[proxmark3-svn] / armsrc / mifarecmd.c

//-----------------------------------------------------------------------------\r
// Merlok - June 2011, 2012\r
// Gerhard de Koning Gans - May 2008\r
// Hagen Fritsch - June 2010\r
//\r
// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
// at your option, any later version. See the LICENSE.txt file for the text of\r
// the license.\r
//-----------------------------------------------------------------------------\r
// Routines to support ISO 14443 type A.\r
//-----------------------------------------------------------------------------\r
\r
#include "mifarecmd.h"\r
#include "apps.h"\r
\r
//-----------------------------------------------------------------------------\r
// Select, Authenticate, Read a MIFARE tag. \r
// read block\r
//-----------------------------------------------------------------------------\r
void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
{\r
  // params\r
	uint8_t blockNo = arg0;\r
	uint8_t keyType = arg1;\r
	uint64_t ui64Key = 0;\r
	ui64Key = bytes_to_num(datain, 6);\r
	\r
	// variables\r
	byte_t isOK = 0;\r
	byte_t dataoutbuf[16];\r
	uint8_t uid[10];\r
	uint32_t cuid;\r
	struct Crypto1State mpcs = {0, 0};\r
	struct Crypto1State *pcs;\r
	pcs = &mpcs;\r
\r
	// clear trace\r
 	iso14a_clear_trace();\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
\r
	while (true) {\r
		if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");\r
			break;\r
		};\r
\r
		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Auth error");\r
			break;\r
		};\r
		\r
		if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Read block error");\r
			break;\r
		};\r
\r
		if(mifare_classic_halt(pcs, cuid)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
			break;\r
		};\r
		\r
		isOK = 1;\r
		break;\r
	}\r
	\r
	//  ----------------------------- crypto1 destroy\r
	crypto1_destroy(pcs);\r
	\r
	if (MF_DBGLEVEL >= 2)	DbpString("READ BLOCK FINISHED");\r
\r
	LED_B_ON();\r
	cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);\r
	LED_B_OFF();\r
\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
\r
}\r
\r
void MifareUReadBlock(uint8_t arg0,uint8_t *datain)\r
{\r
    // params\r
	uint8_t blockNo = arg0;\r
	\r
	// variables\r
	byte_t isOK = 0;\r
	byte_t dataoutbuf[16];\r
	uint8_t uid[10];\r
	uint32_t cuid;\r
    \r
	// clear trace\r
	iso14a_clear_trace();\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
    \r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
    \r
	while (true) {\r
		if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
            if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");\r
			break;\r
		};\r
        \r
		if(mifare_ultra_readblock(cuid, blockNo, dataoutbuf)) {\r
            if (MF_DBGLEVEL >= 1)	Dbprintf("Read block error");\r
			break;\r
		};\r
        \r
		if(mifare_ultra_halt(cuid)) {\r
            if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
			break;\r
		};\r
		\r
		isOK = 1;\r
		break;\r
	}\r
	\r
	if (MF_DBGLEVEL >= 2)	DbpString("READ BLOCK FINISHED");\r
    \r
	LED_B_ON();\r
    cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);\r
	LED_B_OFF();\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
}\r
\r
\r
//-----------------------------------------------------------------------------\r
// Select, Authenticate, Read a MIFARE tag. \r
// read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)\r
//-----------------------------------------------------------------------------\r
void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
{\r
  // params\r
	uint8_t sectorNo = arg0;\r
	uint8_t keyType = arg1;\r
	uint64_t ui64Key = 0;\r
	ui64Key = bytes_to_num(datain, 6);\r
	\r
	// variables\r
	byte_t isOK = 0;\r
	byte_t dataoutbuf[16 * 16];\r
	uint8_t uid[10];\r
	uint32_t cuid;\r
	struct Crypto1State mpcs = {0, 0};\r
	struct Crypto1State *pcs;\r
	pcs = &mpcs;\r
\r
	// clear trace\r
 	iso14a_clear_trace();\r
\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
\r
	isOK = 1;\r
	if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
		isOK = 0;\r
		if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");\r
	}\r
\r
	\r
	if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {\r
		isOK = 0;\r
		if (MF_DBGLEVEL >= 1)	Dbprintf("Auth error");\r
	}\r
	\r
	for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
