1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
10 //-----------------------------------------------------------------------------
11 // Routines to support iClass.
12 //-----------------------------------------------------------------------------
13 // Based on ISO14443a implementation. Still in experimental phase.
14 // Contribution made during a security research at Radboud University Nijmegen
16 // Please feel free to contribute and extend iClass support!!
17 //-----------------------------------------------------------------------------
21 // We still have sometimes a demodulation error when snooping iClass communication.
22 // The resulting trace of a read-block-03 command may look something like this:
24 // + 22279: : 0c 03 e8 01
26 // ...with an incorrect answer...
28 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
30 // We still left the error signalling bytes in the traces like 0xbb
32 // A correct trace should look like this:
34 // + 21112: : 0c 03 e8 01
35 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
37 //-----------------------------------------------------------------------------
41 #include "proxmark3.h"
48 #include "iso14443a.h"
50 // Needed for CRC in emulation mode;
51 // same construction as in ISO 14443;
52 // different initial value (CRC_ICLASS)
53 #include "iso14443crc.h"
54 #include "iso15693tools.h"
55 #include "protocols.h"
56 #include "optimized_cipher.h"
57 #include "usb_cdc.h" // for usb_poll_validate_length
58 #include "fpgaloader.h"
60 // iCLASS has a slightly different timing compared to ISO15693. According to the picopass data sheet the tag response is expected 330us after
61 // the reader command. This is measured from end of reader EOF to first modulation of the tag's SOF which starts with a 56,64us unmodulated period.
62 // 330us = 140 ssp_clk cycles @ 423,75kHz when simulating.
63 // 56,64us = 24 ssp_clk_cycles
64 #define DELAY_ICLASS_VCD_TO_VICC_SIM (140 - 24)
65 // times in ssp_clk_cycles @ 3,3625MHz when acting as reader
66 #define DELAY_ICLASS_VICC_TO_VCD_READER DELAY_ISO15693_VICC_TO_VCD_READER
67 // times in samples @ 212kHz when acting as reader
68 #define ICLASS_READER_TIMEOUT_ACTALL 330 // 1558us, nominal 330us + 7slots*160us = 1450us
69 #define ICLASS_READER_TIMEOUT_UPDATE 3390 // 16000us, nominal 4-15ms
70 #define ICLASS_READER_TIMEOUT_OTHERS 80 // 380us, nominal 330us
72 #define ICLASS_BUFFER_SIZE 34 // we expect max 34 bytes as tag answer (response to READ4)
75 //=============================================================================
76 // A `sniffer' for iClass communication
77 // Both sides of communication!
78 //=============================================================================
79 void SnoopIClass(uint8_t jam_search_len
, uint8_t *jam_search_string
) {
80 SnoopIso15693(jam_search_len
, jam_search_string
);
84 void rotateCSN(uint8_t* originalCSN
, uint8_t* rotatedCSN
) {
86 for (i
= 0; i
< 8; i
++) {
87 rotatedCSN
[i
] = (originalCSN
[i
] >> 3) | (originalCSN
[(i
+1)%8] << 5);
93 static void CodeIClassTagSOF() {
95 ToSend
[++ToSendMax
] = 0x1D;
100 static void AppendCrc(uint8_t *data
, int len
) {
101 ComputeCrc14443(CRC_ICLASS
, data
, len
, data
+len
, data
+len
+1);
106 * @brief Does the actual simulation
108 int doIClassSimulation(int simulationMode
, uint8_t *reader_mac_buf
) {
110 // free eventually allocated BigBuf memory
111 BigBuf_free_keep_EM();
113 uint16_t page_size
= 32 * 8;
114 uint8_t current_page
= 0;
116 // maintain cipher states for both credit and debit key for each page
117 State cipher_state_KC
[8];
118 State cipher_state_KD
[8];
119 State
*cipher_state
= &cipher_state_KD
[0];
121 uint8_t *emulator
= BigBuf_get_EM_addr();
122 uint8_t *csn
= emulator
;
124 // CSN followed by two CRC bytes
125 uint8_t anticoll_data
[10];
126 uint8_t csn_data
[10];
127 memcpy(csn_data
, csn
, sizeof(csn_data
));
128 Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x", csn
[0], csn
[1], csn
[2], csn
[3], csn
[4], csn
[5], csn
[6], csn
[7]);
130 // Construct anticollision-CSN
131 rotateCSN(csn_data
, anticoll_data
);
133 // Compute CRC on both CSNs
134 AppendCrc(anticoll_data
, 8);
135 AppendCrc(csn_data
, 8);
137 uint8_t diversified_key_d
[8] = { 0x00 };
138 uint8_t diversified_key_c
[8] = { 0x00 };
139 uint8_t *diversified_key
= diversified_key_d
;
141 // configuration block
142 uint8_t conf_block
[10] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C, 0x00, 0x00};
145 uint8_t card_challenge_data
[8] = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
147 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
148 // initialize from page 0
149 memcpy(conf_block
, emulator
+ 8 * 1, 8);
150 memcpy(card_challenge_data
, emulator
+ 8 * 2, 8); // e-purse
151 memcpy(diversified_key_d
, emulator
+ 8 * 3, 8); // Kd
152 memcpy(diversified_key_c
, emulator
+ 8 * 4, 8); // Kc
155 AppendCrc(conf_block
, 8);
157 // save card challenge for sim2,4 attack
158 if (reader_mac_buf
!= NULL
) {
159 memcpy(reader_mac_buf
, card_challenge_data
, 8);
162 if (conf_block
[5] & 0x80) {
167 // When the page is in personalization mode this bit is equal to 1.
