1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
16 #include "mifarecmd.h"
23 #define HARDNESTED_AUTHENTICATION_TIMEOUT 848 // card times out 1ms after wrong authentication (according to NXP documentation)
24 #define HARDNESTED_PRE_AUTHENTICATION_LEADTIME 400 // some (non standard) cards need a pause after select before they are ready for first authentication
26 // the block number for the ISO14443-4 PCB
27 static uint8_t pcb_blocknum
= 0;
28 // Deselect card by sending a s-block. the crc is precalced for speed
29 static uint8_t deselect_cmd
[] = {0xc2,0xe0,0xb4};
31 //-----------------------------------------------------------------------------
32 // Select, Authenticate, Read a MIFARE tag.
34 //-----------------------------------------------------------------------------
35 void MifareReadBlock(uint8_t arg0
, uint8_t arg1
, uint8_t arg2
, uint8_t *datain
)
38 uint8_t blockNo
= arg0
;
39 uint8_t keyType
= arg1
;
41 ui64Key
= bytes_to_num(datain
, 6);
45 byte_t dataoutbuf
[16];
48 struct Crypto1State mpcs
= {0, 0};
49 struct Crypto1State
*pcs
;
52 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
61 if(!iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true)) {
62 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
66 if(mifare_classic_auth(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
)) {
67 if (MF_DBGLEVEL
>= 1) Dbprintf("Auth error");
71 if(mifare_classic_readblock(pcs
, cuid
, blockNo
, dataoutbuf
)) {
72 if (MF_DBGLEVEL
>= 1) Dbprintf("Read block error");
76 if(mifare_classic_halt(pcs
, cuid
)) {
77 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
85 // ----------------------------- crypto1 destroy
88 if (MF_DBGLEVEL
>= 2) DbpString("READ BLOCK FINISHED");
91 cmd_send(CMD_ACK
,isOK
,0,0,dataoutbuf
,16);
94 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
98 void MifareUC_Auth(uint8_t arg0
, uint8_t *keybytes
){
100 bool turnOffField
= (arg0
== 1);
102 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
104 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
108 if(!iso14443a_select_card(NULL
, NULL
, NULL
, true, 0, true)) {
109 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Can't select card");
114 if(!mifare_ultra_auth(keybytes
)){
115 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Authentication failed");
121 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
124 cmd_send(CMD_ACK
,1,0,0,0,0);
128 // Arg1 = UsePwd bool
129 // datain = PWD bytes,
130 void MifareUReadBlock(uint8_t arg0
, uint8_t arg1
, uint8_t *datain
)
132 uint8_t blockNo
= arg0
;
133 byte_t dataout
[16] = {0x00};
134 bool useKey
= (arg1
== 1); //UL_C
135 bool usePwd
= (arg1
== 2); //UL_EV1/NTAG
139 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
143 int len
= iso14443a_select_card(NULL
, NULL
, NULL
, true, 0, true);
145 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Can't select card (RC:%02X)",len
);
150 // UL-C authentication
152 uint8_t key
[16] = {0x00};
153 memcpy(key
, datain
, sizeof(key
) );
155 if ( !mifare_ultra_auth(key
) ) {
161 // UL-EV1 / NTAG authentication
163 uint8_t pwd
[4] = {0x00};
164 memcpy(pwd
, datain
, 4);
165 uint8_t pack
[4] = {0,0,0,0};
166 if (!mifare_ul_ev1_auth(pwd
, pack
)) {
172 if( mifare_ultra_readblock(blockNo
, dataout
) ) {
173 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Read block error");
178 if( mifare_ultra_halt() ) {
179 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Halt error");
184 cmd_send(CMD_ACK
,1,0,0,dataout
,16);
185 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
189 //-----------------------------------------------------------------------------
190 // Select, Authenticate, Read a MIFARE tag.
191 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
192 //-----------------------------------------------------------------------------
193 void MifareReadSector(uint8_t arg0
, uint8_t arg1
, uint8_t arg2
, uint8_t *datain
)
196 uint8_t sectorNo
= arg0
;
197 uint8_t keyType
= arg1
;
198 uint64_t ui64Key
= 0;
199 ui64Key
= bytes_to_num(datain
, 6);
203 byte_t dataoutbuf
[16 * 16];
206 struct Crypto1State mpcs
= {0, 0};
207 struct Crypto1State
*pcs
;
210 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
219 if(!iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true)) {
221 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
225 if(isOK
&& mifare_classic_auth(pcs
, cuid
, FirstBlockOfSector(sectorNo
), keyType
, ui64Key
, AUTH_FIRST
)) {
227 if (MF_DBGLEVEL
>= 1) Dbprintf("Auth error");
230 for (uint8_t blockNo
= 0; isOK
&& blockNo
< NumBlocksPerSector(sectorNo
); blockNo
++) {
231 if(mifare_classic_readblock(pcs
, cuid
, FirstBlockOfSector(sectorNo
) + blockNo
, dataoutbuf
+ 16 * blockNo
)) {
233 if (MF_DBGLEVEL
>= 1) Dbprintf("Read sector %2d block %2d error", sectorNo
, blockNo
);
238 if(mifare_classic_halt(pcs
, cuid
)) {
239 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
242 // ----------------------------- crypto1 destroy
243 crypto1_destroy(pcs
);
245 if (MF_DBGLEVEL
>= 2) DbpString("READ SECTOR FINISHED");
248 cmd_send(CMD_ACK
,isOK
,0,0,dataoutbuf
,16*NumBlocksPerSector(sectorNo
));
252 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
256 // arg0 = blockNo (start)
257 // arg1 = Pages (number of blocks)
259 // datain = KEY bytes
260 void MifareUReadCard(uint8_t arg0
, uint16_t arg1
, uint8_t arg2
, uint8_t *datain
)
264 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
266 // free eventually allocated BigBuf memory
271 uint8_t blockNo
= arg0
;
272 uint16_t blocks
= arg1
;
273 bool useKey
= (arg2
== 1); //UL_C
274 bool usePwd
= (arg2
== 2); //UL_EV1/NTAG
275 uint32_t countblocks
= 0;
276 uint8_t *dataout
= BigBuf_malloc(CARD_MEMORY_SIZE
);
277 if (dataout
== NULL
){
278 Dbprintf("out of memory");
283 int len
= iso14443a_select_card(NULL
, NULL
, NULL
, true, 0, true);
285 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Can't select card (RC:%d)",len
);
290 // UL-C authentication
292 uint8_t key
[16] = {0x00};
293 memcpy(key
, datain
, sizeof(key
) );
295 if ( !mifare_ultra_auth(key
) ) {
301 // UL-EV1 / NTAG authentication
303 uint8_t pwd
[4] = {0x00};
304 memcpy(pwd
, datain
, sizeof(pwd
));
305 uint8_t pack
[4] = {0,0,0,0};
307 if (!mifare_ul_ev1_auth(pwd
, pack
)){
313 for (int i
= 0; i
< blocks
; i
++){
314 if ((i
*4) + 4 >= CARD_MEMORY_SIZE
) {
315 Dbprintf("Data exceeds buffer!!");
319 len
= mifare_ultra_readblock(blockNo
+ i
, dataout
+ 4 * i
);
322 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Read block %d error",i
);
323 // if no blocks read - error out
328 //stop at last successful read block and return what we got
336 len
= mifare_ultra_halt();
338 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Halt error");
343 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Blocks read %d", countblocks
);
347 cmd_send(CMD_ACK
, 1, countblocks
, BigBuf_max_traceLen(), 0, 0);
348 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
353 //-----------------------------------------------------------------------------
354 // Select, Authenticate, Write a MIFARE tag.
356 //-----------------------------------------------------------------------------
357 void MifareWriteBlock(uint8_t arg0
, uint8_t arg1
, uint8_t arg2
, uint8_t *datain
)
360 uint8_t blockNo
= arg0
;
361 uint8_t keyType
= arg1
;
362 uint64_t ui64Key
= 0;
363 byte_t blockdata
[16];
365 ui64Key
= bytes_to_num(datain
, 6);
366 memcpy(blockdata
, datain
+ 10, 16);
372 struct Crypto1State mpcs
= {0, 0};
373 struct Crypto1State
*pcs
;
376 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
385 if(!iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true)) {
386 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
390 if(mifare_classic_auth(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
)) {
391 if (MF_DBGLEVEL
>= 1) Dbprintf("Auth error");
395 if(mifare_classic_writeblock(pcs
, cuid
, blockNo
, blockdata
)) {
396 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
400 if(mifare_classic_halt(pcs
, cuid
)) {
401 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
409 // ----------------------------- crypto1 destroy
410 crypto1_destroy(pcs
);
412 if (MF_DBGLEVEL
>= 2) DbpString("WRITE BLOCK FINISHED");
415 cmd_send(CMD_ACK
,isOK
,0,0,0,0);
420 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
424 /* // Command not needed but left for future testing
425 void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
427 uint8_t blockNo = arg0;
428 byte_t blockdata[16] = {0x00};
430 memcpy(blockdata, datain, 16);
432 uint8_t uid[10] = {0x00};
434 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
437 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
439 if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) {
440 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
445 if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {
446 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
450 if(mifare_ultra_halt()) {
451 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
456 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
458 cmd_send(CMD_ACK,1,0,0,0,0);
459 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
464 // Arg0 : Block to write to.
465 // Arg1 : 0 = use no authentication.
466 // 1 = use 0x1A authentication.
467 // 2 = use 0x1B authentication.
468 // datain : 4 first bytes is data to be written.
469 // : 4/16 next bytes is authentication key.
