X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/94422fa23f2a9fe21d9d13286bde0e4e06a74c4f..53831b8818e4c62e95a59e6baf3b25e739c41971:/armsrc/iso14443a.c?ds=sidebyside diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index ad2bf658..8e1b7b7d 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1,4 +1,4 @@ -//----------------------------------------------------------------------------- + //----------------------------------------------------------------------------- // Merlok - June 2011, 2012 // Gerhard de Koning Gans - May 2008 // Hagen Fritsch - June 2010 @@ -20,6 +20,8 @@ #include "crapto1.h" #include "mifareutil.h" #include "BigBuf.h" +#include "parity.h" + static uint32_t iso14a_timeout; int rsamples = 0; uint8_t trigger = 0; @@ -121,26 +123,6 @@ static uint32_t LastProxToAirDuration; #define SEC_Y 0x00 #define SEC_Z 0xc0 -const uint8_t OddByteParity[256] = { - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, - 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1 -}; - - void iso14a_set_trigger(bool enable) { trigger = enable; } @@ -178,11 +160,6 @@ void iso14a_set_ATS_timeout(uint8_t *ats) { // Generate the parity value for a byte sequence // //----------------------------------------------------------------------------- -byte_t oddparity (const byte_t bt) -{ - return OddByteParity[bt]; -} - void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par) { uint16_t paritybit_cnt = 0; @@ -191,7 +168,7 @@ void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par) for (uint16_t i = 0; i < iLen; i++) { // Generate the parity bits - parityBits |= ((OddByteParity[pbtCmd[i]]) << (7-paritybit_cnt)); + parityBits |= ((oddparity8(pbtCmd[i])) << (7-paritybit_cnt)); if (paritybit_cnt == 7) { par[paritybyte_cnt] = parityBits; // save 8 Bits parity parityBits = 0; // and advance to next Parity Byte @@ -939,6 +916,7 @@ bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) { //----------------------------------------------------------------------------- void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { + uint32_t counters[] = {0,0,0}; //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2 // This can be used in a reader-only attack. // (it can also be retrieved via 'hf 14a list', but hey... @@ -999,6 +977,15 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) response8[0] = 0x80; response8[1] = 0x80; ComputeCrc14443(CRC_14443_A, response8, 2, &response8[2], &response8[3]); + // uid not supplied then get from emulator memory + if (data[0]==0) { + uint16_t start = 4 * (0+12); + uint8_t emdata[8]; + emlGetMemBt( emdata, start, sizeof(emdata)); + memcpy(data, emdata, 3); //uid bytes 0-2 + memcpy(data+3, emdata+4, 4); //uid bytes 3-7 + flags |= FLAG_7B_UID_IN_DATA; + } } break; default: { Dbprintf("Error: unkown tagtype (%d)",tagType); @@ -1056,12 +1043,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) // TC(1) = 0x02: CID supported, NAD not supported ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]); - // Prepare GET_VERSION (different for EV-1 / NTAG) + // Prepare GET_VERSION (different for UL EV-1 / NTAG) //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION. - uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215 + //uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215 // Prepare CHK_TEARING - uint8_t response9[] = {0xBD,0x90,0x3f}; + //uint8_t response9[] = {0xBD,0x90,0x3f}; #define TAG_RESPONSE_COUNT 10 tag_response_info_t responses[TAG_RESPONSE_COUNT] = { @@ -1072,9 +1059,9 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce) { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS - { .response = response7_NTAG, .response_n = sizeof(response7_NTAG) }, // EV1/NTAG GET_VERSION response - { .response = response8, .response_n = sizeof(response8) }, // EV1/NTAG PACK response - { .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response + //{ .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response + { .response = response8, .response_n = sizeof(response8) } // EV1/NTAG PACK response + //{ .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response }; // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it @@ -1106,9 +1093,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) // Prepare the responses of the anticollision phase // there will be not enough time to do this at the moment the reader sends it REQA - for (size_t i=0; i 0) { + num_to_bytes(counters[index], 3, data); + AppendCrc14443a(data, sizeof(data)-2); + } + EmSendCmdEx(data,sizeof(data),false); + p_response = NULL; + } else if (receivedCmd[0] == 0xA5 && tagType == 7) { // Received a INC COUNTER -- // number of counter - //uint8_t counter = receivedCmd[1]; - //uint32_t val = bytes_to_num(receivedCmd+2,4); - + uint8_t counter = receivedCmd[1]; + uint32_t val = bytes_to_num(receivedCmd+2,4); + counters[counter] = val; + // send