]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhf14b.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FIX: @Aczid suggested this to fix a Coverity scan warning.
[proxmark3-svn] / client / cmdhf14b.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency ISO14443B commands
9//-----------------------------------------------------------------------------
10
7fe9b0b7 11#include <stdio.h>
12#include <stdlib.h>
13#include <stdbool.h>
7fe9b0b7 14#include <stdint.h>
7fe9b0b7 15#include "cmdhf14b.h"
16
5de71ee6 17#define TIMEOUT 2000
7fe9b0b7 18static int CmdHelp(const char *Cmd);
19
6fc68747 20int usage_hf_14b_info(void){
18b90cce 21 PrintAndLog("Usage: hf 14b info [h] [s]");
22 PrintAndLog("Options:");
23 PrintAndLog(" h this help");
24 PrintAndLog(" s silently");
25 PrintAndLog("sample:");
26 PrintAndLog(" hf 14b info");
388c92bd 27 return 0;
7fe9b0b7 28}
6fc68747 29int usage_hf_14b_reader(void){
18b90cce 30 PrintAndLog("Usage: hf 14b reader [h] [s]");
31 PrintAndLog("Options:");
32 PrintAndLog(" h this help");
33 PrintAndLog(" s silently");
34 PrintAndLog("sample:");
35 PrintAndLog(" hf 14b reader");
22e24700 36 return 0;
7fe9b0b7 37}
6fc68747 38int usage_hf_14b_raw(void){
39 PrintAndLog("Usage: hf 14b raw [-h] [-r] [-c] [-p] [-s || -ss] <0A 0B 0C ... hex>");
18b90cce 40 PrintAndLog("Options:");
6fc68747 41 PrintAndLog(" -h this help");
42 PrintAndLog(" -r do not read response");
43 PrintAndLog(" -c calculate and append CRC");
44 PrintAndLog(" -p leave the field on after receive");
45 PrintAndLog(" -s active signal field ON with select");
46 PrintAndLog(" -ss active signal field ON with select for SRx ST Microelectronics tags");
18b90cce 47 PrintAndLog("sample:");
48 PrintAndLog(" hf 14b raw -s -c -p 0200a40400");
6fc68747 49 return 0;
7fe9b0b7 50}
6fc68747 51int usage_hf_14b_snoop(void){
52 PrintAndLog("It get data from the field and saves it into command buffer.");
53 PrintAndLog("Buffer accessible from command 'hf list 14b'");
18b90cce 54 PrintAndLog("Usage: hf 14b snoop [h]");
55 PrintAndLog("Options:");
56 PrintAndLog(" h this help");
57 PrintAndLog("sample:");
58 PrintAndLog(" hf 14b snoop");
6fc68747 59 return 0;
60}
61int usage_hf_14b_sim(void){
62 PrintAndLog("Emulating ISO/IEC 14443 type B tag with 4 UID");
18b90cce 63 PrintAndLog("Usage: hf 14b sim [h]");
64 PrintAndLog("Options:");
65 PrintAndLog(" h this help");
66 PrintAndLog("sample:");
67 PrintAndLog(" hf 14b sim");
6fc68747 68 return 0;
69}
70int usage_hf_14b_read_srx(void){
71 PrintAndLog("Usage: hf 14b read [h] <1|2>");
72 PrintAndLog("Options:");
73 PrintAndLog(" h this help");
74 PrintAndLog(" <1|2> 1 = SRIX4K , 2 = SRI512");
18b90cce 75 PrintAndLog("sample:");
76 PrintAndLog(" hf 14b read 1");
77 PrintAndLog(" hf 14b read 2");
22e24700 78 return 0;
7fe9b0b7 79}
6fc68747 80int usage_hf_14b_write_srx(void){
18b90cce 81 PrintAndLog("Usage: hf 14b [h] write <1|2> <BLOCK> <DATA>");
6fc68747 82 PrintAndLog("Options:");
83 PrintAndLog(" h this help");
84 PrintAndLog(" <1|2> 1 = SRIX4K , 2 = SRI512");
85 PrintAndLog(" <block> BLOCK number depends on tag, special block == FF");
86 PrintAndLog(" <data> hex bytes of data to be written");
18b90cce 87 PrintAndLog("sample:");
88 PrintAndLog(" hf 14b write 1 7F 11223344");
89 PrintAndLog(" hf 14b write 1 FF 11223344");
90 PrintAndLog(" hf 14b write 2 15 11223344");
91 PrintAndLog(" hf 14b write 2 FF 11223344");
22e24700 92 return 0;
7fe9b0b7 93}
94
18b90cce 95static void switch_on_field_14b(void) {
