]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhf14b.c
REM: "hf legic load" has been removed. It doesnt have a purpose anymore.
[proxmark3-svn] / client / cmdhf14b.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency ISO14443B commands
9//-----------------------------------------------------------------------------
10
7fe9b0b7 11#include "cmdhf14b.h"
12
5de71ee6 13#define TIMEOUT 2000
7fe9b0b7 14static int CmdHelp(const char *Cmd);
15
6fc68747 16int usage_hf_14b_info(void){
18b90cce 17 PrintAndLog("Usage: hf 14b info [h] [s]");
18 PrintAndLog("Options:");
19 PrintAndLog(" h this help");
20 PrintAndLog(" s silently");
21 PrintAndLog("sample:");
22 PrintAndLog(" hf 14b info");
388c92bd 23 return 0;
7fe9b0b7 24}
6fc68747 25int usage_hf_14b_reader(void){
18b90cce 26 PrintAndLog("Usage: hf 14b reader [h] [s]");
27 PrintAndLog("Options:");
28 PrintAndLog(" h this help");
29 PrintAndLog(" s silently");
30 PrintAndLog("sample:");
31 PrintAndLog(" hf 14b reader");
22e24700 32 return 0;
7fe9b0b7 33}
6fc68747 34int usage_hf_14b_raw(void){
35 PrintAndLog("Usage: hf 14b raw [-h] [-r] [-c] [-p] [-s || -ss] <0A 0B 0C ... hex>");
18b90cce 36 PrintAndLog("Options:");
6fc68747 37 PrintAndLog(" -h this help");
38 PrintAndLog(" -r do not read response");
39 PrintAndLog(" -c calculate and append CRC");
40 PrintAndLog(" -p leave the field on after receive");
41 PrintAndLog(" -s active signal field ON with select");
42 PrintAndLog(" -ss active signal field ON with select for SRx ST Microelectronics tags");
18b90cce 43 PrintAndLog("sample:");
44 PrintAndLog(" hf 14b raw -s -c -p 0200a40400");
6fc68747 45 return 0;
7fe9b0b7 46}
6fc68747 47int usage_hf_14b_snoop(void){
48 PrintAndLog("It get data from the field and saves it into command buffer.");
49 PrintAndLog("Buffer accessible from command 'hf list 14b'");
18b90cce 50 PrintAndLog("Usage: hf 14b snoop [h]");
51 PrintAndLog("Options:");
52 PrintAndLog(" h this help");
53 PrintAndLog("sample:");
54 PrintAndLog(" hf 14b snoop");
6fc68747 55 return 0;
56}
57int usage_hf_14b_sim(void){
dccddaef 58 PrintAndLog("Emulating ISO/IEC 14443 type B tag with 4 UID / PUPI");
59 PrintAndLog("Usage: hf 14b sim [h] u <uid>");
18b90cce 60 PrintAndLog("Options:");
61 PrintAndLog(" h this help");
dccddaef 62 PrintAndLog(" u 4byte UID/PUPI");
18b90cce 63 PrintAndLog("sample:");
64 PrintAndLog(" hf 14b sim");
dccddaef 65 PrintAndLog(" hf 14b sim u 11223344");
6fc68747 66 return 0;
67}
68int usage_hf_14b_read_srx(void){
69 PrintAndLog("Usage: hf 14b read [h] <1|2>");
70 PrintAndLog("Options:");
71 PrintAndLog(" h this help");
72 PrintAndLog(" <1|2> 1 = SRIX4K , 2 = SRI512");
18b90cce 73 PrintAndLog("sample:");
74 PrintAndLog(" hf 14b read 1");
75 PrintAndLog(" hf 14b read 2");
22e24700 76 return 0;
7fe9b0b7 77}
6fc68747 78int usage_hf_14b_write_srx(void){
18b90cce 79 PrintAndLog("Usage: hf 14b [h] write <1|2> <BLOCK> <DATA>");
6fc68747 80 PrintAndLog("Options:");
81 PrintAndLog(" h this help");
82 PrintAndLog(" <1|2> 1 = SRIX4K , 2 = SRI512");
83 PrintAndLog(" <block> BLOCK number depends on tag, special block == FF");
84 PrintAndLog(" <data> hex bytes of data to be written");
18b90cce 85 PrintAndLog("sample:");
86 PrintAndLog(" hf 14b write 1 7F 11223344");
87 PrintAndLog(" hf 14b write 1 FF 11223344");
88 PrintAndLog(" hf 14b write 2 15 11223344");
89 PrintAndLog(" hf 14b write 2 FF 11223344");
22e24700 90 return 0;
7fe9b0b7 91}
92
18b90cce 93static void switch_on_field_14b(void) {
94 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT, 0, 0}};
95 clearCommandBuffer();
