github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 21:03:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

renamed readtagfile to view\nrenamed clone to restore\nrefactored reader, info, dump, rdbl, wrbl to be on device side. Commands now also seamless works with NON_SECURE_MPAGE

Browse source
This commit is contained in:
iceman1001 2020-07-29 11:02:30 +02:00
commit e147bdc71b
8 changed files with 953 additions and 574 deletions
Download patch file Download diff file Expand all files Collapse all files

145
armsrc/Standalone/hf_iceclass.c
View file

@ -13,10 +13,14 @@
#include "BigBuf.h"
#include "fpgaloader.h"
#include "util.h"
#include "ticks.h"
#include "dbprint.h"
#include "spiffs.h"
#include "iclass.h"
#include "iso15693.h"
#include "optimized_cipher.h"
#include "pm3_cmd.h"
#include "protocols.h"
#define NUM_CSNS 9
#define MAC_RESPONSES_SIZE (16 * NUM_CSNS)
@ -36,15 +40,8 @@ char* cc_files[] = { HF_ICLASS_CC_A, HF_ICLASS_CC_B };
#define ICE_STATE_READER 3
#define ICE_STATE_CONFIGCARD 4
typedef struct {
uint8_t app_limit; //[8]
uint8_t otp[2]; //[9-10]
uint8_t block_writelock;//[11]
uint8_t chip_config; //[12]
uint8_t mem_config; //[13]
uint8_t eas; //[14]
uint8_t fuses; //[15]
} picopass_conf_block_t;
// times in ssp_clk_cycles @ 3,3625MHz when acting as reader
#define DELAY_ICLASS_VICC_TO_VCD_READER DELAY_ISO15693_VICC_TO_VCD_READER
// iclass card descriptors
char * card_types[] = {
@ -70,9 +67,12 @@ uint8_t card_app2_limit[] = {
};
static uint8_t aa2_key[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
static uint8_t legacy_aa1_key[] = {0xAE, 0xA6, 0x84, 0xA6, 0xDA, 0xB2, 0x32, 0x78};
static uint8_t get_pagemap(const picopass_hdr *hdr) {
return (hdr->conf.fuses & (FUSE_CRYPT0 | FUSE_CRYPT1)) >> 3;
}
static uint8_t csns[8 * NUM_CSNS] = {
0x01, 0x0A, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
0x0C, 0x06, 0x0C, 0xFE, 0xF7, 0xFF, 0x12, 0xE0,
@ -224,16 +224,10 @@ static int reader_attack_mode(void) {
static int reader_dump_mode(void) {
BigBuf_free();
uint8_t *card_data = BigBuf_malloc(0xFF * 8);
memset(card_data, 0xFF, sizeof(card_data));
struct p {
uint8_t key[8];
bool use_raw;
bool use_elite;
bool use_credit_key;
} PACKED;
for (;;) {
if (BUTTON_PRESS()) {
@ -241,65 +235,104 @@ static int reader_dump_mode(void) {
break;
}
// AA1
struct p payload = {
// setup authenticate AA1
iclass_auth_req_t auth = {
.use_raw = false,
.use_elite = false,
.use_credit_key = false,
.do_auth = true,
.send_reply = false,
};
memcpy(payload.key, legacy_aa1_key, sizeof(payload.key));
memcpy(auth.key, legacy_aa1_key, sizeof(auth.key));
bool isOK = iclass_auth((uint8_t*)&payload, false, card_data);
if (isOK == false) {
Iso15693InitReader();
// select tag.
uint32_t eof_time = 0;
bool res = select_iclass_tag(card_data, auth.use_credit_key, &eof_time);
if (res == false) {
switch_off();
continue;
}
picopass_conf_block_t *conf = (picopass_conf_block_t*)(card_data + 8);
uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
picopass_hdr *hdr = (picopass_hdr *)card_data;
// get 3 config bits
uint8_t type = (conf->chip_config & 0x10) >> 2;
type |= (conf->mem_config & 0x80) >> 6;
type |= (conf->mem_config & 0x20) >> 5;
uint8_t type = (hdr->conf.chip_config & 0x10) >> 2;
type |= (hdr->conf.mem_config & 0x80) >> 6;
type |= (hdr->conf.mem_config & 0x20) >> 5;
uint8_t app1_limit = conf->app_limit - 5; // minus header blocks
uint8_t app2_limit = card_app2_limit[type];
uint8_t pagemap = get_pagemap(hdr);
uint8_t app1_limit, app2_limit, start_block;
// tags configured for NON SECURE PAGE, acts different
if (pagemap == PICOPASS_NON_SECURE_PAGEMODE) {
app1_limit = card_app2_limit[type];
app2_limit = 0;
start_block = 3;
} else {
app1_limit = hdr->conf.app_limit;
app2_limit = card_app2_limit[type];
start_block = 6;
res = authenticate_iclass_tag(&auth, hdr, &start_time, &eof_time, NULL);
if (res == false) {
switch_off();
DbpString("failed AA1 auth");
continue;
}
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
}
uint16_t dumped = 0;
uint8_t block;
for (block = 5; block < app1_limit; block++) {
isOK = iclass_readblock(block, card_data + (8 * block));
if (isOK) {
// main read loop
for (uint8_t i = start_block; i <= app1_limit; i++) {
res = iclass_read_block(i, card_data + (8 * i));
if (res) {
dumped++;
}
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
}
// AA2
payload.use_credit_key = true;
memcpy(payload.key, aa2_key, sizeof(payload.key));
if (pagemap != PICOPASS_NON_SECURE_PAGEMODE) {
isOK = iclass_auth((uint8_t*)&payload, false, card_data);
if (isOK) {
for (; block < app2_limit; block++) {
isOK = iclass_readblock(block, card_data + (8 * block));
if (isOK) {
// authenticate AA2
auth.use_credit_key = true;
memcpy(auth.key, aa2_key, sizeof(auth.key));
res = select_iclass_tag(card_data, auth.use_credit_key, &eof_time);
if (res) {
res = authenticate_iclass_tag(&auth, hdr, &start_time, &eof_time, NULL);
if (res) {
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
for (uint8_t i = app1_limit + 1; i <= app2_limit; i++) {
res = iclass_read_block(i, card_data + (8 * i));
if (res) {
dumped++;
}
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
}
} else {
DbpString("failed AA2 auth");
}
}
}
Dbprintf("Found %s", card_types[type]);
/*
Dbprintf("APP1 Blocks: %d", app1_limit);
Dbprintf("APP2 Blocks: %d", app2_limit - app1_limit - 5); // minus app1 and header
Dbprintf("Got %d blocks (saving %u, %u bytes )", dumped, dumped + 5, ((dumped+5)*8) );
*/
if (5 + dumped > app1_limit) {
save_to_flash(card_data, (5 + dumped) * 8 );
}
switch_off();
save_to_flash(card_data, (start_block + dumped) * 8 );
SpinDelay(250);
Dbprintf("Found a %s", card_types[type]);
}
Dbprintf("exit read & dump mode");
Dbprintf("-=[ exiting `read & dump` mode");
return PM3_SUCCESS;
}
@ -336,7 +369,7 @@ void RunMod(void) {
StandAloneMode();
Dbprintf(_YELLOW_("HF iCLASS mode a.k.a iceCLASS started"));
uint8_t mode = ICE_STATE_FULLSIM;
uint8_t mode = ICE_STATE_READER;
for (;;) {
@ -345,14 +378,6 @@ void RunMod(void) {
if (mode == ICE_STATE_NONE) break;
if (data_available()) break;
/*
// Was our button held down or pressed?
int button_pressed = BUTTON_HELD(1000);
if (button_pressed != BUTTON_NO_CLICK) {
break;
}
*/
int res;
switch (mode) {
@ -387,7 +412,7 @@ void RunMod(void) {
break;
}
case ICE_STATE_READER: {
Dbprintf("enter read & dump mode");
Dbprintf("enter read & dump mode, continuous scanning");
res = reader_dump_mode();
if (res == PM3_SUCCESS)
download_instructions(mode);

