mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2025-08-19 21:03:48 -07:00
fix: stack corruptions. keep it simple. (coverty scan 170498, 170497, 170496)
This commit is contained in:
iceman1001
parent
b526492d3d
commit
f21555b1b2
2 changed files with 30 additions and 32 deletions
|
|
@ -72,6 +72,9 @@
|
||||||
|
|
||||||
// 32 + 2 crc + 1
|
// 32 + 2 crc + 1
|
||||||
#define ISO15_MAX_FRAME 35
|
#define ISO15_MAX_FRAME 35
|
||||||
|
#define CMD_ID_RESP 5
|
||||||
|
#define CMD_READ_RESP 13
|
||||||
|
#define CMD_INV_RESP 12
|
||||||
|
|
||||||
#define FrameSOF Iso15693FrameSOF
|
#define FrameSOF Iso15693FrameSOF
|
||||||
#define Logic0 Iso15693Logic0
|
#define Logic0 Iso15693Logic0
|
||||||
|
|
@ -84,9 +87,9 @@
|
||||||
|
|
||||||
int DEBUG = 0;
|
int DEBUG = 0;
|
||||||
|
|
||||||
static uint8_t BuildIdentifyRequest(uint8_t **cmdout);
|
static void BuildIdentifyRequest(uint8_t *cmdout);
|
||||||
//static uint8_t BuildReadBlockRequest(uint8_t **cmdout, uint8_t *uid, uint8_t blockNumber );
|
//static void BuildReadBlockRequest(uint8_t *cmdout, uint8_t *uid, uint8_t blockNumber );
|
||||||
static uint8_t BuildInventoryResponse(uint8_t **cmdout, uint8_t *uid);
|
static void BuildInventoryResponse(uint8_t *cmdout, uint8_t *uid);
|
||||||
|
|
||||||
// ---------------------------
|
// ---------------------------
|
||||||
// Signal Processing
|
// Signal Processing
|
||||||
|
|
@ -540,8 +543,8 @@ void AcquireRawAdcSamplesIso15693(void) {
|
||||||
uint8_t *buf = BigBuf_get_addr();
|
uint8_t *buf = BigBuf_get_addr();
|
||||||
|
|
||||||
uint32_t time_start = GetCountSspClk();
|
uint32_t time_start = GetCountSspClk();
|
||||||
uint8_t *cmd = NULL;
|
uint8_t cmd[CMD_ID_RESP] = {0};
|
||||||
uint8_t cmdlen = BuildIdentifyRequest( &cmd);
|
BuildIdentifyRequest(cmd);
|
||||||
|
|
||||||
// sending command
|
// sending command
|
||||||
c = 0;
|
c = 0;
|
||||||
|
|
@ -561,7 +564,7 @@ void AcquireRawAdcSamplesIso15693(void) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
LogTrace(cmd, cmdlen, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
|
LogTrace(cmd, CMD_ID_RESP, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
|
||||||
|
|
||||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
|
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
|
||||||
|
|
||||||
|
|
@ -682,8 +685,7 @@ void Iso15693InitReader(void) {
|
||||||
|
|
||||||
// Encode (into the ToSend buffers) an identify request, which is the first
|
// Encode (into the ToSend buffers) an identify request, which is the first
|
||||||
// thing that you must send to a tag to get a response.
|
// thing that you must send to a tag to get a response.
