]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of https://github.com/Proxmark/proxmark3
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19 //#include "../client/loclass/des.h"
20 #include "des.h"
21 #include "crc.h"
22
23 //-----------------------------------------------------------------------------
24 // Select, Authenticate, Read a MIFARE tag.
25 // read block
26 //-----------------------------------------------------------------------------
27 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
28 {
29 // params
30 uint8_t blockNo = arg0;
31 uint8_t keyType = arg1;
32 uint64_t ui64Key = 0;
33 ui64Key = bytes_to_num(datain, 6);
34
35 // variables
36 byte_t isOK = 0;
37 byte_t dataoutbuf[16];
38 uint8_t uid[10];
39 uint32_t cuid;
40 struct Crypto1State mpcs = {0, 0};
41 struct Crypto1State *pcs;
42 pcs = &mpcs;
43
44 // clear trace
45 clear_trace();
46 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
47
48 LED_A_ON();
49 LED_B_OFF();
50 LED_C_OFF();
51
52 while (true) {
53 if(!iso14443a_select_card(uid, NULL, &cuid)) {
54 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
55 break;
56 };
57
58 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
60 break;
61 };
62
63 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
65 break;
66 };
67
68 if(mifare_classic_halt(pcs, cuid)) {
69 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
70 break;
71 };
72
73 isOK = 1;
74 break;
75 }
76
77 // ----------------------------- crypto1 destroy
78 crypto1_destroy(pcs);
79
80 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
81
82 LED_B_ON();
83 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
84 LED_B_OFF();
85
86 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
87 LEDsoff();
88 }
89
90
91 void MifareUC_Auth1(uint8_t arg0, uint8_t *datain){
92
93 byte_t isOK = 0;
94 byte_t dataoutbuf[16] = {0x00};
95 uint8_t uid[10] = {0x00};
96 uint32_t cuid;
97
98 LED_A_ON();
99 LED_B_OFF();
100 LED_C_OFF();
101
102 clear_trace();
103 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
104
105 if(!iso14443a_select_card(uid, NULL, &cuid)) {
106 if (MF_DBGLEVEL >= MF_DBG_ERROR)
107 Dbprintf("Can't select card");
108 OnError(0);
109 return;
110 };
111
112 if(mifare_ultra_auth1(cuid, dataoutbuf)){
113 if (MF_DBGLEVEL >= MF_DBG_ERROR)
114 Dbprintf("Authentication part1: Fail.");
115 OnError(1);
116 return;
117 }
118
119 isOK = 1;
120 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
121 DbpString("AUTH 1 FINISHED");
122
123 cmd_send(CMD_ACK,isOK,cuid,0,dataoutbuf,11);
124 LEDsoff();
125 }
126 void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){
127
128 uint32_t cuid = arg0;
129 uint8_t key[16] = {0x00};
130 byte_t isOK = 0;
131 byte_t dataoutbuf[16] = {0x00};
132
133 memcpy(key, datain, 16);
134
135 LED_A_ON();
136 LED_B_OFF();
137 LED_C_OFF();
138
139 if(mifare_ultra_auth2(cuid, key, dataoutbuf)){
140 if (MF_DBGLEVEL >= MF_DBG_ERROR)
141 Dbprintf("Authentication part2: Fail...");
142 OnError(1);
143 return;
144 }
145
146 isOK = 1;
147 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
148 DbpString("AUTH 2 FINISHED");
149
150 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,11);
151 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
152 LEDsoff();
153 }
154
155 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
156 {
157 uint8_t blockNo = arg0;
158 byte_t dataout[16] = {0x00};
159 uint8_t uid[10] = {0x00};
160 uint8_t key[8] = {0x00};
161 uint32_t cuid;
162 bool usePwd = false;
163
164 usePwd = (arg1 == 1);
165
166 // use password
167 if ( usePwd )
168 memcpy(key, datain, 8);
169
170 LED_A_ON();
171 LED_B_OFF();
172 LED_C_OFF();
173
174 clear_trace();
175 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
176
177 int len = iso14443a_select_card(uid, NULL, &cuid);
178 if(!len) {
179 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
180 OnError(1);
181 return;
182 };
183
184 // authenticate here.
