]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
Fix memory bounds error
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17
18 #include "apps.h"
19 #include "util.h"
20 #include "parity.h"
21 #include "crc.h"
22
23 // the block number for the ISO14443-4 PCB
24 static uint8_t pcb_blocknum = 0;
25 // Deselect card by sending a s-block. the crc is precalced for speed
26 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
27
28 //-----------------------------------------------------------------------------
29 // Select, Authenticate, Read a MIFARE tag.
30 // read block
31 //-----------------------------------------------------------------------------
32 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
33 {
34 // params
35 uint8_t blockNo = arg0;
36 uint8_t keyType = arg1;
37 uint64_t ui64Key = 0;
38 ui64Key = bytes_to_num(datain, 6);
39
40 // variables
41 byte_t isOK = 0;
42 byte_t dataoutbuf[16];
43 uint8_t uid[10];
44 uint32_t cuid;
45 struct Crypto1State mpcs = {0, 0};
46 struct Crypto1State *pcs;
47 pcs = &mpcs;
48
49 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
50
51 clear_trace();
52
53 LED_A_ON();
54 LED_B_OFF();
55 LED_C_OFF();
56
57 while (true) {
58 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
59 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
60 break;
61 };
62
63 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
64 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
65 break;
66 };
67
68 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
69 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
70 break;
71 };
72
73 if(mifare_classic_halt(pcs, cuid)) {
74 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
75 break;
76 };
77
78 isOK = 1;
79 break;
80 }
81
82 // ----------------------------- crypto1 destroy
83 crypto1_destroy(pcs);
84
85 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
86
87 LED_B_ON();
88 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
89 LED_B_OFF();
90
91 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
92 LEDsoff();
93 }
94
95 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
96
97 bool turnOffField = (arg0 == 1);
98
99 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
100
101 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
102
103 clear_trace();
104
105 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
106 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
107 OnError(0);
108 return;
109 };
110
111 if(!mifare_ultra_auth(keybytes)){
112 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
113 OnError(1);
114 return;
115 }
116
117 if (turnOffField) {
118 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
119 LEDsoff();
120 }
121 cmd_send(CMD_ACK,1,0,0,0,0);
122 }
123
124 // Arg0 = BlockNo,
125 // Arg1 = UsePwd bool
126 // datain = PWD bytes,
127 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
128 {
129 uint8_t blockNo = arg0;
130 byte_t dataout[16] = {0x00};
131 bool useKey = (arg1 == 1); //UL_C
132 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
133
134 LEDsoff();
135 LED_A_ON();
136 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
137
138 clear_trace();
139
140 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
141 if(!len) {
142 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
143 OnError(1);
144 return;
145 }
146
147 // UL-C authentication
148 if ( useKey ) {
149 uint8_t key[16] = {0x00};
150 memcpy(key, datain, sizeof(key) );
151
152 if ( !mifare_ultra_auth(key) ) {
153 OnError(1);
154 return;
155 }
156 }
157
158 // UL-EV1 / NTAG authentication
159 if ( usePwd ) {
160 uint8_t pwd[4] = {0x00};
161 memcpy(pwd, datain, 4);
162 uint8_t pack[4] = {0,0,0,0};
163 if (!mifare_ul_ev1_auth(pwd, pack)) {
164 OnError(1);
165 return;
166 }
167 }
168
169 if( mifare_ultra_readblock(blockNo, dataout) ) {
170 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
171 OnError(2);
172 return;
173 }
174
175 if( mifare_ultra_halt() ) {
176 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
177 OnError(3);
178 return;
179 }
180
181 cmd_send(CMD_ACK,1,0,0,dataout,16);
182 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
183 LEDsoff();
184 }
185
186 //-----------------------------------------------------------------------------
187 // Select, Authenticate, Read a MIFARE tag.
188 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
189 //-----------------------------------------------------------------------------
190 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
191 {
192 // params
193 uint8_t sectorNo = arg0;
194 uint8_t keyType = arg1;
195 uint64_t ui64Key = 0;
196 ui64Key = bytes_to_num(datain, 6);
197
198 // variables
199 byte_t isOK = 0;
200 byte_t dataoutbuf[16 * 16];
201 uint8_t uid[10];
202 uint32_t cuid;
203 struct Crypto1State mpcs = {0, 0};
204 struct Crypto1State *pcs;
205 pcs = &mpcs;
206
207 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
208
209 clear_trace();
210
211 LED_A_ON();
212 LED_B_OFF();
213 LED_C_OFF();
214
215 isOK = 1;
216 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
217 isOK = 0;
218 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
219 }
220
221
222 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
223 isOK = 0;
224 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
225 }
226
227 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
228 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
229 isOK = 0;
230 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
231 break;
232 }
233 }
234
235 if(mifare_classic_halt(pcs, cuid)) {
236 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
237 }
238
239 // ----------------------------- crypto1 destroy
240 crypto1_destroy(pcs);
241
242 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
243
244 LED_B_ON();
245 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
246 LED_B_OFF();
247
248 // Thats it...
