]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:


23652070ee0911cf54929bd550ad810cd03f055f
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19
20 #include "crc.h"
21
22 // the block number for the ISO14443-4 PCB
23 uint8_t pcb_blocknum = 0;
24 // Deselect card by sending a s-block. the crc is precalced for speed
25 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
26
27
28 //-----------------------------------------------------------------------------
29 // Select, Authenticate, Read a MIFARE tag.
30 // read block
31 //-----------------------------------------------------------------------------
32 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
33 {
34 // params
35 uint8_t blockNo = arg0;
36 uint8_t keyType = arg1;
37 uint64_t ui64Key = 0;
38 ui64Key = bytes_to_num(datain, 6);
39
40 // variables
41 byte_t isOK = 0;
42 byte_t dataoutbuf[16];
43 uint8_t uid[10];
44 uint32_t cuid;
45 struct Crypto1State mpcs = {0, 0};
46 struct Crypto1State *pcs;
47 pcs = &mpcs;
48
49 // clear trace
50 clear_trace();
51 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
52
53 LED_A_ON();
54 LED_B_OFF();
55 LED_C_OFF();
56
57 while (true) {
58 if(!iso14443a_select_card(uid, NULL, &cuid)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
60 break;
61 };
62
63 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
65 break;
66 };
67
68 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
69 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
70 break;
71 };
72
73 if(mifare_classic_halt(pcs, cuid)) {
74 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
75 break;
76 };
77
78 isOK = 1;
79 break;
80 }
81
82 // ----------------------------- crypto1 destroy
83 crypto1_destroy(pcs);
84
85 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
86
87 LED_B_ON();
88 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
89 LED_B_OFF();
90
91 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
92 LEDsoff();
93 }
94
95 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
96
97 bool turnOffField = (arg0 == 1);
98
99 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
100 clear_trace();
101 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
102
103 if(!iso14443a_select_card(NULL, NULL, NULL)) {
104 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
105 OnError(0);
106 return;
107 };
108
109 if(!mifare_ultra_auth(keybytes)){
110 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
111 OnError(1);
112 return;
113 }
114
115 if (turnOffField) {
116 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
117 LEDsoff();
118 }
119 cmd_send(CMD_ACK,1,0,0,0,0);
120 }
121
122 // Arg0 = BlockNo,
123 // Arg1 = UsePwd bool
124 // datain = PWD bytes,
125 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
126 {
127 uint8_t blockNo = arg0;
128 byte_t dataout[16] = {0x00};
129 bool useKey = (arg1 == 1); //UL_C
130 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
131
132 LEDsoff();
133 LED_A_ON();
134 clear_trace();
135 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
136
137 int len = iso14443a_select_card(NULL, NULL, NULL);
138 if(!len) {
139 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
140 OnError(1);
141 return;
142 }
143
144 // UL-C authentication
145 if ( useKey ) {
146 uint8_t key[16] = {0x00};
147 memcpy(key, datain, sizeof(key) );
148
149 if ( !mifare_ultra_auth(key) ) {
150 OnError(1);
151 return;
152 }
153 }
154
155 // UL-EV1 / NTAG authentication
156 if ( usePwd ) {
157 uint8_t pwd[4] = {0x00};
158 memcpy(pwd, datain, 4);
159 uint8_t pack[4] = {0,0,0,0};
160 if (!mifare_ul_ev1_auth(pwd, pack)) {
161 OnError(1);
162 return;
163 }
164 }
165
166 if( mifare_ultra_readblock(blockNo, dataout) ) {
167 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
168 OnError(2);
169 return;
170 }
171
172 if( mifare_ultra_halt() ) {
173 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
174 OnError(3);
175 return;
176 }
177
178 cmd_send(CMD_ACK,1,0,0,dataout,16);
179 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
180 LEDsoff();
181 }
182
183 //-----------------------------------------------------------------------------
184 // Select, Authenticate, Read a MIFARE tag.
185 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
186 //-----------------------------------------------------------------------------
187 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
188 {
189 // params
190 uint8_t sectorNo = arg0;
191 uint8_t keyType = arg1;
192 uint64_t ui64Key = 0;
193 ui64Key = bytes_to_num(datain, 6);
194
195 // variables
196 byte_t isOK = 0;
197 byte_t dataoutbuf[16 * 16];
198 uint8_t uid[10];
199 uint32_t cuid;
200 struct Crypto1State mpcs = {0, 0};
201 struct Crypto1State *pcs;
202 pcs = &mpcs;
203
204 // clear trace
205 clear_trace();
206
207 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
208
209 LED_A_ON();
210 LED_B_OFF();
211 LED_C_OFF();
212
213 isOK = 1;
214 if(!iso14443a_select_card(uid, NULL, &cuid)) {
215 isOK = 0;
216 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
217 }
218
219
220 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
221 isOK = 0;
222 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
223 }
224
225 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
226 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
227 isOK = 0;
228 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
229 break;
230 }
231 }
232
233 if(mifare_classic_halt(pcs, cuid)) {
234 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
235 }
236
237 // ----------------------------- crypto1 destroy
238 crypto1_destroy(pcs);
239
240 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
241
242 LED_B_ON();
243 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
244 LED_B_OFF();
245
246 // Thats it...
247 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
248 LEDsoff();
249 }
250
251 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
252 {
253 // params
254 uint8_t blockNo = arg0;
255 uint16_t blocks = arg1;
256 bool useKey = (arg2 == 1); //UL_C
257 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
258 uint32_t countblocks = 0;
259 uint8_t *dataout = BigBuf_get_addr();
260
261 LEDsoff();
262 LED_A_ON();
263 clear_trace();
264 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
265
266 int len = iso14443a_select_card(NULL, NULL, NULL);
267 if (!len) {
268 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
269 OnError(1);
270 return;
271 }
272
273 // UL-C authentication
274 if ( useKey ) {
275 uint8_t key[16] = {0x00};
276 memcpy(key, datain, sizeof(key) );
277
278 if ( !mifare_ultra_auth(key) ) {
279 OnError(1);
280 return;
281 }
282 }
283
284 // UL-EV1 / NTAG authentication
285 if (usePwd) {
286 uint8_t pwd[4] = {0x00};
287 memcpy(pwd, datain, sizeof(pwd));
288 uint8_t pack[4] = {0,0,0,0};
289
290 if (!mifare_ul_ev1_auth(pwd, pack)){
291 OnError(1);
292 return;
293 }
294 }
295
296 for (int i = 0; i < blocks; i++){
297 if ((i*4) + 4 > BigBuf_get_traceLen()) {
298 Dbprintf("Data exceeds buffer!!");
299 break;
300 }
301
302 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
303
304 if (len) {
305 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
306 // if no blocks read - error out
307 if (i==0){
308 OnError(2);
309 return;
310 } else {
311 //stop at last successful read block and return what we got
312 break;
313 }
314 } else {
315 countblocks++;
316 }
317 }
318
319 len = mifare_ultra_halt();
320 if (len) {
321 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
322 OnError(3);
323 return;
324 }
325
326 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
327
328 countblocks *= 4;
329 cmd_send(CMD_ACK, 1, countblocks, countblocks, 0, 0);
330 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
331 LEDsoff();
332 }
333
334 //-----------------------------------------------------------------------------
335 // Select, Authenticate, Write a MIFARE tag.
