From be82f9f01832d12709101a516d788b765974ace5 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 18 Jan 2018 14:11:22 +0100 Subject: [PATCH] DEL: 'hf mf sniff' - since it is very similar to 'hf 14a sniff' , I removed this command. The desired functionality will become a new 'hf list mf' option in the future. --- armsrc/Makefile | 3 +- armsrc/appmain.c | 2 +- armsrc/apps.h | 2 +- armsrc/iso14443a.c | 196 +++----------------------- armsrc/iso14443a.h | 10 +- armsrc/mifaresniff.c | 324 ++++++++++++++++++++++++++++++------------- armsrc/mifaresniff.h | 21 +-- client/cmdhfmf.c | 2 +- client/cmdhfmf.h | 2 +- client/mifarehost.c | 13 +- 10 files changed, 279 insertions(+), 296 deletions(-) diff --git a/armsrc/Makefile b/armsrc/Makefile index 85e4a8777..de607faf8 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -45,7 +45,8 @@ SRC_LCD = fonts.c LCD.c SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c SRC_ISO15693 = iso15693.c iso15693tools.c #SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c mifaresim.c -SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c +#SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c mifaresniff.c +SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c epa.c SRC_ISO14443b = iso14443b.c SRC_FELICA = felica.c SRC_CRAPTO1 = crypto1.c des.c aes.c desfire_key.c desfire_crypto.c mifaredesfire.c diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 33feb430a..64036b139 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -886,7 +886,7 @@ void UsbPacketReceived(uint8_t *packet, int len) { break; // mifare sniffer case CMD_MIFARE_SNIFFER: - SniffMifare(c->arg[0]); + //SniffMifare(c->arg[0]); break; case CMD_MIFARE_SETMOD: MifareSetMod(c->arg[0], c->d.asBytes); diff --git a/armsrc/apps.h b/armsrc/apps.h index a966f4bcf..ef2181d8e 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -162,7 +162,7 @@ void OnErrorMagic(uint8_t reason); int32_t dist_nt(uint32_t nt1, uint32_t nt2); void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ); -void RAMFUNC SniffMifare(uint8_t param); +//void RAMFUNC SniffMifare(uint8_t param); //desfire void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain); diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 4f6509312..15a6a122c 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -11,14 +11,14 @@ //----------------------------------------------------------------------------- #include "iso14443a.h" -static uint32_t iso14a_timeout; #define MAX_ISO14A_TIMEOUT 524288 +static uint32_t iso14a_timeout; int rsamples = 0; + uint8_t trigger = 0; // the block number for the ISO14443-4 PCB static uint8_t iso14_pcb_blocknum = 0; - static uint8_t* free_buffer_pointer; // @@ -187,7 +187,11 @@ const bool Mod_Miller_LUT[] = { #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4]) #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)]) -void UartReset() { +tUart* GetUart() { + return &Uart; +} + +void UartReset(void) { Uart.state = STATE_UNSYNCD; Uart.bitCount = 0; Uart.len = 0; // number of decoded data bytes @@ -208,7 +212,7 @@ void UartInit(uint8_t *data, uint8_t *parity) { } // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time -static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) { +RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) { Uart.fourBits = (Uart.fourBits << 8) | bit; if (Uart.state == STATE_UNSYNCD) { // not yet synced @@ -343,7 +347,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) { // 8 ticks modulated: A collision. Save the collision position and treat as Sequence D // Note 1: the bitstream may start at any time. We therefore need to sync. // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only) -static tDemod Demod; +tDemod Demod; // Lookup-Table to decide if 4 raw bits are a modulation. // We accept three or four "1" in any position @@ -355,7 +359,10 @@ const bool Mod_Manchester_LUT[] = { #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4]) #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)]) -void