]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaresim.c
Add string.h
[proxmark3-svn] / armsrc / mifaresim.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Mifare Classic Card Simulation
11 //-----------------------------------------------------------------------------
12
13 #include "mifaresim.h"
14 #include "iso14443a.h"
15 #include "iso14443crc.h"
16 #include "crapto1/crapto1.h"
17 #include "BigBuf.h"
18 #include "string.h"
19 #include "mifareutil.h"
20 #include "fpgaloader.h"
21 #include "proxmark3.h"
22 #include "usb_cdc.h"
23 #include "protocols.h"
24 #include "apps.h"
25
26 //mifare emulator states
27 #define MFEMUL_NOFIELD 0
28 #define MFEMUL_IDLE 1
29 #define MFEMUL_SELECT1 2
30 #define MFEMUL_SELECT2 3
31 #define MFEMUL_SELECT3 4
32 #define MFEMUL_AUTH1 5
33 #define MFEMUL_AUTH2 6
34 #define MFEMUL_WORK 7
35 #define MFEMUL_WRITEBL2 8
36 #define MFEMUL_INTREG_INC 9
37 #define MFEMUL_INTREG_DEC 10
38 #define MFEMUL_INTREG_REST 11
39 #define MFEMUL_HALTED 12
40
41 #define AC_DATA_READ 0
42 #define AC_DATA_WRITE 1
43 #define AC_DATA_INC 2
44 #define AC_DATA_DEC_TRANS_REST 3
45 #define AC_KEYA_READ 0
46 #define AC_KEYA_WRITE 1
47 #define AC_KEYB_READ 2
48 #define AC_KEYB_WRITE 3
49 #define AC_AC_READ 4
50 #define AC_AC_WRITE 5
51
52 #define AUTHKEYA 0
53 #define AUTHKEYB 1
54 #define AUTHKEYNONE 0xff
55
56
57 static int ParamCardSizeBlocks(const char c) {
58 int numBlocks = 16 * 4;
59 switch (c) {
60 case '0' : numBlocks = 5 * 4; break;
61 case '2' : numBlocks = 32 * 4; break;
62 case '4' : numBlocks = 32 * 4 + 8 * 16; break;
63 default: numBlocks = 16 * 4;
64 }
65 return numBlocks;
66 }
67
68 static uint8_t BlockToSector(int block_num) {
69 if (block_num < 32 * 4) { // 4 blocks per sector
70 return (block_num / 4);
71 } else { // 16 blocks per sector
72 return 32 + (block_num - 32 * 4) / 16;
73 }
74 }
75
76 static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
77 uint8_t sector_trailer[16];
78 emlGetMem(sector_trailer, blockNo, 1);
79 uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
80 | ((sector_trailer[8] >> 2) & 0x02)
81 | ((sector_trailer[8] >> 7) & 0x01);
82 switch (action) {
83 case AC_KEYA_READ: {
84 return false;
85 break;
86 }
87 case AC_KEYA_WRITE: {
88 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
89 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
90 break;
91 }
92 case AC_KEYB_READ: {
93 return (keytype == AUTHKEYA && (AC == 0x00 || AC == 0x02 || AC == 0x01));
94 break;
95 }
96 case AC_KEYB_WRITE: {
97 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
98 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
99 break;
100 }
101 case AC_AC_READ: {
102 return ((keytype == AUTHKEYA)
103 || (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
104 break;
105 }
106 case AC_AC_WRITE: {
107 return ((keytype == AUTHKEYA && (AC == 0x01))
108 || (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
109 break;
110 }
111 default: return false;
112 }
113 }
114
115
116 static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action)
117 {
118 uint8_t sector_trailer[16];
119 emlGetMem(sector_trailer, SectorTrailer(blockNo), 1);
120
121 uint8_t sector_block;
122 if (blockNo < 32*4) {
123 sector_block = blockNo & 0x03;
124 } else {
125 sector_block = (blockNo & 0x0f) / 5;
126 }
127
128 uint8_t AC;
129 switch (sector_block) {
130 case 0x00: {
131 AC = ((sector_trailer[7] >> 2) & 0x04)
132 | ((sector_trailer[8] << 1) & 0x02)
133 | ((sector_trailer[8] >> 4) & 0x01);
134 break;
135 }
136 case 0x01: {
137 AC = ((sector_trailer[7] >> 3) & 0x04)
138 | ((sector_trailer[8] >> 0) & 0x02)
139 | ((sector_trailer[8] >> 5) & 0x01);
140 break;
141 }
