chg: 'hf iclass sim' - turning of antenna after simulation is done.

chg: 'hf iclass sim' - use @holiman 's 8 csn instead of the original @carl55 (15), and a new first entry csn, to see if the old one got blacklisted.
2025-08-14 10:37:23 -07:00 · 2017-08-18 10:23:46 +02:00 · 2017-08-18 10:23:46 +02:00 · db515ba6c4
commit db515ba6c4
parent 1d6b0c0c6a
4 changed files with 91 additions and 78 deletions
--- a/armsrc/iclass.c
+++ b/armsrc/iclass.c
@ -994,20 +994,17 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 	//Use the emulator memory for SIM
 	uint8_t *emulator = BigBuf_get_EM_addr();

-	if(simType == 0) {
+	if (simType == 0) {
 		// Use the CSN from commandline
 		memcpy(emulator, datain, 8);
 		doIClassSimulation(MODE_SIM_CSN,NULL);
-	}else if(simType == 1)
-	{
+	} else if (simType == 1) {
 		//Default CSN
 		uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
 		// Use the CSN from commandline
 		memcpy(emulator, csn_crc, 8);
 		doIClassSimulation(MODE_SIM_CSN,NULL);
-	}
-	else if(simType == 2)
-	{
+	} else if(simType == 2) {

 		uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
 		Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
@ -1015,30 +1012,28 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 		// in order to collect MAC's from the reader. This can later be used in an offlne-attack
 		// in order to obtain the keys, as in the "dismantling iclass"-paper.
 		int i = 0;
-		for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
-		{
+		for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++) {
 			// The usb data is 512 bytes, fitting 65 8-byte CSNs in there.

 			memcpy(emulator, datain+(i*8), 8);
-			if(doIClassSimulation(MODE_EXIT_AFTER_MAC,mac_responses+i*8))
-			{
+			if (doIClassSimulation(MODE_EXIT_AFTER_MAC,mac_responses+i*8)) {
 				cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
 				return; // Button pressed
 			}
 		}
 		cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);

-	}else if(simType == 3){
+	} else if (simType == 3){
 		//This is 'full sim' mode, where we use the emulator storage for data.
 		doIClassSimulation(MODE_FULLSIM, NULL);
-	}
-	else{
+	} else {
 		// We may want a mode here where we hardcode the csns to use (from proxclone).
 		// That will speed things up a little, but not required just yet.
 		Dbprintf("The mode is not implemented, reserved for future use");
 	}
 	Dbprintf("Done...");
-	set_tracing(false);	
+	set_tracing(false);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);	
 }
 void AppendCrc(uint8_t* data, int len)
 {
@ -1562,16 +1557,18 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples,

 int ReaderReceiveIClass(uint8_t* receivedAnswer)
 {
-  int samples = 0;
-  if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return false;
-  rsamples += samples;
-  if (tracing) {
-	uint8_t parity[MAX_PARITY_SIZE];
-	GetParity(receivedAnswer, Demod.len, parity);
-	LogTrace(receivedAnswer,Demod.len,rsamples,rsamples,parity,false);
-  }
-  if(samples == 0) return false;
-  return Demod.len;
+	int samples = 0;
+	if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return false;
+
+	rsamples += samples;
+
+	if (tracing) {
+		uint8_t parity[MAX_PARITY_SIZE];
+		GetParity(receivedAnswer, Demod.len, parity);
+		LogTrace(receivedAnswer,Demod.len,rsamples,rsamples,parity,false);
+	}
+	if(samples == 0) return false;
+	return Demod.len;
 }

 void setupIclassReader()
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@ -14,7 +14,8 @@

 static int CmdHelp(const char *Cmd);