185 if ( usePwd ) {
186
187 uint8_t a[8] = { 0x01 };
188 uint8_t b[8] = { 0x00 };
189 uint8_t enc_b[8] = { 0x00 };
190 uint8_t ab[16] = { 0x00 };
191
192 uint8_t transKey[8] = { 0x00 };
193
194 uint16_t len;
195 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
196 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
197
198 len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
199 if (len == 1) {
200 if (MF_DBGLEVEL >= MF_DBG_ERROR)
201 Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
202 OnError(1);
203 return;
204 }
205
206 // memcpy(dataout, receivedAnswer, 11);
207
208 // tag nonce.
209 memcpy(enc_b,receivedAnswer+1,8);
210
211 // decrypt nonce.
212 des_dec(enc_b, b, key );
213
214 Dbprintf("enc_B: %02x %02x %02x %02x %02x %02x %02x %02x", enc_b[0],enc_b[1],enc_b[2],enc_b[3],enc_b[4],enc_b[5],enc_b[6],enc_b[7] );
215
216 rol(b,8);
217
218 memcpy(ab ,a,8);
219 memcpy(ab+8,b,8);
220
221 Dbprintf("AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab[0],ab[1],ab[2],ab[3],ab[4],ab[5],ab[6],ab[7] );
222 Dbprintf("AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab[8],ab[9],ab[10],ab[11],ab[12],ab[13],ab[14],ab[15] );
223
224 // encrypt
225 des_enc(ab, ab, key);
226
227 Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab[0],ab[1],ab[2],ab[3],ab[4],ab[5],ab[6],ab[7] );
228 Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab[8],ab[9],ab[10],ab[11],ab[12],ab[13],ab[14],ab[15] );
229
230 len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, ab, receivedAnswer, receivedAnswerPar, NULL);
231 if (len == 1) {
232 if (MF_DBGLEVEL >= MF_DBG_ERROR)
233 Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
234 OnError(1);
235 return;
236 }
237
238 //
239 memcpy(transKey, receivedAnswer+1, 8);
240 Dbprintf("TRANSACTIONKEY: %02x %02x %02x %02x %02x %02x %02x %02x", transKey[0],transKey[1],transKey[2],transKey[3],
241 transKey[4],transKey[5],transKey[6],transKey[7] );
242 }
243
244 len = mifare_ultra_readblock(cuid, blockNo, dataout);
245 if(len) {
246 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
247 OnError(2);
248 return;
249 };
250
251 len = mifare_ultra_halt(cuid);
252 if(len) {
253 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
254 OnError(3);
255 return;
256 };
257
258 cmd_send(CMD_ACK,1,0,0,dataout,16);
259 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
260 LEDsoff();
261 }
262
263 //-----------------------------------------------------------------------------
264 // Select, Authenticate, Read a MIFARE tag.
265 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
266 //-----------------------------------------------------------------------------
267 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
268 {
269 // params
270 uint8_t sectorNo = arg0;
271 uint8_t keyType = arg1;
272 uint64_t ui64Key = 0;
273 ui64Key = bytes_to_num(datain, 6);
274
275 // variables
276 byte_t isOK = 0;
277 byte_t dataoutbuf[16 * 16];
278 uint8_t uid[10];
279 uint32_t cuid;
280 struct Crypto1State mpcs = {0, 0};
281 struct Crypto1State *pcs;
282 pcs = &mpcs;
283
284 // clear trace
285 clear_trace();
286
287 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
288
289 LED_A_ON();
290 LED_B_OFF();
291 LED_C_OFF();
292
293 isOK = 1;
294 if(!iso14443a_select_card(uid, NULL, &cuid)) {
295 isOK = 0;
296 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
297 }
298
299
300 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
301 isOK = 0;
302 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
303 }
304
305 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
306 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
307 isOK = 0;
308 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
309 break;
310 }
311 }
312
313 if(mifare_classic_halt(pcs, cuid)) {
314 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
315 }
316
317 // ----------------------------- crypto1 destroy
318 crypto1_destroy(pcs);
319
320 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
321
322 LED_B_ON();
323 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
324 LED_B_OFF();
325
326 // Thats it...
