github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-14 10:37:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

remove tabs

Browse source
This commit is contained in:
Philippe Teuwen 2019-07-24 00:52:24 +02:00
commit c0eb19acb1
19 changed files with 1480 additions and 1447 deletions
Download patch file Download diff file Expand all files Collapse all files

12
LICENSE.txt
View file

@ -1,13 +1,13 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
@ -57,7 +57,7 @@ patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
@ -256,7 +256,7 @@ make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
@ -278,4 +278,4 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
END OF TERMS AND CONDITIONS

2
armsrc/iso14443a.h
View file

@ -104,7 +104,7 @@ typedef struct {
#endif
#ifndef CheckCrc14A
# define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
# define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
#endif
void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *par);

86
armsrc/ldscript
View file

@ -11,57 +11,57 @@ INCLUDE ../common/ldscript.common
PHDRS
{
text PT_LOAD FLAGS(5);
data PT_LOAD;
bss PT_LOAD;
text PT_LOAD FLAGS(5);
data PT_LOAD;
bss PT_LOAD;
}
ENTRY(Vector)
SECTIONS
{
.start : {
*(.startos)
} >osimage :text
.start : {
*(.startos)
} >osimage :text
.text : {
KEEP(*(stage1_image))
*(.text)
*(.text.*)
*(.eh_frame)
*(.glue_7)
*(.glue_7t)
} >osimage :text
.text : {
KEEP(*(stage1_image))
*(.text)
*(.text.*)
*(.eh_frame)
*(.glue_7)
*(.glue_7t)
} >osimage :text
.rodata : {
*(.rodata)
*(.rodata.*)
*(fpga_all_bit.data)
KEEP(*(.version_information))
. = ALIGN(8);
} >osimage :text
.rodata : {
*(.rodata)
*(.rodata.*)
*(fpga_all_bit.data)
KEEP(*(.version_information))
. = ALIGN(8);
} >osimage :text
.data : {
KEEP(*(compressed_data))
*(.data)
*(.data.*)
*(.ramfunc)
. = ALIGN(4);
} >ram AT>osimage :data
.data : {
KEEP(*(compressed_data))
*(.data)
*(.data.*)
*(.ramfunc)
. = ALIGN(4);
} >ram AT>osimage :data
__data_src_start__ = LOADADDR(.data);
__data_start__ = ADDR(.data);
__data_end__ = __data_start__ + SIZEOF(.data);
__os_size__ = SIZEOF(.text) + SIZEOF(.data) + SIZEOF(.rodata);
.bss : {
__bss_start__ = .;
*(.bss)
*(.bss.*)
. = ALIGN(4);
__bss_end__ = .;
} >ram AT>ram :bss
__data_src_start__ = LOADADDR(.data);
__data_start__ = ADDR(.data);
__data_end__ = __data_start__ + SIZEOF(.data);
__os_size__ = SIZEOF(.text) + SIZEOF(.data) + SIZEOF(.rodata);
.bss : {
__bss_start__ = .;
*(.bss)
*(.bss.*)
. = ALIGN(4);
__bss_end__ = .;
} >ram AT>ram :bss
.commonarea (NOLOAD) : {
*(.commonarea)
} >commonarea :NONE
.commonarea (NOLOAD) : {
*(.commonarea)
} >commonarea :NONE
}

