1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
16 #include "mifarecmd.h"
19 //#include "../client/loclass/des.h"
23 //-----------------------------------------------------------------------------
24 // Select, Authenticate, Read a MIFARE tag.
26 //-----------------------------------------------------------------------------
27 void MifareReadBlock(uint8_t arg0
, uint8_t arg1
, uint8_t arg2
, uint8_t *datain
)
30 uint8_t blockNo
= arg0
;
31 uint8_t keyType
= arg1
;
33 ui64Key
= bytes_to_num(datain
, 6);
37 byte_t dataoutbuf
[16];
40 struct Crypto1State mpcs
= {0, 0};
41 struct Crypto1State
*pcs
;
46 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
53 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
54 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
58 if(mifare_classic_auth(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
)) {
59 if (MF_DBGLEVEL
>= 1) Dbprintf("Auth error");
63 if(mifare_classic_readblock(pcs
, cuid
, blockNo
, dataoutbuf
)) {
64 if (MF_DBGLEVEL
>= 1) Dbprintf("Read block error");
68 if(mifare_classic_halt(pcs
, cuid
)) {
69 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
77 // ----------------------------- crypto1 destroy
80 if (MF_DBGLEVEL
>= 2) DbpString("READ BLOCK FINISHED");
83 cmd_send(CMD_ACK
,isOK
,0,0,dataoutbuf
,16);
86 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
91 void MifareUC_Auth1(uint8_t arg0
, uint8_t *datain
){
94 byte_t dataoutbuf
[16] = {0x00};
95 uint8_t uid
[10] = {0x00};
103 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
105 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
106 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
107 Dbprintf("Can't select card");
112 if(mifare_ultra_auth1(cuid
, dataoutbuf
)){
113 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
114 Dbprintf("Authentication part1: Fail.");
120 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
)
121 DbpString("AUTH 1 FINISHED");
123 cmd_send(CMD_ACK
,isOK
,cuid
,0,dataoutbuf
,11);
126 void MifareUC_Auth2(uint32_t arg0
, uint8_t *datain
){
128 uint32_t cuid
= arg0
;
129 uint8_t key
[16] = {0x00};
131 byte_t dataoutbuf
[16] = {0x00};
133 memcpy(key
, datain
, 16);
139 if(mifare_ultra_auth2(cuid
, key
, dataoutbuf
)){
140 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
141 Dbprintf("Authentication part2: Fail...");
147 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
)
148 DbpString("AUTH 2 FINISHED");
150 cmd_send(CMD_ACK
,isOK
,0,0,dataoutbuf
,11);
151 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
155 void MifareUReadBlock(uint8_t arg0
, uint8_t arg1
, uint8_t *datain
)
157 uint8_t blockNo
= arg0
;
158 byte_t dataout
[16] = {0x00};
159 uint8_t uid
[10] = {0x00};
160 uint8_t key
[8] = {0x00};
164 usePwd
= (arg1
== 1);
168 memcpy(key
, datain
, 8);
175 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
177 int len
= iso14443a_select_card(uid
, NULL
, &cuid
);
179 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Can't select card (RC:%d)",len
);
184 // authenticate here.
