]> git.zerfleddert.de Git - proxmark3-svn/blame_incremental - client/cmdhficlass.c
Merge pull request #1 from bforbort/master
[proxmark3-svn] / client / cmdhficlass.c
... / ...
CommitLineData
1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
3// Copyright (C) 2011 Gerhard de Koning Gans
4// Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende
5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
9//-----------------------------------------------------------------------------
10// High frequency iClass commands
11//-----------------------------------------------------------------------------
12
13#include <stdio.h>
14#include <stdlib.h>
15#include <string.h>
16#include <sys/stat.h>
17#include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
18#include "data.h"
19#include "proxmark3.h"
20#include "ui.h"
21#include "cmdparser.h"
22#include "cmdhficlass.h"
23#include "../include/common.h"
24#include "util.h"
25#include "cmdmain.h"
26#include "loclass/des.h"
27#include "loclass/cipherutils.h"
28#include "loclass/cipher.h"
29#include "loclass/ikeys.h"
30#include "loclass/elite_crack.h"
31#include "loclass/fileutils.h"
32
33static int CmdHelp(const char *Cmd);
34
35int xorbits_8(uint8_t val)
36{
37 uint8_t res = val ^ (val >> 1); //1st pass
38 res = res ^ (res >> 1); // 2nd pass
39 res = res ^ (res >> 2); // 3rd pass
40 res = res ^ (res >> 4); // 4th pass
41 return res & 1;
42}
43
44int CmdHFiClassList(const char *Cmd)
45{
46 bool ShowWaitCycles = false;
47 char param = param_getchar(Cmd, 0);
48
49 if (param != 0) {
50 PrintAndLog("List data in trace buffer.");
51 PrintAndLog("Usage: hf iclass list");
52 PrintAndLog("h - help");
53 PrintAndLog("sample: hf iclass list");
54 return 0;
55 }
56
57// for the time being. Need better Bigbuf handling.
58#define TRACE_SIZE 3000
59
60 uint8_t trace[TRACE_SIZE];
61 GetFromBigBuf(trace, TRACE_SIZE, 0);
62 WaitForResponse(CMD_ACK,NULL);
63
64 PrintAndLog("Recorded Activity");
65 PrintAndLog("");
66 PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
67 PrintAndLog("All times are in carrier periods (1/13.56Mhz)");
68 PrintAndLog("");
69 PrintAndLog(" Start | End | Src | Data (! denotes parity error) | CRC ");
70 PrintAndLog("-----------|-----------|-----|-----------------------------------------------------------------------");
71
72 uint16_t tracepos = 0;
73 uint16_t duration;
74 uint16_t data_len;
75 uint16_t parity_len;
76 bool isResponse;
77 uint32_t timestamp;
78 uint32_t first_timestamp;
79 uint32_t EndOfTransmissionTimestamp;
80
81 for (;;) {
82
83 if(tracepos >= TRACE_SIZE) {
84 break;
85 }
86
87 timestamp = *((uint32_t *)(trace + tracepos));
88 if(tracepos == 0) {
89 first_timestamp = timestamp;
90 }
91
92 // Break and stick with current result if buffer was not completely full
93 if (timestamp == 0x44444444) break;
94
95 tracepos += 4;
96 duration = *((uint16_t *)(trace + tracepos));
97 tracepos += 2;
98 data_len = *((uint16_t *)(trace + tracepos));
99 tracepos += 2;
100
101 if (data_len & 0x8000) {
102 data_len &= 0x7fff;
103 isResponse = true;
104 } else {
105 isResponse = false;
106 }
107
108 parity_len = (data_len-1)/8 + 1;
109
110 if (tracepos + data_len + parity_len >= TRACE_SIZE) {
111 break;
112 }
113
114 uint8_t *frame = trace + tracepos;
115 tracepos += data_len;
116 uint8_t *parityBytes = trace + tracepos;
117 tracepos += parity_len;
118
119 char line[16][110];
120 for (int j = 0; j < data_len; j++) {
121 int oddparity = 0x01;
122 int k;
123
124 for (k=0;k<8;k++) {
125 oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
126 }
127
128 uint8_t parityBits = parityBytes[j>>3];
129 if (isResponse && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) {
130 sprintf(line[j/16]+((j%16)*4), "%02x! ", frame[j]);
131 } else {
132 sprintf(line[j/16]+((j%16)*4), "%02x ", frame[j]);
133 }
134
135 }
136
137 char *crc = "";
138 if (data_len > 2) {
139 uint8_t b1, b2;
140 if(!isResponse && data_len == 4 ) {
141 // Rough guess that this is a command from the reader
142 // For iClass the command byte is not part of the CRC
143 ComputeCrc14443(CRC_ICLASS, &frame[1], data_len-3, &b1, &b2);
144 if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
145 crc = "!crc";
146 }
147 }
148 else {
149 // For other data.. CRC might not be applicable (UPDATE commands etc.)