96 SendCommand(&c);
97}
98
99static int switch_off_field_14b(void) {
6fc68747 100 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_DISCONNECT, 0, 0}};
abb21530 101 clearCommandBuffer();
d71d59db 102 SendCommand(&c);
18b90cce 103 return 0;
3607b5a9 104}
d71d59db 105
6fc68747 106int CmdHF14BList(const char *Cmd) {
107 CmdHFList("14b");
108 return 0;
109}
22e24700 110
6fc68747 111int CmdHF14BSim(const char *Cmd) {
dccddaef 112 char cmdp = param_getchar(Cmd, 0);
6fc68747 113 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_sim();
114
dccddaef 115 uint32_t pupi = 0;
116 if (cmdp == 'u' || cmdp == 'U') {
117 pupi = param_get32ex(Cmd, 1, 0, 16);
118 }
119
120 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443B, {pupi, 0, 0}};
abb21530 121 clearCommandBuffer();
22e24700 122 SendCommand(&c);
6fc68747 123 return 0;
124}
22e24700 125
6fc68747 126int CmdHF14BSnoop(const char *Cmd) {
6de14cec 127
6fc68747 128 char cmdp = param_getchar(Cmd, 0);
129 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_snoop();
6de14cec 130
6fc68747 131 UsbCommand c = {CMD_SNOOP_ISO_14443B, {0, 0, 0}};
132 clearCommandBuffer();
133 SendCommand(&c);
134 return 0;
1299c798 135}
136
137int CmdHF14BCmdRaw (const char *Cmd) {
16658b1f 138 bool reply = TRUE, power = FALSE, select = FALSE;
86db8973 139 char buf[5] = "";
6fc68747 140 int i = 0;
141 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
142 uint16_t datalen = 0;
18b90cce 143 uint32_t flags = ISO14B_CONNECT;
6fc68747 144 uint32_t temp = 0;
145
16658b1f 146 if ( strlen(Cmd) < 3 ) return usage_hf_14b_raw();
7cf3ef20 147
148 // strip
6fc68747 149 while (*Cmd==' ' || *Cmd=='\t') ++Cmd;
7cf3ef20 150
1299c798 151 while (Cmd[i]!='\0') {
6fc68747 152 if (Cmd[i]==' ' || Cmd[i]=='\t') { ++i; continue; }
1299c798 153 if (Cmd[i]=='-') {
154 switch (Cmd[i+1]) {
6fc68747 155 case 'h':
16658b1f 156 case 'H':
6fc68747 157 return usage_hf_14b_raw();
7cf3ef20 158 case 'r':
159 case 'R':
6fc68747 160 reply = FALSE;
7cf3ef20 161 break;
162 case 'c':
163 case 'C':
6fc68747 164 flags |= ISO14B_APPEND_CRC;
7cf3ef20 165 break;
166 case 'p':
167 case 'P':
6fc68747 168 power = TRUE;
7cf3ef20 169 break;
b10a759f 170 case 's':
171 case 'S':
6fc68747 172 select = TRUE;
b10a759f 173 if (Cmd[i+2]=='s' || Cmd[i+2]=='S') {
6fc68747 174 flags |= ISO14B_SELECT_SR;
175 ++i;
176 } else {
177 flags |= ISO14B_SELECT_STD;
b10a759f 178 }
179 break;
7cf3ef20 180 default:
6fc68747 181 return usage_hf_14b_raw();
7cf3ef20 182 }
183 i+=2;
184 continue;
185 }
1299c798 186 if ((Cmd[i]>='0' && Cmd[i]<='9') ||
187 (Cmd[i]>='a' && Cmd[i]<='f') ||
188 (Cmd[i]>='A' && Cmd[i]<='F') ) {
7cf3ef20 189 buf[strlen(buf)+1]=0;
1299c798 190 buf[strlen(buf)]=Cmd[i];
7cf3ef20 191 i++;
192
193 if (strlen(buf)>=2) {
194 sscanf(buf,"%x",&temp);
6fc68747 195 data[datalen++] = (uint8_t)(temp & 0xff);
7cf3ef20 196 *buf=0;
b10a759f 197 memset(buf, 0x00, sizeof(buf));
7cf3ef20 198 }
199 continue;
200 }
201 PrintAndLog("Invalid char on input");
b10a759f 202 return 0;
7cf3ef20 203 }
b10a759f 204
86db8973 205 if (!power)
6fc68747 206 flags |= ISO14B_DISCONNECT;
207
86db8973 208 if (datalen>0)
6fc68747 209 flags |= ISO14B_RAW;
210
211 // Max buffer is USB_CMD_DATA_SIZE
212 datalen = (datalen > USB_CMD_DATA_SIZE) ? USB_CMD_DATA_SIZE : datalen;
213
214 UsbCommand c = {CMD_ISO_14443B_COMMAND, {flags, datalen, 0}};
215 memcpy(c.d.asBytes, data, datalen);
216 clearCommandBuffer();
217 SendCommand(&c);
218
219 if (!reply) return 1;
220
221 bool success = TRUE;
222 // get back iso14b_card_select_t, don't print it.
