X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/aa53efc340d9f2dc382e4bb98d49bede5a18e920..refs/pull/347/head:/armsrc/iclass.c?ds=sidebyside diff --git a/armsrc/iclass.c b/armsrc/iclass.c index a27fb970..f69d0be2 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -1447,7 +1447,7 @@ static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int } WDT_HIT(); } - if (samples) *samples = (c + *wait) << 3; + if (samples && wait) *samples = (c + *wait) << 3; } @@ -1473,7 +1473,7 @@ void CodeIClassCommand(const uint8_t * cmd, int len) for(j = 0; j < 4; j++) { for(k = 0; k < 4; k++) { if(k == (b & 3)) { - ToSend[++ToSendMax] = 0x0f; + ToSend[++ToSendMax] = 0xf0; } else { ToSend[++ToSendMax] = 0x00; @@ -1580,8 +1580,8 @@ void setupIclassReader() { FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Reset trace buffer - set_tracing(TRUE); - clear_trace(); + set_tracing(TRUE); + clear_trace(); // Setup SSC FpgaSetupSsc(); @@ -1661,7 +1661,7 @@ uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key) //Flag that we got to at least stage 1, read CSN read_status = 1; - // Card selected, now read e-purse (cc) + // Card selected, now read e-purse (cc) (only 8 bytes no CRC) ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); if(ReaderReceiveIClass(resp) == 8) { //Save CC (e-purse) in response data @@ -1671,7 +1671,7 @@ uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key) return read_status; } -uint8_t handshakeIclassTag(uint8_t *card_data){ +uint8_t handshakeIclassTag(uint8_t *card_data) { return handshakeIclassTag_ext(card_data, false); } @@ -1682,21 +1682,28 @@ void ReaderIClass(uint8_t arg0) { uint8_t card_data[6 * 8]={0}; memset(card_data, 0xFF, sizeof(card_data)); uint8_t last_csn[8]={0}; - + uint8_t resp[ICLASS_BUFFER_SIZE]; + memset(resp, 0xFF, sizeof(resp)); //Read conf block CRC(0x01) => 0xfa 0x22 uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x01, 0xfa, 0x22}; - //Read conf block CRC(0x05) => 0xde 0x64 + //Read App Issuer Area block CRC(0x05) => 0xde 0x64 uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x05, 0xde, 0x64}; - int read_status= 0; uint8_t result_status = 0; + // flag to read until one tag is found successfully bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE; + // flag to only try 5 times to find one tag then return bool try_once = arg0 & FLAG_ICLASS_READER_ONE_TRY; - bool use_credit_key = false; - if (arg0 & FLAG_ICLASS_READER_CEDITKEY) - use_credit_key = true; - set_tracing(TRUE); + // if neither abort_after_read nor try_once then continue reading until button pressed. + + bool use_credit_key = arg0 & FLAG_ICLASS_READER_CEDITKEY; + // test flags for what blocks to be sure to read + uint8_t flagReadConfig = arg0 & FLAG_ICLASS_READER_CONF; + uint8_t flagReadCC = arg0 & FLAG_ICLASS_READER_CC; + uint8_t flagReadAA = arg0 & FLAG_ICLASS_READER_AA; + + set_tracing(true); setupIclassReader(); uint16_t tryCnt=0; @@ -1721,21 +1728,22 @@ void ReaderIClass(uint8_t arg0) { // moving CC forward 8 bytes memcpy(card_data+16,card_data+8, 8); //Read block 1, config - if(arg0 & FLAG_ICLASS_READER_CONF) - { - if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf),card_data+8, 10, 10)) + if(flagReadConfig) { + if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf), resp, 10, 10)) { result_status |= FLAG_ICLASS_READER_CONF; + memcpy(card_data+8, resp, 8); } else { Dbprintf("Failed to dump config block"); } } //Read block 5, AA - if(arg0 & FLAG_ICLASS_READER_AA){ - if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA),card_data+(8*4), 10, 10)) + if(flagReadAA) { + if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA), resp, 10, 10)) { result_status |= FLAG_ICLASS_READER_AA; + memcpy(card_data+(8*5), resp, 8); } else { //Dbprintf("Failed to dump AA block"); } @@ -1747,16 +1755,15 @@ void ReaderIClass(uint8_t arg0) { // (3,4 write-only, kc and kd) // 5 Application issuer area // - //Then we can 'ship' back the 8 * 5 bytes of data, + //Then we can 'ship' back the 8 * 6 bytes of data, // with 0xFF:s in block 3 and 4. LED_B_ON(); //Send back to client, but don't bother if we already sent this if(memcmp(last_csn, card_data, 8) != 0) { - // If caller requires that we get CC, continue until we got it - if( (arg0 & read_status & FLAG_ICLASS_READER_CC) || !(arg0 & FLAG_ICLASS_READER_CC)) - { + // If caller requires that we get Conf, CC, AA, continue until we got it + if( (result_status ^ FLAG_ICLASS_READER_CSN ^ flagReadConfig ^ flagReadCC ^ flagReadAA) == 0) { cmd_send(CMD_ACK,result_status,0,0,card_data,sizeof(card_data)); if(abort_after_read) { LED_A_OFF(); @@ -1769,8 +1776,8 @@ void ReaderIClass(uint8_t arg0) { } LED_B_OFF(); } - cmd_send(CMD_ACK,0,0,0,card_data, 0); - LED_A_OFF(); + cmd_send(CMD_ACK,0,0,0,card_data, 0); + LED_A_OFF(); } void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { @@ -1911,64 +1918,69 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { LED_A_OFF(); } +void iClass_ReadCheck(uint8_t blockNo, uint8_t keyType) { + uint8_t readcheck[] = { keyType, blockNo }; + uint8_t resp[] = {0,0,0,0,0,0,0,0}; + size_t isOK = 0; + isOK = sendCmdGetResponseWithRetries(readcheck, sizeof(readcheck), resp, sizeof(resp), 6); + cmd_send(CMD_ACK,isOK,0,0,0,0); +} + void iClass_Authentication(uint8_t *MAC) { - uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + uint8_t check[] = { ICLASS_CMD_CHECK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint8_t resp[ICLASS_BUFFER_SIZE]; memcpy(check+5,MAC,4); bool isOK; - isOK = sendCmdGetResponseWithRetries(check, sizeof(check),resp, 4, 5); + isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, 4, 6); cmd_send(CMD_ACK,isOK,0,0,0,0); - //Dbprintf("isOK %d, Tag response : %02x%02x%02x%02x",isOK,resp[0],resp[1],resp[2],resp[3]); } -bool iClass_ReadBlock(uint8_t blockNo, uint8_t keyType, uint8_t *readdata) { - uint8_t readcmd[] = {keyType, blockNo}; //0x88, 0x00 - uint8_t resp[8]; - size_t isOK = 1; +bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) { + uint8_t readcmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockNo, 0x00, 0x00}; //0x88, 0x00 // can i use 0C? + char bl = blockNo; + uint16_t rdCrc = iclass_crc16(&bl, 1); + readcmd[2] = rdCrc >> 8; + readcmd[3] = rdCrc & 0xff; + uint8_t resp[] = {0,0,0,0,0,0,0,0,0,0}; + bool isOK = false; - readcmd[1] = blockNo; - isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd),resp, 8, 5); - memcpy(readdata,resp,sizeof(resp)); + //readcmd[1] = blockNo; + isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd), resp, 10, 10); + memcpy(readdata, resp, sizeof(resp)); return isOK; } -void iClass_ReadBlk(uint8_t blockno, uint8_t keyType) { - uint8_t readblockdata[8]; +void iClass_ReadBlk(uint8_t blockno) { + uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0}; bool isOK = false; - isOK = iClass_ReadBlock(blockno, keyType, readblockdata); - //Dbprintf("read block [%02x] [%02x%02x%02x%02x%02x%02x%02x%02x]",blockNo,readblockdata[0],readblockdata[1],readblockdata[2],readblockdata[3],readblockdata[4],readblockdata[5],readblockdata[6],readblockdata[7]); - cmd_send(CMD_ACK,isOK,0,0,readblockdata,8); + isOK = iClass_ReadBlock(blockno, readblockdata); + cmd_send(CMD_ACK, isOK, 0, 0, readblockdata, 8); } -void iClass_Dump(uint8_t blockno, uint8_t numblks, uint8_t keyType) { - uint8_t readblockdata[8]; +void iClass_Dump(uint8_t blockno, uint8_t numblks) { + uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0}; bool isOK = false; uint8_t blkCnt = 0; BigBuf_free(); uint8_t *dataout = BigBuf_malloc(255*8); - memset(dataout,0xFF,255*8); if (dataout == NULL){ Dbprintf("out of memory"); OnError(1); return; } + memset(dataout,0xFF,255*8); for (;blkCnt < numblks; blkCnt++) { - isOK = iClass_ReadBlock(blockno+blkCnt, keyType, readblockdata); - if (!isOK || (readblockdata[0] == 0xBB || readblockdata[7] == 0x33 || readblockdata[2] == 0xBB)) { //try again - isOK = iClass_ReadBlock(blockno+blkCnt, keyType, readblockdata); + isOK = iClass_ReadBlock(blockno+blkCnt, readblockdata); + if (!isOK || (readblockdata[0] == 0xBB || readblockdata[7] == 0xBB || readblockdata[2] == 0xBB)) { //try again + isOK = iClass_ReadBlock(blockno+blkCnt, readblockdata); if (!isOK) { Dbprintf("Block %02X failed to read", blkCnt+blockno); break; } } memcpy(dataout+(blkCnt*8),readblockdata,8); - /*Dbprintf("| %02x | %02x%02x%02x%02x%02x%02x%02x%02x |", - blockno+blkCnt, readblockdata[0], readblockdata[1], readblockdata[2], - readblockdata[3], readblockdata[4], readblockdata[5], - readblockdata[6], readblockdata[7]); - */ } //return pointer to dump memory in arg3 cmd_send(CMD_ACK,isOK,blkCnt,BigBuf_max_traceLen(),0,0); @@ -1977,32 +1989,34 @@ void iClass_Dump(uint8_t blockno, uint8_t numblks, uint8_t keyType) { BigBuf_free(); } -bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t keyType, uint8_t *data) { - uint8_t write[] = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t readblockdata[8]; - write[1] = blockNo; +bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) { + uint8_t write[] = { ICLASS_CMD_UPDATE, blockNo, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + //uint8_t readblockdata[10]; + //write[1] = blockNo; memcpy(write+2, data, 12); // data + mac - uint8_t resp[10]; - bool isOK; - isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),5); - //Dbprintf("reply [%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x]",resp[0],resp[1],resp[2],resp[3],resp[4],resp[5],resp[6],resp[7],resp[8],resp[9]); - if (isOK) { - isOK = iClass_ReadBlock(blockNo, keyType, readblockdata); - //try again - if (!isOK || (readblockdata[0] == 0xBB || readblockdata[7] == 0xBB || readblockdata[2] == 0xBB)) - isOK = iClass_ReadBlock(blockNo, keyType, readblockdata); - } - if (isOK) { - //Dbprintf("read block [%02x] [%02x%02x%02x%02x%02x%02x%02x%02x]",blockNo,readblockdata[0],readblockdata[1],readblockdata[2],readblockdata[3],readblockdata[4],readblockdata[5],readblockdata[6],readblockdata[7]); - if (memcmp(write+2,readblockdata,sizeof(readblockdata)) != 0){ - isOK=false; + char *wrCmd = (char *)(write+1); + uint16_t wrCrc = iclass_crc16(wrCmd, 13); + write[14] = wrCrc >> 8; + write[15] = wrCrc & 0xff; + uint8_t resp[] = {0,0,0,0,0,0,0,0,0,0}; + bool isOK = false; + + isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),10); + if (isOK) { //if reader responded correctly + //Dbprintf("WriteResp: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",resp[0],resp[1],resp[2],resp[3],resp[4],resp[5],resp[6],resp[7],resp[8],resp[9]); + if (memcmp(write+2,resp,8)) { //if response is not equal to write values + if (blockNo != 3 && blockNo != 4) { //if not programming key areas (note key blocks don't get programmed with actual key data it is xor data) + //error try again + isOK = sendCmdGetResponseWithRetries(write,sizeof(write),resp,sizeof(resp),10); + } + } } return isOK; } -void iClass_WriteBlock(uint8_t blockNo, uint8_t keyType, uint8_t *data) { - bool isOK = iClass_WriteBlock_ext(blockNo, keyType, data); +void iClass_WriteBlock(uint8_t blockNo, uint8_t *data) { + bool isOK = iClass_WriteBlock_ext(blockNo, data); if (isOK){ Dbprintf("Write block [%02x] successful",blockNo); } else { @@ -2011,17 +2025,17 @@ void iClass_WriteBlock(uint8_t blockNo, uint8_t keyType, uint8_t *data) { cmd_send(CMD_ACK,isOK,0,0,0,0); } -void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t keyType, uint8_t *data) { +void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) { int i; int written = 0; int total_block = (endblock - startblock) + 1; for (i = 0; i < total_block;i++){ // block number - if (iClass_WriteBlock_ext(i+startblock, keyType, data+(i*12))){ + if (iClass_WriteBlock_ext(i+startblock, data+(i*12))){ Dbprintf("Write block [%02x] successful",i + startblock); written++; } else { - if (iClass_WriteBlock_ext(i+startblock, keyType, data+(i*12))){ + if (iClass_WriteBlock_ext(i+startblock, data+(i*12))){ Dbprintf("Write block [%02x] successful",i + startblock); written++; } else {