]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
First check in.
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "desfire.h"
20 #include "../common/crc.h"
21
22 //-----------------------------------------------------------------------------
23 // Select, Authenticaate, Read an MIFARE tag.
24 // read block
25 //-----------------------------------------------------------------------------
26 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
27 {
28 // params
29 uint8_t blockNo = arg0;
30 uint8_t keyType = arg1;
31 uint64_t ui64Key = 0;
32 ui64Key = bytes_to_num(datain, 6);
33
34 // variables
35 byte_t isOK = 0;
36 byte_t dataoutbuf[16];
37 uint8_t uid[10];
38 uint32_t cuid;
39 struct Crypto1State mpcs = {0, 0};
40 struct Crypto1State *pcs;
41 pcs = &mpcs;
42
43 // clear trace
44 iso14a_clear_trace();
45 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
46
47 LED_A_ON();
48 LED_B_OFF();
49 LED_C_OFF();
50
51 while (true) {
52 if(!iso14443a_select_card(uid, NULL, &cuid)) {
53 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
54 break;
55 };
56
57 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
58 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
59 break;
60 };
61
62 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
63 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
64 break;
65 };
66
67 if(mifare_classic_halt(pcs, cuid)) {
68 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
69 break;
70 };
71
72 isOK = 1;
73 break;
74 }
75
76 // ----------------------------- crypto1 destroy
77 crypto1_destroy(pcs);
78
79 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
80
81 LED_B_ON();
82 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
83 LED_B_OFF();
84
85 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
86 LEDsoff();
87 }
88
89
90 void MifareUC_Auth1(uint8_t arg0, uint8_t *datain){
91 // variables
92 byte_t isOK = 0;
93 byte_t dataoutbuf[16];
94 uint8_t uid[10];
95 uint32_t cuid;
96
97 // clear trace
98 iso14a_clear_trace();
99 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
100
101 LED_A_ON();
102 LED_B_OFF();
103 LED_C_OFF();
104
105
106 if(!iso14443a_select_card(uid, NULL, &cuid)) {
107 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card, something went wrong before auth");
108 };
109
110
111
112
113 if(mifare_ultra_auth1(cuid, dataoutbuf)){
114 if (MF_DBGLEVEL >= 1) Dbprintf("Authentication part1: Fail.");
115 }
116
117 isOK=1;
118 if (MF_DBGLEVEL >= 2) DbpString("AUTH 1 FINISHED");
119
120 LED_B_ON();
121 cmd_send(CMD_ACK,isOK,cuid,0,dataoutbuf,11);
122 LED_B_OFF();
123
124 // Thats it...
125 LEDsoff();
126 }
127 void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){
128 // params
129 uint32_t cuid = arg0;
130 uint8_t key[16]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
131 // variables
132 byte_t isOK = 0;
133 byte_t dataoutbuf[16];
134
135 memcpy(key, datain, 16);
136
137 LED_A_ON();
138 LED_B_OFF();
139 LED_C_OFF();
140
141 if(mifare_ultra_auth2(cuid, key, dataoutbuf)){
142 if (MF_DBGLEVEL >= 1) Dbprintf("Authentication part2: Fail...");
143 }
144 isOK=1;
145 if (MF_DBGLEVEL >= 2) DbpString("AUTH 2 FINISHED");
146
147 LED_B_ON();
148 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,11);
149 LED_B_OFF();
150
151 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
152 LEDsoff();
153 }
154
155 void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
156 {
157 // params
158 uint8_t blockNo = arg0;
159
160 // variables
161 byte_t isOK = 0;
162 byte_t dataoutbuf[16];
163 uint8_t uid[10];
164 uint32_t cuid;
165
166 // clear trace
167 iso14a_clear_trace();
168 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
169
170 LED_A_ON();
171 LED_B_OFF();
172 LED_C_OFF();
173
174 while (true) {
175 if(!iso14443a_select_card(uid, NULL, &cuid)) {
176 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
177 break;
178 };
179
180 if(mifare_ultra_readblock(cuid, blockNo, dataoutbuf)) {
181 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
182 break;
183 };
184
185 if(mifare_ultra_halt(cuid)) {
186 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
187 break;
188 };
189
190 isOK = 1;
191 break;
192 }
193
194 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
195
196 LED_B_ON();
197 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
198 LED_B_OFF();
199 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
200 LEDsoff();
201 }
202
203 //-----------------------------------------------------------------------------
204 // Select, Authenticate, Read a MIFARE tag.
