github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-20 21:33:47 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

chg: 'hf iclass sim' even with sim2, the card should answer to reads of block0,1,2 and 5

Browse source
This commit is contained in:
iceman1001 2017-09-26 17:06:13 +02:00
commit 834a80dcc1
1 changed files with 63 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

95
armsrc/iclass.c
View file

@ -1180,6 +1180,12 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
uint8_t *resp_csn = BigBuf_malloc(30); uint8_t *resp_csn = BigBuf_malloc(30);
int resp_csn_len; int resp_csn_len;
// configuration picopass 2ks
uint8_t *resp_conf = BigBuf_malloc(20);
int resp_conf_len;
uint8_t conf_data[10] = {0x12,0xFF,0xFF,0xFF,0x7F,0x1F,0xFF,0x3C,0x00,0x00};
ComputeCrc14443(CRC_ICLASS, conf_data, 8, &conf_data[8], &conf_data[9]);
// e-Purse // e-Purse
// 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit) // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
uint8_t *resp_cc = BigBuf_malloc(20); uint8_t *resp_cc = BigBuf_malloc(20);
@ -1222,6 +1228,14 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
PrintToSendBuffer(); PrintToSendBuffer();
} }
// Configuration
CodeIClassTagAnswer(conf_data, sizeof(conf_data));
memcpy(resp_conf, ToSend, ToSendMax); resp_conf_len = ToSendMax;
if ( MF_DBGLEVEL == MF_DBG_EXTENDED) {
DbpString("Configuration");
PrintToSendBuffer();
}
// e-Purse // e-Purse
CodeIClassTagAnswer(card_challenge_data, sizeof(card_challenge_data)); CodeIClassTagAnswer(card_challenge_data, sizeof(card_challenge_data));
memcpy(resp_cc, ToSend, ToSendMax); resp_cc_len = ToSendMax; memcpy(resp_cc, ToSend, ToSendMax); resp_cc_len = ToSendMax;
@ -1229,6 +1243,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
DbpString("e-Purse"); DbpString("e-Purse");
PrintToSendBuffer(); PrintToSendBuffer();
} }
// Application Issuer Area // Application Issuer Area
CodeIClassTagAnswer(aia_data, sizeof(aia_data)); CodeIClassTagAnswer(aia_data, sizeof(aia_data));
memcpy(resp_aia, ToSend, ToSendMax); resp_aia_len = ToSendMax; memcpy(resp_aia, ToSend, ToSendMax); resp_aia_len = ToSendMax;
@ -1250,7 +1265,6 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
//SpinDelay(200); //SpinDelay(200);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
//SpinDelay(20);
StartCountSspClk(); StartCountSspClk();
@ -1267,25 +1281,24 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
WDT_HIT(); WDT_HIT();
response_delay = 1; response_delay = 1;
receivedCmd[0] = 0; receivedCmd[1] = 0; receivedCmd[2] = 0; receivedCmd[3] = 0; // receivedCmd[0] = 0; receivedCmd[1] = 0; receivedCmd[2] = 0; receivedCmd[3] = 0;
receivedCmd[4] = 0; receivedCmd[5] = 0; receivedCmd[6] = 0; receivedCmd[7] = 0; // receivedCmd[4] = 0; receivedCmd[5] = 0; receivedCmd[6] = 0; receivedCmd[7] = 0;
receivedCmd[8] = 0; receivedCmd[9] = 0; receivedCmd[10] = 0; receivedCmd[11] = 0; // receivedCmd[8] = 0; receivedCmd[9] = 0; receivedCmd[10] = 0; receivedCmd[11] = 0;
receivedCmd[12] = 0;receivedCmd[13] = 0;receivedCmd[14] = 0; receivedCmd[15] = 0; // receivedCmd[12] = 0;receivedCmd[13] = 0;receivedCmd[14] = 0; receivedCmd[15] = 0;
//Signal tracer, can be used to get a trigger for an oscilloscope.. //Signal tracer, can be used to get a trigger for an oscilloscope..