194
armsrc/mifaresim.c
View file

@ -42,30 +42,36 @@ static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t act
| ((sector_trailer[8] >> 7) & 0x01);
switch (action) {
case AC_KEYA_READ: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsTrailerAccessAllowed: AC_KEYA_READ");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsTrailerAccessAllowed: AC_KEYA_READ");
return false;
}
case AC_KEYA_WRITE: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsTrailerAccessAllowed: AC_KEYA_WRITE");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsTrailerAccessAllowed: AC_KEYA_WRITE");
return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
|| (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
}
case AC_KEYB_READ: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsTrailerAccessAllowed: AC_KEYB_READ");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsTrailerAccessAllowed: AC_KEYB_READ");
return (keytype == AUTHKEYA && (AC == 0x00 || AC == 0x02 || AC == 0x01));
}
case AC_KEYB_WRITE: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsTrailerAccessAllowed: AC_KEYB_WRITE");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsTrailerAccessAllowed: AC_KEYB_WRITE");
return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
|| (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
}
case AC_AC_READ: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsTrailerAccessAllowed: AC_AC_READ");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsTrailerAccessAllowed: AC_AC_READ");
return ((keytype == AUTHKEYA)
|| (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
}
case AC_AC_WRITE: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsTrailerAccessAllowed: AC_AC_WRITE");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsTrailerAccessAllowed: AC_AC_WRITE");
return ((keytype == AUTHKEYA && (AC == 0x01))
|| (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
}
@ -93,46 +99,54 @@ static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action
AC = ((sector_trailer[7] >> 2) & 0x04)
| ((sector_trailer[8] << 1) & 0x02)
| ((sector_trailer[8] >> 4) & 0x01);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsDataAccessAllowed: case 0x00 - %02x", AC);
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsDataAccessAllowed: case 0x00 - %02x", AC);
break;
}
case 0x01: {
AC = ((sector_trailer[7] >> 3) & 0x04)
| ((sector_trailer[8] >> 0) & 0x02)
| ((sector_trailer[8] >> 5) & 0x01);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsDataAccessAllowed: case 0x01 - %02x", AC);
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsDataAccessAllowed: case 0x01 - %02x", AC);
break;
}
case 0x02: {
AC = ((sector_trailer[7] >> 4) & 0x04)
| ((sector_trailer[8] >> 1) & 0x02)
| ((sector_trailer[8] >> 6) & 0x01);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsDataAccessAllowed: case 0x02 - %02x", AC);
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsDataAccessAllowed: case 0x02 - %02x", AC);
break;
}
default:
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsDataAccessAllowed: Error");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsDataAccessAllowed: Error");
return false;
}
switch (action) {
case AC_DATA_READ: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsDataAccessAllowed - AC_DATA_READ: OK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsDataAccessAllowed - AC_DATA_READ: OK");
return ((keytype == AUTHKEYA && !(AC == 0x03 || AC == 0x05 || AC == 0x07))
|| (keytype == AUTHKEYB && !(AC == 0x07)));
}
case AC_DATA_WRITE: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsDataAccessAllowed - AC_DATA_WRITE: OK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsDataAccessAllowed - AC_DATA_WRITE: OK");
return ((keytype == AUTHKEYA && (AC == 0x00))
|| (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
}
case AC_DATA_INC: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("IsDataAccessAllowed - AC_DATA_INC: OK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("IsDataAccessAllowed - AC_DATA_INC: OK");
return ((keytype == AUTHKEYA && (AC == 0x00))
|| (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
}
case AC_DATA_DEC_TRANS_REST: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("AC_DATA_DEC_TRANS_REST: OK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("AC_DATA_DEC_TRANS_REST: OK");
return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x06 || AC == 0x01))
|| (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
}
@ -160,25 +174,25 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
// SAK
static uint8_t rSAK_Mini = 0x09; // mifare Mini
static uint8_t rSAK_1k = 0x08; // mifare 1k
static uint8_t rSAK_2k = 0x08; // mifare 2k with RATS support
static uint8_t rSAK_4k = 0x18; // mifare 4k
static uint8_t rSAK_1k = 0x08; // mifare 1k
static uint8_t rSAK_2k = 0x08; // mifare 2k with RATS support
static uint8_t rSAK_4k = 0x18; // mifare 4k
static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
static uint8_t rUIDBCC1b4[] = {0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level, last 4 bytes
static uint8_t rUIDBCC1b3[] = {0x00, 0x00, 0x00}; // UID 1st cascade level, last 3 bytes
static uint8_t rUIDBCC1b2[] = {0x00, 0x00}; // UID 1st cascade level, last 2 bytes
static uint8_t rUIDBCC1b1[] = {0x00}; // UID 1st cascade level, last byte
static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
static uint8_t rUIDBCC2b4[] = {0x00, 0x00, 0x00, 0x00}; // UID 2st cascade level, last 4 bytes
static uint8_t rUIDBCC2b3[] = {0x00, 0x00, 0x00}; // UID 2st cascade level, last 3 bytes
static uint8_t rUIDBCC2b2[] = {0x00, 0x00}; // UID 2st cascade level, last 2 bytes
static uint8_t rUIDBCC2b1[] = {0x00}; // UID 2st cascade level, last byte
static uint8_t rUIDBCC3[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 3nd cascade level
static uint8_t rUIDBCC3b4[] = {0x00, 0x00, 0x00, 0x00}; // UID 3st cascade level, last 4 bytes
static uint8_t rUIDBCC3b3[] = {0x00, 0x00, 0x00}; // UID 3st cascade level, last 3 bytes
static uint8_t rUIDBCC3b2[] = {0x00, 0x00}; // UID 3st cascade level, last 2 bytes
static uint8_t rUIDBCC3b1[] = {0x00}; // UID 3st cascade level, last byte
static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
static uint8_t rUIDBCC1b4[] = {0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level, last 4 bytes
static uint8_t rUIDBCC1b3[] = {0x00, 0x00, 0x00}; // UID 1st cascade level, last 3 bytes
static uint8_t rUIDBCC1b2[] = {0x00, 0x00}; // UID 1st cascade level, last 2 bytes
static uint8_t rUIDBCC1b1[] = {0x00}; // UID 1st cascade level, last byte
static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
static uint8_t rUIDBCC2b4[] = {0x00, 0x00, 0x00, 0x00}; // UID 2st cascade level, last 4 bytes
static uint8_t rUIDBCC2b3[] = {0x00, 0x00, 0x00}; // UID 2st cascade level, last 3 bytes
static uint8_t rUIDBCC2b2[] = {0x00, 0x00}; // UID 2st cascade level, last 2 bytes
static uint8_t rUIDBCC2b1[] = {0x00}; // UID 2st cascade level, last byte
static uint8_t rUIDBCC3[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 3nd cascade level
static uint8_t rUIDBCC3b4[] = {0x00, 0x00, 0x00, 0x00}; // UID 3st cascade level, last 4 bytes
static uint8_t rUIDBCC3b3[] = {0x00, 0x00, 0x00}; // UID 3st cascade level, last 3 bytes
static uint8_t rUIDBCC3b2[] = {0x00, 0x00}; // UID 3st cascade level, last 2 bytes
static uint8_t rUIDBCC3b1[] = {0x00}; // UID 3st cascade level, last byte
