- //-----------------------------------------------------------------------------
+ //-----------------------------------------------------------------------------
// Merlok - June 2011, 2012
// Gerhard de Koning Gans - May 2008
// Hagen Fritsch - June 2010
//-----------------------------------------------------------------------------
// Routines to support ISO 14443 type A.
//-----------------------------------------------------------------------------
-
-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
-#include "string.h"
-#include "cmd.h"
-#include "iso14443crc.h"
#include "iso14443a.h"
-#include "iso14443b.h"
-#include "crapto1.h"
-#include "mifareutil.h"
-#include "BigBuf.h"
-#include "parity.h"
static uint32_t iso14a_timeout;
int rsamples = 0;
// Stop when button is pressed
// Or return TRUE when command is captured
//-----------------------------------------------------------------------------
-static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) {
+int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) {
// Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
// only, since we are receiving, not transmitting).
// Signal field is off with the appropriate LED
//-----------------------------------------------------------------------------
void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
- // Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, CUID, block2, keytyp2, NT2, NR2, AR2
- // it should also collect block, keytype.
- // This can be used in a reader-only attack.
- uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
- uint8_t ar_nr_collected = 0;
+ #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+ // init pseudorand
+ fast_prand();
+
uint8_t sak = 0;
uint32_t cuid = 0;
uint32_t nonce = 0;
// The first response contains the ATQA (note: bytes are transmitted in reverse order).
uint8_t response1[] = {0,0};
+
+ // Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, CUID, block2, keytyp2, NT2, NR2, AR2
+ // it should also collect block, keytype.
+ uint8_t cardAUTHSC = 0;
+ uint8_t cardAUTHKEY = 0xff; // no authentication
+ // allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
+
+ nonces_t ar_nr_nonces[ATTACK_KEY_COUNT]; // for attack types moebius
+ memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
+ uint8_t moebius_count = 0;
switch (tagType) {
case 1: { // MIFARE Classic 1k
uint16_t start = 4 * (0+12);
uint8_t emdata[8];
emlGetMemBt( emdata, start, sizeof(emdata));
- memcpy(data, emdata, 3); //uid bytes 0-2
- memcpy(data+3, emdata+4, 4); //uid bytes 3-7
+ memcpy(data, emdata, 3); // uid bytes 0-2
+ memcpy(data+3, emdata+4, 4); // uid bytes 3-7
flags |= FLAG_7B_UID_IN_DATA;
}
- } break;
+ } break;
+ case 8: { // MIFARE Classic 4k
+ response1[0] = 0x02;
+ sak = 0x18;
+ } break;
default: {
Dbprintf("Error: unkown tagtype (%d)",tagType);
return;
response3a[0] = sak & 0xFB;
ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
- uint8_t response5[] = { 0x01, 0x01, 0x01, 0x01 }; // Very random tag nonce
+ // Tag NONCE.
+ uint8_t response5[4];
+
uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
// Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
// TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
// TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
// TC(1) = 0x02: CID supported, NAD not supported
ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
-
- // the randon nonce
- nonce = bytes_to_num(response5, 4);
// Prepare GET_VERSION (different for UL EV-1 / NTAG)
- //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION.
- //uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
+ // uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION.
+ // uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
// Prepare CHK_TEARING
- //uint8_t response9[] = {0xBD,0x90,0x3f};
+ // uint8_t response9[] = {0xBD,0x90,0x3f};
#define TAG_RESPONSE_COUNT 10
tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
{ .response = response8, .response_n = sizeof(response8) } // EV1/NTAG PACK response
};
- //{ .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
- //{ .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response
+ // { .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
+ // { .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response
// Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
// Clean receive command buffer
if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
- DbpString("Button press");
+ Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
break;
- }
-
- // incease nonce at every command recieved
- nonce++;
- num_to_bytes(nonce, 4, response5);
-
+ }
p_response = NULL;
// Okay, look at the command now.
