From 6950344567283501faff59a4733d7a0773154b67 Mon Sep 17 00:00:00 2001
From: Davi Mikael <31720422+penegui@users.noreply.github.com>
Date: Wed, 19 Apr 2023 01:39:18 -0300
Subject: [PATCH 1/3] Adjusting hf_msdsal standalone module
---
 armsrc/Standalone/hf_msdsal.c | 31 +++++++++++++++++++------------
 armsrc/iso14443a.c | 15 ++++++++++++++-
 2 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/armsrc/Standalone/hf_msdsal.c b/armsrc/Standalone/hf_msdsal.c
index 55c545489..64db3a446 100644
--- a/armsrc/Standalone/hf_msdsal.c
+++ b/armsrc/Standalone/hf_msdsal.c
@@ -168,7 +168,7 @@ void RunMod(void) {
 //Expiration date: 17/11
 //Service code: 201
 //Discretionary data: 0000030000991
- //char token[19] = {0x44,0x12,0x34,0x56,0x05,0x78,0x12,0x34,0xd1,0x71,0x12,0x01,0x00,0x00,0x03,0x00,0x00,0x99,0x1f};
+ //char token[19] = {0x44,0x12,0x34,0x56,0x05,0x78,0x56,0x78,0xd1,0x71,0x12,0x01,0x00,0x00,0x03,0x00,0x00,0x99,0x1f};
 //
 // It is possible to initialize directly the emulation mode, having "token" with data and set "chktoken" = true ;)
 //
@@ -185,11 +185,11 @@ void RunMod(void) {
 // in case there is a read command received we shouldn't break
 uint8_t data[PM3_CMD_DATA_SIZE] = {0x00};
- uint8_t visauid[7] = {0x01, 0x02, 0x03, 0x04};
+ uint8_t visauid[7] = {0x05, 0x06, 0x07, 0x08};
 memcpy(data, visauid, 4);
 // to initialize the emulation
- uint8_t tagType = 4; // 4 = ISO/IEC 14443-4 - javacard (JCOP)
+ uint8_t tagType = 11; // 11 = ISO/IEC 14443-4 - javacard (JCOP)
 tag_response_info_t *responses;
 uint32_t cuid = 0;
 uint32_t counters[3] = { 0x00, 0x00, 0x00 };
@@ -376,7 +376,8 @@ void RunMod(void) {
 // dynamic_response_info will be in charge of responses
 dynamic_response_info.response_n = 0;
-
+
+ //Dbprintf("receivedCmd: %02x\n", receivedCmd);
 // received a REQUEST
 if (receivedCmd[0] == ISO14443A_CMD_REQA && len == 1) {
 odd_reply = !odd_reply;
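Review bot: `uint8_t tagType = 11;` is a bare magic number that has to stay in sync with the `case 11:` this series adds to SimulateIso14443aInit, and its comment `// 11 = ISO/IEC 14443-4 - javacard (JCOP)` is word-for-word the description the removed line gave type 4, so a reader cannot tell why 11 is chosen over 4. Suggest a comment that names the difference, e.g. `uint8_t tagType = 11; // ISO/IEC 14443-4 javacard (JCOP) variant; the only 11-specific handling is the SAK masking in SimulateIso14443aInit`, or better a named constant shared with iso14443a.c. The same hunk keeps `uint8_t visauid[7]` while initializing and copying only 4 bytes; if a 4-byte UID is intended, `uint8_t visauid[4] = {0x05, 0x06, 0x07, 0x08};` would state that (pre-existing, but the line is being touched). RunMod begins and ends outside the hunk.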
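Review bot: The added `//Dbprintf("receivedCmd: %02x\n", receivedCmd);` in the @@ -376 hunk is commented-out code and, if it is ever re-enabled as written, passes the array `receivedCmd` itself to a `%02x` conversion rather than a byte, so it would print a pointer value through the wrong conversion type. Either drop the line, or leave something that is correct when uncommented: `Dbprintf("receivedCmd: %02x", receivedCmd[0]);`, or `Dbhexdump(len, receivedCmd, false);` which is how the file already dumps buffers. The if/else chain it precedes continues past the hunk.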
@@ -386,30 +387,35 @@ void RunMod(void) {
 // received a HALT
 } else if (receivedCmd[0] == ISO14443A_CMD_HALT && len == 4) {
-// DbpString(_YELLOW_("+") "Received a HALT");
+ //DbpString(_YELLOW_("+") "Received a HALT");
 p_response = NULL;
 // received a WAKEUP
 } else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) {
-// DbpString(_YELLOW_("+") "WAKEUP Received");
+ //DbpString(_YELLOW_("+") "WAKEUP Received");
 prevCmd = 0;
 p_response = &responses[RESP_INDEX_ATQA];
 // received request for UID (cascade 1)
 } else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) {
-// DbpString(_YELLOW_("+") "Request for UID C1");
- p_response = &responses[RESP_INDEX_UIDC1];
+ //DbpString(_YELLOW_("+") "Request for UID C1");
+ p_response = &responses[RESP_INDEX_UIDC1];
 // received a SELECT (cascade 1)
 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 9) {
-// DbpString(_YELLOW_("+") "Request for SELECT S1");
- p_response = &responses[RESP_INDEX_SAKC1];
+ //DbpString(_YELLOW_("+") "Request for SELECT S1");
+ p_response = &responses[RESP_INDEX_SAKC1];
 // received a RATS request
 } else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) {
-// DbpString(_YELLOW_("+") "Request for RATS");
+ DbpString(_YELLOW_("+") "Request for RATS");
 prevCmd = 0;
- p_response = &responses[RESP_INDEX_RATS];
+ //p_response = &responses[RESP_INDEX_RATS];
+
+ static uint8_t rRATS[] = { 0x13, 0x78, 0x80, 0x72, 0x02, 0x80, 0x31, 0x80, 0x66, 0xb1, 0x84, 0x0c, 0x01, 0x6e, 0x01, 0x83, 0x00, 0x90, 0x00 };
+
+ memcpy(&dynamic_response_info.response[0], rRATS, sizeof(rRATS));
+ dynamic_response_info.response_n = sizeof(rRATS);
 } else {
 DbpString(_YELLOW_("[ ") "Card reader command" _YELLOW_(" ]"));
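Review bot: The RATS branch now answers from a hard-coded `static uint8_t rRATS[]` copied into `dynamic_response_info` instead of `responses[RESP_INDEX_RATS]`, which every sibling branch still uses and which SimulateIso14443aInit prepares for the selected tagType; that leaves two sources of truth for the ATS plus a dead `//p_response = &responses[RESP_INDEX_RATS];` line. If the JCOP ATS has to differ, the cleaner place is the tagType 11 path in iso14443a.c so the precomputed table carries it; if the override must live here, make the table `static const uint8_t rRATS[]`, delete the commented-out line, and document the bytes (TL = 0x13 = 19, which matches sizeof(rRATS); T0 = 0x78 announces TA1/TB1/TC1 per ISO/IEC 14443-4; the rest are interface and historical bytes). Whether `dynamic_response_info.response` has room for these 19 bytes plus the CRC that is presumably appended further down cannot be seen from this hunk and is worth confirming. `DbpString(_YELLOW_("+") "Request for RATS")` is also the only one of the five debug prints left enabled; the emulation loop is timing-sensitive, so keep it commented like its siblings or guard it with `if (g_dbglevel >= DBG_DEBUG)`.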
@@ -483,6 +489,7 @@ void RunMod(void) {
 }
 }
 }
+
 if (dynamic_response_info.response_n > 0) {
 DbpString(_GREEN_("[ ") "Proxmark3 answer" _GREEN_(" ]"));
 Dbhexdump(dynamic_response_info.response_n, dynamic_response_info.response, false);
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 637215cc3..f38edd00d 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -1151,6 +1151,11 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_r
 sak = 0x20;
 }
 break;
+ case 11: { // ISO/IEC 14443-4 - javacard (JCOP)
+ rATQA[0] = 0x04;
+ sak = 0x20;
+ }
+ break;
 default: {
 if (g_dbglevel >= DBG_ERROR) Dbprintf("Error: unknown tagtype (%d)", tagType);
@@ -1183,7 +1188,15 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_r
 // Configure the ATQA and SAK accordingly
 rATQA[0] &= 0xBF;
- rSAKc1[0] = sak & 0xFB;
+
+ if(tagType == 11){
+ rSAKc1[0] = sak & 0xFC & 0X70;
+ DbpString(_YELLOW_("[ ") "Passando no Sak Penegui" _YELLOW_(" ]"));
+ }else{
+ rSAKc1[0] = sak & 0xFB;
+ //DbpString(_YELLOW_("[ ") "Passando no Sak Antigo" _YELLOW_(" ]"));
+ }
+
 AddCrc14A(rSAKc1, sizeof(rSAKc1) - 2);
 *cuid = bytes_to_num(data, 4);
From 757e53c6ac12fce80f4f11f6e89c4bedc88ee870 Mon Sep 17 00:00:00 2001
From: Davi Mikael <31720422+penegui@users.noreply.github.com>
Date: Wed, 24 May 2023 09:48:00 -0300
Subject: [PATCH 2/3] removing debug statement in iso14443a
---
 armsrc/iso14443a.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 741440a0a..b4730b62d 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
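Review bot: The new `case 11:` in the @@ -1151 hunk carries the comment `// ISO/IEC 14443-4 - javacard (JCOP)`, which is the same description hf_msdsal.c gave tagType 4 in the first hunk of this series, so the switch now has two JCOP entries with nothing explaining which one to pick. Say what distinguishes 11 — from what is visible here, only the SAK masking added later in this file — e.g. `case 11: { // ISO/IEC 14443-4 - javacard (JCOP), SAK left at 0x20 by the tagType-11 branch below; tagType 4 stays the default JCOP profile`. Any other tagType-dependent code in SimulateIso14443aInit (for instance whatever fills `responses[RESP_INDEX_RATS]`) lies outside the hunk and should be checked for a matching 11. The function begins and ends outside the hunk.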
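Review bot: In the @@ -1183 hunk the `tagType == 11` branch computes `sak & 0xFC & 0X70`, which for the `sak = 0x20` that case 11 assigns evaluates to 0x20 — exactly what the existing `sak & 0xFB` path yields for the same value — so the special case changes nothing while adding a second masking rule (this assumes `sak` is not modified between the switch and this point, which is outside the hunk). `0xFC & 0X70` also folds to `0x70`, so if a distinct rule is genuinely wanted write it as `rSAKc1[0] = sak & 0x70; // <reason the low bits must be cleared for JCOP>` with the reason filled in; otherwise drop the branch and restore the single `rSAKc1[0] = sak & 0xFB;` line. The same masks survive in PATCH 2/3's hunk @@ -1190 of this file. Minor: `0X70` with an uppercase X and `if(...){` / `}else{` without spaces depart from the `if (...) {` style used elsewhere in the file.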
@@ -1190,11 +1190,9 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_r
 rATQA[0] &= 0xBF;
 if(tagType == 11){
- rSAKc1[0] = sak & 0xFC & 0X70;
- DbpString(_YELLOW_("[ ") "Passando no Sak Penegui" _YELLOW_(" ]"));
+ rSAKc1[0] = sak & 0xFC & 0X70;
 }else{
- rSAKc1[0] = sak & 0xFB;
- //DbpString(_YELLOW_("[ ") "Passando no Sak Antigo" _YELLOW_(" ]"));
+ rSAKc1[0] = sak & 0xFB;
 }
 AddCrc14A(rSAKc1, sizeof(rSAKc1) - 2);
From 416abae4bb05d250401d102c15fde5eadecbedbb Mon Sep 17 00:00:00 2001
From: Davi Mikael <31720422+penegui@users.noreply.github.com>
Date: Wed, 24 May 2023 09:49:40 -0300
Subject: [PATCH 3/3] Changing token and uid of hf_msdsal
---
 armsrc/Standalone/hf_msdsal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/armsrc/Standalone/hf_msdsal.c b/armsrc/Standalone/hf_msdsal.c
index 64db3a446..b0d81ff79 100644
--- a/armsrc/Standalone/hf_msdsal.c
+++ b/armsrc/Standalone/hf_msdsal.c
@@ -168,7 +168,7 @@ void RunMod(void) {
 //Expiration date: 17/11
 //Service code: 201
 //Discretionary data: 0000030000991
- //char token[19] = {0x44,0x12,0x34,0x56,0x05,0x78,0x56,0x78,0xd1,0x71,0x12,0x01,0x00,0x00,0x03,0x00,0x00,0x99,0x1f};
+ //char token[19] = {0x44,0x12,0x34,0x56,0x05,0x78,0x12,0x34,0xd1,0x71,0x12,0x01,0x00,0x00,0x03,0x00,0x00,0x99,0x1f};
 //
 // It is possible to initialize directly the emulation mode, having "token" with data and set "chktoken" = true ;)
 //
@@ -185,7 +185,7 @@ void RunMod(void) {
 // in case there is a read command received we shouldn't break
 uint8_t data[PM3_CMD_DATA_SIZE] = {0x00};
- uint8_t visauid[7] = {0x05, 0x06, 0x07, 0x08};
+ uint8_t visauid[7] = {0x01, 0x02, 0x03, 0x04};
 memcpy(data, visauid, 4);
 // to initialize the emulation
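Review bot: The last hunk puts `visauid` back to the exact bytes PATCH 1/3 replaced (`{0x01, 0x02, 0x03, 0x04}`), and the hunk before it does the same for the commented-out `token` line, so across the three patches these two edits are a no-op that only adds churn to history. Squashing PATCH 1 and PATCH 3, or dropping the data changes from PATCH 1, would leave a series whose hf_msdsal.c diff shows only the intended `tagType` and RATS changes. RunMod begins and ends outside the hunk.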