]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ADD: @go_tus simple bruteforce for t55xx, refactored a bit.
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "crc.h"
20 #include "protocols.h"
21
22 //-----------------------------------------------------------------------------
23 // Select, Authenticate, Read a MIFARE tag.
24 // read block
25 //-----------------------------------------------------------------------------
26 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
27 {
28 // params
29 uint8_t blockNo = arg0;
30 uint8_t keyType = arg1;
31 uint64_t ui64Key = 0;
32 ui64Key = bytes_to_num(datain, 6);
33
34 // variables
35 byte_t isOK = 0;
36 byte_t dataoutbuf[16];
37 uint8_t uid[10];
38 uint32_t cuid;
39 struct Crypto1State mpcs = {0, 0};
40 struct Crypto1State *pcs;
41 pcs = &mpcs;
42
43 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
44
45 clear_trace();
46
47 LED_A_ON();
48 LED_B_OFF();
49 LED_C_OFF();
50
51 while (true) {
52 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
53 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
54 break;
55 };
56
57 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
58 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
59 break;
60 };
61
62 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
63 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
64 break;
65 };
66
67 if(mifare_classic_halt(pcs, cuid)) {
68 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
69 break;
70 };
71
72 isOK = 1;
73 break;
74 }
75
76 // ----------------------------- crypto1 destroy
77 crypto1_destroy(pcs);
78
79 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
80
81 LED_B_ON();
82 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
83 LED_B_OFF();
84
85 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
86 LEDsoff();
87 }
88
89 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
90
91 bool turnOffField = (arg0 == 1);
92
93 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
94
95 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
96
97 clear_trace();
98
99 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
100 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
101 OnError(0);
102 return;
103 };
104
105 if(!mifare_ultra_auth(keybytes)){
106 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
107 OnError(1);
108 return;
109 }
110
111 if (turnOffField) {
112 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
113 LEDsoff();
114 }
115 cmd_send(CMD_ACK,1,0,0,0,0);
116 }
117
118 // Arg0 = BlockNo,
119 // Arg1 = UsePwd bool
120 // datain = PWD bytes,
121 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
122 {
123 uint8_t blockNo = arg0;
124 byte_t dataout[16] = {0x00};
125 bool useKey = (arg1 == 1); //UL_C
126 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
127
128 LEDsoff();
129 LED_A_ON();
130 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
131
132 clear_trace();
133
134 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0);
135 if(!len) {
136 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
137 OnError(1);
138 return;
139 }
140
141 // UL-C authentication
142 if ( useKey ) {
143 uint8_t key[16] = {0x00};
144 memcpy(key, datain, sizeof(key) );
145
146 if ( !mifare_ultra_auth(key) ) {
147 OnError(1);
148 return;
149 }
150 }
151
152 // UL-EV1 / NTAG authentication
153 if ( usePwd ) {
154 uint8_t pwd[4] = {0x00};
155 memcpy(pwd, datain, 4);
156 uint8_t pack[4] = {0,0,0,0};
157 if (!mifare_ul_ev1_auth(pwd, pack)) {
158 OnError(1);
159 return;
160 }
161 }
162
163 if( mifare_ultra_readblock(blockNo, dataout) ) {
164 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
165 OnError(2);
166 return;
167 }
168
169 if( mifare_ultra_halt() ) {
170 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
171 OnError(3);
172 return;
173 }
174
175 cmd_send(CMD_ACK,1,0,0,dataout,16);
176 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
177 LEDsoff();
178 }
179
180 //-----------------------------------------------------------------------------
181 // Select, Authenticate, Read a MIFARE tag.
182 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
183 //-----------------------------------------------------------------------------
184 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
185 {
186 // params
187 uint8_t sectorNo = arg0;
188 uint8_t keyType = arg1;
189 uint64_t ui64Key = 0;
190 ui64Key = bytes_to_num(datain, 6);
191
192 // variables
193 byte_t isOK = 0;
194 byte_t dataoutbuf[16 * 16];
195 uint8_t uid[10];
196 uint32_t cuid;
197 struct Crypto1State mpcs = {0, 0};
198 struct Crypto1State *pcs;
199 pcs = &mpcs;
200
201 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
202
203 clear_trace();
204
205 LED_A_ON();
206 LED_B_OFF();
207 LED_C_OFF();
208
209 isOK = 1;
210 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
211 isOK = 0;
212 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
213 }
214
215
216 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
217 isOK = 0;
218 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
219 }
220
221 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
222 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
223 isOK = 0;
224 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
225 break;
226 }
227 }
228
229 if(mifare_classic_halt(pcs, cuid)) {
230 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
231 }
232
233 // ----------------------------- crypto1 destroy
234 crypto1_destroy(pcs);
235
236 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
237
238 LED_B_ON();
239 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
240 LED_B_OFF();
241
242 // Thats it...