		if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {\r
			isOK = 0;\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);\r
			break;\r
		}\r
	}\r
		\r
	if(mifare_classic_halt(pcs, cuid)) {\r
		if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
	}\r
\r
	//  ----------------------------- crypto1 destroy\r
	crypto1_destroy(pcs);\r
	\r
	if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");\r
\r
	LED_B_ON();\r
	cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));\r
	LED_B_OFF();\r
\r
	// Thats it...\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
}\r
\r
\r
void MifareUReadCard(uint8_t arg0, uint8_t *datain)\r
{\r
  // params\r
        uint8_t sectorNo = arg0;\r
        \r
        // variables\r
        byte_t isOK = 0;\r
        byte_t dataoutbuf[16 * 4];\r
        uint8_t uid[10];\r
        uint32_t cuid;\r
\r
        // clear trace\r
        iso14a_clear_trace();\r
\r
		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
\r
        while (true) {\r
                if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
                if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
                        break;\r
                };\r
		for(int sec=0;sec<16;sec++){\r
                    if(mifare_ultra_readblock(cuid, sectorNo * 4 + sec, dataoutbuf + 4 * sec)) {\r
                    if (MF_DBGLEVEL >= 1)   Dbprintf("Read block %d error",sec);\r
                        break;\r
                    };\r
                }\r
                if(mifare_ultra_halt(cuid)) {\r
                if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
                        break;\r
                };\r
\r
                isOK = 1;\r
                break;\r
        }\r
        \r
        if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED");\r
\r
        LED_B_ON();\r
		cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64);\r
        LED_B_OFF();\r
\r
        // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
\r
}\r
\r
\r
//-----------------------------------------------------------------------------\r
// Select, Authenticate, Write a MIFARE tag. \r
// read block\r
//-----------------------------------------------------------------------------\r
void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
{\r
	// params\r
	uint8_t blockNo = arg0;\r
	uint8_t keyType = arg1;\r
	uint64_t ui64Key = 0;\r
	byte_t blockdata[16];\r
\r
	ui64Key = bytes_to_num(datain, 6);\r
	memcpy(blockdata, datain + 10, 16);\r
	\r
	// variables\r
	byte_t isOK = 0;\r
	uint8_t uid[10];\r
	uint32_t cuid;\r
	struct Crypto1State mpcs = {0, 0};\r
	struct Crypto1State *pcs;\r
	pcs = &mpcs;\r
\r
	// clear trace\r
	iso14a_clear_trace();\r
\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
\r
	while (true) {\r
			if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");\r
			break;\r
		};\r
\r
		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Auth error");\r
			break;\r
		};\r
		\r
		if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Write block error");\r
			break;\r
		};\r
\r
		if(mifare_classic_halt(pcs, cuid)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
			break;\r
		};\r
		\r
		isOK = 1;\r
		break;\r
	}\r
	\r
	//  ----------------------------- crypto1 destroy\r
	crypto1_destroy(pcs);\r
	\r
	if (MF_DBGLEVEL >= 2)	DbpString("WRITE BLOCK FINISHED");\r
\r
	LED_B_ON();\r
	cmd_send(CMD_ACK,isOK,0,0,0,0);\r
	LED_B_OFF();\r
\r
\r
	// Thats it...\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
}\r
\r
void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)\r
{\r
        // params\r
        uint8_t blockNo = arg0;\r
        byte_t blockdata[16];\r
\r
        memset(blockdata,'\0',16);\r
        memcpy(blockdata, datain,16);\r
        \r
        // variables\r
        byte_t isOK = 0;\r
        uint8_t uid[10];\r
        uint32_t cuid;\r
\r
        // clear trace\r
        iso14a_clear_trace();\r
\r
		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
\r
        while (true) {\r
                if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
                        break;\r
                };\r
\r
                if(mifare_ultra_writeblock(cuid, blockNo, blockdata)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
                        break;\r
                };\r
\r
                if(mifare_ultra_halt(cuid)) {\r