249 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
250 LEDsoff();
251 }
252
253 // arg0 = blockNo (start)
254 // arg1 = Pages (number of blocks)
255 // arg2 = useKey
256 // datain = KEY bytes
257 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
258 {
259 LEDsoff();
260 LED_A_ON();
261 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
262
263 // free eventually allocated BigBuf memory
264 BigBuf_free();
265 clear_trace();
266
267 // params
268 uint8_t blockNo = arg0;
269 uint16_t blocks = arg1;
270 bool useKey = (arg2 == 1); //UL_C
271 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
272 uint32_t countblocks = 0;
273 uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);
274 if (dataout == NULL){
275 Dbprintf("out of memory");
276 OnError(1);
277 return;
278 }
279
280 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
281 if (!len) {
282 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
283 OnError(1);
284 return;
285 }
286
287 // UL-C authentication
288 if ( useKey ) {
289 uint8_t key[16] = {0x00};
290 memcpy(key, datain, sizeof(key) );
291
292 if ( !mifare_ultra_auth(key) ) {
293 OnError(1);
294 return;
295 }
296 }
297
298 // UL-EV1 / NTAG authentication
299 if (usePwd) {
300 uint8_t pwd[4] = {0x00};
301 memcpy(pwd, datain, sizeof(pwd));
302 uint8_t pack[4] = {0,0,0,0};
303
304 if (!mifare_ul_ev1_auth(pwd, pack)){
305 OnError(1);
306 return;
307 }
308 }
309
310 for (int i = 0; i < blocks; i++){
311 if ((i*4) + 4 >= CARD_MEMORY_SIZE) {
312 Dbprintf("Data exceeds buffer!!");
313 break;
314 }
315
316 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
317
318 if (len) {
319 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
320 // if no blocks read - error out
321 if (i==0){
322 OnError(2);
323 return;
324 } else {
325 //stop at last successful read block and return what we got
326 break;
327 }
328 } else {
329 countblocks++;
330 }
331 }
332
333 len = mifare_ultra_halt();
334 if (len) {
335 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
336 OnError(3);
337 return;
338 }
339
340 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
341
342 countblocks *= 4;
343
344 cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);
345 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
346 LEDsoff();
347 BigBuf_free();
348 }
349
350 //-----------------------------------------------------------------------------
351 // Select, Authenticate, Write a MIFARE tag.
352 // read block
353 //-----------------------------------------------------------------------------
354 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
355 {
356 // params
357 uint8_t blockNo = arg0;
358 uint8_t keyType = arg1;
359 uint64_t ui64Key = 0;
360 byte_t blockdata[16];
361
362 ui64Key = bytes_to_num(datain, 6);
363 memcpy(blockdata, datain + 10, 16);
364
365 // variables
366 byte_t isOK = 0;
367 uint8_t uid[10];
368 uint32_t cuid;
369 struct Crypto1State mpcs = {0, 0};
370 struct Crypto1State *pcs;
371 pcs = &mpcs;
372
373 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
374
375 clear_trace();
376
377 LED_A_ON();
378 LED_B_OFF();
379 LED_C_OFF();
380
381 while (true) {
382 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
383 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
384 break;
385 };
386
387 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
388 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
389 break;
390 };
391
392 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
393 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
394 break;
395 };
396
397 if(mifare_classic_halt(pcs, cuid)) {
398 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
399 break;
400 };
401
402 isOK = 1;
403 break;
404 }
405
406 // ----------------------------- crypto1 destroy
407 crypto1_destroy(pcs);
408
409 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
410
411 LED_B_ON();
412 cmd_send(CMD_ACK,isOK,0,0,0,0);
413 LED_B_OFF();
414
415
416 // Thats it...
417 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
418 LEDsoff();
419 }
420
421 /* // Command not needed but left for future testing
422 void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
423 {
424 uint8_t blockNo = arg0;
425 byte_t blockdata[16] = {0x00};
426
427 memcpy(blockdata, datain, 16);
428
429 uint8_t uid[10] = {0x00};
430
431 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
432
433 clear_trace();
434 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
435
436 if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) {
437 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
438 OnError(0);
439 return;
440 };
441
442 if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {
443 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
444 OnError(0);
445 return; };
446
447 if(mifare_ultra_halt()) {
448 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
449 OnError(0);
450 return;
451 };
452
453 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
454
455 cmd_send(CMD_ACK,1,0,0,0,0);
456 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
457 LEDsoff();
458 }
459 */
460
461 // Arg0 : Block to write to.
462 // Arg1 : 0 = use no authentication.
463 // 1 = use 0x1A authentication.
464 // 2 = use 0x1B authentication.
465 // datain : 4 first bytes is data to be written.
466 // : 4/16 next bytes is authentication key.
