From: frederikmoellers@aol.de Date: Tue, 28 Aug 2012 21:39:50 +0000 (+0000) Subject: Basic support for EAC documents (e.g. German Identification Card) X-Git-Tag: v1.0.0~149 X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/5acd09bdfb9b3777585f3875190e942e259a98f0?ds=inline Basic support for EAC documents (e.g. German Identification Card) -new files armsrc/epa.[ch] for ePA (electronic "Personalausweis") related functions -Offers elementary functions (EPA_PACE_MSE_Set_AT etc.) -Also offers one new USB command: EPA_PACE_Collect_Nonce -created new command subtree in client: client/hfepa.[ch] ("hf epa") -offers "hf epa cnonces" (collect encrypted PACE nonces) -more to come --- diff --git a/armsrc/Makefile b/armsrc/Makefile index 249cf5a9..e2d71324 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -16,7 +16,7 @@ APP_CFLAGS = -O2 -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DW #SRC_LCD = fonts.c LCD.c SRC_LF = lfops.c hitag2.c SRC_ISO15693 = iso15693.c iso15693tools.c -SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c +SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c SRC_ISO14443b = iso14443.c SRC_CRAPTO1 = crapto1.c crypto1.c diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 7830265f..d3544861 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -714,6 +714,9 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_SIMULATE_TAG_ISO_14443a: SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2]); // ## Simulate iso14443a tag - pass tag type & UID break; + case CMD_EPA_PACE_COLLECT_NONCE: + EPA_PACE_Collect_Nonce(c, &ack); + break; case CMD_READER_MIFARE: ReaderMifare(c->arg[0]); diff --git a/armsrc/apps.h b/armsrc/apps.h index 4c218d0f..6e98311a 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -143,6 +143,9 @@ void iso14a_clear_tracelen(void); void iso14a_set_tracing(int enable); void RAMFUNC SniffMifare(uint8_t param); +/// epa.h +void EPA_PACE_Collect_Nonce(UsbCommand * c, UsbCommand * ack); + // mifarecmd.h void ReaderMifare(uint32_t parameter); void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data); diff --git a/armsrc/epa.c b/armsrc/epa.c new file mode 100644 index 00000000..8ab4311c --- /dev/null +++ b/armsrc/epa.c @@ -0,0 +1,441 @@ +//----------------------------------------------------------------------------- +// Frederik Möllers - August 2012 +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Routines to support the German eletronic "Personalausweis" (ID card) +// Note that the functions which do not implement USB commands do NOT initialize +// the card (with iso14443a_select_card etc.). If You want to use these +// functions, You need to do the setup before calling them! +//----------------------------------------------------------------------------- + +#include "iso14443a.h" + +#include "epa.h" + +// Protocol and Parameter Selection Request +// use regular (1x) speed in both directions +// CRC is already included +static const uint8_t pps[] = {0xD0, 0x11, 0x00, 0x52, 0xA6}; + +// APDUs for communication with German Identification Card + +// General Authenticate (request encrypted nonce) WITHOUT the Le at the end +static const uint8_t apdu_general_authenticate_pace_get_nonce[] = { + 0x10, // CLA + 0x86, // INS + 0x00, // P1 + 0x00, // P2 + 0x02, // Lc + 0x7C, // Type: Dynamic Authentication Data + 0x00, // Length: 0 bytes +}; + +// MSE: Set AT (only CLA, INS, P1 and P2) +static const uint8_t apdu_mse_set_at_start[] = { + 0x00, // CLA + 0x22, // INS + 0xC1, // P1 + 0xA4, // P2 +}; + +// SELECT BINARY with the ID for EF.CardAccess +static const uint8_t apdu_select_binary_cardaccess[] = { + 0x00, // CLA + 0xA4, // INS + 0x02, // P1 + 0x0C, // P2 + 0x02, // Lc + 0x01, // ID + 0x1C // ID +}; + +// READ BINARY +static const uint8_t apdu_read_binary[] = { + 0x00, // CLA + 0xB0, // INS + 0x00, // P1 + 0x00, // P2 + 0x38 // Le +}; + + +// the leading bytes of a PACE OID +static const uint8_t oid_pace_start[] = { + 0x04, // itu-t, identified-organization + 0x00, // etsi + 0x7F, // reserved + 0x00, // etsi-identified-organization + 0x07, // bsi-de + 0x02, // protocols + 0x02, // smartcard + 0x04 // id-PACE +}; + +//----------------------------------------------------------------------------- +// Closes the communication channel and turns off the field +//----------------------------------------------------------------------------- +void