+ if (tagType == 1 || tagType == 2) { // RATS not supported
+ EmSend4bit(CARD_NACK_NA);
+ p_response = NULL;
+ } else {
+ p_response = &responses[6]; order = 70;
+ }
+ } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
+ if (tracing) {
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ }
+ uint32_t nonce = bytes_to_num(response5,4);
+ uint32_t nr = bytes_to_num(receivedCmd,4);
+ uint32_t ar = bytes_to_num(receivedCmd+4,4);
+ //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar);
+
+ if(flags & FLAG_NR_AR_ATTACK )
+ {
+ if(ar_nr_collected < 2){
+ // Avoid duplicates... probably not necessary, nr should vary.
+ //if(ar_nr_responses[3] != nr){
+ ar_nr_responses[ar_nr_collected*5] = 0;
+ ar_nr_responses[ar_nr_collected*5+1] = 0;
+ ar_nr_responses[ar_nr_collected*5+2] = nonce;
+ ar_nr_responses[ar_nr_collected*5+3] = nr;
+ ar_nr_responses[ar_nr_collected*5+4] = ar;
+ ar_nr_collected++;
+ //}
+ }
+
+ if(ar_nr_collected > 1 ) {
+
+ if (MF_DBGLEVEL >= 2) {
+ Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
+ Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
+ ar_nr_responses[0], // UID1
+ ar_nr_responses[1], // UID2
+ ar_nr_responses[2], // NT
+ ar_nr_responses[3], // AR1
+ ar_nr_responses[4], // NR1
+ ar_nr_responses[8], // AR2
+ ar_nr_responses[9] // NR2
+ );
+ }
+ uint8_t len = ar_nr_collected*5*4;
+ cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
+ ar_nr_collected = 0;
+ memset(ar_nr_responses, 0x00, len);
+ }
+ }
+ } else if (receivedCmd[0] == 0x1a ) // ULC authentication
+ {
+
+ }
+ else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication
+ {
+ if ( tagType == 7 ) {
+ p_response = &responses[8]; // PACK response
+ }
+ }
+ else {
+ // Check for ISO 14443A-4 compliant commands, look at left nibble
+ switch (receivedCmd[0]) {
+
+ case 0x0B:
+ case 0x0A: { // IBlock (command)
+ dynamic_response_info.response[0] = receivedCmd[0];
+ dynamic_response_info.response[1] = 0x00;
+ dynamic_response_info.response[2] = 0x90;
+ dynamic_response_info.response[3] = 0x00;
+ dynamic_response_info.response_n = 4;
+ } break;
+
+ case 0x1A:
+ case 0x1B: { // Chaining command
+ dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ case 0xaa:
+ case 0xbb: {
+ dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ case 0xBA: { //
+ memcpy(dynamic_response_info.response,"\xAB\x00",2);
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ case 0xCA:
+ case 0xC2: { // Readers sends deselect command
+ memcpy(dynamic_response_info.response,"\xCA\x00",2);
+ dynamic_response_info.response_n = 2;
+ } break;
+
+ default: {
+ // Never seen this command before
+ if (tracing) {
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ }
+ Dbprintf("Received unknown command (len=%d):",len);
+ Dbhexdump(len,receivedCmd,false);
+ // Do not respond
+ dynamic_response_info.response_n = 0;
+ } break;
+ }
+
+ if (dynamic_response_info.response_n > 0) {
+ // Copy the CID from the reader query
+ dynamic_response_info.response[1] = receivedCmd[1];
+
+ // Add CRC bytes, always used in ISO 14443A-4 compliant cards
+ AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
+ dynamic_response_info.response_n += 2;
+
+ if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
+ Dbprintf("Error preparing tag response");
+ if (tracing) {
+ LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+ }
+ break;
+ }
+ p_response = &dynamic_response_info;
+ }