]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaresniff.c
More work on iclass simulation attack
[proxmark3-svn] / armsrc / mifaresniff.c
1 //-----------------------------------------------------------------------------
2 // Merlok - 2012
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support mifare classic sniffer.
9 //-----------------------------------------------------------------------------
10
11 #include "mifaresniff.h"
12 #include "apps.h"
13
14 static int sniffState = SNF_INIT;
15 static uint8_t sniffUIDType;
16 static uint8_t sniffUID[8];
17 static uint8_t sniffATQA[2];
18 static uint8_t sniffSAK;
19 static uint8_t sniffBuf[16];
20 static uint32_t timerData = 0;
21
22
23 bool MfSniffInit(void){
24 memset(sniffUID, 0x00, 8);
25 memset(sniffATQA, 0x00, 2);
26 sniffSAK = 0;
27 sniffUIDType = SNF_UID_4;
28
29 return FALSE;
30 }
31
32 bool MfSniffEnd(void){
33 LED_B_ON();
34 cmd_send(CMD_ACK,0,0,0,0,0);
35 LED_B_OFF();
36
37 return FALSE;
38 }
39
40 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader) {
41
42 if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader
43 sniffState = SNF_INIT;
44 }
45
46 switch (sniffState) {
47 case SNF_INIT:{
48 if ((len == 1) && (reader) && (bitCnt == 7) ) { // REQA or WUPA from reader
49 sniffUIDType = SNF_UID_4;
50 memset(sniffUID, 0x00, 8);
51 memset(sniffATQA, 0x00, 2);
52 sniffSAK = 0;
53 sniffState = SNF_WUPREQ;
54 }
55 break;
56 }
57 case SNF_WUPREQ:{
58 if ((!reader) && (len == 2)) { // ATQA from tag
59 memcpy(sniffATQA, data, 2);
60 sniffState = SNF_ATQA;
61 }
62 break;
63 }
64 case SNF_ATQA:{
65 if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { // Select ALL from reader
66 sniffState = SNF_ANTICOL1;
67 }
68 break;
69 }
70 case SNF_ANTICOL1:{
71 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // UID from tag (CL1)
72 memcpy(sniffUID + 3, data, 4);
73 sniffState = SNF_UID1;
74 }
75 break;
76 }
77 case SNF_UID1:{
78 if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 4 Byte UID from reader
79 sniffState = SNF_SAK;
80 }
81 break;
82 }
83 case SNF_SAK:{
84 if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
85 sniffSAK = data[0];
86 if (sniffUID[3] == 0x88) { // CL2 UID part to be expected
87 sniffState = SNF_ANTICOL2;
88 } else { // select completed
89 sniffState = SNF_CARD_IDLE;
90 }
91 }
92 break;
93 }
94 case SNF_ANTICOL2:{
95 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // CL2 UID
96 memcpy(sniffUID, sniffUID+4, 3);
97 memcpy(sniffUID+3, data, 4);
98 sniffUIDType = SNF_UID_7;
99 sniffState = SNF_UID2;
100 }
101 break;
102 }
103 case SNF_UID2:{
104 if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 2nd part of 7 Byte UID
105 sniffState = SNF_SAK;
106 }
107 break;
108 }
109 case SNF_CARD_IDLE:{ // trace the card select sequence
110 sniffBuf[0] = 0xFF;
111 sniffBuf[1] = 0xFF;
112 memcpy(sniffBuf + 2, sniffUID, 7);
113 memcpy(sniffBuf + 9, sniffATQA, 2);
114 sniffBuf[11] = sniffSAK;
115 sniffBuf[12] = 0xFF;
116 sniffBuf[13] = 0xFF;
117 LogTrace(sniffBuf, 14, 0, parity, true);
118 } // intentionally no break;
119 case SNF_CARD_CMD:{
120 LogTrace(data, len, 0, parity, true);
121 sniffState = SNF_CARD_RESP;
122 timerData = GetTickCount();
123 break;
124 }
125 case SNF_CARD_RESP:{
126 LogTrace(data, len, 0, parity, false);
127 sniffState = SNF_CARD_CMD;
128 timerData = GetTickCount();
129 break;
130 }
131
132 default:
133 sniffState = SNF_INIT;
134 break;
135 }
136
137
138 return FALSE;
139 }
140
141 bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
142 if (traceLen && (GetTickCount() > timerData + maxTimeoutMs)) {
143 return intMfSniffSend();
144 }
145 return FALSE;
146 }
147
148 // internal sending function. not a RAMFUNC.
149 bool intMfSniffSend() {
150
151 int pckSize = 0;
152 int pckLen = traceLen;
153 int pckNum = 0;
154
155 FpgaDisableSscDma();
156 while (pckLen > 0) {
157 pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
158 LED_B_ON();
159 cmd_send(CMD_ACK, 1, pckSize, pckNum, trace + traceLen - pckLen, pckSize);
160 LED_B_OFF();
161
162 pckLen -= pckSize;
163 pckNum++;
164 }
165
166 LED_B_ON();
167 cmd_send(CMD_ACK,2,0,0,0,0);
168 LED_B_OFF();
169
170 iso14a_clear_trace();
171
172 return TRUE;
173 }
Impressum, Datenschutz