]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifarecmd.c
projects / proxmark3-svn / blob
? search:


fb71b17111c9a8f92490c26917be2614151a13aa
[proxmark3-svn] / armsrc / mifarecmd.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 // Midnitesnake - Dec 2013
6 // Andy Davies - Apr 2014
7 // Iceman - May 2014
8 //
9 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
10 // at your option, any later version. See the LICENSE.txt file for the text of
11 // the license.
12 //-----------------------------------------------------------------------------
13 // Routines to support ISO 14443 type A.
14 //-----------------------------------------------------------------------------
15
16 #include "mifarecmd.h"
17 #include "apps.h"
18 #include "util.h"
19
20 #include "crc.h"
21
22 //-----------------------------------------------------------------------------
23 // Select, Authenticate, Read a MIFARE tag.
24 // read block
25 //-----------------------------------------------------------------------------
26 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
27 {
28 // params
29 uint8_t blockNo = arg0;
30 uint8_t keyType = arg1;
31 uint64_t ui64Key = 0;
32 ui64Key = bytes_to_num(datain, 6);
33
34 // variables
35 byte_t isOK = 0;
36 byte_t dataoutbuf[16];
37 uint8_t uid[10];
38 uint32_t cuid;
39 struct Crypto1State mpcs = {0, 0};
40 struct Crypto1State *pcs;
41 pcs = &mpcs;
42
43 // clear trace
44 clear_trace();
45 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
46
47 LED_A_ON();
48 LED_B_OFF();
49 LED_C_OFF();
50
51 while (true) {
52 if(!iso14443a_select_card(uid, NULL, &cuid)) {
53 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
54 break;
55 };
56
57 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
58 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
59 break;
60 };
61
62 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
63 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
64 break;
65 };
66
67 if(mifare_classic_halt(pcs, cuid)) {
68 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
69 break;
70 };
71
72 isOK = 1;
73 break;
74 }
75
76 // ----------------------------- crypto1 destroy
77 crypto1_destroy(pcs);
78
79 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
80
81 LED_B_ON();
82 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
83 LED_B_OFF();
84
85 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
86 LEDsoff();
87 }
88
89
90 void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
91
92 bool turnOffField = (arg0 == 1);
93
94 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
95 clear_trace();
96 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
97
98 if(!iso14443a_select_card(NULL, NULL, NULL)) {
99 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
100 OnError(0);
101 return;
102 };
103
104 if(mifare_ultra_auth(keybytes) == 1){
105 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
106 OnError(1);
107 return;
108 }
109
110 cmd_send(CMD_ACK,1,0,0,0,0);
111
112 if (turnOffField) {
113 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
114 LEDsoff();
115 }
116 }
117
118 // Arg0 = BlockNo,
119 // Arg1 = UsePwd bool
120 // datain = PWD bytes,
121 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
122 {
123 uint8_t blockNo = arg0;
124 byte_t dataout[16] = {0x00};
125 bool useKey = (arg1 == 1); //UL_C
126 bool usePwd = (arg1 == 2); //UL_EV1/NTAG
127
128 LEDsoff();
129 LED_A_ON();
130 clear_trace();
131 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
132
133 int len = iso14443a_select_card(NULL, NULL, NULL);
134 if(!len) {
135 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
136 OnError(1);
137 return;
138 }
139
140 // UL-C authentication
141 if ( useKey ) {
142 uint8_t key[16] = {0x00};
143 memcpy(key, datain, sizeof(key) );
144
145 if ( mifare_ultra_auth(key) == 1 ) {
146 OnError(1);
147 return;
148 }
149 }
150
151 // UL-EV1 / NTAG authentication
152 if (usePwd) {
153 uint8_t pwd[4] = {0x00};
154 memcpy(pwd, datain, 4);
155 uint8_t pack[4] = {0,0,0,0};
156
157 if (mifare_ul_ev1_auth(pwd, pack) == 1){
158 OnError(1);
159 return;
160 }
161 }
162
163 if( mifare_ultra_readblock(blockNo, dataout) ) {
164 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");
165 OnError(2);
166 return;
167 }
168
169 if( mifare_ultra_halt() ) {
170 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
171 OnError(3);
172 return;
173 }
174
175 cmd_send(CMD_ACK,1,0,0,dataout,16);
176 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
177 LEDsoff();
178 }
179 //-----------------------------------------------------------------------------
180 // Select, Authenticate, Read a MIFARE tag.
