1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
8 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
9 // at your option, any later version. See the LICENSE.txt file for the text of
11 //-----------------------------------------------------------------------------
12 // Routines to support iClass.
13 //-----------------------------------------------------------------------------
14 // Contribution made during a security research at Radboud University Nijmegen
16 // Please feel free to contribute and extend iClass support!!
17 //-----------------------------------------------------------------------------
21 #include "proxmark3.h"
28 #include "iso14443a.h"
30 // Needed for CRC in emulation mode;
31 // same construction as in ISO 14443;
32 // different initial value (CRC_ICLASS)
33 #include "iso14443crc.h"
34 #include "iso15693tools.h"
35 #include "protocols.h"
36 #include "optimized_cipher.h"
37 #include "usb_cdc.h" // for usb_poll_validate_length
38 #include "fpgaloader.h"
40 // iCLASS has a slightly different timing compared to ISO15693. According to the picopass data sheet the tag response is expected 330us after
41 // the reader command. This is measured from end of reader EOF to first modulation of the tag's SOF which starts with a 56,64us unmodulated period.
42 // 330us = 140 ssp_clk cycles @ 423,75kHz when simulating.
43 // 56,64us = 24 ssp_clk_cycles
44 #define DELAY_ICLASS_VCD_TO_VICC_SIM (140 - 24)
45 // times in ssp_clk_cycles @ 3,3625MHz when acting as reader
46 #define DELAY_ICLASS_VICC_TO_VCD_READER DELAY_ISO15693_VICC_TO_VCD_READER
47 // times in samples @ 212kHz when acting as reader
48 #define ICLASS_READER_TIMEOUT_ACTALL 330 // 1558us, nominal 330us + 7slots*160us = 1450us
49 #define ICLASS_READER_TIMEOUT_UPDATE 3390 // 16000us, nominal 4-15ms
50 #define ICLASS_READER_TIMEOUT_OTHERS 80 // 380us, nominal 330us
52 #define ICLASS_BUFFER_SIZE 34 // we expect max 34 bytes as tag answer (response to READ4)
55 //=============================================================================
56 // A `sniffer' for iClass communication
57 // Both sides of communication!
58 //=============================================================================
59 void SnoopIClass(uint8_t jam_search_len
, uint8_t *jam_search_string
) {
60 SnoopIso15693(jam_search_len
, jam_search_string
);
64 void rotateCSN(uint8_t* originalCSN
, uint8_t* rotatedCSN
) {
66 for (i
= 0; i
< 8; i
++) {
67 rotatedCSN
[i
] = (originalCSN
[i
] >> 3) | (originalCSN
[(i
+1)%8] << 5);
73 static void CodeIClassTagSOF() {
75 ToSend
[++ToSendMax
] = 0x1D;
80 static void AppendCrc(uint8_t *data
, int len
) {
81 ComputeCrc14443(CRC_ICLASS
, data
, len
, data
+len
, data
+len
+1);
86 * @brief Does the actual simulation
88 int doIClassSimulation(int simulationMode
, uint8_t *reader_mac_buf
) {
90 // free eventually allocated BigBuf memory
91 BigBuf_free_keep_EM();
93 uint16_t page_size
= 32 * 8;
94 uint8_t current_page
= 0;
96 // maintain cipher states for both credit and debit key for each page
97 State cipher_state_KC
[8];
98 State cipher_state_KD
[8];
99 State
*cipher_state
= &cipher_state_KD
[0];
101 uint8_t *emulator
= BigBuf_get_EM_addr();
102 uint8_t *csn
= emulator
;
104 // CSN followed by two CRC bytes
105 uint8_t anticoll_data
[10];
106 uint8_t csn_data
[10];
107 memcpy(csn_data
, csn
, sizeof(csn_data
));
108 Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x", csn
[0], csn
[1], csn
[2], csn
[3], csn
[4], csn
[5], csn
[6], csn
[7]);
110 // Construct anticollision-CSN
111 rotateCSN(csn_data
, anticoll_data
);
113 // Compute CRC on both CSNs
114 AppendCrc(anticoll_data
, 8);
115 AppendCrc(csn_data
, 8);
117 uint8_t diversified_key_d
[8] = { 0x00 };
118 uint8_t diversified_key_c
[8] = { 0x00 };
119 uint8_t *diversified_key
= diversified_key_d
;
121 // configuration block
122 uint8_t conf_block
[10] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C, 0x00, 0x00};
125 uint8_t card_challenge_data
[8] = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
127 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
128 // initialize from page 0
129 memcpy(conf_block
, emulator
+ 8 * 1, 8);
130 memcpy(card_challenge_data
, emulator
+ 8 * 2, 8); // e-purse
131 memcpy(diversified_key_d
, emulator
+ 8 * 3, 8); // Kd
132 memcpy(diversified_key_c
, emulator
+ 8 * 4, 8); // Kc
135 AppendCrc(conf_block
, 8);
137 // save card challenge for sim2,4 attack
138 if (reader_mac_buf
!= NULL
) {
139 memcpy(reader_mac_buf
, card_challenge_data
, 8);
142 if (conf_block
[5] & 0x80) {
147 // When the page is in personalization mode this bit is equal to 1.