205 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
206 //-----------------------------------------------------------------------------
207 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
208 {
209 // params
210 uint8_t sectorNo = arg0;
211 uint8_t keyType = arg1;
212 uint64_t ui64Key = 0;
213 ui64Key = bytes_to_num(datain, 6);
214
215 // variables
216 byte_t isOK = 0;
217 byte_t dataoutbuf[16 * 16];
218 uint8_t uid[10];
219 uint32_t cuid;
220 struct Crypto1State mpcs = {0, 0};
221 struct Crypto1State *pcs;
222 pcs = &mpcs;
223
224 // clear trace
225 iso14a_clear_trace();
226
227 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
228
229 LED_A_ON();
230 LED_B_OFF();
231 LED_C_OFF();
232
233 isOK = 1;
234 if(!iso14443a_select_card(uid, NULL, &cuid)) {
235 isOK = 0;
236 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
237 }
238
239
240 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
241 isOK = 0;
242 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
243 }
244
245 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
246 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
247 isOK = 0;
248 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
249 break;
250 }
251 }
252
253 if(mifare_classic_halt(pcs, cuid)) {
254 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
255 }
256
257 // ----------------------------- crypto1 destroy
258 crypto1_destroy(pcs);
259
260 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
261
262 LED_B_ON();
263 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
264 LED_B_OFF();
265
266 // Thats it...
267 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
268 LEDsoff();
269 }
270
271 void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)
272 {
273 // params
274 uint8_t sectorNo = arg0;
275 int Pages=arg1;
276 int count_Pages=0;
277 // variables
278 byte_t isOK = 0;
279 byte_t dataoutbuf[44 * 4];
280 uint8_t uid[10];
281 uint32_t cuid;
282
283 // clear trace
284 iso14a_clear_trace();
285
286 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
287
288 LED_A_ON();
289 LED_B_OFF();
290 LED_C_OFF();
291 Dbprintf("Pages %d",Pages);
292 while (true) {
293 if(!iso14443a_select_card(uid, NULL, &cuid)) {
294 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
295 break;
296 };
297 for(int sec=0;sec<Pages;sec++){
298 if(mifare_ultra_readblock(cuid, sectorNo * 4 + sec, dataoutbuf + 4 * sec)) {
299 if (MF_DBGLEVEL >= 1) Dbprintf("Read block %d error",sec);
300 break;
301 }else{
302 count_Pages++;
303 };
304 }
305 if(mifare_ultra_halt(cuid)) {
306 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
307 break;
308 };
309
310 isOK = 1;
311 break;
312 }
313 Dbprintf("Pages read %d",count_Pages);
314 if (MF_DBGLEVEL >= 2) DbpString("READ CARD FINISHED");
315
316 LED_B_ON();
317 if (Pages==16) cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64);
318 if (Pages==44 && count_Pages==16) cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,64);
319 if (Pages==44 && count_Pages>16) cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,176);
320 LED_B_OFF();
321
322 // Thats it...
323 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
324 LEDsoff();
325
326 }
327
328
329 //-----------------------------------------------------------------------------
330 // Select, Authenticate, Write a MIFARE tag.
331 // read block
332 //-----------------------------------------------------------------------------
333 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
334 {
335 // params
336 uint8_t blockNo = arg0;
337 uint8_t keyType = arg1;
338 uint64_t ui64Key = 0;
339 byte_t blockdata[16];
340
341 ui64Key = bytes_to_num(datain, 6);
342 memcpy(blockdata, datain + 10, 16);
343
344 // variables
345 byte_t isOK = 0;
346 uint8_t uid[10];
347 uint32_t cuid;
348 struct Crypto1State mpcs = {0, 0};
349 struct Crypto1State *pcs;
350 pcs = &mpcs;
351
352 // clear trace
353 iso14a_clear_trace();
354
355 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
356
357 LED_A_ON();
358 LED_B_OFF();
359 LED_C_OFF();
360
361 while (true) {
362 if(!iso14443a_select_card(uid, NULL, &cuid)) {
363 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
364 break;
365 };
366
367 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
368 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
369 break;
370 };
371
372 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
373 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
374 break;
375 };
376
377 if(mifare_classic_halt(pcs, cuid)) {
378 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
379 break;
380 };
381
382 isOK = 1;
383 break;
384 }
385
386 // ----------------------------- crypto1 destroy
387 crypto1_destroy(pcs);
388
389 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
390
391 LED_B_ON();
392 cmd_send(CMD_ACK,isOK,0,0,0,0);
393 LED_B_OFF();
394
395
396 // Thats it...