static uint8_t rATQA[] = {0x00, 0x00}; // Current ATQA
static uint8_t rSAK[] = {0x00, 0x00, 0x00}; // Current SAK, CRC
@ -254,17 +268,18 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
}
// Prepare UID arrays
if ((flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) { // get UID from datain
if ((flags & FLAG_4B_UID_IN_DATA) == FLAG_4B_UID_IN_DATA) { // get UID from datain
memcpy(rUIDBCC1, datain, 4);
*uid_len = 4;
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("MifareSimInit - FLAG_4B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_4B_UID_IN_DATA, flags, rUIDBCC1);
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("MifareSimInit - FLAG_4B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_4B_UID_IN_DATA, flags, rUIDBCC1);
// save CUID
*cuid = bytes_to_num(rUIDBCC1, 4);
// BCC
rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
if (DBGLEVEL >= DBG_NONE) {
if (DBGLEVEL >= DBG_NONE) {
Dbprintf("4B UID: %02x%02x%02x%02x", rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
}
@ -275,7 +290,8 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
memcpy(&rUIDBCC1[1], datain, 3);
memcpy(rUIDBCC2, datain + 3, 4);
*uid_len = 7;
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("MifareSimInit - FLAG_7B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_7B_UID_IN_DATA, flags, rUIDBCC1);
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("MifareSimInit - FLAG_7B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_7B_UID_IN_DATA, flags, rUIDBCC1);
// save CUID
*cuid = bytes_to_num(rUIDBCC2, 4);
@ -284,7 +300,7 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
// BCC
rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
if (DBGLEVEL >= DBG_NONE) {
if (DBGLEVEL >= DBG_NONE) {
Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3]);
}
@ -297,7 +313,8 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
memcpy(&rUIDBCC2[1], datain + 3, 3);
memcpy(rUIDBCC3, datain + 6, 4);
*uid_len = 10;
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("MifareSimInit - FLAG_10B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_10B_UID_IN_DATA, flags, rUIDBCC1);
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("MifareSimInit - FLAG_10B_UID_IN_DATA => Get UID from datain: %02X - Flag: %02X - UIDBCC1: %02X", FLAG_10B_UID_IN_DATA, flags, rUIDBCC1);
// save CUID
*cuid = bytes_to_num(rUIDBCC3, 4);
@ -309,7 +326,7 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
rUIDBCC3[4] = rUIDBCC3[0] ^ rUIDBCC3[1] ^ rUIDBCC3[2] ^ rUIDBCC3[3];
if (DBGLEVEL >= DBG_NONE) {
if (DBGLEVEL >= DBG_NONE) {
Dbprintf("10B UID: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3],
@ -347,23 +364,23 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
#define TAG_RESPONSE_COUNT 18
static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
{ .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type
{ .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type
{ .response = rSAK, .response_n = sizeof(rSAK) }, //
{ .response = rSAKuid, .response_n = sizeof(rSAKuid) }, //
{ .response = rSAKuid, .response_n = sizeof(rSAKuid) }, //
// Do not reorder. Block used via relative index of rUIDBCC1
{ .response = rUIDBCC1, .response_n = sizeof(rUIDBCC1) }, // Anticollision cascade1 - respond with first part of uid
{ .response = rUIDBCC1, .response_n = sizeof(rUIDBCC1) }, // Anticollision cascade1 - respond with first part of uid
{ .response = rUIDBCC1b4, .response_n = sizeof(rUIDBCC1b4)},
{ .response = rUIDBCC1b3, .response_n = sizeof(rUIDBCC1b3)},
{ .response = rUIDBCC1b2, .response_n = sizeof(rUIDBCC1b2)},
{ .response = rUIDBCC1b1, .response_n = sizeof(rUIDBCC1b1)},
// Do not reorder. Block used via relative index of rUIDBCC2
{ .response = rUIDBCC2, .response_n = sizeof(rUIDBCC2) }, // Anticollision cascade2 - respond with 2nd part of uid
{ .response = rUIDBCC2, .response_n = sizeof(rUIDBCC2) }, // Anticollision cascade2 - respond with 2nd part of uid
{ .response = rUIDBCC2b4, .response_n = sizeof(rUIDBCC2b4)},
{ .response = rUIDBCC2b3, .response_n = sizeof(rUIDBCC2b3)},
{ .response = rUIDBCC2b2, .response_n = sizeof(rUIDBCC2b2)},
{ .response = rUIDBCC2b1, .response_n = sizeof(rUIDBCC2b1)},
// Do not reorder. Block used via relative index of rUIDBCC3
{ .response = rUIDBCC3, .response_n = sizeof(rUIDBCC3) }, // Anticollision cascade3 - respond with 3th part of uid
{ .response = rUIDBCC3, .response_n = sizeof(rUIDBCC3) }, // Anticollision cascade3 - respond with 3th part of uid
{ .response = rUIDBCC3b4, .response_n = sizeof(rUIDBCC3b4)},
{ .response = rUIDBCC3b3, .response_n = sizeof(rUIDBCC3b3)},
{ .response = rUIDBCC3b2, .response_n = sizeof(rUIDBCC3b2)},
@ -407,11 +424,11 @@ static bool MifareSimInit(uint16_t flags, uint8_t *datain, tag_response_info_t *
*MIFARE 1K simulate.
*
*@param flags :
* FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
* FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
* FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
* FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
* FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished
* FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
* FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished
* FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
*@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
* (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
*/
@ -421,7 +438,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
uint8_t uid_len = 0; // 4,7, 10
uint32_t cuid = 0;
int vHf = 0; // in mV
int vHf = 0; // in mV
uint32_t selTimer = 0;
uint32_t authTimer = 0;
@ -445,7 +462,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
struct Crypto1State *pcs;
pcs = &mpcs;
uint32_t numReads = 0; //Counts numer of times reader reads a block
uint32_t numReads = 0; //Counts numer of times reader reads a block
uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE] = {0x00};
uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
@ -467,11 +484,11 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
uint8_t ar_nr_collected[ATTACK_KEY_COUNT * 2]; //*2 for 2nd attack type (moebius)
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
uint8_t nonce1_count = 0;
uint8_t nonce2_count = 0;
uint8_t moebius_n_count = 0;
uint8_t nonce1_count = 0;
uint8_t nonce2_count = 0;
uint8_t moebius_n_count = 0;
bool gettingMoebius = false;
uint8_t mM = 0; //moebius_modifier for collection storage
uint8_t mM = 0; //moebius_modifier for collection storage
// Authenticate response - nonce
uint8_t rAUTH_NT[4];
@ -520,18 +537,21 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
if (res == 2) { //Field is off!
LEDsoff();
cardSTATE = MFEMUL_NOFIELD;
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("cardSTATE = MFEMUL_NOFIELD");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("cardSTATE = MFEMUL_NOFIELD");
continue;
} else if (res == 1) { // button pressed
button_pushed = true;
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("Button pressed");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("Button pressed");
break;
}
// WUPA in HALTED state or REQA or WUPA in any other state
if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
selTimer = GetTickCount();
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("EmSendPrecompiledCmd(&responses[ATQA]);");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("EmSendPrecompiledCmd(&responses[ATQA]);");
