]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf14a.c
FIX; the "L" optional parameter for swapping endianess on used authentication key...
[proxmark3-svn] / client / cmdhf14a.c
1 //-----------------------------------------------------------------------------
2 // 2011, Merlok
3 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>, Hagen Fritsch
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // High frequency ISO14443A commands
10 //-----------------------------------------------------------------------------
11
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <unistd.h>
16 #include "util.h"
17 #include "iso14443crc.h"
18 #include "data.h"
19 #include "proxmark3.h"
20 #include "ui.h"
21 #include "cmdparser.h"
22 #include "cmdhf14a.h"
23 #include "common.h"
24 #include "cmdmain.h"
25 #include "mifare.h"
26 #include "cmdhfmfu.h"
27 #include "nonce2key/crapto1.h"
28
29 #define llx PRIx64
30
31 static int CmdHelp(const char *Cmd);
32 static void waitCmd(uint8_t iLen);
33
34 // structure and database for uid -> tagtype lookups
35 typedef struct {
36 uint8_t uid;
37 char* desc;
38 } manufactureName;
39
40 const manufactureName manufactureMapping[] = {
41 // ID, "Vendor Country"
42 { 0x01, "Motorola UK" },
43 { 0x02, "ST Microelectronics SA France" },
44 { 0x03, "Hitachi, Ltd Japan" },
45 { 0x04, "NXP Semiconductors Germany" },
46 { 0x05, "Infineon Technologies AG Germany" },
47 { 0x06, "Cylink USA" },
48 { 0x07, "Texas Instrument France" },
49 { 0x08, "Fujitsu Limited Japan" },
50 { 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
51 { 0x0A, "NEC Japan" },
52 { 0x0B, "Oki Electric Industry Co. Ltd Japan" },
53 { 0x0C, "Toshiba Corp. Japan" },
54 { 0x0D, "Mitsubishi Electric Corp. Japan" },
55 { 0x0E, "Samsung Electronics Co. Ltd Korea" },
56 { 0x0F, "Hynix / Hyundai, Korea" },
57 { 0x10, "LG-Semiconductors Co. Ltd Korea" },
58 { 0x11, "Emosyn-EM Microelectronics USA" },
59 { 0x12, "INSIDE Technology France" },
60 { 0x13, "ORGA Kartensysteme GmbH Germany" },
61 { 0x14, "SHARP Corporation Japan" },
62 { 0x15, "ATMEL France" },
63 { 0x16, "EM Microelectronic-Marin SA Switzerland" },
64 { 0x17, "KSW Microtec GmbH Germany" },
65 { 0x18, "ZMD AG Germany" },
66 { 0x19, "XICOR, Inc. USA" },
67 { 0x1A, "Sony Corporation Japan Identifier Company Country" },
68 { 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
69 { 0x1C, "Emosyn USA" },
70 { 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
71 { 0x1E, "Magellan Technology Pty Limited Australia" },
72 { 0x1F, "Melexis NV BO Switzerland" },
73 { 0x20, "Renesas Technology Corp. Japan" },
74 { 0x21, "TAGSYS France" },
75 { 0x22, "Transcore USA" },
76 { 0x23, "Shanghai belling corp., ltd. China" },
77 { 0x24, "Masktech Germany Gmbh Germany" },
78 { 0x25, "Innovision Research and Technology Plc UK" },
79 { 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
80 { 0x27, "Cypak AB Sweden" },
81 { 0x28, "Ricoh Japan" },
82 { 0x29, "ASK France" },
83 { 0x2A, "Unicore Microsystems, LLC Russian Federation" },
84 { 0x2B, "Dallas Semiconductor/Maxim USA" },
85 { 0x2C, "Impinj, Inc. USA" },
86 { 0x2D, "RightPlug Alliance USA" },
87 { 0x2E, "Broadcom Corporation USA" },
88 { 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
89 { 0x30, "BeeDar Technology Inc. USA" },
90 { 0x31, "RFIDsec Denmark" },
91 { 0x32, "Schweizer Electronic AG Germany" },
92 { 0x33, "AMIC Technology Corp Taiwan" },
93 { 0x34, "Mikron JSC Russia" },
94 { 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
