1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
9 //-----------------------------------------------------------------------------
10 // Mifare Classic Card Simulation
11 //-----------------------------------------------------------------------------
13 #include "mifaresim.h"
14 #include "iso14443a.h"
15 #include "iso14443crc.h"
16 #include "crapto1/crapto1.h"
19 #include "mifareutil.h"
20 #include "fpgaloader.h"
21 #include "proxmark3.h"
24 #include "protocols.h"
27 //mifare emulator states
28 #define MFEMUL_NOFIELD 0
30 #define MFEMUL_SELECT1 2
31 #define MFEMUL_SELECT2 3
32 #define MFEMUL_SELECT3 4
33 #define MFEMUL_AUTH1 5
34 #define MFEMUL_AUTH2 6
36 #define MFEMUL_WRITEBL2 8
37 #define MFEMUL_INTREG_INC 9
38 #define MFEMUL_INTREG_DEC 10
39 #define MFEMUL_INTREG_REST 11
40 #define MFEMUL_HALTED 12
42 #define AC_DATA_READ 0
43 #define AC_DATA_WRITE 1
45 #define AC_DATA_DEC_TRANS_REST 3
46 #define AC_KEYA_READ 0
47 #define AC_KEYA_WRITE 1
48 #define AC_KEYB_READ 2
49 #define AC_KEYB_WRITE 3
55 #define AUTHKEYNONE 0xff
58 static int ParamCardSizeBlocks(const char c
) {
59 int numBlocks
= 16 * 4;
61 case '0' : numBlocks
= 5 * 4; break;
62 case '2' : numBlocks
= 32 * 4; break;
63 case '4' : numBlocks
= 32 * 4 + 8 * 16; break;
64 default: numBlocks
= 16 * 4;
69 static uint8_t BlockToSector(int block_num
) {
70 if (block_num
< 32 * 4) { // 4 blocks per sector
71 return (block_num
/ 4);
72 } else { // 16 blocks per sector
73 return 32 + (block_num
- 32 * 4) / 16;
77 static bool IsTrailerAccessAllowed(uint8_t blockNo
, uint8_t keytype
, uint8_t action
) {
78 uint8_t sector_trailer
[16];
79 emlGetMem(sector_trailer
, blockNo
, 1);
80 uint8_t AC
= ((sector_trailer
[7] >> 5) & 0x04)
81 | ((sector_trailer
[8] >> 2) & 0x02)
82 | ((sector_trailer
[8] >> 7) & 0x01);
89 return ((keytype
== AUTHKEYA
&& (AC
== 0x00 || AC
== 0x01))
90 || (keytype
== AUTHKEYB
&& (AC
== 0x04 || AC
== 0x03)));
94 return (keytype
== AUTHKEYA
&& (AC
== 0x00 || AC
== 0x02 || AC
== 0x01));
98 return ((keytype
== AUTHKEYA
&& (AC
== 0x00 || AC
== 0x04))
99 || (keytype
== AUTHKEYB
&& (AC
== 0x04 || AC
== 0x03)));
103 return ((keytype
== AUTHKEYA
)
104 || (keytype
== AUTHKEYB
&& !(AC
== 0x00 || AC
== 0x02 || AC
== 0x01)));
108 return ((keytype
== AUTHKEYA
&& (AC
== 0x01))
109 || (keytype
== AUTHKEYB
&& (AC
== 0x03 || AC
== 0x05)));
112 default: return false;
117 static bool IsDataAccessAllowed(uint8_t blockNo
, uint8_t keytype
, uint8_t action
)
119 uint8_t sector_trailer
[16];
120 emlGetMem(sector_trailer
, SectorTrailer(blockNo
), 1);
122 uint8_t sector_block
;
123 if (blockNo
< 32*4) {
124 sector_block
= blockNo
& 0x03;
126 sector_block
= (blockNo
& 0x0f) / 5;
130 switch (sector_block
) {
132 AC
= ((sector_trailer
[7] >> 2) & 0x04)
133 | ((sector_trailer
[8] << 1) & 0x02)
134 | ((sector_trailer
[8] >> 4) & 0x01);
138 AC
= ((sector_trailer
[7] >> 3) & 0x04)
139 | ((sector_trailer
[8] >> 0) & 0x02)
140 | ((sector_trailer
[8] >> 5) & 0x01);
144 AC
= ((sector_trailer
[7] >> 4) & 0x04)
145 | ((sector_trailer
[8] >> 1) & 0x02)
146 | ((sector_trailer
[8] >> 6) & 0x01);
155 return ((keytype
== AUTHKEYA
&& !(AC
== 0x03 || AC
== 0x05 || AC
== 0x07))
156 || (keytype
== AUTHKEYB
&& !(AC
== 0x07)));
159 case AC_DATA_WRITE
: {
160 return ((keytype
== AUTHKEYA
&& (AC
== 0x00))
161 || (keytype
== AUTHKEYB
&& (AC
== 0x00 || AC
== 0x04 || AC
== 0x06 || AC
== 0x03)));
165 return ((keytype
== AUTHKEYA
&& (AC
== 0x00))
166 || (keytype
== AUTHKEYB
&& (AC
== 0x00 || AC
== 0x06)));
169 case AC_DATA_DEC_TRANS_REST
: {
170 return ((keytype
== AUTHKEYA
&& (AC
== 0x00 || AC
== 0x06 || AC
== 0x01))
171 || (keytype
== AUTHKEYB
&& (AC
== 0x00 || AC
== 0x06 || AC
== 0x01)));
180 static bool IsAccessAllowed(uint8_t blockNo
, uint8_t keytype
, uint8_t action
) {
181 if (IsSectorTrailer(blockNo
)) {
182 return IsTrailerAccessAllowed(blockNo
, keytype
, action
);
184 return IsDataAccessAllowed(blockNo
, keytype
, action
);
189 static void MifareSimInit(uint8_t flags
, uint8_t *datain
, tag_response_info_t
**responses
, uint32_t *cuid
, uint8_t *uid_len
, uint8_t cardsize
) {
191 #define TAG_RESPONSE_COUNT 5 // number of precompiled responses
192 static uint8_t rATQA
[] = {0x00, 0x00};
193 static uint8_t rUIDBCC1
[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
194 static uint8_t rUIDBCC2
[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
195 static uint8_t rSAKfinal
[]= {0x00, 0x00, 0x00}; // SAK after UID complete
196 static uint8_t rSAK1
[] = {0x00, 0x00, 0x00}; // indicate UID not finished
199 // UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long
200 if (flags
& FLAG_4B_UID_IN_DATA
) { // get UID from datain
201 memcpy(rUIDBCC1
, datain
, 4);
202 } else if (flags
& FLAG_7B_UID_IN_DATA
) {
204 memcpy(rUIDBCC1
+1, datain
, 3);
205 memcpy(rUIDBCC2
, datain
+3, 4);
208 uint8_t probable_atqa
;
209 emlGetMemBt(&probable_atqa
, 7, 1); // get UID from emul memory - weak guess at length
210 if (probable_atqa
== 0x00) { // ---------- 4BUID
211 emlGetMemBt(rUIDBCC1
, 0, 4);
212 } else { // ---------- 7BUID
214 emlGetMemBt(rUIDBCC1
+1, 0, 3);
215 emlGetMemBt(rUIDBCC2
, 3, 4);
222 *cuid
= bytes_to_num(rUIDBCC1
, 4);
223 rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3];
224 if (MF_DBGLEVEL
>= MF_DBG_INFO
) {
225 Dbprintf("4B UID: %02x%02x%02x%02x",
226 rUIDBCC1
[0], rUIDBCC1
[1], rUIDBCC1
[2], rUIDBCC1
[3] );
230 *cuid
= bytes_to_num(rUIDBCC2
, 4);
231 rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3];
232 rUIDBCC2
[4] = rUIDBCC2
[0] ^ rUIDBCC2
[1] ^ rUIDBCC2
[2] ^ rUIDBCC2
[3];
233 if (MF_DBGLEVEL
>= MF_DBG_INFO
) {
234 Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
235 rUIDBCC1
[1], rUIDBCC1
[2], rUIDBCC1
[3], rUIDBCC2
[0], rUIDBCC2
[1], rUIDBCC2
[2], rUIDBCC2
[3] );
242 // set SAK based on cardsize
244 case '0': rSAKfinal
[0] = 0x09; break; // Mifare Mini
245 case '2': rSAKfinal
[0] = 0x10; break; // Mifare 2K
246 case '4': rSAKfinal
[0] = 0x18; break; // Mifare 4K
247 default: rSAKfinal
[0] = 0x08; // Mifare 1K
249 ComputeCrc14443(CRC_14443_A
, rSAKfinal
, 1, rSAKfinal
+ 1, rSAKfinal
+ 2);
250 if (MF_DBGLEVEL
>= MF_DBG_INFO
) {
251 Dbprintf("SAK: %02x", rSAKfinal
[0]);
254 // set SAK for incomplete UID
255 rSAK1
[0] = 0x04; // Bit 3 indicates incomplete UID
256 ComputeCrc14443(CRC_14443_A
, rSAK1
, 1, rSAK1
+ 1, rSAK1
+ 2);
258 // set ATQA based on cardsize and UIDlen
259 if (cardsize
== '4') {
