0586a25db1b8882678ca3bd3080bcb37437d9293
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19
20 #include "crc.h"
21
22 // the block number for the ISO14443-4 PCB
23 uint8_t pcb_blocknum = 0;
24 // Deselect card by sending a s-block. the crc is precalced for speed
25 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
26
27
28 //-----------------------------------------------------------------------------
29 // Select, Authenticate, Read a MIFARE tag.
30 // read block
31 //-----------------------------------------------------------------------------
32 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
33 {
34 // params
35 uint8_t blockNo = arg0;
36 uint8_t keyType = arg1;
37 uint64_t ui64Key = 0;
38 ui64Key = bytes_to_num(datain, 6);
39
40 // variables
41 byte_t isOK = 0;
42 byte_t dataoutbuf[16];
43 uint8_t uid[10];
44 uint32_t cuid;
45 struct Crypto1State mpcs = {0, 0};
46 struct Crypto1State *pcs;
47 pcs = &mpcs;
48
49 // clear trace
50 clear_trace();
51 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
52
53 LED_A_ON();
54 LED_B_OFF();
55 LED_C_OFF();
56
57 while (true) {
58 if(!iso14443a_select_card(uid, NULL, &cuid)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
60 break;
61 };
62
63 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
65 break;
66 };
67
68 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
69 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
70 break;
71 };
72
73 if(mifare_classic_halt(pcs, cuid)) {
74 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
75 break;
76 };
77
78 isOK = 1;
79 break;
80 }
81
82 // ----------------------------- crypto1 destroy
83 crypto1_destroy(pcs);
84
85 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
86
87 LED_B_ON();
88 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
89 LED_B_OFF();
90
91 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
92 LEDsoff();
93 }
94
95 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
96
97 bool turnOffField = (arg0 == 1);
98
99 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
100 clear_trace();
101 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
102
103 if(!iso14443a_select_card(NULL, NULL, NULL)) {
104 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
105 OnError(0);
106 return;
107 };
108
109 if(!mifare_ultra_auth(keybytes)){
110 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
111 OnError(1);
112 return;
113 }
114
115 if (turnOffField) {
116 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
117 LEDsoff();
118 }
119 cmd_send(CMD_ACK,1,0,0,0,0);
120 }
121
122 // Arg0 = BlockNo,
123 // Arg1 = UsePwd bool
124 // datain = PWD bytes,
125 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
126 {
127 uint8_t blockNo = arg0;
128 byte_t dataout[16] = {0x00};
129 bool useKey = (arg1 == 1); //UL_C
130 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
131
132 LEDsoff();
133 LED_A_ON();
134 clear_trace();
135 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
136
137 int len = iso14443a_select_card(NULL, NULL, NULL);
138 if(!len) {
139 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
140 OnError(1);
141 return;
142 }
143
144 // UL-C authentication
145 if ( useKey ) {
146 uint8_t key[16] = {0x00};
147 memcpy(key, datain, sizeof(key) );
148
149 if ( !mifare_ultra_auth(key) ) {
150 OnError(1);
151 return;
152 }
153 }
154
155 // UL-EV1 / NTAG authentication
156 if ( usePwd ) {
157 uint8_t pwd[4] = {0x00};
158 memcpy(pwd, datain, 4);
159 uint8_t pack[4] = {0,0,0,0};
160 if (!mifare_ul_ev1_auth(pwd, pack)) {
161 OnError(1);
162 return;
163 }
164 }
165
166 if( mifare_ultra_readblock(blockNo, dataout) ) {
167 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
168 OnError(2);
169 return;
170 }
171
172 if( mifare_ultra_halt() ) {
173 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
174 OnError(3);
175 return;
176 }
177
178 cmd_send(CMD_ACK,1,0,0,dataout,16);
179 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
180 LEDsoff();
181 }
182
183 //-----------------------------------------------------------------------------
184 // Select, Authenticate, Read a MIFARE tag.
