]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf14b.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
CHG: textual changes to help text.
[proxmark3-svn] / client / cmdhf14b.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency ISO14443B commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <stdbool.h>
14 #include <stdint.h>
15 #include "cmdhf14b.h"
16
17 #define TIMEOUT 2000
18 static int CmdHelp(const char *Cmd);
19
20 int usage_hf_14b_info(void){
21 PrintAndLog("Usage: hf 14b info [h] [s]");
22 PrintAndLog("Options:");
23 PrintAndLog(" h this help");
24 PrintAndLog(" s silently");
25 PrintAndLog("sample:");
26 PrintAndLog(" hf 14b info");
27 return 0;
28 }
29 int usage_hf_14b_reader(void){
30 PrintAndLog("Usage: hf 14b reader [h] [s]");
31 PrintAndLog("Options:");
32 PrintAndLog(" h this help");
33 PrintAndLog(" s silently");
34 PrintAndLog("sample:");
35 PrintAndLog(" hf 14b reader");
36 return 0;
37 }
38 int usage_hf_14b_raw(void){
39 PrintAndLog("Usage: hf 14b raw [-h] [-r] [-c] [-p] [-s || -ss] <0A 0B 0C ... hex>");
40 PrintAndLog("Options:");
41 PrintAndLog(" -h this help");
42 PrintAndLog(" -r do not read response");
43 PrintAndLog(" -c calculate and append CRC");
44 PrintAndLog(" -p leave the field on after receive");
45 PrintAndLog(" -s active signal field ON with select");
46 PrintAndLog(" -ss active signal field ON with select for SRx ST Microelectronics tags");
47 PrintAndLog("sample:");
48 PrintAndLog(" hf 14b raw -s -c -p 0200a40400");
49 return 0;
50 }
51 int usage_hf_14b_snoop(void){
52 PrintAndLog("It get data from the field and saves it into command buffer.");
53 PrintAndLog("Buffer accessible from command 'hf list 14b'");
54 PrintAndLog("Usage: hf 14b snoop [h]");
55 PrintAndLog("Options:");
56 PrintAndLog(" h this help");
57 PrintAndLog("sample:");
58 PrintAndLog(" hf 14b snoop");
59 return 0;
60 }
61 int usage_hf_14b_sim(void){
62 PrintAndLog("Emulating ISO/IEC 14443 type B tag with 4 UID / PUPI");
63 PrintAndLog("Usage: hf 14b sim [h] u <uid>");
64 PrintAndLog("Options:");
65 PrintAndLog(" h this help");
66 PrintAndLog(" u 4byte UID/PUPI");
67 PrintAndLog("sample:");
68 PrintAndLog(" hf 14b sim");
69 PrintAndLog(" hf 14b sim u 11223344");
70 return 0;
71 }
72 int usage_hf_14b_read_srx(void){
73 PrintAndLog("Usage: hf 14b read [h] <1|2>");
74 PrintAndLog("Options:");
75 PrintAndLog(" h this help");
76 PrintAndLog(" <1|2> 1 = SRIX4K , 2 = SRI512");
77 PrintAndLog("sample:");
78 PrintAndLog(" hf 14b read 1");
79 PrintAndLog(" hf 14b read 2");
80 return 0;
81 }
82 int usage_hf_14b_write_srx(void){
83 PrintAndLog("Usage: hf 14b [h] write <1|2> <BLOCK> <DATA>");
84 PrintAndLog("Options:");
85 PrintAndLog(" h this help");
86 PrintAndLog(" <1|2> 1 = SRIX4K , 2 = SRI512");
87 PrintAndLog(" <block> BLOCK number depends on tag, special block == FF");
88 PrintAndLog(" <data> hex bytes of data to be written");
89 PrintAndLog("sample:");
90 PrintAndLog(" hf 14b write 1 7F 11223344");
91 PrintAndLog(" hf 14b write 1 FF 11223344");
92 PrintAndLog(" hf 14b write 2 15 11223344");
93 PrintAndLog(" hf 14b write 2 FF 11223344");
94 return 0;
95 }
96
97 static void switch_on_field_14b(void) {
