]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhf14a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FIX: 'hf 14a sim x' - this fixes the error with using moebius attack and sim. Updat...
[proxmark3-svn] / client / cmdhf14a.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
f89c7050 2// 2011, Merlok
534983d7 3// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
a553f267 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// High frequency ISO14443A commands
10//-----------------------------------------------------------------------------
11
7fe9b0b7 12#include <stdio.h>
590f8ff9 13#include <stdlib.h>
7fe9b0b7 14#include <string.h>
f397b5cc 15#include <unistd.h>
20f9a2a1 16#include "util.h"
7fe9b0b7 17#include "iso14443crc.h"
18#include "data.h"
902cb3c0 19#include "proxmark3.h"
7fe9b0b7 20#include "ui.h"
21#include "cmdparser.h"
22#include "cmdhf14a.h"
534983d7 23#include "common.h"
20f9a2a1 24#include "cmdmain.h"
902cb3c0 25#include "mifare.h"
52eeaef5 26#include "cmdhfmf.h"
9cdd47c2 27#include "cmdhfmfu.h"
46cd801c 28#include "nonce2key/nonce2key.h"
9332b857 29#include "cmdhf.h"
9cdd47c2 30
7fe9b0b7 31static int CmdHelp(const char *Cmd);
5f6d6c90 32static void waitCmd(uint8_t iLen);
7fe9b0b7 33
52ab55ab 34// structure and database for uid -> tagtype lookups
35typedef struct {
36 uint8_t uid;
37 char* desc;
38} manufactureName;
39
40const manufactureName manufactureMapping[] = {
41 // ID, "Vendor Country"
42 { 0x01, "Motorola UK" },
43 { 0x02, "ST Microelectronics SA France" },
44 { 0x03, "Hitachi, Ltd Japan" },
45 { 0x04, "NXP Semiconductors Germany" },
46 { 0x05, "Infineon Technologies AG Germany" },
47 { 0x06, "Cylink USA" },
48 { 0x07, "Texas Instrument France" },
49 { 0x08, "Fujitsu Limited Japan" },
50 { 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
51 { 0x0A, "NEC Japan" },
52 { 0x0B, "Oki Electric Industry Co. Ltd Japan" },
53 { 0x0C, "Toshiba Corp. Japan" },
54 { 0x0D, "Mitsubishi Electric Corp. Japan" },
55 { 0x0E, "Samsung Electronics Co. Ltd Korea" },
56 { 0x0F, "Hynix / Hyundai, Korea" },
57 { 0x10, "LG-Semiconductors Co. Ltd Korea" },
58 { 0x11, "Emosyn-EM Microelectronics USA" },
59 { 0x12, "INSIDE Technology France" },
60 { 0x13, "ORGA Kartensysteme GmbH Germany" },
61 { 0x14, "SHARP Corporation Japan" },
62 { 0x15, "ATMEL France" },
63 { 0x16, "EM Microelectronic-Marin SA Switzerland" },
64 { 0x17, "KSW Microtec GmbH Germany" },
65 { 0x18, "ZMD AG Germany" },
66 { 0x19, "XICOR, Inc. USA" },
53f7c75a 67 { 0x1A, "Sony Corporation Japan" },
52ab55ab 68 { 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
69 { 0x1C, "Emosyn USA" },
70 { 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
71 { 0x1E, "Magellan Technology Pty Limited Australia" },
72 { 0x1F, "Melexis NV BO Switzerland" },
73 { 0x20, "Renesas Technology Corp. Japan" },
74 { 0x21, "TAGSYS France" },
75 { 0x22, "Transcore USA" },
76 { 0x23, "Shanghai belling corp., ltd. China" },
77 { 0x24, "Masktech Germany Gmbh Germany" },
78 { 0x25, "Innovision Research and Technology Plc UK" },
79 { 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
80 { 0x27, "Cypak AB Sweden" },
81 { 0x28, "Ricoh Japan" },
82 { 0x29, "ASK France" },
83 { 0x2A, "Unicore Microsystems, LLC Russian Federation" },
84 { 0x2B, "Dallas Semiconductor/Maxim USA" },
85 { 0x2C, "Impinj, Inc. USA" },
86 { 0x2D, "RightPlug Alliance USA" },
87 { 0x2E, "Broadcom Corporation USA" },
88 { 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
89 { 0x30, "BeeDar Technology Inc. USA" },
