]>
Commit | Line | Data |
---|---|---|
db09cb3a | 1 | //----------------------------------------------------------------------------- |
2 | // Copyright (C) 2012 Roel Verdult | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // Low frequency Hitag support | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include <stdio.h> | |
12 | #include <stdlib.h> | |
13 | #include <string.h> | |
14 | #include "data.h" | |
902cb3c0 | 15 | #include "proxmark3.h" |
db09cb3a | 16 | #include "ui.h" |
17 | #include "cmdparser.h" | |
18 | #include "common.h" | |
19 | #include "util.h" | |
1f065e1d | 20 | #include "parity.h" |
db09cb3a | 21 | #include "hitag2.h" |
4e12287d | 22 | #include "hitagS.h" |
902cb3c0 | 23 | #include "cmdmain.h" |
db09cb3a | 24 | |
25 | static int CmdHelp(const char *Cmd); | |
26 | ||
47e18126 | 27 | size_t nbytes(size_t nbits) { |
28 | return (nbits/8)+((nbits%8)>0); | |
29 | } | |
30 | ||
db09cb3a | 31 | int CmdLFHitagList(const char *Cmd) |
32 | { | |
f71f4deb | 33 | uint8_t *got = malloc(USB_CMD_DATA_SIZE); |
34 | ||
35 | // Query for the actual size of the trace | |
36 | UsbCommand response; | |
37 | GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0); | |
38 | WaitForResponse(CMD_ACK, &response); | |
39 | uint16_t traceLen = response.arg[2]; | |
40 | if (traceLen > USB_CMD_DATA_SIZE) { | |
41 | uint8_t *p = realloc(got, traceLen); | |
42 | if (p == NULL) { | |
43 | PrintAndLog("Cannot allocate memory for trace"); | |
44 | free(got); | |
45 | return 2; | |
46 | } | |
47 | got = p; | |
48 | GetFromBigBuf(got, traceLen, 0); | |
49 | WaitForResponse(CMD_ACK,NULL); | |
50 | } | |
51 | ||
52 | PrintAndLog("recorded activity (TraceLen = %d bytes):"); | |
53 | PrintAndLog(" ETU :nbits: who bytes"); | |
54 | PrintAndLog("---------+-----+----+-----------"); | |
db09cb3a | 55 | |
f71f4deb | 56 | int i = 0; |
57 | int prev = -1; | |
58 | int len = strlen(Cmd); | |
b915fda3 | 59 | |
f71f4deb | 60 | char filename[FILE_PATH_SIZE] = { 0x00 }; |
61 | FILE* pf = NULL; | |
b915fda3 | 62 | |
f71f4deb | 63 | if (len > FILE_PATH_SIZE) |
64 | len = FILE_PATH_SIZE; | |
65 | memcpy(filename, Cmd, len); | |
b915fda3 | 66 | |
f71f4deb | 67 | if (strlen(filename) > 0) { |
68 | if ((pf = fopen(filename,"wb")) == NULL) { | |
69 | PrintAndLog("Error: Could not open file [%s]",filename); | |
70 | return 1; | |
71 | } | |
b915fda3 | 72 | } |
db09cb3a | 73 | |
f71f4deb | 74 | for (;;) { |
b915fda3 | 75 | |
f71f4deb | 76 | if(i > traceLen) { break; } |
77 | ||
78 | bool isResponse; | |
79 | int timestamp = *((uint32_t *)(got+i)); | |
80 | if (timestamp & 0x80000000) { | |
81 | timestamp &= 0x7fffffff; | |
82 | isResponse = 1; | |
83 | } else { | |
84 | isResponse = 0; | |
85 | } | |
86 | ||
87 | int parityBits = *((uint32_t *)(got+i+4)); | |
88 | // 4 bytes of additional information... | |
89 | // maximum of 32 additional parity bit information | |
90 | // | |
91 | // TODO: | |
92 | // at each quarter bit period we can send power level (16 levels) | |
93 | // or each half bit period in 256 levels. | |
94 | ||
95 | int bits = got[i+8]; | |
96 | int len = nbytes(got[i+8]); | |
97 | ||
98 | if (len > 100) { | |
99 | break; | |
100 | } | |
101 | if (i + len > traceLen) { break;} | |
102 | ||
103 | uint8_t *frame = (got+i+9); | |
104 | ||
105 | // Break and stick with current result if buffer was not completely full | |
106 | if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; } | |
107 | ||
108 | char line[1000] = ""; | |
109 | int j; | |
110 | for (j = 0; j < len; j++) { | |
f71f4deb | 111 | |
112 | //if((parityBits >> (len - j - 1)) & 0x01) { | |
1f065e1d | 113 | if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) { |
f71f4deb | 114 | sprintf(line+(j*4), "%02x! ", frame[j]); |
115 | } | |
116 | else { | |
117 | sprintf(line+(j*4), "%02x ", frame[j]); | |
118 | } | |
119 | } | |
120 | ||
121 | PrintAndLog(" +%7d: %3d: %s %s", | |
122 | (prev < 0 ? 0 : (timestamp - prev)), | |
123 | bits, | |
124 | (isResponse ? "TAG" : " "), | |
125 | line); | |
126 | ||
127 | if (pf) { | |
128 | fprintf(pf," +%7d: %3d: %s %s\n", | |
129 | (prev < 0 ? 0 : (timestamp - prev)), | |
130 | bits, | |
131 | (isResponse ? "TAG" : " "), | |
132 | line); | |
133 | } | |
134 | ||
135 | prev = timestamp; | |
136 | i += (len + 9); | |
137 | } | |
2d495a81 | 138 | |
f71f4deb | 139 | if (pf) { |
140 | fclose(pf); | |
141 | PrintAndLog("Recorded activity succesfully written to file: %s", filename); | |
142 | } | |
97d582a6 | 143 | |
f71f4deb | 144 | free(got); |
145 | return 0; | |
db09cb3a | 146 | } |
147 | ||
148 | int CmdLFHitagSnoop(const char *Cmd) { | |
149 | UsbCommand c = {CMD_SNOOP_HITAG}; | |
150 | SendCommand(&c); | |
151 | return 0; | |
152 | } | |
153 | ||
154 | int CmdLFHitagSim(const char *Cmd) { | |
b915fda3 | 155 | |
db09cb3a | 156 | UsbCommand c = {CMD_SIMULATE_HITAG}; |
b915fda3 | 157 | char filename[FILE_PATH_SIZE] = { 0x00 }; |
db09cb3a | 158 | FILE* pf; |
159 | bool tag_mem_supplied; | |
b915fda3 | 160 | int len = strlen(Cmd); |
161 | if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; | |
162 | memcpy(filename, Cmd, len); | |
db09cb3a | 163 | |
164 | if (strlen(filename) > 0) { | |
165 | if ((pf = fopen(filename,"rb+")) == NULL) { | |
166 | PrintAndLog("Error: Could not open file [%s]",filename); | |
167 | return 1; | |
168 | } | |
169 | tag_mem_supplied = true; | |
759c16b3 | 170 | if (fread(c.d.asBytes,48,1,pf) == 0) { |
171 | PrintAndLog("Error: File reading error"); | |
90e278d3 | 172 | fclose(pf); |
759c16b3 | 173 | return 1; |
174 | } | |
db09cb3a | 175 | fclose(pf); |
176 | } else { | |
177 | tag_mem_supplied = false; | |
178 | } | |
179 | ||
180 | // Does the tag comes with memory | |
181 | c.arg[0] = (uint32_t)tag_mem_supplied; | |
182 | ||
183 | SendCommand(&c); | |
184 | return 0; | |
185 | } | |
186 | ||
187 | int CmdLFHitagReader(const char *Cmd) { | |
db09cb3a | 188 | UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}}; |
189 | hitag_data* htd = (hitag_data*)c.d.asBytes; | |
190 | hitag_function htf = param_get32ex(Cmd,0,0,10); | |
191 | ||
192 | switch (htf) { | |
4e12287d RS |
193 | case 01: { //RHTSF_CHALLENGE |
194 | c = (UsbCommand){ CMD_READ_HITAG_S }; | |
195 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr); | |
196 | num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); | |
197 | } break; | |
198 | case 02: { //RHTSF_KEY | |
199 | c = (UsbCommand){ CMD_READ_HITAG_S }; | |
200 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); | |
201 | } break; | |
db09cb3a | 202 | case RHT2F_PASSWORD: { |
203 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password); | |
204 | } break; | |
205 | case RHT2F_AUTHENTICATE: { | |
206 | num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr); | |
207 | num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); | |
208 | } break; | |
bde10a50 | 209 | case RHT2F_CRYPTO: { |
210 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); | |
f86d6b55 | 211 | // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4); |
bde10a50 | 212 | } break; |
db09cb3a | 213 | case RHT2F_TEST_AUTH_ATTEMPTS: { |
