]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
Reworked how to call 'standard' stuff from within lua scripts, so now it's much simpl...
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "mifarecmd.h"
14 #include "apps.h"
15
16 //-----------------------------------------------------------------------------
17 // Select, Authenticaate, Read an MIFARE tag.
18 // read block
19 //-----------------------------------------------------------------------------
20 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
21 {
22 // params
23 uint8_t blockNo = arg0;
24 uint8_t keyType = arg1;
25 uint64_t ui64Key = 0;
26 ui64Key = bytes_to_num(datain, 6);
27
28 // variables
29 byte_t isOK = 0;
30 byte_t dataoutbuf[16];
31 uint8_t uid[10];
32 uint32_t cuid;
33 struct Crypto1State mpcs = {0, 0};
34 struct Crypto1State *pcs;
35 pcs = &mpcs;
36
37 // clear trace
38 iso14a_clear_trace();
39 // iso14a_set_tracing(false);
40
41 iso14443a_setup();
42
43 LED_A_ON();
44 LED_B_OFF();
45 LED_C_OFF();
46
47 while (true) {
48 if(!iso14443a_select_card(uid, NULL, &cuid)) {
49 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
50 break;
51 };
52
53 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
54 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
55 break;
56 };
57
58 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
60 break;
61 };
62
63 if(mifare_classic_halt(pcs, cuid)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
65 break;
66 };
67
68 isOK = 1;
69 break;
70 }
71
72 // ----------------------------- crypto1 destroy
73 crypto1_destroy(pcs);
74
75 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
76
77 // add trace trailer
78 memset(uid, 0x44, 4);
79 LogTrace(uid, 4, 0, 0, TRUE);
80
81 // UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
82 // memcpy(ack.d.asBytes, dataoutbuf, 16);
83
84 LED_B_ON();
85 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
86 // UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
87 LED_B_OFF();
88
89
90 // Thats it...
91 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
92 LEDsoff();
93 // iso14a_set_tracing(TRUE);
94
95 }
96
97 //-----------------------------------------------------------------------------
98 // Select, Authenticaate, Read an MIFARE tag.
99 // read sector (data = 4 x 16 bytes = 64 bytes)
100 //-----------------------------------------------------------------------------
101 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
102 {
103 // params
104 uint8_t sectorNo = arg0;
105 uint8_t keyType = arg1;
106 uint64_t ui64Key = 0;
107 ui64Key = bytes_to_num(datain, 6);
108
109 // variables
110 byte_t isOK = 0;
111 byte_t dataoutbuf[16 * 4];
112 uint8_t uid[10];
113 uint32_t cuid;
114 struct Crypto1State mpcs = {0, 0};
115 struct Crypto1State *pcs;
116 pcs = &mpcs;
117
118 // clear trace
119 iso14a_clear_trace();
120 // iso14a_set_tracing(false);
121
122 iso14443a_setup();
123
124 LED_A_ON();
125 LED_B_OFF();
126 LED_C_OFF();
127
128 while (true) {
129 if(!iso14443a_select_card(uid, NULL, &cuid)) {
130 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
131 break;
132 };
133
134 if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {
135 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
136 break;
137 };
138
139 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
140 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error");
141 break;
142 };
143 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
144 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error");
145 break;
146 };
147 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
148 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error");
149 break;
150 };
151 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
152 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error");
153 break;
154 };
155
156 if(mifare_classic_halt(pcs, cuid)) {
157 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
158 break;
159 };
160
161 isOK = 1;
162 break;
163 }
164
165 // ----------------------------- crypto1 destroy
166 crypto1_destroy(pcs);
167
168 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
169
170 // add trace trailer
171 memset(uid, 0x44, 4);
172 LogTrace(uid, 4, 0, 0, TRUE);
173
174 // UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
175 // memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);
176
177 LED_B_ON();
178 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,32);
179 // UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
180 // SpinDelay(100);
181
182 // memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
183 // UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
184 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf+32, 32);
185 LED_B_OFF();
186
187 // Thats it...
188 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
189 LEDsoff();
190 // iso14a_set_tracing(TRUE);
191
192 }
193
194 //-----------------------------------------------------------------------------
195 // Select, Authenticaate, Read an MIFARE tag.
