From 6e93ed80a32d7372fa960a709966b6d448c6643c Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 2 Jan 2018 19:10:55 +0100
Subject: [PATCH] chg: 'hf iclass sniff' - still problems with the dmabuffer
---
 armsrc/appmain.c | 2 +-
 armsrc/fpgaloader.c | 5 ++-
 armsrc/fpgaloader.h | 6 ++--
 armsrc/iclass.c | 83 ++++++++++++++++++++++----------------------
 armsrc/mifaresniff.c | 1 +
 5 files changed, 49 insertions(+), 48 deletions(-)
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index ccb7853d9..658e82c8d 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -932,7 +932,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
 case CMD_ICLASS_EML_MEMSET:
 //iceman, should call FPGADOWNLOAD before, since it corrupts BigBuf
 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
- emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
+ emlSet(c->d.asBytes, c->arg[0], c->arg[1]);
 break;
 case CMD_ICLASS_WRITEBLOCK:
 iClass_WriteBlock(c->arg[0], c->d.asBytes);
diff --git a/armsrc/fpgaloader.c b/armsrc/fpgaloader.c
index 479c11197..07300bdbe 100644
--- a/armsrc/fpgaloader.c
+++ b/armsrc/fpgaloader.c
@@ -536,7 +536,7 @@ void Fpga_print_status(void) {
 }
 }
-int FpgaGetCurrent() {
+int FpgaGetCurrent(void) {
 return downloaded_bitstream;
 }
@@ -545,10 +545,9 @@ int FpgaGetCurrent() {
 // if HF, Disable SSC DMA
 // turn off trace and leds off.
-void switch_off() {
+void switch_off(void) {
 if (MF_DBGLEVEL > 3) Dbprintf("switch_off");
 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
- //SpinDelay(100);
 if (downloaded_bitstream == FPGA_BITSTREAM_HF ) FpgaDisableSscDma();
 set_tracing(false);
diff --git a/armsrc/fpgaloader.h b/armsrc/fpgaloader.h
index 95eaab8ba..ce2b00d2c 100644
--- a/armsrc/fpgaloader.h
+++ b/armsrc/fpgaloader.h
@@ -26,14 +26,14 @@ void FpgaSetupSscExt(uint8_t clearPCER);
 void FpgaSetupSsc(void);
 void SetupSpi(int mode);
 bool FpgaSetupSscDma(uint8_t *buf, int len);
-void Fpga_print_status();
-int FpgaGetCurrent();
+void Fpga_print_status(void);
+int FpgaGetCurrent(void);
 #define FpgaDisableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
 #define FpgaEnableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
 void SetAdcMuxFor(uint32_t whichGpio);
 // extern and generel turn off the antenna method
-extern void switch_off();
+extern void switch_off(void);
 // definitions for multiple FPGA config files support
 #define FPGA_BITSTREAM_MAX 2 // the total number of FPGA bitstreams (configs)
diff --git a/armsrc/iclass.c b/armsrc/iclass.c
index c9a5db465..175ba31b1 100644
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@@ -719,7 +719,7 @@ static void iclass_setup_sniff(void){
 void RAMFUNC SniffIClass(void) {
 uint8_t previous_data = 0;
- int maxDataLen = 0; // datalen = 0;
+ int maxDataLen = 0, datalen = 0;
 uint32_t time_0 = 0, time_start = 0, time_stop = 0;
 uint32_t sniffCounter = 0;
@@ -734,7 +734,7 @@ void RAMFUNC SniffIClass(void) {
 // Setup and start DMA.
 if ( !FpgaSetupSscDma(dmaBuf, ICLASS_DMA_BUFFER_SIZE) ){
- if (MF_DBGLEVEL > 1) DbpString("FpgaSetupSscDma failed. Exiting");
+ if (MF_DBGLEVEL > 1) DbpString("[-] FpgaSetupSscDma failed. Exiting");
 return;
 }
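Review bot: The prototypes gain `(void)`, but the two function-like macros sitting between them, `FpgaDisableSscDma(void)` and `FpgaEnableSscDma(void)`, keep a parameter literally named `void` and a trailing `;` inside the expansion, so every call site expands to a double semicolon and a form such as `if (x) FpgaDisableSscDma(); else ...` would fail to compile. Since this commit is already tidying these declarations, replacing each macro with a static inline function keeps call sites unchanged and gives type checking, e.g. `static inline void FpgaDisableSscDma(void) { AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; }` and the matching `RXTEN` variant. This presumes the header already sees the AT91 register definitions at that point; if it only gets them at the expansion sites, add the include first.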
@@ -755,45 +755,46 @@ void RAMFUNC SniffIClass(void) {
 AT91C_BASE_PDC_SSC->PDC_RNCR = ICLASS_DMA_BUFFER_SIZE;
 }
 // number of bytes we have processed so far
- //int register readBufDataP = data - dmaBuf;
+ int register readBufData = data - dmaBuf;
 // number of bytes already transferred
- //int register dmaBufDataP = ICLASS_DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
- /*
- if (readBufDataP <= dmaBufDataP)
- datalen = dmaBufDataP - readBufDataP;
+ int register dmaBufData = ICLASS_DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
+
+ if (readBufData <= dmaBufData)
+ datalen = dmaBufData - readBufData;
 else
- datalen = ICLASS_DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
- */
- // test for length of buffer
+ datalen = ICLASS_DMA_BUFFER_SIZE - readBufData + dmaBufData;
+ /*
+ // test for length of buffer
 if (datalen > maxDataLen) {
 maxDataLen = datalen;
 if (datalen > (9 * ICLASS_DMA_BUFFER_SIZE / 10)) {
- Dbprintf("blew circular buffer! datalen=%d", datalen);
+ Dbprintf("[-] blew circular buffer! datalen=%d", datalen);
 break;
 }
 }
 */
+
 // this part basically does wait until our DMA buffer got a value.
 // well it loops, but the purpose is to wait.
- //if (datalen < 1) continue;
+ if (datalen < 1) continue;
 // these two, is more of a "reset" the DMA buffers, re-init.
 // primary buffer was stopped( <-- we lost data!
- /*
+
 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
 AT91C_BASE_PDC_SSC->PDC_RCR = ICLASS_DMA_BUFFER_SIZE;
 // Dbprintf("Primary buffer ERROR!!! data length: %d", datalen); // temporary
 }
- */
- /*
+
+
 // secondary buffer sets as primary, secondary buffer was stopped
 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
 AT91C_BASE_PDC_SSC->PDC_RNCR = ICLASS_DMA_BUFFER_SIZE;
 // Dbprintf("Seconday buffer ERROR!!! data length: %d", datalen); // temporary
- }*/
+ }
 if (sniffCounter & 0x01) {
 // no need to try decoding reader data if the tag is sending
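Review bot: The circular-buffer overrun check is now the only part of this block still commented out, so `maxDataLen` (declared at the top of SniffIClass) is never updated and a DMA writer that laps the reader goes unnoticed; the statistics printed at the end of the function would always report maxDataLen=0 unless it is updated somewhere outside the hunk, and lapped bytes would be decoded as if they belonged to the current frame. Re-enable the check by dropping the `/*` and `*/` added here (note the `[-]` prefix change was applied to a line inside the commented-out block), or at minimum keep `if (datalen > maxDataLen) maxDataLen = datalen;` so an overrun is at least visible from the trace statistics. Minor style: `int register` reads oddly, the conventional spelling is `register int`, and since `data - dmaBuf` is a pointer difference, `ptrdiff_t` would avoid the implicit narrowing. SniffIClass continues outside the hunk on both sides.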
@@ -835,9 +836,9 @@ void RAMFUNC SniffIClass(void) {
 } // end main loop
 if (MF_DBGLEVEL >= 1) {
- DbpString("Sniff statistics:");
- Dbprintf(" maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt);
- Dbprintf(" Tracelen=%x, Uart.output[0]=%x", BigBuf_get_traceLen(), (int)Uart.output[0]);
+ DbpString("[+] Sniff statistics:");
+ Dbprintf("[+] maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt);
+ Dbprintf("[+] Tracelen=%x, Uart.output[0]=%x", BigBuf_get_traceLen(), (int)Uart.output[0]);
 Dbhexdump(ICLASS_DMA_BUFFER_SIZE, data, false);
 uint8_t r[128] = {0};
 uint8_t t[128] = {0};
@@ -1015,18 +1016,14 @@ static void CodeIClassTagSOF() {
 // turn off afterwards
 void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) {
- if (MF_DBGLEVEL > 3) Dbprintf("iclass_simulate Enter");
+ if (MF_DBGLEVEL > 3) Dbprintf("[+] iClass_simulate Enter");
 LEDsoff();
 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-
-
- // this will clear out bigbuf memory ...
+ // this will clear out bigbuf memory, the eload command must select this before!
 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
- FpgaSetupSsc();
-
 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 // Enable and clear the trace
@@ -1052,7 +1049,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 doIClassSimulation(MODE_SIM_CSN, NULL);
 } else if (simType == 2) {
- Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
+ Dbprintf("[+] going into attack mode, %d CSNS sent", numberOfCSNS);
 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
 // in order to collect MAC's from the reader. This can later be used in an offlne-attack
 // in order to obtain the keys, as in the "dismantling iclass"-paper.
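Review bot: In the SimulateIClass hunk (@@ -1015) the `FpgaSetupSsc();` call between FpgaDownloadAndGo and SetAdcMuxFor is removed without a mention in the commit message; unless FpgaDownloadAndGo or code later in the simulation path (outside this hunk) reconfigures the SSC, the simulator now runs with whatever SSC setup the previous command left behind. If the removal is deliberate because the SSC is configured later, record that where the call used to be, e.g. `// SSC is (re)configured by the simulation routine, not here`; otherwise restore the call. The new comment `the eload command must select this before!` is also ambiguous about what "this" is; read together with the appmain.c hunk ("FPGADOWNLOAD ... corrupts BigBuf") it appears to mean that eload must already have selected the HF bitstream so this call does not wipe the emulator memory, and the comment should say that in those words. The function continues outside the hunk.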
@@ -1072,6 +1069,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 } else if (simType == 3){
 //This is 'full sim' mode, where we use the emulator storage for data.
+ //ie: BigBuf_get_EM_addr should be previously filled with data from the "eload" command
 doIClassSimulation(MODE_FULLSIM, NULL);
 } else if (simType == 4){
@@ -1079,7 +1077,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 // the collected data (mac_response) is doubled out since we are trying to collect both keys in the keyroll process.
 // Keyroll iceman 9 csns * 8 * 2 = 144
 // keyroll CARL55 15csns * 8 * 2 = 15 * 8 * 2 = 240
- Dbprintf("Going into attack keyroll mode, %d CSNS sent", numberOfCSNS);
+ Dbprintf("[+] going into attack keyroll mode, %d CSNS sent", numberOfCSNS);
 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
 // in order to collect MAC's from the reader. This can later be used in an offlne-attack
 // in order to obtain the keys, as in the "dismantling iclass"-paper.
@@ -1112,7 +1110,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 } else {
 // We may want a mode here where we hardcode the csns to use (from proxclone).
 // That will speed things up a little, but not required just yet.
- DbpString("The mode is not implemented, reserved for future use");
+ DbpString("[-] the mode is not implemented, reserved for future use");
 }
 out:
@@ -1142,7 +1140,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 uint8_t anticoll_data[10] = { 0 };
 uint8_t csn_data[10] = { 0 };
 memcpy(csn_data, csn, sizeof(csn_data));
- Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]);
+ Dbprintf("[+] Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]);
 // Construct anticollision-CSN
 rotateCSN(csn_data, anticoll_data);
@@ -1298,7 +1296,8 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 }
 r2t_etime = ((GetCountSspClk() - time_0) << 4 ) - r2t_stime;
- response_delay = 330;
+ // 330us normal wait, adjusted for our execution
+ response_delay = 230;
 LED_C_ON(); //Signal tracer
@@ -1307,7 +1306,8 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 modulated_response = resp_sof; modulated_response_size = resp_sof_Len; //order = 1;
 trace_data = sof_data;
 trace_data_size = sizeof(sof_data);
- response_delay = 330+160;
+ // adjusted for 330 + (160*num of slot)
+ response_delay = 330 + 160;
 } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) { // 0x0C
 // Reader asks for anticollission CSN
 modulated_response = resp_anticoll; modulated_response_size = resp_anticoll_len; //order = 2;
@@ -1325,6 +1325,12 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 trace_data = card_challenge_data;
 trace_data_size = sizeof(card_challenge_data);
 LED_B_ON();
+ } else if (receivedCmd[0] == ICLASS_CMD_READCHECK_KC) { // 0x18
+ // Read e-purse (18 02)
+ modulated_response = resp_cc; modulated_response_size = resp_cc_len; //order = 4;
+ trace_data = card_challenge_data;
+ trace_data_size = sizeof(card_challenge_data);
+ LED_B_ON();
 } else if (receivedCmd[0] == ICLASS_CMD_CHECK) { // 0x05
 // Reader random and reader MAC!!!
 if (simulationMode == MODE_FULLSIM) {
@@ -1367,7 +1373,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 trace_data = NULL;
 trace_data_size = 0;
 // sim 2 / 4,
- } else if (simulationMode == MODE_EXIT_AFTER_MAC && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
+ } else if (simulationMode == MODE_EXIT_AFTER_MAC && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){ // 0x0C
 // block0,1,2,5 is always readable.
 uint16_t blk = receivedCmd[1];
 switch (blk){
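Review bot: The two timing edits disagree with their own comments: the default reply becomes `response_delay = 230;` under a comment saying the nominal 330 is "adjusted for our execution", while the next hunk (@@ -1307) keeps the full `330 + 160` base for the SOF-after-slot reply, so only one of the two paths compensates for execution overhead; if the 100-unit correction is real it presumably applies to both. Replace the repeated literals with named file-scope constants (constructed names, pick your own), e.g. `#define ICLASS_RESP_DELAY 230 /* nominal 330 minus execution overhead */` and `#define ICLASS_SLOT_DELAY 160`, so the next retune touches one line and the comment and value cannot drift apart. The comment `adjusted for 330 + (160*num of slot)` also promises a per-slot multiplier the code does not implement; either compute it from the slot number or reword the comment to state the fixed slot-1 value. doIClassSimulation continues outside both hunks.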
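Review bot: The new `ICLASS_CMD_READCHECK_KC` branch (@@ -1325) is a line-for-line copy of the branch immediately above it, whose head lies outside the hunk but whose `resp_cc` / card_challenge_data body looks like the KD read-check case, and it answers on the opcode alone whereas the neighbouring `ICLASS_CMD_READ_OR_IDENTIFY` branches also qualify on `len`. If both read-checks are meant to return the same e-purse challenge, fold them into one condition, `} else if (receivedCmd[0] == ICLASS_CMD_READCHECK_KD || receivedCmd[0] == ICLASS_CMD_READCHECK_KC) { // 0x88 / 0x18`, so there is one place to change when the response does; and if `(18 02)` in the comment is the whole frame, `&& len == 2` would make it as strict as its neighbours. Confirm against the branch above before merging them, since only its tail is visible here.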
@@ -1394,7 +1400,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 default: break;
 }
- } else if (simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
+ } else if (simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){ // 0x0C
 //Read block
 uint16_t blk = receivedCmd[1];
 //Take the data...
@@ -1437,13 +1443,8 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 } else {
 //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
 // Never seen this command before
- if ( MF_DBGLEVEL == MF_DBG_EXTENDED) {
- Dbprintf("Unhandled command received from reader (len %d) | %02x %02x %02x %02x %02x %02x %02x %02x %02x",
- len,
- receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3],
- receivedCmd[4], receivedCmd[5], receivedCmd[6], receivedCmd[7], receivedCmd[8]
- );
- }
+ if ( MF_DBGLEVEL == MF_DBG_EXTENDED)
+ print_result("[-] Unhandled command received ", receivedCmd, len);
 // Do not respond
 modulated_response = resp_sof;
@@ -1470,7 +1471,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
 LEDsoff();
 if (buttonPressed)
- DbpString("Button pressed");
+ DbpString("[+] button pressed");
 return buttonPressed;
 }
diff --git a/armsrc/mifaresniff.c b/armsrc/mifaresniff.c
index 28cc071d6..e1b0fb39d 100644
--- a/armsrc/mifaresniff.c
+++ b/armsrc/mifaresniff.c
@@ -169,6 +169,7 @@ bool intMfSniffSend() {
 uint8_t *data = BigBuf_get_addr();
 FpgaDisableSscDma();
+
 while (pckLen > 0) {
 pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
 LED_B_ON();
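Review bot: In the unhandled-command hunk (@@ -1437) the `if ( MF_DBGLEVEL == MF_DBG_EXTENDED)` guard now has an unbraced body; the old code braced it, and the rest of this file braces single-statement conditionals of this kind, so keep `if ( MF_DBGLEVEL == MF_DBG_EXTENDED) {` / `print_result("[-] Unhandled command received ", receivedCmd, len);` / `}` to avoid the classic dangling-statement mistake when a second line is added later. Dumping `len` bytes instead of a fixed nine is the right direction; the one thing to confirm, since print_result's declaration is not in view, is that its length parameter accepts the `int` `len` used here without a sign conversion warning. doIClassSimulation continues outside the hunk.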