214 | // No additional parameters needed | |
215 | } break; | |
f86d6b55 | 216 | case RHT2F_UID_ONLY: { |
217 | // No additional parameters needed | |
218 | } break; | |
db09cb3a | 219 | default: { |
f86d6b55 | 220 | PrintAndLog("\nError: unkown reader function %d",htf); |
221 | PrintAndLog(""); | |
222 | PrintAndLog("Usage: hitag reader <Reader Function #>"); | |
223 | PrintAndLog("Reader Functions:"); | |
ab4da50d | 224 | PrintAndLog(" HitagS (0*)"); |
4e12287d RS |
225 | PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag"); |
226 | PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag"); | |
ab4da50d | 227 | PrintAndLog(" Hitag1 (1*)"); |
228 | PrintAndLog(" Hitag2 (2*)"); | |
229 | PrintAndLog(" 21 <password> (password mode)"); | |
230 | PrintAndLog(" 22 <nr> <ar> (authentication)"); | |
231 | PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low"); | |
232 | PrintAndLog(" 25 (test recorded authentications)"); | |
f86d6b55 | 233 | PrintAndLog(" 26 just read UID"); |
db09cb3a | 234 | return 1; |
235 | } break; | |
236 | } | |
237 | ||
238 | // Copy the hitag2 function into the first argument | |
239 | c.arg[0] = htf; | |
240 | ||
f86d6b55 | 241 | // Send the command to the proxmark |
217cfb6b | 242 | clearCommandBuffer(); |
f86d6b55 | 243 | SendCommand(&c); |
ab4da50d | 244 | |
f86d6b55 | 245 | UsbCommand resp; |
246 | WaitForResponse(CMD_ACK,&resp); | |
247 | ||
248 | // Check the return status, stored in the first argument | |
249 | if (resp.arg[0] == false) return 1; | |
250 | ||
251 | uint32_t id = bytes_to_num(resp.d.asBytes,4); | |
252 | ||
253 | if (htf == RHT2F_UID_ONLY){ | |
254 | PrintAndLog("Valid Hitag2 tag found - UID: %08x",id); | |
255 | } else { | |
256 | char filename[256]; | |
257 | FILE* pf = NULL; | |
258 | ||
259 | sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff)); | |
260 | if ((pf = fopen(filename,"wb")) == NULL) { | |
261 | PrintAndLog("Error: Could not open file [%s]",filename); | |
262 | return 1; | |
263 | } | |
264 | ||
265 | // Write the 48 tag memory bytes to file and finalize | |
266 | fwrite(resp.d.asBytes,1,48,pf); | |
267 | fclose(pf); | |
268 | ||
269 | PrintAndLog("Succesfully saved tag memory to [%s]",filename); | |
270 | } | |
271 | ||
272 | ||
273 | return 0; | |
db09cb3a | 274 | } |
275 | ||
4e12287d RS |
276 | |
277 | int CmdLFHitagSimS(const char *Cmd) { | |
278 | UsbCommand c = { CMD_SIMULATE_HITAG_S }; | |
279 | char filename[FILE_PATH_SIZE] = { 0x00 }; | |
280 | FILE* pf; | |
281 | bool tag_mem_supplied; | |
282 | int len = strlen(Cmd); | |
283 | if (len > FILE_PATH_SIZE) | |
284 | len = FILE_PATH_SIZE; | |
285 | memcpy(filename, Cmd, len); | |
286 | ||
287 | if (strlen(filename) > 0) { | |
288 | if ((pf = fopen(filename, "rb+")) == NULL) { | |
289 | PrintAndLog("Error: Could not open file [%s]", filename); | |
290 | return 1; | |
291 | } | |
292 | tag_mem_supplied = true; | |
293 | if (fread(c.d.asBytes, 4*64, 1, pf) == 0) { | |
294 | PrintAndLog("Error: File reading error"); | |
295 | fclose(pf); | |
296 | return 1; | |
297 | } | |
298 | fclose(pf); | |
299 | } else { | |
300 | tag_mem_supplied = false; | |
301 | } | |
302 | ||
303 | // Does the tag comes with memory | |
304 | c.arg[0] = (uint32_t) tag_mem_supplied; | |
305 | ||
306 | SendCommand(&c); | |
307 | return 0; | |
308 | } | |
309 | ||
310 | int CmdLFHitagCheckChallenges(const char *Cmd) { | |
311 | UsbCommand c = { CMD_TEST_HITAGS_TRACES }; | |
312 | char filename[FILE_PATH_SIZE] = { 0x00 }; | |
313 | FILE* pf; | |
