]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfhitag.c
Mfp read plain (#704)
[proxmark3-svn] / client / cmdlfhitag.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2012 Roel Verdult
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency Hitag support
9 //-----------------------------------------------------------------------------
10
11 #include "cmdlfhitag.h"
12
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include "comms.h"
17 #include "ui.h"
18 #include "cmdparser.h"
19 #include "common.h"
20 #include "util.h"
21 #include "parity.h"
22 #include "hitag2.h"
23 #include "hitagS.h"
24 #include "cmdmain.h"
25
26 static int CmdHelp(const char *Cmd);
27
28 size_t nbytes(size_t nbits) {
29 return (nbits/8)+((nbits%8)>0);
30 }
31
32 int CmdLFHitagList(const char *Cmd)
33 {
34 uint8_t *got = malloc(USB_CMD_DATA_SIZE);
35
36 // Query for the actual size of the trace
37 UsbCommand response;
38 GetFromBigBuf(got, USB_CMD_DATA_SIZE, 0, &response, -1, false);
39 uint16_t traceLen = response.arg[2];
40 if (traceLen > USB_CMD_DATA_SIZE) {
41 uint8_t *p = realloc(got, traceLen);
42 if (p == NULL) {
43 PrintAndLog("Cannot allocate memory for trace");
44 free(got);
45 return 2;
46 }
47 got = p;
48 GetFromBigBuf(got, traceLen, 0, NULL, -1, false);
49 }
50
51 PrintAndLog("recorded activity (TraceLen = %d bytes):");
52 PrintAndLog(" ETU :nbits: who bytes");
53 PrintAndLog("---------+-----+----+-----------");
54
55 int i = 0;
56 int prev = -1;
57 int len = strlen(Cmd);
58
59 char filename[FILE_PATH_SIZE] = { 0x00 };
60 FILE* pf = NULL;
61
62 if (len > FILE_PATH_SIZE)
63 len = FILE_PATH_SIZE;
64 memcpy(filename, Cmd, len);
65
66 if (strlen(filename) > 0) {
67 if ((pf = fopen(filename,"wb")) == NULL) {
68 PrintAndLog("Error: Could not open file [%s]",filename);
69 free(got);
70 return 1;
71 }
72 }
73
74 for (;;) {
75
76 if(i > traceLen) { break; }
77
78 bool isResponse;
79 int timestamp = *((uint32_t *)(got+i));
80 if (timestamp & 0x80000000) {
81 timestamp &= 0x7fffffff;
82 isResponse = 1;
83 } else {
84 isResponse = 0;
85 }
86
87 int parityBits = *((uint32_t *)(got+i+4));
88 // 4 bytes of additional information...
89 // maximum of 32 additional parity bit information
90 //
91 // TODO:
92 // at each quarter bit period we can send power level (16 levels)
93 // or each half bit period in 256 levels.
94
95 int bits = got[i+8];
96 int len = nbytes(got[i+8]);
97
98 if (len > 100) {
99 break;
100 }
101 if (i + len > traceLen) { break;}
102
103 uint8_t *frame = (got+i+9);
104
105 // Break and stick with current result if buffer was not completely full
106 if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
107
108 char line[1000] = "";
109 int j;
110 for (j = 0; j < len; j++) {
111
112 //if((parityBits >> (len - j - 1)) & 0x01) {
113 if (isResponse && (oddparity8(frame[j]) != ((parityBits >> (len - j - 1)) & 0x01))) {
114 sprintf(line+(j*4), "%02x! ", frame[j]);
115 }
116 else {
117 sprintf(line+(j*4), "%02x ", frame[j]);
118 }
119 }
120
121 PrintAndLog(" +%7d: %3d: %s %s",
122 (prev < 0 ? 0 : (timestamp - prev)),
123 bits,
124 (isResponse ? "TAG" : " "),
125 line);
126
127 if (pf) {
128 fprintf(pf," +%7d: %3d: %s %s\n",
129 (prev < 0 ? 0 : (timestamp - prev)),
130 bits,
131 (isResponse ? "TAG" : " "),
132 line);
133 }
134
135 prev = timestamp;
136 i += (len + 9);
137 }
138
139 if (pf) {
140 fclose(pf);
141 PrintAndLog("Recorded activity succesfully written to file: %s", filename);
142 }
143
144 free(got);
145 return 0;
146 }
147
148 int CmdLFHitagSnoop(const char *Cmd) {
149 UsbCommand c = {CMD_SNOOP_HITAG};
150 SendCommand(&c);
151 return 0;
152 }
153
154 int CmdLFHitagSim(const char *Cmd) {
155
156 UsbCommand c = {CMD_SIMULATE_HITAG};
157 char filename[FILE_PATH_SIZE] = { 0x00 };
158 FILE* pf;
159 bool tag_mem_supplied;