EPA_Finish() +{ + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); +} + +//----------------------------------------------------------------------------- +// Parses DER encoded data, e.g. from EF.CardAccess and fills out the given +// structs. If a pointer is 0, it is ignored. +// The function returns 0 on success and if an error occured, it returns the +// offset where it occured. +// +// TODO: This function can access memory outside of the given data if the DER +// encoding is broken +// TODO: Support skipping elements with a length > 0x7F +// TODO: Support OIDs with a length > 7F +// TODO: Support elements with long tags (tag is longer than 1 byte) +// TODO: Support proprietary PACE domain parameters +//----------------------------------------------------------------------------- +size_t EPA_Parse_CardAccess(uint8_t *data, + size_t length, + pace_version_info_t *pace_info) +{ + size_t index = 0; + + while (index <= length - 2) { + // determine type of element + // SET or SEQUENCE + if (data[index] == 0x31 || data[index] == 0x30) { + // enter the set (skip tag + length) + index += 2; + // extended length + if ((data[index - 1] & 0x80) != 0) { + index += (data[index] & 0x7F); + } + } + // OID + else if (data[index] == 0x06) { + // is this a PACE OID? + if (data[index + 1] == 0x0A // length matches + && memcmp(data + index + 2, + oid_pace_start, + sizeof(oid_pace_start)) == 0 // content matches + && pace_info != NULL) + { + // first, clear the pace_info struct + memset(pace_info, 0, sizeof(pace_version_info_t)); + memcpy(pace_info->oid, data + index + 2, sizeof(pace_info->oid)); + // a PACE OID is followed by the version + index += data[index + 1] + 2; + if (data[index] == 02 && data[index + 1] == 01) { + pace_info->version = data[index + 2]; + index += 3; + } + else { + return index; + } + // after that there might(!) be the parameter ID + if (data[index] == 02 && data[index + 1] == 01) { + pace_info->parameter_id = data[index + 2]; + index += 3; + } + } + else { + // skip this OID + index += 2 + data[index + 1]; + } + } + // if the length is 0, something is wrong + // TODO: This needs to be extended to support long tags + else if (data[index + 1] == 0) { + return index; + } + else { + // skip this part + // TODO: This needs to be extended to support long tags + // TODO: This needs to be extended to support unknown elements with + // a size > 0x7F + index += 2 + data[index + 1]; + } + } + + // TODO: We should check whether we reached the end in error, but for that + // we need a better parser (e.g. with states like IN_SET or IN_PACE_INFO) + return 0; +} + +//----------------------------------------------------------------------------- +// Read the file EF.CardAccess and save it into a buffer (at most max_length bytes) +// Returns -1 on failure or the length of the data on success +// TODO: for the moment this sends only 1 APDU regardless of the requested length +//----------------------------------------------------------------------------- +int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length) +{ + // the response APDU of the card + // since the card doesn't always care for the expected length we send it, + // we reserve 262 bytes here just to be safe (256-byte APDU + SW + ISO frame) + uint8_t response_apdu[262]; + int rapdu_length = 0; + + // select the file EF.CardAccess + rapdu_length = iso14_apdu((uint8_t *)apdu_select_binary_cardaccess, + sizeof(apdu_select_binary_cardaccess), + response_apdu); + if (rapdu_length != 6 + || response_apdu[rapdu_length - 4] != 0x90 + || response_apdu[rapdu_length - 3] != 0x00) + { + return -1; + } + + // read the file + rapdu_length = iso14_apdu((uint8_t *)apdu_read_binary, + sizeof(apdu_read_binary), + response_apdu); + if (rapdu_length <= 6 + || response_apdu[rapdu_length - 4] != 0x90 + || response_apdu[rapdu_length - 3] != 0x00) + { + return -1; + } + + // copy the content into the buffer + // length of data available: apdu_length - 4 (ISO frame) - 2 (SW) + size_t to_copy = rapdu_length - 6; + to_copy = to_copy < max_length ? to_copy : max_length; + memcpy(buffer, response_apdu+2, to_copy); + return to_copy; +} + +//----------------------------------------------------------------------------- +// Abort helper function for EPA_PACE_Collect_Nonce +// sets relevant data in