243 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
244 LEDsoff();
245 }
246
247 // arg0 = blockNo (start)
248 // arg1 = Pages (number of blocks)
249 // arg2 = useKey
250 // datain = KEY bytes
251 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
252 {
253 LEDsoff();
254 LED_A_ON();
255 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
256
257 // free eventually allocated BigBuf memory
258 BigBuf_free();
259 clear_trace();
260
261 // params
262 uint8_t blockNo = arg0;
263 uint16_t blocks = arg1;
264 bool useKey = (arg2 == 1); //UL_C
265 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
266 uint32_t countblocks = 0;
267 uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);
268 if (dataout == NULL){
269 Dbprintf("out of memory");
270 OnError(1);
271 return;
272 }
273
274 int len = iso14443a_select_card(NULL, NULL, NULL, true, 0);
275 if (!len) {
276 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
277 OnError(1);
278 return;
279 }
280
281 // UL-C authentication
282 if ( useKey ) {
283 uint8_t key[16] = {0x00};
284 memcpy(key, datain, sizeof(key) );
285
286 if ( !mifare_ultra_auth(key) ) {
287 OnError(1);
288 return;
289 }
290 }
291
292 // UL-EV1 / NTAG authentication
293 if (usePwd) {
294 uint8_t pwd[4] = {0x00};
295 memcpy(pwd, datain, sizeof(pwd));
296 uint8_t pack[4] = {0,0,0,0};
297
298 if (!mifare_ul_ev1_auth(pwd, pack)){
299 OnError(1);
300 return;
301 }
302 }
303
304 for (int i = 0; i < blocks; i++){
305 if ((i*4) + 4 >= CARD_MEMORY_SIZE) {
306 Dbprintf("Data exceeds buffer!!");
307 break;
308 }
309
310 len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);
311
312 if (len) {
313 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
314 // if no blocks read - error out
315 if (i==0){
316 OnError(2);
317 return;
318 } else {
319 //stop at last successful read block and return what we got
320 break;
321 }
322 } else {
323 countblocks++;
324 }
325 }
326
327 len = mifare_ultra_halt();
328 if (len) {
329 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
330 OnError(3);
331 return;
332 }
333
334 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
335
336 countblocks *= 4;
337
338 cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);
339 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
340 LEDsoff();
341 BigBuf_free();
342 }
343
344 //-----------------------------------------------------------------------------
345 // Select, Authenticate, Write a MIFARE tag.
346 // read block
347 //-----------------------------------------------------------------------------
348 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
349 {
350 // params
351 uint8_t blockNo = arg0;
352 uint8_t keyType = arg1;
353 uint64_t ui64Key = 0;
354 byte_t blockdata[16];
355
356 ui64Key = bytes_to_num(datain, 6);
357 memcpy(blockdata, datain + 10, 16);
358
359 // variables
360 byte_t isOK = 0;
361 uint8_t uid[10];
362 uint32_t cuid;
363 struct Crypto1State mpcs = {0, 0};
364 struct Crypto1State *pcs;
365 pcs = &mpcs;
366
367 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
368
369 clear_trace();
370
371 LED_A_ON();
372 LED_B_OFF();
373 LED_C_OFF();
374
375 while (true) {
376 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
377 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
378 break;
379 };
380
381 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
382 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
383 break;
384 };
385
386 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
387 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
388 break;
389 };
390
391 if(mifare_classic_halt(pcs, cuid)) {
392 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
393 break;
394 };
395
396 isOK = 1;
397 break;
398 }
399
400 // ----------------------------- crypto1 destroy
401 crypto1_destroy(pcs);
402
403 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
404
405 LED_B_ON();
406 cmd_send(CMD_ACK,isOK,0,0,0,0);
407 LED_B_OFF();
408
409
410 // Thats it...
