 | DC = UPDATE RECORD | |
104 | CA = GET DATA | |
105 | DA = PUT DATA | |
106 | A4 = SELECT FILE | |
107 | 20 = VERIFY | |
108 | 88 = INTERNAL AUTHENTICATION | |
109 | 82 = EXTERNAL AUTHENTICATION | |
110 | B4 = GET CHALLENGE | |
111 | 70 = MANAGE CHANNEL | |
112 | ||
113 | For response APDU's | |
114 | 90 00 = OK | |
115 | 6x xx = ERROR | |
116 | */ | |
b67f7ec3 MHS |
117 | |
// iCLASS command bytes. iCLASS is not covered by the reference table in the
// comment at the top of this header, so these values cannot be cross-checked here.
// NOTE(review): READCHECK_KD / READCHECK_KC presumably select which key the
// following CHECK authenticates against - confirm against the iCLASS/Picopass datasheet.
118 | #define ICLASS_CMD_ACTALL 0x0A | |
119 | #define ICLASS_CMD_READ_OR_IDENTIFY 0x0C | |
120 | #define ICLASS_CMD_SELECT 0x81 | |
121 | #define ICLASS_CMD_PAGESEL 0x84 | |
122 | #define ICLASS_CMD_READCHECK_KD 0x88 | |
123 | #define ICLASS_CMD_READCHECK_KC 0x18 | |
124 | #define ICLASS_CMD_CHECK 0x05 | |
125 | #define ICLASS_CMD_DETECT 0x0F | |
126 | #define ICLASS_CMD_HALT 0x00 | |
127 | #define ICLASS_CMD_UPDATE 0x87 | |
128 | #define ICLASS_CMD_ACT 0x8E | |
129 | #define ICLASS_CMD_READ4 0x06 | |
130 | ||
131 | ||
// ISO14443A command bytes (first byte of the frame only). 0x26, 0x30, 0x52, 0x93,
// 0x95 and 0x50 match the reference table at the top of this header; 0x97 and 0xE0
// are not listed there. The table marks REQA and WUPA as 7-bit frames.
132 | #define ISO14443A_CMD_REQA 0x26 | |
133 | #define ISO14443A_CMD_READBLOCK 0x30 | |
134 | #define ISO14443A_CMD_WUPA 0x52 | |
135 | #define ISO14443A_CMD_ANTICOLL_OR_SELECT 0x93 | |
136 | #define ISO14443A_CMD_ANTICOLL_OR_SELECT_2 0x95 | |
9358e496 | 137 | #define ISO14443A_CMD_ANTICOLL_OR_SELECT_3 0x97 |
// NOTE(review): the reference table lists A2 = Write under ISO14443A and
// A0 = Compatibility Write under Ultralight C; this macro uses 0xA0. Confirm
// which write command callers intend before using it for anything but annotation.
2c39c25c | 138 | #define ISO14443A_CMD_WRITEBLOCK 0xA0 |
b67f7ec3 MHS |
139 | #define ISO14443A_CMD_HALT 0x50 |
140 | #define ISO14443A_CMD_RATS 0xE0 | |
141 | ||
// MIFARE Classic command bytes. AUTH_KEYA/KEYB (60/61) match the reference table
// at the top of this header.
142 | #define MIFARE_AUTH_KEYA 0x60 | |
143 | #define MIFARE_AUTH_KEYB 0x61 | |
// MAGICWUPC1 (0x40, 7 bits per the reference table) followed by MAGICWUPC2 (0x43)
// is the sequence the table describes for changeable-UID cards; 0x41 is not listed there.
16a95d76 | 144 | #define MIFARE_MAGICWUPC1 0x40 |
145 | #define MIFARE_MAGICWUPC2 0x43 | |
146 | #define MIFARE_MAGICWIPEC 0x41 | |
b67f7ec3 MHS |
// NOTE(review): INC and DEC disagree with the reference table at the top of this
// header, which gives C0 = Decrement and C1 = Increment. As defined here the two
// value-block operations are swapped relative to that table; confirm against the
// MIFARE Classic datasheet and check every user of these macros (trace annotation
// and any code that sends value-block commands) before changing the values.