95 { 0x36, "IDS Microchip AG Switzerland" },
96 { 0x37, "Kovio USA" },
97 { 0x38, "HMT Microelectronic Ltd Switzerland Identifier Company Country" },
98 { 0x39, "Silicon Craft Technology Thailand" },
99 { 0x3A, "Advanced Film Device Inc. Japan" },
100 { 0x3B, "Nitecrest Ltd UK" },
101 { 0x3C, "Verayo Inc. USA" },
102 { 0x3D, "HID Global USA" },
103 { 0x3E, "Productivity Engineering Gmbh Germany" },
104 { 0x3F, "Austriamicrosystems AG (reserved) Austria" },
105 { 0x40, "Gemalto SA France" },
106 { 0x41, "Renesas Electronics Corporation Japan" },
107 { 0x42, "3Alogics Inc Korea" },
108 { 0x43, "Top TroniQ Asia Limited Hong Kong" },
109 { 0x44, "Gentag Inc (USA) USA" },
110 { 0x00, "no tag-info available" } // must be the last entry
111 };
112
113
114 // get a product description based on the UID
115 // uid[8] tag uid
116 // returns description of the best match
117 char* getTagInfo(uint8_t uid) {
118
119 int i;
120 int len = sizeof(manufactureMapping) / sizeof(manufactureName);
121
122 for ( i = 0; i < len; ++i )
123 if ( uid == manufactureMapping[i].uid)
124 return manufactureMapping[i].desc;
125
126 //No match, return default
127 return manufactureMapping[len-1].desc;
128 }
129
130 int CmdHF14AList(const char *Cmd)
131 {
132 PrintAndLog("Deprecated command, use 'hf list 14a' instead");
133 return 0;
134 }
135
136 int CmdHF14AReader(const char *Cmd)
137 {
138 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
139 SendCommand(&c);
140
141 UsbCommand resp;
142 WaitForResponse(CMD_ACK,&resp);
143
144 iso14a_card_select_t card;
145 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
146
147 uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
148
149 if(select_status == 0) {
150 if (Cmd[0] != 's') PrintAndLog("iso14443a card select failed");
151 // disconnect
152 c.arg[0] = 0;
153 c.arg[1] = 0;
154 c.arg[2] = 0;
155 SendCommand(&c);
156 return 0;
157 }
158
159 if(select_status == 3) {
160 PrintAndLog("Card doesn't support standard iso14443-3 anticollision");
161 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
162 // disconnect
163 c.arg[0] = 0;
164 c.arg[1] = 0;
165 c.arg[2] = 0;
166 SendCommand(&c);
167 return 0;
168 }
169
170 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
171 PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]);
172 PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
173
174 switch (card.sak) {
175 case 0x00:
176
177 //***************************************test****************
178 ul_switch_off_field();
179
180 uint32_t tagT = GetHF14AMfU_Type();
181 ul_print_type(tagT, 0);
182
183 //reconnect for further tests
184 c.arg[0] = ISO14A_CONNECT | ISO14A_NO_DISCONNECT;
185 c.arg[1] = 0;
186 c.arg[2] = 0;
187
188 SendCommand(&c);
189
190 UsbCommand resp;
191 WaitForResponse(CMD_ACK,&resp);
192
193 memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t));
194
195 select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS
196
197 if(select_status == 0) {
198 ul_switch_off_field();
199 return 0;
200 }
201
202 /* orig
203 // check if the tag answers to GETVERSION (0x60)
204 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
205 c.arg[1] = 1;
206 c.arg[2] = 0;
207 c.d.asBytes[0] = 0x60;
208 SendCommand(&c);
209 WaitForResponse(CMD_ACK,&resp);
210
211 uint8_t version[10] = {0};
212 memcpy(version, resp.d.asBytes, resp.arg[0] < sizeof(version) ? resp.arg[0] : sizeof(version));
213 uint8_t len = resp.arg[0] & 0xff;
214 switch ( len){
215 // todo, identify "Magic UL-C tags". // they usually have a static nonce response to 0x1A command.