327 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
328 LEDsoff();
329 }
330
331 void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)
332 {
333 // params
334 uint8_t sectorNo = arg0;
335 int Pages = arg1;
336 int count_Pages = 0;
337 byte_t dataout[176] = {0x00};;
338 uint8_t uid[10] = {0x00};
339 uint32_t cuid;
340
341 LED_A_ON();
342 LED_B_OFF();
343 LED_C_OFF();
344
345 if (MF_DBGLEVEL >= MF_DBG_ALL)
346 Dbprintf("Pages %d",Pages);
347
348 clear_trace();
349 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
350
351 int len = iso14443a_select_card(uid, NULL, &cuid);
352
353 if (!len) {
354 if (MF_DBGLEVEL >= MF_DBG_ERROR)
355 Dbprintf("Can't select card (RC:%d)",len);
356 OnError(1);
357 return;
358 }
359
360 for (int i = 0; i < Pages; i++){
361
362 len = mifare_ultra_readblock(cuid, sectorNo * 4 + i, dataout + 4 * i);
363
364 if (len) {
365 if (MF_DBGLEVEL >= MF_DBG_ERROR)
366 Dbprintf("Read block %d error",i);
367 OnError(2);
368 return;
369 } else {
370 count_Pages++;
371 }
372 }
373
374 len = mifare_ultra_halt(cuid);
375 if (len) {
376 if (MF_DBGLEVEL >= MF_DBG_ERROR)
377 Dbprintf("Halt error");
378 OnError(3);
379 return;
380 }
381
382 if (MF_DBGLEVEL >= MF_DBG_ALL) {
383 Dbprintf("Pages read %d", count_Pages);
384 }
385
386 len = 16*4; //64 bytes
387
388 // Read a UL-C
389 if (Pages == 44 && count_Pages > 16)
390 len = 176;
391
392 cmd_send(CMD_ACK, 1, 0, 0, dataout, len);
393 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
394 LEDsoff();
395 }
396
397
398 //-----------------------------------------------------------------------------
399 // Select, Authenticate, Write a MIFARE tag.
400 // read block
401 //-----------------------------------------------------------------------------
402 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
403 {
404 // params
405 uint8_t blockNo = arg0;
406 uint8_t keyType = arg1;
407 uint64_t ui64Key = 0;
408 byte_t blockdata[16];
409
410 ui64Key = bytes_to_num(datain, 6);
411 memcpy(blockdata, datain + 10, 16);
412
413 // variables
414 byte_t isOK = 0;
415 uint8_t uid[10];
416 uint32_t cuid;
417 struct Crypto1State mpcs = {0, 0};
418 struct Crypto1State *pcs;
419 pcs = &mpcs;
420
421 // clear trace
422 clear_trace();
423
424 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
425
426 LED_A_ON();
427 LED_B_OFF();
428 LED_C_OFF();
429
430 while (true) {
431 if(!iso14443a_select_card(uid, NULL, &cuid)) {
432 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
433 break;
434 };
435
436 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
437 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
438 break;
439 };
440
441 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
442 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
443 break;
444 };
445
446 if(mifare_classic_halt(pcs, cuid)) {
447 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
448 break;
449 };
450
451 isOK = 1;
452 break;
453 }
454
455 // ----------------------------- crypto1 destroy
456 crypto1_destroy(pcs);
457
458 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
459
460 LED_B_ON();
461 cmd_send(CMD_ACK,isOK,0,0,0,0);
462 LED_B_OFF();
463
464
465 // Thats it...