EmSendPrecompiledCmd(&responses[ATQA]);
// init crypto block
@ -550,12 +570,15 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
switch (cardSTATE) {
case MFEMUL_NOFIELD:
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("MFEMUL_NOFIELD");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("MFEMUL_NOFIELD");
case MFEMUL_HALTED:
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("MFEMUL_HALTED");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("MFEMUL_HALTED");
case MFEMUL_IDLE: {
LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("MFEMUL_IDLE");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("MFEMUL_IDLE");
break;
}
@ -649,7 +672,8 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
// WORK
case MFEMUL_WORK: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] Enter in case");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_WORK] Enter in case");
if (receivedCmd_len == 0) {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] NO CMD received");
@ -799,20 +823,20 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
if (IsSectorTrailer(blockNo)) {
if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_KEYA_READ)) {
memset(response, 0x00, 6); // keyA can never be read
memset(response, 0x00, 6); // keyA can never be read
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK - IsSectorTrailer] keyA can never be read - block %d (0x%02x)", blockNo, blockNo);
}
if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_KEYB_READ)) {
memset(response + 10, 0x00, 6); // keyB cannot be read
memset(response + 10, 0x00, 6); // keyB cannot be read
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK - IsSectorTrailer] keyB cannot be read - block %d (0x%02x)", blockNo, blockNo);
}
if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_AC_READ)) {
memset(response + 6, 0x00, 4); // AC bits cannot be read
memset(response + 6, 0x00, 4); // AC bits cannot be read
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK - IsAccessAllowed] AC bits cannot be read - block %d (0x%02x)", blockNo, blockNo);
}
} else {
if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_DATA_READ)) {
memset(response, 0x00, 16); // datablock cannot be read
memset(response, 0x00, 16); // datablock cannot be read
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK - IsAccessAllowed] Data block %d (0x%02x) cannot be read", blockNo, blockNo);
}
}
@ -898,7 +922,8 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
LED_C_OFF();
cardSTATE = MFEMUL_HALTED;
cardAUTHKEY = AUTHKEYNONE;
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] cardSTATE = MFEMUL_HALTED");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_WORK] cardSTATE = MFEMUL_HALTED");
break;
}
@ -911,10 +936,12 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
EmSendCmdPar(response, rats_len, response_par);
} else
EmSendCmd(rats, rats_len);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] RCV RATS => ACK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_WORK] RCV RATS => ACK");
} else {
EmSend4bit(encrypted_data ? mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA) : CARD_NACK_NA);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] RCV RATS => NACK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_WORK] RCV RATS => NACK");
}
break;
}
@ -929,28 +956,33 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
EmSendCmdPar(response, receivedCmd_len, response_par);
} else
EmSendCmd(receivedCmd_dec, receivedCmd_len);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => ACK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => ACK");
} else {
EmSend4bit(encrypted_data ? mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA) : CARD_NACK_NA);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => NACK");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_WORK] RCV NXP DESELECT => NACK");
}
break;
}
// case MFEMUL_WORK => command not allowed
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("Received command not allowed, nacking");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("Received command not allowed, nacking");
EmSend4bit(encrypted_data ? mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA) : CARD_NACK_NA);
break;
}
// AUTH1
case MFEMUL_AUTH1: {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_AUTH1] Enter case");
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("[MFEMUL_AUTH1] Enter case");
if (receivedCmd_len != 8) {
cardSTATE_TO_IDLE();
LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("MFEMUL_AUTH1: receivedCmd_len != 8 (%d) => cardSTATE_TO_IDLE())", receivedCmd_len);
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("MFEMUL_AUTH1: receivedCmd_len != 8 (%d) => cardSTATE_TO_IDLE())", receivedCmd_len);
break;
}
@ -1034,7 +1066,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
, prng_successor(nonce, 64)
);
}
cardAUTHKEY = AUTHKEYNONE; // not authenticated
cardAUTHKEY = AUTHKEYNONE; // not authenticated
cardSTATE_TO_IDLE();
// Really tags not respond NACK on invalid authentication
LogTrace(uart->output, uart->len, uart->startTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->endTime * 16 - DELAY_AIR2ARM_AS_TAG, uart->parity, true);
@ -1067,21 +1099,21 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
if (IsSectorTrailer(cardWRBL)) {
emlGetMem(response, cardWRBL, 1);
if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE)) {
memcpy(receivedCmd_dec, response, 6); // don't change KeyA
memcpy(receivedCmd_dec, response, 6); // don't change KeyA
}
if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE)) {
memcpy(receivedCmd_dec + 10, response + 10, 6); // don't change KeyA
memcpy(receivedCmd_dec + 10, response + 10, 6); // don't change KeyA
}
if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE)) {
memcpy(receivedCmd_dec + 6, response + 6, 4); // don't change AC bits
memcpy(receivedCmd_dec + 6, response + 6, 4); // don't change AC bits
}
} else {
if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE)) {
memcpy(receivedCmd_dec, response, 16); // don't change anything
memcpy(receivedCmd_dec, response, 16); // don't change anything
}
}
emlSetMem(receivedCmd_dec, cardWRBL, 1);
EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); // always ACK?
EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); // always ACK?
cardSTATE = MFEMUL_WORK;
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("[MFEMUL_WRITEBL2] cardSTATE = MFEMUL_WORK");
break;
@ -1152,7 +1184,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
// NR AR ATTACK
if (((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) && (DBGLEVEL >= DBG_INFO)) {
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
if (ar_nr_collected[i] == 2) {
Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i < ATTACK_KEY_COUNT / 2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
@ -1167,7 +1199,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
}
}
for (uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT * 2; i++) {
for (uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT * 2; i++) {
if (ar_nr_collected[i] == 2) {
Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i < ATTACK_KEY_COUNT / 2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
@ -1182,7 +1214,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain) {
}
}
if (DBGLEVEL >= DBG_ERROR) {
if (DBGLEVEL >= DBG_ERROR) {
Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
}

