github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 21:03:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

add: new standalone mode. hf_iceclass

Browse source
This commit is contained in:
iceman1001 2020-07-14 15:47:47 +02:00
commit 49192ca4c4
3 changed files with 173 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
armsrc/Standalone/Makefile.hal
View file

@ -44,6 +44,9 @@ define KNOWN_STANDALONE_DEFINITIONS
| HF_COLIN | Mifare ultra fast sniff/sim/clone | | HF_COLIN | Mifare ultra fast sniff/sim/clone |
| (RDV4 only) | - Colin Brigato | | (RDV4 only) | - Colin Brigato |
+----------------------------------------------------------+ +----------------------------------------------------------+
| HF_ICECLASS | Simulate HID iCLASS legacy ags |
| (RDV4 only) | storing in flashmem |
+----------------------------------------------------------+
| HF_LEGIC | Read/simulate Legic Prime tags | | HF_LEGIC | Read/simulate Legic Prime tags |
| | storing in flashmem | | | storing in flashmem |
+----------------------------------------------------------+ +----------------------------------------------------------+
@ -59,9 +62,9 @@ define KNOWN_STANDALONE_DEFINITIONS
endef endef
STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN
STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG
STANDALONE_MODES_REQ_SMARTCARD := STANDALONE_MODES_REQ_SMARTCARD :=
STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS
ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),) ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),)
STANDALONE_PLATFORM_DEFS += -DWITH_STANDALONE_$(STANDALONE) STANDALONE_PLATFORM_DEFS += -DWITH_STANDALONE_$(STANDALONE)
ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES_REQ_SMARTCARD)),) ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES_REQ_SMARTCARD)),)

6
armsrc/Standalone/Makefile.inc
View file

@ -57,7 +57,11 @@ endif
ifneq (,$(findstring WITH_STANDALONE_HF_LEGIC,$(APP_CFLAGS))) ifneq (,$(findstring WITH_STANDALONE_HF_LEGIC,$(APP_CFLAGS)))
SRC_STANDALONE = hf_legic.c SRC_STANDALONE = hf_legic.c
endif endif
# WITH_STANDALONE_LF_MSDSAL # WITH_STANDALONE_HF_MSDSAL
ifneq (,$(findstring WITH_STANDALONE_HF_MSDSAL,$(APP_CFLAGS))) ifneq (,$(findstring WITH_STANDALONE_HF_MSDSAL,$(APP_CFLAGS)))
SRC_STANDALONE = hf_msdsal.c SRC_STANDALONE = hf_msdsal.c
endif endif
# WITH_STANDALONE_HF_ICECLASS
ifneq (,$(findstring WITH_STANDALONE_HF_ICECLASS,$(APP_CFLAGS)))
SRC_STANDALONE = hf_iceclass.c
endif

