added bounds checking for when the proxmark3 is simulating a ISO14443a tag

This commit is contained in:
iceman1001 2024-09-05 18:38:17 +02:00
commit 7a4bd03cc0
11 changed files with 55 additions and 47 deletions


@ -67,38 +67,38 @@ typedef struct {
uint8_t sak;
} PACKED card_clone_t;
int get_block_count(iso14a_card_select_t card, uint8_t version[], uint16_t version_len);
uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version);
uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature);
uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response);
uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response);
int get_block_count(iso14a_card_select_t card, uint8_t *version, uint16_t version_len);
uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version, uint16_t version_len);
uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature, uint16_t sign_len);
uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len);
uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len);
uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version) {
return mifare_sendcmd(MIFARE_ULEV1_VERSION, NULL, 0, version, NULL, NULL);
uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version, uint16_t version_len) {
return mifare_sendcmd(MIFARE_ULEV1_VERSION, NULL, 0, version, version_len, NULL, NULL);
}
uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature) {
uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature, uint16_t sign_len) {
uint8_t cmd[4] = {MIFARE_ULEV1_READSIG, 0x00, 0x00, 0x00};
AddCrc14A(cmd, 2);
ReaderTransmit(cmd, sizeof(cmd), NULL);
return ReaderReceive(signature, NULL);
return ReaderReceive(signature, sign_len, NULL);
}
uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response) {
uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
uint8_t cmd[4] = {MIFARE_ULEV1_READ_CNT, counter, 0x00, 0x00};
AddCrc14A(cmd, 2);
ReaderTransmit(cmd, sizeof(cmd), NULL);
return ReaderReceive(response, NULL);
return ReaderReceive(response, resp_len, NULL);
}
uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response) {
uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
uint8_t cmd[4] = {MIFARE_ULEV1_CHECKTEAR, counter, 0x00, 0x00};
AddCrc14A(cmd, 2);
ReaderTransmit(cmd, sizeof(cmd), NULL);
return ReaderReceive(response, NULL);
return ReaderReceive(response, resp_len, NULL);
}
int get_block_count(iso14a_card_select_t card, uint8_t version[], uint16_t version_len) {
int get_block_count(iso14a_card_select_t card, uint8_t *version, uint16_t version_len) {
// Default to MAX_DEFAULT_BLOCKS blocks
int block_count = MAX_DEFAULT_BLOCKS;
// Most of this code is from cmdhfmfu.c
@ -185,7 +185,7 @@ void RunMod(void) {
// Get version and re-select card as UL EV0s like to shut off after a 0x60
uint8_t version[10] = {0x00};
uint16_t version_len = 0;
version_len = get_ev1_version(card, version);
version_len = get_ev1_version(card, version, sizeof(version));
iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
int block_count = get_block_count(card, version, version_len);
@ -212,7 +212,7 @@ void RunMod(void) {
if (read_successful) {
uint8_t signature[34] = {0x00};
if (is_ev1) {
get_ev1_signature(card, signature);
get_ev1_signature(card, signature, sizeof(signature));
}
Dbprintf("Preparing emulator memory with:");
// Fill first 14 blocks with 0x00 (see comment above)
@ -232,8 +232,8 @@ void RunMod(void) {
// On 11-14 read and set counter and tearing on EV1
uint8_t counter[5];
uint8_t tearing[3];
get_ev1_counter(card, i - 11, counter);
get_ev1_tearing(card, i - 11, tearing);
get_ev1_counter(card, i - 11, counter, sizeof(counter));
get_ev1_tearing(card, i - 11, tearing, sizeof(tearing));
memcpy(dataout, counter, 3);
memcpy(dataout + 3, tearing, 1);
}
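Review bot: The lengths returned by get_ev1_counter and get_ev1_tearing on the two changed lines are discarded, so the memcpy calls that follow copy 3 bytes from `counter` and 1 from `tearing` even when the tag answered with nothing or a short frame, and both arrays are declared without an initializer a few lines above, so stale stack bytes end up in dataout. Now that the receive is bounded, the returned length is the natural signal to check before the copy, e.g. `if (get_ev1_counter(card, i - 11, counter, sizeof(counter)) < 3) { /* treat as read failure */ }`, assuming ReaderReceive reports the received byte count the way version_len is used earlier in RunMod. The same discarded result appears at the get_ev1_signature call in the previous hunk. RunMod starts outside the hunk.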


@ -87,12 +87,13 @@ static void RAMFUNC SniffAndStore(uint8_t param) {
Demod14aInit(receivedResp, MAX_FRAME_SIZE, receivedRespPar);
// Set up the demodulator for the reader -> tag commands
Uart14aInit(receivedCmd, receivedCmdPar);
Uart14aInit(receivedCmd, MAX_FRAME_SIZE, receivedCmdPar);
// Setup and start DMA.
if (!FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE)) {
if (g_dbglevel > 1)
if (g_dbglevel > 1) {
Dbprintf("FpgaSetupSscDma failed. Exiting");
}
return;
}
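Review bot: The bound passed to Uart14aInit is the constant MAX_FRAME_SIZE rather than the size of receivedCmd, whose declaration is outside the hunk; the SniffIso14443a and iso14443a_antifuzz hunks make the same choice while the SniffMifare hunk uses sizeof(receivedCmd). If receivedCmd is a BigBuf_malloc(MAX_FRAME_SIZE) region the constant is the only option, but the allocation and the bound are then two places that must stay in step, and a comment at the allocation site, `// MAX_FRAME_SIZE bytes: also passed as the Uart14aInit bound`, would tie them together. The Demod14aInit call on the line above already follows the same pattern, so the hunk is at least consistent with existing code. SniffAndStore starts outside the hunk.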


@ -71,7 +71,7 @@ static void reply_with_packet(packet_t *);
static void read_packet(packet_t *);
static void write_packet(packet_t *);
static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *, uint8_t *, int *);
static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *, uint16_t, uint8_t *, int *);
void RunMod(void) {
@ -229,7 +229,7 @@ static void become_card(void) {
while (1) {
WDT_HIT();
if (!GetIso14443aCommandFromReaderInterruptible(fromReaderDat, parity, &fromReaderLen)) {
if (!GetIso14443aCommandFromReaderInterruptible(fromReaderDat, sizeof(fromReaderDat), parity, &fromReaderLen)) {
if (cardhopper_data_available()) {
read_packet(rx);
if (memcmp(magicRSRT, rx->dat, sizeof(magicRSRT)) == 0) {
@ -496,11 +496,11 @@ static void write_packet(packet_t *packet) {
}
static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *received, uint8_t *par, int *len) {
static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *received, uint16_t received_max_len, uint8_t *par, int *len) {
LED_D_OFF();
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
Uart14aInit(received, par);
Uart14aInit(received, received_max_len, par);
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
(void)b;
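Review bot: `sizeof(fromReaderDat)` in the become_card call is the buffer capacity only if fromReaderDat is declared as an array in that function; its declaration is outside the hunk, and if it is a pointer (a BigBuf_malloc region, for instance) sizeof yields the pointer size and the bound collapses to 4. The same question applies to every new sizeof() bound in this commit, the receivedCmd uses in the other standalone modes, in SimulateIso14443aTag, Mifare1ksim and SniffMifare, since the constant-based calls elsewhere pass MAX_FRAME_SIZE instead. A comment on each such declaration, `// array, not a pointer: the sizeof() bound below relies on it`, makes the dependency visible. become_card and GetIso14443aCommandFromReaderInterruptible both continue outside their hunks.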


@ -307,7 +307,7 @@ void RunMod(void) {
// add loop visa
// for (int i = 0; i < ARRAYLEN(AIDlist); i ++) {
// hexstr_to_byte_array("a0da02631a440a44000000a012ad10a00e800200048108", sam_apdu, &sam_len);
uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apduslen[i], false, apdubuffer, NULL);
uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apduslen[i], false, apdubuffer, sizeof(apdubuffer), NULL);
if (apdulen > 0) {
DbpString("[ " _YELLOW_("Proxmark command") " ]");
@ -404,7 +404,7 @@ void RunMod(void) {
for (;;) {
LED_B_OFF();
// clean receive command buffer
if (GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len) == false) {
if (GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len) == false) {
DbpString("Emulator stopped");
retval = PM3_EOPABORTED;
break;
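Review bot: The length returned by iso14_apdu is narrowed into `uint8_t apdulen` on the changed line, so with the bound now passed as sizeof(apdubuffer) any response longer than 255 bytes wraps, and a negative error return, if iso14_apdu has one (its return type is outside the hunk), becomes a large positive value that passes `if (apdulen > 0)`. Declaring it `int apdulen = iso14_apdu(apdus[i], (uint16_t) apduslen[i], false, apdubuffer, sizeof(apdubuffer), NULL);` keeps the check meaningful. The same narrowing is on the matching changed line of the third standalone mode below, the hunk with the `apdulen > 2` test. RunMod starts outside the hunk.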


@ -224,7 +224,7 @@ void RunMod() {
DbpString(_YELLOW_("[ ") "Bluetooth data:" _YELLOW_(" ]"));
Dbhexdump(lenpacket, rpacket, false);
apdulen = iso14_apdu(rpacket, (uint16_t) lenpacket, false, apdubuffer, NULL);
apdulen = iso14_apdu(rpacket, lenpacket, false, apdubuffer, sizeof(apdubuffer), NULL);
DbpString(_YELLOW_("[ ") "Card response:" _YELLOW_(" ]"));
Dbhexdump(apdulen - 2, apdubuffer, false);
@ -298,7 +298,7 @@ void RunMod() {
for (;;) {
LED_B_OFF();
// Clean receive command buffer
if (GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len) == false) {
if (GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len) == false) {
DbpString("Emulator stopped");
retval = PM3_EOPABORTED;
break;
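Review bot: `Dbhexdump(apdulen - 2, apdubuffer, false)` two lines after the changed call runs without checking that iso14_apdu returned at least the 2 trailing bytes it subtracts; on a timeout or empty response the length goes negative or wraps depending on apdulen's type, which is declared outside the hunk. A guard such as `if (apdulen >= 2) { Dbhexdump(apdulen - 2, apdubuffer, false); }` keeps the dump inside the received data. The `(uint16_t)` cast on lenpacket was dropped on the changed line, which is fine only if lenpacket is already a 16-bit type. RunMod starts outside the hunk.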


@ -217,7 +217,7 @@ void RunMod(void) {
while (!gotkey) {
LED_B_OFF();
// Clean receive command buffer
if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
if (!GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len)) {
DbpString(_YELLOW_("!!") "Emulator stopped");
retval = PM3_EOPABORTED;
break;
@ -324,7 +324,7 @@ void RunMod(void) {
for (uint8_t i = 0; i < 5; i++) {
gotndef = false;
LED_B_ON();
uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apdusLen[i], false, apdubuffer, NULL);
uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apdusLen[i], false, apdubuffer, sizeof(apdubuffer), NULL);
if (apdulen > 2) {
DbpString(_YELLOW_("[ ") "Proxmark command" _YELLOW_(" ]"));
@ -395,7 +395,7 @@ void RunMod(void) {
for (;;) {
LED_B_OFF();
// Clean receive command buffer
if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
if (!GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len)) {
DbpString(_YELLOW_("!!") "Emulator stopped");
retval = PM3_EOPABORTED;
break;


@ -300,14 +300,20 @@ void Uart14aReset(void) {
Uart.syncBit = 9999;
}
void Uart14aInit(uint8_t *data, uint8_t *par) {
Uart.output = data;
void Uart14aInit(uint8_t *d, uint16_t n, uint8_t *par) {
Uart.output_len = n;
Uart.output = d;
Uart.parity = par;
Uart14aReset();
}
// use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
if (Uart.len == Uart.output_len - 1) {
return true;
}
Uart.fourBits = (Uart.fourBits << 8) | bit;
if (Uart.state == STATE_14A_UNSYNCD) { // not yet synced
@ -692,7 +698,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
Demod14aInit(receivedResp, MAX_FRAME_SIZE, receivedRespPar);
// Set up the demodulator for the reader -> tag commands
Uart14aInit(receivedCmd, receivedCmdPar);
Uart14aInit(receivedCmd, MAX_FRAME_SIZE, receivedCmdPar);
if (g_dbglevel >= DBG_INFO) {
DbpString("Press " _GREEN_("pm3 button") " to abort sniffing");
@ -800,7 +806,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
Demod14aReset();
// reset the Miller decoder including its (now outdated) input buffer
Uart14aReset();
//Uart14aInit(receivedCmd, receivedCmdPar);
//Uart14aInit(receivedCmd, MAX_FRAME_SIZE, receivedCmdPar);
LED_C_OFF();
}
TagIsActive = (Demod.state != DEMOD_14A_UNSYNCD);
@ -936,7 +942,7 @@ static void Code4bitAnswerAsTag(uint8_t cmd) {
// stop when button is pressed or client usb connection resets
// or return TRUE when command is captured
//-----------------------------------------------------------------------------
bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len) {
bool GetIso14443aCommandFromReader(uint8_t *received, uint16_t received_max_len, uint8_t *par, int *len) {
// Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
// only, since we are receiving, not transmitting).
// Signal field is off with the appropriate LED
@ -944,7 +950,7 @@ bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
// Now run a `software UART` on the stream of incoming samples.
Uart14aInit(received, par);
Uart14aInit(received, received_max_len, par);
// clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
@ -1462,7 +1468,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_
tag_response_info_t *p_response = NULL;
// Clean receive command buffer
if (GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len) == false) {
if (GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len) == false) {
Dbprintf("Emulator stopped. Trace length: %d ", BigBuf_get_traceLen());
retval = PM3_EOPABORTED;
break;
@ -2070,7 +2076,7 @@ static void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uin
// Stop when button is pressed (return 1) or field was gone (return 2)
// Or return 0 when command is captured
//-----------------------------------------------------------------------------
int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *par) {
int EmGetCmd(uint8_t *received, uint16_t received_max_len, uint16_t *len, uint8_t *par) {
*len = 0;
uint32_t timer = 0;
@ -2096,7 +2102,7 @@ int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *par) {
AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
// Now run a 'software UART' on the stream of incoming samples.
Uart14aInit(received, par);
Uart14aInit(received, received_max_len, par);
// Clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
@ -2474,7 +2480,7 @@ void iso14443a_antifuzz(uint32_t flags) {
WDT_HIT();
// Clean receive command buffer
if (!GetIso14443aCommandFromReader(received, receivedPar, &len)) {
if (!GetIso14443aCommandFromReader(received, MAX_FRAME_SIZE, receivedPar, &len)) {
Dbprintf("Anti-fuzz stopped. Trace length: %d ", BigBuf_get_traceLen());
break;
}
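Review bot: The guard added at the top of MillerDecoding returns true when Uart.len reaches output_len - 1, and callers cannot tell that result from a fully decoded frame, so an over-long reader frame is passed up silently truncated. Because the test is `==`, a length that has already passed the bound is not caught, and if Uart14aInit is ever called with n == 0 the expression `Uart.output_len - 1` promotes to -1 and the guard never fires. `if (Uart.len + 1 >= Uart.output_len) { return true; }` closes both, and a comment such as `// output buffer full: stop decoding; the caller sees len == output_len - 1` documents the contract. GetIso14443aCommandFromReader and EmGetCmd could then flag truncation by comparing the length they hand back against received_max_len - 1, assuming they copy Uart.len out, which this commit does not do anywhere. MillerDecoding and the other functions in this file section continue outside their hunks.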


@ -89,6 +89,7 @@ typedef struct {
uint8_t parityLen;
uint32_t fourBits;
uint32_t startTime, endTime;
uint16_t output_len;
uint8_t *output;
uint8_t *parity;
} tUart14a;
@ -134,14 +135,14 @@ void Demod14aReset(void);
void Demod14aInit(uint8_t *d, uint16_t n, uint8_t *par);
tUart14a *GetUart14a(void);
void Uart14aReset(void);
void Uart14aInit(uint8_t *data, uint8_t *par);
void Uart14aInit(uint8_t *d, uint16_t n, uint8_t *par);
RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time);
RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time);
void RAMFUNC SniffIso14443a(uint8_t param);
void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads);
bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len);
bool GetIso14443aCommandFromReader(uint8_t *received, uint16_t received_max_len, uint8_t *par, int *len);
void iso14443a_antifuzz(uint32_t flags);
void ReaderIso14443a(PacketCommandNG *c);
void ReaderTransmit(uint8_t *frame, uint16_t len, uint32_t *timing);
@ -160,7 +161,7 @@ int EmSendCmd14443aRaw(const uint8_t *resp, uint16_t respLen);
int EmSend4bit(uint8_t resp);
int EmSendCmd(uint8_t *resp, uint16_t respLen);
int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool collision);
int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *par);
int EmGetCmd(uint8_t *received, uint16_t received_max_len, uint16_t *len, uint8_t *par);
int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
int EmSendCmdParEx(uint8_t *resp, uint16_t respLen, uint8_t *par, bool collision);
int EmSendPrecompiledCmd(tag_response_info_t *p_response);
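Review bot: The new `output_len` field of tUart14a and the `n` / `received_max_len` parameters added to Uart14aInit, GetIso14443aCommandFromReader and EmGetCmd carry no comment stating what they bound, and the decoder's behaviour at the bound (it stops one byte short, at output_len - 1, and returns as if a frame had completed) is not visible from the header. Suggested on the field: `uint16_t output_len; // capacity of output in bytes; decoding stops once len reaches output_len - 1`, and on the Uart14aInit prototype: `// n: capacity of d in bytes, must match the buffer passed as d`. The same one-line note belongs on the two prototypes that take received_max_len.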


@ -579,7 +579,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
FpgaEnableTracing();
//Now, get data
int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);
int res = EmGetCmd(receivedCmd, sizeof(receivedCmd), &receivedCmd_len, receivedCmd_par);
if (res == 2) { //Field is off!
//FpgaDisableTracing();


@ -80,7 +80,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
Demod14aInit(receivedResp, receivedRespPar);
// Set up the demodulator for the reader -> tag commands
Uart14aInit(receivedCmd, receivedCmdPar);
Uart14aInit(receivedCmd, sizeof(receivedCmd), receivedCmdPar);
// Setup and start DMA.
// set transfer address and number of bytes. Start transfer.
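Review bot: The unchanged line just above the edited one calls `Demod14aInit(receivedResp, receivedRespPar)` with two arguments, while iso14443a.h in this same commit declares `Demod14aInit(uint8_t *d, uint16_t n, uint8_t *par)`, so this translation unit would not compile against that header; presumably the Mifare sniffer is not part of the build, which is worth confirming rather than leaving a call that keeps drifting from the prototype. If the file is kept, the call should become `Demod14aInit(receivedResp, sizeof(receivedResp), receivedRespPar);` to match the Uart14aInit change below it, provided receivedResp is an array here rather than a pointer. SniffMifare starts outside the hunk.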


@ -12885,6 +12885,6 @@
"metadata": {
"commands_extracted": 743,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2024-09-05T15:50:04"
"extracted_on": "2024-09-05T16:36:25"
}
}