]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaresim.c
Implement Originality Signature Check in 'hf mfu info'
[proxmark3-svn] / armsrc / mifaresim.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Mifare Classic Card Simulation
11 //-----------------------------------------------------------------------------
12
13 #include "mifaresim.h"
14 #include "iso14443a.h"
15 #include "iso14443crc.h"
16 #include "crapto1/crapto1.h"
17 #include "BigBuf.h"
18 #include "string.h"
19 #include "mifareutil.h"
20 #include "fpgaloader.h"
21 #include "proxmark3.h"
22 #include "usb_cdc.h"
23 #include "cmd.h"
24 #include "protocols.h"
25 #include "apps.h"
26
27 //mifare emulator states
28 #define MFEMUL_NOFIELD 0
29 #define MFEMUL_IDLE 1
30 #define MFEMUL_SELECT1 2
31 #define MFEMUL_SELECT2 3
32 #define MFEMUL_SELECT3 4
33 #define MFEMUL_AUTH1 5
34 #define MFEMUL_AUTH2 6
35 #define MFEMUL_WORK 7
36 #define MFEMUL_WRITEBL2 8
37 #define MFEMUL_INTREG_INC 9
38 #define MFEMUL_INTREG_DEC 10
39 #define MFEMUL_INTREG_REST 11
40 #define MFEMUL_HALTED 12
41
42 #define AC_DATA_READ 0
43 #define AC_DATA_WRITE 1
44 #define AC_DATA_INC 2
45 #define AC_DATA_DEC_TRANS_REST 3
46 #define AC_KEYA_READ 0
47 #define AC_KEYA_WRITE 1
48 #define AC_KEYB_READ 2
49 #define AC_KEYB_WRITE 3
50 #define AC_AC_READ 4
51 #define AC_AC_WRITE 5
52
53 #define AUTHKEYA 0
54 #define AUTHKEYB 1
55 #define AUTHKEYNONE 0xff
56
57
58 static int ParamCardSizeBlocks(const char c) {
59 int numBlocks = 16 * 4;
60 switch (c) {
61 case '0' : numBlocks = 5 * 4; break;
62 case '2' : numBlocks = 32 * 4; break;
63 case '4' : numBlocks = 32 * 4 + 8 * 16; break;
64 default: numBlocks = 16 * 4;
65 }
66 return numBlocks;
67 }
68
69 static uint8_t BlockToSector(int block_num) {
70 if (block_num < 32 * 4) { // 4 blocks per sector
71 return (block_num / 4);
72 } else { // 16 blocks per sector
73 return 32 + (block_num - 32 * 4) / 16;
74 }
75 }
76
77 static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
78 uint8_t sector_trailer[16];
79 emlGetMem(sector_trailer, blockNo, 1);
80 uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
81 | ((sector_trailer[8] >> 2) & 0x02)
82 | ((sector_trailer[8] >> 7) & 0x01);
83 switch (action) {
84 case AC_KEYA_READ: {
85 return false;
86 break;
87 }
88 case AC_KEYA_WRITE: {
89 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
90 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
91 break;
92 }
93 case AC_KEYB_READ: {
94 return (keytype == AUTHKEYA && (AC == 0x00 || AC == 0x02 || AC == 0x01));
95 break;
96 }
97 case AC_KEYB_WRITE: {
98 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x04))
99 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
100 break;
101 }
102 case AC_AC_READ: {
103 return ((keytype == AUTHKEYA)
104 || (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
105 break;
106 }
107 case AC_AC_WRITE: {
108 return ((keytype == AUTHKEYA && (AC == 0x01))
109 || (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
110 break;
111 }
112 default: return false;
113 }
114 }
115
116
117 static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action)
118 {
119 uint8_t sector_trailer[16];
120 emlGetMem(sector_trailer, SectorTrailer(blockNo), 1);
121
122 uint8_t sector_block;
123 if (blockNo < 32*4) {
124 sector_block = blockNo & 0x03;
125 } else {
126 sector_block = (blockNo & 0x0f) / 5;
127 }
128
129 uint8_t AC;
130 switch (sector_block) {
131 case 0x00: {
132 AC = ((sector_trailer[7] >> 2) & 0x04)
133 | ((sector_trailer[8] << 1) & 0x02)
134 | ((sector_trailer[8] >> 4) & 0x01);
135 break;
136 }
137 case 0x01: {
138 AC = ((sector_trailer[7] >> 3) & 0x04)
139 | ((sector_trailer[8] >> 0) & 0x02)