98 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT, 0, 0}};
99 clearCommandBuffer();
100 SendCommand(&c);
101 }
102
103 static int switch_off_field_14b(void) {
104 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_DISCONNECT, 0, 0}};
105 clearCommandBuffer();
106 SendCommand(&c);
107 return 0;
108 }
109
110 int CmdHF14BList(const char *Cmd) {
111 CmdHFList("14b");
112 return 0;
113 }
114
115 int CmdHF14BSim(const char *Cmd) {
116 char cmdp = param_getchar(Cmd, 0);
117 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_sim();
118
119 uint32_t pupi = 0;
120 if (cmdp == 'u' || cmdp == 'U') {
121 pupi = param_get32ex(Cmd, 1, 0, 16);
122 }
123
124 UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443B, {pupi, 0, 0}};
125 clearCommandBuffer();
126 SendCommand(&c);
127 return 0;
128 }
129
130 int CmdHF14BSnoop(const char *Cmd) {
131
132 char cmdp = param_getchar(Cmd, 0);
133 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_snoop();
134
135 UsbCommand c = {CMD_SNOOP_ISO_14443B, {0, 0, 0}};
136 clearCommandBuffer();
137 SendCommand(&c);
138 return 0;
139 }
140
141 int CmdHF14BCmdRaw (const char *Cmd) {
142 bool reply = TRUE;
143 bool power = FALSE;
144 bool select = FALSE;
145 char buf[5]="";
146
147 int i = 0;
148 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
149 uint16_t datalen = 0;
150 uint32_t flags = ISO14B_CONNECT;
151 uint32_t temp = 0;
152
153 if (strlen(Cmd)<3) return usage_hf_14b_raw();
154
155 // strip
156 while (*Cmd==' ' || *Cmd=='\t') ++Cmd;
157
158 while (Cmd[i]!='\0') {
159 if (Cmd[i]==' ' || Cmd[i]=='\t') { ++i; continue; }
160 if (Cmd[i]=='-') {
161 switch (Cmd[i+1]) {
162 case 'H':
163 case 'h':
164 return usage_hf_14b_raw();
165 case 'r':
166 case 'R':
167 reply = FALSE;
168 break;
169 case 'c':
170 case 'C':
171 flags |= ISO14B_APPEND_CRC;
172 break;
173 case 'p':
174 case 'P':
175 power = TRUE;
176 break;
177 case 's':
178 case 'S':
179 select = TRUE;
180 if (Cmd[i+2]=='s' || Cmd[i+2]=='S') {
181 flags |= ISO14B_SELECT_SR;
182 ++i;
183 } else {
184 flags |= ISO14B_SELECT_STD;
185 }
186 break;
187 default:
188 return usage_hf_14b_raw();
189 }
190 i+=2;
191 continue;
192 }
193 if ((Cmd[i]>='0' && Cmd[i]<='9') ||
194 (Cmd[i]>='a' && Cmd[i]<='f') ||
195 (Cmd[i]>='A' && Cmd[i]<='F') ) {
196 buf[strlen(buf)+1]=0;
197 buf[strlen(buf)]=Cmd[i];
198 i++;
199
200 if (strlen(buf)>=2) {
201 sscanf(buf,"%x",&temp);
202 data[datalen++] = (uint8_t)(temp & 0xff);
203 *buf=0;
204 memset(buf, 0x00, sizeof(buf));
205 }
206 continue;
207 }
208 PrintAndLog("Invalid char on input");
209 return 0;
210 }
211
212 if(!power)
213 flags |= ISO14B_DISCONNECT;
214
215 if(datalen>0)
216 flags |= ISO14B_RAW;
217
218 // Max buffer is USB_CMD_DATA_SIZE
219 datalen = (datalen > USB_CMD_DATA_SIZE) ? USB_CMD_DATA_SIZE : datalen;
220
221 UsbCommand c = {CMD_ISO_14443B_COMMAND, {flags, datalen, 0}};
222 memcpy(c.d.asBytes, data, datalen);
223 clearCommandBuffer();
224 SendCommand(&c);
225
226 if (!reply) return 1;
227
228 bool success = TRUE;
229 // get back iso14b_card_select_t, don't print it.
230 if(select)
231 success = waitCmd(FALSE);
232
233 // get back response from the raw bytes you sent.
234 if(success && datalen>0) waitCmd(TRUE);
235
236 return 1;
237 }
238
239 // print full atqb info
240 // bytes
241 // 0,1,2,3 = application data
242 // 4 = bit rate capacity
243 // 5 = max frame size / -4 info
244 // 6 = FWI / Coding options
245 static void print_atqb_resp(uint8_t *data, uint8_t cid){
246 //PrintAndLog(" UID: %s", sprint_hex(data+1,4));
247 PrintAndLog(" App Data: %s", sprint_hex(data,4));
248 PrintAndLog(" Protocol: %s", sprint_hex(data+4,3));
249 uint8_t BitRate = data[4];
250 if (!BitRate) PrintAndLog(" Bit Rate: 106 kbit/s only PICC <-> PCD");
251 if (BitRate & 0x10) PrintAndLog(" Bit Rate: 212 kbit/s PICC -> PCD supported");
252 if (BitRate & 0x20) PrintAndLog(" Bit Rate: 424 kbit/s PICC -> PCD supported");
253 if (BitRate & 0x40) PrintAndLog(" Bit Rate: 847 kbit/s PICC -> PCD supported");
254 if (BitRate & 0x01) PrintAndLog(" Bit Rate: 212 kbit/s PICC <- PCD supported");
255 if (BitRate & 0x02) PrintAndLog(" Bit Rate: 424 kbit/s PICC <- PCD supported");
256 if (BitRate & 0x04) PrintAndLog(" Bit Rate: 847 kbit/s PICC <- PCD supported");
257 if (BitRate & 0x80) PrintAndLog(" Same bit rate <-> required");
258
259 uint16_t maxFrame = data[5]>>4;
260 if (maxFrame < 5) maxFrame = 8 * maxFrame + 16;
261 else if (maxFrame == 5) maxFrame = 64;
262 else if (maxFrame == 6) maxFrame = 96;
263 else if (maxFrame == 7) maxFrame = 128;
264 else if (maxFrame == 8) maxFrame = 256;
265 else maxFrame = 257;
266
267 PrintAndLog("Max Frame Size: %u%s bytes",maxFrame, (maxFrame == 257) ? "+ RFU" : "");
268
269 uint8_t protocolT = data[5] & 0xF;
270 PrintAndLog(" Protocol Type: Protocol is %scompliant with ISO/IEC 14443-4",(protocolT) ? "" : "not " );
271
272 uint8_t fwt = data[6]>>4;
273 if ( fwt < 16 ){
274 uint32_t etus = (32 << fwt);
275 uint32_t fwt_time = (302 << fwt);
276 PrintAndLog("Frame Wait Integer: %u - %u ETUs | %u us", fwt, etus, fwt_time);
277 } else {
278 PrintAndLog("Frame Wait Integer: %u - RFU", fwt);
279 }
280
281 PrintAndLog(" App Data Code: Application is %s",(data[6]&4) ? "Standard" : "Proprietary");
282 PrintAndLog(" Frame Options: NAD is %ssupported",(data[6]&2) ? "" : "not ");
283 PrintAndLog(" Frame Options: CID is %ssupported",(data[6]&1) ? "" : "not ");
284 PrintAndLog("Tag :");
285 PrintAndLog(" Max Buf Length: %u (MBLI) %s", cid>>4, (cid & 0xF0) ? "" : "chained frames not supported");
286 PrintAndLog(" CDI : %u", cid & 0x0f);
287 return;
288 }
289
290 // get SRx chip model (from UID) // from ST Microelectronics
291 char *get_ST_Chip_Model(uint8_t data){
292 static char model[20];
293 char *retStr = model;
294 memset(model,0, sizeof(model));
295
296 switch (data) {
297 case 0x0: sprintf(retStr, "SRIX4K (Special)"); break;
298 case 0x2: sprintf(retStr, "SR176"); break;
299 case 0x3: sprintf(retStr, "SRIX4K"); break;
300 case 0x4: sprintf(retStr, "SRIX512"); break;
301 case 0x6: sprintf(retStr, "SRI512"); break;
302 case 0x7: sprintf(retStr, "SRI4K"); break;
303 case 0xC: sprintf(retStr, "SRT512"); break;
304 default : sprintf(retStr, "Unknown"); break;
305 }
306 return retStr;
307 }
308
309 // REMAKE:
310 int print_ST_Lock_info(uint8_t model){
311
312 // PrintAndLog("Chip Write Protection Bits:");
313 // // now interpret the data
314 // switch (model){
315 // case 0x0: //fall through (SRIX4K special)
316 // case 0x3: //fall through (SRIx4K)
317 // case 0x7: // (SRI4K)
318 // //only need data[3]
319 // blk1 = 9;
320 // PrintAndLog(" raw: %s", sprint_bin(data+3, 1));
321 // PrintAndLog(" 07/08:%slocked", (data[3] & 1) ? " not " : " " );
322 // for (uint8_t i = 1; i<8; i++){
323 // PrintAndLog(" %02u:%slocked", blk1, (data[3] & (1 << i)) ? " not " : " " );
324 // blk1++;
325 // }
326 // break;
327 // case 0x4: //fall through (SRIX512)
328 // case 0x6: //fall through (SRI512)
329 // case 0xC: // (SRT512)
330 // //need data[2] and data[3]
331 // blk1 = 0;
332 // PrintAndLog(" raw: %s", sprint_bin(data+2, 2));
333 // for (uint8_t b=2; b<4; b++){
334 // for (uint8_t i=0; i<8; i++){
335 // PrintAndLog(" %02u:%slocked", blk1, (data[b] & (1 << i)) ? " not " : " " );
336 // blk1++;
337 // }
338 // }
339 // break;
340 // case 0x2: // (SR176)
341 // //need data[2]
342 // blk1 = 0;
343 // PrintAndLog(" raw: %s", sprint_bin(data+2, 1));
344 // for (uint8_t i = 0; i<8; i++){
345 // PrintAndLog(" %02u/%02u:%slocked", blk1, blk1+1, (data[2] & (1 << i)) ? " " : " not " );
346 // blk1+=2;
347 // }
348 // break;
349 // default:
350 // return rawClose();
351 // }
352 return 1;
353 }
354
355 // print UID info from SRx chips (ST Microelectronics)
356 static void print_st_general_info(uint8_t *data, uint8_t len){
357 //uid = first 8 bytes in data
358 PrintAndLog(" UID: %s", sprint_hex(SwapEndian64(data,8,8), len));
359 PrintAndLog(" MFG: %02X, %s", data[6], getTagInfo(data[6]));
360 PrintAndLog("Chip: %02X, %s", data[5]>>2, get_ST_Chip_Model(data[5]>>2));
361 return;
362 }
363
364 //05 00 00 = find one tag in field
365 //1d xx xx xx xx 00 08 01 00 = attrib xx=UID (resp 10 [f9 e0])
366 //a3 = ? (resp 03 [e2 c2])
367 //02 = ? (resp 02 [6a d3])
368 // 022b (resp 02 67 00 [29 5b])
369 // 0200a40400 (resp 02 67 00 [29 5b])
370 // 0200a4040c07a0000002480300 (resp 02 67 00 [29 5b])
371 // 0200a4040c07a0000002480200 (resp 02 67 00 [29 5b])
372 // 0200a4040006a0000000010100 (resp 02 6a 82 [4b 4c])
373 // 0200a4040c09d27600002545500200 (resp 02 67 00 [29 5b])
374 // 0200a404000cd2760001354b414e4d30310000 (resp 02 6a 82 [4b 4c])
375 // 0200a404000ca000000063504b43532d313500 (resp 02 6a 82 [4b 4c])
376 // 0200a4040010a000000018300301000000000000000000 (resp 02 6a 82 [4b 4c])
377 //03 = ? (resp 03 [e3 c2])
378 //c2 = ? (resp c2 [66 15])
379 //b2 = ? (resp a3 [e9 67])
380 //a2 = ? (resp 02 [6a d3])
381
382 // 14b get and print Full Info (as much as we know)
383 bool HF14B_Std_Info(bool verbose){
384 //add more info here
385 return FALSE;
386 }
387
388 // SRx get and print full info (needs more info...)
389 bool HF14B_ST_Info(bool verbose){
390
391 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT | ISO14B_SELECT_SR | ISO14B_DISCONNECT, 0, 0}};
392 clearCommandBuffer();
393 SendCommand(&c);
394 UsbCommand resp;
395
396 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
397 if (verbose) PrintAndLog("timeout while waiting for reply.");
398 return FALSE;
399 }
400
401 iso14b_card_select_t card;
402 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
403
404 uint64_t status = resp.arg[0];
405 if ( status > 0 ) return switch_off_field_14b();
406
407 //add locking bit information here. uint8_t data[16] = {0x00};
408 // uint8_t datalen = 2;
409 // uint8_t resplen;
410 // uint8_t blk1;
411 // data[0] = 0x08;
412
413 //
414 // if (model == 0x2) { //SR176 has special command:
415 // data[1] = 0xf;
416 // resplen = 4;
417 // } else {
418 // data[1] = 0xff;
419 // resplen = 6;
420 // }
421
422 // //std read cmd
423 // if (HF14BCmdRaw(true, true, data, &datalen, false)==0)
424 // return rawClose();
425
426 // if (datalen != resplen || !crc) return rawClose();
427 //print_ST_Lock_info(data[5]>>2);
428 switch_off_field_14b();
429 return TRUE;
430 }
431
432 // get and print all info known about any known 14b tag
433 bool HF14BInfo(bool verbose){
434
435 // try std 14b (atqb)
436 if (HF14B_Std_Info(verbose)) return TRUE;
437
438 // try st 14b
439 if (HF14B_ST_Info(verbose)) return TRUE;
440
441 // try unknown 14b read commands (to be identified later)
442 // could be read of calypso, CEPAS, moneo, or pico pass.
443
444 if (verbose) PrintAndLog("no 14443B tag found");
445 return FALSE;
446 }
447
448 // menu command to get and print all info known about any known 14b tag
449 int CmdHF14Binfo(const char *Cmd){
450 char cmdp = param_getchar(Cmd, 0);
451 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_info();
452
453 bool verbose = !((cmdp == 's') || (cmdp == 'S'));
454 return HF14BInfo(verbose);
455 }
456
457 bool HF14B_ST_Reader(bool verbose){
458
459 bool isSuccess = FALSE;
460
461 switch_on_field_14b();
462
463 // SRx get and print general info about SRx chip from UID
464 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_SELECT_SR, 0, 0}};
465 clearCommandBuffer();
466 SendCommand(&c);
467 UsbCommand resp;
468 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
469 if (verbose) PrintAndLog("timeout while waiting for reply.");
470 return FALSE;
471 }
472
473 iso14b_card_select_t card;
474 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
475
476 uint64_t status = resp.arg[0];
477
478 switch( status ){
479 case 0:
480 print_st_general_info(card.uid, card.uidlen);
481 isSuccess = TRUE;
482 break;
483 case 1:
484 if (verbose) PrintAndLog("iso14443-3 random chip id fail");
485 break;
486 case 2:
487 if (verbose) PrintAndLog("iso14443-3 ATTRIB fail");
488 break;
489 case 3:
490 if (verbose) PrintAndLog("iso14443-3 CRC fail");
491 break;
492 default:
493 if (verbose) PrintAndLog("iso14443b card select SRx failed");
494 break;
495 }
496
497 switch_off_field_14b();
498 return isSuccess;
499 }
500
501 bool HF14B_Std_Reader(bool verbose){
502
503 bool isSuccess = FALSE;
504
505 // 14b get and print UID only (general info)
506 UsbCommand c = {CMD_ISO_14443B_COMMAND, {ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_DISCONNECT, 0, 0}};
507 clearCommandBuffer();
508 SendCommand(&c);
509 UsbCommand resp;
510
511 if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
512 if (verbose) PrintAndLog("timeout while waiting for reply.");
513 return FALSE;
514 }
515
516 iso14b_card_select_t card;
517 memcpy(&card, (iso14b_card_select_t *)resp.d.asBytes, sizeof(iso14b_card_select_t));
518
519 uint64_t status = resp.arg[0];
520
521 switch( status ){
522 case 0:
523 PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
524 PrintAndLog(" ATQB : %s", sprint_hex(card.atqb, sizeof(card.atqb)));
525 PrintAndLog(" CHIPID : %02X", card.chipid);
526 print_atqb_resp(card.atqb, card.cid);
527 isSuccess = TRUE;
528 break;
529 case 2:
530 if (verbose) PrintAndLog("iso14443-3 ATTRIB fail");
531 break;
532 case 3:
533 if (verbose) PrintAndLog("iso14443-3 CRC fail");
534 break;
535 default:
536 if (verbose) PrintAndLog("iso14443b card select failed");
537 break;
538 }
539
540 switch_off_field_14b();
541 return isSuccess;
542 }
543
544 // test for other 14b type tags (mimic another reader - don't have tags to identify)
545 bool HF14B_Other_Reader(){
546
547 // uint8_t data[] = {0x00, 0x0b, 0x3f, 0x80};
548 // uint8_t datalen = 4;
549
550 // // 14b get and print UID only (general info)
551 // uint32_t flags = ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_RAW | ISO14B_APPEND_CRC;
552
553 // UsbCommand c = {CMD_ISO_14443B_COMMAND, {flags, datalen, 0}};
554 // memcpy(c.d.asBytes, data, datalen);
555
556 // clearCommandBuffer();
557 // SendCommand(&c);
558 // UsbCommand resp;
559 // WaitForResponse(CMD_ACK,&resp);
560
561 // if (datalen > 2 ) {
562 // printandlog ("\n14443-3b tag found:");
563 // printandlog ("unknown tag type answered to a 0x000b3f80 command ans:");
564 // //printandlog ("%s", sprint_hex(data, datalen));
565 // rawclose();
566 // return true;
567 // }
568
569 // c.arg1 = 1;
570 // c.d.asBytes[0] = ISO14443B_AUTHENTICATE;
571 // clearCommandBuffer();
572 // SendCommand(&c);
573 // UsbCommand resp;
574 // WaitForResponse(CMD_ACK, &resp);
575
576 // if (datalen > 0) {
577 // PrintAndLog ("\n14443-3b tag found:");
578 // PrintAndLog ("Unknown tag type answered to a 0x0A command ans:");
579 // // PrintAndLog ("%s", sprint_hex(data, datalen));
580 // rawClose();
581 // return TRUE;
582 // }
583
584 // c.arg1 = 1;
585 // c.d.asBytes[0] = ISO14443B_RESET;
586 // clearCommandBuffer();
587 // SendCommand(&c);
588 // UsbCommand resp;
589 // WaitForResponse(CMD_ACK, &resp);
590
591 // if (datalen > 0) {
592 // PrintAndLog ("\n14443-3b tag found:");
593 // PrintAndLog ("Unknown tag type answered to a 0x0C command ans:");
594 // PrintAndLog ("%s", sprint_hex(data, datalen));
595 // rawClose();
596 // return TRUE;
597 // }
598
599 // rawClose();
600 return FALSE;
601 }
602
603 // get and print general info about all known 14b chips
604 bool HF14BReader(bool verbose){
605
606 // try std 14b (atqb)
607 if (HF14B_Std_Reader(verbose)) return TRUE;
608
609 // try ST Microelectronics 14b
610 if (HF14B_ST_Reader(verbose)) return TRUE;
611
612 // try unknown 14b read commands (to be identified later)
613 // could be read of calypso, CEPAS, moneo, or pico pass.
