X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/b6e05350b2826c6d43fd8e7363de8a1eeef149a6..76a608af8e342b50718cfd0e53c0fa932304dbd9:/armsrc/iso14443a.c?ds=sidebyside diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 570f028c..1fae4f3c 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1,4 +1,4 @@ - //----------------------------------------------------------------------------- + //----------------------------------------------------------------------------- // Merlok - June 2011, 2012 // Gerhard de Koning Gans - May 2008 // Hagen Fritsch - June 2010 @@ -759,7 +759,7 @@ static void Code4bitAnswerAsTag(uint8_t cmd) { // Stop when button is pressed // Or return TRUE when command is captured //----------------------------------------------------------------------------- -static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) { +int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) { // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen // only, since we are receiving, not transmitting). // Signal field is off with the appropriate LED @@ -849,6 +849,10 @@ bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) { //----------------------------------------------------------------------------- void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { + #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack() + // init pseudorand + fast_prand(); + uint8_t sak = 0; uint32_t cuid = 0; uint32_t nonce = 0; @@ -866,18 +870,10 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t cardAUTHSC = 0; uint8_t cardAUTHKEY = 0xff; // no authentication // allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys - #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack() - nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius) - memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); - - uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius) - memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected)); - uint8_t nonce1_count = 0; - uint8_t nonce2_count = 0; - uint8_t moebius_n_count = 0; - bool gettingMoebius = false; - uint8_t mM = 0; // moebius_modifier for collection storage + nonces_t ar_nr_nonces[ATTACK_KEY_COUNT]; // for attack types moebius + memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces)); + uint8_t moebius_count = 0; switch (tagType) { case 1: { // MIFARE Classic 1k @@ -922,7 +918,11 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { memcpy(data+3, emdata+4, 4); // uid bytes 3-7 flags |= FLAG_7B_UID_IN_DATA; } - } break; + } break; + case 8: { // MIFARE Classic 4k + response1[0] = 0x02; + sak = 0x18; + } break; default: { Dbprintf("Error: unkown tagtype (%d)",tagType); return; @@ -972,16 +972,15 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { response3a[0] = sak & 0xFB; ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]); - uint8_t response5[] = { 0x01, 0x01, 0x01, 0x01 }; // Very random tag nonce + // Tag NONCE. + uint8_t response5[4]; + uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us) // TC(1) = 0x02: CID supported, NAD not supported ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]); - - // the randon nonce - nonce = bytes_to_num(response5, 4); // Prepare GET_VERSION (different for UL EV-1 / NTAG) // uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION. @@ -1053,14 +1052,9 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { // Clean receive command buffer if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) { - DbpString("Button press"); + Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen()); break; - } - - // incease nonce at every command recieved - nonce++; - num_to_bytes(nonce, 4, response5); - + } p_response = NULL; // Okay, look at the command now. @@ -1086,15 +1080,15 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t emdata[MAX_MIFARE_FRAME_SIZE]; emlGetMemBt( emdata, start, 16); AppendCrc14443a(emdata, 16); - EmSendCmdEx(emdata, sizeof(emdata), false); + EmSendCmd(emdata, sizeof(emdata)); // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below p_response = NULL; } else { // all other tags (16 byte block tags) uint8_t emdata[MAX_MIFARE_FRAME_SIZE]; emlGetMemBt( emdata, block, 16); AppendCrc14443a(emdata, 16); - EmSendCmdEx(emdata, sizeof(emdata), false); - // EmSendCmdEx(data+(4*receivedCmd[1]),16,false); + EmSendCmd(emdata, sizeof(emdata)); + // EmSendCmd(data+(4*receivedCmd[1]),16); // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]); // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below p_response = NULL; @@ -1106,7 +1100,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { int len = (receivedCmd[2] - receivedCmd[1] + 1) * 4; emlGetMemBt( emdata, start, len); AppendCrc14443a(emdata, len); - EmSendCmdEx(emdata, len+2, false); + EmSendCmd(emdata, len+2); p_response = NULL; } else if(receivedCmd[0] == MIFARE_ULEV1_READSIG && tagType == 7) { // Received a READ SIGNATURE -- // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] @@ -1114,16 +1108,16 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t emdata[34]; emlGetMemBt( emdata, start, 32); AppendCrc14443a(emdata, 32); - EmSendCmdEx(emdata, sizeof(emdata), false); + EmSendCmd(emdata, sizeof(emdata)); p_response = NULL; } else if (receivedCmd[0] == MIFARE_ULEV1_READ_CNT && tagType == 7) { // Received a READ COUNTER -- uint8_t index = receivedCmd[1]; - uint8_t data[] = {0x00,0x00,0x00,0x14,0xa5}; + uint8_t cmd[] = {0x00,0x00,0x00,0x14,0xa5}; if ( counters[index] > 0) { - num_to_bytes(counters[index], 3, data); - AppendCrc14443a(data, sizeof(data)-2); + num_to_bytes(counters[index], 3, cmd); + AppendCrc14443a(cmd, sizeof(cmd)-2); } - EmSendCmdEx(data,sizeof(data),false); + EmSendCmd(cmd,sizeof(cmd)); p_response = NULL; } else if (receivedCmd[0] == MIFARE_ULEV1_INCR_CNT && tagType == 7) { // Received a INC COUNTER -- // number of counter @@ -1133,7 +1127,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { // send ACK uint8_t ack[] = {0x0a}; - EmSendCmdEx(ack,sizeof(ack),false); + EmSendCmd(ack,sizeof(ack)); p_response = NULL; } else if(receivedCmd[0] == MIFARE_ULEV1_CHECKTEAR && tagType == 7) { // Received a CHECK_TEARING_EVENT -- // first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature] @@ -1142,7 +1136,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { if (receivedCmd[1]<3) counter = receivedCmd[1]; emlGetMemBt( emdata, 10+counter, 1); AppendCrc14443a(emdata, sizeof(emdata)-2); - EmSendCmdEx(emdata, sizeof(emdata), false); + EmSendCmd(emdata, sizeof(emdata)); p_response = NULL; } else if(receivedCmd[0] == ISO14443A_CMD_HALT) { // Received a HALT LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); @@ -1152,12 +1146,24 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t emdata[10]; emlGetMemBt( emdata, 0, 8 ); AppendCrc14443a(emdata, sizeof(emdata)-2); - EmSendCmdEx(emdata, sizeof(emdata), false); + EmSendCmd(emdata, sizeof(emdata)); p_response = NULL; } else { - cardAUTHSC = receivedCmd[1] / 4; // received block num + cardAUTHKEY = receivedCmd[0] - 0x60; - p_response = &responses[5]; order = 7; + cardAUTHSC = receivedCmd[1] / 4; // received block num + + // incease nonce at AUTH requests. this is time consuming. + nonce = prand(); + //num_to_bytes(nonce, 4, response5); + num_to_bytes(nonce, 4, dynamic_response_info.response); + dynamic_response_info.response_n = 4; + + //prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE); + prepare_tag_modulation(&dynamic_response_info, DYNAMIC_MODULATION_BUFFER_SIZE); + p_response = &dynamic_response_info; + //p_response = &responses[5]; + order = 7; } } else if(receivedCmd[0] == ISO14443A_CMD_RATS) { // Received a RATS request if (tagType == 1 || tagType == 2) { // RATS not supported @@ -1170,69 +1176,64 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); uint32_t nr = bytes_to_num(receivedCmd,4); uint32_t ar = bytes_to_num(receivedCmd+4,4); - + // Collect AR/NR per keytype & sector if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) { - for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { - if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) { - // if first auth for sector, or matches sector and keytype of previous auth - if (ar_nr_collected[i+mM] < 2) { - // if we haven't already collected 2 nonces for this sector - if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) { - // Avoid duplicates... probably not necessary, ar should vary. - if (ar_nr_collected[i+mM]==0) { - // first nonce collect - ar_nr_resp[i+mM].cuid = cuid; - ar_nr_resp[i+mM].sector = cardAUTHSC; - ar_nr_resp[i+mM].keytype = cardAUTHKEY; - ar_nr_resp[i+mM].nonce = nonce; - ar_nr_resp[i+mM].nr = nr; - ar_nr_resp[i+mM].ar = ar; - nonce1_count++; - // add this nonce to first moebius nonce - ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid; - ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC; - ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY; - ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce; - ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr; - ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar; - ar_nr_collected[i+ATTACK_KEY_COUNT]++; - } else { // second nonce collect (std and moebius) - ar_nr_resp[i+mM].nonce2 = nonce; - ar_nr_resp[i+mM].nr2 = nr; - ar_nr_resp[i+mM].ar2 = ar; - if (!gettingMoebius) { - nonce2_count++; - // check if this was the last second nonce we need for std attack - if ( nonce2_count == nonce1_count ) { - // done collecting std test switch to moebius - // first finish incrementing last sample - ar_nr_collected[i+mM]++; - // switch to moebius collection - gettingMoebius = true; - mM = ATTACK_KEY_COUNT; - break; - } - } else { - moebius_n_count++; - // if we've collected all the nonces we need - finish. - if (nonce1_count == moebius_n_count) { - cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp)); - nonce1_count = 0; - nonce2_count = 0; - moebius_n_count = 0; - gettingMoebius = false; - } - } - } - ar_nr_collected[i+mM]++; - } - } - // we found right spot for this nonce stop looking - break; - } + + int8_t index = -1; + int8_t empty = -1; + for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { + // find which index to use + if ( (cardAUTHSC == ar_nr_nonces[i].sector) && (cardAUTHKEY == ar_nr_nonces[i].keytype)) + index = i; + + // keep track of empty slots. + if ( ar_nr_nonces[i].state == EMPTY) + empty = i; + } + // if no empty slots. Choose first and overwrite. + if ( index == -1 ) { + if ( empty == -1 ) { + index = 0; + ar_nr_nonces[index].state = EMPTY; + } else { + index = empty; } } + + switch(ar_nr_nonces[index].state) { + case EMPTY: { + // first nonce collect + ar_nr_nonces[index].cuid = cuid; + ar_nr_nonces[index].sector = cardAUTHSC; + ar_nr_nonces[index].keytype = cardAUTHKEY; + ar_nr_nonces[index].nonce = nonce; + ar_nr_nonces[index].nr = nr; + ar_nr_nonces[index].ar = ar; + ar_nr_nonces[index].state = FIRST; + break; + } + case FIRST : { + // second nonce collect + ar_nr_nonces[index].nonce2 = nonce; + ar_nr_nonces[index].nr2 = nr; + ar_nr_nonces[index].ar2 = ar; + ar_nr_nonces[index].state = SECOND; + + // send to client + cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t)); + + ar_nr_nonces[index].state = EMPTY; + ar_nr_nonces[index].sector = 0; + ar_nr_nonces[index].keytype = 0; + + moebius_count++; + break; + } + default: break; + } + } + p_response = NULL; } else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication } else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication @@ -1241,7 +1242,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { uint8_t emdata[4]; emlGetMemBt( emdata, start, 2); AppendCrc14443a(emdata, 2); - EmSendCmdEx(emdata, sizeof(emdata), false); + EmSendCmd(emdata, sizeof(emdata)); p_response = NULL; uint32_t pwd = bytes_to_num(receivedCmd+1,4); @@ -1272,8 +1273,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { dynamic_response_info.response_n = 2; } break; - case 0xaa: - case 0xbb: { + case 0xAA: + case 0xBB: { dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11; dynamic_response_info.response_n = 2; } break; @@ -1306,11 +1307,11 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { dynamic_response_info.response[1] = receivedCmd[1]; // Add CRC bytes, always used in ISO 14443A-4 compliant cards - AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n); + AppendCrc14443a(dynamic_response_info.response, dynamic_response_info.response_n); dynamic_response_info.response_n += 2; if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) { - Dbprintf("Error preparing tag response"); + DbpString("Error preparing tag response"); LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); break; } @@ -1326,7 +1327,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { // comment this limit if you want to simulation longer if (!tracing) { - Dbprintf("Trace Full. Simulation stopped."); + DbpString("Trace Full. Simulation stopped."); break; } // comment this limit if you want to simulation longer @@ -1337,7 +1338,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { cmdsRecvd++; if (p_response != NULL) { - EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52); + EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n); // do the tracing for the previous reader request and this tag answer: uint8_t par[MAX_PARITY_SIZE] = {0x00}; GetParity(p_response->response, p_response->response_n, par); @@ -1359,42 +1360,15 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { set_tracing(FALSE); BigBuf_free_keep_EM(); LED_A_OFF(); - - if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) { - for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { - if (ar_nr_collected[i] == 2) { - Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i= 4){ - Dbprintf("-[ Wake ups after halt [%d]", happened); - Dbprintf("-[ Messages after halt [%d]", happened2); - Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd); + Dbprintf("-[ Wake ups after halt [%d]", happened); + Dbprintf("-[ Messages after halt [%d]", happened2); + Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd); + Dbprintf("-[ Num of moebius tries [%d]", moebius_count); } + + cmd_send(CMD_ACK,1,0,0,0,0); } // prepare a delayed transfer. This simply shifts ToSend[] by a number @@ -1559,7 +1533,7 @@ void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *p // Stop when button is pressed (return 1) or field was gone (return 2) // Or return 0 when command is captured //----------------------------------------------------------------------------- -static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) { +int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) { *len = 0; uint32_t timer = 0, vtime = 0; @@ -1622,17 +1596,25 @@ static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) { } } -int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded) { +int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen) { uint8_t b; uint16_t i = 0; uint32_t ThisTransferTime; + bool correctionNeeded; // Modulate Manchester FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD); - // include correction bit if necessary - if (Uart.parityBits & 0x01) { - correctionNeeded = TRUE; + // Include correction bit if necessary + if (Uart.bitCount == 7) + { + // Short tags (7 bits) don't have parity, determine the correct value from MSB + correctionNeeded = Uart.output[0] & 0x40; + } + else + { + // The parity bits are left-aligned + correctionNeeded = Uart.parity[(Uart.len-1)/8] & (0x80 >> ((Uart.len-1) & 7)); } // 1236, so correction bit needed i = (correctionNeeded) ? 0 : 1; @@ -1673,13 +1655,13 @@ int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded) { i++; } } - LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0); + LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded ? 8 : 0); return 0; } -int EmSend4bitEx(uint8_t resp, bool correctionNeeded){ +int EmSend4bit(uint8_t resp){ Code4bitAnswerAsTag(resp); - int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded); + int res = EmSendCmd14443aRaw(ToSend, ToSendMax); // do the tracing for the previous reader request and this tag answer: uint8_t par[1] = {0x00}; GetParity(&resp, 1, par); @@ -1696,13 +1678,9 @@ int EmSend4bitEx(uint8_t resp, bool correctionNeeded){ return res; } -int EmSend4bit(uint8_t resp){ - return EmSend4bitEx(resp, false); -} - -int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par){ +int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){ CodeIso14443aAsTagPar(resp, respLen, par); - int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded); + int res = EmSendCmd14443aRaw(ToSend, ToSendMax); // do the tracing for the previous reader request and this tag answer: EmLogTrace(Uart.output, Uart.len, @@ -1717,20 +1695,10 @@ int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8 return res; } -int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){ - uint8_t par[MAX_PARITY_SIZE] = {0x00}; - GetParity(resp, respLen, par); - return EmSendCmdExPar(resp, respLen, correctionNeeded, par); -} - int EmSendCmd(uint8_t *resp, uint16_t respLen){ uint8_t par[MAX_PARITY_SIZE] = {0x00}; GetParity(resp, respLen, par); - return EmSendCmdExPar(resp, respLen, false, par); -} - -int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){ - return EmSendCmdExPar(resp, respLen, false, par); + return EmSendCmdPar(resp, respLen, par); } bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity, @@ -1866,6 +1834,9 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u memset(uid_ptr,0,10); } + // reset the PCB block number + iso14_pcb_blocknum = 0; + // check for proprietary anticollision: if ((resp[0] & 0x1F) == 0) return 3; @@ -1977,12 +1948,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u p_hi14a_card->ats_len = len; } - // reset the PCB block number - iso14_pcb_blocknum = 0; - // set default timeout based on ATS iso14a_set_ATS_timeout(resp); - return 1; } @@ -2040,7 +2007,6 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) { { iso14_pcb_blocknum ^= 1; } - return len; } @@ -2086,17 +2052,17 @@ void ReaderIso14443a(UsbCommand *c) { } if (param & ISO14A_RAW) { - if(param & ISO14A_APPEND_CRC) { - if(param & ISO14A_TOPAZMODE) { + if (param & ISO14A_APPEND_CRC) { + if (param & ISO14A_TOPAZMODE) AppendCrc14443b(cmd,len); - } else { + else AppendCrc14443a(cmd,len); - } + len += 2; if (lenbits) lenbits += 16; } - if(lenbits>0) { // want to send a specific number of bits (e.g. short commands) - if(param & ISO14A_TOPAZMODE) { + if (lenbits>0) { // want to send a specific number of bits (e.g. short commands) + if (param & ISO14A_TOPAZMODE) { int bits_to_send = lenbits; uint16_t i = 0; ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity @@ -2110,7 +2076,7 @@ void ReaderIso14443a(UsbCommand *c) { ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity } } else { // want to send complete bytes only - if(param & ISO14A_TOPAZMODE) { + if (param & ISO14A_TOPAZMODE) { uint16_t i = 0; ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy while (i < len) { @@ -2145,29 +2111,24 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) { uint32_t nttmp1 = nt1; uint32_t nttmp2 = nt2; - for (uint16_t i = 1; i < 32768/8; ++i) { + // 0xFFFF -- Half up and half down to find distance between nonces + for (uint16_t i = 1; i < 32768/8; i += 8) { nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -i; - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+1; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+1); - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+2; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+2); - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+3; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+3); - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+4; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+4); - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+5; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+5); - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+6; - nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+6); - nttmp1 = prng_successor(nttmp1, 1); if (nttmp1 == nt2) return i+7; + + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -i; + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+1); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+2); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+3); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+4); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+5); + nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+6); nttmp2 = prng_successor(nttmp2, 1); if (nttmp2 == nt1) return -(i+7); } // either nt1 or nt2 are invalid nonces @@ -2221,14 +2182,14 @@ void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { BigBuf_free(); BigBuf_Clear_ext(false); clear_trace(); - set_tracing(TRUE); + set_tracing(FALSE); iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); sync_time = GetCountSspClk() & 0xfffffff8; sync_cycles = PRNG_SEQUENCE_LENGTH; // Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces). nt_attacked = 0; - if (MF_DBGLEVEL >= 4) Dbprintf("Mifare::Sync %08x", sync_time); + if (MF_DBGLEVEL >= 4) Dbprintf("Mifare::Sync %u", sync_time); if (first_try) { mf_nr_ar3 = 0; @@ -2445,6 +2406,10 @@ void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) { *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite */ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) { + + // init pseudorand + fast_prand( GetTickCount() ); + int cardSTATE = MFEMUL_NOFIELD; int _UID_LEN = 0; // 4, 7, 10 int vHf = 0; // in mV @@ -2478,27 +2443,19 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; - uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01}; // very random nonce + // TAG Nonce - Authenticate response + uint8_t rAUTH_NT[4]; + uint32_t nonce = prand(); + num_to_bytes(nonce, 4, rAUTH_NT); + // uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};// nonce from nested? why this? uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; - + // Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2 // This can be used in a reader-only attack. - nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius) - memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); - - uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius) - memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected)); - uint8_t nonce1_count = 0; - uint8_t nonce2_count = 0; - uint8_t moebius_n_count = 0; - bool gettingMoebius = false; - uint8_t mM = 0; // moebius_modifier for collection storage - bool doBufResetNext = false; + nonces_t ar_nr_nonces[ATTACK_KEY_COUNT]; + memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces)); - // Authenticate response - nonce - uint32_t nonce = bytes_to_num(rAUTH_NT, 4); - // -- Determine the UID // Can be set from emulator memory or incoming data // Length: 4,7,or 10 bytes @@ -2629,12 +2586,12 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * // this if-statement doesn't match the specification above. (iceman) if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) { selTimer = GetTickCount(); - EmSendCmdEx(atqa, sizeof(atqa), (receivedCmd[0] == ISO14443A_CMD_WUPA)); + EmSendCmd(atqa, sizeof(atqa)); cardSTATE = MFEMUL_SELECT1; crypto1_destroy(pcs); cardAUTHKEY = 0xff; LEDsoff(); - nonce++; + nonce = prand(); continue; } @@ -2739,121 +2696,92 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * uint32_t nr = bytes_to_num(receivedCmd, 4); uint32_t ar = bytes_to_num(&receivedCmd[4], 4); - if (doBufResetNext) { - // Reset, lets try again! - Dbprintf("Re-read after previous NR_AR_ATTACK, resetting buffer"); - memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); - memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected)); - mM = 0; - doBufResetNext = false; - } + // Collect AR/NR per keytype & sector + if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) { + + int8_t index = -1; + int8_t empty = -1; + for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { + // find which index to use + if ( (cardAUTHSC == ar_nr_nonces[i].sector) && (cardAUTHKEY == ar_nr_nonces[i].keytype)) + index = i; - for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { - if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) { - - // if first auth for sector, or matches sector and keytype of previous auth - if (ar_nr_collected[i+mM] < 2) { - // if we haven't already collected 2 nonces for this sector - if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) { - // Avoid duplicates... probably not necessary, ar should vary. - if (ar_nr_collected[i+mM]==0) { - // first nonce collect - ar_nr_resp[i+mM].cuid = cuid; - ar_nr_resp[i+mM].sector = cardAUTHSC; - ar_nr_resp[i+mM].keytype = cardAUTHKEY; - ar_nr_resp[i+mM].nonce = nonce; - ar_nr_resp[i+mM].nr = nr; - ar_nr_resp[i+mM].ar = ar; - nonce1_count++; - // add this nonce to first moebius nonce - ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid; - ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC; - ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY; - ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce; - ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr; - ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar; - ar_nr_collected[i+ATTACK_KEY_COUNT]++; - } else { // second nonce collect (std and moebius) - ar_nr_resp[i+mM].nonce2 = nonce; - ar_nr_resp[i+mM].nr2 = nr; - ar_nr_resp[i+mM].ar2 = ar; - if (!gettingMoebius) { - nonce2_count++; - // check if this was the last second nonce we need for std attack - if ( nonce2_count == nonce1_count ) { - // done collecting std test switch to moebius - // first finish incrementing last sample - ar_nr_collected[i+mM]++; - // switch to moebius collection - gettingMoebius = true; - mM = ATTACK_KEY_COUNT; - break; - } - } else { - moebius_n_count++; - // if we've collected all the nonces we need - finish. - - if (nonce1_count == moebius_n_count) { - cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp)); - nonce1_count = 0; - nonce2_count = 0; - moebius_n_count = 0; - gettingMoebius = false; - doBufResetNext = true; - finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)); - } - } - } - ar_nr_collected[i+mM]++; - } + // keep track of empty slots. + if ( ar_nr_nonces[i].state == EMPTY) + empty = i; + } + // if no empty slots. Choose first and overwrite. + if ( index == -1 ) { + if ( empty == -1 ) { + index = 0; + ar_nr_nonces[index].state = EMPTY; + } else { + index = empty; } - // we found right spot for this nonce stop looking - break; } - } - - /* - // Collect AR/NR - // if(ar_nr_collected < 2 && cardAUTHSC == 2){ - if(ar_nr_collected < 2) { - // if(ar_nr_responses[2] != nr) { - ar_nr_responses[ar_nr_collected*4] = cuid; - ar_nr_responses[ar_nr_collected*4+1] = nonce; - ar_nr_responses[ar_nr_collected*4+2] = nr; - ar_nr_responses[ar_nr_collected*4+3] = ar; - ar_nr_collected++; - // } - - // Interactive