181 // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
182 //-----------------------------------------------------------------------------
183 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
184 {
185 // params
186 uint8_t sectorNo = arg0;
187 uint8_t keyType = arg1;
188 uint64_t ui64Key = 0;
189 ui64Key = bytes_to_num(datain, 6);
190
191 // variables
192 byte_t isOK = 0;
193 byte_t dataoutbuf[16 * 16];
194 uint8_t uid[10];
195 uint32_t cuid;
196 struct Crypto1State mpcs = {0, 0};
197 struct Crypto1State *pcs;
198 pcs = &mpcs;
199
200 // clear trace
201 clear_trace();
202
203 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
204
205 LED_A_ON();
206 LED_B_OFF();
207 LED_C_OFF();
208
209 isOK = 1;
210 if(!iso14443a_select_card(uid, NULL, &cuid)) {
211 isOK = 0;
212 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
213 }
214
215 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
216 isOK = 0;
217 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
218 }
219
220 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
221 if(mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf + 16 * blockNo)) {
222 isOK = 0;
223 if (MF_DBGLEVEL >= 1) Dbprintf("Read sector %2d block %2d error", sectorNo, blockNo);
224 break;
225 }
226 }
227
228 if(mifare_classic_halt(pcs, cuid)) {
229 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
230 }
231
232 // ----------------------------- crypto1 destroy
233 crypto1_destroy(pcs);
234
235 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
236
237 LED_B_ON();
238 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));
239 LED_B_OFF();
240
241 // Thats it...
242 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
243 LEDsoff();
244 }
245
246 // arg0 = blockNo (start)
247 // arg1 = Pages (number of blocks)
248 // arg2 = useKey
249 // datain = KEY bytes
250 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
251 {
252 // params
253 uint8_t blockNo = arg0;
254 uint16_t blocks = arg1;
255 bool useKey = (arg2 == 1); //UL_C
256 bool usePwd = (arg2 == 2); //UL_EV1/NTAG
257 int countblocks = 0;
258 uint8_t dataout[176] = {0x00};
259
260 LEDsoff();
261 LED_A_ON();
262 clear_trace();
263 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
264
265 int len = iso14443a_select_card(NULL, NULL, NULL);
266 if (!len) {
267 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
268 OnError(1);
269 return;
270 }
271
272 // UL-C authentication
273 if ( useKey ) {
274 uint8_t key[16] = {0x00};
275 memcpy(key, datain, sizeof(key) );
276
277 if ( mifare_ultra_auth(key) == 1 ) {
278 OnError(1);
279 return;
280 }
281 }
282
283 // UL-EV1 / NTAG authentication
284 if (usePwd) {
285 uint8_t pwd[4] = {0x00};
286 memcpy(pwd, datain, sizeof(pwd));
287 uint8_t pack[4] = {0,0,0,0};
288
289 if (mifare_ul_ev1_auth(pwd, pack) == 1){
290 OnError(1);
291 return;
292 }
293 }
294
295 for (int i = 0; i < blocks; i++){
296 len = mifare_ultra_readblock(blockNo * 4 + i, dataout + 4 * i);
297
298 if (len) {
299 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);
300 OnError(2);
301 return;
302 } else {
303 countblocks++;
304 }
305 }
306
307 len = mifare_ultra_halt();
308 if (len) {
309 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
310 OnError(3);
311 return;
312 }
313
314 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);
315
316 len = blocks*4;
317
318 cmd_send(CMD_ACK, 1, len, 0, dataout, len);
319 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
320 LEDsoff();
321 }
322
323 //-----------------------------------------------------------------------------
324 // Select, Authenticate, Write a MIFARE tag.