267 if (MF_DBGLEVEL
>= MF_DBG_INFO
) {
268 Dbprintf("ATQA: %02x %02x", rATQA
[1], rATQA
[0]);
271 static tag_response_info_t responses_init
[TAG_RESPONSE_COUNT
] = {
272 { .response
= rATQA
, .response_n
= sizeof(rATQA
) }, // Answer to request - respond with card type
273 { .response
= rUIDBCC1
, .response_n
= sizeof(rUIDBCC1
) }, // Anticollision cascade1 - respond with first part of uid
274 { .response
= rUIDBCC2
, .response_n
= sizeof(rUIDBCC2
) }, // Anticollision cascade2 - respond with 2nd part of uid
275 { .response
= rSAKfinal
, .response_n
= sizeof(rSAKfinal
) }, // Acknowledge select - last cascade
276 { .response
= rSAK1
, .response_n
= sizeof(rSAK1
) } // Acknowledge select - previous cascades
279 // Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT
280 // There are 5 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
281 // 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits -> need 177 bytes buffer
282 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177 // number of bytes required for precompiled responses
284 uint8_t *free_buffer_pointer
= BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE
);
285 size_t free_buffer_size
= ALLOCATED_TAG_MODULATION_BUFFER_SIZE
;
286 for (size_t i
= 0; i
< TAG_RESPONSE_COUNT
; i
++) {
287 prepare_allocated_tag_modulation(&responses_init
[i
], &free_buffer_pointer
, &free_buffer_size
);
290 *responses
= responses_init
;
292 // indices into responses array:
302 static bool HasValidCRC(uint8_t *receivedCmd
, uint16_t receivedCmd_len
) {
303 uint8_t CRC_byte_1
, CRC_byte_2
;
304 ComputeCrc14443(CRC_14443_A
, receivedCmd
, receivedCmd_len
-2, &CRC_byte_1
, &CRC_byte_2
);
305 return (receivedCmd
[receivedCmd_len
-2] == CRC_byte_1
&& receivedCmd
[receivedCmd_len
-1] == CRC_byte_2
);
313 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
314 * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
315 * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
316 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
317 * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
318 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
319 * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
321 void MifareSim(uint8_t flags
, uint8_t exitAfterNReads
, uint8_t cardsize
, uint8_t *datain
)
325 tag_response_info_t
*responses
;
328 uint8_t cardWRBL
= 0;
329 uint8_t cardAUTHSC
= 0;
330 uint8_t cardAUTHKEY
= AUTHKEYNONE
; // no authentication
332 //uint32_t rn_enc = 0;
334 uint32_t cardINTREG
= 0;
335 uint8_t cardINTBLOCK
= 0;
336 struct Crypto1State mpcs
= {0, 0};
337 struct Crypto1State
*pcs
= &mpcs
;
338 uint32_t numReads
= 0; //Counts numer of times reader reads a block
339 uint8_t receivedCmd
[MAX_MIFARE_FRAME_SIZE
];
340 uint8_t receivedCmd_dec
[MAX_MIFARE_FRAME_SIZE
];
341 uint8_t receivedCmd_par
[MAX_MIFARE_PARITY_SIZE
];
342 uint16_t receivedCmd_len
;
343 uint8_t response
[MAX_MIFARE_FRAME_SIZE
];
344 uint8_t response_par
[MAX_MIFARE_PARITY_SIZE
];
345 uint8_t fixed_nonce
[] = {0x01, 0x02, 0x03, 0x04};
347 int num_blocks
= ParamCardSizeBlocks(cardsize
);
349 // Here we collect UID, sector, keytype, NT, AR, NR, NT2, AR2, NR2
350 // This will be used in the reader-only attack.