148 // Once the application issuer has personalized and coded its dedicated areas, this bit must be set to 0:
149 // the page is then "in application mode".
150 bool personalization_mode
= conf_block
[7] & 0x80;
152 // chip memory may be divided in 8 pages
153 uint8_t max_page
= conf_block
[4] & 0x10 ? 0 : 7;
155 // Precalculate the cipher states, feeding it the CC
156 cipher_state_KD
[0] = opt_doTagMAC_1(card_challenge_data
, diversified_key_d
);
157 cipher_state_KC
[0] = opt_doTagMAC_1(card_challenge_data
, diversified_key_c
);
158 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
159 for (int i
= 1; i
< max_page
; i
++) {
160 uint8_t *epurse
= emulator
+ i
*page_size
+ 8*2;
161 uint8_t *Kd
= emulator
+ i
*page_size
+ 8*3;
162 uint8_t *Kc
= emulator
+ i
*page_size
+ 8*4;
163 cipher_state_KD
[i
] = opt_doTagMAC_1(epurse
, Kd
);
164 cipher_state_KC
[i
] = opt_doTagMAC_1(epurse
, Kc
);
173 // Reader 81 anticoll. CSN
176 uint8_t *modulated_response
;
177 int modulated_response_size
= 0;
178 uint8_t *trace_data
= NULL
;
179 int trace_data_size
= 0;
181 // Respond SOF -- takes 1 bytes
182 uint8_t *resp_sof
= BigBuf_malloc(1);
185 // Anticollision CSN (rotated CSN)
186 // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
187 uint8_t *resp_anticoll
= BigBuf_malloc(22);
188 int resp_anticoll_len
;
191 // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
192 uint8_t *resp_csn
= BigBuf_malloc(22);
195 // configuration (block 1) picopass 2ks
196 uint8_t *resp_conf
= BigBuf_malloc(22);
200 // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
201 uint8_t *resp_cc
= BigBuf_malloc(18);
204 // Kd, Kc (blocks 3 and 4). Cannot be read. Always respond with 0xff bytes only
205 uint8_t *resp_ff
= BigBuf_malloc(22);
207 uint8_t ff_data
[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
208 AppendCrc(ff_data
, 8);
210 // Application Issuer Area (block 5)
211 uint8_t *resp_aia
= BigBuf_malloc(22);
213 uint8_t aia_data
[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
214 AppendCrc(aia_data
, 8);
216 uint8_t *receivedCmd
= BigBuf_malloc(MAX_FRAME_SIZE
);
219 // Prepare card messages
221 // First card answer: SOF only
223 memcpy(resp_sof
, ToSend
, ToSendMax
);
224 resp_sof_Len
= ToSendMax
;
227 CodeIso15693AsTag(anticoll_data
, sizeof(anticoll_data
));
228 memcpy(resp_anticoll
, ToSend
, ToSendMax
);
229 resp_anticoll_len
= ToSendMax
;
232 CodeIso15693AsTag(csn_data
, sizeof(csn_data
));
233 memcpy(resp_csn
, ToSend
, ToSendMax
);
234 resp_csn_len
= ToSendMax
;
236 // Configuration (block 1)
237 CodeIso15693AsTag(conf_block
, sizeof(conf_block
));
238 memcpy(resp_conf
, ToSend
, ToSendMax
);
239 resp_conf_len
= ToSendMax
;
242 CodeIso15693AsTag(card_challenge_data
, sizeof(card_challenge_data
));
243 memcpy(resp_cc
, ToSend
, ToSendMax
);
244 resp_cc_len
= ToSendMax
;
246 // Kd, Kc (blocks 3 and 4)
247 CodeIso15693AsTag(ff_data
, sizeof(ff_data
));
248 memcpy(resp_ff
, ToSend
, ToSendMax
);
249 resp_ff_len
= ToSendMax
;
251 // Application Issuer Area (block 5)
252 CodeIso15693AsTag(aia_data
, sizeof(aia_data
));
253 memcpy(resp_aia
, ToSend
, ToSendMax
);
254 resp_aia_len
= ToSendMax
;
256 //This is used for responding to READ-block commands or other data which is dynamically generated
257 uint8_t *data_generic_trace
= BigBuf_malloc(32 + 2); // 32 bytes data + 2byte CRC is max tag answer
258 uint8_t *data_response
= BigBuf_malloc( (32 + 2) * 2 + 2);
260 bool buttonPressed
= false;
261 enum { IDLE
, ACTIVATED
, SELECTED
, HALTED
} chip_state
= IDLE
;
266 uint32_t reader_eof_time
= 0;
267 len
= GetIso15693CommandFromReader(receivedCmd
, MAX_FRAME_SIZE
, &reader_eof_time
);
269 buttonPressed
= true;
273 // Now look at the reader command and provide appropriate responses
274 // default is no response:
275 modulated_response
= NULL
;
276 modulated_response_size
= 0;
280 if (receivedCmd
[0] == ICLASS_CMD_ACTALL
&& len
== 1) {
281 // Reader in anticollision phase
282 if (chip_state
!= HALTED
) {
283 modulated_response
= resp_sof
;
284 modulated_response_size
= resp_sof_Len
;
285 chip_state
= ACTIVATED
;
288 } else if (receivedCmd
[0] == ICLASS_CMD_READ_OR_IDENTIFY
&& len
== 1) { // identify
289 // Reader asks for anticollision CSN
290 if (chip_state
== SELECTED
|| chip_state
== ACTIVATED
) {
291 modulated_response
= resp_anticoll
;
292 modulated_response_size
= resp_anticoll_len
;
293 trace_data
= anticoll_data
;
294 trace_data_size
= sizeof(anticoll_data
);
297 } else if (receivedCmd
[0] == ICLASS_CMD_SELECT
&& len
== 9) {
298 // Reader selects anticollision CSN.
299 // Tag sends the corresponding real CSN
300 if (chip_state
== ACTIVATED
|| chip_state
== SELECTED
) {
301 if (!memcmp(receivedCmd
+1, anticoll_data
, 8)) {
302 modulated_response
= resp_csn
;
303 modulated_response_size
= resp_csn_len
;
304 trace_data
= csn_data
;
305 trace_data_size
= sizeof(csn_data
);
306 chip_state
= SELECTED
;
310 } else if (chip_state
== HALTED
) {
312 if (!memcmp(receivedCmd
+1, csn_data
, 8)) {
313 modulated_response
= resp_csn
;
314 modulated_response_size
= resp_csn_len
;
315 trace_data
= csn_data
;
316 trace_data_size
= sizeof(csn_data
);
317 chip_state
= SELECTED
;
321 } else if (receivedCmd
[0] == ICLASS_CMD_READ_OR_IDENTIFY
&& len
== 4) { // read block
322 uint16_t blockNo
= receivedCmd
[1];
323 if (chip_state
== SELECTED
) {
324 if (simulationMode
== ICLASS_SIM_MODE_EXIT_AFTER_MAC
) {
325 // provide defaults for blocks 0 ... 5
327 case 0: // csn (block 00)
328 modulated_response
= resp_csn
;
329 modulated_response_size
= resp_csn_len
;
330 trace_data
= csn_data
;
331 trace_data_size
= sizeof(csn_data
);
333 case 1: // configuration (block 01)
334 modulated_response
= resp_conf
;
335 modulated_response_size
= resp_conf_len
;
336 trace_data
= conf_block
;
337 trace_data_size
= sizeof(conf_block
);
339 case 2: // e-purse (block 02)
340 modulated_response
= resp_cc
;
341 modulated_response_size
= resp_cc_len
;
342 trace_data
= card_challenge_data
;
343 trace_data_size
= sizeof(card_challenge_data
);
344 // set epurse of sim2,4 attack
345 if (reader_mac_buf
!= NULL
) {
346 memcpy(reader_mac_buf
, card_challenge_data
, 8);
350 case 4: // Kd, Kc, always respond with 0xff bytes
351 modulated_response
= resp_ff
;
352 modulated_response_size
= resp_ff_len
;
353 trace_data
= ff_data
;
354 trace_data_size
= sizeof(ff_data
);
356 case 5: // Application Issuer Area (block 05)
357 modulated_response
= resp_aia
;
358 modulated_response_size
= resp_aia_len
;
359 trace_data
= aia_data
;
360 trace_data_size
= sizeof(aia_data
);
362 // default: don't respond
364 } else if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
365 if (blockNo
== 3 || blockNo
== 4) { // Kd, Kc, always respond with 0xff bytes
366 modulated_response
= resp_ff
;
367 modulated_response_size
= resp_ff_len
;
368 trace_data
= ff_data
;
369 trace_data_size
= sizeof(ff_data
);
370 } else { // use data from emulator memory
371 memcpy(data_generic_trace