187 uint8_t a
[8] = { 0x01 };
188 uint8_t b
[8] = { 0x00 };
189 uint8_t enc_b
[8] = { 0x00 };
190 uint8_t ab
[16] = { 0x00 };
192 uint8_t transKey
[8] = { 0x00 };
195 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
196 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
198 len
= mifare_sendcmd_short(NULL
, 1, 0x1A, 0x00, receivedAnswer
,receivedAnswerPar
,NULL
);
200 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
201 Dbprintf("Cmd Error: %02x", receivedAnswer
[0]);
206 // memcpy(dataout, receivedAnswer, 11);
209 memcpy(enc_b
,receivedAnswer
+1,8);
212 des_dec(enc_b
, b
, key
);
214 Dbprintf("enc_B: %02x %02x %02x %02x %02x %02x %02x %02x", enc_b
[0],enc_b
[1],enc_b
[2],enc_b
[3],enc_b
[4],enc_b
[5],enc_b
[6],enc_b
[7] );
221 Dbprintf("AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab
[0],ab
[1],ab
[2],ab
[3],ab
[4],ab
[5],ab
[6],ab
[7] );
222 Dbprintf("AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab
[8],ab
[9],ab
[10],ab
[11],ab
[12],ab
[13],ab
[14],ab
[15] );
225 des_enc(ab
, ab
, key
);
227 Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab
[0],ab
[1],ab
[2],ab
[3],ab
[4],ab
[5],ab
[6],ab
[7] );
228 Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x", ab
[8],ab
[9],ab
[10],ab
[11],ab
[12],ab
[13],ab
[14],ab
[15] );
230 len
= mifare_sendcmd_short_mfucauth(NULL
, 1, 0xAF, ab
, receivedAnswer
, receivedAnswerPar
, NULL
);
232 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
233 Dbprintf("Cmd Error: %02x", receivedAnswer
[0]);
239 memcpy(transKey
, receivedAnswer
+1, 8);
240 Dbprintf("TRANSACTIONKEY: %02x %02x %02x %02x %02x %02x %02x %02x", transKey
[0],transKey
[1],transKey
[2],transKey
[3],
241 transKey
[4],transKey
[5],transKey
[6],transKey
[7] );
244 len
= mifare_ultra_readblock(cuid
, blockNo
, dataout
);
246 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Read block error");
251 len
= mifare_ultra_halt(cuid
);
253 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Halt error");
258 cmd_send(CMD_ACK
,1,0,0,dataout
,16);
259 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
263 //-----------------------------------------------------------------------------
264 // Select, Authenticate, Read a MIFARE tag.
265 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
266 //-----------------------------------------------------------------------------
267 void MifareReadSector(uint8_t arg0
, uint8_t arg1
, uint8_t arg2
, uint8_t *datain
)
270 uint8_t sectorNo
= arg0
;
271 uint8_t keyType
= arg1
;
272 uint64_t ui64Key
= 0;
273 ui64Key
= bytes_to_num(datain
, 6);
277 byte_t dataoutbuf
[16 * 16];
280 struct Crypto1State mpcs
= {0, 0};
281 struct Crypto1State
*pcs
;
287 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
294 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
296 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
300 if(isOK
&& mifare_classic_auth(pcs
, cuid
, FirstBlockOfSector(sectorNo
), keyType
, ui64Key
, AUTH_FIRST
)) {
302 if (MF_DBGLEVEL
>= 1) Dbprintf("Auth error");
305 for (uint8_t blockNo
= 0; isOK
&& blockNo
< NumBlocksPerSector(sectorNo
); blockNo
++) {
306 if(mifare_classic_readblock(pcs
, cuid
, FirstBlockOfSector(sectorNo
) + blockNo
, dataoutbuf
+ 16 * blockNo
)) {
308 if (MF_DBGLEVEL
>= 1) Dbprintf("Read sector %2d block %2d error", sectorNo
, blockNo
);
313 if(mifare_classic_halt(pcs
, cuid
)) {
314 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
317 // ----------------------------- crypto1 destroy
318 crypto1_destroy(pcs
);
320 if (MF_DBGLEVEL
>= 2) DbpString("READ SECTOR FINISHED");
323 cmd_send(CMD_ACK
,isOK
,0,0,dataoutbuf
,16*NumBlocksPerSector(sectorNo
));
327 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
331 void MifareUReadCard(uint8_t arg0
, int arg1
, uint8_t *datain
)
334 uint8_t sectorNo
= arg0
;
337 byte_t dataout
[176] = {0x00};;
338 uint8_t uid
[10] = {0x00};
345 if (MF_DBGLEVEL
>= MF_DBG_ALL
)
346 Dbprintf("Pages %d",Pages
);
349 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
351 int len
= iso14443a_select_card(uid
, NULL
, &cuid
);
354 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
355 Dbprintf("Can't select card (RC:%d)",len
);
360 for (int i
= 0; i
< Pages
; i
++){
362 len
= mifare_ultra_readblock(cuid
, sectorNo
* 4 + i
, dataout
+ 4 * i
);
365 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
366 Dbprintf("Read block %d error",i
);
374 len
= mifare_ultra_halt(cuid
);
376 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
377 Dbprintf("Halt error");
382 if (MF_DBGLEVEL
>= MF_DBG_ALL
) {
383 Dbprintf("Pages read %d", count_Pages
);
386 len
= 16*4; //64 bytes
389 if (Pages
== 44 && count_Pages
> 16)
392 cmd_send(CMD_ACK
, 1, 0, 0, dataout
, len
);
393 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
398 //-----------------------------------------------------------------------------
399 // Select, Authenticate, Write a MIFARE tag.
