]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfhitag.c
47a85a1afcab361c025eb71a92906655c33d8205
[proxmark3-svn] / client / cmdlfhitag.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2012 Roel Verdult
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency Hitag support
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 #include "data.h"
15 #include "proxmark3.h"
16 #include "ui.h"
17 #include "cmdparser.h"
18 #include "common.h"
19 #include "util.h"
20 #include "hitag2.h"
21 #include "hitagS.h"
22 #include "cmdmain.h"
23
24 static int CmdHelp(const char *Cmd);
25
26 size_t nbytes(size_t nbits) {
27 return (nbits/8)+((nbits%8)>0);
28 }
29
30 int CmdLFHitagList(const char *Cmd)
31 {
32 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
33
34 // Query for the actual size of the trace
35 UsbCommand response;
36 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0);
37 WaitForResponse(CMD_ACK, &response);
38 uint16_t traceLen = response.arg[2];
39 if (traceLen > USB_CMD_DATA_SIZE) {
40 uint8_t *p = realloc(got, traceLen);
41 if (p == NULL) {
42 PrintAndLog("Cannot allocate memory for trace");
43 free(got);
44 return 2;
45 }
46 got = p;
47 GetFromBigBuf(got, traceLen, 0);
48 WaitForResponse(CMD_ACK,NULL);
49 }
50
51 PrintAndLog("recorded activity (TraceLen = %d bytes):");
52 PrintAndLog(" ETU :nbits: who bytes");
53 PrintAndLog("---------+-----+----+-----------");
54
55 int i = 0;
56 int prev = -1;
57 int len = strlen(Cmd);
58
59 char filename[FILE_PATH_SIZE] = { 0x00 };
60 FILE* pf = NULL;
61
62 if (len > FILE_PATH_SIZE)
63 len = FILE_PATH_SIZE;
64 memcpy(filename, Cmd, len);
65
66 if (strlen(filename) > 0) {
67 if ((pf = fopen(filename,"wb")) == NULL) {
68 PrintAndLog("Error: Could not open file [%s]",filename);
69 return 1;
70 }
71 }
72
73 for (;;) {
74
75 if(i > traceLen) { break; }
76
77 bool isResponse;
78 int timestamp = *((uint32_t *)(got+i));
79 if (timestamp & 0x80000000) {
80 timestamp &= 0x7fffffff;
81 isResponse = 1;
82 } else {
83 isResponse = 0;
84 }
85
86 int parityBits = *((uint32_t *)(got+i+4));
87 // 4 bytes of additional information...
88 // maximum of 32 additional parity bit information
89 //
90 // TODO:
91 // at each quarter bit period we can send power level (16 levels)
92 // or each half bit period in 256 levels.
93
94 int bits = got[i+8];
95 int len = nbytes(got[i+8]);
96
97 if (len > 100) {
98 break;
99 }
100 if (i + len > traceLen) { break;}
101
102 uint8_t *frame = (got+i+9);
103
104 // Break and stick with current result if buffer was not completely full
105 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
106
107 char line[1000] = "";
108 int j;
109 for (j = 0; j < len; j++) {
110 int oddparity = 0x01;
111 int k;
112
113 for (k=0;k<8;k++) {
114 oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01);
115 }
116
117 //if((parityBits >> (len - j - 1)) & 0x01) {
118 if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
119 sprintf(line+(j*4), "%02x! ", frame[j]);
120 }
121 else {
122 sprintf(line+(j*4), "%02x ", frame[j]);
123 }
124 }
125
126 PrintAndLog(" +%7d: %3d: %s %s",
127 (prev < 0 ? 0 : (timestamp - prev)),
128 bits,
129 (isResponse ? "TAG" : " "),
130 line);
131
132 if (pf) {
133 fprintf(pf," +%7d: %3d: %s %s\n",
134 (prev < 0 ? 0 : (timestamp - prev)),
135 bits,
136 (isResponse ? "TAG" : " "),
137 line);
138 }
139
140 prev = timestamp;
141 i += (len + 9);
142 }
143
144 if (pf) {
145 fclose(pf);
146 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
147 }
148
149 free(got);
150 return 0;
151 }
152
153 int CmdLFHitagSnoop(const char *Cmd) {
154 UsbCommand c = {CMD_SNOOP_HITAG};
155 SendCommand(&c);
156 return 0;
157 }
158
159 int CmdLFHitagSim(const char *Cmd) {
160
161 UsbCommand c = {CMD_SIMULATE_HITAG};
162 char filename[FILE_PATH_SIZE] = { 0x00 };
163 FILE* pf;
164 bool tag_mem_supplied;
165 int len = strlen(Cmd);
166 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
167 memcpy(filename, Cmd, len);
168
169 if (strlen(filename) > 0) {
170 if ((pf = fopen(filename,"rb+")) == NULL) {
171 PrintAndLog("Error: Could not open file [%s]",filename);
172 return 1;
173 }
174 tag_mem_supplied = true;
175 if (fread(c.d.asBytes,48,1,pf) == 0) {
176 PrintAndLog("Error: File reading error");
177 fclose(pf);
178 return 1;
179 }
180 fclose(pf);
181 } else {
182 tag_mem_supplied = false;
183 }
184
185 // Does the tag comes with memory
186 c.arg[0] = (uint32_t)tag_mem_supplied;
187
188 SendCommand(&c);
189 return 0;
190 }
191
192 int CmdLFHitagReader(const char *Cmd) {
193 UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
194 hitag_data* htd = (hitag_data*)c.d.asBytes;
195 hitag_function htf = param_get32ex(Cmd,0,0,10);
196
197 switch (htf) {
198 case 01: { //RHTSF_CHALLENGE
199 c = (UsbCommand){ CMD_READ_HITAG_S };
200 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
201 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
202 } break;
203 case 02: { //RHTSF_KEY
204 c = (UsbCommand){ CMD_READ_HITAG_S };
205 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
206 } break;
207 case RHT2F_PASSWORD: {
208 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password);
209 } break;
210 case RHT2F_AUTHENTICATE: {
211 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
212 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
213 } break;
214 case RHT2F_CRYPTO: {
215 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
216 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
217 } break;
218 case RHT2F_TEST_AUTH_ATTEMPTS: {
219 // No additional parameters needed
220 } break;
221 case RHT2F_UID_ONLY: {
222 // No additional parameters needed
223 } break;
224 default: {
225 PrintAndLog("\nError: unkown reader function %d",htf);
226 PrintAndLog("");
227 PrintAndLog("Usage: hitag reader <Reader Function #>");
228 PrintAndLog("Reader Functions:");
229 PrintAndLog(" HitagS (0*)");
230 PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag");
231 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag");
232 PrintAndLog(" Hitag1 (1*)");
233 PrintAndLog(" Hitag2 (2*)");
234 PrintAndLog(" 21 <password> (password mode)");
235 PrintAndLog(" 22 <nr> <ar> (authentication)");
236 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
237 PrintAndLog(" 25 (test recorded authentications)");
238 PrintAndLog(" 26 just read UID");
239 return 1;
240 } break;
241 }
242
243 // Copy the hitag2 function into the first argument
244 c.arg[0] = htf;
245
246 // Send the command to the proxmark
247 SendCommand(&c);
248
249 UsbCommand resp;
250 WaitForResponse(CMD_ACK,&resp);
251
252 // Check the return status, stored in the first argument
253 if (resp.arg[0] == false) return 1;
254
255 uint32_t id = bytes_to_num(resp.d.asBytes,4);
256
257 if (htf == RHT2F_UID_ONLY){
258 PrintAndLog("Valid Hitag2 tag found - UID: %08x",id);
259 } else {
260 char filename[256];
261 FILE* pf = NULL;
262
263 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
264 if ((pf = fopen(filename,"wb")) == NULL) {
265 PrintAndLog("Error: Could not open file [%s]",filename);
266 return 1;
267 }
268
269 // Write the 48 tag memory bytes to file and finalize
270 fwrite(resp.d.asBytes,1,48,pf);
271 fclose(pf);
272
273 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
274 }
275
276
277 return 0;
278 }
279
280
281 int CmdLFHitagSimS(const char *Cmd) {
282 UsbCommand c = { CMD_SIMULATE_HITAG_S };
283 char filename[FILE_PATH_SIZE] = { 0x00 };
284 FILE* pf;
285 bool tag_mem_supplied;
286 int len = strlen(Cmd);
287 if (len > FILE_PATH_SIZE)
288 len = FILE_PATH_SIZE;
289 memcpy(filename, Cmd, len);
290
291 if (strlen(filename) > 0) {
292 if ((pf = fopen(filename, "rb+")) == NULL) {
293 PrintAndLog("Error: Could not open file [%s]", filename);
294 return 1;
295 }
296 tag_mem_supplied = true;
297 if (fread(c.d.asBytes, 4*64, 1, pf) == 0) {
298 PrintAndLog("Error: File reading error");
299 fclose(pf);
300 return 1;
301 }
302 fclose(pf);
303 } else {
304 tag_mem_supplied = false;
305 }
306
307 // Does the tag comes with memory
308 c.arg[0] = (uint32_t) tag_mem_supplied;
309
310 SendCommand(&c);
311 return 0;
312 }
313
314 int CmdLFHitagCheckChallenges(const char *Cmd) {
315 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
316 char filename[FILE_PATH_SIZE] = { 0x00 };
317 FILE* pf;
318 bool file_given;
319 int len = strlen(Cmd);
320 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
321 memcpy(filename, Cmd, len);
322
323 if (strlen(filename) > 0) {
324 if ((pf = fopen(filename,"rb+")) == NULL) {
325 PrintAndLog("Error: Could not open file [%s]",filename);
326 return 1;
327 }
328 file_given = true;
329 if (fread(c.d.asBytes,8*60,1,pf) == 0) {
330 PrintAndLog("Error: File reading error");
331 fclose(pf);
332 return 1;
333 }
334 fclose(pf);
335 } else {
336 file_given = false;
337 }
338
339 //file with all the challenges to try
340 c.arg[0] = (uint32_t)file_given;
341
342 SendCommand(&c);
343 return 0;
344 }
345
346
347 int CmdLFHitagWP(const char *Cmd) {
348 UsbCommand c = { CMD_WR_HITAG_S };
349 hitag_data* htd = (hitag_data*)c.d.asBytes;
350 hitag_function htf = param_get32ex(Cmd,0,0,10);
351 switch (htf) {
352 case 03: { //WHTSF_CHALLENGE
353 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
354 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
355 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
356 } break;
357 case 04: { //WHTSF_KEY
358 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
359 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
360 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
361
362 } break;
363 default: {
364 PrintAndLog("Error: unkown writer function %d",htf);
365 PrintAndLog("Hitag writer functions");
366 PrintAndLog(" HitagS (0*)");
367 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
368 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
369 PrintAndLog(" Hitag1 (1*)");
370 PrintAndLog(" Hitag2 (2*)");
371 return 1;
372 } break;
373 }
374 // Copy the hitag function into the first argument
375 c.arg[0] = htf;
376
377 // Send the command to the proxmark
378 SendCommand(&c);
379
380 UsbCommand resp;
381 WaitForResponse(CMD_ACK,&resp);
382
383 // Check the return status, stored in the first argument
384 if (resp.arg[0] == false) return 1;
385 return 0;
386 }
387
388
389 static command_t CommandTable[] =
390 {
391 {"help", CmdHelp, 1, "This help"},
392 {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"},
393 {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"},
394 {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"},
395 {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"},
396 {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" },
397 {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" },
398 {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> test all challenges" }, {
399 NULL,NULL, 0, NULL }
400 };
401
402 int CmdLFHitag(const char *Cmd)
403 {
404 CmdsParse(CommandTable, Cmd);
405 return 0;
406 }
407
408 int CmdHelp(const char *Cmd)
409 {
410 CmdsHelp(CommandTable);
411 return 0;
412 }
Impressum, Datenschutz