4
armsrc/mifaresim.h
View file

@ -16,7 +16,7 @@
#include <stdint.h>
#ifndef CheckCrc14A
# define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
# define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
#endif
void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain);
@ -24,7 +24,7 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain);
#define AC_DATA_READ 0
#define AC_DATA_WRITE 1
#define AC_DATA_INC 2
#define AC_DATA_DEC_TRANS_REST 3
#define AC_DATA_DEC_TRANS_REST 3
#define AC_KEYA_READ 0
#define AC_KEYA_WRITE 1
#define AC_KEYB_READ 2

2
armsrc/mifaresniff.c
View file

@ -11,7 +11,7 @@
#include "mifaresniff.h"
#ifndef CheckCrc14A
# define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
# define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
#endif
//static int sniffState = SNF_INIT;

6
armsrc/mifareutil.c
View file

@ -602,10 +602,12 @@ void emlClearMem(void) {
uint8_t SectorTrailer(uint8_t blockNo) {
if (blockNo <= MIFARE_2K_MAXBLOCK) {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("Sector Trailer for block %d : %d", blockNo, (blockNo | 0x03));
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("Sector Trailer for block %d : %d", blockNo, (blockNo | 0x03));
return (blockNo | 0x03);
} else {
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("Sector Trailer for block %d : %d", blockNo, (blockNo | 0x0f));
if (DBGLEVEL >= DBG_EXTENDED)
Dbprintf("Sector Trailer for block %d : %d", blockNo, (blockNo | 0x0f));
return (blockNo | 0x0f);
}
}

2
client/cmdlfem4x.c
View file

@ -243,7 +243,7 @@ void printEM410x(uint32_t hi, uint64_t id) {
if (!id && !hi) return;
PrintAndLogEx(SUCCESS, "EM410x%s pattern found", (hi) ? " XL " : "");
PrintAndLogEx(SUCCESS, "EM410x%s pattern found", (hi) ? " XL" : "");
uint64_t n = 1;
uint64_t id2lo = 0;

2
client/cmdsmartcard.h
View file

@ -25,7 +25,7 @@
#include "emv/emvcore.h" // decodeTVL
#include "emv/apduinfo.h" // APDUcode description
#include "emv/dump.h" // dump_buffer
#include "crypto/libpcrypto.h" // sha512hash
#include "crypto/libpcrypto.h" // sha512hash
int CmdSmartcard(const char *Cmd);

29
client/default_keys_dic2lua.awk
View file

@ -1,24 +1,23 @@
BEGIN {
print "--[["
print "These are default_keys dictionary"
print "This file is automatically generated from default_keys.h - DON'T EDIT MANUALLY."
print "--]]"
print "local _keys = {"
print "--[["
print "These are default_keys dictionary"
print "This file is automatically generated from default_keys.h - DON'T EDIT MANUALLY."
print "--]]"
print "local _keys = {"
}
$1 ~ /^[A-Fa-f0-9]+/ { sub(/\r/, ""); print " '"substr($1,1,12)"'," }
END {
print "}"
print "---"
print "-- The keys above have just been pasted in, for completeness sake. They contain duplicates. "
print "-- We need to weed the duplicates out before we expose the list to someone who actually wants to use them"
print "-- @param list a list to do 'uniq' on"
print ""
print "local function uniq(list)"
print "}"
print "---"
print "-- The keys above have just been pasted in, for completeness sake. They contain duplicates. "
print "-- We need to weed the duplicates out before we expose the list to someone who actually wants to use them"
print "-- @param list a list to do 'uniq' on"
print ""
print " local foobar = {}"
print "local function uniq(list)"
print ""
print " local foobar = {}"
print " for _, value in pairs(list) do"
print " value = value:lower()"
print " if not foobar[value] then"
@ -29,4 +28,4 @@ END {
print " return foobar"
print "end"
print "return uniq(_keys)"
}
}

22
client/deprecated-hid-flasher/unbind-proxmark
View file

@ -1,16 +1,16 @@
#!/bin/sh
for i in /sys/bus/usb/devices/*; do
if grep "9ac4" "${i}/idVendor" >/dev/null 2>&1; then
echo "Found Proxmark..."
dev=`basename "${i}"`
if grep "9ac4" "${i}/idVendor" >/dev/null 2>&1; then
echo "Found Proxmark..."
dev=`basename "${i}"`
for j in /sys/bus/usb/drivers/usbhid/*; do
if basename "${j}"|grep "^${dev}" >/dev/null; then
bound="`basename "${j}"`"
echo "Unbinding ${bound}..."
echo -n "${bound}" >/sys/bus/usb/drivers/usbhid/unbind
fi
done
fi
for j in /sys/bus/usb/drivers/usbhid/*; do
if basename "${j}"|grep "^${dev}" >/dev/null; then
bound="`basename "${j}"`"
echo "Unbinding ${bound}..."
echo -n "${bound}" >/sys/bus/usb/drivers/usbhid/unbind
fi
done
fi
done

