The 14a sim had a wrong size check: it used the size of the iRATs pointer instead of the actual buffer length. The only way around it was to add the length as a parameter at the function call.

iceman1001 2024-11-15 13:27:39 +01:00
commit d398576fc7
7 changed files with 57 additions and 28 deletions


@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Fixed wrong size check in MifareSim (@iceman1001)
- Fixed `hf mf sim` not to respond to authentication attempts for sectors out of bound for selected Mifare type (@piotrva)
- Added option to build against non-default python3 with CMake as well (@doegox)
- Added option to build against non-default python3 with Makefile (@ANTodorov)


@ -252,7 +252,7 @@ void RunMod(void) {
FLAG_SET_UID_IN_DATA(flags, 7);
Dbprintf("Starting simulation, press " _GREEN_("pm3 button") " to stop and go back to search state.");
SimulateIso14443aTag(7, flags, card.uid, 0, NULL);
SimulateIso14443aTag(7, flags, card.uid, 0, NULL, 0);
// Go back to search state if user presses pm3-button
state = STATE_SEARCH;


@ -89,22 +89,22 @@ void RunMod(void) {
Dbprintf("Starting simulation, press " _GREEN_("pm3 button") " to stop and go back to search state.");
if (card.sak == 0x08 && card.atqa[0] == 0x04 && card.atqa[1] == 0) {
DbpString("Mifare Classic 1k");
SimulateIso14443aTag(1, flags, card.uid, 0, NULL);
SimulateIso14443aTag(1, flags, card.uid, 0, NULL, 0);
} else if (card.sak == 0x08 && card.atqa[0] == 0x44 && card.atqa[1] == 0) {
DbpString("Mifare Classic 4k ");
SimulateIso14443aTag(8, flags, card.uid, 0, NULL);
SimulateIso14443aTag(8, flags, card.uid, 0, NULL, 0);
} else if (card.sak == 0x00 && card.atqa[0] == 0x44 && card.atqa[1] == 0) {
DbpString("Mifare Ultralight");
SimulateIso14443aTag(2, flags, card.uid, 0, NULL);
SimulateIso14443aTag(2, flags, card.uid, 0, NULL, 0);
} else if (card.sak == 0x20 && card.atqa[0] == 0x04 && card.atqa[1] == 0x03) {
DbpString("Mifare DESFire");
SimulateIso14443aTag(3, flags, card.uid, 0, NULL);
SimulateIso14443aTag(3, flags, card.uid, 0, NULL, 0);
} else if (card.sak == 0x20 && card.atqa[0] == 0x44 && card.atqa[1] == 0x03) {
DbpString("Mifare DESFire Ev1/Plus/JCOP");
SimulateIso14443aTag(3, flags, card.uid, 0, NULL);
SimulateIso14443aTag(3, flags, card.uid, 0, NULL, 0);
} else {
Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
SimulateIso14443aTag(1, flags, card.uid, 0, NULL);
SimulateIso14443aTag(1, flags, card.uid, 0, NULL, 0);
}
// Go back to search state if user presses pm3-button


@ -253,25 +253,25 @@ void RunMod(void) {
if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0) {
DbpString("Mifare Classic 1k");
SimulateIso14443aTag(1, flags, data, 0, NULL);
SimulateIso14443aTag(1, flags, data, 0, NULL, 0);
} else if (uids[selected].sak == 0x18 && uids[selected].atqa[0] == 0x02 && uids[selected].atqa[1] == 0) {
DbpString("Mifare Classic 4k (4b uid)");
SimulateIso14443aTag(8, flags, data, 0, NULL);
SimulateIso14443aTag(8, flags, data, 0, NULL, 0);
} else if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
DbpString("Mifare Classic 4k (7b uid)");
SimulateIso14443aTag(8, flags, data, 0, NULL);
SimulateIso14443aTag(8, flags, data, 0, NULL, 0);
} else if (uids[selected].sak == 0x00 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
DbpString("Mifare Ultralight");
SimulateIso14443aTag(2, flags, data, 0, NULL);
SimulateIso14443aTag(2, flags, data, 0, NULL, 0);
} else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0x03) {
DbpString("Mifare DESFire");
SimulateIso14443aTag(3, flags, data, 0, NULL);
SimulateIso14443aTag(3, flags, data, 0, NULL, 0);
} else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0x03) {
DbpString("Mifare DESFire Ev1/Plus/JCOP");
SimulateIso14443aTag(3, flags, data, 0, NULL);
SimulateIso14443aTag(3, flags, data, 0, NULL, 0);
} else {
Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
SimulateIso14443aTag(1, flags, data, 0, NULL);
SimulateIso14443aTag(1, flags, data, 0, NULL, 0);
}
} else if (button_pressed == BUTTON_SINGLE_CLICK) {


@ -1637,7 +1637,8 @@ static void PacketReceived(PacketCommandNG *packet) {
uint8_t rats[20];
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
SimulateIso14443aTag(payload->tagtype, payload->flags, payload->uid, payload->exitAfter, payload->rats); // ## Simulate iso14443a tag - pass tag type & UID
SimulateIso14443aTag(payload->tagtype, payload->flags, payload->uid,
payload->exitAfter, payload->rats, sizeof(payload->rats)); // ## Simulate iso14443a tag - pass tag type & UID
break;
}
case CMD_HF_ISO14443A_SIM_AID: {
@ -1655,7 +1656,10 @@ static void PacketReceived(PacketCommandNG *packet) {
bool enumerate;
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
SimulateIso14443aTagAID(payload->tagtype, payload->flags, payload->uid, payload->rats, payload->aid, payload->response, payload->apdu, payload->aid_len, payload->respond_len, payload->apdu_len, payload->enumerate); // ## Simulate iso14443a tag - pass tag type, UID, rats, aid, resp, apdu
SimulateIso14443aTagAID(payload->tagtype, payload->flags, payload->uid,
payload->rats, sizeof(payload->rats), payload->aid, payload->response,
payload->apdu, payload->aid_len, payload->respond_len,
payload->apdu_len, payload->enumerate); // ## Simulate iso14443a tag - pass tag type, UID, rats, aid, resp, apdu
break;
}
case CMD_HF_ISO14443A_ANTIFUZZ: {
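Review bot: `sizeof(payload->rats)` passed at both the SIMULATE and SIM_AID call sites is the capacity of the 20-byte `rats` field, not the number of bytes the client actually sent, so SimulateIso14443aInit will copy the whole field even for a short packet. That is harmless only if `packet->length` is validated against `sizeof(struct p)` before the cast, which is not visible in these hunks; if it is not, a short packet makes the sim read whatever trails the payload in the command buffer as RATS data. A one-line guard before each cast would close that, `if (packet->length < sizeof(struct p)) { reply_ng(packet->cmd, PM3_EINVARG, NULL, 0); break; }`. The enclosing PacketReceived switch cases begin outside the hunk.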


@ -690,6 +690,8 @@ static RAMFUNC int ManchesterDecoding_Thinfilm(uint8_t bit) {
if (Demod.bitCount) { // there are some remaining data bits
Demod.shiftReg <<= (8 - Demod.bitCount); // left align the decoded bits
Demod.output[Demod.len++] = Demod.shiftReg & 0xFF; // and add them to the output
// Dbprintf("A | len... %u - %u == 0x%02x", Demod.len, Demod.bitCount, Demod.output[0]);
return true;
}
@ -1106,7 +1108,8 @@ bool prepare_allocated_tag_modulation(tag_response_info_t *response_info, uint8_
}
}
bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t *iRATs, tag_response_info_t **responses,
bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data,
uint8_t *iRATs, size_t irats_len, tag_response_info_t **responses,
uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages) {
uint8_t sak = 0;
// The first response contains the ATQA (note: bytes are transmitted in reverse order).
@ -1269,11 +1272,19 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, uint8
}
}
// copy the iRATs if supplied
// copy the iRATs if supplied.
// iRATs is a pointer to 20 byte array
// rRATS is a 40 byte array
if ((flags & FLAG_RATS_IN_DATA) == FLAG_RATS_IN_DATA) {
memcpy(rRATS, iRATs, sizeof(iRATs));
memcpy(rRATS, iRATs, irats_len);
// rats len is dictated by the first char of the string, add 2 crc bytes
rRATS_len = (iRATs[0] + 2);
// Since its Varible length we can send value > 40 and overflow our array.
// Even if RATS protocol defined as max 40 bytes doesn't mean people try stuff
if (rRATS_len > sizeof(rRATS)) {
if (g_dbglevel >= DBG_ERROR) Dbprintf("[-] ERROR: iRATS overflow. Max %zu, got %zu", sizeof(rRATS), rRATS_len);
return false;
}
}
// if uid not supplied then get from emulator memory
@ -1444,7 +1455,8 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, uint8
// response to send, and send it.
// 'hf 14a sim'
//-----------------------------------------------------------------------------
void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads, uint8_t *iRATs) {
void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads,
uint8_t *iRATs, size_t irats_len) {
#define ATTACK_KEY_COUNT 16
@ -1486,7 +1498,7 @@ void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_
.modulation_n = 0
};
if (SimulateIso14443aInit(tagType, flags, data, iRATs, &responses, &cuid, counters, tearings, &pages) == false) {
if (SimulateIso14443aInit(tagType, flags, data, iRATs, irats_len, &responses, &cuid, counters, tearings, &pages) == false) {
BigBuf_free_keep_EM();
reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
return;
@ -3932,7 +3944,9 @@ It can also continue after the AID has been selected, and respond to other reque
This was forked from the original function to allow for more flexibility in the future, and to increase the processing speed of the original function.
/// */
void SimulateIso14443aTagAID(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t *iRATs, uint8_t *aid, uint8_t *resp, uint8_t *apdu, int aidLen, int respondLen, int apduLen, bool enumerate) {
void SimulateIso14443aTagAID(uint8_t tagType, uint16_t flags, uint8_t *data,
uint8_t *iRATs, size_t irats_len, uint8_t *aid, uint8_t *resp,
uint8_t *apdu, int aidLen, int respondLen, int apduLen, bool enumerate) {
tag_response_info_t *responses;
uint32_t cuid = 0;
uint32_t counters[3] = { 0x00, 0x00, 0x00 };
@ -3959,7 +3973,7 @@ void SimulateIso14443aTagAID(uint8_t tagType, uint16_t flags, uint8_t *data, uin
.modulation_n = 0
};
if (SimulateIso14443aInit(tagType, flags, data, iRATs, &responses, &cuid, counters, tearings, &pages) == false) {
if (SimulateIso14443aInit(tagType, flags, data, iRATs, irats_len, &responses, &cuid, counters, tearings, &pages) == false) {
BigBuf_free_keep_EM();
reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
return;
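Review bot: In the FLAG_RATS_IN_DATA branch the only bound applied to the length byte is `sizeof(rRATS)`, so a caller that supplies 20 bytes with `iRATs[0]` anywhere up to 38 still passes, and the response then includes bytes of rRATS that this call never wrote — leftovers from an earlier simulation or zeros, depending on how rRATS is declared (not visible here). `iRATs[0]` is also read without first confirming `irats_len >= 1` and `iRATs != NULL`; the standalone callers now pass `NULL, 0`, which is only safe while they never set FLAG_RATS_IN_DATA. I would validate the supplied buffer before the copy and bound the declared length by `irats_len` as well; whether that comparison belongs on `rRATS_len` or on `iRATs[0]` depends on whether the two CRC bytes are expected inside iRATs or appended later into rRATS, which this hunk does not show. The `%zu` in the new Dbprintf also assumes rRATS_len is a size_t, worth confirming against its declaration. SimulateIso14443aInit begins and ends outside the hunk.
```c
    if ((flags & FLAG_RATS_IN_DATA) == FLAG_RATS_IN_DATA) {
        // need at least the length byte, and the copy must fit the destination
        if (iRATs == NULL || irats_len == 0 || irats_len > sizeof(rRATS)) {
            if (g_dbglevel >= DBG_ERROR) Dbprintf("[-] ERROR: invalid iRATS buffer, len %zu", irats_len);
            return false;
        }
        memcpy(rRATS, iRATs, irats_len);
        // rats len is dictated by the first char of the string, add 2 crc bytes
        rRATS_len = (iRATs[0] + 2);
        // the declared length must be covered by the bytes the caller actually supplied
        if (rRATS_len > irats_len || rRATS_len > sizeof(rRATS)) {
            if (g_dbglevel >= DBG_ERROR) Dbprintf("[-] ERROR: iRATS overflow. Max %zu, got %zu", sizeof(rRATS), rRATS_len);
            return false;
        }
    }
    // … unchanged: uid lookup from emulator memory …
```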


@ -55,7 +55,8 @@ typedef struct {
uint16_t shiftReg;
uint16_t samples;
uint16_t len;
uint32_t startTime, endTime;
uint32_t startTime;
uint32_t endTime;
uint16_t output_len;
uint8_t *output;
uint8_t *parity;
@ -88,7 +89,8 @@ typedef struct {
uint8_t parityBits;
uint8_t parityLen;
uint32_t fourBits;
uint32_t startTime, endTime;
uint32_t startTime;
uint32_t endTime;
uint16_t output_len;
uint8_t *output;
uint8_t *parity;
@ -140,8 +142,17 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time);
RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time);
void RAMFUNC SniffIso14443a(uint8_t param);
void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads, uint8_t *iRATs);
bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t *iRATs, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads,
uint8_t *iRATs, size_t irats_len);
void SimulateIso14443aTagAID(uint8_t tagType, uint16_t flags, uint8_t *data,
uint8_t *iRATs, size_t irats_len, uint8_t *aid, uint8_t *resp,
uint8_t *apdu, int aid_len, int respond_len, int apdu_len, bool enumerate);
bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data,
uint8_t *iRATs, size_t irats_len, tag_response_info_t **responses,
uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
bool GetIso14443aCommandFromReader(uint8_t *received, uint16_t received_maxlen, uint8_t *par, int *len);
void iso14443a_antifuzz(uint32_t flags);
void ReaderIso14443a(PacketCommandNG *c);
@ -174,7 +185,6 @@ bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_Start
void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype);
void DetectNACKbug(void);
void SimulateIso14443aTagAID(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t *iRATs, uint8_t *aid, uint8_t *resp, uint8_t *apdu, int aid_len, int respond_len, int apdu_len, bool enumerate);
bool GetIso14443aAnswerFromTag_Thinfilm(uint8_t *receivedResponse, uint16_t rec_maxlen, uint8_t *received_len);
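Review bot: The new `irats_len` parameter on the three prototypes is not documented anywhere in the header, and its meaning — the size in bytes of the buffer iRATs points to, not the RATS length byte — is exactly what the fix hinges on. I would add above SimulateIso14443aInit a comment such as `// irats_len: size in bytes of the buffer behind iRATs; only consulted when FLAG_RATS_IN_DATA is set` and point the other two prototypes at it. Separately, the SimulateIso14443aTagAID prototype names its trailing parameters `aid_len, respond_len, apdu_len` while the definition in iso14443a.c uses `aidLen, respondLen, apduLen`; since this commit rewrites both lines it is a cheap moment to align them.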