168 // Once the application issuer has personalized and coded its dedicated areas, this bit must be set to 0:
169 // the page is then "in application mode".
170 bool personalization_mode
= conf_block
[7] & 0x80;
172 // chip memory may be divided in 8 pages
173 uint8_t max_page
= conf_block
[4] & 0x10 ? 0 : 7;
175 // Precalculate the cipher states, feeding it the CC
176 cipher_state_KD
[0] = opt_doTagMAC_1(card_challenge_data
, diversified_key_d
);
177 cipher_state_KC
[0] = opt_doTagMAC_1(card_challenge_data
, diversified_key_c
);
178 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
179 for (int i
= 1; i
< max_page
; i
++) {
180 uint8_t *epurse
= emulator
+ i
*page_size
+ 8*2;
181 uint8_t *Kd
= emulator
+ i
*page_size
+ 8*3;
182 uint8_t *Kc
= emulator
+ i
*page_size
+ 8*4;
183 cipher_state_KD
[i
] = opt_doTagMAC_1(epurse
, Kd
);
184 cipher_state_KC
[i
] = opt_doTagMAC_1(epurse
, Kc
);
193 // Reader 81 anticoll. CSN
196 uint8_t *modulated_response
;
197 int modulated_response_size
= 0;
198 uint8_t *trace_data
= NULL
;
199 int trace_data_size
= 0;
201 // Respond SOF -- takes 1 bytes
202 uint8_t *resp_sof
= BigBuf_malloc(1);
205 // Anticollision CSN (rotated CSN)
206 // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
207 uint8_t *resp_anticoll
= BigBuf_malloc(22);
208 int resp_anticoll_len
;
211 // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
212 uint8_t *resp_csn
= BigBuf_malloc(22);
215 // configuration (block 1) picopass 2ks
216 uint8_t *resp_conf
= BigBuf_malloc(22);
220 // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
221 uint8_t *resp_cc
= BigBuf_malloc(18);
224 // Kd, Kc (blocks 3 and 4). Cannot be read. Always respond with 0xff bytes only
225 uint8_t *resp_ff
= BigBuf_malloc(22);
227 uint8_t ff_data
[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
228 AppendCrc(ff_data
, 8);
230 // Application Issuer Area (block 5)
231 uint8_t *resp_aia
= BigBuf_malloc(22);
233 uint8_t aia_data
[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
234 AppendCrc(aia_data
, 8);
236 uint8_t *receivedCmd
= BigBuf_malloc(MAX_FRAME_SIZE
);
239 // Prepare card messages
241 // First card answer: SOF only
243 memcpy(resp_sof
, ToSend
, ToSendMax
);
244 resp_sof_Len
= ToSendMax
;
247 CodeIso15693AsTag(anticoll_data
, sizeof(anticoll_data
));
248 memcpy(resp_anticoll
, ToSend
, ToSendMax
);
249 resp_anticoll_len
= ToSendMax
;
252 CodeIso15693AsTag(csn_data
, sizeof(csn_data
));
253 memcpy(resp_csn
, ToSend
, ToSendMax
);
254 resp_csn_len
= ToSendMax
;
256 // Configuration (block 1)
257 CodeIso15693AsTag(conf_block
, sizeof(conf_block
));
258 memcpy(resp_conf
, ToSend
, ToSendMax
);
259 resp_conf_len
= ToSendMax
;
262 CodeIso15693AsTag(card_challenge_data
, sizeof(card_challenge_data
));
263 memcpy(resp_cc
, ToSend
, ToSendMax
);
264 resp_cc_len
= ToSendMax
;
266 // Kd, Kc (blocks 3 and 4)
267 CodeIso15693AsTag(ff_data
, sizeof(ff_data
));
268 memcpy(resp_ff
, ToSend
, ToSendMax
);
269 resp_ff_len
= ToSendMax
;
271 // Application Issuer Area (block 5)
272 CodeIso15693AsTag(aia_data
, sizeof(aia_data
));
273 memcpy(resp_aia
, ToSend
, ToSendMax
);
274 resp_aia_len
= ToSendMax
;
276 //This is used for responding to READ-block commands or other data which is dynamically generated
277 uint8_t *data_generic_trace
= BigBuf_malloc(32 + 2); // 32 bytes data + 2byte CRC is max tag answer
278 uint8_t *data_response
= BigBuf_malloc( (32 + 2) * 2 + 2);
280 bool buttonPressed
= false;
281 enum { IDLE
, ACTIVATED
, SELECTED
, HALTED
} chip_state
= IDLE
;
286 uint32_t reader_eof_time
= 0;
287 len
= GetIso15693CommandFromReader(receivedCmd
, MAX_FRAME_SIZE
, &reader_eof_time
);
289 buttonPressed
= true;
293 // Now look at the reader command and provide appropriate responses
294 // default is no response:
295 modulated_response
= NULL
;
296 modulated_response_size
= 0;
300 if (receivedCmd
[0] == ICLASS_CMD_ACTALL
&& len
== 1) {
301 // Reader in anticollision phase
302 if (chip_state
!= HALTED
) {
303 modulated_response
= resp_sof
;
304 modulated_response_size
= resp_sof_Len
;
305 chip_state
= ACTIVATED
;
308 } else if (receivedCmd
[0] == ICLASS_CMD_READ_OR_IDENTIFY
&& len
== 1) { // identify
309 // Reader asks for anticollision CSN
310 if (chip_state
== SELECTED
|| chip_state
== ACTIVATED
) {
311 modulated_response
= resp_anticoll
;
312 modulated_response_size
= resp_anticoll_len
;
313 trace_data
= anticoll_data
;
314 trace_data_size
= sizeof(anticoll_data
);
317 } else if (receivedCmd
[0] == ICLASS_CMD_SELECT
&& len
== 9) {
318 // Reader selects anticollision CSN.
319 // Tag sends the corresponding real CSN
320 if (chip_state
== ACTIVATED
|| chip_state
== SELECTED
) {
321 if (!memcmp(receivedCmd
+1, anticoll_data
, 8)) {
322 modulated_response
= resp_csn
;
323 modulated_response_size
= resp_csn_len
;
324 trace_data
= csn_data
;
325 trace_data_size
= sizeof(csn_data
);
326 chip_state
= SELECTED
;
330 } else if (chip_state
== HALTED
) {
332 if (!memcmp(receivedCmd
+1, csn_data
, 8)) {
333 modulated_response
= resp_csn
;
334 modulated_response_size
= resp_csn_len
;
335 trace_data
= csn_data
;
336 trace_data_size
= sizeof(csn_data
);
337 chip_state
= SELECTED
;
341 } else if (receivedCmd
[0] == ICLASS_CMD_READ_OR_IDENTIFY
&& len
== 4) { // read block
342 uint16_t blockNo
= receivedCmd
[1];
343 if (chip_state
== SELECTED
) {
344 if (simulationMode
== ICLASS_SIM_MODE_EXIT_AFTER_MAC
) {
345 // provide defaults for blocks 0 ... 5
347 case 0: // csn (block 00)
348 modulated_response
= resp_csn
;
349 modulated_response_size
= resp_csn_len
;
350 trace_data
= csn_data
;
351 trace_data_size
= sizeof(csn_data
);
353 case 1: // configuration (block 01)
354 modulated_response
= resp_conf
;
355 modulated_response_size
= resp_conf_len
;
356 trace_data
= conf_block
;
357 trace_data_size
= sizeof(conf_block
);
359 case 2: // e-purse (block 02)
360 modulated_response
= resp_cc
;
361 modulated_response_size
= resp_cc_len
;
362 trace_data
= card_challenge_data
;
363 trace_data_size
= sizeof(card_challenge_data
);
364 // set epurse of sim2,4 attack
365 if (reader_mac_buf
!= NULL
) {
366 memcpy(reader_mac_buf
, card_challenge_data
, 8);
370 case 4: // Kd, Kc, always respond with 0xff bytes
371 modulated_response
= resp_ff
;
372 modulated_response_size
= resp_ff_len
;
373 trace_data
= ff_data
;
374 trace_data_size
= sizeof(ff_data
);
376 case 5: // Application Issuer Area (block 05)
377 modulated_response
= resp_aia
;
378 modulated_response_size
= resp_aia_len
;
379 trace_data
= aia_data
;
380 trace_data_size
= sizeof(aia_data
);
382 // default: don't respond
384 } else if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
385 if (blockNo
== 3 || blockNo
== 4) { // Kd, Kc, always respond with 0xff bytes
386 modulated_response
= resp_ff
;
387 modulated_response_size
= resp_ff_len
;
388 trace_data
= ff_data
;
389 trace_data_size
= sizeof(ff_data
);
390 } else { // use data from emulator memory
391 memcpy(data_generic_trace
, emulator
+ current_page
*page_size
+ 8*blockNo
, 8);
392 AppendCrc(data_generic_trace
, 8);
393 trace_data
= data_generic_trace
;
394 trace_data_size
= 10;
395 CodeIso15693AsTag(trace_data
, trace_data_size
);
396 memcpy(data_response
, ToSend
, ToSendMax
);
397 modulated_response
= data_response
;
398 modulated_response_size
= ToSendMax
;
403 } else if ((receivedCmd
[0] == ICLASS_CMD_READCHECK_KD
404 || receivedCmd
[0] == ICLASS_CMD_READCHECK_KC
) && receivedCmd
[1] == 0x02 && len
== 2) {
405 // Read e-purse (88 02 || 18 02)
406 if (chip_state
== SELECTED
) {
407 if(receivedCmd
[0] == ICLASS_CMD_READCHECK_KD
){
408 cipher_state
= &cipher_state_KD
[current_page
];
409 diversified_key
= diversified_key_d
;
411 cipher_state
= &cipher_state_KC
[current_page
];
412 diversified_key
= diversified_key_c
;
414 modulated_response
= resp_cc
;
415 modulated_response_size
= resp_cc_len
;
416 trace_data
= card_challenge_data
;
417 trace_data_size
= sizeof(card_challenge_data
);
420 } else if ((receivedCmd
[0] == ICLASS_CMD_CHECK_KC
421 || receivedCmd
[0] == ICLASS_CMD_CHECK_KD
) && len
== 9) {
422 // Reader random and reader MAC!!!
