From: pwpiwi Date: Thu, 2 Nov 2017 20:37:42 +0000 (+0100) Subject: Merge branch 'master' into fix_hfmfsim X-Git-Tag: v3.1.0~132^2 X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/82f495524552e720c2661474ffcc1fcc37b6ff4d?hp=b35e04a7c6a8b6c99fcdc8f45e387437cbae4f08 Merge branch 'master' into fix_hfmfsim --- diff --git a/CHANGELOG.md b/CHANGELOG.md index 044538c4..60caf413 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - `hf mf nested` Check keys after they have found (Merlok) - `hf mf chk` Move main cycle to arm (Merlok) - Changed proxmark command line parameter `flush` to `-f` or `-flush` (Merlok) +- Changed `hf 14a reader` to just reqest-anticilission-select sequence (Merlok) ### Fixed - Changed start sequence in Qt mode (fix: short commands hangs main Qt thread) (Merlok) @@ -32,6 +33,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added to proxmark command line parameters `w` - wait 20s for serial port (Merlok) - Added to proxmark command line parameters `c` and `l` - execute command and lua script from command line (Merlok) - Added to proxmark ability to execute commands from stdin (pipe) (Merlok) +- Added `hf 14a info` and moved there functionality from `hf 14a reader` (Merlok) +- Added to `hf 14a info` detection of weak prng from Iceman1001 fork (Merlok) ## [3.0.1][2017-06-08] diff --git a/appveyor.yml b/appveyor.yml index a4a70f7a..eb22114e 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -2,7 +2,29 @@ version: 3.0.1.{build} image: Visual Studio 2017 clone_folder: C:\ProxSpace\pm3 init: -- ps: "$psversiontable\n#Get-ChildItem Env:\n\n$releasename=\"\"\n$env:APPVEYOR_REPO_COMMIT_SHORT = $env:APPVEYOR_REPO_COMMIT.Substring(0, 8)\nif ($env:appveyor_repo_tag -match \"true\"){\n $releasename=$env:APPVEYOR_REPO_TAG_NAME + \"/\"\n}\n$releasename+=$env:APPVEYOR_BUILD_VERSION + \" [\" + $env:APPVEYOR_REPO_COMMIT_SHORT + \"]\" \n\nWrite-Host \"repository: $env:appveyor_repo_name branch:$env:APPVEYOR_REPO_BRANCH release: $releasename\" -ForegroundColor Yellow\nAdd-AppveyorMessage -Message \"[$env:APPVEYOR_REPO_COMMIT_SHORT]$env:appveyor_repo_name($env:APPVEYOR_REPO_BRANCH)\" -Category Information -Details \"repository: $env:appveyor_repo_name branch: $env:APPVEYOR_REPO_BRANCH release: $releasename\"\n\niex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))" +- ps: >- + $psversiontable + + #Get-ChildItem Env: + + + $releasename="" + + $env:APPVEYOR_REPO_COMMIT_SHORT = $env:APPVEYOR_REPO_COMMIT.Substring(0, 8) + + if ($env:appveyor_repo_tag -match "true"){ + $releasename=$env:APPVEYOR_REPO_TAG_NAME + "/" + } + + $releasename+=$env:APPVEYOR_BUILD_VERSION + " [" + $env:APPVEYOR_REPO_COMMIT_SHORT + "]" + + + Write-Host "repository: $env:appveyor_repo_name branch:$env:APPVEYOR_REPO_BRANCH release: $releasename" -ForegroundColor Yellow + + Add-AppveyorMessage -Message "[$env:APPVEYOR_REPO_COMMIT_SHORT]$env:appveyor_repo_name($env:APPVEYOR_REPO_BRANCH)" -Category Information -Details "repository: $env:appveyor_repo_name branch: $env:APPVEYOR_REPO_BRANCH release: $releasename" + + + iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) clone_script: - ps: >- Write-Host "Removing ProxSpace..." -NoNewLine @@ -61,7 +83,88 @@ install: } } build_script: -- ps: "$env:Path = \"C:\\ProxSpace\\msys\\bin;$env:Path\"\n\n#make\nbash -lc -i \"pwd;make all\"\n\n#some checks\nif(!(Test-Path C:\\ProxSpace\\pm3\\client\\proxmark3.exe)){\nthrow \"Main file proxmark3.exe not exists.\"\n}\nif(!(Test-Path C:\\ProxSpace\\pm3\\armsrc\\obj\\fullimage.elf)){\nthrow \"ARM file fullimage.elf not exists.\"\n}\nif(!(Test-Path C:\\ProxSpace\\pm3\\client\\hardnested\\tables\\*.bin.z)){\nthrow \"Files in hardnested\\tables not exists.\"\n}\n\n#copy\nWrite-Host \"Copy release files...