90 { 0x31, "RFIDsec Denmark" },
91 { 0x32, "Schweizer Electronic AG Germany" },
92 { 0x33, "AMIC Technology Corp Taiwan" },
93 { 0x34, "Mikron JSC Russia" },
94 { 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
95 { 0x36, "IDS Microchip AG Switzerland" },
96 { 0x37, "Kovio USA" },
53f7c75a 97 { 0x38, "HMT Microelectronic Ltd Switzerland" },
52ab55ab 98 { 0x39, "Silicon Craft Technology Thailand" },
99 { 0x3A, "Advanced Film Device Inc. Japan" },
100 { 0x3B, "Nitecrest Ltd UK" },
101 { 0x3C, "Verayo Inc. USA" },
102 { 0x3D, "HID Global USA" },
103 { 0x3E, "Productivity Engineering Gmbh Germany" },
104 { 0x3F, "Austriamicrosystems AG (reserved) Austria" },
105 { 0x40, "Gemalto SA France" },
106 { 0x41, "Renesas Electronics Corporation Japan" },
107 { 0x42, "3Alogics Inc Korea" },
108 { 0x43, "Top TroniQ Asia Limited Hong Kong" },
53f7c75a 109 { 0x44, "Gentag Inc. USA" },
52ab55ab 110 { 0x00, "no tag-info available" } // must be the last entry
111};
112
113
114// get a product description based on the UID
115// uid[8] tag uid
116// returns description of the best match
b915fda3 117char* getTagInfo(uint8_t uid) {
52ab55ab 118
68033ed7 119 int i;
52ab55ab 120 int len = sizeof(manufactureMapping) / sizeof(manufactureName);
121
68033ed7
MHS		 122 for ( i = 0; i < len; ++i )
123 if ( uid == manufactureMapping[i].uid)
124 return manufactureMapping[i].desc;
52ab55ab 125
68033ed7
MHS		 126 //No match, return default
127 return manufactureMapping[len-1].desc;
52ab55ab 128}
129
0956e0db 130int usage_hf_14a_sim(void) {
0194ce8f 131// PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 or 10 byte UID\n");
132 PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 byte UID\n");
0956e0db 133 PrintAndLog("Usage: hf 14a sim t <type> u <uid> x");
134 PrintAndLog(" Options : ");
135 PrintAndLog(" h : this help");
136 PrintAndLog(" t : 1 = MIFARE Classic");
137 PrintAndLog(" 2 = MIFARE Ultralight");
138 PrintAndLog(" 3 = MIFARE Desfire");
139 PrintAndLog(" 4 = ISO/IEC 14443-4");
140 PrintAndLog(" 5 = MIFARE Tnp3xxx");
141 PrintAndLog(" 6 = MIFARE Mini");
142 PrintAndLog(" 7 = AMIIBO (NTAG 215), pack 0x8080");
0194ce8f 143// PrintAndLog(" u : 4, 7 or 10 byte UID");
144 PrintAndLog(" u : 4, 7 byte UID");
0956e0db 145 PrintAndLog(" x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader");
32beef53 146 PrintAndLog(" v : (Optional) show maths used for cracking reader. Useful for debugging.");
57eba86b
PZ		 147 PrintAndLog("\n sample : hf 14a sim t 1 u 11223344 x");
148 PrintAndLog(" : hf 14a sim t 1 u 11223344");
149 PrintAndLog(" : hf 14a sim t 1 u 11223344556677");
0194ce8f 150// PrintAndLog(" : hf 14a sim t 1 u 11223445566778899AA\n");
0956e0db 151 return 0;
152}
153int usage_hf_14a_sniff(void){
154 PrintAndLog("It get data from the field and saves it into command buffer.");
155 PrintAndLog("Buffer accessible from command 'hf list 14a'");
156 PrintAndLog("Usage: hf 14a sniff [c][r]");
157 PrintAndLog("c - triggered by first data from card");
158 PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
159 PrintAndLog("sample: hf 14a sniff c r");
160 return 0;
161}
162int usage_hf_14a_raw(void){
163 PrintAndLog("Usage: hf 14a raw [-h] [-r] [-c] [-p] [-a] [-T] [-t] <milliseconds> [-b] <number of bits> <0A 0B 0C ... hex>");
164 PrintAndLog(" -h this help");
165 PrintAndLog(" -r do not read response");
166 PrintAndLog(" -c calculate and append CRC");
167 PrintAndLog(" -p leave the signal field ON after receive");
168 PrintAndLog(" -a active signal field ON without select");