470 void MifareUWriteBlock(uint8_t arg0
, uint8_t arg1
, uint8_t *datain
)
472 uint8_t blockNo
= arg0
;
473 bool useKey
= (arg1
== 1); //UL_C
474 bool usePwd
= (arg1
== 2); //UL_EV1/NTAG
475 byte_t blockdata
[4] = {0x00};
477 memcpy(blockdata
, datain
,4);
481 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
485 if(!iso14443a_select_card(NULL
, NULL
, NULL
, true, 0, true)) {
486 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
491 // UL-C authentication
493 uint8_t key
[16] = {0x00};
494 memcpy(key
, datain
+4, sizeof(key
) );
496 if ( !mifare_ultra_auth(key
) ) {
502 // UL-EV1 / NTAG authentication
504 uint8_t pwd
[4] = {0x00};
505 memcpy(pwd
, datain
+4, 4);
506 uint8_t pack
[4] = {0,0,0,0};
507 if (!mifare_ul_ev1_auth(pwd
, pack
)) {
513 if(mifare_ultra_writeblock(blockNo
, blockdata
)) {
514 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
519 if(mifare_ultra_halt()) {
520 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
525 if (MF_DBGLEVEL
>= 2) DbpString("WRITE BLOCK FINISHED");
527 cmd_send(CMD_ACK
,1,0,0,0,0);
528 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
532 void MifareUSetPwd(uint8_t arg0
, uint8_t *datain
){
534 uint8_t pwd
[16] = {0x00};
535 byte_t blockdata
[4] = {0x00};
537 memcpy(pwd
, datain
, 16);
539 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
540 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
544 if(!iso14443a_select_card(NULL
, NULL
, NULL
, true, 0, true)) {
545 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
550 blockdata
[0] = pwd
[7];
551 blockdata
[1] = pwd
[6];
552 blockdata
[2] = pwd
[5];
553 blockdata
[3] = pwd
[4];
554 if(mifare_ultra_writeblock( 44, blockdata
)) {
555 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
560 blockdata
[0] = pwd
[3];
561 blockdata
[1] = pwd
[2];
562 blockdata
[2] = pwd
[1];
563 blockdata
[3] = pwd
[0];
564 if(mifare_ultra_writeblock( 45, blockdata
)) {
565 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
570 blockdata
[0] = pwd
[15];
571 blockdata
[1] = pwd
[14];
572 blockdata
[2] = pwd
[13];
573 blockdata
[3] = pwd
[12];
574 if(mifare_ultra_writeblock( 46, blockdata
)) {
575 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
580 blockdata
[0] = pwd
[11];
581 blockdata
[1] = pwd
[10];
582 blockdata
[2] = pwd
[9];
583 blockdata
[3] = pwd
[8];
584 if(mifare_ultra_writeblock( 47, blockdata
)) {
585 if (MF_DBGLEVEL
>= 1) Dbprintf("Write block error");
590 if(mifare_ultra_halt()) {
591 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
596 cmd_send(CMD_ACK
,1,0,0,0,0);
597 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
601 // Return 1 if the nonce is invalid else return 0
602 int valid_nonce(uint32_t Nt
, uint32_t NtEnc
, uint32_t Ks1
, uint8_t *parity
) {
603 return ((oddparity8((Nt
>> 24) & 0xFF) == ((parity
[0]) ^ oddparity8((NtEnc
>> 24) & 0xFF) ^ BIT(Ks1
,16))) & \
604 (oddparity8((Nt
>> 16) & 0xFF) == ((parity
[1]) ^ oddparity8((NtEnc
>> 16) & 0xFF) ^ BIT(Ks1
,8))) & \
605 (oddparity8((Nt
>> 8) & 0xFF) == ((parity
[2]) ^ oddparity8((NtEnc
>> 8) & 0xFF) ^ BIT(Ks1
,0)))) ? 1 : 0;
609 //-----------------------------------------------------------------------------
610 // acquire encrypted nonces in order to perform the attack described in
611 // Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
612 // Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
613 // Computer and Communications Security, 2015
614 //-----------------------------------------------------------------------------
615 void MifareAcquireEncryptedNonces(uint32_t arg0
, uint32_t arg1
, uint32_t flags
, uint8_t *datain
)
617 uint64_t ui64Key
= 0;
620 uint8_t cascade_levels
= 0;
621 struct Crypto1State mpcs
= {0, 0};
622 struct Crypto1State
*pcs
;
624 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
627 uint8_t nt_par_enc
= 0;
628 uint8_t buf
[USB_CMD_DATA_SIZE
];
631 uint8_t blockNo
= arg0
& 0xff;
632 uint8_t keyType
= (arg0
>> 8) & 0xff;
633 uint8_t targetBlockNo
= arg1
& 0xff;
634 uint8_t targetKeyType
= (arg1
>> 8) & 0xff;
635 ui64Key
= bytes_to_num(datain
, 6);
636 bool initialize
= flags
& 0x0001;
637 bool slow
= flags
& 0x0002;
638 bool field_off
= flags
& 0x0004;
644 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
651 uint16_t num_nonces
= 0;
652 bool have_uid
= false;
653 for (uint16_t i
= 0; i
<= USB_CMD_DATA_SIZE
- 9; ) {
655 // Test if the action was cancelled
662 if (!have_uid
) { // need a full select cycle to get the uid first
663 iso14a_card_select_t card_info
;
664 if(!iso14443a_select_card(uid
, &card_info
, &cuid
, true, 0, true)) {
665 if (MF_DBGLEVEL
>= 1) Dbprintf("AcquireNonces: Can't select card (ALL)");
668 switch (card_info
.uidlen
) {
669 case 4 : cascade_levels
= 1; break;
670 case 7 : cascade_levels
= 2; break;
671 case 10: cascade_levels
= 3; break;
675 } else { // no need for anticollision. We can directly select the card
676 if(!iso14443a_select_card(uid
, NULL
, NULL
, false, cascade_levels
, true)) {
677 if (MF_DBGLEVEL
>= 1) Dbprintf("AcquireNonces: Can't select card (UID)");
683 timeout
= GetCountSspClk() + HARDNESTED_PRE_AUTHENTICATION_LEADTIME
;
684 while(GetCountSspClk() < timeout
);
688 if (mifare_classic_authex(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
, &nt1
, NULL
)) {
689 if (MF_DBGLEVEL
>= 1) Dbprintf("AcquireNonces: Auth1 error");
693 // nested authentication
694 uint16_t len
= mifare_sendcmd_short(pcs
, AUTH_NESTED
, 0x60 + (targetKeyType
& 0x01), targetBlockNo
, receivedAnswer
, par_enc
, NULL
);
696 if (MF_DBGLEVEL
>= 1) Dbprintf("AcquireNonces: Auth2 error len=%d", len
);
700 // send an incomplete dummy response in order to trigger the card's authentication failure timeout
701 uint8_t dummy_answer
[1] = {0};
702 ReaderTransmit(dummy_answer
, 1, NULL
);
704 timeout
= GetCountSspClk() + HARDNESTED_AUTHENTICATION_TIMEOUT
;
707 if (num_nonces
% 2) {
708 memcpy(buf
+i
, receivedAnswer
, 4);
709 nt_par_enc
= par_enc
[0] & 0xf0;
711 nt_par_enc
|= par_enc
[0] >> 4;
712 memcpy(buf
+i
+4, receivedAnswer
, 4);
713 memcpy(buf
+i
+8, &nt_par_enc
, 1);
717 // wait for the card to become ready again
718 while(GetCountSspClk() < timeout
);
724 crypto1_destroy(pcs
);
727 cmd_send(CMD_ACK
, isOK
, cuid
, num_nonces
, buf
, sizeof(buf
));
730 if (MF_DBGLEVEL
>= 3) DbpString("AcquireEncryptedNonces finished");
733 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
739 //-----------------------------------------------------------------------------
740 // MIFARE nested authentication.
742 //-----------------------------------------------------------------------------
743 void MifareNested(uint32_t arg0
, uint32_t arg1
, uint32_t calibrate
, uint8_t *datain
)
746 uint8_t blockNo
= arg0
& 0xff;
747 uint8_t keyType
= (arg0
>> 8) & 0xff;
748 uint8_t targetBlockNo
= arg1
& 0xff;
749 uint8_t targetKeyType
= (arg1
>> 8) & 0xff;
750 uint64_t ui64Key
= 0;
752 ui64Key
= bytes_to_num(datain
, 6);
755 uint16_t rtr
, i
, j
, len
;
757 static uint16_t dmin
, dmax
;
759 uint32_t cuid
, nt1
, nt2
, nttmp
, nttest
, ks1
;
761 uint32_t target_nt
[2], target_ks
[2];
763 uint8_t par_array
[4];
765 struct Crypto1State mpcs
= {0, 0};
766 struct Crypto1State
*pcs
;
768 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
770 uint32_t auth1_time
, auth2_time
;
771 static uint16_t delta_time
;
775 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
777 // free eventually allocated BigBuf memory
780 if (calibrate
) clear_trace();
783 // statistics on nonce distance
785 #define NESTED_MAX_TRIES 12
786 uint16_t unsuccessfull_tries
= 0;
787 if (calibrate
) { // for first call only. Otherwise reuse previous calibration
795 for (rtr
= 0; rtr
< 17; rtr
++) {
797 // Test if the action was cancelled
803 // prepare next select. No need to power down the card.
804 if(mifare_classic_halt(pcs
, cuid
)) {
805 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Halt error");
810 if(!iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true)) {
811 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Can't select card");
817 if(mifare_classic_authex(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
, &nt1
, &auth1_time
)) {
818 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth1 error");
824 auth2_time
= auth1_time
+ delta_time
;
828 if(mifare_classic_authex(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_NESTED
, &nt2
, &auth2_time
)) {
829 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth2 error");
834 nttmp
= prng_successor(nt1
, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
835 for (i
= 101; i
< 1200; i
++) {
836 nttmp
= prng_successor(nttmp
, 1);
837 if (nttmp
== nt2
) break;
847 delta_time
= auth2_time
- auth1_time
+ 32; // allow some slack for proper timing
849 if (MF_DBGLEVEL
>= 3) Dbprintf("Nested: calibrating... ntdist=%d", i
);
851 unsuccessfull_tries
++;
852 if (unsuccessfull_tries
> NESTED_MAX_TRIES
) { // card isn't vulnerable to nested attack (random numbers are not predictable)
858 davg
= (davg
+ (rtr
- 1)/2) / (rtr
- 1);
860 if (MF_DBGLEVEL
>= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr
, isOK
, dmin
, dmax
, davg
, delta_time
);
868 // -------------------------------------------------------------------------------------------------
872 // get crypted nonces for target sector
873 for(i
=0; i
< 2 && !isOK
; i
++) { // look for exactly two different nonces
876 while(target_nt
[i
] == 0) { // continue until we have an unambiguous nonce
878 // prepare next select. No need to power down the card.
879 if(mifare_classic_halt(pcs
, cuid
)) {
880 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Halt error");
884 if(!iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true)) {
885 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Can't select card");
890 if(mifare_classic_authex(pcs
, cuid
, blockNo
, keyType
, ui64Key
, AUTH_FIRST
, &nt1
, &auth1_time
)) {
891 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth1 error");
895 // nested authentication
896 auth2_time
= auth1_time
+ delta_time
;
897 len
= mifare_sendcmd_short(pcs
, AUTH_NESTED
, 0x60 + (targetKeyType
& 0x01), targetBlockNo
, receivedAnswer
, par
, &auth2_time
);
899 if (MF_DBGLEVEL
>= 1) Dbprintf("Nested: Auth2 error len=%d", len
);
903 nt2
= bytes_to_num(receivedAnswer
, 4);
904 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i
+1, nt1
, nt2
, par
[0]);
906 // Parity validity check
907 for (j
= 0; j
< 4; j
++) {
908 par_array
[j
] = (oddparity8(receivedAnswer
[j
]) != ((par
[0] >> (7-j
)) & 0x01));
912 nttest
= prng_successor(nt1
, dmin
- 1);
913 for (j
= dmin
; j
< dmax
+ 1; j
++) {
914 nttest
= prng_successor(nttest
, 1);
917 if (valid_nonce(nttest
, nt2
, ks1
, par_array
)){
918 if (ncount
> 0) { // we are only interested in disambiguous nonces, try again
919 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i
+1, j
);
923 target_nt
[i
] = nttest
;
926 if (i
== 1 && target_nt
[1] == target_nt
[0]) { // we need two different nonces
928 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j
);
931 if (MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i
+1, j
);
934 if (target_nt
[i
] == 0 && j
== dmax
+1 && MF_DBGLEVEL
>= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i
+1);
940 // ----------------------------- crypto1 destroy
941 crypto1_destroy(pcs
);
943 byte_t buf
[4 + 4 * 4];
944 memcpy(buf
, &cuid
, 4);
945 memcpy(buf
+4, &target_nt
[0], 4);
946 memcpy(buf
+8, &target_ks
[0], 4);
947 memcpy(buf
+12, &target_nt
[1], 4);
948 memcpy(buf
+16, &target_ks
[1], 4);
951 cmd_send(CMD_ACK
, isOK
, 0, targetBlockNo
+ (targetKeyType
* 0x100), buf
, sizeof(buf
));
954 if (MF_DBGLEVEL
>= 3) DbpString("NESTED FINISHED");
956 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
960 //-----------------------------------------------------------------------------
961 // MIFARE check keys. key count up to 85.