2
client/loclass/loclass_information.txt
View file

@ -4,7 +4,7 @@ iclass_dump.bin
===============
The file iclass_dump.bin contains CSN's mac results from 128 CSNs.
Hence when running the test mode,
'hf iclass loclass t'
'hf iclass loclass t'
it shows a long output from the bruteforce test.
iclass_key.bin

4
client/scripts/ndef_dump.lua
View file

@ -239,9 +239,9 @@ local function main( args)
for k,v in ipairs(blockData) do
-- print(string.format('Block %02x: %02x %02x %02x %02x', k-1, string.byte(v, 1,4)))
print(string.format(' %02x | %s', k-1, v) )
print(string.format(' %02x | %s', k-1, v) )
end
print('|---|-------------------|')
print('|---|-------------------|')
local filename, err = utils.WriteDumpFile(info.uid, blockData)
if err then return oops(err) end

10
client/scripts/read_pwd_mem.lua
View file

@ -82,11 +82,11 @@ local function main(args)
-- num of bytes to read
if o == 'l' then
length = tonumber(a)
if length < 0 or length > 256 then
return oops('Error: Length is not valid. Must be less than 256')
end
end
length = tonumber(a)
if length < 0 or length > 256 then
return oops('Error: Length is not valid. Must be less than 256')
end
end
-- keylength
if o == 'k' then keylength = tonumber(a); usedkey = true end