37
armsrc/appmain.c
View file

@ -1407,36 +1407,14 @@ static void PacketReceived(PacketCommandNG *packet) {
break;
}
case CMD_HF_ICLASS_WRITEBL: {
struct p {
uint8_t blockno;
uint8_t data[12];
} PACKED;
struct p *payload = (struct p *)packet->data.asBytes;
iClass_WriteBlock(payload->blockno, payload->data);
break;
}
// iceman2019, unused?
case CMD_HF_ICLASS_READCHECK: { // auth step 1
iClass_ReadCheck(packet->oldarg[0], packet->oldarg[1]);
iClass_WriteBlock(packet->data.asBytes);
break;
}
case CMD_HF_ICLASS_READBL: {
/*
struct p {
uint8_t blockno;
} PACKED;
struct p *payload = (struct p *)packet->data.asBytes;
*/
iClass_ReadBlk(packet->data.asBytes[0]);
iClass_ReadBlock(packet->data.asBytes);
break;
}
case CMD_HF_ICLASS_AUTH: { //check
/*
struct p {
uint8_t mac[4];
} PACKED;
struct p *payload = (struct p *)packet->data.asBytes;
*/
iClass_Authentication(packet->data.asBytes);
break;
}
@ -1445,12 +1423,7 @@ static void PacketReceived(PacketCommandNG *packet) {
break;
}
case CMD_HF_ICLASS_DUMP: {
struct p {
uint8_t start_blockno;
uint8_t numblks;
} PACKED;
struct p *payload = (struct p *)packet->data.asBytes;
iClass_Dump(payload->start_blockno, payload->numblks);
iClass_Dump(packet->data.asBytes);
break;
}
case CMD_HF_ICLASS_CLONE: {
@ -1463,6 +1436,10 @@ static void PacketReceived(PacketCommandNG *packet) {
iClass_Clone(payload->startblock, payload->endblock, payload->data);
break;
}
case CMD_HF_ICLASS_RESTORE: {
iClass_Restore(packet->data.asBytes);
break;
}
#endif
#ifdef WITH_HFSNIFF

449
armsrc/iclass.c
View file

@ -57,6 +57,12 @@
#define AddCrc(data, len) compute_crc(CRC_ICLASS, (data), (len), (data)+(len), (data)+(len)+1)
/*
static uint8_t get_pagemap(const picopass_hdr *hdr) {
return (hdr->conf.fuses & (FUSE_CRYPT0 | FUSE_CRYPT1)) >> 3;
}
*/
/*
* CARD TO READER
* in ISO15693-2 mode - Manchester
@ -836,19 +842,21 @@ static void iclass_send_as_reader(uint8_t *frame, int len, uint32_t *start_time,
}
static bool iclass_send_cmd_with_retries(uint8_t* cmd, size_t cmdsize, uint8_t* resp, size_t max_resp_size,
uint8_t expected_size, uint8_t tries, uint32_t start_time,
uint8_t expected_size, uint8_t tries, uint32_t *start_time,
uint16_t timeout, uint32_t *eof_time) {
while (tries-- > 0) {
iclass_send_as_reader(cmd, cmdsize, &start_time, eof_time);
iclass_send_as_reader(cmd, cmdsize, start_time, eof_time);
if (resp == NULL)
if (resp == NULL) {
return true;
}
if (expected_size == GetIso15693AnswerFromTag(resp, max_resp_size, timeout, eof_time)) {
return true;
}
start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
*start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
}
return false;
}
@ -860,12 +868,13 @@ static bool iclass_send_cmd_with_retries(uint8_t* cmd, size_t cmdsize, uint8_t*
* @return false = fail
* true = Got all.
*/
static bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time) {
static bool select_iclass_tag_ex(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time, uint8_t *status) {
static uint8_t act_all[] = { ICLASS_CMD_ACTALL };
static uint8_t identify[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x00, 0x73, 0x33 };
static uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static uint8_t read_conf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22 };
uint8_t read_aia[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
uint8_t read_check_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 };
uint8_t resp[ICLASS_BUFFER_SIZE] = {0};
@ -917,6 +926,28 @@ static bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t
//Save CONF in response data
memcpy(card_data + 8, resp, 8);
if (status)
*status |= (FLAG_ICLASS_CSN | FLAG_ICLASS_CONF);
picopass_hdr *hdr = (picopass_hdr *)card_data;
uint8_t pagemap = (hdr->conf.fuses & (FUSE_CRYPT0 | FUSE_CRYPT1)) >> 3; // 0x18
if (pagemap != PICOPASS_NON_SECURE_PAGEMODE) {
//Read App Issuer Area block 5
start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
iclass_send_as_reader(read_aia, sizeof(read_aia), &start_time, eof_time);
// expect a 10-byte response here
len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
if (len != 10)
return false;
if (status) {
*status |= FLAG_ICLASS_AIA;
memcpy(card_data + (8 * 5), resp, 8);
}
// card selected, now read e-purse (cc) (block2) (only 8 bytes no CRC)
start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
iclass_send_as_reader(read_check_cc, sizeof(read_check_cc), &start_time, eof_time);
@ -926,11 +957,38 @@ static bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t
if (len != 8)
return false;
//Save CC (e-purse) in response data
memcpy(card_data + 16, resp, 8);
memcpy(card_data + (8 * 2), resp, 8);
*status |= FLAG_ICLASS_CC;
} else {
//Read App Issuer Area block 2
read_aia[1] = 0x02;
read_aia[2] = 0x61;
read_aia[3] = 0x10;
start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
iclass_send_as_reader(read_aia, sizeof(read_aia), &start_time, eof_time);
// expect a 10-byte response here
len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
if (len != 10)
return false;
if (status) {
*status |= FLAG_ICLASS_AIA;
memcpy(card_data + (8 * 2), resp, 8);
}
}
return true;
}
bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time) {
uint8_t result = 0;
return select_iclass_tag_ex(card_data, use_credit_key, eof_time, &result);
}
// Reader iClass Anticollission
// turn off afterwards
void ReaderIClass(uint8_t flags) {
@ -941,8 +999,7 @@ void ReaderIClass(uint8_t flags) {
memset(resp, 0xFF, sizeof(resp));
// bool flag_readonce = flags & FLAG_ICLASS_READER_ONLY_ONCE; // flag to read until one tag is found successfully
bool use_credit_key = flags & FLAG_ICLASS_READER_CEDITKEY; // flag to use credit key
bool flag_read_aia = flags & FLAG_ICLASS_READER_AIA; // flag to read block5, application issuer area
bool use_credit_key = flags & FLAG_ICLASS_READER_CREDITKEY; // flag to use credit key
if ((flags & FLAG_ICLASS_READER_INIT) == FLAG_ICLASS_READER_INIT) {
Iso15693InitReader();
@ -952,30 +1009,17 @@ void ReaderIClass(uint8_t flags) {
clear_trace();
}
uint8_t result_status = 0;
uint32_t eof_time = 0;
bool status = select_iclass_tag(card_data, use_credit_key, &eof_time);
bool status = select_iclass_tag_ex(card_data, use_credit_key, &eof_time, &result_status);
if (status == false) {
reply_mix(CMD_ACK, 0xFF, 0, 0, card_data, 0);
switch_off();
return;
}
uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
uint8_t result_status = (FLAG_ICLASS_CSN | FLAG_ICLASS_CONF | FLAG_ICLASS_CC);
//Read block 5, AIA