140 | ((sector_trailer[8] >> 5) & 0x01);
141 break;
142 }
143 case 0x02: {
144 AC = ((sector_trailer[7] >> 4) & 0x04)
145 | ((sector_trailer[8] >> 1) & 0x02)
146 | ((sector_trailer[8] >> 6) & 0x01);
147 break;
148 }
149 default:
150 return false;
151 }
152
153 switch (action) {
154 case AC_DATA_READ: {
155 return ((keytype == AUTHKEYA && !(AC == 0x03 || AC == 0x05 || AC == 0x07))
156 || (keytype == AUTHKEYB && !(AC == 0x07)));
157 break;
158 }
159 case AC_DATA_WRITE: {
160 return ((keytype == AUTHKEYA && (AC == 0x00))
161 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
162 break;
163 }
164 case AC_DATA_INC: {
165 return ((keytype == AUTHKEYA && (AC == 0x00))
166 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
167 break;
168 }
169 case AC_DATA_DEC_TRANS_REST: {
170 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x06 || AC == 0x01))
171 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
172 break;
173 }
174 }
175
176 return false;
177 }
178
179
180 static bool IsAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
181 if (IsSectorTrailer(blockNo)) {
182 return IsTrailerAccessAllowed(blockNo, keytype, action);
183 } else {
184 return IsDataAccessAllowed(blockNo, keytype, action);
185 }
186 }
187
188
189 static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t cardsize) {
190
191 #define TAG_RESPONSE_COUNT 5 // number of precompiled responses
192 static uint8_t rATQA[] = {0x00, 0x00};
193 static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
194 static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
195 static uint8_t rSAKfinal[]= {0x00, 0x00, 0x00}; // SAK after UID complete
196 static uint8_t rSAK1[] = {0x00, 0x00, 0x00}; // indicate UID not finished
197
198 *uid_len = 4;
199 // UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long
200 if (flags & FLAG_4B_UID_IN_DATA) { // get UID from datain
201 memcpy(rUIDBCC1, datain, 4);
202 } else if (flags & FLAG_7B_UID_IN_DATA) {
203 rUIDBCC1[0] = 0x88;
204 memcpy(rUIDBCC1+1, datain, 3);
205 memcpy(rUIDBCC2, datain+3, 4);
206 *uid_len = 7;
207 } else {
208 uint8_t probable_atqa;
209 emlGetMemBt(&probable_atqa, 7, 1); // get UID from emul memory - weak guess at length
210 if (probable_atqa == 0x00) { // ---------- 4BUID
211 emlGetMemBt(rUIDBCC1, 0, 4);
212 } else { // ---------- 7BUID
213 rUIDBCC1[0] = 0x88;
214 emlGetMemBt(rUIDBCC1+1, 0, 3);
215 emlGetMemBt(rUIDBCC2, 3, 4);
216 *uid_len = 7;
217 }
218 }
219
220 switch (*uid_len) {
221 case 4:
222 *cuid = bytes_to_num(rUIDBCC1, 4);
223 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
224 if (MF_DBGLEVEL >= MF_DBG_INFO) {
225 Dbprintf("4B UID: %02x%02x%02x%02x",
226 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3] );
227 }
228 break;
229 case 7:
230 *cuid = bytes_to_num(rUIDBCC2, 4);
231 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
232 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
233 if (MF_DBGLEVEL >= MF_DBG_INFO) {
234 Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
235 rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3] );
236 }
237 break;
238 default:
239 break;
240 }
241
242 // set SAK based on cardsize
243 switch (cardsize) {
244 case '0': rSAKfinal[0] = 0x09; break; // Mifare Mini
245 case '2': rSAKfinal[0] = 0x10; break; // Mifare 2K
246 case '4': rSAKfinal[0] = 0x18; break; // Mifare 4K
247 default: rSAKfinal[0] = 0x08; // Mifare 1K
248 }
249 ComputeCrc14443(CRC_14443_A, rSAKfinal, 1, rSAKfinal + 1, rSAKfinal + 2);
250 if (MF_DBGLEVEL >= MF_DBG_INFO) {
251 Dbprintf("SAK: %02x", rSAKfinal[0]);
252 }
253
254 // set SAK for incomplete UID
255 rSAK1[0] = 0x04; // Bit 3 indicates incomplete UID
256 ComputeCrc14443(CRC_14443_A, rSAK1, 1, rSAK1 + 1, rSAK1 + 2);
257
258 // set ATQA based on cardsize and UIDlen
259 if (cardsize == '4') {
260 rATQA[0] = 0x02;
261 } else {
262 rATQA[0] = 0x04;
263 }
264 if (*uid_len == 7) {
265 rATQA[0] |= 0x40;
266 }
267 if (MF_DBGLEVEL >= MF_DBG_INFO) {
268 Dbprintf("ATQA: %02x %02x", rATQA[1], rATQA[0]);
269 }
270
271 static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
272 { .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type
273 { .response = rUIDBCC1, .response_n = sizeof(rUIDBCC1) }, // Anticollision cascade1 - respond with first part of uid
274 { .response = rUIDBCC2, .response_n = sizeof(rUIDBCC2) }, // Anticollision cascade2 - respond with 2nd part of uid
275 { .response = rSAKfinal, .response_n = sizeof(rSAKfinal) }, // Acknowledge select - last cascade
276 { .response = rSAK1, .response_n = sizeof(rSAK1) } // Acknowledge select - previous cascades
277 };
278
279 // Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT
280 // There are 5 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
281 // 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits -> need 177 bytes buffer
282 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177 // number of bytes required for precompiled responses
283
284 uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
285 size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
286 for (size_t i = 0; i < TAG_RESPONSE_COUNT; i++) {
287 prepare_allocated_tag_modulation(&responses_init[i], &free_buffer_pointer, &free_buffer_size);
288 }
289
290 *responses = responses_init;
291
292 // indices into responses array:
293 #define ATQA 0
294 #define UIDBCC1 1
295 #define UIDBCC2 2
296 #define SAKfinal 3
297 #define SAK1 4
298
299 }
300
301
302 static bool HasValidCRC(uint8_t *receivedCmd, uint16_t receivedCmd_len) {
303 uint8_t CRC_byte_1, CRC_byte_2;
304 ComputeCrc14443(CRC_14443_A, receivedCmd, receivedCmd_len-2, &CRC_byte_1, &CRC_byte_2);
305 return (receivedCmd[receivedCmd_len-2] == CRC_byte_1 && receivedCmd[receivedCmd_len-1] == CRC_byte_2);
306 }
307
308
309 /**
310 *MIFARE simulate.
311 *
312 *@param flags :
313 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
314 * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
315 * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
316 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
317 * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
318 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
319 * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
320 */
321 void MifareSim(uint8_t flags, uint8_t exitAfterNReads, uint8_t cardsize, uint8_t *datain)
322 {
323 LED_A_ON();
324
325 tag_response_info_t *responses;
326 uint8_t uid_len = 4;
327 uint32_t cuid = 0;
328 uint8_t cardWRBL = 0;
329 uint8_t cardAUTHSC = 0;
330 uint8_t cardAUTHKEY = AUTHKEYNONE; // no authentication
331 uint32_t cardRr = 0;
332 //uint32_t rn_enc = 0;
333 uint32_t ans = 0;
334 uint32_t cardINTREG = 0;
335 uint8_t cardINTBLOCK = 0;
336 struct Crypto1State mpcs = {0, 0};
337 struct Crypto1State *pcs = &mpcs;
338 uint32_t numReads = 0; //Counts numer of times reader reads a block
339 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
340 uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE];
341 uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
342 uint16_t receivedCmd_len;
343 uint8_t response[MAX_MIFARE_FRAME_SIZE];
344 uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
345 uint8_t fixed_nonce[] = {0x01, 0x02, 0x03, 0x04};
346
347 int num_blocks = ParamCardSizeBlocks(cardsize);
348
349 // Here we collect UID, sector, keytype, NT, AR, NR, NT2, AR2, NR2
350 // This will be used in the reader-only attack.
351
352 // allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
353 #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
354 nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
355 memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
356
357 uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // *2 for 2nd attack type (moebius)
358 memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
359 uint8_t nonce1_count = 0;
360 uint8_t nonce2_count = 0;
361 uint8_t moebius_n_count = 0;
362 bool gettingMoebius = false;
363 uint8_t mM = 0; // moebius_modifier for collection storage
364
365 // Authenticate response - nonce
366 uint32_t nonce;
367 if (flags & FLAG_RANDOM_NONCE) {
368 nonce = prand();
369 } else {
370 nonce = bytes_to_num(fixed_nonce, 4);
371 }
372
373 // free eventually allocated BigBuf memory but keep Emulator Memory
374 BigBuf_free_keep_EM();
375
376 MifareSimInit(flags, datain, &responses, &cuid, &uid_len, cardsize);
377
378 // We need to listen to the high-frequency, peak-detected path.
379 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
380
381 // clear trace
382 clear_trace();
383 set_tracing(true);
384 ResetSspClk();
385
386 bool finished = false;
387 bool button_pushed = BUTTON_PRESS();
388 int cardSTATE = MFEMUL_NOFIELD;
389
390 while (!button_pushed && !finished && !usb_poll_validate_length()) {
391 WDT_HIT();
392
393 if (cardSTATE == MFEMUL_NOFIELD) {
394 // wait for reader HF field
395 int vHf = (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
396 if (vHf > MF_MINFIELDV) {
397 LED_D_ON();
398 cardSTATE = MFEMUL_IDLE;
399 }
400 button_pushed = BUTTON_PRESS();
401 continue;
402 }
403
404 //Now, get data
405 FpgaEnableTracing();
406 int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);
407
408 if (res == 2) { // Reader has dropped the HF field. Power off.
409 FpgaDisableTracing();
410 LED_D_OFF();
411 cardSTATE = MFEMUL_NOFIELD;
412 continue;
413 } else if (res == 1) { // button pressed
414 FpgaDisableTracing();
415 button_pushed = true;
416 break;
417 }
418
419 // WUPA in HALTED state or REQA or WUPA in any other state
420 if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
421 EmSendPrecompiledCmd(&responses[ATQA]);
422 FpgaDisableTracing();
423
424 // init crypto block
425 crypto1_destroy(pcs);
426 cardAUTHKEY = AUTHKEYNONE;
427 if (flags & FLAG_RANDOM_NONCE) {
428 nonce = prand();
429 }
430 cardSTATE = MFEMUL_SELECT1;
431 continue;
432 }
433
434 switch (cardSTATE) {
435 case MFEMUL_NOFIELD:
436 case MFEMUL_HALTED:
437 case MFEMUL_IDLE:{
438 break;
439 }
440
441 case MFEMUL_SELECT1:{
442 // select all - 0x93 0x20
443 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
444 EmSendPrecompiledCmd(&responses[UIDBCC1]);
445 FpgaDisableTracing();
446 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT ALL CL1 received");
447 break;
448 }
449 // select card - 0x93 0x70 ...
450 if (receivedCmd_len == 9 &&
451 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC1].response, 4) == 0)) {
452 if (uid_len == 4) {
453 EmSendPrecompiledCmd(&responses[SAKfinal]);
454 cardSTATE = MFEMUL_WORK;
455 } else if (uid_len == 7) {
456 EmSendPrecompiledCmd(&responses[SAK1]);
457 cardSTATE = MFEMUL_SELECT2;
458 }
459 FpgaDisableTracing();
460 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
461 break;
462 }
463 cardSTATE = MFEMUL_IDLE;
464 break;
465 }
466
467 case MFEMUL_SELECT2:{
468 // select all cl2 - 0x95 0x20
469 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
470 EmSendPrecompiledCmd(&responses[UIDBCC2]);
471 FpgaDisableTracing();
472 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT ALL CL2 received");
473 break;
474 }
475 // select cl2 card - 0x95 0x70 xxxxxxxxxxxx
476 if (receivedCmd_len == 9 &&
477 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC2].response, 4) == 0)) {
478 if (uid_len == 7) {
479 EmSendPrecompiledCmd(&responses[SAKfinal]);
480 FpgaDisableTracing();
481 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
482 cardSTATE = MFEMUL_WORK;
483 break;
484 }
485 }
486 cardSTATE = MFEMUL_IDLE;
487 break;
488 }
489
490 case MFEMUL_WORK:{
491 if (receivedCmd_len != 4) { // all commands must have exactly 4 bytes
492 break;
493 }
494 bool encrypted_data = (cardAUTHKEY != AUTHKEYNONE) ;
495 if (encrypted_data) {
496 // decrypt seqence
497 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
498 } else {
499 memcpy(receivedCmd_dec, receivedCmd, receivedCmd_len);
500 }
501 if (!HasValidCRC(receivedCmd_dec, receivedCmd_len)) { // all commands must have a valid CRC
502 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_TR));
503 break;
504 }
505
506 if (receivedCmd_dec[0] == MIFARE_AUTH_KEYA || receivedCmd_dec[0] == MIFARE_AUTH_KEYB) {
507 // if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
508 if (receivedCmd_dec[1] >= num_blocks && !(flags & FLAG_NR_AR_ATTACK)) {
509 //is this the correct response to an auth on a out of range block? marshmellow
510 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
511 FpgaDisableTracing();
512 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking", receivedCmd_dec[0], receivedCmd_dec[1], receivedCmd_dec[1]);
513 break;
514 }
515 cardAUTHSC = BlockToSector(receivedCmd_dec[1]); // received block num
516 cardAUTHKEY = receivedCmd_dec[0] & 0x01;
517 crypto1_destroy(pcs);//Added by martin
518 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
519 if (!encrypted_data) { // first authentication
520 crypto1_word(pcs, cuid ^ nonce, 0); // Update crypto state
521 num_to_bytes(nonce, 4, response); // Send unencrypted nonce
522 EmSendCmd(response, sizeof(nonce));
523 FpgaDisableTracing();
524 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
525 } else { // nested authentication
526 num_to_bytes(nonce, sizeof(nonce), response);
527 uint8_t pcs_in[4] = {0};
528 num_to_bytes(cuid ^ nonce, sizeof(nonce), pcs_in);
529 mf_crypto1_encryptEx(pcs, response, pcs_in, sizeof(nonce), response_par);
530 EmSendCmdPar(response, sizeof(nonce), response_par); // send encrypted nonce
531 FpgaDisableTracing();
532 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
533 }
534 cardSTATE = MFEMUL_AUTH1;
535 break;
536 }
537
538 // halt can be sent encrypted or in clear
539 if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) {
540 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("--> HALTED.");
541 cardSTATE = MFEMUL_HALTED;
542 break;
543 }
544
545 if(receivedCmd_dec[0] == MIFARE_CMD_READBLOCK
546 || receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK
547 || receivedCmd_dec[0] == MIFARE_CMD_INC
548 || receivedCmd_dec[0] == MIFARE_CMD_DEC
549 || receivedCmd_dec[0] == MIFARE_CMD_RESTORE
550 || receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
551 if (receivedCmd_dec[1] >= num_blocks) {
552 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
553 FpgaDisableTracing();
554 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
555 break;
556 }
557 if (BlockToSector(receivedCmd_dec[1]) != cardAUTHSC) {
558 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
559 FpgaDisableTracing();
560 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC);
561 break;
562 }
563 }
564
565 if (receivedCmd_dec[0] == MIFARE_CMD_READBLOCK) {
566 uint8_t blockNo = receivedCmd_dec[1];
567 emlGetMem(response, blockNo, 1);
568 if (IsSectorTrailer(blockNo)) {
569 memset(response, 0x00, 6); // keyA can never be read
570 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_KEYB_READ)) {
571 memset(response+10, 0x00, 6); // keyB cannot be read
572 }
573 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_AC_READ)) {
574 memset(response+6, 0x00, 4); // AC bits cannot be read
575 }
576 } else {
577 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_DATA_READ)) {
578 memset(response, 0x00, 16); // datablock cannot be read
579 }
580 }
581 AppendCrc14443a(response, 16);
582 mf_crypto1_encrypt(pcs, response, 18, response_par);
583 EmSendCmdPar(response, 18, response_par);
584 FpgaDisableTracing();
585 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
586 Dbprintf("Reader reading block %d (0x%02x)", blockNo, blockNo);
587 }
588 numReads++;
589 if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
590 Dbprintf("%d reads done, exiting", numReads);
591 finished = true;
592 }
593 break;
594 }
595
596 if (receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK) {
597 uint8_t blockNo = receivedCmd_dec[1];
598 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
599 FpgaDisableTracing();
600 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0xA0 write block %d (%02x)", blockNo, blockNo);
601 cardWRBL = blockNo;
602 cardSTATE = MFEMUL_WRITEBL2;
603 break;
604 }
605
606 if (receivedCmd_dec[0] == MIFARE_CMD_INC || receivedCmd_dec[0] == MIFARE_CMD_DEC || receivedCmd_dec[0] == MIFARE_CMD_RESTORE) {
607 uint8_t blockNo = receivedCmd_dec[1];
608 if (emlCheckValBl(blockNo)) {
609 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
610 FpgaDisableTracing();
611 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
612 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
613 }
614 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
615 break;
616 }
617 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
618 FpgaDisableTracing();
619 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
620 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
621 }
622 cardWRBL = blockNo;
623 if (receivedCmd_dec[0] == MIFARE_CMD_INC)
624 cardSTATE = MFEMUL_INTREG_INC;
625 if (receivedCmd_dec[0] == MIFARE_CMD_DEC)
626 cardSTATE = MFEMUL_INTREG_DEC;
627 if (receivedCmd_dec[0] == MIFARE_CMD_RESTORE)
628 cardSTATE = MFEMUL_INTREG_REST;
629 break;
630 }
631
632 if (receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
633 uint8_t blockNo = receivedCmd_dec[1];
634 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd_dec[1]))
635 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
636 else
637 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
638 FpgaDisableTracing();
639 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
640 break;
641 }
642
643 // command not allowed
644 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
645 FpgaDisableTracing();
646 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Received command not allowed, nacking");
647 cardSTATE = MFEMUL_IDLE;
648 break;
649 }
650
651 case MFEMUL_AUTH1:{
652 if (receivedCmd_len != 8) {
653 cardSTATE = MFEMUL_IDLE;
654 break;
655 }
656
657 uint32_t nr = bytes_to_num(receivedCmd, 4);
658 uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
659
660 // Collect AR/NR per keytype & sector
661 if(flags & FLAG_NR_AR_ATTACK) {
662 for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
663 if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
664 // if first auth for sector, or matches sector and keytype of previous auth
665 if (ar_nr_collected[i+mM] < 2) {
666 // if we haven't already collected 2 nonces for this sector
667 if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
668 // Avoid duplicates... probably not necessary, ar should vary.
669 if (ar_nr_collected[i+mM]==0) {
670 // first nonce collect
671 ar_nr_resp[i+mM].cuid = cuid;
672 ar_nr_resp[i+mM].sector = cardAUTHSC;
673 ar_nr_resp[i+mM].keytype = cardAUTHKEY;
674 ar_nr_resp[i+mM].nonce = nonce;
675 ar_nr_resp[i+mM].nr = nr;
676 ar_nr_resp[i+mM].ar = ar;
677 nonce1_count++;
678 // add this nonce to first moebius nonce
679 ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
680 ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
681 ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
682 ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
683 ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
684 ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
685 ar_nr_collected[i+ATTACK_KEY_COUNT]++;
686 } else { // second nonce collect (std and moebius)
687 ar_nr_resp[i+mM].nonce2 = nonce;
688 ar_nr_resp[i+mM].nr2 = nr;
689 ar_nr_resp[i+mM].ar2 = ar;
690 if (!gettingMoebius) {
691 nonce2_count++;
692 // check if this was the last second nonce we need for std attack
693 if ( nonce2_count == nonce1_count ) {
694 // done collecting std test switch to moebius
695 // first finish incrementing last sample
696 ar_nr_collected[i+mM]++;
697 // switch to moebius collection
698 gettingMoebius = true;
699 mM = ATTACK_KEY_COUNT;
700 if (flags & FLAG_RANDOM_NONCE) {
701 nonce = prand();
702 } else {
703 nonce = nonce*7;
704 }
705 break;
706 }
707 } else {
708 moebius_n_count++;
709 // if we've collected all the nonces we need - finish.
710 if (nonce1_count == moebius_n_count) finished = true;
711 }
712 }
713 ar_nr_collected[i+mM]++;
714 }
715 }
716 // we found right spot for this nonce stop looking
717 break;
718 }
719 }
720 }
721
722 // --- crypto
723 crypto1_word(pcs, nr , 1);
724 cardRr = ar ^ crypto1_word(pcs, 0, 0);
725
726 // test if auth OK
727 if (cardRr != prng_successor(nonce, 64)){
728 FpgaDisableTracing();
729 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
730 cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B',
731 cardRr, prng_successor(nonce, 64));
732 // Shouldn't we respond anything here?
733 // Right now, we don't nack or anything, which causes the
734 // reader to do a WUPA after a while. /Martin
735 // -- which is the correct response. /piwi
736 cardAUTHKEY = AUTHKEYNONE; // not authenticated
737 cardSTATE = MFEMUL_IDLE;
738 break;
739 }
740 ans = prng_successor(nonce, 96);
741 num_to_bytes(ans, 4, response);
742 mf_crypto1_encrypt(pcs, response, 4, response_par);
743 EmSendCmdPar(response, 4, response_par);
744 FpgaDisableTracing();
745 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B');
746 cardSTATE = MFEMUL_WORK;
747 break;
748 }
749
750 case MFEMUL_WRITEBL2:{
751 if (receivedCmd_len == 18) {
752 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
753 if (HasValidCRC(receivedCmd_dec, receivedCmd_len)) {
754 if (IsSectorTrailer(cardWRBL)) {
755 emlGetMem(response, cardWRBL, 1);
756 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE)) {
757 memcpy(receivedCmd_dec, response, 6); // don't change KeyA
758 }
759 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE)) {
760 memcpy(receivedCmd_dec+10, response+10, 6); // don't change KeyA
761 }
762 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE)) {
763 memcpy(receivedCmd_dec+6, response+6, 4); // don't change AC bits
764 }
765 } else {
766 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE)) {
767 memcpy(receivedCmd_dec, response, 16); // don't change anything
768 }
769 }
770 emlSetMem(receivedCmd_dec, cardWRBL, 1);
771 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); // always ACK?
772 cardSTATE = MFEMUL_WORK;
773 break;
774 }
775 }
776 cardSTATE = MFEMUL_IDLE;
777 break;
778 }
779
780 case MFEMUL_INTREG_INC:{
781 if (receivedCmd_len == 6) {
782 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
783 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
784 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
785 cardSTATE = MFEMUL_IDLE;
786 break;
787 }
788 cardINTREG = cardINTREG + ans;
789 cardSTATE = MFEMUL_WORK;
790 }
791 break;
792 }
793
794 case MFEMUL_INTREG_DEC:{
795 if (receivedCmd_len == 6) {
796 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
797 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
798 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
799 cardSTATE = MFEMUL_IDLE;
800 break;
801 }
802 cardINTREG = cardINTREG - ans;
803 cardSTATE = MFEMUL_WORK;
804 }
805 break;
806 }
807
808 case MFEMUL_INTREG_REST:{
809 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
810 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
811 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
812 cardSTATE = MFEMUL_IDLE;
813 break;
814 }
815 cardSTATE = MFEMUL_WORK;
816 break;
817 }
818
819 } // end of switch
820
821 FpgaDisableTracing();
822 button_pushed = BUTTON_PRESS();
823
824 } // end of while
825
826 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
827 LEDsoff();
828
829 if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= MF_DBG_INFO) {
830 for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
831 if (ar_nr_collected[i] == 2) {
832 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
833 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
834 ar_nr_resp[i].cuid, //UID
835 ar_nr_resp[i].nonce, //NT
836 ar_nr_resp[i].nr, //NR1
837 ar_nr_resp[i].ar, //AR1
838 ar_nr_resp[i].nr2, //NR2
839 ar_nr_resp[i].ar2 //AR2
840 );
841 }
842 }
843 for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
844 if (ar_nr_collected[i] == 2) {
845 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
846 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x %08x",
847 ar_nr_resp[i].cuid, //UID
848 ar_nr_resp[i].nonce, //NT
849 ar_nr_resp[i].nr, //NR1
850 ar_nr_resp[i].ar, //AR1
851 ar_nr_resp[i].nonce2,//NT2
852 ar_nr_resp[i].nr2, //NR2
853 ar_nr_resp[i].ar2 //AR2
854 );
855 }
856 }
857 }
858 if (MF_DBGLEVEL >= MF_DBG_INFO) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
859
860 if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK
861 //Send the collected ar_nr in the response
862 cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, button_pushed, 0, &ar_nr_resp, sizeof(ar_nr_resp));
863 }
864
865 LED_A_OFF();
866 }
Impressum, Datenschutz