325 // read block
326 //-----------------------------------------------------------------------------
327 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
328 {
329 // params
330 uint8_t blockNo = arg0;
331 uint8_t keyType = arg1;
332 uint64_t ui64Key = 0;
333 byte_t blockdata[16];
334
335 ui64Key = bytes_to_num(datain, 6);
336 memcpy(blockdata, datain + 10, 16);
337
338 // variables
339 byte_t isOK = 0;
340 uint8_t uid[10];
341 uint32_t cuid;
342 struct Crypto1State mpcs = {0, 0};
343 struct Crypto1State *pcs;
344 pcs = &mpcs;
345
346 // clear trace
347 clear_trace();
348
349 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
350
351 LED_A_ON();
352 LED_B_OFF();
353 LED_C_OFF();
354
355 while (true) {
356 if(!iso14443a_select_card(uid, NULL, &cuid)) {
357 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
358 break;
359 };
360
361 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
362 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
363 break;
364 };
365
366 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
367 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
368 break;
369 };
370
371 if(mifare_classic_halt(pcs, cuid)) {
372 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
373 break;
374 };
375
376 isOK = 1;
377 break;
378 }
379
380 // ----------------------------- crypto1 destroy
381 crypto1_destroy(pcs);
382
383 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
384
385 LED_B_ON();
386 cmd_send(CMD_ACK,isOK,0,0,0,0);
387 LED_B_OFF();
388
389
390 // Thats it...
391 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
392 LEDsoff();
393 }
394
395
396 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
397 {
398 uint8_t blockNo = arg0;
399 byte_t blockdata[16] = {0x00};
400
401 memcpy(blockdata, datain, 16);
402
403 uint8_t uid[10] = {0x00};
404
405 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
406
407 clear_trace();
408 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
409
410 if(!iso14443a_select_card(uid, NULL, NULL)) {
411 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
412 OnError(0);
413 return;
414 };
415
416 if(mifare_ultra_writeblock(blockNo, blockdata)) {
417 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
418 OnError(0);
419 return; };
420
421 if(mifare_ultra_halt()) {
422 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
423 OnError(0);
424 return;
425 };
426
427 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
428
429 cmd_send(CMD_ACK,1,0,0,0,0);
430 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
431 LEDsoff();
432 }
433
434 void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
435 {
436 uint8_t blockNo = arg0;
437 byte_t blockdata[4] = {0x00};
438 uint8_t uid[10] = {0x00};
439
440 memcpy(blockdata, datain,4);
441
442 LEDsoff();
443 LED_A_ON();
444 clear_trace();
445 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
446
447 if(!iso14443a_select_card(uid, NULL, NULL)) {
448 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
449 OnError(0);
450 return;
451 };
452
453 if(mifare_ultra_special_writeblock(blockNo, blockdata)) {
454 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
455 OnError(0);
456 return;
457 };
458
459 if(mifare_ultra_halt()) {
460 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
461 OnError(0);
462 return;
463 };
464
465 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
466
467 cmd_send(CMD_ACK,1,0,0,0,0);
468 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
469 LEDsoff();
470 }
471
472 void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
473
474 uint8_t pwd[16] = {0x00};
475 byte_t blockdata[4] = {0x00};
476
477 memcpy(pwd, datain, 16);
478
479 LED_A_ON(); LED_B_OFF(); LED_C_OFF();
480 clear_trace();
481 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
482
483 if(!iso14443a_select_card(NULL, NULL, NULL)) {
484 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
485 OnError(0);
486 return;
487 };
488
489 blockdata[0] = pwd[7];
490 blockdata[1] = pwd[6];
491 blockdata[2] = pwd[5];
492 blockdata[3] = pwd[4];
493 if(mifare_ultra_special_writeblock( 44, blockdata)) {
494 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
495 OnError(44);
496 return;
497 };
498
499 blockdata[0] = pwd[3];
500 blockdata[1] = pwd[2];
501 blockdata[2] = pwd[1];
502 blockdata[3] = pwd[0];
503 if(mifare_ultra_special_writeblock( 45, blockdata)) {
504 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
505 OnError(45);
506 return;
507 };
508
509 blockdata[0] = pwd[15];
510 blockdata[1] = pwd[14];
511 blockdata[2] = pwd[13];
512 blockdata[3] = pwd[12];
513 if(mifare_ultra_special_writeblock( 46, blockdata)) {
514 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
515 OnError(46);
516 return;
517 };
518
519 blockdata[0] = pwd[11];
520 blockdata[1] = pwd[10];
521 blockdata[2] = pwd[9];
522 blockdata[3] = pwd[8];
523 if(mifare_ultra_special_writeblock( 47, blockdata)) {
524 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
525 OnError(47);
526 return;
527 };
528
529 if(mifare_ultra_halt()) {
530 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
531 OnError(0);
532 return;
533 };
534
535 cmd_send(CMD_ACK,1,0,0,0,0);
536 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
537 LEDsoff();
538 }
539
540 // Return 1 if the nonce is invalid else return 0
541 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
542 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
543 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
544 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
545 }
546
547
548 //-----------------------------------------------------------------------------
549 // MIFARE nested authentication.