DemodReset() { +tDemod* GetDemod() { + return &Demod; +} +void DemodReset(void) { Demod.state = DEMOD_UNSYNCD; Demod.len = 0; // number of decoded data bytes Demod.parityLen = 0; @@ -378,7 +385,7 @@ void DemodInit(uint8_t *data, uint8_t *parity) { } // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time -static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) { +RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) { Demod.twoBits = (Demod.twoBits << 8) | bit; if (Demod.state == DEMOD_UNSYNCD) { @@ -496,8 +503,8 @@ void RAMFUNC SniffIso14443a(uint8_t param) { uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE); // The response (tag -> reader) that we're receiving. - uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE); - uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE); + uint8_t *receivedResp = BigBuf_malloc(MAX_FRAME_SIZE); + uint8_t *receivedRespPar = BigBuf_malloc(MAX_PARITY_SIZE); // The DMA buffer, used to stream samples from the FPGA uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); @@ -510,7 +517,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) { bool ReaderIsActive = false; // Set up the demodulator for tag -> reader responses. - DemodInit(receivedResponse, receivedResponsePar); + DemodInit(receivedResp, receivedRespPar); // Set up the demodulator for the reader -> tag commands UartInit(receivedCmd, receivedCmdPar); @@ -547,7 +554,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) { if (dataLen > maxDataLen) { maxDataLen = dataLen; if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) { - Dbprintf("blew circular buffer! dataLen=%d", dataLen); + Dbprintf("[!] blew circular buffer! | datalen %u", dataLen); break; } } @@ -557,7 +564,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) { if (!AT91C_BASE_PDC_SSC->PDC_RCR) { AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf; AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE; - Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary + Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary } // secondary buffer sets as primary, secondary buffer was stopped if (!AT91C_BASE_PDC_SSC->PDC_RNCR) { @@ -602,7 +609,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) { if (ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) { LED_B_ON(); - if (!LogTrace(receivedResponse, + if (!LogTrace(receivedResp, Demod.len, Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, @@ -3366,166 +3373,3 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * LEDsoff(); set_tracing(false); } - -//----------------------------------------------------------------------------- -// MIFARE sniffer. -// -// if no activity for 2sec, it sends the collected data to the client. -//----------------------------------------------------------------------------- -// "hf mf sniff" -void RAMFUNC SniffMifare(uint8_t param) { - // param: - // bit 0 - trigger from first card answer - // bit 1 - trigger from first reader 7-bit request - - // C(red) A(yellow) B(green) - LEDsoff(); - iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER); - - // Allocate memory from BigBuf for some buffers - // free all previous allocations first - BigBuf_free(); BigBuf_Clear_ext(false); - clear_trace(); - set_tracing(true); - - // The command (reader -> tag) that we're receiving. - uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00}; - uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00}; - - // The response (tag -> reader) that we're receiving. - uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE] = {0x00}; - uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE] = {0x00}; - - // allocate the DMA buffer, used to stream samples from the FPGA - uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); - uint8_t *data = dmaBuf; - uint8_t previous_data = 0; - int maxDataLen = 0; - int dataLen = 0; - bool ReaderIsActive = false; - bool TagIsActive = false; - - // Set up the demodulator for tag -> reader responses. - DemodInit(receivedResponse, receivedResponsePar); - - // Set up the demodulator for the reader -> tag commands - UartInit(receivedCmd, receivedCmdPar); - - // Setup and start DMA. - // set transfer address and number of bytes. Start transfer. - if ( !FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE) ){ - if (MF_DBGLEVEL > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting"); - return; - } - - // Signal field is off with the appropriate LED - LED_D_OFF(); - - MfSniffInit(); - - uint32_t sniffCounter = 0; - // loop and listen - while (!BUTTON_PRESS()) { - WDT_HIT(); - LED_A_ON(); - - if ((sniffCounter & 0xFFFF) == 0) { // from time to time - // check if a transaction is completed (timeout after 2000ms). - // if yes, stop the DMA transfer and send what we have so far to the client - if (MfSniffSend(2000)) { - // Reset everything - we missed some sniffed data anyway while the DMA was stopped - sniffCounter = 0; - dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); - data = dmaBuf; - maxDataLen = 0; - ReaderIsActive = false; - TagIsActive = false; - - // Setup and start DMA. set transfer address and number of bytes. Start transfer. - if ( !FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE) ){ - if (MF_DBGLEVEL > 1) DbpString("[!] FpgaSetupSscDma failed. Exiting"); - return; - } - } - } - - // number of bytes we have processed so far - int register readBufDataP = data - dmaBuf; - // number of bytes already transferred - int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; - - if (readBufDataP <= dmaBufDataP) // we are processing the same block of data which is currently being transferred - dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed - else - dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed - - // test for length of buffer - if (dataLen > maxDataLen) { // we are more behind than ever... - maxDataLen = dataLen; - if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) { - Dbprintf("[!] blew circular buffer! | datalen %u", dataLen); - break; - } - } - if (dataLen < 1) continue; - - // primary buffer was stopped ( <-- we lost data! - if (!AT91C_BASE_PDC_SSC->PDC_RCR) { - AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf; - AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE; - Dbprintf("[-] RxEmpty ERROR | data length %u", dataLen); // temporary - } - // secondary buffer sets as primary, secondary buffer was stopped - if (!AT91C_BASE_PDC_SSC->PDC_RNCR) { - AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf; - AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; - } - - LED_A_OFF(); - - // Need two samples to feed Miller and Manchester-Decoder - if (sniffCounter & 0x01) { - - // no need to try decoding tag data if the reader is sending - if (!TagIsActive) { - uint8_t readerbyte = (previous_data & 0xF0) | (*data >> 4); - if (MillerDecoding(readerbyte, (sniffCounter-1)*4)) { - LED_B_ON(); - LED_C_OFF(); - MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true); - DemodReset(); - UartReset(); - } - ReaderIsActive = (Uart.state != STATE_UNSYNCD); - TagIsActive = !ReaderIsActive; - } - - // no need to try decoding tag data if the reader is sending - if (!ReaderIsActive) { - uint8_t tagbyte = (previous_data << 4) | (*data & 0x0F); - if (ManchesterDecoding(tagbyte, 0, (sniffCounter-1)*4)) { - LED_B_OFF(); - LED_C_ON(); - MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false); - DemodReset(); - UartReset(); - } - TagIsActive = (Demod.state != DEMOD_UNSYNCD); - ReaderIsActive = !TagIsActive; - } - } - previous_data = *data; - sniffCounter++; - data++; - - if (data == dmaBuf + DMA_BUFFER_SIZE) - data = dmaBuf; - - } // main cycle - - if (MF_DBGLEVEL >= 1) - Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len); - - MfSniffEnd(); - switch_off(); -} diff --git a/armsrc/iso14443a.h b/armsrc/iso14443a.h index edaf402cf..83b7ae479 100644 --- a/armsrc/iso14443a.h +++ b/armsrc/iso14443a.h @@ -87,7 +87,15 @@ typedef struct { extern void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *par); extern void AppendCrc14443a(uint8_t *data, int len); -// iso14443a.h +extern tDemod* GetDemod(void); +extern void DemodReset(void); +extern void DemodInit(uint8_t *data, uint8_t *parity); +extern tUart* GetUart(void); +extern void UartReset(void); +extern void UartInit(uint8_t *data, uint8_t *parity); +extern RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time); +extern RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time); + extern void RAMFUNC SniffIso14443a(uint8_t param); extern void SimulateIso14443aTag(int tagType, int flags, uint8_t *data); extern void ReaderIso14443a(UsbCommand *c); diff --git a/armsrc/mifaresniff.c b/armsrc/mifaresniff.c index e1b0fb39d..3e6255354 100644 --- a/armsrc/mifaresniff.c +++ b/armsrc/mifaresniff.c @@ -10,7 +10,7 @@ #include "mifaresniff.h" -static int sniffState = SNF_INIT; +//static int sniffState = SNF_INIT; static uint8_t sniffUIDType = 0; static uint8_t sniffUID[10] = {0,0,0,0,0,0,0,0,0,0}; static uint8_t sniffATQA[2] = {0,0}; @@ -18,12 +18,170 @@ static uint8_t sniffSAK = 0; static uint8_t sniffBuf[17]; static uint32_t timerData = 0; +//----------------------------------------------------------------------------- +// MIFARE sniffer. +// +// if no activity for 2sec, it sends the collected data to the client. +//----------------------------------------------------------------------------- +// "hf mf sniff" +void RAMFUNC SniffMifare(uint8_t param) { + // param: + // bit 0 - trigger from first card answer + // bit 1 - trigger from first reader 7-bit request + + // C(red) A(yellow) B(green) + LEDsoff(); + iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER); + + // Allocate memory from BigBuf for some buffers + // free all previous allocations first + BigBuf_free(); BigBuf_Clear_ext(false); + clear_trace(); + set_tracing(true); + + // The command (reader -> tag) that we're receiving. + uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00}; + uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00}; + + // The response (tag -> reader) that we're receiving. + uint8_t receivedResp[MAX_MIFARE_FRAME_SIZE] = {0x00}; + uint8_t receivedRespPar[MAX_MIFARE_PARITY_SIZE] = {0x00}; + + // allocate the DMA buffer, used to stream samples from the FPGA + uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); + uint8_t *data = dmaBuf; + uint8_t previous_data = 0; + int maxDataLen = 0; + int dataLen = 0; + bool ReaderIsActive = false; + bool TagIsActive = false; + + // We won't start recording the frames that we acquire until we trigger; + // a good trigger condition to get started is probably when we see a + // response from the tag. + // triggered == false -- to wait first for card + //bool triggered = !(param & 0x03); + + + // Set up the demodulator for tag -> reader responses. + DemodInit(receivedResp, receivedRespPar); + + // Set up the demodulator for the reader -> tag commands + UartInit(receivedCmd, receivedCmdPar); + + // Setup and start DMA. + // set transfer address and number of bytes. Start transfer. + if ( !FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE) ){ + if (MF_DBGLEVEL > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting"); + return; + } + + tUart* uart = GetUart(); + tDemod* demod = GetDemod(); + + MfSniffInit(); + + uint32_t sniffCounter = 0; + // loop and listen + while (!BUTTON_PRESS()) { + WDT_HIT(); + LED_A_ON(); +/* + if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time + // check if a transaction is completed (timeout after 2000ms). + // if yes, stop the DMA transfer and send what we have so far to the client + if (BigBuf_get_traceLen()) { + MfSniffSend(); + // Reset everything - we missed some sniffed data anyway while the DMA was stopped + sniffCounter = 0; + dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); + data = dmaBuf; + maxDataLen = 0; + ReaderIsActive = false; + TagIsActive = false; + FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer. + } + } + */ + + // number of bytes we have processed so far + int register readBufDataP = data - dmaBuf; + // number of bytes already transferred + int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; + if (readBufDataP <= dmaBufDataP) // we are processing the same block of data which is currently being transferred + dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed + else + dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed + + // test for length of buffer + if (dataLen > maxDataLen) { // we are more behind than ever... + maxDataLen = dataLen; + if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) { + Dbprintf("[!] blew circular buffer! | datalen %u", dataLen); + break; + } + } + if (dataLen < 1) continue; + + // primary buffer was stopped ( <-- we lost data! + if (!AT91C_BASE_PDC_SSC->PDC_RCR) { + AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf; + AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE; + Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary + } + // secondary buffer sets as primary, secondary buffer was stopped + if (!AT91C_BASE_PDC_SSC->PDC_RNCR) { + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf; + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; + } + + LED_A_OFF(); + + // Need two samples to feed Miller and Manchester-Decoder + if (sniffCounter & 0x01) { + + // no need to try decoding tag data if the reader is sending + if (!TagIsActive) { + uint8_t readerbyte = (previous_data & 0xF0) | (*data >> 4); + if (MillerDecoding(readerbyte, (sniffCounter-1)*4)) { + LogTrace(receivedCmd, uart->len, 0, 0, NULL, true); + DemodReset(); + UartReset(); + } + ReaderIsActive = (uart->state != STATE_UNSYNCD); + } + + // no need to try decoding tag data if the reader is sending + if (!ReaderIsActive) { + uint8_t tagbyte = (previous_data << 4) | (*data & 0x0F); + if (ManchesterDecoding(tagbyte, 0, (sniffCounter-1)*4)) { + LogTrace(receivedResp, demod->len, 0, 0, NULL, false); + DemodReset(); + UartReset(); + } + TagIsActive = (demod->state != DEMOD_UNSYNCD); + } + } + previous_data = *data; + sniffCounter++; + data++; + + if (data == dmaBuf + DMA_BUFFER_SIZE) + data = dmaBuf; + + } // main cycle + + MfSniffEnd(); + switch_off(); +} + void MfSniffInit(void){ memset(sniffUID, 0x00, sizeof(sniffUID)); memset(sniffATQA, 0x00, sizeof(sniffATQA)); memset(sniffBuf, 0x00, sizeof(sniffBuf)); sniffSAK = 0; sniffUIDType = SNF_UID_4; + timerData = 0; } void MfSniffEnd(void){ @@ -32,6 +190,7 @@ void MfSniffEnd(void){ LED_B_OFF(); } +/* bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) { // reset on 7-Bit commands from reader @@ -39,91 +198,88 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui sniffState = SNF_INIT; } + + switch (sniffState) { case SNF_INIT:{ - // REQA or WUPA from reader + // REQA,WUPA or MAGICWUP from reader if ((len == 1) && (reader) && (bitCnt == 7) ) { MfSniffInit(); - sniffState = SNF_WUPREQ; + sniffState = (data[0] == MIFARE_MAGICWUPC1) ? SNF_MAGIC_WUPC2 : SNF_ATQA; } break; } - case SNF_WUPREQ:{ - // ATQA from tag - if ((!reader) && (len == 2)) { - sniffATQA[0] = data[0]; - sniffATQA[1] = data[1]; - sniffState = SNF_ATQA; + case SNF_MAGIC_WUPC2: { + if ((len == 1) && (reader) && (data[0] == MIFARE_MAGICWUPC2) ) { + sniffState = SNF_CARD_IDLE; } break; } case SNF_ATQA:{ - // Select ALL from reader - if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) - sniffState = SNF_ANTICOL1; - break; - } - case SNF_ANTICOL1:{ - // UID from tag (CL1) - if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { - memcpy(sniffUID, data, 4); - sniffState = SNF_UID1; + // ATQA from tag + if ((!reader) && (len == 2)) { + sniffATQA[0] = data[0]; + sniffATQA[1] = data[1]; + sniffState = SNF_UID; } break; } - case SNF_UID1:{ - // Select 4 Byte UID from reader - if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) + case SNF_UID: { + + if ( !reader ) break; + if ( len != 9 ) break; + if ( !CheckCrc14443(CRC_14443_A, data, 9)) break; + if ( data[1] != 0x70 ) break; + + Dbprintf("[!] UID | %x", data[0]); + + if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT)) { + // UID_4 - select 4 Byte UID from reader + memcpy(sniffUID, data+2, 4); + sniffUIDType = SNF_UID_4; sniffState = SNF_SAK; - break; - } - case SNF_SAK:{ - if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card? - sniffSAK = data[0]; - if (sniffUID[0] == 0x88) // CL2/3 UID part to be expected - sniffState = (sniffState == SNF_ANTICOL2 ) ? SNF_ANTICOL3 : SNF_ANTICOL2; - else // select completed - sniffState = SNF_CARD_IDLE; - } - break; - } - case SNF_ANTICOL2:{ - // CL2 UID - if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { + } else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2)) { + // UID_7 - Select 2nd part of 7 Byte UID + + // get rid of 0x88 sniffUID[0] = sniffUID[1]; sniffUID[1] = sniffUID[2]; sniffUID[2] = sniffUID[3]; - memcpy(sniffUID+3, data, 4); + //new uid bytes + memcpy(sniffUID+3, data+2, 4); sniffUIDType = SNF_UID_7; - sniffState = SNF_UID2; - } - break; - } - case SNF_UID2:{ - // Select 2nd part of 7 Byte UID - if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) - sniffState = SNF_SAK; - break; - } - case SNF_ANTICOL3:{ - // CL3 UID - if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { + sniffState = SNF_SAK; + } else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3)) { + // UID_10 - Select 3nd part of 10 Byte UID // 3+3+4 = 10. + // get ride of previous 0x88 sniffUID[3] = sniffUID[4]; sniffUID[4] = sniffUID[5]; sniffUID[5] = sniffUID[6]; - memcpy(sniffUID+6, data, 4); + // new uid bytes + memcpy(sniffUID+6, data+2, 4); sniffUIDType = SNF_UID_10; - sniffState = SNF_UID3; + sniffState = SNF_SAK; } break; } - case SNF_UID3:{ - // Select 3nd part of 10 Byte UID - if ((reader) && (len == 9) && (data[0] == 0x97) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) - sniffState = SNF_SAK; + case SNF_SAK:{ + // SAK from card? + if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { + sniffSAK = data[0]; + // CL2 UID part to be expected + if (( sniffSAK == 0x04) && (sniffUIDType == SNF_UID_4)) { + sniffState = SNF_UID; + // CL3 UID part to be expected + } else if ((sniffSAK == 0x04) && (sniffUIDType == SNF_UID_7)) { + sniffState = SNF_UID; + } else { + // select completed + sniffState = SNF_CARD_IDLE; + } + } break; - } + } case SNF_CARD_IDLE:{ // trace the card select sequence sniffBuf[0] = 0xFF; sniffBuf[1] = 0xFF; @@ -133,56 +289,36 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui sniffBuf[15] = 0xFF; sniffBuf[16] = 0xFF; LogTrace(sniffBuf, sizeof(sniffBuf), 0, 0, NULL, true); - } // intentionally no break; - case SNF_CARD_CMD:{ - LogTrace(data, len, 0, 0, NULL, true); - sniffState = SNF_CARD_RESP; - timerData = GetTickCount(); - break; - } - case SNF_CARD_RESP:{ - LogTrace(data, len, 0, 0, NULL, false); sniffState = SNF_CARD_CMD; + } // intentionally no break; + case SNF_CARD_CMD:{ + LogTrace(data, len, 0, 0, NULL, reader); timerData = GetTickCount(); break; - } + } default: sniffState = SNF_INIT; break; } return false; } +*/ -bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) { - if (BigBuf_get_traceLen() && (GetTickCount() > timerData + maxTimeoutMs)) { - return intMfSniffSend(); - } - return false; -} - -// internal sending function. not a RAMFUNC. -bool intMfSniffSend() { - - int pckSize = 0; - int pckLen = BigBuf_get_traceLen(); - int pckNum = 0; - uint8_t *data = BigBuf_get_addr(); +void RAMFUNC MfSniffSend() { + uint16_t tracelen = BigBuf_get_traceLen(); + uint16_t chunksize = 0; + int packlen = tracelen; // total number of bytes to send + uint8_t *data = BigBuf_get_addr(); - FpgaDisableSscDma(); - - while (pckLen > 0) { - pckSize = MIN(USB_CMD_DATA_SIZE, pckLen); + while (packlen > 0) { LED_B_ON(); - cmd_send(CMD_ACK, 1, BigBuf_get_traceLen(), pckSize, data + BigBuf_get_traceLen() - pckLen, pckSize); + chunksize = MIN(USB_CMD_DATA_SIZE, packlen); // chunk size 512 + cmd_send(CMD_ACK, 1, tracelen, chunksize, data + tracelen - packlen, chunksize); + packlen -= chunksize; LED_B_OFF(); - pckLen -= pckSize; - pckNum++; } LED_B_ON(); - cmd_send(CMD_ACK,2,0,0,0,0); // 2 == data transfer is finished. + cmd_send(CMD_ACK, 2, 0, 0, 0, 0); // 2 == data transfer finished. LED_B_OFF(); - - clear_trace(); - return true; -} +} \ No newline at end of file diff --git a/armsrc/mifaresniff.h b/armsrc/mifaresniff.h index 42e5d4d00..537fa2941 100644 --- a/armsrc/mifaresniff.h +++ b/armsrc/mifaresniff.h @@ -23,18 +23,12 @@ #define SNF_INIT 0 #define SNF_NO_FIELD 1 -#define SNF_WUPREQ 2 -#define SNF_ATQA 3 -#define SNF_ANTICOL1 4 -#define SNF_UID1 5 -#define SNF_ANTICOL2 6 -#define SNF_UID2 7 -#define SNF_ANTICOL3 8 -#define SNF_UID3 9 -#define SNF_SAK 10 -#define SNF_CARD_IDLE 11 -#define SNF_CARD_CMD 12 -#define SNF_CARD_RESP 13 +#define SNF_ATQA 2 +#define SNF_UID 3 +#define SNF_SAK 4 +#define SNF_CARD_IDLE 5 +#define SNF_CARD_CMD 6 +#define SNF_MAGIC_WUPC2 7 #define SNF_UID_4 0 #define SNF_UID_7 0 @@ -42,8 +36,7 @@ void MfSniffInit(void); bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader); -bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs); -bool intMfSniffSend(); +void RAMFUNC MfSniffSend(void); void MfSniffEnd(void); #endif \ No newline at end of file diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 9e91a609b..60b657388 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -2913,7 +2913,7 @@ static command_t CommandTable[] = { {"nested", CmdHF14AMfNested, 0, "Nested attack. Test nested authentication"}, {"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"}, {"keybrute", CmdHF14AMfKeyBrute, 0, "J_Run's 2nd phase of multiple sector nested authentication key recovery"}, - {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"}, +// {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"}, {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"}, {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"}, {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"}, diff --git a/client/cmdhfmf.h b/client/cmdhfmf.h index 1c1df9c26..390cfaef9 100644 --- a/client/cmdhfmf.h +++ b/client/cmdhfmf.h @@ -46,7 +46,7 @@ extern int CmdHF14AMfChk(const char* cmd); extern int CmdHF14AMifare(const char* cmd); extern int CmdHF14AMfNested(const char* cmd); extern int CmdHF14AMfNestedHard(const char *Cmd); -extern int CmdHF14AMfSniff(const char* cmd); +//extern int CmdHF14AMfSniff(const char* cmd); extern int CmdHF14AMf1kSim(const char* cmd); extern int CmdHF14AMfKeyBrute(const char *Cmd); extern int CmdHF14AMfEClear(const char* cmd); diff --git a/client/mifarehost.c b/client/mifarehost.c index 890ab7e06..8c2c75b55 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -697,26 +697,25 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) { } // READ - if ((len ==4) && ((data[0] == ISO14443A_CMD_READBLOCK))) { + if ((len == 4) && ((data[0] == ISO14443A_CMD_READBLOCK))) { traceState = TRACE_READ_DATA; traceCurBlock = data[1]; return 0; } // WRITE - if ((len ==4) && ((data[0] == ISO14443A_CMD_WRITEBLOCK))) { + if ((len == 4) && ((data[0] == ISO14443A_CMD_WRITEBLOCK))) { traceState = TRACE_WRITE_OK; traceCurBlock = data[1]; return 0; } // HALT - if ((len ==4) && ((data[0] == ISO14443A_CMD_HALT) && (data[1] == 0x00))) { + if ((len == 4) && ((data[0] == ISO14443A_CMD_HALT) && (data[1] == 0x00))) { traceState = TRACE_ERROR; // do not decrypt the next commands return 0; } return 0; - break; case TRACE_READ_DATA: if (len == 18) { @@ -812,10 +811,12 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) { // set cryptosystem state traceCrypto1 = lfsr_recovery64(ks2, ks3); - return 0; + } else { + printf("[!] nested key recovery not implemented!\n"); + at_enc = bytes_to_num(data, 4); + crypto1_destroy(traceCrypto1); traceState = TRACE_ERROR; - return 1; } break; default: