X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/8556b852ed769280d1b63054ab1bd08fa19b746a..4df3eb3f739af80b6fdc8f737fc906d254ebd0b5:/armsrc/mifarecmd.c diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c index fca4f69b..a0e0b01f 100644 --- a/armsrc/mifarecmd.c +++ b/armsrc/mifarecmd.c @@ -1,5 +1,5 @@ //----------------------------------------------------------------------------- -// Merlok - June 2011 +// Merlok - June 2011, 2012 // Gerhard de Koning Gans - May 2008 // Hagen Fritsch - June 2010 // @@ -35,7 +35,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) pcs = &mpcs; // clear trace - iso14a_clear_tracelen(); + iso14a_clear_trace(); // iso14a_set_tracing(false); iso14443a_setup(); @@ -78,11 +78,12 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) memset(uid, 0x44, 4); LogTrace(uid, 4, 0, 0, TRUE); - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - memcpy(ack.d.asBytes, dataoutbuf, 16); +// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; +// memcpy(ack.d.asBytes, dataoutbuf, 16); LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); LED_B_OFF(); @@ -115,7 +116,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) pcs = &mpcs; // clear trace - iso14a_clear_tracelen(); + iso14a_clear_trace(); // iso14a_set_tracing(false); iso14443a_setup(); @@ -170,17 +171,18 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) memset(uid, 0x44, 4); LogTrace(uid, 4, 0, 0, TRUE); - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - memcpy(ack.d.asBytes, dataoutbuf, 16 * 2); +// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; +// memcpy(ack.d.asBytes, dataoutbuf, 16 * 2); LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - - SpinDelay(100); + cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,32); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); +// SpinDelay(100); - memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); +// memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,isOK,0,0,dataoutbuf+32, 32); + LED_B_OFF(); // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); @@ -213,7 +215,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) pcs = &mpcs; // clear trace - iso14a_clear_tracelen(); + iso14a_clear_trace(); // iso14a_set_tracing(false); iso14443a_setup(); @@ -256,11 +258,12 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) memset(uid, 0x44, 4); LogTrace(uid, 4, 0, 0, TRUE); - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; +// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); + cmd_send(CMD_ACK,isOK,0,0,0,0); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + LED_B_OFF(); // Thats it... @@ -298,10 +301,9 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) uint8_t uid[8]; uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1; uint8_t par_array[4]; - nestedVector nvector[NES_MAX_INFO + 1][10]; + nestedVector nvector[NES_MAX_INFO + 1][11]; int nvectorcount[NES_MAX_INFO + 1]; int ncount = 0; - UsbCommand ack = {CMD_ACK, {0, 0, 0}}; struct Crypto1State mpcs = {0, 0}; struct Crypto1State *pcs; pcs = &mpcs; @@ -311,7 +313,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) for (i = 0; i < NES_MAX_INFO + 1; i++) nvectorcount[i] = 11; // 11 - empty block; // clear trace - iso14a_clear_tracelen(); + iso14a_clear_trace(); iso14a_set_tracing(false); iso14443a_setup(); @@ -417,8 +419,9 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) } ncount = 0; - for (m = dmin - NS_TOLERANCE; m < dmax + NS_TOLERANCE; m++) { - nttest = prng_successor(nt1, m); + nttest = prng_successor(nt1, dmin - NS_TOLERANCE); + for (m = dmin - NS_TOLERANCE + 1; m < dmax + NS_TOLERANCE; m++) { + nttest = prng_successor(nttest, 1); ks1 = nt2 ^ nttest; if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)){ @@ -467,6 +470,8 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) memset(uid, 0x44, 4); LogTrace(uid, 4, 0, 0, TRUE); +// UsbCommand ack = {CMD_ACK, {0, 0, 0}}; + for (i = 0; i < NES_MAX_INFO; i++) { if (nvectorcount[i] > 10) continue; @@ -474,34 +479,38 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) ncount = nvectorcount[i] - j; if (ncount > 5) ncount = 5; - ack.arg[0] = 0; // isEOF = 0 - ack.arg[1] = ncount; - ack.arg[2] = targetBlockNo + (targetKeyType * 0x100); - memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes)); +// ack.arg[0] = 0; // isEOF = 0 +// ack.arg[1] = ncount; +// ack.arg[2] = targetBlockNo + (targetKeyType * 0x100); +// memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes)); - memcpy(ack.d.asBytes, &cuid, 4); + byte_t buf[48]; + memset(buf, 0x00, sizeof(buf)); + memcpy(buf, &cuid, 4); for (m = 0; m < ncount; m++) { - memcpy(ack.d.asBytes + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4); - memcpy(ack.d.asBytes + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4); + memcpy(buf + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4); + memcpy(buf + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4); } LED_B_ON(); - SpinDelay(100); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); +// SpinDelay(100); + cmd_send(CMD_ACK,0,ncount,targetBlockNo + (targetKeyType * 0x100),buf,48); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + LED_B_OFF(); } } // finalize list - ack.arg[0] = 1; // isEOF = 1 - ack.arg[1] = 0; - ack.arg[2] = 0; - memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes)); +// ack.arg[0] = 1; // isEOF = 1 +// ack.arg[1] = 0; +// ack.arg[2] = 0; +// memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes)); LED_B_ON(); - SpinDelay(300); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); - LED_B_OFF(); +// SpinDelay(300); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,1,0,0,0,0); + LED_B_OFF(); if (MF_DBGLEVEL >= 4) DbpString("NESTED FINISHED"); @@ -538,7 +547,7 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) MF_DBGLEVEL = MF_DBG_NONE; // clear trace - iso14a_clear_tracelen(); + iso14a_clear_trace(); iso14a_set_tracing(TRUE); iso14443a_setup(); @@ -574,11 +583,12 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) memset(uid, 0x44, 4); LogTrace(uid, 4, 0, 0, TRUE); - UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; - if (isOK) memcpy(ack.d.asBytes, datain + i * 6, 6); +// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; +// if (isOK) memcpy(ack.d.asBytes, datain + i * 6, 6); LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); LED_B_OFF(); // Thats it... @@ -611,12 +621,14 @@ void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) } void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ - UsbCommand ack = {CMD_ACK, {arg0, arg1, 0}}; +// UsbCommand ack = {CMD_ACK, {arg0, arg1, 0}}; - emlGetMem(ack.d.asBytes, arg0, arg1); // data, block num, blocks count + byte_t buf[48]; + emlGetMem(buf, arg0, arg1); // data, block num, blocks count LED_B_ON(); - UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + cmd_send(CMD_ACK,arg0,arg1,0,buf,48); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); LED_B_OFF(); } @@ -636,10 +648,11 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai // variables byte_t dataoutbuf[16]; + byte_t dataoutbuf2[16]; uint8_t uid[8]; // clear trace - iso14a_clear_tracelen(); + iso14a_clear_trace(); iso14a_set_tracing(false); iso14443a_setup(); @@ -687,6 +700,15 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai break; }; emlSetMem(dataoutbuf, sectorNo * 4 + 2, 1); + + // get block 3 bytes 6-9 + if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error"); + break; + }; + emlGetMem(dataoutbuf2, sectorNo * 4 + 3, 1); + memcpy(&dataoutbuf2[6], &dataoutbuf[6], 4); + emlSetMem(dataoutbuf2, sectorNo * 4 + 3, 1); } if(mifare_classic_halt(pcs, cuid)) { @@ -699,14 +721,15 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai // ----------------------------- crypto1 destroy crypto1_destroy(pcs); + + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); if (MF_DBGLEVEL >= 2) DbpString("EMUL FILL SECTORS FINISHED"); // add trace trailer memset(uid, 0x44, 4); LogTrace(uid, 4, 0, 0, TRUE); - - Dbprintf("Loaded."); } //----------------------------------------------------------------------------- @@ -714,3 +737,245 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai // //----------------------------------------------------------------------------- + +//----------------------------------------------------------------------------- +// Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn) +// +//----------------------------------------------------------------------------- +void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ + + // params + uint8_t needWipe = arg0; + // bit 0 - need get UID + // bit 1 - need wupC + // bit 2 - need HALT after sequence + // bit 3 - need init FPGA and field before sequence + // bit 4 - need reset FPGA and LED + uint8_t workFlags = arg1; + uint8_t blockNo = arg2; + + // card commands + uint8_t wupC1[] = { 0x40 }; + uint8_t wupC2[] = { 0x43 }; + uint8_t wipeC[] = { 0x41 }; + + // variables + byte_t isOK = 0; + uint8_t uid[8]; + uint8_t d_block[18]; + uint32_t cuid; + + memset(uid, 0x00, 8); + uint8_t* receivedAnswer = mifare_get_bigbufptr(); + + if (workFlags & 0x08) { + // clear trace + iso14a_clear_trace(); + iso14a_set_tracing(TRUE); + + iso14443a_setup(); + + LED_A_ON(); + LED_B_OFF(); + LED_C_OFF(); + + SpinDelay(300); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + SpinDelay(100); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); + } + + while (true) { + // get UID from chip + if (workFlags & 0x01) { + if(!iso14443a_select_card(uid, NULL, &cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); + break; + }; + + if(mifare_classic_halt(NULL, cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); + break; + }; + }; + + // reset chip + if (needWipe){ + ReaderTransmitBitsPar(wupC1,7,0); + if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error"); + break; + }; + + ReaderTransmit(wipeC, sizeof(wipeC)); + if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wipeC error"); + break; + }; + + if(mifare_classic_halt(NULL, cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); + break; + }; + }; + + // write block + if (workFlags & 0x02) { + ReaderTransmitBitsPar(wupC1,7,0); + if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error"); + break; + }; + + ReaderTransmit(wupC2, sizeof(wupC2)); + if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error"); + break; + }; + } + + if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error"); + break; + }; + + memcpy(d_block, datain, 16); + AppendCrc14443a(d_block, 16); + + ReaderTransmit(d_block, sizeof(d_block)); + if ((ReaderReceive(receivedAnswer) != 1) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("write block send data error"); + break; + }; + + if (workFlags & 0x04) { + if (mifare_classic_halt(NULL, cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); + break; + }; + } + + isOK = 1; + break; + } + +// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; +// if (isOK) memcpy(ack.d.asBytes, uid, 4); + + // add trace trailer + /** + * Removed by Martin, the uid is overwritten with 0x44, + * which can 't be intended. + * + * memset(uid, 0x44, 4); + * LogTrace(uid, 4, 0, 0, TRUE); + **/ + + + LED_B_ON(); + cmd_send(CMD_ACK,isOK,0,0,uid,4); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + LED_B_OFF(); + + if ((workFlags & 0x10) || (!isOK)) { + // Thats it... + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); + } +} + +void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ + + // params + // bit 1 - need wupC + // bit 2 - need HALT after sequence + // bit 3 - need init FPGA and field before sequence + // bit 4 - need reset FPGA and LED + uint8_t workFlags = arg0; + uint8_t blockNo = arg2; + + // card commands + uint8_t wupC1[] = { 0x40 }; + uint8_t wupC2[] = { 0x43 }; + + // variables + byte_t isOK = 0; + uint8_t data[18]; + uint32_t cuid = 0; + + memset(data, 0x00, 18); + uint8_t* receivedAnswer = mifare_get_bigbufptr(); + + if (workFlags & 0x08) { + // clear trace + iso14a_clear_trace(); + iso14a_set_tracing(TRUE); + + iso14443a_setup(); + + LED_A_ON(); + LED_B_OFF(); + LED_C_OFF(); + + SpinDelay(300); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + SpinDelay(100); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); + } + + while (true) { + if (workFlags & 0x02) { + ReaderTransmitBitsPar(wupC1,7,0); + if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC1 error"); + break; + }; + + ReaderTransmit(wupC2, sizeof(wupC2)); + if(!ReaderReceive(receivedAnswer) || (receivedAnswer[0] != 0x0a)) { + if (MF_DBGLEVEL >= 1) Dbprintf("wupC2 error"); + break; + }; + } + + // read block + if ((mifare_sendcmd_short(NULL, 0, 0x30, blockNo, receivedAnswer) != 18)) { + if (MF_DBGLEVEL >= 1) Dbprintf("read block send command error"); + break; + }; + memcpy(data, receivedAnswer, 18); + + if (workFlags & 0x04) { + if (mifare_classic_halt(NULL, cuid)) { + if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); + break; + }; + } + + isOK = 1; + break; + } + +// UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; +// if (isOK) memcpy(ack.d.asBytes, data, 18); + + // add trace trailer + /* + * Removed by Martin, this piece of overwrites the 'data' variable + * which is sent two lines down, and is obviously not correct. + * + * memset(data, 0x44, 4); + * LogTrace(data, 4, 0, 0, TRUE); + */ + LED_B_ON(); + cmd_send(CMD_ACK,isOK,0,0,data,18); +// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); + LED_B_OFF(); + + if ((workFlags & 0x10) || (!isOK)) { + // Thats it... + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); + } +} +