ack, sends the response +//----------------------------------------------------------------------------- +static void EPA_PACE_Collect_Nonce_Abort(UsbCommand *ack, uint8_t step, int func_return) +{ + // step in which the failure occured + ack->arg[0] = step; + // last return code + ack->arg[1] = func_return; + + // send the USB packet + UsbSendPacket((void *)ack, sizeof(UsbCommand)); + + // power down the field + EPA_Finish(); +} + +//----------------------------------------------------------------------------- +// Acquire one encrypted PACE nonce +//----------------------------------------------------------------------------- +void EPA_PACE_Collect_Nonce(UsbCommand *c, UsbCommand *ack) +{ + /* + * ack layout: + * arg: + * 1. element + * step where the error occured or 0 if no error occured + * 2. element + * return code of the last executed function + * d: + * Encrypted nonce + */ + + // return value of a function + int func_return; + + // initialize ack with 0s + memset(ack->arg, 0, 12); + memset(ack->d.asBytes, 0, 48); + + // set up communication + func_return = EPA_Setup(); + if (func_return != 0) { + EPA_PACE_Collect_Nonce_Abort(ack, 1, func_return); + return; + } + + // increase the timeout (at least some cards really do need this!) + iso14a_set_timeout(0x0002FFFF); + + // read the CardAccess file + // this array will hold the CardAccess file + uint8_t card_access[256] = {0}; + int card_access_length = EPA_Read_CardAccess(card_access, 256); + // the response has to be at least this big to hold the OID + if (card_access_length < 18) { + EPA_PACE_Collect_Nonce_Abort(ack, 2, card_access_length); + return; + } + + // this will hold the PACE info of the card + pace_version_info_t pace_version_info; + // search for the PACE OID + func_return = EPA_Parse_CardAccess(card_access, + card_access_length, + &pace_version_info); + if (func_return != 0 || pace_version_info.version == 0) { + EPA_PACE_Collect_Nonce_Abort(ack, 3, func_return); + return; + } + + // initiate the PACE protocol + // use the CAN for the password since that doesn't change + func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2); + + // now get the nonce + uint8_t nonce[256] = {0}; + uint8_t requested_size = (uint8_t)c->arg[0]; + func_return = EPA_PACE_Get_Nonce(requested_size, nonce); + // check if the command succeeded + if (func_return < 0) + { + EPA_PACE_Collect_Nonce_Abort(ack, 4, func_return); + return; + } + + // save received information + ack->arg[1] = func_return; + memcpy(ack->d.asBytes, nonce, func_return); + + // all done, return + EPA_Finish(); + UsbSendPacket((void *)ack, sizeof(UsbCommand)); +} + +//----------------------------------------------------------------------------- +// Performs the "Get Nonce" step of the PACE protocol and saves the returned +// nonce. The caller is responsible for allocating enough memory to store the +// nonce. Note that the returned size might be less or than or greater than the +// requested size! +// Returns the actual size of the nonce on success or a less-than-zero error +// code on failure. +//----------------------------------------------------------------------------- +int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce) +{ + // build the APDU + uint8_t apdu[sizeof(apdu_general_authenticate_pace_get_nonce) + 1]; + // copy the constant part + memcpy(apdu, + apdu_general_authenticate_pace_get_nonce, + sizeof(apdu_general_authenticate_pace_get_nonce)); + // append Le (requested length + 2 due to tag/length taking 2 bytes) in RAPDU + apdu[sizeof(apdu_general_authenticate_pace_get_nonce)] = requested_length + 4; + + // send it + uint8_t response_apdu[262]; + int send_return = iso14_apdu(apdu, + sizeof(apdu), + response_apdu); + // check if the command succeeded + if (send_return < 6 + || response_apdu[send_return - 4] != 0x90 + || response_apdu[send_return - 3] != 0x00) + { + return -1; + } + + // if there is no nonce in the RAPDU, return here + if (send_return < 10) + { + // no error + return 0; + } + // get the actual length of the nonce + uint8_t nonce_length = response_apdu[5]; + if (nonce_length > send_return - 10) + { + nonce_length = send_return - 10; + } + // copy the nonce + memcpy(nonce, response_apdu + 6, nonce_length); + + return nonce_length; +} + +//----------------------------------------------------------------------------- +// Initializes