185 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
186 //-----------------------------------------------------------------------------
187 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
188 {
189 // params
190 uint8_t sectorNo = arg0;
191 uint8_t keyType = arg1;
192 uint64_t ui64Key = 0;
193 ui64Key = bytes_to_num(datain, 6);
194
195 // variables
196 byte_t isOK = 0;
197 byte_t dataoutbuf[16 * 16];
198 uint8_t uid[10];
199 uint32_t cuid;
200 struct Crypto1State mpcs = {0, 0};
201 struct Crypto1State *pcs;
202 pcs = &mpcs;
203
204 // clear trace
205 clear_trace();
206
207 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
208
209 LED_A_ON();
210 LED_B_OFF();
211 LED_C_OFF();
212
213 isOK = 1;
214 if(!iso14443a_select_card(uid, NULL, &cuid)) {
215 isOK = 0;
216 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
217 }
218
219
220 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
221 isOK = 0;
222 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
223 }
224
225 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
226 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
227 isOK = 0;
228 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
229 break;
230 }
231 }
232
233 if(mifare_classic_halt(pcs, cuid)) {
234 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
235 }
236
237 // ----------------------------- crypto1 destroy
238 crypto1_destroy(pcs);
239
240 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
241
242 LED_B_ON();
243 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
244 LED_B_OFF();
245
246 // Thats it...
247 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
248 LEDsoff();
249 }
250
251 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
252 {
253 // free eventually allocated BigBuf memory
254 BigBuf_free();
255 // clear trace
256 clear_trace();
257
258 // params
259 uint8_t blockNo = arg0;
260 uint16_t blocks = arg1;
261 bool useKey = (arg2 == 1); //UL_C
262 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
263 uint32_t countblocks = 0;
264 uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);
265 if (dataout == NULL){
266 Dbprintf("out of memory");
267 OnError(1);
268 return;
269 }
270
271 LEDsoff();
272 LED_A_ON();
273 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
274
275 int len = iso14443a_select_card(NULL, NULL, NULL);
276 if (!len) {
277 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
278 OnError(1);
279 return;
280 }
281
282 // UL-C authentication
283 if ( useKey ) {
284 uint8_t key[16] = {0x00};
285 memcpy(key, datain, sizeof(key) );
286
287 if ( !mifare_ultra_auth(key) ) {
288 OnError(1);
289 return;
290 }
291 }
292
293 // UL-EV1 / NTAG authentication
294 if (usePwd) {
295 uint8_t pwd[4] = {0x00};
296 memcpy(pwd, datain, sizeof(pwd));
297 uint8_t pack[4] = {0,0,0,0};
298
299 if (!mifare_ul_ev1_auth(pwd, pack)){
300 OnError(1);
301 return;
302 }
303 }
304
305 for (int i = 0; i < blocks; i++){
306 if ((i*4) + 4 > CARD_MEMORY_SIZE) {
307 Dbprintf("Data exceeds buffer!!");
308 break;
309 }
310
311 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
312
313 if (len) {
314 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
315 // if no blocks read - error out
316 if (i==0){
317 OnError(2);
318 return;
319 } else {
320 //stop at last successful read block and return what we got
321 break;
322 }
323 } else {
324 countblocks++;
325 }
326 }
327
328 len = mifare_ultra_halt();
329 if (len) {
330 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
331 OnError(3);
332 return;
333 }
334
335 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
336
337 countblocks *= 4;
338 cmd_send(CMD_ACK, 1, countblocks, countblocks, 0, 0);
339 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
340 LEDsoff();
341 }
342
343 //-----------------------------------------------------------------------------
344 // Select, Authenticate, Write a MIFARE tag.