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
                        break;\r
                };\r
                \r
                isOK = 1;\r
                break;\r
        }\r
        \r
        if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
\r
        LED_B_ON();\r
		cmd_send(CMD_ACK,isOK,0,0,0,0);\r
        LED_B_OFF();\r
\r
\r
        // Thats it...\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
//  iso14a_set_tracing(TRUE);\r
}\r
\r
void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)\r
{\r
	// params\r
	uint8_t blockNo = arg0;\r
	byte_t blockdata[4];\r
	\r
	memcpy(blockdata, datain,4);\r
\r
	// variables\r
	byte_t isOK = 0;\r
	uint8_t uid[10];\r
	uint32_t cuid;\r
\r
	// clear trace\r
	iso14a_clear_trace();\r
\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
\r
	while (true) {\r
		if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
			if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
			break;\r
		};\r
\r
		if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) {\r
			if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
			break;\r
		};\r
\r
		if(mifare_ultra_halt(cuid)) {\r
			if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
			break;\r
		};\r
\r
		isOK = 1;\r
		break;\r
	}\r
\r
	if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
\r
	LED_B_ON();\r
	cmd_send(CMD_ACK,isOK,0,0,0,0);\r
	LED_B_OFF();\r
\r
	// Thats it...\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
}\r
\r
// Return 1 if the nonce is invalid else return 0\r
int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {\r
	return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \\r
	(oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \\r
	(oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;\r
}\r
\r
\r
//-----------------------------------------------------------------------------\r
// MIFARE nested authentication. \r
// \r
//-----------------------------------------------------------------------------\r
void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)\r
{\r
	// params\r
	uint8_t blockNo = arg0 & 0xff;\r
	uint8_t keyType = (arg0 >> 8) & 0xff;\r
	uint8_t targetBlockNo = arg1 & 0xff;\r
	uint8_t targetKeyType = (arg1 >> 8) & 0xff;\r
	uint64_t ui64Key = 0;\r
\r
	ui64Key = bytes_to_num(datain, 6);\r
	\r
	// variables\r
	uint16_t rtr, i, j, len;\r
	uint16_t davg;\r
	static uint16_t dmin, dmax;\r
	uint8_t uid[10];\r
	uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;\r
	uint32_t target_nt[2], target_ks[2];\r
	\r
	uint8_t par_array[4];\r
	uint16_t ncount = 0;\r
	struct Crypto1State mpcs = {0, 0};\r
	struct Crypto1State *pcs;\r
	pcs = &mpcs;\r
	uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
\r
	uint32_t auth1_time, auth2_time;\r
	static uint16_t delta_time;\r
\r
	// clear trace\r
	iso14a_clear_trace();\r
	iso14a_set_tracing(false);\r
	\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
	LED_A_ON();\r
	LED_C_OFF();\r
\r
\r
	// statistics on nonce distance\r
	if (calibrate) {	// for first call only. Otherwise reuse previous calibration\r
		LED_B_ON();\r
\r
		davg = dmax = 0;\r
		dmin = 2000;\r
		delta_time = 0;\r
		\r
		for (rtr = 0; rtr < 17; rtr++) {\r
\r
			// prepare next select. No need to power down the card.\r
			if(mifare_classic_halt(pcs, cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Halt error");\r
				rtr--;\r
				continue;\r
			}\r
\r
			if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Can't select card");\r
				rtr--;\r
				continue;\r
			};\r
\r
			auth1_time = 0;\r
			if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Auth1 error");\r
				rtr--;\r
				continue;\r
			};\r
\r
			if (delta_time) {\r
				auth2_time = auth1_time + delta_time;\r
			} else {\r
				auth2_time = 0;\r
			}\r
			if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Auth2 error");\r
				rtr--;\r
				continue;\r
			};\r
\r
			nttmp = prng_successor(nt1, 100);				//NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160\r
			for (i = 101; i < 1200; i++) {\r
				nttmp = prng_successor(nttmp, 1);\r
				if (nttmp == nt2) break;\r
			}\r
\r
			if (i != 1200) {\r
				if (rtr != 0) {\r
					davg += i;\r
					dmin = MIN(dmin, i);\r
					dmax = MAX(dmax, i);\r
				}\r
				else {\r
					delta_time = auth2_time - auth1_time + 32;  // allow some slack for proper timing\r
				}\r
				if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);\r
			}\r
		}\r
		\r
		if (rtr <= 1)	return;\r
\r
		davg = (davg + (rtr - 1)/2) / (rtr - 1);\r
		\r
		if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);\r
\r
		dmin = davg - 2;\r
		dmax = davg + 2;\r
		\r
		LED_B_OFF();\r
	\r
	}\r
//  -------------------------------------------------------------------------------------------------	\r
	\r
	LED_C_ON();\r
\r
	//  get crypted nonces for target sector\r
	for(i=0; i < 2; i++) { // look for exactly two different nonces\r
\r
		target_nt[i] = 0;\r
		while(target_nt[i] == 0) { // continue until we have an unambiguous nonce\r
		\r
			// prepare next select. No need to power down the card.\r
			if(mifare_classic_halt(pcs, cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Halt error");\r
				continue;\r
			}\r
\r
			if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Can't select card");\r
				continue;\r
			};\r
		\r
			auth1_time = 0;\r
			if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Auth1 error");\r
				continue;\r
			};\r
\r
			// nested authentication\r
			auth2_time = auth1_time + delta_time;\r
			len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par, &auth2_time);\r
			if (len != 4) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Auth2 error len=%d", len);\r
				continue;\r
			};\r
		\r
			nt2 = bytes_to_num(receivedAnswer, 4);		\r
			if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par);\r
			\r
			// Parity validity check\r
			for (j = 0; j < 4; j++) {\r
				par_array[j] = (oddparity(receivedAnswer[j]) != ((par & 0x08) >> 3));\r
				par = par << 1;\r
			}\r
			\r
			ncount = 0;\r
			nttest = prng_successor(nt1, dmin - 1);\r
			for (j = dmin; j < dmax + 1; j++) {\r
				nttest = prng_successor(nttest, 1);\r
				ks1 = nt2 ^ nttest;\r
\r
				if (valid_nonce(nttest, nt2, ks1, par_array)){\r
					if (ncount > 0) { 		// we are only interested in disambiguous nonces, try again\r
						if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);\r
						target_nt[i] = 0;\r
						break;\r
					}\r
					target_nt[i] = nttest;\r
					target_ks[i] = ks1;\r
					ncount++;\r
					if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces\r
						target_nt[i] = 0;\r
						if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);\r
						break;\r
					}\r
					if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);\r
				}\r
			}\r
			if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);\r
		}\r
	}\r
\r
	LED_C_OFF();\r
	\r
	//  ----------------------------- crypto1 destroy\r
	crypto1_destroy(pcs);\r
	\r
	// add trace trailer\r
	memset(uid, 0x44, 4);\r
	LogTrace(uid, 4, 0, 0, TRUE);\r
\r
	byte_t buf[4 + 4 * 4];\r
	memcpy(buf, &cuid, 4);\r
	memcpy(buf+4, &target_nt[0], 4);\r
	memcpy(buf+8, &target_ks[0], 4);\r
	memcpy(buf+12, &target_nt[1], 4);\r
	memcpy(buf+16, &target_ks[1], 4);\r
	\r
	LED_B_ON();\r
	cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));\r
	LED_B_OFF();\r
\r
	if (MF_DBGLEVEL >= 3)	DbpString("NESTED FINISHED");\r
\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
	iso14a_set_tracing(TRUE);\r
}\r
\r
//-----------------------------------------------------------------------------\r
// MIFARE check keys. key count up to 85. \r
// \r
//-----------------------------------------------------------------------------\r
void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
{\r
  // params\r
	uint8_t blockNo = arg0;\r
	uint8_t keyType = arg1;\r
	uint8_t keyCount = arg2;\r
	uint64_t ui64Key = 0;\r
	\r
	// variables\r
	int i;\r
	byte_t isOK = 0;\r
	uint8_t uid[10];\r
	uint32_t cuid;\r
	struct Crypto1State mpcs = {0, 0};\r
	struct Crypto1State *pcs;\r
	pcs = &mpcs;\r
	\r
	// clear debug level\r
	int OLD_MF_DBGLEVEL = MF_DBGLEVEL;	\r
	MF_DBGLEVEL = MF_DBG_NONE;\r
	\r
	// clear trace\r
	iso14a_clear_trace();\r
	iso14a_set_tracing(TRUE);\r
\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
\r
	for (i = 0; i < keyCount; i++) {\r
		if(mifare_classic_halt(pcs, cuid)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("ChkKeys: Halt error");\r
		}\r
\r
		if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
			if (OLD_MF_DBGLEVEL >= 1)	Dbprintf("ChkKeys: Can't select card");\r
			break;\r
		};\r
\r
		ui64Key = bytes_to_num(datain + i * 6, 6);\r
		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {\r
			continue;\r
		};\r
		\r
		isOK = 1;\r