the PACE protocol by performing the "MSE: Set AT" step +// Returns 0 on success or a non-zero error code on failure +//----------------------------------------------------------------------------- +int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password) +{ + // create the MSE: Set AT APDU + uint8_t apdu[23]; + // the minimum length (will be increased as more data is added) + size_t apdu_length = 20; + // copy the constant part + memcpy(apdu, + apdu_mse_set_at_start, + sizeof(apdu_mse_set_at_start)); + // type: OID + apdu[5] = 0x80; + // length of the OID + apdu[6] = sizeof(pace_version_info.oid); + // copy the OID + memcpy(apdu + 7, + pace_version_info.oid, + sizeof(pace_version_info.oid)); + // type: password + apdu[17] = 0x83; + // length: 1 + apdu[18] = 1; + // password + apdu[19] = password; + // if standardized domain parameters are used, copy the ID + if (pace_version_info.parameter_id != 0) { + apdu_length += 3; + // type: domain parameter + apdu[20] = 0x84; + // length: 1 + apdu[21] = 1; + // copy the parameter ID + apdu[22] = pace_version_info.parameter_id; + } + // now set Lc to the actual length + apdu[4] = apdu_length - 5; + // send it + uint8_t response_apdu[6]; + int send_return = iso14_apdu(apdu, + apdu_length, + response_apdu); + // check if the command succeeded + if (send_return != 6 + || response_apdu[send_return - 4] != 0x90 + || response_apdu[send_return - 3] != 0x00) + { + return 1; + } + return 0; +} + +//----------------------------------------------------------------------------- +// Set up a communication channel (Card Select, PPS) +// Returns 0 on success or a non-zero error code on failure +//----------------------------------------------------------------------------- +int EPA_Setup() +{ + // return code + int return_code = 0; + // card UID + uint8_t uid[8]; + // card select information + iso14a_card_select_t card_select_info; + // power up the field + iso14443a_setup(); + + // select the card + return_code = iso14443a_select_card(uid, &card_select_info, NULL); + if (return_code != 1) { + return 1; + } + + // send the PPS request + ReaderTransmit((uint8_t *)pps, sizeof(pps)); + uint8_t pps_response[3]; + return_code = ReaderReceive(pps_response); + if (return_code != 3 || pps_response[0] != 0xD0) { + return return_code == 0 ? 2 : return_code; + } + + return 0; +} \ No newline at end of file diff --git a/armsrc/epa.h b/armsrc/epa.h new file mode 100644 index 00000000..730652b7 --- /dev/null +++ b/armsrc/epa.h @@ -0,0 +1,36 @@ +//----------------------------------------------------------------------------- +// Frederik Möllers - August 2012 +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Routines to support the German eletronic "Personalausweis" (ID card) +//----------------------------------------------------------------------------- + +#ifndef __EPA_H +#define __EPA_H + +// this struct is used by EPA_Parse_CardAccess and contains info about the +// PACE protocol supported by the chip +typedef struct { + uint8_t oid[10]; + uint8_t version; + uint8_t parameter_id; +} pace_version_info_t; + +// note: EPA_PACE_GetNonce is declared in apps.h + +// general functions +void EPA_Finish(); +size_t EPA_Parse_CardAccess(uint8_t *data, + size_t length, + pace_version_info_t *pace_info); +int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length); +int EPA_Setup(); + +// PACE related functions +int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password); +int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce); + +#endif /* __EPA_H */ \ No newline at end of file diff --git a/client/Makefile b/client/Makefile index c76edf52..ff676f4f 100644 --- a/client/Makefile +++ b/client/Makefile @@ -56,6 +56,7 @@ CMDSRCS = \ cmdhf14a.c \ cmdhf14b.c \ cmdhf15.c \ + cmdhfepa.c \ cmdhflegic.c \ cmdhficlass.c \ cmdhfmf.c \ diff --git a/client/cmdhf.c b/client/cmdhf.c index 87c819fb..0ed3de1a 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -17,6 +17,7 @@ #include "cmdhf14a.h" #include "cmdhf14b.h" #include "cmdhf15.h" +#include "cmdhfepa.h" #include "cmdhflegic.h" #include "cmdhficlass.h" #include "cmdhfmf.h" @@ -36,6 +37,7 @@ static command_t CommandTable[] = {"14a", CmdHF14A, 1, "{ ISO14443A RFIDs... }"}, {"14b", CmdHF14B, 1, "{ ISO14443B RFIDs... }"}, {"15", CmdHF15, 1, "{ ISO15693 