345 // read block
346 //-----------------------------------------------------------------------------
347 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
348 {
349 // params
350 uint8_t blockNo = arg0;
351 uint8_t keyType = arg1;
352 uint64_t ui64Key = 0;
353 byte_t blockdata[16];
354
355 ui64Key = bytes_to_num(datain, 6);
356 memcpy(blockdata, datain + 10, 16);
357
358 // variables
359 byte_t isOK = 0;
360 uint8_t uid[10];
361 uint32_t cuid;
362 struct Crypto1State mpcs = {0, 0};
363 struct Crypto1State *pcs;
364 pcs = &mpcs;
365
366 // clear trace
367 clear_trace();
368
369 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
370
371 LED_A_ON();
372 LED_B_OFF();
373 LED_C_OFF();
374
375 while (true) {
376 if(!iso14443a_select_card(uid, NULL, &cuid)) {
377 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
378 break;
379 };
380
381 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
382 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
383 break;
384 };
385
386 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
387 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
388 break;
389 };
390
391 if(mifare_classic_halt(pcs, cuid)) {
392 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
393 break;
394 };
395
396 isOK = 1;
397 break;
398 }
399
400 // ----------------------------- crypto1 destroy
401 crypto1_destroy(pcs);
402
403 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
404
405 LED_B_ON();
406 cmd_send(CMD_ACK,isOK,0,0,0,0);
407 LED_B_OFF();
408
409
410 // Thats it...
411 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
412 LEDsoff();
413 }
414
415 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
416 {
417 uint8_t blockNo = arg0;
418 byte_t blockdata[16] = {0x00};
419
420 memcpy(blockdata, datain, 16);
421
422 uint8_t uid[10] = {0x00};
423
424 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
425
426 clear_trace();
427 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
428
429 if(!iso14443a_select_card(uid, NULL, NULL)) {
430 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
431 OnError(0);
432 return;
433 };
434
435 if(mifare_ultra_writeblock(blockNo, blockdata)) {
436 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
437 OnError(0);
438 return; };
439
440 if(mifare_ultra_halt()) {
441 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
442 OnError(0);
443 return;
444 };
445
446 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
447
448 cmd_send(CMD_ACK,1,0,0,0,0);
449 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
450 LEDsoff();
451 }
452
453 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
454 {
455 uint8_t blockNo = arg0;
456 byte_t blockdata[4] = {0x00};
457
458 memcpy(blockdata, datain,4);
459
460 LEDsoff();
461 LED_A_ON();
462 clear_trace();
463 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
464
465 if(!iso14443a_select_card(NULL, NULL, NULL)) {
466 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
467 OnError(0);
468 return;
469 };
470
471 if(mifare_ultra_special_writeblock(blockNo, blockdata)) {
472 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
473 OnError(0);
474 return;
475 };
476
477 if(mifare_ultra_halt()) {
478 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
479 OnError(0);
480 return;
481 };
482
483 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
484
485 cmd_send(CMD_ACK,1,0,0,0,0);
486 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
487 LEDsoff();
488 }
489
490 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
491
492 uint8_t pwd[16] = {0x00};
493 byte_t blockdata[4] = {0x00};
494
495 memcpy(pwd, datain, 16);
496
497 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
498 clear_trace();
499 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
500
501 if(!iso14443a_select_card(NULL, NULL, NULL)) {
502 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
503 OnError(0);
504 return;
505 };
506
507 blockdata[0] = pwd[7];
508 blockdata[1] = pwd[6];
509 blockdata[2] = pwd[5];
510 blockdata[3] = pwd[4];
511 if(mifare_ultra_special_writeblock( 44, blockdata)) {
512 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
513 OnError(44);
514 return;
515 };
516
517 blockdata[0] = pwd[3];
518 blockdata[1] = pwd[2];
519 blockdata[2] = pwd[1];
520 blockdata[3] = pwd[0];
521 if(mifare_ultra_special_writeblock( 45, blockdata)) {
522 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
523 OnError(45);
524 return;
525 };
526
527 blockdata[0] = pwd[15];
528 blockdata[1] = pwd[14];
529 blockdata[2] = pwd[13];
530 blockdata[3] = pwd[12];
531 if(mifare_ultra_special_writeblock( 46, blockdata)) {
532 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
533 OnError(46);
534 return;
535 };
536
537 blockdata[0] = pwd[11];
538 blockdata[1] = pwd[10];
539 blockdata[2] = pwd[9];
540 blockdata[3] = pwd[8];
541 if(mifare_ultra_special_writeblock( 47, blockdata)) {
542 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
543 OnError(47);
544 return;
545 };
546
547 if(mifare_ultra_halt()) {
548 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
549 OnError(0);
550 return;
551 };
552
553 cmd_send(CMD_ACK,1,0,0,0,0);
554 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
555 LEDsoff();
556 }
557
558 // Return 1 if the nonce is invalid else return 0
559 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
560 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
561 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
562 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
563 }
564
565
566 //-----------------------------------------------------------------------------
567 // MIFARE nested authentication.
