X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/6067df30c59dc58dd4bb0bb922fd28087d3f58f9..7e735c1398b9c3643d292614db10c7e58c58db85:/armsrc/iso14443a.c diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 642e8899..d49e6ae1 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -849,6 +849,10 @@ bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) { //----------------------------------------------------------------------------- void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { + #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack() + // init pseudorand + fast_prand(); + uint8_t sak = 0; uint32_t cuid = 0; uint32_t nonce = 0; @@ -866,8 +870,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t cardAUTHSC = 0; uint8_t cardAUTHKEY = 0xff; // no authentication // allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys - #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack() - nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius) + + nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (std, moebius) memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius) @@ -876,7 +880,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t nonce2_count = 0; uint8_t moebius_n_count = 0; bool gettingMoebius = false; - uint8_t mM = 0; //moebius_modifier for collection storage + uint8_t mM = 0; // moebius_modifier for collection storage switch (tagType) { @@ -918,8 +922,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint16_t start = 4 * (0+12); uint8_t emdata[8]; emlGetMemBt( emdata, start, sizeof(emdata)); - memcpy(data, emdata, 3); //uid bytes 0-2 - memcpy(data+3, emdata+4, 4); //uid bytes 3-7 + memcpy(data, emdata, 3); // uid bytes 0-2 + memcpy(data+3, emdata+4, 4); // uid bytes 3-7 flags |= FLAG_7B_UID_IN_DATA; } } break; @@ -972,22 +976,21 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { response3a[0] = sak & 0xFB; ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]); - uint8_t response5[] = { 0x01, 0x01, 0x01, 0x01 }; // Very random tag nonce + // Tag NONCE. + uint8_t response5[4]; + uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us) // TC(1) = 0x02: CID supported, NAD not supported ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]); - - // the randon nonce - nonce = bytes_to_num(response5, 4); // Prepare GET_VERSION (different for UL EV-1 / NTAG) - //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION. - //uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215 + // uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION. + // uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215 // Prepare CHK_TEARING - //uint8_t response9[] = {0xBD,0x90,0x3f}; + // uint8_t response9[] = {0xBD,0x90,0x3f}; #define TAG_RESPONSE_COUNT 10 tag_response_info_t responses[TAG_RESPONSE_COUNT] = { @@ -1001,8 +1004,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { { .response = response8, .response_n = sizeof(response8) } // EV1/NTAG PACK response }; - //{ .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response - //{ .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response + // { .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response + // { .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it @@ -1055,12 +1058,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) { DbpString("Button press"); break; - } - - // incease nonce at every command recieved - nonce++; - num_to_bytes(nonce, 4, response5); - + } p_response = NULL; // Okay, look at the command now. @@ -1081,7 +1079,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t block = receivedCmd[1]; // if Ultralight or NTAG (4 byte blocks) if ( tagType == 7 || tagType == 2 ) { - //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] + // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] uint16_t start = 4 * (block+12); uint8_t emdata[MAX_MIFARE_FRAME_SIZE]; emlGetMemBt( emdata, start, 16); @@ -1094,14 +1092,14 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { emlGetMemBt( emdata, block, 16); AppendCrc14443a(emdata, 16); EmSendCmdEx(emdata, sizeof(emdata), false); - //EmSendCmdEx(data+(4*receivedCmd[1]),16,false); + // EmSendCmdEx(data+(4*receivedCmd[1]),16,false); // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]); // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below p_response = NULL; } } else if(receivedCmd[0] == MIFARE_ULEV1_FASTREAD) { // Received a FAST READ (ranged read) uint8_t emdata[MAX_FRAME_SIZE]; - //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] + // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] int start = (receivedCmd[1]+12) * 4; int len = (receivedCmd[2] - receivedCmd[1] + 1) * 4; emlGetMemBt( emdata, start, len); @@ -1109,7 +1107,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { EmSendCmdEx(emdata, len+2, false); p_response = NULL; } else if(receivedCmd[0] == MIFARE_ULEV1_READSIG && tagType == 7) { // Received a READ SIGNATURE -- - //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] + // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] uint16_t start = 4 * 4; uint8_t emdata[34]; emlGetMemBt( emdata, start, 32); @@ -1136,7 +1134,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { EmSendCmdEx(ack,sizeof(ack),false); p_response = NULL; } else if(receivedCmd[0] == MIFARE_ULEV1_CHECKTEAR && tagType == 7) { // Received a CHECK_TEARING_EVENT -- - //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] + // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] uint8_t emdata[3]; uint8_t counter=0; if (receivedCmd[1]<3) counter = receivedCmd[1]; @@ -1155,6 +1153,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { EmSendCmdEx(emdata, sizeof(emdata), false); p_response = NULL; } else { + + // incease nonce at every command recieved. this is time consuming. + nonce = prand(); + num_to_bytes(nonce, 4, response5); + prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE); + cardAUTHSC = receivedCmd[1] / 4; // received block num cardAUTHKEY = receivedCmd[0] - 0x60; p_response = &responses[5]; order = 7; @@ -1170,63 +1174,67 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); uint32_t nr = bytes_to_num(receivedCmd,4); uint32_t ar = bytes_to_num(receivedCmd+4,4); - + // Collect AR/NR per keytype & sector if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) { + for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { - if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) { + + if ( ar_nr_collected[i+mM] == 0 || ( + (cardAUTHSC == ar_nr_resp[i+mM].sector) && + (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && + (ar_nr_collected[i+mM] > 0) + ) + ) { + // if first auth for sector, or matches sector and keytype of previous auth - if (ar_nr_collected[i+mM] < 2) { - // if we haven't already collected 2 nonces for this sector - if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) { - // Avoid duplicates... probably not necessary, ar should vary. - if (ar_nr_collected[i+mM]==0) { - // first nonce collect - ar_nr_resp[i+mM].cuid = cuid; - ar_nr_resp[i+mM].sector = cardAUTHSC; - ar_nr_resp[i+mM].keytype = cardAUTHKEY; - ar_nr_resp[i+mM].nonce = nonce; - ar_nr_resp[i+mM].nr = nr; - ar_nr_resp[i+mM].ar = ar; - nonce1_count++; - // add this nonce to first moebius nonce - ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid; - ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC; - ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY; - ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce; - ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr; - ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar; - ar_nr_collected[i+ATTACK_KEY_COUNT]++; - } else { // second nonce collect (std and moebius) - ar_nr_resp[i+mM].nonce2 = nonce; - ar_nr_resp[i+mM].nr2 = nr; - ar_nr_resp[i+mM].ar2 = ar; - if (!gettingMoebius) { - nonce2_count++; - // check if this was the last second nonce we need for std attack - if ( nonce2_count == nonce1_count ) { - // done collecting std test switch to moebius - // first finish incrementing last sample - ar_nr_collected[i+mM]++; - // switch to moebius collection - gettingMoebius = true; - mM = ATTACK_KEY_COUNT; - break; - } - } else { - moebius_n_count++; - // if we've collected all the nonces we need - finish. - if (nonce1_count == moebius_n_count) { - cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp)); - nonce1_count = 0; - nonce2_count = 0; - moebius_n_count = 0; - gettingMoebius = false; - } + if (ar_nr_collected[i+mM] > 1) continue; + + // if we haven't already collected 2 nonces for this sector + if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) { + // Avoid duplicates... probably not necessary, ar should vary. + if (ar_nr_collected[i+mM]==0) { + // first nonce collect + nonce1_count++; + // add this nonce to first moebius nonce + ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid; + ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC; + ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY; + ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce; + ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr; + ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar; + ar_nr_collected[i+ATTACK_KEY_COUNT]++; + } else { + // second nonce collect (std and moebius) + ar_nr_resp[i+mM].nonce2 = nonce; + ar_nr_resp[i+mM].nr2 = nr; + ar_nr_resp[i+mM].ar2 = ar; + + if (!gettingMoebius) { + nonce2_count++; + // check if this was the last second nonce we need for std attack + if ( nonce2_count == nonce1_count ) { + // done collecting std test switch to moebius + // first finish incrementing last sample + ar_nr_collected[i+mM]++; + // switch to moebius collection + gettingMoebius = true; + mM = ATTACK_KEY_COUNT; + break; + } + } else { + moebius_n_count++; + // if we've collected all the nonces we need - finish. + if (nonce1_count == moebius_n_count) { + cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp)); + nonce1_count = 0; + nonce2_count = 0; + moebius_n_count = 0; + gettingMoebius = false; } } - ar_nr_collected[i+mM]++; } + ar_nr_collected[i+mM]++; } // we found right spot for this nonce stop looking break; @@ -1237,7 +1245,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { } else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication } else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication if ( tagType == 7 ) { - uint16_t start = 13; //first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00] + uint16_t start = 13; // first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00] uint8_t emdata[4]; emlGetMemBt( emdata, start, 2); AppendCrc14443a(emdata, 2); @@ -1272,8 +1280,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { dynamic_response_info.response_n = 2; } break; - case 0xaa: - case 0xbb: { + case 0xAA: + case 0xBB: { dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11; dynamic_response_info.response_n = 2; } break; @@ -1306,7 +1314,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { dynamic_response_info.response[1] = receivedCmd[1]; // Add CRC bytes, always used in ISO 14443A-4 compliant cards - AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n); + AppendCrc14443a(dynamic_response_info.response, dynamic_response_info.response_n); dynamic_response_info.response_n += 2; if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) { @@ -1326,7 +1334,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { // comment this limit if you want to simulation longer if (!tracing) { - Dbprintf("Trace Full. Simulation stopped."); + DbpString("Trace Full. Simulation stopped."); break; } // comment this limit if you want to simulation longer @@ -1359,8 +1367,10 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { set_tracing(FALSE); BigBuf_free_keep_EM(); LED_A_OFF(); - - if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) { + + /* + if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) { + for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { if (ar_nr_collected[i] == 2) { Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i= 4){ Dbprintf("-[ Wake ups after halt [%d]", happened); Dbprintf("-[ Messages after halt [%d]", happened2); Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd); } + + cmd_send(CMD_ACK,1,0,0,0,0); } // prepare a delayed transfer. This simply shifts ToSend[] by a number @@ -1835,10 +1849,10 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) { // if anticollision is false, then the UID must be provided in uid_ptr[] // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID) int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) { - uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP - uint8_t sel_all[] = { 0x93,0x20 }; - uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; - uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0 + uint8_t wupa[] = { ISO14443A_CMD_WUPA }; // 0x26 - ISO14443A_CMD_REQA 0x52 - ISO14443A_CMD_WUPA + uint8_t sel_all[] = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x20 }; + uint8_t sel_uid[] = { ISO14443A_CMD_ANTICOLL_OR_SELECT,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; + uint8_t rats[] = { ISO14443A_CMD_RATS,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0 uint8_t resp[MAX_FRAME_SIZE] = {0}; // theoretically. A usual RATS will be much smaller uint8_t resp_par[MAX_PARITY_SIZE] = {0}; byte_t uid_resp[4] = {0}; @@ -1866,6 +1880,9 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u memset(uid_ptr,0,10); } + // reset the PCB block number + iso14_pcb_blocknum = 0; + // check for proprietary anticollision: if ((resp[0] & 0x1F) == 0) return 3; @@ -1977,41 +1994,37 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u p_hi14a_card->ats_len = len; } - // reset the PCB block number - iso14_pcb_blocknum = 0; - // set default timeout based on ATS iso14a_set_ATS_timeout(resp); - return 1; } void iso14443a_setup(uint8_t fpga_minor_mode) { + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Set up the synchronous serial port FpgaSetupSsc(); // connect Demodulated Signal to ADC: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode); - LED_D_OFF(); // Signal field is on with the appropriate LED if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) LED_D_ON(); - // Prepare the demodulation functions - DemodReset(); - UartReset(); - - iso14a_set_timeout(10*106); // 10ms default + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode); - //NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER; - NextTransferTime = DELAY_ARM2AIR_AS_READER << 1; + SpinDelay(20); // Start the timer StartCountSspClk(); + + // Prepare the demodulation functions + DemodReset(); + UartReset(); + NextTransferTime = 2 * DELAY_ARM2AIR_AS_READER; + iso14a_set_timeout(10*106); // 