550 //
551 //-----------------------------------------------------------------------------
552 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain)
553 {
554 // params
555 uint8_t blockNo = arg0 & 0xff;
556 uint8_t keyType = (arg0 >> 8) & 0xff;
557 uint8_t targetBlockNo = arg1 & 0xff;
558 uint8_t targetKeyType = (arg1 >> 8) & 0xff;
559 uint64_t ui64Key = 0;
560
561 ui64Key = bytes_to_num(datain, 6);
562
563 // variables
564 uint16_t rtr, i, j, len;
565 uint16_t davg;
566 static uint16_t dmin, dmax;
567 uint8_t uid[10];
568 uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;
569 uint8_t par[1];
570 uint32_t target_nt[2], target_ks[2];
571
572 uint8_t par_array[4];
573 uint16_t ncount = 0;
574 struct Crypto1State mpcs = {0, 0};
575 struct Crypto1State *pcs;
576 pcs = &mpcs;
577 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
578
579 uint32_t auth1_time, auth2_time;
580 static uint16_t delta_time;
581
582 // free eventually allocated BigBuf memory
583 BigBuf_free();
584 // clear trace
585 clear_trace();
586 set_tracing(false);
587
588 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
589
590 LED_A_ON();
591 LED_C_OFF();
592
593
594 // statistics on nonce distance
595 if (calibrate) { // for first call only. Otherwise reuse previous calibration
596 LED_B_ON();
597 WDT_HIT();
598
599 davg = dmax = 0;
600 dmin = 2000;
601 delta_time = 0;
602
603 for (rtr = 0; rtr < 17; rtr++) {
604
605 // prepare next select. No need to power down the card.
606 if(mifare_classic_halt(pcs, cuid)) {
607 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
608 rtr--;
609 continue;
610 }
611
612 if(!iso14443a_select_card(uid, NULL, &cuid)) {
613 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
614 rtr--;
615 continue;
616 };
617
618 auth1_time = 0;
619 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
620 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
621 rtr--;
622 continue;
623 };
624
625 if (delta_time) {
626 auth2_time = auth1_time + delta_time;
627 } else {
628 auth2_time = 0;
629 }
630 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {
631 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");
632 rtr--;
633 continue;
634 };
635
636 nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
637 for (i = 101; i < 1200; i++) {
638 nttmp = prng_successor(nttmp, 1);
639 if (nttmp == nt2) break;
640 }
641
642 if (i != 1200) {
643 if (rtr != 0) {
644 davg += i;
645 dmin = MIN(dmin, i);
646 dmax = MAX(dmax, i);
647 }
648 else {
649 delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing
650 }
651 if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
652 }
653 }
654
655 if (rtr <= 1) return;
656
657 davg = (davg + (rtr - 1)/2) / (rtr - 1);
658
659 if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
660
661 dmin = davg - 2;
662 dmax = davg + 2;
663
664 LED_B_OFF();
665
666 }
667 // -------------------------------------------------------------------------------------------------
668
669 LED_C_ON();
670
671 // get crypted nonces for target sector
672 for(i=0; i < 2; i++) { // look for exactly two different nonces
673
674 target_nt[i] = 0;
675 while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
676
677 // prepare next select. No need to power down the card.