\" -NoNewLine -ForegroundColor Yellow\nNew-Item -ItemType Directory -Force -Path C:\\ProxSpace\\Release\nCopy-Item C:\\ProxSpace\\pm3\\client\\*.exe C:\\ProxSpace\\Release\nNew-Item -ItemType Directory -Force -Path C:\\ProxSpace\\Release\\arm\nCopy-Item C:\\ProxSpace\\pm3\\armsrc\\obj\\*.elf C:\\ProxSpace\\Release\\arm\nCopy-Item C:\\ProxSpace\\pm3\\bootrom\\obj\\*.elf C:\\ProxSpace\\Release\\arm\nNew-Item -ItemType Directory -Force -Path C:\\ProxSpace\\Release\\scripts\nCopy-Item C:\\ProxSpace\\pm3\\client\\scripts\\*.lua C:\\ProxSpace\\Release\\scripts\nNew-Item -ItemType Directory -Force -Path C:\\ProxSpace\\Release\\hardnested\\tables\nCopy-Item C:\\ProxSpace\\pm3\\client\\hardnested\\*.bin C:\\ProxSpace\\Release\\hardnested\nCopy-Item C:\\ProxSpace\\pm3\\client\\hardnested\\tables\\*.bin.z C:\\ProxSpace\\Release\\hardnested\\tables\nWrite-Host \"[ OK ]\" -ForegroundColor Green\n\n#archive and push\n$releasename=\"\"\nif ($env:appveyor_repo_tag -match \"true\"){\n$releasename=$env:APPVEYOR_REPO_TAG_NAME + \"/\"\n}\n$releasename+=$env:APPVEYOR_BUILD_VERSION + \" [\" + $env:APPVEYOR_REPO_COMMIT.Substring(0, 7) + \"]\" \n\nWrite-Host \"Archive and publish release files ($releasename)...\" -NoNewLine -ForegroundColor Yellow\ncd C:\\ProxSpace\n7z a release.zip C:\\ProxSpace\\Release\nPush-AppveyorArtifact release.zip -DeploymentName \"$releasename\"\nWrite-Host \"[ OK ]\" -ForegroundColor Green\n\nWrite-Host \"Builded...\" -ForegroundColor Yellow" +- ps: >- + $env:Path = "C:\ProxSpace\msys\bin;$env:Path" + + + #make + + bash -lc -i "pwd;make all" + + + #some checks + + if(!(Test-Path C:\ProxSpace\pm3\client\proxmark3.exe)){ + + throw "Main file proxmark3.exe not exists." + + } + + if(!(Test-Path C:\ProxSpace\pm3\armsrc\obj\fullimage.elf)){ + + throw "ARM file fullimage.elf not exists." + + } + + if(!(Test-Path C:\ProxSpace\pm3\client\hardnested\tables\*.bin.z)){ + + throw "Files in hardnested\tables not exists." + + } + + + #copy + + Write-Host "Copy release files..." -NoNewLine -ForegroundColor Yellow + + New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release + + Copy-Item C:\ProxSpace\pm3\client\*.exe C:\ProxSpace\Release + + New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release\arm + + Copy-Item C:\ProxSpace\pm3\armsrc\obj\*.elf C:\ProxSpace\Release\arm + + Copy-Item C:\ProxSpace\pm3\bootrom\obj\*.elf C:\ProxSpace\Release\arm + + New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release\scripts + + Copy-Item C:\ProxSpace\pm3\client\scripts\*.lua C:\ProxSpace\Release\scripts + + New-Item -ItemType Directory -Force -Path C:\ProxSpace\Release\hardnested\tables + + Copy-Item C:\ProxSpace\pm3\client\hardnested\*.bin C:\ProxSpace\Release\hardnested + + Copy-Item C:\ProxSpace\pm3\client\hardnested\tables\*.bin.z C:\ProxSpace\Release\hardnested\tables + + Write-Host "[ OK ]" -ForegroundColor Green + + + #archive and push + + $releasename="" + + if ($env:appveyor_repo_tag -match "true"){ + + $releasename=$env:APPVEYOR_REPO_TAG_NAME + "/" + + } + + $releasename+=$env:APPVEYOR_BUILD_VERSION + " [" + $env:APPVEYOR_REPO_COMMIT.Substring(0, 7) + "]" + + + Write-Host "Archive and publish release files ($releasename)..." -NoNewLine -ForegroundColor Yellow + + cd C:\ProxSpace + + 7z a release.zip C:\ProxSpace\Release + + Push-AppveyorArtifact release.zip -DeploymentName "$releasename" + + Write-Host "[ OK ]" -ForegroundColor Green + + + Write-Host "Builded..." -ForegroundColor Yellow test_script: - ps: >- $env:Path = "C:\ProxSpace\msys\bin;$env:Path" @@ -71,12 +174,38 @@ test_script: $global:TestsPassed=$true - $global:TestTime=[System.Environment]::TickCount + Function ExecTest($Name, $File, $Cmd, $CheckResult) { + + #--- begin Job + + $Job = Start-Job -ScriptBlock { + [bool]$res=$false + $TestTime=[System.Environment]::TickCount + $env:Path = "C:\ProxSpace\msys\bin;$env:Path" + Set-Location $using:PWD + + $sb=[scriptblock]::Create("$using:Cmd") + #execute scriptblock + Write-host "Test [$using:Name] job: $using:Cmd" + $Cond=&$sb - Function ExecTest($Name, $File, $Cond) { - [bool]$res=$false; if ($Cond -eq $null){ + } ElseIf($using:CheckResult -ne $null) { + [String]$searchstr="" + if ($Cond -is [Object]){ + ForEach($line in $Cond){ + Write-host $line -ForegroundColor Gray + $searchstr += $line + } + }else{ + Write-host "$Cond" -ForegroundColor Gray + $searchstr = $Cond + } + If($searchstr -like "*$using:CheckResult*") { + $res=$true + } + $Cond="*$using:CheckResult*" } Else { If (!