216 // UL-EV1, size, check version[6] == 0x0b (smaller) 0x0b * 4 == 48
217 case 0x0A:PrintAndLog("TYPE : NXP MIFARE Ultralight EV1 %d bytes", (version[6] == 0xB) ? 48 : 128); break;
218 case 0x01:PrintAndLog("TYPE : NXP MIFARE Ultralight C");break;
219 case 0x00:PrintAndLog("TYPE : NXP MIFARE Ultralight");break;
220 }
221 */
222 break;
223 case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
224 case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
225 case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
226 case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
227 case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break;
228 case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break;
229 case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break;
230 case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break;
231 case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break;
232 case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break;
233 case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break;
234 case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break;
235 case 0x98: PrintAndLog("TYPE : Gemplus MPCOS"); break;
236 default: ;
237 }
238
239 // Double & triple sized UID, can be mapped to a manufacturer.
240 if ( card.uidlen > 4 ) {
241 PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
242 }
243
244 // try to request ATS even if tag claims not to support it
245 if (select_status == 2) {
246 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
247 c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT;
248 c.arg[1] = 2;
249 c.arg[2] = 0;
250 memcpy(c.d.asBytes, rats, 2);
251 SendCommand(&c);
252 WaitForResponse(CMD_ACK,&resp);
253
254 memcpy(card.ats, resp.d.asBytes, resp.arg[0]);
255 card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
256 }
257
258 if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
259 bool ta1 = 0, tb1 = 0, tc1 = 0;
260 int pos;
261
262 if (select_status == 2) {
263 PrintAndLog("SAK incorrectly claims that card doesn't support RATS");
264 }
265 PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len));
266 PrintAndLog(" - TL : length is %d bytes", card.ats[0]);
267 if (card.ats[0] != card.ats_len - 2) {
268 PrintAndLog("ATS may be corrupted. Length of ATS (%d bytes incl. 2 Bytes CRC) doesn't match TL", card.ats_len);
269 }
270
271 if (card.ats[0] > 1) { // there is a format byte (T0)
272 ta1 = (card.ats[1] & 0x10) == 0x10;
273 tb1 = (card.ats[1] & 0x20) == 0x20;
274 tc1 = (card.ats[1] & 0x40) == 0x40;
275 int16_t fsci = card.ats[1] & 0x0f;
276 PrintAndLog(" - T0 : TA1 is%s present, TB1 is%s present, "
277 "TC1 is%s present, FSCI is %d (FSC = %ld)",
278 (ta1 ? "" : " NOT"), (tb1 ? "" : " NOT"), (tc1 ? "" : " NOT"),
279 fsci,
280 fsci < 5 ? (fsci - 2) * 8 :
281 fsci < 8 ? (fsci - 3) * 32 :
282 fsci == 8 ? 256 :
283 -1
284 );
285 }
286 pos = 2;
287 if (ta1) {
288 char dr[16], ds[16];
289 dr[0] = ds[0] = '\0';
290 if (card.ats[pos] & 0x10) strcat(ds, "2, ");
