//
//-----------------------------------------------------------------------------
-#include "proxmark3.h"
+#include "../include/proxmark3.h"
#include "apps.h"
#include "util.h"
#include "string.h"
// Needed for CRC in emulation mode;
// same construction as in ISO 14443;
// different initial value (CRC_ICLASS)
-#include "iso14443crc.h"
-#include "iso15693tools.h"
+#include "../common/iso14443crc.h"
+#include "../common/iso15693tools.h"
+//#include "iso15693tools.h"
+
static int timeout = 4096;
int nOutOfCnt;
int OutOfCnt;
int syncBit;
- int parityBits;
int samples;
int highCnt;
int swapper;
int counter;
int bitBuffer;
int dropPosition;
- uint8_t *output;
+ uint8_t *output;
} Uart;
static RAMFUNC int OutOfNDecoding(int bit)
if(Uart.byteCnt == 0) {
// Its not straightforward to show single EOFs
// So just leave it and do not return TRUE
- Uart.output[Uart.byteCnt] = 0xf0;
+ Uart.output[0] = 0xf0;
Uart.byteCnt++;
-
- // Calculate the parity bit for the client...
- Uart.parityBits = 1;
}
else {
return TRUE;
if(Uart.bitCnt == 8) {
Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
Uart.byteCnt++;
-
- // Calculate the parity bit for the client...
- Uart.parityBits <<= 1;
- Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
-
Uart.bitCnt = 0;
Uart.shiftReg = 0;
}
Uart.dropPosition--;
Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
Uart.byteCnt++;
-
- // Calculate the parity bit for the client...
- Uart.parityBits <<= 1;
- Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
-
Uart.bitCnt = 0;
Uart.shiftReg = 0;
Uart.nOutOfCnt = 0;
Uart.state = STATE_START_OF_COMMUNICATION;
Uart.bitCnt = 0;
Uart.byteCnt = 0;
- Uart.parityBits = 0;
Uart.nOutOfCnt = 0;
Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
Uart.dropPosition = 0;
int bitCount;
int posCount;
int syncBit;
- int parityBits;
uint16_t shiftReg;
int buffer;
int buffer2;
Demod.sub = SUB_FIRST_HALF;
Demod.bitCount = 0;
Demod.shiftReg = 0;
- Demod.parityBits = 0;
Demod.samples = 0;
if(Demod.posCount) {
//if(trigger) LED_A_OFF(); // Not useful in this case...
else {
modulation = bit & Demod.syncBit;
modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
- //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
-
+
Demod.samples += 4;
if(Demod.posCount==0) {
if(Demod.state == DEMOD_SOF_COMPLETE) {
Demod.output[Demod.len] = 0x0f;
Demod.len++;
- Demod.parityBits <<= 1;
- Demod.parityBits ^= OddByteParity[0x0f];
Demod.state = DEMOD_UNSYNCD;
// error = 0x0f;
return TRUE;
// Tag response does not need to be a complete byte!
if(Demod.len > 0 || Demod.bitCount > 0) {
if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
- Demod.shiftReg >>= (9 - Demod.bitCount);
+ Demod.shiftReg >>= (9 - Demod.bitCount); // right align data
Demod.output[Demod.len] = Demod.shiftReg & 0xff;
Demod.len++;
- // No parity bit, so just shift a 0
- Demod.parityBits <<= 1;
}
Demod.state = DEMOD_UNSYNCD;
Demod.shiftReg >>= 1;
Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
Demod.len++;
-
- // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
- Demod.parityBits <<= 1;
- Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
-
Demod.bitCount = 0;
Demod.shiftReg = 0;
}
// So 32 should be enough!
uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
// The response (tag -> reader) that we're receiving.
- uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
+ uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
//if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
//if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
- if(tracing)
- {
- LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE);
- LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE);
+ if(tracing) {
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(Uart.output, Uart.byteCnt, parity);
+ LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, TRUE);
}
rsamples = samples - Demod.samples;
LED_B_ON();
- if(tracing)
- {
- LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE);
- LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE);
+ if(tracing) {
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(Demod.output, Demod.len, parity);
+ LogTrace(Demod.output, Demod.len, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, FALSE);
}
}
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
- /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
- *len = Uart.byteCnt;
- return TRUE;
- }*/
+
if(OutOfNDecoding(b & 0x0f)) {
*len = Uart.byteCnt;
return TRUE;
{
uint8_t mac_responses[64] = { 0 };
- Dbprintf("Going into attack mode");
+ Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
// In this mode, a number of csns are within datain. We'll simulate each one, one at a time
// in order to collect MAC's from the reader. This can later be used in an offlne-attack
// in order to obtain the keys, as in the "dismantling iclass"-paper.
// The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
memcpy(csn_crc, datain+(i*8), 8);
- if(doIClassSimulation(csn_crc,1,mac_responses))
+ if(doIClassSimulation(csn_crc,1,mac_responses+i*8))
{
return; // Button pressed
}
*/
int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
{
-
-
// CSN followed by two CRC bytes
uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
// + 1720..
uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
- memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+ memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
int len;
// Prepare card messages
respsize = 0;
if (breakAfterMacReceived){
// dbprintf:ing ...
- Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
+ Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
+ ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
- receivedCmd[0], receivedCmd[1], receivedCmd[2],
+ receivedCmd[0], receivedCmd[1], receivedCmd[2],
receivedCmd[3], receivedCmd[4], receivedCmd[5],
receivedCmd[6], receivedCmd[7], receivedCmd[8]);
if (reader_mac_buf != NULL)
}
if (tracing) {
- LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
- LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(receivedCmd, len, parity);
+ LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE);
if (respdata != NULL) {
- LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
- LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
-
-
+ GetParity(respdata, respsize, parity);
+ LogTrace(respdata, respsize, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
}
if(!tracing) {
DbpString("Trace full");
}
}
- memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+ memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
}
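Review bot: Nothing in the new tracing blocks bounds the frame length before GetParity writes into the fixed stack array `uint8_t parity[MAX_PARITY_SIZE]` (lines 138–140, 149–151, 208–217, and likewise 255–257 and 283–285); `Uart.byteCnt`, `len` and `Demod.len` all originate from the air interface, and whether GetParity itself bounds its output is not visible here. If MAX_PARITY_SIZE is not guaranteed to cover the largest frame the receive buffer now admits (it is cleared to MAX_FRAME_SIZE at line 189, presumably one parity bit per data byte), an over-length frame overflows the stack array; a guard such as `if (len > MAX_FRAME_SIZE) len = MAX_FRAME_SIZE;` before each GetParity call, or a `_Static_assert` tying MAX_PARITY_SIZE to MAX_FRAME_SIZE/8 if the toolchain allows it, would close this. The response path at lines 216–217 reuses the same `parity` array declared for the command; that is fine provided GetParity fully overwrites it, which is worth a one-line comment at line 216. The enclosing functions start outside the hunk.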
//Dbprintf("%x", cmdsRecvd);
FpgaSetupSsc();
if (wait)
- if(*wait < 10)
- *wait = 10;
+ {
+ if(*wait < 10) *wait = 10;
for(c = 0; c < *wait;) {
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
WDT_HIT();
}
+ }
+
+
uint8_t sendbyte;
bool firstpart = TRUE;
c = 0;
{
int wait = 0;
int samples = 0;
- int par = 0;
// This is tied to other size changes
- // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
CodeIClassCommand(frame,len);
// Select the card
LED_A_ON();
// Store reader command in buffer
- if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
+ if (tracing) {
+ uint8_t par[MAX_PARITY_SIZE];
+ GetParity(frame, len, par);
+ LogTrace(frame, len, rsamples, rsamples, par, TRUE);
+ }
}
//-----------------------------------------------------------------------------
for(;;) {
WDT_HIT();
- if(BUTTON_PRESS()) return FALSE;
+ if(BUTTON_PRESS()) return FALSE;
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
skip = !skip;
if(skip) continue;
- /*if(ManchesterDecoding((b>>4) & 0xf)) {
- *samples = ((c - 1) << 3) + 4;
- return TRUE;
- }*/
+
if(ManchesterDecoding(b & 0x0f)) {
*samples = c << 3;
return TRUE;
int samples = 0;
if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
rsamples += samples;
- if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
+ if (tracing){
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(receivedAnswer, Demod.len, parity);
+ LogTrace(receivedAnswer,Demod.len,rsamples,rsamples,parity,FALSE);
+ }
if(samples == 0) return FALSE;
return Demod.len;
}
}
+size_t sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, uint8_t expected_size, uint8_t retries)
+{
+ while(retries-- > 0)
+ {
+ ReaderTransmitIClass(command, cmdsize);
+ if(expected_size == ReaderReceiveIClass(resp)){
+ return 0;
+ }
+ }
+ return 1;//Error
+}
+
+/**
+ * @brief Talks to an iclass tag, sends the commands to get CSN and CC.
+ * @param card_data where the CSN and CC are stored for return
+ * @return 0 = fail
+ * 1 = Got CSN
+ * 2 = Got CSN and CC
+ */
+uint8_t handshakeIclassTag(uint8_t *card_data)
+{
+ static uint8_t act_all[] = { 0x0a };
+ static uint8_t identify[] = { 0x0c };
+ static uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ static uint8_t readcheck_cc[]= { 0x88, 0x02 };
+ uint8_t *resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
+
+ uint8_t read_status = 0;
+
+ // Send act_all
+ ReaderTransmitIClass(act_all, 1);
+ // Card present?
+ if(!ReaderReceiveIClass(resp)) return read_status;//Fail
+ //Send Identify
+ ReaderTransmitIClass(identify, 1);
+ //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
+ uint8_t len = ReaderReceiveIClass(resp);
+ if(len != 10) return read_status;//Fail
+
+ //Copy the Anti-collision CSN to our select-packet
+ memcpy(&select[1],resp,8);
+ //Select the card
+ ReaderTransmitIClass(select, sizeof(select));
+ //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
+ len = ReaderReceiveIClass(resp);
+ if(len != 10) return read_status;//Fail
+
+ //Success - level 1, we got CSN
+ //Save CSN in response data
+ memcpy(card_data,resp,8);
+
+ //Flag that we got to at least stage 1, read CSN
+ read_status = 1;
+
+ // Card selected, now read e-purse (cc)
+ ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+ if(ReaderReceiveIClass(resp) == 8) {
+ //Save CC (e-purse) in response data
+ memcpy(card_data+8,resp,8);
+
+ //Got both
+ read_status = 2;
+ }
+
+ return read_status;
+}
+
// Reader iClass Anticollission
void ReaderIClass(uint8_t arg0) {
- uint8_t act_all[] = { 0x0a };
- uint8_t identify[] = { 0x0c };
- uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- uint8_t readcheck_cc[]= { 0x88, 0x02 };
uint8_t card_data[24]={0};
uint8_t last_csn[8]={0};
- uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
-
int read_status= 0;
bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
+ bool get_cc = arg0 & FLAG_ICLASS_READER_GET_CC;
setupIclassReader();
size_t datasize = 0;
while(!BUTTON_PRESS())
{
+
+ if(traceLen > TRACE_SIZE) {
+ DbpString("Trace full");
+ break;
+ }
WDT_HIT();
- // Send act_all
- ReaderTransmitIClass(act_all, 1);
- // Card present?
- if(ReaderReceiveIClass(resp)) {
-
- ReaderTransmitIClass(identify, 1);
-
- if(ReaderReceiveIClass(resp) == 10) {
- //Copy the Anti-collision CSN to our select-packet
- memcpy(&select[1],resp,8);
- //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2],
- // resp[3], resp[4], resp[5],
- // resp[6], resp[7]);
- //Select the card
- ReaderTransmitIClass(select, sizeof(select));
-
- if(ReaderReceiveIClass(resp) == 10) {
- //Save CSN in response data
- memcpy(card_data,resp,8);
- datasize += 8;
- //Flag that we got to at least stage 1, read CSN
- read_status = 1;
-
- // Card selected
- //Dbprintf("Readcheck on Sector 2");
- ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
- if(ReaderReceiveIClass(resp) == 8) {
- //Save CC (e-purse) in response data
- memcpy(card_data+8,resp,8);
- datasize += 8;
- //Got both
- read_status = 2;
- }
+ read_status = handshakeIclassTag(card_data);
+
+ if(read_status == 0) continue;
+ if(read_status == 1) datasize = 8;
+ if(read_status == 2) datasize = 16;
LED_B_ON();
//Send back to client, but don't bother if we already sent this
if(memcmp(last_csn, card_data, 8) != 0)
- cmd_send(CMD_ACK,read_status,0,0,card_data,datasize);
+ {
+ if(!get_cc || (get_cc && read_status == 2))
+ {
+ cmd_send(CMD_ACK,read_status,0,0,card_data,datasize);
+ if(abort_after_read) {
+ LED_A_OFF();
+ return;
+ }
//Save that we already sent this....
- if(read_status == 2)
memcpy(last_csn, card_data, 8);
-
+ }
+ //If 'get_cc' was specified and we didn't get a CC, we'll just keep trying...
+ }
LED_B_OFF();
-
- if(abort_after_read) break;
- }
- }
- }
-
- if(traceLen > TRACE_SIZE) {
- DbpString("Trace full");
- break;
- }
}
+ cmd_send(CMD_ACK,0,0,0,card_data, 0);
LED_A_OFF();
}
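Review bot: handshakeIclassTag accepts the 10-byte identify and select responses (lines 327–328, 335–336) on length alone and copies their first 8 bytes into the select frame and into card_data without checking the two trailing CRC bytes the comments at lines 326 and 334 describe, so a corrupted frame is selected and reported to the client as a valid CSN. Since iclass_crc16 is already in use (line 465), a check such as `if(iclass_crc16((char *)resp, 8) != ((resp[8] << 8) | resp[9])) return read_status;` after each length check would reject bad frames — this assumes the response carries the CRC high byte first, as the read command built at lines 544–545 does; confirm the byte order before relying on it. `sendCmdGetResponseWithRetries` (lines 291–301) returns `size_t` but only ever yields 0 or 1 as a success flag; `int` or `bool` states the contract more plainly, and a comment like `// returns 0 on success, 1 when all retries were exhausted` belongs on the declaration. In ReaderIClass, `if(!get_cc || (get_cc && read_status == 2))` at line 424 is equivalent to `if(!get_cc || read_status == 2)`.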
void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
- uint8_t act_all[] = { 0x0a };
- uint8_t identify[] = { 0x0c };
- uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- uint8_t readcheck_cc[]= { 0x88, 0x02 };
+
+ uint8_t card_data[24]={0};
+ uint16_t block_crc_LUT[255] = {0};
+
+ {//Generate a lookup table for block crc
+ for(int block = 0; block < 255; block++){
+ char bl = block;
+ block_crc_LUT[block] = iclass_crc16(&bl ,1);
+ }
+ }
+ //Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]);
+
uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
uint16_t crc = 0;
uint8_t cardsize=0;
- bool read_success=false;
uint8_t mem=0;
static struct memory_t{
int keyaccess;
} memory;
- uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
+ uint8_t* resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
setupIclassReader();
- for(int i=0;i<1;i++) {
+ while(!BUTTON_PRESS()) {
+
+ WDT_HIT();
if(traceLen > TRACE_SIZE) {
DbpString("Trace full");
break;
}
- if (BUTTON_PRESS()) break;
-
- // Send act_all
- ReaderTransmitIClass(act_all, 1);
- // Card present?
- if(ReaderReceiveIClass(resp)) {
- ReaderTransmitIClass(identify, 1);
- if(ReaderReceiveIClass(resp) == 10) {
- // Select card
- memcpy(&select[1],resp,8);
- ReaderTransmitIClass(select, sizeof(select));
+ uint8_t read_status = handshakeIclassTag(card_data);
+ if(read_status < 2) continue;
- if(ReaderReceiveIClass(resp) == 10) {
- Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
- resp[0], resp[1], resp[2],
- resp[3], resp[4], resp[5],
- resp[6], resp[7]);
- }
- // Card selected
- Dbprintf("Readcheck on Sector 2");
- ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
- if(ReaderReceiveIClass(resp) == 8) {
- Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
- resp[0], resp[1], resp[2],
- resp[3], resp[4], resp[5],
- resp[6], resp[7]);
- }else return;
- Dbprintf("Authenticate");
//for now replay captured auth (as cc not updated)
memcpy(check+5,MAC,4);
- //Dbprintf(" AA: %02x %02x %02x %02x",
- // check[5], check[6], check[7],check[8]);
- ReaderTransmitIClass(check, sizeof(check));
- if(ReaderReceiveIClass(resp) == 4) {
- Dbprintf(" AR: %02x %02x %02x %02x",
- resp[0], resp[1], resp[2],resp[3]);
- }else {
+
+ if(sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5))
+ {
Dbprintf("Error: Authentication Fail!");
- return;
+ continue;
}
- Dbprintf("Dump Contents");
- //first get configuration block
- read_success=false;
+
+ //first get configuration block (block 1)
+ crc = block_crc_LUT[1];
read[1]=1;
- uint8_t *blockno=&read[1];
- crc = iclass_crc16((char *)blockno,1);
read[2] = crc >> 8;
read[3] = crc & 0xff;
- while(!read_success){
- ReaderTransmitIClass(read, sizeof(read));
- if(ReaderReceiveIClass(resp) == 10) {
- read_success=true;
+
+ if(sendCmdGetResponseWithRetries(read, sizeof(read),resp, 10, 10))
+ {
+ Dbprintf("Dump config (block 1) failed");
+ continue;
+ }
+
mem=resp[5];
memory.k16= (mem & 0x80);
memory.book= (mem & 0x20);
memory.lockauth= (mem & 0x2);
memory.keyaccess= (mem & 0x1);
- }
- }
- if (memory.k16){
- cardsize=255;
- }else cardsize=32;
+ cardsize = memory.k16 ? 255 : 32;
+ WDT_HIT();
+
//then loop around remaining blocks
- for(uint8_t j=0; j<cardsize; j++){
- read_success=false;
- uint8_t *blockno=&j;
- //crc_data[0]=j;
- read[1]=j;
- crc = iclass_crc16((char *)blockno,1);
+ for(int block=0; block < cardsize; block++){
+
+ read[1]= block;
+ crc = block_crc_LUT[block];
read[2] = crc >> 8;
read[3] = crc & 0xff;
- while(!read_success){
- ReaderTransmitIClass(read, sizeof(read));
- if(ReaderReceiveIClass(resp) == 10) {
- read_success=true;
+
+ if(!sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 10))
+ {
Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
- j, resp[0], resp[1], resp[2],
+ block, resp[0], resp[1], resp[2],
resp[3], resp[4], resp[5],
resp[6], resp[7]);
- }
- }
- }
+
+ }else{
+ Dbprintf("Failed to dump block %d", block);
+
}
}
- WDT_HIT();
+ //If we got here, let's break
+ break;
}
-
LED_A_OFF();
}
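Review bot: The auth and dump failures at lines 529–534 and 551–555 now `continue` the `while(!BUTTON_PRESS())` loop instead of returning, so a wrong MAC or an unresponsive tag keeps the function looping indefinitely until the button is pressed, with the only exit being "Trace full" at line 486; a bounded attempt counter, or at least a `Dbprintf("Retrying until button press")` at the first failure, would make that behaviour explicit to the operator. `uint16_t block_crc_LUT[255]` (510 bytes) plus `card_data` now live on the firmware stack of ReaderIClass_Replay where the previous code computed each CRC on demand; if the ARM stack budget is tight (not visible here), a `static` table filled once, or keeping the per-block `iclass_crc16` call, avoids the growth — the indexing itself is in range, since the table covers 0..254 (line 463) and `block < cardsize` with `cardsize` at most 255 (line 567). `char bl = block;` at line 464 stores values above 127 in a possibly signed `char`; the byte handed to iclass_crc16 is the same either way, but `uint8_t bl = block;` with `(char *)&bl` at the call site, as the removed line 543 did, reads less ambiguously. The bare braces around the table generation at lines 462–467 scope nothing that needs scoping; the comment alone suffices.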
uint16_t crc = 0;
- uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
+ uint8_t* resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
// Reset trace buffer
- memset(trace, 0x44, RECV_CMD_OFFSET);
+ memset(trace, 0x44, RECV_CMD_OFFSET);
traceLen = 0;
// Setup SSC