96 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT, 0, 0}};
97 clearCommandBuffer();
98 SendCommand(&c);
99}
100
101static int switch_off_field_14b(void) {
6fc68747 102 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_DISCONNECT, 0, 0}};
abb21530 103 clearCommandBuffer();
d71d59db 104 SendCommand(&c);
18b90cce 105 return 0;
3607b5a9 106}
d71d59db 107
6fc68747 108int CmdHF14BList(const char *Cmd) {
109 CmdHFList("14b");
110 return 0;
111}
22e24700 112
6fc68747 113int CmdHF14BSim(const char *Cmd) {
114 char cmdp = param_getchar(Cmd, 0);
115 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_sim();
116
117 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443B, {0, 0, 0}};
abb21530 118 clearCommandBuffer();
22e24700 119 SendCommand(&c);
6fc68747 120 return 0;
121}
22e24700 122
6fc68747 123int CmdHF14BSnoop(const char *Cmd) {
6de14cec 124
6fc68747 125 char cmdp = param_getchar(Cmd, 0);
126 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_snoop();
6de14cec 127
6fc68747 128 UsbCommand c = {CMD_SNOOP_ISO_14443B, {0, 0, 0}};
129 clearCommandBuffer();
130 SendCommand(&c);
131 return 0;
1299c798 132}
133
134int CmdHF14BCmdRaw (const char *Cmd) {
6fc68747 135 bool reply = TRUE;
136 bool power = FALSE;
137 bool select = FALSE;
138 char buf[5]="";
139
140 int i = 0;
141 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
142 uint16_t datalen = 0;
18b90cce 143 uint32_t flags = ISO14B_CONNECT;
6fc68747 144 uint32_t temp = 0;
145
146 if (strlen(Cmd)<3) return usage_hf_14b_raw();
7cf3ef20 147
148 // strip
6fc68747 149 while (*Cmd==' ' || *Cmd=='\t') ++Cmd;
7cf3ef20 150
1299c798 151 while (Cmd[i]!='\0') {
6fc68747 152 if (Cmd[i]==' ' || Cmd[i]=='\t') { ++i; continue; }
1299c798 153 if (Cmd[i]=='-') {
154 switch (Cmd[i+1]) {
6fc68747 155 case 'H':
156 case 'h':
157 return usage_hf_14b_raw();
7cf3ef20 158 case 'r':
159 case 'R':
6fc68747 160 reply = FALSE;
7cf3ef20 161 break;
162 case 'c':
163 case 'C':
6fc68747 164 flags |= ISO14B_APPEND_CRC;
7cf3ef20 165 break;
166 case 'p':
167 case 'P':
6fc68747 168 power = TRUE;
7cf3ef20 169 break;
b10a759f 170 case 's':
171 case 'S':
6fc68747 172 select = TRUE;
b10a759f 173 if (Cmd[i+2]=='s' || Cmd[i+2]=='S') {
6fc68747 174 flags |= ISO14B_SELECT_SR;
175 ++i;
176 } else {
177 flags |= ISO14B_SELECT_STD;
b10a759f 178 }
179 break;
7cf3ef20 180 default:
6fc68747 181 return usage_hf_14b_raw();
7cf3ef20 182 }
183 i+=2;
184 continue;
185 }
1299c798 186 if ((Cmd[i]>='0' && Cmd[i]<='9') ||
187 (Cmd[i]>='a' && Cmd[i]<='f') ||
188 (Cmd[i]>='A' && Cmd[i]<='F') ) {
7cf3ef20 189 buf[strlen(buf)+1]=0;
1299c798 190 buf[strlen(buf)]=Cmd[i];
7cf3ef20 191 i++;
192
193 if (strlen(buf)>=2) {
194 sscanf(buf,"%x",&temp);
6fc68747 195 data[datalen++] = (uint8_t)(temp & 0xff);
7cf3ef20 196 *buf=0;
b10a759f 197 memset(buf, 0x00, sizeof(buf));
7cf3ef20 198 }
199 continue;
200 }
201 PrintAndLog("Invalid char on input");
b10a759f 202 return 0;
7cf3ef20 203 }
b10a759f 204
6fc68747 205 if(!power)
206 flags |= ISO14B_DISCONNECT;
207
208 if(datalen>0)
209 flags |= ISO14B_RAW;
210
211 // Max buffer is USB_CMD_DATA_SIZE
212 datalen = (datalen > USB_CMD_DATA_SIZE) ? USB_CMD_DATA_SIZE : datalen;
213
214 UsbCommand c = {CMD_ISO_14443B_COMMAND, {flags, datalen, 0}};
215 memcpy(c.d.asBytes, data, datalen);
216 clearCommandBuffer();
217 SendCommand(&c);
218
219 if (!reply) return 1;
220
221 bool success = TRUE;
222 // get back iso14b_card_select_t, don't print it.
223 if(select)
224 success = waitCmd(FALSE);
225
226 // get back response from the raw bytes you sent.
227 if(success && datalen>0) waitCmd(TRUE);
228
229 return 1;
1299c798 230}
231
6de14cec 232// print full atqb info
186ad603 233// bytes
234// 0,1,2,3 = application data
235// 4 = bit rate capacity
236// 5 = max frame size / -4 info
237// 6 = FWI / Coding options
6fc68747 238static void print_atqb_resp(uint8_t *data, uint8_t cid){
186ad603 239 //PrintAndLog(" UID: %s", sprint_hex(data+1,4));
240 PrintAndLog(" App Data: %s", sprint_hex(data,4));
241 PrintAndLog(" Protocol: %s", sprint_hex(data+4,3));
6fc68747 242 uint8_t BitRate = data[4];
186ad603 243 if (!BitRate) PrintAndLog(" Bit Rate: 106 kbit/s only PICC <-> PCD");
244 if (BitRate & 0x10) PrintAndLog(" Bit Rate: 212 kbit/s PICC -> PCD supported");
245 if (BitRate & 0x20) PrintAndLog(" Bit Rate: 424 kbit/s PICC -> PCD supported");
246 if (BitRate & 0x40) PrintAndLog(" Bit Rate: 847 kbit/s PICC -> PCD supported");
247 if (BitRate & 0x01) PrintAndLog(" Bit Rate: 212 kbit/s PICC <- PCD supported");
248 if (BitRate & 0x02) PrintAndLog(" Bit Rate: 424 kbit/s PICC <- PCD supported");
249 if (BitRate & 0x04) PrintAndLog(" Bit Rate: 847 kbit/s PICC <- PCD supported");
250 if (BitRate & 0x80) PrintAndLog(" Same bit rate <-> required");
22e24700 251
6fc68747 252 uint16_t maxFrame = data[5]>>4;
22e24700 253 if (maxFrame < 5) maxFrame = 8 * maxFrame + 16;
254 else if (maxFrame == 5) maxFrame = 64;
255 else if (maxFrame == 6) maxFrame = 96;
256 else if (maxFrame == 7) maxFrame = 128;
257 else if (maxFrame == 8) maxFrame = 256;
258 else maxFrame = 257;
186ad603 259
260 PrintAndLog("Max Frame Size: %u%s bytes",maxFrame, (maxFrame == 257) ? "+ RFU" : "");
22e24700 261
6fc68747 262 uint8_t protocolT = data[5] & 0xF;
186ad603 263 PrintAndLog(" Protocol Type: Protocol is %scompliant with ISO/IEC 14443-4",(protocolT) ? "" : "not " );
264
265 uint8_t fwt = data[6]>>4;
266 if ( fwt < 16 ){
267 uint32_t etus = (32 << fwt);
268 uint32_t fwt_time = (302 << fwt);
18b90cce 269 PrintAndLog("Frame Wait Integer: %u - %u ETUs | %u us", fwt, etus, fwt_time);
186ad603 270 } else {
271 PrintAndLog("Frame Wait Integer: %u - RFU", fwt);
272 }
273
274 PrintAndLog(" App Data Code: Application is %s",(data[6]&4) ? "Standard" : "Proprietary");
275 PrintAndLog(" Frame Options: NAD is %ssupported",(data[6]&2) ? "" : "not ");
276 PrintAndLog(" Frame Options: CID is %ssupported",(data[6]&1) ? "" : "not ");
277 PrintAndLog("Tag :");
278 PrintAndLog(" Max Buf Length: %u (MBLI) %s", cid>>4, (cid & 0xF0) ? "" : "chained frames not supported");
279 PrintAndLog(" CDI : %u", cid & 0x0f);
22e24700 280 return;
1299c798 281}
282
6de14cec 283// get SRx chip model (from UID) // from ST Microelectronics
d71d59db 284char *get_ST_Chip_Model(uint8_t data){
285 static char model[20];
286 char *retStr = model;
287 memset(model,0, sizeof(model));
288
289 switch (data) {
290 case 0x0: sprintf(retStr, "SRIX4K (Special)"); break;
291 case 0x2: sprintf(retStr, "SR176"); break;
292 case 0x3: sprintf(retStr, "SRIX4K"); break;
293 case 0x4: sprintf(retStr, "SRIX512"); break;
294 case 0x6: sprintf(retStr, "SRI512"); break;
295 case 0x7: sprintf(retStr, "SRI4K"); break;
296 case 0xC: sprintf(retStr, "SRT512"); break;
5636ee8c 297 default : sprintf(retStr, "Unknown"); break;
d71d59db 298 }
17ad0e09 299 return retStr;
300}
301
6fc68747 302// REMAKE:
b10a759f 303int print_ST_Lock_info(uint8_t model){
b10a759f 304
6fc68747 305 // PrintAndLog("Chip Write Protection Bits:");
306 // // now interpret the data
307 // switch (model){
308 // case 0x0: //fall through (SRIX4K special)
309 // case 0x3: //fall through (SRIx4K)
310 // case 0x7: // (SRI4K)
311 // //only need data[3]
312 // blk1 = 9;
313 // PrintAndLog(" raw: %s", sprint_bin(data+3, 1));
314 // PrintAndLog(" 07/08:%slocked", (data[3] & 1) ? " not " : " " );
315 // for (uint8_t i = 1; i<8; i++){
316 // PrintAndLog(" %02u:%slocked", blk1, (data[3] & (1 << i)) ? " not " : " " );
317 // blk1++;
318 // }
319 // break;
320 // case 0x4: //fall through (SRIX512)