336 // read block
337 //-----------------------------------------------------------------------------
338 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
339 {
340 // params
341 uint8_t blockNo = arg0;
342 uint8_t keyType = arg1;
343 uint64_t ui64Key = 0;
344 byte_t blockdata[16];
345
346 ui64Key = bytes_to_num(datain, 6);
347 memcpy(blockdata, datain + 10, 16);
348
349 // variables
350 byte_t isOK = 0;
351 uint8_t uid[10];
352 uint32_t cuid;
353 struct Crypto1State mpcs = {0, 0};
354 struct Crypto1State *pcs;
355 pcs = &mpcs;
356
357 // clear trace
358 clear_trace();
359
360 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
361
362 LED_A_ON();
363 LED_B_OFF();
364 LED_C_OFF();
365
366 while (true) {
367 if(!iso14443a_select_card(uid, NULL, &cuid)) {
368 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
369 break;
370 };
371
372 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
373 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
374 break;
375 };
376
377 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
378 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
379 break;
380 };
381
382 if(mifare_classic_halt(pcs, cuid)) {
383 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
384 break;
385 };
386
387 isOK = 1;
388 break;
389 }
390
391 // ----------------------------- crypto1 destroy
392 crypto1_destroy(pcs);
393
394 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
395
396 LED_B_ON();
397 cmd_send(CMD_ACK,isOK,0,0,0,0);
398 LED_B_OFF();
399
400
401 // Thats it...
402 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
403 LEDsoff();
404 }
405
406 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
407 {
408 uint8_t blockNo = arg0;
409 byte_t blockdata[16] = {0x00};
410
411 memcpy(blockdata, datain, 16);
412
413 uint8_t uid[10] = {0x00};
414
415 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
416
417 clear_trace();
418 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
419
420 if(!iso14443a_select_card(uid, NULL, NULL)) {
421 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
422 OnError(0);
423 return;
424 };
425
426 if(mifare_ultra_writeblock(blockNo, blockdata)) {
427 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
428 OnError(0);
429 return; };
430
431 if(mifare_ultra_halt()) {
432 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
433 OnError(0);
434 return;
435 };
436
437 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
438
439 cmd_send(CMD_ACK,1,0,0,0,0);
440 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
441 LEDsoff();
442 }
443
444 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
445 {
446 uint8_t blockNo = arg0;
447 byte_t blockdata[4] = {0x00};
448
449 memcpy(blockdata, datain,4);
450
451 LEDsoff();
452 LED_A_ON();
453 clear_trace();
454 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
455
456 if(!iso14443a_select_card(NULL, NULL, NULL)) {
457 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
458 OnError(0);
459 return;
460 };
461
462 if(mifare_ultra_special_writeblock(blockNo, blockdata)) {
463 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
464 OnError(0);
465 return;
466 };
467
468 if(mifare_ultra_halt()) {
469 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
470 OnError(0);
471 return;
472 };
473
474 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
475
476 cmd_send(CMD_ACK,1,0,0,0,0);
477 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
478 LEDsoff();
479 }
480
481 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
482
483 uint8_t pwd[16] = {0x00};
484 byte_t blockdata[4] = {0x00};
485
486 memcpy(pwd, datain, 16);
487
488 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
489 clear_trace();
490 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
491
492 if(!iso14443a_select_card(NULL, NULL, NULL)) {
493 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
494 OnError(0);
495 return;
496 };
497
498 blockdata[0] = pwd[7];
499 blockdata[1] = pwd[6];
500 blockdata[2] = pwd[5];
501 blockdata[3] = pwd[4];
502 if(mifare_ultra_special_writeblock( 44, blockdata)) {
503 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
504 OnError(44);
505 return;
506 };
507
508 blockdata[0] = pwd[3];
509 blockdata[1] = pwd[2];
510 blockdata[2] = pwd[1];
511 blockdata[3] = pwd[0];
512 if(mifare_ultra_special_writeblock( 45, blockdata)) {
513 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
514 OnError(45);
515 return;
516 };
517
518 blockdata[0] = pwd[15];
519 blockdata[1] = pwd[14];
520 blockdata[2] = pwd[13];
521 blockdata[3] = pwd[12];
522 if(mifare_ultra_special_writeblock( 46, blockdata)) {
523 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
524 OnError(46);
525 return;
526 };
527
528 blockdata[0] = pwd[11];
529 blockdata[1] = pwd[10];
530 blockdata[2] = pwd[9];
531 blockdata[3] = pwd[8];
532 if(mifare_ultra_special_writeblock( 47, blockdata)) {
533 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
534 OnError(47);
535 return;
536 };
537
538 if(mifare_ultra_halt()) {
539 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
540 OnError(0);
541 return;
542 };
543
544 cmd_send(CMD_ACK,1,0,0,0,0);
545 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
546 LEDsoff();
547 }
548
549 // Return 1 if the nonce is invalid else return 0
550 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
551 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
552 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
553 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
554 }
555
556
557 //-----------------------------------------------------------------------------
558 // MIFARE nested authentication.