466 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
467 LEDsoff();
468 }
469
470 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
471 {
472 // params
473 uint8_t blockNo = arg0;
474 byte_t blockdata[16] = {0x00};
475
476 memcpy(blockdata, datain,16);
477
478 // variables
479 byte_t isOK = 0;
480 uint8_t uid[10] = {0x00};
481 uint32_t cuid;
482
483 clear_trace();
484 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
485
486 LED_A_ON();
487 LED_B_OFF();
488 LED_C_OFF();
489
490 while (true) {
491 if(!iso14443a_select_card(uid, NULL, &cuid)) {
492 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
493 break;
494 };
495
496 if(mifare_ultra_writeblock(cuid, blockNo, blockdata)) {
497 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
498 break;
499 };
500
501 if(mifare_ultra_halt(cuid)) {
502 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
503 break;
504 };
505
506 isOK = 1;
507 break;
508 }
509
510 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
511
512 cmd_send(CMD_ACK,isOK,0,0,0,0);
513 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
514 LEDsoff();
515 }
516
517 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
518 {
519 // params
520 uint8_t blockNo = arg0;
521 byte_t blockdata[4] = {0x00};
522
523 memcpy(blockdata, datain,4);
524
525 // variables
526 byte_t isOK = 0;
527 uint8_t uid[10] = {0x00};
528 uint32_t cuid;
529
530 clear_trace();
531 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
532
533 LED_A_ON();
534 LED_B_OFF();
535 LED_C_OFF();
536
537 while (true) {
538 if(!iso14443a_select_card(uid, NULL, &cuid)) {
539 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
540 break;
541 };
542
543 if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) {
544 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
545 break;
546 };
547
548 if(mifare_ultra_halt(cuid)) {
549 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
550 break;
551 };
552
553 isOK = 1;
554 break;
555 }
556
557 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
558
559 cmd_send(CMD_ACK,isOK,0,0,0,0);
560 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
561 LEDsoff();
562 }
563
564 // Return 1 if the nonce is invalid else return 0
565 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
566 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
567 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
568 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
569 }
570
571
572 //-----------------------------------------------------------------------------
573 // MIFARE nested authentication.
574 //
575 //-----------------------------------------------------------------------------
576 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
577 {
578 // params
579 uint8_t blockNo = arg0 & 0xff;
580 uint8_t keyType = (arg0 >> 8) & 0xff;
581 uint8_t targetBlockNo = arg1 & 0xff;
582 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
583 uint64_t ui64Key = 0;
584
585 ui64Key = bytes_to_num(datain, 6);
586
587 // variables
588 uint16_t rtr, i, j, len;
589 uint16_t davg;
590 static uint16_t dmin, dmax;
591 uint8_t uid[10];
592 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
593 uint8_t par[1];
594 uint32_t target_nt[2], target_ks[2];
595
596 uint8_t par_array[4];
597 uint16_t ncount = 0;
598 struct Crypto1State mpcs = {0, 0};
599 struct Crypto1State *pcs;
600 pcs = &mpcs;
601 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
602
603 uint32_t auth1_time, auth2_time;
604 static uint16_t delta_time;
605
606 // free eventually allocated BigBuf memory
607 BigBuf_free();
608 // clear trace
609 clear_trace();
610 set_tracing(false);
611
612 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
613
614 LED_A_ON();
615 LED_C_OFF();
616
617
618 // statistics on nonce distance
619 if (calibrate) { // for first call only. Otherwise reuse previous calibration
620 LED_B_ON();
621 WDT_HIT();
622
623 davg = dmax = 0;
624 dmin = 2000;
625 delta_time = 0;
626
627 for (rtr = 0; rtr < 17; rtr++) {
628
629 // prepare next select. No need to power down the card.
630 if(mifare_classic_halt(pcs, cuid)) {
631 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
632 rtr--;
633 continue;
634 }
635
636 if(!iso14443a_select_card(uid, NULL, &cuid)) {
637 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
638 rtr--;
639 continue;
640 };
641
642 auth1_time = 0;
643 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
644 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
645 rtr--;
646 continue;
647 };
648
649 if (delta_time) {
650 auth2_time = auth1_time + delta_time;
651 } else {
652 auth2_time = 0;
653 }
654 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
655 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
656 rtr--;
657 continue;
658 };
659
660 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
661 for (i = 101; i < 1200; i++) {
662 nttmp = prng_successor(nttmp, 1);
663 if (nttmp == nt2) break;
664 }
665
666 if (i != 1200) {
667 if (rtr != 0) {
668 davg += i;
669 dmin = MIN(dmin, i);
670 dmax = MAX(dmax, i);
671 }
672 else {
673 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
674 }
675 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
676 }
677 }
678
679 if (rtr <= 1) return;
680
681 davg = (davg + (rtr - 1)/2) / (rtr - 1);
682
683 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
684
685 dmin = davg - 2;
686 dmax = davg + 2;
687
688 LED_B_OFF();
689
690 }
691 // -------------------------------------------------------------------------------------------------
692
693 LED_C_ON();
694
695 // get crypted nonces for target sector
696 for(i=0; i < 2; i++) { // look for exactly two different nonces
697
698 target_nt[i] = 0;
699 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
700
701 // prepare next select. No need to power down the card.
702 if(mifare_classic_halt(pcs, cuid)) {
703 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
704 continue;
705 }
706
707 if(!iso14443a_select_card(uid, NULL, &cuid)) {
708 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
709 continue;
710 };
711
712 auth1_time = 0;
713 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
714 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
715 continue;
716 };
717
718 // nested authentication
719 auth2_time = auth1_time + delta_time;
720 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
721 if (len != 4) {
722 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
723 continue;
724 };
725
726 nt2 = bytes_to_num(receivedAnswer, 4);
727 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
728
729 // Parity validity check
730 for (j = 0; j < 4; j++) {
731 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
732 }
733
734 ncount = 0;
735 nttest = prng_successor(nt1, dmin - 1);
736 for (j = dmin; j < dmax + 1; j++) {
737 nttest = prng_successor(nttest, 1);
738 ks1 = nt2 ^ nttest;
739
740 if (valid_nonce(nttest, nt2, ks1, par_array)){
741 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
742 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
743 target_nt[i] = 0;
744 break;
745 }
746 target_nt[i] = nttest;
747 target_ks[i] = ks1;
748 ncount++;
749 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
750 target_nt[i] = 0;
751 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
752 break;
753 }
754 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
755 }
756 }
757 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
758 }
759 }
760
761 LED_C_OFF();
762
763 // ----------------------------- crypto1 destroy
764 crypto1_destroy(pcs);
765
766 byte_t buf[4 + 4 * 4];
767 memcpy(buf, &cuid, 4);
768 memcpy(buf+4, &target_nt[0], 4);
769 memcpy(buf+8, &target_ks[0], 4);
770 memcpy(buf+12, &target_nt[1], 4);
771 memcpy(buf+16, &target_ks[1], 4);
772
773 LED_B_ON();
774 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
775 LED_B_OFF();
776
777 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
778
779 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
780 LEDsoff();
781 set_tracing(TRUE);
782 }
783
784 //-----------------------------------------------------------------------------
785 // MIFARE check keys. key count up to 85.
786 //
787 //-----------------------------------------------------------------------------
788 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
789 {
790 // params
791 uint8_t blockNo = arg0;
792 uint8_t keyType = arg1;
793 uint8_t keyCount = arg2;
794 uint64_t ui64Key = 0;
795
796 // variables
797 int i;
798 byte_t isOK = 0;
799 uint8_t uid[10];
800 uint32_t cuid;
801 struct Crypto1State mpcs = {0, 0};
802 struct Crypto1State *pcs;
803 pcs = &mpcs;
804
805 // clear debug level
806 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
807 MF_DBGLEVEL = MF_DBG_NONE;
808
809 // clear trace
810 clear_trace();
811 set_tracing(TRUE);
812
813 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
814
815 LED_A_ON();
816 LED_B_OFF();
817 LED_C_OFF();
818
819 for (i = 0; i < keyCount; i++) {
820 if(mifare_classic_halt(pcs, cuid)) {
821 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
822 }
823
824 if(!iso14443a_select_card(uid, NULL, &cuid)) {
825 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
826 break;
827 };
828
829 ui64Key = bytes_to_num(datain + i * 6, 6);
830 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
831 continue;
832 };
833
834 isOK = 1;
835 break;
836 }
837
838 // ----------------------------- crypto1 destroy
839 crypto1_destroy(pcs);
840
841 LED_B_ON();
842 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
843 LED_B_OFF();
844
845 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
846 LEDsoff();
847
848 // restore debug level
849 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
850 }
851
852 //-----------------------------------------------------------------------------
853 // MIFARE commands set debug level
854 //
855 //-----------------------------------------------------------------------------
856 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
857 MF_DBGLEVEL = arg0;
858 Dbprintf("Debug level: %d", MF_DBGLEVEL);
859 }
860
861 //-----------------------------------------------------------------------------
862 // Work with emulator memory
863 //
864 //-----------------------------------------------------------------------------
865 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
866 emlClearMem();
867 }
868
869 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
870 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
871 }
872
873 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
874 byte_t buf[USB_CMD_DATA_SIZE];
875 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
876
877 LED_B_ON();
878 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
879 LED_B_OFF();
880 }
881
882 //-----------------------------------------------------------------------------
883 // Load a card into the emulator memory
884 //
885 //-----------------------------------------------------------------------------
886 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
887 uint8_t numSectors = arg0;
888 uint8_t keyType = arg1;
889 uint64_t ui64Key = 0;
890 uint32_t cuid;
891 struct Crypto1State mpcs = {0, 0};
892 struct Crypto1State *pcs;
893 pcs = &mpcs;
894
895 // variables
896 byte_t dataoutbuf[16];
897 byte_t dataoutbuf2[16];
898 uint8_t uid[10];
899
900 // clear trace
901 clear_trace();
902 set_tracing(false);
903
904 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
905
906 LED_A_ON();
907 LED_B_OFF();
908 LED_C_OFF();
909
910 bool isOK = true;
911
912 if(!iso14443a_select_card(uid, NULL, &cuid)) {
913 isOK = false;
914 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
915 }
916
917 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
918 ui64Key = emlGetKey(sectorNo, keyType);
919 if (sectorNo == 0){
920 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
921 isOK = false;
922 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
923 break;
924 }
925 } else {
926 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
927 isOK = false;
928 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
929 break;
930 }
931 }
932
933 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
934 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
935 isOK = false;
936 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
937 break;
938 };
939 if (isOK) {
940 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
941 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
942 } else { // sector trailer, keep the keys, set only the AC
943 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
944 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
945 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
946 }
947 }
948 }
949
950 }
951
952 if(mifare_classic_halt(pcs, cuid)) {
953 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
954 };
955
956 // ----------------------------- crypto1 destroy
957 crypto1_destroy(pcs);
958
959 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
960 LEDsoff();
961
962 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
963
964 }
965
966
967 //-----------------------------------------------------------------------------
968 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
969 //
970 //-----------------------------------------------------------------------------
971 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
972
973 // params
974 uint8_t needWipe = arg0;
975 // bit 0 - need get UID
976 // bit 1 - need wupC
977 // bit 2 - need HALT after sequence
978 // bit 3 - need init FPGA and field before sequence
979 // bit 4 - need reset FPGA and LED
980 uint8_t workFlags = arg1;
981 uint8_t blockNo = arg2;
982
983 // card commands
984 uint8_t wupC1[] = { 0x40 };
985 uint8_t wupC2[] = { 0x43 };
986 uint8_t wipeC[] = { 0x41 };
987
988 // variables
989 byte_t isOK = 0;
990 uint8_t uid[10] = {0x00};
991 uint8_t d_block[18] = {0x00};
992 uint32_t cuid;
993
994 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
995 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
996
997 // reset FPGA and LED
998 if (workFlags & 0x08) {
999 LED_A_ON();
1000 LED_B_OFF();
1001 LED_C_OFF();
1002
1003 clear_trace();
1004 set_tracing(TRUE);
1005 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1006 }
1007
1008 while (true) {
1009
1010 // get UID from chip
1011 if (workFlags & 0x01) {
1012 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1013 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1014 //break;
1015 };
1016
1017 if(mifare_classic_halt(NULL, cuid)) {
1018 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1019 //break;
1020 };
1021 };
1022
1023 // reset chip
1024 if (needWipe){
1025 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1026 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1027 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1028 break;
1029 };
1030
1031 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1032 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1033 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1034 break;
1035 };
1036
1037 if(mifare_classic_halt(NULL, cuid)) {
1038 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1039 break;
1040 };
1041 };
1042
1043 // write block
1044 if (workFlags & 0x02) {
1045 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1046 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1047 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1048 break;
1049 };
1050
1051 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1052 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1053 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1054 break;
1055 };
1056 }
1057