321 // case 0x6: //fall through (SRI512)
322 // case 0xC: // (SRT512)
323 // //need data[2] and data[3]
324 // blk1 = 0;
325 // PrintAndLog(" raw: %s", sprint_bin(data+2, 2));
326 // for (uint8_t b=2; b<4; b++){
327 // for (uint8_t i=0; i<8; i++){
328 // PrintAndLog(" %02u:%slocked", blk1, (data[b] & (1 << i)) ? " not " : " " );
329 // blk1++;
330 // }
331 // }
332 // break;
333 // case 0x2: // (SR176)
334 // //need data[2]
335 // blk1 = 0;
336 // PrintAndLog(" raw: %s", sprint_bin(data+2, 1));
337 // for (uint8_t i = 0; i<8; i++){
338 // PrintAndLog(" %02u/%02u:%slocked", blk1, blk1+1, (data[2] & (1 << i)) ? " " : " not " );
339 // blk1+=2;
340 // }
341 // break;
342 // default:
343 // return rawClose();
344 // }
b10a759f 345 return 1;
346}
347
6de14cec 348// print UID info from SRx chips (ST Microelectronics)
6fc68747 349static void print_st_general_info(uint8_t *data, uint8_t len){
17ad0e09 350 //uid = first 8 bytes in data
6fc68747 351 PrintAndLog(" UID: %s", sprint_hex(SwapEndian64(data,8,8), len));
17ad0e09 352 PrintAndLog(" MFG: %02X, %s", data[6], getTagInfo(data[6]));
353 PrintAndLog("Chip: %02X, %s", data[5]>>2, get_ST_Chip_Model(data[5]>>2));
354 return;
355}
356
6fc68747 357//05 00 00 = find one tag in field
358//1d xx xx xx xx 00 08 01 00 = attrib xx=UID (resp 10 [f9 e0])
359//a3 = ? (resp 03 [e2 c2])
360//02 = ? (resp 02 [6a d3])
361// 022b (resp 02 67 00 [29 5b])
362// 0200a40400 (resp 02 67 00 [29 5b])
363// 0200a4040c07a0000002480300 (resp 02 67 00 [29 5b])
364// 0200a4040c07a0000002480200 (resp 02 67 00 [29 5b])
365// 0200a4040006a0000000010100 (resp 02 6a 82 [4b 4c])
366// 0200a4040c09d27600002545500200 (resp 02 67 00 [29 5b])
367// 0200a404000cd2760001354b414e4d30310000 (resp 02 6a 82 [4b 4c])
368// 0200a404000ca000000063504b43532d313500 (resp 02 6a 82 [4b 4c])
369// 0200a4040010a000000018300301000000000000000000 (resp 02 6a 82 [4b 4c])
370//03 = ? (resp 03 [e3 c2])
371//c2 = ? (resp c2 [66 15])
372//b2 = ? (resp a3 [e9 67])
373//a2 = ? (resp 02 [6a d3])
6de14cec 374
375// 14b get and print Full Info (as much as we know)
6fc68747 376bool HF14B_Std_Info(bool verbose){
6de14cec 377 //add more info here
6fc68747 378 return FALSE;
17ad0e09 379}
380
6fc68747 381// SRx get and print full info (needs more info...)
382bool HF14B_ST_Info(bool verbose){
383
384 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT | ISO14B_SELECT_SR | ISO14B_DISCONNECT, 0, 0}};
385 clearCommandBuffer();
386 SendCommand(&c);
387 UsbCommand resp;
17ad0e09 388
5de71ee6 389 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 390 if (verbose) PrintAndLog("timeout while waiting for reply.");
391 return FALSE;
392 }
17ad0e09 393
6fc68747 394 iso14b_card_select_t card;
395 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
396
397 uint64_t status = resp.arg[0];
18b90cce 398 if ( status > 0 ) return switch_off_field_14b();
17ad0e09 399
6fc68747 400 //add locking bit information here. uint8_t data[16] = {0x00};
401 // uint8_t datalen = 2;
402 // uint8_t resplen;
403 // uint8_t blk1;
404 // data[0] = 0x08;
405
406 //
407 // if (model == 0x2) { //SR176 has special command:
408 // data[1] = 0xf;
409 // resplen = 4;
410 // } else {
411 // data[1] = 0xff;
412 // resplen = 6;
413 // }
414
415 // //std read cmd
416 // if (HF14BCmdRaw(true, true, data, &datalen, false)==0)
417 // return rawClose();
418
419 // if (datalen != resplen || !crc) return rawClose();
420 //print_ST_Lock_info(data[5]>>2);
18b90cce 421 switch_off_field_14b();
6fc68747 422 return TRUE;
423}
17ad0e09 424
6fc68747 425// get and print all info known about any known 14b tag
426bool HF14BInfo(bool verbose){
17ad0e09 427
6fc68747 428 // try std 14b (atqb)
429 if (HF14B_Std_Info(verbose)) return TRUE;
17ad0e09 430
6fc68747 431 // try st 14b
432 if (HF14B_ST_Info(verbose)) return TRUE;
b10a759f 433
6fc68747 434 // try unknown 14b read commands (to be identified later)
435 // could be read of calypso, CEPAS, moneo, or pico pass.
b10a759f 436
6fc68747 437 if (verbose) PrintAndLog("no 14443B tag found");
438 return FALSE;
439}
17ad0e09 440
6fc68747 441// menu command to get and print all info known about any known 14b tag
442int CmdHF14Binfo(const char *Cmd){
443 char cmdp = param_getchar(Cmd, 0);
444 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_info();
445
446 bool verbose = !((cmdp == 's') || (cmdp == 'S'));
447 return HF14BInfo(verbose);
6de14cec 448}
449
6fc68747 450bool HF14B_ST_Reader(bool verbose){
451
452 bool isSuccess = FALSE;
453
18b90cce 454 switch_on_field_14b();
455
6fc68747 456 // SRx get and print general info about SRx chip from UID
18b90cce 457 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_SELECT_SR, 0, 0}};
6fc68747 458 clearCommandBuffer();
459 SendCommand(&c);
460 UsbCommand resp;
5de71ee6 461 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 462 if (verbose) PrintAndLog("timeout while waiting for reply.");
463 return FALSE;
464 }
6fc68747 465
466 iso14b_card_select_t card;
467 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
17ad0e09 468
6fc68747 469 uint64_t status = resp.arg[0];
22e24700 470
6fc68747 471 switch( status ){
472 case 0:
473 print_st_general_info(card.uid, card.uidlen);
474 isSuccess = TRUE;
475 break;
476 case 1:
477 if (verbose) PrintAndLog("iso14443-3 random chip id fail");
478 break;
479 case 2:
480 if (verbose) PrintAndLog("iso14443-3 ATTRIB fail");
481 break;
482 case 3:
483 if (verbose) PrintAndLog("iso14443-3 CRC fail");
484 break;
485 default:
486 if (verbose) PrintAndLog("iso14443b card select SRx failed");
487 break;
22e24700 488 }
489
18b90cce 490 switch_off_field_14b();
6fc68747 491 return isSuccess;
1299c798 492}
493
6fc68747 494bool HF14B_Std_Reader(bool verbose){
22e24700 495
6fc68747 496 bool isSuccess = FALSE;
22e24700 497
6fc68747 498 // 14b get and print UID only (general info)
499 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_DISCONNECT, 0, 0}};
500 clearCommandBuffer();
501 SendCommand(&c);
502 UsbCommand resp;
503
5de71ee6 504 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 505 if (verbose) PrintAndLog("timeout while waiting for reply.");
506 return FALSE;
507 }
508
509 iso14b_card_select_t card;
510 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
511
512 uint64_t status = resp.arg[0];
513
514 switch( status ){
515 case 0:
516 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
517 PrintAndLog(" ATQB : %s", sprint_hex(card.atqb, sizeof(card.atqb)));
518 PrintAndLog(" CHIPID : %02X", card.chipid);
519 print_atqb_resp(card.atqb, card.cid);
520 isSuccess = TRUE;
521 break;
522 case 2:
523 if (verbose) PrintAndLog("iso14443-3 ATTRIB fail");
524 break;
525 case 3:
526 if (verbose) PrintAndLog("iso14443-3 CRC fail");
527 break;
528 default:
529 if (verbose) PrintAndLog("iso14443b card select failed");
530 break;
531 }
532
18b90cce 533 switch_off_field_14b();
6fc68747 534 return isSuccess;
535}
1299c798 536
6fc68747 537// test for other 14b type tags (mimic another reader - don't have tags to identify)
538bool HF14B_Other_Reader(){
abb21530 539
6fc68747 540 // uint8_t data[] = {0x00, 0x0b, 0x3f, 0x80};
541 // uint8_t datalen = 4;
d71d59db 542
6fc68747 543 // // 14b get and print UID only (general info)
544 // uint32_t flags = ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_RAW | ISO14B_APPEND_CRC;
545
546 // UsbCommand c = {CMD_ISO_14443B_COMMAND, {flags, datalen, 0}};
547 // memcpy(c.d.asBytes, data, datalen);
548
549 // clearCommandBuffer();
550 // SendCommand(&c);
551 // UsbCommand resp;
552 // WaitForResponse(CMD_ACK,&resp);
553
554 // if (datalen > 2 ) {
555 // printandlog ("\n14443-3b tag found:");
556 // printandlog ("unknown tag type answered to a 0x000b3f80 command ans:");
557 // //printandlog ("%s", sprint_hex(data, datalen));
558 // rawclose();
559 // return true;
560 // }
561
562 // c.arg1 = 1;
563 // c.d.asBytes[0] = ISO14443B_AUTHENTICATE;
564 // clearCommandBuffer();
565 // SendCommand(&c);
566 // UsbCommand resp;
567 // WaitForResponse(CMD_ACK, &resp);
568
569 // if (datalen > 0) {
570 // PrintAndLog ("\n14443-3b tag found:");
571 // PrintAndLog ("Unknown tag type answered to a 0x0A command ans:");