if (flag_read_aia) {
//Read App Issuer Area block CRC(0x05) => 0xde 0x64
uint8_t read_aa[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
status = iclass_send_cmd_with_retries(read_aa, sizeof(read_aa), resp, sizeof(resp), 10, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
if (status) {
result_status |= FLAG_ICLASS_AIA;
memcpy(card_data + (8 * 5), resp, 8);
} else {
if (DBGLEVEL >= DBG_EXTENDED) DbpString("Failed to dump AIA block");
}
}
// Page mapping for secure mode
// 0 : CSN
// 1 : Configuration
// 2 : e-purse
@ -983,7 +1027,12 @@ void ReaderIClass(uint8_t flags) {
// 4 : kc / credit / aa1 (write-only)
// 5 : AIA, Application issuer area
//
//Then we can 'ship' back the 6 * 8 bytes of data,
// Page mapping for non secure mode
// 0 : CSN
// 1 : Configuration
// 2 : AIA, Application issuer area
// Return to client, e 6 * 8 bytes of data.
// with 0xFF:s in block 3 and 4.
LED_B_ON();
@ -1046,7 +1095,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac) {
memcpy(check + 5, mac, 4);
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
if (iclass_send_cmd_with_retries(check, sizeof(check), resp, sizeof(resp), 4, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time) == false) {
if (iclass_send_cmd_with_retries(check, sizeof(check), resp, sizeof(resp), 4, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time) == false) {
if (DBGLEVEL >= DBG_EXTENDED) DbpString("Error: Authentication Fail!");
continue;
}
@ -1056,7 +1105,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac) {
AddCrc(read + 1, 1);
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
if (iclass_send_cmd_with_retries(read, sizeof(read), resp, sizeof(resp), 10, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time) == false) {
if (iclass_send_cmd_with_retries(read, sizeof(read), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time) == false) {
if (DBGLEVEL >= DBG_EXTENDED) DbpString("Dump config (block 1) failed");
continue;
}
@ -1085,7 +1134,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac) {
AddCrc(read + 1, 1);
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
if (iclass_send_cmd_with_retries(read, sizeof(read), resp, sizeof(resp), 10, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
if (iclass_send_cmd_with_retries(read, sizeof(read), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
if (DBGLEVEL >= DBG_EXTENDED) {
Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
block,
@ -1142,73 +1191,47 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac) {
switch_off();
}
// not used. ?!? ( CMD_HF_ICLASS_READCHECK)
// turn off afterwards
void iClass_ReadCheck(uint8_t blockno, uint8_t keytype) {
uint8_t readcheck[] = { keytype, blockno };
uint8_t resp[8] = {0};
uint32_t eof_time = 0;
// start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
bool isOK = iclass_send_cmd_with_retries(readcheck, sizeof(readcheck), resp, sizeof(resp), 8, 3, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
reply_mix(CMD_ACK, isOK, 0, 0, 0, 0);
switch_off();
}
// used with function select_and_auth (cmdhficlass.c)
// which needs to authenticate before doing more things like read/write
// selects and authenticate to a card, sends back div_key and mac to client.
void iClass_Authentication(uint8_t *bytes) {
iclass_auth(bytes, true, NULL);
void iClass_Authentication(uint8_t *msg) {
}
bool iclass_auth(uint8_t *bytes, bool send_reply, uint8_t *dataout) {
bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr *hdr, uint32_t *start_time, uint32_t *eof_time, uint8_t *mac_out) {
iclass_auth_req_t *payload = (iclass_auth_req_t *)bytes;
iclass_auth_resp_t packet;
Iso15693InitReader();
uint8_t card_data[3 * 8] = {0xFF};
uint32_t eof_time = 0;
packet.isOK = select_iclass_tag(card_data, payload->use_credit_key, &eof_time);
if (packet.isOK == false) {
if (send_reply)
reply_ng(CMD_HF_ICLASS_AUTH, PM3_ESOFT, (uint8_t *)&packet, sizeof(packet));
return false;
}
uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
uint8_t check[9] = { ICLASS_CMD_CHECK };
uint8_t cmd_check[9] = { ICLASS_CMD_CHECK };
uint8_t div_key[8] = {0};
uint8_t mac[4] = {0};
uint8_t resp_auth[4] = {0};
uint8_t ccnr[12] = {0};
memcpy(ccnr, card_data + 16, 8);
uint8_t *pmac = mac;
if (mac_out)
pmac = mac_out;
memcpy(ccnr, hdr->epurse, sizeof(hdr->epurse));
if (payload->use_raw)
memcpy(packet.div_key, payload->key, 8);
memcpy(div_key, payload->key, 8);
else
iclass_calc_div_key(card_data, payload->key, packet.div_key, payload->use_elite);
iclass_calc_div_key(hdr->csn, payload->key, div_key, payload->use_elite);
opt_doReaderMAC(ccnr, packet.div_key, packet.mac);
if (payload->use_credit_key)
memcpy(hdr->key_c, div_key, sizeof(hdr->key_c));
else
memcpy(hdr->key_d, div_key, sizeof(hdr->key_d));
// Dbhexdump(sizeof(div_key), div_key, false);
opt_doReaderMAC(ccnr, div_key, pmac);
// copy MAC to check command (readersignature)
check[5] = packet.mac[0];
check[6] = packet.mac[1];
check[7] = packet.mac[2];
check[8] = packet.mac[3];
