]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaresniff.c
bd9840e8cb4a8467e9b3c6b3719f0aede40a9d18
[proxmark3-svn] / armsrc / mifaresniff.c
1 //-----------------------------------------------------------------------------
2 // Merlok - 2012
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support mifare classic sniffer.
9 //-----------------------------------------------------------------------------
10
11 #include "mifaresniff.h"
12 #include "apps.h"
13
14 static int sniffState = SNF_INIT;
15 static uint8_t sniffUIDType;
16 static uint8_t sniffUID[8];
17 static uint8_t sniffATQA[2];
18 static uint8_t sniffSAK;
19 static uint8_t sniffBuf[16];
20 static uint32_t timerData = 0;
21
22
23 bool MfSniffInit(void){
24 memset(sniffUID, 0x00, 8);
25 memset(sniffATQA, 0x00, 2);
26 sniffSAK = 0;
27 sniffUIDType = SNF_UID_4;
28
29 return FALSE;
30 }
31
32 bool MfSniffEnd(void){
33 LED_B_ON();
34 cmd_send(CMD_ACK,0,0,0,0,0);
35 LED_B_OFF();
36
37 return FALSE;
38 }
39
40 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader) {
41
42 if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader
43 sniffState = SNF_INIT;
44 }
45
46 switch (sniffState) {
47 case SNF_INIT:{
48 if ((len == 1) && (reader) && (bitCnt == 7) ) { // REQA or WUPA from reader
49 sniffUIDType = SNF_UID_4;
50 memset(sniffUID, 0x00, 8);
51 memset(sniffATQA, 0x00, 2);
52 sniffSAK = 0;
53 sniffState = SNF_WUPREQ;
54 }
55 break;
56 }
57 case SNF_WUPREQ:{
58 if ((!reader) && (len == 2)) { // ATQA from tag
59 memcpy(sniffATQA, data, 2);
60 sniffState = SNF_ATQA;
61 }
62 break;
63 }
64 case SNF_ATQA:{
65 if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { // Select ALL from reader
66 sniffState = SNF_ANTICOL1;
67 }
68 break;
69 }
70 case SNF_ANTICOL1:{
71 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // UID from tag (CL1)
72 memcpy(sniffUID + 3, data, 4);
73 sniffState = SNF_UID1;
74 }
75 break;
76 }
77 case SNF_UID1:{
78 if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 4 Byte UID from reader
79 sniffState = SNF_SAK;
80 }
81 break;
82 }
83 case SNF_SAK:{
84 if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
85 sniffSAK = data[0];
86 if (sniffUID[3] == 0x88) { // CL2 UID part to be expected
87 sniffState = SNF_ANTICOL2;
88 } else { // select completed
89 sniffState = SNF_CARD_IDLE;
90 }
91 }
92 break;
93 }
94 case SNF_ANTICOL2:{
95 if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // CL2 UID
96 memcpy(sniffUID, data, 4);
97 sniffUIDType = SNF_UID_7;
98 sniffState = SNF_UID2;
99 }
100 break;
101 }
102 case SNF_UID2:{
103 if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 2nd part of 7 Byte UID
104 sniffState = SNF_SAK;
105 }
106 break;
107 }
108 case SNF_CARD_IDLE:{ // trace the card select sequence
109 sniffBuf[0] = 0xFF;
110 sniffBuf[1] = 0xFF;
111 memcpy(sniffBuf + 2, sniffUID, 7);
112 memcpy(sniffBuf + 9, sniffATQA, 2);
113 sniffBuf[11] = sniffSAK;
114 sniffBuf[12] = 0xFF;
115 sniffBuf[13] = 0xFF;
116 LogTrace(sniffBuf, 14, 0, parity, true);
117 } // intentionally no break;
118 case SNF_CARD_CMD:{
119 LogTrace(data, len, 0, parity, true);
120 sniffState = SNF_CARD_RESP;
121 timerData = GetTickCount();
122 break;
123 }
124 case SNF_CARD_RESP:{
125 LogTrace(data, len, 0, parity, false);
126 sniffState = SNF_CARD_CMD;
127 timerData = GetTickCount();
128 break;
129 }
130
131 default:
132 sniffState = SNF_INIT;
133 break;
134 }
135
136
137 return FALSE;
138 }
139
140 bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
141 if (traceLen && (GetTickCount() > timerData + maxTimeoutMs)) {
142 return intMfSniffSend();
143 }
144 return FALSE;
145 }
146
147 // internal sending function. not a RAMFUNC.
148 bool intMfSniffSend() {
149
150 int pckSize = 0;
151 int pckLen = traceLen;
152 int pckNum = 0;
153
154 FpgaDisableSscDma();
155 while (pckLen > 0) {
156 pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
157 LED_B_ON();
158 cmd_send(CMD_ACK, 1, pckSize, pckNum, trace + traceLen - pckLen, pckSize);
159 LED_B_OFF();
160
161 pckLen -= pckSize;
162 pckNum++;
163 }
164
165 LED_B_ON();
166 cmd_send(CMD_ACK,2,0,0,0,0);
167 LED_B_OFF();
168
169 iso14a_clear_trace();
170
171 return TRUE;
172 }
Impressum, Datenschutz