X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/aa53efc340d9f2dc382e4bb98d49bede5a18e920..refs/pull/347/head:/armsrc/iclass.c?ds=sidebyside

diff --git a/armsrc/iclass.c b/armsrc/iclass.c
index a27fb970..f69d0be2 100644
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@ -1447,7 +1447,7 @@ static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int
     }
     WDT_HIT();
   }
-  if (samples) *samples = (c + *wait) << 3;
+  if (samples && wait) *samples = (c + *wait) << 3;
 }
 
 
@@ -1473,7 +1473,7 @@ void CodeIClassCommand(const uint8_t * cmd, int len)
     for(j = 0; j < 4; j++) {
       for(k = 0; k < 4; k++) {
 			if(k == (b & 3)) {
-				ToSend[++ToSendMax] = 0x0f;
+				ToSend[++ToSendMax] = 0xf0;
 			}
 			else {
 				ToSend[++ToSendMax] = 0x00;
@@ -1580,8 +1580,8 @@ void setupIclassReader()
 {
     FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
     // Reset trace buffer
-	set_tracing(TRUE);
-	clear_trace();
+	  set_tracing(TRUE);
+	  clear_trace();
 
     // Setup SSC
     FpgaSetupSsc();
@@ -1661,7 +1661,7 @@ uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key)
 	//Flag that we got to at least stage 1, read CSN
 	read_status = 1;
 
-	// Card selected, now read e-purse (cc)
+	// Card selected, now read e-purse (cc) (only 8 bytes no CRC)
 	ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
 	if(ReaderReceiveIClass(resp) == 8) {
 		//Save CC (e-purse) in response data
@@ -1671,7 +1671,7 @@ uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key)
 
 	return read_status;
 }
-uint8_t handshakeIclassTag(uint8_t *card_data){
+uint8_t handshakeIclassTag(uint8_t *card_data) {
 	return handshakeIclassTag_ext(card_data, false);
 }
 
@@ -1682,21 +1682,28 @@ void ReaderIClass(uint8_t arg0) {
 	uint8_t card_data[6 * 8]={0};
 	memset(card_data, 0xFF, sizeof(card_data));
 	uint8_t last_csn[8]={0};
-	
+	uint8_t resp[ICLASS_BUFFER_SIZE];
+	memset(resp, 0xFF, sizeof(resp));
 	//Read conf block CRC(0x01) => 0xfa 0x22
 	uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x01, 0xfa, 0x22};
-	//Read conf block CRC(0x05) => 0xde  0x64
+	//Read App Issuer Area block CRC(0x05) => 0xde  0x64
 	uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x05, 0xde, 0x64};
 
-
 	int read_status= 0;
 	uint8_t result_status = 0;
+	// flag to read until one tag is found successfully
 	bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
+	// flag to only try 5 times to find one tag then return
 	bool try_once = arg0 & FLAG_ICLASS_READER_ONE_TRY;
-	bool use_credit_key = false;
-	if (arg0 & FLAG_ICLASS_READER_CEDITKEY)
-		use_credit_key = true;
-	set_tracing(TRUE);
+	// if neither abort_after_read nor try_once then continue reading until button pressed.
+
+	bool use_credit_key = arg0 & FLAG_ICLASS_READER_CEDITKEY;
+	// test flags for what blocks to be sure to read
+	uint8_t flagReadConfig = arg0 & FLAG_ICLASS_READER_CONF;
+	uint8_t flagReadCC = arg0 & FLAG_ICLASS_READER_CC;
+	uint8_t flagReadAA = arg0 & FLAG_ICLASS_READER_AA;
+
+	set_tracing(true);
 	setupIclassReader();
 
 	uint16_t tryCnt=0;
@@ -1721,21 +1728,22 @@ void ReaderIClass(uint8_t arg0) {
 		// moving CC forward 8 bytes
 		memcpy(card_data+16,card_data+8, 8);
 		//Read block 1, config
-		if(arg0 & FLAG_ICLASS_READER_CONF)
-		{
-			if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf),card_data+8, 10, 10))
+		if(flagReadConfig) {
+			if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf), resp, 10, 10))
 			{
 				result_status |= FLAG_ICLASS_READER_CONF;
+				memcpy(card_data+8, resp, 8);
 			} else {
 				Dbprintf("Failed to dump config block");
 			}
 		}
 
 		//Read block 5, AA
-		if(arg0 & FLAG_ICLASS_READER_AA){
-			if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA),card_data+(8*4), 10, 10))
+		if(flagReadAA) {
+			if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA), resp, 10, 10))
 			{
 				result_status |= FLAG_ICLASS_READER_AA;
+				memcpy(card_data+(8*5), resp, 8);
 			} else {
 				//Dbprintf("Failed to dump AA block");
 			}
@@ -1747,16 +1755,15 @@ void ReaderIClass(uint8_t arg0) {
 		// (3,4 write-only, kc and kd)
 		// 5 Application issuer area
 		//
-		//Then we can 'ship' back the 8 * 5 bytes of data,
+		//Then we can 'ship' back the 8 * 6 bytes of data,
 		// with 0xFF:s in block 3 and 4.
 
 		LED_B_ON();
 		//Send back to client, but don't bother if we already sent this
 		if(memcmp(last_csn, card_data, 8) != 0)
 		{
-			// If caller requires that we get CC, continue until we got it
-			if( (arg0 & read_status & FLAG_ICLASS_READER_CC) || !(arg0 & FLAG_ICLASS_READER_CC))
-			{
+			// If caller requires that we get Conf, CC, AA, continue until we got it
+			if( (result_status ^ FLAG_ICLASS_READER_CSN ^ flagReadConfig ^ flagReadCC ^ flagReadAA) == 0) {
 				cmd_send(CMD_ACK,result_status,0,0,card_data,sizeof(card_data));
 				if(abort_after_read) {
 					LED_A_OFF();
@@ -1769,8 +1776,8 @@ void ReaderIClass(uint8_t arg0) {
 		}
 		LED_B_OFF();
 	}
-    cmd_send(CMD_ACK,0,0,0,card_data, 0);
-    LED_A_OFF();
+	cmd_send(CMD_ACK,0,0,0,card_data, 0);
+	LED_A_OFF();
 }
 
 void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
@@ -1911,64 +1918,69 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
 	LED_A_OFF();
 }
 
+void iClass_ReadCheck(uint8_t	blockNo, uint8_t keyType) {
+	uint8_t readcheck[] = { keyType, blockNo };
+	uint8_t resp[] = {0,0,0,0,0,0,0,0};
+	size_t isOK = 0;
+	isOK = sendCmdGetResponseWithRetries(readcheck, sizeof(readcheck), resp, sizeof(resp), 6);
+	cmd_send(CMD_ACK,isOK,0,0,0,0);
+}
+
 void iClass_Authentication(uint8_t *MAC) {
-	uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+	uint8_t check[] = { ICLASS_CMD_CHECK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 	uint8_t resp[ICLASS_BUFFER_SIZE];
 	memcpy(check+5,MAC,4);
 	bool isOK;
-	isOK = sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5);
+	isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, 4, 6);
 	cmd_send(CMD_ACK,isOK,0,0,0,0);
-	//Dbprintf("isOK %d, Tag response : %02x%02x%02x%02x",isOK,resp[0],resp[1],resp[2],resp[3]);
 }
-bool iClass_ReadBlock(uint8_t blockNo, uint8_t keyType, uint8_t *readdata) {
-	uint8_t readcmd[] = {keyType, blockNo}; //0x88, 0x00
-	uint8_t resp[8];
-	size_t isOK = 1;
+bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) {
+	uint8_t readcmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockNo, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
+	char bl = blockNo;
+	uint16_t rdCrc = iclass_crc16(&bl, 1);
+	readcmd[2] = rdCrc >> 8;
+	readcmd[3] = rdCrc & 0xff;
+	uint8_t resp[] = {0,0,0,0,0,0,0,0,0,0};
+	bool isOK = false;
 
-	readcmd[1] = blockNo;
-	isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd),resp, 8, 5);
-	memcpy(readdata,resp,sizeof(resp));
+	//readcmd[1] = blockNo;
+	isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd), resp, 10, 10);
+	memcpy(readdata, resp, sizeof(resp));
 
 	return isOK;
 }
 
-void iClass_ReadBlk(uint8_t blockno, uint8_t keyType) {
-	uint8_t readblockdata[8];
+void iClass_ReadBlk(uint8_t blockno) {
+	uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
 	bool isOK = false;
-	isOK = iClass_ReadBlock(blockno, keyType, readblockdata);
-	//Dbprintf("read block [%02x] [%02x%02x%02x%02x%02x%02x%02x%02x]",blockNo,readblockdata[0],readblockdata[1],readblockdata[2],readblockdata[3],readblockdata[4],readblockdata[5],readblockdata[6],readblockdata[7]);
-	cmd_send(CMD_ACK,isOK,0,0,readblockdata,8);
+	isOK = iClass_ReadBlock(blockno, readblockdata);
+	cmd_send(CMD_ACK, isOK, 0, 0, readblockdata, 8);
 }
 
-void iClass_Dump(uint8_t blockno, uint8_t numblks, uint8_t keyType) {
-	uint8_t readblockdata[8];
+void iClass_Dump(uint8_t blockno, uint8_t numblks) {
+	uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
 	bool isOK = false;
 	uint8_t blkCnt = 0;
 
 	BigBuf_free();
 	uint8_t *dataout = BigBuf_malloc(255*8);
-	memset(dataout,0xFF,255*8);
 	if (dataout == NULL){
 		Dbprintf("out of memory");
 		OnError(1);
 		return;
 	}
+	memset(dataout,0xFF,255*8);
 
 	for (;blkCnt < numblks; blkCnt++) {
-		isOK = iClass_ReadBlock(blockno+blkCnt, keyType, readblockdata);
-		if (!isOK || (readblockdata[0] == 0xBB || readblockdata[7] == 0x33 || readblockdata[2] == 0xBB)) { //try again
-			isOK = iClass_ReadBlock(blockno+blkCnt, keyType, readblockdata);
+		isOK = iClass_ReadBlock(blockno+blkCnt, readblockdata);
+		if (!isOK || (readblockdata[0] == 0xBB || readblockdata[7] == 0xBB || readblockdata[2] == 0xBB)) { //try again
+			isOK = iClass_ReadBlock(blockno+blkCnt, readblockdata);
 			if (!isOK) {
 				Dbprintf("Block %02X failed to read", blkCnt+blockno);
 				break;
 			}
 		}
 		memcpy(dataout+(blkCnt*8),readblockdata,8);
-		/*Dbprintf("| %02x | %02x%02x%02x%02x%02x%02x%02x%02x |",
-			blockno+blkCnt, readblockdata[0], readblockdata[1], readblockdata[2],
-			readblockdata[3], readblockdata[4], readblockdata[5],
-			readblockdata[6], readblockdata[7]);
-		*/
 	}
 	//return pointer to dump memory in arg3
 	cmd_send(CMD_ACK,isOK,blkCnt,BigBuf_max_traceLen(),0,0);
@@ -1977,32 +1989,34 @@ void iClass_Dump(uint8_t blockno, uint8_t numblks, uint8_t keyType) {
 	BigBuf_free();
 }
 
-bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t keyType, uint8_t *data) {
-	uint8_t write[] = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-	uint8_t readblockdata[8];
-	write[1] = blockNo;
+bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) {
+	uint8_t write[] = { ICLASS_CMD_UPDATE, blockNo, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+	//uint8_t readblockdata[10];
+	//write[1] = blockNo;
 	memcpy(write+2, data, 12); // data + mac
-	uint8_t resp[10];
-	bool isOK;
-	isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),5);
-	//Dbprintf("reply       [%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x]",resp[0],resp[1],resp[2],resp[3],resp[4],resp[5],resp[6],resp[7],resp[8],resp[9]);
-	if (isOK) {
-		isOK = iClass_ReadBlock(blockNo, keyType, readblockdata);
-		//try again
-		if (!isOK || (readblockdata[0] == 0xBB || readblockdata[7] == 0xBB || readblockdata[2] == 0xBB)) 
-			isOK = iClass_ReadBlock(blockNo, keyType, readblockdata);
-	}
-	if (isOK) {
-		//Dbprintf("read block  [%02x] [%02x%02x%02x%02x%02x%02x%02x%02x]",blockNo,readblockdata[0],readblockdata[1],readblockdata[2],readblockdata[3],readblockdata[4],readblockdata[5],readblockdata[6],readblockdata[7]);
-		if (memcmp(write+2,readblockdata,sizeof(readblockdata)) != 0){
-			isOK=false;
+	char *wrCmd = (char *)(write+1); 
+	uint16_t wrCrc = iclass_crc16(wrCmd, 13);
+	write[14] = wrCrc >> 8;
+	write[15] = wrCrc & 0xff;
+	uint8_t resp[] = {0,0,0,0,0,0,0,0,0,0};
+	bool isOK = false;
+
+	isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),10);
+	if (isOK) { //if reader responded correctly
+		//Dbprintf("WriteResp: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",resp[0],resp[1],resp[2],resp[3],resp[4],resp[5],resp[6],resp[7],resp[8],resp[9]);
+		if (memcmp(write+2,resp,8)) {  //if response is not equal to write values
+			if (blockNo != 3 && blockNo != 4) { //if not programming key areas (note key blocks don't get programmed with actual key data it is xor data)
+				//error try again
+				isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),10);
+			} 
+			
 		}
 	}
 	return isOK;
 }
 
-void iClass_WriteBlock(uint8_t blockNo, uint8_t keyType, uint8_t *data) {
-	bool isOK = iClass_WriteBlock_ext(blockNo, keyType, data);
+void iClass_WriteBlock(uint8_t blockNo, uint8_t *data) {
+	bool isOK = iClass_WriteBlock_ext(blockNo, data);
 	if (isOK){
 		Dbprintf("Write block [%02x] successful",blockNo);
 	} else {
@@ -2011,17 +2025,17 @@ void iClass_WriteBlock(uint8_t blockNo, uint8_t keyType, uint8_t *data) {
 	cmd_send(CMD_ACK,isOK,0,0,0,0);	
 }
 
-void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t keyType, uint8_t *data) {
+void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) {
 	int i;
 	int written = 0;
 	int total_block = (endblock - startblock) + 1;
 	for (i = 0; i < total_block;i++){
 		// block number
-		if (iClass_WriteBlock_ext(i+startblock, keyType, data+(i*12))){
+		if (iClass_WriteBlock_ext(i+startblock, data+(i*12))){
 			Dbprintf("Write block [%02x] successful",i + startblock);
 			written++;
 		} else {
-			if (iClass_WriteBlock_ext(i+startblock, keyType, data+(i*12))){
+			if (iClass_WriteBlock_ext(i+startblock, data+(i*12))){
 				Dbprintf("Write block [%02x] successful",i + startblock);
 				written++;
 			} else {