RFIDs... }"}, + {"epa", CmdHFEPA, 1, "{ German Identification Card... }"}, {"legic", CmdHFLegic, 0, "{ LEGIC RFIDs... }"}, {"iclass", CmdHFiClass, 1, "{ ICLASS RFIDs... }"}, {"mf", CmdHFMF, 1, "{ MIFARE RFIDs... }"}, diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index 372c3787..4b405d2b 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -463,12 +463,12 @@ int CmdHF14ASnoop(const char *Cmd) { static command_t CommandTable[] = { - {"help", CmdHelp, 1, "This help"}, - {"list", CmdHF14AList, 0, "List ISO 14443a history"}, - {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"}, - {"cuids", CmdHF14ACUIDs, 0, " Collect n>0 ISO14443 Type A UIDs in one go"}, - {"sim", CmdHF14ASim, 0, " -- Fake ISO 14443a tag"}, - {"snoop", CmdHF14ASnoop, 0, "Eavesdrop ISO 14443 Type A"}, + {"help", CmdHelp, 1, "This help"}, + {"list", CmdHF14AList, 0, "List ISO 14443a history"}, + {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"}, + {"cuids", CmdHF14ACUIDs, 0, " Collect n>0 ISO14443 Type A UIDs in one go"}, + {"sim", CmdHF14ASim, 0, " -- Fake ISO 14443a tag"}, + {"snoop", CmdHF14ASnoop, 0, "Eavesdrop ISO 14443 Type A"}, {NULL, NULL, 0, NULL} }; diff --git a/client/cmdhfepa.c b/client/cmdhfepa.c new file mode 100644 index 00000000..5fcd1714 --- /dev/null +++ b/client/cmdhfepa.c @@ -0,0 +1,89 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2012 Frederik Möllers +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Commands related to the German electronic Identification Card +//----------------------------------------------------------------------------- + +#include "util.h" +#include "proxusb.h" +#include "ui.h" +#include "cmdparser.h" +#include "common.h" +#include "cmdmain.h" + +#include "cmdhfepa.h" + +static int CmdHelp(const char *Cmd); + +// Perform (part of) the PACE protocol +int CmdHFEPACollectPACENonces(const char *Cmd) +{ + // requested nonce size + uint8_t m = 0; + // requested number of Nonces + unsigned int n = 0; + + sscanf(Cmd, "%hhu %u", &m, &n); + + // values are expected to be > 0 + m = m > 0 ? m : 1; + n = n > 0 ? n : 1; + + PrintAndLog("Collecting %u %hhu-byte nonces", n, m); + PrintAndLog("Start: %u", time(NULL)); + // repeat n times + for (unsigned int i = 0; i < n; i++) { + // execute PACE + UsbCommand c = {CMD_EPA_PACE_COLLECT_NONCE, {(int)m, 0, 0}}; + SendCommand(&c); + UsbCommand *resp = WaitForResponse(CMD_ACK); + + // check if command failed + if (resp->arg[0] != 0) { + PrintAndLog("Error in step %d, Return code: %d", + resp->arg[0], + (int)resp->arg[1]); + } else { + size_t nonce_length = resp->arg[1]; + char *nonce = (char *) malloc(2 * nonce_length + 1); + for(int j = 0; j < nonce_length; j++) { + snprintf(nonce + (2 * j), 3, "%02X", resp->d.asBytes[j]); + } + // print nonce + PrintAndLog("Length: %d, Nonce: %s", + resp->arg[1], nonce); + } + } + PrintAndLog("End: %u", time(NULL)); + + return 1; +} + +// UI-related stuff + +static const command_t CommandTable[] = +{ + {"help", CmdHelp, 1, "This help"}, + {"cnonces", CmdHFEPACollectPACENonces, 0, " Acquire n>0 encrypted PACE nonces of size m>0"}, + {NULL, NULL, 0, NULL} +}; + +int CmdHelp(const char *Cmd) +{ + CmdsHelp(CommandTable); + return 0; +} + +int CmdHFEPA(const char *Cmd) +{ + // flush + while (WaitForResponseTimeout(CMD_ACK, 500) != NULL) ; + + // parse + CmdsParse(CommandTable, Cmd); + return 0; +} \ No newline at end of file diff --git a/client/cmdhfepa.h b/client/cmdhfepa.h new file mode 100644 index 00000000..94ad7d23 --- /dev/null +++ b/client/cmdhfepa.h @@ -0,0 +1,18 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2012 Frederik Möllers +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Commands related to the German electronic Identification Card +//----------------------------------------------------------------------------- + +#ifndef CMDHFEPA_H__ +#define CMDHFEPA_H__ + +int CmdHFEPA(const char *Cmd); + +int CmdHFEPACollectPACENonces(const char *Cmd); + +#endif // CMDHFEPA_H__ diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 4ba9d29f..a209497f 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -95,6 +95,7 @@ typedef struct { #define CMD_SIMULATE_TAG_LEGIC_RF 0x0387 #define CMD_READER_LEGIC_RF 0x0388 #define CMD_WRITER_LEGIC_RF 0x0389 +#define CMD_EPA_PACE_COLLECT_NONCE 0x038A #define CMD_SNOOP_ICLASS 0x0392 #define CMD_SIMULATE_TAG_ICLASS 0x0393