		break;\r
	}\r
	\r
	//  ----------------------------- crypto1 destroy\r
	crypto1_destroy(pcs);\r
	\r
	LED_B_ON();\r
    cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);\r
	LED_B_OFF();\r
\r
  // Thats it...\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
\r
	// restore debug level\r
	MF_DBGLEVEL = OLD_MF_DBGLEVEL;	\r
}\r
\r
//-----------------------------------------------------------------------------\r
// MIFARE commands set debug level\r
// \r
//-----------------------------------------------------------------------------\r
void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
	MF_DBGLEVEL = arg0;\r
	Dbprintf("Debug level: %d", MF_DBGLEVEL);\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Work with emulator memory\r
// \r
//-----------------------------------------------------------------------------\r
void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
	emlClearMem();\r
}\r
\r
void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
	emlSetMem(datain, arg0, arg1); // data, block num, blocks count\r
}\r
\r
void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
	byte_t buf[48];\r
	emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)\r
\r
	LED_B_ON();\r
	cmd_send(CMD_ACK,arg0,arg1,0,buf,48);\r
	LED_B_OFF();\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Load a card into the emulator memory\r
// \r
//-----------------------------------------------------------------------------\r
void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
	uint8_t numSectors = arg0;\r
	uint8_t keyType = arg1;\r
	uint64_t ui64Key = 0;\r
	uint32_t cuid;\r
	struct Crypto1State mpcs = {0, 0};\r
	struct Crypto1State *pcs;\r
	pcs = &mpcs;\r
\r
	// variables\r
	byte_t dataoutbuf[16];\r
	byte_t dataoutbuf2[16];\r
	uint8_t uid[10];\r
\r
	// clear trace\r
	iso14a_clear_trace();\r
	iso14a_set_tracing(false);\r
	\r
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
	\r
	bool isOK = true;\r
\r
	if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
		isOK = false;\r
		if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");\r
	}\r
		\r
	for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
		ui64Key = emlGetKey(sectorNo, keyType);\r
		if (sectorNo == 0){\r
			if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {\r
				isOK = false;\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Sector[%2d]. Auth error", sectorNo);\r
				break;\r
			}\r
		} else {\r
			if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {\r
				isOK = false;\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Sector[%2d]. Auth nested error", sectorNo);\r
				break;\r
			}\r
		}\r
		\r
		for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
			if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {\r
				isOK = false;\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);\r
				break;\r
			};\r
			if (isOK) {\r
				if (blockNo < NumBlocksPerSector(sectorNo) - 1) {\r
					emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);\r
				} else {	// sector trailer, keep the keys, set only the AC\r
					emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);\r
					memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);\r
					emlSetMem(dataoutbuf2,  FirstBlockOfSector(sectorNo) + blockNo, 1);\r
				}\r
			}\r
		}\r
\r
	}\r
\r
	if(mifare_classic_halt(pcs, cuid)) {\r
		if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
	};\r
\r
	//  ----------------------------- crypto1 destroy\r
	crypto1_destroy(pcs);\r
\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
	\r
	if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");\r
\r
}\r
\r
\r
//-----------------------------------------------------------------------------\r
// Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)\r
// \r
//-----------------------------------------------------------------------------\r
void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
  \r
  // params\r
	uint8_t needWipe = arg0;\r
	// bit 0 - need get UID\r
	// bit 1 - need wupC\r
	// bit 2 - need HALT after sequence\r
	// bit 3 - need init FPGA and field before sequence\r
	// bit 4 - need reset FPGA and LED\r
	uint8_t workFlags = arg1;\r
	uint8_t blockNo = arg2;\r
	\r
	// card commands\r
	uint8_t wupC1[]       = { 0x40 }; \r
	uint8_t wupC2[]       = { 0x43 }; \r
	uint8_t wipeC[]       = { 0x41 }; \r
	\r