467 void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
468 {
469 uint8_t blockNo = arg0;
470 bool useKey = (arg1 == 1); //UL_C
471 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
472 byte_t blockdata[4] = {0x00};
473
474 memcpy(blockdata, datain,4);
475
476 LEDsoff();
477 LED_A_ON();
478 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
479
480 clear_trace();
481
482 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
483 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
484 OnError(0);
485 return;
486 };
487
488 // UL-C authentication
489 if ( useKey ) {
490 uint8_t key[16] = {0x00};
491 memcpy(key, datain+4, sizeof(key) );
492
493 if ( !mifare_ultra_auth(key) ) {
494 OnError(1);
495 return;
496 }
497 }
498
499 // UL-EV1 / NTAG authentication
500 if (usePwd) {
501 uint8_t pwd[4] = {0x00};
502 memcpy(pwd, datain+4, 4);
503 uint8_t pack[4] = {0,0,0,0};
504 if (!mifare_ul_ev1_auth(pwd, pack)) {
505 OnError(1);
506 return;
507 }
508 }
509
510 if(mifare_ultra_writeblock(blockNo, blockdata)) {
511 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
512 OnError(0);
513 return;
514 };
515
516 if(mifare_ultra_halt()) {
517 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
518 OnError(0);
519 return;
520 };
521
522 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
523
524 cmd_send(CMD_ACK,1,0,0,0,0);
525 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
526 LEDsoff();
527 }
528
529 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
530
531 uint8_t pwd[16] = {0x00};
532 byte_t blockdata[4] = {0x00};
533
534 memcpy(pwd, datain, 16);
535
536 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
537 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
538
539 clear_trace();
540
541 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
542 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
543 OnError(0);
544 return;
545 };
546
547 blockdata[0] = pwd[7];
548 blockdata[1] = pwd[6];
549 blockdata[2] = pwd[5];
550 blockdata[3] = pwd[4];
551 if(mifare_ultra_writeblock( 44, blockdata)) {
552 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
553 OnError(44);
554 return;
555 };
556
557 blockdata[0] = pwd[3];
558 blockdata[1] = pwd[2];
559 blockdata[2] = pwd[1];
560 blockdata[3] = pwd[0];
561 if(mifare_ultra_writeblock( 45, blockdata)) {
562 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
563 OnError(45);
564 return;
565 };
566
567 blockdata[0] = pwd[15];
568 blockdata[1] = pwd[14];
569 blockdata[2] = pwd[13];
570 blockdata[3] = pwd[12];
571 if(mifare_ultra_writeblock( 46, blockdata)) {
572 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
573 OnError(46);
574 return;
575 };
576
577 blockdata[0] = pwd[11];
578 blockdata[1] = pwd[10];
579 blockdata[2] = pwd[9];
580 blockdata[3] = pwd[8];
581 if(mifare_ultra_writeblock( 47, blockdata)) {
582 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
583 OnError(47);
584 return;
585 };
586
587 if(mifare_ultra_halt()) {
588 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
589 OnError(0);
590 return;
591 };
592
593 cmd_send(CMD_ACK,1,0,0,0,0);
594 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
595 LEDsoff();
596 }
597
598 // Return 1 if the nonce is invalid else return 0
599 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
600 return ((oddparity8((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity8((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
601 (oddparity8((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity8((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
602 (oddparity8((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity8((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
603 }
604
605
606 //-----------------------------------------------------------------------------
607 // acquire encrypted nonces in order to perform the attack described in
608 // Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
609 // Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
610 // Computer and Communications Security, 2015
611 //-----------------------------------------------------------------------------
612 void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)
613 {
614 uint64_t ui64Key = 0;
615 uint8_t uid[10];
616 uint32_t cuid;
617 uint8_t cascade_levels = 0;
618 struct Crypto1State mpcs = {0, 0};
619 struct Crypto1State *pcs;
620 pcs = &mpcs;
621 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
622 int16_t isOK = 0;
623 uint8_t par_enc[1];
624 uint8_t nt_par_enc = 0;
625 uint8_t buf[USB_CMD_DATA_SIZE];
626 uint32_t timeout;
627
628 uint8_t blockNo = arg0 & 0xff;
629 uint8_t keyType = (arg0 >> 8) & 0xff;
630 uint8_t targetBlockNo = arg1 & 0xff;