678 if(mifare_classic_halt(pcs, cuid)) {
679 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
680 continue;
681 }
682
683 if(!iso14443a_select_card(uid, NULL, &cuid)) {
684 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
685 continue;
686 };
687
688 auth1_time = 0;
689 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time)) {
690 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");
691 continue;
692 };
693
694 // nested authentication
695 auth2_time = auth1_time + delta_time;
696 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);
697 if (len != 4) {
698 if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);
699 continue;
700 };
701
702 nt2 = bytes_to_num(receivedAnswer, 4);
703 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);
704
705 // Parity validity check
706 for (j = 0; j < 4; j++) {
707 par_array[j] = (oddparity(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));
708 }
709
710 ncount = 0;
711 nttest = prng_successor(nt1, dmin - 1);
712 for (j = dmin; j < dmax + 1; j++) {
713 nttest = prng_successor(nttest, 1);
714 ks1 = nt2 ^ nttest;
715
716 if (valid_nonce(nttest, nt2, ks1, par_array)){
717 if (ncount > 0) { // we are only interested in disambiguous nonces, try again
718 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);
719 target_nt[i] = 0;
720 break;
721 }
722 target_nt[i] = nttest;
723 target_ks[i] = ks1;
724 ncount++;
725 if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces
726 target_nt[i] = 0;
727 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);
728 break;
729 }
730 if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);
731 }
732 }
733 if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
734 }
735 }
736
737 LED_C_OFF();
738
739 // ----------------------------- crypto1 destroy
740 crypto1_destroy(pcs);
741
742 byte_t buf[4 + 4 * 4];
743 memcpy(buf, &cuid, 4);
744 memcpy(buf+4, &target_nt[0], 4);
745 memcpy(buf+8, &target_ks[0], 4);
746 memcpy(buf+12, &target_nt[1], 4);
747 memcpy(buf+16, &target_ks[1], 4);
748
749 LED_B_ON();
750 cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
751 LED_B_OFF();
752
753 if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");
754
755 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
756 LEDsoff();
757 set_tracing(TRUE);
758 }
759
760 //-----------------------------------------------------------------------------
761 // MIFARE check keys. key count up to 85.
762 //
763 //-----------------------------------------------------------------------------
764 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
765 {
766 // params
767 uint8_t blockNo = arg0;
768 uint8_t keyType = arg1;
769 uint8_t keyCount = arg2;
770 uint64_t ui64Key = 0;
771
772 // variables
773 int i;
774 byte_t isOK = 0;
775 uint8_t uid[10];
776 uint32_t cuid;
777 struct Crypto1State mpcs = {0, 0};
778 struct Crypto1State *pcs;
779 pcs = &mpcs;
780
781 // clear debug level
782 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
783 MF_DBGLEVEL = MF_DBG_NONE;
784
785 // clear trace
786 clear_trace();
787 set_tracing(TRUE);
788
789 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
790
791 LED_A_ON();
792 LED_B_OFF();
793 LED_C_OFF();
794
795 for (i = 0; i < keyCount; i++) {
796 if(mifare_classic_halt(pcs, cuid)) {
797 if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
798 }
799
800 if(!iso14443a_select_card(uid, NULL, &cuid)) {
801 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
802 break;
803 };
804
805 ui64Key = bytes_to_num(datain + i * 6, 6);
806 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
807 continue;
808 };
809
810 isOK = 1;
811 break;
812 }
813
814 // ----------------------------- crypto1 destroy
815 crypto1_destroy(pcs);
816
817 LED_B_ON();
818 cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
819 LED_B_OFF();
820
821 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
822 LEDsoff();
823
824 // restore debug level
825 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
826 }
827
828 //-----------------------------------------------------------------------------
829 // MIFARE commands set debug level
830 //
831 //-----------------------------------------------------------------------------
832 void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
833 MF_DBGLEVEL = arg0;
834 Dbprintf("Debug level: %d", MF_DBGLEVEL);
835 }
836
837 //-----------------------------------------------------------------------------
838 // Work with emulator memory
839 //
840 //-----------------------------------------------------------------------------
841 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
842 emlClearMem();
843 }
844