|
||||||
static uint8_t BuildIdentifyRequest(uint8_t **out) {
|
static void BuildIdentifyRequest(uint8_t *out) {
|
||||||
#define CMD_ID_RESP 5
|
|
||||||
|
|
||||||
uint8_t cmd[CMD_ID_RESP] = {0, ISO15_CMD_INVENTORY, 0, 0, 0};
|
uint8_t cmd[CMD_ID_RESP] = {0, ISO15_CMD_INVENTORY, 0, 0, 0};
|
||||||
// flags
|
// flags
|
||||||
|
|
@ -696,15 +698,12 @@ static uint8_t BuildIdentifyRequest(uint8_t **out) {
|
||||||
cmd[4] = crc >> 8;
|
cmd[4] = crc >> 8;
|
||||||
// coding as high speed (1 out of 4)
|
// coding as high speed (1 out of 4)
|
||||||
CodeIso15693AsReader(cmd, CMD_ID_RESP);
|
CodeIso15693AsReader(cmd, CMD_ID_RESP);
|
||||||
*out = cmd;
|
memcpy(out, cmd, CMD_ID_RESP);
|
||||||
return CMD_ID_RESP;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// uid is in transmission order (which is reverse of display order)
|
// uid is in transmission order (which is reverse of display order)
|
||||||
/*
|
/*
|
||||||
static uint8_t BuildReadBlockRequest(uint8_t **out, uint8_t *uid, uint8_t blockNumber ) {
|
static void BuildReadBlockRequest(uint8_t **out, uint8_t *uid, uint8_t blockNumber ) {
|
||||||
#define CMD_READ_RESP 13
|
|
||||||
|
|
||||||
uint8_t cmd[CMD_READ_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0,0};
|
uint8_t cmd[CMD_READ_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0,0};
|
||||||
// If we set the Option_Flag in this request, the VICC will respond with the secuirty status of the block
|
// If we set the Option_Flag in this request, the VICC will respond with the secuirty status of the block
|
||||||
// followed by teh block data
|
// followed by teh block data
|
||||||
|
|
@ -730,14 +729,12 @@ static uint8_t BuildReadBlockRequest(uint8_t **out, uint8_t *uid, uint8_t blockN
|
||||||
cmd[12] = crc >> 8;
|
cmd[12] = crc >> 8;
|
||||||
|
|
||||||
CodeIso15693AsReader(cmd, CMD_READ_RESP);
|
CodeIso15693AsReader(cmd, CMD_READ_RESP);
|
||||||
*out = cmd;
|
memcpy(out, cmd, CMD_ID_RESP);
|
||||||
return CMD_READ_RESP;
|
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// Now the VICC>VCD responses when we are simulating a tag
|
// Now the VICC>VCD responses when we are simulating a tag
|
||||||
static uint8_t BuildInventoryResponse(uint8_t **out, uint8_t *uid) {
|
static void BuildInventoryResponse(uint8_t *out, uint8_t *uid) {
|
||||||
#define CMD_INV_RESP 12
|
|
||||||
|
|
||||||
uint8_t cmd[CMD_INV_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0};
|
uint8_t cmd[CMD_INV_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0};
|
||||||
|
|
||||||
|
|
@ -761,8 +758,7 @@ static uint8_t BuildInventoryResponse(uint8_t **out, uint8_t *uid) {
|
||||||
cmd[11] = crc >> 8;
|
cmd[11] = crc >> 8;
|
||||||
|
|
||||||
CodeIso15693AsReader(cmd, CMD_INV_RESP);
|
CodeIso15693AsReader(cmd, CMD_INV_RESP);
|
||||||
*out = cmd;
|
memcpy(out, cmd, CMD_ID_RESP);
|
||||||
return CMD_INV_RESP;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Universal Method for sending to and recv bytes from a tag
|
// Universal Method for sending to and recv bytes from a tag
|
||||||
|
|
@ -905,10 +901,10 @@ void ReaderIso15693(uint32_t parameter) {
|
||||||
// FIRST WE RUN AN INVENTORY TO GET THE TAG UID
|
// FIRST WE RUN AN INVENTORY TO GET THE TAG UID
|
||||||
// THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
|
// THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
|
||||||
uint32_t time_start = GetCountSspClk();
|
uint32_t time_start = GetCountSspClk();
|
||||||
uint8_t *cmd = NULL;
|
uint8_t cmd[CMD_ID_RESP] = {0};
|
||||||
uint8_t cmdlen = BuildIdentifyRequest( &cmd );
|
BuildIdentifyRequest( cmd );
|
||||||
TransmitTo15693Tag(ToSend, ToSendMax, &tsamples, &wait);
|
TransmitTo15693Tag(ToSend, ToSendMax, &tsamples, &wait);
|
||||||
LogTrace(cmd, cmdlen, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
|
LogTrace(cmd, CMD_ID_RESP, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
|
||||||
|
|
||||||
// Now wait for a response
|
// Now wait for a response
|
||||||
answerLen1 = GetIso15693AnswerFromTag(answer1, &elapsed) ;
|
answerLen1 = GetIso15693AnswerFromTag(answer1, &elapsed) ;
|
||||||
|
|
@ -995,8 +991,8 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
|
||||||
|
|
||||||
// Build a suitable reponse to the reader INVENTORY cocmmand
|
// Build a suitable reponse to the reader INVENTORY cocmmand
|
||||||
// not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below.
