From: marshmellow42 Date: Wed, 7 Jan 2015 23:15:14 +0000 (-0500) Subject: Merge branch 'master' of https://github.com/marshmellow42/proxmark3 X-Git-Tag: v2.0.0-rc1~57^2~3 X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/bce5d24494997238052d7f3fa7a3b89df43bce9f?hp=809fb6aeabdf2427cfd863bf56d7a05f0217ce46 Merge branch 'master' of https://github.com/marshmellow42/proxmark3 --- diff --git a/armsrc/Makefile b/armsrc/Makefile index 6f0a2aef..b9019541 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -10,7 +10,7 @@ APP_INCLUDES = apps.h #remove one of the following defines and comment out the relevant line #in the next section to remove that particular feature from compilation -APP_CFLAGS = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG +APP_CFLAGS = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -fno-strict-aliasing #-DWITH_LCD #SRC_LCD = fonts.c LCD.c @@ -24,7 +24,8 @@ THUMBSRC = start.c \ $(SRC_LCD) \ $(SRC_ISO15693) \ $(SRC_LF) \ - appmain.c printf.c \ + appmain.c \ + printf.c \ util.c \ string.c \ usb_cdc.c \ diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 57c485e8..3c92a7fd 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c 
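Review bot: `-fno-strict-aliasing` is added to APP_CFLAGS with no note of which code needs it; the flag disables an optimisation assumption to tolerate accesses through incompatible pointer types instead of fixing them, and nothing on the build line records that. A comment above it, `# -fno-strict-aliasing: ARM-side code accesses objects through incompatible pointer types; drop once those are rewritten with memcpy`, names the debt and stops a later cleanup from removing the flag blindly. Which access triggers it is not visible from this diff, so the comment should name the file once it is known.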
@@ -82,40 +82,12 @@ void DbpString(char *str) { byte_t len = strlen(str); cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len); -// /* this holds up stuff unless we're connected to usb */ -// if (!UsbConnected()) -// return; -// -// UsbCommand c; -// c.cmd = CMD_DEBUG_PRINT_STRING; -// c.arg[0] = strlen(str); -// if(c.arg[0] > sizeof(c.d.asBytes)) { -// c.arg[0] = sizeof(c.d.asBytes); -// } -// memcpy(c.d.asBytes, str, c.arg[0]); -// -// UsbSendPacket((uint8_t *)&c, sizeof(c)); -// // TODO fix USB so stupid things like this aren't req'd -// SpinDelay(50); } #if 0 void DbpIntegers(int x1, int x2, int x3) { cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0); -// /* this holds up stuff unless we're connected to usb */ -// if (!UsbConnected()) -// return; -// -// UsbCommand c; -// c.cmd = CMD_DEBUG_PRINT_INTEGERS; -// c.arg[0] = x1; -// c.arg[1] = x2; -// c.arg[2] = x3; -// -// UsbSendPacket((uint8_t *)&c, sizeof(c)); -// // XXX -// SpinDelay(50); } #endif @@ -332,7 +304,7 @@ extern struct version_information version_information; extern char *_bootphase1_version_pointer, _flash_start, _flash_end; void SendVersion(void) { - char temp[256]; /* Limited data payload in USB packets */ + char temp[512]; /* Limited data payload in USB packets */ DbpString("Prox/RFID mark3 RFID instrument"); /* Try to find the bootrom version information. Expect to find a pointer at @@ -381,13 +353,13 @@ void SamyRun() int selected = 0; int playing = 0; + int cardRead = 0; // Turn on selected LED LED(selected + 1, 0); for (;;) { -// UsbPoll(FALSE); usb_poll(); WDT_HIT(); @@ -396,7 +368,7 @@ void SamyRun() SpinDelay(300); // Button was held for a second, begin recording - if (button_pressed > 0) + if (button_pressed > 0 && cardRead == 0) { LEDsoff(); LED(selected + 1, 0); 
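Review bot: Growing `temp` to 512 bytes in SendVersion only helps if the sender can carry that length, and DbpString in the first hunk of this file stores it as `byte_t len = strlen(str);` and passes that `len` to cmd_send, so any string over 255 bytes goes out with a wrapped-around length. If `temp` is handed to DbpString later in SendVersion (its body continues outside the hunk, and the `/* Limited data payload in USB packets */` comment suggests it is), widen and clamp the length in DbpString, `size_t len = strlen(str); if (len > USB_CMD_DATA_SIZE) len = USB_CMD_DATA_SIZE;`, or keep `temp` at a size the 8-bit length can express. Whether cmd_send itself bounds the data length is not visible here.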
@@ -422,6 +394,40 @@ void SamyRun() // If we were previously playing, set playing off // so next button push begins playing what we recorded playing = 0; + + cardRead = 1; + + } + + else if (button_pressed > 0 && cardRead == 1) + { + LEDsoff(); + LED(selected + 1, 0); + LED(LED_ORANGE, 0); + + // record + Dbprintf("Cloning %x %x %x", selected, high[selected], low[selected]); + + // wait for button to be released + while(BUTTON_PRESS()) + WDT_HIT(); + + /* need this delay to prevent catching some weird data */ + SpinDelay(500); + + CopyHIDtoT55x7(high[selected], low[selected], 0, 0); + Dbprintf("Cloned %x %x %x", selected, high[selected], low[selected]); + + LEDsoff(); + LED(selected + 1, 0); + // Finished recording + + // If we were previously playing, set playing off + // so next button push begins playing what we recorded + playing = 0; + + cardRead = 0; + } // Change where to record (or begin playing) @@ -635,18 +641,18 @@ void UsbPacketReceived(uint8_t *packet, int len) cmd_send(CMD_ACK,0,0,0,0,0); break; case CMD_HID_DEMOD_FSK: - CmdHIDdemodFSK(c->arg[0], 0, 0, 1); // Demodulate HID tag + CmdHIDdemodFSK(c->arg[0], 0, 0, 1); break; case CMD_HID_SIM_TAG: - CmdHIDsimTAG(c->arg[0], c->arg[1], 1); // Simulate HID tag by ID + CmdHIDsimTAG(c->arg[0], c->arg[1], 1); break; - case CMD_HID_CLONE_TAG: // Clone HID tag by ID to T55x7 + case CMD_HID_CLONE_TAG: CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); break; case CMD_IO_DEMOD_FSK: - CmdIOdemodFSK(c->arg[0], 0, 0, 1); // Demodulate IO tag + CmdIOdemodFSK(c->arg[0], 0, 0, 1); break; - case CMD_IO_CLONE_TAG: // Clone IO tag by ID to T55x7 + case CMD_IO_CLONE_TAG: CopyIOtoT55x7(c->arg[0], c->arg[1], c->d.asBytes[0]); break; case CMD_EM410X_DEMOD: 
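Review bot: The comments in the new `else if (button_pressed > 0 && cardRead == 1)` branch are carried over from the record path and now mislead: `// record` sits above the `Cloning` Dbprintf and `// Finished recording` above the LED reset, although this branch writes the stored ID to the tag. Change them to `// clone the last recorded ID onto the tag in the field` and `// Finished cloning`, and the `// If we were previously playing ...` comment should likewise say what `playing = 0` means for the clone path. The blank line between `}` and `else if` makes the two branches read as separate statements at a glance; the `} else if (...)` form used elsewhere avoids that. SamyRun's loop body starts and ends outside the hunk.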
@@ -669,10 +675,10 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_LF_SIMULATE_BIDIR: SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]); break; - case CMD_INDALA_CLONE_TAG: // Clone Indala 64-bit tag by UID to T55x7 + case CMD_INDALA_CLONE_TAG: CopyIndala64toT55x7(c->arg[0], c->arg[1]); break; - case CMD_INDALA_CLONE_TAG_L: // Clone Indala 224-bit tag by UID to T55x7 + case CMD_INDALA_CLONE_TAG_L: CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]); break; case CMD_T55XX_READ_BLOCK: @@ -681,13 +687,12 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_T55XX_WRITE_BLOCK: T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); break; - case CMD_T55XX_READ_TRACE: // Clone HID tag by ID to T55x7 + case CMD_T55XX_READ_TRACE: T55xxReadTrace(); break; - case CMD_PCF7931_READ: // Read PCF7931 tag + case CMD_PCF7931_READ: ReadPCF7931(); cmd_send(CMD_ACK,0,0,0,0,0); -// UsbSendPacket((uint8_t*)&ack, sizeof(ack)); break; case CMD_EM4X_READ_WORD: EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]); @@ -733,7 +738,7 @@ void UsbPacketReceived(uint8_t *packet, int len) ReaderIso15693(c->arg[0]); break; case CMD_SIMTAG_ISO_15693: - SimTagIso15693(c->arg[0]); + SimTagIso15693(c->arg[0], c->d.asBytes); break; #endif @@ -782,6 +787,7 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_SIMULATE_TAG_ISO_14443a: SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID break; + case CMD_EPA_PACE_COLLECT_NONCE: EPA_PACE_Collect_Nonce(c); break; 
@@ -838,12 +844,15 @@ void UsbPacketReceived(uint8_t *packet, int len) break; // Work with "magic Chinese" card - case CMD_MIFARE_EML_CSETBLOCK: + case CMD_MIFARE_CSETBLOCK: MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); break; - case CMD_MIFARE_EML_CGETBLOCK: + case CMD_MIFARE_CGETBLOCK: MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); break; + case CMD_MIFARE_CIDENT: + MifareCIdent(); + break; // mifare sniffer case CMD_MIFARE_SNIFFER: @@ -894,18 +903,6 @@ void UsbPacketReceived(uint8_t *packet, int len) break; case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: -// UsbCommand n; -// if(c->cmd == CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K) { -// n.cmd = CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K; -// } else { -// n.cmd = CMD_DOWNLOADED_RAW_BITS_TI_TYPE; -// } -// n.arg[0] = c->arg[0]; - // memcpy(n.d.asBytes, BigBuf+c->arg[0], 48); // 12*sizeof(uint32_t) - // LED_B_ON(); - // usb_write((uint8_t *)&n, sizeof(n)); - // UsbSendPacket((uint8_t *)&n, sizeof(n)); - // LED_B_OFF(); LED_B_ON(); for(size_t i=0; iarg[1]; i += USB_CMD_DATA_SIZE) { @@ -919,9 +916,7 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_DOWNLOADED_SIM_SAMPLES_125K: { uint8_t *b = (uint8_t *)BigBuf; - memcpy(b+c->arg[0], c->d.asBytes, 48); - //Dbprintf("copied 48 bytes to %i",b+c->arg[0]); -// UsbSendPacket((uint8_t*)&ack, sizeof(ack)); + memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE); cmd_send(CMD_ACK,0,0,0,0,0); break; } @@ -979,7 +974,6 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_DEVICE_INFO: { uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS; if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT; -// UsbSendPacket((uint8_t*)&c, sizeof(c)); cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0); break; } 
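Review bot: In `case CMD_DOWNLOADED_SIM_SAMPLES_125K` the copy grew from 48 bytes to USB_CMD_DATA_SIZE, but the destination offset `c->arg[0]` still comes straight from the host packet and is never compared with the size of BigBuf, so a large arg[0] writes past the buffer. Check it before the copy, `if (c->arg[0] > BIGBUF_BYTES - USB_CMD_DATA_SIZE) break;`, where BIGBUF_BYTES is a placeholder for whatever constant sizes BigBuf (its declaration is not in the diff), and reply with an error status if the protocol has one so the host does not wait for the ACK; the subtraction form avoids overflowing `arg[0] + USB_CMD_DATA_SIZE`. The 48-byte version had the same unchecked offset, so this is not new, but the larger copy widens the reachable range.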
@@ -1006,9 +1000,8 @@ void __attribute__((noreturn)) AppMain(void) LED_B_OFF(); LED_A_OFF(); - // Init USB device` + // Init USB device usb_enable(); -// UsbStart(); // The FPGA gets its clock from us from PCK0 output, so set that up. AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0; @@ -1044,8 +1037,6 @@ void __attribute__((noreturn)) AppMain(void) UsbPacketReceived(rx,rx_len); } } -// UsbPoll(FALSE); - WDT_HIT(); #ifdef WITH_LF diff --git a/armsrc/apps.h b/armsrc/apps.h index ed51c7b9..eafee559 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -192,12 +192,13 @@ void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); // Work with "magic Chinese" card void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); +void MifareCIdent(); // is "magic chinese" card? /// iso15693.h void RecordRawAdcSamplesIso15693(void); void AcquireRawAdcSamplesIso15693(void); void ReaderIso15693(uint32_t parameter); // Simulate an ISO15693 reader - greg -void SimTagIso15693(uint32_t parameter); // simulate an ISO15693 tag - greg +void SimTagIso15693(uint32_t parameter, uint8_t *uid); // simulate an ISO15693 tag - greg void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8_t data[]); // send arbitrary commands from CLI - atrox void SetDebugIso15693(uint32_t flag); diff --git a/armsrc/epa.c b/armsrc/epa.c index fb19656d..bec79e61 100644 --- a/armsrc/epa.c +++ b/armsrc/epa.c @@ -185,6 +185,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length) || response_apdu[rapdu_length - 4] != 0x90 || response_apdu[rapdu_length - 3] != 0x00) { + Dbprintf("epa - no select cardaccess"); return -1; } 
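Review bot: `void MifareCIdent();` in apps.h declares a function with an unspecified parameter list, not an empty one, so a call with stray arguments is accepted silently; write `void MifareCIdent(void); // is "magic chinese" card?` as the neighbouring prototypes such as `RecordRawAdcSamplesIso15693(void)` do. The new `SimTagIso15693(uint32_t parameter, uint8_t *uid)` only reads the UID (BuildInventoryResponse copies uid[0..7] into its own cmd buffer), so `const uint8_t *uid` would document that, and the prototype comment should state that at least 8 bytes must be supplied since no length is passed.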
@@ -196,6 +197,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length) || response_apdu[rapdu_length - 4] != 0x90 || response_apdu[rapdu_length - 3] != 0x00) { + Dbprintf("epa - no read cardaccess"); return -1; } @@ -223,7 +225,6 @@ static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return) // send the USB packet cmd_send(CMD_ACK,step,func_return,0,0,0); -//UsbSendPacket((void *)ack, sizeof(UsbCommand)); } //----------------------------------------------------------------------------- @@ -243,7 +244,7 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c) */ // return value of a function - int func_return; + int func_return = 0; // // initialize ack with 0s // memset(ack->arg, 0, 12); @@ -301,7 +302,6 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c) // save received information // ack->arg[1] = func_return; // memcpy(ack->d.asBytes, nonce, func_return); -// UsbSendPacket((void *)ack, sizeof(UsbCommand)); cmd_send(CMD_ACK,0,func_return,0,nonce,func_return); } @@ -416,25 +416,27 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password) //----------------------------------------------------------------------------- int EPA_Setup() { - // return code + int return_code = 0; - // card UID uint8_t uid[10]; - // card select information + uint8_t pps_response[3]; + uint8_t pps_response_par[1]; iso14a_card_select_t card_select_info; + // power up the field iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); + iso14a_set_timeout(10500); + // select the card return_code = iso14443a_select_card(uid, &card_select_info, NULL); if (return_code != 1) { + Dbprintf("Epa: Can't select card"); return 1; } // send the PPS request ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL); - uint8_t pps_response[3]; - uint8_t pps_response_par[1]; return_code = ReaderReceive(pps_response, pps_response_par); if (return_code != 3 || pps_response[0] != 0xD0) { return return_code == 0 ? 2 : return_code; 
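Review bot: `iso14a_set_timeout(10500);` drops a bare magic number into EPA_Setup with no unit or rationale; name it, `enum { EPA_SELECT_TIMEOUT = 10500 }; /* in the unit iso14a_set_timeout expects */`, or at least comment the line. The hoisted `uint8_t pps_response[3];` is filled by `ReaderReceive(pps_response, pps_response_par)`, which takes no size argument, so a PPS reply longer than three bytes would overrun it if ReaderReceive does not bound its write — worth confirming against its definition, which is outside this diff. The new log prefixes also differ between `"epa - ..."` in EPA_Read_CardAccess and `"Epa: ..."` here; one spelling keeps the debug output filterable.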
diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c index 839240bd..27a5d508 100644 --- a/armsrc/hitag2.c +++ b/armsrc/hitag2.c @@ -990,18 +990,18 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) { // Disable timer during configuration AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; - // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger, + // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger, // external trigger rising edge, load RA on rising edge of TIOA. AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING; - // Enable and reset counter - AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; - // Reset the received frame, frame count and timing info memset(rx,0x00,sizeof(rx)); frame_count = 0; response = 0; overflow = 0; + + // Enable and reset counter + AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; while(!BUTTON_PRESS()) { // Watchdog hit @@ -1105,9 +1105,9 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) { AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); -// Dbprintf("frame received: %d",frame_count); -// Dbprintf("Authentication Attempts: %d",(auth_table_len/8)); -// DbpString("All done"); + + DbpString("Sim Stopped"); + } void ReaderHitag(hitag_function htf, hitag_data* htd) { @@ -1158,7 +1158,7 @@ void ReaderHitag(hitag_function htf, hitag_data* htd) { case RHT2F_CRYPTO: { DbpString("Authenticating using key:"); - memcpy(key,htd->crypto.key,4); + memcpy(key,htd->crypto.key,4); //HACK; 4 or 6?? I read both in the code. Dbhexdump(6,key,false); blocknr = 0; bQuiet = false; diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 3844ab14..ea9af7d4 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c 
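Review bot: The new comment `//HACK; 4 or 6?? I read both in the code.` records the doubt instead of resolving it: `memcpy(key,htd->crypto.key,4)` fills four bytes and the `Dbhexdump(6,key,false)` right after it prints six, so the last two are whatever `key` held before (neither its declaration nor the size of `htd->crypto.key` is in the hunk). Copy what the source actually holds and dump the same amount, `memcpy(key, htd->crypto.key, sizeof htd->crypto.key); Dbhexdump(sizeof htd->crypto.key, key, false);` if crypto.key is an array, or use the named key length from the header that defines hitag_data if it is a pointer. ReaderHitag's body continues outside the hunk.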
@@ -433,7 +433,6 @@ static RAMFUNC int ManchesterDecoding(int v) else { modulation = bit & Demod.syncBit; modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; - //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; Demod.samples += 4; @@ -842,10 +841,7 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen) } if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - /*if(OutOfNDecoding((b & 0xf0) >> 4)) { - *len = Uart.byteCnt; - return TRUE; - }*/ + if(OutOfNDecoding(b & 0x0f)) { *len = Uart.byteCnt; return TRUE; @@ -1001,8 +997,6 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain */ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf) { - - // CSN followed by two CRC bytes uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0}; @@ -1106,6 +1100,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader //Signal tracer // Can be used to get a trigger for an oscilloscope.. LED_C_OFF(); + if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) { buttonPressed = true; break; @@ -1368,7 +1363,6 @@ void ReaderTransmitIClass(uint8_t* frame, int len) int samples = 0; // This is tied to other size changes - // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024; CodeIClassCommand(frame,len); // Select the card @@ -1423,10 +1417,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; skip = !skip; if(skip) continue; - /*if(ManchesterDecoding((b>>4) & 0xf)) { - *samples = ((c - 1) << 3) + 4; - return TRUE; - }*/ + if(ManchesterDecoding(b & 0x0f)) { *samples = c << 3; return TRUE; 
@@ -1594,7 +1585,7 @@ void ReaderIClass(uint8_t arg0) { void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { - uint8_t card_data[24]={0}; + uint8_t card_data[USB_CMD_DATA_SIZE]={0}; uint16_t block_crc_LUT[255] = {0}; {//Generate a lookup table for block crc @@ -1667,7 +1658,10 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { cardsize = memory.k16 ? 255 : 32; WDT_HIT(); - + //Set card_data to all zeroes, we'll fill it with data + memset(card_data,0x0,USB_CMD_DATA_SIZE); + uint8_t failedRead =0; + uint8_t stored_data_length =0; //then loop around remaining blocks for(int block=0; block < cardsize; block++){ @@ -1683,14 +1677,47 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { resp[3], resp[4], resp[5], resp[6], resp[7]); + //Fill up the buffer + memcpy(card_data+stored_data_length,resp,8); + stored_data_length += 8; + + if(stored_data_length +8 > USB_CMD_DATA_SIZE) + {//Time to send this off and start afresh + cmd_send(CMD_ACK, + stored_data_length,//data length + failedRead,//Failed blocks? + 0,//Not used ATM + card_data, stored_data_length); + //reset + stored_data_length = 0; + failedRead = 0; + } + }else{ + failedRead = 1; + stored_data_length +=8;//Otherwise, data becomes misaligned Dbprintf("Failed to dump block %d", block); - } } + //Send off any remaining data + if(stored_data_length > 0) + { + cmd_send(CMD_ACK, + stored_data_length,//data length + failedRead,//Failed blocks? + 0,//Not used ATM + card_data, stored_data_length); + } //If we got here, let's break break; } + //Signal end of transmission + cmd_send(CMD_ACK, + 0,//data length + 0,//Failed blocks? + 0,//Not used ATM + card_data, 0); + LED_A_OFF(); } diff --git a/armsrc/iso14443.c b/armsrc/iso14443.c index 7a445bcb..e9483189 100644 --- a/armsrc/iso14443.c +++ b/armsrc/iso14443.c 
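Review bot: `uint8_t stored_data_length` in ReaderIClass_Replay cannot count a full USB payload: the same hunk sizes `card_data[USB_CMD_DATA_SIZE]` and tests `stored_data_length + 8 > USB_CMD_DATA_SIZE`, so if USB_CMD_DATA_SIZE exceeds 255 (the switch from 48 bytes to USB_CMD_DATA_SIZE in appmain.c and the 512-byte `temp` there suggest it does) the counter wraps to 0 after 32 blocks, the flush never fires, and later blocks silently overwrite earlier ones. Declare it `uint16_t stored_data_length = 0;` (or size_t). Separately, the `else` branch advances `stored_data_length += 8` without writing anything, so once a flush has happened a failed block's slot carries stale bytes from the previous chunk; `memset(card_data + stored_data_length, 0, 8);` before the increment gives the host a recognisable gap. The second hunk in this file has the same counter, so both are covered by the one change.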
@@ -293,8 +293,7 @@ static int GetIso14443CommandFromReader(uint8_t *received, int *len, int maxLen) // only, since we are receiving, not transmitting). // Signal field is off with the appropriate LED LED_D_OFF(); - FpgaWriteConfWord( - FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION); // Now run a `software UART' on the stream of incoming samples. @@ -401,8 +400,7 @@ void SimulateIso14443Tag(void) // Modulate BPSK // Signal field is off with the appropriate LED LED_D_OFF(); - FpgaWriteConfWord( - FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK); AT91C_BASE_SSC->SSC_THR = 0xff; FpgaSetupSsc(); diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index a4632aa5..c2f809fe 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -144,7 +144,6 @@ const uint8_t OddByteParity[256] = { 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1 }; - void iso14a_set_trigger(bool enable) { trigger = enable; } @@ -310,6 +309,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) Uart.twoBits = (Uart.twoBits << 8) | bit; if (Uart.state == STATE_UNSYNCD) { // not yet synced + if (Uart.highCnt < 7) { // wait for a stable unmodulated signal if (Uart.twoBits == 0xffff) { Uart.highCnt++; @@ -399,7 +399,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) if (Uart.len) { return TRUE; // we are finished with decoding the raw data sequence } else { - UartReset(); // Nothing received - try again + UartReset(); // Nothing receiver - start over } } if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC @@ -473,7 +473,6 @@ void DemodReset() Demod.endTime = 0; } - void DemodInit(uint8_t *data, uint8_t *parity) { Demod.output = data; 
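Review bot: The rewritten comment on the UartReset() call in MillerDecoding now reads `// Nothing receiver - start over`, a typo the old text did not have; `// Nothing received - start over` is the intended wording. The enclosing function starts and ends outside the hunk.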
@@ -763,7 +762,6 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *par // Send startbit ToSend[++ToSendMax] = SEC_D; - LastProxToAirDuration = 8 * ToSendMax - 4; for(uint16_t i = 0; i < len; i++) { @@ -990,6 +988,12 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data) response1[1] = 0x00; sak = 0x28; } break; + case 5: { // MIFARE TNP3XXX + // Says: I am a toy + response1[0] = 0x01; + response1[1] = 0x0f; + sak = 0x01; + } break; default: { Dbprintf("Error: unkown tagtype (%d)",tagType); return; @@ -1123,7 +1127,7 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data) // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below p_response = NULL; } else if(receivedCmd[0] == 0x50) { // Received a HALT -// DbpString("Reader requested we HALT!:"); + if (tracing) { LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); } @@ -1228,6 +1232,7 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data) // do the tracing for the previous reader request and this tag answer: uint8_t par[MAX_PARITY_SIZE]; GetParity(p_response->response, p_response->response_n, par); + EmLogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, @@ -1308,13 +1313,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing // clear TXRDY AT91C_BASE_SSC->SSC_THR = SEC_Y; - // for(uint16_t c = 0; c < 10;) { // standard delay for each transfer (allow tag to be ready after last transmission) - // if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - // AT91C_BASE_SSC->SSC_THR = SEC_Y; - // c++; - // } - // } - uint16_t c = 0; for(;;) { if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { 
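Review bot: Removing `LastProxToAirDuration = 8 * ToSendMax - 4;` after the start bit in CodeIso14443aAsTagPar leaves the duration unset for that prefix; if the only remaining assignments are inside the per-byte loop that follows (the function's body continues outside the hunk), a zero-length frame keeps a stale value from the previous encoding. If the later assignments always cover it, say so where the line was, `// LastProxToAirDuration is updated per byte below`, so nobody restores it; otherwise keep the initial assignment.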
@@ -1327,7 +1325,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing } NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME); - } @@ -1669,7 +1666,6 @@ static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receive void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing) { - CodeIso14443aBitsAsReaderPar(frame, bits, par); // Send command to tag @@ -1744,7 +1740,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u // Receive the ATQA if(!ReaderReceive(resp, resp_par)) return 0; - //Dbprintf("atqa: %02x %02x",resp[1],resp[0]); if(p_hi14a_card) { memcpy(p_hi14a_card->atqa, resp, 2); @@ -1800,7 +1795,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u memcpy(uid_resp, resp, 4); } uid_resp_len = 4; - //Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]); // calculate crypto UID. Always use last 4 Bytes. if(cuid_ptr) { @@ -1822,11 +1816,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) { // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of: // http://www.nxp.com/documents/application_note/AN10927.pdf - // This was earlier: - //memcpy(uid_resp, uid_resp + 1, 3); - // But memcpy should not be used for overlapping arrays, - // and memmove appears to not be available in the arm build. - // Therefore: uid_resp[0] = uid_resp[1]; uid_resp[1] = uid_resp[2]; uid_resp[2] = uid_resp[3]; @@ -1849,9 +1838,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u p_hi14a_card->ats_len = 0; } - if( (sak & 0x20) == 0) { - return 2; // non iso14443a compliant tag - } + // non iso14443a compliant tag + if( (sak & 0x20) == 0) return 2; // Request for answer to select AppendCrc14443a(rats, 2); 
@@ -1859,6 +1847,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u if (!(len = ReaderReceive(resp, resp_par))) return 0; + if(p_hi14a_card) { memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats)); p_hi14a_card->ats_len = len; @@ -1866,7 +1855,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u // reset the PCB block number iso14_pcb_blocknum = 0; - return 1; } @@ -1957,7 +1945,7 @@ void ReaderIso14443a(UsbCommand *c) } if(param & ISO14A_SET_TIMEOUT) { - iso14a_timeout = c->arg[2]; + iso14a_set_timeout(c->arg[2]); } if(param & ISO14A_APDU) { @@ -2047,8 +2035,8 @@ void ReaderMifare(bool first_try) uint32_t nt = 0; uint32_t previous_nt = 0; static uint32_t nt_attacked = 0; - byte_t par_list[8] = {0,0,0,0,0,0,0,0}; - byte_t ks_list[8] = {0,0,0,0,0,0,0,0}; + byte_t par_list[8] = {0x00}; + byte_t ks_list[8] = {0x00}; static uint32_t sync_time; static uint32_t sync_cycles; @@ -2057,8 +2045,6 @@ void ReaderMifare(bool first_try) uint16_t consecutive_resyncs = 0; int isOK = 0; - - if (first_try) { mf_nr_ar3 = 0; iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index ed7beb6f..ec8120b9 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -263,13 +263,10 @@ static void TransmitTo15693Tag(const uint8_t *cmd, int len, int *samples, int *w //----------------------------------------------------------------------------- static void TransmitTo15693Reader(const uint8_t *cmd, int len, int *samples, int *wait) { - int c; - -// FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR); // No requirement to energise my coils + int c = 0; + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K); if(*wait < 10) { *wait = 10; } - c = 0; for(;;) { if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { AT91C_BASE_SSC->SSC_THR = cmd[c]; 
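Review bot: The FPGA mode in TransmitTo15693Reader changes from `FPGA_MAJOR_MODE_HF_SIMULATOR` to `FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K`, and the old explanatory comment (`No requirement to energise my coils`) goes with it, so the function now says nothing about why the tag side needs that modulation bit. A comment on the line, `// simulator: the reader supplies the field, we only load-modulate the reply (424K flag, see the FPGA definitions)`, keeps the reasoning; the exact meaning of the flag should be checked against those definitions, which are not in the diff. The function's loop continues outside the hunk.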
@@ -464,8 +461,7 @@ static int GetIso15693AnswerFromSniff(uint8_t *receivedResponse, int maxLen, int AT91C_BASE_SSC->SSC_THR = 0x43; } if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - int8_t b; - b = (int8_t)AT91C_BASE_SSC->SSC_RHR; + int8_t b = (int8_t)AT91C_BASE_SSC->SSC_RHR; // The samples are correlations against I and Q versions of the // tone that the tag AM-modulates, so every other sample is I, @@ -600,10 +596,10 @@ static void BuildIdentifyRequest(void); //----------------------------------------------------------------------------- void AcquireRawAdcSamplesIso15693(void) { - int c = 0; uint8_t *dest = (uint8_t *)BigBuf; - int getNext = 0; + int c = 0; + int getNext = 0; int8_t prev = 0; FpgaDownloadAndGo(FPGA_BITSTREAM_HF); @@ -682,10 +678,10 @@ void AcquireRawAdcSamplesIso15693(void) void RecordRawAdcSamplesIso15693(void) { + uint8_t *dest = (uint8_t *)BigBuf; + int c = 0; - uint8_t *dest = (uint8_t *)BigBuf; int getNext = 0; - int8_t prev = 0; FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 
@@ -836,24 +832,25 @@ static void BuildReadBlockRequest(uint8_t *uid, uint8_t blockNumber ) } // Now the VICC>VCD responses when we are simulating a tag - static void BuildInventoryResponse(void) + static void BuildInventoryResponse( uint8_t *uid) { uint8_t cmd[12]; uint16_t crc; // one sub-carrier, inventory, 1 slot, fast rate // AFI is at bit 5 (1<<4) when doing an INVENTORY - cmd[0] = 0; //(1 << 2) | (1 << 5) | (1 << 1); - cmd[1] = 0; + //(1 << 2) | (1 << 5) | (1 << 1); + cmd[0] = 0; // + cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported // 64-bit UID - cmd[2] = 0x32; - cmd[3]= 0x4b; - cmd[4] = 0x03; - cmd[5] = 0x01; - cmd[6] = 0x00; - cmd[7] = 0x10; - cmd[8] = 0x05; - cmd[9]= 0xe0; + cmd[2] = uid[7]; //0x32; + cmd[3] = uid[6]; //0x4b; + cmd[4] = uid[5]; //0x03; + cmd[5] = uid[4]; //0x01; + cmd[6] = uid[3]; //0x00; + cmd[7] = uid[2]; //0x10; + cmd[8] = uid[1]; //0x05; + cmd[9] = uid[0]; //0xe0; //Now the CRC crc = Crc(cmd, 10); cmd[10] = crc & 0xff; @@ -1002,23 +999,27 @@ void ReaderIso15693(uint32_t parameter) LED_C_OFF(); LED_D_OFF(); -//DbpString(parameter); - - //uint8_t *answer0 = (((uint8_t *)BigBuf) + 3560); // allow 100 bytes per reponse (way too much) uint8_t *answer1 = (((uint8_t *)BigBuf) + 3660); // uint8_t *answer2 = (((uint8_t *)BigBuf) + 3760); uint8_t *answer3 = (((uint8_t *)BigBuf) + 3860); - //uint8_t *TagUID= (((uint8_t *)BigBuf) + 3960); // where we hold the uid for hi15reader -// int answerLen0 = 0; + int answerLen1 = 0; int answerLen2 = 0; int answerLen3 = 0; - int i=0; // counter + int i = 0; + int samples = 0; + int tsamples = 0; + int wait = 0; + int elapsed = 0; + uint8_t TagUID[8] = {0x00}; + // Blank arrays - memset(BigBuf + 3660, 0, 300); + memset(BigBuf + 3660, 0x00, 300); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); // Setup SSC FpgaSetupSsc(); 
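Review bot: `BuildInventoryResponse( uint8_t *uid)` only reads uid[0..7] into cmd[2..9], so the parameter can be `const uint8_t *uid`. The trailing `//0x32;` … `//0xe0;` comments on each assignment are the old hard-coded UID and no longer describe anything; drop them and keep one line above the block, `// the response carries the UID in reverse order of the caller's buffer`. With no length parameter the caller must guarantee eight bytes; the header comment should say so.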
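Review bot: `memset(BigBuf + 3660, 0x00, 300);` in ReaderIso15693 is the one place that offsets BigBuf without a cast: answer1 and answer3 are computed as `((uint8_t *)BigBuf) + 3660` and `+ 3860`, and every other use on this page casts BigBuf to `uint8_t *` first, which suggests its element type is wider than a byte. If so, the memset clears 300 bytes starting 3660 elements in — a different region from the one the answer pointers use — and those buffers are never actually blanked. Use the same arithmetic as the pointers, `memset((uint8_t *)BigBuf + 3660, 0x00, 300);`, or clear from answer1 directly. The 3660/3760/3860 offsets and the 300-byte span are magic numbers shared with SimTagIso15693; naming them would make the layout visible.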
@@ -1026,9 +1027,6 @@ void ReaderIso15693(uint32_t parameter) FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelay(200); - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - FpgaSetupSsc(); - // Give the tags time to energize FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); SpinDelay(200); @@ -1038,44 +1036,19 @@ void ReaderIso15693(uint32_t parameter) LED_C_OFF(); LED_D_OFF(); - int samples = 0; - int tsamples = 0; - int wait = 0; - int elapsed = 0; - // FIRST WE RUN AN INVENTORY TO GET THE TAG UID // THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME - uint8_t TagUID[8] = {0, 0, 0, 0, 0, 0, 0, 0}; // where we hold the uid for hi15reader - -// BuildIdentifyRequest(); -// //TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait); -// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3 -// // Now wait for a response -// responseLen0 = GetIso15693AnswerFromTag(receivedAnswer0, 100, &samples, &elapsed) ; -// if (responseLen0 >=12) // we should do a better check than this -// { -// // really we should check it is a valid mesg -// // but for now just grab what we think is the uid -// TagUID[0] = receivedAnswer0[2]; -// TagUID[1] = receivedAnswer0[3]; -// TagUID[2] = receivedAnswer0[4]; -// TagUID[3] = receivedAnswer0[5]; -// TagUID[4] = receivedAnswer0[6]; -// TagUID[5] = receivedAnswer0[7]; -// TagUID[6] = receivedAnswer0[8]; // IC Manufacturer code -// DbpIntegers(TagUID[6],TagUID[5],TagUID[4]); -//} // Now send the IDENTIFY command BuildIdentifyRequest(); - //TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait); - TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3 + + TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); + // Now wait for a response answerLen1 = GetIso15693AnswerFromTag(answer1, 100, &samples, &elapsed) ; if (answerLen1 >=12) // we should do a better check than this { - TagUID[0] = answer1[2]; TagUID[1] = answer1[3]; TagUID[2] = answer1[4]; 
@@ -1085,23 +1058,6 @@ void ReaderIso15693(uint32_t parameter) TagUID[6] = answer1[8]; // IC Manufacturer code TagUID[7] = answer1[9]; // always E0 - // Now send the SELECT command - // since the SELECT command is optional, we should not rely on it. -//// BuildSelectRequest(TagUID); -// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3 - // Now wait for a response -/// answerLen2 = GetIso15693AnswerFromTag(answer2, 100, &samples, &elapsed); - - // Now send the MULTI READ command -// BuildArbitraryRequest(*TagUID,parameter); -/// BuildArbitraryCustomRequest(TagUID,parameter); -// BuildReadBlockRequest(*TagUID,parameter); -// BuildSysInfoRequest(*TagUID); - //TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait); -/// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3 - // Now wait for a response -/// answerLen3 = GetIso15693AnswerFromTag(answer3, 100, &samples, &elapsed) ; - } Dbprintf("%d octets read from IDENTIFY request:", answerLen1); @@ -1110,9 +1066,9 @@ void ReaderIso15693(uint32_t parameter) // UID is reverse if (answerLen1>=12) - //Dbprintf("UID = %*D",8,TagUID," "); - Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",TagUID[7],TagUID[6],TagUID[5], - TagUID[4],TagUID[3],TagUID[2],TagUID[1],TagUID[0]); + Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX", + TagUID[7],TagUID[6],TagUID[5],TagUID[4], + TagUID[3],TagUID[2],TagUID[1],TagUID[0]); Dbprintf("%d octets read from SELECT request:", answerLen2); @@ -1123,7 +1079,6 @@ void ReaderIso15693(uint32_t parameter) DbdecodeIso15693Answer(answerLen3,answer3); Dbhexdump(answerLen3,answer3,true); - // read all pages if (answerLen1>=12 && DEBUG) { i=0; @@ -1141,13 +1096,6 @@ void ReaderIso15693(uint32_t parameter) } } -// str2[0]=0; -// for(i = 0; i < responseLen3; i++) { -// itoa(str1,receivedAnswer3[i]); -// strncat(str2,str1,8); -// } -// DbpString(str2); - LED_A_OFF(); LED_B_OFF(); LED_C_OFF(); 
@@ -1156,32 +1104,31 @@ void ReaderIso15693(uint32_t parameter) // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands // all demodulation performed in arm rather than host. - greg -void SimTagIso15693(uint32_t parameter) +void SimTagIso15693(uint32_t parameter, uint8_t *uid) { LED_A_ON(); LED_B_ON(); LED_C_OFF(); LED_D_OFF(); - uint8_t *answer1 = (((uint8_t *)BigBuf) + 3660); // + uint8_t *buf = (((uint8_t *)BigBuf) + 3660); // + int answerLen1 = 0; + int samples = 0; + int tsamples = 0; + int wait = 0; + int elapsed = 0; - // Blank arrays - memset(answer1, 0, 100); + memset(buf, 0x00, 100); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - // Setup SSC - FpgaSetupSsc(); - - // Start from off (no field generated) - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + FpgaSetupSsc(); - // Give the tags time to energize -// FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); // NO GOOD FOR SIM TAG!!!! + // Start from off (no field generated) + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelay(200); LED_A_OFF(); 
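Review bot: The new `uid` parameter of SimTagIso15693 is undocumented: the comment block above the signature still describes only the old behaviour, and `parameter` is no longer referenced anywhere in the visible lines. Add a line such as `// uid: 8-byte UID to present to the reader; handed to BuildInventoryResponse, must not be NULL` and either use or drop `parameter`. The body continues in the next hunk, where all eight `uid` bytes are dereferenced.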
@@ -1189,24 +1136,26 @@ void SimTagIso15693(uint32_t parameter) LED_C_ON(); LED_D_OFF(); - int samples = 0; - int tsamples = 0; - int wait = 0; - int elapsed = 0; - - answerLen1 = GetIso15693AnswerFromSniff(answer1, 100, &samples, &elapsed) ; + // Listen to reader + answerLen1 = GetIso15693AnswerFromSniff(buf, 100, &samples, &elapsed) ; if (answerLen1 >=1) // we should do a better check than this { // Build a suitable reponse to the reader INVENTORY cocmmand - BuildInventoryResponse(); + // not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below. + + BuildInventoryResponse(uid); + TransmitTo15693Reader(ToSend,ToSendMax, &tsamples, &wait); } Dbprintf("%d octets read from reader command: %x %x %x %x %x %x %x %x %x", answerLen1, - answer1[0], answer1[1], answer1[2], - answer1[3], answer1[4], answer1[5], - answer1[6], answer1[7], answer1[8]); + buf[0], buf[1], buf[2], buf[3], + buf[4], buf[5], buf[6], buf[7], buf[8]); + + Dbprintf("Simulationg uid: %x %x %x %x %x %x %x %x", + uid[0], uid[1], uid[2], uid[3], + uid[4], uid[5], uid[6], uid[7]); LED_A_OFF(); LED_B_OFF(); @@ -1275,12 +1224,8 @@ void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8 recvlen=SendDataTag(data,datalen,1,speed,(recv?&recvbuf:NULL)); if (recv) { -// n.cmd=/* CMD_ISO_15693_COMMAND_DONE */ CMD_ACK; -// n.arg[0]=recvlen>48?48:recvlen; -// memcpy(n.d.asBytes, recvbuf, 48); LED_B_ON(); cmd_send(CMD_ACK,recvlen>48?48:recvlen,0,0,recvbuf,48); -// UsbSendPacket((uint8_t *)&n, sizeof(n)); LED_B_OFF(); if (DEBUG) { diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c index 344b0f3e..8541553b 100644 --- a/armsrc/mifarecmd.c +++ b/armsrc/mifarecmd.c 
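Review bot: The added runtime string `"Simulationg uid: ..."` is misspelled and prints each byte with `%x`, so leading zeros are dropped, unlike the `%02hX` UID print in ReaderIso15693; use `Dbprintf("Simulating uid: %02x %02x %02x %02x %02x %02x %02x %02x",`. `uid` is dereferenced for all eight bytes and passed to `BuildInventoryResponse(uid)` with no NULL check; the only caller visible on this page (CmdHF15Sim) copies 8 bytes into `c.d.asBytes`, so presumably the dispatcher hands that buffer over, but an explicit `if (!uid) return;` at function entry (in the previous hunk) would make the contract enforceable. The added comment also carries typos (`reponse`, `cocmmand`, `obsvious`). The signature of SimTagIso15693 lies in the previous hunk.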
@@ -2,6 +2,9 @@ // Merlok - June 2011, 2012 // Gerhard de Koning Gans - May 2008 // Hagen Fritsch - June 2010 +// Midnitesnake - Dec 2013 +// Andy Davies - Apr 2014 +// Iceman - May 2014 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -36,8 +39,6 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // clear trace iso14a_clear_trace(); -// iso14a_set_tracing(false); - iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); LED_A_ON(); @@ -81,8 +82,6 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); -// iso14a_set_tracing(TRUE); - } void MifareUReadBlock(uint8_t arg0,uint8_t *datain) @@ -129,14 +128,10 @@ void MifareUReadBlock(uint8_t arg0,uint8_t *datain) LED_B_ON(); cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16); LED_B_OFF(); - - - // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); } - //----------------------------------------------------------------------------- // Select, Authenticate, Read a MIFARE tag. // read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes) @@ -150,7 +145,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) ui64Key = bytes_to_num(datain, 6); // variables - byte_t isOK; + byte_t isOK = 0; byte_t dataoutbuf[16 * 16]; uint8_t uid[10]; uint32_t cuid; @@ -160,7 +155,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // clear trace iso14a_clear_trace(); -// iso14a_set_tracing(false); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); @@ -192,7 +186,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) if (MF_DBGLEVEL >= 1) Dbprintf("Halt error"); } - // ----------------------------- crypto1 destroy crypto1_destroy(pcs); 
@@ -205,7 +198,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); -// iso14a_set_tracing(TRUE); } @@ -288,7 +280,6 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // clear trace iso14a_clear_trace(); -// iso14a_set_tracing(false); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); @@ -334,11 +325,8 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); -// iso14a_set_tracing(TRUE); - } - void MifareUWriteBlock(uint8_t arg0, uint8_t *datain) { // params @@ -355,7 +343,6 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain) // clear trace iso14a_clear_trace(); - // iso14a_set_tracing(false); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); @@ -396,7 +383,6 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain) // iso14a_set_tracing(TRUE); } - void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain) { // params @@ -412,7 +398,6 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain) // clear trace iso14a_clear_trace(); - // iso14a_set_tracing(false); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); @@ -446,15 +431,11 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain) cmd_send(CMD_ACK,isOK,0,0,0,0); LED_B_OFF(); - // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); -// iso14a_set_tracing(TRUE); - } - // Return 1 if the nonce is invalid else return 0 int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) { return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \ @@ -510,6 +491,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat // statistics on nonce distance if (calibrate) { // for first call only. Otherwise reuse previous calibration LED_B_ON(); + WDT_HIT(); davg = dmax = 0; dmin = 2000; 
@@ -733,7 +715,6 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6); LED_B_OFF(); - // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); @@ -750,7 +731,6 @@ void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai Dbprintf("Debug level: %d", MF_DBGLEVEL); } - //----------------------------------------------------------------------------- // Work with emulator memory // @@ -759,23 +739,19 @@ void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) emlClearMem(); } - void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ emlSetMem(datain, arg0, arg1); // data, block num, blocks count } - void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){ - - byte_t buf[48]; + byte_t buf[USB_CMD_DATA_SIZE]; emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4) LED_B_ON(); - cmd_send(CMD_ACK,arg0,arg1,0,buf,48); + cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE); LED_B_OFF(); } - //----------------------------------------------------------------------------- // Load a card into the emulator memory // 
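Review bot: Growing `buf` to `USB_CMD_DATA_SIZE` in MifareEMemGet does not bound what `emlGetMem(buf, arg0, arg1)` writes into it: `emlGetMem` (mifareutil.c hunk further down this page) copies `blocksCount * 16` bytes with no range check, so an `arg1` above `USB_CMD_DATA_SIZE / 16` overruns the stack buffer, and `arg0` is likewise used unchecked as the block offset into emulator memory; both presumably originate from the host command. Clamp before the call, e.g. `if (arg1 > USB_CMD_DATA_SIZE / 16) arg1 = USB_CMD_DATA_SIZE / 16;`, and fix the trailing `(max 4)` comment, which described the old 48-byte buffer. MifareEMemGet is shown in full in this hunk.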
@@ -884,32 +860,26 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai // variables byte_t isOK = 0; - uint8_t uid[10]; - uint8_t d_block[18]; + uint8_t uid[10] = {0x00}; + uint8_t d_block[18] = {0x00}; uint32_t cuid; - memset(uid, 0x00, 10); uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf(); uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; + // reset FPGA and LED if (workFlags & 0x08) { - // clear trace - iso14a_clear_trace(); - iso14a_set_tracing(TRUE); - - iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); - LED_A_ON(); LED_B_OFF(); LED_C_OFF(); - SpinDelay(300); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(100); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); + iso14a_clear_trace(); + iso14a_set_tracing(TRUE); + iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); } while (true) { + // get UID from chip if (workFlags & 0x01) { if(!iso14443a_select_card(uid, NULL, &cuid)) { @@ -988,7 +958,6 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai LED_B_OFF(); if ((workFlags & 0x10) || (!isOK)) { - // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); } 
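Review bot: `uint32_t cuid;` in MifareCSetBlock stays uninitialised while the neighbouring `uid` and `d_block` now get `= {0x00}`, and the MifareCGetBlock hunk below writes `uint32_t cuid = 0;`; make the two consistent with `uint32_t cuid = 0;`. Since `iso14443a_select_card(uid, NULL, &cuid)` only runs when `workFlags & 0x01` is set, whether `cuid` can be read unset depends on the rest of the loop, which lies outside this hunk, so this is raised as a consistency point rather than a confirmed bug. The `while (true)` body and the function's end are outside the hunk.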
@@ -1011,28 +980,20 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai // variables byte_t isOK = 0; - uint8_t data[18]; + uint8_t data[18] = {0x00}; uint32_t cuid = 0; - memset(data, 0x00, 18); uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf(); uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; if (workFlags & 0x08) { - // clear trace - iso14a_clear_trace(); - iso14a_set_tracing(TRUE); - - iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); - LED_A_ON(); LED_B_OFF(); LED_C_OFF(); - SpinDelay(300); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(100); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); + iso14a_clear_trace(); + iso14a_set_tracing(TRUE); + iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); } while (true) { @@ -1073,9 +1034,40 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai LED_B_OFF(); if ((workFlags & 0x10) || (!isOK)) { - // Thats it... FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); } } +void MifareCIdent(){ + + // card commands + uint8_t wupC1[] = { 0x40 }; + uint8_t wupC2[] = { 0x43 }; + + // variables + byte_t isOK = 1; + + uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf(); + uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; + + ReaderTransmitBitsPar(wupC1,7,0, NULL); + if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { + isOK = 0; + }; + + ReaderTransmit(wupC2, sizeof(wupC2), NULL); + if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) { + isOK = 0; + }; + + if (mifare_classic_halt(NULL, 0)) { + isOK = 0; + }; + + cmd_send(CMD_ACK,isOK,0,0,0,0); +} + + // +// DESFIRE +// diff --git a/armsrc/mifaresniff.c b/armsrc/mifaresniff.c index 910ea74d..fed12772 100644 --- a/armsrc/mifaresniff.c +++ b/armsrc/mifaresniff.c 
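Review bot: The new MifareCIdent transmits `wupC1`/`wupC2` without the `iso14a_clear_trace()` / `iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN)` preamble and the closing `FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff();` that every other command in this file uses, so unless its caller performs that setup (not visible here) the field is never configured and the reader is left in whatever state it was in. Declare it as `void MifareCIdent(void)` rather than with an empty parameter list, drop the stray `;` after each `if` block, and name the `0x0a` ACK byte with a define or a `// 0x0a = ACK` comment instead of repeating the magic number. The function is shown in full in this hunk.
```c
void MifareCIdent(void) {
	// … unchanged: wupC1/wupC2, isOK and receivedAnswer declarations …
	iso14a_clear_trace();
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
	LED_A_ON();
	// … unchanged: wupC1 / wupC2 exchange and mifare_classic_halt, without the `;` after each `}` …
	cmd_send(CMD_ACK,isOK,0,0,0,0);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LEDsoff();
}
```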
@@ -11,7 +11,6 @@ #include "mifaresniff.h" #include "apps.h" - static int sniffState = SNF_INIT; static uint8_t sniffUIDType; static uint8_t sniffUID[8]; diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c index 5122d0ec..7c856557 100644 --- a/armsrc/mifareutil.c +++ b/armsrc/mifareutil.c @@ -54,10 +54,12 @@ void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, u uint8_t bt = 0; int i; par[0] = 0; + for (i = 0; i < len; i++) { bt = data[i]; data[i] = crypto1_byte(pcs, 0x00, 0) ^ data[i]; - if((i&0x0007) == 0) par[i>>3] = 0; + if((i&0x0007) == 0) + par[i>>3] = 0; par[i>>3] |= (((filter(pcs->odd) ^ oddparity(bt)) & 0x01)<<(7-(i&0x0007))); } return; @@ -81,9 +83,7 @@ int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing) { - uint8_t dcmd[8];//, ecmd[4]; - //uint32_t par=0; - + uint8_t dcmd[8]; dcmd[0] = cmd; dcmd[1] = data[0]; dcmd[2] = data[1]; @@ -91,10 +91,6 @@ int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint dcmd[4] = data[3]; dcmd[5] = data[4]; AppendCrc14443a(dcmd, 6); - //Dbprintf("Data command: %02x", dcmd[0]); - //Dbprintf("Data R: %02x %02x %02x %02x %02x %02x %02x", dcmd[1],dcmd[2],dcmd[3],dcmd[4],dcmd[5],dcmd[6],dcmd[7]); - - //memcpy(ecmd, dcmd, sizeof(dcmd)); ReaderTransmit(dcmd, sizeof(dcmd), NULL); int len = ReaderReceive(answer, answer_parity); if(!len) @@ -165,7 +161,7 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN int len; uint32_t pos; uint8_t tmp4[4]; - uint8_t par[1] = {0}; + uint8_t par[1] = {0x00}; byte_t nr[4]; uint32_t nt, ntpp; // Supplied tag nonce 
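Review bot: Splitting `if((i&0x0007) == 0)` and `par[i>>3] = 0;` onto two lines without braces in mf_crypto1_encrypt invites a misplaced-statement bug the next time the body grows; brace it: `if ((i & 0x0007) == 0) { par[i>>3] = 0; }`. The loop that follows and the `return;` are in the hunk, but the function's signature is not.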
@@ -210,7 +206,6 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN if (ntptr) *ntptr = nt; - // Generate (encrypted) nr+parity by loading it into the cipher (Nr) par[0] = 0; for (pos = 0; pos < 4; pos++) @@ -292,6 +287,7 @@ int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData) uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf(); uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; + // command MIFARE_CLASSIC_READBLOCK len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL); if (len == 1) { @@ -318,7 +314,7 @@ int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData) int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) { // variables - int len, i; + uint16_t len, i; uint32_t pos; uint8_t par[3] = {0}; // enough for 18 Bytes to send byte_t res; @@ -367,7 +363,6 @@ int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData) // variables uint16_t len; uint8_t par[3] = {0}; // enough for 18 parity bits - uint8_t d_block[18]; uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf(); uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; @@ -400,7 +395,6 @@ int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData) int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData) { uint16_t len; - uint8_t d_block[8]; uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf(); uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; 
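Review bot: Changing `int len, i;` to `uint16_t len, i;` in mifare_classic_writeblock changes the sign of every comparison on `len`; if the body (outside this hunk) tests a negative return from the receive path, that branch becomes unreachable, and any `for (i = 0; i < len; ...)` now mixes two unsigned operands only because both were changed together. Please confirm that `len` is only compared against small positive constants, or keep `int len` and make `i` alone `uint16_t`. The other hunks on this line only drop unused `d_block` arrays and comments.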
@@ -418,16 +412,12 @@ int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *bloc if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Send Error: %02x %d", receivedAnswer[0],len); return 1; } - - return 0; + return 0; } int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid) { - // variables uint16_t len; - - // Mifare HALT uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf(); uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; @@ -443,8 +433,6 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid) int mifare_ultra_halt(uint32_t uid) { uint16_t len; - - // Mifare HALT uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf(); uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE; @@ -481,19 +469,16 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo) // work with emulator memory void emlSetMem(uint8_t *data, int blockNum, int blocksCount) { uint8_t* emCARD = get_bigbufptr_emlcardmem(); - memcpy(emCARD + blockNum * 16, data, blocksCount * 16); } void emlGetMem(uint8_t *data, int blockNum, int blocksCount) { uint8_t* emCARD = get_bigbufptr_emlcardmem(); - memcpy(data, emCARD + blockNum * 16, blocksCount * 16); } void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount) { uint8_t* emCARD = get_bigbufptr_emlcardmem(); - memcpy(data, emCARD + bytePtr, byteCount); } @@ -522,7 +507,6 @@ int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum) { memcpy(blReg, data, 4); *blBlock = data[12]; - return 0; } diff --git a/armsrc/string.h b/armsrc/string.h index 46ee218d..421c2bf0 100644 --- a/armsrc/string.h +++ b/armsrc/string.h 
@@ -12,10 +12,13 @@ #ifndef __STRING_H #define __STRING_H +#include +#include + int strlen(const char *str); -void *memcpy(void *dest, const void *src, int len); +RAMFUNC void *memcpy(void *dest, const void *src, int len); void *memset(void *dest, int c, int len); -int memcmp(const void *av, const void *bv, int len); +RAMFUNC int memcmp(const void *av, const void *bv, int len); char *strncat(char *dest, const char *src, unsigned int n); char *strcat(char *dest, const char *src); void strreverse(char s[]); diff --git a/client/Makefile b/client/Makefile index b2b215e1..37616e48 100644 --- a/client/Makefile +++ b/client/Makefile @@ -13,7 +13,7 @@ CXX=g++ VPATH = ../common OBJDIR = obj -LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread ../liblua/liblua.a +LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm -lcrypto LDFLAGS = $(COMMON_FLAGS) CFLAGS = -std=c99 -lcrypto -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4 LUAPLATFORM = generic diff --git a/client/cmdhf.c b/client/cmdhf.c index 85cc5425..2da4c2d9 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -10,7 +10,6 @@ #include #include -//#include "proxusb.h" #include "proxmark3.h" #include "graph.h" #include "ui.h" 
@@ -35,9 +34,97 @@ int CmdHFTune(const char *Cmd) // for the time being. Need better Bigbuf handling. #define TRACE_SIZE 3000 +//The following data is taken from http://www.proxmark.org/forum/viewtopic.php?pid=13501#p13501 +/* +ISO14443A (usually NFC tags) + 26 (7bits) = REQA + 30 = Read (usage: 30+1byte block number+2bytes ISO14443A-CRC - answer: 16bytes) + A2 = Write (usage: A2+1byte block number+4bytes data+2bytes ISO14443A-CRC - answer: 0A [ACK] or 00 [NAK]) + 52 (7bits) = WUPA (usage: 52(7bits) - answer: 2bytes ATQA) + 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) + 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) + 95 20 = Anticollision of cascade level2 + 95 70 = Select of cascade level2 + 50 00 = Halt (usage: 5000+2bytes ISO14443A-CRC - no answer from card) +Mifare + 60 = Authenticate with KeyA + 61 = Authenticate with KeyB + 40 (7bits) = Used to put Chinese Changeable UID cards in special mode (must be followed by 43 (8bits) - answer: 0A) + C0 = Decrement + C1 = Increment + C2 = Restore + B0 = Transfer +Ultralight C + A0 = Compatibility Write (to accomodate MIFARE commands) + 1A = Step1 Authenticate + AF = Step2 Authenticate + + +ISO14443B + 05 = REQB + 1D = ATTRIB + 50 = HALT +SRIX4K (tag does not respond to 05) + 06 00 = INITIATE + 0E xx = SELECT ID (xx = Chip-ID) + 0B = Get UID + 08 yy = Read Block (yy = block number) + 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written) + 0C = Reset to Inventory + 0F = Completion + 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate) + + +ISO15693 + MANDATORY COMMANDS (all ISO15693 tags must support those) + 01 = Inventory (usage: 260100+2bytes ISO15693-CRC - answer: 12bytes) + 02 = Stay Quiet + OPTIONAL COMMANDS (not all tags support them) + 20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes) + 21 = Write Block (usage: 0221+1byte block number+4bytes data+2bytes ISO15693-CRC - 
answer: 4bytes) + 22 = Lock Block + 23 = Read Multiple Blocks (usage: 0223+1byte 1st block to read+1byte last block to read+2bytes ISO15693-CRC) + 25 = Select + 26 = Reset to Ready + 27 = Write AFI + 28 = Lock AFI + 29 = Write DSFID + 2A = Lock DSFID + 2B = Get_System_Info (usage: 022B+2bytes ISO15693-CRC - answer: 14 or more bytes) + 2C = Read Multiple Block Security Status (usage: 022C+1byte 1st block security to read+1byte last block security to read+2bytes ISO15693-CRC) + +EM Microelectronic CUSTOM COMMANDS + A5 = Active EAS (followed by 1byte IC Manufacturer code+1byte EAS type) + A7 = Write EAS ID (followed by 1byte IC Manufacturer code+2bytes EAS value) + B8 = Get Protection Status for a specific block (followed by 1byte IC Manufacturer code+1byte block number+1byte of how many blocks after the previous is needed the info) + E4 = Login (followed by 1byte IC Manufacturer code+4bytes password) +NXP/Philips CUSTOM COMMANDS + A0 = Inventory Read + A1 = Fast Inventory Read + A2 = Set EAS + A3 = Reset EAS + A4 = Lock EAS + A5 = EAS Alarm + A6 = Password Protect EAS + A7 = Write EAS ID + A8 = Read EPC + B0 = Inventory Page Read + B1 = Fast Inventory Page Read + B2 = Get Random Number + B3 = Set Password + B4 = Write Password + B5 = Lock Password + B6 = Bit Password Protection + B7 = Lock Page Protection Condition + B8 = Get Multiple Block Protection Status + B9 = Destroy SLI + BA = Enable Privacy + BB = 64bit Password Protection + 40 = Long Range CMD (Standard ISO/TR7003:1990) + */ + #define ICLASS_CMD_ACTALL 0x0A -#define ICLASS_CMD_IDENTIFY 0x0C -#define ICLASS_CMD_READ 0x0C +#define ICLASS_CMD_READ_OR_IDENTIFY 0x0C #define ICLASS_CMD_SELECT 0x81 #define ICLASS_CMD_PAGESEL 0x84 #define ICLASS_CMD_READCHECK 0x88 
@@ -45,62 +132,108 @@ int CmdHFTune(const char *Cmd) #define ICLASS_CMD_SOF 0x0F #define ICLASS_CMD_HALT 0x00 -#define iso14443_CMD_WUPA 0x52 -#define iso14443_CMD_SELECT 0x93 -#define iso14443_CMD_SELECT_2 0x95 -#define iso14443_CMD_REQ 0x26 -#define iso14443_CMD_READBLOCK 0x30 -#define iso14443_CMD_WRITEBLOCK 0xA0 -#define iso14443_CMD_INC 0xC0 -#define iso14443_CMD_DEC 0xC1 -#define iso14443_CMD_RESTORE 0xC2 -#define iso14443_CMD_TRANSFER 0xB0 -#define iso14443_CMD_HALT 0x50 -#define iso14443_CMD_RATS 0xE0 +#define ISO14443_CMD_REQA 0x26 +#define ISO14443_CMD_READBLOCK 0x30 +#define ISO14443_CMD_WUPA 0x52 +#define ISO14443_CMD_ANTICOLL_OR_SELECT 0x93 +#define ISO14443_CMD_ANTICOLL_OR_SELECT_2 0x95 +#define ISO14443_CMD_WRITEBLOCK 0xA0 // or 0xA2 ? +#define ISO14443_CMD_HALT 0x50 +#define ISO14443_CMD_RATS 0xE0 + +#define MIFARE_AUTH_KEYA 0x60 +#define MIFARE_AUTH_KEYB 0x61 +#define MIFARE_MAGICMODE 0x40 +#define MIFARE_CMD_INC 0xC0 +#define MIFARE_CMD_DEC 0xC1 +#define MIFARE_CMD_RESTORE 0xC2 +#define MIFARE_CMD_TRANSFER 0xB0 + +#define MIFARE_ULC_WRITE 0xA0 +#define MIFARE_ULC_AUTH_1 0x1A +#define MIFARE_ULC_AUTH_2 0xAF + +#define ISO14443B_REQB 0x05 +#define ISO14443B_ATTRIB 0x1D +#define ISO14443B_HALT 0x50 + +//First byte is 26 +#define ISO15693_INVENTORY 0x01 +#define ISO15693_STAYQUIET 0x02 +//First byte is 02 +#define ISO15693_READBLOCK 0x20 +#define ISO15693_WRITEBLOCK 0x21 +#define ISO15693_LOCKBLOCK 0x22 +#define ISO15693_READ_MULTI_BLOCK 0x23 +#define ISO15693_SELECT 0x25 +#define ISO15693_RESET_TO_READY 0x26 +#define ISO15693_WRITE_AFI 0x27 +#define ISO15693_LOCK_AFI 0x28 +#define ISO15693_WRITE_DSFID 0x29 +#define ISO15693_LOCK_DSFID 0x2A +#define ISO15693_GET_SYSTEM_INFO 0x2B +#define ISO15693_READ_MULTI_SECSTATUS 0x2C + + void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { switch(cmd[0]) { - case iso14443_CMD_WUPA: snprintf(exp,size,"WUPA"); break; - case iso14443_CMD_SELECT:{ - if(cmdsize > 2) + case ISO14443_CMD_WUPA: 
snprintf(exp,size,"WUPA"); break; + case ISO14443_CMD_ANTICOLL_OR_SELECT:{ + // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) + // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) + if(cmd[2] == 0x70) { snprintf(exp,size,"SELECT_UID"); break; }else { - snprintf(exp,size,"SELECT_ALL"); break; + snprintf(exp,size,"ANTICOLL"); break; + } + } + case ISO14443_CMD_ANTICOLL_OR_SELECT_2:{ + //95 20 = Anticollision of cascade level2 + //95 70 = Select of cascade level2 + if(cmd[2] == 0x70) + { + snprintf(exp,size,"SELECT_UID-2"); break; + }else + { + snprintf(exp,size,"ANTICOLL-2"); break; } } - case iso14443_CMD_SELECT_2: snprintf(exp,size,"SELECT_2"); break; - case iso14443_CMD_REQ: snprintf(exp,size,"REW"); break; - case iso14443_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; - case iso14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; - case iso14443_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; - case iso14443_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; - case iso14443_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; - case iso14443_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; - case iso14443_CMD_HALT: snprintf(exp,size,"HALT"); break; - case iso14443_CMD_RATS: snprintf(exp,size,"RATS"); break; - default: snprintf(exp,size,"?"); break; + case ISO14443_CMD_REQA: snprintf(exp,size,"REQA"); break; + case ISO14443_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; + case ISO14443_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; + case ISO14443_CMD_HALT: snprintf(exp,size,"HALT"); break; + case ISO14443_CMD_RATS: snprintf(exp,size,"RATS"); break; + case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; + case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; + case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; + case MIFARE_CMD_TRANSFER: 
snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; + case MIFARE_AUTH_KEYA: snprintf(exp,size,"AUTH-A"); break; + case MIFARE_AUTH_KEYB: snprintf(exp,size,"AUTH-B"); break; + case MIFARE_MAGICMODE: snprintf(exp,size,"MAGIC"); break; + default: snprintf(exp,size,"?"); break; } return; } void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { - - if(cmdsize > 1 && cmd[0] == ICLASS_CMD_READ) - { - snprintf(exp,size,"READ(%d)",cmd[1]); - return; - } - switch(cmd[0]) { case ICLASS_CMD_ACTALL: snprintf(exp,size,"ACTALL"); break; - case ICLASS_CMD_IDENTIFY: snprintf(exp,size,"IDENTIFY"); break; + case ICLASS_CMD_READ_OR_IDENTIFY:{ + if(cmdsize > 1){ + snprintf(exp,size,"READ(%d)",cmd[1]); + }else{ + snprintf(exp,size,"IDENTIFY"); + } + break; + } case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break; case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL"); break; case ICLASS_CMD_READCHECK: snprintf(exp,size,"READCHECK"); break; 
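Review bot: The rewritten `ISO14443_CMD_ANTICOLL_OR_SELECT` and `_2` cases read `cmd[2]` unconditionally, whereas the old code guarded it with `if(cmdsize > 2)`; a plain anticollision frame is two bytes (`93 20`, per the table added above), so `cmd[2]` is read past the command for exactly the frames that take the ANTICOLL branch. Restore the length check in both cases: `if(cmdsize > 2 && cmd[2] == 0x70)`. The `// or 0xA2 ?` question left on `ISO14443_CMD_WRITEBLOCK` is answered by the same table (`A2 = Write` under ISO14443A, `A0 = Compatibility Write` under Ultralight C, already `MIFARE_ULC_WRITE`), which suggests `0xA2` with a settled comment. annotateIso14443a closes inside the hunk, but the trace buffer it reads from is not visible, so how far the over-read reaches depends on the caller.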
@@ -112,7 +245,37 @@ void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) return; } +void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) +{ + + if(cmd[0] == 0x26) + { + switch(cmd[1]){ + case ISO15693_INVENTORY :snprintf(exp, size, "INVENTORY");break; + case ISO15693_STAYQUIET :snprintf(exp, size, "STAY_QUIET");break; + default: snprintf(exp,size,"?"); break; + } + }else if(cmd[0] == 0x02) + { + switch(cmd[1]) + { + case ISO15693_READBLOCK :snprintf(exp, size, "READBLOCK");break; + case ISO15693_WRITEBLOCK :snprintf(exp, size, "WRITEBLOCK");break; + case ISO15693_LOCKBLOCK :snprintf(exp, size, "LOCKBLOCK");break; + case ISO15693_READ_MULTI_BLOCK :snprintf(exp, size, "READ_MULTI_BLOCK");break; + case ISO15693_SELECT :snprintf(exp, size, "SELECT");break; + case ISO15693_RESET_TO_READY :snprintf(exp, size, "RESET_TO_READY");break; + case ISO15693_WRITE_AFI :snprintf(exp, size, "WRITE_AFI");break; + case ISO15693_LOCK_AFI :snprintf(exp, size, "LOCK_AFI");break; + case ISO15693_WRITE_DSFID :snprintf(exp, size, "WRITE_DSFID");break; + case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break; + case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break; + case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break; + default: snprintf(exp,size,"?"); break; + } + } +} uint16_t printTraceLine(uint16_t tracepos, uint8_t* trace, bool iclass, bool showWaitCycles) { diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index 36ffe1b8..673737e2 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c 
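Review bot: annotateIso15693 reads `cmd[1]` without checking `cmdsize > 1`, and leaves `exp` untouched when `cmd[0]` is neither 0x26 nor 0x02, unlike annotateIso14443a and annotateIclass, which always write `"?"` from a default branch; a caller that reuses the buffer will then print a stale label. Add a guard at the top, `if (cmdsize < 2) { snprintf(exp, size, "?"); return; }`, and an `else { snprintf(exp,size,"?"); }` after the 0x02 branch. The function is shown in full in this hunk.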
@@ -67,6 +67,7 @@ int CmdHF14AReader(const char *Cmd) switch (card.sak) { case 0x00: PrintAndLog("TYPE : NXP MIFARE Ultralight | Ultralight C"); break; + case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break; case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break; case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break; case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break; @@ -301,6 +302,7 @@ int CmdHF14ASim(const char *Cmd) PrintAndLog(" 2 = MIFARE Ultralight"); PrintAndLog(" 3 = MIFARE DESFIRE"); PrintAndLog(" 4 = ISO/IEC 14443-4"); + PrintAndLog(" 5 = MIFARE TNP3XXX"); PrintAndLog(""); return 1; } @@ -328,10 +330,6 @@ int CmdHF14ASim(const char *Cmd) // At lease save the mandatory first part of the UID c.arg[0] = long_uid & 0xffffffff; - - // At lease save the mandatory first part of the UID - c.arg[0] = long_uid & 0xffffffff; - if (c.arg[1] == 0) { PrintAndLog("Emulating ISO/IEC 14443 type A tag with UID %01d %08x %08x",c.arg[0],c.arg[1],c.arg[2]); } diff --git a/client/cmdhf14b.c b/client/cmdhf14b.c index c42d54c5..7e4cbd00 100644 --- a/client/cmdhf14b.c +++ b/client/cmdhf14b.c @@ -14,15 +14,16 @@ #include #include #include "iso14443crc.h" -//#include "proxusb.h" #include "proxmark3.h" #include "data.h" #include "graph.h" +#include "util.h" #include "ui.h" #include "cmdparser.h" #include "cmdhf14b.h" #include "cmdmain.h" + static int CmdHelp(const char *Cmd); int CmdHF14BDemod(const char *Cmd) 
@@ -387,6 +388,66 @@ int CmdHF14BCmdRaw (const char *cmd) { return 0; } +int CmdHF14BWrite( const char *Cmd){ + +/* + * For SRIX4K blocks 00 - 7F + * hf 14b raw -c -p 09 $srix4kwblock $srix4kwdata + * + * For SR512 blocks 00 - 0F + * hf 14b raw -c -p 09 $sr512wblock $sr512wdata + * + * Special block FF = otp_lock_reg block. + * Data len 4 bytes- + */ + char cmdp = param_getchar(Cmd, 0); + uint8_t blockno = -1; + uint8_t data[4] = {0x00}; + bool isSrix4k = true; + char str[20]; + + if (cmdp == 'h' || cmdp == 'H') { + PrintAndLog("Usage: hf 14b write <1|2> "); + PrintAndLog(""); + PrintAndLog(" sample: hf 14b write 1 127 11223344"); + PrintAndLog(" sample: hf 14b write 1 255 11223344"); + PrintAndLog(" sample: hf 14b write 2 15 11223344"); + PrintAndLog(" sample: hf 14b write 2 255 11223344"); + return 0; + } + + if ( param_getchar(Cmd, 0) == '2' ) + isSrix4k = false; + + blockno = param_get8(Cmd, 1); + + if ( isSrix4k ){ + if ( blockno > 0x7f && blockno != 0xff ){ + PrintAndLog("Block number out of range"); + return 0; + } + } else { + if ( blockno > 0x0f && blockno != 0xff ){ + PrintAndLog("Block number out of range"); + return 0; + } + } + + if (param_gethex(Cmd, 2, data, 8)) { + PrintAndLog("Data must include 8 HEX symbols"); + return 0; + } + + if ( blockno == 0xff) + PrintAndLog("Writing to special block %02X [ %s]", blockno, sprint_hex(data,4) ); + else + PrintAndLog("Writing to block %02X [ %s]", blockno, sprint_hex(data,4) ); + + sprintf(str, "-c -p 09 %02x %02x%02x%02x%02x", blockno, data[0], data[1], data[2], data[3]); + CmdHF14BCmdRaw(str); + return 0; +} + static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, 
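Review bot: `char str[20]` is one byte too small for the command CmdHF14BWrite builds: `"-c -p 09 "` (9) plus `%02x` (2), a space (1) and four `%02x` (8) is 20 characters, so `sprintf` writes 21 bytes including the terminator and overflows the stack array. Use a larger buffer and a bounded formatter: `char str[32];` and `snprintf(str, sizeof str, "-c -p 09 %02x %02x%02x%02x%02x", blockno, data[0], data[1], data[2], data[3]);`. `uint8_t blockno = -1;` also silently becomes 0xff, the value the function treats as the special block, so an initial value that the range checks would reject is preferable, and the return value of `CmdHF14BCmdRaw(str)` is discarded. The function is shown in full in this hunk.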
@@ -399,6 +460,7 @@ static command_t CommandTable[] = {"sri512read", CmdSri512Read, 0, "Read contents of a SRI512 tag"}, {"srix4kread", CmdSrix4kRead, 0, "Read contents of a SRIX4K tag"}, {"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"}, + {"write", CmdHF14BWrite, 0, "Write data to a SRI512 | SRIX4K tag"}, {NULL, NULL, 0, NULL} }; diff --git a/client/cmdhf14b.h b/client/cmdhf14b.h index 50d64762..cc8b9dbd 100644 --- a/client/cmdhf14b.h +++ b/client/cmdhf14b.h @@ -21,5 +21,6 @@ int CmdHFSimlisten(const char *Cmd); int CmdHF14BSnoop(const char *Cmd); int CmdSri512Read(const char *Cmd); int CmdSrix4kRead(const char *Cmd); +int CmdHF14BWrite( const char *cmd); #endif diff --git a/client/cmdhf15.c b/client/cmdhf15.c index 2239e9e4..b1e04e9a 100644 --- a/client/cmdhf15.c +++ b/client/cmdhf15.c @@ -26,11 +26,12 @@ #include #include #include -//#include "proxusb.h" + #include "proxmark3.h" #include "data.h" #include "graph.h" #include "ui.h" +#include "util.h" #include "cmdparser.h" #include "cmdhf15.h" #include "iso15693tools.h" @@ -58,8 +59,10 @@ const productName uidmapping[] = { { 0xE001000000000000LL, 16, "Motorola" }, { 0xE002000000000000LL, 16, "ST Microelectronics" }, { 0xE003000000000000LL, 16, "Hitachi" }, - { 0xE004000000000000LL, 16, "Philips" }, - { 0xE004010000000000LL, 24, "Philips; IC SL2 ICS20" }, + { 0xE004000000000000LL, 16, "NXP(Philips)" }, + { 0xE004010000000000LL, 24, "NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)" }, + { 0xE004020000000000LL, 24, "NXP(Philips); IC SL2 ICS53/ICS54(SLI-S) ICS5302/ICS5402(SLIX-S)" }, + { 0xE004030000000000LL, 24, "NXP(Philips); IC SL2 ICS50/ICS51(SLI-L) ICS5002/ICS5102(SLIX-L)" }, { 0xE005000000000000LL, 16, "Infineon" }, { 0xE005400000000000LL, 24, "Infineon; 56x32bit" }, { 0xE006000000000000LL, 16, "Cylinc" }, 
@@ -273,7 +276,28 @@ int CmdHF15Reader(const char *Cmd) // Simulation is still not working very good int CmdHF15Sim(const char *Cmd) { - UsbCommand c = {CMD_SIMTAG_ISO_15693, {strtol(Cmd, NULL, 0), 0, 0}}; + char cmdp = param_getchar(Cmd, 0); + uint8_t uid[8] = {0x00}; + + //E0 16 24 00 00 00 00 00 + if (cmdp == 'h' || cmdp == 'H') { + PrintAndLog("Usage: hf 15 sim "); + PrintAndLog(""); + PrintAndLog(" sample: hf 15 sim E016240000000000"); + return 0; + } + + if (param_gethex(Cmd, 0, uid, 16)) { + PrintAndLog("UID must include 16 HEX symbols"); + return 0; + } + + PrintAndLog("Starting simulating UID %02X %02X %02X %02X %02X %02X %02X %02X", + uid[0],uid[1],uid[2],uid[3],uid[4], uid[5], uid[6], uid[7]); + + UsbCommand c = {CMD_SIMTAG_ISO_15693, {0, 0, 0}}; + memcpy(c.d.asBytes,uid,8); + SendCommand(&c); return 0; } @@ -324,7 +348,7 @@ int CmdHF15DumpMem(const char*Cmd) { if (!(recv[0] & ISO15_RES_ERROR)) { retry=0; *output=0; // reset outputstring - sprintf(output, "Block %2i ",blocknum); + sprintf(output, "Block %02x ",blocknum); for ( int i=1; i"); - PrintAndLog(" 0..no debugging output 1..turn debugging on"); + PrintAndLog("Usage: hf 15 cmd debug <0|1>"); + PrintAndLog(" 0 no debugging"); + PrintAndLog(" 1 turn debugging on"); return 0; } @@ -536,7 +561,7 @@ int CmdHF15CmdRaw (const char *cmd) { int prepareHF15Cmd(char **cmd, UsbCommand *c, uint8_t iso15cmd[], int iso15cmdlen) { int temp; uint8_t *req=c->d.asBytes; - uint8_t uid[8] = {0}; + uint8_t uid[8] = {0x00}; uint32_t reqlen=0; // strip diff --git a/client/cmdhfepa.c b/client/cmdhfepa.c index 8f6a6af2..3286ceb9 100644 --- a/client/cmdhfepa.c +++ b/client/cmdhfepa.c @@ -45,7 +45,7 @@ int CmdHFEPACollectPACENonces(const char *Cmd) SendCommand(&c); UsbCommand resp; - WaitForResponse(CMD_ACK,&resp); + WaitForResponse(CMD_ACK,&resp); // check if command failed if (resp.arg[0] != 0) { diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index dba4f113..03b39021 100644 --- a/client/cmdhficlass.c 
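Review bot: CmdHF15Sim changes the CMD_SIMTAG_ISO_15693 contract: the old code passed the strtol'd value in `arg[0]`, the new code sends `{0, 0, 0}` and copies the 8-byte UID into `c.d.asBytes`. Nothing in this diff shows the device-side handler being updated to read the UID from the payload, so if the firmware still takes it from `arg[0]` the simulated UID silently becomes 0; please confirm the armsrc change is part of the same series, and consider a one-line comment above `memcpy(c.d.asBytes,uid,8);` naming the expected firmware layout, e.g. `// UID travels in d.asBytes[0..7]; arg[] is unused by the simulator`.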
+++ b/client/cmdhficlass.c @@ -16,7 +16,6 @@ #include #include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type #include "data.h" -//#include "proxusb.h" #include "proxmark3.h" #include "ui.h" #include "cmdparser.h" 
@@ -272,87 +271,111 @@ int CmdHFiClassReader_Dump(const char *Cmd) uint8_t key_sel[8] = {0}; uint8_t key_sel_p[8] = { 0 }; - //HACK -- Below is for testing without access to a tag - uint8_t fake_dummy_test = false; - if(fake_dummy_test) - { - uint8_t xdata[16] = {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0, //CSN from http://www.proxmark.org/forum/viewtopic.php?pid=11230#p11230 - 0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Just a random CC. Would be good to add a real testcase here - memcpy(resp.d.asBytes,xdata, 16); - resp.arg[0] = 2; - } - - //End hack - - UsbCommand c = {CMD_READER_ICLASS, {0}}; c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE| FLAG_ICLASS_READER_GET_CC; - if(!fake_dummy_test) - SendCommand(&c); + SendCommand(&c); - if (fake_dummy_test || WaitForResponseTimeout(CMD_ACK,&resp,4500)) { - uint8_t isOK = resp.arg[0] & 0xff; - uint8_t * data = resp.d.asBytes; + if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) + { + PrintAndLog("Command execute timeout"); + return 0; + } - memcpy(CSN,data,8); - memcpy(CCNR,data+8,8); + uint8_t isOK = resp.arg[0] & 0xff; + uint8_t * data = resp.d.asBytes; - PrintAndLog("isOk:%02x", isOK); + memcpy(CSN,data,8); + memcpy(CCNR,data+8,8); - if(isOK > 0) - { - PrintAndLog("CSN: %s",sprint_hex(CSN,8)); - } - if(isOK > 1) - { - if(elite) - { - //Get the key index (hash1) - uint8_t key_index[8] = {0}; - - hash1(CSN, key_index); - printvar("hash1", key_index,8); - for(i = 0; i < 8 ; i++) - key_sel[i] = keytable[key_index[i]] & 0xFF; - PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:"); - printvar("k_sel", key_sel,8); - //Permute from iclass format to standard format - permutekey_rev(key_sel,key_sel_p); - used_key = key_sel_p; - }else{ - //Perhaps this should also be permuted to std format? - // Something like the code below? 
I have no std system - // to test this with /Martin + PrintAndLog("isOk:%02x", isOK); - //uint8_t key_sel_p[8] = { 0 }; - //permutekey_rev(KEY,key_sel_p); - //used_key = key_sel_p; + if(isOK > 0) + { + PrintAndLog("CSN: %s",sprint_hex(CSN,8)); + } + if(isOK <= 1){ + PrintAndLog("Failed to obtain CC! Aborting"); + return 0; + } + //Status 2 or higher - used_key = KEY; + if(elite) + { + //Get the key index (hash1) + uint8_t key_index[8] = {0}; + + hash1(CSN, key_index); + printvar("hash1", key_index,8); + for(i = 0; i < 8 ; i++) + key_sel[i] = keytable[key_index[i]] & 0xFF; + PrintAndLog("Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:"); + printvar("k_sel", key_sel,8); + //Permute from iclass format to standard format + permutekey_rev(key_sel,key_sel_p); + used_key = key_sel_p; + }else{ + used_key = KEY; + } - } + PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:"); + printvar("Used key",used_key,8); + diversifyKey(CSN,used_key, div_key); + PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):"); + printvar("Div key", div_key, 8); + printvar("CC_NR:",CCNR,12); + doMAC(CCNR,12,div_key, MAC); + printvar("MAC", MAC, 4); + + uint8_t iclass_data[32000] = {0}; + uint8_t iclass_datalen = 0; + uint8_t iclass_blocksFailed = 0;//Set to 1 if dump was incomplete + + UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}}; + memcpy(d.d.asBytes, MAC, 4); + clearCommandBuffer(); + SendCommand(&d); + PrintAndLog("Waiting for device to dump data. 
Press button on device and key on keyboard to abort..."); + while (true) { + printf("."); + if (ukbhit()) { + getchar(); + printf("\naborted via keyboard!\n"); + break; + } + if(WaitForResponseTimeout(CMD_ACK,&resp,4500)) + { + uint64_t dataLength = resp.arg[0]; + iclass_blocksFailed |= resp.arg[1]; + + if(dataLength > 0) + { + memcpy(iclass_data, resp.d.asBytes,dataLength); + iclass_datalen += dataLength; + }else + {//Last transfer, datalength 0 means the dump is finished + PrintAndLog("Dumped %d bytes of data from tag. ", iclass_datalen); + if(iclass_blocksFailed) + { + PrintAndLog("OBS! Some blocks failed to be dumped correctly!"); + } + if(iclass_datalen > 0) + { + char filename[100] = {0}; + //create a preferred filename + snprintf(filename, 100,"iclass_tagdump-%02x%02x%02x%02x%02x%02x%02x%02x", + CSN[0],CSN[1],CSN[2],CSN[3], + CSN[4],CSN[5],CSN[6],CSN[7]); + saveFile(filename,"bin",iclass_data, iclass_datalen ); + + } + //Aaaand we're finished + return 0; + } + } + } - PrintAndLog("Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:"); - printvar("Used key",used_key,8); - diversifyKey(CSN,used_key, div_key); - PrintAndLog("Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):"); - printvar("Div key", div_key, 8); - printvar("CC_NR:",CCNR,12); - doMAC(CCNR,12,div_key, MAC); - printvar("MAC", MAC, 4); - - UsbCommand d = {CMD_READER_ICLASS_REPLAY, {readerType}}; - memcpy(d.d.asBytes, MAC, 4); - if(!fake_dummy_test) SendCommand(&d); - - }else{ - PrintAndLog("Failed to obtain CC! Aborting"); - } - } else { - PrintAndLog("Command execute timeout"); - } return 0; } diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 8366b09b..bf874b62 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -10,7 +10,6 @@ #include #include -//#include "proxusb.h" #include "proxmark3.h" #include "data.h" #include "ui.h" 
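Review bot: The receive loop added to CmdHFiClassReader_Dump mishandles the dumped data: `uint8_t iclass_datalen` wraps after 255 bytes, so the final "Dumped %d bytes" and the `saveFile` length are wrong for any dump longer than that; and each chunk is copied with `memcpy(iclass_data, resp.d.asBytes, dataLength)` to offset 0, so every packet overwrites the previous one instead of appending. `dataLength` also comes straight from `resp.arg[0]`, a value the device supplies, and is used unchecked as the copy length — it should be clamped to `USB_CMD_DATA_SIZE` and to the space left in `iclass_data` before the copy, the way the debug-string path in cmdmain.c already does with `MIN(...)`. The function begins before this hunk; the sketch below rewrites only the accumulation.
```c
uint8_t iclass_data[32000] = {0};
size_t iclass_datalen = 0;   /* was uint8_t: wrapped after 255 bytes */
uint8_t iclass_blocksFailed = 0;//Set to 1 if dump was incomplete
// … unchanged: CMD_READER_ICLASS_REPLAY send, wait loop, keyboard abort …
uint64_t dataLength = resp.arg[0];
iclass_blocksFailed |= resp.arg[1];
if (dataLength > 0) {
    /* device-supplied length: trust it no further than the packet payload and the room left */
    size_t room = sizeof(iclass_data) - iclass_datalen;
    size_t n = dataLength > USB_CMD_DATA_SIZE ? USB_CMD_DATA_SIZE : (size_t)dataLength;
    if (n > room)
        n = room;
    memcpy(iclass_data + iclass_datalen, resp.d.asBytes, n);
    iclass_datalen += n;
} else {
    PrintAndLog("Dumped %zu bytes of data from tag. ", iclass_datalen);
    // … unchanged: blocksFailed warning, saveFile, return …
}
```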
@@ -266,7 +265,6 @@ int CmdLegicSave(const char *Cmd) int remainder = requested % 8; requested = requested + 8 - remainder; } - if (offset + requested > sizeof(got)) { PrintAndLog("Tried to read past end of buffer, + > 1024"); return 0; diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 6d0bebd7..121736e9 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -36,7 +36,6 @@ start: //flush queue while (ukbhit()) getchar(); - // wait cycle while (true) { printf("."); @@ -78,6 +77,7 @@ start: num_to_bytes(r_key, 6, keyBlock); isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key); } + if (!isOK) PrintAndLog("Found valid key:%012"llx, r_key); else @@ -88,6 +88,7 @@ start: goto start; } + PrintAndLog(""); return 0; } @@ -437,7 +438,6 @@ int CmdHF14AMfRdSc(const char *Cmd) return 0; } - uint8_t FirstBlockOfSector(uint8_t sectorNo) { if (sectorNo < 32) { @@ -447,7 +447,6 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo) } } - uint8_t NumBlocksPerSector(uint8_t sectorNo) { if (sectorNo < 32) { @@ -457,7 +456,6 @@ uint8_t NumBlocksPerSector(uint8_t sectorNo) } } - int CmdHF14AMfDump(const char *Cmd) { uint8_t sectorNo, blockNo; @@ -497,8 +495,7 @@ int CmdHF14AMfDump(const char *Cmd) return 1; } - // Read key file - + // Read keys A from file for (sectorNo=0; sectorNo #include #include -//#include "proxusb.h" #include "proxmark3.h" #include "ui.h" +#include "util.h" #include "graph.h" #include "cmdparser.h" #include "cmddata.h" @@ -22,20 +22,16 @@ static int CmdHelp(const char *Cmd); - - int CmdEMdemodASK(const char *Cmd) { - int findone=0; + char cmdp = param_getchar(Cmd, 0); + int findone = (cmdp == '1') ? 1 : 0; UsbCommand c={CMD_EM410X_DEMOD}; - if(Cmd[0]=='1') findone=1; c.arg[0]=findone; SendCommand(&c); return 0; } - - /* Read the ID of an EM410x tag. * Format: * 1111 1111 1 <-- standard non-repeatable header 
@@ -48,8 +44,8 @@ int CmdEM410xRead(const char *Cmd) { int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low; int parity[4]; - char id[11]; - char id2[11]; + char id[11] = {0x00}; + char id2[11] = {0x00}; int retested = 0; uint8_t BitStream[MAX_GRAPH_TRACE_LEN]; high = low = 0; @@ -201,7 +197,25 @@ retest: */ int CmdEM410xSim(const char *Cmd) { - int i, n, j, h, binary[4], parity[4]; + int i, n, j, binary[4], parity[4]; + + char cmdp = param_getchar(Cmd, 0); + uint8_t uid[5] = {0x00}; + + if (cmdp == 'h' || cmdp == 'H') { + PrintAndLog("Usage: lf em4x 410xsim "); + PrintAndLog(""); + PrintAndLog(" sample: lf em4x 410xsim 0F0368568B"); + return 0; + } + + if (param_gethex(Cmd, 0, uid, 10)) { + PrintAndLog("UID must include 10 HEX symbols"); + return 0; + } + + PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X", uid[0],uid[1],uid[2],uid[3],uid[4]); + PrintAndLog("Press pm3-button to about simulation"); /* clock is 64 in EM410x tags */ int clock = 64; @@ -209,9 +223,6 @@ int CmdEM410xSim(const char *Cmd) /* clear our graph */ ClearGraph(0); - /* write it out a few times */ - for (h = 0; h < 4; h++) - { /* write 9 start bits */ for (i = 0; i < 9; i++) AppendGraph(0, clock, 1); 
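Review bot: The new user-facing line in CmdEM410xSim reads `PrintAndLog("Press pm3-button to about simulation");` — "about" should be "abort", matching the wording added to cmdlfhid.c in this same commit. The hunk also parses and validates `uid[5]` from the argument and prints it, but none of the lines visible here consume `uid` afterwards; if the rest of the body (outside this hunk) still derives the bits from `Cmd` directly, the hex validation does not govern what is actually encoded — worth confirming, or a short comment at the `param_gethex` call saying which buffer the encoder reads.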
@@ -248,38 +259,38 @@ int CmdEM410xSim(const char *Cmd) AppendGraph(0, clock, parity[3]); /* stop bit */ - AppendGraph(0, clock, 0); - } - - /* modulate that biatch */ - CmdManchesterMod(""); - - /* booyah! */ - RepaintGraphWindow(); - - CmdLFSim(""); + AppendGraph(1, clock, 0); + + CmdLFSim("240"); //240 start_gap. return 0; } -/* Function is equivalent of loread + losamples + em410xread - * looped until an EM410x tag is detected */ +/* Function is equivalent of lf read + data samples + em410xread + * looped until an EM410x tag is detected + * + * Why is CmdSamples("16000")? + * TBD: Auto-grow sample size based on detected sample rate. IE: If the + * rate gets lower, then grow the number of samples + * Changed by martin, 4000 x 4 = 16000, + * see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235 + +*/ int CmdEM410xWatch(const char *Cmd) { - int read_h = (*Cmd == 'h'); - do - { - CmdLFRead(read_h ? "h" : ""); - // 2000 samples is OK for clock=64, but not clock=32. Probably want - // 8000 for clock=16. Don't want to go too high since old HID driver - // is very slow - // TBD: Auto-grow sample size based on detected sample rate. IE: If the - // rate gets lower, then grow the number of samples - - // Changed by martin, 4000 x 4 = 16000, - // see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235 - CmdSamples("16000"); - } while ( ! CmdEM410xRead("")); - return 0; + char cmdp = param_getchar(Cmd, 0); + int read_h = (cmdp == 'h'); + do { + if (ukbhit()) { + printf("\naborted via keyboard!\n"); + break; + } + + CmdLFRead(read_h ? "h" : ""); + CmdSamples("6000"); + } while ( + !CmdEM410xRead("") + ); + return 0; } /* Read the transmitted data of an EM4x50 tag diff --git a/client/cmdlfhid.c b/client/cmdlfhid.c index 5d841ae1..c6d54e78 100644 --- a/client/cmdlfhid.c +++ b/client/cmdlfhid.c @@ -10,7 +10,6 @@ #include #include -//#include "proxusb.h" #include "proxmark3.h" #include "ui.h" #include "graph.h" 
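Review bot: The comment block added above CmdEM410xWatch explains "4000 x 4 = 16000" and asks "Why is CmdSamples("16000")?", but the new body calls `CmdSamples("6000");`, so the documentation and the code disagree on the very value the comment exists to justify. Either keep 16000 or rewrite the comment to explain why 6000 is now enough for the clock rates mentioned in the removed text. In the preceding function the stop bit changed from `AppendGraph(0, clock, 0)` to `AppendGraph(1, clock, 0)` with no explanation; a trailing comment such as `// last bit: ask AppendGraph to redraw` would document the intent if the first argument is a redraw flag.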
@@ -41,8 +40,8 @@ int CmdHIDDemod(const char *Cmd) int CmdHIDDemodFSK(const char *Cmd) { int findone=0; + if(Cmd[0]=='1') findone=1; UsbCommand c={CMD_HID_DEMOD_FSK}; - if(Cmd[0]=='1') findone=1; c.arg[0]=findone; SendCommand(&c); return 0; @@ -59,6 +58,7 @@ int CmdHIDSim(const char *Cmd) } PrintAndLog("Emulating tag with ID %x%16x", hi, lo); + PrintAndLog("Press pm3-button to abort simulation"); UsbCommand c = {CMD_HID_SIM_TAG, {hi, lo, 0}}; SendCommand(&c); diff --git a/client/cmdlfhitag.c b/client/cmdlfhitag.c index 32d38aeb..ab4a2609 100644 --- a/client/cmdlfhitag.c +++ b/client/cmdlfhitag.c @@ -12,7 +12,6 @@ #include #include #include "data.h" -//#include "proxusb.h" #include "proxmark3.h" #include "ui.h" #include "cmdparser.h" @@ -225,7 +224,7 @@ int CmdLFHitagReader(const char *Cmd) { return 0; } -static command_t CommandTableHitag[] = +static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, {"list", CmdLFHitagList, 1, "List Hitag trace history"}, @@ -237,12 +236,12 @@ static command_t CommandTableHitag[] = int CmdLFHitag(const char *Cmd) { - CmdsParse(CommandTableHitag, Cmd); + CmdsParse(CommandTable, Cmd); return 0; } int CmdHelp(const char *Cmd) { - CmdsHelp(CommandTableHitag); + CmdsHelp(CommandTable); return 0; } diff --git a/client/cmdlfio.c b/client/cmdlfio.c index 7482ad97..14ce5498 100644 --- a/client/cmdlfio.c +++ b/client/cmdlfio.c @@ -3,7 +3,6 @@ #include #include #include -//#include "proxusb.h" #include "proxmark3.h" #include "data.h" #include "graph.h" 
@@ -19,26 +18,21 @@ int CmdIODemodFSK(const char *Cmd) { int findone=0; if(Cmd[0]=='1') findone=1; + UsbCommand c={CMD_IO_DEMOD_FSK}; c.arg[0]=findone; SendCommand(&c); return 0; } - int CmdIOProxDemod(const char *Cmd){ if (GraphTraceLen < 4800) { PrintAndLog("too short; need at least 4800 samples"); return 0; } - GraphTraceLen = 4800; for (int i = 0; i < GraphTraceLen; ++i) { - if (GraphBuffer[i] < 0) { - GraphBuffer[i] = 0; - } else { - GraphBuffer[i] = 1; - } + GraphBuffer[i] = (GraphBuffer[i] < 0) ? 0 : 1; } RepaintGraphWindow(); return 0; @@ -61,7 +55,7 @@ int CmdIOClone(const char *Cmd) } PrintAndLog("Cloning tag with ID %08x %08x", hi, lo); - + PrintAndLog("Press pm3-button to abort simulation"); c.cmd = CMD_IO_CLONE_TAG; c.arg[0] = hi; c.arg[1] = lo; diff --git a/client/cmdlfpcf7931.c b/client/cmdlfpcf7931.c index 13917146..0d8fb93d 100644 --- a/client/cmdlfpcf7931.c +++ b/client/cmdlfpcf7931.c @@ -10,7 +10,6 @@ #include #include -//#include "proxusb.h" #include "proxmark3.h" #include "ui.h" #include "graph.h" diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 9783370c..a719c7ad 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -10,7 +10,6 @@ #include #include #include -//#include "proxusb.h" #include "proxmark3.h" #include "ui.h" #include "graph.h" diff --git a/client/cmdlfti.c b/client/cmdlfti.c index 26128e2f..cb5fcd79 100644 --- a/client/cmdlfti.c +++ b/client/cmdlfti.c @@ -11,7 +11,6 @@ #include #include #include "crc16.h" -//#include "proxusb.h" #include "proxmark3.h" #include "data.h" #include "ui.h" diff --git a/client/cmdmain.c b/client/cmdmain.c index b2723490..8d590e9e 100644 --- a/client/cmdmain.c +++ b/client/cmdmain.c @@ -28,9 +28,6 @@ unsigned int current_command = CMD_UNKNOWN; -//unsigned int received_command = CMD_UNKNOWN; -//UsbCommand current_response; -//UsbCommand current_response_user; static int CmdHelp(const char *Cmd); static int CmdQuit(const char *Cmd); 
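Review bot: In CmdIOClone the added line `PrintAndLog("Press pm3-button to abort simulation");` precedes `c.cmd = CMD_IO_CLONE_TAG;`, so the message names the wrong operation — the command clones a tag, it does not simulate one. `PrintAndLog("Press pm3-button to abort cloning");` says what the user is actually interrupting.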
@@ -47,9 +44,9 @@ static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help. Use ' help' for details of a particular command."}, {"data", CmdData, 1, "{ Plot window / data buffer manipulation... }"}, - {"hf", CmdHF, 1, "{ HF commands... }"}, + {"hf", CmdHF, 1, "{ High Frequency commands... }"}, {"hw", CmdHW, 1, "{ Hardware commands... }"}, - {"lf", CmdLF, 1, "{ LF commands... }"}, + {"lf", CmdLF, 1, "{ Low Frequency commands... }"}, {"script", CmdScript, 1,"{ Scripting commands }"}, {"quit", CmdQuit, 1, "Exit program"}, {"exit", CmdQuit, 1, "Exit program"}, @@ -136,20 +133,17 @@ bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeou UsbCommand resp; - if (response == NULL) { + if (response == NULL) response = &resp; - } + // Wait until the command is received for(size_t dm_seconds=0; dm_seconds < ms_timeout/10; dm_seconds++) { - while(getCommand(response)) - { + while(getCommand(response)) { if(response->cmd == cmd){ - //We got what we expected return true; } - } msleep(10); // XXX ugh if (dm_seconds == 200) { // Two seconds elapsed 
@@ -178,95 +172,30 @@ void CommandReceived(char *Cmd) { //----------------------------------------------------------------------------- void UsbCommandReceived(UsbCommand *UC) { - /* - // Debug - printf("UsbCommand length[len=%zd]\n",sizeof(UsbCommand)); - printf(" cmd[len=%zd]: %"llx"\n",sizeof(UC->cmd),UC->cmd); - printf(" arg0[len=%zd]: %"llx"\n",sizeof(UC->arg[0]),UC->arg[0]); - printf(" arg1[len=%zd]: %"llx"\n",sizeof(UC->arg[1]),UC->arg[1]); - printf(" arg2[len=%zd]: %"llx"\n",sizeof(UC->arg[2]),UC->arg[2]); - printf(" data[len=%zd]: %02x%02x%02x...\n",sizeof(UC->d.asBytes),UC->d.asBytes[0],UC->d.asBytes[1],UC->d.asBytes[2]); - */ - - // printf("%s(%x) current cmd = %x\n", __FUNCTION__, c->cmd, current_command); - // If we recognize a response, return to avoid further processing - switch(UC->cmd) { - // First check if we are handling a debug message - case CMD_DEBUG_PRINT_STRING: { - char s[USB_CMD_DATA_SIZE+1]; - size_t len = MIN(UC->arg[0],USB_CMD_DATA_SIZE); - memcpy(s,UC->d.asBytes,len); - s[len] = 0x00; - PrintAndLog("#db# %s ", s); - return; - } break; - - case CMD_DEBUG_PRINT_INTEGERS: { - PrintAndLog("#db# %08x, %08x, %08x \r\n", UC->arg[0], UC->arg[1], UC->arg[2]); - return; - } break; - - // case CMD_MEASURED_ANTENNA_TUNING: { - // int peakv, peakf; - // int vLf125, vLf134, vHf; - // vLf125 = UC->arg[0] & 0xffff; - // vLf134 = UC->arg[0] >> 16; - // vHf = UC->arg[1] & 0xffff;; - // peakf = UC->arg[2] & 0xffff; - // peakv = UC->arg[2] >> 16; - // PrintAndLog(""); - // PrintAndLog("# LF antenna: %5.2f V @ 125.00 kHz", vLf125/1000.0); - // PrintAndLog("# LF antenna: %5.2f V @ 134.00 kHz", vLf134/1000.0); - // PrintAndLog("# LF optimal: %5.2f V @%9.2f kHz", peakv/1000.0, 12000.0/(peakf+1)); - // PrintAndLog("# HF antenna: %5.2f V @ 13.56 MHz", vHf/1000.0); - // if (peakv<2000) - // PrintAndLog("# Your LF antenna is unusable."); - // else if (peakv<10000) - // PrintAndLog("# Your LF antenna is marginal."); - // if (vHf<2000) - // PrintAndLog("# Your HF 
antenna is unusable."); - // else if (vHf<5000) - // PrintAndLog("# Your HF antenna is marginal."); - // } break; - - case CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K: { -// printf("received samples: "); -// print_hex(UC->d.asBytes,512); - sample_buf_len += UC->arg[1]; -// printf("samples: %zd offset: %d\n",sample_buf_len,UC->arg[0]); - memcpy(sample_buf+(UC->arg[0]),UC->d.asBytes,UC->arg[1]); - } break; - - -// case CMD_ACK: { -// PrintAndLog("Receive ACK\n"); -// } break; - - default: { - // Maybe it's a response - /* - switch(current_command) { - case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: { - if (UC->cmd != CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K) { - PrintAndLog("unrecognized command %08x\n", UC->cmd); - break; - } -// int i; - PrintAndLog("received samples %d\n",UC->arg[0]); - memcpy(sample_buf+UC->arg[0],UC->d.asBytes,48); - sample_buf_len += 48; -// for(i=0; i<48; i++) sample_buf[i] = UC->d.asBytes[i]; - //received_command = UC->cmd; - } break; - - default: { - } break; - }*/ - } - break; - } - - storeCommand(UC); + switch(UC->cmd) { + // First check if we are handling a debug message + case CMD_DEBUG_PRINT_STRING: { + char s[USB_CMD_DATA_SIZE+1] = {0x00}; + size_t len = MIN(UC->arg[0],USB_CMD_DATA_SIZE); + memcpy(s,UC->d.asBytes,len); + PrintAndLog("#db# %s ", s); + return; + } break; + + case CMD_DEBUG_PRINT_INTEGERS: { + PrintAndLog("#db# %08x, %08x, %08x \r\n", UC->arg[0], UC->arg[1], UC->arg[2]); + return; + } break; + + case CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K: { + sample_buf_len += UC->arg[1]; + memcpy(sample_buf+(UC->arg[0]),UC->d.asBytes,UC->arg[1]); + } break; + + default: + break; + } + storeCommand(UC); } diff --git a/client/data.c b/client/data.c index 51134d48..3f019326 100644 --- a/client/data.c +++ b/client/data.c @@ -12,7 +12,6 @@ #include #include "data.h" #include "ui.h" -//#include "proxusb.h" #include "proxmark3.h" #include "cmdmain.h" 
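Review bot: The rewritten UsbCommandReceived still copies with `memcpy(sample_buf+(UC->arg[0]),UC->d.asBytes,UC->arg[1]);` using an offset and a length taken verbatim from the device, while the CMD_DEBUG_PRINT_STRING case just above already clamps its length with `MIN(UC->arg[0],USB_CMD_DATA_SIZE)`. A malformed or desynchronised packet can therefore write past the caller's buffer; at minimum clamp the length the same way, `size_t n = MIN(UC->arg[1], USB_CMD_DATA_SIZE);` and then `memcpy(sample_buf + UC->arg[0], UC->d.asBytes, n); sample_buf_len += n;`, and ideally have GetFromBigBuf record the requested `bytes` next to `sample_buf` so `arg[0] + n` can be checked against it. Separately, if `arg[]` is 64-bit as `uint64_t dataLength = resp.arg[0];` elsewhere in this commit suggests, `PrintAndLog("#db# %08x, %08x, %08x \r\n", UC->arg[0], ...)` passes the wrong type for `%08x`; cast to `unsigned` or use `PRIx64`.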
@@ -23,22 +22,6 @@ void GetFromBigBuf(uint8_t *dest, int bytes, int start_index) { sample_buf_len = 0; sample_buf = dest; -// start_index = ((start_index/12)*12); -// int n = start_index + bytes; - /* - if (n % 48 != 0) { - PrintAndLog("bad len in GetFromBigBuf"); - return; - } - */ UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {start_index, bytes, 0}}; SendCommand(&c); -/* - for (int i = start_index; i < n; i += 48) { - UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}}; - SendCommand(&c); -// WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K); -// memcpy(dest+(i*4), sample_buf, 48); - } -*/ } diff --git a/client/flash.c b/client/flash.c index 3a0a1cda..4e222ece 100644 --- a/client/flash.c +++ b/client/flash.c @@ -13,7 +13,6 @@ #include #include "proxmark3.h" #include "sleep.h" -//#include "proxusb.h" #include "flash.h" #include "elf.h" #include "proxendian.h" @@ -276,7 +275,6 @@ static int get_proxmark_state(uint32_t *state) { UsbCommand c; c.cmd = CMD_DEVICE_INFO; -// SendCommand_(&c); SendCommand(&c); UsbCommand resp; ReceiveCommand(&resp); @@ -391,7 +389,6 @@ int flash_start_flashing(int enable_bl_writes,char *serial_port_name) c.arg[2] = 0; } SendCommand(&c); -// SendCommand_(&c); return wait_for_ack(); } else { fprintf(stderr, "Note: Your bootloader does not understand the new START_FLASH command\n"); @@ -408,22 +405,8 @@ static int write_block(uint32_t address, uint8_t *data, uint32_t length) memset(block_buf, 0xFF, BLOCK_SIZE); memcpy(block_buf, data, length); UsbCommand c; -/* - c.cmd = {CMD_SETUP_WRITE}; - for (int i = 0; i < 240; i += 48) { - memcpy(c.d.asBytes, block_buf + i, 48); - c.arg[0] = i / 4; - SendCommand(&c); -// SendCommand_(&c); - if (wait_for_ack() < 0) { - return -1; - } - } -*/ c.cmd = CMD_FINISH_WRITE; c.arg[0] = address; -// memcpy(c.d.asBytes, block_buf+240, 16); -// SendCommand_(&c); memcpy(c.d.asBytes, block_buf, length); SendCommand(&c); return wait_for_ack(); 
@@ -486,7 +469,6 @@ void flash_free(flash_file_t *ctx) // just reset the unit int flash_stop_flashing(void) { UsbCommand c = {CMD_HARDWARE_RESET}; -// SendCommand_(&c); SendCommand(&c); msleep(100); return 0; diff --git a/client/loclass/fileutils.c b/client/loclass/fileutils.c index 9ea9d145..206d9695 100644 --- a/client/loclass/fileutils.c +++ b/client/loclass/fileutils.c @@ -11,8 +11,14 @@ * @return */ int fileExists(const char *filename) { + +#ifdef _WIN32 + struct _stat st; + int result = _stat(filename, &st); +#else struct stat st; int result = stat(filename, &st); +#endif return result == 0; } @@ -40,7 +46,7 @@ int saveFile(const char *preferredName, const char *suffix, const void* data, si } fwrite(data, 1, datalen, fileHandle); fclose(fileHandle); - PrintAndLog(">Saved data to '%s'", fileName); + PrintAndLog("Saved data to '%s'", fileName); free(fileName); diff --git a/client/mifarehost.c b/client/mifarehost.c index 378fb2e5..d025918d 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -26,8 +26,6 @@ int compar_int(const void * a, const void * b) { else return -1; } - - // Compare 16 Bits out of cryptostate int Compare16Bits(const void * a, const void * b) { if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0; @@ -35,7 +33,6 @@ int Compare16Bits(const void * a, const void * b) { else return -1; } - typedef struct { union { @@ -70,16 +67,12 @@ void* nested_worker_thread(void *arg) return statelist->head.slhead; } - - - int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) { uint16_t i, len; uint32_t uid; UsbCommand resp; - StateList_t statelists[2]; struct Crypto1State *p1, *p2, *p3, *p4; 
@@ -239,12 +232,11 @@ int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount) { // "MAGIC" CARD int mfCSetUID(uint8_t *uid, uint8_t *oldUID, bool wantWipe) { - uint8_t block0[16]; - memset(block0, 0, 16); + uint8_t block0[16] = {0x00}; memcpy(block0, uid, 4); block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // Mifare UID BCC // mifare classic SAK(byte 5) and ATQA(byte 6 and 7) - block0[5] = 0x88; + block0[5] = 0x08; block0[6] = 0x04; block0[7] = 0x00; @@ -252,9 +244,9 @@ int mfCSetUID(uint8_t *uid, uint8_t *oldUID, bool wantWipe) { } int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uint8_t params) { - uint8_t isOK = 0; - UsbCommand c = {CMD_MIFARE_EML_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}}; + uint8_t isOK = 0; + UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}}; memcpy(c.d.asBytes, data, 16); SendCommand(&c); @@ -273,7 +265,7 @@ int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uin int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params) { uint8_t isOK = 0; - UsbCommand c = {CMD_MIFARE_EML_CGETBLOCK, {params, 0, blockNo}}; + UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}}; SendCommand(&c); UsbCommand resp; @@ -296,7 +288,7 @@ static uint8_t trailerAccessBytes[4] = {0x08, 0x77, 0x8F, 0x00}; // variables char logHexFileName[200] = {0x00}; static uint8_t traceCard[4096] = {0x00}; -static char traceFileName[200] = {0}; +static char traceFileName[200] = {0x00}; static int traceState = TRACE_IDLE; static uint8_t traceCurBlock = 0; static uint8_t traceCurKey = 0; @@ -522,7 +514,6 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) { case TRACE_AUTH1: if (len == 4) { traceState = TRACE_AUTH2; - nt = bytes_to_num(data, 4); return 0; } else { 
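Review bot: The TRACE_AUTH1 case of mfTraceDecode no longer executes `nt = bytes_to_num(data, 4);`, yet the following hunk still feeds `nt` into `lfsr_rollback_word(revstate, uid ^ nt, 0);`. Unless another state now captures the tag nonce (not visible in this diff), the rollback works from whatever `nt` held before, and the recovered key will be wrong; if the assignment was meant to move, it should appear in the hunk that replaces it. Please confirm where `nt` is set after this change.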
@@ -558,6 +549,7 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) { lfsr_rollback_word(revstate, 0, 0); lfsr_rollback_word(revstate, nr_enc, 1); lfsr_rollback_word(revstate, uid ^ nt, 0); + crypto1_get_lfsr(revstate, &lfsr); printf("key> %x%x\n", (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF)); AddLogUint64(logHexFileName, "key> ", lfsr); diff --git a/client/mifarehost.h b/client/mifarehost.h index cb99a407..3e946cd9 100644 --- a/client/mifarehost.h +++ b/client/mifarehost.h @@ -15,7 +15,6 @@ #include "cmdmain.h" #include "ui.h" #include "data.h" -//#include "proxusb.h" #include "util.h" #include "nonce2key/nonce2key.h" #include "nonce2key/crapto1.h" diff --git a/client/nonce2key/crapto1.c b/client/nonce2key/crapto1.c index 61215420..6c0fcafa 100644 --- a/client/nonce2key/crapto1.c +++ b/client/nonce2key/crapto1.c @@ -549,7 +549,6 @@ lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8], free(odd); free(even); return 0; - } s = statelist; diff --git a/client/proxguiqt.cpp b/client/proxguiqt.cpp index a820fe41..3e9bdfd5 100644 --- a/client/proxguiqt.cpp +++ b/client/proxguiqt.cpp @@ -280,7 +280,7 @@ void ProxWidget::paintEvent(QPaintEvent *event) ProxWidget::ProxWidget(QWidget *parent) : QWidget(parent), GraphStart(0), GraphPixelsPerPoint(1) { - resize(600, 500); + resize(600, 300); QPalette palette(QColor(0,0,0,0)); palette.setColor(QPalette::WindowText, QColor(255,255,255)); diff --git a/client/proxmark3.c b/client/proxmark3.c index bf0f3817..0e2a698c 100644 --- a/client/proxmark3.c +++ b/client/proxmark3.c @@ -16,7 +16,7 @@ #include #include #include -//#include "proxusb.h" + #include "proxmark3.h" #include "proxgui.h" #include "cmdmain.h" 
@@ -34,16 +34,11 @@ static UsbCommand txcmd; volatile static bool txcmd_pending = false; void SendCommand(UsbCommand *c) { -#if 0 - printf("Sending %d bytes\n", sizeof(UsbCommand)); -#endif -/* - if (txcmd_pending) { - ERR("Sending command failed, previous command is still pending"); - } -*/ - if(offline) - { + #if 0 + printf("Sending %d bytes\n", sizeof(UsbCommand)); + #endif + + if (offline) { PrintAndLog("Sending bytes to proxmark failed - offline"); return; } 
@@ -52,137 +47,116 @@ void SendCommand(UsbCommand *c) { or disconnected. The main console thread is alive, but comm thread just spins here. Not good.../holiman **/ - while(txcmd_pending); - txcmd = *c; - txcmd_pending = true; + while(txcmd_pending); + txcmd = *c; + txcmd_pending = true; } struct receiver_arg { - int run; + int run; }; struct main_loop_arg { - int usb_present; - char *script_cmds_file; + int usb_present; + char *script_cmds_file; }; -//static void *usb_receiver(void *targ) { -// struct receiver_arg *arg = (struct receiver_arg*)targ; -// UsbCommand cmdbuf; -// -// while (arg->run) { -// if (ReceiveCommandPoll(&cmdbuf)) { -// UsbCommandReceived(&cmdbuf); -// fflush(NULL); -// } -// } -// -// pthread_exit(NULL); -// return NULL; -//} - byte_t rx[0x1000000]; byte_t* prx = rx; static void *uart_receiver(void *targ) { - struct receiver_arg *arg = (struct receiver_arg*)targ; - size_t rxlen; - size_t cmd_count; - - while (arg->run) { - rxlen = sizeof(UsbCommand); - if (uart_receive(sp,prx,&rxlen)) { - prx += rxlen; - if (((prx-rx) % sizeof(UsbCommand)) != 0) { - continue; - } - cmd_count = (prx-rx) / sizeof(UsbCommand); - // printf("received %d bytes, which represents %d commands\n",(prx-rx), cmd_count); - for (size_t i=0; irun) { + rxlen = sizeof(UsbCommand); + if (uart_receive(sp, prx, &rxlen)) { + prx += rxlen; + if (((prx-rx) % sizeof(UsbCommand)) != 0) { + continue; + } + cmd_count = (prx-rx) / sizeof(UsbCommand); + + for (size_t i = 0; i < cmd_count; i++) { + UsbCommandReceived((UsbCommand*)(rx+(i*sizeof(UsbCommand)))); + } + } + prx = rx; + + if(txcmd_pending) { + if (!uart_send(sp, (byte_t*) &txcmd, sizeof(UsbCommand))) { + PrintAndLog("Sending bytes to proxmark failed"); + } + txcmd_pending = false; + } + } + + pthread_exit(NULL); + return NULL; } static void *main_loop(void *targ) { - struct main_loop_arg *arg = (struct main_loop_arg*)targ; - struct receiver_arg rarg; - char *cmd = NULL; - pthread_t reader_thread; - - if (arg->usb_present == 1) { 
- rarg.run=1; - // pthread_create(&reader_thread, NULL, &usb_receiver, &rarg); - pthread_create(&reader_thread, NULL, &uart_receiver, &rarg); - } - - FILE *script_file = NULL; - char script_cmd_buf[256]; + struct main_loop_arg *arg = (struct main_loop_arg*)targ; + struct receiver_arg rarg; + char *cmd = NULL; + pthread_t reader_thread; - if (arg->script_cmds_file) - { - script_file = fopen(arg->script_cmds_file, "r"); - if (script_file) - { - printf("using 'scripting' commands file %s\n", arg->script_cmds_file); - } - } + if (arg->usb_present == 1) { + rarg.run = 1; + pthread_create(&reader_thread, NULL, &uart_receiver, &rarg); + } + + FILE *script_file = NULL; + char script_cmd_buf[256]; // iceman, needs lua script the same file_path_buffer as the rest + + if (arg->script_cmds_file) { + script_file = fopen(arg->script_cmds_file, "r"); + if (script_file) { + printf("using 'scripting' commands file %s\n", arg->script_cmds_file); + } + } read_history(".history"); - while(1) - { - // If there is a script file - if (script_file) - { - if (!fgets(script_cmd_buf, sizeof(script_cmd_buf), script_file)) - { - fclose(script_file); - script_file = NULL; - } - else - { - char *nl; - nl = strrchr(script_cmd_buf, '\r'); - if (nl) *nl = '\0'; - nl = strrchr(script_cmd_buf, '\n'); - if (nl) *nl = '\0'; - - if ((cmd = (char*) malloc(strlen(script_cmd_buf) + 1)) != NULL) - { - memset(cmd, 0, strlen(script_cmd_buf)); - strcpy(cmd, script_cmd_buf); - printf("%s\n", cmd); - } - } - } - - if (!script_file) + + while(1) { + + // If there is a script file + if (script_file) { - cmd = readline(PROXPROMPT); + if (!fgets(script_cmd_buf, sizeof(script_cmd_buf), script_file)) { + fclose(script_file); + script_file = NULL; + } else { + char *nl; + nl = strrchr(script_cmd_buf, '\r'); + if (nl) *nl = '\0'; + + nl = strrchr(script_cmd_buf, '\n'); + if (nl) *nl = '\0'; + + if ((cmd = (char*) malloc(strlen(script_cmd_buf) + 1)) != NULL) { + memset(cmd, 0, strlen(script_cmd_buf)); + strcpy(cmd, 
script_cmd_buf); + printf("%s\n", cmd); + } + } + } + + if (!script_file) { + cmd = readline(PROXPROMPT); } if (cmd) { + while(cmd[strlen(cmd) - 1] == ' ') - cmd[strlen(cmd) - 1] = 0x00; + cmd[strlen(cmd) - 1] = 0x00; if (cmd[0] != 0x00) { if (strncmp(cmd, "quit", 4) == 0) { exit(0); break; } - CommandReceived(cmd); add_history(cmd); } @@ -195,29 +169,20 @@ static void *main_loop(void *targ) { write_history(".history"); - if (arg->usb_present == 1) { - rarg.run = 0; - pthread_join(reader_thread, NULL); - } - - if (script_file) - { - fclose(script_file); - script_file = NULL; - } - - ExitGraphics(); - pthread_exit(NULL); - return NULL; -} + if (arg->usb_present == 1) { + rarg.run = 0; + pthread_join(reader_thread, NULL); + } -//static void dumpHelp(char *parent, ...) -//{ -// printf("## %s\n\n", parent); -// CommandReceived(parent); -// -// printf("\n"); -//} + if (script_file) { + fclose(script_file); + script_file = NULL; + } + + ExitGraphics(); + pthread_exit(NULL); + return NULL; +} static void dumpAllHelp(int markdown) { @@ -258,17 +223,6 @@ int main(int argc, char* argv[]) { }; pthread_t main_loop_t; -/* - usb_init(); - if (!OpenProxmark(1)) { - fprintf(stderr,"PROXMARK3: NOT FOUND!\n"); - marg.usb_present = 0; - offline = 1; - } else { - marg.usb_present = 1; - offline = 0; - } -*/ sp = uart_open(argv[1]); if (sp == INVALID_SERIAL_PORT) { @@ -309,10 +263,6 @@ int main(int argc, char* argv[]) { pthread_join(main_loop_t, NULL); -// if (marg.usb_present == 1) { -// CloseProxmark(); -// } - // Clean up the port uart_close(sp); diff --git a/client/scripts/formatMifare.lua b/client/scripts/formatMifare.lua index 1ced0c28..0d735e98 100644 --- a/client/scripts/formatMifare.lua +++ b/client/scripts/formatMifare.lua 
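Review bot: The trailing-space trimming in main_loop, `while(cmd[strlen(cmd) - 1] == ' ')`, indexes before the start of the string when `cmd` is empty — which it is whenever the user presses Enter on a bare prompt (readline returns `""`) or the script file contains a blank line — so `strlen(cmd) - 1` underflows and the read is out of bounds. Guard on the length: `size_t cmdlen = strlen(cmd);` then `while (cmdlen > 0 && cmd[cmdlen - 1] == ' ') cmd[--cmdlen] = 0x00;`. In the script branch, `memset(cmd, 0, strlen(script_cmd_buf));` immediately followed by `strcpy(cmd, script_cmd_buf);` is redundant; `cmd = strdup(script_cmd_buf);` does the same in one call. The function continues past the end of this hunk, so whether `cmd` is freed per iteration cannot be judged from here.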
@@ -90,8 +90,10 @@ function GetCardInfo() elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k -- MIFARE Classic mini offers 320 bytes split into five sectors. numSectors = 5 - elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k" + elseif 0x10 == result.sak then -- NXP MIFARE Plus 2k numSectors = 32 + elseif 0x01 == sak then -- NXP MIFARE TNP3xxx 1K + numSectors = 16 else print("I don't know how many sectors there are on this type of card, defaulting to 16") end diff --git a/client/scripts/mifare_autopwn.lua b/client/scripts/mifare_autopwn.lua index 8d0d358f..eb98ffbf 100644 --- a/client/scripts/mifare_autopwn.lua +++ b/client/scripts/mifare_autopwn.lua @@ -133,6 +133,8 @@ function nested(key,sak) typ = 0 elseif 0x10 == sak then-- "NXP MIFARE Plus 2k" typ = 2 + elseif 0x01 == sak then-- "NXP MIFARE TNP3xxx 1K" + typ = 1 else print("I don't know how many sectors there are on this type of card, defaulting to 16") end diff --git a/include/at91sam7s512.h b/include/at91sam7s512.h index 5be13622..2cdcbce3 100644 --- a/include/at91sam7s512.h +++ b/include/at91sam7s512.h @@ -428,7 +428,7 @@ typedef struct _AT91S_PIO { #define PIO_PDR (AT91_CAST(AT91_REG *) 0x00000004) // (PIO_PDR) PIO Disable Register #define PIO_PSR (AT91_CAST(AT91_REG *) 0x00000008) // (PIO_PSR) PIO Status Register #define PIO_OER (AT91_CAST(AT91_REG *) 0x00000010) // (PIO_OER) Output Enable Register -#define PIO_ODR (AT91_CAST(AT91_REG *) 0x00000014) // (PIO_ODR) Output Disable Registerr +#define PIO_ODR (AT91_CAST(AT91_REG *) 0x00000014) // (PIO_ODR) Output Disable Register #define PIO_OSR (AT91_CAST(AT91_REG *) 0x00000018) // (PIO_OSR) Output Status Register #define PIO_IFER (AT91_CAST(AT91_REG *) 0x00000020) // (PIO_IFER) Input Filter Enable Register #define PIO_IFDR (AT91_CAST(AT91_REG *) 0x00000024) // (PIO_IFDR) Input Filter Disable Register diff --git a/include/proxmark3.h b/include/proxmark3.h index 8c9417da..b3530c64 100644 --- a/include/proxmark3.h +++ b/include/proxmark3.h 
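Review bot: The new branch `elseif 0x01 == sak then` tests a bare `sak`, while every sibling branch in this chain compares `result.sak`; unless a local named `sak` is defined outside the hunk, `sak` is an undefined (nil) global in Lua, the comparison is always false, and a TNP3xxx card falls through to the `else` branch and its "I don't know how many sectors" message. The intended line is presumably `elseif 0x01 == result.sak then -- NXP MIFARE TNP3xxx 1K`. The same card type is added to mifare_autopwn.lua in the next hunk using that function's `sak` parameter, which is correct there. GetCardInfo starts before this hunk.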
@@ -14,6 +14,7 @@ // Might as well have the hardware-specific defines everywhere. #include "at91sam7s512.h" #include "config_gpio.h" +#include "usb_cmd.h" #define WDT_HIT() AT91C_BASE_WDTC->WDTC_WDCR = 0xa5000001 @@ -67,8 +68,6 @@ #define TRUE 1 #define FALSE 0 -#include - //#define PACKED __attribute__((__packed__)) #define LED_A_ON() HIGH(GPIO_LED_A) diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 4d50de59..69c3c1b6 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -81,7 +81,7 @@ typedef struct { #define CMD_EM4X_WRITE_WORD 0x0219 #define CMD_IO_DEMOD_FSK 0x021A #define CMD_IO_CLONE_TAG 0x021B -#define CMD_EM410X_DEMOD 0x021C +#define CMD_EM410X_DEMOD 0x021c /* CMD_SET_ADC_MUX: ext1 is 0 for lopkd, 1 for loraw, 2 for hipkd, 3 for hiraw */ @@ -137,8 +137,11 @@ typedef struct { #define CMD_MIFARE_EML_MEMSET 0x0602 #define CMD_MIFARE_EML_MEMGET 0x0603 #define CMD_MIFARE_EML_CARDLOAD 0x0604 -#define CMD_MIFARE_EML_CSETBLOCK 0x0605 -#define CMD_MIFARE_EML_CGETBLOCK 0x0606 + +// magic chinese card commands +#define CMD_MIFARE_CSETBLOCK 0x0605 +#define CMD_MIFARE_CGETBLOCK 0x0606 +#define CMD_MIFARE_CIDENT 0x0607 #define CMD_SIMULATE_MIFARE_CARD 0x0610 
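Review bot: Renaming `CMD_MIFARE_EML_CSETBLOCK`/`CMD_MIFARE_EML_CGETBLOCK` to `CMD_MIFARE_CSETBLOCK`/`CMD_MIFARE_CGETBLOCK` keeps their values at 0x0605/0x0606, so the firmware/client wire protocol is unchanged here, but every user of the old names has to change in the same commit or the build breaks, and none of those call sites is visible in this part of the diff. The following hunk of this file (`@@ -150,11 +153,25 @@`) is different: it swaps the numeric values of `CMD_MIFAREU_WRITEBL` and `CMD_MIFAREU_WRITEBL_COMPAT` (0x0722 and 0x0723), so a client and a firmware image built from different revisions of this shared header would silently perform the other write variant. Because command codes are the contract between the two images, it is safer to leave existing values alone and give the new meaning a fresh code, or at least mark the swap: `// NOTE: CMD_MIFAREU_WRITEBL and CMD_MIFAREU_WRITEBL_COMPAT values were swapped in this revision; rebuild firmware and client together`. The `// magic chinese card commands` comment could also say what the group replaces, e.g. `// "magic" MIFARE Classic clone card commands (replace CMD_MIFARE_EML_CSETBLOCK/CGETBLOCK; values unchanged)`.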
@@ -150,11 +153,25 @@ typedef struct {
 #define CMD_MIFARE_READSC 0x0621
 #define CMD_MIFAREU_READCARD 0x0721
 #define CMD_MIFARE_WRITEBL 0x0622
-#define CMD_MIFAREU_WRITEBL_COMPAT 0x0722
-#define CMD_MIFAREU_WRITEBL 0x0723
+#define CMD_MIFAREU_WRITEBL 0x0722
+#define CMD_MIFAREU_WRITEBL_COMPAT 0x0723
+
 #define CMD_MIFARE_CHKKEYS 0x0623
 #define CMD_MIFARE_SNIFFER 0x0630
+//ultralightC
+#define CMD_MIFAREUC_AUTH1 0x0724
+#define CMD_MIFAREUC_AUTH2 0x0725
+#define CMD_MIFAREUC_READCARD 0x0726
+
+// mifare desfire
+#define CMD_MIFARE_DESFIRE_READBL 0x0728
+#define CMD_MIFARE_DESFIRE_WRITEBL 0x0729
+#define CMD_MIFARE_DESFIRE_AUTH1 0x072a
+#define CMD_MIFARE_DESFIRE_AUTH2 0x072b
+#define CMD_MIFARE_DES_READER 0x072c
+#define CMD_MIFARE_DESFIRE_INFO 0x072d
+#define CMD_MIFARE_DESFIRE 0x072e
 #define CMD_UNKNOWN 0xFFFF