568 //
569 //-----------------------------------------------------------------------------
570 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
571 {
572 // params
573 uint8_t blockNo = arg0 & 0xff;
574 uint8_t keyType = (arg0 >> 8) & 0xff;
575 uint8_t targetBlockNo = arg1 & 0xff;
576 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
577 uint64_t ui64Key = 0;
578
579 ui64Key = bytes_to_num(datain, 6);
580
581 // variables
582 uint16_t rtr, i, j, len;
583 uint16_t davg;
584 static uint16_t dmin, dmax;
585 uint8_t uid[10];
586 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
587 uint8_t par[1];
588 uint32_t target_nt[2], target_ks[2];
589
590 uint8_t par_array[4];
591 uint16_t ncount = 0;
592 struct Crypto1State mpcs = {0, 0};
593 struct Crypto1State *pcs;
594 pcs = &mpcs;
595 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
596
597 uint32_t auth1_time, auth2_time;
598 static uint16_t delta_time;
599
600 // free eventually allocated BigBuf memory
601 BigBuf_free();
602 // clear trace
603 clear_trace();
604 set_tracing(false);
605
606 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
607
608 LED_A_ON();
609 LED_C_OFF();
610
611
612 // statistics on nonce distance
613 if (calibrate) { // for first call only. Otherwise reuse previous calibration
614 LED_B_ON();
615 WDT_HIT();
616
617 davg = dmax = 0;
618 dmin = 2000;
619 delta_time = 0;
620
621 for (rtr = 0; rtr < 17; rtr++) {
622
623 // prepare next select. No need to power down the card.
624 if(mifare_classic_halt(pcs, cuid)) {
625 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
626 rtr--;
627 continue;
628 }
629
630 if(!iso14443a_select_card(uid, NULL, &cuid)) {
631 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
632 rtr--;
633 continue;
634 };
635
636 auth1_time = 0;
637 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
638 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
639 rtr--;
640 continue;
641 };
642
643 if (delta_time) {
644 auth2_time = auth1_time + delta_time;
645 } else {
646 auth2_time = 0;
647 }
648 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
649 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
650 rtr--;
651 continue;
652 };
653
654 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
655 for (i = 101; i < 1200; i++) {
656 nttmp = prng_successor(nttmp, 1);
657 if (nttmp == nt2) break;
658 }
659
660 if (i != 1200) {
661 if (rtr != 0) {
662 davg += i;
663 dmin = MIN(dmin, i);
664 dmax = MAX(dmax, i);
665 }
666 else {
667 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
668 }
669 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
670 }
671 }
672
673 if (rtr <= 1) return;
674
675 davg = (davg + (rtr - 1)/2) / (rtr - 1);
676
677 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
678
679 dmin = davg - 2;
680 dmax = davg + 2;
681
682 LED_B_OFF();
683
684 }
685 // -------------------------------------------------------------------------------------------------
686
687 LED_C_ON();
688
689 // get crypted nonces for target sector
690 for(i=0; i < 2; i++) { // look for exactly two different nonces
691
692 target_nt[i] = 0;
693 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
694
695 // prepare next select. No need to power down the card.