963 //-----------------------------------------------------------------------------
964 void MifareChkKeys(uint16_t arg0
, uint16_t arg1
, uint8_t arg2
, uint8_t *datain
)
966 uint8_t blockNo
= arg0
& 0xff;
967 uint8_t keyType
= (arg0
>> 8) & 0xff;
968 bool clearTrace
= arg1
& 0x01;
969 bool multisectorCheck
= arg1
& 0x02;
970 uint8_t set14aTimeout
= (arg1
>> 8) & 0xff;
971 uint8_t keyCount
= arg2
;
974 int OLD_MF_DBGLEVEL
= MF_DBGLEVEL
;
975 MF_DBGLEVEL
= MF_DBG_NONE
;
980 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
982 if (clearTrace
) clear_trace();
986 iso14a_set_timeout(set14aTimeout
* 10); // timeout: ms = x/106 35-minimum, 50-OK 106-recommended 500-safe
989 if (multisectorCheck
) {
990 TKeyIndex keyIndex
= {{0}};
991 uint8_t sectorCnt
= blockNo
;
992 int res
= MifareMultisectorChk(datain
, keyCount
, sectorCnt
, keyType
, OLD_MF_DBGLEVEL
, &keyIndex
);
996 cmd_send(CMD_ACK
, 1, 0, 0, keyIndex
, 80);
998 cmd_send(CMD_ACK
, 0, 0, 0, NULL
, 0);
1002 int res
= MifareChkBlockKeys(datain
, keyCount
, blockNo
, keyType
, OLD_MF_DBGLEVEL
);
1006 cmd_send(CMD_ACK
, 1, 0, 0, datain
+ (res
- 1) * 6, 6);
1008 cmd_send(CMD_ACK
, 0, 0, 0, NULL
, 0);
1013 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1016 // restore debug level
1017 MF_DBGLEVEL
= OLD_MF_DBGLEVEL
;
1020 //-----------------------------------------------------------------------------
1021 // MIFARE commands set debug level
1023 //-----------------------------------------------------------------------------
1024 void MifareSetDbgLvl(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1026 Dbprintf("Debug level: %d", MF_DBGLEVEL
);
1029 //-----------------------------------------------------------------------------
1030 // Work with emulator memory
1032 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
1033 // involved in dealing with emulator memory. But if it is called later, it might
1034 // destroy the Emulator Memory.
1035 //-----------------------------------------------------------------------------
1037 void MifareEMemClr(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1038 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1042 void MifareEMemSet(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1043 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1044 emlSetMem(datain
, arg0
, arg1
); // data, block num, blocks count
1047 void MifareEMemGet(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1048 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1049 byte_t buf
[USB_CMD_DATA_SIZE
];
1050 emlGetMem(buf
, arg0
, arg1
); // data, block num, blocks count (max 4)
1053 cmd_send(CMD_ACK
,arg0
,arg1
,0,buf
,USB_CMD_DATA_SIZE
);
1057 //-----------------------------------------------------------------------------
1058 // Load a card into the emulator memory
1060 //-----------------------------------------------------------------------------
1061 void MifareECardLoad(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1062 uint8_t numSectors
= arg0
;
1063 uint8_t keyType
= arg1
;
1064 uint64_t ui64Key
= 0;
1066 struct Crypto1State mpcs
= {0, 0};
1067 struct Crypto1State
*pcs
;
1071 byte_t dataoutbuf
[16];
1072 byte_t dataoutbuf2
[16];
1078 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
1085 if(!iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true)) {
1087 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
1090 for (uint8_t sectorNo
= 0; isOK
&& sectorNo
< numSectors
; sectorNo
++) {
1091 ui64Key
= emlGetKey(sectorNo
, keyType
);
1093 if(isOK
&& mifare_classic_auth(pcs
, cuid
, FirstBlockOfSector(sectorNo
), keyType
, ui64Key
, AUTH_FIRST
)) {
1095 if (MF_DBGLEVEL
>= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo
);
1099 if(isOK
&& mifare_classic_auth(pcs
, cuid
, FirstBlockOfSector(sectorNo
), keyType
, ui64Key
, AUTH_NESTED
)) {
1101 if (MF_DBGLEVEL
>= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo
);
1106 for (uint8_t blockNo
= 0; isOK
&& blockNo
< NumBlocksPerSector(sectorNo
); blockNo
++) {
1107 if(isOK
&& mifare_classic_readblock(pcs
, cuid
, FirstBlockOfSector(sectorNo
) + blockNo
, dataoutbuf
)) {
1109 if (MF_DBGLEVEL
>= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo
, blockNo
);
1113 if (blockNo
< NumBlocksPerSector(sectorNo
) - 1) {
1114 emlSetMem(dataoutbuf
, FirstBlockOfSector(sectorNo
) + blockNo
, 1);
1115 } else { // sector trailer, keep the keys, set only the AC
1116 emlGetMem(dataoutbuf2
, FirstBlockOfSector(sectorNo
) + blockNo
, 1);
1117 memcpy(&dataoutbuf2
[6], &dataoutbuf
[6], 4);
1118 emlSetMem(dataoutbuf2
, FirstBlockOfSector(sectorNo
) + blockNo
, 1);
1125 if(mifare_classic_halt(pcs
, cuid
)) {
1126 if (MF_DBGLEVEL