150 ComputeCrc14443(CRC_ICLASS, frame, data_len-2, &b1, &b2);
151 if (b1 != frame[data_len-2] || b2 != frame[data_len-1]) {
152 crc = "!crc";
153 }
154 }
155 }
156
157 EndOfTransmissionTimestamp = timestamp + duration;
158
159 int num_lines = (data_len - 1)/16 + 1;
160 for (int j = 0; j < num_lines; j++) {
161 if (j == 0) {
162 PrintAndLog(" %9d | %9d | %s | %-64s| %s",
163 (timestamp - first_timestamp),
164 (EndOfTransmissionTimestamp - first_timestamp),
165 (isResponse ? "Tag" : "Rdr"),
166 line[j],
167 (j == num_lines-1)?crc:"");
168 } else {
169 PrintAndLog(" | | | %-64s| %s",
170 line[j],
171 (j == num_lines-1)?crc:"");
172 }
173 }
174
175 bool next_isResponse = *((uint16_t *)(trace + tracepos + 6)) & 0x8000;
176
177 if (ShowWaitCycles && !isResponse && next_isResponse) {
178 uint32_t next_timestamp = *((uint32_t *)(trace + tracepos));
179 if (next_timestamp != 0x44444444) {
180 PrintAndLog(" %9d | %9d | %s | fdt (Frame Delay Time): %d",
181 (EndOfTransmissionTimestamp - first_timestamp),
182 (next_timestamp - first_timestamp),
183 " ",
184 (next_timestamp - EndOfTransmissionTimestamp));
185 }
186 }
187
188 }
189
190 return 0;
191}
192
193int CmdHFiClassSnoop(const char *Cmd)
194{
195 UsbCommand c = {CMD_SNOOP_ICLASS};
196 SendCommand(&c);
197 return 0;
198}
199#define NUM_CSNS 15
200int CmdHFiClassSim(const char *Cmd)
201{
202 uint8_t simType = 0;
203 uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
204
205 if (strlen(Cmd)<1) {
206 PrintAndLog("Usage: hf iclass sim [0 <CSN>] | x");
207 PrintAndLog(" options");
208 PrintAndLog(" 0 <CSN> simulate the given CSN");
209 PrintAndLog(" 1 simulate default CSN");
210 PrintAndLog(" 2 iterate CSNs, gather MACs");
211 PrintAndLog(" sample: hf iclass sim 0 031FEC8AF7FF12E0");
212 PrintAndLog(" sample: hf iclass sim 2");
213 return 0;
214 }
215
216 simType = param_get8(Cmd, 0);
217
218 if(simType == 0)
219 {
220 if (param_gethex(Cmd, 1, CSN, 16)) {
221 PrintAndLog("A CSN should consist of 16 HEX symbols");
222 return 1;
223 }
224 PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));
225
226 }
227 if(simType > 2)
228 {
229 PrintAndLog("Undefined simptype %d", simType);
230 return 1;
231 }
232 uint8_t numberOfCSNs=0;
233
234 if(simType == 2)
235 {
236 UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
237 UsbCommand resp = {0};
238
239 /*uint8_t csns[8 * NUM_CSNS] = {
240 0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
241 0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
242 0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
243 0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0 ,
244 0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0 ,
245 0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
246 0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
247 0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
248*/
249
250 uint8_t csns[8*NUM_CSNS] = {
251 0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
252 0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
253 0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
254 0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
255 0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
256 0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
257 0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
258 0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
259 0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
260 0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
261 0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
262 0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
263 0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
264 0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
265 0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
266
267 memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
268
269 SendCommand(&c);
270 if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
271 PrintAndLog("Command timed out");
272 return 0;
273 }
274
275 uint8_t num_mac_responses = resp.arg[1];
276 PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses, NUM_CSNS);
277
278 size_t datalen = NUM_CSNS*24;
279 /*
280 * Now, time to dump to file. We'll use this format:
281 * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
282 * So, it should wind up as
283 * 8 * 24 bytes.