696 if(mifare_classic_halt(pcs, cuid)) {
697 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
698 continue;
699 }
700
701 if(!iso14443a_select_card(uid, NULL, &cuid)) {
702 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
703 continue;
704 };
705
706 auth1_time = 0;
707 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
708 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
709 continue;
710 };
711
712 // nested authentication
713 auth2_time = auth1_time + delta_time;
714 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
715 if (len != 4) {
716 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
717 continue;
718 };
719
720 nt2 = bytes_to_num(receivedAnswer, 4);
721 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
722
723 // Parity validity check
724 for (j = 0; j < 4; j++) {
725 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
726 }
727
728 ncount = 0;
729 nttest = prng_successor(nt1, dmin - 1);
730 for (j = dmin; j < dmax + 1; j++) {
731 nttest = prng_successor(nttest, 1);
732 ks1 = nt2 ^ nttest;
733
734 if (valid_nonce(nttest, nt2, ks1, par_array)){
735 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
736 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
737 target_nt[i] = 0;
738 break;
739 }
740 target_nt[i] = nttest;
741 target_ks[i] = ks1;
742 ncount++;
743 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
744 target_nt[i] = 0;
745 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
746 break;
747 }
748 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
749 }
750 }
751 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
752 }
753 }
754
755 LED_C_OFF();
756
757 // ----------------------------- crypto1 destroy
758 crypto1_destroy(pcs);
759
760 byte_t buf[4 + 4 * 4];
761 memcpy(buf, &cuid, 4);
762 memcpy(buf+4, &target_nt[0], 4);
763 memcpy(buf+8, &target_ks[0], 4);
764 memcpy(buf+12, &target_nt[1], 4);
765 memcpy(buf+16, &target_ks[1], 4);
766
767 LED_B_ON();
768 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
769 LED_B_OFF();
770
771 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
772
773 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
774 LEDsoff();
775 set_tracing(TRUE);
776 }
777
778 //-----------------------------------------------------------------------------
779 // MIFARE check keys. key count up to 85.
780 //
781 //-----------------------------------------------------------------------------
782 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
783 {
784 // params
785 uint8_t blockNo = arg0;
786 uint8_t keyType = arg1;
787 uint8_t keyCount = arg2;
788 uint64_t ui64Key = 0;
789
790 // variables
791 int i;
792 byte_t isOK = 0;
793 uint8_t uid[10];
794 uint32_t cuid;
795 struct Crypto1State mpcs = {0, 0};
796 struct Crypto1State *pcs;
797 pcs = &mpcs;
798
799 // clear debug level
800 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
801 MF_DBGLEVEL = MF_DBG_NONE;
802
803 // clear trace
804 clear_trace();
805 set_tracing(TRUE);
806
807 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
808
809 LED_A_ON();
810 LED_B_OFF();
811 LED_C_OFF();
812
813 for (i = 0; i < keyCount; i++) {
814 if(mifare_classic_halt(pcs, cuid)) {
815 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
816 }
817
818 if(!iso14443a_select_card(uid, NULL, &cuid)) {
819 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
820 break;
821 };
822
823 ui64Key = bytes_to_num(datain + i * 6, 6);
824 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
825 continue;
826 };
827
828 isOK = 1;
829 break;
830 }
831
832 // ----------------------------- crypto1 destroy
833 crypto1_destroy(pcs);
834
835 LED_B_ON();
836 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
837 LED_B_OFF();
838
839 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
840 LEDsoff();
841
842 // restore debug level
843 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
844 }
845
846 //-----------------------------------------------------------------------------
847 // MIFARE commands set debug level
848 //
849 //-----------------------------------------------------------------------------
850 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
851 MF_DBGLEVEL = arg0;
852 Dbprintf("Debug level: %d", MF_DBGLEVEL);
853 }
854
855 //-----------------------------------------------------------------------------
856 // Work with emulator memory
857 //
858 //-----------------------------------------------------------------------------
859 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
860 emlClearMem();
861 }
862
863 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
864 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
865 }
866
867 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
868 byte_t buf[USB_CMD_DATA_SIZE];
869 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
870
871 LED_B_ON();
872 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
873 LED_B_OFF();
874 }
875
876 //-----------------------------------------------------------------------------
877 // Load a card into the emulator memory
878 //
879 //-----------------------------------------------------------------------------
880 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
881 uint8_t numSectors = arg0;
882 uint8_t keyType = arg1;
883 uint64_t ui64Key = 0;
884 uint32_t cuid;
885 struct Crypto1State mpcs = {0, 0};
886 struct Crypto1State *pcs;
887 pcs = &mpcs;
888
889 // variables
890 byte_t dataoutbuf[16];
891 byte_t dataoutbuf2[16];
892 uint8_t uid[10];
893
894 // clear trace
895 clear_trace();
896 set_tracing(false);
897
898 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
899
900 LED_A_ON();
901 LED_B_OFF();
902 LED_C_OFF();
903
904 bool isOK = true;
905
906 if(!iso14443a_select_card(uid, NULL, &cuid)) {
907 isOK = false;
908 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
909 }
910
911 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
912 ui64Key = emlGetKey(sectorNo, keyType);
913 if (sectorNo == 0){
914 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
915 isOK = false;
916 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
917 break;
918 }
919 } else {
920 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
921 isOK = false;
922 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
923 break;
924 }
925 }
926
927 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
928 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
929 isOK = false;
930 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
931 break;
932 };
933 if (isOK) {
934 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
935 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
936 } else { // sector trailer, keep the keys, set only the AC
937 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
938 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
939 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
940 }
941 }
942 }
943
944 }
945
946 if(mifare_classic_halt(pcs, cuid)) {
947 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
948 };
949
950 // ----------------------------- crypto1 destroy
951 crypto1_destroy(pcs);
952
953 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
954 LEDsoff();
955
956 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
957
958 }
959
960
961 //-----------------------------------------------------------------------------
962 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
963 //
964 //-----------------------------------------------------------------------------
965 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
966
967 // params
968 uint8_t needWipe = arg0;
969 // bit 0 - need get UID
970 // bit 1 - need wupC
971 // bit 2 - need HALT after sequence
972 // bit 3 - need init FPGA and field before sequence
973 // bit 4 - need reset FPGA and LED
974 uint8_t workFlags = arg1;
975 uint8_t blockNo = arg2;
976
977 // card commands
978 uint8_t wupC1[] = { 0x40 };
979 uint8_t wupC2[] = { 0x43 };
980 uint8_t wipeC[] = { 0x41 };
981
982 // variables
983 byte_t isOK = 0;
984 uint8_t uid[10] = {0x00};
985 uint8_t d_block[18] = {0x00};
986 uint32_t cuid;
987
988 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
989 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
990
991 // reset FPGA and LED
992 if (workFlags & 0x08) {
993 LED_A_ON();
994 LED_B_OFF();
995 LED_C_OFF();
996
997 clear_trace();
998 set_tracing(TRUE);
999 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1000 }
1001
1002 while (true) {
1003
1004 // get UID from chip
1005 if (workFlags & 0x01) {
1006 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1007 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1008 break;
1009 };
1010
1011 if(mifare_classic_halt(NULL, cuid)) {
1012 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1013 break;
1014 };
1015 };
1016
1017 // reset chip
1018 if (needWipe){
1019 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1020 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1021 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1022 break;
1023 };
1024
1025 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1026 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1027 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1028 break;
1029 };
1030
1031 if(mifare_classic_halt(NULL, cuid)) {
1032 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1033 break;
1034 };
1035 };
1036
1037 // write block
1038 if (workFlags & 0x02) {
1039 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1040 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1041 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1042 break;
1043 };
1044
1045 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1046 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1047 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1048 break;
1049 };
1050 }
1051
1052 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1053 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1054 break;
1055 };
1056
1057 memcpy(d_block, datain, 16);
1058 AppendCrc14443a(d_block, 16);
1059
1060 ReaderTransmit(d_block, sizeof(d_block), NULL);