291 if (card.ats[pos] & 0x20) strcat(ds, "4, ");
292 if (card.ats[pos] & 0x40) strcat(ds, "8, ");
293 if (card.ats[pos] & 0x01) strcat(dr, "2, ");
294 if (card.ats[pos] & 0x02) strcat(dr, "4, ");
295 if (card.ats[pos] & 0x04) strcat(dr, "8, ");
296 if (strlen(ds) != 0) ds[strlen(ds) - 2] = '\0';
297 if (strlen(dr) != 0) dr[strlen(dr) - 2] = '\0';
298 PrintAndLog(" - TA1 : different divisors are%s supported, "
299 "DR: [%s], DS: [%s]",
300 (card.ats[pos] & 0x80 ? " NOT" : ""), dr, ds);
301 pos++;
302 }
303 if (tb1) {
304 uint32_t sfgi = card.ats[pos] & 0x0F;
305 uint32_t fwi = card.ats[pos] >> 4;
306 PrintAndLog(" - TB1 : SFGI = %d (SFGT = %s%ld/fc), FWI = %d (FWT = %ld/fc)",
307 (sfgi),
308 sfgi ? "" : "(not needed) ",
309 sfgi ? (1 << 12) << sfgi : 0,
310 fwi,
311 (1 << 12) << fwi
312 );
313 pos++;
314 }
315 if (tc1) {
316 PrintAndLog(" - TC1 : NAD is%s supported, CID is%s supported",
317 (card.ats[pos] & 0x01) ? "" : " NOT",
318 (card.ats[pos] & 0x02) ? "" : " NOT");
319 pos++;
320 }
321 if (card.ats[0] > pos) {
322 char *tip = "";
323 if (card.ats[0] - pos >= 7) {
324 if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x01\xBC\xD6", 7) == 0) {
325 tip = "-> MIFARE Plus X 2K or 4K";
326 } else if (memcmp(card.ats + pos, "\xC1\x05\x2F\x2F\x00\x35\xC7", 7) == 0) {
327 tip = "-> MIFARE Plus S 2K or 4K";
328 }
329 }
330 PrintAndLog(" - HB : %s%s", sprint_hex(card.ats + pos, card.ats[0] - pos), tip);
331 if (card.ats[pos] == 0xC1) {
332 PrintAndLog(" c1 -> Mifare or (multiple) virtual cards of various type");
333 PrintAndLog(" %02x -> Length is %d bytes",
334 card.ats[pos + 1], card.ats[pos + 1]);
335 switch (card.ats[pos + 2] & 0xf0) {
336 case 0x10:
337 PrintAndLog(" 1x -> MIFARE DESFire");
338 break;
339 case 0x20:
340 PrintAndLog(" 2x -> MIFARE Plus");
341 break;
342 }
343 switch (card.ats[pos + 2] & 0x0f) {
344 case 0x00:
345 PrintAndLog(" x0 -> <1 kByte");
346 break;
347 case 0x01:
348 PrintAndLog(" x0 -> 1 kByte");
349 break;
350 case 0x02:
351 PrintAndLog(" x0 -> 2 kByte");
352 break;
353 case 0x03:
354 PrintAndLog(" x0 -> 4 kByte");
355 break;
356 case 0x04:
357 PrintAndLog(" x0 -> 8 kByte");
358 break;
359 }
360 switch (card.ats[pos + 3] & 0xf0) {
361 case 0x00:
362 PrintAndLog(" 0x -> Engineering sample");
363 break;
364 case 0x20:
365 PrintAndLog(" 2x -> Released");
366 break;
367 }
368 switch (card.ats[pos + 3] & 0x0f) {
369 case 0x00:
370 PrintAndLog(" x0 -> Generation 1");
371 break;
372 case 0x01:
373 PrintAndLog(" x1 -> Generation 2");
374 break;
375 case 0x02:
376 PrintAndLog(" x2 -> Generation 3");
377 break;
378 }
379 switch (card.ats[pos + 4] & 0x0f) {
380 case 0x00:
381 PrintAndLog(" x0 -> Only VCSL supported");
382 break;
383 case 0x01:
384 PrintAndLog(" x1 -> VCS, VCSL, and SVC supported");
385 break;
386 case 0x0E:
387 PrintAndLog(" xE -> no VCS command supported");
388 break;
389 }
390 }
391 }
392 } else {
393 PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
394 }
395
396
397 // try to see if card responses to "chinese magic backdoor" commands.