423 if (chip_state
== SELECTED
) {
424 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
425 //NR, from reader, is in receivedCmd+1
426 opt_doTagMAC_2(*cipher_state
, receivedCmd
+1, data_generic_trace
, diversified_key
);
427 trace_data
= data_generic_trace
;
429 CodeIso15693AsTag(trace_data
, trace_data_size
);
430 memcpy(data_response
, ToSend
, ToSendMax
);
431 modulated_response
= data_response
;
432 modulated_response_size
= ToSendMax
;
434 } else { // Not fullsim, we don't respond
435 // We do not know what to answer, so lets keep quiet
436 if (simulationMode
== ICLASS_SIM_MODE_EXIT_AFTER_MAC
) {
437 if (reader_mac_buf
!= NULL
) {
438 // save NR and MAC for sim 2,4
439 memcpy(reader_mac_buf
+ 8, receivedCmd
+ 1, 8);
446 } else if (receivedCmd
[0] == ICLASS_CMD_HALT
&& len
== 1) {
447 if (chip_state
== SELECTED
) {
448 // Reader ends the session
449 modulated_response
= resp_sof
;
450 modulated_response_size
= resp_sof_Len
;
454 } else if (simulationMode
== ICLASS_SIM_MODE_FULL
&& receivedCmd
[0] == ICLASS_CMD_READ4
&& len
== 4) { // 0x06
456 if (chip_state
== SELECTED
) {
457 uint8_t blockNo
= receivedCmd
[1];
458 memcpy(data_generic_trace
, emulator
+ current_page
*page_size
+ blockNo
*8, 8 * 4);
459 AppendCrc(data_generic_trace
, 8 * 4);
460 trace_data
= data_generic_trace
;
461 trace_data_size
= 8 * 4 + 2;
462 CodeIso15693AsTag(trace_data
, trace_data_size
);
463 memcpy(data_response
, ToSend
, ToSendMax
);
464 modulated_response
= data_response
;
465 modulated_response_size
= ToSendMax
;
468 } else if (receivedCmd
[0] == ICLASS_CMD_UPDATE
&& (len
== 12 || len
== 14)) {
469 // We're expected to respond with the data+crc, exactly what's already in the receivedCmd
470 // receivedCmd is now UPDATE 1b | ADDRESS 1b | DATA 8b | Signature 4b or CRC 2b
471 if (chip_state
== SELECTED
) {
472 uint8_t blockNo
= receivedCmd
[1];
473 if (blockNo
== 2) { // update e-purse
474 memcpy(card_challenge_data
, receivedCmd
+2, 8);
475 CodeIso15693AsTag(card_challenge_data
, sizeof(card_challenge_data
));
476 memcpy(resp_cc
, ToSend
, ToSendMax
);
477 resp_cc_len
= ToSendMax
;
478 cipher_state_KD
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_d
);
479 cipher_state_KC
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_c
);
480 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
481 memcpy(emulator
+ current_page
*page_size
+ 8*2, card_challenge_data
, 8);
483 } else if (blockNo
== 3) { // update Kd
484 for (int i
= 0; i
< 8; i
++) {
485 if (personalization_mode
) {
486 diversified_key_d
[i
] = receivedCmd
[2 + i
];
488 diversified_key_d
[i
] ^= receivedCmd
[2 + i
];
491 cipher_state_KD
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_d
);
492 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
493 memcpy(emulator
+ current_page
*page_size
+ 8*3, diversified_key_d
, 8);
495 } else if (blockNo
== 4) { // update Kc
496 for (int i
= 0; i
< 8; i
++) {
497 if (personalization_mode
) {
498 diversified_key_c
[i
] = receivedCmd
[2 + i
];
500 diversified_key_c
[i
] ^= receivedCmd
[2 + i
];
503 cipher_state_KC
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_c
);
504 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
505 memcpy(emulator
+ current_page
*page_size
+ 8*4, diversified_key_c
, 8);
507 } else if (simulationMode
== ICLASS_SIM_MODE_FULL
) { // update any other data block
508 memcpy(emulator
+ current_page
*page_size
+ 8*blockNo
, receivedCmd
+2, 8);
510 memcpy(data_generic_trace
, receivedCmd
+ 2, 8);
511 AppendCrc(data_generic_trace
, 8);
512 trace_data
= data_generic_trace
;
513 trace_data_size
= 10;
514 CodeIso15693AsTag(trace_data
, trace_data_size
);
515 memcpy(data_response
, ToSend
, ToSendMax
);
516 modulated_response
= data_response
;
517 modulated_response_size
= ToSendMax
;
520 } else if (receivedCmd
[0] == ICLASS_CMD_PAGESEL
&& len
== 4) {
522 // Chips with a single page will not answer to this command
523 // Otherwise, we should answer 8bytes (conf block 1) + 2bytes CRC
524 if (chip_state
== SELECTED
) {
525 if (simulationMode
== ICLASS_SIM_MODE_FULL
&& max_page
> 0) {
526 current_page
= receivedCmd
[1];
527 memcpy(data_generic_trace
, emulator
+ current_page
*page_size
+ 8*1, 8);
528 memcpy(diversified_key_d
, emulator
+ current_page
*page_size
+ 8*3, 8);
529 memcpy(diversified_key_c
, emulator
+ current_page
*page_size
+ 8*4, 8);
530 cipher_state
= &cipher_state_KD
[current_page
];
531 personalization_mode
= data_generic_trace
[7] & 0x80;
532 AppendCrc(data_generic_trace
, 8);
533 trace_data
= data_generic_trace
;
534 trace_data_size
= 10;
535 CodeIso15693AsTag(trace_data
, trace_data_size
);
536 memcpy(data_response
, ToSend
, ToSendMax
);
537 modulated_response
= data_response
;
538 modulated_response_size
= ToSendMax
;
542 } else if (receivedCmd
[0] == 0x26 && len
== 5) {
543 // standard ISO15693 INVENTORY command. Ignore.
546 // don't know how to handle this command
547 char debug_message
[250]; // should be enough
548 sprintf(debug_message
, "Unhandled command (len = %d) received from reader:", len
);
549 for (int i
= 0; i
< len
&& strlen(debug_message
) < sizeof(debug_message
) - 3 - 1; i
++) {
550 sprintf(debug_message
+ strlen(debug_message
), " %02x", receivedCmd
[i
]);
552 Dbprintf("%s", debug_message
);
557 A legit tag has about 273,4us delay between reader EOT and tag SOF.
559 if (modulated_response_size
> 0) {
560 uint32_t response_time
= reader_eof_time
+ DELAY_ICLASS_VCD_TO_VICC_SIM
;
561 TransmitTo15693Reader(modulated_response
, modulated_response_size
, &response_time
, 0, false);
562 LogTrace_ISO15693(trace_data
, trace_data_size
, response_time
*32, response_time
*32 + modulated_response_size
/2, NULL
, false);
569 DbpString("Button pressed");
571 return buttonPressed
;
575 * @brief SimulateIClass simulates an iClass card.
576 * @param arg0 type of simulation
577 * - 0 uses the first 8 bytes in usb data as CSN
578 * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
579 * in the usb data. This mode collects MAC from the reader, in order to do an offline
580 * attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
581 * - Other : Uses the default CSN (031fec8af7ff12e0)
582 * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
586 void SimulateIClass(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
) {
590 uint32_t simType
= arg0
;
591 uint32_t numberOfCSNS
= arg1
;
593 // setup hardware for simulation:
594 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
595 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
596 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR
| FPGA_HF_SIMULATOR_NO_MODULATION
);
598 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR
);
601 // Enable and clear the trace
604 //Use the emulator memory for SIM
605 uint8_t *emulator
= BigBuf_get_EM_addr();
607 if (simType
== ICLASS_SIM_MODE_CSN
) {
608 // Use the CSN from commandline
609 memcpy(emulator
, datain
, 8);
610 doIClassSimulation(ICLASS_SIM_MODE_CSN
, NULL
);
611 } else if (simType
== ICLASS_SIM_MODE_CSN_DEFAULT
) {
613 uint8_t csn_crc
[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
614 // Use the CSN from commandline
615 memcpy(emulator
, csn_crc
, 8);
616 doIClassSimulation(ICLASS_SIM_MODE_CSN
, NULL
);
617 } else if (simType
== ICLASS_SIM_MODE_READER_ATTACK
) {
618 uint8_t mac_responses
[USB_CMD_DATA_SIZE
] = { 0 };
619 Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS
);
620 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
621 // in order to collect MAC's from the reader. This can later be used in an offline-attack
622 // in order to obtain the keys, as in the "dismantling iclass"-paper.
624 for (i
= 0; i
< numberOfCSNS
&& i
*16+16 <= USB_CMD_DATA_SIZE
; i
++) {
625 // The usb data is 512 bytes, fitting 32 responses (8 byte CC + 4 Byte NR + 4 Byte MAC = 16 Byte response).