cmd_check[5] = pmac[0];
cmd_check[6] = pmac[1];
cmd_check[7] = pmac[2];
cmd_check[8] = pmac[3];
uint8_t resp[ICLASS_BUFFER_SIZE] = {0};
packet.isOK = iclass_send_cmd_with_retries(check, sizeof(check), resp, sizeof(resp), 4, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
if (send_reply)
reply_ng(CMD_HF_ICLASS_AUTH, (packet.isOK)? PM3_SUCCESS : PM3_ESOFT, (uint8_t *)&packet, sizeof(packet));
if (dataout) {
memcpy(dataout, card_data, sizeof(card_data));
memcpy(dataout + (3 * 8), packet.div_key, sizeof(packet.div_key));
}
return true;
return iclass_send_cmd_with_retries(cmd_check, sizeof(cmd_check), resp_auth, sizeof(resp_auth), 4, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, eof_time);
}
typedef struct iclass_premac {
@ -1279,7 +1302,7 @@ void iClass_Authentication_fast(uint64_t arg0, uint64_t arg1, uint8_t *datain) {
check[8] = keys[i].mac[3];
// expect 4bytes, 3 retries times..
isOK = iclass_send_cmd_with_retries(check, sizeof(check), resp, sizeof(resp), 4, 3, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
isOK = iclass_send_cmd_with_retries(check, sizeof(check), resp, sizeof(resp), 4, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
if (isOK)
goto out;
@ -1299,27 +1322,78 @@ out:
// Tries to read block.
// retries 10times.
bool iclass_readblock(uint8_t blockno, uint8_t *data) {
// reply 8 bytes block
bool iclass_read_block(uint8_t blockno, uint8_t *data) {
uint8_t resp[10];
uint8_t c[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockno, 0x00, 0x00};
AddCrc(c + 1, 1);
uint32_t eof_time = 0;
bool isOK = iclass_send_cmd_with_retries(c, sizeof(c), resp, sizeof(resp), 10, 10, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
uint32_t eof_time = 0, start_time = 0;
bool isOK = iclass_send_cmd_with_retries(c, sizeof(c), resp, sizeof(resp), 10, 10, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
if (isOK)
memcpy(data, resp, 8);
return isOK;
}
// turn off afterwards
// readblock 8 + 2. only want 8.
void iClass_ReadBlk(uint8_t blockno) {
struct p {
bool isOK;
uint8_t blockdata[8];
} PACKED result;
// send in authentication needed data, if to use auth.
// reply 8 bytes block if send_reply (for client)
void iClass_ReadBlock(uint8_t *msg) {
LED_A_ON();
result.isOK = iclass_readblock(blockno, result.blockdata);
reply_ng(CMD_HF_ICLASS_READBL, PM3_SUCCESS, (uint8_t *)&result, sizeof(result));
iclass_auth_req_t *payload = (iclass_auth_req_t *)msg;
iclass_readblock_resp_t response = { .isOK = true };
memset(response.data, 0, sizeof(response.data));
uint8_t cmd_read[] = {ICLASS_CMD_READ_OR_IDENTIFY, payload->blockno, 0x00, 0x00};
AddCrc(cmd_read + 1, 1);
Iso15693InitReader();
// select tag.
uint32_t eof_time = 0;
picopass_hdr hdr = {0};
bool res = select_iclass_tag( (uint8_t *)&hdr, payload->use_credit_key, &eof_time);
if (res == false) {
if (payload->send_reply) {
response.isOK = res;
reply_ng(CMD_HF_ICLASS_READBL, PM3_ETIMEOUT, (uint8_t *)&response, sizeof(response));
}
goto out;
}
uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
// authenticate
if (payload->do_auth) {
res = authenticate_iclass_tag(payload, &hdr, &start_time, &eof_time, NULL);
if (res == false) {
if (payload->send_reply) {
response.isOK = res;
reply_ng(CMD_HF_ICLASS_READBL, PM3_ETIMEOUT, (uint8_t *)&response, sizeof(response));
}
goto out;
}
}
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
// read data
uint8_t resp[10];
res = iclass_send_cmd_with_retries(cmd_read, sizeof(cmd_read), resp, sizeof(resp), 10, 10, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
if (res) {
memcpy(response.data, resp, sizeof(response.data));
if (payload->send_reply) {
reply_ng(CMD_HF_ICLASS_READBL, PM3_SUCCESS, (uint8_t *)&response, sizeof(response));
}
} else {
if (payload->send_reply) {
response.isOK = res;
reply_ng(CMD_HF_ICLASS_READBL, PM3_ETIMEOUT, (uint8_t *)&response, sizeof(response));
}
}
out:
switch_off();
}
@ -1328,7 +1402,7 @@ void iClass_ReadBlk(uint8_t blockno) {
// then authenticate AA2, and read those blocks by calling this.
// By the looks at it only 2K cards is supported, or first page dumps on larger cards.
// turn off afterwards
void iClass_Dump(uint8_t start_blockno, uint8_t numblks) {
void iClass_Dump(uint8_t *msg) {
BigBuf_free();
@ -1341,27 +1415,90 @@ void iClass_Dump(uint8_t start_blockno, uint8_t numblks) {
}
memset(dataout, 0xFF, 0xFF * 8);
bool isOK;
uint8_t blkcnt = 0;
for (; blkcnt < numblks; blkcnt++) {
isOK = iclass_readblock(start_blockno + blkcnt, dataout + (8 * blkcnt));
if (isOK == false) {
Dbprintf("failed to read block %02X", start_blockno + blkcnt);
iclass_dump_req_t *cmd = (iclass_dump_req_t *)msg;
iclass_auth_req_t *req = &cmd->req;
Iso15693InitReader();
// select tag.
uint32_t eof_time = 0;
picopass_hdr hdr = {0};
bool res = select_iclass_tag( (uint8_t *)&hdr, req->use_credit_key, &eof_time);
if (res == false) {
if (req->send_reply) {
reply_ng(CMD_HF_ICLASS_DUMP, PM3_ETIMEOUT, NULL, 0);
}
switch_off();
return;
}
uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
// authenticate
if (req->do_auth) {
res = authenticate_iclass_tag(req, &hdr, &start_time, &eof_time, NULL);
if (res == false) {
if (req->send_reply) {
reply_ng(CMD_HF_ICLASS_DUMP, PM3_ETIMEOUT, NULL, 0);
}
switch_off();
return;
}
}
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
// main read loop
uint8_t i = cmd->start_block;
for (; i <= cmd->end_block; i++) {
res = iclass_read_block(i, dataout + (8 * i));
if (res == false) {
Dbprintf("failed to read block %02X", req->blockno + i);
break;
}
/*
else {
Dbprintf("blk: %u (0x%02x) | %02x %02x %02x %02x %02x %02x %02x %02x ",
i,
i,
dataout[8 * i],
dataout[(8 * i) + 1],
dataout[(8 * i) + 2],
dataout[(8 * i) + 3],
dataout[(8 * i) + 4],
dataout[(8 * i) + 5],
dataout[(8 * i) + 6],
dataout[(8 * i) + 7]
);
}
*/
}
switch_off();
// copy diversified key back.
if (req->do_auth) {
if (req->use_credit_key)
memcpy(dataout + (8 * 4), hdr.key_c, 8);
else
memcpy(dataout + (8 * 3), hdr.key_d, 8);
}
if (req->send_reply) {
struct p {
bool isOK;
uint8_t block_cnt;
uint32_t bb_offset;
} PACKED payload;
payload.isOK = isOK;
payload.block_cnt = blkcnt;
payload.bb_offset = dataout - BigBuf_get_addr();
reply_ng(CMD_HF_ICLASS_DUMP, PM3_SUCCESS, (uint8_t *)&payload, sizeof(payload));
} PACKED response;
response.isOK = res;
response.block_cnt = i;
response.bb_offset = dataout - BigBuf_get_addr();
reply_ng(CMD_HF_ICLASS_DUMP, PM3_SUCCESS, (uint8_t *)&response, sizeof(response));
}
BigBuf_free();
}
@ -1372,8 +1509,8 @@ static bool iclass_writeblock_ext(uint8_t blockno, uint8_t *data) {
AddCrc(write + 1, 13);
uint8_t resp[10] = {0};
uint32_t eof_time = 0;
bool isOK = iclass_send_cmd_with_retries(write, sizeof(write), resp, sizeof(resp), 10, 3, 0, ICLASS_READER_TIMEOUT_UPDATE, &eof_time);
uint32_t eof_time = 0, start_time = 0;
bool isOK = iclass_send_cmd_with_retries(write, sizeof(write), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_UPDATE, &eof_time);
if (isOK == false) {
return false;
}
@ -1400,21 +1537,103 @@ static bool iclass_writeblock_ext(uint8_t blockno, uint8_t *data) {
}
// turn off afterwards
void iClass_WriteBlock(uint8_t blockno, uint8_t *data) {
void iClass_WriteBlock(uint8_t *msg) {
LED_A_ON();
uint8_t isOK = iclass_writeblock_ext(blockno, data);
iclass_writeblock_req_t *payload = (iclass_writeblock_req_t *)msg;
uint8_t write[16] = { 0x80 | ICLASS_CMD_UPDATE, payload->req.blockno };
Iso15693InitReader();
// select tag.
uint32_t eof_time = 0;
picopass_hdr hdr = {0};
bool res = select_iclass_tag( (uint8_t *)&hdr, payload->req.use_credit_key, &eof_time);
if (res == false) {
goto out;
}
uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
uint8_t mac[4] = {0};
// authenticate
if (payload->req.do_auth) {
res = authenticate_iclass_tag(&payload->req, &hdr, &start_time, &eof_time, mac);
if (res == false) {
goto out;
}
}
// calc new mac for write
uint8_t wb[9];
wb[0] = payload->req.blockno;
memcpy(wb + 1, payload->data, 8);
if (payload->req.use_credit_key)
doMAC_N(wb, sizeof(wb), hdr.key_c, mac);
else
doMAC_N(wb, sizeof(wb), hdr.key_d, mac);
memcpy(write + 2, payload->data, 8); // data
memcpy(write + 10, mac, sizeof(mac)); // mac
AddCrc(write + 1, 13);
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
uint8_t resp[10] = {0};
res = iclass_send_cmd_with_retries(write, sizeof(write), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_UPDATE, &eof_time);
if (res == false) {
goto out;
}
// verify write
uint8_t all_ff[8] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
if (payload->req.blockno == 2) {
// check response. e-purse update swaps first and second half
if (memcmp(payload->data + 4, resp, 4) || memcmp(payload->data, resp + 4, 4)) {
res = false;
goto out;
}
} else if (payload->req.blockno == 3 || payload->req.blockno == 4) {
// check response. Key updates always return 0xffffffffffffffff
if (memcmp(all_ff, resp, 8)) {
res = false;
goto out;
}
} else {
// check response. All other updates return unchanged data
if (memcmp(payload->data, resp, 8)) {
res = false;
goto out;
}
}
out:
switch_off();
reply_ng(CMD_HF_ICLASS_WRITEBL, PM3_SUCCESS, (uint8_t *)&isOK, sizeof(uint8_t));
if (payload->req.send_reply)
reply_ng(CMD_HF_ICLASS_WRITEBL, PM3_SUCCESS, (uint8_t *)&res, sizeof(uint8_t));
}
// turn off afterwards
void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) {
}
void iClass_Restore(uint8_t *msg) {
iclass_restore_req_t *cmd = (iclass_restore_req_t *)msg;
// iclass_auth_req_t *req = &cmd->req;
LED_A_ON();
uint16_t written = 0;
uint16_t total_blocks = (endblock - startblock) + 1;
for (uint8_t b = startblock; b < total_blocks; b++) {
uint16_t total_blocks = (cmd->end_block - cmd->start_block) + 1;
for (uint8_t b = cmd->start_block; b < total_blocks; b++) {
if (iclass_writeblock_ext(b, data + ((b - startblock) * 12))) {
if (iclass_writeblock_ext(b, cmd->data + ((b - cmd->start_block) * 12))) {
Dbprintf("Write block [%02x] successful", b);
written++;
} else {