142 case 0x02: {
143 AC = ((sector_trailer[7] >> 4) & 0x04)
144 | ((sector_trailer[8] >> 1) & 0x02)
145 | ((sector_trailer[8] >> 6) & 0x01);
146 break;
147 }
148 default:
149 return false;
150 }
151
152 switch (action) {
153 case AC_DATA_READ: {
154 return ((keytype == AUTHKEYA && !(AC == 0x03 || AC == 0x05 || AC == 0x07))
155 || (keytype == AUTHKEYB && !(AC == 0x07)));
156 break;
157 }
158 case AC_DATA_WRITE: {
159 return ((keytype == AUTHKEYA && (AC == 0x00))
160 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
161 break;
162 }
163 case AC_DATA_INC: {
164 return ((keytype == AUTHKEYA && (AC == 0x00))
165 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
166 break;
167 }
168 case AC_DATA_DEC_TRANS_REST: {
169 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x06 || AC == 0x01))
170 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
171 break;
172 }
173 }
174
175 return false;
176 }
177
178
179 static bool IsAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
180 if (IsSectorTrailer(blockNo)) {
181 return IsTrailerAccessAllowed(blockNo, keytype, action);
182 } else {
183 return IsDataAccessAllowed(blockNo, keytype, action);
184 }
185 }
186
187
188 static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t cardsize) {
189
190 #define TAG_RESPONSE_COUNT 5 // number of precompiled responses
191 static uint8_t rATQA[] = {0x00, 0x00};
192 static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
193 static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
194 static uint8_t rSAKfinal[]= {0x00, 0x00, 0x00}; // SAK after UID complete
195 static uint8_t rSAK1[] = {0x00, 0x00, 0x00}; // indicate UID not finished
196
197 *uid_len = 4;
198 // UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long
199 if (flags & FLAG_4B_UID_IN_DATA) { // get UID from datain
200 memcpy(rUIDBCC1, datain, 4);
201 } else if (flags & FLAG_7B_UID_IN_DATA) {
202 rUIDBCC1[0] = 0x88;
203 memcpy(rUIDBCC1+1, datain, 3);
204 memcpy(rUIDBCC2, datain+3, 4);
205 *uid_len = 7;
206 } else {
207 uint8_t probable_atqa;
208 emlGetMemBt(&probable_atqa, 7, 1); // get UID from emul memory - weak guess at length
209 if (probable_atqa == 0x00) { // ---------- 4BUID
210 emlGetMemBt(rUIDBCC1, 0, 4);
211 } else { // ---------- 7BUID
212 rUIDBCC1[0] = 0x88;
213 emlGetMemBt(rUIDBCC1+1, 0, 3);
214 emlGetMemBt(rUIDBCC2, 3, 4);
215 *uid_len = 7;
216 }
217 }
218
219 switch (*uid_len) {
220 case 4:
221 *cuid = bytes_to_num(rUIDBCC1, 4);
222 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
223 if (MF_DBGLEVEL >= MF_DBG_INFO) {
224 Dbprintf("4B UID: %02x%02x%02x%02x",
225 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3] );
226 }
227 break;
228 case 7:
229 *cuid = bytes_to_num(rUIDBCC2, 4);
230 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
231 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
232 if (MF_DBGLEVEL >= MF_DBG_INFO) {
233 Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
234 rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3] );
235 }
236 break;
237 default:
238 break;
239 }
240
241 // set SAK based on cardsize
242 switch (cardsize) {
243 case '0': rSAKfinal[0] = 0x09; break; // Mifare Mini
244 case '2': rSAKfinal[0] = 0x10; break; // Mifare 2K
245 case '4': rSAKfinal[0] = 0x18; break; // Mifare 4K
246 default: rSAKfinal[0] = 0x08; // Mifare 1K
247 }
248 ComputeCrc14443(CRC_14443_A, rSAKfinal, 1, rSAKfinal + 1, rSAKfinal + 2);
249 if (MF_DBGLEVEL >= MF_DBG_INFO) {
250 Dbprintf("SAK: %02x", rSAKfinal[0]);
251 }
252
253 // set SAK for incomplete UID
254 rSAK1[0] = 0x04; // Bit 3 indicates incomplete UID
255 ComputeCrc14443(CRC_14443_A, rSAK1, 1, rSAK1 + 1, rSAK1 + 2);