572 // // PrintAndLog ("%s", sprint_hex(data, datalen));
573 // rawClose();
574 // return TRUE;
575 // }
576
577 // c.arg1 = 1;
578 // c.d.asBytes[0] = ISO14443B_RESET;
579 // clearCommandBuffer();
580 // SendCommand(&c);
581 // UsbCommand resp;
582 // WaitForResponse(CMD_ACK, &resp);
583
584 // if (datalen > 0) {
585 // PrintAndLog ("\n14443-3b tag found:");
586 // PrintAndLog ("Unknown tag type answered to a 0x0C command ans:");
587 // PrintAndLog ("%s", sprint_hex(data, datalen));
588 // rawClose();
589 // return TRUE;
590 // }
591
592 // rawClose();
593 return FALSE;
7cf3ef20 594}
595
6de14cec 596// get and print general info about all known 14b chips
6fc68747 597bool HF14BReader(bool verbose){
6de14cec 598
599 // try std 14b (atqb)
6fc68747 600 if (HF14B_Std_Reader(verbose)) return TRUE;
6de14cec 601
6fc68747 602 // try ST Microelectronics 14b
603 if (HF14B_ST_Reader(verbose)) return TRUE;
6de14cec 604
605 // try unknown 14b read commands (to be identified later)
606 // could be read of calypso, CEPAS, moneo, or pico pass.
6fc68747 607 if (HF14B_Other_Reader()) return TRUE;
6de14cec 608
609 if (verbose) PrintAndLog("no 14443B tag found");
6fc68747 610 return FALSE;
6de14cec 611}
612
613// menu command to get and print general info about all known 14b chips
614int CmdHF14BReader(const char *Cmd){
6fc68747 615 char cmdp = param_getchar(Cmd, 0);
616 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_reader();
617
618 bool verbose = !((cmdp == 's') || (cmdp == 'S'));
619 return HF14BReader(verbose);
6de14cec 620}
621
6fc68747 622/* New command to read the contents of a SRI512|SRIX4K tag
623 * SRI* tags are ISO14443-B modulated memory tags,
624 * this command just dumps the contents of the memory/
625 */
626int CmdHF14BReadSri(const char *Cmd){
627 char cmdp = param_getchar(Cmd, 0);
628 if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') return usage_hf_14b_read_srx();
629
630 uint8_t tagtype = param_get8(Cmd, 0);
631 uint8_t blocks = (tagtype == 1) ? 0x7F : 0x0F;
632
633 UsbCommand c = {CMD_READ_SRI_TAG, {blocks, 0, 0}};
634 clearCommandBuffer();
635 SendCommand(&c);
636 return 0;
637}
638// New command to write a SRI512/SRIX4K tag.
639int CmdHF14BWriteSri(const char *Cmd){
3fe4ff4f 640/*
641 * For SRIX4K blocks 00 - 7F
642 * hf 14b raw -c -p 09 $srix4kwblock $srix4kwdata
643 *
644 * For SR512 blocks 00 - 0F
645 * hf 14b raw -c -p 09 $sr512wblock $sr512wdata
646 *
647 * Special block FF = otp_lock_reg block.
648 * Data len 4 bytes-
649 */
650 char cmdp = param_getchar(Cmd, 0);
651 uint8_t blockno = -1;
652 uint8_t data[4] = {0x00};
653 bool isSrix4k = true;
6fc68747 654 char str[30];
655 memset(str, 0x00, sizeof(str));
656
657 if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') return usage_hf_14b_write_srx();
3fe4ff4f 658
b5be31f9 659 if ( cmdp == '2' )
3fe4ff4f 660 isSrix4k = false;
661
b5be31f9 662 //blockno = param_get8(Cmd, 1);
663
6fc68747 664 if ( param_gethex(Cmd, 1, &blockno, 2) ) {
b5be31f9 665 PrintAndLog("Block number must include 2 HEX symbols");
666 return 0;
667 }
3fe4ff4f 668
669 if ( isSrix4k ){
670 if ( blockno > 0x7f && blockno != 0xff ){
671 PrintAndLog("Block number out of range");
672 return 0;
673 }
674 } else {
675 if ( blockno > 0x0f && blockno != 0xff ){
676 PrintAndLog("Block number out of range");
677 return 0;
678 }
679 }
680
681 if (param_gethex(Cmd, 2, data, 8)) {
682 PrintAndLog("Data must include 8 HEX symbols");
683 return 0;
684 }
685
6fc68747 686 if ( blockno == 0xff) {
687 PrintAndLog("[%s] Write special block %02X [ %s ]",
688 (isSrix4k) ? "SRIX4K":"SRI512",
689 blockno,
690 sprint_hex(data,4)
691 );
692 } else {
693 PrintAndLog("[%s] Write block %02X [ %s ]",
694 (isSrix4k) ? "SRIX4K":"SRI512",
695 blockno,
696 sprint_hex(data,4)
697 );
698 }
699
700 sprintf(str, "-ss -c %02x %02x %02x%02x%02x%02x", ISO14443B_WRITE_BLK, blockno, data[0], data[1], data[2], data[3]);
3fe4ff4f 701 CmdHF14BCmdRaw(str);
702 return 0;
703}
704
341fd1de 705uint32_t srix4kEncode(uint32_t value) {
5636ee8c 706/*
707// vv = value
708// pp = position
709// vv vv vv pp
7104 bytes : 00 1A 20 01
711*/
5636ee8c 712 // only the lower crumbs.