18
armsrc/iclass.h
View file

@ -12,15 +12,17 @@
#define __ICLASS_H
#include "common.h"
#include "pm3_cmd.h"
void SniffIClass(uint8_t jam_search_len, uint8_t *jam_search_string);
void ReaderIClass(uint8_t arg0);
void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac);
void iClass_WriteBlock(uint8_t blockno, uint8_t *data);
void iClass_Dump(uint8_t blockno, uint8_t numblks);
void iClass_WriteBlock(uint8_t *msg);
void iClass_Dump(uint8_t *msg);
void iClass_Restore(uint8_t *msg);
void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data);
void iClass_ReadCheck(uint8_t blockno, uint8_t keytype);
int do_iclass_simulation(int simulationMode, uint8_t *reader_mac_buf);
void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
@ -28,8 +30,12 @@ void iclass_simulate(uint8_t sim_type, uint8_t num_csns, bool send_reply, uint8_
void iClass_Authentication_fast(uint64_t arg0, uint64_t arg1, uint8_t *datain);
void iClass_Authentication(uint8_t *bytes);
bool iclass_auth(uint8_t *bytes, bool send_reply, uint8_t *dataout);
bool iclass_auth(iclass_auth_req_t *payload, uint8_t *out);
void iClass_ReadBlock(uint8_t *msg);
bool iclass_read_block(uint8_t blockno, uint8_t *data);
bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time);
bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr *hdr, uint32_t *start_time, uint32_t *eof_time, uint8_t *mac_out);
void iClass_ReadBlk(uint8_t blockno);
bool iclass_readblock(uint8_t blockno, uint8_t *data);
#endif