98
doc/bt_manual_v10.md
View file

@ -2,14 +2,14 @@
### Bluetooth / Battery add-on 'Blue Shark'
_rev. v1.0 (draft)_
### 1. FEATURES
### 1. FEATURES
* Built-in Bluetooth 2.0 with EDR Bluetooth module, default baud rate 115200.
* Built-in 400 mAh polymer lithium-ion battery, typical standby time up to 3.5 hours.
* Additional heat dissipating fins can significantly reduce the temperature when the HF antenna is in operation for a long time.
* Complete lithium charging management system, seamless switching power supply. Full overcharge and overdischarge protection.
* Bluetooth has an independent power switch that can be turned on or off.
* It's compact and easy to carry. The clamp structure is easy to install and replace.
* Built-in Bluetooth 2.0 with EDR Bluetooth module, default baud rate 115200.
* Built-in 400 mAh polymer lithium-ion battery, typical standby time up to 3.5 hours.
* Additional heat dissipating fins can significantly reduce the temperature when the HF antenna is in operation for a long time.
* Complete lithium charging management system, seamless switching power supply. Full overcharge and overdischarge protection.
* Bluetooth has an independent power switch that can be turned on or off.
* It's compact and easy to carry. The clamp structure is easy to install and replace.
It can easily connect to Bluetooth mobile phone, portable computer, etc. Without USB cable, complicated permissions or driver settings.
@ -17,35 +17,35 @@ It can easily connect to Bluetooth mobile phone, portable computer, etc. Without
Built-in battery can support standalone mode, off-line sniffing, off-line reading & simulation, etc. The temperature of the device is stable.
### 2. PARAMETERS
### 2. PARAMETERS
* Battery capacity: 400 mAh
* Standby time: 3.5h @ StandBy; 2.9h @ LF-On; 50min @ HF-On;
* Charging Current: 200mA (Plug in USB Default Charging)
* Charging time: 2.5h
* Num of charges: 400 -> 70% capacity (standard LIPO)
* Bluetooth power: 4dBm, -85 dBm @ 2Mbps
* Bluetooth distance: 6m (depending on the environment and device orientation)
* Size and weight: 54.4mm * 29.4mm * 13.5mm 24g
* Battery capacity: 400 mAh
* Standby time: 3.5h @ StandBy; 2.9h @ LF-On; 50min @ HF-On;
* Charging Current: 200mA (Plug in USB Default Charging)
* Charging time: 2.5h
* Num of charges: 400 -> 70% capacity (standard LIPO)
* Bluetooth power: 4dBm, -85 dBm @ 2Mbps
* Bluetooth distance: 6m (depending on the environment and device orientation)
* Size and weight: 54.4mm * 29.4mm * 13.5mm 24g
### 3. ASSEMBLY STEPS
### 3. ASSEMBLY STEPS
* Unplug your Proxmark3 RDV4.0 device from any usb cable.
* Remove the plastic upper case of Proxmark3 RDV4.0 with opener.
* Remove temporarily the antenna with a H5 (Hex/Allen) screwdriver to expose the FPC interface.<p>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/FPC-Interface.png" alt="Image of blue shark add-on fpc interface" width="300"></p>
* Turn off all power switches, insert the FPC wire into the FPC connector, and lock the FPC connector.<p>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/FPC-Connected.png" alt="Image of blue shark add-on fpc wire" width="300"></p>
* Tear off the blue film of heat conductive double-sided tape. Align the add-on to the hole positions and gently insert it into the case.<p>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/Blue-Film.png" alt="Image of blue shark add-on blue film location" width="300"></p>
* Assembly finished!
* Unplug your Proxmark3 RDV4.0 device from any usb cable.
* Remove the plastic upper case of Proxmark3 RDV4.0 with opener.
* Remove temporarily the antenna with a H5 (Hex/Allen) screwdriver to expose the FPC interface.<p>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/FPC-Interface.png" alt="Image of blue shark add-on fpc interface" width="300"></p>
* Turn off all power switches, insert the FPC wire into the FPC connector, and lock the FPC connector.<p>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/FPC-Connected.png" alt="Image of blue shark add-on fpc wire" width="300"></p>
* Tear off the blue film of heat conductive double-sided tape. Align the add-on to the hole positions and gently insert it into the case.<p>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/Blue-Film.png" alt="Image of blue shark add-on blue film location" width="300"></p>
* Assembly finished!
<p align='center'>
<img src="http://www.icedev.se/proxmark3/blueshark/addon_open_1.jpg" alt="Image of blue shark add-on open fit" width="300"><img src="http://www.icedev.se/proxmark3/blueshark/addon_fitted_1.jpg" alt="Image of blue shark add-on fitted" width="300">
</p>
### 4. COMPILATION / FLASHING
### 4. COMPILATION / FLASHING
#### From Source
@ -69,7 +69,7 @@ From the [homebrew-proxmark3 readme](https://github.com/RfidResearchGroup/homebr
1. `brew tap rfidresearchgroup/proxmark3`
2. `brew install --with-blueshark proxmark3`
### 5. CONNECT WITH BLUETOOTH
### 5. CONNECT WITH BLUETOOTH
You can have both USB cable connect and BT active at the same time and connect to either serial port.
You can also switch serial port from inside the proxmark3 client using the new command `hw connect`.
@ -82,30 +82,30 @@ You can also switch serial port from inside the proxmark3 client using the new c
#### Windows
#### (1) Connecting your RDV4.0 with Bluetooth on mobile phone or computer
* Open Bluetooth and search for a device named PM3_RDV4.0.
* Enter the paired password 1234 and establish the connection.
* The blue state LED on the add-on will keep blinking after the connection is established. Only when the mobile phone or computer opens the correct COM port, the blue LED turns on solid, indicating that the connection is successful.
#### (1) Connecting your RDV4.0 with Bluetooth on mobile phone or computer
* Open Bluetooth and search for a device named PM3_RDV4.0.
* Enter the paired password 1234 and establish the connection.
* The blue state LED on the add-on will keep blinking after the connection is established. Only when the mobile phone or computer opens the correct COM port, the blue LED turns on solid, indicating that the connection is successful.
#### (2) Fast connection using dedicated USB Bluetooth adapter under Windows
#### (2) Fast connection using dedicated USB Bluetooth adapter under Windows
<p align='center'>
<img src="http://www.icedev.se/proxmark3/blueshark/addon_hc06_dongle_1.jpg" alt="Image of blue shark add-on HC-06 white dongle" width="300"></p>
* Install driver:
* Install driver:
http://www.silabs.com/products/development-tools/software/usb-to-uart-bridge-vcp-drivers
* Insert the adapter into the USB port. The adapter will search automatically and establish the connection. The adapter will remember the device that was first connected and after that the same device will be connected.
* The adapter button can be used to delete memory so that other add-on can be searched and connected.<p align='center'>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/Button.png" alt="Image of blue shark add-on HC-06 white dongle button" width="200">
* After the connection is established, the blue state LED on add-on will turn on solid.
* look for _CP2104 USB tp UART bridge controller_ under devices in order to get the assigned serial port
* Insert the adapter into the USB port. The adapter will search automatically and establish the connection. The adapter will remember the device that was first connected and after that the same device will be connected.
* The adapter button can be used to delete memory so that other add-on can be searched and connected.<p align='center'>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/Button.png" alt="Image of blue shark add-on HC-06 white dongle button" width="200">
* After the connection is established, the blue state LED on add-on will turn on solid.
* look for _CP2104 USB tp UART bridge controller_ under devices in order to get the assigned serial port
#### Linux
#### (1) Connecting rdv4.0 with Bluetooth on Linux computer
1. Find the MAC address of the Bluetooth add-on, named PM3_RDV4.0.
```sh
sudo hcitool scan
Scanning ...
@ -161,8 +161,8 @@ be connected.
2. The adapter button can be used to delete memory so that other add-on
can be searched and connected.<p align='center'>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/Button.png" alt="Image of blue shark add-on HC-06 white dongle button" width="200">
</p>
<img src="https://sneaktechnology.com/wp-content/uploads/2019/06/Button.png" alt="Image of blue shark add-on HC-06 white dongle button" width="200">
</p>
3. After the connection is established, the blue state LED on add-on will
turn on solid.
@ -195,22 +195,22 @@ After reboot you can go ahead to pairing your Proxmark3 RDV4 Blue Shark:
```
### 6. OTHER NOTES
### 6. OTHER NOTES
#### (1) UART and LED behavior
#### (1) UART and LED behavior
Bluetooth is connected to Proxmark3 RDV4.0 via UART. The USB and UART interfaces of RDV4.0 can coexist without conflict, and no special switching is required.
The following link has helpful notes on UART usage and baud rates:
https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/uart_notes.md
#### (2) Disassembly
#### (2) Disassembly
There is a heat conductive double-sided tape inside the add-on, which has strong adhesive force. Therefore, if add-on needs to be removed, it needs to be pulled out from the heat sink end with greater efforts. Each disassembly will reduce the viscidity of double-sided tape. When double-sided tape is well protected, it will not affect the second use. Thermal conductivity will be slightly worse and will therefore have a direct impact on the thermal performance of the heat sink.
#### (3) Battery charging
#### (3) Battery charging
The battery charging circuit is turned on by default. Any time a USB cable is inserted, the battery will be automatically charged. The red LED will remain bright when charging.
The red LED will be extinguished when charging is completed.
#### (4) Get better signals
For the better heat dissipation, we have used a cast metal enclosure for the add-on. As a result Bluetooth wireless signals are sacrificed. For example, if the back of add-on is facing the Bluetooth host, the signal is very bad and the distance will be reduced. The best signal strength can be obtained when the front glass faces the Bluetooth host.
If the Proxmark3 is not responding, it may be due to a poor Bluetooth connection. To improve performance, try repositioning the Proxmark3 so the glass face is directed toward the host.
#### (4) Get better signals
For the better heat dissipation, we have used a cast metal enclosure for the add-on. As a result Bluetooth wireless signals are sacrificed. For example, if the back of add-on is facing the Bluetooth host, the signal is very bad and the distance will be reduced. The best signal strength can be obtained when the front glass faces the Bluetooth host.
If the Proxmark3 is not responding, it may be due to a poor Bluetooth connection. To improve performance, try repositioning the Proxmark3 so the glass face is directed toward the host.