169 PrintAndLog(" -s active signal field ON with select");
170 PrintAndLog(" -b number of bits to send. Useful for send partial byte");
171 PrintAndLog(" -t timeout in ms");
172 PrintAndLog(" -T use Topaz protocol to send command");
173 return 0;
174}
175
0194ce8f 176int CmdHF14AList(const char *Cmd) {
9332b857 177 //PrintAndLog("Deprecated command, use 'hf list 14a' instead");
178 CmdHFList("14a");
f89c7050 179 return 0;
7fe9b0b7 180}
181
0194ce8f 182int CmdHF14AReader(const char *Cmd) {
823ad2e1 183 UsbCommand cDisconnect = {CMD_READER_ISO_14443a, {0,0,0}};
19d6d91f 184 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
c2731f37 185 clearCommandBuffer();
534983d7 186 SendCommand(&c);
902cb3c0 187 UsbCommand resp;
cd79d972 188 WaitForResponse(CMD_ACK, &resp);
902cb3c0 189
19d6d91f 190 iso14a_card_select_t card;
191 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
534983d7 192
0ec548dc 193 uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
19d6d91f 194
195 if(select_status == 0) {
9cdd47c2 196 if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
823ad2e1 197 SendCommand(&cDisconnect);
534983d7 198 return 0;
199 }
200
0ec548dc 201 if(select_status == 3) {
202 PrintAndLog("Card doesn't support standard iso14443-3 anticollision");
abcb166f 203 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
823ad2e1 204 SendCommand(&cDisconnect);
0ec548dc 205 return 0;
206 }
207
19d6d91f 208 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
466bc459 209 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
19d6d91f 210 PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
713e7ffb 211
19d6d91f 212 switch (card.sak) {
abcb166f 213 case 0x00:
9cdd47c2 214
823ad2e1 215 // ******** is card of the MFU type (UL/ULC/NTAG/ etc etc)
9cdd47c2 216 ul_switch_off_field();
217
623db355 218 uint32_t tagT = GetHF14AMfU_Type();
3b875041 219 if (tagT != UL_ERROR)
220 ul_print_type(tagT, 0);
9cdd47c2 221
823ad2e1 222 // reconnect for further tests
9cdd47c2 223 c.arg[0] = ISO14A_CONNECT | ISO14A_NO_DISCONNECT;
224 c.arg[1] = 0;
225 c.arg[2] = 0;
c2731f37 226 clearCommandBuffer();
9cdd47c2 227 SendCommand(&c);
9cdd47c2 228 UsbCommand resp;
823ad2e1 229 WaitForResponse(CMD_ACK, &resp);
9cdd47c2 230
231 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
232
233 select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
234
235 if(select_status == 0) {
236 ul_switch_off_field();
237 return 0;
238 }
abcb166f 239 break;
3fe4ff4f 240 case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
79a73ab2 241 case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
e691fc45 242 case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
79a73ab2 243 case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
e691fc45 244 case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break;
245 case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break;
246 case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break;
247 case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break;
79a73ab2 248 case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break;
249 case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break;
250 case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break;
251 case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break;
252 case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
9ca155ba
M		 253 default: ;
254 }
19d6d91f 255
466bc459 256 // Double & triple sized UID, can be mapped to a manufacturer.