147 | #define MIFARE_CMD_INC 0xC0 |
148 | #define MIFARE_CMD_DEC 0xC1 | |
149 | #define MIFARE_CMD_RESTORE 0xC2 | |
150 | #define MIFARE_CMD_TRANSFER 0xB0 | |
151 | ||
// MIFARE EV1 commands. These carry the same byte values as MIFARE_MAGICWUPC1 (0x40)
// and MIFARE_MAGICWUPC2 (0x43), so a trace decoder cannot tell the two uses apart
// from the byte alone.
e98572a1 | 152 | #define MIFARE_EV1_PERSONAL_UID 0x40 |
153 | #define MIFARE_EV1_SETMODE 0x43 | |
154 | ||
// MIFARE Ultralight C commands. 0xA2 (Write), 0x1A (Step1 Authenticate) and
// 0xAF (Step2 Authenticate) match the reference table at the top of this header.
// The Compatibility Write define (0xA0) is left commented out.
a98b05b7 | 155 | #define MIFARE_ULC_WRITE 0xA2 |
156 | //#define MIFARE_ULC__COMP_WRITE 0xA0 | |
b67f7ec3 | 157 | #define MIFARE_ULC_AUTH_1 0x1A |
11b1e2e5 | 158 | #define MIFARE_ULC_AUTH_2 0xAF |
7d010c49 | 159 | |
// MIFARE Ultralight EV1 commands; none of these appear in the reference table.
// MIFARE_ULEV1_VERSION shares the value 0x60 with MIFARE_AUTH_KEYA, so the byte
// must be interpreted per card type, not globally.
11b1e2e5 | 160 | #define MIFARE_ULEV1_AUTH 0x1B |
7d010c49 | 161 | #define MIFARE_ULEV1_VERSION 0x60 |
11b1e2e5 | 162 | #define MIFARE_ULEV1_FASTREAD 0x3A |
11b1e2e5 | 163 | #define MIFARE_ULEV1_READ_CNT 0x39 |
164 | #define MIFARE_ULEV1_INCR_CNT 0xA5 | |
165 | #define MIFARE_ULEV1_READSIG 0x3C | |
166 | #define MIFARE_ULEV1_CHECKTEAR 0x3E | |
167 | #define MIFARE_ULEV1_VCSL 0x4B | |
b67f7ec3 | 168 | |
9358e496 | 169 | // mifare 4bit card answers
// The reference table at the top of this header shows "0A [ACK] or 00 [NAK]" for
// Write, while only 0x04 and 0x05 are named here as NACK codes.
// NOTE(review): a receiver that matches only these two NACK values would not
// classify 0x00; treating every 4-bit answer other than CARD_ACK as a failure is
// the safer reading - confirm how callers compare.
170 | #define CARD_ACK 0x0A // 1010 - ACK | |
171 | #define CARD_NACK_NA 0x04 // 0100 - NACK, not allowed (command not allowed) | |
172 | #define CARD_NACK_TR 0x05 // 0101 - NACK, transmission error | |
173 | ||
e98572a1 | 174 | |
c2731f37 | 175 | // Magic Generation 1, parameter "work flags"
176 | // bit 0 - need get UID | |
177 | // bit 1 - send wupC (wakeup chinese) | |
178 | // bit 2 - send HALT cmd after sequence | |
179 | // bit 3 - turn on FPGA | |
180 | // bit 4 - turn off FPGA | |
181 | // bit 5 - set datain instead of issuing USB reply (called via ARM for StandAloneMode14a) | |
// bit 6 - MAGIC_WIPE; not described in the list above.
// NOTE(review): presumably requests the wipe command (cf. MIFARE_MAGICWIPEC) - confirm at the caller.
// Each flag below is a distinct single bit, so they can be OR-ed together.
182 | #define MAGIC_UID 0x01 | |
183 | #define MAGIC_WUPC 0x02 | |
184 | #define MAGIC_HALT 0x04 | |
185 | #define MAGIC_INIT 0x08 | |
186 | #define MAGIC_OFF 0x10 | |
187 | #define MAGIC_DATAIN 0x20 | |
188 | #define MAGIC_WIPE 0x40 | |
// MAGIC_SINGLE = wupC + HALT + FPGA on + FPGA off (0x02|0x04|0x08|0x10 = 0x1E);
// it does not include MAGIC_UID, MAGIC_DATAIN or MAGIC_WIPE.
189 | #define MAGIC_SINGLE (MAGIC_WUPC | MAGIC_HALT | MAGIC_INIT | MAGIC_OFF) //0x1E | |
e98572a1 | 190 | |
b67f7ec3 MHS |
191 | /** |
192 | 06 00 = INITIATE | |
193 | 0E xx = SELECT ID (xx = Chip-ID) | |
194 | 0B = Get UID | |
195 | 08 yy = Read Block (yy = block number) | |
196 | 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written) | |
197 | 0C = Reset to Inventory | |
198 | 0F = Completion | |
199 | 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate) | |
200 | **/ | |
201 | ||
// ISO14443B command bytes. REQB, ATTRIB and HALT match the ISO14443B section of the
// reference table at the top of this header; INITIATE through AUTHENTICATE are the
// commands that table lists under SRIX4K, defined here with the ISO14443B_ prefix.
// Only the first byte is defined: the table shows INITIATE as "06 00" and SELECT as
// "0E xx", so the parameter bytes must be supplied by the caller.
// ISO14443B_HALT has the same value (0x50) as ISO14443A_CMD_HALT.
202 | #define ISO14443B_REQB 0x05 | |
203 | #define ISO14443B_ATTRIB 0x1D | |
204 | #define ISO14443B_HALT 0x50 | |
205 | #define ISO14443B_INITIATE 0x06 | |
206 | #define ISO14443B_SELECT 0x0E | |
207 | #define ISO14443B_GET_UID 0x0B | |
208 | #define ISO14443B_READ_BLK 0x08 | |
209 | #define ISO14443B_WRITE_BLK 0x09 | |
210 | #define ISO14443B_RESET 0x0C | |
211 | #define ISO14443B_COMPLETION 0x0F | |
212 | #define ISO14443B_AUTHENTICATE 0x0A | |
// PING is reader -> tag and PONG is tag -> reader, per the reference table.
c5f8c67a | 213 | #define ISO14443B_PING 0xBA |
214 | #define ISO14443B_PONG 0xAB | |
b67f7ec3 MHS |
215 | |
// ISO15693 command codes; all values match the reference table at the top of this
// header. The "first byte" remarks refer to the byte that precedes the command code
// in that table's usage examples ("260100...", "0220...").
// NOTE(review): presumably the request-flags byte - confirm against ISO15693-3.
216 | //First byte is 26 | |
217 | #define ISO15693_INVENTORY 0x01 | |
218 | #define ISO15693_STAYQUIET 0x02 | |
219 | //First byte is 02 | |
220 | #define ISO15693_READBLOCK 0x20 | |
221 | #define ISO15693_WRITEBLOCK 0x21 | |
// NOTE(review): the LOCK_* commands are presumably irreversible on the tag; code
// that sends them should require explicit operator intent - confirm at the callers.
222 | #define ISO15693_LOCKBLOCK 0x22 | |
223 | #define ISO15693_READ_MULTI_BLOCK 0x23 | |
224 | #define ISO15693_SELECT 0x25 | |
225 | #define ISO15693_RESET_TO_READY 0x26 | |
226 | #define ISO15693_WRITE_AFI 0x27 | |
227 | #define ISO15693_LOCK_AFI 0x28 | |
228 | #define ISO15693_WRITE_DSFID 0x29 | |
229 | #define ISO15693_LOCK_DSFID 0x2A | |
230 | #define ISO15693_GET_SYSTEM_INFO 0x2B | |
231 | #define ISO15693_READ_MULTI_SECSTATUS 0x2C | |
232 | ||
233 | ||
0ec548dc | 234 | // Topaz command set:
// TOPAZ_REQA and TOPAZ_WUPA carry the same values as ISO14443A_CMD_REQA (0x26)
// and ISO14443A_CMD_WUPA (0x52). Topaz is not covered by the reference table at
// the top of this header.
235 | #define TOPAZ_REQA 0x26 // Request | |
236 | #define TOPAZ_WUPA 0x52 // WakeUp | |
237 | #define TOPAZ_RID 0x78 // Read ID | |
238 | #define TOPAZ_RALL 0x00 // Read All (all bytes) | |
239 | #define TOPAZ_READ 0x01 // Read (a single byte) | |
240 | #define TOPAZ_WRITE_E 0x53 // Write-with-erase (a single byte) | |
241 | #define TOPAZ_WRITE_NE 0x1a // Write-no-erase (a single byte) | |
242 | // additional commands for Dynamic Memory Model | |
243 | #define TOPAZ_RSEG 0x10 // Read segment | |
244 | #define TOPAZ_READ8 0x02 // Read (eight bytes) | |
245 | #define TOPAZ_WRITE_E8 0x54 // Write-with-erase (eight bytes) | |
246 | #define TOPAZ_WRITE_NE8 0x1B // Write-no-erase (eight bytes) | |
247 | ||
248 | ||
c71c5ee1 | 249 | // Definitions of which protocol annotations are available
// Consecutive identifiers 0..6. Several command bytes in this header have different
// meanings under different protocols (e.g. 0x60, 0xAF, 0xCA), so a command byte is
// only meaningful together with one of these protocol identifiers.
c5f8c67a | 250 | #define ISO_14443A 0
251 | #define ICLASS 1 | |
252 | #define ISO_14443B 2 | |
0ec548dc | 253 | #define TOPAZ 3
c5f8c67a | 254 | #define ISO_7816_4 4
7e08450d | 255 | #define MFDES 5
c71c5ee1 | 256 | #define LEGIC 6
b67f7ec3 | 257 | |
1defcf60 MHS |
258 | //-- Picopass fuses
// Eight single-bit masks that together cover every bit of one byte (0x80 .. 0x01).
// NOTE(review): presumably FPERS marks personalization mode and CRYPT1/CRYPT0 select
// the card's security mode - confirm against the Picopass datasheet before relying
// on these bits for an access decision.
259 | #define FUSE_FPERS 0x80 | |
260 | #define FUSE_CODING1 0x40 | |
261 | #define FUSE_CODING0 0x20 | |
262 | #define FUSE_CRYPT1 0x10 | |
263 | #define FUSE_CRYPT0 0x08 | |
264 | #define FUSE_FPROD1 0x04 | |
265 | #define FUSE_FPROD0 0x02 | |
266 | #define FUSE_RA 0x01 | |
267 | ||
c5f8c67a | 268 | // ISO 7816-4 Basic interindustry commands. For command APDU's.
// One-byte instruction codes; all sixteen values match the ISO 7816-4 section of the
// reference table at the top of this header.
f3782960 | 269 | #define ISO7816_READ_BINARY 0xB0
270 | #define ISO7816_WRITE_BINARY 0xD0 | |
271 | #define ISO7816_UPDATE_BINARY 0xD6 | |
272 | #define ISO7816_ERASE_BINARY 0x0E | |
273 | #define ISO7816_READ_RECORDS 0xB2 | |
274 | #define ISO7816_WRITE_RECORDS 0xD2 | |
275 | #define ISO7816_APPEND_RECORD 0xE2 | |
276 | #define ISO7816_UPDATE_RECORD 0xDC | |
277 | #define ISO7816_GET_DATA 0xCA | |
278 | #define ISO7816_PUT_DATA 0xDA | |
279 | #define ISO7816_SELECT_FILE 0xA4 | |
280 | #define ISO7816_VERIFY 0x20 | |
c5f8c67a | 281 | #define ISO7816_INTERNAL_AUTHENTICATION 0x88
282 | #define ISO7816_EXTERNAL_AUTHENTICATION 0x82 | |
f3782960 | 283 | #define ISO7816_GET_CHALLENGE 0xB4
284 | #define ISO7816_MANAGE_CHANNEL 0x70 | |
1defcf60 | 285 | |
c5f8c67a | 286 | // ISO7816-4 For response APDU's
// ISO7816_OK is a 16-bit value (the two status bytes "90 00" from the reference
// table), unlike the one-byte command codes above.
// NOTE(review): comparing it with a single uint8_t can never match; callers need to
// assemble both status bytes (first byte in the high half) - confirm at the call sites.
f3782960 | 287 | #define ISO7816_OK 0x9000
c5f8c67a | 288 | // 6x xx = ERROR
289 | ||
7e08450d | 290 | // MIFARE DESFire command set:
// One-byte command codes; DESFire is not covered by the reference table at the top
// of this header. Several values coincide with other protocols' macros in this file
// (0xca/0xda/0xdc with ISO7816_GET_DATA/PUT_DATA/UPDATE_RECORD, 0x60 with
// MIFARE_AUTH_KEYA, 0x1a with MIFARE_ULC_AUTH_1, 0xAF with MIFARE_ULC_AUTH_2), so
// lookups must be keyed on the protocol (MFDES) as well as the byte.
291 | #define MFDES_CREATE_APPLICATION 0xca | |
292 | #define MFDES_DELETE_APPLICATION 0xda | |
293 | #define MFDES_GET_APPLICATION_IDS 0x6a | |
294 | #define MFDES_SELECT_APPLICATION 0x5a | |
295 | #define MFDES_FORMAT_PICC 0xfc | |
296 | #define MFDES_GET_VERSION 0x60 | |
297 | #define MFDES_READ_DATA 0xbd | |
298 | #define MFDES_WRITE_DATA 0x3d | |
299 | #define MFDES_GET_VALUE 0x6c | |
300 | #define MFDES_CREDIT 0x0c | |
301 | #define MFDES_DEBIT 0xdc | |
302 | #define MFDES_LIMITED_CREDIT 0x1c | |
303 | #define MFDES_WRITE_RECORD 0x3b | |
304 | #define MFDES_READ_RECORDS 0xbb | |
305 | #define MFDES_CLEAR_RECORD_FILE 0xeb | |
306 | #define MFDES_COMMIT_TRANSACTION 0xc7 | |
307 | #define MFDES_ABORT_TRANSACTION 0xa7 | |
308 | #define MFDES_GET_FREE_MEMORY 0x6e | |
309 | #define MFDES_GET_FILE_IDS 0x6f | |
310 | #define MFDES_GET_ISOFILE_IDS 0x61 | |
311 | #define MFDES_GET_FILE_SETTINGS 0xf5 | |
312 | #define MFDES_CHANGE_FILE_SETTINGS 0x5f | |
313 | #define MFDES_CREATE_STD_DATA_FILE 0xcd | |
314 | #define MFDES_CREATE_BACKUP_DATA_FILE 0xcb | |
315 | #define MFDES_CREATE_VALUE_FILE 0xcc | |
316 | #define MFDES_CREATE_LINEAR_RECORD_FILE 0xc1 | |
317 | #define MFDES_CREATE_CYCLIC_RECORD_FILE 0xc0 | |
318 | #define MFDES_DELETE_FILE 0xdf | |
// Three authentication variants; the trailing comments give the alternative names
// for the first two.