559 //
560 //-----------------------------------------------------------------------------
561 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
562 {
563 // params
564 uint8_t blockNo = arg0 & 0xff;
565 uint8_t keyType = (arg0 >> 8) & 0xff;
566 uint8_t targetBlockNo = arg1 & 0xff;
567 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
568 uint64_t ui64Key = 0;
569
570 ui64Key = bytes_to_num(datain, 6);
571
572 // variables
573 uint16_t rtr, i, j, len;
574 uint16_t davg;
575 static uint16_t dmin, dmax;
576 uint8_t uid[10];
577 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
578 uint8_t par[1];
579 uint32_t target_nt[2], target_ks[2];
580
581 uint8_t par_array[4];
582 uint16_t ncount = 0;
583 struct Crypto1State mpcs = {0, 0};
584 struct Crypto1State *pcs;
585 pcs = &mpcs;
586 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
587
588 uint32_t auth1_time, auth2_time;
589 static uint16_t delta_time;
590
591 // free eventually allocated BigBuf memory
592 BigBuf_free();
593 // clear trace
594 clear_trace();
595 set_tracing(false);
596
597 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
598
599 LED_A_ON();
600 LED_C_OFF();
601
602
603 // statistics on nonce distance
604 if (calibrate) { // for first call only. Otherwise reuse previous calibration
605 LED_B_ON();
606 WDT_HIT();
607
608 davg = dmax = 0;
609 dmin = 2000;
610 delta_time = 0;
611
612 for (rtr = 0; rtr < 17; rtr++) {
613
614 // prepare next select. No need to power down the card.
615 if(mifare_classic_halt(pcs, cuid)) {
616 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
617 rtr--;
618 continue;
619 }
620
621 if(!iso14443a_select_card(uid, NULL, &cuid)) {
622 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
623 rtr--;
624 continue;
625 };
626
627 auth1_time = 0;
628 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
629 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
630 rtr--;
631 continue;
632 };
633
634 if (delta_time) {
635 auth2_time = auth1_time + delta_time;
636 } else {
637 auth2_time = 0;
638 }
639 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
640 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
641 rtr--;
642 continue;
643 };
644
645 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
646 for (i = 101; i < 1200; i++) {
647 nttmp = prng_successor(nttmp, 1);
648 if (nttmp == nt2) break;
649 }
650
651 if (i != 1200) {
652 if (rtr != 0) {
653 davg += i;
654 dmin = MIN(dmin, i);
655 dmax = MAX(dmax, i);
656 }
657 else {
658 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
659 }
660 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
661 }
662 }
663
664 if (rtr <= 1) return;
665
666 davg = (davg + (rtr - 1)/2) / (rtr - 1);
667
668 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
669
670 dmin = davg - 2;
671 dmax = davg + 2;
672
673 LED_B_OFF();
674
675 }
676 // -------------------------------------------------------------------------------------------------
677
678 LED_C_ON();
679
680 // get crypted nonces for target sector
681 for(i=0; i < 2; i++) { // look for exactly two different nonces
682
683 target_nt[i] = 0;
684 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
685
686 // prepare next select. No need to power down the card.
