From: Martin Holst Swende Date: Fri, 27 Jun 2014 11:16:31 +0000 (+0200) Subject: Merged with master X-Git-Tag: v1.1.0~1^2^2~1 X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/42f57e0294c13f14f8ebcdcc529b5872c2884786 Merged with master --- 42f57e0294c13f14f8ebcdcc529b5872c2884786 diff --cc armsrc/iclass.c index be27aa3a,9c5e8b2b..d5cd366d --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@@ -665,10 -681,16 +665,12 @@@ void RAMFUNC SnoopIClass(void // The command (reader -> tag) that we're receiving. // The length of a received command will in most cases be no more than 18 bytes. // So 32 should be enough! - uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); + uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); // The response (tag -> reader) that we're receiving. - uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET); + uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET); - // As we receive stuff, we copy it from receivedCmd or receivedResponse - // into trace, along with its length and other annotations. - //uint8_t *trace = (uint8_t *)BigBuf; - + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + // reset traceLen to 0 iso14a_set_tracing(TRUE); iso14a_clear_trace(); @@@ -954,80 -987,27 +956,82 @@@ static void CodeIClassTagSOF( // Convert from last byte pos to length ToSendMax++; } - -//----------------------------------------------------------------------------- -// Simulate iClass Card -// Only CSN (Card Serial Number) -// -//----------------------------------------------------------------------------- -void SimulateIClass(uint8_t arg0, uint8_t *datain) +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf); +/** + * @brief SimulateIClass simulates an iClass card. + * @param arg0 type of simulation + * - 0 uses the first 8 bytes in usb data as CSN + * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified + * in the usb data. This mode collects MAC from the reader, in order to do an offline + * attack on the keys. For more info, see "dismantling iclass" and proxclone.com. + * - Other : Uses the default CSN (031fec8af7ff12e0) + * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only) + * @param arg2 + * @param datain + */ +void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) { - uint8_t simType = arg0; - + uint32_t simType = arg0; + uint32_t numberOfCSNS = arg1; + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - // Enable and clear the trace - tracing = TRUE; - traceLen = 0; - memset(trace, 0x44, TRACE_SIZE); + // Enable and clear the trace + iso14a_set_tracing(TRUE); + iso14a_clear_trace(); + + uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 }; + if(simType == 0) { + // Use the CSN from commandline + memcpy(csn_crc, datain, 8); + doIClassSimulation(csn_crc,0,NULL); + }else if(simType == 1) + { + doIClassSimulation(csn_crc,0,NULL); + } + else if(simType == 2) + { + + uint8_t mac_responses[64] = { 0 }; + Dbprintf("Going into attack mode"); + // In this mode, a number of csns are within datain. We'll simulate each one, one at a time + // in order to collect MAC's from the reader. This can later be used in an offlne-attack + // in order to obtain the keys, as in the "dismantling iclass"-paper. + int i = 0; + for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++) + { + // The usb data is 512 bytes, fitting 65 8-byte CSNs in there. + + memcpy(csn_crc, datain+(i*8), 8); + if(doIClassSimulation(csn_crc,1,mac_responses)) + { + return; // Button pressed + } + } + cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8); + + } + else{ + // We may want a mode here where we hardcode the csns to use (from proxclone). + // That will speed things up a little, but not required just yet. + Dbprintf("The mode is not implemented, reserved for future use"); + } + Dbprintf("Done..."); + +} +/** + * @brief Does the actual simulation + * @param csn - csn to use + * @param breakAfterMacReceived if true, returns after reader MAC has been received. + */ +int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf) +{ + + // CSN followed by two CRC bytes uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t response3[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 }; - + uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0}; + memcpy(response3,csn,sizeof(response3)); + Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]); // e-Purse uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; @@@ -1469,8 -1430,10 +1473,10 @@@ void ReaderIClass(uint8_t arg0) uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + // Reset trace buffer - memset(trace, 0x44, RECV_CMD_OFFSET); + memset(trace, 0x44, RECV_CMD_OFFSET); traceLen = 0; // Setup SSC