626 memcpy(emulator
, datain
+(i
*8), 8);
627 if (doIClassSimulation(ICLASS_SIM_MODE_EXIT_AFTER_MAC
, mac_responses
+i
*16)) {
631 Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
632 datain
[i
*8+0], datain
[i
*8+1], datain
[i
*8+2], datain
[i
*8+3],
633 datain
[i
*8+4], datain
[i
*8+5], datain
[i
*8+6], datain
[i
*8+7]);
634 Dbprintf("NR,MAC: %02x %02x %02x %02x %02x %02x %02x %02x",
635 mac_responses
[i
*16+ 8], mac_responses
[i
*16+ 9], mac_responses
[i
*16+10], mac_responses
[i
*16+11],
636 mac_responses
[i
*16+12], mac_responses
[i
*16+13], mac_responses
[i
*16+14], mac_responses
[i
*16+15]);
637 SpinDelay(100); // give the reader some time to prepare for next CSN
639 cmd_send(CMD_ACK
, CMD_SIMULATE_TAG_ICLASS
, i
, 0, mac_responses
, i
*16);
640 } else if (simType
== ICLASS_SIM_MODE_FULL
) {
641 //This is 'full sim' mode, where we use the emulator storage for data.
642 doIClassSimulation(ICLASS_SIM_MODE_FULL
, NULL
);
644 // We may want a mode here where we hardcode the csns to use (from proxclone).
645 // That will speed things up a little, but not required just yet.
646 Dbprintf("The mode is not implemented, reserved for future use");
657 static void ReaderTransmitIClass(uint8_t *frame
, int len
, uint32_t *start_time
) {
659 CodeIso15693AsReader(frame
, len
);
661 TransmitTo15693Tag(ToSend
, ToSendMax
, start_time
);
663 uint32_t end_time
= *start_time
+ 32*(8*ToSendMax
-4); // substract the 4 padding bits after EOF
664 LogTrace_ISO15693(frame
, len
, *start_time
*4, end_time
*4, NULL
, true);
668 static bool sendCmdGetResponseWithRetries(uint8_t* command
, size_t cmdsize
, uint8_t* resp
, size_t max_resp_size
,
669 uint8_t expected_size
, uint8_t retries
, uint32_t start_time
, uint32_t timeout
, uint32_t *eof_time
) {
670 while (retries
-- > 0) {
671 ReaderTransmitIClass(command
, cmdsize
, &start_time
);
672 if (expected_size
== GetIso15693AnswerFromTag(resp
, max_resp_size
, timeout
, eof_time
)) {
680 * @brief Selects an iclass tag
681 * @param card_data where the CSN is stored for return
682 * @return false = fail
685 static bool selectIclassTag(uint8_t *card_data
, uint32_t *eof_time
) {
686 uint8_t act_all
[] = { 0x0a };
687 uint8_t identify
[] = { 0x0c };
688 uint8_t select
[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
690 uint8_t resp
[ICLASS_BUFFER_SIZE
];
692 uint32_t start_time
= GetCountSspClk();
695 ReaderTransmitIClass(act_all
, 1, &start_time
);
697 if (GetIso15693AnswerFromTag(resp
, sizeof(resp
), ICLASS_READER_TIMEOUT_ACTALL
, eof_time
) < 0) return false;//Fail
700 start_time
= *eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
701 ReaderTransmitIClass(identify
, 1, &start_time
);
702 //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
703 uint8_t len
= GetIso15693AnswerFromTag(resp
, sizeof(resp
), ICLASS_READER_TIMEOUT_OTHERS
, eof_time
);
704 if (len
!= 10) return false;//Fail
706 //Copy the Anti-collision CSN to our select-packet
707 memcpy(&select
[1], resp
, 8);
709 start_time
= *eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
710 ReaderTransmitIClass(select
, sizeof(select
), &start_time
);
711 //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
712 len
= GetIso15693AnswerFromTag(resp
, sizeof(resp
), ICLASS_READER_TIMEOUT_OTHERS
, eof_time
);
713 if (len
!= 10) return false;//Fail
715 //Success - we got CSN
716 //Save CSN in response data
717 memcpy(card_data
, resp
, 8);
723 // Select an iClass tag and read all blocks which are always readable without authentication
724 void ReaderIClass(uint8_t flags
) {
728 uint8_t card_data
[6 * 8] = {0};
729 memset(card_data
, 0xFF, sizeof(card_data
));
730 uint8_t resp
[ICLASS_BUFFER_SIZE
];
731 //Read conf block CRC(0x01) => 0xfa 0x22
732 uint8_t readConf
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, 0x01, 0xfa, 0x22};
733 //Read e-purse block CRC(0x02) => 0x61 0x10
734 uint8_t readEpurse
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, 0x02, 0x61, 0x10};
735 //Read App Issuer Area block CRC(0x05) => 0xde 0x64
736 uint8_t readAA
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, 0x05, 0xde, 0x64};
738 uint8_t result_status
= 0;
740 if (flags
& FLAG_ICLASS_READER_INIT
) {
741 Iso15693InitReader();
744 if (flags
& FLAG_ICLASS_READER_CLEARTRACE
) {
750 uint32_t start_time
= 0;
751 uint32_t eof_time
= 0;
753 if (selectIclassTag(resp
, &eof_time
)) {
754 result_status
= FLAG_ICLASS_READER_CSN
;
755 memcpy(card_data
, resp
, 8);
758 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
760 //Read block 1, config
761 if (flags
& FLAG_ICLASS_READER_CONF
) {
762 if (sendCmdGetResponseWithRetries(readConf
, sizeof(readConf
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
763 result_status
|= FLAG_ICLASS_READER_CONF
;
764 memcpy(card_data
+8, resp
, 8);
766 Dbprintf("Failed to read config block");
768 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
771 //Read block 2, e-purse
772 if (flags
& FLAG_ICLASS_READER_CC
) {
773 if (sendCmdGetResponseWithRetries(readEpurse
, sizeof(readEpurse
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
774 result_status
|= FLAG_ICLASS_READER_CC
;
775 memcpy(card_data
+ (8*2), resp
, 8);
777 Dbprintf("Failed to read e-purse");
779 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
783 if (flags
& FLAG_ICLASS_READER_AA
) {
784 if (sendCmdGetResponseWithRetries(readAA
, sizeof(readAA
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
785 result_status
|= FLAG_ICLASS_READER_AA
;
786 memcpy(card_data
+ (8*5), resp
, 8);
788 Dbprintf("Failed to read AA block");
792 cmd_send(CMD_ACK
, result_status
, 0, 0, card_data
, sizeof(card_data
));
798 void ReaderIClass_Replay(uint8_t arg0
, uint8_t *MAC
) {
802 bool use_credit_key
= false;
803 uint8_t card_data
[USB_CMD_DATA_SIZE
]={0};
804 uint16_t block_crc_LUT
[255] = {0};
806 //Generate a lookup table for block crc
807 for (int block
= 0; block
< 255; block
++){
809 block_crc_LUT
[block
] = iclass_crc16(&bl
,1);
811 //Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]);
813 uint8_t readcheck_cc
[] = { ICLASS_CMD_READCHECK_KD
, 0x02 };
815 readcheck_cc
[0] = ICLASS_CMD_READCHECK_KC
;
816 uint8_t check
[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
817 uint8_t read
[] = { 0x0c, 0x00, 0x00, 0x00 };
820 uint8_t cardsize
= 0;
823 static struct memory_t
{
831 uint8_t resp
[ICLASS_BUFFER_SIZE
];
835 Iso15693InitReader();
838 uint32_t start_time
= 0;
839 uint32_t eof_time
= 0;
841 while (!BUTTON_PRESS()) {
845 if (!get_tracing()) {
846 DbpString("Trace full");
850 if (!selectIclassTag(card_data
, &eof_time
)) continue;
852 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
853 if (!sendCmdGetResponseWithRetries(readcheck_cc
, sizeof(readcheck_cc
), resp
, sizeof(resp
), 8, 3, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) continue;
855 // replay captured auth (cc must not have been updated)
856 memcpy(check
+5, MAC
, 4);
858 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
859 if (!sendCmdGetResponseWithRetries(check
, sizeof(check
), resp
, sizeof(resp
), 4, 5, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
860 Dbprintf("Error: Authentication Fail!");
864 //first get configuration block (block 1)
865 crc
= block_crc_LUT
[1];
868 read
[3] = crc
& 0xff;
870 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
871 if (!sendCmdGetResponseWithRetries(read
, sizeof(read
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
872 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
873 Dbprintf("Dump config (block 1) failed");
878 memory
.k16
= (mem
& 0x80);
879 memory
.book
= (mem
& 0x20);
880 memory
.k2
= (mem
& 0x8);
881 memory
.lockauth
= (mem
& 0x2);
882 memory
.keyaccess
= (mem
& 0x1);
884 cardsize
= memory
.k16
? 255 : 32;
886 //Set card_data to all zeroes, we'll fill it with data
887 memset(card_data
, 0x0, USB_CMD_DATA_SIZE
);
888 uint8_t failedRead
= 0;
889 uint32_t stored_data_length
= 0;
890 //then loop around remaining blocks
891 for (int block
= 0; block
< cardsize
; block
++) {
893 crc
= block_crc_LUT
[block
];
895 read
[3] = crc
& 0xff;
897 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
898 if (sendCmdGetResponseWithRetries(read
, sizeof(read
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
899 Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
900 block
, resp
[0], resp
[1], resp
[2],
901 resp
[3], resp
[4], resp
[5],
905 memcpy(card_data
+stored_data_length
, resp
, 8);
906 stored_data_length
+= 8;
907 if (stored_data_length
+8 > USB_CMD_DATA_SIZE
) {
908 //Time to send this off and start afresh
910 stored_data_length
,//data length
911 failedRead
,//Failed blocks?
913 card_data
, stored_data_length
);
915 stored_data_length
= 0;
921 stored_data_length
+= 8;//Otherwise, data becomes misaligned
922 Dbprintf("Failed to dump block %d", block
);
926 //Send off any remaining data
927 if (stored_data_length
> 0) {
929 stored_data_length
,//data length
930 failedRead
,//Failed blocks?