352 // allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
353 #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
354 nonces_t ar_nr_resp
[ATTACK_KEY_COUNT
*2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
355 memset(ar_nr_resp
, 0x00, sizeof(ar_nr_resp
));
357 uint8_t ar_nr_collected
[ATTACK_KEY_COUNT
*2]; // *2 for 2nd attack type (moebius)
358 memset(ar_nr_collected
, 0x00, sizeof(ar_nr_collected
));
359 uint8_t nonce1_count
= 0;
360 uint8_t nonce2_count
= 0;
361 uint8_t moebius_n_count
= 0;
362 bool gettingMoebius
= false;
363 uint8_t mM
= 0; // moebius_modifier for collection storage
365 // Authenticate response - nonce
367 if (flags
& FLAG_RANDOM_NONCE
) {
370 nonce
= bytes_to_num(fixed_nonce
, 4);
373 // free eventually allocated BigBuf memory but keep Emulator Memory
374 BigBuf_free_keep_EM();
376 MifareSimInit(flags
, datain
, &responses
, &cuid
, &uid_len
, cardsize
);
378 // We need to listen to the high-frequency, peak-detected path.
379 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
386 bool finished
= false;
387 bool button_pushed
= BUTTON_PRESS();
388 int cardSTATE
= MFEMUL_NOFIELD
;
390 while (!button_pushed
&& !finished
&& !usb_poll_validate_length()) {
393 if (cardSTATE
== MFEMUL_NOFIELD
) {
394 // wait for reader HF field
395 int vHf
= (MAX_ADC_HF_VOLTAGE_LOW
* AvgAdc(ADC_CHAN_HF_LOW
)) >> 10;
396 if (vHf
> MF_MINFIELDV
) {
398 cardSTATE
= MFEMUL_IDLE
;
400 button_pushed
= BUTTON_PRESS();
406 int res
= EmGetCmd(receivedCmd
, &receivedCmd_len
, receivedCmd_par
);
408 if (res
== 2) { // Reader has dropped the HF field. Power off.
409 FpgaDisableTracing();
411 cardSTATE
= MFEMUL_NOFIELD
;
413 } else if (res
== 1) { // button pressed
414 FpgaDisableTracing();
415 button_pushed
= true;
419 // WUPA in HALTED state or REQA or WUPA in any other state
420 if (receivedCmd_len
== 1 && ((receivedCmd
[0] == ISO14443A_CMD_REQA
&& cardSTATE
!= MFEMUL_HALTED
) || receivedCmd
[0] == ISO14443A_CMD_WUPA
)) {
421 EmSendPrecompiledCmd(&responses
[ATQA
]);
422 FpgaDisableTracing();
425 crypto1_destroy(pcs
);
426 cardAUTHKEY
= AUTHKEYNONE
;
427 if (flags
& FLAG_RANDOM_NONCE
) {
430 cardSTATE
= MFEMUL_SELECT1
;
441 case MFEMUL_SELECT1
:{
442 // select all - 0x93 0x20
443 if (receivedCmd_len
== 2 && (receivedCmd
[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT
&& receivedCmd
[1] == 0x20)) {
444 EmSendPrecompiledCmd(&responses
[UIDBCC1
]);
445 FpgaDisableTracing();
446 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("SELECT ALL CL1 received");
449 // select card - 0x93 0x70 ...