411 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
412 LEDsoff();
413 }
414
415 /* // Command not needed but left for future testing
416 void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
417 {
418 uint8_t blockNo = arg0;
419 byte_t blockdata[16] = {0x00};
420
421 memcpy(blockdata, datain, 16);
422
423 uint8_t uid[10] = {0x00};
424
425 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
426
427 clear_trace();
428 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
429
430 if(!iso14443a_select_card(uid, NULL, NULL, true, 0)) {
431 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
432 OnError(0);
433 return;
434 };
435
436 if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {
437 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
438 OnError(0);
439 return; };
440
441 if(mifare_ultra_halt()) {
442 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
443 OnError(0);
444 return;
445 };
446
447 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
448
449 cmd_send(CMD_ACK,1,0,0,0,0);
450 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
451 LEDsoff();
452 }
453 */
454
455 // Arg0 : Block to write to.
456 // Arg1 : 0 = use no authentication.
457 // 1 = use 0x1A authentication.
458 // 2 = use 0x1B authentication.
459 // datain : 4 first bytes is data to be written.
460 // : 4/16 next bytes is authentication key.
461 void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
462 {
463 uint8_t blockNo = arg0;
464 bool useKey = (arg1 == 1); //UL_C
465 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
466 byte_t blockdata[4] = {0x00};
467
468 memcpy(blockdata, datain,4);
469
470 LEDsoff();
471 LED_A_ON();
472 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
473
474 clear_trace();
475
476 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
477 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
478 OnError(0);
479 return;
480 };
481
482 // UL-C authentication
483 if ( useKey ) {
484 uint8_t key[16] = {0x00};
485 memcpy(key, datain+4, sizeof(key) );
486
487 if ( !mifare_ultra_auth(key) ) {
488 OnError(1);
489 return;
490 }
491 }
492
493 // UL-EV1 / NTAG authentication
494 if (usePwd) {
495 uint8_t pwd[4] = {0x00};
496 memcpy(pwd, datain+4, 4);
497 uint8_t pack[4] = {0,0,0,0};
498 if (!mifare_ul_ev1_auth(pwd, pack)) {
499 OnError(1);
500 return;
501 }
502 }
503
504 if(mifare_ultra_writeblock(blockNo, blockdata)) {
505 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
506 OnError(0);
507 return;
508 };
509
510 if(mifare_ultra_halt()) {
511 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
512 OnError(0);
513 return;
514 };
515
516 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
517
518 cmd_send(CMD_ACK,1,0,0,0,0);
519 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
520 LEDsoff();
521 }
522
523 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
524
525 uint8_t pwd[16] = {0x00};
526 byte_t blockdata[4] = {0x00};
527
528 memcpy(pwd, datain, 16);
529
530 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
531 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
532
533 clear_trace();
534
535 if(!iso14443a_select_card(NULL, NULL, NULL, true, 0)) {
536 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
537 OnError(0);
538 return;
539 };
540
541 blockdata[0] = pwd[7];
542 blockdata[1] = pwd[6];
543 blockdata[2] = pwd[5];
544 blockdata[3] = pwd[4];
545 if(mifare_ultra_writeblock( 44, blockdata)) {
546 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
547 OnError(44);
548 return;
549 };
550
551 blockdata[0] = pwd[3];
552 blockdata[1] = pwd[2];
553 blockdata[2] = pwd[1];
554 blockdata[3] = pwd[0];
555 if(mifare_ultra_writeblock( 45, blockdata)) {
556 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
557 OnError(45);
558 return;
559 };
560
561 blockdata[0] = pwd[15];
562 blockdata[1] = pwd[14];
563 blockdata[2] = pwd[13];
564 blockdata[3] = pwd[12];
565 if(mifare_ultra_writeblock( 46, blockdata)) {
566 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
567 OnError(46);
568 return;
569 };
570
571 blockdata[0] = pwd[11];
572 blockdata[1] = pwd[10];
573 blockdata[2] = pwd[9];
574 blockdata[3] = pwd[8];
575 if(mifare_ultra_writeblock( 47, blockdata)) {
576 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
577 OnError(47);
578 return;
579 };
580
581 if(mifare_ultra_halt()) {
582 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
583 OnError(0);
584 return;
585 };
586
587 cmd_send(CMD_ACK,1,0,0,0,0);
588 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
589 LEDsoff();
590 }
591
592 // Return 1 if the nonce is invalid else return 0
593 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
594 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
595 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
596 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
597 }
598
599
600 //-----------------------------------------------------------------------------
601 // acquire encrypted nonces in order to perform the attack described in
602 // Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
603 // Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
604 // Computer and Communications Security, 2015
605 //-----------------------------------------------------------------------------
606 void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)
607 {
608 uint64_t ui64Key = 0;
609 uint8_t uid[10];
610 uint32_t cuid;
611 uint8_t cascade_levels = 0;
612 struct Crypto1State mpcs = {0, 0};
613 struct Crypto1State *pcs;
614 pcs = &mpcs;
615 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
616 int16_t isOK = 0;
617 uint8_t par_enc[1];
618 uint8_t nt_par_enc = 0;
619 uint8_t buf[USB_CMD_DATA_SIZE];
620 uint32_t timeout;
621
622 uint8_t blockNo = arg0 & 0xff;
623 uint8_t keyType = (arg0 >> 8) & 0xff;
624 uint8_t targetBlockNo = arg1 & 0xff;
625 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
626 ui64Key = bytes_to_num(datain, 6);
627 bool initialize = flags & 0x0001;
628 bool slow = flags & 0x0002;
629 bool field_off = flags & 0x0004;
630
631 #define AUTHENTICATION_TIMEOUT 848 // card times out 1ms after wrong authentication (according to NXP documentation)
632 #define PRE_AUTHENTICATION_LEADTIME 400 // some (non standard) cards need a pause after select before they are ready for first authentication
633
634 LED_A_ON();
635 LED_C_OFF();
636
637 if (initialize) {
638 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
639 clear_trace();
640 set_tracing(true);
641 }
642
643 LED_C_ON();
644
645 uint16_t num_nonces = 0;
646 bool have_uid = false;
647 for (uint16_t i = 0; i <= USB_CMD_DATA_SIZE - 9; ) {
648
649 // Test if the action was cancelled
650 if(BUTTON_PRESS()) {
651 isOK = 2;
652 field_off = true;
653 break;
654 }
655
656 if (!have_uid) { // need a full select cycle to get the uid first
657 iso14a_card_select_t card_info;
658 if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {
659 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (ALL)");
660 continue;
661 }
662 switch (card_info.uidlen) {
663 case 4 : cascade_levels = 1; break;
664 case 7 : cascade_levels = 2; break;
665 case 10: cascade_levels = 3; break;
666 default: break;
667 }
668 have_uid = true;
669 } else { // no need for anticollision. We can directly select the card
670 if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels)) {
671 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (UID)");
672 continue;
673 }
674 }
675
676 if (slow) {
677 timeout = GetCountSspClk() + PRE_AUTHENTICATION_LEADTIME;
678 while(GetCountSspClk() < timeout);
679 }
680
681 uint32_t nt1;
682 if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, NULL)) {
683 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth1 error");
684 continue;
685 }
686
687 // nested authentication
688 uint16_t len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par_enc, NULL);
689 if (len != 4) {
690 if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth2 error len=%d", len);
691 continue;
692 }
693
694 // send a dummy byte as reader response in order to trigger the cards authentication timeout
695 uint8_t dummy_answer = 0;
696 ReaderTransmit(&dummy_answer, 1, NULL);
697 timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;
698
699 num_nonces++;
700 if (num_nonces % 2) {
701 memcpy(buf+i, receivedAnswer, 4);
702 nt_par_enc = par_enc[0] & 0xf0;
703 } else {
704 nt_par_enc |= par_enc[0] >> 4;
705 memcpy(buf+i+4, receivedAnswer, 4);
706 memcpy(buf+i+8, &nt_par_enc, 1);
707 i += 9;
708 }
709
710 // wait for the card to become ready again
711 while(GetCountSspClk() < timeout);
712
713 }
714
715 LED_C_OFF();
716
717 crypto1_destroy(pcs);
718
719 LED_B_ON();
720 cmd_send(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));
721 LED_B_OFF();
722
723 if (MF_DBGLEVEL >= 3) DbpString("AcquireEncryptedNonces finished");
724
725 if (field_off) {
726 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
727 LEDsoff();
728 }
729 }
730
731
732 //-----------------------------------------------------------------------------
733 // MIFARE nested authentication.
734 //
735 //-----------------------------------------------------------------------------
736 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
737 {
738 // params
739 uint8_t blockNo = arg0 & 0xff;
740 uint8_t keyType = (arg0 >> 8) & 0xff;
741 uint8_t targetBlockNo = arg1 & 0xff;
742 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
743 uint64_t ui64Key = 0;
744
745 ui64Key = bytes_to_num(datain, 6);
746
747 // variables
748 uint16_t rtr, i, j, len;
749 uint16_t davg;
750 static uint16_t dmin, dmax;
751 uint8_t uid[10];
752 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
753 uint8_t par[1];
754 uint32_t target_nt[2], target_ks[2];
755
756 uint8_t par_array[4];
757 uint16_t ncount = 0;
758 struct Crypto1State mpcs = {0, 0};
759 struct Crypto1State *pcs;
760 pcs = &mpcs;
761 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
762
763 uint32_t auth1_time, auth2_time;
764 static uint16_t delta_time;
765
766 LED_A_ON();
767 LED_C_OFF();
768 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
769
770 // free eventually allocated BigBuf memory
771 BigBuf_free();
772
773 if (calibrate) clear_trace();
774 set_tracing(true);
775
776 // statistics on nonce distance
777 int16_t isOK = 0;
778 #define NESTED_MAX_TRIES 12
779 uint16_t unsuccessfull_tries = 0;
780 if (calibrate) { // for first call only. Otherwise reuse previous calibration
781 LED_B_ON();
782 WDT_HIT();
783
784 davg = dmax = 0;
785 dmin = 2000;
786 delta_time = 0;
787
788 for (rtr = 0; rtr < 17; rtr++) {
789
790 // Test if the action was cancelled
791 if(BUTTON_PRESS()) {
792 isOK = -2;
793 break;
794 }
795
796 // prepare next select. No need to power down the card.
797 if(mifare_classic_halt(pcs, cuid)) {
798 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
799 rtr--;
800 continue;
801 }
802
803 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
804 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
805 rtr--;
806 continue;
807 };
808
809 auth1_time = 0;
810 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
811 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
812 rtr--;
813 continue;
814 };
815
816 if (delta_time) {
817 auth2_time = auth1_time + delta_time;
818 } else {
819 auth2_time = 0;
820 }
821 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
822 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
823 rtr--;
824 continue;
825 };
826
827 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
828 for (i = 101; i < 1200; i++) {
829 nttmp = prng_successor(nttmp, 1);
830 if (nttmp == nt2) break;
831 }
832
833 if (i != 1200) {
834 if (rtr != 0) {
835 davg += i;
836 dmin = MIN(dmin, i);
837 dmax = MAX(dmax, i);
838 }
839 else {
840 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
841 }
842 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
843 } else {
844 unsuccessfull_tries++;
845 if (unsuccessfull_tries > NESTED_MAX_TRIES) { // card isn't vulnerable to nested attack (random numbers are not predictable)
846 isOK = -3;
847 }
848 }
849 }
850
851 davg = (davg + (rtr - 1)/2) / (rtr - 1);
852
853 if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);
854
855 dmin = davg - 2;
856 dmax = davg + 2;
857
858 LED_B_OFF();
859 }
860 // -------------------------------------------------------------------------------------------------
861
862 LED_C_ON();
863
864 // get crypted nonces for target sector
865 for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces
866
867 target_nt[i] = 0;
868 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
869
870 // prepare next select. No need to power down the card.
871 if(mifare_classic_halt(pcs, cuid)) {
872 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
873 continue;
874 }
875
876 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
877 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
878 continue;
879 };
880
881 auth1_time = 0;
882 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
883 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
884 continue;
885 };
886
887 // nested authentication
888 auth2_time = auth1_time + delta_time;
889 len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
890 if (len != 4) {
891 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
892 continue;
893 };
894
895 nt2 = bytes_to_num(receivedAnswer, 4);
896 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
897
898 // Parity validity check
899 for (j = 0; j < 4; j++) {
900 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
901 }
902
903 ncount = 0;
904 nttest = prng_successor(nt1, dmin - 1);
905 for (j = dmin; j < dmax + 1; j++) {
906 nttest = prng_successor(nttest, 1);
907 ks1 = nt2 ^ nttest;
908
909 if (valid_nonce(nttest, nt2, ks1, par_array)){
910 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
911 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
912 target_nt[i] = 0;
913 break;
914 }
915 target_nt[i] = nttest;
916 target_ks[i] = ks1;
917 ncount++;
918 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
919 target_nt[i] = 0;
920 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
921 break;
922 }
923 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
924 }
925 }
926 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
927 }
928 }
929
930 LED_C_OFF();
931
932 // ----------------------------- crypto1 destroy
933 crypto1_destroy(pcs);
934
935 byte_t buf[4 + 4 * 4];
936 memcpy(buf, &cuid, 4);
937 memcpy(buf+4, &target_nt[0], 4);
938 memcpy(buf+8, &target_ks[0], 4);
939 memcpy(buf+12, &target_nt[1], 4);
940 memcpy(buf+16, &target_ks[1], 4);
941
942 LED_B_ON();
943 cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
944 LED_B_OFF();
945
946 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
947
948 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
949 LEDsoff();
950 set_tracing(FALSE);
951 }
952
953 //-----------------------------------------------------------------------------
954 // MIFARE check keys. key count up to 85.
955 //
956 //-----------------------------------------------------------------------------
957 void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
958 {
959 // params
960 uint8_t blockNo = arg0 & 0xff;
961 uint8_t keyType = (arg0 >> 8) & 0xff;
962 bool clearTrace = arg1;
963 uint8_t keyCount = arg2;
964 uint64_t ui64Key = 0;
965
966 // variables
967 int i;
968 byte_t isOK = 0;
969 uint8_t uid[10];
970 uint32_t cuid;
971 struct Crypto1State mpcs = {0, 0};
972 struct Crypto1State *pcs;
973 pcs = &mpcs;
974
975 // clear debug level
976 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
977 MF_DBGLEVEL = MF_DBG_NONE;
978
979 LED_A_ON();
980 LED_B_OFF();
981 LED_C_OFF();
982 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
983
984 if (clearTrace) clear_trace();
985 set_tracing(TRUE);
986
987 for (i = 0; i < keyCount; i++) {
988 if(mifare_classic_halt(pcs, cuid)) {
989 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
990 }
991
992 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
993 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
994 break;
995 };
996
997 ui64Key = bytes_to_num(datain + i * 6, 6);
998 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
999 continue;
1000 };
1001
1002 isOK = 1;
1003 break;
1004 }
1005
1006 // ----------------------------- crypto1 destroy
1007 crypto1_destroy(pcs);
1008
1009 LED_B_ON();
1010 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
1011 LED_B_OFF();
1012
1013 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1014 LEDsoff();
1015 set_tracing(FALSE);
1016
1017 // restore debug level
1018 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
1019 }
1020
1021 //-----------------------------------------------------------------------------
1022 // MIFARE commands set debug level
1023 //
1024 //-----------------------------------------------------------------------------
1025 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1026 MF_DBGLEVEL = arg0;
1027 Dbprintf("Debug level: %d", MF_DBGLEVEL);
1028 }
1029
1030 //-----------------------------------------------------------------------------
1031 // Work with emulator memory
1032 //
1033 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
1034 // involved in dealing with emulator memory. But if it is called later, it might
1035 // destroy the Emulator Memory.