|
// not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below.
|
||||||
uint8_t *cmd = NULL;
|
uint8_t cmd[CMD_INV_RESP] = {0};
|
||||||
uint8_t cmdlen = BuildInventoryResponse( &cmd, uid);
|
BuildInventoryResponse(cmd, uid);
|
||||||
|
|
||||||
while (!BUTTON_PRESS() && !usb_poll_validate_length() ) {
|
while (!BUTTON_PRESS() && !usb_poll_validate_length() ) {
|
||||||
WDT_HIT();
|
WDT_HIT();
|
||||||
|
|
@ -1009,7 +1005,7 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
|
||||||
|
|
||||||
time_start = GetCountSspClk();
|
time_start = GetCountSspClk();
|
||||||
TransmitTo15693Reader(ToSend, ToSendMax, &tsamples, &wait);
|
TransmitTo15693Reader(ToSend, ToSendMax, &tsamples, &wait);
|
||||||
LogTrace(cmd, cmdlen, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
|
LogTrace(cmd, CMD_INV_RESP, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
|
||||||
|
|
||||||
Dbprintf("%d octets read from reader command: %x %x %x %x %x %x %x %x %x", ans,
|
Dbprintf("%d octets read from reader command: %x %x %x %x %x %x %x %x %x", ans,
|
||||||
buf[0], buf[1], buf[2], buf[3],
|
buf[0], buf[1], buf[2], buf[3],
|
||||||
|
|
@ -1024,6 +1020,8 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
|
||||||
void BruteforceIso15693Afi(uint32_t speed) {
|
void BruteforceIso15693Afi(uint32_t speed) {
|
||||||
|
|
||||||
uint8_t data[7] = {0,0,0,0,0,0,0};
|
uint8_t data[7] = {0,0,0,0,0,0,0};
|
||||||
|
uint8_t buf[ISO15_MAX_FRAME];
|
||||||
|
memset(buf, 0x00, sizeof(buf));
|
||||||
int datalen = 0, recvlen = 0;
|
int datalen = 0, recvlen = 0;
|
||||||
|
|
||||||
Iso15693InitReader();
|
Iso15693InitReader();
|
||||||
|
|
@ -1036,12 +1034,12 @@ void BruteforceIso15693Afi(uint32_t speed) {
|
||||||
data[2] = 0; // mask length
|
data[2] = 0; // mask length
|
||||||
datalen = AddCrc(data, 3);
|
datalen = AddCrc(data, 3);
|
||||||
|
|
||||||
recvlen = SendDataTag(data, datalen, false, speed, data);
|
recvlen = SendDataTag(data, datalen, false, speed, buf);
|
||||||
|
|
||||||
WDT_HIT();
|
WDT_HIT();
|
||||||
|
|
||||||
if (recvlen >= 12) {
|
if (recvlen >= 12) {
|
||||||
Dbprintf("NoAFI UID=%s", sprintUID(NULL, data + 2) );
|
Dbprintf("NoAFI UID = %s", sprintUID(NULL, buf + 2) );
|
||||||
}
|
}
|
||||||
|
|
||||||
// now with AFI
|
// now with AFI
|
||||||
|
|
@ -1053,10 +1051,10 @@ void BruteforceIso15693Afi(uint32_t speed) {
|
||||||
for (int i = 0; i < 256; i++) {
|
for (int i = 0; i < 256; i++) {
|
||||||
data[2] = i & 0xFF;
|
data[2] = i & 0xFF;
|
||||||
datalen = AddCrc(data, 4);
|
datalen = AddCrc(data, 4);
|
||||||
recvlen = SendDataTag(data, datalen, false, speed, data);
|
recvlen = SendDataTag(data, datalen, false, speed, buf);
|
||||||
WDT_HIT();
|
WDT_HIT();
|
||||||
if (recvlen >= 12) {
|
if (recvlen >= 12) {
|
||||||
Dbprintf("AFI=%i UID=%s", i, sprintUID(NULL, data + 2) );
|
Dbprintf("AFI = %i UID = %s", i, sprintUID(NULL, buf + 2) );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue