From: Martin Holst Swende Date: Tue, 31 Mar 2015 20:11:19 +0000 (+0200) Subject: Merge pull request #91 from marshmellow42/master X-Git-Tag: v2.1.0~22 X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/d5d6f22718903a68bd097b6e276f3eaa33ca3788?hp=a4669d6ef3a423ff4382326571247ca0615117d3 Merge pull request #91 from marshmellow42/master lfdemod.c refactoring (+ bug fixes) --- diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..5f3f84ef --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,28 @@ +# Change Log +All notable changes to this project will be documented in this file. +This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... + +## [Unreleased][unreleased] +### Changed +- Iclass read, `hf iclass read` now also reads tag config and prints configuration. (holiman) + +### Fixed +- Fixed issue #19, problems with LF T55xx commands (marshmellow) + +### Added +- Added changelog + +## [2.0.0] - 2015-03-25 +### Changed +- LF sim operations now abort when new commands arrive over the USB - not required to push the device button anymore. + +### Fixed +- Mifare simulation, `hf mf sim` (was broken a long time) (pwpiwi) +- Major improvements in LF area and data operations. (marshmellow, iceman1001) +- Issues regarding LF simulation (pwpiwi) + +### Added +- iClass functionality: full simulation of iclass tags, so tags can be simulated with data (not only CSN). Not yet support for write/update, but readers don't seem to enforce update. (holiman). +- iClass decryption. Proxmark can now decrypt data on an iclass tag, but requires you to have the HID decryption key locally on your computer, as this is not bundled with the sourcecode. + + diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 260e6a60..7b4daa36 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -1627,7 +1627,10 @@ uint8_t handshakeIclassTag(uint8_t *card_data) static uint8_t act_all[] = { 0x0a }; static uint8_t identify[] = { 0x0c }; static uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - static uint8_t readcheck_cc[]= { 0x88, 0x02 }; + + + static uint8_t readcheck_cc[]= { 0x88, 0x02,}; + uint8_t resp[ICLASS_BUFFER_SIZE]; uint8_t read_status = 0; @@ -1662,28 +1665,33 @@ uint8_t handshakeIclassTag(uint8_t *card_data) if(ReaderReceiveIClass(resp) == 8) { //Save CC (e-purse) in response data memcpy(card_data+8,resp,8); - - //Got both - read_status = 2; + read_status++; } return read_status; } + // Reader iClass Anticollission void ReaderIClass(uint8_t arg0) { - uint8_t card_data[24]={0}; + uint8_t card_data[6 * 8]={0xFF}; uint8_t last_csn[8]={0}; + //Read conf block CRC(0x01) => 0xfa 0x22 + uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x01, 0xfa, 0x22}; + //Read conf block CRC(0x05) => 0xde 0x64 + uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x05, 0xde, 0x64}; + + int read_status= 0; + uint8_t result_status = 0; bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE; - bool get_cc = arg0 & FLAG_ICLASS_READER_GET_CC; + set_tracing(TRUE); setupIclassReader(); - size_t datasize = 0; - while(!BUTTON_PRESS()) + while(!BUTTON_PRESS()) { if(!tracing) { @@ -1695,15 +1703,40 @@ void ReaderIClass(uint8_t arg0) { read_status = handshakeIclassTag(card_data); if(read_status == 0) continue; - if(read_status == 1) datasize = 8; - if(read_status == 2) datasize = 16; + if(read_status == 1) result_status = FLAG_ICLASS_READER_CSN; + if(read_status == 2) result_status = FLAG_ICLASS_READER_CSN|FLAG_ICLASS_READER_CC; + + // handshakeIclass returns CSN|CC, but the actual block + // layout is CSN|CONFIG|CC, so here we reorder the data, + // moving CC forward 8 bytes + memcpy(card_data+16,card_data+8, 8); + //Read block 1, config + if(arg0 & FLAG_ICLASS_READER_CONF) + { + if(sendCmdGetResponseWithRetries(readConf, sizeof(readConf),card_data+8, 10, 10)) + { + Dbprintf("Failed to dump