From: Martin Holst Swende <martin.holst@gmail.com>
Date: Fri, 27 Jun 2014 11:16:31 +0000 (+0200)
Subject: Merged with master
X-Git-Tag: v1.1.0~1^2^2~1
X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/42f57e0294c13f14f8ebcdcc529b5872c2884786

Merged with master
---

42f57e0294c13f14f8ebcdcc529b5872c2884786
diff --cc armsrc/iclass.c
index be27aa3a,9c5e8b2b..d5cd366d
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@@ -665,10 -681,16 +665,12 @@@ void RAMFUNC SnoopIClass(void
      // The command (reader -> tag) that we're receiving.
  	// The length of a received command will in most cases be no more than 18 bytes.
  	// So 32 should be enough!
 -    uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
 +	uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
      // The response (tag -> reader) that we're receiving.
 -    uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
 +	uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
  
 -    // As we receive stuff, we copy it from receivedCmd or receivedResponse
 -    // into trace, along with its length and other annotations.
 -    //uint8_t *trace = (uint8_t *)BigBuf;
 -    
+     FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+  
      // reset traceLen to 0
      iso14a_set_tracing(TRUE);
      iso14a_clear_trace();
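Review bot: The two added lines in SnoopIClass are indented with spaces and the second one is whitespace-only (`+     FpgaDownloadAndGo(FPGA_BITSTREAM_HF);` followed by `+  `), in a body that otherwise uses tabs; the renamed declarations just above were switched to tabs in the same hunk, so the new lines should match: `	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);` and a bare empty line. The comment on the command buffer ("no more than 18 bytes. So 32 should be enough!") states a limit that nothing in the hunk enforces; a note such as `// NOTE: RECV_CMD_OFFSET/RECV_RES_OFFSET must leave at least 32 bytes apart — verify against BigBuf layout` would make the assumption checkable. SnoopIClass starts and continues outside this hunk.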
@@@ -954,80 -987,27 +956,82 @@@ static void CodeIClassTagSOF(
  	// Convert from last byte pos to length
  	ToSendMax++;
  }
 -
 -//-----------------------------------------------------------------------------
 -// Simulate iClass Card
 -// Only CSN (Card Serial Number)
 -// 
 -//-----------------------------------------------------------------------------
 -void SimulateIClass(uint8_t arg0, uint8_t *datain)
 +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
 +/**
 + * @brief SimulateIClass simulates an iClass card.
 + * @param arg0 type of simulation
 + *			- 0 uses the first 8 bytes in usb data as CSN
 + *			- 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
 + *			in the usb data. This mode collects MAC from the reader, in order to do an offline
 + *			attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
 + *			- Other : Uses the default CSN (031fec8af7ff12e0)
 + * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
 + * @param arg2
 + * @param datain
 + */
 +void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
  {
 -	uint8_t simType = arg0;
 -
 +	uint32_t simType = arg0;
 +	uint32_t numberOfCSNS = arg1;
+ 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
  
 -  // Enable and clear the trace
 -	tracing = TRUE;
 -	traceLen = 0;
 -  memset(trace, 0x44, TRACE_SIZE);
 +	// Enable and clear the trace
 +	iso14a_set_tracing(TRUE);
 +	iso14a_clear_trace();
 +
 +	uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
 +	if(simType == 0) {
 +		// Use the CSN from commandline
 +		memcpy(csn_crc, datain, 8);
 +		doIClassSimulation(csn_crc,0,NULL);
 +	}else if(simType == 1)
 +	{
 +		doIClassSimulation(csn_crc,0,NULL);
 +	}
 +	else if(simType == 2)
 +	{
 +
 +		uint8_t mac_responses[64] = { 0 };
 +		Dbprintf("Going into attack mode");
 +		// In this mode, a number of csns are within datain. We'll simulate each one, one at a time
 +		// in order to collect MAC's from the reader. This can later be used in an offlne-attack
 +		// in order to obtain the keys, as in the "dismantling iclass"-paper.
 +		int i = 0;
 +		for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
 +		{
 +			// The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
 +
 +			memcpy(csn_crc, datain+(i*8), 8);
 +			if(doIClassSimulation(csn_crc,1,mac_responses))
 +			{
 +				return; // Button pressed
 +			}
 +		}
 +		cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
 +
 +	}
 +	else{
 +		// We may want a mode here where we hardcode the csns to use (from proxclone).
 +		// That will speed things up a little, but not required just yet.
 +		Dbprintf("The mode is not implemented, reserved for future use");
 +	}
 +	Dbprintf("Done...");
 +
 +}
 +/**
 + * @brief Does the actual simulation
 + * @param csn - csn to use
 + * @param breakAfterMacReceived if true, returns after reader MAC has been received.
 + */
 +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
 +{
 +
+ 
  	// CSN followed by two CRC bytes
  	uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 -	uint8_t response3[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
 -
 +	uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
 +	memcpy(response3,csn,sizeof(response3));
 +	Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
  	// e-Purse
  	uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  
@@@ -1469,8 -1430,10 +1473,10 @@@ void ReaderIClass(uint8_t arg0) 
  
  	uint8_t* resp = (((uint8_t *)BigBuf) + 3560);	// was 3560 - tied to other size changes
  
+     FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ 
  	// Reset trace buffer
 -    	memset(trace, 0x44, RECV_CMD_OFFSET);
 +	memset(trace, 0x44, RECV_CMD_OFFSET);
  	traceLen = 0;
  
  	// Setup SSC
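Review bot: ReaderIClass still resets tracing through the raw globals (`memset(trace, 0x44, RECV_CMD_OFFSET); traceLen = 0;`) while SnoopIClass and SimulateIClass in the same file were moved in this commit to `iso14a_set_tracing(TRUE); iso14a_clear_trace();`; the re-indented memset line is the only change here, so the two mechanisms now coexist and a later change to the trace accessors will silently miss this path. I would replace the two lines with the same two accessor calls, assuming iso14a_clear_trace performs an equivalent reset (its body is not visible here). The `resp` pointer at `BigBuf + 3560` with the comment "tied to other size changes" is an unexplained magic offset; at minimum a comment naming which other sizes it is tied to, e.g. `// must stay clear of RECV_CMD_OFFSET/RECV_RES_OFFSET and the trace region — verify`, would let the next reader check it. ReaderIClass continues outside this hunk.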