401 //-----------------------------------------------------------------------------
402 void MifareWriteBlock(uint8_t arg0
, uint8_t arg1
, uint8_t arg2
, uint8_t *datain
)
405 uint8_t blockNo
= arg0
;
406 uint8_t keyType
= arg1
;
407 uint64_t ui64Key
= 0;
408 byte_t blockdata
[16];
410 ui64Key
= bytes_to_num(datain
, 6);
411 memcpy(blockdata
, datain
+ 10, 16);
417 struct Crypto1State mpcs
= {0, 0};
418 struct Crypto1State
*pcs
;
424 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
431 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
432 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
436 if(mifare_classic_auth(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
)) {
437 if (MF_DBGLEVEL
>= 1) Dbprintf("Auth error");
441 if(mifare_classic_writeblock(pcs
, cuid
, blockNo
, blockdata
)) {
442 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
446 if(mifare_classic_halt(pcs
, cuid
)) {
447 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
455 // ----------------------------- crypto1 destroy
456 crypto1_destroy(pcs
);
458 if (MF_DBGLEVEL
>= 2) DbpString("WRITE BLOCK FINISHED");
461 cmd_send(CMD_ACK
,isOK
,0,0,0,0);
466 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
470 void MifareUWriteBlock(uint8_t arg0
, uint8_t *datain
)
473 uint8_t blockNo
= arg0
;
474 byte_t blockdata
[16] = {0x00};
476 memcpy(blockdata
, datain
,16);
480 uint8_t uid
[10] = {0x00};
484 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
491 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
492 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
496 if(mifare_ultra_writeblock(cuid
, blockNo
, blockdata
)) {
497 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
501 if(mifare_ultra_halt(cuid
)) {
502 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
510 if (MF_DBGLEVEL
>= 2) DbpString("WRITE BLOCK FINISHED");
512 cmd_send(CMD_ACK
,isOK
,0,0,0,0);
513 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
517 void MifareUWriteBlock_Special(uint8_t arg0
, uint8_t *datain
)
520 uint8_t blockNo
= arg0
;
521 byte_t blockdata
[4] = {0x00};
523 memcpy(blockdata
, datain
,4);
527 uint8_t uid
[10] = {0x00};
531 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
538 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
539 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
543 if(mifare_ultra_special_writeblock(cuid
, blockNo
, blockdata
)) {
544 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
548 if(mifare_ultra_halt(cuid
)) {
549 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
557 if (MF_DBGLEVEL
>= 2) DbpString("WRITE BLOCK FINISHED");
559 cmd_send(CMD_ACK
,isOK
,0,0,0,0);
560 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
564 // Return 1 if the nonce is invalid else return 0
565 int valid_nonce(uint32_t Nt
, uint32_t NtEnc
, uint32_t Ks1
, uint8_t *parity
) {
566 return ((oddparity((Nt
>> 24) & 0xFF) == ((parity
[0]) ^ oddparity((NtEnc
>> 24) & 0xFF) ^ BIT(Ks1
,16))) & \
567 (oddparity((Nt
>> 16) & 0xFF) == ((parity
[1]) ^ oddparity((NtEnc
>> 16) & 0xFF) ^ BIT(Ks1
,8))) & \
568 (oddparity((Nt
>> 8) & 0xFF) == ((parity
[2]) ^ oddparity((NtEnc
>> 8) & 0xFF) ^ BIT(Ks1
,0)))) ? 1 : 0;
572 //-----------------------------------------------------------------------------
573 // MIFARE nested authentication.