466bc459 257 if ( card.uidlen > 4 ) {
258 PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
259 }
260
19d6d91f 261 // try to request ATS even if tag claims not to support it
262 if (select_status == 2) {
263 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
264 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
265 c.arg[1] = 2;
266 c.arg[2] = 0;
267 memcpy(c.d.asBytes, rats, 2);
c2731f37 268 clearCommandBuffer();
19d6d91f 269 SendCommand(&c);
270 WaitForResponse(CMD_ACK,&resp);
271
09c2a802 272 memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
9a573554 273 card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
19d6d91f 274 }
275
9a573554 276 if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
561f7c11 277 bool ta1 = 0, tb1 = 0, tc1 = 0;
278 int pos;
279
9a573554 280 if (select_status == 2) {
19d6d91f 281 PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
282 }
283 PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
9a573554 284 PrintAndLog(" - TL : length is %d bytes", card.ats[0]);
285 if (card.ats[0] != card.ats_len - 2) {
286 PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
561f7c11 287 }
9a573554 288
289 if (card.ats[0] > 1) { // there is a format byte (T0)
19d6d91f 290 ta1 = (card.ats[1] & 0x10) == 0x10;
291 tb1 = (card.ats[1] & 0x20) == 0x20;
292 tc1 = (card.ats[1] & 0x40) == 0x40;
9a573554 293 int16_t fsci = card.ats[1] & 0x0f;
561f7c11 294 PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, "
9a573554 295 "TC1 is%s present, FSCI is %d (FSC = %ld)",
561f7c11 296 (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
9a573554 297 fsci,
298 fsci < 5 ? (fsci - 2) * 8 :
299 fsci < 8 ? (fsci - 3) * 32 :
300 fsci == 8 ? 256 :
301 -1
302 );
561f7c11 303 }
304 pos = 2;
9a573554 305 if (ta1) {
561f7c11 306 char dr[16], ds[16];
307 dr[0] = ds[0] = '\0';
19d6d91f 308 if (card.ats[pos] & 0x10) strcat(ds, "2, ");
309 if (card.ats[pos] & 0x20) strcat(ds, "4, ");
310 if (card.ats[pos] & 0x40) strcat(ds, "8, ");
311 if (card.ats[pos] & 0x01) strcat(dr, "2, ");
312 if (card.ats[pos] & 0x02) strcat(dr, "4, ");
313 if (card.ats[pos] & 0x04) strcat(dr, "8, ");
561f7c11 314 if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
315 if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
316 PrintAndLog(" - TA1 : different divisors are%s supported, "
317 "DR: [%s], DS: [%s]",
19d6d91f 318 (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
561f7c11 319 pos++;
320 }
9a573554 321 if (tb1) {
322 uint32_t sfgi = card.ats[pos] & 0x0F;
323 uint32_t fwi = card.ats[pos] >> 4;
324 PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
325 (sfgi),
326 sfgi ? "" : "(not needed) ",
327 sfgi ? (1 << 12) << sfgi : 0,
328 fwi,
329 (1 << 12) << fwi
330 );
561f7c11 331 pos++;
332 }
9a573554 333 if (tc1) {
561f7c11 334 PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported",
19d6d91f 335 (card.ats[pos] & 0x01) ? "" : " NOT",
336 (card.ats[pos] & 0x02) ? "" : " NOT");
561f7c11 337 pos++;
338 }
9a573554 339 if (card.ats[0] > pos) {
561f7c11 340 char *tip = "";
9a573554 341 if (card.ats[0] - pos >= 7) {
19d6d91f 342 if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
561f7c11 343 tip = "-> MIFARE Plus X 2K or 4K";
19d6d91f 344 } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
561f7c11 345 tip = "-> MIFARE Plus S 2K or 4K";
346 }
347 }
9a573554 348 PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
19d6d91f 349 if (card.ats[pos] == 0xC1) {
561f7c11 350 PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type");
351 PrintAndLog(" %02x -> Length is %d bytes",
19d6d91f 352 card.ats[pos + 1], card.ats[pos + 1]);
353 switch (card.ats[pos + 2] & 0xf0) {
823ad2e1 354 case 0x10: PrintAndLog(" 1x -> MIFARE DESFire"); break;
355 case 0x20: PrintAndLog(" 2x -> MIFARE Plus"); break;
561f7c11 356 }
19d6d91f 357 switch (card.ats[pos + 2] & 0x0f) {
823ad2e1 358 case 0x00: PrintAndLog(" x0 -> <1 kByte"); break;
359 case 0x01: PrintAndLog(" x1 -> 1 kByte"); break;
360 case 0x02: PrintAndLog(" x2 -> 2 kByte"); break;
361 case 0x03: PrintAndLog(" x3 -> 4 kByte"); break;
362 case 0x04: PrintAndLog(" x4 -> 8 kByte"); break;
561f7c11 363 }
19d6d91f 364 switch (card.ats[pos + 3] & 0xf0) {
823ad2e1 365 case 0x00: PrintAndLog(" 0x -> Engineering sample"); break;
366 case 0x20: PrintAndLog(" 2x -> Released"); break;
561f7c11 367 }
19d6d91f 368 switch (card.ats[pos + 3] & 0x0f) {
823ad2e1 369 case 0x00: PrintAndLog(" x0 -> Generation 1"); break;
370 case 0x01: PrintAndLog(" x1 -> Generation 2"); break;
371 case 0x02: PrintAndLog(" x2 -> Generation 3"); break;
561f7c11 372 }
19d6d91f 373 switch (card.ats[pos + 4] & 0x0f) {
823ad2e1 374 case 0x00: PrintAndLog(" x0 -> Only VCSL supported"); break;
375 case 0x01: PrintAndLog(" x1 -> VCS, VCSL, and SVC supported"); break;
376 case 0x0E: PrintAndLog(" xE -> no VCS command supported"); break;
561f7c11 377 }
378 }
379 }
79a73ab2 380 } else {
19d6d91f 381 PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
382 }
534983d7 383
52ab55ab 384
385 // try to see if card responses to "chinese magic backdoor" commands.
c2731f37 386 uint8_t isOK = 0;
387 clearCommandBuffer();
52ab55ab 388 c.cmd = CMD_MIFARE_CIDENT;
389 c.arg[0] = 0;
390 c.arg[1] = 0;
391 c.arg[2] = 0;
392 SendCommand(&c);
c2731f37 393 if (WaitForResponseTimeout(CMD_ACK, &resp, 1500))
394 isOK = resp.arg[0] & 0xff;
395
396 PrintAndLog("Answers to magic commands (GEN1): %s", (isOK ? "YES" : "NO") );
52ab55ab 397
398 // disconnect
823ad2e1 399 SendCommand(&cDisconnect);
52ab55ab 400
19d6d91f 401 return select_status;
7fe9b0b7 402}
403
db22dfe6 404// Collect ISO14443 Type A UIDs
0194ce8f 405int CmdHF14ACUIDs(const char *Cmd) {
db22dfe6 406 // requested number of UIDs
407 int n = atoi(Cmd);
408 // collect at least 1 (e.g. if no parameter was given)
409 n = n > 0 ? n : 1;
410
411 PrintAndLog("Collecting %d UIDs", n);
412 PrintAndLog("Start: %u", time(NULL));
413 // repeat n times
414 for (int i = 0; i < n; i++) {
415 // execute anticollision procedure
416 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
417 SendCommand(&c);
902cb3c0 418
72b1090a 419 UsbCommand resp;
420 WaitForResponse(CMD_ACK,&resp);
902cb3c0 421
72b1090a 422 iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
db22dfe6 423
424 // check if command failed
902cb3c0 425 if (resp.arg[0] == 0) {
db22dfe6 426 PrintAndLog("Card select failed.");
427 } else {
72b1090a 428 char uid_string[20];
429 for (uint16_t i = 0; i < card->uidlen; i++) {
430 sprintf(&uid_string[2*i], "%02X", card->uid[i]);
db22dfe6 431 }
72b1090a 432 PrintAndLog("%s", uid_string);
db22dfe6 433 }
434 }
435 PrintAndLog("End: %u", time(NULL));
db22dfe6 436 return 1;
437}
438
7fe9b0b7 439// ## simulate iso14443a tag
440// ## greg - added ability to specify tag UID
0194ce8f 441int CmdHF14ASim(const char *Cmd) {
52eeaef5 442 #define ATTACK_KEY_COUNT 8
9cdd47c2 443 bool errors = FALSE;
444 uint8_t flags = 0;
0194ce8f 445 uint8_t tagtype = 1;
9cdd47c2 446 uint8_t cmdp = 0;
0194ce8f 447 uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
448 int uidlen = 0;
0194ce8f 449 bool useUIDfromEML = TRUE;
ba39db37 450 bool verbose = false;
0956e0db 451
0194ce8f 452 while(param_getchar(Cmd, cmdp) != 0x00) {
453 switch(param_getchar(Cmd, cmdp)) {
9cdd47c2 454 case 'h':
455 case 'H':
456 return usage_hf_14a_sim();
457 case 't':
458 case 'T':
459 // Retrieve the tag type
460 tagtype = param_get8ex(Cmd, cmdp+1, 0, 10);
461 if (tagtype == 0)
462 errors = true;
463 cmdp += 2;
464 break;
465 case 'u':
466 case 'U':
0194ce8f 467 // Retrieve the full 4,7,10 byte long uid
468 param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
469 switch(uidlen) {
470 //case 20: flags |= FLAG_10B_UID_IN_DATA; break;
471 case 14: flags |= FLAG_7B_UID_IN_DATA; break;
472 case 8: flags |= FLAG_4B_UID_IN_DATA; break;
473 default: errors = TRUE; break;
474 }
475 if (!errors) {
476 PrintAndLog("Emulating ISO/IEC 14443 type A tag with %d byte UID (%s)", uidlen>>1, sprint_hex(uid, uidlen>>1));
477 useUIDfromEML = FALSE;
9cdd47c2 478 }
479 cmdp += 2;
480 break;
32beef53
MF		 481 case 'v':
482 case 'V':
ba39db37 483 verbose = true;
32beef53
MF		 484 cmdp++;
485 break;
9cdd47c2 486 case 'x':
487 case 'X':
488 flags |= FLAG_NR_AR_ATTACK;
489 cmdp++;
490 break;
491 default:
492 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
493 errors = true;
494 break;
495 }
496 if(errors) break;
81cd0474 497 }
9cdd47c2 498
499 //Validations
500 if (errors) return usage_hf_14a_sim();
501
0194ce8f 502 if ( useUIDfromEML )
503 flags |= FLAG_UID_IN_EMUL;
81cd0474 504
0194ce8f 505 PrintAndLog("Press pm3-button to abort simulation");
46cd801c 506
0194ce8f 507 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
f7c1a934 508 memcpy(c.d.asBytes, uid, uidlen>>1);
0956e0db 509 clearCommandBuffer();
9cdd47c2 510 SendCommand(&c);
511
52eeaef5 512 nonces_t data[ATTACK_KEY_COUNT*2];
513 UsbCommand resp;
514
515 while( !ukbhit() ){
516 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
517
518 if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
519 if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
520