uint8_t block = receivedCmd[1];
// if Ultralight or NTAG (4 byte blocks)
if ( tagType == 7 || tagType == 2 ) {
- //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
uint16_t start = 4 * (block+12);
- uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
- emlGetMemBt( emdata, start, 16);
- AppendCrc14443a(emdata, 16);
- EmSendCmdEx(emdata, sizeof(emdata), false);
+ uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+ emlGetMemBt( emdata, start, 16);
+ AppendCrc14443a(emdata, 16);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
p_response = NULL;
} else { // all other tags (16 byte block tags)
- EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
+ uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+ emlGetMemBt( emdata, block, 16);
+ AppendCrc14443a(emdata, 16);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
+ // EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
// Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
p_response = NULL;
}
} else if(receivedCmd[0] == MIFARE_ULEV1_FASTREAD) { // Received a FAST READ (ranged read)
uint8_t emdata[MAX_FRAME_SIZE];
- //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
int start = (receivedCmd[1]+12) * 4;
int len = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
emlGetMemBt( emdata, start, len);
EmSendCmdEx(emdata, len+2, false);
p_response = NULL;
} else if(receivedCmd[0] == MIFARE_ULEV1_READSIG && tagType == 7) { // Received a READ SIGNATURE --
- //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
uint16_t start = 4 * 4;
uint8_t emdata[34];
emlGetMemBt( emdata, start, 32);
p_response = NULL;
} else if (receivedCmd[0] == MIFARE_ULEV1_READ_CNT && tagType == 7) { // Received a READ COUNTER --
uint8_t index = receivedCmd[1];
- uint8_t data[] = {0x00,0x00,0x00,0x14,0xa5};
+ uint8_t cmd[] = {0x00,0x00,0x00,0x14,0xa5};
if ( counters[index] > 0) {
- num_to_bytes(counters[index], 3, data);
- AppendCrc14443a(data, sizeof(data)-2);
+ num_to_bytes(counters[index], 3, cmd);
+ AppendCrc14443a(cmd, sizeof(cmd)-2);
}
- EmSendCmdEx(data,sizeof(data),false);
+ EmSendCmdEx(cmd,sizeof(cmd),false);
p_response = NULL;
} else if (receivedCmd[0] == MIFARE_ULEV1_INCR_CNT && tagType == 7) { // Received a INC COUNTER --
// number of counter
EmSendCmdEx(ack,sizeof(ack),false);
p_response = NULL;
} else if(receivedCmd[0] == MIFARE_ULEV1_CHECKTEAR && tagType == 7) { // Received a CHECK_TEARING_EVENT --
- //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
+ // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
uint8_t emdata[3];
uint8_t counter=0;
if (receivedCmd[1]<3) counter = receivedCmd[1];
uint8_t emdata[10];
emlGetMemBt( emdata, 0, 8 );
AppendCrc14443a(emdata, sizeof(emdata)-2);
- EmSendCmdEx(emdata, sizeof(emdata), false);
+ EmSendCmdEx(emdata, sizeof(emdata), false);
p_response = NULL;
} else {
- p_response = &responses[5]; order = 7;
+
+ cardAUTHKEY = receivedCmd[0] - 0x60;
+ cardAUTHSC = receivedCmd[1] / 4; // received block num
+
+ // incease nonce at AUTH requests. this is time consuming.
+ nonce = prand();
+ //num_to_bytes(nonce, 4, response5);
+ num_to_bytes(nonce, 4, dynamic_response_info.response);
+ dynamic_response_info.response_n = 4;
+
+ //prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
+ prepare_tag_modulation(&dynamic_response_info, DYNAMIC_MODULATION_BUFFER_SIZE);
+ p_response = &dynamic_response_info;
+ //p_response = &responses[5];
+ order = 7;
}
} else if(receivedCmd[0] == ISO14443A_CMD_RATS) { // Received a RATS request
if (tagType == 1 || tagType == 2) { // RATS not supported
LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
uint32_t nr = bytes_to_num(receivedCmd,4);
uint32_t ar = bytes_to_num(receivedCmd+4,4);
-
+
+ // Collect AR/NR per keytype & sector
if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
- if(ar_nr_collected < 2){
- ar_nr_responses[ar_nr_collected*4] = cuid;
- ar_nr_responses[ar_nr_collected*4+1] = nonce;
- ar_nr_responses[ar_nr_collected*4+2] = nr;
- ar_nr_responses[ar_nr_collected*4+3] = ar;
- ar_nr_collected++;
- }
- if(ar_nr_collected > 1 ) {
- if (MF_DBGLEVEL >= 2 && !(flags & FLAG_INTERACTIVE)) {
- Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
- Dbprintf("../tools/mfkey/mfkey32v2.exe %08x %08x %08x %08x %08x %08x %08x",
- ar_nr_responses[0], // CUID
- ar_nr_responses[1], // NT_1
- ar_nr_responses[2], // AR_1
- ar_nr_responses[3], // NR_1
- ar_nr_responses[5], // NT_2
- ar_nr_responses[6], // AR_2
- ar_nr_responses[7] // NR_2
- );
+
+ int8_t index = -1;
+ int8_t empty = -1;
+ for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+ // find which index to use
+ if ( (cardAUTHSC == ar_nr_nonces[i].sector) && (cardAUTHKEY == ar_nr_nonces[i].keytype))
+ index = i;
+
+ // keep track of empty slots.