ACK uint8_t ack[] = {0x0a}; EmSendCmdEx(ack,sizeof(ack),false); p_response = NULL; } else if(receivedCmd[0] == 0x3E && tagType == 7) { // Received a CHECK_TEARING_EVENT -- - p_response = &responses[9]; + //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] + uint8_t emdata[3]; + uint8_t counter=0; + if (receivedCmd[1]<3) counter = receivedCmd[1]; + emlGetMemBt( emdata, 10+counter, 1); + AppendCrc14443a(emdata, sizeof(emdata)-2); + EmSendCmdEx(emdata, sizeof(emdata), false); + p_response = NULL; + //p_response = &responses[9]; + } else if(receivedCmd[0] == 0x50) { // Received a HALT if (tracing) { @@ -1227,7 +1219,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request if ( tagType == 7 ) { // IF NTAG /EV1 0x60 == GET_VERSION, not a authentication request. - p_response = &responses[7]; + uint8_t emdata[10]; + emlGetMemBt( emdata, 0, 8 ); + AppendCrc14443a(emdata, sizeof(emdata)-2); + EmSendCmdEx(emdata, sizeof(emdata), false); + p_response = NULL; + //p_response = &responses[7]; } else { p_response = &responses[5]; order = 7; } @@ -1298,13 +1295,18 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication { if ( tagType == 7 ) { - p_response = &responses[8]; // PACK response + uint16_t start = 13; //first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00] + uint8_t emdata[4]; + emlGetMemBt( emdata, start, 2); + AppendCrc14443a(emdata, 2); + EmSendCmdEx(emdata, sizeof(emdata), false); + p_response = NULL; + //p_response = &responses[8]; // PACK response uint32_t pwd = bytes_to_num(receivedCmd+1,4); if ( MF_DBGLEVEL >= 3) Dbprintf("Auth attempt: %08x", pwd); } - } - else { + } else { // Check for ISO 14443A-4 compliant commands, look at left nibble switch (receivedCmd[0]) { case 0x02: @@ -1889,10 +1891,12 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) return Demod.len; } -/* performs iso14443a anticollision procedure - * fills the uid pointer unless NULL - * fills resp_data unless NULL */ -int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr) { +// performs iso14443a anticollision (optional) and card select procedure +// fills the uid and cuid pointer unless NULL +// fills the card info record unless NULL +// if anticollision is false, then the UID must be provided in uid_ptr[] +// and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID) +int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) { uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP uint8_t sel_all[] = { 0x93,0x20 }; uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; @@ -1907,7 +1911,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u int len; // Broadcast for a card, WUPA (0x52) will force response from all cards in the field - ReaderTransmitBitsPar(wupa,7,0, NULL); + ReaderTransmitBitsPar(wupa, 7, NULL, NULL); // Receive the ATQA if(!ReaderReceive(resp, resp_par)) return 0; @@ -1918,10 +1922,12 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u memset(p_hi14a_card->uid,0,10); } + if (anticollision) { // clear uid if (uid_ptr) { memset(uid_ptr,0,10); } + } // check for proprietary anticollision: if ((resp[0] & 0x1F) == 0) { @@ -1935,6 +1941,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97) sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2; + if (anticollision) { // SELECT_ALL ReaderTransmit(sel_all, sizeof(sel_all), NULL); if (!ReaderReceive(resp, resp_par)) return 0; @@ -1970,6 +1977,14 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u } else { // no collision, use the response to SELECT_ALL as current uid memcpy(uid_resp, resp, 4); } + } else { + if (cascade_level < num_cascades - 1) { + uid_resp[0] = 0x88; + memcpy(uid_resp+1, uid_ptr+cascade_level*3, 3); + } else { + memcpy(uid_resp, uid_ptr+cascade_level*3, 4); + } + } uid_resp_len = 4; // calculate crypto UID. Always use last 4 Bytes. @@ -1979,7 +1994,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u // Construct SELECT UID command sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC) - memcpy(sel_uid+2, uid_resp, 4); // the UID + memcpy(sel_uid+2, uid_resp, 4); // the UID received during anticollision, or the provided UID sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC AppendCrc14443a(sel_uid, 7); // calculate and add CRC ReaderTransmit(sel_uid, sizeof(sel_uid), NULL); @@ -1995,11 +2010,10 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u uid_resp[0] = uid_resp[1]; uid_resp[1] = uid_resp[2]; uid_resp[2] = uid_resp[3]; - uid_resp_len = 3; } - if(uid_ptr) { + if(uid_ptr && anticollision) { memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len); } @@ -2120,7 +2134,7 @@ void ReaderIso14443a(UsbCommand *c) iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); if(!