-#define NUM_CSNS 15
+#define NUM_CSNS 8
+
 #define ICLASS_KEYS_MAX 8
 static uint8_t iClass_Key_Table[ICLASS_KEYS_MAX][8] = {
 		{ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
@ -182,7 +183,7 @@ int usage_hf_iclass_reader(void) {
 	PrintAndLog("        hf iclass reader 1");
 	return 0;
 }
-int usage_hf_iclass_replay(void){
+int usage_hf_iclass_replay(void) {
 	PrintAndLog("HELP:   Replay a collected mac message");
 	PrintAndLog("Usage:  hf iclass replay [h] <mac>");
 	PrintAndLog("Options:");
@ -192,13 +193,29 @@ int usage_hf_iclass_replay(void){
 	PrintAndLog("        hf iclass replay 00112233");	
 	return 0;
 }
-int usage_hf_iclass_snoop(void){
+int usage_hf_iclass_snoop(void) {
 	PrintAndLog("HELP:   Snoops the communication between reader and tag");
 	PrintAndLog("Usage:  hf iclass snoop [h]");
 	PrintAndLog("Samples:");
 	PrintAndLog("		 hf iclass snoop");	
 	return 0;
 }
+int usage_hf_iclass_loclass(void) {
+	PrintAndLog("Usage: hf iclass loclass [options]");
+	PrintAndLog("Options:");
+	PrintAndLog("h             Show this help");
+	PrintAndLog("t             Perform self-test");
+	PrintAndLog("f <filename>  Bruteforce iclass dumpfile");
+	PrintAndLog("                   An iclass dumpfile is assumed to consist of an arbitrary number of");
+	PrintAndLog("                   malicious CSNs, and their protocol responses");
+	PrintAndLog("                   The binary format of the file is expected to be as follows: ");
+	PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+	PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+	PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
+	PrintAndLog("                  ... totalling N*24 bytes");
+	return 0;
+}
+
 int xorbits_8(uint8_t val) {
 	uint8_t res = val ^ (val >> 1); //1st pass
 	res = res ^ (res >> 1); 		// 2nd pass
@ -252,8 +269,26 @@ int CmdHFiClassSim(const char *Cmd) {
 		UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
 		UsbCommand resp = {0};

+		// pre-defined 8 CSN by Holiman
+		// but new entry[0] by iceman
+		uint8_t csns[8*NUM_CSNS] = {		
+			//0X00, 0X0B, 0X0F, 0XFF, 0XF7, 0XFF, 0X12, 0XE0, // 0,1,69
+			0x00, 0x8b, 0x8f, 0x7f, 0xf7, 0xff, 0x12, 0xe0,
+			0X00, 0X13, 0X94, 0X7E, 0X76, 0XFF, 0X12, 0XE0, // 2,12
+			0X2A, 0X99, 0XAC, 0X79, 0XEC, 0XFF, 0X12, 0XE0,	// 7,11
+			0X17, 0X12, 0X01, 0XFD, 0XF7, 0XFF, 0X12, 0XE0, // 3,15
+			0XCD, 0X56, 0X01, 0X7C, 0X6F, 0XFF, 0X12, 0XE0, // 4,8
+			0X4B, 0X5E, 0X0B, 0X72, 0XEF, 0XFF, 0X12, 0XE0, // 6,14
+			0X00, 0X73, 0XD8, 0X75, 0X58, 0XFF, 0X12, 0XE0, // 9,5
+			0X0C, 0X90, 0X32, 0XF3, 0X5D, 0XFF, 0X12, 0XE0  // 10,13
+		};
+		
+/*		
+		// pre-defined 15 CSN by Carl55
+		// but new entry[0] by iceman
 		uint8_t csns[8*NUM_CSNS] = {
-			0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
+			//0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
+			0x00, 0x8b, 0x8f, 0x7f, 0xf7, 0xff, 0x12, 0xe0,
 			0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
 			0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
 			0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0,
@ -267,8 +302,9 @@ int CmdHFiClassSim(const char *Cmd) {
 			0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0,
 			0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0,
 			0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
-			0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
-
+			0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 
+		};		
+*/
 		memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
 		clearCommandBuffer();
 		SendCommand(&c);
@ -1284,23 +1320,11 @@ int CmdHFiClass_ReadBlock(const char *Cmd) {
 int CmdHFiClass_loclass(const char *Cmd) {
 	char opt = param_getchar(Cmd, 0);

-	if (strlen(Cmd)<1 || opt == 'h') {
-		PrintAndLog("Usage: hf iclass loclass [options]");
-		PrintAndLog("Options:");
-		PrintAndLog("h             Show this help");
-		PrintAndLog("t             Perform self-test");
-		PrintAndLog("f <filename>  Bruteforce iclass dumpfile");
-		PrintAndLog("                   An iclass dumpfile is assumed to consist of an arbitrary number of");
-		PrintAndLog("                   malicious CSNs, and their protocol responses");
-		PrintAndLog("                   The binary format of the file is expected to be as follows: ");
-		PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
-		PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
-		PrintAndLog("                   <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC>");
-		PrintAndLog("                  ... totalling N*24 bytes");
-		return 0;
-	}
+	if (strlen(Cmd)<1 || opt == 'h')
+		usage_hf_iclass_loclass();
+	
 	char fileName[FILE_PATH_SIZE] = {0};
-	if(opt == 'f') 	{
+	if (opt == 'f') {
 		if(param_getstr(Cmd, 1, fileName) > 0) {
 			return bruteforceFileNoKeys(fileName);
 		} else {
@ -1308,7 +1332,7 @@ int CmdHFiClass_loclass(const char *Cmd) {
 			// no return?
 		}
 	}
-	else if(opt == 't') {
+	else if (opt == 't') {
 		int errors = testCipherUtils();
 		errors += testMAC();
 		errors += doKeyTests(0);
--- a/client/loclass/hash1_brute.c
+++ b/client/loclass/hash1_brute.c
@ -7,8 +7,7 @@
 #include <ctype.h>
 #include "elite_crack.h"