>= 1) Dbprintf("Halt error");
1129 // ----------------------------- crypto1 destroy
1130 crypto1_destroy(pcs
);
1132 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1135 if (MF_DBGLEVEL
>= 2) DbpString("EMUL FILL SECTORS FINISHED");
1140 //-----------------------------------------------------------------------------
1141 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
1143 //-----------------------------------------------------------------------------
1145 static bool isBlockTrailer(int blockN
) {
1146 if (blockN
>= 0 && blockN
< 128) {
1147 return ((blockN
& 0x03) == 0x03);
1149 if (blockN
>= 128 && blockN
<= 256) {
1150 return ((blockN
& 0x0F) == 0x0F);
1155 void MifareCWipe(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1158 uint32_t numBlocks
= arg0
;
1160 // bit 0 - wipe gen1a
1161 // bit 1 - fill card with default data
1162 // bit 2 - gen1a = 0, gen1b = 1
1163 uint8_t cmdParams
= arg1
;
1164 bool needWipe
= cmdParams
& 0x01;
1165 bool needFill
= cmdParams
& 0x02;
1166 bool gen1b
= cmdParams
& 0x04;
1168 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
1169 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
1171 uint8_t block0
[16] = {0x01, 0x02, 0x03, 0x04, 0x04, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBE, 0xAF};
1172 uint8_t block1
[16] = {0x00};
1173 uint8_t blockK
[16] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x08, 0x77, 0x8F, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
1174 uint8_t d_block
[18] = {0x00};
1177 uint8_t wupC1
[] = { 0x40 };
1178 uint8_t wupC2
[] = { 0x43 };
1179 uint8_t wipeC
[] = { 0x41 };
1185 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
1194 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1195 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1196 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1200 ReaderTransmit(wipeC
, sizeof(wipeC
), NULL
);
1201 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1202 if (MF_DBGLEVEL
>= 1) Dbprintf("wipeC error");
1206 if(mifare_classic_halt(NULL
, 0)) {
1207 if (MF_DBGLEVEL
> 2) Dbprintf("Halt error");
1214 ReaderTransmitBitsPar(wupC1
, 7, 0, NULL
);
1216 // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)
1219 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1220 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1224 ReaderTransmit(wupC2
, sizeof(wupC2
), NULL
);
1225 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1226 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC2 error");
1231 // send blocks command
1232 for (int blockNo
= 0; blockNo
< numBlocks
; blockNo
++) {
1233 if ((mifare_sendcmd_short(NULL
, 0, 0xA0, blockNo
, receivedAnswer
, receivedAnswerPar
, NULL
) != 1) || (receivedAnswer
[0] != 0x0a)) {
1234 if (MF_DBGLEVEL
>= 1) Dbprintf("write block send command error");
1238 // check type of block and add crc
1239 if (!isBlockTrailer(blockNo
)){
1240 memcpy(d_block
, block1
, 16);
1242 memcpy(d_block
, blockK
, 16);
1245 memcpy(d_block
, block0
, 16);
1247 AppendCrc14443a(d_block
, 16);
1249 // send write command
1250 ReaderTransmit(d_block
, sizeof(d_block
), NULL
);
1251 if ((ReaderReceive(receivedAnswer
, receivedAnswerPar
) != 1) || (receivedAnswer
[0] != 0x0a)) {
1252 if (MF_DBGLEVEL
>= 1) Dbprintf("write block send data error");
1258 // do no issue halt command for gen1b
1260 if (mifare_classic_halt(NULL
, 0)) {
1261 if (MF_DBGLEVEL
> 2) Dbprintf("Halt error");
1269 // send USB response
1271 cmd_send(CMD_ACK
,isOK
,0,0,NULL
,0);
1275 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1281 void MifareCSetBlock(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
1284 uint8_t needWipe
= arg0
;
1285 // bit 0 - need get UID
1286 // bit 1 - need wupC
1287 // bit 2 - need HALT after sequence
1288 // bit 3 - need init FPGA and field before sequence
1289 // bit 4 - need reset FPGA and LED
1290 // bit 6 - gen1b backdoor type
1291 uint8_t workFlags
= arg1
;
1292 uint8_t blockNo
= arg2
;
1295 uint8_t wupC1
[] = { 0x40 };
1296 uint8_t wupC2
[] = { 0x43 };
1297 uint8_t wipeC
[] = { 0x41 };
1301 uint8_t uid
[10] = {0x00};
1302 uint8_t d_block
[18] = {0x00};
1305 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
1306 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
1308 // reset FPGA and LED
1309 if (workFlags
& 0x08) {
1313 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
1321 // get UID from chip
1322 if (workFlags
& 0x01) {
1323 if(!iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true)) {
1324 if (MF_DBGLEVEL
>= 1) Dbprintf("Can't select card");
1325 // Continue, if we set wrong UID or wrong UID checksum or some ATQA or SAK we will can't select card. But we need to write block 0 to make card work.
1329 if(mifare_classic_halt(NULL
, cuid
)) {
1330 if (MF_DBGLEVEL
> 2) Dbprintf("Halt error");
1331 // Continue, some magic tags misbehavies and send an answer to it.
1337 // Wipe command don't work with gen1b
1338 if (needWipe
&& !(workFlags
& 0x40)){
1339 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1340 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1341 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1345 ReaderTransmit(wipeC
, sizeof(wipeC
), NULL
);
1346 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1347 if (MF_DBGLEVEL
>= 1) Dbprintf("wipeC error");
1351 if(mifare_classic_halt(NULL
, 0)) {
1352 if (MF_DBGLEVEL
> 2) Dbprintf("Halt error");
1353 // Continue, some magic tags misbehavies and send an answer to it.
1359 if (workFlags
& 0x02) {
1360 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1362 // gen1b magic tag : do no issue wupC2 and don't expect 0x0a response after SELECT_UID (after getting UID from chip in 'hf mf csetuid' command)
1363 if (!(workFlags
& 0x40)) {
1365 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1366 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1370 ReaderTransmit(wupC2
, sizeof(wupC2
), NULL
);
1371 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1372 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC2 error");
1378 if ((mifare_sendcmd_short(NULL
, 0, 0xA0, blockNo
, receivedAnswer
, receivedAnswerPar
, NULL
) != 1) || (receivedAnswer
[0] != 0x0a)) {
1379 if (MF_DBGLEVEL
>= 1) Dbprintf("write block send command error");
1383 memcpy(d_block
, datain
, 16);
1384 AppendCrc14443a(d_block
, 16);
1386 ReaderTransmit(d_block
, sizeof(d_block
), NULL
);
1387 if ((ReaderReceive(receivedAnswer
, receivedAnswerPar
) != 1) || (receivedAnswer
[0] != 0x0a)) {
1388 if (MF_DBGLEVEL
>= 1) Dbprintf("write block send data error");
1392 if (workFlags
& 0x04) {
1393 // do no issue halt command for gen1b magic tag (#db# halt error. response len: 1)
1394 if (!(workFlags
& 0x40)) {
1395 if (mifare_classic_halt(NULL
, 0)) {
1396 if (MF_DBGLEVEL
> 2) Dbprintf("Halt error");
1397 // Continue, some magic tags misbehavies and send an answer to it.
1408 cmd_send(CMD_ACK
,isOK
,0,0,uid
,4);
1411 if ((workFlags
& 0x10) || (!isOK
)) {
1412 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1418 void MifareCGetBlock(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
){
// Read one block from a "magic" (backdoor) MIFARE Classic card.
// Depending on workFlags this: brings up the FPGA/field, runs the wupC1/wupC2
// backdoor wake-up, issues a READ (0x30) of blockNo, optionally HALTs, and then
// either answers over USB (cmd_send) or copies the reply into the caller's buffer.
//   arg0   - workFlags bit mask; "bit n" below means mask (1 << n), e.g. bit 1 = 0x02
//   arg1   - not read in the visible lines
//   arg2   - block number to read
//   datain - with bit 5 set, an OUT buffer that receives the 18-byte reply;
//            the caller must supply at least 18 writable bytes (see memcpy below)
// NOTE(review): isOK and cuid are declared/assigned on lines not present in
// this listing; their initial values cannot be confirmed from here.
1421 // bit 1 - need wupC
1422 // bit 2 - need HALT after sequence
1423 // bit 3 - need init FPGA and field before sequence
1424 // bit 4 - need reset FPGA and LED
1425 // bit 5 - need to set datain instead of issuing USB reply (called via ARM for StandAloneMode14a)
1426 // bit 6 - gen1b backdoor type
1427 uint8_t workFlags
= arg0
;
1428 uint8_t blockNo
= arg2
;
// Backdoor wake-up commands: wupC1 is sent as a 7-bit short frame, wupC2 as a full byte.
1431 uint8_t wupC1
[] = { 0x40 };
1432 uint8_t wupC2
[] = { 0x43 };
// Copy of the card reply handed back to the host / caller (18 bytes, see the length check below).
1436 uint8_t data
[18] = {0x00};
1439 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
1440 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
// bit 3: (re)initialise FPGA and RF field before talking to the card.
1442 if (workFlags
& 0x08) {
1446 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
// bit 1: backdoor wake-up. The card is expected to ACK each step with 0x0a.
1453 if (workFlags
& 0x02) {
1454 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1455 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1456 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC1 error");
1459 // do not issue wupC2 for gen1b magic tag (bit 6)
1460 if (!(workFlags
& 0x40)) {
1461 ReaderTransmit(wupC2
, sizeof(wupC2
), NULL
);
1462 if(!ReaderReceive(receivedAnswer
, receivedAnswerPar
) || (receivedAnswer
[0] != 0x0a)) {
1463 if (MF_DBGLEVEL
>= 1) Dbprintf("wupC2 error");
// Plain (unauthenticated, NULL crypto state) READ of blockNo. A valid reply is exactly
// 18 bytes (presumably 16 data + 2 CRC, matching d_block[18] in the set path);
// any other length is treated as an error.
1470 if ((mifare_sendcmd_short(NULL
, 0, 0x30, blockNo
, receivedAnswer
, receivedAnswerPar
, NULL
) != 18)) {
1471 if (MF_DBGLEVEL
>= 1) Dbprintf("read block send command error");
// NOTE(review): the error exit between the check above and this copy is not in the
// listing; confirm the reply is only copied after the 18-byte check passed.