16658b1f 223 if (select)
6fc68747 224 success = waitCmd(FALSE);
225
226 // get back response from the raw bytes you sent.
16658b1f 227 if (success && datalen>0) waitCmd(TRUE);
6fc68747 228
229 return 1;
1299c798 230}
231
6de14cec 232// print full atqb info
186ad603 233// bytes
234// 0,1,2,3 = application data
235// 4 = bit rate capacity
236// 5 = max frame size / -4 info
237// 6 = FWI / Coding options
6fc68747 238static void print_atqb_resp(uint8_t *data, uint8_t cid){
186ad603 239 //PrintAndLog(" UID: %s", sprint_hex(data+1,4));
240 PrintAndLog(" App Data: %s", sprint_hex(data,4));
241 PrintAndLog(" Protocol: %s", sprint_hex(data+4,3));
6fc68747 242 uint8_t BitRate = data[4];
186ad603 243 if (!BitRate) PrintAndLog(" Bit Rate: 106 kbit/s only PICC <-> PCD");
244 if (BitRate & 0x10) PrintAndLog(" Bit Rate: 212 kbit/s PICC -> PCD supported");
245 if (BitRate & 0x20) PrintAndLog(" Bit Rate: 424 kbit/s PICC -> PCD supported");
246 if (BitRate & 0x40) PrintAndLog(" Bit Rate: 847 kbit/s PICC -> PCD supported");
247 if (BitRate & 0x01) PrintAndLog(" Bit Rate: 212 kbit/s PICC <- PCD supported");
248 if (BitRate & 0x02) PrintAndLog(" Bit Rate: 424 kbit/s PICC <- PCD supported");
249 if (BitRate & 0x04) PrintAndLog(" Bit Rate: 847 kbit/s PICC <- PCD supported");
250 if (BitRate & 0x80) PrintAndLog(" Same bit rate <-> required");
22e24700 251
86db8973 252 uint16_t maxFrame = data[5] >> 4;
22e24700 253 if (maxFrame < 5) maxFrame = 8 * maxFrame + 16;
254 else if (maxFrame == 5) maxFrame = 64;
255 else if (maxFrame == 6) maxFrame = 96;
256 else if (maxFrame == 7) maxFrame = 128;
257 else if (maxFrame == 8) maxFrame = 256;
258 else maxFrame = 257;
186ad603 259
86db8973 260 PrintAndLog("Max Frame Size: %u%s bytes", maxFrame, (maxFrame == 257) ? "+ RFU" : "");
22e24700 261
6fc68747 262 uint8_t protocolT = data[5] & 0xF;
186ad603 263 PrintAndLog(" Protocol Type: Protocol is %scompliant with ISO/IEC 14443-4",(protocolT) ? "" : "not " );
264
265 uint8_t fwt = data[6]>>4;
266 if ( fwt < 16 ){
267 uint32_t etus = (32 << fwt);
268 uint32_t fwt_time = (302 << fwt);
18b90cce 269 PrintAndLog("Frame Wait Integer: %u - %u ETUs | %u us", fwt, etus, fwt_time);
186ad603 270 } else {
271 PrintAndLog("Frame Wait Integer: %u - RFU", fwt);
272 }
273
274 PrintAndLog(" App Data Code: Application is %s",(data[6]&4) ? "Standard" : "Proprietary");
275 PrintAndLog(" Frame Options: NAD is %ssupported",(data[6]&2) ? "" : "not ");
276 PrintAndLog(" Frame Options: CID is %ssupported",(data[6]&1) ? "" : "not ");
277 PrintAndLog("Tag :");
278 PrintAndLog(" Max Buf Length: %u (MBLI) %s", cid>>4, (cid & 0xF0) ? "" : "chained frames not supported");
279 PrintAndLog(" CDI : %u", cid & 0x0f);
22e24700 280 return;
1299c798 281}
282
6de14cec 283// get SRx chip model (from UID) // from ST Microelectronics
d71d59db 284char *get_ST_Chip_Model(uint8_t data){
285 static char model[20];
286 char *retStr = model;
287 memset(model,0, sizeof(model));
288
289 switch (data) {
290 case 0x0: sprintf(retStr, "SRIX4K (Special)"); break;
291 case 0x2: sprintf(retStr, "SR176"); break;
292 case 0x3: sprintf(retStr, "SRIX4K"); break;
293 case 0x4: sprintf(retStr, "SRIX512"); break;
294 case 0x6: sprintf(retStr, "SRI512"); break;
295 case 0x7: sprintf(retStr, "SRI4K"); break;
296 case 0xC: sprintf(retStr, "SRT512"); break;
5636ee8c 297 default : sprintf(retStr, "Unknown"); break;
d71d59db 298 }
17ad0e09 299 return retStr;
300}
301
6fc68747 302// REMAKE:
b10a759f 303int print_ST_Lock_info(uint8_t model){
b10a759f 304
6fc68747 305 // PrintAndLog("Chip Write Protection Bits:");
306 // // now interpret the data
307 // switch (model){
308 // case 0x0: //fall through (SRIX4K special)
309 // case 0x3: //fall through (SRIx4K)
310 // case 0x7: // (SRI4K)
311 // //only need data[3]
312 // blk1 = 9;
313 // PrintAndLog(" raw: %s", sprint_bin(data+3, 1));
314 // PrintAndLog(" 07/08:%slocked", (data[3] & 1) ? " not " : " " );
315 // for (uint8_t i = 1; i<8; i++){
316 // PrintAndLog(" %02u:%slocked", blk1, (data[3] & (1 << i)) ? " not " : " " );
317 // blk1++;
318 // }
319 // break;
320 // case 0x4: //fall through (SRIX512)
321 // case 0x6: //fall through (SRI512)
322 // case 0xC: // (SRT512)
323 // //need data[2] and data[3]
324 // blk1 = 0;
325 // PrintAndLog(" raw: %s", sprint_bin(data+2, 2));
326 // for (uint8_t b=2; b<4; b++){
327 // for (uint8_t i=0; i<8; i++){
328 // PrintAndLog(" %02u:%slocked", blk1, (data[b] & (1 << i)) ? " not " : " " );
329 // blk1++;
330 // }
331 // }
332 // break;
333 // case 0x2: // (SR176)
334 // //need data[2]
335 // blk1 = 0;
336 // PrintAndLog(" raw: %s", sprint_bin(data+2, 1));
337 // for (uint8_t i = 0; i<8; i++){
338 // PrintAndLog(" %02u/%02u:%slocked", blk1, blk1+1, (data[2] & (1 << i)) ? " " : " not " );
339 // blk1+=2;
340 // }
341 // break;
342 // default:
343 // return rawClose();
344 // }
b10a759f 345 return 1;
346}
347
6de14cec 348// print UID info from SRx chips (ST Microelectronics)
6fc68747 349static void print_st_general_info(uint8_t *data, uint8_t len){
17ad0e09 350 //uid = first 8 bytes in data
6fc68747 351 PrintAndLog(" UID: %s", sprint_hex(SwapEndian64(data,8,8), len));
17ad0e09 352 PrintAndLog(" MFG: %02X, %s", data[6], getTagInfo(data[6]));
353 PrintAndLog("Chip: %02X, %s", data[5]>>2, get_ST_Chip_Model(data[5]>>2));
354 return;
355}
356
6fc68747 357//05 00 00 = find one tag in field
358//1d xx xx xx xx 00 08 01 00 = attrib xx=UID (resp 10 [f9 e0])
359//a3 = ? (resp 03 [e2 c2])
360//02 = ? (resp 02 [6a d3])
361// 022b (resp 02 67 00 [29 5b])
362// 0200a40400 (resp 02 67 00 [29 5b])
363// 0200a4040c07a0000002480300 (resp 02 67 00 [29 5b])
364// 0200a4040c07a0000002480200 (resp 02 67 00 [29 5b])
365// 0200a4040006a0000000010100 (resp 02 6a 82 [4b 4c])
366// 0200a4040c09d27600002545500200 (resp 02 67 00 [29 5b])
367// 0200a404000cd2760001354b414e4d30310000 (resp 02 6a 82 [4b 4c])
368// 0200a404000ca000000063504b43532d313500 (resp 02 6a 82 [4b 4c])
369// 0200a4040010a000000018300301000000000000000000 (resp 02 6a 82 [4b 4c])
370//03 = ? (resp 03 [e3 c2])
371//c2 = ? (resp c2 [66 15])
372//b2 = ? (resp a3 [e9 67])
373//a2 = ? (resp 02 [6a d3])
6de14cec 374
375// 14b get and print Full Info (as much as we know)
6fc68747 376bool HF14B_Std_Info(bool verbose){
6de14cec 377 //add more info here
6fc68747 378 return FALSE;
17ad0e09 379}
380
6fc68747 381// SRx get and print full info (needs more info...)