521 memcpy( data, resp.d.asBytes, sizeof(data) );
ba39db37 522 readerAttack(data, TRUE, verbose);
81cd0474 523 }
9cdd47c2 524 return 0;
525}
81cd0474 526
9cdd47c2 527int CmdHF14ASniff(const char *Cmd) {
52eeaef5 528 int param = 0;
df3e429d 529 uint8_t ctmp = param_getchar(Cmd, 0) ;
0956e0db 530 if (ctmp == 'h' || ctmp == 'H') return usage_hf_14a_sniff();
5cd9ec01
M		 531
532 for (int i = 0; i < 2; i++) {
df3e429d 533 ctmp = param_getchar(Cmd, i);
5cd9ec01
M		 534 if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
535 if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
536 }
537
538 UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
0956e0db 539 clearCommandBuffer();
7fe9b0b7 540 SendCommand(&c);
541 return 0;
542}
543
5f6d6c90 544int CmdHF14ACmdRaw(const char *cmd) {
545 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
0ec548dc 546 bool reply=1;
547 bool crc = FALSE;
548 bool power = FALSE;
549 bool active = FALSE;
550 bool active_select = FALSE;
5f6d6c90 551 uint16_t numbits=0;
0ec548dc 552 bool bTimeout = FALSE;
19a700a8 553 uint32_t timeout=0;
0ec548dc 554 bool topazmode = FALSE;
5f6d6c90 555 char buf[5]="";
556 int i=0;
79bf1ad2 557 uint8_t data[USB_CMD_DATA_SIZE];
19a700a8 558 uint16_t datalen=0;
559 uint32_t temp;
5f6d6c90 560
0956e0db 561 if (strlen(cmd)<2) return usage_hf_14a_raw();
0ec548dc 562
5f6d6c90 563 // strip
564 while (*cmd==' ' || *cmd=='\t') cmd++;
565
566 while (cmd[i]!='\0') {
567 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
568 if (cmd[i]=='-') {
569 switch (cmd[i+1]) {
0956e0db 570 case 'H':
571 case 'h':
572 return usage_hf_14a_raw();
5f6d6c90 573 case 'r':
0ec548dc 574 reply = FALSE;
5f6d6c90 575 break;
576 case 'c':
0ec548dc 577 crc = TRUE;
5f6d6c90 578 break;
579 case 'p':
0ec548dc 580 power = TRUE;
5f6d6c90 581 break;
582 case 'a':
0ec548dc 583 active = TRUE;
5f6d6c90 584 break;
585 case 's':
0ec548dc 586 active_select = TRUE;
5f6d6c90 587 break;
588 case 'b':
589 sscanf(cmd+i+2,"%d",&temp);
590 numbits = temp & 0xFFFF;
591 i+=3;
592 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
593 i-=2;
594 break;
79bf1ad2 595 case 't':
0ec548dc 596 bTimeout = TRUE;
79bf1ad2 597 sscanf(cmd+i+2,"%d",&temp);
19a700a8 598 timeout = temp;
79bf1ad2 599 i+=3;
600 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
04bc1c66 601 i-=2;
79bf1ad2 602 break;
0ec548dc 603 case 'T':
604 topazmode = TRUE;
605 break;
5f6d6c90 606 default:
0956e0db 607 return usage_hf_14a_raw();
5f6d6c90 608 }
609 i+=2;
610 continue;
611 }
612 if ((cmd[i]>='0' && cmd[i]<='9') ||
613 (cmd[i]>='a' && cmd[i]<='f') ||
614 (cmd[i]>='A' && cmd[i]<='F') ) {
615 buf[strlen(buf)+1]=0;
616 buf[strlen(buf)]=cmd[i];
617 i++;
618
619 if (strlen(buf)>=2) {
620 sscanf(buf,"%x",&temp);
621 data[datalen]=(uint8_t)(temp & 0xff);
5f6d6c90 622 *buf=0;
9cdd47c2 623 if (++datalen >= sizeof(data)){
79bf1ad2 624 if (crc)
625 PrintAndLog("Buffer is full, we can't add CRC to your data");
626 break;
627 }
5f6d6c90 628 }
629 continue;
630 }
631 PrintAndLog("Invalid char on input");
632 return 0;