450 if (receivedCmd_len
== 9 &&
451 (receivedCmd
[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT
&& receivedCmd
[1] == 0x70 && memcmp(&receivedCmd
[2], responses
[UIDBCC1
].response
, 4) == 0)) {
453 EmSendPrecompiledCmd(&responses
[SAKfinal
]);
454 cardSTATE
= MFEMUL_WORK
;
455 } else if (uid_len
== 7) {
456 EmSendPrecompiledCmd(&responses
[SAK1
]);
457 cardSTATE
= MFEMUL_SELECT2
;
459 FpgaDisableTracing();
460 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd
[2],receivedCmd
[3],receivedCmd
[4],receivedCmd
[5]);
463 cardSTATE
= MFEMUL_IDLE
;
467 case MFEMUL_SELECT2
:{
468 // select all cl2 - 0x95 0x20
469 if (receivedCmd_len
== 2 && (receivedCmd
[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2
&& receivedCmd
[1] == 0x20)) {
470 EmSendPrecompiledCmd(&responses
[UIDBCC2
]);
471 FpgaDisableTracing();
472 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("SELECT ALL CL2 received");
475 // select cl2 card - 0x95 0x70 xxxxxxxxxxxx
476 if (receivedCmd_len
== 9 &&
477 (receivedCmd
[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2
&& receivedCmd
[1] == 0x70 && memcmp(&receivedCmd
[2], responses
[UIDBCC2
].response
, 4) == 0)) {
479 EmSendPrecompiledCmd(&responses
[SAKfinal
]);
480 FpgaDisableTracing();
481 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd
[2],receivedCmd
[3],receivedCmd
[4],receivedCmd
[5]);
482 cardSTATE
= MFEMUL_WORK
;
486 cardSTATE
= MFEMUL_IDLE
;
491 if (receivedCmd_len
!= 4) { // all commands must have exactly 4 bytes
494 bool encrypted_data
= (cardAUTHKEY
!= AUTHKEYNONE
) ;
495 if (encrypted_data
) {
497 mf_crypto1_decryptEx(pcs
, receivedCmd
, receivedCmd_len
, receivedCmd_dec
);
499 memcpy(receivedCmd_dec
, receivedCmd
, receivedCmd_len
);
501 if (!HasValidCRC(receivedCmd_dec
, receivedCmd_len
)) { // all commands must have a valid CRC
502 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_TR
));
506 if (receivedCmd_dec
[0] == MIFARE_AUTH_KEYA
|| receivedCmd_dec
[0] == MIFARE_AUTH_KEYB
) {
507 // if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
508 if (receivedCmd_dec
[1] >= num_blocks
&& !(flags
& FLAG_NR_AR_ATTACK
)) {
509 //is this the correct response to an auth on a out of range block? marshmellow
510 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
511 FpgaDisableTracing();
512 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking", receivedCmd_dec
[0], receivedCmd_dec
[1], receivedCmd_dec
[1]);
515 cardAUTHSC
= BlockToSector(receivedCmd_dec
[1]); // received block num
516 cardAUTHKEY
= receivedCmd_dec
[0] & 0x01;
517 crypto1_destroy(pcs
);//Added by martin
518 crypto1_create(pcs
, emlGetKey(cardAUTHSC
, cardAUTHKEY
));
519 if (!encrypted_data
) { // first authentication
520 crypto1_word(pcs
, cuid
^ nonce
, 0); // Update crypto state
521 num_to_bytes(nonce
, 4, response
); // Send unencrypted nonce
522 EmSendCmd(response
, sizeof(nonce
));
523 FpgaDisableTracing();
524 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d", receivedCmd_dec
[1], receivedCmd_dec
[1], cardAUTHKEY
);
525 } else { // nested authentication
526 num_to_bytes(nonce
, sizeof(nonce
), response
);
527 uint8_t pcs_in
[4] = {0};
528 num_to_bytes(cuid
^ nonce
, sizeof(nonce
), pcs_in
);
529 mf_crypto1_encryptEx(pcs
, response
, pcs_in
, sizeof(nonce
), response_par
);
530 EmSendCmdPar(response
, sizeof(nonce
), response_par
); // send encrypted nonce
531 FpgaDisableTracing();
532 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec
[1], receivedCmd_dec
[1], cardAUTHKEY
);
534 cardSTATE
= MFEMUL_AUTH1
;
538 // halt can be sent encrypted or in clear
539 if (receivedCmd_dec
[0] == ISO14443A_CMD_HALT
&& receivedCmd_dec
[1] == 0x00) {
540 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("--> HALTED.");
541 cardSTATE
= MFEMUL_HALTED
;
545 if(receivedCmd_dec
[0] == ISO14443A_CMD_READBLOCK
546 || receivedCmd_dec
[0] == ISO14443A_CMD_WRITEBLOCK
547 || receivedCmd_dec
[0] == MIFARE_CMD_INC
548 || receivedCmd_dec
[0] == MIFARE_CMD_DEC
549 || receivedCmd_dec
[0] == MIFARE_CMD_RESTORE
550 || receivedCmd_dec
[0] == MIFARE_CMD_TRANSFER
) {
551 if (receivedCmd_dec
[1] >= num_blocks
) {
552 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
553 FpgaDisableTracing();
554 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec
[0],receivedCmd_dec
[1],receivedCmd_dec
[1]);
557 if (BlockToSector(receivedCmd_dec
[1]) != cardAUTHSC
) {
558 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
559 FpgaDisableTracing();
560 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec
[0],receivedCmd_dec
[1],cardAUTHSC
);
565 if (receivedCmd_dec
[0] == ISO14443A_CMD_READBLOCK
) {
566 uint8_t blockNo
= receivedCmd_dec
[1];
567 emlGetMem(response
, blockNo
, 1);
568 if (IsSectorTrailer(blockNo
)) {
569 memset(response
, 0x00, 6); // keyA can never be read
570 if (!IsAccessAllowed(blockNo
, cardAUTHKEY
, AC_KEYB_READ
)) {
571 memset(response
+10, 0x00, 6); // keyB cannot be read
573 if (!IsAccessAllowed(blockNo
, cardAUTHKEY
, AC_AC_READ
)) {
574 memset(response
+6, 0x00, 4); // AC bits cannot be read
577 if (!IsAccessAllowed(blockNo
, cardAUTHKEY
, AC_DATA_READ
)) {
578 memset(response
, 0x00, 16); // datablock cannot be read
581 AppendCrc14443a(response
, 16);
582 mf_crypto1_encrypt(pcs
, response
, 18, response_par
);
583 EmSendCmdPar(response
, 18, response_par
);
584 FpgaDisableTracing();
585 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) {
586 Dbprintf("Reader reading block %d (0x%02x)", blockNo
, blockNo
);
589 if(exitAfterNReads
> 0 && numReads
== exitAfterNReads
) {
590 Dbprintf("%d reads done, exiting", numReads
);
596 if (receivedCmd_dec
[0] == ISO14443A_CMD_WRITEBLOCK
) {
597 uint8_t blockNo
= receivedCmd_dec
[1];
598 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
599 FpgaDisableTracing();
600 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("RECV 0xA0 write block %d (%02x)", blockNo
, blockNo
);
602 cardSTATE
= MFEMUL_WRITEBL2
;
606 if (receivedCmd_dec
[0] == MIFARE_CMD_INC
|| receivedCmd_dec
[0] == MIFARE_CMD_DEC
|| receivedCmd_dec
[0] == MIFARE_CMD_RESTORE
) {
607 uint8_t blockNo
= receivedCmd_dec
[1];
608 if (emlCheckValBl(blockNo
)) {
609 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
610 FpgaDisableTracing();
611 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) {
612 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec
[0], blockNo
, blockNo
);
614 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
617 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
618 FpgaDisableTracing();
619 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) {
620 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec
[0], blockNo
, blockNo
);
623 if (receivedCmd_dec
[0] == MIFARE_CMD_INC
)
624 cardSTATE
= MFEMUL_INTREG_INC
;
625 if (receivedCmd_dec
[0] == MIFARE_CMD_DEC
)
626 cardSTATE
= MFEMUL_INTREG_DEC
;
627 if (receivedCmd_dec
[0] == MIFARE_CMD_RESTORE
)
628 cardSTATE
= MFEMUL_INTREG_REST
;
632 if (receivedCmd_dec
[0] == MIFARE_CMD_TRANSFER
) {
633 uint8_t blockNo
= receivedCmd_dec
[1];
634 if (emlSetValBl(cardINTREG
, cardINTBLOCK
, receivedCmd_dec
[1]))
635 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
637 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
638 FpgaDisableTracing();
639 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec
[0], blockNo
, blockNo
);
643 // command not allowed
644 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
645 FpgaDisableTracing();
646 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Received command not allowed, nacking");
647 cardSTATE
= MFEMUL_IDLE
;
652 if (receivedCmd_len
!= 8) {
653 cardSTATE
= MFEMUL_IDLE
;
657 uint32_t nr
= bytes_to_num(receivedCmd
, 4);
658 uint32_t ar
= bytes_to_num(&receivedCmd
[4], 4);
660 // Collect AR/NR per keytype & sector
661 if(flags
& FLAG_NR_AR_ATTACK
) {
662 for (uint8_t i
= 0; i
< ATTACK_KEY_COUNT
; i
++) {
663 if ( ar_nr_collected
[i
+mM
]==0 || ((cardAUTHSC
== ar_nr_resp
[i
+mM
].sector
) && (cardAUTHKEY
== ar_nr_resp
[i
+mM
].keytype
) && (ar_nr_collected
[i
+mM
] > 0)) ) {
664 // if first auth for sector, or matches sector and keytype of previous auth
665 if (ar_nr_collected
[i
+mM
] < 2) {
666 // if we haven't already collected 2 nonces for this sector
667 if (ar_nr_resp
[ar_nr_collected
[i
+mM
]].ar
!= ar
) {
668 // Avoid duplicates... probably not necessary, ar should vary.