256
257 // set ATQA based on cardsize and UIDlen
258 if (cardsize == '4') {
259 rATQA[0] = 0x02;
260 } else {
261 rATQA[0] = 0x04;
262 }
263 if (*uid_len == 7) {
264 rATQA[0] |= 0x40;
265 }
266 if (MF_DBGLEVEL >= MF_DBG_INFO) {
267 Dbprintf("ATQA: %02x %02x", rATQA[1], rATQA[0]);
268 }
269
270 static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
271 { .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type
272 { .response = rUIDBCC1, .response_n = sizeof(rUIDBCC1) }, // Anticollision cascade1 - respond with first part of uid
273 { .response = rUIDBCC2, .response_n = sizeof(rUIDBCC2) }, // Anticollision cascade2 - respond with 2nd part of uid
274 { .response = rSAKfinal, .response_n = sizeof(rSAKfinal) }, // Acknowledge select - last cascade
275 { .response = rSAK1, .response_n = sizeof(rSAK1) } // Acknowledge select - previous cascades
276 };
277
278 // Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT
279 // There are 5 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
280 // 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits -> need 177 bytes buffer
281 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177 // number of bytes required for precompiled responses
282
283 uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
284 size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
285 for (size_t i = 0; i < TAG_RESPONSE_COUNT; i++) {
286 prepare_allocated_tag_modulation(&responses_init[i], &free_buffer_pointer, &free_buffer_size);
287 }
288
289 *responses = responses_init;
290
291 // indices into responses array:
292 #define ATQA 0
293 #define UIDBCC1 1
294 #define UIDBCC2 2
295 #define SAKfinal 3
296 #define SAK1 4
297
298 }
299
300
301 static bool HasValidCRC(uint8_t *receivedCmd, uint16_t receivedCmd_len) {
302 uint8_t CRC_byte_1, CRC_byte_2;
303 ComputeCrc14443(CRC_14443_A, receivedCmd, receivedCmd_len-2, &CRC_byte_1, &CRC_byte_2);
304 return (receivedCmd[receivedCmd_len-2] == CRC_byte_1 && receivedCmd[receivedCmd_len-1] == CRC_byte_2);
305 }
306
307
308 /**
309 *MIFARE simulate.
310 *
311 *@param flags :
312 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
313 * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
314 * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
315 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
316 * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
317 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
318 * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
319 */
320 void MifareSim(uint8_t flags, uint8_t exitAfterNReads, uint8_t cardsize, uint8_t *datain)
321 {
322 LED_A_ON();
323
324 tag_response_info_t *responses;
325 uint8_t uid_len = 4;
326 uint32_t cuid = 0;
327 uint8_t cardWRBL = 0;
328 uint8_t cardAUTHSC = 0;
329 uint8_t cardAUTHKEY = AUTHKEYNONE; // no authentication
330 uint32_t cardRr = 0;
331 //uint32_t rn_enc = 0;
332 uint32_t ans = 0;
333 uint32_t cardINTREG = 0;
334 uint8_t cardINTBLOCK = 0;
335 struct Crypto1State mpcs = {0, 0};
336 struct Crypto1State *pcs = &mpcs;
337 uint32_t numReads = 0; //Counts numer of times reader reads a block
338 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
339 uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE];
340 uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
341 uint16_t receivedCmd_len;
342 uint8_t response[MAX_MIFARE_FRAME_SIZE];
343 uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
344 uint8_t fixed_nonce[] = {0x01, 0x02, 0x03, 0x04};
345
346 int num_blocks = ParamCardSizeBlocks(cardsize);
347
348 // Here we collect UID, sector, keytype, NT, AR, NR, NT2, AR2, NR2
349 // This will be used in the reader-only attack.
350
351 // allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
352 #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
353 nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
354 memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
355
356 uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // *2 for 2nd attack type (moebius)
357 memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
358 uint8_t nonce1_count = 0;
359 uint8_t nonce2_count = 0;
360 uint8_t moebius_n_count = 0;
361 bool gettingMoebius = false;
362 uint8_t mM = 0; // moebius_modifier for collection storage
363
364 // Authenticate response - nonce
365 uint32_t nonce;
366 if (flags & FLAG_RANDOM_NONCE) {
367 nonce = prand();
368 } else {
369 nonce = bytes_to_num(fixed_nonce, 4);
370 }
371
372 // free eventually allocated BigBuf memory but keep Emulator Memory
373 BigBuf_free_keep_EM();
374
375 MifareSimInit(flags, datain, &responses, &cuid, &uid_len, cardsize);
376
377 // We need to listen to the high-frequency, peak-detected path.
378 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
379
380 // clear trace
381 clear_trace();
382 set_tracing(true);
383 ResetSspClk();
384
385 bool finished = false;
386 bool button_pushed = BUTTON_PRESS();
387 int cardSTATE = MFEMUL_NOFIELD;
388
389 while (!button_pushed && !finished && !usb_poll_validate_length()) {
390 WDT_HIT();
391
392 if (cardSTATE == MFEMUL_NOFIELD) {
393 // wait for reader HF field
394 int vHf = (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
395 if (vHf > MF_MINFIELDV) {
396 LED_D_ON();
397 cardSTATE = MFEMUL_IDLE;
398 }
399 button_pushed = BUTTON_PRESS();
400 continue;
401 }
402
403 //Now, get data
404 FpgaEnableTracing();
405 int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);
406
407 if (res == 2) { // Reader has dropped the HF field. Power off.
408 FpgaDisableTracing();
409 LED_D_OFF();
410 cardSTATE = MFEMUL_NOFIELD;
411 continue;
412 } else if (res == 1) { // button pressed
413 FpgaDisableTracing();
414 button_pushed = true;
415 break;
416 }
417
418 // WUPA in HALTED state or REQA or WUPA in any other state
419 if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
420 EmSendPrecompiledCmd(&responses[ATQA]);
421 FpgaDisableTracing();
422
423 // init crypto block
424 crypto1_destroy(pcs);
425 cardAUTHKEY = AUTHKEYNONE;
426 if (flags & FLAG_RANDOM_NONCE) {
427 nonce = prand();
428 }
429 cardSTATE = MFEMUL_SELECT1;
430 continue;
431 }
432
433 switch (cardSTATE) {
434 case MFEMUL_NOFIELD:
435 case MFEMUL_HALTED:
436 case MFEMUL_IDLE:{
437 break;
438 }
439
440 case MFEMUL_SELECT1:{
441 // select all - 0x93 0x20
442 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
443 EmSendPrecompiledCmd(&responses[UIDBCC1]);
444 FpgaDisableTracing();
445 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT ALL CL1 received");
446 break;
447 }
448 // select card - 0x93 0x70 ...
449 if (receivedCmd_len == 9 &&
450 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC1].response, 4) == 0)) {
451 if (uid_len == 4) {
452 EmSendPrecompiledCmd(&responses[SAKfinal]);
453 cardSTATE = MFEMUL_WORK;
454 } else if (uid_len == 7) {
455 EmSendPrecompiledCmd(&responses[SAK1]);
456 cardSTATE = MFEMUL_SELECT2;
457 }
458 FpgaDisableTracing();
459 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
460 break;
461 }
462 cardSTATE = MFEMUL_IDLE;
463 break;
464 }
465
466 case MFEMUL_SELECT2:{
467 // select all cl2 - 0x95 0x20
468 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
469 EmSendPrecompiledCmd(&responses[UIDBCC2]);
470 FpgaDisableTracing();
471 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT ALL CL2 received");
472 break;
473 }
474 // select cl2 card - 0x95 0x70 xxxxxxxxxxxx
475 if (receivedCmd_len == 9 &&
476 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC2].response, 4) == 0)) {
477 if (uid_len == 7) {
478 EmSendPrecompiledCmd(&responses[SAKfinal]);
479 FpgaDisableTracing();
480 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
481 cardSTATE = MFEMUL_WORK;
482 break;
483 }
484 }
485 cardSTATE = MFEMUL_IDLE;
486 break;
487 }
488
489 case MFEMUL_WORK:{
490 if (receivedCmd_len != 4) { // all commands must have exactly 4 bytes
491 break;
492 }
493 bool encrypted_data = (cardAUTHKEY != AUTHKEYNONE) ;
494 if (encrypted_data) {
495 // decrypt seqence
496 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
497 } else {
498 memcpy(receivedCmd_dec, receivedCmd, receivedCmd_len);
499 }
500 if (!HasValidCRC(receivedCmd_dec, receivedCmd_len)) { // all commands must have a valid CRC
501 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_TR));
502 break;
503 }
504
505 if (receivedCmd_dec[0] == MIFARE_AUTH_KEYA || receivedCmd_dec[0] == MIFARE_AUTH_KEYB) {
506 // if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
507 if (receivedCmd_dec[1] >= num_blocks && !(flags & FLAG_NR_AR_ATTACK)) {
508 //is this the correct response to an auth on a out of range block? marshmellow
509 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
510 FpgaDisableTracing();
511 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking", receivedCmd_dec[0], receivedCmd_dec[1], receivedCmd_dec[1]);
512 break;
513 }
514 cardAUTHSC = BlockToSector(receivedCmd_dec[1]); // received block num
515 cardAUTHKEY = receivedCmd_dec[0] & 0x01;
516 crypto1_destroy(pcs);//Added by martin
517 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
518 if (!encrypted_data) { // first authentication
519 crypto1_word(pcs, cuid ^ nonce, 0); // Update crypto state
520 num_to_bytes(nonce, 4, response); // Send unencrypted nonce
521 EmSendCmd(response, sizeof(nonce));
522 FpgaDisableTracing();
523 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
524 } else { // nested authentication
525 num_to_bytes(nonce, sizeof(nonce), response);
526 uint8_t pcs_in[4] = {0};
527 num_to_bytes(cuid ^ nonce, sizeof(nonce), pcs_in);
528 mf_crypto1_encryptEx(pcs, response, pcs_in, sizeof(nonce), response_par);
529 EmSendCmdPar(response, sizeof(nonce), response_par); // send encrypted nonce
530 FpgaDisableTracing();
531 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
532 }
533 cardSTATE = MFEMUL_AUTH1;
534 break;
535 }
536
537 // halt can be sent encrypted or in clear
538 if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) {
539 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("--> HALTED.");
540 cardSTATE = MFEMUL_HALTED;
541 break;
542 }
543
544 if(receivedCmd_dec[0] == MIFARE_CMD_READBLOCK
545 || receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK
546 || receivedCmd_dec[0] == MIFARE_CMD_INC
547 || receivedCmd_dec[0] == MIFARE_CMD_DEC
548 || receivedCmd_dec[0] == MIFARE_CMD_RESTORE
549 || receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
550 if (receivedCmd_dec[1] >= num_blocks) {
551 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
552 FpgaDisableTracing();
553 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
554 break;
555 }
556 if (BlockToSector(receivedCmd_dec[1]) != cardAUTHSC) {
557 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
558 FpgaDisableTracing();
559 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC);
560 break;
561 }
562 }
563
564 if (receivedCmd_dec[0] == MIFARE_CMD_READBLOCK) {
565 uint8_t blockNo = receivedCmd_dec[1];
566 emlGetMem(response, blockNo, 1);
567 if (IsSectorTrailer(blockNo)) {
568 memset(response, 0x00, 6); // keyA can never be read
569 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_KEYB_READ)) {
570 memset(response+10, 0x00, 6); // keyB cannot be read
571 }
572 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_AC_READ)) {
573 memset(response+6, 0x00, 4); // AC bits cannot be read
574 }
575 } else {
576 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_DATA_READ)) {
577 memset(response, 0x00, 16); // datablock cannot be read
578 }
579 }
580 AppendCrc14443a(response, 16);
581 mf_crypto1_encrypt(pcs, response, 18, response_par);
582 EmSendCmdPar(response, 18, response_par);
583 FpgaDisableTracing();
584 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
585 Dbprintf("Reader reading block %d (0x%02x)", blockNo, blockNo);
586 }
587 numReads++;
588 if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
589 Dbprintf("%d reads done, exiting", numReads);
590 finished = true;
591 }
592 break;
593 }
594
595 if (receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK) {
596 uint8_t blockNo = receivedCmd_dec[1];
597 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
598 FpgaDisableTracing();
599 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0xA0 write block %d (%02x)", blockNo, blockNo);
600 cardWRBL = blockNo;
601 cardSTATE = MFEMUL_WRITEBL2;
602 break;
603 }
604
605 if (receivedCmd_dec[0] == MIFARE_CMD_INC || receivedCmd_dec[0] == MIFARE_CMD_DEC || receivedCmd_dec[0] == MIFARE_CMD_RESTORE) {