614 if (HF14B_Other_Reader()) return TRUE;
615
616 if (verbose) PrintAndLog("no 14443B tag found");
617 return FALSE;
618 }
619
620 // menu command to get and print general info about all known 14b chips
621 int CmdHF14BReader(const char *Cmd){
622 char cmdp = param_getchar(Cmd, 0);
623 if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_reader();
624
625 bool verbose = !((cmdp == 's') || (cmdp == 'S'));
626 return HF14BReader(verbose);
627 }
628
629 /* New command to read the contents of a SRI512|SRIX4K tag
630 * SRI* tags are ISO14443-B modulated memory tags,
631 * this command just dumps the contents of the memory/
632 */
633 int CmdHF14BReadSri(const char *Cmd){
634 char cmdp = param_getchar(Cmd, 0);
635 if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') return usage_hf_14b_read_srx();
636
637 uint8_t tagtype = param_get8(Cmd, 0);
638 uint8_t blocks = (tagtype == 1) ? 0x7F : 0x0F;
639
640 UsbCommand c = {CMD_READ_SRI_TAG, {blocks, 0, 0}};
641 clearCommandBuffer();
642 SendCommand(&c);
643 return 0;
644 }
645 // New command to write a SRI512/SRIX4K tag.
646 int CmdHF14BWriteSri(const char *Cmd){
647 /*
648 * For SRIX4K blocks 00 - 7F
649 * hf 14b raw -c -p 09 $srix4kwblock $srix4kwdata
650 *
651 * For SR512 blocks 00 - 0F
652 * hf 14b raw -c -p 09 $sr512wblock $sr512wdata
653 *
654 * Special block FF = otp_lock_reg block.
655 * Data len 4 bytes-
656 */
657 char cmdp = param_getchar(Cmd, 0);
658 uint8_t blockno = -1;
659 uint8_t data[4] = {0x00};
660 bool isSrix4k = true;
661 char str[30];
662 memset(str, 0x00, sizeof(str));
663
664 if (strlen(Cmd) < 1 || cmdp == 'h' || cmdp == 'H') return usage_hf_14b_write_srx();
665
666 if ( cmdp == '2' )
667 isSrix4k = false;
668
669 //blockno = param_get8(Cmd, 1);
670
671 if ( param_gethex(Cmd, 1, &blockno, 2) ) {
672 PrintAndLog("Block number must include 2 HEX symbols");
673 return 0;
674 }
675
676 if ( isSrix4k ){
677 if ( blockno > 0x7f && blockno != 0xff ){
678 PrintAndLog("Block number out of range");
679 return 0;
680 }
681 } else {
682 if ( blockno > 0x0f && blockno != 0xff ){
683 PrintAndLog("Block number out of range");
684 return 0;
685 }
686 }
687
688 if (param_gethex(Cmd, 2, data, 8)) {
689 PrintAndLog("Data must include 8 HEX symbols");
690 return 0;
691 }
692
693 if ( blockno == 0xff) {
694 PrintAndLog("[%s] Write special block %02X [ %s ]",
695 (isSrix4k) ? "SRIX4K":"SRI512",
696 blockno,
697 sprint_hex(data,4)
698 );
699 } else {
700 PrintAndLog("[%s] Write block %02X [ %s ]",
701 (isSrix4k) ? "SRIX4K":"SRI512",
702 blockno,
703 sprint_hex(data,4)
704 );
705 }
706
707 sprintf(str, "-ss -c %02x %02x %02x%02x%02x%02x", ISO14443B_WRITE_BLK, blockno, data[0], data[1], data[2], data[3]);
708 CmdHF14BCmdRaw(str);
709 return 0;
710 }
711
712 uint32_t srix4kEncode(uint32_t value) {
713 /*
714 // vv = value
715 // pp = position
716 // vv vv vv pp
717 4 bytes : 00 1A 20 01
718 */
719 // only the lower crumbs.