631 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
632 ui64Key = bytes_to_num(datain, 6);
633 bool initialize = flags & 0x0001;
634 bool slow = flags & 0x0002;
635 bool field_off = flags & 0x0004;
636
637 LED_A_ON();
638 LED_C_OFF();
639
640 if (initialize) {
641 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
642 clear_trace();
643 set_tracing(true);
644 }
645
646 LED_C_ON();
647
648 uint16_t num_nonces = 0;
649 bool have_uid = false;
650 for (uint16_t i = 0; i <= USB_CMD_DATA_SIZE - 9; ) {
651
652 // Test if the action was cancelled
653 if(BUTTON_PRESS()) {
654 isOK = 2;
655 field_off = true;
656 break;
657 }
658
659 if (!have_uid) { // need a full select cycle to get the uid first
660 iso14a_card_select_t card_info;
661 if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0, true)) {
662 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (ALL)");
663 continue;
664 }
665 switch (card_info.uidlen) {
666 case 4 : cascade_levels = 1; break;
667 case 7 : cascade_levels = 2; break;
668 case 10: cascade_levels = 3; break;
669 default: break;
670 }
671 have_uid = true;
672 } else { // no need for anticollision. We can directly select the card
673 if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels, true)) {
674 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (UID)");
675 continue;
676 }
677 }
678
679 if (slow) {
680 timeout = GetCountSspClk() + PRE_AUTHENTICATION_LEADTIME;
681 while(GetCountSspClk() < timeout);
682 }
683
684 uint32_t nt1;
685 if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, NULL)) {
686 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth1 error");
687 continue;
688 }
689
690 // nested authentication
691 uint16_t len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par_enc, NULL);
692 if (len != 4) {
693 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth2 error len=%d", len);
694 continue;
695 }
696
697 // send a dummy byte as reader response in order to trigger the cards authentication timeout
698 uint8_t dummy_answer = 0;
699 ReaderTransmit(&dummy_answer, 1, NULL);
700 timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;
701
702 num_nonces++;
703 if (num_nonces % 2) {
704 memcpy(buf+i, receivedAnswer, 4);
705 nt_par_enc = par_enc[0] & 0xf0;
706 } else {
707 nt_par_enc |= par_enc[0] >> 4;
708 memcpy(buf+i+4, receivedAnswer, 4);
709 memcpy(buf+i+8, &nt_par_enc, 1);
710 i += 9;
711 }
712
713 // wait for the card to become ready again
714 while(GetCountSspClk() < timeout);
715
716 }
717
718 LED_C_OFF();
719
720 crypto1_destroy(pcs);
721
722 LED_B_ON();
723 cmd_send(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));
724 LED_B_OFF();
725
726 if (MF_DBGLEVEL >= 3) DbpString("AcquireEncryptedNonces finished");
727
728 if (field_off) {
729 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
730 LEDsoff();
731 }
732 }
733
734
735 //-----------------------------------------------------------------------------
736 // MIFARE nested authentication.
737 //
738 //-----------------------------------------------------------------------------
739 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
740 {
741 // params
742 uint8_t blockNo = arg0 & 0xff;
743 uint8_t keyType = (arg0 >> 8) & 0xff;
744 uint8_t targetBlockNo = arg1 & 0xff;
745 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
746 uint64_t ui64Key = 0;
747
748 ui64Key = bytes_to_num(datain, 6);
749
750 // variables
751 uint16_t rtr, i, j, len;
752 uint16_t davg;
753 static uint16_t dmin, dmax;
754 uint8_t uid[10];
755 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
756 uint8_t par[1];
757 uint32_t target_nt[2], target_ks[2];
758
759 uint8_t par_array[4];
760 uint16_t ncount = 0;
761 struct Crypto1State mpcs = {0, 0};
762 struct Crypto1State *pcs;
763 pcs = &mpcs;
764 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
765
766 uint32_t auth1_time, auth2_time;
767 static uint16_t delta_time;
768
769 LED_A_ON();
770 LED_C_OFF();
771 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
772
773 // free eventually allocated BigBuf memory
774 BigBuf_free();
775
776 if (calibrate) clear_trace();
777 set_tracing(true);
778
779 // statistics on nonce distance
780 int16_t isOK = 0;
781 #define NESTED_MAX_TRIES 12
782 uint16_t unsuccessfull_tries = 0;
783 if (calibrate) { // for first call only. Otherwise reuse previous calibration
784 LED_B_ON();
785 WDT_HIT();
786
787 davg = dmax = 0;
788 dmin = 2000;
789 delta_time = 0;
790
791 for (rtr = 0; rtr < 17; rtr++) {
792
793 // Test if the action was cancelled
794 if(BUTTON_PRESS()) {
795 isOK = -2;
796 break;
797 }
798
799 // prepare next select. No need to power down the card.
800 if(mifare_classic_halt(pcs, cuid)) {
801 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
802 rtr--;
803 continue;
804 }
805
806 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
807 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
808 rtr--;
809 continue;
810 };
811
812 auth1_time = 0;
813 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
814 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
815 rtr--;
816 continue;
817 };
818
819 if (delta_time) {
820 auth2_time = auth1_time + delta_time;
821 } else {
822 auth2_time = 0;
823 }
824 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
825 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
826 rtr--;
827 continue;
828 };
829
830 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
831 for (i = 101; i < 1200; i++) {
832 nttmp = prng_successor(nttmp, 1);
833 if (nttmp == nt2) break;
834 }
835
836 if (i != 1200) {
837 if (rtr != 0) {
838 davg += i;
839 dmin = MIN(dmin, i);
840 dmax = MAX(dmax, i);
841 }
842 else {
843 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
844 }
845 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
846 } else {
847 unsuccessfull_tries++;
848 if (unsuccessfull_tries > NESTED_MAX_TRIES) { // card isn't vulnerable to nested attack (random numbers are not predictable)
849 isOK = -3;
850 }
851 }
852 }
853
854 davg = (davg + (rtr - 1)/2) / (rtr - 1);
855
856 if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);
857
858 dmin = davg - 2;
859 dmax = davg + 2;
860
861 LED_B_OFF();
862
863 }
864 // -------------------------------------------------------------------------------------------------
865
866 LED_C_ON();
867
868 // get crypted nonces for target sector
869 for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces
870
871 target_nt[i] = 0;
872 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
873
874 // prepare next select. No need to power down the card.
875 if(mifare_classic_halt(pcs, cuid)) {
876 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
877 continue;
878 }
879
880 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
881 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
882 continue;
883 };
884
885 auth1_time = 0;
886 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
887 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
888 continue;
889 };
890
891 // nested authentication
892 auth2_time = auth1_time + delta_time;
893 len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
894 if (len != 4) {
895 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
896 continue;
897 };
898
899 nt2 = bytes_to_num(receivedAnswer, 4);
900 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
901
902 // Parity validity check
903 for (j = 0; j < 4; j++) {
904 par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
905 }
906
907 ncount = 0;
908 nttest = prng_successor(nt1, dmin - 1);
909 for (j = dmin; j < dmax + 1; j++) {
910 nttest = prng_successor(nttest, 1);
911 ks1 = nt2 ^ nttest;
912
913 if (valid_nonce(nttest, nt2, ks1, par_array)){
914 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
915 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
916 target_nt[i] = 0;
917 break;
918 }
919 target_nt[i] = nttest;
920 target_ks[i] = ks1;
921 ncount++;
922 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
923 target_nt[i] = 0;
924 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
925 break;
926 }
927 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
928 }
929 }
930 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
931 }
932 }
933
934 LED_C_OFF();
935
936 // ----------------------------- crypto1 destroy
937 crypto1_destroy(pcs);
938
939 byte_t buf[4 + 4 * 4];
940 memcpy(buf, &cuid, 4);
941 memcpy(buf+4, &target_nt[0], 4);
942 memcpy(buf+8, &target_ks[0], 4);
943 memcpy(buf+12, &target_nt[1], 4);
944 memcpy(buf+16, &target_ks[1], 4);
945
946 LED_B_ON();
947 cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
948 LED_B_OFF();
949
950 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
951
952 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
953 LEDsoff();
954 }
955
956 //-----------------------------------------------------------------------------
957 // MIFARE check keys. key count up to 85.
958 //
959 //-----------------------------------------------------------------------------
960 void MifareChkKeys(uint16_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
961 {
962 uint8_t blockNo = arg0 & 0xff;
963 uint8_t keyType = (arg0 >> 8) & 0xff;
964 bool clearTrace = arg1 & 0x01;
965 bool multisectorCheck = arg1 & 0x02;
966 uint8_t set14aTimeout = (arg1 >> 8) & 0xff;
967 uint8_t keyCount = arg2;
968
969 // clear debug level
970 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
971 MF_DBGLEVEL = MF_DBG_NONE;
972
973 LED_A_ON();
974 LED_B_OFF();
975 LED_C_OFF();
976 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
977
978 if (clearTrace) clear_trace();
979 set_tracing(true);
980
981 if (set14aTimeout){
982 iso14a_set_timeout(set14aTimeout * 10); // timeout: ms = x/106 35-minimum, 50-OK 106-recommended 500-safe
983 }
984
985 if (multisectorCheck) {
986 TKeyIndex keyIndex = {{0}};
987 uint8_t sectorCnt = blockNo;
988 int res = MifareMultisectorChk(datain, keyCount, sectorCnt, keyType, OLD_MF_DBGLEVEL, &keyIndex);
989
990 LED_B_ON();
991 if (res >= 0) {
992 cmd_send(CMD_ACK, 1, 0, 0, keyIndex, 80);
993 } else {
994 cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
995 }
996 LED_B_OFF();
997 } else {
998 int res = MifareChkBlockKeys(datain, keyCount, blockNo, keyType, OLD_MF_DBGLEVEL);
999
1000 LED_B_ON();
1001 if (res > 0) {
1002 cmd_send(CMD_ACK, 1, 0, 0, datain + (res - 1) * 6, 6);
1003 } else {
1004 cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
1005 }
1006 LED_B_OFF();
1007 }
1008
1009 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1010 LEDsoff();
1011
1012 // restore debug level
1013 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
1014 }
1015
1016 //-----------------------------------------------------------------------------
1017 // MIFARE commands set debug level
1018 //
1019 //-----------------------------------------------------------------------------
1020 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1021 MF_DBGLEVEL = arg0;
1022 Dbprintf("Debug level: %d", MF_DBGLEVEL);
1023 }
1024
1025 //-----------------------------------------------------------------------------
1026 // Work with emulator memory
1027 //
1028 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
1029 // involved in dealing with emulator memory. But if it is called later, it might
1030 // destroy the Emulator Memory.
1031 //-----------------------------------------------------------------------------
1032
1033 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1034 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1035 emlClearMem();
1036 }
1037
1038 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1039 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1040 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
1041 }
1042
1043 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1044 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1045 byte_t buf[USB_CMD_DATA_SIZE];
1046 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
1047
1048 LED_B_ON();
1049 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
1050 LED_B_OFF();
1051 }
1052
1053 //-----------------------------------------------------------------------------
1054 // Load a card into the emulator memory
1055 //
1056 //-----------------------------------------------------------------------------
1057 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1058 uint8_t numSectors = arg0;
1059 uint8_t keyType = arg1;
1060 uint64_t ui64Key = 0;
1061 uint32_t cuid;
1062 struct Crypto1State mpcs = {0, 0};
1063 struct Crypto1State *pcs;
1064 pcs = &mpcs;
1065
1066 // variables
1067 byte_t dataoutbuf[16];
1068 byte_t dataoutbuf2[16];
1069 uint8_t uid[10];
1070
1071 LED_A_ON();
1072 LED_B_OFF();
1073 LED_C_OFF();
1074 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1075
1076 clear_trace();
1077 set_tracing(false);
1078
1079 bool isOK = true;
1080
1081 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
1082 isOK = false;
1083 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1084 }
1085
1086 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
1087 ui64Key = emlGetKey(sectorNo, keyType);
1088 if (sectorNo == 0){
1089 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
1090 isOK = false;
1091 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
1092 break;
1093 }
1094 } else {
1095 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
1096 isOK = false;
1097 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
1098 break;
1099 }
1100 }
1101
1102 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
1103 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
1104 isOK = false;
1105 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
1106 break;
1107 };
1108 if (isOK) {
1109 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
1110 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
1111 } else { // sector trailer, keep the keys, set only the AC
1112 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1113 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
1114 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1115 }
1116 }
1117 }
1118
1119 }
1120
1121 if(mifare_classic_halt(pcs, cuid)) {
1122 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1123 };
1124
1125 // ----------------------------- crypto1 destroy
1126 crypto1_destroy(pcs);
1127
1128 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1129 LEDsoff();
1130
1131 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
1132
1133 }
1134
1135
1136 //-----------------------------------------------------------------------------
1137 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
1138 //
1139 //-----------------------------------------------------------------------------
1140
1141 static bool isBlockTrailer(int blockN) {
1142 if (blockN >= 0 && blockN < 128) {
1143 return ((blockN & 0x03) == 0x03);
1144 }
1145 if (blockN >= 128 && blockN <= 256) {
1146 return ((blockN & 0x0F) == 0x0F);
1147 }
1148 return FALSE;
1149 }
1150
1151 void MifareCWipe(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1152 // var
1153 byte_t isOK = 0;
1154 uint32_t numBlocks = arg0;
1155 // cmdParams:
1156 // bit 0 - wipe gen1a
1157 // bit 1 - fill card with default data
1158 // bit 2 - gen1a = 0, gen1b = 1
1159 uint8_t cmdParams = arg1;
1160 bool needWipe = cmdParams & 0x01;
1161 bool needFill = cmdParams & 0x02;
1162 bool gen1b = cmdParams & 0x04;
1163
1164 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1165 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1166
1167 uint8_t block0[16] = {0x01, 0x02, 0x03, 0x04, 0x04, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBE, 0xAF};
1168 uint8_t block1[16] = {0x00};
1169 uint8_t blockK[16] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x08, 0x77, 0x8F, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
1170 uint8_t d_block[18] = {0x00};
1171
1172 // card commands
1173 uint8_t wupC1[] = { 0x40 };
1174 uint8_t wupC2[] = { 0x43 };
1175 uint8_t wipeC[] = { 0x41 };
1176
1177 // iso14443 setup
1178 LED_A_ON();
1179 LED_B_OFF();
1180 LED_C_OFF();
1181 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1182
1183 // tracing
1184 clear_trace();
1185 set_tracing(true);
1186
1187 while (true){
1188 // wipe
1189 if (needWipe){
1190 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1191 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1192 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1193 break;
1194 };
1195
1196 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1197 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1198 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1199 break;
1200 };
1201
1202 if(mifare_classic_halt(NULL, 0)) {
1203 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1204 };
1205 };
1206
1207 // put default data
1208 if (needFill){
1209 // select commands
1210 ReaderTransmitBitsPar(wupC1, 7, 0, NULL);
1211
1212 // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)
1213 if (!gen1b) {
1214
1215 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1216 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1217 break;
1218 };
1219
1220 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1221 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1222 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1223 break;
1224 };
1225 }
1226
1227 // send blocks command
1228 for (int blockNo = 0; blockNo < numBlocks; blockNo++) {
1229 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1230 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1231 break;
1232 };
1233
1234 // check type of block and add crc
1235 if (!isBlockTrailer(blockNo)){
1236 memcpy(d_block, block1, 16);
1237 } else {
1238 memcpy(d_block, blockK, 16);
1239 }
1240 if (blockNo == 0) {
1241 memcpy(d_block, block0, 16);
1242 }
1243 AppendCrc14443a(d_block, 16);
1244
1245 // send write command
1246 ReaderTransmit(d_block, sizeof(d_block), NULL);
1247 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1248 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1249 break;
1250 };
1251 }
1252
1253 // halt
1254 // do no issue halt command for gen1b
1255 if (!gen1b) {
1256 if (mifare_classic_halt(NULL, 0)) {
1257 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1258 break;
1259 }
1260 }
1261 }
1262 break;
1263 }
1264
1265 // send USB response
1266 LED_B_ON();
1267 cmd_send(CMD_ACK,isOK,0,0,NULL,0);
1268 LED_B_OFF();
1269
1270 // reset fpga
1271 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1272 LEDsoff();
1273
1274 return;
1275 }
1276
1277 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1278
1279 // params
1280 uint8_t needWipe = arg0;
1281 // bit 0 - need get UID
1282 // bit 1 - need wupC
1283 // bit 2 - need HALT after sequence
1284 // bit 3 - need init FPGA and field before sequence
1285 // bit 4 - need reset FPGA and LED
1286 // bit 6 - gen1b backdoor type
1287 uint8_t workFlags = arg1;
1288 uint8_t blockNo = arg2;
1289
1290 // card commands
1291 uint8_t wupC1[] = { 0x40 };
1292 uint8_t wupC2[] = { 0x43 };
1293 uint8_t wipeC[] = { 0x41 };
1294
1295 // variables
1296 byte_t isOK = 0;
1297 uint8_t uid[10] = {0x00};
1298 uint8_t d_block[18] = {0x00};
1299 uint32_t cuid;
1300
1301 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1302 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1303
1304 // reset FPGA and LED
1305 if (workFlags & 0x08) {
1306 LED_A_ON();
1307 LED_B_OFF();
1308 LED_C_OFF();
1309 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1310
1311 clear_trace();
1312 set_tracing(true);
1313 }
1314
1315 while (true) {
1316
1317 // get UID from chip
1318 if (workFlags & 0x01) {
1319 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
1320 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1321 // Continue, if we set wrong UID or wrong UID checksum or some ATQA or SAK we will can't select card. But we need to write block 0 to make card work.
1322 //break;
1323 };
1324
1325 if(mifare_classic_halt(NULL, cuid)) {
1326 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1327 // Continue, some magic tags misbehavies and send an answer to it.
1328 // break;
1329 };
1330 };
1331
1332 // reset chip
1333 // Wipe command don't work with gen1b
1334 if (needWipe && !(workFlags & 0x40)){
1335 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1336 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1337 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1338 break;
1339 };
1340
1341 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1342 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1343 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1344 break;
1345 };
1346
1347 if(mifare_classic_halt(NULL, 0)) {
1348 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1349 // Continue, some magic tags misbehavies and send an answer to it.
1350 // break;
1351 };
1352 };
1353
1354 // write block
1355 if (workFlags & 0x02) {
1356 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1357
1358 // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)
1359 if (!(workFlags & 0x40)) {
1360
1361 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1362 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1363 break;
1364 };
1365
1366 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1367 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1368 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1369 break;
1370 };
1371 }
1372 }
1373
1374 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1375 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1376 break;
1377 };
1378
1379 memcpy(d_block, datain, 16);
1380 AppendCrc14443a(d_block, 16);
1381
1382 ReaderTransmit(d_block, sizeof(d_block), NULL);
1383 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1384 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1385 break;
1386 };
1387
1388 if (workFlags & 0x04) {
1389 // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1)
1390 if (!(workFlags & 0x40)) {
1391 if (mifare_classic_halt(NULL, 0)) {
1392 if (MF_DBGLEVEL > 2) Dbprintf("Halt error");
1393 // Continue, some magic tags misbehavies and send an answer to it.