284 *
285 * The returndata from the pm3 is on the following format
286 * <4 byte NR><4 byte MAC>
287 * CC are all zeroes, CSN is the same as was sent in
288 **/
289 void* dump = malloc(datalen);
290 memset(dump,0,datalen);//<-- Need zeroes for the CC-field
291 uint8_t i = 0;
292 for(i = 0 ; i < NUM_CSNS ; i++)
293 {
294 memcpy(dump+i*24, csns+i*8,8); //CSN
295 //8 zero bytes here...
296 //Then comes NR_MAC (eight bytes from the response)
297 memcpy(dump+i*24+16,resp.d.asBytes+i*8,8);
298
299 }
300 /** Now, save to dumpfile **/
301 saveFile("iclass_mac_attack", "bin", dump,datalen);
302 free(dump);
303 }else
304 {
305 UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
306 memcpy(c.d.asBytes, CSN, 8);
307 SendCommand(&c);
308 }
309
310 return 0;
311}
312
313int CmdHFiClassReader(const char *Cmd)
314{
315 UsbCommand c = {CMD_READER_ICLASS, {0}};
316 SendCommand(&c);
317 UsbCommand resp;
318 while(!ukbhit()){
319 if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
320 uint8_t isOK = resp.arg[0] & 0xff;
321 uint8_t * data = resp.d.asBytes;
322
323 PrintAndLog("isOk:%02x", isOK);
324
325 if(isOK > 0)
326 {
327 PrintAndLog("CSN: %s",sprint_hex(data,8));
328 }
329 if(isOK >= 1)
330 {
331 PrintAndLog("CC: %s",sprint_hex(data+8,8));
332 }else{
333 PrintAndLog("No CC obtained");
334 }
335 } else {
336 PrintAndLog("Command execute timeout");
337 }
338 }
339
340 return 0;
341}
342
343int CmdHFiClassReader_Replay(const char *Cmd)
344{
345 uint8_t readerType = 0;
346 uint8_t MAC[4]={0x00, 0x00, 0x00, 0x00};
347
348 if (strlen(Cmd)<1) {
349 PrintAndLog("Usage: hf iclass replay <MAC>");
350 PrintAndLog(" sample: hf iclass replay 00112233");
351 return 0;
352 }
353
354 if (param_gethex(Cmd, 0, MAC, 8)) {
355 PrintAndLog("MAC must include 8 HEX symbols");
356 return 1;
357 }
358
359 UsbCommand c = {CMD_READER_ICLASS_REPLAY, {readerType}};
360 memcpy(c.d.asBytes, MAC, 4);
361 SendCommand(&c);
362
363 return 0;
364}
365
366int CmdHFiClassReader_Dump(const char *Cmd)
367{
368 uint8_t readerType = 0;
369 uint8_t MAC[4]={0x00,0x00,0x00,0x00};
370 uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
371 uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
372 uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
373 //uint8_t CC_temp[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
374 uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
375 uint8_t keytable[128] = {0};
376 int elite = 0;