398 c.cmd = CMD_MIFARE_CIDENT;
399 c.arg[0] = 0;
400 c.arg[1] = 0;
401 c.arg[2] = 0;
402 SendCommand(&c);
403 WaitForResponse(CMD_ACK,&resp);
404 uint8_t isOK = resp.arg[0] & 0xff;
405 PrintAndLog("Answers to chinese magic backdoor commands: %s", (isOK ? "YES" : "NO") );
406
407 // disconnect
408 c.cmd = CMD_READER_ISO_14443a;
409 c.arg[0] = 0;
410 c.arg[1] = 0;
411 c.arg[2] = 0;
412 SendCommand(&c);
413
414 return select_status;
415 }
416
417 // Collect ISO14443 Type A UIDs
418 int CmdHF14ACUIDs(const char *Cmd)
419 {
420 // requested number of UIDs
421 int n = atoi(Cmd);
422 // collect at least 1 (e.g. if no parameter was given)
423 n = n > 0 ? n : 1;
424
425 PrintAndLog("Collecting %d UIDs", n);
426 PrintAndLog("Start: %u", time(NULL));
427 // repeat n times
428 for (int i = 0; i < n; i++) {
429 // execute anticollision procedure
430 UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
431 SendCommand(&c);
432
433 UsbCommand resp;
434 WaitForResponse(CMD_ACK,&resp);
435
436 iso14a_card_select_t *card = (iso14a_card_select_t *) resp.d.asBytes;
437
438 // check if command failed
439 if (resp.arg[0] == 0) {
440 PrintAndLog("Card select failed.");
441 } else {
442 char uid_string[20];
443 for (uint16_t i = 0; i < card->uidlen; i++) {
444 sprintf(&uid_string[2*i], "%02X", card->uid[i]);
445 }
446 PrintAndLog("%s", uid_string);
447 }
448 }
449 PrintAndLog("End: %u", time(NULL));
450
451 return 1;
452 }
453
454
455 static int usage_hf_14a_sim(void)
456 {
457 PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4 or 7 byte UID\n");
458 PrintAndLog("Usage: hf 14a sim t <type> u <uid> x");
459 PrintAndLog(" Options : ");
460 PrintAndLog(" h : this help");
461 PrintAndLog(" t : 1 = MIFARE Classic");
462 PrintAndLog(" 2 = MIFARE Ultralight");
463 PrintAndLog(" 3 = MIFARE Desfire");
464 PrintAndLog(" 4 = ISO/IEC 14443-4");
465 PrintAndLog(" 5 = MIFARE Tnp3xxx");
466 PrintAndLog(" 6 = MIFARE Mini");
467 PrintAndLog(" u : 4 or 7 byte UID");
468 PrintAndLog(" x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader");
469 PrintAndLog("\n sample : hf 14a sim t 1 u 1122344");
470 PrintAndLog(" : hf 14a sim t 1 u 1122344 x\n");
471 return 0;
472 }
473
474 // ## simulate iso14443a tag
475 // ## greg - added ability to specify tag UID
476 int CmdHF14ASim(const char *Cmd)
477 {
478 bool errors = FALSE;
479 uint8_t flags = 0;
480 uint8_t tagtype = 1;
481 uint64_t uid = 0;
482 uint8_t cmdp = 0;
483
484 while(param_getchar(Cmd, cmdp) != 0x00)
485 {
486 switch(param_getchar(Cmd, cmdp))
487 {
488 case 'h':
489 case 'H':
490 return usage_hf_14a_sim();
491 case 't':
492 case 'T':
493 // Retrieve the tag type
494 tagtype = param_get8ex(Cmd, cmdp+1, 0, 10);
495 if (tagtype == 0)
496 errors = true;
497 cmdp += 2;
498 break;
499 case 'u':
500 case 'U':
501 // Retrieve the full 4 or 7 byte long uid
502 uid = param_get64ex(Cmd, cmdp+1, 0, 16);
503 if (uid == 0 )
504 errors = TRUE;
505
506 if (uid > 0xffffffff) {
507 PrintAndLog("Emulating ISO/IEC 14443 type A tag with 7 byte UID (%014"llx")",uid);
508 flags |= FLAG_7B_UID_IN_DATA;
509 } else {
510 PrintAndLog("Emulating ISO/IEC 14443 type A tag with 4 byte UID (%08x)",uid);
511 flags |= FLAG_4B_UID_IN_DATA;
512 }
513 cmdp += 2;
514 break;
515 case 'x':
516 case 'X':
517 flags |= FLAG_NR_AR_ATTACK;
518 cmdp++;
519 break;
520 default:
521 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