163
armsrc/Standalone/hf_iceclass.c Normal file
View file

@ -0,0 +1,163 @@
//-----------------------------------------------------------------------------
// Christian Herrmann, 2020
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// main code for hf_iceclass by Iceman
//-----------------------------------------------------------------------------
#include "standalone.h" // standalone definitions
#include "proxmark3_arm.h"
#include "appmain.h"
#include "BigBuf.h"
#include "fpgaloader.h"
#include "util.h"
#include "dbprint.h"
#include "spiffs.h"
#include "iclass.h"
#include "optimized_cipher.h"
#define NUM_CSNS 9
#define MAC_RESPONSES_SIZE (16 * NUM_CSNS)
#define HF_ICLASS_FULLSIM_ORG_BIN "iceclass-orig.bin"
#define HF_ICLASS_FULLSIM_POST_BIN "iceclass-modified.bin"
#define HF_ICLASS_FULLSIM_POST_EML "iceclass-modified-lasttag.bin.eml"
#define HF_ICLASS_ATTACK_BIN "iceclass_mac_attack.bin"
static uint8_t legacy_aa1_key[] = {0xAE, 0xA6, 0x84, 0xA6, 0xDA, 0xB2, 0x32, 0x78};
static uint8_t csns[8 * NUM_CSNS] = {
0x01, 0x0A, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
0x0C, 0x06, 0x0C, 0xFE, 0xF7, 0xFF, 0x12, 0xE0,
0x10, 0x97, 0x83, 0x7B, 0xF7, 0xFF, 0x12, 0xE0,
0x13, 0x97, 0x82, 0x7A, 0xF7, 0xFF, 0x12, 0xE0,
0x07, 0x0E, 0x0D, 0xF9, 0xF7, 0xFF, 0x12, 0xE0,
0x14, 0x96, 0x84, 0x76, 0xF7, 0xFF, 0x12, 0xE0,
0x17, 0x96, 0x85, 0x71, 0xF7, 0xFF, 0x12, 0xE0,
0xCE, 0xC5, 0x0F, 0x77, 0xF7, 0xFF, 0x12, 0xE0,
0xD2, 0x5A, 0x82, 0xF8, 0xF7, 0xFF, 0x12, 0xE0
//0x04, 0x08, 0x9F, 0x78, 0x6E, 0xFF, 0x12, 0xE0
};
static void DownloadLogInstructions(uint8_t t) {
Dbprintf("");
switch (t) {
case ICLASS_SIM_MODE_FULL: {
Dbprintf("The emulator memory was saved to flash. Try the following from flash and display it");
Dbprintf("1. " _YELLOW_("mem spiffs dump o "HF_ICLASS_FULLSIM_POST_BIN" f "HF_ICLASS_FULLSIM_POST_BIN" e"));
Dbprintf("2. " _YELLOW_("exit proxmark3 client"));
Dbprintf("3. " _YELLOW_("cat "HF_ICLASS_FULLSIM_POST_EML));
break;
}
case ICLASS_SIM_MODE_READER_ATTACK: {
Dbprintf("The emulator memory was saved to flash. Try the following from flash and display it");
Dbprintf("1. " _YELLOW_("mem spiffs dump o "HF_ICLASS_FULLSIM_POST_BIN" f "HF_ICLASS_FULLSIM_POST_BIN" e"));
Dbprintf("2. " _YELLOW_("hf iclass loclass f "HF_ICLASS_ATTACK_BIN));
break;
}
}
}
void ModInfo(void) {
DbpString(" HF iCLASS mode - aka iceCLASS (iceman)");
}
void RunMod(void) {
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
BigBuf_Clear();
StandAloneMode();
Dbprintf(_YELLOW_("HF iCLASS mode a.k.a iceCLASS started"));
uint8_t simtype = ICLASS_SIM_MODE_FULL;
for (;;) {
WDT_HIT();
// exit from RunMod, send a usbcommand.
if (data_available()) break;
// Was our button held down or pressed?
int button_pressed = BUTTON_HELD(1000);
if (button_pressed != BUTTON_NO_CLICK) {
break;
}
switch (simtype) {
case ICLASS_SIM_MODE_FULL: {
Dbprintf("enter full simulation mode");
rdv40_spiffs_lazy_mount();
// Look for a dump file in FLASH MEM.
if (exists_in_spiffs(HF_ICLASS_FULLSIM_ORG_BIN) == false) {
Dbprintf("error, '" _YELLOW_(HF_ICLASS_FULLSIM_ORG_BIN) "' file missing");
Dbprintf("changing to reader attack mode instead");
simtype = ICLASS_SIM_MODE_READER_ATTACK;
break;
}
SpinOff(0);
uint8_t *emul = BigBuf_get_EM_addr();
uint32_t fsize = size_in_spiffs(HF_ICLASS_FULLSIM_ORG_BIN);
int res = rdv40_spiffs_read_as_filetype(HF_ICLASS_FULLSIM_ORG_BIN, emul, fsize, RDV40_SPIFFS_SAFETY_SAFE);
rdv40_spiffs_lazy_unmount();
Dbprintf("Found `" _YELLOW_(HF_ICLASS_FULLSIM_ORG_BIN) "` , loaded %u bytes to emulator memory", fsize);
if ( memcmp(emul + (3 * 8), "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8) == 0) {
// create diversified key if not in dump.
uint8_t ccnr[12] = {0};
memcpy(ccnr, emul + (2 * 8), 8);
bool use_elite = false;
iclass_calc_div_key(emul, legacy_aa1_key, emul + (3 * 8), use_elite);
Dbhexdump(8, emul + (3 * 8), false);
}
iclass_simulate(ICLASS_SIM_MODE_FULL, 0 , false, NULL, NULL, NULL);
LED_B_ON();
rdv40_spiffs_lazy_mount();
res = rdv40_spiffs_write(HF_ICLASS_FULLSIM_POST_BIN, emul, fsize, RDV40_SPIFFS_SAFETY_SAFE);
rdv40_spiffs_lazy_unmount();
LED_B_OFF();
if (res != 0) {
Dbprintf("error writing '"HF_ICLASS_FULLSIM_POST_BIN"' to flash ( %d )", res);
}
DownloadLogInstructions(simtype);
simtype = 0;
break;
}
case ICLASS_SIM_MODE_READER_ATTACK: {
Dbprintf("enter reader attack mode");
uint16_t mac_response_len = 0;
uint8_t mac_responses[MAC_RESPONSES_SIZE] = {0};
iclass_simulate(ICLASS_SIM_MODE_READER_ATTACK, NUM_CSNS, false, csns, mac_responses, &mac_response_len);
if (mac_response_len > 0) {
LED_B_ON();
rdv40_spiffs_lazy_mount();
int res = rdv40_spiffs_write(HF_ICLASS_ATTACK_BIN, mac_responses, mac_response_len, RDV40_SPIFFS_SAFETY_SAFE);
rdv40_spiffs_lazy_unmount();
LED_B_OFF();
if (res != 0) {
Dbprintf("error writing '"HF_ICLASS_ATTACK_BIN"' to flash ( %d )", res);
}
}
DownloadLogInstructions(simtype);
simtype = 0;
break;
}
} // switch
} // for loop
LEDsoff();
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}