160 int len = strlen(Cmd);
161 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
162 memcpy(filename, Cmd, len);
163
164 if (strlen(filename) > 0) {
165 if ((pf = fopen(filename,"rb+")) == NULL) {
166 PrintAndLog("Error: Could not open file [%s]",filename);
167 return 1;
168 }
169 tag_mem_supplied = true;
170 if (fread(c.d.asBytes,1,48,pf) != 48) {
171 PrintAndLog("Error: File reading error");
172 fclose(pf);
173 return 1;
174 }
175 fclose(pf);
176 } else {
177 tag_mem_supplied = false;
178 }
179
180 // Does the tag comes with memory
181 c.arg[0] = (uint32_t)tag_mem_supplied;
182
183 SendCommand(&c);
184 return 0;
185 }
186
187 int CmdLFHitagReader(const char *Cmd) {
188 UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}};
189 hitag_data* htd = (hitag_data*)c.d.asBytes;
190 hitag_function htf = param_get32ex(Cmd,0,0,10);
191
192 switch (htf) {
193 case 01: { //RHTSF_CHALLENGE
194 c = (UsbCommand){ CMD_READ_HITAG_S };
195 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
196 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
197 } break;
198 case 02: { //RHTSF_KEY
199 c = (UsbCommand){ CMD_READ_HITAG_S };
200 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
201 } break;
202 case RHT2F_PASSWORD: {
203 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->pwd.password);
204 } break;
205 case RHT2F_AUTHENTICATE: {
206 num_to_bytes(param_get32ex(Cmd,1,0,16),4,htd->auth.NrAr);
207 num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
208 } break;
209 case RHT2F_CRYPTO: {
210 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
211 // num_to_bytes(param_get32ex(Cmd,2,0,16),4,htd->auth.NrAr+4);
212 } break;
213 case RHT2F_TEST_AUTH_ATTEMPTS: {
214 // No additional parameters needed
215 } break;
216 case RHT2F_UID_ONLY: {
217 // No additional parameters needed
218 } break;
219 default: {
220 PrintAndLog("\nError: unkown reader function %d",htf);
221 PrintAndLog("");
222 PrintAndLog("Usage: hitag reader <Reader Function #>");
223 PrintAndLog("Reader Functions:");
224 PrintAndLog(" HitagS (0*)");
225 PrintAndLog(" 01 <nr> <ar> (Challenge) read all pages from a Hitag S tag");
226 PrintAndLog(" 02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag");
227 PrintAndLog(" Hitag1 (1*)");
228 PrintAndLog(" Hitag2 (2*)");
229 PrintAndLog(" 21 <password> (password mode)");
230 PrintAndLog(" 22 <nr> <ar> (authentication)");
231 PrintAndLog(" 23 <key> (authentication) key is in format: ISK high + ISK low");
232 PrintAndLog(" 25 (test recorded authentications)");
233 PrintAndLog(" 26 just read UID");
234 return 1;
235 } break;
236 }
237
238 // Copy the hitag2 function into the first argument
239 c.arg[0] = htf;
240
241 // Send the command to the proxmark
242 clearCommandBuffer();
243 SendCommand(&c);
244
245 UsbCommand resp;
246 WaitForResponse(CMD_ACK,&resp);
247
248 // Check the return status, stored in the first argument
249 if (resp.arg[0] == false) return 1;
250
251 uint32_t id = bytes_to_num(resp.d.asBytes,4);
252
253 if (htf == RHT2F_UID_ONLY){
254 PrintAndLog("Valid Hitag2 tag found - UID: %08x",id);
255 } else {
256 char filename[256];
257 FILE* pf = NULL;
258
259 sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff));
260 if ((pf = fopen(filename,"wb")) == NULL) {
261 PrintAndLog("Error: Could not open file [%s]",filename);
262 return 1;
263 }
264
265 // Write the 48 tag memory bytes to file and finalize
266 fwrite(resp.d.asBytes,1,48,pf);
267 fclose(pf);
268
269 PrintAndLog("Succesfully saved tag memory to [%s]",filename);
270 }
271
272
273 return 0;
274 }
275
276
277 int CmdLFHitagSimS(const char *Cmd) {
278 UsbCommand c = { CMD_SIMULATE_HITAG_S };
279 char filename[FILE_PATH_SIZE] = { 0x00 };
280 FILE* pf;
281 bool tag_mem_supplied;
282 int len = strlen(Cmd);
283 if (len > FILE_PATH_SIZE)
284 len = FILE_PATH_SIZE;
285 memcpy(filename, Cmd, len);
286
287 if (strlen(filename) > 0) {
288 if ((pf = fopen(filename, "rb+")) == NULL) {
289 PrintAndLog("Error: Could not open file [%s]", filename);
290 return 1;
291 }
292 tag_mem_supplied = true;
293 if (fread(c.d.asBytes, 1, 4*64, pf) != 4*64) {
294 PrintAndLog("Error: File reading error");
295 fclose(pf);
296 return 1;
297 }
298 fclose(pf);
299 } else {
300 tag_mem_supplied = false;
301 }
302
303 // Does the tag comes with memory
304 c.arg[0] = (uint32_t) tag_mem_supplied;
305
306 SendCommand(&c);
307 return 0;
308 }
309
310 int CmdLFHitagCheckChallenges(const char *Cmd) {
311 UsbCommand c = { CMD_TEST_HITAGS_TRACES };
312 char filename[FILE_PATH_SIZE] = { 0x00 };
313 FILE* pf;
314 bool file_given;
315 int len = strlen(Cmd);
316 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
317 memcpy(filename, Cmd, len);
318
319 if (strlen(filename) > 0) {
320 if ((pf = fopen(filename,"rb+")) == NULL) {
321 PrintAndLog("Error: Could not open file [%s]",filename);
322 return 1;
323 }
324 file_given = true;
325 if (fread(c.d.asBytes,1,8*60,pf) != 8*60) {
326 PrintAndLog("Error: File reading error");
327 fclose(pf);
328 return 1;
329 }
330 fclose(pf);
331 } else {
332 file_given = false;
333 }
334
335 //file with all the challenges to try
336 c.arg[0] = (uint32_t)file_given;
337
338 SendCommand(&c);
339 return 0;
340 }
341
342
343 int CmdLFHitagWP(const char *Cmd) {
344 UsbCommand c = { CMD_WR_HITAG_S };
345 hitag_data* htd = (hitag_data*)c.d.asBytes;
346 hitag_function htf = param_get32ex(Cmd,0,0,10);
347 switch (htf) {
348 case 03: { //WHTSF_CHALLENGE
349 num_to_bytes(param_get64ex(Cmd,1,0,16),8,htd->auth.NrAr);
350 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
351 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->auth.data);
352 } break;
353 case 04:
354 case 24:
355 { //WHTSF_KEY
356 num_to_bytes(param_get64ex(Cmd,1,0,16),6,htd->crypto.key);
357 c.arg[2]= param_get32ex(Cmd, 2, 0, 10);
358 num_to_bytes(param_get32ex(Cmd,3,0,16),4,htd->crypto.data);
359
360 } break;
361 default: {
362 PrintAndLog("Error: unkown writer function %d",htf);
363 PrintAndLog("Hitag writer functions");
364 PrintAndLog(" HitagS (0*)");
365 PrintAndLog(" 03 <nr,ar> (Challenge) <page> <byte0...byte3> write page on a Hitag S tag");
366 PrintAndLog(" 04 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
367 PrintAndLog(" Hitag1 (1*)");
368 PrintAndLog(" Hitag2 (2*)");
369 PrintAndLog(" 24 <key> (set to 0 if no authentication is needed) <page> <byte0...byte3> write page on a Hitag S tag");
370 return 1;
371 } break;
372 }
373 // Copy the hitag function into the first argument
374 c.arg[0] = htf;
375
376 // Send the command to the proxmark
377 SendCommand(&c);
378
379 UsbCommand resp;
380 WaitForResponse(CMD_ACK,&resp);
381
382 // Check the return status, stored in the first argument
383 if (resp.arg[0] == false) return 1;
384 return 0;
385 }
386
387
388 static command_t CommandTable[] =
389 {
390 {"help", CmdHelp, 1, "This help"},
391 {"list", CmdLFHitagList, 1, "<outfile> List Hitag trace history"},
392 {"reader", CmdLFHitagReader, 1, "Act like a Hitag Reader"},
393 {"sim", CmdLFHitagSim, 1, "<infile> Simulate Hitag transponder"},
394 {"snoop", CmdLFHitagSnoop, 1, "Eavesdrop Hitag communication"},
395 {"writer", CmdLFHitagWP, 1, "Act like a Hitag Writer" },
396 {"simS", CmdLFHitagSimS, 1, "<hitagS.hts> Simulate HitagS transponder" },
397 {"checkChallenges", CmdLFHitagCheckChallenges, 1, "<challenges.cc> test all challenges" }, {
398 NULL,NULL, 0, NULL }
399 };
400
401 int CmdLFHitag(const char *Cmd)
402 {
403 CmdsParse(CommandTable, Cmd);
404 return 0;
405 }
406
407 int CmdHelp(const char *Cmd)
408 {
409 CmdsHelp(CommandTable);
410 return 0;
411 }
Impressum, Datenschutz