713 uint8_t block = (value & 0xFF);
714 uint8_t i = 0;
715 uint8_t valuebytes[] = {0,0,0};
716
5636ee8c 717 num_to_bytes(value, 3, valuebytes);
718
719 // Scrambled part
720 // Crumb swapping of value.
721 uint8_t temp[] = {0,0};
ff3e0744 722 temp[0] = (CRUMB(value, 22) << 4 | CRUMB(value, 14 ) << 2 | CRUMB(value, 6)) << 4;
723 temp[0] |= CRUMB(value, 20) << 4 | CRUMB(value, 12 ) << 2 | CRUMB(value, 4);
724 temp[1] = (CRUMB(value, 18) << 4 | CRUMB(value, 10 ) << 2 | CRUMB(value, 2)) << 4;
725 temp[1] |= CRUMB(value, 16) << 4 | CRUMB(value, 8 ) << 2 | CRUMB(value, 0);
5636ee8c 726
727 // chksum part
728 uint32_t chksum = 0xFF - block;
729
730 // chksum is reduced by each nibbles of value.
731 for (i = 0; i < 3; ++i){
ff3e0744 732 chksum -= NIBBLE_HIGH(valuebytes[i]);
733 chksum -= NIBBLE_LOW(valuebytes[i]);
5636ee8c 734 }
735
341fd1de 736 // base4 conversion and left shift twice
5636ee8c 737 i = 3;
738 uint8_t base4[] = {0,0,0,0};
739 while( chksum !=0 ){
740 base4[i--] = (chksum % 4 << 2);
741 chksum /= 4;
742 }
743
744 // merge scambled and chksum parts
745 uint32_t encvalue =
ff3e0744 746 ( NIBBLE_LOW ( base4[0]) << 28 ) |
747 ( NIBBLE_HIGH( temp[0]) << 24 ) |
5636ee8c 748
ff3e0744 749 ( NIBBLE_LOW ( base4[1]) << 20 ) |
750 ( NIBBLE_LOW ( temp[0]) << 16 ) |
5636ee8c 751
ff3e0744 752 ( NIBBLE_LOW ( base4[2]) << 12 ) |
753 ( NIBBLE_HIGH( temp[1]) << 8 ) |
5636ee8c 754
ff3e0744 755 ( NIBBLE_LOW ( base4[3]) << 4 ) |
756 NIBBLE_LOW ( temp[1] );
5636ee8c 757
341fd1de 758 PrintAndLog("ICE encoded | %08X -> %08X", value, encvalue);
759 return encvalue;
760}
761uint32_t srix4kDecode(uint32_t value) {
762 switch(value) {
763 case 0xC04F42C5: return 0x003139;
764 case 0xC1484807: return 0x002943;
765 case 0xC0C60848: return 0x001A20;
766 }
5636ee8c 767 return 0;
768}
341fd1de 769uint32_t srix4kDecodeCounter(uint32_t num) {
770 uint32_t value = ~num;
771 ++value;
772 return value;
773}
774
775uint32_t srix4kGetMagicbytes( uint64_t uid, uint32_t block6, uint32_t block18, uint32_t block19 ){
776#define MASK 0xFFFFFFFF;
777 uint32_t uid32 = uid & MASK;
778 uint32_t counter = srix4kDecodeCounter(block6);
779 uint32_t decodedBlock18 = srix4kDecode(block18);
780 uint32_t decodedBlock19 = srix4kDecode(block19);
781 uint32_t doubleBlock = (decodedBlock18 << 16 | decodedBlock19) + 1;
782
783 uint32_t result = (uid32 * doubleBlock * counter) & MASK;
784 PrintAndLog("Magic bytes | %08X", result);
785 return result;
786}
787int srix4kValid(const char *Cmd){
788
789 uint64_t uid = 0xD00202501A4532F9;
790 uint32_t block6 = 0xFFFFFFFF;
791 uint32_t block18 = 0xC04F42C5;
792 uint32_t block19 = 0xC1484807;
793 uint32_t block21 = 0xD1BCABA4;
794
795 uint32_t test_b18 = 0x00313918;
796 uint32_t test_b18_enc = srix4kEncode(test_b18);
797 //uint32_t test_b18_dec = srix4kDecode(test_b18_enc);
798 PrintAndLog("ENCODE & CHECKSUM | %08X -> %08X (%s)", test_b18, test_b18_enc , "");
799
800 uint32_t magic = srix4kGetMagicbytes(uid, block6, block18, block19);
801 PrintAndLog("BLOCK 21 | %08X -> %08X (no XOR)", block21, magic ^ block21);
5636ee8c 802 return 0;
803}
341fd1de 804
