add: 'hf 14 antifuzz' - the outline for the new functionality which fuzzes the anticollision phase ISO 14443a.

2025-08-20 13:23:51 -07:00 · 2018-02-28 13:21:47 +01:00 · 2018-02-28 13:21:47 +01:00 · 802994d30a
commit 802994d30a
parent 184ab1aeab
8 changed files with 133 additions and 11 deletions
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -811,6 +811,9 @@ void UsbPacketReceived(uint8_t *packet, int len) {
 		case CMD_SIMULATE_TAG_ISO_14443a:
 			SimulateIso14443aTag(c->arg[0], c->arg[1], c->d.asBytes);  // ## Simulate iso14443a tag - pass tag type & UID
 			break;
+		case CMD_ANTIFUZZ_ISO_14443a:
+			iso14443a_antifuzz(c->arg[0]);
+			break;			
 		case CMD_EPA_PACE_COLLECT_NONCE:
 			EPA_PACE_Collect_Nonce(c);
 			break;
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -121,7 +121,8 @@ void ClearFpgaShiftingRegisters(void);
 // iso14443a.h
 void RAMFUNC SniffIso14443a(uint8_t param);
 void SimulateIso14443aTag(int tagType, int flags, uint8_t *data);
-void ReaderIso14443a(UsbCommand * c);
+void ReaderIso14443a(UsbCommand *c);
+
 // Also used in iclass.c
 //bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t len, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag);
 void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *parity);
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -1790,6 +1790,101 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) {
 	return Demod.len;
 }

+// This function misstreats the ISO 14443a anticollision procedure.
+// by fooling the reader there is a collision and forceing the reader to 
+// increase the uid bytes.   The might be an overflow, DoS will occure.
+void iso14443a_antifuzz(uint32_t flags){
+	/*
+	uint8_t uidlen = 4+1+1+2;
+	if (( flags & 2 ) == 2 )
+		uidlen = 7+1+1+2;
+	if (( flags & 4 ) == 4 )
+		uidlen = 10+1+1+2;
+		
+	uint8_t *uid = BigBuf_malloc(uidlen);
+	
+	// The first response contains the ATQA (note: bytes are transmitted in reverse order).
+	// Mifare Classic 1K
+	uint8_t atqa[] = {0x04, 0};
+
+	if ( (flags & 2) == 2 ) {
+		uid[0] = 0x88;  // Cascade Tag marker
+		uid[1] = 0x01;
+
+		// Configure the ATQA accordingly
+		atqa[0] |= 0x40;
+	} else {
+		memcpy(response2, data, 4);
+		// Configure the ATQA accordingly
+		atqa[0] &= 0xBF;
+	}	
+	
+	// We need to listen to the high-frequency, peak-detected path.
+	iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
+	// allocate buffers:
+	uint8_t *received = BigBuf_malloc(MAX_FRAME_SIZE);
+	uint8_t *receivedPar = BigBuf_malloc(MAX_PARITY_SIZE);
+	uint16_t counter = 0;
+		
+	int len = 0;
+		
+	BigBuf_free();
+	clear_trace();
+	set_tracing(true);
+	
+	LED_A_ON();
+	for (;;) {	
+		WDT_HIT();
+		
+		// Clean receive command buffer
+		if (!GetIso14443aCommandFromReader(received, receivedPar, &len)) {
+			Dbprintf("Anti-fuzz stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
+			break;
+		}
+		p_response = NULL;
+		
+		// look at the command now.
+		if (received[0] == ISO14443A_CMD_REQA) { // Received a REQUEST
+			p_response = &responses[0];
+		} else if (received[0] == ISO14443A_CMD_WUPA) { // Received a WAKEUP
+			p_response = &responses[0];
+		} else if (received[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {	// Received request for UID (cascade 1)
+			p_response = &responses[1];
+		} else if (received[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) { 	// Received request for UID (cascade 2)
+			p_response = &responses[2];
+		} else if (received[1] == 0x70 && received[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT) {	// Received a SELECT (cascade 1)
+			p_response = &responses[3];
+		} else if (received[1] == 0x70 && received[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2) {	// Received a SELECT (cascade 2)
+			p_response = &responses[4];
+		}
+		if (p_response != NULL) {
+			
+			EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n);
+			// do the tracing for the previous reader request and this tag answer:
+			uint8_t par[MAX_PARITY_SIZE] = {0x00};
+			GetParity(p_response->response, p_response->response_n, par);
+	
+			EmLogTrace(Uart.output, 
+						Uart.len, 
+						Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, 
+						Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, 
+						Uart.parity,
+						p_response->response, 
+						p_response->response_n,
+						LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
+						(LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG, 
+						par);
+		}
+		counter++;
+	}
+
+	cmd_send(CMD_ACK,1,0,0,0,0);
+	switch_off();	
+	Dbprintf("-[ UID until no response [%d]", counter);
+*/
+}
+
 static void iso14a_set_ATS_times(uint8_t *ats) {

 	uint8_t tb1;
--- a/armsrc/iso14443a.h
+++ b/armsrc/iso14443a.h
@ -106,6 +106,7 @@ extern RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non