1058 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1059 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1060 break;
1061 };
1062
1063 memcpy(d_block, datain, 16);
1064 AppendCrc14443a(d_block, 16);
1065
1066 ReaderTransmit(d_block, sizeof(d_block), NULL);
1067 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1068 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1069 break;
1070 };
1071
1072 if (workFlags & 0x04) {
1073 if (mifare_classic_halt(NULL, cuid)) {
1074 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1075 break;
1076 };
1077 }
1078
1079 isOK = 1;
1080 break;
1081 }
1082
1083 LED_B_ON();
1084 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1085 LED_B_OFF();
1086
1087 if ((workFlags & 0x10) || (!isOK)) {
1088 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1089 LEDsoff();
1090 }
1091 }
1092
1093
1094 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1095
1096 // params
1097 // bit 1 - need wupC
1098 // bit 2 - need HALT after sequence
1099 // bit 3 - need init FPGA and field before sequence
1100 // bit 4 - need reset FPGA and LED
1101 uint8_t workFlags = arg0;
1102 uint8_t blockNo = arg2;
1103
1104 // card commands
1105 uint8_t wupC1[] = { 0x40 };
1106 uint8_t wupC2[] = { 0x43 };
1107
1108 // variables
1109 byte_t isOK = 0;
1110 uint8_t data[18] = {0x00};
1111 uint32_t cuid = 0;
1112
1113 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1114 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1115
1116 if (workFlags & 0x08) {
1117 LED_A_ON();
1118 LED_B_OFF();
1119 LED_C_OFF();
1120
1121 clear_trace();
1122 set_tracing(TRUE);
1123 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1124 }
1125
1126 while (true) {
1127 if (workFlags & 0x02) {
1128 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1129 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1130 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1131 break;
1132 };
1133
1134 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1135 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1136 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1137 break;
1138 };
1139 }
1140
1141 // read block
1142 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1143 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1144 break;
1145 };
1146 memcpy(data, receivedAnswer, 18);
1147
1148 if (workFlags & 0x04) {
1149 if (mifare_classic_halt(NULL, cuid)) {
1150 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1151 break;
1152 };
1153 }
1154
1155 isOK = 1;
1156 break;
1157 }
1158
1159 LED_B_ON();
1160 cmd_send(CMD_ACK,isOK,0,0,data,18);
1161 LED_B_OFF();
1162
1163 if ((workFlags & 0x10) || (!isOK)) {
1164 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1165 LEDsoff();
1166 }
1167 }
1168
1169 void MifareCIdent(){
1170
1171 // card commands
1172 uint8_t wupC1[] = { 0x40 };
1173 uint8_t wupC2[] = { 0x43 };
1174
1175 // variables
1176 byte_t isOK = 1;
1177
1178 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1179 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1180
1181 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1182 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1183 isOK = 0;
1184 };
1185
1186 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1187 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1188 isOK = 0;
1189 };
1190
1191 if (mifare_classic_halt(NULL, 0)) {
1192 isOK = 0;
1193 };
1194
1195 cmd_send(CMD_ACK,isOK,0,0,0,0);
1196 }
1197
1198 //
1199 // DESFIRE
1200 //
1201
1202 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1203
1204 byte_t dataout[11] = {0x00};
1205 uint8_t uid[10] = {0x00};
1206 uint32_t cuid;
1207
1208 clear_trace();
1209 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1210
1211 int len = iso14443a_select_card(uid, NULL, &cuid);
1212 if(!len) {
1213 if (MF_DBGLEVEL >= MF_DBG_ERROR)
1214 Dbprintf("Can't select card");
1215 OnError(1);
1216 return;
1217 };
1218
1219 if(mifare_desfire_des_auth1(cuid, dataout)){
1220 if (MF_DBGLEVEL >= MF_DBG_ERROR)
1221 Dbprintf("Authentication part1: Fail.");
1222 OnError(4);
1223 return;
1224 }
1225
1226 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1227
1228 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1229 }
1230
1231 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1232
1233 uint32_t cuid = arg0;
1234 uint8_t key[16] = {0x00};
1235 byte_t isOK = 0;
1236 byte_t dataout[12] = {0x00};
1237
1238 memcpy(key, datain, 16);
1239
1240 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1241
1242 if( isOK) {
1243 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1244 Dbprintf("Authentication part2: Failed");
1245 OnError(4);
1246 return;
1247 }
1248
1249 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1250 DbpString("AUTH 2 FINISHED");
1251
1252 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1253 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1254 LEDsoff();
1255 }
Proxmark3 GIT tracking
Impressum, Datenschutz