377 uint8_t *used_key;
378 int i;
379 if (strlen(Cmd)<1)
380 {
381 PrintAndLog("Usage: hf iclass dump <Key> [e]");
382 PrintAndLog(" Key - A 16 byte master key");
383 PrintAndLog(" e - If 'e' is specified, the key is interpreted as the 16 byte");
384 PrintAndLog(" Custom Key (KCus), which can be obtained via reader-attack");
385 PrintAndLog(" See 'hf iclass sim 2'. This key should be on iclass-format");
386 PrintAndLog(" sample: hf iclass dump 0011223344556677");
387
388
389 return 0;
390 }
391
392 if (param_gethex(Cmd, 0, KEY, 16))
393 {
394 PrintAndLog("KEY must include 16 HEX symbols");
395 return 1;
396 }
397
398 if (param_getchar(Cmd, 1) == 'e')
399 {
400 PrintAndLog("Elite switch on");
401 elite = 1;
402
403 //calc h2
404 hash2(KEY, keytable);
405 printarr_human_readable("keytable", keytable, 128);
406
407 }
408
409 UsbCommand resp;
410 uint8_t key_sel[8] = {0};
411 uint8_t key_sel_p[8] = { 0 };
412
413 //HACK -- Below is for testing without access to a tag
414 uint8_t fake_dummy_test = false;
415 if(fake_dummy_test)
416 {
417 uint8_t xdata[16] = {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0, //CSN from http://www.proxmark.org/forum/viewtopic.php?pid=11230#p11230
418 0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Just a random CC. Would be good to add a real testcase here
419 memcpy(resp.d.asBytes,xdata, 16);
420 resp.arg[0] = 2;
421 }
422
423 //End hack
424
425
426 UsbCommand c = {CMD_READER_ICLASS, {0}};
427 c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE;
428 if(!fake_dummy_test)
429 SendCommand(&c);
430
431
432
433 if (fake_dummy_test || WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
434 uint8_t isOK = resp.arg[0] & 0xff;
435 uint8_t * data = resp.d.asBytes;
436
437 memcpy(CSN,data,8);
438 memcpy(CCNR,data+8,8);
439
440 PrintAndLog("isOk:%02x", isOK);
441
442 if(isOK > 0)
443 {
444 PrintAndLog("CSN: %s",sprint_hex(CSN,8));
445 }
446 if(isOK > 1)
447 {
448 if(elite)
449 {
450 //Get the key index (hash1)
451 uint8_t key_index[8] = {0};
452
453 hash1(CSN, key_index);
454 printvar("hash1", key_index,8);
455 for(i = 0; i < 8 ; i++)
456 key_sel[i] = keytable[key_index[i]] & 0xFF;
457 PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:");
458 printvar("k_sel", key_sel,8);
459 //Permute from iclass format to standard format
460 permutekey_rev(key_sel,key_sel_p);
461 used_key = key_sel_p;
462 }else{
463 //Perhaps this should also be permuted to std format?