196 // read block
197 //-----------------------------------------------------------------------------
198 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
199 {
200 // params
201 uint8_t blockNo = arg0;
202 uint8_t keyType = arg1;
203 uint64_t ui64Key = 0;
204 byte_t blockdata[16];
205
206 ui64Key = bytes_to_num(datain, 6);
207 memcpy(blockdata, datain + 10, 16);
208
209 // variables
210 byte_t isOK = 0;
211 uint8_t uid[10];
212 uint32_t cuid;
213 struct Crypto1State mpcs = {0, 0};
214 struct Crypto1State *pcs;
215 pcs = &mpcs;
216
217 // clear trace
218 iso14a_clear_trace();
219 // iso14a_set_tracing(false);
220
221 iso14443a_setup();
222
223 LED_A_ON();
224 LED_B_OFF();
225 LED_C_OFF();
226
227 while (true) {
228 if(!iso14443a_select_card(uid, NULL, &cuid)) {
229 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
230 break;
231 };
232
233 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
234 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
235 break;
236 };
237
238 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
239 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
240 break;
241 };
242
243 if(mifare_classic_halt(pcs, cuid)) {
244 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
245 break;
246 };
247
248 isOK = 1;
249 break;
250 }
251
252 // ----------------------------- crypto1 destroy
253 crypto1_destroy(pcs);
254
255 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
256
257 // add trace trailer
258 memset(uid, 0x44, 4);
259 LogTrace(uid, 4, 0, 0, TRUE);
260
261 // UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
262
263 LED_B_ON();
264 cmd_send(CMD_ACK,isOK,0,0,0,0);
265 // UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
266 LED_B_OFF();
267
268
269 // Thats it...
270 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
271 LEDsoff();
272 // iso14a_set_tracing(TRUE);
273
274 }
275
276 // Return 1 if the nonce is invalid else return 0
277 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {
278 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
279 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
280 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
281 }
282
283
284
285 //-----------------------------------------------------------------------------
286 // MIFARE nested authentication.
287 //
288 //-----------------------------------------------------------------------------
289 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
290 {
291 // params
292 uint8_t blockNo = arg0 & 0xff;
293 uint8_t keyType = (arg0 >> 8) & 0xff;
294 uint8_t targetBlockNo = arg1 & 0xff;
295 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
296 uint64_t ui64Key = 0;
297
298 ui64Key = bytes_to_num(datain, 6);
299
300 // variables
301 uint16_t rtr, i, j, len;
302 uint16_t davg;
303 static uint16_t dmin, dmax;
304 uint8_t uid[10];
305 uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;
306 uint32_t target_nt[2], target_ks[2];
307
308 uint8_t par_array[4];
309 uint16_t ncount = 0;
310 struct Crypto1State mpcs = {0, 0};
311 struct Crypto1State *pcs;
312 pcs = &mpcs;
313 uint8_t* receivedAnswer = mifare_get_bigbufptr();
314
315 uint32_t auth1_time, auth2_time;
316 static uint16_t delta_time;
317
318 StartCountMifare();
319
320 // clear trace
321 iso14a_clear_trace();
322 iso14a_set_tracing(false);
323
324 iso14443a_setup();
325
326 LED_A_ON();
327 LED_C_OFF();
328
329
330 while((GetCountMifare() & 0xffff0000) != 0x00010000); // wait for counter to reset and "warm up"
331
332 // statistics on nonce distance
333 if (calibrate) { // for first call only. Otherwise reuse previous calibration
334 LED_B_ON();
335
336 davg = dmax = 0;
337 dmin = 2000;
338 delta_time = 0;
339
340 for (rtr = 0; rtr < 17; rtr++) {
341
342 // prepare next select. No need to power down the card.
343 if(mifare_classic_halt(pcs, cuid)) {
344 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
345 rtr--;
346 continue;
347 }
348
349 if(!iso14443a_select_card(uid, NULL, &cuid)) {
350 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
351 rtr--;
352 continue;
353 };
354
355 auth1_time = 0;
356 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
357 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
358 rtr--;
359 continue;
360 };
361
362 if (delta_time) {
363 auth2_time = auth1_time + delta_time;
364 } else {
365 auth2_time = 0;
366 }
367 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
368 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
369 rtr--;
370 continue;
371 };
372
373 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
374 for (i = 101; i < 1200; i++) {
375 nttmp = prng_successor(nttmp, 1);
376 if (nttmp == nt2) break;
377 }
378
379 if (i != 1200) {
380 if (rtr != 0) {
381 davg += i;
382 dmin = MIN(dmin, i);
383 dmax = MAX(dmax, i);
384 }
385 else {
386 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
387 }
388 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
389 }
390 }
391
392 if (rtr <= 1) return;
393
394 davg = (davg + (rtr - 1)/2) / (rtr - 1);
395
396 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
397
398 dmin = davg - 2;
399 dmax = davg + 2;
400
401 LED_B_OFF();
402
403 }
404 // -------------------------------------------------------------------------------------------------
405
406 LED_C_ON();
407
408 // get crypted nonces for target sector
409 for(i=0; i < 2; i++) { // look for exactly two different nonces
410
411 target_nt[i] = 0;
412 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
413
414 // prepare next select. No need to power down the card.