397 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
398 LEDsoff();
399 }
400
401 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
402 {
403 // params
404 uint8_t blockNo = arg0;
405 byte_t blockdata[16];
406
407 memset(blockdata,'\0',16);
408 memcpy(blockdata, datain,16);
409
410 // variables
411 byte_t isOK = 0;
412 uint8_t uid[10];
413 uint32_t cuid;
414
415 // clear trace
416 iso14a_clear_trace();
417
418 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
419
420 LED_A_ON();
421 LED_B_OFF();
422 LED_C_OFF();
423
424 while (true) {
425 if(!iso14443a_select_card(uid, NULL, &cuid)) {
426 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
427 break;
428 };
429
430 if(mifare_ultra_writeblock(cuid, blockNo, blockdata)) {
431 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
432 break;
433 };
434
435 if(mifare_ultra_halt(cuid)) {
436 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
437 break;
438 };
439
440 isOK = 1;
441 break;
442 }
443
444 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
445
446 LED_B_ON();
447 cmd_send(CMD_ACK,isOK,0,0,0,0);
448 LED_B_OFF();
449
450
451 // Thats it...
452 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
453 LEDsoff();
454 // iso14a_set_tracing(TRUE);
455 }
456
457 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
458 {
459 // params
460 uint8_t blockNo = arg0;
461 byte_t blockdata[4];
462
463 memcpy(blockdata, datain,4);
464
465 // variables
466 byte_t isOK = 0;
467 uint8_t uid[10];
468 uint32_t cuid;
469
470 // clear trace
471 iso14a_clear_trace();
472
473 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
474
475 LED_A_ON();
476 LED_B_OFF();
477 LED_C_OFF();
478
479 while (true) {
480 if(!iso14443a_select_card(uid, NULL, &cuid)) {
481 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
482 break;
483 };
484
485 if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) {
486 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
487 break;
488 };
489
490 if(mifare_ultra_halt(cuid)) {
491 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
492 break;
493 };
494
495 isOK = 1;
496 break;
497 }
498
499 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
500
501 LED_B_ON();
502 cmd_send(CMD_ACK,isOK,0,0,0,0);
503 LED_B_OFF();
504
505 // Thats it...
506 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
507 LEDsoff();
508 }
509
510 // Return 1 if the nonce is invalid else return 0
511 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {
512 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
513 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
514 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
515 }
516
517
518 //-----------------------------------------------------------------------------
519 // MIFARE nested authentication.
520 //
521 //-----------------------------------------------------------------------------
522 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
523 {
524 // params
525 uint8_t blockNo = arg0 & 0xff;
526 uint8_t keyType = (arg0 >> 8) & 0xff;
527 uint8_t targetBlockNo = arg1 & 0xff;
528 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
529 uint64_t ui64Key = 0;
530
531 ui64Key = bytes_to_num(datain, 6);
532
533 // variables
534 uint16_t rtr, i, j, len;
535 uint16_t davg;
536 static uint16_t dmin, dmax;
537 uint8_t uid[10];
538 uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;
539 uint32_t target_nt[2], target_ks[2];
540
541 uint8_t par_array[4];
542 uint16_t ncount = 0;
543 struct Crypto1State mpcs = {0, 0};
544 struct Crypto1State *pcs;
545 pcs = &mpcs;
546 uint8_t* receivedAnswer = mifare_get_bigbufptr();
547
548 uint32_t auth1_time, auth2_time;
549 static uint16_t delta_time;
550
551 // clear trace
552 iso14a_clear_trace();
553 iso14a_set_tracing(false);
554
555 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
556
557 LED_A_ON();
558 LED_C_OFF();
559
560
561 // statistics on nonce distance
562 if (calibrate) { // for first call only. Otherwise reuse previous calibration
563 LED_B_ON();
564
565 davg = dmax = 0;
566 dmin = 2000;
567 delta_time = 0;
568
569 for (rtr = 0; rtr < 17; rtr++) {
570
571 // prepare next select. No need to power down the card.
