ADD: simulating can now handle triplesized UID (10b)

CHG: moved some MIFARE #defines into protocols.h (ACK, NACK, ...)
iceman1001 2016-04-14 11:09:17 +02:00
parent 7ee74a8ebd
commit 0194ce8fc8
6 changed files with 522 additions and 506 deletions



@ -69,6 +69,13 @@ typedef struct {
uint8_t *parity;
} tUart;
typedef struct {
uint8_t* response;
size_t response_n;
uint8_t* modulation;
size_t modulation_n;
uint32_t ProxToAirDuration;
} tag_response_info_t;
extern void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *par);
extern void AppendCrc14443a(uint8_t *data, int len);
@ -83,4 +90,13 @@ extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data);
extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades);
extern void iso14a_set_trigger(bool enable);
int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
int EmSend4bitEx(uint8_t resp, bool correctionNeeded);
int EmSend4bit(uint8_t resp);
int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par);
int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
int EmSendCmd(uint8_t *resp, uint16_t respLen);
int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
#endif /* __ISO14443A_H */
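Review bot: The new struct members are written `uint8_t* response;` and `uint8_t* modulation;` while the neighbouring member `uint8_t *parity;` and every prototype in this header bind the declarator to the name; `uint8_t *response;` and `uint8_t *modulation;` would keep the header consistent. The added EmSend*/EmLogTrace prototypes also omit the `extern` that the adjacent iso14443a_select_card and iso14a_set_trigger declarations carry — harmless for functions, but worth matching. tag_response_info_t has no comment at all; a short block above the typedef stating what `response` holds versus `modulation`, that `response_n`/`modulation_n` are their byte counts, and the unit of `ProxToAirDuration` would save the next reader a trip to the emulator source, which is where those semantics have to be taken from since the header does not show them.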


@ -126,9 +126,9 @@ char* getTagInfo(uint8_t uid) {
return manufactureMapping[len-1].desc;
}
int usage_hf_14a_sim(void) {
PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4 or 7 byte UID\n");
// PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 or 10 byte UID\n");
PrintAndLog("\n Emulating ISO/IEC 14443 type A tag with 4,7 byte UID\n");
PrintAndLog("Usage: hf 14a sim t <type> u <uid> x");
PrintAndLog(" Options : ");
PrintAndLog(" h : this help");
@ -139,10 +139,13 @@ int usage_hf_14a_sim(void) {
PrintAndLog(" 5 = MIFARE Tnp3xxx");
PrintAndLog(" 6 = MIFARE Mini");
PrintAndLog(" 7 = AMIIBO (NTAG 215), pack 0x8080");
PrintAndLog(" u : 4 or 7 byte UID");
// PrintAndLog(" u : 4, 7 or 10 byte UID");
PrintAndLog(" u : 4, 7 byte UID");
PrintAndLog(" x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader");
PrintAndLog("\n sample : hf 14a sim t 1 u 1122344");
PrintAndLog(" : hf 14a sim t 1 u 1122344 x\n");
PrintAndLog("\n sample : hf 14a sim t 1 u 1122344 x");
PrintAndLog(" : hf 14a sim t 1 u 1122344");
PrintAndLog(" : hf 14a sim t 1 u 1122344556677");
// PrintAndLog(" : hf 14a sim t 1 u 11223445566778899AA\n");
return 0;
}
int usage_hf_14a_sniff(void){
@ -168,15 +171,13 @@ int usage_hf_14a_raw(void){
return 0;
}
int CmdHF14AList(const char *Cmd)
{
int CmdHF14AList(const char *Cmd) {
//PrintAndLog("Deprecated command, use 'hf list 14a' instead");
CmdHFList("14a");
return 0;
}
int CmdHF14AReader(const char *Cmd)
{
int CmdHF14AReader(const char *Cmd) {
UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_DISCONNECT, 0, 0}};
clearCommandBuffer();
SendCommand(&c);
@ -462,8 +463,7 @@ int CmdHF14AReader(const char *Cmd)
}
// Collect ISO14443 Type A UIDs
int CmdHF14ACUIDs(const char *Cmd)
{
int CmdHF14ACUIDs(const char *Cmd) {
// requested number of UIDs
int n = atoi(Cmd);
// collect at least 1 (e.g. if no parameter was given)
@ -494,24 +494,25 @@ int CmdHF14ACUIDs(const char *Cmd)
}
}
PrintAndLog("End: %u", time(NULL));
return 1;
}
// ## simulate iso14443a tag
// ## greg - added ability to specify tag UID
int CmdHF14ASim(const char *Cmd)
{
int CmdHF14ASim(const char *Cmd) {
bool errors = FALSE;
uint8_t flags = 0;
uint8_t tagtype = 1;
uint64_t uid = 0;
uint8_t cmdp = 0;
uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
int uidlen = 0;
uint8_t data[40];
uint8_t key[6] = {0,0,0,0,0,0};
UsbCommand resp;
bool useUIDfromEML = TRUE;
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
{
while(param_getchar(Cmd, cmdp) != 0x00) {
switch(param_getchar(Cmd, cmdp)) {
case 'h':
case 'H':
return usage_hf_14a_sim();
@ -525,17 +526,17 @@ int CmdHF14ASim(const char *Cmd)
break;
case 'u':
case 'U':
// Retrieve the full 4 or 7 byte long uid
uid = param_get64ex(Cmd, cmdp+1, 0, 16);
if (uid == 0 )
errors = TRUE;
if (uid > 0xffffffff) {
PrintAndLog("Emulating ISO/IEC 14443 type A tag with 7 byte UID (%014"llx")",uid);
flags |= FLAG_7B_UID_IN_DATA;
} else {
PrintAndLog("Emulating ISO/IEC 14443 type A tag with 4 byte UID (%08x)",uid);
flags |= FLAG_4B_UID_IN_DATA;
// Retrieve the full 4,7,10 byte long uid
param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
switch(uidlen) {
//case 20: flags |= FLAG_10B_UID_IN_DATA; break;
case 14: flags |= FLAG_7B_UID_IN_DATA; break;
case 8: flags |= FLAG_4B_UID_IN_DATA; break;
default: errors = TRUE; break;
}
if (!errors) {
PrintAndLog("Emulating ISO/IEC 14443 type A tag with %d byte UID (%s)", uidlen>>1, sprint_hex(uid, uidlen>>1));
useUIDfromEML = FALSE;
}
cmdp += 2;
break;
@ -555,17 +556,16 @@ int CmdHF14ASim(const char *Cmd)
//Validations
if (errors) return usage_hf_14a_sim();
if ( useUIDfromEML )
flags |= FLAG_UID_IN_EMUL;
PrintAndLog("Press pm3-button to abort simulation");
UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
num_to_bytes(uid, 7, c.d.asBytes);
memcpy(c.d.asBytes, uid, uidlen);
clearCommandBuffer();
SendCommand(&c);
uint8_t data[40];
uint8_t key[6];
UsbCommand resp;
while(!ukbhit()){
if ( WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
@ -573,10 +573,10 @@ int CmdHF14ASim(const char *Cmd)
memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memcpy(data, resp.d.asBytes, len);
tryMfk32(uid, data, key);
//tryMfk32_moebius(uid, data, key);
//tryMfk64(uid, data, key);
PrintAndLog("--");
uint32_t cuid = bytes_to_num(data, 4);
tryMfk32(cuid, data, key); // 201604, iceman, errors!
//tryMfk32_moebius(cuid, data, key);
//tryMfk64(cuid, data, key);
}
}
}
@ -785,8 +785,7 @@ int CmdHF14A(const char *Cmd) {
return 0;
}
int CmdHelp(const char *Cmd)
{
int CmdHelp(const char *Cmd) {
CmdsHelp(CommandTable);
return 0;
}
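Review bot: `memcpy(c.d.asBytes, uid, uidlen);` in CmdHF14ASim copies `uidlen` bytes, but `uidlen` counts hex symbols, not bytes — the same function prints the UID with `uidlen>>1`, and a 7-byte UID gives uidlen 14, so the copy reads 4 bytes past the 10-byte `uid` array and sends stack contents to the device. It should be `memcpy(c.d.asBytes, uid, uidlen >> 1);` (or `sizeof(uid)`, as CmdHF14AMf1kSim in cmdhfmf.c does). The same symbol/byte mix-up is in cmdhfmf.c's `sprint_hex(uid, uidlen)` in CmdHF14AMf1kSim's flags printout, which reads past the buffer the same way. Separately, the return value of `param_gethex_ex` is discarded and nothing visible here bounds how many bytes it writes into `uid[10]` before the `switch(uidlen)` rejects odd lengths, so its implementation should be checked for an over-long `u` argument. The rest of CmdHF14ASim lies outside the hunks shown.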


@ -1236,48 +1236,38 @@ int CmdHF14AMfChk(const char *Cmd)
return 0;
}
void printKeyTable( uint8_t sectorscnt, sector *e_sector ){
PrintAndLog("|---|----------------|---|----------------|---|");
PrintAndLog("|sec|key A |res|key B |res|");
PrintAndLog("|---|----------------|---|----------------|---|");
for (uint8_t i = 0; i < sectorscnt; ++i) {
PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,
e_sector[i].Key[0], e_sector[i].foundKey[0],
e_sector[i].Key[1], e_sector[i].foundKey[1]
);
}
PrintAndLog("|---|----------------|---|----------------|---|");
}
int CmdHF14AMf1kSim(const char *Cmd)
{
uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};
int CmdHF14AMf1kSim(const char *Cmd) {
uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
uint8_t exitAfterNReads = 0;
uint8_t flags = 0;
int uidlen = 0;
uint8_t cmdp = param_getchar(Cmd, 0);
if (cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");
PrintAndLog(" h this help");
PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used");
PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID from emulator memory will be used");
PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");
PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
PrintAndLog("");
PrintAndLog(" sample: hf mf sim u 0a0a0a0a ");
PrintAndLog("samples:");
PrintAndLog(" hf mf sim u 0a0a0a0a");
PrintAndLog(" hf mf sim u 11223344556677");
PrintAndLog(" hf mf sim u 112233445566778899AA");
return 0;
}
uint8_t pnr = 0;
if (param_getchar(Cmd, pnr) == 'u') {
if(param_gethex(Cmd, pnr+1, uid, 8) == 0)
{
flags |= FLAG_4B_UID_IN_DATA; // UID from packet
} else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {
flags |= FLAG_7B_UID_IN_DATA;// UID from packet
} else {
PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");
return 1;
param_gethex_ex(Cmd, pnr+1, uid, &uidlen);
switch(uidlen){
case 20: flags |= FLAG_10B_UID_IN_DATA; break;
case 14: flags |= FLAG_7B_UID_IN_DATA; break;
case 8: flags |= FLAG_4B_UID_IN_DATA; break;
default:
PrintAndLog("UID, if specified, must include 8, 14 or 20 HEX symbols , %d", uidlen>>1);
return 1;
}
pnr +=2;
}
@ -1288,24 +1278,20 @@ int CmdHF14AMf1kSim(const char *Cmd)
}
if (param_getchar(Cmd, pnr) == 'i' ) {
//Using a flag to signal interactiveness, least significant bit
flags |= FLAG_INTERACTIVE;
pnr++;
}
if (param_getchar(Cmd, pnr) == 'x' ) {
//Using a flag to signal interactiveness, least significant bit
flags |= FLAG_NR_AR_ATTACK;
}
PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",
flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A"
PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) "
, (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen)
, exitAfterNReads
, flags
, flags);
UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
memcpy(c.d.asBytes, uid, sizeof(uid));
clearCommandBuffer();
@ -1323,43 +1309,32 @@ int CmdHF14AMf1kSim(const char *Cmd)
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
memset(data, 0x00, sizeof(data));
memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memset(data, 0x00, sizeof(data));
memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memcpy(data, resp.d.asBytes, len);
memcpy(data, resp.d.asBytes, len);
uint64_t corr_uid = 0;
// CUID is always 4 first bytes.
uint64_t cuid = bytes_to_num(data, 4 );
// this IF? what was I thinking of?
if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {
corr_uid = ((uint64_t)(data[3] << 24)) | (data[2] << 16) | (data[1] << 8) | data[0];
tryMfk32(corr_uid, data, key);
} else {
corr_uid |= (uint64_t)data[2] << 48;
corr_uid |= (uint64_t)data[1] << 40;
corr_uid |= (uint64_t)data[0] << 32;
corr_uid |= (uint64_t)data[7] << 24;
corr_uid |= (uint64_t)data[6] << 16;
corr_uid |= (uint64_t)data[5] << 8;
corr_uid |= (uint64_t)data[4];
tryMfk64(corr_uid, data, key);
}
PrintAndLog("--");
// this needs to be fixed. ICEMAN
if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {
tryMfk32(cuid, data, key);
} else {
tryMfk64(cuid, data, key);
}
}
}
return 0;
}
int CmdHF14AMfDbg(const char *Cmd)
{
int CmdHF14AMfDbg(const char *Cmd) {
int dbgMode = param_get32ex(Cmd, 0, 0, 10);
if (dbgMode > 4) {
if (dbgMode > 4)
PrintAndLog("Max debug mode parameter is 4 \n");
}
if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) {
PrintAndLog("Usage: hf mf dbg <debug level>");
@ -1374,10 +1349,24 @@ int CmdHF14AMfDbg(const char *Cmd)
UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};
SendCommand(&c);
return 0;
}
void printKeyTable( uint8_t sectorscnt, sector *e_sector ){
PrintAndLog("|---|----------------|---|----------------|---|");
PrintAndLog("|sec|key A |res|key B |res|");
PrintAndLog("|---|----------------|---|----------------|---|");
for (uint8_t i = 0; i < sectorscnt; ++i) {
PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,
e_sector[i].Key[0], e_sector[i].foundKey[0],
e_sector[i].Key[1], e_sector[i].foundKey[1]
);
}
PrintAndLog("|---|----------------|---|----------------|---|");
}
// EMULATOR COMMANDS
int CmdHF14AMfEGet(const char *Cmd)
{
uint8_t blockNo = 0;
@ -1707,8 +1696,9 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
return 0;
}
int CmdHF14AMfCSetUID(const char *Cmd)
{
// CHINESE MAGIC COMMANDS
int CmdHF14AMfCSetUID(const char *Cmd) {
uint8_t wipeCard = 0;
uint8_t uid[8] = {0x00};
uint8_t oldUid[8] = {0x00};
@ -1778,8 +1768,7 @@ int CmdHF14AMfCSetUID(const char *Cmd)
return 0;
}
int CmdHF14AMfCSetBlk(const char *Cmd)
{
int CmdHF14AMfCSetBlk(const char *Cmd) {
uint8_t block[16] = {0x00};
uint8_t blockNo = 0;
uint8_t params = MAGIC_SINGLE;
@ -1814,8 +1803,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
return 0;
}
int CmdHF14AMfCLoad(const char *Cmd)
{
int CmdHF14AMfCLoad(const char *Cmd) {
FILE * f;
char filename[FILE_PATH_SIZE];
char * fnameptr = filename;
@ -2078,6 +2066,8 @@ int CmdHF14AMfCSave(const char *Cmd) {
}
}
int CmdHF14AMfSniff(const char *Cmd){
bool wantLogToFile = 0;
@ -2092,15 +2082,17 @@ int CmdHF14AMfSniff(const char *Cmd){
int blockLen = 0;
int pckNum = 0;
int num = 0;
uint8_t uid[7];
uint8_t uid_len;
uint8_t atqa[2] = {0x00};
uint8_t sak;
uint8_t uid[10];
uint8_t uid_len = 0;
uint8_t atqa[2] = {0x00, 0x00};
uint8_t sak = 0;
bool isTag;
uint8_t *buf = NULL;
uint16_t bufsize = 0;
uint8_t *bufPtr = NULL;
memset(uid, 0x00, sizeof(uid));
char ctmp = param_getchar(Cmd, 0);
if ( ctmp == 'h' || ctmp == 'H' ) {
PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");
@ -2149,9 +2141,10 @@ int CmdHF14AMfSniff(const char *Cmd){
uint16_t traceLen = resp.arg[1];
len = resp.arg[2];
// we are done?
if (res == 0) {
free(buf);
return 0; // we are done
return 0;
}
if (res == 1) { // there is (more) data to be transferred
@ -2204,21 +2197,21 @@ int CmdHF14AMfSniff(const char *Cmd){
memcpy(atqa, bufPtr + 2 + 7, 2);
uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;
sak = bufPtr[11];
PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x",
PrintAndLog("tag select uid| %s atqa:0x%02x%02x sak:0x%02x",
sprint_hex(uid + (7 - uid_len), uid_len),
atqa[1],
atqa[0],
sak);
if (wantLogToFile || wantDecrypt) {
FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);
FillFileNameByUID(logHexFileName, uid + (10 - uid_len), ".log", uid_len);
AddLogCurrentDT(logHexFileName);
}
if (wantDecrypt)
mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);
} else {
PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));
PrintAndLog("%03d| %s |%s", num, isTag ? "TAG" : "RDR", sprint_hex(bufPtr, len));
if (wantLogToFile)
AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);
AddLogHex(logHexFileName, isTag ? "TAG| ":"RDR| ", bufPtr, len);
if (wantDecrypt)
mfTraceDecode(bufPtr, len, wantSaveToEmlFile);
num++;
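Review bot: In CmdHF14AMfSniff the log filename now uses `uid + (10 - uid_len)` while the unchanged print two lines earlier still uses `uid + (7 - uid_len)` on the same buffer, so the two cannot both be right; which offset is correct depends on where the UID is copied into the enlarged `uid[10]` (outside this hunk), and both calls should use that one, e.g. `sprint_hex(uid + (10 - uid_len), uid_len)` if the copy is right-aligned at 10. `uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;` still never yields 10, so enlarging the array does not by itself make the sniffer handle triple-size UIDs, and `mfTraceInit(uid, ...)` is handed the buffer base rather than the aligned pointer — fine only if it expects that layout. In CmdHF14AMf1kSim the rewritten block feeds the 4-byte `cuid` to both tryMfk32 and tryMfk64 where the removed code built a 7-byte value for the 64-bit case; the `// this needs to be fixed. ICEMAN` marker should at least say what layout `data` is expected to have so the fix is not lost.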


@ -204,10 +204,12 @@ typedef struct {
//Mifare simulation flags
#define FLAG_INTERACTIVE 0x01
#define FLAG_4B_UID_IN_DATA 0x02
#define FLAG_7B_UID_IN_DATA 0x04
#define FLAG_NR_AR_ATTACK 0x08
#define FLAG_INTERACTIVE 0x01
#define FLAG_4B_UID_IN_DATA 0x02
#define FLAG_7B_UID_IN_DATA 0x04
#define FLAG_10B_UID_IN_DATA 0x08
#define FLAG_UID_IN_EMUL 0x10
#define FLAG_NR_AR_ATTACK 0x12
//Iclass reader flags
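Review bot: `#define FLAG_NR_AR_ATTACK 0x12` is not a single bit — 0x12 equals `FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA`, and with the other flags at 0x01, 0x02, 0x04, 0x08 and 0x10 the next free bit is `0x20`. As defined, `flags |= FLAG_NR_AR_ATTACK` in CmdHF14AMf1kSim (cmdhfmf.c) silently sets the 4-byte-UID and UID-in-emulator flags, and its `if ( !(flags & FLAG_NR_AR_ATTACK) ) break;` passes for any simulation with a 4-byte UID or emulator-memory UID even when `x` was not given. The same table is repeated verbatim in the second header below (hunk `@ -217,10 +217,12 @@`); both copies should read `#define FLAG_NR_AR_ATTACK 0x20`, and since the two headers carry identical flag tables it may be worth having one include the other so they cannot drift.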


@ -217,10 +217,12 @@ typedef struct{
//Mifare simulation flags
#define FLAG_INTERACTIVE 0x01
#define FLAG_4B_UID_IN_DATA 0x02
#define FLAG_7B_UID_IN_DATA 0x04
#define FLAG_NR_AR_ATTACK 0x08
#define FLAG_INTERACTIVE 0x01
#define FLAG_4B_UID_IN_DATA 0x02
#define FLAG_7B_UID_IN_DATA 0x04
#define FLAG_10B_UID_IN_DATA 0x08
#define FLAG_UID_IN_EMUL 0x10
#define FLAG_NR_AR_ATTACK 0x12
//Iclass reader flags