669 if (ar_nr_collected
[i
+mM
]==0) {
670 // first nonce collect
671 ar_nr_resp
[i
+mM
].cuid
= cuid
;
672 ar_nr_resp
[i
+mM
].sector
= cardAUTHSC
;
673 ar_nr_resp
[i
+mM
].keytype
= cardAUTHKEY
;
674 ar_nr_resp
[i
+mM
].nonce
= nonce
;
675 ar_nr_resp
[i
+mM
].nr
= nr
;
676 ar_nr_resp
[i
+mM
].ar
= ar
;
678 // add this nonce to first moebius nonce
679 ar_nr_resp
[i
+ATTACK_KEY_COUNT
].cuid
= cuid
;
680 ar_nr_resp
[i
+ATTACK_KEY_COUNT
].sector
= cardAUTHSC
;
681 ar_nr_resp
[i
+ATTACK_KEY_COUNT
].keytype
= cardAUTHKEY
;
682 ar_nr_resp
[i
+ATTACK_KEY_COUNT
].nonce
= nonce
;
683 ar_nr_resp
[i
+ATTACK_KEY_COUNT
].nr
= nr
;
684 ar_nr_resp
[i
+ATTACK_KEY_COUNT
].ar
= ar
;
685 ar_nr_collected
[i
+ATTACK_KEY_COUNT
]++;
686 } else { // second nonce collect (std and moebius)
687 ar_nr_resp
[i
+mM
].nonce2
= nonce
;
688 ar_nr_resp
[i
+mM
].nr2
= nr
;
689 ar_nr_resp
[i
+mM
].ar2
= ar
;
690 if (!gettingMoebius
) {
692 // check if this was the last second nonce we need for std attack
693 if ( nonce2_count
== nonce1_count
) {
694 // done collecting std test switch to moebius
695 // first finish incrementing last sample
696 ar_nr_collected
[i
+mM
]++;
697 // switch to moebius collection
698 gettingMoebius
= true;
699 mM
= ATTACK_KEY_COUNT
;
700 if (flags
& FLAG_RANDOM_NONCE
) {
709 // if we've collected all the nonces we need - finish.
710 if (nonce1_count
== moebius_n_count
) finished
= true;
713 ar_nr_collected
[i
+mM
]++;
716 // we found right spot for this nonce stop looking
723 crypto1_word(pcs
, nr
, 1);
724 cardRr
= ar
^ crypto1_word(pcs
, 0, 0);
727 if (cardRr
!= prng_successor(nonce
, 64)){
728 FpgaDisableTracing();
729 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
730 cardAUTHSC
, cardAUTHKEY
== AUTHKEYA
? 'A' : 'B',
731 cardRr
, prng_successor(nonce
, 64));
732 // Shouldn't we respond anything here?
733 // Right now, we don't nack or anything, which causes the
734 // reader to do a WUPA after a while. /Martin
735 // -- which is the correct response. /piwi
736 cardAUTHKEY
= AUTHKEYNONE
; // not authenticated
737 cardSTATE
= MFEMUL_IDLE
;
740 ans
= prng_successor(nonce
, 96);
741 num_to_bytes(ans
, 4, response
);
742 mf_crypto1_encrypt(pcs
, response
, 4, response_par
);
743 EmSendCmdPar(response
, 4, response_par
);
744 FpgaDisableTracing();
745 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC
, cardAUTHKEY
== AUTHKEYA
? 'A' : 'B');
746 cardSTATE
= MFEMUL_WORK
;
750 case MFEMUL_WRITEBL2
:{
751 if (receivedCmd_len
== 18) {
752 mf_crypto1_decryptEx(pcs
, receivedCmd
, receivedCmd_len
, receivedCmd_dec
);
753 if (HasValidCRC(receivedCmd_dec
, receivedCmd_len
)) {
754 if (IsSectorTrailer(cardWRBL
)) {
755 emlGetMem(response
, cardWRBL
, 1);
756 if (!IsAccessAllowed(cardWRBL
, cardAUTHKEY
, AC_KEYA_WRITE
)) {
757 memcpy(receivedCmd_dec
, response
, 6); // don't change KeyA
759 if (!IsAccessAllowed(cardWRBL
, cardAUTHKEY
, AC_KEYB_WRITE
)) {
760 memcpy(receivedCmd_dec
+10, response
+10, 6); // don't change KeyA
762 if (!IsAccessAllowed(cardWRBL
, cardAUTHKEY
, AC_AC_WRITE
)) {
763 memcpy(receivedCmd_dec
+6, response
+6, 4); // don't change AC bits
766 if (!IsAccessAllowed(cardWRBL
, cardAUTHKEY
, AC_DATA_WRITE
)) {
767 memcpy(receivedCmd_dec
, response
, 16); // don't change anything
770 emlSetMem(receivedCmd_dec
, cardWRBL
, 1);
771 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
)); // always ACK?
772 cardSTATE
= MFEMUL_WORK
;
776 cardSTATE
= MFEMUL_IDLE
;
780 case MFEMUL_INTREG_INC
:{
781 if (receivedCmd_len
== 6) {
782 mf_crypto1_decryptEx(pcs
, receivedCmd
, receivedCmd_len
, (uint8_t*)&ans
);
783 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) {
784 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
785 cardSTATE
= MFEMUL_IDLE
;
788 cardINTREG
= cardINTREG
+ ans
;
789 cardSTATE
= MFEMUL_WORK
;
794 case MFEMUL_INTREG_DEC
:{
795 if (receivedCmd_len
== 6) {
796 mf_crypto1_decryptEx(pcs
, receivedCmd
, receivedCmd_len
, (uint8_t*)&ans
);
797 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) {
798 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
799 cardSTATE
= MFEMUL_IDLE
;
802 cardINTREG
= cardINTREG
- ans
;
803 cardSTATE
= MFEMUL_WORK
;
808 case MFEMUL_INTREG_REST
:{
809 mf_crypto1_decryptEx(pcs
, receivedCmd
, receivedCmd_len
, (uint8_t*)&ans
);
810 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) {
811 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
812 cardSTATE
= MFEMUL_IDLE
;
815 cardSTATE
= MFEMUL_WORK
;
821 FpgaDisableTracing();
822 button_pushed
= BUTTON_PRESS();
826 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
829 if(flags
& FLAG_NR_AR_ATTACK
&& MF_DBGLEVEL
>= MF_DBG_INFO
) {
830 for ( uint8_t i
= 0; i
< ATTACK_KEY_COUNT
; i
++) {
831 if (ar_nr_collected
[i
] == 2) {
832 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i
<ATTACK_KEY_COUNT
/2) ? "keyA" : "keyB", ar_nr_resp
[i
].sector
);
833 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
834 ar_nr_resp
[i
].cuid
, //UID
835 ar_nr_resp
[i
].nonce
, //NT
836 ar_nr_resp
[i
].nr
, //NR1
837 ar_nr_resp
[i
].ar
, //AR1
838 ar_nr_resp
[i
].nr2
, //NR2
839 ar_nr_resp
[i
].ar2
//AR2
843 for ( uint8_t i
= ATTACK_KEY_COUNT
; i
< ATTACK_KEY_COUNT
*2; i
++) {
844 if (ar_nr_collected
[i
] == 2) {
845 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i
<ATTACK_KEY_COUNT
/2) ? "keyA" : "keyB", ar_nr_resp
[i
].sector
);
846 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x %08x",
847 ar_nr_resp
[i
].cuid
, //UID
848 ar_nr_resp
[i
].nonce
, //NT
849 ar_nr_resp
[i
].nr
, //NR1
850 ar_nr_resp
[i
].ar
, //AR1
851 ar_nr_resp
[i
].nonce2
,//NT2
852 ar_nr_resp
[i
].nr2
, //NR2
853 ar_nr_resp
[i
].ar2
//AR2
858 if (MF_DBGLEVEL
>= MF_DBG_INFO
) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
860 if(flags
& FLAG_INTERACTIVE
) { // Interactive mode flag, means we need to send ACK
861 //Send the collected ar_nr in the response
862 cmd_send(CMD_ACK
, CMD_SIMULATE_MIFARE_CARD
, button_pushed
, 0, &ar_nr_resp
, sizeof(ar_nr_resp
));