572 if(mifare_classic_halt(pcs, cuid)) {
573 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
574 rtr--;
575 continue;
576 }
577
578 if(!iso14443a_select_card(uid, NULL, &cuid)) {
579 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
580 rtr--;
581 continue;
582 };
583
584 auth1_time = 0;
585 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
586 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
587 rtr--;
588 continue;
589 };
590
591 if (delta_time) {
592 auth2_time = auth1_time + delta_time;
593 } else {
594 auth2_time = 0;
595 }
596 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
597 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
598 rtr--;
599 continue;
600 };
601
602 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
603 for (i = 101; i < 1200; i++) {
604 nttmp = prng_successor(nttmp, 1);
605 if (nttmp == nt2) break;
606 }
607
608 if (i != 1200) {
609 if (rtr != 0) {
610 davg += i;
611 dmin = MIN(dmin, i);
612 dmax = MAX(dmax, i);
613 }
614 else {
615 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
616 }
617 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
618 }
619 }
620
621 if (rtr <= 1) return;
622
623 davg = (davg + (rtr - 1)/2) / (rtr - 1);
624
625 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
626
627 dmin = davg - 2;
628 dmax = davg + 2;
629
630 LED_B_OFF();
631
632 }
633 // -------------------------------------------------------------------------------------------------
634
635 LED_C_ON();
636
637 // get crypted nonces for target sector
638 for(i=0; i < 2; i++) { // look for exactly two different nonces
639
640 target_nt[i] = 0;
641 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
642
643 // prepare next select. No need to power down the card.
644 if(mifare_classic_halt(pcs, cuid)) {
645 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
646 continue;
647 }
648
649 if(!iso14443a_select_card(uid, NULL, &cuid)) {
650 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
651 continue;
652 };
653
654 auth1_time = 0;
655 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
656 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
657 continue;
658 };
659
660 // nested authentication
661 auth2_time = auth1_time + delta_time;
662 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par, &auth2_time);
663 if (len != 4) {
664 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
665 continue;
666 };
667
668 nt2 = bytes_to_num(receivedAnswer, 4);
669 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par);
670
671 // Parity validity check
672 for (j = 0; j < 4; j++) {
673 par_array[j] = (oddparity(receivedAnswer[j]) != ((par & 0x08) >> 3));
674 par = par << 1;
675 }
676
677 ncount = 0;
678 nttest = prng_successor(nt1, dmin - 1);
679 for (j = dmin; j < dmax + 1; j++) {
680 nttest = prng_successor(nttest, 1);
681 ks1 = nt2 ^ nttest;
682
683 if (valid_nonce(nttest, nt2, ks1, par_array)){
684 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
685 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
686 target_nt[i] = 0;
687 break;
688 }
689 target_nt[i] = nttest;
690 target_ks[i] = ks1;
691 ncount++;
692 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
693 target_nt[i] = 0;
694 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
695 break;
696 }
697 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
698 }
699 }
700 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
701 }
702 }
703
704 LED_C_OFF();
705
706 // ----------------------------- crypto1 destroy
707 crypto1_destroy(pcs);
708
709 // add trace trailer
710 memset(uid, 0x44, 4);
711 LogTrace(uid, 4, 0, 0, TRUE);
712
713 byte_t buf[4 + 4 * 4];
714 memcpy(buf, &cuid, 4);
715 memcpy(buf+4, &target_nt[0], 4);
716 memcpy(buf+8, &target_ks[0], 4);
717 memcpy(buf+12, &target_nt[1], 4);
718 memcpy(buf+16, &target_ks[1], 4);
719
720 LED_B_ON();
721 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
722 LED_B_OFF();
723
724 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
725
726 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
727 LEDsoff();
728 iso14a_set_tracing(TRUE);
729 }
730
731 //-----------------------------------------------------------------------------
732 // MIFARE check keys. key count up to 85.