415 if(mifare_classic_halt(pcs, cuid)) {
416 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
417 continue;
418 }
419
420 if(!iso14443a_select_card(uid, NULL, &cuid)) {
421 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
422 continue;
423 };
424
425 auth1_time = 0;
426 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
427 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
428 continue;
429 };
430
431 // nested authentication
432 auth2_time = auth1_time + delta_time;
433 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par, &auth2_time);
434 if (len != 4) {
435 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
436 continue;
437 };
438
439 nt2 = bytes_to_num(receivedAnswer, 4);
440 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par);
441
442 // Parity validity check
443 for (j = 0; j < 4; j++) {
444 par_array[j] = (oddparity(receivedAnswer[j]) != ((par & 0x08) >> 3));
445 par = par << 1;
446 }
447
448 ncount = 0;
449 nttest = prng_successor(nt1, dmin - 1);
450 for (j = dmin; j < dmax + 1; j++) {
451 nttest = prng_successor(nttest, 1);
452 ks1 = nt2 ^ nttest;
453
454 if (valid_nonce(nttest, nt2, ks1, par_array)){
455 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
456 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
457 target_nt[i] = 0;
458 break;
459 }
460 target_nt[i] = nttest;
461 target_ks[i] = ks1;
462 ncount++;
463 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
464 target_nt[i] = 0;
465 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
466 break;
467 }
468 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
469 }
470 }
471 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
472 }
473 }
474
475 LED_C_OFF();
476
477 // ----------------------------- crypto1 destroy
478 crypto1_destroy(pcs);
479
480 // add trace trailer
481 memset(uid, 0x44, 4);
482 LogTrace(uid, 4, 0, 0, TRUE);
483
484 byte_t buf[4 + 4 * 4];
485 memcpy(buf, &cuid, 4);
486 memcpy(buf+4, &target_nt[0], 4);
487 memcpy(buf+8, &target_ks[0], 4);
488 memcpy(buf+12, &target_nt[1], 4);
489 memcpy(buf+16, &target_ks[1], 4);
490
491 LED_B_ON();
492 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
493 LED_B_OFF();
494
495 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
496
497 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
498 LEDsoff();
499 iso14a_set_tracing(TRUE);
500 }
501
502 //-----------------------------------------------------------------------------
503 // MIFARE check keys. key count up to 85.
504 //
505 //-----------------------------------------------------------------------------
506 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
507 {
508 // params
509 uint8_t blockNo = arg0;
510 uint8_t keyType = arg1;
511 uint8_t keyCount = arg2;
512 uint64_t ui64Key = 0;
513
514 // variables
515 int i;
516 byte_t isOK = 0;
517 uint8_t uid[10];
518 uint32_t cuid;
519 struct Crypto1State mpcs = {0, 0};
520 struct Crypto1State *pcs;
521 pcs = &mpcs;
522
523 // clear debug level
524 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
525 MF_DBGLEVEL = MF_DBG_NONE;
526
527 // clear trace
528 iso14a_clear_trace();
529 iso14a_set_tracing(TRUE);
530
531 iso14443a_setup();
532
533 LED_A_ON();
534 LED_B_OFF();
535 LED_C_OFF();
536
537 // SpinDelay(300);
538 for (i = 0; i < keyCount; i++) {
539 // FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
540 // SpinDelay(100);
541 // FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
542 // prepare next select by sending a HALT. There is no need to power down the card.
543 if(mifare_classic_halt(pcs, cuid)) {
544 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
545 }
546
547 // SpinDelay(50);
548
549 if(!iso14443a_select_card(uid, NULL, &cuid)) {
550 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
551 break;
552 };
553
554 ui64Key = bytes_to_num(datain + i * 6, 6);
555 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
556 continue;
557 };
558
559 isOK = 1;
560 break;
561 }
562
563 // ----------------------------- crypto1 destroy
564 crypto1_destroy(pcs);
565
566 // add trace trailer
567 memset(uid, 0x44, 4);
568 LogTrace(uid, 4, 0, 0, TRUE);
569
570 LED_B_ON();
571 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
572 LED_B_OFF();
573
574 // Thats it...