config block"); + }else + { + result_status |= FLAG_ICLASS_READER_CONF; + } + } - //Todo, read the public blocks 1,5 aswell: - // - // 0 : CSN (we already have) + //Read block 5, AA + if(arg0 & FLAG_ICLASS_READER_AA){ + if(sendCmdGetResponseWithRetries(readAA, sizeof(readAA),card_data+(8*4), 10, 10)) + { +// Dbprintf("Failed to dump AA block"); + }else + { + result_status |= FLAG_ICLASS_READER_AA; + } + } + + // 0 : CSN // 1 : Configuration - // 2 : e-purse (we already have) - // (3,4 write-only) + // 2 : e-purse + // (3,4 write-only, kc and kd) // 5 Application issuer area // //Then we can 'ship' back the 8 * 5 bytes of data, @@ -1713,10 +1746,10 @@ void ReaderIClass(uint8_t arg0) { //Send back to client, but don't bother if we already sent this if(memcmp(last_csn, card_data, 8) != 0) { - - if(!get_cc || (get_cc && read_status == 2)) + // If caller requires that we get CC, continue until we got it + if( (arg0 & read_status & FLAG_ICLASS_READER_CC) || !(arg0 & FLAG_ICLASS_READER_CC)) { - cmd_send(CMD_ACK,read_status,0,0,card_data,datasize); + cmd_send(CMD_ACK,result_status,0,0,card_data,sizeof(card_data)); if(abort_after_read) { LED_A_OFF(); return; @@ -1724,7 +1757,7 @@ void ReaderIClass(uint8_t arg0) { //Save that we already sent this.... memcpy(last_csn, card_data, 8); } - //If 'get_cc' was specified and we didn't get a CC, we'll just keep trying... + } LED_B_OFF(); } diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index 31f7ba97..44b074b3 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -30,6 +30,7 @@ #include "loclass/elite_crack.h" #include "loclass/fileutils.h" #include "protocols.h" +#include "usb_cmd.h" static int CmdHelp(const char *Cmd); @@ -166,29 +167,25 @@ int CmdHFiClassSim(const char *Cmd) int CmdHFiClassReader(const char *Cmd) { - UsbCommand c = {CMD_READER_ICLASS, {0}}; + UsbCommand c = {CMD_READER_ICLASS, {FLAG_ICLASS_READER_CSN| + FLAG_ICLASS_READER_CONF|FLAG_ICLASS_READER_AA}}; SendCommand(&c); UsbCommand resp; while(!ukbhit()){ if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) { - uint8_t isOK = resp.arg[0] & 0xff; + uint8_t readStatus = resp.arg[0] & 0xff; uint8_t * data = resp.d.asBytes; - PrintAndLog("isOk:%02x", isOK); - if( isOK == 0){ + PrintAndLog("Readstatus:%02x", readStatus); + if( readStatus == 0){ //Aborted PrintAndLog("Quitting..."); return 0; } - if(isOK > 0) - { - PrintAndLog("CSN: %s",sprint_hex(data,8)); - } - if(isOK >= 1) - { - PrintAndLog("CC: %s",sprint_hex(data+8,8)); - }else{ - PrintAndLog("No CC obtained"); + if( readStatus & FLAG_ICLASS_READER_CSN) PrintAndLog("CSN: %s",sprint_hex(data,8)); + if( readStatus & FLAG_ICLASS_READER_CC) PrintAndLog("CC: %s",sprint_hex(data+16,8)); + if( readStatus & FLAG_ICLASS_READER_CONF){ + printIclassDumpInfo(data); } } else { PrintAndLog("Command execute timeout"); @@ -269,7 +266,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) uint8_t key_sel_p[8] = { 0 }; UsbCommand c = {CMD_READER_ICLASS, {0}}; - c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE| FLAG_ICLASS_READER_GET_CC; + c.arg[0] = FLAG_ICLASS_READER_ONLY_ONCE| FLAG_ICLASS_READER_CC; SendCommand(&c); @@ -284,7 +281,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) uint8_t * data = resp.d.asBytes; memcpy(CSN,data,8); - memcpy(CCNR,data+8,8); + memcpy(CCNR,data+16,8); PrintAndLog("isOk:%02x", isOK); diff --git a/include/usb_cmd.h b/include/usb_cmd.h index aab631da..62c3d949 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -199,7 +199,11 @@ typedef struct{ //Iclass reader flags #define FLAG_ICLASS_READER_ONLY_ONCE 0x01 -#define FLAG_ICLASS_READER_GET_CC 0x02 +#define FLAG_ICLASS_READER_CC 0x02 +#define FLAG_ICLASS_READER_CSN 0x04 +#define FLAG_ICLASS_READER_CONF 0x08 +#define FLAG_ICLASS_READER_AA 0x10 + // CMD_DEVICE_INFO response packet has flags in arg[0], flag definitions: