UartInit(receivedCmd, receivedCmdPar);
// Setup and start DMA.
- FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+ if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+ if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting");
+ return;
+ }
// We won't start recording the frames that we acquire until we trigger;
// a good trigger condition to get started is probably when we see a
//-----------------------------------------------------------------------------
// Main loop of simulated tag: receive commands from reader, decide what
// response to send, and send it.
+// 'hf 14a sim'
//-----------------------------------------------------------------------------
void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
- //Here, we collect CUID, NT, NR, AR, CUID, NT2, NR2, AR2
+ // Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, CUID, block2, keytyp2, NT2, NR2, AR2
+ // it should also collect block, keytype.
// This can be used in a reader-only attack.
uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
uint8_t ar_nr_collected = 0;
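Review bot: The rewritten comment on the `// Here, we collect CUID, block1, keytype1, NT1, NR1, AR1, ...` line describes twelve values for two authentications, but the array declared two lines below holds ten words and the stores in the auth branch further down write four words per authentication at `ar_nr_collected*4 .. +3` (CUID, NT, NR, AR), as the follow-up `it should also collect block, keytype.` line concedes. Document what is stored rather than what is planned: `// Collect CUID, NT, NR, AR for two authentications (4 words each); block and key type are not yet recorded.` If block/keytype are added later, the array size, the stride in the stores and the memset length must change together. SimulateIso14443aTag's body continues outside the hunk.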
} else if(receivedCmd[0] == ISO14443A_CMD_HALT) { // Received a HALT
LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
p_response = NULL;
- } else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) { // Received an authentication request
-
+ } else if(receivedCmd[0] == MIFARE_AUTH_KEYA || receivedCmd[0] == MIFARE_AUTH_KEYB) { // Received an authentication request
if ( tagType == 7 ) { // IF NTAG /EV1 0x60 == GET_VERSION, not a authentication request.
uint8_t emdata[10];
emlGetMemBt( emdata, 0, 8 );
if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
if(ar_nr_collected < 2){
- // Avoid duplicates... probably not necessary, nr should vary.
- // nr doesn't change in pm3's reading etc. its fixed.
- //if(ar_nr_responses[3] != nr){
- ar_nr_responses[ar_nr_collected*4] = cuid;
- ar_nr_responses[ar_nr_collected*4+1] = nonce;
- ar_nr_responses[ar_nr_collected*4+2] = nr;
- ar_nr_responses[ar_nr_collected*4+3] = ar;
- ar_nr_collected++;
- //}
+ ar_nr_responses[ar_nr_collected*4] = cuid;
+ ar_nr_responses[ar_nr_collected*4+1] = nonce;
+ ar_nr_responses[ar_nr_collected*4+2] = nr;
+ ar_nr_responses[ar_nr_collected*4+3] = ar;
+ ar_nr_collected++;
}
-
if(ar_nr_collected > 1 ) {
if (MF_DBGLEVEL >= 2 && !(flags & FLAG_INTERACTIVE)) {
Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
- Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
+ Dbprintf("../tools/mfkey/mfkey32v2.exe %08x %08x %08x %08x %08x %08x %08x",
ar_nr_responses[0], // CUID
- ar_nr_responses[1], // NT
- ar_nr_responses[2], // AR1
- ar_nr_responses[3], // NR1
- ar_nr_responses[6], // AR2
- ar_nr_responses[7] // NR2
+ ar_nr_responses[1], // NT_1
+ ar_nr_responses[2], // AR_1
+ ar_nr_responses[3], // NR_1
+ ar_nr_responses[5], // NT_2
+ ar_nr_responses[6], // AR_2
+ ar_nr_responses[7] // NR_2
);
}
uint8_t len = ar_nr_collected*4*4;
memset(ar_nr_responses, 0x00, len);
}
}
+
} else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
} else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
if ( tagType == 7 ) {
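Review bot: The labels on the mfkey32v2 arguments are swapped relative to what the store above puts in the array: `ar_nr_responses[ar_nr_collected*4+2] = nr;` and `+3 = ar;`, yet the print comments name index 2 `AR_1` and index 3 `NR_1` (and likewise 6/7). The values themselves are passed in nr, ar order, so only the comments mislead; change them to `ar_nr_responses[2], // NR_1`, `ar_nr_responses[3], // AR_1`, and `// NR_2` / `// AR_2` for indices 6 and 7. Separately, once two pairs are collected the block clears the array with memset but nothing in this hunk resets ar_nr_collected, so the `if(ar_nr_collected < 2)` guard never admits a third authentication; if that is intended, say so in a comment, otherwise add `ar_nr_collected = 0;` after the memset. The enclosing function starts outside the hunk.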
b = AT91C_BASE_SSC->SSC_RHR; (void) b;
// wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
- for (uint16_t j = 0; j < 5; j++) { // allow timeout - better late than never
+ for (uint8_t j = 0; j < 5; j++) { // allow timeout - better late than never
while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
if (AT91C_BASE_SSC->SSC_RHR) break;
}
}
void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing) {
+
CodeIso14443aBitsAsReaderPar(frame, bits, par);
-
// Send command to tag
TransmitFor14443a(ToSend, ToSendMax, timing);
if(trigger) LED_A_ON();
- // Log reader command in trace buffer
- //LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
LogTrace(frame, nbytes(bits), (LastTimeProxToAirStart<<4) + DELAY_ARM2AIR_AS_READER, ((LastTimeProxToAirStart + LastProxToAirDuration)<<4) + DELAY_ARM2AIR_AS_READER, par, TRUE);
}
}
void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing) {
- // Generate parity and redirect
- uint8_t par[MAX_PARITY_SIZE] = {0x00};
- GetParity(frame, len/8, par);
- ReaderTransmitBitsPar(frame, len, par, timing);
+ // Generate parity and redirect
+ uint8_t par[MAX_PARITY_SIZE] = {0x00};
+ GetParity(frame, len/8, par);
+ ReaderTransmitBitsPar(frame, len, par, timing);
}
void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing) {
- // Generate parity and redirect
- uint8_t par[MAX_PARITY_SIZE] = {0x00};
- GetParity(frame, len, par);
- ReaderTransmitBitsPar(frame, len*8, par, timing);
+ // Generate parity and redirect
+ uint8_t par[MAX_PARITY_SIZE] = {0x00};
+ GetParity(frame, len, par);
+ ReaderTransmitBitsPar(frame, len*8, par, timing);
}
int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity) {
}
// REQ or WUP request in ANY state and WUP in HALTED state
+ // this if-statement doesn't match the specification above. (iceman)
if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
selTimer = GetTickCount();
EmSendCmdEx(atqa, sizeof(atqa), (receivedCmd[0] == ISO14443A_CMD_WUPA));
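Review bot: The added `this if-statement doesn't match the specification above. (iceman)` comment records a contradiction instead of resolving it, and it is the older comment that is wrong: the condition accepts REQA only when cardSTATE != MFEMUL_HALTED and WUPA in any state, which is the ISO14443-3 behaviour (a halted PICC answers WUPA but not REQA). Replace both comment lines with `// REQA is accepted in any state except HALTED; WUPA is accepted in any state (ISO14443-3)`. The enclosing function starts and ends outside the hunk.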
// Set up the demodulator for the reader -> tag commands
UartInit(receivedCmd, receivedCmdPar);
- // set transfer address and number of bytes. Start transfer.
- FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+ // Setup and start DMA.
+ // set transfer address and number of bytes. Start transfer.
+ if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+ if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting");
+ return;
+ }
LED_D_OFF();
maxDataLen = 0;
ReaderIsActive = FALSE;
TagIsActive = FALSE;
- FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
+ // Setup and start DMA. set transfer address and number of bytes. Start transfer.
+ if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE) ){
+ if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting");
+ return;
+ }
}
}
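Review bot: The failure path added after `FpgaSetupSscDma` reports the error only when MF_DBGLEVEL > 1 and then returns, so at lower debug levels the function exits silently and the caller presumably gets no indication that DMA setup failed; the same applies to the identical block just above in this function and to the copy at the top of this page (the `UartInit` / `Setup and start DMA` hunk). Consider reporting unconditionally, `Dbprintf("FpgaSetupSscDma failed. Exiting");`, or at whatever level this file uses for hard errors. The bare `return;` also skips whatever teardown the enclosing function does on its normal exit path (LED state, FPGA/DMA shutdown such as FpgaDisableSscDma(), if it calls that); that cleanup should run on this path as well. The enclosing function starts outside the hunk.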