, emulator
+ current_page
*page_size
+ 8*blockNo
, 8);
372 AppendCrc(data_generic_trace
, 8);
373 trace_data
= data_generic_trace
;
374 trace_data_size
= 10;
375 CodeIso15693AsTag(trace_data
, trace_data_size
);
376 memcpy(data_response
, ToSend
, ToSendMax
);
377 modulated_response
= data_response
;
378 modulated_response_size
= ToSendMax
;
383 } else if ((receivedCmd
[0] == ICLASS_CMD_READCHECK_KD
384 || receivedCmd
[0] == ICLASS_CMD_READCHECK_KC
) && receivedCmd
[1] == 0x02 && len
== 2) {
385 // Read e-purse (88 02 || 18 02)
386 if (chip_state
== SELECTED
) {
387 if(receivedCmd
[0] == ICLASS_CMD_READCHECK_KD
){
388 cipher_state
= &cipher_state_KD
[current_page
];
389 diversified_key
= diversified_key_d
;
391 cipher_state
= &cipher_state_KC
[current_page
];
392 diversified_key
= diversified_key_c
;
394 modulated_response
= resp_cc
;
395 modulated_response_size
= resp_cc_len
;
396 trace_data
= card_challenge_data
;
397 trace_data_size
= sizeof(card_challenge_data
);
400 } else if ((receivedCmd
[0] == ICLASS_CMD_CHECK_KC
401 || receivedCmd
[0] == ICLASS_CMD_CHECK_KD
) && len
== 9) {
402 // Reader random and reader MAC!!!
403 if (chip_state
== SELECTED
) {
404 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
405 //NR, from reader, is in receivedCmd+1
406 opt_doTagMAC_2(*cipher_state
, receivedCmd
+1, data_generic_trace
, diversified_key
);
407 trace_data
= data_generic_trace
;
409 CodeIso15693AsTag(trace_data
, trace_data_size
);
410 memcpy(data_response
, ToSend
, ToSendMax
);
411 modulated_response
= data_response
;
412 modulated_response_size
= ToSendMax
;
414 } else { // Not fullsim, we don't respond
415 // We do not know what to answer, so lets keep quiet
416 if (simulationMode
== ICLASS_SIM_MODE_EXIT_AFTER_MAC
) {
417 if (reader_mac_buf
!= NULL
) {
418 // save NR and MAC for sim 2,4
419 memcpy(reader_mac_buf
+ 8, receivedCmd
+ 1, 8);
426 } else if (receivedCmd
[0] == ICLASS_CMD_HALT
&& len
== 1) {
427 if (chip_state
== SELECTED
) {
428 // Reader ends the session
429 modulated_response
= resp_sof
;
430 modulated_response_size
= resp_sof_Len
;
434 } else if (simulationMode
== ICLASS_SIM_MODE_FULL
&& receivedCmd
[0] == ICLASS_CMD_READ4
&& len
== 4) { // 0x06
436 if (chip_state
== SELECTED
) {
437 uint8_t blockNo
= receivedCmd
[1];
438 memcpy(data_generic_trace
, emulator
+ current_page
*page_size
+ blockNo
*8, 8 * 4);
439 AppendCrc(data_generic_trace
, 8 * 4);
440 trace_data
= data_generic_trace
;
441 trace_data_size
= 8 * 4 + 2;
442 CodeIso15693AsTag(trace_data
, trace_data_size
);
443 memcpy(data_response
, ToSend
, ToSendMax
);
444 modulated_response
= data_response
;
445 modulated_response_size
= ToSendMax
;
448 } else if (receivedCmd
[0] == ICLASS_CMD_UPDATE
&& (len
== 12 || len
== 14)) {
449 // We're expected to respond with the data+crc, exactly what's already in the receivedCmd
450 // receivedCmd is now UPDATE 1b | ADDRESS 1b | DATA 8b | Signature 4b or CRC 2b
451 if (chip_state
== SELECTED
) {
452 uint8_t blockNo
= receivedCmd
[1];
453 if (blockNo
== 2) { // update e-purse
454 memcpy(card_challenge_data
, receivedCmd
+2, 8);
455 CodeIso15693AsTag(card_challenge_data
, sizeof(card_challenge_data
));
456 memcpy(resp_cc
, ToSend
, ToSendMax
);
457 resp_cc_len
= ToSendMax
;
458 cipher_state_KD
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_d
);
459 cipher_state_KC
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_c
);
460 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