382bool HF14B_ST_Info(bool verbose){
383
384 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT | ISO14B_SELECT_SR | ISO14B_DISCONNECT, 0, 0}};
385 clearCommandBuffer();
386 SendCommand(&c);
387 UsbCommand resp;
17ad0e09 388
5de71ee6 389 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 390 if (verbose) PrintAndLog("timeout while waiting for reply.");
391 return FALSE;
392 }
17ad0e09 393
6fc68747 394 iso14b_card_select_t card;
395 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
396
397 uint64_t status = resp.arg[0];
18b90cce 398 if ( status > 0 ) return switch_off_field_14b();
17ad0e09 399
6fc68747 400 //add locking bit information here. uint8_t data[16] = {0x00};
401 // uint8_t datalen = 2;
402 // uint8_t resplen;
403 // uint8_t blk1;
404 // data[0] = 0x08;
405
406 //
407 // if (model == 0x2) { //SR176 has special command:
408 // data[1] = 0xf;
409 // resplen = 4;
410 // } else {
411 // data[1] = 0xff;
412 // resplen = 6;
413 // }
414
415 // //std read cmd
416 // if (HF14BCmdRaw(true, true, data, &datalen, false)==0)
417 // return rawClose();
418
419 // if (datalen != resplen || !crc) return rawClose();
420 //print_ST_Lock_info(data[5]>>2);
18b90cce 421 switch_off_field_14b();
6fc68747 422 return TRUE;
423}
17ad0e09 424
6fc68747 425// get and print all info known about any known 14b tag
426bool HF14BInfo(bool verbose){
17ad0e09 427
6fc68747 428 // try std 14b (atqb)
429 if (HF14B_Std_Info(verbose)) return TRUE;
17ad0e09 430
6fc68747 431 // try st 14b
432 if (HF14B_ST_Info(verbose)) return TRUE;
b10a759f 433
6fc68747 434 // try unknown 14b read commands (to be identified later)
435 // could be read of calypso, CEPAS, moneo, or pico pass.
b10a759f 436
6fc68747 437 if (verbose) PrintAndLog("no 14443B tag found");
438 return FALSE;
439}
17ad0e09 440
6fc68747 441// menu command to get and print all info known about any known 14b tag
442int CmdHF14Binfo(const char *Cmd){
443 char cmdp = param_getchar(Cmd, 0);
444 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_info();
445
446 bool verbose = !((cmdp == 's') || (cmdp == 'S'));
447 return HF14BInfo(verbose);
6de14cec 448}
449
6fc68747 450bool HF14B_ST_Reader(bool verbose){
451
452 bool isSuccess = FALSE;
453
18b90cce 454 switch_on_field_14b();
455
6fc68747 456 // SRx get and print general info about SRx chip from UID
18b90cce 457 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_SELECT_SR, 0, 0}};
6fc68747 458 clearCommandBuffer();
459 SendCommand(&c);
460 UsbCommand resp;
5de71ee6 461 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 462 if (verbose) PrintAndLog("timeout while waiting for reply.");
463 return FALSE;
464 }
6fc68747 465
466 iso14b_card_select_t card;
467 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
17ad0e09 468
6fc68747 469 uint64_t status = resp.arg[0];
22e24700 470
6fc68747 471 switch( status ){
472 case 0:
473 print_st_general_info(card.uid, card.uidlen);
474 isSuccess = TRUE;
475 break;
476 case 1:
477 if (verbose) PrintAndLog("iso14443-3 random chip id fail");
478 break;
479 case 2:
480 if (verbose) PrintAndLog("iso14443-3 ATTRIB fail");
481 break;
482 case 3:
483 if (verbose) PrintAndLog("iso14443-3 CRC fail");
484 break;
485 default:
486 if (verbose) PrintAndLog("iso14443b card select SRx failed");
487 break;
22e24700 488 }
489
18b90cce 490 switch_off_field_14b();
6fc68747 491 return isSuccess;
1299c798 492}
493
6fc68747 494bool HF14B_Std_Reader(bool verbose){
22e24700 495
6fc68747 496 bool isSuccess = FALSE;
22e24700 497
6fc68747 498 // 14b get and print UID only (general info)
499 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_DISCONNECT, 0, 0}};
500 clearCommandBuffer();
501 SendCommand(&c);
502 UsbCommand resp;
503
5de71ee6 504 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 505 if (verbose) PrintAndLog("timeout while waiting for reply.");
506 return FALSE;
507 }
508
509 iso14b_card_select_t card;
510 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
511
512 uint64_t status = resp.arg[0];
513
514 switch( status ){
515 case 0:
516 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
517 PrintAndLog(" ATQB : %s", sprint_hex(card.atqb, sizeof(card.atqb)));