606 uint8_t blockNo = receivedCmd_dec[1];
607 if (emlCheckValBl(blockNo)) {
608 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
609 FpgaDisableTracing();
610 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
611 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
612 }
613 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
614 break;
615 }
616 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
617 FpgaDisableTracing();
618 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
619 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
620 }
621 cardWRBL = blockNo;
622 if (receivedCmd_dec[0] == MIFARE_CMD_INC)
623 cardSTATE = MFEMUL_INTREG_INC;
624 if (receivedCmd_dec[0] == MIFARE_CMD_DEC)
625 cardSTATE = MFEMUL_INTREG_DEC;
626 if (receivedCmd_dec[0] == MIFARE_CMD_RESTORE)
627 cardSTATE = MFEMUL_INTREG_REST;
628 break;
629 }
630
631 if (receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
632 uint8_t blockNo = receivedCmd_dec[1];
633 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd_dec[1]))
634 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
635 else
636 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
637 FpgaDisableTracing();
638 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
639 break;
640 }
641
642 // command not allowed
643 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
644 FpgaDisableTracing();
645 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Received command not allowed, nacking");
646 cardSTATE = MFEMUL_IDLE;
647 break;
648 }
649
650 case MFEMUL_AUTH1:{
651 if (receivedCmd_len != 8) {
652 cardSTATE = MFEMUL_IDLE;
653 break;
654 }
655
656 uint32_t nr = bytes_to_num(receivedCmd, 4);
657 uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
658
659 // Collect AR/NR per keytype & sector
660 if(flags & FLAG_NR_AR_ATTACK) {
661 for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
662 if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
663 // if first auth for sector, or matches sector and keytype of previous auth
664 if (ar_nr_collected[i+mM] < 2) {
665 // if we haven't already collected 2 nonces for this sector
666 if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
667 // Avoid duplicates... probably not necessary, ar should vary.
668 if (ar_nr_collected[i+mM]==0) {
669 // first nonce collect
670 ar_nr_resp[i+mM].cuid = cuid;
671 ar_nr_resp[i+mM].sector = cardAUTHSC;
672 ar_nr_resp[i+mM].keytype = cardAUTHKEY;
673 ar_nr_resp[i+mM].nonce = nonce;
674 ar_nr_resp[i+mM].nr = nr;
675 ar_nr_resp[i+mM].ar = ar;
676 nonce1_count++;
677 // add this nonce to first moebius nonce
678 ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
679 ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
680 ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
681 ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
682 ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
683 ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
684 ar_nr_collected[i+ATTACK_KEY_COUNT]++;
685 } else { // second nonce collect (std and moebius)
686 ar_nr_resp[i+mM].nonce2 = nonce;
687 ar_nr_resp[i+mM].nr2 = nr;
688 ar_nr_resp[i+mM].ar2 = ar;
689 if (!gettingMoebius) {
690 nonce2_count++;
691 // check if this was the last second nonce we need for std attack
692 if ( nonce2_count == nonce1_count ) {
693 // done collecting std test switch to moebius
694 // first finish incrementing last sample
695 ar_nr_collected[i+mM]++;
696 // switch to moebius collection
697 gettingMoebius = true;
698 mM = ATTACK_KEY_COUNT;
699 if (flags & FLAG_RANDOM_NONCE) {
700 nonce = prand();
701 } else {
702 nonce = nonce*7;
703 }
704 break;
705 }
706 } else {
707 moebius_n_count++;
708 // if we've collected all the nonces we need - finish.
709 if (nonce1_count == moebius_n_count) finished = true;
710 }
711 }
712 ar_nr_collected[i+mM]++;
713 }
714 }
715 // we found right spot for this nonce stop looking
716 break;
717 }
718 }
719 }
720
721 // --- crypto
722 crypto1_word(pcs, nr , 1);
723 cardRr = ar ^ crypto1_word(pcs, 0, 0);
724
725 // test if auth OK
726 if (cardRr != prng_successor(nonce, 64)){
727 FpgaDisableTracing();
728 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
729 cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B',
730 cardRr, prng_successor(nonce, 64));
731 // Shouldn't we respond anything here?
732 // Right now, we don't nack or anything, which causes the
733 // reader to do a WUPA after a while. /Martin
734 // -- which is the correct response. /piwi
735 cardAUTHKEY = AUTHKEYNONE; // not authenticated
736 cardSTATE = MFEMUL_IDLE;
737 break;
738 }
739 ans = prng_successor(nonce, 96);
740 num_to_bytes(ans, 4, response);
741 mf_crypto1_encrypt(pcs, response, 4, response_par);
742 EmSendCmdPar(response, 4, response_par);
743 FpgaDisableTracing();
744 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B');
745 cardSTATE = MFEMUL_WORK;
746 break;
747 }
748
749 case MFEMUL_WRITEBL2:{
750 if (receivedCmd_len == 18) {
751 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
752 if (HasValidCRC(receivedCmd_dec, receivedCmd_len)) {
753 if (IsSectorTrailer(cardWRBL)) {
754 emlGetMem(response, cardWRBL, 1);
755 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE)) {
756 memcpy(receivedCmd_dec, response, 6); // don't change KeyA
757 }
758 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE)) {
759 memcpy(receivedCmd_dec+10, response+10, 6); // don't change KeyA
760 }
761 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE)) {
762 memcpy(receivedCmd_dec+6, response+6, 4); // don't change AC bits
763 }
764 } else {
765 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE)) {
766 memcpy(receivedCmd_dec, response, 16); // don't change anything
767 }
768 }
769 emlSetMem(receivedCmd_dec, cardWRBL, 1);
770 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); // always ACK?
771 cardSTATE = MFEMUL_WORK;
772 break;
773 }
774 }
775 cardSTATE = MFEMUL_IDLE;
776 break;
777 }
778
779 case MFEMUL_INTREG_INC:{
780 if (receivedCmd_len == 6) {
781 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
782 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
783 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
784 cardSTATE = MFEMUL_IDLE;
785 break;
786 }
787 cardINTREG = cardINTREG + ans;
788 cardSTATE = MFEMUL_WORK;
789 }
790 break;
791 }
792
793 case MFEMUL_INTREG_DEC:{
794 if (receivedCmd_len == 6) {
795 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
796 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
797 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
798 cardSTATE = MFEMUL_IDLE;
799 break;
800 }
801 cardINTREG = cardINTREG - ans;
802 cardSTATE = MFEMUL_WORK;
803 }
804 break;
805 }
806
807 case MFEMUL_INTREG_REST:{
808 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
809 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
810 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
811 cardSTATE = MFEMUL_IDLE;
812 break;
813 }
814 cardSTATE = MFEMUL_WORK;
815 break;
816 }
817
818 } // end of switch
819
820 FpgaDisableTracing();
821 button_pushed = BUTTON_PRESS();
822
823 } // end of while
824
825 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
826 LEDsoff();
827
828 if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= MF_DBG_INFO) {
829 for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
830 if (ar_nr_collected[i] == 2) {
831 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
832 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
833 ar_nr_resp[i].cuid, //UID
834 ar_nr_resp[i].nonce, //NT
835 ar_nr_resp[i].nr, //NR1
836 ar_nr_resp[i].ar, //AR1
837 ar_nr_resp[i].nr2, //NR2
838 ar_nr_resp[i].ar2 //AR2
839 );
840 }
841 }
842 for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
843 if (ar_nr_collected[i] == 2) {
844 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
845 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x %08x",
846 ar_nr_resp[i].cuid, //UID
847 ar_nr_resp[i].nonce, //NT
848 ar_nr_resp[i].nr, //NR1
849 ar_nr_resp[i].ar, //AR1
850 ar_nr_resp[i].nonce2,//NT2
851 ar_nr_resp[i].nr2, //NR2
852 ar_nr_resp[i].ar2 //AR2
853 );
854 }
855 }
856 }
857 if (MF_DBGLEVEL >= MF_DBG_INFO) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
858
859 if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK
860 //Send the collected ar_nr in the response
861 cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, button_pushed, 0, &ar_nr_resp, sizeof(ar_nr_resp));
862 }
863
864 LED_A_OFF();
865 }
Impressum, Datenschutz