314 | bool file_given; | |
315 | int len = strlen(Cmd); | |
316 | if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; | |
317 | memcpy(filename, Cmd, len); | |
318 | ||
319 | if (strlen(filename) > 0) { | |
320 | if ((pf = fopen(filename,"rb+")) == NULL) { | |
321 | PrintAndLog("Error: Could not open file [%s]",filename); | |
322 | return 1; | |
323 | } | |
324 | file_given = true; | |
325 | if (fread(c.d.asBytes,8*60,1,pf) == 0) { | |
326 | PrintAndLog("Error: File reading error"); | |
327 | fclose(pf); | |
328 | return 1; | |
329 | } | |
330 | fclose(pf); | |
331 | } else { | |
332 | file_given = false; | |
333 | } | |
334 | ||
335 | //file with all the challenges to try | |
336 | c.arg[0] = (uint32_t)file_given; | |
337 | ||
338 | SendCommand(&c); | |
339 | return 0; | |
340 | } | |
341 | ||
342 | ||
343 | int CmdLFHitagWP(const char *Cmd) { | |
344 | UsbCommand c = { CMD_WR_HITAG_S }; | |
345 | hitag_data* htd = (hitag_data*)c.d.asBytes; | |
346 | hitag_function htf = param_get32ex(Cmd,0,0,10); | |
347 | switch (htf) { | |
348 | case 03: { //WHTSF_CHALLENGE | |
349 | num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr); | |
350 | c.arg[2]= param_get32ex(Cmd, 2, 0, 10); | |
351 | num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data); | |
352 | } break; | |
52244230 HJ |
353 | case 04: |
354 | case 24: | |
355 | { //WHTSF_KEY | |
4e12287d RS |
356 | num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key); |
357 | c.arg[2]= param_get32ex(Cmd, 2, 0, 10); | |
358 | num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data); | |
359 | ||
360 | } break; | |
361 | default: { | |
362 | PrintAndLog("Error: unkown writer function %d",htf); | |
363 | PrintAndLog("Hitag writer functions"); | |
364 | PrintAndLog(" HitagS (0*)"); | |
365 | PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag"); | |
366 | PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag"); | |
367 | PrintAndLog(" Hitag1 (1*)"); | |
368 | PrintAndLog(" Hitag2 (2*)"); | |
52244230 | 369 | PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag"); |
4e12287d RS |
370 | return 1; |
371 | } break; | |
372 | } | |
373 | // Copy the hitag function into the first argument | |
374 | c.arg[0] = htf; | |
375 | ||
376 | // Send the command to the proxmark | |
377 | SendCommand(&c); | |
378 | ||
379 | UsbCommand resp; | |
380 | WaitForResponse(CMD_ACK,&resp); | |
381 | ||
382 | // Check the return status, stored in the first argument | |
383 | if (resp.arg[0] == false) return 1; | |
384 | return 0; | |
385 | } | |
386 | ||
387 | ||
3fe4ff4f | 388 | static command_t CommandTable[] = |
db09cb3a | 389 | { |
4e12287d RS |
390 | {"help", CmdHelp, 1, "This help"}, |
391 | {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"}, | |
392 | {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"}, | |
393 | {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"}, | |
394 | {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"}, | |
395 | {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" }, | |
396 | {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" }, | |
397 | {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> test all challenges" }, { | |
398 | NULL,NULL, 0, NULL } | |
db09cb3a | 399 | }; |
400 | ||
401 | int CmdLFHitag(const char *Cmd) | |
402 | { | |
3fe4ff4f | 403 | CmdsParse(CommandTable, Cmd); |
db09cb3a | 404 | return 0; |
405 | } | |
406 | ||
407 | int CmdHelp(const char *Cmd) | |
408 | { | |
3fe4ff4f | 409 | CmdsHelp(CommandTable); |
db09cb3a | 410 | return 0; |
411 | } |