720 uint8_t block = (value & 0xFF);
721 uint8_t i = 0;
722 uint8_t valuebytes[] = {0,0,0};
723
724 num_to_bytes(value, 3, valuebytes);
725
726 // Scrambled part
727 // Crumb swapping of value.
728 uint8_t temp[] = {0,0};
729 temp[0] = (CRUMB(value, 22) << 4 | CRUMB(value, 14 ) << 2 | CRUMB(value, 6)) << 4;
730 temp[0] |= CRUMB(value, 20) << 4 | CRUMB(value, 12 ) << 2 | CRUMB(value, 4);
731 temp[1] = (CRUMB(value, 18) << 4 | CRUMB(value, 10 ) << 2 | CRUMB(value, 2)) << 4;
732 temp[1] |= CRUMB(value, 16) << 4 | CRUMB(value, 8 ) << 2 | CRUMB(value, 0);
733
734 // chksum part
735 uint32_t chksum = 0xFF - block;
736
737 // chksum is reduced by each nibbles of value.
738 for (i = 0; i < 3; ++i){
739 chksum -= NIBBLE_HIGH(valuebytes[i]);
740 chksum -= NIBBLE_LOW(valuebytes[i]);
741 }
742
743 // base4 conversion and left shift twice
744 i = 3;
745 uint8_t base4[] = {0,0,0,0};
746 while( chksum !=0 ){
747 base4[i--] = (chksum % 4 << 2);
748 chksum /= 4;
749 }
750
751 // merge scambled and chksum parts
752 uint32_t encvalue =
753 ( NIBBLE_LOW ( base4[0]) << 28 ) |
754 ( NIBBLE_HIGH( temp[0]) << 24 ) |
755
756 ( NIBBLE_LOW ( base4[1]) << 20 ) |
757 ( NIBBLE_LOW ( temp[0]) << 16 ) |
758
759 ( NIBBLE_LOW ( base4[2]) << 12 ) |
760 ( NIBBLE_HIGH( temp[1]) << 8 ) |
761
762 ( NIBBLE_LOW ( base4[3]) << 4 ) |
763 NIBBLE_LOW ( temp[1] );
764
765 PrintAndLog("ICE encoded | %08X -> %08X", value, encvalue);
766 return encvalue;
767 }
768 uint32_t srix4kDecode(uint32_t value) {
769 switch(value) {
770 case 0xC04F42C5: return 0x003139;
771 case 0xC1484807: return 0x002943;
772 case 0xC0C60848: return 0x001A20;
773 }
774 return 0;
775 }
776 uint32_t srix4kDecodeCounter(uint32_t num) {
777 uint32_t value = ~num;
778 ++value;
779 return value;
780 }
781
782 uint32_t srix4kGetMagicbytes( uint64_t uid, uint32_t block6, uint32_t block18, uint32_t block19 ){
783 #define MASK 0xFFFFFFFF;
784 uint32_t uid32 = uid & MASK;
785 uint32_t counter = srix4kDecodeCounter(block6);
786 uint32_t decodedBlock18 = srix4kDecode(block18);
787 uint32_t decodedBlock19 = srix4kDecode(block19);
788 uint32_t doubleBlock = (decodedBlock18 << 16 | decodedBlock19) + 1;
789
790 uint32_t result = (uid32 * doubleBlock * counter) & MASK;
791 PrintAndLog("Magic bytes | %08X", result);
792 return result;
793 }
794 int srix4kValid(const char *Cmd){
795
796 uint64_t uid = 0xD00202501A4532F9;
797 uint32_t block6 = 0xFFFFFFFF;
798 uint32_t block18 = 0xC04F42C5;
799 uint32_t block19 = 0xC1484807;
800 uint32_t block21 = 0xD1BCABA4;
801
802 uint32_t test_b18 = 0x00313918;
803 uint32_t test_b18_enc = srix4kEncode(test_b18);
804 //uint32_t test_b18_dec = srix4kDecode(test_b18_enc);
805 PrintAndLog("ENCODE & CHECKSUM | %08X -> %08X (%s)", test_b18, test_b18_enc , "");
806
807 uint32_t magic = srix4kGetMagicbytes(uid, block6, block18, block19);
808 PrintAndLog("BLOCK 21 | %08X -> %08X (no XOR)", block21, magic ^ block21);
809 return 0;
810 }
811
812 int CmdteaSelfTest(const char *Cmd){