mode flag, means we need to send ACK - finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)&& ar_nr_collected == 2); + switch(ar_nr_nonces[index].state) { + case EMPTY: { + // first nonce collect + ar_nr_nonces[index].cuid = cuid; + ar_nr_nonces[index].sector = cardAUTHSC; + ar_nr_nonces[index].keytype = cardAUTHKEY; + ar_nr_nonces[index].nonce = nonce; + ar_nr_nonces[index].nr = nr; + ar_nr_nonces[index].ar = ar; + ar_nr_nonces[index].state = FIRST; + break; + } + case FIRST : { + // second nonce collect + ar_nr_nonces[index].nonce2 = nonce; + ar_nr_nonces[index].nr2 = nr; + ar_nr_nonces[index].ar2 = ar; + ar_nr_nonces[index].state = SECOND; + + // send to client + cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t)); + + ar_nr_nonces[index].state = EMPTY; + ar_nr_nonces[index].sector = 0; + ar_nr_nonces[index].keytype = 0; + break; + } + default: break; + } } + + crypto1_word(pcs, nr , 1); + uint32_t cardRr = ar ^ crypto1_word(pcs, 0, 0); - crypto1_word(pcs, ar , 1); - cardRr = nr ^ crypto1_word(pcs, 0, 0); - - test if auth OK + //test if auth OK if (cardRr != prng_successor(nonce, 64)){ - if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x", - cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B', - cardRr, prng_successor(nonce, 64)); - Shouldn't we respond anything here? - Right now, we don't nack or anything, which causes the - reader to do a WUPA after a while. /Martin - -- which is the correct response. /piwi + if (MF_DBGLEVEL >= 3) { + Dbprintf("AUTH FAILED for sector %d with key %c. [nr=%08x cardRr=%08x] [nt=%08x succ=%08x]" + , cardAUTHSC + , (cardAUTHKEY == 0) ? 'A' : 'B' + , nr + , cardRr + , nonce // nt + , prng_successor(nonce, 64) + ); + } + // Shouldn't we respond anything here? + // Right now, we don't nack or anything, which causes the + // reader to do a WUPA after a while. /Martin + // -- which is the correct response. /piwi cardSTATE_TO_IDLE(); LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); break; } - */ ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0); num_to_bytes(ans, 4, rAUTH_AT); EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); LED_C_ON(); - if (MF_DBGLEVEL >= 4) { + if (MF_DBGLEVEL >= 1) { Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d", cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B', @@ -2877,24 +2805,24 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * receivedCmd[0] == MIFARE_AUTH_KEYB) ) { authTimer = GetTickCount(); - cardAUTHSC = receivedCmd[1] / 4; // received block num - cardAUTHKEY = receivedCmd[0] - 0x60; // & 1 + cardAUTHSC = receivedCmd[1] / 4; // received block -> sector + cardAUTHKEY = receivedCmd[0] & 0x1; crypto1_destroy(pcs); + + // load key into crypto crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); - if (!encrypted_data) { + if (!encrypted_data) { // first authentication - crypto1_word(pcs, cuid ^ nonce, 0);// Update crypto state - num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce - - if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); - + // Update crypto state init (UID ^ NONCE) + crypto1_word(pcs, cuid ^ nonce, 0); + num_to_bytes(nonce, 4, rAUTH_AT); } else { // nested authentication ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); num_to_bytes(ans, 4, rAUTH_AT); - if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); + if (MF_DBGLEVEL >= 3) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %c", receivedCmd[1], receivedCmd[1], cardAUTHKEY == 0 ? 'A' : 'B'); } EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); @@ -3062,49 +2990,10 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } } - // Interactive mode flag, means we need to send ACK - /* - if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE) { - // May just aswell send the collected ar_nr in the response aswell - uint8_t len = ar_nr_collected * 4 * 4; - cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len); - } - - */ - if( ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) && MF_DBGLEVEL >= 1 ) { - for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { - if (ar_nr_collected[i] == 2) { - Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i= 1) + Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen()); - if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen()); - - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + cmd_send(CMD_ACK,1,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); set_tracing(FALSE); }