 extern void RAMFUNC SniffIso14443a(uint8_t param);
 extern void SimulateIso14443aTag(int tagType, int flags, uint8_t *data);
+extern void iso14443a_antifuzz(uint32_t flags);
 extern void ReaderIso14443a(UsbCommand *c);
 extern void ReaderTransmit(uint8_t *frame, uint16_t len, uint32_t *timing);
 extern void ReaderTransmitBitsPar(uint8_t *frame, uint16_t bits, uint8_t *par, uint32_t *timing);
--- a/client/cmdhf14a.c
+++ b/client/cmdhf14a.c
@ -177,6 +177,11 @@ int usage_hf_14a_apdu(void) {
 	PrintAndLogEx(NORMAL, "       -t    executes TLV decoder if it possible. TODO!!!!");
 	return 0;
 }
+int usage_hf_14a_antifuzz(void) {
+	PrintAndLogEx(NORMAL, "Usage: hf 14a antifuzz [4|7|10]");
+	PrintAndLogEx(NORMAL, "       <len>    determine which anticollision phase the command will target.");
+	return 0;
+}

 int CmdHF14AList(const char *Cmd) {
 	//PrintAndLogEx(NORMAL, "Deprecated command, use 'hf list 14a' instead");
@ -1001,16 +1006,30 @@ static int waitCmd(uint8_t iSelect) {
 	return 0;
 }

+int CmdHF14AAntiFuzz(const char *cmd) {
+	
+	if (strlen(cmd) < 1) return usage_hf_14a_antifuzz();
+
+	//	read param length
+	uint8_t arg0 = 4;
+	
+	UsbCommand c = {CMD_ANTIFUZZ_ISO_14443a, {arg0, 0, 0}};	
+	clearCommandBuffer();
+    SendCommand(&c);	
+	return 0;
+}
+
 static command_t CommandTable[] = {
-  {"help",   CmdHelp,              1, "This help"},
-  {"list",   CmdHF14AList,         0, "[Deprecated] List ISO 14443-a history"},
-  {"info",   CmdHF14AInfo,         0, "Tag information"},
-  {"reader", CmdHF14AReader,       0, "Act like an ISO14443-a reader"},
-  {"cuids",  CmdHF14ACUIDs,        0, "<n> Collect n>0 ISO14443-a UIDs in one go"},
-  {"sim",    CmdHF14ASim,          0, "<UID> -- Simulate ISO 14443-a tag"},
-  {"sniff",  CmdHF14ASniff,        0, "sniff ISO 14443-a traffic"},
-  {"apdu",   CmdHF14AAPDU,         0, "Send ISO 14443-4 APDU to tag"},
-  {"raw",    CmdHF14ACmdRaw,       0, "Send raw hex data to tag"},
+  {"help",		CmdHelp,              1, "This help"},
+  {"list",		CmdHF14AList,         0, "[Deprecated] List ISO 14443-a history"},
+  {"info",		CmdHF14AInfo,         0, "Tag information"},
+  {"reader",	CmdHF14AReader,       0, "Act like an ISO14443-a reader"},
+  {"cuids",		CmdHF14ACUIDs,        0, "<n> Collect n>0 ISO14443-a UIDs in one go"},
+  {"sim",		CmdHF14ASim,          0, "<UID> -- Simulate ISO 14443-a tag"},
+  {"sniff",		CmdHF14ASniff,        0, "sniff ISO 14443-a traffic"},
+  {"apdu",		CmdHF14AAPDU,         0, "Send ISO 14443-4 APDU to tag"},
+  {"raw",		CmdHF14ACmdRaw,       0, "Send raw hex data to tag"},
+  {"antifuzz",	CmdHF14AAntiFuzz,     0, "Fuzzing the anticollision phase.  Warning! Readers may react strange"},
  {NULL, NULL, 0, NULL}
 };

--- a/client/cmdhf14a.h
+++ b/client/cmdhf14a.h
@ -48,6 +48,7 @@ extern int CmdHF14ASim(const char *Cmd);
 extern int CmdHF14ASniff(const char *Cmd);
 extern int CmdHF14ACmdRaw(const char *Cmd);
 extern int CmdHF14ACUIDs(const char *Cmd);
+extern int CmdHF14AAntiFuzz(const char *cmd);

 extern char* getTagInfo(uint8_t uid);
 extern int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);									
@ -55,4 +56,5 @@ extern int ExchangeAPDU14a(uint8_t *datain, int datainlen, bool activateField, b
 extern int usage_hf_14a_sim(void);
 extern int usage_hf_14a_sniff(void);
 extern int usage_hf_14a_raw(void);
+extern int usage_hf_14a_antifuzz(void);
 #endif
--- a/client/hid-flasher/usb_cmd.h
+++ b/client/hid-flasher/usb_cmd.h
@ -130,6 +130,7 @@ typedef struct {
 #define CMD_WR_HITAG_S													  0x0375
 #define CMD_EMU_HITAG_S													  0x0376

+#define CMD_ANTIFUZZ_ISO_14443a											  0x0380
 #define CMD_SIMULATE_TAG_ISO_14443B                                       0x0381
 #define CMD_SNOOP_ISO_14443B                                              0x0382
 #define CMD_SNOOP_ISO_14443a                                              0x0383
--- a/include/usb_cmd.h
+++ b/include/usb_cmd.h
@ -139,7 +139,7 @@ typedef struct{
 #define CMD_WR_HITAG_S													  0x0375
 #define CMD_EMU_HITAG_S													  0x0376

-
+#define CMD_ANTIFUZZ_ISO_14443a											  0x0380
 #define CMD_SIMULATE_TAG_ISO_14443B                                       0x0381
 #define CMD_SNOOP_ISO_14443B                                              0x0382