813
814 uint8_t v[8], v_le[8];
815 memset(v, 0x00, sizeof(v));
816 memset(v_le, 0x00, sizeof(v_le));
817 uint8_t* v_ptr = v_le;
818
819 uint8_t cmdlen = strlen(Cmd);
820 cmdlen = ( sizeof(v)<<2 < cmdlen ) ? sizeof(v)<<2 : cmdlen;
821
822 if ( param_gethex(Cmd, 0, v, cmdlen) > 0 ){
823 PrintAndLog("can't read hex chars, uneven? :: %u", cmdlen);
824 return 1;
825 }
826
827 SwapEndian64ex(v , 8, 4, v_ptr);
828
829 // ENCRYPTION KEY:
830 uint8_t key[16] = {0x55,0xFE,0xF6,0x30,0x62,0xBF,0x0B,0xC1,0xC9,0xB3,0x7C,0x34,0x97,0x3E,0x29,0xFB };
831 uint8_t keyle[16];
832 uint8_t* key_ptr = keyle;
833 SwapEndian64ex(key , sizeof(key), 4, key_ptr);
834
835 PrintAndLog("TEST LE enc| %s", sprint_hex(v_ptr, 8));
836
837 tea_decrypt(v_ptr, key_ptr);
838 PrintAndLog("TEST LE dec | %s", sprint_hex_ascii(v_ptr, 8));
839
840 tea_encrypt(v_ptr, key_ptr);
841 tea_encrypt(v_ptr, key_ptr);
842 PrintAndLog("TEST enc2 | %s", sprint_hex_ascii(v_ptr, 8));
843
844 return 0;
845 }
846
847 bool waitCmd(bool verbose) {
848
849 bool crc = FALSE;
850 uint8_t b1 = 0, b2 = 0;
851 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
852 uint8_t status = 0;
853 uint16_t len = 0;
854 UsbCommand resp;
855
856 if (WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) {
857
858 status = (resp.arg[0] & 0xFF);
859 if ( status > 0 ) return FALSE;
860
861 len = (resp.arg[1] & 0xFFFF);
862
863 memcpy(data, resp.d.asBytes, len);
864
865 if (verbose) {
866 if ( len >= 3 ) {
867 ComputeCrc14443(CRC_14443_B, data, len-2, &b1, &b2);
868 crc = ( data[len-2] == b1 && data[len-1] == b2);
869
870 PrintAndLog("[LEN %u] %s[%02X %02X] %s",
871 len,
872 sprint_hex(data, len-2),
873 data[len-2],
874 data[len-1],
875 (crc) ? "OK" : "FAIL"
876 );
877 } else {
878 PrintAndLog("[LEN %u] %s", len, sprint_hex(data, len) );
879 }
880 }
881 return TRUE;
882 } else {
883 PrintAndLog("timeout while waiting for reply.");
884 return FALSE;
885 }
886 }
887
888 static command_t CommandTable[] = {
889 {"help", CmdHelp, 1, "This help"},
890 {"info", CmdHF14Binfo, 0, "Find and print details about a 14443B tag"},
891 {"list", CmdHF14BList, 0, "[Deprecated] List ISO 14443B history"},
892 {"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"},
893 {"reader", CmdHF14BReader, 0, "Act as a 14443B reader to identify a tag"},
894 {"sim", CmdHF14BSim, 0, "Fake ISO 14443B tag"},
895 {"snoop", CmdHF14BSnoop, 0, "Eavesdrop ISO 14443B"},
896 {"sriread", CmdHF14BReadSri, 0, "Read contents of a SRI512 | SRIX4K tag"},
897 {"sriwrite", CmdHF14BWriteSri, 0, "Write data to a SRI512 | SRIX4K tag"},
898 //{"valid", srix4kValid, 1, "srix4k checksum test"},
899 //{"valid", CmdteaSelfTest, 1, "tea test"},
900 {NULL, NULL, 0, NULL}
901 };
902
903 int CmdHF14B(const char *Cmd) {
904 clearCommandBuffer();
905 CmdsParse(CommandTable, Cmd);
906 return 0;
907 }
908
909 int CmdHelp(const char *Cmd) {
910 CmdsHelp(CommandTable);
911 return 0;
912 }
Proxmark3 GIT tracking
Impressum, Datenschutz