	// variables\r
	byte_t isOK = 0;\r
	uint8_t uid[10];\r
	uint8_t d_block[18];\r
	uint32_t cuid;\r
	\r
	memset(uid, 0x00, 10);\r
	uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
	\r
	if (workFlags & 0x08) {\r
		// clear trace\r
		iso14a_clear_trace();\r
		iso14a_set_tracing(TRUE);\r
\r
		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
		LED_A_ON();\r
		LED_B_OFF();\r
		LED_C_OFF();\r
	\r
		SpinDelay(300);\r
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
		SpinDelay(100);\r
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
	}\r
\r
	while (true) {\r
		// get UID from chip\r
		if (workFlags & 0x01) {\r
			if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");\r
				break;\r
			};\r
\r
			if(mifare_classic_halt(NULL, cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
				break;\r
			};\r
		};\r
	\r
		// reset chip\r
		if (needWipe){\r
      ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
			if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC1 error");\r
				break;\r
			};\r
\r
			ReaderTransmit(wipeC, sizeof(wipeC), NULL);\r
			if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("wipeC error");\r
				break;\r
			};\r
\r
			if(mifare_classic_halt(NULL, cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
				break;\r
			};\r
		};	\r
\r
		// write block\r
		if (workFlags & 0x02) {\r
      ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
			if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC1 error");\r
				break;\r
			};\r
\r
			ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
			if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC2 error");\r
				break;\r
			};\r
		}\r
\r
		if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("write block send command error");\r
			break;\r
		};\r
	\r
		memcpy(d_block, datain, 16);\r
		AppendCrc14443a(d_block, 16);\r
	\r
		ReaderTransmit(d_block, sizeof(d_block), NULL);\r
		if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("write block send data error");\r
			break;\r
		};	\r
	\r
		if (workFlags & 0x04) {\r
			if (mifare_classic_halt(NULL, cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
				break;\r
			};\r
		}\r
		\r
		isOK = 1;\r
		break;\r
	}\r
	\r
	LED_B_ON();\r
	cmd_send(CMD_ACK,isOK,0,0,uid,4);\r
	LED_B_OFF();\r
\r
	if ((workFlags & 0x10) || (!isOK)) {\r
		// Thats it...\r
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
		LEDsoff();\r
	}\r
}\r
\r
\r
void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
  \r
  // params\r
	// bit 1 - need wupC\r
	// bit 2 - need HALT after sequence\r
	// bit 3 - need init FPGA and field before sequence\r
	// bit 4 - need reset FPGA and LED\r
	uint8_t workFlags = arg0;\r
	uint8_t blockNo = arg2;\r
	\r
	// card commands\r
	uint8_t wupC1[]       = { 0x40 }; \r
	uint8_t wupC2[]       = { 0x43 }; \r
	\r
	// variables\r
	byte_t isOK = 0;\r
	uint8_t data[18];\r
	uint32_t cuid = 0;\r
	\r
	memset(data, 0x00, 18);\r
	uint8_t* receivedAnswer = mifare_get_bigbufptr();\r
	\r
	if (workFlags & 0x08) {\r
		// clear trace\r
		iso14a_clear_trace();\r
		iso14a_set_tracing(TRUE);\r
\r
		iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
		LED_A_ON();\r
		LED_B_OFF();\r
		LED_C_OFF();\r
	\r
		SpinDelay(300);\r
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
		SpinDelay(100);\r
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
	}\r
\r
	while (true) {\r
		if (workFlags & 0x02) {\r
			ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
			if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC1 error");\r
				break;\r
			};\r
\r
			ReaderTransmit(wupC2, sizeof(wupC2), NULL);\r
			if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("wupC2 error");\r
				break;\r
			};\r
		}\r
\r
		// read block\r
		if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, NULL) != 18)) {\r
			if (MF_DBGLEVEL >= 1)	Dbprintf("read block send command error");\r
			break;\r
		};\r
		memcpy(data, receivedAnswer, 18);\r
		\r
		if (workFlags & 0x04) {\r
			if (mifare_classic_halt(NULL, cuid)) {\r
				if (MF_DBGLEVEL >= 1)	Dbprintf("Halt error");\r
				break;\r
			};\r
		}\r
		\r
		isOK = 1;\r
		break;\r
	}\r
	\r
	LED_B_ON();\r
	cmd_send(CMD_ACK,isOK,0,0,data,18);\r
	LED_B_OFF();\r
\r
	if ((workFlags & 0x10) || (!isOK)) {\r
		// Thats it...\r
		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
		LEDsoff();\r
	}\r
}\r
\r