(param & ISO14A_NO_SELECT)) { iso14a_card_select_t *card = (iso14a_card_select_t*)buf; - arg0 = iso14443a_select_card(NULL,card,NULL); + arg0 = iso14443a_select_card(NULL,card,NULL, true, 0); cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t)); } } @@ -2224,16 +2238,14 @@ void ReaderMifare(bool first_try) uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; static uint8_t mf_nr_ar3; - uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE]; - uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE]; + uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00}; + uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00}; - if (first_try) { + if (first_try) iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); - } // free eventually allocated BigBuf memory. We want all for tracing. BigBuf_free(); - clear_trace(); set_tracing(TRUE); @@ -2241,7 +2253,7 @@ void ReaderMifare(bool first_try) uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough static byte_t par_low = 0; bool led_on = TRUE; - uint8_t uid[10] ={0}; + uint8_t uid[10] = {0}; uint32_t cuid; uint32_t nt = 0; @@ -2250,7 +2262,7 @@ void ReaderMifare(bool first_try) byte_t par_list[8] = {0x00}; byte_t ks_list[8] = {0x00}; - #define PRNG_SEQUENCE_LENGTH (1 << 16); + #define PRNG_SEQUENCE_LENGTH (1 << 16); static uint32_t sync_time = 0; static int32_t sync_cycles = 0; int catch_up_cycles = 0; @@ -2290,7 +2302,7 @@ void ReaderMifare(bool first_try) uint32_t select_time; uint32_t halt_time; - for(uint16_t i = 0; TRUE; i++) { + for(uint16_t i = 0; TRUE; ++i) { LED_C_ON(); WDT_HIT(); @@ -2318,7 +2330,7 @@ void ReaderMifare(bool first_try) SpinDelay(100); } - if(!iso14443a_select_card(uid, NULL, &cuid)) { + if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) { if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card"); continue; } @@ -2440,9 +2452,8 @@ void ReaderMifare(bool first_try) if (ReaderReceive(receivedAnswer, receivedAnswerPar)) { catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer - if (nt_diff == 0) { + if (nt_diff == 0) par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change - } led_on = !led_on; if(led_on) LED_B_ON(); else LED_B_OFF(); @@ -2460,8 +2471,7 @@ void ReaderMifare(bool first_try) mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5); par[0] = par_low; } else { - if (nt_diff == 0 && first_try) - { + if (nt_diff == 0 && first_try) { par[0]++; if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK. isOK = -2; @@ -2486,7 +2496,7 @@ void ReaderMifare(bool first_try) } } - byte_t buf[28]; + byte_t buf[28] = {0x00}; memcpy(buf + 0, uid, 4); num_to_bytes(nt, 4, buf + 4); memcpy(buf + 8, par_list, 8); @@ -2546,10 +2556,11 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * //uint8_t rSAK[] = {0x09, 0x3f, 0xcc }; // Mifare Mini uint8_t rSAK1[] = {0x04, 0xda, 0x17}; - uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01}; + //uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01}; + uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92}; uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; - //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2 + //Here, we collect UID1,UID2,NT,AR,NR,0,0,NT2,AR2,NR2 // This can be used in a reader-only attack. // (it can also be retrieved via 'hf 14a list', but hey... uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0}; @@ -2624,7 +2635,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * bool finished = FALSE; - while (!BUTTON_PRESS() && !finished) { + while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) { WDT_HIT(); // find reader field @@ -2697,8 +2708,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * break; } case MFEMUL_AUTH1:{ - if( len != 8) - { + if( len != 8) { cardSTATE_TO_IDLE(); LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); break; @@ -2709,9 +2719,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * //Collect AR/NR //if(ar_nr_collected < 2 && cardAUTHSC == 2){ - if(ar_nr_collected < 2){ - if(ar_nr_responses[2] != ar) - {// Avoid duplicates... probably not necessary, ar should vary. + if(ar_nr_collected < 2) { + if(ar_nr_responses[2] != ar) { + // Avoid duplicates... probably not necessary, ar should vary. //ar_nr_responses[ar_nr_collected*5] = 0; //ar_nr_responses[ar_nr_collected*5+1] = 0; ar_nr_responses[ar_nr_collected*5+2] = nonce; @@ -2721,9 +2731,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // Interactive mode flag, means we need to send ACK if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2) - { finished = true; - } } // --- crypto @@ -2752,9 +2760,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); LED_C_ON(); cardSTATE = MFEMUL_WORK; - if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", - cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B', - GetTickCount() - authTimer); + if (MF_DBGLEVEL >= 4) { + Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", + cardAUTHSC, + cardAUTHKEY == 0 ? 