733 //
734 //-----------------------------------------------------------------------------
735 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
736 {
737 // params
738 uint8_t blockNo = arg0;
739 uint8_t keyType = arg1;
740 uint8_t keyCount = arg2;
741 uint64_t ui64Key = 0;
742
743 // variables
744 int i;
745 byte_t isOK = 0;
746 uint8_t uid[10];
747 uint32_t cuid;
748 struct Crypto1State mpcs = {0, 0};
749 struct Crypto1State *pcs;
750 pcs = &mpcs;
751
752 // clear debug level
753 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
754 MF_DBGLEVEL = MF_DBG_NONE;
755
756 // clear trace
757 iso14a_clear_trace();
758 iso14a_set_tracing(TRUE);
759
760 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
761
762 LED_A_ON();
763 LED_B_OFF();
764 LED_C_OFF();
765
766 for (i = 0; i < keyCount; i++) {
767 if(mifare_classic_halt(pcs, cuid)) {
768 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
769 }
770
771 if(!iso14443a_select_card(uid, NULL, &cuid)) {
772 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
773 break;
774 };
775
776 ui64Key = bytes_to_num(datain + i * 6, 6);
777 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
778 continue;
779 };
780
781 isOK = 1;
782 break;
783 }
784
785 // ----------------------------- crypto1 destroy
786 crypto1_destroy(pcs);
787
788 LED_B_ON();
789 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
790 LED_B_OFF();
791
792 // Thats it...
793 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
794 LEDsoff();
795
796 // restore debug level
797 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
798 }
799
800 //-----------------------------------------------------------------------------
801 // MIFARE commands set debug level
802 //
803 //-----------------------------------------------------------------------------
804 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
805 MF_DBGLEVEL = arg0;
806 Dbprintf("Debug level: %d", MF_DBGLEVEL);
807 }
808
809 //-----------------------------------------------------------------------------
810 // Work with emulator memory
811 //
812 //-----------------------------------------------------------------------------
813 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
814 emlClearMem();
815 }
816
817 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
818 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
819 }
820
821 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
822 byte_t buf[48];
823 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
824
825 LED_B_ON();
826 cmd_send(CMD_ACK,arg0,arg1,0,buf,48);
827 LED_B_OFF();
828 }
829
830 //-----------------------------------------------------------------------------
831 // Load a card into the emulator memory
832 //
833 //-----------------------------------------------------------------------------
834 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
835 uint8_t numSectors = arg0;
836 uint8_t keyType = arg1;
837 uint64_t ui64Key = 0;
838 uint32_t cuid;
839 struct Crypto1State mpcs = {0, 0};
840 struct Crypto1State *pcs;
841 pcs = &mpcs;
842
843 // variables
844 byte_t dataoutbuf[16];
845 byte_t dataoutbuf2[16];
846 uint8_t uid[10];
847
848 // clear trace
849 iso14a_clear_trace();
850 iso14a_set_tracing(false);
851
852 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
853
854 LED_A_ON();
855 LED_B_OFF();
856 LED_C_OFF();
857
858 bool isOK = true;
859
860 if(!iso14443a_select_card(uid, NULL, &cuid)) {
861 isOK = false;
862 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
863 }
864
865 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
866 ui64Key = emlGetKey(sectorNo, keyType);
867 if (sectorNo == 0){
868 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
869 isOK = false;
870 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
871 break;
872 }
873 } else {
874 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
875 isOK = false;
876 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
877 break;
878 }
879 }
880
881 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
882 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
883 isOK = false;
884 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
885 break;
886 };
887 if (isOK) {
888 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
889 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
890 } else { // sector trailer, keep the keys, set only the AC
891 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
892 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
893 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
894 }
895 }
896 }
897
898 }
899
900 if(mifare_classic_halt(pcs, cuid)) {
901 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
902 };
903
904 // ----------------------------- crypto1 destroy
905 crypto1_destroy(pcs);
906
907 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
908 LEDsoff();
909
910 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
911
912 }
913
914
915 //-----------------------------------------------------------------------------
916 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
917 //
918 //-----------------------------------------------------------------------------
919 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
920
921 // params
922 uint8_t needWipe = arg0;
923 // bit 0 - need get UID
924 // bit 1 - need wupC
925 // bit 2 - need HALT after sequence
926 // bit 3 - need init FPGA and field before sequence
927 // bit 4 - need reset FPGA and LED
928 uint8_t workFlags = arg1;
929 uint8_t blockNo = arg2;
930
931 // card commands
932 uint8_t wupC1[] = { 0x40 };
933 uint8_t wupC2[] = { 0x43 };
934 uint8_t wipeC[] = { 0x41 };
935
936 // variables
937 byte_t isOK = 0;
938 uint8_t uid[10];
939 uint8_t d_block[18];
940 uint32_t cuid;
941
942 memset(uid, 0x00, 10);
943 uint8_t* receivedAnswer = mifare_get_bigbufptr();
944
945 if (workFlags & 0x08) {
946 // clear trace
947 iso14a_clear_trace();
948 iso14a_set_tracing(TRUE);
949
950 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
951
952 LED_A_ON();
953 LED_B_OFF();
954 LED_C_OFF();
955
956 SpinDelay(300);
957 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
958 SpinDelay(100);
959 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
960 }
961
962 while (true) {
963 // get UID from chip
964 if (workFlags & 0x01) {
965 if(!iso14443a_select_card(uid, NULL, &cuid)) {
966 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
967 break;
968 };
969
970 if(mifare_classic_halt(NULL, cuid)) {
971 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
972 break;
973 };
974 };
975
976 // reset chip
977 if (needWipe){
978 ReaderTransmitBitsPar(wupC1,7,0, NULL);
979 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
980 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
981 break;
982 };
983
984 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
985 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
986 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
987 break;
988 };
989
990 if(mifare_classic_halt(NULL, cuid)) {
991 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
992 break;
993 };
994 };
995
996 // write block
997 if (workFlags & 0x02) {
998 ReaderTransmitBitsPar(wupC1,7,0, NULL);
999 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
1000 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1001 break;
1002 };
1003
1004 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1005 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
1006 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1007 break;
1008 };
1009 }
1010
1011 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1012 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1013 break;
1014 };
1015
1016 memcpy(d_block, datain, 16);
1017 AppendCrc14443a(d_block, 16);
1018
1019 ReaderTransmit(d_block, sizeof(d_block), NULL);
1020 if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) {
1021 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1022 break;
1023 };
1024
1025 if (workFlags & 0x04) {
1026 if (mifare_classic_halt(NULL, cuid)) {
1027 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1028 break;
1029 };
1030 }
1031
1032 isOK = 1;
1033 break;
1034 }
1035
1036 LED_B_ON();
1037 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1038 LED_B_OFF();
1039
1040 if ((workFlags & 0x10) || (!isOK)) {
1041 // Thats it...
1042 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1043 LEDsoff();
1044 }
1045 }
1046
1047
1048 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1049
1050 // params
1051 // bit 1 - need wupC
1052 // bit 2 - need HALT after sequence
1053 // bit 3 - need init FPGA and field before sequence
1054 // bit 4 - need reset FPGA and LED
1055 uint8_t workFlags = arg0;
1056 uint8_t blockNo = arg2;
1057
1058 // card commands
1059 uint8_t wupC1[] = { 0x40 };
1060 uint8_t wupC2[] = { 0x43 };
1061
1062 // variables
1063 byte_t isOK = 0;
1064 uint8_t data[18];
1065 uint32_t cuid = 0;
1066
1067 memset(data, 0x00, 18);
1068 uint8_t* receivedAnswer = mifare_get_bigbufptr();
1069
1070 if (workFlags & 0x08) {
1071 // clear trace
1072 iso14a_clear_trace();
1073 iso14a_set_tracing(TRUE);
1074
1075 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1076
1077 LED_A_ON();
1078 LED_B_OFF();
1079 LED_C_OFF();
1080
1081 SpinDelay(300);
1082 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1083 SpinDelay(100);
1084 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1085 }
1086
1087 while (true) {
1088 if (workFlags & 0x02) {
1089 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1090 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
1091 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1092 break;
1093 };
1094
1095 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1096 if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) {
1097 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1098 break;
1099 };
1100 }
1101
1102 // read block
1103 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, NULL) != 18)) {
1104 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1105 break;
1106 };
1107 memcpy(data, receivedAnswer, 18);
1108
1109 if (workFlags & 0x04) {
1110 if (mifare_classic_halt(NULL, cuid)) {
1111 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1112 break;
1113 };
1114 }
1115
1116 isOK = 1;
1117 break;
1118 }
1119
1120 LED_B_ON();
1121 cmd_send(CMD_ACK,isOK,0,0,data,18);
1122 LED_B_OFF();
1123
1124 if ((workFlags & 0x10) || (!isOK)) {
1125 // Thats it...
1126 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1127 LEDsoff();
1128 }
1129 }
1130
Proxmark3 GIT tracking
Impressum, Datenschutz