935 //If we got here, let's break
938 //Signal end of transmission
946 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
952 void iClass_Check(uint8_t *MAC
) {
953 uint8_t check
[9] = {ICLASS_CMD_CHECK_KD
, 0x00};
955 memcpy(check
+5, MAC
, 4);
957 bool isOK
= sendCmdGetResponseWithRetries(check
, sizeof(check
), resp
, sizeof(resp
), 4, 6, 0, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
);
958 cmd_send(CMD_ACK
, isOK
, 0, 0, resp
, sizeof(resp
));
962 void iClass_Readcheck(uint8_t block
, bool use_credit_key
) {
963 uint8_t readcheck
[2] = {ICLASS_CMD_READCHECK_KD
, block
};
964 if (use_credit_key
) {
965 readcheck
[0] = ICLASS_CMD_READCHECK_KC
;
969 bool isOK
= sendCmdGetResponseWithRetries(readcheck
, sizeof(readcheck
), resp
, sizeof(resp
), 8, 6, 0, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
);
970 cmd_send(CMD_ACK
, isOK
, 0, 0, resp
, sizeof(resp
));
974 static bool iClass_ReadBlock(uint8_t blockNo
, uint8_t *readdata
) {
975 uint8_t readcmd
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, blockNo
, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
977 uint16_t rdCrc
= iclass_crc16(&bl
, 1);
978 readcmd
[2] = rdCrc
>> 8;
979 readcmd
[3] = rdCrc
& 0xff;
983 bool isOK
= sendCmdGetResponseWithRetries(readcmd
, sizeof(readcmd
), resp
, sizeof(resp
), 10, 10, 0, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
);
984 memcpy(readdata
, resp
, sizeof(resp
));
990 void iClass_ReadBlk(uint8_t blockno
) {
994 uint8_t readblockdata
[] = {0,0,0,0,0,0,0,0,0,0};
995 bool isOK
= iClass_ReadBlock(blockno
, readblockdata
);
996 cmd_send(CMD_ACK
, isOK
, 0, 0, readblockdata
, 8);
997 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1004 void iClass_Dump(uint8_t startblock
, uint8_t numblks
) {
1008 uint8_t readblockdata
[USB_CMD_DATA_SIZE
+2] = {0};
1010 uint16_t blkCnt
= 0;
1012 if (numblks
> USB_CMD_DATA_SIZE
/ 8) {
1013 numblks
= USB_CMD_DATA_SIZE
/ 8;
1016 for (blkCnt
= 0; blkCnt
< numblks
; blkCnt
++) {
1017 isOK
= iClass_ReadBlock(startblock
+blkCnt
, readblockdata
+8*blkCnt
);
1019 Dbprintf("Block %02X failed to read", startblock
+blkCnt
);
1024 cmd_send(CMD_ACK
, isOK
, blkCnt
, 0, readblockdata
, blkCnt
*8);
1030 static bool iClass_WriteBlock_ext(uint8_t blockNo
, uint8_t *data
) {
1032 uint8_t write
[16] = {ICLASS_CMD_UPDATE
, blockNo
};
1033 memcpy(write
+2, data
, 12); // data + mac
1034 AppendCrc(write
+1, 13);
1037 uint32_t eof_time
= 0;
1039 isOK
= sendCmdGetResponseWithRetries(write
, sizeof(write
), resp
, sizeof(resp
), 10, 10, 0, ICLASS_READER_TIMEOUT_UPDATE
, &eof_time
);
1040 if (isOK
&& blockNo
!= 3 && blockNo
!= 4 && memcmp(write
+2, resp
, 8)) { // check response
1048 void iClass_WriteBlock(uint8_t blockNo
, uint8_t *data
) {
1052 bool isOK
= iClass_WriteBlock_ext(blockNo
, data
);
1054 Dbprintf("Write block [%02x] successful", blockNo
);
1056 Dbprintf("Write block [%02x] failed", blockNo
);
1058 cmd_send(CMD_ACK
, isOK
, 0, 0, 0, 0);
1060 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1067 void iClass_Clone(uint8_t startblock
, uint8_t endblock
, uint8_t *data
) {
1070 int total_block
= (endblock
- startblock
) + 1;
1071 for (i
= 0; i
< total_block
; i
++) {
1073 if (iClass_WriteBlock_ext(i
+startblock
, data
+ (i
*12))){
1074 Dbprintf("Write block [%02x] successful", i
+ startblock
);
1077 if (iClass_WriteBlock_ext(i
+startblock
, data
+ (i
*12))){
1078 Dbprintf("Write block [%02x] successful", i
+ startblock
);
1081 Dbprintf("Write block [%02x] failed", i
+ startblock
);
1085 if (written
== total_block
)
1086 Dbprintf("Clone complete");
1088 Dbprintf("Clone incomplete");
1090 cmd_send(CMD_ACK
, 1, 0, 0, 0, 0);
1091 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);