518 PrintAndLog(" CHIPID : %02X", card.chipid);
519 print_atqb_resp(card.atqb, card.cid);
520 isSuccess = TRUE;
521 break;
522 case 2:
523 if (verbose) PrintAndLog("iso14443-3 ATTRIB fail");
524 break;
525 case 3:
526 if (verbose) PrintAndLog("iso14443-3 CRC fail");
527 break;
528 default:
529 if (verbose) PrintAndLog("iso14443b card select failed");
530 break;
531 }
532
18b90cce 533 switch_off_field_14b();
6fc68747 534 return isSuccess;
535}
1299c798 536
6fc68747 537// test for other 14b type tags (mimic another reader - don't have tags to identify)
538bool HF14B_Other_Reader(){
abb21530 539
6fc68747 540 // uint8_t data[] = {0x00, 0x0b, 0x3f, 0x80};
541 // uint8_t datalen = 4;
d71d59db 542
6fc68747 543 // // 14b get and print UID only (general info)
544 // uint32_t flags = ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_RAW | ISO14B_APPEND_CRC;
545
546 // UsbCommand c = {CMD_ISO_14443B_COMMAND, {flags, datalen, 0}};
547 // memcpy(c.d.asBytes, data, datalen);
548
549 // clearCommandBuffer();
550 // SendCommand(&c);
551 // UsbCommand resp;
552 // WaitForResponse(CMD_ACK,&resp);
553
554 // if (datalen > 2 ) {
555 // printandlog ("\n14443-3b tag found:");
556 // printandlog ("unknown tag type answered to a 0x000b3f80 command ans:");
557 // //printandlog ("%s", sprint_hex(data, datalen));
558 // rawclose();
559 // return true;
560 // }
561
562 // c.arg1 = 1;
563 // c.d.asBytes[0] = ISO14443B_AUTHENTICATE;
564 // clearCommandBuffer();
565 // SendCommand(&c);
566 // UsbCommand resp;
567 // WaitForResponse(CMD_ACK, &resp);
568
569 // if (datalen > 0) {
570 // PrintAndLog ("\n14443-3b tag found:");
571 // PrintAndLog ("Unknown tag type answered to a 0x0A command ans:");
572 // // PrintAndLog ("%s", sprint_hex(data, datalen));
573 // rawClose();
574 // return TRUE;
575 // }
576
577 // c.arg1 = 1;
578 // c.d.asBytes[0] = ISO14443B_RESET;
579 // clearCommandBuffer();
580 // SendCommand(&c);
581 // UsbCommand resp;
582 // WaitForResponse(CMD_ACK, &resp);
583
584 // if (datalen > 0) {
585 // PrintAndLog ("\n14443-3b tag found:");
586 // PrintAndLog ("Unknown tag type answered to a 0x0C command ans:");
587 // PrintAndLog ("%s", sprint_hex(data, datalen));
588 // rawClose();
589 // return TRUE;
590 // }
591
592 // rawClose();
593 return FALSE;
7cf3ef20 594}
595
6de14cec 596// get and print general info about all known 14b chips
6fc68747 597bool HF14BReader(bool verbose){
6de14cec 598
599 // try std 14b (atqb)
6fc68747 600 if (HF14B_Std_Reader(verbose)) return TRUE;
6de14cec 601
6fc68747 602 // try ST Microelectronics 14b
603 if (HF14B_ST_Reader(verbose)) return TRUE;
6de14cec 604
605 // try unknown 14b read commands (to be identified later)
606 // could be read of calypso, CEPAS, moneo, or pico pass.
6fc68747 607 if (HF14B_Other_Reader()) return TRUE;
6de14cec 608
609 if (verbose) PrintAndLog("no 14443B tag found");
6fc68747 610 return FALSE;
6de14cec 611}
612
613// menu command to get and print general info about all known 14b chips
614int CmdHF14BReader(const char *Cmd){
6fc68747 615 char cmdp = param_getchar(Cmd, 0);
616 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_reader();
617
618 bool verbose = !((cmdp == 's') || (cmdp == 'S'));
619 return HF14BReader(verbose);
6de14cec 620}
621
6fc68747 622/* New command to read the contents of a SRI512|SRIX4K tag
623 * SRI* tags are ISO14443-B modulated memory tags,
624 * this command just dumps the contents of the memory/
625 */
626int CmdHF14BReadSri(const char *Cmd){
627 char cmdp = param_getchar(Cmd, 0);
628 if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') return usage_hf_14b_read_srx();
629
630 uint8_t tagtype = param_get8(Cmd, 0);
631 uint8_t blocks = (tagtype == 1) ? 0x7F : 0x0F;
632
633 UsbCommand c = {CMD_READ_SRI_TAG, {blocks, 0, 0}};
634 clearCommandBuffer();
635 SendCommand(&c);
636 return 0;
637}
638// New command to write a SRI512/SRIX4K tag.
639int CmdHF14BWriteSri(const char *Cmd){
3fe4ff4f 640/*
641 * For SRIX4K blocks 00 - 7F
642 * hf 14b raw -c -p 09 $srix4kwblock $srix4kwdata
643 *
644 * For SR512 blocks 00 - 0F
645 * hf 14b raw -c -p 09 $sr512wblock $sr512wdata
646 *
647 * Special block FF = otp_lock_reg block.