633 }
0ec548dc 634
79bf1ad2 635 if(crc && datalen>0 && datalen<sizeof(data)-2)
5f6d6c90 636 {
637 uint8_t first, second;
0ec548dc 638 if (topazmode) {
639 ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
640 } else {
9cdd47c2 641 ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
0ec548dc 642 }
5f6d6c90 643 data[datalen++] = first;
644 data[datalen++] = second;
645 }
646
647 if(active || active_select)
648 {
649 c.arg[0] |= ISO14A_CONNECT;
650 if(active)
651 c.arg[0] |= ISO14A_NO_SELECT;
652 }
04bc1c66 653
79bf1ad2 654 if(bTimeout){
0ec548dc 655 #define MAX_TIMEOUT 40542464 // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
79bf1ad2 656 c.arg[0] |= ISO14A_SET_TIMEOUT;
19a700a8 657 if(timeout > MAX_TIMEOUT) {
658 timeout = MAX_TIMEOUT;
659 PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
79bf1ad2 660 }
04bc1c66 661 c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
79bf1ad2 662 }
0ec548dc 663
3c654208 664 if(power) {
5f6d6c90 665 c.arg[0] |= ISO14A_NO_DISCONNECT;
3c654208 666 }
667
668 if(datalen>0) {
5f6d6c90 669 c.arg[0] |= ISO14A_RAW;
3c654208 670 }
671
672 if(topazmode) {
0ec548dc 673 c.arg[0] |= ISO14A_TOPAZMODE;
3c654208 674 }
c46ea881 675
79bf1ad2 676 // Max buffer is USB_CMD_DATA_SIZE
c46ea881 677 datalen = (datalen > USB_CMD_DATA_SIZE) ? USB_CMD_DATA_SIZE : datalen;
678
4c685ac8 679 c.arg[1] = (datalen & 0xFFFF) | (uint32_t)(numbits << 16);
6fc68747 680 memcpy(c.d.asBytes, data, datalen);
5f6d6c90 681
7838f4be 682 clearCommandBuffer();
5f6d6c90 683 SendCommand(&c);
684
685 if (reply) {
686 if(active_select)
687 waitCmd(1);
688 if(datalen>0)
689 waitCmd(0);
690 } // if reply
691 return 0;
692}
693
0956e0db 694static void waitCmd(uint8_t iSelect) {
5f6d6c90 695 UsbCommand resp;
6fc68747 696 uint16_t len = 0;
5f6d6c90 697
6fc68747 698 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
699 len = iSelect ? (resp.arg[1] & 0xffff) : (resp.arg[0] & 0xffff);
700 PrintAndLog("received %i octets", len);
701 if(!len)
5f6d6c90 702 return;
6fc68747 703 PrintAndLog("%s", sprint_hex(resp.d.asBytes, len) );
5f6d6c90 704 } else {
705 PrintAndLog("timeout while waiting for reply.");
706 }
707}
708
52eeaef5 709static command_t CommandTable[] = {
5acd09bd 710 {"help", CmdHelp, 1, "This help"},
4c3de57a 711 {"list", CmdHF14AList, 0, "[Deprecated] List ISO 14443a history"},
5acd09bd 712 {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
713 {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
df3e429d 714 {"sim", CmdHF14ASim, 0, "<UID> -- Simulate ISO 14443a tag"},
9cdd47c2 715 {"sniff", CmdHF14ASniff, 0, "sniff ISO 14443 Type A traffic"},
5f6d6c90 716 {"raw", CmdHF14ACmdRaw, 0, "Send raw hex data to tag"},
7fe9b0b7 717 {NULL, NULL, 0, NULL}
718};
719
902cb3c0 720int CmdHF14A(const char *Cmd) {
28415b5d 721 clearCommandBuffer();
9cdd47c2 722 CmdsParse(CommandTable, Cmd);
723 return 0;
7fe9b0b7 724}
725
0194ce8f 726int CmdHelp(const char *Cmd) {
7fe9b0b7 727 CmdsHelp(CommandTable);
728 return 0;
729}
Proxmark3 GIT tracking
Impressum, Datenschutz