From 5633768e810ca38305968e4875aeaf60f60a4ecf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Jen=C5=A1terle?=
Date: Fri, 5 Mar 2021 10:58:52 +0100
Subject: [PATCH 1/5] desfire emulation standalone
---
 armsrc/Standalone/Makefile.hal | 5 +-
 armsrc/Standalone/Makefile.inc | 4 ++
 armsrc/Standalone/hf_emuldes.c | 111 +++++++++++++++++++++++++++++++++
 3 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 armsrc/Standalone/hf_emuldes.c
diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal
index 552267611..3c0420f2d 100644
--- a/armsrc/Standalone/Makefile.hal
+++ b/armsrc/Standalone/Makefile.hal
@@ -50,6 +50,9 @@ define KNOWN_STANDALONE_DEFINITIONS
 | HF_COLIN | Mifare ultra fast sniff/sim/clone |
 | (RDV4 only) | - Colin Brigato |
 +----------------------------------------------------------+
+| HF_EMULDES | DESfire 14a simulation |
+| | - Anze Jensterle |
++----------------------------------------------------------+
 | HF_ICECLASS | Simulate HID iCLASS legacy ags |
 | (RDV4 only) | storing in flashmem |
 +----------------------------------------------------------+
@@ -71,7 +74,7 @@ define KNOWN_STANDALONE_DEFINITIONS
 endef
 STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN LF_THAREXDE
-STANDALONE_MODES += HF_14ASNIFF HF_AVEFUL HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_TCPRST HF_YOUNG
+STANDALONE_MODES += HF_14ASNIFF HF_AVEFUL HF_BOG HF_COLIN HF_EMULDES HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_TCPRST HF_YOUNG
 STANDALONE_MODES_REQ_SMARTCARD :=
 STANDALONE_MODES_REQ_FLASH := LF_ICEHID LF_THAREXDE HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS
 ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),)
diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc
index 519dc2087..bda3b2719 100644
--- a/armsrc/Standalone/Makefile.inc
+++ b/armsrc/Standalone/Makefile.inc
@@ -77,3 +77,7 @@ endif
 ifneq (,$(findstring WITH_STANDALONE_LF_THAREXDE,$(APP_CFLAGS)))
 SRC_STANDALONE = lf_tharexde.c
 endif
+# WITH_STANDALONE_HF_EMULDES
+ifneq (,$(findstring WITH_STANDALONE_HF_EMULDES,$(APP_CFLAGS)))
+ SRC_STANDALONE = hf_emuldes.c
+endif
\ No newline at end of file
diff --git a/armsrc/Standalone/hf_emuldes.c b/armsrc/Standalone/hf_emuldes.c
new file mode 100644
index 000000000..20a64bf00
--- /dev/null
+++ b/armsrc/Standalone/hf_emuldes.c
@@ -0,0 +1,111 @@
+//-----------------------------------------------------------------------------
+// Copyright 2020 Anze Jensterle
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// main code for standalone HF/iso14a emulator
+//-----------------------------------------------------------------------------
+
+/*
+ * `hf_basicbreak` scans a card
+ */
+
+#include "standalone.h"
+#include "proxmark3_arm.h"
+#include "appmain.h"
+#include "fpgaloader.h"
+#include "util.h"
+#include "dbprint.h"
+#include "ticks.h"
+#include "string.h"
+#include "BigBuf.h"
+#include "iso14443a.h"
+#include "protocols.h"
+#include "cmd.h"
+
+#define STATE_READ 0
+#define STATE_EMUL 1
+
+typedef struct {
+ uint8_t uid[10];
+ uint8_t uidlen;
+ uint8_t atqa[2];
+ uint8_t sak;
+} PACKED card_clone_t;
+
+void ModInfo(void) {
+ DbpString("hf_emuldes: standalone DESfire that scans a card and then emulates UID, SAK and ATQA");
+}
+
+void RunMod(void) {
+ StandAloneMode();
+ Dbprintf("HF DESfire emulator started");
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+
+ // the main loop for your standalone mode
+ for (;;) {
+ WDT_HIT();
+
+ // exit from RunMod, send a usbcommand.
+ if (data_available()) break;
+
+ iso14a_card_select_t card;
+ card_clone_t clone;
+
+ SpinDelay(500);
+
+ // 0 = search, 1 = read, 2 = emul
+ int state = STATE_READ;
+
+ DbpString("Scanning...");
+ int button_pressed = BUTTON_NO_CLICK;
+ for (;;) {
+ // Was our button held down or pressed?
+ button_pressed = BUTTON_HELD(1000);
+
+ if (button_pressed != BUTTON_NO_CLICK || data_available())
+ break;
+ else if (state == STATE_READ) {
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+ if (!iso14443a_select_card(NULL, &card, NULL, true, 0, true)) {
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LED_D_OFF();
+ SpinDelay(500);
+ continue;
+ } else {
+ Dbprintf("Found card with SAQ: %02X, ATQA: %02X %02X, UID: ", card.sak, card.atqa[0], card.atqa[1]);
+ Dbhexdump(card.uidlen, card.uid, 0);
+ clone.uidlen = card.uidlen;
+ clone.sak = card.sak;
+ clone.atqa[0] = card.atqa[0];
+ clone.atqa[1] = card.atqa[1];
+ memcpy(clone.uid, card.uid, card.uidlen);
+ state = STATE_EMUL;
+ }
+ } else if (state == STATE_EMUL) {
+ uint8_t flags;
+ if (clone.uidlen == 4) flags |= FLAG_4B_UID_IN_DATA;
+ else if (clone.uidlen == 7) flags |= FLAG_7B_UID_IN_DATA;
+ else if (clone.uidlen == 10) flags |= FLAG_10B_UID_IN_DATA;
+ else {
+ Dbprintf("Unusual UID length, something is wrong. Try again please.");
+ state = STATE_READ;
+ continue;
+ }
+
+ Dbprintf("Starting simulation, press pm3-button to stop and go back to search state.");
+ SimulateIso14443aTag(3, flags, card.uid, 0);
+
+ // Go back to search state if user presses pm3-button
+ state = STATE_READ;
+ }
+ }
+ if (button_pressed == BUTTON_HOLD) //Holding down the button
+ break;
+ }
+
+ DbpString("exiting");
+ LEDsoff();
+}
From ac36c0659020c5458d6c7f917724539811d41c92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Jen=C5=A1terle?=
Date: Mon, 15 Mar 2021 00:33:27 +0100
Subject: [PATCH 2/5] rename standalone
---
 armsrc/Standalone/Makefile.hal | 4 ++--
 armsrc/Standalone/Makefile.inc | 6 +++---
 armsrc/Standalone/{hf_emuldes.c => hf_craftbyte.c} | 0
 3 files changed, 5 insertions(+), 5 deletions(-)
 rename armsrc/Standalone/{hf_emuldes.c => hf_craftbyte.c} (100%)
diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal
index 3c0420f2d..78d65cbd7 100644
--- a/armsrc/Standalone/Makefile.hal
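Review bot: `uint8_t flags;` in the STATE_EMUL branch is never initialized before `flags |= FLAG_4B_UID_IN_DATA` (and the 7B/10B arms), so the OR reads an indeterminate value — undefined behaviour — and whatever stale stack bits it picks up are handed to `SimulateIso14443aTag`; the fix is `uint8_t flags = 0;`. The simulation call also passes `card.uid` with a hard-coded tag type `3`, while `clone` (uid, sak, atqa) is filled in but never read apart from `clone.uidlen`, so the ModInfo claim that SAK and ATQA are emulated is not backed by this code — either feed `clone` into the simulation or drop the claim (the later patches in this series do shorten that string). Minor leftovers in the same hunk: the `hf_basicbreak` header comment, the `// 0 = search, 1 = read, 2 = emul` comment (only STATE_READ/STATE_EMUL exist) and the `SAQ:` typo in the found-card log line, which should read `SAK:`.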
+++ b/armsrc/Standalone/Makefile.hal
@@ -50,7 +50,7 @@ define KNOWN_STANDALONE_DEFINITIONS
 | HF_COLIN | Mifare ultra fast sniff/sim/clone |
 | (RDV4 only) | - Colin Brigato |
 +----------------------------------------------------------+
-| HF_EMULDES | DESfire 14a simulation |
+| HF_CRAFTBYTE | UID stealer |
 | | - Anze Jensterle |
 +----------------------------------------------------------+
 | HF_ICECLASS | Simulate HID iCLASS legacy ags |
@@ -74,7 +74,7 @@ define KNOWN_STANDALONE_DEFINITIONS
 endef
 STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN LF_THAREXDE
-STANDALONE_MODES += HF_14ASNIFF HF_AVEFUL HF_BOG HF_COLIN HF_EMULDES HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_TCPRST HF_YOUNG
+STANDALONE_MODES += HF_14ASNIFF HF_AVEFUL HF_BOG HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_TCPRST HF_YOUNG
 STANDALONE_MODES_REQ_SMARTCARD :=
 STANDALONE_MODES_REQ_FLASH := LF_ICEHID LF_THAREXDE HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS
 ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),)
diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc
index bda3b2719..b24ac2f4f 100644
--- a/armsrc/Standalone/Makefile.inc
+++ b/armsrc/Standalone/Makefile.inc
@@ -77,7 +77,7 @@ endif
 ifneq (,$(findstring WITH_STANDALONE_LF_THAREXDE,$(APP_CFLAGS)))
 SRC_STANDALONE = lf_tharexde.c
 endif
-# WITH_STANDALONE_HF_EMULDES
-ifneq (,$(findstring WITH_STANDALONE_HF_EMULDES,$(APP_CFLAGS)))
- SRC_STANDALONE = hf_emuldes.c
+# WITH_STANDALONE_HF_CRAFTBYTE
+ifneq (,$(findstring HF_CRAFTBYTE,$(APP_CFLAGS)))
+ SRC_STANDALONE = hf_craftbyte.c
 endif
\ No newline at end of file
diff --git a/armsrc/Standalone/hf_emuldes.c b/armsrc/Standalone/hf_craftbyte.c
similarity index 100%
rename from armsrc/Standalone/hf_emuldes.c
rename to armsrc/Standalone/hf_craftbyte.c
From fb34db5e1076cca5e0d992a601df974c6937d1d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Jen=C5=A1terle?=
Date: Mon, 15 Mar 2021 00:36:46 +0100
Subject: [PATCH 3/5] Finish renaming standalone, add documentation
---
 CHANGELOG.md | 1 +
 armsrc/Standalone/Makefile.inc | 2 +-
 doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bced7ef1a..00077e5d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
+ - Added HF_CRAFTBYTE standalone mode that reads and emulates 14a UID (@craftbyte)
 - Added a script to dump originality signatures from MFU EV1s and NTAGs (@aveao)
 - Added parsing of EF_CardAccess to display PACE algorithm, version and parameter in `hf emrtd info` (@aveao)
 - Change, numerous commands more uses cliparser (@tcprst, @iceman1001)
diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc
index b24ac2f4f..d018ee927 100644
--- a/armsrc/Standalone/Makefile.inc
+++ b/armsrc/Standalone/Makefile.inc
@@ -78,6 +78,6 @@ ifneq (,$(findstring WITH_STANDALONE_LF_THAREXDE,$(APP_CFLAGS)))
 SRC_STANDALONE = lf_tharexde.c
 endif
 # WITH_STANDALONE_HF_CRAFTBYTE
-ifneq (,$(findstring HF_CRAFTBYTE,$(APP_CFLAGS)))
+ifneq (,$(findstring WITH_STANDALONE_HF_CRAFTBYTE,$(APP_CFLAGS)))
 SRC_STANDALONE = hf_craftbyte.c
 endif
\ No newline at end of file
diff --git a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
index 2ba6aeaba..0b17be23e 100644
--- a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
+++ b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
@@ -90,6 +90,7 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo
 | HF_14ASNIFF | 14a sniff storing to flashmem - Micolous
 | HF_AVEFUL | MIFARE Ultralight read/simulation - Ave Ozkal
 | HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth storing in flashmem - Bogito
+| HF_CRAFTBYTE | UID Stealer - Anze Jensterle
 | HF_COLIN | Mifare ultra fast sniff/sim/clone - Colin Brigato
 | HF_ICECLASS | iCLASS 4-1 mode sim/read & dump/loclass/glitch & config to flashmem - Iceman1001
 | HF_LEGIC | HF Legic Prime standalone - uhei
From 73dd5a23e4e2633b8444e77c420355bd7875b793 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Jen=C5=A1terle?=
Date: Mon, 15 Mar 2021 00:55:25 +0100
Subject: [PATCH 4/5] fixed help for standalone
---
 armsrc/Standalone/Makefile.hal | 2 +-
 armsrc/Standalone/hf_craftbyte.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal
index 78d65cbd7..b0e343b0b 100644
--- a/armsrc/Standalone/Makefile.hal
+++ b/armsrc/Standalone/Makefile.hal
@@ -50,7 +50,7 @@ define KNOWN_STANDALONE_DEFINITIONS
 | HF_COLIN | Mifare ultra fast sniff/sim/clone |
 | (RDV4 only) | - Colin Brigato |
 +----------------------------------------------------------+
-| HF_CRAFTBYTE | UID stealer |
+| HF_CRAFTBYTE | UID stealer - Emulates scanned 14a UID |
 | | - Anze Jensterle |
 +----------------------------------------------------------+
 | HF_ICECLASS | Simulate HID iCLASS legacy ags |
diff --git a/armsrc/Standalone/hf_craftbyte.c b/armsrc/Standalone/hf_craftbyte.c
index 20a64bf00..d2f1eda94 100644
--- a/armsrc/Standalone/hf_craftbyte.c
+++ b/armsrc/Standalone/hf_craftbyte.c
@@ -36,7 +36,7 @@ typedef struct {
 } PACKED card_clone_t;
 void ModInfo(void) {
- DbpString("hf_emuldes: standalone DESfire that scans a card and then emulates UID, SAK and ATQA");
+ DbpString("hf_craftbyte: standalone DESfire that scans a card and then emulates UID, SAK and ATQA");
 }
 void RunMod(void) {
From 9a33e547f3865246ff7034a7338a15e4aa60d4dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Jen=C5=A1terle?=
Date: Mon, 15 Mar 2021 00:58:38 +0100
Subject: [PATCH 5/5] more renaming and explaining
---
 armsrc/Standalone/hf_craftbyte.c | 4 ++--
 doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/armsrc/Standalone/hf_craftbyte.c b/armsrc/Standalone/hf_craftbyte.c
index d2f1eda94..dd4f54345 100644
--- a/armsrc/Standalone/hf_craftbyte.c
+++ b/armsrc/Standalone/hf_craftbyte.c
@@ -36,12 +36,12 @@ typedef struct {
 } PACKED card_clone_t;
 void ModInfo(void) {
- DbpString("hf_craftbyte: standalone DESfire that scans a card and then emulates UID, SAK and ATQA");
+ DbpString("hf_craftbyte: standalone UID Stealer - Scans and emulates 14a UID");
 }
 void RunMod(void) {
 StandAloneMode();
- Dbprintf("HF DESfire emulator started");
+ Dbprintf("HF UID emulator started");
 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 // the main loop for your standalone mode
diff --git a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
index 0b17be23e..8f49e0b15 100644
--- a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
+++ b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
@@ -90,7 +90,7 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo
 | HF_14ASNIFF | 14a sniff storing to flashmem - Micolous
 | HF_AVEFUL | MIFARE Ultralight read/simulation - Ave Ozkal
 | HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth storing in flashmem - Bogito
-| HF_CRAFTBYTE | UID Stealer - Anze Jensterle
+| HF_CRAFTBYTE | UID stealer - Emulates scanned 14a UID - Anze Jensterle
 | HF_COLIN | Mifare ultra fast sniff/sim/clone - Colin Brigato
 | HF_ICECLASS | iCLASS 4-1 mode sim/read & dump/loclass/glitch & config to flashmem - Iceman1001
 | HF_LEGIC | HF Legic Prime standalone - uhei