1474 memcpy(data
, receivedAnswer
, 18);
// bit 2: HALT the card afterwards (not for gen1b, which answers the halt and trips the check).
1476 if (workFlags
& 0x04) {
1477 // do not issue halt command for gen1b magic tag (#db# halt error. response len: 1)
1478 if (!(workFlags
& 0x40)) {
1479 if (mifare_classic_halt(NULL
, cuid
)) {
// NOTE(review): this halt error logs at level > 1 while the same message in the
// set-block path uses > 2; probably unintentional, harmless.
1480 if (MF_DBGLEVEL
> 1) Dbprintf("Halt error");
1481 // Continue, some magic tags misbehave and send an answer to it.
// bit 5: hand the 18-byte reply back in place (caller's datain) instead of over USB.
// This writes 18 bytes through datain unconditionally; the caller owns that sizing.
1492 if (workFlags
& 0x20) {
1494 memcpy(datain
, data
, 18);
1497 cmd_send(CMD_ACK
,isOK
,0,0,data
,18);
// bit 4, or any failure: drop the field / switch the FPGA off.
1500 if ((workFlags
& 0x10) || (!isOK
)) {
1501 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1506 void MifareCIdent(){
// Probe whether the card in the field is a "magic" (backdoor) MIFARE Classic tag:
// send the wupC1 short frame and, if the card ACKs it with 0x0a, the wupC2 byte.
// The result is reported to the host as the isOK argument of cmd_send.
// NOTE(review): isOK is declared and set on lines not present in this listing.
1509 uint8_t wupC1
[] = { 0x40 };
1510 uint8_t wupC2
[] = { 0x43 };
1515 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
];
1516 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
];
1521 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
// wupC1 is a 7-bit short frame; a genuine card does not answer it, a magic card ACKs with 0x0a.
1526 ReaderTransmitBitsPar(wupC1
,7,0, NULL
);
1527 if(ReaderReceive(receivedAnswer
, receivedAnswerPar
) && (receivedAnswer
[0] == 0x0a)) {
// Second wake-up step; both ACKs are required to report the tag as magic.
1530 ReaderTransmit(wupC2
, sizeof(wupC2
), NULL
);
1531 if(ReaderReceive(receivedAnswer
, receivedAnswerPar
) && (receivedAnswer
[0] == 0x0a)) {
// Halt result is deliberately ignored: see note below.
1536 // From iceman1001: removed the if, since some magic tags misbehave and send an answer to it.
1537 mifare_classic_halt(NULL
, 0);
1540 cmd_send(CMD_ACK
,isOK
,0,0,0,0);
// Field is always switched off again on this path.
1543 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1551 void Mifare_DES_Auth1(uint8_t arg0
, uint8_t *datain
){
// First half of a DESFire DES authentication: select the card, run
// mifare_desfire_des_auth1 and return its 11-byte output together with the
// card's cuid, which the host passes back as arg0 of Mifare_DES_Auth2.
//   arg0, datain - not read in the visible lines
// NOTE(review): cuid is declared, and the "select failed" branch (if (!len) ...)
// is guarded, on lines not present in this listing.
1553 byte_t dataout
[11] = {0x00};
1554 uint8_t uid
[10] = {0x00};
1557 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
// Anticollision/select; len is the select result used by the (not shown) failure check.
1560 int len
= iso14443a_select_card(uid
, NULL
, &cuid
, true, 0, true);
1562 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Can't select card");
// Non-zero return from auth1 is failure (error path continues on lines not shown).
1567 if(mifare_desfire_des_auth1(cuid
, dataout
)){
1568 if (MF_DBGLEVEL
>= MF_DBG_ERROR
) Dbprintf("Authentication part1: Fail.");
1573 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) DbpString("AUTH 1 FINISHED");
// Reply: status 1, arg1 = cuid (needed by Auth2), payload = the auth1 output.
1574 cmd_send(CMD_ACK
,1,cuid
,0,dataout
, sizeof(dataout
));
1577 void Mifare_DES_Auth2(uint32_t arg0
, uint8_t *datain
){
// Second half of a DESFire DES authentication, using the cuid returned by
// Mifare_DES_Auth1 and the 16-byte key supplied by the host.
//   arg0   - cuid of the card selected in Mifare_DES_Auth1
//   datain - 16 bytes of key material; exactly 16 bytes are read from it
// NOTE(review): isOK is declared, and the failure branch around the "Failed" log
// is guarded, on lines not present in this listing.
1579 uint32_t cuid
= arg0
;
// Stack copy of the DES key. In the visible lines it is never cleared before
// the function returns; consider zeroizing it once the auth result is known.
1580 uint8_t key
[16] = {0x00};
1582 byte_t dataout
[12] = {0x00};
1584 memcpy(key
, datain
, 16);
1586 isOK
= mifare_desfire_des_auth2(cuid
, key
, dataout
);
// NOTE(review): this failure is logged at MF_DBG_EXTENDED whereas Auth1 logs
// its failures at MF_DBG_ERROR; probably an oversight.
1589 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) Dbprintf("Authentication part2: Failed");
1594 if (MF_DBGLEVEL
>= MF_DBG_EXTENDED
) DbpString("AUTH 2 FINISHED");
// Reply carries the auth2 status and its 12-byte output.
1596 cmd_send(CMD_ACK
, isOK
, 0, 0, dataout
, sizeof(dataout
));
1597 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1603 ReaderTransmit(deselect_cmd
, 3 , NULL
);
1604 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1608 void OnError(uint8_t reason
){
1610 ReaderTransmit(deselect_cmd
, 3 , NULL
);
1611 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1612 cmd_send(CMD_ACK
,0,reason
,0,0,0);