'A' : 'B', + GetTickCount() - authTimer + ); + } break; } case MFEMUL_SELECT2:{ @@ -2769,7 +2781,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * // select 2 card if (len == 9 && - (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) { + (receivedCmd[0] == 0x95 && + receivedCmd[1] == 0x70 && + memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0) ) { EmSendCmd(rSAK, sizeof(rSAK)); cuid = bytes_to_num(rUIDBCC2, 4); cardSTATE = MFEMUL_WORK; @@ -2796,10 +2810,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * bool encrypted_data = (cardAUTHKEY != 0xFF) ; - if(encrypted_data) { - // decrypt seqence + // decrypt seqence + if(encrypted_data) mf_crypto1_decrypt(pcs, receivedCmd, len); - } if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) { authTimer = GetTickCount(); @@ -2863,9 +2876,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // read block if (receivedCmd[0] == 0x30) { - if (MF_DBGLEVEL >= 4) { - Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]); - } + if (MF_DBGLEVEL >= 4) Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]); + emlGetMem(response, receivedCmd[1], 1); AppendCrc14443a(response, 16); mf_crypto1_encrypt(pcs, response, 18, response_par); @@ -2932,7 +2944,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * break; } case MFEMUL_WRITEBL2:{ - if (len == 18){ + if (len == 18) { mf_crypto1_decrypt(pcs, receivedCmd, len); emlSetMem(receivedCmd, cardWRBL, 1); EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); @@ -3021,7 +3033,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } else { Dbprintf("Failed to obtain two AR/NR pairs!"); if(ar_nr_collected > 0 ) { - Dbprintf("Only got these: UID=%07x%08x, nonce=%08x, AR1=%08x, NR1=%08x", + Dbprintf("Only got these: UID=%06x%08x, nonce=%08x, AR1=%08x, NR1=%08x", ar_nr_responses[0], // UID1 ar_nr_responses[1], // UID2 ar_nr_responses[2], // NT @@ -3055,11 +3067,11 @@ void RAMFUNC SniffMifare(uint8_t param) { // The command (reader -> tag) that we're receiving. // The length of a received command will in most cases be no more than 18 bytes. // So 32 should be enough! - uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE]; - uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE]; + uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00}; + uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00}; // The response (tag -> reader) that we're receiving. - uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE]; - uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE]; + uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE] = {0x00}; + uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE] = {0x00}; iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER); @@ -3115,11 +3127,12 @@ void RAMFUNC SniffMifare(uint8_t param) { int register readBufDataP = data - dmaBuf; // number of bytes we have processed so far int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred - if (readBufDataP <= dmaBufDataP){ // we are processing the same block of data which is currently being transferred + + if (readBufDataP <= dmaBufDataP) // we are processing the same block of data which is currently being transferred dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed - } else { + else dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed - } + // test for length of buffer if(dataLen > maxDataLen) { // we are more behind than ever... maxDataLen = dataLen; @@ -3146,14 +3159,16 @@ void RAMFUNC SniffMifare(uint8_t param) { if (sniffCounter & 0x01) { - if(!TagIsActive) { // no need to try decoding tag data if the reader is sending + // no need to try decoding tag data if the reader is sending + if(!TagIsActive) { uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4); if(MillerDecoding(readerdata, (sniffCounter-1)*4)) { LED_C_INV(); + if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break; /* And ready to receive another command. */ - UartReset(); + UartInit(receivedCmd, receivedCmdPar); /* And also reset the demod code */ DemodReset(); @@ -3161,7 +3176,8 @@ void RAMFUNC SniffMifare(uint8_t param) { ReaderIsActive = (Uart.state != STATE_UNSYNCD); } - if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending + // no need to try decoding tag data if the reader is sending + if(!ReaderIsActive) { uint8_t tagdata = (previous_data << 4) | (*data & 0x0F); if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) { LED_C_INV(); @@ -3170,10 +3186,9 @@ void RAMFUNC SniffMifare(uint8_t param) { // And ready to receive another response. DemodReset(); - + // And reset the Miller decoder including its (now outdated) input buffer UartInit(receivedCmd, receivedCmdPar); - // why not UartReset? } TagIsActive = (Demod.state != DEMOD_UNSYNCD); } @@ -3182,9 +3197,9 @@ void RAMFUNC SniffMifare(uint8_t param) { previous_data = *data; sniffCounter++; data++; - if(data == dmaBuf + DMA_BUFFER_SIZE) { + + if(data == dmaBuf + DMA_BUFFER_SIZE) data = dmaBuf; - } } // main cycle