522 errors = true;
523 break;
524 }
525 if(errors) break;
526 }
527
528 //Validations
529 if (errors) return usage_hf_14a_sim();
530
531 PrintAndLog("Press pm3-button to abort simulation");
532
533 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
534 num_to_bytes(uid, 7, c.d.asBytes);
535 SendCommand(&c);
536
537 while(!ukbhit()){
538 UsbCommand resp;
539 WaitForResponseTimeout(CMD_ACK,&resp,1500);
540 PrintAndLog("Got %04X %02X", resp.arg[0], resp.arg[0]);
541 if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
542 uint8_t data[40];
543 uint8_t key[6];
544 int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
545 memcpy(data, resp.d.asBytes, len);
546 tryMfk32(uid, data, key);
547 //tryMfk64(uid, data, key);
548 PrintAndLog("--");
549 memset(data,0x00, 40);
550 }
551 }
552 return 0;
553 }
554
555 int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
556
557 struct Crypto1State *s,*t;
558 uint64_t key; // recovered key
559 uint32_t uid; // serial number
560 uint32_t nt; // tag challenge
561 uint32_t nr0_enc; // first encrypted reader challenge
562 uint32_t ar0_enc; // first encrypted reader response
563 uint32_t nr1_enc; // second encrypted reader challenge
564 uint32_t ar1_enc; // second encrypted reader response
565 bool isSuccess = FALSE;
566 int counter = 0;
567
568 uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
569 nt = *(uint32_t*)(data+8);
570 nr0_enc = *(uint32_t*)(data+12);
571 ar0_enc = *(uint32_t*)(data+16);
572 nr1_enc = *(uint32_t*)(data+32);
573 ar1_enc = *(uint32_t*)(data+36);
574
575 // PrintAndLog("Recovering key for:");
576 // PrintAndLog(" uid: %08x",uid);
577 // PrintAndLog(" nt: %08x",nt);
578 // PrintAndLog(" {nr_0}: %08x",nr0_enc);
579 // PrintAndLog(" {ar_0}: %08x",ar0_enc);
580 // PrintAndLog(" {nr_1}: %08x",nr1_enc);
581 // PrintAndLog(" {ar_1}: %08x",ar1_enc);
582
583 s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
584
585 for(t = s; t->odd | t->even; ++t) {
586 lfsr_rollback_word(t, 0, 0);
587 lfsr_rollback_word(t, nr0_enc, 1);
588 lfsr_rollback_word(t, uid ^ nt, 0);
589 crypto1_get_lfsr(t, &key);
590 crypto1_word(t, uid ^ nt, 0);
591 crypto1_word(t, nr1_enc, 1);
592 if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
593 PrintAndLog("Found Key: [%012"llx"]",key);
594 isSuccess = TRUE;
595 ++counter;
596 if (counter==10)
597 break;
598 }
599 }
600 free(s);
601 return isSuccess;
602 }
603
604 int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
605
606 struct Crypto1State *revstate;
607 uint64_t key; // recovered key
608 uint32_t uid; // serial number
609 uint32_t nt; // tag challenge
610 uint32_t nr_enc; // encrypted reader challenge
611 uint32_t ar_enc; // encrypted reader response
612 uint32_t at_enc; // encrypted tag response
613 uint32_t ks2; // keystream used to encrypt reader response
614 uint32_t ks3; // keystream used to encrypt tag response
615
616 struct Crypto1State mpcs = {0, 0};
617 struct Crypto1State *pcs;
618 pcs = &mpcs;
619
620
621
622 uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
623 nt = *(uint32_t*)(data+8);
624 nr_enc = *(uint32_t*)(data+12);
625 ar_enc = *(uint32_t*)(data+16);
626
627 crypto1_word(pcs, nr_enc , 1);
628 at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
629
630 // printf("Recovering key for:\n");
631 // printf(" uid: %08x\n",uid);
632 // printf(" nt: %08x\n",nt);
633 // printf(" {nr}: %08x\n",nr_enc);
634 // printf(" {ar}: %08x\n",ar_enc);
635 // printf(" {at}: %08x\n",at_enc);
636
637 // Extract the keystream from the messages
638 ks2 = ar_enc ^ prng_successor(nt, 64);
639 ks3 = at_enc ^ prng_successor(nt, 96);
640
641 revstate = lfsr_recovery64(ks2, ks3);
642 lfsr_rollback_word(revstate, 0, 0);
643 lfsr_rollback_word(revstate, 0, 0);
644 lfsr_rollback_word(revstate, nr_enc, 1);
645 lfsr_rollback_word(revstate, uid ^ nt, 0);
646 crypto1_get_lfsr(revstate, &key);
647 PrintAndLog("Found Key: [%012"llx"]",key);
648 crypto1_destroy(revstate);
649 crypto1_destroy(pcs);
650 return 0;
651 }
652
653 int CmdHF14ASniff(const char *Cmd) {
654 int param = 0;
655
656 uint8_t ctmp = param_getchar(Cmd, 0) ;
657 if (ctmp == 'h' || ctmp == 'H') {
658 PrintAndLog("It get data from the field and saves it into command buffer.");
659 PrintAndLog("Buffer accessible from command 'hf list 14a'");
660 PrintAndLog("Usage: hf 14a sniff [c][r]");
661 PrintAndLog("c - triggered by first data from card");
662 PrintAndLog("r - triggered by first 7-bit request from reader (REQ,WUP,...)");
663 PrintAndLog("sample: hf 14a sniff c r");
664 return 0;
665 }
666
667 for (int i = 0; i < 2; i++) {
668 ctmp = param_getchar(Cmd, i);
669 if (ctmp == 'c' || ctmp == 'C') param |= 0x01;
670 if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
671 }
672
673 UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
674 SendCommand(&c);
675 return 0;
676 }
677
678
679 int CmdHF14ACmdRaw(const char *cmd) {
680 UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
681 bool reply=1;
682 bool crc = FALSE;
683 bool power = FALSE;
684 bool active = FALSE;
685 bool active_select = FALSE;
686 uint16_t numbits=0;
687 bool bTimeout = FALSE;
688 uint32_t timeout=0;
689 bool topazmode = FALSE;
690 char buf[5]="";
691 int i=0;
692 uint8_t data[USB_CMD_DATA_SIZE];
693 uint16_t datalen=0;
694 uint32_t temp;
695
696 if (strlen(cmd)<2) {
697 PrintAndLog("Usage: hf 14a raw [-r] [-c] [-p] [-a] [-t] <milliseconds> [-b] <number of bits> <0A 0B 0C ... hex>");
698 PrintAndLog(" -r do not read response");
699 PrintAndLog(" -c calculate and append CRC");
700 PrintAndLog(" -p leave the signal field ON after receive");
701 PrintAndLog(" -a active signal field ON without select");
702 PrintAndLog(" -s active signal field ON with select");
703 PrintAndLog(" -b number of bits to send. Useful for send partial byte");
704 PrintAndLog(" -t timeout in ms");
705 PrintAndLog(" -T use Topaz protocol to send command");
706 return 0;
707 }
708
709
710 // strip
711 while (*cmd==' ' || *cmd=='\t') cmd++;
712
713 while (cmd[i]!='\0') {
714 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
715 if (cmd[i]=='-') {
716 switch (cmd[i+1]) {
717 case 'r':
718 reply = FALSE;
719 break;
720 case 'c':
721 crc = TRUE;
722 break;
723 case 'p':
724 power = TRUE;
725 break;
726 case 'a':
727 active = TRUE;
728 break;
729 case 's':
730 active_select = TRUE;
731 break;
732 case 'b':
733 sscanf(cmd+i+2,"%d",&temp);
734 numbits = temp & 0xFFFF;
735 i+=3;
736 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
737 i-=2;
738 break;
739 case 't':
740 bTimeout = TRUE;
741 sscanf(cmd+i+2,"%d",&temp);
742 timeout = temp;
743 i+=3;
744 while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
745 i-=2;
746 break;
747 case 'T':
748 topazmode = TRUE;
749 break;