461 memcpy(emulator
+ current_page
*page_size
+ 8*2, card_challenge_data
, 8);
463 } else if (blockNo
== 3) { // update Kd
464 for (int i
= 0; i
< 8; i
++) {
465 if (personalization_mode
) {
466 diversified_key_d
[i
] = receivedCmd
[2 + i
];
468 diversified_key_d
[i
] ^= receivedCmd
[2 + i
];
471 cipher_state_KD
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_d
);
472 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
473 memcpy(emulator
+ current_page
*page_size
+ 8*3, diversified_key_d
, 8);
475 } else if (blockNo
== 4) { // update Kc
476 for (int i
= 0; i
< 8; i
++) {
477 if (personalization_mode
) {
478 diversified_key_c
[i
] = receivedCmd
[2 + i
];
480 diversified_key_c
[i
] ^= receivedCmd
[2 + i
];
483 cipher_state_KC
[current_page
] = opt_doTagMAC_1(card_challenge_data
, diversified_key_c
);
484 if (simulationMode
== ICLASS_SIM_MODE_FULL
) {
485 memcpy(emulator
+ current_page
*page_size
+ 8*4, diversified_key_c
, 8);
487 } else if (simulationMode
== ICLASS_SIM_MODE_FULL
) { // update any other data block
488 memcpy(emulator
+ current_page
*page_size
+ 8*blockNo
, receivedCmd
+2, 8);
490 memcpy(data_generic_trace
, receivedCmd
+ 2, 8);
491 AppendCrc(data_generic_trace
, 8);
492 trace_data
= data_generic_trace
;
493 trace_data_size
= 10;
494 CodeIso15693AsTag(trace_data
, trace_data_size
);
495 memcpy(data_response
, ToSend
, ToSendMax
);
496 modulated_response
= data_response
;
497 modulated_response_size
= ToSendMax
;
500 } else if (receivedCmd
[0] == ICLASS_CMD_PAGESEL
&& len
== 4) {
502 // Chips with a single page will not answer to this command
503 // Otherwise, we should answer 8bytes (conf block 1) + 2bytes CRC
504 if (chip_state
== SELECTED
) {
505 if (simulationMode
== ICLASS_SIM_MODE_FULL
&& max_page
> 0) {
506 current_page
= receivedCmd
[1];
507 memcpy(data_generic_trace
, emulator
+ current_page
*page_size
+ 8*1, 8);
508 memcpy(diversified_key_d
, emulator
+ current_page
*page_size
+ 8*3, 8);
509 memcpy(diversified_key_c
, emulator
+ current_page
*page_size
+ 8*4, 8);
510 cipher_state
= &cipher_state_KD
[current_page
];
511 personalization_mode
= data_generic_trace
[7] & 0x80;
512 AppendCrc(data_generic_trace
, 8);
513 trace_data
= data_generic_trace
;
514 trace_data_size
= 10;
515 CodeIso15693AsTag(trace_data
, trace_data_size
);
516 memcpy(data_response
, ToSend
, ToSendMax
);
517 modulated_response
= data_response
;
518 modulated_response_size
= ToSendMax
;
522 } else if (receivedCmd
[0] == 0x26 && len
== 5) {
523 // standard ISO15693 INVENTORY command. Ignore.
526 // don't know how to handle this command
527 char debug_message
[250]; // should be enough
528 sprintf(debug_message
, "Unhandled command (len = %d) received from reader:", len
);
529 for (int i
= 0; i
< len
&& strlen(debug_message
) < sizeof(debug_message
) - 3 - 1; i
++) {
530 sprintf(debug_message
+ strlen(debug_message
), " %02x", receivedCmd
[i
]);
532 Dbprintf("%s", debug_message
);
537 A legit tag has about 273,4us delay between reader EOT and tag SOF.
539 if (modulated_response_size
> 0) {
540 uint32_t response_time
= reader_eof_time
+ DELAY_ICLASS_VCD_TO_VICC_SIM
;
541 TransmitTo15693Reader(modulated_response
, modulated_response_size
, &response_time
, 0, false);
542 LogTrace_ISO15693(trace_data
, trace_data_size
, response_time
*32, response_time
*32 + modulated_response_size
/2, NULL
, false);
549 DbpString("Button pressed");
551 return buttonPressed
;
555 * @brief SimulateIClass simulates an iClass card.
556 * @param arg0 type of simulation
557 * - 0 uses the first 8 bytes in usb data as CSN
558 * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
559 * in the usb data. This mode collects MAC from the reader, in order to do an offline
560 * attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
561 * - Other : Uses the default CSN (031fec8af7ff12e0)
562 * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
566 void SimulateIClass(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
) {
570 uint32_t simType
= arg0
;
571 uint32_t numberOfCSNS
= arg1
;
573 // setup hardware for simulation:
574 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
575 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
576 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR
| FPGA_HF_SIMULATOR_NO_MODULATION
);
578 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR
);
581 // Enable and clear the trace
584 //Use the emulator memory for SIM
585 uint8_t *emulator
= BigBuf_get_EM_addr();
587 if (simType
== ICLASS_SIM_MODE_CSN
) {
588 // Use the CSN from commandline
589 memcpy(emulator
, datain
, 8);
590 doIClassSimulation(ICLASS_SIM_MODE_CSN
, NULL
);
591 } else if (simType
== ICLASS_SIM_MODE_CSN_DEFAULT
) {
593 uint8_t csn_crc
[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
594 // Use the CSN from commandline
595 memcpy(emulator
, csn_crc
, 8);
596 doIClassSimulation(ICLASS_SIM_MODE_CSN
, NULL
);
597 } else if (simType
== ICLASS_SIM_MODE_READER_ATTACK
) {
598 uint8_t mac_responses
[USB_CMD_DATA_SIZE
] = { 0 };
599 Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS
);
600 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
601 // in order to collect MAC's from the reader. This can later be used in an offline-attack
602 // in order to obtain the keys, as in the "dismantling iclass"-paper.
604 for (i
= 0; i
< numberOfCSNS
&& i
*16+16 <= USB_CMD_DATA_SIZE
; i
++) {
605 // The usb data is 512 bytes, fitting 32 responses (8 byte CC + 4 Byte NR + 4 Byte MAC = 16 Byte response).
606 memcpy(emulator
, datain
+(i
*8), 8);
607 if (doIClassSimulation(ICLASS_SIM_MODE_EXIT_AFTER_MAC
, mac_responses
+i
*16)) {
611 Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
612 datain
[i
*8+0], datain
[i
*8+1], datain
[i
*8+2], datain
[i
*8+3],
613 datain
[i
*8+4], datain
[i
*8+5], datain
[i
*8+6], datain
[i
*8+7]);
614 Dbprintf("NR,MAC: %02x %02x %02x %02x %02x %02x %02x %02x",
615 mac_responses
[i
*16+ 8], mac_responses
[i
*16+ 9], mac_responses
[i
*16+10], mac_responses
[i
*16+11],
616 mac_responses
[i
*16+12], mac_responses
[i
*16+13], mac_responses
[i
*16+14], mac_responses
[i
*16+15]);
617 SpinDelay(100); // give the reader some time to prepare for next CSN
619 cmd_send(CMD_ACK
, CMD_SIMULATE_TAG_ICLASS
, i
, 0, mac_responses
, i
*16);
620 } else if (simType
== ICLASS_SIM_MODE_FULL
) {
621 //This is 'full sim' mode, where we use the emulator storage for data.
622 doIClassSimulation(ICLASS_SIM_MODE_FULL
, NULL
);
624 // We may want a mode here where we hardcode the csns to use (from proxclone).
625 // That will speed things up a little, but not required just yet.
626 Dbprintf("The mode is not implemented, reserved for future use");
637 static void ReaderTransmitIClass(uint8_t *frame
, int len
, uint32_t *start_time
) {
639 CodeIso15693AsReader(frame
, len
);
641 TransmitTo15693Tag(ToSend
, ToSendMax
, start_time
);
643 uint32_t end_time
= *start_time
+ 32*(8*ToSendMax
-4); // substract the 4 padding bits after EOF
644 LogTrace_ISO15693(frame
, len
, *start_time
*4, end_time
*4, NULL
, true);
648 static bool sendCmdGetResponseWithRetries(uint8_t* command
, size_t cmdsize
, uint8_t* resp
, size_t max_resp_size
,
649 uint8_t expected_size
, uint8_t tries
, uint32_t start_time
, uint32_t timeout
, uint32_t *eof_time
) {
650 while (tries
-- > 0) {
651 ReaderTransmitIClass(command
, cmdsize
, &start_time
);
652 if (expected_size
== GetIso15693AnswerFromTag(resp
, max_resp_size
, timeout
, eof_time
)) {
661 * @brief Selects an iclass tag
662 * @param card_data where the CSN is stored for return
663 * @return false = fail
666 static bool selectIclassTag(uint8_t *card_data
, uint32_t *eof_time
) {
667 uint8_t act_all
[] = { 0x0a };
668 uint8_t identify
[] = { 0x0c };
669 uint8_t select
[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
671 uint8_t resp
[ICLASS_BUFFER_SIZE
];
673 uint32_t start_time
= GetCountSspClk();
676 ReaderTransmitIClass(act_all
, 1, &start_time
);
678 if (GetIso15693AnswerFromTag(resp
, sizeof(resp
), ICLASS_READER_TIMEOUT_ACTALL
, eof_time
) < 0) return false;//Fail
681 start_time
= *eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
682 ReaderTransmitIClass(identify
, 1, &start_time
);
683 //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
684 uint8_t len
= GetIso15693AnswerFromTag(resp
, sizeof(resp
), ICLASS_READER_TIMEOUT_OTHERS
, eof_time
);
685 if (len
!= 10) return false;//Fail
687 //Copy the Anti-collision CSN to our select-packet
688 memcpy(&select
[1], resp
, 8);
690 start_time
= *eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
691 ReaderTransmitIClass(select
, sizeof(select
), &start_time
);
692 //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
693 len
= GetIso15693AnswerFromTag(resp
, sizeof(resp
), ICLASS_READER_TIMEOUT_OTHERS
, eof_time
);
694 if (len
!= 10) return false;//Fail
696 //Success - we got CSN
697 //Save CSN in response data
698 memcpy(card_data
, resp
, 8);
704 // Select an iClass tag and read all blocks which are always readable without authentication
705 void ReaderIClass(uint8_t flags
) {
709 uint8_t card_data
[6 * 8] = {0};
710 memset(card_data
, 0xFF, sizeof(card_data
));
711 uint8_t resp
[ICLASS_BUFFER_SIZE
];
712 //Read conf block CRC(0x01) => 0xfa 0x22
713 uint8_t readConf
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, 0x01, 0xfa, 0x22};
714 //Read e-purse block CRC(0x02) => 0x61 0x10
715 uint8_t readEpurse
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, 0x02, 0x61, 0x10};
716 //Read App Issuer Area block CRC(0x05) => 0xde 0x64
717 uint8_t readAA
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, 0x05, 0xde, 0x64};
719 uint8_t result_status
= 0;
721 if (flags
& FLAG_ICLASS_READER_INIT
) {
722 Iso15693InitReader();
725 if (flags
& FLAG_ICLASS_READER_CLEARTRACE
) {
731 uint32_t start_time
= 0;
732 uint32_t eof_time
= 0;
734 if (selectIclassTag(resp
, &eof_time
)) {
735 result_status
= FLAG_ICLASS_READER_CSN
;
736 memcpy(card_data
, resp
, 8);
739 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
741 //Read block 1, config
742 if (flags
& FLAG_ICLASS_READER_CONF
) {
743 if (sendCmdGetResponseWithRetries(readConf
, sizeof(readConf
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
744 result_status
|= FLAG_ICLASS_READER_CONF
;
745 memcpy(card_data
+8, resp
, 8);
747 Dbprintf("Failed to read config block");
749 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
752 //Read block 2, e-purse
753 if (flags
& FLAG_ICLASS_READER_CC
) {
754 if (sendCmdGetResponseWithRetries(readEpurse
, sizeof(readEpurse
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
755 result_status
|= FLAG_ICLASS_READER_CC
;
756 memcpy(card_data
+ (8*2), resp
, 8);
758 Dbprintf("Failed to read e-purse");
760 start_time
= eof_time
+ DELAY_ICLASS_VICC_TO_VCD_READER
;
764 if (flags
& FLAG_ICLASS_READER_AA
) {
765 if (sendCmdGetResponseWithRetries(readAA
, sizeof(readAA
), resp
, sizeof(resp
), 10, 10, start_time
, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
)) {
766 result_status
|= FLAG_ICLASS_READER_AA
;
767 memcpy(card_data
+ (8*5), resp
, 8);
769 Dbprintf("Failed to read AA block");
773 cmd_send(CMD_ACK
, result_status
, 0, 0, card_data
, sizeof(card_data
));
779 void iClass_Check(uint8_t *NRMAC
) {
780 uint8_t check
[9] = {ICLASS_CMD_CHECK_KD
, 0x00};
782 memcpy(check
+1, NRMAC
, 8);
784 bool isOK
= sendCmdGetResponseWithRetries(check
, sizeof(check
), resp
, sizeof(resp
), 4, 3, 0, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
);
785 cmd_send(CMD_ACK
, isOK
, 0, 0, resp
, sizeof(resp
));
789 void iClass_Readcheck(uint8_t block
, bool use_credit_key
) {
790 uint8_t readcheck
[2] = {ICLASS_CMD_READCHECK_KD
, block
};
791 if (use_credit_key
) {
792 readcheck
[0] = ICLASS_CMD_READCHECK_KC
;
796 bool isOK
= sendCmdGetResponseWithRetries(readcheck
, sizeof(readcheck
), resp
, sizeof(resp
), 8, 3, 0, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
);
797 cmd_send(CMD_ACK
, isOK
, 0, 0, resp
, sizeof(resp
));
801 static bool iClass_ReadBlock(uint8_t blockNo
, uint8_t *readdata
) {
802 uint8_t readcmd
[] = {ICLASS_CMD_READ_OR_IDENTIFY
, blockNo
, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
803 uint8_t bl
= blockNo
;
804 uint16_t rdCrc
= iclass_crc16(&bl
, 1);
805 readcmd
[2] = rdCrc
>> 8;
806 readcmd
[3] = rdCrc
& 0xff;
810 bool isOK
= sendCmdGetResponseWithRetries(readcmd
, sizeof(readcmd
), resp
, sizeof(resp
), 10, 10, 0, ICLASS_READER_TIMEOUT_OTHERS
, &eof_time
);
811 memcpy(readdata
, resp
, sizeof(resp
));
817 void iClass_ReadBlk(uint8_t blockno
) {
821 uint8_t readblockdata
[10];
822 bool isOK
= iClass_ReadBlock(blockno
, readblockdata
);
823 cmd_send(CMD_ACK
, isOK
, 0, 0, readblockdata
, 8);
824 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
831 void iClass_Dump(uint8_t startblock
, uint8_t numblks
) {
835 uint8_t readblockdata
[USB_CMD_DATA_SIZE
+2] = {0};
839 if (numblks
> USB_CMD_DATA_SIZE
/ 8) {
840 numblks
= USB_CMD_DATA_SIZE
/ 8;
843 for (blkCnt
= 0; blkCnt
< numblks
; blkCnt
++) {
844 isOK
= iClass_ReadBlock(startblock
+blkCnt
, readblockdata
+8*blkCnt
);
846 Dbprintf("Block %02X failed to read", startblock
+blkCnt
);
851 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
854 cmd_send(CMD_ACK
, isOK
, blkCnt
, 0, readblockdata
, blkCnt
*8);
860 static bool iClass_WriteBlock_ext(uint8_t blockNo
, uint8_t *data
) {
862 uint8_t write
[16] = {ICLASS_CMD_UPDATE
, blockNo
};
863 memcpy(write
+2, data
, 12); // data + mac
864 AppendCrc(write
+1, 13);
867 uint32_t eof_time
= 0;
869 isOK
= sendCmdGetResponseWithRetries(write
, sizeof(write
), resp
, sizeof(resp
), 10, 3, 0, ICLASS_READER_TIMEOUT_UPDATE
, &eof_time
);
874 uint8_t all_ff
[8] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
876 if (memcmp(data
+4, resp
, 4) || memcmp(data
, resp
+4, 4)) { // check response. e-purse update swaps first and second half
879 } else if (blockNo
== 3 || blockNo
== 4) {
880 if (memcmp(all_ff
, resp
, 8)) { // check response. Key updates always return 0xffffffffffffffff
884 if (memcmp(data
, resp
, 8)) { // check response. All other updates return unchanged data
893 void iClass_WriteBlock(uint8_t blockNo
, uint8_t *data
) {
897 bool isOK
= iClass_WriteBlock_ext(blockNo
, data
);
899 Dbprintf("Write block [%02x] successful", blockNo
);
901 Dbprintf("Write block [%02x] failed", blockNo
);
903 cmd_send(CMD_ACK
, isOK
, 0, 0, 0, 0);
905 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
912 void iClass_Clone(uint8_t startblock
, uint8_t endblock
, uint8_t *data
) {
917 int total_blocks
= (endblock
- startblock
) + 1;
919 for (uint8_t block
= startblock
; block
<= endblock
; block
++) {
921 if (iClass_WriteBlock_ext(block
, data
+ (block
-startblock
)*12)) {
922 Dbprintf("Write block [%02x] successful", block
);
925 Dbprintf("Write block [%02x] failed", block
);
929 if (written
== total_blocks
)
930 Dbprintf("Clone complete");
932 Dbprintf("Clone incomplete");
934 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
937 cmd_send(CMD_ACK
, 1, 0, 0, 0, 0);