648 * Data len 4 bytes-
649 */
650 char cmdp = param_getchar(Cmd, 0);
651 uint8_t blockno = -1;
652 uint8_t data[4] = {0x00};
653 bool isSrix4k = true;
6fc68747 654 char str[30];
655 memset(str, 0x00, sizeof(str));
656
657 if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') return usage_hf_14b_write_srx();
3fe4ff4f 658
b5be31f9 659 if ( cmdp == '2' )
3fe4ff4f 660 isSrix4k = false;
661
b5be31f9 662 //blockno = param_get8(Cmd, 1);
663
6fc68747 664 if ( param_gethex(Cmd, 1, &blockno, 2) ) {
b5be31f9 665 PrintAndLog("Block number must include 2 HEX symbols");
666 return 0;
667 }
3fe4ff4f 668
669 if ( isSrix4k ){
670 if ( blockno > 0x7f && blockno != 0xff ){
671 PrintAndLog("Block number out of range");
672 return 0;
673 }
674 } else {
675 if ( blockno > 0x0f && blockno != 0xff ){
676 PrintAndLog("Block number out of range");
677 return 0;
678 }
679 }
680
681 if (param_gethex(Cmd, 2, data, 8)) {
682 PrintAndLog("Data must include 8 HEX symbols");
683 return 0;
684 }
685
6fc68747 686 if ( blockno == 0xff) {
687 PrintAndLog("[%s] Write special block %02X [ %s ]",
688 (isSrix4k) ? "SRIX4K":"SRI512",
689 blockno,
690 sprint_hex(data,4)
691 );
692 } else {
693 PrintAndLog("[%s] Write block %02X [ %s ]",
694 (isSrix4k) ? "SRIX4K":"SRI512",
695 blockno,
696 sprint_hex(data,4)
697 );
698 }
699
16658b1f 700 sprintf(str, "-ss -c %02x %02x %02x %02x %02x %02x", ISO14443B_WRITE_BLK, blockno, data[0], data[1], data[2], data[3]);
3fe4ff4f 701 CmdHF14BCmdRaw(str);
702 return 0;
703}
704
341fd1de 705uint32_t srix4kEncode(uint32_t value) {
5636ee8c 706/*
707// vv = value
708// pp = position
709// vv vv vv pp
7104 bytes : 00 1A 20 01
711*/
5636ee8c 712 // only the lower crumbs.
713 uint8_t block = (value & 0xFF);
714 uint8_t i = 0;
715 uint8_t valuebytes[] = {0,0,0};
716
5636ee8c 717 num_to_bytes(value, 3, valuebytes);
718
719 // Scrambled part
720 // Crumb swapping of value.
721 uint8_t temp[] = {0,0};
ff3e0744 722 temp[0] = (CRUMB(value, 22) << 4 | CRUMB(value, 14 ) << 2 | CRUMB(value, 6)) << 4;
723 temp[0] |= CRUMB(value, 20) << 4 | CRUMB(value, 12 ) << 2 | CRUMB(value, 4);
724 temp[1] = (CRUMB(value, 18) << 4 | CRUMB(value, 10 ) << 2 | CRUMB(value, 2)) << 4;
725 temp[1] |= CRUMB(value, 16) << 4 | CRUMB(value, 8 ) << 2 | CRUMB(value, 0);
5636ee8c 726
727 // chksum part
728 uint32_t chksum = 0xFF - block;
729
730 // chksum is reduced by each nibbles of value.
731 for (i = 0; i < 3; ++i){
ff3e0744 732 chksum -= NIBBLE_HIGH(valuebytes[i]);
733 chksum -= NIBBLE_LOW(valuebytes[i]);
5636ee8c 734 }
735
341fd1de 736 // base4 conversion and left shift twice
5636ee8c 737 i = 3;
738 uint8_t base4[] = {0,0,0,0};
739 while( chksum !=0 ){
740 base4[i--] = (chksum % 4 << 2);
741 chksum /= 4;
742 }
743
744 // merge scambled and chksum parts
745 uint32_t encvalue =
ff3e0744 746 ( NIBBLE_LOW ( base4[0]) << 28 ) |
747 ( NIBBLE_HIGH( temp[0]) << 24 ) |
5636ee8c 748
ff3e0744 749 ( NIBBLE_LOW ( base4[1]) << 20 ) |
750 ( NIBBLE_LOW ( temp[0]) << 16 ) |
5636ee8c 751
ff3e0744 752 ( NIBBLE_LOW ( base4[2]) << 12 ) |
753 ( NIBBLE_HIGH( temp[1]) << 8 ) |
5636ee8c 754
ff3e0744 755 ( NIBBLE_LOW ( base4[3]) << 4 ) |
756 NIBBLE_LOW ( temp[1] );
5636ee8c 757
341fd1de 758 PrintAndLog("ICE encoded | %08X -> %08X", value, encvalue);
759 return encvalue;
760}
761uint32_t srix4kDecode(uint32_t value) {
762 switch(value) {
763 case 0xC04F42C5: return 0x003139;
764 case 0xC1484807: return 0x002943;
765 case 0xC0C60848: return 0x001A20;
766 }
5636ee8c 767 return 0;
768}
341fd1de 769uint32_t srix4kDecodeCounter(uint32_t num) {
770 uint32_t value = ~num;
771 ++value;
772 return value;
773}
774
775uint32_t srix4kGetMagicbytes( uint64_t uid, uint32_t block6, uint32_t block18, uint32_t block19 ){
776#define MASK 0xFFFFFFFF;
777 uint32_t uid32 = uid & MASK;
778 uint32_t counter = srix4kDecodeCounter(block6);
779 uint32_t decodedBlock18 = srix4kDecode(block18);
780 uint32_t decodedBlock19 = srix4kDecode(block19);
781 uint32_t doubleBlock = (decodedBlock18 << 16 | decodedBlock19) + 1;
782
783 uint32_t result = (uid32 * doubleBlock * counter) & MASK;
784 PrintAndLog("Magic bytes | %08X", result);
785 return result;
786}
787int srix4kValid(const char *Cmd){
788
789 uint64_t uid = 0xD00202501A4532F9;
790 uint32_t block6 = 0xFFFFFFFF;
791 uint32_t block18 = 0xC04F42C5;
792 uint32_t block19 = 0xC1484807;
793 uint32_t block21 = 0xD1BCABA4;
794
795 uint32_t test_b18 = 0x00313918;
796 uint32_t test_b18_enc = srix4kEncode(test_b18);
797 //uint32_t test_b18_dec = srix4kDecode(test_b18_enc);
798 PrintAndLog("ENCODE & CHECKSUM | %08X -> %08X (%s)", test_b18, test_b18_enc , "");
799
800 uint32_t magic = srix4kGetMagicbytes(uid, block6, block18, block19);
801 PrintAndLog("BLOCK 21 | %08X -> %08X (no XOR)", block21, magic ^ block21);
5636ee8c 802 return 0;
803}
341fd1de 804
6fc68747 805bool waitCmd(bool verbose) {
806
807 bool crc = FALSE;
808 uint8_t b1 = 0, b2 = 0;
809 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
810 uint8_t status = 0;
811 uint16_t len = 0;
812 UsbCommand resp;
813
5de71ee6 814 if (WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 815
a420e5c1 816 status = (resp.arg[0] & 0xFF);
6fc68747 817 if ( status > 0 ) return FALSE;
a420e5c1 818
6fc68747 819 len = (resp.arg[1] & 0xFFFF);
a420e5c1 820
6fc68747 821 memcpy(data, resp.d.asBytes, len);
822
823 if (verbose) {
a420e5c1 824 if ( len >= 3 ) {
825 ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2);
826 crc = ( data[len-2] == b1 && data[len-1] == b2);
827
828 PrintAndLog("[LEN %u] %s[%02X %02X] %s",
829 len,
830 sprint_hex(data, len-2),
831 data[len-2],
832 data[len-1],
833 (crc) ? "OK" : "FAIL"
834 );
835 } else {
836 PrintAndLog("[LEN %u] %s", len, sprint_hex(data, len) );
837 }
6fc68747 838 }
839 return TRUE;
840 } else {
841 PrintAndLog("timeout while waiting for reply.");
842 return FALSE;
843 }
844}
845
e994394a 846static command_t CommandTable[] = {
22e24700 847 {"help", CmdHelp, 1, "This help"},
6de14cec 848 {"info", CmdHF14Binfo, 0, "Find and print details about a 14443B tag"},
849 {"list", CmdHF14BList, 0, "[Deprecated] List ISO 14443B history"},
6fc68747 850 {"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"},
6de14cec 851 {"reader", CmdHF14BReader, 0, "Act as a 14443B reader to identify a tag"},
852 {"sim", CmdHF14BSim, 0, "Fake ISO 14443B tag"},
853 {"snoop", CmdHF14BSnoop, 0, "Eavesdrop ISO 14443B"},
6fc68747 854 {"sriread", CmdHF14BReadSri, 0, "Read contents of a SRI512 | SRIX4K tag"},
855 {"sriwrite", CmdHF14BWriteSri, 0, "Write data to a SRI512 | SRIX4K tag"},
341fd1de 856 //{"valid", srix4kValid, 1, "srix4k checksum test"},
22e24700 857 {NULL, NULL, 0, NULL}
7fe9b0b7 858};
859
e994394a 860int CmdHF14B(const char *Cmd) {
861 clearCommandBuffer();
22e24700 862 CmdsParse(CommandTable, Cmd);
863 return 0;
7fe9b0b7 864}
865
e994394a 866int CmdHelp(const char *Cmd) {
22e24700 867 CmdsHelp(CommandTable);
868 return 0;
7fe9b0b7 869}
Impressum, Datenschutz