464 // Something like the code below? I have no std system
465 // to test this with /Martin
466
467 //uint8_t key_sel_p[8] = { 0 };
468 //permutekey_rev(KEY,key_sel_p);
469 //used_key = key_sel_p;
470
471 used_key = KEY;
472
473 }
474
475 PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:");
476 printvar("Used key",used_key,8);
477 diversifyKey(CSN,used_key, div_key);
478 PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):");
479 printvar("Div key", div_key, 8);
480 printvar("CC_NR:",CCNR,12);
481 doMAC(CCNR,12,div_key, MAC);
482 printvar("MAC", MAC, 4);
483
484 UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}};
485 memcpy(d.d.asBytes, MAC, 4);
486 if(!fake_dummy_test) SendCommand(&d);
487
488 }else{
489 PrintAndLog("Failed to obtain CC! Aborting");
490 }
491 } else {
492 PrintAndLog("Command execute timeout");
493 }
494
495 return 0;
496}
497
498int CmdHFiClass_iso14443A_write(const char *Cmd)
499{
500 uint8_t readerType = 0;
501 uint8_t MAC[4]={0x00,0x00,0x00,0x00};
502 uint8_t KEY[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
503 uint8_t CSN[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
504 uint8_t CCNR[12]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
505 uint8_t div_key[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
506
507 uint8_t blockNo=0;
508 uint8_t bldata[8]={0};
509
510 if (strlen(Cmd)<3)
511 {
512 PrintAndLog("Usage: hf iclass write <Key> <Block> <Data>");
513 PrintAndLog(" sample: hf iclass write 0011223344556677 10 AAAAAAAAAAAAAAAA");
514 return 0;
515 }
516
517 if (param_gethex(Cmd, 0, KEY, 16))
518 {
519 PrintAndLog("KEY must include 16 HEX symbols");
520 return 1;
521 }
522
523 blockNo = param_get8(Cmd, 1);
524 if (blockNo>32)
525 {
526 PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!");
527 return 1;
528 }
529 if (param_gethex(Cmd, 2, bldata, 8))
530 {
531 PrintAndLog("Block data must include 8 HEX symbols");
532 return 1;
533 }
534
535 UsbCommand c = {CMD_ICLASS_ISO14443A_WRITE, {0}};
536 SendCommand(&c);
537 UsbCommand resp;
538
539 if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
540 uint8_t isOK = resp.arg[0] & 0xff;
541 uint8_t * data = resp.d.asBytes;
542
543 memcpy(CSN,data,8);
544 memcpy(CCNR,data+8,8);
545 PrintAndLog("DEBUG: %s",sprint_hex(CSN,8));
546 PrintAndLog("DEBUG: %s",sprint_hex(CCNR,8));
547 PrintAndLog("isOk:%02x", isOK);
548 } else {
549 PrintAndLog("Command execute timeout");
550 }
551
552 diversifyKey(CSN,KEY, div_key);
553
554 PrintAndLog("Div Key: %s",sprint_hex(div_key,8));
555 doMAC(CCNR, 12,div_key, MAC);
556
557 UsbCommand c2 = {CMD_ICLASS_ISO14443A_WRITE, {readerType,blockNo}};
558 memcpy(c2.d.asBytes, bldata, 8);
559 memcpy(c2.d.asBytes+8, MAC, 4);
560 SendCommand(&c2);
561
562 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
563 uint8_t isOK = resp.arg[0] & 0xff;
564 uint8_t * data = resp.d.asBytes;
565
566 if (isOK)
567 PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 4));
568 else
569 PrintAndLog("isOk:%02x", isOK);
570 } else {
571 PrintAndLog("Command execute timeout");
572 }
573 return 0;
574}
575
576
577static command_t CommandTable[] =
578{
579 {"help", CmdHelp, 1, "This help"},
580 {"list", CmdHFiClassList, 0, "List iClass history"},
581 {"snoop", CmdHFiClassSnoop, 0, "Eavesdrop iClass communication"},
582 {"sim", CmdHFiClassSim, 0, "Simulate iClass tag"},
583 {"reader",CmdHFiClassReader, 0, "Read an iClass tag"},
584 {"replay",CmdHFiClassReader_Replay, 0, "Read an iClass tag via Reply Attack"},
585 {"dump", CmdHFiClassReader_Dump, 0, "Authenticate and Dump iClass tag"},
586 {"write", CmdHFiClass_iso14443A_write, 0, "Authenticate and Write iClass block"},
587 {"replay", CmdHFiClassReader_Replay, 0, "Read an iClass tag via Reply Attack"},
588 {"dump", CmdHFiClassReader_Dump, 0, "Authenticate and Dump iClass tag"},
589 {"write", CmdHFiClass_iso14443A_write, 0, "Authenticate and Write iClass block"},
590 {NULL, NULL, 0, NULL}
591};
592
593int CmdHFiClass(const char *Cmd)
594{
595 CmdsParse(CommandTable, Cmd);
596 return 0;
597}
598
599int CmdHelp(const char *Cmd)
600{
601 CmdsHelp(CommandTable);
602 return 0;
603}
Impressum, Datenschutz