20ms default } int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) { @@ -2044,9 +2057,9 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) { return len; } + //----------------------------------------------------------------------------- // Read an ISO 14443a tag. Send out commands and store answers. -// //----------------------------------------------------------------------------- void ReaderIso14443a(UsbCommand *c) { iso14a_command_t param = c->arg[0]; @@ -2086,17 +2099,17 @@ void ReaderIso14443a(UsbCommand *c) { } if (param & ISO14A_RAW) { - if(param & ISO14A_APPEND_CRC) { - if(param & ISO14A_TOPAZMODE) { + if (param & ISO14A_APPEND_CRC) { + if (param & ISO14A_TOPAZMODE) AppendCrc14443b(cmd,len); - } else { + else AppendCrc14443a(cmd,len); - } + len += 2; if (lenbits) lenbits += 16; } - if(lenbits>0) { // want to send a specific number of bits (e.g. short commands) - if(param & ISO14A_TOPAZMODE) { + if (lenbits>0) { // want to send a specific number of bits (e.g. short commands) + if (param & ISO14A_TOPAZMODE) { int bits_to_send = lenbits; uint16_t i = 0; ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity @@ -2110,7 +2123,7 @@ void ReaderIso14443a(UsbCommand *c) { ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity } } else { // want to send complete bytes only - if(param & ISO14A_TOPAZMODE) { + if (param & ISO14A_TOPAZMODE) { uint16_t i = 0; ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy while (i < len) { @@ -2142,29 +2155,29 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) { if (nt1 == nt2) return 0; - uint16_t i; uint32_t nttmp1 = nt1; uint32_t nttmp2 = nt2; - for (i = 1; i < (32768/8); ++i) { + // 0xFFFF -- Half up and half down to find distance between nonces + for (uint16_t i = 1; i < 32768/8; i += 8) { nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -i; - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+1; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+1); nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+2; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+2); nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+3; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+3); nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+4; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+4); nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+5; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+5); nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+6; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+6); nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+7; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+7); - } + + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -i; + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+1); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+2); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+3); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+4); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+5); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+6); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+7); + } // either nt1 or nt2 are invalid nonces return(-99999); } @@ -2175,6 +2188,7 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) { // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime" // (article by Nicolas T. Courtois, 2009) //----------------------------------------------------------------------------- + void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { uint8_t mf_auth[] = { keytype, block, 0x00, 0x00 }; @@ -2215,16 +2229,17 @@ void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { BigBuf_free(); BigBuf_Clear_ext(false); clear_trace(); - set_tracing(TRUE); + set_tracing(FALSE); iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); sync_time = GetCountSspClk() & 0xfffffff8; - // iceman, i add 1130 because during my observations this makse the syncronization much fast to sync. - sync_cycles = PRNG_SEQUENCE_LENGTH + 1130; //65536; // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces). - + sync_cycles = PRNG_SEQUENCE_LENGTH; // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces). + nt_attacked = 0; + + if (MF_DBGLEVEL >= 4) Dbprintf("Mifare::Sync %u", sync_time); + if (first_try) { - mf_nr_ar3 = 0; - nt_attacked = 0; + mf_nr_ar3 = 0; par_low = 0; } else { // we were unsuccessful on a previous call. @@ -2293,8 +2308,6 @@ void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { // Transmit reader nonce with fake par ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL); - WDT_HIT(); - LED_B_ON(); // we didn't calibrate our clock yet, // iceman: has to be calibrated every time. if (previous_nt && !nt_attacked) { @@ -2336,7 +2349,7 @@ void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { } LED_B_OFF(); - if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again... + if ( (nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again... catch_up_cycles = ABS(dist_nt(nt_attacked, nt)); if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one. @@ -2426,6 +2439,7 @@ void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { set_tracing(FALSE); } + /** *MIFARE 1K simulate. * @@ -2439,6 +2453,10 @@ void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite */ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) { + + // init pseudorand + fast_prand( GetTickCount() ); + int cardSTATE = MFEMUL_NOFIELD; int _UID_LEN = 0; // 4, 7, 10 int vHf = 0; // in mV @@ -2456,7 +2474,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * struct Crypto1State mpcs = {0, 0}; struct Crypto1State *pcs; pcs = &mpcs; - uint32_t numReads = 0; //Counts numer of times reader read a block + uint32_t numReads = 0; // Counts numer of times reader read a block uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00}; uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00}; uint8_t response[MAX_MIFARE_FRAME_SIZE] = {0x00}; @@ -2466,26 +2484,35 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * uint8_t sak_4[] = {0x0C, 0x00, 0x00}; // CL1 - 4b uid uint8_t sak_7[] = {0x0C, 0x00, 0x00}; // CL2 - 7b uid uint8_t sak_10[] = {0x0C, 0x00, 0x00}; // CL3 - 10b uid - //uint8_t sak[] = {0x09, 0x3f, 0xcc }; // Mifare Mini + // uint8_t sak[] = {0x09, 0x3f, 0xcc }; // Mifare Mini uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; - uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01}; // very random nonce - //uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this? + // TAG Nonce - Authenticate response + uint8_t rAUTH_NT[4]; + uint32_t nonce = prand(); + num_to_bytes(nonce, 4, rAUTH_NT); + + // uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this? uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; - + // Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2 // This can be used in a reader-only attack. - uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0}; - uint8_t ar_nr_collected = 0; + nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius) + memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); - // Authenticate response - nonce - uint32_t nonce = bytes_to_num(rAUTH_NT, 4); - ar_nr_responses[1] = nonce; - - //-- Determine the UID + uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius) + memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected)); + uint8_t nonce1_count = 0; + uint8_t nonce2_count = 0; + uint8_t moebius_n_count = 0; + bool gettingMoebius = false; + uint8_t mM = 0; // moebius_modifier for collection storage + bool doBufResetNext = false; + + // -- Determine the UID // Can be set from emulator memory or incoming data // Length: 4,7,or 10 bytes if ( (flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL) @@ -2509,7 +2536,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * case 4: sak_4[0] &= 0xFB; // save CUID - ar_nr_responses[0] = cuid = bytes_to_num(rUIDBCC1, 4); + cuid = bytes_to_num(rUIDBCC1, 4); // BCC rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; if (MF_DBGLEVEL >= 2) { @@ -2525,7 +2552,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * atqa[0] |= 0x40; sak_7[0] &= 0xFB; // save CUID - ar_nr_responses[0] = cuid = bytes_to_num(rUIDBCC2, 4); + cuid = bytes_to_num(rUIDBCC2, 4); // CascadeTag, CT rUIDBCC1[0] = 0x88; // BCC @@ -2547,7 +2574,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * atqa[0] |= 0x80; sak_10[0] &= 0xFB; // save CUID - ar_nr_responses[0] = cuid = bytes_to_num(rUIDBCC3, 4); + cuid = bytes_to_num(rUIDBCC3, 4); // CascadeTag, CT rUIDBCC1[0] = 0x88; rUIDBCC2[0] = 0x88; @@ -2601,14 +2628,14 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } if (cardSTATE == MFEMUL_NOFIELD) continue; - //Now, get data + // Now, get data res = EmGetCmd(receivedCmd, &len, receivedCmd_par); if (res == 2) { //Field is off! cardSTATE = MFEMUL_NOFIELD; LEDsoff(); continue; } else if (res == 1) { - break; //return value 1 means button press + break; // return value 1 means button press } // REQ or WUP request in ANY state and WUP in HALTED state @@ -2620,7 +2647,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * crypto1_destroy(pcs); cardAUTHKEY = 0xff; LEDsoff(); - nonce++; + nonce = prand(); continue; } @@ -2725,21 +2752,102 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * uint32_t nr = bytes_to_num(receivedCmd, 4); uint32_t ar = bytes_to_num(&receivedCmd[4], 4); - //Collect AR/NR - //if(ar_nr_collected < 2 && cardAUTHSC == 2){ + if (doBufResetNext) { + // Reset, lets try again! + if (MF_DBGLEVEL >= 4) Dbprintf("Re-read after previous NR_AR_ATTACK, resetting buffer"); + memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); + memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected)); + mM = 0; + doBufResetNext = false; + } + + for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { + + if ( ar_nr_collected[i+mM] == 0 || ( + (cardAUTHSC == ar_nr_resp[i+mM].sector) && + (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && + (ar_nr_collected[i+mM] > 0) + ) + ) { + + // if first auth for sector, or matches sector and keytype of previous auth + if (ar_nr_collected[i+mM] < 2) { + // if we haven't already collected 2 nonces for this sector + if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) { + // Avoid duplicates... probably not necessary, ar should vary. + if (ar_nr_collected[i+mM]==0) { + // first nonce collect + ar_nr_resp[i+mM].cuid = cuid; + ar_nr_resp[i+mM].sector = cardAUTHSC; + ar_nr_resp[i+mM].keytype = cardAUTHKEY; + ar_nr_resp[i+mM].nonce = nonce; + ar_nr_resp[i+mM].nr = nr; + ar_nr_resp[i+mM].ar = ar; + nonce1_count++; + // add this nonce to first moebius nonce + ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid; + ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC; + ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY; + ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce; + ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr; + ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar; + ar_nr_collected[i+ATTACK_KEY_COUNT]++; + } else { // second nonce collect (std and moebius) + ar_nr_resp[i+mM].nonce2 = nonce; + ar_nr_resp[i+mM].nr2 = nr; + ar_nr_resp[i+mM].ar2 = ar; + if (!gettingMoebius) { + nonce2_count++; + // check if this was the last second nonce we need for std attack + if ( nonce2_count == nonce1_count ) { + // done collecting std test switch to moebius + // first finish incrementing last sample + ar_nr_collected[i+mM]++; + // switch to moebius collection + gettingMoebius = true; + mM = ATTACK_KEY_COUNT; + break; + } + } else { + moebius_n_count++; + // if we've collected all the nonces we need - finish. + + if (nonce1_count == moebius_n_count) { + cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_resp, sizeof(ar_nr_resp)); + nonce1_count = 0; + nonce2_count = 0; + moebius_n_count = 0; + gettingMoebius = false; + doBufResetNext = true; + finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)); + } + } + } + ar_nr_collected[i+mM]++; + } + } + // we found right spot for this nonce stop looking + break; + } + } + + + /* + // Collect AR/NR + // if(ar_nr_collected < 2 && cardAUTHSC == 2){ if(ar_nr_collected < 2) { - //if(ar_nr_responses[2] != nr) { + // if(ar_nr_responses[2] != nr) { ar_nr_responses[ar_nr_collected*4] = cuid; ar_nr_responses[ar_nr_collected*4+1] = nonce; ar_nr_responses[ar_nr_collected*4+2] = nr; ar_nr_responses[ar_nr_collected*4+3] = ar; ar_nr_collected++; - //} + // } // Interactive mode flag, means we need to send ACK finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)&& ar_nr_collected == 2); } - /* + crypto1_word(pcs, ar , 1); cardRr = nr ^ crypto1_word(pcs, 0, 0); @@ -2795,7 +2903,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * if (!encrypted_data) { // first authentication - crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state + crypto1_word(pcs, cuid ^ nonce, 0);// Update crypto state num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); @@ -2974,40 +3082,48 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // Interactive mode flag, means we need to send ACK - if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE) { - //May just aswell send the collected ar_nr in the response aswell + /* + if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE && flags & FLAG_NR_AR_ATTACK == FLAG_NR_AR_ATTACK) { + // May just aswell send the collected ar_nr in the response aswell uint8_t len = ar_nr_collected * 4 * 4; cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len); } - + */ + if( ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) && MF_DBGLEVEL >= 1 ) { - if(ar_nr_collected > 1 ) { - Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:"); - Dbprintf("../tools/mfkey/mfkey32v2.exe %08x %08x %08x %08x %08x %08x %08x", - ar_nr_responses[0], // CUID - ar_nr_responses[1], // NT1 - ar_nr_responses[2], // NR1 - ar_nr_responses[3], // AR1 - //ar_nr_responses[4], // CUID2 - ar_nr_responses[5], // NT2 - ar_nr_responses[6], // NR2 - ar_nr_responses[7] // AR2 - ); - } else { - Dbprintf("Failed to obtain two AR/NR pairs!"); - if(ar_nr_collected == 1 ) { - Dbprintf("Only got these: UID=%08x, nonce=%08x, NR1=%08x, AR1=%08x", - ar_nr_responses[0], // CUID - ar_nr_responses[1], // NT - ar_nr_responses[2], // NR1 - ar_nr_responses[3] // AR1 - ); + for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { + if (ar_nr_collected[i] == 2) { + Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen()); + } - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + if (MF_DBGLEVEL >= 1) + Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen()); + + cmd_send(CMD_ACK,1,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); set_tracing(FALSE); }