($Cond -is [bool] -or $Cond -is [byte] -or $Cond -is [int16] -or $Cond -is [int32] -or $Cond -is [int64] -or $Cond -is [float])){ if ($Cond -is "String" -and $Cond -like "*passed*"){ @@ -86,17 +215,38 @@ test_script: $res= $true } } Else { - $res=$Cond; + $res=$Cond } } If ($res) { - Add-AppveyorTest -Name "$Name" -Framework NUnit -Filename "$File" -Outcome Passed -Duration "$([System.Environment]::TickCount-$global:TestTime)" + Write-host "Result[$using:Name]: $Cond" -ForegroundColor Green + Add-AppveyorTest -Name "$using:Name" -Framework NUnit -Filename "$using:File" -Outcome Passed -Duration "$([System.Environment]::TickCount-$TestTime)" }Else { - Add-AppveyorTest -Name "$Name" -Framework NUnit -Filename "$File" -Outcome Failed -Duration "$([System.Environment]::TickCount-$global:TestTime)" + Write-host "Result[$using:Name]: $Cond" -ForegroundColor Red + Add-AppveyorTest -Name "$using:Name" -Framework NUnit -Filename "$using:File" -Outcome Failed -Duration "$([System.Environment]::TickCount-$TestTime)" -ErrorMessage "command:$using:Cmd`nresult:$Cond" + } + return $res + } + + #--- end Job + + [bool]$res=$false + # Wait 40 sec timeout for Job + if(Wait-Job $Job -Timeout 40){ + $Results = $Job | Receive-Job + if($Results -like "true"){ + $res=$true + } + } else { + Write-host "Test [$Name] timeout" -ForegroundColor Red + Add-AppveyorTest -Name "$Name" -Framework NUnit -Filename "$File" -Outcome Failed -Duration 40000 -ErrorMessage "timeout" + } + Remove-Job -Force $Job + + if(!$res){ $global:TestsPassed=$false } - $global:TestTime=[System.Environment]::TickCount } @@ -105,27 +255,27 @@ test_script: #file test - ExecTest "proxmark3 exists" "proxmark3.exe" $(Test-Path C:\ProxSpace\Release\proxmark3.exe) + ExecTest "proxmark3 exists" "proxmark3.exe" {Test-Path C:\ProxSpace\Release\proxmark3.exe} - ExecTest "arm image exists" "\arm\fullimage1.elf" $(Test-Path C:\ProxSpace\Release\arm\fullimage.elf) + ExecTest "arm image exists" "\arm\fullimage1.elf" {Test-Path C:\ProxSpace\Release\arm\fullimage.elf} - ExecTest "bootrom exists" "bootrom.elf" $(Test-Path C:\ProxSpace\Release\arm\bootrom.elf) + ExecTest "bootrom exists" "bootrom.elf" {Test-Path C:\ProxSpace\Release\arm\bootrom.elf} - ExecTest "hardnested tables exists" "hardnested" $(Test-Path C:\ProxSpace\Release\hardnested\tables\*.z) + ExecTest "hardnested tables exists" "hardnested" {Test-Path C:\ProxSpace\Release\hardnested\tables\*.z} - ExecTest "release exists" "release.zip" $(Test-Path C:\ProxSpace\release.zip) + ExecTest "release exists" "release.zip" {Test-Path C:\ProxSpace\release.zip} #proxmark logic tests - ExecTest "proxmark help" "proxmark3 -h" $(bash -lc 'cd ~/client;proxmark3 -h | grep -q Execute && echo Passed || echo Failed') + ExecTest "proxmark help" "proxmark3 -h" {bash -lc 'cd ~/client;proxmark3 -h | grep -q Execute && echo Passed || echo Failed'} - ExecTest "proxmark help hardnested" "proxmark3 -h" $(bash -lc 'cd ~/client;proxmark3 -h | grep -q hardnested && echo Passed || echo Failed') + ExecTest "proxmark help hardnested" "proxmark3 -h" {bash -lc 'cd ~/client;proxmark3 -h | grep -q hardnested && echo Passed || echo Failed'} - ExecTest "hf mf offline text" "hf mf" $(bash -lc "cd ~/client;proxmark3 comx -c 'hf mf' | grep -q at_enc && echo Passed || echo Failed") + ExecTest "hf mf offline text" "hf mf" {bash -lc "cd ~/client;proxmark3 comx -c 'hf mf'"} "at_enc" - ExecTest "hf mf hardnested" "hf mf hardnested" $(bash -lc "cd ~/client;proxmark3 comx -c 'hf mf hardnested t 1 000000000000' | grep -q 'found:' && echo Passed || echo Failed") + ExecTest "hf mf hardnested" "hf mf hardnested" {bash -lc "cd ~/client;proxmark3 comx -c 'hf mf hardnested t 1 000000000000'"} "found:" if ($global:TestsPassed) { @@ -139,4 +289,4 @@ on_success: on_failure: - ps: Write-Host "Build error." -ForegroundColor Red on_finish: -- ps: $blockRdp = $false; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) \ No newline at end of file +- ps: $blockRdp = $false; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index af810b74..9fa08044 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1702,6 +1702,13 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u int cascade_level = 0; int len; + // init card struct + if(p_hi14a_card) { + p_hi14a_card->uidlen = 0; + memset(p_hi14a_card->uid, 0, 10); + p_hi14a_card->ats_len = 0; + } + // Broadcast for a card, WUPA (0x52) will force response from all cards in the field ReaderTransmitBitsPar(wupa, 7, NULL, NULL); @@ -1710,8 +1717,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u if(p_hi14a_card) { memcpy(p_hi14a_card->atqa, resp, 2); - p_hi14a_card->uidlen = 0; - memset(p_hi14a_card->uid,0,10); } if (anticollision) { @@ -1817,10 +1822,9 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u if(p_hi14a_card) { p_hi14a_card->sak = sak; - p_hi14a_card->ats_len = 0; } - // non iso14443a compliant tag + // PICC compilant with iso14443a-4 ---> (SAK & 0x20 != 0) if( (sak & 0x20) == 0) return 2; if (!no_rats) { @@ -1912,7 +1916,7 @@ void ReaderIso14443a(UsbCommand *c) size_t lenbits = c->arg[1] >> 16; uint32_t timeout = c->arg[2]; uint32_t arg0 = 0; - byte_t buf[USB_CMD_DATA_SIZE]; + byte_t buf[USB_CMD_DATA_SIZE] = {0}; uint8_t par[MAX_PARITY_SIZE]; if(param & ISO14A_CONNECT) { diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c index edafe0a3..00fd638c 100644 --- a/armsrc/mifarecmd.c +++ b/armsrc/mifarecmd.c @@ -1510,6 +1510,14 @@ void MifareCIdent(){ uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE]; uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE]; + + LED_A_ON(); + LED_B_OFF(); + LED_C_OFF(); + iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); + + clear_trace(); + set_tracing(true); ReaderTransmitBitsPar(wupC1,7,0, NULL); if(ReaderReceive(receivedAnswer, receivedAnswerPar) && (receivedAnswer[0] == 0x0a)) { @@ -1523,8 +1531,13 @@ void MifareCIdent(){ // From iceman1001: removed the if, since some magic tags misbehavies and send an answer to it. mifare_classic_halt(NULL, 0); - + + LED_B_ON(); cmd_send(CMD_ACK,isOK,0,0,0,0); + LED_B_OFF(); + + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); } // diff --git a/client/cmdhf.c b/client/cmdhf.c index 6aa5ae4e..168296ba 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -663,7 +663,7 @@ int CmdHFList(const char *Cmd) int CmdHFSearch(const char *Cmd){ int ans = 0; PrintAndLog(""); - ans = CmdHF14AReader("s"); + ans = CmdHF14AInfo("s"); if (ans > 0) { PrintAndLog("\nValid ISO14443A Tag Found - Quiting Search\n"); return ans; diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index db9ce46e..928864a1 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -133,7 +133,80 @@ int CmdHF14AList(const char *Cmd) return 0; } -int CmdHF14AReader(const char *Cmd) +int CmdHF14AReader(const char *Cmd) { + uint32_t cm = ISO14A_CONNECT; + bool disconnectAfter = false; + + int cmdp = 0; + while(param_getchar(Cmd, cmdp) != 0x00) { + switch(param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + PrintAndLog("Usage: hf 14a reader [d] [3]"); + PrintAndLog(" d drop the signal field after command executed"); + PrintAndLog(" x just drop the signal field"); + PrintAndLog(" 3 ISO14443-3 select only (skip RATS)"); + return 0; + case '3': + cm |= ISO14A_NO_RATS; + break; + case 'd': + case 'D': + disconnectAfter = true; + break; + case 'x': + case 'X': + disconnectAfter = true; + cm = cm - ISO14A_CONNECT; + break; + default: + PrintAndLog("Unknown command."); + return 1; + } + + cmdp++; + } + + if (!disconnectAfter) + cm |= ISO14A_NO_DISCONNECT; + + UsbCommand c = {CMD_READER_ISO_14443a, {cm, 0, 0}}; + SendCommand(&c); + + if (ISO14A_CONNECT & cm) { + UsbCommand resp; + WaitForResponse(CMD_ACK,&resp); + + iso14a_card_select_t card; + memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t)); + + uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision + + if(select_status == 0) { + PrintAndLog("iso14443a card select failed"); + return 1; + } + + if(select_status == 3) { + PrintAndLog("Card doesn't support standard iso14443-3 anticollision"); + PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]); + return 1; + } + + PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen)); + PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]); + PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]); + if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes + PrintAndLog(" ATS : %s", sprint_hex(card.ats, card.ats_len)); + } + PrintAndLog("Card is selected. You can now start sending commands"); + } else { + PrintAndLog("Field dropped."); + } + return 0; +} + +int CmdHF14AInfo(const char *Cmd) { UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}}; SendCommand(&c); @@ -171,8 +244,10 @@ int CmdHF14AReader(const char *Cmd) PrintAndLog("ATQA : %02x %02x", card.atqa[1], card.atqa[0]); PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]); + bool isMifareClassic = true; switch (card.sak) { case 0x00: + isMifareClassic = false; //***************************************test**************** // disconnect @@ -405,27 +480,21 @@ int CmdHF14AReader(const char *Cmd) // try to see if card responses to "chinese magic backdoor" commands. - c.cmd = CMD_MIFARE_CIDENT; - c.arg[0] = 0; - c.arg[1] = 0; - c.arg[2] = 0; - SendCommand(&c); - WaitForResponse(CMD_ACK,&resp); + mfCIdentify(); - uint8_t isGeneration = resp.arg[0] & 0xff; - switch( isGeneration ){ - case 1: PrintAndLog("Answers to chinese magic backdoor commands (GEN 1a): YES"); break; - case 2: PrintAndLog("Answers to chinese magic backdoor commands (GEN 1b): YES"); break; - default: PrintAndLog("Answers to chinese magic backdoor commands: NO"); break; + if (isMifareClassic) { + switch(DetectClassicPrng()) { + case 0: + PrintAndLog("Prng detection: HARDEND (hardnested)"); + break; + case 1: + PrintAndLog("Prng detection: WEAK"); + break; + default: + PrintAndLog("Prng detection error."); + } } - // disconnect - c.cmd = CMD_READER_ISO_14443a; - c.arg[0] = 0; - c.arg[1] = 0; - c.arg[2] = 0; - SendCommand(&c); - return select_status; } @@ -751,8 +820,17 @@ static void waitCmd(uint8_t iSelect) if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { recv = resp.d.asBytes; - uint8_t iLen = iSelect ? resp.arg[1] : resp.arg[0]; - PrintAndLog("received %i octets", iLen); + uint8_t iLen = resp.arg[0]; + if (iSelect){ + iLen = resp.arg[1]; + if (iLen){ + PrintAndLog("Card selected. UID[%i]:", iLen); + } else { + PrintAndLog("Can't select card."); + } + } else { + PrintAndLog("received %i bytes:", iLen); + } if(!iLen) return; hexout = (char *)malloc(iLen * 3 + 1); @@ -774,7 +852,8 @@ static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, {"list", CmdHF14AList, 0, "[Deprecated] List ISO 14443a history"}, - {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"}, + {"reader", CmdHF14AReader, 0, "Start acting like an ISO14443 Type A reader"}, + {"info", CmdHF14AInfo, 0, "Reads card and shows information about it"}, {"cuids", CmdHF14ACUIDs, 0, " Collect n>0 ISO14443 Type A UIDs in one go"}, {"sim", CmdHF14ASim, 0, " -- Simulate ISO 14443a tag"}, {"snoop", CmdHF14ASnoop, 0, "Eavesdrop ISO 14443 Type A"}, diff --git a/client/cmdhf14a.h b/client/cmdhf14a.h index dfdf1f4a..2556678d 100644 --- a/client/cmdhf14a.h +++ b/client/cmdhf14a.h @@ -18,6 +18,7 @@ int CmdHF14A(const char *Cmd); int CmdHF14AList(const char *Cmd); int CmdHF14AMifare(const char *Cmd); int CmdHF14AReader(const char *Cmd); +extern int CmdHF14AInfo(const char *Cmd); int CmdHF14ASim(const char *Cmd); int CmdHF14ASnoop(const char *Cmd); char* getTagInfo(uint8_t uid); diff --git a/client/cmdmain.c b/client/cmdmain.c index db88b3ac..739d68e1 100644 --- a/client/cmdmain.c +++ b/client/cmdmain.c @@ -8,6 +8,9 @@ // Main command parser entry point //----------------------------------------------------------------------------- +#include "cmdmain.h" + +#include #include #include #include @@ -21,7 +24,6 @@ #include "cmddata.h" #include "cmdhw.h" #include "cmdlf.h" -#include "cmdmain.h" #include "util.h" #include "util_posix.h" #include "cmdscript.h" @@ -41,6 +43,8 @@ static UsbCommand cmdBuffer[CMD_BUFFER_SIZE]; static int cmd_head;//Starts as 0 //Points to the position of the last unread command static int cmd_tail;//Starts as 0 +// to lock cmdBuffer operations from different threads +static pthread_mutex_t cmdBufferMutex = PTHREAD_MUTEX_INITIALIZER; static command_t CommandTable[] = { @@ -86,7 +90,9 @@ int CmdRev(const char *Cmd) void clearCommandBuffer() { //This is a very simple operation + pthread_mutex_lock(&cmdBufferMutex); cmd_tail = cmd_head; + pthread_mutex_unlock(&cmdBufferMutex); } /** @@ -95,6 +101,7 @@ void clearCommandBuffer() */ void storeCommand(UsbCommand *command) { + pthread_mutex_lock(&cmdBufferMutex); if( ( cmd_head+1) % CMD_BUFFER_SIZE == cmd_tail) { //If these two are equal, we're about to overwrite in the @@ -106,6 +113,7 @@ void storeCommand(UsbCommand *command) memcpy(destination, command, sizeof(UsbCommand)); cmd_head = (cmd_head +1) % CMD_BUFFER_SIZE; //increment head and wrap + pthread_mutex_unlock(&cmdBufferMutex); } @@ -116,8 +124,10 @@ void storeCommand(UsbCommand *command) */ int getCommand(UsbCommand* response) { + pthread_mutex_lock(&cmdBufferMutex); //If head == tail, there's nothing to read, or if we just got initialized if(cmd_head == cmd_tail){ + pthread_mutex_unlock(&cmdBufferMutex); return 