1061 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1062 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1063 break;
1064 };
1065
1066 if (workFlags & 0x04) {
1067 if (mifare_classic_halt(NULL, cuid)) {
1068 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1069 break;
1070 };
1071 }
1072
1073 isOK = 1;
1074 break;
1075 }
1076
1077 LED_B_ON();
1078 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1079 LED_B_OFF();
1080
1081 if ((workFlags & 0x10) || (!isOK)) {
1082 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1083 LEDsoff();
1084 }
1085 }
1086
1087
1088 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1089
1090 // params
1091 // bit 1 - need wupC
1092 // bit 2 - need HALT after sequence
1093 // bit 3 - need init FPGA and field before sequence
1094 // bit 4 - need reset FPGA and LED
1095 uint8_t workFlags = arg0;
1096 uint8_t blockNo = arg2;
1097
1098 // card commands
1099 uint8_t wupC1[] = { 0x40 };
1100 uint8_t wupC2[] = { 0x43 };
1101
1102 // variables
1103 byte_t isOK = 0;
1104 uint8_t data[18] = {0x00};
1105 uint32_t cuid = 0;
1106
1107 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1108 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1109
1110 if (workFlags & 0x08) {
1111 LED_A_ON();
1112 LED_B_OFF();
1113 LED_C_OFF();
1114
1115 clear_trace();
1116 set_tracing(TRUE);
1117 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1118 }
1119
1120 while (true) {
1121 if (workFlags & 0x02) {
1122 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1123 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1124 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1125 break;
1126 };
1127
1128 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1129 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1130 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1131 break;
1132 };
1133 }
1134
1135 // read block
1136 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1137 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1138 break;
1139 };
1140 memcpy(data, receivedAnswer, 18);
1141
1142 if (workFlags & 0x04) {
1143 if (mifare_classic_halt(NULL, cuid)) {
1144 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1145 break;
1146 };
1147 }
1148
1149 isOK = 1;
1150 break;
1151 }
1152
1153 LED_B_ON();
1154 cmd_send(CMD_ACK,isOK,0,0,data,18);
1155 LED_B_OFF();
1156
1157 if ((workFlags & 0x10) || (!isOK)) {
1158 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1159 LEDsoff();
1160 }
1161 }
1162
1163 void MifareCIdent(){
1164
1165 // card commands
1166 uint8_t wupC1[] = { 0x40 };
1167 uint8_t wupC2[] = { 0x43 };
1168
1169 // variables
1170 byte_t isOK = 1;
1171
1172 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1173 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1174
1175 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1176 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1177 isOK = 0;
1178 };
1179
1180 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1181 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1182 isOK = 0;
1183 };
1184
1185 if (mifare_classic_halt(NULL, 0)) {
1186 isOK = 0;
1187 };
1188
1189 cmd_send(CMD_ACK,isOK,0,0,0,0);
1190 }
1191
1192 //
1193 // DESFIRE
1194 //
1195
1196 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1197
1198 byte_t dataout[11] = {0x00};
1199 uint8_t uid[10] = {0x00};
1200 uint32_t cuid;
1201
1202 clear_trace();
1203 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1204
1205 int len = iso14443a_select_card(uid, NULL, &cuid);
1206 if(!len) {
1207 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1208 OnError(1);
1209 return;
1210 };
1211
1212 if(mifare_desfire_des_auth1(cuid, dataout)){
1213 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1214 OnError(4);
1215 return;
1216 }
1217
1218 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1219 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1220 }
1221
1222 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1223
1224 uint32_t cuid = arg0;
1225 uint8_t key[16] = {0x00};
1226 byte_t isOK = 0;
1227 byte_t dataout[12] = {0x00};
1228
1229 memcpy(key, datain, 16);
1230
1231 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1232
1233 if( isOK) {
1234 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1235 Dbprintf("Authentication part2: Failed");
1236 //OnError(4);
1237 return;
1238 }
1239
1240 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1241 DbpString("AUTH 2 FINISHED");
1242
1243 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1244 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1245 LEDsoff();
1246 }
1247
1248 void OnSuccess(){
1249 pcb_blocknum = 0;
1250 ReaderTransmit(deselect_cmd, 3 , NULL);
1251 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1252 LEDsoff();
1253 }
1254
1255 void OnError(uint8_t reason){
1256 pcb_blocknum = 0;
1257 ReaderTransmit(deselect_cmd, 3 , NULL);
1258 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1259 cmd_send(CMD_ACK,0,reason,0,0,0);
1260 LEDsoff();
1261 }
Impressum, Datenschutz