1394 // break;
1395 }
1396 }
1397 }
1398
1399 isOK = 1;
1400 break;
1401 }
1402
1403 LED_B_ON();
1404 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1405 LED_B_OFF();
1406
1407 if ((workFlags & 0x10) || (!isOK)) {
1408 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1409 LEDsoff();
1410 }
1411 }
1412
1413
1414 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1415
1416 // params
1417 // bit 1 - need wupC
1418 // bit 2 - need HALT after sequence
1419 // bit 3 - need init FPGA and field before sequence
1420 // bit 4 - need reset FPGA and LED
1421 // bit 5 - need to set datain instead of issuing USB reply (called via ARM for StandAloneMode14a)
1422 // bit 6 - gen1b backdoor type
1423 uint8_t workFlags = arg0;
1424 uint8_t blockNo = arg2;
1425
1426 // card commands
1427 uint8_t wupC1[] = { 0x40 };
1428 uint8_t wupC2[] = { 0x43 };
1429
1430 // variables
1431 byte_t isOK = 0;
1432 uint8_t data[18] = {0x00};
1433 uint32_t cuid = 0;
1434
1435 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1436 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1437
1438 if (workFlags & 0x08) {
1439 LED_A_ON();
1440 LED_B_OFF();
1441 LED_C_OFF();
1442 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1443
1444 clear_trace();
1445 set_tracing(true);
1446 }
1447
1448 while (true) {
1449 if (workFlags & 0x02) {
1450 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1451 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1452 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1453 break;
1454 };
1455 // do no issue for gen1b magic tag
1456 if (!(workFlags & 0x40)) {
1457 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1458 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1459 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1460 break;
1461 };
1462 }
1463 }
1464
1465 // read block
1466 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1467 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1468 break;
1469 };
1470 memcpy(data, receivedAnswer, 18);
1471
1472 if (workFlags & 0x04) {
1473 // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1)
1474 if (!(workFlags & 0x40)) {
1475 if (mifare_classic_halt(NULL, cuid)) {
1476 if (MF_DBGLEVEL > 1) Dbprintf("Halt error");
1477 // Continue, some magic tags misbehavies and send an answer to it.
1478 // break;
1479 }
1480 }
1481 }
1482
1483 isOK = 1;
1484 break;
1485 }
1486
1487 LED_B_ON();
1488 if (workFlags & 0x20) {
1489 if (isOK)
1490 memcpy(datain, data, 18);
1491 }
1492 else
1493 cmd_send(CMD_ACK,isOK,0,0,data,18);
1494 LED_B_OFF();
1495
1496 if ((workFlags & 0x10) || (!isOK)) {
1497 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1498 LEDsoff();
1499 }
1500 }
1501
1502 void MifareCIdent(){
1503
1504 // card commands
1505 uint8_t wupC1[] = { 0x40 };
1506 uint8_t wupC2[] = { 0x43 };
1507
1508 // variables
1509 byte_t isOK = 0;
1510
1511 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1512 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1513
1514 LED_A_ON();
1515 LED_B_OFF();
1516 LED_C_OFF();
1517 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1518
1519 clear_trace();
1520 set_tracing(true);
1521
1522 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1523 if(ReaderReceive(receivedAnswer, receivedAnswerPar) && (receivedAnswer[0] == 0x0a)) {
1524 isOK = 2;
1525
1526 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1527 if(ReaderReceive(receivedAnswer, receivedAnswerPar) && (receivedAnswer[0] == 0x0a)) {
1528 isOK = 1;
1529 };
1530 };
1531
1532 // From iceman1001: removed the if, since some magic tags misbehavies and send an answer to it.
1533 mifare_classic_halt(NULL, 0);
1534
1535 LED_B_ON();
1536 cmd_send(CMD_ACK,isOK,0,0,0,0);
1537 LED_B_OFF();
1538
1539 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1540 LEDsoff();
1541 }
1542
1543 //
1544 // DESFIRE
1545 //
1546
1547 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1548
1549 byte_t dataout[11] = {0x00};
1550 uint8_t uid[10] = {0x00};
1551 uint32_t cuid;
1552
1553 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1554 clear_trace();
1555
1556 int len = iso14443a_select_card(uid, NULL, &cuid, true, 0, true);
1557 if(!len) {
1558 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1559 OnError(1);
1560 return;
1561 };
1562
1563 if(mifare_desfire_des_auth1(cuid, dataout)){
1564 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1565 OnError(4);
1566 return;
1567 }
1568
1569 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1570 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1571 }
1572
1573 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1574
1575 uint32_t cuid = arg0;
1576 uint8_t key[16] = {0x00};
1577 byte_t isOK = 0;
1578 byte_t dataout[12] = {0x00};
1579
1580 memcpy(key, datain, 16);
1581
1582 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1583
1584 if( isOK) {
1585 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");
1586 OnError(4);
1587 return;
1588 }
1589
1590 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
1591
1592 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1593 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1594 LEDsoff();
1595 }
1596
1597 void OnSuccess(){
1598 pcb_blocknum = 0;
1599 ReaderTransmit(deselect_cmd, 3 , NULL);
1600 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1601 LEDsoff();
1602 }
1603
1604 void OnError(uint8_t reason){
1605 pcb_blocknum = 0;
1606 ReaderTransmit(deselect_cmd, 3 , NULL);
1607 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1608 cmd_send(CMD_ACK,0,reason,0,0,0);
1609 LEDsoff();
1610 }
Impressum, Datenschutz