687 if(mifare_classic_halt(pcs, cuid)) {
688 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
689 continue;
690 }
691
692 if(!iso14443a_select_card(uid, NULL, &cuid)) {
693 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
694 continue;
695 };
696
697 auth1_time = 0;
698 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
699 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
700 continue;
701 };
702
703 // nested authentication
704 auth2_time = auth1_time + delta_time;
705 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
706 if (len != 4) {
707 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
708 continue;
709 };
710
711 nt2 = bytes_to_num(receivedAnswer, 4);
712 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
713
714 // Parity validity check
715 for (j = 0; j < 4; j++) {
716 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
717 }
718
719 ncount = 0;
720 nttest = prng_successor(nt1, dmin - 1);
721 for (j = dmin; j < dmax + 1; j++) {
722 nttest = prng_successor(nttest, 1);
723 ks1 = nt2 ^ nttest;
724
725 if (valid_nonce(nttest, nt2, ks1, par_array)){
726 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
727 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
728 target_nt[i] = 0;
729 break;
730 }
731 target_nt[i] = nttest;
732 target_ks[i] = ks1;
733 ncount++;
734 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
735 target_nt[i] = 0;
736 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
737 break;
738 }
739 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
740 }
741 }
742 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
743 }
744 }
745
746 LED_C_OFF();
747
748 // ----------------------------- crypto1 destroy
749 crypto1_destroy(pcs);
750
751 byte_t buf[4 + 4 * 4];
752 memcpy(buf, &cuid, 4);
753 memcpy(buf+4, &target_nt[0], 4);
754 memcpy(buf+8, &target_ks[0], 4);
755 memcpy(buf+12, &target_nt[1], 4);
756 memcpy(buf+16, &target_ks[1], 4);
757
758 LED_B_ON();
759 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
760 LED_B_OFF();
761
762 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
763
764 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
765 LEDsoff();
766 set_tracing(TRUE);
767 }
768
769 //-----------------------------------------------------------------------------
770 // MIFARE check keys. key count up to 85.
771 //
772 //-----------------------------------------------------------------------------
773 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
774 {
775 // params
776 uint8_t blockNo = arg0;
777 uint8_t keyType = arg1;
778 uint8_t keyCount = arg2;
779 uint64_t ui64Key = 0;
780
781 // variables
782 int i;
783 byte_t isOK = 0;
784 uint8_t uid[10];
785 uint32_t cuid;
786 struct Crypto1State mpcs = {0, 0};
787 struct Crypto1State *pcs;
788 pcs = &mpcs;
789
790 // clear debug level
791 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
792 MF_DBGLEVEL = MF_DBG_NONE;
793
794 // clear trace
795 clear_trace();
796 set_tracing(TRUE);
797
798 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
799
800 LED_A_ON();
801 LED_B_OFF();
802 LED_C_OFF();
803
804 for (i = 0; i < keyCount; i++) {
805 if(mifare_classic_halt(pcs, cuid)) {
806 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
807 }
808
809 if(!iso14443a_select_card(uid, NULL, &cuid)) {
810 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
811 break;
812 };
813
814 ui64Key = bytes_to_num(datain + i * 6, 6);
815 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
816 continue;
817 };
818
819 isOK = 1;
820 break;
821 }
822
823 // ----------------------------- crypto1 destroy
824 crypto1_destroy(pcs);
825
826 LED_B_ON();
827 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
828 LED_B_OFF();
829
830 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
831 LEDsoff();
832
833 // restore debug level
834 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
835 }
836
837 //-----------------------------------------------------------------------------
838 // MIFARE commands set debug level
839 //
840 //-----------------------------------------------------------------------------
841 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
842 MF_DBGLEVEL = arg0;
843 Dbprintf("Debug level: %d", MF_DBGLEVEL);
844 }
845
846 //-----------------------------------------------------------------------------
847 // Work with emulator memory
848 //
849 //-----------------------------------------------------------------------------
850 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
851 emlClearMem();
852 }
853
854 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
855 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
856 }
857
858 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
859 byte_t buf[USB_CMD_DATA_SIZE];
860 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
861
862 LED_B_ON();
863 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
864 LED_B_OFF();
865 }
866
867 //-----------------------------------------------------------------------------
868 // Load a card into the emulator memory
869 //
870 //-----------------------------------------------------------------------------
871 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
872 uint8_t numSectors = arg0;
873 uint8_t keyType = arg1;
874 uint64_t ui64Key = 0;
875 uint32_t cuid;
876 struct Crypto1State mpcs = {0, 0};
877 struct Crypto1State *pcs;
878 pcs = &mpcs;
879
880 // variables
881 byte_t dataoutbuf[16];
882 byte_t dataoutbuf2[16];
883 uint8_t uid[10];
884
885 // clear trace
886 clear_trace();
887 set_tracing(false);
888
889 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
890
891 LED_A_ON();
892 LED_B_OFF();
893 LED_C_OFF();
894
895 bool isOK = true;
896
897 if(!iso14443a_select_card(uid, NULL, &cuid)) {
898 isOK = false;
899 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
900 }
901
902 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
903 ui64Key = emlGetKey(sectorNo, keyType);
904 if (sectorNo == 0){
905 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
906 isOK = false;
907 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
908 break;
909 }
910 } else {
911 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
912 isOK = false;
913 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
914 break;
915 }
916 }
917
918 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
919 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
920 isOK = false;
921 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
922 break;
923 };
924 if (isOK) {
925 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
926 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
927 } else { // sector trailer, keep the keys, set only the AC
928 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
929 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
930 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
931 }
932 }
933 }
934
935 }
936
937 if(mifare_classic_halt(pcs, cuid)) {
938 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
939 };
940
941 // ----------------------------- crypto1 destroy
942 crypto1_destroy(pcs);
943
944 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
945 LEDsoff();
946
947 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
948
949 }
950
951
952 //-----------------------------------------------------------------------------
953 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
954 //
955 //-----------------------------------------------------------------------------
956 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
957
958 // params
959 uint8_t needWipe = arg0;
960 // bit 0 - need get UID
961 // bit 1 - need wupC
962 // bit 2 - need HALT after sequence
963 // bit 3 - need init FPGA and field before sequence
964 // bit 4 - need reset FPGA and LED
965 uint8_t workFlags = arg1;
966 uint8_t blockNo = arg2;
967
968 // card commands
969 uint8_t wupC1[] = { 0x40 };
970 uint8_t wupC2[] = { 0x43 };
971 uint8_t wipeC[] = { 0x41 };
972
973 // variables
974 byte_t isOK = 0;
975 uint8_t uid[10] = {0x00};
976 uint8_t d_block[18] = {0x00};
977 uint32_t cuid;
978
979 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
980 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
981
982 // reset FPGA and LED
983 if (workFlags & 0x08) {
984 LED_A_ON();
985 LED_B_OFF();
986 LED_C_OFF();
987
988 clear_trace();
989 set_tracing(TRUE);
990 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
991 }
992
993 while (true) {
994
995 // get UID from chip
996 if (workFlags & 0x01) {
997 if(!iso14443a_select_card(uid, NULL, &cuid)) {
998 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
999 break;
1000 };
1001
1002 if(mifare_classic_halt(NULL, cuid)) {
1003 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1004 break;
1005 };
1006 };
1007
1008 // reset chip
1009 if (needWipe){
1010 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1011 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1012 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1013 break;
1014 };
1015
1016 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1017 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1018 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1019 break;
1020 };
1021
1022 if(mifare_classic_halt(NULL, cuid)) {
1023 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1024 break;
1025 };
1026 };
1027
1028 // write block
1029 if (workFlags & 0x02) {
1030 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1031 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1032 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1033 break;
1034 };
1035
1036 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1037 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1038 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1039 break;
1040 };
1041 }
1042
1043 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1044 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1045 break;
1046 };
1047
1048 memcpy(d_block, datain, 16);
1049 AppendCrc14443a(d_block, 16);
1050
1051 ReaderTransmit(d_block, sizeof(d_block), NULL);
1052 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1053 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1054 break;
1055 };
1056
1057 if (workFlags & 0x04) {
1058 if (mifare_classic_halt(NULL, cuid)) {
1059 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1060 break;
1061 };
1062 }
1063
1064 isOK = 1;
1065 break;
1066 }
1067
1068 LED_B_ON();
1069 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1070 LED_B_OFF();
1071
1072 if ((workFlags & 0x10) || (!isOK)) {
1073 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1074 LEDsoff();
1075 }
1076 }
1077
1078
1079 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1080
1081 // params
1082 // bit 1 - need wupC
1083 // bit 2 - need HALT after sequence
1084 // bit 3 - need init FPGA and field before sequence
1085 // bit 4 - need reset FPGA and LED
1086 uint8_t workFlags = arg0;
1087 uint8_t blockNo = arg2;
1088
1089 // card commands
1090 uint8_t wupC1[] = { 0x40 };
1091 uint8_t wupC2[] = { 0x43 };
1092
1093 // variables
1094 byte_t isOK = 0;
1095 uint8_t data[18] = {0x00};
1096 uint32_t cuid = 0;
1097
1098 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1099 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1100
1101 if (workFlags & 0x08) {
1102 LED_A_ON();
1103 LED_B_OFF();
1104 LED_C_OFF();
1105
1106 clear_trace();
1107 set_tracing(TRUE);
1108 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1109 }
1110
1111 while (true) {
1112 if (workFlags & 0x02) {
1113 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1114 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1115 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1116 break;
1117 };
1118
1119 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1120 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1121 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1122 break;
1123 };
1124 }
1125
1126 // read block
1127 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1128 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1129 break;
1130 };
1131 memcpy(data, receivedAnswer, 18);
1132
1133 if (workFlags & 0x04) {
1134 if (mifare_classic_halt(NULL, cuid)) {
1135 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1136 break;
1137 };
1138 }
1139
1140 isOK = 1;
1141 break;
1142 }
1143
1144 LED_B_ON();
1145 cmd_send(CMD_ACK,isOK,0,0,data,18);
1146 LED_B_OFF();
1147
1148 if ((workFlags & 0x10) || (!isOK)) {
1149 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1150 LEDsoff();
1151 }
1152 }
1153
1154 void MifareCIdent(){
1155
1156 // card commands
1157 uint8_t wupC1[] = { 0x40 };
1158 uint8_t wupC2[] = { 0x43 };
1159
1160 // variables
1161 byte_t isOK = 1;
1162
1163 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1164 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1165
1166 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1167 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1168 isOK = 0;
1169 };
1170
1171 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1172 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1173 isOK = 0;
1174 };
1175
1176 if (mifare_classic_halt(NULL, 0)) {
1177 isOK = 0;
1178 };
1179
1180 cmd_send(CMD_ACK,isOK,0,0,0,0);
1181 }
1182
1183 //
1184 // DESFIRE
1185 //
1186
1187 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1188
1189 byte_t dataout[11] = {0x00};
1190 uint8_t uid[10] = {0x00};
1191 uint32_t cuid;
1192
1193 clear_trace();
1194 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1195
1196 int len = iso14443a_select_card(uid, NULL, &cuid);
1197 if(!len) {
1198 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1199 OnError(1);
1200 return;
1201 };
1202
1203 if(mifare_desfire_des_auth1(cuid, dataout)){
1204 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1205 OnError(4);
1206 return;
1207 }
1208
1209 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1210 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1211 }
1212
1213 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1214
1215 uint32_t cuid = arg0;
1216 uint8_t key[16] = {0x00};
1217 byte_t isOK = 0;
1218 byte_t dataout[12] = {0x00};
1219
1220 memcpy(key, datain, 16);
1221
1222 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1223
1224 if( isOK) {
1225 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1226 Dbprintf("Authentication part2: Failed");
1227 //OnError(4);
1228 return;
1229 }
1230
1231 if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
1232 DbpString("AUTH 2 FINISHED");
1233
1234 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1235 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1236 LEDsoff();
1237 }
1238
1239 void OnSuccess(){
1240 pcb_blocknum = 0;
1241 ReaderTransmit(deselect_cmd, 3 , NULL);
1242 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1243 LEDsoff();
1244 }
1245
1246 void OnError(uint8_t reason){
1247 pcb_blocknum = 0;
1248 ReaderTransmit(deselect_cmd, 3 , NULL);
1249 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1250 cmd_send(CMD_ACK,0,reason,0,0,0);
1251 LEDsoff();
1252 }
Proxmark3 GIT tracking
Impressum, Datenschutz