+ if ( ar_nr_nonces[i].state == EMPTY)
+ empty = i;
+ }
+ // if no empty slots. Choose first and overwrite.
+ if ( index == -1 ) {
+ if ( empty == -1 ) {
+ index = 0;
+ ar_nr_nonces[index].state = EMPTY;
+ } else {
+ index = empty;
}
- uint8_t len = ar_nr_collected*4*4;
- cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
- ar_nr_collected = 0;
- memset(ar_nr_responses, 0x00, len);
+ }
+
+ switch(ar_nr_nonces[index].state) {
+ case EMPTY: {
+ // first nonce collect
+ ar_nr_nonces[index].cuid = cuid;
+ ar_nr_nonces[index].sector = cardAUTHSC;
+ ar_nr_nonces[index].keytype = cardAUTHKEY;
+ ar_nr_nonces[index].nonce = nonce;
+ ar_nr_nonces[index].nr = nr;
+ ar_nr_nonces[index].ar = ar;
+ ar_nr_nonces[index].state = FIRST;
+ break;
+ }
+ case FIRST : {
+ // second nonce collect
+ ar_nr_nonces[index].nonce2 = nonce;
+ ar_nr_nonces[index].nr2 = nr;
+ ar_nr_nonces[index].ar2 = ar;
+ ar_nr_nonces[index].state = SECOND;
+
+ // send to client
+ cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
+
+ ar_nr_nonces[index].state = EMPTY;
+ ar_nr_nonces[index].sector = 0;
+ ar_nr_nonces[index].keytype = 0;
+
+ moebius_count++;
+ break;
+ }
+ default: break;
}
}
+ p_response = NULL;
} else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
} else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
if ( tagType == 7 ) {
- uint16_t start = 13; //first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
+ uint16_t start = 13; // first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
uint8_t emdata[4];
emlGetMemBt( emdata, start, 2);
AppendCrc14443a(emdata, 2);
dynamic_response_info.response_n = 2;
} break;
- case 0xaa:
- case 0xbb: {
+ case 0xAA:
+ case 0xBB: {
dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
dynamic_response_info.response_n = 2;
} break;
dynamic_response_info.response[1] = receivedCmd[1];
// Add CRC bytes, always used in ISO 14443A-4 compliant cards
- AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
+ AppendCrc14443a(dynamic_response_info.response, dynamic_response_info.response_n);
dynamic_response_info.response_n += 2;
if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
- Dbprintf("Error preparing tag response");
+ DbpString("Error preparing tag response");
LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
// comment this limit if you want to simulation longer
if (!tracing) {
- Dbprintf("Trace Full. Simulation stopped.");
+ DbpString("Trace Full. Simulation stopped.");
break;
}
// comment this limit if you want to simulation longer
set_tracing(FALSE);
BigBuf_free_keep_EM();
LED_A_OFF();
-
+
if (MF_DBGLEVEL >= 4){
- Dbprintf("-[ Wake ups after halt [%d]", happened);
- Dbprintf("-[ Messages after halt [%d]", happened2);
- Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
+ Dbprintf("-[ Wake ups after halt [%d]", happened);
+ Dbprintf("-[ Messages after halt [%d]", happened2);
+ Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
+ Dbprintf("-[ Num of moebius tries [%d]", moebius_count);
}
+
+ cmd_send(CMD_ACK,1,0,0,0,0);
}
// prepare a delayed transfer. This simply shifts ToSend[] by a number
//-----------------------------------------------------------------------------
// Prepare reader command (in bits, support short frames) to send to FPGA
//-----------------------------------------------------------------------------
-void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
-{
+void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity) {
int i, j;
int last = 0;
uint8_t b;
// Stop when button is pressed (return 1) or field was gone (return 2)
// Or return 0 when command is captured
//-----------------------------------------------------------------------------
-static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) {
+int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) {
*len = 0;
uint32_t timer = 0, vtime = 0;
// if anticollision is false, then the UID must be provided in uid_ptr[]
// and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
- uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
- uint8_t sel_all[] = { 0x93,0x20 };
- uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
- uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
+ uint8_t wupa[] = { ISO14443A_CMD_WUPA }; // 0x26 - ISO14443A_CMD_REQA 0x52 - ISO14443A_CMD_WUPA
+ uint8_t sel_all[] = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x20 };
+ uint8_t sel_uid[] = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+ uint8_t rats[] = { ISO14443A_CMD_RATS,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
uint8_t resp[MAX_FRAME_SIZE] = {0}; // theoretically. A usual RATS will be much smaller
uint8_t resp_par[MAX_PARITY_SIZE] = {0};
byte_t uid_resp[4] = {0};
memset(uid_ptr,0,10);
}
+ // reset the PCB block number
+ iso14_pcb_blocknum = 0;
+
// check for proprietary anticollision:
if ((resp[0] & 0x1F) == 0) return 3;
p_hi14a_card->ats_len = len;
}
- // reset the PCB block number
- iso14_pcb_blocknum = 0;
-
// set default timeout based on ATS
iso14a_set_ATS_timeout(resp);
-
return 1;
}
void iso14443a_setup(uint8_t fpga_minor_mode) {
+
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
// Set up the synchronous serial port
FpgaSetupSsc();
// connect Demodulated Signal to ADC:
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
- FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
-
LED_D_OFF();
// Signal field is on with the appropriate LED
if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD ||
fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN)
LED_D_ON();
- // Prepare the demodulation functions
- DemodReset();
- UartReset();
-
- iso14a_set_timeout(10*106); // 10ms default
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
- //NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER;
- NextTransferTime = DELAY_ARM2AIR_AS_READER << 1;
+ SpinDelay(20);
// Start the timer
StartCountSspClk();
+
+ // Prepare the demodulation functions
+ DemodReset();
+ UartReset();
+ NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER;
+ iso14a_set_timeout(10*106); // 20ms default
}
int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
{
iso14_pcb_blocknum ^= 1;
}
-
return len;
}
+
//-----------------------------------------------------------------------------
// Read an ISO 14443a tag. Send out commands and store answers.
-//
//-----------------------------------------------------------------------------
void ReaderIso14443a(UsbCommand *c) {
iso14a_command_t param = c->arg[0];
}
if (param & ISO14A_RAW) {
- if(param & ISO14A_APPEND_CRC) {
- if(param & ISO14A_TOPAZMODE) {
+ if (param & ISO14A_APPEND_CRC) {
+ if (param & ISO14A_TOPAZMODE)
AppendCrc14443b(cmd,len);
- } else {
+ else
AppendCrc14443a(cmd,len);
- }
+
len += 2;
if (lenbits) lenbits += 16;
}
- if(lenbits>0) { // want to send a specific number of bits (e.g. short commands)
- if(param & ISO14A_TOPAZMODE) {
+ if (lenbits>0) { // want to send a specific number of bits (e.g. short commands)
+ if (param & ISO14A_TOPAZMODE) {
int bits_to_send = lenbits;
uint16_t i = 0;
ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity
ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity
}
} else { // want to send complete bytes only
- if(param & ISO14A_TOPAZMODE) {
+ if (param & ISO14A_TOPAZMODE) {
uint16_t i = 0;
ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy
while (i < len) {
if (nt1 == nt2) return 0;
- uint16_t i;
uint32_t nttmp1 = nt1;
uint32_t nttmp2 = nt2;
- for (i = 1; i < (32768/8); ++i) {
+ // 0xFFFF -- Half up and half down to find distance between nonces
+ for (uint16_t i = 1; i < 32768/8; i += 8) {
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -i;
-
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+1;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+1);
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+2;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+2);
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+3;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+3);
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+4;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+4);
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+5;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+5);
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+6;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+6);
nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+7;
- nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+7);
- }
+
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -i;
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+1);
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+2);
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+3);
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+4);
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+5);
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+6);
+ nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+7);
+ }
// either nt1 or nt2 are invalid nonces
return(-99999);
}
// Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
// (article by Nicolas T. Courtois, 2009)
//-----------------------------------------------------------------------------
-void ReaderMifare(bool first_try, uint8_t block ) {
- uint8_t mf_auth[] = { MIFARE_AUTH_KEYA, block, 0x00, 0x00 };
+
+void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) {
+
+ uint8_t mf_auth[] = { keytype, block, 0x00, 0x00 };
uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
uint8_t par_list[8] = {0,0,0,0,0,0,0,0};
#define PRNG_SEQUENCE_LENGTH (1 << 16)
#define MAX_UNEXPECTED_RANDOM 4 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
#define MAX_SYNC_TRIES 32
-
+
+ AppendCrc14443a(mf_auth, 2);
+
BigBuf_free(); BigBuf_Clear_ext(false);
clear_trace();
- set_tracing(TRUE);
+ set_tracing(FALSE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
- AppendCrc14443a(mf_auth, 2);
+ sync_time = GetCountSspClk() & 0xfffffff8;
+ sync_cycles = PRNG_SEQUENCE_LENGTH; // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
+ nt_attacked = 0;
- if (first_try) {
- sync_time = GetCountSspClk() & 0xfffffff8;
- sync_cycles = PRNG_SEQUENCE_LENGTH + 1130; //65536; //0x10000 // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
- mf_nr_ar3 = 0;
- nt_attacked = 0;
+ if (MF_DBGLEVEL >= 4) Dbprintf("Mifare::Sync %u", sync_time);
+
+ if (first_try) {
+ mf_nr_ar3 = 0;
par_low = 0;
} else {
// we were unsuccessful on a previous call.
// Transmit reader nonce with fake par
ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
- WDT_HIT();
- LED_B_ON();
- if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
+ // we didn't calibrate our clock yet,
+ // iceman: has to be calibrated every time.
+ if (previous_nt && !nt_attacked) {
nt_distance = dist_nt(previous_nt, nt);
}
LED_B_OFF();
- if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
+ if ( (nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
catch_up_cycles = ABS(dist_nt(nt_attacked, nt));
if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
set_tracing(FALSE);
}
+
/**
*MIFARE 1K simulate.
*
*@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
*/
void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) {
+
+ // init pseudorand
+ fast_prand( GetTickCount() );
+
int cardSTATE = MFEMUL_NOFIELD;
int _UID_LEN = 0; // 4, 7, 10
int vHf = 0; // in mV
struct Crypto1State mpcs = {0, 0};
struct Crypto1State *pcs;
pcs = &mpcs;
- uint32_t numReads = 0; //Counts numer of times reader read a block
+ uint32_t numReads = 0; // Counts numer of times reader read a block
uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
uint8_t response[MAX_MIFARE_FRAME_SIZE] = {0x00};
uint8_t sak_4[] = {0x0C, 0x00, 0x00}; // CL1 - 4b uid
uint8_t sak_7[] = {0x0C, 0x00, 0x00}; // CL2 - 7b uid
uint8_t sak_10[] = {0x0C, 0x00, 0x00}; // CL3 - 10b uid
- //uint8_t sak[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
+ // uint8_t sak[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
- uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01}; // very random nonce
- //uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this?
+ // TAG Nonce - Authenticate response
+ uint8_t rAUTH_NT[4];
+ uint32_t nonce = prand();
+ num_to_bytes(nonce, 4, rAUTH_NT);
+
+ // uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this?
uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
-
+
// Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2
// This can be used in a reader-only attack.
- uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0};
- uint8_t ar_nr_collected = 0;
+ nonces_t ar_nr_nonces[ATTACK_KEY_COUNT];
+ memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
- // Authenticate response - nonce
- uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
- ar_nr_responses[1] = nonce;
-
- //-- Determine the UID
+ // -- Determine the UID
// Can be set from emulator memory or incoming data
// Length: 4,7,or 10 bytes
if ( (flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL)
case 4:
sak_4[0] &= 0xFB;
// save CUID
- ar_nr_responses[0] = cuid = bytes_to_num(rUIDBCC1, 4);
+ cuid = bytes_to_num(rUIDBCC1, 4);
// BCC
rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
if (MF_DBGLEVEL >= 2) {
atqa[0] |= 0x40;
sak_7[0] &= 0xFB;
// save CUID
- ar_nr_responses[0] = cuid = bytes_to_num(rUIDBCC2, 4);
+ cuid = bytes_to_num(rUIDBCC2, 4);
// CascadeTag, CT
rUIDBCC1[0] = 0x88;
// BCC
atqa[0] |= 0x80;
sak_10[0] &= 0xFB;
// save CUID
- ar_nr_responses[0] = cuid = bytes_to_num(rUIDBCC3, 4);
+ cuid = bytes_to_num(rUIDBCC3, 4);
// CascadeTag, CT
rUIDBCC1[0] = 0x88;
rUIDBCC2[0] = 0x88;
}
if (cardSTATE == MFEMUL_NOFIELD) continue;
- //Now, get data
+ // Now, get data
res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
if (res == 2) { //Field is off!
cardSTATE = MFEMUL_NOFIELD;
LEDsoff();
continue;
} else if (res == 1) {
- break; //return value 1 means button press
+ break; // return value 1 means button press
}
// REQ or WUP request in ANY state and WUP in HALTED state
crypto1_destroy(pcs);
cardAUTHKEY = 0xff;
LEDsoff();
- nonce++;
+ nonce = prand();
continue;
}
uint32_t nr = bytes_to_num(receivedCmd, 4);
uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
- //Collect AR/NR
- //if(ar_nr_collected < 2 && cardAUTHSC == 2){
- if(ar_nr_collected < 2) {
- //if(ar_nr_responses[2] != nr) {
- ar_nr_responses[ar_nr_collected*4] = cuid;
- ar_nr_responses[ar_nr_collected*4+1] = nonce;
- ar_nr_responses[ar_nr_collected*4+2] = nr;
- ar_nr_responses[ar_nr_collected*4+3] = ar;
- ar_nr_collected++;
- //}
-
- // Interactive mode flag, means we need to send ACK
- finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)&& ar_nr_collected == 2);
+ // Collect AR/NR per keytype & sector
+ if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
+
+ int8_t index = -1;
+ int8_t empty = -1;
+ for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+ // find which index to use
+ if ( (cardAUTHSC == ar_nr_nonces[i].sector) && (cardAUTHKEY == ar_nr_nonces[i].keytype))
+ index = i;
+
+ // keep track of empty slots.
+ if ( ar_nr_nonces[i].state == EMPTY)
+ empty = i;
+ }
+ // if no empty slots. Choose first and overwrite.
+ if ( index == -1 ) {
+ if ( empty == -1 ) {
+ index = 0;
+ ar_nr_nonces[index].state = EMPTY;
+ } else {
+ index = empty;
+ }
+ }
+
+ switch(ar_nr_nonces[index].state) {
+ case EMPTY: {
+ // first nonce collect
+ ar_nr_nonces[index].cuid = cuid;
+ ar_nr_nonces[index].sector = cardAUTHSC;
+ ar_nr_nonces[index].keytype = cardAUTHKEY;
+ ar_nr_nonces[index].nonce = nonce;
+ ar_nr_nonces[index].nr = nr;
+ ar_nr_nonces[index].ar = ar;
+ ar_nr_nonces[index].state = FIRST;
+ break;
+ }
+ case FIRST : {
+ // second nonce collect
+ ar_nr_nonces[index].nonce2 = nonce;
+ ar_nr_nonces[index].nr2 = nr;
+ ar_nr_nonces[index].ar2 = ar;
+ ar_nr_nonces[index].state = SECOND;
+
+ // send to client
+ cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
+
+ ar_nr_nonces[index].state = EMPTY;
+ ar_nr_nonces[index].sector = 0;
+ ar_nr_nonces[index].keytype = 0;
+ break;
+ }
+ default: break;
+ }
}
- /*
- crypto1_word(pcs, ar , 1);
- cardRr = nr ^ crypto1_word(pcs, 0, 0);
+
+ crypto1_word(pcs, nr , 1);
+ uint32_t cardRr = ar ^ crypto1_word(pcs, 0, 0);
- test if auth OK
+ //test if auth OK
if (cardRr != prng_successor(nonce, 64)){
- if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
- cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
- cardRr, prng_successor(nonce, 64));
- Shouldn't we respond anything here?
- Right now, we don't nack or anything, which causes the
- reader to do a WUPA after a while. /Martin
- -- which is the correct response. /piwi
+ if (MF_DBGLEVEL >= 3) {
+ Dbprintf("AUTH FAILED for sector %d with key %c. [nr=%08x cardRr=%08x] [nt=%08x succ=%08x]"
+ , cardAUTHSC
+ , (cardAUTHKEY == 0) ? 'A' : 'B'
+ , nr
+ , cardRr
+ , nonce // nt
+ , prng_successor(nonce, 64)
+ );
+ }
+ // Shouldn't we respond anything here?
+ // Right now, we don't nack or anything, which causes the
+ // reader to do a WUPA after a while. /Martin
+ // -- which is the correct response. /piwi
cardSTATE_TO_IDLE();
LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
- */
ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
num_to_bytes(ans, 4, rAUTH_AT);
EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
LED_C_ON();
- if (MF_DBGLEVEL >= 4) {
+ if (MF_DBGLEVEL >= 1) {
Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d",
cardAUTHSC,
cardAUTHKEY == 0 ? 'A' : 'B',
receivedCmd[0] == MIFARE_AUTH_KEYB) ) {
authTimer = GetTickCount();
- cardAUTHSC = receivedCmd[1] / 4; // received block num
- cardAUTHKEY = receivedCmd[0] - 0x60; // & 1
+ cardAUTHSC = receivedCmd[1] / 4; // received block -> sector
+ cardAUTHKEY = receivedCmd[0] & 0x1;
crypto1_destroy(pcs);
+
+ // load key into crypto
crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
- if (!encrypted_data) {
+ if (!encrypted_data) {
// first authentication
- crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
- num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
-
- if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
-
+ // Update crypto state init (UID ^ NONCE)
+ crypto1_word(pcs, cuid ^ nonce, 0);
+ num_to_bytes(nonce, 4, rAUTH_AT);
} else {
// nested authentication
ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
num_to_bytes(ans, 4, rAUTH_AT);
- if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
+ if (MF_DBGLEVEL >= 3) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %c", receivedCmd[1], receivedCmd[1], cardAUTHKEY == 0 ? 'A' : 'B');
}
EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
}
}
- // Interactive mode flag, means we need to send ACK
- if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE) {
- //May just aswell send the collected ar_nr in the response aswell
- uint8_t len = ar_nr_collected * 4 * 4;
- cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
- }
-
- if( ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) && MF_DBGLEVEL >= 1 ) {
- if(ar_nr_collected > 1 ) {
- Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
- Dbprintf("../tools/mfkey/mfkey32v2.exe %08x %08x %08x %08x %08x %08x %08x",
- ar_nr_responses[0], // CUID
- ar_nr_responses[1], // NT1
- ar_nr_responses[2], // NR1
- ar_nr_responses[3], // AR1
- //ar_nr_responses[4], // CUID2
- ar_nr_responses[5], // NT2
- ar_nr_responses[6], // NR2
- ar_nr_responses[7] // AR2
- );
- } else {
- Dbprintf("Failed to obtain two AR/NR pairs!");
- if(ar_nr_collected == 1 ) {
- Dbprintf("Only got these: UID=%08x, nonce=%08x, NR1=%08x, AR1=%08x",
- ar_nr_responses[0], // CUID
- ar_nr_responses[1], // NT
- ar_nr_responses[2], // NR1
- ar_nr_responses[3] // AR1
- );
- }
- }
- }
- if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
+ if (MF_DBGLEVEL >= 1)
+ Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ cmd_send(CMD_ACK,1,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
set_tracing(FALSE);
}