750 default:
751 PrintAndLog("Invalid option");
752 return 0;
753 }
754 i+=2;
755 continue;
756 }
757 if ((cmd[i]>='0' && cmd[i]<='9') ||
758 (cmd[i]>='a' && cmd[i]<='f') ||
759 (cmd[i]>='A' && cmd[i]<='F') ) {
760 buf[strlen(buf)+1]=0;
761 buf[strlen(buf)]=cmd[i];
762 i++;
763
764 if (strlen(buf)>=2) {
765 sscanf(buf,"%x",&temp);
766 data[datalen]=(uint8_t)(temp & 0xff);
767 *buf=0;
768 if (++datalen >= sizeof(data)){
769 if (crc)
770 PrintAndLog("Buffer is full, we can't add CRC to your data");
771 break;
772 }
773 }
774 continue;
775 }
776 PrintAndLog("Invalid char on input");
777 return 0;
778 }
779
780 if(crc && datalen>0 && datalen<sizeof(data)-2)
781 {
782 uint8_t first, second;
783 if (topazmode) {
784 ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
785 } else {
786 ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
787 }
788 data[datalen++] = first;
789 data[datalen++] = second;
790 }
791
792 if(active || active_select)
793 {
794 c.arg[0] |= ISO14A_CONNECT;
795 if(active)
796 c.arg[0] |= ISO14A_NO_SELECT;
797 }
798
799 if(bTimeout){
800 #define MAX_TIMEOUT 40542464 // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
801 c.arg[0] |= ISO14A_SET_TIMEOUT;
802 if(timeout > MAX_TIMEOUT) {
803 timeout = MAX_TIMEOUT;
804 PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
805 }
806 c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
807 }
808
809 if(power)
810 c.arg[0] |= ISO14A_NO_DISCONNECT;
811
812 if(datalen>0)
813 c.arg[0] |= ISO14A_RAW;
814
815 if(topazmode)
816 c.arg[0] |= ISO14A_TOPAZMODE;
817
818 // Max buffer is USB_CMD_DATA_SIZE
819 c.arg[1] = (datalen & 0xFFFF) | (numbits << 16);
820 memcpy(c.d.asBytes,data,datalen);
821
822 SendCommand(&c);
823
824 if (reply) {
825 if(active_select)
826 waitCmd(1);
827 if(datalen>0)
828 waitCmd(0);
829 } // if reply
830 return 0;
831 }
832
833
834 static void waitCmd(uint8_t iSelect)
835 {
836 uint8_t *recv;
837 UsbCommand resp;
838 char *hexout;
839
840 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
841 recv = resp.d.asBytes;
842 uint8_t iLen = iSelect ? resp.arg[1] : resp.arg[0];
843 PrintAndLog("received %i octets",iLen);
844 if(!iLen)
845 return;
846 hexout = (char *)malloc(iLen * 3 + 1);
847 if (hexout != NULL) {
848 for (int i = 0; i < iLen; i++) { // data in hex
849 sprintf(&hexout[i * 3], "%02X ", recv[i]);
850 }
851 PrintAndLog("%s", hexout);
852 free(hexout);
853 } else {
854 PrintAndLog("malloc failed your client has low memory?");
855 }
856 } else {
857 PrintAndLog("timeout while waiting for reply.");
858 }
859 }
860
861 static command_t CommandTable[] =
862 {
863 {"help", CmdHelp, 1, "This help"},
864 {"list", CmdHF14AList, 0, "[Deprecated] List ISO 14443a history"},
865 {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
866 {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n>0 ISO14443 Type A UIDs in one go"},
867 {"sim", CmdHF14ASim, 0, "<UID> -- Simulate ISO 14443a tag"},
868 {"sniff", CmdHF14ASniff, 0, "sniff ISO 14443 Type A traffic"},
869 {"raw", CmdHF14ACmdRaw, 0, "Send raw hex data to tag"},
870 {NULL, NULL, 0, NULL}
871 };
872
873 int CmdHF14A(const char *Cmd) {
874 // flush
875 WaitForResponseTimeout(CMD_ACK,NULL,100);
876
877 // parse
878 CmdsParse(CommandTable, Cmd);
879 return 0;
880 }
881
882 int CmdHelp(const char *Cmd)
883 {
884 CmdsHelp(CommandTable);
885 return 0;
886 }
Impressum, Datenschutz