575 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
576 LEDsoff();
577
578 // restore debug level
579 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
580 }
581
582 //-----------------------------------------------------------------------------
583 // MIFARE commands set debug level
584 //
585 //-----------------------------------------------------------------------------
586 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
587 MF_DBGLEVEL = arg0;
588 Dbprintf("Debug level: %d", MF_DBGLEVEL);
589 }
590
591 //-----------------------------------------------------------------------------
592 // Work with emulator memory
593 //
594 //-----------------------------------------------------------------------------
595 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
596 emlClearMem();
597 }
598
599 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
600 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
601 }
602
603 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
604 // UsbCommand ack = {CMD_ACK, {arg0, arg1, 0}};
605
606 byte_t buf[48];
607 emlGetMem(buf, arg0, arg1); // data, block num, blocks count
608
609 LED_B_ON();
610 cmd_send(CMD_ACK,arg0,arg1,0,buf,48);
611 // UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
612 LED_B_OFF();
613 }
614
615 //-----------------------------------------------------------------------------
616 // Load a card into the emulator memory
617 //
618 //-----------------------------------------------------------------------------
619 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
620 int i;
621 uint8_t sectorNo = 0;
622 uint8_t keyType = arg1;
623 uint64_t ui64Key = 0;
624 uint32_t cuid;
625 struct Crypto1State mpcs = {0, 0};
626 struct Crypto1State *pcs;
627 pcs = &mpcs;
628
629 // variables
630 byte_t dataoutbuf[16];
631 byte_t dataoutbuf2[16];
632 uint8_t uid[10];
633
634 // clear trace
635 iso14a_clear_trace();
636 iso14a_set_tracing(false);
637
638 iso14443a_setup();
639
640 LED_A_ON();
641 LED_B_OFF();
642 LED_C_OFF();
643
644 while (true) {
645 if(!iso14443a_select_card(uid, NULL, &cuid)) {
646 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
647 break;
648 };
649
650 for (i = 0; i < 16; i++) {
651 sectorNo = i;
652 ui64Key = emlGetKey(sectorNo, keyType);
653
654 if (!i){
655 if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {
656 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%d]. Auth error", i);
657 break;
658 }
659 } else {
660 if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_NESTED)) {
661 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%d]. Auth nested error", i);
662 break;
663 }
664 }
665
666 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf)) {
667 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error");
668 break;
669 };
670 emlSetMem(dataoutbuf, sectorNo * 4 + 0, 1);
671
672 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf)) {
673 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error");
674 break;
675 };
676 emlSetMem(dataoutbuf, sectorNo * 4 + 1, 1);
677
678 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf)) {
679 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error");
680 break;
681 };
682 emlSetMem(dataoutbuf, sectorNo * 4 + 2, 1);
683
684 // get block 3 bytes 6-9
685 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf)) {
686 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error");
687 break;
688 };
689 emlGetMem(dataoutbuf2, sectorNo * 4 + 3, 1);
690 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
691 emlSetMem(dataoutbuf2, sectorNo * 4 + 3, 1);
692 }
693
694 if(mifare_classic_halt(pcs, cuid)) {
695 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
696 break;
697 };
698
699 break;
700 }
701
702 // ----------------------------- crypto1 destroy
703 crypto1_destroy(pcs);
704
705 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
706 LEDsoff();
707
708 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
709
710 // add trace trailer
711 memset(uid, 0x44, 4);
712 LogTrace(uid, 4, 0, 0, TRUE);
713 }
714
715 //-----------------------------------------------------------------------------
716 // MIFARE 1k emulator
717 //
718 //-----------------------------------------------------------------------------
719
720
721 //-----------------------------------------------------------------------------
722 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
723 //
724 //-----------------------------------------------------------------------------
725 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
726
727 // params
728 uint8_t needWipe = arg0;
729 // bit 0 - need get UID
730 // bit 1 - need wupC
731 // bit 2 - need HALT after sequence
732 // bit 3 - need init FPGA and field before sequence
733 // bit 4 - need reset FPGA and LED
734 uint8_t workFlags = arg1;
735 uint8_t blockNo = arg2;
736
737 // card commands
738 uint8_t wupC1[] = { 0x40 };
739 uint8_t wupC2[] = { 0x43 };
740 uint8_t wipeC[] = { 0x41 };
741
742 // variables
743 byte_t isOK = 0;
744 uint8_t uid[10];
745 uint8_t d_block[18];
746 uint32_t cuid;
747
748 memset(uid, 0x00, 10);
749 uint8_t* receivedAnswer = mifare_get_bigbufptr();
750
751 if (workFlags & 0x08) {
752 // clear trace
753 iso14a_clear_trace();