805int CmdteaSelfTest(const char *Cmd){
806
807 uint8_t v[8], v_le[8];
808 memset(v, 0x00, sizeof(v));
809 memset(v_le, 0x00, sizeof(v_le));
810 uint8_t* v_ptr = v_le;
811
812 uint8_t cmdlen = strlen(Cmd);
813 cmdlen = ( sizeof(v)<<2 < cmdlen ) ? sizeof(v)<<2 : cmdlen;
814
815 if ( param_gethex(Cmd, 0, v, cmdlen) > 0 ){
816 PrintAndLog("can't read hex chars, uneven? :: %u", cmdlen);
817 return 1;
818 }
819
820 SwapEndian64ex(v , 8, 4, v_ptr);
821
e994394a 822 // ENCRYPTION KEY:
ff3e0744 823 uint8_t key[16] = {0x55,0xFE,0xF6,0x30,0x62,0xBF,0x0B,0xC1,0xC9,0xB3,0x7C,0x34,0x97,0x3E,0x29,0xFB };
e994394a 824 uint8_t keyle[16];
825 uint8_t* key_ptr = keyle;
826 SwapEndian64ex(key , sizeof(key), 4, key_ptr);
341fd1de 827
e994394a 828 PrintAndLog("TEST LE enc| %s", sprint_hex(v_ptr, 8));
829
830 tea_decrypt(v_ptr, key_ptr);
831 PrintAndLog("TEST LE dec | %s", sprint_hex_ascii(v_ptr, 8));
832
833 tea_encrypt(v_ptr, key_ptr);
834 tea_encrypt(v_ptr, key_ptr);
835 PrintAndLog("TEST enc2 | %s", sprint_hex_ascii(v_ptr, 8));
341fd1de 836
5636ee8c 837 return 0;
838}
839
6fc68747 840bool waitCmd(bool verbose) {
841
842 bool crc = FALSE;
843 uint8_t b1 = 0, b2 = 0;
844 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
845 uint8_t status = 0;
846 uint16_t len = 0;
847 UsbCommand resp;
848
5de71ee6 849 if (WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
6fc68747 850
851 status = (resp.arg[0] & 0xFFFF);
852 if ( status > 0 ) return FALSE;
853
854 len = (resp.arg[1] & 0xFFFF);
855 memcpy(data, resp.d.asBytes, len);
856
857 if (verbose) {
858
859 ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2);
860 crc = ( data[len-2] == b1 && data[len-1] == b2);
861
862 PrintAndLog("[LEN %u] %s[%02X %02X] %s",
863 len,
864 sprint_hex(data, len-2),
865 data[len-2],
866 data[len-1],
867 (crc) ? "OK" : "FAIL"
868 );
869 }
870 return TRUE;
871 } else {
872 PrintAndLog("timeout while waiting for reply.");
873 return FALSE;
874 }
875}
876
e994394a 877static command_t CommandTable[] = {
22e24700 878 {"help", CmdHelp, 1, "This help"},
6de14cec 879 {"info", CmdHF14Binfo, 0, "Find and print details about a 14443B tag"},
880 {"list", CmdHF14BList, 0, "[Deprecated] List ISO 14443B history"},
6fc68747 881 {"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"},
6de14cec 882 {"reader", CmdHF14BReader, 0, "Act as a 14443B reader to identify a tag"},
883 {"sim", CmdHF14BSim, 0, "Fake ISO 14443B tag"},
884 {"snoop", CmdHF14BSnoop, 0, "Eavesdrop ISO 14443B"},
6fc68747 885 {"sriread", CmdHF14BReadSri, 0, "Read contents of a SRI512 | SRIX4K tag"},
886 {"sriwrite", CmdHF14BWriteSri, 0, "Write data to a SRI512 | SRIX4K tag"},
341fd1de 887 //{"valid", srix4kValid, 1, "srix4k checksum test"},
6fc68747 888 //{"valid", CmdteaSelfTest, 1, "tea test"},
22e24700 889 {NULL, NULL, 0, NULL}
7fe9b0b7 890};
891
e994394a 892int CmdHF14B(const char *Cmd) {
893 clearCommandBuffer();
22e24700 894 CmdsParse(CommandTable, Cmd);
895 return 0;
7fe9b0b7 896}
897
e994394a 898int CmdHelp(const char *Cmd) {
22e24700 899 CmdsHelp(CommandTable);
900 return 0;
7fe9b0b7 901}
Proxmark3 GIT tracking
Impressum, Datenschutz