0; } //Pick out the next unread command @@ -125,7 +135,7 @@ int getCommand(UsbCommand* response) memcpy(response, last_unread, sizeof(UsbCommand)); //Increment tail - this is a circular buffer, so modulo buffer size cmd_tail = (cmd_tail +1 ) % CMD_BUFFER_SIZE; - + pthread_mutex_unlock(&cmdBufferMutex); return 1; } @@ -147,22 +157,28 @@ bool WaitForResponseTimeoutW(uint32_t cmd, UsbCommand* response, size_t ms_timeo response = &resp; } + uint64_t start_time = msclock(); + // Wait until the command is received - for(size_t dm_seconds=0; dm_seconds < ms_timeout/10; dm_seconds++) { + while (true) { while(getCommand(response)) { if(response->cmd == cmd){ return true; } } - msleep(10); // XXX ugh - if (dm_seconds == 200 && show_warning) { // Two seconds elapsed + if (msclock() - start_time > ms_timeout) { + break; + } + if (msclock() - start_time > 2000 && show_warning) { PrintAndLog("Waiting for a response from the proxmark..."); PrintAndLog("Don't forget to cancel its operation first by pressing on the button"); + break; } } return false; } + bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeout) { return WaitForResponseTimeoutW(cmd, response, ms_timeout, true); } diff --git a/client/mifarehost.c b/client/mifarehost.c index a02019a3..67277b59 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -540,36 +540,12 @@ int mfCSetUID(uint8_t *uid, uint8_t *atqa, uint8_t *sak, uint8_t *oldUID) { return 0; } -int mfCIdentify() -{ - UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}}; +int mfCIdentify() { + UsbCommand c = {CMD_MIFARE_CIDENT, {0, 0, 0}}; SendCommand(&c); - UsbCommand resp; WaitForResponse(CMD_ACK,&resp); - // iso14a_card_select_t card; - // memcpy(&card, (iso14a_card_select_t *)resp.d.asBytes, sizeof(iso14a_card_select_t)); - - // uint64_t select_status = resp.arg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision - - // if(select_status != 0) { - // uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 - // c.arg[0] = ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT; - // c.arg[1] = 2; - // c.arg[2] = 0; - // memcpy(c.d.asBytes, rats, 2); - // SendCommand(&c); - // WaitForResponse(CMD_ACK,&resp); - // } - - c.cmd = CMD_MIFARE_CIDENT; - c.arg[0] = 0; - c.arg[1] = 0; - c.arg[2] = 0; - SendCommand(&c); - WaitForResponse(CMD_ACK,&resp); - uint8_t isGeneration = resp.arg[0] & 0xff; switch( isGeneration ){ case 1: PrintAndLog("Chinese magic backdoor commands (GEN 1a) detected"); break; @@ -577,13 +553,6 @@ int mfCIdentify() default: PrintAndLog("No chinese magic backdoor command detected"); break; } - // disconnect - c.cmd = CMD_READER_ISO_14443a; - c.arg[0] = 0; - c.arg[1] = 0; - c.arg[2] = 0; - SendCommand(&c); - return (int) isGeneration; } @@ -934,3 +903,72 @@ int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, return 0; } +/** validate_prng_nonce + * Determine if nonce is deterministic. ie: Suspectable to Darkside attack. + * returns + * true = weak prng + * false = hardend prng + */ +bool validate_prng_nonce(uint32_t nonce) { + uint16_t *dist = 0; + uint16_t x, i; + + dist = malloc(2 << 16); + if(!dist) + return -1; + + // init prng table: + for (x = i = 1; i; ++i) { + dist[(x & 0xff) << 8 | x >> 8] = i; + x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15; + } + + uint32_t res = (65535 - dist[nonce >> 16] + dist[nonce & 0xffff]) % 65535; + + free(dist); + return (res == 16); +} + +/* Detect Tag Prng, +* function performs a partial AUTH, where it tries to authenticate against block0, key A, but only collects tag nonce. +* the tag nonce is check to see if it has a predictable PRNG. +* @returns +* TRUE if tag uses WEAK prng (ie Now the NACK bug also needs to be present for Darkside attack) +* FALSE is tag uses HARDEND prng (ie hardnested attack possible, with known key) +*/ +int DetectClassicPrng(void){ + + UsbCommand resp, respA; + uint8_t cmd[] = {0x60, 0x00}; // MIFARE_AUTH_KEYA + uint32_t flags = ISO14A_CONNECT | ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_RATS; + + UsbCommand c = {CMD_READER_ISO_14443a, {flags, sizeof(cmd), 0}}; + memcpy(c.d.asBytes, cmd, sizeof(cmd)); + + clearCommandBuffer(); + SendCommand(&c); + if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { + PrintAndLog("PRNG UID: Reply timeout."); + return -1; + } + + // if select tag failed. + if (resp.arg[0] == 0) { + PrintAndLog("PRNG error: selecting tag failed, can't detect prng."); + return -1; + } + + if (!WaitForResponseTimeout(CMD_ACK, &respA, 5000)) { + PrintAndLog("PRNG data: Reply timeout."); + return -1; + } + + // check respA + if (respA.arg[0] != 4) { + PrintAndLog("PRNG data error: Wrong length: %d", respA.arg[0]); + return -1; + } + + uint32_t nonce = bytes_to_num(respA.d.asBytes, respA.arg[0]); + return validate_prng_nonce(nonce); +} diff --git a/client/mifarehost.h b/client/mifarehost.h index 118d55cc..031dac1b 100644 --- a/client/mifarehost.h +++ b/client/mifarehost.h @@ -60,5 +60,6 @@ extern int saveTraceCard(void); extern int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len); extern int mfCIdentify(); +extern int DetectClassicPrng(void); #endif diff --git a/client/proxmark3.c b/client/proxmark3.c index d0e68b61..99ba9fba 100644 --- a/client/proxmark3.c +++ b/client/proxmark3.c @@ -73,12 +73,11 @@ static void *uart_receiver(void *targ) { while (arg->run) { rxlen = 0; - if (uart_receive(sp, prx, sizeof(UsbCommand) - (prx-rx), &rxlen)) { + if (uart_receive(sp, prx, sizeof(UsbCommand) - (prx-rx), &rxlen) && rxlen) { prx += rxlen; if (prx-rx < sizeof(UsbCommand)) { continue; } - UsbCommandReceived((UsbCommand*)rx); } prx = rx; @@ -356,11 +355,13 @@ int main(int argc, char* argv[]) { sp = uart_open(argv[1]); } else { printf("Waiting for Proxmark to appear on %s ", argv[1]); + fflush(stdout); int openCount = 0; do { sp = uart_open(argv[1]); msleep(1000); printf("."); + fflush(stdout); } while(++openCount < 20 && (sp == INVALID_SERIAL_PORT || sp == CLAIMED_SERIAL_PORT)); printf("\n"); } diff --git a/common/crapto1/crapto1.c b/common/crapto1/crapto1.c index 9398a1f3..1edfca1b 100644 --- a/common/crapto1/crapto1.c +++ b/common/crapto1/crapto1.c @@ -426,7 +426,6 @@ int nonce_distance(uint32_t from, uint32_t to) return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535; } - static uint32_t fastfwd[2][8] = { { 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB}, { 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}}; diff --git a/common/usb_cdc.c b/common/usb_cdc.c index 56690ad8..91a63cf3 100644 --- a/common/usb_cdc.c +++ b/common/usb_cdc.c @@ -44,6 +44,11 @@ #define AT91C_EP_OUT_SIZE 0x40 #define AT91C_EP_IN_SIZE 0x40 +// Language must always be 0. +#define STR_LANGUAGE_CODES 0x00 +#define STR_MANUFACTURER 0x01 +#define STR_PRODUCT 0x02 + static const char devDescriptor[] = { /* Device descriptor */ 0x12, // bLength @@ -56,8 +61,8 @@ static const char devDescriptor[] = { 0xc4,0x9a, // Vendor ID (0x9ac4 = J. Westhues) 0x8f,0x4b, // Product ID (0x4b8f = Proxmark-3 RFID Instrument) 0x01,0x00, // Device release number (0001) - 0x01, // iManufacturer - 0x02, // iProduct + STR_MANUFACTURER, // iManufacturer + STR_PRODUCT, // iProduct 0x00, // iSerialNumber 0x01 // bNumConfigs }; @@ -157,7 +162,9 @@ static const char StrDescLanguageCodes[] = { 0x03, // Type is string 0x09, 0x04 // supported language Code 0 = 0x0409 (English) }; - + +// Note: ModemManager (Linux) ignores Proxmark3 devices by matching the +// manufacturer string "proxmark.org". Don't change this. static const char StrDescManufacturer[] = { 26, // Length 0x03, // Type is string @@ -182,20 +189,18 @@ static const char StrDescProduct[] = { 'M', 0x00, '3', 0x00 }; - -static const char* const pStrings[] = -{ - StrDescLanguageCodes, - StrDescManufacturer, - StrDescProduct -}; const char* getStringDescriptor(uint8_t idx) { - if(idx >= (sizeof(pStrings) / sizeof(pStrings[0]))) { - return(NULL); - } else { - return(pStrings[idx]); + switch (idx) { + case STR_LANGUAGE_CODES: + return StrDescLanguageCodes; + case STR_MANUFACTURER: + return StrDescManufacturer; + case STR_PRODUCT: + return StrDescProduct; + default: + return NULL; } } diff --git a/fpga/hi_read_rx_xcorr.v b/fpga/hi_read_rx_xcorr.v index afa46c44..433d6736 100644 --- a/fpga/hi_read_rx_xcorr.v +++ b/fpga/hi_read_rx_xcorr.v @@ -34,13 +34,13 @@ always @(negedge ck_1356megb) (* clock_signal = "yes" *) reg adc_clk; // sample frequency, always 16 * fc always @(ck_1356megb, xcorr_is_848, xcorr_quarter_freq, fc_div) - if (xcorr_is_848 & ~xcorr_quarter_freq) // fc = 847.5 kHz + if (xcorr_is_848 & ~xcorr_quarter_freq) // fc = 847.5 kHz, standard ISO14443B adc_clk <= ck_1356megb; - else if (~xcorr_is_848 & ~xcorr_quarter_freq) // fc = 424.25 kHz + else if (~xcorr_is_848 & ~xcorr_quarter_freq) // fc = 423.75 kHz adc_clk <= fc_div[0]; - else if (xcorr_is_848 & xcorr_quarter_freq) // fc = 212.125 kHz + else if (xcorr_is_848 & xcorr_quarter_freq) // fc = 211.875 kHz adc_clk <= fc_div[1]; - else // fc = 106.0625 kHz + else // fc = 105.9375 kHz adc_clk <= fc_div[2]; // When we're a reader, we just need to do the BPSK demod; but when we're an @@ -69,13 +69,16 @@ begin end end -// Let us report a correlation every 4 subcarrier cycles, or 4*16 samples, +// Let us report a correlation every 4 subcarrier cycles, or 4*16=64 samples, // so we need a 6-bit counter. reg [5:0] corr_i_cnt; // And a couple of registers in which to accumulate the correlations. -// we would add/sub at most 32 times adc_d, the signed result can be held in 14 bits. -reg signed [13:0] corr_i_accum; -reg signed [13:0] corr_q_accum; +// We would add at most 32 times the difference between unmodulated and modulated signal. It should +// be safe to assume that a tag will not be able to modulate the carrier signal by more than 25%. +// 32 * 255 * 0,25 = 2040, which can be held in 11 bits. Add 1 bit for sign. +reg signed [11:0] corr_i_accum; +reg signed [11:0] corr_q_accum; +// we will report maximum 8 significant bits reg signed [7:0] corr_i_out; reg signed [7:0] corr_q_out; // clock and frame signal for communication to ARM @@ -99,16 +102,16 @@ begin begin if(snoop) begin - // Send only 7 most significant bits of tag signal (signed), LSB is reader signal: - corr_i_out <= {corr_i_accum[13:7], after_hysteresis_prev_prev}; - corr_q_out <= {corr_q_accum[13:7], after_hysteresis_prev}; + // Send 7 most significant bits of tag signal (signed), plus 1 bit reader signal + corr_i_out <= {corr_i_accum[11:5], after_hysteresis_prev_prev}; + corr_q_out <= {corr_q_accum[11:5], after_hysteresis_prev}; after_hysteresis_prev_prev <= after_hysteresis; end else begin - // 8 most significant bits of tag signal - corr_i_out <= corr_i_accum[13:6]; - corr_q_out <= corr_q_accum[13:6]; + // 8 bits of tag signal + corr_i_out <= corr_i_accum[11:4]; + corr_q_out <= corr_q_accum[11:4]; end corr_i_accum <= adc_d; diff --git a/fpga/hi_read_tx.v b/fpga/hi_read_tx.v index f12e64eb..fc309cde 100644 --- a/fpga/hi_read_tx.v +++ b/fpga/hi_read_tx.v @@ -24,33 +24,36 @@ module hi_read_tx( output dbg; input shallow_modulation; +// low frequency outputs, not relevant +assign pwr_lo = 1'b0; +assign pwr_oe2 = 1'b0; + // The high-frequency stuff. For now, for testing, just bring out the carrier, // and allow the ARM to modulate it over the SSP. reg pwr_hi; reg pwr_oe1; -reg pwr_oe2; reg pwr_oe3; reg pwr_oe4; + always @(ck_1356megb or ssp_dout or shallow_modulation) begin if(shallow_modulation) begin pwr_hi <= ck_1356megb; - pwr_oe1 <= ~ssp_dout; - pwr_oe2 <= ~ssp_dout; - pwr_oe3 <= ~ssp_dout; - pwr_oe4 <= 1'b0; + pwr_oe1 <= 1'b0; + pwr_oe3 <= 1'b0; + pwr_oe4 <= ~ssp_dout; end else begin pwr_hi <= ck_1356megb & ssp_dout; pwr_oe1 <= 1'b0; - pwr_oe2 <= 1'b0; pwr_oe3 <= 1'b0; pwr_oe4 <= 1'b0; end end + // Then just divide the 13.56 MHz clock down to produce appropriate clocks // for the synchronous serial port. @@ -83,7 +86,6 @@ end assign ssp_din = after_hysteresis; -assign pwr_lo = 1'b0; assign dbg = ssp_din; endmodule diff --git a/uart/uart_win32.c b/uart/uart_win32.c index af521ead..121b2b51 100644 --- a/uart/uart_win32.c +++ b/uart/uart_win32.c @@ -107,15 +107,13 @@ void uart_close(const serial_port sp) { free(sp); } -bool uart_receive(const serial_port sp, byte_t* pbtRx, size_t pszMaxRxLen, size_t* pszRxLen) { - ReadFile(((serial_port_windows*)sp)->hPort,pbtRx,pszMaxRxLen,(LPDWORD)pszRxLen,NULL); - return (*pszRxLen != 0); +bool uart_receive(const serial_port sp, byte_t *pbtRx, size_t pszMaxRxLen, size_t *pszRxLen) { + return ReadFile(((serial_port_windows*)sp)->hPort, pbtRx, pszMaxRxLen, (LPDWORD)pszRxLen, NULL); } bool uart_send(const serial_port sp, const byte_t* pbtTx, const size_t szTxLen) { DWORD dwTxLen = 0; - return WriteFile(((serial_port_windows*)sp)->hPort,pbtTx,szTxLen,&dwTxLen,NULL); - return (dwTxLen != 0); + return WriteFile(((serial_port_windows*)sp)->hPort, pbtTx, szTxLen, &dwTxLen, NULL); } bool uart_set_speed(serial_port sp, const uint32_t uiPortSpeed) {