diff --git a/armsrc/Standalone/hf_iceclass.c b/armsrc/Standalone/hf_iceclass.c index d6bd71e14..4cab3234a 100644 --- a/armsrc/Standalone/hf_iceclass.c +++ b/armsrc/Standalone/hf_iceclass.c @@ -41,7 +41,13 @@ char* cc_files[] = { HF_ICLASS_CC_A, HF_ICLASS_CC_B }; #define ICE_STATE_CONFIGCARD 4 // times in ssp_clk_cycles @ 3,3625MHz when acting as reader +#ifndef DELAY_ICLASS_VICC_TO_VCD_READER #define DELAY_ICLASS_VICC_TO_VCD_READER DELAY_ISO15693_VICC_TO_VCD_READER +#endif + +#ifndef ICLASS_16KS_SIZE +#define ICLASS_16KS_SIZE 0x100 * 8 +#endif // iclass card descriptors char * card_types[] = { @@ -69,6 +75,10 @@ uint8_t card_app2_limit[] = { static uint8_t aa2_key[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; static uint8_t legacy_aa1_key[] = {0xAE, 0xA6, 0x84, 0xA6, 0xDA, 0xB2, 0x32, 0x78}; +static bool have_aa2(void) { + return memcmp(aa2_key, "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8); +} + static uint8_t get_pagemap(const picopass_hdr *hdr) { return (hdr->conf.fuses & (FUSE_CRYPT0 | FUSE_CRYPT1)) >> 3; } @@ -111,6 +121,10 @@ static void download_instructions(uint8_t t) { } } +// +// Save to flash if file doesn't exist. +// Write over file if size of flash file is less than new datalen +// static void save_to_flash(uint8_t *data, uint16_t datalen) { rdv40_spiffs_lazy_mount(); 
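Review bot: `ICLASS_16KS_SIZE` expands to `0x100 * 8` with no parentheses, so it is only safe as a bare argument; inside an expression such as `ICLASS_16KS_SIZE / 2` it binds wrongly, and `#define ICLASS_16KS_SIZE (0x100 * 8)` costs nothing. The identical guarded definition is repeated in the armsrc/iclass.c hunk at `@@ -45,6 +45,10 @@`, and since this value has to match the buffer that `picopass_hdr` is overlaid on in both files, a single definition in iclass.h would stop the two copies drifting apart. The `#ifndef` guards also let an earlier, differing definition win silently; a comment naming where the canonical definition is meant to live would help the next reader.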
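Review bot: `have_aa2()` hands the raw `memcmp` result to a `bool` return type; the `_Bool` conversion is well defined, but the removed line in reader_dump_mode spelled the intent out as `!= 0` and the helper should do the same: `return memcmp(aa2_key, "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8) != 0;`. A one-line header comment such as `// true once aa2_key has been changed from its all-0xFF placeholder` would document what the sentinel means. The same 8-byte 0xFF literal is repeated for `hdr->key_c` in the fullsim_mode hunk; a shared `static const uint8_t` table would keep the two comparisons in step.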
@@ -121,22 +135,33 @@ static void save_to_flash(uint8_t *data, uint16_t datalen) { data[4], data[5], data[6], data[7] ); + int res; if (exists_in_spiffs(fn) == false) { - int res = rdv40_spiffs_write(fn, data, datalen, RDV40_SPIFFS_SAFETY_SAFE); + res = rdv40_spiffs_write(fn, data, datalen, RDV40_SPIFFS_SAFETY_SAFE); if (res == SPIFFS_OK) { Dbprintf("Saved to `" _YELLOW_("%s") "`", fn); - } else { - Dbprintf("error writing `" _YELLOW_("%s") "`", fn); } + } else { + + // if already exist, see if saved file is smaller.. + uint32_t fsize = 0; + res = rdv40_spiffs_stat(fn, &fsize, RDV40_SPIFFS_SAFETY_SAFE); + if (res == SPIFFS_OK) { + + if (fsize < datalen) { + res = rdv40_spiffs_write(fn, data, datalen, RDV40_SPIFFS_SAFETY_SAFE); + if (res == SPIFFS_OK) { + Dbprintf("Wrote over `" _YELLOW_("%s") "`", fn); + } + } + } } rdv40_spiffs_lazy_unmount(); } static int fullsim_mode(void) { - - bool have_aa2 = memcmp(aa2_key, "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8); - + rdv40_spiffs_lazy_mount(); SpinOff(0); @@ -161,7 +186,7 @@ static int fullsim_mode(void) { } // create diversified key AA2/KC if not in dump. - if (have_aa2) { + if (have_aa2()) { if (memcmp(hdr->key_c, "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8) == 0) { uint8_t ccnr[12] = {0}; memcpy(ccnr, hdr->epurse, 8); @@ -232,15 +257,17 @@ static int reader_attack_mode(void) { static int reader_dump_mode(void) { - bool have_aa2 = (memcmp(aa2_key, "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8) != 0); - + DbpString("This mode has no tracelog"); + if (have_aa2()) + DbpString("Dumping of " _YELLOW_("AA2 enabled")); + for (;;) { BigBuf_free(); - uint8_t *card_data = BigBuf_malloc(0x100 * 8); - memset(card_data, 0xFF, sizeof(card_data)); - + uint8_t *card_data = BigBuf_malloc(ICLASS_16KS_SIZE); + memset(card_data, 0xFF, ICLASS_16KS_SIZE); + if (BUTTON_PRESS()) { DbpString("button pressed"); break; 
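Review bot: The write-failure path of `save_to_flash` has gone quiet: the removed `else` with its "error writing" `Dbprintf` is not replaced, and in the new `else` branch a failing `rdv40_spiffs_stat` or a failing overwrite leaves `res != SPIFFS_OK` with no message at all, so a user in standalone mode cannot tell a skipped save from a failed one. Both branches leave their last status in `res`, so one check before `rdv40_spiffs_lazy_unmount()` covers every path, e.g. `if (res != SPIFFS_OK) Dbprintf("error writing " _YELLOW_("%s"), fn);`. It would also help to print something when the existing file is not smaller and the dump is deliberately not written, since the caller cannot see that outcome through a `void` return. The head of `save_to_flash`, where `fn` is built, is outside this hunk.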
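Review bot: `card_data` from `BigBuf_malloc(ICLASS_16KS_SIZE)` is passed straight to `memset` and later cast to `picopass_hdr *` without a NULL check; the new `memset` length is right (the old `sizeof(card_data)` only cleared a pointer's worth), but if `BigBuf_malloc` can return NULL when its arena is exhausted — it appears to, though its definition is not on this page — the loop writes through a null pointer on every pass. A guard such as `if (card_data == NULL) { DbpString("BigBuf_malloc failed"); break; }` before the `memset` keeps the failure visible. The body of `reader_dump_mode` continues past the end of this hunk.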
@@ -257,6 +284,7 @@ static int reader_dump_mode(void) { memcpy(auth.key, legacy_aa1_key, sizeof(auth.key)); Iso15693InitReader(); + set_tracing(false); // select tag. uint32_t eof_time = 0; @@ -265,16 +293,24 @@ static int reader_dump_mode(void) { switch_off(); continue; } - - uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; picopass_hdr *hdr = (picopass_hdr *)card_data; - + + // sanity check of CSN. + if (hdr->csn[7] != 0xE0 && hdr->csn[6] != 0x12) { + switch_off(); + continue; + } + + uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + // get 3 config bits uint8_t type = (hdr->conf.chip_config & 0x10) >> 2; type |= (hdr->conf.mem_config & 0x80) >> 6; type |= (hdr->conf.mem_config & 0x20) >> 5; + Dbprintf("Found " _GREEN_("%s") " dumping...", card_types[type]); + uint8_t pagemap = get_pagemap(hdr); uint8_t app1_limit, app2_limit, start_block; @@ -292,7 +328,7 @@ static int reader_dump_mode(void) { res = authenticate_iclass_tag(&auth, hdr, &start_time, &eof_time, NULL); if (res == false) { switch_off(); - DbpString("failed AA1 auth"); + Dbprintf("%s found, " _RED_("failed AA1 auth") " , skipping ", card_types[type]); continue; } @@ -303,13 +339,12 @@ static int reader_dump_mode(void) { // main read loop for (uint16_t i = start_block; i <= app1_limit; i++) { - - if (iclass_read_block(i, card_data + (8 * i))) { + if (iclass_read_block(i, card_data + (8 * i), &start_time, &eof_time)) { dumped++; } } - if (pagemap != PICOPASS_NON_SECURE_PAGEMODE && have_aa2) { + if (pagemap != PICOPASS_NON_SECURE_PAGEMODE && have_aa2()) { // authenticate AA2 auth.use_raw = false; 
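Review bot: The new CSN sanity check `if (hdr->csn[7] != 0xE0 && hdr->csn[6] != 0x12)` only rejects a header when both bytes are wrong, so a CSN whose last byte is 0xE0 but whose byte 6 is anything at all still passes; if the intent is that both bytes must match, the condition wants `||` rather than `&&`: `if (hdr->csn[7] != 0xE0 || hdr->csn[6] != 0x12) {`. The same condition is copied twice more in the hunk at `@@ -319,32 +354,39 @@`, so a small `static bool csn_is_sane(const picopass_hdr *hdr)` would keep the three copies from diverging; the third copy there runs after a failed `select_iclass_tag`, which per the `select_iclass_tag_ex` hunks only stores the CSN on success, so it appears to re-test the value the first check already accepted. A comment stating why 0xE0 and 0x12 are the expected bytes would also help, as they are otherwise magic constants. `reader_dump_mode` continues beyond this hunk.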
@@ -319,32 +354,39 @@ static int reader_dump_mode(void) { res = select_iclass_tag(card_data, auth.use_credit_key, &eof_time); if (res) { + // sanity check of CSN. + if (hdr->csn[7] != 0xE0 && hdr->csn[6] != 0x12) { + switch_off(); + continue; + } + res = authenticate_iclass_tag(&auth, hdr, &start_time, &eof_time, NULL); if (res) { - start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; for (uint16_t i = app1_limit + 1; i <= app2_limit; i++) { - if (iclass_read_block(i, card_data + (8 * i))) { + if (iclass_read_block(i, card_data + (8 * i), &start_time, &eof_time)) { dumped++; } - //start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; } } else { - DbpString("failed AA2 auth"); + DbpString(_RED_("failed AA2 auth")); } } else { - DbpString("failed AA2 selecting"); + DbpString(_RED_("failed selecting AA2")); + + // sanity check of CSN. + if (hdr->csn[7] != 0xE0 && hdr->csn[6] != 0x12) { + switch_off(); + continue; + } } } - switch_off(); - save_to_flash(card_data, (start_block + dumped) * 8 ); - Dbprintf("Found a %s (blocks dumped %u)", card_types[type], dumped); + Dbprintf("%u bytes saved", (start_block + dumped) * 8); } - - DbpString("-=[ exiting `read & dump` mode"); + DbpString("-=[ exiting " _YELLOW_("`read & dump`") " mode ]=-"); return PM3_SUCCESS; } diff --git a/armsrc/iclass.c b/armsrc/iclass.c index fd2a6cf6e..160640b1d 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -45,6 +45,10 @@ static uint8_t get_pagemap(const picopass_hdr *hdr) { #define ICLASS_BUFFER_SIZE 34 + 2 #endif +#ifndef ICLASS_16KS_SIZE +#define ICLASS_16KS_SIZE 0x100 * 8 +#endif + // iCLASS has a slightly different timing compared to ISO15693. According to the picopass data sheet the tag response is expected 330us after // the reader command. This is measured from end of reader EOF to first modulation of the tag's SOF which starts with a 56,64us unmodulated period. // 330us = 140 ssp_clk cycles @ 423,75kHz when simulating. 
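Review bot: The `save_to_flash(card_data, (start_block + dumped) * 8)` call is removed together with the old summary line, but the replacement `Dbprintf("%u bytes saved", (start_block + dumped) * 8)` still claims the data was saved; unless the save now happens somewhere not in this diff, `reader_dump_mode` fills `card_data` and then discards it at the next `BigBuf_free()`, and the static `save_to_flash` reworked in the earlier hunk is left without a caller here. If the removal is unintended, reinstate the call before the message: `save_to_flash(card_data, (start_block + dumped) * 8);` — and consider having `save_to_flash` report its result so the message is printed only on `SPIFFS_OK`, since it silently skips when an existing file is not smaller. `switch_off()` is also dropped at that point; if the field should stay on between cards, a comment saying so would stop the next reader from putting it back. The duplicated CSN checks in this hunk are discussed at the `@@ -265,16 +293,24 @@` hunk.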
@@ -162,7 +166,9 @@ void iclass_simulate(uint8_t sim_type, uint8_t num_csns, bool send_reply, uint8_ Iso15693InitTag(); clear_trace(); - set_tracing(true); + + // only logg if we are called from the client. + set_tracing(send_reply); //Use the emulator memory for SIM uint8_t *emulator = BigBuf_get_EM_addr(); @@ -1242,12 +1248,14 @@ static bool select_iclass_tag_ex(uint8_t *card_data, bool use_credit_key, uint32 static uint8_t act_all[] = { ICLASS_CMD_ACTALL }; static uint8_t identify[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x00, 0x73, 0x33 }; - static uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; static uint8_t read_conf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22 }; + uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint8_t read_aia[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64}; uint8_t read_check_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 }; uint8_t resp[ICLASS_BUFFER_SIZE] = {0}; + picopass_hdr *hdr = (picopass_hdr *)card_data; + // Bit 4: K.If this bit equals to one, the READCHECK will use the Credit Key (Kc); if equals to zero, Debit Key (Kd) will be used // bit 7: parity. if (use_credit_key) @@ -1281,8 +1289,8 @@ static bool select_iclass_tag_ex(uint8_t *card_data, bool use_credit_key, uint32 if (len != 10) return false; - //Save CSN in response data - memcpy(card_data, resp, 8); + // save CSN + memcpy(hdr->csn, resp, sizeof(hdr->csn)); // card selected, now read config (block1) (only 8 bytes no CRC) start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; 
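Review bot: The new comment `// only logg if we are called from the client.` has a typo and states the rule indirectly; `set_tracing(send_reply)` ties trace logging to whether a reply is sent, so the comment should say that, e.g. `// send_reply is false when driven from a standalone mode; trace only when the client made the call.` That this is the intended relationship is inferred from the parameter name, since the callers are not in this diff. `iclass_simulate` continues outside the hunk.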
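Review bot: `memcpy(hdr->csn, resp, sizeof(hdr->csn))` and the matching copies into `hdr->conf`, `hdr->app_issuer_area` and `hdr->epurse` in the `@@ -1293,18 +1301,16 @@`, `@@ -1315,7 +1321,7 @@` and `@@ -1327,12 +1333,12 @@` hunks replace explicit 8-byte copies with the field sizes of `picopass_hdr`, so the layout of a struct declared outside this diff now silently decides how many response bytes land in `card_data`, while `resp` is only checked for `len != 10` / `len != 8`. A compile-time check near the top of `select_iclass_tag_ex` makes the assumption explicit, e.g. `_Static_assert(sizeof(((picopass_hdr *)0)->conf) == 8, "picopass conf block must be 8 bytes");` and likewise for `csn`, `epurse` and `app_issuer_area`. The `(uint8_t*)` cast on `&hdr->conf` is unnecessary since `memcpy` takes `void *`. `select_iclass_tag_ex` begins and ends outside this hunk.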
@@ -1293,18 +1301,16 @@ static bool select_iclass_tag_ex(uint8_t *card_data, bool use_credit_key, uint32 if (len != 10) return false; - //Save CONF in response data - memcpy(card_data + 8, resp, 8); + // save CONF + memcpy( (uint8_t*)&hdr->conf, resp, sizeof(hdr->conf)); if (status) *status |= (FLAG_ICLASS_CSN | FLAG_ICLASS_CONF); - picopass_hdr *hdr = (picopass_hdr *)card_data; - uint8_t pagemap = get_pagemap(hdr); if (pagemap != PICOPASS_NON_SECURE_PAGEMODE) { - //Read App Issuer Area block 5 + // read App Issuer Area block 5 start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; iclass_send_as_reader(read_aia, sizeof(read_aia), &start_time, eof_time); @@ -1315,7 +1321,7 @@ static bool select_iclass_tag_ex(uint8_t *card_data, bool use_credit_key, uint32 if (status) { *status |= FLAG_ICLASS_AIA; - memcpy(card_data + (8 * 5), resp, 8); + memcpy(hdr->app_issuer_area, resp, sizeof(hdr->app_issuer_area)); } // card selected, now read e-purse (cc) (block2) (only 8 bytes no CRC) @@ -1327,12 +1333,12 @@ static bool select_iclass_tag_ex(uint8_t *card_data, bool use_credit_key, uint32 if (len != 8) return false; - memcpy(card_data + (8 * 2), resp, 8); + memcpy(hdr->epurse, resp, sizeof(hdr->epurse)); *status |= FLAG_ICLASS_CC; } else { - //Read App Issuer Area block 2 + // read App Issuer Area block 2 read_aia[1] = 0x02; read_aia[2] = 0x61; read_aia[3] = 0x10; @@ -1593,8 +1599,6 @@ bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr *hdr, uint else memcpy(hdr->key_d, div_key, sizeof(hdr->key_d)); -// Dbhexdump(sizeof(div_key), div_key, false); - opt_doReaderMAC(ccnr, div_key, pmac); // copy MAC to check command (readersignature) 
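Review bot: `*status |= FLAG_ICLASS_CC;` on the new side is dereferenced unconditionally, while the `*status |= FLAG_ICLASS_AIA` write a few lines above in the `@@ -1315,7 +1321,7 @@` hunk is wrapped in `if (status)`; if `status` may be NULL — the three-argument `select_iclass_tag` wrapper in iclass.h suggests some callers pass none — the secure-pagemap path crashes where the AIA path does not. `if (status) *status |= FLAG_ICLASS_CC;` restores consistency. This line is pre-existing rather than part of the change, but the commit rewrites the lines around it, so folding the guard in is cheap. `select_iclass_tag_ex` continues outside the hunk.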
@@ -1603,7 +1607,7 @@ bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr *hdr, uint cmd_check[7] = pmac[2]; cmd_check[8] = pmac[3]; - return iclass_send_cmd_with_retries(cmd_check, sizeof(cmd_check), resp_auth, sizeof(resp_auth), 4, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, eof_time); + return iclass_send_cmd_with_retries(cmd_check, sizeof(cmd_check), resp_auth, sizeof(resp_auth), 4, 2, start_time, ICLASS_READER_TIMEOUT_OTHERS, eof_time); } typedef struct iclass_premac { @@ -1695,12 +1699,11 @@ out: // Tries to read block. // retries 3times. // reply 8 bytes block -bool iclass_read_block(uint8_t blockno, uint8_t *data) { +bool iclass_read_block(uint16_t blockno, uint8_t *data, uint32_t *start_time, uint32_t *eof_time) { uint8_t resp[10]; uint8_t c[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockno, 0x00, 0x00}; AddCrc(c + 1, 1); - uint32_t eof_time = 0, start_time = 0; - bool isOK = iclass_send_cmd_with_retries(c, sizeof(c), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time); + bool isOK = iclass_send_cmd_with_retries(c, sizeof(c), resp, sizeof(resp), 10, 2, start_time, ICLASS_READER_TIMEOUT_OTHERS, eof_time); if (isOK) memcpy(data, resp, 8); return isOK; diff --git a/armsrc/iclass.h b/armsrc/iclass.h index 4011cf400..add295c33 100644 --- a/armsrc/iclass.h +++ b/armsrc/iclass.h @@ -1,6 +1,7 @@ //----------------------------------------------------------------------------- // Jonathan Westhues, Aug 2005 // Gerhard de Koning Gans, April 2008, May 2011 +// Iceman, August 2020 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of 
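Review bot: `iclass_send_cmd_with_retries(cmd_check, sizeof(cmd_check), resp_auth, sizeof(resp_auth), 4, 2, start_time, ...)` changes one bare numeral from 3 to 2 with nothing saying what the pair `4, 2` means; the second is evidently the retry count (the comment above `iclass_read_block` says so), the first is not explained here, and the same `10, 2` pair is changed in `iclass_read_block` at `@@ -1695,12 +1699,11 @@`. Naming them, e.g. `enum { ICLASS_CMD_RETRIES = 2 };` alongside whatever the expected-length values stand for, would make the intent readable and give both call sites one retry policy. A one-line comment on why fewer retries now suffice (a faster standalone loop, or the timing fix elsewhere in this commit) would also help. `authenticate_iclass_tag` starts before this hunk.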
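Review bot: `blockno` is widened to `uint16_t` in the signature and in iclass.h, but it is still stored into the `uint8_t c[]` command byte, so any value above 0xFF is silently truncated and reads a different block while reporting success; today's callers in hf_iceclass.c loop up to `uint8_t` limits, so the range is fine in practice, but the API now admits inputs it cannot express, and either keeping the parameter `uint8_t` or adding `if (blockno > 0xFF) return false;` up front closes that gap. The comment above the function, `// retries 3times.`, is now wrong after the change to `2` retries and should read `// retries 2 times.`. With `start_time` and `eof_time` now caller-owned, that comment should also say the function updates both through the pointers for the next command. The function's header comment starts before this hunk.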
@@ -34,9 +35,8 @@ void iClass_Authentication(uint8_t *bytes); bool iclass_auth(iclass_auth_req_t *payload, uint8_t *out); void iClass_ReadBlock(uint8_t *msg); -bool iclass_read_block(uint8_t blockno, uint8_t *data); +bool iclass_read_block(uint16_t blockno, uint8_t *data, uint32_t *start_time, uint32_t *eof_time); bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time); bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr *hdr, uint32_t *start_time, uint32_t *eof_time, uint8_t *mac_out); - #endif