]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaresniff.c
FIX: mental note to self, don't forget to adjust messages to new logic
[proxmark3-svn] / armsrc / mifaresniff.c
1 //-----------------------------------------------------------------------------
2 // Merlok - 2012
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support mifare classic sniffer.
9 //-----------------------------------------------------------------------------
10
11 #include "mifaresniff.h"
12 #include "apps.h"
13
14 static int sniffState = SNF_INIT;
15 static uint8_t sniffUIDType = 0;
16 static uint8_t sniffUID[10] = {0,0,0,0,0,0,0,0,0,0};
17 static uint8_t sniffATQA[2] = {0,0};
18 static uint8_t sniffSAK = 0;
19 static uint8_t sniffBuf[17];
20 static uint32_t timerData = 0;
21
22 void MfSniffInit(void){
23 memset(sniffUID, 0x00, sizeof(sniffUID));
24 memset(sniffATQA, 0x00, sizeof(sniffATQA));
25 memset(sniffBuf, 0x00, sizeof(sniffBuf));
26 sniffSAK = 0;
27 sniffUIDType = SNF_UID_4;
28 }
29
30 void MfSniffEnd(void){
31 LED_B_ON();
32 cmd_send(CMD_ACK,0,0,0,0,0);
33 LED_B_OFF();
34 }
35
36 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {
37
38 // reset on 7-Bit commands from reader
39 if (reader && (len == 1) && (bitCnt == 7)) {
40 sniffState = SNF_INIT;
41 }
42
43 switch (sniffState) {
44 case SNF_INIT:{
45 // REQA or WUPA from reader
46 if ((len == 1) && (reader) && (bitCnt == 7) ) {
47 MfSniffInit();
48 sniffState = SNF_WUPREQ;
49 }
50 break;
51 }
52 case SNF_WUPREQ:{
53 // ATQA from tag
54 if ((!reader) && (len == 2)) {
55 sniffATQA[0] = data[0];
56 sniffATQA[1] = data[1];
57 sniffState = SNF_ATQA;
58 }
59 break;
60 }
61 case SNF_ATQA:{
62 // Select ALL from reader
63 if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20))
64 sniffState = SNF_ANTICOL1;
65 break;
66 }
67 case SNF_ANTICOL1:{
68 // UID from tag (CL1)
69 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {
70 memcpy(sniffUID, data, 4);
71 sniffState = SNF_UID1;
72 }
73 break;
74 }
75 case SNF_UID1:{
76 // Select 4 Byte UID from reader
77 if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))
78 sniffState = SNF_SAK;
79 break;
80 }
81 case SNF_SAK:{
82 if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
83 sniffSAK = data[0];
84 if (sniffUID[0] == 0x88) // CL2/3 UID part to be expected
85 sniffState = (sniffState == SNF_ANTICOL2 ) ? SNF_ANTICOL3 : SNF_ANTICOL2;
86 else // select completed
87 sniffState = SNF_CARD_IDLE;
88 }
89 break;
90 }
91 case SNF_ANTICOL2:{
92 // CL2 UID
93 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {
94 sniffUID[0] = sniffUID[1];
95 sniffUID[1] = sniffUID[2];
96 sniffUID[2] = sniffUID[3];
97 memcpy(sniffUID+3, data, 4);
98 sniffUIDType = SNF_UID_7;
99 sniffState = SNF_UID2;
100 }
101 break;
102 }
103 case SNF_UID2:{
104 // Select 2nd part of 7 Byte UID
105 if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))
106 sniffState = SNF_SAK;
107 break;
108 }
109 case SNF_ANTICOL3:{
110 // CL3 UID
111 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {
112 // 3+3+4 = 10.
113 sniffUID[3] = sniffUID[4];
114 sniffUID[4] = sniffUID[5];
115 sniffUID[5] = sniffUID[6];
116 memcpy(sniffUID+6, data, 4);
117 sniffUIDType = SNF_UID_10;
118 sniffState = SNF_UID3;
119 }
120 break;
121 }
122 case SNF_UID3:{
123 // Select 3nd part of 10 Byte UID
124 if ((reader) && (len == 9) && (data[0] == 0x97) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9)))
125 sniffState = SNF_SAK;
126 break;
127 }
128 case SNF_CARD_IDLE:{ // trace the card select sequence
129 sniffBuf[0] = 0xFF;
130 sniffBuf[1] = 0xFF;
131 memcpy(sniffBuf + 2, sniffUID, sizeof(sniffUID));
132 memcpy(sniffBuf + 12, sniffATQA, sizeof(sniffATQA));
133 sniffBuf[14] = sniffSAK;
134 sniffBuf[15] = 0xFF;
135 sniffBuf[16] = 0xFF;
136 LogTrace(sniffBuf, sizeof(sniffBuf), 0, 0, NULL, TRUE);
137 } // intentionally no break;
138 case SNF_CARD_CMD:{
139 LogTrace(data, len, 0, 0, NULL, TRUE);
140 sniffState = SNF_CARD_RESP;
141 timerData = GetTickCount();
142 break;
143 }
144 case SNF_CARD_RESP:{
145 LogTrace(data, len, 0, 0, NULL, FALSE);
146 sniffState = SNF_CARD_CMD;
147 timerData = GetTickCount();
148 break;
149 }
150 default:
151 sniffState = SNF_INIT;
152 break;
153 }
154 return FALSE;
155 }
156
157 bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
158 if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) {
159 return intMfSniffSend();
160 }
161 return FALSE;
162 }
163
164 // internal sending function. not a RAMFUNC.
165 bool intMfSniffSend() {
166
167 int pckSize = 0;
168 int pckLen = BigBuf_get_traceLen();
169 int pckNum = 0;
170 uint8_t *data = BigBuf_get_addr();
171
172 FpgaDisableSscDma();
173 while (pckLen > 0) {
174 pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
175 LED_B_ON();
176 cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, data + BigBuf_get_traceLen() - pckLen, pckSize);
177 LED_B_OFF();
178 pckLen -= pckSize;
179 pckNum++;
180 }
181
182 LED_B_ON();
183 cmd_send(CMD_ACK,2,0,0,0,0); // 2 == data transfer is finished.
184 LED_B_OFF();
185
186 clear_trace();
187 return TRUE;
188 }
Impressum, Datenschutz