845 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
846 emlSetMem(datain, arg0, arg1); // data, block num, blocks count
847 }
848
849 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
850 byte_t buf[USB_CMD_DATA_SIZE];
851 emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
852
853 LED_B_ON();
854 cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
855 LED_B_OFF();
856 }
857
858 //-----------------------------------------------------------------------------
859 // Load a card into the emulator memory
860 //
861 //-----------------------------------------------------------------------------
862 void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
863 uint8_t numSectors = arg0;
864 uint8_t keyType = arg1;
865 uint64_t ui64Key = 0;
866 uint32_t cuid;
867 struct Crypto1State mpcs = {0, 0};
868 struct Crypto1State *pcs;
869 pcs = &mpcs;
870
871 // variables
872 byte_t dataoutbuf[16];
873 byte_t dataoutbuf2[16];
874 uint8_t uid[10];
875
876 // clear trace
877 clear_trace();
878 set_tracing(false);
879
880 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
881
882 LED_A_ON();
883 LED_B_OFF();
884 LED_C_OFF();
885
886 bool isOK = true;
887
888 if(!iso14443a_select_card(uid, NULL, &cuid)) {
889 isOK = false;
890 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
891 }
892
893 for (uint8_t sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
894 ui64Key = emlGetKey(sectorNo, keyType);
895 if (sectorNo == 0){
896 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
897 isOK = false;
898 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth error", sectorNo);
899 break;
900 }
901 } else {
902 if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_NESTED)) {
903 isOK = false;
904 if (MF_DBGLEVEL >= 1) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
905 break;
906 }
907 }
908
909 for (uint8_t blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
910 if(isOK && mifare_classic_readblock(pcs, cuid, FirstBlockOfSector(sectorNo) + blockNo, dataoutbuf)) {
911 isOK = false;
912 if (MF_DBGLEVEL >= 1) Dbprintf("Error reading sector %2d block %2d", sectorNo, blockNo);
913 break;
914 };
915 if (isOK) {
916 if (blockNo < NumBlocksPerSector(sectorNo) - 1) {
917 emlSetMem(dataoutbuf, FirstBlockOfSector(sectorNo) + blockNo, 1);
918 } else { // sector trailer, keep the keys, set only the AC
919 emlGetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
920 memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4);
921 emlSetMem(dataoutbuf2, FirstBlockOfSector(sectorNo) + blockNo, 1);
922 }
923 }
924 }
925
926 }
927
928 if(mifare_classic_halt(pcs, cuid)) {
929 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
930 };
931
932 // ----------------------------- crypto1 destroy
933 crypto1_destroy(pcs);
934
935 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
936 LEDsoff();
937
938 if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED");
939
940 }
941
942
943 //-----------------------------------------------------------------------------
944 // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
945 //
946 //-----------------------------------------------------------------------------
947 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
948
949 // params
950 uint8_t needWipe = arg0;
951 // bit 0 - need get UID
952 // bit 1 - need wupC
953 // bit 2 - need HALT after sequence
954 // bit 3 - need init FPGA and field before sequence
955 // bit 4 - need reset FPGA and LED
956 uint8_t workFlags = arg1;
957 uint8_t blockNo = arg2;
958
959 // card commands
960 uint8_t wupC1[] = { 0x40 };
961 uint8_t wupC2[] = { 0x43 };
962 uint8_t wipeC[] = { 0x41 };
963
964 // variables
965 byte_t isOK = 0;
966 uint8_t uid[10] = {0x00};
967 uint8_t d_block[18] = {0x00};
968 uint32_t cuid;
969
970 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
971 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
972
973 // reset FPGA and LED
974 if (workFlags & 0x08) {
975 LED_A_ON();
976 LED_B_OFF();
977 LED_C_OFF();
978
979 clear_trace();
980 set_tracing(TRUE);
981 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
982 }
983
984 while (true) {
985
986 // get UID from chip
987 if (workFlags & 0x01) {
988 if(!iso14443a_select_card(uid, NULL, &cuid)) {
989 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
990 //break;
991 };
992
993 if(mifare_classic_halt(NULL, cuid)) {
994 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
995 //break;
996 };
997 };
998
999 // reset chip
1000 if (needWipe){
1001 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1002 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1003 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1004 break;
1005 };
1006
1007 ReaderTransmit(wipeC, sizeof(wipeC), NULL);
1008 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1009 if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error");
1010 break;
1011 };
1012
1013 if(mifare_classic_halt(NULL, cuid)) {
1014 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1015 break;
1016 };
1017 };
1018
1019 // write block
1020 if (workFlags & 0x02) {
1021 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1022 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1023 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1024 break;
1025 };
1026
1027 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1028 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1029 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1030 break;
1031 };
1032 }
1033
1034 if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
1035 if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
1036 break;
1037 };
1038
1039 memcpy(d_block, datain, 16);
1040 AppendCrc14443a(d_block, 16);
1041
1042 ReaderTransmit(d_block, sizeof(d_block), NULL);
1043 if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
1044 if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error");
1045 break;
1046 };
1047
1048 if (workFlags & 0x04) {
1049 if (mifare_classic_halt(NULL, cuid)) {
1050 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1051 break;
1052 };
1053 }
1054
1055 isOK = 1;
1056 break;
1057 }
1058
1059 LED_B_ON();
1060 cmd_send(CMD_ACK,isOK,0,0,uid,4);
1061 LED_B_OFF();
1062
1063 if ((workFlags & 0x10) || (!isOK)) {
1064 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1065 LEDsoff();
1066 }
1067 }
1068
1069
1070 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
1071
1072 // params
1073 // bit 1 - need wupC
1074 // bit 2 - need HALT after sequence
1075 // bit 3 - need init FPGA and field before sequence
1076 // bit 4 - need reset FPGA and LED
1077 uint8_t workFlags = arg0;
1078 uint8_t blockNo = arg2;
1079
1080 // card commands
1081 uint8_t wupC1[] = { 0x40 };
1082 uint8_t wupC2[] = { 0x43 };
1083
1084 // variables
1085 byte_t isOK = 0;
1086 uint8_t data[18] = {0x00};
1087 uint32_t cuid = 0;
1088
1089 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1090 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1091
1092 if (workFlags & 0x08) {
1093 LED_A_ON();
1094 LED_B_OFF();
1095 LED_C_OFF();
1096
1097 clear_trace();
1098 set_tracing(TRUE);
1099 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1100 }
1101
1102 while (true) {
1103 if (workFlags & 0x02) {
1104 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1105 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1106 if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error");
1107 break;
1108 };
1109
1110 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1111 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1112 if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error");
1113 break;
1114 };
1115 }
1116
1117 // read block
1118 if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
1119 if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error");
1120 break;
1121 };
1122 memcpy(data, receivedAnswer, 18);
1123
1124 if (workFlags & 0x04) {
1125 if (mifare_classic_halt(NULL, cuid)) {
1126 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1127 break;
1128 };
1129 }
1130
1131 isOK = 1;
1132 break;
1133 }
1134
1135 LED_B_ON();
1136 cmd_send(CMD_ACK,isOK,0,0,data,18);
1137 LED_B_OFF();
1138
1139 if ((workFlags & 0x10) || (!isOK)) {
1140 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1141 LEDsoff();
1142 }
1143 }
1144
1145 void MifareCIdent(){
1146
1147 // card commands
1148 uint8_t wupC1[] = { 0x40 };
1149 uint8_t wupC2[] = { 0x43 };
1150
1151 // variables
1152 byte_t isOK = 1;
1153
1154 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
1155 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
1156
1157 ReaderTransmitBitsPar(wupC1,7,0, NULL);
1158 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1159 isOK = 0;
1160 };
1161
1162 ReaderTransmit(wupC2, sizeof(wupC2), NULL);
1163 if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
1164 isOK = 0;
1165 };
1166
1167 if (mifare_classic_halt(NULL, 0)) {
1168 isOK = 0;
1169 };
1170
1171 cmd_send(CMD_ACK,isOK,0,0,0,0);
1172 }
1173
1174 void MifareCollectNonces(uint32_t arg0, uint32_t arg1){
1175
1176 BigBuf_free();
1177
1178 uint32_t iterations = arg0;
1179 uint8_t uid[10] = {0x00};
1180
1181 uint8_t *response = BigBuf_malloc(MAX_MIFARE_FRAME_SIZE);
1182 uint8_t *responsePar = BigBuf_malloc(MAX_MIFARE_PARITY_SIZE);
1183
1184 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1185
1186 // get memory from BigBuf.
1187 uint8_t *nonces = BigBuf_malloc(iterations * 4);
1188
1189 LED_A_ON();
1190 LED_B_OFF();
1191 LED_C_OFF();
1192
1193 clear_trace();
1194 set_tracing(TRUE);
1195 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1196
1197 for (int i = 0; i < iterations; i++) {
1198
1199 WDT_HIT();
1200
1201 // Test if the action was cancelled
1202 if(BUTTON_PRESS()) break;
1203
1204 // if(mifare_classic_halt(pcs, cuid)) {
1205 // if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
1206 //}
1207
1208 if(!iso14443a_select_card(uid, NULL, NULL)) {
1209 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
1210 continue;
1211 };
1212
1213 // Transmit MIFARE_CLASSIC_AUTH.
1214 ReaderTransmit(mf_auth, sizeof(mf_auth), NULL);
1215
1216 // Receive the (4 Byte) "random" nonce
1217 if (!ReaderReceive(response, responsePar)) {
1218 if (MF_DBGLEVEL >= 1) Dbprintf("Couldn't receive tag nonce");
1219 continue;
1220 }
1221
1222 nonces[i*4] = bytes_to_num(response, 4);
1223 }
1224
1225 int packLen = iterations * 4;
1226 int packSize = 0;
1227 int packNum = 0;
1228 while (packLen > 0) {
1229 packSize = MIN(USB_CMD_DATA_SIZE, packLen);
1230 LED_B_ON();
1231 cmd_send(CMD_ACK, 77, 0, packSize, nonces - packLen, packSize);
1232 LED_B_OFF();
1233
1234 packLen -= packSize;
1235 packNum++;
1236 }
1237 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1238 LEDsoff();
1239 }
1240
1241 //
1242 // DESFIRE
1243 //
1244
1245 void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
1246
1247 byte_t dataout[11] = {0x00};
1248 uint8_t uid[10] = {0x00};
1249 uint32_t cuid = 0x00;
1250
1251 clear_trace();
1252 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1253
1254 int len = iso14443a_select_card(uid, NULL, &cuid);
1255 if(!len) {
1256 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
1257 OnError(1);
1258 return;
1259 };
1260
1261 if(mifare_desfire_des_auth1(cuid, dataout)){
1262 if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
1263 OnError(4);
1264 return;
1265 }
1266
1267 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
1268 cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));
1269 }
1270
1271 void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
1272
1273 uint32_t cuid = arg0;
1274 uint8_t key[16] = {0x00};
1275 byte_t dataout[12] = {0x00};
1276 byte_t isOK = 0;
1277
1278 memcpy(key, datain, 16);
1279
1280 isOK = mifare_desfire_des_auth2(cuid, key, dataout);
1281
1282 if( isOK) {
1283 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");
1284 OnError(4);
1285 return;
1286 }
1287
1288 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
1289
1290 cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));
1291 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1292 LEDsoff();
1293 }
Proxmark3 GIT tracking
Impressum, Datenschutz