2374
include/at91sam7s512.h
View file

File diff suppressed because it is too large Load diff

14
include/pm3_cmd.h
View file

@ -146,13 +146,13 @@ typedef struct {
} t55xx_config;
/*typedef struct {
uint16_t start_gap [4];
uint16_t write_gap [4];
uint16_t write_0 [4];
uint16_t write_1 [4];
uint16_t write_2 [4];
uint16_t write_3 [4];
uint16_t read_gap [4];
uint16_t start_gap [4];
uint16_t write_gap [4];
uint16_t write_0 [4];
uint16_t write_1 [4];
uint16_t write_2 [4];
uint16_t write_3 [4];
uint16_t read_gap [4];
} t55xx_config;
*/
typedef struct {

24
tools/jtag_openocd/chip-at91sam7s.cfg
View file

@ -7,18 +7,18 @@ jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x3f0f0f0
target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu
sam7x.cpu configure -event reset-init {
soft_reset_halt
mww 0xfffffd00 0xa5000004 # RSTC_CR: Reset peripherals
mww 0xfffffd44 0x00008000 # WDT_MR: disable watchdog
mww 0xfffffd08 0xa5000001 # RSTC_MR enable user reset
mww 0xfffffc20 0x00005001 # CKGR_MOR : enable the main oscillator
sleep 10
mww 0xfffffc2c 0x000b1c02 # CKGR_PLLR: 16MHz * 12/2 = 96MHz
sleep 10
mww 0xfffffc30 0x00000007 # PMC_MCKR : MCK = PLL / 2 = 48 MHz
sleep 10
mww 0xffffff60 0x00480100 # MC_FMR: flash mode (FWS=1,FMCN=72)
sleep 100
soft_reset_halt
mww 0xfffffd00 0xa5000004 # RSTC_CR: Reset peripherals
mww 0xfffffd44 0x00008000 # WDT_MR: disable watchdog
mww 0xfffffd08 0xa5000001 # RSTC_MR enable user reset
mww 0xfffffc20 0x00005001 # CKGR_MOR : enable the main oscillator
sleep 10
mww 0xfffffc2c 0x000b1c02 # CKGR_PLLR: 16MHz * 12/2 = 96MHz
sleep 10
mww 0xfffffc30 0x00000007 # PMC_MCKR : MCK = PLL / 2 = 48 MHz
sleep 10
mww 0xffffff60 0x00480100 # MC_FMR: flash mode (FWS=1,FMCN=72)
sleep 100
}
gdb_memory_map enable

40
tools/mfkey/example_trace.txt
View file

@ -35,25 +35,25 @@
New functionality from @zhovner,
-----------------------------------------------------------------------------------------------------
### Communication decryption
RDR 26
TAG 04 00
RDR 93 20
TAG 14 57 9f 69 b5
RDR 93 70 14 57 9f 69 b5 2e 51
TAG 08 b6 dd
RDR 60 14 50 2d
TAG ce 84 42 61
RDR f8 04 9c cb 05 25 c8 4f
TAG 94 31 cc 40
RDR 70 93 df 99
TAG 99 72 42 8c e2 e8 52 3f 45 6b 99 c8 31 e7 69 dc ed 09
RDR 8c a6 82 7b
TAG ab 79 7f d3 69 e8 b9 3a 86 77 6b 40 da e3 ef 68 6e fd
RDR c3 c3 81 ba
TAG 49 e2 c9 de f4 86 8d 17 77 67 0e 58 4c 27 23 02 86 f4
RDR fb dc d7 c1
TAG 4a bd 96 4b 07 d3 56 3a a0 66 ed 0a 2e ac 7f 63 12 bf
RDR 9f 91 49 ea
RDR 26
TAG 04 00
RDR 93 20
TAG 14 57 9f 69 b5
RDR 93 70 14 57 9f 69 b5 2e 51
TAG 08 b6 dd
RDR 60 14 50 2d
TAG ce 84 42 61
RDR f8 04 9c cb 05 25 c8 4f
TAG 94 31 cc 40
RDR 70 93 df 99
TAG 99 72 42 8c e2 e8 52 3f 45 6b 99 c8 31 e7 69 dc ed 09
RDR 8c a6 82 7b
TAG ab 79 7f d3 69 e8 b9 3a 86 77 6b 40 da e3 ef 68 6e fd
RDR c3 c3 81 ba
TAG 49 e2 c9 de f4 86 8d 17 77 67 0e 58 4c 27 23 02 86 f4
RDR fb dc d7 c1
TAG 4a bd 96 4b 07 d3 56 3a a0 66 ed 0a 2e ac 7f 63 12 bf
RDR 9f 91 49 ea
./mfkey64 14579f69 ce844261 f8049ccb 0525c84f 9431cc40 7093df99 9972428ce2e8523f456b99c831e769dced09 8ca6827b ab797fd369e8b93a86776b40dae3ef686efd c3c381ba 49e2c9def4868d1777670e584c27230286f4 fbdcd7c1 4abd964b07d3563aa066ed0a2eac7f6312bf 9f9149ea
@ -93,4 +93,4 @@ Decrypted communication:
{dec7}: 0000000000007e178869000000000000c4f2
{dec8}: 61148834
Found Key: [091e639cb715]
Found Key: [091e639cb715]