575 //-----------------------------------------------------------------------------
576 void MifareNested(uint32_t arg0
, uint32_t arg1
, uint32_t calibrate
, uint8_t *datain
)
579 uint8_t blockNo
= arg0
& 0xff;
580 uint8_t keyType
= (arg0
>> 8) & 0xff;
581 uint8_t targetBlockNo
= arg1
& 0xff;
582 uint8_t targetKeyType
= (arg1
>> 8) & 0xff;
583 uint64_t ui64Key
= 0;
585 ui64Key
= bytes_to_num(datain
, 6);
588 uint16_t rtr
, i
, j
, len
;
590 static uint16_t dmin
, dmax
;
592 uint32_t cuid
, nt1
, nt2
, nttmp
, nttest
, ks1
;
594 uint32_t target_nt
[2], target_ks
[2];
596 uint8_t par_array
[4];
598 struct Crypto1State mpcs
= {0, 0};
599 struct Crypto1State
*pcs
;
601 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
603 uint32_t auth1_time
, auth2_time
;
604 static uint16_t delta_time
;
606 // free eventually allocated BigBuf memory
612 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
618 // statistics on nonce distance
619 if (calibrate
) { // for first call only. Otherwise reuse previous calibration
627 for (rtr
= 0; rtr
< 17; rtr
++) {
629 // prepare next select. No need to power down the card.
630 if(mifare_classic_halt(pcs
, cuid
)) {
631 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Halt error");
636 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
637 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Can't select card");
643 if(mifare_classic_authex(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
, &nt1
, &auth1_time
)) {
644 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth1 error");
650 auth2_time
= auth1_time
+ delta_time
;
654 if(mifare_classic_authex(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_NESTED
, &nt2
, &auth2_time
)) {
655 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth2 error");
660 nttmp
= prng_successor(nt1
, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
661 for (i
= 101; i
< 1200; i
++) {
662 nttmp
= prng_successor(nttmp
, 1);
663 if (nttmp
== nt2
) break;
673 delta_time
= auth2_time
- auth1_time
+ 32; // allow some slack for proper timing
675 if (MF_DBGLEVEL
>= 3) Dbprintf("Nested: calibrating... ntdist=%d", i
);
679 if (rtr
<= 1) return;
681 davg
= (davg
+ (rtr
- 1)/2) / (rtr
- 1);
683 if (MF_DBGLEVEL
>= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin
, dmax
, davg
, delta_time
);
691 // -------------------------------------------------------------------------------------------------
695 // get crypted nonces for target sector
696 for(i
=0; i
< 2; i
++) { // look for exactly two different nonces
699 while(target_nt
[i
] == 0) { // continue until we have an unambiguous nonce
701 // prepare next select. No need to power down the card.
702 if(mifare_classic_halt(pcs
, cuid
)) {
703 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Halt error");
707 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
708 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Can't select card");
713 if(mifare_classic_authex(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
, &nt1
, &auth1_time
)) {
714 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth1 error");
718 // nested authentication
719 auth2_time
= auth1_time
+ delta_time
;
720 len
= mifare_sendcmd_shortex(pcs
, AUTH_NESTED
, 0x60 + (targetKeyType
& 0x01), targetBlockNo
, receivedAnswer
, par
, &auth2_time
);
722 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth2 error len=%d", len
);
726 nt2
= bytes_to_num(receivedAnswer
, 4);
727 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i
+1, nt1
, nt2
, par
[0]);
729 // Parity validity check
730 for (j
= 0; j
< 4; j
++) {
731 par_array
[j
] = (oddparity(receivedAnswer
[j
]) != ((par
[0] >> (7-j
)) & 0x01));
735 nttest
= prng_successor(nt1
, dmin
- 1);
736 for (j
= dmin
; j
< dmax
+ 1; j
++) {
737 nttest
= prng_successor(nttest
, 1);
740 if (valid_nonce(nttest
, nt2
, ks1
, par_array
)){
741 if (ncount
> 0) { // we are only interested in disambiguous nonces, try again
742 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i
+1, j
);
746 target_nt
[i
] = nttest
;
749 if (i
== 1 && target_nt
[1] == target_nt
[0]) { // we need two different nonces
751 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j
);
754 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i
+1, j
);
757 if (target_nt
[i
] == 0 && j
== dmax
+1 && MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i
+1);
763 // ----------------------------- crypto1 destroy
764 crypto1_destroy(pcs
);
766 byte_t buf
[4 + 4 * 4];
767 memcpy(buf
, &cuid
, 4);
768 memcpy(buf
+4, &target_nt
[0], 4);
769 memcpy(buf
+8, &target_ks
[0], 4);
770 memcpy(buf
+12, &target_nt
[1], 4);
771 memcpy(buf
+16, &target_ks
[1], 4);
774 cmd_send(CMD_ACK
, 0, 2, targetBlockNo
+ (targetKeyType
* 0x100), buf
, sizeof(buf
));
777 if (MF_DBGLEVEL
>= 3) DbpString("NESTED FINISHED");
779 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
784 //-----------------------------------------------------------------------------
785 // MIFARE check keys. key count up to 85.
787 //-----------------------------------------------------------------------------
788 void MifareChkKeys(uint8_t arg0
, uint8_t arg1
, uint8_t arg2
, uint8_t *datain
)
791 uint8_t blockNo
= arg0
;
792 uint8_t keyType
= arg1
;
793 uint8_t keyCount
= arg2
;
794 uint64_t ui64Key
= 0;
801 struct Crypto1State mpcs
= {0, 0};
802 struct Crypto1State
*pcs
;
806 int OLD_MF_DBGLEVEL
= MF_DBGLEVEL
;
807 MF_DBGLEVEL
= MF_DBG_NONE
;
813 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
819 for (i
= 0; i
< keyCount
; i
++) {
820 if(mifare_classic_halt(pcs
, cuid
)) {
821 if (MF_DBGLEVEL
>= 1) Dbprintf("ChkKeys: Halt error");
824 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
825 if (OLD_MF_DBGLEVEL
>= 1) Dbprintf("ChkKeys: Can't select card");
829 ui64Key
= bytes_to_num(datain
+ i
* 6, 6);
830 if(mifare_classic_auth(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
)) {
838 // ----------------------------- crypto1 destroy
839 crypto1_destroy(pcs
);
842 cmd_send(CMD_ACK
,isOK
,0,0,datain
+ i
* 6,6);
845 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
848 // restore debug level
849 MF_DBGLEVEL
= OLD_MF_DBGLEVEL
;
852 //-----------------------------------------------------------------------------
853 // MIFARE commands set debug level
855 //-----------------------------------------------------------------------------
856 void MifareSetDbgLvl(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
858 Dbprintf("Debug level: %d", MF_DBGLEVEL
);
861 //-----------------------------------------------------------------------------
862 // Work with emulator memory
864 //-----------------------------------------------------------------------------
865 void MifareEMemClr(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
869 void MifareEMemSet(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
870 emlSetMem(datain
, arg0
, arg1
); // data, block num, blocks count
873 void MifareEMemGet(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
874 byte_t buf
[USB_CMD_DATA_SIZE
];
875 emlGetMem(buf
, arg0
, arg1
); // data, block num, blocks count (max 4)
878 cmd_send(CMD_ACK
,arg0
,arg1
,0,buf
,USB_CMD_DATA_SIZE
);
882 //-----------------------------------------------------------------------------
883 // Load a card into the emulator memory
885 //-----------------------------------------------------------------------------
886 void MifareECardLoad(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
887 uint8_t numSectors
= arg0
;
888 uint8_t keyType
= arg1
;
889 uint64_t ui64Key
= 0;
891 struct Crypto1State mpcs
= {0, 0};
892 struct Crypto1State
*pcs
;
896 byte_t dataoutbuf
[16];
897 byte_t dataoutbuf2
[16];
904 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
912 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
914 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
917 for (uint8_t sectorNo
= 0; isOK
&& sectorNo
< numSectors
; sectorNo
++) {
918 ui64Key
= emlGetKey(sectorNo
, keyType
);
920 if(isOK
&& mifare_classic_auth(pcs
, cuid
, FirstBlockOfSector(sectorNo
), keyType
, ui64Key
, AUTH_FIRST
)) {
922 if (MF_DBGLEVEL
>= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo
);
926 if(isOK
&& mifare_classic_auth(pcs
, cuid
, FirstBlockOfSector(sectorNo
), keyType
, ui64Key
, AUTH_NESTED
)) {
928 if (MF_DBGLEVEL
>= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo
);
933 for (uint8_t blockNo
= 0; isOK
&& blockNo
< NumBlocksPerSector(sectorNo
); blockNo
++) {
934 if(isOK
&& mifare_classic_readblock(pcs
, cuid
, FirstBlockOfSector(sectorNo
) + blockNo
, dataoutbuf
)) {
936 if (MF_DBGLEVEL
>= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo
, blockNo
);
940 if (blockNo
< NumBlocksPerSector(sectorNo
) - 1) {
941 emlSetMem(dataoutbuf
, FirstBlockOfSector(sectorNo
) + blockNo
, 1);
942 } else { // sector trailer, keep the keys, set only the AC
943 emlGetMem(dataoutbuf2
, FirstBlockOfSector(sectorNo
) + blockNo
, 1);
944 memcpy(&dataoutbuf2
[6], &dataoutbuf
[6], 4);
945 emlSetMem(dataoutbuf2
, FirstBlockOfSector(sectorNo
) + blockNo
, 1);
952 if(mifare_classic_halt(pcs
, cuid
)) {
953 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
956 // ----------------------------- crypto1 destroy
957 crypto1_destroy(pcs
);
959 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
962 if (MF_DBGLEVEL
>= 2) DbpString("EMUL FILL SECTORS FINISHED");
967 //-----------------------------------------------------------------------------
968 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
970 //-----------------------------------------------------------------------------
971 void MifareCSetBlock(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
974 uint8_t needWipe
= arg0
;
975 // bit 0 - need get UID
977 // bit 2 - need HALT after sequence
978 // bit 3 - need init FPGA and field before sequence
979 // bit 4 - need reset FPGA and LED
980 uint8_t workFlags
= arg1
;
981 uint8_t blockNo
= arg2
;
984 uint8_t wupC1
[] = { 0x40 };
985 uint8_t wupC2
[] = { 0x43 };
986 uint8_t wipeC
[] = { 0x41 };
990 uint8_t uid
[10] = {0x00};
991 uint8_t d_block
[18] = {0x00};
994 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
995 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
997 // reset FPGA and LED
998 if (workFlags
& 0x08) {
1005 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
1010 // get UID from chip
1011 if (workFlags
& 0x01) {
1012 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) {
1013 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
1017 if(mifare_classic_halt(NULL
, cuid
)) {
1018 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
1025 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1026 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1027 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1031 ReaderTransmit(wipeC
, sizeof(wipeC
), NULL
);
1032 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1033 if (MF_DBGLEVEL
>= 1) Dbprintf("wipeC error");
1037 if(mifare_classic_halt(NULL
, cuid
)) {
1038 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
1044 if (workFlags
& 0x02) {
1045 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1046 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1047 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1051 ReaderTransmit(wupC2
, sizeof(wupC2
), NULL
);
1052 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1053 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC2 error");
1058 if ((mifare_sendcmd_short(NULL
, 0, 0xA0, blockNo
, receivedAnswer
, receivedAnswerPar
, NULL
) != 1) || (receivedAnswer
[0] != 0x0a)) {
1059 if (MF_DBGLEVEL
>= 1) Dbprintf("write block send command error");
1063 memcpy(d_block
, datain
, 16);
1064 AppendCrc14443a(d_block
, 16);
1066 ReaderTransmit(d_block
, sizeof(d_block
), NULL
);
1067 if ((ReaderReceive(receivedAnswer
, receivedAnswerPar
) != 1) || (receivedAnswer
[0] != 0x0a)) {
1068 if (MF_DBGLEVEL
>= 1) Dbprintf("write block send data error");
1072 if (workFlags
& 0x04) {
1073 if (mifare_classic_halt(NULL
, cuid
)) {
1074 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
1084 cmd_send(CMD_ACK
,isOK
,0,0,uid
,4);
1087 if ((workFlags
& 0x10) || (!isOK
)) {
1088 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1094 void MifareCGetBlock(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1097 // bit 1 - need wupC
1098 // bit 2 - need HALT after sequence
1099 // bit 3 - need init FPGA and field before sequence
1100 // bit 4 - need reset FPGA and LED
1101 uint8_t workFlags
= arg0
;
1102 uint8_t blockNo
= arg2
;
1105 uint8_t wupC1
[] = { 0x40 };
1106 uint8_t wupC2
[] = { 0x43 };
1110 uint8_t data
[18] = {0x00};
1113 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
1114 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
1116 if (workFlags
& 0x08) {
1123 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
1127 if (workFlags
& 0x02) {
1128 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1129 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1130 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1134 ReaderTransmit(wupC2
, sizeof(wupC2
), NULL
);
1135 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1136 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC2 error");
1142 if ((mifare_sendcmd_short(NULL
, 0, 0x30, blockNo
, receivedAnswer
, receivedAnswerPar
, NULL
) != 18)) {
1143 if (MF_DBGLEVEL
>= 1) Dbprintf("read block send command error");
1146 memcpy(data
, receivedAnswer
, 18);
1148 if (workFlags
& 0x04) {
1149 if (mifare_classic_halt(NULL
, cuid
)) {
1150 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
1160 cmd_send(CMD_ACK
,isOK
,0,0,data
,18);
1163 if ((workFlags
& 0x10) || (!isOK
)) {
1164 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1169 void MifareCIdent(){
1172 uint8_t wupC1
[] = { 0x40 };
1173 uint8_t wupC2
[] = { 0x43 };
1178 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
1179 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
1181 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1182 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1186 ReaderTransmit(wupC2
, sizeof(wupC2
), NULL
);
1187 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1191 if (mifare_classic_halt(NULL
, 0)) {
1195 cmd_send(CMD_ACK
,isOK
,0,0,0,0);
1202 void Mifare_DES_Auth1(uint8_t arg0
, uint8_t *datain
){
1204 byte_t dataout
[11] = {0x00};
1205 uint8_t uid
[10] = {0x00};
1209 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
1211 int len
= iso14443a_select_card(uid
, NULL
, &cuid
);
1213 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
1214 Dbprintf("Can't select card");
1219 if(mifare_desfire_des_auth1(cuid
, dataout
)){
1220 if (MF_DBGLEVEL
>= MF_DBG_ERROR
)
1221 Dbprintf("Authentication part1: Fail.");
1226 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) DbpString("AUTH 1 FINISHED");
1228 cmd_send(CMD_ACK
,1,cuid
,0,dataout
, sizeof(dataout
));
1231 void Mifare_DES_Auth2(uint32_t arg0
, uint8_t *datain
){
1233 uint32_t cuid
= arg0
;
1234 uint8_t key
[16] = {0x00};
1236 byte_t dataout
[12] = {0x00};
1238 memcpy(key
, datain
, 16);
1240 isOK
= mifare_desfire_des_auth2(cuid
, key
, dataout
);
1243 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
)
1244 Dbprintf("Authentication part2: Failed");
1249 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
)
1250 DbpString("AUTH 2 FINISHED");
1252 cmd_send(CMD_ACK
, isOK
, 0, 0, dataout
, sizeof(dataout
));
1253 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);