LED_B_OFF(); LED_C_OFF(); LED_B_OFF(); LED_C_OFF();
if (!GetIClassCommandFromReader(receivedCmd, &len, 100)) { if (!GetIClassCommandFromReader(receivedCmd, &len, 0)) {
buttonPressed = true; buttonPressed = true;
exitLoop = true; exitLoop = true;
continue; continue;
} }
r2t_time = GetCountSspClk(); r2t_time = GetCountSspClk();
//Signal tracer
LED_C_ON();
// Okay, look at the command now. LED_C_ON(); //Signal tracer
if (receivedCmd[0] == ICLASS_CMD_ACTALL ) { // 0x0A if (receivedCmd[0] == ICLASS_CMD_ACTALL ) { // 0x0A
// Reader in anticollission phase // Reader in anticollission phase
modulated_response = resp_sof; modulated_response_size = resp_sof_Len; //order = 1; modulated_response = resp_sof; modulated_response_size = resp_sof_Len; //order = 1;
@ -1296,14 +1309,12 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
modulated_response = resp_anticoll; modulated_response_size = resp_anticoll_len; //order = 2; modulated_response = resp_anticoll; modulated_response_size = resp_anticoll_len; //order = 2;
trace_data = anticoll_data; trace_data = anticoll_data;
trace_data_size = sizeof(anticoll_data); trace_data_size = sizeof(anticoll_data);
//DbpString("Reader requests anticollission CSN:");
} else if (receivedCmd[0] == ICLASS_CMD_SELECT) { // 0x81 } else if (receivedCmd[0] == ICLASS_CMD_SELECT) { // 0x81
// Reader selects anticollission CSN. // Reader selects anticollission CSN.
// Tag sends the corresponding real CSN // Tag sends the corresponding real CSN
modulated_response = resp_csn; modulated_response_size = resp_csn_len; //order = 3; modulated_response = resp_csn; modulated_response_size = resp_csn_len; //order = 3;
trace_data = csn_data; trace_data = csn_data;
trace_data_size = sizeof(csn_data); trace_data_size = sizeof(csn_data);
//DbpString("Reader selects anticollission CSN:");
} else if (receivedCmd[0] == ICLASS_CMD_READCHECK_KD) { // 0x88 } else if (receivedCmd[0] == ICLASS_CMD_READCHECK_KD) { // 0x88
// Read e-purse (88 02) // Read e-purse (88 02)
modulated_response = resp_cc; modulated_response_size = resp_cc_len; //order = 4; modulated_response = resp_cc; modulated_response_size = resp_cc_len; //order = 4;
@ -1312,7 +1323,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
LED_B_ON(); LED_B_ON();
} else if (receivedCmd[0] == ICLASS_CMD_CHECK) { // 0x05 } else if (receivedCmd[0] == ICLASS_CMD_CHECK) { // 0x05
// Reader random and reader MAC!!! // Reader random and reader MAC!!!
if(simulationMode == MODE_FULLSIM) { if (simulationMode == MODE_FULLSIM) {
//NR, from reader, is in receivedCmd +1 //NR, from reader, is in receivedCmd +1
opt_doTagMAC_2(cipher_state,receivedCmd+1,data_generic_trace,diversified_key); opt_doTagMAC_2(cipher_state,receivedCmd+1,data_generic_trace,diversified_key);
@ -1333,8 +1344,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
if (simulationMode == MODE_EXIT_AFTER_MAC) { if (simulationMode == MODE_EXIT_AFTER_MAC) {
// dbprintf:ing ... // dbprintf:ing ...
Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x" Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]);
,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x", len, Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x", len,
receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[0], receivedCmd[1], receivedCmd[2],
receivedCmd[3], receivedCmd[4], receivedCmd[5], receivedCmd[3], receivedCmd[4], receivedCmd[5],
@ -1352,18 +1362,33 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
modulated_response = resp_sof; modulated_response_size = 0; //order = 0; modulated_response = resp_sof; modulated_response_size = 0; //order = 0;
trace_data = NULL; trace_data = NULL;
trace_data_size = 0; trace_data_size = 0;
// sim 2 / 4,
// (iceman) Special case for testing in SIM 2 attack mode. } else if (simulationMode == MODE_EXIT_AFTER_MAC && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
// hence the ridiculous if statement.. (MY TESTING PURPOSES) // block0,1,2,5 is always readable.