-void calc_score(uint8_t* csn, uint8_t* k)
-{
+void calc_score(uint8_t* csn, uint8_t* k) {
    uint8_t score =0 ;
    uint8_t i;
    uint8_t goodvals[16] = {0};
@ -17,64 +16,58 @@ void calc_score(uint8_t* csn, uint8_t* k)
    memset(uniq_vals, 0x00, 8);
    uint8_t badval = 0;
    int badscore =0;
-    for(i=0; i < 8 ; i++)
-    {
-        if(k[i] == 0x01) continue;
-        if(k[i] == 0x00) continue;
-        if(k[i] == 0x45) continue;
-        if(k[i] < 16){
+    for ( i=0; i < 8 ; i++) {
+        if (k[i] == 0x01) continue;
+        if (k[i] == 0x00) continue;
+        if (k[i] == 0x45) continue;
+        if (k[i] < 16){
            goodvals[k[i]] = 1;
        }
 //        if(k[i] ==9 || k[i]==2){
 //            goodvals[k[i]] = 1;
 //        }

-        else if(k[i]>=16){
+        else if (k[i]>=16){
            badscore++;
            badval = k[i];
        }
    }
-    for(i =0; i < 16; i++)
-    {
-        if(goodvals[i])
-        {
+    for (i =0; i < 16; i++) {
+        if (goodvals[i]) {
            uniq_vals[score] = i;
            score +=1;
        }
    }
-    if(score >=2 && badscore < 2)
-    {
+	
+    if (score >=2 && badscore < 2) {
        printf("CSN\t%02x%02x%02x%02x%02x%02x%02x%02x\t%02x %02x %02x %02x %02x %02x %02x %02x\t"
               ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]
                ,k[0],k[1],k[2],k[3],k[4],k[5],k[6],k[7]
                );
-        for(i =0 ; i < score; i++)
-        {
+				
+        for (i=0 ; i < score; i++) {
            printf("%d,", uniq_vals[i]);
        }
        printf("\tbadscore: %d (%02x)", badscore, badval);
        printf("\r\n");
-
    }
-
 }

-void brute_hash1(){
+void brute_hash1(void){
+    uint16_t a,b,c,d;
    uint8_t csn[8] = {0,0,0,0,0xf7,0xff,0x12,0xe0};
    uint8_t k[8]= {0,0,0,0,0,0,0,0};
-    uint16_t a,b,c,d;
-    uint8_t testcsn[8] ={0x00,0x0d,0x0f,0xfd,0xf7,0xff,0x12,0xe0} ;
-    uint8_t testkey[8] ={0x05 ,0x01 ,0x00 ,0x10 ,0x45 ,0x08 ,0x45,0x56} ;
+    uint8_t testcsn[8] = {0x00,0x0d,0x0f,0xfd,0xf7,0xff,0x12,0xe0} ;
+    uint8_t testkey[8] = {0x05 ,0x01 ,0x00 ,0x10 ,0x45 ,0x08 ,0x45,0x56} ;
    calc_score(testcsn,testkey);
    printf("Brute forcing hashones\n");
    //exit(1);
-    for(a=0;a < 256;a++)
-    {
+	
+    for (a=0; a < 256; a++) {
        //if(a > 0)printf("%d/256 done...\n", a);
-        for(b=0;b < 256 ; b++)
-            for(c=0;c < 256;c++)
-               for(d=0;d < 256;d++)
-                {
+        for (b=0; b < 256; b++)
+            for (c=0; c < 256; c++)
+               for (d=0; d < 256; d++) {
                    csn[0] = a;
                    csn[1] = b;
                    csn[2] = c;
@ -87,6 +80,5 @@ void brute_hash1(){
                    calc_score(csn,k);
               }
    }
-
 }

--- a/client/loclass/hash1_brute.h
+++ b/client/loclass/hash1_brute.h
@ -1,5 +1,5 @@
 #ifndef HASH1_BRUTE_H
 #define HASH1_BRUTE_H
-void brute_hash1();
+extern void brute_hash1();

 #endif // HASH1_BRUTE_H