319 | #define MFDES_AUTHENTICATE 0x0a // AUTHENTICATE_NATIVE | |
320 | #define MFDES_AUTHENTICATE_ISO 0x1a // AUTHENTICATE_STANDARD | |
321 | #define MFDES_AUTHENTICATE_AES 0xaa | |
322 | #define MFDES_CHANGE_KEY_SETTINGS 0x54 | |
323 | #define MFDES_GET_KEY_SETTINGS 0x45 | |
324 | #define MFDES_CHANGE_KEY 0xc4 | |
325 | #define MFDES_GET_KEY_VERSION 0x64 | |
326 | #define MFDES_AUTHENTICATION_FRAME 0xAF | |
c71c5ee1 | 327 | |
328 | // LEGIC Commands | |
// LEGIC is not covered by the reference table at the top of this header, so these
// values cannot be cross-checked here.
// NOTE(review): HSK_22 / HSK_256 presumably name handshake values for two card
// sizes - confirm at the users of these macros.
ad5bc8cc | 329 | #define LEGIC_HSK_22 0x19
330 | #define LEGIC_HSK_256 0x39 | |
331 | #define LEGIC_READ 0x01 | |
332 | #define LEGIC_WRITE 0x00 | |
c71c5ee1 | 333 | |
// Both prototypes use uint8_t, but no #include appears in the lines of this header
// shown here; the including file must provide <stdint.h> first.
// printIclassDumpInfo: declared here, defined elsewhere. Takes only a pointer.
// NOTE(review): no length is passed, so the callee has to assume a minimum buffer
// size - confirm the expected dump size at the definition and at every caller.
1defcf60 | 334 | void printIclassDumpInfo(uint8_t* iclass_dump);
// getMemConfig: declared here, defined elsewhere. Two by-value configuration bytes
// in, three uint8_t out-pointers (max_blk, app_areas, kb).
// NOTE(review): whether the out-pointers may be NULL is not visible here - confirm.
e98572a1 | 335 | void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb);
b67f7ec3 | 336 | |
1d0ccbe0 | 337 | /* T55x7 configuration register definitions */
/* Field values written as 32-bit constants, meant to be OR-ed into one
   configuration word. A value of 0 selects the all-zero encoding of its field. */
857bc2ff | 338 | #define T55x7_POR_DELAY 0x00000001
339 | #define T55x7_ST_TERMINATOR 0x00000008 | |
/* NOTE(review): T55x7_PWD is presumably the password-enable bit; a configuration
   written without it would leave the tag unprotected - confirm against the datasheet. */
340 | #define T55x7_PWD 0x00000010 | |
/* MAXBLOCK_SHIFT is a shift count (5), not a mask: it is meant to position a block
   count, not to be OR-ed in directly. */
1d0ccbe0 | 341 | #define T55x7_MAXBLOCK_SHIFT 5
857bc2ff | 342 | #define T55x7_AOR 0x00000200
343 | #define T55x7_PSKCF_RF_2 0 | |
344 | #define T55x7_PSKCF_RF_4 0x00000400 | |
345 | #define T55x7_PSKCF_RF_8 0x00000800 | |
/* Modulation encodings; every value lies within 0x0001F000. */
1d0ccbe0 | 346 | #define T55x7_MODULATION_DIRECT 0
347 | #define T55x7_MODULATION_PSK1 0x00001000 | |
348 | #define T55x7_MODULATION_PSK2 0x00002000 | |
349 | #define T55x7_MODULATION_PSK3 0x00003000 | |
350 | #define T55x7_MODULATION_FSK1 0x00004000 | |
351 | #define T55x7_MODULATION_FSK2 0x00005000 | |
352 | #define T55x7_MODULATION_FSK1a 0x00006000 | |
353 | #define T55x7_MODULATION_FSK2a 0x00007000 | |
354 | #define T55x7_MODULATION_MANCHESTER 0x00008000 | |
355 | #define T55x7_MODULATION_BIPHASE 0x00010000 | |
356 | #define T55x7_MODULATION_DIPHASE 0x00018000 | |
/* Bit-rate encodings; every value lies within 0x001C0000. */
857bc2ff | 357 | #define T55x7_BITRATE_RF_8 0
358 | #define T55x7_BITRATE_RF_16 0x00040000 | |
359 | #define T55x7_BITRATE_RF_32 0x00080000 | |
360 | #define T55x7_BITRATE_RF_40 0x000C0000 | |
361 | #define T55x7_BITRATE_RF_50 0x00100000 | |
362 | #define T55x7_BITRATE_RF_64 0x00140000 | |
1d0ccbe0 | 363 | #define T55x7_BITRATE_RF_100 0x00180000
364 | #define T55x7_BITRATE_RF_128 0x001C0000 | |
365 | ||
366 | /* T5555 (Q5) configuration register definitions */ | |
/* NOTE(review): T5555_ST_TERMINATOR and T5555_MAXBLOCK_SHIFT have the same value.
   MAXBLOCK_SHIFT is written like a mask but named like a shift count (compare
   T55x7_MAXBLOCK_SHIFT, which is 5) - confirm how callers use it. */
857bc2ff | 367 | #define T5555_ST_TERMINATOR 0x00000001
1d0ccbe0 | 368 | #define T5555_MAXBLOCK_SHIFT 0x00000001
/* Modulation encodings; every value lies within 0x00000070. */
369 | #define T5555_MODULATION_MANCHESTER 0 | |
370 | #define T5555_MODULATION_PSK1 0x00000010 | |
371 | #define T5555_MODULATION_PSK2 0x00000020 | |
372 | #define T5555_MODULATION_PSK3 0x00000030 | |
373 | #define T5555_MODULATION_FSK1 0x00000040 | |
374 | #define T5555_MODULATION_FSK2 0x00000050 | |
375 | #define T5555_MODULATION_BIPHASE 0x00000060 | |
376 | #define T5555_MODULATION_DIRECT 0x00000070 | |
857bc2ff | 377 | #define T5555_INVERT_OUTPUT 0x00000080
378 | #define T5555_PSK_RF_2 0 | |
379 | #define T5555_PSK_RF_4 0x00000100 | |
380 | #define T5555_PSK_RF_8 0x00000200 | |
/* NOTE(review): T5555_USE_PWD is presumably the password-enable bit - confirm
   against the datasheet. */
381 | #define T5555_USE_PWD 0x00000400 | |
382 | #define T5555_USE_AOR 0x00000800 | |
/* BITRATE_SHIFT is a shift count for the bit-rate field n, where RF = 2n + 2.
   NOTE(review): with the comment's example n = 0x1F, n << 12 sets bits 12-16, which
   overlaps T5555_FAST_WRITE (bit 14) and T5555_PAGE_SELECT (bit 15) as defined
   below - confirm the field position and width against the datasheet. */
c2731f37 | 383 | #define T5555_BITRATE_SHIFT 12 //(RF=2n+2) ie 64=2*0x1F+2 or n = (RF-2)/2
857bc2ff | 384 | #define T5555_FAST_WRITE 0x00004000
385 | #define T5555_PAGE_SELECT 0x00008000 | |
1d0ccbe0 | 386 | |
// Declared here, defined elsewhere; takes and returns a uint32_t.
// NOTE(review): presumably maps a clock divisor to the matching T55x7_BITRATE_*
// field value; the result for an unsupported divisor is not visible here - confirm
// at the definition.
387 | uint32_t GetT55xxClockBit(uint32_t clock); | |
388 | ||
389 | #endif | |
390 | // PROTOCOLS_H |