6
client/src/cmdhf.c
View file

@ -130,10 +130,10 @@ int CmdHFSearch(const char *Cmd) {
}
PROMPT_CLEARLINE;
PrintAndLogEx(INPLACE, " Searching for iClass / PicoPass tag...");
PrintAndLogEx(INPLACE, " Searching for iCLASS / PicoPass tag...");
if (IfPm3Iclass()) {
if (readIclass(false, false) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("iClass tag / PicoPass tag") " found\n");
if (read_iclass_csn(false, false) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("iCLASS tag / PicoPass tag") " found\n");
res = PM3_SUCCESS;
}
}

656
client/src/cmdhficlass.c
View file

File diff suppressed because it is too large Load diff

3
client/src/cmdhficlass.h
View file

@ -29,7 +29,8 @@ typedef struct iclass_prekey {
int CmdHFiClass(const char *Cmd);
int readIclass(bool loop, bool verbose);
int info_iclass(void);
int read_iclass_csn(bool loop, bool verbose);
void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize);
void HFiClassCalcDivKey(uint8_t *CSN, uint8_t *KEY, uint8_t *div_key, bool elite);

63
include/pm3_cmd.h
View file

@ -291,19 +291,74 @@ typedef struct {
// iCLASS auth request data structure
// used with read block, dump, write block
typedef struct {
uint8_t key[8];
bool use_raw;
bool use_elite;
bool use_credit_key;
bool send_reply;
bool do_auth;
uint8_t blockno;
} PACKED iclass_auth_req_t;
// iCLASS auth response data structure
// iCLASS read block response data structure
typedef struct {
bool isOK;
uint8_t div_key[8];
uint8_t mac[4];
} PACKED iclass_auth_resp_t;
uint8_t data[8];
} PACKED iclass_readblock_resp_t;
// iCLASS dump data structure
typedef struct {
iclass_auth_req_t req;
uint8_t start_block;
uint8_t end_block;
} PACKED iclass_dump_req_t;
// iCLASS write block request data structure
typedef struct {
iclass_auth_req_t req;
uint8_t data[8];
} PACKED iclass_writeblock_req_t;
// iCLASS dump data structure
typedef struct {
iclass_auth_req_t req;
uint8_t start_block;
uint8_t end_block;
uint8_t data[];
} PACKED iclass_restore_req_t;
// iclass / picopass chip config structures and shared routines
typedef struct {
uint8_t app_limit; //[8]
uint8_t otp[2]; //[9-10]
uint8_t block_writelock;//[11]
uint8_t chip_config; //[12]
uint8_t mem_config; //[13]
uint8_t eas; //[14]
uint8_t fuses; //[15]
} picopass_conf_block_t;
// iCLASS secure mode memory mapping
typedef struct {
uint8_t csn[8];
picopass_conf_block_t conf;
uint8_t epurse[8];
uint8_t key_d[8];
uint8_t key_c[8];
uint8_t app_issuer_area[8];
} picopass_hdr;
// iCLASS non-secure mode memory mapping
typedef struct {
uint8_t csn[8];
picopass_conf_block_t conf;
uint8_t app_issuer_area[8];
} picopass_ns_hdr;
// For the bootloader
@ -485,6 +540,7 @@ typedef struct {
#define CMD_HF_LEGIC_INFO 0x03BC
#define CMD_HF_LEGIC_ESET 0x03BD
// iCLASS / Picopass
#define CMD_HF_ICLASS_READCHECK 0x038F
#define CMD_HF_ICLASS_CLONE 0x0390
#define CMD_HF_ICLASS_DUMP 0x0391
@ -497,6 +553,7 @@ typedef struct {
#define CMD_HF_ICLASS_EML_MEMSET 0x0398
#define CMD_HF_ICLASS_AUTH 0x0399
#define CMD_HF_ICLASS_CHKKEYS 0x039A
#define CMD_HF_ICLASS_RESTORE 0x039B
// For ISO1092 / FeliCa
#define CMD_HF_FELICA_SIMULATE 0x03A0
@ -602,7 +659,7 @@ typedef struct {
#define FLAG_ICLASS_READER_INIT 0x01
#define FLAG_ICLASS_READER_CLEARTRACE 0x02
#define FLAG_ICLASS_READER_ONLY_ONCE 0x04
#define FLAG_ICLASS_READER_CEDITKEY 0x08
#define FLAG_ICLASS_READER_CREDITKEY 0x08
#define FLAG_ICLASS_READER_AIA 0x10
// iCLASS reader status flags