From 7a4bd03cc0b39d465538b5e6a9c8393a3520046d Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Thu, 5 Sep 2024 18:38:17 +0200
Subject: [PATCH] added bounds checking for when the proxmark3 is simulating a ISO14443a tag
---
 armsrc/Standalone/hf_aveful.c | 36 +++++++++++++++----------------
 armsrc/Standalone/hf_bog.c | 5 +++--
 armsrc/Standalone/hf_cardhopper.c | 8 +++----
 armsrc/Standalone/hf_msdsal.c | 4 ++--
 armsrc/Standalone/hf_reblay.c | 4 ++--
 armsrc/Standalone/hf_tcprst.c | 6 +++---
 armsrc/iso14443a.c | 26 +++++++++++++---------
 armsrc/iso14443a.h | 7 +++---
 armsrc/mifaresim.c | 2 +-
 armsrc/mifaresniff_disabled.c | 2 +-
 doc/commands.json | 2 +-
 11 files changed, 55 insertions(+), 47 deletions(-)
diff --git a/armsrc/Standalone/hf_aveful.c b/armsrc/Standalone/hf_aveful.c
index a7d96a44e..e8797f89d 100644
--- a/armsrc/Standalone/hf_aveful.c
+++ b/armsrc/Standalone/hf_aveful.c
@@ -67,38 +67,38 @@ typedef struct {
 uint8_t sak;
 } PACKED card_clone_t;
-int get_block_count(iso14a_card_select_t card, uint8_t version[], uint16_t version_len);
-uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version);
-uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature);
-uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response);
-uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response);
+int get_block_count(iso14a_card_select_t card, uint8_t *version, uint16_t version_len);
+uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version, uint16_t version_len);
+uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature, uint16_t sign_len);
+uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len);
+uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len);
-uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version) {
- return mifare_sendcmd(MIFARE_ULEV1_VERSION, NULL, 0, version, NULL, NULL);
+uint16_t get_ev1_version(iso14a_card_select_t card, uint8_t *version, uint16_t version_len) {
+ return mifare_sendcmd(MIFARE_ULEV1_VERSION, NULL, 0, version, version_len, NULL, NULL);
 }
-uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature) {
+uint16_t get_ev1_signature(iso14a_card_select_t card, uint8_t *signature, uint16_t sign_len) {
 uint8_t cmd[4] = {MIFARE_ULEV1_READSIG, 0x00, 0x00, 0x00};
 AddCrc14A(cmd, 2);
 ReaderTransmit(cmd, sizeof(cmd), NULL);
- return ReaderReceive(signature, NULL);
+ return ReaderReceive(signature, sign_len, NULL);
 }
-uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response) {
+uint16_t get_ev1_counter(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
 uint8_t cmd[4] = {MIFARE_ULEV1_READ_CNT, counter, 0x00, 0x00};
 AddCrc14A(cmd, 2);
ReaderTransmit(cmd, sizeof(cmd), NULL);
- return ReaderReceive(response, NULL);
+ return ReaderReceive(response, resp_len, NULL);
 }
-uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response) {
+uint16_t get_ev1_tearing(iso14a_card_select_t card, uint8_t counter, uint8_t *response, uint16_t resp_len) {
 uint8_t cmd[4] = {MIFARE_ULEV1_CHECKTEAR, counter, 0x00, 0x00};
 AddCrc14A(cmd, 2);
 ReaderTransmit(cmd, sizeof(cmd), NULL);
- return ReaderReceive(response, NULL);
+ return ReaderReceive(response, resp_len, NULL);
 }
-int get_block_count(iso14a_card_select_t card, uint8_t version[], uint16_t version_len) {
+int get_block_count(iso14a_card_select_t card, uint8_t *version, uint16_t version_len) {
 // Default to MAX_DEFAULT_BLOCKS blocks
 int block_count = MAX_DEFAULT_BLOCKS;
 // Most of this code is from cmdhfmfu.c
@@ -185,7 +185,7 @@ void RunMod(void) {
 // Get version and re-select card as UL EV0s like to shut off after a 0x60
 uint8_t version[10] = {0x00};
 uint16_t version_len = 0;
- version_len = get_ev1_version(card, version);
+ version_len = get_ev1_version(card, version, sizeof(version));
 iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
 int block_count = get_block_count(card, version, version_len);
@@ -212,7 +212,7 @@ void RunMod(void) {
 if (read_successful) {
 uint8_t signature[34] = {0x00};
 if (is_ev1) {
- get_ev1_signature(card, signature);
+ get_ev1_signature(card, signature, sizeof(signature));
 }
 Dbprintf("Preparing emulator memory with:");
 // Fill first 14 blocks with 0x00 (see comment above)
@@ -232,8 +232,8 @@ void RunMod(void) {
 // On 11-14 read and set counter and tearing on EV1
 uint8_t counter[5];
 uint8_t tearing[3];
- get_ev1_counter(card, i - 11, counter);
- get_ev1_tearing(card, i - 11, tearing);
+ get_ev1_counter(card, i - 11, counter, sizeof(counter));
+ get_ev1_tearing(card, i - 11, tearing, sizeof(tearing));
 memcpy(dataout, counter, 3);
 memcpy(dataout + 3, tearing, 1);
 }
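Review bot: In the @@ -232 hunk the counts returned by `get_ev1_counter()` and `get_ev1_tearing()` are still discarded, so when the receive is short or fails the following `memcpy(dataout, counter, 3)` and `memcpy(dataout + 3, tearing, 1)` copy indeterminate bytes, because `counter[5]` and `tearing[3]` are declared without an initializer. Now that both helpers take a buffer length and return whatever `ReaderReceive()` reports, that count is the natural guard: `if (get_ev1_counter(card, i - 11, counter, sizeof(counter)) >= 3) memcpy(dataout, counter, 3);` with the same `>= 1` check for tearing, or at minimum `uint8_t counter[5] = {0}; uint8_t tearing[3] = {0};`. The @@ -212 hunk ignores `get_ev1_signature()`'s count in the same way, though `signature[34]` is zero-initialised there. RunMod's body starts and ends outside these hunks.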
diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c
index 9e458a2cf..f7ed9f947 100644
--- a/armsrc/Standalone/hf_bog.c
+++ b/armsrc/Standalone/hf_bog.c
@@ -87,12 +87,13 @@ static void RAMFUNC SniffAndStore(uint8_t param) {
 Demod14aInit(receivedResp, MAX_FRAME_SIZE, receivedRespPar);
 // Set up the demodulator for the reader -> tag commands
- Uart14aInit(receivedCmd, receivedCmdPar);
+ Uart14aInit(receivedCmd, MAX_FRAME_SIZE, receivedCmdPar);
 // Setup and start DMA.
 if (!FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE)) {
- if (g_dbglevel > 1)
+ if (g_dbglevel > 1) {
 Dbprintf("FpgaSetupSscDma failed. Exiting");
+ }
 return;
 }
diff --git a/armsrc/Standalone/hf_cardhopper.c b/armsrc/Standalone/hf_cardhopper.c
index 21b162cfb..f36b5bb61 100644
--- a/armsrc/Standalone/hf_cardhopper.c
+++ b/armsrc/Standalone/hf_cardhopper.c
@@ -71,7 +71,7 @@ static void reply_with_packet(packet_t *);
 static void read_packet(packet_t *);
 static void write_packet(packet_t *);
-static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *, uint8_t *, int *);
+static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *, uint16_t, uint8_t *, int *);
 void RunMod(void) {
@@ -229,7 +229,7 @@ static void become_card(void) {
 while (1) {
 WDT_HIT();
- if (!GetIso14443aCommandFromReaderInterruptible(fromReaderDat, parity, &fromReaderLen)) {
+ if (!GetIso14443aCommandFromReaderInterruptible(fromReaderDat, sizeof(fromReaderDat), parity, &fromReaderLen)) {
 if (cardhopper_data_available()) {
 read_packet(rx);
 if (memcmp(magicRSRT, rx->dat, sizeof(magicRSRT)) == 0) {
@@ -496,11 +496,11 @@ static void write_packet(packet_t *packet) {
 }
-static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *received, uint8_t *par, int *len) {
+static bool GetIso14443aCommandFromReaderInterruptible(uint8_t *received, uint16_t received_max_len, uint8_t *par, int *len) {
 LED_D_OFF();
 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
- Uart14aInit(received, par);
+ Uart14aInit(received, received_max_len, par);
 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 (void)b;
diff --git a/armsrc/Standalone/hf_msdsal.c b/armsrc/Standalone/hf_msdsal.c
index 56be50db1..74044a1c6 100644
--- a/armsrc/Standalone/hf_msdsal.c
+++ b/armsrc/Standalone/hf_msdsal.c
@@ -307,7 +307,7 @@ void RunMod(void) {
 // add loop visa
 // for (int i = 0; i < ARRAYLEN(AIDlist); i ++) {
 // hexstr_to_byte_array("a0da02631a440a44000000a012ad10a00e800200048108", sam_apdu, &sam_len);
- uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apduslen[i], false, apdubuffer, NULL);
+ uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apduslen[i], false, apdubuffer, sizeof(apdubuffer), NULL);
 if (apdulen > 0) {
 DbpString("[ " _YELLOW_("Proxmark command") " ]");
@@ -404,7 +404,7 @@ void RunMod(void) {
 for (;;) {
 LED_B_OFF();
 // clean receive command buffer
- if (GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len) == false) {
+ if (GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len) == false) {
 DbpString("Emulator stopped");
 retval = PM3_EOPABORTED;
 break;
diff --git a/armsrc/Standalone/hf_reblay.c b/armsrc/Standalone/hf_reblay.c
index 5bd13ec3b..83a9c37a5 100644
--- a/armsrc/Standalone/hf_reblay.c
+++ b/armsrc/Standalone/hf_reblay.c
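Review bot: In the hf_msdsal.c @@ -307 hunk the result of `iso14_apdu()` is still stored in `uint8_t apdulen` even though the call now passes `sizeof(apdubuffer)` as its bound; if the function reports the received length in a wider integer (its new length parameter is a `uint16_t`), a response of 256 bytes or more is narrowed before the `if (apdulen > 0)` test and the later hexdump sees the wrong length. Declaring it with a type at least as wide as the function's return, e.g. `uint16_t apdulen = iso14_apdu(apdus[i], (uint16_t) apduslen[i], false, apdubuffer, sizeof(apdubuffer), NULL);`, keeps the count honest. The hf_tcprst.c @@ -324 hunk has the same `uint8_t apdulen` narrowing. RunMod continues outside the hunk in both files.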
@@ -224,7 +224,7 @@ void RunMod() {
 DbpString(_YELLOW_("[ ") "Bluetooth data:" _YELLOW_(" ]"));
 Dbhexdump(lenpacket, rpacket, false);
- apdulen = iso14_apdu(rpacket, (uint16_t) lenpacket, false, apdubuffer, NULL);
+ apdulen = iso14_apdu(rpacket, lenpacket, false, apdubuffer, sizeof(apdubuffer), NULL);
 DbpString(_YELLOW_("[ ") "Card response:" _YELLOW_(" ]"));
 Dbhexdump(apdulen - 2, apdubuffer, false);
@@ -298,7 +298,7 @@ void RunMod() {
 for (;;) {
 LED_B_OFF();
 // Clean receive command buffer
- if (GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len) == false) {
+ if (GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len) == false) {
 DbpString("Emulator stopped");
 retval = PM3_EOPABORTED;
 break;
diff --git a/armsrc/Standalone/hf_tcprst.c b/armsrc/Standalone/hf_tcprst.c
index 952815d60..9b90c1348 100644
--- a/armsrc/Standalone/hf_tcprst.c
+++ b/armsrc/Standalone/hf_tcprst.c
@@ -217,7 +217,7 @@ void RunMod(void) {
 while (!gotkey) {
 LED_B_OFF();
 // Clean receive command buffer
- if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
+ if (!GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len)) {
 DbpString(_YELLOW_("!!") "Emulator stopped");
 retval = PM3_EOPABORTED;
 break;
@@ -324,7 +324,7 @@ void RunMod(void) {
 for (uint8_t i = 0; i < 5; i++) {
 gotndef = false;
 LED_B_ON();
- uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apdusLen[i], false, apdubuffer, NULL);
+ uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apdusLen[i], false, apdubuffer, sizeof(apdubuffer), NULL);
 if (apdulen > 2) {
 DbpString(_YELLOW_("[ ") "Proxmark command" _YELLOW_(" ]"));
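Review bot: In the hf_reblay.c @@ -224 hunk, `Dbhexdump(apdulen - 2, apdubuffer, false)` two lines below the changed call still runs without checking that `apdulen` is at least 2, so an exchange that `iso14_apdu()` reports as 0 or a short length hands a negative or wrapped count to the dump. The hf_tcprst.c @@ -324 hunk in this same commit guards the equivalent call with `if (apdulen > 2)`, and the same guard belongs here: `if (apdulen > 2) { Dbhexdump(apdulen - 2, apdubuffer, false); }`. Dropping the `(uint16_t)` cast on `lenpacket` is only a no-op if `lenpacket` is already an unsigned type no wider than `uint16_t`, which is worth confirming at its declaration since RunMod starts outside the hunk.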
@@ -395,7 +395,7 @@ void RunMod(void) {
 for (;;) {
 LED_B_OFF();
 // Clean receive command buffer
- if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
+ if (!GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len)) {
 DbpString(_YELLOW_("!!") "Emulator stopped");
 retval = PM3_EOPABORTED;
 break;
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index eda9a152d..a9265efd9 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -300,14 +300,20 @@ void Uart14aReset(void) {
 Uart.syncBit = 9999;
 }
-void Uart14aInit(uint8_t *data, uint8_t *par) {
- Uart.output = data;
+void Uart14aInit(uint8_t *d, uint16_t n, uint8_t *par) {
+ Uart.output_len = n;
+ Uart.output = d;
 Uart.parity = par;
 Uart14aReset();
 }
 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
 RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
+
+ if (Uart.len == Uart.output_len - 1) {
+ return true;
+ }
+
 Uart.fourBits = (Uart.fourBits << 8) | bit;
 if (Uart.state == STATE_14A_UNSYNCD) { // not yet synced
@@ -692,7 +698,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 Demod14aInit(receivedResp, MAX_FRAME_SIZE, receivedRespPar);
 // Set up the demodulator for the reader -> tag commands
- Uart14aInit(receivedCmd, receivedCmdPar);
+ Uart14aInit(receivedCmd, MAX_FRAME_SIZE, receivedCmdPar);
 if (g_dbglevel >= DBG_INFO) {
 DbpString("Press " _GREEN_("pm3 button") " to abort sniffing");
@@ -800,7 +806,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
 Demod14aReset();
 // reset the Miller decoder including its (now outdated) input buffer
 Uart14aReset();
- //Uart14aInit(receivedCmd, receivedCmdPar);
+ //Uart14aInit(receivedCmd, MAX_FRAME_SIZE, receivedCmdPar);
 LED_C_OFF();
 }
 TagIsActive = (Demod.state != DEMOD_14A_UNSYNCD);
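Review bot: The new guard at the top of `MillerDecoding()` in the @@ -300 hunk compares with `==`, so it only trips when `Uart.len` lands exactly on `Uart.output_len - 1`; if `Uart.len` is ever advanced past that value by the decoder (its body is outside the hunk) the check is stepped over and writes continue past the buffer. Because `output_len` is a `uint16_t`, `Uart.output_len - 1` is promoted to `int` and becomes -1 when the length is 0, and an unsigned `Uart.len` can never equal that, so the guard is also silently disabled for a zero-length buffer. A `>=` comparison that treats 0 as already full closes both holes: `if (Uart.output_len == 0 || Uart.len >= Uart.output_len - 1) { return true; }`. Returning `true` tells the caller a command was captured, so a comment such as `// output[] is full: report the (possibly truncated) frame instead of overrunning it` is worth adding on the guard; the rest of MillerDecoding continues past the hunk.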
@@ -936,7 +942,7 @@ static void Code4bitAnswerAsTag(uint8_t cmd) {
 // stop when button is pressed or client usb connection resets
 // or return TRUE when command is captured
 //-----------------------------------------------------------------------------
-bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len) {
+bool GetIso14443aCommandFromReader(uint8_t *received, uint16_t received_max_len, uint8_t *par, int *len) {
 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
 // only, since we are receiving, not transmitting).
 // Signal field is off with the appropriate LED
@@ -944,7 +950,7 @@ bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len) {
 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
 // Now run a `software UART` on the stream of incoming samples.
- Uart14aInit(received, par);
+ Uart14aInit(received, received_max_len, par);
 // clear RXRDY:
 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
@@ -1462,7 +1468,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_
 tag_response_info_t *p_response = NULL;
 // Clean receive command buffer
- if (GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len) == false) {
+ if (GetIso14443aCommandFromReader(receivedCmd, sizeof(receivedCmd), receivedCmdPar, &len) == false) {
 Dbprintf("Emulator stopped. Trace length: %d ", BigBuf_get_traceLen());
 retval = PM3_EOPABORTED;
 break;
@@ -2070,7 +2076,7 @@ static void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uin
 // Stop when button is pressed (return 1) or field was gone (return 2)
 // Or return 0 when command is captured
 //-----------------------------------------------------------------------------
-int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *par) {
+int EmGetCmd(uint8_t *received, uint16_t received_max_len, uint16_t *len, uint8_t *par) {
 *len = 0;
 uint32_t timer = 0;
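Review bot: The header comment above `GetIso14443aCommandFromReader()` in the @@ -936 hunk still only says it returns TRUE "when command is captured", but with `received_max_len` now threaded into `Uart14aInit()` the Miller decoder also reports completion once the buffer is nearly full, so a caller cannot tell a complete frame from a truncated one by the return value alone. Extend the comment with `// received_max_len bounds writes to received[]; returns true also when the buffer fills, so *len may describe a truncated frame` and add the same sentence for `received_max_len` above `EmGetCmd()` in the @@ -2070 hunk. Both bodies continue past their hunks, so whether `*len` actually reflects the truncated length should be confirmed there before the comment is committed.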
@@ -2096,7 +2102,7 @@ int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *par) {
 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
 // Now run a 'software UART' on the stream of incoming samples.
- Uart14aInit(received, par);
+ Uart14aInit(received, received_max_len, par);
 // Clear RXRDY:
 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
@@ -2474,7 +2480,7 @@ void iso14443a_antifuzz(uint32_t flags) {
 WDT_HIT();
 // Clean receive command buffer
- if (!GetIso14443aCommandFromReader(received, receivedPar, &len)) {
+ if (!GetIso14443aCommandFromReader(received, MAX_FRAME_SIZE, receivedPar, &len)) {
 Dbprintf("Anti-fuzz stopped. Trace length: %d ", BigBuf_get_traceLen());
 break;
 }
diff --git a/armsrc/iso14443a.h b/armsrc/iso14443a.h
index 3b3053def..5a307b01d 100644
--- a/armsrc/iso14443a.h
+++ b/armsrc/iso14443a.h
@@ -89,6 +89,7 @@ typedef struct {
 uint8_t parityLen;
 uint32_t fourBits;
 uint32_t startTime, endTime;
+ uint16_t output_len;
 uint8_t *output;
 uint8_t *parity;
 } tUart14a;
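Review bot: The new `output_len` field in `tUart14a` (iso14443a.h @@ -89 hunk) carries no comment saying what it bounds, although `MillerDecoding()` now depends on it and stops one byte before it. Document it where it is declared: `uint16_t output_len; // capacity of output[] in bytes; MillerDecoding stops once len reaches output_len - 1`. The struct's other members are above the hunk, so it is worth checking that `output` itself is described alongside.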
@@ -134,14 +135,14 @@ void Demod14aReset(void);
 void Demod14aInit(uint8_t *d, uint16_t n, uint8_t *par);
 tUart14a *GetUart14a(void);
 void Uart14aReset(void);
-void Uart14aInit(uint8_t *data, uint8_t *par);
+void Uart14aInit(uint8_t *d, uint16_t n, uint8_t *par);
 RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time);
 RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time);
 void RAMFUNC SniffIso14443a(uint8_t param);
 void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads);
 bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
-bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len);
+bool GetIso14443aCommandFromReader(uint8_t *received, uint16_t received_max_len, uint8_t *par, int *len);
 void iso14443a_antifuzz(uint32_t flags);
 void ReaderIso14443a(PacketCommandNG *c);
 void ReaderTransmit(uint8_t *frame, uint16_t len, uint32_t *timing);
@@ -160,7 +161,7 @@ int EmSendCmd14443aRaw(const uint8_t *resp, uint16_t respLen);
 int EmSend4bit(uint8_t resp);
 int EmSendCmd(uint8_t *resp, uint16_t respLen);
 int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool collision);
-int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *par);
+int EmGetCmd(uint8_t *received, uint16_t received_max_len, uint16_t *len, uint8_t *par);
 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
 int EmSendCmdParEx(uint8_t *resp, uint16_t respLen, uint8_t *par, bool collision);
 int EmSendPrecompiledCmd(tag_response_info_t *p_response);
diff --git a/armsrc/mifaresim.c b/armsrc/mifaresim.c
index 68f4a4769..1164328b3 100644
--- a/armsrc/mifaresim.c
+++ b/armsrc/mifaresim.c
@@ -579,7 +579,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
 FpgaEnableTracing();
 //Now, get data
- int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);
+ int res = EmGetCmd(receivedCmd, sizeof(receivedCmd), &receivedCmd_len, receivedCmd_par);
 if (res == 2) { //Field is off!
 //FpgaDisableTracing();
diff --git a/armsrc/mifaresniff_disabled.c b/armsrc/mifaresniff_disabled.c
index 342bc878a..80b5adeb8 100644
--- a/armsrc/mifaresniff_disabled.c
+++ b/armsrc/mifaresniff_disabled.c
@@ -80,7 +80,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
 Demod14aInit(receivedResp, receivedRespPar);
 // Set up the demodulator for the reader -> tag commands
- Uart14aInit(receivedCmd, receivedCmdPar);
+ Uart14aInit(receivedCmd, sizeof(receivedCmd), receivedCmdPar);
 // Setup and start DMA.
 // set transfer address and number of bytes. Start transfer.
diff --git a/doc/commands.json b/doc/commands.json
index 878c7bca8..1a781b0bc 100644
--- a/doc/commands.json
+++ b/doc/commands.json
@@ -12885,6 +12885,6 @@
 "metadata": {
 "commands_extracted": 743,
 "extracted_by": "PM3Help2JSON v1.00",
- "extracted_on": "2024-09-05T15:50:04"
+ "extracted_on": "2024-09-05T16:36:25"
 }
 }
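Review bot: `Uart14aInit(receivedCmd, sizeof(receivedCmd), receivedCmdPar)` in the mifaresniff_disabled.c @@ -80 hunk passes `sizeof` of a buffer that the matching `SniffIso14443a()` hunk bounds with `MAX_FRAME_SIZE` instead; if `receivedCmd` is a pointer here as it appears to be there (its declaration is outside the hunk), `sizeof` yields the pointer width and the decoder would stop after a handful of bytes. The neighbouring `Demod14aInit(receivedResp, receivedRespPar)` still has the pre-change two-argument form, so this file is evidently not compiled and the new call was never checked against a real declaration; `Uart14aInit(receivedCmd, MAX_FRAME_SIZE, receivedCmdPar);` matches the sibling sniffer. The same array-versus-pointer question decides whether `sizeof(receivedCmd)` in the mifaresim.c @@ -579 hunk and `MAX_FRAME_SIZE` in the iso14443a.c @@ -2474 hunk are the right bound, so each declaration deserves a glance.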