754 iso14a_set_tracing(TRUE);
755
756 iso14443a_setup();
757
758 LED_A_ON();
759 LED_B_OFF();
760 LED_C_OFF();
761
762 SpinDelay(300);
763 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
764 SpinDelay(100);
765 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
766 }
767
768 while (true) {
769 // get UID from chip
770 if (workFlags & 0x01) {
771 if(!iso14443a_select_card(uid, NULL, &cuid)) {
772 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
773 break;
774 };
775
776 if(mifare_classic_halt(NULL, cuid)) {
777 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
778 break;
779 };
780 };
781
782 // reset chip
783 if (needWipe){
784 ReaderTransmitBitsPar(wupC1,7,0, NULL);
785 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
786 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
787 break;
788 };
789
790 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
791 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
792 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
793 break;
794 };
795
796 if(mifare_classic_halt(NULL, cuid)) {
797 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
798 break;
799 };
800 };
801
802 // write block
803 if (workFlags & 0x02) {
804 ReaderTransmitBitsPar(wupC1,7,0, NULL);
805 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
806 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
807 break;
808 };
809
810 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
811 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
812 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
813 break;
814 };
815 }
816
817 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
818 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
819 break;
820 };
821
822 memcpy(d_block, datain, 16);
823 AppendCrc14443a(d_block, 16);
824
825 ReaderTransmit(d_block, sizeof(d_block), NULL);
826 if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {
827 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
828 break;
829 };
830
831 if (workFlags & 0x04) {
832 if (mifare_classic_halt(NULL, cuid)) {
833 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
834 break;
835 };
836 }
837
838 isOK = 1;
839 break;
840 }
841
842 // UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
843 // if (isOK) memcpy(ack.d.asBytes, uid, 4);
844
845 // add trace trailer
846 /**
847 * Removed by Martin, the uid is overwritten with 0x44,
848 * which can 't be intended.
849 *
850 * memset(uid, 0x44, 4);
851 * LogTrace(uid, 4, 0, 0, TRUE);
852 **/
853
854
855 LED_B_ON();
856 cmd_send(CMD_ACK,isOK,0,0,uid,4);
857 // UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
858 LED_B_OFF();
859
860 if ((workFlags & 0x10) || (!isOK)) {
861 // Thats it...
862 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
863 LEDsoff();
864 }
865 }
866
867 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
868
869 // params
870 // bit 1 - need wupC
871 // bit 2 - need HALT after sequence
872 // bit 3 - need init FPGA and field before sequence
873 // bit 4 - need reset FPGA and LED
874 uint8_t workFlags = arg0;
875 uint8_t blockNo = arg2;
876
877 // card commands
878 uint8_t wupC1[] = { 0x40 };
879 uint8_t wupC2[] = { 0x43 };
880
881 // variables
882 byte_t isOK = 0;
883 uint8_t data[18];
884 uint32_t cuid = 0;
885
886 memset(data, 0x00, 18);
887 uint8_t* receivedAnswer = mifare_get_bigbufptr();
888
889 if (workFlags & 0x08) {
890 // clear trace
891 iso14a_clear_trace();
892 iso14a_set_tracing(TRUE);
893
894 iso14443a_setup();
895
896 LED_A_ON();
897 LED_B_OFF();
898 LED_C_OFF();
899
900 SpinDelay(300);
901 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
902 SpinDelay(100);
903 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
904 }
905
906 while (true) {
907 if (workFlags & 0x02) {
908 ReaderTransmitBitsPar(wupC1,7,0, NULL);
909 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
910 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
911 break;
912 };
913
914 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
915 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
916 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
917 break;
918 };
919 }
920
921 // read block
922 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, NULL) != 18)) {
923 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
924 break;
925 };
926 memcpy(data, receivedAnswer, 18);
927
928 if (workFlags & 0x04) {
929 if (mifare_classic_halt(NULL, cuid)) {
930 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
931 break;
932 };
933 }
934
935 isOK = 1;
936 break;
937 }
938
939 // UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
940 // if (isOK) memcpy(ack.d.asBytes, data, 18);
941
942 // add trace trailer
943 /*
944 * Removed by Martin, this piece of overwrites the 'data' variable
945 * which is sent two lines down, and is obviously not correct.
946 *
947 * memset(data, 0x44, 4);
948 * LogTrace(data, 4, 0, 0, TRUE);
949 */
950 LED_B_ON();
951 cmd_send(CMD_ACK,isOK,0,0,data,18);
952 // UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
953 LED_B_OFF();
954
955 if ((workFlags & 0x10) || (!isOK)) {
956 // Thats it...
957 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
958 LEDsoff();
959 }
960 }
961
Impressum, Datenschutz