} else if ( simulationMode == MODE_EXIT_AFTER_MAC && uint16_t blk = receivedCmd[1];
receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && switch (blk){
receivedCmd[1] == 0x05 && case 0: // csn (0c 00)
len == 4) { modulated_response = resp_csn; modulated_response_size = resp_csn_len;
// some readers likes the Application Issuer Area trace_data = csn_data;
// Read Application Issuer Area (0c 05) trace_data_size = sizeof(csn_data);
modulated_response = resp_aia; modulated_response_size = resp_aia_len; break;
trace_data = aia_data; case 1: // configuration (0c 01)
trace_data_size = sizeof(aia_data); modulated_response = resp_conf; modulated_response_size = resp_conf_len;
trace_data = conf_data;
trace_data_size = sizeof(conf_data);
break;
case 2: // e-purse (0c 02)
modulated_response = resp_cc; modulated_response_size = resp_cc_len;
trace_data = card_challenge_data;
trace_data_size = sizeof(card_challenge_data);
break;
case 5:// Application Issuer Area (0c 05)
modulated_response = resp_aia; modulated_response_size = resp_aia_len;
trace_data = aia_data;
trace_data_size = sizeof(aia_data);
break;
default: break;
}
} else if (simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){ } else if (simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
//Read block //Read block
@ -1378,7 +1403,8 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
memcpy(data_response, ToSend, ToSendMax); memcpy(data_response, ToSend, ToSendMax);
modulated_response = data_response; modulated_response = data_response;
modulated_response_size = ToSendMax; modulated_response_size = ToSendMax;
} else if (receivedCmd[0] == ICLASS_CMD_UPDATE && simulationMode == MODE_FULLSIM) { } else if (simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_UPDATE) {
//Probably the reader wants to update the nonce. Let's just ignore that for now. //Probably the reader wants to update the nonce. Let's just ignore that for now.
// OBS! If this is implemented, don't forget to regenerate the cipher_state // OBS! If this is implemented, don't forget to regenerate the cipher_state
//We're expected to respond with the data+crc, exactly what's already in the receivedcmd //We're expected to respond with the data+crc, exactly what's already in the receivedcmd
@ -1394,7 +1420,7 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
memcpy(data_response, ToSend, ToSendMax); memcpy(data_response, ToSend, ToSendMax);
modulated_response = data_response; modulated_response = data_response;
modulated_response_size = ToSendMax; modulated_response_size = ToSendMax;
} else if(receivedCmd[0] == ICLASS_CMD_PAGESEL) { // 0x84 // } else if(receivedCmd[0] == ICLASS_CMD_PAGESEL) { // 0x84
//Pagesel //Pagesel
//Pagesel enables to select a page in the selected chip memory and return its configuration block //Pagesel enables to select a page in the selected chip memory and return its configuration block
//Chips with a single page will not answer to this command //Chips with a single page will not answer to this command
@ -1404,11 +1430,14 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf) {
} else { } else {
//#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44 //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
// Never seen this command before // Never seen this command before
Dbprintf("Unhandled command received from reader (len %d) | %02x %02x %02x %02x %02x %02x %02x %02x %02x", if ( MF_DBGLEVEL == MF_DBG_EXTENDED) {
len, Dbprintf("Unhandled command received from reader (len %d) | %02x %02x %02x %02x %02x %02x %02x %02x %02x",
receivedCmd[0], receivedCmd[1], receivedCmd[2], len,
receivedCmd[3], receivedCmd[4], receivedCmd[5], receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3],
receivedCmd[6], receivedCmd[7], receivedCmd[8]); receivedCmd[4], receivedCmd[5], receivedCmd[6], receivedCmd[7], receivedCmd[8]
);
}
// Do not respond // Do not respond
modulated_response = resp_sof; modulated_response = resp_sof;
modulated_response_size = 0; //order = 0; modulated_response_size = 0; //order = 0;