1036 //-----------------------------------------------------------------------------
1037
1038 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1039 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1040 emlClearMem();
1041 }
1042
1043 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1044 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1045 //emlSetMem(datain, arg0, arg1); // data, block num, blocks count
1046 emlSetMem_xt(datain, arg0, arg1, arg2); // data, block num, blocks count, block byte width
1047 }
1048
1049 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1050 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1051 byte_t buf[USB_CMD_DATA_SIZE];
1052 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
1053
1054 LED_B_ON();
1055 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
1056 LED_B_OFF();
1057 }
1058
1059 //-----------------------------------------------------------------------------
1060 // Load a card into the emulator memory
1061 //
1062 //-----------------------------------------------------------------------------
1063 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1064 uint8_t numSectors = arg0;
1065 uint8_t keyType = arg1;
1066 uint64_t ui64Key = 0;
1067 uint32_t cuid;
1068 struct Crypto1State mpcs = {0, 0};
1069 struct Crypto1State *pcs;
1070 pcs = &mpcs;
1071
1072 // variables
1073 byte_t dataoutbuf[16];
1074 byte_t dataoutbuf2[16];
1075 uint8_t uid[10];
1076
1077 LED_A_ON();
1078 LED_B_OFF();
1079 LED_C_OFF();
1080 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1081
1082 clear_trace();
1083 set_tracing(TRUE);
1084
1085 bool isOK = true;
1086
1087 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
1088 isOK = false;
1089 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1090 }
1091
1092 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
1093 ui64Key = emlGetKey(sectorNo, keyType);
1094 if (sectorNo == 0){
1095 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
1096 isOK = false;
1097 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
1098 break;
1099 }
1100 } else {
1101 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
1102 isOK = false;
1103 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
1104 break;
1105 }
1106 }
1107
1108 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
1109 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
1110 isOK = false;
1111 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
1112 break;
1113 };
1114 if (isOK) {
1115 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
1116 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
1117 } else { // sector trailer, keep the keys, set only the AC
1118 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1119 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
1120 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
1121 }
1122 }
1123 }
1124
1125 }
1126
1127 if(mifare_classic_halt(pcs, cuid)) {
1128 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1129 };
1130
1131 // ----------------------------- crypto1 destroy
1132 crypto1_destroy(pcs);
1133
1134 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1135 LEDsoff();
1136
1137 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
1138
1139 set_tracing(FALSE);
1140 }
1141
1142
1143 //-----------------------------------------------------------------------------
1144 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
1145 //
1146 // PARAMS - workFlags
1147 // bit 0 - need get UID
1148 // bit 1 - need wupC
1149 // bit 2 - need HALT after sequence
1150 // bit 3 - need turn on FPGA before sequence
1151 // bit 4 - need turn off FPGA
1152 // bit 5 - need to set datain instead of issuing USB reply (called via ARM for StandAloneMode14a)
1153 // bit 6 - wipe tag.
1154 //-----------------------------------------------------------------------------
1155 // magic uid card generation 1 commands
1156 uint8_t wupC1[] = { MIFARE_MAGICWUPC1 };
1157 uint8_t wupC2[] = { MIFARE_MAGICWUPC2 };
1158 uint8_t wipeC[] = { MIFARE_MAGICWIPEC };
1159
1160 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
1161
1162 // params
1163 uint8_t workFlags = arg0;
1164 uint8_t blockNo = arg1;
1165
1166 Dbprintf("ICE :: CSetBlocks Flags %02x", workFlags);
1167
1168 // variables
1169 uint8_t uid[10] = {0x00};
1170 uint8_t data[18] = {0x00};
1171 uint32_t cuid;
1172
1173 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1174 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1175
1176 if (workFlags & MAGIC_INIT) {
1177 LED_A_ON();
1178 LED_B_OFF();
1179 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1180 clear_trace();
1181 set_tracing(TRUE);
1182 }
1183
1184 // read UID and return to client
1185 if (workFlags & MAGIC_UID) {
1186 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
1187 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1188 OnErrorMagic(MAGIC_UID);
1189 };
1190 };
1191
1192 // wipe tag, fill it with zeros
1193 if (workFlags & MAGIC_WIPE){
1194 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1195 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1196 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
1197 OnErrorMagic(MAGIC_WIPE);
1198 };
1199
1200 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1201 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1202 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wipeC error");
1203 OnErrorMagic(MAGIC_WIPE);
1204 };
1205 };
1206
1207 // write block
1208 if (workFlags & MAGIC_WUPC) {
1209 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1210 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1211 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
1212 OnErrorMagic(MAGIC_WUPC);
1213 };
1214
1215 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1216 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1217 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC2 error");
1218 OnErrorMagic(MAGIC_WUPC);
1219 };
1220 }
1221
1222 if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_WRITEBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1223 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("write block send command error");
1224 OnErrorMagic(4);
1225 };
1226
1227 memcpy(data, datain, 16);
1228 AppendCrc14443a(data, 16);
1229
1230 ReaderTransmit(data, sizeof(data), NULL);
1231 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1232 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("write block send data error");
1233 OnErrorMagic(0);
1234 };
1235
1236 if (workFlags & MAGIC_OFF)
1237 mifare_classic_halt_ex(NULL);
1238
1239 LED_B_ON();
1240 // check if uid is cuid?
1241 cmd_send(CMD_ACK,1,0,0,uid,sizeof(uid));
1242 LED_B_OFF();
1243
1244 if (workFlags & MAGIC_OFF)
1245 OnSuccessMagic();
1246 }
1247
1248 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
1249
1250 uint8_t workFlags = arg0;
1251 uint8_t blockNo = arg1;
1252
1253 // variables
1254 uint8_t data[MAX_MIFARE_FRAME_SIZE];
1255 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1256 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1257
1258 memset(data, 0x00, sizeof(data));
1259
1260 if (workFlags & MAGIC_INIT) {
1261 LED_A_ON();
1262 LED_B_OFF();
1263 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1264 clear_trace();
1265 set_tracing(TRUE);
1266 }
1267
1268 if (workFlags & MAGIC_WUPC) {
1269 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1270 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1271 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
1272 OnErrorMagic(MAGIC_WUPC);
1273 };
1274
1275 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1276 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1277 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC2 error");
1278 OnErrorMagic(MAGIC_WUPC);
1279 };
1280 }
1281
1282 // read block
1283 if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_READBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1284 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("read block send command error");
1285 OnErrorMagic(0);
1286 };
1287
1288 memcpy(data, receivedAnswer, sizeof(data));
1289
1290 // send HALT
1291 if (workFlags & MAGIC_HALT)
1292 mifare_classic_halt_ex(NULL);
1293
1294 LED_B_ON();
1295
1296 // if MAGIC_DATAIN, the data stays on device side.
1297 if (workFlags & MAGIC_DATAIN)
1298 memcpy(datain, data, sizeof(data));
1299 else
1300 cmd_send(CMD_ACK,1,0,0,data,sizeof(data));
1301
1302 LED_B_OFF();
1303
1304 if (workFlags & MAGIC_OFF)
1305 OnSuccessMagic();
1306 }
1307
1308 void MifareCIdent(){
1309
1310 // variables
1311 byte_t isOK = 1;
1312 uint8_t receivedAnswer[1];
1313 uint8_t receivedAnswerPar[1];
1314
1315 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1316 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1317 isOK = 0;
1318 };
1319
1320 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1321 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1322 isOK = 0;
1323 };
1324
1325 // removed the if, since some magic tags misbehavies and send an answer to it.
1326 mifare_classic_halt(NULL, 0);
1327 cmd_send(CMD_ACK,isOK,0,0,0,0);
1328 }
1329
1330 void OnSuccessMagic(){
1331 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1332 LEDsoff();
1333 set_tracing(FALSE);
1334 }
1335 void OnErrorMagic(uint8_t reason){
1336 // ACK, ISOK, reason,0,0,0
1337 cmd_send(CMD_ACK,0,reason,0,0,0);
1338 OnSuccessMagic();
1339 }
1340
1341 void MifareCollectNonces(uint32_t arg0, uint32_t arg1){
1342 }
1343
1344 //
1345 // DESFIRE
1346 //
1347
1348 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1349
1350 byte_t dataout[11] = {0x00};
1351 uint8_t uid[10] = {0x00};
1352 uint32_t cuid = 0x00;
1353
1354 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1355 clear_trace();
1356
1357 int len = iso14443a_select_card(uid, NULL, &cuid, true, 0);
1358 if(!len) {
1359 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1360 OnError(1);
1361 return;
1362 };
1363
1364 if(mifare_desfire_des_auth1(cuid, dataout)){
1365 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1366 OnError(4);
1367 return;
1368 }
1369
1370 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1371 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1372 }
1373
1374 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1375
1376 uint32_t cuid = arg0;
1377 uint8_t key[16] = {0x00};
1378 byte_t dataout[12] = {0x00};
1379 byte_t isOK = 0;
1380
1381 memcpy(key, datain, 16);
1382
1383 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1384
1385 if( isOK) {
1386 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");
1387 OnError(4);
1388 return;
1389 }
1390
1391 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
1392
1393 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1394 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1395 LEDsoff();
1396 }
Proxmark3 GIT tracking
Impressum, Datenschutz